From 0be1a63e30cf3e38954d87223d66a5503d8ac0c4 Mon Sep 17 00:00:00 2001 From: andyl Date: Tue, 2 Apr 2024 20:07:45 +0800 Subject: [PATCH] feat: support TLS server --- gnet.go | 5 + gnet_test.go | 67 +- go.mod | 5 +- go.sum | 4 + options.go | 11 + pkg/tls/alert.go | 109 + pkg/tls/auth.go | 293 ++ pkg/tls/auth_test.go | 168 + pkg/tls/boring.go | 98 + pkg/tls/boring_test.go | 618 ++++ pkg/tls/cache.go | 95 + pkg/tls/cache_test.go | 117 + pkg/tls/cipher_suites.go | 719 +++++ pkg/tls/common.go | 1556 +++++++++ pkg/tls/common_string.go | 116 + pkg/tls/conn.go | 1769 +++++++++++ pkg/tls/conn_test.go | 319 ++ pkg/tls/example_test.go | 232 ++ pkg/tls/fipsonly/fipsonly.go | 29 + pkg/tls/fipsonly/fipsonly_test.go | 19 + pkg/tls/generate_cert.go | 171 + pkg/tls/handshake_client.go | 1142 +++++++ pkg/tls/handshake_client_test.go | 2801 +++++++++++++++++ pkg/tls/handshake_client_tls13.go | 772 +++++ pkg/tls/handshake_messages.go | 1903 +++++++++++ pkg/tls/handshake_messages_test.go | 558 ++++ pkg/tls/handshake_server.go | 962 ++++++ pkg/tls/handshake_server_test.go | 2049 ++++++++++++ pkg/tls/handshake_server_tls13.go | 1001 ++++++ pkg/tls/handshake_test.go | 530 ++++ pkg/tls/handshake_unix_test.go | 18 + pkg/tls/internal/bisect/bisect.go | 794 +++++ pkg/tls/internal/boring/Dockerfile | 63 + pkg/tls/internal/boring/LICENSE | 202 ++ pkg/tls/internal/boring/README.md | 39 + pkg/tls/internal/boring/aes.go | 385 +++ pkg/tls/internal/boring/bbig/big.go | 33 + pkg/tls/internal/boring/bcache/cache.go | 140 + pkg/tls/internal/boring/bcache/cache_test.go | 122 + pkg/tls/internal/boring/bcache/stub.s | 6 + pkg/tls/internal/boring/boring.go | 126 + pkg/tls/internal/boring/boring_test.go | 34 + pkg/tls/internal/boring/build-boring.sh | 44 + pkg/tls/internal/boring/build-goboring.sh | 237 ++ pkg/tls/internal/boring/build.sh | 46 + pkg/tls/internal/boring/div_test.c | 83 + pkg/tls/internal/boring/doc.go | 19 + pkg/tls/internal/boring/ecdh.go | 224 ++ pkg/tls/internal/boring/ecdsa.go | 172 + pkg/tls/internal/boring/fipstls/stub.s | 12 + pkg/tls/internal/boring/fipstls/tls.go | 52 + pkg/tls/internal/boring/goboringcrypto.h | 255 ++ pkg/tls/internal/boring/hmac.go | 153 + pkg/tls/internal/boring/notboring.go | 123 + pkg/tls/internal/boring/rand.go | 24 + pkg/tls/internal/boring/rsa.go | 379 +++ pkg/tls/internal/boring/sha.go | 599 ++++ pkg/tls/internal/boring/sig/sig.go | 17 + pkg/tls/internal/boring/sig/sig_amd64.s | 54 + pkg/tls/internal/boring/sig/sig_other.s | 19 + .../syso/goboringcrypto_linux_amd64.syso | Bin 0 -> 2555664 bytes .../syso/goboringcrypto_linux_arm64.syso | Bin 0 -> 1980296 bytes pkg/tls/internal/boring/syso/syso.go | 9 + pkg/tls/internal/cpu/cpu.go | 228 ++ pkg/tls/internal/cpu/cpu.s | 6 + pkg/tls/internal/cpu/cpu_arm.go | 48 + pkg/tls/internal/cpu/cpu_arm64.go | 69 + pkg/tls/internal/cpu/cpu_arm64.s | 18 + pkg/tls/internal/cpu/cpu_arm64_android.go | 11 + pkg/tls/internal/cpu/cpu_arm64_darwin.go | 33 + pkg/tls/internal/cpu/cpu_arm64_freebsd.go | 14 + pkg/tls/internal/cpu/cpu_arm64_hwcap.go | 66 + pkg/tls/internal/cpu/cpu_arm64_linux.go | 11 + pkg/tls/internal/cpu/cpu_arm64_openbsd.go | 28 + pkg/tls/internal/cpu/cpu_arm64_other.go | 13 + pkg/tls/internal/cpu/cpu_loong64.go | 13 + pkg/tls/internal/cpu/cpu_mips.go | 10 + pkg/tls/internal/cpu/cpu_mips64x.go | 32 + pkg/tls/internal/cpu/cpu_mipsle.go | 10 + pkg/tls/internal/cpu/cpu_no_name.go | 18 + pkg/tls/internal/cpu/cpu_ppc64x.go | 35 + pkg/tls/internal/cpu/cpu_ppc64x_aix.go | 25 + pkg/tls/internal/cpu/cpu_ppc64x_linux.go | 33 + pkg/tls/internal/cpu/cpu_ppc64x_other.go | 13 + pkg/tls/internal/cpu/cpu_riscv64.go | 10 + pkg/tls/internal/cpu/cpu_s390x.go | 205 ++ pkg/tls/internal/cpu/cpu_s390x.s | 63 + pkg/tls/internal/cpu/cpu_s390x_test.go | 64 + pkg/tls/internal/cpu/cpu_test.go | 63 + pkg/tls/internal/cpu/cpu_wasm.go | 10 + pkg/tls/internal/cpu/cpu_x86.go | 215 ++ pkg/tls/internal/cpu/cpu_x86.s | 43 + pkg/tls/internal/cpu/cpu_x86_test.go | 59 + pkg/tls/internal/cpu/export_test.go | 9 + pkg/tls/internal/cpu/export_x86_test.go | 11 + pkg/tls/key_agreement.go | 366 +++ pkg/tls/key_schedule.go | 159 + pkg/tls/key_schedule_test.go | 175 + pkg/tls/link_test.go | 107 + pkg/tls/notboring.go | 20 + pkg/tls/prf.go | 299 ++ pkg/tls/prf_test.go | 140 + pkg/tls/quic.go | 421 +++ pkg/tls/quic_test.go | 489 +++ .../Client-TLSv10-ClientCert-ECDSA-ECDSA | 135 + .../Client-TLSv10-ClientCert-ECDSA-RSA | 139 + .../testdata/Client-TLSv10-ClientCert-Ed25519 | 110 + .../Client-TLSv10-ClientCert-RSA-ECDSA | 134 + .../testdata/Client-TLSv10-ClientCert-RSA-RSA | 138 + .../testdata/Client-TLSv10-ECDHE-ECDSA-AES | 92 + pkg/tls/testdata/Client-TLSv10-ECDHE-RSA-AES | 96 + pkg/tls/testdata/Client-TLSv10-Ed25519 | 0 .../Client-TLSv10-ExportKeyingMaterial | 96 + pkg/tls/testdata/Client-TLSv10-RSA-RC4 | 86 + .../testdata/Client-TLSv11-ECDHE-ECDSA-AES | 94 + pkg/tls/testdata/Client-TLSv11-ECDHE-RSA-AES | 98 + pkg/tls/testdata/Client-TLSv11-Ed25519 | 0 pkg/tls/testdata/Client-TLSv11-RSA-RC4 | 86 + .../testdata/Client-TLSv12-AES128-GCM-SHA256 | 88 + pkg/tls/testdata/Client-TLSv12-AES128-SHA256 | 97 + .../testdata/Client-TLSv12-AES256-GCM-SHA384 | 88 + pkg/tls/testdata/Client-TLSv12-ALPN | 93 + pkg/tls/testdata/Client-TLSv12-ALPN-NoMatch | 91 + .../Client-TLSv12-ClientCert-ECDSA-ECDSA | 140 + .../Client-TLSv12-ClientCert-ECDSA-RSA | 140 + .../testdata/Client-TLSv12-ClientCert-Ed25519 | 120 + ...nt-TLSv12-ClientCert-RSA-AES256-GCM-SHA384 | 138 + .../Client-TLSv12-ClientCert-RSA-ECDSA | 139 + .../testdata/Client-TLSv12-ClientCert-RSA-RSA | 138 + .../Client-TLSv12-ClientCert-RSA-RSAPKCS1v15 | 135 + .../Client-TLSv12-ClientCert-RSA-RSAPSS | 143 + .../testdata/Client-TLSv12-ECDHE-ECDSA-AES | 94 + .../Client-TLSv12-ECDHE-ECDSA-AES-GCM | 89 + .../Client-TLSv12-ECDHE-ECDSA-AES128-SHA256 | 98 + ...lient-TLSv12-ECDHE-ECDSA-AES256-GCM-SHA384 | 89 + ...lient-TLSv12-ECDHE-ECDSA-CHACHA20-POLY1305 | 84 + pkg/tls/testdata/Client-TLSv12-ECDHE-RSA-AES | 98 + .../Client-TLSv12-ECDHE-RSA-AES128-SHA256 | 102 + .../Client-TLSv12-ECDHE-RSA-CHACHA20-POLY1305 | 88 + pkg/tls/testdata/Client-TLSv12-Ed25519 | 69 + .../Client-TLSv12-ExportKeyingMaterial | 91 + pkg/tls/testdata/Client-TLSv12-P256-ECDHE | 98 + pkg/tls/testdata/Client-TLSv12-RSA-RC4 | 86 + .../testdata/Client-TLSv12-RenegotiateOnce | 246 ++ .../testdata/Client-TLSv12-RenegotiateTwice | 346 ++ .../Client-TLSv12-RenegotiateTwiceRejected | 249 ++ .../Client-TLSv12-RenegotiationRejected | 96 + pkg/tls/testdata/Client-TLSv12-SCT | 114 + pkg/tls/testdata/Client-TLSv12-X25519-ECDHE | 92 + pkg/tls/testdata/Client-TLSv13-AES128-SHA256 | 91 + pkg/tls/testdata/Client-TLSv13-AES256-SHA384 | 93 + pkg/tls/testdata/Client-TLSv13-ALPN | 93 + .../testdata/Client-TLSv13-CHACHA20-SHA256 | 91 + .../Client-TLSv13-ClientCert-ECDSA-RSA | 140 + .../testdata/Client-TLSv13-ClientCert-Ed25519 | 123 + .../Client-TLSv13-ClientCert-RSA-ECDSA | 135 + .../Client-TLSv13-ClientCert-RSA-RSAPSS | 144 + pkg/tls/testdata/Client-TLSv13-ECDSA | 87 + pkg/tls/testdata/Client-TLSv13-Ed25519 | 69 + .../Client-TLSv13-ExportKeyingMaterial | 91 + .../testdata/Client-TLSv13-HelloRetryRequest | 119 + pkg/tls/testdata/Client-TLSv13-KeyUpdate | 103 + pkg/tls/testdata/Client-TLSv13-P256-ECDHE | 94 + pkg/tls/testdata/Client-TLSv13-X25519-ECDHE | 90 + .../testdata/Server-TLSv10-ECDHE-ECDSA-AES | 79 + .../Server-TLSv10-ExportKeyingMaterial | 92 + pkg/tls/testdata/Server-TLSv10-RSA-3DES | 73 + pkg/tls/testdata/Server-TLSv10-RSA-AES | 76 + pkg/tls/testdata/Server-TLSv10-RSA-RC4 | 70 + pkg/tls/testdata/Server-TLSv11-FallbackSCSV | 11 + pkg/tls/testdata/Server-TLSv11-RSA-RC4 | 70 + pkg/tls/testdata/Server-TLSv12-ALPN | 91 + pkg/tls/testdata/Server-TLSv12-ALPN-Fallback | 90 + pkg/tls/testdata/Server-TLSv12-ALPN-NoMatch | 14 + .../testdata/Server-TLSv12-ALPN-NotConfigured | 90 + ...er-TLSv12-ClientAuthRequestedAndECDSAGiven | 126 + ...-TLSv12-ClientAuthRequestedAndEd25519Given | 109 + .../Server-TLSv12-ClientAuthRequestedAndGiven | 125 + ...TLSv12-ClientAuthRequestedAndPKCS1v15Given | 125 + .../Server-TLSv12-ClientAuthRequestedNotGiven | 85 + .../testdata/Server-TLSv12-ECDHE-ECDSA-AES | 84 + pkg/tls/testdata/Server-TLSv12-Ed25519 | 58 + .../Server-TLSv12-ExportKeyingMaterial | 96 + pkg/tls/testdata/Server-TLSv12-IssueTicket | 90 + .../Server-TLSv12-IssueTicketPreDisable | 90 + pkg/tls/testdata/Server-TLSv12-P256 | 84 + pkg/tls/testdata/Server-TLSv12-RSA-3DES | 78 + pkg/tls/testdata/Server-TLSv12-RSA-AES | 82 + pkg/tls/testdata/Server-TLSv12-RSA-AES-GCM | 81 + .../Server-TLSv12-RSA-AES256-GCM-SHA384 | 81 + pkg/tls/testdata/Server-TLSv12-RSA-RC4 | 74 + .../testdata/Server-TLSv12-RSA-RSAPKCS1v15 | 77 + pkg/tls/testdata/Server-TLSv12-RSA-RSAPSS | 77 + pkg/tls/testdata/Server-TLSv12-Resume | 54 + pkg/tls/testdata/Server-TLSv12-ResumeDisabled | 91 + pkg/tls/testdata/Server-TLSv12-SNI | 83 + .../testdata/Server-TLSv12-SNI-GetCertificate | 83 + .../Server-TLSv12-SNI-GetCertificateNotFound | 83 + pkg/tls/testdata/Server-TLSv12-X25519 | 80 + pkg/tls/testdata/Server-TLSv13-AES128-SHA256 | 97 + pkg/tls/testdata/Server-TLSv13-AES256-SHA384 | 100 + pkg/tls/testdata/Server-TLSv13-ALPN | 100 + pkg/tls/testdata/Server-TLSv13-ALPN-Fallback | 99 + pkg/tls/testdata/Server-TLSv13-ALPN-NoMatch | 18 + .../testdata/Server-TLSv13-ALPN-NotConfigured | 99 + .../testdata/Server-TLSv13-CHACHA20-SHA256 | 97 + ...er-TLSv13-ClientAuthRequestedAndECDSAGiven | 180 ++ ...-TLSv13-ClientAuthRequestedAndEd25519Given | 149 + .../Server-TLSv13-ClientAuthRequestedAndGiven | 177 ++ .../Server-TLSv13-ClientAuthRequestedNotGiven | 103 + .../testdata/Server-TLSv13-ECDHE-ECDSA-AES | 93 + pkg/tls/testdata/Server-TLSv13-Ed25519 | 75 + .../Server-TLSv13-ExportKeyingMaterial | 98 + .../testdata/Server-TLSv13-HelloRetryRequest | 123 + pkg/tls/testdata/Server-TLSv13-IssueTicket | 98 + .../Server-TLSv13-IssueTicketPreDisable | 98 + pkg/tls/testdata/Server-TLSv13-P256 | 101 + pkg/tls/testdata/Server-TLSv13-RSA-RSAPSS | 96 + .../Server-TLSv13-RSA-RSAPSS-TooSmall | 15 + pkg/tls/testdata/Server-TLSv13-Resume | 59 + .../Server-TLSv13-Resume-HelloRetryRequest | 94 + pkg/tls/testdata/Server-TLSv13-ResumeDisabled | 99 + pkg/tls/testdata/Server-TLSv13-X25519 | 97 + pkg/tls/testdata/example-cert.pem | 11 + pkg/tls/testdata/example-key.pem | 5 + pkg/tls/ticket.go | 421 +++ pkg/tls/ticket_test.go | 8 + pkg/tls/tls.go | 355 +++ pkg/tls/tls_test.go | 1807 +++++++++++ tls.go | 222 ++ tls_test.go | 132 + 231 files changed, 41202 insertions(+), 5 deletions(-) create mode 100644 pkg/tls/alert.go create mode 100644 pkg/tls/auth.go create mode 100644 pkg/tls/auth_test.go create mode 100644 pkg/tls/boring.go create mode 100644 pkg/tls/boring_test.go create mode 100644 pkg/tls/cache.go create mode 100644 pkg/tls/cache_test.go create mode 100644 pkg/tls/cipher_suites.go create mode 100644 pkg/tls/common.go create mode 100644 pkg/tls/common_string.go create mode 100644 pkg/tls/conn.go create mode 100644 pkg/tls/conn_test.go create mode 100644 pkg/tls/example_test.go create mode 100644 pkg/tls/fipsonly/fipsonly.go create mode 100644 pkg/tls/fipsonly/fipsonly_test.go create mode 100644 pkg/tls/generate_cert.go create mode 100644 pkg/tls/handshake_client.go create mode 100644 pkg/tls/handshake_client_test.go create mode 100644 pkg/tls/handshake_client_tls13.go create mode 100644 pkg/tls/handshake_messages.go create mode 100644 pkg/tls/handshake_messages_test.go create mode 100644 pkg/tls/handshake_server.go create mode 100644 pkg/tls/handshake_server_test.go create mode 100644 pkg/tls/handshake_server_tls13.go create mode 100644 pkg/tls/handshake_test.go create mode 100644 pkg/tls/handshake_unix_test.go create mode 100644 pkg/tls/internal/bisect/bisect.go create mode 100644 pkg/tls/internal/boring/Dockerfile create mode 100644 pkg/tls/internal/boring/LICENSE create mode 100644 pkg/tls/internal/boring/README.md create mode 100644 pkg/tls/internal/boring/aes.go create mode 100644 pkg/tls/internal/boring/bbig/big.go create mode 100644 pkg/tls/internal/boring/bcache/cache.go create mode 100644 pkg/tls/internal/boring/bcache/cache_test.go create mode 100644 pkg/tls/internal/boring/bcache/stub.s create mode 100644 pkg/tls/internal/boring/boring.go create mode 100644 pkg/tls/internal/boring/boring_test.go create mode 100644 pkg/tls/internal/boring/build-boring.sh create mode 100644 pkg/tls/internal/boring/build-goboring.sh create mode 100644 pkg/tls/internal/boring/build.sh create mode 100644 pkg/tls/internal/boring/div_test.c create mode 100644 pkg/tls/internal/boring/doc.go create mode 100644 pkg/tls/internal/boring/ecdh.go create mode 100644 pkg/tls/internal/boring/ecdsa.go create mode 100644 pkg/tls/internal/boring/fipstls/stub.s create mode 100644 pkg/tls/internal/boring/fipstls/tls.go create mode 100644 pkg/tls/internal/boring/goboringcrypto.h create mode 100644 pkg/tls/internal/boring/hmac.go create mode 100644 pkg/tls/internal/boring/notboring.go create mode 100644 pkg/tls/internal/boring/rand.go create mode 100644 pkg/tls/internal/boring/rsa.go create mode 100644 pkg/tls/internal/boring/sha.go create mode 100644 pkg/tls/internal/boring/sig/sig.go create mode 100644 pkg/tls/internal/boring/sig/sig_amd64.s create mode 100644 pkg/tls/internal/boring/sig/sig_other.s create mode 100644 pkg/tls/internal/boring/syso/goboringcrypto_linux_amd64.syso create mode 100644 pkg/tls/internal/boring/syso/goboringcrypto_linux_arm64.syso create mode 100644 pkg/tls/internal/boring/syso/syso.go create mode 100644 pkg/tls/internal/cpu/cpu.go create mode 100644 pkg/tls/internal/cpu/cpu.s create mode 100644 pkg/tls/internal/cpu/cpu_arm.go create mode 100644 pkg/tls/internal/cpu/cpu_arm64.go create mode 100644 pkg/tls/internal/cpu/cpu_arm64.s create mode 100644 pkg/tls/internal/cpu/cpu_arm64_android.go create mode 100644 pkg/tls/internal/cpu/cpu_arm64_darwin.go create mode 100644 pkg/tls/internal/cpu/cpu_arm64_freebsd.go create mode 100644 pkg/tls/internal/cpu/cpu_arm64_hwcap.go create mode 100644 pkg/tls/internal/cpu/cpu_arm64_linux.go create mode 100644 pkg/tls/internal/cpu/cpu_arm64_openbsd.go create mode 100644 pkg/tls/internal/cpu/cpu_arm64_other.go create mode 100644 pkg/tls/internal/cpu/cpu_loong64.go create mode 100644 pkg/tls/internal/cpu/cpu_mips.go create mode 100644 pkg/tls/internal/cpu/cpu_mips64x.go create mode 100644 pkg/tls/internal/cpu/cpu_mipsle.go create mode 100644 pkg/tls/internal/cpu/cpu_no_name.go create mode 100644 pkg/tls/internal/cpu/cpu_ppc64x.go create mode 100644 pkg/tls/internal/cpu/cpu_ppc64x_aix.go create mode 100644 pkg/tls/internal/cpu/cpu_ppc64x_linux.go create mode 100644 pkg/tls/internal/cpu/cpu_ppc64x_other.go create mode 100644 pkg/tls/internal/cpu/cpu_riscv64.go create mode 100644 pkg/tls/internal/cpu/cpu_s390x.go create mode 100644 pkg/tls/internal/cpu/cpu_s390x.s create mode 100644 pkg/tls/internal/cpu/cpu_s390x_test.go create mode 100644 pkg/tls/internal/cpu/cpu_test.go create mode 100644 pkg/tls/internal/cpu/cpu_wasm.go create mode 100644 pkg/tls/internal/cpu/cpu_x86.go create mode 100644 pkg/tls/internal/cpu/cpu_x86.s create mode 100644 pkg/tls/internal/cpu/cpu_x86_test.go create mode 100644 pkg/tls/internal/cpu/export_test.go create mode 100644 pkg/tls/internal/cpu/export_x86_test.go create mode 100644 pkg/tls/key_agreement.go create mode 100644 pkg/tls/key_schedule.go create mode 100644 pkg/tls/key_schedule_test.go create mode 100644 pkg/tls/link_test.go create mode 100644 pkg/tls/notboring.go create mode 100644 pkg/tls/prf.go create mode 100644 pkg/tls/prf_test.go create mode 100644 pkg/tls/quic.go create mode 100644 pkg/tls/quic_test.go create mode 100644 pkg/tls/testdata/Client-TLSv10-ClientCert-ECDSA-ECDSA create mode 100644 pkg/tls/testdata/Client-TLSv10-ClientCert-ECDSA-RSA create mode 100644 pkg/tls/testdata/Client-TLSv10-ClientCert-Ed25519 create mode 100644 pkg/tls/testdata/Client-TLSv10-ClientCert-RSA-ECDSA create mode 100644 pkg/tls/testdata/Client-TLSv10-ClientCert-RSA-RSA create mode 100644 pkg/tls/testdata/Client-TLSv10-ECDHE-ECDSA-AES create mode 100644 pkg/tls/testdata/Client-TLSv10-ECDHE-RSA-AES create mode 100644 pkg/tls/testdata/Client-TLSv10-Ed25519 create mode 100644 pkg/tls/testdata/Client-TLSv10-ExportKeyingMaterial create mode 100644 pkg/tls/testdata/Client-TLSv10-RSA-RC4 create mode 100644 pkg/tls/testdata/Client-TLSv11-ECDHE-ECDSA-AES create mode 100644 pkg/tls/testdata/Client-TLSv11-ECDHE-RSA-AES create mode 100644 pkg/tls/testdata/Client-TLSv11-Ed25519 create mode 100644 pkg/tls/testdata/Client-TLSv11-RSA-RC4 create mode 100644 pkg/tls/testdata/Client-TLSv12-AES128-GCM-SHA256 create mode 100644 pkg/tls/testdata/Client-TLSv12-AES128-SHA256 create mode 100644 pkg/tls/testdata/Client-TLSv12-AES256-GCM-SHA384 create mode 100644 pkg/tls/testdata/Client-TLSv12-ALPN create mode 100644 pkg/tls/testdata/Client-TLSv12-ALPN-NoMatch create mode 100644 pkg/tls/testdata/Client-TLSv12-ClientCert-ECDSA-ECDSA create mode 100644 pkg/tls/testdata/Client-TLSv12-ClientCert-ECDSA-RSA create mode 100644 pkg/tls/testdata/Client-TLSv12-ClientCert-Ed25519 create mode 100644 pkg/tls/testdata/Client-TLSv12-ClientCert-RSA-AES256-GCM-SHA384 create mode 100644 pkg/tls/testdata/Client-TLSv12-ClientCert-RSA-ECDSA create mode 100644 pkg/tls/testdata/Client-TLSv12-ClientCert-RSA-RSA create mode 100644 pkg/tls/testdata/Client-TLSv12-ClientCert-RSA-RSAPKCS1v15 create mode 100644 pkg/tls/testdata/Client-TLSv12-ClientCert-RSA-RSAPSS create mode 100644 pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-AES create mode 100644 pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-AES-GCM create mode 100644 pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-AES128-SHA256 create mode 100644 pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-AES256-GCM-SHA384 create mode 100644 pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-CHACHA20-POLY1305 create mode 100644 pkg/tls/testdata/Client-TLSv12-ECDHE-RSA-AES create mode 100644 pkg/tls/testdata/Client-TLSv12-ECDHE-RSA-AES128-SHA256 create mode 100644 pkg/tls/testdata/Client-TLSv12-ECDHE-RSA-CHACHA20-POLY1305 create mode 100644 pkg/tls/testdata/Client-TLSv12-Ed25519 create mode 100644 pkg/tls/testdata/Client-TLSv12-ExportKeyingMaterial create mode 100644 pkg/tls/testdata/Client-TLSv12-P256-ECDHE create mode 100644 pkg/tls/testdata/Client-TLSv12-RSA-RC4 create mode 100644 pkg/tls/testdata/Client-TLSv12-RenegotiateOnce create mode 100644 pkg/tls/testdata/Client-TLSv12-RenegotiateTwice create mode 100644 pkg/tls/testdata/Client-TLSv12-RenegotiateTwiceRejected create mode 100644 pkg/tls/testdata/Client-TLSv12-RenegotiationRejected create mode 100644 pkg/tls/testdata/Client-TLSv12-SCT create mode 100644 pkg/tls/testdata/Client-TLSv12-X25519-ECDHE create mode 100644 pkg/tls/testdata/Client-TLSv13-AES128-SHA256 create mode 100644 pkg/tls/testdata/Client-TLSv13-AES256-SHA384 create mode 100644 pkg/tls/testdata/Client-TLSv13-ALPN create mode 100644 pkg/tls/testdata/Client-TLSv13-CHACHA20-SHA256 create mode 100644 pkg/tls/testdata/Client-TLSv13-ClientCert-ECDSA-RSA create mode 100644 pkg/tls/testdata/Client-TLSv13-ClientCert-Ed25519 create mode 100644 pkg/tls/testdata/Client-TLSv13-ClientCert-RSA-ECDSA create mode 100644 pkg/tls/testdata/Client-TLSv13-ClientCert-RSA-RSAPSS create mode 100644 pkg/tls/testdata/Client-TLSv13-ECDSA create mode 100644 pkg/tls/testdata/Client-TLSv13-Ed25519 create mode 100644 pkg/tls/testdata/Client-TLSv13-ExportKeyingMaterial create mode 100644 pkg/tls/testdata/Client-TLSv13-HelloRetryRequest create mode 100644 pkg/tls/testdata/Client-TLSv13-KeyUpdate create mode 100644 pkg/tls/testdata/Client-TLSv13-P256-ECDHE create mode 100644 pkg/tls/testdata/Client-TLSv13-X25519-ECDHE create mode 100644 pkg/tls/testdata/Server-TLSv10-ECDHE-ECDSA-AES create mode 100644 pkg/tls/testdata/Server-TLSv10-ExportKeyingMaterial create mode 100644 pkg/tls/testdata/Server-TLSv10-RSA-3DES create mode 100644 pkg/tls/testdata/Server-TLSv10-RSA-AES create mode 100644 pkg/tls/testdata/Server-TLSv10-RSA-RC4 create mode 100644 pkg/tls/testdata/Server-TLSv11-FallbackSCSV create mode 100644 pkg/tls/testdata/Server-TLSv11-RSA-RC4 create mode 100644 pkg/tls/testdata/Server-TLSv12-ALPN create mode 100644 pkg/tls/testdata/Server-TLSv12-ALPN-Fallback create mode 100644 pkg/tls/testdata/Server-TLSv12-ALPN-NoMatch create mode 100644 pkg/tls/testdata/Server-TLSv12-ALPN-NotConfigured create mode 100644 pkg/tls/testdata/Server-TLSv12-ClientAuthRequestedAndECDSAGiven create mode 100644 pkg/tls/testdata/Server-TLSv12-ClientAuthRequestedAndEd25519Given create mode 100644 pkg/tls/testdata/Server-TLSv12-ClientAuthRequestedAndGiven create mode 100644 pkg/tls/testdata/Server-TLSv12-ClientAuthRequestedAndPKCS1v15Given create mode 100644 pkg/tls/testdata/Server-TLSv12-ClientAuthRequestedNotGiven create mode 100644 pkg/tls/testdata/Server-TLSv12-ECDHE-ECDSA-AES create mode 100644 pkg/tls/testdata/Server-TLSv12-Ed25519 create mode 100644 pkg/tls/testdata/Server-TLSv12-ExportKeyingMaterial create mode 100644 pkg/tls/testdata/Server-TLSv12-IssueTicket create mode 100644 pkg/tls/testdata/Server-TLSv12-IssueTicketPreDisable create mode 100644 pkg/tls/testdata/Server-TLSv12-P256 create mode 100644 pkg/tls/testdata/Server-TLSv12-RSA-3DES create mode 100644 pkg/tls/testdata/Server-TLSv12-RSA-AES create mode 100644 pkg/tls/testdata/Server-TLSv12-RSA-AES-GCM create mode 100644 pkg/tls/testdata/Server-TLSv12-RSA-AES256-GCM-SHA384 create mode 100644 pkg/tls/testdata/Server-TLSv12-RSA-RC4 create mode 100644 pkg/tls/testdata/Server-TLSv12-RSA-RSAPKCS1v15 create mode 100644 pkg/tls/testdata/Server-TLSv12-RSA-RSAPSS create mode 100644 pkg/tls/testdata/Server-TLSv12-Resume create mode 100644 pkg/tls/testdata/Server-TLSv12-ResumeDisabled create mode 100644 pkg/tls/testdata/Server-TLSv12-SNI create mode 100644 pkg/tls/testdata/Server-TLSv12-SNI-GetCertificate create mode 100644 pkg/tls/testdata/Server-TLSv12-SNI-GetCertificateNotFound create mode 100644 pkg/tls/testdata/Server-TLSv12-X25519 create mode 100644 pkg/tls/testdata/Server-TLSv13-AES128-SHA256 create mode 100644 pkg/tls/testdata/Server-TLSv13-AES256-SHA384 create mode 100644 pkg/tls/testdata/Server-TLSv13-ALPN create mode 100644 pkg/tls/testdata/Server-TLSv13-ALPN-Fallback create mode 100644 pkg/tls/testdata/Server-TLSv13-ALPN-NoMatch create mode 100644 pkg/tls/testdata/Server-TLSv13-ALPN-NotConfigured create mode 100644 pkg/tls/testdata/Server-TLSv13-CHACHA20-SHA256 create mode 100644 pkg/tls/testdata/Server-TLSv13-ClientAuthRequestedAndECDSAGiven create mode 100644 pkg/tls/testdata/Server-TLSv13-ClientAuthRequestedAndEd25519Given create mode 100644 pkg/tls/testdata/Server-TLSv13-ClientAuthRequestedAndGiven create mode 100644 pkg/tls/testdata/Server-TLSv13-ClientAuthRequestedNotGiven create mode 100644 pkg/tls/testdata/Server-TLSv13-ECDHE-ECDSA-AES create mode 100644 pkg/tls/testdata/Server-TLSv13-Ed25519 create mode 100644 pkg/tls/testdata/Server-TLSv13-ExportKeyingMaterial create mode 100644 pkg/tls/testdata/Server-TLSv13-HelloRetryRequest create mode 100644 pkg/tls/testdata/Server-TLSv13-IssueTicket create mode 100644 pkg/tls/testdata/Server-TLSv13-IssueTicketPreDisable create mode 100644 pkg/tls/testdata/Server-TLSv13-P256 create mode 100644 pkg/tls/testdata/Server-TLSv13-RSA-RSAPSS create mode 100644 pkg/tls/testdata/Server-TLSv13-RSA-RSAPSS-TooSmall create mode 100644 pkg/tls/testdata/Server-TLSv13-Resume create mode 100644 pkg/tls/testdata/Server-TLSv13-Resume-HelloRetryRequest create mode 100644 pkg/tls/testdata/Server-TLSv13-ResumeDisabled create mode 100644 pkg/tls/testdata/Server-TLSv13-X25519 create mode 100644 pkg/tls/testdata/example-cert.pem create mode 100644 pkg/tls/testdata/example-key.pem create mode 100644 pkg/tls/ticket.go create mode 100644 pkg/tls/ticket_test.go create mode 100644 pkg/tls/tls.go create mode 100644 pkg/tls/tls_test.go create mode 100644 tls.go create mode 100644 tls_test.go diff --git a/gnet.go b/gnet.go index f77ee5793..f8f3a41f5 100644 --- a/gnet.go +++ b/gnet.go @@ -441,6 +441,11 @@ var MaxStreamBufferCap = 64 * 1024 // 64KB func Run(eventHandler EventHandler, protoAddr string, opts ...Option) (err error) { options := loadOptions(opts...) + // upgrade to TLS EventHandler + if options.TLSConfig != nil { + eventHandler = &tlsEventHandler{EventHandler: eventHandler, tlsConfig: options.TLSConfig} + } + logger, logFlusher := logging.GetDefaultLogger(), logging.GetDefaultFlusher() if options.Logger == nil { if options.LogPath != "" { diff --git a/gnet_test.go b/gnet_test.go index e6150023d..d338cf8ae 100644 --- a/gnet_test.go +++ b/gnet_test.go @@ -4,6 +4,7 @@ import ( "bufio" "bytes" "context" + "crypto/tls" "encoding/binary" "errors" "io" @@ -38,6 +39,14 @@ func TestServe(t *testing.T) { // the engine will echo back the data. // waits for graceful connection closing. t.Run("poll", func(t *testing.T) { + t.Run("tls", func(t *testing.T) { + t.Run("1-loop", func(t *testing.T) { + testTLSServe(t, "tcp", ":9991", false, false, false, false, false, 10, RoundRobin) + }) + t.Run("N-loop", func(t *testing.T) { + testTLSServe(t, "tcp", ":9992", false, false, true, false, false, 10, LeastConnections) + }) + }) t.Run("tcp", func(t *testing.T) { t.Run("1-loop", func(t *testing.T) { testServe(t, "tcp", ":9991", false, false, false, false, false, 10, RoundRobin) @@ -105,6 +114,14 @@ func TestServe(t *testing.T) { }) t.Run("poll-reuseport", func(t *testing.T) { + t.Run("tls", func(t *testing.T) { + t.Run("1-loop", func(t *testing.T) { + testTLSServe(t, "tcp", ":9991", true, false, false, false, false, 10, RoundRobin) + }) + t.Run("N-loop", func(t *testing.T) { + testTLSServe(t, "tcp", ":9992", true, false, true, false, false, 10, LeastConnections) + }) + }) t.Run("tcp", func(t *testing.T) { t.Run("1-loop", func(t *testing.T) { testServe(t, "tcp", ":9991", true, false, false, false, false, 10, RoundRobin) @@ -172,6 +189,14 @@ func TestServe(t *testing.T) { }) t.Run("poll-reuseaddr", func(t *testing.T) { + t.Run("tls", func(t *testing.T) { + t.Run("1-loop", func(t *testing.T) { + testTLSServe(t, "tcp", ":9991", false, true, false, false, false, 10, RoundRobin) + }) + t.Run("N-loop", func(t *testing.T) { + testTLSServe(t, "tcp", ":9992", false, true, true, false, false, 10, LeastConnections) + }) + }) t.Run("tcp", func(t *testing.T) { t.Run("1-loop", func(t *testing.T) { testServe(t, "tcp", ":9991", false, true, false, false, false, 10, RoundRobin) @@ -238,6 +263,7 @@ type testServer struct { clientActive int32 disconnected int32 workerPool *goPool.Pool + isTLS bool } func (s *testServer) OnBoot(eng Engine) (action Action) { @@ -365,7 +391,7 @@ func (s *testServer) OnTick() (delay time.Duration, action Action) { for i := 0; i < s.nclients; i++ { atomic.AddInt32(&s.clientActive, 1) go func() { - startClient(s.tester, s.network, s.addr, s.multicore, s.async) + startClient(s.tester, s.network, s.addr, s.multicore, s.async, s.isTLS) atomic.AddInt32(&s.clientActive, -1) }() } @@ -377,6 +403,32 @@ func (s *testServer) OnTick() (delay time.Duration, action Action) { return } +func testTLSServe(t *testing.T, network, addr string, reuseport, reuseaddr, multicore, async, writev bool, nclients int, lb LoadBalancing) { + ts := &testServer{ + tester: t, + network: network, + addr: addr, + multicore: multicore, + async: async, + writev: writev, + nclients: nclients, + workerPool: goPool.Default(), + isTLS: true, + } + err := Run(ts, + network+"://"+addr, + WithLockOSThread(async), + WithMulticore(multicore), + WithReusePort(reuseport), + WithReuseAddr(reuseaddr), + WithTicker(true), + WithTCPKeepAlive(time.Minute*1), + WithTCPNoDelay(TCPDelay), + WithLoadBalancing(lb), + WithTLSConfig(getServerConfig())) + assert.NoError(t, err) +} + func testServe(t *testing.T, network, addr string, reuseport, reuseaddr, multicore, async, writev bool, nclients int, lb LoadBalancing) { ts := &testServer{ tester: t, @@ -401,9 +453,18 @@ func testServe(t *testing.T, network, addr string, reuseport, reuseaddr, multico assert.NoError(t, err) } -func startClient(t *testing.T, network, addr string, multicore, async bool) { +func startClient(t *testing.T, network, addr string, multicore, async bool, isTLS bool) { rand.Seed(time.Now().UnixNano()) - c, err := net.Dial(network, addr) + var ( + c net.Conn + err error + ) + if isTLS { + // TLS client use golang tls.Dial + c, err = tls.Dial(network, addr, getGoClientTLSConfig()) + } else { + c, err = net.Dial(network, addr) + } require.NoError(t, err) defer c.Close() rd := bufio.NewReader(c) diff --git a/go.mod b/go.mod index 9c94e27ed..bf94bc47e 100644 --- a/go.mod +++ b/go.mod @@ -6,7 +6,7 @@ require ( github.com/valyala/bytebufferpool v1.0.0 go.uber.org/zap v1.21.0 // don't upgrade this one golang.org/x/sync v0.6.0 - golang.org/x/sys v0.16.0 + golang.org/x/sys v0.18.0 gopkg.in/natefinch/lumberjack.v2 v2.2.1 ) @@ -15,7 +15,8 @@ require ( github.com/pmezard/go-difflib v1.0.0 // indirect go.uber.org/atomic v1.7.0 // indirect go.uber.org/multierr v1.6.0 // indirect + golang.org/x/crypto v0.21.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect ) -go 1.17 +go 1.21 diff --git a/go.sum b/go.sum index 3a9505260..ad0a886ac 100644 --- a/go.sum +++ b/go.sum @@ -37,6 +37,8 @@ go.uber.org/zap v1.21.0 h1:WefMeulhovoZ2sYXz7st6K0sLj7bBhpiFaud4r4zST8= go.uber.org/zap v1.21.0/go.mod h1:wjWOCqI0f2ZZrJF/UufIOkiC8ii6tm1iqIsLo76RfJw= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= +golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc= golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= @@ -55,6 +57,8 @@ golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= diff --git a/options.go b/options.go index fb39e7fbf..233b1fcca 100644 --- a/options.go +++ b/options.go @@ -18,6 +18,7 @@ import ( "time" "github.com/panjf2000/gnet/v2/pkg/logging" + "github.com/panjf2000/gnet/v2/pkg/tls" ) // Option is a function that will set up option. @@ -122,6 +123,9 @@ type Options struct { // Logger is the customized logger for logging info, if it is not set, // then gnet will use the default logger powered by go.uber.org/zap. Logger logging.Logger + + // TLSConfig support TLS + TLSConfig *tls.Config } // WithOptions sets up all options. @@ -249,3 +253,10 @@ func WithMulticastInterfaceIndex(idx int) Option { opts.MulticastInterfaceIndex = idx } } + +// WithTLSConfig sets support TLS +func WithTLSConfig(tlsConfig *tls.Config) Option { + return func(opts *Options) { + opts.TLSConfig = tlsConfig + } +} diff --git a/pkg/tls/alert.go b/pkg/tls/alert.go new file mode 100644 index 000000000..33022cd2b --- /dev/null +++ b/pkg/tls/alert.go @@ -0,0 +1,109 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import "strconv" + +// An AlertError is a TLS alert. +// +// When using a QUIC transport, QUICConn methods will return an error +// which wraps AlertError rather than sending a TLS alert. +type AlertError uint8 + +func (e AlertError) Error() string { + return alert(e).String() +} + +type alert uint8 + +const ( + // alert level + alertLevelWarning = 1 + alertLevelError = 2 +) + +const ( + alertCloseNotify alert = 0 + alertUnexpectedMessage alert = 10 + alertBadRecordMAC alert = 20 + alertDecryptionFailed alert = 21 + alertRecordOverflow alert = 22 + alertDecompressionFailure alert = 30 + alertHandshakeFailure alert = 40 + alertBadCertificate alert = 42 + alertUnsupportedCertificate alert = 43 + alertCertificateRevoked alert = 44 + alertCertificateExpired alert = 45 + alertCertificateUnknown alert = 46 + alertIllegalParameter alert = 47 + alertUnknownCA alert = 48 + alertAccessDenied alert = 49 + alertDecodeError alert = 50 + alertDecryptError alert = 51 + alertExportRestriction alert = 60 + alertProtocolVersion alert = 70 + alertInsufficientSecurity alert = 71 + alertInternalError alert = 80 + alertInappropriateFallback alert = 86 + alertUserCanceled alert = 90 + alertNoRenegotiation alert = 100 + alertMissingExtension alert = 109 + alertUnsupportedExtension alert = 110 + alertCertificateUnobtainable alert = 111 + alertUnrecognizedName alert = 112 + alertBadCertificateStatusResponse alert = 113 + alertBadCertificateHashValue alert = 114 + alertUnknownPSKIdentity alert = 115 + alertCertificateRequired alert = 116 + alertNoApplicationProtocol alert = 120 +) + +var alertText = map[alert]string{ + alertCloseNotify: "close notify", + alertUnexpectedMessage: "unexpected message", + alertBadRecordMAC: "bad record MAC", + alertDecryptionFailed: "decryption failed", + alertRecordOverflow: "record overflow", + alertDecompressionFailure: "decompression failure", + alertHandshakeFailure: "handshake failure", + alertBadCertificate: "bad certificate", + alertUnsupportedCertificate: "unsupported certificate", + alertCertificateRevoked: "revoked certificate", + alertCertificateExpired: "expired certificate", + alertCertificateUnknown: "unknown certificate", + alertIllegalParameter: "illegal parameter", + alertUnknownCA: "unknown certificate authority", + alertAccessDenied: "access denied", + alertDecodeError: "error decoding message", + alertDecryptError: "error decrypting message", + alertExportRestriction: "export restriction", + alertProtocolVersion: "protocol version not supported", + alertInsufficientSecurity: "insufficient security level", + alertInternalError: "internal error", + alertInappropriateFallback: "inappropriate fallback", + alertUserCanceled: "user canceled", + alertNoRenegotiation: "no renegotiation", + alertMissingExtension: "missing extension", + alertUnsupportedExtension: "unsupported extension", + alertCertificateUnobtainable: "certificate unobtainable", + alertUnrecognizedName: "unrecognized name", + alertBadCertificateStatusResponse: "bad certificate status response", + alertBadCertificateHashValue: "bad certificate hash value", + alertUnknownPSKIdentity: "unknown PSK identity", + alertCertificateRequired: "certificate required", + alertNoApplicationProtocol: "no application protocol", +} + +func (e alert) String() string { + s, ok := alertText[e] + if ok { + return "tls: " + s + } + return "tls: alert(" + strconv.Itoa(int(e)) + ")" +} + +func (e alert) Error() string { + return e.String() +} diff --git a/pkg/tls/auth.go b/pkg/tls/auth.go new file mode 100644 index 000000000..7c5675c6d --- /dev/null +++ b/pkg/tls/auth.go @@ -0,0 +1,293 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "bytes" + "crypto" + "crypto/ecdsa" + "crypto/ed25519" + "crypto/elliptic" + "crypto/rsa" + "errors" + "fmt" + "hash" + "io" +) + +// verifyHandshakeSignature verifies a signature against pre-hashed +// (if required) handshake contents. +func verifyHandshakeSignature(sigType uint8, pubkey crypto.PublicKey, hashFunc crypto.Hash, signed, sig []byte) error { + switch sigType { + case signatureECDSA: + pubKey, ok := pubkey.(*ecdsa.PublicKey) + if !ok { + return fmt.Errorf("expected an ECDSA public key, got %T", pubkey) + } + if !ecdsa.VerifyASN1(pubKey, signed, sig) { + return errors.New("ECDSA verification failure") + } + case signatureEd25519: + pubKey, ok := pubkey.(ed25519.PublicKey) + if !ok { + return fmt.Errorf("expected an Ed25519 public key, got %T", pubkey) + } + if !ed25519.Verify(pubKey, signed, sig) { + return errors.New("Ed25519 verification failure") + } + case signaturePKCS1v15: + pubKey, ok := pubkey.(*rsa.PublicKey) + if !ok { + return fmt.Errorf("expected an RSA public key, got %T", pubkey) + } + if err := rsa.VerifyPKCS1v15(pubKey, hashFunc, signed, sig); err != nil { + return err + } + case signatureRSAPSS: + pubKey, ok := pubkey.(*rsa.PublicKey) + if !ok { + return fmt.Errorf("expected an RSA public key, got %T", pubkey) + } + signOpts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash} + if err := rsa.VerifyPSS(pubKey, hashFunc, signed, sig, signOpts); err != nil { + return err + } + default: + return errors.New("internal error: unknown signature type") + } + return nil +} + +const ( + serverSignatureContext = "TLS 1.3, server CertificateVerify\x00" + clientSignatureContext = "TLS 1.3, client CertificateVerify\x00" +) + +var signaturePadding = []byte{ + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, + 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, +} + +// signedMessage returns the pre-hashed (if necessary) message to be signed by +// certificate keys in TLS 1.3. See RFC 8446, Section 4.4.3. +func signedMessage(sigHash crypto.Hash, context string, transcript hash.Hash) []byte { + if sigHash == directSigning { + b := &bytes.Buffer{} + b.Write(signaturePadding) + io.WriteString(b, context) + b.Write(transcript.Sum(nil)) + return b.Bytes() + } + h := sigHash.New() + h.Write(signaturePadding) + io.WriteString(h, context) + h.Write(transcript.Sum(nil)) + return h.Sum(nil) +} + +// typeAndHashFromSignatureScheme returns the corresponding signature type and +// crypto.Hash for a given TLS SignatureScheme. +func typeAndHashFromSignatureScheme(signatureAlgorithm SignatureScheme) (sigType uint8, hash crypto.Hash, err error) { + switch signatureAlgorithm { + case PKCS1WithSHA1, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512: + sigType = signaturePKCS1v15 + case PSSWithSHA256, PSSWithSHA384, PSSWithSHA512: + sigType = signatureRSAPSS + case ECDSAWithSHA1, ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512: + sigType = signatureECDSA + case Ed25519: + sigType = signatureEd25519 + default: + return 0, 0, fmt.Errorf("unsupported signature algorithm: %v", signatureAlgorithm) + } + switch signatureAlgorithm { + case PKCS1WithSHA1, ECDSAWithSHA1: + hash = crypto.SHA1 + case PKCS1WithSHA256, PSSWithSHA256, ECDSAWithP256AndSHA256: + hash = crypto.SHA256 + case PKCS1WithSHA384, PSSWithSHA384, ECDSAWithP384AndSHA384: + hash = crypto.SHA384 + case PKCS1WithSHA512, PSSWithSHA512, ECDSAWithP521AndSHA512: + hash = crypto.SHA512 + case Ed25519: + hash = directSigning + default: + return 0, 0, fmt.Errorf("unsupported signature algorithm: %v", signatureAlgorithm) + } + return sigType, hash, nil +} + +// legacyTypeAndHashFromPublicKey returns the fixed signature type and crypto.Hash for +// a given public key used with TLS 1.0 and 1.1, before the introduction of +// signature algorithm negotiation. +func legacyTypeAndHashFromPublicKey(pub crypto.PublicKey) (sigType uint8, hash crypto.Hash, err error) { + switch pub.(type) { + case *rsa.PublicKey: + return signaturePKCS1v15, crypto.MD5SHA1, nil + case *ecdsa.PublicKey: + return signatureECDSA, crypto.SHA1, nil + case ed25519.PublicKey: + // RFC 8422 specifies support for Ed25519 in TLS 1.0 and 1.1, + // but it requires holding on to a handshake transcript to do a + // full signature, and not even OpenSSL bothers with the + // complexity, so we can't even test it properly. + return 0, 0, fmt.Errorf("tls: Ed25519 public keys are not supported before TLS 1.2") + default: + return 0, 0, fmt.Errorf("tls: unsupported public key: %T", pub) + } +} + +var rsaSignatureSchemes = []struct { + scheme SignatureScheme + minModulusBytes int + maxVersion uint16 +}{ + // RSA-PSS is used with PSSSaltLengthEqualsHash, and requires + // emLen >= hLen + sLen + 2 + {PSSWithSHA256, crypto.SHA256.Size()*2 + 2, VersionTLS13}, + {PSSWithSHA384, crypto.SHA384.Size()*2 + 2, VersionTLS13}, + {PSSWithSHA512, crypto.SHA512.Size()*2 + 2, VersionTLS13}, + // PKCS #1 v1.5 uses prefixes from hashPrefixes in crypto/rsa, and requires + // emLen >= len(prefix) + hLen + 11 + // TLS 1.3 dropped support for PKCS #1 v1.5 in favor of RSA-PSS. + {PKCS1WithSHA256, 19 + crypto.SHA256.Size() + 11, VersionTLS12}, + {PKCS1WithSHA384, 19 + crypto.SHA384.Size() + 11, VersionTLS12}, + {PKCS1WithSHA512, 19 + crypto.SHA512.Size() + 11, VersionTLS12}, + {PKCS1WithSHA1, 15 + crypto.SHA1.Size() + 11, VersionTLS12}, +} + +// signatureSchemesForCertificate returns the list of supported SignatureSchemes +// for a given certificate, based on the public key and the protocol version, +// and optionally filtered by its explicit SupportedSignatureAlgorithms. +// +// This function must be kept in sync with supportedSignatureAlgorithms. +// FIPS filtering is applied in the caller, selectSignatureScheme. +func signatureSchemesForCertificate(version uint16, cert *Certificate) []SignatureScheme { + priv, ok := cert.PrivateKey.(crypto.Signer) + if !ok { + return nil + } + + var sigAlgs []SignatureScheme + switch pub := priv.Public().(type) { + case *ecdsa.PublicKey: + if version != VersionTLS13 { + // In TLS 1.2 and earlier, ECDSA algorithms are not + // constrained to a single curve. + sigAlgs = []SignatureScheme{ + ECDSAWithP256AndSHA256, + ECDSAWithP384AndSHA384, + ECDSAWithP521AndSHA512, + ECDSAWithSHA1, + } + break + } + switch pub.Curve { + case elliptic.P256(): + sigAlgs = []SignatureScheme{ECDSAWithP256AndSHA256} + case elliptic.P384(): + sigAlgs = []SignatureScheme{ECDSAWithP384AndSHA384} + case elliptic.P521(): + sigAlgs = []SignatureScheme{ECDSAWithP521AndSHA512} + default: + return nil + } + case *rsa.PublicKey: + size := pub.Size() + sigAlgs = make([]SignatureScheme, 0, len(rsaSignatureSchemes)) + for _, candidate := range rsaSignatureSchemes { + if size >= candidate.minModulusBytes && version <= candidate.maxVersion { + sigAlgs = append(sigAlgs, candidate.scheme) + } + } + case ed25519.PublicKey: + sigAlgs = []SignatureScheme{Ed25519} + default: + return nil + } + + if cert.SupportedSignatureAlgorithms != nil { + var filteredSigAlgs []SignatureScheme + for _, sigAlg := range sigAlgs { + if isSupportedSignatureAlgorithm(sigAlg, cert.SupportedSignatureAlgorithms) { + filteredSigAlgs = append(filteredSigAlgs, sigAlg) + } + } + return filteredSigAlgs + } + return sigAlgs +} + +// selectSignatureScheme picks a SignatureScheme from the peer's preference list +// that works with the selected certificate. It's only called for protocol +// versions that support signature algorithms, so TLS 1.2 and 1.3. +func selectSignatureScheme(vers uint16, c *Certificate, peerAlgs []SignatureScheme) (SignatureScheme, error) { + supportedAlgs := signatureSchemesForCertificate(vers, c) + if len(supportedAlgs) == 0 { + return 0, unsupportedCertificateError(c) + } + if len(peerAlgs) == 0 && vers == VersionTLS12 { + // For TLS 1.2, if the client didn't send signature_algorithms then we + // can assume that it supports SHA1. See RFC 5246, Section 7.4.1.4.1. + peerAlgs = []SignatureScheme{PKCS1WithSHA1, ECDSAWithSHA1} + } + // Pick signature scheme in the peer's preference order, as our + // preference order is not configurable. + for _, preferredAlg := range peerAlgs { + if needFIPS() && !isSupportedSignatureAlgorithm(preferredAlg, fipsSupportedSignatureAlgorithms) { + continue + } + if isSupportedSignatureAlgorithm(preferredAlg, supportedAlgs) { + return preferredAlg, nil + } + } + return 0, errors.New("tls: peer doesn't support any of the certificate's signature algorithms") +} + +// unsupportedCertificateError returns a helpful error for certificates with +// an unsupported private key. +func unsupportedCertificateError(cert *Certificate) error { + switch cert.PrivateKey.(type) { + case rsa.PrivateKey, ecdsa.PrivateKey: + return fmt.Errorf("tls: unsupported certificate: private key is %T, expected *%T", + cert.PrivateKey, cert.PrivateKey) + case *ed25519.PrivateKey: + return fmt.Errorf("tls: unsupported certificate: private key is *ed25519.PrivateKey, expected ed25519.PrivateKey") + } + + signer, ok := cert.PrivateKey.(crypto.Signer) + if !ok { + return fmt.Errorf("tls: certificate private key (%T) does not implement crypto.Signer", + cert.PrivateKey) + } + + switch pub := signer.Public().(type) { + case *ecdsa.PublicKey: + switch pub.Curve { + case elliptic.P256(): + case elliptic.P384(): + case elliptic.P521(): + default: + return fmt.Errorf("tls: unsupported certificate curve (%s)", pub.Curve.Params().Name) + } + case *rsa.PublicKey: + return fmt.Errorf("tls: certificate RSA key size too small for supported signature algorithms") + case ed25519.PublicKey: + default: + return fmt.Errorf("tls: unsupported certificate key (%T)", pub) + } + + if cert.SupportedSignatureAlgorithms != nil { + return fmt.Errorf("tls: peer doesn't support the certificate custom signature algorithms") + } + + return fmt.Errorf("tls: internal error: unsupported key (%T)", cert.PrivateKey) +} diff --git a/pkg/tls/auth_test.go b/pkg/tls/auth_test.go new file mode 100644 index 000000000..c23d93f3c --- /dev/null +++ b/pkg/tls/auth_test.go @@ -0,0 +1,168 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "crypto" + "testing" +) + +func TestSignatureSelection(t *testing.T) { + rsaCert := &Certificate{ + Certificate: [][]byte{testRSACertificate}, + PrivateKey: testRSAPrivateKey, + } + pkcs1Cert := &Certificate{ + Certificate: [][]byte{testRSACertificate}, + PrivateKey: testRSAPrivateKey, + SupportedSignatureAlgorithms: []SignatureScheme{PKCS1WithSHA1, PKCS1WithSHA256}, + } + ecdsaCert := &Certificate{ + Certificate: [][]byte{testP256Certificate}, + PrivateKey: testP256PrivateKey, + } + ed25519Cert := &Certificate{ + Certificate: [][]byte{testEd25519Certificate}, + PrivateKey: testEd25519PrivateKey, + } + + tests := []struct { + cert *Certificate + peerSigAlgs []SignatureScheme + tlsVersion uint16 + + expectedSigAlg SignatureScheme + expectedSigType uint8 + expectedHash crypto.Hash + }{ + {rsaCert, []SignatureScheme{PKCS1WithSHA1, PKCS1WithSHA256}, VersionTLS12, PKCS1WithSHA1, signaturePKCS1v15, crypto.SHA1}, + {rsaCert, []SignatureScheme{PKCS1WithSHA512, PKCS1WithSHA1}, VersionTLS12, PKCS1WithSHA512, signaturePKCS1v15, crypto.SHA512}, + {rsaCert, []SignatureScheme{PSSWithSHA256, PKCS1WithSHA256}, VersionTLS12, PSSWithSHA256, signatureRSAPSS, crypto.SHA256}, + {pkcs1Cert, []SignatureScheme{PSSWithSHA256, PKCS1WithSHA256}, VersionTLS12, PKCS1WithSHA256, signaturePKCS1v15, crypto.SHA256}, + {rsaCert, []SignatureScheme{PSSWithSHA384, PKCS1WithSHA1}, VersionTLS13, PSSWithSHA384, signatureRSAPSS, crypto.SHA384}, + {ecdsaCert, []SignatureScheme{ECDSAWithSHA1}, VersionTLS12, ECDSAWithSHA1, signatureECDSA, crypto.SHA1}, + {ecdsaCert, []SignatureScheme{ECDSAWithP256AndSHA256}, VersionTLS12, ECDSAWithP256AndSHA256, signatureECDSA, crypto.SHA256}, + {ecdsaCert, []SignatureScheme{ECDSAWithP256AndSHA256}, VersionTLS13, ECDSAWithP256AndSHA256, signatureECDSA, crypto.SHA256}, + {ed25519Cert, []SignatureScheme{Ed25519}, VersionTLS12, Ed25519, signatureEd25519, directSigning}, + {ed25519Cert, []SignatureScheme{Ed25519}, VersionTLS13, Ed25519, signatureEd25519, directSigning}, + + // TLS 1.2 without signature_algorithms extension + {rsaCert, nil, VersionTLS12, PKCS1WithSHA1, signaturePKCS1v15, crypto.SHA1}, + {ecdsaCert, nil, VersionTLS12, ECDSAWithSHA1, signatureECDSA, crypto.SHA1}, + + // TLS 1.2 does not restrict the ECDSA curve (our ecdsaCert is P-256) + {ecdsaCert, []SignatureScheme{ECDSAWithP384AndSHA384}, VersionTLS12, ECDSAWithP384AndSHA384, signatureECDSA, crypto.SHA384}, + } + + for testNo, test := range tests { + sigAlg, err := selectSignatureScheme(test.tlsVersion, test.cert, test.peerSigAlgs) + if err != nil { + t.Errorf("test[%d]: unexpected selectSignatureScheme error: %v", testNo, err) + } + if test.expectedSigAlg != sigAlg { + t.Errorf("test[%d]: expected signature scheme %v, got %v", testNo, test.expectedSigAlg, sigAlg) + } + sigType, hashFunc, err := typeAndHashFromSignatureScheme(sigAlg) + if err != nil { + t.Errorf("test[%d]: unexpected typeAndHashFromSignatureScheme error: %v", testNo, err) + } + if test.expectedSigType != sigType { + t.Errorf("test[%d]: expected signature algorithm %#x, got %#x", testNo, test.expectedSigType, sigType) + } + if test.expectedHash != hashFunc { + t.Errorf("test[%d]: expected hash function %#x, got %#x", testNo, test.expectedHash, hashFunc) + } + } + + brokenCert := &Certificate{ + Certificate: [][]byte{testRSACertificate}, + PrivateKey: testRSAPrivateKey, + SupportedSignatureAlgorithms: []SignatureScheme{Ed25519}, + } + + badTests := []struct { + cert *Certificate + peerSigAlgs []SignatureScheme + tlsVersion uint16 + }{ + {rsaCert, []SignatureScheme{ECDSAWithP256AndSHA256, ECDSAWithSHA1}, VersionTLS12}, + {ecdsaCert, []SignatureScheme{PKCS1WithSHA256, PKCS1WithSHA1}, VersionTLS12}, + {rsaCert, []SignatureScheme{0}, VersionTLS12}, + {ed25519Cert, []SignatureScheme{ECDSAWithP256AndSHA256, ECDSAWithSHA1}, VersionTLS12}, + {ecdsaCert, []SignatureScheme{Ed25519}, VersionTLS12}, + {brokenCert, []SignatureScheme{Ed25519}, VersionTLS12}, + {brokenCert, []SignatureScheme{PKCS1WithSHA256}, VersionTLS12}, + // RFC 5246, Section 7.4.1.4.1, says to only consider {sha1,ecdsa} as + // default when the extension is missing, and RFC 8422 does not update + // it. Anyway, if a stack supports Ed25519 it better support sigalgs. + {ed25519Cert, nil, VersionTLS12}, + // TLS 1.3 has no default signature_algorithms. + {rsaCert, nil, VersionTLS13}, + {ecdsaCert, nil, VersionTLS13}, + {ed25519Cert, nil, VersionTLS13}, + // Wrong curve, which TLS 1.3 checks + {ecdsaCert, []SignatureScheme{ECDSAWithP384AndSHA384}, VersionTLS13}, + // TLS 1.3 does not support PKCS1v1.5 or SHA-1. + {rsaCert, []SignatureScheme{PKCS1WithSHA256}, VersionTLS13}, + {pkcs1Cert, []SignatureScheme{PSSWithSHA256, PKCS1WithSHA256}, VersionTLS13}, + {ecdsaCert, []SignatureScheme{ECDSAWithSHA1}, VersionTLS13}, + // The key can be too small for the hash. + {rsaCert, []SignatureScheme{PSSWithSHA512}, VersionTLS12}, + } + + for testNo, test := range badTests { + sigAlg, err := selectSignatureScheme(test.tlsVersion, test.cert, test.peerSigAlgs) + if err == nil { + t.Errorf("test[%d]: unexpected success, got %v", testNo, sigAlg) + } + } +} + +func TestLegacyTypeAndHash(t *testing.T) { + sigType, hashFunc, err := legacyTypeAndHashFromPublicKey(testRSAPrivateKey.Public()) + if err != nil { + t.Errorf("RSA: unexpected error: %v", err) + } + if expectedSigType := signaturePKCS1v15; expectedSigType != sigType { + t.Errorf("RSA: expected signature type %#x, got %#x", expectedSigType, sigType) + } + if expectedHashFunc := crypto.MD5SHA1; expectedHashFunc != hashFunc { + t.Errorf("RSA: expected hash %#x, got %#x", expectedHashFunc, hashFunc) + } + + sigType, hashFunc, err = legacyTypeAndHashFromPublicKey(testECDSAPrivateKey.Public()) + if err != nil { + t.Errorf("ECDSA: unexpected error: %v", err) + } + if expectedSigType := signatureECDSA; expectedSigType != sigType { + t.Errorf("ECDSA: expected signature type %#x, got %#x", expectedSigType, sigType) + } + if expectedHashFunc := crypto.SHA1; expectedHashFunc != hashFunc { + t.Errorf("ECDSA: expected hash %#x, got %#x", expectedHashFunc, hashFunc) + } + + // Ed25519 is not supported by TLS 1.0 and 1.1. + _, _, err = legacyTypeAndHashFromPublicKey(testEd25519PrivateKey.Public()) + if err == nil { + t.Errorf("Ed25519: unexpected success") + } +} + +// TestSupportedSignatureAlgorithms checks that all supportedSignatureAlgorithms +// have valid type and hash information. +func TestSupportedSignatureAlgorithms(t *testing.T) { + for _, sigAlg := range supportedSignatureAlgorithms() { + sigType, hash, err := typeAndHashFromSignatureScheme(sigAlg) + if err != nil { + t.Errorf("%v: unexpected error: %v", sigAlg, err) + } + if sigType == 0 { + t.Errorf("%v: missing signature type", sigAlg) + } + if hash == 0 && sigAlg != Ed25519 { + t.Errorf("%v: missing hash", sigAlg) + } + } +} diff --git a/pkg/tls/boring.go b/pkg/tls/boring.go new file mode 100644 index 000000000..7e87ca2c0 --- /dev/null +++ b/pkg/tls/boring.go @@ -0,0 +1,98 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build boringcrypto + +package tls + +import ( + "github.com/panjf2000/gnet/v2/pkg/tls/internal/boring/fipstls" +) + +// needFIPS returns fipstls.Required(); it avoids a new import in common.go. +func needFIPS() bool { + return fipstls.Required() +} + +// fipsMinVersion replaces c.minVersion in FIPS-only mode. +func fipsMinVersion(c *Config) uint16 { + // FIPS requires TLS 1.2. + return VersionTLS12 +} + +// fipsMaxVersion replaces c.maxVersion in FIPS-only mode. +func fipsMaxVersion(c *Config) uint16 { + // FIPS requires TLS 1.2. + return VersionTLS12 +} + +// default defaultFIPSCurvePreferences is the FIPS-allowed curves, +// in preference order (most preferable first). +var defaultFIPSCurvePreferences = []CurveID{CurveP256, CurveP384, CurveP521} + +// fipsCurvePreferences replaces c.curvePreferences in FIPS-only mode. +func fipsCurvePreferences(c *Config) []CurveID { + if c == nil || len(c.CurvePreferences) == 0 { + return defaultFIPSCurvePreferences + } + var list []CurveID + for _, id := range c.CurvePreferences { + for _, allowed := range defaultFIPSCurvePreferences { + if id == allowed { + list = append(list, id) + break + } + } + } + return list +} + +// defaultCipherSuitesFIPS are the FIPS-allowed cipher suites. +var defaultCipherSuitesFIPS = []uint16{ + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_256_GCM_SHA384, +} + +// fipsCipherSuites replaces c.cipherSuites in FIPS-only mode. +func fipsCipherSuites(c *Config) []uint16 { + if c == nil || c.CipherSuites == nil { + return defaultCipherSuitesFIPS + } + list := make([]uint16, 0, len(defaultCipherSuitesFIPS)) + for _, id := range c.CipherSuites { + for _, allowed := range defaultCipherSuitesFIPS { + if id == allowed { + list = append(list, id) + break + } + } + } + return list +} + +// fipsSupportedSignatureAlgorithms currently are a subset of +// defaultSupportedSignatureAlgorithms without Ed25519 and SHA-1. +var fipsSupportedSignatureAlgorithms = []SignatureScheme{ + PSSWithSHA256, + PSSWithSHA384, + PSSWithSHA512, + PKCS1WithSHA256, + ECDSAWithP256AndSHA256, + PKCS1WithSHA384, + ECDSAWithP384AndSHA384, + PKCS1WithSHA512, + ECDSAWithP521AndSHA512, +} + +// supportedSignatureAlgorithms returns the supported signature algorithms. +func supportedSignatureAlgorithms() []SignatureScheme { + if !needFIPS() { + return defaultSupportedSignatureAlgorithms + } + return fipsSupportedSignatureAlgorithms +} diff --git a/pkg/tls/boring_test.go b/pkg/tls/boring_test.go new file mode 100644 index 000000000..163f90a43 --- /dev/null +++ b/pkg/tls/boring_test.go @@ -0,0 +1,618 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build boringcrypto + +package tls + +import ( + "crypto/ecdsa" + "crypto/elliptic" + "crypto/rand" + "crypto/rsa" + "crypto/x509" + "crypto/x509/pkix" + "encoding/pem" + "fmt" + "internal/obscuretestdata" + "math/big" + "net" + "runtime" + "strings" + "testing" + "time" + + "github.com/panjf2000/gnet/v2/pkg/tls/internal/boring/fipstls" +) + +func TestBoringServerProtocolVersion(t *testing.T) { + test := func(name string, v uint16, msg string) { + t.Run(name, func(t *testing.T) { + serverConfig := testConfig.Clone() + serverConfig.MinVersion = VersionSSL30 + clientHello := &clientHelloMsg{ + vers: v, + random: make([]byte, 32), + cipherSuites: allCipherSuites(), + compressionMethods: []uint8{compressionNone}, + supportedVersions: []uint16{v}, + } + testClientHelloFailure(t, serverConfig, clientHello, msg) + }) + } + + test("VersionTLS10", VersionTLS10, "") + test("VersionTLS11", VersionTLS11, "") + test("VersionTLS12", VersionTLS12, "") + test("VersionTLS13", VersionTLS13, "") + + fipstls.Force() + defer fipstls.Abandon() + test("VersionSSL30", VersionSSL30, "client offered only unsupported versions") + test("VersionTLS10", VersionTLS10, "client offered only unsupported versions") + test("VersionTLS11", VersionTLS11, "client offered only unsupported versions") + test("VersionTLS12", VersionTLS12, "") + test("VersionTLS13", VersionTLS13, "client offered only unsupported versions") +} + +func isBoringVersion(v uint16) bool { + return v == VersionTLS12 +} + +func isBoringCipherSuite(id uint16) bool { + switch id { + case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_256_GCM_SHA384: + return true + } + return false +} + +func isBoringCurve(id CurveID) bool { + switch id { + case CurveP256, CurveP384, CurveP521: + return true + } + return false +} + +func isECDSA(id uint16) bool { + for _, suite := range cipherSuites { + if suite.id == id { + return suite.flags&suiteECSign == suiteECSign + } + } + panic(fmt.Sprintf("unknown cipher suite %#x", id)) +} + +func isBoringSignatureScheme(alg SignatureScheme) bool { + switch alg { + default: + return false + case PKCS1WithSHA256, + ECDSAWithP256AndSHA256, + PKCS1WithSHA384, + ECDSAWithP384AndSHA384, + PKCS1WithSHA512, + ECDSAWithP521AndSHA512, + PSSWithSHA256, + PSSWithSHA384, + PSSWithSHA512: + // ok + } + return true +} + +func TestBoringServerCipherSuites(t *testing.T) { + serverConfig := testConfig.Clone() + serverConfig.CipherSuites = allCipherSuites() + serverConfig.Certificates = make([]Certificate, 1) + + for _, id := range allCipherSuites() { + if isECDSA(id) { + serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate} + serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey + } else { + serverConfig.Certificates[0].Certificate = [][]byte{testRSACertificate} + serverConfig.Certificates[0].PrivateKey = testRSAPrivateKey + } + serverConfig.BuildNameToCertificate() + t.Run(fmt.Sprintf("suite=%#x", id), func(t *testing.T) { + clientHello := &clientHelloMsg{ + vers: VersionTLS12, + random: make([]byte, 32), + cipherSuites: []uint16{id}, + compressionMethods: []uint8{compressionNone}, + supportedCurves: defaultCurvePreferences, + supportedPoints: []uint8{pointFormatUncompressed}, + } + + testClientHello(t, serverConfig, clientHello) + t.Run("fipstls", func(t *testing.T) { + fipstls.Force() + defer fipstls.Abandon() + msg := "" + if !isBoringCipherSuite(id) { + msg = "no cipher suite supported by both client and server" + } + testClientHelloFailure(t, serverConfig, clientHello, msg) + }) + }) + } +} + +func TestBoringServerCurves(t *testing.T) { + serverConfig := testConfig.Clone() + serverConfig.Certificates = make([]Certificate, 1) + serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate} + serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey + serverConfig.BuildNameToCertificate() + + for _, curveid := range defaultCurvePreferences { + t.Run(fmt.Sprintf("curve=%d", curveid), func(t *testing.T) { + clientHello := &clientHelloMsg{ + vers: VersionTLS12, + random: make([]byte, 32), + cipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, + compressionMethods: []uint8{compressionNone}, + supportedCurves: []CurveID{curveid}, + supportedPoints: []uint8{pointFormatUncompressed}, + } + + testClientHello(t, serverConfig, clientHello) + + // With fipstls forced, bad curves should be rejected. + t.Run("fipstls", func(t *testing.T) { + fipstls.Force() + defer fipstls.Abandon() + msg := "" + if !isBoringCurve(curveid) { + msg = "no cipher suite supported by both client and server" + } + testClientHelloFailure(t, serverConfig, clientHello, msg) + }) + }) + } +} + +func boringHandshake(t *testing.T, clientConfig, serverConfig *Config) (clientErr, serverErr error) { + c, s := localPipe(t) + client := Client(c, clientConfig) + server := Server(s, serverConfig) + done := make(chan error, 1) + go func() { + done <- client.Handshake() + c.Close() + }() + serverErr = server.Handshake() + s.Close() + clientErr = <-done + return +} + +func TestBoringServerSignatureAndHash(t *testing.T) { + defer func() { + testingOnlyForceClientHelloSignatureAlgorithms = nil + }() + + for _, sigHash := range defaultSupportedSignatureAlgorithms { + t.Run(fmt.Sprintf("%v", sigHash), func(t *testing.T) { + serverConfig := testConfig.Clone() + serverConfig.Certificates = make([]Certificate, 1) + + testingOnlyForceClientHelloSignatureAlgorithms = []SignatureScheme{sigHash} + + sigType, _, _ := typeAndHashFromSignatureScheme(sigHash) + switch sigType { + case signaturePKCS1v15, signatureRSAPSS: + serverConfig.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256} + serverConfig.Certificates[0].Certificate = [][]byte{testRSA2048Certificate} + serverConfig.Certificates[0].PrivateKey = testRSA2048PrivateKey + case signatureEd25519: + serverConfig.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256} + serverConfig.Certificates[0].Certificate = [][]byte{testEd25519Certificate} + serverConfig.Certificates[0].PrivateKey = testEd25519PrivateKey + case signatureECDSA: + serverConfig.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256} + serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate} + serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey + } + serverConfig.BuildNameToCertificate() + // PKCS#1 v1.5 signature algorithms can't be used standalone in TLS + // 1.3, and the ECDSA ones bind to the curve used. + serverConfig.MaxVersion = VersionTLS12 + + clientErr, serverErr := boringHandshake(t, testConfig, serverConfig) + if clientErr != nil { + t.Fatalf("expected handshake with %#x to succeed; client error: %v; server error: %v", sigHash, clientErr, serverErr) + } + + // With fipstls forced, bad curves should be rejected. + t.Run("fipstls", func(t *testing.T) { + fipstls.Force() + defer fipstls.Abandon() + clientErr, _ := boringHandshake(t, testConfig, serverConfig) + if isBoringSignatureScheme(sigHash) { + if clientErr != nil { + t.Fatalf("expected handshake with %#x to succeed; err=%v", sigHash, clientErr) + } + } else { + if clientErr == nil { + t.Fatalf("expected handshake with %#x to fail, but it succeeded", sigHash) + } + } + }) + }) + } +} + +func TestBoringClientHello(t *testing.T) { + // Test that no matter what we put in the client config, + // the client does not offer non-FIPS configurations. + fipstls.Force() + defer fipstls.Abandon() + + c, s := net.Pipe() + defer c.Close() + defer s.Close() + + clientConfig := testConfig.Clone() + // All sorts of traps for the client to avoid. + clientConfig.MinVersion = VersionSSL30 + clientConfig.MaxVersion = VersionTLS13 + clientConfig.CipherSuites = allCipherSuites() + clientConfig.CurvePreferences = defaultCurvePreferences + + go Client(c, clientConfig).Handshake() + srv := Server(s, testConfig) + msg, err := srv.readHandshake(nil) + if err != nil { + t.Fatal(err) + } + hello, ok := msg.(*clientHelloMsg) + if !ok { + t.Fatalf("unexpected message type %T", msg) + } + + if !isBoringVersion(hello.vers) { + t.Errorf("client vers=%#x, want %#x (TLS 1.2)", hello.vers, VersionTLS12) + } + for _, v := range hello.supportedVersions { + if !isBoringVersion(v) { + t.Errorf("client offered disallowed version %#x", v) + } + } + for _, id := range hello.cipherSuites { + if !isBoringCipherSuite(id) { + t.Errorf("client offered disallowed suite %#x", id) + } + } + for _, id := range hello.supportedCurves { + if !isBoringCurve(id) { + t.Errorf("client offered disallowed curve %d", id) + } + } + for _, sigHash := range hello.supportedSignatureAlgorithms { + if !isBoringSignatureScheme(sigHash) { + t.Errorf("client offered disallowed signature-and-hash %v", sigHash) + } + } +} + +func TestBoringCertAlgs(t *testing.T) { + // NaCl, arm and wasm time out generating keys. Nothing in this test is architecture-specific, so just don't bother on those. + if runtime.GOOS == "nacl" || runtime.GOARCH == "arm" || runtime.GOOS == "js" { + t.Skipf("skipping on %s/%s because key generation takes too long", runtime.GOOS, runtime.GOARCH) + } + + // Set up some roots, intermediate CAs, and leaf certs with various algorithms. + // X_Y is X signed by Y. + R1 := boringCert(t, "R1", boringRSAKey(t, 2048), nil, boringCertCA|boringCertFIPSOK) + R2 := boringCert(t, "R2", boringRSAKey(t, 512), nil, boringCertCA) + + M1_R1 := boringCert(t, "M1_R1", boringECDSAKey(t, elliptic.P256()), R1, boringCertCA|boringCertFIPSOK) + M2_R1 := boringCert(t, "M2_R1", boringECDSAKey(t, elliptic.P224()), R1, boringCertCA) + + I_R1 := boringCert(t, "I_R1", boringRSAKey(t, 3072), R1, boringCertCA|boringCertFIPSOK) + I_R2 := boringCert(t, "I_R2", I_R1.key, R2, boringCertCA|boringCertFIPSOK) + I_M1 := boringCert(t, "I_M1", I_R1.key, M1_R1, boringCertCA|boringCertFIPSOK) + I_M2 := boringCert(t, "I_M2", I_R1.key, M2_R1, boringCertCA|boringCertFIPSOK) + + L1_I := boringCert(t, "L1_I", boringECDSAKey(t, elliptic.P384()), I_R1, boringCertLeaf|boringCertFIPSOK) + L2_I := boringCert(t, "L2_I", boringRSAKey(t, 1024), I_R1, boringCertLeaf) + + // client verifying server cert + testServerCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) { + clientConfig := testConfig.Clone() + clientConfig.RootCAs = pool + clientConfig.InsecureSkipVerify = false + clientConfig.ServerName = "example.com" + + serverConfig := testConfig.Clone() + serverConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}} + serverConfig.BuildNameToCertificate() + + clientErr, _ := boringHandshake(t, clientConfig, serverConfig) + + if (clientErr == nil) == ok { + if ok { + t.Logf("%s: accept", desc) + } else { + t.Logf("%s: reject", desc) + } + } else { + if ok { + t.Errorf("%s: BAD reject (%v)", desc, clientErr) + } else { + t.Errorf("%s: BAD accept", desc) + } + } + } + + // server verifying client cert + testClientCert := func(t *testing.T, desc string, pool *x509.CertPool, key interface{}, list [][]byte, ok bool) { + clientConfig := testConfig.Clone() + clientConfig.ServerName = "example.com" + clientConfig.Certificates = []Certificate{{Certificate: list, PrivateKey: key}} + + serverConfig := testConfig.Clone() + serverConfig.ClientCAs = pool + serverConfig.ClientAuth = RequireAndVerifyClientCert + + _, serverErr := boringHandshake(t, clientConfig, serverConfig) + + if (serverErr == nil) == ok { + if ok { + t.Logf("%s: accept", desc) + } else { + t.Logf("%s: reject", desc) + } + } else { + if ok { + t.Errorf("%s: BAD reject (%v)", desc, serverErr) + } else { + t.Errorf("%s: BAD accept", desc) + } + } + } + + // Run simple basic test with known answers before proceeding to + // exhaustive test with computed answers. + r1pool := x509.NewCertPool() + r1pool.AddCert(R1.cert) + testServerCert(t, "basic", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true) + testClientCert(t, "basic (client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, true) + fipstls.Force() + testServerCert(t, "basic (fips)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false) + testClientCert(t, "basic (fips, client cert)", r1pool, L2_I.key, [][]byte{L2_I.der, I_R1.der}, false) + fipstls.Abandon() + + if t.Failed() { + t.Fatal("basic test failed, skipping exhaustive test") + } + + if testing.Short() { + t.Logf("basic test passed; skipping exhaustive test in -short mode") + return + } + + for l := 1; l <= 2; l++ { + leaf := L1_I + if l == 2 { + leaf = L2_I + } + for i := 0; i < 64; i++ { + reachable := map[string]bool{leaf.parentOrg: true} + reachableFIPS := map[string]bool{leaf.parentOrg: leaf.fipsOK} + list := [][]byte{leaf.der} + listName := leaf.name + addList := func(cond int, c *boringCertificate) { + if cond != 0 { + list = append(list, c.der) + listName += "," + c.name + if reachable[c.org] { + reachable[c.parentOrg] = true + } + if reachableFIPS[c.org] && c.fipsOK { + reachableFIPS[c.parentOrg] = true + } + } + } + addList(i&1, I_R1) + addList(i&2, I_R2) + addList(i&4, I_M1) + addList(i&8, I_M2) + addList(i&16, M1_R1) + addList(i&32, M2_R1) + + for r := 1; r <= 3; r++ { + pool := x509.NewCertPool() + rootName := "," + shouldVerify := false + shouldVerifyFIPS := false + addRoot := func(cond int, c *boringCertificate) { + if cond != 0 { + rootName += "," + c.name + pool.AddCert(c.cert) + if reachable[c.org] { + shouldVerify = true + } + if reachableFIPS[c.org] && c.fipsOK { + shouldVerifyFIPS = true + } + } + } + addRoot(r&1, R1) + addRoot(r&2, R2) + rootName = rootName[1:] // strip leading comma + testServerCert(t, listName+"->"+rootName[1:], pool, leaf.key, list, shouldVerify) + testClientCert(t, listName+"->"+rootName[1:]+"(client cert)", pool, leaf.key, list, shouldVerify) + fipstls.Force() + testServerCert(t, listName+"->"+rootName[1:]+" (fips)", pool, leaf.key, list, shouldVerifyFIPS) + testClientCert(t, listName+"->"+rootName[1:]+" (fips, client cert)", pool, leaf.key, list, shouldVerifyFIPS) + fipstls.Abandon() + } + } + } +} + +const ( + boringCertCA = iota + boringCertLeaf + boringCertFIPSOK = 0x80 +) + +func boringRSAKey(t *testing.T, size int) *rsa.PrivateKey { + k, err := rsa.GenerateKey(rand.Reader, size) + if err != nil { + t.Fatal(err) + } + return k +} + +func boringECDSAKey(t *testing.T, curve elliptic.Curve) *ecdsa.PrivateKey { + k, err := ecdsa.GenerateKey(curve, rand.Reader) + if err != nil { + t.Fatal(err) + } + return k +} + +type boringCertificate struct { + name string + org string + parentOrg string + der []byte + cert *x509.Certificate + key interface{} + fipsOK bool +} + +func boringCert(t *testing.T, name string, key interface{}, parent *boringCertificate, mode int) *boringCertificate { + org := name + parentOrg := "" + if i := strings.Index(org, "_"); i >= 0 { + org = org[:i] + parentOrg = name[i+1:] + } + tmpl := &x509.Certificate{ + SerialNumber: big.NewInt(1), + Subject: pkix.Name{ + Organization: []string{org}, + }, + NotBefore: time.Unix(0, 0), + NotAfter: time.Unix(0, 0), + + KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}, + BasicConstraintsValid: true, + } + if mode&^boringCertFIPSOK == boringCertLeaf { + tmpl.DNSNames = []string{"example.com"} + } else { + tmpl.IsCA = true + tmpl.KeyUsage |= x509.KeyUsageCertSign + } + + var pcert *x509.Certificate + var pkey interface{} + if parent != nil { + pcert = parent.cert + pkey = parent.key + } else { + pcert = tmpl + pkey = key + } + + var pub interface{} + switch k := key.(type) { + case *rsa.PrivateKey: + pub = &k.PublicKey + case *ecdsa.PrivateKey: + pub = &k.PublicKey + default: + t.Fatalf("invalid key %T", key) + } + + der, err := x509.CreateCertificate(rand.Reader, tmpl, pcert, pub, pkey) + if err != nil { + t.Fatal(err) + } + cert, err := x509.ParseCertificate(der) + if err != nil { + t.Fatal(err) + } + + fipsOK := mode&boringCertFIPSOK != 0 + return &boringCertificate{name, org, parentOrg, der, cert, key, fipsOK} +} + +// A self-signed test certificate with an RSA key of size 2048, for testing +// RSA-PSS with SHA512. SAN of example.golang. +var ( + testRSA2048Certificate []byte + testRSA2048PrivateKey *rsa.PrivateKey +) + +func init() { + block, _ := pem.Decode(obscuretestdata.Rot13([]byte(` +-----ORTVA PREGVSVPNGR----- +ZVVP/mPPNrrtNjVONtVENYUUK/xu4+4mZH9QnemORpDjQDLWXbMVuipANDRYODNj +RwRDZN4TN1HRPuZUDJAgMFOQomNrSj0kZGNkZQRkAGN0ZQInSj0lZQRlZwxkAGN0 +ZQInZOVkRQNBOtAIONbGO0SwoJHtD28jttRvZN0TPFdTFVo3QDRONDHNN4VOQjNj +ttRXNbVONDPs8sx0A6vrPOK4VBIVsXvgg4xTpBDYrvzPsfwddUplfZVITRgSFZ6R +4Nl141s/7VdqJ0HgVdAo4CKuEBVQ7lQkE284kY6KoPhi/g5uC3HpruLp3uzYvlIq +ZxMDvMJgsHHWs/1dBgZ+buAt59YEJc4q+6vK0yn1WY3RjPVpxxAwW9uDoS7Co2PF ++RF9Lb55XNnc8XBoycpE8ZOFA38odajwsDqPKiBRBwnz2UHkXmRSK5ZN+sN0zr4P +vbPpPEYJXy+TbA9S8sNOsbM+G+2rny4QYhB95eKE8FeBVIOu3KSBe/EIuwgKpAIS +MXpiQg6q68I6wNXNLXz5ayw9TCcq4i+eNtZONNTwHQOBZN4TN1HqQjRO/jDRNjVS +bQNGOtAIUFHRQQNXOtteOtRSODpQNGNZOtAIUEZONs8RNwNNZOxTN1HqRDDFZOPP +QzI4LJ1joTHhM29fLJ5aZN0TPFdTFVo3QDROPjHNN4VONDPBbLfIpSPOuobdr3JU +qP6I7KKKRPzawu01e8u80li0AE379aFQ3pj2Z+UXinKlfJdey5uwTIXj0igjQ81e +I4WmQh7VsVbt5z8+DAP+7YdQMfm88iQXBefblFIBzHPtzPXSKrj+YN+rB/vDRWGe +7rafqqBrKWRc27Rq5iJ+xzJJ3Dztyp2Tjl8jSeZQVdaeaBmON4bPaQRtgKWg0mbt +aEjosRZNJv1nDEl5qG9XN3FC9zb5FrGSFmTTUvR4f4tUHr7wifNSS2dtgQ6+jU6f +m9o6fukaP7t5VyOXuV7FIO/Hdg2lqW+xU1LowZpVd6ANZ5rAZXtMhWe3+mjfFtju +TAnR +-----RAQ PREGVSVPNGR-----`))) + testRSA2048Certificate = block.Bytes + + block, _ = pem.Decode(obscuretestdata.Rot13([]byte(` +-----ORTVA EFN CEVINGR XRL----- +ZVVRcNVONNXPNDRNa/U5AQrbattI+PQyFUlbeorWOaQxP3bcta7V6du3ZeQPSEuY +EHwBuBNZgrAK/+lXaIgSYFXwJ+Q14HGvN+8t8HqiBZF+y2jee/7rLG91UUbJUA4M +v4fyKGWTHVzIeK1SPK/9nweGCdVGLBsF0IdrUshby9WJgFF9kZNvUWWQLlsLHTkr +m29txiuRiJXBrFtTdsPwz5nKRsQNHwq/T6c8V30UDy7muQb2cgu1ZFfkOI+GNCaj +AWahNbdNaNxF1vcsudQsEsUjNK6Tsx/gazcrNl7wirn10sRdmvSDLq1kGd/0ILL7 +I3QIEJFaYj7rariSrbjPtTPchM5L/Ew6KrY/djVQNDNONbVONDPAcZMvsq/it42u +UqPiYhMnLF0E7FhaSycbKRfygTqYSfac0VsbWM/htSDOFNVVsYjZhzH6bKN1m7Hi +98nVLI61QrCeGPQIQSOfUoAzC8WNb8JgohfRojq5mlbO7YLT2+pyxWxyJR73XdHd +ezV+HWrlFpy2Tva7MGkOKm1JCOx9IjpajxrnKctNFVOJ23suRPZ9taLRRjnOrm5G +6Zr8q1gUgLDi7ifXr7eb9j9/UXeEKrwdLXX1YkxusSevlI+z8YMWMa2aKBn6T3tS +Ao8Dx1Hx5CHORAOzlZSWuG4Z/hhFd4LgZeeB2tv8D+sCuhTmp5FfuLXEOc0J4C5e +zgIPgRSENbTONZRAOVSYeI2+UfTw0kLSnfXbi/DCr6UFGE1Uu2VMBAc+bX4bfmJR +wOG4IpaVGzcy6gP1Jl4TpekwAtXVSMNw+1k1YHHYqbeKxhT8le0gNuT9mAlsJfFl +CeFbiP0HIome8Wkkyn+xDIkRDDdJDkCyRIhY8xKnVQN6Ylg1Uchn2YiCNbTONADM +p6Yd2G7+OkYkAqv2z8xMmrw5xtmOc/KqIfoSJEyroVK2XeSUfeUmG9CHx3QR1iMX +Z6cmGg94aDuJFxQtPnj1FbuRyW3USVSjphfS1FWNp3cDrcq8ht6VLqycQZYgOw/C +/5C6OIHgtb05R4+V/G3vLngztyDkGgyM0ExFI2yyNbTONYBKxXSK7nuCis0JxfQu +hGshSBGCbbjtDT0RctJ0jEqPkrt/WYvp3yFQ0tfggDI2JfErpelJpknryEt10EzB +38OobtzunS4kitfFihwBsvMGR8bX1G43Z+6AXfVyZY3LVYocH/9nWkCJl0f2QdQe +pDWuMeyx+cmwON7Oas/HEqjkNbTNXE/PAj14Q+zeY3LYoovPKvlqdkIjki5cqMqm +8guv3GApfJP4vTHEqpIdosHvaICqWvKr/Xnp3JTPrEWnSItoXNBkYgv1EO5ZxVut +Q8rlhcOdx4J1Y1txekdfqw4GSykxjZljwy2R2F4LlD8COg6I04QbIEMfVXmdm+CS +HvbaCd0PtLOPLKidvbWuCrjxBd/L5jeQOrMJ1SDX5DQ9J5Z8/5mkq4eqiWgwuoWc +bBegiZqey6hcl9Um4OWQ3SKjISvCSR7wdrAdv0S21ivYkOCZZQ3HBQS6YY5RlYvE +9I4kIZF8XKkit7ekfhdmZCfpIvnJHY6JAIOufQ2+92qUkFKmm5RWXD== +-----RAQ EFN CEVINGR XRL-----`))) + var err error + testRSA2048PrivateKey, err = x509.ParsePKCS1PrivateKey(block.Bytes) + if err != nil { + panic(err) + } +} diff --git a/pkg/tls/cache.go b/pkg/tls/cache.go new file mode 100644 index 000000000..a7677611f --- /dev/null +++ b/pkg/tls/cache.go @@ -0,0 +1,95 @@ +// Copyright 2022 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "crypto/x509" + "runtime" + "sync" + "sync/atomic" +) + +type cacheEntry struct { + refs atomic.Int64 + cert *x509.Certificate +} + +// certCache implements an intern table for reference counted x509.Certificates, +// implemented in a similar fashion to BoringSSL's CRYPTO_BUFFER_POOL. This +// allows for a single x509.Certificate to be kept in memory and referenced from +// multiple Conns. Returned references should not be mutated by callers. Certificates +// are still safe to use after they are removed from the cache. +// +// Certificates are returned wrapped in an activeCert struct that should be held by +// the caller. When references to the activeCert are freed, the number of references +// to the certificate in the cache is decremented. Once the number of references +// reaches zero, the entry is evicted from the cache. +// +// The main difference between this implementation and CRYPTO_BUFFER_POOL is that +// CRYPTO_BUFFER_POOL is a more generic structure which supports blobs of data, +// rather than specific structures. Since we only care about x509.Certificates, +// certCache is implemented as a specific cache, rather than a generic one. +// +// See https://boringssl.googlesource.com/boringssl/+/master/include/openssl/pool.h +// and https://boringssl.googlesource.com/boringssl/+/master/crypto/pool/pool.c +// for the BoringSSL reference. +type certCache struct { + sync.Map +} + +var globalCertCache = new(certCache) + +// activeCert is a handle to a certificate held in the cache. Once there are +// no alive activeCerts for a given certificate, the certificate is removed +// from the cache by a finalizer. +type activeCert struct { + cert *x509.Certificate +} + +// active increments the number of references to the entry, wraps the +// certificate in the entry in an activeCert, and sets the finalizer. +// +// Note that there is a race between active and the finalizer set on the +// returned activeCert, triggered if active is called after the ref count is +// decremented such that refs may be > 0 when evict is called. We consider this +// safe, since the caller holding an activeCert for an entry that is no longer +// in the cache is fine, with the only side effect being the memory overhead of +// there being more than one distinct reference to a certificate alive at once. +func (cc *certCache) active(e *cacheEntry) *activeCert { + e.refs.Add(1) + a := &activeCert{e.cert} + runtime.SetFinalizer(a, func(_ *activeCert) { + if e.refs.Add(-1) == 0 { + cc.evict(e) + } + }) + return a +} + +// evict removes a cacheEntry from the cache. +func (cc *certCache) evict(e *cacheEntry) { + cc.Delete(string(e.cert.Raw)) +} + +// newCert returns a x509.Certificate parsed from der. If there is already a copy +// of the certificate in the cache, a reference to the existing certificate will +// be returned. Otherwise, a fresh certificate will be added to the cache, and +// the reference returned. The returned reference should not be mutated. +func (cc *certCache) newCert(der []byte) (*activeCert, error) { + if entry, ok := cc.Load(string(der)); ok { + return cc.active(entry.(*cacheEntry)), nil + } + + cert, err := x509.ParseCertificate(der) + if err != nil { + return nil, err + } + + entry := &cacheEntry{cert: cert} + if entry, loaded := cc.LoadOrStore(string(der), entry); loaded { + return cc.active(entry.(*cacheEntry)), nil + } + return cc.active(entry), nil +} diff --git a/pkg/tls/cache_test.go b/pkg/tls/cache_test.go new file mode 100644 index 000000000..284673419 --- /dev/null +++ b/pkg/tls/cache_test.go @@ -0,0 +1,117 @@ +// Copyright 2022 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "encoding/pem" + "fmt" + "runtime" + "testing" + "time" +) + +func TestCertCache(t *testing.T) { + cc := certCache{} + p, _ := pem.Decode([]byte(rsaCertPEM)) + if p == nil { + t.Fatal("Failed to decode certificate") + } + + certA, err := cc.newCert(p.Bytes) + if err != nil { + t.Fatalf("newCert failed: %s", err) + } + certB, err := cc.newCert(p.Bytes) + if err != nil { + t.Fatalf("newCert failed: %s", err) + } + if certA.cert != certB.cert { + t.Fatal("newCert returned a unique reference for a duplicate certificate") + } + + if entry, ok := cc.Load(string(p.Bytes)); !ok { + t.Fatal("cache does not contain expected entry") + } else { + if refs := entry.(*cacheEntry).refs.Load(); refs != 2 { + t.Fatalf("unexpected number of references: got %d, want 2", refs) + } + } + + timeoutRefCheck := func(t *testing.T, key string, count int64) { + t.Helper() + c := time.After(4 * time.Second) + for { + select { + case <-c: + t.Fatal("timed out waiting for expected ref count") + default: + e, ok := cc.Load(key) + if !ok && count != 0 { + t.Fatal("cache does not contain expected key") + } else if count == 0 && !ok { + return + } + + if e.(*cacheEntry).refs.Load() == count { + return + } + } + } + } + + // Keep certA alive until at least now, so that we can + // purposefully nil it and force the finalizer to be + // called. + runtime.KeepAlive(certA) + certA = nil + runtime.GC() + + timeoutRefCheck(t, string(p.Bytes), 1) + + // Keep certB alive until at least now, so that we can + // purposefully nil it and force the finalizer to be + // called. + runtime.KeepAlive(certB) + certB = nil + runtime.GC() + + timeoutRefCheck(t, string(p.Bytes), 0) +} + +func BenchmarkCertCache(b *testing.B) { + p, _ := pem.Decode([]byte(rsaCertPEM)) + if p == nil { + b.Fatal("Failed to decode certificate") + } + + cc := certCache{} + b.ReportAllocs() + b.ResetTimer() + // We expect that calling newCert additional times after + // the initial call should not cause additional allocations. + for extra := 0; extra < 4; extra++ { + b.Run(fmt.Sprint(extra), func(b *testing.B) { + actives := make([]*activeCert, extra+1) + b.ResetTimer() + for i := 0; i < b.N; i++ { + var err error + actives[0], err = cc.newCert(p.Bytes) + if err != nil { + b.Fatal(err) + } + for j := 0; j < extra; j++ { + actives[j+1], err = cc.newCert(p.Bytes) + if err != nil { + b.Fatal(err) + } + } + for j := 0; j < extra+1; j++ { + actives[j] = nil + } + runtime.GC() + } + }) + } +} diff --git a/pkg/tls/cipher_suites.go b/pkg/tls/cipher_suites.go new file mode 100644 index 000000000..4612f1b1c --- /dev/null +++ b/pkg/tls/cipher_suites.go @@ -0,0 +1,719 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "crypto" + "crypto/aes" + "crypto/cipher" + "crypto/des" + "crypto/hmac" + "crypto/rc4" + "crypto/sha1" + "crypto/sha256" + "fmt" + "hash" + "runtime" + + "github.com/panjf2000/gnet/v2/pkg/tls/internal/boring" + "github.com/panjf2000/gnet/v2/pkg/tls/internal/cpu" + + "golang.org/x/crypto/chacha20poly1305" +) + +// CipherSuite is a TLS cipher suite. Note that most functions in this package +// accept and expose cipher suite IDs instead of this type. +type CipherSuite struct { + ID uint16 + Name string + + // Supported versions is the list of TLS protocol versions that can + // negotiate this cipher suite. + SupportedVersions []uint16 + + // Insecure is true if the cipher suite has known security issues + // due to its primitives, design, or implementation. + Insecure bool +} + +var ( + supportedUpToTLS12 = []uint16{VersionTLS10, VersionTLS11, VersionTLS12} + supportedOnlyTLS12 = []uint16{VersionTLS12} + supportedOnlyTLS13 = []uint16{VersionTLS13} +) + +// CipherSuites returns a list of cipher suites currently implemented by this +// package, excluding those with security issues, which are returned by +// [InsecureCipherSuites]. +// +// The list is sorted by ID. Note that the default cipher suites selected by +// this package might depend on logic that can't be captured by a static list, +// and might not match those returned by this function. +func CipherSuites() []*CipherSuite { + return []*CipherSuite{ + {TLS_AES_128_GCM_SHA256, "TLS_AES_128_GCM_SHA256", supportedOnlyTLS13, false}, + {TLS_AES_256_GCM_SHA384, "TLS_AES_256_GCM_SHA384", supportedOnlyTLS13, false}, + {TLS_CHACHA20_POLY1305_SHA256, "TLS_CHACHA20_POLY1305_SHA256", supportedOnlyTLS13, false}, + + {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false}, + {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false}, + {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, false}, + {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, false}, + {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false}, + {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false}, + {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, false}, + {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, false}, + {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false}, + {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", supportedOnlyTLS12, false}, + } +} + +// InsecureCipherSuites returns a list of cipher suites currently implemented by +// this package and which have security issues. +// +// Most applications should not use the cipher suites in this list, and should +// only use those returned by [CipherSuites]. +func InsecureCipherSuites() []*CipherSuite { + // This list includes RC4, CBC_SHA256, and 3DES cipher suites. See + // cipherSuitesPreferenceOrder for details. + return []*CipherSuite{ + {TLS_RSA_WITH_RC4_128_SHA, "TLS_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, + {TLS_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, true}, + {TLS_RSA_WITH_AES_128_CBC_SHA, "TLS_RSA_WITH_AES_128_CBC_SHA", supportedUpToTLS12, true}, + {TLS_RSA_WITH_AES_256_CBC_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA", supportedUpToTLS12, true}, + {TLS_RSA_WITH_AES_128_CBC_SHA256, "TLS_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, + {TLS_RSA_WITH_AES_128_GCM_SHA256, "TLS_RSA_WITH_AES_128_GCM_SHA256", supportedOnlyTLS12, true}, + {TLS_RSA_WITH_AES_256_GCM_SHA384, "TLS_RSA_WITH_AES_256_GCM_SHA384", supportedOnlyTLS12, true}, + {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, + {TLS_ECDHE_RSA_WITH_RC4_128_SHA, "TLS_ECDHE_RSA_WITH_RC4_128_SHA", supportedUpToTLS12, true}, + {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA", supportedUpToTLS12, true}, + {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, + {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", supportedOnlyTLS12, true}, + } +} + +// CipherSuiteName returns the standard name for the passed cipher suite ID +// (e.g. "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"), or a fallback representation +// of the ID value if the cipher suite is not implemented by this package. +func CipherSuiteName(id uint16) string { + for _, c := range CipherSuites() { + if c.ID == id { + return c.Name + } + } + for _, c := range InsecureCipherSuites() { + if c.ID == id { + return c.Name + } + } + return fmt.Sprintf("0x%04X", id) +} + +const ( + // suiteECDHE indicates that the cipher suite involves elliptic curve + // Diffie-Hellman. This means that it should only be selected when the + // client indicates that it supports ECC with a curve and point format + // that we're happy with. + suiteECDHE = 1 << iota + // suiteECSign indicates that the cipher suite involves an ECDSA or + // EdDSA signature and therefore may only be selected when the server's + // certificate is ECDSA or EdDSA. If this is not set then the cipher suite + // is RSA based. + suiteECSign + // suiteTLS12 indicates that the cipher suite should only be advertised + // and accepted when using TLS 1.2. + suiteTLS12 + // suiteSHA384 indicates that the cipher suite uses SHA384 as the + // handshake hash. + suiteSHA384 +) + +// A cipherSuite is a TLS 1.0–1.2 cipher suite, and defines the key exchange +// mechanism, as well as the cipher+MAC pair or the AEAD. +type cipherSuite struct { + id uint16 + // the lengths, in bytes, of the key material needed for each component. + keyLen int + macLen int + ivLen int + ka func(version uint16) keyAgreement + // flags is a bitmask of the suite* values, above. + flags int + cipher func(key, iv []byte, isRead bool) any + mac func(key []byte) hash.Hash + aead func(key, fixedNonce []byte) aead +} + +var cipherSuites = []*cipherSuite{ // TODO: replace with a map, since the order doesn't matter. + {TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadChaCha20Poly1305}, + {TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, 32, 0, 12, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadChaCha20Poly1305}, + {TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12, nil, nil, aeadAESGCM}, + {TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, nil, nil, aeadAESGCM}, + {TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheRSAKA, suiteECDHE | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, + {TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, + {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheRSAKA, suiteECDHE | suiteTLS12, cipherAES, macSHA256, nil}, + {TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, + {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, ecdheECDSAKA, suiteECDHE | suiteECSign | suiteTLS12, cipherAES, macSHA256, nil}, + {TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, 16, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil}, + {TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheRSAKA, suiteECDHE, cipherAES, macSHA1, nil}, + {TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, 32, 20, 16, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherAES, macSHA1, nil}, + {TLS_RSA_WITH_AES_128_GCM_SHA256, 16, 0, 4, rsaKA, suiteTLS12, nil, nil, aeadAESGCM}, + {TLS_RSA_WITH_AES_256_GCM_SHA384, 32, 0, 4, rsaKA, suiteTLS12 | suiteSHA384, nil, nil, aeadAESGCM}, + {TLS_RSA_WITH_AES_128_CBC_SHA256, 16, 32, 16, rsaKA, suiteTLS12, cipherAES, macSHA256, nil}, + {TLS_RSA_WITH_AES_128_CBC_SHA, 16, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil}, + {TLS_RSA_WITH_AES_256_CBC_SHA, 32, 20, 16, rsaKA, 0, cipherAES, macSHA1, nil}, + {TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, ecdheRSAKA, suiteECDHE, cipher3DES, macSHA1, nil}, + {TLS_RSA_WITH_3DES_EDE_CBC_SHA, 24, 20, 8, rsaKA, 0, cipher3DES, macSHA1, nil}, + {TLS_RSA_WITH_RC4_128_SHA, 16, 20, 0, rsaKA, 0, cipherRC4, macSHA1, nil}, + {TLS_ECDHE_RSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheRSAKA, suiteECDHE, cipherRC4, macSHA1, nil}, + {TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, 16, 20, 0, ecdheECDSAKA, suiteECDHE | suiteECSign, cipherRC4, macSHA1, nil}, +} + +// selectCipherSuite returns the first TLS 1.0–1.2 cipher suite from ids which +// is also in supportedIDs and passes the ok filter. +func selectCipherSuite(ids, supportedIDs []uint16, ok func(*cipherSuite) bool) *cipherSuite { + for _, id := range ids { + candidate := cipherSuiteByID(id) + if candidate == nil || !ok(candidate) { + continue + } + + for _, suppID := range supportedIDs { + if id == suppID { + return candidate + } + } + } + return nil +} + +// A cipherSuiteTLS13 defines only the pair of the AEAD algorithm and hash +// algorithm to be used with HKDF. See RFC 8446, Appendix B.4. +type cipherSuiteTLS13 struct { + id uint16 + keyLen int + aead func(key, fixedNonce []byte) aead + hash crypto.Hash +} + +var cipherSuitesTLS13 = []*cipherSuiteTLS13{ // TODO: replace with a map. + {TLS_AES_128_GCM_SHA256, 16, aeadAESGCMTLS13, crypto.SHA256}, + {TLS_CHACHA20_POLY1305_SHA256, 32, aeadChaCha20Poly1305, crypto.SHA256}, + {TLS_AES_256_GCM_SHA384, 32, aeadAESGCMTLS13, crypto.SHA384}, +} + +// cipherSuitesPreferenceOrder is the order in which we'll select (on the +// server) or advertise (on the client) TLS 1.0–1.2 cipher suites. +// +// Cipher suites are filtered but not reordered based on the application and +// peer's preferences, meaning we'll never select a suite lower in this list if +// any higher one is available. This makes it more defensible to keep weaker +// cipher suites enabled, especially on the server side where we get the last +// word, since there are no known downgrade attacks on cipher suites selection. +// +// The list is sorted by applying the following priority rules, stopping at the +// first (most important) applicable one: +// +// - Anything else comes before RC4 +// +// RC4 has practically exploitable biases. See https://www.rc4nomore.com. +// +// - Anything else comes before CBC_SHA256 +// +// SHA-256 variants of the CBC ciphersuites don't implement any Lucky13 +// countermeasures. See http://www.isg.rhul.ac.uk/tls/Lucky13.html and +// https://www.imperialviolet.org/2013/02/04/luckythirteen.html. +// +// - Anything else comes before 3DES +// +// 3DES has 64-bit blocks, which makes it fundamentally susceptible to +// birthday attacks. See https://sweet32.info. +// +// - ECDHE comes before anything else +// +// Once we got the broken stuff out of the way, the most important +// property a cipher suite can have is forward secrecy. We don't +// implement FFDHE, so that means ECDHE. +// +// - AEADs come before CBC ciphers +// +// Even with Lucky13 countermeasures, MAC-then-Encrypt CBC cipher suites +// are fundamentally fragile, and suffered from an endless sequence of +// padding oracle attacks. See https://eprint.iacr.org/2015/1129, +// https://www.imperialviolet.org/2014/12/08/poodleagain.html, and +// https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/. +// +// - AES comes before ChaCha20 +// +// When AES hardware is available, AES-128-GCM and AES-256-GCM are faster +// than ChaCha20Poly1305. +// +// When AES hardware is not available, AES-128-GCM is one or more of: much +// slower, way more complex, and less safe (because not constant time) +// than ChaCha20Poly1305. +// +// We use this list if we think both peers have AES hardware, and +// cipherSuitesPreferenceOrderNoAES otherwise. +// +// - AES-128 comes before AES-256 +// +// The only potential advantages of AES-256 are better multi-target +// margins, and hypothetical post-quantum properties. Neither apply to +// TLS, and AES-256 is slower due to its four extra rounds (which don't +// contribute to the advantages above). +// +// - ECDSA comes before RSA +// +// The relative order of ECDSA and RSA cipher suites doesn't matter, +// as they depend on the certificate. Pick one to get a stable order. +var cipherSuitesPreferenceOrder = []uint16{ + // AEADs w/ ECDHE + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + + // CBC w/ ECDHE + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + + // AEADs w/o ECDHE + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_256_GCM_SHA384, + + // CBC w/o ECDHE + TLS_RSA_WITH_AES_128_CBC_SHA, + TLS_RSA_WITH_AES_256_CBC_SHA, + + // 3DES + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_RSA_WITH_3DES_EDE_CBC_SHA, + + // CBC_SHA256 + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_RSA_WITH_AES_128_CBC_SHA256, + + // RC4 + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, + TLS_RSA_WITH_RC4_128_SHA, +} + +var cipherSuitesPreferenceOrderNoAES = []uint16{ + // ChaCha20Poly1305 + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + + // AES-GCM w/ ECDHE + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + + // The rest of cipherSuitesPreferenceOrder. + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_256_GCM_SHA384, + TLS_RSA_WITH_AES_128_CBC_SHA, + TLS_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, + TLS_RSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, + TLS_RSA_WITH_RC4_128_SHA, +} + +// disabledCipherSuites are not used unless explicitly listed in Config.CipherSuites. +var disabledCipherSuites = map[uint16]bool{ + // CBC_SHA256 + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256: true, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: true, + TLS_RSA_WITH_AES_128_CBC_SHA256: true, + + // RC4 + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA: true, + TLS_ECDHE_RSA_WITH_RC4_128_SHA: true, + TLS_RSA_WITH_RC4_128_SHA: true, +} + +// rsaKexCiphers contains the ciphers which use RSA based key exchange, +// which we also disable by default unless a GODEBUG is set. +var rsaKexCiphers = map[uint16]bool{ + TLS_RSA_WITH_RC4_128_SHA: true, + TLS_RSA_WITH_3DES_EDE_CBC_SHA: true, + TLS_RSA_WITH_AES_128_CBC_SHA: true, + TLS_RSA_WITH_AES_256_CBC_SHA: true, + TLS_RSA_WITH_AES_128_CBC_SHA256: true, + TLS_RSA_WITH_AES_128_GCM_SHA256: true, + TLS_RSA_WITH_AES_256_GCM_SHA384: true, +} + +var defaultCipherSuites []uint16 +var defaultCipherSuitesWithRSAKex []uint16 + +func init() { + defaultCipherSuites = make([]uint16, 0, len(cipherSuitesPreferenceOrder)) + defaultCipherSuitesWithRSAKex = make([]uint16, 0, len(cipherSuitesPreferenceOrder)) + for _, c := range cipherSuitesPreferenceOrder { + if disabledCipherSuites[c] { + continue + } + if !rsaKexCiphers[c] { + defaultCipherSuites = append(defaultCipherSuites, c) + } + defaultCipherSuitesWithRSAKex = append(defaultCipherSuitesWithRSAKex, c) + } +} + +// defaultCipherSuitesTLS13 is also the preference order, since there are no +// disabled by default TLS 1.3 cipher suites. The same AES vs ChaCha20 logic as +// cipherSuitesPreferenceOrder applies. +var defaultCipherSuitesTLS13 = []uint16{ + TLS_AES_128_GCM_SHA256, + TLS_AES_256_GCM_SHA384, + TLS_CHACHA20_POLY1305_SHA256, +} + +var defaultCipherSuitesTLS13NoAES = []uint16{ + TLS_CHACHA20_POLY1305_SHA256, + TLS_AES_128_GCM_SHA256, + TLS_AES_256_GCM_SHA384, +} + +var ( + hasGCMAsmAMD64 = cpu.X86.HasAES && cpu.X86.HasPCLMULQDQ + hasGCMAsmARM64 = cpu.ARM64.HasAES && cpu.ARM64.HasPMULL + // Keep in sync with crypto/aes/cipher_s390x.go. + hasGCMAsmS390X = cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && + (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM) + + hasAESGCMHardwareSupport = runtime.GOARCH == "amd64" && hasGCMAsmAMD64 || + runtime.GOARCH == "arm64" && hasGCMAsmARM64 || + runtime.GOARCH == "s390x" && hasGCMAsmS390X +) + +var aesgcmCiphers = map[uint16]bool{ + // TLS 1.2 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: true, + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: true, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: true, + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: true, + // TLS 1.3 + TLS_AES_128_GCM_SHA256: true, + TLS_AES_256_GCM_SHA384: true, +} + +// aesgcmPreferred returns whether the first known cipher in the preference list +// is an AES-GCM cipher, implying the peer has hardware support for it. +func aesgcmPreferred(ciphers []uint16) bool { + for _, cID := range ciphers { + if c := cipherSuiteByID(cID); c != nil { + return aesgcmCiphers[cID] + } + if c := cipherSuiteTLS13ByID(cID); c != nil { + return aesgcmCiphers[cID] + } + } + return false +} + +func cipherRC4(key, iv []byte, isRead bool) any { + cipher, _ := rc4.NewCipher(key) + return cipher +} + +func cipher3DES(key, iv []byte, isRead bool) any { + block, _ := des.NewTripleDESCipher(key) + if isRead { + return cipher.NewCBCDecrypter(block, iv) + } + return cipher.NewCBCEncrypter(block, iv) +} + +func cipherAES(key, iv []byte, isRead bool) any { + block, _ := aes.NewCipher(key) + if isRead { + return cipher.NewCBCDecrypter(block, iv) + } + return cipher.NewCBCEncrypter(block, iv) +} + +// macSHA1 returns a SHA-1 based constant time MAC. +func macSHA1(key []byte) hash.Hash { + h := sha1.New + // The BoringCrypto SHA1 does not have a constant-time + // checksum function, so don't try to use it. + /*if !boring.Enabled { + h = newConstantTimeHash(h) + }*/ + return hmac.New(h, key) +} + +// macSHA256 returns a SHA-256 based MAC. This is only supported in TLS 1.2 and +// is currently only used in disabled-by-default cipher suites. +func macSHA256(key []byte) hash.Hash { + return hmac.New(sha256.New, key) +} + +type aead interface { + cipher.AEAD + + // explicitNonceLen returns the number of bytes of explicit nonce + // included in each record. This is eight for older AEADs and + // zero for modern ones. + explicitNonceLen() int +} + +const ( + aeadNonceLength = 12 + noncePrefixLength = 4 +) + +// prefixNonceAEAD wraps an AEAD and prefixes a fixed portion of the nonce to +// each call. +type prefixNonceAEAD struct { + // nonce contains the fixed part of the nonce in the first four bytes. + nonce [aeadNonceLength]byte + aead cipher.AEAD +} + +func (f *prefixNonceAEAD) NonceSize() int { return aeadNonceLength - noncePrefixLength } +func (f *prefixNonceAEAD) Overhead() int { return f.aead.Overhead() } +func (f *prefixNonceAEAD) explicitNonceLen() int { return f.NonceSize() } + +func (f *prefixNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { + copy(f.nonce[4:], nonce) + return f.aead.Seal(out, f.nonce[:], plaintext, additionalData) +} + +func (f *prefixNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) { + copy(f.nonce[4:], nonce) + return f.aead.Open(out, f.nonce[:], ciphertext, additionalData) +} + +// xorNonceAEAD wraps an AEAD by XORing in a fixed pattern to the nonce +// before each call. +type xorNonceAEAD struct { + nonceMask [aeadNonceLength]byte + aead cipher.AEAD +} + +func (f *xorNonceAEAD) NonceSize() int { return 8 } // 64-bit sequence number +func (f *xorNonceAEAD) Overhead() int { return f.aead.Overhead() } +func (f *xorNonceAEAD) explicitNonceLen() int { return 0 } + +func (f *xorNonceAEAD) Seal(out, nonce, plaintext, additionalData []byte) []byte { + for i, b := range nonce { + f.nonceMask[4+i] ^= b + } + result := f.aead.Seal(out, f.nonceMask[:], plaintext, additionalData) + for i, b := range nonce { + f.nonceMask[4+i] ^= b + } + + return result +} + +func (f *xorNonceAEAD) Open(out, nonce, ciphertext, additionalData []byte) ([]byte, error) { + for i, b := range nonce { + f.nonceMask[4+i] ^= b + } + result, err := f.aead.Open(out, f.nonceMask[:], ciphertext, additionalData) + for i, b := range nonce { + f.nonceMask[4+i] ^= b + } + + return result, err +} + +func aeadAESGCM(key, noncePrefix []byte) aead { + if len(noncePrefix) != noncePrefixLength { + panic("tls: internal error: wrong nonce length") + } + aes, err := aes.NewCipher(key) + if err != nil { + panic(err) + } + var aead cipher.AEAD + if boring.Enabled { + aead, err = boring.NewGCMTLS(aes) + } else { + boring.Unreachable() + aead, err = cipher.NewGCM(aes) + } + if err != nil { + panic(err) + } + + ret := &prefixNonceAEAD{aead: aead} + copy(ret.nonce[:], noncePrefix) + return ret +} + +func aeadAESGCMTLS13(key, nonceMask []byte) aead { + if len(nonceMask) != aeadNonceLength { + panic("tls: internal error: wrong nonce length") + } + aes, err := aes.NewCipher(key) + if err != nil { + panic(err) + } + aead, err := cipher.NewGCM(aes) + if err != nil { + panic(err) + } + + ret := &xorNonceAEAD{aead: aead} + copy(ret.nonceMask[:], nonceMask) + return ret +} + +func aeadChaCha20Poly1305(key, nonceMask []byte) aead { + if len(nonceMask) != aeadNonceLength { + panic("tls: internal error: wrong nonce length") + } + aead, err := chacha20poly1305.New(key) + if err != nil { + panic(err) + } + + ret := &xorNonceAEAD{aead: aead} + copy(ret.nonceMask[:], nonceMask) + return ret +} + +type constantTimeHash interface { + hash.Hash + ConstantTimeSum(b []byte) []byte +} + +// cthWrapper wraps any hash.Hash that implements ConstantTimeSum, and replaces +// with that all calls to Sum. It's used to obtain a ConstantTimeSum-based HMAC. +type cthWrapper struct { + h constantTimeHash +} + +func (c *cthWrapper) Size() int { return c.h.Size() } +func (c *cthWrapper) BlockSize() int { return c.h.BlockSize() } +func (c *cthWrapper) Reset() { c.h.Reset() } +func (c *cthWrapper) Write(p []byte) (int, error) { return c.h.Write(p) } +func (c *cthWrapper) Sum(b []byte) []byte { return c.h.ConstantTimeSum(b) } + +func newConstantTimeHash(h func() hash.Hash) func() hash.Hash { + boring.Unreachable() + return func() hash.Hash { + return &cthWrapper{h().(constantTimeHash)} + } +} + +// tls10MAC implements the TLS 1.0 MAC function. RFC 2246, Section 6.2.3. +func tls10MAC(h hash.Hash, out, seq, header, data, extra []byte) []byte { + h.Reset() + h.Write(seq) + h.Write(header) + h.Write(data) + res := h.Sum(out) + if extra != nil { + h.Write(extra) + } + return res +} + +func rsaKA(version uint16) keyAgreement { + return rsaKeyAgreement{} +} + +func ecdheECDSAKA(version uint16) keyAgreement { + return &ecdheKeyAgreement{ + isRSA: false, + version: version, + } +} + +func ecdheRSAKA(version uint16) keyAgreement { + return &ecdheKeyAgreement{ + isRSA: true, + version: version, + } +} + +// mutualCipherSuite returns a cipherSuite given a list of supported +// ciphersuites and the id requested by the peer. +func mutualCipherSuite(have []uint16, want uint16) *cipherSuite { + for _, id := range have { + if id == want { + return cipherSuiteByID(id) + } + } + return nil +} + +func cipherSuiteByID(id uint16) *cipherSuite { + for _, cipherSuite := range cipherSuites { + if cipherSuite.id == id { + return cipherSuite + } + } + return nil +} + +func mutualCipherSuiteTLS13(have []uint16, want uint16) *cipherSuiteTLS13 { + for _, id := range have { + if id == want { + return cipherSuiteTLS13ByID(id) + } + } + return nil +} + +func cipherSuiteTLS13ByID(id uint16) *cipherSuiteTLS13 { + for _, cipherSuite := range cipherSuitesTLS13 { + if cipherSuite.id == id { + return cipherSuite + } + } + return nil +} + +// A list of cipher suite IDs that are, or have been, implemented by this +// package. +// +// See https://www.iana.org/assignments/tls-parameters/tls-parameters.xml +const ( + // TLS 1.0 - 1.2 cipher suites. + TLS_RSA_WITH_RC4_128_SHA uint16 = 0x0005 + TLS_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0x000a + TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002f + TLS_RSA_WITH_AES_256_CBC_SHA uint16 = 0x0035 + TLS_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0x003c + TLS_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0x009c + TLS_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0x009d + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA uint16 = 0xc007 + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA uint16 = 0xc009 + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA uint16 = 0xc00a + TLS_ECDHE_RSA_WITH_RC4_128_SHA uint16 = 0xc011 + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA uint16 = 0xc012 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA uint16 = 0xc013 + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA uint16 = 0xc014 + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc023 + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 uint16 = 0xc027 + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02f + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 uint16 = 0xc02b + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc030 + TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 uint16 = 0xc02c + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca8 + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 uint16 = 0xcca9 + + // TLS 1.3 cipher suites. + TLS_AES_128_GCM_SHA256 uint16 = 0x1301 + TLS_AES_256_GCM_SHA384 uint16 = 0x1302 + TLS_CHACHA20_POLY1305_SHA256 uint16 = 0x1303 + + // TLS_FALLBACK_SCSV isn't a standard cipher suite but an indicator + // that the client is doing version fallback. See RFC 7507. + TLS_FALLBACK_SCSV uint16 = 0x5600 + + // Legacy names for the corresponding cipher suites with the correct _SHA256 + // suffix, retained for backward compatibility. + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 + TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 = TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 +) diff --git a/pkg/tls/common.go b/pkg/tls/common.go new file mode 100644 index 000000000..f439d223a --- /dev/null +++ b/pkg/tls/common.go @@ -0,0 +1,1556 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "bytes" + "container/list" + "context" + "crypto" + "crypto/ecdsa" + "crypto/ed25519" + "crypto/elliptic" + "crypto/rand" + "crypto/rsa" + "crypto/sha512" + "crypto/x509" + "errors" + "fmt" + "io" + "net" + "strings" + "sync" + "time" +) + +const ( + VersionTLS10 = 0x0301 + VersionTLS11 = 0x0302 + VersionTLS12 = 0x0303 + VersionTLS13 = 0x0304 + + // Deprecated: SSLv3 is cryptographically broken, and is no longer + // supported by this package. See golang.org/issue/32716. + VersionSSL30 = 0x0300 +) + +// VersionName returns the name for the provided TLS version number +// (e.g. "TLS 1.3"), or a fallback representation of the value if the +// version is not implemented by this package. +func VersionName(version uint16) string { + switch version { + case VersionSSL30: + return "SSLv3" + case VersionTLS10: + return "TLS 1.0" + case VersionTLS11: + return "TLS 1.1" + case VersionTLS12: + return "TLS 1.2" + case VersionTLS13: + return "TLS 1.3" + default: + return fmt.Sprintf("0x%04X", version) + } +} + +const ( + maxPlaintext = 16384 // maximum plaintext payload length + maxCiphertext = 16384 + 2048 // maximum ciphertext payload length + maxCiphertextTLS13 = 16384 + 256 // maximum ciphertext length in TLS 1.3 + recordHeaderLen = 5 // record header length + maxHandshake = 65536 // maximum handshake we support (protocol max is 16 MB) + maxUselessRecords = 16 // maximum number of consecutive non-advancing records +) + +// TLS record types. +type recordType uint8 + +const ( + recordTypeChangeCipherSpec recordType = 20 + recordTypeAlert recordType = 21 + recordTypeHandshake recordType = 22 + recordTypeApplicationData recordType = 23 +) + +// TLS handshake message types. +const ( + typeHelloRequest uint8 = 0 + typeClientHello uint8 = 1 + typeServerHello uint8 = 2 + typeNewSessionTicket uint8 = 4 + typeEndOfEarlyData uint8 = 5 + typeEncryptedExtensions uint8 = 8 + typeCertificate uint8 = 11 + typeServerKeyExchange uint8 = 12 + typeCertificateRequest uint8 = 13 + typeServerHelloDone uint8 = 14 + typeCertificateVerify uint8 = 15 + typeClientKeyExchange uint8 = 16 + typeFinished uint8 = 20 + typeCertificateStatus uint8 = 22 + typeKeyUpdate uint8 = 24 + typeNextProtocol uint8 = 67 // Not IANA assigned + typeMessageHash uint8 = 254 // synthetic message +) + +// TLS compression types. +const ( + compressionNone uint8 = 0 +) + +// TLS extension numbers +const ( + extensionServerName uint16 = 0 + extensionStatusRequest uint16 = 5 + extensionSupportedCurves uint16 = 10 // supported_groups in TLS 1.3, see RFC 8446, Section 4.2.7 + extensionSupportedPoints uint16 = 11 + extensionSignatureAlgorithms uint16 = 13 + extensionALPN uint16 = 16 + extensionSCT uint16 = 18 + extensionExtendedMasterSecret uint16 = 23 + extensionSessionTicket uint16 = 35 + extensionPreSharedKey uint16 = 41 + extensionEarlyData uint16 = 42 + extensionSupportedVersions uint16 = 43 + extensionCookie uint16 = 44 + extensionPSKModes uint16 = 45 + extensionCertificateAuthorities uint16 = 47 + extensionSignatureAlgorithmsCert uint16 = 50 + extensionKeyShare uint16 = 51 + extensionQUICTransportParameters uint16 = 57 + extensionRenegotiationInfo uint16 = 0xff01 +) + +// TLS signaling cipher suite values +const ( + scsvRenegotiation uint16 = 0x00ff +) + +// CurveID is the type of a TLS identifier for an elliptic curve. See +// https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-8. +// +// In TLS 1.3, this type is called NamedGroup, but at this time this library +// only supports Elliptic Curve based groups. See RFC 8446, Section 4.2.7. +type CurveID uint16 + +const ( + CurveP256 CurveID = 23 + CurveP384 CurveID = 24 + CurveP521 CurveID = 25 + X25519 CurveID = 29 +) + +// TLS 1.3 Key Share. See RFC 8446, Section 4.2.8. +type keyShare struct { + group CurveID + data []byte +} + +// TLS 1.3 PSK Key Exchange Modes. See RFC 8446, Section 4.2.9. +const ( + pskModePlain uint8 = 0 + pskModeDHE uint8 = 1 +) + +// TLS 1.3 PSK Identity. Can be a Session Ticket, or a reference to a saved +// session. See RFC 8446, Section 4.2.11. +type pskIdentity struct { + label []byte + obfuscatedTicketAge uint32 +} + +// TLS Elliptic Curve Point Formats +// https://www.iana.org/assignments/tls-parameters/tls-parameters.xml#tls-parameters-9 +const ( + pointFormatUncompressed uint8 = 0 +) + +// TLS CertificateStatusType (RFC 3546) +const ( + statusTypeOCSP uint8 = 1 +) + +// Certificate types (for certificateRequestMsg) +const ( + certTypeRSASign = 1 + certTypeECDSASign = 64 // ECDSA or EdDSA keys, see RFC 8422, Section 3. +) + +// Signature algorithms (for internal signaling use). Starting at 225 to avoid overlap with +// TLS 1.2 codepoints (RFC 5246, Appendix A.4.1), with which these have nothing to do. +const ( + signaturePKCS1v15 uint8 = iota + 225 + signatureRSAPSS + signatureECDSA + signatureEd25519 +) + +// directSigning is a standard Hash value that signals that no pre-hashing +// should be performed, and that the input should be signed directly. It is the +// hash function associated with the Ed25519 signature scheme. +var directSigning crypto.Hash = 0 + +// defaultSupportedSignatureAlgorithms contains the signature and hash algorithms that +// the code advertises as supported in a TLS 1.2+ ClientHello and in a TLS 1.2+ +// CertificateRequest. The two fields are merged to match with TLS 1.3. +// Note that in TLS 1.2, the ECDSA algorithms are not constrained to P-256, etc. +var defaultSupportedSignatureAlgorithms = []SignatureScheme{ + PSSWithSHA256, + ECDSAWithP256AndSHA256, + Ed25519, + PSSWithSHA384, + PSSWithSHA512, + PKCS1WithSHA256, + PKCS1WithSHA384, + PKCS1WithSHA512, + ECDSAWithP384AndSHA384, + ECDSAWithP521AndSHA512, + PKCS1WithSHA1, + ECDSAWithSHA1, +} + +// helloRetryRequestRandom is set as the Random value of a ServerHello +// to signal that the message is actually a HelloRetryRequest. +var helloRetryRequestRandom = []byte{ // See RFC 8446, Section 4.1.3. + 0xCF, 0x21, 0xAD, 0x74, 0xE5, 0x9A, 0x61, 0x11, + 0xBE, 0x1D, 0x8C, 0x02, 0x1E, 0x65, 0xB8, 0x91, + 0xC2, 0xA2, 0x11, 0x16, 0x7A, 0xBB, 0x8C, 0x5E, + 0x07, 0x9E, 0x09, 0xE2, 0xC8, 0xA8, 0x33, 0x9C, +} + +const ( + // downgradeCanaryTLS12 or downgradeCanaryTLS11 is embedded in the server + // random as a downgrade protection if the server would be capable of + // negotiating a higher version. See RFC 8446, Section 4.1.3. + downgradeCanaryTLS12 = "DOWNGRD\x01" + downgradeCanaryTLS11 = "DOWNGRD\x00" +) + +// testingOnlyForceDowngradeCanary is set in tests to force the server side to +// include downgrade canaries even if it's using its highers supported version. +var testingOnlyForceDowngradeCanary bool + +// ConnectionState records basic TLS details about the connection. +type ConnectionState struct { + // Version is the TLS version used by the connection (e.g. VersionTLS12). + Version uint16 + + // HandshakeComplete is true if the handshake has concluded. + HandshakeComplete bool + + // DidResume is true if this connection was successfully resumed from a + // previous session with a session ticket or similar mechanism. + DidResume bool + + // CipherSuite is the cipher suite negotiated for the connection (e.g. + // TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_AES_128_GCM_SHA256). + CipherSuite uint16 + + // NegotiatedProtocol is the application protocol negotiated with ALPN. + NegotiatedProtocol string + + // NegotiatedProtocolIsMutual used to indicate a mutual NPN negotiation. + // + // Deprecated: this value is always true. + NegotiatedProtocolIsMutual bool + + // ServerName is the value of the Server Name Indication extension sent by + // the client. It's available both on the server and on the client side. + ServerName string + + // PeerCertificates are the parsed certificates sent by the peer, in the + // order in which they were sent. The first element is the leaf certificate + // that the connection is verified against. + // + // On the client side, it can't be empty. On the server side, it can be + // empty if Config.ClientAuth is not RequireAnyClientCert or + // RequireAndVerifyClientCert. + // + // PeerCertificates and its contents should not be modified. + PeerCertificates []*x509.Certificate + + // VerifiedChains is a list of one or more chains where the first element is + // PeerCertificates[0] and the last element is from Config.RootCAs (on the + // client side) or Config.ClientCAs (on the server side). + // + // On the client side, it's set if Config.InsecureSkipVerify is false. On + // the server side, it's set if Config.ClientAuth is VerifyClientCertIfGiven + // (and the peer provided a certificate) or RequireAndVerifyClientCert. + // + // VerifiedChains and its contents should not be modified. + VerifiedChains [][]*x509.Certificate + + // SignedCertificateTimestamps is a list of SCTs provided by the peer + // through the TLS handshake for the leaf certificate, if any. + SignedCertificateTimestamps [][]byte + + // OCSPResponse is a stapled Online Certificate Status Protocol (OCSP) + // response provided by the peer for the leaf certificate, if any. + OCSPResponse []byte + + // TLSUnique contains the "tls-unique" channel binding value (see RFC 5929, + // Section 3). This value will be nil for TLS 1.3 connections and for + // resumed connections that don't support Extended Master Secret (RFC 7627). + TLSUnique []byte + + // ekm is a closure exposed via ExportKeyingMaterial. + ekm func(label string, context []byte, length int) ([]byte, error) +} + +// ExportKeyingMaterial returns length bytes of exported key material in a new +// slice as defined in RFC 5705. If context is nil, it is not used as part of +// the seed. If the connection was set to allow renegotiation via +// Config.Renegotiation, or if the connections supports neither TLS 1.3 nor +// Extended Master Secret, this function will return an error. +// +// Exporting key material without Extended Master Secret or TLS 1.3 was disabled +// in Go 1.22 due to security issues (see the Security Considerations sections +// of RFC 5705 and RFC 7627), but can be re-enabled with the GODEBUG setting +// tlsunsafeekm=1. +func (cs *ConnectionState) ExportKeyingMaterial(label string, context []byte, length int) ([]byte, error) { + return cs.ekm(label, context, length) +} + +// ClientAuthType declares the policy the server will follow for +// TLS Client Authentication. +type ClientAuthType int + +const ( + // NoClientCert indicates that no client certificate should be requested + // during the handshake, and if any certificates are sent they will not + // be verified. + NoClientCert ClientAuthType = iota + // RequestClientCert indicates that a client certificate should be requested + // during the handshake, but does not require that the client send any + // certificates. + RequestClientCert + // RequireAnyClientCert indicates that a client certificate should be requested + // during the handshake, and that at least one certificate is required to be + // sent by the client, but that certificate is not required to be valid. + RequireAnyClientCert + // VerifyClientCertIfGiven indicates that a client certificate should be requested + // during the handshake, but does not require that the client sends a + // certificate. If the client does send a certificate it is required to be + // valid. + VerifyClientCertIfGiven + // RequireAndVerifyClientCert indicates that a client certificate should be requested + // during the handshake, and that at least one valid certificate is required + // to be sent by the client. + RequireAndVerifyClientCert +) + +// requiresClientCert reports whether the ClientAuthType requires a client +// certificate to be provided. +func requiresClientCert(c ClientAuthType) bool { + switch c { + case RequireAnyClientCert, RequireAndVerifyClientCert: + return true + default: + return false + } +} + +// ClientSessionCache is a cache of ClientSessionState objects that can be used +// by a client to resume a TLS session with a given server. ClientSessionCache +// implementations should expect to be called concurrently from different +// goroutines. Up to TLS 1.2, only ticket-based resumption is supported, not +// SessionID-based resumption. In TLS 1.3 they were merged into PSK modes, which +// are supported via this interface. +type ClientSessionCache interface { + // Get searches for a ClientSessionState associated with the given key. + // On return, ok is true if one was found. + Get(sessionKey string) (session *ClientSessionState, ok bool) + + // Put adds the ClientSessionState to the cache with the given key. It might + // get called multiple times in a connection if a TLS 1.3 server provides + // more than one session ticket. If called with a nil *ClientSessionState, + // it should remove the cache entry. + Put(sessionKey string, cs *ClientSessionState) +} + +//go:generate stringer -type=SignatureScheme,CurveID,ClientAuthType -output=common_string.go + +// SignatureScheme identifies a signature algorithm supported by TLS. See +// RFC 8446, Section 4.2.3. +type SignatureScheme uint16 + +const ( + // RSASSA-PKCS1-v1_5 algorithms. + PKCS1WithSHA256 SignatureScheme = 0x0401 + PKCS1WithSHA384 SignatureScheme = 0x0501 + PKCS1WithSHA512 SignatureScheme = 0x0601 + + // RSASSA-PSS algorithms with public key OID rsaEncryption. + PSSWithSHA256 SignatureScheme = 0x0804 + PSSWithSHA384 SignatureScheme = 0x0805 + PSSWithSHA512 SignatureScheme = 0x0806 + + // ECDSA algorithms. Only constrained to a specific curve in TLS 1.3. + ECDSAWithP256AndSHA256 SignatureScheme = 0x0403 + ECDSAWithP384AndSHA384 SignatureScheme = 0x0503 + ECDSAWithP521AndSHA512 SignatureScheme = 0x0603 + + // EdDSA algorithms. + Ed25519 SignatureScheme = 0x0807 + + // Legacy signature and hash algorithms for TLS 1.2. + PKCS1WithSHA1 SignatureScheme = 0x0201 + ECDSAWithSHA1 SignatureScheme = 0x0203 +) + +// ClientHelloInfo contains information from a ClientHello message in order to +// guide application logic in the GetCertificate and GetConfigForClient callbacks. +type ClientHelloInfo struct { + // CipherSuites lists the CipherSuites supported by the client (e.g. + // TLS_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256). + CipherSuites []uint16 + + // ServerName indicates the name of the server requested by the client + // in order to support virtual hosting. ServerName is only set if the + // client is using SNI (see RFC 4366, Section 3.1). + ServerName string + + // SupportedCurves lists the elliptic curves supported by the client. + // SupportedCurves is set only if the Supported Elliptic Curves + // Extension is being used (see RFC 4492, Section 5.1.1). + SupportedCurves []CurveID + + // SupportedPoints lists the point formats supported by the client. + // SupportedPoints is set only if the Supported Point Formats Extension + // is being used (see RFC 4492, Section 5.1.2). + SupportedPoints []uint8 + + // SignatureSchemes lists the signature and hash schemes that the client + // is willing to verify. SignatureSchemes is set only if the Signature + // Algorithms Extension is being used (see RFC 5246, Section 7.4.1.4.1). + SignatureSchemes []SignatureScheme + + // SupportedProtos lists the application protocols supported by the client. + // SupportedProtos is set only if the Application-Layer Protocol + // Negotiation Extension is being used (see RFC 7301, Section 3.1). + // + // Servers can select a protocol by setting Config.NextProtos in a + // GetConfigForClient return value. + SupportedProtos []string + + // SupportedVersions lists the TLS versions supported by the client. + // For TLS versions less than 1.3, this is extrapolated from the max + // version advertised by the client, so values other than the greatest + // might be rejected if used. + SupportedVersions []uint16 + + // Conn is the underlying net.Conn for the connection. Do not read + // from, or write to, this connection; that will cause the TLS + // connection to fail. + Conn net.Conn + + // config is embedded by the GetCertificate or GetConfigForClient caller, + // for use with SupportsCertificate. + config *Config + + // ctx is the context of the handshake that is in progress. + ctx context.Context +} + +// Context returns the context of the handshake that is in progress. +// This context is a child of the context passed to HandshakeContext, +// if any, and is canceled when the handshake concludes. +func (c *ClientHelloInfo) Context() context.Context { + return c.ctx +} + +// CertificateRequestInfo contains information from a server's +// CertificateRequest message, which is used to demand a certificate and proof +// of control from a client. +type CertificateRequestInfo struct { + // AcceptableCAs contains zero or more, DER-encoded, X.501 + // Distinguished Names. These are the names of root or intermediate CAs + // that the server wishes the returned certificate to be signed by. An + // empty slice indicates that the server has no preference. + AcceptableCAs [][]byte + + // SignatureSchemes lists the signature schemes that the server is + // willing to verify. + SignatureSchemes []SignatureScheme + + // Version is the TLS version that was negotiated for this connection. + Version uint16 + + // ctx is the context of the handshake that is in progress. + ctx context.Context +} + +// Context returns the context of the handshake that is in progress. +// This context is a child of the context passed to HandshakeContext, +// if any, and is canceled when the handshake concludes. +func (c *CertificateRequestInfo) Context() context.Context { + return c.ctx +} + +// RenegotiationSupport enumerates the different levels of support for TLS +// renegotiation. TLS renegotiation is the act of performing subsequent +// handshakes on a connection after the first. This significantly complicates +// the state machine and has been the source of numerous, subtle security +// issues. Initiating a renegotiation is not supported, but support for +// accepting renegotiation requests may be enabled. +// +// Even when enabled, the server may not change its identity between handshakes +// (i.e. the leaf certificate must be the same). Additionally, concurrent +// handshake and application data flow is not permitted so renegotiation can +// only be used with protocols that synchronise with the renegotiation, such as +// HTTPS. +// +// Renegotiation is not defined in TLS 1.3. +type RenegotiationSupport int + +const ( + // RenegotiateNever disables renegotiation. + RenegotiateNever RenegotiationSupport = iota + + // RenegotiateOnceAsClient allows a remote server to request + // renegotiation once per connection. + RenegotiateOnceAsClient + + // RenegotiateFreelyAsClient allows a remote server to repeatedly + // request renegotiation. + RenegotiateFreelyAsClient +) + +// A Config structure is used to configure a TLS client or server. +// After one has been passed to a TLS function it must not be +// modified. A Config may be reused; the tls package will also not +// modify it. +type Config struct { + // Rand provides the source of entropy for nonces and RSA blinding. + // If Rand is nil, TLS uses the cryptographic random reader in package + // crypto/rand. + // The Reader must be safe for use by multiple goroutines. + Rand io.Reader + + // Time returns the current time as the number of seconds since the epoch. + // If Time is nil, TLS uses time.Now. + Time func() time.Time + + // Certificates contains one or more certificate chains to present to the + // other side of the connection. The first certificate compatible with the + // peer's requirements is selected automatically. + // + // Server configurations must set one of Certificates, GetCertificate or + // GetConfigForClient. Clients doing client-authentication may set either + // Certificates or GetClientCertificate. + // + // Note: if there are multiple Certificates, and they don't have the + // optional field Leaf set, certificate selection will incur a significant + // per-handshake performance cost. + Certificates []Certificate + + // NameToCertificate maps from a certificate name to an element of + // Certificates. Note that a certificate name can be of the form + // '*.example.com' and so doesn't have to be a domain name as such. + // + // Deprecated: NameToCertificate only allows associating a single + // certificate with a given name. Leave this field nil to let the library + // select the first compatible chain from Certificates. + NameToCertificate map[string]*Certificate + + // GetCertificate returns a Certificate based on the given + // ClientHelloInfo. It will only be called if the client supplies SNI + // information or if Certificates is empty. + // + // If GetCertificate is nil or returns nil, then the certificate is + // retrieved from NameToCertificate. If NameToCertificate is nil, the + // best element of Certificates will be used. + // + // Once a Certificate is returned it should not be modified. + GetCertificate func(*ClientHelloInfo) (*Certificate, error) + + // GetClientCertificate, if not nil, is called when a server requests a + // certificate from a client. If set, the contents of Certificates will + // be ignored. + // + // If GetClientCertificate returns an error, the handshake will be + // aborted and that error will be returned. Otherwise + // GetClientCertificate must return a non-nil Certificate. If + // Certificate.Certificate is empty then no certificate will be sent to + // the server. If this is unacceptable to the server then it may abort + // the handshake. + // + // GetClientCertificate may be called multiple times for the same + // connection if renegotiation occurs or if TLS 1.3 is in use. + // + // Once a Certificate is returned it should not be modified. + GetClientCertificate func(*CertificateRequestInfo) (*Certificate, error) + + // GetConfigForClient, if not nil, is called after a ClientHello is + // received from a client. It may return a non-nil Config in order to + // change the Config that will be used to handle this connection. If + // the returned Config is nil, the original Config will be used. The + // Config returned by this callback may not be subsequently modified. + // + // If GetConfigForClient is nil, the Config passed to Server() will be + // used for all connections. + // + // If SessionTicketKey was explicitly set on the returned Config, or if + // SetSessionTicketKeys was called on the returned Config, those keys will + // be used. Otherwise, the original Config keys will be used (and possibly + // rotated if they are automatically managed). + GetConfigForClient func(*ClientHelloInfo) (*Config, error) + + // VerifyPeerCertificate, if not nil, is called after normal + // certificate verification by either a TLS client or server. It + // receives the raw ASN.1 certificates provided by the peer and also + // any verified chains that normal processing found. If it returns a + // non-nil error, the handshake is aborted and that error results. + // + // If normal verification fails then the handshake will abort before + // considering this callback. If normal verification is disabled (on the + // client when InsecureSkipVerify is set, or on a server when ClientAuth is + // RequestClientCert or RequireAnyClientCert), then this callback will be + // considered but the verifiedChains argument will always be nil. When + // ClientAuth is NoClientCert, this callback is not called on the server. + // rawCerts may be empty on the server if ClientAuth is RequestClientCert or + // VerifyClientCertIfGiven. + // + // This callback is not invoked on resumed connections, as certificates are + // not re-verified on resumption. + // + // verifiedChains and its contents should not be modified. + VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error + + // VerifyConnection, if not nil, is called after normal certificate + // verification and after VerifyPeerCertificate by either a TLS client + // or server. If it returns a non-nil error, the handshake is aborted + // and that error results. + // + // If normal verification fails then the handshake will abort before + // considering this callback. This callback will run for all connections, + // including resumptions, regardless of InsecureSkipVerify or ClientAuth + // settings. + VerifyConnection func(ConnectionState) error + + // RootCAs defines the set of root certificate authorities + // that clients use when verifying server certificates. + // If RootCAs is nil, TLS uses the host's root CA set. + RootCAs *x509.CertPool + + // NextProtos is a list of supported application level protocols, in + // order of preference. If both peers support ALPN, the selected + // protocol will be one from this list, and the connection will fail + // if there is no mutually supported protocol. If NextProtos is empty + // or the peer doesn't support ALPN, the connection will succeed and + // ConnectionState.NegotiatedProtocol will be empty. + NextProtos []string + + // ServerName is used to verify the hostname on the returned + // certificates unless InsecureSkipVerify is given. It is also included + // in the client's handshake to support virtual hosting unless it is + // an IP address. + ServerName string + + // ClientAuth determines the server's policy for + // TLS Client Authentication. The default is NoClientCert. + ClientAuth ClientAuthType + + // ClientCAs defines the set of root certificate authorities + // that servers use if required to verify a client certificate + // by the policy in ClientAuth. + ClientCAs *x509.CertPool + + // InsecureSkipVerify controls whether a client verifies the server's + // certificate chain and host name. If InsecureSkipVerify is true, crypto/tls + // accepts any certificate presented by the server and any host name in that + // certificate. In this mode, TLS is susceptible to machine-in-the-middle + // attacks unless custom verification is used. This should be used only for + // testing or in combination with VerifyConnection or VerifyPeerCertificate. + InsecureSkipVerify bool + + // CipherSuites is a list of enabled TLS 1.0–1.2 cipher suites. The order of + // the list is ignored. Note that TLS 1.3 ciphersuites are not configurable. + // + // If CipherSuites is nil, a safe default list is used. The default cipher + // suites might change over time. In Go 1.22 RSA key exchange based cipher + // suites were removed from the default list, but can be re-added with the + // GODEBUG setting tlsrsakex=1. + CipherSuites []uint16 + + // PreferServerCipherSuites is a legacy field and has no effect. + // + // It used to control whether the server would follow the client's or the + // server's preference. Servers now select the best mutually supported + // cipher suite based on logic that takes into account inferred client + // hardware, server hardware, and security. + // + // Deprecated: PreferServerCipherSuites is ignored. + PreferServerCipherSuites bool + + // SessionTicketsDisabled may be set to true to disable session ticket and + // PSK (resumption) support. Note that on clients, session ticket support is + // also disabled if ClientSessionCache is nil. + SessionTicketsDisabled bool + + // SessionTicketKey is used by TLS servers to provide session resumption. + // See RFC 5077 and the PSK mode of RFC 8446. If zero, it will be filled + // with random data before the first server handshake. + // + // Deprecated: if this field is left at zero, session ticket keys will be + // automatically rotated every day and dropped after seven days. For + // customizing the rotation schedule or synchronizing servers that are + // terminating connections for the same host, use SetSessionTicketKeys. + SessionTicketKey [32]byte + + // ClientSessionCache is a cache of ClientSessionState entries for TLS + // session resumption. It is only used by clients. + ClientSessionCache ClientSessionCache + + // UnwrapSession is called on the server to turn a ticket/identity + // previously produced by [WrapSession] into a usable session. + // + // UnwrapSession will usually either decrypt a session state in the ticket + // (for example with [Config.EncryptTicket]), or use the ticket as a handle + // to recover a previously stored state. It must use [ParseSessionState] to + // deserialize the session state. + // + // If UnwrapSession returns an error, the connection is terminated. If it + // returns (nil, nil), the session is ignored. crypto/tls may still choose + // not to resume the returned session. + UnwrapSession func(identity []byte, cs ConnectionState) (*SessionState, error) + + // WrapSession is called on the server to produce a session ticket/identity. + // + // WrapSession must serialize the session state with [SessionState.Bytes]. + // It may then encrypt the serialized state (for example with + // [Config.DecryptTicket]) and use it as the ticket, or store the state and + // return a handle for it. + // + // If WrapSession returns an error, the connection is terminated. + // + // Warning: the return value will be exposed on the wire and to clients in + // plaintext. The application is in charge of encrypting and authenticating + // it (and rotating keys) or returning high-entropy identifiers. Failing to + // do so correctly can compromise current, previous, and future connections + // depending on the protocol version. + WrapSession func(ConnectionState, *SessionState) ([]byte, error) + + // MinVersion contains the minimum TLS version that is acceptable. + // + // By default, TLS 1.2 is currently used as the minimum. TLS 1.0 is the + // minimum supported by this package. + // + // The server-side default can be reverted to TLS 1.0 by including the value + // "tls10server=1" in the GODEBUG environment variable. + MinVersion uint16 + + // MaxVersion contains the maximum TLS version that is acceptable. + // + // By default, the maximum version supported by this package is used, + // which is currently TLS 1.3. + MaxVersion uint16 + + // CurvePreferences contains the elliptic curves that will be used in + // an ECDHE handshake, in preference order. If empty, the default will + // be used. The client will use the first preference as the type for + // its key share in TLS 1.3. This may change in the future. + CurvePreferences []CurveID + + // DynamicRecordSizingDisabled disables adaptive sizing of TLS records. + // When true, the largest possible TLS record size is always used. When + // false, the size of TLS records may be adjusted in an attempt to + // improve latency. + DynamicRecordSizingDisabled bool + + // Renegotiation controls what types of renegotiation are supported. + // The default, none, is correct for the vast majority of applications. + Renegotiation RenegotiationSupport + + // KeyLogWriter optionally specifies a destination for TLS master secrets + // in NSS key log format that can be used to allow external programs + // such as Wireshark to decrypt TLS connections. + // See https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Key_Log_Format. + // Use of KeyLogWriter compromises security and should only be + // used for debugging. + KeyLogWriter io.Writer + + // mutex protects sessionTicketKeys and autoSessionTicketKeys. + mutex sync.RWMutex + // sessionTicketKeys contains zero or more ticket keys. If set, it means + // the keys were set with SessionTicketKey or SetSessionTicketKeys. The + // first key is used for new tickets and any subsequent keys can be used to + // decrypt old tickets. The slice contents are not protected by the mutex + // and are immutable. + sessionTicketKeys []ticketKey + // autoSessionTicketKeys is like sessionTicketKeys but is owned by the + // auto-rotation logic. See Config.ticketKeys. + autoSessionTicketKeys []ticketKey +} + +const ( + // ticketKeyLifetime is how long a ticket key remains valid and can be used to + // resume a client connection. + ticketKeyLifetime = 7 * 24 * time.Hour // 7 days + + // ticketKeyRotation is how often the server should rotate the session ticket key + // that is used for new tickets. + ticketKeyRotation = 24 * time.Hour +) + +// ticketKey is the internal representation of a session ticket key. +type ticketKey struct { + aesKey [16]byte + hmacKey [16]byte + // created is the time at which this ticket key was created. See Config.ticketKeys. + created time.Time +} + +// ticketKeyFromBytes converts from the external representation of a session +// ticket key to a ticketKey. Externally, session ticket keys are 32 random +// bytes and this function expands that into sufficient name and key material. +func (c *Config) ticketKeyFromBytes(b [32]byte) (key ticketKey) { + hashed := sha512.Sum512(b[:]) + // The first 16 bytes of the hash used to be exposed on the wire as a ticket + // prefix. They MUST NOT be used as a secret. In the future, it would make + // sense to use a proper KDF here, like HKDF with a fixed salt. + const legacyTicketKeyNameLen = 16 + copy(key.aesKey[:], hashed[legacyTicketKeyNameLen:]) + copy(key.hmacKey[:], hashed[legacyTicketKeyNameLen+len(key.aesKey):]) + key.created = c.time() + return key +} + +// maxSessionTicketLifetime is the maximum allowed lifetime of a TLS 1.3 session +// ticket, and the lifetime we set for all tickets we send. +const maxSessionTicketLifetime = 7 * 24 * time.Hour + +// Clone returns a shallow clone of c or nil if c is nil. It is safe to clone a [Config] that is +// being used concurrently by a TLS client or server. +func (c *Config) Clone() *Config { + if c == nil { + return nil + } + c.mutex.RLock() + defer c.mutex.RUnlock() + return &Config{ + Rand: c.Rand, + Time: c.Time, + Certificates: c.Certificates, + NameToCertificate: c.NameToCertificate, + GetCertificate: c.GetCertificate, + GetClientCertificate: c.GetClientCertificate, + GetConfigForClient: c.GetConfigForClient, + VerifyPeerCertificate: c.VerifyPeerCertificate, + VerifyConnection: c.VerifyConnection, + RootCAs: c.RootCAs, + NextProtos: c.NextProtos, + ServerName: c.ServerName, + ClientAuth: c.ClientAuth, + ClientCAs: c.ClientCAs, + InsecureSkipVerify: c.InsecureSkipVerify, + CipherSuites: c.CipherSuites, + PreferServerCipherSuites: c.PreferServerCipherSuites, + SessionTicketsDisabled: c.SessionTicketsDisabled, + SessionTicketKey: c.SessionTicketKey, + ClientSessionCache: c.ClientSessionCache, + UnwrapSession: c.UnwrapSession, + WrapSession: c.WrapSession, + MinVersion: c.MinVersion, + MaxVersion: c.MaxVersion, + CurvePreferences: c.CurvePreferences, + DynamicRecordSizingDisabled: c.DynamicRecordSizingDisabled, + Renegotiation: c.Renegotiation, + KeyLogWriter: c.KeyLogWriter, + sessionTicketKeys: c.sessionTicketKeys, + autoSessionTicketKeys: c.autoSessionTicketKeys, + } +} + +// deprecatedSessionTicketKey is set as the prefix of SessionTicketKey if it was +// randomized for backwards compatibility but is not in use. +var deprecatedSessionTicketKey = []byte("DEPRECATED") + +// initLegacySessionTicketKeyRLocked ensures the legacy SessionTicketKey field is +// randomized if empty, and that sessionTicketKeys is populated from it otherwise. +func (c *Config) initLegacySessionTicketKeyRLocked() { + // Don't write if SessionTicketKey is already defined as our deprecated string, + // or if it is defined by the user but sessionTicketKeys is already set. + if c.SessionTicketKey != [32]byte{} && + (bytes.HasPrefix(c.SessionTicketKey[:], deprecatedSessionTicketKey) || len(c.sessionTicketKeys) > 0) { + return + } + + // We need to write some data, so get an exclusive lock and re-check any conditions. + c.mutex.RUnlock() + defer c.mutex.RLock() + c.mutex.Lock() + defer c.mutex.Unlock() + if c.SessionTicketKey == [32]byte{} { + if _, err := io.ReadFull(c.rand(), c.SessionTicketKey[:]); err != nil { + panic(fmt.Sprintf("tls: unable to generate random session ticket key: %v", err)) + } + // Write the deprecated prefix at the beginning so we know we created + // it. This key with the DEPRECATED prefix isn't used as an actual + // session ticket key, and is only randomized in case the application + // reuses it for some reason. + copy(c.SessionTicketKey[:], deprecatedSessionTicketKey) + } else if !bytes.HasPrefix(c.SessionTicketKey[:], deprecatedSessionTicketKey) && len(c.sessionTicketKeys) == 0 { + c.sessionTicketKeys = []ticketKey{c.ticketKeyFromBytes(c.SessionTicketKey)} + } + +} + +// ticketKeys returns the ticketKeys for this connection. +// If configForClient has explicitly set keys, those will +// be returned. Otherwise, the keys on c will be used and +// may be rotated if auto-managed. +// During rotation, any expired session ticket keys are deleted from +// c.sessionTicketKeys. If the session ticket key that is currently +// encrypting tickets (ie. the first ticketKey in c.sessionTicketKeys) +// is not fresh, then a new session ticket key will be +// created and prepended to c.sessionTicketKeys. +func (c *Config) ticketKeys(configForClient *Config) []ticketKey { + // If the ConfigForClient callback returned a Config with explicitly set + // keys, use those, otherwise just use the original Config. + if configForClient != nil { + configForClient.mutex.RLock() + if configForClient.SessionTicketsDisabled { + return nil + } + configForClient.initLegacySessionTicketKeyRLocked() + if len(configForClient.sessionTicketKeys) != 0 { + ret := configForClient.sessionTicketKeys + configForClient.mutex.RUnlock() + return ret + } + configForClient.mutex.RUnlock() + } + + c.mutex.RLock() + defer c.mutex.RUnlock() + if c.SessionTicketsDisabled { + return nil + } + c.initLegacySessionTicketKeyRLocked() + if len(c.sessionTicketKeys) != 0 { + return c.sessionTicketKeys + } + // Fast path for the common case where the key is fresh enough. + if len(c.autoSessionTicketKeys) > 0 && c.time().Sub(c.autoSessionTicketKeys[0].created) < ticketKeyRotation { + return c.autoSessionTicketKeys + } + + // autoSessionTicketKeys are managed by auto-rotation. + c.mutex.RUnlock() + defer c.mutex.RLock() + c.mutex.Lock() + defer c.mutex.Unlock() + // Re-check the condition in case it changed since obtaining the new lock. + if len(c.autoSessionTicketKeys) == 0 || c.time().Sub(c.autoSessionTicketKeys[0].created) >= ticketKeyRotation { + var newKey [32]byte + if _, err := io.ReadFull(c.rand(), newKey[:]); err != nil { + panic(fmt.Sprintf("unable to generate random session ticket key: %v", err)) + } + valid := make([]ticketKey, 0, len(c.autoSessionTicketKeys)+1) + valid = append(valid, c.ticketKeyFromBytes(newKey)) + for _, k := range c.autoSessionTicketKeys { + // While rotating the current key, also remove any expired ones. + if c.time().Sub(k.created) < ticketKeyLifetime { + valid = append(valid, k) + } + } + c.autoSessionTicketKeys = valid + } + return c.autoSessionTicketKeys +} + +// SetSessionTicketKeys updates the session ticket keys for a server. +// +// The first key will be used when creating new tickets, while all keys can be +// used for decrypting tickets. It is safe to call this function while the +// server is running in order to rotate the session ticket keys. The function +// will panic if keys is empty. +// +// Calling this function will turn off automatic session ticket key rotation. +// +// If multiple servers are terminating connections for the same host they should +// all have the same session ticket keys. If the session ticket keys leaks, +// previously recorded and future TLS connections using those keys might be +// compromised. +func (c *Config) SetSessionTicketKeys(keys [][32]byte) { + if len(keys) == 0 { + panic("tls: keys must have at least one key") + } + + newKeys := make([]ticketKey, len(keys)) + for i, bytes := range keys { + newKeys[i] = c.ticketKeyFromBytes(bytes) + } + + c.mutex.Lock() + c.sessionTicketKeys = newKeys + c.mutex.Unlock() +} + +func (c *Config) rand() io.Reader { + r := c.Rand + if r == nil { + return rand.Reader + } + return r +} + +func (c *Config) time() time.Time { + t := c.Time + if t == nil { + t = time.Now + } + return t() +} + +//var tlsrsakex = godebug.New("tlsrsakex") + +func (c *Config) cipherSuites() []uint16 { + if needFIPS() { + return fipsCipherSuites(c) + } + if c.CipherSuites != nil { + return c.CipherSuites + } + /* if tlsrsakex.Value() == "1" { + return defaultCipherSuitesWithRSAKex + }*/ + return defaultCipherSuites +} + +var supportedVersions = []uint16{ + VersionTLS13, + VersionTLS12, + VersionTLS11, + VersionTLS10, +} + +// roleClient and roleServer are meant to call supportedVersions and parents +// with more readability at the callsite. +const roleClient = true +const roleServer = false + +//var tls10server = godebug.New("tls10server") + +func (c *Config) supportedVersions(isClient bool) []uint16 { + versions := make([]uint16, 0, len(supportedVersions)) + for _, v := range supportedVersions { + if needFIPS() && (v < fipsMinVersion(c) || v > fipsMaxVersion(c)) { + continue + } + if (c == nil || c.MinVersion == 0) && v < VersionTLS12 { + if isClient { + continue + } + } + if c != nil && c.MinVersion != 0 && v < c.MinVersion { + continue + } + if c != nil && c.MaxVersion != 0 && v > c.MaxVersion { + continue + } + versions = append(versions, v) + } + return versions +} + +func (c *Config) maxSupportedVersion(isClient bool) uint16 { + supportedVersions := c.supportedVersions(isClient) + if len(supportedVersions) == 0 { + return 0 + } + return supportedVersions[0] +} + +// supportedVersionsFromMax returns a list of supported versions derived from a +// legacy maximum version value. Note that only versions supported by this +// library are returned. Any newer peer will use supportedVersions anyway. +func supportedVersionsFromMax(maxVersion uint16) []uint16 { + versions := make([]uint16, 0, len(supportedVersions)) + for _, v := range supportedVersions { + if v > maxVersion { + continue + } + versions = append(versions, v) + } + return versions +} + +var defaultCurvePreferences = []CurveID{X25519, CurveP256, CurveP384, CurveP521} + +func (c *Config) curvePreferences() []CurveID { + if needFIPS() { + return fipsCurvePreferences(c) + } + if c == nil || len(c.CurvePreferences) == 0 { + return defaultCurvePreferences + } + return c.CurvePreferences +} + +func (c *Config) supportsCurve(curve CurveID) bool { + for _, cc := range c.curvePreferences() { + if cc == curve { + return true + } + } + return false +} + +// mutualVersion returns the protocol version to use given the advertised +// versions of the peer. Priority is given to the peer preference order. +func (c *Config) mutualVersion(isClient bool, peerVersions []uint16) (uint16, bool) { + supportedVersions := c.supportedVersions(isClient) + for _, peerVersion := range peerVersions { + for _, v := range supportedVersions { + if v == peerVersion { + return v, true + } + } + } + return 0, false +} + +var errNoCertificates = errors.New("tls: no certificates configured") + +// getCertificate returns the best certificate for the given ClientHelloInfo, +// defaulting to the first element of c.Certificates. +func (c *Config) getCertificate(clientHello *ClientHelloInfo) (*Certificate, error) { + if c.GetCertificate != nil && + (len(c.Certificates) == 0 || len(clientHello.ServerName) > 0) { + cert, err := c.GetCertificate(clientHello) + if cert != nil || err != nil { + return cert, err + } + } + + if len(c.Certificates) == 0 { + return nil, errNoCertificates + } + + if len(c.Certificates) == 1 { + // There's only one choice, so no point doing any work. + return &c.Certificates[0], nil + } + + if c.NameToCertificate != nil { + name := strings.ToLower(clientHello.ServerName) + if cert, ok := c.NameToCertificate[name]; ok { + return cert, nil + } + if len(name) > 0 { + labels := strings.Split(name, ".") + labels[0] = "*" + wildcardName := strings.Join(labels, ".") + if cert, ok := c.NameToCertificate[wildcardName]; ok { + return cert, nil + } + } + } + + for _, cert := range c.Certificates { + if err := clientHello.SupportsCertificate(&cert); err == nil { + return &cert, nil + } + } + + // If nothing matches, return the first certificate. + return &c.Certificates[0], nil +} + +// SupportsCertificate returns nil if the provided certificate is supported by +// the client that sent the ClientHello. Otherwise, it returns an error +// describing the reason for the incompatibility. +// +// If this [ClientHelloInfo] was passed to a GetConfigForClient or GetCertificate +// callback, this method will take into account the associated [Config]. Note that +// if GetConfigForClient returns a different [Config], the change can't be +// accounted for by this method. +// +// This function will call x509.ParseCertificate unless c.Leaf is set, which can +// incur a significant performance cost. +func (chi *ClientHelloInfo) SupportsCertificate(c *Certificate) error { + // Note we don't currently support certificate_authorities nor + // signature_algorithms_cert, and don't check the algorithms of the + // signatures on the chain (which anyway are a SHOULD, see RFC 8446, + // Section 4.4.2.2). + + config := chi.config + if config == nil { + config = &Config{} + } + vers, ok := config.mutualVersion(roleServer, chi.SupportedVersions) + if !ok { + return errors.New("no mutually supported protocol versions") + } + + // If the client specified the name they are trying to connect to, the + // certificate needs to be valid for it. + if chi.ServerName != "" { + x509Cert, err := c.leaf() + if err != nil { + return fmt.Errorf("failed to parse certificate: %w", err) + } + if err := x509Cert.VerifyHostname(chi.ServerName); err != nil { + return fmt.Errorf("certificate is not valid for requested server name: %w", err) + } + } + + // supportsRSAFallback returns nil if the certificate and connection support + // the static RSA key exchange, and unsupported otherwise. The logic for + // supporting static RSA is completely disjoint from the logic for + // supporting signed key exchanges, so we just check it as a fallback. + supportsRSAFallback := func(unsupported error) error { + // TLS 1.3 dropped support for the static RSA key exchange. + if vers == VersionTLS13 { + return unsupported + } + // The static RSA key exchange works by decrypting a challenge with the + // RSA private key, not by signing, so check the PrivateKey implements + // crypto.Decrypter, like *rsa.PrivateKey does. + if priv, ok := c.PrivateKey.(crypto.Decrypter); ok { + if _, ok := priv.Public().(*rsa.PublicKey); !ok { + return unsupported + } + } else { + return unsupported + } + // Finally, there needs to be a mutual cipher suite that uses the static + // RSA key exchange instead of ECDHE. + rsaCipherSuite := selectCipherSuite(chi.CipherSuites, config.cipherSuites(), func(c *cipherSuite) bool { + if c.flags&suiteECDHE != 0 { + return false + } + if vers < VersionTLS12 && c.flags&suiteTLS12 != 0 { + return false + } + return true + }) + if rsaCipherSuite == nil { + return unsupported + } + return nil + } + + // If the client sent the signature_algorithms extension, ensure it supports + // schemes we can use with this certificate and TLS version. + if len(chi.SignatureSchemes) > 0 { + if _, err := selectSignatureScheme(vers, c, chi.SignatureSchemes); err != nil { + return supportsRSAFallback(err) + } + } + + // In TLS 1.3 we are done because supported_groups is only relevant to the + // ECDHE computation, point format negotiation is removed, cipher suites are + // only relevant to the AEAD choice, and static RSA does not exist. + if vers == VersionTLS13 { + return nil + } + + // The only signed key exchange we support is ECDHE. + if !supportsECDHE(config, chi.SupportedCurves, chi.SupportedPoints) { + return supportsRSAFallback(errors.New("client doesn't support ECDHE, can only use legacy RSA key exchange")) + } + + var ecdsaCipherSuite bool + if priv, ok := c.PrivateKey.(crypto.Signer); ok { + switch pub := priv.Public().(type) { + case *ecdsa.PublicKey: + var curve CurveID + switch pub.Curve { + case elliptic.P256(): + curve = CurveP256 + case elliptic.P384(): + curve = CurveP384 + case elliptic.P521(): + curve = CurveP521 + default: + return supportsRSAFallback(unsupportedCertificateError(c)) + } + var curveOk bool + for _, c := range chi.SupportedCurves { + if c == curve && config.supportsCurve(c) { + curveOk = true + break + } + } + if !curveOk { + return errors.New("client doesn't support certificate curve") + } + ecdsaCipherSuite = true + case ed25519.PublicKey: + if vers < VersionTLS12 || len(chi.SignatureSchemes) == 0 { + return errors.New("connection doesn't support Ed25519") + } + ecdsaCipherSuite = true + case *rsa.PublicKey: + default: + return supportsRSAFallback(unsupportedCertificateError(c)) + } + } else { + return supportsRSAFallback(unsupportedCertificateError(c)) + } + + // Make sure that there is a mutually supported cipher suite that works with + // this certificate. Cipher suite selection will then apply the logic in + // reverse to pick it. See also serverHandshakeState.cipherSuiteOk. + cipherSuite := selectCipherSuite(chi.CipherSuites, config.cipherSuites(), func(c *cipherSuite) bool { + if c.flags&suiteECDHE == 0 { + return false + } + if c.flags&suiteECSign != 0 { + if !ecdsaCipherSuite { + return false + } + } else { + if ecdsaCipherSuite { + return false + } + } + if vers < VersionTLS12 && c.flags&suiteTLS12 != 0 { + return false + } + return true + }) + if cipherSuite == nil { + return supportsRSAFallback(errors.New("client doesn't support any cipher suites compatible with the certificate")) + } + + return nil +} + +// SupportsCertificate returns nil if the provided certificate is supported by +// the server that sent the CertificateRequest. Otherwise, it returns an error +// describing the reason for the incompatibility. +func (cri *CertificateRequestInfo) SupportsCertificate(c *Certificate) error { + if _, err := selectSignatureScheme(cri.Version, c, cri.SignatureSchemes); err != nil { + return err + } + + if len(cri.AcceptableCAs) == 0 { + return nil + } + + for j, cert := range c.Certificate { + x509Cert := c.Leaf + // Parse the certificate if this isn't the leaf node, or if + // chain.Leaf was nil. + if j != 0 || x509Cert == nil { + var err error + if x509Cert, err = x509.ParseCertificate(cert); err != nil { + return fmt.Errorf("failed to parse certificate #%d in the chain: %w", j, err) + } + } + + for _, ca := range cri.AcceptableCAs { + if bytes.Equal(x509Cert.RawIssuer, ca) { + return nil + } + } + } + return errors.New("chain is not signed by an acceptable CA") +} + +// BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate +// from the CommonName and SubjectAlternateName fields of each of the leaf +// certificates. +// +// Deprecated: NameToCertificate only allows associating a single certificate +// with a given name. Leave that field nil to let the library select the first +// compatible chain from Certificates. +func (c *Config) BuildNameToCertificate() { + c.NameToCertificate = make(map[string]*Certificate) + for i := range c.Certificates { + cert := &c.Certificates[i] + x509Cert, err := cert.leaf() + if err != nil { + continue + } + // If SANs are *not* present, some clients will consider the certificate + // valid for the name in the Common Name. + if x509Cert.Subject.CommonName != "" && len(x509Cert.DNSNames) == 0 { + c.NameToCertificate[x509Cert.Subject.CommonName] = cert + } + for _, san := range x509Cert.DNSNames { + c.NameToCertificate[san] = cert + } + } +} + +const ( + keyLogLabelTLS12 = "CLIENT_RANDOM" + keyLogLabelClientHandshake = "CLIENT_HANDSHAKE_TRAFFIC_SECRET" + keyLogLabelServerHandshake = "SERVER_HANDSHAKE_TRAFFIC_SECRET" + keyLogLabelClientTraffic = "CLIENT_TRAFFIC_SECRET_0" + keyLogLabelServerTraffic = "SERVER_TRAFFIC_SECRET_0" +) + +func (c *Config) writeKeyLog(label string, clientRandom, secret []byte) error { + if c.KeyLogWriter == nil { + return nil + } + + logLine := fmt.Appendf(nil, "%s %x %x\n", label, clientRandom, secret) + + writerMutex.Lock() + _, err := c.KeyLogWriter.Write(logLine) + writerMutex.Unlock() + + return err +} + +// writerMutex protects all KeyLogWriters globally. It is rarely enabled, +// and is only for debugging, so a global mutex saves space. +var writerMutex sync.Mutex + +// A Certificate is a chain of one or more certificates, leaf first. +type Certificate struct { + Certificate [][]byte + // PrivateKey contains the private key corresponding to the public key in + // Leaf. This must implement crypto.Signer with an RSA, ECDSA or Ed25519 PublicKey. + // For a server up to TLS 1.2, it can also implement crypto.Decrypter with + // an RSA PublicKey. + PrivateKey crypto.PrivateKey + // SupportedSignatureAlgorithms is an optional list restricting what + // signature algorithms the PrivateKey can be used for. + SupportedSignatureAlgorithms []SignatureScheme + // OCSPStaple contains an optional OCSP response which will be served + // to clients that request it. + OCSPStaple []byte + // SignedCertificateTimestamps contains an optional list of Signed + // Certificate Timestamps which will be served to clients that request it. + SignedCertificateTimestamps [][]byte + // Leaf is the parsed form of the leaf certificate, which may be initialized + // using x509.ParseCertificate to reduce per-handshake processing. If nil, + // the leaf certificate will be parsed as needed. + Leaf *x509.Certificate +} + +// leaf returns the parsed leaf certificate, either from c.Leaf or by parsing +// the corresponding c.Certificate[0]. +func (c *Certificate) leaf() (*x509.Certificate, error) { + if c.Leaf != nil { + return c.Leaf, nil + } + return x509.ParseCertificate(c.Certificate[0]) +} + +type handshakeMessage interface { + marshal() ([]byte, error) + unmarshal([]byte) bool +} + +// lruSessionCache is a ClientSessionCache implementation that uses an LRU +// caching strategy. +type lruSessionCache struct { + sync.Mutex + + m map[string]*list.Element + q *list.List + capacity int +} + +type lruSessionCacheEntry struct { + sessionKey string + state *ClientSessionState +} + +// NewLRUClientSessionCache returns a [ClientSessionCache] with the given +// capacity that uses an LRU strategy. If capacity is < 1, a default capacity +// is used instead. +func NewLRUClientSessionCache(capacity int) ClientSessionCache { + const defaultSessionCacheCapacity = 64 + + if capacity < 1 { + capacity = defaultSessionCacheCapacity + } + return &lruSessionCache{ + m: make(map[string]*list.Element), + q: list.New(), + capacity: capacity, + } +} + +// Put adds the provided (sessionKey, cs) pair to the cache. If cs is nil, the entry +// corresponding to sessionKey is removed from the cache instead. +func (c *lruSessionCache) Put(sessionKey string, cs *ClientSessionState) { + c.Lock() + defer c.Unlock() + + if elem, ok := c.m[sessionKey]; ok { + if cs == nil { + c.q.Remove(elem) + delete(c.m, sessionKey) + } else { + entry := elem.Value.(*lruSessionCacheEntry) + entry.state = cs + c.q.MoveToFront(elem) + } + return + } + + if c.q.Len() < c.capacity { + entry := &lruSessionCacheEntry{sessionKey, cs} + c.m[sessionKey] = c.q.PushFront(entry) + return + } + + elem := c.q.Back() + entry := elem.Value.(*lruSessionCacheEntry) + delete(c.m, entry.sessionKey) + entry.sessionKey = sessionKey + entry.state = cs + c.q.MoveToFront(elem) + c.m[sessionKey] = elem +} + +// Get returns the [ClientSessionState] value associated with a given key. It +// returns (nil, false) if no value is found. +func (c *lruSessionCache) Get(sessionKey string) (*ClientSessionState, bool) { + c.Lock() + defer c.Unlock() + + if elem, ok := c.m[sessionKey]; ok { + c.q.MoveToFront(elem) + return elem.Value.(*lruSessionCacheEntry).state, true + } + return nil, false +} + +var emptyConfig Config + +func defaultConfig() *Config { + return &emptyConfig +} + +func unexpectedMessageError(wanted, got any) error { + return fmt.Errorf("tls: received unexpected handshake message of type %T when waiting for %T", got, wanted) +} + +func isSupportedSignatureAlgorithm(sigAlg SignatureScheme, supportedSignatureAlgorithms []SignatureScheme) bool { + for _, s := range supportedSignatureAlgorithms { + if s == sigAlg { + return true + } + } + return false +} + +// CertificateVerificationError is returned when certificate verification fails during the handshake. +type CertificateVerificationError struct { + // UnverifiedCertificates and its contents should not be modified. + UnverifiedCertificates []*x509.Certificate + Err error +} + +func (e *CertificateVerificationError) Error() string { + return fmt.Sprintf("tls: failed to verify certificate: %s", e.Err) +} + +func (e *CertificateVerificationError) Unwrap() error { + return e.Err +} diff --git a/pkg/tls/common_string.go b/pkg/tls/common_string.go new file mode 100644 index 000000000..238108811 --- /dev/null +++ b/pkg/tls/common_string.go @@ -0,0 +1,116 @@ +// Code generated by "stringer -type=SignatureScheme,CurveID,ClientAuthType -output=common_string.go"; DO NOT EDIT. + +package tls + +import "strconv" + +func _() { + // An "invalid array index" compiler error signifies that the constant values have changed. + // Re-run the stringer command to generate them again. + var x [1]struct{} + _ = x[PKCS1WithSHA256-1025] + _ = x[PKCS1WithSHA384-1281] + _ = x[PKCS1WithSHA512-1537] + _ = x[PSSWithSHA256-2052] + _ = x[PSSWithSHA384-2053] + _ = x[PSSWithSHA512-2054] + _ = x[ECDSAWithP256AndSHA256-1027] + _ = x[ECDSAWithP384AndSHA384-1283] + _ = x[ECDSAWithP521AndSHA512-1539] + _ = x[Ed25519-2055] + _ = x[PKCS1WithSHA1-513] + _ = x[ECDSAWithSHA1-515] +} + +const ( + _SignatureScheme_name_0 = "PKCS1WithSHA1" + _SignatureScheme_name_1 = "ECDSAWithSHA1" + _SignatureScheme_name_2 = "PKCS1WithSHA256" + _SignatureScheme_name_3 = "ECDSAWithP256AndSHA256" + _SignatureScheme_name_4 = "PKCS1WithSHA384" + _SignatureScheme_name_5 = "ECDSAWithP384AndSHA384" + _SignatureScheme_name_6 = "PKCS1WithSHA512" + _SignatureScheme_name_7 = "ECDSAWithP521AndSHA512" + _SignatureScheme_name_8 = "PSSWithSHA256PSSWithSHA384PSSWithSHA512Ed25519" +) + +var ( + _SignatureScheme_index_8 = [...]uint8{0, 13, 26, 39, 46} +) + +func (i SignatureScheme) String() string { + switch { + case i == 513: + return _SignatureScheme_name_0 + case i == 515: + return _SignatureScheme_name_1 + case i == 1025: + return _SignatureScheme_name_2 + case i == 1027: + return _SignatureScheme_name_3 + case i == 1281: + return _SignatureScheme_name_4 + case i == 1283: + return _SignatureScheme_name_5 + case i == 1537: + return _SignatureScheme_name_6 + case i == 1539: + return _SignatureScheme_name_7 + case 2052 <= i && i <= 2055: + i -= 2052 + return _SignatureScheme_name_8[_SignatureScheme_index_8[i]:_SignatureScheme_index_8[i+1]] + default: + return "SignatureScheme(" + strconv.FormatInt(int64(i), 10) + ")" + } +} +func _() { + // An "invalid array index" compiler error signifies that the constant values have changed. + // Re-run the stringer command to generate them again. + var x [1]struct{} + _ = x[CurveP256-23] + _ = x[CurveP384-24] + _ = x[CurveP521-25] + _ = x[X25519-29] +} + +const ( + _CurveID_name_0 = "CurveP256CurveP384CurveP521" + _CurveID_name_1 = "X25519" +) + +var ( + _CurveID_index_0 = [...]uint8{0, 9, 18, 27} +) + +func (i CurveID) String() string { + switch { + case 23 <= i && i <= 25: + i -= 23 + return _CurveID_name_0[_CurveID_index_0[i]:_CurveID_index_0[i+1]] + case i == 29: + return _CurveID_name_1 + default: + return "CurveID(" + strconv.FormatInt(int64(i), 10) + ")" + } +} +func _() { + // An "invalid array index" compiler error signifies that the constant values have changed. + // Re-run the stringer command to generate them again. + var x [1]struct{} + _ = x[NoClientCert-0] + _ = x[RequestClientCert-1] + _ = x[RequireAnyClientCert-2] + _ = x[VerifyClientCertIfGiven-3] + _ = x[RequireAndVerifyClientCert-4] +} + +const _ClientAuthType_name = "NoClientCertRequestClientCertRequireAnyClientCertVerifyClientCertIfGivenRequireAndVerifyClientCert" + +var _ClientAuthType_index = [...]uint8{0, 12, 29, 49, 72, 98} + +func (i ClientAuthType) String() string { + if i < 0 || i >= ClientAuthType(len(_ClientAuthType_index)-1) { + return "ClientAuthType(" + strconv.FormatInt(int64(i), 10) + ")" + } + return _ClientAuthType_name[_ClientAuthType_index[i]:_ClientAuthType_index[i+1]] +} diff --git a/pkg/tls/conn.go b/pkg/tls/conn.go new file mode 100644 index 000000000..2272725a6 --- /dev/null +++ b/pkg/tls/conn.go @@ -0,0 +1,1769 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// TLS low level connection and record layer + +package tls + +import ( + "bytes" + "context" + "crypto/cipher" + "crypto/subtle" + "crypto/x509" + "errors" + "fmt" + "hash" + "io" + "net" + "sync" + "sync/atomic" + "syscall" + "time" +) + +var ErrNotEnough = errors.New("data not enough") + +// A Conn represents a secured connection. +// It implements the net.Conn interface. +type Conn struct { + // constant + conn net.Conn + isClient bool + handshakeFn func(context.Context) error // (*Conn).clientHandshake or serverHandshake + quic *quicState // nil for non-QUIC connections + + // isHandshakeComplete is true if the connection is currently transferring + // application data (i.e. is not currently processing a handshake). + // isHandshakeComplete is true implies handshakeErr == nil. + isHandshakeComplete atomic.Bool + isWaitClientFinished atomic.Bool + readClientFinished func() error + // constant after handshake; protected by handshakeMutex + handshakeMutex sync.Mutex + handshakeErr error // error resulting from handshake + vers uint16 // TLS version + haveVers bool // version has been negotiated + config *Config // configuration passed to constructor + // handshakes counts the number of handshakes performed on the + // connection so far. If renegotiation is disabled then this is either + // zero or one. + handshakes int + extMasterSecret bool + didResume bool // whether this connection was a session resumption + cipherSuite uint16 + ocspResponse []byte // stapled OCSP response + scts [][]byte // signed certificate timestamps from server + peerCertificates []*x509.Certificate + // activeCertHandles contains the cache handles to certificates in + // peerCertificates that are used to track active references. + activeCertHandles []*activeCert + // verifiedChains contains the certificate chains that we built, as + // opposed to the ones presented by the server. + verifiedChains [][]*x509.Certificate + // serverName contains the server name indicated by the client, if any. + serverName string + // secureRenegotiation is true if the server echoed the secure + // renegotiation extension. (This is meaningless as a server because + // renegotiation is not supported in that case.) + secureRenegotiation bool + // ekm is a closure for exporting keying material. + ekm func(label string, context []byte, length int) ([]byte, error) + // resumptionSecret is the resumption_master_secret for handling + // or sending NewSessionTicket messages. + resumptionSecret []byte + + // ticketKeys is the set of active session ticket keys for this + // connection. The first one is used to encrypt new tickets and + // all are tried to decrypt tickets. + ticketKeys []ticketKey + + // clientFinishedIsFirst is true if the client sent the first Finished + // message during the most recent handshake. This is recorded because + // the first transmitted Finished message is the tls-unique + // channel-binding value. + clientFinishedIsFirst bool + + // closeNotifyErr is any error from sending the alertCloseNotify record. + closeNotifyErr error + // closeNotifySent is true if the Conn attempted to send an + // alertCloseNotify record. + closeNotifySent bool + + // clientFinished and serverFinished contain the Finished message sent + // by the client or server in the most recent handshake. This is + // retained to support the renegotiation extension and tls-unique + // channel-binding. + clientFinished [12]byte + serverFinished [12]byte + + // clientProtocol is the negotiated ALPN protocol. + clientProtocol string + + // input/output + in, out halfConn + rawInput bytes.Buffer // raw input, starting with a record header + input bytes.Reader // application data waiting to be read, from rawInput.Next + hand bytes.Buffer // handshake data waiting to be read + buffering bool // whether records are buffered in sendBuf + sendBuf []byte // a buffer of records waiting to be sent + + // bytesSent counts the bytes of application data sent. + // packetsSent counts packets. + bytesSent int64 + packetsSent int64 + + // retryCount counts the number of consecutive non-advancing records + // received by Conn.readRecord. That is, records that neither advance the + // handshake, nor deliver application data. Protected by in.Mutex. + retryCount int + + // activeCall indicates whether Close has been call in the low bit. + // the rest of the bits are the number of goroutines in Conn.Write. + activeCall atomic.Int32 + + tmp [16]byte +} + +func (c *Conn) SyscallConn() (syscall.RawConn, error) { + return c.conn.(*net.TCPConn).SyscallConn() +} + +func (c *Conn) SetReadBuffer(bytes int) error { + return c.conn.(*net.TCPConn).SetReadBuffer(bytes) +} + +func (c *Conn) SetWriteBuffer(bytes int) error { + return c.conn.(*net.TCPConn).SetWriteBuffer(bytes) +} + +func (c *Conn) SetLinger(sec int) error { + return c.conn.(*net.TCPConn).SetLinger(sec) +} + +func (c *Conn) SetKeepAlivePeriod(d time.Duration) error { + return c.conn.(*net.TCPConn).SetKeepAlivePeriod(d) +} + +func (c *Conn) SetKeepAlive(keepalive bool) error { + return c.conn.(*net.TCPConn).SetKeepAlive(keepalive) +} + +func (c *Conn) SetNoDelay(noDelay bool) error { + return c.conn.(*net.TCPConn).SetNoDelay(noDelay) +} + +// Access to net.Conn methods. +// Cannot just embed net.Conn because that would +// export the struct field too. + +// LocalAddr returns the local network address. +func (c *Conn) LocalAddr() net.Addr { + return c.conn.LocalAddr() +} + +// RemoteAddr returns the remote network address. +func (c *Conn) RemoteAddr() net.Addr { + return c.conn.RemoteAddr() +} + +// SetDeadline sets the read and write deadlines associated with the connection. +// A zero value for t means [Conn.Read] and [Conn.Write] will not time out. +// After a Write has timed out, the TLS state is corrupt and all future writes will return the same error. +func (c *Conn) SetDeadline(t time.Time) error { + return c.conn.SetDeadline(t) +} + +// SetReadDeadline sets the read deadline on the underlying connection. +// A zero value for t means [Conn.Read] will not time out. +func (c *Conn) SetReadDeadline(t time.Time) error { + return c.conn.SetReadDeadline(t) +} + +// SetWriteDeadline sets the write deadline on the underlying connection. +// A zero value for t means [Conn.Write] will not time out. +// After a [Conn.Write] has timed out, the TLS state is corrupt and all future writes will return the same error. +func (c *Conn) SetWriteDeadline(t time.Time) error { + return c.conn.SetWriteDeadline(t) +} + +// NetConn returns the underlying connection that is wrapped by c. +// Note that writing to or reading from this connection directly will corrupt the +// TLS session. +func (c *Conn) NetConn() net.Conn { + return c.conn +} + +// A halfConn represents one direction of the record layer +// connection, either sending or receiving. +type halfConn struct { + sync.Mutex + + err error // first permanent error + version uint16 // protocol version + cipher any // cipher algorithm + mac hash.Hash + seq [8]byte // 64-bit sequence number + + scratchBuf [13]byte // to avoid allocs; interface method args escape + + nextCipher any // next encryption state + nextMac hash.Hash // next MAC algorithm + + level QUICEncryptionLevel // current QUIC encryption level + trafficSecret []byte // current TLS 1.3 traffic secret +} + +type permanentError struct { + err net.Error +} + +func (e *permanentError) Error() string { return e.err.Error() } +func (e *permanentError) Unwrap() error { return e.err } +func (e *permanentError) Timeout() bool { return e.err.Timeout() } +func (e *permanentError) Temporary() bool { return false } + +func (hc *halfConn) setErrorLocked(err error) error { + if e, ok := err.(net.Error); ok { + hc.err = &permanentError{err: e} + } else { + hc.err = err + } + return hc.err +} + +// prepareCipherSpec sets the encryption and MAC states +// that a subsequent changeCipherSpec will use. +func (hc *halfConn) prepareCipherSpec(version uint16, cipher any, mac hash.Hash) { + hc.version = version + hc.nextCipher = cipher + hc.nextMac = mac +} + +// changeCipherSpec changes the encryption and MAC states +// to the ones previously passed to prepareCipherSpec. +func (hc *halfConn) changeCipherSpec() error { + if hc.nextCipher == nil || hc.version == VersionTLS13 { + return alertInternalError + } + hc.cipher = hc.nextCipher + hc.mac = hc.nextMac + hc.nextCipher = nil + hc.nextMac = nil + for i := range hc.seq { + hc.seq[i] = 0 + } + return nil +} + +func (hc *halfConn) setTrafficSecret(suite *cipherSuiteTLS13, level QUICEncryptionLevel, secret []byte) { + hc.trafficSecret = secret + hc.level = level + key, iv := suite.trafficKey(secret) + hc.cipher = suite.aead(key, iv) + for i := range hc.seq { + hc.seq[i] = 0 + } +} + +// incSeq increments the sequence number. +func (hc *halfConn) incSeq() { + for i := 7; i >= 0; i-- { + hc.seq[i]++ + if hc.seq[i] != 0 { + return + } + } + + // Not allowed to let sequence number wrap. + // Instead, must renegotiate before it does. + // Not likely enough to bother. + panic("TLS: sequence number wraparound") +} + +// explicitNonceLen returns the number of bytes of explicit nonce or IV included +// in each record. Explicit nonces are present only in CBC modes after TLS 1.0 +// and in certain AEAD modes in TLS 1.2. +func (hc *halfConn) explicitNonceLen() int { + if hc.cipher == nil { + return 0 + } + + switch c := hc.cipher.(type) { + case cipher.Stream: + return 0 + case aead: + return c.explicitNonceLen() + case cbcMode: + // TLS 1.1 introduced a per-record explicit IV to fix the BEAST attack. + if hc.version >= VersionTLS11 { + return c.BlockSize() + } + return 0 + default: + panic("unknown cipher type") + } +} + +// extractPadding returns, in constant time, the length of the padding to remove +// from the end of payload. It also returns a byte which is equal to 255 if the +// padding was valid and 0 otherwise. See RFC 2246, Section 6.2.3.2. +func extractPadding(payload []byte) (toRemove int, good byte) { + if len(payload) < 1 { + return 0, 0 + } + + paddingLen := payload[len(payload)-1] + t := uint(len(payload)-1) - uint(paddingLen) + // if len(payload) >= (paddingLen - 1) then the MSB of t is zero + good = byte(int32(^t) >> 31) + + // The maximum possible padding length plus the actual length field + toCheck := 256 + // The length of the padded data is public, so we can use an if here + if toCheck > len(payload) { + toCheck = len(payload) + } + + for i := 0; i < toCheck; i++ { + t := uint(paddingLen) - uint(i) + // if i <= paddingLen then the MSB of t is zero + mask := byte(int32(^t) >> 31) + b := payload[len(payload)-1-i] + good &^= mask&paddingLen ^ mask&b + } + + // We AND together the bits of good and replicate the result across + // all the bits. + good &= good << 4 + good &= good << 2 + good &= good << 1 + good = uint8(int8(good) >> 7) + + // Zero the padding length on error. This ensures any unchecked bytes + // are included in the MAC. Otherwise, an attacker that could + // distinguish MAC failures from padding failures could mount an attack + // similar to POODLE in SSL 3.0: given a good ciphertext that uses a + // full block's worth of padding, replace the final block with another + // block. If the MAC check passed but the padding check failed, the + // last byte of that block decrypted to the block size. + // + // See also macAndPaddingGood logic below. + paddingLen &= good + + toRemove = int(paddingLen) + 1 + return +} + +func roundUp(a, b int) int { + return a + (b-a%b)%b +} + +// cbcMode is an interface for block ciphers using cipher block chaining. +type cbcMode interface { + cipher.BlockMode + SetIV([]byte) +} + +// decrypt authenticates and decrypts the record if protection is active at +// this stage. The returned plaintext might overlap with the input. +func (hc *halfConn) decrypt(record []byte) ([]byte, recordType, error) { + var plaintext []byte + typ := recordType(record[0]) + payload := record[recordHeaderLen:] + + // In TLS 1.3, change_cipher_spec messages are to be ignored without being + // decrypted. See RFC 8446, Appendix D.4. + if hc.version == VersionTLS13 && typ == recordTypeChangeCipherSpec { + return payload, typ, nil + } + + paddingGood := byte(255) + paddingLen := 0 + + explicitNonceLen := hc.explicitNonceLen() + + if hc.cipher != nil { + switch c := hc.cipher.(type) { + case cipher.Stream: + c.XORKeyStream(payload, payload) + case aead: + if len(payload) < explicitNonceLen { + return nil, 0, alertBadRecordMAC + } + nonce := payload[:explicitNonceLen] + if len(nonce) == 0 { + nonce = hc.seq[:] + } + payload = payload[explicitNonceLen:] + + var additionalData []byte + if hc.version == VersionTLS13 { + additionalData = record[:recordHeaderLen] + } else { + additionalData = append(hc.scratchBuf[:0], hc.seq[:]...) + additionalData = append(additionalData, record[:3]...) + n := len(payload) - c.Overhead() + additionalData = append(additionalData, byte(n>>8), byte(n)) + } + + var err error + plaintext, err = c.Open(payload[:0], nonce, payload, additionalData) + if err != nil { + return nil, 0, alertBadRecordMAC + } + case cbcMode: + blockSize := c.BlockSize() + minPayload := explicitNonceLen + roundUp(hc.mac.Size()+1, blockSize) + if len(payload)%blockSize != 0 || len(payload) < minPayload { + return nil, 0, alertBadRecordMAC + } + + if explicitNonceLen > 0 { + c.SetIV(payload[:explicitNonceLen]) + payload = payload[explicitNonceLen:] + } + c.CryptBlocks(payload, payload) + + // In a limited attempt to protect against CBC padding oracles like + // Lucky13, the data past paddingLen (which is secret) is passed to + // the MAC function as extra data, to be fed into the HMAC after + // computing the digest. This makes the MAC roughly constant time as + // long as the digest computation is constant time and does not + // affect the subsequent write, modulo cache effects. + paddingLen, paddingGood = extractPadding(payload) + default: + panic("unknown cipher type") + } + + if hc.version == VersionTLS13 { + if typ != recordTypeApplicationData { + return nil, 0, alertUnexpectedMessage + } + if len(plaintext) > maxPlaintext+1 { + return nil, 0, alertRecordOverflow + } + // Remove padding and find the ContentType scanning from the end. + for i := len(plaintext) - 1; i >= 0; i-- { + if plaintext[i] != 0 { + typ = recordType(plaintext[i]) + plaintext = plaintext[:i] + break + } + if i == 0 { + return nil, 0, alertUnexpectedMessage + } + } + } + } else { + plaintext = payload + } + + if hc.mac != nil { + macSize := hc.mac.Size() + if len(payload) < macSize { + return nil, 0, alertBadRecordMAC + } + + n := len(payload) - macSize - paddingLen + n = subtle.ConstantTimeSelect(int(uint32(n)>>31), 0, n) // if n < 0 { n = 0 } + record[3] = byte(n >> 8) + record[4] = byte(n) + remoteMAC := payload[n : n+macSize] + localMAC := tls10MAC(hc.mac, hc.scratchBuf[:0], hc.seq[:], record[:recordHeaderLen], payload[:n], payload[n+macSize:]) + + // This is equivalent to checking the MACs and paddingGood + // separately, but in constant-time to prevent distinguishing + // padding failures from MAC failures. Depending on what value + // of paddingLen was returned on bad padding, distinguishing + // bad MAC from bad padding can lead to an attack. + // + // See also the logic at the end of extractPadding. + macAndPaddingGood := subtle.ConstantTimeCompare(localMAC, remoteMAC) & int(paddingGood) + if macAndPaddingGood != 1 { + return nil, 0, alertBadRecordMAC + } + + plaintext = payload[:n] + } + + hc.incSeq() + return plaintext, typ, nil +} + +// sliceForAppend extends the input slice by n bytes. head is the full extended +// slice, while tail is the appended part. If the original slice has sufficient +// capacity no allocation is performed. +func sliceForAppend(in []byte, n int) (head, tail []byte) { + if total := len(in) + n; cap(in) >= total { + head = in[:total] + } else { + head = make([]byte, total) + copy(head, in) + } + tail = head[len(in):] + return +} + +// encrypt encrypts payload, adding the appropriate nonce and/or MAC, and +// appends it to record, which must already contain the record header. +func (hc *halfConn) encrypt(record, payload []byte, rand io.Reader) ([]byte, error) { + if hc.cipher == nil { + return append(record, payload...), nil + } + + var explicitNonce []byte + if explicitNonceLen := hc.explicitNonceLen(); explicitNonceLen > 0 { + record, explicitNonce = sliceForAppend(record, explicitNonceLen) + if _, isCBC := hc.cipher.(cbcMode); !isCBC && explicitNonceLen < 16 { + // The AES-GCM construction in TLS has an explicit nonce so that the + // nonce can be random. However, the nonce is only 8 bytes which is + // too small for a secure, random nonce. Therefore we use the + // sequence number as the nonce. The 3DES-CBC construction also has + // an 8 bytes nonce but its nonces must be unpredictable (see RFC + // 5246, Appendix F.3), forcing us to use randomness. That's not + // 3DES' biggest problem anyway because the birthday bound on block + // collision is reached first due to its similarly small block size + // (see the Sweet32 attack). + copy(explicitNonce, hc.seq[:]) + } else { + if _, err := io.ReadFull(rand, explicitNonce); err != nil { + return nil, err + } + } + } + + var dst []byte + switch c := hc.cipher.(type) { + case cipher.Stream: + mac := tls10MAC(hc.mac, hc.scratchBuf[:0], hc.seq[:], record[:recordHeaderLen], payload, nil) + record, dst = sliceForAppend(record, len(payload)+len(mac)) + c.XORKeyStream(dst[:len(payload)], payload) + c.XORKeyStream(dst[len(payload):], mac) + case aead: + nonce := explicitNonce + if len(nonce) == 0 { + nonce = hc.seq[:] + } + + if hc.version == VersionTLS13 { + record = append(record, payload...) + + // Encrypt the actual ContentType and replace the plaintext one. + record = append(record, record[0]) + record[0] = byte(recordTypeApplicationData) + + n := len(payload) + 1 + c.Overhead() + record[3] = byte(n >> 8) + record[4] = byte(n) + + record = c.Seal(record[:recordHeaderLen], + nonce, record[recordHeaderLen:], record[:recordHeaderLen]) + } else { + additionalData := append(hc.scratchBuf[:0], hc.seq[:]...) + additionalData = append(additionalData, record[:recordHeaderLen]...) + record = c.Seal(record, nonce, payload, additionalData) + } + case cbcMode: + mac := tls10MAC(hc.mac, hc.scratchBuf[:0], hc.seq[:], record[:recordHeaderLen], payload, nil) + blockSize := c.BlockSize() + plaintextLen := len(payload) + len(mac) + paddingLen := blockSize - plaintextLen%blockSize + record, dst = sliceForAppend(record, plaintextLen+paddingLen) + copy(dst, payload) + copy(dst[len(payload):], mac) + for i := plaintextLen; i < len(dst); i++ { + dst[i] = byte(paddingLen - 1) + } + if len(explicitNonce) > 0 { + c.SetIV(explicitNonce) + } + c.CryptBlocks(dst, dst) + default: + panic("unknown cipher type") + } + + // Update length to include nonce, MAC and any block padding needed. + n := len(record) - recordHeaderLen + record[3] = byte(n >> 8) + record[4] = byte(n) + hc.incSeq() + + return record, nil +} + +// RecordHeaderError is returned when a TLS record header is invalid. +type RecordHeaderError struct { + // Msg contains a human readable string that describes the error. + Msg string + // RecordHeader contains the five bytes of TLS record header that + // triggered the error. + RecordHeader [5]byte + // Conn provides the underlying net.Conn in the case that a client + // sent an initial handshake that didn't look like TLS. + // It is nil if there's already been a handshake or a TLS alert has + // been written to the connection. + Conn net.Conn +} + +func (e RecordHeaderError) Error() string { return "tls: " + e.Msg } + +func (c *Conn) newRecordHeaderError(conn net.Conn, msg string) (err RecordHeaderError) { + err.Msg = msg + err.Conn = conn + copy(err.RecordHeader[:], c.rawInput.Bytes()) + return err +} + +func (c *Conn) readRecord() error { + return c.readRecordOrCCS(false) +} + +func (c *Conn) readChangeCipherSpec() error { + return c.readRecordOrCCS(true) +} + +// readRecordOrCCS reads one or more TLS records from the connection and +// updates the record layer state. Some invariants: +// - c.in must be locked +// - c.input must be empty +// +// During the handshake one and only one of the following will happen: +// - c.hand grows +// - c.in.changeCipherSpec is called +// - an error is returned +// +// After the handshake one and only one of the following will happen: +// - c.hand grows +// - c.input is set +// - an error is returned +func (c *Conn) readRecordOrCCS(expectChangeCipherSpec bool) error { + if c.in.err != nil { + return c.in.err + } + + if err := c.CanRead(); err != nil { + return err + } + + handshakeComplete := c.isHandshakeComplete.Load() + + // This function modifies c.rawInput, which owns the c.input memory. + if c.input.Len() != 0 { + return c.in.setErrorLocked(errors.New("tls: internal error: attempted to read record with pending application data")) + } + c.input.Reset(nil) + + if c.quic != nil { + return c.in.setErrorLocked(errors.New("tls: internal error: attempted to read record with QUIC transport")) + } + + // Read header, payload. + if err := c.readFromUntil(c.conn, recordHeaderLen); err != nil { + // RFC 8446, Section 6.1 suggests that EOF without an alertCloseNotify + // is an error, but popular web sites seem to do this, so we accept it + // if and only if at the record boundary. + if err == io.ErrUnexpectedEOF && c.rawInput.Len() == 0 { + err = io.EOF + } + if e, ok := err.(net.Error); !ok || !e.Temporary() { + if !errors.Is(err, ErrNotEnough) { + c.in.setErrorLocked(err) + } + } + return err + } + hdr := c.rawInput.Bytes()[:recordHeaderLen] + typ := recordType(hdr[0]) + + // No valid TLS record has a type of 0x80, however SSLv2 handshakes + // start with a uint16 length where the MSB is set and the first record + // is always < 256 bytes long. Therefore typ == 0x80 strongly suggests + // an SSLv2 client. + if !handshakeComplete && typ == 0x80 { + c.sendAlert(alertProtocolVersion) + return c.in.setErrorLocked(c.newRecordHeaderError(nil, "unsupported SSLv2 handshake received")) + } + + vers := uint16(hdr[1])<<8 | uint16(hdr[2]) + expectedVers := c.vers + if expectedVers == VersionTLS13 { + // All TLS 1.3 records are expected to have 0x0303 (1.2) after + // the initial hello (RFC 8446 Section 5.1). + expectedVers = VersionTLS12 + } + n := int(hdr[3])<<8 | int(hdr[4]) + if c.haveVers && vers != expectedVers { + c.sendAlert(alertProtocolVersion) + msg := fmt.Sprintf("received record with version %x when expecting version %x", vers, expectedVers) + return c.in.setErrorLocked(c.newRecordHeaderError(nil, msg)) + } + if !c.haveVers { + // First message, be extra suspicious: this might not be a TLS + // client. Bail out before reading a full 'body', if possible. + // The current max version is 3.3 so if the version is >= 16.0, + // it's probably not real. + if (typ != recordTypeAlert && typ != recordTypeHandshake) || vers >= 0x1000 { + return c.in.setErrorLocked(c.newRecordHeaderError(c.conn, "first record does not look like a TLS handshake")) + } + } + if c.vers == VersionTLS13 && n > maxCiphertextTLS13 || n > maxCiphertext { + c.sendAlert(alertRecordOverflow) + msg := fmt.Sprintf("oversized record received with length %d", n) + return c.in.setErrorLocked(c.newRecordHeaderError(nil, msg)) + } + if err := c.readFromUntil(c.conn, n); err != nil { + if e, ok := err.(net.Error); !ok || !e.Temporary() { + if !errors.Is(err, ErrNotEnough) { + c.in.setErrorLocked(err) + } + } + return err + } + + // Process message. + record := c.rawInput.Next(recordHeaderLen + n) + data, typ, err := c.in.decrypt(record) + if err != nil { + return c.in.setErrorLocked(c.sendAlert(err.(alert))) + } + if len(data) > maxPlaintext { + return c.in.setErrorLocked(c.sendAlert(alertRecordOverflow)) + } + + // Application Data messages are always protected. + if c.in.cipher == nil && typ == recordTypeApplicationData { + return c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) + } + + if typ != recordTypeAlert && typ != recordTypeChangeCipherSpec && len(data) > 0 { + // This is a state-advancing message: reset the retry count. + c.retryCount = 0 + } + + // Handshake messages MUST NOT be interleaved with other record types in TLS 1.3. + if c.vers == VersionTLS13 && typ != recordTypeHandshake && c.hand.Len() > 0 { + return c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) + } + + switch typ { + default: + return c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) + + case recordTypeAlert: + if c.quic != nil { + return c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) + } + if len(data) != 2 { + return c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) + } + if alert(data[1]) == alertCloseNotify { + return c.in.setErrorLocked(io.EOF) + } + if c.vers == VersionTLS13 { + return c.in.setErrorLocked(&net.OpError{Op: "remote error", Err: alert(data[1])}) + } + switch data[0] { + case alertLevelWarning: + // Drop the record on the floor and retry. + return c.retryReadRecord(expectChangeCipherSpec) + case alertLevelError: + return c.in.setErrorLocked(&net.OpError{Op: "remote error", Err: alert(data[1])}) + default: + return c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) + } + + case recordTypeChangeCipherSpec: + if len(data) != 1 || data[0] != 1 { + return c.in.setErrorLocked(c.sendAlert(alertDecodeError)) + } + // Handshake messages are not allowed to fragment across the CCS. + if c.hand.Len() > 0 { + return c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) + } + // In TLS 1.3, change_cipher_spec records are ignored until the + // Finished. See RFC 8446, Appendix D.4. Note that according to Section + // 5, a server can send a ChangeCipherSpec before its ServerHello, when + // c.vers is still unset. That's not useful though and suspicious if the + // server then selects a lower protocol version, so don't allow that. + if c.vers == VersionTLS13 { + return c.retryReadRecord(expectChangeCipherSpec) + } + if !expectChangeCipherSpec { + return c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) + } + if err := c.in.changeCipherSpec(); err != nil { + return c.in.setErrorLocked(c.sendAlert(err.(alert))) + } + + case recordTypeApplicationData: + if !handshakeComplete || expectChangeCipherSpec { + return c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) + } + // Some OpenSSL servers send empty records in order to randomize the + // CBC IV. Ignore a limited number of empty records. + if len(data) == 0 { + return c.retryReadRecord(expectChangeCipherSpec) + } + // Note that data is owned by c.rawInput, following the Next call above, + // to avoid copying the plaintext. This is safe because c.rawInput is + // not read from or written to until c.input is drained. + c.input.Reset(data) + + case recordTypeHandshake: + if len(data) == 0 || expectChangeCipherSpec { + return c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) + } + c.hand.Write(data) + } + + return nil +} + +// retryReadRecord recurs into readRecordOrCCS to drop a non-advancing record, like +// a warning alert, empty application_data, or a change_cipher_spec in TLS 1.3. +func (c *Conn) retryReadRecord(expectChangeCipherSpec bool) error { + c.retryCount++ + if c.retryCount > maxUselessRecords { + c.sendAlert(alertUnexpectedMessage) + return c.in.setErrorLocked(errors.New("tls: too many ignored records")) + } + return c.readRecordOrCCS(expectChangeCipherSpec) +} + +// atLeastReader reads from R, stopping with EOF once at least N bytes have been +// read. It is different from an io.LimitedReader in that it doesn't cut short +// the last Read call, and in that it considers an early EOF an error. +type atLeastReader struct { + R io.Reader + N int64 +} + +func (r *atLeastReader) Read(p []byte) (int, error) { + if r.N <= 0 { + return 0, io.EOF + } + n, err := r.R.Read(p) + r.N -= int64(n) // won't underflow unless len(p) >= n > 9223372036854775809 + if r.N > 0 && err == io.EOF { + return n, ErrNotEnough + //return n, io.ErrUnexpectedEOF + } + if r.N <= 0 && err == nil { + return n, io.EOF + } + return n, err +} + +// readFromUntil reads from r into c.rawInput until c.rawInput contains +// at least n bytes or else returns an error. +func (c *Conn) readFromUntil(r io.Reader, n int) error { + /* if c.rawInput.Len() >= n { + return nil + }*/ + //needs := n - c.rawInput.Len() + // There might be extra input waiting on the wire. Make a best effort + // attempt to fetch it so that it can be used in (*Conn).Read to + // "predict" closeNotify alerts. + //c.rawInput.Grow(needs + bytes.MinRead) + data := make([]byte, n) + rn, err := r.Read(data) + if err != nil { + return err + } + if rn < n { + return io.ErrShortBuffer + } + _, err = c.rawInput.Write(data) + //_, err := c.rawInput.ReadFrom(&atLeastReader{r, int64(needs)}) + return err +} + +// sendAlertLocked sends a TLS alert message. +func (c *Conn) sendAlertLocked(err alert) error { + if c.quic != nil { + return c.out.setErrorLocked(&net.OpError{Op: "local error", Err: err}) + } + + switch err { + case alertNoRenegotiation, alertCloseNotify: + c.tmp[0] = alertLevelWarning + default: + c.tmp[0] = alertLevelError + } + c.tmp[1] = byte(err) + + _, writeErr := c.writeRecordLocked(recordTypeAlert, c.tmp[0:2]) + if err == alertCloseNotify { + // closeNotify is a special case in that it isn't an error. + return writeErr + } + + return c.out.setErrorLocked(&net.OpError{Op: "local error", Err: err}) +} + +// sendAlert sends a TLS alert message. +func (c *Conn) sendAlert(err alert) error { + c.out.Lock() + defer c.out.Unlock() + return c.sendAlertLocked(err) +} + +const ( + // tcpMSSEstimate is a conservative estimate of the TCP maximum segment + // size (MSS). A constant is used, rather than querying the kernel for + // the actual MSS, to avoid complexity. The value here is the IPv6 + // minimum MTU (1280 bytes) minus the overhead of an IPv6 header (40 + // bytes) and a TCP header with timestamps (32 bytes). + tcpMSSEstimate = 1208 + + // recordSizeBoostThreshold is the number of bytes of application data + // sent after which the TLS record size will be increased to the + // maximum. + recordSizeBoostThreshold = 128 * 1024 +) + +// maxPayloadSizeForWrite returns the maximum TLS payload size to use for the +// next application data record. There is the following trade-off: +// +// - For latency-sensitive applications, such as web browsing, each TLS +// record should fit in one TCP segment. +// - For throughput-sensitive applications, such as large file transfers, +// larger TLS records better amortize framing and encryption overheads. +// +// A simple heuristic that works well in practice is to use small records for +// the first 1MB of data, then use larger records for subsequent data, and +// reset back to smaller records after the connection becomes idle. See "High +// Performance Web Networking", Chapter 4, or: +// https://www.igvita.com/2013/10/24/optimizing-tls-record-size-and-buffering-latency/ +// +// In the interests of simplicity and determinism, this code does not attempt +// to reset the record size once the connection is idle, however. +func (c *Conn) maxPayloadSizeForWrite(typ recordType) int { + if c.config.DynamicRecordSizingDisabled || typ != recordTypeApplicationData { + return maxPlaintext + } + + if c.bytesSent >= recordSizeBoostThreshold { + return maxPlaintext + } + + // Subtract TLS overheads to get the maximum payload size. + payloadBytes := tcpMSSEstimate - recordHeaderLen - c.out.explicitNonceLen() + if c.out.cipher != nil { + switch ciph := c.out.cipher.(type) { + case cipher.Stream: + payloadBytes -= c.out.mac.Size() + case cipher.AEAD: + payloadBytes -= ciph.Overhead() + case cbcMode: + blockSize := ciph.BlockSize() + // The payload must fit in a multiple of blockSize, with + // room for at least one padding byte. + payloadBytes = (payloadBytes & ^(blockSize - 1)) - 1 + // The MAC is appended before padding so affects the + // payload size directly. + payloadBytes -= c.out.mac.Size() + default: + panic("unknown cipher type") + } + } + if c.vers == VersionTLS13 { + payloadBytes-- // encrypted ContentType + } + + // Allow packet growth in arithmetic progression up to max. + pkt := c.packetsSent + c.packetsSent++ + if pkt > 1000 { + return maxPlaintext // avoid overflow in multiply below + } + + n := payloadBytes * int(pkt+1) + if n > maxPlaintext { + n = maxPlaintext + } + return n +} + +func (c *Conn) write(data []byte) (int, error) { + if c.buffering { + c.sendBuf = append(c.sendBuf, data...) + return len(data), nil + } + + n, err := c.conn.Write(data) + c.bytesSent += int64(n) + return n, err +} + +func (c *Conn) flush() (int, error) { + if len(c.sendBuf) == 0 { + return 0, nil + } + + n, err := c.conn.Write(c.sendBuf) + c.bytesSent += int64(n) + c.sendBuf = nil + c.buffering = false + return n, err +} + +// outBufPool pools the record-sized scratch buffers used by writeRecordLocked. +var outBufPool = sync.Pool{ + New: func() any { + return new([]byte) + }, +} + +// writeRecordLocked writes a TLS record with the given type and payload to the +// connection and updates the record layer state. +func (c *Conn) writeRecordLocked(typ recordType, data []byte) (int, error) { + if c.quic != nil { + if typ != recordTypeHandshake { + return 0, errors.New("tls: internal error: sending non-handshake message to QUIC transport") + } + c.quicWriteCryptoData(c.out.level, data) + if !c.buffering { + if _, err := c.flush(); err != nil { + return 0, err + } + } + return len(data), nil + } + + outBufPtr := outBufPool.Get().(*[]byte) + outBuf := *outBufPtr + defer func() { + // You might be tempted to simplify this by just passing &outBuf to Put, + // but that would make the local copy of the outBuf slice header escape + // to the heap, causing an allocation. Instead, we keep around the + // pointer to the slice header returned by Get, which is already on the + // heap, and overwrite and return that. + *outBufPtr = outBuf + outBufPool.Put(outBufPtr) + }() + + var n int + for len(data) > 0 { + m := len(data) + if maxPayload := c.maxPayloadSizeForWrite(typ); m > maxPayload { + m = maxPayload + } + + _, outBuf = sliceForAppend(outBuf[:0], recordHeaderLen) + outBuf[0] = byte(typ) + vers := c.vers + if vers == 0 { + // Some TLS servers fail if the record version is + // greater than TLS 1.0 for the initial ClientHello. + vers = VersionTLS10 + } else if vers == VersionTLS13 { + // TLS 1.3 froze the record layer version to 1.2. + // See RFC 8446, Section 5.1. + vers = VersionTLS12 + } + outBuf[1] = byte(vers >> 8) + outBuf[2] = byte(vers) + outBuf[3] = byte(m >> 8) + outBuf[4] = byte(m) + + var err error + outBuf, err = c.out.encrypt(outBuf, data[:m], c.config.rand()) + if err != nil { + return n, err + } + if _, err := c.write(outBuf); err != nil { + return n, err + } + n += m + data = data[m:] + } + + if typ == recordTypeChangeCipherSpec && c.vers != VersionTLS13 { + if err := c.out.changeCipherSpec(); err != nil { + return n, c.sendAlertLocked(err.(alert)) + } + } + + return n, nil +} + +// writeHandshakeRecord writes a handshake message to the connection and updates +// the record layer state. If transcript is non-nil the marshalled message is +// written to it. +func (c *Conn) writeHandshakeRecord(msg handshakeMessage, transcript transcriptHash) (int, error) { + c.out.Lock() + defer c.out.Unlock() + + data, err := msg.marshal() + if err != nil { + return 0, err + } + if transcript != nil { + transcript.Write(data) + } + + return c.writeRecordLocked(recordTypeHandshake, data) +} + +// writeChangeCipherRecord writes a ChangeCipherSpec message to the connection and +// updates the record layer state. +func (c *Conn) writeChangeCipherRecord() error { + c.out.Lock() + defer c.out.Unlock() + _, err := c.writeRecordLocked(recordTypeChangeCipherSpec, []byte{1}) + return err +} + +// readHandshakeBytes reads handshake data until c.hand contains at least n bytes. +func (c *Conn) readHandshakeBytes(n int) error { + if c.quic != nil { + return c.quicReadHandshakeBytes(n) + } + for c.hand.Len() < n { + if err := c.readRecord(); err != nil { + return err + } + } + return nil +} + +// readHandshake reads the next handshake message from +// the record layer. If transcript is non-nil, the message +// is written to the passed transcriptHash. +func (c *Conn) readHandshake(transcript transcriptHash) (any, error) { + if err := c.readHandshakeBytes(4); err != nil { + return nil, err + } + data := c.hand.Bytes() + n := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) + if n > maxHandshake { + c.sendAlertLocked(alertInternalError) + return nil, c.in.setErrorLocked(fmt.Errorf("tls: handshake message of length %d bytes exceeds maximum of %d bytes", n, maxHandshake)) + } + if err := c.readHandshakeBytes(4 + n); err != nil { + return nil, err + } + data = c.hand.Next(4 + n) + return c.unmarshalHandshakeMessage(data, transcript) +} + +func (c *Conn) unmarshalHandshakeMessage(data []byte, transcript transcriptHash) (handshakeMessage, error) { + var m handshakeMessage + switch data[0] { + case typeHelloRequest: + m = new(helloRequestMsg) + case typeClientHello: + m = new(clientHelloMsg) + case typeServerHello: + m = new(serverHelloMsg) + case typeNewSessionTicket: + if c.vers == VersionTLS13 { + m = new(newSessionTicketMsgTLS13) + } else { + m = new(newSessionTicketMsg) + } + case typeCertificate: + if c.vers == VersionTLS13 { + m = new(certificateMsgTLS13) + } else { + m = new(certificateMsg) + } + case typeCertificateRequest: + if c.vers == VersionTLS13 { + m = new(certificateRequestMsgTLS13) + } else { + m = &certificateRequestMsg{ + hasSignatureAlgorithm: c.vers >= VersionTLS12, + } + } + case typeCertificateStatus: + m = new(certificateStatusMsg) + case typeServerKeyExchange: + m = new(serverKeyExchangeMsg) + case typeServerHelloDone: + m = new(serverHelloDoneMsg) + case typeClientKeyExchange: + m = new(clientKeyExchangeMsg) + case typeCertificateVerify: + m = &certificateVerifyMsg{ + hasSignatureAlgorithm: c.vers >= VersionTLS12, + } + case typeFinished: + m = new(finishedMsg) + case typeEncryptedExtensions: + m = new(encryptedExtensionsMsg) + case typeEndOfEarlyData: + m = new(endOfEarlyDataMsg) + case typeKeyUpdate: + m = new(keyUpdateMsg) + default: + return nil, c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) + } + + // The handshake message unmarshalers + // expect to be able to keep references to data, + // so pass in a fresh copy that won't be overwritten. + data = append([]byte(nil), data...) + + if !m.unmarshal(data) { + return nil, c.in.setErrorLocked(c.sendAlert(alertUnexpectedMessage)) + } + + if transcript != nil { + transcript.Write(data) + } + + return m, nil +} + +var ( + errShutdown = errors.New("tls: protocol is shutdown") +) + +// Write writes data to the connection. +// +// As Write calls [Conn.Handshake], in order to prevent indefinite blocking a deadline +// must be set for both [Conn.Read] and Write before Write is called when the handshake +// has not yet completed. See [Conn.SetDeadline], [Conn.SetReadDeadline], and +// [Conn.SetWriteDeadline]. +func (c *Conn) Write(b []byte) (int, error) { + // interlock with Close below + for { + x := c.activeCall.Load() + if x&1 != 0 { + return 0, net.ErrClosed + } + if c.activeCall.CompareAndSwap(x, x+2) { + break + } + } + defer c.activeCall.Add(-2) + + if err := c.Handshake(); err != nil { + return 0, err + } + + c.out.Lock() + defer c.out.Unlock() + + if err := c.out.err; err != nil { + return 0, err + } + + if !c.isHandshakeComplete.Load() { + return 0, alertInternalError + } + + if c.closeNotifySent { + return 0, errShutdown + } + + // TLS 1.0 is susceptible to a chosen-plaintext + // attack when using block mode ciphers due to predictable IVs. + // This can be prevented by splitting each Application Data + // record into two records, effectively randomizing the IV. + // + // https://www.openssl.org/~bodo/tls-cbc.txt + // https://bugzilla.mozilla.org/show_bug.cgi?id=665814 + // https://www.imperialviolet.org/2012/01/15/beastfollowup.html + + var m int + if len(b) > 1 && c.vers == VersionTLS10 { + if _, ok := c.out.cipher.(cipher.BlockMode); ok { + n, err := c.writeRecordLocked(recordTypeApplicationData, b[:1]) + if err != nil { + return n, c.out.setErrorLocked(err) + } + m, b = 1, b[1:] + } + } + + n, err := c.writeRecordLocked(recordTypeApplicationData, b) + return n + m, c.out.setErrorLocked(err) +} + +// handleRenegotiation processes a HelloRequest handshake message. +func (c *Conn) handleRenegotiation() error { + if c.vers == VersionTLS13 { + return errors.New("tls: internal error: unexpected renegotiation") + } + + msg, err := c.readHandshake(nil) + if err != nil { + return err + } + + helloReq, ok := msg.(*helloRequestMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(helloReq, msg) + } + + if !c.isClient { + return c.sendAlert(alertNoRenegotiation) + } + + switch c.config.Renegotiation { + case RenegotiateNever: + return c.sendAlert(alertNoRenegotiation) + case RenegotiateOnceAsClient: + if c.handshakes > 1 { + return c.sendAlert(alertNoRenegotiation) + } + case RenegotiateFreelyAsClient: + // Ok. + default: + c.sendAlert(alertInternalError) + return errors.New("tls: unknown Renegotiation value") + } + + c.handshakeMutex.Lock() + defer c.handshakeMutex.Unlock() + + c.isHandshakeComplete.Store(false) + if c.handshakeErr = c.clientHandshake(context.Background()); c.handshakeErr == nil { + c.handshakes++ + } + return c.handshakeErr +} + +// handlePostHandshakeMessage processes a handshake message arrived after the +// handshake is complete. Up to TLS 1.2, it indicates the start of a renegotiation. +func (c *Conn) handlePostHandshakeMessage() error { + if c.vers != VersionTLS13 { + return c.handleRenegotiation() + } + + msg, err := c.readHandshake(nil) + if err != nil { + return err + } + c.retryCount++ + if c.retryCount > maxUselessRecords { + c.sendAlert(alertUnexpectedMessage) + return c.in.setErrorLocked(errors.New("tls: too many non-advancing records")) + } + + switch msg := msg.(type) { + case *newSessionTicketMsgTLS13: + return c.handleNewSessionTicket(msg) + case *keyUpdateMsg: + return c.handleKeyUpdate(msg) + } + // The QUIC layer is supposed to treat an unexpected post-handshake CertificateRequest + // as a QUIC-level PROTOCOL_VIOLATION error (RFC 9001, Section 4.4). Returning an + // unexpected_message alert here doesn't provide it with enough information to distinguish + // this condition from other unexpected messages. This is probably fine. + c.sendAlert(alertUnexpectedMessage) + return fmt.Errorf("tls: received unexpected handshake message of type %T", msg) +} + +func (c *Conn) handleKeyUpdate(keyUpdate *keyUpdateMsg) error { + if c.quic != nil { + c.sendAlert(alertUnexpectedMessage) + return c.in.setErrorLocked(errors.New("tls: received unexpected key update message")) + } + + cipherSuite := cipherSuiteTLS13ByID(c.cipherSuite) + if cipherSuite == nil { + return c.in.setErrorLocked(c.sendAlert(alertInternalError)) + } + + newSecret := cipherSuite.nextTrafficSecret(c.in.trafficSecret) + c.in.setTrafficSecret(cipherSuite, QUICEncryptionLevelInitial, newSecret) + + if keyUpdate.updateRequested { + c.out.Lock() + defer c.out.Unlock() + + msg := &keyUpdateMsg{} + msgBytes, err := msg.marshal() + if err != nil { + return err + } + _, err = c.writeRecordLocked(recordTypeHandshake, msgBytes) + if err != nil { + // Surface the error at the next write. + c.out.setErrorLocked(err) + return nil + } + + newSecret := cipherSuite.nextTrafficSecret(c.out.trafficSecret) + c.out.setTrafficSecret(cipherSuite, QUICEncryptionLevelInitial, newSecret) + } + + return nil +} + +// Read reads data from the connection. +// +// As Read calls [Conn.Handshake], in order to prevent indefinite blocking a deadline +// must be set for both Read and [Conn.Write] before Read is called when the handshake +// has not yet completed. See [Conn.SetDeadline], [Conn.SetReadDeadline], and +// [Conn.SetWriteDeadline]. +func (c *Conn) Read(b []byte) (int, error) { + if err := c.Handshake(); err != nil { + return 0, err + } + if len(b) == 0 { + // Put this after Handshake, in case people were calling + // Read(nil) for the side effect of the Handshake. + return 0, nil + } + + c.in.Lock() + defer c.in.Unlock() + + for c.input.Len() == 0 { + if err := c.readRecord(); err != nil { + return 0, err + } + for c.hand.Len() > 0 { + if err := c.handlePostHandshakeMessage(); err != nil { + return 0, err + } + } + } + + n, _ := c.input.Read(b) + + // If a close-notify alert is waiting, read it so that we can return (n, + // EOF) instead of (n, nil), to signal to the HTTP response reading + // goroutine that the connection is now closed. This eliminates a race + // where the HTTP response reading goroutine would otherwise not observe + // the EOF until its next read, by which time a client goroutine might + // have already tried to reuse the HTTP connection for a new request. + // See https://golang.org/cl/76400046 and https://golang.org/issue/3514 + if n != 0 && c.input.Len() == 0 && c.rawInput.Len() > 0 && + recordType(c.rawInput.Bytes()[0]) == recordTypeAlert { + if err := c.readRecord(); err != nil { + return n, err // will be io.EOF on closeNotify + } + } + + return n, nil +} + +// Close closes the connection. +func (c *Conn) Close() error { + // Interlock with Conn.Write above. + var x int32 + for { + x = c.activeCall.Load() + if x&1 != 0 { + return net.ErrClosed + } + if c.activeCall.CompareAndSwap(x, x|1) { + break + } + } + if x != 0 { + // io.Writer and io.Closer should not be used concurrently. + // If Close is called while a Write is currently in-flight, + // interpret that as a sign that this Close is really just + // being used to break the Write and/or clean up resources and + // avoid sending the alertCloseNotify, which may block + // waiting on handshakeMutex or the c.out mutex. + return c.conn.Close() + } + + var alertErr error + if c.isHandshakeComplete.Load() { + if err := c.closeNotify(); err != nil { + alertErr = fmt.Errorf("tls: failed to send closeNotify alert (but connection was closed anyway): %w", err) + } + } + + if err := c.conn.Close(); err != nil { + return err + } + return alertErr +} + +var errEarlyCloseWrite = errors.New("tls: CloseWrite called before handshake complete") + +// CloseWrite shuts down the writing side of the connection. It should only be +// called once the handshake has completed and does not call CloseWrite on the +// underlying connection. Most callers should just use [Conn.Close]. +func (c *Conn) CloseWrite() error { + if !c.isHandshakeComplete.Load() { + return errEarlyCloseWrite + } + + return c.closeNotify() +} + +func (c *Conn) closeNotify() error { + c.out.Lock() + defer c.out.Unlock() + + if !c.closeNotifySent { + // Set a Write Deadline to prevent possibly blocking forever. + c.SetWriteDeadline(time.Now().Add(time.Second * 5)) + c.closeNotifyErr = c.sendAlertLocked(alertCloseNotify) + c.closeNotifySent = true + // Any subsequent writes will fail. + c.SetWriteDeadline(time.Now()) + } + return c.closeNotifyErr +} + +// Handshake runs the client or server handshake +// protocol if it has not yet been run. +// +// Most uses of this package need not call Handshake explicitly: the +// first [Conn.Read] or [Conn.Write] will call it automatically. +// +// For control over canceling or setting a timeout on a handshake, use +// [Conn.HandshakeContext] or the [Dialer]'s DialContext method instead. +// +// In order to avoid denial of service attacks, the maximum RSA key size allowed +// in certificates sent by either the TLS server or client is limited to 8192 +// bits. This limit can be overridden by setting tlsmaxrsasize in the GODEBUG +// environment variable (e.g. GODEBUG=tlsmaxrsasize=4096). +func (c *Conn) Handshake() error { + return c.HandshakeContext(context.Background()) +} + +func (c *Conn) HandshakeCompleted() bool { + return c.isHandshakeComplete.Load() +} + +func (c *Conn) CanRead() error { + r, ok := c.conn.(interface { + Peek(n int) (buf []byte, err error) + InboundBuffered() (n int) + }) + + if !ok { + return nil + } + + if r.InboundBuffered() < recordHeaderLen { + return ErrNotEnough + } + + hdr, err := r.Peek(recordHeaderLen) + if err != nil { + return err + } + + n := int(hdr[3])<<8 | int(hdr[4]) + total := n + recordHeaderLen + if r.InboundBuffered() < total { + return ErrNotEnough + } + return nil +} + +// HandshakeContext runs the client or server handshake +// protocol if it has not yet been run. +// +// The provided Context must be non-nil. If the context is canceled before +// the handshake is complete, the handshake is interrupted and an error is returned. +// Once the handshake has completed, cancellation of the context will not affect the +// connection. +// +// Most uses of this package need not call HandshakeContext explicitly: the +// first [Conn.Read] or [Conn.Write] will call it automatically. +func (c *Conn) HandshakeContext(ctx context.Context) error { + // Delegate to unexported method for named return + // without confusing documented signature. + return c.handshakeContext(ctx) +} + +func (c *Conn) handshakeContext(ctx context.Context) (ret error) { + // Fast sync/atomic-based exit if there is no handshake in flight and the + // last one succeeded without an error. Avoids the expensive context setup + // and mutex for most Read and Write calls. + if c.isHandshakeComplete.Load() { + return nil + } + + if c.isWaitClientFinished.Load() { + if err := c.readClientFinished(); err != nil { + return err + } + c.isHandshakeComplete.Store(true) + return nil + } + + /* if c.isHandshakeComplete.Load() { + return nil + }*/ + + handshakeCtx, cancel := context.WithCancel(ctx) + // Note: defer this before starting the "interrupter" goroutine + // so that we can tell the difference between the input being canceled and + // this cancellation. In the former case, we need to close the connection. + defer cancel() + + if c.quic != nil { + c.quic.cancelc = handshakeCtx.Done() + c.quic.cancel = cancel + } else if ctx.Done() != nil { + // Start the "interrupter" goroutine, if this context might be canceled. + // (The background context cannot). + // + // The interrupter goroutine waits for the input context to be done and + // closes the connection if this happens before the function returns. + done := make(chan struct{}) + interruptRes := make(chan error, 1) + defer func() { + close(done) + if ctxErr := <-interruptRes; ctxErr != nil { + // Return context error to user. + ret = ctxErr + } + }() + go func() { + select { + case <-handshakeCtx.Done(): + // Close the connection, discarding the error + _ = c.conn.Close() + interruptRes <- handshakeCtx.Err() + case <-done: + interruptRes <- nil + } + }() + } + + c.handshakeMutex.Lock() + defer c.handshakeMutex.Unlock() + + if err := c.handshakeErr; err != nil { + return err + } + if c.isHandshakeComplete.Load() { + return nil + } + + c.in.Lock() + defer c.in.Unlock() + + c.handshakeErr = c.handshakeFn(handshakeCtx) + // If data not enough return wait read more data + if errors.Is(c.handshakeErr, ErrNotEnough) { + c.handshakeErr = nil + return nil + } + if c.handshakeErr == nil { + c.handshakes++ + } else { + // If an error occurred during the handshake try to flush the + // alert that might be left in the buffer. + c.flush() + } + + if c.isWaitClientFinished.Load() { + return ErrNotEnough + } + + /* if c.handshakeErr == nil && !c.isHandshakeComplete.Load() { + c.handshakeErr = errors.New("tls: internal error: handshake should have had a result") + } + if c.handshakeErr != nil && c.isHandshakeComplete.Load() { + panic("tls: internal error: handshake returned an error but is marked successful") + } + */ + if c.quic != nil { + if c.handshakeErr == nil { + c.quicHandshakeComplete() + // Provide the 1-RTT read secret now that the handshake is complete. + // The QUIC layer MUST NOT decrypt 1-RTT packets prior to completing + // the handshake (RFC 9001, Section 5.7). + c.quicSetReadSecret(QUICEncryptionLevelApplication, c.cipherSuite, c.in.trafficSecret) + } else { + var a alert + c.out.Lock() + if !errors.As(c.out.err, &a) { + a = alertInternalError + } + c.out.Unlock() + // Return an error which wraps both the handshake error and + // any alert error we may have sent, or alertInternalError + // if we didn't send an alert. + // Truncate the text of the alert to 0 characters. + c.handshakeErr = fmt.Errorf("%w%.0w", c.handshakeErr, AlertError(a)) + } + close(c.quic.blockedc) + close(c.quic.signalc) + } + + return c.handshakeErr +} + +// ConnectionState returns basic TLS details about the connection. +func (c *Conn) ConnectionState() ConnectionState { + c.handshakeMutex.Lock() + defer c.handshakeMutex.Unlock() + return c.connectionStateLocked() +} + +//var tlsunsafeekm = godebug.New("tlsunsafeekm") + +func (c *Conn) connectionStateLocked() ConnectionState { + var state ConnectionState + state.HandshakeComplete = c.isHandshakeComplete.Load() + state.Version = c.vers + state.NegotiatedProtocol = c.clientProtocol + state.DidResume = c.didResume + state.NegotiatedProtocolIsMutual = true + state.ServerName = c.serverName + state.CipherSuite = c.cipherSuite + state.PeerCertificates = c.peerCertificates + state.VerifiedChains = c.verifiedChains + state.SignedCertificateTimestamps = c.scts + state.OCSPResponse = c.ocspResponse + if (!c.didResume || c.extMasterSecret) && c.vers != VersionTLS13 { + if c.clientFinishedIsFirst { + state.TLSUnique = c.clientFinished[:] + } else { + state.TLSUnique = c.serverFinished[:] + } + } + if c.config.Renegotiation != RenegotiateNever { + state.ekm = noEKMBecauseRenegotiation + } else if c.vers != VersionTLS13 && !c.extMasterSecret { + state.ekm = func(label string, context []byte, length int) ([]byte, error) { + /*if tlsunsafeekm.Value() == "1" { + tlsunsafeekm.IncNonDefault() + return c.ekm(label, context, length) + }*/ + return noEKMBecauseNoEMS(label, context, length) + } + } else { + state.ekm = c.ekm + } + return state +} + +// OCSPResponse returns the stapled OCSP response from the TLS server, if +// any. (Only valid for client connections.) +func (c *Conn) OCSPResponse() []byte { + c.handshakeMutex.Lock() + defer c.handshakeMutex.Unlock() + + return c.ocspResponse +} + +// VerifyHostname checks that the peer certificate chain is valid for +// connecting to host. If so, it returns nil; if not, it returns an error +// describing the problem. +func (c *Conn) VerifyHostname(host string) error { + c.handshakeMutex.Lock() + defer c.handshakeMutex.Unlock() + if !c.isClient { + return errors.New("tls: VerifyHostname called on TLS server connection") + } + if !c.isHandshakeComplete.Load() { + return errors.New("tls: handshake has not yet been performed") + } + if len(c.verifiedChains) == 0 { + return errors.New("tls: handshake did not verify certificate chain") + } + return c.peerCertificates[0].VerifyHostname(host) +} diff --git a/pkg/tls/conn_test.go b/pkg/tls/conn_test.go new file mode 100644 index 000000000..5e090a017 --- /dev/null +++ b/pkg/tls/conn_test.go @@ -0,0 +1,319 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "bytes" + "io" + "net" + "testing" +) + +func TestRoundUp(t *testing.T) { + if roundUp(0, 16) != 0 || + roundUp(1, 16) != 16 || + roundUp(15, 16) != 16 || + roundUp(16, 16) != 16 || + roundUp(17, 16) != 32 { + t.Error("roundUp broken") + } +} + +// will be initialized with {0, 255, 255, ..., 255} +var padding255Bad = [256]byte{} + +// will be initialized with {255, 255, 255, ..., 255} +var padding255Good = [256]byte{255} + +var paddingTests = []struct { + in []byte + good bool + expectedLen int +}{ + {[]byte{1, 2, 3, 4, 0}, true, 4}, + {[]byte{1, 2, 3, 4, 0, 1}, false, 0}, + {[]byte{1, 2, 3, 4, 99, 99}, false, 0}, + {[]byte{1, 2, 3, 4, 1, 1}, true, 4}, + {[]byte{1, 2, 3, 2, 2, 2}, true, 3}, + {[]byte{1, 2, 3, 3, 3, 3}, true, 2}, + {[]byte{1, 2, 3, 4, 3, 3}, false, 0}, + {[]byte{1, 4, 4, 4, 4, 4}, true, 1}, + {[]byte{5, 5, 5, 5, 5, 5}, true, 0}, + {[]byte{6, 6, 6, 6, 6, 6}, false, 0}, + {padding255Bad[:], false, 0}, + {padding255Good[:], true, 0}, +} + +func TestRemovePadding(t *testing.T) { + for i := 1; i < len(padding255Bad); i++ { + padding255Bad[i] = 255 + padding255Good[i] = 255 + } + for i, test := range paddingTests { + paddingLen, good := extractPadding(test.in) + expectedGood := byte(255) + if !test.good { + expectedGood = 0 + } + if good != expectedGood { + t.Errorf("#%d: wrong validity, want:%d got:%d", i, expectedGood, good) + } + if good == 255 && len(test.in)-paddingLen != test.expectedLen { + t.Errorf("#%d: got %d, want %d", i, len(test.in)-paddingLen, test.expectedLen) + } + } +} + +var certExampleCom = `308201713082011ba003020102021005a75ddf21014d5f417083b7a010ba2e300d06092a864886f70d01010b050030123110300e060355040a130741636d6520436f301e170d3136303831373231343135335a170d3137303831373231343135335a30123110300e060355040a130741636d6520436f305c300d06092a864886f70d0101010500034b003048024100b37f0fdd67e715bf532046ac34acbd8fdc4dabe2b598588f3f58b1f12e6219a16cbfe54d2b4b665396013589262360b6721efa27d546854f17cc9aeec6751db10203010001a34d304b300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff0402300030160603551d11040f300d820b6578616d706c652e636f6d300d06092a864886f70d01010b050003410059fc487866d3d855503c8e064ca32aac5e9babcece89ec597f8b2b24c17867f4a5d3b4ece06e795bfc5448ccbd2ffca1b3433171ebf3557a4737b020565350a0` + +var certWildcardExampleCom = `308201743082011ea003020102021100a7aa6297c9416a4633af8bec2958c607300d06092a864886f70d01010b050030123110300e060355040a130741636d6520436f301e170d3136303831373231343231395a170d3137303831373231343231395a30123110300e060355040a130741636d6520436f305c300d06092a864886f70d0101010500034b003048024100b105afc859a711ee864114e7d2d46c2dcbe392d3506249f6c2285b0eb342cc4bf2d803677c61c0abde443f084745c1a6d62080e5664ef2cc8f50ad8a0ab8870b0203010001a34f304d300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff0402300030180603551d110411300f820d2a2e6578616d706c652e636f6d300d06092a864886f70d01010b0500034100af26088584d266e3f6566360cf862c7fecc441484b098b107439543144a2b93f20781988281e108c6d7656934e56950e1e5f2bcf38796b814ccb729445856c34` + +var certFooExampleCom = `308201753082011fa00302010202101bbdb6070b0aeffc49008cde74deef29300d06092a864886f70d01010b050030123110300e060355040a130741636d6520436f301e170d3136303831373231343234345a170d3137303831373231343234345a30123110300e060355040a130741636d6520436f305c300d06092a864886f70d0101010500034b003048024100f00ac69d8ca2829f26216c7b50f1d4bbabad58d447706476cd89a2f3e1859943748aa42c15eedc93ac7c49e40d3b05ed645cb6b81c4efba60d961f44211a54eb0203010001a351304f300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff04023000301a0603551d1104133011820f666f6f2e6578616d706c652e636f6d300d06092a864886f70d01010b0500034100a0957fca6d1e0f1ef4b247348c7a8ca092c29c9c0ecc1898ea6b8065d23af6d922a410dd2335a0ea15edd1394cef9f62c9e876a21e35250a0b4fe1ddceba0f36` + +func TestCertificateSelection(t *testing.T) { + config := Config{ + Certificates: []Certificate{ + { + Certificate: [][]byte{fromHex(certExampleCom)}, + }, + { + Certificate: [][]byte{fromHex(certWildcardExampleCom)}, + }, + { + Certificate: [][]byte{fromHex(certFooExampleCom)}, + }, + }, + } + + config.BuildNameToCertificate() + + pointerToIndex := func(c *Certificate) int { + for i := range config.Certificates { + if c == &config.Certificates[i] { + return i + } + } + return -1 + } + + certificateForName := func(name string) *Certificate { + clientHello := &ClientHelloInfo{ + ServerName: name, + } + if cert, err := config.getCertificate(clientHello); err != nil { + t.Errorf("unable to get certificate for name '%s': %s", name, err) + return nil + } else { + return cert + } + } + + if n := pointerToIndex(certificateForName("example.com")); n != 0 { + t.Errorf("example.com returned certificate %d, not 0", n) + } + if n := pointerToIndex(certificateForName("bar.example.com")); n != 1 { + t.Errorf("bar.example.com returned certificate %d, not 1", n) + } + if n := pointerToIndex(certificateForName("foo.example.com")); n != 2 { + t.Errorf("foo.example.com returned certificate %d, not 2", n) + } + if n := pointerToIndex(certificateForName("foo.bar.example.com")); n != 0 { + t.Errorf("foo.bar.example.com returned certificate %d, not 0", n) + } +} + +// Run with multiple crypto configs to test the logic for computing TLS record overheads. +func runDynamicRecordSizingTest(t *testing.T, config *Config) { + clientConn, serverConn := localPipe(t) + + serverConfig := config.Clone() + serverConfig.DynamicRecordSizingDisabled = false + tlsConn := Server(serverConn, serverConfig) + + handshakeDone := make(chan struct{}) + recordSizesChan := make(chan []int, 1) + defer func() { <-recordSizesChan }() // wait for the goroutine to exit + go func() { + // This goroutine performs a TLS handshake over clientConn and + // then reads TLS records until EOF. It writes a slice that + // contains all the record sizes to recordSizesChan. + defer close(recordSizesChan) + defer clientConn.Close() + + tlsConn := Client(clientConn, config) + if err := tlsConn.Handshake(); err != nil { + t.Errorf("Error from client handshake: %v", err) + return + } + close(handshakeDone) + + var recordHeader [recordHeaderLen]byte + var record []byte + var recordSizes []int + + for { + n, err := io.ReadFull(clientConn, recordHeader[:]) + if err == io.EOF { + break + } + if err != nil || n != len(recordHeader) { + t.Errorf("io.ReadFull = %d, %v", n, err) + return + } + + length := int(recordHeader[3])<<8 | int(recordHeader[4]) + if len(record) < length { + record = make([]byte, length) + } + + n, err = io.ReadFull(clientConn, record[:length]) + if err != nil || n != length { + t.Errorf("io.ReadFull = %d, %v", n, err) + return + } + + recordSizes = append(recordSizes, recordHeaderLen+length) + } + + recordSizesChan <- recordSizes + }() + + if err := tlsConn.Handshake(); err != nil { + t.Fatalf("Error from server handshake: %s", err) + } + <-handshakeDone + + // The server writes these plaintexts in order. + plaintext := bytes.Join([][]byte{ + bytes.Repeat([]byte("x"), recordSizeBoostThreshold), + bytes.Repeat([]byte("y"), maxPlaintext*2), + bytes.Repeat([]byte("z"), maxPlaintext), + }, nil) + + if _, err := tlsConn.Write(plaintext); err != nil { + t.Fatalf("Error from server write: %s", err) + } + if err := tlsConn.Close(); err != nil { + t.Fatalf("Error from server close: %s", err) + } + + recordSizes := <-recordSizesChan + if recordSizes == nil { + t.Fatalf("Client encountered an error") + } + + // Drop the size of the second to last record, which is likely to be + // truncated, and the last record, which is a close_notify alert. + recordSizes = recordSizes[:len(recordSizes)-2] + + // recordSizes should contain a series of records smaller than + // tcpMSSEstimate followed by some larger than maxPlaintext. + seenLargeRecord := false + for i, size := range recordSizes { + if !seenLargeRecord { + if size > (i+1)*tcpMSSEstimate { + t.Fatalf("Record #%d has size %d, which is too large too soon", i, size) + } + if size >= maxPlaintext { + seenLargeRecord = true + } + } else if size <= maxPlaintext { + t.Fatalf("Record #%d has size %d but should be full sized", i, size) + } + } + + if !seenLargeRecord { + t.Fatalf("No large records observed") + } +} + +func TestDynamicRecordSizingWithStreamCipher(t *testing.T) { + config := testConfig.Clone() + config.MaxVersion = VersionTLS12 + config.CipherSuites = []uint16{TLS_RSA_WITH_RC4_128_SHA} + runDynamicRecordSizingTest(t, config) +} + +func TestDynamicRecordSizingWithCBC(t *testing.T) { + config := testConfig.Clone() + config.MaxVersion = VersionTLS12 + config.CipherSuites = []uint16{TLS_RSA_WITH_AES_256_CBC_SHA} + runDynamicRecordSizingTest(t, config) +} + +func TestDynamicRecordSizingWithAEAD(t *testing.T) { + config := testConfig.Clone() + config.MaxVersion = VersionTLS12 + config.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256} + runDynamicRecordSizingTest(t, config) +} + +func TestDynamicRecordSizingWithTLSv13(t *testing.T) { + config := testConfig.Clone() + runDynamicRecordSizingTest(t, config) +} + +// hairpinConn is a net.Conn that makes a “hairpin” call when closed, back into +// the tls.Conn which is calling it. +type hairpinConn struct { + net.Conn + tlsConn *Conn +} + +func (conn *hairpinConn) Close() error { + conn.tlsConn.ConnectionState() + return nil +} + +func TestHairpinInClose(t *testing.T) { + // This tests that the underlying net.Conn can call back into the + // tls.Conn when being closed without deadlocking. + client, server := localPipe(t) + defer server.Close() + defer client.Close() + + conn := &hairpinConn{client, nil} + tlsConn := Server(conn, &Config{ + GetCertificate: func(*ClientHelloInfo) (*Certificate, error) { + panic("unreachable") + }, + }) + conn.tlsConn = tlsConn + + // This call should not deadlock. + tlsConn.Close() +} + +func TestRecordBadVersionTLS13(t *testing.T) { + client, server := localPipe(t) + defer server.Close() + defer client.Close() + + config := testConfig.Clone() + config.MinVersion, config.MaxVersion = VersionTLS13, VersionTLS13 + + go func() { + tlsConn := Client(client, config) + if err := tlsConn.Handshake(); err != nil { + t.Errorf("Error from client handshake: %v", err) + return + } + tlsConn.vers = 0x1111 + tlsConn.Write([]byte{1}) + }() + + tlsConn := Server(server, config) + if err := tlsConn.Handshake(); err != nil { + t.Errorf("Error from client handshake: %v", err) + return + } + + expectedErr := "tls: received record with version 1111 when expecting version 303" + + _, err := tlsConn.Read(make([]byte, 10)) + if err.Error() != expectedErr { + t.Fatalf("unexpected error: got %q, want %q", err, expectedErr) + } +} diff --git a/pkg/tls/example_test.go b/pkg/tls/example_test.go new file mode 100644 index 000000000..6389fd7fe --- /dev/null +++ b/pkg/tls/example_test.go @@ -0,0 +1,232 @@ +// Copyright 2014 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls_test + +import ( + "crypto/tls" + "crypto/x509" + "log" + "net/http" + "net/http/httptest" + "os" + "time" +) + +// zeroSource is an io.Reader that returns an unlimited number of zero bytes. +type zeroSource struct{} + +func (zeroSource) Read(b []byte) (n int, err error) { + for i := range b { + b[i] = 0 + } + + return len(b), nil +} + +func ExampleDial() { + // Connecting with a custom root-certificate set. + + const rootPEM = ` +-- GlobalSign Root R2, valid until Dec 15, 2021 +-----BEGIN CERTIFICATE----- +MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G +A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp +Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1 +MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG +A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL +v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8 +eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq +tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd +C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa +zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB +mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH +V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n +bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG +3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs +J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO +291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS +ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd +AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7 +TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg== +-----END CERTIFICATE-----` + + // First, create the set of root certificates. For this example we only + // have one. It's also possible to omit this in order to use the + // default root set of the current operating system. + roots := x509.NewCertPool() + ok := roots.AppendCertsFromPEM([]byte(rootPEM)) + if !ok { + panic("failed to parse root certificate") + } + + conn, err := tls.Dial("tcp", "mail.google.com:443", &tls.Config{ + RootCAs: roots, + }) + if err != nil { + panic("failed to connect: " + err.Error()) + } + conn.Close() +} + +func ExampleConfig_keyLogWriter() { + // Debugging TLS applications by decrypting a network traffic capture. + + // WARNING: Use of KeyLogWriter compromises security and should only be + // used for debugging. + + // Dummy test HTTP server for the example with insecure random so output is + // reproducible. + server := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {})) + server.TLS = &tls.Config{ + Rand: zeroSource{}, // for example only; don't do this. + } + server.StartTLS() + defer server.Close() + + // Typically the log would go to an open file: + // w, err := os.OpenFile("tls-secrets.txt", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) + w := os.Stdout + + client := &http.Client{ + Transport: &http.Transport{ + TLSClientConfig: &tls.Config{ + KeyLogWriter: w, + + Rand: zeroSource{}, // for reproducible output; don't do this. + InsecureSkipVerify: true, // test server certificate is not trusted. + }, + }, + } + resp, err := client.Get(server.URL) + if err != nil { + log.Fatalf("Failed to get URL: %v", err) + } + resp.Body.Close() + + // The resulting file can be used with Wireshark to decrypt the TLS + // connection by setting (Pre)-Master-Secret log filename in SSL Protocol + // preferences. +} + +func ExampleLoadX509KeyPair() { + cert, err := tls.LoadX509KeyPair("testdata/example-cert.pem", "testdata/example-key.pem") + if err != nil { + log.Fatal(err) + } + cfg := &tls.Config{Certificates: []tls.Certificate{cert}} + listener, err := tls.Listen("tcp", ":2000", cfg) + if err != nil { + log.Fatal(err) + } + _ = listener +} + +func ExampleX509KeyPair() { + certPem := []byte(`-----BEGIN CERTIFICATE----- +MIIBhTCCASugAwIBAgIQIRi6zePL6mKjOipn+dNuaTAKBggqhkjOPQQDAjASMRAw +DgYDVQQKEwdBY21lIENvMB4XDTE3MTAyMDE5NDMwNloXDTE4MTAyMDE5NDMwNlow +EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD0d +7VNhbWvZLWPuj/RtHFjvtJBEwOkhbN/BnnE8rnZR8+sbwnc/KhCk3FhnpHZnQz7B +5aETbbIgmuvewdjvSBSjYzBhMA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggr +BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdEQQiMCCCDmxvY2FsaG9zdDo1 +NDUzgg4xMjcuMC4wLjE6NTQ1MzAKBggqhkjOPQQDAgNIADBFAiEA2zpJEPQyz6/l +Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc +6MF9+Yw1Yy0t +-----END CERTIFICATE-----`) + keyPem := []byte(`-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIIrYSSNQFaA2Hwf1duRSxKtLYX5CB04fSeQ6tF1aY/PuoAoGCCqGSM49 +AwEHoUQDQgAEPR3tU2Fta9ktY+6P9G0cWO+0kETA6SFs38GecTyudlHz6xvCdz8q +EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA== +-----END EC PRIVATE KEY-----`) + cert, err := tls.X509KeyPair(certPem, keyPem) + if err != nil { + log.Fatal(err) + } + cfg := &tls.Config{Certificates: []tls.Certificate{cert}} + listener, err := tls.Listen("tcp", ":2000", cfg) + if err != nil { + log.Fatal(err) + } + _ = listener +} + +func ExampleX509KeyPair_httpServer() { + certPem := []byte(`-----BEGIN CERTIFICATE----- +MIIBhTCCASugAwIBAgIQIRi6zePL6mKjOipn+dNuaTAKBggqhkjOPQQDAjASMRAw +DgYDVQQKEwdBY21lIENvMB4XDTE3MTAyMDE5NDMwNloXDTE4MTAyMDE5NDMwNlow +EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD0d +7VNhbWvZLWPuj/RtHFjvtJBEwOkhbN/BnnE8rnZR8+sbwnc/KhCk3FhnpHZnQz7B +5aETbbIgmuvewdjvSBSjYzBhMA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggr +BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdEQQiMCCCDmxvY2FsaG9zdDo1 +NDUzgg4xMjcuMC4wLjE6NTQ1MzAKBggqhkjOPQQDAgNIADBFAiEA2zpJEPQyz6/l +Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc +6MF9+Yw1Yy0t +-----END CERTIFICATE-----`) + keyPem := []byte(`-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIIrYSSNQFaA2Hwf1duRSxKtLYX5CB04fSeQ6tF1aY/PuoAoGCCqGSM49 +AwEHoUQDQgAEPR3tU2Fta9ktY+6P9G0cWO+0kETA6SFs38GecTyudlHz6xvCdz8q +EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA== +-----END EC PRIVATE KEY-----`) + cert, err := tls.X509KeyPair(certPem, keyPem) + if err != nil { + log.Fatal(err) + } + cfg := &tls.Config{Certificates: []tls.Certificate{cert}} + srv := &http.Server{ + TLSConfig: cfg, + ReadTimeout: time.Minute, + WriteTimeout: time.Minute, + } + log.Fatal(srv.ListenAndServeTLS("", "")) +} + +func ExampleConfig_verifyConnection() { + // VerifyConnection can be used to replace and customize connection + // verification. This example shows a VerifyConnection implementation that + // will be approximately equivalent to what crypto/tls does normally to + // verify the peer's certificate. + + // Client side configuration. + _ = &tls.Config{ + // Set InsecureSkipVerify to skip the default validation we are + // replacing. This will not disable VerifyConnection. + InsecureSkipVerify: true, + VerifyConnection: func(cs tls.ConnectionState) error { + opts := x509.VerifyOptions{ + DNSName: cs.ServerName, + Intermediates: x509.NewCertPool(), + } + for _, cert := range cs.PeerCertificates[1:] { + opts.Intermediates.AddCert(cert) + } + _, err := cs.PeerCertificates[0].Verify(opts) + return err + }, + } + + // Server side configuration. + _ = &tls.Config{ + // Require client certificates (or VerifyConnection will run anyway and + // panic accessing cs.PeerCertificates[0]) but don't verify them with the + // default verifier. This will not disable VerifyConnection. + ClientAuth: tls.RequireAnyClientCert, + VerifyConnection: func(cs tls.ConnectionState) error { + opts := x509.VerifyOptions{ + DNSName: cs.ServerName, + Intermediates: x509.NewCertPool(), + KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, + } + for _, cert := range cs.PeerCertificates[1:] { + opts.Intermediates.AddCert(cert) + } + _, err := cs.PeerCertificates[0].Verify(opts) + return err + }, + } + + // Note that when certificates are not handled by the default verifier + // ConnectionState.VerifiedChains will be nil. +} diff --git a/pkg/tls/fipsonly/fipsonly.go b/pkg/tls/fipsonly/fipsonly.go new file mode 100644 index 000000000..f923abb41 --- /dev/null +++ b/pkg/tls/fipsonly/fipsonly.go @@ -0,0 +1,29 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build boringcrypto + +// Package fipsonly restricts all TLS configuration to FIPS-approved settings. +// +// The effect is triggered by importing the package anywhere in a program, as in: +// +// import _ "crypto/tls/fipsonly" +// +// This package only exists when using Go compiled with GOEXPERIMENT=boringcrypto. +package fipsonly + +// This functionality is provided as a side effect of an import to make +// it trivial to add to an existing program. It requires only a single line +// added to an existing source file, or it can be done by adding a whole +// new source file and not modifying any existing source files. + +import ( + "github.com/panjf2000/gnet/v2/pkg/tls/internal/boring/fipstls" + "github.com/panjf2000/gnet/v2/pkg/tls/internal/boring/sig" +) + +func init() { + fipstls.Force() + sig.FIPSOnly() +} diff --git a/pkg/tls/fipsonly/fipsonly_test.go b/pkg/tls/fipsonly/fipsonly_test.go new file mode 100644 index 000000000..a23940801 --- /dev/null +++ b/pkg/tls/fipsonly/fipsonly_test.go @@ -0,0 +1,19 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build boringcrypto + +package fipsonly + +import ( + "testing" + + "github.com/panjf2000/gnet/v2/pkg/tls/internal/boring/fipstls" +) + +func Test(t *testing.T) { + if !fipstls.Required() { + t.Fatal("fipstls.Required() = false, must be true") + } +} diff --git a/pkg/tls/generate_cert.go b/pkg/tls/generate_cert.go new file mode 100644 index 000000000..cd4bfc513 --- /dev/null +++ b/pkg/tls/generate_cert.go @@ -0,0 +1,171 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build ignore + +// Generate a self-signed X.509 certificate for a TLS server. Outputs to +// 'cert.pem' and 'key.pem' and will overwrite existing files. + +package main + +import ( + "crypto/ecdsa" + "crypto/ed25519" + "crypto/elliptic" + "crypto/rand" + "crypto/rsa" + "crypto/x509" + "crypto/x509/pkix" + "encoding/pem" + "flag" + "log" + "math/big" + "net" + "os" + "strings" + "time" +) + +var ( + host = flag.String("host", "", "Comma-separated hostnames and IPs to generate a certificate for") + validFrom = flag.String("start-date", "", "Creation date formatted as Jan 1 15:04:05 2011") + validFor = flag.Duration("duration", 365*24*time.Hour, "Duration that certificate is valid for") + isCA = flag.Bool("ca", false, "whether this cert should be its own Certificate Authority") + rsaBits = flag.Int("rsa-bits", 2048, "Size of RSA key to generate. Ignored if --ecdsa-curve is set") + ecdsaCurve = flag.String("ecdsa-curve", "", "ECDSA curve to use to generate a key. Valid values are P224, P256 (recommended), P384, P521") + ed25519Key = flag.Bool("ed25519", false, "Generate an Ed25519 key") +) + +func publicKey(priv any) any { + switch k := priv.(type) { + case *rsa.PrivateKey: + return &k.PublicKey + case *ecdsa.PrivateKey: + return &k.PublicKey + case ed25519.PrivateKey: + return k.Public().(ed25519.PublicKey) + default: + return nil + } +} + +func main() { + flag.Parse() + + if len(*host) == 0 { + log.Fatalf("Missing required --host parameter") + } + + var priv any + var err error + switch *ecdsaCurve { + case "": + if *ed25519Key { + _, priv, err = ed25519.GenerateKey(rand.Reader) + } else { + priv, err = rsa.GenerateKey(rand.Reader, *rsaBits) + } + case "P224": + priv, err = ecdsa.GenerateKey(elliptic.P224(), rand.Reader) + case "P256": + priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) + case "P384": + priv, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader) + case "P521": + priv, err = ecdsa.GenerateKey(elliptic.P521(), rand.Reader) + default: + log.Fatalf("Unrecognized elliptic curve: %q", *ecdsaCurve) + } + if err != nil { + log.Fatalf("Failed to generate private key: %v", err) + } + + // ECDSA, ED25519 and RSA subject keys should have the DigitalSignature + // KeyUsage bits set in the x509.Certificate template + keyUsage := x509.KeyUsageDigitalSignature + // Only RSA subject keys should have the KeyEncipherment KeyUsage bits set. In + // the context of TLS this KeyUsage is particular to RSA key exchange and + // authentication. + if _, isRSA := priv.(*rsa.PrivateKey); isRSA { + keyUsage |= x509.KeyUsageKeyEncipherment + } + + var notBefore time.Time + if len(*validFrom) == 0 { + notBefore = time.Now() + } else { + notBefore, err = time.Parse("Jan 2 15:04:05 2006", *validFrom) + if err != nil { + log.Fatalf("Failed to parse creation date: %v", err) + } + } + + notAfter := notBefore.Add(*validFor) + + serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128) + serialNumber, err := rand.Int(rand.Reader, serialNumberLimit) + if err != nil { + log.Fatalf("Failed to generate serial number: %v", err) + } + + template := x509.Certificate{ + SerialNumber: serialNumber, + Subject: pkix.Name{ + Organization: []string{"Acme Co"}, + }, + NotBefore: notBefore, + NotAfter: notAfter, + + KeyUsage: keyUsage, + ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, + BasicConstraintsValid: true, + } + + hosts := strings.Split(*host, ",") + for _, h := range hosts { + if ip := net.ParseIP(h); ip != nil { + template.IPAddresses = append(template.IPAddresses, ip) + } else { + template.DNSNames = append(template.DNSNames, h) + } + } + + if *isCA { + template.IsCA = true + template.KeyUsage |= x509.KeyUsageCertSign + } + + derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey(priv), priv) + if err != nil { + log.Fatalf("Failed to create certificate: %v", err) + } + + certOut, err := os.Create("cert.pem") + if err != nil { + log.Fatalf("Failed to open cert.pem for writing: %v", err) + } + if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil { + log.Fatalf("Failed to write data to cert.pem: %v", err) + } + if err := certOut.Close(); err != nil { + log.Fatalf("Error closing cert.pem: %v", err) + } + log.Print("wrote cert.pem\n") + + keyOut, err := os.OpenFile("key.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600) + if err != nil { + log.Fatalf("Failed to open key.pem for writing: %v", err) + } + privBytes, err := x509.MarshalPKCS8PrivateKey(priv) + if err != nil { + log.Fatalf("Unable to marshal private key: %v", err) + } + if err := pem.Encode(keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes}); err != nil { + log.Fatalf("Failed to write data to key.pem: %v", err) + } + if err := keyOut.Close(); err != nil { + log.Fatalf("Error closing key.pem: %v", err) + } + log.Print("wrote key.pem\n") +} diff --git a/pkg/tls/handshake_client.go b/pkg/tls/handshake_client.go new file mode 100644 index 000000000..f2e593926 --- /dev/null +++ b/pkg/tls/handshake_client.go @@ -0,0 +1,1142 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "bytes" + "context" + "crypto" + "crypto/ecdh" + "crypto/ecdsa" + "crypto/ed25519" + "crypto/rsa" + "crypto/subtle" + "crypto/x509" + "errors" + "fmt" + "hash" + "io" + "net" + "strings" + "time" +) + +type clientHandshakeState struct { + c *Conn + ctx context.Context + serverHello *serverHelloMsg + hello *clientHelloMsg + suite *cipherSuite + finishedHash finishedHash + masterSecret []byte + session *SessionState // the session being resumed + ticket []byte // a fresh ticket received during this handshake +} + +var testingOnlyForceClientHelloSignatureAlgorithms []SignatureScheme + +func (c *Conn) makeClientHello() (*clientHelloMsg, *ecdh.PrivateKey, error) { + config := c.config + if len(config.ServerName) == 0 && !config.InsecureSkipVerify { + return nil, nil, errors.New("tls: either ServerName or InsecureSkipVerify must be specified in the tls.Config") + } + + nextProtosLength := 0 + for _, proto := range config.NextProtos { + if l := len(proto); l == 0 || l > 255 { + return nil, nil, errors.New("tls: invalid NextProtos value") + } else { + nextProtosLength += 1 + l + } + } + if nextProtosLength > 0xffff { + return nil, nil, errors.New("tls: NextProtos values too large") + } + + supportedVersions := config.supportedVersions(roleClient) + if len(supportedVersions) == 0 { + return nil, nil, errors.New("tls: no supported versions satisfy MinVersion and MaxVersion") + } + + clientHelloVersion := config.maxSupportedVersion(roleClient) + // The version at the beginning of the ClientHello was capped at TLS 1.2 + // for compatibility reasons. The supported_versions extension is used + // to negotiate versions now. See RFC 8446, Section 4.2.1. + if clientHelloVersion > VersionTLS12 { + clientHelloVersion = VersionTLS12 + } + + hello := &clientHelloMsg{ + vers: clientHelloVersion, + compressionMethods: []uint8{compressionNone}, + random: make([]byte, 32), + extendedMasterSecret: true, + ocspStapling: true, + scts: true, + serverName: hostnameInSNI(config.ServerName), + supportedCurves: config.curvePreferences(), + supportedPoints: []uint8{pointFormatUncompressed}, + secureRenegotiationSupported: true, + alpnProtocols: config.NextProtos, + supportedVersions: supportedVersions, + } + + if c.handshakes > 0 { + hello.secureRenegotiation = c.clientFinished[:] + } + + preferenceOrder := cipherSuitesPreferenceOrder + if !hasAESGCMHardwareSupport { + preferenceOrder = cipherSuitesPreferenceOrderNoAES + } + configCipherSuites := config.cipherSuites() + hello.cipherSuites = make([]uint16, 0, len(configCipherSuites)) + + for _, suiteId := range preferenceOrder { + suite := mutualCipherSuite(configCipherSuites, suiteId) + if suite == nil { + continue + } + // Don't advertise TLS 1.2-only cipher suites unless + // we're attempting TLS 1.2. + if hello.vers < VersionTLS12 && suite.flags&suiteTLS12 != 0 { + continue + } + hello.cipherSuites = append(hello.cipherSuites, suiteId) + } + + _, err := io.ReadFull(config.rand(), hello.random) + if err != nil { + return nil, nil, errors.New("tls: short read from Rand: " + err.Error()) + } + + // A random session ID is used to detect when the server accepted a ticket + // and is resuming a session (see RFC 5077). In TLS 1.3, it's always set as + // a compatibility measure (see RFC 8446, Section 4.1.2). + // + // The session ID is not set for QUIC connections (see RFC 9001, Section 8.4). + if c.quic == nil { + hello.sessionId = make([]byte, 32) + if _, err := io.ReadFull(config.rand(), hello.sessionId); err != nil { + return nil, nil, errors.New("tls: short read from Rand: " + err.Error()) + } + } + + if hello.vers >= VersionTLS12 { + hello.supportedSignatureAlgorithms = supportedSignatureAlgorithms() + } + if testingOnlyForceClientHelloSignatureAlgorithms != nil { + hello.supportedSignatureAlgorithms = testingOnlyForceClientHelloSignatureAlgorithms + } + + var key *ecdh.PrivateKey + if hello.supportedVersions[0] == VersionTLS13 { + // Reset the list of ciphers when the client only supports TLS 1.3. + if len(hello.supportedVersions) == 1 { + hello.cipherSuites = nil + } + if hasAESGCMHardwareSupport { + hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13...) + } else { + hello.cipherSuites = append(hello.cipherSuites, defaultCipherSuitesTLS13NoAES...) + } + + curveID := config.curvePreferences()[0] + if _, ok := curveForCurveID(curveID); !ok { + return nil, nil, errors.New("tls: CurvePreferences includes unsupported curve") + } + key, err = generateECDHEKey(config.rand(), curveID) + if err != nil { + return nil, nil, err + } + hello.keyShares = []keyShare{{group: curveID, data: key.PublicKey().Bytes()}} + } + + if c.quic != nil { + p, err := c.quicGetTransportParameters() + if err != nil { + return nil, nil, err + } + if p == nil { + p = []byte{} + } + hello.quicTransportParameters = p + } + + return hello, key, nil +} + +func (c *Conn) clientHandshake(ctx context.Context) (err error) { + if c.config == nil { + c.config = defaultConfig() + } + + // This may be a renegotiation handshake, in which case some fields + // need to be reset. + c.didResume = false + + hello, ecdheKey, err := c.makeClientHello() + if err != nil { + return err + } + c.serverName = hello.serverName + + session, earlySecret, binderKey, err := c.loadSession(hello) + if err != nil { + return err + } + if session != nil { + defer func() { + // If we got a handshake failure when resuming a session, throw away + // the session ticket. See RFC 5077, Section 3.2. + // + // RFC 8446 makes no mention of dropping tickets on failure, but it + // does require servers to abort on invalid binders, so we need to + // delete tickets to recover from a corrupted PSK. + if err != nil { + if cacheKey := c.clientSessionCacheKey(); cacheKey != "" { + c.config.ClientSessionCache.Put(cacheKey, nil) + } + } + }() + } + + if _, err := c.writeHandshakeRecord(hello, nil); err != nil { + return err + } + + if hello.earlyData { + suite := cipherSuiteTLS13ByID(session.cipherSuite) + transcript := suite.hash.New() + if err := transcriptMsg(hello, transcript); err != nil { + return err + } + earlyTrafficSecret := suite.deriveSecret(earlySecret, clientEarlyTrafficLabel, transcript) + c.quicSetWriteSecret(QUICEncryptionLevelEarly, suite.id, earlyTrafficSecret) + } + + // serverHelloMsg is not included in the transcript + msg, err := c.readHandshake(nil) + if err != nil { + return err + } + + serverHello, ok := msg.(*serverHelloMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(serverHello, msg) + } + + if err := c.pickTLSVersion(serverHello); err != nil { + return err + } + + // If we are negotiating a protocol version that's lower than what we + // support, check for the server downgrade canaries. + // See RFC 8446, Section 4.1.3. + maxVers := c.config.maxSupportedVersion(roleClient) + tls12Downgrade := string(serverHello.random[24:]) == downgradeCanaryTLS12 + tls11Downgrade := string(serverHello.random[24:]) == downgradeCanaryTLS11 + if maxVers == VersionTLS13 && c.vers <= VersionTLS12 && (tls12Downgrade || tls11Downgrade) || + maxVers == VersionTLS12 && c.vers <= VersionTLS11 && tls11Downgrade { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: downgrade attempt detected, possibly due to a MitM attack or a broken middlebox") + } + + if c.vers == VersionTLS13 { + hs := &clientHandshakeStateTLS13{ + c: c, + ctx: ctx, + serverHello: serverHello, + hello: hello, + ecdheKey: ecdheKey, + session: session, + earlySecret: earlySecret, + binderKey: binderKey, + } + + // In TLS 1.3, session tickets are delivered after the handshake. + return hs.handshake() + } + + hs := &clientHandshakeState{ + c: c, + ctx: ctx, + serverHello: serverHello, + hello: hello, + session: session, + } + + if err := hs.handshake(); err != nil { + return err + } + + return nil +} + +func (c *Conn) loadSession(hello *clientHelloMsg) ( + session *SessionState, earlySecret, binderKey []byte, err error) { + if c.config.SessionTicketsDisabled || c.config.ClientSessionCache == nil { + return nil, nil, nil, nil + } + + hello.ticketSupported = true + + if hello.supportedVersions[0] == VersionTLS13 { + // Require DHE on resumption as it guarantees forward secrecy against + // compromise of the session ticket key. See RFC 8446, Section 4.2.9. + hello.pskModes = []uint8{pskModeDHE} + } + + // Session resumption is not allowed if renegotiating because + // renegotiation is primarily used to allow a client to send a client + // certificate, which would be skipped if session resumption occurred. + if c.handshakes != 0 { + return nil, nil, nil, nil + } + + // Try to resume a previously negotiated TLS session, if available. + cacheKey := c.clientSessionCacheKey() + if cacheKey == "" { + return nil, nil, nil, nil + } + cs, ok := c.config.ClientSessionCache.Get(cacheKey) + if !ok || cs == nil { + return nil, nil, nil, nil + } + session = cs.session + + // Check that version used for the previous session is still valid. + versOk := false + for _, v := range hello.supportedVersions { + if v == session.version { + versOk = true + break + } + } + if !versOk { + return nil, nil, nil, nil + } + + // Check that the cached server certificate is not expired, and that it's + // valid for the ServerName. This should be ensured by the cache key, but + // protect the application from a faulty ClientSessionCache implementation. + if c.config.time().After(session.peerCertificates[0].NotAfter) { + // Expired certificate, delete the entry. + c.config.ClientSessionCache.Put(cacheKey, nil) + return nil, nil, nil, nil + } + if !c.config.InsecureSkipVerify { + if len(session.verifiedChains) == 0 { + // The original connection had InsecureSkipVerify, while this doesn't. + return nil, nil, nil, nil + } + if err := session.peerCertificates[0].VerifyHostname(c.config.ServerName); err != nil { + return nil, nil, nil, nil + } + } + + if session.version != VersionTLS13 { + // In TLS 1.2 the cipher suite must match the resumed session. Ensure we + // are still offering it. + if mutualCipherSuite(hello.cipherSuites, session.cipherSuite) == nil { + return nil, nil, nil, nil + } + + hello.sessionTicket = cs.ticket + return + } + + // Check that the session ticket is not expired. + if c.config.time().After(time.Unix(int64(session.useBy), 0)) { + c.config.ClientSessionCache.Put(cacheKey, nil) + return nil, nil, nil, nil + } + + // In TLS 1.3 the KDF hash must match the resumed session. Ensure we + // offer at least one cipher suite with that hash. + cipherSuite := cipherSuiteTLS13ByID(session.cipherSuite) + if cipherSuite == nil { + return nil, nil, nil, nil + } + cipherSuiteOk := false + for _, offeredID := range hello.cipherSuites { + offeredSuite := cipherSuiteTLS13ByID(offeredID) + if offeredSuite != nil && offeredSuite.hash == cipherSuite.hash { + cipherSuiteOk = true + break + } + } + if !cipherSuiteOk { + return nil, nil, nil, nil + } + + if c.quic != nil && session.EarlyData { + // For 0-RTT, the cipher suite has to match exactly, and we need to be + // offering the same ALPN. + if mutualCipherSuiteTLS13(hello.cipherSuites, session.cipherSuite) != nil { + for _, alpn := range hello.alpnProtocols { + if alpn == session.alpnProtocol { + hello.earlyData = true + break + } + } + } + } + + // Set the pre_shared_key extension. See RFC 8446, Section 4.2.11.1. + ticketAge := c.config.time().Sub(time.Unix(int64(session.createdAt), 0)) + identity := pskIdentity{ + label: cs.ticket, + obfuscatedTicketAge: uint32(ticketAge/time.Millisecond) + session.ageAdd, + } + hello.pskIdentities = []pskIdentity{identity} + hello.pskBinders = [][]byte{make([]byte, cipherSuite.hash.Size())} + + // Compute the PSK binders. See RFC 8446, Section 4.2.11.2. + earlySecret = cipherSuite.extract(session.secret, nil) + binderKey = cipherSuite.deriveSecret(earlySecret, resumptionBinderLabel, nil) + transcript := cipherSuite.hash.New() + helloBytes, err := hello.marshalWithoutBinders() + if err != nil { + return nil, nil, nil, err + } + transcript.Write(helloBytes) + pskBinders := [][]byte{cipherSuite.finishedHash(binderKey, transcript)} + if err := hello.updateBinders(pskBinders); err != nil { + return nil, nil, nil, err + } + + return +} + +func (c *Conn) pickTLSVersion(serverHello *serverHelloMsg) error { + peerVersion := serverHello.vers + if serverHello.supportedVersion != 0 { + peerVersion = serverHello.supportedVersion + } + + vers, ok := c.config.mutualVersion(roleClient, []uint16{peerVersion}) + if !ok { + c.sendAlert(alertProtocolVersion) + return fmt.Errorf("tls: server selected unsupported protocol version %x", peerVersion) + } + + c.vers = vers + c.haveVers = true + c.in.version = vers + c.out.version = vers + + return nil +} + +// Does the handshake, either a full one or resumes old session. Requires hs.c, +// hs.hello, hs.serverHello, and, optionally, hs.session to be set. +func (hs *clientHandshakeState) handshake() error { + c := hs.c + + isResume, err := hs.processServerHello() + if err != nil { + return err + } + + hs.finishedHash = newFinishedHash(c.vers, hs.suite) + + // No signatures of the handshake are needed in a resumption. + // Otherwise, in a full handshake, if we don't have any certificates + // configured then we will never send a CertificateVerify message and + // thus no signatures are needed in that case either. + if isResume || (len(c.config.Certificates) == 0 && c.config.GetClientCertificate == nil) { + hs.finishedHash.discardHandshakeBuffer() + } + + if err := transcriptMsg(hs.hello, &hs.finishedHash); err != nil { + return err + } + if err := transcriptMsg(hs.serverHello, &hs.finishedHash); err != nil { + return err + } + + c.buffering = true + c.didResume = isResume + if isResume { + if err := hs.establishKeys(); err != nil { + return err + } + if err := hs.readSessionTicket(); err != nil { + return err + } + if err := hs.readFinished(c.serverFinished[:]); err != nil { + return err + } + c.clientFinishedIsFirst = false + // Make sure the connection is still being verified whether or not this + // is a resumption. Resumptions currently don't reverify certificates so + // they don't call verifyServerCertificate. See Issue 31641. + if c.config.VerifyConnection != nil { + if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil { + c.sendAlert(alertBadCertificate) + return err + } + } + if err := hs.sendFinished(c.clientFinished[:]); err != nil { + return err + } + if _, err := c.flush(); err != nil { + return err + } + } else { + if err := hs.doFullHandshake(); err != nil { + return err + } + if err := hs.establishKeys(); err != nil { + return err + } + if err := hs.sendFinished(c.clientFinished[:]); err != nil { + return err + } + if _, err := c.flush(); err != nil { + return err + } + c.clientFinishedIsFirst = true + if err := hs.readSessionTicket(); err != nil { + return err + } + if err := hs.readFinished(c.serverFinished[:]); err != nil { + return err + } + } + if err := hs.saveSessionTicket(); err != nil { + return err + } + + c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random) + c.isHandshakeComplete.Store(true) + + return nil +} + +func (hs *clientHandshakeState) pickCipherSuite() error { + if hs.suite = mutualCipherSuite(hs.hello.cipherSuites, hs.serverHello.cipherSuite); hs.suite == nil { + hs.c.sendAlert(alertHandshakeFailure) + return errors.New("tls: server chose an unconfigured cipher suite") + } + + if hs.c.config.CipherSuites == nil && rsaKexCiphers[hs.suite.id] { + //tlsrsakex.IncNonDefault() + } + + hs.c.cipherSuite = hs.suite.id + return nil +} + +func (hs *clientHandshakeState) doFullHandshake() error { + c := hs.c + + msg, err := c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } + certMsg, ok := msg.(*certificateMsg) + if !ok || len(certMsg.certificates) == 0 { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(certMsg, msg) + } + + msg, err = c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } + + cs, ok := msg.(*certificateStatusMsg) + if ok { + // RFC4366 on Certificate Status Request: + // The server MAY return a "certificate_status" message. + + if !hs.serverHello.ocspStapling { + // If a server returns a "CertificateStatus" message, then the + // server MUST have included an extension of type "status_request" + // with empty "extension_data" in the extended server hello. + + c.sendAlert(alertUnexpectedMessage) + return errors.New("tls: received unexpected CertificateStatus message") + } + + c.ocspResponse = cs.response + + msg, err = c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } + } + + if c.handshakes == 0 { + // If this is the first handshake on a connection, process and + // (optionally) verify the server's certificates. + if err := c.verifyServerCertificate(certMsg.certificates); err != nil { + return err + } + } else { + // This is a renegotiation handshake. We require that the + // server's identity (i.e. leaf certificate) is unchanged and + // thus any previous trust decision is still valid. + // + // See https://mitls.org/pages/attacks/3SHAKE for the + // motivation behind this requirement. + if !bytes.Equal(c.peerCertificates[0].Raw, certMsg.certificates[0]) { + c.sendAlert(alertBadCertificate) + return errors.New("tls: server's identity changed during renegotiation") + } + } + + keyAgreement := hs.suite.ka(c.vers) + + skx, ok := msg.(*serverKeyExchangeMsg) + if ok { + err = keyAgreement.processServerKeyExchange(c.config, hs.hello, hs.serverHello, c.peerCertificates[0], skx) + if err != nil { + c.sendAlert(alertUnexpectedMessage) + return err + } + + msg, err = c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } + } + + var chainToSend *Certificate + var certRequested bool + certReq, ok := msg.(*certificateRequestMsg) + if ok { + certRequested = true + + cri := certificateRequestInfoFromMsg(hs.ctx, c.vers, certReq) + if chainToSend, err = c.getClientCertificate(cri); err != nil { + c.sendAlert(alertInternalError) + return err + } + + msg, err = c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } + } + + shd, ok := msg.(*serverHelloDoneMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(shd, msg) + } + + // If the server requested a certificate then we have to send a + // Certificate message, even if it's empty because we don't have a + // certificate to send. + if certRequested { + certMsg = new(certificateMsg) + certMsg.certificates = chainToSend.Certificate + if _, err := hs.c.writeHandshakeRecord(certMsg, &hs.finishedHash); err != nil { + return err + } + } + + preMasterSecret, ckx, err := keyAgreement.generateClientKeyExchange(c.config, hs.hello, c.peerCertificates[0]) + if err != nil { + c.sendAlert(alertInternalError) + return err + } + if ckx != nil { + if _, err := hs.c.writeHandshakeRecord(ckx, &hs.finishedHash); err != nil { + return err + } + } + + if hs.serverHello.extendedMasterSecret { + c.extMasterSecret = true + hs.masterSecret = extMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, + hs.finishedHash.Sum()) + } else { + hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, + hs.hello.random, hs.serverHello.random) + } + if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.hello.random, hs.masterSecret); err != nil { + c.sendAlert(alertInternalError) + return errors.New("tls: failed to write to key log: " + err.Error()) + } + + if chainToSend != nil && len(chainToSend.Certificate) > 0 { + certVerify := &certificateVerifyMsg{} + + key, ok := chainToSend.PrivateKey.(crypto.Signer) + if !ok { + c.sendAlert(alertInternalError) + return fmt.Errorf("tls: client certificate private key of type %T does not implement crypto.Signer", chainToSend.PrivateKey) + } + + var sigType uint8 + var sigHash crypto.Hash + if c.vers >= VersionTLS12 { + signatureAlgorithm, err := selectSignatureScheme(c.vers, chainToSend, certReq.supportedSignatureAlgorithms) + if err != nil { + c.sendAlert(alertIllegalParameter) + return err + } + sigType, sigHash, err = typeAndHashFromSignatureScheme(signatureAlgorithm) + if err != nil { + return c.sendAlert(alertInternalError) + } + certVerify.hasSignatureAlgorithm = true + certVerify.signatureAlgorithm = signatureAlgorithm + } else { + sigType, sigHash, err = legacyTypeAndHashFromPublicKey(key.Public()) + if err != nil { + c.sendAlert(alertIllegalParameter) + return err + } + } + + signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash) + signOpts := crypto.SignerOpts(sigHash) + if sigType == signatureRSAPSS { + signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash} + } + certVerify.signature, err = key.Sign(c.config.rand(), signed, signOpts) + if err != nil { + c.sendAlert(alertInternalError) + return err + } + + if _, err := hs.c.writeHandshakeRecord(certVerify, &hs.finishedHash); err != nil { + return err + } + } + + hs.finishedHash.discardHandshakeBuffer() + + return nil +} + +func (hs *clientHandshakeState) establishKeys() error { + c := hs.c + + clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV := + keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.hello.random, hs.serverHello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen) + var clientCipher, serverCipher any + var clientHash, serverHash hash.Hash + if hs.suite.cipher != nil { + clientCipher = hs.suite.cipher(clientKey, clientIV, false /* not for reading */) + clientHash = hs.suite.mac(clientMAC) + serverCipher = hs.suite.cipher(serverKey, serverIV, true /* for reading */) + serverHash = hs.suite.mac(serverMAC) + } else { + clientCipher = hs.suite.aead(clientKey, clientIV) + serverCipher = hs.suite.aead(serverKey, serverIV) + } + + c.in.prepareCipherSpec(c.vers, serverCipher, serverHash) + c.out.prepareCipherSpec(c.vers, clientCipher, clientHash) + return nil +} + +func (hs *clientHandshakeState) serverResumedSession() bool { + // If the server responded with the same sessionId then it means the + // sessionTicket is being used to resume a TLS session. + return hs.session != nil && hs.hello.sessionId != nil && + bytes.Equal(hs.serverHello.sessionId, hs.hello.sessionId) +} + +func (hs *clientHandshakeState) processServerHello() (bool, error) { + c := hs.c + + if err := hs.pickCipherSuite(); err != nil { + return false, err + } + + if hs.serverHello.compressionMethod != compressionNone { + c.sendAlert(alertUnexpectedMessage) + return false, errors.New("tls: server selected unsupported compression format") + } + + if c.handshakes == 0 && hs.serverHello.secureRenegotiationSupported { + c.secureRenegotiation = true + if len(hs.serverHello.secureRenegotiation) != 0 { + c.sendAlert(alertHandshakeFailure) + return false, errors.New("tls: initial handshake had non-empty renegotiation extension") + } + } + + if c.handshakes > 0 && c.secureRenegotiation { + var expectedSecureRenegotiation [24]byte + copy(expectedSecureRenegotiation[:], c.clientFinished[:]) + copy(expectedSecureRenegotiation[12:], c.serverFinished[:]) + if !bytes.Equal(hs.serverHello.secureRenegotiation, expectedSecureRenegotiation[:]) { + c.sendAlert(alertHandshakeFailure) + return false, errors.New("tls: incorrect renegotiation extension contents") + } + } + + if err := checkALPN(hs.hello.alpnProtocols, hs.serverHello.alpnProtocol, false); err != nil { + c.sendAlert(alertUnsupportedExtension) + return false, err + } + c.clientProtocol = hs.serverHello.alpnProtocol + + c.scts = hs.serverHello.scts + + if !hs.serverResumedSession() { + return false, nil + } + + if hs.session.version != c.vers { + c.sendAlert(alertHandshakeFailure) + return false, errors.New("tls: server resumed a session with a different version") + } + + if hs.session.cipherSuite != hs.suite.id { + c.sendAlert(alertHandshakeFailure) + return false, errors.New("tls: server resumed a session with a different cipher suite") + } + + // RFC 7627, Section 5.3 + if hs.session.extMasterSecret != hs.serverHello.extendedMasterSecret { + c.sendAlert(alertHandshakeFailure) + return false, errors.New("tls: server resumed a session with a different EMS extension") + } + + // Restore master secret and certificates from previous state + hs.masterSecret = hs.session.secret + c.extMasterSecret = hs.session.extMasterSecret + c.peerCertificates = hs.session.peerCertificates + c.activeCertHandles = hs.c.activeCertHandles + c.verifiedChains = hs.session.verifiedChains + c.ocspResponse = hs.session.ocspResponse + // Let the ServerHello SCTs override the session SCTs from the original + // connection, if any are provided + if len(c.scts) == 0 && len(hs.session.scts) != 0 { + c.scts = hs.session.scts + } + + return true, nil +} + +// checkALPN ensure that the server's choice of ALPN protocol is compatible with +// the protocols that we advertised in the Client Hello. +func checkALPN(clientProtos []string, serverProto string, quic bool) error { + if serverProto == "" { + if quic && len(clientProtos) > 0 { + // RFC 9001, Section 8.1 + return errors.New("tls: server did not select an ALPN protocol") + } + return nil + } + if len(clientProtos) == 0 { + return errors.New("tls: server advertised unrequested ALPN extension") + } + for _, proto := range clientProtos { + if proto == serverProto { + return nil + } + } + return errors.New("tls: server selected unadvertised ALPN protocol") +} + +func (hs *clientHandshakeState) readFinished(out []byte) error { + c := hs.c + + if err := c.readChangeCipherSpec(); err != nil { + return err + } + + // finishedMsg is included in the transcript, but not until after we + // check the client version, since the state before this message was + // sent is used during verification. + msg, err := c.readHandshake(nil) + if err != nil { + return err + } + serverFinished, ok := msg.(*finishedMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(serverFinished, msg) + } + + verify := hs.finishedHash.serverSum(hs.masterSecret) + if len(verify) != len(serverFinished.verifyData) || + subtle.ConstantTimeCompare(verify, serverFinished.verifyData) != 1 { + c.sendAlert(alertHandshakeFailure) + return errors.New("tls: server's Finished message was incorrect") + } + + if err := transcriptMsg(serverFinished, &hs.finishedHash); err != nil { + return err + } + + copy(out, verify) + return nil +} + +func (hs *clientHandshakeState) readSessionTicket() error { + if !hs.serverHello.ticketSupported { + return nil + } + c := hs.c + + if !hs.hello.ticketSupported { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: server sent unrequested session ticket") + } + + msg, err := c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } + sessionTicketMsg, ok := msg.(*newSessionTicketMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(sessionTicketMsg, msg) + } + + hs.ticket = sessionTicketMsg.ticket + return nil +} + +func (hs *clientHandshakeState) saveSessionTicket() error { + if hs.ticket == nil { + return nil + } + c := hs.c + + cacheKey := c.clientSessionCacheKey() + if cacheKey == "" { + return nil + } + + session, err := c.sessionState() + if err != nil { + return err + } + session.secret = hs.masterSecret + + cs := &ClientSessionState{ticket: hs.ticket, session: session} + c.config.ClientSessionCache.Put(cacheKey, cs) + return nil +} + +func (hs *clientHandshakeState) sendFinished(out []byte) error { + c := hs.c + + if err := c.writeChangeCipherRecord(); err != nil { + return err + } + + finished := new(finishedMsg) + finished.verifyData = hs.finishedHash.clientSum(hs.masterSecret) + if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil { + return err + } + copy(out, finished.verifyData) + return nil +} + +// defaultMaxRSAKeySize is the maximum RSA key size in bits that we are willing +// to verify the signatures of during a TLS handshake. +const defaultMaxRSAKeySize = 8192 + +//var tlsmaxrsasize = godebug.New("tlsmaxrsasize") + +func checkKeySize(n int) (max int, ok bool) { + /* if v := tlsmaxrsasize.Value(); v != "" { + if max, err := strconv.Atoi(v); err == nil { + if (n <= max) != (n <= defaultMaxRSAKeySize) { + tlsmaxrsasize.IncNonDefault() + } + return max, n <= max + } + }*/ + return defaultMaxRSAKeySize, n <= defaultMaxRSAKeySize +} + +// verifyServerCertificate parses and verifies the provided chain, setting +// c.verifiedChains and c.peerCertificates or sending the appropriate alert. +func (c *Conn) verifyServerCertificate(certificates [][]byte) error { + activeHandles := make([]*activeCert, len(certificates)) + certs := make([]*x509.Certificate, len(certificates)) + for i, asn1Data := range certificates { + cert, err := globalCertCache.newCert(asn1Data) + if err != nil { + c.sendAlert(alertBadCertificate) + return errors.New("tls: failed to parse certificate from server: " + err.Error()) + } + if cert.cert.PublicKeyAlgorithm == x509.RSA { + n := cert.cert.PublicKey.(*rsa.PublicKey).N.BitLen() + if max, ok := checkKeySize(n); !ok { + c.sendAlert(alertBadCertificate) + return fmt.Errorf("tls: server sent certificate containing RSA key larger than %d bits", max) + } + } + activeHandles[i] = cert + certs[i] = cert.cert + } + + if !c.config.InsecureSkipVerify { + opts := x509.VerifyOptions{ + Roots: c.config.RootCAs, + CurrentTime: c.config.time(), + DNSName: c.config.ServerName, + Intermediates: x509.NewCertPool(), + } + + for _, cert := range certs[1:] { + opts.Intermediates.AddCert(cert) + } + var err error + c.verifiedChains, err = certs[0].Verify(opts) + if err != nil { + c.sendAlert(alertBadCertificate) + return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err} + } + } + + switch certs[0].PublicKey.(type) { + case *rsa.PublicKey, *ecdsa.PublicKey, ed25519.PublicKey: + break + default: + c.sendAlert(alertUnsupportedCertificate) + return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", certs[0].PublicKey) + } + + c.activeCertHandles = activeHandles + c.peerCertificates = certs + + if c.config.VerifyPeerCertificate != nil { + if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil { + c.sendAlert(alertBadCertificate) + return err + } + } + + if c.config.VerifyConnection != nil { + if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil { + c.sendAlert(alertBadCertificate) + return err + } + } + + return nil +} + +// certificateRequestInfoFromMsg generates a CertificateRequestInfo from a TLS +// <= 1.2 CertificateRequest, making an effort to fill in missing information. +func certificateRequestInfoFromMsg(ctx context.Context, vers uint16, certReq *certificateRequestMsg) *CertificateRequestInfo { + cri := &CertificateRequestInfo{ + AcceptableCAs: certReq.certificateAuthorities, + Version: vers, + ctx: ctx, + } + + var rsaAvail, ecAvail bool + for _, certType := range certReq.certificateTypes { + switch certType { + case certTypeRSASign: + rsaAvail = true + case certTypeECDSASign: + ecAvail = true + } + } + + if !certReq.hasSignatureAlgorithm { + // Prior to TLS 1.2, signature schemes did not exist. In this case we + // make up a list based on the acceptable certificate types, to help + // GetClientCertificate and SupportsCertificate select the right certificate. + // The hash part of the SignatureScheme is a lie here, because + // TLS 1.0 and 1.1 always use MD5+SHA1 for RSA and SHA1 for ECDSA. + switch { + case rsaAvail && ecAvail: + cri.SignatureSchemes = []SignatureScheme{ + ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512, + PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512, PKCS1WithSHA1, + } + case rsaAvail: + cri.SignatureSchemes = []SignatureScheme{ + PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512, PKCS1WithSHA1, + } + case ecAvail: + cri.SignatureSchemes = []SignatureScheme{ + ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512, + } + } + return cri + } + + // Filter the signature schemes based on the certificate types. + // See RFC 5246, Section 7.4.4 (where it calls this "somewhat complicated"). + cri.SignatureSchemes = make([]SignatureScheme, 0, len(certReq.supportedSignatureAlgorithms)) + for _, sigScheme := range certReq.supportedSignatureAlgorithms { + sigType, _, err := typeAndHashFromSignatureScheme(sigScheme) + if err != nil { + continue + } + switch sigType { + case signatureECDSA, signatureEd25519: + if ecAvail { + cri.SignatureSchemes = append(cri.SignatureSchemes, sigScheme) + } + case signatureRSAPSS, signaturePKCS1v15: + if rsaAvail { + cri.SignatureSchemes = append(cri.SignatureSchemes, sigScheme) + } + } + } + + return cri +} + +func (c *Conn) getClientCertificate(cri *CertificateRequestInfo) (*Certificate, error) { + if c.config.GetClientCertificate != nil { + return c.config.GetClientCertificate(cri) + } + + for _, chain := range c.config.Certificates { + if err := cri.SupportsCertificate(&chain); err != nil { + continue + } + return &chain, nil + } + + // No acceptable certificate found. Don't send a certificate. + return new(Certificate), nil +} + +// clientSessionCacheKey returns a key used to cache sessionTickets that could +// be used to resume previously negotiated TLS sessions with a server. +func (c *Conn) clientSessionCacheKey() string { + if len(c.config.ServerName) > 0 { + return c.config.ServerName + } + if c.conn != nil { + return c.conn.RemoteAddr().String() + } + return "" +} + +// hostnameInSNI converts name into an appropriate hostname for SNI. +// Literal IP addresses and absolute FQDNs are not permitted as SNI values. +// See RFC 6066, Section 3. +func hostnameInSNI(name string) string { + host := name + if len(host) > 0 && host[0] == '[' && host[len(host)-1] == ']' { + host = host[1 : len(host)-1] + } + if i := strings.LastIndex(host, "%"); i > 0 { + host = host[:i] + } + if net.ParseIP(host) != nil { + return "" + } + for len(name) > 0 && name[len(name)-1] == '.' { + name = name[:len(name)-1] + } + return name +} diff --git a/pkg/tls/handshake_client_test.go b/pkg/tls/handshake_client_test.go new file mode 100644 index 000000000..ee9e79afa --- /dev/null +++ b/pkg/tls/handshake_client_test.go @@ -0,0 +1,2801 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "bytes" + "context" + "crypto/rsa" + "crypto/x509" + "encoding/base64" + "encoding/binary" + "encoding/pem" + "errors" + "fmt" + "io" + "math/big" + "net" + "os" + "os/exec" + "path/filepath" + "reflect" + "runtime" + "strconv" + "strings" + "testing" + "time" +) + +// Note: see comment in handshake_test.go for details of how the reference +// tests work. + +// opensslInputEvent enumerates possible inputs that can be sent to an `openssl +// s_client` process. +type opensslInputEvent int + +const ( + // opensslRenegotiate causes OpenSSL to request a renegotiation of the + // connection. + opensslRenegotiate opensslInputEvent = iota + + // opensslSendBanner causes OpenSSL to send the contents of + // opensslSentinel on the connection. + opensslSendSentinel + + // opensslKeyUpdate causes OpenSSL to send a key update message to the + // client and request one back. + opensslKeyUpdate +) + +const opensslSentinel = "SENTINEL\n" + +type opensslInput chan opensslInputEvent + +func (i opensslInput) Read(buf []byte) (n int, err error) { + for event := range i { + switch event { + case opensslRenegotiate: + return copy(buf, []byte("R\n")), nil + case opensslKeyUpdate: + return copy(buf, []byte("K\n")), nil + case opensslSendSentinel: + return copy(buf, []byte(opensslSentinel)), nil + default: + panic("unknown event") + } + } + + return 0, io.EOF +} + +// opensslOutputSink is an io.Writer that receives the stdout and stderr from an +// `openssl` process and sends a value to handshakeComplete or readKeyUpdate +// when certain messages are seen. +type opensslOutputSink struct { + handshakeComplete chan struct{} + readKeyUpdate chan struct{} + all []byte + line []byte +} + +func newOpensslOutputSink() *opensslOutputSink { + return &opensslOutputSink{make(chan struct{}), make(chan struct{}), nil, nil} +} + +// opensslEndOfHandshake is a message that the “openssl s_server” tool will +// print when a handshake completes if run with “-state”. +const opensslEndOfHandshake = "SSL_accept:SSLv3/TLS write finished" + +// opensslReadKeyUpdate is a message that the “openssl s_server” tool will +// print when a KeyUpdate message is received if run with “-state”. +const opensslReadKeyUpdate = "SSL_accept:TLSv1.3 read client key update" + +func (o *opensslOutputSink) Write(data []byte) (n int, err error) { + o.line = append(o.line, data...) + o.all = append(o.all, data...) + + for { + line, next, ok := bytes.Cut(o.line, []byte("\n")) + if !ok { + break + } + + if bytes.Equal([]byte(opensslEndOfHandshake), line) { + o.handshakeComplete <- struct{}{} + } + if bytes.Equal([]byte(opensslReadKeyUpdate), line) { + o.readKeyUpdate <- struct{}{} + } + o.line = next + } + + return len(data), nil +} + +func (o *opensslOutputSink) String() string { + return string(o.all) +} + +// clientTest represents a test of the TLS client handshake against a reference +// implementation. +type clientTest struct { + // name is a freeform string identifying the test and the file in which + // the expected results will be stored. + name string + // args, if not empty, contains a series of arguments for the + // command to run for the reference server. + args []string + // config, if not nil, contains a custom Config to use for this test. + config *Config + // cert, if not empty, contains a DER-encoded certificate for the + // reference server. + cert []byte + // key, if not nil, contains either a *rsa.PrivateKey, ed25519.PrivateKey or + // *ecdsa.PrivateKey which is the private key for the reference server. + key any + // extensions, if not nil, contains a list of extension data to be returned + // from the ServerHello. The data should be in standard TLS format with + // a 2-byte uint16 type, 2-byte data length, followed by the extension data. + extensions [][]byte + // validate, if not nil, is a function that will be called with the + // ConnectionState of the resulting connection. It returns a non-nil + // error if the ConnectionState is unacceptable. + validate func(ConnectionState) error + // numRenegotiations is the number of times that the connection will be + // renegotiated. + numRenegotiations int + // renegotiationExpectedToFail, if not zero, is the number of the + // renegotiation attempt that is expected to fail. + renegotiationExpectedToFail int + // checkRenegotiationError, if not nil, is called with any error + // arising from renegotiation. It can map expected errors to nil to + // ignore them. + checkRenegotiationError func(renegotiationNum int, err error) error + // sendKeyUpdate will cause the server to send a KeyUpdate message. + sendKeyUpdate bool +} + +var serverCommand = []string{"openssl", "s_server", "-no_ticket", "-num_tickets", "0"} + +// connFromCommand starts the reference server process, connects to it and +// returns a recordingConn for the connection. The stdin return value is an +// opensslInput for the stdin of the child process. It must be closed before +// Waiting for child. +func (test *clientTest) connFromCommand() (conn *recordingConn, child *exec.Cmd, stdin opensslInput, stdout *opensslOutputSink, err error) { + cert := testRSACertificate + if len(test.cert) > 0 { + cert = test.cert + } + certPath := tempFile(string(cert)) + defer os.Remove(certPath) + + var key any = testRSAPrivateKey + if test.key != nil { + key = test.key + } + derBytes, err := x509.MarshalPKCS8PrivateKey(key) + if err != nil { + panic(err) + } + + var pemOut bytes.Buffer + pem.Encode(&pemOut, &pem.Block{Type: "PRIVATE KEY", Bytes: derBytes}) + + keyPath := tempFile(pemOut.String()) + defer os.Remove(keyPath) + + var command []string + command = append(command, serverCommand...) + command = append(command, test.args...) + command = append(command, "-cert", certPath, "-certform", "DER", "-key", keyPath) + // serverPort contains the port that OpenSSL will listen on. OpenSSL + // can't take "0" as an argument here so we have to pick a number and + // hope that it's not in use on the machine. Since this only occurs + // when -update is given and thus when there's a human watching the + // test, this isn't too bad. + const serverPort = 24323 + command = append(command, "-accept", strconv.Itoa(serverPort)) + + if len(test.extensions) > 0 { + var serverInfo bytes.Buffer + for _, ext := range test.extensions { + pem.Encode(&serverInfo, &pem.Block{ + Type: fmt.Sprintf("SERVERINFO FOR EXTENSION %d", binary.BigEndian.Uint16(ext)), + Bytes: ext, + }) + } + serverInfoPath := tempFile(serverInfo.String()) + defer os.Remove(serverInfoPath) + command = append(command, "-serverinfo", serverInfoPath) + } + + if test.numRenegotiations > 0 || test.sendKeyUpdate { + found := false + for _, flag := range command[1:] { + if flag == "-state" { + found = true + break + } + } + + if !found { + panic("-state flag missing to OpenSSL, you need this if testing renegotiation or KeyUpdate") + } + } + + cmd := exec.Command(command[0], command[1:]...) + stdin = opensslInput(make(chan opensslInputEvent)) + cmd.Stdin = stdin + out := newOpensslOutputSink() + cmd.Stdout = out + cmd.Stderr = out + if err := cmd.Start(); err != nil { + return nil, nil, nil, nil, err + } + + // OpenSSL does print an "ACCEPT" banner, but it does so *before* + // opening the listening socket, so we can't use that to wait until it + // has started listening. Thus we are forced to poll until we get a + // connection. + var tcpConn net.Conn + for i := uint(0); i < 5; i++ { + tcpConn, err = net.DialTCP("tcp", nil, &net.TCPAddr{ + IP: net.IPv4(127, 0, 0, 1), + Port: serverPort, + }) + if err == nil { + break + } + time.Sleep((1 << i) * 5 * time.Millisecond) + } + if err != nil { + close(stdin) + cmd.Process.Kill() + err = fmt.Errorf("error connecting to the OpenSSL server: %v (%v)\n\n%s", err, cmd.Wait(), out) + return nil, nil, nil, nil, err + } + + record := &recordingConn{ + Conn: tcpConn, + } + + return record, cmd, stdin, out, nil +} + +func (test *clientTest) dataPath() string { + return filepath.Join("testdata", "Client-"+test.name) +} + +func (test *clientTest) loadData() (flows [][]byte, err error) { + in, err := os.Open(test.dataPath()) + if err != nil { + return nil, err + } + defer in.Close() + return parseTestData(in) +} + +func (test *clientTest) run(t *testing.T, write bool) { + var clientConn, serverConn net.Conn + var recordingConn *recordingConn + var childProcess *exec.Cmd + var stdin opensslInput + var stdout *opensslOutputSink + + if write { + var err error + recordingConn, childProcess, stdin, stdout, err = test.connFromCommand() + if err != nil { + t.Fatalf("Failed to start subcommand: %s", err) + } + clientConn = recordingConn + defer func() { + if t.Failed() { + t.Logf("OpenSSL output:\n\n%s", stdout.all) + } + }() + } else { + clientConn, serverConn = localPipe(t) + } + + doneChan := make(chan bool) + defer func() { + clientConn.Close() + <-doneChan + }() + go func() { + defer close(doneChan) + + config := test.config + if config == nil { + config = testConfig + } + client := Client(clientConn, config) + defer client.Close() + + if _, err := client.Write([]byte("hello\n")); err != nil { + t.Errorf("Client.Write failed: %s", err) + return + } + + for i := 1; i <= test.numRenegotiations; i++ { + // The initial handshake will generate a + // handshakeComplete signal which needs to be quashed. + if i == 1 && write { + <-stdout.handshakeComplete + } + + // OpenSSL will try to interleave application data and + // a renegotiation if we send both concurrently. + // Therefore: ask OpensSSL to start a renegotiation, run + // a goroutine to call client.Read and thus process the + // renegotiation request, watch for OpenSSL's stdout to + // indicate that the handshake is complete and, + // finally, have OpenSSL write something to cause + // client.Read to complete. + if write { + stdin <- opensslRenegotiate + } + + signalChan := make(chan struct{}) + + go func() { + defer close(signalChan) + + buf := make([]byte, 256) + n, err := client.Read(buf) + + if test.checkRenegotiationError != nil { + newErr := test.checkRenegotiationError(i, err) + if err != nil && newErr == nil { + return + } + err = newErr + } + + if err != nil { + t.Errorf("Client.Read failed after renegotiation #%d: %s", i, err) + return + } + + buf = buf[:n] + if !bytes.Equal([]byte(opensslSentinel), buf) { + t.Errorf("Client.Read returned %q, but wanted %q", string(buf), opensslSentinel) + } + + if expected := i + 1; client.handshakes != expected { + t.Errorf("client should have recorded %d handshakes, but believes that %d have occurred", expected, client.handshakes) + } + }() + + if write && test.renegotiationExpectedToFail != i { + <-stdout.handshakeComplete + stdin <- opensslSendSentinel + } + <-signalChan + } + + if test.sendKeyUpdate { + if write { + <-stdout.handshakeComplete + stdin <- opensslKeyUpdate + } + + doneRead := make(chan struct{}) + + go func() { + defer close(doneRead) + + buf := make([]byte, 256) + n, err := client.Read(buf) + + if err != nil { + t.Errorf("Client.Read failed after KeyUpdate: %s", err) + return + } + + buf = buf[:n] + if !bytes.Equal([]byte(opensslSentinel), buf) { + t.Errorf("Client.Read returned %q, but wanted %q", string(buf), opensslSentinel) + } + }() + + if write { + // There's no real reason to wait for the client KeyUpdate to + // send data with the new server keys, except that s_server + // drops writes if they are sent at the wrong time. + <-stdout.readKeyUpdate + stdin <- opensslSendSentinel + } + <-doneRead + + if _, err := client.Write([]byte("hello again\n")); err != nil { + t.Errorf("Client.Write failed: %s", err) + return + } + } + + if test.validate != nil { + if err := test.validate(client.ConnectionState()); err != nil { + t.Errorf("validate callback returned error: %s", err) + } + } + + // If the server sent us an alert after our last flight, give it a + // chance to arrive. + if write && test.renegotiationExpectedToFail == 0 { + if err := peekError(client); err != nil { + t.Errorf("final Read returned an error: %s", err) + } + } + }() + + if !write { + flows, err := test.loadData() + if err != nil { + t.Fatalf("%s: failed to load data from %s: %v", test.name, test.dataPath(), err) + } + for i, b := range flows { + if i%2 == 1 { + if *fast { + serverConn.SetWriteDeadline(time.Now().Add(1 * time.Second)) + } else { + serverConn.SetWriteDeadline(time.Now().Add(1 * time.Minute)) + } + serverConn.Write(b) + continue + } + bb := make([]byte, len(b)) + if *fast { + serverConn.SetReadDeadline(time.Now().Add(1 * time.Second)) + } else { + serverConn.SetReadDeadline(time.Now().Add(1 * time.Minute)) + } + _, err := io.ReadFull(serverConn, bb) + if err != nil { + t.Fatalf("%s, flow %d: %s", test.name, i+1, err) + } + if !bytes.Equal(b, bb) { + t.Fatalf("%s, flow %d: mismatch on read: got:%x want:%x", test.name, i+1, bb, b) + } + } + } + + <-doneChan + if !write { + serverConn.Close() + } + + if write { + path := test.dataPath() + out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644) + if err != nil { + t.Fatalf("Failed to create output file: %s", err) + } + defer out.Close() + recordingConn.Close() + close(stdin) + childProcess.Process.Kill() + childProcess.Wait() + if len(recordingConn.flows) < 3 { + t.Fatalf("Client connection didn't work") + } + recordingConn.WriteTo(out) + t.Logf("Wrote %s\n", path) + } +} + +// peekError does a read with a short timeout to check if the next read would +// cause an error, for example if there is an alert waiting on the wire. +func peekError(conn net.Conn) error { + conn.SetReadDeadline(time.Now().Add(100 * time.Millisecond)) + if n, err := conn.Read(make([]byte, 1)); n != 0 { + return errors.New("unexpectedly read data") + } else if err != nil { + if netErr, ok := err.(net.Error); !ok || !netErr.Timeout() { + return err + } + } + return nil +} + +func runClientTestForVersion(t *testing.T, template *clientTest, version, option string) { + // Make a deep copy of the template before going parallel. + test := *template + if template.config != nil { + test.config = template.config.Clone() + } + test.name = version + "-" + test.name + test.args = append([]string{option}, test.args...) + + runTestAndUpdateIfNeeded(t, version, test.run, false) +} + +func runClientTestTLS10(t *testing.T, template *clientTest) { + runClientTestForVersion(t, template, "TLSv10", "-tls1") +} + +func runClientTestTLS11(t *testing.T, template *clientTest) { + runClientTestForVersion(t, template, "TLSv11", "-tls1_1") +} + +func runClientTestTLS12(t *testing.T, template *clientTest) { + runClientTestForVersion(t, template, "TLSv12", "-tls1_2") +} + +func runClientTestTLS13(t *testing.T, template *clientTest) { + runClientTestForVersion(t, template, "TLSv13", "-tls1_3") +} + +func TestHandshakeClientRSARC4(t *testing.T) { + test := &clientTest{ + name: "RSA-RC4", + args: []string{"-cipher", "RC4-SHA"}, + } + runClientTestTLS10(t, test) + runClientTestTLS11(t, test) + runClientTestTLS12(t, test) +} + +func TestHandshakeClientRSAAES128GCM(t *testing.T) { + test := &clientTest{ + name: "AES128-GCM-SHA256", + args: []string{"-cipher", "AES128-GCM-SHA256"}, + } + runClientTestTLS12(t, test) +} + +func TestHandshakeClientRSAAES256GCM(t *testing.T) { + test := &clientTest{ + name: "AES256-GCM-SHA384", + args: []string{"-cipher", "AES256-GCM-SHA384"}, + } + runClientTestTLS12(t, test) +} + +func TestHandshakeClientECDHERSAAES(t *testing.T) { + test := &clientTest{ + name: "ECDHE-RSA-AES", + args: []string{"-cipher", "ECDHE-RSA-AES128-SHA"}, + } + runClientTestTLS10(t, test) + runClientTestTLS11(t, test) + runClientTestTLS12(t, test) +} + +func TestHandshakeClientECDHEECDSAAES(t *testing.T) { + test := &clientTest{ + name: "ECDHE-ECDSA-AES", + args: []string{"-cipher", "ECDHE-ECDSA-AES128-SHA"}, + cert: testECDSACertificate, + key: testECDSAPrivateKey, + } + runClientTestTLS10(t, test) + runClientTestTLS11(t, test) + runClientTestTLS12(t, test) +} + +func TestHandshakeClientECDHEECDSAAESGCM(t *testing.T) { + test := &clientTest{ + name: "ECDHE-ECDSA-AES-GCM", + args: []string{"-cipher", "ECDHE-ECDSA-AES128-GCM-SHA256"}, + cert: testECDSACertificate, + key: testECDSAPrivateKey, + } + runClientTestTLS12(t, test) +} + +func TestHandshakeClientAES256GCMSHA384(t *testing.T) { + test := &clientTest{ + name: "ECDHE-ECDSA-AES256-GCM-SHA384", + args: []string{"-cipher", "ECDHE-ECDSA-AES256-GCM-SHA384"}, + cert: testECDSACertificate, + key: testECDSAPrivateKey, + } + runClientTestTLS12(t, test) +} + +func TestHandshakeClientAES128CBCSHA256(t *testing.T) { + test := &clientTest{ + name: "AES128-SHA256", + args: []string{"-cipher", "AES128-SHA256"}, + } + runClientTestTLS12(t, test) +} + +func TestHandshakeClientECDHERSAAES128CBCSHA256(t *testing.T) { + test := &clientTest{ + name: "ECDHE-RSA-AES128-SHA256", + args: []string{"-cipher", "ECDHE-RSA-AES128-SHA256"}, + } + runClientTestTLS12(t, test) +} + +func TestHandshakeClientECDHEECDSAAES128CBCSHA256(t *testing.T) { + test := &clientTest{ + name: "ECDHE-ECDSA-AES128-SHA256", + args: []string{"-cipher", "ECDHE-ECDSA-AES128-SHA256"}, + cert: testECDSACertificate, + key: testECDSAPrivateKey, + } + runClientTestTLS12(t, test) +} + +func TestHandshakeClientX25519(t *testing.T) { + config := testConfig.Clone() + config.CurvePreferences = []CurveID{X25519} + + test := &clientTest{ + name: "X25519-ECDHE", + args: []string{"-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "X25519"}, + config: config, + } + + runClientTestTLS12(t, test) + runClientTestTLS13(t, test) +} + +func TestHandshakeClientP256(t *testing.T) { + config := testConfig.Clone() + config.CurvePreferences = []CurveID{CurveP256} + + test := &clientTest{ + name: "P256-ECDHE", + args: []string{"-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "P-256"}, + config: config, + } + + runClientTestTLS12(t, test) + runClientTestTLS13(t, test) +} + +func TestHandshakeClientHelloRetryRequest(t *testing.T) { + config := testConfig.Clone() + config.CurvePreferences = []CurveID{X25519, CurveP256} + + test := &clientTest{ + name: "HelloRetryRequest", + args: []string{"-cipher", "ECDHE-RSA-AES128-GCM-SHA256", "-curves", "P-256"}, + config: config, + } + + runClientTestTLS13(t, test) +} + +func TestHandshakeClientECDHERSAChaCha20(t *testing.T) { + config := testConfig.Clone() + config.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305} + + test := &clientTest{ + name: "ECDHE-RSA-CHACHA20-POLY1305", + args: []string{"-cipher", "ECDHE-RSA-CHACHA20-POLY1305"}, + config: config, + } + + runClientTestTLS12(t, test) +} + +func TestHandshakeClientECDHEECDSAChaCha20(t *testing.T) { + config := testConfig.Clone() + config.CipherSuites = []uint16{TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305} + + test := &clientTest{ + name: "ECDHE-ECDSA-CHACHA20-POLY1305", + args: []string{"-cipher", "ECDHE-ECDSA-CHACHA20-POLY1305"}, + config: config, + cert: testECDSACertificate, + key: testECDSAPrivateKey, + } + + runClientTestTLS12(t, test) +} + +func TestHandshakeClientAES128SHA256(t *testing.T) { + test := &clientTest{ + name: "AES128-SHA256", + args: []string{"-ciphersuites", "TLS_AES_128_GCM_SHA256"}, + } + runClientTestTLS13(t, test) +} +func TestHandshakeClientAES256SHA384(t *testing.T) { + test := &clientTest{ + name: "AES256-SHA384", + args: []string{"-ciphersuites", "TLS_AES_256_GCM_SHA384"}, + } + runClientTestTLS13(t, test) +} +func TestHandshakeClientCHACHA20SHA256(t *testing.T) { + test := &clientTest{ + name: "CHACHA20-SHA256", + args: []string{"-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"}, + } + runClientTestTLS13(t, test) +} + +func TestHandshakeClientECDSATLS13(t *testing.T) { + test := &clientTest{ + name: "ECDSA", + cert: testECDSACertificate, + key: testECDSAPrivateKey, + } + runClientTestTLS13(t, test) +} + +func TestHandshakeClientEd25519(t *testing.T) { + test := &clientTest{ + name: "Ed25519", + cert: testEd25519Certificate, + key: testEd25519PrivateKey, + } + runClientTestTLS12(t, test) + runClientTestTLS13(t, test) + + config := testConfig.Clone() + cert, _ := X509KeyPair([]byte(clientEd25519CertificatePEM), []byte(clientEd25519KeyPEM)) + config.Certificates = []Certificate{cert} + + test = &clientTest{ + name: "ClientCert-Ed25519", + args: []string{"-Verify", "1"}, + config: config, + } + + runClientTestTLS12(t, test) + runClientTestTLS13(t, test) +} + +func TestHandshakeClientCertRSA(t *testing.T) { + config := testConfig.Clone() + cert, _ := X509KeyPair([]byte(clientCertificatePEM), []byte(clientKeyPEM)) + config.Certificates = []Certificate{cert} + + test := &clientTest{ + name: "ClientCert-RSA-RSA", + args: []string{"-cipher", "AES128", "-Verify", "1"}, + config: config, + } + + runClientTestTLS10(t, test) + runClientTestTLS12(t, test) + + test = &clientTest{ + name: "ClientCert-RSA-ECDSA", + args: []string{"-cipher", "ECDHE-ECDSA-AES128-SHA", "-Verify", "1"}, + config: config, + cert: testECDSACertificate, + key: testECDSAPrivateKey, + } + + runClientTestTLS10(t, test) + runClientTestTLS12(t, test) + runClientTestTLS13(t, test) + + test = &clientTest{ + name: "ClientCert-RSA-AES256-GCM-SHA384", + args: []string{"-cipher", "ECDHE-RSA-AES256-GCM-SHA384", "-Verify", "1"}, + config: config, + cert: testRSACertificate, + key: testRSAPrivateKey, + } + + runClientTestTLS12(t, test) +} + +func TestHandshakeClientCertECDSA(t *testing.T) { + config := testConfig.Clone() + cert, _ := X509KeyPair([]byte(clientECDSACertificatePEM), []byte(clientECDSAKeyPEM)) + config.Certificates = []Certificate{cert} + + test := &clientTest{ + name: "ClientCert-ECDSA-RSA", + args: []string{"-cipher", "AES128", "-Verify", "1"}, + config: config, + } + + runClientTestTLS10(t, test) + runClientTestTLS12(t, test) + runClientTestTLS13(t, test) + + test = &clientTest{ + name: "ClientCert-ECDSA-ECDSA", + args: []string{"-cipher", "ECDHE-ECDSA-AES128-SHA", "-Verify", "1"}, + config: config, + cert: testECDSACertificate, + key: testECDSAPrivateKey, + } + + runClientTestTLS10(t, test) + runClientTestTLS12(t, test) +} + +// TestHandshakeClientCertRSAPSS tests rsa_pss_rsae_sha256 signatures from both +// client and server certificates. It also serves from both sides a certificate +// signed itself with RSA-PSS, mostly to check that crypto/x509 chain validation +// works. +func TestHandshakeClientCertRSAPSS(t *testing.T) { + cert, err := x509.ParseCertificate(testRSAPSSCertificate) + if err != nil { + panic(err) + } + rootCAs := x509.NewCertPool() + rootCAs.AddCert(cert) + + config := testConfig.Clone() + // Use GetClientCertificate to bypass the client certificate selection logic. + config.GetClientCertificate = func(*CertificateRequestInfo) (*Certificate, error) { + return &Certificate{ + Certificate: [][]byte{testRSAPSSCertificate}, + PrivateKey: testRSAPrivateKey, + }, nil + } + config.RootCAs = rootCAs + + test := &clientTest{ + name: "ClientCert-RSA-RSAPSS", + args: []string{"-cipher", "AES128", "-Verify", "1", "-client_sigalgs", + "rsa_pss_rsae_sha256", "-sigalgs", "rsa_pss_rsae_sha256"}, + config: config, + cert: testRSAPSSCertificate, + key: testRSAPrivateKey, + } + runClientTestTLS12(t, test) + runClientTestTLS13(t, test) +} + +func TestHandshakeClientCertRSAPKCS1v15(t *testing.T) { + config := testConfig.Clone() + cert, _ := X509KeyPair([]byte(clientCertificatePEM), []byte(clientKeyPEM)) + config.Certificates = []Certificate{cert} + + test := &clientTest{ + name: "ClientCert-RSA-RSAPKCS1v15", + args: []string{"-cipher", "AES128", "-Verify", "1", "-client_sigalgs", + "rsa_pkcs1_sha256", "-sigalgs", "rsa_pkcs1_sha256"}, + config: config, + } + + runClientTestTLS12(t, test) +} + +func TestClientKeyUpdate(t *testing.T) { + test := &clientTest{ + name: "KeyUpdate", + args: []string{"-state"}, + sendKeyUpdate: true, + } + runClientTestTLS13(t, test) +} + +func TestResumption(t *testing.T) { + t.Run("TLSv12", func(t *testing.T) { testResumption(t, VersionTLS12) }) + t.Run("TLSv13", func(t *testing.T) { testResumption(t, VersionTLS13) }) +} + +func testResumption(t *testing.T, version uint16) { + if testing.Short() { + t.Skip("skipping in -short mode") + } + serverConfig := &Config{ + MaxVersion: version, + CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA}, + Certificates: testConfig.Certificates, + } + + issuer, err := x509.ParseCertificate(testRSACertificateIssuer) + if err != nil { + panic(err) + } + + rootCAs := x509.NewCertPool() + rootCAs.AddCert(issuer) + + clientConfig := &Config{ + MaxVersion: version, + CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA}, + ClientSessionCache: NewLRUClientSessionCache(32), + RootCAs: rootCAs, + ServerName: "example.golang", + } + + testResumeState := func(test string, didResume bool) { + t.Helper() + _, hs, err := testHandshake(t, clientConfig, serverConfig) + if err != nil { + t.Fatalf("%s: handshake failed: %s", test, err) + } + if hs.DidResume != didResume { + t.Fatalf("%s resumed: %v, expected: %v", test, hs.DidResume, didResume) + } + if didResume && (hs.PeerCertificates == nil || hs.VerifiedChains == nil) { + t.Fatalf("expected non-nil certificates after resumption. Got peerCertificates: %#v, verifiedCertificates: %#v", hs.PeerCertificates, hs.VerifiedChains) + } + if got, want := hs.ServerName, clientConfig.ServerName; got != want { + t.Errorf("%s: server name %s, want %s", test, got, want) + } + } + + getTicket := func() []byte { + return clientConfig.ClientSessionCache.(*lruSessionCache).q.Front().Value.(*lruSessionCacheEntry).state.ticket + } + deleteTicket := func() { + ticketKey := clientConfig.ClientSessionCache.(*lruSessionCache).q.Front().Value.(*lruSessionCacheEntry).sessionKey + clientConfig.ClientSessionCache.Put(ticketKey, nil) + } + corruptTicket := func() { + clientConfig.ClientSessionCache.(*lruSessionCache).q.Front().Value.(*lruSessionCacheEntry).state.session.secret[0] ^= 0xff + } + randomKey := func() [32]byte { + var k [32]byte + if _, err := io.ReadFull(serverConfig.rand(), k[:]); err != nil { + t.Fatalf("Failed to read new SessionTicketKey: %s", err) + } + return k + } + + testResumeState("Handshake", false) + ticket := getTicket() + testResumeState("Resume", true) + if bytes.Equal(ticket, getTicket()) { + t.Fatal("ticket didn't change after resumption") + } + + // An old session ticket is replaced with a ticket encrypted with a fresh key. + ticket = getTicket() + serverConfig.Time = func() time.Time { return time.Now().Add(24*time.Hour + time.Minute) } + testResumeState("ResumeWithOldTicket", true) + if bytes.Equal(ticket, getTicket()) { + t.Fatal("old first ticket matches the fresh one") + } + + // Once the session master secret is expired, a full handshake should occur. + ticket = getTicket() + serverConfig.Time = func() time.Time { return time.Now().Add(24*8*time.Hour + time.Minute) } + testResumeState("ResumeWithExpiredTicket", false) + if bytes.Equal(ticket, getTicket()) { + t.Fatal("expired first ticket matches the fresh one") + } + + serverConfig.Time = func() time.Time { return time.Now() } // reset the time back + key1 := randomKey() + serverConfig.SetSessionTicketKeys([][32]byte{key1}) + + testResumeState("InvalidSessionTicketKey", false) + testResumeState("ResumeAfterInvalidSessionTicketKey", true) + + key2 := randomKey() + serverConfig.SetSessionTicketKeys([][32]byte{key2, key1}) + ticket = getTicket() + testResumeState("KeyChange", true) + if bytes.Equal(ticket, getTicket()) { + t.Fatal("new ticket wasn't included while resuming") + } + testResumeState("KeyChangeFinish", true) + + // Age the session ticket a bit, but not yet expired. + serverConfig.Time = func() time.Time { return time.Now().Add(24*time.Hour + time.Minute) } + testResumeState("OldSessionTicket", true) + ticket = getTicket() + // Expire the session ticket, which would force a full handshake. + serverConfig.Time = func() time.Time { return time.Now().Add(24*8*time.Hour + time.Minute) } + testResumeState("ExpiredSessionTicket", false) + if bytes.Equal(ticket, getTicket()) { + t.Fatal("new ticket wasn't provided after old ticket expired") + } + + // Age the session ticket a bit at a time, but don't expire it. + d := 0 * time.Hour + serverConfig.Time = func() time.Time { return time.Now().Add(d) } + deleteTicket() + testResumeState("GetFreshSessionTicket", false) + for i := 0; i < 13; i++ { + d += 12 * time.Hour + testResumeState("OldSessionTicket", true) + } + // Expire it (now a little more than 7 days) and make sure a full + // handshake occurs for TLS 1.2. Resumption should still occur for + // TLS 1.3 since the client should be using a fresh ticket sent over + // by the server. + d += 12 * time.Hour + if version == VersionTLS13 { + testResumeState("ExpiredSessionTicket", true) + } else { + testResumeState("ExpiredSessionTicket", false) + } + if bytes.Equal(ticket, getTicket()) { + t.Fatal("new ticket wasn't provided after old ticket expired") + } + + // Reset serverConfig to ensure that calling SetSessionTicketKeys + // before the serverConfig is used works. + serverConfig = &Config{ + MaxVersion: version, + CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA}, + Certificates: testConfig.Certificates, + } + serverConfig.SetSessionTicketKeys([][32]byte{key2}) + + testResumeState("FreshConfig", true) + + // In TLS 1.3, cross-cipher suite resumption is allowed as long as the KDF + // hash matches. Also, Config.CipherSuites does not apply to TLS 1.3. + if version != VersionTLS13 { + clientConfig.CipherSuites = []uint16{TLS_ECDHE_RSA_WITH_RC4_128_SHA} + testResumeState("DifferentCipherSuite", false) + testResumeState("DifferentCipherSuiteRecovers", true) + } + + deleteTicket() + testResumeState("WithoutSessionTicket", false) + + // In TLS 1.3, HelloRetryRequest is sent after incorrect key share. + // See https://www.rfc-editor.org/rfc/rfc8446#page-14. + if version == VersionTLS13 { + deleteTicket() + serverConfig = &Config{ + // Use a different curve than the client to force a HelloRetryRequest. + CurvePreferences: []CurveID{CurveP521, CurveP384, CurveP256}, + MaxVersion: version, + Certificates: testConfig.Certificates, + } + testResumeState("InitialHandshake", false) + testResumeState("WithHelloRetryRequest", true) + + // Reset serverConfig back. + serverConfig = &Config{ + MaxVersion: version, + CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA}, + Certificates: testConfig.Certificates, + } + } + + // Session resumption should work when using client certificates + deleteTicket() + serverConfig.ClientCAs = rootCAs + serverConfig.ClientAuth = RequireAndVerifyClientCert + clientConfig.Certificates = serverConfig.Certificates + testResumeState("InitialHandshake", false) + testResumeState("WithClientCertificates", true) + serverConfig.ClientAuth = NoClientCert + + // Tickets should be removed from the session cache on TLS handshake + // failure, and the client should recover from a corrupted PSK + testResumeState("FetchTicketToCorrupt", false) + corruptTicket() + _, _, err = testHandshake(t, clientConfig, serverConfig) + if err == nil { + t.Fatalf("handshake did not fail with a corrupted client secret") + } + testResumeState("AfterHandshakeFailure", false) + + clientConfig.ClientSessionCache = nil + testResumeState("WithoutSessionCache", false) + + clientConfig.ClientSessionCache = &serializingClientCache{t: t} + testResumeState("BeforeSerializingCache", false) + testResumeState("WithSerializingCache", true) +} + +type serializingClientCache struct { + t *testing.T + + ticket, state []byte +} + +func (c *serializingClientCache) Get(sessionKey string) (session *ClientSessionState, ok bool) { + if c.ticket == nil { + return nil, false + } + state, err := ParseSessionState(c.state) + if err != nil { + c.t.Error(err) + return nil, false + } + cs, err := NewResumptionState(c.ticket, state) + if err != nil { + c.t.Error(err) + return nil, false + } + return cs, true +} + +func (c *serializingClientCache) Put(sessionKey string, cs *ClientSessionState) { + ticket, state, err := cs.ResumptionState() + if err != nil { + c.t.Error(err) + return + } + stateBytes, err := state.Bytes() + if err != nil { + c.t.Error(err) + return + } + c.ticket, c.state = ticket, stateBytes +} + +func TestLRUClientSessionCache(t *testing.T) { + // Initialize cache of capacity 4. + cache := NewLRUClientSessionCache(4) + cs := make([]ClientSessionState, 6) + keys := []string{"0", "1", "2", "3", "4", "5", "6"} + + // Add 4 entries to the cache and look them up. + for i := 0; i < 4; i++ { + cache.Put(keys[i], &cs[i]) + } + for i := 0; i < 4; i++ { + if s, ok := cache.Get(keys[i]); !ok || s != &cs[i] { + t.Fatalf("session cache failed lookup for added key: %s", keys[i]) + } + } + + // Add 2 more entries to the cache. First 2 should be evicted. + for i := 4; i < 6; i++ { + cache.Put(keys[i], &cs[i]) + } + for i := 0; i < 2; i++ { + if s, ok := cache.Get(keys[i]); ok || s != nil { + t.Fatalf("session cache should have evicted key: %s", keys[i]) + } + } + + // Touch entry 2. LRU should evict 3 next. + cache.Get(keys[2]) + cache.Put(keys[0], &cs[0]) + if s, ok := cache.Get(keys[3]); ok || s != nil { + t.Fatalf("session cache should have evicted key 3") + } + + // Update entry 0 in place. + cache.Put(keys[0], &cs[3]) + if s, ok := cache.Get(keys[0]); !ok || s != &cs[3] { + t.Fatalf("session cache failed update for key 0") + } + + // Calling Put with a nil entry deletes the key. + cache.Put(keys[0], nil) + if _, ok := cache.Get(keys[0]); ok { + t.Fatalf("session cache failed to delete key 0") + } + + // Delete entry 2. LRU should keep 4 and 5 + cache.Put(keys[2], nil) + if _, ok := cache.Get(keys[2]); ok { + t.Fatalf("session cache failed to delete key 4") + } + for i := 4; i < 6; i++ { + if s, ok := cache.Get(keys[i]); !ok || s != &cs[i] { + t.Fatalf("session cache should not have deleted key: %s", keys[i]) + } + } +} + +func TestKeyLogTLS12(t *testing.T) { + var serverBuf, clientBuf bytes.Buffer + + clientConfig := testConfig.Clone() + clientConfig.KeyLogWriter = &clientBuf + clientConfig.MaxVersion = VersionTLS12 + + serverConfig := testConfig.Clone() + serverConfig.KeyLogWriter = &serverBuf + serverConfig.MaxVersion = VersionTLS12 + + c, s := localPipe(t) + done := make(chan bool) + + go func() { + defer close(done) + + if err := Server(s, serverConfig).Handshake(); err != nil { + t.Errorf("server: %s", err) + return + } + s.Close() + }() + + if err := Client(c, clientConfig).Handshake(); err != nil { + t.Fatalf("client: %s", err) + } + + c.Close() + <-done + + checkKeylogLine := func(side, loggedLine string) { + if len(loggedLine) == 0 { + t.Fatalf("%s: no keylog line was produced", side) + } + const expectedLen = 13 /* "CLIENT_RANDOM" */ + + 1 /* space */ + + 32*2 /* hex client nonce */ + + 1 /* space */ + + 48*2 /* hex master secret */ + + 1 /* new line */ + if len(loggedLine) != expectedLen { + t.Fatalf("%s: keylog line has incorrect length (want %d, got %d): %q", side, expectedLen, len(loggedLine), loggedLine) + } + if !strings.HasPrefix(loggedLine, "CLIENT_RANDOM "+strings.Repeat("0", 64)+" ") { + t.Fatalf("%s: keylog line has incorrect structure or nonce: %q", side, loggedLine) + } + } + + checkKeylogLine("client", clientBuf.String()) + checkKeylogLine("server", serverBuf.String()) +} + +func TestKeyLogTLS13(t *testing.T) { + var serverBuf, clientBuf bytes.Buffer + + clientConfig := testConfig.Clone() + clientConfig.KeyLogWriter = &clientBuf + + serverConfig := testConfig.Clone() + serverConfig.KeyLogWriter = &serverBuf + + c, s := localPipe(t) + done := make(chan bool) + + go func() { + defer close(done) + + if err := Server(s, serverConfig).Handshake(); err != nil { + t.Errorf("server: %s", err) + return + } + s.Close() + }() + + if err := Client(c, clientConfig).Handshake(); err != nil { + t.Fatalf("client: %s", err) + } + + c.Close() + <-done + + checkKeylogLines := func(side, loggedLines string) { + loggedLines = strings.TrimSpace(loggedLines) + lines := strings.Split(loggedLines, "\n") + if len(lines) != 4 { + t.Errorf("Expected the %s to log 4 lines, got %d", side, len(lines)) + } + } + + checkKeylogLines("client", clientBuf.String()) + checkKeylogLines("server", serverBuf.String()) +} + +func TestHandshakeClientALPNMatch(t *testing.T) { + config := testConfig.Clone() + config.NextProtos = []string{"proto2", "proto1"} + + test := &clientTest{ + name: "ALPN", + // Note that this needs OpenSSL 1.0.2 because that is the first + // version that supports the -alpn flag. + args: []string{"-alpn", "proto1,proto2"}, + config: config, + validate: func(state ConnectionState) error { + // The server's preferences should override the client. + if state.NegotiatedProtocol != "proto1" { + return fmt.Errorf("Got protocol %q, wanted proto1", state.NegotiatedProtocol) + } + return nil + }, + } + runClientTestTLS12(t, test) + runClientTestTLS13(t, test) +} + +func TestServerSelectingUnconfiguredApplicationProtocol(t *testing.T) { + // This checks that the server can't select an application protocol that the + // client didn't offer. + + c, s := localPipe(t) + errChan := make(chan error, 1) + + go func() { + client := Client(c, &Config{ + ServerName: "foo", + CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, + NextProtos: []string{"http", "something-else"}, + }) + errChan <- client.Handshake() + }() + + var header [5]byte + if _, err := io.ReadFull(s, header[:]); err != nil { + t.Fatal(err) + } + recordLen := int(header[3])<<8 | int(header[4]) + + record := make([]byte, recordLen) + if _, err := io.ReadFull(s, record); err != nil { + t.Fatal(err) + } + + serverHello := &serverHelloMsg{ + vers: VersionTLS12, + random: make([]byte, 32), + cipherSuite: TLS_RSA_WITH_AES_128_GCM_SHA256, + alpnProtocol: "how-about-this", + } + serverHelloBytes := mustMarshal(t, serverHello) + + s.Write([]byte{ + byte(recordTypeHandshake), + byte(VersionTLS12 >> 8), + byte(VersionTLS12 & 0xff), + byte(len(serverHelloBytes) >> 8), + byte(len(serverHelloBytes)), + }) + s.Write(serverHelloBytes) + s.Close() + + if err := <-errChan; !strings.Contains(err.Error(), "server selected unadvertised ALPN protocol") { + t.Fatalf("Expected error about unconfigured cipher suite but got %q", err) + } +} + +// sctsBase64 contains data from `openssl s_client -serverinfo 18 -connect ritter.vg:443` +const sctsBase64 = "ABIBaQFnAHUApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFHl5nuFgAABAMARjBEAiAcS4JdlW5nW9sElUv2zvQyPoZ6ejKrGGB03gjaBZFMLwIgc1Qbbn+hsH0RvObzhS+XZhr3iuQQJY8S9G85D9KeGPAAdgBo9pj4H2SCvjqM7rkoHUz8cVFdZ5PURNEKZ6y7T0/7xAAAAUeX4bVwAAAEAwBHMEUCIDIhFDgG2HIuADBkGuLobU5a4dlCHoJLliWJ1SYT05z6AiEAjxIoZFFPRNWMGGIjskOTMwXzQ1Wh2e7NxXE1kd1J0QsAdgDuS723dc5guuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9ywAAAUhcZIqHAAAEAwBHMEUCICmJ1rBT09LpkbzxtUC+Hi7nXLR0J+2PmwLp+sJMuqK+AiEAr0NkUnEVKVhAkccIFpYDqHOlZaBsuEhWWrYpg2RtKp0=" + +func TestHandshakClientSCTs(t *testing.T) { + config := testConfig.Clone() + + scts, err := base64.StdEncoding.DecodeString(sctsBase64) + if err != nil { + t.Fatal(err) + } + + // Note that this needs OpenSSL 1.0.2 because that is the first + // version that supports the -serverinfo flag. + test := &clientTest{ + name: "SCT", + config: config, + extensions: [][]byte{scts}, + validate: func(state ConnectionState) error { + expectedSCTs := [][]byte{ + scts[8:125], + scts[127:245], + scts[247:], + } + if n := len(state.SignedCertificateTimestamps); n != len(expectedSCTs) { + return fmt.Errorf("Got %d scts, wanted %d", n, len(expectedSCTs)) + } + for i, expected := range expectedSCTs { + if sct := state.SignedCertificateTimestamps[i]; !bytes.Equal(sct, expected) { + return fmt.Errorf("SCT #%d contained %x, expected %x", i, sct, expected) + } + } + return nil + }, + } + runClientTestTLS12(t, test) + + // TLS 1.3 moved SCTs to the Certificate extensions and -serverinfo only + // supports ServerHello extensions. +} + +func TestRenegotiationRejected(t *testing.T) { + config := testConfig.Clone() + test := &clientTest{ + name: "RenegotiationRejected", + args: []string{"-state"}, + config: config, + numRenegotiations: 1, + renegotiationExpectedToFail: 1, + checkRenegotiationError: func(renegotiationNum int, err error) error { + if err == nil { + return errors.New("expected error from renegotiation but got nil") + } + if !strings.Contains(err.Error(), "no renegotiation") { + return fmt.Errorf("expected renegotiation to be rejected but got %q", err) + } + return nil + }, + } + runClientTestTLS12(t, test) +} + +func TestRenegotiateOnce(t *testing.T) { + config := testConfig.Clone() + config.Renegotiation = RenegotiateOnceAsClient + + test := &clientTest{ + name: "RenegotiateOnce", + args: []string{"-state"}, + config: config, + numRenegotiations: 1, + } + + runClientTestTLS12(t, test) +} + +func TestRenegotiateTwice(t *testing.T) { + config := testConfig.Clone() + config.Renegotiation = RenegotiateFreelyAsClient + + test := &clientTest{ + name: "RenegotiateTwice", + args: []string{"-state"}, + config: config, + numRenegotiations: 2, + } + + runClientTestTLS12(t, test) +} + +func TestRenegotiateTwiceRejected(t *testing.T) { + config := testConfig.Clone() + config.Renegotiation = RenegotiateOnceAsClient + + test := &clientTest{ + name: "RenegotiateTwiceRejected", + args: []string{"-state"}, + config: config, + numRenegotiations: 2, + renegotiationExpectedToFail: 2, + checkRenegotiationError: func(renegotiationNum int, err error) error { + if renegotiationNum == 1 { + return err + } + + if err == nil { + return errors.New("expected error from renegotiation but got nil") + } + if !strings.Contains(err.Error(), "no renegotiation") { + return fmt.Errorf("expected renegotiation to be rejected but got %q", err) + } + return nil + }, + } + + runClientTestTLS12(t, test) +} + +func TestHandshakeClientExportKeyingMaterial(t *testing.T) { + test := &clientTest{ + name: "ExportKeyingMaterial", + config: testConfig.Clone(), + validate: func(state ConnectionState) error { + if km, err := state.ExportKeyingMaterial("test", nil, 42); err != nil { + return fmt.Errorf("ExportKeyingMaterial failed: %v", err) + } else if len(km) != 42 { + return fmt.Errorf("Got %d bytes from ExportKeyingMaterial, wanted %d", len(km), 42) + } + return nil + }, + } + runClientTestTLS10(t, test) + runClientTestTLS12(t, test) + runClientTestTLS13(t, test) +} + +var hostnameInSNITests = []struct { + in, out string +}{ + // Opaque string + {"", ""}, + {"localhost", "localhost"}, + {"foo, bar, baz and qux", "foo, bar, baz and qux"}, + + // DNS hostname + {"golang.org", "golang.org"}, + {"golang.org.", "golang.org"}, + + // Literal IPv4 address + {"1.2.3.4", ""}, + + // Literal IPv6 address + {"::1", ""}, + {"::1%lo0", ""}, // with zone identifier + {"[::1]", ""}, // as per RFC 5952 we allow the [] style as IPv6 literal + {"[::1%lo0]", ""}, +} + +func TestHostnameInSNI(t *testing.T) { + for _, tt := range hostnameInSNITests { + c, s := localPipe(t) + + go func(host string) { + Client(c, &Config{ServerName: host, InsecureSkipVerify: true}).Handshake() + }(tt.in) + + var header [5]byte + if _, err := io.ReadFull(s, header[:]); err != nil { + t.Fatal(err) + } + recordLen := int(header[3])<<8 | int(header[4]) + + record := make([]byte, recordLen) + if _, err := io.ReadFull(s, record[:]); err != nil { + t.Fatal(err) + } + + c.Close() + s.Close() + + var m clientHelloMsg + if !m.unmarshal(record) { + t.Errorf("unmarshaling ClientHello for %q failed", tt.in) + continue + } + if tt.in != tt.out && m.serverName == tt.in { + t.Errorf("prohibited %q found in ClientHello: %x", tt.in, record) + } + if m.serverName != tt.out { + t.Errorf("expected %q not found in ClientHello: %x", tt.out, record) + } + } +} + +func TestServerSelectingUnconfiguredCipherSuite(t *testing.T) { + // This checks that the server can't select a cipher suite that the + // client didn't offer. See #13174. + + c, s := localPipe(t) + errChan := make(chan error, 1) + + go func() { + client := Client(c, &Config{ + ServerName: "foo", + CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, + }) + errChan <- client.Handshake() + }() + + var header [5]byte + if _, err := io.ReadFull(s, header[:]); err != nil { + t.Fatal(err) + } + recordLen := int(header[3])<<8 | int(header[4]) + + record := make([]byte, recordLen) + if _, err := io.ReadFull(s, record); err != nil { + t.Fatal(err) + } + + // Create a ServerHello that selects a different cipher suite than the + // sole one that the client offered. + serverHello := &serverHelloMsg{ + vers: VersionTLS12, + random: make([]byte, 32), + cipherSuite: TLS_RSA_WITH_AES_256_GCM_SHA384, + } + serverHelloBytes := mustMarshal(t, serverHello) + + s.Write([]byte{ + byte(recordTypeHandshake), + byte(VersionTLS12 >> 8), + byte(VersionTLS12 & 0xff), + byte(len(serverHelloBytes) >> 8), + byte(len(serverHelloBytes)), + }) + s.Write(serverHelloBytes) + s.Close() + + if err := <-errChan; !strings.Contains(err.Error(), "unconfigured cipher") { + t.Fatalf("Expected error about unconfigured cipher suite but got %q", err) + } +} + +func TestVerifyConnection(t *testing.T) { + t.Run("TLSv12", func(t *testing.T) { testVerifyConnection(t, VersionTLS12) }) + t.Run("TLSv13", func(t *testing.T) { testVerifyConnection(t, VersionTLS13) }) +} + +func testVerifyConnection(t *testing.T, version uint16) { + checkFields := func(c ConnectionState, called *int, errorType string) error { + if c.Version != version { + return fmt.Errorf("%s: got Version %v, want %v", errorType, c.Version, version) + } + if c.HandshakeComplete { + return fmt.Errorf("%s: got HandshakeComplete, want false", errorType) + } + if c.ServerName != "example.golang" { + return fmt.Errorf("%s: got ServerName %s, want %s", errorType, c.ServerName, "example.golang") + } + if c.NegotiatedProtocol != "protocol1" { + return fmt.Errorf("%s: got NegotiatedProtocol %s, want %s", errorType, c.NegotiatedProtocol, "protocol1") + } + if c.CipherSuite == 0 { + return fmt.Errorf("%s: got CipherSuite 0, want non-zero", errorType) + } + wantDidResume := false + if *called == 2 { // if this is the second time, then it should be a resumption + wantDidResume = true + } + if c.DidResume != wantDidResume { + return fmt.Errorf("%s: got DidResume %t, want %t", errorType, c.DidResume, wantDidResume) + } + return nil + } + + tests := []struct { + name string + configureServer func(*Config, *int) + configureClient func(*Config, *int) + }{ + { + name: "RequireAndVerifyClientCert", + configureServer: func(config *Config, called *int) { + config.ClientAuth = RequireAndVerifyClientCert + config.VerifyConnection = func(c ConnectionState) error { + *called++ + if l := len(c.PeerCertificates); l != 1 { + return fmt.Errorf("server: got len(PeerCertificates) = %d, wanted 1", l) + } + if len(c.VerifiedChains) == 0 { + return fmt.Errorf("server: got len(VerifiedChains) = 0, wanted non-zero") + } + return checkFields(c, called, "server") + } + }, + configureClient: func(config *Config, called *int) { + config.VerifyConnection = func(c ConnectionState) error { + *called++ + if l := len(c.PeerCertificates); l != 1 { + return fmt.Errorf("client: got len(PeerCertificates) = %d, wanted 1", l) + } + if len(c.VerifiedChains) == 0 { + return fmt.Errorf("client: got len(VerifiedChains) = 0, wanted non-zero") + } + if c.DidResume { + return nil + // The SCTs and OCSP Response are dropped on resumption. + // See http://golang.org/issue/39075. + } + if len(c.OCSPResponse) == 0 { + return fmt.Errorf("client: got len(OCSPResponse) = 0, wanted non-zero") + } + if len(c.SignedCertificateTimestamps) == 0 { + return fmt.Errorf("client: got len(SignedCertificateTimestamps) = 0, wanted non-zero") + } + return checkFields(c, called, "client") + } + }, + }, + { + name: "InsecureSkipVerify", + configureServer: func(config *Config, called *int) { + config.ClientAuth = RequireAnyClientCert + config.InsecureSkipVerify = true + config.VerifyConnection = func(c ConnectionState) error { + *called++ + if l := len(c.PeerCertificates); l != 1 { + return fmt.Errorf("server: got len(PeerCertificates) = %d, wanted 1", l) + } + if c.VerifiedChains != nil { + return fmt.Errorf("server: got Verified Chains %v, want nil", c.VerifiedChains) + } + return checkFields(c, called, "server") + } + }, + configureClient: func(config *Config, called *int) { + config.InsecureSkipVerify = true + config.VerifyConnection = func(c ConnectionState) error { + *called++ + if l := len(c.PeerCertificates); l != 1 { + return fmt.Errorf("client: got len(PeerCertificates) = %d, wanted 1", l) + } + if c.VerifiedChains != nil { + return fmt.Errorf("server: got Verified Chains %v, want nil", c.VerifiedChains) + } + if c.DidResume { + return nil + // The SCTs and OCSP Response are dropped on resumption. + // See http://golang.org/issue/39075. + } + if len(c.OCSPResponse) == 0 { + return fmt.Errorf("client: got len(OCSPResponse) = 0, wanted non-zero") + } + if len(c.SignedCertificateTimestamps) == 0 { + return fmt.Errorf("client: got len(SignedCertificateTimestamps) = 0, wanted non-zero") + } + return checkFields(c, called, "client") + } + }, + }, + { + name: "NoClientCert", + configureServer: func(config *Config, called *int) { + config.ClientAuth = NoClientCert + config.VerifyConnection = func(c ConnectionState) error { + *called++ + return checkFields(c, called, "server") + } + }, + configureClient: func(config *Config, called *int) { + config.VerifyConnection = func(c ConnectionState) error { + *called++ + return checkFields(c, called, "client") + } + }, + }, + { + name: "RequestClientCert", + configureServer: func(config *Config, called *int) { + config.ClientAuth = RequestClientCert + config.VerifyConnection = func(c ConnectionState) error { + *called++ + return checkFields(c, called, "server") + } + }, + configureClient: func(config *Config, called *int) { + config.Certificates = nil // clear the client cert + config.VerifyConnection = func(c ConnectionState) error { + *called++ + if l := len(c.PeerCertificates); l != 1 { + return fmt.Errorf("client: got len(PeerCertificates) = %d, wanted 1", l) + } + if len(c.VerifiedChains) == 0 { + return fmt.Errorf("client: got len(VerifiedChains) = 0, wanted non-zero") + } + if c.DidResume { + return nil + // The SCTs and OCSP Response are dropped on resumption. + // See http://golang.org/issue/39075. + } + if len(c.OCSPResponse) == 0 { + return fmt.Errorf("client: got len(OCSPResponse) = 0, wanted non-zero") + } + if len(c.SignedCertificateTimestamps) == 0 { + return fmt.Errorf("client: got len(SignedCertificateTimestamps) = 0, wanted non-zero") + } + return checkFields(c, called, "client") + } + }, + }, + } + for _, test := range tests { + issuer, err := x509.ParseCertificate(testRSACertificateIssuer) + if err != nil { + panic(err) + } + rootCAs := x509.NewCertPool() + rootCAs.AddCert(issuer) + + var serverCalled, clientCalled int + + serverConfig := &Config{ + MaxVersion: version, + Certificates: []Certificate{testConfig.Certificates[0]}, + ClientCAs: rootCAs, + NextProtos: []string{"protocol1"}, + } + serverConfig.Certificates[0].SignedCertificateTimestamps = [][]byte{[]byte("dummy sct 1"), []byte("dummy sct 2")} + serverConfig.Certificates[0].OCSPStaple = []byte("dummy ocsp") + test.configureServer(serverConfig, &serverCalled) + + clientConfig := &Config{ + MaxVersion: version, + ClientSessionCache: NewLRUClientSessionCache(32), + RootCAs: rootCAs, + ServerName: "example.golang", + Certificates: []Certificate{testConfig.Certificates[0]}, + NextProtos: []string{"protocol1"}, + } + test.configureClient(clientConfig, &clientCalled) + + testHandshakeState := func(name string, didResume bool) { + _, hs, err := testHandshake(t, clientConfig, serverConfig) + if err != nil { + t.Fatalf("%s: handshake failed: %s", name, err) + } + if hs.DidResume != didResume { + t.Errorf("%s: resumed: %v, expected: %v", name, hs.DidResume, didResume) + } + wantCalled := 1 + if didResume { + wantCalled = 2 // resumption would mean this is the second time it was called in this test + } + if clientCalled != wantCalled { + t.Errorf("%s: expected client VerifyConnection called %d times, did %d times", name, wantCalled, clientCalled) + } + if serverCalled != wantCalled { + t.Errorf("%s: expected server VerifyConnection called %d times, did %d times", name, wantCalled, serverCalled) + } + } + testHandshakeState(fmt.Sprintf("%s-FullHandshake", test.name), false) + testHandshakeState(fmt.Sprintf("%s-Resumption", test.name), true) + } +} + +func TestVerifyPeerCertificate(t *testing.T) { + t.Run("TLSv12", func(t *testing.T) { testVerifyPeerCertificate(t, VersionTLS12) }) + t.Run("TLSv13", func(t *testing.T) { testVerifyPeerCertificate(t, VersionTLS13) }) +} + +func testVerifyPeerCertificate(t *testing.T, version uint16) { + issuer, err := x509.ParseCertificate(testRSACertificateIssuer) + if err != nil { + panic(err) + } + + rootCAs := x509.NewCertPool() + rootCAs.AddCert(issuer) + + now := func() time.Time { return time.Unix(1476984729, 0) } + + sentinelErr := errors.New("TestVerifyPeerCertificate") + + verifyPeerCertificateCallback := func(called *bool, rawCerts [][]byte, validatedChains [][]*x509.Certificate) error { + if l := len(rawCerts); l != 1 { + return fmt.Errorf("got len(rawCerts) = %d, wanted 1", l) + } + if len(validatedChains) == 0 { + return errors.New("got len(validatedChains) = 0, wanted non-zero") + } + *called = true + return nil + } + verifyConnectionCallback := func(called *bool, isClient bool, c ConnectionState) error { + if l := len(c.PeerCertificates); l != 1 { + return fmt.Errorf("got len(PeerCertificates) = %d, wanted 1", l) + } + if len(c.VerifiedChains) == 0 { + return fmt.Errorf("got len(VerifiedChains) = 0, wanted non-zero") + } + if isClient && len(c.OCSPResponse) == 0 { + return fmt.Errorf("got len(OCSPResponse) = 0, wanted non-zero") + } + *called = true + return nil + } + + tests := []struct { + configureServer func(*Config, *bool) + configureClient func(*Config, *bool) + validate func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) + }{ + { + configureServer: func(config *Config, called *bool) { + config.InsecureSkipVerify = false + config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error { + return verifyPeerCertificateCallback(called, rawCerts, validatedChains) + } + }, + configureClient: func(config *Config, called *bool) { + config.InsecureSkipVerify = false + config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error { + return verifyPeerCertificateCallback(called, rawCerts, validatedChains) + } + }, + validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) { + if clientErr != nil { + t.Errorf("test[%d]: client handshake failed: %v", testNo, clientErr) + } + if serverErr != nil { + t.Errorf("test[%d]: server handshake failed: %v", testNo, serverErr) + } + if !clientCalled { + t.Errorf("test[%d]: client did not call callback", testNo) + } + if !serverCalled { + t.Errorf("test[%d]: server did not call callback", testNo) + } + }, + }, + { + configureServer: func(config *Config, called *bool) { + config.InsecureSkipVerify = false + config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error { + return sentinelErr + } + }, + configureClient: func(config *Config, called *bool) { + config.VerifyPeerCertificate = nil + }, + validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) { + if serverErr != sentinelErr { + t.Errorf("#%d: got server error %v, wanted sentinelErr", testNo, serverErr) + } + }, + }, + { + configureServer: func(config *Config, called *bool) { + config.InsecureSkipVerify = false + }, + configureClient: func(config *Config, called *bool) { + config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error { + return sentinelErr + } + }, + validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) { + if clientErr != sentinelErr { + t.Errorf("#%d: got client error %v, wanted sentinelErr", testNo, clientErr) + } + }, + }, + { + configureServer: func(config *Config, called *bool) { + config.InsecureSkipVerify = false + }, + configureClient: func(config *Config, called *bool) { + config.InsecureSkipVerify = true + config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error { + if l := len(rawCerts); l != 1 { + return fmt.Errorf("got len(rawCerts) = %d, wanted 1", l) + } + // With InsecureSkipVerify set, this + // callback should still be called but + // validatedChains must be empty. + if l := len(validatedChains); l != 0 { + return fmt.Errorf("got len(validatedChains) = %d, wanted zero", l) + } + *called = true + return nil + } + }, + validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) { + if clientErr != nil { + t.Errorf("test[%d]: client handshake failed: %v", testNo, clientErr) + } + if serverErr != nil { + t.Errorf("test[%d]: server handshake failed: %v", testNo, serverErr) + } + if !clientCalled { + t.Errorf("test[%d]: client did not call callback", testNo) + } + }, + }, + { + configureServer: func(config *Config, called *bool) { + config.InsecureSkipVerify = false + config.VerifyConnection = func(c ConnectionState) error { + return verifyConnectionCallback(called, false, c) + } + }, + configureClient: func(config *Config, called *bool) { + config.InsecureSkipVerify = false + config.VerifyConnection = func(c ConnectionState) error { + return verifyConnectionCallback(called, true, c) + } + }, + validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) { + if clientErr != nil { + t.Errorf("test[%d]: client handshake failed: %v", testNo, clientErr) + } + if serverErr != nil { + t.Errorf("test[%d]: server handshake failed: %v", testNo, serverErr) + } + if !clientCalled { + t.Errorf("test[%d]: client did not call callback", testNo) + } + if !serverCalled { + t.Errorf("test[%d]: server did not call callback", testNo) + } + }, + }, + { + configureServer: func(config *Config, called *bool) { + config.InsecureSkipVerify = false + config.VerifyConnection = func(c ConnectionState) error { + return sentinelErr + } + }, + configureClient: func(config *Config, called *bool) { + config.InsecureSkipVerify = false + config.VerifyConnection = nil + }, + validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) { + if serverErr != sentinelErr { + t.Errorf("#%d: got server error %v, wanted sentinelErr", testNo, serverErr) + } + }, + }, + { + configureServer: func(config *Config, called *bool) { + config.InsecureSkipVerify = false + config.VerifyConnection = nil + }, + configureClient: func(config *Config, called *bool) { + config.InsecureSkipVerify = false + config.VerifyConnection = func(c ConnectionState) error { + return sentinelErr + } + }, + validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) { + if clientErr != sentinelErr { + t.Errorf("#%d: got client error %v, wanted sentinelErr", testNo, clientErr) + } + }, + }, + { + configureServer: func(config *Config, called *bool) { + config.InsecureSkipVerify = false + config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error { + return verifyPeerCertificateCallback(called, rawCerts, validatedChains) + } + config.VerifyConnection = func(c ConnectionState) error { + return sentinelErr + } + }, + configureClient: func(config *Config, called *bool) { + config.InsecureSkipVerify = false + config.VerifyPeerCertificate = nil + config.VerifyConnection = nil + }, + validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) { + if serverErr != sentinelErr { + t.Errorf("#%d: got server error %v, wanted sentinelErr", testNo, serverErr) + } + if !serverCalled { + t.Errorf("test[%d]: server did not call callback", testNo) + } + }, + }, + { + configureServer: func(config *Config, called *bool) { + config.InsecureSkipVerify = false + config.VerifyPeerCertificate = nil + config.VerifyConnection = nil + }, + configureClient: func(config *Config, called *bool) { + config.InsecureSkipVerify = false + config.VerifyPeerCertificate = func(rawCerts [][]byte, validatedChains [][]*x509.Certificate) error { + return verifyPeerCertificateCallback(called, rawCerts, validatedChains) + } + config.VerifyConnection = func(c ConnectionState) error { + return sentinelErr + } + }, + validate: func(t *testing.T, testNo int, clientCalled, serverCalled bool, clientErr, serverErr error) { + if clientErr != sentinelErr { + t.Errorf("#%d: got client error %v, wanted sentinelErr", testNo, clientErr) + } + if !clientCalled { + t.Errorf("test[%d]: client did not call callback", testNo) + } + }, + }, + } + + for i, test := range tests { + c, s := localPipe(t) + done := make(chan error) + + var clientCalled, serverCalled bool + + go func() { + config := testConfig.Clone() + config.ServerName = "example.golang" + config.ClientAuth = RequireAndVerifyClientCert + config.ClientCAs = rootCAs + config.Time = now + config.MaxVersion = version + config.Certificates = make([]Certificate, 1) + config.Certificates[0].Certificate = [][]byte{testRSACertificate} + config.Certificates[0].PrivateKey = testRSAPrivateKey + config.Certificates[0].SignedCertificateTimestamps = [][]byte{[]byte("dummy sct 1"), []byte("dummy sct 2")} + config.Certificates[0].OCSPStaple = []byte("dummy ocsp") + test.configureServer(config, &serverCalled) + + err = Server(s, config).Handshake() + s.Close() + done <- err + }() + + config := testConfig.Clone() + config.ServerName = "example.golang" + config.RootCAs = rootCAs + config.Time = now + config.MaxVersion = version + test.configureClient(config, &clientCalled) + clientErr := Client(c, config).Handshake() + c.Close() + serverErr := <-done + + test.validate(t, i, clientCalled, serverCalled, clientErr, serverErr) + } +} + +// brokenConn wraps a net.Conn and causes all Writes after a certain number to +// fail with brokenConnErr. +type brokenConn struct { + net.Conn + + // breakAfter is the number of successful writes that will be allowed + // before all subsequent writes fail. + breakAfter int + + // numWrites is the number of writes that have been done. + numWrites int +} + +// brokenConnErr is the error that brokenConn returns once exhausted. +var brokenConnErr = errors.New("too many writes to brokenConn") + +func (b *brokenConn) Write(data []byte) (int, error) { + if b.numWrites >= b.breakAfter { + return 0, brokenConnErr + } + + b.numWrites++ + return b.Conn.Write(data) +} + +func TestFailedWrite(t *testing.T) { + // Test that a write error during the handshake is returned. + for _, breakAfter := range []int{0, 1} { + c, s := localPipe(t) + done := make(chan bool) + + go func() { + Server(s, testConfig).Handshake() + s.Close() + done <- true + }() + + brokenC := &brokenConn{Conn: c, breakAfter: breakAfter} + err := Client(brokenC, testConfig).Handshake() + if err != brokenConnErr { + t.Errorf("#%d: expected error from brokenConn but got %q", breakAfter, err) + } + brokenC.Close() + + <-done + } +} + +// writeCountingConn wraps a net.Conn and counts the number of Write calls. +type writeCountingConn struct { + net.Conn + + // numWrites is the number of writes that have been done. + numWrites int +} + +func (wcc *writeCountingConn) Write(data []byte) (int, error) { + wcc.numWrites++ + return wcc.Conn.Write(data) +} + +func TestBuffering(t *testing.T) { + t.Run("TLSv12", func(t *testing.T) { testBuffering(t, VersionTLS12) }) + t.Run("TLSv13", func(t *testing.T) { testBuffering(t, VersionTLS13) }) +} + +func testBuffering(t *testing.T, version uint16) { + c, s := localPipe(t) + done := make(chan bool) + + clientWCC := &writeCountingConn{Conn: c} + serverWCC := &writeCountingConn{Conn: s} + + go func() { + config := testConfig.Clone() + config.MaxVersion = version + Server(serverWCC, config).Handshake() + serverWCC.Close() + done <- true + }() + + err := Client(clientWCC, testConfig).Handshake() + if err != nil { + t.Fatal(err) + } + clientWCC.Close() + <-done + + var expectedClient, expectedServer int + if version == VersionTLS13 { + expectedClient = 2 + expectedServer = 1 + } else { + expectedClient = 2 + expectedServer = 2 + } + + if n := clientWCC.numWrites; n != expectedClient { + t.Errorf("expected client handshake to complete with %d writes, but saw %d", expectedClient, n) + } + + if n := serverWCC.numWrites; n != expectedServer { + t.Errorf("expected server handshake to complete with %d writes, but saw %d", expectedServer, n) + } +} + +func TestAlertFlushing(t *testing.T) { + c, s := localPipe(t) + done := make(chan bool) + + clientWCC := &writeCountingConn{Conn: c} + serverWCC := &writeCountingConn{Conn: s} + + serverConfig := testConfig.Clone() + + // Cause a signature-time error + brokenKey := rsa.PrivateKey{PublicKey: testRSAPrivateKey.PublicKey} + brokenKey.D = big.NewInt(42) + serverConfig.Certificates = []Certificate{{ + Certificate: [][]byte{testRSACertificate}, + PrivateKey: &brokenKey, + }} + + go func() { + Server(serverWCC, serverConfig).Handshake() + serverWCC.Close() + done <- true + }() + + err := Client(clientWCC, testConfig).Handshake() + if err == nil { + t.Fatal("client unexpectedly returned no error") + } + + const expectedError = "remote error: tls: internal error" + if e := err.Error(); !strings.Contains(e, expectedError) { + t.Fatalf("expected to find %q in error but error was %q", expectedError, e) + } + clientWCC.Close() + <-done + + if n := serverWCC.numWrites; n != 1 { + t.Errorf("expected server handshake to complete with one write, but saw %d", n) + } +} + +func TestHandshakeRace(t *testing.T) { + if testing.Short() { + t.Skip("skipping in -short mode") + } + t.Parallel() + // This test races a Read and Write to try and complete a handshake in + // order to provide some evidence that there are no races or deadlocks + // in the handshake locking. + for i := 0; i < 32; i++ { + c, s := localPipe(t) + + go func() { + server := Server(s, testConfig) + if err := server.Handshake(); err != nil { + panic(err) + } + + var request [1]byte + if n, err := server.Read(request[:]); err != nil || n != 1 { + panic(err) + } + + server.Write(request[:]) + server.Close() + }() + + startWrite := make(chan struct{}) + startRead := make(chan struct{}) + readDone := make(chan struct{}, 1) + + client := Client(c, testConfig) + go func() { + <-startWrite + var request [1]byte + client.Write(request[:]) + }() + + go func() { + <-startRead + var reply [1]byte + if _, err := io.ReadFull(client, reply[:]); err != nil { + panic(err) + } + c.Close() + readDone <- struct{}{} + }() + + if i&1 == 1 { + startWrite <- struct{}{} + startRead <- struct{}{} + } else { + startRead <- struct{}{} + startWrite <- struct{}{} + } + <-readDone + } +} + +var getClientCertificateTests = []struct { + setup func(*Config, *Config) + expectedClientError string + verify func(*testing.T, int, *ConnectionState) +}{ + { + func(clientConfig, serverConfig *Config) { + // Returning a Certificate with no certificate data + // should result in an empty message being sent to the + // server. + serverConfig.ClientCAs = nil + clientConfig.GetClientCertificate = func(cri *CertificateRequestInfo) (*Certificate, error) { + if len(cri.SignatureSchemes) == 0 { + panic("empty SignatureSchemes") + } + if len(cri.AcceptableCAs) != 0 { + panic("AcceptableCAs should have been empty") + } + return new(Certificate), nil + } + }, + "", + func(t *testing.T, testNum int, cs *ConnectionState) { + if l := len(cs.PeerCertificates); l != 0 { + t.Errorf("#%d: expected no certificates but got %d", testNum, l) + } + }, + }, + { + func(clientConfig, serverConfig *Config) { + // With TLS 1.1, the SignatureSchemes should be + // synthesised from the supported certificate types. + clientConfig.MaxVersion = VersionTLS11 + clientConfig.GetClientCertificate = func(cri *CertificateRequestInfo) (*Certificate, error) { + if len(cri.SignatureSchemes) == 0 { + panic("empty SignatureSchemes") + } + return new(Certificate), nil + } + }, + "", + func(t *testing.T, testNum int, cs *ConnectionState) { + if l := len(cs.PeerCertificates); l != 0 { + t.Errorf("#%d: expected no certificates but got %d", testNum, l) + } + }, + }, + { + func(clientConfig, serverConfig *Config) { + // Returning an error should abort the handshake with + // that error. + clientConfig.GetClientCertificate = func(cri *CertificateRequestInfo) (*Certificate, error) { + return nil, errors.New("GetClientCertificate") + } + }, + "GetClientCertificate", + func(t *testing.T, testNum int, cs *ConnectionState) { + }, + }, + { + func(clientConfig, serverConfig *Config) { + clientConfig.GetClientCertificate = func(cri *CertificateRequestInfo) (*Certificate, error) { + if len(cri.AcceptableCAs) == 0 { + panic("empty AcceptableCAs") + } + cert := &Certificate{ + Certificate: [][]byte{testRSACertificate}, + PrivateKey: testRSAPrivateKey, + } + return cert, nil + } + }, + "", + func(t *testing.T, testNum int, cs *ConnectionState) { + if len(cs.VerifiedChains) == 0 { + t.Errorf("#%d: expected some verified chains, but found none", testNum) + } + }, + }, +} + +func TestGetClientCertificate(t *testing.T) { + t.Run("TLSv12", func(t *testing.T) { testGetClientCertificate(t, VersionTLS12) }) + t.Run("TLSv13", func(t *testing.T) { testGetClientCertificate(t, VersionTLS13) }) +} + +func testGetClientCertificate(t *testing.T, version uint16) { + issuer, err := x509.ParseCertificate(testRSACertificateIssuer) + if err != nil { + panic(err) + } + + for i, test := range getClientCertificateTests { + serverConfig := testConfig.Clone() + serverConfig.ClientAuth = VerifyClientCertIfGiven + serverConfig.RootCAs = x509.NewCertPool() + serverConfig.RootCAs.AddCert(issuer) + serverConfig.ClientCAs = serverConfig.RootCAs + serverConfig.Time = func() time.Time { return time.Unix(1476984729, 0) } + serverConfig.MaxVersion = version + + clientConfig := testConfig.Clone() + clientConfig.MaxVersion = version + + test.setup(clientConfig, serverConfig) + + type serverResult struct { + cs ConnectionState + err error + } + + c, s := localPipe(t) + done := make(chan serverResult) + + go func() { + defer s.Close() + server := Server(s, serverConfig) + err := server.Handshake() + + var cs ConnectionState + if err == nil { + cs = server.ConnectionState() + } + done <- serverResult{cs, err} + }() + + clientErr := Client(c, clientConfig).Handshake() + c.Close() + + result := <-done + + if clientErr != nil { + if len(test.expectedClientError) == 0 { + t.Errorf("#%d: client error: %v", i, clientErr) + } else if got := clientErr.Error(); got != test.expectedClientError { + t.Errorf("#%d: expected client error %q, but got %q", i, test.expectedClientError, got) + } else { + test.verify(t, i, &result.cs) + } + } else if len(test.expectedClientError) > 0 { + t.Errorf("#%d: expected client error %q, but got no error", i, test.expectedClientError) + } else if err := result.err; err != nil { + t.Errorf("#%d: server error: %v", i, err) + } else { + test.verify(t, i, &result.cs) + } + } +} + +func TestRSAPSSKeyError(t *testing.T) { + // crypto/tls does not support the rsa_pss_pss_* SignatureSchemes. If support for + // public keys with OID RSASSA-PSS is added to crypto/x509, they will be misused with + // the rsa_pss_rsae_* SignatureSchemes. Assert that RSASSA-PSS certificates don't + // parse, or that they don't carry *rsa.PublicKey keys. + b, _ := pem.Decode([]byte(` +-----BEGIN CERTIFICATE----- +MIIDZTCCAhygAwIBAgIUCF2x0FyTgZG0CC9QTDjGWkB5vgEwPgYJKoZIhvcNAQEK +MDGgDTALBglghkgBZQMEAgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogQC +AgDeMBIxEDAOBgNVBAMMB1JTQS1QU1MwHhcNMTgwNjI3MjI0NDM2WhcNMTgwNzI3 +MjI0NDM2WjASMRAwDgYDVQQDDAdSU0EtUFNTMIIBIDALBgkqhkiG9w0BAQoDggEP +ADCCAQoCggEBANxDm0f76JdI06YzsjB3AmmjIYkwUEGxePlafmIASFjDZl/elD0Z +/a7xLX468b0qGxLS5al7XCcEprSdsDR6DF5L520+pCbpfLyPOjuOvGmk9KzVX4x5 +b05YXYuXdsQ0Kjxcx2i3jjCday6scIhMJVgBZxTEyMj1thPQM14SHzKCd/m6HmCL +QmswpH2yMAAcBRWzRpp/vdH5DeOJEB3aelq7094no731mrLUCHRiZ1htq8BDB3ou +czwqgwspbqZ4dnMXl2MvfySQ5wJUxQwILbiuAKO2lVVPUbFXHE9pgtznNoPvKwQT +JNcX8ee8WIZc2SEGzofjk3NpjR+2ADB2u3sCAwEAAaNTMFEwHQYDVR0OBBYEFNEz +AdyJ2f+fU+vSCS6QzohnOnprMB8GA1UdIwQYMBaAFNEzAdyJ2f+fU+vSCS6Qzohn +OnprMA8GA1UdEwEB/wQFMAMBAf8wPgYJKoZIhvcNAQEKMDGgDTALBglghkgBZQME +AgGhGjAYBgkqhkiG9w0BAQgwCwYJYIZIAWUDBAIBogQCAgDeA4IBAQCjEdrR5aab +sZmCwrMeKidXgfkmWvfuLDE+TCbaqDZp7BMWcMQXT9O0UoUT5kqgKj2ARm2pEW0Z +H3Z1vj3bbds72qcDIJXp+l0fekyLGeCrX/CbgnMZXEP7+/+P416p34ChR1Wz4dU1 +KD3gdsUuTKKeMUog3plxlxQDhRQmiL25ygH1LmjLd6dtIt0GVRGr8lj3euVeprqZ +bZ3Uq5eLfsn8oPgfC57gpO6yiN+UURRTlK3bgYvLh4VWB3XXk9UaQZ7Mq1tpXjoD +HYFybkWzibkZp4WRo+Fa28rirH+/wHt0vfeN7UCceURZEx4JaxIIfe4ku7uDRhJi +RwBA9Xk1KBNF +-----END CERTIFICATE-----`)) + if b == nil { + t.Fatal("Failed to decode certificate") + } + cert, err := x509.ParseCertificate(b.Bytes) + if err != nil { + return + } + if _, ok := cert.PublicKey.(*rsa.PublicKey); ok { + t.Error("A RSASSA-PSS certificate was parsed like a PKCS#1 v1.5 one, and it will be mistakenly used with rsa_pss_rsae_* signature algorithms") + } +} + +func TestCloseClientConnectionOnIdleServer(t *testing.T) { + clientConn, serverConn := localPipe(t) + client := Client(clientConn, testConfig.Clone()) + go func() { + var b [1]byte + serverConn.Read(b[:]) + client.Close() + }() + client.SetWriteDeadline(time.Now().Add(time.Minute)) + err := client.Handshake() + if err != nil { + if err, ok := err.(net.Error); ok && err.Timeout() { + t.Errorf("Expected a closed network connection error but got '%s'", err.Error()) + } + } else { + t.Errorf("Error expected, but no error returned") + } +} + +func testDowngradeCanary(t *testing.T, clientVersion, serverVersion uint16) error { + defer func() { testingOnlyForceDowngradeCanary = false }() + testingOnlyForceDowngradeCanary = true + + clientConfig := testConfig.Clone() + clientConfig.MaxVersion = clientVersion + serverConfig := testConfig.Clone() + serverConfig.MaxVersion = serverVersion + _, _, err := testHandshake(t, clientConfig, serverConfig) + return err +} + +func TestDowngradeCanary(t *testing.T) { + if err := testDowngradeCanary(t, VersionTLS13, VersionTLS12); err == nil { + t.Errorf("downgrade from TLS 1.3 to TLS 1.2 was not detected") + } + if testing.Short() { + t.Skip("skipping the rest of the checks in short mode") + } + if err := testDowngradeCanary(t, VersionTLS13, VersionTLS11); err == nil { + t.Errorf("downgrade from TLS 1.3 to TLS 1.1 was not detected") + } + if err := testDowngradeCanary(t, VersionTLS13, VersionTLS10); err == nil { + t.Errorf("downgrade from TLS 1.3 to TLS 1.0 was not detected") + } + if err := testDowngradeCanary(t, VersionTLS12, VersionTLS11); err == nil { + t.Errorf("downgrade from TLS 1.2 to TLS 1.1 was not detected") + } + if err := testDowngradeCanary(t, VersionTLS12, VersionTLS10); err == nil { + t.Errorf("downgrade from TLS 1.2 to TLS 1.0 was not detected") + } + if err := testDowngradeCanary(t, VersionTLS13, VersionTLS13); err != nil { + t.Errorf("server unexpectedly sent downgrade canary for TLS 1.3") + } + if err := testDowngradeCanary(t, VersionTLS12, VersionTLS12); err != nil { + t.Errorf("client didn't ignore expected TLS 1.2 canary") + } + if err := testDowngradeCanary(t, VersionTLS11, VersionTLS11); err != nil { + t.Errorf("client unexpectedly reacted to a canary in TLS 1.1") + } + if err := testDowngradeCanary(t, VersionTLS10, VersionTLS10); err != nil { + t.Errorf("client unexpectedly reacted to a canary in TLS 1.0") + } +} + +func TestResumptionKeepsOCSPAndSCT(t *testing.T) { + t.Run("TLSv12", func(t *testing.T) { testResumptionKeepsOCSPAndSCT(t, VersionTLS12) }) + t.Run("TLSv13", func(t *testing.T) { testResumptionKeepsOCSPAndSCT(t, VersionTLS13) }) +} + +func testResumptionKeepsOCSPAndSCT(t *testing.T, ver uint16) { + issuer, err := x509.ParseCertificate(testRSACertificateIssuer) + if err != nil { + t.Fatalf("failed to parse test issuer") + } + roots := x509.NewCertPool() + roots.AddCert(issuer) + clientConfig := &Config{ + MaxVersion: ver, + ClientSessionCache: NewLRUClientSessionCache(32), + ServerName: "example.golang", + RootCAs: roots, + } + serverConfig := testConfig.Clone() + serverConfig.MaxVersion = ver + serverConfig.Certificates[0].OCSPStaple = []byte{1, 2, 3} + serverConfig.Certificates[0].SignedCertificateTimestamps = [][]byte{{4, 5, 6}} + + _, ccs, err := testHandshake(t, clientConfig, serverConfig) + if err != nil { + t.Fatalf("handshake failed: %s", err) + } + // after a new session we expect to see OCSPResponse and + // SignedCertificateTimestamps populated as usual + if !bytes.Equal(ccs.OCSPResponse, serverConfig.Certificates[0].OCSPStaple) { + t.Errorf("client ConnectionState contained unexpected OCSPResponse: wanted %v, got %v", + serverConfig.Certificates[0].OCSPStaple, ccs.OCSPResponse) + } + if !reflect.DeepEqual(ccs.SignedCertificateTimestamps, serverConfig.Certificates[0].SignedCertificateTimestamps) { + t.Errorf("client ConnectionState contained unexpected SignedCertificateTimestamps: wanted %v, got %v", + serverConfig.Certificates[0].SignedCertificateTimestamps, ccs.SignedCertificateTimestamps) + } + + // if the server doesn't send any SCTs, repopulate the old SCTs + oldSCTs := serverConfig.Certificates[0].SignedCertificateTimestamps + serverConfig.Certificates[0].SignedCertificateTimestamps = nil + _, ccs, err = testHandshake(t, clientConfig, serverConfig) + if err != nil { + t.Fatalf("handshake failed: %s", err) + } + if !ccs.DidResume { + t.Fatalf("expected session to be resumed") + } + // after a resumed session we also expect to see OCSPResponse + // and SignedCertificateTimestamps populated + if !bytes.Equal(ccs.OCSPResponse, serverConfig.Certificates[0].OCSPStaple) { + t.Errorf("client ConnectionState contained unexpected OCSPResponse after resumption: wanted %v, got %v", + serverConfig.Certificates[0].OCSPStaple, ccs.OCSPResponse) + } + if !reflect.DeepEqual(ccs.SignedCertificateTimestamps, oldSCTs) { + t.Errorf("client ConnectionState contained unexpected SignedCertificateTimestamps after resumption: wanted %v, got %v", + oldSCTs, ccs.SignedCertificateTimestamps) + } + + // Only test overriding the SCTs for TLS 1.2, since in 1.3 + // the server won't send the message containing them + if ver == VersionTLS13 { + return + } + + // if the server changes the SCTs it sends, they should override the saved SCTs + serverConfig.Certificates[0].SignedCertificateTimestamps = [][]byte{{7, 8, 9}} + _, ccs, err = testHandshake(t, clientConfig, serverConfig) + if err != nil { + t.Fatalf("handshake failed: %s", err) + } + if !ccs.DidResume { + t.Fatalf("expected session to be resumed") + } + if !reflect.DeepEqual(ccs.SignedCertificateTimestamps, serverConfig.Certificates[0].SignedCertificateTimestamps) { + t.Errorf("client ConnectionState contained unexpected SignedCertificateTimestamps after resumption: wanted %v, got %v", + serverConfig.Certificates[0].SignedCertificateTimestamps, ccs.SignedCertificateTimestamps) + } +} + +// TestClientHandshakeContextCancellation tests that canceling +// the context given to the client side conn.HandshakeContext +// interrupts the in-progress handshake. +func TestClientHandshakeContextCancellation(t *testing.T) { + c, s := localPipe(t) + ctx, cancel := context.WithCancel(context.Background()) + unblockServer := make(chan struct{}) + defer close(unblockServer) + go func() { + cancel() + <-unblockServer + _ = s.Close() + }() + cli := Client(c, testConfig) + // Initiates client side handshake, which will block until the client hello is read + // by the server, unless the cancellation works. + err := cli.HandshakeContext(ctx) + if err == nil { + t.Fatal("Client handshake did not error when the context was canceled") + } + if err != context.Canceled { + t.Errorf("Unexpected client handshake error: %v", err) + } + if runtime.GOARCH == "wasm" { + t.Skip("conn.Close does not error as expected when called multiple times on WASM") + } + err = cli.Close() + if err == nil { + t.Error("Client connection was not closed when the context was canceled") + } +} + +// TestTLS13OnlyClientHelloCipherSuite tests that when a client states that +// it only supports TLS 1.3, it correctly advertises only TLS 1.3 ciphers. +func TestTLS13OnlyClientHelloCipherSuite(t *testing.T) { + tls13Tests := []struct { + name string + ciphers []uint16 + }{ + { + name: "nil", + ciphers: nil, + }, + { + name: "empty", + ciphers: []uint16{}, + }, + { + name: "some TLS 1.2 cipher", + ciphers: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, + }, + { + name: "some TLS 1.3 cipher", + ciphers: []uint16{TLS_AES_128_GCM_SHA256}, + }, + { + name: "some TLS 1.2 and 1.3 ciphers", + ciphers: []uint16{TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_AES_256_GCM_SHA384}, + }, + } + for _, tt := range tls13Tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + testTLS13OnlyClientHelloCipherSuite(t, tt.ciphers) + }) + } +} + +func testTLS13OnlyClientHelloCipherSuite(t *testing.T, ciphers []uint16) { + serverConfig := &Config{ + Certificates: testConfig.Certificates, + GetConfigForClient: func(chi *ClientHelloInfo) (*Config, error) { + if len(chi.CipherSuites) != len(defaultCipherSuitesTLS13NoAES) { + t.Errorf("only TLS 1.3 suites should be advertised, got=%x", chi.CipherSuites) + } else { + for i := range defaultCipherSuitesTLS13NoAES { + if want, got := defaultCipherSuitesTLS13NoAES[i], chi.CipherSuites[i]; want != got { + t.Errorf("cipher at index %d does not match, want=%x, got=%x", i, want, got) + } + } + } + return nil, nil + }, + } + clientConfig := &Config{ + MinVersion: VersionTLS13, // client only supports TLS 1.3 + CipherSuites: ciphers, + InsecureSkipVerify: true, + } + if _, _, err := testHandshake(t, clientConfig, serverConfig); err != nil { + t.Fatalf("handshake failed: %s", err) + } +} + +// discardConn wraps a net.Conn but discards all writes, but reports that they happened. +type discardConn struct { + net.Conn +} + +func (dc *discardConn) Write(data []byte) (int, error) { + return len(data), nil +} + +// largeRSAKeyCertPEM contains a 8193 bit RSA key +const largeRSAKeyCertPEM = `-----BEGIN CERTIFICATE----- +MIIInjCCBIWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDEwd0ZXN0 +aW5nMB4XDTIzMDYwNzIxMjMzNloXDTIzMDYwNzIzMjMzNlowEjEQMA4GA1UEAxMH +dGVzdGluZzCCBCIwDQYJKoZIhvcNAQEBBQADggQPADCCBAoCggQBAWdHsf6Rh2Ca +n2SQwn4t4OQrOjbLLdGE1pM6TBKKrHUFy62uEL8atNjlcfXIsa4aEu3xNGiqxqur +ZectlkZbm0FkaaQ1Wr9oikDY3KfjuaXdPdO/XC/h8AKNxlDOylyXwUSK/CuYb+1j +gy8yF5QFvVfwW/xwTlHmhUeSkVSQPosfQ6yXNNsmMzkd+ZPWLrfq4R+wiNtwYGu0 +WSBcI/M9o8/vrNLnIppoiBJJ13j9CR1ToEAzOFh9wwRWLY10oZhoh1ONN1KQURx4 +qedzvvP2DSjZbUccdvl2rBGvZpzfOiFdm1FCnxB0c72Cqx+GTHXBFf8bsa7KHky9 +sNO1GUanbq17WoDNgwbY6H51bfShqv0CErxatwWox3we4EcAmFHPVTCYL1oWVMGo +a3Eth91NZj+b/nGhF9lhHKGzXSv9brmLLkfvM1jA6XhNhA7BQ5Vz67lj2j3XfXdh +t/BU5pBXbL4Ut4mIhT1YnKXAjX2/LF5RHQTE8Vwkx5JAEKZyUEGOReD/B+7GOrLp +HduMT9vZAc5aR2k9I8qq1zBAzsL69lyQNAPaDYd1BIAjUety9gAYaSQffCgAgpRO +Gt+DYvxS+7AT/yEd5h74MU2AH7KrAkbXOtlwupiGwhMVTstncDJWXMJqbBhyHPF8 +3UmZH0hbL4PYmzSj9LDWQQXI2tv6vrCpfts3Cqhqxz9vRpgY7t1Wu6l/r+KxYYz3 +1pcGpPvRmPh0DJm7cPTiXqPnZcPt+ulSaSdlxmd19OnvG5awp0fXhxryZVwuiT8G +VDkhyARrxYrdjlINsZJZbQjO0t8ketXAELJOnbFXXzeCOosyOHkLwsqOO96AVJA8 +45ZVL5m95ClGy0RSrjVIkXsxTAMVG6SPAqKwk6vmTdRGuSPS4rhgckPVDHmccmuq +dfnT2YkX+wB2/M3oCgU+s30fAHGkbGZ0pCdNbFYFZLiH0iiMbTDl/0L/z7IdK0nH +GLHVE7apPraKC6xl6rPWsD2iSfrmtIPQa0+rqbIVvKP5JdfJ8J4alI+OxFw/znQe +V0/Rez0j22Fe119LZFFSXhRv+ZSvcq20xDwh00mzcumPWpYuCVPozA18yIhC9tNn +ALHndz0tDseIdy9vC71jQWy9iwri3ueN0DekMMF8JGzI1Z6BAFzgyAx3DkHtwHg7 +B7qD0jPG5hJ5+yt323fYgJsuEAYoZ8/jzZ01pkX8bt+UsVN0DGnSGsI2ktnIIk3J +l+8krjmUy6EaW79nITwoOqaeHOIp8m3UkjEcoKOYrzHRKqRy+A09rY+m/cAQaafW +4xp0Zv7qZPLwnu0jsqB4jD8Ll9yPB02ndsoV6U5PeHzTkVhPml19jKUAwFfs7TJg +kXy+/xFhYVUCAwEAATANBgkqhkiG9w0BAQsFAAOCBAIAAQnZY77pMNeypfpba2WK +aDasT7dk2JqP0eukJCVPTN24Zca+xJNPdzuBATm/8SdZK9lddIbjSnWRsKvTnO2r +/rYdlPf3jM5uuJtb8+Uwwe1s+gszelGS9G/lzzq+ehWicRIq2PFcs8o3iQMfENiv +qILJ+xjcrvms5ZPDNahWkfRx3KCg8Q+/at2n5p7XYjMPYiLKHnDC+RE2b1qT20IZ +FhuK/fTWLmKbfYFNNga6GC4qcaZJ7x0pbm4SDTYp0tkhzcHzwKhidfNB5J2vNz6l +Ur6wiYwamFTLqcOwWo7rdvI+sSn05WQBv0QZlzFX+OAu0l7WQ7yU+noOxBhjvHds +14+r9qcQZg2q9kG+evopYZqYXRUNNlZKo9MRBXhfrISulFAc5lRFQIXMXnglvAu+ +Ipz2gomEAOcOPNNVldhKAU94GAMJd/KfN0ZP7gX3YvPzuYU6XDhag5RTohXLm18w +5AF+ES3DOQ6ixu3DTf0D+6qrDuK+prdX8ivcdTQVNOQ+MIZeGSc6NWWOTaMGJ3lg +aZIxJUGdo6E7GBGiC1YTjgFKFbHzek1LRTh/LX3vbSudxwaG0HQxwsU9T4DWiMqa +Fkf2KteLEUA6HrR+0XlAZrhwoqAmrJ+8lCFX3V0gE9lpENfVHlFXDGyx10DpTB28 +DdjnY3F7EPWNzwf9P3oNT69CKW3Bk6VVr3ROOJtDxVu1ioWo3TaXltQ0VOnap2Pu +sa5wfrpfwBDuAS9JCDg4ttNp2nW3F7tgXC6xPqw5pvGwUppEw9XNrqV8TZrxduuv +rQ3NyZ7KSzIpmFlD3UwV/fGfz3UQmHS6Ng1evrUID9DjfYNfRqSGIGjDfxGtYD+j +Z1gLJZuhjJpNtwBkKRtlNtrCWCJK2hidK/foxwD7kwAPo2I9FjpltxCRywZUs07X +KwXTfBR9v6ij1LV6K58hFS+8ezZyZ05CeVBFkMQdclTOSfuPxlMkQOtjp8QWDj+F +j/MYziT5KBkHvcbrjdRtUJIAi4N7zCsPZtjik918AK1WBNRVqPbrgq/XSEXMfuvs +6JbfK0B76vdBDRtJFC1JsvnIrGbUztxXzyQwFLaR/AjVJqpVlysLWzPKWVX6/+SJ +u1NQOl2E8P6ycyBsuGnO89p0S4F8cMRcI2X1XQsZ7/q0NBrOMaEp5T3SrWo9GiQ3 +o2SBdbs3Y6MBPBtTu977Z/0RO63J3M5i2tjUiDfrFy7+VRLKr7qQ7JibohyB8QaR +9tedgjn2f+of7PnP/PEl1cCphUZeHM7QKUMPT8dbqwmKtlYY43EHXcvNOT5IBk3X +9lwJoZk/B2i+ZMRNSP34ztAwtxmasPt6RAWGQpWCn9qmttAHAnMfDqe7F7jVR6rS +u58= +-----END CERTIFICATE-----` + +func TestHandshakeRSATooBig(t *testing.T) { + testCert, _ := pem.Decode([]byte(largeRSAKeyCertPEM)) + + c := &Conn{conn: &discardConn{}, config: testConfig.Clone()} + + expectedErr := "tls: server sent certificate containing RSA key larger than 8192 bits" + err := c.verifyServerCertificate([][]byte{testCert.Bytes}) + if err == nil || err.Error() != expectedErr { + t.Errorf("Conn.verifyServerCertificate unexpected error: want %q, got %q", expectedErr, err) + } + + expectedErr = "tls: client sent certificate containing RSA key larger than 8192 bits" + err = c.processCertsFromClient(Certificate{Certificate: [][]byte{testCert.Bytes}}) + if err == nil || err.Error() != expectedErr { + t.Errorf("Conn.processCertsFromClient unexpected error: want %q, got %q", expectedErr, err) + } +} diff --git a/pkg/tls/handshake_client_tls13.go b/pkg/tls/handshake_client_tls13.go new file mode 100644 index 000000000..2f59f6888 --- /dev/null +++ b/pkg/tls/handshake_client_tls13.go @@ -0,0 +1,772 @@ +// Copyright 2018 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "bytes" + "context" + "crypto" + "crypto/ecdh" + "crypto/hmac" + "crypto/rsa" + "errors" + "hash" + "time" +) + +type clientHandshakeStateTLS13 struct { + c *Conn + ctx context.Context + serverHello *serverHelloMsg + hello *clientHelloMsg + ecdheKey *ecdh.PrivateKey + + session *SessionState + earlySecret []byte + binderKey []byte + + certReq *certificateRequestMsgTLS13 + usingPSK bool + sentDummyCCS bool + suite *cipherSuiteTLS13 + transcript hash.Hash + masterSecret []byte + trafficSecret []byte // client_application_traffic_secret_0 +} + +// handshake requires hs.c, hs.hello, hs.serverHello, hs.ecdheKey, and, +// optionally, hs.session, hs.earlySecret and hs.binderKey to be set. +func (hs *clientHandshakeStateTLS13) handshake() error { + c := hs.c + + if needFIPS() { + return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode") + } + + // The server must not select TLS 1.3 in a renegotiation. See RFC 8446, + // sections 4.1.2 and 4.1.3. + if c.handshakes > 0 { + c.sendAlert(alertProtocolVersion) + return errors.New("tls: server selected TLS 1.3 in a renegotiation") + } + + // Consistency check on the presence of a keyShare and its parameters. + if hs.ecdheKey == nil || len(hs.hello.keyShares) != 1 { + return c.sendAlert(alertInternalError) + } + + if err := hs.checkServerHelloOrHRR(); err != nil { + return err + } + + hs.transcript = hs.suite.hash.New() + + if err := transcriptMsg(hs.hello, hs.transcript); err != nil { + return err + } + + if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) { + if err := hs.sendDummyChangeCipherSpec(); err != nil { + return err + } + if err := hs.processHelloRetryRequest(); err != nil { + return err + } + } + + if err := transcriptMsg(hs.serverHello, hs.transcript); err != nil { + return err + } + + c.buffering = true + if err := hs.processServerHello(); err != nil { + return err + } + if err := hs.sendDummyChangeCipherSpec(); err != nil { + return err + } + if err := hs.establishHandshakeKeys(); err != nil { + return err + } + if err := hs.readServerParameters(); err != nil { + return err + } + if err := hs.readServerCertificate(); err != nil { + return err + } + if err := hs.readServerFinished(); err != nil { + return err + } + if err := hs.sendClientCertificate(); err != nil { + return err + } + if err := hs.sendClientFinished(); err != nil { + return err + } + if _, err := c.flush(); err != nil { + return err + } + + c.isHandshakeComplete.Store(true) + + return nil +} + +// checkServerHelloOrHRR does validity checks that apply to both ServerHello and +// HelloRetryRequest messages. It sets hs.suite. +func (hs *clientHandshakeStateTLS13) checkServerHelloOrHRR() error { + c := hs.c + + if hs.serverHello.supportedVersion == 0 { + c.sendAlert(alertMissingExtension) + return errors.New("tls: server selected TLS 1.3 using the legacy version field") + } + + if hs.serverHello.supportedVersion != VersionTLS13 { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: server selected an invalid version after a HelloRetryRequest") + } + + if hs.serverHello.vers != VersionTLS12 { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: server sent an incorrect legacy version") + } + + if hs.serverHello.ocspStapling || + hs.serverHello.ticketSupported || + hs.serverHello.extendedMasterSecret || + hs.serverHello.secureRenegotiationSupported || + len(hs.serverHello.secureRenegotiation) != 0 || + len(hs.serverHello.alpnProtocol) != 0 || + len(hs.serverHello.scts) != 0 { + c.sendAlert(alertUnsupportedExtension) + return errors.New("tls: server sent a ServerHello extension forbidden in TLS 1.3") + } + + if !bytes.Equal(hs.hello.sessionId, hs.serverHello.sessionId) { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: server did not echo the legacy session ID") + } + + if hs.serverHello.compressionMethod != compressionNone { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: server selected unsupported compression format") + } + + selectedSuite := mutualCipherSuiteTLS13(hs.hello.cipherSuites, hs.serverHello.cipherSuite) + if hs.suite != nil && selectedSuite != hs.suite { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: server changed cipher suite after a HelloRetryRequest") + } + if selectedSuite == nil { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: server chose an unconfigured cipher suite") + } + hs.suite = selectedSuite + c.cipherSuite = hs.suite.id + + return nil +} + +// sendDummyChangeCipherSpec sends a ChangeCipherSpec record for compatibility +// with middleboxes that didn't implement TLS correctly. See RFC 8446, Appendix D.4. +func (hs *clientHandshakeStateTLS13) sendDummyChangeCipherSpec() error { + if hs.c.quic != nil { + return nil + } + if hs.sentDummyCCS { + return nil + } + hs.sentDummyCCS = true + + return hs.c.writeChangeCipherRecord() +} + +// processHelloRetryRequest handles the HRR in hs.serverHello, modifies and +// resends hs.hello, and reads the new ServerHello into hs.serverHello. +func (hs *clientHandshakeStateTLS13) processHelloRetryRequest() error { + c := hs.c + + // The first ClientHello gets double-hashed into the transcript upon a + // HelloRetryRequest. (The idea is that the server might offload transcript + // storage to the client in the cookie.) See RFC 8446, Section 4.4.1. + chHash := hs.transcript.Sum(nil) + hs.transcript.Reset() + hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))}) + hs.transcript.Write(chHash) + if err := transcriptMsg(hs.serverHello, hs.transcript); err != nil { + return err + } + + // The only HelloRetryRequest extensions we support are key_share and + // cookie, and clients must abort the handshake if the HRR would not result + // in any change in the ClientHello. + if hs.serverHello.selectedGroup == 0 && hs.serverHello.cookie == nil { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: server sent an unnecessary HelloRetryRequest message") + } + + if hs.serverHello.cookie != nil { + hs.hello.cookie = hs.serverHello.cookie + } + + if hs.serverHello.serverShare.group != 0 { + c.sendAlert(alertDecodeError) + return errors.New("tls: received malformed key_share extension") + } + + // If the server sent a key_share extension selecting a group, ensure it's + // a group we advertised but did not send a key share for, and send a key + // share for it this time. + if curveID := hs.serverHello.selectedGroup; curveID != 0 { + curveOK := false + for _, id := range hs.hello.supportedCurves { + if id == curveID { + curveOK = true + break + } + } + if !curveOK { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: server selected unsupported group") + } + if sentID, _ := curveIDForCurve(hs.ecdheKey.Curve()); sentID == curveID { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: server sent an unnecessary HelloRetryRequest key_share") + } + if _, ok := curveForCurveID(curveID); !ok { + c.sendAlert(alertInternalError) + return errors.New("tls: CurvePreferences includes unsupported curve") + } + key, err := generateECDHEKey(c.config.rand(), curveID) + if err != nil { + c.sendAlert(alertInternalError) + return err + } + hs.ecdheKey = key + hs.hello.keyShares = []keyShare{{group: curveID, data: key.PublicKey().Bytes()}} + } + + hs.hello.raw = nil + if len(hs.hello.pskIdentities) > 0 { + pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite) + if pskSuite == nil { + return c.sendAlert(alertInternalError) + } + if pskSuite.hash == hs.suite.hash { + // Update binders and obfuscated_ticket_age. + ticketAge := c.config.time().Sub(time.Unix(int64(hs.session.createdAt), 0)) + hs.hello.pskIdentities[0].obfuscatedTicketAge = uint32(ticketAge/time.Millisecond) + hs.session.ageAdd + + transcript := hs.suite.hash.New() + transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))}) + transcript.Write(chHash) + if err := transcriptMsg(hs.serverHello, transcript); err != nil { + return err + } + helloBytes, err := hs.hello.marshalWithoutBinders() + if err != nil { + return err + } + transcript.Write(helloBytes) + pskBinders := [][]byte{hs.suite.finishedHash(hs.binderKey, transcript)} + if err := hs.hello.updateBinders(pskBinders); err != nil { + return err + } + } else { + // Server selected a cipher suite incompatible with the PSK. + hs.hello.pskIdentities = nil + hs.hello.pskBinders = nil + } + } + + if hs.hello.earlyData { + hs.hello.earlyData = false + c.quicRejectedEarlyData() + } + + if _, err := hs.c.writeHandshakeRecord(hs.hello, hs.transcript); err != nil { + return err + } + + // serverHelloMsg is not included in the transcript + msg, err := c.readHandshake(nil) + if err != nil { + return err + } + + serverHello, ok := msg.(*serverHelloMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(serverHello, msg) + } + hs.serverHello = serverHello + + if err := hs.checkServerHelloOrHRR(); err != nil { + return err + } + + return nil +} + +func (hs *clientHandshakeStateTLS13) processServerHello() error { + c := hs.c + + if bytes.Equal(hs.serverHello.random, helloRetryRequestRandom) { + c.sendAlert(alertUnexpectedMessage) + return errors.New("tls: server sent two HelloRetryRequest messages") + } + + if len(hs.serverHello.cookie) != 0 { + c.sendAlert(alertUnsupportedExtension) + return errors.New("tls: server sent a cookie in a normal ServerHello") + } + + if hs.serverHello.selectedGroup != 0 { + c.sendAlert(alertDecodeError) + return errors.New("tls: malformed key_share extension") + } + + if hs.serverHello.serverShare.group == 0 { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: server did not send a key share") + } + if sentID, _ := curveIDForCurve(hs.ecdheKey.Curve()); hs.serverHello.serverShare.group != sentID { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: server selected unsupported group") + } + + if !hs.serverHello.selectedIdentityPresent { + return nil + } + + if int(hs.serverHello.selectedIdentity) >= len(hs.hello.pskIdentities) { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: server selected an invalid PSK") + } + + if len(hs.hello.pskIdentities) != 1 || hs.session == nil { + return c.sendAlert(alertInternalError) + } + pskSuite := cipherSuiteTLS13ByID(hs.session.cipherSuite) + if pskSuite == nil { + return c.sendAlert(alertInternalError) + } + if pskSuite.hash != hs.suite.hash { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: server selected an invalid PSK and cipher suite pair") + } + + hs.usingPSK = true + c.didResume = true + c.peerCertificates = hs.session.peerCertificates + c.activeCertHandles = hs.session.activeCertHandles + c.verifiedChains = hs.session.verifiedChains + c.ocspResponse = hs.session.ocspResponse + c.scts = hs.session.scts + return nil +} + +func (hs *clientHandshakeStateTLS13) establishHandshakeKeys() error { + c := hs.c + + peerKey, err := hs.ecdheKey.Curve().NewPublicKey(hs.serverHello.serverShare.data) + if err != nil { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: invalid server key share") + } + sharedKey, err := hs.ecdheKey.ECDH(peerKey) + if err != nil { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: invalid server key share") + } + + earlySecret := hs.earlySecret + if !hs.usingPSK { + earlySecret = hs.suite.extract(nil, nil) + } + + handshakeSecret := hs.suite.extract(sharedKey, + hs.suite.deriveSecret(earlySecret, "derived", nil)) + + clientSecret := hs.suite.deriveSecret(handshakeSecret, + clientHandshakeTrafficLabel, hs.transcript) + c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret) + serverSecret := hs.suite.deriveSecret(handshakeSecret, + serverHandshakeTrafficLabel, hs.transcript) + c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret) + + if c.quic != nil { + if c.hand.Len() != 0 { + c.sendAlert(alertUnexpectedMessage) + } + c.quicSetWriteSecret(QUICEncryptionLevelHandshake, hs.suite.id, clientSecret) + c.quicSetReadSecret(QUICEncryptionLevelHandshake, hs.suite.id, serverSecret) + } + + err = c.config.writeKeyLog(keyLogLabelClientHandshake, hs.hello.random, clientSecret) + if err != nil { + c.sendAlert(alertInternalError) + return err + } + err = c.config.writeKeyLog(keyLogLabelServerHandshake, hs.hello.random, serverSecret) + if err != nil { + c.sendAlert(alertInternalError) + return err + } + + hs.masterSecret = hs.suite.extract(nil, + hs.suite.deriveSecret(handshakeSecret, "derived", nil)) + + return nil +} + +func (hs *clientHandshakeStateTLS13) readServerParameters() error { + c := hs.c + + msg, err := c.readHandshake(hs.transcript) + if err != nil { + return err + } + + encryptedExtensions, ok := msg.(*encryptedExtensionsMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(encryptedExtensions, msg) + } + + if err := checkALPN(hs.hello.alpnProtocols, encryptedExtensions.alpnProtocol, c.quic != nil); err != nil { + // RFC 8446 specifies that no_application_protocol is sent by servers, but + // does not specify how clients handle the selection of an incompatible protocol. + // RFC 9001 Section 8.1 specifies that QUIC clients send no_application_protocol + // in this case. Always sending no_application_protocol seems reasonable. + c.sendAlert(alertNoApplicationProtocol) + return err + } + c.clientProtocol = encryptedExtensions.alpnProtocol + + if c.quic != nil { + if encryptedExtensions.quicTransportParameters == nil { + // RFC 9001 Section 8.2. + c.sendAlert(alertMissingExtension) + return errors.New("tls: server did not send a quic_transport_parameters extension") + } + c.quicSetTransportParameters(encryptedExtensions.quicTransportParameters) + } else { + if encryptedExtensions.quicTransportParameters != nil { + c.sendAlert(alertUnsupportedExtension) + return errors.New("tls: server sent an unexpected quic_transport_parameters extension") + } + } + + if !hs.hello.earlyData && encryptedExtensions.earlyData { + c.sendAlert(alertUnsupportedExtension) + return errors.New("tls: server sent an unexpected early_data extension") + } + if hs.hello.earlyData && !encryptedExtensions.earlyData { + c.quicRejectedEarlyData() + } + if encryptedExtensions.earlyData { + if hs.session.cipherSuite != c.cipherSuite { + c.sendAlert(alertHandshakeFailure) + return errors.New("tls: server accepted 0-RTT with the wrong cipher suite") + } + if hs.session.alpnProtocol != c.clientProtocol { + c.sendAlert(alertHandshakeFailure) + return errors.New("tls: server accepted 0-RTT with the wrong ALPN") + } + } + + return nil +} + +func (hs *clientHandshakeStateTLS13) readServerCertificate() error { + c := hs.c + + // Either a PSK or a certificate is always used, but not both. + // See RFC 8446, Section 4.1.1. + if hs.usingPSK { + // Make sure the connection is still being verified whether or not this + // is a resumption. Resumptions currently don't reverify certificates so + // they don't call verifyServerCertificate. See Issue 31641. + if c.config.VerifyConnection != nil { + if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil { + c.sendAlert(alertBadCertificate) + return err + } + } + return nil + } + + msg, err := c.readHandshake(hs.transcript) + if err != nil { + return err + } + + certReq, ok := msg.(*certificateRequestMsgTLS13) + if ok { + hs.certReq = certReq + + msg, err = c.readHandshake(hs.transcript) + if err != nil { + return err + } + } + + certMsg, ok := msg.(*certificateMsgTLS13) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(certMsg, msg) + } + if len(certMsg.certificate.Certificate) == 0 { + c.sendAlert(alertDecodeError) + return errors.New("tls: received empty certificates message") + } + + c.scts = certMsg.certificate.SignedCertificateTimestamps + c.ocspResponse = certMsg.certificate.OCSPStaple + + if err := c.verifyServerCertificate(certMsg.certificate.Certificate); err != nil { + return err + } + + // certificateVerifyMsg is included in the transcript, but not until + // after we verify the handshake signature, since the state before + // this message was sent is used. + msg, err = c.readHandshake(nil) + if err != nil { + return err + } + + certVerify, ok := msg.(*certificateVerifyMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(certVerify, msg) + } + + // See RFC 8446, Section 4.4.3. + if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms()) { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: certificate used with invalid signature algorithm") + } + sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm) + if err != nil { + return c.sendAlert(alertInternalError) + } + if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: certificate used with invalid signature algorithm") + } + signed := signedMessage(sigHash, serverSignatureContext, hs.transcript) + if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey, + sigHash, signed, certVerify.signature); err != nil { + c.sendAlert(alertDecryptError) + return errors.New("tls: invalid signature by the server certificate: " + err.Error()) + } + + if err := transcriptMsg(certVerify, hs.transcript); err != nil { + return err + } + + return nil +} + +func (hs *clientHandshakeStateTLS13) readServerFinished() error { + c := hs.c + + // finishedMsg is included in the transcript, but not until after we + // check the client version, since the state before this message was + // sent is used during verification. + msg, err := c.readHandshake(nil) + if err != nil { + return err + } + + finished, ok := msg.(*finishedMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(finished, msg) + } + + expectedMAC := hs.suite.finishedHash(c.in.trafficSecret, hs.transcript) + if !hmac.Equal(expectedMAC, finished.verifyData) { + c.sendAlert(alertDecryptError) + return errors.New("tls: invalid server finished hash") + } + + if err := transcriptMsg(finished, hs.transcript); err != nil { + return err + } + + // Derive secrets that take context through the server Finished. + + hs.trafficSecret = hs.suite.deriveSecret(hs.masterSecret, + clientApplicationTrafficLabel, hs.transcript) + serverSecret := hs.suite.deriveSecret(hs.masterSecret, + serverApplicationTrafficLabel, hs.transcript) + c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret) + + err = c.config.writeKeyLog(keyLogLabelClientTraffic, hs.hello.random, hs.trafficSecret) + if err != nil { + c.sendAlert(alertInternalError) + return err + } + err = c.config.writeKeyLog(keyLogLabelServerTraffic, hs.hello.random, serverSecret) + if err != nil { + c.sendAlert(alertInternalError) + return err + } + + c.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript) + + return nil +} + +func (hs *clientHandshakeStateTLS13) sendClientCertificate() error { + c := hs.c + + if hs.certReq == nil { + return nil + } + + cert, err := c.getClientCertificate(&CertificateRequestInfo{ + AcceptableCAs: hs.certReq.certificateAuthorities, + SignatureSchemes: hs.certReq.supportedSignatureAlgorithms, + Version: c.vers, + ctx: hs.ctx, + }) + if err != nil { + return err + } + + certMsg := new(certificateMsgTLS13) + + certMsg.certificate = *cert + certMsg.scts = hs.certReq.scts && len(cert.SignedCertificateTimestamps) > 0 + certMsg.ocspStapling = hs.certReq.ocspStapling && len(cert.OCSPStaple) > 0 + + if _, err := hs.c.writeHandshakeRecord(certMsg, hs.transcript); err != nil { + return err + } + + // If we sent an empty certificate message, skip the CertificateVerify. + if len(cert.Certificate) == 0 { + return nil + } + + certVerifyMsg := new(certificateVerifyMsg) + certVerifyMsg.hasSignatureAlgorithm = true + + certVerifyMsg.signatureAlgorithm, err = selectSignatureScheme(c.vers, cert, hs.certReq.supportedSignatureAlgorithms) + if err != nil { + // getClientCertificate returned a certificate incompatible with the + // CertificateRequestInfo supported signature algorithms. + c.sendAlert(alertHandshakeFailure) + return err + } + + sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerifyMsg.signatureAlgorithm) + if err != nil { + return c.sendAlert(alertInternalError) + } + + signed := signedMessage(sigHash, clientSignatureContext, hs.transcript) + signOpts := crypto.SignerOpts(sigHash) + if sigType == signatureRSAPSS { + signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash} + } + sig, err := cert.PrivateKey.(crypto.Signer).Sign(c.config.rand(), signed, signOpts) + if err != nil { + c.sendAlert(alertInternalError) + return errors.New("tls: failed to sign handshake: " + err.Error()) + } + certVerifyMsg.signature = sig + + if _, err := hs.c.writeHandshakeRecord(certVerifyMsg, hs.transcript); err != nil { + return err + } + + return nil +} + +func (hs *clientHandshakeStateTLS13) sendClientFinished() error { + c := hs.c + + finished := &finishedMsg{ + verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript), + } + + if _, err := hs.c.writeHandshakeRecord(finished, hs.transcript); err != nil { + return err + } + + c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret) + + if !c.config.SessionTicketsDisabled && c.config.ClientSessionCache != nil { + c.resumptionSecret = hs.suite.deriveSecret(hs.masterSecret, + resumptionLabel, hs.transcript) + } + + if c.quic != nil { + if c.hand.Len() != 0 { + c.sendAlert(alertUnexpectedMessage) + } + c.quicSetWriteSecret(QUICEncryptionLevelApplication, hs.suite.id, hs.trafficSecret) + } + + return nil +} + +func (c *Conn) handleNewSessionTicket(msg *newSessionTicketMsgTLS13) error { + if !c.isClient { + c.sendAlert(alertUnexpectedMessage) + return errors.New("tls: received new session ticket from a client") + } + + if c.config.SessionTicketsDisabled || c.config.ClientSessionCache == nil { + return nil + } + + // See RFC 8446, Section 4.6.1. + if msg.lifetime == 0 { + return nil + } + lifetime := time.Duration(msg.lifetime) * time.Second + if lifetime > maxSessionTicketLifetime { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: received a session ticket with invalid lifetime") + } + + // RFC 9001, Section 4.6.1 + if c.quic != nil && msg.maxEarlyData != 0 && msg.maxEarlyData != 0xffffffff { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: invalid early data for QUIC connection") + } + + cipherSuite := cipherSuiteTLS13ByID(c.cipherSuite) + if cipherSuite == nil || c.resumptionSecret == nil { + return c.sendAlert(alertInternalError) + } + + psk := cipherSuite.expandLabel(c.resumptionSecret, "resumption", + msg.nonce, cipherSuite.hash.Size()) + + session, err := c.sessionState() + if err != nil { + c.sendAlert(alertInternalError) + return err + } + session.secret = psk + session.useBy = uint64(c.config.time().Add(lifetime).Unix()) + session.ageAdd = msg.ageAdd + session.EarlyData = c.quic != nil && msg.maxEarlyData == 0xffffffff // RFC 9001, Section 4.6.1 + cs := &ClientSessionState{ticket: msg.label, session: session} + + if cacheKey := c.clientSessionCacheKey(); cacheKey != "" { + c.config.ClientSessionCache.Put(cacheKey, cs) + } + + return nil +} diff --git a/pkg/tls/handshake_messages.go b/pkg/tls/handshake_messages.go new file mode 100644 index 000000000..a86055a06 --- /dev/null +++ b/pkg/tls/handshake_messages.go @@ -0,0 +1,1903 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "errors" + "fmt" + "strings" + + "golang.org/x/crypto/cryptobyte" +) + +// The marshalingFunction type is an adapter to allow the use of ordinary +// functions as cryptobyte.MarshalingValue. +type marshalingFunction func(b *cryptobyte.Builder) error + +func (f marshalingFunction) Marshal(b *cryptobyte.Builder) error { + return f(b) +} + +// addBytesWithLength appends a sequence of bytes to the cryptobyte.Builder. If +// the length of the sequence is not the value specified, it produces an error. +func addBytesWithLength(b *cryptobyte.Builder, v []byte, n int) { + b.AddValue(marshalingFunction(func(b *cryptobyte.Builder) error { + if len(v) != n { + return fmt.Errorf("invalid value length: expected %d, got %d", n, len(v)) + } + b.AddBytes(v) + return nil + })) +} + +// addUint64 appends a big-endian, 64-bit value to the cryptobyte.Builder. +func addUint64(b *cryptobyte.Builder, v uint64) { + b.AddUint32(uint32(v >> 32)) + b.AddUint32(uint32(v)) +} + +// readUint64 decodes a big-endian, 64-bit value into out and advances over it. +// It reports whether the read was successful. +func readUint64(s *cryptobyte.String, out *uint64) bool { + var hi, lo uint32 + if !s.ReadUint32(&hi) || !s.ReadUint32(&lo) { + return false + } + *out = uint64(hi)<<32 | uint64(lo) + return true +} + +// readUint8LengthPrefixed acts like s.ReadUint8LengthPrefixed, but targets a +// []byte instead of a cryptobyte.String. +func readUint8LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { + return s.ReadUint8LengthPrefixed((*cryptobyte.String)(out)) +} + +// readUint16LengthPrefixed acts like s.ReadUint16LengthPrefixed, but targets a +// []byte instead of a cryptobyte.String. +func readUint16LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { + return s.ReadUint16LengthPrefixed((*cryptobyte.String)(out)) +} + +// readUint24LengthPrefixed acts like s.ReadUint24LengthPrefixed, but targets a +// []byte instead of a cryptobyte.String. +func readUint24LengthPrefixed(s *cryptobyte.String, out *[]byte) bool { + return s.ReadUint24LengthPrefixed((*cryptobyte.String)(out)) +} + +type clientHelloMsg struct { + raw []byte + vers uint16 + random []byte + sessionId []byte + cipherSuites []uint16 + compressionMethods []uint8 + serverName string + ocspStapling bool + supportedCurves []CurveID + supportedPoints []uint8 + ticketSupported bool + sessionTicket []uint8 + supportedSignatureAlgorithms []SignatureScheme + supportedSignatureAlgorithmsCert []SignatureScheme + secureRenegotiationSupported bool + secureRenegotiation []byte + extendedMasterSecret bool + alpnProtocols []string + scts bool + supportedVersions []uint16 + cookie []byte + keyShares []keyShare + earlyData bool + pskModes []uint8 + pskIdentities []pskIdentity + pskBinders [][]byte + quicTransportParameters []byte +} + +func (m *clientHelloMsg) marshal() ([]byte, error) { + if m.raw != nil { + return m.raw, nil + } + + var exts cryptobyte.Builder + if len(m.serverName) > 0 { + // RFC 6066, Section 3 + exts.AddUint16(extensionServerName) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint8(0) // name_type = host_name + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddBytes([]byte(m.serverName)) + }) + }) + }) + } + if m.ocspStapling { + // RFC 4366, Section 3.6 + exts.AddUint16(extensionStatusRequest) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint8(1) // status_type = ocsp + exts.AddUint16(0) // empty responder_id_list + exts.AddUint16(0) // empty request_extensions + }) + } + if len(m.supportedCurves) > 0 { + // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 + exts.AddUint16(extensionSupportedCurves) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + for _, curve := range m.supportedCurves { + exts.AddUint16(uint16(curve)) + } + }) + }) + } + if len(m.supportedPoints) > 0 { + // RFC 4492, Section 5.1.2 + exts.AddUint16(extensionSupportedPoints) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddBytes(m.supportedPoints) + }) + }) + } + if m.ticketSupported { + // RFC 5077, Section 3.2 + exts.AddUint16(extensionSessionTicket) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddBytes(m.sessionTicket) + }) + } + if len(m.supportedSignatureAlgorithms) > 0 { + // RFC 5246, Section 7.4.1.4.1 + exts.AddUint16(extensionSignatureAlgorithms) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + for _, sigAlgo := range m.supportedSignatureAlgorithms { + exts.AddUint16(uint16(sigAlgo)) + } + }) + }) + } + if len(m.supportedSignatureAlgorithmsCert) > 0 { + // RFC 8446, Section 4.2.3 + exts.AddUint16(extensionSignatureAlgorithmsCert) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { + exts.AddUint16(uint16(sigAlgo)) + } + }) + }) + } + if m.secureRenegotiationSupported { + // RFC 5746, Section 3.2 + exts.AddUint16(extensionRenegotiationInfo) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddBytes(m.secureRenegotiation) + }) + }) + } + if m.extendedMasterSecret { + // RFC 7627 + exts.AddUint16(extensionExtendedMasterSecret) + exts.AddUint16(0) // empty extension_data + } + if len(m.alpnProtocols) > 0 { + // RFC 7301, Section 3.1 + exts.AddUint16(extensionALPN) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + for _, proto := range m.alpnProtocols { + exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddBytes([]byte(proto)) + }) + } + }) + }) + } + if m.scts { + // RFC 6962, Section 3.3.1 + exts.AddUint16(extensionSCT) + exts.AddUint16(0) // empty extension_data + } + if len(m.supportedVersions) > 0 { + // RFC 8446, Section 4.2.1 + exts.AddUint16(extensionSupportedVersions) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { + for _, vers := range m.supportedVersions { + exts.AddUint16(vers) + } + }) + }) + } + if len(m.cookie) > 0 { + // RFC 8446, Section 4.2.2 + exts.AddUint16(extensionCookie) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddBytes(m.cookie) + }) + }) + } + if len(m.keyShares) > 0 { + // RFC 8446, Section 4.2.8 + exts.AddUint16(extensionKeyShare) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + for _, ks := range m.keyShares { + exts.AddUint16(uint16(ks.group)) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddBytes(ks.data) + }) + } + }) + }) + } + if m.earlyData { + // RFC 8446, Section 4.2.10 + exts.AddUint16(extensionEarlyData) + exts.AddUint16(0) // empty extension_data + } + if len(m.pskModes) > 0 { + // RFC 8446, Section 4.2.9 + exts.AddUint16(extensionPSKModes) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddBytes(m.pskModes) + }) + }) + } + if m.quicTransportParameters != nil { // marshal zero-length parameters when present + // RFC 9001, Section 8.2 + exts.AddUint16(extensionQUICTransportParameters) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddBytes(m.quicTransportParameters) + }) + } + if len(m.pskIdentities) > 0 { // pre_shared_key must be the last extension + // RFC 8446, Section 4.2.11 + exts.AddUint16(extensionPreSharedKey) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + for _, psk := range m.pskIdentities { + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddBytes(psk.label) + }) + exts.AddUint32(psk.obfuscatedTicketAge) + } + }) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + for _, binder := range m.pskBinders { + exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddBytes(binder) + }) + } + }) + }) + } + extBytes, err := exts.Bytes() + if err != nil { + return nil, err + } + + var b cryptobyte.Builder + b.AddUint8(typeClientHello) + b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddUint16(m.vers) + addBytesWithLength(b, m.random, 32) + b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(m.sessionId) + }) + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + for _, suite := range m.cipherSuites { + b.AddUint16(suite) + } + }) + b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(m.compressionMethods) + }) + + if len(extBytes) > 0 { + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(extBytes) + }) + } + }) + + m.raw, err = b.Bytes() + return m.raw, err +} + +// marshalWithoutBinders returns the ClientHello through the +// PreSharedKeyExtension.identities field, according to RFC 8446, Section +// 4.2.11.2. Note that m.pskBinders must be set to slices of the correct length. +func (m *clientHelloMsg) marshalWithoutBinders() ([]byte, error) { + bindersLen := 2 // uint16 length prefix + for _, binder := range m.pskBinders { + bindersLen += 1 // uint8 length prefix + bindersLen += len(binder) + } + + fullMessage, err := m.marshal() + if err != nil { + return nil, err + } + return fullMessage[:len(fullMessage)-bindersLen], nil +} + +// updateBinders updates the m.pskBinders field, if necessary updating the +// cached marshaled representation. The supplied binders must have the same +// length as the current m.pskBinders. +func (m *clientHelloMsg) updateBinders(pskBinders [][]byte) error { + if len(pskBinders) != len(m.pskBinders) { + return errors.New("tls: internal error: pskBinders length mismatch") + } + for i := range m.pskBinders { + if len(pskBinders[i]) != len(m.pskBinders[i]) { + return errors.New("tls: internal error: pskBinders length mismatch") + } + } + m.pskBinders = pskBinders + if m.raw != nil { + helloBytes, err := m.marshalWithoutBinders() + if err != nil { + return err + } + lenWithoutBinders := len(helloBytes) + b := cryptobyte.NewFixedBuilder(m.raw[:lenWithoutBinders]) + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + for _, binder := range m.pskBinders { + b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(binder) + }) + } + }) + if out, err := b.Bytes(); err != nil || len(out) != len(m.raw) { + return errors.New("tls: internal error: failed to update binders") + } + } + + return nil +} + +func (m *clientHelloMsg) unmarshal(data []byte) bool { + *m = clientHelloMsg{raw: data} + s := cryptobyte.String(data) + + if !s.Skip(4) || // message type and uint24 length field + !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) || + !readUint8LengthPrefixed(&s, &m.sessionId) { + return false + } + + var cipherSuites cryptobyte.String + if !s.ReadUint16LengthPrefixed(&cipherSuites) { + return false + } + m.cipherSuites = []uint16{} + m.secureRenegotiationSupported = false + for !cipherSuites.Empty() { + var suite uint16 + if !cipherSuites.ReadUint16(&suite) { + return false + } + if suite == scsvRenegotiation { + m.secureRenegotiationSupported = true + } + m.cipherSuites = append(m.cipherSuites, suite) + } + + if !readUint8LengthPrefixed(&s, &m.compressionMethods) { + return false + } + + if s.Empty() { + // ClientHello is optionally followed by extension data + return true + } + + var extensions cryptobyte.String + if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { + return false + } + + seenExts := make(map[uint16]bool) + for !extensions.Empty() { + var extension uint16 + var extData cryptobyte.String + if !extensions.ReadUint16(&extension) || + !extensions.ReadUint16LengthPrefixed(&extData) { + return false + } + + if seenExts[extension] { + return false + } + seenExts[extension] = true + + switch extension { + case extensionServerName: + // RFC 6066, Section 3 + var nameList cryptobyte.String + if !extData.ReadUint16LengthPrefixed(&nameList) || nameList.Empty() { + return false + } + for !nameList.Empty() { + var nameType uint8 + var serverName cryptobyte.String + if !nameList.ReadUint8(&nameType) || + !nameList.ReadUint16LengthPrefixed(&serverName) || + serverName.Empty() { + return false + } + if nameType != 0 { + continue + } + if len(m.serverName) != 0 { + // Multiple names of the same name_type are prohibited. + return false + } + m.serverName = string(serverName) + // An SNI value may not include a trailing dot. + if strings.HasSuffix(m.serverName, ".") { + return false + } + } + case extensionStatusRequest: + // RFC 4366, Section 3.6 + var statusType uint8 + var ignored cryptobyte.String + if !extData.ReadUint8(&statusType) || + !extData.ReadUint16LengthPrefixed(&ignored) || + !extData.ReadUint16LengthPrefixed(&ignored) { + return false + } + m.ocspStapling = statusType == statusTypeOCSP + case extensionSupportedCurves: + // RFC 4492, sections 5.1.1 and RFC 8446, Section 4.2.7 + var curves cryptobyte.String + if !extData.ReadUint16LengthPrefixed(&curves) || curves.Empty() { + return false + } + for !curves.Empty() { + var curve uint16 + if !curves.ReadUint16(&curve) { + return false + } + m.supportedCurves = append(m.supportedCurves, CurveID(curve)) + } + case extensionSupportedPoints: + // RFC 4492, Section 5.1.2 + if !readUint8LengthPrefixed(&extData, &m.supportedPoints) || + len(m.supportedPoints) == 0 { + return false + } + case extensionSessionTicket: + // RFC 5077, Section 3.2 + m.ticketSupported = true + extData.ReadBytes(&m.sessionTicket, len(extData)) + case extensionSignatureAlgorithms: + // RFC 5246, Section 7.4.1.4.1 + var sigAndAlgs cryptobyte.String + if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { + return false + } + for !sigAndAlgs.Empty() { + var sigAndAlg uint16 + if !sigAndAlgs.ReadUint16(&sigAndAlg) { + return false + } + m.supportedSignatureAlgorithms = append( + m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg)) + } + case extensionSignatureAlgorithmsCert: + // RFC 8446, Section 4.2.3 + var sigAndAlgs cryptobyte.String + if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { + return false + } + for !sigAndAlgs.Empty() { + var sigAndAlg uint16 + if !sigAndAlgs.ReadUint16(&sigAndAlg) { + return false + } + m.supportedSignatureAlgorithmsCert = append( + m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg)) + } + case extensionRenegotiationInfo: + // RFC 5746, Section 3.2 + if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) { + return false + } + m.secureRenegotiationSupported = true + case extensionExtendedMasterSecret: + // RFC 7627 + m.extendedMasterSecret = true + case extensionALPN: + // RFC 7301, Section 3.1 + var protoList cryptobyte.String + if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { + return false + } + for !protoList.Empty() { + var proto cryptobyte.String + if !protoList.ReadUint8LengthPrefixed(&proto) || proto.Empty() { + return false + } + m.alpnProtocols = append(m.alpnProtocols, string(proto)) + } + case extensionSCT: + // RFC 6962, Section 3.3.1 + m.scts = true + case extensionSupportedVersions: + // RFC 8446, Section 4.2.1 + var versList cryptobyte.String + if !extData.ReadUint8LengthPrefixed(&versList) || versList.Empty() { + return false + } + for !versList.Empty() { + var vers uint16 + if !versList.ReadUint16(&vers) { + return false + } + m.supportedVersions = append(m.supportedVersions, vers) + } + case extensionCookie: + // RFC 8446, Section 4.2.2 + if !readUint16LengthPrefixed(&extData, &m.cookie) || + len(m.cookie) == 0 { + return false + } + case extensionKeyShare: + // RFC 8446, Section 4.2.8 + var clientShares cryptobyte.String + if !extData.ReadUint16LengthPrefixed(&clientShares) { + return false + } + for !clientShares.Empty() { + var ks keyShare + if !clientShares.ReadUint16((*uint16)(&ks.group)) || + !readUint16LengthPrefixed(&clientShares, &ks.data) || + len(ks.data) == 0 { + return false + } + m.keyShares = append(m.keyShares, ks) + } + case extensionEarlyData: + // RFC 8446, Section 4.2.10 + m.earlyData = true + case extensionPSKModes: + // RFC 8446, Section 4.2.9 + if !readUint8LengthPrefixed(&extData, &m.pskModes) { + return false + } + case extensionQUICTransportParameters: + m.quicTransportParameters = make([]byte, len(extData)) + if !extData.CopyBytes(m.quicTransportParameters) { + return false + } + case extensionPreSharedKey: + // RFC 8446, Section 4.2.11 + if !extensions.Empty() { + return false // pre_shared_key must be the last extension + } + var identities cryptobyte.String + if !extData.ReadUint16LengthPrefixed(&identities) || identities.Empty() { + return false + } + for !identities.Empty() { + var psk pskIdentity + if !readUint16LengthPrefixed(&identities, &psk.label) || + !identities.ReadUint32(&psk.obfuscatedTicketAge) || + len(psk.label) == 0 { + return false + } + m.pskIdentities = append(m.pskIdentities, psk) + } + var binders cryptobyte.String + if !extData.ReadUint16LengthPrefixed(&binders) || binders.Empty() { + return false + } + for !binders.Empty() { + var binder []byte + if !readUint8LengthPrefixed(&binders, &binder) || + len(binder) == 0 { + return false + } + m.pskBinders = append(m.pskBinders, binder) + } + default: + // Ignore unknown extensions. + continue + } + + if !extData.Empty() { + return false + } + } + + return true +} + +type serverHelloMsg struct { + raw []byte + vers uint16 + random []byte + sessionId []byte + cipherSuite uint16 + compressionMethod uint8 + ocspStapling bool + ticketSupported bool + secureRenegotiationSupported bool + secureRenegotiation []byte + extendedMasterSecret bool + alpnProtocol string + scts [][]byte + supportedVersion uint16 + serverShare keyShare + selectedIdentityPresent bool + selectedIdentity uint16 + supportedPoints []uint8 + + // HelloRetryRequest extensions + cookie []byte + selectedGroup CurveID +} + +func (m *serverHelloMsg) marshal() ([]byte, error) { + if m.raw != nil { + return m.raw, nil + } + + var exts cryptobyte.Builder + if m.ocspStapling { + exts.AddUint16(extensionStatusRequest) + exts.AddUint16(0) // empty extension_data + } + if m.ticketSupported { + exts.AddUint16(extensionSessionTicket) + exts.AddUint16(0) // empty extension_data + } + if m.secureRenegotiationSupported { + exts.AddUint16(extensionRenegotiationInfo) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddBytes(m.secureRenegotiation) + }) + }) + } + if m.extendedMasterSecret { + exts.AddUint16(extensionExtendedMasterSecret) + exts.AddUint16(0) // empty extension_data + } + if len(m.alpnProtocol) > 0 { + exts.AddUint16(extensionALPN) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddBytes([]byte(m.alpnProtocol)) + }) + }) + }) + } + if len(m.scts) > 0 { + exts.AddUint16(extensionSCT) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + for _, sct := range m.scts { + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddBytes(sct) + }) + } + }) + }) + } + if m.supportedVersion != 0 { + exts.AddUint16(extensionSupportedVersions) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint16(m.supportedVersion) + }) + } + if m.serverShare.group != 0 { + exts.AddUint16(extensionKeyShare) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint16(uint16(m.serverShare.group)) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddBytes(m.serverShare.data) + }) + }) + } + if m.selectedIdentityPresent { + exts.AddUint16(extensionPreSharedKey) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint16(m.selectedIdentity) + }) + } + + if len(m.cookie) > 0 { + exts.AddUint16(extensionCookie) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddBytes(m.cookie) + }) + }) + } + if m.selectedGroup != 0 { + exts.AddUint16(extensionKeyShare) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint16(uint16(m.selectedGroup)) + }) + } + if len(m.supportedPoints) > 0 { + exts.AddUint16(extensionSupportedPoints) + exts.AddUint16LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddUint8LengthPrefixed(func(exts *cryptobyte.Builder) { + exts.AddBytes(m.supportedPoints) + }) + }) + } + + extBytes, err := exts.Bytes() + if err != nil { + return nil, err + } + + var b cryptobyte.Builder + b.AddUint8(typeServerHello) + b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddUint16(m.vers) + addBytesWithLength(b, m.random, 32) + b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(m.sessionId) + }) + b.AddUint16(m.cipherSuite) + b.AddUint8(m.compressionMethod) + + if len(extBytes) > 0 { + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(extBytes) + }) + } + }) + + m.raw, err = b.Bytes() + return m.raw, err +} + +func (m *serverHelloMsg) unmarshal(data []byte) bool { + *m = serverHelloMsg{raw: data} + s := cryptobyte.String(data) + + if !s.Skip(4) || // message type and uint24 length field + !s.ReadUint16(&m.vers) || !s.ReadBytes(&m.random, 32) || + !readUint8LengthPrefixed(&s, &m.sessionId) || + !s.ReadUint16(&m.cipherSuite) || + !s.ReadUint8(&m.compressionMethod) { + return false + } + + if s.Empty() { + // ServerHello is optionally followed by extension data + return true + } + + var extensions cryptobyte.String + if !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { + return false + } + + seenExts := make(map[uint16]bool) + for !extensions.Empty() { + var extension uint16 + var extData cryptobyte.String + if !extensions.ReadUint16(&extension) || + !extensions.ReadUint16LengthPrefixed(&extData) { + return false + } + + if seenExts[extension] { + return false + } + seenExts[extension] = true + + switch extension { + case extensionStatusRequest: + m.ocspStapling = true + case extensionSessionTicket: + m.ticketSupported = true + case extensionRenegotiationInfo: + if !readUint8LengthPrefixed(&extData, &m.secureRenegotiation) { + return false + } + m.secureRenegotiationSupported = true + case extensionExtendedMasterSecret: + m.extendedMasterSecret = true + case extensionALPN: + var protoList cryptobyte.String + if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { + return false + } + var proto cryptobyte.String + if !protoList.ReadUint8LengthPrefixed(&proto) || + proto.Empty() || !protoList.Empty() { + return false + } + m.alpnProtocol = string(proto) + case extensionSCT: + var sctList cryptobyte.String + if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() { + return false + } + for !sctList.Empty() { + var sct []byte + if !readUint16LengthPrefixed(&sctList, &sct) || + len(sct) == 0 { + return false + } + m.scts = append(m.scts, sct) + } + case extensionSupportedVersions: + if !extData.ReadUint16(&m.supportedVersion) { + return false + } + case extensionCookie: + if !readUint16LengthPrefixed(&extData, &m.cookie) || + len(m.cookie) == 0 { + return false + } + case extensionKeyShare: + // This extension has different formats in SH and HRR, accept either + // and let the handshake logic decide. See RFC 8446, Section 4.2.8. + if len(extData) == 2 { + if !extData.ReadUint16((*uint16)(&m.selectedGroup)) { + return false + } + } else { + if !extData.ReadUint16((*uint16)(&m.serverShare.group)) || + !readUint16LengthPrefixed(&extData, &m.serverShare.data) { + return false + } + } + case extensionPreSharedKey: + m.selectedIdentityPresent = true + if !extData.ReadUint16(&m.selectedIdentity) { + return false + } + case extensionSupportedPoints: + // RFC 4492, Section 5.1.2 + if !readUint8LengthPrefixed(&extData, &m.supportedPoints) || + len(m.supportedPoints) == 0 { + return false + } + default: + // Ignore unknown extensions. + continue + } + + if !extData.Empty() { + return false + } + } + + return true +} + +type encryptedExtensionsMsg struct { + raw []byte + alpnProtocol string + quicTransportParameters []byte + earlyData bool +} + +func (m *encryptedExtensionsMsg) marshal() ([]byte, error) { + if m.raw != nil { + return m.raw, nil + } + + var b cryptobyte.Builder + b.AddUint8(typeEncryptedExtensions) + b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + if len(m.alpnProtocol) > 0 { + b.AddUint16(extensionALPN) + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes([]byte(m.alpnProtocol)) + }) + }) + }) + } + if m.quicTransportParameters != nil { // marshal zero-length parameters when present + // draft-ietf-quic-tls-32, Section 8.2 + b.AddUint16(extensionQUICTransportParameters) + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(m.quicTransportParameters) + }) + } + if m.earlyData { + // RFC 8446, Section 4.2.10 + b.AddUint16(extensionEarlyData) + b.AddUint16(0) // empty extension_data + } + }) + }) + + var err error + m.raw, err = b.Bytes() + return m.raw, err +} + +func (m *encryptedExtensionsMsg) unmarshal(data []byte) bool { + *m = encryptedExtensionsMsg{raw: data} + s := cryptobyte.String(data) + + var extensions cryptobyte.String + if !s.Skip(4) || // message type and uint24 length field + !s.ReadUint16LengthPrefixed(&extensions) || !s.Empty() { + return false + } + + for !extensions.Empty() { + var extension uint16 + var extData cryptobyte.String + if !extensions.ReadUint16(&extension) || + !extensions.ReadUint16LengthPrefixed(&extData) { + return false + } + + switch extension { + case extensionALPN: + var protoList cryptobyte.String + if !extData.ReadUint16LengthPrefixed(&protoList) || protoList.Empty() { + return false + } + var proto cryptobyte.String + if !protoList.ReadUint8LengthPrefixed(&proto) || + proto.Empty() || !protoList.Empty() { + return false + } + m.alpnProtocol = string(proto) + case extensionQUICTransportParameters: + m.quicTransportParameters = make([]byte, len(extData)) + if !extData.CopyBytes(m.quicTransportParameters) { + return false + } + case extensionEarlyData: + // RFC 8446, Section 4.2.10 + m.earlyData = true + default: + // Ignore unknown extensions. + continue + } + + if !extData.Empty() { + return false + } + } + + return true +} + +type endOfEarlyDataMsg struct{} + +func (m *endOfEarlyDataMsg) marshal() ([]byte, error) { + x := make([]byte, 4) + x[0] = typeEndOfEarlyData + return x, nil +} + +func (m *endOfEarlyDataMsg) unmarshal(data []byte) bool { + return len(data) == 4 +} + +type keyUpdateMsg struct { + raw []byte + updateRequested bool +} + +func (m *keyUpdateMsg) marshal() ([]byte, error) { + if m.raw != nil { + return m.raw, nil + } + + var b cryptobyte.Builder + b.AddUint8(typeKeyUpdate) + b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { + if m.updateRequested { + b.AddUint8(1) + } else { + b.AddUint8(0) + } + }) + + var err error + m.raw, err = b.Bytes() + return m.raw, err +} + +func (m *keyUpdateMsg) unmarshal(data []byte) bool { + m.raw = data + s := cryptobyte.String(data) + + var updateRequested uint8 + if !s.Skip(4) || // message type and uint24 length field + !s.ReadUint8(&updateRequested) || !s.Empty() { + return false + } + switch updateRequested { + case 0: + m.updateRequested = false + case 1: + m.updateRequested = true + default: + return false + } + return true +} + +type newSessionTicketMsgTLS13 struct { + raw []byte + lifetime uint32 + ageAdd uint32 + nonce []byte + label []byte + maxEarlyData uint32 +} + +func (m *newSessionTicketMsgTLS13) marshal() ([]byte, error) { + if m.raw != nil { + return m.raw, nil + } + + var b cryptobyte.Builder + b.AddUint8(typeNewSessionTicket) + b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddUint32(m.lifetime) + b.AddUint32(m.ageAdd) + b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(m.nonce) + }) + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(m.label) + }) + + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + if m.maxEarlyData > 0 { + b.AddUint16(extensionEarlyData) + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddUint32(m.maxEarlyData) + }) + } + }) + }) + + var err error + m.raw, err = b.Bytes() + return m.raw, err +} + +func (m *newSessionTicketMsgTLS13) unmarshal(data []byte) bool { + *m = newSessionTicketMsgTLS13{raw: data} + s := cryptobyte.String(data) + + var extensions cryptobyte.String + if !s.Skip(4) || // message type and uint24 length field + !s.ReadUint32(&m.lifetime) || + !s.ReadUint32(&m.ageAdd) || + !readUint8LengthPrefixed(&s, &m.nonce) || + !readUint16LengthPrefixed(&s, &m.label) || + !s.ReadUint16LengthPrefixed(&extensions) || + !s.Empty() { + return false + } + + for !extensions.Empty() { + var extension uint16 + var extData cryptobyte.String + if !extensions.ReadUint16(&extension) || + !extensions.ReadUint16LengthPrefixed(&extData) { + return false + } + + switch extension { + case extensionEarlyData: + if !extData.ReadUint32(&m.maxEarlyData) { + return false + } + default: + // Ignore unknown extensions. + continue + } + + if !extData.Empty() { + return false + } + } + + return true +} + +type certificateRequestMsgTLS13 struct { + raw []byte + ocspStapling bool + scts bool + supportedSignatureAlgorithms []SignatureScheme + supportedSignatureAlgorithmsCert []SignatureScheme + certificateAuthorities [][]byte +} + +func (m *certificateRequestMsgTLS13) marshal() ([]byte, error) { + if m.raw != nil { + return m.raw, nil + } + + var b cryptobyte.Builder + b.AddUint8(typeCertificateRequest) + b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { + // certificate_request_context (SHALL be zero length unless used for + // post-handshake authentication) + b.AddUint8(0) + + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + if m.ocspStapling { + b.AddUint16(extensionStatusRequest) + b.AddUint16(0) // empty extension_data + } + if m.scts { + // RFC 8446, Section 4.4.2.1 makes no mention of + // signed_certificate_timestamp in CertificateRequest, but + // "Extensions in the Certificate message from the client MUST + // correspond to extensions in the CertificateRequest message + // from the server." and it appears in the table in Section 4.2. + b.AddUint16(extensionSCT) + b.AddUint16(0) // empty extension_data + } + if len(m.supportedSignatureAlgorithms) > 0 { + b.AddUint16(extensionSignatureAlgorithms) + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + for _, sigAlgo := range m.supportedSignatureAlgorithms { + b.AddUint16(uint16(sigAlgo)) + } + }) + }) + } + if len(m.supportedSignatureAlgorithmsCert) > 0 { + b.AddUint16(extensionSignatureAlgorithmsCert) + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + for _, sigAlgo := range m.supportedSignatureAlgorithmsCert { + b.AddUint16(uint16(sigAlgo)) + } + }) + }) + } + if len(m.certificateAuthorities) > 0 { + b.AddUint16(extensionCertificateAuthorities) + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + for _, ca := range m.certificateAuthorities { + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(ca) + }) + } + }) + }) + } + }) + }) + + var err error + m.raw, err = b.Bytes() + return m.raw, err +} + +func (m *certificateRequestMsgTLS13) unmarshal(data []byte) bool { + *m = certificateRequestMsgTLS13{raw: data} + s := cryptobyte.String(data) + + var context, extensions cryptobyte.String + if !s.Skip(4) || // message type and uint24 length field + !s.ReadUint8LengthPrefixed(&context) || !context.Empty() || + !s.ReadUint16LengthPrefixed(&extensions) || + !s.Empty() { + return false + } + + for !extensions.Empty() { + var extension uint16 + var extData cryptobyte.String + if !extensions.ReadUint16(&extension) || + !extensions.ReadUint16LengthPrefixed(&extData) { + return false + } + + switch extension { + case extensionStatusRequest: + m.ocspStapling = true + case extensionSCT: + m.scts = true + case extensionSignatureAlgorithms: + var sigAndAlgs cryptobyte.String + if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { + return false + } + for !sigAndAlgs.Empty() { + var sigAndAlg uint16 + if !sigAndAlgs.ReadUint16(&sigAndAlg) { + return false + } + m.supportedSignatureAlgorithms = append( + m.supportedSignatureAlgorithms, SignatureScheme(sigAndAlg)) + } + case extensionSignatureAlgorithmsCert: + var sigAndAlgs cryptobyte.String + if !extData.ReadUint16LengthPrefixed(&sigAndAlgs) || sigAndAlgs.Empty() { + return false + } + for !sigAndAlgs.Empty() { + var sigAndAlg uint16 + if !sigAndAlgs.ReadUint16(&sigAndAlg) { + return false + } + m.supportedSignatureAlgorithmsCert = append( + m.supportedSignatureAlgorithmsCert, SignatureScheme(sigAndAlg)) + } + case extensionCertificateAuthorities: + var auths cryptobyte.String + if !extData.ReadUint16LengthPrefixed(&auths) || auths.Empty() { + return false + } + for !auths.Empty() { + var ca []byte + if !readUint16LengthPrefixed(&auths, &ca) || len(ca) == 0 { + return false + } + m.certificateAuthorities = append(m.certificateAuthorities, ca) + } + default: + // Ignore unknown extensions. + continue + } + + if !extData.Empty() { + return false + } + } + + return true +} + +type certificateMsg struct { + raw []byte + certificates [][]byte +} + +func (m *certificateMsg) marshal() ([]byte, error) { + if m.raw != nil { + return m.raw, nil + } + + var i int + for _, slice := range m.certificates { + i += len(slice) + } + + length := 3 + 3*len(m.certificates) + i + x := make([]byte, 4+length) + x[0] = typeCertificate + x[1] = uint8(length >> 16) + x[2] = uint8(length >> 8) + x[3] = uint8(length) + + certificateOctets := length - 3 + x[4] = uint8(certificateOctets >> 16) + x[5] = uint8(certificateOctets >> 8) + x[6] = uint8(certificateOctets) + + y := x[7:] + for _, slice := range m.certificates { + y[0] = uint8(len(slice) >> 16) + y[1] = uint8(len(slice) >> 8) + y[2] = uint8(len(slice)) + copy(y[3:], slice) + y = y[3+len(slice):] + } + + m.raw = x + return m.raw, nil +} + +func (m *certificateMsg) unmarshal(data []byte) bool { + if len(data) < 7 { + return false + } + + m.raw = data + certsLen := uint32(data[4])<<16 | uint32(data[5])<<8 | uint32(data[6]) + if uint32(len(data)) != certsLen+7 { + return false + } + + numCerts := 0 + d := data[7:] + for certsLen > 0 { + if len(d) < 4 { + return false + } + certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) + if uint32(len(d)) < 3+certLen { + return false + } + d = d[3+certLen:] + certsLen -= 3 + certLen + numCerts++ + } + + m.certificates = make([][]byte, numCerts) + d = data[7:] + for i := 0; i < numCerts; i++ { + certLen := uint32(d[0])<<16 | uint32(d[1])<<8 | uint32(d[2]) + m.certificates[i] = d[3 : 3+certLen] + d = d[3+certLen:] + } + + return true +} + +type certificateMsgTLS13 struct { + raw []byte + certificate Certificate + ocspStapling bool + scts bool +} + +func (m *certificateMsgTLS13) marshal() ([]byte, error) { + if m.raw != nil { + return m.raw, nil + } + + var b cryptobyte.Builder + b.AddUint8(typeCertificate) + b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddUint8(0) // certificate_request_context + + certificate := m.certificate + if !m.ocspStapling { + certificate.OCSPStaple = nil + } + if !m.scts { + certificate.SignedCertificateTimestamps = nil + } + marshalCertificate(b, certificate) + }) + + var err error + m.raw, err = b.Bytes() + return m.raw, err +} + +func marshalCertificate(b *cryptobyte.Builder, certificate Certificate) { + b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { + for i, cert := range certificate.Certificate { + b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(cert) + }) + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + if i > 0 { + // This library only supports OCSP and SCT for leaf certificates. + return + } + if certificate.OCSPStaple != nil { + b.AddUint16(extensionStatusRequest) + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddUint8(statusTypeOCSP) + b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(certificate.OCSPStaple) + }) + }) + } + if certificate.SignedCertificateTimestamps != nil { + b.AddUint16(extensionSCT) + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + for _, sct := range certificate.SignedCertificateTimestamps { + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(sct) + }) + } + }) + }) + } + }) + } + }) +} + +func (m *certificateMsgTLS13) unmarshal(data []byte) bool { + *m = certificateMsgTLS13{raw: data} + s := cryptobyte.String(data) + + var context cryptobyte.String + if !s.Skip(4) || // message type and uint24 length field + !s.ReadUint8LengthPrefixed(&context) || !context.Empty() || + !unmarshalCertificate(&s, &m.certificate) || + !s.Empty() { + return false + } + + m.scts = m.certificate.SignedCertificateTimestamps != nil + m.ocspStapling = m.certificate.OCSPStaple != nil + + return true +} + +func unmarshalCertificate(s *cryptobyte.String, certificate *Certificate) bool { + var certList cryptobyte.String + if !s.ReadUint24LengthPrefixed(&certList) { + return false + } + for !certList.Empty() { + var cert []byte + var extensions cryptobyte.String + if !readUint24LengthPrefixed(&certList, &cert) || + !certList.ReadUint16LengthPrefixed(&extensions) { + return false + } + certificate.Certificate = append(certificate.Certificate, cert) + for !extensions.Empty() { + var extension uint16 + var extData cryptobyte.String + if !extensions.ReadUint16(&extension) || + !extensions.ReadUint16LengthPrefixed(&extData) { + return false + } + if len(certificate.Certificate) > 1 { + // This library only supports OCSP and SCT for leaf certificates. + continue + } + + switch extension { + case extensionStatusRequest: + var statusType uint8 + if !extData.ReadUint8(&statusType) || statusType != statusTypeOCSP || + !readUint24LengthPrefixed(&extData, &certificate.OCSPStaple) || + len(certificate.OCSPStaple) == 0 { + return false + } + case extensionSCT: + var sctList cryptobyte.String + if !extData.ReadUint16LengthPrefixed(&sctList) || sctList.Empty() { + return false + } + for !sctList.Empty() { + var sct []byte + if !readUint16LengthPrefixed(&sctList, &sct) || + len(sct) == 0 { + return false + } + certificate.SignedCertificateTimestamps = append( + certificate.SignedCertificateTimestamps, sct) + } + default: + // Ignore unknown extensions. + continue + } + + if !extData.Empty() { + return false + } + } + } + return true +} + +type serverKeyExchangeMsg struct { + raw []byte + key []byte +} + +func (m *serverKeyExchangeMsg) marshal() ([]byte, error) { + if m.raw != nil { + return m.raw, nil + } + length := len(m.key) + x := make([]byte, length+4) + x[0] = typeServerKeyExchange + x[1] = uint8(length >> 16) + x[2] = uint8(length >> 8) + x[3] = uint8(length) + copy(x[4:], m.key) + + m.raw = x + return x, nil +} + +func (m *serverKeyExchangeMsg) unmarshal(data []byte) bool { + m.raw = data + if len(data) < 4 { + return false + } + m.key = data[4:] + return true +} + +type certificateStatusMsg struct { + raw []byte + response []byte +} + +func (m *certificateStatusMsg) marshal() ([]byte, error) { + if m.raw != nil { + return m.raw, nil + } + + var b cryptobyte.Builder + b.AddUint8(typeCertificateStatus) + b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddUint8(statusTypeOCSP) + b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(m.response) + }) + }) + + var err error + m.raw, err = b.Bytes() + return m.raw, err +} + +func (m *certificateStatusMsg) unmarshal(data []byte) bool { + m.raw = data + s := cryptobyte.String(data) + + var statusType uint8 + if !s.Skip(4) || // message type and uint24 length field + !s.ReadUint8(&statusType) || statusType != statusTypeOCSP || + !readUint24LengthPrefixed(&s, &m.response) || + len(m.response) == 0 || !s.Empty() { + return false + } + return true +} + +type serverHelloDoneMsg struct{} + +func (m *serverHelloDoneMsg) marshal() ([]byte, error) { + x := make([]byte, 4) + x[0] = typeServerHelloDone + return x, nil +} + +func (m *serverHelloDoneMsg) unmarshal(data []byte) bool { + return len(data) == 4 +} + +type clientKeyExchangeMsg struct { + raw []byte + ciphertext []byte +} + +func (m *clientKeyExchangeMsg) marshal() ([]byte, error) { + if m.raw != nil { + return m.raw, nil + } + length := len(m.ciphertext) + x := make([]byte, length+4) + x[0] = typeClientKeyExchange + x[1] = uint8(length >> 16) + x[2] = uint8(length >> 8) + x[3] = uint8(length) + copy(x[4:], m.ciphertext) + + m.raw = x + return x, nil +} + +func (m *clientKeyExchangeMsg) unmarshal(data []byte) bool { + m.raw = data + if len(data) < 4 { + return false + } + l := int(data[1])<<16 | int(data[2])<<8 | int(data[3]) + if l != len(data)-4 { + return false + } + m.ciphertext = data[4:] + return true +} + +type finishedMsg struct { + raw []byte + verifyData []byte +} + +func (m *finishedMsg) marshal() ([]byte, error) { + if m.raw != nil { + return m.raw, nil + } + + var b cryptobyte.Builder + b.AddUint8(typeFinished) + b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(m.verifyData) + }) + + var err error + m.raw, err = b.Bytes() + return m.raw, err +} + +func (m *finishedMsg) unmarshal(data []byte) bool { + m.raw = data + s := cryptobyte.String(data) + return s.Skip(1) && + readUint24LengthPrefixed(&s, &m.verifyData) && + s.Empty() +} + +type certificateRequestMsg struct { + raw []byte + // hasSignatureAlgorithm indicates whether this message includes a list of + // supported signature algorithms. This change was introduced with TLS 1.2. + hasSignatureAlgorithm bool + + certificateTypes []byte + supportedSignatureAlgorithms []SignatureScheme + certificateAuthorities [][]byte +} + +func (m *certificateRequestMsg) marshal() ([]byte, error) { + if m.raw != nil { + return m.raw, nil + } + + // See RFC 4346, Section 7.4.4. + length := 1 + len(m.certificateTypes) + 2 + casLength := 0 + for _, ca := range m.certificateAuthorities { + casLength += 2 + len(ca) + } + length += casLength + + if m.hasSignatureAlgorithm { + length += 2 + 2*len(m.supportedSignatureAlgorithms) + } + + x := make([]byte, 4+length) + x[0] = typeCertificateRequest + x[1] = uint8(length >> 16) + x[2] = uint8(length >> 8) + x[3] = uint8(length) + + x[4] = uint8(len(m.certificateTypes)) + + copy(x[5:], m.certificateTypes) + y := x[5+len(m.certificateTypes):] + + if m.hasSignatureAlgorithm { + n := len(m.supportedSignatureAlgorithms) * 2 + y[0] = uint8(n >> 8) + y[1] = uint8(n) + y = y[2:] + for _, sigAlgo := range m.supportedSignatureAlgorithms { + y[0] = uint8(sigAlgo >> 8) + y[1] = uint8(sigAlgo) + y = y[2:] + } + } + + y[0] = uint8(casLength >> 8) + y[1] = uint8(casLength) + y = y[2:] + for _, ca := range m.certificateAuthorities { + y[0] = uint8(len(ca) >> 8) + y[1] = uint8(len(ca)) + y = y[2:] + copy(y, ca) + y = y[len(ca):] + } + + m.raw = x + return m.raw, nil +} + +func (m *certificateRequestMsg) unmarshal(data []byte) bool { + m.raw = data + + if len(data) < 5 { + return false + } + + length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) + if uint32(len(data))-4 != length { + return false + } + + numCertTypes := int(data[4]) + data = data[5:] + if numCertTypes == 0 || len(data) <= numCertTypes { + return false + } + + m.certificateTypes = make([]byte, numCertTypes) + if copy(m.certificateTypes, data) != numCertTypes { + return false + } + + data = data[numCertTypes:] + + if m.hasSignatureAlgorithm { + if len(data) < 2 { + return false + } + sigAndHashLen := uint16(data[0])<<8 | uint16(data[1]) + data = data[2:] + if sigAndHashLen&1 != 0 { + return false + } + if len(data) < int(sigAndHashLen) { + return false + } + numSigAlgos := sigAndHashLen / 2 + m.supportedSignatureAlgorithms = make([]SignatureScheme, numSigAlgos) + for i := range m.supportedSignatureAlgorithms { + m.supportedSignatureAlgorithms[i] = SignatureScheme(data[0])<<8 | SignatureScheme(data[1]) + data = data[2:] + } + } + + if len(data) < 2 { + return false + } + casLength := uint16(data[0])<<8 | uint16(data[1]) + data = data[2:] + if len(data) < int(casLength) { + return false + } + cas := make([]byte, casLength) + copy(cas, data) + data = data[casLength:] + + m.certificateAuthorities = nil + for len(cas) > 0 { + if len(cas) < 2 { + return false + } + caLen := uint16(cas[0])<<8 | uint16(cas[1]) + cas = cas[2:] + + if len(cas) < int(caLen) { + return false + } + + m.certificateAuthorities = append(m.certificateAuthorities, cas[:caLen]) + cas = cas[caLen:] + } + + return len(data) == 0 +} + +type certificateVerifyMsg struct { + raw []byte + hasSignatureAlgorithm bool // format change introduced in TLS 1.2 + signatureAlgorithm SignatureScheme + signature []byte +} + +func (m *certificateVerifyMsg) marshal() ([]byte, error) { + if m.raw != nil { + return m.raw, nil + } + + var b cryptobyte.Builder + b.AddUint8(typeCertificateVerify) + b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { + if m.hasSignatureAlgorithm { + b.AddUint16(uint16(m.signatureAlgorithm)) + } + b.AddUint16LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(m.signature) + }) + }) + + var err error + m.raw, err = b.Bytes() + return m.raw, err +} + +func (m *certificateVerifyMsg) unmarshal(data []byte) bool { + m.raw = data + s := cryptobyte.String(data) + + if !s.Skip(4) { // message type and uint24 length field + return false + } + if m.hasSignatureAlgorithm { + if !s.ReadUint16((*uint16)(&m.signatureAlgorithm)) { + return false + } + } + return readUint16LengthPrefixed(&s, &m.signature) && s.Empty() +} + +type newSessionTicketMsg struct { + raw []byte + ticket []byte +} + +func (m *newSessionTicketMsg) marshal() ([]byte, error) { + if m.raw != nil { + return m.raw, nil + } + + // See RFC 5077, Section 3.3. + ticketLen := len(m.ticket) + length := 2 + 4 + ticketLen + x := make([]byte, 4+length) + x[0] = typeNewSessionTicket + x[1] = uint8(length >> 16) + x[2] = uint8(length >> 8) + x[3] = uint8(length) + x[8] = uint8(ticketLen >> 8) + x[9] = uint8(ticketLen) + copy(x[10:], m.ticket) + + m.raw = x + + return m.raw, nil +} + +func (m *newSessionTicketMsg) unmarshal(data []byte) bool { + m.raw = data + + if len(data) < 10 { + return false + } + + length := uint32(data[1])<<16 | uint32(data[2])<<8 | uint32(data[3]) + if uint32(len(data))-4 != length { + return false + } + + ticketLen := int(data[8])<<8 + int(data[9]) + if len(data)-10 != ticketLen { + return false + } + + m.ticket = data[10:] + + return true +} + +type helloRequestMsg struct { +} + +func (*helloRequestMsg) marshal() ([]byte, error) { + return []byte{typeHelloRequest, 0, 0, 0}, nil +} + +func (*helloRequestMsg) unmarshal(data []byte) bool { + return len(data) == 4 +} + +type transcriptHash interface { + Write([]byte) (int, error) +} + +// transcriptMsg is a helper used to marshal and hash messages which typically +// are not written to the wire, and as such aren't hashed during Conn.writeRecord. +func transcriptMsg(msg handshakeMessage, h transcriptHash) error { + data, err := msg.marshal() + if err != nil { + return err + } + h.Write(data) + return nil +} diff --git a/pkg/tls/handshake_messages_test.go b/pkg/tls/handshake_messages_test.go new file mode 100644 index 000000000..72e8bd8c2 --- /dev/null +++ b/pkg/tls/handshake_messages_test.go @@ -0,0 +1,558 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "bytes" + "crypto/x509" + "encoding/hex" + "math" + "math/rand" + "reflect" + "strings" + "testing" + "testing/quick" + "time" +) + +var tests = []handshakeMessage{ + &clientHelloMsg{}, + &serverHelloMsg{}, + &finishedMsg{}, + + &certificateMsg{}, + &certificateRequestMsg{}, + &certificateVerifyMsg{ + hasSignatureAlgorithm: true, + }, + &certificateStatusMsg{}, + &clientKeyExchangeMsg{}, + &newSessionTicketMsg{}, + &encryptedExtensionsMsg{}, + &endOfEarlyDataMsg{}, + &keyUpdateMsg{}, + &newSessionTicketMsgTLS13{}, + &certificateRequestMsgTLS13{}, + &certificateMsgTLS13{}, + &SessionState{}, +} + +func mustMarshal(t *testing.T, msg handshakeMessage) []byte { + t.Helper() + b, err := msg.marshal() + if err != nil { + t.Fatal(err) + } + return b +} + +func TestMarshalUnmarshal(t *testing.T) { + rand := rand.New(rand.NewSource(time.Now().UnixNano())) + + for i, m := range tests { + ty := reflect.ValueOf(m).Type() + + n := 100 + if testing.Short() { + n = 5 + } + for j := 0; j < n; j++ { + v, ok := quick.Value(ty, rand) + if !ok { + t.Errorf("#%d: failed to create value", i) + break + } + + m1 := v.Interface().(handshakeMessage) + marshaled := mustMarshal(t, m1) + if !m.unmarshal(marshaled) { + t.Errorf("#%d failed to unmarshal %#v %x", i, m1, marshaled) + break + } + m.marshal() // to fill any marshal cache in the message + + if m, ok := m.(*SessionState); ok { + m.activeCertHandles = nil + } + + if !reflect.DeepEqual(m1, m) { + t.Errorf("#%d got:%#v want:%#v %x", i, m, m1, marshaled) + break + } + + if i >= 3 { + // The first three message types (ClientHello, + // ServerHello and Finished) are allowed to + // have parsable prefixes because the extension + // data is optional and the length of the + // Finished varies across versions. + for j := 0; j < len(marshaled); j++ { + if m.unmarshal(marshaled[0:j]) { + t.Errorf("#%d unmarshaled a prefix of length %d of %#v", i, j, m1) + break + } + } + } + } + } +} + +func TestFuzz(t *testing.T) { + rand := rand.New(rand.NewSource(0)) + for _, m := range tests { + for j := 0; j < 1000; j++ { + len := rand.Intn(1000) + bytes := randomBytes(len, rand) + // This just looks for crashes due to bounds errors etc. + m.unmarshal(bytes) + } + } +} + +func randomBytes(n int, rand *rand.Rand) []byte { + r := make([]byte, n) + if _, err := rand.Read(r); err != nil { + panic("rand.Read failed: " + err.Error()) + } + return r +} + +func randomString(n int, rand *rand.Rand) string { + b := randomBytes(n, rand) + return string(b) +} + +func (*clientHelloMsg) Generate(rand *rand.Rand, size int) reflect.Value { + m := &clientHelloMsg{} + m.vers = uint16(rand.Intn(65536)) + m.random = randomBytes(32, rand) + m.sessionId = randomBytes(rand.Intn(32), rand) + m.cipherSuites = make([]uint16, rand.Intn(63)+1) + for i := 0; i < len(m.cipherSuites); i++ { + cs := uint16(rand.Int31()) + if cs == scsvRenegotiation { + cs += 1 + } + m.cipherSuites[i] = cs + } + m.compressionMethods = randomBytes(rand.Intn(63)+1, rand) + if rand.Intn(10) > 5 { + m.serverName = randomString(rand.Intn(255), rand) + for strings.HasSuffix(m.serverName, ".") { + m.serverName = m.serverName[:len(m.serverName)-1] + } + } + m.ocspStapling = rand.Intn(10) > 5 + m.supportedPoints = randomBytes(rand.Intn(5)+1, rand) + m.supportedCurves = make([]CurveID, rand.Intn(5)+1) + for i := range m.supportedCurves { + m.supportedCurves[i] = CurveID(rand.Intn(30000) + 1) + } + if rand.Intn(10) > 5 { + m.ticketSupported = true + if rand.Intn(10) > 5 { + m.sessionTicket = randomBytes(rand.Intn(300), rand) + } else { + m.sessionTicket = make([]byte, 0) + } + } + if rand.Intn(10) > 5 { + m.supportedSignatureAlgorithms = supportedSignatureAlgorithms() + } + if rand.Intn(10) > 5 { + m.supportedSignatureAlgorithmsCert = supportedSignatureAlgorithms() + } + for i := 0; i < rand.Intn(5); i++ { + m.alpnProtocols = append(m.alpnProtocols, randomString(rand.Intn(20)+1, rand)) + } + if rand.Intn(10) > 5 { + m.scts = true + } + if rand.Intn(10) > 5 { + m.secureRenegotiationSupported = true + m.secureRenegotiation = randomBytes(rand.Intn(50)+1, rand) + } + if rand.Intn(10) > 5 { + m.extendedMasterSecret = true + } + for i := 0; i < rand.Intn(5); i++ { + m.supportedVersions = append(m.supportedVersions, uint16(rand.Intn(0xffff)+1)) + } + if rand.Intn(10) > 5 { + m.cookie = randomBytes(rand.Intn(500)+1, rand) + } + for i := 0; i < rand.Intn(5); i++ { + var ks keyShare + ks.group = CurveID(rand.Intn(30000) + 1) + ks.data = randomBytes(rand.Intn(200)+1, rand) + m.keyShares = append(m.keyShares, ks) + } + switch rand.Intn(3) { + case 1: + m.pskModes = []uint8{pskModeDHE} + case 2: + m.pskModes = []uint8{pskModeDHE, pskModePlain} + } + for i := 0; i < rand.Intn(5); i++ { + var psk pskIdentity + psk.obfuscatedTicketAge = uint32(rand.Intn(500000)) + psk.label = randomBytes(rand.Intn(500)+1, rand) + m.pskIdentities = append(m.pskIdentities, psk) + m.pskBinders = append(m.pskBinders, randomBytes(rand.Intn(50)+32, rand)) + } + if rand.Intn(10) > 5 { + m.quicTransportParameters = randomBytes(rand.Intn(500), rand) + } + if rand.Intn(10) > 5 { + m.earlyData = true + } + + return reflect.ValueOf(m) +} + +func (*serverHelloMsg) Generate(rand *rand.Rand, size int) reflect.Value { + m := &serverHelloMsg{} + m.vers = uint16(rand.Intn(65536)) + m.random = randomBytes(32, rand) + m.sessionId = randomBytes(rand.Intn(32), rand) + m.cipherSuite = uint16(rand.Int31()) + m.compressionMethod = uint8(rand.Intn(256)) + m.supportedPoints = randomBytes(rand.Intn(5)+1, rand) + + if rand.Intn(10) > 5 { + m.ocspStapling = true + } + if rand.Intn(10) > 5 { + m.ticketSupported = true + } + if rand.Intn(10) > 5 { + m.alpnProtocol = randomString(rand.Intn(32)+1, rand) + } + + for i := 0; i < rand.Intn(4); i++ { + m.scts = append(m.scts, randomBytes(rand.Intn(500)+1, rand)) + } + + if rand.Intn(10) > 5 { + m.secureRenegotiationSupported = true + m.secureRenegotiation = randomBytes(rand.Intn(50)+1, rand) + } + if rand.Intn(10) > 5 { + m.extendedMasterSecret = true + } + if rand.Intn(10) > 5 { + m.supportedVersion = uint16(rand.Intn(0xffff) + 1) + } + if rand.Intn(10) > 5 { + m.cookie = randomBytes(rand.Intn(500)+1, rand) + } + if rand.Intn(10) > 5 { + for i := 0; i < rand.Intn(5); i++ { + m.serverShare.group = CurveID(rand.Intn(30000) + 1) + m.serverShare.data = randomBytes(rand.Intn(200)+1, rand) + } + } else if rand.Intn(10) > 5 { + m.selectedGroup = CurveID(rand.Intn(30000) + 1) + } + if rand.Intn(10) > 5 { + m.selectedIdentityPresent = true + m.selectedIdentity = uint16(rand.Intn(0xffff)) + } + + return reflect.ValueOf(m) +} + +func (*encryptedExtensionsMsg) Generate(rand *rand.Rand, size int) reflect.Value { + m := &encryptedExtensionsMsg{} + + if rand.Intn(10) > 5 { + m.alpnProtocol = randomString(rand.Intn(32)+1, rand) + } + if rand.Intn(10) > 5 { + m.earlyData = true + } + + return reflect.ValueOf(m) +} + +func (*certificateMsg) Generate(rand *rand.Rand, size int) reflect.Value { + m := &certificateMsg{} + numCerts := rand.Intn(20) + m.certificates = make([][]byte, numCerts) + for i := 0; i < numCerts; i++ { + m.certificates[i] = randomBytes(rand.Intn(10)+1, rand) + } + return reflect.ValueOf(m) +} + +func (*certificateRequestMsg) Generate(rand *rand.Rand, size int) reflect.Value { + m := &certificateRequestMsg{} + m.certificateTypes = randomBytes(rand.Intn(5)+1, rand) + for i := 0; i < rand.Intn(100); i++ { + m.certificateAuthorities = append(m.certificateAuthorities, randomBytes(rand.Intn(15)+1, rand)) + } + return reflect.ValueOf(m) +} + +func (*certificateVerifyMsg) Generate(rand *rand.Rand, size int) reflect.Value { + m := &certificateVerifyMsg{} + m.hasSignatureAlgorithm = true + m.signatureAlgorithm = SignatureScheme(rand.Intn(30000)) + m.signature = randomBytes(rand.Intn(15)+1, rand) + return reflect.ValueOf(m) +} + +func (*certificateStatusMsg) Generate(rand *rand.Rand, size int) reflect.Value { + m := &certificateStatusMsg{} + m.response = randomBytes(rand.Intn(10)+1, rand) + return reflect.ValueOf(m) +} + +func (*clientKeyExchangeMsg) Generate(rand *rand.Rand, size int) reflect.Value { + m := &clientKeyExchangeMsg{} + m.ciphertext = randomBytes(rand.Intn(1000)+1, rand) + return reflect.ValueOf(m) +} + +func (*finishedMsg) Generate(rand *rand.Rand, size int) reflect.Value { + m := &finishedMsg{} + m.verifyData = randomBytes(12, rand) + return reflect.ValueOf(m) +} + +func (*newSessionTicketMsg) Generate(rand *rand.Rand, size int) reflect.Value { + m := &newSessionTicketMsg{} + m.ticket = randomBytes(rand.Intn(4), rand) + return reflect.ValueOf(m) +} + +var sessionTestCerts []*x509.Certificate + +func init() { + cert, err := x509.ParseCertificate(testRSACertificate) + if err != nil { + panic(err) + } + sessionTestCerts = append(sessionTestCerts, cert) + cert, err = x509.ParseCertificate(testRSACertificateIssuer) + if err != nil { + panic(err) + } + sessionTestCerts = append(sessionTestCerts, cert) +} + +func (*SessionState) Generate(rand *rand.Rand, size int) reflect.Value { + s := &SessionState{} + isTLS13 := rand.Intn(10) > 5 + if isTLS13 { + s.version = VersionTLS13 + } else { + s.version = uint16(rand.Intn(VersionTLS13)) + } + s.isClient = rand.Intn(10) > 5 + s.cipherSuite = uint16(rand.Intn(math.MaxUint16)) + s.createdAt = uint64(rand.Int63()) + s.secret = randomBytes(rand.Intn(100)+1, rand) + for n, i := rand.Intn(3), 0; i < n; i++ { + s.Extra = append(s.Extra, randomBytes(rand.Intn(100), rand)) + } + if rand.Intn(10) > 5 { + s.EarlyData = true + } + if rand.Intn(10) > 5 { + s.extMasterSecret = true + } + if s.isClient || rand.Intn(10) > 5 { + if rand.Intn(10) > 5 { + s.peerCertificates = sessionTestCerts + } else { + s.peerCertificates = sessionTestCerts[:1] + } + } + if rand.Intn(10) > 5 && s.peerCertificates != nil { + s.ocspResponse = randomBytes(rand.Intn(100)+1, rand) + } + if rand.Intn(10) > 5 && s.peerCertificates != nil { + for i := 0; i < rand.Intn(2)+1; i++ { + s.scts = append(s.scts, randomBytes(rand.Intn(500)+1, rand)) + } + } + if len(s.peerCertificates) > 0 { + for i := 0; i < rand.Intn(3); i++ { + if rand.Intn(10) > 5 { + s.verifiedChains = append(s.verifiedChains, s.peerCertificates) + } else { + s.verifiedChains = append(s.verifiedChains, s.peerCertificates[:1]) + } + } + } + if rand.Intn(10) > 5 && s.EarlyData { + s.alpnProtocol = string(randomBytes(rand.Intn(10), rand)) + } + if s.isClient { + if isTLS13 { + s.useBy = uint64(rand.Int63()) + s.ageAdd = uint32(rand.Int63() & math.MaxUint32) + } + } + return reflect.ValueOf(s) +} + +func (s *SessionState) marshal() ([]byte, error) { return s.Bytes() } +func (s *SessionState) unmarshal(b []byte) bool { + ss, err := ParseSessionState(b) + if err != nil { + return false + } + *s = *ss + return true +} + +func (*endOfEarlyDataMsg) Generate(rand *rand.Rand, size int) reflect.Value { + m := &endOfEarlyDataMsg{} + return reflect.ValueOf(m) +} + +func (*keyUpdateMsg) Generate(rand *rand.Rand, size int) reflect.Value { + m := &keyUpdateMsg{} + m.updateRequested = rand.Intn(10) > 5 + return reflect.ValueOf(m) +} + +func (*newSessionTicketMsgTLS13) Generate(rand *rand.Rand, size int) reflect.Value { + m := &newSessionTicketMsgTLS13{} + m.lifetime = uint32(rand.Intn(500000)) + m.ageAdd = uint32(rand.Intn(500000)) + m.nonce = randomBytes(rand.Intn(100), rand) + m.label = randomBytes(rand.Intn(1000), rand) + if rand.Intn(10) > 5 { + m.maxEarlyData = uint32(rand.Intn(500000)) + } + return reflect.ValueOf(m) +} + +func (*certificateRequestMsgTLS13) Generate(rand *rand.Rand, size int) reflect.Value { + m := &certificateRequestMsgTLS13{} + if rand.Intn(10) > 5 { + m.ocspStapling = true + } + if rand.Intn(10) > 5 { + m.scts = true + } + if rand.Intn(10) > 5 { + m.supportedSignatureAlgorithms = supportedSignatureAlgorithms() + } + if rand.Intn(10) > 5 { + m.supportedSignatureAlgorithmsCert = supportedSignatureAlgorithms() + } + if rand.Intn(10) > 5 { + m.certificateAuthorities = make([][]byte, 3) + for i := 0; i < 3; i++ { + m.certificateAuthorities[i] = randomBytes(rand.Intn(10)+1, rand) + } + } + return reflect.ValueOf(m) +} + +func (*certificateMsgTLS13) Generate(rand *rand.Rand, size int) reflect.Value { + m := &certificateMsgTLS13{} + for i := 0; i < rand.Intn(2)+1; i++ { + m.certificate.Certificate = append( + m.certificate.Certificate, randomBytes(rand.Intn(500)+1, rand)) + } + if rand.Intn(10) > 5 { + m.ocspStapling = true + m.certificate.OCSPStaple = randomBytes(rand.Intn(100)+1, rand) + } + if rand.Intn(10) > 5 { + m.scts = true + for i := 0; i < rand.Intn(2)+1; i++ { + m.certificate.SignedCertificateTimestamps = append( + m.certificate.SignedCertificateTimestamps, randomBytes(rand.Intn(500)+1, rand)) + } + } + return reflect.ValueOf(m) +} + +func TestRejectEmptySCTList(t *testing.T) { + // RFC 6962, Section 3.3.1 specifies that empty SCT lists are invalid. + + var random [32]byte + sct := []byte{0x42, 0x42, 0x42, 0x42} + serverHello := &serverHelloMsg{ + vers: VersionTLS12, + random: random[:], + scts: [][]byte{sct}, + } + serverHelloBytes := mustMarshal(t, serverHello) + + var serverHelloCopy serverHelloMsg + if !serverHelloCopy.unmarshal(serverHelloBytes) { + t.Fatal("Failed to unmarshal initial message") + } + + // Change serverHelloBytes so that the SCT list is empty + i := bytes.Index(serverHelloBytes, sct) + if i < 0 { + t.Fatal("Cannot find SCT in ServerHello") + } + + var serverHelloEmptySCT []byte + serverHelloEmptySCT = append(serverHelloEmptySCT, serverHelloBytes[:i-6]...) + // Append the extension length and SCT list length for an empty list. + serverHelloEmptySCT = append(serverHelloEmptySCT, []byte{0, 2, 0, 0}...) + serverHelloEmptySCT = append(serverHelloEmptySCT, serverHelloBytes[i+4:]...) + + // Update the handshake message length. + serverHelloEmptySCT[1] = byte((len(serverHelloEmptySCT) - 4) >> 16) + serverHelloEmptySCT[2] = byte((len(serverHelloEmptySCT) - 4) >> 8) + serverHelloEmptySCT[3] = byte(len(serverHelloEmptySCT) - 4) + + // Update the extensions length + serverHelloEmptySCT[42] = byte((len(serverHelloEmptySCT) - 44) >> 8) + serverHelloEmptySCT[43] = byte((len(serverHelloEmptySCT) - 44)) + + if serverHelloCopy.unmarshal(serverHelloEmptySCT) { + t.Fatal("Unmarshaled ServerHello with empty SCT list") + } +} + +func TestRejectEmptySCT(t *testing.T) { + // Not only must the SCT list be non-empty, but the SCT elements must + // not be zero length. + + var random [32]byte + serverHello := &serverHelloMsg{ + vers: VersionTLS12, + random: random[:], + scts: [][]byte{nil}, + } + serverHelloBytes := mustMarshal(t, serverHello) + + var serverHelloCopy serverHelloMsg + if serverHelloCopy.unmarshal(serverHelloBytes) { + t.Fatal("Unmarshaled ServerHello with zero-length SCT") + } +} + +func TestRejectDuplicateExtensions(t *testing.T) { + clientHelloBytes, err := hex.DecodeString("010000440303000000000000000000000000000000000000000000000000000000000000000000000000001c0000000a000800000568656c6c6f0000000a000800000568656c6c6f") + if err != nil { + t.Fatalf("failed to decode test ClientHello: %s", err) + } + var clientHelloCopy clientHelloMsg + if clientHelloCopy.unmarshal(clientHelloBytes) { + t.Error("Unmarshaled ClientHello with duplicate extensions") + } + + serverHelloBytes, err := hex.DecodeString("02000030030300000000000000000000000000000000000000000000000000000000000000000000000000080005000000050000") + if err != nil { + t.Fatalf("failed to decode test ServerHello: %s", err) + } + var serverHelloCopy serverHelloMsg + if serverHelloCopy.unmarshal(serverHelloBytes) { + t.Fatal("Unmarshaled ServerHello with duplicate extensions") + } +} diff --git a/pkg/tls/handshake_server.go b/pkg/tls/handshake_server.go new file mode 100644 index 000000000..31f706390 --- /dev/null +++ b/pkg/tls/handshake_server.go @@ -0,0 +1,962 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "context" + "crypto" + "crypto/ecdsa" + "crypto/ed25519" + "crypto/rsa" + "crypto/subtle" + "crypto/x509" + "errors" + "fmt" + "hash" + "io" + "time" +) + +// serverHandshakeState contains details of a server handshake in progress. +// It's discarded once the handshake has completed. +type serverHandshakeState struct { + c *Conn + ctx context.Context + clientHello *clientHelloMsg + hello *serverHelloMsg + suite *cipherSuite + ecdheOk bool + ecSignOk bool + rsaDecryptOk bool + rsaSignOk bool + sessionState *SessionState + finishedHash finishedHash + masterSecret []byte + cert *Certificate +} + +// serverHandshake performs a TLS handshake as a server. +func (c *Conn) serverHandshake(ctx context.Context) error { + clientHello, err := c.readClientHello(ctx) + if err != nil { + return err + } + + if c.vers == VersionTLS13 { + hs := serverHandshakeStateTLS13{ + c: c, + ctx: ctx, + clientHello: clientHello, + } + return hs.handshake() + } + + hs := serverHandshakeState{ + c: c, + ctx: ctx, + clientHello: clientHello, + } + return hs.handshake() +} + +func (hs *serverHandshakeState) handshake() error { + c := hs.c + + if err := hs.processClientHello(); err != nil { + return err + } + + // For an overview of TLS handshaking, see RFC 5246, Section 7.3. + c.buffering = true + if err := hs.checkForResumption(); err != nil { + return err + } + if hs.sessionState != nil { + // The client has included a session ticket and so we do an abbreviated handshake. + if err := hs.doResumeHandshake(); err != nil { + return err + } + if err := hs.establishKeys(); err != nil { + return err + } + if err := hs.sendSessionTicket(); err != nil { + return err + } + if err := hs.sendFinished(c.serverFinished[:]); err != nil { + return err + } + if _, err := c.flush(); err != nil { + return err + } + c.clientFinishedIsFirst = false + if err := hs.readFinished(nil); err != nil { + return err + } + } else { + // The client didn't include a session ticket, or it wasn't + // valid so we do a full handshake. + if err := hs.pickCipherSuite(); err != nil { + return err + } + if err := hs.doFullHandshake(); err != nil { + return err + } + if err := hs.establishKeys(); err != nil { + return err + } + if err := hs.readFinished(c.clientFinished[:]); err != nil { + return err + } + c.clientFinishedIsFirst = true + c.buffering = true + if err := hs.sendSessionTicket(); err != nil { + return err + } + if err := hs.sendFinished(nil); err != nil { + return err + } + if _, err := c.flush(); err != nil { + return err + } + } + + c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random) + c.isHandshakeComplete.Store(true) + + return nil +} + +// readClientHello reads a ClientHello message and selects the protocol version. +func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, error) { + // clientHelloMsg is included in the transcript, but we haven't initialized + // it yet. The respective handshake functions will record it themselves. + msg, err := c.readHandshake(nil) + if err != nil { + return nil, err + } + clientHello, ok := msg.(*clientHelloMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return nil, unexpectedMessageError(clientHello, msg) + } + + var configForClient *Config + originalConfig := c.config + if c.config.GetConfigForClient != nil { + chi := clientHelloInfo(ctx, c, clientHello) + if configForClient, err = c.config.GetConfigForClient(chi); err != nil { + c.sendAlert(alertInternalError) + return nil, err + } else if configForClient != nil { + c.config = configForClient + } + } + c.ticketKeys = originalConfig.ticketKeys(configForClient) + + clientVersions := clientHello.supportedVersions + if len(clientHello.supportedVersions) == 0 { + clientVersions = supportedVersionsFromMax(clientHello.vers) + } + c.vers, ok = c.config.mutualVersion(roleServer, clientVersions) + if !ok { + c.sendAlert(alertProtocolVersion) + return nil, fmt.Errorf("tls: client offered only unsupported versions: %x", clientVersions) + } + c.haveVers = true + c.in.version = c.vers + c.out.version = c.vers + + /*if c.config.MinVersion == 0 && c.vers < VersionTLS12 { + tls10server.IncNonDefault() + }*/ + + return clientHello, nil +} + +func (hs *serverHandshakeState) processClientHello() error { + c := hs.c + + hs.hello = new(serverHelloMsg) + hs.hello.vers = c.vers + + foundCompression := false + // We only support null compression, so check that the client offered it. + for _, compression := range hs.clientHello.compressionMethods { + if compression == compressionNone { + foundCompression = true + break + } + } + + if !foundCompression { + c.sendAlert(alertHandshakeFailure) + return errors.New("tls: client does not support uncompressed connections") + } + + hs.hello.random = make([]byte, 32) + serverRandom := hs.hello.random + // Downgrade protection canaries. See RFC 8446, Section 4.1.3. + maxVers := c.config.maxSupportedVersion(roleServer) + if maxVers >= VersionTLS12 && c.vers < maxVers || testingOnlyForceDowngradeCanary { + if c.vers == VersionTLS12 { + copy(serverRandom[24:], downgradeCanaryTLS12) + } else { + copy(serverRandom[24:], downgradeCanaryTLS11) + } + serverRandom = serverRandom[:24] + } + _, err := io.ReadFull(c.config.rand(), serverRandom) + if err != nil { + c.sendAlert(alertInternalError) + return err + } + + if len(hs.clientHello.secureRenegotiation) != 0 { + c.sendAlert(alertHandshakeFailure) + return errors.New("tls: initial handshake had non-empty renegotiation extension") + } + + hs.hello.extendedMasterSecret = hs.clientHello.extendedMasterSecret + hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported + hs.hello.compressionMethod = compressionNone + if len(hs.clientHello.serverName) > 0 { + c.serverName = hs.clientHello.serverName + } + + selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols, false) + if err != nil { + c.sendAlert(alertNoApplicationProtocol) + return err + } + hs.hello.alpnProtocol = selectedProto + c.clientProtocol = selectedProto + + hs.cert, err = c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello)) + if err != nil { + if err == errNoCertificates { + c.sendAlert(alertUnrecognizedName) + } else { + c.sendAlert(alertInternalError) + } + return err + } + if hs.clientHello.scts { + hs.hello.scts = hs.cert.SignedCertificateTimestamps + } + + hs.ecdheOk = supportsECDHE(c.config, hs.clientHello.supportedCurves, hs.clientHello.supportedPoints) + + if hs.ecdheOk && len(hs.clientHello.supportedPoints) > 0 { + // Although omitting the ec_point_formats extension is permitted, some + // old OpenSSL version will refuse to handshake if not present. + // + // Per RFC 4492, section 5.1.2, implementations MUST support the + // uncompressed point format. See golang.org/issue/31943. + hs.hello.supportedPoints = []uint8{pointFormatUncompressed} + } + + if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok { + switch priv.Public().(type) { + case *ecdsa.PublicKey: + hs.ecSignOk = true + case ed25519.PublicKey: + hs.ecSignOk = true + case *rsa.PublicKey: + hs.rsaSignOk = true + default: + c.sendAlert(alertInternalError) + return fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public()) + } + } + if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok { + switch priv.Public().(type) { + case *rsa.PublicKey: + hs.rsaDecryptOk = true + default: + c.sendAlert(alertInternalError) + return fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public()) + } + } + + return nil +} + +// negotiateALPN picks a shared ALPN protocol that both sides support in server +// preference order. If ALPN is not configured or the peer doesn't support it, +// it returns "" and no error. +func negotiateALPN(serverProtos, clientProtos []string, quic bool) (string, error) { + if len(serverProtos) == 0 || len(clientProtos) == 0 { + if quic && len(serverProtos) != 0 { + // RFC 9001, Section 8.1 + return "", fmt.Errorf("tls: client did not request an application protocol") + } + return "", nil + } + var http11fallback bool + for _, s := range serverProtos { + for _, c := range clientProtos { + if s == c { + return s, nil + } + if s == "h2" && c == "http/1.1" { + http11fallback = true + } + } + } + // As a special case, let http/1.1 clients connect to h2 servers as if they + // didn't support ALPN. We used not to enforce protocol overlap, so over + // time a number of HTTP servers were configured with only "h2", but + // expected to accept connections from "http/1.1" clients. See Issue 46310. + if http11fallback { + return "", nil + } + return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos) +} + +// supportsECDHE returns whether ECDHE key exchanges can be used with this +// pre-TLS 1.3 client. +func supportsECDHE(c *Config, supportedCurves []CurveID, supportedPoints []uint8) bool { + supportsCurve := false + for _, curve := range supportedCurves { + if c.supportsCurve(curve) { + supportsCurve = true + break + } + } + + supportsPointFormat := false + for _, pointFormat := range supportedPoints { + if pointFormat == pointFormatUncompressed { + supportsPointFormat = true + break + } + } + // Per RFC 8422, Section 5.1.2, if the Supported Point Formats extension is + // missing, uncompressed points are supported. If supportedPoints is empty, + // the extension must be missing, as an empty extension body is rejected by + // the parser. See https://go.dev/issue/49126. + if len(supportedPoints) == 0 { + supportsPointFormat = true + } + + return supportsCurve && supportsPointFormat +} + +func (hs *serverHandshakeState) pickCipherSuite() error { + c := hs.c + + preferenceOrder := cipherSuitesPreferenceOrder + if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) { + preferenceOrder = cipherSuitesPreferenceOrderNoAES + } + + configCipherSuites := c.config.cipherSuites() + preferenceList := make([]uint16, 0, len(configCipherSuites)) + for _, suiteID := range preferenceOrder { + for _, id := range configCipherSuites { + if id == suiteID { + preferenceList = append(preferenceList, id) + break + } + } + } + + hs.suite = selectCipherSuite(preferenceList, hs.clientHello.cipherSuites, hs.cipherSuiteOk) + if hs.suite == nil { + c.sendAlert(alertHandshakeFailure) + return errors.New("tls: no cipher suite supported by both client and server") + } + c.cipherSuite = hs.suite.id + + if c.config.CipherSuites == nil && rsaKexCiphers[hs.suite.id] { + //tlsrsakex.IncNonDefault() + } + + for _, id := range hs.clientHello.cipherSuites { + if id == TLS_FALLBACK_SCSV { + // The client is doing a fallback connection. See RFC 7507. + if hs.clientHello.vers < c.config.maxSupportedVersion(roleServer) { + c.sendAlert(alertInappropriateFallback) + return errors.New("tls: client using inappropriate protocol fallback") + } + break + } + } + + return nil +} + +func (hs *serverHandshakeState) cipherSuiteOk(c *cipherSuite) bool { + if c.flags&suiteECDHE != 0 { + if !hs.ecdheOk { + return false + } + if c.flags&suiteECSign != 0 { + if !hs.ecSignOk { + return false + } + } else if !hs.rsaSignOk { + return false + } + } else if !hs.rsaDecryptOk { + return false + } + if hs.c.vers < VersionTLS12 && c.flags&suiteTLS12 != 0 { + return false + } + return true +} + +// checkForResumption reports whether we should perform resumption on this connection. +func (hs *serverHandshakeState) checkForResumption() error { + c := hs.c + + if c.config.SessionTicketsDisabled { + return nil + } + + var sessionState *SessionState + if c.config.UnwrapSession != nil { + ss, err := c.config.UnwrapSession(hs.clientHello.sessionTicket, c.connectionStateLocked()) + if err != nil { + return err + } + if ss == nil { + return nil + } + sessionState = ss + } else { + plaintext := c.config.decryptTicket(hs.clientHello.sessionTicket, c.ticketKeys) + if plaintext == nil { + return nil + } + ss, err := ParseSessionState(plaintext) + if err != nil { + return nil + } + sessionState = ss + } + + // TLS 1.2 tickets don't natively have a lifetime, but we want to avoid + // re-wrapping the same master secret in different tickets over and over for + // too long, weakening forward secrecy. + createdAt := time.Unix(int64(sessionState.createdAt), 0) + if c.config.time().Sub(createdAt) > maxSessionTicketLifetime { + return nil + } + + // Never resume a session for a different TLS version. + if c.vers != sessionState.version { + return nil + } + + cipherSuiteOk := false + // Check that the client is still offering the ciphersuite in the session. + for _, id := range hs.clientHello.cipherSuites { + if id == sessionState.cipherSuite { + cipherSuiteOk = true + break + } + } + if !cipherSuiteOk { + return nil + } + + // Check that we also support the ciphersuite from the session. + suite := selectCipherSuite([]uint16{sessionState.cipherSuite}, + c.config.cipherSuites(), hs.cipherSuiteOk) + if suite == nil { + return nil + } + + sessionHasClientCerts := len(sessionState.peerCertificates) != 0 + needClientCerts := requiresClientCert(c.config.ClientAuth) + if needClientCerts && !sessionHasClientCerts { + return nil + } + if sessionHasClientCerts && c.config.ClientAuth == NoClientCert { + return nil + } + if sessionHasClientCerts && c.config.time().After(sessionState.peerCertificates[0].NotAfter) { + return nil + } + if sessionHasClientCerts && c.config.ClientAuth >= VerifyClientCertIfGiven && + len(sessionState.verifiedChains) == 0 { + return nil + } + + // RFC 7627, Section 5.3 + if !sessionState.extMasterSecret && hs.clientHello.extendedMasterSecret { + return nil + } + if sessionState.extMasterSecret && !hs.clientHello.extendedMasterSecret { + // Aborting is somewhat harsh, but it's a MUST and it would indicate a + // weird downgrade in client capabilities. + return errors.New("tls: session supported extended_master_secret but client does not") + } + + c.peerCertificates = sessionState.peerCertificates + c.ocspResponse = sessionState.ocspResponse + c.scts = sessionState.scts + c.verifiedChains = sessionState.verifiedChains + c.extMasterSecret = sessionState.extMasterSecret + hs.sessionState = sessionState + hs.suite = suite + c.didResume = true + return nil +} + +func (hs *serverHandshakeState) doResumeHandshake() error { + c := hs.c + + hs.hello.cipherSuite = hs.suite.id + c.cipherSuite = hs.suite.id + // We echo the client's session ID in the ServerHello to let it know + // that we're doing a resumption. + hs.hello.sessionId = hs.clientHello.sessionId + // We always send a new session ticket, even if it wraps the same master + // secret and it's potentially encrypted with the same key, to help the + // client avoid cross-connection tracking from a network observer. + hs.hello.ticketSupported = true + hs.finishedHash = newFinishedHash(c.vers, hs.suite) + hs.finishedHash.discardHandshakeBuffer() + if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil { + return err + } + if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil { + return err + } + + if c.config.VerifyConnection != nil { + if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil { + c.sendAlert(alertBadCertificate) + return err + } + } + + hs.masterSecret = hs.sessionState.secret + + return nil +} + +func (hs *serverHandshakeState) doFullHandshake() error { + c := hs.c + + if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 { + hs.hello.ocspStapling = true + } + + hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled + hs.hello.cipherSuite = hs.suite.id + + hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite) + if c.config.ClientAuth == NoClientCert { + // No need to keep a full record of the handshake if client + // certificates won't be used. + hs.finishedHash.discardHandshakeBuffer() + } + if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil { + return err + } + if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil { + return err + } + + certMsg := new(certificateMsg) + certMsg.certificates = hs.cert.Certificate + if _, err := hs.c.writeHandshakeRecord(certMsg, &hs.finishedHash); err != nil { + return err + } + + if hs.hello.ocspStapling { + certStatus := new(certificateStatusMsg) + certStatus.response = hs.cert.OCSPStaple + if _, err := hs.c.writeHandshakeRecord(certStatus, &hs.finishedHash); err != nil { + return err + } + } + + keyAgreement := hs.suite.ka(c.vers) + skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello) + if err != nil { + c.sendAlert(alertHandshakeFailure) + return err + } + if skx != nil { + if _, err := hs.c.writeHandshakeRecord(skx, &hs.finishedHash); err != nil { + return err + } + } + + var certReq *certificateRequestMsg + if c.config.ClientAuth >= RequestClientCert { + // Request a client certificate + certReq = new(certificateRequestMsg) + certReq.certificateTypes = []byte{ + byte(certTypeRSASign), + byte(certTypeECDSASign), + } + if c.vers >= VersionTLS12 { + certReq.hasSignatureAlgorithm = true + certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms() + } + + // An empty list of certificateAuthorities signals to + // the client that it may send any certificate in response + // to our request. When we know the CAs we trust, then + // we can send them down, so that the client can choose + // an appropriate certificate to give to us. + if c.config.ClientCAs != nil { + certReq.certificateAuthorities = c.config.ClientCAs.Subjects() + } + if _, err := hs.c.writeHandshakeRecord(certReq, &hs.finishedHash); err != nil { + return err + } + } + + helloDone := new(serverHelloDoneMsg) + if _, err := hs.c.writeHandshakeRecord(helloDone, &hs.finishedHash); err != nil { + return err + } + + if _, err := c.flush(); err != nil { + return err + } + + var pub crypto.PublicKey // public key for client auth, if any + + msg, err := c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } + + // If we requested a client certificate, then the client must send a + // certificate message, even if it's empty. + if c.config.ClientAuth >= RequestClientCert { + certMsg, ok := msg.(*certificateMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(certMsg, msg) + } + + if err := c.processCertsFromClient(Certificate{ + Certificate: certMsg.certificates, + }); err != nil { + return err + } + if len(certMsg.certificates) != 0 { + pub = c.peerCertificates[0].PublicKey + } + + msg, err = c.readHandshake(&hs.finishedHash) + if err != nil { + return err + } + } + if c.config.VerifyConnection != nil { + if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil { + c.sendAlert(alertBadCertificate) + return err + } + } + + // Get client key exchange + ckx, ok := msg.(*clientKeyExchangeMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(ckx, msg) + } + + preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers) + if err != nil { + c.sendAlert(alertHandshakeFailure) + return err + } + if hs.hello.extendedMasterSecret { + c.extMasterSecret = true + hs.masterSecret = extMasterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, + hs.finishedHash.Sum()) + } else { + hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, + hs.clientHello.random, hs.hello.random) + } + if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.clientHello.random, hs.masterSecret); err != nil { + c.sendAlert(alertInternalError) + return err + } + + // If we received a client cert in response to our certificate request message, + // the client will send us a certificateVerifyMsg immediately after the + // clientKeyExchangeMsg. This message is a digest of all preceding + // handshake-layer messages that is signed using the private key corresponding + // to the client's certificate. This allows us to verify that the client is in + // possession of the private key of the certificate. + if len(c.peerCertificates) > 0 { + // certificateVerifyMsg is included in the transcript, but not until + // after we verify the handshake signature, since the state before + // this message was sent is used. + msg, err = c.readHandshake(nil) + if err != nil { + return err + } + certVerify, ok := msg.(*certificateVerifyMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(certVerify, msg) + } + + var sigType uint8 + var sigHash crypto.Hash + if c.vers >= VersionTLS12 { + if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, certReq.supportedSignatureAlgorithms) { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: client certificate used with invalid signature algorithm") + } + sigType, sigHash, err = typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm) + if err != nil { + return c.sendAlert(alertInternalError) + } + } else { + sigType, sigHash, err = legacyTypeAndHashFromPublicKey(pub) + if err != nil { + c.sendAlert(alertIllegalParameter) + return err + } + } + + signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash) + if err := verifyHandshakeSignature(sigType, pub, sigHash, signed, certVerify.signature); err != nil { + c.sendAlert(alertDecryptError) + return errors.New("tls: invalid signature by the client certificate: " + err.Error()) + } + + if err := transcriptMsg(certVerify, &hs.finishedHash); err != nil { + return err + } + } + + hs.finishedHash.discardHandshakeBuffer() + + return nil +} + +func (hs *serverHandshakeState) establishKeys() error { + c := hs.c + + clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV := + keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen) + + var clientCipher, serverCipher any + var clientHash, serverHash hash.Hash + + if hs.suite.aead == nil { + clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */) + clientHash = hs.suite.mac(clientMAC) + serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */) + serverHash = hs.suite.mac(serverMAC) + } else { + clientCipher = hs.suite.aead(clientKey, clientIV) + serverCipher = hs.suite.aead(serverKey, serverIV) + } + + c.in.prepareCipherSpec(c.vers, clientCipher, clientHash) + c.out.prepareCipherSpec(c.vers, serverCipher, serverHash) + + return nil +} + +func (hs *serverHandshakeState) readFinished(out []byte) error { + c := hs.c + + if err := c.readChangeCipherSpec(); err != nil { + return err + } + + // finishedMsg is included in the transcript, but not until after we + // check the client version, since the state before this message was + // sent is used during verification. + msg, err := c.readHandshake(nil) + if err != nil { + return err + } + clientFinished, ok := msg.(*finishedMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(clientFinished, msg) + } + + verify := hs.finishedHash.clientSum(hs.masterSecret) + if len(verify) != len(clientFinished.verifyData) || + subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 { + c.sendAlert(alertHandshakeFailure) + return errors.New("tls: client's Finished message is incorrect") + } + + if err := transcriptMsg(clientFinished, &hs.finishedHash); err != nil { + return err + } + + copy(out, verify) + return nil +} + +func (hs *serverHandshakeState) sendSessionTicket() error { + if !hs.hello.ticketSupported { + return nil + } + + c := hs.c + m := new(newSessionTicketMsg) + + state, err := c.sessionState() + if err != nil { + return err + } + state.secret = hs.masterSecret + if hs.sessionState != nil { + // If this is re-wrapping an old key, then keep + // the original time it was created. + state.createdAt = hs.sessionState.createdAt + } + if c.config.WrapSession != nil { + m.ticket, err = c.config.WrapSession(c.connectionStateLocked(), state) + if err != nil { + return err + } + } else { + stateBytes, err := state.Bytes() + if err != nil { + return err + } + m.ticket, err = c.config.encryptTicket(stateBytes, c.ticketKeys) + if err != nil { + return err + } + } + + if _, err := hs.c.writeHandshakeRecord(m, &hs.finishedHash); err != nil { + return err + } + + return nil +} + +func (hs *serverHandshakeState) sendFinished(out []byte) error { + c := hs.c + + if err := c.writeChangeCipherRecord(); err != nil { + return err + } + + finished := new(finishedMsg) + finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret) + if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil { + return err + } + + copy(out, finished.verifyData) + + return nil +} + +// processCertsFromClient takes a chain of client certificates either from a +// Certificates message and verifies them. +func (c *Conn) processCertsFromClient(certificate Certificate) error { + certificates := certificate.Certificate + certs := make([]*x509.Certificate, len(certificates)) + var err error + for i, asn1Data := range certificates { + if certs[i], err = x509.ParseCertificate(asn1Data); err != nil { + c.sendAlert(alertBadCertificate) + return errors.New("tls: failed to parse client certificate: " + err.Error()) + } + if certs[i].PublicKeyAlgorithm == x509.RSA { + n := certs[i].PublicKey.(*rsa.PublicKey).N.BitLen() + if max, ok := checkKeySize(n); !ok { + c.sendAlert(alertBadCertificate) + return fmt.Errorf("tls: client sent certificate containing RSA key larger than %d bits", max) + } + } + } + + if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) { + if c.vers == VersionTLS13 { + c.sendAlert(alertCertificateRequired) + } else { + c.sendAlert(alertBadCertificate) + } + return errors.New("tls: client didn't provide a certificate") + } + + if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 { + opts := x509.VerifyOptions{ + Roots: c.config.ClientCAs, + CurrentTime: c.config.time(), + Intermediates: x509.NewCertPool(), + KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, + } + + for _, cert := range certs[1:] { + opts.Intermediates.AddCert(cert) + } + + chains, err := certs[0].Verify(opts) + if err != nil { + var errCertificateInvalid x509.CertificateInvalidError + if errors.As(err, &x509.UnknownAuthorityError{}) { + c.sendAlert(alertUnknownCA) + } else if errors.As(err, &errCertificateInvalid) && errCertificateInvalid.Reason == x509.Expired { + c.sendAlert(alertCertificateExpired) + } else { + c.sendAlert(alertBadCertificate) + } + return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err} + } + + c.verifiedChains = chains + } + + c.peerCertificates = certs + c.ocspResponse = certificate.OCSPStaple + c.scts = certificate.SignedCertificateTimestamps + + if len(certs) > 0 { + switch certs[0].PublicKey.(type) { + case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey: + default: + c.sendAlert(alertUnsupportedCertificate) + return fmt.Errorf("tls: client certificate contains an unsupported public key of type %T", certs[0].PublicKey) + } + } + + if c.config.VerifyPeerCertificate != nil { + if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil { + c.sendAlert(alertBadCertificate) + return err + } + } + + return nil +} + +func clientHelloInfo(ctx context.Context, c *Conn, clientHello *clientHelloMsg) *ClientHelloInfo { + supportedVersions := clientHello.supportedVersions + if len(clientHello.supportedVersions) == 0 { + supportedVersions = supportedVersionsFromMax(clientHello.vers) + } + + return &ClientHelloInfo{ + CipherSuites: clientHello.cipherSuites, + ServerName: clientHello.serverName, + SupportedCurves: clientHello.supportedCurves, + SupportedPoints: clientHello.supportedPoints, + SignatureSchemes: clientHello.supportedSignatureAlgorithms, + SupportedProtos: clientHello.alpnProtocols, + SupportedVersions: supportedVersions, + Conn: c.conn, + config: c.config, + ctx: ctx, + } +} diff --git a/pkg/tls/handshake_server_test.go b/pkg/tls/handshake_server_test.go new file mode 100644 index 000000000..15db76071 --- /dev/null +++ b/pkg/tls/handshake_server_test.go @@ -0,0 +1,2049 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "bytes" + "context" + "crypto" + "crypto/ecdh" + "crypto/elliptic" + "crypto/rand" + "crypto/x509" + "encoding/pem" + "errors" + "fmt" + "io" + "net" + "os" + "os/exec" + "path/filepath" + "runtime" + "strings" + "testing" + "time" +) + +func testClientHello(t *testing.T, serverConfig *Config, m handshakeMessage) { + testClientHelloFailure(t, serverConfig, m, "") +} + +// testFatal is a hack to prevent the compiler from complaining that there is a +// call to t.Fatal from a non-test goroutine +func testFatal(t *testing.T, err error) { + t.Helper() + t.Fatal(err) +} + +func testClientHelloFailure(t *testing.T, serverConfig *Config, m handshakeMessage, expectedSubStr string) { + c, s := localPipe(t) + go func() { + cli := Client(c, testConfig) + if ch, ok := m.(*clientHelloMsg); ok { + cli.vers = ch.vers + } + if _, err := cli.writeHandshakeRecord(m, nil); err != nil { + testFatal(t, err) + } + c.Close() + }() + ctx := context.Background() + conn := Server(s, serverConfig) + ch, err := conn.readClientHello(ctx) + hs := serverHandshakeState{ + c: conn, + ctx: ctx, + clientHello: ch, + } + if err == nil { + err = hs.processClientHello() + } + if err == nil { + err = hs.pickCipherSuite() + } + s.Close() + if len(expectedSubStr) == 0 { + if err != nil && err != io.EOF { + t.Errorf("Got error: %s; expected to succeed", err) + } + } else if err == nil || !strings.Contains(err.Error(), expectedSubStr) { + t.Errorf("Got error: %v; expected to match substring '%s'", err, expectedSubStr) + } +} + +func TestSimpleError(t *testing.T) { + testClientHelloFailure(t, testConfig, &serverHelloDoneMsg{}, "unexpected handshake message") +} + +var badProtocolVersions = []uint16{0x0000, 0x0005, 0x0100, 0x0105, 0x0200, 0x0205, VersionSSL30} + +func TestRejectBadProtocolVersion(t *testing.T) { + config := testConfig.Clone() + config.MinVersion = VersionSSL30 + for _, v := range badProtocolVersions { + testClientHelloFailure(t, config, &clientHelloMsg{ + vers: v, + random: make([]byte, 32), + }, "unsupported versions") + } + testClientHelloFailure(t, config, &clientHelloMsg{ + vers: VersionTLS12, + supportedVersions: badProtocolVersions, + random: make([]byte, 32), + }, "unsupported versions") +} + +func TestNoSuiteOverlap(t *testing.T) { + clientHello := &clientHelloMsg{ + vers: VersionTLS10, + random: make([]byte, 32), + cipherSuites: []uint16{0xff00}, + compressionMethods: []uint8{compressionNone}, + } + testClientHelloFailure(t, testConfig, clientHello, "no cipher suite supported by both client and server") +} + +func TestNoCompressionOverlap(t *testing.T) { + clientHello := &clientHelloMsg{ + vers: VersionTLS10, + random: make([]byte, 32), + cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA}, + compressionMethods: []uint8{0xff}, + } + testClientHelloFailure(t, testConfig, clientHello, "client does not support uncompressed connections") +} + +func TestNoRC4ByDefault(t *testing.T) { + clientHello := &clientHelloMsg{ + vers: VersionTLS10, + random: make([]byte, 32), + cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA}, + compressionMethods: []uint8{compressionNone}, + } + serverConfig := testConfig.Clone() + // Reset the enabled cipher suites to nil in order to test the + // defaults. + serverConfig.CipherSuites = nil + testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server") +} + +func TestRejectSNIWithTrailingDot(t *testing.T) { + testClientHelloFailure(t, testConfig, &clientHelloMsg{ + vers: VersionTLS12, + random: make([]byte, 32), + serverName: "foo.com.", + }, "unexpected message") +} + +func TestDontSelectECDSAWithRSAKey(t *testing.T) { + // Test that, even when both sides support an ECDSA cipher suite, it + // won't be selected if the server's private key doesn't support it. + clientHello := &clientHelloMsg{ + vers: VersionTLS10, + random: make([]byte, 32), + cipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA}, + compressionMethods: []uint8{compressionNone}, + supportedCurves: []CurveID{CurveP256}, + supportedPoints: []uint8{pointFormatUncompressed}, + } + serverConfig := testConfig.Clone() + serverConfig.CipherSuites = clientHello.cipherSuites + serverConfig.Certificates = make([]Certificate, 1) + serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate} + serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey + serverConfig.BuildNameToCertificate() + // First test that it *does* work when the server's key is ECDSA. + testClientHello(t, serverConfig, clientHello) + + // Now test that switching to an RSA key causes the expected error (and + // not an internal error about a signing failure). + serverConfig.Certificates = testConfig.Certificates + testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server") +} + +func TestDontSelectRSAWithECDSAKey(t *testing.T) { + // Test that, even when both sides support an RSA cipher suite, it + // won't be selected if the server's private key doesn't support it. + clientHello := &clientHelloMsg{ + vers: VersionTLS10, + random: make([]byte, 32), + cipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}, + compressionMethods: []uint8{compressionNone}, + supportedCurves: []CurveID{CurveP256}, + supportedPoints: []uint8{pointFormatUncompressed}, + } + serverConfig := testConfig.Clone() + serverConfig.CipherSuites = clientHello.cipherSuites + // First test that it *does* work when the server's key is RSA. + testClientHello(t, serverConfig, clientHello) + + // Now test that switching to an ECDSA key causes the expected error + // (and not an internal error about a signing failure). + serverConfig.Certificates = make([]Certificate, 1) + serverConfig.Certificates[0].Certificate = [][]byte{testECDSACertificate} + serverConfig.Certificates[0].PrivateKey = testECDSAPrivateKey + serverConfig.BuildNameToCertificate() + testClientHelloFailure(t, serverConfig, clientHello, "no cipher suite supported by both client and server") +} + +func TestRenegotiationExtension(t *testing.T) { + clientHello := &clientHelloMsg{ + vers: VersionTLS12, + compressionMethods: []uint8{compressionNone}, + random: make([]byte, 32), + secureRenegotiationSupported: true, + cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA}, + } + + bufChan := make(chan []byte, 1) + c, s := localPipe(t) + + go func() { + cli := Client(c, testConfig) + cli.vers = clientHello.vers + if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil { + testFatal(t, err) + } + + buf := make([]byte, 1024) + n, err := c.Read(buf) + if err != nil { + t.Errorf("Server read returned error: %s", err) + return + } + c.Close() + bufChan <- buf[:n] + }() + + Server(s, testConfig).Handshake() + buf := <-bufChan + + if len(buf) < 5+4 { + t.Fatalf("Server returned short message of length %d", len(buf)) + } + // buf contains a TLS record, with a 5 byte record header and a 4 byte + // handshake header. The length of the ServerHello is taken from the + // handshake header. + serverHelloLen := int(buf[6])<<16 | int(buf[7])<<8 | int(buf[8]) + + var serverHello serverHelloMsg + // unmarshal expects to be given the handshake header, but + // serverHelloLen doesn't include it. + if !serverHello.unmarshal(buf[5 : 9+serverHelloLen]) { + t.Fatalf("Failed to parse ServerHello") + } + + if !serverHello.secureRenegotiationSupported { + t.Errorf("Secure renegotiation extension was not echoed.") + } +} + +func TestTLS12OnlyCipherSuites(t *testing.T) { + // Test that a Server doesn't select a TLS 1.2-only cipher suite when + // the client negotiates TLS 1.1. + clientHello := &clientHelloMsg{ + vers: VersionTLS11, + random: make([]byte, 32), + cipherSuites: []uint16{ + // The Server, by default, will use the client's + // preference order. So the GCM cipher suite + // will be selected unless it's excluded because + // of the version in this ClientHello. + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_RC4_128_SHA, + }, + compressionMethods: []uint8{compressionNone}, + supportedCurves: []CurveID{CurveP256, CurveP384, CurveP521}, + supportedPoints: []uint8{pointFormatUncompressed}, + } + + c, s := localPipe(t) + replyChan := make(chan any) + go func() { + cli := Client(c, testConfig) + cli.vers = clientHello.vers + if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil { + testFatal(t, err) + } + reply, err := cli.readHandshake(nil) + c.Close() + if err != nil { + replyChan <- err + } else { + replyChan <- reply + } + }() + config := testConfig.Clone() + config.CipherSuites = clientHello.cipherSuites + Server(s, config).Handshake() + s.Close() + reply := <-replyChan + if err, ok := reply.(error); ok { + t.Fatal(err) + } + serverHello, ok := reply.(*serverHelloMsg) + if !ok { + t.Fatalf("didn't get ServerHello message in reply. Got %v\n", reply) + } + if s := serverHello.cipherSuite; s != TLS_RSA_WITH_RC4_128_SHA { + t.Fatalf("bad cipher suite from server: %x", s) + } +} + +func TestTLSPointFormats(t *testing.T) { + // Test that a Server returns the ec_point_format extension when ECC is + // negotiated, and not on a RSA handshake or if ec_point_format is missing. + tests := []struct { + name string + cipherSuites []uint16 + supportedCurves []CurveID + supportedPoints []uint8 + wantSupportedPoints bool + }{ + {"ECC", []uint16{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}, []CurveID{CurveP256}, []uint8{pointFormatUncompressed}, true}, + {"ECC without ec_point_format", []uint16{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}, []CurveID{CurveP256}, nil, false}, + {"ECC with extra values", []uint16{TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}, []CurveID{CurveP256}, []uint8{13, 37, pointFormatUncompressed, 42}, true}, + {"RSA", []uint16{TLS_RSA_WITH_AES_256_GCM_SHA384}, nil, nil, false}, + {"RSA with ec_point_format", []uint16{TLS_RSA_WITH_AES_256_GCM_SHA384}, nil, []uint8{pointFormatUncompressed}, false}, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + clientHello := &clientHelloMsg{ + vers: VersionTLS12, + random: make([]byte, 32), + cipherSuites: tt.cipherSuites, + compressionMethods: []uint8{compressionNone}, + supportedCurves: tt.supportedCurves, + supportedPoints: tt.supportedPoints, + } + + c, s := localPipe(t) + replyChan := make(chan any) + go func() { + cli := Client(c, testConfig) + cli.vers = clientHello.vers + if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil { + testFatal(t, err) + } + reply, err := cli.readHandshake(nil) + c.Close() + if err != nil { + replyChan <- err + } else { + replyChan <- reply + } + }() + config := testConfig.Clone() + config.CipherSuites = clientHello.cipherSuites + Server(s, config).Handshake() + s.Close() + reply := <-replyChan + if err, ok := reply.(error); ok { + t.Fatal(err) + } + serverHello, ok := reply.(*serverHelloMsg) + if !ok { + t.Fatalf("didn't get ServerHello message in reply. Got %v\n", reply) + } + if tt.wantSupportedPoints { + if !bytes.Equal(serverHello.supportedPoints, []uint8{pointFormatUncompressed}) { + t.Fatal("incorrect ec_point_format extension from server") + } + } else { + if len(serverHello.supportedPoints) != 0 { + t.Fatalf("unexpected ec_point_format extension from server: %v", serverHello.supportedPoints) + } + } + }) + } +} + +func TestAlertForwarding(t *testing.T) { + c, s := localPipe(t) + go func() { + Client(c, testConfig).sendAlert(alertUnknownCA) + c.Close() + }() + + err := Server(s, testConfig).Handshake() + s.Close() + var opErr *net.OpError + if !errors.As(err, &opErr) || opErr.Err != error(alertUnknownCA) { + t.Errorf("Got error: %s; expected: %s", err, error(alertUnknownCA)) + } +} + +func TestClose(t *testing.T) { + c, s := localPipe(t) + go c.Close() + + err := Server(s, testConfig).Handshake() + s.Close() + if err != io.EOF { + t.Errorf("Got error: %s; expected: %s", err, io.EOF) + } +} + +func TestVersion(t *testing.T) { + serverConfig := &Config{ + Certificates: testConfig.Certificates, + MaxVersion: VersionTLS13, + } + clientConfig := &Config{ + InsecureSkipVerify: true, + MinVersion: VersionTLS12, + } + state, _, err := testHandshake(t, clientConfig, serverConfig) + if err != nil { + t.Fatalf("handshake failed: %s", err) + } + if state.Version != VersionTLS13 { + t.Fatalf("incorrect version %x, should be %x", state.Version, VersionTLS11) + } + + clientConfig.MinVersion = 0 + serverConfig.MaxVersion = VersionTLS11 + _, _, err = testHandshake(t, clientConfig, serverConfig) + if err == nil { + t.Fatalf("expected failure to connect with TLS 1.0/1.1") + } +} + +func TestCipherSuitePreference(t *testing.T) { + serverConfig := &Config{ + CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256}, + Certificates: testConfig.Certificates, + MaxVersion: VersionTLS12, + GetConfigForClient: func(chi *ClientHelloInfo) (*Config, error) { + if chi.CipherSuites[0] != TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 { + t.Error("the advertised order should not depend on Config.CipherSuites") + } + if len(chi.CipherSuites) != 2+len(defaultCipherSuitesTLS13) { + t.Error("the advertised TLS 1.2 suites should be filtered by Config.CipherSuites") + } + return nil, nil + }, + } + clientConfig := &Config{ + CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256}, + InsecureSkipVerify: true, + } + state, _, err := testHandshake(t, clientConfig, serverConfig) + if err != nil { + t.Fatalf("handshake failed: %s", err) + } + if state.CipherSuite != TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 { + t.Error("the preference order should not depend on Config.CipherSuites") + } +} + +func TestSCTHandshake(t *testing.T) { + t.Run("TLSv12", func(t *testing.T) { testSCTHandshake(t, VersionTLS12) }) + t.Run("TLSv13", func(t *testing.T) { testSCTHandshake(t, VersionTLS13) }) +} + +func testSCTHandshake(t *testing.T, version uint16) { + expected := [][]byte{[]byte("certificate"), []byte("transparency")} + serverConfig := &Config{ + Certificates: []Certificate{{ + Certificate: [][]byte{testRSACertificate}, + PrivateKey: testRSAPrivateKey, + SignedCertificateTimestamps: expected, + }}, + MaxVersion: version, + } + clientConfig := &Config{ + InsecureSkipVerify: true, + } + _, state, err := testHandshake(t, clientConfig, serverConfig) + if err != nil { + t.Fatalf("handshake failed: %s", err) + } + actual := state.SignedCertificateTimestamps + if len(actual) != len(expected) { + t.Fatalf("got %d scts, want %d", len(actual), len(expected)) + } + for i, sct := range expected { + if !bytes.Equal(sct, actual[i]) { + t.Fatalf("SCT #%d was %x, but expected %x", i, actual[i], sct) + } + } +} + +func TestCrossVersionResume(t *testing.T) { + t.Run("TLSv12", func(t *testing.T) { testCrossVersionResume(t, VersionTLS12) }) + t.Run("TLSv13", func(t *testing.T) { testCrossVersionResume(t, VersionTLS13) }) +} + +func testCrossVersionResume(t *testing.T, version uint16) { + serverConfig := &Config{ + CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA}, + Certificates: testConfig.Certificates, + } + clientConfig := &Config{ + CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA}, + InsecureSkipVerify: true, + ClientSessionCache: NewLRUClientSessionCache(1), + ServerName: "servername", + MinVersion: VersionTLS12, + } + + // Establish a session at TLS 1.3. + clientConfig.MaxVersion = VersionTLS13 + _, _, err := testHandshake(t, clientConfig, serverConfig) + if err != nil { + t.Fatalf("handshake failed: %s", err) + } + + // The client session cache now contains a TLS 1.3 session. + state, _, err := testHandshake(t, clientConfig, serverConfig) + if err != nil { + t.Fatalf("handshake failed: %s", err) + } + if !state.DidResume { + t.Fatalf("handshake did not resume at the same version") + } + + // Test that the server will decline to resume at a lower version. + clientConfig.MaxVersion = VersionTLS12 + state, _, err = testHandshake(t, clientConfig, serverConfig) + if err != nil { + t.Fatalf("handshake failed: %s", err) + } + if state.DidResume { + t.Fatalf("handshake resumed at a lower version") + } + + // The client session cache now contains a TLS 1.2 session. + state, _, err = testHandshake(t, clientConfig, serverConfig) + if err != nil { + t.Fatalf("handshake failed: %s", err) + } + if !state.DidResume { + t.Fatalf("handshake did not resume at the same version") + } + + // Test that the server will decline to resume at a higher version. + clientConfig.MaxVersion = VersionTLS13 + state, _, err = testHandshake(t, clientConfig, serverConfig) + if err != nil { + t.Fatalf("handshake failed: %s", err) + } + if state.DidResume { + t.Fatalf("handshake resumed at a higher version") + } +} + +// Note: see comment in handshake_test.go for details of how the reference +// tests work. + +// serverTest represents a test of the TLS server handshake against a reference +// implementation. +type serverTest struct { + // name is a freeform string identifying the test and the file in which + // the expected results will be stored. + name string + // command, if not empty, contains a series of arguments for the + // command to run for the reference server. + command []string + // expectedPeerCerts contains a list of PEM blocks of expected + // certificates from the client. + expectedPeerCerts []string + // config, if not nil, contains a custom Config to use for this test. + config *Config + // expectHandshakeErrorIncluding, when not empty, contains a string + // that must be a substring of the error resulting from the handshake. + expectHandshakeErrorIncluding string + // validate, if not nil, is a function that will be called with the + // ConnectionState of the resulting connection. It returns false if the + // ConnectionState is unacceptable. + validate func(ConnectionState) error + // wait, if true, prevents this subtest from calling t.Parallel. + // If false, runServerTest* returns immediately. + wait bool +} + +var defaultClientCommand = []string{"openssl", "s_client", "-no_ticket"} + +// connFromCommand starts opens a listening socket and starts the reference +// client to connect to it. It returns a recordingConn that wraps the resulting +// connection. +func (test *serverTest) connFromCommand() (conn *recordingConn, child *exec.Cmd, err error) { + l, err := net.ListenTCP("tcp", &net.TCPAddr{ + IP: net.IPv4(127, 0, 0, 1), + Port: 0, + }) + if err != nil { + return nil, nil, err + } + defer l.Close() + + port := l.Addr().(*net.TCPAddr).Port + + var command []string + command = append(command, test.command...) + if len(command) == 0 { + command = defaultClientCommand + } + command = append(command, "-connect") + command = append(command, fmt.Sprintf("127.0.0.1:%d", port)) + cmd := exec.Command(command[0], command[1:]...) + cmd.Stdin = nil + var output bytes.Buffer + cmd.Stdout = &output + cmd.Stderr = &output + if err := cmd.Start(); err != nil { + return nil, nil, err + } + + connChan := make(chan any, 1) + go func() { + tcpConn, err := l.Accept() + if err != nil { + connChan <- err + return + } + connChan <- tcpConn + }() + + var tcpConn net.Conn + select { + case connOrError := <-connChan: + if err, ok := connOrError.(error); ok { + return nil, nil, err + } + tcpConn = connOrError.(net.Conn) + case <-time.After(2 * time.Second): + return nil, nil, errors.New("timed out waiting for connection from child process") + } + + record := &recordingConn{ + Conn: tcpConn, + } + + return record, cmd, nil +} + +func (test *serverTest) dataPath() string { + return filepath.Join("testdata", "Server-"+test.name) +} + +func (test *serverTest) loadData() (flows [][]byte, err error) { + in, err := os.Open(test.dataPath()) + if err != nil { + return nil, err + } + defer in.Close() + return parseTestData(in) +} + +func (test *serverTest) run(t *testing.T, write bool) { + var clientConn, serverConn net.Conn + var recordingConn *recordingConn + var childProcess *exec.Cmd + + if write { + var err error + recordingConn, childProcess, err = test.connFromCommand() + if err != nil { + t.Fatalf("Failed to start subcommand: %s", err) + } + serverConn = recordingConn + defer func() { + if t.Failed() { + t.Logf("OpenSSL output:\n\n%s", childProcess.Stdout) + } + }() + } else { + clientConn, serverConn = localPipe(t) + } + config := test.config + if config == nil { + config = testConfig + } + server := Server(serverConn, config) + connStateChan := make(chan ConnectionState, 1) + go func() { + _, err := server.Write([]byte("hello, world\n")) + if len(test.expectHandshakeErrorIncluding) > 0 { + if err == nil { + t.Errorf("Error expected, but no error returned") + } else if s := err.Error(); !strings.Contains(s, test.expectHandshakeErrorIncluding) { + t.Errorf("Error expected containing '%s' but got '%s'", test.expectHandshakeErrorIncluding, s) + } + } else { + if err != nil { + t.Logf("Error from Server.Write: '%s'", err) + } + } + server.Close() + serverConn.Close() + connStateChan <- server.ConnectionState() + }() + + if !write { + flows, err := test.loadData() + if err != nil { + t.Fatalf("%s: failed to load data from %s", test.name, test.dataPath()) + } + for i, b := range flows { + if i%2 == 0 { + if *fast { + clientConn.SetWriteDeadline(time.Now().Add(1 * time.Second)) + } else { + clientConn.SetWriteDeadline(time.Now().Add(1 * time.Minute)) + } + clientConn.Write(b) + continue + } + bb := make([]byte, len(b)) + if *fast { + clientConn.SetReadDeadline(time.Now().Add(1 * time.Second)) + } else { + clientConn.SetReadDeadline(time.Now().Add(1 * time.Minute)) + } + n, err := io.ReadFull(clientConn, bb) + if err != nil { + t.Fatalf("%s #%d: %s\nRead %d, wanted %d, got %x, wanted %x\n", test.name, i+1, err, n, len(bb), bb[:n], b) + } + if !bytes.Equal(b, bb) { + t.Fatalf("%s #%d: mismatch on read: got:%x want:%x", test.name, i+1, bb, b) + } + } + clientConn.Close() + } + + connState := <-connStateChan + peerCerts := connState.PeerCertificates + if len(peerCerts) == len(test.expectedPeerCerts) { + for i, peerCert := range peerCerts { + block, _ := pem.Decode([]byte(test.expectedPeerCerts[i])) + if !bytes.Equal(block.Bytes, peerCert.Raw) { + t.Fatalf("%s: mismatch on peer cert %d", test.name, i+1) + } + } + } else { + t.Fatalf("%s: mismatch on peer list length: %d (wanted) != %d (got)", test.name, len(test.expectedPeerCerts), len(peerCerts)) + } + + if test.validate != nil { + if err := test.validate(connState); err != nil { + t.Fatalf("validate callback returned error: %s", err) + } + } + + if write { + path := test.dataPath() + out, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0644) + if err != nil { + t.Fatalf("Failed to create output file: %s", err) + } + defer out.Close() + recordingConn.Close() + if len(recordingConn.flows) < 3 { + if len(test.expectHandshakeErrorIncluding) == 0 { + t.Fatalf("Handshake failed") + } + } + recordingConn.WriteTo(out) + t.Logf("Wrote %s\n", path) + childProcess.Wait() + } +} + +func runServerTestForVersion(t *testing.T, template *serverTest, version, option string) { + // Make a deep copy of the template before going parallel. + test := *template + if template.config != nil { + test.config = template.config.Clone() + } + test.name = version + "-" + test.name + if len(test.command) == 0 { + test.command = defaultClientCommand + } + test.command = append([]string(nil), test.command...) + test.command = append(test.command, option) + + runTestAndUpdateIfNeeded(t, version, test.run, test.wait) +} + +func runServerTestTLS10(t *testing.T, template *serverTest) { + runServerTestForVersion(t, template, "TLSv10", "-tls1") +} + +func runServerTestTLS11(t *testing.T, template *serverTest) { + runServerTestForVersion(t, template, "TLSv11", "-tls1_1") +} + +func runServerTestTLS12(t *testing.T, template *serverTest) { + runServerTestForVersion(t, template, "TLSv12", "-tls1_2") +} + +func runServerTestTLS13(t *testing.T, template *serverTest) { + runServerTestForVersion(t, template, "TLSv13", "-tls1_3") +} + +func TestHandshakeServerRSARC4(t *testing.T) { + test := &serverTest{ + name: "RSA-RC4", + command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "RC4-SHA"}, + } + runServerTestTLS10(t, test) + runServerTestTLS11(t, test) + runServerTestTLS12(t, test) +} + +func TestHandshakeServerRSA3DES(t *testing.T) { + test := &serverTest{ + name: "RSA-3DES", + command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "DES-CBC3-SHA"}, + } + runServerTestTLS10(t, test) + runServerTestTLS12(t, test) +} + +func TestHandshakeServerRSAAES(t *testing.T) { + test := &serverTest{ + name: "RSA-AES", + command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA"}, + } + runServerTestTLS10(t, test) + runServerTestTLS12(t, test) +} + +func TestHandshakeServerAESGCM(t *testing.T) { + test := &serverTest{ + name: "RSA-AES-GCM", + command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES128-GCM-SHA256"}, + } + runServerTestTLS12(t, test) +} + +func TestHandshakeServerAES256GCMSHA384(t *testing.T) { + test := &serverTest{ + name: "RSA-AES256-GCM-SHA384", + command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-AES256-GCM-SHA384"}, + } + runServerTestTLS12(t, test) +} + +func TestHandshakeServerAES128SHA256(t *testing.T) { + test := &serverTest{ + name: "AES128-SHA256", + command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_AES_128_GCM_SHA256"}, + } + runServerTestTLS13(t, test) +} +func TestHandshakeServerAES256SHA384(t *testing.T) { + test := &serverTest{ + name: "AES256-SHA384", + command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_AES_256_GCM_SHA384"}, + } + runServerTestTLS13(t, test) +} +func TestHandshakeServerCHACHA20SHA256(t *testing.T) { + test := &serverTest{ + name: "CHACHA20-SHA256", + command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"}, + } + runServerTestTLS13(t, test) +} + +func TestHandshakeServerECDHEECDSAAES(t *testing.T) { + config := testConfig.Clone() + config.Certificates = make([]Certificate, 1) + config.Certificates[0].Certificate = [][]byte{testECDSACertificate} + config.Certificates[0].PrivateKey = testECDSAPrivateKey + config.BuildNameToCertificate() + + test := &serverTest{ + name: "ECDHE-ECDSA-AES", + command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-ECDSA-AES256-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256"}, + config: config, + } + runServerTestTLS10(t, test) + runServerTestTLS12(t, test) + runServerTestTLS13(t, test) +} + +func TestHandshakeServerX25519(t *testing.T) { + config := testConfig.Clone() + config.CurvePreferences = []CurveID{X25519} + + test := &serverTest{ + name: "X25519", + command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "X25519"}, + config: config, + } + runServerTestTLS12(t, test) + runServerTestTLS13(t, test) +} + +func TestHandshakeServerP256(t *testing.T) { + config := testConfig.Clone() + config.CurvePreferences = []CurveID{CurveP256} + + test := &serverTest{ + name: "P256", + command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "P-256"}, + config: config, + } + runServerTestTLS12(t, test) + runServerTestTLS13(t, test) +} + +func TestHandshakeServerHelloRetryRequest(t *testing.T) { + config := testConfig.Clone() + config.CurvePreferences = []CurveID{CurveP256} + + test := &serverTest{ + name: "HelloRetryRequest", + command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-curves", "X25519:P-256"}, + config: config, + } + runServerTestTLS13(t, test) +} + +func TestHandshakeServerALPN(t *testing.T) { + config := testConfig.Clone() + config.NextProtos = []string{"proto1", "proto2"} + + test := &serverTest{ + name: "ALPN", + // Note that this needs OpenSSL 1.0.2 because that is the first + // version that supports the -alpn flag. + command: []string{"openssl", "s_client", "-alpn", "proto2,proto1", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"}, + config: config, + validate: func(state ConnectionState) error { + // The server's preferences should override the client. + if state.NegotiatedProtocol != "proto1" { + return fmt.Errorf("Got protocol %q, wanted proto1", state.NegotiatedProtocol) + } + return nil + }, + } + runServerTestTLS12(t, test) + runServerTestTLS13(t, test) +} + +func TestHandshakeServerALPNNoMatch(t *testing.T) { + config := testConfig.Clone() + config.NextProtos = []string{"proto3"} + + test := &serverTest{ + name: "ALPN-NoMatch", + // Note that this needs OpenSSL 1.0.2 because that is the first + // version that supports the -alpn flag. + command: []string{"openssl", "s_client", "-alpn", "proto2,proto1", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"}, + config: config, + expectHandshakeErrorIncluding: "client requested unsupported application protocol", + } + runServerTestTLS12(t, test) + runServerTestTLS13(t, test) +} + +func TestHandshakeServerALPNNotConfigured(t *testing.T) { + config := testConfig.Clone() + config.NextProtos = nil + + test := &serverTest{ + name: "ALPN-NotConfigured", + // Note that this needs OpenSSL 1.0.2 because that is the first + // version that supports the -alpn flag. + command: []string{"openssl", "s_client", "-alpn", "proto2,proto1", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"}, + config: config, + validate: func(state ConnectionState) error { + if state.NegotiatedProtocol != "" { + return fmt.Errorf("Got protocol %q, wanted nothing", state.NegotiatedProtocol) + } + return nil + }, + } + runServerTestTLS12(t, test) + runServerTestTLS13(t, test) +} + +func TestHandshakeServerALPNFallback(t *testing.T) { + config := testConfig.Clone() + config.NextProtos = []string{"proto1", "h2", "proto2"} + + test := &serverTest{ + name: "ALPN-Fallback", + // Note that this needs OpenSSL 1.0.2 because that is the first + // version that supports the -alpn flag. + command: []string{"openssl", "s_client", "-alpn", "proto3,http/1.1,proto4", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"}, + config: config, + validate: func(state ConnectionState) error { + if state.NegotiatedProtocol != "" { + return fmt.Errorf("Got protocol %q, wanted nothing", state.NegotiatedProtocol) + } + return nil + }, + } + runServerTestTLS12(t, test) + runServerTestTLS13(t, test) +} + +// TestHandshakeServerSNI involves a client sending an SNI extension of +// "snitest.com", which happens to match the CN of testSNICertificate. The test +// verifies that the server correctly selects that certificate. +func TestHandshakeServerSNI(t *testing.T) { + test := &serverTest{ + name: "SNI", + command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"}, + } + runServerTestTLS12(t, test) +} + +// TestHandshakeServerSNICertForName is similar to TestHandshakeServerSNI, but +// tests the dynamic GetCertificate method +func TestHandshakeServerSNIGetCertificate(t *testing.T) { + config := testConfig.Clone() + + // Replace the NameToCertificate map with a GetCertificate function + nameToCert := config.NameToCertificate + config.NameToCertificate = nil + config.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) { + cert := nameToCert[clientHello.ServerName] + return cert, nil + } + test := &serverTest{ + name: "SNI-GetCertificate", + command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"}, + config: config, + } + runServerTestTLS12(t, test) +} + +// TestHandshakeServerSNICertForNameNotFound is similar to +// TestHandshakeServerSNICertForName, but tests to make sure that when the +// GetCertificate method doesn't return a cert, we fall back to what's in +// the NameToCertificate map. +func TestHandshakeServerSNIGetCertificateNotFound(t *testing.T) { + config := testConfig.Clone() + + config.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) { + return nil, nil + } + test := &serverTest{ + name: "SNI-GetCertificateNotFound", + command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-servername", "snitest.com"}, + config: config, + } + runServerTestTLS12(t, test) +} + +// TestHandshakeServerSNICertForNameError tests to make sure that errors in +// GetCertificate result in a tls alert. +func TestHandshakeServerSNIGetCertificateError(t *testing.T) { + const errMsg = "TestHandshakeServerSNIGetCertificateError error" + + serverConfig := testConfig.Clone() + serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) { + return nil, errors.New(errMsg) + } + + clientHello := &clientHelloMsg{ + vers: VersionTLS10, + random: make([]byte, 32), + cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA}, + compressionMethods: []uint8{compressionNone}, + serverName: "test", + } + testClientHelloFailure(t, serverConfig, clientHello, errMsg) +} + +// TestHandshakeServerEmptyCertificates tests that GetCertificates is called in +// the case that Certificates is empty, even without SNI. +func TestHandshakeServerEmptyCertificates(t *testing.T) { + const errMsg = "TestHandshakeServerEmptyCertificates error" + + serverConfig := testConfig.Clone() + serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) { + return nil, errors.New(errMsg) + } + serverConfig.Certificates = nil + + clientHello := &clientHelloMsg{ + vers: VersionTLS10, + random: make([]byte, 32), + cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA}, + compressionMethods: []uint8{compressionNone}, + } + testClientHelloFailure(t, serverConfig, clientHello, errMsg) + + // With an empty Certificates and a nil GetCertificate, the server + // should always return a “no certificates” error. + serverConfig.GetCertificate = nil + + clientHello = &clientHelloMsg{ + vers: VersionTLS10, + random: make([]byte, 32), + cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA}, + compressionMethods: []uint8{compressionNone}, + } + testClientHelloFailure(t, serverConfig, clientHello, "no certificates") +} + +func TestServerResumption(t *testing.T) { + sessionFilePath := tempFile("") + defer os.Remove(sessionFilePath) + + testIssue := &serverTest{ + name: "IssueTicket", + command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_out", sessionFilePath}, + wait: true, + } + testResume := &serverTest{ + name: "Resume", + command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_in", sessionFilePath}, + validate: func(state ConnectionState) error { + if !state.DidResume { + return errors.New("did not resume") + } + return nil + }, + } + + runServerTestTLS12(t, testIssue) + runServerTestTLS12(t, testResume) + + runServerTestTLS13(t, testIssue) + runServerTestTLS13(t, testResume) + + config := testConfig.Clone() + config.CurvePreferences = []CurveID{CurveP256} + + testResumeHRR := &serverTest{ + name: "Resume-HelloRetryRequest", + command: []string{"openssl", "s_client", "-curves", "X25519:P-256", "-cipher", "AES128-SHA", "-ciphersuites", + "TLS_AES_128_GCM_SHA256", "-sess_in", sessionFilePath}, + config: config, + validate: func(state ConnectionState) error { + if !state.DidResume { + return errors.New("did not resume") + } + return nil + }, + } + + runServerTestTLS13(t, testResumeHRR) +} + +func TestServerResumptionDisabled(t *testing.T) { + sessionFilePath := tempFile("") + defer os.Remove(sessionFilePath) + + config := testConfig.Clone() + + testIssue := &serverTest{ + name: "IssueTicketPreDisable", + command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_out", sessionFilePath}, + config: config, + wait: true, + } + testResume := &serverTest{ + name: "ResumeDisabled", + command: []string{"openssl", "s_client", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", "-sess_in", sessionFilePath}, + config: config, + validate: func(state ConnectionState) error { + if state.DidResume { + return errors.New("resumed with SessionTicketsDisabled") + } + return nil + }, + } + + config.SessionTicketsDisabled = false + runServerTestTLS12(t, testIssue) + config.SessionTicketsDisabled = true + runServerTestTLS12(t, testResume) + + config.SessionTicketsDisabled = false + runServerTestTLS13(t, testIssue) + config.SessionTicketsDisabled = true + runServerTestTLS13(t, testResume) +} + +func TestFallbackSCSV(t *testing.T) { + serverConfig := Config{ + Certificates: testConfig.Certificates, + MinVersion: VersionTLS11, + } + test := &serverTest{ + name: "FallbackSCSV", + config: &serverConfig, + // OpenSSL 1.0.1j is needed for the -fallback_scsv option. + command: []string{"openssl", "s_client", "-fallback_scsv"}, + expectHandshakeErrorIncluding: "inappropriate protocol fallback", + } + runServerTestTLS11(t, test) +} + +func TestHandshakeServerExportKeyingMaterial(t *testing.T) { + test := &serverTest{ + name: "ExportKeyingMaterial", + command: []string{"openssl", "s_client", "-cipher", "ECDHE-RSA-AES256-SHA", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"}, + config: testConfig.Clone(), + validate: func(state ConnectionState) error { + if km, err := state.ExportKeyingMaterial("test", nil, 42); err != nil { + return fmt.Errorf("ExportKeyingMaterial failed: %v", err) + } else if len(km) != 42 { + return fmt.Errorf("Got %d bytes from ExportKeyingMaterial, wanted %d", len(km), 42) + } + return nil + }, + } + runServerTestTLS10(t, test) + runServerTestTLS12(t, test) + runServerTestTLS13(t, test) +} + +func TestHandshakeServerRSAPKCS1v15(t *testing.T) { + test := &serverTest{ + name: "RSA-RSAPKCS1v15", + command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-sigalgs", "rsa_pkcs1_sha256"}, + } + runServerTestTLS12(t, test) +} + +func TestHandshakeServerRSAPSS(t *testing.T) { + // We send rsa_pss_rsae_sha512 first, as the test key won't fit, and we + // verify the server implementation will disregard the client preference in + // that case. See Issue 29793. + test := &serverTest{ + name: "RSA-RSAPSS", + command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-RSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-sigalgs", "rsa_pss_rsae_sha512:rsa_pss_rsae_sha256"}, + } + runServerTestTLS12(t, test) + runServerTestTLS13(t, test) + + test = &serverTest{ + name: "RSA-RSAPSS-TooSmall", + command: []string{"openssl", "s_client", "-no_ticket", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256", "-sigalgs", "rsa_pss_rsae_sha512"}, + expectHandshakeErrorIncluding: "peer doesn't support any of the certificate's signature algorithms", + } + runServerTestTLS13(t, test) +} + +func TestHandshakeServerEd25519(t *testing.T) { + config := testConfig.Clone() + config.Certificates = make([]Certificate, 1) + config.Certificates[0].Certificate = [][]byte{testEd25519Certificate} + config.Certificates[0].PrivateKey = testEd25519PrivateKey + config.BuildNameToCertificate() + + test := &serverTest{ + name: "Ed25519", + command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "ECDHE-ECDSA-CHACHA20-POLY1305", "-ciphersuites", "TLS_CHACHA20_POLY1305_SHA256"}, + config: config, + } + runServerTestTLS12(t, test) + runServerTestTLS13(t, test) +} + +func benchmarkHandshakeServer(b *testing.B, version uint16, cipherSuite uint16, curve CurveID, cert []byte, key crypto.PrivateKey) { + config := testConfig.Clone() + config.CipherSuites = []uint16{cipherSuite} + config.CurvePreferences = []CurveID{curve} + config.Certificates = make([]Certificate, 1) + config.Certificates[0].Certificate = [][]byte{cert} + config.Certificates[0].PrivateKey = key + config.BuildNameToCertificate() + + clientConn, serverConn := localPipe(b) + serverConn = &recordingConn{Conn: serverConn} + go func() { + config := testConfig.Clone() + config.MaxVersion = version + config.CurvePreferences = []CurveID{curve} + client := Client(clientConn, config) + client.Handshake() + }() + server := Server(serverConn, config) + if err := server.Handshake(); err != nil { + b.Fatalf("handshake failed: %v", err) + } + serverConn.Close() + flows := serverConn.(*recordingConn).flows + + feeder := make(chan struct{}) + clientConn, serverConn = localPipe(b) + + go func() { + for range feeder { + for i, f := range flows { + if i%2 == 0 { + clientConn.Write(f) + continue + } + ff := make([]byte, len(f)) + n, err := io.ReadFull(clientConn, ff) + if err != nil { + b.Errorf("#%d: %s\nRead %d, wanted %d, got %x, wanted %x\n", i+1, err, n, len(ff), ff[:n], f) + } + if !bytes.Equal(f, ff) { + b.Errorf("#%d: mismatch on read: got:%x want:%x", i+1, ff, f) + } + } + } + }() + + b.ResetTimer() + for i := 0; i < b.N; i++ { + feeder <- struct{}{} + server := Server(serverConn, config) + if err := server.Handshake(); err != nil { + b.Fatalf("handshake failed: %v", err) + } + } + close(feeder) +} + +func BenchmarkHandshakeServer(b *testing.B) { + b.Run("RSA", func(b *testing.B) { + benchmarkHandshakeServer(b, VersionTLS12, TLS_RSA_WITH_AES_128_GCM_SHA256, + 0, testRSACertificate, testRSAPrivateKey) + }) + b.Run("ECDHE-P256-RSA", func(b *testing.B) { + b.Run("TLSv13", func(b *testing.B) { + benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + CurveP256, testRSACertificate, testRSAPrivateKey) + }) + b.Run("TLSv12", func(b *testing.B) { + benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + CurveP256, testRSACertificate, testRSAPrivateKey) + }) + }) + b.Run("ECDHE-P256-ECDSA-P256", func(b *testing.B) { + b.Run("TLSv13", func(b *testing.B) { + benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + CurveP256, testP256Certificate, testP256PrivateKey) + }) + b.Run("TLSv12", func(b *testing.B) { + benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + CurveP256, testP256Certificate, testP256PrivateKey) + }) + }) + b.Run("ECDHE-X25519-ECDSA-P256", func(b *testing.B) { + b.Run("TLSv13", func(b *testing.B) { + benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + X25519, testP256Certificate, testP256PrivateKey) + }) + b.Run("TLSv12", func(b *testing.B) { + benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + X25519, testP256Certificate, testP256PrivateKey) + }) + }) + b.Run("ECDHE-P521-ECDSA-P521", func(b *testing.B) { + if testECDSAPrivateKey.PublicKey.Curve != elliptic.P521() { + b.Fatal("test ECDSA key doesn't use curve P-521") + } + b.Run("TLSv13", func(b *testing.B) { + benchmarkHandshakeServer(b, VersionTLS13, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + CurveP521, testECDSACertificate, testECDSAPrivateKey) + }) + b.Run("TLSv12", func(b *testing.B) { + benchmarkHandshakeServer(b, VersionTLS12, TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, + CurveP521, testECDSACertificate, testECDSAPrivateKey) + }) + }) +} + +func TestClientAuth(t *testing.T) { + var certPath, keyPath, ecdsaCertPath, ecdsaKeyPath, ed25519CertPath, ed25519KeyPath string + + if *update { + certPath = tempFile(clientCertificatePEM) + defer os.Remove(certPath) + keyPath = tempFile(clientKeyPEM) + defer os.Remove(keyPath) + ecdsaCertPath = tempFile(clientECDSACertificatePEM) + defer os.Remove(ecdsaCertPath) + ecdsaKeyPath = tempFile(clientECDSAKeyPEM) + defer os.Remove(ecdsaKeyPath) + ed25519CertPath = tempFile(clientEd25519CertificatePEM) + defer os.Remove(ed25519CertPath) + ed25519KeyPath = tempFile(clientEd25519KeyPEM) + defer os.Remove(ed25519KeyPath) + } else { + t.Parallel() + } + + config := testConfig.Clone() + config.ClientAuth = RequestClientCert + + test := &serverTest{ + name: "ClientAuthRequestedNotGiven", + command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256"}, + config: config, + } + runServerTestTLS12(t, test) + runServerTestTLS13(t, test) + + test = &serverTest{ + name: "ClientAuthRequestedAndGiven", + command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", + "-cert", certPath, "-key", keyPath, "-client_sigalgs", "rsa_pss_rsae_sha256"}, + config: config, + expectedPeerCerts: []string{clientCertificatePEM}, + } + runServerTestTLS12(t, test) + runServerTestTLS13(t, test) + + test = &serverTest{ + name: "ClientAuthRequestedAndECDSAGiven", + command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", + "-cert", ecdsaCertPath, "-key", ecdsaKeyPath}, + config: config, + expectedPeerCerts: []string{clientECDSACertificatePEM}, + } + runServerTestTLS12(t, test) + runServerTestTLS13(t, test) + + test = &serverTest{ + name: "ClientAuthRequestedAndEd25519Given", + command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-ciphersuites", "TLS_AES_128_GCM_SHA256", + "-cert", ed25519CertPath, "-key", ed25519KeyPath}, + config: config, + expectedPeerCerts: []string{clientEd25519CertificatePEM}, + } + runServerTestTLS12(t, test) + runServerTestTLS13(t, test) + + test = &serverTest{ + name: "ClientAuthRequestedAndPKCS1v15Given", + command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", + "-cert", certPath, "-key", keyPath, "-client_sigalgs", "rsa_pkcs1_sha256"}, + config: config, + expectedPeerCerts: []string{clientCertificatePEM}, + } + runServerTestTLS12(t, test) +} + +func TestSNIGivenOnFailure(t *testing.T) { + const expectedServerName = "test.testing" + + clientHello := &clientHelloMsg{ + vers: VersionTLS10, + random: make([]byte, 32), + cipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA}, + compressionMethods: []uint8{compressionNone}, + serverName: expectedServerName, + } + + serverConfig := testConfig.Clone() + // Erase the server's cipher suites to ensure the handshake fails. + serverConfig.CipherSuites = nil + + c, s := localPipe(t) + go func() { + cli := Client(c, testConfig) + cli.vers = clientHello.vers + if _, err := cli.writeHandshakeRecord(clientHello, nil); err != nil { + testFatal(t, err) + } + c.Close() + }() + conn := Server(s, serverConfig) + ctx := context.Background() + ch, err := conn.readClientHello(ctx) + hs := serverHandshakeState{ + c: conn, + ctx: ctx, + clientHello: ch, + } + if err == nil { + err = hs.processClientHello() + } + if err == nil { + err = hs.pickCipherSuite() + } + defer s.Close() + + if err == nil { + t.Error("No error reported from server") + } + + cs := hs.c.ConnectionState() + if cs.HandshakeComplete { + t.Error("Handshake registered as complete") + } + + if cs.ServerName != expectedServerName { + t.Errorf("Expected ServerName of %q, but got %q", expectedServerName, cs.ServerName) + } +} + +var getConfigForClientTests = []struct { + setup func(config *Config) + callback func(clientHello *ClientHelloInfo) (*Config, error) + errorSubstring string + verify func(config *Config) error +}{ + { + nil, + func(clientHello *ClientHelloInfo) (*Config, error) { + return nil, nil + }, + "", + nil, + }, + { + nil, + func(clientHello *ClientHelloInfo) (*Config, error) { + return nil, errors.New("should bubble up") + }, + "should bubble up", + nil, + }, + { + nil, + func(clientHello *ClientHelloInfo) (*Config, error) { + config := testConfig.Clone() + // Setting a maximum version of TLS 1.1 should cause + // the handshake to fail, as the client MinVersion is TLS 1.2. + config.MaxVersion = VersionTLS11 + return config, nil + }, + "client offered only unsupported versions", + nil, + }, + { + func(config *Config) { + for i := range config.SessionTicketKey { + config.SessionTicketKey[i] = byte(i) + } + config.sessionTicketKeys = nil + }, + func(clientHello *ClientHelloInfo) (*Config, error) { + config := testConfig.Clone() + for i := range config.SessionTicketKey { + config.SessionTicketKey[i] = 0 + } + config.sessionTicketKeys = nil + return config, nil + }, + "", + func(config *Config) error { + if config.SessionTicketKey == [32]byte{} { + return fmt.Errorf("expected SessionTicketKey to be set") + } + return nil + }, + }, + { + func(config *Config) { + var dummyKey [32]byte + for i := range dummyKey { + dummyKey[i] = byte(i) + } + + config.SetSessionTicketKeys([][32]byte{dummyKey}) + }, + func(clientHello *ClientHelloInfo) (*Config, error) { + config := testConfig.Clone() + config.sessionTicketKeys = nil + return config, nil + }, + "", + func(config *Config) error { + if config.SessionTicketKey == [32]byte{} { + return fmt.Errorf("expected SessionTicketKey to be set") + } + return nil + }, + }, +} + +func TestGetConfigForClient(t *testing.T) { + serverConfig := testConfig.Clone() + clientConfig := testConfig.Clone() + clientConfig.MinVersion = VersionTLS12 + + for i, test := range getConfigForClientTests { + if test.setup != nil { + test.setup(serverConfig) + } + + var configReturned *Config + serverConfig.GetConfigForClient = func(clientHello *ClientHelloInfo) (*Config, error) { + config, err := test.callback(clientHello) + configReturned = config + return config, err + } + c, s := localPipe(t) + done := make(chan error) + + go func() { + defer s.Close() + done <- Server(s, serverConfig).Handshake() + }() + + clientErr := Client(c, clientConfig).Handshake() + c.Close() + + serverErr := <-done + + if len(test.errorSubstring) == 0 { + if serverErr != nil || clientErr != nil { + t.Errorf("test[%d]: expected no error but got serverErr: %q, clientErr: %q", i, serverErr, clientErr) + } + if test.verify != nil { + if err := test.verify(configReturned); err != nil { + t.Errorf("test[%d]: verify returned error: %v", i, err) + } + } + } else { + if serverErr == nil { + t.Errorf("test[%d]: expected error containing %q but got no error", i, test.errorSubstring) + } else if !strings.Contains(serverErr.Error(), test.errorSubstring) { + t.Errorf("test[%d]: expected error to contain %q but it was %q", i, test.errorSubstring, serverErr) + } + } + } +} + +func TestCloseServerConnectionOnIdleClient(t *testing.T) { + clientConn, serverConn := localPipe(t) + server := Server(serverConn, testConfig.Clone()) + go func() { + clientConn.Write([]byte{'0'}) + server.Close() + }() + server.SetReadDeadline(time.Now().Add(time.Minute)) + err := server.Handshake() + if err != nil { + if err, ok := err.(net.Error); ok && err.Timeout() { + t.Errorf("Expected a closed network connection error but got '%s'", err.Error()) + } + } else { + t.Errorf("Error expected, but no error returned") + } +} + +func TestCloneHash(t *testing.T) { + h1 := crypto.SHA256.New() + h1.Write([]byte("test")) + s1 := h1.Sum(nil) + h2 := cloneHash(h1, crypto.SHA256) + s2 := h2.Sum(nil) + if !bytes.Equal(s1, s2) { + t.Error("cloned hash generated a different sum") + } +} + +func expectError(t *testing.T, err error, sub string) { + if err == nil { + t.Errorf(`expected error %q, got nil`, sub) + } else if !strings.Contains(err.Error(), sub) { + t.Errorf(`expected error %q, got %q`, sub, err) + } +} + +func TestKeyTooSmallForRSAPSS(t *testing.T) { + cert, err := X509KeyPair([]byte(`-----BEGIN CERTIFICATE----- +MIIBcTCCARugAwIBAgIQGjQnkCFlUqaFlt6ixyz/tDANBgkqhkiG9w0BAQsFADAS +MRAwDgYDVQQKEwdBY21lIENvMB4XDTE5MDExODIzMjMyOFoXDTIwMDExODIzMjMy +OFowEjEQMA4GA1UEChMHQWNtZSBDbzBcMA0GCSqGSIb3DQEBAQUAA0sAMEgCQQDd +ez1rFUDwax2HTxbcnFUP9AhcgEGMHVV2nn4VVEWFJB6I8C/Nkx0XyyQlrmFYBzEQ +nIPhKls4T0hFoLvjJnXpAgMBAAGjTTBLMA4GA1UdDwEB/wQEAwIFoDATBgNVHSUE +DDAKBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMBYGA1UdEQQPMA2CC2V4YW1wbGUu +Y29tMA0GCSqGSIb3DQEBCwUAA0EAxDuUS+BrrS3c+h+k+fQPOmOScy6yTX9mHw0Q +KbucGamXYEy0URIwOdO0tQ3LHPc1YGvYSPwkDjkjqECs2Vm/AA== +-----END CERTIFICATE-----`), []byte(testingKey(`-----BEGIN RSA TESTING KEY----- +MIIBOgIBAAJBAN17PWsVQPBrHYdPFtycVQ/0CFyAQYwdVXaefhVURYUkHojwL82T +HRfLJCWuYVgHMRCcg+EqWzhPSEWgu+MmdekCAwEAAQJBALjQYNTdXF4CFBbXwUz/ +yt9QFDYT9B5WT/12jeGAe653gtYS6OOi/+eAkGmzg1GlRnw6fOfn+HYNFDORST7z +4j0CIQDn2xz9hVWQEu9ee3vecNT3f60huDGTNoRhtqgweQGX0wIhAPSLj1VcRZEz +nKpbtU22+PbIMSJ+e80fmY9LIPx5N4HTAiAthGSimMR9bloz0EY3GyuUEyqoDgMd +hXxjuno2WesoJQIgemilbcALXpxsLmZLgcQ2KSmaVr7jb5ECx9R+hYKTw1sCIG4s +T+E0J8wlH24pgwQHzy7Ko2qLwn1b5PW8ecrlvP1g +-----END RSA TESTING KEY-----`))) + if err != nil { + t.Fatal(err) + } + + clientConn, serverConn := localPipe(t) + client := Client(clientConn, testConfig) + done := make(chan struct{}) + go func() { + config := testConfig.Clone() + config.Certificates = []Certificate{cert} + config.MinVersion = VersionTLS13 + server := Server(serverConn, config) + err := server.Handshake() + expectError(t, err, "key size too small") + close(done) + }() + err = client.Handshake() + expectError(t, err, "handshake failure") + <-done +} + +func TestMultipleCertificates(t *testing.T) { + clientConfig := testConfig.Clone() + clientConfig.CipherSuites = []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256} + clientConfig.MaxVersion = VersionTLS12 + + serverConfig := testConfig.Clone() + serverConfig.Certificates = []Certificate{{ + Certificate: [][]byte{testECDSACertificate}, + PrivateKey: testECDSAPrivateKey, + }, { + Certificate: [][]byte{testRSACertificate}, + PrivateKey: testRSAPrivateKey, + }} + + _, clientState, err := testHandshake(t, clientConfig, serverConfig) + if err != nil { + t.Fatal(err) + } + if got := clientState.PeerCertificates[0].PublicKeyAlgorithm; got != x509.RSA { + t.Errorf("expected RSA certificate, got %v", got) + } +} + +func TestAESCipherReordering(t *testing.T) { + currentAESSupport := hasAESGCMHardwareSupport + defer func() { hasAESGCMHardwareSupport = currentAESSupport }() + + tests := []struct { + name string + clientCiphers []uint16 + serverHasAESGCM bool + serverCiphers []uint16 + expectedCipher uint16 + }{ + { + name: "server has hardware AES, client doesn't (pick ChaCha)", + clientCiphers: []uint16{ + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_128_CBC_SHA, + }, + serverHasAESGCM: true, + expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + }, + { + name: "client prefers AES-GCM, server doesn't have hardware AES (pick ChaCha)", + clientCiphers: []uint16{ + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + TLS_RSA_WITH_AES_128_CBC_SHA, + }, + serverHasAESGCM: false, + expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + }, + { + name: "client prefers AES-GCM, server has hardware AES (pick AES-GCM)", + clientCiphers: []uint16{ + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + TLS_RSA_WITH_AES_128_CBC_SHA, + }, + serverHasAESGCM: true, + expectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + }, + { + name: "client prefers AES-GCM and sends GREASE, server has hardware AES (pick AES-GCM)", + clientCiphers: []uint16{ + 0x0A0A, // GREASE value + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + TLS_RSA_WITH_AES_128_CBC_SHA, + }, + serverHasAESGCM: true, + expectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + }, + { + name: "client prefers AES-GCM and doesn't support ChaCha, server doesn't have hardware AES (pick AES-GCM)", + clientCiphers: []uint16{ + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_128_CBC_SHA, + }, + serverHasAESGCM: false, + expectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + }, + { + name: "client prefers AES-GCM and AES-CBC over ChaCha, server doesn't have hardware AES (pick ChaCha)", + clientCiphers: []uint16{ + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + }, + serverHasAESGCM: false, + expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + }, + { + name: "client prefers AES-GCM over ChaCha and sends GREASE, server doesn't have hardware AES (pick ChaCha)", + clientCiphers: []uint16{ + 0x0A0A, // GREASE value + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + TLS_RSA_WITH_AES_128_CBC_SHA, + }, + serverHasAESGCM: false, + expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + }, + { + name: "client supports multiple AES-GCM, server doesn't have hardware AES and doesn't support ChaCha (AES-GCM)", + clientCiphers: []uint16{ + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + }, + serverHasAESGCM: false, + serverCiphers: []uint16{ + TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + }, + expectedCipher: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + }, + { + name: "client prefers AES-GCM, server has hardware but doesn't support AES (pick ChaCha)", + clientCiphers: []uint16{ + TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + TLS_RSA_WITH_AES_128_CBC_SHA, + }, + serverHasAESGCM: true, + serverCiphers: []uint16{ + TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + }, + expectedCipher: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + hasAESGCMHardwareSupport = tc.serverHasAESGCM + hs := &serverHandshakeState{ + c: &Conn{ + config: &Config{ + CipherSuites: tc.serverCiphers, + }, + vers: VersionTLS12, + }, + clientHello: &clientHelloMsg{ + cipherSuites: tc.clientCiphers, + vers: VersionTLS12, + }, + ecdheOk: true, + rsaSignOk: true, + rsaDecryptOk: true, + } + + err := hs.pickCipherSuite() + if err != nil { + t.Errorf("pickCipherSuite failed: %s", err) + } + + if tc.expectedCipher != hs.suite.id { + t.Errorf("unexpected cipher chosen: want %d, got %d", tc.expectedCipher, hs.suite.id) + } + }) + } +} + +func TestAESCipherReorderingTLS13(t *testing.T) { + currentAESSupport := hasAESGCMHardwareSupport + defer func() { hasAESGCMHardwareSupport = currentAESSupport }() + + tests := []struct { + name string + clientCiphers []uint16 + serverHasAESGCM bool + expectedCipher uint16 + }{ + { + name: "server has hardware AES, client doesn't (pick ChaCha)", + clientCiphers: []uint16{ + TLS_CHACHA20_POLY1305_SHA256, + TLS_AES_128_GCM_SHA256, + }, + serverHasAESGCM: true, + expectedCipher: TLS_CHACHA20_POLY1305_SHA256, + }, + { + name: "neither server nor client have hardware AES (pick ChaCha)", + clientCiphers: []uint16{ + TLS_CHACHA20_POLY1305_SHA256, + TLS_AES_128_GCM_SHA256, + }, + serverHasAESGCM: false, + expectedCipher: TLS_CHACHA20_POLY1305_SHA256, + }, + { + name: "client prefers AES, server doesn't have hardware (pick ChaCha)", + clientCiphers: []uint16{ + TLS_AES_128_GCM_SHA256, + TLS_CHACHA20_POLY1305_SHA256, + }, + serverHasAESGCM: false, + expectedCipher: TLS_CHACHA20_POLY1305_SHA256, + }, + { + name: "client prefers AES and sends GREASE, server doesn't have hardware (pick ChaCha)", + clientCiphers: []uint16{ + 0x0A0A, // GREASE value + TLS_AES_128_GCM_SHA256, + TLS_CHACHA20_POLY1305_SHA256, + }, + serverHasAESGCM: false, + expectedCipher: TLS_CHACHA20_POLY1305_SHA256, + }, + { + name: "client prefers AES, server has hardware AES (pick AES)", + clientCiphers: []uint16{ + TLS_AES_128_GCM_SHA256, + TLS_CHACHA20_POLY1305_SHA256, + }, + serverHasAESGCM: true, + expectedCipher: TLS_AES_128_GCM_SHA256, + }, + { + name: "client prefers AES and sends GREASE, server has hardware AES (pick AES)", + clientCiphers: []uint16{ + 0x0A0A, // GREASE value + TLS_AES_128_GCM_SHA256, + TLS_CHACHA20_POLY1305_SHA256, + }, + serverHasAESGCM: true, + expectedCipher: TLS_AES_128_GCM_SHA256, + }, + } + + for _, tc := range tests { + t.Run(tc.name, func(t *testing.T) { + hasAESGCMHardwareSupport = tc.serverHasAESGCM + pk, _ := ecdh.X25519().GenerateKey(rand.Reader) + hs := &serverHandshakeStateTLS13{ + c: &Conn{ + config: &Config{}, + vers: VersionTLS13, + }, + clientHello: &clientHelloMsg{ + cipherSuites: tc.clientCiphers, + supportedVersions: []uint16{VersionTLS13}, + compressionMethods: []uint8{compressionNone}, + keyShares: []keyShare{{group: X25519, data: pk.PublicKey().Bytes()}}, + }, + } + + err := hs.processClientHello() + if err != nil { + t.Errorf("pickCipherSuite failed: %s", err) + } + + if tc.expectedCipher != hs.suite.id { + t.Errorf("unexpected cipher chosen: want %d, got %d", tc.expectedCipher, hs.suite.id) + } + }) + } +} + +// TestServerHandshakeContextCancellation tests that canceling +// the context given to the server side conn.HandshakeContext +// interrupts the in-progress handshake. +func TestServerHandshakeContextCancellation(t *testing.T) { + c, s := localPipe(t) + ctx, cancel := context.WithCancel(context.Background()) + unblockClient := make(chan struct{}) + defer close(unblockClient) + go func() { + cancel() + <-unblockClient + _ = c.Close() + }() + conn := Server(s, testConfig) + // Initiates server side handshake, which will block until a client hello is read + // unless the cancellation works. + err := conn.HandshakeContext(ctx) + if err == nil { + t.Fatal("Server handshake did not error when the context was canceled") + } + if err != context.Canceled { + t.Errorf("Unexpected server handshake error: %v", err) + } + if runtime.GOARCH == "wasm" { + t.Skip("conn.Close does not error as expected when called multiple times on WASM") + } + err = conn.Close() + if err == nil { + t.Error("Server connection was not closed when the context was canceled") + } +} + +// TestHandshakeContextHierarchy tests whether the contexts +// available to GetClientCertificate and GetCertificate are +// derived from the context provided to HandshakeContext, and +// that those contexts are canceled after HandshakeContext has +// returned. +func TestHandshakeContextHierarchy(t *testing.T) { + c, s := localPipe(t) + clientErr := make(chan error, 1) + clientConfig := testConfig.Clone() + serverConfig := testConfig.Clone() + ctx, cancel := context.WithCancel(context.Background()) + defer cancel() + key := struct{}{} + ctx = context.WithValue(ctx, key, true) + go func() { + defer close(clientErr) + defer c.Close() + var innerCtx context.Context + clientConfig.Certificates = nil + clientConfig.GetClientCertificate = func(certificateRequest *CertificateRequestInfo) (*Certificate, error) { + if val, ok := certificateRequest.Context().Value(key).(bool); !ok || !val { + t.Errorf("GetClientCertificate context was not child of HandshakeContext") + } + innerCtx = certificateRequest.Context() + return &Certificate{ + Certificate: [][]byte{testRSACertificate}, + PrivateKey: testRSAPrivateKey, + }, nil + } + cli := Client(c, clientConfig) + err := cli.HandshakeContext(ctx) + if err != nil { + clientErr <- err + return + } + select { + case <-innerCtx.Done(): + default: + t.Errorf("GetClientCertificate context was not canceled after HandshakeContext returned.") + } + }() + var innerCtx context.Context + serverConfig.Certificates = nil + serverConfig.ClientAuth = RequestClientCert + serverConfig.GetCertificate = func(clientHello *ClientHelloInfo) (*Certificate, error) { + if val, ok := clientHello.Context().Value(key).(bool); !ok || !val { + t.Errorf("GetClientCertificate context was not child of HandshakeContext") + } + innerCtx = clientHello.Context() + return &Certificate{ + Certificate: [][]byte{testRSACertificate}, + PrivateKey: testRSAPrivateKey, + }, nil + } + conn := Server(s, serverConfig) + err := conn.HandshakeContext(ctx) + if err != nil { + t.Errorf("Unexpected server handshake error: %v", err) + } + select { + case <-innerCtx.Done(): + default: + t.Errorf("GetCertificate context was not canceled after HandshakeContext returned.") + } + if err := <-clientErr; err != nil { + t.Errorf("Unexpected client error: %v", err) + } +} diff --git a/pkg/tls/handshake_server_tls13.go b/pkg/tls/handshake_server_tls13.go new file mode 100644 index 000000000..b4b2b8d47 --- /dev/null +++ b/pkg/tls/handshake_server_tls13.go @@ -0,0 +1,1001 @@ +// Copyright 2018 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "bytes" + "context" + "crypto" + "crypto/hmac" + "crypto/rsa" + "encoding/binary" + "errors" + "hash" + "io" + "time" +) + +// maxClientPSKIdentities is the number of client PSK identities the server will +// attempt to validate. It will ignore the rest not to let cheap ClientHello +// messages cause too much work in session ticket decryption attempts. +const maxClientPSKIdentities = 5 + +type serverHandshakeStateTLS13 struct { + c *Conn + ctx context.Context + clientHello *clientHelloMsg + hello *serverHelloMsg + sentDummyCCS bool + usingPSK bool + earlyData bool + suite *cipherSuiteTLS13 + cert *Certificate + sigAlg SignatureScheme + earlySecret []byte + sharedKey []byte + handshakeSecret []byte + masterSecret []byte + trafficSecret []byte // client_application_traffic_secret_0 + transcript hash.Hash + clientFinished []byte +} + +func (hs *serverHandshakeStateTLS13) handshake() error { + c := hs.c + + if needFIPS() { + return errors.New("tls: internal error: TLS 1.3 reached in FIPS mode") + } + + // For an overview of the TLS 1.3 handshake, see RFC 8446, Section 2. + if err := hs.processClientHello(); err != nil { + return err + } + if err := hs.checkForResumption(); err != nil { + return err + } + if err := hs.pickCertificate(); err != nil { + return err + } + c.buffering = true + if err := hs.sendServerParameters(); err != nil { + return err + } + if err := hs.sendServerCertificate(); err != nil { + return err + } + if err := hs.sendServerFinished(); err != nil { + return err + } + // Note that at this point we could start sending application data without + // waiting for the client's second flight, but the application might not + // expect the lack of replay protection of the ClientHello parameters. + if _, err := c.flush(); err != nil { + return err + } + if err := hs.readClientCertificate(); err != nil { + return err + } + /*if err := hs.readClientFinished(); err != nil { + return err + }*/ + + c.readClientFinished = hs.readClientFinished + c.isWaitClientFinished.Store(true) + + //c.isHandshakeComplete.Store(true) + + return nil +} + +func (hs *serverHandshakeStateTLS13) processClientHello() error { + c := hs.c + + hs.hello = new(serverHelloMsg) + + // TLS 1.3 froze the ServerHello.legacy_version field, and uses + // supported_versions instead. See RFC 8446, sections 4.1.3 and 4.2.1. + hs.hello.vers = VersionTLS12 + hs.hello.supportedVersion = c.vers + + if len(hs.clientHello.supportedVersions) == 0 { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: client used the legacy version field to negotiate TLS 1.3") + } + + // Abort if the client is doing a fallback and landing lower than what we + // support. See RFC 7507, which however does not specify the interaction + // with supported_versions. The only difference is that with + // supported_versions a client has a chance to attempt a [TLS 1.2, TLS 1.4] + // handshake in case TLS 1.3 is broken but 1.2 is not. Alas, in that case, + // it will have to drop the TLS_FALLBACK_SCSV protection if it falls back to + // TLS 1.2, because a TLS 1.3 server would abort here. The situation before + // supported_versions was not better because there was just no way to do a + // TLS 1.4 handshake without risking the server selecting TLS 1.3. + for _, id := range hs.clientHello.cipherSuites { + if id == TLS_FALLBACK_SCSV { + // Use c.vers instead of max(supported_versions) because an attacker + // could defeat this by adding an arbitrary high version otherwise. + if c.vers < c.config.maxSupportedVersion(roleServer) { + c.sendAlert(alertInappropriateFallback) + return errors.New("tls: client using inappropriate protocol fallback") + } + break + } + } + + if len(hs.clientHello.compressionMethods) != 1 || + hs.clientHello.compressionMethods[0] != compressionNone { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: TLS 1.3 client supports illegal compression methods") + } + + hs.hello.random = make([]byte, 32) + if _, err := io.ReadFull(c.config.rand(), hs.hello.random); err != nil { + c.sendAlert(alertInternalError) + return err + } + + if len(hs.clientHello.secureRenegotiation) != 0 { + c.sendAlert(alertHandshakeFailure) + return errors.New("tls: initial handshake had non-empty renegotiation extension") + } + + if hs.clientHello.earlyData && c.quic != nil { + if len(hs.clientHello.pskIdentities) == 0 { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: early_data without pre_shared_key") + } + } else if hs.clientHello.earlyData { + // See RFC 8446, Section 4.2.10 for the complicated behavior required + // here. The scenario is that a different server at our address offered + // to accept early data in the past, which we can't handle. For now, all + // 0-RTT enabled session tickets need to expire before a Go server can + // replace a server or join a pool. That's the same requirement that + // applies to mixing or replacing with any TLS 1.2 server. + c.sendAlert(alertUnsupportedExtension) + return errors.New("tls: client sent unexpected early data") + } + + hs.hello.sessionId = hs.clientHello.sessionId + hs.hello.compressionMethod = compressionNone + + preferenceList := defaultCipherSuitesTLS13 + if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) { + preferenceList = defaultCipherSuitesTLS13NoAES + } + for _, suiteID := range preferenceList { + hs.suite = mutualCipherSuiteTLS13(hs.clientHello.cipherSuites, suiteID) + if hs.suite != nil { + break + } + } + if hs.suite == nil { + c.sendAlert(alertHandshakeFailure) + return errors.New("tls: no cipher suite supported by both client and server") + } + c.cipherSuite = hs.suite.id + hs.hello.cipherSuite = hs.suite.id + hs.transcript = hs.suite.hash.New() + + // Pick the ECDHE group in server preference order, but give priority to + // groups with a key share, to avoid a HelloRetryRequest round-trip. + var selectedGroup CurveID + var clientKeyShare *keyShare +GroupSelection: + for _, preferredGroup := range c.config.curvePreferences() { + for _, ks := range hs.clientHello.keyShares { + if ks.group == preferredGroup { + selectedGroup = ks.group + clientKeyShare = &ks + break GroupSelection + } + } + if selectedGroup != 0 { + continue + } + for _, group := range hs.clientHello.supportedCurves { + if group == preferredGroup { + selectedGroup = group + break + } + } + } + if selectedGroup == 0 { + c.sendAlert(alertHandshakeFailure) + return errors.New("tls: no ECDHE curve supported by both client and server") + } + if clientKeyShare == nil { + if err := hs.doHelloRetryRequest(selectedGroup); err != nil { + return err + } + clientKeyShare = &hs.clientHello.keyShares[0] + } + + if _, ok := curveForCurveID(selectedGroup); !ok { + c.sendAlert(alertInternalError) + return errors.New("tls: CurvePreferences includes unsupported curve") + } + key, err := generateECDHEKey(c.config.rand(), selectedGroup) + if err != nil { + c.sendAlert(alertInternalError) + return err + } + hs.hello.serverShare = keyShare{group: selectedGroup, data: key.PublicKey().Bytes()} + peerKey, err := key.Curve().NewPublicKey(clientKeyShare.data) + if err != nil { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: invalid client key share") + } + hs.sharedKey, err = key.ECDH(peerKey) + if err != nil { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: invalid client key share") + } + + selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols, c.quic != nil) + if err != nil { + c.sendAlert(alertNoApplicationProtocol) + return err + } + c.clientProtocol = selectedProto + + if c.quic != nil { + // RFC 9001 Section 4.2: Clients MUST NOT offer TLS versions older than 1.3. + for _, v := range hs.clientHello.supportedVersions { + if v < VersionTLS13 { + c.sendAlert(alertProtocolVersion) + return errors.New("tls: client offered TLS version older than TLS 1.3") + } + } + // RFC 9001 Section 8.2. + if hs.clientHello.quicTransportParameters == nil { + c.sendAlert(alertMissingExtension) + return errors.New("tls: client did not send a quic_transport_parameters extension") + } + c.quicSetTransportParameters(hs.clientHello.quicTransportParameters) + } else { + if hs.clientHello.quicTransportParameters != nil { + c.sendAlert(alertUnsupportedExtension) + return errors.New("tls: client sent an unexpected quic_transport_parameters extension") + } + } + + c.serverName = hs.clientHello.serverName + return nil +} + +func (hs *serverHandshakeStateTLS13) checkForResumption() error { + c := hs.c + + if c.config.SessionTicketsDisabled { + return nil + } + + modeOK := false + for _, mode := range hs.clientHello.pskModes { + if mode == pskModeDHE { + modeOK = true + break + } + } + if !modeOK { + return nil + } + + if len(hs.clientHello.pskIdentities) != len(hs.clientHello.pskBinders) { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: invalid or missing PSK binders") + } + if len(hs.clientHello.pskIdentities) == 0 { + return nil + } + + for i, identity := range hs.clientHello.pskIdentities { + if i >= maxClientPSKIdentities { + break + } + + var sessionState *SessionState + if c.config.UnwrapSession != nil { + var err error + sessionState, err = c.config.UnwrapSession(identity.label, c.connectionStateLocked()) + if err != nil { + return err + } + if sessionState == nil { + continue + } + } else { + plaintext := c.config.decryptTicket(identity.label, c.ticketKeys) + if plaintext == nil { + continue + } + var err error + sessionState, err = ParseSessionState(plaintext) + if err != nil { + continue + } + } + + if sessionState.version != VersionTLS13 { + continue + } + + createdAt := time.Unix(int64(sessionState.createdAt), 0) + if c.config.time().Sub(createdAt) > maxSessionTicketLifetime { + continue + } + + pskSuite := cipherSuiteTLS13ByID(sessionState.cipherSuite) + if pskSuite == nil || pskSuite.hash != hs.suite.hash { + continue + } + + // PSK connections don't re-establish client certificates, but carry + // them over in the session ticket. Ensure the presence of client certs + // in the ticket is consistent with the configured requirements. + sessionHasClientCerts := len(sessionState.peerCertificates) != 0 + needClientCerts := requiresClientCert(c.config.ClientAuth) + if needClientCerts && !sessionHasClientCerts { + continue + } + if sessionHasClientCerts && c.config.ClientAuth == NoClientCert { + continue + } + if sessionHasClientCerts && c.config.time().After(sessionState.peerCertificates[0].NotAfter) { + continue + } + if sessionHasClientCerts && c.config.ClientAuth >= VerifyClientCertIfGiven && + len(sessionState.verifiedChains) == 0 { + continue + } + + hs.earlySecret = hs.suite.extract(sessionState.secret, nil) + binderKey := hs.suite.deriveSecret(hs.earlySecret, resumptionBinderLabel, nil) + // Clone the transcript in case a HelloRetryRequest was recorded. + transcript := cloneHash(hs.transcript, hs.suite.hash) + if transcript == nil { + c.sendAlert(alertInternalError) + return errors.New("tls: internal error: failed to clone hash") + } + clientHelloBytes, err := hs.clientHello.marshalWithoutBinders() + if err != nil { + c.sendAlert(alertInternalError) + return err + } + transcript.Write(clientHelloBytes) + pskBinder := hs.suite.finishedHash(binderKey, transcript) + if !hmac.Equal(hs.clientHello.pskBinders[i], pskBinder) { + c.sendAlert(alertDecryptError) + return errors.New("tls: invalid PSK binder") + } + + if c.quic != nil && hs.clientHello.earlyData && i == 0 && + sessionState.EarlyData && sessionState.cipherSuite == hs.suite.id && + sessionState.alpnProtocol == c.clientProtocol { + hs.earlyData = true + + transcript := hs.suite.hash.New() + if err := transcriptMsg(hs.clientHello, transcript); err != nil { + return err + } + earlyTrafficSecret := hs.suite.deriveSecret(hs.earlySecret, clientEarlyTrafficLabel, transcript) + c.quicSetReadSecret(QUICEncryptionLevelEarly, hs.suite.id, earlyTrafficSecret) + } + + c.didResume = true + c.peerCertificates = sessionState.peerCertificates + c.ocspResponse = sessionState.ocspResponse + c.scts = sessionState.scts + c.verifiedChains = sessionState.verifiedChains + + hs.hello.selectedIdentityPresent = true + hs.hello.selectedIdentity = uint16(i) + hs.usingPSK = true + return nil + } + + return nil +} + +// cloneHash uses the encoding.BinaryMarshaler and encoding.BinaryUnmarshaler +// interfaces implemented by standard library hashes to clone the state of in +// to a new instance of h. It returns nil if the operation fails. +func cloneHash(in hash.Hash, h crypto.Hash) hash.Hash { + // Recreate the interface to avoid importing encoding. + type binaryMarshaler interface { + MarshalBinary() (data []byte, err error) + UnmarshalBinary(data []byte) error + } + marshaler, ok := in.(binaryMarshaler) + if !ok { + return nil + } + state, err := marshaler.MarshalBinary() + if err != nil { + return nil + } + out := h.New() + unmarshaler, ok := out.(binaryMarshaler) + if !ok { + return nil + } + if err := unmarshaler.UnmarshalBinary(state); err != nil { + return nil + } + return out +} + +func (hs *serverHandshakeStateTLS13) pickCertificate() error { + c := hs.c + + // Only one of PSK and certificates are used at a time. + if hs.usingPSK { + return nil + } + + // signature_algorithms is required in TLS 1.3. See RFC 8446, Section 4.2.3. + if len(hs.clientHello.supportedSignatureAlgorithms) == 0 { + return c.sendAlert(alertMissingExtension) + } + + certificate, err := c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello)) + if err != nil { + if err == errNoCertificates { + c.sendAlert(alertUnrecognizedName) + } else { + c.sendAlert(alertInternalError) + } + return err + } + hs.sigAlg, err = selectSignatureScheme(c.vers, certificate, hs.clientHello.supportedSignatureAlgorithms) + if err != nil { + // getCertificate returned a certificate that is unsupported or + // incompatible with the client's signature algorithms. + c.sendAlert(alertHandshakeFailure) + return err + } + hs.cert = certificate + + return nil +} + +// sendDummyChangeCipherSpec sends a ChangeCipherSpec record for compatibility +// with middleboxes that didn't implement TLS correctly. See RFC 8446, Appendix D.4. +func (hs *serverHandshakeStateTLS13) sendDummyChangeCipherSpec() error { + if hs.c.quic != nil { + return nil + } + if hs.sentDummyCCS { + return nil + } + hs.sentDummyCCS = true + + return hs.c.writeChangeCipherRecord() +} + +func (hs *serverHandshakeStateTLS13) doHelloRetryRequest(selectedGroup CurveID) error { + c := hs.c + + // The first ClientHello gets double-hashed into the transcript upon a + // HelloRetryRequest. See RFC 8446, Section 4.4.1. + if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil { + return err + } + chHash := hs.transcript.Sum(nil) + hs.transcript.Reset() + hs.transcript.Write([]byte{typeMessageHash, 0, 0, uint8(len(chHash))}) + hs.transcript.Write(chHash) + + helloRetryRequest := &serverHelloMsg{ + vers: hs.hello.vers, + random: helloRetryRequestRandom, + sessionId: hs.hello.sessionId, + cipherSuite: hs.hello.cipherSuite, + compressionMethod: hs.hello.compressionMethod, + supportedVersion: hs.hello.supportedVersion, + selectedGroup: selectedGroup, + } + + if _, err := hs.c.writeHandshakeRecord(helloRetryRequest, hs.transcript); err != nil { + return err + } + + if err := hs.sendDummyChangeCipherSpec(); err != nil { + return err + } + + // clientHelloMsg is not included in the transcript. + msg, err := c.readHandshake(nil) + if err != nil { + return err + } + + clientHello, ok := msg.(*clientHelloMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(clientHello, msg) + } + + if len(clientHello.keyShares) != 1 || clientHello.keyShares[0].group != selectedGroup { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: client sent invalid key share in second ClientHello") + } + + if clientHello.earlyData { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: client indicated early data in second ClientHello") + } + + if illegalClientHelloChange(clientHello, hs.clientHello) { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: client illegally modified second ClientHello") + } + + hs.clientHello = clientHello + return nil +} + +// illegalClientHelloChange reports whether the two ClientHello messages are +// different, with the exception of the changes allowed before and after a +// HelloRetryRequest. See RFC 8446, Section 4.1.2. +func illegalClientHelloChange(ch, ch1 *clientHelloMsg) bool { + if len(ch.supportedVersions) != len(ch1.supportedVersions) || + len(ch.cipherSuites) != len(ch1.cipherSuites) || + len(ch.supportedCurves) != len(ch1.supportedCurves) || + len(ch.supportedSignatureAlgorithms) != len(ch1.supportedSignatureAlgorithms) || + len(ch.supportedSignatureAlgorithmsCert) != len(ch1.supportedSignatureAlgorithmsCert) || + len(ch.alpnProtocols) != len(ch1.alpnProtocols) { + return true + } + for i := range ch.supportedVersions { + if ch.supportedVersions[i] != ch1.supportedVersions[i] { + return true + } + } + for i := range ch.cipherSuites { + if ch.cipherSuites[i] != ch1.cipherSuites[i] { + return true + } + } + for i := range ch.supportedCurves { + if ch.supportedCurves[i] != ch1.supportedCurves[i] { + return true + } + } + for i := range ch.supportedSignatureAlgorithms { + if ch.supportedSignatureAlgorithms[i] != ch1.supportedSignatureAlgorithms[i] { + return true + } + } + for i := range ch.supportedSignatureAlgorithmsCert { + if ch.supportedSignatureAlgorithmsCert[i] != ch1.supportedSignatureAlgorithmsCert[i] { + return true + } + } + for i := range ch.alpnProtocols { + if ch.alpnProtocols[i] != ch1.alpnProtocols[i] { + return true + } + } + return ch.vers != ch1.vers || + !bytes.Equal(ch.random, ch1.random) || + !bytes.Equal(ch.sessionId, ch1.sessionId) || + !bytes.Equal(ch.compressionMethods, ch1.compressionMethods) || + ch.serverName != ch1.serverName || + ch.ocspStapling != ch1.ocspStapling || + !bytes.Equal(ch.supportedPoints, ch1.supportedPoints) || + ch.ticketSupported != ch1.ticketSupported || + !bytes.Equal(ch.sessionTicket, ch1.sessionTicket) || + ch.secureRenegotiationSupported != ch1.secureRenegotiationSupported || + !bytes.Equal(ch.secureRenegotiation, ch1.secureRenegotiation) || + ch.scts != ch1.scts || + !bytes.Equal(ch.cookie, ch1.cookie) || + !bytes.Equal(ch.pskModes, ch1.pskModes) +} + +func (hs *serverHandshakeStateTLS13) sendServerParameters() error { + c := hs.c + + if err := transcriptMsg(hs.clientHello, hs.transcript); err != nil { + return err + } + if _, err := hs.c.writeHandshakeRecord(hs.hello, hs.transcript); err != nil { + return err + } + + if err := hs.sendDummyChangeCipherSpec(); err != nil { + return err + } + + earlySecret := hs.earlySecret + if earlySecret == nil { + earlySecret = hs.suite.extract(nil, nil) + } + hs.handshakeSecret = hs.suite.extract(hs.sharedKey, + hs.suite.deriveSecret(earlySecret, "derived", nil)) + + clientSecret := hs.suite.deriveSecret(hs.handshakeSecret, + clientHandshakeTrafficLabel, hs.transcript) + c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, clientSecret) + serverSecret := hs.suite.deriveSecret(hs.handshakeSecret, + serverHandshakeTrafficLabel, hs.transcript) + c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelHandshake, serverSecret) + + if c.quic != nil { + if c.hand.Len() != 0 { + c.sendAlert(alertUnexpectedMessage) + } + c.quicSetWriteSecret(QUICEncryptionLevelHandshake, hs.suite.id, serverSecret) + c.quicSetReadSecret(QUICEncryptionLevelHandshake, hs.suite.id, clientSecret) + } + + err := c.config.writeKeyLog(keyLogLabelClientHandshake, hs.clientHello.random, clientSecret) + if err != nil { + c.sendAlert(alertInternalError) + return err + } + err = c.config.writeKeyLog(keyLogLabelServerHandshake, hs.clientHello.random, serverSecret) + if err != nil { + c.sendAlert(alertInternalError) + return err + } + + encryptedExtensions := new(encryptedExtensionsMsg) + encryptedExtensions.alpnProtocol = c.clientProtocol + + if c.quic != nil { + p, err := c.quicGetTransportParameters() + if err != nil { + return err + } + encryptedExtensions.quicTransportParameters = p + encryptedExtensions.earlyData = hs.earlyData + } + + if _, err := hs.c.writeHandshakeRecord(encryptedExtensions, hs.transcript); err != nil { + return err + } + + return nil +} + +func (hs *serverHandshakeStateTLS13) requestClientCert() bool { + return hs.c.config.ClientAuth >= RequestClientCert && !hs.usingPSK +} + +func (hs *serverHandshakeStateTLS13) sendServerCertificate() error { + c := hs.c + + // Only one of PSK and certificates are used at a time. + if hs.usingPSK { + return nil + } + + if hs.requestClientCert() { + // Request a client certificate + certReq := new(certificateRequestMsgTLS13) + certReq.ocspStapling = true + certReq.scts = true + certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms() + if c.config.ClientCAs != nil { + certReq.certificateAuthorities = c.config.ClientCAs.Subjects() + } + + if _, err := hs.c.writeHandshakeRecord(certReq, hs.transcript); err != nil { + return err + } + } + + certMsg := new(certificateMsgTLS13) + + certMsg.certificate = *hs.cert + certMsg.scts = hs.clientHello.scts && len(hs.cert.SignedCertificateTimestamps) > 0 + certMsg.ocspStapling = hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 + + if _, err := hs.c.writeHandshakeRecord(certMsg, hs.transcript); err != nil { + return err + } + + certVerifyMsg := new(certificateVerifyMsg) + certVerifyMsg.hasSignatureAlgorithm = true + certVerifyMsg.signatureAlgorithm = hs.sigAlg + + sigType, sigHash, err := typeAndHashFromSignatureScheme(hs.sigAlg) + if err != nil { + return c.sendAlert(alertInternalError) + } + + signed := signedMessage(sigHash, serverSignatureContext, hs.transcript) + signOpts := crypto.SignerOpts(sigHash) + if sigType == signatureRSAPSS { + signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash} + } + sig, err := hs.cert.PrivateKey.(crypto.Signer).Sign(c.config.rand(), signed, signOpts) + if err != nil { + public := hs.cert.PrivateKey.(crypto.Signer).Public() + if rsaKey, ok := public.(*rsa.PublicKey); ok && sigType == signatureRSAPSS && + rsaKey.N.BitLen()/8 < sigHash.Size()*2+2 { // key too small for RSA-PSS + c.sendAlert(alertHandshakeFailure) + } else { + c.sendAlert(alertInternalError) + } + return errors.New("tls: failed to sign handshake: " + err.Error()) + } + certVerifyMsg.signature = sig + + if _, err := hs.c.writeHandshakeRecord(certVerifyMsg, hs.transcript); err != nil { + return err + } + + return nil +} + +func (hs *serverHandshakeStateTLS13) sendServerFinished() error { + c := hs.c + + finished := &finishedMsg{ + verifyData: hs.suite.finishedHash(c.out.trafficSecret, hs.transcript), + } + + if _, err := hs.c.writeHandshakeRecord(finished, hs.transcript); err != nil { + return err + } + + // Derive secrets that take context through the server Finished. + + hs.masterSecret = hs.suite.extract(nil, + hs.suite.deriveSecret(hs.handshakeSecret, "derived", nil)) + + hs.trafficSecret = hs.suite.deriveSecret(hs.masterSecret, + clientApplicationTrafficLabel, hs.transcript) + serverSecret := hs.suite.deriveSecret(hs.masterSecret, + serverApplicationTrafficLabel, hs.transcript) + c.out.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, serverSecret) + + if c.quic != nil { + if c.hand.Len() != 0 { + // TODO: Handle this in setTrafficSecret? + c.sendAlert(alertUnexpectedMessage) + } + c.quicSetWriteSecret(QUICEncryptionLevelApplication, hs.suite.id, serverSecret) + } + + err := c.config.writeKeyLog(keyLogLabelClientTraffic, hs.clientHello.random, hs.trafficSecret) + if err != nil { + c.sendAlert(alertInternalError) + return err + } + err = c.config.writeKeyLog(keyLogLabelServerTraffic, hs.clientHello.random, serverSecret) + if err != nil { + c.sendAlert(alertInternalError) + return err + } + + c.ekm = hs.suite.exportKeyingMaterial(hs.masterSecret, hs.transcript) + + // If we did not request client certificates, at this point we can + // precompute the client finished and roll the transcript forward to send + // session tickets in our first flight. + if !hs.requestClientCert() { + if err := hs.sendSessionTickets(); err != nil { + return err + } + } + + return nil +} + +func (hs *serverHandshakeStateTLS13) shouldSendSessionTickets() bool { + if hs.c.config.SessionTicketsDisabled { + return false + } + + // QUIC tickets are sent by QUICConn.SendSessionTicket, not automatically. + if hs.c.quic != nil { + return false + } + + // Don't send tickets the client wouldn't use. See RFC 8446, Section 4.2.9. + for _, pskMode := range hs.clientHello.pskModes { + if pskMode == pskModeDHE { + return true + } + } + return false +} + +func (hs *serverHandshakeStateTLS13) sendSessionTickets() error { + c := hs.c + + hs.clientFinished = hs.suite.finishedHash(c.in.trafficSecret, hs.transcript) + finishedMsg := &finishedMsg{ + verifyData: hs.clientFinished, + } + if err := transcriptMsg(finishedMsg, hs.transcript); err != nil { + return err + } + + c.resumptionSecret = hs.suite.deriveSecret(hs.masterSecret, + resumptionLabel, hs.transcript) + + if !hs.shouldSendSessionTickets() { + return nil + } + return c.sendSessionTicket(false) +} + +func (c *Conn) sendSessionTicket(earlyData bool) error { + suite := cipherSuiteTLS13ByID(c.cipherSuite) + if suite == nil { + return errors.New("tls: internal error: unknown cipher suite") + } + // ticket_nonce, which must be unique per connection, is always left at + // zero because we only ever send one ticket per connection. + psk := suite.expandLabel(c.resumptionSecret, "resumption", + nil, suite.hash.Size()) + + m := new(newSessionTicketMsgTLS13) + + state, err := c.sessionState() + if err != nil { + return err + } + state.secret = psk + state.EarlyData = earlyData + if c.config.WrapSession != nil { + m.label, err = c.config.WrapSession(c.connectionStateLocked(), state) + if err != nil { + return err + } + } else { + stateBytes, err := state.Bytes() + if err != nil { + c.sendAlert(alertInternalError) + return err + } + m.label, err = c.config.encryptTicket(stateBytes, c.ticketKeys) + if err != nil { + return err + } + } + m.lifetime = uint32(maxSessionTicketLifetime / time.Second) + + // ticket_age_add is a random 32-bit value. See RFC 8446, section 4.6.1 + // The value is not stored anywhere; we never need to check the ticket age + // because 0-RTT is not supported. + ageAdd := make([]byte, 4) + _, err = c.config.rand().Read(ageAdd) + if err != nil { + return err + } + m.ageAdd = binary.LittleEndian.Uint32(ageAdd) + + if earlyData { + // RFC 9001, Section 4.6.1 + m.maxEarlyData = 0xffffffff + } + + if _, err := c.writeHandshakeRecord(m, nil); err != nil { + return err + } + + return nil +} + +func (hs *serverHandshakeStateTLS13) readClientCertificate() error { + c := hs.c + + if !hs.requestClientCert() { + // Make sure the connection is still being verified whether or not + // the server requested a client certificate. + if c.config.VerifyConnection != nil { + if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil { + c.sendAlert(alertBadCertificate) + return err + } + } + return nil + } + + // If we requested a client certificate, then the client must send a + // certificate message. If it's empty, no CertificateVerify is sent. + + msg, err := c.readHandshake(hs.transcript) + if err != nil { + return err + } + + certMsg, ok := msg.(*certificateMsgTLS13) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(certMsg, msg) + } + + if err := c.processCertsFromClient(certMsg.certificate); err != nil { + return err + } + + if c.config.VerifyConnection != nil { + if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil { + c.sendAlert(alertBadCertificate) + return err + } + } + + if len(certMsg.certificate.Certificate) != 0 { + // certificateVerifyMsg is included in the transcript, but not until + // after we verify the handshake signature, since the state before + // this message was sent is used. + msg, err = c.readHandshake(nil) + if err != nil { + return err + } + + certVerify, ok := msg.(*certificateVerifyMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(certVerify, msg) + } + + // See RFC 8446, Section 4.4.3. + if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, supportedSignatureAlgorithms()) { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: client certificate used with invalid signature algorithm") + } + sigType, sigHash, err := typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm) + if err != nil { + return c.sendAlert(alertInternalError) + } + if sigType == signaturePKCS1v15 || sigHash == crypto.SHA1 { + c.sendAlert(alertIllegalParameter) + return errors.New("tls: client certificate used with invalid signature algorithm") + } + signed := signedMessage(sigHash, clientSignatureContext, hs.transcript) + if err := verifyHandshakeSignature(sigType, c.peerCertificates[0].PublicKey, + sigHash, signed, certVerify.signature); err != nil { + c.sendAlert(alertDecryptError) + return errors.New("tls: invalid signature by the client certificate: " + err.Error()) + } + + if err := transcriptMsg(certVerify, hs.transcript); err != nil { + return err + } + } + + // If we waited until the client certificates to send session tickets, we + // are ready to do it now. + if err := hs.sendSessionTickets(); err != nil { + return err + } + + return nil +} + +func (hs *serverHandshakeStateTLS13) readClientFinished() error { + c := hs.c + + // finishedMsg is not included in the transcript. + msg, err := c.readHandshake(nil) + if err != nil { + return err + } + + finished, ok := msg.(*finishedMsg) + if !ok { + c.sendAlert(alertUnexpectedMessage) + return unexpectedMessageError(finished, msg) + } + + if !hmac.Equal(hs.clientFinished, finished.verifyData) { + c.sendAlert(alertDecryptError) + return errors.New("tls: invalid client finished hash") + } + + c.in.setTrafficSecret(hs.suite, QUICEncryptionLevelApplication, hs.trafficSecret) + + return nil +} diff --git a/pkg/tls/handshake_test.go b/pkg/tls/handshake_test.go new file mode 100644 index 000000000..bacc8b7d4 --- /dev/null +++ b/pkg/tls/handshake_test.go @@ -0,0 +1,530 @@ +// Copyright 2013 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "bufio" + "crypto/ed25519" + "crypto/x509" + "encoding/hex" + "errors" + "flag" + "fmt" + "io" + "net" + "os" + "os/exec" + "runtime" + "strconv" + "strings" + "sync" + "testing" + "time" +) + +// TLS reference tests run a connection against a reference implementation +// (OpenSSL) of TLS and record the bytes of the resulting connection. The Go +// code, during a test, is configured with deterministic randomness and so the +// reference test can be reproduced exactly in the future. +// +// In order to save everyone who wishes to run the tests from needing the +// reference implementation installed, the reference connections are saved in +// files in the testdata directory. Thus running the tests involves nothing +// external, but creating and updating them requires the reference +// implementation. +// +// Tests can be updated by running them with the -update flag. This will cause +// the test files for failing tests to be regenerated. Since the reference +// implementation will always generate fresh random numbers, large parts of the +// reference connection will always change. + +var ( + update = flag.Bool("update", false, "update golden files on failure") + fast = flag.Bool("fast", false, "impose a quick, possibly flaky timeout on recorded tests") + keyFile = flag.String("keylog", "", "destination file for KeyLogWriter") +) + +func runTestAndUpdateIfNeeded(t *testing.T, name string, run func(t *testing.T, update bool), wait bool) { + success := t.Run(name, func(t *testing.T) { + if !*update && !wait { + t.Parallel() + } + run(t, false) + }) + + if !success && *update { + t.Run(name+"#update", func(t *testing.T) { + run(t, true) + }) + } +} + +// checkOpenSSLVersion ensures that the version of OpenSSL looks reasonable +// before updating the test data. +func checkOpenSSLVersion() error { + if !*update { + return nil + } + + openssl := exec.Command("openssl", "version") + output, err := openssl.CombinedOutput() + if err != nil { + return err + } + + version := string(output) + if strings.HasPrefix(version, "OpenSSL 1.1.1") { + return nil + } + + println("***********************************************") + println("") + println("You need to build OpenSSL 1.1.1 from source in order") + println("to update the test data.") + println("") + println("Configure it with:") + println("./Configure enable-weak-ssl-ciphers no-shared") + println("and then add the apps/ directory at the front of your PATH.") + println("***********************************************") + + return errors.New("version of OpenSSL does not appear to be suitable for updating test data") +} + +// recordingConn is a net.Conn that records the traffic that passes through it. +// WriteTo can be used to produce output that can be later be loaded with +// ParseTestData. +type recordingConn struct { + net.Conn + sync.Mutex + flows [][]byte + reading bool +} + +func (r *recordingConn) Read(b []byte) (n int, err error) { + if n, err = r.Conn.Read(b); n == 0 { + return + } + b = b[:n] + + r.Lock() + defer r.Unlock() + + if l := len(r.flows); l == 0 || !r.reading { + buf := make([]byte, len(b)) + copy(buf, b) + r.flows = append(r.flows, buf) + } else { + r.flows[l-1] = append(r.flows[l-1], b[:n]...) + } + r.reading = true + return +} + +func (r *recordingConn) Write(b []byte) (n int, err error) { + if n, err = r.Conn.Write(b); n == 0 { + return + } + b = b[:n] + + r.Lock() + defer r.Unlock() + + if l := len(r.flows); l == 0 || r.reading { + buf := make([]byte, len(b)) + copy(buf, b) + r.flows = append(r.flows, buf) + } else { + r.flows[l-1] = append(r.flows[l-1], b[:n]...) + } + r.reading = false + return +} + +// WriteTo writes Go source code to w that contains the recorded traffic. +func (r *recordingConn) WriteTo(w io.Writer) (int64, error) { + // TLS always starts with a client to server flow. + clientToServer := true + var written int64 + for i, flow := range r.flows { + source, dest := "client", "server" + if !clientToServer { + source, dest = dest, source + } + n, err := fmt.Fprintf(w, ">>> Flow %d (%s to %s)\n", i+1, source, dest) + written += int64(n) + if err != nil { + return written, err + } + dumper := hex.Dumper(w) + n, err = dumper.Write(flow) + written += int64(n) + if err != nil { + return written, err + } + err = dumper.Close() + if err != nil { + return written, err + } + clientToServer = !clientToServer + } + return written, nil +} + +func parseTestData(r io.Reader) (flows [][]byte, err error) { + var currentFlow []byte + + scanner := bufio.NewScanner(r) + for scanner.Scan() { + line := scanner.Text() + // If the line starts with ">>> " then it marks the beginning + // of a new flow. + if strings.HasPrefix(line, ">>> ") { + if len(currentFlow) > 0 || len(flows) > 0 { + flows = append(flows, currentFlow) + currentFlow = nil + } + continue + } + + // Otherwise the line is a line of hex dump that looks like: + // 00000170 fc f5 06 bf (...) |.....X{&?......!| + // (Some bytes have been omitted from the middle section.) + _, after, ok := strings.Cut(line, " ") + if !ok { + return nil, errors.New("invalid test data") + } + line = after + + before, _, ok := strings.Cut(line, "|") + if !ok { + return nil, errors.New("invalid test data") + } + line = before + + hexBytes := strings.Fields(line) + for _, hexByte := range hexBytes { + val, err := strconv.ParseUint(hexByte, 16, 8) + if err != nil { + return nil, errors.New("invalid hex byte in test data: " + err.Error()) + } + currentFlow = append(currentFlow, byte(val)) + } + } + + if len(currentFlow) > 0 { + flows = append(flows, currentFlow) + } + + return flows, nil +} + +// tempFile creates a temp file containing contents and returns its path. +func tempFile(contents string) string { + file, err := os.CreateTemp("", "go-tls-test") + if err != nil { + panic("failed to create temp file: " + err.Error()) + } + path := file.Name() + file.WriteString(contents) + file.Close() + return path +} + +// localListener is set up by TestMain and used by localPipe to create Conn +// pairs like net.Pipe, but connected by an actual buffered TCP connection. +var localListener struct { + mu sync.Mutex + addr net.Addr + ch chan net.Conn +} + +const localFlakes = 0 // change to 1 or 2 to exercise localServer/localPipe handling of mismatches + +func localServer(l net.Listener) { + for n := 0; ; n++ { + c, err := l.Accept() + if err != nil { + return + } + if localFlakes == 1 && n%2 == 0 { + c.Close() + continue + } + localListener.ch <- c + } +} + +var isConnRefused = func(err error) bool { return false } + +func localPipe(t testing.TB) (net.Conn, net.Conn) { + localListener.mu.Lock() + defer localListener.mu.Unlock() + + addr := localListener.addr + + var err error +Dialing: + // We expect a rare mismatch, but probably not 5 in a row. + for i := 0; i < 5; i++ { + tooSlow := time.NewTimer(1 * time.Second) + defer tooSlow.Stop() + var c1 net.Conn + c1, err = net.Dial(addr.Network(), addr.String()) + if err != nil { + if runtime.GOOS == "dragonfly" && (isConnRefused(err) || os.IsTimeout(err)) { + // golang.org/issue/29583: Dragonfly sometimes returns a spurious + // ECONNREFUSED or ETIMEDOUT. + <-tooSlow.C + continue + } + t.Fatalf("localPipe: %v", err) + } + if localFlakes == 2 && i == 0 { + c1.Close() + continue + } + for { + select { + case <-tooSlow.C: + t.Logf("localPipe: timeout waiting for %v", c1.LocalAddr()) + c1.Close() + continue Dialing + + case c2 := <-localListener.ch: + if c2.RemoteAddr().String() == c1.LocalAddr().String() { + return c1, c2 + } + t.Logf("localPipe: unexpected connection: %v != %v", c2.RemoteAddr(), c1.LocalAddr()) + c2.Close() + } + } + } + + t.Fatalf("localPipe: failed to connect: %v", err) + panic("unreachable") +} + +// zeroSource is an io.Reader that returns an unlimited number of zero bytes. +type zeroSource struct{} + +func (zeroSource) Read(b []byte) (n int, err error) { + for i := range b { + b[i] = 0 + } + + return len(b), nil +} + +func allCipherSuites() []uint16 { + ids := make([]uint16, len(cipherSuites)) + for i, suite := range cipherSuites { + ids[i] = suite.id + } + + return ids +} + +var testConfig *Config + +func TestMain(m *testing.M) { + flag.Parse() + os.Exit(runMain(m)) +} + +func runMain(m *testing.M) int { + // Cipher suites preferences change based on the architecture. Force them to + // the version without AES acceleration for test consistency. + hasAESGCMHardwareSupport = false + + // Set up localPipe. + l, err := net.Listen("tcp", "127.0.0.1:0") + if err != nil { + l, err = net.Listen("tcp6", "[::1]:0") + } + if err != nil { + fmt.Fprintf(os.Stderr, "Failed to open local listener: %v", err) + os.Exit(1) + } + localListener.ch = make(chan net.Conn) + localListener.addr = l.Addr() + defer l.Close() + go localServer(l) + + if err := checkOpenSSLVersion(); err != nil { + fmt.Fprintf(os.Stderr, "Error: %v", err) + os.Exit(1) + } + + testConfig = &Config{ + Time: func() time.Time { return time.Unix(0, 0) }, + Rand: zeroSource{}, + Certificates: make([]Certificate, 2), + InsecureSkipVerify: true, + CipherSuites: allCipherSuites(), + MinVersion: VersionTLS10, + MaxVersion: VersionTLS13, + } + testConfig.Certificates[0].Certificate = [][]byte{testRSACertificate} + testConfig.Certificates[0].PrivateKey = testRSAPrivateKey + testConfig.Certificates[1].Certificate = [][]byte{testSNICertificate} + testConfig.Certificates[1].PrivateKey = testRSAPrivateKey + testConfig.BuildNameToCertificate() + if *keyFile != "" { + f, err := os.OpenFile(*keyFile, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644) + if err != nil { + panic("failed to open -keylog file: " + err.Error()) + } + testConfig.KeyLogWriter = f + defer f.Close() + } + + return m.Run() +} + +func testHandshake(t *testing.T, clientConfig, serverConfig *Config) (serverState, clientState ConnectionState, err error) { + const sentinel = "SENTINEL\n" + c, s := localPipe(t) + errChan := make(chan error) + go func() { + cli := Client(c, clientConfig) + err := cli.Handshake() + if err != nil { + errChan <- fmt.Errorf("client: %v", err) + c.Close() + return + } + defer cli.Close() + clientState = cli.ConnectionState() + buf, err := io.ReadAll(cli) + if err != nil { + t.Errorf("failed to call cli.Read: %v", err) + } + if got := string(buf); got != sentinel { + t.Errorf("read %q from TLS connection, but expected %q", got, sentinel) + } + errChan <- nil + }() + server := Server(s, serverConfig) + err = server.Handshake() + if err == nil { + serverState = server.ConnectionState() + if _, err := io.WriteString(server, sentinel); err != nil { + t.Errorf("failed to call server.Write: %v", err) + } + if err := server.Close(); err != nil { + t.Errorf("failed to call server.Close: %v", err) + } + err = <-errChan + } else { + s.Close() + <-errChan + } + return +} + +func fromHex(s string) []byte { + b, _ := hex.DecodeString(s) + return b +} + +var testRSACertificate = fromHex("3082024b308201b4a003020102020900e8f09d3fe25beaa6300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a301a310b3009060355040a1302476f310b300906035504031302476f30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a38193308190300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302300c0603551d130101ff0402300030190603551d0e041204109f91161f43433e49a6de6db680d79f60301b0603551d230414301280104813494d137e1631bba301d5acab6e7b30190603551d1104123010820e6578616d706c652e676f6c616e67300d06092a864886f70d01010b0500038181009d30cc402b5b50a061cbbae55358e1ed8328a9581aa938a495a1ac315a1a84663d43d32dd90bf297dfd320643892243a00bccf9c7db74020015faad3166109a276fd13c3cce10c5ceeb18782f16c04ed73bbb343778d0c1cf10fa1d8408361c94c722b9daedb4606064df4c1b33ec0d1bd42d4dbfe3d1360845c21d33be9fae7") + +var testRSACertificateIssuer = fromHex("3082021930820182a003020102020900ca5e4e811a965964300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f7430819f300d06092a864886f70d010101050003818d0030818902818100d667b378bb22f34143b6cd2008236abefaf2852adf3ab05e01329e2c14834f5105df3f3073f99dab5442d45ee5f8f57b0111c8cb682fbb719a86944eebfffef3406206d898b8c1b1887797c9c5006547bb8f00e694b7a063f10839f269f2c34fff7a1f4b21fbcd6bfdfb13ac792d1d11f277b5c5b48600992203059f2a8f8cc50203010001a35d305b300e0603551d0f0101ff040403020204301d0603551d250416301406082b0601050507030106082b06010505070302300f0603551d130101ff040530030101ff30190603551d0e041204104813494d137e1631bba301d5acab6e7b300d06092a864886f70d01010b050003818100c1154b4bab5266221f293766ae4138899bd4c5e36b13cee670ceeaa4cbdf4f6679017e2fe649765af545749fe4249418a56bd38a04b81e261f5ce86b8d5c65413156a50d12449554748c59a30c515bc36a59d38bddf51173e899820b282e40aa78c806526fd184fb6b4cf186ec728edffa585440d2b3225325f7ab580e87dd76") + +// testRSAPSSCertificate has signatureAlgorithm rsassaPss, but subjectPublicKeyInfo +// algorithm rsaEncryption, for use with the rsa_pss_rsae_* SignatureSchemes. +// See also TestRSAPSSKeyError. testRSAPSSCertificate is self-signed. +var testRSAPSSCertificate = fromHex("308202583082018da003020102021100f29926eb87ea8a0db9fcc247347c11b0304106092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a20302012030123110300e060355040a130741636d6520436f301e170d3137313132333136313631305a170d3138313132333136313631305a30123110300e060355040a130741636d6520436f30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a3463044300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff04023000300f0603551d110408300687047f000001304106092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a20302012003818100cdac4ef2ce5f8d79881042707f7cbf1b5a8a00ef19154b40151771006cd41626e5496d56da0c1a139fd84695593cb67f87765e18aa03ea067522dd78d2a589b8c92364e12838ce346c6e067b51f1a7e6f4b37ffab13f1411896679d18e880e0ba09e302ac067efca460288e9538122692297ad8093d4f7dd701424d7700a46a1") + +var testECDSACertificate = fromHex("3082020030820162020900b8bf2d47a0d2ebf4300906072a8648ce3d04013045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464301e170d3132313132323135303633325a170d3232313132303135303633325a3045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c746430819b301006072a8648ce3d020106052b81040023038186000400c4a1edbe98f90b4873367ec316561122f23d53c33b4d213dcd6b75e6f6b0dc9adf26c1bcb287f072327cb3642f1c90bcea6823107efee325c0483a69e0286dd33700ef0462dd0da09c706283d881d36431aa9e9731bd96b068c09b23de76643f1a5c7fe9120e5858b65f70dd9bd8ead5d7f5d5ccb9b69f30665b669a20e227e5bffe3b300906072a8648ce3d040103818c0030818802420188a24febe245c5487d1bacf5ed989dae4770c05e1bb62fbdf1b64db76140d311a2ceee0b7e927eff769dc33b7ea53fcefa10e259ec472d7cacda4e970e15a06fd00242014dfcbe67139c2d050ebd3fa38c25c13313830d9406bbd4377af6ec7ac9862eddd711697f857c56defb31782be4c7780daecbbe9e4e3624317b6a0f399512078f2a") + +var testEd25519Certificate = fromHex("3082012e3081e1a00302010202100f431c425793941de987e4f1ad15005d300506032b657030123110300e060355040a130741636d6520436f301e170d3139303531363231333830315a170d3230303531353231333830315a30123110300e060355040a130741636d6520436f302a300506032b65700321003fe2152ee6e3ef3f4e854a7577a3649eede0bf842ccc92268ffa6f3483aaec8fa34d304b300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff0402300030160603551d11040f300d820b6578616d706c652e636f6d300506032b65700341006344ed9cc4be5324539fd2108d9fe82108909539e50dc155ff2c16b71dfcab7d4dd4e09313d0a942e0b66bfe5d6748d79f50bc6ccd4b03837cf20858cdaccf0c") + +var testSNICertificate = fromHex("0441883421114c81480804c430820237308201a0a003020102020900e8f09d3fe25beaa6300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a3023310b3009060355040a1302476f311430120603550403130b736e69746573742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a3773075300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302300c0603551d130101ff0402300030190603551d0e041204109f91161f43433e49a6de6db680d79f60301b0603551d230414301280104813494d137e1631bba301d5acab6e7b300d06092a864886f70d01010b0500038181007beeecff0230dbb2e7a334af65430b7116e09f327c3bbf918107fc9c66cb497493207ae9b4dbb045cb63d605ec1b5dd485bb69124d68fa298dc776699b47632fd6d73cab57042acb26f083c4087459bc5a3bb3ca4d878d7fe31016b7bc9a627438666566e3389bfaeebe6becc9a0093ceed18d0f9ac79d56f3a73f18188988ed") + +var testP256Certificate = fromHex("308201693082010ea00302010202105012dc24e1124ade4f3e153326ff27bf300a06082a8648ce3d04030230123110300e060355040a130741636d6520436f301e170d3137303533313232343934375a170d3138303533313232343934375a30123110300e060355040a130741636d6520436f3059301306072a8648ce3d020106082a8648ce3d03010703420004c02c61c9b16283bbcc14956d886d79b358aa614596975f78cece787146abf74c2d5dc578c0992b4f3c631373479ebf3892efe53d21c4f4f1cc9a11c3536b7f75a3463044300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff04023000300f0603551d1104083006820474657374300a06082a8648ce3d0403020349003046022100963712d6226c7b2bef41512d47e1434131aaca3ba585d666c924df71ac0448b3022100f4d05c725064741aef125f243cdbccaa2a5d485927831f221c43023bd5ae471a") + +var testRSAPrivateKey, _ = x509.ParsePKCS1PrivateKey(fromHex("3082025b02010002818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d702030100010281800b07fbcf48b50f1388db34b016298b8217f2092a7c9a04f77db6775a3d1279b62ee9951f7e371e9de33f015aea80660760b3951dc589a9f925ed7de13e8f520e1ccbc7498ce78e7fab6d59582c2386cc07ed688212a576ff37833bd5943483b5554d15a0b9b4010ed9bf09f207e7e9805f649240ed6c1256ed75ab7cd56d9671024100fded810da442775f5923debae4ac758390a032a16598d62f059bb2e781a9c2f41bfa015c209f966513fe3bf5a58717cbdb385100de914f88d649b7d15309fa49024100dd10978c623463a1802c52f012cfa72ff5d901f25a2292446552c2568b1840e49a312e127217c2186615aae4fb6602a4f6ebf3f3d160f3b3ad04c592f65ae41f02400c69062ca781841a09de41ed7a6d9f54adc5d693a2c6847949d9e1358555c9ac6a8d9e71653ac77beb2d3abaf7bb1183aa14278956575dbebf525d0482fd72d90240560fe1900ba36dae3022115fd952f2399fb28e2975a1c3e3d0b679660bdcb356cc189d611cfdd6d87cd5aea45aa30a2082e8b51e94c2f3dd5d5c6036a8a615ed0240143993d80ece56f877cb80048335701eb0e608cc0c1ca8c2227b52edf8f1ac99c562f2541b5ce81f0515af1c5b4770dba53383964b4b725ff46fdec3d08907df")) + +var testECDSAPrivateKey, _ = x509.ParseECPrivateKey(fromHex("3081dc0201010442019883e909ad0ac9ea3d33f9eae661f1785206970f8ca9a91672f1eedca7a8ef12bd6561bb246dda5df4b4d5e7e3a92649bc5d83a0bf92972e00e62067d0c7bd99d7a00706052b81040023a18189038186000400c4a1edbe98f90b4873367ec316561122f23d53c33b4d213dcd6b75e6f6b0dc9adf26c1bcb287f072327cb3642f1c90bcea6823107efee325c0483a69e0286dd33700ef0462dd0da09c706283d881d36431aa9e9731bd96b068c09b23de76643f1a5c7fe9120e5858b65f70dd9bd8ead5d7f5d5ccb9b69f30665b669a20e227e5bffe3b")) + +var testP256PrivateKey, _ = x509.ParseECPrivateKey(fromHex("30770201010420012f3b52bc54c36ba3577ad45034e2e8efe1e6999851284cb848725cfe029991a00a06082a8648ce3d030107a14403420004c02c61c9b16283bbcc14956d886d79b358aa614596975f78cece787146abf74c2d5dc578c0992b4f3c631373479ebf3892efe53d21c4f4f1cc9a11c3536b7f75")) + +var testEd25519PrivateKey = ed25519.PrivateKey(fromHex("3a884965e76b3f55e5faf9615458a92354894234de3ec9f684d46d55cebf3dc63fe2152ee6e3ef3f4e854a7577a3649eede0bf842ccc92268ffa6f3483aaec8f")) + +const clientCertificatePEM = ` +-----BEGIN CERTIFICATE----- +MIIB7zCCAVigAwIBAgIQXBnBiWWDVW/cC8m5k5/pvDANBgkqhkiG9w0BAQsFADAS +MRAwDgYDVQQKEwdBY21lIENvMB4XDTE2MDgxNzIxNTIzMVoXDTE3MDgxNzIxNTIz +MVowEjEQMA4GA1UEChMHQWNtZSBDbzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC +gYEAum+qhr3Pv5/y71yUYHhv6BPy0ZZvzdkybiI3zkH5yl0prOEn2mGi7oHLEMff +NFiVhuk9GeZcJ3NgyI14AvQdpJgJoxlwaTwlYmYqqyIjxXuFOE8uCXMyp70+m63K +hAfmDzr/d8WdQYUAirab7rCkPy1MTOZCPrtRyN1IVPQMjkcCAwEAAaNGMEQwDgYD +VR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAw +DwYDVR0RBAgwBocEfwAAATANBgkqhkiG9w0BAQsFAAOBgQBGq0Si+yhU+Fpn+GKU +8ZqyGJ7ysd4dfm92lam6512oFmyc9wnTN+RLKzZ8Aa1B0jLYw9KT+RBrjpW5LBeK +o0RIvFkTgxYEiKSBXCUNmAysEbEoVr4dzWFihAm/1oDGRY2CLLTYg5vbySK3KhIR +e/oCO8HJ/+rJnahJ05XX1Q7lNQ== +-----END CERTIFICATE-----` + +var clientKeyPEM = testingKey(` +-----BEGIN RSA TESTING KEY----- +MIICXQIBAAKBgQC6b6qGvc+/n/LvXJRgeG/oE/LRlm/N2TJuIjfOQfnKXSms4Sfa +YaLugcsQx980WJWG6T0Z5lwnc2DIjXgC9B2kmAmjGXBpPCViZiqrIiPFe4U4Ty4J +czKnvT6brcqEB+YPOv93xZ1BhQCKtpvusKQ/LUxM5kI+u1HI3UhU9AyORwIDAQAB +AoGAEJZ03q4uuMb7b26WSQsOMeDsftdatT747LGgs3pNRkMJvTb/O7/qJjxoG+Mc +qeSj0TAZXp+PXXc3ikCECAc+R8rVMfWdmp903XgO/qYtmZGCorxAHEmR80SrfMXv +PJnznLQWc8U9nphQErR+tTESg7xWEzmFcPKwnZd1xg8ERYkCQQDTGtrFczlB2b/Z +9TjNMqUlMnTLIk/a/rPE2fLLmAYhK5sHnJdvDURaH2mF4nso0EGtENnTsh6LATnY +dkrxXGm9AkEA4hXHG2q3MnhgK1Z5hjv+Fnqd+8bcbII9WW4flFs15EKoMgS1w/PJ +zbsySaSy5IVS8XeShmT9+3lrleed4sy+UwJBAJOOAbxhfXP5r4+5R6ql66jES75w +jUCVJzJA5ORJrn8g64u2eGK28z/LFQbv9wXgCwfc72R468BdawFSLa/m2EECQGbZ +rWiFla26IVXV0xcD98VWJsTBZMlgPnSOqoMdM1kSEd4fUmlAYI/dFzV1XYSkOmVr +FhdZnklmpVDeu27P4c0CQQCuCOup0FlJSBpWY1TTfun/KMBkBatMz0VMA3d7FKIU +csPezl677Yjo8u1r/KzeI6zLg87Z8E6r6ZWNc9wBSZK6 +-----END RSA TESTING KEY-----`) + +const clientECDSACertificatePEM = ` +-----BEGIN CERTIFICATE----- +MIIB/DCCAV4CCQCaMIRsJjXZFzAJBgcqhkjOPQQBMEUxCzAJBgNVBAYTAkFVMRMw +EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0 +eSBMdGQwHhcNMTIxMTE0MTMyNTUzWhcNMjIxMTEyMTMyNTUzWjBBMQswCQYDVQQG +EwJBVTEMMAoGA1UECBMDTlNXMRAwDgYDVQQHEwdQeXJtb250MRIwEAYDVQQDEwlK +b2VsIFNpbmcwgZswEAYHKoZIzj0CAQYFK4EEACMDgYYABACVjJF1FMBexFe01MNv +ja5oHt1vzobhfm6ySD6B5U7ixohLZNz1MLvT/2XMW/TdtWo+PtAd3kfDdq0Z9kUs +jLzYHQFMH3CQRnZIi4+DzEpcj0B22uCJ7B0rxE4wdihBsmKo+1vx+U56jb0JuK7q +ixgnTy5w/hOWusPTQBbNZU6sER7m8TAJBgcqhkjOPQQBA4GMADCBiAJCAOAUxGBg +C3JosDJdYUoCdFzCgbkWqD8pyDbHgf9stlvZcPE4O1BIKJTLCRpS8V3ujfK58PDa +2RU6+b0DeoeiIzXsAkIBo9SKeDUcSpoj0gq+KxAxnZxfvuiRs9oa9V2jI/Umi0Vw +jWVim34BmT0Y9hCaOGGbLlfk+syxis7iI6CH8OFnUes= +-----END CERTIFICATE-----` + +var clientECDSAKeyPEM = testingKey(` +-----BEGIN EC PARAMETERS----- +BgUrgQQAIw== +-----END EC PARAMETERS----- +-----BEGIN EC TESTING KEY----- +MIHcAgEBBEIBkJN9X4IqZIguiEVKMqeBUP5xtRsEv4HJEtOpOGLELwO53SD78Ew8 +k+wLWoqizS3NpQyMtrU8JFdWfj+C57UNkOugBwYFK4EEACOhgYkDgYYABACVjJF1 +FMBexFe01MNvja5oHt1vzobhfm6ySD6B5U7ixohLZNz1MLvT/2XMW/TdtWo+PtAd +3kfDdq0Z9kUsjLzYHQFMH3CQRnZIi4+DzEpcj0B22uCJ7B0rxE4wdihBsmKo+1vx ++U56jb0JuK7qixgnTy5w/hOWusPTQBbNZU6sER7m8Q== +-----END EC TESTING KEY-----`) + +const clientEd25519CertificatePEM = ` +-----BEGIN CERTIFICATE----- +MIIBLjCB4aADAgECAhAX0YGTviqMISAQJRXoNCNPMAUGAytlcDASMRAwDgYDVQQK +EwdBY21lIENvMB4XDTE5MDUxNjIxNTQyNloXDTIwMDUxNTIxNTQyNlowEjEQMA4G +A1UEChMHQWNtZSBDbzAqMAUGAytlcAMhAAvgtWC14nkwPb7jHuBQsQTIbcd4bGkv +xRStmmNveRKRo00wSzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUH +AwIwDAYDVR0TAQH/BAIwADAWBgNVHREEDzANggtleGFtcGxlLmNvbTAFBgMrZXAD +QQD8GRcqlKUx+inILn9boF2KTjRAOdazENwZ/qAicbP1j6FYDc308YUkv+Y9FN/f +7Q7hF9gRomDQijcjKsJGqjoI +-----END CERTIFICATE-----` + +var clientEd25519KeyPEM = testingKey(` +-----BEGIN TESTING KEY----- +MC4CAQAwBQYDK2VwBCIEINifzf07d9qx3d44e0FSbV4mC/xQxT644RRbpgNpin7I +-----END TESTING KEY-----`) diff --git a/pkg/tls/handshake_unix_test.go b/pkg/tls/handshake_unix_test.go new file mode 100644 index 000000000..86a48f299 --- /dev/null +++ b/pkg/tls/handshake_unix_test.go @@ -0,0 +1,18 @@ +// Copyright 2019 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build unix + +package tls + +import ( + "errors" + "syscall" +) + +func init() { + isConnRefused = func(err error) bool { + return errors.Is(err, syscall.ECONNREFUSED) + } +} diff --git a/pkg/tls/internal/bisect/bisect.go b/pkg/tls/internal/bisect/bisect.go new file mode 100644 index 000000000..3e5a6849f --- /dev/null +++ b/pkg/tls/internal/bisect/bisect.go @@ -0,0 +1,794 @@ +// Copyright 2023 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package bisect can be used by compilers and other programs +// to serve as a target for the bisect debugging tool. +// See [golang.org/x/tools/cmd/bisect] for details about using the tool. +// +// To be a bisect target, allowing bisect to help determine which of a set of independent +// changes provokes a failure, a program needs to: +// +// 1. Define a way to accept a change pattern on its command line or in its environment. +// The most common mechanism is a command-line flag. +// The pattern can be passed to [New] to create a [Matcher], the compiled form of a pattern. +// +// 2. Assign each change a unique ID. One possibility is to use a sequence number, +// but the most common mechanism is to hash some kind of identifying information +// like the file and line number where the change might be applied. +// [Hash] hashes its arguments to compute an ID. +// +// 3. Enable each change that the pattern says should be enabled. +// The [Matcher.ShouldEnable] method answers this question for a given change ID. +// +// 4. Print a report identifying each change that the pattern says should be printed. +// The [Matcher.ShouldPrint] method answers this question for a given change ID. +// The report consists of one more lines on standard error or standard output +// that contain a “match marker”. [Marker] returns the match marker for a given ID. +// When bisect reports a change as causing the failure, it identifies the change +// by printing the report lines with the match marker removed. +// +// # Example Usage +// +// A program starts by defining how it receives the pattern. In this example, we will assume a flag. +// The next step is to compile the pattern: +// +// m, err := bisect.New(patternFlag) +// if err != nil { +// log.Fatal(err) +// } +// +// Then, each time a potential change is considered, the program computes +// a change ID by hashing identifying information (source file and line, in this case) +// and then calls m.ShouldPrint and m.ShouldEnable to decide whether to +// print and enable the change, respectively. The two can return different values +// depending on whether bisect is trying to find a minimal set of changes to +// disable or to enable to provoke the failure. +// +// It is usually helpful to write a helper function that accepts the identifying information +// and then takes care of hashing, printing, and reporting whether the identified change +// should be enabled. For example, a helper for changes identified by a file and line number +// would be: +// +// func ShouldEnable(file string, line int) { +// h := bisect.Hash(file, line) +// if m.ShouldPrint(h) { +// fmt.Fprintf(os.Stderr, "%v %s:%d\n", bisect.Marker(h), file, line) +// } +// return m.ShouldEnable(h) +// } +// +// Finally, note that New returns a nil Matcher when there is no pattern, +// meaning that the target is not running under bisect at all, +// so all changes should be enabled and none should be printed. +// In that common case, the computation of the hash can be avoided entirely +// by checking for m == nil first: +// +// func ShouldEnable(file string, line int) bool { +// if m == nil { +// return true +// } +// h := bisect.Hash(file, line) +// if m.ShouldPrint(h) { +// fmt.Fprintf(os.Stderr, "%v %s:%d\n", bisect.Marker(h), file, line) +// } +// return m.ShouldEnable(h) +// } +// +// When the identifying information is expensive to format, this code can call +// [Matcher.MarkerOnly] to find out whether short report lines containing only the +// marker are permitted for a given run. (Bisect permits such lines when it is +// still exploring the space of possible changes and will not be showing the +// output to the user.) If so, the client can choose to print only the marker: +// +// func ShouldEnable(file string, line int) bool { +// if m == nil { +// return true +// } +// h := bisect.Hash(file, line) +// if m.ShouldPrint(h) { +// if m.MarkerOnly() { +// bisect.PrintMarker(os.Stderr, h) +// } else { +// fmt.Fprintf(os.Stderr, "%v %s:%d\n", bisect.Marker(h), file, line) +// } +// } +// return m.ShouldEnable(h) +// } +// +// This specific helper – deciding whether to enable a change identified by +// file and line number and printing about the change when necessary – is +// provided by the [Matcher.FileLine] method. +// +// Another common usage is deciding whether to make a change in a function +// based on the caller's stack, to identify the specific calling contexts that the +// change breaks. The [Matcher.Stack] method takes care of obtaining the stack, +// printing it when necessary, and reporting whether to enable the change +// based on that stack. +// +// # Pattern Syntax +// +// Patterns are generated by the bisect tool and interpreted by [New]. +// Users should not have to understand the patterns except when +// debugging a target's bisect support or debugging the bisect tool itself. +// +// The pattern syntax selecting a change is a sequence of bit strings +// separated by + and - operators. Each bit string denotes the set of +// changes with IDs ending in those bits, + is set addition, - is set subtraction, +// and the expression is evaluated in the usual left-to-right order. +// The special binary number “y” denotes the set of all changes, +// standing in for the empty bit string. +// In the expression, all the + operators must appear before all the - operators. +// A leading + adds to an empty set. A leading - subtracts from the set of all +// possible suffixes. +// +// For example: +// +// - “01+10” and “+01+10” both denote the set of changes +// with IDs ending with the bits 01 or 10. +// +// - “01+10-1001” denotes the set of changes with IDs +// ending with the bits 01 or 10, but excluding those ending in 1001. +// +// - “-01-1000” and “y-01-1000 both denote the set of all changes +// with IDs not ending in 01 nor 1000. +// +// - “0+1-01+001” is not a valid pattern, because all the + operators do not +// appear before all the - operators. +// +// In the syntaxes described so far, the pattern specifies the changes to +// enable and report. If a pattern is prefixed by a “!”, the meaning +// changes: the pattern specifies the changes to DISABLE and report. This +// mode of operation is needed when a program passes with all changes +// enabled but fails with no changes enabled. In this case, bisect +// searches for minimal sets of changes to disable. +// Put another way, the leading “!” inverts the result from [Matcher.ShouldEnable] +// but does not invert the result from [Matcher.ShouldPrint]. +// +// As a convenience for manual debugging, “n” is an alias for “!y”, +// meaning to disable and report all changes. +// +// Finally, a leading “v” in the pattern indicates that the reports will be shown +// to the user of bisect to describe the changes involved in a failure. +// At the API level, the leading “v” causes [Matcher.Visible] to return true. +// See the next section for details. +// +// # Match Reports +// +// The target program must enable only those changed matched +// by the pattern, and it must print a match report for each such change. +// A match report consists of one or more lines of text that will be +// printed by the bisect tool to describe a change implicated in causing +// a failure. Each line in the report for a given change must contain a +// match marker with that change ID, as returned by [Marker]. +// The markers are elided when displaying the lines to the user. +// +// A match marker has the form “[bisect-match 0x1234]” where +// 0x1234 is the change ID in hexadecimal. +// An alternate form is “[bisect-match 010101]”, giving the change ID in binary. +// +// When [Matcher.Visible] returns false, the match reports are only +// being processed by bisect to learn the set of enabled changes, +// not shown to the user, meaning that each report can be a match +// marker on a line by itself, eliding the usual textual description. +// When the textual description is expensive to compute, +// checking [Matcher.Visible] can help the avoid that expense +// in most runs. +package bisect + +import ( + "runtime" + "sync" + "sync/atomic" + "unsafe" +) + +// New creates and returns a new Matcher implementing the given pattern. +// The pattern syntax is defined in the package doc comment. +// +// In addition to the pattern syntax syntax, New("") returns nil, nil. +// The nil *Matcher is valid for use: it returns true from ShouldEnable +// and false from ShouldPrint for all changes. Callers can avoid calling +// [Hash], [Matcher.ShouldEnable], and [Matcher.ShouldPrint] entirely +// when they recognize the nil Matcher. +func New(pattern string) (*Matcher, error) { + if pattern == "" { + return nil, nil + } + + m := new(Matcher) + + p := pattern + // Special case for leading 'q' so that 'qn' quietly disables, e.g. fmahash=qn to disable fma + // Any instance of 'v' disables 'q'. + if len(p) > 0 && p[0] == 'q' { + m.quiet = true + p = p[1:] + if p == "" { + return nil, &parseError{"invalid pattern syntax: " + pattern} + } + } + // Allow multiple v, so that “bisect cmd vPATTERN” can force verbose all the time. + for len(p) > 0 && p[0] == 'v' { + m.verbose = true + m.quiet = false + p = p[1:] + if p == "" { + return nil, &parseError{"invalid pattern syntax: " + pattern} + } + } + + // Allow multiple !, each negating the last, so that “bisect cmd !PATTERN” works + // even when bisect chooses to add its own !. + m.enable = true + for len(p) > 0 && p[0] == '!' { + m.enable = !m.enable + p = p[1:] + if p == "" { + return nil, &parseError{"invalid pattern syntax: " + pattern} + } + } + + if p == "n" { + // n is an alias for !y. + m.enable = !m.enable + p = "y" + } + + // Parse actual pattern syntax. + result := true + bits := uint64(0) + start := 0 + wid := 1 // 1-bit (binary); sometimes 4-bit (hex) + for i := 0; i <= len(p); i++ { + // Imagine a trailing - at the end of the pattern to flush final suffix + c := byte('-') + if i < len(p) { + c = p[i] + } + if i == start && wid == 1 && c == 'x' { // leading x for hex + start = i + 1 + wid = 4 + continue + } + switch c { + default: + return nil, &parseError{"invalid pattern syntax: " + pattern} + case '2', '3', '4', '5', '6', '7', '8', '9': + if wid != 4 { + return nil, &parseError{"invalid pattern syntax: " + pattern} + } + fallthrough + case '0', '1': + bits <<= wid + bits |= uint64(c - '0') + case 'a', 'b', 'c', 'd', 'e', 'f', 'A', 'B', 'C', 'D', 'E', 'F': + if wid != 4 { + return nil, &parseError{"invalid pattern syntax: " + pattern} + } + bits <<= 4 + bits |= uint64(c&^0x20 - 'A' + 10) + case 'y': + if i+1 < len(p) && (p[i+1] == '0' || p[i+1] == '1') { + return nil, &parseError{"invalid pattern syntax: " + pattern} + } + bits = 0 + case '+', '-': + if c == '+' && result == false { + // Have already seen a -. Should be - from here on. + return nil, &parseError{"invalid pattern syntax (+ after -): " + pattern} + } + if i > 0 { + n := (i - start) * wid + if n > 64 { + return nil, &parseError{"pattern bits too long: " + pattern} + } + if n <= 0 { + return nil, &parseError{"invalid pattern syntax: " + pattern} + } + if p[start] == 'y' { + n = 0 + } + mask := uint64(1)<= 0; i-- { + c := &m.list[i] + if id&c.mask == c.bits { + return c.result + } + } + return false +} + +// FileLine reports whether the change identified by file and line should be enabled. +// If the change should be printed, FileLine prints a one-line report to w. +func (m *Matcher) FileLine(w Writer, file string, line int) bool { + if m == nil { + return true + } + return m.fileLine(w, file, line) +} + +// fileLine does the real work for FileLine. +// This lets FileLine's body handle m == nil and potentially be inlined. +func (m *Matcher) fileLine(w Writer, file string, line int) bool { + h := Hash(file, line) + if m.ShouldPrint(h) { + if m.MarkerOnly() { + PrintMarker(w, h) + } else { + printFileLine(w, h, file, line) + } + } + return m.ShouldEnable(h) +} + +// printFileLine prints a non-marker-only report for file:line to w. +func printFileLine(w Writer, h uint64, file string, line int) error { + const markerLen = 40 // overestimate + b := make([]byte, 0, markerLen+len(file)+24) + b = AppendMarker(b, h) + b = appendFileLine(b, file, line) + b = append(b, '\n') + _, err := w.Write(b) + return err +} + +// appendFileLine appends file:line to dst, returning the extended slice. +func appendFileLine(dst []byte, file string, line int) []byte { + dst = append(dst, file...) + dst = append(dst, ':') + u := uint(line) + if line < 0 { + dst = append(dst, '-') + u = -u + } + var buf [24]byte + i := len(buf) + for i == len(buf) || u > 0 { + i-- + buf[i] = '0' + byte(u%10) + u /= 10 + } + dst = append(dst, buf[i:]...) + return dst +} + +// MatchStack assigns the current call stack a change ID. +// If the stack should be printed, MatchStack prints it. +// Then MatchStack reports whether a change at the current call stack should be enabled. +func (m *Matcher) Stack(w Writer) bool { + if m == nil { + return true + } + return m.stack(w) +} + +// stack does the real work for Stack. +// This lets stack's body handle m == nil and potentially be inlined. +func (m *Matcher) stack(w Writer) bool { + const maxStack = 16 + var stk [maxStack]uintptr + n := runtime.Callers(2, stk[:]) + // caller #2 is not for printing; need it to normalize PCs if ASLR. + if n <= 1 { + return false + } + + base := stk[0] + // normalize PCs + for i := range stk[:n] { + stk[i] -= base + } + + h := Hash(stk[:n]) + if m.ShouldPrint(h) { + var d *dedup + for { + d = m.dedup.Load() + if d != nil { + break + } + d = new(dedup) + if m.dedup.CompareAndSwap(nil, d) { + break + } + } + + if m.MarkerOnly() { + if !d.seenLossy(h) { + PrintMarker(w, h) + } + } else { + if !d.seen(h) { + // Restore PCs in stack for printing + for i := range stk[:n] { + stk[i] += base + } + printStack(w, h, stk[1:n]) + } + } + } + return m.ShouldEnable(h) +} + +// Writer is the same interface as io.Writer. +// It is duplicated here to avoid importing io. +type Writer interface { + Write([]byte) (int, error) +} + +// PrintMarker prints to w a one-line report containing only the marker for h. +// It is appropriate to use when [Matcher.ShouldPrint] and [Matcher.MarkerOnly] both return true. +func PrintMarker(w Writer, h uint64) error { + var buf [50]byte + b := AppendMarker(buf[:0], h) + b = append(b, '\n') + _, err := w.Write(b) + return err +} + +// printStack prints to w a multi-line report containing a formatting of the call stack stk, +// with each line preceded by the marker for h. +func printStack(w Writer, h uint64, stk []uintptr) error { + buf := make([]byte, 0, 2048) + + var prefixBuf [100]byte + prefix := AppendMarker(prefixBuf[:0], h) + + frames := runtime.CallersFrames(stk) + for { + f, more := frames.Next() + buf = append(buf, prefix...) + buf = append(buf, f.Func.Name()...) + buf = append(buf, "()\n"...) + buf = append(buf, prefix...) + buf = append(buf, '\t') + buf = appendFileLine(buf, f.File, f.Line) + buf = append(buf, '\n') + if !more { + break + } + } + buf = append(buf, prefix...) + buf = append(buf, '\n') + _, err := w.Write(buf) + return err +} + +// Marker returns the match marker text to use on any line reporting details +// about a match of the given ID. +// It always returns the hexadecimal format. +func Marker(id uint64) string { + return string(AppendMarker(nil, id)) +} + +// AppendMarker is like [Marker] but appends the marker to dst. +func AppendMarker(dst []byte, id uint64) []byte { + const prefix = "[bisect-match 0x" + var buf [len(prefix) + 16 + 1]byte + copy(buf[:], prefix) + for i := 0; i < 16; i++ { + buf[len(prefix)+i] = "0123456789abcdef"[id>>60] + id <<= 4 + } + buf[len(prefix)+16] = ']' + return append(dst, buf[:]...) +} + +// CutMarker finds the first match marker in line and removes it, +// returning the shortened line (with the marker removed), +// the ID from the match marker, +// and whether a marker was found at all. +// If there is no marker, CutMarker returns line, 0, false. +func CutMarker(line string) (short string, id uint64, ok bool) { + // Find first instance of prefix. + prefix := "[bisect-match " + i := 0 + for ; ; i++ { + if i >= len(line)-len(prefix) { + return line, 0, false + } + if line[i] == '[' && line[i:i+len(prefix)] == prefix { + break + } + } + + // Scan to ]. + j := i + len(prefix) + for j < len(line) && line[j] != ']' { + j++ + } + if j >= len(line) { + return line, 0, false + } + + // Parse id. + idstr := line[i+len(prefix) : j] + if len(idstr) >= 3 && idstr[:2] == "0x" { + // parse hex + if len(idstr) > 2+16 { // max 0x + 16 digits + return line, 0, false + } + for i := 2; i < len(idstr); i++ { + id <<= 4 + switch c := idstr[i]; { + case '0' <= c && c <= '9': + id |= uint64(c - '0') + case 'a' <= c && c <= 'f': + id |= uint64(c - 'a' + 10) + case 'A' <= c && c <= 'F': + id |= uint64(c - 'A' + 10) + } + } + } else { + if idstr == "" || len(idstr) > 64 { // min 1 digit, max 64 digits + return line, 0, false + } + // parse binary + for i := 0; i < len(idstr); i++ { + id <<= 1 + switch c := idstr[i]; c { + default: + return line, 0, false + case '0', '1': + id |= uint64(c - '0') + } + } + } + + // Construct shortened line. + // Remove at most one space from around the marker, + // so that "foo [marker] bar" shortens to "foo bar". + j++ // skip ] + if i > 0 && line[i-1] == ' ' { + i-- + } else if j < len(line) && line[j] == ' ' { + j++ + } + short = line[:i] + line[j:] + return short, id, true +} + +// Hash computes a hash of the data arguments, +// each of which must be of type string, byte, int, uint, int32, uint32, int64, uint64, uintptr, or a slice of one of those types. +func Hash(data ...any) uint64 { + h := offset64 + for _, v := range data { + switch v := v.(type) { + default: + // Note: Not printing the type, because reflect.ValueOf(v) + // would make the interfaces prepared by the caller escape + // and therefore allocate. This way, Hash(file, line) runs + // without any allocation. It should be clear from the + // source code calling Hash what the bad argument was. + panic("bisect.Hash: unexpected argument type") + case string: + h = fnvString(h, v) + case byte: + h = fnv(h, v) + case int: + h = fnvUint64(h, uint64(v)) + case uint: + h = fnvUint64(h, uint64(v)) + case int32: + h = fnvUint32(h, uint32(v)) + case uint32: + h = fnvUint32(h, v) + case int64: + h = fnvUint64(h, uint64(v)) + case uint64: + h = fnvUint64(h, v) + case uintptr: + h = fnvUint64(h, uint64(v)) + case []string: + for _, x := range v { + h = fnvString(h, x) + } + case []byte: + for _, x := range v { + h = fnv(h, x) + } + case []int: + for _, x := range v { + h = fnvUint64(h, uint64(x)) + } + case []uint: + for _, x := range v { + h = fnvUint64(h, uint64(x)) + } + case []int32: + for _, x := range v { + h = fnvUint32(h, uint32(x)) + } + case []uint32: + for _, x := range v { + h = fnvUint32(h, x) + } + case []int64: + for _, x := range v { + h = fnvUint64(h, uint64(x)) + } + case []uint64: + for _, x := range v { + h = fnvUint64(h, x) + } + case []uintptr: + for _, x := range v { + h = fnvUint64(h, uint64(x)) + } + } + } + return h +} + +// Trivial error implementation, here to avoid importing errors. + +// parseError is a trivial error implementation, +// defined here to avoid importing errors. +type parseError struct{ text string } + +func (e *parseError) Error() string { return e.text } + +// FNV-1a implementation. See Go's hash/fnv/fnv.go. +// Copied here for simplicity (can handle integers more directly) +// and to avoid importing hash/fnv. + +const ( + offset64 uint64 = 14695981039346656037 + prime64 uint64 = 1099511628211 +) + +func fnv(h uint64, x byte) uint64 { + h ^= uint64(x) + h *= prime64 + return h +} + +func fnvString(h uint64, x string) uint64 { + for i := 0; i < len(x); i++ { + h ^= uint64(x[i]) + h *= prime64 + } + return h +} + +func fnvUint64(h uint64, x uint64) uint64 { + for i := 0; i < 8; i++ { + h ^= x & 0xFF + x >>= 8 + h *= prime64 + } + return h +} + +func fnvUint32(h uint64, x uint32) uint64 { + for i := 0; i < 4; i++ { + h ^= uint64(x & 0xFF) + x >>= 8 + h *= prime64 + } + return h +} + +// A dedup is a deduplicator for call stacks, so that we only print +// a report for new call stacks, not for call stacks we've already +// reported. +// +// It has two modes: an approximate but lock-free mode that +// may still emit some duplicates, and a precise mode that uses +// a lock and never emits duplicates. +type dedup struct { + // 128-entry 4-way, lossy cache for seenLossy + recent [128][4]uint64 + + // complete history for seen + mu sync.Mutex + m map[uint64]bool +} + +// seen records that h has now been seen and reports whether it was seen before. +// When seen returns false, the caller is expected to print a report for h. +func (d *dedup) seen(h uint64) bool { + d.mu.Lock() + if d.m == nil { + d.m = make(map[uint64]bool) + } + seen := d.m[h] + d.m[h] = true + d.mu.Unlock() + return seen +} + +// seenLossy is a variant of seen that avoids a lock by using a cache of recently seen hashes. +// Each cache entry is N-way set-associative: h can appear in any of the slots. +// If h does not appear in any of them, then it is inserted into a random slot, +// overwriting whatever was there before. +func (d *dedup) seenLossy(h uint64) bool { + cache := &d.recent[uint(h)%uint(len(d.recent))] + for i := 0; i < len(cache); i++ { + if atomic.LoadUint64(&cache[i]) == h { + return true + } + } + + // Compute index in set to evict as hash of current set. + ch := offset64 + for _, x := range cache { + ch = fnvUint64(ch, x) + } + atomic.StoreUint64(&cache[uint(ch)%uint(len(cache))], h) + return false +} diff --git a/pkg/tls/internal/boring/Dockerfile b/pkg/tls/internal/boring/Dockerfile new file mode 100644 index 000000000..58eb028e8 --- /dev/null +++ b/pkg/tls/internal/boring/Dockerfile @@ -0,0 +1,63 @@ +# Copyright 2020 The Go Authors. All rights reserved. +# Use of this source code is governed by a BSD-style +# license that can be found in the LICENSE file. + +# Run this using build.sh. + +ARG ubuntu=ubuntu +FROM $ubuntu:focal + +RUN mkdir /boring +WORKDIR /boring + +ENV LANG=C +ENV LANGUAGE= + +# Following NIST submission draft dated July 3, 2021. +# This corresponds to boringssl.googlesource.com/boringssl tag fips-20210429. +ENV ClangV=12 +RUN apt-get update && \ + apt-get install --no-install-recommends -y cmake xz-utils wget unzip ca-certificates clang-$ClangV python + +# Download, validate, unpack, build, and install Ninja. +ENV NinjaV=1.10.2 +ENV NinjaH=ce35865411f0490368a8fc383f29071de6690cbadc27704734978221f25e2bed +RUN \ + wget https://github.com/ninja-build/ninja/archive/refs/tags/v$NinjaV.tar.gz && \ + echo "$NinjaH v$NinjaV.tar.gz" >sha && sha256sum -c sha && \ + tar -xzf v$NinjaV.tar.gz && \ + rm v$NinjaV.tar.gz && \ + cd ninja-$NinjaV && \ + CC=clang-$ClangV CXX=clang++-$ClangV ./configure.py --bootstrap && \ + mv ninja /usr/local/bin/ + +# Download, validate, unpack, and install Go. +ARG GOARCH +ENV GoV=1.16.5 +ENV GoHamd64=b12c23023b68de22f74c0524f10b753e7b08b1504cb7e417eccebdd3fae49061 +ENV GoHarm64=d5446b46ef6f36fdffa852f73dfbbe78c1ddf010b99fa4964944b9ae8b4d6799 +RUN \ + eval GoH=\${GoH$GOARCH} && \ + wget https://golang.org/dl/go$GoV.linux-$GOARCH.tar.gz && \ + echo "$GoH go$GoV.linux-$GOARCH.tar.gz" >sha && sha256sum -c sha && \ + tar -C /usr/local -xzf go$GoV.linux-$GOARCH.tar.gz && \ + rm go$GoV.linux-$GOARCH.tar.gz && \ + ln -s /usr/local/go/bin/go /usr/local/bin/ + +# Download, validate, and unpack BoringCrypto. +ENV BoringV=853ca1ea1168dff08011e5d42d94609cc0ca2e27 +ENV BoringH=a4d069ccef6f3c7bc0c68de82b91414f05cb817494cd1ab483dcf3368883c7c2 +RUN \ + wget https://commondatastorage.googleapis.com/chromium-boringssl-fips/boringssl-$BoringV.tar.xz && \ + echo "$BoringH boringssl-$BoringV.tar.xz" >sha && sha256sum -c sha && \ + tar xJf boringssl-$BoringV.tar.xz + +# Build BoringCrypto. +ADD build-boring.sh /boring/build-boring.sh +RUN /boring/build-boring.sh + +# Build Go BoringCrypto syso. +# build.sh copies it back out of the Docker image. +ADD goboringcrypto.h /boring/godriver/goboringcrypto.h +ADD build-goboring.sh /boring/build-goboring.sh +RUN /boring/build-goboring.sh diff --git a/pkg/tls/internal/boring/LICENSE b/pkg/tls/internal/boring/LICENSE new file mode 100644 index 000000000..38990bdb7 --- /dev/null +++ b/pkg/tls/internal/boring/LICENSE @@ -0,0 +1,202 @@ +The Go source code and supporting files in this directory +are covered by the usual Go license (see ../../../../LICENSE). + +When building with GOEXPERIMENT=boringcrypto, the following applies. + +The goboringcrypto_linux_amd64.syso object file is built +from BoringSSL source code by build/build.sh and is covered +by the BoringSSL license reproduced below and also at +https://boringssl.googlesource.com/boringssl/+/fips-20190808/LICENSE. + +BoringSSL is a fork of OpenSSL. As such, large parts of it fall under OpenSSL +licensing. Files that are completely new have a Google copyright and an ISC +license. This license is reproduced at the bottom of this file. + +Contributors to BoringSSL are required to follow the CLA rules for Chromium: +https://cla.developers.google.com/clas + +Some files from Intel are under yet another license, which is also included +underneath. + +The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the +OpenSSL License and the original SSLeay license apply to the toolkit. See below +for the actual license texts. Actually both licenses are BSD-style Open Source +licenses. In case of any license issues related to OpenSSL please contact +openssl-core@openssl.org. + +The following are Google-internal bug numbers where explicit permission from +some authors is recorded for use of their work. (This is purely for our own +record keeping.) + 27287199 + 27287880 + 27287883 + + OpenSSL License + --------------- + +/* ==================================================================== + * Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * 3. All advertising materials mentioning features or use of this + * software must display the following acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" + * + * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to + * endorse or promote products derived from this software without + * prior written permission. For written permission, please contact + * openssl-core@openssl.org. + * + * 5. Products derived from this software may not be called "OpenSSL" + * nor may "OpenSSL" appear in their names without prior written + * permission of the OpenSSL Project. + * + * 6. Redistributions of any form whatsoever must retain the following + * acknowledgment: + * "This product includes software developed by the OpenSSL Project + * for use in the OpenSSL Toolkit (http://www.openssl.org/)" + * + * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY + * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR + * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; + * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * ==================================================================== + * + * This product includes cryptographic software written by Eric Young + * (eay@cryptsoft.com). This product includes software written by Tim + * Hudson (tjh@cryptsoft.com). + * + */ + + Original SSLeay License + ----------------------- + +/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) + * All rights reserved. + * + * This package is an SSL implementation written + * by Eric Young (eay@cryptsoft.com). + * The implementation was written so as to conform with Netscapes SSL. + * + * This library is free for commercial and non-commercial use as long as + * the following conditions are aheared to. The following conditions + * apply to all code found in this distribution, be it the RC4, RSA, + * lhash, DES, etc., code; not just the SSL code. The SSL documentation + * included with this distribution is covered by the same copyright terms + * except that the holder is Tim Hudson (tjh@cryptsoft.com). + * + * Copyright remains Eric Young's, and as such any Copyright notices in + * the code are not to be removed. + * If this package is used in a product, Eric Young should be given attribution + * as the author of the parts of the library used. + * This can be in the form of a textual message at program startup or + * in documentation (online or textual) provided with the package. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * "This product includes cryptographic software written by + * Eric Young (eay@cryptsoft.com)" + * The word 'cryptographic' can be left out if the rouines from the library + * being used are not cryptographic related :-). + * 4. If you include any Windows specific code (or a derivative thereof) from + * the apps directory (application code) you must include an acknowledgement: + * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" + * + * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * The licence and distribution terms for any publically available version or + * derivative of this code cannot be changed. i.e. this code cannot simply be + * copied and put under another distribution licence + * [including the GNU Public Licence.] + */ + + +ISC license used for completely new code in BoringSSL: + +/* Copyright (c) 2015, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ + + +Some files from Intel carry the following license: + +# Copyright (c) 2012, Intel Corporation +# +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions are +# met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the +# distribution. +# +# * Neither the name of the Intel Corporation nor the names of its +# contributors may be used to endorse or promote products derived from +# this software without specific prior written permission. +# +# +# THIS SOFTWARE IS PROVIDED BY INTEL CORPORATION ""AS IS"" AND ANY +# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL INTEL CORPORATION OR +# CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, +# EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR +# PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF +# LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING +# NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS +# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/pkg/tls/internal/boring/README.md b/pkg/tls/internal/boring/README.md new file mode 100644 index 000000000..ec02786d9 --- /dev/null +++ b/pkg/tls/internal/boring/README.md @@ -0,0 +1,39 @@ +We have been working inside Google on a fork of Go that uses +BoringCrypto (the core of [BoringSSL](https://boringssl.googlesource.com/boringssl/)) +for various crypto primitives, in furtherance of some work related to FIPS 140. +We have heard that some external users of Go would be +interested in this code as well, so we have published this code +here in the main Go repository behind the setting GOEXPERIMENT=boringcrypto. + +Use of GOEXPERIMENT=boringcrypto outside Google is _unsupported_. +This mode is not part of the [Go 1 compatibility rules](https://go.dev/doc/go1compat), +and it may change incompatibly or break in other ways at any time. + +To be clear, we are not making any statements or representations about +the suitability of this code in relation to the FIPS 140 standard. +Interested users will have to evaluate for themselves whether the code +is useful for their own purposes. + +--- + +This directory holds the core of the BoringCrypto implementation +as well as the build scripts for the module itself: syso/*.syso. + +syso/goboringcrypto_linux_amd64.syso is built with: + + GOARCH=amd64 ./build.sh + +syso/goboringcrypto_linux_arm64.syso is built with: + + GOARCH=arm64 ./build.sh + +Both run on an x86 Debian Linux system using Docker. +For the arm64 build to run on an x86 system, you need + + apt-get install qemu-user-static qemu-binfmt-support + +to allow the x86 kernel to run arm64 binaries via QEMU. + +See build.sh for more details about the build. + + diff --git a/pkg/tls/internal/boring/aes.go b/pkg/tls/internal/boring/aes.go new file mode 100644 index 000000000..8819f576f --- /dev/null +++ b/pkg/tls/internal/boring/aes.go @@ -0,0 +1,385 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build boringcrypto && linux && (amd64 || arm64) && !android && !msan + +package boring + +/* + +#include "goboringcrypto.h" + +// These wrappers allocate out_len on the C stack, and check that it matches the expected +// value, to avoid having to pass a pointer from Go, which would escape to the heap. + +int EVP_AEAD_CTX_seal_wrapper(const GO_EVP_AEAD_CTX *ctx, uint8_t *out, + size_t exp_out_len, + const uint8_t *nonce, size_t nonce_len, + const uint8_t *in, size_t in_len, + const uint8_t *ad, size_t ad_len) { + size_t out_len; + int ok = _goboringcrypto_EVP_AEAD_CTX_seal(ctx, out, &out_len, exp_out_len, + nonce, nonce_len, in, in_len, ad, ad_len); + if (out_len != exp_out_len) { + return 0; + } + return ok; +}; + +int EVP_AEAD_CTX_open_wrapper(const GO_EVP_AEAD_CTX *ctx, uint8_t *out, + size_t exp_out_len, + const uint8_t *nonce, size_t nonce_len, + const uint8_t *in, size_t in_len, + const uint8_t *ad, size_t ad_len) { + size_t out_len; + int ok = _goboringcrypto_EVP_AEAD_CTX_open(ctx, out, &out_len, exp_out_len, + nonce, nonce_len, in, in_len, ad, ad_len); + if (out_len != exp_out_len) { + return 0; + } + return ok; +}; + +*/ +import "C" +import ( + "bytes" + "crypto/cipher" + "errors" + "runtime" + "strconv" + "unsafe" +) + +type aesKeySizeError int + +func (k aesKeySizeError) Error() string { + return "crypto/aes: invalid key size " + strconv.Itoa(int(k)) +} + +const aesBlockSize = 16 + +type aesCipher struct { + key []byte + enc C.GO_AES_KEY + dec C.GO_AES_KEY +} + +type extraModes interface { + // Copied out of crypto/aes/modes.go. + NewCBCEncrypter(iv []byte) cipher.BlockMode + NewCBCDecrypter(iv []byte) cipher.BlockMode + NewCTR(iv []byte) cipher.Stream + NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) +} + +var _ extraModes = (*aesCipher)(nil) + +func NewAESCipher(key []byte) (cipher.Block, error) { + c := &aesCipher{key: bytes.Clone(key)} + // Note: 0 is success, contradicting the usual BoringCrypto convention. + if C._goboringcrypto_AES_set_decrypt_key((*C.uint8_t)(unsafe.Pointer(&c.key[0])), C.uint(8*len(c.key)), &c.dec) != 0 || + C._goboringcrypto_AES_set_encrypt_key((*C.uint8_t)(unsafe.Pointer(&c.key[0])), C.uint(8*len(c.key)), &c.enc) != 0 { + return nil, aesKeySizeError(len(key)) + } + return c, nil +} + +func (c *aesCipher) BlockSize() int { return aesBlockSize } + +func (c *aesCipher) Encrypt(dst, src []byte) { + if inexactOverlap(dst, src) { + panic("crypto/cipher: invalid buffer overlap") + } + if len(src) < aesBlockSize { + panic("crypto/aes: input not full block") + } + if len(dst) < aesBlockSize { + panic("crypto/aes: output not full block") + } + C._goboringcrypto_AES_encrypt( + (*C.uint8_t)(unsafe.Pointer(&src[0])), + (*C.uint8_t)(unsafe.Pointer(&dst[0])), + &c.enc) +} + +func (c *aesCipher) Decrypt(dst, src []byte) { + if inexactOverlap(dst, src) { + panic("crypto/cipher: invalid buffer overlap") + } + if len(src) < aesBlockSize { + panic("crypto/aes: input not full block") + } + if len(dst) < aesBlockSize { + panic("crypto/aes: output not full block") + } + C._goboringcrypto_AES_decrypt( + (*C.uint8_t)(unsafe.Pointer(&src[0])), + (*C.uint8_t)(unsafe.Pointer(&dst[0])), + &c.dec) +} + +type aesCBC struct { + key *C.GO_AES_KEY + mode C.int + iv [aesBlockSize]byte +} + +func (x *aesCBC) BlockSize() int { return aesBlockSize } + +func (x *aesCBC) CryptBlocks(dst, src []byte) { + if inexactOverlap(dst, src) { + panic("crypto/cipher: invalid buffer overlap") + } + if len(src)%aesBlockSize != 0 { + panic("crypto/cipher: input not full blocks") + } + if len(dst) < len(src) { + panic("crypto/cipher: output smaller than input") + } + if len(src) > 0 { + C._goboringcrypto_AES_cbc_encrypt( + (*C.uint8_t)(unsafe.Pointer(&src[0])), + (*C.uint8_t)(unsafe.Pointer(&dst[0])), + C.size_t(len(src)), x.key, + (*C.uint8_t)(unsafe.Pointer(&x.iv[0])), x.mode) + } +} + +func (x *aesCBC) SetIV(iv []byte) { + if len(iv) != aesBlockSize { + panic("cipher: incorrect length IV") + } + copy(x.iv[:], iv) +} + +func (c *aesCipher) NewCBCEncrypter(iv []byte) cipher.BlockMode { + x := &aesCBC{key: &c.enc, mode: C.GO_AES_ENCRYPT} + copy(x.iv[:], iv) + return x +} + +func (c *aesCipher) NewCBCDecrypter(iv []byte) cipher.BlockMode { + x := &aesCBC{key: &c.dec, mode: C.GO_AES_DECRYPT} + copy(x.iv[:], iv) + return x +} + +type aesCTR struct { + key *C.GO_AES_KEY + iv [aesBlockSize]byte + num C.uint + ecount_buf [16]C.uint8_t +} + +func (x *aesCTR) XORKeyStream(dst, src []byte) { + if inexactOverlap(dst, src) { + panic("crypto/cipher: invalid buffer overlap") + } + if len(dst) < len(src) { + panic("crypto/cipher: output smaller than input") + } + if len(src) == 0 { + return + } + C._goboringcrypto_AES_ctr128_encrypt( + (*C.uint8_t)(unsafe.Pointer(&src[0])), + (*C.uint8_t)(unsafe.Pointer(&dst[0])), + C.size_t(len(src)), x.key, (*C.uint8_t)(unsafe.Pointer(&x.iv[0])), + &x.ecount_buf[0], &x.num) +} + +func (c *aesCipher) NewCTR(iv []byte) cipher.Stream { + x := &aesCTR{key: &c.enc} + copy(x.iv[:], iv) + return x +} + +type aesGCM struct { + ctx C.GO_EVP_AEAD_CTX + aead *C.GO_EVP_AEAD +} + +const ( + gcmBlockSize = 16 + gcmTagSize = 16 + gcmStandardNonceSize = 12 +) + +type aesNonceSizeError int + +func (n aesNonceSizeError) Error() string { + return "crypto/aes: invalid GCM nonce size " + strconv.Itoa(int(n)) +} + +type noGCM struct { + cipher.Block +} + +func (c *aesCipher) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) { + if nonceSize != gcmStandardNonceSize && tagSize != gcmTagSize { + return nil, errors.New("crypto/aes: GCM tag and nonce sizes can't be non-standard at the same time") + } + // Fall back to standard library for GCM with non-standard nonce or tag size. + if nonceSize != gcmStandardNonceSize { + return cipher.NewGCMWithNonceSize(&noGCM{c}, nonceSize) + } + if tagSize != gcmTagSize { + return cipher.NewGCMWithTagSize(&noGCM{c}, tagSize) + } + return c.newGCM(false) +} + +func NewGCMTLS(c cipher.Block) (cipher.AEAD, error) { + return c.(*aesCipher).newGCM(true) +} + +func (c *aesCipher) newGCM(tls bool) (cipher.AEAD, error) { + var aead *C.GO_EVP_AEAD + switch len(c.key) * 8 { + case 128: + if tls { + aead = C._goboringcrypto_EVP_aead_aes_128_gcm_tls12() + } else { + aead = C._goboringcrypto_EVP_aead_aes_128_gcm() + } + case 256: + if tls { + aead = C._goboringcrypto_EVP_aead_aes_256_gcm_tls12() + } else { + aead = C._goboringcrypto_EVP_aead_aes_256_gcm() + } + default: + // Fall back to standard library for GCM with non-standard key size. + return cipher.NewGCMWithNonceSize(&noGCM{c}, gcmStandardNonceSize) + } + + g := &aesGCM{aead: aead} + if C._goboringcrypto_EVP_AEAD_CTX_init(&g.ctx, aead, (*C.uint8_t)(unsafe.Pointer(&c.key[0])), C.size_t(len(c.key)), C.GO_EVP_AEAD_DEFAULT_TAG_LENGTH, nil) == 0 { + return nil, fail("EVP_AEAD_CTX_init") + } + // Note: Because of the finalizer, any time g.ctx is passed to cgo, + // that call must be followed by a call to runtime.KeepAlive(g), + // to make sure g is not collected (and finalized) before the cgo + // call returns. + runtime.SetFinalizer(g, (*aesGCM).finalize) + if g.NonceSize() != gcmStandardNonceSize { + panic("boringcrypto: internal confusion about nonce size") + } + if g.Overhead() != gcmTagSize { + panic("boringcrypto: internal confusion about tag size") + } + + return g, nil +} + +func (g *aesGCM) finalize() { + C._goboringcrypto_EVP_AEAD_CTX_cleanup(&g.ctx) +} + +func (g *aesGCM) NonceSize() int { + return int(C._goboringcrypto_EVP_AEAD_nonce_length(g.aead)) +} + +func (g *aesGCM) Overhead() int { + return int(C._goboringcrypto_EVP_AEAD_max_overhead(g.aead)) +} + +// base returns the address of the underlying array in b, +// being careful not to panic when b has zero length. +func base(b []byte) *C.uint8_t { + if len(b) == 0 { + return nil + } + return (*C.uint8_t)(unsafe.Pointer(&b[0])) +} + +func (g *aesGCM) Seal(dst, nonce, plaintext, additionalData []byte) []byte { + if len(nonce) != gcmStandardNonceSize { + panic("cipher: incorrect nonce length given to GCM") + } + if uint64(len(plaintext)) > ((1<<32)-2)*aesBlockSize || len(plaintext)+gcmTagSize < len(plaintext) { + panic("cipher: message too large for GCM") + } + if len(dst)+len(plaintext)+gcmTagSize < len(dst) { + panic("cipher: message too large for buffer") + } + + // Make room in dst to append plaintext+overhead. + n := len(dst) + for cap(dst) < n+len(plaintext)+gcmTagSize { + dst = append(dst[:cap(dst)], 0) + } + dst = dst[:n+len(plaintext)+gcmTagSize] + + // Check delayed until now to make sure len(dst) is accurate. + if inexactOverlap(dst[n:], plaintext) { + panic("cipher: invalid buffer overlap") + } + + outLen := C.size_t(len(plaintext) + gcmTagSize) + ok := C.EVP_AEAD_CTX_seal_wrapper( + &g.ctx, + (*C.uint8_t)(unsafe.Pointer(&dst[n])), outLen, + base(nonce), C.size_t(len(nonce)), + base(plaintext), C.size_t(len(plaintext)), + base(additionalData), C.size_t(len(additionalData))) + runtime.KeepAlive(g) + if ok == 0 { + panic(fail("EVP_AEAD_CTX_seal")) + } + return dst[:n+int(outLen)] +} + +var errOpen = errors.New("cipher: message authentication failed") + +func (g *aesGCM) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) { + if len(nonce) != gcmStandardNonceSize { + panic("cipher: incorrect nonce length given to GCM") + } + if len(ciphertext) < gcmTagSize { + return nil, errOpen + } + if uint64(len(ciphertext)) > ((1<<32)-2)*aesBlockSize+gcmTagSize { + return nil, errOpen + } + + // Make room in dst to append ciphertext without tag. + n := len(dst) + for cap(dst) < n+len(ciphertext)-gcmTagSize { + dst = append(dst[:cap(dst)], 0) + } + dst = dst[:n+len(ciphertext)-gcmTagSize] + + // Check delayed until now to make sure len(dst) is accurate. + if inexactOverlap(dst[n:], ciphertext) { + panic("cipher: invalid buffer overlap") + } + + outLen := C.size_t(len(ciphertext) - gcmTagSize) + ok := C.EVP_AEAD_CTX_open_wrapper( + &g.ctx, + base(dst[n:]), outLen, + base(nonce), C.size_t(len(nonce)), + base(ciphertext), C.size_t(len(ciphertext)), + base(additionalData), C.size_t(len(additionalData))) + runtime.KeepAlive(g) + if ok == 0 { + return nil, errOpen + } + return dst[:n+int(outLen)], nil +} + +func anyOverlap(x, y []byte) bool { + return len(x) > 0 && len(y) > 0 && + uintptr(unsafe.Pointer(&x[0])) <= uintptr(unsafe.Pointer(&y[len(y)-1])) && + uintptr(unsafe.Pointer(&y[0])) <= uintptr(unsafe.Pointer(&x[len(x)-1])) +} + +func inexactOverlap(x, y []byte) bool { + if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] { + return false + } + return anyOverlap(x, y) +} diff --git a/pkg/tls/internal/boring/bbig/big.go b/pkg/tls/internal/boring/bbig/big.go new file mode 100644 index 000000000..5ce46972b --- /dev/null +++ b/pkg/tls/internal/boring/bbig/big.go @@ -0,0 +1,33 @@ +// Copyright 2022 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package bbig + +import ( + "crypto/internal/boring" + "math/big" + "unsafe" +) + +func Enc(b *big.Int) boring.BigInt { + if b == nil { + return nil + } + x := b.Bits() + if len(x) == 0 { + return boring.BigInt{} + } + return unsafe.Slice((*uint)(&x[0]), len(x)) +} + +func Dec(b boring.BigInt) *big.Int { + if b == nil { + return nil + } + if len(b) == 0 { + return new(big.Int) + } + x := unsafe.Slice((*big.Word)(&b[0]), len(b)) + return new(big.Int).SetBits(x) +} diff --git a/pkg/tls/internal/boring/bcache/cache.go b/pkg/tls/internal/boring/bcache/cache.go new file mode 100644 index 000000000..7934d03e7 --- /dev/null +++ b/pkg/tls/internal/boring/bcache/cache.go @@ -0,0 +1,140 @@ +// Copyright 2022 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package bcache implements a GC-friendly cache (see [Cache]) for BoringCrypto. +package bcache + +import ( + "sync/atomic" + "unsafe" +) + +// A Cache is a GC-friendly concurrent map from unsafe.Pointer to +// unsafe.Pointer. It is meant to be used for maintaining shadow +// BoringCrypto state associated with certain allocated structs, in +// particular public and private RSA and ECDSA keys. +// +// The cache is GC-friendly in the sense that the keys do not +// indefinitely prevent the garbage collector from collecting them. +// Instead, at the start of each GC, the cache is cleared entirely. That +// is, the cache is lossy, and the loss happens at the start of each GC. +// This means that clients need to be able to cope with cache entries +// disappearing, but it also means that clients don't need to worry about +// cache entries keeping the keys from being collected. +type Cache[K, V any] struct { + // The runtime atomically stores nil to ptable at the start of each GC. + ptable atomic.Pointer[cacheTable[K, V]] +} + +type cacheTable[K, V any] [cacheSize]atomic.Pointer[cacheEntry[K, V]] + +// A cacheEntry is a single entry in the linked list for a given hash table entry. +type cacheEntry[K, V any] struct { + k *K // immutable once created + v atomic.Pointer[V] // read and written atomically to allow updates + next *cacheEntry[K, V] // immutable once linked into table +} + +func registerCache(unsafe.Pointer) // provided by runtime + +// Register registers the cache with the runtime, +// so that c.ptable can be cleared at the start of each GC. +// Register must be called during package initialization. +func (c *Cache[K, V]) Register() { + registerCache(unsafe.Pointer(&c.ptable)) +} + +// cacheSize is the number of entries in the hash table. +// The hash is the pointer value mod cacheSize, a prime. +// Collisions are resolved by maintaining a linked list in each hash slot. +const cacheSize = 1021 + +// table returns a pointer to the current cache hash table, +// coping with the possibility of the GC clearing it out from under us. +func (c *Cache[K, V]) table() *cacheTable[K, V] { + for { + p := c.ptable.Load() + if p == nil { + p = new(cacheTable[K, V]) + if !c.ptable.CompareAndSwap(nil, p) { + continue + } + } + return p + } +} + +// Clear clears the cache. +// The runtime does this automatically at each garbage collection; +// this method is exposed only for testing. +func (c *Cache[K, V]) Clear() { + // The runtime does this at the start of every garbage collection + // (itself, not by calling this function). + c.ptable.Store(nil) +} + +// Get returns the cached value associated with v, +// which is either the value v corresponding to the most recent call to Put(k, v) +// or nil if that cache entry has been dropped. +func (c *Cache[K, V]) Get(k *K) *V { + head := &c.table()[uintptr(unsafe.Pointer(k))%cacheSize] + e := head.Load() + for ; e != nil; e = e.next { + if e.k == k { + return e.v.Load() + } + } + return nil +} + +// Put sets the cached value associated with k to v. +func (c *Cache[K, V]) Put(k *K, v *V) { + head := &c.table()[uintptr(unsafe.Pointer(k))%cacheSize] + + // Strategy is to walk the linked list at head, + // same as in Get, to look for existing entry. + // If we find one, we update v atomically in place. + // If not, then we race to replace the start = *head + // we observed with a new k, v entry. + // If we win that race, we're done. + // Otherwise, we try the whole thing again, + // with two optimizations: + // + // 1. We track in noK the start of the section of + // the list that we've confirmed has no entry for k. + // The next time down the list, we can stop at noK, + // because new entries are inserted at the front of the list. + // This guarantees we never traverse an entry + // multiple times. + // + // 2. We only allocate the entry to be added once, + // saving it in add for the next attempt. + var add, noK *cacheEntry[K, V] + n := 0 + for { + e := head.Load() + start := e + for ; e != nil && e != noK; e = e.next { + if e.k == k { + e.v.Store(v) + return + } + n++ + } + if add == nil { + add = &cacheEntry[K, V]{k: k} + add.v.Store(v) + } + add.next = start + if n >= 1000 { + // If an individual list gets too long, which shouldn't happen, + // throw it away to avoid quadratic lookup behavior. + add.next = nil + } + if head.CompareAndSwap(start, add) { + return + } + noK = start + } +} diff --git a/pkg/tls/internal/boring/bcache/cache_test.go b/pkg/tls/internal/boring/bcache/cache_test.go new file mode 100644 index 000000000..19458a1c2 --- /dev/null +++ b/pkg/tls/internal/boring/bcache/cache_test.go @@ -0,0 +1,122 @@ +// Copyright 2022 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package bcache + +import ( + "fmt" + "runtime" + "sync" + "sync/atomic" + "testing" +) + +var registeredCache Cache[int, int32] + +func init() { + registeredCache.Register() +} + +var seq atomic.Uint32 + +func next[T int | int32]() *T { + x := new(T) + *x = T(seq.Add(1)) + return x +} + +func str[T int | int32](x *T) string { + if x == nil { + return "nil" + } + return fmt.Sprint(*x) +} + +func TestCache(t *testing.T) { + // Use unregistered cache for functionality tests, + // to keep the runtime from clearing behind our backs. + c := new(Cache[int, int32]) + + // Create many entries. + m := make(map[*int]*int32) + for i := 0; i < 10000; i++ { + k := next[int]() + v := next[int32]() + m[k] = v + c.Put(k, v) + } + + // Overwrite a random 20% of those. + n := 0 + for k := range m { + v := next[int32]() + m[k] = v + c.Put(k, v) + if n++; n >= 2000 { + break + } + } + + // Check results. + for k, v := range m { + if cv := c.Get(k); cv != v { + t.Fatalf("c.Get(%v) = %v, want %v", str(k), str(cv), str(v)) + } + } + + c.Clear() + for k := range m { + if cv := c.Get(k); cv != nil { + t.Fatalf("after GC, c.Get(%v) = %v, want nil", str(k), str(cv)) + } + } + + // Check that registered cache is cleared at GC. + c = ®isteredCache + for k, v := range m { + c.Put(k, v) + } + runtime.GC() + for k := range m { + if cv := c.Get(k); cv != nil { + t.Fatalf("after Clear, c.Get(%v) = %v, want nil", str(k), str(cv)) + } + } + + // Check that cache works for concurrent access. + // Lists are discarded if they reach 1000 entries, + // and there are cacheSize list heads, so we should be + // able to do 100 * cacheSize entries with no problem at all. + c = new(Cache[int, int32]) + var barrier, wg sync.WaitGroup + const N = 100 + barrier.Add(N) + wg.Add(N) + var lost int32 + for i := 0; i < N; i++ { + go func() { + defer wg.Done() + + m := make(map[*int]*int32) + for j := 0; j < cacheSize; j++ { + k, v := next[int](), next[int32]() + m[k] = v + c.Put(k, v) + } + barrier.Done() + barrier.Wait() + + for k, v := range m { + if cv := c.Get(k); cv != v { + t.Errorf("c.Get(%v) = %v, want %v", str(k), str(cv), str(v)) + atomic.AddInt32(&lost, +1) + } + } + }() + } + wg.Wait() + if lost != 0 { + t.Errorf("lost %d entries", lost) + } +} diff --git a/pkg/tls/internal/boring/bcache/stub.s b/pkg/tls/internal/boring/bcache/stub.s new file mode 100644 index 000000000..59f2deeb6 --- /dev/null +++ b/pkg/tls/internal/boring/bcache/stub.s @@ -0,0 +1,6 @@ +// Copyright 2022 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// This file is here to silence an error about registerCache not having a body. +// (The body is provided by package runtime.) diff --git a/pkg/tls/internal/boring/boring.go b/pkg/tls/internal/boring/boring.go new file mode 100644 index 000000000..ded36a92f --- /dev/null +++ b/pkg/tls/internal/boring/boring.go @@ -0,0 +1,126 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build boringcrypto && linux && (amd64 || arm64) && !android && !msan + +package boring + +/* +// goboringcrypto_linux_amd64.syso references pthread functions. +#cgo LDFLAGS: "-pthread" + +#include "goboringcrypto.h" +*/ +import "C" +import ( + "crypto/internal/boring/sig" + _ "crypto/internal/boring/syso" + "math/bits" + "unsafe" +) + +const available = true + +func init() { + C._goboringcrypto_BORINGSSL_bcm_power_on_self_test() + if C._goboringcrypto_FIPS_mode() != 1 { + panic("boringcrypto: not in FIPS mode") + } + sig.BoringCrypto() +} + +// Unreachable marks code that should be unreachable +// when BoringCrypto is in use. It panics. +func Unreachable() { + panic("boringcrypto: invalid code execution") +} + +// provided by runtime to avoid os import. +func runtime_arg0() string + +func hasSuffix(s, t string) bool { + return len(s) > len(t) && s[len(s)-len(t):] == t +} + +// UnreachableExceptTests marks code that should be unreachable +// when BoringCrypto is in use. It panics. +func UnreachableExceptTests() { + name := runtime_arg0() + // If BoringCrypto ran on Windows we'd need to allow _test.exe and .test.exe as well. + if !hasSuffix(name, "_test") && !hasSuffix(name, ".test") { + println("boringcrypto: unexpected code execution in", name) + panic("boringcrypto: invalid code execution") + } +} + +type fail string + +func (e fail) Error() string { return "boringcrypto: " + string(e) + " failed" } + +func wbase(b BigInt) *C.uint8_t { + if len(b) == 0 { + return nil + } + return (*C.uint8_t)(unsafe.Pointer(&b[0])) +} + +const wordBytes = bits.UintSize / 8 + +func bigToBN(x BigInt) *C.GO_BIGNUM { + return C._goboringcrypto_BN_le2bn(wbase(x), C.size_t(len(x)*wordBytes), nil) +} + +func bytesToBN(x []byte) *C.GO_BIGNUM { + return C._goboringcrypto_BN_bin2bn((*C.uint8_t)(&x[0]), C.size_t(len(x)), nil) +} + +func bnToBig(bn *C.GO_BIGNUM) BigInt { + x := make(BigInt, (C._goboringcrypto_BN_num_bytes(bn)+wordBytes-1)/wordBytes) + if C._goboringcrypto_BN_bn2le_padded(wbase(x), C.size_t(len(x)*wordBytes), bn) == 0 { + panic("boringcrypto: bignum conversion failed") + } + return x +} + +func bigToBn(bnp **C.GO_BIGNUM, b BigInt) bool { + if *bnp != nil { + C._goboringcrypto_BN_free(*bnp) + *bnp = nil + } + if b == nil { + return true + } + bn := bigToBN(b) + if bn == nil { + return false + } + *bnp = bn + return true +} + +// noescape hides a pointer from escape analysis. noescape is +// the identity function but escape analysis doesn't think the +// output depends on the input. noescape is inlined and currently +// compiles down to zero instructions. +// USE CAREFULLY! +// +//go:nosplit +func noescape(p unsafe.Pointer) unsafe.Pointer { + x := uintptr(p) + return unsafe.Pointer(x ^ 0) +} + +var zero byte + +// addr converts p to its base addr, including a noescape along the way. +// If p is nil, addr returns a non-nil pointer, so that the result can always +// be dereferenced. +// +//go:nosplit +func addr(p []byte) *byte { + if len(p) == 0 { + return &zero + } + return (*byte)(noescape(unsafe.Pointer(&p[0]))) +} diff --git a/pkg/tls/internal/boring/boring_test.go b/pkg/tls/internal/boring/boring_test.go new file mode 100644 index 000000000..83bbbd340 --- /dev/null +++ b/pkg/tls/internal/boring/boring_test.go @@ -0,0 +1,34 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Most functionality in this package is tested by replacing existing code +// and inheriting that code's tests. + +package boring + +import "testing" + +// Test that func init does not panic. +func TestInit(t *testing.T) {} + +// Test that Unreachable panics. +func TestUnreachable(t *testing.T) { + defer func() { + if Enabled { + if err := recover(); err == nil { + t.Fatal("expected Unreachable to panic") + } + } else { + if err := recover(); err != nil { + t.Fatalf("expected Unreachable to be a no-op") + } + } + }() + Unreachable() +} + +// Test that UnreachableExceptTests does not panic (this is a test). +func TestUnreachableExceptTests(t *testing.T) { + UnreachableExceptTests() +} diff --git a/pkg/tls/internal/boring/build-boring.sh b/pkg/tls/internal/boring/build-boring.sh new file mode 100644 index 000000000..db49852a6 --- /dev/null +++ b/pkg/tls/internal/boring/build-boring.sh @@ -0,0 +1,44 @@ +#!/bin/bash +# Copyright 2020 The Go Authors. All rights reserved. +# Use of this source code is governed by a BSD-style +# license that can be found in the LICENSE file. + +# Do not run directly; run build.sh, which runs this in Docker. +# This script builds boringssl, which has already been unpacked in /boring/boringssl. + +set -e +id +date +cd /boring + +# Go requires -fPIC for linux/amd64 cgo builds. +# Setting -fPIC only affects the compilation of the non-module code in libcrypto.a, +# because the FIPS module itself is already built with -fPIC. +echo '#!/bin/bash +exec clang-'$ClangV' -DGOBORING -fPIC "$@" +' >/usr/local/bin/clang +echo '#!/bin/bash +exec clang++-'$ClangV' -DGOBORING -fPIC "$@" +' >/usr/local/bin/clang++ +chmod +x /usr/local/bin/clang /usr/local/bin/clang++ + +# The BoringSSL tests use Go, and cgo would look for gcc. +export CGO_ENABLED=0 + +# Modify the support code crypto/mem.c (outside the FIPS module) +# to not try to use weak symbols, because they don't work with some +# Go toolchain / clang toolchain combinations. +perl -p -i -e 's/defined.*ELF.*defined.*GNUC.*/$0 \&\& !defined(GOBORING)/' boringssl/crypto/mem.c + +# Verbatim instructions from BoringCrypto build docs. +printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" >${HOME}/toolchain +cd boringssl +mkdir build && cd build && cmake -GNinja -DCMAKE_TOOLCHAIN_FILE=${HOME}/toolchain -DFIPS=1 -DCMAKE_BUILD_TYPE=Release .. +ninja +./crypto/crypto_test +cd ../.. + +if [ "$(./boringssl/build/tool/bssl isfips)" != 1 ]; then + echo "NOT FIPS" + exit 2 +fi diff --git a/pkg/tls/internal/boring/build-goboring.sh b/pkg/tls/internal/boring/build-goboring.sh new file mode 100644 index 000000000..4938b5eac --- /dev/null +++ b/pkg/tls/internal/boring/build-goboring.sh @@ -0,0 +1,237 @@ +#!/bin/bash +# Copyright 2020 The Go Authors. All rights reserved. +# Use of this source code is governed by a BSD-style +# license that can be found in the LICENSE file. + +# Do not run directly; run build.sh, which runs this in Docker. +# This script builds goboringcrypto's syso, after boringssl has been built. + +export TERM=dumb + +set -e +set -x +id +date +export LANG=C +unset LANGUAGE + +case $(uname -m) in +x86_64) export GOARCH=amd64 ;; +aarch64) export GOARCH=arm64 ;; +*) + echo 'unknown uname -m:' $(uname -m) >&2 + exit 2 +esac + +export CGO_ENABLED=0 + +# Build and run test C++ program to make sure goboringcrypto.h matches openssl/*.h. +# Also collect list of checked symbols in syms.txt +set -e +cd /boring/godriver +cat >goboringcrypto.cc <<'EOF' +#include +#include "goboringcrypto0.h" +#include "goboringcrypto1.h" +#define check_size(t) if(sizeof(t) != sizeof(GO_ ## t)) {printf("sizeof(" #t ")=%d, but sizeof(GO_" #t ")=%d\n", (int)sizeof(t), (int)sizeof(GO_ ## t)); ret=1;} +#define check_func(f) { auto x = f; x = _goboringcrypto_ ## f ; } +#define check_value(n, v) if(n != v) {printf(#n "=%d, but goboringcrypto.h defines it as %d\n", (int)n, (int)v); ret=1;} +int main() { +int ret = 0; +#include "goboringcrypto.x" +return ret; +} +EOF + +cat >boringx.awk <<'EOF' +BEGIN { + exitcode = 0 +} + +# Ignore comments, #includes, blank lines. +/^\/\// || /^#/ || NF == 0 { next } + +# Ignore unchecked declarations. +/\/\*unchecked/ { next } + +# Check enum values. +!enum && ($1 == "enum" || $2 == "enum") && $NF == "{" { + enum = 1 + next +} +enum && $1 == "};" { + enum = 0 + next +} +enum && /^}.*;$/ { + enum = 0 + next +} +enum && NF == 3 && $2 == "=" { + name = $1 + sub(/^GO_/, "", name) + val = $3 + sub(/,$/, "", val) + print "check_value(" name ", " val ")" > "goboringcrypto.x" + next +} +enum { + print FILENAME ":" NR ": unexpected line in enum: " $0 > "/dev/stderr" + exitcode = 1 + next +} + +# Check struct sizes. +/^typedef struct / && $NF ~ /^GO_/ { + name = $NF + sub(/^GO_/, "", name) + sub(/;$/, "", name) + print "check_size(" name ")" > "goboringcrypto.x" + next +} + +# Check function prototypes. +/^(const )?[^ ]+ \**_goboringcrypto_.*\(/ { + name = $2 + if($1 == "const") + name = $3 + sub(/^\**_goboringcrypto_/, "", name) + sub(/\(.*/, "", name) + print "check_func(" name ")" > "goboringcrypto.x" + print name > "syms.txt" + next +} + +{ + print FILENAME ":" NR ": unexpected line: " $0 > "/dev/stderr" + exitcode = 1 +} + +END { + exit exitcode +} +EOF + +cat >boringh.awk <<'EOF' +/^\/\/ #include/ {sub(/\/\//, ""); print > "goboringcrypto0.h"; next} +/typedef struct|enum ([a-z_]+ )?{|^[ \t]/ {print >"goboringcrypto1.h";next} +{gsub(/GO_/, ""); gsub(/enum go_/, "enum "); gsub(/go_point_conv/, "point_conv"); print >"goboringcrypto1.h"} +EOF + +awk -f boringx.awk goboringcrypto.h # writes goboringcrypto.x +awk -f boringh.awk goboringcrypto.h # writes goboringcrypto[01].h + +ls -l ../boringssl/include +clang++ -std=c++11 -fPIC -I../boringssl/include -O2 -o a.out goboringcrypto.cc +./a.out || exit 2 + +# clang implements u128 % u128 -> u128 by calling __umodti3, +# which is in libgcc. To make the result self-contained even if linking +# against a different compiler version, link our own __umodti3 into the syso. +# This one is specialized so it only expects divisors below 2^64, +# which is all BoringCrypto uses. (Otherwise it will seg fault.) +cat >umod-amd64.s <<'EOF' +# tu_int __umodti3(tu_int x, tu_int y) +# x is rsi:rdi, y is rcx:rdx, return result is rdx:rax. +.globl __umodti3 +__umodti3: + # specialized to u128 % u64, so verify that + test %rcx,%rcx + jne 1f + + # save divisor + movq %rdx, %r8 + + # reduce top 64 bits mod divisor + movq %rsi, %rax + xorl %edx, %edx + divq %r8 + + # reduce full 128-bit mod divisor + # quotient fits in 64 bits because top 64 bits have been reduced < divisor. + # (even though we only care about the remainder, divq also computes + # the quotient, and it will trap if the quotient is too large.) + movq %rdi, %rax + divq %r8 + + # expand remainder to 128 for return + movq %rdx, %rax + xorl %edx, %edx + ret + +1: + # crash - only want 64-bit divisor + xorl %ecx, %ecx + movl %ecx, 0(%ecx) + jmp 1b + +.section .note.GNU-stack,"",@progbits +EOF + +cat >umod-arm64.c <<'EOF' +typedef unsigned int u128 __attribute__((mode(TI))); + +static u128 div(u128 x, u128 y, u128 *rp) { + int n = 0; + while((y>>(128-1)) != 1 && y < x) { + y<<=1; + n++; + } + u128 q = 0; + for(;; n--, y>>=1, q<<=1) { + if(x>=y) { + x -= y; + q |= 1; + } + if(n == 0) + break; + } + if(rp) + *rp = x; + return q; +} + +u128 __umodti3(u128 x, u128 y) { + u128 r; + div(x, y, &r); + return r; +} + +u128 __udivti3(u128 x, u128 y) { + return div(x, y, 0); +} +EOF + +extra="" +case $GOARCH in +amd64) + cp umod-amd64.s umod.s + clang -c -o umod.o umod.s + extra=umod.o + ;; +arm64) + cp umod-arm64.c umod.c + clang -c -o umod.o umod.c + extra=umod.o + ;; +esac + +# Prepare copy of libcrypto.a with only the checked functions renamed and exported. +# All other symbols are left alone and hidden. +echo BORINGSSL_bcm_power_on_self_test >>syms.txt +awk '{print "_goboringcrypto_" $0 }' syms.txt >globals.txt +awk '{print $0 " _goboringcrypto_" $0 }' syms.txt >renames.txt +objcopy --globalize-symbol=BORINGSSL_bcm_power_on_self_test \ + ../boringssl/build/crypto/libcrypto.a libcrypto.a + +# Link together bcm.o and libcrypto.a into a single object. +ld -r -nostdlib --whole-archive -o goboringcrypto.o libcrypto.a $extra + +echo __umodti3 _goboringcrypto___umodti3 >>renames.txt +echo __udivti3 _goboringcrypto___udivti3 >>renames.txt +objcopy --remove-section=.llvm_addrsig goboringcrypto.o goboringcrypto1.o # b/179161016 +objcopy --redefine-syms=renames.txt goboringcrypto1.o goboringcrypto2.o +objcopy --keep-global-symbols=globals.txt --strip-unneeded goboringcrypto2.o goboringcrypto_linux_$GOARCH.syso + +# Done! +ls -l goboringcrypto_linux_$GOARCH.syso diff --git a/pkg/tls/internal/boring/build.sh b/pkg/tls/internal/boring/build.sh new file mode 100644 index 000000000..ec960d729 --- /dev/null +++ b/pkg/tls/internal/boring/build.sh @@ -0,0 +1,46 @@ +#!/bin/bash +# Copyright 2022 The Go Authors. All rights reserved. +# Use of this source code is governed by a BSD-style +# license that can be found in the LICENSE file. + +# This shell script uses Docker to run build-boring.sh and build-goboring.sh, +# which build goboringcrypto_linux_$GOARCH.syso according to the Security Policy. +# Currently, amd64 and arm64 are permitted. + +set -e +set -o pipefail + +GOARCH=${GOARCH:-$(go env GOARCH)} +echo "# Building goboringcrypto_linux_$GOARCH.syso. Set GOARCH to override." >&2 + +if ! which docker >/dev/null; then + echo "# Docker not found. Inside Google, see go/installdocker." >&2 + exit 1 +fi + +platform="" +buildargs="" +case "$GOARCH" in +amd64) + ;; +arm64) + if ! docker run --rm -t arm64v8/ubuntu:focal uname -m >/dev/null 2>&1; then + echo "# Docker cannot run arm64 binaries. Try:" + echo " sudo apt-get install qemu binfmt-support qemu-user-static" + echo " docker run --rm --privileged multiarch/qemu-user-static --reset -p yes" + echo " docker run --rm -t arm64v8/ubuntu:focal uname -m" + exit 1 + fi + platform="--platform linux/arm64/v8" + buildargs="--build-arg ubuntu=arm64v8/ubuntu" + ;; +*) + echo unknown GOARCH $GOARCH >&2 + exit 2 +esac + +docker build $platform $buildargs --build-arg GOARCH=$GOARCH -t goboring:$GOARCH . +id=$(docker create $platform goboring:$GOARCH) +docker cp $id:/boring/godriver/goboringcrypto_linux_$GOARCH.syso ./syso +docker rm $id +ls -l ./syso/goboringcrypto_linux_$GOARCH.syso diff --git a/pkg/tls/internal/boring/div_test.c b/pkg/tls/internal/boring/div_test.c new file mode 100644 index 000000000..f909cc93f --- /dev/null +++ b/pkg/tls/internal/boring/div_test.c @@ -0,0 +1,83 @@ +// Copyright 2022 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// This file is a self-contained test for a copy of +// the division algorithm in build-goboring.sh, +// to verify that is correct. The real algorithm uses u128 +// but this copy uses u32 for easier testing. +// s/32/128/g should be the only difference between the two. +// +// This is the dumbest possible division algorithm, +// but any crypto code that depends on the speed of +// division is equally dumb. + +//go:build ignore + +#include +#include + +#define nelem(x) (sizeof(x)/sizeof((x)[0])) + +typedef uint32_t u32; + +static u32 div(u32 x, u32 y, u32 *rp) { + int n = 0; + while((y>>(32-1)) != 1 && y < x) { + y<<=1; + n++; + } + u32 q = 0; + for(;; n--, y>>=1, q<<=1) { + if(x>=y) { + x -= y; + q |= 1; + } + if(n == 0) + break; + } + if(rp) + *rp = x; + return q; +} + +u32 tests[] = { + 0, + 1, + 2, + 3, + 4, + 5, + 6, + 7, + 8, + 9, + 10, + 11, + 31, + 0xFFF, + 0x1000, + 0x1001, + 0xF0F0F0, + 0xFFFFFF, + 0x1000000, + 0xF0F0F0F0, + 0xFFFFFFFF, +}; + +int +main(void) +{ + for(int i=0; i len(t) && s[len(s)-len(t):] == t +} + +// Required reports whether FIPS-approved settings are required. +func Required() bool { + return required.Load() +} diff --git a/pkg/tls/internal/boring/goboringcrypto.h b/pkg/tls/internal/boring/goboringcrypto.h new file mode 100644 index 000000000..2b1104972 --- /dev/null +++ b/pkg/tls/internal/boring/goboringcrypto.h @@ -0,0 +1,255 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// This header file describes the BoringCrypto ABI as built for use in Go. +// The BoringCrypto build for Go (which generates goboringcrypto_*.syso) +// takes the standard libcrypto.a from BoringCrypto and adds the prefix +// _goboringcrypto_ to every symbol, to avoid possible conflicts with +// code wrapping a different BoringCrypto or OpenSSL. +// +// To make this header standalone (so that building Go does not require +// having a full set of BoringCrypto headers), the struct details are not here. +// Instead, while building the syso, we compile and run a C++ program +// that checks that the sizes match. The program also checks (during compilation) +// that all the function prototypes match the BoringCrypto equivalents. +// The generation of the checking program depends on the declaration +// forms used below (one line for most, multiline for enums). + +#include // size_t +#include // uint8_t + +// This symbol is hidden in BoringCrypto and marked as a constructor, +// but cmd/link's internal linking mode doesn't handle constructors. +// Until it does, we've exported the symbol and can call it explicitly. +// (If using external linking mode, it will therefore be called twice, +// once explicitly and once as a constructor, but that's OK.) +/*unchecked*/ void _goboringcrypto_BORINGSSL_bcm_power_on_self_test(void); + +// #include +int _goboringcrypto_FIPS_mode(void); +void* _goboringcrypto_OPENSSL_malloc(size_t); + +// #include +int _goboringcrypto_RAND_bytes(uint8_t*, size_t); + +// #include +enum { + GO_NID_md5_sha1 = 114, + + GO_NID_secp224r1 = 713, + GO_NID_X9_62_prime256v1 = 415, + GO_NID_secp384r1 = 715, + GO_NID_secp521r1 = 716, + + GO_NID_sha224 = 675, + GO_NID_sha256 = 672, + GO_NID_sha384 = 673, + GO_NID_sha512 = 674, +}; + +// #include +typedef struct GO_SHA_CTX { char data[96]; } GO_SHA_CTX; +int _goboringcrypto_SHA1_Init(GO_SHA_CTX*); +int _goboringcrypto_SHA1_Update(GO_SHA_CTX*, const void*, size_t); +int _goboringcrypto_SHA1_Final(uint8_t*, GO_SHA_CTX*); + +typedef struct GO_SHA256_CTX { char data[48+64]; } GO_SHA256_CTX; +int _goboringcrypto_SHA224_Init(GO_SHA256_CTX*); +int _goboringcrypto_SHA224_Update(GO_SHA256_CTX*, const void*, size_t); +int _goboringcrypto_SHA224_Final(uint8_t*, GO_SHA256_CTX*); +int _goboringcrypto_SHA256_Init(GO_SHA256_CTX*); +int _goboringcrypto_SHA256_Update(GO_SHA256_CTX*, const void*, size_t); +int _goboringcrypto_SHA256_Final(uint8_t*, GO_SHA256_CTX*); + +typedef struct GO_SHA512_CTX { char data[88+128]; } GO_SHA512_CTX; +int _goboringcrypto_SHA384_Init(GO_SHA512_CTX*); +int _goboringcrypto_SHA384_Update(GO_SHA512_CTX*, const void*, size_t); +int _goboringcrypto_SHA384_Final(uint8_t*, GO_SHA512_CTX*); +int _goboringcrypto_SHA512_Init(GO_SHA512_CTX*); +int _goboringcrypto_SHA512_Update(GO_SHA512_CTX*, const void*, size_t); +int _goboringcrypto_SHA512_Final(uint8_t*, GO_SHA512_CTX*); + +// #include +/*unchecked (opaque)*/ typedef struct GO_EVP_MD { char data[1]; } GO_EVP_MD; +const GO_EVP_MD* _goboringcrypto_EVP_md4(void); +const GO_EVP_MD* _goboringcrypto_EVP_md5(void); +const GO_EVP_MD* _goboringcrypto_EVP_md5_sha1(void); +const GO_EVP_MD* _goboringcrypto_EVP_sha1(void); +const GO_EVP_MD* _goboringcrypto_EVP_sha224(void); +const GO_EVP_MD* _goboringcrypto_EVP_sha256(void); +const GO_EVP_MD* _goboringcrypto_EVP_sha384(void); +const GO_EVP_MD* _goboringcrypto_EVP_sha512(void); +int _goboringcrypto_EVP_MD_type(const GO_EVP_MD*); +size_t _goboringcrypto_EVP_MD_size(const GO_EVP_MD*); + +// #include +typedef struct GO_HMAC_CTX { char data[104]; } GO_HMAC_CTX; +void _goboringcrypto_HMAC_CTX_init(GO_HMAC_CTX*); +void _goboringcrypto_HMAC_CTX_cleanup(GO_HMAC_CTX*); +int _goboringcrypto_HMAC_Init(GO_HMAC_CTX*, const void*, int, const GO_EVP_MD*); +int _goboringcrypto_HMAC_Update(GO_HMAC_CTX*, const uint8_t*, size_t); +int _goboringcrypto_HMAC_Final(GO_HMAC_CTX*, uint8_t*, unsigned int*); +size_t _goboringcrypto_HMAC_size(const GO_HMAC_CTX*); +int _goboringcrypto_HMAC_CTX_copy_ex(GO_HMAC_CTX *dest, const GO_HMAC_CTX *src); + +// #include +typedef struct GO_AES_KEY { char data[244]; } GO_AES_KEY; +int _goboringcrypto_AES_set_encrypt_key(const uint8_t*, unsigned int, GO_AES_KEY*); +int _goboringcrypto_AES_set_decrypt_key(const uint8_t*, unsigned int, GO_AES_KEY*); +void _goboringcrypto_AES_encrypt(const uint8_t*, uint8_t*, const GO_AES_KEY*); +void _goboringcrypto_AES_decrypt(const uint8_t*, uint8_t*, const GO_AES_KEY*); +void _goboringcrypto_AES_ctr128_encrypt(const uint8_t*, uint8_t*, size_t, const GO_AES_KEY*, uint8_t*, uint8_t*, unsigned int*); +enum { + GO_AES_ENCRYPT = 1, + GO_AES_DECRYPT = 0 +}; +void _goboringcrypto_AES_cbc_encrypt(const uint8_t*, uint8_t*, size_t, const GO_AES_KEY*, uint8_t*, const int); + +// #include +/*unchecked (opaque)*/ typedef struct GO_EVP_AEAD { char data[1]; } GO_EVP_AEAD; +/*unchecked (opaque)*/ typedef struct GO_ENGINE { char data[1]; } GO_ENGINE; +const GO_EVP_AEAD* _goboringcrypto_EVP_aead_aes_128_gcm(void); +const GO_EVP_AEAD* _goboringcrypto_EVP_aead_aes_256_gcm(void); +enum { + GO_EVP_AEAD_DEFAULT_TAG_LENGTH = 0 +}; +size_t _goboringcrypto_EVP_AEAD_key_length(const GO_EVP_AEAD*); +size_t _goboringcrypto_EVP_AEAD_nonce_length(const GO_EVP_AEAD*); +size_t _goboringcrypto_EVP_AEAD_max_overhead(const GO_EVP_AEAD*); +size_t _goboringcrypto_EVP_AEAD_max_tag_len(const GO_EVP_AEAD*); +typedef struct GO_EVP_AEAD_CTX { char data[600]; } GO_EVP_AEAD_CTX; +void _goboringcrypto_EVP_AEAD_CTX_zero(GO_EVP_AEAD_CTX*); +int _goboringcrypto_EVP_AEAD_CTX_init(GO_EVP_AEAD_CTX*, const GO_EVP_AEAD*, const uint8_t*, size_t, size_t, GO_ENGINE*); +void _goboringcrypto_EVP_AEAD_CTX_cleanup(GO_EVP_AEAD_CTX*); +int _goboringcrypto_EVP_AEAD_CTX_seal(const GO_EVP_AEAD_CTX*, uint8_t*, size_t*, size_t, const uint8_t*, size_t, const uint8_t*, size_t, const uint8_t*, size_t); +int _goboringcrypto_EVP_AEAD_CTX_open(const GO_EVP_AEAD_CTX*, uint8_t*, size_t*, size_t, const uint8_t*, size_t, const uint8_t*, size_t, const uint8_t*, size_t); +const GO_EVP_AEAD* _goboringcrypto_EVP_aead_aes_128_gcm_tls12(void); +const GO_EVP_AEAD* _goboringcrypto_EVP_aead_aes_256_gcm_tls12(void); +enum go_evp_aead_direction_t { + go_evp_aead_open = 0, + go_evp_aead_seal = 1 +}; +int _goboringcrypto_EVP_AEAD_CTX_init_with_direction(GO_EVP_AEAD_CTX*, const GO_EVP_AEAD*, const uint8_t*, size_t, size_t, enum go_evp_aead_direction_t); + +// #include +/*unchecked (opaque)*/ typedef struct GO_BN_CTX { char data[1]; } GO_BN_CTX; +typedef struct GO_BIGNUM { char data[24]; } GO_BIGNUM; +GO_BIGNUM* _goboringcrypto_BN_new(void); +void _goboringcrypto_BN_free(GO_BIGNUM*); +unsigned _goboringcrypto_BN_num_bits(const GO_BIGNUM*); +unsigned _goboringcrypto_BN_num_bytes(const GO_BIGNUM*); +int _goboringcrypto_BN_is_negative(const GO_BIGNUM*); +GO_BIGNUM* _goboringcrypto_BN_bin2bn(const uint8_t*, size_t, GO_BIGNUM*); +GO_BIGNUM* _goboringcrypto_BN_le2bn(const uint8_t*, size_t, GO_BIGNUM*); +size_t _goboringcrypto_BN_bn2bin(const GO_BIGNUM*, uint8_t*); +int _goboringcrypto_BN_bn2le_padded(uint8_t*, size_t, const GO_BIGNUM*); +int _goboringcrypto_BN_bn2bin_padded(uint8_t*, size_t, const GO_BIGNUM*); + +// #include +/*unchecked (opaque)*/ typedef struct GO_EC_GROUP { char data[1]; } GO_EC_GROUP; +GO_EC_GROUP* _goboringcrypto_EC_GROUP_new_by_curve_name(int); +void _goboringcrypto_EC_GROUP_free(GO_EC_GROUP*); + +/*unchecked (opaque)*/ typedef struct GO_EC_POINT { char data[1]; } GO_EC_POINT; +GO_EC_POINT* _goboringcrypto_EC_POINT_new(const GO_EC_GROUP*); +int _goboringcrypto_EC_POINT_mul(const GO_EC_GROUP*, GO_EC_POINT*, const GO_BIGNUM*, const GO_EC_POINT*, const GO_BIGNUM*, GO_BN_CTX*); +void _goboringcrypto_EC_POINT_free(GO_EC_POINT*); +int _goboringcrypto_EC_POINT_get_affine_coordinates_GFp(const GO_EC_GROUP*, const GO_EC_POINT*, GO_BIGNUM*, GO_BIGNUM*, GO_BN_CTX*); +int _goboringcrypto_EC_POINT_set_affine_coordinates_GFp(const GO_EC_GROUP*, GO_EC_POINT*, const GO_BIGNUM*, const GO_BIGNUM*, GO_BN_CTX*); +int _goboringcrypto_EC_POINT_oct2point(const GO_EC_GROUP*, GO_EC_POINT*, const uint8_t*, size_t, GO_BN_CTX*); +GO_EC_POINT* _goboringcrypto_EC_POINT_dup(const GO_EC_POINT*, const GO_EC_GROUP*); +int _goboringcrypto_EC_POINT_is_on_curve(const GO_EC_GROUP*, const GO_EC_POINT*, GO_BN_CTX*); +#ifndef OPENSSL_HEADER_EC_H +typedef enum { + GO_POINT_CONVERSION_COMPRESSED = 2, + GO_POINT_CONVERSION_UNCOMPRESSED = 4, + GO_POINT_CONVERSION_HYBRID = 6, +} go_point_conversion_form_t; +#endif +size_t _goboringcrypto_EC_POINT_point2oct(const GO_EC_GROUP*, const GO_EC_POINT*, go_point_conversion_form_t, uint8_t*, size_t, GO_BN_CTX*); + +// #include +/*unchecked (opaque)*/ typedef struct GO_EC_KEY { char data[1]; } GO_EC_KEY; +GO_EC_KEY* _goboringcrypto_EC_KEY_new(void); +GO_EC_KEY* _goboringcrypto_EC_KEY_new_by_curve_name(int); +void _goboringcrypto_EC_KEY_free(GO_EC_KEY*); +const GO_EC_GROUP* _goboringcrypto_EC_KEY_get0_group(const GO_EC_KEY*); +int _goboringcrypto_EC_KEY_generate_key_fips(GO_EC_KEY*); +int _goboringcrypto_EC_KEY_set_private_key(GO_EC_KEY*, const GO_BIGNUM*); +int _goboringcrypto_EC_KEY_set_public_key(GO_EC_KEY*, const GO_EC_POINT*); +int _goboringcrypto_EC_KEY_is_opaque(const GO_EC_KEY*); +const GO_BIGNUM* _goboringcrypto_EC_KEY_get0_private_key(const GO_EC_KEY*); +const GO_EC_POINT* _goboringcrypto_EC_KEY_get0_public_key(const GO_EC_KEY*); +// TODO: EC_KEY_check_fips? + +// #include +int _goboringcrypto_ECDH_compute_key_fips(uint8_t*, size_t, const GO_EC_POINT*, const GO_EC_KEY*); + +// #include +typedef struct GO_ECDSA_SIG { char data[16]; } GO_ECDSA_SIG; +GO_ECDSA_SIG* _goboringcrypto_ECDSA_SIG_new(void); +void _goboringcrypto_ECDSA_SIG_free(GO_ECDSA_SIG*); +GO_ECDSA_SIG* _goboringcrypto_ECDSA_do_sign(const uint8_t*, size_t, const GO_EC_KEY*); +int _goboringcrypto_ECDSA_do_verify(const uint8_t*, size_t, const GO_ECDSA_SIG*, const GO_EC_KEY*); +int _goboringcrypto_ECDSA_sign(int, const uint8_t*, size_t, uint8_t*, unsigned int*, const GO_EC_KEY*); +size_t _goboringcrypto_ECDSA_size(const GO_EC_KEY*); +int _goboringcrypto_ECDSA_verify(int, const uint8_t*, size_t, const uint8_t*, size_t, const GO_EC_KEY*); + +// #include + +// Note: order of struct fields here is unchecked. +typedef struct GO_RSA { void *meth; GO_BIGNUM *n, *e, *d, *p, *q, *dmp1, *dmq1, *iqmp; char data[168]; } GO_RSA; +/*unchecked (opaque)*/ typedef struct GO_BN_GENCB { char data[1]; } GO_BN_GENCB; +GO_RSA* _goboringcrypto_RSA_new(void); +void _goboringcrypto_RSA_free(GO_RSA*); +void _goboringcrypto_RSA_get0_key(const GO_RSA*, const GO_BIGNUM **n, const GO_BIGNUM **e, const GO_BIGNUM **d); +void _goboringcrypto_RSA_get0_factors(const GO_RSA*, const GO_BIGNUM **p, const GO_BIGNUM **q); +void _goboringcrypto_RSA_get0_crt_params(const GO_RSA*, const GO_BIGNUM **dmp1, const GO_BIGNUM **dmp2, const GO_BIGNUM **iqmp); +int _goboringcrypto_RSA_generate_key_ex(GO_RSA*, int, const GO_BIGNUM*, GO_BN_GENCB*); +int _goboringcrypto_RSA_generate_key_fips(GO_RSA*, int, GO_BN_GENCB*); +enum { + GO_RSA_PKCS1_PADDING = 1, + GO_RSA_NO_PADDING = 3, + GO_RSA_PKCS1_OAEP_PADDING = 4, + GO_RSA_PKCS1_PSS_PADDING = 6, +}; +int _goboringcrypto_RSA_encrypt(GO_RSA*, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding); +int _goboringcrypto_RSA_decrypt(GO_RSA*, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding); +int _goboringcrypto_RSA_sign(int hash_nid, const uint8_t* in, unsigned int in_len, uint8_t *out, unsigned int *out_len, GO_RSA*); +int _goboringcrypto_RSA_sign_pss_mgf1(GO_RSA*, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, const GO_EVP_MD *md, const GO_EVP_MD *mgf1_md, int salt_len); +int _goboringcrypto_RSA_sign_raw(GO_RSA*, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding); +int _goboringcrypto_RSA_verify(int hash_nid, const uint8_t *msg, size_t msg_len, const uint8_t *sig, size_t sig_len, GO_RSA*); +int _goboringcrypto_RSA_verify_pss_mgf1(GO_RSA*, const uint8_t *msg, size_t msg_len, const GO_EVP_MD *md, const GO_EVP_MD *mgf1_md, int salt_len, const uint8_t *sig, size_t sig_len); +int _goboringcrypto_RSA_verify_raw(GO_RSA*, size_t *out_len, uint8_t *out, size_t max_out, const uint8_t *in, size_t in_len, int padding); +unsigned _goboringcrypto_RSA_size(const GO_RSA*); +int _goboringcrypto_RSA_is_opaque(const GO_RSA*); +int _goboringcrypto_RSA_check_key(const GO_RSA*); +int _goboringcrypto_RSA_check_fips(GO_RSA*); +GO_RSA* _goboringcrypto_RSA_public_key_from_bytes(const uint8_t*, size_t); +GO_RSA* _goboringcrypto_RSA_private_key_from_bytes(const uint8_t*, size_t); +int _goboringcrypto_RSA_public_key_to_bytes(uint8_t**, size_t*, const GO_RSA*); +int _goboringcrypto_RSA_private_key_to_bytes(uint8_t**, size_t*, const GO_RSA*); + +// #include +/*unchecked (opaque)*/ typedef struct GO_EVP_PKEY { char data[1]; } GO_EVP_PKEY; +GO_EVP_PKEY* _goboringcrypto_EVP_PKEY_new(void); +void _goboringcrypto_EVP_PKEY_free(GO_EVP_PKEY*); +int _goboringcrypto_EVP_PKEY_set1_RSA(GO_EVP_PKEY*, GO_RSA*); + +/*unchecked (opaque)*/ typedef struct GO_EVP_PKEY_CTX { char data[1]; } GO_EVP_PKEY_CTX; + +GO_EVP_PKEY_CTX* _goboringcrypto_EVP_PKEY_CTX_new(GO_EVP_PKEY*, GO_ENGINE*); +void _goboringcrypto_EVP_PKEY_CTX_free(GO_EVP_PKEY_CTX*); +int _goboringcrypto_EVP_PKEY_CTX_set0_rsa_oaep_label(GO_EVP_PKEY_CTX*, uint8_t*, size_t); +int _goboringcrypto_EVP_PKEY_CTX_set_rsa_oaep_md(GO_EVP_PKEY_CTX*, const GO_EVP_MD*); +int _goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(GO_EVP_PKEY_CTX*, int padding); +int _goboringcrypto_EVP_PKEY_decrypt(GO_EVP_PKEY_CTX*, uint8_t*, size_t*, const uint8_t*, size_t); +int _goboringcrypto_EVP_PKEY_encrypt(GO_EVP_PKEY_CTX*, uint8_t*, size_t*, const uint8_t*, size_t); +int _goboringcrypto_EVP_PKEY_decrypt_init(GO_EVP_PKEY_CTX*); +int _goboringcrypto_EVP_PKEY_encrypt_init(GO_EVP_PKEY_CTX*); +int _goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(GO_EVP_PKEY_CTX*, const GO_EVP_MD*); +int _goboringcrypto_EVP_PKEY_CTX_set_rsa_pss_saltlen(GO_EVP_PKEY_CTX*, int); +int _goboringcrypto_EVP_PKEY_sign_init(GO_EVP_PKEY_CTX*); +int _goboringcrypto_EVP_PKEY_verify_init(GO_EVP_PKEY_CTX*); +int _goboringcrypto_EVP_PKEY_sign(GO_EVP_PKEY_CTX*, uint8_t*, size_t*, const uint8_t*, size_t); diff --git a/pkg/tls/internal/boring/hmac.go b/pkg/tls/internal/boring/hmac.go new file mode 100644 index 000000000..ae926da69 --- /dev/null +++ b/pkg/tls/internal/boring/hmac.go @@ -0,0 +1,153 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build boringcrypto && linux && (amd64 || arm64) && !android && !msan + +package boring + +// #include "goboringcrypto.h" +import "C" +import ( + "bytes" + "crypto" + "hash" + "runtime" + "unsafe" +) + +// hashToMD converts a hash.Hash implementation from this package +// to a BoringCrypto *C.GO_EVP_MD. +func hashToMD(h hash.Hash) *C.GO_EVP_MD { + switch h.(type) { + case *sha1Hash: + return C._goboringcrypto_EVP_sha1() + case *sha224Hash: + return C._goboringcrypto_EVP_sha224() + case *sha256Hash: + return C._goboringcrypto_EVP_sha256() + case *sha384Hash: + return C._goboringcrypto_EVP_sha384() + case *sha512Hash: + return C._goboringcrypto_EVP_sha512() + } + return nil +} + +// cryptoHashToMD converts a crypto.Hash +// to a BoringCrypto *C.GO_EVP_MD. +func cryptoHashToMD(ch crypto.Hash) *C.GO_EVP_MD { + switch ch { + case crypto.MD5: + return C._goboringcrypto_EVP_md5() + case crypto.MD5SHA1: + return C._goboringcrypto_EVP_md5_sha1() + case crypto.SHA1: + return C._goboringcrypto_EVP_sha1() + case crypto.SHA224: + return C._goboringcrypto_EVP_sha224() + case crypto.SHA256: + return C._goboringcrypto_EVP_sha256() + case crypto.SHA384: + return C._goboringcrypto_EVP_sha384() + case crypto.SHA512: + return C._goboringcrypto_EVP_sha512() + } + return nil +} + +// NewHMAC returns a new HMAC using BoringCrypto. +// The function h must return a hash implemented by +// BoringCrypto (for example, h could be boring.NewSHA256). +// If h is not recognized, NewHMAC returns nil. +func NewHMAC(h func() hash.Hash, key []byte) hash.Hash { + ch := h() + md := hashToMD(ch) + if md == nil { + return nil + } + + // Note: Could hash down long keys here using EVP_Digest. + hkey := bytes.Clone(key) + hmac := &boringHMAC{ + md: md, + size: ch.Size(), + blockSize: ch.BlockSize(), + key: hkey, + } + hmac.Reset() + return hmac +} + +type boringHMAC struct { + md *C.GO_EVP_MD + ctx C.GO_HMAC_CTX + ctx2 C.GO_HMAC_CTX + size int + blockSize int + key []byte + sum []byte + needCleanup bool +} + +func (h *boringHMAC) Reset() { + if h.needCleanup { + C._goboringcrypto_HMAC_CTX_cleanup(&h.ctx) + } else { + h.needCleanup = true + // Note: Because of the finalizer, any time h.ctx is passed to cgo, + // that call must be followed by a call to runtime.KeepAlive(h), + // to make sure h is not collected (and finalized) before the cgo + // call returns. + runtime.SetFinalizer(h, (*boringHMAC).finalize) + } + C._goboringcrypto_HMAC_CTX_init(&h.ctx) + + if C._goboringcrypto_HMAC_Init(&h.ctx, unsafe.Pointer(base(h.key)), C.int(len(h.key)), h.md) == 0 { + panic("boringcrypto: HMAC_Init failed") + } + if int(C._goboringcrypto_HMAC_size(&h.ctx)) != h.size { + println("boringcrypto: HMAC size:", C._goboringcrypto_HMAC_size(&h.ctx), "!=", h.size) + panic("boringcrypto: HMAC size mismatch") + } + runtime.KeepAlive(h) // Next line will keep h alive too; just making doubly sure. + h.sum = nil +} + +func (h *boringHMAC) finalize() { + C._goboringcrypto_HMAC_CTX_cleanup(&h.ctx) +} + +func (h *boringHMAC) Write(p []byte) (int, error) { + if len(p) > 0 { + C._goboringcrypto_HMAC_Update(&h.ctx, (*C.uint8_t)(unsafe.Pointer(&p[0])), C.size_t(len(p))) + } + runtime.KeepAlive(h) + return len(p), nil +} + +func (h *boringHMAC) Size() int { + return h.size +} + +func (h *boringHMAC) BlockSize() int { + return h.blockSize +} + +func (h *boringHMAC) Sum(in []byte) []byte { + if h.sum == nil { + size := h.Size() + h.sum = make([]byte, size) + } + // Make copy of context because Go hash.Hash mandates + // that Sum has no effect on the underlying stream. + // In particular it is OK to Sum, then Write more, then Sum again, + // and the second Sum acts as if the first didn't happen. + C._goboringcrypto_HMAC_CTX_init(&h.ctx2) + if C._goboringcrypto_HMAC_CTX_copy_ex(&h.ctx2, &h.ctx) == 0 { + panic("boringcrypto: HMAC_CTX_copy_ex failed") + } + C._goboringcrypto_HMAC_Final(&h.ctx2, (*C.uint8_t)(unsafe.Pointer(&h.sum[0])), nil) + C._goboringcrypto_HMAC_CTX_cleanup(&h.ctx2) + return append(in, h.sum...) +} diff --git a/pkg/tls/internal/boring/notboring.go b/pkg/tls/internal/boring/notboring.go new file mode 100644 index 000000000..aa5d434fc --- /dev/null +++ b/pkg/tls/internal/boring/notboring.go @@ -0,0 +1,123 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build !(boringcrypto && linux && (amd64 || arm64) && !android && !msan && cgo) + +package boring + +import ( + "crypto" + "crypto/cipher" + "hash" + + "github.com/panjf2000/gnet/v2/pkg/tls/internal/boring/sig" +) + +const available = false + +// Unreachable marks code that should be unreachable +// when BoringCrypto is in use. It is a no-op without BoringCrypto. +func Unreachable() { + // Code that's unreachable when using BoringCrypto + // is exactly the code we want to detect for reporting + // standard Go crypto. + sig.StandardCrypto() +} + +// UnreachableExceptTests marks code that should be unreachable +// when BoringCrypto is in use. It is a no-op without BoringCrypto. +func UnreachableExceptTests() {} + +type randReader int + +func (randReader) Read(b []byte) (int, error) { panic("boringcrypto: not available") } + +const RandReader = randReader(0) + +func NewSHA1() hash.Hash { panic("boringcrypto: not available") } +func NewSHA224() hash.Hash { panic("boringcrypto: not available") } +func NewSHA256() hash.Hash { panic("boringcrypto: not available") } +func NewSHA384() hash.Hash { panic("boringcrypto: not available") } +func NewSHA512() hash.Hash { panic("boringcrypto: not available") } + +func SHA1([]byte) [20]byte { panic("boringcrypto: not available") } +func SHA224([]byte) [28]byte { panic("boringcrypto: not available") } +func SHA256([]byte) [32]byte { panic("boringcrypto: not available") } +func SHA384([]byte) [48]byte { panic("boringcrypto: not available") } +func SHA512([]byte) [64]byte { panic("boringcrypto: not available") } + +func NewHMAC(h func() hash.Hash, key []byte) hash.Hash { panic("boringcrypto: not available") } + +func NewAESCipher(key []byte) (cipher.Block, error) { panic("boringcrypto: not available") } +func NewGCMTLS(cipher.Block) (cipher.AEAD, error) { panic("boringcrypto: not available") } + +type PublicKeyECDSA struct{ _ int } +type PrivateKeyECDSA struct{ _ int } + +func GenerateKeyECDSA(curve string) (X, Y, D BigInt, err error) { + panic("boringcrypto: not available") +} +func NewPrivateKeyECDSA(curve string, X, Y, D BigInt) (*PrivateKeyECDSA, error) { + panic("boringcrypto: not available") +} +func NewPublicKeyECDSA(curve string, X, Y BigInt) (*PublicKeyECDSA, error) { + panic("boringcrypto: not available") +} +func SignMarshalECDSA(priv *PrivateKeyECDSA, hash []byte) ([]byte, error) { + panic("boringcrypto: not available") +} +func VerifyECDSA(pub *PublicKeyECDSA, hash []byte, sig []byte) bool { + panic("boringcrypto: not available") +} + +type PublicKeyRSA struct{ _ int } +type PrivateKeyRSA struct{ _ int } + +func DecryptRSAOAEP(h, mgfHash hash.Hash, priv *PrivateKeyRSA, ciphertext, label []byte) ([]byte, error) { + panic("boringcrypto: not available") +} +func DecryptRSAPKCS1(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) { + panic("boringcrypto: not available") +} +func DecryptRSANoPadding(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) { + panic("boringcrypto: not available") +} +func EncryptRSAOAEP(h, mgfHash hash.Hash, pub *PublicKeyRSA, msg, label []byte) ([]byte, error) { + panic("boringcrypto: not available") +} +func EncryptRSAPKCS1(pub *PublicKeyRSA, msg []byte) ([]byte, error) { + panic("boringcrypto: not available") +} +func EncryptRSANoPadding(pub *PublicKeyRSA, msg []byte) ([]byte, error) { + panic("boringcrypto: not available") +} +func GenerateKeyRSA(bits int) (N, E, D, P, Q, Dp, Dq, Qinv BigInt, err error) { + panic("boringcrypto: not available") +} +func NewPrivateKeyRSA(N, E, D, P, Q, Dp, Dq, Qinv BigInt) (*PrivateKeyRSA, error) { + panic("boringcrypto: not available") +} +func NewPublicKeyRSA(N, E BigInt) (*PublicKeyRSA, error) { panic("boringcrypto: not available") } +func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte) ([]byte, error) { + panic("boringcrypto: not available") +} +func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int) ([]byte, error) { + panic("boringcrypto: not available") +} +func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte) error { + panic("boringcrypto: not available") +} +func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen int) error { + panic("boringcrypto: not available") +} + +type PublicKeyECDH struct{} +type PrivateKeyECDH struct{} + +func ECDH(*PrivateKeyECDH, *PublicKeyECDH) ([]byte, error) { panic("boringcrypto: not available") } +func GenerateKeyECDH(string) (*PrivateKeyECDH, []byte, error) { panic("boringcrypto: not available") } +func NewPrivateKeyECDH(string, []byte) (*PrivateKeyECDH, error) { panic("boringcrypto: not available") } +func NewPublicKeyECDH(string, []byte) (*PublicKeyECDH, error) { panic("boringcrypto: not available") } +func (*PublicKeyECDH) Bytes() []byte { panic("boringcrypto: not available") } +func (*PrivateKeyECDH) PublicKey() (*PublicKeyECDH, error) { panic("boringcrypto: not available") } diff --git a/pkg/tls/internal/boring/rand.go b/pkg/tls/internal/boring/rand.go new file mode 100644 index 000000000..556b98a11 --- /dev/null +++ b/pkg/tls/internal/boring/rand.go @@ -0,0 +1,24 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build boringcrypto && linux && (amd64 || arm64) && !android && !msan + +package boring + +// #include "goboringcrypto.h" +import "C" +import "unsafe" + +type randReader int + +func (randReader) Read(b []byte) (int, error) { + // Note: RAND_bytes should never fail; the return value exists only for historical reasons. + // We check it even so. + if len(b) > 0 && C._goboringcrypto_RAND_bytes((*C.uint8_t)(unsafe.Pointer(&b[0])), C.size_t(len(b))) == 0 { + return 0, fail("RAND_bytes") + } + return len(b), nil +} + +const RandReader = randReader(0) diff --git a/pkg/tls/internal/boring/rsa.go b/pkg/tls/internal/boring/rsa.go new file mode 100644 index 000000000..e3baa4454 --- /dev/null +++ b/pkg/tls/internal/boring/rsa.go @@ -0,0 +1,379 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build boringcrypto && linux && (amd64 || arm64) && !android && !msan + +package boring + +// #include "goboringcrypto.h" +import "C" +import ( + "crypto" + "crypto/subtle" + "errors" + "hash" + "runtime" + "strconv" + "unsafe" +) + +func GenerateKeyRSA(bits int) (N, E, D, P, Q, Dp, Dq, Qinv BigInt, err error) { + bad := func(e error) (N, E, D, P, Q, Dp, Dq, Qinv BigInt, err error) { + return nil, nil, nil, nil, nil, nil, nil, nil, e + } + + key := C._goboringcrypto_RSA_new() + if key == nil { + return bad(fail("RSA_new")) + } + defer C._goboringcrypto_RSA_free(key) + + if C._goboringcrypto_RSA_generate_key_fips(key, C.int(bits), nil) == 0 { + return bad(fail("RSA_generate_key_fips")) + } + + var n, e, d, p, q, dp, dq, qinv *C.GO_BIGNUM + C._goboringcrypto_RSA_get0_key(key, &n, &e, &d) + C._goboringcrypto_RSA_get0_factors(key, &p, &q) + C._goboringcrypto_RSA_get0_crt_params(key, &dp, &dq, &qinv) + return bnToBig(n), bnToBig(e), bnToBig(d), bnToBig(p), bnToBig(q), bnToBig(dp), bnToBig(dq), bnToBig(qinv), nil +} + +type PublicKeyRSA struct { + // _key MUST NOT be accessed directly. Instead, use the withKey method. + _key *C.GO_RSA +} + +func NewPublicKeyRSA(N, E BigInt) (*PublicKeyRSA, error) { + key := C._goboringcrypto_RSA_new() + if key == nil { + return nil, fail("RSA_new") + } + if !bigToBn(&key.n, N) || + !bigToBn(&key.e, E) { + return nil, fail("BN_bin2bn") + } + k := &PublicKeyRSA{_key: key} + runtime.SetFinalizer(k, (*PublicKeyRSA).finalize) + return k, nil +} + +func (k *PublicKeyRSA) finalize() { + C._goboringcrypto_RSA_free(k._key) +} + +func (k *PublicKeyRSA) withKey(f func(*C.GO_RSA) C.int) C.int { + // Because of the finalizer, any time _key is passed to cgo, that call must + // be followed by a call to runtime.KeepAlive, to make sure k is not + // collected (and finalized) before the cgo call returns. + defer runtime.KeepAlive(k) + return f(k._key) +} + +type PrivateKeyRSA struct { + // _key MUST NOT be accessed directly. Instead, use the withKey method. + _key *C.GO_RSA +} + +func NewPrivateKeyRSA(N, E, D, P, Q, Dp, Dq, Qinv BigInt) (*PrivateKeyRSA, error) { + key := C._goboringcrypto_RSA_new() + if key == nil { + return nil, fail("RSA_new") + } + if !bigToBn(&key.n, N) || + !bigToBn(&key.e, E) || + !bigToBn(&key.d, D) || + !bigToBn(&key.p, P) || + !bigToBn(&key.q, Q) || + !bigToBn(&key.dmp1, Dp) || + !bigToBn(&key.dmq1, Dq) || + !bigToBn(&key.iqmp, Qinv) { + return nil, fail("BN_bin2bn") + } + k := &PrivateKeyRSA{_key: key} + runtime.SetFinalizer(k, (*PrivateKeyRSA).finalize) + return k, nil +} + +func (k *PrivateKeyRSA) finalize() { + C._goboringcrypto_RSA_free(k._key) +} + +func (k *PrivateKeyRSA) withKey(f func(*C.GO_RSA) C.int) C.int { + // Because of the finalizer, any time _key is passed to cgo, that call must + // be followed by a call to runtime.KeepAlive, to make sure k is not + // collected (and finalized) before the cgo call returns. + defer runtime.KeepAlive(k) + return f(k._key) +} + +func setupRSA(withKey func(func(*C.GO_RSA) C.int) C.int, + padding C.int, h, mgfHash hash.Hash, label []byte, saltLen int, ch crypto.Hash, + init func(*C.GO_EVP_PKEY_CTX) C.int) (pkey *C.GO_EVP_PKEY, ctx *C.GO_EVP_PKEY_CTX, err error) { + defer func() { + if err != nil { + if pkey != nil { + C._goboringcrypto_EVP_PKEY_free(pkey) + pkey = nil + } + if ctx != nil { + C._goboringcrypto_EVP_PKEY_CTX_free(ctx) + ctx = nil + } + } + }() + + pkey = C._goboringcrypto_EVP_PKEY_new() + if pkey == nil { + return nil, nil, fail("EVP_PKEY_new") + } + if withKey(func(key *C.GO_RSA) C.int { + return C._goboringcrypto_EVP_PKEY_set1_RSA(pkey, key) + }) == 0 { + return nil, nil, fail("EVP_PKEY_set1_RSA") + } + ctx = C._goboringcrypto_EVP_PKEY_CTX_new(pkey, nil) + if ctx == nil { + return nil, nil, fail("EVP_PKEY_CTX_new") + } + if init(ctx) == 0 { + return nil, nil, fail("EVP_PKEY_operation_init") + } + if C._goboringcrypto_EVP_PKEY_CTX_set_rsa_padding(ctx, padding) == 0 { + return nil, nil, fail("EVP_PKEY_CTX_set_rsa_padding") + } + if padding == C.GO_RSA_PKCS1_OAEP_PADDING { + md := hashToMD(h) + if md == nil { + return nil, nil, errors.New("crypto/rsa: unsupported hash function") + } + mgfMD := hashToMD(mgfHash) + if mgfMD == nil { + return nil, nil, errors.New("crypto/rsa: unsupported hash function") + } + if C._goboringcrypto_EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) == 0 { + return nil, nil, fail("EVP_PKEY_set_rsa_oaep_md") + } + if C._goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, mgfMD) == 0 { + return nil, nil, fail("EVP_PKEY_set_rsa_mgf1_md") + } + // ctx takes ownership of label, so malloc a copy for BoringCrypto to free. + clabel := (*C.uint8_t)(C._goboringcrypto_OPENSSL_malloc(C.size_t(len(label)))) + if clabel == nil { + return nil, nil, fail("OPENSSL_malloc") + } + copy((*[1 << 30]byte)(unsafe.Pointer(clabel))[:len(label)], label) + if C._goboringcrypto_EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, clabel, C.size_t(len(label))) == 0 { + return nil, nil, fail("EVP_PKEY_CTX_set0_rsa_oaep_label") + } + } + if padding == C.GO_RSA_PKCS1_PSS_PADDING { + if saltLen != 0 { + if C._goboringcrypto_EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, C.int(saltLen)) == 0 { + return nil, nil, fail("EVP_PKEY_set_rsa_pss_saltlen") + } + } + md := cryptoHashToMD(ch) + if md == nil { + return nil, nil, errors.New("crypto/rsa: unsupported hash function") + } + if C._goboringcrypto_EVP_PKEY_CTX_set_rsa_mgf1_md(ctx, md) == 0 { + return nil, nil, fail("EVP_PKEY_set_rsa_mgf1_md") + } + } + + return pkey, ctx, nil +} + +func cryptRSA(withKey func(func(*C.GO_RSA) C.int) C.int, + padding C.int, h, mgfHash hash.Hash, label []byte, saltLen int, ch crypto.Hash, + init func(*C.GO_EVP_PKEY_CTX) C.int, + crypt func(*C.GO_EVP_PKEY_CTX, *C.uint8_t, *C.size_t, *C.uint8_t, C.size_t) C.int, + in []byte) ([]byte, error) { + + pkey, ctx, err := setupRSA(withKey, padding, h, mgfHash, label, saltLen, ch, init) + if err != nil { + return nil, err + } + defer C._goboringcrypto_EVP_PKEY_free(pkey) + defer C._goboringcrypto_EVP_PKEY_CTX_free(ctx) + + var outLen C.size_t + if crypt(ctx, nil, &outLen, base(in), C.size_t(len(in))) == 0 { + return nil, fail("EVP_PKEY_decrypt/encrypt") + } + out := make([]byte, outLen) + if crypt(ctx, base(out), &outLen, base(in), C.size_t(len(in))) == 0 { + return nil, fail("EVP_PKEY_decrypt/encrypt") + } + return out[:outLen], nil +} + +func DecryptRSAOAEP(h, mgfHash hash.Hash, priv *PrivateKeyRSA, ciphertext, label []byte) ([]byte, error) { + return cryptRSA(priv.withKey, C.GO_RSA_PKCS1_OAEP_PADDING, h, mgfHash, label, 0, 0, decryptInit, decrypt, ciphertext) +} + +func EncryptRSAOAEP(h, mgfHash hash.Hash, pub *PublicKeyRSA, msg, label []byte) ([]byte, error) { + return cryptRSA(pub.withKey, C.GO_RSA_PKCS1_OAEP_PADDING, h, mgfHash, label, 0, 0, encryptInit, encrypt, msg) +} + +func DecryptRSAPKCS1(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) { + return cryptRSA(priv.withKey, C.GO_RSA_PKCS1_PADDING, nil, nil, nil, 0, 0, decryptInit, decrypt, ciphertext) +} + +func EncryptRSAPKCS1(pub *PublicKeyRSA, msg []byte) ([]byte, error) { + return cryptRSA(pub.withKey, C.GO_RSA_PKCS1_PADDING, nil, nil, nil, 0, 0, encryptInit, encrypt, msg) +} + +func DecryptRSANoPadding(priv *PrivateKeyRSA, ciphertext []byte) ([]byte, error) { + return cryptRSA(priv.withKey, C.GO_RSA_NO_PADDING, nil, nil, nil, 0, 0, decryptInit, decrypt, ciphertext) +} + +func EncryptRSANoPadding(pub *PublicKeyRSA, msg []byte) ([]byte, error) { + return cryptRSA(pub.withKey, C.GO_RSA_NO_PADDING, nil, nil, nil, 0, 0, encryptInit, encrypt, msg) +} + +// These dumb wrappers work around the fact that cgo functions cannot be used as values directly. + +func decryptInit(ctx *C.GO_EVP_PKEY_CTX) C.int { + return C._goboringcrypto_EVP_PKEY_decrypt_init(ctx) +} + +func decrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.size_t, in *C.uint8_t, inLen C.size_t) C.int { + return C._goboringcrypto_EVP_PKEY_decrypt(ctx, out, outLen, in, inLen) +} + +func encryptInit(ctx *C.GO_EVP_PKEY_CTX) C.int { + return C._goboringcrypto_EVP_PKEY_encrypt_init(ctx) +} + +func encrypt(ctx *C.GO_EVP_PKEY_CTX, out *C.uint8_t, outLen *C.size_t, in *C.uint8_t, inLen C.size_t) C.int { + return C._goboringcrypto_EVP_PKEY_encrypt(ctx, out, outLen, in, inLen) +} + +var invalidSaltLenErr = errors.New("crypto/rsa: PSSOptions.SaltLength cannot be negative") + +func SignRSAPSS(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte, saltLen int) ([]byte, error) { + md := cryptoHashToMD(h) + if md == nil { + return nil, errors.New("crypto/rsa: unsupported hash function") + } + + // A salt length of -2 is valid in BoringSSL, but not in crypto/rsa, so reject + // it, and lengths < -2, before we convert to the BoringSSL sentinel values. + if saltLen <= -2 { + return nil, invalidSaltLenErr + } + + // BoringSSL uses sentinel salt length values like we do, but the values don't + // fully match what we use. We both use -1 for salt length equal to hash length, + // but BoringSSL uses -2 to mean maximal size where we use 0. In the latter + // case convert to the BoringSSL version. + if saltLen == 0 { + saltLen = -2 + } + + var out []byte + var outLen C.size_t + if priv.withKey(func(key *C.GO_RSA) C.int { + out = make([]byte, C._goboringcrypto_RSA_size(key)) + return C._goboringcrypto_RSA_sign_pss_mgf1(key, &outLen, base(out), C.size_t(len(out)), + base(hashed), C.size_t(len(hashed)), md, nil, C.int(saltLen)) + }) == 0 { + return nil, fail("RSA_sign_pss_mgf1") + } + + return out[:outLen], nil +} + +func VerifyRSAPSS(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte, saltLen int) error { + md := cryptoHashToMD(h) + if md == nil { + return errors.New("crypto/rsa: unsupported hash function") + } + + // A salt length of -2 is valid in BoringSSL, but not in crypto/rsa, so reject + // it, and lengths < -2, before we convert to the BoringSSL sentinel values. + if saltLen <= -2 { + return invalidSaltLenErr + } + + // BoringSSL uses sentinel salt length values like we do, but the values don't + // fully match what we use. We both use -1 for salt length equal to hash length, + // but BoringSSL uses -2 to mean maximal size where we use 0. In the latter + // case convert to the BoringSSL version. + if saltLen == 0 { + saltLen = -2 + } + + if pub.withKey(func(key *C.GO_RSA) C.int { + return C._goboringcrypto_RSA_verify_pss_mgf1(key, base(hashed), C.size_t(len(hashed)), + md, nil, C.int(saltLen), base(sig), C.size_t(len(sig))) + }) == 0 { + return fail("RSA_verify_pss_mgf1") + } + return nil +} + +func SignRSAPKCS1v15(priv *PrivateKeyRSA, h crypto.Hash, hashed []byte) ([]byte, error) { + if h == 0 { + // No hashing. + var out []byte + var outLen C.size_t + if priv.withKey(func(key *C.GO_RSA) C.int { + out = make([]byte, C._goboringcrypto_RSA_size(key)) + return C._goboringcrypto_RSA_sign_raw(key, &outLen, base(out), C.size_t(len(out)), + base(hashed), C.size_t(len(hashed)), C.GO_RSA_PKCS1_PADDING) + }) == 0 { + return nil, fail("RSA_sign_raw") + } + return out[:outLen], nil + } + + md := cryptoHashToMD(h) + if md == nil { + return nil, errors.New("crypto/rsa: unsupported hash function: " + strconv.Itoa(int(h))) + } + nid := C._goboringcrypto_EVP_MD_type(md) + var out []byte + var outLen C.uint + if priv.withKey(func(key *C.GO_RSA) C.int { + out = make([]byte, C._goboringcrypto_RSA_size(key)) + return C._goboringcrypto_RSA_sign(nid, base(hashed), C.uint(len(hashed)), + base(out), &outLen, key) + }) == 0 { + return nil, fail("RSA_sign") + } + return out[:outLen], nil +} + +func VerifyRSAPKCS1v15(pub *PublicKeyRSA, h crypto.Hash, hashed, sig []byte) error { + if h == 0 { + var out []byte + var outLen C.size_t + if pub.withKey(func(key *C.GO_RSA) C.int { + out = make([]byte, C._goboringcrypto_RSA_size(key)) + return C._goboringcrypto_RSA_verify_raw(key, &outLen, base(out), + C.size_t(len(out)), base(sig), C.size_t(len(sig)), C.GO_RSA_PKCS1_PADDING) + }) == 0 { + return fail("RSA_verify") + } + if subtle.ConstantTimeCompare(hashed, out[:outLen]) != 1 { + return fail("RSA_verify") + } + return nil + } + md := cryptoHashToMD(h) + if md == nil { + return errors.New("crypto/rsa: unsupported hash function") + } + nid := C._goboringcrypto_EVP_MD_type(md) + if pub.withKey(func(key *C.GO_RSA) C.int { + return C._goboringcrypto_RSA_verify(nid, base(hashed), C.size_t(len(hashed)), + base(sig), C.size_t(len(sig)), key) + }) == 0 { + return fail("RSA_verify") + } + return nil +} diff --git a/pkg/tls/internal/boring/sha.go b/pkg/tls/internal/boring/sha.go new file mode 100644 index 000000000..a49c11973 --- /dev/null +++ b/pkg/tls/internal/boring/sha.go @@ -0,0 +1,599 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build boringcrypto && linux && (amd64 || arm64) && !android && !msan + +package boring + +/* +#include "goboringcrypto.h" + +int +_goboringcrypto_gosha1(void *p, size_t n, void *out) +{ + GO_SHA_CTX ctx; + _goboringcrypto_SHA1_Init(&ctx); + return _goboringcrypto_SHA1_Update(&ctx, p, n) && + _goboringcrypto_SHA1_Final(out, &ctx); +} + +int +_goboringcrypto_gosha224(void *p, size_t n, void *out) +{ + GO_SHA256_CTX ctx; + _goboringcrypto_SHA224_Init(&ctx); + return _goboringcrypto_SHA224_Update(&ctx, p, n) && + _goboringcrypto_SHA224_Final(out, &ctx); +} + +int +_goboringcrypto_gosha256(void *p, size_t n, void *out) +{ + GO_SHA256_CTX ctx; + _goboringcrypto_SHA256_Init(&ctx); + return _goboringcrypto_SHA256_Update(&ctx, p, n) && + _goboringcrypto_SHA256_Final(out, &ctx); +} + +int +_goboringcrypto_gosha384(void *p, size_t n, void *out) +{ + GO_SHA512_CTX ctx; + _goboringcrypto_SHA384_Init(&ctx); + return _goboringcrypto_SHA384_Update(&ctx, p, n) && + _goboringcrypto_SHA384_Final(out, &ctx); +} + +int +_goboringcrypto_gosha512(void *p, size_t n, void *out) +{ + GO_SHA512_CTX ctx; + _goboringcrypto_SHA512_Init(&ctx); + return _goboringcrypto_SHA512_Update(&ctx, p, n) && + _goboringcrypto_SHA512_Final(out, &ctx); +} + +*/ +import "C" +import ( + "errors" + "hash" + "unsafe" +) + +// NOTE: The cgo calls in this file are arranged to avoid marking the parameters as escaping. +// To do that, we call noescape (including via addr). +// We must also make sure that the data pointer arguments have the form unsafe.Pointer(&...) +// so that cgo does not annotate them with cgoCheckPointer calls. If it did that, it might look +// beyond the byte slice and find Go pointers in unprocessed parts of a larger allocation. +// To do both of these simultaneously, the idiom is unsafe.Pointer(&*addr(p)), +// where addr returns the base pointer of p, substituting a non-nil pointer for nil, +// and applying a noescape along the way. +// This is all to preserve compatibility with the allocation behavior of the non-boring implementations. + +func SHA1(p []byte) (sum [20]byte) { + if C._goboringcrypto_gosha1(unsafe.Pointer(&*addr(p)), C.size_t(len(p)), unsafe.Pointer(&*addr(sum[:]))) == 0 { + panic("boringcrypto: SHA1 failed") + } + return +} + +func SHA224(p []byte) (sum [28]byte) { + if C._goboringcrypto_gosha224(unsafe.Pointer(&*addr(p)), C.size_t(len(p)), unsafe.Pointer(&*addr(sum[:]))) == 0 { + panic("boringcrypto: SHA224 failed") + } + return +} + +func SHA256(p []byte) (sum [32]byte) { + if C._goboringcrypto_gosha256(unsafe.Pointer(&*addr(p)), C.size_t(len(p)), unsafe.Pointer(&*addr(sum[:]))) == 0 { + panic("boringcrypto: SHA256 failed") + } + return +} + +func SHA384(p []byte) (sum [48]byte) { + if C._goboringcrypto_gosha384(unsafe.Pointer(&*addr(p)), C.size_t(len(p)), unsafe.Pointer(&*addr(sum[:]))) == 0 { + panic("boringcrypto: SHA384 failed") + } + return +} + +func SHA512(p []byte) (sum [64]byte) { + if C._goboringcrypto_gosha512(unsafe.Pointer(&*addr(p)), C.size_t(len(p)), unsafe.Pointer(&*addr(sum[:]))) == 0 { + panic("boringcrypto: SHA512 failed") + } + return +} + +// NewSHA1 returns a new SHA1 hash. +func NewSHA1() hash.Hash { + h := new(sha1Hash) + h.Reset() + return h +} + +type sha1Hash struct { + ctx C.GO_SHA_CTX + out [20]byte +} + +type sha1Ctx struct { + h [5]uint32 + nl, nh uint32 + x [64]byte + nx uint32 +} + +func (h *sha1Hash) noescapeCtx() *C.GO_SHA_CTX { + return (*C.GO_SHA_CTX)(noescape(unsafe.Pointer(&h.ctx))) +} + +func (h *sha1Hash) Reset() { + C._goboringcrypto_SHA1_Init(h.noescapeCtx()) +} + +func (h *sha1Hash) Size() int { return 20 } +func (h *sha1Hash) BlockSize() int { return 64 } +func (h *sha1Hash) Sum(dst []byte) []byte { return h.sum(dst) } + +func (h *sha1Hash) Write(p []byte) (int, error) { + if len(p) > 0 && C._goboringcrypto_SHA1_Update(h.noescapeCtx(), unsafe.Pointer(&*addr(p)), C.size_t(len(p))) == 0 { + panic("boringcrypto: SHA1_Update failed") + } + return len(p), nil +} + +func (h0 *sha1Hash) sum(dst []byte) []byte { + h := *h0 // make copy so future Write+Sum is valid + if C._goboringcrypto_SHA1_Final((*C.uint8_t)(noescape(unsafe.Pointer(&h.out[0]))), h.noescapeCtx()) == 0 { + panic("boringcrypto: SHA1_Final failed") + } + return append(dst, h.out[:]...) +} + +const ( + sha1Magic = "sha\x01" + sha1MarshaledSize = len(sha1Magic) + 5*4 + 64 + 8 +) + +func (h *sha1Hash) MarshalBinary() ([]byte, error) { + d := (*sha1Ctx)(unsafe.Pointer(&h.ctx)) + b := make([]byte, 0, sha1MarshaledSize) + b = append(b, sha1Magic...) + b = appendUint32(b, d.h[0]) + b = appendUint32(b, d.h[1]) + b = appendUint32(b, d.h[2]) + b = appendUint32(b, d.h[3]) + b = appendUint32(b, d.h[4]) + b = append(b, d.x[:d.nx]...) + b = b[:len(b)+len(d.x)-int(d.nx)] // already zero + b = appendUint64(b, uint64(d.nl)>>3|uint64(d.nh)<<29) + return b, nil +} + +func (h *sha1Hash) UnmarshalBinary(b []byte) error { + if len(b) < len(sha1Magic) || string(b[:len(sha1Magic)]) != sha1Magic { + return errors.New("crypto/sha1: invalid hash state identifier") + } + if len(b) != sha1MarshaledSize { + return errors.New("crypto/sha1: invalid hash state size") + } + d := (*sha1Ctx)(unsafe.Pointer(&h.ctx)) + b = b[len(sha1Magic):] + b, d.h[0] = consumeUint32(b) + b, d.h[1] = consumeUint32(b) + b, d.h[2] = consumeUint32(b) + b, d.h[3] = consumeUint32(b) + b, d.h[4] = consumeUint32(b) + b = b[copy(d.x[:], b):] + b, n := consumeUint64(b) + d.nl = uint32(n << 3) + d.nh = uint32(n >> 29) + d.nx = uint32(n) % 64 + return nil +} + +// NewSHA224 returns a new SHA224 hash. +func NewSHA224() hash.Hash { + h := new(sha224Hash) + h.Reset() + return h +} + +type sha224Hash struct { + ctx C.GO_SHA256_CTX + out [224 / 8]byte +} + +func (h *sha224Hash) noescapeCtx() *C.GO_SHA256_CTX { + return (*C.GO_SHA256_CTX)(noescape(unsafe.Pointer(&h.ctx))) +} + +func (h *sha224Hash) Reset() { + C._goboringcrypto_SHA224_Init(h.noescapeCtx()) +} +func (h *sha224Hash) Size() int { return 224 / 8 } +func (h *sha224Hash) BlockSize() int { return 64 } +func (h *sha224Hash) Sum(dst []byte) []byte { return h.sum(dst) } + +func (h *sha224Hash) Write(p []byte) (int, error) { + if len(p) > 0 && C._goboringcrypto_SHA224_Update(h.noescapeCtx(), unsafe.Pointer(&*addr(p)), C.size_t(len(p))) == 0 { + panic("boringcrypto: SHA224_Update failed") + } + return len(p), nil +} + +func (h0 *sha224Hash) sum(dst []byte) []byte { + h := *h0 // make copy so future Write+Sum is valid + if C._goboringcrypto_SHA224_Final((*C.uint8_t)(noescape(unsafe.Pointer(&h.out[0]))), h.noescapeCtx()) == 0 { + panic("boringcrypto: SHA224_Final failed") + } + return append(dst, h.out[:]...) +} + +// NewSHA256 returns a new SHA256 hash. +func NewSHA256() hash.Hash { + h := new(sha256Hash) + h.Reset() + return h +} + +type sha256Hash struct { + ctx C.GO_SHA256_CTX + out [256 / 8]byte +} + +func (h *sha256Hash) noescapeCtx() *C.GO_SHA256_CTX { + return (*C.GO_SHA256_CTX)(noescape(unsafe.Pointer(&h.ctx))) +} + +func (h *sha256Hash) Reset() { + C._goboringcrypto_SHA256_Init(h.noescapeCtx()) +} +func (h *sha256Hash) Size() int { return 256 / 8 } +func (h *sha256Hash) BlockSize() int { return 64 } +func (h *sha256Hash) Sum(dst []byte) []byte { return h.sum(dst) } + +func (h *sha256Hash) Write(p []byte) (int, error) { + if len(p) > 0 && C._goboringcrypto_SHA256_Update(h.noescapeCtx(), unsafe.Pointer(&*addr(p)), C.size_t(len(p))) == 0 { + panic("boringcrypto: SHA256_Update failed") + } + return len(p), nil +} + +func (h0 *sha256Hash) sum(dst []byte) []byte { + h := *h0 // make copy so future Write+Sum is valid + if C._goboringcrypto_SHA256_Final((*C.uint8_t)(noescape(unsafe.Pointer(&h.out[0]))), h.noescapeCtx()) == 0 { + panic("boringcrypto: SHA256_Final failed") + } + return append(dst, h.out[:]...) +} + +const ( + magic224 = "sha\x02" + magic256 = "sha\x03" + marshaledSize256 = len(magic256) + 8*4 + 64 + 8 +) + +type sha256Ctx struct { + h [8]uint32 + nl, nh uint32 + x [64]byte + nx uint32 +} + +func (h *sha224Hash) MarshalBinary() ([]byte, error) { + d := (*sha256Ctx)(unsafe.Pointer(&h.ctx)) + b := make([]byte, 0, marshaledSize256) + b = append(b, magic224...) + b = appendUint32(b, d.h[0]) + b = appendUint32(b, d.h[1]) + b = appendUint32(b, d.h[2]) + b = appendUint32(b, d.h[3]) + b = appendUint32(b, d.h[4]) + b = appendUint32(b, d.h[5]) + b = appendUint32(b, d.h[6]) + b = appendUint32(b, d.h[7]) + b = append(b, d.x[:d.nx]...) + b = b[:len(b)+len(d.x)-int(d.nx)] // already zero + b = appendUint64(b, uint64(d.nl)>>3|uint64(d.nh)<<29) + return b, nil +} + +func (h *sha256Hash) MarshalBinary() ([]byte, error) { + d := (*sha256Ctx)(unsafe.Pointer(&h.ctx)) + b := make([]byte, 0, marshaledSize256) + b = append(b, magic256...) + b = appendUint32(b, d.h[0]) + b = appendUint32(b, d.h[1]) + b = appendUint32(b, d.h[2]) + b = appendUint32(b, d.h[3]) + b = appendUint32(b, d.h[4]) + b = appendUint32(b, d.h[5]) + b = appendUint32(b, d.h[6]) + b = appendUint32(b, d.h[7]) + b = append(b, d.x[:d.nx]...) + b = b[:len(b)+len(d.x)-int(d.nx)] // already zero + b = appendUint64(b, uint64(d.nl)>>3|uint64(d.nh)<<29) + return b, nil +} + +func (h *sha224Hash) UnmarshalBinary(b []byte) error { + if len(b) < len(magic224) || string(b[:len(magic224)]) != magic224 { + return errors.New("crypto/sha256: invalid hash state identifier") + } + if len(b) != marshaledSize256 { + return errors.New("crypto/sha256: invalid hash state size") + } + d := (*sha256Ctx)(unsafe.Pointer(&h.ctx)) + b = b[len(magic224):] + b, d.h[0] = consumeUint32(b) + b, d.h[1] = consumeUint32(b) + b, d.h[2] = consumeUint32(b) + b, d.h[3] = consumeUint32(b) + b, d.h[4] = consumeUint32(b) + b, d.h[5] = consumeUint32(b) + b, d.h[6] = consumeUint32(b) + b, d.h[7] = consumeUint32(b) + b = b[copy(d.x[:], b):] + b, n := consumeUint64(b) + d.nl = uint32(n << 3) + d.nh = uint32(n >> 29) + d.nx = uint32(n) % 64 + return nil +} + +func (h *sha256Hash) UnmarshalBinary(b []byte) error { + if len(b) < len(magic256) || string(b[:len(magic256)]) != magic256 { + return errors.New("crypto/sha256: invalid hash state identifier") + } + if len(b) != marshaledSize256 { + return errors.New("crypto/sha256: invalid hash state size") + } + d := (*sha256Ctx)(unsafe.Pointer(&h.ctx)) + b = b[len(magic256):] + b, d.h[0] = consumeUint32(b) + b, d.h[1] = consumeUint32(b) + b, d.h[2] = consumeUint32(b) + b, d.h[3] = consumeUint32(b) + b, d.h[4] = consumeUint32(b) + b, d.h[5] = consumeUint32(b) + b, d.h[6] = consumeUint32(b) + b, d.h[7] = consumeUint32(b) + b = b[copy(d.x[:], b):] + b, n := consumeUint64(b) + d.nl = uint32(n << 3) + d.nh = uint32(n >> 29) + d.nx = uint32(n) % 64 + return nil +} + +// NewSHA384 returns a new SHA384 hash. +func NewSHA384() hash.Hash { + h := new(sha384Hash) + h.Reset() + return h +} + +type sha384Hash struct { + ctx C.GO_SHA512_CTX + out [384 / 8]byte +} + +func (h *sha384Hash) noescapeCtx() *C.GO_SHA512_CTX { + return (*C.GO_SHA512_CTX)(noescape(unsafe.Pointer(&h.ctx))) +} + +func (h *sha384Hash) Reset() { + C._goboringcrypto_SHA384_Init(h.noescapeCtx()) +} +func (h *sha384Hash) Size() int { return 384 / 8 } +func (h *sha384Hash) BlockSize() int { return 128 } +func (h *sha384Hash) Sum(dst []byte) []byte { return h.sum(dst) } + +func (h *sha384Hash) Write(p []byte) (int, error) { + if len(p) > 0 && C._goboringcrypto_SHA384_Update(h.noescapeCtx(), unsafe.Pointer(&*addr(p)), C.size_t(len(p))) == 0 { + panic("boringcrypto: SHA384_Update failed") + } + return len(p), nil +} + +func (h0 *sha384Hash) sum(dst []byte) []byte { + h := *h0 // make copy so future Write+Sum is valid + if C._goboringcrypto_SHA384_Final((*C.uint8_t)(noescape(unsafe.Pointer(&h.out[0]))), h.noescapeCtx()) == 0 { + panic("boringcrypto: SHA384_Final failed") + } + return append(dst, h.out[:]...) +} + +// NewSHA512 returns a new SHA512 hash. +func NewSHA512() hash.Hash { + h := new(sha512Hash) + h.Reset() + return h +} + +type sha512Hash struct { + ctx C.GO_SHA512_CTX + out [512 / 8]byte +} + +func (h *sha512Hash) noescapeCtx() *C.GO_SHA512_CTX { + return (*C.GO_SHA512_CTX)(noescape(unsafe.Pointer(&h.ctx))) +} + +func (h *sha512Hash) Reset() { + C._goboringcrypto_SHA512_Init(h.noescapeCtx()) +} +func (h *sha512Hash) Size() int { return 512 / 8 } +func (h *sha512Hash) BlockSize() int { return 128 } +func (h *sha512Hash) Sum(dst []byte) []byte { return h.sum(dst) } + +func (h *sha512Hash) Write(p []byte) (int, error) { + if len(p) > 0 && C._goboringcrypto_SHA512_Update(h.noescapeCtx(), unsafe.Pointer(&*addr(p)), C.size_t(len(p))) == 0 { + panic("boringcrypto: SHA512_Update failed") + } + return len(p), nil +} + +func (h0 *sha512Hash) sum(dst []byte) []byte { + h := *h0 // make copy so future Write+Sum is valid + if C._goboringcrypto_SHA512_Final((*C.uint8_t)(noescape(unsafe.Pointer(&h.out[0]))), h.noescapeCtx()) == 0 { + panic("boringcrypto: SHA512_Final failed") + } + return append(dst, h.out[:]...) +} + +type sha512Ctx struct { + h [8]uint64 + nl, nh uint64 + x [128]byte + nx uint32 +} + +const ( + magic384 = "sha\x04" + magic512_224 = "sha\x05" + magic512_256 = "sha\x06" + magic512 = "sha\x07" + marshaledSize512 = len(magic512) + 8*8 + 128 + 8 +) + +func (h *sha384Hash) MarshalBinary() ([]byte, error) { + d := (*sha512Ctx)(unsafe.Pointer(&h.ctx)) + b := make([]byte, 0, marshaledSize512) + b = append(b, magic384...) + b = appendUint64(b, d.h[0]) + b = appendUint64(b, d.h[1]) + b = appendUint64(b, d.h[2]) + b = appendUint64(b, d.h[3]) + b = appendUint64(b, d.h[4]) + b = appendUint64(b, d.h[5]) + b = appendUint64(b, d.h[6]) + b = appendUint64(b, d.h[7]) + b = append(b, d.x[:d.nx]...) + b = b[:len(b)+len(d.x)-int(d.nx)] // already zero + b = appendUint64(b, d.nl>>3|d.nh<<61) + return b, nil +} + +func (h *sha512Hash) MarshalBinary() ([]byte, error) { + d := (*sha512Ctx)(unsafe.Pointer(&h.ctx)) + b := make([]byte, 0, marshaledSize512) + b = append(b, magic512...) + b = appendUint64(b, d.h[0]) + b = appendUint64(b, d.h[1]) + b = appendUint64(b, d.h[2]) + b = appendUint64(b, d.h[3]) + b = appendUint64(b, d.h[4]) + b = appendUint64(b, d.h[5]) + b = appendUint64(b, d.h[6]) + b = appendUint64(b, d.h[7]) + b = append(b, d.x[:d.nx]...) + b = b[:len(b)+len(d.x)-int(d.nx)] // already zero + b = appendUint64(b, d.nl>>3|d.nh<<61) + return b, nil +} + +func (h *sha384Hash) UnmarshalBinary(b []byte) error { + if len(b) < len(magic512) { + return errors.New("crypto/sha512: invalid hash state identifier") + } + if string(b[:len(magic384)]) != magic384 { + return errors.New("crypto/sha512: invalid hash state identifier") + } + if len(b) != marshaledSize512 { + return errors.New("crypto/sha512: invalid hash state size") + } + d := (*sha512Ctx)(unsafe.Pointer(&h.ctx)) + b = b[len(magic512):] + b, d.h[0] = consumeUint64(b) + b, d.h[1] = consumeUint64(b) + b, d.h[2] = consumeUint64(b) + b, d.h[3] = consumeUint64(b) + b, d.h[4] = consumeUint64(b) + b, d.h[5] = consumeUint64(b) + b, d.h[6] = consumeUint64(b) + b, d.h[7] = consumeUint64(b) + b = b[copy(d.x[:], b):] + b, n := consumeUint64(b) + d.nl = n << 3 + d.nh = n >> 61 + d.nx = uint32(n) % 128 + return nil +} + +func (h *sha512Hash) UnmarshalBinary(b []byte) error { + if len(b) < len(magic512) { + return errors.New("crypto/sha512: invalid hash state identifier") + } + if string(b[:len(magic512)]) != magic512 { + return errors.New("crypto/sha512: invalid hash state identifier") + } + if len(b) != marshaledSize512 { + return errors.New("crypto/sha512: invalid hash state size") + } + d := (*sha512Ctx)(unsafe.Pointer(&h.ctx)) + b = b[len(magic512):] + b, d.h[0] = consumeUint64(b) + b, d.h[1] = consumeUint64(b) + b, d.h[2] = consumeUint64(b) + b, d.h[3] = consumeUint64(b) + b, d.h[4] = consumeUint64(b) + b, d.h[5] = consumeUint64(b) + b, d.h[6] = consumeUint64(b) + b, d.h[7] = consumeUint64(b) + b = b[copy(d.x[:], b):] + b, n := consumeUint64(b) + d.nl = n << 3 + d.nh = n >> 61 + d.nx = uint32(n) % 128 + return nil +} + +func appendUint64(b []byte, x uint64) []byte { + var a [8]byte + putUint64(a[:], x) + return append(b, a[:]...) +} + +func appendUint32(b []byte, x uint32) []byte { + var a [4]byte + putUint32(a[:], x) + return append(b, a[:]...) +} + +func consumeUint64(b []byte) ([]byte, uint64) { + _ = b[7] + x := uint64(b[7]) | uint64(b[6])<<8 | uint64(b[5])<<16 | uint64(b[4])<<24 | + uint64(b[3])<<32 | uint64(b[2])<<40 | uint64(b[1])<<48 | uint64(b[0])<<56 + return b[8:], x +} + +func consumeUint32(b []byte) ([]byte, uint32) { + _ = b[3] + x := uint32(b[3]) | uint32(b[2])<<8 | uint32(b[1])<<16 | uint32(b[0])<<24 + return b[4:], x +} + +func putUint64(x []byte, s uint64) { + _ = x[7] + x[0] = byte(s >> 56) + x[1] = byte(s >> 48) + x[2] = byte(s >> 40) + x[3] = byte(s >> 32) + x[4] = byte(s >> 24) + x[5] = byte(s >> 16) + x[6] = byte(s >> 8) + x[7] = byte(s) +} + +func putUint32(x []byte, s uint32) { + _ = x[3] + x[0] = byte(s >> 24) + x[1] = byte(s >> 16) + x[2] = byte(s >> 8) + x[3] = byte(s) +} diff --git a/pkg/tls/internal/boring/sig/sig.go b/pkg/tls/internal/boring/sig/sig.go new file mode 100644 index 000000000..716c03c5e --- /dev/null +++ b/pkg/tls/internal/boring/sig/sig.go @@ -0,0 +1,17 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package sig holds “code signatures” that can be called +// and will result in certain code sequences being linked into +// the final binary. The functions themselves are no-ops. +package sig + +// BoringCrypto indicates that the BoringCrypto module is present. +func BoringCrypto() + +// FIPSOnly indicates that package crypto/tls/fipsonly is present. +func FIPSOnly() + +// StandardCrypto indicates that standard Go crypto is present. +func StandardCrypto() diff --git a/pkg/tls/internal/boring/sig/sig_amd64.s b/pkg/tls/internal/boring/sig/sig_amd64.s new file mode 100644 index 000000000..64e3462e4 --- /dev/null +++ b/pkg/tls/internal/boring/sig/sig_amd64.s @@ -0,0 +1,54 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +#include "textflag.h" + +// These functions are no-ops, but you can search for their implementations +// to find out whether they are linked into a particular binary. +// +// Each function consists of a two-byte jump over the next 29-bytes, +// then a 5-byte indicator sequence unlikely to occur in real x86 instructions, +// then a randomly-chosen 24-byte sequence, and finally a return instruction +// (the target of the jump). +// +// These sequences are known to rsc.io/goversion. + +#define START \ + BYTE $0xEB; BYTE $0x1D; BYTE $0xF4; BYTE $0x48; BYTE $0xF4; BYTE $0x4B; BYTE $0xF4 + +#define END \ + BYTE $0xC3 + +// BoringCrypto indicates that BoringCrypto (in particular, its func init) is present. +TEXT ·BoringCrypto(SB),NOSPLIT,$0 + START + BYTE $0xB3; BYTE $0x32; BYTE $0xF5; BYTE $0x28; + BYTE $0x13; BYTE $0xA3; BYTE $0xB4; BYTE $0x50; + BYTE $0xD4; BYTE $0x41; BYTE $0xCC; BYTE $0x24; + BYTE $0x85; BYTE $0xF0; BYTE $0x01; BYTE $0x45; + BYTE $0x4E; BYTE $0x92; BYTE $0x10; BYTE $0x1B; + BYTE $0x1D; BYTE $0x2F; BYTE $0x19; BYTE $0x50; + END + +// StandardCrypto indicates that standard Go crypto is present. +TEXT ·StandardCrypto(SB),NOSPLIT,$0 + START + BYTE $0xba; BYTE $0xee; BYTE $0x4d; BYTE $0xfa; + BYTE $0x98; BYTE $0x51; BYTE $0xca; BYTE $0x56; + BYTE $0xa9; BYTE $0x11; BYTE $0x45; BYTE $0xe8; + BYTE $0x3e; BYTE $0x99; BYTE $0xc5; BYTE $0x9c; + BYTE $0xf9; BYTE $0x11; BYTE $0xcb; BYTE $0x8e; + BYTE $0x80; BYTE $0xda; BYTE $0xf1; BYTE $0x2f; + END + +// FIPSOnly indicates that crypto/tls/fipsonly is present. +TEXT ·FIPSOnly(SB),NOSPLIT,$0 + START + BYTE $0x36; BYTE $0x3C; BYTE $0xB9; BYTE $0xCE; + BYTE $0x9D; BYTE $0x68; BYTE $0x04; BYTE $0x7D; + BYTE $0x31; BYTE $0xF2; BYTE $0x8D; BYTE $0x32; + BYTE $0x5D; BYTE $0x5C; BYTE $0xA5; BYTE $0x87; + BYTE $0x3F; BYTE $0x5D; BYTE $0x80; BYTE $0xCA; + BYTE $0xF6; BYTE $0xD6; BYTE $0x15; BYTE $0x1B; + END diff --git a/pkg/tls/internal/boring/sig/sig_other.s b/pkg/tls/internal/boring/sig/sig_other.s new file mode 100644 index 000000000..f7ef4cd5b --- /dev/null +++ b/pkg/tls/internal/boring/sig/sig_other.s @@ -0,0 +1,19 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// These functions are no-ops. +// On amd64 they have recognizable implementations, so that you can +// search a particular binary to see if they are present. +// On other platforms (those using this source file), they don't. + +//go:build !amd64 + +TEXT ·BoringCrypto(SB),$0 + RET + +TEXT ·FIPSOnly(SB),$0 + RET + +TEXT ·StandardCrypto(SB),$0 + RET diff --git a/pkg/tls/internal/boring/syso/goboringcrypto_linux_amd64.syso b/pkg/tls/internal/boring/syso/goboringcrypto_linux_amd64.syso new file mode 100644 index 0000000000000000000000000000000000000000..6cea7893553abfee72af501a05a11ea09b396232 GIT binary patch literal 2555664 zcmeFadwg8gdH1WaWlLb0Jp`FJ#9)yQ#7>+<0&`I?pn);$A>-f#C#1nioZvcXN*Gs` zLXr|>kQCSvO5K#+PI+7Rl%{!8+PZluAuVYn%XbXO=4K;;g}IFwuw)x-*~ZfO{+_k> z%t*Eq-u6A`^bh>8w)S54^{nUlJ(soiR?Ga%RTE;dvglu|?6R`rQ54*J27+?}sZDLc?mF`@aa+^u#yX+rb4ey}SOjAVj+HzdE9{L;WqW-~77 z!ucnUPx`IDm{R7=Ec?v3f9H?;=Z*U}O5>$JV;+?88xnpp?%xN-{X2EszoBve{M%pu zTxD5Vs^g9!`pN{|e)kLIertEUu4|c>o%)f{(a~ioFFR?jZumVuz)fF232&2dPzfW;yq1U8^=eR-+j8H!IDs9C zyd2fx#_GID!U5HxTPjn!cQjc=(=o?`c}6R~(8mpZks&a)JG zLPfZ-396Adm9X22DbD0_Tkc)gz=Pk~75D4Az4o7th`58BDV9krv}=Q1YwcQN*ErXz zgxwC=wIAAh%x@drY=`uH(^`(&BH2JDI5M+#FLEcMr8JYItxRDmWHLrkm@$rQ=Qpio zw~)Ba8ra0sUY?$28hu0Jgac{~>ZQCvW$abmEy~!YjP2G<@3Q$`cCDU=tY9~-JV#+s z2g*>mPnr8I^EoxumavuM?%ss02X_x7LMq>%Fw&89Pr|J!rQAYM$f!@=eF@Pt**ZMI zyJJa3S=rBdDjQfo0iu`it2$qt=x0ES6E>f@kTiQ!0_tX$CTf(ONkI1Ot%(LbEM+~Q zSr4P{t<bW1`daWnNy?T9*7mr%s!AEFYWuJ(1Imjiic@Dmz{N1`6RUKQy zT|8!=cV(@6az{vOJYbFQ51Y(BN|9}G6^18(1Bjq@2h^I{Wi>SC!IxD5+6@jWkvR;C zGEb^z<34NhN%j2{BU~yP4EC#n)+f7D^}AJ&j$ky^$?v2H!^>{vhn9pVE}QXr`Mqk3 zH5eRH1GX5})0@_lHNBhmTT(C&za00pz&$)HO4RtlCcnGCLL+D^FYt1CftSl8UM?^2 za(TqdkjBS)~GG0{nxANVzq!MvtOV-+Em{1q92n&rM90M!LE54RAp( zF#&NFWvF(DJ7(XdMk$v`tW?(HYG=Rlx6y9~GJARM2A}2!MF6wW2wZGL*kzOu{SQ(D zK9V$0Us#uYM9oQy0l03~zfxVezYirR?P%>txcW@Oj*=>NT&s#&j6NIZdiN++CFyl_ z^pukFdK^@fcDIkmtn|<#w}M7~0gi?Z!9^+tCO%%Hnu{SUzq(Wny7i@uH&C54{VJ{Y zZRHN-B&zf+6&-BVXoQi|$SS4Z?-q?JW-~mdw8v?T)uAQ&X2r7)I2u#)pxQlbEv=>$ zWTYY8-RGFl%if(>srB&sfDBp>R~%lZi)S@gVFoBd(>wGid|l*LZXcxMheuk3QT0Tv zw^i(AT?Q>v;~qS$1|C-;NXObj0}0t8qtf6rDk2;ccvy);6#eFQl@}rmzMwpTs#X)- zNs{q0>fBabENo0>wh;X?&3;O?EJXu(E#(O=859sx=~7Vx;0-F!ghG-K)^bgmK7z{^ zJ`^{iWY6h(%hdfxHo4yy^t#`d?%;R9LNgWB2PZ9mq~1|dYG`@SAM+qId}5im;#m~O ziX&Y5kYkjGmj^EL=$w{Rd9Qz|7Qt&>cO)NWY%1p&NBH`W$i(p^MiyF$4 zAtWJZl~(H+*y@99$h`3~6L7-jG&shSH+YbrCL~Ms=t3-q{7{#fqrZ7#Vefqv4C50K;-O3@^KfJYiSHgqD8cVuY>l9!DbPwvO>5o(35! zDJfo}3rY?x4C%>~$r~iSrY9SzNe@gY>@o}y z4K>P^gfJv!7-IM}200cvJp zU-$vF@`&N`yzoP0hp$%bs*LahX3aCYJazK$N6SqSel%54Ho}gdq-82y1;9H~=?c_> zGnKe&bEXn^_Z4iVj4XCUXNarta&RegrGA^Up`cj`sHDonku7yApvm(+&ZP1NMFgJj zH^YhsZjzrha)3ci{rQlHp_v&U>_S@dtkB3yP&PaDAC!xXVI5^J_$OBs=|E7u5mh@x z<}TJS|2PTKu$UKK9|l4mDKz)$$qC$iWdES`0uxH~oX>?VAklB^r35yM;aB6(WK#B) z^F*tCQ$OLlJg3L%=U>?GwVdnUzD`bi5AlX^@r<86U5IDgZ@0&ZXZ!_1F)p6*qq)b# zGgjR7pNeOU3rGB9TsYzbltO-eU#p?tc*-5|a zLJ?DcKMYBH+kS@;3B@B$hOCHp6pvs@pm-M6JW)WxOw?Z+k1)lN1?~Q~!Vz0n8vZC) z(Q@C`E_=Wd3PTveBMnSmO)(s?)vO#DDXP=!>cA*2?7>YmnSu}Ba{t!VR!p`fb^2W$ zg!9*hBet$_btu+y?^dHUQ6Im4lh^(b;RxvXF~$ZDhp~nIV`2-AV$rZ{NPD$7QeUCd z-$T{?FgAebA`6lSw1grHUZ34K5*ND>aSekSKf3s<#a?WE#o6-zQ>Gy=$V;WbT)d{Z>0fWcX50Bh)C$Q zbx+cL7b#xb`gmE{L!^?hQVH$%lDX01t|#-1#8t3T6a3b-1YiBmsef@_MOoc}aqGqM z!{v?JV%+q@!gADL%YU^9qOqkILV?!oq%|%Pb}_@-ymCe8yzI2UQx=BUcH~vgPJw%z z$kK+`9lOMg#YU+x*-rvdCy%d5+8>p)qpHxqlyo}n1!c&vX?#W**qqpagL;0;3etjX z2IVS~!mlcmI4P~X$gKquVR-J$vlBoq#x|yzZkbVxcJQcj-{J=Q)VUa#MTqli6+qDB zILH!4^w;pDCKgGmv8w0=0uHWMdpq@H2Bz8La@(D2fm0-~r_xHL$=EYb7PH3roPE?} zRI=10&`2RI$=4ye+HYX2rg;etq1?fwjKLUc`nlm=@J2WMv)huZm#M@=?%tT&0 z5jZaLKk))&SU|Cjl$E=Iqnh9Mp6fad*s;ulu%HC?`v?51+W@g$nwY~~}ASbk>(2|rh zY8zU}n=vL_YV8nT;Q39J6E>U2ruD-Pq`u~0l_`VoX@erJ=3E!mAoCT~H9j|!UmhvM zbB+NP3MI7S*)!ifY-Xti(y>^nBw@7C5q{!PpH5DHI8F zmheBTQK&(g?6jZiLD4Bfr+d`4xh}BUh;HQS=0%wcK5peqkxBMhZ`e}6u>mQUWt*M$ zLD!UHQ?Q0ad6-!y=BxqZ5df!guQVC^0;bop(=M}$vKnM!%iqY07*j7K-FtA}DYO9t zDKbvg>C$z}yql4Z6+5daX4q(gMe>S6YLy%LWh)L-W5uuvX;9q`cQ?d@y?*P+$zJgFr)hib_LvS0bDijv)i(0@Yy%!bNN@(vkE8Gs-u zMCp@VBD8cU-2-(Sdxg>$j4I>;Nfl;M{Bs;i(}uQez?3CSf^MAE3w6h0^&Z+FP(rip zlsVpu_I$_?+sRO*AB)ilgF`reNfjjn!hG^A2CT@9%rF|VFs}t8EXHZ82!(;Z26!rK zAvNP*`93SA~-RI2r=msA9k^*P3KGf0EWHzKnMZ z7_o$X*kp{wI0*PMpF=Ju>forK!*HMeDWq`AAm6|p`Z$(hJH|8evU=bGzU{B zlqbMIE@U)?fa-&t7_Z{o3bXYcrJjRfLlb%f4IOfuiUspSWoyU{&PwB<_NeP3JjNUr z5{52Prhx4#?m%+e!lE}@fmg_B!uB?5QCrkt3N}7%RS;Ani$$jXO5M5!48`RWkj#n; z!f94_DZ_LFQ3Y;n#s-*%w~&(^1W0dzMAM%#BitqwB$1|cm=D{CvLO5cibI0(!%_Bba@ZJeSvq0Jzf@kW*R~bA zo3iv3!th=DjW#q}0>iB?(ZR4goWQ0xt26c6%7MtDB{VxB2*>G~PL2!0RM)OkR@kKm zSYpvM+Ih!nL=%>)7qnoOc{)c|&6$m?Eg_lA2$psq4E{<%m|>gErp~b;q!Wavpd&p= z>fmp>x7Z}OhC91&;k+GYqU zr3l5sZn|@J9ehh38-h#}8wzydhS|~`%xf@gLj+&Ucx4768wy1RI|~h3knWGNY;lTY3i()*k0;N_k%1P_6^-r z3b=4Vec_aCW@e>GY{sr1CTrLs$qx-(S~HV>4UN7{s)I2GjAck&me`P(HgJyIN$a&c0g}ht1BFOVcMUPS+}6v3H*2IpH?W`Ycspspv{bL zZI!a1Tx{jdp0-@W+cSTrSSqV0`vv@=A#6ss)okis`>1U2QQfqbwjJcN?&8PcEmX}z zP!!`}$v|772C`EfMAql1vwmU%O zMmXdE^=$#_3;YO769gr?YIGc7U=FIv*~3+4^0FV~cQz#!dhrTxHV=g;M#r^rKOpkv zZ%idVM^R2QtgWrvoavm@{l^%|QT&HKC-cMjis6h9reAo&=B_N*GqjeUbBRa{)^aiQ zm%ZQ#mm&Nzy;RQFA=}sx=) zYLzE*Yn+K}=1wpD(*`|B&iM(AXq^V?Eo8G{bqoPzQAsX5;wPBAIt@fxrS{!0S;SWh-SSq8;B^JsqIY6#-9Tw7vSlt3wVn{g#n zXSfBE*+87yX6{bC#8rk>ZI^LN(tEJnrA%oj)Pr%!^zCeBN@Fw_)ukX|hlFFO+4}PCbY$wBgjl5oJ?e zMOtQh@yXt)SM*Bvd$BAU080(5$h0(r&pc^GCe1v+TBjJp5@5 zBdqG|bjm_BXH?4uwuN`Fyi(OEizLe;q#_7q=7g{m;01~0M{{rfq{P~pXCMPGO49~_ zMHkoV380ZmbuT57mES6>86%G;nR|>=DgmF|#TR7D7^G`8@MIB88CeFB!dl`>3{KG& zY@Wjufe@OYd9nla6lw*n$u5Dt4a)#V^pj9n+?y3NW198G+&70-hmyvDvK^ri8w{d) zL_FbU7Ug4vBpvJ2j=JDF8`g2k10j|52u5JWii+Z-lx#^I3_^u+Clw>=V%M5}LR(0$ z^l6(9owbTvSQXvJT~-Dq$7e!lW{yDfY90-Q8GjhVX6UTKOX^=}N9ck(03tMzH3`Oq zRjZZglOc=g-pjo$UsiN7VnG(}-qOXipODLJRy$tBurya${$XUoOk!CUVnIM#tHTuO zj7LLO!&rk#xdNti*&|>X&Ga=Ol~M$`xtJj%&7Yn0t(P3;YLL4eBUAlNp0rH6uw5M5 zvVOu?;2M;Kk+K(jQ8i_3fumRGp2=$Y^QLaV&?4A&8NAvVi@|fAe$nd5M#9#@O4dpm zicH|<%#AJ^bi&th`&qqYU{Et~melr>?O=uUvvaL`DLCnQSCRW&-2iLKk9o7s@@9GT zz1G{X^OGUQPTFAQD|QGAVHz2+D-M^tGIpHKz}ceAlv9zG$rRa1 zZC8m2i^*5)ts$Fj+S^EIVG}SrS>a{b+cKK{V8{=l0{o6ma+hg``=QF`Eo3!`UopAs5(C?J&-wsR>X$nV%R+YZX@(x~Kkz+8Xir@PB z=QLp*5c0C+Tn1UmmI>ahOhw$g{+hTqn;#x(c&Oo_Mh~?-)bdcPhXx)RcxceWLLL_K zuuu<6cv!;25}M9bET`>jxU^ie+>TUwGuaP!E7CW0E_=D?$KF4Njiy~>4?6j~d{aFM zlP!S7zNxjY7;LD0h&+(il2I6HC6jELqUp$wis%25+Yj*57?(JGg~iWa zQOo5T*=*S>7IORPCA$6kawG?~Lgc~!ETG}sVhNS-onF9L3M#V46WqR=B$*(%rX+Ro zgn$~Dlcpd7_p6r4LL%EN`@HUuNI@qiAyu5QYe(#)D6nK`SlsI{l39ZWQgdsRVZaZq z&_lgyYD9^4(p!*5f;2ApLqiq`Fq;&p0!0lO_bMmE-7K&zs?t+~lBM~ex;E|13ec%o zbaP}P1N!DyFgDQH927IcyH!_%vBR|jdS(roQ9`w%Xz}p6VgwwUruZS+lHQUVfo24c zA=9o~nPWI5DKrZbze2;{1f6i)9ws}(XE z17?v*F|RGeKLH!oAOq7lR0oP=^AtqKpzt7pu>@KJ?Mg9=5V|M&?xoDzZZ?;+suqoTaoK2d zf&wg+={e@fDmWLywos%5tp%cXWNODnN<}(WM7H3UDFtImB!qnPUc_5YhBl}t#RAN_ zcpYguKxHX9@h%MReN*Zj0#nYMKy!HF+LFy$=s-MXzP{4ob=pyQ zfIt;@CdW2W+c>g!6pW#)D|3xyJISt+e>u2*;5NM)Qh?uOt7s)VK^MTq%YLVZ%cpC( ze7=DT&_d4FmvH;_Y-BAgkg}VDRS$UEwFB^=;!&QVJNaq^m2|CC$n|3v206nt$xuaW& z1sqYUQ6MpNswUj1%rVy(Xq_1uVa1CAR4jN}6$>C=5_4*bHcTFvG3F*y``Or9?&!AU zO=c2~H)Bzx0}kCr3%yFzPM(Dyu>j55rVka&3UbZJVmXnG?0TBh9yE32O2E>T6k2Ej zVNwRXYpG37fR3=kk^-JJ>fnfK9OPMUw4#C-GSt*O>@=}p7swqVSL4`aa%{jRREKPW zL))XY)y4cW0}>@dD`sVi^#!(utm0ek%E7lx!q!^@HzBd(6gV;VNNw7Z>>C@t$i0O) z89s;fsLQNu)(`>waMi@p91`SWxXDT)hw6WqF^0l3Ac=oq^M0Zl+9xzh$1#Hv|s>21=whn>bPJxIdMHXIIB@*<1B*) zbBHWRV6vf&JAN3&N(SqWu^97-WyDR4s-Hol8n{#R%T%kPFYqww@B~w53bIR`5L-XO zKeQl~OpW*G&LBu@!jC}^nh(uOjvz>&W%%zP$i17x8qqi>yDMsR`<+@%)r997(Z1!=3w3Q= zqU-0E`>h*By|x=bu7agEIIkjXXK-mnT*cJfV5*`fYIN|{idv=9HoJ%w4W!d{c!q0H zg>_)v3^r9*Ki1pe;)>-If`Im_pO8oI4%%B>$jB;<6K+%{RFa_+z6vR<03lqhA#TE# z1SuajMtK5Cw5fsYrBF9WTqo4Yfq3GUlrR!*2@z(T8 zEV)_|i-EBal1Gr*2<#5q8b6?FBrRqhKo;y!*-qGKQrjF;W(^v771YbymXty}SaKAk zla}}B2Kx+4*K7GYg|dL57SJN&Ze7hb(TY&6b4ie%0#8z@E)()zGv&;)45u#h5h*#RkJa-oKS zNQZ@)wqBZb#{vwzWZQjyiOMVNA$97Csu;^*5F+yq@h-fdHssza`N**QeL>ki`Bd3U zEBRfr|AUqwGU6@YB3}zev-i{1*7KkRf%}|~r6XJRej0t-J8Fn%ODgiOytWAkt@Uc> zWBom(yPN`oropdjj1Ez*t|8G-YOtkNsfH)lf+T_y%3i-vsSZhQDFKo%Emyk0Yu)Ec z4pIN_o?jm0>>lI&{^kU~eY@8-JWU6;`I1HQGs#7IW5VYEaXNU+51!z=7U|&aj@xzg zq2#>@VlQ8jcZztO^SkDzM(<0onB}KH=U!G+UlBm};qjj199)P$!jE`F=?>c_@PI_w z5q=DpLabJa_z5oRE#1$#HOIEmYXG4^Ku6`YA%jA3%`71>_cDXz=l-o-dS%}kfA?%H zo2UnNYQsv}vb9RP)w7xbEcK#*K+sPS}N&l8TQ_U&RZwFc$qi5EwP4!-qC$m$$f9h zeSgXQP|1B6Jw$cm-0x?NAVN!9qK2nb$Nh)?O}#{sIZ4Q zJov3gDu2OC1!cZ>h2XEt#<+?EyIJXO*c9f`-rVN8(C!=TT5DG`xVnU5avt>ahHJ~> zn)r`{2mJOonm+Fbule1(%l%GXsqi}=Fbe1X@qZAD5>ww}?>qqCHLTcTyaa(9-C&f_ zW%ed*cjJyrh@;nvxoZpG{xtnz+%MxfJMCPx#`2@CcdUY=ScrbNQ8F!5{a15TJyDI(}|p z5lJMgZ?o6W&>jK;?hPk;- z<}<_PV|Em2a4$(uTZ4zxp!)!d9p2F{0=}3TPuv;y#u=bQ#o`P7qA4yeUW|JSP9~Ex zw9PWH2&DP7Lt+peM8!sbe>J1SRjgO zZ75;Bg=`m-3n%4Bap(gyV&|L5%T$qPyonmFj*Ez=G>|D2^@A= zzQ&}aw+E^t=B_R%3%hZ1xzUBDGQF;=ZN zFX^w5L_~!w_+c@vUi!y-VFscxb}eIeTa36QsOiLN)gwD(E730c>W0<@{ThAYN4~wz z!?7oKZdOJ}yK7 zOj7)C#w0t}tv^;XkRyfLt7b{Yk{Ogwo>g4Jz0w04_kk_euPhz&0CLo9bF-vr+9627 zfRRV5ZamBf1!^=vFw43`FaQIisDy*!QhH1aDS;!+b3j>u&%{e?YYvOV`F*c4n)?#9 z0w7A-i5nOn)^t%(x%f~FLb8rJ7b3BcN0F6$=`@MKJWjDRn?|Xv(5!?(BPQLZAnOn2 zx7QF@IYK2Ct-$b#2tW@kUN)z}W5i_%&(Qu$jLrfze9^-Q$rz=TI5|Zd`!qP#pYH{% z77=+eFXDL-MrxSG9Z`T%ghwx#8Z&u)0J8{4uXupjkN^tp&?ziq%Zw|_(`Geh+A`z{ znuR)j4?8xa&-)$gkdE2G_W_197N%jLUZyBF%@z^9CfVFS#Y&h2JY##SIwZ*0c{Bp3 zJ0zHk9S0YyFJ=NfTL5=J1+gnlHNtORc7~|sG^K5|vOvx?V=hEgsc4(Pin_eOkHMzG zgYr(z!#C-G^@s$Se+!vvs0M`8LNmSkuKR@=CgQ*nQdjUr7;6bx`pS=(eWhCl1acL3 z{}$IHyQ^tC8J+#er`+!ge%t-N^vnESMFFt}(^$S$E?eZkt@~phz-i)t;rB(}t|SH8 zo9{*)_kEG-xPSX$bi+~hjjlfXN>qPC$m$o1$6Ai9EGD>?suYsC|D#@)Oa|; z8d;5EL?R*x5?v{Fl-2OyGbV~!W_-OiK097Qw3a;EutPG;^Kz0djs-ao8fj>%S}+NN zQCn6vSHXjUj`aNy4>GBxngu$hN`WXIV0K}G8dCx@aKcU8jb?6o;b!ZMhH?Xa_NmPT^G`wnNVFSD&q&!`Qp0j5@>3)CYIrsb0m)!3QUf1u^{jOh!KhSd={-CGF;!hR$b7&>QXqrah zrBz^0cRc?;3--JYB6zdf%4KSKv-n<#{l2GMCYE=7D#7uCd&^~J>GU&a64=iI=`z!lF48I8e$TQo zsK;5>W1D>t(VKm@eGbu^eNSQ`%;!;zL9`{7gb(!JmRKG>&^5i-L$TLY;d9j6YMvnx zK9IY?2yq9s@3o%b3X9FiNP{UyB*C)LFf6E}F>r(WvafPv@3n!DEv2fR7lF+PKZXfX zyLa2@xPgNkpNMgDzYUQhI&Wt0O2BHk)wWlnuH->dPXnh!#Vd^4CQ9%Li)6;;5H`yEh~kC%>St5r3g1_N@1d|G$nu|5v}i;dj3VQE#3; zE`a?t3t%4{7q>nDJ6>=`7`L8uwu?z$I(tm~8osEbSg*tgl#nMM?HimZbPb0h$OcBy zIb*5ZqEyR6x33@I`4nCtF;$C!69uo$qLcSo61#r0pVea!6l=NXO>?lv#I9W(;I1Te z{pOIXgXmL77|&1)TqQl+$UJe;6D1&5E%&}DHR5uq)8OhDhN%cQ_JXY%DF&|Jl%jFD zEqA}UkO%f*30x1k?+<5!wnP_lCt0eQ-@e&v%Xp@CEL0{1(ZD!SLl!a9b8YynvFN!b zd{#etj)%`8gPzO6XH8MhL-eNhG<-ex^UO>UVG@`n-Zv=&jY=+P{P18Pp9`ZkNw|#=SW(_4P1PEbl_lsdrBDz_2^-`n>xRkM^-H-RalKUH1*KXzBZ=-C|v5FCA3)*p8Lu zcMBsw=(lc+r}@F*B7^UnQNU~aU)AnwH1xBMRO2f|%Qk$BF{QwqrK@m+3+lq93=(%i z%Y~IHGcji%2xbJ+Q-%}^l~j_rAyKFfQ;BBc7o!pD*T z-8tUZ-2=w;x+8E!t^+VVKWzN2J7Nl=iK>akefvUn6XD}u@KiRiRgD(-n+n;K7?+T7 zgC2OdPQOCdwIOEjNw^W?%E>xYe#n-vQy^wM z#)!hf?u|tSW|R(%72*iPy2j)XG0c%U6~>maLS(m?+ZCR7sHB{IsCqAXa>?c;xPh;2 z7}0J$9m^(i->JqAa{KhM!Up9>WQUch7%Tx6dULzYb_Pa4GP!DmO5FJ{;vb$7m6v zvRd?Mt`4>?EAkf{s-q;$VbhA6`8#$=y(l4A`{WrcijmLgj&rlP2sEP8WUvhskD zISDqa2ufiKuQ4%~q+wbw*8}s$9L^Z`eEM#w68yElxy_S@LSr#I>m#HWMeIe%Fi7o=FzJ)m-?ZH>qlz3;JZ1e*+zuxjtHAR} z6-`@=(nu~LQwSNF3rK|Sh9lCDG-9I*Lp;k>C{jysd8n2oB9P}l;-V4Jo!i1t^7q0} z@(;pL@}Ju8@cj!Uj$PmXw&V;7B2%_SfII*J{cfUCg&`}@fYd?>Mr}|FA|6J)Yl|R2 z$S7cvOnp^$ElH%13HVD9Ua3Q!heh(JfMhC==ERwhhJu#%pqC^iaamx)xZT2}%oyqK zvUZ90YO*U;oMw$-UL4%7k5y5ns+nW*5q;z=`5DM5XnDMrTa91kUpKQE!J>N z4cr~ZNN;Fo+BRS{AsE8&6TpCq(nz*LPZ3cqj4&HN2*edo;`k&t20pf_WoqF`rQszR z|Jp`^V-ABGh4^7H#$@U+LLaw*Wf-&&`k8r-cBUbTMHFK`E&%E8NUVm?1^gKaqso)* zOBmS;PI134J>7o)AI6_gxnqxuBmCjLy#N-;bl#I#GC_f^du_8Z9US$8yAzubML%%z znZLFWf0jF55fOiroHlQK1Ad2?^Gc%E)kEplH|#i=-%3xh%>|IyZzu-xzB$~ulI$Axt1870O$*&n}+D7HoB>a zZsO5RS#&cbE@weyoLE>?JoN@YGT!kx?TFWb1?>l#miZl=-I8tUPkg|n!w&`-QSOmj zG#miM+7hF?*3rYRKjg=afB>-@6GGCU5x~P3ec|2RVZ<3rCyW#c%_coej157OoCCZ> zlg%_2|0)~tbZ5OV@az-#aQ=w6U$8_PW}FL7i>dANH`we^NE+*oWGBtxNiSg}7C#{9 zjR-5TY`F-mWG1)>v{ccg3*4|aX;?Nk$&iB3&{5E<>sxd`M{3}IB-7JYnF8qCM& zvUq`+uBdCrI0UVw441$uen*>0V#gYd-RI-ba*_y9=Wbk2XhhL3(%A^IL3*?9v3}VD zvZl0yQ>*Qt2JQT?-@)zQ?W-JNh-rm(Bywr6HXyE)+w4bQ73JA&3)u2^Sovt_Y` zv*ap#Bt~2uenQua6~=71xQ#fF+3mJ43@C?kweLa-@zIxKc3WIrLDY%1TC8^&ir5=4 zRgtZ`X)4-jQ6ZKTwibiiPK&E2MwgdDU%zgnW!eILc><2qi*G0#$K$90>1SDJ1s)gR z!`>Lm5>RAf438_f$m6nRjK`T}VYh`!lLqZ;6H;HtVRmdb_vh%4>*H;^l<=I%tb3a@ zvIUoG1O?WXZ6j?zjC{`saBx+&BiGf=pCn7(yb%0<7yYL?Os|)2iq2OUNvgpu%_sQ zrlpx+t>3zP#6S3~B|1G@h-GPiLi(%xB3&~V#hFUmTsg7QW91j|c=ueXLOqg=na;`H zIUL|$uS5L&9E~;qNAf^dEE8<;+TO6g5QEYw5ZWofqyYn~! z>$Ig%vTfqcTnRNwkIlEfelfZ?-TAGdhuBeIr)Bij(a{#~P9e^MU}Gv6ZGE-EZy)vA zKT3+4ndk@Qi44ip)7^s; zEygF!|Duv=@*gUO`s{p*-vMMW*;uB7>`d$^;X!tde#}s1E!1W@mL_JUgFX3AVG^X2 zxXTZo&j3h2-F{M8s}f~m=xF|)@%^87?v%2DKM>*6P6vk!{2->T zrnh!g`mO6OE+Kw#()wNj@A$_T1RMAh4}K@z`@z$Gur_xEQ~re(qP?qWmfzmzcV6(J z-!f`b?AAo(zsYjRy*E3hti7wbBH6lOI2F7VT1xBdvlevz zeucjg2`?+FdxN1L^zJ+#S;_>Dq+1USdv~78LppfU@4RyK-*|aq)UWUL?mShAt*;EH zJFlwLdlh$?jC!b#ACpts>Nk{R!V~Re1CLwK&4DrGr_^!+c!;N=srC8 z-E^?=nvJR2VX_g!jbRrbrVHUJjUd3X#cAo#f?z23M{K49J-}}6r!>;u_pM8U9g@QQ zN5^(L@YqRZ`S*-Xd+GzQ+{W@moW2Y~jL~P6h*XGYd=JF_@mW6mcOd-D%TV@jibl&n zz|j7k6#kYl>7RY0qvZD(`I!~1T^Gw0=g(@gl3KgY-yQbrANB4OlrIR@xj&~XKc@9a zym?mcyyYRYU6%Wx-NJ11jYgT^RYBK#|1a3>O25-+1;6vRc3(&bJ93w^Pla$_Qr9)` z7HeKwrCdY;aUpcr$o8{^w(xA z<)6LQ?>>AvwW_?$e&_F_7Oy<$*8!p(Azw;0F`LiGY#Z)WwEC1}H ze)mxdJw>6WnfoYo^z4Iv=ZgLQ?8km#Ut*k1p|@;$%#D3L20wavX{G&CdP7CllXdj+ zW!{rhA9sJR1VcriTWEZ7CWG(6WNUm$cUxsBPU~}JFenr_`6|}mSG(-zO7G?>><9kp zp>3=!;rEyM!8G%}0u{c_y*>v3ZM-LW*5C78xUa6Sb!4J{1E7 zrGlKkz*cb{4AK+3Yce(qCR6h$?_b4|tuK2`H_K|t1aCDzmA}!oR;=Fk@Wim$|HX~z z^WW5-*VaMNsLgEy-{lE&pwMO}n3qU(e7h>?Jr2Icz1C?0OWAxWb{PHOE${j+zhhp) zJGJ89$RTBM!{q2jT1W-osq)(Iq?q^M6;m)u?z&3r^qA6P zq?b)#N;O{VhZuOKqbiXOUP~U>5cAsKYdC~X9KqmV>Am&~NEx`ENQdA3a(R08o^ai^CUA^(=x=DFgAM$6f zH}zk_FzMjU+`~_W6iWreya;zi)%^C+=I{SEA=khN^F(cqrhKDjka%AE zFGwIS-C2Hey0iL}bmv_3&b%oYHK%1_n=`R3em(5{!!E!6V1xI=jZ(*Y*z5hUJJ~ku zwF~ZQ_zO|Z{FZ^)+TZVY`u+A!%4?HApO~+cBcBF%W!1I5f@|=6-R4v<7`^Ws9QESm zANJyz565}Mv3j<5eJ{ULv-!3YU*I~m`a@h&ABuNoYu-`0){PCV-3XXi^o|3$)`eaFFkyF~vV{Ao(YZcT$o{NP$7sLwBxFKo)O)%2@%)lWhdB+G` zA`-YKB&feZ;C}IbDXstR0#`p?;Lbfp;8GH}SGW{u>HL%9%HMOwFaIax@76Oy0{-`x zzewut(BHw57<%ph#NB^I{%)qeEa>*<`es#oeG9zRK(81 zr`w6`7TOh97}ymXuq$5i`21h2d3&-WTjf0}Gdm*-$ZNesE8X7bwar2lZ6{%F0*$Yz z0mM1AJYh=TEaq3tgjo;_k1k4lZgjo(XfmL&_P=61==^G_`{Z3$OW*T&Eebz**R|64 z%0%UpC!Mc6ls0Pm6B>ij*BrRKI+Z(fA zTo8L%R!}DPDrK<=_ITf0FR8?ON(axSyI(I)-~Kj~aCSk)yRttOdpTYIy4eN3clCO+ z3%sib(zDlTpG4Lmq)Z2IiJE%dJ{eqH)&55FA8PpjeQ7!Hx{yP}9OxA5;CQEky|M00 zhY{7gLw^{~Vbx!9N1kj2zq5LZY=tzoLfUMF7c#Nkzrj|xf%?L#>(rvw==iq6^kcB< zU{N}jtqP7}9+ZEWOK3673B`R*B<@9v;T@JNu^IkGi1MLSY_FPlXcYmZ7UIbO+c5D+PIK7KSk6+CM3g~!vuQ|aJ$1dh|Ly6vFSX@Jsc zaa<*!s25Ku9zoLSGILHRCv_UWQs%T;FTN;V6Bep56Q4nF&H-hL>{ z%x3(%CpOIheA{>~E4#vbaK@}F@0#&ZBwJr+9&LUD(`;hnC1E_4{3`ORKFUpIR_w~V zG9QiE?F8LUu-l2cok#=a@I}0NYc6&}DDLmi9r%0*+%-g>GXZdQIQO|Gr2VYo^Ft32 z3q7Uy{Nt)A`d-jvGx)|zdXKTy?}20E4O7DDpz51IDoYN+J*nx+R$UN`7|P9I6DzkM zc-d`r1y4Es!{W><;ug0>+?t1(OC)z677_bD!o3`GG~6S8<=ukev{#Y3O7>Cane<(P z^m%P_kzo_Mw=*4cFzxm-GAdLyE=+e;&B6Bgux}FgNLA|y_;LwJ3p!`a$r#@GaONW`2+v^Sr|Y+Pcj(hg6vW{74Dbe?o)9lovAvGs1OLDUDRFrAN$~7(zk85B7QYcZ8+LehsCLDB>NrvD zz|3pE(X1&jVUB@IXB8mR&G26ZWOmi{m69h#AT*wOpD+jD;ZB$X@Ng&00eIr&?*mNE zaG0|(#GE+_J$6>jh%je+vCUOR?^DZ9rEiwDSMWouR-1u@HY=Ma`LVb1b*2k_um@_i z?jH7I55h5lrGt6rJH@t7ifvod*9(B9N&+mDw<|BWO5QbtxrT6satE$1F6LK} zUp2?jDtT9C4vd_ch0@N6Q3UA8<))2 z@aICdN5|mLECTuL0H=dT?UQw&5PL_XHH}S~`j;D<{LcCPnfm?}zlR+SGCcut3iFq} z!zK_0*lWqrXZ()&W$BJn{PV%Bbf5_FWRfb=9iOaJT0AX4O9$*Dw)PA$3BYJwTpr*p zKf`NozIEUSAR~RQ_!D*2_}jMaw?M#qQ)0T|K{|MYE(szlYBwEdt4ViMr0dvA@3^`$ zUB@;;Y10cBomyvGY5tJg(P!^>dVV6oQa%g^ttOkd{$9GZX;|Af6E-ouRs~0NSfJZ) z-5kTiZJOTj{iaD}_!pDUTU1_&uTY-6Ywlz}*yPtg(uB?-P@f?mE3KqJ)nuj0%~&)U zgRJ}{jIMI5vdm;O7RM^;dzv?CnBJX#NXXJzUg_C8o#k~ZNg&Z#AQ8AbA13XQ<#iP| zYrQ-68xXM<*g7O2+CK0vO6V+~fopgcFin-}8Isd<{oCFT*&5H(6WaK*wdwjdF_e0E zNyOPpPx5QM558%Kmjd0H`U4H#pW$5{Rki7v`hBDlfPS3HbzP}82=BGOh_uhI>G9g1 zwHrWS8#fIfXkxM2H*lM*dBz2~nVt-;uJ8}jpV0gKl!0S0QjL73rXuv2sd3Dys!A`u zxN16lo;bz3emB1tor3xG1nZb!$K}*TRTgA9h1(1nRIO3fT2-B;suxpb=_wdxt}a%Y z>hhHVt6a-9b&BpYrvN}Mj_tL78-S8uddYubEUdBDHXVu_=)oHM2eZbyoflqWjln;# z^;AS?E;7_qg{aJ}N(a?4^|dg~FQ}dNn`D_i!i8fvpbM7c6(H@#V~}>Zc13kvSAKEm zwqD9S23Bw(bZ{1URqJ*U7@ynDBM-5C9VcU)g2rlKEQ1 z*B#*NWIvWOo9;jf-cX~K8Z!Lh*dgKTHm~jP4PUzrU!N%8>rTm0Yd`qPhHe3033CK< zPjk8keCC^2O}`iHJh<~A8HE09Sm}j{P4AD&BV%WlA(u?B2kGiIdvMqQb|vMJ&y@1Z z&(aMtm^ur9O`QqArp^LjQ)dFOsj~ps9srizb1a_|?0+ugOcH?UY_?>_Yy}c8<->^e z#o0s8G24^$i~q8Y4a&w*@L$`LEbU>oC-*f!ou8->0!Bp!;Pme3WU#q!Ees9On%p<+ z7QgdDoM5mB!fUz5`E)22%r`%jzowY@p?^B5Oo`L-7ZekxO_-v@TRwmd*ilvCpI=39 zRm3PNZt>C`nF_)4MA$7;&S9htLk^aE;&w;`aQPz!W1E`@KjNNuFf>Ny;M_m|N`?famktRE;j(98F=w)KKR;&a1D+(b}sB2XBwt_TBX`dcmC02}%W zK`xJXUJWw7gK{OYxxW(zesEl{-wWIKqV@&DsVV?t{Q`ph*DEToJ>upmXk3;q)_hj} z3P&-NsOKUXRmg(!nr1P6+y09(!rebTy3IeF05<=gO$M`(OTuS`uP}rd_XYSOe@Ai6 zSB)`qIIlqbACV<^B~NR9N1dehl9KX@|9?1)|8uCo9OfQy!U-<^)7Tw=UfV{H+i1R; zcgLRWys2fzY>B(`U=n^c%Yo(- zh)X!8VpFu^-Ll?7Xxe{ptZqXi2Od`dx{^QvLHi3VA4idId9+{4gT8J*oJid`lc0}F_}5gjbaZ;RKnHT zDiR%=K3T$F&`j20#Nf#={A|xI`s`TznLLLd*`cz9*UGhDMJKjUCyYxsNWsgUD(TM- zcXCE7g}Gdl?1%xURh+?T=j+oM%)P3G$xr8|!?TD}oc^i;R38U8dm?>$jQpg7O$ZNL zTNzsX9D0wj{Ykgnia+V9+0=S#Vj=tmW;b2b#u>d;rvIuclIJZ@>=i-c{w^GYv0CtR zkrwRDFKFxX+O+i(t~XrtU|1L5siO7~yeF%!rizM`4=vj)oHE@!@C%;Mr?xF8rRv?G zqmmKGuT73_mrTr&I>ca4pI=phKGcut#A>Bhrq4$)q7&^>RE!Fugo^Qw-xi;CEY?w^ zHhPSD;H;zeq0(}P&ZkxWOQqonosX9i=%+-jxu^^nv6e%315;?yM$VZ`8+V~qPIrgn zJ}(+~M|Fi?$4RZ~at&YV{Jn1I9gEQE%E3)>QwY_1>FDcmd+g{{kzooH()ewOt$@v> z!}II9=?Ay2!Y0#kEq#z;P92jf>4LF)xBS#>hF9=l3e7SBvIq%%T#ic6=ME5k+KQNh z@Y;Wuhk*x_0z+2X7-*;I{PAt9_;3cw$6X8Gx77_>_$m!cbrJK`UrB$(TBA>)}z$5-JMg18FuO11fa zqE-p^1=8&o#L&HRx77Dk>-!k=^VGLzeUH)fUfV?GWP9*8fm3L4w0rVA`7)SC*yA2Q zk)HS3o@RkU`F8r=iblmEt#64=?^|`#{f`a&g#;uty5Jxr8&}BLT?%vCqRtH$75i%* z3p~Sfi|W_!a7syw%Gz!kx2S&o^KMZwzP>_RTGY?;+ZOdx-29qDR@$~1yQtFF!4arg zK2s!}DU!-N!4o|beYMuRp52O5%V%)O%rKf#?$pII9z{4vaQ0V{OMz)(`!G2v%-?+0GD!1@F}#+ z{u=5H=zyy|hs;(EKk?$D5ytp#F@Ao5FygR`x%99Pgz@6;2+3a>pRLu$bDVv5-9ign zjda``zvSz29i%^~)83#G=gXwGWS( zJ>+*(WNy5=((gFkzmXuDj=^sj_#pEMP+i!^) zc%;nd8O>)O^Vtv!R#e&~Zs@7&x}hhy(ml0r{#M1tD{YFh5gJOuhzp@_$5oY=T)`-w z^1aNSjF&l_4n`K-n6310{6gh|&fme&eI+O07iqQOJwI4hsnarl!@Y|gUX<>*jPv~* zyP3T`KY{(*j_N)BY1Ql*R1;|YM$8}G%zo$lwzuw%rRwwFZA^FIzfR^rBPX|m=Q%Fk zaA0GsXqIws&x$JvBZCYz6ZwBcOUOyEV%LJG4y>FS{CX1)e`!C z2LJlPbjRf(eY+fe%b{;MTean-^zGv0cSzsUA@OnPTmG!0Z#hS#MBm}#)3^Lt+TIC$ zpAG5TD!t_Vjh@N!XL0 zL2k|1+@$3$BR4mlc5n*ENHjy(-1Ncu$ocH9{6yw^O-K2LYfdX)3rRLE=xm7iU+aTl z_N+<~_D%)e-G^qT&hExQM4sOVCWP|bTO!Z5RQ3edR?Y|HDmGqi5{v+c^1JA|keE8C zzQ-&xO#D&*##^8RNnc>RIGaD`mtMDfOn>}##YuJB>)0VylEoq4_B%h%Yg@aBL-MNN z##nH)^<}(?BULM^mht{NTRFU#kiR9|*(oL!xt;Ow$9AiE{~_PYO=<^kDCWDl%j~G( zx_Cz|*QGleNPU5y-8?PYv5-67zYS|F;clJPSk4{c(H`~}2vq*P{$>d;`pg3i_`X{A z%aho@2EWwA%pr=d<*u67EUZqAkJ!J&120P~-^7cv{0$`EyY2COr9Wj}FR@5Iue7as zKQALT%}=(r#LJpKl?;h$R_ZIcC*iv!J1RF`FHZ8>%xEc6kbyzL3=}*t@I|QVYAK#! z2ZD6&p>A{gfq#d%W!|;V7fGajhWVLTVw2yQjwSVXXUZD$19t2%T7>Vg2qPS0U=e`v zw`>tct5(c2ijQg$2L76Atm_XZQeUOS-~YG0?Blg5_>^qDx-!OsXM)6zf#*qJLyzq^ zy@uaaXH7(SC#nrYA6u{C!g>wcdJWrp4Ubu`;W6tqTv)H+aJ}^LyA8$lnmeq>v8@+> zqspz7ex@ZTQz;jzR@18Es3C5Aai1cGV=SjT5 zcMI6`euOGwf46v^E#B)8$DpdGAOvIRpX4a19phjHoERAS^2?8*sME*)uhCP7FW`Si zPr~$*IC^nndg>&`vHbs-_`igdz!Y3`Pge=i^jENCbCA(A6OGmS2UTTFb(xM!LaSjx zaM8vq6}aTYM3}@gk7fU^#9)UViR(FVCE$G7FO`uy=>mt$pE6{=&XC!2$Sj{QSFikz zOLEW66)w|Jl{NnZ!1r%+lgsM*A{|gf=G?uM&Hs=Rw~r~2q`%}thR)xi#K1Sk1XDyW zX1CC(CgGw2WSBUzz@V?!cD0^6PUk*p2YnZK^Lx{+hlQ2cy#s?Z&$m4c0XwfnOz}hW zh$#WaU}utj3{W9r6JFH%{PonN>vtZ9Up9+h zst!vTr0Wk0FHvsE*4x0#uSAwIc6aU;PJ`=N>lUg*-qSpo`)Aw**mh3(#&0@3)NAxT z#b}EjVxRDEx!3wLs?{Ap7yTjG1rxakwP^PGxqj!jWshxB|r==IQ)9>knT1I(?b0 z-*KGvclvU#G>l)r&*{tf_=S!bAtFhUwvxBV-qT;w8xiMpToG?N38rYl-N;wfy}|pb z-%ew6VEv7C>OL?#a_Vjlow_dgL{e&}J4&3ok{1Tb-hn?xD`ojF{zA+eI+_Rh1Bwjk zQ*t)*snF^BwDs0BZ;aFTPTE()1~K{L_AVVw>&kdnb;&`ROS27hz<#`U~m+4K!L z#k^n{`eEJv?7sZT#WnFeX6*6bKLdYZMybEh*ZN{?zQT3$>(_tx!t{;3VH2rfeQGxD zT(^I48>fn590-eTYrZJIloO2`HJZMt)~&cvzshIWFx)_Jb+&vrhF7(ba09+Yo@z}W zqlB;gK91Gs^n$WGG8-y!Xj}ze?%0TI=}blMtxwA2s{!L%c9&{_rI0uI&=IZ!4UAxZ ziPvr_Xy9X{x({g}mr~|OjzQ^h%A6B2bKvszDD@&*o1T|^E;_m@640Zoxif?I=o)es zAMN70^k^@s1%vizKTidN_UI5#X3!oj;|?^IfdoMRNC5p2KgL_f^A0%~1*6|ke;-pF zvu8i%s;mc}2aYG7oOo(F!;kGNS>Gx1wmJKDZKLd4uWbh)3=u#6!m&iu>Dk<;J~9Qh z?WDKp!AAC>PkhCgIUQ_H&)(~OuSV4En91Rmat?%SAJ9T9U{9g7|Lt^V1Ju?z2J;`1 z9BSh16d&M-bRr)vMkh8CwB64lL+v6OT9)%47WEeB-CLk{uhF~L=-oSp-o0b!-5b%n zN`)ZzTF5Q`VFCW&M<`K+(I*{5cYF6!GLP+=G`*Ga=5IF2%Xf?H5hl4C zPH%+vd;RVKXy1)JvdNjPBN6TS_Peu3Uceqf<6w_iQgJE;dqm{ug%MNsiCkm%A=5`g zwPN?72J#E+KD3ah0=o|_;mO#2XgPNb4db8F>7u{cuT?|N9zh=+i0s!ob!haj3+q7t zq2tis*(1H;Z;qif?+*>R%}wPv0l3q;j++l#98v7g<|qB&cU*M5_#f_c1O7YC-Yf95 z?UQZ8qL7Jl$8Dro{Y=p1A3WEOaiVN{nIH4)SFp{JmsJ+hSv=)O8S!EUT>&BXNYd6cejkTV5%iThX&z+!SN^r92gx!-pp=pN8K6VhjJ+hcKmC$UJ&Hugd zoSXmry6uhtdV$~Q)4^%ERAShgT$|AN(>*HkGXD9l@?EZ*0!L`t)NEccYUA#M&V~mM5U-jLfc7zpogzaX6_qwvN zrc^XE4qV#MdJAQ)XMar%PH37L4RBLfXj8FJoI;tPw+DjgS0P?#^pZQyYKc;fUn*rl z_=%w%?DqrSL?n_R`snFu=x{w7#L&YYYj~W+<8=2}%j3o2lpBzjw{^z!mIs6-7maOD ztIxL-#x|?Dc;gy}xmPmEvg`Qhlr`}If>cbVZgX9qW_c>3e*(418ct3h{Borh9wtBa ziL}_24$=qDE=dSilSDX(R{>6iO}2&QzKj?YQ`8!qS4arH#6l}^`uwQpG(Ed6z8rUB z2~*-4$(WSs^jJ*DI3m`N=*F8ajF*BMM|UwrjY$NGDa`5162L-=hE-FN5L{d1#yYER zbGkSMqsEtO#-ynA>0?qf0;W@#c*j+YQ`0F)nPt<75;DP;#00fAop4n`N>FedCDhnh zYN!y71c#5iOZ3%H;UNtr*MMEehpquj;8egTU zj9mvNJZ`Nnh6E)I2iING0c%l`qCv1;B`F%{#U&}hmlo22%3X{}E;&Go3q*8l9i^y8 zx7JaLhU?bar3BZ0E*!2&OEeAARCg?aG+Kxom0_w&!g7x7N(QZNN~aNg>1$y(OhrRZ zxAp?Q*Dj}#Z{5&y48HZ1uGTnwE9r*ihT{qe!IvuOB~Icv%1|!k)sPM$z7>cUTst1$ zfKVfNpbo=p_{>K=N)VF%Pt#Cw+$QsM`!v&KLT-ML-nzT9j#`bB*L_ zsg!MHOfS5nK@n9N(4ZgfQUEG!s3bEB@9EnS76ZSsc>T~>hlF?li^ zpn!F_-R4XCCP1{f49Y_RODWz_zQzV~Y!+k^L1&Sz3Az>61fx4wSM5eA#XIuUCsaQ+ zk6F%g`4Glo3!}2RF&5Q#%-&o&#|5!<9F&bx5N+jwlj=;vEyzI6{IQlgA7qLXXXZm;!3$$3s3e zfHgjhpjIu5)e)xxk4AZ{?=nI4F?rC=cVu_V%Y6Iv1&$STx)Sq$#|=G1W!64k8kI?s zn|vs(2L4?iHd3KdcY^&aYm9F|hC9Hku2ZCibGWrU3-7xSSGRC!cy!zLjsQ$-~t*`wQ3o|`THw?o~|8xp!Gk!rj*f4(jygtU8 zB+q+ocdG`ccof8Zd6xw-FZXYB`$N}<`$I%AbMLd^ROb2Q;nW{Kb^>~JoWX|BrOA$~ zM1?9<>m{~z|=1w5+iT=>sG)CqzUH7W>d(x#Ot zYNBX~V9DqN_P`9%Hnv`3#fBoSs1#-pD*`f!b)RvR)1$5Jsn*`Dr>&mT_J~?*LI}B_ zkPwvs%FPRV7%l-M2_WSEd)L}~E+nb7-|6@Np6B~`9wsw;ulst}`@ZYF2F!zrA=3Ld zC<>i-q+nl9TXdP9L`o<<9=e+8i6+Au$6(R!)`l+eSAA8fv(A*^idhk>|83PTCP!1< zbf3#+C(y$lL>QdjgCk#4y0+*<*~L62Ka~4q=u~N~q|3U9mTcvkt!lfae!4Z2r$lA^ ztXl6zYsQFEvu=!kjfYA;Apj=-_3_PaeGFew2^DG=kzl7jbc9l z0Y^yqL>&j&>`_K|PplNBM)#KPO_3e>Ic-Ksk5SOcX9?jV2=ursx6Jbdv1YsR?(E(Y z`7k$Utx>YlC^*8W$fjFq#7z+l^$#Ox>fRdJ>CPb>WUEoo#HaLAhmbN!k95IQR@3z5J$>+2}7$Y<>ji}FTFAZsJIa?tu6u{B||A*R*M4ASf*X8Nj zNqfP_chNz94utSv3kYG4qanVF@pxB=4}|qy+Kc~?Z%WOA5BzbX>Sjbe9cWWL4@ux7 z>?1_2GJlAObeiLXcoYy%Q3Ry1FCl#+j;L)2a~#ihggcHXb&nFIE@lCm5Jk>S7h|he zDHJ|HM)O0C?bMCev$n>XAnSa_Ss>oaQ7{h{QQR=lX$e6VTCBTxZq&V}19s!28#>J& z{Q_^ruyZo+Oh)Yl&`CSQCADIX1C)!1P3$)!$Lr>Ob~+>YVbjT3&OYn@!_xov^T6G; zH`OC9o5(>tIsRktTWUTwymcvSD6!kGW&anPDOxqz`|D(|2jY{|-eVoyW!*w`P@CxV?Hq2st$RYU~pNZ`92pz)fAwM76D__LL`T`7E3 zG-Q-#5|o+1C;J(81^}r-so|^r+>(T!ElK#=y7tEby_Yh*xV90S!O>*ys355BCEfkg0zf%e7DJt6D{0+@*l$oz>}7TW{Wv zSODuS!WAWQ%FTP-8P+3d^S|LMC=NW;J1Ff(z0r+_CEFH)0+LQjauO&)Q9{mH=~hoG>)g)c zO09`R4I6HWe?x6ocH@-TDB{v!6aK?`zSc2IysR5|!UOGjjd!)TI-!G1`SRO|*9Ey1 zc`^zzq8i_=EYf@u+ITg#X|+BhHv410nebys;ukYaiIda~8Vi`4(MA%sW;0B7YC#TO zi^0Hp`K(-@D}M^xEHJ8_%>n^C_-pYu!RsZ38{~7&234bCeZEwwTwg4I zX11wcbJ~jkRs%CPNGVz<_Dj$R3_rEEgjbyECrUg23xmQ{!&5T`GIh(XB43v_!@o=1<-iLXtX5EJFP9R%$iZ{%!< zSg!dXl2fLbi?;R9XYYzrC;~@Nx04cIbs0HFq{yqPNJV;)^@(RSpS;(j`Q$q=jq1xM zPbRAWF_~b^1;7wPS2R0bBLl(L43i1vnt4NF0S;!NyS>qJVSb1C#mMzBT2>ES;h?{< zoGP%tQ$eHC>&33N*TJM-p4(RrgDQ!OW&I^a5q23D=(!Fyaxe$LsMoi>CxIX6KI?Ky zs+cxCC#sE4uy+=$3jry|yuZBUeenXCE&D`_q`?6(2A2qCdo8P7q1;=2=AB#+#~Y2= zVra##Nc0=)Tsn(C&TqYBubifr?4|*3R)imkTrr9O(?YP zq$&Nx6&@qe;icEaMJ&?AE7K8H+8Py7MeYnctxNfq#?hxV=V{g`&@XjAB5MN7(e1>P z*Nm9H`*1%S21_03afL65-%r;B=IWK`8_K4rhe$0Yv7zF2on^G|EqnM1u`{D^=qsS? zw>p6c@T@McqI40Du{1W#y>$CHqkUi5!?*-Y;Voggw$s!EkGbD@b3cCdD~|&~opO%h zYkI>kImSDVKL+fca7@w5g=rEpjzxc<=&%nQLpoNi2KW=3p>bon?BA3$LGta^-bp{z= zZs)&b+?@eNyPf~SDc$Wmi(E8!2hO7WjFmj+e*%tS2Bvhki#grviY1Z&U4Kv{;v$^3 zsZeotHeEtvXP~jZU9{E|zB>>4oO~cHDIBe>hCOrZZqQE_gZS%0=LcMA0Uu^9Cp^{3 zIjFgrFkwLUm+T3cM{CxHFA|Q2v!d9Y8;K{S%#Hj-TSEx6w%AP45zF9BCL<(zd1VVB z!}ipav(52u^WoeV^?j6BD3=F>on>c&<|aRR$sW3ZwJxc}eFTF=cIF^E6R;sEHi@07 z^Vh}M88L7JA#S1c)YzzEK!BYQ69Uj5E6vWxuBe?6eJ{&XIauw-;J>*agJnO44jy7mek{{zQ*2VO zs3SB)7}u57DMJ9D4(IeTt^E1!nH?RVvN}CDrBwliS1~HNuoV)j2}@RM?g8FnI3L zdiqp@IwHXKG2nQ6FBfI($+V z>Lfm7{-45rgj>T`hSVh9yNA3~C zFPwTQCSv0dLnAY}Xo0m&}{rIQ&OE>j% zpIX<~z6^gA<|FoH`?*hvNR8_i$w&$ik&%zYJY0Zj=7yYgW{;MTFn>bcWX|8Vty?Pa zBI9XK&c8i5|8_P1b~XR@jQO``%)dQ3e?>io%x28L1$hMQ2v5bnPS5{bsiW+>Kndy& zihWmq^T)ofA9)1x5j?t9=HI5~FF9vgB*>jI=~$pOs5zw3Hj3&`OhkyYiOUs2-4KF9Nj*ii;!-d<%3FGt0* zOa!;K;i|eHYU|aMD^RE7h~ft5n@f5Vb5c$y{8ZzS{XNWk4c~`{^G(6`;nBRQJUoui znTHLYCgn|sZ{$}Jz7NmlmonfxypV4Sz=Z;Ze=YL-QV?xwcFGY@@d}4B1HMs_?~9vIC+#wYbt7%)&oK$q$r$pI++>{}k4n zcPrDL19R~|xj(Y3*r6(rzebh~ zQ{m{TM#+A?xDprU1gIa9xwv&iLt}A8M<5q(ELmHUR>Z6ua9^8Pq=dA}ij|)k@FU3# zE9&(E^VL_cS6K2T){mB#mG$G~&&>MNBJ;DNKDEmH^wsNS=4+tdUT0xoF=TyO42iGs z3$Lu?ld+)<8vdKz(r(_VYJsK6Q|%S5&Gz@M48Psy1T>5EjNpFhCt$h%)S)P%ZTnV% z|7KuS&=eDn*PibccCHcUS7*Eb>)j%S761>``8Hl>R(fiU~eY)D^O+O+6kIlf0R!AF7U7lP)>U{Q-&HRRGwadG{`5><&6 z5hikM23#?HY?>2`SSrSvzEsUPr6sAA&F@$IGuNy6e`39wQe$@3OT@ISS5vts&{Ph+ zeN=3i0|0vT>~gV%SKbP>@jU>H&&2!sW1+BW(S(Hs*XWxugj!#m*Vw{Wg>ll>NS*N( zg-BX*6(Ye^kJCO!`Ra`YNcJ6I(>sL(iaXyvp{(3(fW3Tvt>V{eeg#^J`Sped4`j{= zV#2>vS7V_Ac`bZY>h=qzNfCRjl5SFM3OJ_8DWIs$$WcR|O)ZVaPtj2;{Z}Bg&Oypw zD^5k>-Dst+zyi673x<)?!ij}%f;@s+?W^K_+*uMoRrSB}S}{vzl^-2~qOUe|wj*^b zBQ|(huGlr$mJDY--&bUIk5t`%gsM_Vj|b8{#!-65t_%)736}k=tF{sjaJKXjz29xM zs~XrVwD2X3n-cg`_noCnMrVaiwi#YT!qMw<1JQf)jq%qH4^J{;*?yzV0&{v_%Vz-i zO!W9m*DWX$p;euAO&AmE``zeX6yIXamCl%10cIH-toyl*P0dYY8&UZ+7D2*wxh|Wp zY`ku?%lV#h|3b{EhIFNO>5`%>PxUNd4=LiHKcp{7h_QHA{6v;y%i$qe-qn+fvf^K) zBoQ58Xu^5ct!mzlL}yYWn%`5@AH6N#nj+7+o?fjbpf6EdM*QW0j4PrOMUi#Bo|u+3 z(ubcFvQAT7)Hjx?00NC=N}}wKOwM=3|44TXy7>1gHJeurS=pmpES<)NU6%G%Pe`OB z)-c{C?&iIR_bG>6UH?~7BGIF!Jld6*MltJmsZP?GSuKUqOgLJc-&nFZCLHWaxAmV+ zYf1uZZ;yg6wGX1vpNuFOQ%oUYruY{4ntBX#a()IlA%98f7mNpYKg>u~RM6K|h{5C0 zDejc>h`w**KQded?5g3&qIE(*+d^?DHUVU!bI7I|CzeA&oIu2CJT<*iepI0m`dLIp1X|}wb|G<3dD4^>x=2(MPYF0xy(KS@swzhyoM)j$ zAhk;|;qQ%~EG1&Yp8t>Z)tA%fUGb)@{$1Tevf@G16Jmg%bd?!?apt>Dkb!g;_q)<5 zs(pu+`{Vz7ya1u6c6^6Xh{kYXmG}-y{z88h!zC#sfay0W+X$>D` zG5mmqKYCBTU$DiuQ`q8_d|tAy9jLw++z!T4$buMfOWX+D-{obNbzPS}de{0@47l6a z+Us)@MJ)Z;=hBz{TNL)L*eF#F9AfF$pCtVPlI9pZXm2FvIS|X=c!^0+N(#e4_unyfoDp)7VQU=$Y1ac7H$1mi|cXo06;nlP^EtMAEJD7IeDsQQkZkc_2Gi!T?Ed{w6veMxHo zi&Vdrh53?EylSc&EmIT2%<{$VBk3jcPke=Y?jY+HyS$_)l*oYjM%8to5(@aD54gRk z6nv#U4_v7H9Cr>j29J*!E^p~Nujl%8-K{RddgL_-QpG^v&X0z`Yurz8AEMEimd`v^ z^cHeK6fUlCc1d&MBxcasDf!IG46aE0&GjR*dt=je5SFe@J503+13+w!7F4Iz(}!C)j*8TRZJ0W5Va!rxgnwQ zGjU3zSM8oeWG{{!;|lx@@h(QnQb&->V@ zMl=tUEKYnz(z^+|EgWZ@-uThj2F`<4^= zK2TI^L^ctIe*e5PQPP(fu?I+mz1kQ-?Tzz@9ahOIp=P8DHWstZBcw>M1~+pEqh}JQ z=ZKUrKtnz7N37Lsqo^x!iY-4xD_3uf9E*({e^c>%y2?V(O_rAU|{` zM0O{WlChKbi@*xoqt`eRhEsk*p zflZ0-l2Lrp3GBC1;ybxp!+`%&sH+o=2gP=JG#;U>{aE@86p1G@atsm)wW^_PpE)-d zUO7cNWLxKIv&;U&(m^$*YO0|F(J7tQ(g#Lod1{_hN2Z+R4%*9ogR|V_`SC}1o5rt2 zc8^BK{IJ-9NOTD?@e+I6$=LS3>8;y+GTTN3e47kZ|50PkKT|sL-o#+^QdnXM?Jy~p zUEr^(g&atfLDI^5swMWKTp?$IJXe(Qqo~7c)_Kj%KJz`Xu~b2pMe7~Q+sbu1Lm%vq z&S~fY2z_QVTKgEeYO0!zoUx>W-e|Ow`)ABbF6!Wj9v2NPX^UqGf{qOf|011z&}NK^ z@BZT+*oTP}!e(q7e`H**gG9^C9k73%Wl!-PL&OazBZm;h;0;Dg@}E7VSD!zO@e!i@ zEzh!r6hbkqox;(mOh=>Amb&z!s6SuuGR2urr!*tx1vG=80RaP=;SQs*p4IPNPJq#O zNiq<4m%CqJ6Cc@|03_eL+xQH;%e8k&V3U0MHf<9O3i25g<}O|Dim#Ld3OjynY;1vf z$XE2%%R(nbgwegjvwUUgAwAa%LkgP+}Z}>@D&tLMV@tZ6hdnC*SQXGjf8`Q}-{)N}o6!p}Ii5tR( zvix0w(@3e&L?{Mt{z^~HYkUzVF4ue`^1*Sl3DKRl4Z}cejc5}jFG?)*1`H3$pBU5z z6wa^;GHFt-cW=T0OUwV1>6KWLt)GUv6`^E%hr+9qV&pmTSM6n6X720Z{rkL6yvLV! zrm;Ph^6Vh?V$?f$oo7iN^0?aL%rg83qck8a!SZ;uZja6-5(^`X0BxH6o4h zy=%#zz`KMFY?rOy+9O-P)xxe64Pof>DkM^!3zhl?n|}JE70k-4XzE00#yL3bTC%$w z)10%fjpcnHzzgGad16Rb`QTaZa&wy(?#jM`d1KRwC&>-zJPb)uzr*ZG_|BNWH?+%( zYnehLiF1etroVb4J-v%k245X0$wy}(>LxY6_*JNFQbak0U!XyrhkwZyI;j#3vHhR$ zyv8Fh2sB4O8?0K4K6j6|ZqLcV(tVzXp5ZZm0Fe(Sk|aaE$0oypTY)0WFtZCi4^8Bm z_oXuC=`D%}F#YImB_-duAO?Uc&VcwtOomnBJ7^}jI|&{lVw&vn=z`x?er@5<(XeoA!07Gg7DWi%~X zu?17@W`Fw*f9y_|Kj%n5%!J}WGw=04>84Nx19K6<7q+tzA*7O*M}2#HRBcN_gDNz+ z!^nZ3s@Ml-n#~hh=3T{JY1wGkF9{w>2wQ*YzVKhCL@SQ#7IsmdSk`%~5?=#_Uj8&F z^aM-rryhFDdwmR!4$tL@q@_aB34G`N`E&_xuVeg3~d0-WFb1dAeS%XAKJe_g2qUG4M)?N zvWevz7f)pqI|T~0#?kqUH%9e%RmHK1P1-jA-Fa&T+}9#()dsNqDqJT}zb=>0(7Jp+ z7p+6ydV*anX0a4oqKj3mm131^rI=$z+sOezn7bKNnK(*G)zlK20(EJT?Ssnx6)TnG zAo%KZp4Jk_F3lh})iDS+R3+SXcbj9$JnHRW!5YkyHv|gW139=1jY6H?f+cfZs8sAx zqeI^g6ma=f1&o|Esz5aGHulRrt=z!hcJ-LAP;<^qYq$lqHKJX~@cbokc;eyIrnBFj zYQHzy``y)Nzc)-7Icoh>b5vV@`^~{!i2`2l_ZZp$Y1Jk7J5bupes{$svkDA|@VkPv zWS5(i4Yaf0)B5c9)B*MzdXv{IRHw38w%1u~zNYUq+MLbcx6Q3A{G0sk;P1O^VV>-G zC4fN#70pU=U)d~szMubx?Fy*sRE4dStq|~`Msm+}w0O1e<7M9k((DEc)wt#~=ThH+ zp@DaPb?93XuqSQjyMqPo$O`ux&dztERaZMdF)1Hm|GNVPZFVue|J~eDyV-Z1R_@1s z-QNFh_J1||-f$7<6O#bMlQ7(@x{h&@Siz$JvpCR)9&Q8w3pcY!}6p-Mqj{tA>|WDd_BPCxDfKBc!n+ise zBp}NeOxhsQ+8by9=mP~_lD1u%}VgaKLjsleoA;5*%w|SAG-WS2Z0() z)HK9MST{1A_Jx?UKRv{Votid|!mFsKIIm~izo6UIWl*ZMv_s;W0G@S^gNB1c1b^lb^0CbW9w z9*QXSNUt?hN>dUq{`W0sZmnvr+p7GTzTaKP zLw{9RX&Vju*=6=KB@?$Ux1WxX>XP474UTZr^r(FOm9&u?J4$mEhW-J$+kW*Oy=F=o zgmyu+IHS#SccWIF*nmyIOd?h*pYktKsX$c{O%JPG9{naa<5|hv17dN7#lw=jvOv5y@-eJSDF6(|vYF(o^UvXnQVo(j z6BWIRh&h7y+F2l-gGqDvyA}?n7C#v{81a+gvUP_-W2^j;_mBI#-$^%V1I^^s3kj$f zR%K>G7N2t(6x-6E*p>$2Mg}5B6;gglr7B-hFXb!irTl=@NZO=4+)FL#pjP4KcfS() z;AJV?u4?Zd-Cm&#YfgRc-(X(UaF;M#gaMxF?Z}aqbG=l&^Z5v0-pcY9G;xP-C%`}; zrxtK}i<8tUj+?MK0T*?CPn`_-;OqevSU*Se>WzW}_}C#i;7PQiL31>V>iOG^d!7OO z*c^@I=jG(YZ=*HbGnHq}rOYcnlMlj1mIL9rW_hlT$1l!wlY^yuL)S{Q2l02C{FJ(9 zU*Lp$u#YCWIPkRlZikWvxD%%Ui;`)?OM4<7;BT&tY{wqf=uQx>SPu9dlLWA4e*A3S zI`Ay_eQ(8AbaGN+TOYMHJxP+@lJ~)})78Zv2WsyAL9@py+p30Ds;>W+sJPr*|DU5g zxHs}^{-j_3wUdZSP=F9XWggJvRi$AR-+a;EXnI{i7%f~1Bt9_;HEjZP?FOy;{%Sua zK$6f|WGIqrzSf$}QIWvTgfoB^Aq%;3*4Au}@>$ovf|<{Q(vFzsxuaH*^44?Pp{&Me88B6VsG1IudRxQTFkIdEl&z8?j}qvbMLqQ9 z5MIL==))&kbQZO=!}E{?F7-#rKxozli}ve9{fK8QYA2=-Nv>m0#tOEsgev&dz|N>@DwIWho^Us@yg1icSYpSN-ELGU!lva8 zH@xW?zA0yeO)m(g*;LEt%uTI4g+A$QFPr3kn{+nV)X6VpT#GzfIfmpaTXu|rxg4LLDF3cll;3h2p6uP-8%J$8q{leYGV<$ zQFu=`i0K}ls=ThV_!5W~7An9;jt9d6YFzsRUD=RgRd8ZTTBE|vM#+H?&I%#{4`M=q!Y0Gyzb(Llzv+dU5@*%szVYFA`A3ejkS3sgOXlm+ z@?8YUI3VF3CK4PuyKp~iQH3css0AB~`H;W(xxC;{HGj1J@B}uf(H7)L+yfGhJ8Te! zZX%=)5Z6J+Jt)}&KL`lri4v=FukbvDyZD&1OR+z@gq>NmtN3rQKY0{iQmKkp?3Ln` zd!_h*+>bO#dAJ|p95Bg!Ffmm2!W}O~NmQ~&$!L|dSH__mE|k&D*_-<}*dQ785=Jd| z@^1=cbibu#IDu&PO2q<=B397RKn_v5u+&v?E8ZYoz1EkYF;?*^q==4JfyMnCgiG?Y zay5VT<4Tb?+438hs={a)00A6f)@n!6(K(_NOAhu3= zyo2QYFO$1!Qh$_&0*cq7Kgt6Dr2oGB*|{)>{qtwfsNfT!6Zo?skE#CN`w4&kQU2^7 z=XV0cTIiqO`NsD(uKD};ow0W5Pv&=Se&hdNe&?~*|99~_oo)8o_ThI<{#U)WpUm&P zvs{<_1b*ivCiTCW-?`Qv+27`O7OeR@_?>Q!z$frKm(tGv<9Bqvw0{b}V?59=zjIyl z-^K5ov~D1NXXK+Afd3(WXG=_1&g6HVf-S%_^HcCUBR?I#b7o(DM{zpvo{fl|gxisr za{Y2Uqcpek(5L5i#1$ly+wm#?Y=_@*I0|U%0DMm$Ws%Kj2whI&cLvl|DSihQ>XZ4M zzATtCI{pqcjQ;qY)tcXdrx}pnfzgrpTv8;(?+BkG{EqNF|Bv4pD4rkpoxhjgG430P z-zjTI<97y@2VG7vIEm0F%Y%$=VV=|FL0^4C$%7{T7J1Njq#cn5y|aohTzcN*Z$jij zD;EwR4|$R4r^G0)A_TF8qSiz5SX`|*+ZsCTK}$g~;ad&XVQKPv+B2Swbbp?${?CwZ4Gp ziXHf8qW%d=%1N>6*UAaGK5%cTblwsK(Rndy$Mj%QFaVm2x%S2Pg4o_RAcKAYA!SuV! z4%uWfnjS(zWQyPAK?6ytg+NbOCx>e5HrH zo~IB*Bf_cK6CRQ%p)bCLigdg@ZukfgZ>t@WCBG$nPh&X)L8qmZWs`V8ET#rWe15CS z@QbXxS`~8eW00^q<~l6T4f7BnB=Mq&off8vt(Ln+FX$p_IH{@c)pFr5sBgUW1=YDb zF;j+h6MCz~v(qMYIB0fSc}z&wSj{>m&QkM#J!Af=_y<;U{*spa1J6^ni4jCjI16pZ zb+~#-SZexN@}!C-kdmw~CytQv_Bas#IZdR?*9n8Y)|;skxa>8J3M-J8tMG+MuV8=a z?ogGMWuZSg1;ii_^*a_ICB*%?EQc+`ReMlOa}tlw9XI7wY*^jA0SLfTe}zQ-j6xFC zj|J;p{B0DQ2<{agMLA+w@9pe&!OS%{Ysq?Lmi{xPV^bBplQrGSLp{J2aZ;jmU`USJcp0a=GMKy~+Uu45soDQ8!DKI7_dx{r)Na{^D}p6FkcE=r&m- zP_+1&Vocpj7_#|!Amgsu!QmzG7kGz^3%t+=%SY4{5;Oj5Z|C4b$cfwNyCbxF56q$9Dc!H zw8<#iB;ALuk_>fZCLNp}gMj|CNa$Ck=VPqk;*5KDO(#ScE$(>l}tdadW$PQGtKxP-M zk^Rvdf~#HS8rh$%YWLWmtwbwke^#dN&w786gw-8jf9UU2q;m9k1j}po$8I8he>Qu} z>8MYVdo;;Slr=r})GTayoWh?HVjsgaVbZj&@$Hv2V(H6U!c-)Wx#$`{e(yxy^2kbc zB;R|QBYD;M;Voy~JpgLCmJ-gPm0a!_0FaXZ+3pZ1Dm>K>0E&{` zmQXC7>U{M>1;IW{3>!Okyc5MfKTvYmD5&F80^v(=`CJtUe}hDHC*Xc=PFiev6i5;V zN22Mc1>ARI!zZ!w3Hq+0_Ddr=n!eLWc6uYtIzT;v+PQT}Qbg65MB8kn7yT)hHeFQ@x&uYW`2o|IG~}{bU)Z zPCyfsmJNJ|O=36sV_#SBm;Q_K z%Q^mNb|H|bf?H%0j(eI9%!)P~+s&c_;w8HvEn1R_r#4hvoGQc?b6*qx(M2thM@x95 z9h#1WH_F*RUG6_dcU~(55B)FsWBmk1fEUz3I(-=9rw&3DMoHOiCmaFr9sXzM_J#ep zg8jsq3L=@t!kpx!tUvt;^bosp{*Pfg2uAn9ABSXF&+<%jA7av-LS6Aap%d(#Zh+yK z6*)f0vuq78=kvU{`Xxv!zL|CATC%7yFRx@OsTJoSaaA)K6&U0f#bIBnjYbD%TcG1Ehsnxy37_r$X*<}=L;*(&a z60?BRBGG%@g8$1OZjWrs4diqXSiuW|^4uB2`7a!~DoP6OZ(x6og< z=8EZ_=Xq#eJm0J@TGN(rt-(#KJ>m5{-%-?2w=LK6;wI6fc0hgVp^W)O^^~c%3vBZI z@(7CcR_CSJp82|N2lcn+v=30<>?wlKXj~{8n%XK=3kU?)Sb55F2ExnJ3MGpi@ zKM;e}y@AqWVz9c;`s<6f!RkKik9$e>(Rm@o2^f1_tm}q+Y?{;Tsr5O74|m?0bV_>>H5F47{Z_ z_BCisF7#LVF6_mFJ>i{lHV>VU6Nv@PR0- zTuH(Xsps9`-S`nc)O}Q6udbuHUTZwIFkEc1y(+RD9PBAwS+4NeDxji-{<#IB!L|PS z_%(DWq@-M}ioALztXJi;3YlwLq0l+bibzhVwJ+E!LN+Gs^d>=8AX1VG3gc&_7uf{A z5Y3yq;w5r9@0f~=pHrBPajYz^k}`-3;Gg$uL7f=-W(aPOuZYk|YyS5%3#LRLaqDbsqFDRjiSCAF;%|8Vfc#SYi>$n6nLH0) zF5ep`DUuxj96wkA@wyM+?Z+}sc2mpa#N$4&7I9oKKk*e=;A;csd)g9mr*#eZsisz$ zH-|2Bs5VwlJDluSbDozK=GwyoBWVz_ji^E40@YjS`wqHu*q-E7Q_*LFt#&Ou&%lft z<}l8>w9RKxPGMb|1V396zM;7Bjzxi=wF}?~Ib&r?Jom`*AZrOSSvq~7yFO?uHJ>JUhqQfwv- zijXD|hBiyXgy|89j_J*H!tF>OawWqm=r)O4WT^Hx&(-7I0;nq6LpclF1mIKXKvLJM z_OsQ1VXQFYQD+TBLv(U3OI4gWoukK3)g8ZO9@xUpfXy-(XBL0Uo@UV#e^?qBM*dAHHAOiv^=K__-#l>JoXp95kUzno+JQs#fi-oy80^JfrC0DAR zA#>5G@;udhIdx=_Rf5c97_%G|#%wc#$Z*m*2BSh0*anxGP~krb6MjMfl@C7VYNqTJ z|9Jsa8dP|)&7q5p*cc*OG+>TItj}KII8QnRkv$H$U$U%~t`E7EiQl3cH%Nv{BP{2sn&fe{M;KI{Vr z?0_JkGyW@ESzUXoe?b|sR-7H1+N-O1+doi(Ejeyeo|lv7duOhk_50bQcV>&xvpW6K zrnI&CKeL72+$w=Puy+pg+E+N+Yc?bg`J06P5uF|(p(SV!S3z&&n9K9nH`ra>r?i+G z7c`aRh2@L7397j$Y!>z^% z%6dzlKE=~`AwLD_2WTT%qNV}2XO!=#YVxO|7&4q3YB3y7a&>H_#9XvyaDou$2#_wwpE z=n+Lk4Ys8eUh-Jn;z8f$CZsi2a~sXY8z|?)aFU>XwZ}QlrYvcG$9w*jz6zvZskvl#wyT_9Q%jD9oA+qKFS zJ`Vyh~=4&-8q0%!IJkHN+o(G{J{BNQii>mJxE;wRqZ zk9_1(f#-&U`ixjmZ@Y*9Jj=SlfFfA5)2FR6VskNe??!M9VQ6%jN65*7Y>{jbxs-$w z5N16dl1j?Gu#lP(Z}H?=jS_AVZx+k{oLstAi6`6_`6|m=CZ^Cc3rCB{sQOnz+06#; zUzmdCLRx4J&II_&700z9h?gXGj63le(Qyk77O~rQN};4wP1h;ziYyzaV5eOIe0HKI#o1dX2!MUF5 zQmV*+RS?KxZ=@IbfN1^gvGiKs{4Eocl0ztoOQbe6fGVp=h${6fG$sY&j8U+AG0GwB z736JyUt{oOYv<4!>A!ZDsU}~f#*}Di_c+xk5hYm`Y0+i3_(NGgXm+r4ceqa4Ko3L4 z3hBcan|oZeuRP3GE2!5rItOm0s{tu#d@ax^r@i_@fL7{>G^JZuaFIpIMX7WCR%Hy9 zy)xkWMbG^8T-%BV&09>l#rJs$w}U55xw#+A)D)=N;_cqZW+}X+j(6e`K~CF!=36#) z@_Kx`KuoY7rH~VctC0w2NmR9Q{tAVv2vws{)pK;BX&SQ#pOILk zX7e31tZIS_OT4dwx|J`M%MohHO~fDdFk%diiF=vVy`lB>!gzCE3K!g zq*_!(YiiX(dTJhI>*Fefm+XaIbWQFH z*}(kF4Lm(<13k;eQz)sAwS>cwb-7*x!U>&(&a`3TzTYR-u;_7#3ZN81Ed;5trVY_2 zL_E*p9(k2?Sph95r~E?%BEnuB|9sz};licK*T5m28{m-64RFZdh4xtyKmJ2E@>4sl zsA{wMsiJWQ4lU#>5q0ex3{MN6ektL(NCI<+J)wKDE=UuKJ6x&1a+gtcvJKJ#yv2_? ziE*LRjrl!`UzapvXNVU-@KhWqk)0u|YzQ9^Rd>GPzx1v=xGEEq$GzVc2!lpsMt4?l z8F#@Lf#jkJXY90Y@Gv;obGO_mJvHwgma5#P&s-NWU#|g2Ibd%c#4vA9JYRr zfRmS_%cF~-a$EgXliZ~p3oa)ip7Mtyb_n5)Z^CU$T=%di5?=Pv)9kOETB@KFcD#_z zzF#Gv9_sKDqRS{c>ZzV2@F1z|lw%cs)!cEc)lb7Uj^WJ!j!`IoATP<(zgPl1*lAKA5quEiNche+;H{ar3~lt0wvb{*^k5A~C8fc!djl5ZeQf`UI3R<7h7 zE$vYL5TVb)M2z`TzqY{_KE+zq$dNV|yW`*E%dF+vUL@hpfDgwXbF|`Mi1+ZO%GXRJ z)?x3`bjr&@GdvPx&1(6Ht#=)r#++!8jFQLnM!%I0kFe-#rFXi+U-p*HDRhUYYHhIf z8$_{!GoGU%iKZUCLPYe4w1z{6im?Xq6X5mBj|@?WxV>fuv@lT(Ykev$%hawJN_7&=5&5CJ#DiV zHRvNhk0`d=IVgRPJSV#1VDiKtOrH3I>ck&ZC;ni@i9eWe;twWI{K3oB4kxWrGA(mH%U&K#U-nsQ*?%OQl@I9@Yb2qI+BOx6VL4S1=L^3L-#-#b zCl)Ah(R?XZcbkA&SV%O)_qg|o_=37^p2?&kq{B1r1ZpypR2ou_jXQ4ve2rIPY2fB-e|(B}TVO zejy|kD$zGSGl6i{6Ym+BaAtgF6`$x3A~HYDe1wINuo$_XWx}-t2wGFOEj!>MR8jr> zF=R5Fe<9kgv9dU^VebUe7yVkb=%3?Nd=4IFQngRutA@0|SFI_3NnBUOV3Np$z-1#+ zJ_)a;!x;%kZV&=gxdBj1Ma3gV=RI@UbNLLlL!9qf)Lz`5`M!km)Ws?`bW&{82B#7J z3bbYfypood&=N#R%+$nba*!kuRv{zceMk(=r(~6T6=O9cJSNcZ-SPji1Z!+ zpsH^@%DJ|KUacb0H@ksb070)N)CUUo895O830Rj%qVFA^>dPoiiW`=Lkwil)d-@i2 z>JufxX+Q!-D8I>7hMP~HAx`ipKfG=rjhZvgbz%D<%Sszk$6R%Q% zT|&2O?*0m8VY!wbQCE?JgZMf3V!S4rw19+_4OZO)e&6G%UJgtJ2_Rfm4uZEl4?WIr z!ZCw3!Sa^I@*>m|gt{yKdmvX?NQ!HGIn9Os6BzIDXT<%{R9?}X_aC=ujyRwWAg0q% zDbm>h;cDG>vJ!nqO}xyFL2^g`?k1UX=syfx=jD1^bi`9Fp#vS%Zwyvpcec`RT)gl8 zUaYU2<`dr~7%1-It23~^dgbst0CmNd<-o2SH{X^d_TTaXzbm&W?7yXz_ep+lO9uAe zBIil*dt3Mdzen;5N$2((!T#iz!UcXT44Q-emrH-24*kRL?Mi`kA3{LpfMF9RXY5xR zC723<_L+A<21u_Xp3ovL8h4`xvnzP%ulicP`4z{**k3g{zqHj;QzSbeVSa2vFoNHD z7cASo=$a;LBES)P3-HR4fI31Q1d#)vxngYwXCR>HP=tLjmRv+E zW42&U?5}nR7Is4u;)bh(I~ZE54zZD_^*m8eAm$wTQM%6agZhH{spbSCY!C+^(jZYM z=KUrhvy;(Dju6Rph8eUpH{2-NlgLTR|NPN0M~#tVFt!|X*oZCB@eqv>dmf*q9CCQ*?`7L85@vB6S)JPueJPxUj3V2Fo3(F+y5AW9HH?$^eosTqn_26zLPDS;{c#q_GzUM=FBzA9AUhapS(y{y| zTwE}=&{g-r$=&aYeUu-ANKf^8CE{Cjn1sKLy^#jwe%SYk5E5Qcj)bY~aReBN3_qgQ zC^=#jtc+~SmoF+12_hmQMPPOGzEMIX+nwIX`?-A66+t3IycN?URk0tfm2MHUhi@2e@L+DPxKOk8W#N}3}*NL;ad9h2h)9l+&l!432g1=3#% zg&c~U;PFRg%_~Kgd2EnS%wo?nab6J}Rhbcc+%EVwHyx494Y%s)FkmJ`DdT;WYg(4J z_w!2HmRNQz*lCsVV52n8qvQI~pH`{vVikpD$#(9i9XMKZW4k2-gx38)qRwX#IrtMyi_sW!Fr+lPW%Ixr%zPMYfA57P{Aq8oU=gJEpYB zZ1G&%+P$e{kCJj}FSEqhRBeGzbAM6XXC7>SFS5o}(~IQxpr@QP3zs9iMXQA5R@6$j zDp{@Q?Xx8F8{w2ij2WG+mH9P(aD2<0Kz20vn!Y7`%7QAcFc$U+J$OXOX z_Ehy`$9Z(TGTAZGVjYX0aNl#OXIkB@WVH|pYw2z;S`6vRQr&2$<%)6eqYOb z9^5TvWWpSQIj+8DgV?VPlK6`(K9O??Tcf4)E+C;?82c zL-wR#h;#Q2YR`AD0DN8X47;ox#1T_sLoeoP`MPi&v9Y;Of90;)m~)JCR{FN*2ek#T zBV%7zqB6`@N)z+`47(i8jmw2ujP_uiALZ+`*wEdW2oo|rEt&M@}G;+Jv{$ z;vq};9is?c5dnQ${gGoRx-O?S9Btni*|qllPhw;@rN}#GGGC+$mfgF#@NoZwux;o5 zw-F=Rq)nCL7mp}Pe`K3OMuo%{9#@q9xTf^SHKjk!68A&trRb756ot|sQI!6O(-eO@ z`%rq-+LA@bq4b1}jnvtcUR?<_l|QVg{9#Syosp!q$xzcSg~Dw(V+atJuPAMPSZME8 zk+1W*AVH+F#4Du>ei^fcL*X5S?#Ip*wf0`?zK0bk3y7xRys|__ z8W((H+lymdrlP7v4(HrEL8S;>>#s8M$uSkaM93g1?J?4w_jw}fAaiVlmEFp{6|Gp1 zbK7yRl04Sj3dCD^G7iACbam)ao) z-ydrD?y`PVqu^VhRN!0UIXb|7mjL&#H9a!h&|(Ts+dm&>Gkcu`OjSmeHa>UYJ+j-- zOye>D0kMZzAyj#VZ^VP%gpbBMWpfCDN8Y;>0L?9cE8J<_C8LOpDI7HaBH_nEg)4yh zv?I0Lh|F2liE9JV(qQy5A=6>G-M%NMUl$dSr5yxH0;j{0J@@W~V_Wr0JfTJ+u?~t~(cXq}}3WN~394 zLHaxWnk;(t)YS9d8U;p@3;Jv$npPqZ)trPdI;`&FYE>D8S@+=fESEd$!Ncr2akWx>N`Jo1Z)+)q?%hAmlBmgVT0L_8jr zvd(+1e7XD%nByC-8=6Z~YB0{o)R^NB(V{Z^< z)ojozdFr`-HGE@i=*kBV*PSKs_=wuLc||dAnNihaRXu3Wb`2OroHe*h%#|P&k@tX% z`m)5CM(ihr#41p`&O7+7GmNUoRV$D?oO!-W6aK1IA_U>4Gy_hM>#gK^WS3wpvzr83 z1RNWy3xy8LKP<4y4$%bs9>SQwH>dP1vFdSw3T5T-UGw$N>qZtyI- zm$w11CdAE%eHF$nQ*eKtdQG~9oiJ=$B|_%{krW0x+`?mZV3&||WeRNM*^-Kl!_|Aq z4qnkQF5^AVct1{*8!%jh!v7twWtV`I_;dN})@C`SzQP&tpYaQXkbEE|Vmwm`fxC&o zDd$=kvx;smFSdmCr^N`PHZY5Z2&D%q?!iHnrILS&7AMYe)~;VjL9_3RaybN02c^VuW# z2#m<}m+lYUE%{=6=K3Nu!QBMv47kW0v|}(tAvy{VWb6n@E(7lXR__fbj7aa`dE?NF&3KT>A$nqM~!S{bM*SWcy1Ggd2SL4wP|#4MxoolC-KZTVld_ znk~{Ab0a*kwR5ZJEtHD>ob#n+WJ&y?E8TpICXD4}T z&f%9)rICiOwCRD-qF6?+YYf)i$(6VXcycoD?q8%y1GE|RLJhe>7eDa1WHs=`iFIC0 z)`4s>5d)4J;v!gEP}cRa37tl?Y`8=Nn|D6f#U>;RggWLG8IMl$^FVIBkvDlDuHBN- zDd1|>IAAcCGCHA^J0Sak?;$Q^VJ>=y2YZ$+Vrn$d$u(&>CS|RlZgSU?{nstu=rYur zE8lwL8!Xn?HdAuUJ$6VX!3W~*K&sfKS0qad<+n@EAE@-d zBufiEvrCr`RJt-*S`e6B`kZ8G*iV^3V|Jkolu_zYm2+AA#+A+-Abw8GcfV;r)K-kC zIeawRDJ>k0-Ouv_m0q1J4QM%~9~`LklgZMDL>ES;KzEMLYPo*wIrO1LF^R3nl# zPuPdzWIvb@I;9gc2bl4oWa+$A=~t7bQ=^gv$rzP8IVutC+oOskYo0KwAK&530b@6( z^bG@*o|7y+DpmTzWa-qX1b8w=HSY?ipPW?9JyiqDK0DdZ8L85*B}=FJk)_P&XGpRi zu!}RFnq`R(l?ni0QGLYt4>G)5L|Jb1sU0 z$ykn6Pu*Uu-rt^o7F;UQK(6KSi3zt;h-hk_M=`78E;7B>)eMuhe&I+znT)u-Q|-X~ z)BMq5m=8h$?E4}@=bUw3i6-#KQ@YA=mqg&`x5`ke#IK2LcjX+W%HTzF>EReXbm`(; zbW{&V>>kESuz?AfMdhrec(&(}SLKEqsr}g1B{4o0B3`%U9#vnas#x;3&ObZ(Fban> zbR|8Gmmc>g2APK=Yrg0!I!J_iA*8TB+#ykI%&^ScY>tK?>Zf?Bx3GA4Z9RM!6pYpI z{sn1QZ@I_#&^P#(YW>TLK0(nqu6$(9-*=dTZ*kNniB^b*ft2v5b3ssNjQL(9%2ibw>BZW(u ziNESgNH#>GhhYPr(n`ZKszuaXI834}^gJpa_+FgP2K%e-bDL`cCfL)`DS^T?m=!mePI*KMw=+eZ(|Ya&qEDBYC6 z*B;l760WY;sHcUsd_>HM{Z)RvIz+FiSm$~2D4N5d>U?dkScOf2wMU@Qjj57T3=X^E$Z~Gzt-^61c}DK) zdvpBK zf9;~dihc~Uxmx*(X!HA*McZ}YfxNsqWUW3s)YhEmiozEre^3S9$ zQL_L!?+URawl2Awuwhq|Wi3Q-2mF{AQUh;UQ8Gwd%Xq8XMF2ZOUD-h|+$vB?ZnAE6 z-g2LPMk*;2`{sgFM|bhiyF%U8R^5f2+JDfcQS}pb>)@K^dFUp2000Q9e!?Y9WgHvC z`%m87bkFH~|F7EB%KX$~r|s(3=CG??wV}aS;VRi)Tw?od?=L7O$`0hcIFHyIn!ULX z@XnS~43fL^jhfbk^-82aiSxR{a4y?y>rFgzuS<6U(5e;HgLX^~^z?+I7SrjGg4 z^Hb}c1`w0J4M1EYATVQEY;0#g@IYKY>)$9P@IbIKfd_TcF+|>E&E*9fE#h_&(km+? zpJ%egK2PWT3UpM zTJMjn5+6&u;a>>56%$S=rtkFFS_zY=z;4#-+F}zcSS>Na0bYbavXrRziII~yc0#0GsdQZ`5^M*L=&8Lasw&{Qxsb|v~T{1aHy*;a+f4J6FK1d5yp zLYMF|{#kjU@Q?xv7z^)T1tyHxPZS9V#AX(b>kmLes((dD?pOD7Ku(g~kj&6iy-e*I zBx#E>l(iuv(4ryZyT}6+J_=(>jnEXumjbNNYqIe`2S4Eh{6$!+fMO)6`!R;(H#dJe zi)!4<5e@reWAOm&C!5$m&6FBe0^p|KO|Tc5l~4gZK9wzX_#`$yah5TdmEfEIRD45J zEV)+kox|StF?Q|*nAkQV2@`jyebvfJU#v=O>VDL%h1?f>sKrt;?z>h5_so)7v@vgs{Y>J3= zmF1FD*~WV@>Eu#2BXN#jykB7gXZyx$#OkSj5IFXkb-t4QMpc^@w6h7llFq#D$V51E zfU{XS{|f07=ONg&u_I(LXR!bK#e@7@gvQOrcs)SqC3j4w5XW^cYZeC8=vE}vJcM0F zn-#iW?pxdVhJFl*a<}lH-6&!-%-NFZsbd#lgA14GWS$;=JPqTvl#L7s7^k3 zB?Y?Wabpn+pFcOgyog>s_G|YW34`wsfo*Zl~iV z*>-0EbPzHtzvN#1lYpMNR$AhsJ$9W@@V1dNwuwigG7?>d#7%ls0qD?fqoB>mK_?Ln zbYu0*_W*h!Tzd#M8r~Y8O(}J`*-WSch}JtSjHl)mJ`>p}8p{A!(csq9Dv7zLyeSY9 z8X5bYLSAg~Qr-fxo`>HBt9grFH`jn35rc|3lu*ee*?PV~gQAp^m>wNiQ|epOpD)yJ z>Uoozb)38k7Rv$%T4I1-xdPX^%(-qe!FRbKwKm zRnxriWw|CUrE#O`Uboqz#X_p(`M)Hb6zJh?2RA%!#8UdZVr%;6lWMzL)XCN_9YPjG ze6jQ|dIdA~%~RdN8Fel!LN}%dVxwB+%M8MY$*Jb<1rp^{Kcd(rPxX`PRIl}c`l^WO z@*ydg{UAGk!AJhOk0%N?m>%hsqrEwPwjyL}Ioil@jM%6zD%Qjw8?_08BE)3SmO$wi zPBo!*s22Z_xzF-@?p~EV)!TT&sTP9`*%p1O4{*XN4sd+`kyCv@o$3Rhc&brA*{8az zT0w|?vio-aH%_+PK?E^jlB8ycILA}{tUBRa%2cpnj`*fP!G|1i(C`+0#M_PW8dOys zPxZa(u#Y+rD0t7vK|LI;Jb+Ie-z%NN-pyhEk}3ri079RnPYr%XOkZuRVJmxkIadO^ zUi0;uTD}W#;|hw8PXfyfPQD|iko~_=1US!9!ukbSCWPwM62G)DCAFY^YXz4iI3yY8 zjPM!adoavE3D+dm{_E>-Pxwqc&)@jLP3g`T9`O%K^M8o!<_i9X3X`K^=!``~LJATY z#@s;cziI^uw0^D^sr^Z!Ne#qa)_M!4x>0@a7R=iIU zK=u4Wp3}IpPsVUlJv&o9qw#a%OkOKTTuA&oLSE=8$fD@F&2J$MaAnO9dF81Ne zOexFqIK?<&X~lXbCyR*&&9ZKn-`dK+Cr%Np5#vFuba(HvPHscq{s z=XWP12RdAey^&VT8Q6VaPL>gkh4ovfOxMe5IS)I((Oz_oBJ9iqguY zt>qc1?nOgp4N5EKbpMA`Q=%%fwtU^5a2Htt_k#AbsBXoi_WU*C*Q@CUq`OE0flJUaEW1n_1au#hmV6 zNHrx2G;7SWITiR+T16cw6PlU7W5q%ej#63&V+p#L9x z?*boJS?B*JG(aN73ARX)DybW_m992R!3K)$Kq6=81W>|liK3QYL8wyOnNp+>U=o+( zINEjbw-?u+?CS37uI{qCtkm^F($Xd^7Lry3Aq(kM}Bx!YiHk>Ce1_sCyy6| zGkB2O(VrcGGAJTuLOeaSR_-m8(bVcA;PyLeYT02Rj<)1ZuqO3mib9E_;QdF(<2$ui zb^t67XH&TddQEVFHPsR0=b)`PZ3JJuoVQ`+y5pg+Vi;|lbGE=t;WM^3YA&3?Ll@Iz zSU8$ooq7%!TS9ddYGu_v-=ZE-wF2IjpHzSFL8@h+xCKYC{4KkFhOV<4PNsD5{%fns ze%2uuPOcy-JU*is&yf9-YljCgl(~E*$Vouj9s_Tu;5~VbyeE6gmYmK$;(RAV2%T(I zr&JdM!AB=L9@{xcUgCTs@sl&p$g4un$eYSFvNsdMK!Uxg>tW9FYnm56U6>i5jOR#F*OmBrglFM@uWXzOH zN@8y^f4g_{XoafBXKAFLon8^&Y<_mhwdx}o4CPUAkj7q3>HA(*NUSnHeQ|Flz+xF&Z4%Cko+OMNG!l#DJn_sEBvsW5YD zKlk&x6&lXnXV_kYuW>i`AvJ7ZuWMHOXE1r@Kh&UbS#^#aZ4PGsBf_ivr?i9_sA@R|eydpfZq_vE}~#e5rz8F_3r9~caN z%w~wgnlNy}m2_D&a@t3x>8D0N)%=`fEUxyt;B;bb!K%1PVboz%^$)1UMOD+$;t0d2 z>eFzxML_t9-7W@I-{a0vhbpMLD%K^gha7LBbe~p(c;*lJOE=h;RpvuaimS`wPfCJM zUV-F4;p$1pD#;9SiWWwC+`$tZ0O-vpl|sGT!t0{T`3`JO0tQdk7|hcYK=sG z(Vy1vC^`6oSpB-i4e<~U91yEk+}It?zvlyD)k5VEsyv9*rIk%Ub*k1JAXb;MNQCGu zRLzrt^%txryH&978mX9=_BwenJfVAsf=!$NsHwwsb{#^b*&c^pc0Tck3;>6@q%7?QG>qs$>DlPQLR>eFhH-%kX5U zQ>+AdR509^vV=gD@anfEF3!WJd@`){5t!Y4kcVO06Xap=DPN^R!KZ+2Z}pN1!Qq~C zH9D$#X{EmF8}Jw2+-?tm-S#!+kM2bpP_%(xS7qsAUf?rL^`_{6&!Jh`llQ2N`h&`f z=B18~4Uw*QnKAy>Qf;|iVv`!*hw`t7gN8nKE2jojO5fXC`lj)FQ{QZ^7VPeQS8`Us znd|!`XR^D;`xbD7;eA!LIo1L^(vf&S&a{29#gm@x#5#kE_+UT93}o(uVfmU^eK3m6 z9YAwD$?039_ETn}=2yCyy;6{yD?w$X?eoxWQtL5B&5X^(mGo612?9PT3QV^o2$A~* z*$0d{y?W2@0q0hBu)G}nIzxVu!EM%QZW@eXEvuL}x1XEApN(^uUtt{d6!=sEwvV*^ zqxCyDNvi=E{Y#ys>xoaUzsBH}l8@lUMQk6c<=wpF z9{8LUNYfA2*C_LV6u$Zh;%i5ZUn^EHV^L2SH5Pw zZV+oD(yu+MC9JvQqd;aXS=-savC=l|h`GVPotl63o#CtXHMYQms_@k}+8rKdrQ)NdLaYAljUF?~0?@-Ab5h#x&D zPr^$<7QCVwNfhSeS|)?#n7*_oyNbK<`suZa%Zvlx9o)j?{VA`3!%Y0tnk&y+?E4cO zOM!Q$5Jf*6eAO%L|4JUDqUqU|KFClGbN4!amt3weyT_EWFBnVRnrz>p`dIoTeI3D@V6SF*jVt=f@KhpM1s$t(|3kvb-5fly&s+<@3&VI_Z401O8Fv7}V@`T!@ ziEKMv*!B)3*XKS7CY6K`hbH)%CAp|L%w&om*4%17ED^iqFtd134=-7?mn|^Y&B1z| z?bn%YeS_Ni^7+?}C4Z#GwV#h%#(G{m==GxUXzm`2rmv;emQ^Er*&E%#gG*^BZTn8iPL!mum~XfcjpA2UY$W4Uu5 zGwtq;xNRC~_`bT)msAott<1%v+F~G;QOw_N54|(bt`|}Reg4BX)DQfNJ-jD)7DGC< zB|Zj#w&277VaE>y{n5_gi%mAiXB$y!%kV%xmC7q8*&JUr-pz4`%malT>W%q(kbrK; zewWf1PO=a2mup#BWmpwU4zWrLp@&f}MwiF<4L;wUVm@nK7C(u8b}n0Ddd2X z&^A^pXs|(PaX23-g6-f&-PR^XhVllTMfq7lx0UDI${P-rM7E*epSV#XsO6JMEh~;U zzyLG&LMNXIe;9CIoXMpQ*-rpJ!JqND3-P0$gzV-K>Ng=imz)Y{zOcePXNpK?`;B9; zwLZquJAn#4|NFH&`F4=Af_r8viu6Id9#1=uO&Mi-tZ$Z_Pru(gcp`m!FyHk~g!=*a zgH4wxl)oQ*9ksJWjFT!9Faw-GXjPX# z%Y2@lsTjAv!E)vt%S#dt$hNf@?%P44XSS^3Vv&ALAZ!CH;~pI~$jc!g{%aU9crNJ1 zO#?;Q!Xk#Rq+Ch(uahpg6CYT>9X26Bq!a%8EqTtJkBt@r#w8`vSzl~`<#TL)dq0nu zsPT69>QxUklifO z{=Yeoy3Emx%u5G{jf~saR#PPVDY!D8BMl#2AJy&?Xt_5x{D(1pR&g+@5VL?l?BV9S}1#rtTk9k3Gg>gu*@43 zE=dNCAQI=Z@7Mhj=EX&Wzv{RbO@~(@{NZ$X)kTB9>Y~A4EpjlL4zFHEx#Dzq)$uTz z4zDh8L#pWj%%vgbpNES?VZR!IoIidhJDb{B@?43)=&X&Lv*B5jrSIPjK3Sc!xjH;s$? zbu8|rj|1{NDNR_77rL<|E|OkE^0Zgsc$mjk+<{+UF-W}6aYrQUy}K+(%wn41m!PHq z>`Lm0_N~dYvwzGZQkJ;3Dj7&kR9X}Cd%(qd_3IL|E%g}_)PEw_F~+^p&cBE_ z5?*wQy~x#v7F#b`lRP~;*vIw2s*#kH?qP+YPdK%GI+ z#i{LH#%eL;(C&vgG9R(s4~u)--NEloyL-6$EdQRf(mOdSD2H~709#OovQkKbaI2Lh z1X~43PWEYo#dY-icz%>#{gF{zdqzcsb!S?qsAC5^1l)qS}az=g^3| z7r&!`MC{y9Z**f~stIX@HVWkZ&&%CtpU%UA1%A^J2{D3yJoA4>1Y67-kI1($u{SUx zF`R?}h-OHXBiq2C-H?3J4aqgOOt8<|kepQJhU9*pwsg>MIwr9(mLK|k#9RH(DtVJJ zIfebH5e^oCG<4sad#T1ooT?NWi+|5cgNxM>QZgluS`g=6H?(@uLOi*@V1uQRQhu!K zNlhne`84cyzL-5TVlhd_GC3r0SCtUBg5%$q8AMC`uX=3^RuYnEEJl;RB8H+hHazpf z=tPb{C8?xb3WWd5ln$S9S?vDjxwSn!QF@4h#U&l;MC(rgybJ&4j8s1>@_wbe>MF#9g+WM zDVJ2kwk|41u8T^*g<~9=0CDEt{*i1AiEDZw6Tx7+_QGs34?61sTYBl`CJ!Av( z0vX}8>3q`eX5RH1XYq%Vbn270eKi#hu-T-R%W?w&~+t%1q6ZKCtx#FyGVNdF7ME(?zGi**x65NH|ejG8-nX4q|IhZ zJ}?79PSJZQ5+m$G$Ca9Hcu3HWE4|c%BeS5Z+=Oh*Jdsh1*c%im8u-0tSg zOY?sv&=>;FOFOpCBPV@4{r)JaCy1hoOvKme3CF$PVO0I*uE4jAO&*g%h|xs4R2C(AM*jLOLUAJR8w zDm1Q^sRN{kDdB)tbdj!b(OHVAg5qYC0}34mN&rS_Np?IEfPyi|6u6+fK}Q|3yb^2$ zUMC;zt3qBkyUwK8b!C!R*P;0-W-)q-OY@(SAtLdVyd9Q4HI3U6V29-qqFAdd*1XP~ zBG#!`FaI|4PZDl1KLuF6s;ZT$P$m-V)Nw-cUJOcW4ifoLp16RwH0PVbac$UylKPJK zdVPy0{j3c_eLuP9{qETZSC@nBkZxF47N69Q?dz$yu&Y;iKFUm~4@pol(Cb}D#F{-v z{?2rK6=iX(7~f@O*HX4iSBcr+YI7HVse;QKs{H^=C)dO@Tigtar>lia2VC>k+*^tY zvRHZ|`K>0BnW5!rM)YHr(4@~hb88dx$v@EK_ci&i#0GvLW4)UN)fRHda7|zyD3KcT zpie#n2Lc zr6+b;Q4AInHHB6%%3N*fbdfq-=FpAys^nS?wbXq^EaJ5bFl@`4&4B1n4)LAw#MthQ z11Zm+NtV(Z^7(6oM=wZJ4MtNsVsYLvthLnWl#IaWTTLCgQ;U-adjTJ{#XGBFd(5u@ z(X&urM`|bd_NYA%;n#v&q<x*sZZiP}z#@-lU#* zRX0Q6d>2JMi1reop*$ckx1>olGl?`9Q&)SFp7yG?k-cbTEIl7*Xzdy;EPzQHysBKx zZ;^krh)0*EQ-kJErH$3X8e83Ncse7g{HkRKujth9eL52_D-KY0j zC>rKZ)Rk<$Hr>~I7ZMF@A=?=u#)(v8mVH2TtM^rcf{K73FZ6NHtgcDvLJxmBX`00Y)D+F$6Y_ z`B7V}J)wu@R6?NKi1jlBjM!?gYP1oHv^n0LdF4iokX?-!#Y;zwt2Scp@~{y*Squ6N zIDr51BZk;Y#ufo!HTk>aFmvLxG>(%6A+X9$4AvZ9NM*iEpD7+rj$p76BqJMJB*2O{ zARpPdsbo*$Z%IBfsRFe|0X3G$1&jbbQ7(u*o<2=E)u?N$@{>%=#?G497xO0uUgop; z{QzI^xXAVs3Jp&~n$NIoIs$gP-?Ke``ifZn{zdPzhGEWyXzyE;Z)jF-R=QIYPgiE& zexjq`N>c^{5YloNU%#9t!u44o0WE%rGmFN}vjJKmwfpruf4`&S`yCzMua$RvI<7}r zTX=-ETEYw*pN?C#Ji%fWJJ40kPIiz;U2*&62}jDUHLmJfF)QOqbPTV0R^Id@-lXjeCW*Axc~u8&IB_Ae;QVL23xDFo7(FL)K9gh+ zJ1D)+N*|^4eo~a}w-jaR`TLBlS8;hhmn?3-KS_S{y|Dq9hh~k+TOjI_D;!a;j%CKL z1W`DW$}``(0#VxHVj%N&YE$^&g}R=Gj)6UFh2k{5C%Vz zTW2Xo$8XR)Y1vSnC!aQXdTsLby2;b)CQq*>&v44Bky6pt`L1X)X-%y*6&;E*6K|b+>&t z!WB;39r*s2E9d#Zc6kNrA=z(m!^T@lY#9A?meipf&nQbU>K~O8--=l=f1F*zBM`H6 zXm8F$E6t5nUI3eTOU1&;vCJag#NLh1=pn%dr2fKQPn141d_Qi7dCrb%01F}cpudqY z{$3)G#$@+cS-@QuqLrz@^xQ#Z^I5l%?;NEGQ<-uPIyH-Hg*n1yuAxzU!c5%Uztcsr zr5gr$dM{5y61iHaL6pjBF*2|r*`33S^pQ}FQqj*MkKEqSD>uZrO@QX!2^_cd*1VxJ zBC9mMK?w$0TQ*FP3ld)V$$wMVN+;vhKT^`-b{qn<)o#W^kuPr8I*1_zhcI=0NGvPg zhy&(XNqzpHl?S{iFDKB8 zjGGR4Ka{ViAAyP{Kxp!N@y#q%h|Fd*m?FTju3Ciix>JaVr<0mYa?%8Csl3NLKJr?z z2g5Nuo{*dO&3^+a=B8C;tcLlkj5Mw?(zxpN+gzm8%C)K-+uN@u$Edc}rK>_YMu}VR z7$(QOPQ)#=V48#e-@pHfQsJ5`hnf(=Eeb%up*$MG11{jmB~_M z+!^dlO7%+NRj#mEWO(M7O$%eQ7Gbes z`^~dhcL~@nG0>6J7j4=I zUlAr-7|l!EctdCSh$JSoBFB}Usy))SQnup!#w2O6?Qc|#g2U353dA%%Tu z?RL?g5ypW_#^slIZ_li;0Ou%yL~=+En!a&84W%(8Vy#lRuvNoCW)Zc zb9_Mq_EeR%Exeu7V-LgOWuG2=UXAw0|a=$MiJes(@jWFT!OuI zmRH4yM$r!&F^segg!8|~=KoJ>?`3MTEQ}_>Y3j6MAs$DPRPw9936^bkbHqY`!+g_) zU=}r12+S4L{{{;IPBOm`r1D}R$i7EE{T3I3`#k&bNITGJaDydlp>fhL)Pbckw@GLP znLF&P(PVC!b_y~#64&vlT%=8az@l_g$eD~L;hHBLrL(IDW=`hzd=B%pVy*Ebd3)S( zWbXeyGMdd^$=MRqVx2EwtG%fcqvImW#I6wbkaZ0>y*Pz1kT)oV;uMxM71u6MB2LM07GBn&^$<3+QFej< z-r`i=q&Uq>pX3CpP~ilk>bO$D>Tr|)3k=1!G7@)+#5&8N305W+XXSzL)}r=WcpCU4 zY>bZ^+k-zsLA=W0k6@D3bEUSzI+3XFG414A-A=ys4R>-? z*1B{%JGnEp6?XEir8{}PMcT>3mb}qU9=1Yz4?Fp2)&nhQI%Z>Mc8 z;2DV@LerFv+zIoR#bqTNSHbvKl#V~{IKBVQBQg|Ae!9pFK5X&IP<~?YQCe&8+0Lml z`wkoYj%<4P;3Gff{S6${azWSFR{IbyIG*m9j^Cguu)(GP+F*2z8%CW16l+y6O@TMp z8pF(~vQ{c%@3sCbOo2DjHHM9OqgfC(MBVN5#bzBuU)(R5y2LDN6G2P@22~mPHk6uW z9}IQ)01`-QLTUk78R0r_ew~ixxLGnaSCOsrmpLq%3&_*OIUuPi8}5`&8%0rRFhj%7 z|Ll~n-zgg>p;`JbvRR7I{%4C!9lvFf$q4NT-D9ltS@^_wc2Go%$vtV4u|Fb-O!$JN z^i8Nv{c(yz@UA}i&2#Kn$B%*#r@ zJs$B9`#_l@Foo2PWD^@F^%&hR*e8uwj-*`Ym|*FgPVN@*H{=xSnY;@FEU;V{4vyl& zP(s~+K;9^v2>G2Hc3uoTQR>CO)r9;`++_|66fQfHM&0WG^oXieJFhFmJ{U8?i3?HxJ z(Nffl+th^RO-!=jt`kCp!cu&^ktmp;J$hi#+|uP@4-}J+)}%Ik8@@O3%!xnd4Hh#T zd@5rIF$?q1l2Q7j2F)h2`%3^v5Yia;pB0Sj;7y8lOvGXt{N@c(VmEua?)>bZ?9K<> z6Sl$I6RUZ`P)K>~ZBz?hM&b{?TOMhvhcuFrD0AvrKP>%FY`}cz_4?4Sl`~Eb&JrUB zaF$=sU*Pe>ni&K@-^aD=E>0Xi##L8Z2Ro3Og_Xh0tC<@BMpK995l1fJk;4D$vL`IMokMsNK1O8h~K<9lV?uK?2r08-pUz&AX4uSS=>a87kR zy$DQ$ITMnNaPcwp5yWsCHX)b>0YTx5XUg*)JcA^-dxWfo*o493WyBKF%y)YJCG`4j z2pV(1B=l$y5To5*>Jl&sPny?t36O*es=pC16WmANYLNRrjLS#=%yUM?Bd&(C0G>6d}v;U}z)8iU|s z3INr9$kHf{tqp#0y#vIW9r^mId+*}I@ye&ov{!&co_|#}%c*;i52?v_VM{cRV)B7J z8bT?a>+hgH6GPw%{~G-nIq|stS^N0$`|~nX$|q1@?apBs;&et^*v9uXixXt8Z8d(X+or6~=J987VxN z=s+4aq(4stZhu4Mihl4&5_bdgDU6xPp6`-#MekiQnK)|0)Pb}`+U3S9xT>b~%?`Ko zw&N^~Pv@7$^@8mzERF9Sbwhbc41mj62-n$wU|f-VkE61AI6(eZ@-p&_X*14VPH?EO zvf_Si2M&EGT;*Sn%vmZ_d$3BE^$e!+*q;bk5Fy4-R-mz$Wu_7*yJ|rxUc?9lpk*+D z%?Fm@$=t(H!-0o5GOqu?!<@Gq=-~IJ13g^D_tHT}91w?CfQ~rO&zZs19Vp`{1pWc( z@L$$DvPreYE0KHp@nTAs7;uXp|O1 zh)*dQpsU;fHLJ`09Sl%#{bO!)#`9otbgbheZ5Njejb}mAZHF~s3PU4QtU#h^ z+;S<<03fpd&#+N3e3e~;;OmP_WbgYmMx=j)MALFYZVKyT#I@oEHgdfru7TN{`VSJ%UdUsXm4uJh4zQIQ$~1KDH~@v**v=?4Z4Y^D^rU0VuBW)*~!j6); zdZ(6$uu5|Ws<~*lFrxyLV*qyK#zrbqGi_g0@ z4i-rJ$>wxjJ|gs9UMwdgYMV{6N@6_GlqYJZ(Iuedv5nu9o0#X&NM9BOZ;=h-rfB_B zkv4LZv;1$Wog7P_koP|$Rl*DSpZzj6>2bCa5CCz!&-<4(r6;avI%{G_lLEXlv-AE# zTcf1!j%DTy#V0*0q-c5J+x8j6((gx)ZiW$Mpit-&U6D}cS;0nKmYE3$eRRs{2@qjtr4wz$JDWEOjXc@or zkD6}$sOiR!P8&s8VC7m}x#mHYYZ+9z(H*K$jjOKKrAJYX%gB#@ z`jO1=0Q~C`{>T2{CxuNBv>B~i7bfK zA5C`02DXxbU8K&!^C}DNNduXE)>3)7&Fs%Rlo5|fU@l1;cVb{`LOZAJPm|wV%us+; zkQ>d7|D4R&EJ?2yRday9;Tp@-c}6(!9R+1o-XyZLRs)|9;5l<>8bP;MF~-|(%bMbd zbFsEtx8`@7og>k0rmm&kuOD<=gsf<5ShRVKvx==b{+L%wK4&r4~ zYg}wYqIN>!L(90o#+$SPAB%2h`M@u<8->9dMwzRL?$98DCBB={?qsyrCD%f;pa*`Z zY-Ijg;O?3*lBGI_z;ukXDY7P(hCzvZXEhf5x>)KMv6zsMNSjjK#WELHI?yt7qE|A^ z3gU`o?yQ`XnMmC2jzv{-GI)g44=((ibfHU-8wTqR=I4_-t6`t~pKp)vb2h4d6Li+H zujb7hzT$hG-}GME3g}+_K=Pk8OBQ(bG$e7i`i=B#{y^^i=2GAqox4j0z|1{RuL=}# z1VvgvO5{7+__nFEGr_Y_FLOtExPJKdiTn8WmE3RHJIG^)d5lPdiTjF=+Pcx>@)55; zknEn5Zs?O+!5qIKJE#?4YeH0$0BTml!ne<1Cymwbi=@5aYz3rIvtjI1$u3 zP|?<~Xftuo6m78>>e1=2)}vL}N`-ubQLWdn$9$_)oxS2sL!t8R&@5s-4#dez+&&+* zRPmc*nX87NjRKB+8w;Ug(b;tejd{rm6+T8Jfjsle-KE1evK7#|PP?$kID_k$LU<8& zfa-rRH%}G}XL_;urp8uu=r`VBtD?EXda$MA&D~u(d91aivzqD2YUoP-t0oI;;kv}l zunV>v-pTxcYV^yj&K&7rULRpzPu%MmFq`}r@H~@W(^6lQ=osW7l{AOWPR^!xFrx^r z2z`G5ckN)-uS%|G)(3@IKdDy?z{0o9$y6}WI~KKapsrZ77>%rJj~PUmuRUs3oRG1q zE*wPj4YZIg$XcZB`~k+m`iGa}F0)ZBvhoVpqBXL8=qjzsUseOdcCF1G08?A@yBOrJ zXul$BaXzca?Jyn1u`bMSb?ohQY@V3wwAKb`z8jrHhnwFWqwhB=+8P#ZChFE|d*l7a zDr{Za!Ti>DjJDt8TQ#gT`6lxB_3JF(4)LeVZ#0fUq;1OqG~k-#b#6C{v`?qEv$yhN z_!6@Lrk!|*E7$O200g@77r=~Wf5DFh3+u`)QU(8wG%nPRvV;DF_4CqGfCv2%-CG7Q z@H)ZJE_^4hgxy~K(~;D@T;^mQe~3R|x9C~40F#-&QA1z;r00X3`|_B?JBwoiKhr}B z(5JCbU}8vh4JCJ>OBfTm|DdW!Pv@orBGQSTN*(e3L{GJjXi=hPf{xfN6lK$!?8$cO zAvQehF`j|)>^CSELAbEMapZ=%dKvzDhXs9B^hc^)mgHtr9`ulN<3M%f8mE9T?(x7h z_(SeSPU8+tU_(ESo_%+HHE2U4UDfr+&nfhv4tn)=6i7v#JfM^G!JlCE5+_a92yaufbdye`o0ywkGN^;g!B{HsACgG3dQZk+Y>0qQ5G! z?y+~Z4@Dlt`f!pNTcY>gElUER>~K|0W=V+oS4;8PJ;<<*Vo4~`PhVMLi*fTQw8h-^ z8`)xJyd2J_(QGkOyI*IE+3?CS=DitXrbXdo!DBx;nrg*7{4q2RIdUd(H?MK{tQO7k z(=fCI|MF5**_#+p8eV5XF>Un#xpFbF5zrNEe5a}R9}Qf@MR|nZ$9yEKJ0CL z*eGB1%NMIqV_(1Wy6lBCtyo3Lc)9$2>rhOLx9p9tIU0br4EtG8B0#VlXVV!p5djQnq5*)0 z2k**h(BLLyhUZ+mV49t-?@JdKSuG;Ja z_fkw}WM7P`QtV+-6e`u0BWNiAeZTyktM6J0Mj@D$EP%GVR5{x93H~7JBc9Wg*WNcd zj;f^wo~4#C$xT3C8U->;`(uNj-4Lk7WAsMsqf!5Hu0=PzVs_RI&&THuM3MbF_nbsv ze0<8G#pgv+M^9XQh0J(@0(@H33EKdDN9qldO1)53mhIqTaj-js2NKF0!Ky0Ftv%kx(T5vg&0h@9q9<)Mcmt~8c< zd`N=knGBPyE{4gge{#{CoFf*jgVQ40#9B+p4%Qd=VQ2_oubwnSC)7a`;lE&w1f9_9 zl^=?<&8B`{3VTInBzn^dK0!eupW?7ux=NSkFLMZ|1!BT8$u-#uJqy|r6QV@UEIPkt zKKfeB?}>E=C&Z-oB;ixr4!S$euAVX!ySnvmzA#;$h6B32Ntsb|XLYH;QRW zY!oN9bR+E62o@MglVYu|So6~=*7CH9jV@*)WvZ%Hs^UBNmX(06SsGTuTg$hCTJmo% zscJa$U3@cXYzR?00`q*YSnl*kC3m(GzX0=CN81;v7&>`*#mzF^2T$Ffm|?g5s>=E%KYfEBn^Y(NvcfpLVt!fqgzu&^5>d5P@? zVhNkr4T>zGc7xZmgpn7I4aLO&?FlM4v>l-eD;ZYaSpAMfo!bD{`(O zQvWh$_jpm=9u69^EIB94WNq};+U%&plgIV+f3v!CS5Wd~cp(Fmyi55S#b zP3m&U$h%D5W_^#6%F(OOje^zxRIU{TRQtl z8n|K+TJZ5iuzq{XA`MuCjP11LSHAowr;V55v_OPplw#<$1L?aX!V# z`qH-5NWQpL+BoeWnDdzvWBA*75#=9qk3OgTW0CfURn(TOvFVZai;>=s%c^Hz#jd4#UzS`{q?0U)R9l&J&6{1)7bfLq6k~2uZl27Ymd!IXDK{4rzNqwdrIT{A zOZS45y?Ke7lmOW&+e>N6x@}r=$902TS@G+ptRq7Y$x7+wKg@VOzC~El3P&yK%@=7H)z{IC2~XJ4`zQWbfHYf z=3ZlTXq@O!EPcKlM;7vmX!`O>aKg!OWiBF_yKq`uTqAFpiu|+nJX@ngMdRJGi=n!+ zg7e(NHU69$9-i!9GC7w1$TUQ&Y5YZ%bjb{siqQSuAitUU^bG~d@Q8vzWbEHXGD+EC zGwPhjrtvw!U7M{ZB5hCF$6*WH)4?V@`yKjWe{YqfA5Gt0LuOw`7P~GLV^%h>iXZe) z^;BBE>ptlJ(3m)gVYUo*2fz1!+(Lf`w+*L$)l%H_x`fso8#Bw#PQko6ew}Kn8a3?`i4CRdai=h*hjUx|K_@xp-2+o;#eQ&gTtd znpR8l*%EwPPYTq%Ny++llDFVW49L%ToqJ9Y=jtC#q5Vl69`0{*H}B+wH^bR1C@!wh z8>cuyMgN=kEn}6~2C(m;{94=hu-4i>hUWI0_VsYJumS87>r>bO_VsgSsaim@EpfLY zRm-l#2fT8!Lym`luV4#!@x;1=_P#&RGnQZL55i~2uXSJ)`oFe`j7sl_m#-`~*gHkv zg#NC6llFu42z!}RU;EOqUN7+%cy(h{S?(`ysL#JQ(<6}d? zXP?2#D}7I8u!-_=t?c2i{0LI=EiE`kO1@)#Mw_ofIrge8OBv7%bA`~{bVaQxLh&Na zXIoxRqP(nzBCmw}Lxyfge&`C>mXG9fq#+dTS(95-I%0N-&CbyW#$)^@dd-GwQ#D7X zo!n&m^`>bWu1&-C>rGcurZ8Na3j6h@1+MQy(r9UywO?=2er;)&5#X@@Fh9;NjMv%W zGo)VLG|G6n{TdEM-r>ErUnky6IDjJrkPhU&iT6^zSchUwvO}F8J@7 zHy1hbH=XT!R&YLVh)SKEn+yr9$(=*R|LT{vwZWRBM1|S;>{smPlJarOo$Pmq$s>U@ zB!A?ZdjOf8!-lUaY`4N8yFbQZT<2aN| z8YJDLSGPsEE+=jB%6sCIAcol!yx!e$;ApD$dR2#zt&b&t5c4me7VG-R487Bo6WOmq zTZj3}H(w=+esIan<`nPm@64T4e`96q%!bS&M}H3n-~Kb};6@{nD~HkE&BJK#FE)tw z-cgx)ah82I1bD+v2rAx(RTaH%nX>e>>^>o8v~%}KQ32`D zwf=$N=YQ(R^lFNrzezniOMZOO`qg+YxZMRWJb!F$gTHs!SMFYqOhDS@+gzehJ`tUC z1Ij(Vk(pD`FeUISYTG;HI)ncVt-0qj_DWoR@Z-A45Eg62}d}m;hdXlD~!Gr zdt}}+e_b?FF_rI2oHg?CPw{xBshm8RTW}k?5LqPh&92-SjvIsl_IPPzLV>=N_|GGK z#0aU@kfVVb2+rvhk$jh=ulI9k8ew+#2VrQZWTE}d-oN^kDvH6G6KHb?5$F5Vr_#L7X5j7L6#9_Z}Ylr^^Zo=p0n zLB^)AH_nE@GSS`M81)YmBF^qOm?yB#<#8b<+9$BQy?$#Hz3X2FnKJ_0U)T@(ALdR= zzwL+pJ=`zshyBC$!+z09+Yfb6bU%f@uGfC}ByZl&n<25!<@dvBDr)=TwD1||>%LLw z>yzPr*jenc*eTQbkWSIth5MziKZw4*WX(8N^H{n%`!AQGD_$n<^1fH(9EYi{>JALY zPoTrCB1SiPgO@r|NzP#a_LEHRjRhyVPh`LNFNhq&t|b0ZqWDX?sQJ1#_!F2l(rHRn zE%xS1Pr>Hpz3@J4>Jvqy6x1i@Kj~x&i$;n2cfDCO zO78}zOoy1Xm=*F&-J7lQWyVE*RD6D?O<>b|pq`e_0JTUF- zm}8>|t(P*L8vS{pX5&q*CH*7xTgBO28gCM18q9sRvHgWaoxB#GmDgf9@%j^2$IrrN zaTI^WMu^X8**TDTw9lMG+GcT#BO0}IDEwh?$*GNgR}^ZQd=Dyw1r2`3z$Q#7wnq>v zF(^}E=6=2g5QlB{QAbH{aqRNU^p|4zq2S=~tnBr5@MH!5iTT?H>(<1lY>RxYlU-%g zU@Sd#JMZ_Vtcymz24dV)II5MnPi#wWh!Q;;Y5RLBzARJm658WUdUBJVWCviwZrFyr z_eA!A@YN>dv{Lpty%m2e-oCQ3t|VjbG9K(6jF)edm1JNWZzOhY{u6^uRRZ(vj+Y-$ zQ|yMC@PU`ADp)g7qEkjua_U+evR)z8(#MkCbM%1d)nSGKJ3qaZ^|Yq@OeYU zUJL^Rn_2zc4ds|kHqpyU?)%qtPkb(9hir5!hvYbcE6vzmG{}n+blWrW`ZbGhlL)w1 z`lN#^$`gbROdS9|1J52H=e9a%3=$bXSspL%b>K^0dMqV?TbfFVZC=$nMjd3W_yFpA zuFl_!`rcih&n0X6K2T@m=ofdI#8KU7GMA%_>@KSBY5s183p$O)9|wxfwj^MZ<*YJ( zvw6U5u4c=u-NDcN9Xd?xkdU%;2bSr6>x-|I6V;4Yy` zd19JYhNiXyvoJNjIqd5FVTHBUuKAm*-$;+I2GHJk{l-Z9eel60;$PiX)8>DVJTCQ8J&32u(;#X{z57X_px*`!GKv6&+z< z)HxN12mUW(=@``aqiEP;$IZdK7>$wTUrt^YOW!G<3lT5ghRb#k>1Lb2h>X>im&2eX z-V-B>Sl+FruiJ#-m$^R>RFdPwSGW<<2AuD{8J7x{!E_yx>uc??|2%_n!*d z*BvAAxau=&sA%nOrjYdK=Qd&;#iZ&-F@p9_32+jtOx^))SfmwKomw)sI+CiQu$>;9 zJ)R+3!Rcf7(&V6}%Qm%0+iFF>kj_}ocynE_u&J!v70hF>llM?Mzdr>NIf?lnK(rbw z#ZgvLU}L8C12mvI@?}w%)KLy3!)3g3rO^JPzvEb213u@F&DzNgm~(3*4_r@kpv*7} zoqg4jud{d?>h?`qn|ii7UWa*pBfkFhSU>C7JF}y1>29F$+Q)r;l8NW-E7Y zZ0@VJQwJBMoka3Qm72RTKG*e8ga1kFNi*DYrv#6n2D1Tjvnh_7Aczc)=DS^iX%dTf zeaZIxi%Pp0TmludxU?2E%xos(R-4Tvw33*<3z^UY%k=j;J(4+f;hn=YF}Kpj=<-i; zFSvCTS}bLTlvT2?(6M!W)~{Y&-y8L-27-Ql2H95qy05`siSsMWTBu909=CqoVg0(p ztLo-GsiE@7pLV8RIsshkiiWC=s(#!e%RBGw95Uf$!;6~A|4!5=U%DDV>PP%S zzxq?!UeBC}eAQ-5g{BkMq<-ER{Lr^Nnq;C}u-xt7eptt4zhNk|vLFP5#$R@k6ZDxd-$quGQc8HCz4EFUGh@Mq_Jn zH!GcM?GIv)$bLk+{miL1+%argMD?M|=V@A8wUTLZ7Nv&i8?Kg$4M*x2f&nOaDdp_I zR2=gM%wt_Sy-WoQL^YfU{5wJOepm3=pGzna6O}p!qot>uH0@=kZmZ#?1UN;10$nX@ zn(`_f6Z$-S*FS*9i=|Uhds#X@ja7k^uq8;K&bZ8PI4_8$UOOSuCh8FurORDWm}V;) z3yYEk^)=r5$Hk(s$*$;xu;{zOqJtz*Puvz(h^^n1stHRCqI1x@`Ha;ynE5NHcub`I zqx4el{J0NtY?oma^s6)4_p?bMc#V;wUEt2>QHE(PvvXHKQiokC5n!&CK!}(fO7rUz z*NWf3{=gP?f%y~?e^0BmZ_Ff!T_#qu$FT|?{-Uh{ur|kdbLUiMK3eWyMgL9j&b=*k zJnXte3U`^=cKHFOgO9H)*)Q*VWrD_$PMrHWRC2o_U%8jEW<@w4>vE*+OPn|PuQs6^ zMn>EbL;y-qL@$RGcGy+dK~G|6pdw=BBW?d|L%!Q9#}o2p&!1i!oMMdxB9}X5#S>bgx%#b#z%)!<=5S8Ot9AJuWEvZV1GqDxlC}~OYjYVnc z2sHpHZ6ODT^b1P#8%ax)Z=HXHV85y7#~=Y`)87^Q$-0Km0AU}!UKKi#v8WtYqq==H z`CL3RHHX_9d>fvXs0qyvHY?V#LOl^a|jAcJNv} zNXS;Xeq_F@=2hfl7|#UJK{!LQ%qWyY(-rA@jgTlUk;;@#W?8&^Ew+J%DbEr*DL=(( zEIj4oyQK56_}{fn<*z2*UDPLWFP0*QW*H?SKkTKDWy3=uQ9A7l{sJDB6wg1Sc#d}= zL}<`UUs34~NISb?=vmvtD1v-Gj2>PWM;@(#97X+u;D+FcRDsl0cHgnTers7->-9Pp zvlPAW*lbWMTA_}$6&&coR)}cphjig2cj2qL@LpXI<)p+P>cZ)|p#78!)434&a&-ie zYklPFz+@0r>wE%k{*l`p8{uqT?+@@Zp?1{`1s^GvBJ#WI(g`)xE6ftFtD>7j*riKx zAO3y#&C1V;-#nOie2#K6G{Zl?9Def)d|n7L!i)=+<2B>a8ny=(>^N>lGanh^!VDDZ z{9(-+@kbB(Kuhfy<2aPJCicU*S6@w7O^yG| zlpVc$%K4X>**fKL=X2GOM~{)y=`+u`5`8sOp5Z?KGUHpPY$V#0r#I&B`2)l5cD}^Z zJyrX>&+Kz0cGpbV*V|Xlzs&TH`75Rnx6#R-ai~1jQR(Escid+ zWsygxUKe@vfJ{*D2RCLO-0W1_MeBc={AIS285+tTxbVq06387otNjr+m+ZH>i_bZ^ zid5{;1L~_b*c>@mm3ik9O>pdl$d?!CLgtzw>ut6yoT)W$ag@&c#IE)-cVe76W=H{0 zME`&}ZVZiGgs&3;CPTUT=E*m(-JKTvVFwGoP=gaN5ShV$(0ri=%@=BLm@m}eb(AR> z{09rZP=iaHaS3lcqG{y|wM+3N+e)`*^_O$iN2yrJUN9cro0+DXr?C&np4C<14Xqjl zAnr;0vmj)3Hg6Axj%b3w}-z^>*mksr_yzkoOir6^C|V{@HKO} zJzTP8&i=P>&4}KVu9@68K}Ja9>j(vmf5~a~Z4?iQLa~X6~D}lgXX0ZPmV3_U#^V9EK172l~#yAAQ{=vHSj=YS&(2tHh$~e{C59TEhY)-YPb1m6FwH{3@f~2!LE32cCZ>=Wa0V=gx zRLW%6+*=)gOZ-K={y^eV7JmPITKLm%Q5DmNU_>$RU?F*&zvXwZIK@XHVKVqW$gb z?>WQEe1S!|v{%k3hZDQxGj>;H?yX?p;EHl`D5@j8QPGV2csA6#@m$J26ON~tZ;fY+ zxuEg<6t{RPlvMr%e|KG-!&M1ES4#cGpt3(olV*AY#$hQ54OFaF#qh9|HwCkbX&h;j z>B!c{X@%t>4VEpBcNCV#eY#X!9*YvCOJhRG(ipZbY*Bp6YWsB;Meeq6A`S#^y#ph1ZSm=d1l>et3^Fo_A|JlWsg4r9UninKM7{x?H-EruyB9_scyr z>Ni&78)~{7t&bO2aT*u-Npm0B9EWziN0WsTE5Z_TSZt&OR=vnqgpsaoFqVFMG~;2! z8e>uKa~rXC6ADtdt8Od9lb+c}P|7S1rz3xCfOVh`+VlOVpgl_iMAbxJHK%(yjR$Dg zmiA5H^cbg!0Q-XW%USHzJGB_1_1WaZGObP7g3vN1F%?F84Bl#E(DtThzJ+~*x8Myl z6-pdF*on7Jck)@Uyc_rNJI8ts1U8y#tSm1OnDdkF>%YS17za>U9r;!V8i6YBL{S)V zfu8wBVdxCpMTC{X=}+CMvY(3DAixA)0-u%w z?+up@r0>dLG1shmDA4yyS8&g;VyEyIj+P2(!?<(ORe!czc2fT7v z|9P3EwFD#XrZ;d+In;>IkN&+TXnTiwg_)x2%#KqUC?q9{8IvMyXTA#GH>6Kw79s4{ z5xd~{-{0nXe-4&$*m@T+XQdZtIr;(C`^3@d_c+_1h7)l&2O@3%NH@UX^Sr(vJ<)EH z1Y8G@p(1EMbHwLYrUv0g1k|J9))voZtA~N3+&Qdy&SNKIbx(dZH?BDFS{B)N5)&T=M!ePi<$)w_a|a76@i@R^=J$Et;eRo|;^)7D zU-9YxAeXt;%HZC=mtXNvu!O%ZqUyR*eJ19LRyi`?f8#K@^=9?h@;_owf^&E?br8YQH zpZ)!qM!X`p`3x5B8n~o0*POx&{O)3WLQ#K!3pB>=JBotj%AY|r%7V2A90hENKJd#D zQPO0yc;@$SSaM>?3SAbBJUaj5lB(1@Ukx9v%8O>tvRoy3-AtP!k3Nm$l{`KB5l$qt zx(k4ZaE>3XcW$+l#NNw!69T+3rZGS;Bln-gC8v0^=)@HxB{BTKa1tz$#1;;d#EKMU znV7iWl{~gy^4ON*%bfiBE68IjMv=$Xg2I&`z8_hvL?AB1f4(S>h025VN#L|yz>y)% zmb$!`jJGMw1*9zB+O{7^5JLWicUa<%*>d*;^W8Bjs6D|a-7#(kA4iM9cJt>NDH!;& zNZVI9w4J5hT~n~r7dUJJ<6%Nj_FZJS%z2MxBzScNul;RRS@7!LaZL!Bn7CF1)8WKK zY&03Hem1Wfc53(*>v^Y_xppXo&yr3+L=s~F)&p?c2(ms6mgSI_xvr83xXAt5F=Yo21Nvel*e*oO z?n-qFwZ;9(Ii`P>X3hzB@siZ=0if;z3WFJXh@I>+t zqng1Xo5bMdM*&_LlQL%^h!Q=SGuz08sOP!0-t!3(NjLXb+Ho^rR-9Ca zC$Kur{S(3y+*2JC*s7@CiW|L)5rQ?L^Y2DMd@y(iyj7-B4ixg#LwB z#phmulg^sRSLSI}q)%?FTMvD&>%dvASlIU0Iq9*eyPotqU#gMwC{0bR9s-I83WC-3 z*eoAi_FDU1{7aw2Q48$8MtLO+&58~@lX|`e&xIOq;F(E%mfB&j*ZJ%;J)w%wU!fxJ zJTxmhX-JiXJb`I1d-GE@(ht?AahU|q@Lp@ekMb+xWrl|a`*~+Rd zN}5!)M^V_F&(4%LD}8P+*{qkOUaI6$_!5fXs50rOSCy?oN4ysM+=tD-;u)DZQqObm zu-AEb7A_a~vkt7Ew3g6;s{NC)RVq3w^)gtOy=pF{fgP;kgZpMx9d0OJ-!SR09Ayc3 zNUfONRR3h;%ZQ6Z3beG)u{ZYTZ(@S0kyz$l^)TuiOm%YMuqfj>F}k+^JMrThEtyE; zCZGuxBQiKQDDnmw^o&+pS#avNO(T@3anLg#haiDr;UCFWC_GXIYZq$#7SulueddTn zqQClX-d`3Vd$iUlr@hP^47U}8Lte>q(5BtQY$Ce`FTT@Jne~)2>LJenlb3_wGZ=0~ zs(z?@=zf~g7gsj{10S1v3!=&HyYcD3aV*<3Wv_X(pJtv%ma-l%)H982p?Aw87%@Ev z;y|P3cT4o)ErMDu#q&*q!GLaPe z%YM<5oA&o`wcy{reXAEJlg zyqf&Iu_;;WL5P2!^*&3Qeii-eL7)RO69H~5?Kv(Fdq4ft{JZNv z{1$$T{RiUKar-Yu7W)0nKD<(Q%k@Gjc3`3i6!3TB9RY0TPYxcYE7+xjpz3H!8CrS_fc3ugZ-SK7~@Q{ zOo@RT`f4}>BQ&>~vv}V$&epl9vkHAg=LyO0Dwg}b+#E0ET8pXGY6FTrM=?#$<{)3; zTCQ{ocyu=h-F(MAYtW{lCrz9o`ADkKbEghM2u)pDe=PY*BQ~7I^mWyZbx*KXQG(by zl@SQG2IIO`>@*ZrO;h&86pVkGY>WL_A#W22`ab?B0822xnI-fWgtU(pyMhp~Uqn+c zI7ajLXlsXXZuhLo%40|eb-VZ~m%24eu*Q%9vDj>6@xvGvo*3T0%}18;Wj%a!!;!*z zKJu{o<%q54BR$+Ntmh-c*7K2m?%8@i!h!VrC>>X@p0RRiJr8)9@rb}Hh*x>x#JZtn z>e>tRjIHMj!e@wAd2N*S3=az82tAfKJzn1L^s}d6I+Yp%IKll*b2r!$mfsDzFPd;| znv#nVe}X57zb7mENgQGyPCvNzOX<#)`RNz+f9blD;2yVvJ92=ZjNeUjp?%NOXBInI z*D<2MRuuYcMWMe|Sbwds{#r4tzg7(EuN8&{Drb0N8=in|hznFr>zOwf--p5y_cYE**6#||ulcjv0^Y5Oy1Sa+UwHwq1$I`Sm^ghI>-U&jzkP1~ z9!b7}sg)q8#&bP1oNK(Q-pGTUm7NWdAMPc2ZZ!3U8aVR_nDRnzMZbjQBR(p9acx80 zPVdi%<~07M1OBGl>l~aVZvYsc_U=gg7F7Limv{JH0&YkhbrQiDvKG=dQI4j$H?qrL z$1cD1?)Mta0ENlLjK44LZ-&H5Dk<%8bnPw?a$esQ2VO|qcqYo!FT}O^hlfYCVQ(O8 zcqu+6+nIYz{ydsO2=h^Vh1PGdjA_`zQA1Fe|AEc_z~+C@!~Fui2!_r7pr3n2FQB%X z|MExzT7mta_%;GjnExz5R)yl*9KD#KXN+FVaL;tH{~sP@{yzm^wBo%t7uyT|2eH(O zZ+k-f{nkiE^wo&P=6wA9DeOPlF;F75XtJ8Z-XDEr;^7lADQ z@%|!K?e+Z?Q-3k<*x$DzdWZWvg6=ebiwNw=b-QeT_n%I^Xas`ZYAl^%CY-Ouuq9`b z)J_P*CQY*80+Pjt6YjwZHevH736{6d-#m@q=`v#%_V?}8oE7%>?ZfDUGTY|qgMv6Z zpbxVZoMiMt>1SIk5pJzm*}?{|Fb=En^&33N%AQV~>F8&g>3D8M7UWsxD$}UX?e9^1 zs~hUNS?5Idb#<`Y4#h!Z5pSMfvFH)t%eOR5*is*!fqL>#*{Tg4af@y*@KST?p^y9?{J z+tzEht=H}z?ibc;_ptTa-OoK+uib9#!I@)6DXiDc%s)U_!}Ypmnci2aXKcN)P_)K7 zS+8qHS+DC9rs|mW@$vHQB75E`xN9N(dG-5;tylQ-EwQjCS+Co(L+nnrUQOGf^}6b~ zo#xi-8e6X;I&4j8G+Zd({O`zxmYDy-LgfM2nl-PYoYS)UcB zMmWE9sgwfmQB_C-ek(7`Gza; zo3Cf_>$8>QVB~rhMJcRjQ(%cgyna2e17ptdMdNX%WxpQ_zrN1x_lH@}w$pcF0;~$y z>(Q?d^t5*-KO|#AJ<=e}2zCDQ)af@oXGPyXU6F3K8_yDut)1^Mze z_|u#L;LUJPoko8`iALXQ-6bX`(td{EmS^x|CIlgu1E1}s&(Vk`Z}L(HPEaV-mzOcM;+g1>>6D$;eSt3ds1HLk6hsjx z1jodny|~-D>tJ>>)0jLoH%psOI22VI?v3JwQv1f(Yo?&%9r2nfT`Il?F=6!AL{c&X zgs=J>hrs#%m3(vx+!DgR=-+;kJ)^h#anuO)Bj#_l-~6ridt5Eh+x^#Zrg`h0xP>Fp z+xY$^96>zsatpDiM%V9$Ado4Skn=(w66tNeusVFa!W$Y*zYpytUz~8>ODO{S5&V`- zzUoXG9>A_h`%m!M%q#dG?8yFr(_!CStia{_`G4a3ku696e*D_=-w#ikJS9X@o6RgS z&%JLm$ykXv8`Mrn9YPN{ggX(i^shPd)hS!eeC51R;!O8xjSn0vaW;znl!}V`Jq`f= z$4@N#NaWF(w_wXcukdovy~SC;s_@q@$KxWog$Nd5d`t^9{8;K|5ZLl^;vHru{h7EA zl-#v5LVNv7uwAK{wPnfMXTFzUaD**UFmEhxIR@TUw^ewPw%mz4qI_1) zGxMUj)bg2KUL8?~)`2Yjt7)2|gHs))tN#zUTCyyUyZR%k3+T~sS^jSholo#p8B^Lu z+B9CUQWSvM8G#d4(neYShhY=n$WA?4ZqKFp1coji)k`l?z^oh(%7W*=>@>yK>ElrL zC@}Uj_@J!w6e)We>S5_5%Cf>|91dDshq?7@j0aZtQM`^nOTF1y_7EMM$2T^gi#NP|0A=+9d+Nl6r(lGuz_bY}=LrO$1CP+AHCp%X%}hRNF`?55#}_H&IS=iNNtQ3+MYx$vw#Gm`?(^m^}YPX4&{;j zwzjLGcC7lzHG!gI6(g&85KK25>quLS;=E@p=Df)qW)=F;Gnz=&bCL2dMZkmu&j(K(4W#;17jawA! zl^Zzu8fYd?3*E0Q`DgCEO!Msfinlbm+(#HrQKSEwJ#K?729Tw=BRKQWu^|J)1r7oC zq|q>RZPh#_k8Fc_yZMjJCF9D^;*xQ{FP99U-gZ6Upx$2OZgEPnXB% zD$@}P;?ybx#g)RtrqLzx9_Sl8BW=C3yvcv*^7Q-{F>ybRC3z(l#$5^Q)kovyFD9#E z_0^FtTJW5BJQ3C!9Nh4b^qXrZkRIrLCN*&dvU4=Jy2)viM08aaYg0hxnRrzoy_76K zimX8|6;u%F?5Rf}8*LfFW>R$9w$kllll>(g2SJy9>F(r8H zkLZ!lvPvmbJxZbHC>s2Q3V9T&+nSB4EVO2tHaWc1?gsWFbX%AL0O09-;=-u8BS zDE(PMpB$wEVsV4ZCe8219a;U6K270s1hIAef9$;rd{ou7_@BT4K@uiP)Tk&yqYafR z5v-)BWMl#}Fu_~_#fnNVh}c@CFeA1q1SioP$FcO*w)WPxwzaq3+t+Pv6|Ij95dx?@ zeekHrL*)#^Q!Nh#^8c>2&&-?&0rlSN@8*6!|9n1ka?XD5wbx#I?X}llOA4w8_g6J7 z&S;eqhs*U~=Uinj5s`_?$McK?$Mje$fmG{#bRy0tA_QDA!uO1}y{dN@kEALsOE%C3 zRiZwotW5MT)DXo^!w_;E%D>ZaguI4!R!HQeokQi{)SX$Tkk9cuvs@vc{+)&`hZ*N`Y@Ui5zUOSYot$=TE~Iy;IA?HsH}BU5v~R&FBMWf1z?Hx1JQ1!X6G`kpCuV(s7BZ{cGE6`xXT2w_+lX-k6=V+5y#DgZ z2+>gzfpz*mm)d0|JVj&Pwx5)wkRDj2x9xv(J_gChkDU()^V{}=&IeF>+n&n@vKdy# zI{2OCdfy`i+KZ^AS$CGQGdx~oAOQQobvYc6ED zl;+LWs8*25`_M$*jmj2jCxWk{BB4s$EREXkvqqUt4d-A-El->hoHDk+IE;^Xn{f$b z_>3aM0rVw_qxvuU-a78A=4uHA{R+K=c~EF_h5bm>C@>^JMbYP^>n!*7UNsQrZCFjP z&M6tN=v|nqh9@YFU>0DQX#MN#(0O97;2wuY(zEZrAU&hAb;27?Mm1F{3&EvuC)+Mz z8z%jaP`E!ft{5{^-i8|1nVMl&7e{cHJ|K0MUvxf^pQAu0^RfD+g22s8ZOc7ct6SyME9VB zBcd7Ev(zG*QO#H*n%P8uT?V_Gjdny+f={Thr-t2}9)UP^=GUW7A#ewT>7?FP%tm(P^x(pGR3r(0)!9B_bT5w?l{fxkPg`Iz)b~D(g<) z!ryJ*um2wn95mpLLtFB87Uus;I2}=M^TnxC6ty8a#et*ndlP#=-DwM9BFV&XpY#UY zku04@uj3<7!QU$D%|!0ZlzSVW!SSE$&A1vPe?Gknm*Vu6CC2`3N@zA~QvDoEvNZ0& z(PDu0A`lzvxGuRG{Y-2S1+0-}$<-Rm9sq6D@Wk|;ucm5))c+3Jr`>U!Z^-3fVKOM} z9vp4mB}9{ciD!;Jvbxc@5Ml&N79HOLBtm3ZbM z1?d|4CEj&1RAzh_$W^m;J`DEcl0h95c$?;HDPv#{`h9k>NTWKVAJ6UvA*LjjlQ)$eBChXI=AHjY%&H->z@V7_uM3 zN>!?dj2jWM0{V0Xq^xR_w(8^X2r1sa)hRiiEg3V1S}eE$ON31`?tdD8EpUjktX3OO zEm+1fiq-6wf9;nBhDR&oB2^4hB*|jPYu`~x#sC-pQfX|Tosz@5go~eHB=b@iDE1w} zNrtpy5UmiCX)boZE4S)Y&G=^tQBM$5unNr7(X1_G>pohkYzo2v7XxO+yB-T@sjh= z6poM1540{~Mz;mlyz890i~OS?`q6Mv828rNVr)pwVIx5>*d0H4Xcc_x8dgNHus`~o zTW$7|JP<^+g(qSnl-=3F1JRGW+})3${0L&9P&ubn;WIGwrb7L|n)lerrUqz4!28=* zQyiSU%BJ;;PVPMcWyWc6{pen|+IxuME=hi*Ykfg}1|STvNB#RKebhZ+?vbC!kLnP2 zG{HXF=g?kdFt2r4+nP2%nS$fU9=OaOCx*64u_r3bn_R6FlLnC!IhwkVkG~15)JCA3 zc?s(_tH`Hp90~GCP%Fkmx8M@u3Y5EAf{7H$T`l=F);exq!oX$BUN;NPO5GYnD-Q3* zd^DpKN06TPw`RyxYlcjpzvP3)z=y_K^hp%h)1ltlF@pZNEb!P?J`>Pz?%k!q_vxSt&LmDJH z?;?d*i&{T-n}U@fW=mke2cgQAP|ufnimCj>$HV15!gBjEM1ms6Sc_5Tqvd}SLoAXN z*hdLiLu6MH!hl1tb+O0*)91IrXxkxg!z0iPygQAK`9CTRB25wFOe{U&%@Q3c647g* z>ICn7Gf1ZhFY=OAD5W?;Jj8j95D#&l6NWgCFcIP*&Ql>?!e;Bm>_oa5J_$2A;$yBt zJ^tBq!$>vbqq<3aS)eDfa`ZL3)(-fP8!hGRI!mY+7bjeS6t|3B0`WSqAGy8imhlo$ z9V=d{MX#SJS*IH3SUlo=kOz4bev*(!t(6Lf`d*mI5T>qyzCn?>XCt>61n4V;RYl=7 z2DmEUhnNKid>E`e6zut$Jo{r>2T}1+5+4#wS5)A6G2A z4gV>VLGJrtrBUw@R@f^fh-p|ny1zdq?pkC*moat1zgJ5j4Z3+^>sRWTRhXV8q7Nwu z&rqNzYS2D4Q<^Zye7F%*^}Sj$^Pwd(A6j%iwCH?j$(au=IrE_}VhmJiFAz2fn36vHPpY}M>77HZvVG5Z5j{lA1 zWP(^4#(d#uN$(aJ!LL96D7c($&9wP#i!l2qPtpYwCNzwtwD* zuU7j%B0cl=Rrjb4pSG{MYjwDf977eqP(~GY<8=j`Yef2?&k!lHAD}APMTrbs94-xD zQpf|t5yhTz?=`%oKjoEgjV{yU6Z<TnEf=Zv-iz3-MN$x z3=;~*y3pC~K~DrlBNt|o(-5Miw(mDud*f`8Im9o!cMx2{1}Sr%l$F6{?fS`1+A*ZH zuOXh{kDQl-%h??E{SyWIy^Uv*I&~jqe?`ikD`lU{!#%$p|6(wjnBBaiz}|6@GR|C> z!oYtYG2?d){< z@&8KsJ~0og-bs$gm5RiU?ik+mMk9izBJsk_9FCO!hVa_k@N1f3 zt=zxT7r(RzOF0+FRv9H&wiCv&EjGQ>qwT7|nymrhrR93yo1p>Qf)-A9VUKRAwLT6G z5QiSiLjyL~#s@A}y6hf*$o5*t8!hFo#gA@a%{H8*2d%r`;&i5j5d7K7ar|1`R=6VJ z*u;y$hRE}9Icb-;V=T|&)CJ3~H&`O|u7ZH0fi+K-n4|;U0a5;9862k*lVJkONybXVpqO6s*1D1@9 z_g#+d$Q8=5yWv$E8{cvOYlbc4Ts1ssg%Ss9F`&Xxivs8B5V0h;E>>eOUM<3$`6 z)Kj|f6Q1QfLTXNH{PJSnCoPAqIKKU#6{xyQS^p=8XDHpzV=_ zBet{}=YQ#{-TXpyM?i_d8(bFUcrSKE0W|O-QS1xGdIw@vs_5BpE8l_Wem2@j!q1S8 z_zWWnN50MM|Cm9d+v$6PsKMvBXmh;l;h+tsP}F5}CE=f|ugZ??vt9a@;MFmOKH|Bu zBl~RV#J?f>g3H?L3tsA$0JViHgHzZ&>vr_}94yF|n-5*XxMoXQZn0z55*B42=k1~l zCv1kfgeg!5)?F0V{f>sU=zM=BSi2n70(w150(qVvp&<~@Ui9f-t||ItH|I+h4-KoH6e@7+di*Z7-k=dy4{R`}U0 zzCgIcp!@*j?(^|iC|Zgce}(E?GJ_xe_Bfj;l`f!y+rs^Yw>r4LVEh&CG4~bH{)K-E zl#EW5w^8^$5&a4Mkdrjo$gn=*+|Nu1r66J~=QCk-&RLpLkhPf|=i1DUbFJ<;*XoXQ zZO)E!ZO)E!ZDz;0*4c5kux=P{w>#x5jVngEG-GIbk2%!YV;+}goUSw@E$`qy*2>KO z5@BZeTWS@@+c*l)xQ#e^8w~;INC(q57hOGeCRg*S+sx#JN?lzRC{sOLHfhVJi#h`8 zHf{E4`pOi!{ zfX`5fX8^53Ap#t+AVQL?aB{bnSEJUhz8kdXjq)Iv5SW|dZ3ba9D$8SqK(76f_P7ffb@T|ZaO-*$0Um+YtAyA+Y+M%~%!pv+VUAKr#% zPBuW+{@aD;8i@RgP!ZVxkrOfynFo<~L*xb_`eKYUYi;p;H$>k36cD*A7b3m1$aWAR zO?!wCj%GzTqBKMHmiIc7%(WEz9WNhpw5?6(ex6~YVuY9@7eO~P?R^xL8? zcONUG41I+jxpE+Ak1R6@-{NGF^?(}+{1aj}Wi;}rWx87#EgWy`A~Bex(sV4`m_`*y4?78iv9;5T!4rNk8sM5Wqy?vpjChYm=&Do_C1oescZ+Uk`D5{CIxVH zjp=d(X$evn@8hZAtVsv>!Vp1h(h;$$EJ2v}Qme`b#j3JoqxWh_lJP#4Mc^)o1@;OC zEa7Ffe0?Ba>*3%#wg`NqYHoygt2+OH%)59g(Ip4;S1Rz#je$>k03@>V9K`&(pMjE_@|t!k2v@;DEx1|vj~10 z)WWymC!nyscp``3-wnRUP9Ih{B*FoI)eoc`(k$#TQg;_ z79|e%>%Yhh)||{>9WfT0zaxP8x*IU920k)0Wpd({omX%E$$;q(=z2=D(gE1VkL-JX zXolrsjp63O|H!aha-*s5axGQ(5}oO=ojPi^qbS;sXrr+qbNYQ)MH$PUP9tGA6}@Pu z=K8afE6J53=>+kVTH3u0ON0gMi zA^13om#*mHLT~gGQaT%gnUYBqRvZSe2-BU(%cZ#hr|~zkn>k0mF!hF&fJ)gedc-6` zXrr7Lj#tA7lQx!uek=0@BZsFkQocTrFU82UB2Zil)fbWTTVharx1ni`AF0w<7+*`P zpnhRAxnz#VW&)IwazV`H*cJEpep{}7Y|duZG4FcM?Do!?TB zI$N|~kRPJ3dndferR5GyLBGM8BYmB+i>ax`Qbwrs&kv*>?~* zWbSTcJth3FE!#W8u4VgObmIj09WL94I}kK1SF;hqW}zM~w+dO^im^a}k4zc+p*j@F zXJsV*Uoos3L^QA==XwcD&rxc&ix4NabfAu*;=~hG7tzh3!k;>5HB6{oyy()NSxReI ziL-=R_?~pN*ATZT0p&B0OLL<-XeRs{*$FTFLfh}mY<@#D&IN>yV^BMW9wSY8^p zz$A`$qE8F=EBGb%FIh}7l+v#MswwV%EzVOOy_2o%`Dq??VSnXOH}o+)s-Q9`nc2%; z-;id$_%qqsG+UZX^u%^4BMnl6rs(( zTqD@7~JFycrmPW{Y@ity0NayrH7fZ2& zXS76eS4AqU;RddO@^~Fqe3mi*-j!V!|9TUqC%Z}mS$9_|5wh^_Q`T5w<$mQ z^lWhl%iXb6ro)3pVp+8lLj?*a!~Jsn?E?0;`*mJ5a^hY1HP!JE=%>ebypx{3bot)?La`X!?7{d+R&e z{G&Dj4>{4w^ectU-Fe(bywBPxob+f|_~cKen0V1|^0G{c+5XL@QFiNS@g@#%Qg_Oz zm>or!d8eEP+TX+tvY+*4hp6$150IUVh7INWF`N`6e@AQw3zl}=DZnC0>iMJfVJk$+A3hfd-qhxyzO;5!W!iZdW@!z6v-{9_z126Md)qqL&( za{ImjXG8IeYc7yFTJ3vBp+oi^!o>A6cy{K6N7_XB1O?H3)qeNmV5^a(3;}~NfflqrP%!>uEt$xPI0*Fb^M!2jKnRWagEQjd{=_!wR*E361Nu(N^D8wNGDDD;c6Lp?>Q{tz4Z z+e7PhyT4xbht_}Mc3-UWW0Fy}`@yR9k!M0xZ+aVtDxr1zmtvek)?4Cs=AL3}PO-Hn z@o~TYYqHomP4t5h9UkRBY>r5yZYWUE;YejVbwIY*eH+Z05)&$qd5(aT=2ZS;_>#A8z&) zEcWeN%xU0%q6R6)l94kqme5qQ(Z2FBEv4zZqJar*z0eoCzIfR6#Sx6N-eZtQd>l=w zEwIZ;>N1+~KcCp0ISDEyK{*d427xNt zEiLgj&QNp}TEOX+-WC%IG>qvk_pT88at&K9I$CSPrG_yYq>JP&^hnn1f>@vcY!XJO zrdV9i%PpIoc%Dt3Ldnkj@;=ogN1x66)Tn${zDwEOPr{(g3%NEP-ak6h7H{jrMv ztD~Q~JZPa-DXM8NN+Nq6NjTEi9MD#@YnKv&i&buJH;2#md7rA`%=18GaL77eDJ&|J z!bbYqR&p*AN>wq4g$EeKvlzX~eb3&lgLpa5)M-TR-JgxRQ=`W4wBPqpt2qOdQ@{Ou z0tahtX82sa;XcPWuDR&_PMXxu`_$!usuhvyfHj!Bq7G!?$Sfi4371{hLZx@RD$TaX zz9(BLejg;^I9Ebf>&E9MoW^}9slNxv94?~Hwz|@6m#r0DN=56GD!#;(#Gf_{WAYgLFQ&G-8o5>DRmteyjTZ=1J-J)B3G)LHPtSEb$&j?i=3{MynFZlw-TJH!2;w7hr zsy@171ckrxk8DrOiQTlZ6Iht<=oYA2INR7u zs@ix*H+ndm@Wpq0mEPYmfxd44uzg>}hLWASoT(;Cb0C%Ubh{m*_ql!l3L%-1&CZVy z!&MiGomvZ)oQ?f(4+{$w&2v>WgDQLr9_N|*0YeSjh0=@6UB<30Ts~cXzH$1TP^bUe zuBrgS)mB0Q(zrD8-Q@L9C6|6H{kc_Rp6+VOO$wM-c_xLNhX$lVRUd1r zD_p4zDzA}LqlM_l2hy)i;Q^tlckd`?_|IX`?+}<5xiT3<77ek~1kCe^)s--$6Qa2= z0RCYJJZOQ)>!jVj2@~2xBIa(ow-GyHZQKNn7d`cU7I@RO#d~<#PhSe@6yEt+5-RwF z-z)*7$tMVL_D5HbtK~KnS9ckkFX04!5GwuBYR}+MRkODG8dveIR^KF~D^^Xzo5PUU zjd(BtHHPN=5RkuArt%qROG)KUx%!tz;rDHe23j`PFRmAQwP$aKz1Ta9;g*b%*3|0x z)afGl)8v~r43#!?Y1@RtwVQhR!D{Gd5SLq;tXh(tWXNXQO4c$nn+JQJ`ne#0eg*Ph zo^>{@`Da?g4$)bwWUuO5AeOT2uSt6x3IqDxkW-^x*E;e3dXjrj95sXAWPWx0s`(A# zSH`c{dm_D1_}9HSUxw;j3YEqUP-0YX@>i3;n*7z|uO@#r`K!raP5wM_X-EHD>kXP_ zW-z!#`8M5)-BoNa`3lRr(6^{5as)+=pvVyvIf5cbP~-@T96^y?wf|fsbzOL+QElM~ zpHRt^&r%6(yDnKt4%7Y#43J)#TMigxprV(vZ%pu!T}V6X*zT&&(6MI)##AiswR%x? zP~`xFg0b$gJK0^fh0nDgr#w+DmO=O?T6?j7;+2~pK~A@2Bl#NfwXyDs%D#QoCl`lV z9QMD!nF)t8Y#DuRbwfe%^V8}|JM}VQ^=^=8XBvraC9!Y8G@f=}ic4d@!`#G+PRdE` z)70PMnOd10l1~_lwL?DxSUMW-?0x^b8tau>i_0e~#66hxaSiloq%V4?E%FtAY)aoy z?0o2Jq?$#^+qjrkGH3p2mwV2bHOhlS=54-$0e(aIRq!hav_@rRmp>^rV4craP=@qWd(|bGA;oMJ321VvSHL;v zV6!6IyAh?WBg!PVZ(q&HT_WSz^OgL&h=#q5U*Q?uG(38soA-Xv4yJ>u%{Rp}4`;k> zn_5Q*tz`}7!e?*deX$9Js@5kL+XL~thJbEKA;iJhHz80v!;Bqkx2T=9y)NoXH-Kw* z(x^m-LmWnwiXO4brv#)JJ88f68o3+z1NM4e6=jPTCQ>h0tUNSR`O;_EUxmR^~ z`oFTK%CC{%9DYAy@sgjLf9CAKtOAv7E3FoRZiqdCEGy5Y+}$%s`2~T(BNxksUQP2z zPMRzb?Qk|tI46w@nsrVZrN=BZvFeiOCKjTc@8Rz6LiuQrKIi%Lv^UwP);6H$91|z+ z)DIJ%osaNkrI=P%u1dXF#@In#?+J+Eh{^?kW$u8r{;ECqhJ+_A2t$U^3m% zEA?(fWN^xI6`jatuWdpFoA{=kWVgB|-{xN{fMzZ|-0Xd7tva8?@#@|XM%Sjf|-tb!vig!Y`CZV_$4!=8Nw%|Tqp9OlQ_|EnB|G+n32{#}l?hZhk>o z1F;KrIQsfy_jtJGpC768nGKpzG*<`1YA%o2^q$fW0rZ{U@mbwXiq!3~aZ~q==wA@I z)K~T99cTEhBLi^pcqw-uTK)T1`}04NI}i40G&>L<$Cye%@Wcj87jleIV_ly5A`2e3 zZ;KwVJ!(zT;eEc&Q1}*167;$0A}9i`gm)T~lDYG=o^s7O5#FT=}jERb_ zGY37R=(?^dsn~it^<`H{gROT+b^9v8);B1X1=ka~OZ>e3fG;1W2>KUz8$}Q$Hy&<9 zsN(^FPi3q?gD_i33+eBAyC2OB=F?ZMlnWK&V!01jM^7-nNIr*|GqX@`VN8YPsF%W! z@F*$LWu6F6UihoN{Ig)tr@WdjWjotJYZ3PrcY1@1_P?Ik*^gmJ4R%IMQQb~K9CPY~ z4R!%5c^)mO+^Hs5T){2A0cU9w=(`xc9@(aO8@~n^Q_r{&%;9(6 zF!K(OE989pMu8gR{lLF+sgG`Z@0A5DI(KSbIKqJc7=!KE72qy`#Dc{#0FglqfOt2n z+@NSD8)0u#9|GueQmlDv8A5U<M%rpuN*S9Jx+-)?uHZd7_tv~{qc1+D&HL0O z?+n?bv`Ufz8@vy`z>Brsk#AW`hED1+!`t|>WJoqN zyhJ@ogW^DQ15G(?kGHt+G#@gS)A#T!gebM(KyGbhYp80O*_`_JB`^SjIup}&m3Ed> z2Ko@N7{+J<3F@-QE=~O)X_A$?_)8@SN@f37(YDFKm+0KSdEsu!MQCp&XCRbqPj3;L zeXMED#RZ5`-J$;2O;FuK`H|XOs{02iKFz?io4`L{0;ehRkt{`?lcmVBTom~=p~&y$ zQe-agLy_QUS(ez;tLGAHRGDry*zx6! z)2UK5yEObIL;)ydK%q*iBk+wyedu783Ynt`G0<)AKHo5E*6dQ@*K+7xjyQnwW20z% zW&=BIKF7%IzG1#{;?vBU;kRO=_*Q1keAjUI9uo@C4w`#`ZlyoX?mqb!j5{M%|2_Y* z)zQ9eVM9K3VGfV@H7(Nl7|)0B6WQ`AKXrM+W0q)P@^(T_6U{(no9qIX^0OIvC+sMP zm@R3c@IQiF+*^8qS`X=hdm`qJ{Vbn}tzGw3cO#?<(#A@rf<=4U^@rPJhaAVb19DOE zX8h&_T{wdNbp=sJLh*AaT2dRkwBZC$#Um7u`~@wfahWDP`P&}sS$2jat|lc1Xp`2) zdI0C+HR&lyaoi^PX%Y+tekFd;?0XGA$GiF7E}&W6$-1An_Tc=IX?tHybiB5IM3KjDd()R(;KW1_BE771 zIg2WaABNuQfk7E&0o4_@&|HNoqx{1PKx+NAjQ*#GHx!>Lr+n~Bx(|3g5dWKuZ6N-n zj4dv!&Dg>K)moeFkJ;R&0V)1)evl|jJP;LlmLDlt(xh+c79#s^@2|Vg9e$ zTx;StohS9X;!8~a!Cy7;%^Kh1sQj~>_{ZAk|4;}1;wPQ>dX3*kpwmAmzUy_S{K@U( z-!b_|IPujQ|K?HoqfUHT`}{AN{4Gv=p2k0&&Hp%E!NgFP$mw=ckRg6?6Dl1t6tABv zp!hq1_Rmcr8=XS_rZN9QV4XcRoByE6KmB@>{|B0ChvdKAdGxH0C1BAErYzx{u6K8eOJQvk7$Id#k*P$W_F&Dy|(AXsxa$ zd0ya|;=*FVZE|w>U9>`r56El74bq1Iw-Smh^IE~{a`QT9V&*)s&K{Cm|6}C>v@c}q z?|Z!ZOLOYKGF!hVTYt}N{bM_*|0O!??!VUGN}$vK=j8QR{V&U@e}xW@>Az`;_TRi} z|IKSo{|`~2tNzE%k^b){(5e3&c|BJB#d&>29n^vU+tU>20)J1o{-rl-sMNo4y1wSr z|4MHCWm^A>+4}!-y!y*>>c25tzo<1i;~&h{e?tfLm*m#}*xAzm9@+X2(V%1ZKL`Fl zH^poJv-MwlOQ!#0O=wR4-=TaL{L8fdH>FZJkEpX>IbQv_n}WB{kik+Leo?2f42UltN$I;{~;ZA_h0MZMxfLGzsu{f@GrOj ze{}U<$+h7>e)=jP?T@=E2x zgw4CPEV1RJ%4PGmXxOU6c0R0CtCE$8d7CHjSGgpAY2_*(3X6&D1-{BgqD zRvZe2;zdVRd)nz2J==Aj2-FkU#PeHg=Ajtf=B?k7|DRndR$7TQsrqH7TdRC)w)m`% zt%Pq)%38H%o3$>wdAPL}6DCNPto4cQJ)&DK?TL-Tx_M~Nb)>TLx=MrAW9bmtSt8j3 zL(hI|Ln2iW-Fj)ymwmC{{TS_bYWdyw@;sU{u^oe5!!-Z_qQB?c)<-_d_C>dP6T44| zZW}}pvCri7$jbwsbkN%EeVX>Yi#Yhv3;anH|t+E-xu z?+Pol7|{pqOzIErVhrYQr7-T<h`1_O+aQYh*k>Z;=sDIWHpU}J>ENV6Ng2=r!D+1u z^em`c#Z~?7T?F;DMXM59x(GH4x<37W<>Jcs6YmvQE;n7dC+vq{o-hFdL()Ctk8!v%yVf$0hR^ihNRes9#^ zNB<-U%>QQu@oEM?`n^2xjqhIw+VlNmL0$e^f}s4LCm0vIy1-w#J~pz@U%587P5&|Q2_ccH|DN~YN-=Fjuzg1d@yF&`2?aAL) z`3CZ*St5VJbrvG0-n&HTih|}5BXT;j)A>eA-rmc{|8x11+;rr^#|OBbkQ=y2eo-qC zS2f&;d&630_Z6WSF;-Weg@~@uHNb6q4m|Phg8V8iHTH|3Ok{b!N+e~-jr~@$ipADd zwtypBnMo}&*j*~uo~yF6mc*tml}miq2Be(Ggj;+_ZB|15mRIc^S z+a!>!scfmqZx%V3uabYwIpVVQv9S&==8DUn+;N)Sq?sa775in2Oq7B zxNKo;ER!|C{BX7DIE>`+8}peYR8C`%;i>FS$=F!Pm`v9HiN<^;*;*1)SXkU}sC0D(!JVUb{t0U734XMhaU2gpEuIs;^&%RmOY+!-Ll ziUnj?u{r}}Sj&M7Yk6mY3|tP7fy?O(kQtd-AKe`iyd)Ujy4bCvPT_p*`toQ z>`_Nt_NXH+d(;t^5pJ}3?lt1F<};1RY^^BbH9LxU&H2qpI>iNPJH00c^uMh5bV*0@ zxa@sJ1W^@w!OC2sY4gR3eX)QCGaTNAktihLiJ`!I?^DPGgVtMeho(UFrv{(u8+;{7 zZLI}diZ776^IWYFn^cyg*7a4Dv2DaoQi0V6yIY0U7=&1h3vj4|%a_AFW0XU%z`UVLU`A=SPbT59BJ8 z%k-*Y2f{+SL`!|B!HI?%wivnW&jsyLzjV_tLN}4} zwmP#{nz#>%nXpo8jn8_eCU&78ql5)Dh)4yzeqtQSAa)Ro5m@HY1`G*^S?p3g2o1*c zpMUVw^1`OGn&zOFjnJ=YWS2y$wCM&k9=A5#;AxuE&2Mee@a`JkBWEC@Y8)~orR!ik zPAh%ZtJ)-S9IZ0SVgZQ{VWZD#&B!VN3+ zO|$Y%iV9i==SP~SQI6ds4Z*UF2oBbyn6vTR* z2!@+_HGLyrMEb=|46|zt(z1Nx(9- zE5{wn!(v8lGWXx6=f#Sl1|gZ`#$z~!BMN4ICuqHwEsp!9zQGgt)q=5$3S>Hf_t-58 ziRHlcTsOAwejU?bGI21BLE}A56Y`oO&fwK_F+*O{wW-$A^i5~@YP!qVls47S`b7oI zgag#vWA+ajPi($;8>T`M7*9-O#jgZ0gkJnRLACjZp%?OYG`*-{@-K4eMXh;v=!N-m z=tVl2(2EHsS%zM?vMIf&ZBu$7v;yPu9gLiZi@6s{s?j`;P>7uCMiPJR7|yD zOt2KHVXdi&MZ}V<93+&;DEO@*<-DgG1nf)I+kpM8_ne`?-pb&<7@;87S?dRjrIZgKY@Uz|XVJba@qltDg%fhKsIBQ9^Y427 z=b%yMy|~Fq6)~wMKsl0vgkn5=axMy*VaP>5p&ui2XvRvCnPDj`Nz;xW^BLn;&u=EbY5YRai5h-Y{JzBRJbwN7_2HMDfYavJ zg{&ohx>g*tmin%$v-@H=KxX|!IWqENFz_cU+!vDjtx@z1y5cAj>GLX!VZfzw(?VEUG$I(y9fht=|dSnCZ6-disjgYev) zXnX2#n}k;qj*HB448yjCM~19_ux1w53}YROR5&J$gU}oG)NOy~ox^IWST6JWmo#Ga zaM#?EQutrm$6FYbfa=y4V0M@6wXrYPR=pPCfYwTT^N|p+nX{_T_Gkl8J(#4}@ z5N`qYnRLL1GfiytH2c79br2~p#oA~ouWj5A? z(=A@IHMhl@_fC(mzIPXCZE+x0H(iX!eIXDlz(|B%Z9WpT)`|1fWR|@?lFTU7q#lxm^S4K?41!I@X zR7|@o{NpAwF<|RtCVRj8UDBwTpqkiNhygnngu~>*qT`7H)}ZJfR3pSO`Bn6utD@Jd{$MJWpP*mqO=i5=C+{R2e`$;GVqm=4H;1bN``5Y&N;Q-2(oZH{%^i63St9m& zv2wjU-(6r{pqFPad$#;w)n4(g+Z^ek{@}t_1)}eFGjmOZ2f_Ha&0G_=5#D>x(*;`{ zyvkf#Xy%%j>+gbDt$b@?bc=d^oOQ7SJDFZVFb5O$%<6|8(76gB3B`s+58}dLKJyTX zf%R(gHQoZzP55+MYw~_R5N`HF{!P~0O9K1XX92?gJ??SfyF?cUyh^I0;_><76uMi~0m9#J!f|6J(&c4t{m`Xlo!o zK~{PjHs}y$yas#3Yp^|>?XdU);R|QN;x%{?LBpm5CGk3dk zH`5ox-TdnoRwUtWy2%Tx*x}6ud1^7wz0+45oL<0!^H6tiSRBnL4jzVAy|tWG>Rw=0 z*_;$(;+UgB5AR5D|3<+~aSdU;S{u7{_nu(v?%fBTl^e#m_7xgTO(4b*4Z3H>3V z!RX>Hk(Xt=R*c8xa7p`|Gd1U)UV)w~m0WupcCuGU-R84)WvX^nc|xYjs&thSl&SKZ zOqEzXEY8%I&DMnk(M`QrN4q-p-9voQd&2x|BHrr9Qp~*@NOz=AaVeVAV&FX9Tqy_p==v9Sd(1=dq)$@VWzR z7FZ(Lq2ot>W#T};{w~|gvOXN!pN!WU$);rkzNn2u8AAlh+Yy0R*f{2_@8v=SHqs1l z;~JifU6|dv>dS2KG3$vPNXXVm5;{>i1zeCR;G}E;Y#TR3`lK$9j727+1m$G> z$KTU6yE4M!Nyed)@ih`qqXdP&;A--7nT$Q18pZe8+xFv{e$JitPxR$yO#;bwmDXqS zx+*O;m1=8m)Vw!HP)=({b(FExWYpH4XEI7qPHTH-GUm2+-v%*PHix0-MVz1*SSL5~ ziOePt8&&KQsLtoxZNQLk_w9SJcQ|T#yYy~@f%C=e9~LG@u~>8${zBdn%XCTGFLCax z8)Lrgvi5~95uZ7+8x<06@Lxs)4aVel=v=~Ut(%KwKQe@jM?u1KjEprC^f(|mC@Azc9h-0p&=x#UlEm?c&dmwN&|ZEu5cC2FStL%w9| zxx~xWbO{oNCsNBrNb|!3+}{4i(7+D8{ar*v(CS+*yD#K4li0|#8~tL*s?#eMSO?Zg zpAml>nTfzm3y_(YgFY)r*iivbYXNM2JF;Nx$MEdzjIGLgy63WIEb=%tV?5k`v-xn_ zWhZ_iFK?!J->@DL@!7sKxtT^T-+~sNsmVqr5TH&Wb{FG>&R8xv9SVnaFs3QqqJnT3 za@N+3aTH((=6D+?@Rd})JYID0K~n>aU6!D!fbO-m1yH&g+(O5T@@WTVlpU%kX?+WX zDYE}aB7x5k;V^M4Hqb>BenXsrQ*VbTFenjk>T;nB4-hG1gk@J8_~k_gaL%O891)4x z-y~AM^CLZjt?Z@fFhaRDd%Wh_7ybgfX=Doju}PV_?>`4qw}>dHYJok77bdS=!GC4y z+!Cu7g%z_;A_}N^8-Bu9&}vo4gt7 zWEjI>{MK?rks=>KC@6lpipUCURz6uiPLK~doQhM9c=ORDyYbsCkeHko9xthqeB&e& zC*d(&Z*qnwNKX4=%1PcJ+t_%~smDrGEQu~9ky;?%XZLJSmxw`Hrj5CmYNRm@rBaX% zVb~{vI}sxk)WVFCj5`z`)mnS(zE>IH!w%TLpg1&=*;1-3I3tO-W6IDL3FvWCHI$N!Hl#fa6Lo6z{g5roR9;pJ)FRlhcwWE^KD&D6vY!6z9}+R6+6< zl`P^C4iO2QF&mdZK94+MadcO{_uffl5GPGIKd_&;UJFrwe#sF;WZ8op`eVHwRL>J; z7Igs(GK+%X0$fqENW700dvAVSQw5+dVLVphM6`93ioS!fD>I_+V009s??DX8&n zE*2d1N#j9u#K{f8BY6m2}_w{3SYI}c_*)*=KUJK6npW>TX^S}+DxqfvO_#WmmwROypV8yDGnDVFXNqG>J_*xSZ8)W zfAH;V&JPa^V*F*}kOoB^>xk99@#5C`WCA)Z8!b@U;37NAP z6WZZ3L;2gY2*A-^VV|DM#W-@XYIS5!t+idmd13^<7GHT_mABz(K7!GY3TB>zLHE#r zRoI-yZCD?ilX{~<@J7cAFAP?_?2R5IVdd(ewKBMWWo`b-kVqUib!Ek{4vvlwyb$Pd zx;3N^A_Ht@_p2v$p7*J~y_+VT%>Hj7b1jh{s9F+9ksyRKtLTBQGcTvg09D3^U~qhK z+k9Yvu9+K{?61*4y7l9?z2iFvE8El8Ttc{#@ zOnamqCB z?dup+5NF1QvG4OZ;{$n2^G=r`T`ECKC1@!@H^0o}EUX|4xHI|a_~|RjvRbmNmMp6! z%PO*ruh;{m${3eT!74iv1!UfarL@wwZz1-<2lK`)EYsuz*nA&6mL@YP4v1@P>-E6? zx1`NkWP%_3z&od)!#3Q!6hwWaa1cF4^<^=RQvVTItrg-Ewk_ETS(5!8T+ncP+k(Sw z(dHh^z-wK+Vu$AexIBB^_{))ue;}h_6wZU#Or9^xcw2gfHjIM$lqy=q5-@{F9f;ml znuqkBAq&Js$wdhJF8e*~b_pGk(_0n*tOz%XXx(vl+`=noWkTUjcG^GY0Yilc;M zdE-LyLqUs8QhQpI@_Ob=P*_}UaA+{2-*91?~s5u~@-$=BtC(VSR_)o59wb=58n z#it;)K3`7lZdd{C$7W5I_es2qT>dio7|jPzWQ{&SK5O_)vC8k3O}+hxyTvW=BG>@U zSRrX;WnC@6im|a9hwsiYljXduRMjMQh2RlztSyVG93>Zf8yYq38RFElDllc1at6~L zmZdZNO~<8Y_+;bH6CdZS7(b>KPW9vn(yA$ljSzR9&XMVE`*;7UIR^)DJyAwyr6b|H zjLi0K06OrY9IzXJif5u!Ut)Xb#>ztGTQHbd`)|wX8eOiRV@?%EBIqCMoGM;j?3^l& zEc09FeC6oQ_+FG&r0|K#8pY8LSXib$Y7`as*)JoU0~H^dEUUeyl~ax4=$$Z@4><=3 zPSVFr(#Ei?ql0)bAG7CYY?)Z!#s7&}-_Mp714Q3ZTypwIyPK1Ob$ul3`bcM8r(3P& zNIMuE>8$Im^EzDDfBh=!`ir!rEh*^|KiT#1L$kRSE@<9&2gU-kYEobC`UzuUfi(c1tWgqA0b_Kvu z=KTAw80I|2e}f=yCnZcxQ}*+zU%K~;qOTZe?IOUfiG9mcxgl7!+C^+2y?vwCRi(rc2iG-om z8kNRf0nweQwGPO+8Cy3vt#FASErY^Hk>X^?8l>I^gbuv;G8>Jx?Qk7@L~+hV(%bjP zW#FEJ-ovs5833|-2YA@K;zKre*FgL0lq~K2XYd8Ri>u{RbRUET4Os8euQoZxm#v1l z{1!J!IE77r?`x|olMnIa*#m_xA8I(_X}TabW1!uQvXpff{hfl8xFvM98fVhojH<>< zeAvsDu@l_M%(GwPP5O@@p;DY}7TinT zwD}qP|7OGWO{wc|l2NFJP8}mCcu7`bmULh-vDl>bNm`je8%fF}KRQLfbc#KiBF*NT zGE{DOc&SrH7wY5m+9{*Ho(!@fm?4kJ@~D$XwLAvNqf8#fJaBw=loYX$QhlwBX)z*W zVI0mR|0+vzylB!rLWJMR-6-e=Z#+3o@1{5{Ydl+KbG)cR^X%&&Pgy3mU7Z$$PcoA(7+12;fJ=+h-r6H8P;(iZ61|gp*qd@ruIXA(#Idg!Iyy%iHqDxcq zf<(!7{s#7iGQ#&#ET{anQ$XAFF%`y32^&(LIj7nz0dh`tl5EXHR~3pv^k$z zkv^X)!OhqT=pYklNtwIhZaAALf&w8Ps{v%MwzH&y@!hzJJ^cmG8J)@GK zzUr@D&!|$9Yw_<9-F&E$2~bZlAklySaN(dFE-b-;Afq}u=9j|-d$i@3!vz56lcR+< z5=Z*=e*^l%c>*@i+xw^YSvaUa(P!PECkg=E94Y7?Tv((ZeowiE(^O*co_e-AX!}q< z7Q}dhZU{L!CwE|!=INf8^N zL=*w)UC>Z1%k3$Z_Q~17g_%s(9xoHL`MTsKq;Pcr`La9zX`h&X|4X^~g*C5egxPUc zge&O1Z^3MV!2*(2HoM7p2k>;YMd6p0XNyF43X)wp7KzP4B#ER}z|mHRs8w8~asU(S zs^q+$%7Rth!{^2B9B5CXQVo?IJ8OArx=9v31-^k)k@dB)X~Mh}5TBPCP4jPQQ0bY| zfvE)h7DRd4`&-yD)bmCne@-HwCX!u}y_!U+8=%h0x~%03mdA`5A!gL@IyI8J2q!X* zUGbPwYfXb2md1xmVs!&WtdB>U(PYtdo)3Y%1#XLAOUu@1m zd)q>T?frFBI5S^GK*+j_9t{TTd~H`3Yd_Q{?ML?>-P)I=wM}H=0Ifs&Fj8N(>4F@l z=5MyI`I_U@Tz{;Zd%J7S9A23D%-IF}QkoN)Z~Qr<$BoxSBFY#?p;z6NbwaJ|E@hlv zNjS`lk%{1=InCdEy8I84UzHD<^yPR|AYDV6p8`2Na>#@$YO@~o$nmE|6zj>^_| zsn)j;9=fc3eY;CD^$j^qU!}g&PCssa4}u`B{teRl<`U@iFD&uTh+pCI_Vszs$kaF0 zyed4;OxIUU2GLByPeywF-TYq9uQ&eT=D*GS;I>P@@{cQjJ@=~K|McMWZa?|$x@f=C zUfp!v+Mjhx^mzU5FQ59>j6qe`_TFFFtGVsOlP6C9&36w@ef-LgUdYN<0`qn}0Z|CV zZejJ_86GCSdM&OHaowjf5W7fNx48g`MX(wm^kln&%7mBJu&?|&|9lIs<(XV6Wk598 znh<}6i8o@XaS|`L0}$AjB6&d2fH$(o%U2Sv(zExtWD?*~S=~_cY2R?2R(L4~_(SdQ z{YvB~FZrS`_3+I*R0@L397#uSw35B(0L< z2;a0L5dVv|BOtPy{dnB2E0vAOCSv{8yT}_f&7Up`610(J7Jmd7A@l;II&EK9ry z3wRx;ukinDo^BP&B63H$ID}351B8_mMAPK5jPP+zS8XxLru(K3SODN@Aa&#D+?-b;cS8P5B9ql0to ze#ng%ryt+YSEnCklqvmK!T)3TaKAeEU1@ z9vEqJgvg{^xCz9cE0>f36{pyx-5lrP$^J)2-qj-=>Cs37OGbCPs9#smj+B=NBB^x1 zMtj>c(!j0oci@A4%M)GlUNB_+ZF?qB%1b5x%79Lr-v&5Zd7D7t>0iY4E@A(|FU@}l zYmj9K9eLBZIy4edH|=K_?%0(T!^T!baC#jn5;PswHC*gc@^DUf<`m?GlSsPxw*?LM zvSHsSi>wot7rjyBOURt2j48GIa++%;_OD}<{HWw37mVE&81{`or$AJGI3`tqa6w)ddsVx{B|`iUkEw3~%E%=~6KMg6_QIPs%^8-&Bj#+wMjZ zE1~V>sIoC2DPstd*+o(n{};lR?zg}1L)ikaM5KARIVnODrKiH52}6E`XsBG~FuKC& ziLwxC_VyXqIOB05BJkcvm2cEo|Ir1YC19+gkQ>pR^w6eu1vc zpc9`!to|fpV2IUI`syN9!tq~iuru!Y2i;?S>8%w@iBX zS^FFA{%QLA&|lsCEk;8+Ls(8Ds)PQ@_+J0hzr8GL{uc-Q>p#o7|JD3!zb9+|+8r03 zEbITx=MBDDc!2vy|K%a!1Bxyv+#tNbnSsBK(*67dEK3Y(6A7nIc46oRrYpUQ83tV*wSL;mHec`c+8HYG-bfLy&qGKJ9!@KIhyd(A0 zJ@X>L2>b~tj=X0#UxGx+LM!6kx#GR_!eIX2YX|H|c^9*m)++%?O%~e*a$gxC*LM5L zzsP~a@3axA0)NcBad&jFzp$=85chGYa(Kqf^PindZGi#H!d|XdaQNO@$9a2SGE=b{ z8Wr5Tg4!#apH;#>U|~+uy-$)9Ssk=dy5LV2hyU2*CymxWSw(JhDcEoVNX;qYO=yCPs!A-Mk# zwR&E^4dJ}|!(#J}Wa91*OU*k>SE3BU>Iqc6A6X>w4E!jUd|0_JTO{SZuZb_!YYR9? zkL;l7F9;iN|N74c=jOe%iO&p)aV=2u3zk0jfy}vKzggBGeChcI9zG(x>E17&d86>B ztL}a8_rjz0yY=$(g-`v)^S+OTSN(SXIemm*{hz|WY8oh@7vA!J3jeAv{*3sy;!pn# z{CkwlZlqZ_g!1&|^s!H|A_x*vojH-E#!s|xDJ5qREOt@@p95v~u`OH!W(SOe6M@6~U zJ^zKgx6>cyWK-0i8wBQQe_g`B$_dkb1O+j(00%e6T#oIalY=u&&32N5BBz&fgn1$< zM7LAIa(a2-_Z|0g6XCV!kJNI$T;SrB+bcx7`MY^L9$_mdO|1#Vszj=LSs-?;Ryl+| zi0)zRq`;J!gwQj&j;iXvU5qw_w+1D(gPvIfuzJ&$Jelnj`0>s+70*rw3gDU9B|pYT z5)l}=*JAZr?z6VP%KCA1tGQlRDCe1~d9@V9(rEeyh!Z68M9!y5Y}Dsg^5VDU4qJk^ zkj?q#?UQVdI&Yt9R}+d-Uup|qkD}2tO!)?<;XmIY8Jx+y)G44!{XNDZTo?4bL9~ z3lS02fy@HW@30#dc+L|Tq4-Z!f#7-k;dGL=`Eo=kY2+HGSSktB#%JS#eZPH}gGH>N z1ml4oaQ9t9Rmq@t#H)gp)4X#%#4da3m?WGJxCnuy+^SchOv zto*urPMEFHzmvf({SQYLA=5C!d|cl`o=0=?Fih;*{>W1h_Fx$t)as-N6)fBhZo-Do z==hNSAlV+H{K}AKR2I>7?MP*D<I9)ni;0Yq05x_>53=PBvmMbwUs@#{l#}}Jhn*23U4zjFBz(5Tzj zdyA*;DDW1K-%;va{P(fmiXGm?+s97xu0ct34U_5vAwpZd6%4`$=#Hk|0$$}icuc~? zesmFB>#oQG2t#-XWiH%B>2ns*hkR>QU=7#mJ?MtDsO!?Lfu1SQ^h0#jpd{$;Rqc%f--Pp@Qi`$g4V#bf%tX# zfwraS_nx*h`Yr`01N+yBQn22MK1mAAUSU^C=NAZ|bTXsa&!PRHpmhMX>@G$vn|8>d zAM}syF6!7DD&?kP$srz-4xxE+`_w~1r2jwm-UYs@>dgBmf*KS&L8GEl8*Eyk#TF`B zqF56Nu#cQ*tf|t9mKJK6N-NbwX{7{Af}9?Xr7gD33~gzL>2x~Gj5DQerlmCj<>Hk~ zq$nt8tKEkn294ns$^ZL%*52om1dw*7|M&C0!-wp%FKey6_IjT6tY zA476yb!R1KZ4AzvTvc^Kp0|UXty>tS(NwLi>MYGtJWy`pZ|lbH2nJ$K603+%YD0H?J9 z>P2~HfmgD+dZ_q?u`S-vXE8`>sq}`ndi@V$P|;%8SF*9@Wx^&5u1HKADGA+doBvB4 z^@+dW?|Tn^4O!1e+HY5QHf5c0SNA{#GCZtP^#gg^KRtX;MR4HFK zwicAxYOIS-PUiLmqj*7`V1?;g{0PHjLOW<)L;SGW&6M2UlPs;FTxz;|eqPRV33kdF zf2Zf=JkOw1cYewCJ5@JU)_si#3^7Pq(Wf#jn?VJ1MYSlM+Zb{L+cz&s<8%dnw7m&+M~?(f;?4ii@^|aJntviX2>eIh zR{HQJeJF@FzkKqjj>UT4NEJ2yV`NaLNZ}27@*l)RSYLgTsC3wMK!~JOD zW~8mx%TyRz=|AEeXyV1lgPn}{3dxAm%zvN{_7d~7{&wxM>uD1)IcCDB3Dnw8K($iq z&OZ{`Bi$%D=uk1KLu7GyuGs0sIHWF3)gS5FXm1IeUK4JQ6QI&KL#2bTo&F;~7AoDc zhI*6Tbh$|;bPAA-ViyikHe?%vK<_b;985}pyuAx=`J1W$m zLUo75STv=6te44Dbk{B~IRF=%=C)Cr)kRxx!N+JDhe6Qa|4HVes;~gM8!LpfSj}HE z+{MP4`x&n4xgBc;SKp$=%{qBNGPU7PczL@iY0O17!u5gEIPK`1Mr;7HuURsASdH~H zo7Mh>-taYE-Y(5SdRTeR6SPJQ*W zh7UQ^tU{xF$ugwi7e(tHqnbs{B!Gh1uDyc!ZUwg04d4o^y?xSSle3t?ke+(+Co=?) z9g2VB10fETH42h+J<@Q16XUPSBDE7nzNKT49Sd|kg*|#HB^)mOyH3ERyUvH?42hMr zMHcwn;^M+s$*#zP?Ob4nC@-x2a25T|M;FBAtuG-);I%69_F=4uo%gz~Q5!NNPQLJd z=awz(*Pk+h|Ijn$KNO8`GXJ5mvEffnO700Q$V<$%zdgeGZ+$pXA>(+j$l^=4W|PHP+%9X}!qNZ0_aQdFA$&(HzAKhk z?%EXtJD;c8hfUQSNbvYj3_~mynix3I^*m<{8P<=U&s<8+ z^Qh0~U6fPEZO%ri&_os5(Vu-8@q%DFz6R5A#3TKgG4*emkfUqB-RyiqXSCEe_2H6; z?0+e9H#41X*ZRMtGoRkE@^9p#zH_j<5ZAG&a~Kz#EbScQPL_9i?s3R|Ea{x=ZiF02 zedi2!Lrln`PVtqFsWAV>e)zDk*k6WPy%V*%-et0owEmV#RUc3DBOec{A`dy-3qSG< zOtYEpSD%+&Z%<#@qR$Zx5lP4O8{ra@l%;aq$Y`Puv&HWdB-1+GcIpy^@rd*|K-rt=r04nzg2~XBXdNdv@)r3*3dWwTv1*4D$ZMNnM++-{roa8q@ycH69nJ$Bp3Jl$?P(_7)wv3B0E(U70a z)|>Tkla%to)*F~9qV<%^d);r3H%NQa?qITE67gYZNA9K@WxY1tdGTh zG3rdhRT_LrJrj2fRuiqdp7yx*M7X5ojoPeTl~^??-U@;ZZb$2Y?C*m^Wq&&wN#p39 zS^L|Ly4Tp>?z8>v+OE2Hi23!VTJLRti(`iEZ@CjB7WbJPe5Nh&O?Ey4* zPT5n$ar&N-9B1x~_D*N|9Pmy*Q$qya_M%pw|Q1fVx4; zPY!fbQ$UkZuiK9O!rg!*?FbOrtX?DaTLg5x7A0B{+F=ueT&1J+WaEd4LGVtW=vkwQZ_0_6 ztTl;B$~(_6F2L8cEGBO;VFzC9g8&8u9g#-R-GKmR_+G=&tt?K&e>`#gT)_ur)oU1lHiTCOYMyrME#t^GAHH0H|S?p zuZ{;_^{9N$>>lu)(JOps&!xDD4n8FLPa26iQYvVH(FXL%u)zS7AFBAW| z{+YE%8-N)s@VbA_fFoTP#3NpLQ0O8lM1S%DY)%d2D&A}&h_Ap6><>i{@k16-@W_CG z8!#zDDxsHVX+65h9vpvnXI1+Q=*C9iSl$jeO#ZN_Jpk>}c7ayFZvQDKJWg{0?Tzk6 zniFVW?`{|;(7w%GWJD56wCg4W>*#i7?rbCiCy(k{Ov}Bm|A%^6|A`^kTzx@?JVP(N z)2p5W5-za7o4moPGyOt5yv6)UD*tcvB$mK=n9wBUiP;Eya2x~#d;KFfJO3(qK8#0U zb*|U^DnbdutT=uFLpJ{--%(tFxoM{%FL4KSCTOZ+8tu?phyQbHs(QSdIXl|?T3`7p z3lC-ppu4{X)Gw)A&MLcGLjrlr`#hr|+JL?FSM z_81q~c@Ds93KjSk0XtfN(-f^WYedjy;$#DtCiwwMuE1<1_*^leRa z5G9XsiLbD(oAJOa^o|%1@2Hm;sG$G3%F9Fg;th%wPfoaRjK$xnh`%N=P)*tI=20*@ zd~HR^k$Z**hBi~pQskG<*jj6PU$!Odnvuny?_$D{GHhF zw=42qv(Gkz9ob=i>nv#1{CDP2;x5e0WF(7r%Lb;yujXMiZ!e}q42Z_&T)vWl(T5JE z`JfA}rv|+;o1v-mJZy$!GIU7~lcA}|{!-tRkd`;3`!JB#AYMgZ(!+2_6&h86xmGEj zZE|2ZBt9lE91@MmZE)3@4Ahe1Kk7kXF_g4I*%m{j8Cg`^#%P z!BAirWClY;Sq4MHdNCM!Okl)%u@L&Ux?og?t>?Yk3nB9HOysl5 zfni*!pcQ{WKsK|HiKUGqlo&|NaJ-CUbk>J7Ty zizUBMnXvW*pJ`>kokyAI@W-PiFWxgGnjCuy>}Ms$x)MTvJc$KU-VfAl>%9`Ro|RQV z7IW`WfprU1K>uRHTPyP32u$E)Rp*Z_(4;y%kB4_%AW?01|QZwy=F#Dg{j%(}JZXJE2dcQD6XFYG;2 z=}WvJ)6paTcOtpwQdvc>p(sv&rNlXqv0gO(U=yFil#9j}Xo=5mCPp**mJgLBz8jk9 z*%t^rb*h%Ut1G_A)FVgw-kr~kn>ebeb*9ZW)^B{IJ8UjpN$l4SXP+=-rfR{Y^=a{N^M4w+fuHa-Y z|Jhv*UOTSn8ZQ6QT@LdnBp6%bStYOf_93C_I$_2L-rTXK=1r-(Wbva_u_TSc)qUgryMu9-u>7$_6T>@ z)`=TbAHVHxHrY*~%Mflp{S1DW8SV$|aSManZ_vtnE^gKP~GY8(B`?SoS zDioQ2A8){ZE%a_o`%h-^W0s!;sXSUMxfS`%cbY{0D)Z!#wcJ53$148I*7{Vn{vKLS z-5{WtW({wQf>Ez4M0BJw3;;gSJm7mH&1x{*Llcx=mC3SHD=4? zWr!onQ7R7N{^Ymf)Hx2vh2r%tZ^|gX?{inW@9Rs|v{~VuYUe82NqvPc4RSN61@Xvd z5FY`jXr1=u6n_8<&~TVKGL**B3=C0Mcrpr6_iGAq0^_ID0{*uibj<(LJP*=`e6Xyp zwm=i-?TI9ANDh4Fllb&rcf3SP|0^#Q_jm@J#^2AjlJ#1auw zYFk%j0cd=>M4JLD{Sp9=mHC8qZJ67gTz2b&7O!T)7l~Iho40bC{3i{1^Bewleq$Es zBs-d9_Vx?^f4^GQl9#Q)R9)SjN~OuEFL2Z7CHhu*cgGLc)uQA)39V`JH=33HRg~ka z2s*<~sZ@}vJ{dT6Z8QX;(#ifU6iJLLCX@#5-_J~a&B{#eO}s|f})@bAWFYkS(A@%11nTyL{1T{lx2;7 zt0Ie)v4+vuZUM9q5_ja)9U!HL2wAr@4ZEn7o2KE@2nBYgg#s>>%;5od=c5eRFlu}2 z7c$ZSF17c5o=0x)|NP)!?;m@97*D1=Z@C$s_p-M9RnJf6D%|gvKQFm~89zQRxdA)< zH3+@BMZtcNJ|cuTN-CK({k*OdO(pXvvOQ;De03dgXQ(DY158b+a5P$n0;12>v!bNE zI;J4xmZZp103bGGK9h;TP5&=4u1aZS>5N*@R1Ey><%S43WJuP{DN;4LEDu^URx_hT z3_eKx@zfvB#e=`0n3<0x&M70jR2}XK{a9C~jVD2)!lE$hqdM3VJOLfO+UrkjK+Gu; z+qaI_JKX^^{d~=gT-mm`k^I5#v^<{$S+>pMLhYMd2Yb7-U z$|y))%G1;>Tu2@y<}MOTNL&E-s>O75S=X+kthb>G{2fn<$C521q0uKZhx|W`7kH~j zM5k409odY@AT}&ASW&q0v#mosX+2wJ7^jpaJ~_DcEJAXm-eeUXwK<4PGrlOkk<^(7 z-#c^@{gAwk_%s(->Z!X>XV3Zl0XqC<^=?qIEM7Ah^Q(9TQoq>I~JK=1uyhPD#$BzW>iJiyG^nR}_ajRE$CBUn>j4HsZ2JSt~uQg+K7U0Z7@P|!h z@doXYBj5Z9Bi?$Jj6uG|8Bv>bTmK&2#lhbJm9$rRJcU0X6%GV+Ks5PVqvCUT9E*P_ zn0({%k)VzntOF#Zb{rI>cATffWF2PcFq=c2*iZdxA=R&VO8si?>Q`)|x2|p*Kl&Gq z-wL8lD20pg$|41)@OK@Wqk@}?INUZeGU%2ukwG^Oiwv4HI5KElJ~t<*+;x*xW`@el z=6)s5359>-tjM6hpQlz63)Bx7ThVp2<##re@{u}8Rt6^ziM`UD@6Xanrpt+-%ijsQ z{P*f|G|@1RVzj89N9RATG19_ZITwt!;C?9!jhGyG$<-OJ>@o_MH9i6?{VEDZ*NxBT zPM_32>AnL9?O;h!Ge!fA(y?E$bdCiog$oSKfL~l;=z6V%Gmg}oxhcs=(Ibcc6<<$OgxR zTg^o)u{8hWH*!|Lz4}ZS)-Ib(kT9@;aGheKNaI%IvM*T>Fg~fTt|}jz6DS&nDI{0b61Hd=o#d^FNR8w10^(IR039$*`J}p@*#> zc6dL&WM=Ugg4{d`;QQ!eR&`;Sq2~CK6~&rNkp>CD{Yyk}v=3S5zx1{IK9dq75RmNj zcW^E}aKq&+%d)g6bz7RTywm8@!}Lu#4F_j!X|x9@AXJso*o=(c@y3|(kzZDiD8dtF z#4s6knx8Ghpya;qg9R=#zbD-vW^JygO{|hG4a&NLhyEsAP$YP{P?j3`6ujG&*hUGn zCsX?>Q%#vk$+5rm@`9KBGE-uVmG~4T5Oj7TwYl;uV0N9tR(z#{ZxrvcNhwFthy zD8}+wV4Q!X{xnJvulXJ??*%K2?m`63^b-5J7BA#n`4|}jl;xDYHd**{R}lBc+)@N| z00tf{h=9ok##(ag`y2j8KIEEG%t>(yk@}adSWsNOtSTPkKa7n&pWW~b4^tXa@O8l@ zCQIk_-L`h0`>Jqg;Crsfkccu0l{GdqBz`$hm2tJyVBeoxqh3!bAS+dNmspb#*W`Ux zDPJfQp;GD$m31(-R6bPrFIBKxW5V6N`cu~UlwS4xY%OJM+{iG=U}GP`h}maqFEskC zE~Nsrq>;ns+ooyIt!$dcsryQ+^lwxbqW(m`R0V^G45FShQbjmjS)~87CCvtoWBj>c zIX%d$xi{F&*w&G%H8pJIBMtvT|I`3j!qrY)Ny)Nb>g{-|n4jO>8%z?C@eQ05A9AET ze#bB`{^F?Zdipb-s#i5{s)7W*n#1Wm%&lwu4wcY;m6uj0vU&-kjq$gIPhBqug}qdE zl+-lnxBp9(5c{CW404zY61x0=`_6yvoWS!g{EnInQXiwNy7g6SKKQ(PMVrWKVM@A% zv%?ld02Fp2)uDxj2FBRixx1GUNs%s5%gv^bWpGK@fwhui@%6dk;kwzsEudtpiODm)4b zPgdcj&YDFxUxM?digG7Ur5**N)5bH4phnNBV&eKS7^oDhN>GZ_xgbE|qsKF2vb z26HUmF^pqu#~3}-^8Kbx4sdc9rp`*%Qc^cx)*+<>oL1{&I$6)j)0DGTYH5Y-S3brE z_=C&@8_lSs)ZU_=#jIyl_Vy{R&1SWt0O{t8vQa17Xp>&nTDe-v$?V{w#Y~bG> zfFem?Gq^f0{#@OwxG5Y#oI;(ui^NSLJcnCK&1LjPZP%BO(?T;$5lM(Pfh8ek*}j$)h$0_E6^tVCJuI4kuK>pta<=?#xp(GWTiOTj$yb#7>|27=wqkb;+8VH@#%m z3`2o-SQJ|GBbvO~v&jZgaWhRtHO1@(^KrMvY_b)-iJ~iQs%1(~8|Nn1AE<&oElWb~ z{0io#=2>_9vJ;+f-dQ7dcK5eB@%h%%-Aa3%7(&KizQF>PYHC$=3ah7d+I;H_=UZpb z`PP|FxjCIS-#Ud4vCgB+HCGvu3G2+3?pN!mZEiPNss58)r;PndD;T{-4B2P`-R zJCf`<_6^N3qZW~dk86&}nJjyEay0v#|MvOjWOPm0^KBQ_IKh1D)gJdi_xXl*;d-y+ ziEi`FJH0$4R-0)Qu!{Gh?YEjoCTI*a6g!G@MFWIlJ36+&B z-CMo=TX|)dHx$Bs=xV$r!eQ)6$ulz;#@y`9X_t3r4URi0ME!5A;Xeg=4+F3F?AJ5D zH5z->gYOv<%yr)1S#LY7$<-Bfid{RE*=OQv`VZgYZ{RzzULrtNg z5Xx7O`qhmJC_j(SVmaDxO6$}gF4w(2t!HF+uQZGwL4>NwmR*iWTb+^_+@O#`FmPkk z%W_FMOV!7BMmiz3_8F3NvWRW2X7!b%vzo&6^MlsU^5RlUxPf$y9Snjvti8I(fX3Fa zGMYdhm1IBYiIrsA0s9$5{i6{{Qx)oL^{3etGaBP$vGlQMa#68Xkatt}O@Bd9_f#`2 zP)8Uab88}aTb7AL&v@31-6G7x^&9B7&`T#TyN?_GggZ>7HID1AaINvZ z)ZO|Rx26ZTirg&>%r3h*xHXVl!jwk6GcvyUmNkv)6+h}EKkCyhyb$=h{F;P>*WksE zJi3ct|MD+t69#WDS-VMT=Q=6v?@UU&^>4Jbz0@Ql|Cj#vezCvPOybEMVM(oQGxh&;*@#&?V=c z<|4+0_SDwL2bw4t8T5ci4?oM?kES(O^Xz9LQrwAC`9rEZv6R1&{1x$syysMJo!R?P zFgp~m!ArZ`vt4}gtNqWIktpiIeKUvx-t+m@;qy)D=br=s>3l?9;&MMhkT0-W`uR@{ z&#@f%BCjtq(D`4de(FDT?JQ18T7$GFiSbBa071cc{QfI2p#S8sNWrauC0C-&^Gcpi z<@u~g!T0CU642t)a|GI6qQOX?6KF>Y8VrU7NrPd*Lk7cw?+b=$_?j3yGRUOZh{X-Q ziH2R`fmki#C;6DQZZUz9?3jh+pOa3nLyOX|81kJ7o z&29$GJ~P`3Meh$RRBs9v7;Fn3TxM6_HMkf2ph;JQ9&m8~rac?vk%Rk?)$#Ug?`(z=dxWb9t z@~|MY>J+L_7cpRUrcxpy?@ zmdcuiuYR6VO_Yk2yyf!1*_>=b+al$eS1MJC^eNX3mMUeKR4E|mWMEwhtUX{21vlsg zY7|wdRE4RkFpI+v=Fxtja&g)hA?-L;jRjeFM!^LSQ;^>Wg|Ga6x6%Fnz+tQ*XBt%l z#5FP%m9!%W4aMYqOVhHQIDAY?)}?`~-=9sO+^l>J0_Fc{y7ch;j1J~EKZ`D=-NZL#m?xJ3w?!(g!t{3`$v9eUoEG}r;2-i^&9%?eba#X z&EQXBTxmlS8ylPp3Z$4$6>*avDYW0ckHJH9{}_81<1afjjA{O|L-6Iw@s}MMaN{pK z1ZSNs@7U%_WcbSt-`&aZmmLS(9mijG)XUs;>+y~UE?*kUM(+jm#$jtb>jN;?h%h4c8?cmkegBx zhy^=Gxpf|ZA4Npdgc`U>Dtxc5+m2{~y%UMfegsFMyQkZ)Ejc1gvf*VnbYz*kFn`V? z!Z<#8>5(RPvi!(K_c&B-EjhBw-EbqT2HM;W^Wr#?;oG$jYQmpWVH2>D=y$|Bc^M@! zHelzN)~{=P$E5c|V;o4<5ntk{`^Vhz^-izfs?U+Q3U5LDIkE5Gzlm2fzU#%c=ga`d z4+Uv8!2f?T{2wO#ADR&YyE%VA*#Fj4nZ1S(k{l0P4)a7en6*Z-*=hEhS@wDJ_sj-p z%0>;3FX8PBC%i=#q#mP9>)H|xRVMLQt=+v{TjY7{^uRLGlpra-)YL1I*sd%VVp9|j z+2l^omDT-j7q|LE>K{2-Ueddx(^zrE+kL;UY)h^i!+sjC5yBO`>J9Je&i`Y!u`_zs zScF(}USx%E0eSET>#F;c32?nYfV(;HH$!71|FJ>>_!Mr-D!;kzl{|0w?-kl;|L@Iz z>>@s%Osw)QR@9zm$!(nocU>sLy$KJ;P0{8Q5qxmSkp=M22I}h&*}Z}Y_k~g0df4l~#fuM-NE2*sQ#_vlm>U_*p1{nbK5**+K>Ys%z%=aor{~+dgCvRjed>N_8CCyP3pIO%orhP7&4t>et$u*F)}qLT;<@}IVu4CG^U zpuAIkjagrpguPm7y*kc>4ola%(vl8;koA@M*uq3cKD?sEU?-IfBI4jG(8@d?i$9kt zVtt7wuft#M57L|mG~ZNl&U34*>$zb5hjK~MdF;<4qp1CRT&FeE=0LxOk`0rcI-G5*U#=&wjaKaDHZ2BA3yp>o3} z*Ps5^QEfeH( z02{)QBdW+UKK+03qZj%SMRLl9n-m#hMl*y07dHTJjDjN&0{rPY{06k)g3++aqg#80 zzo?4%#DG3v>emW;k&4ENOq;ik~HquCDmB`@_vR8>PpyY9u2Nfe$1^fZ)LeBVy>%$1*IJ&vd zS+Fj=jDSDA|2s2l|3`F^X)G7V)*X(@DBe>^W=^O(tdfl$vGKaX8^fhcR0xC~8*$CQ z!uDWqNDvLqoVs3o+LZQ@9H+OJayQ%$R<&1h6>bL0+oy8n)b+DC3)J8#w-CxF+){>AVyUfVCZFisNMn@G$R|2?xjPy8L}#13 zax%=p~rcX5em&HX|Mp+jZ>8Rs(lz2!_^pH=ibn8)O|IEZ@|Gbv{^D_jGx_bZC zp=}JKX}Ywb&C+zq0HhfMkQCNpsf%Rs7HF$~+`)|$2Q1soMC5zz+}Ow=EU^rmzto>N zWJ8nvbKtK^^lu28$*4a4u=eOR5#*r~YfiGuY8>7No_A*VE&EBVCw}P-Bp(F1yPO}V zc^xRIkVW#6gTccubdhBzNPUxb_N-@2!~J`e(sc+R3eQ+KdvKrX%S}7h5{mLK_t$*S zLuwCP|cvErL^&! zat$AgSNzXk?UZZtOu5#rDsSn%-kbgjGy*Lujf|DWz*P>7O z1p0(eBm9(EKe~lM=oki}YPbe{!nNoVK7l^r)3cF_qEA4-FbMs^pxe+V+`rI9$1M6I z1rL;h*pY&7R@%?^rrOUBXX$5<(=`lox`shc*D&Y@O{$)FU>-%h_yWyur%$L9#w1FM zMDF^PP43zSetad8!BYqR%LM+1uajsg*8nhAe&o|EcxRd8Fahkew!K*jR^cH|nk{+I zGRlC|umA{nOqYuB(G(&e#9uJB07a}xgI3ei3RJOUqDh{zw6KI*9HH*6{}EvdzLA+boouvCkqiL+W+cU{Rh=m_?8&-&ZsR6w%p42!m z_X99B{|ny?|L1HfFsHy~!NSdHdgB`Bf8<)T6}TO8a?$B%YSOvRW>cW7@mdj-iIj;l z#WBrB{QDEtOn6>2em&H(G(S?{p)al+7AcrK2G91-jO1{05r^w>jT&@ng;s}X-P+1g zueXlIORqGF))uYWc&XMZC{plA3K!g}YTfHvqBM&D5r05*RZPz*I$Wo?uXo;5q~mQP zIo5t=wvIQ?(DC}oI!<(U=Aw1ktVO^{{0KL_)C(L!#z8SiQ~#_*!Sq?NY1fw$x;j$- zpWuBozCM|K1QMe;%6yX|7zmWIdOMW5YO*=q}}T? zQd0Wd#Wy=AC8XWYr|nl;8b#n*)^jZ0%3=JZ%QlKnY4LfykH3TbZG;Ei8Wi72$tpET`9Ln(d{WIkBWPDpQ%&9JnwoAMn%T0R zszJE=?Yn5|6|QN%wUtKH(ONnhD|xoterLdu7~YJDs?J6QQtJPN7cV@*J_`?}gEcR& zaSUS3gRMk8l)YXMZy5G#m;v-zTl|~~<#PYJ2h;k>A^AP^l~Xkf$|j<(oCjSoFM|@1 zLy1=Rqi{U$%fsuk3o<#*!#Y{Kc6__*b$PLbU#?guqt4L+1sw}1&ON-~xm_4ktf>Sy2 zgrj@p5eRBAMWO_~(l1kTftVM59~Ae(?{~$%@cRStFI23z4s+sILQa+xH@dehEncs- z5(~t~sL5?ynl?K1aqd8DesN0nFppEU#?Nb*U%=_mOj~6oCjCED2bBH=CA`E9$R;YG zI%Nz*lySI$VfYlY-27>K`}r&onv&50WXMv8L_@HAh24f`A^ zm@lYA3gSPtpKs{{X+@uBtpq3OFHet!8=cllQ@qb>Qnf)AkDZ@o?n=GnYM%X+&Wa2w zoyuP&f2I7vca|3M2j7XU)4Yw8(!WvLU7$9GG2rZB5KFV-5!LO1Ma`9RIv z!OMFYU%COPo+EYgUn7F|*jUNSkp<0Mj3O4&`sn_R6?yApu<>;SFJ}+?3P!Bw@^Ls` z4jEu{Khp=rFF$KxzXCvmX{AWY2h^rV_rU>@4{=qt!BcPukO_6Y?1_-yo`AF{|P70_%&h}UAvRgfNrx1?< z4@y@FrF(cDHG6JQ7mDh5@dp>`X~8^4-4;6Pw%Ad(hegzmy+NI~%~}aIsIpsH(BvvT z;(nI7A4lRA%(JU^ZCk|mrzWuoX5nwJepiOZ#N-e%DbA7wCdIihn)n#91;4>vhC-ct z>{9Z%_o2vtgh5@LH_Jr6XTK5=CD`6!<0gr<2#Nzw9Du>xJ*7|g& zZ)yJGM(0x(^z2ZB^(^d4t6dWC2LI2lzL4=;vCf0)%1a+NLokVJ2p3N$vO0j0=FP6k zk?!p;knc|RpLk+p0&=m(OAiYnI9YyJ z2*R^a?7QUfGIzrXFfju*dWd?-!@_TZJko=dZTx+K~Ux@Jiz1mmx z<`1EG?mhfRs<%`!J)x8vYu>bth}e+dFgs&O84cdVc0e0}v_7NXq38wuSl9ZozPV`0 z=)*Chnp@f@@?f1&jW)B;k_2?E*L(yi^43vgADPED5wE#=4ex8pGuV`@pR+f0J$2IZ zFQUX5$j&T_Z_vKLfYxOB39;fD0_@5I8T2)52UbV%w2RXF@o{z$GUFm8kn_l})ihPd zE2Ajoqk&hQ-OZr1^RHX$h45QDIfUQZ8Gvod+Svl$TG5bf;H?!k;YJ#GX7I)h1KwIu z7cKxEX@KO*@^`Y~x-^z7T+8KTv)~HHgB{$RRVTGke6>ysPYNnx!PQjr3Kv<+uRMTa zEW77rK43BaKU+P)Pw6J!B-hTYSaJfwt?S2(X9GNZb9Z~CNr}Qu?8i2;AKO@w{6t=m zKWuYdZE2smqb1VHGX63JKz4c%!HJ4SypS48g=pXRXz1;uleA}hmz%0M#aL-w;Cg7xTcQITH!I%`2kub;jzZgSf@wr0vYESdDXSwM4*@6vGktlKN|(qnH|I z5oIxas;r2#&Ps}bLh&WPYn$5;{VN4+DoVQiHMQpa|DpU)M>Q#?Q$YsC7DwvWs8^#wQd0+Wg2Mgk7ud|{&Ntx*4zJR8)0 zYMx3a2VVBNL4x7U4JeR$P*WcJKXNsNq@H~!pdc0s_J3m#(&FGhw%Ee?{iH{!3svfA zE7i(Z$}wKfhx(9TYw`8ZFA0(Ze~=eN6IbKMac-Ff1nBb~0s?%L$I(P>zW;sNkiqvu z{HBh;eA#-H!AF)s6y?ZiPEmS=r> zU(hG>xJFTBBlC>9u8;7NHxLzxu)2xz^{fTsi&}pk$REsKW^?sbE@mp&73O^D@Qb#l z$Gk?KEPuN{n?J}PjZN-3IS<|Bwp1=ZB3XIZ@!MESOkXgWp+;XoVldh*qiTqX*D#`G zji(98W>B$*zCiZet_e>~jCbAcBKU{>ZA7I4v#z=1fA+cD?!VB{v-=Zyk#+yKIS*Yg zh|1H)e}$yoneG$c!1_N`FYo&)>;C;z&F%gTs`$@T?B4xSXOC-5%s5{Ef7FuO|MPRY zSZ)LLg|PqcpgG9!Zm$2gsT&vN_TT2$jcF<3X{QL;H={+i#e1gc>N+f1&Ghp;FEOGy zHuSk@Vn~xWbc^L}7=nT8`n*`)vydcc+G6DQ6!|@24k+@RnSPB}3t4E+x4Sc&^26IR zwXJA6DO%E8^F-<<>Ry}d_Y6T{HjrJjEb_fI1c1R`c718&d&;-TjaW$&7wbkfmDRUK z8m6<;DJ?o2X}E=xm~>~my2%~c{92%d*)ST1qs^@_8f&n!MHcoUEQMq7?V)vMHvbO4 zP79Y^6KJ!4qu|$7IB>Fod8D-T$1d7y^sQ1q42Tble^T5bsRGxl>8q^+X zR5P72vrMt0uKWu+6DwICX()x_8XWJ{OhWEu98c5fr{)RR@co{&-)_)ywrN6@Y5cbe(NcTJ0o0J>@ z&>r`QK~NU?_PS^ZTlQ}wmhdCrUK1@jT*^J-HPr8qG?ay)9&_TLzJUcV8`K6Q&wwQ9 zJ3#Urgy9^ID%_oZgc<-z7M)cGjk7!`IX<-|$Ok`WAG0 z)8pgBxgky{DB1~5f2BLh#)%9&?(FXlstW*S>A__>0l>=-*e%Xh9MHXEKzq4)mjLh; zN31sXd0W12fx@Th~bS zv<5SmFOhjR^$#4v8?ZB7DS{=YZ`?(nTAQ-R^OKpiWi!K`wYJR4!PMidE#IZC@q>T0 z^<`>^U^kyQg0%vu-Vtmuu=>AeeHjboxh2Gpn*V6seLM1=n_p%)Q2sW`H0u#e zr;2|Xn|3FL3B=xe3lc!kZ#EGY8y%NS3T~5^jbqSt_N=rb<$At?$CQ9^;a9$SXJBAQyD`UmGBK3o9@vEmT*rvqjO;je#CxKa1 zZBl&ZmIK!&syDH*;`Ypq{JQ%iwlEkcRS@~>iPUpcwe>R^-+gUz=IcOYX0gxLU@SMY zxDB(;Ny*WvXvv$AZ|_KVDuRD}FfA@Bwij|D_(4 z7442RoX@2~t5pNpwDDpn-)?OK&xf=c!@RdmKO@jb${It48%k$qrW7fDRj79Q8!A*g z;tjS3Bs$z%^Xq7QU#w(rq~Yf*IJxb+VF%ukx^K}L>|PQA8|brGjsY6=;T4J4^IlX& z7(j-@OKfD0#QHxY2nbv+qO>Bl@-unf{w*Fsp&9aDfa?LjF>@cq+4D|m;}-|TRz!?# z2dKMG`ySor*WDk|hH#(l&)YTYQ+Hbn@Y9+LbO#(^8>EdBFBJ$ln^OG9waF=`^ZF?o z^eM%QuS-_7+JnaQgJpWK9(-%XOVo>%Y-NAs5fJua0VP)Q3_xMmG_!b_pjBSKCDNd1 zm(tVrDKD~b+?E-WNW*J9l)5_Ok65+O_8_FFCfO2gvNn~uuK4soKEEJHFaxFoqsr;#pBXf`(|4g zPp48@W1~bFHy0x*oGlI`aSE2eo)oiYzp{7K28*g5sh5KdPUb}CImHQeDFgLDZfXV5 z_Rga{jeoxBLP5LoV(s4f(e9m}0{!$WjuJq+l(KykyK^!#@*CyFQ?FTA{=Tld!+DYV z3Ec6L|1l=9J$2b!tv)z0H{lR^Oz4r29q#f$f^ibh*OPU_0JJG%AaeHEMW(^`yMB zp!Iyl5x;DF^rnzWRuZDa(QLnLXZr4p_ce{vvpq+fRL%%XwmEMeMY?urJ?Q?t5h!He zZ0yr#^qE4 zVG*IZKP*u>i~B`trkcRS3!7*v8ozE#VxDvaW$_6kMV6TJVK@uEpNQT$@hfe6M7E+w z$57J$xAz8023b!KA)HWDD5o&knoy)e0f$paz%-Jlvf`^gPYRNWsuUkLO!DG|JQ{*Iz(@$3f8;`*BwW$YV4YEbHof{L@dtVs-dJ zJ`s({b3Yc4`f{gc1l{p3qm|$#vwL}oI5U5Sdx;IN0xZqrW*FbA`s=c0s9RU$pG_&= z^CcpR+J~I$C9Wr!+y*7p;j?wyA7&qVrT@)`72No4TunNpSNym?S2q~9K~{hiI{BRV zyNB|1$s0$yk@6Go(Z}u#z?^zjmjTG#`er$NssOTdK>leghJ0tF{!zLMjH8M73M21O z+EfPmIw=nCL7GjcZ)S|Y`cg)FaKApV@kNgQ9lWLW9-e=S=NZBNI4ki>m58duZ3@dw z`kx?a&_M2y%PX3=H(x>Ruv**iKS5#M^+9fe4#CYDFo&CGmn9|+29XEzJA~gMvG`l9 zr>WKwu?;xohcFKL2jDA57b$+P*5`a!pYu;dx~4Uc?*8mWx|=rh$oina8$x$Kq>(r? zx6hyAffv7(T0AU`JoI?$$)-zXbD&YaHH#R4UpAl2lEq#>O8Or@Y7*X3ev#|ORJ!p# zbt7%c;<}-T=cem9CFkK?Hl+P|=yzN|AFG5RQv0T{Wb$_%mbCJi+nf2iY003F#ZPfM;xWn$rPXjsu&^x$44f{4<>zBeB6L_;|fpW37CdekpFUxL1i*- z(FOiTXgnIft-yx1btXg9XGb=q+$ij$w%>L>qd?lvfiG>(E>Xs_vc^xV#4{=}j1sGI zN_^c)$U4|xK?%+CMt%c8hR$BO`7==GD3qwUon6=0!ak0K-l&u`?* zlP_eZtutn_;882jgGF5gE>Yx%6v<2lH*+r*nthW(X6~SO20L#Y5VC_!ZBD(9lEj6* zgr9dGY)W*qhmUK{c)@utdFx?{!2@jMqW&$dWn5T1q_-Nm;O^45*1MDCZ>f(wwoRK= z_T7!NEzMg8+zqp(d8w|G;Q-@1D|q$N-4bIinr zyiM3;Y&2^o;=?wqjx2nhXVJum4U!Ishi)?`$fc#9!^I zkx1&})P&-!roq?z)@5of(y*QVB%SzlPA9%%ohVf&B(LZB6*h=^E$#qlll#bGoc{MD+JN@6W`xC{I zBFZR>CxdQB!DMwaydR-Z|Ma^89?JpYhxPQC2~=#XPk4VdiF*B(8ThEK5#_x03$(et zri_ofHK+6S*1cQlo>B4AULH>3p+E8*s1v#FjqVgMzp|GQXJ3N9tMtN>+eZ;qDH798 zJ8!peh+FI&3r3Lvm$LiOUEK5co*j_r9b7@8U9u-HNcQwiJ&k|J%#Hp#!-$G=5XWZ5 zNl!j4$qR${UIt5x@9qPJe%j#rAC|I)hgwDz8}SFp6HCeq>@mxDSHL@j zo}a~L%u9U8lP7|s8EXlm!-HGt;f?e#oG@Aa`wfY@^`dqBwkiS9hqB6vXD(~JLErHm zo-2}#tlczR>5bH_1doEG1nJ`3r#S-S62|>l@(huj^7w8n%E$oak6gg0mh7r|pd!wK z|7z<$i~lx(i}`bFF~CkQ8h^HoyhseUvrInpDf^a-=;H$|fH=)1Wqr--WC?Hmn1&kK zrJ?p@gdcigGZN=Ps< zY5djgJcI%{v%sVCS9MKn7*Bz@f-xrh;e-KY>n0d~CEO5Ji`qE4uys(-v;;+9PcB`! zm#5MAN8CU;t@` zXlCHZxqsm!!j(wjj4NXhn`NEc=d07Lmln%FXCF{@_c^HZ^^cE8LPT1`WEgt{Bf*^4)J&TisKM(Hingr<|%F) z982DppEE2&?QQ%0l}Z7w!TT3Z91@&5s>xL{`KTfY6xd8v3<&=YNQ5Rk3FO$RzhINS z&5tM_`G&d!dFO37JytwG60^s&xOI!~4LdzDb-G^U_RDtt%o*wHEN0l`-8Km(j`7w_ z^ngsCbr0;)5C4b}JqB#jKl@PJmE^B@)bg&-VvPTp(2uIBziciRj_c~eW)kCKL8{s@ z{xW*RH6(A0OI6!fFCzP`lGD~%ceUL2>7(`%6EhXRaIA{g@-RbctiK^Wbc7Il(vT3k zF23`1x+uKw@K5@UPOZ0E1jaaW=T==&xKGd<<8hE-TDDzCHj1Wr*Grg)m0rU&c)KIx~}xX4Q}_E1 zoJrIRw)apH#rHPT?c~?TRFwRwdVGxj6jTt%BcG(4wuHtvbsEu8LSWJ#@+#Of6Rrmd zMm3dJ(g*a1iV2`sC&!l}*jqQ=kT^T1DEUN-DDNeE$tPNhm##9Dl2nwgu+fhVgs$zO;XTUMzT{Gq`Uagi0t--;{u@72&GFT4CrOni~l-F-UZq&uvu z;26;%R{O1MU3MYGUygf{uD=Z)HIgOEA`35CI`IkWXvENv(jXQ@d{EQn7m_?=KtDbwfL&{mHv zOWaw2UFDTu@@i=DYP~shxb#2WH^_$iI_yypG=^-byJ*7D->@js@B`=}F7Wb%4Xlfi zpgQZ~2}P-S;r>DCz+wp_C1FM|JffRZRrf39Kq(O*ug`s+x`HQ}N$lt^zN41+{jFHC zb`1F=(pAvxz!TBpKL4WHcZ|6IY@e}u@#f}K-$=do&vge%aq4SIDUt70eK^?FKl4HO z8SUET$)6F2x4@}0P5h01us=<^_~F>un~NV(`|kdFY>rPzp%bYsyc83%*rf=e*A~$k zT>RQ<>d?KWiCJRqph$9ZBvUph5yb+C`0olNd)>f8aeTqLBxR6O{7j3fvj>ek_W!rbW z+>gYtG0JzHk2~n;v66$41;XD+$pI0sy89}9r&Y*Dg2l;GO>@PF#zR!&HRdzCnEK-hs7WpC(mCq$7Au$uFnT7Myj4wChjA@?N2aVW;2$e&XQXi`z5a$HGr} zf=d<#er~AQY|Y;;{M=~^N@*A`10{sRPofEc2jJ(=TSNRTYt*0{mL6dALM)wNSUSP5 zbb?{2RBfe{a9H~9I?2M)w#WjXTVUyhhNauN=oL%ZCkspWWw11}e7#$I9rb78>&@UR z3#cSP&-lv_ayXm>WhI_}?Xm7C>z~yZ4m60s?{Lk~ueFs=4^ZxB`s&_MPVl?)uY_;s z7`~m;3%;EUJv4k%Y#fN-UxIHecHQyqC&IV0IS5}f@(OeWGfoCY6vN`6qA3iE#-EB# ziA)KsfY*}Hnc3w1p(C@&`^|}&B1;c9QJItFhc|MPE$=_P%iT!J`wzFd8_w}r>=eZV z$LGg`{0EnN$q|RW`HwH7s7rv5E$_dojT*{VS#?!d*AgK7f!ob6Q$h3!=RUi+`aPNH zgg@))^;;xb(wx&0hP=Of3`}<;zQjhdtnLtIdTxyGK5f)yL=maM^!bEFR+eTxM%L|z zLDC?AFP-10tNOn}d`!l9fqaxd98Hes%o%4J)ps|(Bm{jXR?=;JD^AbE$F%XSfCbq9 zdkhSa&wNKCUy+!vWz0*iDt;Igl@SwTy_j1vg3R~7c8~b*<;4$kCp5LhmXn|^9vd!B zVu^XKffdD#Y)owXO&Eh${8DOKiJnDQ70IbgQj0!6NI{Bi(%V6NdAlp?Uv@Unk57EDv|{Ly=(MLR z688(c6i8ep9IGXD_$ydw$}kgbDRbC@835RFgA#^V6zC)Y1clK=gU%1>75nWsybFj4 z9p^VI9(0f{q`=i2zCDb$fUhL+#)s_2ddkl#4-%0m_pLV_ww*G1}$m{F-Sxs zC+l-qtJc*L0FQ+qL5sDnMd))c_)%_MjagThgq>PyojM+V1f^?TX{DhE@S{owYa|p| z(eCgBV`xHy23J8|k>}GeSJsJcFgGFu%!B;iM}>D9)Y%%MxXl zk29)pCezlZ*Q}+*!?cbN+|DgMJ7cKa*Wamir`|0s$x7_8dt0ug{bEnJq}YQ-_)Dx# zFXcpdio_@K4p9^BB@-)cHS|A2rQ8MUbV`H^R(8G6*IFBLuNe8ip9cQ(0`MV%WtIm&wFYO!9a*74|3&?4)VTI_wj!t|A1#B8x# z5_W27y7^8$mN^gKa66qU%VS9TSyS7n5C#@=U;lFJp2+JH5C>JyY!!uqb% zr#L&d&Ck`w;9ENE)GBc~T7e@CUqdgIYUVI%vt57V5Z9YH1kX=nsZQO%p{I>dxZW`w zOWM^{V`o{>+ik1^`=ItFo={|IyT+80NG0mo_0_6zNDJLZD@ zLXd|pZ6DN*eURSe^3Y}V=Uv(d!OlM0Gap^-^i@x}k(VqH`yhg4DP&H3QSm}vhH@>q zI=~gy0$oNejD-+~tG;_lqE4%0%xEn!{=;`1g-?womltpA=SsS{|0m7;#Z>mES*3a- z1YUAh??fiXykATMXc)v0f5hq_;*L%G49-=E(nwkeOGL=mCNa3BG_1(4%^TYkT#1f;Hk^9~L7J&lM7;>|o zr4uR5z^;CG82HH)=h8>SU~cOEKtRRqqh8N!@D_tpReOwO+*8E)^gYJU?CHkO?9rF= zc-5XtcT&G+sykVD(~qE5t*doB`Vq8P>smBh2n*LBez&Y+b&yZV`WmyoE(v?J z)Ow}%k3~Sj-ni1Sl5Iggr6~k38H&03ipTVkMn7JJpK(_T#8tAU=J_;2TmXVv4B#fk zv;>Z?=h~kWm}4LLu=bG;YoC|ACyXEUI{A)*3fpt?rNGbZi(W9~P59Tgtn%CI{(wIP z{YZKHNx^rRCF2@;7n3Nd2jm|Q^WDt?@(QO(Bo4eiWT5b>RZ@~XAperfcei9m0L`U4 z0%$JZ5kParju4vZwWE56uw%{+VMqB6VMlC-VMkB?HE6eXm9=|3cn9ySU1aYxV;r2j zy5-NR5Bs_(>}!?vXUdMEY{tr5c$X(WQ#!r@XSX2z z5!{N%7g$m(!Zo)^GH#M zTr4mCWZfT74ILS9cUjhgBUdx5sF(tg2CQ|uQl-ddgB2&ggX`-#C{;!i1=dTL7O^Gg zWh7HX$qa*=2J#cFH-dk9y%7#@Ve+Z=01uY73lD(x^7eV|ab~?)>~3V%n`Q2XTW=n5 z7r}bdjC@K4y|PEudZTw)UXcyi>&+RV{G^aTnOdrvahZCu=8x)Cj(BQ=pxE6Wbx{uF zkWZ~Qd(`Hx=+HN!L)S%zJ{xWBx|$Fcv7t?|h65<%SR&f!h+l9Xz3DC`Tm#r6_4{}p zowmkidPgi-UtGz&Ctw_+2}r-bSQOmi-A{Rrd6 zI?u_{mZ|P!dCM$!vZ6(StTmG|^WCPzHM1&YU}!9uwS*i;eItS(Y7xz zBcbvfFk1;lp2LZEw}0leV{jn^6;1OkmLy}h|H|i%QeJ${E_De$$4S|C`@c9^VQp`g zK>)-Im4bGrD%h^?9t>a8WJ9_YI($+)VDOblSM5XIT5b(g0IW04EU;A z$HmtsSK76hi?5;lEmyv>%qlR=!sd^~jrN(Iw`u;@fcNJm#W~S=zD-0fBV9ic z`RV`9@J_v#u7^~P99XCdzN?Q>`dsE3+K%#cqN3dVhscYbC;#D2)EjAW5%Qm&;-Vm4 zF#CmV>=&@7IA;Fb_Zyu(L3z=YR_V`>7ge7~f+H(T5=2W!bPR#DWlBOiw2-Nskq*s- zRTVWYWp-yvhu&?HBP&ND#2JzZy$^jQ`Ei{*C@aB{P6J8M&gisBrKuH_4_5nnVAvd;N;lV`lI0C0fp$g8YbMXU5eiv8GC@Zf9@J^v6slm*VWch=zm$_ zKJq+A8osElz=n#1nb9il!sIMQ0h30{9*< zh-Z>Nu^R~4zZ?U8e?EVp4R9Od7n9gZL@0r#kKf4sG7mlOI?{bpGf~7iYg2Q={Ni63 zzP6h&g7%jJ_#)`pyMu2mkWfVGKe!Jg9R}PN^*~#bUYQV-Vz! zdYrQ+tnO|=96>~;y@(^$B0)k4Dl;ru61!w9*uwR&*Dc(_gqgBMVxr{%S9|A*kTG8w zGUlrsV{YMy6oMlRzLCx?wIr7#rnRaqMb`32N)vsh*A!Drg7)E~H>#(m23?03$;kHm z0LOwT-vcVuX-Xc3Of)m@Z2fZm(AQ#z`KLk9zF6>g(P>@meH};&=XfN;cgymlFaH zZMdg~%#~)N`P01W_aLz98dij29bSKu zosLFfyX2{#T1R+Ly@7DS?n(6%=#86CQa9G5uFA!aCWjwn8zXzxQSd`{^~c7K?&FHh zPVpvL?#$eD^pV8^vUsyB(q?WJVufG^HUhJ1Pv0cdLK+cz^bQ`XPv2|?h%+~j%%BFY zuU!gtV~{WJ1@b4{L%<$ss05wDiRRX?6Pjqtx({S%4_~##;zw;!blmB-Ow6>Es@hhn zRc@s^`n*c77*wy?V!`mX%s$49s=~SIPW@FVA9xJ2h;Jfpl?r2w#iZbB=Nrx#xgsqpJM%TQ)8#5#>LU(wH`L>jOS`k(Uj`y7%WW_ zig9C+>4@+CO4fWK1~aY1hB8^^Y#_k0n=Nym@Y2&oUWuBY_I{fa6bt7B>Y}QrrpAWa zec~{O_bbD>vM%+36Q3(T?gnDyGdUw^SncA2Z94i`8dj?mb3-^`0Apf^(Qp%EhMO3I z@-ZfcO3}pZ%*41e8^~I~GC=+_x@MC?>2$z#?$6qNTu{tZXTAC#zaUa>76$z&^^d~OuuD$_!TScD~<}PNNxCaEHUb#=Fg>B^JmFZ`T(0kE1z6Uhr?O4 z(jJ5pNl9|=8XZl3Lq%*Z&0lS$HJyH9_n1yDVxwl%V$eHMm*hd#tRmjEYt<&!stsx& zoLj4&u;#+m=pTF;^h*93^pB~uGN|BY(@Ix?0{QjczsE<-8 zr@$)XTFqBuxBnx1Istp{&1KSo;WmH(tb-OR61O4emRe>cS8ktzd|a=WF=4K~nAw+M zA2>GKK2Y)Mq@BqRHaVL!_JoCg^sGYc4+~RS_JrtgPTZcb`#$E54{0AGAr8ve7e>7v z+VAYi2eMQ44CXj}&oGWN_l(ijGp&qi%Z=wu}xr)SfX)&C$C3V;*i{ozc(9zh3j>gSybT<5*JPuRl0RCMW_>c9` zmq=c|I}83Uz9B9|N;mHGbAML8@vjaS3Z(UOU7|;6QJ3Iv>BLuyco|b(b9Ay2{iFn0lUIyBi23+I;CVPJzglQr zlOL4Lp3jG)7Zj3=r;t#a>3nQ1zcQ?*gXf{ZzC!-jJ?$&fmNk{=TQ_GcYv}Z^FBUw1 zpWYq2^+i1gLQV+C$?|X$ydtfgO3&@;76WXH0k*{e+tNE=SB4wpRcQs&F~qH*Mhpqm zM!J((Q*!KS>cb8DqHx1rW&N4bay&SPySlUj%Ma{nmOQ4TNH2TyQn%QejB3MJ9o9L&U?^EU;&p~s`M>9OFQp1R%WeTw022lE$BD008z zeaV;Qm=>7b1C+l0{@m&7^p!SC5J3a!|M%u^SzNw z1@?7N4c9ZMhC6xp^dRUB5*oE%vM!_tW*BVrfJH35IdON%)9#fV$f5`T#0+zA4%zYP5+rqi#OF~-hgV7sJPD@S?-5A3B1S?~Fa7ar=i zey7=jT>3wn{HvphraU@(z1Mo-4S&r`$)(1rX7S&m&%LhqUIJgSvy5NQ z=I`McH<|tPYUlrTb{<{KwqFPpAKAgk4`yJE!vCcU1?#6nQ#!nR6_1Ir%5cJgc#V6- zhdInVT)?sVa1qBjhb5NY1#|uizdpaMh(A@V))lKVCVmP`d`3v;c=^co0~A+DYpRx} zLVbD7JWCXK1usbVg7fh0Sxp`7&9?8#C@93AYySm*KH{w~&lqRHzU$>QpB5>~g&S+U z_VSvvZri;%T#pOiV7|hC0mF>{-cjL)E@OAF-^zhsc074okKcMvHwdOZ_|o%L0p)XH zcpH^+U}*ETQ$1$bmUa$yC(ApBxsw&0V>rp3ukU)}wK8ZIe;KuVy!jfu6N?DFGla04 zuc?0;0tb|Y9U@svWj4c$dKewz_Ls+FG4S zfCLo@f8@Us@!uPUe}X~?A@lp5bKjdkN%+%lyW8E*=JUyYch0@%7|3-X72lpl zkI!MT)mI`OyeNYni~Vv+=?HlW>$q169e27&{QSjcK2|*cXY937@=(@!dszE^zWZWs zjbX4Q<|pK#JU=l{``c?7^ms7(F_R>}U|m6^1N4?wWIkoEO>fZ!Kr*Ebxdggx1 zsOu7=u2qJ%hsr+-U0-I@Mzk`eFTrtP`d*(Qv{FC~eMtsY(E3pMv=y7qhn%UulU<#; zzb^PI_V?FD{9k|n=li>hd2%So3_mNz9xW07YxQ@9(!)HX^ej2)&e&-u_i1UCyM5Pz zWw;61DG!1`)`V_+-53dm7{2EP8RQf-!Pg!TkPtSY4gNwhw7BRXa#m&=_ z!8C(hYHZWoW78Ifr~1$aa0-3oF_5oZ4qjfFm@bbw<9fjIn{)H?XOzdZ>4t`Mv@vrn zSeM_2HYDXSNs5{#kAbvh&g?kLW8y`KFNhB)k0GIq$X3N`!*r|-XOYKHQS~Uwp!VtV z7^4>Wm{tFJT2cMvG5VML%VP|EILTuKdypoN$)M|W7h)Q#M_eB4ZO+(V1Jd)qWPfEI zMO`qo&zw&7S5m{6)?d1%Es*D9tKS7%2JA0ntA{}@vQ@FJbUJjUXX!60svboNZO7U{ z)L#*kkL71ZEvUcFZRbl_=*xdje>vfSH1vn1APi7+*If)d?7@(ukb~YN)VJR~qXkzl zLJta`m!!uCzRH3dvfw7E3#q^9JSXm_-8glmZ$s8?%D9acAvZf1IJ-QB&VOoWlc$i+ zKH*;=Lm_I2NDbTH?_f%1-q+~N%jjaV_oALLECmpMfqfw&vXcEEBJzsi1M$^U5nu$p zcSg%R{oVTI#=Ge<(=*!S>E+`sDnBJxdzg3H=zSTr5I!0aNtQj6YdstG4XN?echVZI zsTZxGBS$x;WT`y9(QjrGOg#X!LoUYp6`wK`lx2R(>&!IPbc+-vl4vK2G%S z0+O$#1TGj4{Ry-oUt{^~x#TV7eOGZ~Fr1k_%Q-X{lJfG+DS5du(+tc4?R~5tXlTys!eSEdoDU5!%B>gW8k9h465|1S5gHH4-CX~=8MVgq95o`^(0@D_ z^nB$pq5uX>*MAMjuYXXG+3os{kLf$fW6mI78<4)^X4mtP$NU-n{VQxK|F6IQ68(J) zyWBqOc)CBt1CZCy`Tf58@iX=JUvYnS8r)(=pR+z?D`^riah4k%2467T93?E>$9_7D?1G8elbXukfqnB51mfOi zsp+ci06c(zjsTNaont!yxM^n!aC8p_9HM}iM$6u&fZjx3bLXOAfV4i zQRrA$tH&NiU;qvt1Yq2u6kr`rWX4V*Fe)~Kjw1h@k0OgQ9zF@cKO?Xm7l5)(02&Y& zh5mgEfK3Ptz|)5TcnyJZzS;6Q0Obe>KovXP4S=0)u4B!E)b#830r&uc@ydue03HMe z;3}Lcj6H_HDC1>1P}fBV>V)=!=a!*YU1I1}lbqnW=9Zy36&hKZTR3IdfN6#O%&VWV zf|*T7Nmc!h@JB14#{5bOIv?%3C+cHgfb|gcw2Jtpf~0~9{8EO3`hpZwr|Un+9ynb; zMeJ4bzH^p;*FuCb@chcqPiHdF+jxHU(MK-pA^9%R(;mBsywFoAA}f2U5y_;de}aBm zlnebdm3uCFs(%yuY5Hc0k0$wMY&0qkM^|G1k~{%mNTy+Zu}#}|c^W6%iz3AKhOBnj ziIOlI7{K3V0`BuplfD=pu!X^H#{P!iPxlXw1gEJ(a@jUi9{kTVCf0NuBrSETygIhvOow5lr_D}U<|CH*NjQve==Jl_eQR{*D z*~}UZyuVpMcHFQR(RVb4f9TBp4Ow;Lf;O2pycflAErQtYGC*p41;2T}OEOA2#u35r z(Ak+j@+Ztc?JWMF2hvBJgWnaq-2xiZ>C2%pAkMtO$>j}Bx;k062Qnl-24;ctnQ_`x z%#M>D*%zOMa6x?D02t?dkU&ws^OHcKEJ&bmXb*Qq`ssYecMJ_OpUO1qg7T7eFzR)- z?-R|n@_8*|zcTxnY;0C2s#Ds%NlJT|r*u-vOqM`ocS5_AO#1oP(Knu_J}FZs^(gOI zlJwTF&!u_;VK_o5A}?%xUPM-IeG!pNdds`n1?Oe2FUke~O68u5-s;~3|4QHN%fCWy zA^2CluJ9`%s(AkVt6m$?%5?sf68iJ63{9=Cx097OJdNn~Aus4gMlc`Zqgaf)=b~G=!ddNza;28=D#>~pNlWzbPmz?^Eq`-dFcC? z?^0t8R63R087kPN&( z&m6N~X8P1`J=2l-w=0i{J#8pJbdJzuaD=1*5fh)CSwZWOX`ccoDv*Ejd9dX6EzQ50 z!4Ia}JAq#G*MIQIKi$7JX+H!%n06e@AQ)%fAV`@61KN)>+lS9Qg?R`Aapnh4VUEK< zd_aDX^1(u!>BV_jh@&i6h=X1j_rqk;3uCWB^unma+4w=@`^5VTe$e3eXKw*NsGr|N z)bOWfXfk57rxbLeZgD&!V)`XD`hIqav7b%uPKYNun+=S<6RsCKVd7c(%UfR+Cx!dT z2k4^)*NXFox7%YCx&R}|OZ^3jPD);}?7Zm>>jlLGXiAVQ#bB=tg}t!A)t=8!+exo9 zh*RpoWTt%%?5!^!hxHWmBxQe}Iv*?SxBAYHe)5gf{NVLe=^5A;L3c4cq-+(YToPN{g4GFkq=gV6o@xJ=gsX_Cu+b%cnn5vlH zs|ek1`0J1OJK-O~Xz%&6T-H#S6c0~ar}>Fp_B{irc@v4`E8z&*rH8{DPp>&e#Dz}@t%?FQY(FY7i0 zv$v5Ugl`-5-GXhU18napTfN9uwRH!wP2Y;6NJ*za)GtTzy9-Y~Z$w4aqbRZajAq(P z=(Rv8#@Ew|>dW{VU-p!3gtw=p&p4bn^7O3s6mNpvNv~YoBIn^QX~b|2)LnM6?)_H5 zCDuI`$GS`Huhdp9&4JPDu+|20{*sGW-Xe<06n#!aaUu4wpTT82poNIe`i!GRi2f?X zc}ozz>JJ<(Mf4YR5u_rIM>PMd9JM1lLPTXmFTRhV(-8foi=)+ucHGX`gon&|3Q!Y#BL@X3`*-i^nL*bv!EX> z7Q~o-v@rc>VfxWx2Q*1PS}O4?Nk3Yu@r&t4OATV6A0QU~R;C~8eWjkzs22PL{dj+{ zEyDg$;Nhk!n+9qNInyb~*53jJiPqt0UHT0HxRK_~3h*t3Y4yE*=%~$Z(2ok-T6e5z zy|3C6bd4tyn=ui#r@1X?Zl8L&`3=nfw+(X|@RJdLy*+E;4Rqhei4N2Vmk9uGrzW{i zY_Y9R75~UmPw}X?*~Jp>U57WF1&904qqO@>{RgI1DC?AW_>$+-{_a7(!8nOpH{Bh2 zW<0Lf)xP1QOYCe{TRkCbw%fl3Cs08oHlXJ#%07F_jR7|P_H1@W{_&510Z_!tNspe$C zdC8(RR7ToI_>lE{z;OF^IgS)A98dgQlLCl#9 zWZ@^SJZ7xy6lfz)OfOR|)4T2n2?9~XXtThOib5^>3j!3E-SJl!h4#~2ZHZXWTN4hpV|Grv0|FMRjBXE@z zXB@G_N~9S@;Zi#hS#E7d#2sARfUH#H4*dKh;#sj-@T-M>3r$V$H!)L#ls*ONXtY_I zQA3>pB$)l3z5Xr;ey%_Pf)vQ1DWYR80H}hzk&{%9t}k|4Eslozk}Rp|OJFi%-v=09 z8;!3SVBUu&^E+vaXn3OEv zB|M@O!XlTVN0JCmqFi)>?O@CT5ffVaRd+gGMO*&~rNnSMc|y7;B8_N>P}w6IsJHQ0 zAs*Be{A%Eby+#^guf~5R{_XfjyX{5z=XSR>bRZY~;j=$Pv9FgRuHD%TwuA<62*2D) z8-L7xnf{hXS&;0RzoQI6uf-j_r^r3QTUh7CWOK`#G<3lqi;yTwmG0i>vQGMxPwRpU51+~Ew&h+3nGSZ`fheBu3Wb=r;v(`o83WIF1V<6x8G$k#jgQc zUc8CX0-*{m3=TXTtBLT(wn7m1h@;I_Vlsi0X%8;xfhdogLD%7tgRR&3lek#~H!@*4 znr%6R1DU}-re%=tJ~{evE{N1KCioBVA2ijDl!K+Rvf%A5EU$?_ zLI_EoA)=p9p1MJDUN7Z=nJku0-^R2&$Kxy8?737C+wu4{0@I-Zw1vqMl%Gy;V;|>=KZb*_ECv{^$ z2Pep(uihI1rx?0u@?$*-&4;hZ!TGt`-bO@}z1ns>V-7>Okt1n~Rl(uQYYb2A*KwG$z7G9WP>@-HLgJ`?j^?0b=c(Rt(m|T1@{@NI&-IKZ@wb zM*Rl{;bE->KhRZ-oA2_CIZi7!W(%xEK+0^akd5q2J#-tWD;S^IR%}M9tkoDKxUfj@ zZZs9Exq!8VB~$=%J8Yg2sU%r*^bjUC{Co#dD5jBhn)ZxK%xiM9N8o85n#~SnUaq6f zu1{}|wNh#KcVc>jA8nw5vA)-MFcoClWc%M2+t>I7atIR@zNLNBWQ@h=zFcY5jqva5 z*D$%=LDa|Bg^AmiSk06BIL%FI)m@nXM=48`vs9&L*&JWV)J31*@oS+49~94lAw7MZ ztebq7G)3x0if@6X&FgRn(QVF?T{sU79t7C4XGx7WQR_lMT7%95cN-}iqfEygnv;P$ zJK;{&9JdPGeV>b60Bitv_P)5AmcpHyjyo`>1LE%Cza;K}gIKwlT8)|wh{ekDz#_&4 zCI-meer>~Rr+FPXf?41R-8LTO7O3Ep1MNUq0nMjEXK-?^Q;9}Tj&>GDJ<7VK;|nj7 zgEz^cTX8Mwf)ic9?K)42HG=Ic`N07v4YCEbzPl z-=r}*97oqzZaX zPal!|6mjHeRPs|xU9O7O-ZbqJ7_fP%r=GJ~`~k@+ay!!pPyl z2THNj(1*}yVg{6$re4&WAeseoeK)v+%?rN{jy#wJ0oDX`L7m$jyf}CP)~HwxiqIA= z%*nbsA!Q|Qej+O?yRJ%`0RX7kfk^|9^f8zxG4hcMlIwe#oHRB80?%y3^EYj#Z2~bb z*u_I!c`d}1$76$dY7P5wW^q6tR*37UxF}^{rwq9L@H@C}px3x=K>6JN5$I7Ozjh?8 z12!SZgj4TW1-*l-KyZa+DupBwB)IB8#MuRQLP#RISQ632l8CMhNkmsA@+2h@T}eqq zR}J90By$}k5wuEO3+@ZFX`Mxmel*yYz$XU275DT2w-mk|&y|Oc>qtp0n~r;w(=-4| zeef$zYbp+UjI5x+;k%0nQz;e~o*~6p>}Z0xu$rM)7SaqkN;9O_7lVjQc?KKM)3Gm! zJw@3q8C^D;aeO^c6|cs$LB{w4N=2@1J*HDWP54rsf+J;u2P5N3EEVkhg~xlT_Wn59 z)E?(e?K3t-pKi$pxNi3@VFX#K6blov)?f5FL3<4^afOHfD-|wdt7;*5-BOO$h)VSz4*RLdl`8j-;`sv}sF`Yg+6V z0P6C=<(xij3p{BE`Cu88%es7U_!AsO<%WHLo9K1<;PduD6vdWw*fWzkT8ikiQ#eXO z!C&CU5oE9<+B21-m57eGgQGQwF0SGz$^34cOP?@gejA?RUjeFYXjpg{)j6<2{2Bq9 zN&I?I{F(u07WnlNenGC66p&VGThYL@_OAF2wYLpGy}hq;`mle0oW2AmX4pxNu{?Ak zBSEJ29)s3FZ?E?69HsVtYc)ryz2AG4qtxE!bsVMkPTaszYVXT%2agh{z3W7j+Pj;h zMtg6rO>gf{^3&T}ELyL(H+wr3JV1LtLj%*=`_i|my`KQ6w|5Vx4{QCV(cZjNd!G|g zYVQE97WrHn}DzCrvHdRcN*nwMD>FEsNaSx*C%# z>t4uvgRVl{TRxm5yOM3aZ8PhGIJH&3vi#eiq1|$HKW(F+4(b?C9rPsmIfc{d6#3Nm z4@5=(;`*SLls<@L`z?L+K{p)%!DW5WO*-X0gFfgD@^#-=A5$y{JEg^c z56IL|ezvFVq_kMU4?3PnKIAst9?Hl5jvQBH`^J)}*BzQzNNj6`soNI8ZnR)fpg^Kc zs*s;CWhFH3E+w zgV4>}%dy_v*swYjKIjP~Y2mfz_PJ#En|a>SuT9nn}eg!!FrD2~=s zC#T)7d;1Y|^2Luxb8s1OH57t1yKg^=;PPV>JR;44Ua4k1fz}gfJwT7XiLF<@gje3c zEB(`Fb>NlF^vY&>Wi!3939nR1N3doVp%I<#vh{U-2;-&38`wTIQYba9}; zMnffp#k3Qi@pK`C|HMFPkL<^OY{qT)J*Cu*)48;LKMpZ;E>IpDbFhb$)r~+l$k_}p zzr~voeX_=Kki$5i;6ETk=UB)(#~-7ogwD~Du5(P+&$GU97&kV7Sc41UMdIkdxd(jr@wk}pR9cHnv6zk!CEXj z{x!0pZw$pFLLMdmIsG}X{`k!Oc^>*>bN}9qu>P25BW~(CPyI2FUO;$57Xka!Go%JK z6u5|{tB+Y}hb*|BOSr4l)yLe?dOxQ6kgi2x_3=qO2UZ^s)Sq*#RG&`#b3an|#t8!I z6i40aY4~AKr24bxjOyZ4fBxagGxev?8Zl9k>Km;M=>119UaU17R&!V>w+S@>5@A8$ z!fd8Rg1P`gI~!b3L;u5bGfH~H^!W_^;V$S8cMV`a;8yk-?`%%`L)7gDcEWyO*O}}G z$UV8}f8l-__ivH?K>z+|NUJ(ht@G0)VFsBI6&lfv0GUOHI{SHtj{H zq^5fi!R_^YFM&Q1ge8d>6LM%Cl=`O(rM^tsp*Rg=Ww-4A0HV0v*hnY07fXq>oi@VS%kMCxoiVI zTA|naHZugc^L4_1qB5SccByG1R{8rMV1uewQ{Bt){jiVF*K6ji-;O=A4{Ld{^%xJt zA3Cb;Br-40cnEylsl2D>dV-IZI?ABxsCyKABlPo4yL}K)6}(IIz>OU{&d@pS`BbRGTk{WT@zNK;JR+n0KSpN=%<7w$NV1%VM)5x*Ea{0 zl5~Tzb^zDTZgjJdl5}%Fc9#M=v)c}6(q5yx62FpCl5P-4VXx6$gII=?WVi3jkdkx@ zDai+rk{I{d+;Rk2nZLh9f2T+;J2jA`WFYc^dwNeHnJ-_>_E7`hKLb)kHiaE^d+Gj)rie#*Q*5#=m~{tZ7Xwjv zkOp3#d{1JReL{{N#x5IjxNiSGOupXy+9KXiA4j-8M*4iiwiEUtiP+N!=>7=##NJf4 zbZP{F8sY!5T%d#}D7>)i6O=u}PycK@P0-I|K$8>nvuXI1oS>i0!Y?+c`fMIzm^+YJ z`rFKPKgZVC_a#iw&j2cfMuaCQe{aC~**(Dg+(7g5^7IT<~rd4E%TCfcDO``GQja^Yi6C)YPN2CfCuwrTIcD>0foeOs8|c z$K$pQXk`&lM z;9{sfV$adq(^us|_yEVXEU^@+nC%_(t1&?n55J=HYe|A6jucy-i0H8w5*;FkpdnmB zr+^4L!lfJ$kTs$d5;_TbLI&PYi!3Gs?=L}UlaLp!TYc z-B)JN6Zgi*Zw46VNYUK!^R%^#n?48f)g8o;R;x2hn+X`gme%fuwv#7sD zC;79{qKjK0f88-ae{Gb@-tN<1^3Ye0QghG?SU*2Se~}AlbV?hPkQ?VsB3l43NeQj? zX0q+`UG1K659HmOeJ~@!nu$YQNIkCI@Nk;AI}V$W_+Vz?z#~@*_H7{hmO|W$Aj3Mf zkWFZN$>eHGqm|YZdPel;OZsz#{#>d*8}w(5{;bxYmHN}JKTGvzk^Z#cNdkgSJn4_` zP9RutvR#I;UkS*bWEmt`rdlM+*NY^}eXt)}ZY?A*Yy`>Ag#@F)E-DUIgc`s4Yyc(E z+co_5WErnd!|Su~`aEgOay~sRjakOd|D-WXtk79;D@*Z|gU`}1q1R~>fpVp0vaSf8f53lM{N|MW6Bf|0RC_G4 z18_N1UzvRBo+s@VT;ys2LGud->Bo*+qKD|Pzh+d$OnE|yXrw4ci939 zREzesZe=13hC)$Ue~``D9i&4@gnkY345ZC*qqLz%(Ujlze0Qkbg2;9 z(iIqFm0PN38Ngvt|6<)E{yQ}X}POy#e|=qq$Qwsyl?Z@qQ%4fuO{cf7=y z56q?XD&SVSwJbD7*_Dy=W%rDy3PTmyN_$irB9|S(R=`|4f>fI@0Wi19TQum|VSy51 zP^e;%@8K%z{vfIy;jok@L>Bc9{@84ejDg5V0ctHXPxZVO zSnI)1Z+nGly*uw@MP9r6#3s_r5Jwz()yktNwA@P549bmoG0RuTR^Pp-l?T(JHhQ@I z-9=L4I27$cH`&0AwI)2pZ_2R7m&rVT3oWwf__&Yw{nQZ~ioHpy4W}*LpD@GJ@D+UXcoyxNj6QgYreI|5QB0aTwQL*B4u`$ZLj-1MvEKb=BwyD#@Ow0 z@mdVNt)=ebJ?^{%7^Yhx?GQ(nI;nC)p}HY$!grsQbS^TMdy7 z_d_#L(JT2|y^>!}Uy(pMW^cziPMF{0`gpncJvk5iTZ-xx-b)p}02L;yRqz|<#3$Gh zUcgb!<=a=_B}Dq(cX{TD8#z&T8lVP(|3%bYYCH%t-#+!%`GsOg-Bxam&`ZVd%6YJL z)PLy>*%o^l?=FSKml+mcZLoVK8wi-Gfpoy~(k_+2B0?(hSP{eiUMiW+#>x+s!T|Z6 zA_QIw0-PDBvd&{lk6lcOtT^obNd3Ja_jkZt*bQ@G*wP8gj@(6*8`zjk-8q$d^Xsz^ z+(%t?FGgMc9YqM-76hi)EvO*q)Z;XRF*xg+sbw6YY08lmMues*LmKpmtA>8MsyVFW z(9U5gheaG(D9mxUH4~!g51bP%sA-%N`kU^}3f@EPer~LxE0M^Mm*kG6Nr;y5Aq8HC zAvrm%ufq{cWLk$`(w{5z=TiOIpg(K$XSM#U)Sq_!S*kya^ruCCX5mR>rvp#=^Mqcp z?jV@H4)cQBe;pRo7UrrFB@Wze}vN{!%N8@Jw5W zX?c|_ybMbgUWFwKFT#?A*I?oZXyql2fEHfj2x#4^yf4@sq0EmzR`81h{G=0&P)*EIC7DLf0}j{nt+yvN|_I$DiI&VPw+wf z#LeG$x`WLI8?_og@s3NTB5+*9a?dO(VjkiBMS2Bzf1aOUeE12z2Tv5yff`XIvf!2x z?=&yPZ#=^*#PbI)iRVuucv6jy;5DjICqI{1JNOCy6Hn^KT$IDz=z$MsJElzhmJ|u2 zC95w#McC2%^OH|tnhP`mbWe= zFZXhAiB-m6rtBv`s4|Ma71_&e2`sQ?|Jp>^TB#Xkb6HCKcf@nc(rQqgc?xUuK^yvjCmkt0l7L&jTALKJ*Sd`CjW{j3| z81*9r>JXZ(w4&D-D>_bq{0S>M3^yrvpG9Is1_KcLA(T?dRuSIE+;K*{|GIAzop`gv6U zfg(3-_OT^w@Ic7n2+3w;L-gPfTjckY(^K|N?J&3-jbRfA>AQbl5pra64n4_?Bn{go zf2Sp{1Brvg>zn_O_WCH~iAO)k_J5F@w*z@h=>_Oz5AyFb=XH>ceQXG<*2*^3O873e zlTm!y1ka{}@;YGl<|}gG07H5XWn4T;2C!v>qH;Cu0 zHTZFBH3gLv*eM{!_SPZ_h_M|aw=GU0RUB298pq@k^;%#JK>yCBi-SXxA?e#y+~q$p zsd#%Hj+u2~kt7$ZrZzHk0*aSH0}e_@C$_NlK7pIZAW4!#i>XSoLbJN@Z4q}`yKuGu zw9;vPUJg0m=GYM#%69^3Y?z0$@XFin6Yr4`eS;@7*@E3Skt92In=tTOB%~dSTEzbI zZTb_5PA(6UFClD(Lx zxNB-~)O#{s$ZMUdjCyZs(76lt27pd~4?=nYMid9t2YJeN*1Zv*XUI1mfysbyX-PY| zjbcBXZeK_H;m8r}4d#rBV0U6&hhX+P%UQO=l%*b7VBLV-a7*2*9;L%w_J-7SCCPi} zK%2vV$~^ar+h84;|WJ<>q(ungOD=X9dz!I(JDDO`#o$? zftIzhLQ$|xu*1Mk-&1x>YJ7w6l2qvRAdHwWtcnPS0;RZzkuhij{DR?EBWI(G` z*A{!0@q14E06i_dA8(-@+{|?ppS=z`xHF3jC=U=c%|Or}Ah=)zT?hoFsxIsk2~`lQ zW26k`@mprLO8!+estsHTIIz_v`G1UrB*seI!NxuG5+iNpd;GqRH~m*8>PGk3O+!A7 zO>~PW0w`R*P81=qsQ*HS=lL6)fuaUFm#^brI!1pRi{NnVdEj#ye-LO~-m(IvA@Tx$ z7m<~$SvU)Bjhyu&r-5O}3mC(VH=_!%cd=qXz+XtB466-(=ID6XQaX(lh|z)748WxT zIF-FDlyX7p52=+frB=4Eg+*6>>TTUk#zB()$LFV;R5OU^2O3dzi1f7`h&d0Du9h8S z9HOoN^h4PD&w1exZCa3!l<^-TJOYrE@gI6o09eLtx2jhr9k&}68%N9OWa@Xo za=C+cxX~dyxD}XLAgp6{8}~hr>XI*?PX3xlB`;`)y~1wy47(k6?$UD_YQ?v4LrKsA z&CMHfw0jbau%K8+|KvdLLhVyFq6dgX8CFemK%%vje;iyDZ$drNtQVlt!1x6|J$qIl ztlIMuVR%mj;mkc)%GgvCy-?5T^+*Sd#Cx59alU%w19J{x2W|#hLFZB?;%|2HnxUcZ^|POl~s?j&_u?Q@JC4!26jhjR0RbktB_XQ89$$4pRqz* zma`3Xe1n{K8bp5^hM;br0gX^m8XsocP5mS_Rbh_D<{+>oP#K{LkN?XfOEctE<1Zr& zzC*_|aW0U&42{=LeOWlYFq1CI^7|b;IuB`ET{&6)Qx{0juE0XSTHm&`LhE=Hd@=B* zPjc-rZq24GgfJTaSbKABA`yBVwoigTWPJjA#QirUU^7&AP{y7(LVbxXoOo-Wc2PN& zN(jM8BqUT2q#~&oWu=A}{L7HN5h*&fhttceK`m3|b!%&#*bU)3vYFrza-muLYPa^U zdQuUTEtEu6(UZbRqBeCQi9x7%w|4SLZjrE`GQj(^eE=uh(?JK4)7n$6f8<3R<<0p1 zKJ8jPsUf$|_xEX%o-{2_Bqg!2Py1|&Xi(_|B8eKzb=jxw)RS_DiX>{Yp7ffY)Tt*? zoAsohA&D@)I$sCTK~HTMHL5jjQRdu?@1r%GB>HbDon=b4w_CeQ|IjQt)0K(uoAe|* zZLl-(Jz7sHw1}i+d%HEWoPg2PqRG{liX`e!krdm986!g&!y`O2lV=o5 zIQMCG*u!{`lpNtuZS42J`tlbjE_1fg+2s**k_~evg=)$>U;lIp%XG;0|LM>af;~#i zqr^227riotUdURzwN-Rz3`Hj~%hf2-3rQlCybNg<=+GoS0o|#62CEn(OUJSBo;Y|TA{tDCnd4SNz@cAge0N>$yoskuwOetCn)i88ug6!eLVKH zhxCGI)a!6Gz^y}Rz#F**nbE$iC((cxNz{r$9ZF+8^#XN+c6yTdGL7|A61QTXoyV_iGMr(p)Z?Kgn#JEvgI~^2XfJ0>;szGaBYE8`ky*pqcylf`pxI==%K3|p(ijP z`FQ;&`oVV+=RqF$7QF+`zFJmLHl%<>h_wiSOM;-=i$BvG7>u zk+-M-J}X(EnW5*1DKaumL*`j{2}-|4cJw4GevwUhj3Q@K5q@nMi;L*>PJZ1lS{+=$ zzy3~O}h8gO}ipZgEgrf6ql=zDGj`j z7%wfcjz@k%L~H-|Uc!6mDlj$V?h82VC0os+_$8?UuoNr0v+Q%pPcFFlN^v;&*`*zS z3}iupZ~sFA+d&=M!hl$>94Mexflr8xAbT>hv5@v_>4j0YFZOAHVicaLKlv+6R)F3) zIsqKs0|}H*D%cJEOE=(anw7>T8b`UH=@67bFsd{&!?DR^lLJ5qoRFg{kzB3x{#6y^nG|>i}km>xZ|G@ZiWvyFz z%b1Dsj5#=nK**r^c)gX5wVGeoc~y9XJ$#i@(O{rPbq`*!=DFsCoSP-OBl8PC#-~<+1#*47VmFKeDOs*$nx5%MN2p#85lS4H)50;2u zvlOyIs;hBoU{Ra+#R3htKQUTrdfe!-=(1m9eKFW$b3) z>{E~{3Mite<)DhP)9La=)PO`hV%JJB-NYth$RGO36LCay&g@nTHifj$r2Tha^BOCi z;zSl9%vnS7#E&Y<4oFQSG5HxE*D^kIQDUj&{{dl~`^0pF`wzmg5{U;3$yhhSSrlVv zbVU%ty9$ULg0ow(yL{J^hs_|O$RPVSkf@cUkU-K`v6JNeHHtk%_yH}80%8PUUe zfFE6)$oT0b{4_S;lQ9dBRNi!uXq823v|_LY^Q|z@hp)7g5Jp1|v59dAlTe;jQ$yqS z!-Cfia!YqYEdC{M$wOa=8AJbOr1-y!6!M>TgpL@~fV&!(vGFCQ9=`wSDCg9-?8bej zZ{xh2CN(Zc@j5;m^;dw>SM^sm$|U0#WnpbRM$0cF_tm51zLLZNA_FDB(iABEyzaL# z7cUWzd40@2m1zu$lW>L%NGt`?mvvLc5n0|%rYDG; z&+T0pwRA3)x`~ggVkGk+X5%K|)Gfu!x~q-yYY@RZI4HXthh+KPZFthVdok#jo$0P( zm}-cFFt<~Ejl0E?cNM>2v|uH-03{moo4x`UqhyWC9Pg{V5DSqAe z;#mDVAoLh4Y_E4XR!>3?xW{z3iz9OJCJ#-9H{?zGVS^}}Ho@RfR&r!zc$)u(6hB$6 zL~$10p__27cWl|`_IE+7^(&M(C1k!3gtf;N8h4=s_T1&lTfu9c#h+KqSnt@>OZ?}F zy?+4ivf^pJqj@|zmG>Q6K61icYsfqrbKk_`GRSCr)5>iJ?HHzY`OxKj(U8X|F=x{| zzKay?I()7oH0n|Sia)I=Yn3LqkJ%9LT$$K(+Jl3D?oj?HUeP>dJ8FOA365=XZ#n4j ze`Jb>((u$rzV!UnM3Ue1z<7kmtpf8D)SA|7s0Lw@MmixsTu>|?MZEJGoHm5ZkLlKu zr?2vW&$Y{;MymzfK5gPEX?G8mKAaODr={g-d3DEwljr9hyc+YgbuM|Fd-3=nSV|_H z_mu-bj@6_N(S9{92Ptsn81qmukDVF;I-tD-s2iRu9y=AGP0v5^&$f!D<5Hs=*_aKr zBf@p@C`ZW3c04b5<;sV`(;UgZbCDgzRRkTmM0AUS7XQA{?io*lP5%T(n|_BiHYlwcD>lb_y!TG%32(>pZ?o^L>NNX`5_Wg};= z{Ddn~e!|r&p6*}+uk-janURt9tbu41McBa)MV7ACAk$!wOI%rEQZT58pkt>NEv3El zN^2JOehg=^2ul-wjwE_@hmpjua8giz>m`yLQfaBTYV@}P=;73d_^rG2x2iF)`n+`$ zC%s}FkKMGM#IIaMrO|MrVJ3SZldUA9=@RHN$g+Ey)JS`|3gu(yWnup834(ixT}S9i zD*Ld$Ry@{4gPGnOk7a8D4Ofd>H%||~BIaMH02^n|5c^ccGXc9m^AK$KhQK(#Y6y0R z(}$E!hBx5}6jn_rLg<-bL1>#J^U9YK2`u#! zu++aq;{@o&9*PGG9bI)R2ej{Uma)jPmMjvDZsa0J680q0^-ol%#tpgsBYH)((QZ!_ zF+OAbKwzY2xh_?TB{h!HOM$y(a)zwnD_Q9;$I*pq1(U)lOpy51%XnA)pT1!NZ zhY(J$NR7_{Q{WRLP-8MR4i>b6P6_IS{e~`|2NP~Oic?I(`2Y*kr`{n_<3EFyvK=QH zH5|0JI5p&y?Sejivs2mb|3uKI(_^|Ffd#`(ZR&Qpxuk0uEcY%E58H*bDhT zHpQ2b$niz$KMZBNJ5GUZa_*C`w@}ic*-0T9%uMio*D&pSd+&C(`Fu!U2>^v&u|F6Okq6BO1 z&Ov|nw~>d#eRe0fvj=naVElUK2m5sHAIGG3F1-QQ|8m*8Qsd9?mi!pg438<|kX|zn zfk{*+O@#o408NDrys~722TKlxs$9FQEMwGQ9m&PwkW1@GF0CWEY@bYXd7x>qESCl_ zoIPV2ICE)P$)#l_mzI^>c|cwNp}#DbsJ&bHfid)Rsc;(lxhq6uS?)_BvOG6Jk+Tf_ z#(l)*L-4o)8UL2MHFh^DnxxOhRQzAl7y8s&XyIwcmpUC6{soT5iZJk$7QWQ!zVrj9 zN-vzvVY85*aop68j!btaz{gE7I+pEu5h>VGcHl?j9^yLjgU^@lX~z$ulzWItK;(rz znn-3L48PnZ07=`EJ+v~Q0Jc5ZQz(AGh{QNwN=`Yx3de1GX=ekU&4X>bQ_CgouLn9` zDwn-Cfc**11Gn%3?z_}jpXH&iY^CNH`v1dpu52t;XLry6*BW%YaK`fCTItWUNHyNvZI|0-mAV%+t22RdU*$`%8D zZ+BCb6x{E$4<2=Pk!xC=pFn$;^iYKfmpz1gM3(pHcz>aX@Q(d?JMI2K(~P|JBCn7I zutkdTPQ7>s$i*7oGN|q!$<|_Q|IeJcP?)zdQl-YvPW7`llZ#(@OW;?ya5x;>h)irm zQTLLkovl?zW~5yheZIX}gm2PS~fO&}Mug2TWu_ zyB|*|1>k1v>J0S_L^H!a8kBY~j{`+GR#RcxNW2sOeQE%*|Eask1J$AfRR0R)?FtBn zls9pXp3m$!p|S)cZKnVX1}QWVSfnw~Ti^zSYP^G<{zUs35JUX@kMY|RTxsp3CmpXR zISKaI7*+4V!X;5Dv=^i@tN}DpS;QG=w`U1XGY4zNY74J|V=JViu?cPW1AJM8L*&xm z0_igfLLQtTF^Ykf#g`M5%?_m^OB9LnzKrtXLmh49s1iC4GUO2L^YO(}?GpMHYDl($ zJ~&*0#3^B6O|no2Bd1KzO6_2=$XT7tIV~e6H9%|EGeJqN7gwlfBC$Sf`ytNwgBfKYtdTFvtl1Fh>T+kZhgy;wtG{>$Y{6lk`Be%J#@nTlS3t2bz`J3M7 zFTKCB&}C$I&K{@8BWcrmT<7MIoJT;j>hj!lMf0uL(ZD59iKncq_M4uv+Faik9l?cT zwGWGc4eD<@?~ZVOcfLh?13-`RIE>0_p`Lmiy?)q{xEuTYDHP?CKi%AKQ-B6ob{ytz z!wo7wD&5mgr)bfU9VB6++{6HT|fn1c%Ms zJaq+KP4%>lRPEk-nF8Tb1qjP2KcpKxit!Wik9iPhLyYYk!jxw?6-0Dw6$;@x#q%6( z*xjOW5hyzBY3*1_{(v#{JfWvC0_sb(X1s%;z~l%*!})?5VS9EfZEuHoLbWnu{~?i& zi4o-!v?!Sm5Q{cJj`205xJa!@0-}|MsslaT-jof`nbg^yds0 zQQ51hP3Z`S{{gZT{(FG?Htg4<&aYvMMZU8(>|v4T91YWMq-?1Mj>S*N!*YUlb8C`c zzKh*+vp;5kTM2}4CE8>6U~nEp6=V}D8kUg(44$S`qr0%d;bG9X{=~gr zgM~pK31?l2Z6vHF8=#1M)W|gQHM-GMfVw+|7n(y&?1Gj4N#5qOmKW z9V<}43&D>Q4rvU53w>I!j%)2$62<0h5@7xhBDk&+SC%QepofF022N;EuA`UcWI^f# zfCE?i!l&mtXMSM=t}Yor_qyMcno}P0hEJmP4R|TU8uun%z!zA7Nd zir&&TAVzh=Q5fX}%-uugcLee_5%Nqf%Ls2l&^3*@h(^j7$}g1j;8OCWy>=8f^h2oK zFg6F`w6%p`089@~i;<~CMd*=2#~spMwsuS~%!qQNd|uZx=NqSof%x;;A*vx3#t^;Q!x|Bf^@ub0jeKYD+qprLGx(&L+e^CUE@$xKa^+OH?St~- zV+b9l)^gJpCsMXLqOIA%+s&9c5nRjWv~@X)cOZ0_-g21MIHGHEa1$gF4>%Qok2s4v z5jsp89i}!%v~6hc_IxD1irY(_wjIvmE`$!#+d!uyx^AR1c&i1hq0`psEJn$l<)&6A zMn7`2imw*n-PLFMY9SIoJkwW4ArUrf1AR4kcac*$>9oBMEj~hrX^X@3CVkHtyxr^p+FF>_JnV%DdE5r|olR@ka>3UZbKN)JW4|Y9~BQIc@Jci%%mA-Z~bE z8a2{%h})?E{1J>35C(5ArO%n-{6*!M({{>Pyc=O~;W&q>2R+v5Fzw-wDF7dH7Jq;c zzAjNDFplr-rSFw1AC=qQEiXQeF!;nod7c zhu?noKJjJljXbSfK`Eb?o7QlaHI7AVM3yy!347=k%JNZp@w*PwcFxk~Skxx6wB=Ff zVKh*d)8)kg6o!9A~Z%Ncw?t)0^k45~%Zs=Yc2`hkfUQ^0Sv6qmoE->#H_*9v z0F0q;^wB^A7Q(lAHGF#4zX&LDEyGrH(~W@kTT|+iBgSY;xK#@7Fs+W|L!4L?q!e**+pa?ezHw%w9{yThZvy>?&)g zQ;9fj?Y8#NSj(cdT(PzI4v3x7j_fwgX=>N&i&pGV_S@dDwcHxA4$@IYSVHbKN{ekj z;VCrn0?aHbht%g?G|96urD3gvMuH@T#*NY2NxHHl*(UT1zW421XZDk3XZAPp!3o&4#;J`aBDS<9cuZ{3d< z(pe`5KGSCrHdwP#$~qvwm5-PH2l88YN$1UPU5l*g{MKc^9{lI?Tkrmgy7Juo)^CUZ zMft576qn9C-HmGW>1u=DDo56V_^mJCmA?SLrO&68gQ1h4^TcWVm;V54lfZtx0Nzc= zXkpVw(o8b%Bkrt_?2*7~M-OLDmR6Z3IhD`t4Ikwwv4&4`q*d#|eH2JPYnQ$kiFD=! zoK{?D?6l636$o;%CmBf+*9&zd?5x0Y4Z={ZEy2e~{#iIhTIIZ%HY^3wzqd=Ps;n3K z_cbW7E&KCYrUa^PMkX>cgcnv%*-@#f4x0n)ElSczg=kNGpTC?we^Q^nNqznVKKQ}} zyHk0yLRsg~#h0g{?1z-kZ1pH@bU&8zMgop?=$3hhI=nQBljEz_OXX2C+~Nr2gEzwo z1uffgye&s+qzyc@J!Z3TCMm7*m|-FQ#CnRr!|oF>XRY2uKXCVxfDS{1?ytiCH+E49 zu00SbLlJ?tsQP_^USL4;5aCjgAGgaqyoFM8jno`OxHN(eF`$DH;gayq2b6;9iEm`5 z@;l9g@IyoISZ#-(ubO-p`SI9G^e@;Um(_kMVZTBhp@23_rOERoIPkcMrRhb5e#l zym<7G%XusTGjVs@oW015);zfhHQSBE-NSC=%yCqTGIEJ~j7%nEc;^wRwi}49-G$)O z7OGC?Bhph)-hH|s$%KT1sQU)0`+5ZIv>&C#-y&7X@OZuw;qIef*ft6g8@4YGr0-w+ z2MUGR8BHRRC&HCFqyX^9SP3!s2AnJN&9|lL=EQ!6gnni#_D5iubEW^7lK%)I`O>N> z!!eSE<0;`Ok(i0@BBwEj9etG*SF~XOWIL`mkEIpX5-^XEgBQrbufsn1PW%tWnVrBC zSf#FoXM@9a&&TItCX>IzKkIuw`d%ldsCk^UYG^6+tq^`s4&+}i2ZzhSyEDH@leD7j zMBOqVsxWPW_MtbGPz8~*c_rVow z5Ije~hY);-fDb14U;#H1+$`YP1kV=mK?ENp;3k5b0ME*X7|?wKY>$*2cMunK-%yU@ z{Ulx1fPo{xgat^!e~%2E zwI0)_9@9~rJ#t{(qI-$H*NSU0IR2^hy{MycN1a;KUbh&-A3~Z=oD=AzBLUIGNwh0t>a#3Po1E1~ou*p<*8MIkRK7>&R= z+7fyQB9!yX>Tk3AqjowdQuhR!>H|zHDDSm?`f6$0t%px5b<62gl8+gdFK^VMwff62} zqZhab<~1bH-}`d$r*8OPl3s{RqO%*YW3xp)@NX+CURm6Usq&Ba>Pt?+*{NP1Ou;DDlZ%A9{rV9LK zHOG#4l;#MhZjzO7JHw87l%J5+P_}K6m7nZj7_LJ8k4}zl_b9Jx9Q(|p{Nf15HhGkA z7hb*YTx<26jg6cA>UVFf04|vV0t3dTS0xn0uTcEnEs&{h0H96q5s;+UW zcS^uDCEy*Wx(2J>%7Cjf;2o^GE>gXB1YCCnycemit5xsU1Fo+JyjQEPud3cV1Fky* z-mj{za@AWEa8(7o<*I9l>a7mAssr93s_SCa`;CC>8v*ads_ToY_u+u+;ehvxs_RD8 zJ0swl5%Auqx^7jyGXt)f0q?D<>u%Ni{{pW67x3P#x^h%+O~6$X@aCwlOH}WZ0oRiO z?pTks=Dq|!~e_>4!!rO zu5YU0pEHC*?>AM~chvAN7{a0VJ8H9vpK6%qVW64AFhiPu#PEM%IEP_|xQ43Xml(*Q zcc|*RTn)d>5DvYUtFG(R@V_yHL+^E}Yl0g7cZP82ouImIQ^T(?ghTIbs_T9={9A@_ z=)GTcJ+6jVF@!_!Fw78Fz8a1&kV9|2>KdhnqYUBDJ4$tpRl_X|;m|u)bxl;mtqkGNJ5hCc)bJXH zaOm}@uIXxcEkii;PFG#C)$lroaOj<_x)!M6HimHMU7$A8R#9cT7icEx7YH+?c{#(^ zb7l_13~64;@HZIFVVEJ!uQL2ihI1HZh-;V{?qDE?-eIci3N^fmAsl+IP+ebA!t;2)g&`bzZ&qCuYIrL{IP_Mit_RfcI}G8_`+(~DmKxs15DvZHQeDre;q46J z(EE(qOlP6h@D2uY7-mTGj~Tv`;T(n;()=ri?_xNIVTLsSk>R@;&S97#%^MiLhv6KC z8R8nQhC3O^p?A3Ix>60l&kzp1SE{ZrtKoeN;n4eK)pd&+{(vDIdT&u(x2xd~8N#9W zcGdNu8vckO9C{yAT~Datj~T+D_X*XtPz`^=5DvWy)n+>AqJ}jFau{Yv^FJ~?#&8b9 z3~Bx~!}l|s!!SddiG@(ZafWjkW=Qkf3_rkd4#Ny-evjb?8O~vtAudS`A7LPeUP*P0 zR>Pk%ghTIW)%6uMe3T&^dcUH&CaK|L4B^l_Np*SE@MjF+(CbxQ52@kL8N#9WA=NcU z4IgI+hu%4=t6mMCUpDM5Ef#xns3NxhnCk#KynK=wIr1>`t?`AlMVTLrn z&hS$V=P=BW=8X*RVK|3jhBWVG_-Tf77-mTGVTSiIoWn3d()hv@dz^8;6#M52_WuBV zK5S?lH1T2J0G^e#9ONNY`Y03KIgJY*(cgfpF{K%8ocG%!FuZN8V6^^tF-04L$Xki-SP$5EV3>F*6o(M zFKEq6A$1H5F8ZGF%8eWwLMDSKIxBvu_R3<;GE6bDY~dIQ8`AgCO9h{dy&pE-*oR0j zz^s}43z{PGm<}+xxiXP_`a@$nWLrBT0@6lb1E9zDfjj8MUX;_|DFQBfC~YXx$Q+wb zt`)g$J6Sy8vBC5YP7C9E?gFD=#__ec)ombjUdT@RcO}&A}0G`o9IpDHAV6-Kab)zh` zyP0fl=3S}LOY((^ z;FsOOC-BAw*|yd#ZE)K*xUmsU!y>ufI=-B+NTbR?BUuu35)}R|D8Ks#ktz^LsVzvQ z0dF8O#zGg54bB}>h-|@OK{@(95DB|=LL^Sk5&(!iDci75*yypfk#RqUJulvhO8JTynxFy|BM51B>0V4JYGcK;%x@_9w_CG;psRW4v` zO-`a$-~9F4?*YFu3wj_>h9}_WYG9Ohc!hFXGwt8$kM@LPa-=aZL>+@Io&RKh-4za+ z*~%1{&(TEBUN=QD{c#ZT#uS7&ONm_QpP!-xI%7K?&Q7YSSUW@`7NQUs%jMW&0cW-Z z%rFY*J9t|3XTJW-)t_d1;vQ>=%W%M+4w|+Xf++k}a*e(~KX3 z@nilF1drz+sD)^(HV?@cATyGu48@bgW%+nQPWkvS;MjtU_YZgCsDFV&IfmL;8T%MC zq&Fx*c~WdMqzyDon-X<}vEQH)WOP2BM>rexEe8lS%$<7~0PL5L0FSTab}oI^>d z1K3bHmNyhe+ejDzDDpY;i&(6L7fPjj-Xt&#x;;Zn;hR86jDCgdxkxbM`@&huHcA8% zq{b8IIs5T8xQ$uJeF*AJb?+kj2aoFcvaMh!iqFOE-nbu+-dKx#u{#im^@i;K$uzZo ze3sPo08>&>aI#s#-8-coQ#T}SNeK_mrW}=;$)#4~da3Cvcvb`#6S1fW{(2U_dv~cL zxVRBf80@*&s{^qgLS78FT#!(clMHBXN_?p0t6>Wkf^AGrkWJAiGn5qnvsArI+0XSQBi48 zYP}-N2v$*W5@b4##U5MhX|48dTibeStMN(#LI7`oRZ*)TR(Xbzi#G@$%=`WA{mhMv z?K$Ut|L6aCKQAB6JkQ>1U!J|!UVGj4+RZLj9W>{oPU_iy%~zQJ0$l0m@DrrZZY zz+3rKu)hZ|Yoa_f`_JulA0 ziVnpeGh0?XDl9Y`N+5PiUG!;TVo`VqzPk+~4Cbz=m;7n8e95L*S7+4Z0}_8)+Z+cE zE;8Er)!o6_1$Yn&V;cuR%Rwzn6DEpCP2&JM!k%tC7)G0U%9LJc+daDsFE)(z8kfW)DV-r)} z*;(`%W2F1Cwun`eF;+y8U^X~$Z1paSjpYKsv1MnU)G}I4pB-x%rC-u2lvd)V=~woO z$P;HL%11qEK@^3By`Y8)aZ+b@3G`5F;}gYSBixv&E>SuvFt@{i)6Z?H5TdHmZEtI+|h| zy{&JO0!=!apcu!<*(O;3iA)@vv+;ZH>%a^$ELgu-=aYM=MCQPFCE*m z3@oF(ufyAV55EmQOz!h}Pz0RlhOL3bnOo^8>>&;+2p~GAqtO+E=~_WD@!4Z5+2kM) zI4_iiy0dRBgD#YEd1zyIXiEq5gI}`Q-9p_VBFYYRm?Ic>(+A$i`^eT6+XI<8sjOz1f4(79HKCIVNYrjiqFxq>nwLkS z_G-A0M0xL!W-CLT8uUe?PLuUusFN?VL=AQF8Obu&y{QX~#^8-CA!*R!tSv7I`lYlDE$)w8ju{VHW53^%#<4*OQi0#LSj>qCY0V% z7~}#{Q$pD+sR=6J^d@gBnhr(PgVMCaQ4Jr)Kph>b-vg<^sJaBg(_tt~2luBK+v;oV zyilYpwGl@wYV#lb8fx<}4_`uU9w0lP+GP0wLvO^`LSjU3%2>@}n){pIWe^uuITS%8 zMg)g^=#0td*W@#9`Sj)#J8;?IYF!0e0SW&(U9g{DNR2K{ic-4NNIii7i5itn5EW8O z`c+E@sj5So~LSqwHIojp^v7lH zcUb2BWij^~Q4QoZ7(jPO)!||O@6MYA`c`_vLz)ujG;pNQhEgY-SW|4Pvv3UBH&15( zBYE}nW8>GuOTFZhf$6u2<2UP`2Sc9>F)GU~R-+Gis-3U0^#*91~KJ0Qa;igdReH1puZWDxPFr>(B zN)*oXPPQT8Y)O#g4eWQB;h;5iKBhs>J7&BOHVgVP7^UrowJWdmr+=vZh0xbv)=Oh! z*OwAz)DSCk*i?Had%w@yT4sutv)o4=%h3{qAH3w`NAZ@JjI$HNkAtOP@pFkV>F^it z!es>O)7s|@m+^|m#kb1aD!WgEZ>P8QSsvVvCHgFEhEDUiY{u&FwERUc`mQKd>$J*F z=TGP~ZThUN(PoXGrd=O?qVco_E&0@MY_Jg}c5N<<_^W ztc%}gmv(klYtd@)SA@Cz%8Jc~WquWb8u^*+Mk{ZB%RPLBLA`TnL+&3qL%RA{@8cY- z2k$cDQ1gO+{!xg$TI-#jro^?Ct~4L+t+69^apXm<_!4T$^g*rDZVHB+s+)+eix=76 zYac-do*G4~yY{<}hGeqvJ)OboC1c}LS^F;r=kC^8^xm<>;Q7C@{`a%CUo|wrwwIv^ z5}oEg-wuLt#=ueqcj0Hrz!JOuciZ)k>4NJQIPAAId={>KW=$~ioEFWfEA$~6c72va z1&E8KKeVL-Dmd9^TJo$7c-|q{CrS;1M(aw%U}C@P|9SB4#j&xeX8rF*&023@o80BE z&?)TnC$MxHAOT+!G4*T?)UVaPZ`VBX1#6za?D&g=@~?sl?9Q%#+3kF9dRyP)*DQa_ z4mzlpkTUjO{@#{5fy*ZW3(Wdwahny-`e%(!(7IpAx;GC--Z)(l?(#PfEPD&VgAqAS z&+YnV{U2jw$K0sH(@LfAg7*IQ*g@>J*n3*V&|*?j21Ua8zkrh;bA z|5AEj>_5`S8DjO&ug=2i)>M;$q?FzJTL@>IiY~~=c&5HZP`SZIy3G!0g zj`!TX?ODU%V$t)w{=H$(_5PpipKLo%$r2Fsp7DmfPRq@?%n!4DNh<|5mz{_Uy9VZZ* zzLnH2lX|L6>$=z3+^6RgLSN;6+yCXeE+%2{BjvDWsLugXCsrknw-BDt+{gRDjq%tp0>xH{L4Skyhd$R{?CF~7iR&1+3 z$`XsFYi1M^lyjoue#@aW@3toN$7RK*dM_*<1@eu8^qdMi(m0BS^@mrVUg?bf@LHo+ zY-#*4>{)baapc)18+u^)sDS5X|>s59I=V$N^i@YHifj5M;b^N)VJ zWR)L%s($*->)M%4VeZf6|8f%Bd!omsLH+c5eH149BlGhoEa<8H+4tzD-{ZUyl2hIk z!PuQ@1KN%zzW<#iJO?}Ptl)?LvOHIfJ>)($XYT+{CL0U;ZUv%jsRTNMOIHY&3L;1D zg+dw3krxk`V|Dls>BWrwI<8|_7mRHs@_P@djESLurkqN3EXCEop{t!k0W@LYOIb*G z0>WGv60Qh)^kDFXJcA{ScgUiOa5;-F-6GHG0=n?wUs92#{P=Ah6$G@%Lys0UzhC@_ z^a#c_qz3Xw_K-sSXiEH5L+p>Y>IOmYGCoi2k$IDkL5(5M8~y1YXmSn+*6`24LR_ZR zY{@-bV5UN*MUi*3W^|6fj8I6tHt1DC1ksUrZPshE^Si&hNO`>Tpm_u-8;$#fik1Io~rd!);Neip+QB}gmk6;lU zxHfJ<4*UJvmR5wnigMj{vkUu{H&8pF6!z2_ST_sousnIGv{wzM$wXiYs1@1bl)sh5 z%HHNNgOz0lD;X>2i4udAWg`q$Ui4`OD{~N$3k_DDfZiT*_?uHQSeb)3CT_4YbeF-( zR=vgInocf#%E!uH^2!JVqLLoEff1p^FN7GW^DVy+j~fJ8&J=i;$IJ^nh>2gk(@19P z(kn9v(&*{pLT_wM29KINpUYs?9IF1D+P&U+n%n>qn-99MP=Dq9(H!!gv3qQ6kALom zTTdq`ZaSyXLnAoHSZo-fS#T9JT8rcSC(e?;@g){2c{v$*Tbb62!Z5XRiYp_pX8LC6 zlk zN;QkrU7u!YnpH`zS*d1`X4YqMTZJOI!@)1(~OM7~pYWfk1 z)j0K9mz|<|8c@@t48Auzm1NqyiIN|k2?CCFI<2oTf~UAIv-EPJUhHrV$&@$qff2}A z4n!dS;|49Y*0&=YEcOc;h?m}(f7N|min%VqNYooI!2OIDp zpPEu*VWNM~4lpqTu|z%I(L3r;k4DT)Y35X0@{O11Ue-WrzX!bfw5J&d`!Odk;A6f= zGtLP9r~*KddWfp$86|CUojEpGfb zhU%m5QG2awFYJqv_tCdZvw~`Dm*cP^ESfuqPC?yob10!nk zNaRRw+yKPp>qm=m{fj+|vZ#0(Re_R5H9Q4k>z|Vz#`$}=8^|_KxdI5r{_)&89*pj2r}G@S!MRIS!l-TN z8guG=lirC1?E~X!*h_`gFx3UzoUO$+$FSB`<>L%<^Zw@M)o2y?Y`HQwug%SCFf6&v z`|JhV+E3iPX5}^5yftp#95-*W@|tblGj84$Zr(KIO}2Rtxp}(zHIVpA_v=HN6i0x29eXY-h5Tu1T-i3J0g)nGH9fGtFeO-vhT!;p@jx72)$>nxD zpk1bwW*0(`wvJ90;szIDvI`+d3-K!#qREAr=0XV4LPT8%T@GZB!-Wu}h4_XG(c6Vs z;6lvFLY(eGY%n>0seH(V5Tvc+2p3|B3-PE6AxI0cYnlC8g<@7e+Fb}iT8KAYh`FTb zHkg$zgdhzB3Sj3iF3=c`xdtNUvQcrToQFs|PaQn>E4HS)Ir z$eHZsOtU#Hm2*H5Q~E+T8m~&acf6Rw?xnV-{JoX!2Hb!MK{K_iGtX+`UW0U|mAedf zWkAa4e5N6vc{a7wm`C-p#azvl0cp;GOwI$DW}azD(w+yh(gi^? zDkAGLOKhrFRL=PcO0Au&>p*w5$D#)UiCQQg2*~g zW0K8nSPLL-136w(>4)LV}?3YeVE?kn&5h#AC zSU278>*ae)f88iKn+=;ppQmS9pXj_zX;`0l5f?gyS4X@0hR=_79qVoV9o2^tBaUQ7 z_v$|^1Xb*&oce!4bYyXu3#~?bfOI}0)%m`vjCOe<-*$ck4Y0iGvs^)uPMsNB(%L?2 zRcwoyTB@05s|i;}mw8Bq+;DdS=@Z@R525A_1E^V*I(14Nd2D2e^DQclRaqX9AhtmD z7u2JXVLQ%gIl?j;V|YBSn!520o(kayZM*f z%%IK>6bVB^v1w%-B(YGpx=@oWl+7Dc(mAH=C_q!Up#6Ao9yq;ni) zQx^eII*Z`aY(=^Jpz?dE?%0~tR{%-Q+%L#K78?+>Hzf!V`X^q05Wlr=>$I9HP2{GO zqY~j$Gzc(JI(huoq0gG zY2oAYN?xBW+1o8C`}tbu0@5Y^*q$WM{HFC2aUf0HmNU& zor#7d#@{a7Mi#4I(1-ZY;FOs@OxDilckUwmuD8Y5N?2RL_=Oe0DdT;iM31u=T!Vhj z)~4MC=x-G79BZc9A3xJ4uiN-Z#GgiB*~wMv&ctC~7`R7(Q?gh>3`pedke5$vq0LUH z7m4wBQ*x`GJORjTitTW!xx5m*x-pZUDOdXylYSAnLCK<2tp&(cTxJ0-Fl{nD*%r5R zbu~4P4#Wo-MwZa@rYCDj&xI*J4m3Hb1vGInt&v9jZJYV)Jlny#v?z&Er9d9pi{5Yr zskEB$3z)n;$=hfkH(R1d8F?O;@;)<KO=K&L8iXO-!@B`ErI%1Z}I_gOaa7=1|rU1qrMb@@CH2iW%E5q zl7C+)iSS5s*=%wQG(I0az_{Fg&aPBputel*;aqdyhl`mON#vsG97BD{cX`6rmBA1d zxVxahbknInsK6)BQ9w_!hzmoyH4*m-D??eZ8Yg)45P`%E-QYS_&q3BpM9ACXOl9Tc z(YiYv&=qHiBOWI&)lc}0e=EVJJ_>*Bj5)V{1%Yx)6W*t}Z(3j|hv*mI?xPm}oYRWJ z8&kM3(2{>?I#lcP$=tTkP6gWuA**g5h z+SB|7dH9&yo;%Y1XSDYQI+sd!#j(Upe>ghJF`?l@m~Tw!T>Zo~w?o#jMTUmF&uR+} zSrqL37ANRJL*BJRw;}Q(uT4Wbg1SGO;5v!vEH{Q=Wnjowb5NR6tsUVLg7|H{posYG!XIqKx`GnmS=!C++4vC@^D6#Fkm~KF%)Zxon{a- zv!IO9uYkZ6ofoM8_$JQL_B+0yc8g%ejH+`Fwa3<6vUrA|dKExfiqKn7*SJuoJ?Vd6 z)FG(Y3g>AzV}IvYXUW;E#5ldaVsvevL*;b;W}D`MyXPL&FRGkFozp-XxW0a0>_!pU z>8yAfzUD-wwZ0wjHm-?JD<&NI$ryFIh3brbIlYeJ7mno%6 zXLeZjr6=oZmF=&){#R-It7oX1frZuBfoWDXvsBFws3w@W6s6X34Dv6SBI{@Gr{(ii zWUPvOlOjvU@?o@2baCVEML4((fjBxstw(v;)h_2Ma_Lv&TkIx1j8f`qNvL`k@#*Ch z&rSi(xR?Cs%;t*Q{yiaBqaA`wEC#p(SyP;&}*xXl<5^lWOX-!kKPe8I}dW!xX2`Ml}# zg9-k&Z)*^XXg?|Qys<^<{AW9vFdJD*vT+}EYx?aw`?%SK$XFv&vgJcdXZr9Zlwff z4|5iDD~E4%R)KG z4U@SMmiU=1q7Lw!9I&(|Td*f7n#nOn&9b#G{g{MU*M2Ry;R*T1TLxgDhmRlFpWzxf zgky^XYxC^1{gsOoet#4R<;~s;CzYd35L|!YvbNi&GPc{njQ#*>)48Iot+zi({Ym1p z!zb&AZ1^ZlUg}*JXkA*9e=-)o$gXgI9X77XoKNNeC#KG{^T`upZPu~H%*v|JFSYvp zy#09YM><%bt+GZ-u1XRMeh8SNiz|%|*@)hCLPz<5eK9tERk2KP#9q(c--i&4oi$Wh z8Dc8W(gLl+I@%Q5f-S%wpEV5b$hnH{uwb~Ln)ZU+)}_7DX(H7g)WPc)zgxELU~J7; zwpONwvpUqU)SqrH3&eF!e~T7SmDYBRxyz=w@+mP7%77cMBrQ~*ntrkijFfF|xsfv+ zZRv8GHy@|D>QuO~iFn<({tA*clN`x@XG?96%-n#_>E1`@F`#V1hFIw0ptXGV--Wuus6a zvQ?n(4#qw+PL_YEG=zdpqC_)fHi<*qXfrXw`P^<2zxpeiL_gA?Ke{DLmj!Xg_;}!p zLY`!xJ~@LRB#o8RG;I?#7n60j_*G0saQoi^v0;@#&qsW?^BXEs=f7$0Qexqpl^8Zu zUe#KM*p?X=j_tfBVdy8w`9NMYR-VAxCIX2u9=~k4->hApJb?tT2lDou4)(9V1B{GxzB5W@&=H0+F3eZh*yYTGVf3h~PFB^+{UPC$VfBhqD$#!)5E`saj9uvd}{(X`v6VQLb#gJdq2{ zTWaZ^7PT(F4$C2<2KX8+>V0ZsXATo`a!EzF8qUD2OMggbxlIcen1oy1b zQRe7lj3oOGCn=VAqq@CWYkCX4;fl}ru*yU^ol6F)J3`e-2>Tv$(ERW`d1i1gf6d@t zBE@vs#6#H8-B8o%XMkLwMMrTSzs$)-&u)KBIRTv~c=q^fCiKG9c!DRbr*51);@r)I zUYO!_{QP;vN4U3g4&Bx&nMJ@ucGGF%0$Mj%E?^JnB~`It%ph!Z{`zN-a|%-GGVz$O zvIN~Bk}Xy8MC=wq^K4%UOYfa0TeCbta49F`L-*la2)Ib>Zte11hdItoSX#NBbHx4= z^NA)N4yXPD9ckF#*Fr;Bi>c6%RABpSfgwrV0JD8{Xvm_#_BR4U-U#&WQb1X;%aONmGdll&Po7p#6UH1dkdt8T(!px?vTqcW?)3SO(3pk#N7Gm*X- z^=$UL_zH=&i2i#dh%r*E-Sy778VAOUHSE(O+4LVhtvg}zRhkhqCUJ))&I;|ATxaPa1?nTmN#7vGkXh1ld~+ z>re`~IkPXQ{x~z)&99?dI9B1|?X!hmG zq;J6m1o@I3p&vnS6g1TJXEJ5}0%YINPhxMOSo<NIlRD3g$ojAI_eRaTtgZXA$bGnBI=hmkmg~~xS#o{^bA_HP)VLTR- z4_xCxo|?wKI_cDSP&b|wkEQXT?mR&pI*7;eQe+jQ6+Y-cN*b$@ZPFvX>iD|zO~bdp z>rXVK13$uU&e`|JMb%i-^^0Z~w=55TG-n4NO6?GR-iPUfuznSPTgslZwH z2X;ray=$F~JXsz@Y3l91Jc!mr-WJNm@Jp!tsDjF+{qeUQugarTl=_9FuZf}h%F6Hw ze(29Ir&aZ9$}eZigkQ~Ss{sP1WFkd)HV3D?q5UieDGqS5dG(o%PHl_j`|uH$QyZ)3)hS$5jfLD` zttjSZ^3`V@z~!5V(udkj8S?vW^Ub69=A^mgTAI1JMsS|L{&ON&O)Ve>u@#%-!#eU7Q;< z7r%$Pd}K`Os^RYyT@9oX(m%DHw+UU%JY_D^ZtR-On{Ij!bxq@myRdQTi!LdS{6-4A zuLTmrh-}2E`Hpoxf2tyX3}@m zGDGa@Ux<7vS^m^U1^1Ys9p+PRy2TKojRr3L8~13?)6sRkNGT2G?J@YjvB#uN0CUD! z%yBtyt0BBdNd8r$58B`yZfeogaRlks%2Mzdl}Na<0j4!EuA8(K!>MP_HTjFhYK5k% zp7s1$ietB-&x=@Brp$EIVV_2Kr^AOwckhXmDuP_~rzj-$r1~Hz%#TngmQpmg>dzDl zU=QKCh<}ynci(=Rxkb(Bk47ON1(-Ie@QI>$yB~JxPy_ivMMxO<*44)JD;Wnl_g&}e zQ;?20VpS)56lp|d6H1tyG<@bSQ4F?)hnibt|B$J##OCvZw zBdbv6)l27ukKBXy?CoIeO>c{=!Z7&A~v7Asp(W?cHmaXZ>L(mF%vW)W^et#gaWdAVf?mN%H`&G`NIc&IWZLOuP{J8yik3 zW5WJk)!}aMexGN|(#AgNXRHL@0E!L&c0MNC9U3;=ZnA?4GW~qMzYX(9k#ozhdm^N6 zVqrNgJQ{s|zUM3Z==)Uu2iC;?2(>ekLLgIspS|ZQ^*e^vp3zY>-;lJ|inGue#ge@llRLnCTs}w$g$9^O@9+fUw~iq0{3vu~OU=dpycCwW^g?49*!)YE9N2K1_~**Bk5n>m zou-oCmF{o5`}?T-`;hx9rd4or?C-c~yo{TyKh65npg%SG(Qtj8W^c z?ySqmU}qCE4Jo+x8quvzr#E@ddrAX<_Zr?i$7s`IS$B^&a6RUPro?SXc4;T^3v6uB zr7Xzp&Wk+j&XssTLQ5D~V{LjB4UBin4PBD|v5pje3hj20NI}aMzHSQ6#tZS-~x9~rwT>K`I@xwtWAv%5z>x8R3f>~at>EBX1r@4bKni{GcBjo2RZ?Nw z5AL_9FR$oqTU1GfMX%Uz(W<5BF*!U^gPTy zKcr_L&rR_sB$4dXr=xNe56n*86I!k6)*-2r)X2_<^hKG}!jF2FJa_K%Dv+TquYxCS z1#W6#1rO}Eg7(4+X4wkd)WQlTJ8Zd$mKgR~2R@jF)n zz_HjhPV?WPf<&V9$4$I?B12AJ$2cnANk3@Dca5Gu)pO$ZiOzT)SZda>`W;@lFWs!k zAMm`7^PQ_txxFMg2=5tpzg76+Jd5c9-plrSuh{F|x7T~sUhg$~z1Qva-caxkhQZVj zLpjz{=5#&7CUp}T(K9lkXMga%JoqZ$v3|^9Y!FgyeKmRcb$Rtccnj*w>5t&lZooW= zMqq28Hv;}k)MoVYUzjeT=4*M%B)tr)t7cBpNrCG4SVO-8I3YO~{}gX3-aU~%fle%- z{1X$p#qpC7gr|h&rNbu&VZ)&AZx{Ge9jUU$6RXglswe49Xzk1VhNaQMF%_6oH2Dr$ z?>w;o3YL)GBvUM5e)e(&!hg_yKMwct8+^t#Yd?Oz`BKhLz)GK4g)%dIv-{O2?(@}G zsNwy6_1RFM_}IcPuRK7hr?DV#4c_nG;6+jJTG ziRP|Mc82dJQzsQ~e8f3t^vG&_Izgra=I&TV66o0-E1W+nGtVk1_jyz(@24#k_u z3h$U6hoPN8fnx-d^;jF^&=z2no|fX=h`0=1N#M66%`qyOoNUSy8M!qh>cZ`5}_cIhTW+@Maf=J19`R_q=-0~Z8B~q-{A3F7yS>H`*9UEg;mULRz z%-EaJ_j(aI8BH6eeMQ8O0c0qIt2WK`pXzs23YWlU+ys_(v&LrmUUh6By7*y%-n*hn z&y4awys7A{*rX1uH0|jpd(i}{(vJ55nT4rltze$9Ft_Hzq*K2JS9E4g#+sTL&5X*f zi}Ob%=P{Igi(1M5{F40q?~&+l(|{+nO_&ev99zO8)1I1PTy}n2P-D)!$V31{4DOa1 zW^@Ba*Z8PpA~XOP#R*aAocAMe`X^HV+0kI?MUDowF2{A(j6o5$Df?-SeA<-Hn!tK( zOTqXcTw_a|{tL{w&!4C6CHkFQ(ES-C`rAg+eP_;npcq?}Z_X`MMUg{^1}nqEJlJGZB9d7FyR zcYZ@UPjfqKdH1{&HI=8c^iJ#GAih#=!?|Y_-jAGqu0Y9CJfJtRL>6JgULDyg^-=}f zy&OAVnV7#y*s(yfpwR5lAAr#JBk(s#vu;?c=+2VqpgY|Q#1@6BF%j(~Cg1=Cc#kgB zm?p}51?yk+MrB;7T`hG9reDv>5M%(AFdP|l4d1R|^+sEl7(BqJOfc}AG@t01^bh_T zRX%ZNuk#DCMF1{Bw3w z8Jei2U+9C46^=e{q|f1AwcDIW@6{3_=0_k_W!Sdlqv+Iw(VbHJtWGMDQYf|>^jQ~7 z%+QLWaSxj0_O0fd)>xG#ik5Rw&)jebci8GSUeIFN+vn)c+`~WBpQ+xfxL$YKawRQS z(sGi%CACgz6-B^|$@}JCg}P|kY86?nBCAzo6-6dgZRK-(4BWb4y%UKl+H*^#EF;?% zVLDhKl#0D>d)w@rCHpE`mKq zR-1;NruyVC{=kL9_BYgMKP&cMl3vHyl*NiG9qpeNEzXNi$a#TRa3Ru-9691=Z!YAm{J*04ZJvpz8{%v-?n&s(V5}DXI@9#(qv9?-?PW zzfw?To+o}x(9Z&W6W)aV_MDgB$J|!sd{baQ1Z=7#91q7JLe;oZ6uRp_3Xmf2Z(oUi z*SPCzufn89(i#M!kY@|t(kUYj5poN*03XYp&J7eZ*S5qP8kjx}_F;0VHtt8s^h(~3 z2*rjPdr@j&F2{Mj(wvBXUuMxQ&Z`UL(YueVGlx#^<*znuw1z=s2p;<(838QEp}WoJH*Z!X5B$=yx3 z1m_f>Bru|X(KuS4(%hMCUE8r&-Xn&dC}qx?j_uQAFwvM`Nwf7@5| zNjKk(NJpc|6{G>!vjEU<0FM%2Gk~1zOa6u=Cv-FcifmU~&xd-_NbTE6jg&bs1{d84 zLF0A5J(VleTW@4L8#$MD@BVsz2j^4L-*yJ=rfT#7&?3II$}Wjx>?chsC}9bL4BgJJ z6P&Nx-Cg?G?am)~F{|Xj@n0+c)%9V}?O$CV_lGmsVb+Jr9%y}>^JVK}-uS)O#|2s+ z9d~`%`uH!%%gGtJ{<;+4KOrx#L;TD599VhzO7-&a{9YbNUao60w`rL5$zcQJ<+QVl z!+zR?f@YsI%d}4F_LVWhD6hGRXkq;(F)(|}#W4HKf1FiX#1lN?4tf!kEx%9h^Hjsk z=Mb+Wmsw%>ZVHH!guhf6zRp4!PY}tbKK#+YR4kTs^@J6Ri@|3cYwfz5tWJ8=$xG-R zKt-pUFWFai{`+?UIvF4m|QInx}d1*hx|dYqb&I&O&^X!=x*|Ef3E=J27nVexx?JnPjE5 z(MD<;{iRadXd|`B2joCfo196E)HXmJOA1|$v}Qb7B&{hqJdB%%jJ!5-|MJ>M8pud+ z|3qFJ5b~@yvQ6)ov(j2qY(27?k7+yR?EGo7vfAC6w$oV@MoiN|Jj9ri>Bry?9;#jy z^6cP15fa)eZ&V>G&rXychi%>)9mGq4geI5l?&0GZ+fi0HL$1S~y0l)U27XiPvj|gbiOUo0i zF)IcRX|Vfm0Qr%3S`LHIWl9INBLVjs!MiZ_@joX!bp4pAdf?5@)@8?v4jRfZL9q+cBAM zLoqw^a-wYfjujG^QcB3Aj`VwN+Tv1IOLKdAbVoz@lIV`<5i}9ID!r|jY4PdWsLq~< zIYl;BS5o>}MH?zg4R7nApX1wT1f3Wmm*qlu)j04lEAHM+mcOl7XnU104C0d89!iV~ z62G1>5K{rhExz$Iyk^%#hVpprX*~jX`_wx#&Y`ly3o5(IR3_c9aa7$iHov9WCi4R_ zol_W=eK^bzyDwWXYF)W^`7{OWhE650n#c)wN~7~3cHYvSW_~t07n!WL^OYEMFpMon@(<{lgSHgetki{{fNIQ z|77y9lU)vK{(%3bf&B&lXZ#}z<{L)r1%01S){W2nvE5Da`e6J_F=_H)D+~8CQYBnU zC_XZUu9`hM{%x5hmU3|pW{J(+B_34JJ7&AFvPKX5mg<*^j0@P|jfOFa;pL^!$NFA; zx8VPlq-OdNnK-h83XI6NI!RKBcR9*)=SmQ-b`#?}rZM)h%2b3XU1K~=tg zRz?-wln%7ah}>m>qm>KsSsp{`jN2fN?PklKI(I+p#Qy4X{F`Mci2O%tVQzWn>2q{` zT>Ex2R{Y`+S3{!Rg**7n1eKkjDc20=xZYuAEK_n;ymidJ82DAu+`rC&<}T4!X{dcy zWvB>tAT|W&Ph<<}#>0m+@_~~zGVnob@m?}IhmVO)Xv|>a^G51SzD~;(IM*Hm*3mcJ zmK588nN1u}5)m!8{4Bo7FWfnrHd7;T(W(B@YMcR^m@(Zv`2(YWO5g6Tr9z3nP@ho; z$_3*$m&lFutH=()=*?wCVV@E4xu^#b;!{_>B9si{Hj0WYrGqJ_7Iat4pTA8mmPQ-p zY?zuExUBS=#nTLWq6V8DIhG@4VT1uU5(be+EWaaHTAZjO#=VU2_I08B?jb%*cQ2O#Rpl<|M68 z)*uEFs~{S0`V!;rj-`aauaCiaEzVkg%|IV`ea!u686(1e?D7nK z4Kdr+5b#81s*0bL7|Hs~VEj^+$J<;r5sc2RDk8pPO$X6`xtY=w(3qVWoyEdBpN@H~ zgsP1gG4|j1@wc_pvD8s`hzhILoyJ#ZPaVki=5NzZ?HsBe>y)T^l`o3Ln^?fh!$)ZG zMt%~Ab3SJp6sCV*O0dKUp*(4AzqwWZ107aKPu}7#o|mbJy+sm)4AwcTHD1qoiYMy{ zo!wu|>$E^;OXVEO>z_$!7Qkfp)s0jDOuJI}2TY4GHml%6CP`b=b-w8AvLbKG^K2!2 z{QINxKfVPp&VlOV2h(TJO|CQj@O`Ruj>;r>A^~jZm8vl{jw*JaV5-cuUMRVkp_|vutyWs(dh(=hKAD+VJdIs?EYUfDcr51Z}gd_`iPYHoF6H(rBXem zM1Pf-=0x)n-9poHg{C=EY>iiB+GuvZo=I`Rn{(jJ&Tw1Z^R^ARfM-k`2xo9!x`*B} zup)>0m+BWtxKP_}Ha+|$skCQGFW}jEH!s~St#tjfr43XYQ0OnP+YY!xGc@pvOHmk{ zK+DEQ;(oG48}8vZc{w}-YXM|@J3J|R3)9+Ktx?6K9GDUTBL@VgoL%BPb)yl)WBtf$ ziqEd{M{gIXPIB5ppP712Cv;P`%sjWun`EWDd8NesGi}&s-PlZ%Fr2aACb0bINPBpw ze5XcEEQ=g1v14tgK&mvC%@DqBFtgkkpI4 zcdVno)>r)tPPbgYG?2KOlRH}i9b53(=;TIF4*L=6yL1NT!7a-nkl#Wnz?q%3_7zj- zgd|z^uuifbxARUm5Nnh_3Ji z`VLZBS}WhqvV+Qr$fnWA!6DR62sA%B_`HIzf41 zbsRJm3f~K?a;d*g5HRVXN^Hnmoo^e6@J+#ZlMje0ARryLRyHa#WHT>fl0!w|gZT** zh5Pc;$Pzh~7Mb?lC+AQ54K(C$>&Mzm4z&626y)Dx^3y_#&$~?dXAAP}qSpO%$=Arw zF^k5&cm8?!6yWA_JJc}EF^l*_<4IcWjJaf2dbFpZsA#%&&5KTw1_mG(# zfSJ$Dwry?T*9+{ytiP$w2R19Lv#8z?1PdqI&g4Ems<6VwU+`7@1;rK(@iX{P%@uM# znlb}5e0gP1rwX0gYYc1jAO1PFqo%$w7$47MU+4>t9A6Q^U9dP9SmjW|vp(7ic*i;% z5GFDe4R$!ABO_%C!TZCK2OJ8V`=&#;sa$LJh+ynYf^*zZp-NN5h~kK&<;#N6Gja0k zHPzpFrrh@+_Q%i4mfixZ0U)E*cPGAx1P43=nm;S}>odl?OxKC@|>1wd0YBY&%4 z>_XUW{Hk@Q=uYT)AF@J;GtvwBMaL_8zLBR8dmltv^t?TgxB+^e z;yzL6`C?COjX8%2JwMo`=QkSNQquV9MBj(9zn!D(o3oUCbC$AiHk5s{q3oLrDEsCD z%Dy>E**E7=_Qi&>!xPA@OI~eq@HSADKtl+xJ7+mvJ&vl>HUxQ8Cdlh#XVD zGxBNeYUW*s?B_4{#}0|Tl)RY1&*Crs($SAVVB>HCe)N$P;cXqPA%y9?^HYgS-j-V4 zEss8S8pxz11u{AikB(U?%a8`qh$4V(ajv;g($JRCTbPTPvzlN?OW?3dif+3W3*fdQ zPxy-HY~C)D`CPB(JD;+O;Xl54m<@@0`wg%w8%!Dt$7qI3K&%dtx7jxu^zotWL0_bN zTyodUF+75(oUh2+vXd@@zk^Q9r*fE^pc;zF?KIPX{|OI_S>?9H-Ee)Uk7dp|q;6a6 ziF`+&R0ecW>Sk(Lg%Tvkz}Q;qRZAb>lXGYa+vLr*#cs#suNc2+QPkCW_j-L{zgFrh zWc|mergn0TZP0v>vxHa6^7`13VR?I>2g^H><_ydGYqG`i{*>Rbx;6a^S_ty#6@2j#4*FVK#=|)6Sx-> z=xu#lh8=09P52|uRoAX&x^R(pzPdq6%-ixL5TI3QH*f17c{DTVt{F}$kdl0fKUTrn zAWZ3&UY9D=?_Cwp$`5}_u1e9{D~iIGnouWFHd`|D?ll(4Zu(Mt{j)CAbzg3!p8&4( z|5`pySytgcKw0M!>M)pcRi5fX$aU2I*KF#goTa`5K@Fvo*o)oMWU1d2zFZ%Cu?)^^ ztk~TZUe{@W_fYy3!T30~L_C>|*lDG`F;hgOyz_M;igvHEYJy_k*j=sF{bhCZ&sT%| z9CGM4t^mR=kLLxkKoH$(H*uDP$@`bA?XTmC2PIi}4wU3$iW|MvBt7s=6Zkbo?7y>R z_~)jJ=v0KeIkq@A{F+%_sy#k&nbgeA1K$=Enx}6d(Av`C5>vrFq$VE(j3p`e<~4^H z#ndVO_&F1TMr8bYY*}<&Nknl&Z$Mtmt@=Bt$yKpDsamS6b>pl8AT4=++pGHadj-@T zAZ}|!yErLwu5;>-#APfAayV6{nSj%El_X%tAOE8?RZaEt*70M{M=1!{bG!xPcdz6p zkT^dba|lpC%$8m=4#U$`{n5#Ah=~2EO6u%&Y;*L(F1FbCs8yXdAT*oCs*=3tvb^Vt zyk}qDb5-7RP2O`|<~gd6TdzlcBqTZvi`ObOIeb;;I1__9BgGM!&U_MRctJ4!oF+rJ zsBCoJ=EGHV$kHNDaHyH3VEl*XL-j%OUK+L{d5x#2h+D*%nys$7Mt7_<(C*>tlScvP=cVl^{YbOaVtXcBZJk;aXTrV zaXbEj^81qOPem#?HvXKx#ZO4k!RGtVijV4YnlnSMtIHefcSrtV+%cIlk3JWS*m0%B zh=6k)PiCv>cYSp}0ccdUZ69cDw;7O4$*-b(Xu`!My6%f$Vj2wm=ebZS8~ss^J4E*s zhEkaxObmYk3+%LgLaLxNnXqR8ytRn}u;(EuN=OUsd6d7C_MmsZ;fg(YnCDb9d)D!m zRnhF(%9~U)rF(cN2&b}|>p(rP(DE)?CZfvv9<^xzC!D4tQqq*4<`yBC%Ff6?c-c!w z(^TKV!F*3gu&;VASCUoJjf$p^)b-w$dA&4iKYW-W3dYYVagT%u*>Q+8`10;r!};QP zqG@hAXWFvQum8ms`@{=ghX$G6Tqvj+0CoTjH-@6pW>2 z4?(d2A#HD}UMcZv2Irax!IA6^TEO!vYA&b2%$0|5h`P%+aSoI9N=AF;kL~cATkUpa zCQETmmZzqll_=#XK?jqS(WSMU^8?E@ddci$C9{*2G?SGyla(x(tYpDtC9{*2v?K4T z(};buJbZk}^BN>|BP}yo@41szpPekJ)-=CN){gy5)+<2{Ve|;a-XScShhqir5C`WI zCZ0*#8u_%bex)}d7oq?|)`UMyHQFGCtOUbs@)PFI9;h)=DXQ56juRrM(KB98PYI!s zKSrn@|Idz(g3<#Sx1@*m-Z`QMHpMhutkBBhIIsbZ{Y+9n6fnTkv~4R%zx6DvcQix z{ic9S{VuEAmmcuIci=W+!u}AL zDRh$IZnxpG%yi&bnEv1AShy1pywU*$j)gnjLtrb8-gi!p(43TC4*zM6-{}z8ZyC6Z zci|4>UHD$syYP?X;axb&co+VRm;HDbRx`B6{Y&13P?PS{@ht2L7|%iUCVo)sa)NFXCA)sd-@5JR(8QzHlb;g(BKgq+O%*BWA ze}adhWzO>b_jnl0O!Pj-!+2ZIAn2wMPN$pGxN#2P!czwVBhRjgj6HyQ+n-Ty*GWRn zsJESGE)nWm&0QIdar#M|818%YmP+fFZRZ)06drP+?a~em>Y1fI0opW)|qJN?{sNFP2rXz35&pu}j zM2xA*oK{u`CQC5FD&@x~QhlNyC^>MkLAD@_>%5c9+6W+55XN@ga=A1Cba1e`!w47U zED*W0GX<@6EaPM`fBy5U1qSJVV70)U4Cnmde`~e0vs&oASb}AS1}(*1y7=^_Gb`b0h%=coFQPsf z=?82@z#Do)CSPxeXwB$Bgalpf_sk~ zRyq3`w+0HECMbgvD7LwJJ7L$k)WQ=Uh%K^vd9uO#eKbSm4jdUB+^LA{;geBgD9@zF z!^x6B^z|a|_ZN8|U(Gi-ymoez)}ww@W#n%JPs%pIcWPIn)05*tpFVp^(tZMNaa@Tr zAQ)R7tWFw&*o5X$G}E2B&Cb$8?Z8}!Q>d+S%B+$=^=@y=D1mi+(47z(cs1&Ky4P9l z-$xT*O^+ZuOG%p%$KS|_<2$YHWM@Vk-zGsPH9e5f7cVLh$4!=GoKF@Y+pOfN@sq4L z{>h`fPx{1&2$yQfVDwQyXc(K%aw;+xi-N|NJ-b%|>cd|{*ov0#4 zcXFaz1abV6{fOf$T;0i%Kwo#h>XUMBS#6Mc65+=)K1owq68^UP8JA?S+#57z;3`Ol zoi9LUQSxKl7Bc?v@iQmnoyeHFz!-@0QVRU%E6fRv-J!${6QwTy&bd8{zWabfm3q60 zH~(|AE3=}v^*uITC10FNZWSn5&yf{~w@M$#z8*otHX8-c9_P`tIG9Yjx8>gq+-%HS zY3`bfKKn2Q*r7jEx%h09g=kza6O3^KZ8^_?KVbM2E=W9FRUZGCs^p@?R-4@JZ5a(% zDE_O5sD*Gik)x=Jb0B-1Zh#tJ=2m4HP2|D0a%mj5p|PVKX&h7bQ5wfy!p`WkVwrfG zY~RE*@pddu6Xdm+6QO^S0ce+G89DGwz^80aH%n7l@rvmb{VN_(Y#` z%gL^8tCbq)A70rdfhljZeU)&W6vc5VTG)|* zajqEQ4$Jk_%b1j#F$t8^zv-R#W0KGU7=mMl#T(U3GBjoA^jU?3t^OZa|9H2RfBfHE z|BG4w^nNj%)Ec|~$FP}A>b}4A?_4-u+J5WBdr(lOg^RK&o=8nFM8N#tq>INnglAQkUkxC5M{Nse_wTlfO45K1@vV<-eP zooTYynpkh%))0(#fIA8KmmI6-M86t(x1X*JrJSr!m-<3-55=YSo4VxV()gG%|40}I zZ>tBaa($Y#z2_X8_>gjE!Z`2|zQ05Q4rb)?A}iwzfks=w8k}zk#1n=N5q>-NMv9_!fQJo7+xie4)gGqdc~wUvSrl(IeE|u37Xhe>;uZq4;|e(uUH_bB7YF;Q_gYbJ+7%_cdY_^kmgII+i?c-`##78$+;1^2 zUa#xxcAu?be$&OgUou#MPEdxSet}g4d^vkC8Lo?;YeOPm{Cf0z5`ihv$4g#lsZ*%j1{kex$YD2zi(gKq@WcfEONV z()!OKt#p->2>hfY*)tHkt8xy2QYHa5tz&a9Nei#$n$M% zjLvZsO+MY5jXQgwc7eQ(=7W{dt|8Np$rP1SDMjx!MPn-ZQGlXzC~Ey&w(%;JjXxM$ zYT~Li9OmucQ0DEQ4bb?e3&H6od`CLRRrshAB~ms(V=y`n-_53cQcaWJ`@%zSjg#5U z)R5^AySqBn-E^pb4?1)SxjGG1m)yvp;Q>0%cz|wqhT;=~`-HyBXCBch>1BX<;Vj>F zr^HS7>19`w;4y*gWwUvCq;kI6lSZwNW(0CC7I6>z3>2M!H+mq^M`F@_M)%P2j-K&K z(6p>F&yylfd8 zjP_JXNZn@_#onyO%eVX`dWO-%S#qYOR_I9@E2qU&Y-~|rZs{7b;l(CZ&Z@ttZXvf|zUI7T=0O(ru@HuVyaGZ|16)iV#)4bPX5W;{NDuktZRKa@u>= zKFWaW*hdZ20Em%2&*k3FIa^~Y-*4+@-g2)VYhZtwo-&=Ij;RNK0Q!{5bZ( z2q{YGl=I|9>uot(Y_sR~N*ovjtwQhy)owx!M=psg}WF(j><*rIJ)zs{8U%YjSzC?yTo zqHL*YnNq(!aH%RvG0?5|WlNo!DfQC>m#U!@qEPF#*;2)sQvY_~QgsE>*XpOR8TKXO z%C!eZZz=V8qx!~eW6JTvo6gfh2@cM$8r@;LMX>m$+1cePY>h2s<;-e<6yH^V=-qO)&FB=iM^tED3xk<;FI#H`PGAj8LT>a>7K;BwoR0&2! z>})Twi(76&CI#&r4m!;1wQ8w}y_06ubbvD^L z3o5%euQHJt?GIFTn5oSD)Lea!nf_hsW5F0%#Dp?Gp)o$Cta0R(W!y+_&sNC$BA^gQ zuh-iT)J0p3%UYM;d>D~<(Sh{l4A;RVhWi9#*YS0iR;9WJV(&ObXK0BSNh~qq$>Z>n z+|hs+`p16ImgC%LR58YIieVA=1K1IMjkzd|#w?-q?pmT5IFS7Fed{dbj{)#~2FO@p`6CgOU(&hC&=nFL}ztXYtZ8o=^nQbq8 zq|Vc5Hyn9UnYU#iSob8PHO;QuTFDE?gM7vT6LI(aDxF?I55rhymfv-1DADiI&xO)D zx0gC|FBYPmsU%A*L^H~OefOot*>=~g`b2s;#L%!S&}*^HlEcqs~7H}>Yr0~?5;Gj zcWH#HF%^Q+xxqN!b5@M1^@R&Nj5B^s?b~K#y{#rpsg4$BX0?%enDC7r&FU^_cJju& z+*@t#izc@>bDlhpT*k~^EcEEV!*}ZhxcK-yH)@vdgrYD(gSR+|mrM^{(Qy#ijlJ$0 z*f<(iV}FtNSCOF;vq2b3xL>>d*drx-*YWEE)se7uAXcEBpbj%;s)Hr7S3kaapgMxK z4pe1$e^Q6p+f;{dpE`~_P#ryN9Z(nS7S!Qmu=qGJseAY1tx*RUj}9^z58O=UYuY*1 zY;mfCqlSBZ%MTA!$81{%#y>cE>Zr-|qi&x%&OJ~a^|p>W)lo+sW>Zu@8uqEU(s5^>sT?eaTZb z7DnZv`c#;&)sOzEe{KBk)4xAcY`^`x-`1x>s?Yp(w(3X!R9`#4`_%W%1JxI_^{J5R zGryg!`q4lCca6oO(&PW`U6l?AbKcui(&3+PUyOfI@^6^(awOP|7oxM1ubXg?bN3XL z5E8u{2Xul2g-iJ@gYR$scWSe&{R{Q%qHK1AWYpbQh{*YdfH7t82CyMGxt>vM>8fJ; za+J|MWcab)SZtgYu8~s!p$6{{mPiHFO$N`A&Q;WI6@N{EPPjLAJOvpZy2+zM2}*Fe zVwWAR1U~guAleYLbH^600?^-fqjtq^fy+|jj+m5~FkF`|uH9r>4$n({FMD5g zvvVuRVL!~O02;Vavw>ST8yc226niG-*_veEG+&dKR@)v;dkFQBxj$yF0AfYo`mp!a zt$+O1)6+k_e$=U-kN?%}=N|O+yRPc-)t(r z{rKb~E*Jc&J3jn_${cm=X+u@+nrHpHRQBc}w+&Ev^neBb3iLZ&{g}(D9uKEIMc(R` z%6057yvE$umG<>&_qE-=#xuZFJCzU;Tlu}=dWwDD%~(JJuZ!K+$qYKLzjR-l?Q5(1 z+F)O&y010%^$GX&QQPE?+}DTf>&@=#0{gncef8P0zjt5D?CV|bYmt4u&VAi#%l^@Q zT?Z!7$?v(ZEA8u}?rXb!y~llh)V{8EU#Hos9&=wO+t+*D*Jk?~abFvFUD{GPho3n# z_?(;kkgf7T_f@hHx$E3lpRJ?AeJ!)EKX+e?>?>$yCUGleX`zPHQtEioO`c<`{Db>C z&Az_uzD~BUe{x@&c@4B(JN18Y_b%{JRo5PW#srNOoTLN`iV|*9oA_#?c!dg@DT$ns zGm;9ew8csbRcdLak|D)myLPJK>Q476>4qpb&iE8G<}S z-jDphzrD|7CXlFY@BQEZ{pa(^oY&rKzt&!Rt+m%)tFZbTldGA$bwwty&HSsvRU->0 ze`BKFhzJ7zQ9ny*NBD(;kht_Opr4a?uBaI$o{_D*?UzC>c=HN+j%P-LoTzx-;GJez z2?`$XZD!@Z@>5Q#Df2d%+inQbli=>0#E^a*6?GD`i&_}W7iy`1clU%t;L)*aX{6f;mN+7f#}S1Ip#3*nDBN$ zTQ2JY(9Zz$LSNt}g*O2F1_0eej~!z*N?kSHyJgFvHoOlWKv}?&a4SGuP)|c|1`~Ni z8|P2=w&OVi&}KaCLMs0_%@nCWZ}TNE0!WsLOYiJK_*c%`&b%0bvxV2VNPu&e+LS4W zYNvJ}n{7E@s1tkCpgEatG&S(CJ`aFpOWW2+@IItGiA&D~sJ16B0ch~a$^f;Ek|jK7 z<>Y)}X%^GT9ke?*BOthFTx~bZE-DuqN4J-o1q$AiXq?!eqkdz}F8 zC#1XY80XR06{wntOGk9K%^Fk2R%`Id2pZMxg??4@+!&7csbH=$tAYp2&^}RAXr|_D z!@ao)mLf z@JV{1U%cQ75lp4&6H`k)Q>_$Xx;cwt`lgEsm^$_NLb{ku-tt}+*MDw%Z`1p#wxxzI zl&dMR4c^mKg`(fH+0Rq<0`qB;_kf>Woo~jmu4ps^6U?vUl%Bl~^smKSEhkuLGS?MJ zk;#hjG3<=RZD>S!Jk5VJ!6uk;g}k<{y|moaj!xy3@dAWq&ihtvxArO<4crc|_#Bpl zNv4#YUfE}~zzi8>YkwPTpnv>*lh;f$ggU>ZGb#Dk9MH(9$Zz~dRfMm<^&eFq9_RUw zr92AltL*Dv_^-?D;{)hZ1k(Tdp#M15ex2n%PO^_b@E>b=bmo^+fBkEwHS>lwd={5l zzng!cJaqG~{p;ggMWO1s>d$tydQJeA=&MK_SJQLe6OVVxLPI6Rq0^AeR)q9!1_wUh zrnA1B(L0nKjDClnVN>=+gKgt2b$6jjol^JbS&frJO-VgwzZuASkzo)!F0Djp{uTUU z_nhc)N5-cq=F@O~z3*KJSQ;QoroZ+@;5CRvr{yhW?MkjONqZD!0JVp)@8N^@DS)cO z7=m52LDv@l+U#HJ{p(}?b*_J%m>g=*1uNy*K+?_>R$`}Yo342;;MFuTI#R8 zT{&H~>k``a!g(aMBlY+NY=G8l%P!A9Grq5Eqh90`5kOIjUfXFBx==*fMI{p3ABpXV z#NNi24Z*;Tj~31y?~Pyvn%T**mEO;0O8NAT_Zu9lNz%m3f?cKYzt^(1)7yW(Ib2?y zuk-NUHN2IYXbW$hxZG|G=8YmPc8J=#fX{wx)Q(YG|EPS3S~uPW^f(LBv_+CRGIUWX z>J!~^q--_*Pn`G@FAHm(AYm}s@Ot9q+|<)#_T-*;Ij{W@z2g%v_ilgejS)m4#uRwC zTvan)z4K|#$Gz-KYY@D$)rfQzz~y|lfjwXiX)&5;uGyZNDduRlx9dFWoEUP+ZnLn2 zU^Lp7xpD@{yN~r-RAe+P5F6DmO^1PDLr1U3qO23Xm*ejfV{?jL&0CLosPw-q%Ise% zr7SB*c?H`+vL>W@-hXB!!sil+eq$4rD3NW0m&iyY)pD@zZks6QE)vyRNE0#=6`DjM z(iC??Mxvn^iO_Tb=@OghnT$l|WF$hBMWWMfqF#5Wi#ymm-8yttBuY{bikp;?=;e$= z=`}W;;G0z-G+(K#vy(U$Fy7gJv~WL;c7wsZ;#AEE%BiIW@Ov-*NXYfVSXWYk*p=o`q^?P<|YVMQ^6;e!bFVVNonBv2%OfP&KD0aFpDDGss zCqIr!3$)Ws1~5f?>qYjP(u$5*Jb0IrjgClYunP5cwfEgmXs3T6Z-0{U_ABNsM@5JH zI^%66Z?SEVi5TO$5f?{Lf^#*o`&(-q`6sB)KPKTS$QvAC5N&>l5GXi( zx2Sv^i*Bd46I?2rhbj|N9dr7IZ3AbHl9y-QmU4^ZTHO|Ni&=zj3%UIY%W&_RxWq{3 z%j5O+Gba{(^*$$$FE{W7ijjgimJFr5{#yFAKz^Oqg}fejpK}_Q@%K3&4WsXq8@x(_b*`(SW7pZZ`3eQ<^CgDcaG z6~uDC4?^kJ>VwbueK6GaL51yuO4|ol**+L%`@pe%5Vn1Awe5r9whvs}2NBx`*O)%g zsjSDaD%Kj&3>rB&F0L}P#G3}b30d9-g-G>7KhxoymTA)PiA z3tikTExYZgA#J@NS(e^B^f0(6$d`$V#TLHULVEA(Ma&_rZ$MH@`5So~RS3=QPU6{8 z5vpUKBne{%&h|EZV|gxm%HI4V7?uy@-{F5W{}cG163nli2@Ea|*~`QBGT&a7aB-Sy zU*V#^*6*7w=5_)%KoqDm0`~)!K_jeN0=I=q9na4gZpIM>PF@KAPw!p$7W!IVQ~8e6 z?lESX7XgOtg)wTP?FFq`)!**e14sVN_CWFfNDq99iq^q-+KLu;Qqg&oZ}sATQ%z*s zItJt0y5GR%rfkW4UY!Bs)m5Cau)e_7N&MwrmR8GjkD{v_Y4GU~2_@;oaYHVLPho6b zgdM*#iP)C`;S5SCme52tu?_Cb&{yTsMpkTxY=hZ$W`k2Ip?zB|&V5~p;x$U>t)5`s zP48vE%KvV*Bw9zaoT`ZK2_EJJRmPUfoDbkdv}vGs?y2e6$J5%xu?3?ZI)D&?ki|Xy zfP3IcUkkXF9XZo8lz&&DYv6&AUT@Ndk*ILz%%{P9Eq@7{sLBAK)jiVlb${ zUy-3Y-FtYr5RK5_FZy$LoSF>NU~BR_zL{b96t8jjdwgy1znBOAafgy6x_zQ1heW41 zCjJJc@-QqHCy;QS^l9ygf|K0%1x5H1g%B(yEVHrWC0^m6aBR7EDKH3arxf}Ss9`B) zK$yVTSg-WX&}Y6yVmg@eZm{kv)TknUcR^?$?i8#r@LoTgMz5)k2Nyzj(Rqb{(ZBdu zf5(>#VQMoz;N~{=|uwK6`X#r=`<^e8lA{C?~d@%Hh&qNV!O1}tjktSY?y88 zYt_YPQ#pM2i%mEQIwzUr3skOCwqY=fL3^NjwOCOj<` z%=`1_EdRHL5=G)uDUB2dmWtPUrko!le=Gg{2q~m&gS@UTAAbd z$|RrvCR6f$-KCg$r>mS3w49^#%u zu|p%CSC@Czh|2`MpBhnzy>-V-GrP+4Z^|USO>%@X;XiYwB#urFznDNMSG|s!#}`I! zCRb?wI)06s=lqOM&YwI8vYNA529%bi#hku+G4};{gs8i4SfbK}r8{T6=*DLna z^@xjVp_{mHJXMNhf15z%-%ju2h^Ql=fAyO=l9FIPP6dve_|$iKQT8t7D?#wdg7a}c z&)3#IG>g-?;XylV-e!Fw?~s8c&1lhTB}trJY5*uVUR??zR}GY{Q1>f*dqJg%`=FqlOa_Y2w-snE{= z{S@h^fZ%1_>Vbow)tn-2lkD2Ent-wUs=sI=J+~!tv||QE+Kp^+wrtvAO$)I0LZCUh z`fOqdXp`WVY&xSd#}m($yoW=)r-vp8w31Dy3u@mcWU@1pIF53;kV121+m(rNO(5V#?~D8EBF&=#cdHf=$iD z+y$3X&r!i8)O2*%&yJ;qAnfg@;O^$2=Fn1tcMQe-($t~&NSd16G_)MJe7&VRr=@OL zMbz)+%;?=?m+;h}Sl;!D<-K4}C^+?Gip&cx3BkU;FqX`6O+Eh;;yZMnZmbP!X7p_t z_6E`IXooOpKNCES#1OmN!mB0Vy`MEJ_GKw`WzTR@~vC*8fr{0cVO{7wc}4 z?n?1c7~4@sj7tdeci^R5uSM7+Dyzh0l$>L(zSi9yc zS)Sf$?ZO0DXV?@Li11d%R|8hHz4Sm2xc;hV1mypPZ85*Owi!msQR-MRMOP@0wt26}y!wT|8 z^o|c3W7ya_eMofg?VQRns)OZ|`-T&ParNCKeAgaQHyR!ae05CnCnSs{ZtNR+zMQ*o z$>Qps8A;`Zbpry2!F017yVbiIo-Y#E>6Wz8mXIcEsrfB5zj^%T6or_vf@db5CL|hf zvzOb0%$%-tqAg6trs$hjN<(!7zUHQH1}*rP0A|3!xba}&?T?r@c%i-Z*JVrN1@Yjr zP^{nqITwqMoCv#glKiB;(^_Zfjio=oADf~-$)D>seO^=a==xtg`;utVc_lyly6DoE z17G@qXwxg(KhsO}>85ipxk)r?#??{5^Z`W(5!-74;2@ETD@<%vs;-;#&X&;oYdR*xFS~9T^hX=iWTWZ;^ z^2y#cr)ygOQeazem*4c%Vyy%sb{8r^)4fWdKNe|7T_*K&QQ$e#4%hPW*0aPKH*6zt zfmxf&_ym6(eRFEKWV6=gUS?y-(A%{=fEzOf`}pMxC>f@->Gj!4HcZ~ClwWYOL|17F zPlBhOO6i8D_F0W8=H=a#kgn)4@3$xv;i)H?r0~=kNv|a-XI#oT&g-zd6OKJluT;S$ zxQmujJQK_qz?cm*ykWnrR1Mp*O$)^7M)iWDBC%D*vF@?#$+>0wT8D82dt&sBBW3%H z{4{u<6C{!r0b=gjmuqhC#5coT`||8PXT0v($0id=?)0~~8`rPW1v5ZG6? zFFk<}Ti-K@2jf^k-fnl-Z1y9VeZ<^KJSgt= zSN~qK?r;9RKkW+DHCU<$lQi#2VCY=!tw;vD#xP(0N*9I^Z5&a`8-8uY3tuI=2bC>xbz7|2SnV9l#vd>KOb)hI8IMF3asEq>jBq;=Q(7QgNQzZwcbn-qT4BjzLu-tQd0a0O$% zDQ~A2tm(vmohlLV09GC?)G~v$PSf`^{-`k;{r^t-^#B$4K>GDDTkQ9qHGb@s8-0LBD=T(vM2N<^bmZ68*CL!`Ay!{6mI*VcPa$bhZ&3 z0pQSEy04@0FX#BQrOFT({gmpbP(OL1SPqipSg;Ut0h9@{8K^Z6Ru!S=x&HHG{yAoNG_bdy$O|eR<6P;^<4UzWmPr@?*ZZ30WHP#RIa`kJ=AWw%e4A{m2P!d|uHc z>9^x^iYA!r?4q&eYMY|%0MRSyL0I_N@Jl_R6+sV}`67;1-v?34HT6m5w@@=6v{f0M zjfhTBUPXLtPJGe@-hJIfDt2l+-SOTjw-sEQtqji@^GQ=;29%6q^>*$Dz`h9B9Xsw` zQ-D;k6MVmA^lQ5JZt~0jf+?R$*}n5e`0wR%O$sSHR5?Wzu{YW~#IFnO4iDON+qD|e zhcu!ztk^r<2XI6^#FzR07sq=aJ6(;*8|KShMN{x2>TUL4E;k*@7{sLD@(049r_CM_ z3xWnK)zj)lKBdM{<9ghu&c;V0i>Q0Jx*5O4=(%rV+7QS9AM=}JJ6KE7tYBV6FMix!dBMCUoc76e5J`(n(Jm4)S54I3TBxv%9BqXj04MA;7+Rfi`-J~YY0>qWq|GyAa2d7 zKfiBb@9N8#%&PZ+%+f)4*>XAi52q3ehW}C8|Y523?llSN7d#MXuHXdge z*0hF8HU;Ze()Dia31e`Lt*7?V=L!($0rFs`nHt3@I=rsVNX@l#PSQxSyYqxWKyM2B zCJe#NPT=)a?({@UO>PTwhd-7lz+4tMevbW{fokR$hNmtlIa)nB{Rfz`$y5yVSAC6{ zIZ-o}eT;OtoYnWH>5+z%OGG(E?*_IpIQ7ANG+FtW5R75A^0vym&QCeEJ>}>QDM^&) zUF;_+Y){nNPlS1iG>W-mStig$-btn+bL^a@-{$J&ds(WEJ>w)0gq(ZM97pI-RAP>u z&wQ&_uIKz*hN(&A5^L8Xmp?Y%1AgjRBxo;VW;(T1f2*=nM9U`G>W)+{3f6LRH|UkGq)r+Ie~7mr|65QAGr#?)zK-CoJI!+0?eV*`!|5lj{s1sb&gvA* z77OOHGdYBk0(0R9fSJ}gm^Bv6xJvdNQed_o?YdE)?HtTv3#RY(j7I(H1HkM#v(rYI zgFcCFl~ozF8T|oZ9_<{=A8l0VetZVAl8Pv~Q+bFiSBGX|K)T4*)Z(b1>hrV7~rh2AI8vyKYptb1>Hf#%mJ3 zB`!Vr3cG2QO>I2Qh>y(XlKE-12WhjMxhIzM)eY93>;WdD7GM}PQOLxl^}XqqM6a;w zTEezfTWYP>YVjDk&8tG2T!h!>9R5NE$?}d_miBqMmswuN&<+c`J%0uVA(m-U7a+d^ z$mrqn;PmHI>GZA zCWc&X$WxEyt2MCH-Snt;bBpYAs;78AV26a8TcCTQW>yPh5NQrXZLdbMGYf!8fHV8$ z873u5x=MVZ688eSk&C<5P55%J?;#@n)NG&pk)llG^NSuj-qk7svOAs#ztvX8dkf8K1NnU$hyEhg0ImGcykCD&yTY&so``jyS~u+8-YaL(oQ?|vyFyj@&8PG4jw^W_hr%3H{XG!raO z^RfMHEvfZBLw?6TfMDFXB6VU!9K|f)NT}AtJh%_2;n*ext!@vv{S|r2;xJ_@>h`mR z>aAeqE6$*oZi_hc(KhO@pEGFT?N|7*w_hg-fL`|cQYA4;pF*gVX=ONegNeK?Ur8r~ z-|n6YzpamMY!4L5`~8taZFrrQ0M{z&j<)d{w)n9l2oHL<8oIZG^Ao7zyrUN$A)(SO zBpv4$a?`$q48M;lJYLt=AfZ$wQtuAO%EjE;|At|5+#IM>7|S z-Im*$7m8hzi%TMmN3Y6L>uv1vJB=3fO?7A_ev^%0K0Mu*&li$16~X*-nSHtV_DeG3 zn0ssX+K%ibez_YfTGBCoc{ui(8*5ef-E{a6r%&)<+2)PmR$^|U9!8jl#d2%TDU&wu zN|SC;**+8Q^lOsBF_13I3f4(dH>O`MH>3~NDKxVi!{ZLU5gvCNi&#%*-0)oQ&Ubax zJ~;D_Y7^hF6fons-}~-sD*Dxm__s zG4K}CVZrIY5yVarFnI4P`j&}=!5NErm5GSnkKZ?)=f{}LK*QD%P1YNd?^r1^=>6*J z)F$>zystd1_PhWvy5Slqc9`IhvikazjnDb-#!>ckU<*-NImbt^hu8)FSX^CJZyaUw z4cw?Gl6w{(D}vL@1&!ot<_Xc^O~T|+lBeba1N6&-huWUiJgdYEZ|2Vdl{yM1HFafd zd#GXi$rXdXkvsLO5Gy1OVX>=`V&p&O8wUsz@)7R(fcN~NL%4no^x0T( zYOBS4yq9&+Lc_NyCvMX$+ z>Orr^dDivV-}sDOMtZWNI7`iU9Ejm2?PfU;GxL2L4#XA*V&9PiF*93F@h7V(zvBFF zm5MHbx9?QMwh>*^JAjcj)azPV!I)WXx>brfk(~QVRE6pRxaVpw9?G;$(DG(Y-}n7* zJMqstiSMZV{h~KJZ233mwtlT_pY5bUU3Sukb)qo<%d}jIT`dB1O4H~3nquU#&--yh zI}%qX)K7~Wj`r(M#O8+SOTXXWiC-f0qkbz?zg5(4K_E6VH?~$Ck=xoc_AOwVdjMO% zjQ+)qpYM!&JsdA63XfwJOE-q~+wDn90~QD=%ian_k7WDDcGM?k^fu`{POf*fUW8rr zdJo4tL(xTnj-v>p*gL(LvA<#+!eRV-f(qP{u3Emg@C%0{N8dt*dQc4j@nzrqmAIo zW5wRFJT9`?CUKh%MDk0KxeJNsv{$&~26jO4x(?#%bQ;8US?j6c(?%_q>W$6OB{lB} z=E)+5==pFBnx}vRM1162j!Y_JAxj~XZ=uB!KhuF2eg zM2V@NPvn4y%@u(??zn}Xb3Rfr(DFDdQQ}pU?82*cH^yaLb9fv=)am%?Z36ERB zrr{FkS9H;ow3;NjUn2L8JW3l21GZJhc7;k_QMJpJ(W&4E1vjoM4tfuo zY_IE3=_O-|dPk2kp_l*yP^x8gLe2MCrqMhKTDe!=h`SYuQoMBHs)P#hN_b67!ku#Z zI5s?P9f(=vj$5o0qs@k>_i3nRBzCwWrp_txf^`L8Cv<`y(xS$Q3=ZrHc+Nvqe<541 zkH6b3E7=MTBy#@DZ&`_-p;EN1@8(V zU?}EliqSzDc8EgJ1HlT0kZloD>xo6qRI^1=8fyqe59ZzdiSW4Q$hZczoa4%0ga)@p zgfFor4PL)M!>WT7gBtESw_?!JyZUoi-Hp4NHyOK7$x^@GkZA7;>e1Tkgx51rkhvmN z!xK5Jcz0aQ`5skdLZoDMYmW}}C=xGNIHNcgR#M;E&8$yuJg3n;D`!C@mebfCpDEI(-lUC`w6&g|SzI}IIk?g7 zIT%CP!3#3d(+eA%{cG4h&k5e+GMd!<0&u+183YziKEuVrwV@@)3G50FYDCfhZt~M+ z$lp~&XvLHztjwe(6}rPPb5ebUlc*%b?80zEDwIx(2Q zNKIg->_6ERc%^LVEJZ0=(X0SSD_U+0Zp6BIb`7gIDs2B(21Y z-RN;`#W>m|n`)DdTA^fpSEQhDRrDibC2c&w^)Sf|q^W~f8ohqB{-l~|Az}$tmy4Jc ztS}^S1$2cT08-HsekLw~NZML)J-&D)nMx9O(7R^%&6rnTdvzj*2G{3ao#?(pMWsjN z##tos4mkbSq0&fl-Rzu-`M+-C13dG3a5D9lyXfMR5LjxKsZNs!jlEDIqd_g$WCxTu zN$_%xIXx?m($U-`rW%CW=Ja8Gaf?b5-NPXA-Qz;h7EC4H;s1>Qx0QkQq5hjAB@5jC ztKCx%Ie`VvI1a8hIQv&U9H`DO+ZPTLEF^kYquJrWB08|8x}UX2)t7K|)WTeXb~OZ_ zTty11xTxlxjx=#$*-~|FaQd%VyOOW*s{(0*tzG#1?D z?N}$#cd;Qv0R$$)GmjQU$1mfn-oZ01F)x(3lLywnZBw#U3rW^c4!kCD0Y>ZNbpo4x zPQ+1oL&hsN#I&One2l*8{igwAD0`v7N#;!S0JM8zQF+a6>YMK>axv4%P;Nf#6Fqml zFTo=TMOcQ|d4wDS+^gWF2<%wub5!+l0_LMx1IoQm>2qvf7{OR9R3hg}T3JZHsS8xo z2}vVPX>J7S{cpgAIU|7~9I+e%MZw5|si}II`k36v3_i6#ELs^8wMWjt)W_6N2?wUr zq=G1pWj$#WB2RK+-3@8C)m2J)ZfXia%l`yGQ)xjG1wLje@WDvQ(pFB(bYJK8?B49g zx@Xecr7Ax6nnd4yBAg`6q_2^)Di&j>ki*#<8vt*cPhd%RJUw@bmlx?dO6mDYWk`ym zgDU&iMB5;+Uo!-@J5ojW72!e4MP3g&4O<|uy9sA($mWyNA7_xM;cV$hQty}QzVvH>Tf_|H4~IM-6M1Ha!_h6sHR~%$wn3M{x)bR0HuL&K z`n*&0nd!zlXJ)z+*da1~&;eN}vfx;_=P1$Vf=v3%g3mmw2)uJS3X>Fpeggu%B>;`C z3@i)v-w-KjaQiQDPi=Mr&Ca-$6|sFKfcSi%d|#uX(oUdad6ps5907^3Qm?B%)4X${ zqX^Ft{9%3Y$$DA{fnHI=ij>K;8UpQ)1^ydFr61*ImJZH}dr$pWc^7Q8+ZVp00;j2b zpy&rCgUv`h@+bSWc00jF+DQ1dM33I~wvgL|kTm8Lk51X^TKYd~q<{D=eu^8PDx;Hv zQ1q=U5&XK<hrAq=(X2s$L5Y4@zVul?IiPwadY$?u=wq;g$e|Bv$KzT4bu=}$ zfScqm`0)aMF*Vn562D^+(xLc8{MxE?ug((i2QBa(kB+9?)#Y{XqMutunH@?Ps}e5f z$5z^hGl;Xubk(gDI#h1pgqvn4pZy81fA1}kYH*=KkC?x3; zhOBI3%AMJGDixZ)m0z#11%codNoMBg%fSk|JWZl!A&8xebIz+T>Hf*#vF_ZKb6@ev+~Ki`bD{Ld z+}NQu6d`biyMPgnE+&}EB52yt;O&ca3@(=i@LZU(UGAXqSkO(Efa;*;=BU#HdOC@xlk{|wp0at$))S{V8Zc>H zUPC0~qru<|526uzQ4}a#vNIfQ%MIT1OdDKQy2BqqSk#-kf1CmD3Y* zsh*fi6<~4GjFD3w*9JB{3(nxD;tal2^u&MIAZ1!?J{ipW&}uM%FePgG zzQw(RbuWl5gLgMAMgZ$q2RM2lJ|NGzWI)ewY`_^>bma`LRavJe$dD9wh{^m#d@6-o zDh4yC`8!9{B^zmIpJtkTrh1`Ii|$%Txrv#9vxn^g0(EjQ>U>kCS(-*1EfxWS9`!_tzQBQW&8Ll_7tNW%W zXz_5%CxH$rWzLczR~8PdwEoF1wV}$rQBF~NgR7JUoVFTR6hzf|v1Y$+HvDFdIg7gfHtn&W) zJyuT0jUj_yTG;lu$X%5;dNp3z(yuc*t6vt1&Ex9d_oLOHowQW_m&gTC7xnK*&pGX2 z&xShj>uAqCs$cvTjubAfz8JOaMK{ihd7NjjIC((m;#0!l{7i;oVZcp%t&Q=Fz8zE? z;DZ5Zea*VoY#q~2e1AYVdITaaLr2LilGsFuCGO=#Vv9p<%_6?%Lq6k@QQW|Q@Fm^R zGj`989zEsuo~gHk!UZ`!Y z`Dh+6AEy{f$>t8w+Cv)J0We^Lx3kCMnccUi0Z*l=Ebj{^_YLh^gmC^@6&h>d6%W_) zko*BZVewnBWT4^JSDgm0ux1TSOLWg>TH@blK+i}b=M?0!Ph6AePMEHS0pUarGntig z&_U6~@St6WAT}7{xEn1&dENS&2Md?f#5t)Q#!@t#a9Tte8n!|GaPcT%rp(lDUCLT? zX>6yjFMuX7V^877Jq25kyiq3)fWUE6adHI|4l0<;nl!Vcy@@NAD0@Kmo z?pqM3E)FD>G02Y_G$ov#D&cg$gwrVDw7iPI;>e&y)wjZ^_Deoz76sE!q5DRi4muSC zXBM0$*9vrIb)=o%#en`~Izb{5NI#?9ArF0btmc(gcAXexp#WoM23i9*eHaCWV&9q2 z8Rt>9lm-N+U(V{C{Hl0y0Qb_t*T zNjA_7hQmVJV>x7mx6tAqoG8`pz|4pWndj5lSvs}ZM$a~pC^@2j)QJzv!;tvRT*$8u z4t@O@S@FVypuN3+y{wRaYhENKS5*>=3FWwSrw6?sKPnYU^kJ$fM}s4raq)+^H_Qts zgWmJjZa&u56qOGc;AJ&MXZm-oH%Fh9Xc3FMno8+P4Ax^XX}NROQBRXGdXg z^zGcx^K?49RnJ{y>V|Jps9Pj4_@YqsMN^Ytot#%;`XGlO6#sccm3Px+!8+|^h7(Vz zEzvv0Wj?5GF^cpzA~6<_HNmsW3nzLrZ?&BwTt$xc@F$HIxJ<>AEbW82oU$5@III9mtn;v)uz%ZBk`DlY!E z@M>weY=mReg@VPy%0t2HGy_X?mp7~&qu@}}48>Cu8^^6_CbxK8Nq(97gridx;BSO( zDaQ>o%TV+gQs}P`zpud=7xS@hX>j^^CeeecaU?!t0vC)zN<;A(sLOwTUh#@n>3y=Q+&j-*heGX9j>i9#+ovzD8Gwr?Yen~v{W=0n@skMj8ipifqJ$SwwV9Bd5M^$W&4Q!(~0b|b)h|#o%#^H>sTEZL;YVf)teTg%! z{w9kJ>{inxoxt&xTKhz@2Z&@3fc+hHS+iw&FKf|~kmp_oGuZdCV7@-&S6tRY!ioVf z#&FH#fHQtcuVEXzU&cZ}dr(dNnf=9mp?&o*yQE43FDSFH%fxlF+?0{EEDy7#VBNjc zTW1LhaYSP4e;^zmP~eme5O)b{3wKGv>aWRoLXy;GIW3VS^>NU$Ag8nd7LrCvhJuYm zhPuoM8qtQK_WP*7QLPp^fznZdW9IH8?%K>R4sx_Ccch3FoC?i^t?yvYD}P+RrKj9Fx|mQVgM)%LT3 zhCfZ|b3)IF#6^$w4$in=(>1mtBwnn;3cw1H=y4}sopCwSoWPQ{7ROR<`VqmPGAmx* zJr*@2IJy|g`w>;d80oMUXpSY%He|(^7*e;KC52!Q(-sRu* z?-hd#+`EaDXjTea@XqRP-Y7CvV0`m=u2j6eMEOXoh?!hTl^#kA)4>aNE`u{h^Blcf zBw8jz(P!1#tl-QL7XVjO#10`SAcuRdYE;DQ%-m-xk8)4XOK0#6V$L$PF#wZzXH)Gl zpBciPv9v%veg8%t;-=p#N)B-9CwTu--uUgRL>4vzinnSdHom5gXY$$2{;g@*xWB1; zwNYNehGZ`n4ici|y>&gNl`_&%3!gPhX0Yy7^7-p?u0&)ALUOt76cB;QfEmP3%xoJIk5Cdu0NbM$-1kF(sScR^3;7KNc69Y&&8l2sit@ zLn|1juIlk^>XCc|5UAY;L}E{=nn~%xy5JT546vrCno9+6$w~!Vr=p-o5*_Vi8)m~P zS;tslNTB8dE{6j(pW<>TP;(BKgMpe) za5)fY&66!j8bI}nX{q`s5fCL0z4O{~Boe5#VRY z#}m@<-<3bVO!yB2yd(TaKN|cD`878UKeGEc`1fSg-}38&flsG=7{4BUzr9mt5@1u6 zhPs|jBzbPduYcX%9>=dg;*UpR`*>^z5kEqIfuK+`qu(FswHN*8ZMNuk{r-J^d(!ad zd^GqO|BTOc+?+{H2jGl4SvRWOi9Ck{&@J)GwN^0;|Ma)M;MPi@3mL@ z0F%NWkAzjdXgpTi+vCQg%6ks@rvEver4aVzh5VN~Pb<2BW{eZdZ7R<-cV?qS*ys<$ zU$L0yR*D_Dt+XALo_&%B*)TmNUJjSAb!qG z0{phO+Tp+7CH%j40sl`O>R;Gd{eP8)pVKA$zW+S@E7R}?bOE2!fv6OlwH=9$>=`t7 z`s?Rn8Gz9XvI{X$qRVpK{_ygL3akGO)ICVdob-0ijWjGY|3^$iZ+{~@SNOAA`mDkJ zU?sln4(H#hJc~QzsWy4Ez2PlXo?_H?@U>5ha$|ML8LG-TM-YkcErp7OX8y8@3wua9 zxolbGuY&${JZEJc@6QHrgHEux0w+r{vYa?cwXwD>k9y|ZJ|n@rNbE9n#^t>n(t zAybMnE>E=8=*nV8dP!Q$9-20>s70YVBR055N6QLfe2lIKRtH_rTtJyqvQ9h)mnDyB zB0p0KB=0W1NC%GI3ucU2F7?m; z#pnl)q91r2{QxS6_o=WNFxE*tQB=!ATXSm(y*GpaBs4X(7kLX`Li3x|d!JoI?@1lw z=)}V7*v;*#?%M%`j5JUWwyh5bc3AN`Sf`^j60dLlq=OcAtl7C3)DXOvBY~8UOdYKs zi$z`#y{W`*hiSEcofFtZ$C;gqp0ua?$)#@2SW?;z3QYEnW#3xb{(&3!{SHfrTD>7Z<*oI_NeLA*+mC<7l}V0yhAx6%k|!BS|LMNeU>pw z@z!kAsYRDe!pfR{$-`=zb|}4v*e^(b3f67mi}q>=Cp5b#S1>K;6i5z%P)hYF-c(?= zb~F18Qu~-ABOso}IQpD9y^bo2J5@Og9bSh4Lwn9N_7z&H$Y`gGE*7?q^>tcK89_Kw zBMeryt<_W=8@!H_@A5w~Rwu00XiU2Ep0PyfbInpx^mMZ4n1jjV6r`PC=P%D?=kL0T0&3?L;21@B zCEW3)LVJFEN6}GNPzz)^R+y!0iT_+;pV3m38%_8ljJ0v1(C2DC!sZTwvP*pqIS|H4 z`Cje>mWi;Kvpal43He@d#xm|iSQc;n@#2hCafvrcHv zCs;39p)Wli>G<^ZJJwb-DoJQDvypk9Z;KB#TnWwK`w>sJ+lXp^rVebWBcFCVgT9 z^|G|S*3hpiLy|95cL(vh-r7)tP~Y=u;dY9$MieE_Nm!C5tEq=s2rg!<&;8c690J0&;Qe*n3u z61joWR1{Q++>Gr=ZYrQe(3)DnD+y%DKC}~>$Gajl$HR37Ee_W8qt4cv;PDitQJvc< z4M@~ZX-K|Hlt#Ar=_xm>BR>j4oX-aDX}4?bp7xVWzSA;3gy72Zras5g{U~iHTiVJt zeZ%`7jgKws055}&{S5G0Z|IbdJ&MU%n)l7%V-G(|p7T%OWADaWi_gc_F6`bpE1PaT z@=yl97~PKlI50Siqlm<>?NG91Tz;t5Pow1I%e0<-kZ|y`-w%}Uyu}yF49{ars~nf?+2fZTDEy%F0+{An>nC@S(B?X zEgr$-s@k3?GLBY0{Bm=5uT^@GsG{P^?DJ%%U_mIRop$cJhhyE@=0CZ+VfI12jfUax zov{Mr&v2=cLMH!5Izp!HjsH^nCO@Oo(_dO>EU;PjPrF^>$5k1L?R0xaiLde#yV}ZS zzx*Wd{(Uu);JUv`$qF2g;NAAzr`0i`k-od~fmNYvz0Fb)L>HBQDeX_ZBmOqc7|8OY zzmJBJzhp&9qgMt>&Uv~^(dy<7c`{IPg7TawT5Ut6_<^ET2YfXC1xJl!=HgeVdret5 z9%70eXoI@qYw>c^zR857?(rsTNQ$k#n+AvG_wL3Lr--FXGCtj5KK0;}w`9JCivBYy z0r}L{IE>ZF49+o)DPlvG^HVZ{FSoY$;*eve#0)u%aR`kZiPQD#LZd*h`=!=FfNOok z+T*0hLwKGZkH#4eBNO;&!*U7@=yX`R(S+9PLCKH_S>XmNcZZ|LtjN3ihnbl&#-;fw zjf<1GGZ!^>mR4RP@?M)Td+4Q9t77KggncK7ycKk7yMK8*AQzYc2`;I9QSHf+pR5_> z+}ZXq%NK;p7KEdR+G;K|5l047tJE;rv6!e~y4a2XMA`hr)u+0b|3s)enJ|Anax?PS zp}j}rmrFa!>f7h0nR0gYWHEmH=!M~%+?WBHF}X%og+}5oKQ($Qq|SvnwEi(A-&diT zaM=6O?oQ!PkF<#u%F38;EXY!ljp!>gsI;Q&8x85C85>}k=MBl3(zJaslNg3eu)e$n zLm$Kc#z*!I#dAIbC(A*`&*Y#t$iZ!ioXaiv%aJyu<4`Q;0(goXPJdsJLrg9y?*fb6 zL3?jA!UOzQhrK%ms?I~a>7qKbj$6M_IOMhW^KAvGT$vQz#I3+P#nEsH_8pk@ChCgR6mwD~g7|Kx z$i~(&W<13Bb82$8x91VMzk89oex`eN*35}#2V%<_wh`~}?2}9+$g{I&R-BzPbNt!e zIJTW60OZ*xH+a2ycS_i7T{27y-9d+gGj2lR71HLD5dhJ6pdvx*p;6vi{a|~6CxLyf ziR0r#fPT4F8}Fh9E|)6UR|(5u?+QR;ai1|>>G^ByA51&(H@y$D`rHowrq2!q2vd+h zq97C>Hrnif)+zCEF(OVun}r#U6fxeGzjeb|>kXrmb4iGGLhp_~_ESmasP{>dKBJjr z%u=>`Uz~HSEfU!A566f=#M|ffA+r@Ji4oE0$B5_`irp}pO=&8pMAWaHP$UOZdizsG z-x&Rl{FUjjLHvf?`0&wg0w>KTV8m&?YvBZskMM#yU{h}tRy+UGZ;)Y6j(O96eyr`d z2rsFmi%9Aa(E$UzD$@skmTSqvNMg{5t%_nY=qHb#j6e|~6DEQ%EeaCBMIj=%bhlgW zs{j9o@uT7KkBlEbCTS*q+{+n;e;Pl+Wd4Wnqc^4hH{-|3$2#K2e~lpCQpX5DDg2m6 z($4VX9_q$+(yz&{Mh>BzknZqBy*?uL5vwy?gaXA;4dE)KL|K; zCrTE1vp=nGSM);>qW%iVOk&WBI(32{N?J$K4+=Q50XgKu@I(% z^m;^$nR4M&dQB?s_JUoHz$_cTp**jt+{Bn^-|zT`)~7=73%+Pr*D+v(G@KeW_!auI z!LJD^{5mcMOe(4H>kN`+;#cF*e*wQ@WbPEdCV*d5?gadL=+Un6%d(^Fq%-JdcZ|7yGw zGhW5r{;PeWJZtXQ=r1<$?U+!7+%C3n+4g6!vP$`PVl$h$SYEKai}5pFj!b+J?D^pM zGb4fx2?wq!59eRw5Zw_U(`*Lj4Im3->T zL;qyKwI2F2#>T`)QoJvIQz_jP5f(<&9tQ>`+I2dp6>E_0eY#uLe1`rIDTl*|9HtZw>WZhH3o1GA6ay5~EC zcmMm@H+**Qh~KTcXX~G*UVHlI`%S#!{QD<#`}wz?4;_Bw)o8yv`hUM?pXDuI`KR!= zT)ptWgTEL2;Y0BEG$r^T{5|iyF7Y?Wr>^k#Z@>R<$KRU)nTfx%O1i|~D@poM@iz>Z z|1D@1sQ4QL%>Nnu{fFfD9#%ffg(;X6%&)Bl4Y|y+m$~-xsJS>}V6+t{w1c{X^(Cz@ zV`qb{=m*itgkx)QOPHY%lBr$8jf167%)L$FPif=5E!4k}EU2_gz_z14F}ei=*DhXadz z1yN6E71K3y3zS&#yzSSdjHI;d-t2_ScTwJ@Bx zVG3oK_^XZ|f7MjRh&kK5FO$XZJzU3a@|OJp?+k$*;gWYvrwygkhSF&!5JS_@a_UUo zOnrmXUD(RxSbo~iBN};({g;1SCHC5{{CfEMtp!(fD$+`O_Bcs9Q+Yf{mJbtUyHbg{ ziE(4%aSaJF_!M6TpVE~KK80GGpQ^AKwPW57e&1<@l{AZ_@u8FA!>b7j8GnpIf=go2 zC%C41-tdnA_>k%k9b|N08`$0Kvn~c>zo*~a+c5^A_67!-hN8Cg?r!^XJEWp;Id<^f# zp-eWrxZNiQ6<)dwMA*4BsoBjrBu>?DO24)Gd;9~f9W>25))Zb8|GICt~|Gxj1^1!(;Q=<;t-6;oG9zz+`MkoPayX zb7D(w-LBInB$5@=SSNw?q%l$2rnB0yE#CLKA8ree8&S?tM^#2fCnUf{zL0H6&9&DbK4z~!t2fuFUoFM)-WLn`xrTOQiOL;P z-@!ojHLOHzfBj;Dx{hJWI7@HjFE{a|V9Wa~JzQ6$E;idx8@$hdoGzKR@D)Cb^hOuA z)o={-5ahfqqU1QM16RL~r=o*7lY24$a3WSwlxzLDE=_(0NM;gZz=w}kdG|1rFt*zS zmps(nr1t0GYBLXIkfYYO@RXX373(#ZG!?tA=Z0yxz)r(I$PVI);fVoMW^0Zc;4Bvo zDx(W(v0`F6w$mqaj=H#gK3;5LG-4{(*?e58`FJKRY*P!}zykagp4J`9Z#x(FFdNKV zY+x=n1ZRGnsbl8i5N^WpIc9Jw1`TH}p3fWKF*qj2mDKfWCgXDYk5NWWW|9;}Vt@B8 z{3($cV_P&M3s0JSu4ZI^Gb2;fRK_m1qR?M#a{$Q3u zWYJf>Ex49W<}%9Z5xH?zm_vMKXOaG@x2+`h81%py7s1S6dJ4Z1gf`O*-5z9if3rzQ zMgxkSX$ypo8Hrh4m2MH~GT$cV`0iyl`?TPQ~EF*p@V41Tegw}@5cReQr4Sfx)XpW_=e7$-?R4!C7Ib~{oga!KA81?k57l^?5XE1gF0_dv;CYR zH?#M&*cT~^Q@3ZAePP!BJ?ZtoQRI&GU&fBC{{!|o(;DZJlu3ls=+u0rj8Rv#)0-=rfJfccyJLr9%>>ZbSjA$PM0`i%RTp92?an`SaF4q{F zoX5P+{SaM<8B-lIQ2H?R(bIL@7_7&P*^11`U${@c-|x5$2T8-qztW{(1MAYGIPNG*y2^O|td(mw<*-Gis(&391O+yx;!7nEqyi zgm^56|7zhwJN4_J5y%or<*)tPfggjc;vT6Sq2lzEOwpD+lb2;}$s#U3J2M(~W^>Br ze7l#h!zr0!qv2(yt8&&;m!Uc4?TrSXH)&{7^kmaq`(WtFrpI{D+OVnK-pt$7Y(KZt zlT9u5MLRv&w9CFQ^kh?-o-Fj~iB6J0Px@|xmzzsc+4+A|pVCYE`_}mnn+4~C`quE7;!fQ^?NHlX4@m_!MDnB-v`{Ob61>+^K z|4Ju*?=J@;s7z=T+zV}AYlWVF7bvx(~yVW8QetH44%?S{Q19=FzsD23e0-P-_p4`cw z=jLw^2$-N<;r&}Ul7fG4H`eUZx>r=j{+6)bEsg|U59i}0{fVM_)mo|f0=#;2zZLg` z@@#|oSuMFzE?#QG`Rh{;wU)Dxo6~2enx1N#D*N41Cm#;{jYx3bd!;xdK?jo;p~m^k zLcym9F7P%@#FcC$_BtsRlj3!!;oZDSJibrca;!}wzopnMskdF!=T(j+lCHT_b!%wN zbFy(j?DWJ7t6Q?q?emTsSm8w1bH23E&EM?IuT9k>&_rnqF!3*TvJLyQG#p)(<(8}o z_n`|9Il+1RbE(-tH(Oj^PZ&?#l{(S2sA-Nm`D??*g@uOS#jmVU&EOA7XTRLwydN$tj#g3JbSn<9axNWRpNAbmKt$eBj>7#y7s4E@zQg!jy|c+--?8#jBlDa7e% z!?o(!RE1{=bdkUUH-A%Q@Tu3r4R01BJLt#~3c)2fQ_EAml}K?K#)6FpFb#VO4~$#r z%oNO6HgZPf_2I{U#cjdan6VpaJ4Hh~*IW|dM@u2ABuMD>nu}FUw z&O@L)vJzN)kQwkQXmyP1W`o6U|CgNS$>?J-?#VT8N|xw6P@mlzgy1~RZ8UfTt($VD zOK(>bCw24+dJx#_ypSRV;rzYM`4drHoHdb-3>*#9a3^(H9?l1mlV(ORjqnMx*3tYl zQ!Bve(*KQa{}pck<&plJbAsAIk(!`L95o0Bk{TF`=4J-40{8uQX<`CiimDpjibNDN zzWd)c*w|<=_)SCQz_5DrehsQ>H?Y>t-)OMXA{k%3@cy?=%Em}wT_m5Qv%*<G@SOb`|KkDvVvK8`up} zg9Ps(85W}`cA{$#i5G%gt&qwEVM9dsg!4BLN^2S}q8MQC)GhH;9fYr3x6fipyuo=( zNWX#wB+oftq!Mxm5*7+e@^s`hMJ)GcqF+<+sRq$XEh3_TF%;D+BYplZJb`E#YUu_x zyZNh*Ba89}XvyLVQ9_;j3(h;t2Kl^$rEdSGOoU200RnmK5?KtFY!3H%-;KRV^NxU0 zt&qjPJNXOc%c|jBkwy8QTO*92L9ge63x@XL@bZ4UQfg&0WYH3qNdHBaAjlc6#za)A zH-uc&4pN#y7MaXi9W9j=m^5Kbk*Z9>2!IZRk)>0}VNl0k$RUjQjPF1gMZ5&rF@({; znBx=1Hw`L+{GL3(TiR%8Vx3P7U-4<2weur7Z_w@Hq?vk#x{oc zgV!A7X@~?GBKhohfWN$1*co|5M`I|2I$VqED`4TvtVf1?sWcHul`e87s;XzzF``v= zD_AP8tPn}G)B-66NXZ7L z&nh?s5r9Zw8OviPYBm56bly^I)EI8bE~gKIIFogm<`2lTZJ+}wN|DBi?WB=_3qEOF zY?1zLHy;YM+<}9UIgkFb!u{cvgyT>}ys?Wf0G|z2+-azy)Bkmx@;T2^b)PV9rq9DA z&5DO23cY}8)aRv{w%TxxRzIBHDo}Y*lxG~DqJp~ zYR>q>`XNh=0nEQ&34Gdp+$UnscJp!XY~E!btU zF=;FZNngU9g0JFm&BRcn#Y!?8EHbWArz;7_xLUoWazSKJ59XNo5#eczj^{ApCrx+z z)DzbMnH(mr8hWd5g7Y?%ip;rzW#Rl|6~U)o5|%_bw<+KLkHmJ<(W^)g0p6D9l)UaRE(Wu}qG}jJ5XTJ7ayNfnCVn;s zpMnSiFMywm^^nd(;gXjl!VEKfRC5QowZqLnlwONj)g%}+cu+Y{^q^rUq;oB4S?dkk z%wnB^avM0~%xG&(2$yUR_c@?Ae8G7whA{}!JNd6#kI*8WtkHo6RRu^ZxrhB+66yc< z2r&uz!|y|y-eS!Fg$T_AU4e&tOK4!R14SgBAPPCdWWGk0z^2lGMvAM zSR|RKz`DLjM?63UJefAqbH_+;R$aGbuXC0dE{F`MK$sVU3Tv3Gd)@psnW(TZ_!Qw5 zwTc37bvU}3(K;IG(_nYPwTiZa3Wt%*!p}1D647Lp6 zkM*b7uA)c7eRjLC6*Q0RWDG;Y^6Ad~;JkWe1wdDXg_RO_upwa>5mqAoiBO?s1Qy54 z#Fs~;hMeaVD(Lt%j8 z_+YFh^2~7WgE&}>KniRI>DSRYn;2okd(lUc{Dw}61906wYa+2-fIL8YOB~>82O7RA zwZs^VkPy1q&0imG7eZYlg!(9f;RCZbwjmO0jg%aY^x+7txN%{{PBTmMmwf+@J8MA8%+#IhhZI?(3y zXXoe@A9^N>WipFZwLBE-5hzGz0}LEvU&3UhcqY4^9fK_fBU$-K5?B$=C-NT{Oe30f7IjKW z9nvmpiZ>K570$0W#rZ-d;LvH%*>J&3YotNtfG`+G7Et>lM^H8&sd4BwSaSb&M~Z1q~wr$mfdIy2i^+{%>oO;nWQNk zfHWBfABBY0_$lE&o{N8$;Jh_v4bk!132wGTO5}uc-8s5LJ%Sq_-R0`8Sj$Qz@Qz*- zMgp4=FrDWuMHVZCuZ|2>iq;=ubdGUtGptm&|IRRN$slILvQnp(;K+7?(+8)LrDD3o|OP%SsopEc5~g$6a#+7{MdC><#q4C27R!6!i` zktoFpaV!85E!CQsW|NThaZxyM#LXuZ2rDVf5Slhf@Ddkoqd_1MPLngRKawv(ZPrPv z3#oSz1B5{a71yM&FheP~HiKmfNc2r>%()Eiz;T|C_9oxsg8aS$VUW94m~xS<>M4 zdELp@m>Io5V7G)x7qJgjKs!}LJ4VT@tw<2!cUPk&TNCL6MxS4pFS+Z(~y4TT#M>~-lH!uiOHTS0~G z{vxZo_SZU8|rH4#s1h7Xz4paC2% z{I9rOhEd4GG=|kqt+@~;yB-=ER;X|Aw9SS%VpjnH1HYh3CN>?T-(r|HG2P}1NCufR zXlfNBtDiC46CpVwH5XKm4t2n!Tbswy1V8_r)9dJp2 zWR$gfF;Mn+3^V5K^VXG4d&8o@8_0ZrSFbVTOANzh6;RUomMnDp;57y&6*W%aP4`48 zZf#hlNvnj~BGQL(Tn2QMP>i~!yTuw!a%v2-1zM#>{b3(i-X*nPSD z?1j#3Lmk_g$vm4tt0jBT`{J$w1dtvUG;5d2!ht<$s^aADch4U~v(JLsMbsLYC*&eS z_YO;RGz3jB;M2fGNo`u3-M~ILH7T|G!&@IgA>l+p8n)V-acv?DVSSw9uaD3lxuw#} z=d2b|95cMNS;|l@m{k-aWb{|0dejQ+T5f5%BxeXhEtm;HA;uZ04_3@BnQ6`LT%|x| zqM2bdW}qcZuHb?auz#Q?bO>riPNO3R8;nEoVT?Y60f<6gyM$Zn#gg!>hUG6>f&O!d{4_gaZ@{&`#vS zfqL{7Tf+@+6-P?mGf3|ku?+-7>Vu8bdRi)ZqPOk_>aI$6M#d<1v!AnF%4)8+W8M6h zP<%W2FCE7uqQ2Nfm5*7ZW*3u5!Si9Hlq5Q{%zcT&E+n*Mzxbm*FyWG*$woY@4%0z{ zFd9B0Jtq*C#C)L5U}CuEqc3w2h@42^4a;k6uow2E*1&b3^^3$d(9Dgjx~MP2XQH-X zZfI$bu<{_#BnGfY*8MCjVa`fPfiPfT@RCeCgp}@*dSk5r($YywZ4I}jWtOGcP+l;N z#L|(A6gQjo_I;#5Lsr3M@Lbvpmn4%|fQ`t?UcyQzA4mL9URHC+osmRXy6qe?OEB!~ zDxbWzud*Vp#xq?zxs`UOSroH4Q!c?TBD9h9k;bn>L`_11kA?GhgBwQM4=-f|5=@x# zptua&CQ_k@3ml8&FRF-b%vANhqPdvsoMozsP$Jf57r<8<1zgE`2VSW3|6%X#!>hXP zJ710gTg2E$ig7H(ZX-R>z11mpD_SQdt=ouLqYJ;!%!E!d3DbB8iC=QWn*^6F0}NQ! zTrprdrA}PHfQk6)WfoB>xOhg~Smp%@Ry4N2fHy}Z)fn*Wrl$5e9~e3?w&`OA4w13n zuYf;GFUQ)3HsYr!gopx#{6X(KfCFdv&(>^Nd%3WTFE3%h%b@x2X_z{muiJ7H-YZ$z zX{cyPEHmT`as{2~=1Rm#8`MdY8f=0k>78d^+~u*|LgdSAbDFAd$k#4s#XllM;*-y2D|V-U0--rt zCn%qe!6BeaC^K3DCRI3PH8ZrXe#Vl1=NOgE^<_?p|2jbq{@WxgV*~uxui6u^UzS;^ z4reR2Cu@#?48(17o>lyv7BZKuB8vZY5Ou$!9oRQ;tip!zhIkd{Wbc^nOkQtz6?;m_ z4iopfZ@MtD6a?rb-v?BPMhk$XOP0uDY|1G~B?IammDX%V)^7Jsr@~_4!8TEfH+zGr zXcz|2LQxa$*A+I?lC@$ zo~rm=x9m_qQ!Y(;g>b-$SYcKhXma!*T4Qd2Y?$FPGGj+<#cq}4ZeS;3Bre%$AnTZ+ zG(<596AJ;Z68>xbNqrU>L-l3^b_3vGOgM(lCLP0s9ds^t+>ZeitXp1cY`s~0+3{x{ zq$7c`J!Ar?XAGDt+$=E8vdX}rXMhekuQL|RMxe9>MG1T{looa>!&Gc4ZXi}Dt<3-Vmxw?JR=^pqFD-$1Bd0)lx_A9qdVHo1h4M zoQyjPGQfAn;A=K;YA;OpgfZQlJ}hkodI{4V0aPu+2x{rTR=NZ0RVhFvID5eu6mTkt zX}c2XV(|_JoDbSp+G-iO6#8WO4n{A*50dFLSXTcDw`zhvum#rpVt}x%yMR7SfOLd( z=GNGRLgZoCX~cSWmg+SxXwS^b_>5+b%ZW9xMB!D)NRWDq*#sy?c$%h>YEjqU3bhMUc>4;yhlvVF)w&qO zE}8_QY>bd0NR65{0sYJD%%Uh4_1!nn9xzgk(RV4!2ZM>&ElVstZYXBAPTwsFInieD zT1N{xIbrN}SXMrUyv^ymtkiiv7_c*Ti)di%_Pl7OCcb8~>AO4DUIS_g4(5*4cdwfi zbKC212mt^PJ-2A^TEr{FHxt!aPNPQPa*4hxo3C+OyH>7i)d*w8Z2_50j@w3Bt!Fkj zlp3e+!iSx?1YQpLih1p*cx4fLB#=>y&_YwjuvhxnvSJKTw8f2>9%2#~Kfc^pz~O`0QDWP0?MCK%nR&ht0#>n@C z(EAw-CEZ44q{-~yeOQc(x~?kLCv+D%Sm02R6Oac(nh78ng0L;FVSMhFkEgd zp%;nOTrmF)REc3&>^Vu8 zxQU=3+nI$P$6}o>FWIpL54>bY%*r-@@O23+K4cSFQYPh67)O=_iy(rB>%0t3e`nCC zf^;hqirNUK+s+en1){{mV6G|zNDCAK)UqjTBMO3gEvPt~P5siV*p>jj1UA_?WYc+- z&d^7krHA7quvTof8%lwm&Ey$`pE*%fYq=3LlO$1U<&mYOm9N4dnrOBj%oBad;i8Ag zIajVek4P8cqohgu>GomOXtwQyBW+SNfI?iP&6pEq7kqX-(=Fxp5PEKqn*g7^@meXk zj?YS25^RX)3g!$O;IlnisaO^*A&P*Qlig5D;f(++)SC%@!oI-BVXxz}*@}XxCa`i4 z0@b9?<1UlKVxpN%4QEl{rQ!ml^d*Kb1y^fr9D3Kg@L8-~ieebUXZO5=&+cM2)&XgF zC}dTBsf5o;wUxUoy>csjQwCVn-!rDzZY|}r+i|ezP1uyt>2@-ga>SeCp43`7;^DIj zGy_=Svk)i6NZ^P+H-_}`=18gT7U05V;oG9SS}Es--+uv@-DX_27mR?w7R1Hmf{&D1 zqE|0)!}Eps7!4>g13?vVK_btvI)~7vUi4+RKg00hsut4(NkqA}fGB+9#$|(=9od>4 zYkyau2&I|p@;5PvOv3H{QDn1-yBeH0YlP#k#w8^z=}LVFeH>G{K;PI5Nl!u{!9%5K%E!Nx6gNS%p!_dtkwn37-YCIJKMak>{w~h=hU)>;23I zzv=}g`LY1FVyyQ!wLF%3V zf)a0tQ%zo$y(ufYtzVrL5Mr zzJ`u~JdTbmcYK1iY)N<;L$kGosXBgZD-MZ?HB-k%<8U>{rrycscul0^MQ&dKPejrT z=vZtqI02|*xi$n-X&W?zCNXtmF?tU68__I#W_fLS#A=%yt2G@q(Y74}<~e{`24s6T zeWOd{O_b!kD5Y6R;emiP%r{}REhVfLUSRALy^$CyOqB^ZudLPUJy@%Tqe=%AUBUR3 z#)fsa6~sloCE5%7853xwwaBR3w0h`1pa`gyT!4t&` zvnvNZ#;n{p@lGMtTsdkykjl9m24@t8RSa|xByGQfjd zN*QyxK^8n1k|@iJAq)I=z12~beLVDRxn~nvEn9;Lc(&5 z4bc-^RdHhj{B{c{ElB6UMIwr`RmeFCCRW}Badl`(nLXwclfqkW0Rg4K#A7oriVAPR z@!=PIMH0u+E~lWdJ1z)^yO_31z>703E81m8#D>hcyv4NL5vT29x!#a%Kg<}V?OLdd zuN86D5FvuE*m#RA$JZzuZI2n3iHO^JF>P1%Ta{Fw8on)eJ=PMrC<+jxSl?A!nmGgw z!ir8|@B~JizT0nR5GVhmB}0_vFkf7&1~BZJj30m!x^JTII%4JYU9JE*PAjH|gAq3d zf~4=31ep^OX!@?a;a#kgnU@oNcU!iiMBgQ(zNqgaPXQ|@(09$XuZZ(^=(}bKgAZ$e z(5e^kZi-WpWgWaTZ{ZDfV71xD=)1=lme`qWZ6;&G{)xsSO$XDDSwfTwL%38NK!R{B zF~9(Yg(4h8u_L%vT>y!=@R)#d>=s7|buz)9+=dgpZ-^B^@E@!4&LgG?Eu)y2fYcvM z#oaAgAC;G~{)(6(0zf|-aIrZ>`>;{b$fHf)dx6{2vMtvTWxG!XwK4iGR>oN0bu`_g zK>9DBECp@+waU;QAadN=#QT_$dV-a?W^S_^9Di{RSD;P1m~}d;VKC^7z@khJ3}ZeF zK=F9Yhpjsk0AoH}q9Su2e3PjcNNP;tv|?>yfW}#|;-TEef#`XlIM#4^#Ja^tg8hjr z&QfFET{$_dQ>4p$r14^>W$^mfsxJ}i!xIGY^f4WJwT+ZU9$cU@MI40mu^c=mIWOr?h?$_i_MF<>N;f?mo-P?AhM zVyZOd!PF<5JGp9i0Bf3SrgD6l0+KAz4IL{Z31WSz3PO~XbF5`fWvftPWv|(1U?hVw z%$R^dwP41mGio_4S@}RhFTSf&FRvg-O)_DE8v-}t%a|tASv3_$sy3KX`SG3G1bkVGP65NbN7HxnAO?7&b6+)PVeu@nn zfEz%^v=oNRH3@tMW3X%U)WKOrft?@6t^m9!xJIilq^2dhjio}$#%HlbMfj7A!a3`n z%T}% zGl`nnVn#%iMj}un{lJkzTgg#Oox;J@fLXlU5Fh}iKVi56G;)7Jfuf_13lb{Etw0H~ z6QTlCjK{{h?WF67RvGUH(h^cSDuG!2Nqez}f1%3;w7`$+%owxywFCqnA8Rt?DMJC` zg60qu1mQE8Li?cXmZ7HUOlOGvuarS`9?g zG#ELkX<=HlKx~OMXfn3mrqw9#u!8hG{MRMQz5?nI7UJNs*ZC@?{7B;;0w0FKhmB)Y z8pY~mkoU;{N99jKR7*Aew-Qa?Ja?txGO_1wi*wmU5xTql3baOoRM9b%39Uff;}BF> z3z!#Zjn9FLigVq8<*cf$61ndu=?PY z+d+mTkf998E(O;ZUEM7e1+&jx%!2qT7Pu64zpbSd7E*4}VV3Wxq@B}#W(Y+h$<#Q> z+>@!XD`CMVo+?uVq>l140ERBKVgM}8)Nr1bk`S04m#J|M6)4+&RMtX1@s|js&*Qb$ zZg=1fD?h}_V{JwkH_{B63ofvVF138eh^{e-JToE$UjZ_iQnFt5zZ$qQe6L??U#_*6 zwjp0jAGbw>1UiFnpZn}F30>0Qiqf~QaG1GLmRP3Y82F0o1S^*dLKNYmg$d z&h87$Iz-N@LMMQZfV7{%qdf_kjLeRWr-lF`PLg`rBS$VaT*t|ae#J2{v?P8@X0DbU zmv}*>XQhC9S($Srp6qi!>oMt)W5guBV!e$`0au2%*~%4%z4p)aNm_}hJ`3^J$da|h zU=y2xY~v)#qCXmjTa+k`iPq_1BuY`Xcatb#zFaFxl*ZIu>=(2VU7a2`8Y6bTzF#j< zntl%4k72>tR2=>V{kuS-Bs&j-brf1Hzm_D*%}A8Rx)@3L7p5K36rBc9B2hx`BvGQK zzgSA|BvHEXFDFqR`=4H-JSnG~MPrYR|AK5IkST^7p=NGwj5PQl9VT*=il8=N)h68U$vW3qBxxjRnb%k{`+ z^ip>rJx22+yAk3obuctv4e@D(fbCBLNPQLai2am=0v^X}Ozn*0>7Ov^*eX-6%BvEz zpJg>RB0Rn=*EC{Ww&J7qb}F$LNnvDsuyTv{&V+JXjM z$n_YfBuV0I@yJV13^SvCRY}g%Mj);m{+g|LnO>vBP#{9q^4AQJT*VDMjd`>mso@aB zYS{rF+l;Ruy>#(-+R!l-y7D?O$e;5%7F-t85PsoZnXNhPb$C-ur2?#-zH4HKgBI2n zD%303K?p^EFmQ8(%_KE=ZQ|&2R19*6y$31ZAdxYn>R_6>kOC$i$OY=Y*%TSNyNj|c zviks&P&qSe8r_J9HncD5E($FYoffI619mm#ky+puidd~S3d;Op{W=~!S?weY!UhA> zI6Y{rL)w+mRfd4k9I7M34SKli8p#1dyt7Df>q`hO=1`lmigl{4i*v@Oa4q3`_2{nz z7CCLaDk?!7Fi0Xhp_IImM#?a@nGKA0)|1AifU;_@SWZJW8ND^Addt*B;vtj@ zLO~eOI;556;41M>44r-U)`(MbY@CvdExOprMf2*V-t>zqm0xiTP0p{_<<-zH;W)}^ zL;E5oBZ}LQEHD2#;F+y~LU(%^1vh$CeVTZQt%{CKh=zi$7b&3Rsl*l8Ct(`ztF(xz zve#Z4C;DttJPX0``XPzYoO*e_PWe1aFYTq6^?e)lhlq9VR9z5Ce#}qb+cQ7C?~1zB zD(L>`rl{jp} z%98If?K_tLyvP^lY?+VnyT&94DQwOD~w!dr$6c@e% zA5GAh8(}f`%A&24QDHegW0}^}3=OQl(+Tad<&JrCN2~4tcBYG0j3pG!_9XowXd}A7 zl@MbhK`XDvq~Y2a$~A@-dWbMvfU8;Tw7YoF1|_i8S+hh*>vd9*xD?#SB3_88;5VT!*NS41O)yaihCG>#zL-#)q83#~A`uN% zq_nhBy^@FlB%@7Ax(zb2)CzwsTxK&6tm+Xmt>Jl(HAWq@NCHEXjbttp$2g6Z87@Pk zDX2J{#b8BJS}|b2gd@vBvw9XU@pUA0TaMa3a8p66TTA2j&WMl06Jc~w3OG-^&UlWG z30rkk>jIa>>#}(-5=EJt1<^^2!kvf1g1Q?bVEQ2@iwf;Be#-9h7R!qjj;J&=^)kf? zz^-_|XCPy$z#OH0lYr!)=%n!ilhwIV{sBRei9q(UJ`$8nU^2LD7P#eEZ3n%0&J!7l zx4>KMwiexHD<~X5sK;}mPBAm|nhpvA0GS$rZOqQ+>4_EAv5mJn>S>W4TVMcOl

zlK3JS&(Cetk_~A(Xial>{3h^v4lt&N-$QMkbKZ0jDRq$#~r8T zV6IMMrlAUf6%LYf?}QGksTP36Br%V9lExyqhRWiAQ`+U$`Z2Ic|R20w&m6D?I!Zld97;>eI!f@q?3E06YygZVo z2sWZ)((qE-#Cy8u`|10zEy1J2nvgtW2K2puJ%2u^Ia1_75+UA=0g1;HE+rRWu!g+^ zj?|>6o&4s{$809>03u=GJ%2QDTq6s;WP_^G7OUCbJ*J#(gWIok&TKZv=;70~i%C(; z^*VmfljGkpeXrwz%c4UgpB)ce866st?|1+y6EhWeYZ|%Ri!Qgi!`q_6&>h|x9g1#p z^Ih@7!X>Zc-|VzruJE~ze{-c>?Qj8y-_=d-YKzzL_bYYSC0BubHXRk7B9(z@uj6)x zY;8F2?TpvjO|%)TyMHbRjMOev(`J~~h9%$57_D7Tn*q89rh6TK=SIghe5M_L=LTnY zmU$msVuJ&<%Ds*yZe)ld99Men{Q>2atAm`(fjJjNALO2{ZDssH4waTPB*0S1{shUO zdbb~Jn(>Jlv;T5jVIm7o!SrfZD!Fj!)vQ%+F?8u%;jJlZKdUi;uZ2MlS#+(Y7X6+X zpDkJO`L_Sx4A#5twFMU}_Io_#PKlCs+`_b3n`yg+X|p!dc1xs5U}5EeX|oGV+bv9+ zwVAeCm^N!OZMQIOurPXM+P?0ljcb#cwy(Qsvpbo#uar#NSH@18rYp#yY5VO6?-$Nc z;p>4u{1j+k7``f*mc!OAPRsKgGJy-?If?6`kE!3h;4*F!ZxH`yVa7?GYu{7&-sjxL zkr@bPnm_gW)1W_1`qQjGEi;}~3H@hygvE4=Ds89Se>x7M8N7=94cI8fUvlmh?n<|P z8boDdk;`X%anrV&ZhY|Y;QvYeia=5zrT{6?fJ?L0&e>V`msyy=-F;8d!9F^8c*3;& zV5OhCb%J!CuEO~AnhE1u4_@Z&X78F5=f{iAb{*sVl&kFgF=U*HY#q^dsN9>hjyo>7 z*ppsvg07|B@pRjv6xWvF^*bB@CtSzwQd9JK2N)gt*hZZ{pY`wo#3rg%P;cdD zdeiyyi*d&7CeI?M=}!{QFu2QrM&%XreWq}0MzJ^3`huE5pufl^QE1FGa{31Y{Y5o) zcDP^~S+>XZw|%oWjp*coU>b=>ao|&|qB=LQ9@3ntu(qgn+m~x6k9%m=yTPEBb3#;; z8k+Ma0lKhy#wVdsfA(H_f<{d{F5Ren;A#Q|(sj;*ZWyA2Ja;>s;hQp)tI9!b186)1nKfKLiff6for&@nX z2!&CwAa}25nM>mdaxP3Fz2;+6(ra$HBE9BIm!{Wz;#x2k1eN44v8{iCH>nq7yR_}# zCEg_L48xasAV==%DJY^Iy|p}BZi5&otoy7!@ai*FDdsep=q4R#A~l|dbRCpRQ{JjG zbuK?EUFUdFI)le5oq8eapxU>nJWANWA=cQXTHuTl59rBcLuqKmPHTp zb@00(5y1wT`Q+t(vG9){*JozuT$FHi^|P%+_PUD`t}NUGtM(8da^vqC)uQhSP~7Yf ziVxi6=;UzQtDN2Rjprxbd4_+gYY`WBMzf)!sBJKV+Nl94I_GnHwXVsxJJsj>h0r zL*Z^aw?T+POpclE5a7wnN_Z~(_V{3Ba_{xUdylsr5k&X$f326B+~Q5bIjg}<%r%|& zPW9DnX*==J_Dwb0C!z13@OBR9D+toaO@0`w;zWqZWN9SnjAKVSmbFaBz0BnN^!-aG zkGRI;lO;DnTqY|{72+}(TE(5tSdq>+y3VRRUfXF;JnHOIt5WHuS8->=xxJ}T#rk3r zuXN+KKEQwy2B>RRE^g{lm*^oLJ~3wDrA7~!UrFiCZaLCXifejG{XoaOsgA!q!+6Gd zRmY{|3XSD#ddji&GoEc=!b#XV(k8i^LmI;YIQEMkc@iaTo&0%pm8gu5hN@_nUE`b* zh$gr-R{YMvrfeeYWoBL>UA%_iJ{L?O$nW8mGaozu&~0MNDD5U1)(d?xOO42!2hGtM z7+V&Xv__{IaOJJ<(PwO^W^O)Kdgt_0X2o1MJ;uIR9 zI7QxWLnare5TYTl8j6)CuSmCzXvv}HjC|p>e%rZg(_i~1K6dcKrRWAfeYcM){I~&G z-k$pc&-uA;Y~Z~S>1@RP!1iy>^d#iE%uq#AF9Pm(ZhqWuF5=iV5so?e6+DA|T;w7b zAauqfglK!&4a82NGGW^9p=T;0;7auOn?h!@9p|B1#fM?x#J>%QTy%G@^$Yr}jKLE1rciucOK%0l4E+T;u0IaE&|vnrpII^hE}5$7GybN(?}B)-6sfIlI_{ z$R&huzKpprOP;yT8YG-zLXRU9>UCUaId4cG*a4BtogdD^OU+n58bvcK(7ny}EcZr& zu4m68NFn^>c{aM2K_g=FUW-e`;;G|udlpv~{#@*h+)F>Wwq>(-@e}6xC1dlvU8Pr7 zkwG%7GKsJp6K76uY7r%b$<&(q5D! z9HqAj1za2y(yve6u(sQX>lvT{c|U7)%ljz%=U{_8qcRN&r4yV5iYat~3>5rj#MtYw z#1O6*jF%?}GbFY`CQhvdYGE9=;4ZlaFiU1rJ@|gD7We6dF(^CEaEh5k+3ca$F4;y+zI;% z(7Cc5!{VlxzdQ@+q<~1mVo>z*bSwVSqhC}J(e=XrfFWQt5<->8Y3%nJ<6Zn)BA;PG zDm50G{ix$hn2xB(`uZ_tx~N7G-&e*V$Y#-&VdB+LPau*H=qcxdF>Nw z4L|JA!L$qkatdL3$IdIfGWgzL_p!-PzdETS9#lP4+a3KDa)?2$5c`a~1J$(A0^+EO z!*0NDZ1dW=yIcnI^vVtOBpZ?PSaj4Lm)lk(Th)GNwr?rPAn-bFs+H|PaRWis08neO z(Ud;2;6ai}T@(tRCu0e?^=09fGQBe0K9#F+fZ(hlCBQEYfMtUL1^32rd;(`e3Q>f7 zE?A6S-ZGN4)lpaMq&9;@k3}+Ii-y+M2brUy!_xzHWcXRUbXjdlfYf)4uL4NUGAu#& zI-t9kkVcu#tG37x(h4k;KsWwEXRRj~*90$>jU`Cw-GMZELO?3vXTSj|*6+=cX=4lT zUl#-EKVT*uCa+6H=EZ++C8M1940 z#ynir+E`ELQ@!4)U4G3;zh<{zvx{Cl=mWm%uG3tz5AJ$vx&>@POV7~S7hV?Lc3Jqz zE5pxT9sWfsyuU2`n{@c-`xNpG$Tft2gBBp>t>z>rrK*XDw?8_2jk~v!vzYR9ubS_1 z_o`Xp?o|_PQNPtRC%AjnyxiTZ=6l_}YF4>>>u64N_o_MB-K*wR?p`(DkB(3u{^_O6 zYJGUy6|87|_(`F4efZgHyZ=<{Gww6%i~C*1Qy2dt2HL;)*A4*K_!qik|KeXeP^};R z<2UL@`qNecfVpjAyGtgaB|_N{SND++3#q8P({VXI~rInCmL{`HE;rf*OAiu z8oZ7fc5f>$pv}EvN*y!oM#v)K+7uK%uI_`#8UUzNK@lZKw1s|59&Uq#w zX-E!GEEg!~qHbPQcX=VpD)cn&7DbbBP;v~cUhKW&A>Jh?in@ZVB7z`BK!FbjDIRUC z#c2*MI;9hP0tYvBP4YeSO}cn3_k3nV6++HO&hEuFZrJu6~C(c-v}k$mtAYy0Cv zMSqo4b@3H3?&==P#A?xBln{OeHzBEjl#HNkk?~<{@W>-G+c%Xa!e+X&Ra<ZF1=P?6>;jQvB8;Ikxq)}BuCpvv>=2nydNa&CGpEGYL*rA_l>n`-~sH0Ul9b4sP zTxOewsM5^o3&OLXbFtX~h61ywqRn@cszK}(g_b`x)iBvGZ-uvBzc zg-!a{YeAl5x04LDf?k7MQY+myog)`P0e9OGRTO~HaW4R(7${?uES#NmI*>`Kz#D8* zn}rDwi0gvY&Z*^%CK(nKFttj(gi$Xoy0Sn#5t=C$d)^8W?osX$LP#-iz_T8sa1n{S zF~r*d;v%rIwKfjxu#o9~12u)1Da=RQ*QDf5y}2g|8(E>_)g~A)3=9yuR}+i>WSM=6 z;=ZWqlO=#%!6ph4AzYTwLRY*=!A{KOIK^0;VjtNzCT1PxI7SWct1CiYN9TY zS~98t#*jhDADhc4=wNaWOl7)XbDHgQ5|6rHGm1FIPGr<>h-2Nz*XtQ5ZrM=ZA6F&<%s4Z-fJboj9YJ7`O?k>NwLv3r3Z&~OMiZ9Dp0FNzm`roJT0Ug?v17VM5g!X4cp0Yj6WGz?=9ZXtJOD?k}{HK`bSK^ZgV#xy;rM!g7d zpC?KZ;C2;z_zti#%BX=;i36^7!Y^<`juH)SMZySEZDi$?NGr1$WEII#k>4vM{enL$-7Ip@pwpe&xkJ!S0U}Gw zqdWlD02PXsy^uh*r@%V|UNlCP>66%e5O7hR?GfC1LqPW11i2@W?GZSOG6!TsgtWP$ zw#`$Z3blXC-zS|+NeRYd2}vmyFYpP@VLE!1EY%uJ73xtRtH)4Js6C)~Z*6r!xg%60 z2uU-$Uo*SjA82yn$30qhheLZpvMPPQz zUcmG424ov}LlOquP{JE1cpvH$;L5ICwAnwjJEUwD#0S1wC*?&mZ>Yf}4P*WMX^ECDN>li!&e8}gGgQN#UAaqaB&bqmI!9a|=i!o8`42cTaf3Lpd$~^*8v>zz4g~Q}V&VDH zbc#`_$6$`6nyFt#`ocicPX!+_EsGe`4-td;poVTm1B^;3a*)X3R8MJCuOO_KmoUw6 zihwPeTRB3Dr?0Bv4H@Dt1o)FDcAZPU#K(-1k@V!&;fG4cE{q8e)e3}^Q|r_ zUgie{7Ba*L6~vPC6zq;YlB9$yaY+M7{P!Her310Y=rX0_H9d!NF&n*(b>#)!uR+hX1*9=D_F{# z5Kfw}D*LIxfRf!5Sz9X2Xy<1Ovkg)s%8$urAZ*YRMaz~HP!Lz?7bLb?`f)6Udqsdm zb%*3RK^z=GsVJ4j<&}{j-Zcg$O%NxcSo@8fcKhN8eD(r9d$WoweuE>CVx@XRiYfY` zDmf&p!Eq-72VXRFu7ai-e6{TkY&)Xt7S>i_B=9>WY2Thh1X=P`yy`ZjaExxE$BxnpmrPkSYZ^fg!T1Ta0B}W*AeZ|klgteT9HoZb&vxqmxHLdX-`djjq@QBX zL@epbbVkxdY*ETR%%<;T`u=hJ_sWfanoR&|)hNO^r?wB1-ck!>ou6*W8;M1(049zK z{sc(^J57|sGJ|I6^01B zi!LC>dwBh1-;OI;O1&aNm9Ws}GV&q_LzSrya+LrpiI zQ@ggLq@n!kFdLQH<8n0wD$iuOV#f^MG-b1sGat*~QZ`XYhd98IGmzjEJj{35oJyjC zGgOPwrQo!a4*@3r9f?TT>v&IfLY{rMBu1N#4G9PS_2~pzi1;GD_dh!Fx zRnQuQN$~)W`W2SW1D*S_>+t}FF-NBJb!kb; z=^D$Baf=?oNhg)c1EGL=-mTF^8;BJL39+~lRB@gN+sdYUy-cgB0YLstJR6FxpoW$_ zRr+Lne?dh-n{07Hb0Pc40xjJ(XS)ZL{LG-ffUL_=Q`2Q+pfbrh)g7ql(SSDT4=yO> zT1B{rjC6w47Pp0f#y%0KODq~x^W1MY*;2WARpPbgby;KxfRX1T&^Hig&7Rlrqq(2Q zN=ZMOQ=5-d?vNx$G(C7wl>5($u^OGgZy)gy(Kmzpukg((Iz}+*)F(|w^$A4!I;6Vu9Oc0smnXA{v^syuCaspyX9kKC$?A(_@rij}j2(<@8hxlGxkY&e(Tl;F zEewl!Rt`q{b0EY9MZt8{Yc}{&F@z=SEXrjq^QC`4ae%cP$0lZ+6|#4khZPZ~j60;K zdKp-io|KNPd!N+^71hcnw?Smx@qU^>)?V=JX-D*<60VZ@>z)4=ncw!5sVi0SC>(Q~ z#Aq}qU_l?Z4&Ob+6*#9_);n|xY9iT6lGt6ft4+z2g*!qT!w&u+XvYi4B7=rzufgW6 z5=mOtwXy8$mJ2e1)F->{bkZbQHPW7n?Aoij3sFF-kB<|{Wj`BJ27CRQeg2ZXO=S`U zT!F=Iy~?OIcpWe-sWcfJ$+$;R$^yK>44_Xg;c{R0J<^He_@=%xgR}x8*yuPsaMQ~A z_)o_Z>$klO#4nV^ZypojSo}PwKPB~%dFx_mkkZ8f1dTw^267ayD5{i zY~7ISAp|fqr27Un!Fk15uhxTBA9u3@-}ZO|+h3LmEqk2_=K1+qsJgIo&-}*py#>OD zCcbur2&cyMzJdfSon5D+JePWaLH3g*Frc6BJB(%Tq~3a3Z{46fM|J0Eb@z(?;A6VC z4`uECUj7Wepg%9pPY*)x?*Gtt^cF5{BpMLs_x(3~J37(N3G!+N`{$$g?chomoepo- z!v{Gc5NjB08GLSj`eDZOd@uiXyhWYy-0=T#mpV${fAzem!%}i_>&={}rEd zmxlLp8ea4~V$a}SnQ)eYD?vv~xxQ$t=H^v>)vU+B-PdsolT(q^4U?n&pN!|`SwJJgtZo1)m5D-*_& z4Wpb(f)ED&>-z6vIT0Z89B<+vn7JdK|fy z!8(nNfsQ&FD$|4MYLUSr_7XDh+`--5MfGiMKoPNJrg+YQOIz7)HaV1F2h)IKi-FT> zvOR+_HLwTp$@Jn0wfvz%0~!`(xDOi{rgsEI5p-4Ul5mN4JpGeFvpiVR{YIur0kYCJ z?%N~ES*=!|XE86J@4aB5%sJ_ntp>M>jaf`0EChI=xQ#LkGv`ze5j_kug|m89oGB54 zOzWeHo{ZD?)~?MG_`~nAK>P5?tD|Cx1&q^54uzE&NOFJ;FOd8wBPXqLxRiy0;89Wd z(MxdC(h?HLKs}B#I}65kh~OSqs8Zdd$&?zU(Yc0ghsYtXiYHajDk>a`Rjp{39#c%$ ziBPKeG!IKFQc|C4>$a-mQy5k6$J6I3J`obOF-!e=)#q0wG;PEy`;4lU5UC>2CzehH zM7ixC$bdIUNU$*$`<)(y5k%T?`bX^T-7Dbg$Ckt)EF2g_0W!PrZawMLK?mEwGSV0B zJ)wEt^{^@G0bHVduzEl{q6gC~I?XWr0>%>8KXwKBcS12GdCb&LFp%EUZ6hqcNAX1( zVBGzv>mIYksQJz%z{^p9^2!xI{UZ>!fLthj3q&KE0or5MH%v7=rLRM{=3)DY>CwYL zDIs=GI{_6DYE|qlimL(kYuaYF`=W=p-D@wn!kf&=TU%xU2_^S0*XT^vxvE|BKjPxrIUC?cn>cQ6kRm zk#a};F~#Q7Kf=+<1r|Dw2h@-~;6r+;JDZqmREr3zrI5UC(A7ezWbSBE=}3MN+!xj^ z0>g{B$6$ETWCJ0@%!GOkm_0A+IGa4Ys>uMj*`3|ph>1{Du92Ro2Bd_L@z-IwK^>5S zfwZr(j5ur)6~^|kriOZdou9!`0}Ew8Z0GrL)yyRJw2Bb)sRasS4~kNZrSl1$b*>Jj zPQQFH&a17ZCOO~~gP9q`6((R3;+8Uukjw*l$If3`ioIuiD#oF%f*reTH+7k%*n(Xq z@gnj{)TY$UDM_;Vq(q~NQ6e5!nx|Bgx=c}IYsoy0ou$w)g`m@axz$(iL&BFkR+TTP zS!wkyBuOI7ODmB+X(Di|fw^A0Iv_evCUspvD;WzbxoQv$w~7>V5H{0w>uN_EA$x&Od5GzE{BlsLseitexgh!S83BIEA_I@IjP4KlVj8$GW%u*`qgV&o>2=7E!4sc zq0|+x5KhCBC>fOPR4=Ksw!4L5TC=K4G%7IZwAEg2#6%<;+B~W?NALQDBjE-hs^SWa zvF>LCF`zsWiEdS~TE0?@X+>n8uGGaQ?zffQWR!_w)c_1s&x96FcPtXKMC@A?nY`>5bRtr-#g8TtUX$A(*jMUkZOiBPg zp}Jrbk1V$_$v$jGn+VjCT?9rMv3(5p!am${P+t&ZgAE?Ki&Q|hEWFAFsmKJ3j?-@Q z9!*E5Hf9hr&_7W7Ndt5Cr85T|p9hw(q}n`N;Udm7r`kJa%jVd|#&Ijp+uqg!Pl!-| zom4!Qq5vl=*T;gvLy{Nz=x>kY1$>u>xa%yGYa0_~L0L*Pa9E(0!wkw22NdVSbzxGi zpE`b#eQBYdhY%T_^Q#cKMjSp2NB9s3_^+##yijejfm)_aG*I;0xsI$j3Fv_hWvlm$ zV>?PBI9`+#2)&jq=|V|ifRM&9!h&{V&afb^>W;kUhzfk=JEVmbW8$k+u4ffND3TGT zn+aQTL!W|BS_ywQ1GPNr!V6sK?A8O7#ckyTE%|!b*F}kHCNPYEz&)CEocrBoYBv@d z)Z}$?tt8IoB9vmfR&WGy6|&vxhE`pJb-=V4RknST^yFa^l$|`V-0Yt^+eI1`;m;0P zmO41lD(l*)m%DMCK_Nm2SRpeZy?g4tDX0-rOY%okhC-uE8UcPDS>&VQ7L1>ZAdBgx z<~MY*jEkP)8WcN{I|Nwuo&*uT_JyDZ!eBcHF-P17hJY1$_cHMXWCuy<$|cNd6Wc)y zh$Aip1lL+*X_qAw9t2_Su5WDLn0V0x6BYL$HrNgrex^%)MPLenc^=ZUVufUnBerCN zB8f0rW94IxS9z(t?&i?PqOEk?wM!xq2diC-6Vw6WrOyGqL*}2X6wr?1MsfNsyAW&@ zY=mChKCCH#%Pgw)QjyJ$31lTwk2C=F-nKhcD)}P%y@KQbY`{R}a|dK>3kAs?DE&2T zb@g27hCo}h#DQQ6>jf^@Cc(TEprafOiofk-8>n%9hTN4te%>(Aq{}D4<|}~F+Dmwd zf7l*aNd+YmGArSP5Xx50o2cY$;y2bxyPW2K0fc6(K9ump+6Z8Y9m za&7c)JOPyWsvJ6|C{u~5f<4Si&B^4qm{g*!#8MUjy68B{)H#3t%=z(@{tjvkX8XLh zt}^Ox`I&+M52>lzRN$y66;K8=Ba?tuGQ@)yE4a_6?gO{hMYnc}{@d*9ZeuKPo~4lt z=Q>y(F$lMps=W)H2&o@&O!vx|X4-*04hBY9I=uTr%rfVw5HvzR3#r0Yx72y~q+;;Y za&s>lt6~J`9Lp^PU$-^zE<-c83}G$^TRdWSRNIxMwSDf6h{g3pXY=vde)U!vo$cjU zJPS*sQ6?8x1~iGYGE0z;LR?714Arh1%#j*4T8cvHF=U*{WYEvbn*|uC&#pj(Tv_O1IJ&6{0ovE1nl-tcB}D z6Ru}8i*9t7P^F`=V483rq>$dx(gLP&QXAGy@V2k|zE!v@7V&C#lxeuF*=@EM;e$gPd5x=-U$HTK9psoBxk z713?qFT25$Q9aft40*iFR-c@45(3BB1U>B#j$`QrlGzt&bG=r->U^MD?24V*M=`i! za48J@9E04*5S(O$X~?$S7@n>n8LT4i0Mm~<0LB1GIAL6x8O~TNKaa)I1V1FTCI-Xq z3Vzi#=?>;)ZBnb!{H?+G8}Wpj$>m9#B^>}SPuko%yWyLJB*#I0<5C2;lm-nVixM+D zfKY*r1gz0!oTutb71Lpb)pGU(lENOCqKG(VR6<*YoO88>7_c&3CQo=o)&2`pFPEs^ zoJHu8;j0K;0AraHg0-GPLW`1d#{9dTO26O@EA$47feF2+geWPKl6z3J^@BTRvDsqC zO#xBZ1b|iIpKJ<5F)wylC$=OP!!UMiOgp+y+=5ct5}lAew)Jl^nn37-q*{YLAWPrN-PxdCBM!82g+e3L_6G%v*iHp ztNYo#g{yd9BDWKX2I>xfP0MC=w-YPqfn6F7F$?>MT^KxOXVVApob5Zo@#}(`>3RiU zQ^h-OFV~p`_R>c)C)1DqwVB%)YvjOXn)BYYZm;H){=(kNxmV9ce zIPKN!^rjKx4ZW}vn~31^rfp(q_u^)x?iVpGu^*e zU$kGR_UhEW_|(gM58pVrTO(?5-}7iC!*42AXL92$H}?+r;VC%KtvBK^9MnYbBSPVT z9BqTJ&!y&{;>j|v-7ELnTPok-mRcX}ci>>5n5Q;wOn#buJ;bS#kM=t<*^b-GyjzYkMc#U%dsZRqnmbC?4GFZ`cIJr6`RWZYCVGGmaAb6F z4t5)tA8OXjIMhrMnm{?K1m1d{?P7@9EmhO+lGS`SWOIEzuat9$%{M789;Mnk|DMVt z9FkJmiu8Jj8!cC1X8Xa?eHJp9z0HU;k1nea5sq{7D-h#hm1b5nLxYD8rXUSygeV2+ zKNtikE-Fg^R-#^_Q@movIkBGTo0f5|c!XASjI&i;Xzmkfj?(%4s@DSB*;FE-5)-5> zAXE3KwMtTTmMB!JQkI0MGXLld`%o32fLNLo{qX_-CH0kUm1Ul-+2y-DTX;BmTiVwK zxha$cOU)!N!!jIEpa9~7Ju3~6n#gj3Y$PHoAU&1E>~+^=-Nr4Y>*53=XRgd7*98?d z*pgT!zoRbO;lT%8nfdD`$rc-CI~D+gOO5Hy%H1Upy{mR4i>KPbq3KD=Yl+~lRek0Y zI0TRoKh16i{{*J6<&HXAE^N|Zkn?N^5aWx7@>Y+_U+*bI+1o%RB9PWqkcjH&ppxFm zh(Q;6A-X=Iub!?qF0i*CmhSeKY)~pI8UqK7?lJZdO}!FS0AK43)MUso{SYYa)kkr5Bd=M9x(ESdv%R1OCQ_w0 zIkBooa|+nxgPI=c*Y0emt#8org|eXI&j8DL((L}a(x?zrPt2Rg3X&7`7~~My$)1%L zmg~61q&P%2=D9l6#M1`pW@rXCQS%YX5$+<(8r}EsfCw=718AEC8Hc4_!vW%|nU%|& z`a@^fict^HLtMT|(x0anE|OUj_@q;wb1Ywi=?W&8F3k!pYqB2Wg)LF{YneT+vi*m=KXnQ6-FEcOlaul-nB-|9K3+V87~p@#bDK zyh{I+CxkilXlu5c0g1yhu)XFS@7l0;ClLIyYG8{>VphY=YK07Xbv&x$)$EhyLv=`0 z%T^H69YZqOFOa;&?V31`gs6<|oxDQk0GueU)PbPbiJM56kpx<&R=J6w77Zt7-+mo> zgv|MDq*x@jmgjK{TtLPmlTle-C&~ij3~xYbk55OuOd_@Xnpc$CklE^06$Er>0stu# znuHn%EPBN%MQe3Rngp+8;(dmxGdcNOJ`Lvc>jPp(A2+y`LEXA0X2tO8`sXD&7%Y--l=T!#?G z8cApeMXke1T>}O|7Q1)U%+VZSEW};C+siO)WDwp)1Rb5hQhNm8qcSu=FX9KA)DhMP zg36e2Qy*j0Gm|@g&?Qm>=+85Fg77s)@)T5E#a8H`pADKdN1Y-Npxlagq8wA=wlRss z8KD6vx3absIMG3D$|ITewc^%|3J_t6Muljsqypb|*Q-(|@!8-TAPnn33{uQ8ffi^_ z;2WBdgqdcwR;#s^8al8R*|8C7vf4eQBx%@BZ35qR#JiNP$Y$Qsw-CS5j|@ZCLlM`& zio*dE`ff>^+gEYcRR)8~G0TyAyN zb*WwJL1GMVqzapTj>I1JN5|sMUNSYLhTwBF8fpxrPB6q$^aM2{pb92tfDxi=7n?A9 zu}OuK&tdto>@BsjeM&96r8&tY;uA2=UgdA3oX~9WTWRoY<^;rQCt~+8RR)kyeR{yM zAWyf+HhU?tq!Bupg`YqRoXsH`(%gu!$8=r{m8BsD0h&=(G<(4L#N(+=Vew2}>t)b+%lKbUASvJ)z-JSi*%?C4DrlW1t zICAFW`zL8T^C8qrU9U(prmNvLin;x$Au!>bIS}vkht)>K&VmZWfEdI zE$Xm=&=85c%Z!(RL=Ic*2!b9JbaKua3M-IrT`XTl%_fkb&c${!x-Wy$VwcSRKEsdI zNsx#3mvVB?Nx6GO9LwaMDOZFy5a1QdO8XUW`)w%h(q9&!JnuWHZP&y_?w6hNA<%s)8Mu3Mckoi)j?_8dY#BxQGN1jV2fL&TSAU7 zfzdH_5(w^B-wL0izMW*75`muZp9m`68SMYGgPe+PZ>sc3fHq*W227Tjmjdn9a0dGN zBDjo+ZEXzyeyTL=3Q1?G?CHosb!zo_hR1kIB(_CAY-o#iS};8|y;5$ZSIng%FyB=o z5)ovr44Zv`C6;DT2~e*vf8`fgv>BD&&x*oP?qkSA_kze%XClo=(8^5?y`LAQqp5$( zbuXpZxV}+co4iPwqeIT zVLx?PSHwd4gI|oArhpJ**`#y_3q!-z@oMYN5NcG%&CY)i8Fl)Sm&099knAdBLv_$Q zq&3(nUb3{d)sE&M)i6g36e^mcn#!nVJhTxYUjktFihiJ|Fo;2Lm@R0O`bC%2ot-jC z*IVp5NZYFzFAbjo!nRM_jW5DwuH_C>st}yTY0W7M3(bRFS#8)ghgasVbL9HeKBG;T zbIxT#(P*eehpV}!~xKpkq`@t8{i@pqVOtN=VJ3Ra=t@LPN z&{Tg2td<%TXk8eyrlc>(Y|K`@rc4M}A`DV31ig7IBM}P_7l-yZKZw35ktJDRh1!(s z8}e)?CVjMpZ~3J*av>n?FocfTC+N!7T2l-i_J&J^|eAnk*(Q(% zj5^8Tm|=q#IM4x8=ZPD@iqBSS@lJ@XUTPSoPbsD&buQXxhjDyiRhbE2)0(gKT?JE`)4v>%G#gh50*-ZT%BJZGr_-v^) zFv@}-xX{Oda%nnV4f5a?&3LP3c)EahM3lEd+lloBRb8s_NGf_%;L*{}apUkZfc@*3 zK-j+mhfoezImqYXf(|hTiuAzfTi8L^6hNr83Owp(z0zu;-lRfeXDRU^sB87AA(9s_ zT8J8HI{>UR0e}FUmv9`!G!a_(KCk`btoogmn5AW7PO>G|C-!H=*t051U-73+{BPiY zJ^!ouU!JbGEXe&$bHYx%jw@}`j@z2Oj$7U4AGa-_8J%sR8EyS>+oB-%^H$!;DbJqy zW_0AX0QsiYnQLwnkZ(GH@0ZbuqteOOKx)At+@%P&iU$FY5Q$m z4TVn?#7){7?xT%TI_&*<4V zG;=A-rb@XdZfK?H=a$~k$uIVxc*~aAGd@A#d%dp16Q`ZWT{!1YM!0hwtto%v9_g<3K62(E ze075gbm>uAS`Tz>@pkVcg@wOa3UTB7%b)Dl*LZFDl=qR14-w3Qrwb7j5PNJ>I{b`^ zWV0C6VsdqU?k9G0PC38r!-f5StgA>6fXYyzce;*f?nfUlJn;KKb8cl+$`N5~f8j^m zKy;n9HRFccxxvf*z&S755oca4e8YNR3`2#sq`9crq=ZJ{{nqc37WH9i7DI(kTEC~L zi%KawZKBWd1}G(Va&Z%mq*r1_gk^Qxp-mNd_PsQ8($ zC(WZt^W~(uGih#0nolLo)k*U|C(ZwqG{0GFdO0Gw3cp(qmu&^G5|oYL>d(2eZTHzNptkZVrR#b=AoqdV$ysrX?7*e zHA(aPNwYI)emiM?J!w9gG#4h#FC@)-lIHBB=_SoSPMW`$G=D2;UY9g0lIEpJ^Ngre zyOE@kq6B>nac#R1%JS4oV}`OoP9v7#Erm|i*qe(B+@7X?07__*jCD8!Ana<5(wSwnF} z{vk8e>zGn&4s|qKVk7Z96K2_`zRJS#u!TJ=j+KW^mtf?q!~;-`X}yj}UQF!6(;LGE zRMwXoLvI4^+lFw#L_DqyVauhkw}x=hWw5_+Zdtf!l6-pM-1pEGeH6y@5jI^;;we2% z#&ARzR}h#;7gtgMkS@|Bw}oDLxS&F+W$3+EUC`SFU0g-=I;x0;bElBJL?>61+D0eu zBhHpiu0ezfy~=PwmFwjF`WD{E-d2Ov;oR%!vo37<4Sf|4{ieQ*r#>Lvtj>GvczWsG zOsC)0?K$SIDLn~22yzPv8gT64Fto|2l;ik?wy9bGF@IsiLpnkUy>Pab?} zj&b2bZo2O%PB(7)It*(hEDSN-Gu?D&neM%f;T=r({>Jcbru#r+_|RpnL3npr__uDl z?~bNhOE$!k4J+wkdU%JM?(Aeja~r~km~Q6zZ<+2LbkB5e4YTFpU%Bbd+H|{BcU{Qn z7T$3cMv}%bI|XHtF0LjkoGwrUyTiM$!PXJZtPKC0xh|B4Gbz|TP#I>mjaYSf2U9&n z8SjUf>tW{lZ<%ZQyZZxHo`OZqU9kmM^0a+pcM$zYroYg$X~HgykTB@%siM9}Z z4v&W-Qb}WI-&6P_NSU8|$kYC34Wz{ue%ns`56N-b9i?}J8o!}5H`tfP(UKG zL8oqOKUMf86v2;V1&KSYoCmoIFB_%6Y_$U*DQ+}&$Ba7(w5n~<1~~5*BS8;S=)|u8 z2TXL~RpEmM4Ke1GfQ~g1lFK2oDD#5@-qO$y2kLq%fg$>!p{Q@ zg>s^iK%3)5P+&QT8|eveeh)^7#_*BL4H~`(P=JFEI-q#u%5Zi%oK+rv(V)Q%<5)G| zU=YbtPRA*mZGROZHk?Ij=0U~-CLUrS;NcO5bv1)|A01v3-dq`e-arCCW+cOmWB{N% zX0E#M=Jzw)Ya7Bxt_x@VMmYO78^SMsKr=K~6sk!^wgyL{N-ze`YB<{qAN1*k?{m~? z>>SpnegGJ`c z?hI#tGMqIx{NkrXTi!WG!^JszHJtTnH%Fgwb99%Rqq~`-d-(LvhBr5dpZ_yA63x-j z1#|Q{=IHaha$Y#=&%@dCnWMk3bP3H7Iw@MoMdqk3{FY!l{PEujL`BNK_4l+cHeZcl z+qVpkft`-!)&jJ?^=)ebR{!`NYXN6J{*SbXoUar54s?9Z~ITy5{VY9xq0MW z)5CB5qpq~~G=$%O!dhDz!l(W(YcY*KcBYl>4B`K_bKAm>P8#9&|4D};{T=^otpZ&i zD|RhEZ`k%PT)}vY!6W>ZtTGrP>HI%i>n%F}FV;H8tG{Qh^I@ATI^nQv!z&RFt3Mbs}K?>$b;{r`w|MmnZjUpfn0}Aq>QIP4s z20Q-U6a=uJ6;lv5NAE^KgtxUt$AdeUY`89m#{|fH1X!B$-AyPALKT@r49LWWx~O?$KO!DlBRxjbzl=0+-p z3U?xI%GR_@VylE5Xv@d!+>@3$!X|r4p`m* z>#aGNW>*u@(THK)*ASB{xn#_MlmyuRLFvaZE?eB%0L zcFWT1SL-+?bWJmy@%jj(yr}Wowz+jKE$tQ9qCd^HYoPwHCm>$Z8PC$?xM$AuM`CvQ z;1?1K?d8NeF)|~{vri$#n37ElM|i;YF6@gNc{PyXG`|`S)@$ogNiSlAnDEbI!k4i! z-FEu~ZIt-t!pUFUxb3Fj|C_^uzs3Gl@AkgJ%^w*z&fWO4C1=mj*TYx;R3lz;_HF*A zAA5d0i@j^`1GvxHx+b*uz_qkJtJ`1uSl6M6ZHKCJ+41p(c;jvM_iXDg_a^n`vX@xh zJv|g{zTI_beA}Ti_T9^6Q}J^*x(vpW_39pj zIc+oB?xvs-BmVWa&-PUpzRx!K>vjI6iMdEsCGY<)6P%Bd2oE%zG<7?nKC&La3<`+nJ{fvvb@XWR`|%2+8OC@cV!h} z*T)WV*_ut*(9dV_IrJYiIYt0UC5(Y}SMWxXb#jsUwYlQ~C9(=Ho zLc$-MT$`Ol4m}|qI1AX6bwjh)_Etsuv151)BrBFN{Z`L_9m5;m+~1I1gC_Edy;Eq#8YgK5mlNkkDTkU9!K4!uwf1UG z29wx$qd%w_3MLVm|Fl_1l+?EtK$2@c&#xi{B%7&TxsX|zlB4`8tD#aUF6K*P^$@<6 zMoFj3&EV~EQCP2{?EUupq-C|WeYy7fap|R-&QPnA*+=;&{9Z9U4O)531DGjAvFFOG z(=3P90*j{BQZ3ROTj@+M3;7**hHjReJxlZ9Y6}q4;K$kIEjfFRW_sy7B1Z-u;?K1F zz)k$fh=3nSPGaV!{vGl@o2+RjJ9#*KU-6JBl%??ip% zITx`aKSbZd*Cla}wYIKiN9~V3I@jj`Kjp2NRKjfRmSB7_{!&}S4 z`!1?J%Ag@)fYIRA_nJN7<5yujU=)}Y&^vBL^1BDg@8N60k5`8CO?Q-3ljx3vPIvtH z`@=g?9T#60-ufHiJqUjHVYyMP7}L}&`i$$jPkG_^&WJI@9mCYk4e#;7#i)*C&REI~nsQ!&~Qu_eH9s1V5?QgGJ$3uEO?p;jN#x`MLEoZhr1E zJ@y`?zK4AveU$Kz;@Km3vIT(UtDUa96d zR{nDoXt$9O6LbiRO2itqs`aNlogsGGY*$Dz4Uz@5XkwkK`Ax6+*fr@jx1`f+zI0i7 z%_lwpxK0q?XRqzHemv@M`GHH@4#Lg50GG?WNeDw9s^z01|JJd>(VKMep(f@cT_+){ z&Owc~Vb+_p4Rfb{8Am#UysE9385)5o+Q``k!8jXqkhlBvA!}~FD!pdb<>@t#Ad}3N zeel-}tNmEvE)9h;ce1aM0Q9c6oEe|g7RJxka22_1#?wYUk!Q2m=&BX2XwOK> ztBy4Ax8O9?^e=2N4ZA-UaAvl@F{AYe+t&|xy9++jVV>!c&~&+-I@T8N=^WIyx+^!j zD?<`maub&MxyNf8^hSH^CUGs}j*q6iN!`rl27stIzhC>K_@mqaasAuayqudn z6GDY6P5Q{a)$SvGEQ-ZpyYZF`uJeLnCxdG)4le#CDDn7@vBUfCd%K6-S2Ps|`WcWy z?%=}`^h+l3SC8>SC1Yft?+qW|oqpTf)npK*zp}t2kY8sEm%y{&e{~)f8!vF{T!e?! z{V&eLR9h1sk9imY>>~5y{cr9C(fI$5dx<}laIXvE#g@D_iUyoj#5`FTxL`~emQzKR z2_D5NfvQya*Y}H8VVKZZ%~)}&@NLd{xhI?~?u->kriI0Jnp;tZ<#p+`U)Y^~NkMHt zn5B+K``*GE8Qt)-lltkqJf-91QSeQ47h>3JdhuGGmV*W+Mr$_u{lnLCJA6c4G})t1 zx>C_};p`NTyLcN2w7L$U`Stwb=h5STP<)&?nCS6d`(0i;qF;12o@k;O&_j#;l5o#2 zoXooTrM@&8fh;B-IIw#9xQw=VT+ zb*ZUSm+`C5RPl^hc*kXJ{mAhW;Xi+S<+L{k-zWI$IyxaWN;Fo=TXHVNM=uOkr5<|E zw9SJbV9VdeapQ7}`rEtO4yL($26#$;Y{#ndbYoAZCw%ni~A)UoT|gG<4>qr=&aj?Y|iOOk!=ozB40TcZrEXbxS97Y5*pm zmCv+Bb-H{evJoaJB%ukt(PfE66Z)frCYh9oWJ$NZ&E&{@bcNS;<^vD^_P`3>H-DLM z#)KI1xJk%!BFtsKr8ztEf%MlNh(#IOO!Rk6$O~ zdTeug>7O9owD+9qTe>;zcO{{}RF%V&x=}=K>E=as%n~-#bs~c-a{93i{||fb9T3&= z{SDtOz%Fff>77NfAR56EC29mgy{n5Q_E-^6i3OsdF=_-6l@KgZ6B9LR)UPJ?*gIgs z5_?b)yHOXh0n$X|`JB1CTr@`C=l6S`_x;E!!c_5aP2T zfH^3{R|S{eKzvo;6Wjm*;6%ez7q_l$5d4Rl*I?~{YWZMX|r zgZt89tcN)SwS3kuEWxl1a&RZ=yP0hik5cJhgkiI%>c|c!13;OC=syX-Z0Z8niZ)k*rY?_r}QxHDLKJw z%E)$r?f^bEJJ88s{f(_+$X&6gqnDh+)&e*QSZ{zCD7r_4xdHNWmvn20kF%KV^fI!s ztjX2kz_RLl?1vyZU6cZo63C7_BQIlx!@+R6`vS$miXFC$$OhXmM8iZ2PCCPQJvJnm z{T&?mC6kkMl8~$eQuSfDiPaoeOQOK%JkH4@HER!2{EdZK@|@OW)E5i&5xu4Ym&6K2 zpRdpGNQ>wIwLrAV*L!ezVIq~VpYtW(1Kyylfp zX6TOvX6Vb_(7ecA#$YtZ~yQJs>ZN_|E&aAa2(KILS*AD*FY90OX+*SPy{>LFQ7pFT%CP z@VW?hF^1PcxSECc_Vs}kXl$yUqP$udI-z`!x!wWb-o8+GybHjH)cZmO@(uuBpm3-~ z-UVP54oT=80A}G(p1cdd2#@#02FL>d#t_Et6--l8K4-)OaJ;V*A^{kYy?q@K2*5=Y zj$?8U0GNf_BOHKPIP^Ln05HO*`eJwHApn0tLZ~$iEmIw!67LJ`Gsxb?PZ6>y18AoFQWTWuudE-_X;gvYzZCBE_g?eom z-v1AV2^%2sGOQh8xaT41ADURT)*GV;0ycl^^JyK_G%m4?2^0f^8JLT(9IHzUN7*=p zsY~mKOAa+Ft;80Ncz z?MarCVWJacZGdV*p7V5Kcq`Qhz;6RMx;ZhEMXe{~8^Sy=Qv|43UU(o>svETfv8wM; zd!*27U~F3OZiR*)JIag$-mKbKXUh5POxFEmItML*X)jopfms_JaiN+MdYsrz4{Hf@ zn?==TMU~g;QNg^=O57C;BZI)$K-bw+^!adD6F|MM@-Re44%10?d=b_lI#iBM!eYnz z4nA1wVjXuu2P2@8qHxVsv>iqXU`&oaJ=JP`c)Euw99J$-k01+%t+BIUNaiA^lbloS z8iS9EGtVoLSuZJ3?aHGi>06j%2$}OIdV4E+{d#cX@#=7@C>ADMjSl^cc;Btmotk5? zXUn<{2i3*C!tjPY8AI*9f`&i(>QUEp2Mvr1;erBPy1XgtrAz1~cFuio%~~v&DPB(o zwKOowxeKdJ29>fBwzXIQz{hM2PjBp^(?H{ajhhF?L4#$Ky67sQzm;^pc|Gf*JE~pGycPOp56-vd zuyLi+Jg3f2#ofWjsfTfKq$Y>p*BV0X>!G1<3?bN;#MRIhFaz#}%VjZouxaDQsD&JK z3uWhPv>52-0m*fA2bN&;`w^%`z>^U!DTbLp!Sh^47pe$jo!;S+zo3vpqa6h7Tg&tl z785uo3Tvvvh9*VdGLPhU)iTHnnWgKD?KvL{bU5d`h&;=cb zp@5K5u<`f|$92%P06mC{h?RGBv?w3bE1&3Kd=XcJ(=rXEimOaT1$z6jzKtxbDe!BSS)%Ht~pMF5?Jebmvng> z<5y#&N*u~`niJRqh=wF95~8E`^ER z@J~?9_Atzd0%2MU1;YRk4eBF6g%xZFX7C#HVm1N6V8GdbnEPj78M=gO6U|`YWvKF* zPyp-nW2D zkY7MjQ%5})ItCZnFlrf?_&F(AK%MA3wQwsD@MZ(vIvX>FRF?&Uq2nqZ`NC3Hk$3W=9Udu)9Tk707$JnX_i%kq) z>NTg41_K2c2kRxT$q(05(f2_e#r`4V9#rXC{lgYUNg;57mJA3=p4Z?4T942_Fykqr zNY+1FVSo}%5c(&W#u3H^5HGr-+}IVE6Tot?&Y*)d4MyYAqUbg}e1Fy-IeHBnlHJnV z+J|c%8b`-%BMMweZN$g}HGY;Fzf~wAAASgp3C#f4v3CYW%RPny|HM5ECKPxX&CWu7 z#AXY$%^NENt)jrp7#4xyw2~RRriXb73+NTJ8@*)U#rafrCtPv^!w}}dvuoqPd$n=k za{&i}SYbHu48wts2nRAAH=y)T8&=+Jp;}6hjom_OpA9Mp1PwYWo5b;Lt zpc`m-BXa<4C=+kc4HUeQHRuZh{x0Zja0Z<~zuyL#eI5|IsdW-?EuBEVQyu$)dMAik z2mlDa1km*v%X@06;3kOaKVRsGA(2 z07#)S0U(7+5ek453OzIeh)`R0Z#s^d^;77v*yyp?9H}LrdBc9eDDZtS5o5flU_C8& zkSs7!21FW+^#fN(_j2giKq5?~OAArxtRyI;r*1TICW4e(HM22hKA+YR6`Cn*TpC%1{uDqf zvpy{vja%cJ!Q9haNJo+6T{NX({S5Coym)mu5EJf5lfWd*afv>yKW-n~nA;vYVC^C6 z!c~WSb_O-efn$q%U>;5~!U&FO?WaJPoqHM%#4C~y%svmy-ta_g(yb_-R`qMSe{o1QM9br?RAjRvI; zk`(u|U&MY16f@6}6${oyMoa+y3Z}PBodzL@5dNI3S@}I@W2Z(77Uwl#-v6cv&lqva zS>wu}&Sg>+T~Likg$OO|mz>u5{ ztn)}ffZ^7VxL<_5HvCeGp1}Y?Cy;8dziWl zX&v;tASS@xYOMtLPAox=m|&xDF$5q`OxZOi+bN?khkT0%dEk#-%QuBZ z)x6(pQwUw}-J0yQ334Pv)kv0je^OSh9rZHYwVDjO@nnrKM70Zw;I|-wfq62$&wWU| zQn5(mY9J~XixKq(`V3=@RGDe4kpS~N#t!WyrD6M?h8ND*YMzr)E?LtcV-7O-NMU^G(J~qtgX<&yEhU-XZ zxWjiC;t92oUOZu@IQHJbE(r)npMV?euTz$VE3waiz?TWnunAAO=zxRTV0cRNZ<%i} zwGKy=(?~dG> z!f@3!3I0?PNvS49S*)@HPQouLhxk_8;sSWJOy_e%r>unHI$>I6 zE-swV`(!Z2Ya_d+1*Z^nO2}WA`SSFkARp_&-ZOp4iVv}B$_lKdjLwFX7tB5wI1Eu* z+?eUS^SbmN2*icef|5JL%T#{)Bm^FZq>s<6XwPT9#zpCu`IN%=R+Mf&`-sLR72}gF zvG}NS2q=KBWN+YO!y0oS@+ABTPtAu(w>z-0ghc==*L4Yuqu>BudxSofh}{e;p>KBc z1%{eW)1jR_mD!s8gPTgP$ zL&x4?0_hT7S*7#2&Lq>f2`kg7fs=IK0IY5+ajs#ba4iuQ>J!GUKF{7egu9$DGcuU} z78a}U)T0Iktemo$M4_gcgekGIKnP!H4Btw z(AqS-*oedWRMR?tA{dcRE5mr=5*I%lFV$q2-ht98v4Ecg);c?j&A&5-953XU)fDKv=RQ= zy0Ys;q!EV0a)yoCPwOhZ?FcIC*n+xBVJC4758YXWTX`z5FI$Q22&kE| zSOn2cMa7_TG0pK8YWF(Y9=k|bm9Qt^JL4f~8tQkE;K6KK+&x@@l=q5!*q)BdBOh%f zU%~qY9$cVQ00D@wtp&r1eaO;mxSH-SLZGk|_$doyiqtjf@UFAhb}=nkGcT$A?FCyW$0lN zRY9B(U{GI;0vuNG5v0WiVBTMN3gCW31=6yFO3(voe9}?k3*RZBd`rK;g$5*6(j~}G zGE-oDw&Fp#2`9x^H-MaCiykP<{xsDBi1l*@0vFET6T6}`qIova1a{>=_lX$lh$ajM z6BkdpGW33s%4L}lffPihIJiIsbfYc=R(TEo;QP}VZ3W)YGh`{L+@M07~F z1owfFs4zpd>paOq@4y*Yja$$mRl?m2mDqUJYYgmmW$gB1jb(E^@nSW@>2#h-PTU6zAuYr}B_(x+JG zldmJ>wTRLyg&2_Ry-V^L2YngVJ)2nsNvMA;p2z4Hq6f z6+9Q%#o2TzJHFTPw|5P2S*N%NiQ-7fCDZ;tPBGOQgKStbdaH(iHGK|K2C%j?3>y;0 z7)B_7&>4AzMaeXp2_Yr27%T)v9{3FD0T2&-RX2S9Of;B*p-{J%3auUNn*{ zqzF+nilNZRzAEMw8~l1;5OM7jv|nI6+%yIFpbMsMGWN_V9dK>g1)a~Sa3zMpB?tw0 zC9I1=e*!&IM(2sqT}nuyPousSROxKuU(Q2tR)7j)th~lyC9!@wY%ciyWm_1Db!7@Sj|EU*^eE`eoC*=VoJPJj;;(eSS7D4z`_vj^IE6GnVMCtxh5N33fywvhq2iS3% zL!hZkOTZm>;n4cHX@V&9kchPOM9UGap-Y{M=F~s{^!<~%S?7-$ZU8$gXq)SCTQadVisngWD)IKhxFBPDdS^E+T009>a zD`P+dgF8zo(OUml0r=_(8t2)d5YHFB-l7B8b0N#qBl%#cxyn5(vIkeA#N z!XeT&@FHDHIG|9ET?oHI6N(emw@SHBFHdbVa4%inWE_8HBxbh6OlnmQmVY060 zAS9TG>n!82aD_9Yh#4ttA|v!^km(64uwDj*g#M7Rvn5EMHb7m|e!XmnvH3j(L0?~L zd=@VoP)o}9P7&X=TB~HO9SX^*_Xzv2;Q(P@&4z4(r1Cogn3 z#81Lfh(@sl0l`67dX4QQ7?`LJI|*PyL1Zw}y*CJM(DWd|h-3zqS_wo%au>pGh7CYz ze430;>#ETE8QvbMrVm6yG|1PC{9rG2Fk=U6mQ<3aLB?i`p5h`z*Q};=xi)gmC+u zJ{8#a2$`_V`gvKWsM{z=z=A=uT2+aG)1W%xb{mz>FK*|CYtV{cbsNh-@3S-rY zK-Q&=1Lj4Ps1-q&mt>{bsvsU3bQcj_G+wYJF5ugI<2cc!e#6EIxCP<@-pMV{ejd?k zrXPK4QW^%E(V++Z38p^*^hZm7)c6C{`*)TT3 z7XblsrXHc0LD3h-9%`>w^ zIFfe==2JWLNWKlRM~D94x{URIWB;u+nyE`I`9E$yyktJ>PNU`Tl9hr_upeHs6+UJ^ zyd=ZuT2pdfNFgX?W4CEh$!#Ho_*TIRdC7AjM6e%TLLVA&P_8}>WK?569D3QTIKAZQ z|7-TckIhHP|7Jft4r)27+Ok=v+|a1kq+lW^l!g6u^yRaA^a@ z5G^`C7oFWjXPD>=s&SI=)1OtRmi_Ms1{WkS8lJTgozfa7Rp*5twSoz~Zh`GH{N32p z35HzJc~*2D5uJNP=O)qltLXeubbco~lSJo4(K%Xl4ilYyL}!;8CmoA#%j!MGw+CzB zO+#ZA3+Cjh!KcPaEDU{MgRQZZ0kr%h$!q_bRu+p+gXp{=IxmXOY|(i@bZ!%!{}G)_ zMdy6cnIbyB7M-!8GfH$05S`sbXQ=3GEjpWs&N`ygS#(;9PKoF&r9neoa??;CI&X{4 z9MO47bRHI+J4EMiHBOoyOB=|zgNf*T;e4pEloX_atuC?`4v8P1&ORWOPv3MDvKZ41 zu7PFvOmub@ooz*Dpy;eGI^9L5T6CI;&X+VMgtk8uoqvnYT+w+}bRH3%dqn3Z(fO|0v+Hd}SYj zs!ILsN_ru@2ZaZ#)Do3i$8yF|z%Z3M1X*>+D#$)nemHH09|Pcf8b>f$3*TxSL8cZO8HLEe|5k-y4sPHPoLBDyBk`!y-?!24iLA{KiGmY> zqQNOccWdy8HEWFlAJ&x7Us7sLejfeliqFFb)U?Z)kquWb6a^LEcI^kU8yAN!XsGT`2ypU zM)xo}=@yK`VM%u>AuI$QrwstDAzxURFw_md*we_*uBKZ7j~XfHScpYIN1vcD?Ayd$ z1XXR^7@{MGx!C9swu#sgr#u*hLnv*3z@;m@N!d)hO?hTda9A8s7^3X5w2(AO3a0Y@(QH9=1Hq=2*8~W5 zF%Scb7l3N)0>Q(&8Iy_*6;2I8X-UU9H8_prV-~ukDk&l_;1`kG@(9*UbO7@kU#(z;__Z|2Ie83F7oJ4Hl$) zQFhhmR8k?0CZ9~@h14t>bf+#n!ijw{43J5^oOuU!5*!~y(ZmYFDT;=;uU^%#H?*J| z4#J@YKNzbc<5_H~2M9>6q1o;oQcl2Q4bAo&-Er$BgtwYE+`9APr>LyxtXA4^la*7-9aSkjex2kvL4+jOZ9+4c=<>1%@=n1^&GgCPt8OGj(-0u=>C z5vl->hQpqZ4BsG#CU7FU!l?H)nxzudRYiag4BIiSDQN~v3c2T9LomxNj1!hrSl|tF zC}}FK?!=k7F@OS+FaoS5-etHEpcai{HN0zhW=l0(!}JtbB_UjRWXMG*8S5E_g!`l@ zo)z=J;8UxZBExo;7sezgm4a2WjEbq$04BR)gJ7i_VXdT8z!?IpQbP_>nW|i57>QK- zf>|sGn5Tx_EY?Kc>ku3G1Q<4Po0QZK9mW~yocTxwf7m$ERyKp-6Wpo52q0%Fm84+F zRqhFAAX1_aSqrPw(qE>vtQR&Fb*V6UT5b4ol$FIzHuM{6`S46f=nn>=Or8)B1&^@4lby z<-eVGcdK1v4whiCJ1(4cFQzh@>(VTkFa$fX*Q)2Q#8)@<9P8AxgzF|=si^3vzG;r24muv@2uSh!{rzA2(!6;z2><;PjF^x9 z`2Wxz0pwn=M{w~idj!I_nTe{h@$kR-ecrr3??d(oZlL@4bY@WAgx)}G8cLi6+@=-K z27R-;2*Oh7zFCTy4T|)p;XFb>YXQmPFQ{&IZX824UhWG*LpV0hPUo>x!K#^GqAZLK z%rAv5Z8_WiO*{CUz6fpl+~fm~@abKv`9Nq#-sH=$C!5Q3B;hADNhlPSU54c&CEnPV zy$o$jR+YeaWN(~6b*~MoLMZ&7pw40+q3i-JusYxnUD{%f`jDD%nGek3)4vv)a2aYw*stX? zt5G3i6Uwp8Tz18$Oqo473I~pH5`M3oYT;K}U@pi*bZITF@b)dRQPAQq({cC$rdJ6f zgnf($hW<_;?044VbPl^T49B8~xd<5)GMG)a+S3>JiM~beXJA?6XxUD!tfBUazQa-) za2%^EN9PLE-PCUr1}b$YaCF@mM|T@dqImkWm`}6j3vXru7R0rnL=VSzMq6#riAE2a zh#~=b80^8s(%MD%SsaAz!1~f9h__iN*x%QNM|COa06Q4M@;)$JVL@wrhslh2pBj!L zh?d*i=x@rk!{{fSYafVI_84B)0TBhu z0Nn-34+nrA!PdMK+b%r#DM4ht%M+Cr*2>dJZgggd&Yhz3chR{5&X7Yd@wpgXL+gVs zy<4?FQG>?`lLrWNXYy_6KoEmxCNOwaP_|>HhLapBU~ zn}%IJHJ!3SbgmSgi$&+RaO#p@%T=?VgM!3fW&qjR{}h%}VS5|x*ZYFQeW)wDC3JvK zIq|nx{26~s&8KZ;QwLxPG`M=a-3QrnD&i<(YqQ_c2T;Bf*xF^j#wLsWoiX5peNbeO zU`D;ge!W2tCqHgT>iT;$#vczBN=IA37j<;Jx3_O1zo(Azhq%``Ly9;$5W8=V@ki=1 zsW_ShCJd+1Nv{SD83KDlAz*BDW!U0B#qS9-{`mC%P>ZPyPY*BG`BY>+ zlaa|>9Atq)4`Ab%C-(o(g!>%B@j}wSpbFt^JJqTjI$7Z3b!B(RJpUdFdXC2F0?We# zpA&O~&Vw(@0IY1#SxFkDuT%hdrLwZS>)2h8eD zwjP%;&j}9%S&Wq>3e`kv{6T6~NEB`&XGgiI83L>&w0DeQyb>_<%?BZ2;0b-;Rah?! zm;9}7?(3_Ewq533Dd}}x?ULU12__P!54@ree5l)J8XMt0=XLu{gCX4KW;pcA4w$|~ zxX(j6J+a3$D)c@XdSy8uh^pfw^Qjh8yqa&$EDlfgeJ)%m9hgnQw<*}bqh9BU9ze(m z3Yo8O4$IHFz)ZgR7__fB-3A{BD~V7U%Y6DN9|)?FTrOR&i9NM8@N!TGJ) zw~FU)>nrC7zk@sKVTeKd(p-`&t5hkMk=hUle{yR`efm-JfWKrl`_YF#MUav0EM>=z z12YWcsqp0TYE_CBv4$&vjqXY#zAFA~a=Dc%#R=huy$SY1icHA>CCRM;C8_Foo(B(| zxD56ui#|sba8w$%oTrr^$@#R_5E0&9EyaZ+hULgA)TYJ+!u&VtL${9@?o$D*GGzWf zxs5zNFP{wDljvA}i2F>Qn0gDzqL3^lBcU|`l#4V`(o|nLNl>N_Jv{%sj5Dl4GGitz z{m9pt<%4a!E9&30CxH^5dHE3&D1O5}*a7 zmIRj`Yad@9nf`Dg3zmN$28n^2iuPf=b0K?5h^naUE$8y5fzMB>0yx=JN>-avBwzy*1HhN1O~d$ z1un)w7d8YXI;gNU{zet@2(4kD3;V-Y!$22~f{!uKg2Q4 z=JQr9aKR8n9Y_uS8rK`4UlS~ozgEKz*9sIImOgb8mpG*%X6vt1kF>68ecA*q-=?ce zLL{Fq*WvmeSl-&NrASrBt9;PuiMYLjOt7{~=xI^_XK)r7l`dwKxk29aM|56j^h6`&x8N z5hMm-s&3^W*a8T{qTV(e>j+hu9c7CWbfi(6XQ@xYSz%CdhK;!|$q3oZL@EQv$Cps@ zgdjkWLb) z%7LdK8E62`G8z=gLLI6xb*OO-x%efdC8mI$C9O&g+w@l_G~v^N_(*8%rK$NyUSYVT ztEf)REX&2^!C@y-a8^bb8q>Y<2cQ#cRXc^`u{HQPajLHc7w-z_4%DA1jVbX-)m&e^ z3qo-JVcK9;rWR$YQeK0ig|aOqG(bqkfP5<2S~rNqwXW=gI|>#uGz zSe@_@tp|~DsB0gXlnYlFHu3N7C71jOZ}n0n{E#ob-9LI`|Af7>f1D8dcK>`*yU5!8 zBSGR2XgI@~MskH(wIX9g$RUUiaTXnl!>YN|OCfVIb(wdRxU7wkc{rU|f$XgI1zEVe z>cn#rCg8GBm?2Q}G1vO`>C*>V=i1aOezz_>li*2jJKgUkj6|8a5&YN2!D%7#|#RfR-Xsx=%OT@5ynURJ&UY3sLQc4E&kl<;&bx3jrRtOFO;prjOYz7M}#BEky zCJ(ctq&){I%Vew&uhC1S04PZj}aNQC%>SPksQSqc_=t0sXqz-sLr`LV3-q zP|j9`a<(dzzp*Nmzp*Nm*Q^TV##JF3bmVb)0#=2K@&0t+Exkn*>WJ@omaPL2h6(FH zfN>qj#yXJoj&S;H^R!< zponssS5zAu!$C6GP#9(surg@_U^W?AdsI|o9@2dKj;aKHI}BoX!bd>7xduLxrda$0 zprSA?zA2KjeJkV!@=eVp>kh#7gxw73`&d%KTEVCVRR~jC-6r0*ZG03u-h>8GUA9($ zl~c!C9;V>|%vfN?guJLo%E*`1R3};n5?pD`poNN0?}_CAD$N-5pjkt;WHd1OX#ZN| zImnPISUp8n6VZ|m*dcp{5*gA-FXsw23Z^Lw*8Iox8!+HMAAQs`a{T1D_}Hc+V&W!@ zjg3ke6Ww(9xTXF6@VCN~9}OtEM-F|65bPh=`0G9`l|mkBuD{KQeY~ z^!Ul|OO!C?J+X1)W5!0mCw_dyxTx5%NKlL3p?bgX_iyc)Fe+w5{Cmop@a6b_jgE|o z8x=jiX+(6yzjnSciSVKto7Ow3DF%YjH%u5`HE8O8Av1 z5Ak^LMtO)=ARZ6i@GDWC0_6cP^5PA@5`HE8O860vya9OdMtO)w-T*v!!w>kvPl^nv zB&}-90YBbatrXLg!y}c$iwAx!{0K)p9w|lQk#fFxlbsJCA^gaI^Qm&gj=# zg!|&{i*$&`V~4WUc;H7q#G`EZkq$oz{Q(dO9{eQmjb_ z-f{^GphV~y3H6o~`SHMyH}WG+hDVAx86Nm0@FN`g@gS!HfAE3jc+2tTlg zkyU~6U^qpNx10>9DB(xA9B;W2>)cC^~S%kx>fL{T>LPL?%Y4{}6c@i}>01w{O82FJN58fKQ zH3)|v`Q^xu2jSF#_-xdpoWzbAf(LJE6#N`nfKlVE!CQlH_!aOg;8(!UIv$^ub-u)o zIsgye)EV$2KOVd_cxw<2Kk}n&yy2$?;D?3?9Y6uK8w9TwPXOZamINS9iwAEB-V%gU zABY|Fc7qXzd}^fA;H^PEHS($P*5IuP5VGU18s)3eVE~5*Z*(C1h|%IfItkt=AAUS| zqkQ;T(Q1^h#s^WOL*c}OH#!)8#3LWdSEGD2%7-5h-Y6e_RGxmo5cos?g$__C@Wz86 z`aV*`(|3^~9)3Cec;lgALOlnJ!UnBEf_!)sO1$wPo=pbCvq6b?_>oVEHy$dM3b3St z@K~aJnrfCPTZ+dL!HAb4UW#}r;^CLWk2fAmluc?jmMC9}#}Z{r@mQj4DIUa25ido& z6!A!pe0UHKKi(*tHGs8VLe)WY=pR*Gf)R`W_G!?1HR9oyz>jdmA)e#32*JZO#2XK% zMJyh!A>Iv<4&5%ngLpOK;YU6^h=-rL$B1B1whRw-mkbYetqf%#9!feG#wZ){@JrxF zIN}h`Nwvs_M~bp#c%&#>hDQq6GL(UMHR9EXS0f&Nf!S#KVtnrLM;t z@D+ehT|lEu7yxqWRy=qkz9HhNiSSF|$0OGwJs!LPANlLRj|XqShhK~Ic<@F%($|3> z58jA}A4nQ&l7)prVP$1wV{5Bc+uJ)jIyt$zy199HczbKLb?ervSHHfWU!z8i8#iql z7}%^?ix#a~wQk*}O}loVei|Gc8rrdAr%pOumo9pJ_wGG=e)d`K-u?RZ?>}(h;K4(N zL_`c99u+lmzyIJte*U9J zj~_pKR#;e6^x{QXS$TP7WmVPd*YBjqqDD218U-o|{5H{~^!ss8!-&=$M$dWq?2pX) zU5bzYk?b@rxp3|=Gi}yK2VU)LGhtJ#-o4H1BgsicPn+3wpIe=rlE3Wr_yrM7TQoc) zZ;|o%ZrPbTucW`kjkSDwVx5JR>;CbP51;hi{31N)=IRdJJx9H`GHmy?FZNd6JMl-? z-xL=jDt))l*k*a)>&c(+-A`={X!&r{$E*4mdX6_dE54TcpSzRN9^8(z?!Khu$$ry^ z*!SC6?DnKxpXkVx^W)5idY3f!jfk$w$?>{%>FbE2o27pwm0nG-j*Pt5bXvuyOMTBS zU-)Nb^C*XqkMI1p_~RyLlaKAaTG+N-18v{yTYm1c|JVM#%Qp$FuC9J}|HO=po)F(O zioO1gXpN3UH`1T?B$yCEDJBp<@XmswBN30t9!)Un=x@u9@wa(va<^<2_?}EdM@JLk zKOeK_y}y4icIbyW2vl!G^q6R30sak6Y~;U^?Z`bLGGa```1fR=5HmJz%)jy=fG}xX z#0cbngPwn1gTcg&kBytG9T78TjCMps%$VpXE;cSMc6@xoxR?p?F_GGLrFduS#^dV^ z9}_b!DrVfse`^Azi38IrBr#R&U%??cHKt~JWW;>J%4)j+ZGg48qR}jVR+){|%nU0# zfeOaspbGE_P@0?h+sdSFh;X0?{8j^rd)Nmw39vC&4x7bGqGfWa9Pu8ATZuTWeL!IC zI0@pkh+BoY0Q-QD+Hq3E1t9KM#0A?2^sF5xLtHT8-uHW7bBEFgMw?Ci*qwXLAFLfV zHN4I0PftymcW!9ixW(TO`KnWvS;Og*L(XojNG#iSN#*>yYQ~<8?I(8We({guk}V&7 zo9xp3dfBfx55CIGO8UJlWcbRP7WQ>cwLi3~^sv{pDJzCFYTmSEv)7XAa!K~bGh*Fa zoZHiLSHqkG*P=RDe|oZ@@ybgts%)#S?&=bh)a6w0{M40e9(~k*T(ZipX-W8r;=s_z zMyIdm?@n92KIeGzZd03%KVaGE+m3Ub797}iYD)71nqkY#dUf;O(qZ;T+KZzaylnUJ zZ24DRrYs8`vOZoFl$U%x_Vu>)M}FP&i9GpL7ssEPC#P(5exhIBCUxJiSkD!Qx+H8* zoi<=*)Xj?K#qyn6V@I0$qeJX?jGa&>3(&cq_xPP!hwv|U4bYdel(G80HB zwBXFOVbL|-9%CY6#>GSQ;4{0)lB_=i2Zr2!ImPnJj1GspN1V6m|6Q3`<)YL}2Yz?! z(b4~ILbx%iP^%*3SCgPLD$ zb@gRu*G^3f=kJb~7keYH{TER-9YVvyI`--sXnZ#_zMGrczb4>oz4tJuE8Rox>~CJJGQA{AzVDuGjcif5|4tRhlo})@TNQ=hLF*mCyW= z>U0bajXSGSeBm)OV)@+d89#PgwPM-zEo}w`J}-(ta&X*buRr#;h#x%DCklMC1P^>04RE6>ZkY@OHoXR>hX z(&U7%pF3pVUG&M$k$uIC$l+nIm?aEGDXGyo7 zFm$pvKePMW^KCkvcZlk>bl?za$9?0zvE2L1@ZC9I&wg~tckQ$7*Ugs6hjqQVe!gPL z7ejZnzjn-f+-1j`(QC#HUp{aBp;@KM`N3;n)IC<(dX|mHlP;E<*VNDY=#u@2h(|3Y zw)WS)(rz9wbm?znD%@{P>~&&YN#xk#>Z&aXT{n*0*7op_n-ipCFIsPl!uQm69Tz)k zoHk_Kgh|okwY{-&YQs8w)>*3?7XyLX7z|qhC2Q%2^gW`-Plz2CF(&3~CT$bH7VXy& zys*zYbY=rSBuwiWdCRP)u1=>jOONd@92~aU{;O?&Pc8hRdAnh|{QlZMI;`SZ?u%dd z@sENM1~e-RY`nz5Uw2EoYw(xK9(i^1?$=rTp89doqD*Gw|YbI?ruvctfu zSJrk<3o24~=`rxv6VLa5x@ztGX}xogZ~Y;||C^;JSKavPqn!04oDRCQE&Bay|5gh}E4r2CKBXN63^D({xL=(|BLTD7!UUD2l^t$y7>p|_KJ`rCBv z>wDzywd?QZFD^Q|cQ-$+(dJ_rmVdgRf4t}VA?rh*OU;m`&TA8EcV`&KJscLc zp#IO51JzB&t!=z>MM2!=n`7=B-hNx%J7vSwh$~a%g^}ExV>$U|pKaXrc+|u_6Q--i zw|KBWpjn+(yBZ}Lei;}0vGk$O#lXBpk-M+D+Gb^}YwDM&Fy_vZuIzR8Uh#%iT}w9R0>6&a6>;=LIw3x48WN=*77& zHdf`2S>Au#?t(3)Tif5;{qx+W6*tBf>whoW7+2Nm%k%Yjxb^kQw+(G|zTePqtu72Z zG3w#Hv*q8ex;m5J_IJGhDu=}1%Gd91)naOJdi=Vage6DkBn)5v{6wz?t9)-fcFVEO z`SG`u{xe&gbv^z(Y*ozYp}t*Hmwq$puhJr^{pPvb2Dd7hJMzJag9o}_z7t=+VY}aA z>#qOt54G8MQ{yV_z8F|)o>$;DcF-xgi@w|9EW__|8~8;=laI%3 z-}-RhjLNv{2PaHj+pk5xE?^|~d?w?+mw9)Nl-fW8{6X*LB zZN6qR^T#Nw!+X-zo$ltGa^HWy)gNtIUUH9qw7E!jch}82yJzVpzrNyBc754^lHG9` zy*k8hyV#AZ*R{##OV8&w2>p{A@o3T4R(n&ehb-Fj$ydw5XFh1wxb@Vs&}CQmc%1cJ zpdI;jZ|`qrO<$EM>(;pbmw%WCY#-zJ=f-;XTebI{*C=&JyU;}^Ki(Y7ePOe8T-rx* z{qD@^b=f?zQMb>Zd;NZTgSl-3RqmWz$vumLTSx5f1<#o>bih~R>T8eOI`Q|AJs}-? z4V@4jKQvlc8;LA7l6@apa)@ja+99;|!ija1f?1v@VF7)2o?5Fb<>}bB$Iy_DAz?#9 zd-oq21I(r!5j$Q>1q3#0-J~p`EmYSQ?4b~hHJ-#a-BIH*PZLd4d5cUXl^7onj6b~$xY{y zxl}HVTg?5)E$3Eq>$pwac5Wwkn9JmjaoOA@?iP2CyU*ow&$vRa5`t|DiH$@hag?}9 z+$HrS%_XfQL6UZou9BXTfs(*(a#y*#yq>&)yotQMJXGFMu9J6{_mK~lN6KU5)8$F>H2FgL za`|fcZ}M&OgYryyw)~9zoIFQqs=FqPd86CPcdI^zRG;H`6lzd=KIZ$ znV&JgWS(n&%e>IM%)HXP%3Nt-Z{cmxz@n8!M~ki&-7R`r^s(q?5n(abVuHnFi!_UL zi{%z8EOuJ#w>V;P(&CK8Ig3jcc@}pp3M`&jlv$W5R0>ChkD{)kfx=JGT+v<;qUfpU zr5Kt0Oe5SXyup6Ny-#us&bxksdBaQH{~W}wlY_FPg$URrYupG zDXWzBmfn^=mVuT*mhCKcmi;UvEF&#PTE3R@W0h}JVpVBnVQpotv94#`)H={Q#Co9hQ0oZm zvDOo;Cs`+3r&=$tUTnSGdb{;b>%G?dt+TD~S>LxVur9PNv#zw3*vM>DHug5&Ha<4~ zHcf2W*|fLmZqvsm#%8ijl1+-uY@0Njbeq*S8*Fyl9JI-{Icamo=8{d0O`gqtn};^V zHdQv&HcDG(TTfdb+Xl8xZCl#5vF&Qx&vt5)j-uq)o9gp)ne5u z)oRr`)h5+;)lSuZ)dkfhRjw*u^-NW%s#3|+Dz&%TM_o_tuMSeTQ@2<5RL7_%s3)tZ zs8iIl)eF=M)yvhZ)oayT)Z5hi)tTy(>WAt=b+NiiZKko(IBFVbnrMPF9W|Xb12jW5 zk(wAytR_j5tV!1_)vVI2)vVKO&>Ybm(_GM8(LB^V)0Ai`H8yshcHVY%?fmTg?E>vu z*@f73w(Dg#)b2~W33ik1rrFK2`_XQT-FCa3c6;p(+hy9FvAbY*%dX1K!rsQ-)xLp! z6Z=;7q4pi^b@tuu``Hh+A88+BKh}PVeUklb`!xFn_6zNo+pn{=;#pcFu-B7L#)G>4hatF4nH}pa9HKA&0)90L5I^0 zIS%(69y*vgS~+SQogKX$>pA*4`a8CAZ08u_80x5V9O@YDIMQ*n<21+Vj>(Sm92YqL z=(yBzr{jLdOvhu6XB@9MmN{BDDVgd$nsgF~P(^#ii zrv#^kPCq)WaQe+@i_=c0gHA`B&N*Fj%5}G#a+&5b-6h3kp372~$j$uI{dZuFYLLy6Rkex(;-m?3(1d(Dg^xpIleF{^q*Db(`x>*KF5wu6eFc zT&rAVZf0&8H)l5=x4Ldk+?u+zbZhSx?$*;S#%;9Q6t`(^v)xkN7P_r-+u*jzZJXO( zx07z?+;ZHmxZQIrcB^!&b~AIY>t4^jse7P%EB7|;A?}^sySw*sAK)JCKH7bP`*inY z_XY0D-PgGvc0cBR!TpMRuKP3hGIyniy@#tu0}p?XCLYZ_+Ie*J=<3nkqmRb~k0g&Y zk93cpJXU+G_1NjL+vB9i9gkv<3J;~HyQhz5UC)-DL7weBLp-~B_VOI;8R;40`K4!q z=M>Lrp0hnuJr{fa-$=?Vh_mk9l74%=5hCS>jpYDeU#UA=pHkMvIPp5mS2y}pI%`LeZVZ9XgjEcyK>* zO>og9*|el41XNJjfkG`*8Tx@_93;W-Fw=TPl%NwJY7-St z>Mg9^aIg1~-%>D4d1CO=*LTX%UDJq@^^-L+}uW zy!cUC7Dr*ogTEAxhlNvGgc;!xj6@0-!i;H=+*lvVV=O}mqqMA!tXxV+dGIh8VtZI! zDJ|;2V6ikvg?!Lp!(KcTF7N=yNl0Nyj)ZuVgDGoJ0EJ;M9DgN9i#Uc4k%T2?c|;g2 z4FgMXC=LD~AA`YQ!bKhyX38f7Q5`5bMGJMHaF&LFsa3z4`cPe12C5r#vhomCQ-222 zRBvOs1XvCvAIv@n8*awWOx*}QB&hRI9Nd%w57TX8Z-lc?$+QDUPL~IQ&>T7DjQ@{l>gP9xZ}c z9sxFd48AcfxlyJ7Q;2(`JgS?iT%kOnUKB>~h5C@2eu%578(`vxHc*{w+C+I+I*LPD zP7%y;iNP$CBD8`V5y4t6ky7K0N1KQ^4nMppJ&Q|3ID%Lj%9jWadAVTrX0RwtA_DOs zpSC8BU{YEZMsb3h!dN~8;fHwqr8vMO7$}P#f~h4p!i{bgNAM^;(jpwO_-T;_VZn$) zoNDYQ{)}+AOqI{kMJ|9WWf{6(omd)xsgwfd~mZ(Udqd|AdFxU z48S6oEDypsa#I+}qn{8*Y3QM_U_7QcAW7q+hlO!M z9#$8)sT`_@P;dVvIajxvu2*l!I7wrK4!QjIe*bL95zu5BzDnWAUCHsSD;7D)01l4eI&$n}t)HKFc`RX4_$lmJ@ExY1g<#;j@n3e~s?Z z9wzHj=9=%8%k$6t^6BXjbr-enTIfoWaTybGUj}P|4%bv4lCm(M5 z!|3UM;vl(*xgN8?J+SGzyPrP%d&yk0(f7)mxVm^Q8}~XX#7^d*nAgL8_UFg@2Bm-d(S_xWQcgU% z^tjQp-)Enyb12QM)!c2_Ud7r?@#8$(3{P9Pbjg6SklQnQH)`ESS~U1@AHOl5^d8cB z{6x#$A3NXd@7phEUr2fuaQ*N-2&e(~oqzX{NRIonPqu`qTUDMV2>`k4Gs zlM)%XTKa3Ia;V>ozqdai>nmfr*E`HCQ>^9NH)Ru2>+UOuukLGL6%<;xPxX%7 zw$=wn?>IcYnf?5|U1XV;`eteBv}l%iSu@Df=U}VIIXlbhR_g2AdT=H*Vddu*ouk5X zl733zzG-2qgYb6x_4c0UpW5H>>o{moqjvA4>!IHi2gR=@AGaW?p7E)s%Kx8w`*;r0 zTuyApwWy=X>U$}ZlXclU-@e&&?(mM$2d!;)b1lB%QhrLx;liRiTYSDUfeStJ;8q=d zC0Dm>=bXq^2RX?HDwe;0+=zr9s<%6(pW!Jyo zbK8#_{@~-8!wiqP^XgtM^HQ#JK9}}%yJ5HFgYfsv9h^S$)3IFP@a-N?e(A%t|Mu+u z)%i{wzb@LGJi!OcdH`$@Q$Jl+~Y0tIz_h*V++Q<>%;$zFxNRpc{QXI@8{F!YiHG|7FXRsA)qB*g z;ur4u{NiB)Muc$d*5A#W__&H|WbXPr@zc*f2!BH33H5I@ox!OFyZ1`=Sjnw%pW32T z`;WOn<7W=qvET^jyXo>DcXIY~k6$jobEfhJH@#7vZ>}vo!iC*^GXJYeuMfgsHO=SL z{9p9k{s9ZtJ$ApqO-(zQ)jYkL)0Hb1ZCBUlR)!yM)bc_YSGl88<0<>kaH(w*mRgMY zfwSADHT*sD^#|cM2`p){`MbN^xIwWOBHXh%{nSr?j@Uh!>%25IxLLLt_sOT(Ga{$2 z;I5567Tq(#h3i}8v$id&Stbw>Y`@gIb*^l)nG5+mn!s?M+f?zedE_UhCYzb)Ux zd0JPFntd{aOS;yq((KWFuFt4bl`GD+;~oq++`h?c4{lxS*}<|QwjYE)-O#+Q{~x#s z=i=b6?E}KNJ%?JC?fv97=iB{=&0y=(+}f%W&!=^n$c1TN9$7okh3j$Xz?{oT-*ZW= zVf8?E^n>t+sbVJwEZ)PdR>oZP&)>vdo5@!uTf1>He_LDUaI`b`%htgUe`z#{i_JVc za?F9cT+?pb*5`TYxfuJ1T*qJUeh~ilXFFH)@ao5XW)||pEW;-5b^NuLDVtAl_YSr( zbp2)w_gN>EQ_mIETu}7qy1P?%a4%-;>@{Z5uiUVopKfn5w&4fiZwYf#jSGZNg8cak1TFR`>QO9C+7_h?1G0QFZ2 zF8+r<*N*N`!W|f%QdrRN!{fgo>crHa0#|VQA!!#EoH6Gn{I+0(%(c z;PQFP57s~W=I@)j>D;)s_ouH5zjm3M^?1V%em_0r?#&<8w$G7huG7M;-c}JWxh-A3 zwd#GmklS$j(x3Kj$GC5^T-*o#L`=Z@f6o?=pW8S7D^8w%uhMnLEbeEUKI`V2U+0={ zJQViD50|*6_I{5O$NO`|O=MrR`5o5*+5P?P)oItE_;bZt_W zb>7tv!hg=K+jiu)iQIw**-I~O%;y@&M!PlfiQx|QzB4_)P9*pH@WGvqt?0y=wVC7c zBqW`i<9}?#=DFTn&qMVV9(win2jM$yY}^0V&>7q((kW9@tfXADq-(r$+fiI$(Y0UC z~xhnH1%(|r+=>Mrd^bAWxSd{=MyEf$K zdQ<=;!oY-L@J#}k6iTRM!T13Q;j#&Le}4dI&CePI|Is>2h+c_1RWSj#ur4lLZ(#pZ zzun9KHONi^;FfX24qn*>ARSys#O>z=)L_EHox^Vd;sW1`a|~wzPM>rIP%K)2R#EhJ$Hfh>CZ#a6(C00u?lk<+3H09rb4HXZe60B!MoEjM;IU=EU4 z6h#LF;P~ohxBo~1@Rp^a($jDPbna@Iv7ux9&-mRZ%ajgmGy$Y`I($Nk;((`}`T82X z1HcZXmK({y5CHu+zw^|K9?)hDTu)NZ0Eo>AG($fZ1w6Jh*@PI6{!e`{^LOHzA1*+m z9Inwuk|=<5GgAC;H#8@GU%mR=bXg)s+U2gq_TpMVJKWL=@k(>+S@YAyV_Cj5GioVW~<*brAr5 z{Q8LcySacm)11a6AJ6|8f8)WYjW=dBAiD&XS`6t9@GnpZX_w0quwLX5t-Q();IY>F z{Dq7Fuz%-j+puH+urpxZ5?TebJA@8JM1J#SUil#~a$QZ!Z_8XuJ?F5-f!->t8t97Zy0WoEb;DDnj@L5%D&4fZ__j zA@tl5h#>tSethTFQ&ZuEV-s;F)N4j}0L4rUN0{==wQThu<4M)os6k$zksXh)z#Lp- zpmP`c<9;ZNsPwJGk|D~5*g;e+V=OZ@FEG2R8uV><=f6a7nI;b8lxBGOsMeb_49cHa zcQ&dkv~bd&pZYm*&MnsFt&n|jXU+#!4QIBaYiH;;>0wtKWA3wCbgQwRic=Z4wq1wn z-k<=Gp{IW@YZ}Plvz4J7Js3n1COF4Bx9K#Kv+Of~s`hsK!J~(4Sgchfh%M^hp5O%D zR4hn6hkh`LQ~N`+tYa+sp|C0ir~mNs`I%pBf|Nl5`|8ehaJ>d|mHA@CR69CAj`UZX z%E1Yz_Aytw4?d_^1kJzU1Vw_~l--(Hp{WZq;M3#j#xFD0-ph46Ycn_xrgxdry>|S1 z1@bwpilG-FgGFL59njy;5m9OMER!50UXMI7s|Ti^+J4y@5RyWo2w4!sxvw{M%JGi) z9FN5Nvo%cPpz~7;8o%tZ{>g+a6Brc#0YV2tph`sL$Q*7q`}(pAP%n569_-x8n6G#g zwuhM^YXY<~v7;ql*h6=)j%RTgF zcU^_GDi)v0!F95N5Lx@0EuN_XeTG2si1it|>*)*jY>c&ln>uPqVIhiTx9pX){+7AT z8vIZ!s$3?2c^}h2&gyv^OHOjYhUztVI&o+yxF2$N`*R#ZSIN_JgV>sm&$N z4fF+HZl~}-v}X$Qdqh*22kqnD(8@9oW;)Tw3#uGyz}5>Ei;-c8D^ofmG#Zy=iS$ch z>MG!LuE)Zwe^2QfW}}Ut2wNJQJIoqg5+dlY`#y#>TibR0?$AMUn)+LAfAk8YU5AzVu3XqUCHrHYEiomAjHetC z_}dIxDx2iuVBRc=gbLiNihmfQIeBBdNEJA_FVbWV52TJdzXjA|M|;BC<*kl0YwbYg zQAdt8z*cvP_C@;yNBiUGAPMeVR&5S0+IFEc-HEOltrLl-8V@kpA=ZUS40uKZA>sjJ z%Go+eHjsrnpW?hwo5+eMZ5$Gfb1Z$H0*9r2WPz6K(8BWuz*RJ)t+7Jy(|b~g0@U?+ z$<_BW#Z(4D%cf;)nSJ9SM?eeHE2OCjzk zAaG?(&?Lr(-w>e>kwF`SH&r&-tcw8zB?AFT!UzN&(8cR#%QLt zLdVwXml;z!DFaOj+<#7iFM#wpfM{EqKtxRob>jHG%V6}Wu#^Qk6%xRv;W@I(T5)+x z5`cRa?oXLuHl>XUwo=5>m{8#eu!*9hTZsVq2PM4I(#+*S zdoWg>AZvzPh$49s`7n)J_i&y-Qx8XzVA*j78KNYUgIQrPA2b0xie}?Eqs}%4tI$f> zBZ8vNXcG;a3opMLHdE-?5@_8~u-|8H|0)tgbwW?5E3=SGUCKA}d7BU`*=7}+Z|IuKd5!Elgnvahgq3j}BPU?Zj zymJ4piKa=-YMl9A>EcSpd{O(-Rei>9daWJ`S>J5Uc|=7CtMIoIl zHCCGI)H54eB#!yNyPs*?*jaV|zh2(|x#9Q!p8kIf+yB$L{eMsYv5^1&!qrWJ|O7~__*mqDHF$6_511X4I%MHR+rW_8M^ISZQ|qf+rnp&NP1ZsIF6?!RfqYb z4^b`3s}^%ki^%{H;08VwdQ4$)w>%XcF9O?K=j7N=G;&=cC-MM=a8^~d0b_|)C-7|G zs9I7vc_j6aLL>UL@?jrjfJVEpeZ0eJWog)^A;lq8AM~uRHB=LU)#I($o|Iv96$dlm zGFQ=zois)S8V;HQK8_&UaVn8Xe@PW~d3}ZDP;S*ZU&+_+to~F|!&r!m}m6uJF zgP-@tidojFM!C8WO%pQ(YT1#MKuKK^99iMEl`E z&@@?K+;xj9@zxZA*amg|`XaV8J!xL*o=llJ({{L-QpEC$`i}DMzcnTz;|APt!&X;u z8pZO$>}S-DoLO(iLxQ_by`CUXZX}moFxLm9E0r^R8PZsrac6&p*!0%~w6NoX~f$aHBbZQR& zS@?*M_cU>660sF(Z^u}{Mq<%%{VA86Z9g}DDj0|!KKA%<&Y^|lOjlzXZ{21Iu1lp1 zdpD4ye+E#b-WPkjzBb9=N7>DoRne$Lk9dx8Sw{D9cD!LSNmTm5E|_EbzQ;L<@FYA& z)wtmmurM)gB>O~wL^Cs2^Mz8(RuCo)=85N>ok|^cwwvq)NMe=!z)9ELeHkImPV9B0 zDi}7E@QIfNI5ZRMorsSpLh^|SBE@8{XJ5!wT1i8ap()r!+hB837C6MT9A&O42DN<+rjnCuDg9WQOKqK=v(gN^mVZhRgQ@jHBp+t#m;`&O zBUzK&;J-3>FfCBTr$%g1g}}##{8jG=T+m)m_XCmn)ck3=nLp451i1-d-v-o7{{Es} zEftvPlt=Il>&MUS{S5De?CU@@u=HO^(W-bq1&SIs>^sqO@o8AeQCfc)nD#%dUtF~x zha5C4Wk2Y1cLw%V!($auRQdA$arP+m6&=4{4(W5Dx20o29D&cEj6Wp$$Q|eDcv}bt zgSIGAV>&-`9sLH;6=3NMEln!=A(FPBfiY@k;Y8g)JI{8S)6xcy=5;rdJEBo^d3&h9AWm~JlC@iWowY<)0>bI?Zyk}%ePd=oj6f(XPG)*BlNNM^R zkCv3qlX zd{8c{kW5GSBgWZBnGJ#%jxdM}=g@c-F4y%u|3(?rpq;1pL%VMJIY@n?qy|BD?5$Z9 zv{+pImW8++Ul6w#eWjHwj>xss35V=x1th3_wr<;w%yD%}UAjTcr_wO&NUoV72+`n8 zQ=_%=Do7@jmC%z<5;kH<`3(($?`)OMvA}>A62>M*}9alSmTd(GydDH#tZT!`E^&*-R@$ z|11zC7LCi*_j2VhPl>=f;G(2NNn;agOk=FaCT_|%mTeN3$uFGt80DN^c^c;aYEfv8 zBA@Gm0>P$>np&2~>;=P>cWx0V;>={*FkNxL)03b12P+c(t88k{{d#bMMlX8$%DoM% z_sX4Z_8ij``c?ln6rGgLSS;iJbG}ZlcbQgzoj~&ioCfoKef9BA)KfbCEaGvk@Njtc zYj~}9*PUM~?z<-ysQO3E!n&)7QQ6$pj*#P7@OIOh_W%+i9ZJk7Q`m=}HlrFdE5);D zAU-)^mBE1dp9#DQ3Ti0uy_uv}%}j86gsO4P5M&ihz3`ox*%i}$e+(y8;E=`bvZxyQ zJfyM{DxZt29_0IwA>AObkX8L6cYzlQeq~E`P<-J?ap^=-w5fBUBbcTUFa7q?cEGs( zdy6(S!1Fu7Hq;hxvY?YRNrk(R(Q)+6304&bK|TN3XJp4W=OZQs_Fv5$kHoT-u{jH8-gHuT&E+xj57pnr0GY&*Jo$r;KB#}B#n#)1 zInZLw5HnH3o+1F{Xf)rbf2=KFYpx|Vkxs*xNrk(ig@$A;m)zbF!c_TkYxuUj8`Y=O zB5J6|UA!-4VE_Xm{YJH$K11n=LF$MZv2%Dd1|oT`M_R(*Z$l?59zCzE(YxwnW7i)p znn5^75cXd6#)_#d2KAVgpo(tkLBA}&fueQ6e)YVtq_uL9MCf0XQw>`q*3ZA*M6qC1 zAq=cTM~Z4`bi;;3-fIUgVFCUor9-sXo-+F%Ms1=H#2Dtseb6wxxwLIKW~)cs`y{*2 z@c4m#4i6?$X^`P$jIYiBPa2UlG~`Kjk*@m44*Mt>GzhIbyXa7 zM%NKfi7?=+ALv)0YO3p5tw!C^;u4(0N#*=lx^j9c^@9PSpAXHM@GK(_lHYT06Seso zIqFBm6qd|c6umg;27n}wcUSn~Y}q52cLeb_--GOjV_0ZY@35c0x)W$z^?GX(Mjg*) za2A?XN{PNfoj^y~@z#aHT!1us;Yl&qbbLZz{3!J~jKv6UpG%{moqt-ueP$@{o*Q8;B zBlJ%@@Kw35VNBKdt+k)MkOw$buXF<0nVTGpV~n+2)&OesLBsy47T@wavh>m^Jw+03 zgTR2w3zF2mjdpt_GS(?lVX0@LKEVDk=1#bGE|Fvvb*i7NfxV=xy*~)eD{=bTR>? z`Icf3$muVcz6*K7oYXJXW~(g3$!6slB%%&^f>)r1rqL6bHwx)mjQ?xGvzs*Qhvp@1iUrujImT=LD$Ih(? zC(4wieX9_1l)+$ATq6Jc=#;RhX20q3z1_pJ*dp2VHus20nu!tZSxf3_}lIMY|8)Pu(6Gl}a=L zQB##9aW=4+3K6XpnI-di!@07>WdH%I*L=YRS?Xk~;&ud9C6yG2sURxMc~IWPC0p6z zSA^@E>ya1GtGr31$EQe|xIrFv!hN(pa7655Gh~GOHR%<{2Nw zmudSCmcYysVTp9}%*#!Tw~tj=mZcj%6>iajPT>ucAmf(DO{!48Q7qVax|Dq9dzRzU zXSHkny;U2gf^hu4A`dj=CXQpyx-Qt5L&i=S!L37FJ211`V+W&~b4mZSU(s#Iy(*U9 zSv|{Ry!Tv&^~JX982LMZSQaqpWI#Nl%V2V}%2xn$ks)}83orXJh?iZezf1sqds@{V zEKz){S8sw{W->pJMQEH~WD4kGiuGo@V=e?TBosRk?#MtObgB0!d!|ZK;Ab-3&$Sr#Ks0 z$+8GF9z(S?*Y7~6pGWI2vm5K4gi{fe_SX~kQZKi~>~k^SRK#N7NN)>_QEc(Q$M z_seJey-W zalpn}9E$x}-Y%xJo5v9fMZ7JV-3Rz(Q$)RvQSxTq>~Ny|d#L`gq3*k`6iCiyh?CYS z@!4ACq>N^J)%idyT9Erl35=Y@``4K!$iQv^cB z0NiCHci+No&MD!2e>>UPfS%Bm{NH5{Ww1hMu{SWiHNjzI4#!dWRmF__ z)6ein$s3|Iuy*r^=B&c+ss3Q1r|Hn}M=M}3elFS+B+JI{gs)IOJg45=4GRA&$#fgV zo)XH0HiL6^htEcum2~oQHJSKa`=g>26m|R!r1Bey(l|wnCUD^77Lg&Pk9F5&mL{d7 zbI4S1U%MLlXo=b=Qtyv5d8C7dT28(qP?hhQV;=sU70VfW8tIfb-cI3&XFyw?jLm_= zR)!!=V2OLo(j+R*`K-Kf7~^&il4Am1z;0evOD5aj2gG^KTqqg|VaB@7?qu+5tWG(x z77Xdp*nYkusGPxb=I|~B-Nrlc?XWA`$%L&1pCuMy`JU)7; zhid`46Fx@HpNG;wYjU6}3cSyj7Bh4f;Z)^kK<*U!0A`6!$Ukro1>&STxI|N>I)3qG zf0@BgbTyDEkf34oACt-U{D(-}INE0vV8;yIQu3`73uAzDW*F|%^vvlv! zM(TdqPE5rEsoXQ&81>c*ZM1zZOtqm4xU>}De z@(NZXkZ8-Uvi~nfB}mG_LKu^mAV__QBm@TTt?2YspVBNE{in7>Fq3)s%ln4tC()d_ z`g*)KbP!>JK^2$ZGeo?Q?ouWj&bl|W|FGc%*_r%`EJBvti?g;C#2^hG`>3vWk5bTj zZ|MgMT?A06vR7KtAeROQWPo1AdzZC-llH^0Xk+ z7aEU5my&aaIY@%gcIcTz-#37?Pe(~?tB25HORKX!Pq&67w!Qs}&Ma|darHR<%=ZtY z+kajpnz!V={`PKPV`|Wwm~0ef-_5`)!HEjnlcRElSUU+ie*tozLvX0!zeZr}AOTL} z3o6k(zl;$mGFrl?7bV(^T*Q+nzJ1!tA!(QMeyE z#w&bi*?3BY`Qa$unpLqAW+Extfy|u1_mv*&SVJc?dW=8uvGr|9sN3?X{1m~_iDy|4 z!~)rUz{+&}qI1#TSHn!9pqBdV7UcW8%|>-a2AjLco%^X>AP)9z;n-cgg;O-SYAsiU zTikiI)Z)Qigx{c`aZrBpsTG?W$7ors8qezH_6n#yockvI)rZ@q%oRpY_?9q1 zd()aQqSJh~CjBJTs2V8Ma8Vw-4f{0TKJ@qyw*!_Jw~bGhDjcPK0oGVY-J^{@&iW)% zG{`B)DkC|tZ~ovB3btV~dl$mn7%3W95Dm9{zg*4*bzox!^5o&P>Z*JvplZkutzKnl z3Jn^FAiqojQ*8JmyU_kET4ycJ;z5!yI=ouRYsGp3C%%hgJDJ3F~rFWMs=az?12qJZgU9X z?DlRp_?nD!Z0v5^2<2nb^*@~NIAiYQ& zzhq7KBd=J84gXI8%4>Xy6QC>EB`veuYPsLisqIzX@6`WHs0DbD_oskMQWRoN{IVDe z>fL!Xr2*;(F4*PCX%Br(IT*JU@>I zUfga8g2Z&H7xS$2^JQ2hTSA4q!ZkI*+{F2cPSDI+($$_yWGHlE@PvyB0#-)sZGOGW<*)W4`Tli#z=`Rs@+z^Rh%`>~j;>d@t;gocZHY{!%SuKJN z>jrlq9SUHvl62P_)&mBGV1ONBm4k6-TwzEjswU>b%-GusQjEsRk(A)=|) zIwV-5n5xaAw`RJS&+>u>22{EaskG?~H$2r5V7tHSkf4h5bf~CTbif_t4y1VSFKSR8 zcbeHhglFUQHbS)sc{sq?-^yzp5eQ~Nx+qNSs^_bcc=3-!C#wO+vjkSdF>WbmskUcB zxpe98F0z6jZAQ8B^ymPv?EdTHEZtPB#$x7+&@k`}oH8GX2}eBS3?Rc?#n(SqE_`o_opnz8C3=(a z%cK<6R+S|rawi?R%Hfj6uHQb*`y||m*DnFFl4i6kM6+hoX<0-_RXr4@ze|g{#bW!;#9m=?mDl!V9waTBX%|*m7E>-zuHGB*E5#QK!Z9j^(gX8n@V{b55#pEJ0XP20 zcKpLTwT9Y^&@j73zHOq1)%}x`75}ep@d*#RU{_LGa1q>P8Kd@CHwZyY>DBSIbDp;@ z$-J8-NMu;b@DQhZeFFao@I~}Qy`4gz=V!fevjDkSbPD~l`br3vlC9$VL@}D;u&SGI zj7l~^O1k-QtA2{yjxzUElDP8}8zQ=)xNn9(=x(i#Ld&u{Wwa7nuMRzqBiB;3mn8jYFP4DG%K+6 zsLy)mH0kwzd8U-oVCiX2>*}XU{r)jo0UV4sS%D=nno!lsbvR~o6ox{V%D_ittDNLX z*3O4w$)WQVrl0s+l7S#Rzh+n)HenpJ^swwLa#(}j!>BILvCK6pLuO(eur28t2!HmY z9W3k^{O2#SVY#_Pd<}7P{wm;bsrGl^vRLH9tCeS5L5|Cq0PpXKJ(OBkk?NNdiy~6j z{x)h{U&X4^e1oW`B#3tYitkeEO?_?m^?NRrZN!fr8|vR-bYv^5yWW!& z5Bs?SI0O(6>6zjK=uDaT{Mq5cHPu5>Rb;A8%E7Bt#O<&e247!Ts~_IZ@BdbPP&xS3 z>_{uXrbSb?O3lYz2~pRS-9nQ~x+ojNJ%`DJRHG->_~TnW(^9E%KKe3FQ>NIvznm3 zNP`t@opMR3SL8TL6bM58r7Qo3!_4ub;|_>@I(^jgju(nsw={nO3N1rJzTC?d&bU6{ z>t^M-MVfHO72GNI;k6n(%z0(~oo-I^KO!e=8!>%1 z1}_rEj99 ze+xSnQOYYi_=azScf;W2tOMo2Z%nX8qu0Ox{<8M>T^lv+cPI?~EssinbIY$9eQI#J8M9Lr+=^XhvmHv)G z5*%1@@BFZSPh_B+5SuBO;eY0Bk!+L;|DyzhUWqqQNF({j;!J+-iA7GvbsvZ6X>!#> z3zziES;n+Xu)1uJ2Jj2WU(_sAWr8W1F7V(gdn5~{e|wQRjcB&4wx;#RjHlGJ;(3zS zBi~sYN_iKU+LDwx*oW$)WjJjNHnKTIntyv!z;@jv=9RXllQ0vwITVvuUMKKQ*0;B! zte*}3Bza+IzH4CCFQiZVY7`S zIX@rfxE_8P1HtELi+5-H!tHs;kmDEJ7U5wSREh3%82yWhu^XafIEmZMz%BhGQI*Y= zG~=mJ);&jUO2Vz5dKL9IPKw3~CUiu~d+KIln7`ZG2r@Q@moK!o%H_82F9pVAcRphG zJ=bJr3J4}F!kXCd-iIC?=6-{Ziib`@i9|KGq*XX}<=jBGn(iEg7&lk>CSDiI!NPlO zl&tt~4w%h5TJ&ajQ&uDIH4&(5%(-Lt@3cw~ZdZ`}{D%lcY#knbE^W|zrB_64V5Ls) z5<{T{r7uv&ti!@#US(hxlnR-%B_~`cQ(MxrT&`t7%?Qcd%Xc%5IgcL-3)2atb1QJa zK%qWxI2x;<{x^)?76_{q15@y2GT|RWidx~Sqi!DaTOVxguZZw`S=o6|vv9Qu0&aXg z0sttq<1Ifu9<1#fu>r=Ca8yh-xHMaGWsx({y_olu4ut!f#tRmM^qoq>pOS9uUi<@d zYW;UXv>QjuIa!FYSb)pCAM$4x{r>1J)YdAp* zG&6j5jDyq2LsVv*JH_oM=PtnTjcGCVd(qY~D`|_83OU%b-bTK%5X^^)ZFIr5ug9^( zI=n+!_Voz9DJSObN20UN1m|R|$C(D2p5nHtsQZsbh2@`}vW`f8Vc)#(9;M$$N{=3# z$jojBiB{S23Hhtklu$!SkHq%nP|_>>>Zo-4nxYr-OSxw<%%n555-?{G!C~_OzCtH^rL1?eFl4NDf9qa2pqfye}=m8(sW|tUn$Cin&Fw;Y9pxW>IBj z6>N?Ia%5dkL5*lP9(1suwgsRc<^@So^#36|25c0wE3>7_Y97uDu_z zftS^$`eQLPK(d`>!AKW;mAo0iEMY4HAaV3>#M(DH=fB7#WIf7E6jT)_P)#cXkb3g^GDb&QbEW6Cs$bN&yga zx6M#ZQ5}uiNuVNdaq3#hj$!%R`&Cyv#*~Sy@G1Nh%H^C|zlbTU8n|9{r~$*o#rt<^ znNdq^yK&E!!C*}WD(hJwI(nl4v%G~jtaGr9Dhz{F_CUq7XnqnG#MyVZFZ#DqZXtz}Ch&a8z8(UJ%cL*Dq@iW2!vLJn94HR__CVd_@L;er5 z!OZDAg$SBMtoeYr;rvuG&(If=&B^CXe~&=%Kae|X^Rkq>aOqB`-joJd^8eiPis6H3 zg4B$AoZ9J2<{r_EqIT`9j|83ZS^T_+#;%Thf8-r9sxovYnd6V`wL$KfAv+Oea3(jK z*N+wBzjhKp%TuG@7e(C363KrY2}Qw)yBYUGYFcn%+f$l)lT^_y3S0QR^+1?=@Zf}-IKRcxzQI^F#>E_;Hlvb?EU+7C zpk$eRz14$H?%%U+G_2K0OQElCZY(Rgr1QKlqj&O%dZWy%!1F>uh7{#RM}1IIJF#}1 zDJqi1UFY5S2*!p3JVkkZlAcHp1w!c~g4QBLC?!_ex$Ue9Jo7WlL3wqK%G)JOY(M(1 zRs`5HXe2~Q4>^siIgmnyI;Bb}U%OBO`!Qref)+6gyZvWdOcC#<4rjei@T9EvL}h2)J0mGD@qCm~G?wUPQ@P%UQfr}Ua3s(a zd+~w7*S7rH-2 z=r5a+ih5M-P~Hw|2H z;)x?%{+8+?pnvJlM_9a+%`2SY5}_FxcT=I^)mL(LpIXDdi5`xH+3wg5X02z6I;&yJ znS(RW$sD_N1lqVWKi;K!gb<6*>~9{SiMQ$1$?JBzXVh`?0~FcTgwTH9_V_k8%Waj{ zlH9I)=>&+(2}nQU6FfUM_qbG;8**X#+RCi{u)B1ZTkv1!^UxdTg`f-!(VmRrQq<`4 zGNtb(fKVFj#dvgP!>svk)&N;`Ez)jXIrTswX$-R9ndXXMPVz60z68z6TwBcx!9&ty zed-4{WfR%D^O*Z2!FIcnzq6L!$YD@ZtT%x-B5tV&IiqdFgj#r1bnX^M)LltaOxj_~ zdBNL8MiqQoPe}*26#cMN^-SNfzzLm0)!HR_SI3_r;$F2gd%60t9gGvI6v zngp}_KAXwqtY~n8S^jQ(v7kKO_3o@_W+>G#An!T1-W{vYW+{C=1 zPu+daJ!;PP)^${9i?v{~G~LeFY+-CH!jx~y3yV}%o?6~i2z7((R+wJP;%fS9Xegk*z~a~jC01iqhzI?-#j?sx^kXDqH+P4Nq9leBT#?SOUoP~>;Rb@_gI z6s3*^(Oog`=kuue^wW&)KCPy{IK8}#!oY^pobSg%s+#x_FJ)7xw~Bu&tr%6P8T3pC zbrfdji{{qd&EI*9pY9u6RthGoeP?zq$2)aMN@I5X(`ts}^)^~#`wFH|DUSg{4~i&& zS=zkRuW+T7G3yMU9xL{^JQvV`myGySnH;9y<9tJgQW;^rq_=l5Al>ZixVxVr&YD7k z#lef`F9-TVIY>*~Jsux)E4QQ>-iVuK`sKsAEC z9APGui@Mr|)uh_dv~}&(;6A1X^<>er=XbF6;On(VV^eR)m4Fe(mRktrSF8)&R{#}e zlrkU~^XhHgoc?LhVD*1Y@cye;PB=gubx+~^w(@R( zQm+Wymr5ic@kfU9_Mn0_>6j)JI4`2*-|~nI?5GU65)Oy{T*Ja+!hc2O%JQ)JFO67JGXTD4 zn5p-<*j9bN1G_XuMN=K2b!Xzcfn7YwK4|(&Y9pXvzn2a65%elef<6rlYsP**^R=5m z7{#2Xe}@3eiEDb!UN`@5eF4qj?XNiRoE3Vv^j3&ItHuT*{_te!ch#@b2ez8^zOjz) ziw#Ua$?&Ty?VQSDn@P9>W0a%RH=TXm(SsW9v7-F6;zw9e$~#n`Nle}T4?~SA=bK}O zQ?3GWv*{i{{qR82o86vC1ew&G&~@)sh^%O$(Oq^Fw$9#F5Is_u1p>>a6;JD6!m|VF z;Vox{+xKD88zyrV7ut&+#`hp2rW0<$_~2VUU^9O@_C8?qkDgd-U9c~&#A5ks69^^K zqe{kHJy&yjv!$HmFNB|+R7;Wl+coC`j)K!7nid{pbVEupkExh&6)<5b&@EdD1OKuJ zBM?Q<^OHXmrl5ypi>~7aO>e8K_c}_VCc)go?xA`~p(!EUF?x}4{`t&Q)ScaWk0DJz z=`IxgQ=FojYwmz5dzKv-X^BDaaokTb7OxSp)m3q4bK)B*ZZ%W({hn|j3nMtm$xEAK>${nFwHhh&5X8!_jQ9AK6+cI{C$b7J}4)1TvQOW#kzfc~cJwx$3p)gNx;opW^I>%`a>;SmvR7@Yf$zs%&`h zdD8h;liyY*pKt7pWnwS+4?H$b8@wau)0o%J7o2(}6Sr;V88k6)HN`X0*k*B0+D}Gn zz|JvUiVAtG%47Vn-X@efj9MAF1d7Bco)jN`V;Zpumxc?673}O`JoE&2)imd3fgD%z zBm`Y7Ip(a;EVUX6aoPEeURUH*v|wI_!=KzyrR8TvmEy8H$zJ`& z2awfRb^h$05JpNz#1q3G``l{0OC_n*Ht3CB`yy9cPC^NTR(!1kN;G}5Oj+wz55jKo z0pWbE^U2#7VPsGC5G9nVkj&V3FUF5BF}2V4yldSA z|9-U?SL?3)r&2IPE3b*s^&geBe{b?!F$DfG^o+3MI}8s6%Oy8SzW1^y(gfrkjFqfO zgtIFZRtpgEYRN=pf`osSKQYguA|JNp84? z!@^T(usBgVrZdjG68su?6eg$(>jK%9(vI{?-sG0ATn~hu!Prue`i0dLpvi&PbdYkn*fP`ZC`E+OJ-6 zwOTm0BW~aMjX%7|{JB)oAjK3BtVfRXNDW^kQE=;M#>Li&NZr8vN2$U!G*m`3|y z_-4bb{9TZt#ncQzk9DbK)r{JD8eEVf2nJI2wd|(e%oPO1`QWI=;3wQiSCSMKJlxg3 zbYwIVds`;vAs-DdM+8h(_hQd&^OKVJ%k4f4G%{g$bR0K<1@$|xwS}eTxI2DRbIJ() z7fDBqx~U?qaub;sF`pRWzXnkxdxw)oq>nA~i6|Oe%Zu$;fvsIe33c0|?9jd7)33A! z`K}oV|G}zNGqN(C{0^l9?PL+dAh9GMei36*z9#8@UrVYKyf-a4cC_n$lJG&z-Wq)d za7bVo#HIZo?w!8mlO;2gD34X^K$m|VbXU8vXAPFo2d|E*PWl4B(AsEF0IV<^IY9d( z*_tP2I#w*zJVB_xWd`lmmVwHJX1#VQDhKVCEk%g zt%W%j*0?2D*jmc+N_QmY58jy%`DW}4%FNs1Y+jyUyWT?dhz0~vH#&{YTk_YRZG-+g z2y4?d9(+wdkkBd(>{94#_w|@Iq*47Jq@4qDAPNFRV{>BLwr$(CZQHhO+qP}nwv+vL z*i&>@HQwvDig3*%%~*+$40M`OnRxH1{bk=1zPg1$4Q1RbTkg&x!gEmdiC3r3m;E*G zHLFOgl@a!#a$1or0-4j0QOs#kSa;?Yq`;a2lX#g7lKv5K89XYqV?BlRb6(ADH5k&| zJWVNu#bLCIpaxZiX}mM%63#>oV$tX@p~R>qiXEx7oLIc4QT`{ZzVGt+5Qr zjJqpwrgFaR$LtN1MZnN^^G;|YYzILToFS)gqL^xtXXdoeJwppN6|^DXkJb9YMh_hl zUqQWNn{d-~D5?mi zU@1&g7-y$!_k+ctv=f-kf4j7!uY-fHporWFOkn^lXXgCdoP0(G=hGMNh3tYA;LnNw z8Yy$IxEHkNoUzAzZ<3k^iXX(c!@?gBIi=|T=-FGnlhnC2qgg1(fg(VLeSkdTJhKejU(6T^%!zpK>(_T{VIxn4LC4HZSm~~|JS^T^@emT{ zDp5J$RKi_LXDpk{;h5sE2T}5mDSOe~VCvnL?5vjXT|zS(OtS{J%H`|`756`Nb;MHo zaIw?E$$zUUx@ln>)_C@N$3Z#EkXxA0sDjT9;-BBDr%7}$r1a5D@7tDWUpSS>*L_vR zqrJ+5%bHuAsqBH)yFQfJC|r;2(0Fz!si--9a;g-0kFzNZs>pov=`pbA@YYcZi=LDJ zr5H;fb{GuVFn%tjOcPyFf1~4VKI3Tk6wPmE_7UUS!ZIoWIJ7PZ2O0R9ex%lk80QP_ zdrxzA$E+fU(Bx}rLX#gu7RdG)KsHyG38;Nql~}TAY)USev;m1ET=@l})SULF;i|p_ za%{Gi40oA7i?-Zokiy{87-&?Up0)3vV^rh+@~lU5u(az9(}xTSL^k!6gBfgXzp#{k zoDGmW6Tz^_nH#Q|4L_*Q7*S15W~^8cxm`eDh;%S?sE4S`PetXFO}mi z>h~n-#aCA;XL_~%ou$)TI$pf{Ag?j8%+~#(9=7mbKhR~g$+!F{T@-|I8CW5x(s*>n zw1*vh#TP)49nfwDywGkRJ_DstzTX|wn*c`KuEzcFbWHul1&fAmETQgs7UK~A!Rb4A zE<@!jr(vaY4cYIRCdS#KGw;=gZC5f1EJ_}nQ^R)JCS!b0iAB~uwHTUS{faTObwL@l ze9ks#KViU~<_LGd`Jo_hy>qPg8E|V&*Zu*U5eVQc7nclT%M#vH#rY|1V1|VTXu?)h z&@8?=gFnD#MNYeywu}5x5A_h94Q`YGIWoPpIP`VMd|S}@jiej^>bOcTZML$A#!vAr zK>J3kbGj=1b1|Tyt_w(`&|cqM>j)U$c{(-Yr$%E$Ro>bm~9n!~bXAGD;5>&6aG%7zw zU&D3TZ6yKJ*!bIdUVtw5^TAD_4~G4BX0!OdoGY7)JI=uZ%i+}l)4NVqC7IeowFmfa zd^co*8O^)1VC%4u;HbI;rmSb3Es?@^Sgysf`QtEa3%LTvcr}N*V>(Gy;nnM-`88^_ z1R=UVPh+E5aC>A~looeYRPTbj8-zWLoc_W$$b?-#GNH;UP-$0;V_l(O!m#U%-zOSp z{U1ZaHk8ZiCIxw&%+2v^JFrzqkfZSlA=E`yq&>3O(I+H$R%j5Ot#8W#meFhSZQq^k zGxLv6(d%-50RvFbCmM9>J*^|Sp^J@jMvJ@@Pp4SodRt+NIrY$(YuEC@ww<&r83y9$ zD~PaxN4@g~B}sF9hbsPBDmAoedH@_Sh@^Gy^4XmT;zLz}b5F|44aeDE9==omE$V5= z0S6LD%P`X`bpG$Ki_N?>7T~6K|V-J9(oTM9JT(HwyNKtjH z%KH=Q+NRQn!*EhPvscxalre_IKK%>klE%(oLmp2`*(Su^exT4=`1FdDoi-}K1iIu( zV$tO-vA?kyH-7R=6MOwQweDz%Yr1%NbMX+6c~1>!!x-vcd? zV;joCLH{eGY(26e^>t!eWNtN(Y>75 zhz9)MI5So$a~^6LR<~j*!XK3|i+WHSk#b>R+c?z9ii%F+coWSvq3NGsYm}A1*|+%i z(V9hc#wx>n?e-*yf87>0D9*YdAeR3qoRP+NL_=~cwQC)72HZc8;?bYt%t9scjQ9fF z{dJ6h)bq86s&8&K8YEfR5&|YfgYpX_bBTGA?jkUQU6|;**u3xmY7}(>3VwfZET;H9 zdp0K#qLFf(>5RYNFj$vU?c8C8&J0v}gh@2pH!&vacgFBCb$2G^V=zuWWR$@)0^G9$a`uOA+^J6=2gV=8nRByE$hDi(<#H_{9$@c9XJ%4JGH^R zDIId}`c3`|X8C$LdI_~KsphGEEzAPdo3X{Ks;oV%&N$!4M+2LrU3lvj?{a3#OxBIp zOS!`5z=9i~VMrm8c2~VoO1smau9&4Uqbn-g$|#dK!ciL8WL$0?L>WupxqYnMI800# zM==z!!O}FUeuV{Yv0HQYRqbk*D&xtW9`1IvIa}KrlzD)I?|WX(-Evb+TC+_%P6?6b ze({$a%4I1_^Gnv)KsR@*!`F$KOm3F-9~F?2qu~xHR+C}s2@%5P8G{ISfwngkg&OLz zbyp@w>`$n*W;MED|C#n?=sRWdMJMdB@e*eSg%)Yc8Vf&riWxxPchid<0GWIOU@vH~ zW4n!jrLS5ebY-n2`8c=ho>u-do z;zw7S-Y5C~+;GoJhzO-4plvY(N$3qjyT9_e^c%7`+BPx>k`LR0NERwuq}HHgIUorj zA^Yc0hn*8I6i7(TGus>IP2;J}r?Ow{?|RYq)8_(LnVR3D^8260ZD`K^_#yynLrRe6 zXM5~{q-+FIIc-!Zz5^tfa_*Gi5*KGKGv29t6mv?_GjwxKdJ zvhPy}qA{hr(!FVMX?urP%PQV$fk958ZX|LfW6_V^fdd)sUTHRr^H=K+yo% zjSLumBVptY&koQx-7k0lTq>m%B6YkU&9(yVmE`S0Wr|tl(wKlZwW!xb0n5m0QCoBf zKHvxf6z!Q$*t22cJRkZBY{dS_20Xj_TMRHEnH~&GO34V?v1{e-@~e%9$&yKvD$-fU zv{$s2d&8;-cPt=7q7CDHhrp;~tc)s0v2G5$aU-tGhJaJW*)wZ0z1o9?^G&0eu^o!W zQIE-g!iZ!2zyD5Wv6GetZI-s`z|CtM&S9-W^OJS&^J*p|0i7@4hIPC!<{u=`5XwT3rrICazmHxeeI$yX=|0+rApIlyb(w(J zeFiMf$S9p?d3L&!wsQ5%AA`HNQ<R;Q)6m6`RSkIKFs{uM3iUsU9Wz|57*sHb zQsU8vM~{_y0aKXG4|(k@8u6nC&bI0~b~TN`Anj%~LE++CJlU*cg^?}{Kbd(JvTczK zy#%`CG~Wmxg3%0-3c<`n{Bug%WX^0G16UlG?)y0h;OrLa=e2QT(*d$%N})x;T0wS? z@Iye$>^!huLLjX?fd$&>k>5?kz`ei|zI5$OlIC*;Ypl0EeH3|cdw`le>R?DuK!)bD zhTcN?unnN&UY6kSm6?4)vT<==vKJ&agFK&Y6D*MN zhoB40=y0vDYUXm`X%MT`gI}xr(vU<7FM0t5Z2nH!h<8?94NjY#U@y1y!>`+t2zN(b zzsCUNs$fvmnLAg!Actwl#!46f+$CNbPwWB|V_F2V=3RQV6i#9?awj zC<@+Zg^1JsMz^U-nv>WvY>W%cN?l``=Z5nV8UxfH%2pl5Mif zlNa`< z7<Vy3@PXQDIYWdxp2l<3e8gz1Yio$R7&37Alijj zHL=gM!ASy_<}RzL>z=>$IJGSz<7sCNXR1h2?J4tO_6iRtpcmhOtW_d~kG1GtdnL{= zM@Ao`hHzh5m?}&C8~4PzewWcmeMdnzaVPZ1E*lN&*-_29F9fQ6!lsL?Zs9Rvk-P^{gtG5J5c3qd1P-!A)A`MC| z_^S&H64X#Uw#$)vS|4U!Qme>Q^V!1B& z&_!a>3C@wv6hZKJfKbowg{WAm+-ll?dHR@)kAWQ9_{a!5=~HNm#`Yg`_G8QfyVkuS zGhMUK3P(;=J^oWdb{B66#rB%)`^?qR33yf-sBbmG!v@0GV`D~I^xjdELDfynlqEZ! z#9_z9sv8{pzkntzt$VaN$Li`wan@I!QF)^ApGnC#SkL)e z%}#>_r~*P&T*JNh-CTA#!wq)|B!9w{-n#-rjrdJ?7*-zlRE@7>K|$5ToCB>Qpi69G zkQ^;1+1btIQr8jo0)nsT{kBTS5T)=F*~!Y14}EH<^RwFzT!GQsJ)W)Qyp*#}ZiHJI zC3)E5E;rwN+$P*1gHOGDmy56EaSoeZGNmu{T+$0hjqwx%&Ydf+TrQ?pwmwa3PImNx ze5uEoO-+`N@B`z%X?zZW<#pqEJ7X)3J6*xgGCb^`$s!3Qjr5o51F$B^0j;c_>x1RR zqvec2TDSRpxfjEJY`PR_m6cB-ZX^7~K6qR~!FO4gKh+OFi`h&HnIAj;8+h8%S#gBc zEVyt4UrkUPqXD6HvKCN2*8teZm{H0YNxhdWL!7c6(!%IvoRu_{D|Y}~HlJ^4$MXT7 zw?iNY9OybJhI*(vzTN#BjPX;(;FT#QDv-f81g@v6%fO=|R#=7xCY&i~k|?*0AsW2Z zrPmD`+3MN74WU-sm^#`Bmq7v^d1yKResoh;S!YgoK+SfKi4^}np4mhc=S=snixS?g zTG7W>I@1$*y~Tiz3H*g4&VX-y18&u)B$r=pq!OB*E{6RE|7ieVuXep64}%b?VbAVM zAl{RXasaaH$bTzACa!%VJeXZMi3pcJ{Oi_}Ud+fo>#c*ZFLy%wIFlO|&l<7e$LV=s z_R3{(VDHQT_NHq8=~*<}-0`ujK%8FSC@Uw?R63!4eJ`C=I^mYxqO+@=LW@5iaHT>I zLWVh@WSbH;C|H)qo5-rDOjs{q*T*5GTJ2F`?-b+FaLlv82>#}9W72x-j%>o!z`XlhGk0VXI=fQd6CpnputXuGgB-}&U=)CVVO7-PF3pP=(2w@`AsNq zoCHYA;!u8ZTh~(kHvTO5FJU1%8Inua4xBc59`w;NujMH*W|Wjzu&{`aJ~`1Ne4TM~ zD*?B==6l{S{YO;AmAYKZf^Vb*Az3ARrr?sGB0pCDSao4@;v(hP*S_8hroW9=Ui@7d z$SeFGRpckd=iFP!8UvvBkxP;(&^Ia(lqP!G488U@c0&8L9_`@s+-`ME{-zfoAAIh# zJoLmwrh(oEEf^>Um`CR!QR2M^_saA?E4fsbKuH~0-lre2&a-0F8f$l0({!#d@C&`CHo zNt54Kg?Q*kGu#5^QdM&e96+EHyy$f~U-Lk!#&{ck>py0WVLsw=&>SvS>QX;5!DL=v z3;*Hg==RM6^v^`G;L-D)zKi8RW#pQJb1nM}GUG3DTya+5#Zjg z079uj>}qm5A(^v3BUz#=#V6XTSY|T0w3Pdcy91_7-)rM}sD`1lPHj`NT$}Uwdqd(t8PuJV&`yXEq-oJcs>u zF!_DIzWJEi0<#0L_>okTNxvpB52s!w$U~Yp)(rke)PN-bxe2Em^mp(R4a9sOAMb4M zh#Q(YOloj@2?i^7V8SH_g!Y{^dj3$P5MX3pc2PbwG`u?rbPAN-6HKO(X|rLknS~m}cR3sqPaYT#)*$x z4n3j6K|+5sL^K@D$d9f&JC;Bx!M;27CyO)?Z7U!sMgAm>#G{Y7R!MunO~xhy?c^SRUr*i@vML|iX@pi663N_8 z)uD>P2mv2VERSkYz^!7=anp$?vPSoW$y~G8>v?6q93=+`I6Drf^QlASd-{PnuA<t0#d1rWd zlpCpI|27+U92q<|_661=!f5{6zIm|s@_zqy4HDsfRz_5_;6I;A=v00|aUIhstS{}a zt5xsdDA2ZEkGK67r6GyP=`S5L(%?(< z^$g`Ka4yNg0U*TsD@<%uZ1WT1NlB=CR*Oqs1TSke*K^yo%s2R0r9nKAwE89xQ^@r9 zQFsGC}D%hRCmwlFTAwJ?5u>pnSaU)q_z>=%)PQ(fO8M9%|yIeKFtmn$xcp8 z8U!ENrpP^NeZ~lwFnhH+p(F`pK}*nWyj7dm%z0Wo-F4b7dcHSD2|#wZ%gT8c5?Tdi z%Ln#q=x1Tom!9fR5SL60Vq56=EZ_7$AQ)%TW^lYw5G?62UIk*XIu)wGp2J1X#u~1< zIo7GBe`VsA2F&8T@ak>?^iy>eXoCb@KTT$tbbbYPF69Fvg#^S_lnI3QlF4Mf#=juy zl%pocHEVJAr5rtfFp}>?8A(sV4XgbX24ukwVxs=dn^EvVwpo8@dtykL z$LGE={I$yi2}HPKmfUN1I6oaz<0HRaU20?dR9Q1k!#;Jjo?iA5ZMfYtR zMMd(A-I_#nP<7I}!mnT_DxP{`OgwMSkmWChT18zxOQrzNmPWSJ%GA7TBT88tq`XDk z);_RcV3K!wV1p06Ge?P9KR)oMZt_9)r1ugdYkdR{%=4UB_{iVPzy*VodasHi%#gX6 zk%9CkX-fs`J`s=09&t|ndPD1rXfnh;?!jO|_98~#cPE^0$2+N8IwcY$Xbs3;v7WUe zgtxqHw!9CBm$+cX-8y*n^f-cUEz~Hq?!-~%m7PE=Jr1$@X8A6=&BS=mvL_@4Kf1dy z^?b^Z#U$e5yD5azCh0L4c!hg#whnBOf@6A5HHB%Za$`f2ZywymfSD#s@EZ0y^_et& zT`*5%5lg`z(bWq?{34zaKufy+7(oREcxq_WzA6Ggj~?LwoB~v!9xluwq)WJ=t<1g+ zv|xm5y|rRU1{hqZ_ywZ+2?&Uic2y!UU+W-{Y2H80S+r8;ax-)r9PG%@F2omQ9}YiY z0t+UeM}4{1(Hrrx%<&QXM`N6Jt+)2=Ymp$f9HI~EoQ1)@Q_iSz|0%^AFr#o$Ze3~{ z_&eE4Z{-$9K$$Hq#*GJK!Bw{N0UJI`t)V^gDw){ig@@5j4jqrFJD3SjZGXXTUmNQHz#(Q zF{eFft=20;zHNzSMe97c!#(AXrx{EXhh&yMm1oT!8^D_i3c`4l+BQ{!^`RQ4U&q?n zkCF`LWe)7B=5C~?XFiL1E8fj8sd}AdtfdL&`k+o<5;M19TU}zeR&fivzm=UI_MX!1 zQan&KbJ=wP(-(x^OufzotXan+w?39G47HbL(5+0{0rhH#mP3SO8=96oo(YDuXF7!r3=@;3i+KPNBRmOiP(%W zn7dh09!@w)XxBB1GEDlboHp<%64N>a@?RM{rA8&lBSON~P)XAJ^0ZaokBEEeN`PbwhDGmp^xht7$@r=)si?0NX2*e#EDk(2Yu#yccgQRu zvb_lTk9n`t2&g}R(0fjNF)ihxJP3#B&=jw8nC2?4e8^O51G&k zZG9=^WZH4=7=IlV>|YPJ%rMRR;{he!lky^TV`AW42H3|BOG~yeT_+VjfK4+#cipTc zrUN*rIi3d@Yf?Q~Iu`HL2$IVxI(KPiEH5#Cb~t@K!&Yd7CC-WLf3sdi!5k`#jo!1)))ntCh&g+fX*3t(jr!pGW54l|$Hpf0Mp+UXsY zcm1srZ0#HBK%*A{a}oXYaf5XPtqpShx~^NmMya5<9(~43`2VD6Eq({~0A);sIGS*Ze0k~tOa+d1WdaIX9JT(aN*V~}K@ zuUU3Lo9kVyQziuvJPD|L#-qR?1D=S&(53pu{z1T841n&6kvi_)4Q{AZ$l>}A4GPL3 zjtn9WGv-n>xY3}r^{6jE4E@bx@f2rD!OgHWcVso?@4akyNxd!J23`5Bd2gUq3T_*a zoXYA&TU$m|8Bg)pU2kR9Y^4;i{T2P{3 z1Nrj9#!i1ox#Nir zMefpp@s5O02~iU*I6s8Ovy*`&0UjK=)fLac{Uq~tX0-p8!3#UZ0!QG_!ZO5>g4?CASpr=FRTyl;b<4@ zv=&_O2(^V=nUAh;Vq$rcf-J$(c@&cIeGCQbAn)fcb3;h&#hA--Bi4L_lRj*}5xK5G zO~>J*sv#Off?McR%ASIa9P~JV-4lA83MV&5%jN!k z;+$H}Ipg^mNDMQeE8x#0?~fr&gp$~VyyTg{qfmQ2X(UV6QV;DuMpHxB2hL$me_U{G za8~)drek=)h4tV*=DbUOCiiL&pt}kE`GD{;WXqt5AL0U%zKAU8OZ{_2Z`Y5(y(@g$ zw#<%)y(P&ytK))6@q45d2g*&^*cM&%%LX*GNR8HuM(deMPho-$2D1x!A0~V=dQ&Y4 zICa%f$JLD8BN5I@L#`dw6HteSdGFi4iOmIua5n7uM35BlE$FIht*H%Is%p>c@+=Ic zRiNtu52Rk99W^{=;1P=rA)l7@`SH^Lga`T0pYEbmz|6lRVAsOhe zb$4sqygV9lM5|;LUs?r!b3Jo)7}?fsa577S#&CdeYFfUl!d$6!r?^=_0!!gRjyk;L z%eEQg?_ggfXxK;ym}Pj60+)wYS>(nuk2zr~?Eyb{G7dnKifjF~lIUC)&AXMcj)mZP zTNzh%l?+^{0Q#`OW#L#iC#=QCKf{T2cx*;%C0j+f#LclE6cFie@U+-xGbXR%4Sj%x z1`Z#cUOLcvdLy5^1S}V)@&R|6pz^%IMUq)afN?vo7mggshEmg|IGqoz2X*6*i9n>W z;|m`XKIoyboP+YEV8v%bO8k8Xu2{9Nc6D@f+I7m4gpuqo6y=&#rf$J!_uVMGG8Wa_ zIDBqJ1Ry63wBLEuppNw_&%655tUiO`6-DU>XWXL+Q}Xe z)xdu6ys@a$PiQ)vY^b{ErZhHSh69|IDwjj>;*j!0A1G_d%z}i;Bz`)CWLeo`k^poy z3${t^Ccq7%P_7qR^633;K;QW8H5dk@UNtDVu7Q}UmmC>Y>BT63tP#7KP(#G!F~*3G zszm#)sccwn*8#cFEj9{3ItYQ&k^OSHa0g-{AT(ydi#Nc~#P0Vh{wA6n zX8~QWo*}u@z!qj}Lm`2xLPeiR1c2xt{wN2eg#`8mTA0rw4SE`f^(Bk^tmYlG!C+-3 zi89BIKQ~_&`W?sTke*ftg2ip-z7WF8;kSvZSy`U-%B;bb<9fBpA%ewhUM+1vphY^Q z|LiDYFU5vFaEBsVmt*{jq-Gie26g||K%V$ZA=Um>{BhUqv0p!8t=~*>{y(-(;ERB{ zG>3H??A>xnpE+ss6~1Syy2Jt~R{yzMQmQ~pWdM5k)Sln<%oibUFaFNJY~tUO$xvx$ zBjT}I_*_TBgyeIDmoOBtD{J8-KHy;5^QeV-UEDi5bx%0I)QC@li_(>_*X~Y8&!s2n z+dY%vq-GO~`(*ll7FX=dD5E^xdsAa~Q&*BQnSKcKy6NxfIM?`A+DXGEmUf>dpy%1| zpTqh7Pq_FE_SUTtMoBl{A{3QjvY17-*9}-tseFQWd(`wh7 zg`TGY+@uGgTMR>-0h6?xKz&~C747p=sq~@*>%|@=m?+4knET6P)PAkp?qn*SWke41 zge4V3d#5!`>u?nCdVEq>wtbCG|H|tLKtF|8C38%HAo@D;fb$1?;54a$-Gr?nZ9{N| zYCvn#kKZ9r&=t3p^2Rrv-oy;U$9iH87J!p+j~CAy0i-0J&vuENmNIHGBEjO}_8>8g zDV}2>q#HnP0ohq$-vhFQ44bc-CMK7@(A&w>N|IB$_*b9f%9CS$mbPdVNh~iMe@2U< zL$cfnhm*924TOHzDgN4iGlqykh@nSykE^AeyV3>^2>Ndu!ZKE{JzvA7dFvbBAusFM zFIj?kix^PK50@iT5;qTN8+Fb_OxK5!XtwHd6XfquSQCXps$jKcSx+VjBEi!m6DzgV zN`^Kelsb!{->LN9+2XHWvAp=ruofg527#{&LzCaxhdYhSgwj{(Z%|J$`e~jYcxVG+ zqXJb87A-EjhXUejVnL-CWGzZSw+}DbpzZFQ(MA{DZ!hc3Az%v6GEN7egh}pu*j<%v zFn7txm8mJ$W*czz$phRXHa$a~gCEpq%xC8my&Z4^v4H(3Pw z4B9#&9kb0a3LM9ujFA2Ts=LNl!6YxKh}3(BSntOgT>NidJjuKqu_ur;N_)Yw_kEb+ ztEN`rpUe6EfdPsXq=l1nD+81i*HfACdv?{oN< zE~%A|w?;D4m}*YCG!m|Xa|CBM<#&Basxa$2`DrXgB++7K%Blqv-t_o^5srT<@fv$4 zI|ffKgn0z7Xvb0!I3lg%^5B&{_3j;#^)5XTAtK9pKU}T&3AgmTfDgRR#Y9PU3RJl= z3*xnZsh5m6krutM+YZIk{(y^y5(!2TszYvIrXxH-kfcT)kWyhV-8 zbWEQo*Jeiuc}`gs02U+~ihmW@%tHe6hZUry=(jtt>J%ZYqXgEYGzK#Yijy4D?bRgjg+T1aRQu|{LKC)FkYyk(J~^Ka3t&uQ&clp0!RpMpd29~e3jC9=a7cP4 zCUkuAPY>b3wu-J5$G&JiX2AyExK|UUKkDB@YolZ zLgXW*DcmK#kfjrUrfz2KL~BX>mtG(4O)^e+vCY+PUPl00K=z_F#C2!mJjo$Y^QhG* zksToQLS&un+nl#3!c1?^V-1?~hPZKiLYJ*Yt~sC)28^QcoP{mWJ#^6tfRmS(!IG9A(pDRotS-<1M{R%GDYSzb}aJ6eW8AD4U0-$jp~ZW>xr)S!2Q z^S$>8E?^FR=XqnYkA#y>+2dGwlBch@lY@ac?YuPBsS~^pHgS@Dl>J=Ij&W;JO>XspFsyL|uXT$ZDlyiMB~V{|7a12@ zP}`Je9e3HvY4L~*UpfEOTu?v6%pZe4qITL~n)bqu+Pkyw92CkJe+Kwiv)IS@{L=D! zI-jZPY!PF*5#M^utA0secH4~aj~0MFoAyH>hA?wzkomoAHL;!&Sz|z!RgK^nWi;X}Ve=NJ z6<%!^A|Q`<;@~|I8LhjsEDJ}pdovwgiPFCGU*@HJz8VORtI*B*Yr;dY}l!x#M zZP6*H8N&CC=^Pc^w$U;u$&({)Lp1xmL=E#@0UqQ>S)QRwnuIt|{wBKblrUkC7#-S1 z>fem^`xvH^D`b5#(dxBC^v0Wv=l>Z3*v643k%(=qy0k-U$i9wsC)SV{?hxAa40Xf; ztGAAmb$+eZ&j9EQ8zQhFnZx+-GtoqADXh=wc17n}#7(WQL5#kO2}N%K@OD9kAW~!G zG++O0mgDo&-HP}lyZ8KeB`r{=eB?4*E)i3p4!z5o!t!~T4ENu1wAwJQM6QR8+%?)# zbPm*uELu2Yv#N!ktwFpGFjq6C#*#7JO(f^+EpGwZqAprSu zoRBbsjUZuW9*Hgy2hp9e;VUq=e7Hc>UY;M4pKfj^=Cq!5o3846UyFt~iP7cfQfp;c zf0znZ_L21^M{A-s5?4y#85sDTxuPI#0)&%=GaTetVy=dZ?ogH@d`D1|iv;m}lf0Ot zPAa0hQ1O$(SWLFF*?*hCJf6kh8T3D~Lvnm3cEDke?!Ko(|HIT^sPOq7G>}(?098t! zJZ@6Nb84C9E$hBew*N}xjgqNxKHg&Ev2=a-h7dV%+*xzyx8mQ)=Z7|kurw7 z{lkwt5t}8cl-uox+-L5rKWm65=_4z6)*_CC<*jg>p1%JwgH&8a65px5x08YNoB(p< zMlsN-oJ-H_9s99ya~zPd<@?(5tSKb)bgF6a(a>Ml?lHfVOiFpSBrhwYDwzecZE=iV zvHi{Tg&bm_!hnik6PEKZrU*{-9R?OiNA2-=yaOyvs**$8-^HXfE1T=XK9a!Q5~!Z% z)z@sjJU8Vj4djHUhT71r83|R*SyDa^79>VoA$S#_f`~yo>2{~hxg3?XVa{6&_O#$Y zOZ~@F72FoJug7=;d%Z*Nqv8fi>$_?&vN@d`7THi#rxR~8y*jRk@n z$?1XI5G{av!{Gw@SHQh7eDlXA>v@}KXTg2YnY6ACvy*fejT#_y_1^Y znR|kwTM<$qpMz%jPh3xfes5s>;E>mUyvr;1ptR-)VFYB!7DF1}i{5-Pol_x{i`P(MCAYaboBmgge6T{j*kaA)f~<2Bq|nEEnRn$JHw15 z$8Z(Lqx6ZEhr>~cr_0U+|N#}U7 zb5~>4N1VTBw0?y$8<*M_ z;6xe0GT6-1DlT;L2}B--@&N=+xoVmhbA*P-aVOQDf9QshqvwV$cnk_r-Xd#RX z6-9!BeE+Q*{A`aMJy7C}ov0kOWZUohF%K2@*D zOF;T!u$_8{auDF=)1C*rw}>zoks&2Glm1wyQZjS8F!}n)DH4HfILFfBs*9q^cF!Z! zd62N<#d}^)1ow+4KaVyuJ1_kXoXs4Kn8ul}RWL?aWcmamXT2^BuRxS`Yjw>cxV^F{H8A{Ah>pAUen5@%&wLSW0Cc;TuaqB z+6Y9voe=@xc>w>{L41oTpvjz;Mk``E50jFoTz`V`Bg7NCC|3J>fq^ok$Ls4w{g590zAZtOW76ss(IG}p-i z3Xcfm8ZE#Rj`GkTT`9x+XYsAqa>hhP#sHewE%qRqyhpgkOso~|ZS{R>A}4HFZu>B# zDT?Wdz3|Y8BdUq$SYU3QvSTKeF3P!Z^_a*sHbZ(clU*?uKt(~g?WYu*p0HGEF}LnY z6Cz41^f&T%Y6e>2E7y?Lrd`|GrpBni6OWL`Eh!R0%+_sDGqJcXJVjweoV3YaJvHuz zQ^?;U7@Gjda@?0CYcQnhY5)1xrgXIYaC8ilUoU!x97zNA<0Pe4wE|)M!$-C>u^`Y5 z;C^OxcEHZUAa63l7WM0Z$&_V9fVzS06vy5LtrJ*-Vc3SPwLhrp>#ORJ(AN)#FfnWp zY6pI{0n**61>v=7S&^ix0n(9|Nxc1aIY8>t2EB7_wj>Ojvf7`6mcfyN4ojSS0mo`! zD%{arz3mOE&3Hn$;B9)wC7VXjl2(Z4$^)@=7Qp|B(gXH*%9X(ooi~7-MJf@YMzm4k z7$Zt>4K`97G%`h<_FKIWzTlfuSo`pgX}vazhLt3!*_!fBNE;(oa2FP7R9+uW6G(7e z$I=|4%&~%|ycy!8AcLZ%r@REABmRD4)7TtRVliQIV9SiJH_0+q+V%OR)2_BU9}#(R zf7A$NT@q^3&;65}-ak4XTY`86T+c%qu2b!wa@ypqS;BKrK8J_YE47Va-#nkA%8?4m zq42{nn2l|P0bF?4PPw_*$}z+V3cE52if(IzHW0?_arm5d48FScKfz!TV;8DI|o? zG)Sz)!8=aFIA}a7@S#_jhXJ=-bgnZa=(mzPR8BVy+lF#-lAI4Z7My=`&TQc6xw$Ut zdgi|hEqA|Omb63oHlSQBm}g+6bC6q>#8mGhDx+0q{Ap1=E#>OeM#no9!}u>%h%G=V%$@@9}OO)<)!xW@z7W@cf|xokj&ZDkKk!~l_^GDnFc*zwJZo%UB} z<$0lcOfMwFTn20)zJBeSS>-Z-WzEZ}6L1yrfeO5UtPU9)4k&cHdrRTX%HjZVksAf)jrugthb) z1>kD@Vj0dUQvqr+yj_P$%-_H*c&V55M-N-)EM7G!)-gX@etD@MQNDQ>ul00jn;~rN z0va*AhaxV89k+%m(zQ7{OLqnnEWU}0K6sJ++8WOi<1L@sdb z1}%MWLrKd{ffBHplfz{Ri3n5*fAd#K@El_%7Wwjvkn#RLDR_ZzB!ZJ>E`?Heu(qOY zA&jkDO3BN_bsF0(R6=8*WcQW4=6R8=*N` zwdRqOHpUY{qwnGNc*Ubk!eT4-?rXqB!A+g7)wrYlsBI-8_lr04%Mj>HyoFWDK-KG1 zoAB2Y>m0KG=phZf&(c-jl|w=kQk)FkH=NUPfs5rX*9YVB;>C8;RnL z4b`r3BEJxL(;a7?>);ZW6i#;-_fdp;4pq%GYmD{*9G5ds{YO>XwBmTs+Ki!H&8~G^ zCdm*8`zGA9PjtTmh`V_Mbp0A^~FWzwZhWQh3f@P`A9Ps?k%c{ zxKK6Txi}t7GkhkOdi#yeI{Aayg@2wu+X+ohg39%+xR7l-qb2MiePp;}Xn$1^J4V_V zn@0{>K@b}qe@5JjCSA4WZyb!^tHKM_}{{t&P)V~bzqCX0qCM*~tGY#gjM&cQPs~{KsNz>$km$Lw&8nYfFlhSA* z1G|@;cS`^TN66tBKTDm4ObqGow?)jmrlE@SgxkT}{jwFySv%-u(Ldi5Rk{&~9|oz` zpGg3p@4w(5&2ox=vekp)nc>(8-E-= zb{i628yo7+lS`HsQyn-`G`VTs&4>UTAXmq)hMG|#>D{Q#HNBNM1mg{tRfXZf2zFkR zH6^LvXM&5PE;3gN#?-a=PJnlLzu@HTZ@?(44H})a=ae3q1=J|3ZE(`ILdE+S7OA6+ zBFpL=eGp_pP9pKx_0Y50pX<#*ZViT`E5Jr^ADhK;YG(_uY)zQm*8hBsF5b$;`OY?Z z9Aww^yP+<3kM1zCl^d}otmrPOW%tIn7&`n+u+Cu`}3hmyx+->(@0Ewtv!Tk1UU*eX?QQ{FtI zYNt&gFu1Qugin95HynXVop;Q*xK>eHhcsjZm^Q&I@DKOYB6;S%uip6)`!Jijg zSrZj`rC+JDVvlG>P`R*GF#jZ5dypmZgqk&8nJ)Xhn|^7}+K1zoZRpm)(3M=Ll`TAO za%CZZ(yRfHJSK#KCBBd;TixAX#@5EV{?q9~Z)If^3V!hUNd>O_|3W6g{QI8 zhWKtrfrm+rFWa?;EK6M}L<%6ySLj5r##kYJeQ-q2cAblWITO#^euQN@(i{_)N$mlVO||d2*tlP5+U~L(@&bb6@K+A zVyiSP-)J^ZzgZ7YXP$FS^VgeZgZLeLNin#=io`o`22ov-J2D6$2y{Yk6(Y+kNXQye z{O@@*7ZSfQXk3t#bHtBQqRLG?8;>dw(u57{n=QfLWY6zLrFgCDKSS}(b9=)cVjmTT zGdCyJ>}vMy*a548AQon8=ouM-I)mG_nbJ|BBVdV3@Vhz;yY)nxbgpUZHD^2C6Gz2Z z;Ly!XJuE(1^8IHv()~_Bj~nh4Ao|LxQr-V0mc19XF+PluwT&$@$zGIFZ>fc>bG&M1 zpkeb{s)9nS2)__mbxHi~9EsK69MTZJ_-A{yjFBd%|5kh&T{e^6GGzqCH6#MfbS4m9 z{J=u7yPWv^QErk3#jjd!LmeWnyg&c{Yj(KPRsH?KNHO{%G9$_T$5Lzi8RU`>|A}`= zB_)~L);y;y@f=~Hg)Yepf!usl(ybzVC7q8&KkA#Y)+fFnEM%sE1QfOA2krRa(uP7E z+G^FGiVh+HlI2MojBu|u$pZiSODpaV^I&0Wj)exTH)hau(?4f-OwRk>h;c1T)j4Ks zYV}ak$*A1nPqJPQ{8&u#b8GIMubu@5WiyLd4XG)|F0aL6Ti$N7!qcwLa$MRqL<7|s zjD|(we&Lf}V2H8RrFZVcV5)M&U^~*k^}IvBj--iL4{M)Je4vETKV1~wC#w+wgTu^?;4}UyNe-iPyFetZrS!^|4@tkmhTa&? zp=ZVkk0^~tL>Pv+OEy5T?ao5_KzKJBV_MSvX%c;le54*9c9dpf97q=~4E(2Gsy(7^ z;e|*LNs=>Q*v!`g)bwL%FAQ9UYTw`YHe-h>z_mO^DhlorFTdxT;;@L>x@H0(qVU(j zBas7s_$Qc*iZWH4W+5p>@sb0WYZ&uQm1E3S(9`xtS{GRT120&GRS~{U<71`IfLreE zKjG2a0n{L&a_DE)spuAVWm1!7jo`MVjl6X}a2vb14>x0jGt`E$b7%j1@9cQf+8Ek* zR+;UG$Er&fHw2670Z3kX{&OI$F!Xcl<&I4iWU&r>j}X}Ggb0`hQeT$9ZVuVF_eB0N z24uNtTBH0l{gO`4Kuu;#TAV$2wt&A>l#~z(GCKYN=YX;~3K~jQ8jahB1u{L=HWXsR zR%LB&3H5$mMdHAtBfR-Aa)4CsdOH1rt|F$-p_>NR#hH2qI)lj-BZNy|=!+6Br)HWL zgV4=$%*|bW$1gDM7FK|YxFUlPtLKkY3H!}(5>XAS){3jyBx!oZ_F)Liu8?xS_n@SN z_YKL1pM(P)ug?{n$0yGEW5jj#`MX1O!nM&KR@oLvF0*&gJW_@@Nq0 z0y*r*@S<-;Nm8mI|1>RG?zQ< z>Q61aJ_%0wz!if9uQMm|^=d#fAI1jqDhzx%S48o>UDDvXyvi5QjxGjMfxv~l)z}}Ghz_bXxT0XeYY(Dvsk>F zaXwg`#63OT=V(}7Isrgef{hzIo;*hvF(IqAnS7_Bunh8u_`8R+Fl;~)MLk$wcS+hPpk{LV`~<*Uw&!)pl)Qz@zA;mcXOpIsS#gvD3*GbhMHJ; z^I>vOW~wZk^P2A@)9<7&GI%k)C&QF86+N)pDKT;K)q(XVfb>EPF2@(=Hif*+K&lU& zHZ6K(TJ+|0f9k})JFxAIa}5~8s75JQ-r%rX8gF$LsEfHU0`b%{D-jIy#xi32|Ja=p zS#<@!S+qwRC~9_RJNi1k!FM{BDR_Xh2?qsbGNUrGCXBy99qw|H);RhqXfzD>OYJU2`E|X+pC?YV@(roScHfR1unnk;X%ANoXzfkNUdWTY2f(w*-QxB&U z1TdnesUbkR96ta&ly>e;f>2$$JoxPV+n~Vnw3A4IQ~B3T@;;;*1HS5VUGf-I=Z2@&~EL8ko1^>Zm!lP z#)}=m>7pGAD}&L_@bO2)H=`@vl9ZFj41oHMpuQaylS>|S3f}nh41yDV4;eD2)4o6Kbl67X(l{-}IW{*bW;l9js z=4P6>^0mZg{%X@)4k_lr={?#i3Nf~eCyYBX+Y5xF4??gRxehzl;R+y@OQ#*>PS*@6 zbf(Z)R5=i(AVv?9Ofu9btos>FA1$oz?VHNzhCsNQXPX-#-3-M3kZ^q#a9Lyg@%qW~ zAT+d#j50biZDC6O@mEYXWqmrwaOrCol~*S=Q((W&Y@-|e%?W^WeEcTE z{PBx0c(|F>TJd?b=?h0K%0i^1mt@c}2tksx%d6Gkh)AjF*LC91-HGmv&M zr2xlY0)0cDzS7*|Z*GPA7BdtG#hUdBQYRxqj+%I0`Td~9zE&#V=eJ#+72ka?0{4&p z!OF4f?vrQ{MK_EXK!E1lXW5FX=zf`!ygKK34*Jp0WFY)3GiNjzWw72coHOdnJ1W&E zn{meFYMm>{bnfPk^15EoCkZH!ah)vB&Vq>ov)w*54GSqQ+x>UBOa7ky3uKVFTe}D$ z_JVifCel{j{{n>x@JqF^p)87ZR(Fy9g;JwpE5kt1oQ!HzyzL0ET(1+LM;`L%JO?1> zr@XElsTa5^3*lpb;s|A{nz;GhquZx+Fne+-3^NJNARIG(&tJ3`nQKDpT$DpMdFB~C zV_X#?{1|jpNXI*-uy`#V8jg0kQl!=3q#Y=Y1ss=EB#;FYyFq@98pKJ1Ph$ zPfUvIXvZ$oT86f8`x6^80<0&SS(U*=djl*8ys!bIM}7C9S;lA$JW3CyBone2C8_9RaqjWI0-M>HH2x#LsQ%k zL<1Om_Lc+)QG_Jq!F+wY-xfbqp@x#xTU$b@ACf%KJ+p4h%$*+fL%7-9frXwt*MZAl zlT@phUJ7~X2W_isI?oET$4wFL3m5aTdKBc|ub(}RuL_lmic`zmv-)v3@ouy9T|h}% zjR?!>^zj`(vu4vI&6~hQ$pnni~jz(Z0dL$^aw)N78{wN)@hbA)}mR2AEg2!VBz zCLS!Mpsf(>#Vy1)@c9wEzmx|CX235E#L2rbrobMqUzEsw<_u8lV@K2ubDCxi ztHB}Spd|B1hh&puJ7ke!JZ+)cf*DCwyo>j#0B=q>Hhk}U1IJYCA8bf2s}_g>Ccy~of?9-xpsNOLkN7<-tt$ETrcoTq-ks_MprIlt!A;Fca37>_IV z8U=jQQ-zj9`3viqsp+Ab)v%vWgy0jnujW|QKbQoV)@91TaF#9qrEcCLD|0(y*k7p& zWY>ZhHKt>cVV^@#?yT-7{0jmPu`Y9-L9PY+Ly6HSz!@s46aV)d@NqJshlqZ2karM- zF=h!fQDMTAuu9J_gNfFn{P>q!ndo?Dv>{P8tt5Ar2(%H zsY0ua)_dT_LO93@*LFDiS1aqPQ#_~#XNnlxv}F**!D7dq(6al%;*C4fYbFxy-@~?j zveladeUjQkG7$0bvM-r)zJPn6RrshUpC8UAlkNB3n{vmQy`YEZTFD3WlsYE2;o+M0TtF3WXV+|3<;o zvi+sjy*25aTz;^WCFpK6uOL&NHxEj!WxV4ti(n>5d?pfW3~}*Hm2vrI$x#)e3JsIT z&atQ?y@rWd6(5E!MfsfhFRr5M3^Y8I-PkjeE-rOaH70HFhK2d%)D=dx%J-<0zt-@Y zYPSlS#WVL>3A(cibW)(4I3$YRM8wOWZE$0lZ_LjXC2OZar?pAPg_Qvo#BrD2gXT{S zHF)*4&|@SO)-ekS&imoT40>BC%lqvo$*MI>*dR&XAn7LFv?8{k28{FF=dX*^P19TD z=E3bBg;nR429_39IniHmB44ru1C(H>qOf83LvMk}d=7#V63>=Owh9tr7!o`%)sZwj9pHfKNZLW}r5wSePtT4X=QPLR z@p>h_Dlw(>Qz7fkuj86tBLLTgT%B)&OpNr?2m|FUGl>LiroiuJ<%yZo4PiAFtkGbk z?)cxpq9FUT%Y?;9O6Q2QuRu_-CexUKb18v9*QS4T7b+BDqE!V<>R|rGh##~|QB!O} zgMMd4*6k$=MwaZ$*417S+-T0wFQMu{cxlo;yu~pdGp49^n3jO`FGm+*!(fvW)Jg@H zBJ`4rJD~8M*-Q5HM8Owx98g6`Mi{dRkQKhh#dJ(rUTt7D8Zr@ZSS=#Zm^iV7;n4(s zYD`i`pj%}NRYfZv`bVXyz)0}g8I(3MBz#jTHfD$_v0Sl42hE6KWGk9)8&<%;!e*rv zlv$eagAZ8l1sM>%x9fo zvbuuqaBhkI#DC+r<`Ztk^6$!T(lnlx7@I|Forq?u7bQ>K@4eu(XYm2#X7go)m1)4f zJEyB?qgo*hBzp;m6cPrImKZZKj5pC!{^8DZP0L|J3=qOJ<+AmcBLhmh>O|hBF@AfKR$k#@Y(*FK+-QiSu&7FvF1%H@s9>irRpZ_a zt#hs|L<10Fvd%~6|2O%rdwA$YHJCBpqlPtwjEmbw&HBsRA;!CJCRyo1qrK0yM|JjkXNvKGeyN9ffhdE&!pMaQ zSVgbu2j9y@JIMtfjmE4@d&mBwY7mC5rv&_p9Za%Xw4VLLLECgLvea8kBU_4<74qyo zCEB3hPM~gJ;AasVb?D;aN7Z?8Piy^A&4op zLf-CH?sA4gZX=SFvs*xMZ~YcC7}58Ej=fvk`uSqn0$L1S9dINQU>m0$S@q`;HyecB@;!9SZ1Y{(E0(teiU7S4q>Q1 zh)Gu75sJECP2_EQdV+4=aH$#m7hWV3RKA=W0E&uIqY`nz=e$Xs8SHYXVS3=kcD+0>~$z zb9*&L?@xS^ikc)683+vaw&9V$PTsq262yd!<4WB0-{FP%E>GK6Ki=J;M$|V$mNfQv zo`s+n@_Y3Y9gZgj@sB62?sNn11fyE|ozX{LZ~QBmt$*Wv0NeEyH(}9QASj+viFhez z9wm5==^BJlaB?!N94CEK82I%N^tXOnp~#aX_JMCTbi`{hLc&_y+miLK^xLdp;H$=t znvniDjBb?67GdQSX(| zykM~%IaVn~$t2D3Edmt_RqHpaDRc4X^^q&*C z)gOmGn{mhc7j2fLbEQtQ(sK%@(F`|fXR^x0;xr+jX1@jt1?NVP-X69{>HAqGW|vU_ zQ=r8p0rBnB%UH+;Y~AEWCf>j}t&9kPFEiqb)@zV{8%Lujjt#OutX2(6YZKdGMz!RP z{iYEfIuh@hccbe6+eCc9YR-4LKt=DYV6UiiQAvU-963!WyPoI>gB4>)-Mq@}@q_FZ zZve=~U1>KgKB0$t1xoN%wApcch1l24g5 zVj670Tn&pX##cJeL6U!F8~tHvUN4syp!EyK6i3l)sziA@0U&;0E;GasmUQ!fo&>9HZr058YF^sJELU+X|Zm~O6!fFz9rY}U_k zP5DYDO@MyC6m#zaxV-}HGehD{wU5~~Rw&?M1ayOwUN*?G6G2k;-amsZcIv@axkoN; z>`tT)Vr9M**rQOq*t9D~)tYcu8L1Wv92jUSL3kYg)a#7&-@v><1FmN118~npytW&p zB#P>78u7v;Owbw?2UKW#TiSin$zt~J%!oBYmM&@S2a8X|l!XlqO~^dwcok?UQ~y;E zPJ3FJ?6uXvNTXDmC=^wlOTTy5`&gz`p_?5^gc_*VZWsUwOkpr9nbb?d0KFm6nA)Mg z#D2(4Q-8cP+&6UgUrN`ZejT`$!DtB5rhtJ_|FJhc7!rFseG@RV<7|As3=EiPl}&7`kzJJ{V_t8oZJ=m zn^BFp&Sp+0q6K!%p5mY{Ucbb11UhF>d!ev3np`(vvFQ!`M$zV^7S%`Wx zPYxRt>AZ-!`89-n`I@$M1TtdU5CUvRk&z;92Rt-*{6yK?Aa%VPtHJ&(Yic+NW!%1H zitogGU4TGUg>wD<5$%?fINEjyW^^{a)u}cAU9?nu))AE2^`uDA_i8cgyTCt8jk_wb zq2ST$r-xsu3wMq9P9DqYD%@N&GmHa-%mH>1&(06HIU6nkd}yRQ!!@nYkp048mRx6A z@1veV7vPS_k2az&Y8hc?4AU+#TfG;U8PdV0lGn@>SoB&1ERB?lbGP%tMUSD zU_LBted9y+A5wG`lJcYc;@8BpfhPv+Pa!}+~ zaOdB6p0z^2@VrvqmmTPl{7g#9;67}kVMe?Mh5NyzAXY4dp9HGZL`y5^Ko!-+tIk&O z#ufb#XE1Ud+hZ%`TE6jDNi*i>@dj{86fy9K<5zn`mftVCY5Nk2<8#yNcn?D5d@BVe zBDmqba&(!_)aKgs(h0t9;ZrUvxl=Cm4;aRwG%Nzlo5jLLEJFF#1303n6kJdDuNWwc zpb&t+u2nx-HE~#d31-c3>!OfY7|k@{mu;Qt>U_>egxzp! zEYx!X#kfkl-B}(^^E}@Y#si?mwgeT*xrC$R@EAF7AvFMOn7zEx!an{elF`{l^^3zJ z)=Z>T#?e}iD^M8cY&Pe=pzgGU{49<>M9=PA9pLyNWdqqoz>b&>)RNJ|v)=@oRm{#z ztP8QG4kYEu>@}>QrTE)23m5>GY3rqOc~qdhCdvU=cB5MIN2U&);8)Be-7gN8R=IKM zf>ykU0=T?x=$anc=H@vWpNv1qWCdsgRym?F8CBvaoCGU%ljy@(p{C`|0}Eq9mIP~M zE#V!!<6}-$M@#ol1Vy5@8OH~zjpPc`Bu~Tb!N^v1^P^zX00(xzN1Ec~DuN^!8oNyU z@rk2#;v)6MXqh9bv2tWT2ENMbU#AIr9I9B-9VhCXE|e3`?38@sj=B zLM@Ubzf7#Lu4AvFkp_3@=^ff3fZ6w&=j+c3m<-_K>%0k7AJsqi1ZF&Mu= z>3}c2=x>p{uWX?M!IX^P2!mON4;N4WfS0S%;$89qvPHaRWM;fWv-J=luUP&<@$w2l zE)U;JU#Q-{gEXn?zXOxdvG4;H2*;Hhpe~mXx;@F{L+PgTIJB*jzDG7@zvV)Ay8yJ8 zLV|;EYZG5ZgjIl54xOIX$MM|GNUL^kB`SgBsZ$dq>t*1u0tBZA#E*o#+uD*;e~qNo zT&9%bx^$C5)FH$iUpwY}k!E5phtBF!t~W&T1u1fS2)j@BY95Ag2NLS-SP)50WJ?{& zIJV;ub%GpOIA8>~@{D6pWBz)y$p2$rO&jJQ;yOzkmYqUJhP~};(VKn{3}Jf|ClM+& za6%5n&t&HR7kxs@HXa(_-cXuf+%+P0iUut9Q{Oh#2%6sabKt8O;X1UX_b)aQht2U*&OB0Ws=}S4R`G4un6Yv4#hf`kIDv0lVZ3YZKHlg! zMWvAqk*hd$$5_31(pbE` zY^(zx6v5N}`fZIscXo&sW;s(9pfjLvatrJgoIKiAn{1Q)3<>oL#G|fDPvh|^5z^c0 zX*B43ARbC*QOx-sJIEwEDIT;7Y#tLm7Z){ccaW7v02w0r=4~_%nCBvz-So>;HHT4( z@yjR176XC6GB6uulTA&7MmcdOe;|Or%`mjr2rOYL--fhLdK03w_v{Cp?V%awB*e%QKcMOkablI9LIZ;^Pbv=;RR=?WfL|0W;NbEh^yeAZO?@@x8xsq-J7? z8s@zSSb~K*ZFvIe)<3sA+)>dPVv&k=JY+I`t)hi?%{HVWDY6Bf+v8xCqT7DRlw`;2 z(!Af1tniJ05JjL@>rHbi(Zg9ECqf;?!lis@abL@Oc?HH$AIq>#)7IGz?J4WRgGNVN z{^dq|M3=ShR!L`ZAaO%F7F+MdNCNFI`jb#O_A&AblV{1I$`rwucc)^0tS9b(Zc^-u zvREeO=Hc-E$+NI{VPn3KUv1!0cdyS;&h8km?35pFfXeOAWGFO|#+QTR;%$=>DeD%) zLR#RuU}_nXcgNA0b!$fBO`<_bUAL-q(@F3jP%VZ9keJVOdFu|;7M~Tt*v$)uGZ4eh zlpx5O#K*;jVueP#thR-nRzzXM)_fg_@Rv3U8N+>{)ku{w z^~T7nN!MnXk$oVF9Njla5M>!OXfMbRRDLc3l)k7ujFrOLMPZjQTwqi^XaNCrz&|t+ zTUo^?aUFjrfs}msxDeYKTIQ&-eP=~8&fTiaFYHi5Dgn0S^(m5gFD@Ovf5k!%K^FwUZ~$jD0|C(2oSvi&aO zNC>6sBhntPzvnJXKDq5Zszm0BFvWA#6~Jm{dNBu=ml`9^h{#w;Tn*;ILGg2AkYVM0 zJGGUSnd{!VjfFN`o~5!!yNp8U^xU%;17>3Z($m(@fTi2k zy^w4lu*LJY+fv-30^!u&j^^-f>zQ|3co%uMhI3KO!zPZT7i5UpUNkZ9)(7OYkm*Ab6C*uma0-zH!Ogj7aqxJ?!5h~qL!i6ubT&>fDr}Y!| z!IITxmo(4%d+a;QBR(_DvjihRms`pswgFit@9F>2BGkOhC9HSpZ#}e*O8I=S1@}U+s zvM?(S<-Z{f2TS4Yzv0l&_$w4aJ}MlYjpOWhQkml|U7VgI0JX`e zJn#dC2S?KkQu+<{8>}5s^Ufu?IM3N|4&#KH1If>kC?X7*#=?GV3Bo z(D#wEaPgiAN%ScAnaXK;G5u|qq%0nLU;|amS2{?l;#D^s0Q|(Iyd~s@aRz{Hhbnpb$?Y6N02W)_YHX3MtIj`mbTMh60|PKx?lDr2n6Qt5|cuipK3O z62pE?@=j2mzZVf$Dn68#l3f8VkOF7On^94y$T`}jyLKLxl-itT`RN$cxMq#@YD=Uh z)E9IRGWsWA-kqstj>lxVQ%Zxt76mXPVE;IsW&D@O#aLWkwF=+Gi-WS6P?$KvFU9U9<8`P;a@ojA^woqsOEyuLu_|)H@ z;gI&Q7Q{8Z6HJW>xfq_yxD|>K5v)Nd2Jjf8nDz8l^NBBD;J*xd7chQf<9at`6JbYp z2{bB$1<+pmvJFoz1d%)aUSG=iaP7wZPmIi|Ewu|>WaJ+m0LhE>mX!r^5l+1D$Wnx$ znB&r*O8wqRPY^o(TY+C*h$BBl<(I2EL+F{0FZTrI)Z|pL0KNZn;pJ*xv(PPaWRXaq zvRB9+c8FVMJU%iws6Cex-D^Ak+H)Qni#)7+F;wQPmqfF17gD(jV7|EM->{xQF0>CZ zLOIuGYB(s&F+`1xR3#+EU6?}g&!;lJ#FL@*U`^r1anQ)s>w^m`{jsNjI=bjH>|2)8 zI-9dUba`QohO_!&wEg^P(a*1@;GEZ)wA1)ME#&bW+*PvS!^Ui$`vi2PX>T2t=0|(8 zNaf5r>r_bv)PzEHj7PV z!xgU?DVkw}lo0Gdrk>Bt3vOF&$XY=3Y{MAYlK7l)ImtKZ)2?KTA;8iId$8S*m(IG& z8*h%AkznoCgi7oA!HSUwkl63q)eWjaN%+NL{bvf~FS4^Oe-)xz;g_7sD2|W(qPYsao zY_J3To@08xv}UtZ;2$1(qlDh6B|q6**Lbb*p7XWAVo*tswbwQ@R{yE_bZ_TTujncN z829Xd=@k>xG*Sv2FDbF&sJ6i%cQU9t^{2=z3A!SqY?V!HbSO&J1CNr^&}M=c{!xG| zgFM?bo6)r6qHSEv++fU15DG5VT_pV>3u56NtEVH;lQ;{mld>G=Ua^B$xA%)isX`RS zqgq7Q727-#hSnBAtEZ7@VT@U%=A_7S&2QKG<#!N~A*^epPjKfTYWv)Q9W;HuIp}$V z6f%iu+s&FMF&p?B;)nQ(mhl9Khr9thnti}4+2Rz6O zrdeWQhq2DRa~tVSuM+Ti4J!v7Zqy4q&xcP8*k*XVo1`{stfKne@eHviz>ocsbC9 zS0h)og0%BM%c2DYG6;43p$4rdcj4_@d*9KKWBPBX@s%cM+^(fPZ%= ztyyQa4*yigWtc)nMQ?%H^%Le@A&@j~BwCLd~Ya6V~0fWcYRM)IIDiJAm31+!Ux|5k%YxsfH`I)EQ$tJ4) z`ogHOa|ERYB|BBGX%r(fq}JCKeIognJ*_qBwK0cnXxQ$h@6_;cEaioY?jR+;9qnw5GIIB}Tv@yi;{nMoG zZ=k}g;cY=iavnk}PBZZqIQ1j|FOrUtP9ash?`3&$Nf zSQ{el6}cqa7o$7y{hGx8xEEQ*-iJ`o)8u1C%ffjHS($h%jy;o=5c~$GZ=T6fa}D#goZ9>4(g5JHnV3~?lkZL zw(rr;K@-01GbcP;0w$V(Ua^SZP?M&C>E@380);nXHjhU`+zLHmN}41DqjT=IVZX2SC&Z~?=pO+B=EmHUih&+qIOHy;)NO6$=!1*!#xY`WiLUuM zf7?1ok3+faoiW2!I4Fj*I;I;oYOpUC;}dKET7BI3St(Md`*p@Aye*zA!iTbYBEhm~ zqH%Q}_6FjdcLZ^{Ya1QQtqKx2sI1kps;<1?dMOj1`&;Ku!KKGydhvtB0IK#`Hy13H z>p738$%fRS>mFWg0pEJVwhBoHilW;`p`vAxQSR0tY$O#2fzz?kXi&Lefpm-k=doh{ zfb;sX^#dL(%k$l_fA89-k^HDRwd!HD`SS<2-Gij}ef|;RP{lxRKL+v#&8M7)b}2PB z-muz1SLKC2__aN(*z;b}sZIi)fnsk4;%{W7^v=S$vP$DE`d^k^6&?UBr^B0}unrr; z6NOu5H$XQ=#st5%vM)Kt%?NHy!$p?YAMg+1@m9EJHvR#D`%S>mA&^s|?cl4%28#db zlzM`wn!DMsJ1r3X1?=VIAnH!092#Hie(k+{GR8c#rY|88sXEW&ceR@bG&<_lYmC4z z;9xnr<=6Nd6p+KxZSj~J5P;csa>D!4uQ>|F5sXsJQIJ$*fYTpEK#J<`Xihrpm|kMhcKL`QK{*TU>F zw@yl*>^ALd%CWsWlx&iCMe^Y_Mb-wa;`i#Pgo|I@nIzL}li*iQ&<=h*1rnWIFywXs z-AkhIXCJvIr8MeB?40mQn&-!xi)EolQ?Yd~uQhLZ(rY!uQ9zJ+m8@N5I>V#gX(ppe zQHU-)P+dXYQ#Usgq2G8$bSf@hloy6;nKDPAx%C`)xWO?ntCQl77{%q6PQa1eQoi z>OeC}9lkHUOtkdzMO%J#%u05HuV43%)?>Ju&!!X?F38u^Qba-Rci>CDQBEvfKAdQL{CS?P8}H4h%N`P(epd zUo-*8*Loe{0APEeM91&m z*v9}`z!XRenI6@4>67l-{b*wiVMftGVrhulJ&D8T1hPhHI%;M5%!?5e&Be4Ol(n%~ zHvd9E8*r1)gh$G2<>O$D=8qL$-X|G9)%ecOxk?Rl3ZxMOvE7Oa?oQD>r*EBcNm59M zRQ>Qi5~vnq)=4;2`RBAP!*f)4o(&1oE-nWJpPea_iunqnY7F)~)5WrzCv_CMGMWc- zN_WcwGJd@+#OTCJ?PLw@%G3rL55lt|9Tx`_0=U;`GSLLeCe$X;^d$#yHy5dk;>s_9x?$t(}mDNjsLkJ{<|NT!T{ygMy5b_~| zMwOO!L2^E>ED*Vff?fYzmhnA46fH;Cc%XKp$pA5j0wyuqz;B|1P~_k0x}wcXTV5D) zyk>unOVC1Of-GxTOKee8pTX7cep^W_7+|5_sd~*$mD#O?ILGX$1EfKavzy|5v47|w zu&c#nOKHdM#2JLa7(L~aM;z~SMx5r7U1%2CT9_la%y@WvC&5x#r{`{ETRHWm zjgsJf-vCcVq)c@&!U@6CqI&dk$xh6iUFQeI!$k%I$vuj`w`1H(v|VPL;5VYiL1>{3 z)=&}~-w5tyn{VHV@PBzob2vQ#=s#u}Gn~l$LSN}!e*tH8<>+R32SXU!{Q1s-_sMkO z5}Vo`6F4e$1B##JBA9te3N= zB0fO2s9pfXCIp3&mQJRXGG1_2q^4QCsv^8XSzkzFlk8_ZBe@@4F$xwMlLBhLAK2HVskN+ST9|H_r1-I&420AZkYyc?DFoRi3@ zU=?4I;F&&c0MA-CB4d_H*DbpBYPD)ai^cJ@x!{8)DNv*T>Ke36!{Wh*m76~x7mExv z(dq}1Rc!>8fBO}pW-D~RQT|>sPzaO&MqZv*Pn;z$+IA|rhg>u7>u=!XorunZU}OgD z0BLh4;lDKlD!vdwG{rUA(XAlO0=Tzmb#=(*_W*g9Rdw*vtPfAQ=s0!b{R6M_q5k|G zh;`VZ5nk`|;=wMkrnAMS1;)E8JsB+vnltYHUou9B44x#XwkOJG!|@ys1>}9a56PQa z$eS_{q2Z#$bEBz~1Fg3*LbfTbeHO5OSM{=rx0C_%1Qv@lDd?}1stZCxWkKE8`*)h- zWVxjdwc2jS)6hJg!qj9L(N=us+JG<2|K-1^2Xi}&aFMFPyJhPRzbGu`QK7d@qi=yT zwQQ&Zl%ibVIZ-anr6xgVf=n)Wm&t;(oiI|0i z4aInIwt?QWHHtOs4SboG(!o{8Izn^{#oC7rSg%ZTX;`1QvMBo~PKP$RqnSGQ^Cggx zEW5YWse~A5pBZ!mcYY-!zJB8GI0pyeLiEytkk3{>pU((~VF}@BpK-DIgTZ8jp3JWy zYBrTRAnYF$iw137>}u%*PnnAME$*;I5+~@&oU>0qMSMmUA8*%Bg-vry4Ol1enHJ z8{%B&GUz=LGE(Y#OEKGqu4RmTFbM5vMygyE=LR|K)3l34aIuEDo599DE=}zO1Fl9$ z^Ti^UpKPF&c99Akt4tSje{72`ZJiF3m138CpH#uP7}JF~ahC)#MI!z{q^L`SjYe*H zy1%mJAJ`W0ac$dVBNbC_wzXM&jJuMdK_(l<5)1vO@caTu@i88-h*XIO{X&?uQkiXy z*Kq+-tOwb0wT_5N8BI*2qTptJ0lL{gw$l8ri1^6H?|2a!h)UXPZ?~5tY_v-;e;64k z?OkT|OaL@Zb~prA>Zu7w2zVD#q`MvxaS?GvM+R}W$>*_td#wj`4|71g&)U&@t;fdL zj2Ad^rm_Ly3%~LdoUdooRyB1XW~DKBOArd?*?GHJ%2+$6X{C}=#7oKcm{#agdQnx^ zt*)g#WQBwqSSr;F?HY0uuYiRAw7DN$y73b+Oe8Ul`Srf6T`DTPbwlVQGc4V)lvPTr zqZfX8w9fmBlA#%Dh~!1`I_OHLwQ@$)d5LG~`5C+>_n=O{`{+_J(AhwJaJL=x*3aPP z_G8(EFk`QNW>wsr&Fyd1L@q1&w{sLLmQJ=gF8jayarSPHKz+N3N*3HrW6TA;^FFdG zq;$LNjY6{9fD)F4EI_;V17T8ES~Y?7EBbV1lmMufFIGDuplxlTOim@L( z-}rSf>YgQ-W|gY&gre9#eTGn?{IecuohDy*1T}%qtY}Ll+E->Z>J6%$Kz{2Hx1+Wmphk}Ef?O47wn>INpDdFDdXo* ztu}HoX=?TF=Yyg-<;2gl;TY#PCw1;auV^fj_oBT3J#daj0#)^4urH67+~utm$S6vX zp~<9H3`dPquhZ>}JsDrTnicbo5FlS9H!65>KO!Co7y9+U$Pg?0uqQ_aWkBk~0wJfr z!;0TzMOl`uolr9%5SSB+(eXcIiD~d!{MV7a?lsu2>iTL4jR%~ugmLC(Iyfzhg{27 zU$%_-hfYD=3|=9oVB0_xh^A#|!Dp&ct412{lMrOiPCvD;mB1QR1a>a4YiiB7CJRnW z)K!Wmarv34`2Z@K^y z%e<4mtpnO*JHnvEYUtn!pn6~C0TlcmlnY06HT0c%*4SDQ*kuo?xX(<1y??6XfX*8V z(g>BUkuoO+D5*kgw8ZsFv}&mAga(25$qUL0WRXQwU`t&5&F{4m-JWg-iToD%lGoHw z3!UO^5d)hX&|jpaWf#abQUis2wzRaesp2051_J2t4bj2aSb)6zt7M(K4=Qo8xkHHr z?>##d+3t}4b>~c?I;(|1ki2`!)L&rxUB}{Nr8J9Rg*6aL$^SvBC|sU$P>L-T>&Hy| zpcUy|4{eVHtMBQNo1W3BN2}XR6?Ote*ZzzR-u^7ES3?!=r1cr!Fa}Z&HiF}PpLHcy zSigwL1>3f4)L3jC))y&y%OL%cVCUQ z|8{+Pz7^Z&>%FG}1E1JbfS_k&Ga13D4!>5ueuH9XL?p<#LD(RRj=eHZrMTNj1$q)T z0ASApBrb9ohl31jOQhgeJ_sqtQcI)GQM}$Gr#@mUhC4=TnGvk5g@bsEO0I8jL3!C>)^H* z)&U+o&Z8r&GjmpsVL>o!+kO>~{m`Aba(J}@NB1Y;UwvgyYw|8YJu!g5hg0lYNZxKO>fb|6{Z5Wh1;rS$v@1n(Fe|R+G{v?L9JNA5GmO7 z7beZmf=?1~7isT}UN6kd48yokC2)dTSB@I$YK41Ql&i7tFM_*{<0S07C|L+iOOLwj z0t8)))wBS*)O^5tej+K=|BYR5IKMFrP1IpcZ(b8C+=k@u5R~WZVhL!qhyd|J(;KFS zhT`IOV5e$vh`EmuJw|~4YR9|7^(M;{HsJf+j;qw}EziK4SL?_@t~<#UOaRQXqwG3e zuKPx@njR0&H4Jc$Swq>RHlZhgW7=tX5^~(&G;qyJKFnjo@yh3&{i)FYM z4}emCEdv@wl)ri9${ht$;-XaUxTfopR!G#XoQqt(>4u38q`iblv<)w$7H!dpK~14h z0LYH2dit0LVY0GLs&nwFBR+O;kib(PzwAAl)r8{Ne!H1Kb7y3qJni=M#a4aO{S0+2T|ge#CggeWXl+QyA4+R zt7c1vGL9Vp2?JT>Qg6~4l!R47_TwH{S)W!gH#=>m+lfanrt+V+$+dD7xcre0nvZOK z%SQCI?6*0=CH6?T8Dbm(=(@TiFRUopVx{MZ1>z<$hqU2Q@LG4R9PS49dH?!Dt|{8! z=`Ljwq(Q;ZOJ5mpe-a+}G%p8FtHvo3fkZHO6nuMDhNI;18nuEDP%$rx0`e==jHqrO zprpwdSbingl|J?sn^Ck7`i|Yd5UCB|bBXP#|TekB^)+Uu5vFgW z^KVffR+Ia&9{Y4FQdfjWkPK|by|`-xA=A%St$@s;glH`{wyB0S{3m?P==81ax?wc% zLULgmB~~5uzE#Ny(try`u&oBt$^zf+Psd)7%h&Kkx)Bj|Gf>ht%TwQ8b#ay(RcJF3 zw%k;tC7{Txn$~7T^nT~YM(Jym;FYP-MwxNg1Rmw~Na$q~F&=6FGcV=?DBB2PmQJB)=`P2G=Z%;|e^v7mzhuDgj%r_26=h!$UcvZx>hU zXJL5Ufk;_>iTUNhAh^%i`d(|^7*N%dkQcJfR;&v$eXTix4*V?OB2l%fo!ItaMtl(o z`ee)D0WCJ&O`JYXn=opzN$RV&pO^Z@#^Mlt(y_F9-mfFX!ePBw(}tJ$6lUvLbZ>ua zfn7>_4mJr-q%q`7kqN^xpeKyj!fBU}CRbEhMij@)(2&tg&AB9b75PsGU*d0Tu5kR=vY%p`m ze0=LLx3keH-TENYvp4=*i-m(+9VNDt(M-Qm*-{hJAIcn2!26J-S7F9BhPjD2rjU8z zz}|-{X{zM_owN6i?F|97pwCpufE#-#>iD2`xV~l%&2}^~_192IIgPMo4n3yEpGQ-v z?g<(~=b7}8n683m*r!|&xmc?-JKH+qXDL{`!0OCLM6QYTYV~`3W}K1N-1T6w7wnq6 zt;*e>duiq;RVdj632G8A+?uLc#wppoVIWmUVw8&9-% z8q^S$-b<+DWu2fLY6|k$VDLicoPYBDJ1S+Lb3Hp;w!OBWu7B*d++FKhZnp0fCtsOT zT|{Y)UFqH+cH#*}Eo>VW*C~N99AYx6!B`3L2|2K1uk;%Ejz*03&87RFLM#?>lRI@o zBWN$zoF89Ww8|-#+eNagBNkVgnb$uF+XuxmYy+=S_AX9bjsXRD%HxDhTjGuT&q>IV`UBg$X+h|xLoOtam2chjQTpVKT151J zrzL4gi4EycD(B{qV;?KyNM^k$|8mOE_3{g}=l52P(0L9|!X zbeFldTecPSy~u|x@$SOoi8|WzadbSJyOrLQ#S++CA`f6|rFAP^e2`Q%4z`W(#XPAQ zGlTlpJU(>EgBJKfT&;b65Hy_G=fQ9X3BIN|O56_9x6p<)aMU(n`YR^`+IEZ-qzDh{ z2TBW5-N8jEO`d7B>m4JQSlr6s0Dq^){7K&qT0W=0dj*rxOnL&%ev2;}0TjlwG)EC= zd}n939iZn=KPP@(zS)WI2$%>i%O%nWL7vrpqWAI1xejSEA%8J%X+TMmRXhCiZfap`B7kXR_4gD(6}hNA8}@o z3c~`qprv2PGG5) z_{MD~|3)^^x?m{v=kS}7OSF6;$dWCB!Ktoe&h?`GrBsozucFYV9e|ZgM=nT9!V$L6 za+$$V^Qd5Djz%3JWY2qPfOYGU#QTWu(4FiuE^L**(pg(h`Q6-PXxwvUcJ90(BVPT) z2AW>)__U{0_<(ZV7^(Y+#;%KC!m7JM4?r^y@Ux@j=JIAKx-C6*lTetH8uzx$Bc#qB z12d2N<_Ad7jhg^WmD^n9&tp;O#zD^)kIVyHl6wOxJn->+Legf;8Jxr97;JmGBt3#p z3m=dZknb`s9F+L+U_)pw2`DU5|GEw@lWZm9(#|JW`bv6r)0RI_!Gz?)6bjxWnY}pcBuX|SbQk5Ijqx3uiqqJFk4_hn z6W-?l#+NSLb-|%fm~h24P_8ndL6DYf2%>g7Q~k^S=)%_bapn=evHcECHRNgv-^2MlRK>{K}DuHk^kooE+CzkMorK(9Xz`~<)(h7sSMF7UFm zx1pd9UJCJm>^6xbrmQfU4fFy9zdZO&iZLu`#DPY1CY%l!R#%uV2}c-4(0RV#0ljz% zNFJ}b9i?*QS<`K{y07CQIL>03F>@ET<<7;spZ#ytFpJ=~5XLr{##?UBV&a_g&qMRU z6uD?MPA*dAvyu_;WT zz}V!(nQl8d66=S$zLSScm-DZi-xw?flyn0*aR8B%qQk|N3wq;EBX??R$zir3n!*BM z&mI)k@v6g9FS0wHP?eEa6V)OFbXh52?R!%qI0zf?iE`jIZhg)FZrE*%#FQWUoDb`Q zAG^qXxh@;#x8R;JPS-Rp{!&`Dn)f>p!&0M<>;9`+Z2y-9bIJAZkG{VMMv$lG90=A) zqWr`(w;WkBF8&$Om zrb^QivWYI$Q2_PoZ>bauyAlm_?;%cpXSrY?@FK+>bN4N0zIQuc_@@{0eFWSs*;!u2)Hx)LP3Guz zq}sazS)5tX11--726R4`_}N%N4Fo<8qt3%b~7+p`B1A`ukZUC zaegYlEAKyeGC9Y-`SuM&qMzaw((iG5b&`D<6!QKx6caHLWMIA8kRT+KcYm+ zhiRDJ>LwJ%Jcddx?&dami;H3)lm$rM;g)mQIxsNNs>L`++>2ahP>)<6;XppUYb1?m z=hmwM3Ns_SK&oh0lc77-a5$q1wA1GJ z<4+uL4`PnL45ibhp}Y3ruE5Xby?9E!P>jGv+=x(-Q^jeTmdE@nbNNtvokb77s0lG39iWzFG6&4f+4sxgR@@|=# zG(Vy}%L_-eWMA)D#ki7UsV1cl3Uq0}suT>Rz`ds9sX-0&u1K5)A=Q^VC44?Gy%x{G z?fpj@OM}cVt2#I3#$t2-koCo0*iI&J7}RFK*+zN^x`#)xAPl87M%3d`eqI>d*y1sO z;Ip&Y>3N}8<6 znS4#!X~!<8-)zGf-7Q|~Z9b{|7a_tU5qFb2Sfc2nqX_zmU@yKB5e|>-)d@&m33}S2 zNGOF%X-r|` zq!UaOIuwppugNmR#hT)ocTv1=g>)y9dEo_L^&4yj`%-Qep7G=*LfWn-%UrLDa`bQ_ zf0VM(7$IG`ZyhKW>LhO$>G7^N(o$mv(pYBCteUrN(1aOX~H%rXb@{iwWd+l7Z z)xe}#k1)sY!8c{-_%}NyYR)Cj#_QgjnhqB%*C>Zlc>~?NQ~`xm4qHTfGpBN{cCO_ zTi&NeOWVG(x20Z0Zc5XU0aw-L_fMiO4fg!u8F*(cIZ9#ZDO#$2Oy_$)U&v$5{!pto zv&u%P;-akMZz>Xq18{$+1S*IF_i5W#?Rw8$lXseL$dQeFAQs=4neAh%Ny;yl-+iY< zToR*lKr|$VirocP`@{aC-6NnfFmw$3K^sCjhC^P#AR$i&8$8HSu6+9%7sAS_3^%g- zAjoWD*|ILbL|V99?*3Wum}Oha4`P&2Krw!7n2Cac)$Hl)@fJ z9$b?!Ws^;8Aqkb+qREA4Fv`boVCZX7QLfeH3g~v zR)>ddQk?TV@a>B1axpkGz~Jv*2dE$-WCCPjoGQWne-l+(Kjz8QulxrlvTii)QZ|;itS{_^u=;%_ z-5P1Q@;fI)Y_#$~Mb|K8(8BUQ=ja8=>Mqm(iktr;ogkM5(#tO_>J;Ak4|MAo^{%KB z`5(uk&-DMhbo_frV6(OiXciaon)ja0EE^KjvmT%}$n(E@2YFv=9P3cey9A)tGK{1h z_GEn)lch%%AP|#(6lh>}CDD{r_QevBYrM&)aj@@|>LYH&pe=k|-J#UBMg8l_29e~(8L+Sm0iB> zk|dn5Tpg0LZ%shKEg3@7i1{+n+=NVpj(edW)+XKvbbJ%G+-AhuW}-H>*EpIRzrKS8 z%k_Ta6wnX9%gyDWWm)!ZH>xmR>9gy?i2h(8Z|-Jc3;i>o@IgP@+$V^T##Rg@or=F5 zWVhX|T_!*)W@|dX1uIgUj7PEl9c@ONMuZe%X<@3LkKY1G1-1=QzqmXC%6r4;95*3G z4Dzz!sVrF2I|_g z$H)j2rpP~^-p~e*_}_X8&UHKW9KpNQhrIjDdb^+E{jGZ@jzytX!a3k*HnbdF{TFIdqMS@U6M_t(*a5VGL4IwLC8erTvD!FW=NThmxM6`P{|DOWU z(6TEpZK`Z!DqaU0HRmGUdAN>ZY*3m`V%5CdBz~yyu8tu!`rSlFXyrFY_p{o?#m}7d zZ0R09-@%%X3rIVmaRm%Kdpb+iv%W8xyUkr`Ho!GHTS2ni^`KIk?Gr?_S$EaNqA)$! zN9G^gfr|Hj_g4s;N*WV1qty}hlhY~rN~ypa?55faTspk%*V2fSeiFA4SnbhE1E%*g#OqAkK~~`vIxcY`bYOkHPtm5 zS2yuExcU6zSYDs?JpHHcY#7JWp?K-eXt;L-ExCF#i>BjZxTS}bmjY28)L}Zq1_od8 zCX;U`z7!}fJpRTM98xb)bKk6eO-2_)et&n<`SlQev!5nwVUEt_E#`d$IQObkLETSv z5uvM_v~V}NSyxeEIzp=W>j{gJ`$5g2MIu=?iANBkmm26Mqjvbr^uXm%0=T21N6QPv5iS$(Hw=bDA))9|KL!_drr)dEI z4g!_0)JYu+5{}>^SCo~4BGaUJIODeG3Ia%-0&e3_x2ZS#M_Aw)IG(aBfp+-t7dq08 z6Rm^}m9y}GM0;)Ede$%WuBhMkIx|uv>OPIkT3xYqAO#J?TYH!-Hg{24lB z?lzRR$fV~f+bhr5T=~UB5^J#Zm8Yt={MKVJXr>81}xS?V1FamH0Zm9YAtr@+ch4l*Z*jn{r^F?+{VZ%lv zVrOnYO?OUwCCeilEfA~|g`h-OZciKK<^CnHJ}Rbr$<^)j2|nk8II+90A=K zb)spNC>$qhOV-l2qu`u4XYAF9a+i#2??8x}pR}VHG)0=p6pVn?qVNn`DF9q{%u5~n z6hu<-h?+&xk#?{T5e@faGW2)z`K!0!rLAQ3OjKJ=`OvTa6DR!@I-#`mbPOeKeVe&O zPBI{KFMkOLg8Hx6H%poPswvzH8^gnYU^;qHMyEa2RcZdgxZ&7>hC#>`7;bTw9m#!v zNF7vyX_>}pMxaP8P^N%m7Tnv(5o44&pfExe(_Jimp}{721?d= z#HCpMSV~m=!`v;nQ-Pj6P)XFA7j$<5{UkFC64~3xM_sSml=?Jc0fy`J2QQb=y%$*P zynE6vo>%3j1krF%b+3RhK-&AW zskz3LKe;d%lzjkk>~sttmD_G)RTq?k!Xkfool0Mp5skBz2#2?P&M2buJz2aOWb%*nWhP5oc{qmt6P{_7>g>5ELGlhr^Xx4a-HO zEdramJCYb~=;ync=qvBPXJ8@j5EV*3&eeoefsEOZD=PW$clR13SN2W-w7j4GrVKpE zqy#>cDF9WqEI#|I>|;~KlR6(;RUauB25U;i@$7Lf6}LnhsT~XpAD)Rz!KmUgD%^h%ZT)^VqVj6)9*_$%I?XQ9JS0 z7r9%w3aQQE-lI-nRbflW!BPr^PK#H>U$-EYrm^bAvkR&`Pr+c6U?I4QL=Pe~J?5}6 z?&nXdPvxm{1z_}~wdd6|GfBWPNYw_C`-z1*RfA>B^>C`?Nmk-Y33&)oMg$NCMUc!- z98>~rX|U@MhjF>y9~WBnsdV$$zVSH0y*aw!g2l+rz>JUzdqw=>K{$xie;As9Q*t;t zTf&Z&L->{j?NcR}Xl!p`c3cS%R@_Tm$a;|hvz`~^Ux>2Iy?Bd9RmNYLMxN!9$e&8D znc_Un@PE4?i}S6s>023(+l|wQoRVs}Q5v$G$^2E5MH+HUTWKr8s*ZLQnjY;G`H6HK z*JJw-i4k}lql@{pjuM-56Dfd7uSnERApv;PjX_l_;?mnff|=6|Jp1n_IKRhy2d3YT zBlt(lTNd(E)ntWe&o};<`+*9?CHUoUP3`|@Ps~HGGzztNm0-N_`aw|n{HThya~EY( z@L5(n)(YemQ32y;8s!HEdUah8`52gu8!tSVnol2@|lZziO3!Z2;d5C_Y!9VlM3DBJtIyc zbt9Igs5UFHMI;&7lQ{x(|M{zrO06pNd-EZ^E4}zhLkcuq8E8n^ERY@Xw*BStyC*#y zpHC8quv&Tpo}l*zt7gO_!SXS88Hz7gW*Y>@T{YT#D$b4)4TQ^eCbNB?tpK(gZ=eS= zq5gQ3U>~z-A_HBjH|&G;K6M9p>INIBoLz6oJP z5p6r_5kY`dCRnJc9w)Y9W#%O26_#O~t+v-iNmZg>JS+ za58++CTl2P)OUxSnMc?n+P<4IT~fogGpYljS*a-0mU~My(&aJbhBv!M@?mMt)3vTY zJ^2E!g{mM=uBX>Mt=qv(pU4Hxgh%-|`YVT}&THmzWO=u^!i zI2XtxW{fgbzLunYcHw@nMTultGVzI=0LUf%rA3~Mt6?A6>o2c`Qzwdsy!JzRE)?=e zBYB64Bj(0glGqoUor6mD(l&M6`=NHuk3t{*ZLkdimJl4wqoYv4Yr(%8^e~(3*~|IP zj1vIXpj}(1mhVU#uxv(IX(g(hL|5`Rk!^A&IGhArpLuOnmu% zyFI`p#~q*KyNm&4Hw3Oz(PsxXDhvDTx|}4|^x~*!pwRLfyui$!>pG($&D&oQl1`65x`43Hn zfb+WBCu&L0Yj@fKR4_80AYXF!&ds>G3u;3*54vGV0ETu5p+6?iLN(fsxxSJ(m4www z(bS^6q3IH6otv0wGHzd72iajb=B$~iYAiMXLl2TwN>1Jvz;o706y)XV1#WMy7j$M; zz0usR7BpcIH))0eVzXWpsTw*2#d|GvS=@G+5?U8r639RD-~j1$h#3)#_MTR>6QN^c z+Y*pwSA&>VKfUAXEkSltO39^MUURAmDxR(BWs6Wum|8&5pz&?dq2#^VfV$tIGn5)G ztw5CdFB$2Q{+UpgmSmqwr6&tqw%sLR+K|QFd4d-jXx{sosd-dl;XeTdPUz4ZM=fKL z+!4N?2oC&33=7{SKom@{75fAynaLBvUmd13>*77&=`*0T%i6eHT^RVCR78el;)t5| zA7@lzuNU_NhNWK{B-Bg5b9d$or27WxM<{C2Gugp#ES_ldto8IU{klfyu&R>f_H#6< zc8z&785EP-L1xTeQy$Y-cjC$s?!t$*L(ByFp8_s*mLH8Qdd%c<1{J~+uxO3o!2>(< znDXs!f!3*HM1Z0xwfh?-A+lYrFQt`Ewj2&%A+uHf$$x(KC`bU4`>-2=OF0uDsqr-} zIw`i<(nZlB?={{7rjNU`C1SoUCC@TzkNg0__q}NUEmzS9#-TY7(XkCC0rnO&8I4vm zuT=ABmaYZzL?y{LZQdExH&~-nLkP^yPEi`1hPKOQ5FIWk=QFk(SZtG@)?M-W#5r`% zxaXEzibO6*Z)aY+Ymxn1eaf;WKmzqaC0f-t*}~*$SG-4`7-9n|xiNkD7I^P&2=jxQ zSBJHfZS?tHZ09i8A}#FC{{XOIbk!#;{7*LdWq!LLqEcpelze=F$(GiMk6~f+|L=(% za3N4*K{0%e|H$$_P5X|m6QnJbZ5PhpT6>cm)n_U+eTE{*I_nq^n=2-Z@;}7nPccq< zPG)K+W=D3yWu>F7gtj*_o%j_6BWdNTT95 z7Rp0b?(y^rB1>~TFW%g(rmIfUMWm~z;Ldhv_Nq0S1ghn! z1PgwIJ`jqYBhOMp!xMhBVfS!LYfna4~rW7Kuv@~?mo3>V_Qz;zp#^> zcqG6A-85AEd$mF8soap?m@_2en5c@oluC&-$Orazo5{kLz6ZMklfoEhx^`uZr~~KB z?|D52(V({1&ROycVcy7HI*AX?BjRWK6~*YqZLLnGzjSwxa$J&?57LRwgM|rZ2_Aaa zr}C4O+wP)DO)yNCASfFxD0jfx<3b2~EuK50a@pkn7=pwn3&wnrofL#P2*;1i9!4*3 zGz46!P)1?${psthX7<51wKZOYyt;_d6INtC$>GI1&dP`*F6ljWqnse)w!2@*Jh04u zNU_%g54p@Aln}=_DxCW5&Ln3eIBazz11%X?B9JV#}}L{s$+oDY{+!~6h?Ei#Fd52Vh@?h0N$hJI}FMb z(!SaC>5Sis2Zne=MATg4e6ro$ZIW1KN;mDe6@ZXQEsGPldLQ0-Wo(Fg3j)KSnu~~4 zHX;8|j!Xt_v;+&Jj!++LhJ18M8djKMpcn=I<*~a6Hr(us zPX8b$Ko}tH%~gN!g^cr+>~oF7xWkLzpIBROwh|AR-Icxpjx!Dk8ol)xS&?4lIu>PX zr1*x})>vVj`RndDwPu9xcci@bVTZ~A#=D-vNi?r7uEXF#4?FKtH|AY^S8S?LDrjT@ zW)|rlsuldcmoQpI2TQd`CDA|S%v=+5fl4$VcZQ8g_s+Oc3mY`#)N*>y?AIJ+|cZVKVzf<%8H@ zNmNs~?!t_44N?=CU)IxmGxi8u`5bt%eVKy+EWHf|@o&yF>6{;H>W)t#IhhVid~a08 zKXqOtqc&pcB4D9}AEafn+tEXK*cc3)?@TQ~R>gC4Ohj-9fkL1>`~8|;@#JXVw%=Pr zVWmlzJ%V4<8@#D191-epS?j#SyJ@mtMQb)&(-{AdWr+;XxHKcwb zfF&$He$J7U+lylj*Rqz56}7A zK)<1N&>x}YGbh~Mu1WIgXFE!Vb!uKNRkK-l%MoyvC{ z{EnsnED?%I%VfnIc8yWawbAenbhT-P7whTFIdE};GxZ{npW;7U$;WF}x>Sx29r^c) zZGfC8S1PFSuwgq?XV;W113*T`G}uSpwLT|PO-_6FtB5Ig7eL;>X3n>>aZqtGYr3D9 z8ak~cJVAn!t?1yy$bVanhO1xhnrF51Mma0`()qCpwS`vPmxx94%Fu~0$(SCJE@XIL zOjbD20}N;nc?|o6|6KTG2QF=^DyYXYE66peyhe0S z7-Ma!2j*R-11Kh_MjCuIfWEFhF&NVLQ9Q@}KM|5_iG!-3nQ z+1LfZUuB&pfGJdZ1zkUsM#YG2^;Z!-R|%V?t822+|E(gh1FI~9^J(445~N@`P_k5u z>2~c+aeipiXYSOLwE%lamUD-jaPP@=mqE@zIv^Z{Z}&ivkNxV_QqwTfjaQXDZ5gjU zKg@U6vrFnLc#gRPy`@48k|YK|jFqg&{8s!-6F9hDE?0@qOzei>d*quYHNDVJZ1%3Y3^mk#9da|M30_>yW9O|L*V)lES8= z*|@1}{sjrp2|-&dIM!@Nx-*&18{R)91{FiFs*jYL4=L*q_uk}389 zqv(*m@k3)jTY*54G|BJ#W{=(@q=NWYpWEm3)e<@qx*faV8(C#OOSdTvU4Z1 zU2N+~;NKi(?oh)i4^%|Xz^a?AYV4(}wpYBW8+;1G=zJDdEBjNW13I#Je+5qGLE&uK zkmQNOC1rVaej1}CSIG+o{U8#NXT=`Y3yVNJI&N{P>+9(EYt1omw&uR3Y%-@q3<=E~ zg`Yi$IV|xLj~-U!drOdN3rSFWa}WgK3~6CfkN^)inw}{x2`2FHScfGK-2DCXRidBL zyy3tf`^not7-b}G-T5`Vn#HArTBO`KNy_YRIXw_5KYO_f+A>AIrkNR~UK7Ob@@rmN zP^mhT;9EZi?|k#!`umuD>eDI4@35CF3wbK%B`n%B_jup&gn zzwweBkmO0(4&mXCAFBqqCMnx@RnvsRj&3zMoixg+@jEm!J+^SMrqMSjz0;4hWoR*+ zhg1Zj?^wk4pOx-E+y@+X7X zHnP7U^L&?cLI#Cx0VnPV^uvTJZNFL^3e5D}OZmLV~V()EXAz)pt!cOsUN zEjbZi?P|M1d8)P9nde8`lmG~up^G4lSo%tY@)Cs)SLf53dG!M3WUkASluJ?X=j-18 zn8M|l4=^wvHh4C^Vf7aln#-6H^Dp&~)M8bcJr$p)yA2R0*8L{KBii0kKr7c7OA>4Pa9h>evgpW=|?7?cbE7NL~DLH}y@_73y|3>TrCsRejX9SZ)Xt0v4gYURB^A5%5ZDHdA@ zVfvaYEFrArdubK(YoIW}$73wqMFnrKt<8KwxQt!96>zMZH!jsa!eaDCVfDnYB)mqL zLQ2$6ZH3}G(sR7uyfO%k-OgdxLGqbaHI-nUG#UWc+e+?{A9Q_YJes+Z|FJezU%TmzI4exxm^88TeEQ;GldrxfC zMpHPRA7e4^#fH8qdZhy)+L6B@_#=Ck_p!rNvkiCB0DTYIdH&ctZ2XUw$tBf5j9$zt zWB<<`nLtJ;B@t(ge%WLm&G7W9wv0+{A=j7)C5-Txnu0`C&yrp_Bq z#~zfsEV(=+K(){XosWLhxu1ZpDw*P2ME~7zFl~B-`<}J#;)Ne!6Ev!m*?y_5G4d!lwnu7~dBGRu|cF(G_mgB0}z9zL~ zL{>P$yTQzJyhV&h`9Gd`iWpd;u;lBp?ca>oUM=i&8X^97z%`}CMA8wP5O|h$nkl~f zi+u6K`w{ytK~c74KdY32R14}ug7*xS{omNsVFS)ro^dW)+)Xfr@CT6UqN`19j9v+; zD4jpF%`;j9Feu{KT)BlaM|8Ov$kx1rSAYCC^~EXVIFQx)vPojej*m z!Ah~w#MtCO%T=&-=D59QQG1trj*p3BxG%U-R>tff@Q7^`NK{s-bvh=Mj*_t2{304} zgSO9n(>p)g6dh$`Myq2=K`7NA=rm`LQU73KCaoOSZg?iGgk@#3XX)!wV;n^ANSM7PMe zSknWk*$@s3u>eiCQral7u##g0$#n~uqC{tG`S+-D7^GElD@=Snlqi^sM9Af-#yK4%@ z4!A&MOJZH~R;7C-BnL~VAT2&r!=Qgbog(8g`XTAm8&i~0#wn=@g43oaU=@VDm)mP| zpVsp+HiH(L(FTd*8`T3YOrvPn98nHCSXs-cGQs`*YtETtw9Wsj+N?hai=#9eyo+Ux z2dVM+0jLt*Rk&*Tyk`}gHF7oJn1tYq=2?d2Qv=U@fFpg#>4v+a=$IjmatOTEtvp4% zx8jZX!3(^n068G9)2pUOZrHs0?*fGqtQ?VPRF>>Q0#z-30pKZ;cApM~n3rXb2R~!) zQTI$q)Q9_;K_&c44te4IJpW4raz-{k=(Z(>W828mZ>?-2pT=yti^gkOYhs>&;nt)#+DoEVMH%@tgq^*8K1;KT)5PAh*QtxC|oDt zR4(0}8bvjWVFd=Yt&wRY%{F_@ON(0;a`RSU` z|EF3e8hN?H6AS+qi`C8AA^?`&(yCXIT-Dnd<`46us;WEv9*7M_BTJepUNT0&7GzM= z7+eE(9ypP(7kKi%XuGpF`4&;XxW5%ci6+5@rDS}_q8Wt4T;g$K^fiOTu-2ar4({kY zy6{W-A&e|)T^m(Se93fO_K*}#By zC_e+(ad+t3!(4sFZWyo~yvaL&yXaUB_HJ*?l@m>%L}D1$Vmzl)TM7{)UyhNhej9Yk zcu4J0KH%FL*EldnGCZlb1OkN3w7H;ZV5=b*Le{Y>Zu<3+Vb${vt>zuaDH;EWstQ-N zhYn(V>K$Z3JE# z`S3s&d+cxS54Bq6E%X$}84@626#<>Gust??a+$HIyIMuQ0=X`q95!7ti!U2!cP&$fjf*KK>SocePL zZ3@Pz^@}ntnbYlpj4XrD-GIYTzo4QJ)Pm95D5cprbe(;aIrYlvpt0zDm>CZK<<{Mu z1q&Gi-?*%w5&(lTI&f3{JH%*Wc4Hq=K;-}v8NIy4sP%hd%rAl3h5IRAot8i7Sx0FK z;Pi60CI@*^ZfimbvfDd{ynA66T+;1rYmWx=`?CHo&Rsbt}e)8D@`2|HFf)|t$H2*MFbjrruNlfg41Phvd@tS z`(kd^k$qgH4<7H$a@#Yy$LB|~bbR^=ynF#XPzv>s6_Y$ds%v3jPsPd)pEk09(`=hj zVaFp4r_-0lsbZM?)}3EbFEJ9bN=yXYElPv^pk4!Qf_uzjxaLWaI( z0QSJ`)C<>(0h=MretG`P>pFER>|2|q>^aHY^ZD8dt(DL-XuQ_^(xlo^-K&`8ix!PB z3WV7_q9r5X5PZ+C&u)I8D!`=}-@moy=VBxhKg^(uiY==tDrdZ1NZn}DEN@v-mjiN* zJONg@CSc})8VZ37YyuQON)(TU54Cn}I(59H)LdlfA>71x107Q8Ehfcp903Im zjw^ub8B7bioS_@+s_^TzWZNN~FEnuJPB|YGO2ixP3Zav#3;jMD)9$BbP8A(af_!f7 z=VqCK`XlZDJ3z$04U)G7s7mZ))T)pzEk;Bw)p{r2mC;S~p|(c5@o{90kWh&I6VqiL zw0Ef!^#G_d@8OpRA=jy_7i$0fpoLnR?tID~^P_N?<4aJks)mw_u}@tTivmezT@3wZ99Z-l>wJZnX0fNNhT%2ltRk0XBHfKA z2Y|L6OgxaF0u=H{iA8QUqP=Rl6r8j%kTF2u2}_(Z{zISAqkI{c*n>$Y9^G?*k9=`e z-a8uF(fMHmqD?*h&f$GbfzUD&5DsmsqxXKBN*qu1b1vH#XI0ZouKzu+aZYdL2K1t; z$3M<`o^@u4#@MJu&+3$w4o-uSi@oEGAq0$6Q_AG8#)0nUR_NFLIvR;<>lR3*`%3%G#=aOOHgdE--hm)3ZGoT-7S1uo|u(FG^dB(+K@vi z-P3fib~m6=19?Co2Y_HId-t&`g)tT3PmjeVM`Uhx_F~`WS|?HMzR|PqKS&QR$9?2o z-@d|^j@dGKq4*gBCmF%jPANL401|bbask4fN<)ZWYEW;Y)1QsfNX;FcG0l*uwA1u( z!LI8H0FC?)X%ia#IC#}pK*HI%VZ*v;CY_Q+rd+WlV9+dDMnp$$;e$L&G*KSzcy+8A zK`$Q3*7X>qi`G6Niu^WdBvJ}d?dJ-HQ=9PKH3Md2jmdeHY*golNOnL_JXg- zDhtk+*yPc(-(01`f5_M7{u;Pwm1~4G*g3+}uM&*`6>cB_2x2TN#)7z`QzYcz)nWmq zqi{rpDyA23cytvA$5#V_v_HKVtymOqt~nr?p-QwR#q%ASfl@u~R|9x0)YN*%O@7Z< z#82P(n0cDiULbKDwWwu8s#KC>rVj3)ao2mR&+cAJxnjaKb1;W&=V6^ZNY-22(qI%a zRBb&Y%v%}!CRPm6V~f`WSXo3R^N#EnJn12-ejvzu|0F0#W0AO}bn{;?>1ik6(0a-!2kk_9{S#iJF)@ z?fH-~Rx!HkhttzarD?>+*;+X7DJ*0^-hqO!i2DzbhzPzQMkOiLO5IcQVxo70-X|76 zIM)2`6QKH~!*|SdCiXjzUiC<$WshMpp6l{s4QUWgld0c`2od=! zHXH36Nrv<~%FdIK#gB6>eKIurZ0=u|H?WsxrFlTWpj}8WtfA^JHCNv(o@G_NAVidQ z3<-8aE8}x{8d*CQ;ZM7U%J7!K?HWW771>$@N*_Zzv8=D8H?$FK*t`94+sCjl&041I zACp41HL{YN=;o?Rp_4gl4!t|4G0;6}>|kxs9EetN8@b8@OINcUFNPJ?8V0*$g#lYg z1|Aroh)F{ySI5A?)Ed?-1N8YXTJ8TnDUc&#i;c;R4YwB`9s&j;6#!Ac%D}#_`VA9+ zWO41E_1prAwZd&Mzz?zhAZGALQO{Re)#1^25ce(_T8!_l`7v}mOTDj%o(v^q2Xr5P z2keWrjWIE9PMi27xWrHWDr&<>h~1@Sr@AEY|I8jwP)4cC@*JWf_f(}q?w!(=y2LI3 zrGtrrJ-4lk_n{JjIT(DRmx$_lgZ*XDr=@9$yr5#Tk@uSPCs8Y}wy56xye&*t;S=c) zQSTwV6rCecl5*ut>pUFgJIuRBXz*Wo<`I6q9&WUT^d1C&Bf6#zE;M3d1?4Z-)RfXO z{cXI8$-;ONq8H%1iZY3_3Hto8wQ(2FV!SUhzeTWMW6;0^0WIYa+%9F?CuZyeER*k0 z<52FwEjt_D4XHQW#l5#$mOA4x6LO~hs+lQI%e8`J-SEq}#%xD8y9G2C%lhk+>}ezA z=daBb+qX5@q+2c2&7_$e1YnC~TU529y#Y~puYcB^io^0toJ2xIW8A8-xKFJ!8j|VY zf^BH36C+hzY=&J%`Zea>if-;0N+LYGFW^G$rbyTB2+efV3X>1#-%9fT?50k4N)1T! z9Nyvs8qbQn$L-kgoLVVp12aDIeW^ypXkXp>v8?!(t(R4a;@TT$)k)pG^h4btDAoKH z8Wb635>%w6TH;{CzqaX&cp6#}5?yDkY7lirC73?z<1y;gGZWbo3H z^QVc=6g%zV9)wp!dE-g?J7 z1#&5P>N*<1OdFFl=c9>UyOdU+E-q0Qw)lG&^GU;9KL5uEx}+{6T@(@Z7M)L=!+Ena zqY3fMmss+lh{N;%5C>*>8E%5U$nt$7mkRd` zrA=_{Ky!*g{WHo4sk!c>mdcwJGh*3E`>Lib)P~Xol={M;>;{&=vk(6x)zE2(WepY3 z%w>sUhi?lhJ zjGPS1r(9MppO^2Mhpt?jsmuJQIlV zYR~OUicESv!Ra?^VCUa$e27RVyjwb|BT)tSbdI}wCGt;|x!=Q=v5G6iRDl-Hut}v= zk_NTG=SXL*%ge=Y4|sJa$k)l?xPYrpR?XW#;o518&gyBI`?TgqTFV8eg%B?QRq8)& zM9L#hXa#}vhMcaneez-|8@aznjKaFv$+X^JOvC1Vl-QD}eOQ!4S%T(HTZ%s#PT@|G zg#&OXsy-3B$+Q(AxdY09(aH#kI6W48nim+V7@-o$fiP}}P}iQ|$`MB`Ls;It9FZ3qHuWq%cnaG{*7IW`3EakuehKhmyBu*Y%N4_}44dOAK zbcxnJEtBga#D`9N2)s+=@0#8XZU`YkMMF;$|D0=%xegm~A1sNMRJjUx$npib+mZ*O z31i}{CgFqzv&o9=MUr^!5Z&-^AUww#bdDzGeXxx8HRe6BK{?2We?iO?Tt2rWQolDa7(@Fj*CoezwQU}@*X6UjU_kwj zj!3NA0Y?EYNu&xkn$LBt2u)*o1^o=S?-l$1ZBvn@Y!H0Vf_1~P`6UAN+&?L_11sUM zTo*3IWWT7;y2DBK#^Z|X?~ht^!y7VKqvh8yNZ-T@=PPruSWxQelX)Q@Mb}S0-W;d* zyIV|&K2ywwf-u-=*~b-WM8XwV1ud$k z8_a9l^$AB_A)EG1syPoWP_l@jM_H&9yBHy2`t;!a4^qD_IpttTDW49c4}Y~H>rrZZ zN@Re3xigxC{*~|?Z_(vY0`OJrPPJ6mm`ZOWBD?!sy8vhg=~)a5ba$FskDA6xNXfp| z1o$&6X2j+)m6CF^bDUXD4{eob%rRUQpCo#uPAJad4G-8P0k4ag`yGPKM`p3xeHt_7 zV7W{QGp)EDrMw%-ILbU(R&-V-jjT#IkYr212?P2-_Qb>(TvWjoDa&e_kNLEh)v%LyMU|5Wl2v5BZ@Lel3j+258&1g|R&|TlK&cW?^ z7A14#*~YtTrm9_FhSa~uo@|=Cw{rbPiTfm>v44c*y#Lsuy_}VG?uezxWuI3^%UX-$vVfSIJTfxS_gER3uvCskPu5Q`kIYvd97fBGvbvirbL)7sbHmaX~Bl_W)y`88JAl=M3oiP?KfL*LZ`l@LRv%!N}> zKJ`QWedd_msWc2wY#JWcVm*pV#zsq8(nEJ7(8OtkGvxP(J)yHJNm#xC5IVAAOd36= zw3apKK0g?J>VHl}9I&q!Va`8fI5tci=H+EhTf}tlpB4300uE$Ys*~I+7v7D!A z;m1r_4K;uDd8<$}W6F6jN?HG!6t-_7E2dd(0_?9fZY=Ev^hWNRSDKT3H5b}getFT4 z0tCfG%BId-d_INPU(H{mjZkGk>&je7jNfI6VyWR0P^c{r#2nATlp9Cxb^8bk$eZ!b zku~0d^;k)8h)?f2viN5xUz(rlgp+iQ^huD6H&r+rw%C$;^GNAiYrW#OU2<>PO+}2A zydt7EVZRB8yBfyljqyekynpaU91VQvdU{s-deHNJ$YG>}n2jgd=Gug|h*51R=vy!_=lK6aFgjBa>AMn-H z$$HK9X&pe8Sqj6#co>rHP=+Rvk5!Df6Zs1`soJl|>$<>0(`oTk)nR`(3-VvC;|JRK zs1B*9oy2ywA)BIuEC0cPcGB1?td}x4g87NMFA@PTNaPr2zLeMD6K+0yf)s2d@3kgf z_-Hyfv5?%Mz7xAp;pP)ecRilA*)y>E<_|g2s4ouj0rH|^ zB2c;SurlsYQ0iGtsEMa-D0hF@#FCWv&!U*m!b1siIdWI|(7BK~^-Ki1N{I56Bj~7F zub_AW?dDB`61^o~n(pDqak6@Es?J%Gb_>vVqL*!cDuXwq>TV2N9k>Qo55h81aXL2=nsSgcbUc>)!LD>CTD*zxj!VX3>M1h zd&r8&^i|_b?aXvheWQ!zW?7?{T{9PWqK(Y`zsLK7Fer6fglWmy)EVSxfCHog^f{V9 zym#pzuMd=nrrwT^OQ}G{eN++c7tJCb;=})0&S-_==j7hORU4{cW3zmN$d`1+@+(>p zibMMbAdU@C#C|m}5ZiDDT?yG5{d_ye1)5lYC~XahePBfO1Mv=`v6H$Ndsn7wFp-6= zpcJBS_8iG&r45-UY@F2BomRUbjqKU%Gra%q0wqhmX9VqQTFO=+jB;aJ_n{VfX7!{~ zeM$M$5NNfRWJYs|A*PfBblTzgXdD5JlWJ6gV!;~58Ou5!J`Js_ocj1uL+ZD*BV{!e zC4peBVXYQggwd`~f4ID`U-T(Z9cv?B{ISLh2X-vfWZk zl3g26AvwqEH+Q4L-{W~QLv zeMCi&P$6P?Z>j|a&o9EjcO30&rtmNjIoAsx6`%4kg}&bA$BB6@n0{xDat;Sv)gR~v z(|dsmm8|lxFxU{mPUax1TA9#Dn$0P9;Q&4lMrl>uAPiS3O(BL({k$!am{eiU;!XiA zZr3n1=CR^c(bf9w zrr@qxLRRW~zrP3)H!O!|JF3R@Br^F!gWx9DSQZ}!rP@>&v(gOT@ofRX-cUV*KJuf& z7cjlM(t);fz(d12#BBsGA!KodeSUezQsjHpBErFZU!%sg11NJiu=j}-bpUP%D)lv7t8iXpT=OE=wI>{Yay1nE~;rc)rslF!dD5Sok%C zQ7)KUWAW#vV!z=w5`}z(7=%Ovj>V_;wn{ho12;cdML||>m61<|P;F8oNI$$YmZV}5 zfIKpvnrZ|;uBVr(ngfd8J{a0?rVFZ49QSBjEu2LmQU2hYwp$p+~@!WJm8g1`wxI-uRW*FP+a28wASZ@pkj2=nE z_1F7{tFq!N?D!GUom>t+VCTfQjX%S@Q7SpTk(w`XE$K4Bm8YbA8x^q&;|dEJQ6l34 z$h!Vic%Dvaf>1i@xIq5o!Tyisp3mUX{E}7p=(6X)4PU3;PFOX;&lN(zDhXFFC&y10 z>I;+WcX%h~S}L$!%dAXLn;Rtc_Xz&^RHr zNgPtJ5bIW+p#X=zUJH&vinToX)~d?@XI?7V-uolz5q~rvta(YwTUfwrg)J6|<8VBz zuT)~)X||WL;IvJj?3)=ipZ8Hc5_=olj7;f;myL_Fe;JxtvXJ!k|+H z300`RRt>Ri5!yncw^!LnXmTrO-P5ENYpDW-d}Dq+J4Ow2D+9+T6lxRX7%RZNzcP+z zotDqK13aAFqlt~lPt3j}3PO^5TvkoScptRXm4fmR0G*bf8U;PEc7K2Dg{3X29$u6P zZ$d^`eQP#V9YlR3iJs8sNWX7$O+X7#eZ7R|&;y`{aT_uV~{iG_r`uje5rwKL1oJSm zh|!|WCWJUsNoHnCHCKp`_Eaxrn*RcC@GGuglp@Gwoh;H?&TaBao>L*LunvI|pG zqr0=8>S+keckko9V-Z6OMv%OTHJX9s($@n`f~U4ao=>hbhNg&|2eWM<+3o)T;E3Ik zKuEn3pW1-3LFY9Vip!@mrvkosiU1V;FyML{G_$Wi=?vXk=Lpq*QLP8o88XOnN|r#4 z3Y;PjqK$_fHpAi@hO4sbLTAa~*Njs>k%o^&Q>_S&Y##up{}o-o=Ek^E-4zl6q%?w5 zML=6UEuC8bkU@}2w(kG1i+^B9q^zS=DrcZDTxPwDXfRkp;57J$gXZ@0>nhp;NFu=n zT|Rbe{H~~Fk2f%K%H`;BwSc{oBqg@990aRVE>)at69tAFW=>MoEI>`@H(7u4b2WdX zrTpa4eQXcw{IH6wRHbDptae5xZ1wvWAlLV-*=sK@W=A3rh>!e1?>p6nvlMz!(WiEO zr6=RsXM%ymWuVY%!MnjXn;5Dyk}5eTQVW-4>NOQD9GYn%{ioN$oOdA2@;u0ySzs9B z$GE_93q)y~O%9%W*OwHi+=5>piCkS#o(ExL*Jpp4FjJ!up4f)3}tAnXrPsgZ`}+n(#1a0WBAZv?&TD0-pcMWxXJanlh&79%iSw zAnE+mO)wxu@ApS5AKFE(K*j%Ch*E#xbogX632>SBI3N0^&B8Lx#c z?O#RsBqTTMtIn-!`Snw4e9oz&nQa#vm1QJk8wgyvHjOE<=AN1zxLZ(DuyDHaVV-Y4 zQ`Gv3$rgUlYD(+pyOb86j=Zou+0N_Vi;RX-+}zWWrUzj-q7g$EWKNrCeBcQ|w%qeA ze^}%&va=BgG3pwG>O;;99n?f&19+M$fkjM4Fo_jDA2&VF3pw+#^4E68auT+sj2n8N zsVCvW$-ll%zn9rv3{V0_4-6Dt!T&szN{0*MY!@#Oa+DmK33O5cqNsq$DP_#3r*-I@;ySeLLi5m z>rS?)-}aDMf>$7{ddKu3>z4LUuXD1h?v&=&}&|eeM`2fN8P7FB%-l^#2+G7(^1SCefyqUnwr z4^$P=Y;^WB_^9*8%8;r4WpCsmsj%J3#noStRYhTV7Vts6So?26G(>MS1j5@CHk4I> zf18$C{vh4+nxmQMR_R%tOV8Ab9G9^1xR3iUV2DHmqzg1Sl55DmIaMKuw=uS zq>jhuwTd1ErNpYF0+3xuVAbKdRYZh{ic!s)z*cY2k7&x|a(M#Z4fl$qonV??1P>o+ z4kuym&4S&j(-`ldW6A@Gy`yYBHSV{c1AX+XoS?L)j^1Y+0ovM3M50xbNjCsesZk+M zw$gv+%kQ*i_H12gCH^eh&&r_1Wf+0)T>efFJ{}AY)vN^Y5Kv4L2=fe2ymIzplK8_Vf;g0 zgtm#XSF6+Dbt5SAs2v!wXG^0`xKi$!vd|u4b_SWP;f)uYWkA(dd*&V00m3+S#3w8& zTo0r;$Zmx*-rQ`y75pM4iEj*_Ge2M+rZ7Gb!|jxLK7|Y-+WZh#tBhor{W49=GxqsshsO8)ohtMSr(OXIqmuGfJ*y$jvS{Rq zlGBsJBJc#|`8olm)Zrnk%ZkFnct0rPpZRMd_BD(1X&xyKbV4=gEfx&26*^~OzP(Sd zb=(2L7uH)P!n7lURFNudla`ijhm&VwU|8nHBaXskbXml^At5JYDN!tj@F)&`prj!)sda>8#MVV(;h0i zsntSFArm~-#m8+iiAt8zQ5aFm29|ZvHSOm4A0VmNT9P(rMeen?_ZnE4y!(R+QLyf0 zK)iM^62smCjL8vIc*~6=nCJ~B$q1ZNoX_+uZm`ohUbYOUy?f=)4#6(5wZfn^R<_52 zy=NR2&DF=<%rZKzg^4cXDODQLM3lOE8u}+B0_|k!3U{F-EjcI^%`e9iEY4D)Np`@F zq*Fz4Q`DVBkixVW5V2%?6t^;R_PXDn5n%@jNhY`j2>Yw)Qr%fJo>}R_LMMDt?G7sNJv67d&2g~|a9Scaix!~&leEijyeb3A*n*HO)7yp}y7i9YXA2&#Y2g^lnMRr{AiZlI zGY-uT(t%#D4mKNCMI9UvSn8k6QUr(?j(AaKM%0ZTH71v-(1CK}BGA4>T~gXJEh|e2 z*iRG_j%Snc9R|Vlq+6@F^x(_f`n5wt6DNUVaU*c3lO19AEp5L?*Wn?(jGJ;sedj6G z;M9b4AFSJ8>TV8$_o4>cgv8h*TT{wVuoP#Bn|j&nL^h4ww09w~`uT1UoLx;*Wb~W& z3pT5!NuxI7c)M?N9zc78iH1a0H867!U3 zrOD9|{V=wK240M33dS|usr!bXPn3(m4 zu)XHKUm|CnVA#ZeSvx~JI9BMBwr%D_FNW#kQj)dz>@r+tS5bJ|P%k#F*Y7WI!?5oU zT}MDNcKl?7pwb0kc#9~qT6d% zC<~6--2E!YyzU3+zjr0{Z8OscB?;ocM8c?IXXxCI!T_|UqH}iWWs7%H2!MnmKD4?89z^&MzV9JM68;hTdtGROE_ZtbcBwSKfqn8L??_*f z;s|!a!_^_B`a=slgmTJbCi@e1H@Hn5v?*7AYf?K{m`JgQ(bKKFrZTqxmg7huCiDW1 z^GKcy`7(f;cfQ%L)~z8h(qU7&bkYyTHky`IVA z#WWivY88YRE+l09-)CKEFGvPL5x^(z4$fz}T?@z|Q8(LVpv)elJXU%xexNu~PW*4> zRM^fkW+`kvg}8998hxGVS!8G}*}B88Te`>$M!$HRqgs_18I?m?6yxMys28>PZ;-hB z&@=+(BO31L5XJ+j7K9Jq+Z~*R>1JP{*)E4Q%l-{ z2!`AGk!Mo(_RVyAErXr}Gzz)G%z-te46$I7xSnHk8>i&qA2Yg78ToR6lWYBNGLUCw z94Aw5&T>NWL}VamG*~mTqcr!xU}*1%oTc{nfl-B0Sq~>G=8brWDXH(n;)3BhEgS*{B7U#U&tynv(b# zMMQ@=YDd2kW&gGTk$ukz*kp=X%2vLUNq6km6*jZWg_nsCt>f+j{gR-#a8eX7H9c#n zb+!_P#+W@a547uIg~y9a-kd){R39*XWLB#yPy6JhBkaE%EhQ@*4H9?ZyLQ$5G#Yb* zK7B$2j&6hPjsm$We998G_|IyyI>*`5@8yrUvrg*m#%n6RckGTxGcmbC;RbQBX7wNR zGWt$sa*>`!qd&qy1P@5GE}EFZur6`5r<|gb54y`dj6xaK6kH%~h8ASAS9#lzPK&HX z9ceNIPyT{0N3;jP0m!Bl|rHMI_UJ*`P7B7T$OK;y4wGl z;IMn;Qqi#LG%%zn_|B=gqW?Au8U^gRen1yha^`62mSB0D`*%G1`?WoV8l`0DsY^#8 ziyMk=nRX^@C<+pkCN_e6+ogkpNSYqzZ6So815np}h0Q~)2Mq$NS;i9DNUk@Otx{Cx z>%vK7!PogL987%7tL2sMYKR~c3>U7xR*-wUV%EUhP_m`S10x;5G8EWOpLPQu5^1J= zD40`({iVk`0^Q6zl-k-9(XjS@A;W}=B0rOSdPk{Jf(u0bigNZ|UcKaOS=c*VJ}oTr z^?-|!#caE`Kv0b~9HEsap+aG{aOxTBI#{e=HzcbLn7e#2$W$g?RgA!le=ykQAZ0E7 zlZirC^GEUN@ofFl6n&guu***^WYFxR_d#=x@cx6XToGeBpd&wIL$_Myt9XjjoXG7p zv2}dEX!Q+KE_K*Fg2o8rc1m3MH_wXZvQ?Q(g|9NJJ>Nv7lk{Ao^}~)!>n~y&WG9bJ zNxaeTeQ1y`BCM4<)SQ~Ps573JiFfmims&`LSX=iCXmgtrSzq?)JF5a4)XQ zQ3knD>!_-e1-!)Xne-jqiH6ONrDyXZsG05>#dLzMxrNk~oU<@}Mbs2*f$zb*3#tCP z?V?$vdNE&oCqnd2br2x|mh>RpZtZ)a%~P0xB;?-==PVxgm@;`2doaG+crYJ4Hks~r z4#LrGAgVko`P{q9wadSY}i{Z;5HZ4zCr&J)~Niu-!hv z_PCzZPap((a28M3{JquCSOxr6hT@kt-nz~KadRLLE2u{XkmiS9PX$1a)DDi212~0w z)HC*}QnDyYnmo~tWDiCkcJ?klHe=8>n+uauo0r6otaETQmsQPP4h}ekIXwQvYb>(k z-|Ks9Q-MmlSu|-Sx3)U+5i61ua5ubD+hF`!tH?!0qw={RRU-nb2gMK0OqHTi=fdH9 zyD=w>oim^qs|c3!Y(q6Sjb(bQPb-bUb6)S!HGRNy(eM63law-w3ZO9Mu)kjM z{L zu^_&)7dZp(NI5vMU2~EQeSO`)qAC2rXwW`Dm$rpu+&jstv#P%nQm^g}sm2XK6&z$t z0{a87#014#jF*HHcWO$8hXiCd+IK1<#v7Rh5$i`@R|+O#EJGXe6K1c+=~GFo$*l7t zRnb9?B1w}{?^(b)Xhi}|5k!bhRTm(zj~AMy&sBiVNkt&`uhDnSS!V{vJ_?|qDZ+9B z?{N@Eu(rh0YtNeicTq4Rs5mAnzguKM-&q~iz@w+Y{X!9_?qhIFZOVS3?A+O4?T5Gv zRV1w-QI68qx&m>g2xIN*2&Dgu6frCWFpj2*#hMBIK2d`dd_8J<4390kb!*K3RJnK_ zme1N$iLa@oZ)rvL?3kNrv?U-8`9#h>Oz~n2Y3!=&5rpHEjs6OXjS1f!gnnVgeq-NzpJ^YZZJ4{DKSI}XLJ-$bDlE6+n z@f@8#=B9x2Q{)2{!Z#F~G315|3SlYl@^e9Y_g6jerzxk8ej%J}Zf_VqB$bhoc`zNm zu}?h}a4M#faW9P4G(PPzx2Un6e*%Tq=r6Lxck4I2k)hVP@HA^i7Wf64uZfBP3c*5s z`zWv(xc0M2FUjbCWlqQBM`K)(&~uw(n+8J9(<6ybOA$E(AUzJYSI- zONYg21n*rO+QGJScmRVAdR5r`(uL1evGZUAc6@vfV}RvG%PIwjX0CpafGZ&hi5zlG z;ApTs9IQp%u0eUIyA7%h4P1@hZZ1&c+#f>PgrJE{0Ya3>`%A*`Ub+W!@8G>4>nkDJ zg61svOQJ36{Oo}?f62}%C*z77}n#9;w)?6 z&<-Nvz@!ZuUz%xxr^CQ;^#<`j3>Y*GS`S!{b<@`(4idXgbv9Ay%z{^5a4N`|3|Ms{ zOpNLkzn?Yea9%-sxQ(<^6krSxKqAko9WQ0%^~|cDvR7f%D&23rQ0!r1AN%yAQq5~e ztyNAW3o?BK1(O_zKPG`;)q|-V?zoR9M4C=DWJzv054s%A)e?T4=c1g|>!ql!kHn~}PiT4I3K&q*L3fZRir5+5lg;-5d(`18`f>D@oV7x8{l?X92 z4qMx%^};FRbs?c-ek1CT(p&PyBTNb{B*hhZQp~e!O!f3^Ngx?S9$yY-XlfD=k` z2|c_SOq5{-M%USYjmBLX)i|%*r=W&Z^ z$JGh*(0kv#%7EuIEW!a|^j;}U*!Kjh&ZrYZlya0D{!Ge}tmHD~da0+-fRA&DTm68g zh>QsAQJ&61%pNOYD&1eQ{Xm$HIr!%RzgX7PM2KG)`(1&o`>R(K%aDG}-|WAyRc6s6 zN~~N6A1CvGM=$2kr<%imDhsK1A@bvEM+)c<$q;Y zfB5Q#7E~YNa>S2TwU_1Rob&%Gt4?ht2fN!kiK~Tzl7?9#{;nJZDiQcKi%bTk;{xB6 z^Gg87ZZ%^~-p7O6^au(gx2Fk*aIz=LExnq{#7rCw=>AZ3ZpI6WekAvt$JCrQ=eMXV}?nhEfp9wHrGys$0u&sZ$~dE z-0!ah%Gyq#P2(A1yly3ni`Rz-=@X<@P`-3p9R}`#^>3lx#DN#&qR79Q9>}oZEq+uB zX-!XJEoPl@(@GQ_+ezEO@|CFO}fNI>n@$sNW$QDtP86!rRhL zJ&-SGgDpFJ$XU7$HIsgvO~{>&*Cw(KupygYu6ri0l+!!ot`#o6CCrAZ0L6}KefA4a zSO#PHM5;zu6~DsbK$o!o1efWl1tNN4WySl#&~uIK=#31*kL^ApNjo;EgC*l0rm(`v zxois>T*%vy(!=*jtikjim%HDntHQ@+Oii<|gzClO=MY96wMsmf8*M*{#HCx5>DSGp z?iWM`gGo_fE8lCaJhE97!zTA!LBp~mN;TFpHI{-p7%Um9ACONePZlt6{>xwNrfVeP zxBTMb3>q3Dvxs~i#fUA*likO1S^EYNjugT{6c6^G_0)Y-F%OnwvQnGvShJq&!b z)-HaY!o^gv+hU~c&+OI8X=~;!UxN+5~w-9QlkCCaF;mUl>4hMym;Q`v8wGvWen==6HSu(dCG!ECS^N z;^gg}8WD#)3q}ce91fdX$E(S4Qpi!~$sNqcC{C1%2>Lu7`X3-q&LL+$T#)<%OlPyu z+Hft^qz!=>%H_gcncZnzbFze~q+H&FCndRK#NJZKa+n-13EtzvlQpmyFWeKD0Sng| zDIMIVEo*>6MB#Dx2>=7rc9Qg}Gqe7oOTY`qo;z5zAYW;fc)qY5wGz;Y5g3I0Ll*W0 za`FjeC^3lDbV1WVGnheV^_G#>2zxt*QsP-)3~*K)7Z}=v#6FF(R_<6=rVcv+9e1LA zx#`7JOH$wcfL$;o`1D?6% z1xz6Yf-7GQsCIg!Vk_ukFij=9?p4V?;9sB-Hk(qNZuGBy_C21D0TZiLn07IlapPme ztw-9-I20xQ>Xp_bM>U+vwTa~xZeq?zhR}zx$7EY;NO>T#lou}09TAvukLg&8%)|NI z1!KyPu!%tPa{iH4|A2h_@fwt1sxe+Q^G4p!XVo|s&V zLmw_t7W2{>V*d!ORK@B7P7BfpOt>lm;pEiT72(l0s2O{!8a_m}Ma}r$eg=*3+5=u_ z>GQ2)7P*o~4xts#C8RjF<;+X;{jxTe)iL4g1=dh_L5K#FopcSfs!nJLTL-#woMt?X z6_7@{Rg3qDsEeOI-l_&y*M2RtWz~yq)(BsKJLdEywZXi@4IoH=N7yB>Xc>S`sNl>Ax48SxENcucy_TY@*wR1~qk zfcfutX0X9vk*T3T$DxV%fQbR<;7h`G=_pa&b$D zC0x51;{DWoX$XYqDzbNEh6cS~S%`+Hy5ANNF2FqUc6WW)KUU3lzbe?Nn02G#^>D%F z%ZwObhp=W)03v9C+FBLI62ca8I$a(WnOkvfglk|+F3XqsOSN-KW{b@}L;f3@ ziqvN+2`Dif;;A149%pLJN~1##Dlx;p(?{=BIaZS$>T~Lki6o$2vadCuWV1(tOtocF zrT~MrNO3H3FJ^`^AWZDEYuA6b{o_9mr!S%K=*QSW^}9v*s0zVe%4yl;qcY+{w^IO2 zTBP_ltUr3(j~v(_#bH7`0ILqLQ#4EcVlZyghL6;C0{=sycT#L(F7$S<-gJRetj-5y zhN@>G)pF%>QDfKo>o9Y=_Zo()SB8y2$H<|eQkp0r%OQxEtr*PAA|-QqC*Y>>jX&S2 zO*O(7lPoy*iMANn3~1q8>AvjQ{JWkttYWSloMfa%Gr5qh6 z_`Y&E7`>|K$2&qkxbwie^G-e=Z|InOiqc3VT=@q5hB&rXu zn%5z-Tpw;z>f{7mI+3~46BY5+{@h8`lpXzf^?M@jXDmOo?yohUQ%^DRB#mRzBG|mj zNcp;Au#NOiDc(X=vTI-b1ZwNEYT*a~H$ce060Q)zBP2dH__Y;H8Vle{7DQ-qFb!$+ z_9RH+sLyb*kfL*kRP>SYLNW8cp_i&hlF%6Ra7U58NR9#q>Q0IK+w&qZ;TTIN&h~km zzTc`?%H^G;g;8@z5mnb>$225 zK?>Vq(L>U;m>?xIXlB1hyU}8(x=D%F2+gYo>BmX)5f1Qs?S<(~MLU37wVqt7tZl*L zG3sbEuoAy>(mf$0T!(mAaqBo0AuZ}1b1zDc87h12bn58F+dW&c?XsQY15=pztd zW*SHZ|NFb1{CYxV#!~%R`;iVXua#6WKW?vXIXnHXve- z8e?QoCEz0;0C_813SFD7nNv6lc8iWv-4n^t`4vcb^ZICn_FR#TK4xv z@4s9Dm)}uQzoo=twDK5nutChNAuOan1Y1-L)~n%b=~SvA{DA6FPA|ht=#5>QCGbVA zJzg7+!|TU$yM1A<=t`#r#^T9@fKBGW9u*CLre3wfu`jSj&-`k9rdg|&&Lom>vI=99fPh%cM@^ts6cCd8DKH=F#r^n z&F;)01!z}O_7QI+XEQMj?^?_+a64%heqF?TBuTd^$4O2|{SPu2vVHF?QnQn*Sq1cN z<#7-gpAouWBG3*q6_sVZGxsvv9o1>R#C!-y1ZZ|lCax_*aX*kStVh530A{jLI0J3n zY!TBAKqMsn`2Klb1dFL{`bwAm{W@nJ3_g-QFGnSRmzBeU>PDs>W*Xn$%TZJaxsk=p#}giQfns?Vf?SA}k#AX7+Hk%9C`srS zyl>NSCP4~r9`*cEK`e)^VN~aLp0I};L<#>*qt%^x&~dS*h(u0nc9O^O5fY^a+&*06 zOOvhw>Yhdn>1|EQ9GC8RKeV&+y*QIiFg>Q*5$;fWl9S=X`=jQ;VQ$iNKd1QR*7b#>DvMvWeU&SK>z zE&M|c1E4mIU`q?L`xt>zNG$kIV-Z;>&4u7^d?=4KnZPh8e+g_}W?rdaF27xPn>~F% z2ltwQ#lg$Qs&?&@;ttIXkip>EBCvnQ3NcI=449pcJP_4FraO`n0hhUX25D$ z%ky{m^cnF)OfB|buoiT;={EIMMLX86j9JjY$EmVd!_K$T45MF^MtdkTKaq!g)*xGW z_z1l>mSK8I#n*Yh7>rreRN;JW#LHTqh<8{Bi?>@*nov-B3q7F0`ZZvZ@``glee1An zD$c?jhI!n2k5wryZ+2q=Gf~vUVUUp3T7WG5*`YSLvN$)W7+y z7|WX3{r|ybWS+TnX+Of{M!tM;qKnU`by(&r20y$mO_-b@Uq?hs30liQx$TAWN)Ru| ze3I7&XZj`u18jH5$Uu?WpmuML`tal)Su~yMcVbscV8{!`-hDM9P z*JG^+96T`0Mtfd_Oh7bLnfGh+NVUC>8>e%EjFQ8GTh%p$lEf1C2!I1KdGYWZ2TBFn zs3a{+$6RZ~LjiIQ%k%HIzg3aGJKvIhcjq#v z#X~_sdXw}Yry7-&sP=r*yOIo;{{QaJ-eg|AMd?FKq^ZIUkxlif%qBlT%iHz?ll#4k zl6>awsUDR#Ji}p`_fi_xJ9(O1Ip#Q`2`x42VJ*r)X)#uZ!CqV*ebFEr9xQYj9&RrD zBM8|uMoE#C2&pM8}UB5XHtY+zC{Y*%LQ36OTBQ##N8?Naz-ja6?7JOu61w4R$$ z65gmf+nQDi9>nQ5UE)VKFuy1jhmFCt^?c_Dq9gfh%7~m2ou7jOzkeCOyp%CACou4v zo1LYcGmBaUJ0O*24-zA5v?O1CNgtnh837pZs%Vr+oSfBZi;xlSa(Te?td*71i%8H6 zj?Nz8J{WJ-9_)tR>qE{T)@zVmB2Cx6=++0TT(??W{%J4vLOI+BPIIpydfE@H!mASKOS=NY9?t$M`nmibS|FC-j9+KO;A81_O|E6%qGxXGTxA}lP&;%i7jiZ;KX{veb)foZI5rs;0evxmuyGK#?6 zZ((FIIxNjQ3cA}6*qy`!am1u}ODG!H`9WFLOzFkbrF-kXc@PPzFm1p3>{rQH~cf8EwTsQiSG@xeNy#P*@a75}Ljb z)<0{!lE`6Kq{}C7{#Zyj^*eT+wfAuXOJ0szTd4*{J(7Z?1)E*k9!A9e=Fl;B+HqLa zkdrp!qm6AA20%b|=>r6*iGnu6wKvxBa)Wu%OFG5U)t+Y-riVMv{n)(3UQTIhwi9-3 zuH`5E<97UDbndIlm4cf_aN_}$h^0&d-euBm2L{~QYqIzbT5BV*4EgJF3BTQCKr*DP zB6T?3@pk`8bkCQIs3bj({{5OY(eo@&kt@2RQeC%A2&ghREXlDj-rX&s1Ps<6MJ9`(@Akf(`7X>A12^~{_@3^@U23<+J zWIIccx_T6&lhoOg5k*y2n%t!@pAvHLZp-`PW?{h+^fC%Vt}o@R zh|_jw9(@MaQY8AoOB>AxkE({k1HrO|sf_cuOg8^JjDWt(gLUO&Qql`r0MXo=CE9%r zMr*5F`a)J5N{IaApSjz6E490q%qWgQ39ca{p|npY*iN>GTzvpHv0_O)#^E1RfF;`> zn28=#P-`np{h^T(+{#birWZPCzytCZ0Zw4Vve3Ah3S${xBt$GB#;PFPuBcKEQdUmw zvEzGG_;vM2{+M6nsm(KR3IGAc7^%}mOWHvlrfSWmvTHn(SM{{JVElg#E4_|Wr?w{6 zjE$?Ko?2o7HiV>ef(Yek0Y#XFh`mawnX;R_jB%#0`jW>was0oYY#Cdbqf+5H5{_mO z=k(vWyI3WOR%3bb+pB&2i&GNbvs(UHTdw!1H0vNUe&p{_*K*J3R zwxChaV3Bmgho7PyEtM$yOgwbaPRe+s z5XMK{J}_VmIo@~*j1p5mk8t0G9@;C=%z|YbrUP8Z*3s(@{2Y>E2fz?e*dqu{(;v@7 z0L!X6*NW%0qq|u_`#*1j<@d*jA^{o;SVH&eN_jg%U|m6g@I;~Br_CZJ;c_I_S(Zua zNfS9ASMQN2w2E4?^%U|D29KV%FongfN1|n*2lhP<`843-L+f1%U8*ENL^N9aQ-7Zf zYiNvOs8%*stenDWoVG{Ky6Yb!TI`~wo{0j^y*`Cwl&l}x1*&+SP*N;`mXa0~S8-SS z(?lGO+4vzR>*1R@GKXMLz_{3X*%4J*+JI;E#$DBZbM&Xj4FoU^;sY9#^#OCv0y_9G z?G;k*kzd%7K*4`rERT*f2Pa)C{1x}q@8r+wHkunA%ad1hBhwSeev} za+L&3=dS(p^6Ad&rHj^O?$u0bxi$cem@-|6H|fyrQ*FGtz6UdY<7j7Gp9i_C=?@n2 zQPs?rL#AyrM~sL7B}2|{lG&a=I4~*N1jo^xfG4s{ik9{EFgR-$co;sd`5Y`g*?CT%Xcu2>ZMN}GvXM1F_{WS0xgXxRW7q#plq*r3pQ3CU@@b1T%7Wx`2S((s!5HH)9q%T~$Y_sW&$xJV2`_ z<&rT)d;VYWIf(XI+fG-4ZQx5!j~gv1?hHla%!bg+VG@c&s%J@&_p_1CtL>!-8JqAo zMdv~g^&UbJs5CkY?7YtP`kJ$*Oo#msb3)Va0_}49aNCYt*ZDO^>rtwB!dD?5!N2}H zzcuz*#2;YUYqanmI&;e)#3Lxt$)go1JmT}3K0q`av~n!S;9r^paemG6afv(=K003ZELmW)}b0CDxMGo&{eO_2gedPY0n-m6@uF>GG>;(Te!6 zmY|ExkZJ-{!GcGBmC{zPQZxtdRC*M&MO2>nyljC|njtR`J$Ej)Iet+HXxN$-X(3eN zl30acyK&ed*PH*;_O9#XU_N&8K^X|43r8~UQNBek%3pf@E9`R7W-YPMbT5yJQrvL9 z+BhD6;XIg=pB8gn9Wg#a-%1#=Q4kv2u90#<%el&1Vw1{LAn=%psbFY1RDR`3rNs7A zPMwZq?vS0)~uOjt`%+bo^H?_9nUk?#2|UmPd-vyZ2}FI4=4kFSB6;6YLQie@;m23>~Z zLk~#yIN3+v9jJHRa`#^#OmXR`^4N+9o!Cj#MsILk80r~jl45_|$Lj)qyL!P+9Y?B=uM!kb0ZQ@cY*+w;x*ICQF`Vz4eJz=L2 zVG{P$v;KtT3hXH8V2zumUNCS7RE3ELZ2logtOTo^WEA4ui_h)sC1G=~hH@`rwc@!r zaH=N~4tM$>taGyO&|8<^d5idefj&@~8HVy}g+}Z+P#-nbv~I6L{KZlVbUzxqEET&r zE-5sq7yg;+!*si5-SNv$%KYf%&DMkmh`ylbv>Z&x-7lvVy$w--hv6{nfv@qrL_P;$ z3aC&X6t0K9M;KR?4RS+j_ZJkVXw$<7#)p1>^)mBPQuz8h1k$8Z6(Qji%(O~PyOQSK zwxkv~pvZKqwkb+EZ{!*Pghl(6*F=NuTcuT>w|#ChSNz}1O5i+G$pre7Ij=lNQ^@o^ zp_A(dd2i&)m-bOUr})g|3gJ4d(Y!rdiU>tvB_|uF5n}o8VLAG@Yb!x<-|zF+E4Zc` zvndT2X%)n|u;txM0a8W5?z>BSB1>W{aPx@i)57Q#D+K-bq;1SQ?uBfuLMnm)owxG& z9j4B(Em$7jLaWls*I~PFEhg1&GzqUS8kH%Qvo2vJe1N5>FOX#QeA)!AFkw0B4hSh` zbw>yYJ;n72Huls(QaK$6%VQdrcMv%HwESkfDuh`K!bS1|`FyHCJsxXQPBtg8oKF+8 znc5`UUat|*Txp!WuYHUN#|q;Xnx8laG7wj`T2p#J=YLcQ8>?>IPuKY(BTe2gbS?7o zz^SQ>=9VTn8E9CJk@4^G7X(6YST(k_<3U5bKY;me6i)44TYxN|H67%FbWU_NpTZ=v z^X$W#nyyg%k^ZJ(k$n0S#%spRiCXb8#}tbui39CtwBq#Ed=9i$&S{wU`z)T4~ z`PVG&?Wn`x??U}(vcUiIknI{I2v+^4f#|QX0N8q~l~N5cK2~rNKtuf539;V))0Bl8 z(UDyE$hd9KF<8=cF3{h#0;7DKf`&X4X}-^i1oZP6Q-{uc{dS`-)_Tfa3TSR@qR|xqjpUb9cF!vfcUlc@%@U zrF(j5cIS|MeQ0#n5Va6;lLP+$dhRU3C`&%?TCP?73E1qg?`mBt4Ki`+Ojl#u0ij>} zoW&Y$^H&RAIeq)eHm#|T0Nca}Q*hsGk9Q>Pl{b1)Q4tf;TQKeoy4R4LkRlt@Zqt^A zd|0>k#eh2KJgDlp4R1?JvN!&h(hVOiQs}Q({@L4@j5dcgmnWrEl*%T;YtX_|&Q3Th zq1pyUUVVw3cd!!dbFfD~rLFN+SGv0`Mz%Np%JK>RX%{Ze?7tp8C;bQZJUG?CiX{x; z694x#fFMtWAbMh3tL8Y)lpF*mH)7r@7MrE`G}q2^B~qO<7hIdlA=j?VxP%Ak%EXfEc*S} z?f#5!?mqLDucfFz+~qfCz#TfUural3Bd|B{i7B7uGgB&|*{8Mn6A-iSQO@=a4Zih_ zm9#Ef%UO;UHYuJ();8m26uIK6f;OfaK{<+L`!lJ))Wz&laknP$Ns4t0@gFe>%a?zH z^k2kN$HW5r-Tpwx`L=<|80Mq+u$s_sguFd-=iMq6v9>yHBOtACa3*7=vh~`G_^!w`B7NcwS(8pVAnlYr8BvpbxMh{cku_+BeERh$MeQ^FQPZ z|2(scq%yP+>1FqwGAN;AN%!V2zE;&8to);(B>50_Rr$k#==6KxIGL;s?XOR$YZ$ri zS;Hct)V4zP6TTgs$5+%P-;lmV{xgG=SS)8dcMNvP-oYW`jw#6!+Wc6 z=6ma4u5AT-Ib=Fx7pf9a5Hla5lS78Ms|ze1B`Q2@3bs58nyk`}v`(sjY{bHXoEwa>m%1HNp+%Yfgod`_L6A*VJ@W z4Y2pp%Wkr*4J!z$`pKg{8HQvZ>W)?zH?$sXs8@908L7T;s&AQfx(KUpMWt9<~ z71A_)8*B8+B4Fe;Sx^3!nvdN@YEDOwxinOg_Z9C`01^a2LBE&YK@yG6arC}`yJ8UeclggLkV`r_a zNiGX3JlU{4?feDAZa^LHe=wyK-29dZC`Opk%t#ivn|3ky0MH;YWreh!)?&QMO!Req z(XsqVw}OA5G*nglyNCBWEck=sV$jrXu%Hu?p`VB%SG33T++GMP7Ro-|;4#atyrmN_ z<-C6*#+SmnCj)CM%u4kaxy8!iDo?IOc+>|-N8oZ<&XV27{<{@<9YH0%!^#Iq*~DG= zX3Frqy@l3Cm0Y~^UUV}W7&l0l( z2j)kA8g92+&=n+{lnhT^g80@@aw1lqRz3k}WjgEWyZl4)B0nI#jY@Muvy^tdorI~c zM)(qKk15{j$)XU3xfl=KMbs!^#(UyAKo zjmIWd<08hG1Y;+aAOxj4cQkg)H+3HUa3h?fiYuolGRvbZD|%WTHBbGrV(Buf-K<}%hBp=TpFeIgbc2ML&&7Bf726L zG{CBn1cHE(JxnHPJ|Blilg;q-v^?FZzUR}eK4;LSz1X~S1-QX80BlI2U3rsOCFj1Y zhFk85%Uv#0BJ-%=k4*f1a_|p9w%aCWB3PZ9VaF{idTCa|UIFVnOa?AZuU4hbde9>w zg?dPX_xf;@4(qdIRs`y&b-Lu3XEl%4N|E5u$K~b}k^=-Ov52%F#7S2v{0g1~WFLg- zI`LZX1EylOuo=qa+gLP3`d?gxMj~gn5E;MP_&a&x%&PEEw!ug2#U6#*aj8!uJ3f!M zKF$UK{5228u)VELcOh{?1!Fie&aZzqC3a~D&B?Vvb?Tx z1nY?CT1-x#oSCfYR#Ce;b1A@Tx*$BQ+K%I+E7Q}Bn;Ox@3zAH`siTNroTn!N^0+)5 z7H+UoPp0ttY6<_rCLiaCaW4&LGUt)cUPy;S#vyuj+gFZt73G`?DfkI}LV8L#IFB%D zgqbUIu(Yhhsu@^>7YPuQo&#RarxBscmBa}EuzycIZ(ob@k0)$7xLuc*97C?DvDNg(qhjkVS&!-o&-0G|JO@I{7&ZLMAr z89pT6Y|l@uOFlW_99!}!oX`%IECq@SugnViVj%kZjTwR$ruP4L+tMIN&%dCK;!WwLv<$aAgL9Lo~6>;OFPAp)Me_GGmlvQ(iQJkME7JjZvaTc&214w+f_N^!B*6~&1)#DbU;b2qAi>r@dz1ffR9LC1=M`@C}up(!huosqsdWUc$6L$I{-OF-zgg5TQa zIZVBmV+dq%Ps{8ce`w`>55d3x(xJs=SW#rlO!^T*_gE#fz=(=AW-fu(n!=q^TlV%k zFVKUOSI$n8nRp-*QiJKq+z(~BP>L($uF0O5%9$_r)+xwDY7BfTObMd~j|$76n4q(w zPGp1bzHoa~ToL{%XyHH|MyS9+dwRzYo;F<#;{C4Vd1Ig5G9cv^DX%|>Kj>1P^)-!# zD>;^LIf0m=Oy8*j$)*7$+ahSm4~@q0W`}hnK@Dt2`{Ql=5RhFTgn6~L_)7F7`fNm~ zD|MMl?;yE1qF+NWBLrZ(V72GB&swYW){#>~gO^aOvS;eiurKa5@GxSF0B>(K=03gOdd%iKzn!enGaSgvuH0eh<_Wp} z!58K|m1#^ViB{E1aXeWeaT!sDz z@}d7`LAuxdww-zHo>o9H43FXmL5~Eu4M1oiL2)?kbZ)?-R*#=ZbTn~y5?cTq9>c?a z^K&XQ+o0=N-Mv{-##b^;+njKbB9N0fy(K$&n($UPN;ZIi!f7JjD7n-gxbtnUzPpcG8mNl`sbV84_XY=Y6*wRu8F$(L!F8w zEb)9w#&&vRa#8|f7Q4~7B9X`8uCha@A^n*5@UdI~jZN+3R=$c2AAomXH6|lcG|vQk z89%{7{U5XWK|PZXw6gy9Uevl^T|#d%CyCFJjIzys0{&7nPSND51dtn9b1zLn2w;8M zw@wn)UhLEpO)gsJ8yst}K$=k0g7r)}r{TjqI zg1kI8K-EES`yoFt6gTn+1R*vCy6w@@?3%FC%A&TbQd)&)Mtebvs@zwRy8Au>PX{%B z{-VSp8%0B=n_y}{p$o{9X*0S!-c5A{TSH?mA2VPCU3#wn_q(-|DaRB>$+LLqWN2pe&9mseU;QnN-?3N2Vr5kX91 zfV@@3`xwND*PpQ415x&Y*-xH^|cz9x2!pt9Bo=Rl3GYxA?NO`#uGa+v)s@-K6-g^du00H*<~ zhk780S*ZT1s#OQ@Y4|e8%;Olrlu180j$+t$Z0jU2z)-O^+-a=ZQ+Jd@`y-aejY@WC{IdH%v|X8oTMh2T z%)fbP*3*lsl|qRk1;KS{9;HAUwHMf@4t9JpB$q{Z2Z8}(24r#im&3mO)<_S@6Z@UX zAY<}wXme7m*6U98{@e?t#xnfNvYL(vxHP~f-Red?y~$1QrEh9X ziddcbqHLrcFICg4-O&iT-b$)cclY_WW=YbmC=Vj?Z~%#mLP&vB4rdFjjpaxZhs`GrWX3G)<# z?(92!UXLm2+wF=59PF%seDQ(P2wO=ow7gD}8W&n8?rFK%$1X72E_D8!NPHcG<#v)cnTfb)*X@>*)rqISjC{|s6?R`h0 z1Dnq?#?~P>EkInp_U35)>9;O1ui<<_=hBiVB=zSGmvOv8{~n}gTy5O+A6P1gAbXo| zcPxJ)z8!N^HFqJmTg|BQDp}ASS!w6)Sa)Q)OUW=PyZj83eMjIvhV;>IIngR6OyT#M z1ISx;^!5ayTT6o(C1Lpm(M%iGd{oLi)}>uRrF`+Bh@gOicPvpUBT0#t#CodD&L)vc z7keZV3l4sa{KUb8G|~{kDLecfgI9;^_)>HRz!Cy40&J3-d+up(KlIu{@1QLM3FHm< zgWd}8d6#S>fpOaqVjpV42&Zd|Bt!j}vy?X|(UIN$ZwS&U*3wyOiVjndG}S@Tsfk%oI2io)Lhh8EM-3&v z36Lj(v$4}UA{>{vlfWifY-0NNb$Dq9o2%C)2~fznbQ)#x8FQ`PH(xHUz0PxwgQTXEK{ynVchA#*rz$%^g?$DS!gUHGqBgyMcE(I3AZ+jNK@eb$H! znTuFP>Jx)Dgqmc!V6H>eV9v|^)v#I(fkSPykj&-R1o_xGXES^=4Oki+0ziD`Xkrnj z03QmUH#=vI{+t%`p7SEPY{1gtcEn&-GM=?Gp3(Dn4*$tAm2{Ji$)GOkQw`oF%HAu!K*2ThP$y z(Vdbw+hp(dO-8yQs$&Oh;rsZLqIl7<#=oi{)dIHl4|+K{!@Y6Vl=_laPtTZrd|^@{ z5oZlveAK4Jr!l4(n@uN0dSV(;$e9hMr5s`w49iGf&xou0_XzIY_o8ebt2}>(=gtVd zgC{=0DvFNe_w}ig070d`Q0|l*-w=Jqx-q;b zx1n=AB`9uaF!CJGvx^J;RU3P^QFAfu{)5q(pto`kXSW|KAYWtQs56Vmtp(YM`D!8P zGy#pZDIksJ!joF%Z;~AN5kPM#k19s-74l*|>UGl<8GV6$eJj%Nf+(S7}2M_lPdII+T_wUqA? z-ADGyg#bMU@t-Qq9uYHyBPrt29Yk``bDiMuIPp`)k4AUiJ{;m8-1S*RuIibEYWgqR z00r64FgYw}5vCHsrF76VNtOPKR>foRy&6Pp0SZK#cij8dml*OR46JH*;D^nn)7$70 z*K&X3&W%p@CJo0Z`=9|6wkXHo|5QVA(`X?mrriFIb^y!tf9Wl-1Bfsi#iiW>IeZkT zrL=Qt{s#BbHGV}`!q4x*S{q>ihtxs5XSU=*_Bp1@*aHi(%uPOISvS5o0aoChfe`=~vjg|`8s*tv3urdqn z+5OwLcze_QQZcmBi(X-53)T9$&qyGSBE5DCByBjVzP#7kkjQ~%Enbh)2E#v9K2Vom zotxWy@(x>!(kjJ;KAXcwQm>T<87OGoz3VY}R3!9*N++Tx^PTudet4XbHY_>ELm4@E zCTnr@)NiWp4g)q)<$A=73^8=e z&}hS7C}fPG7E-%64c*d!xHt_F1y>D|WqTJ7ru8*q^JhwbAS6np9RIbq--!Kclc3ZQhBqWk;{zcS zhIPCDeog!|9~-&^XCkq|5RXPGeCe!ej1Z=?Hc-%@b*I4mt1>?0JeQGg2EGaYDfC{D z&QW7GsJbQYiFVv6{UY8zDqwQ)HrX!Iek>pOvfCIw0?z19dDR$ZlfQdm_Wrw*j}sq70qByXke z5nXzZX?)ED~3Bl~}+Qv{QRY)MoTUE~MNe2^wRHkdT-=kLq<3{B_Q7!%%PTRa>B>hcRK?gWRbVwsqZUVb4d6}r{gg0b zoT(&X)U@cYXkA0MR-uj!Y(NF_Czxm$a}<8J5)VmvbVl97+XW0ez(SZBm6p6Ad9ynk ziwZ6vD@L<(rB+QPM_p#*cZ4}U()%8cOtEWp5SNI1$s`B&>tBDrJTCdqT z0feLci112ec8EW7a!OCvWh(a~@p^1xrFRvR6QtGnaO>H%)hM#N*XP|@H!=$x42Fy7 zF{;}>7sP1w(E{IDRD=AI6@Hq{5BtFCD+)VD8@T33~`)6$XAa^=|<3Ch}J6@TrIA6ctTIhHuPe~qdMqK?UGzPa;c zRqs?b*99HY>U53Q6U3>}XrOaRZ3q|OVJg$+MgTS1gBSs>Xr%l-YH6S?(8;8^p#p=e z>&N*o3pS)nl*0$Fn4b?{nI?0Yg~p4uap0|gMk`uky;@1+N6omyGab;<{rdTn#we~h zESY(aG$|uuNQ3oZA&zsum&uG?R;MrS6^Y?@S4GIBp(!YDMc}>=%+)J)+E!fIil`mg z=@cR^6?8nZd~yz3m)~X#sc?2({Zss3BCWW!wXV|M`g8wntDU|~Z-Hmk>(@(HYDu!# z4*G$pf&NCqL2#Vg!v#oIkqIb$`*L#hHRq@fRA1dhyuY7cqc3(o87`ohPJMU$4 zmY~O~DUuHu+>YK=n z{{&5!Hh`Vz&!I_d!f}I~+HC?Xw9;nK+ByMj%I@=|Rw#0h`&*Mx*z9?=2(#fa)=a0t zG&F@7td`|p%Oy|p;r1c_IaiR9j})HrC*M=Zzy_{ldd|h^ScB1QC8d(k-h$4YoyWJ6 zZh2X5%qO0^F_LiP;h-s=s)H~Kw?yWJH+32qzxN5Pj%6%A^-a-$m(}4l6TD^{&EO!+ zX~@6eyEh7Fo9({uD1qEl&gG^igM8<73}c#(xYFPRHb^4e6UvXXx*k6YT*&Cwj(@|4 ze3B%syp6Zxp1WfE{YJXZ%Xj3c>r39Q?y!v0H@4n(dFYtL3;Rc5YXnS`vI&+S_ccEf zizM86-pAZkq0MQJRWgbe@!wDw4V4wbx=6?bvRf(075{{ReKx9L_S<_zFpeUY!=9z& zy+cvW5$3h(YddbD2(2rn@YKkh#+IF%f2lfZ=Q&#*Wc+&f&2X~Mt6BtrwG)aTR;MJe@TXlG< zw$t4cre@esRGh(he}SZgkDNgCMmggAkSG})pSeWNvS>kU0eD$M$M7TIx)~1RAc)9P zv9E9X<3$!EoM1kJgu#_va~D&U19Np51C>cT@Tmez3jjtZa9Q|L-=w2&cnq*zPw{k5AUr4YNIC^Ip&hlsSc9ZRHvkzlzVgqRPJJ$>&RiHK}&PjQL zc=1(is$ea74bsKO)&1KT11&Tw2d9mXvx?)5d)&QgH9|8&YGg$YG!EZkX9syCPzSHP5?i33}u^ikYu&(*TyHQr(uCQ*BW1QIaBOhOa_#uK3; z&1scjj?1ZcJvsu4|YR06#@@NV&JRek~Z8*h^t%ecAx3Et0>cp3Pmni{w z9QwI_#p}NLUwFhK$Rq_#q7~E}Mk?%%{ftE?@J<=t`xW6E9T`*qwDi_yNZEAwW697O zvK3IrHPT6}M%Kx-rm1=pgA07eLO5C?X#4=sBnRo?FUZeh50xK8#v8EFB9BCl>>2ks zeY&xKcwhQ6o8MRg8KM2$lnF|0UpcdU#3r~>?p!rbYYLMa^<57TJ!y|-pR6xY^mI&Y zAk~3qR7fsO%hc2%&@EgD%EDAiNvKc=QlzZg@yZ$sNhXuWV*+bZL7d%W%UF_^qLC$c zyGD4~NN_1wKc_n(e9>@g*3{0R=(X#Q!ofHL!7&(-Yx5=nzlq~i4ekc=N?_DTaJhWx zclL;EcrJistl?TW)EvP+)#1;ZMld1d<%2%#42axyI>6G1k@LZ#1e^`7*O>7G`^ z+?f)k35qd^ci1JcvIf$$fs$9~`WU22_V>EitdAv7K1+s{Dcelw+@xPfABk}0qFQQ9 zQ?@IMvN@eg$!qMVG1?%!)@FAh9gq=rhU~S?N@Eakb0}kSXq&<)A$;y6O=#Gkq0{Sf zz&qWI+Z;$PVN%#+8dTTew5!C%#H^L?07h&Is_oJ?6_7`FLxw;pVG!CsH0UL-RPxp( z{f*iApEZb!MtrYE2dB;sbIUP$mw`&p!hmZDrFz3yWHV@(sx+Owrt_QfYE;<8Gn@Wm zYF;}Nw*(AEZwTYm1S3iF8=%{)2@U{cXrfh10pxc*gJ|o_()g14fB;Gjh3o;rJHU^uAr7# zQ^LIYx9PvH2b0o!TW#FIIz2KXaQ`e>J9a(_oS5qky32Y1K|sF08B3pz=NRucY$*`l z93gkw#Da2`=ziKZc%^XC7q$ylx12GY&G3-^Rpj@}{Q>hdbAG!#wLk3SeNLn<9(d4C zI18<_+KMSi)>AL;o)RlbVWJlvM|vzu%jCJO`Q$Aux|eUCH9eQstO|x_Y&59&!ga$$ zw31HrUDy|)pT{xZjX827cviTxy1Vj_=3r}q1dFctQApC{lANnXAjfMH^L(Lnj8RN| zhxrP%PXD{g8L5zsR}{9gUaZ9U7=q*$AXG=i%%e$ze=?5rTLMA0JoH9$>GOpU4^ZE) zE8JBu1}}Da7FVVv89})e*<0m35}`K<&TKI2~a z)RJMeQX{(+;jc8)0r8`Ck%*KMy!s{iGg83KYkyVjf9Kl*sNh+)X@GTmw7qn_kNMsb zUL5XMgiFR)oQC(Qeotu+Hl>fVVDz8BcI7tvw<1W@aBCIg`aAJA(m!eQ-^)^Xc{BMI zwI%f>-`c65d?>AVae4qU6soPs6xmt5%~i zv8yIsoY~CqcYl-}n7=n_g=TKoi*pHW=NUPVBbLL8Z0BaPFsQzQq`;Z9P7D9)xVL3U z`%Aoo&5mz(^P;yb8<*dTxb&oUA+$!MAHMZ{VY$*91I-B4GK;_%wo`r7YaAnaB5G{( zB*bLdlHK0_19S4LwQ+bTap@ga75FlyNRQD~z|-}Q^o37oC3PnhDk8%SHfNwg*wDsj zk_#rOMM7iv2hZ^niN_?K4NZM!}76242G;#SihvK06V@nulk^>_Nxf&Q!0Ws^kv}^8=(PMnjLl2 z4&p4Ur+C%iL7ILB;SK5|P%vLVM=+OtoEDwnI^E6ruFs^p)m#Heq-6_4*IeFY^G9ly z6Wqa9gDdDOdj~3f)#=5wu?#*o{{=GZOnUFBHOfu;5c9@pfB90gx7%3H0t-+(cMRE< zA3PyQF6tE+;O?+jv;R4O^5D%R$+_hFqefcEHVbUqMqZ?@svrNVC>g_b<;sSu4W|MV zXMg;R#c`<;z5J5P;J(kA@5_U=!T7nLJy%fGK@I-=Qb+#JRUzZR?&nD2T2#xQ!w*jM zWq{GREK+Q_%Wx`|JSM3m(Yz`)G~kWpDm*CLAn^y)_WntYqq+S+@gIUJ{juQZt{^Zk z7QIOsCCk*M7fwAKeouqT>nbM&dy`+Xj$oIWed|XaF7zonrMSeIrt3Dfk>GJ0k{{K( zCR=-+;>>`iVLR>hj(UC^AG$+;@8#N!6&M$S>K6I%pIIx4cL8hs1cBEhsc7?0Y1-dJ z`dbozX7}5faZhiv(1`#{=FOMaECe-wsAN2j6R|@klqPnlX2ukjeszpNsFmfOR>6 zC6E~>!obSYzt|oX%E{yj0>+%Cq1m-cbb60}lN5^t>86P#EP8)@5>vC7;$tk!-;5fBy@EI_8kCngcI1V3c!u z@;HiLc|VL414n+TftGtlwHuVRuI!~7lK^}(Z+M+?w#|Jx1n1Hmz}fFFTvZ@HN)IFQ z3VaDAMF4h=+k{7erBnv0$djt^tUDrWXy-B?M16ke#?a-M?ay{Axzrf-YdX$MIHE>|+;Wco3!877_Is{GAKv!|*ph=+Bj zXKXRIZlAHx#qSzN5X-U#xZwB6f-s;bEIz0lCdP)zOvnf4Xv8P$jyr~G1-=*Blqh=}j z@!JBAVwZ?E|2j4ZU#Lus_Hj0wA=MBuNC)L;-J?I%sRF*8yB|hH zI?Wa0a4V5OGE*J!(lVQ|3K$6gmba?JS3HJ#*fJ-Y#J8`U?JAfJV==5=v!A0NK3w07 zjx*cn&1QmO@qjk{axH+F6;5(cZks#txYxm5dpid?A@y!KmX_noe5EPhu`1V%HqKLfq4Ht;F zF8=v*r2q5=>I^eI=)|>w?L&)5{a$%k^Vttg>zxl`N*0uJYOLFPlEwoMo}c%P!bPd! z*Zdx4XejYWqyNz8^nBnrg*k-6)N2`rnkbQ=7$$SEab{p{dG9jDkdWm@PGb+-tHU5;>;@3hVKcExtj~Ha}A?KJr4O{7uxeOXxZR zd~1!Q1h_jKLw5S879QYo)ZML8R2wJZ9u4PSKz*5YqW>Ll{7^L;Ilnx`8Z~Q)L`1k0 z`hNQ-K>06Cmt=iNgx=`T-0z#1NGo8nMU00uM%co;{HSb4yg&D|veCdp^vJgb&>@@? zz(8j%k5R#2*9MGk16H4?Niw&4&n?~OMdCdj-GQg#*6T~$c=e#?EZ+l(0!*y0Ih=@M z7>}e1Y?nBAE~0;QLg-+s+*8OzAC|boK^JV(%Cw9pZrlvFX$ZT zb3i9Bai{#2wfn4ZC%_E%gr>=#fgRwn_sQLVv?)Ltn?(cRjWv@#0b5xdi0soUQ%RFd zS5e+Zd$UEz4u|4pqS!k*UjeM1%Y%6SQ8MZ09&6JHbu9~s$+#pDSN)IY1JwkN4RF?TM6 zRpg79RUhKfQH%V$D+Y7j7FXW$i%#VcJYze)g&Vea4w|OS5eX>=QC1IGrtg(x=O?Q= z4F@xetmNg@ESf84Lnd>P{2ZJ2?@~X(r;wYZTxOWL@3UFjjaoqyF9j`;dUm@&He47-MJ@j)U5)VRN=6W-W$1$KdT0U|=->R6j1_OB%@b}LnWNCIFEkY-NO^EsYi8bCy7S$(YO=iM zQXM_r2!`jOi*|-(2kI)@FiH9v+~*WmSJ@Yc#rJ)`#~*Cz?%B<(M{76ijOF`xq6{j; z0_PLtKM_&Be8lc#7u`A6K6~DL9t6PQ>0DWK%TN-sB`FhyRy7<58vw+W|9n)mh=9FJ z?qiA!o|^YEf7{DPBx@Mdce9%zaMP-S>En~7qQd0C%mz>La|dN;!*U~(g_WmGJE4yZ z1a&hVzl)K{P}*||Z*t;pErMIkuSjus{UD2R{NpHM=(#;`r`c zTv{*Nu$=x?T^=dS^^XP{W_0wVxDKBh^^3v!2?CM zakq+x7F?@EK*w+VeX#Ay0C>M(V=SX`$+@*#DI~gWntYD<=EkFApqK<6DUDH%;(zEY_eKK{Re z1}+_U>F8syO~sh(TZ|uFrF1H0`6}3EZv>C>`{R^H+|;xxr=!>{d|XAJcL|N1(ZjF3 zli1&;)>o8Jr`1(rE|vNI_>BLGn%et(rajFK7Az|EBTVn=kdNcV<}_Merl}cKhBZBk z(~qu-#0MvZ22k3r=eKH;kQ^iL2`o%9dFZzO>@hgW4*P2#hoD`9P1tDr@UiB>9fmot z49VB{lyye1742xn? z=MRV5=xXU_0=_E*yp!>g;UZYXH?lOfh45%WEQ7t0(V!hC_Pyijc6zlDiMaZLs8Y2K z+qC3GQ^^0rr-7ydzN2Xb?C^}7h*9M!=%r~B1D!#t2NwLsw9CPS9VDh%taa|-DTu%F zL%@aMrH*xvqk^BkeAu}_+KU0kk1by3WuCK;R-<%ZQ9Z2XdD>6UN>g7UForrixM*&5 zh0rdGbX>B0)8$xlF|fqK%*7gnHD_s1ojq&GeSN)D7yS_AN1@f-nbVYRDP_E+kG#;b zwf1`_3{YpSUW#3cpx@>tMj=P=oR!@E{ZTT?pC}7M$!kB{o1M?_Z{yw$>R8K%;V(Z6 zkXj(GX6@GWsb7nh-~i`hqc_fGKrM3T2fav_nyJw7qz1r=331rVK+ZMa-qk%RLl^MH zRjVvcqKZTjZ+5i2Utsuj*pwRp7^Ud&Wup)81f8~CVD2SNjk?VhIa+cw5w*DCz(m|Y zXN%}0u*(cj9qvT*zqh8I!%lE3MaNq zH~^J^v^rZ7WXlFo&|+4?Q8YzZm85-FJ=ZftpT8CiS2<(y?5)$P-`4`+cHGg}!|^t# z##C5JcV2tcl0I^_)Y_ny*YFRSe!c>W4&Qhr#$T-f3_UD$bw zjN~+buxqEv2kF(Wo})T6+gK!5udN5*rVjHnGSX@B4d8!c%XgM1GCpk2pdAi;i67m& z)-l-iQKohbBN`d6Vckkzs?Bn8QoVl7tI#$!b;{h>3paezy?FkU%@@KJIl|)R+}cfg zxn=l5P8aLcPT&eiA-k%~krXmx86$v#S`?Z`dsx?EI6Upp+ySGAN}nGup+4`oqD_wE zCb2WF=lD0`l=LzSNYLf0?8`gPM6BhH%wTXZEyjkmqo{mv5yVRTZzW)ffb7IC(l z&(DZ*SY+#ZJ5%Nfe= zKP;L!ufjG8h|lUAr@j3U#+GA*sxql}Iq(YEhJ`p z32KlK$9>xtxKaC$cU1k}2CwYDGiwXCl7(LoJpL46+F_*qH~H6UCQMQ06FlfRS%oR6 zW8-p5<(-~g>n^$a%peXsxxOVD<|SXd|2;hk%o;;pWq)DLWH~*|whUmj>E)q=vT7~o z$DzfC*Hr?)t=>odE=_2VMXVVD=n?P{^KmA241rVcwn~lf7yAD@W(}rY@AKURS)4(kCra|F|K?d!BDi@Tb3Ma$iUnq^m#2XjrZ8;CtJ`g`YK% zasNVi9#Pkj>c#1?23j$;`X+Z=ax0*QXHtX1`M*ug;N84=&;-0P1vokOOs~%oy2kn_gQe^ad2z39XfD;E78MU77jhqjy2ABBTiz@M?Ht2xc<4YD}K2U zp5m_PMlww+&I89zpGD7iz`GmDwCTY>nGW)_6DF}9eFV9SS^Sw`14S#wM3>lQd=^6I z-l;PV0}S2ChG7Bwv6sPT(tmaNI`g_oAiM) z32_hyrDU9Km92q(ieroNVU@$(fLY&M6;yg8Z_<`Z+p+-Bheu9Mcb(EVh6gTgo*HW4 z3SKQfHXKx=&*?r$lXQ)_bbqrvgmy=1w$zbj%DRjSMg*A7QnXc%c0)$eFlgTr|9#kg z8T9wi4M1|VA!U7-N^$M)u9g=g4Di#2Qr+y-wtWtC#&hP3@D(-oI zV{J}^VZJ*kns~hNkp%QM2#7tb({e39<%pwR9I8D>%+({olm&xic3}d!O|90NmA1HT*QBVsjkk7ifgEBiX+c&jNOO3n{P<1Wz ziOieP3EjJNJ+x4x+lt9+bY&+Q9JP$EPB!dvtq_)F#}gn7)c7G$1TdSId+N8DEp5#^ z`{s1bc+LL%&xW2_SRh(Xhh9spbG~%S#AkkR}{KS3Ce@RTEVQ!q21Ilu}R} zi=ZCUeT#;o3!`+(9+?iQ3)i{AV&^OrP6;JBpO-#(9k{27Os@(P{T}-F8~sEfTvDD| zCL084DND9x+qpEBj_rz_SpzaI$Tjn0H9$|Lr`oGHECQ{F@SO_NKf7kI&*e@v@bB7b zkwR?aBsEg_oPZs^RROb4Zxa%yyB`6sCP<;7Yf!ZC@NPb*u6HqulG#oqs$TMHzv4@_ zH$oCm2#p8*?Bkifj%e6jg!T-lxK|~kq+OiFkAPxWSfeW|1F43S^6k|nXttZe9z)xx zrM1Y79y*vh6uTQZt`g3a?lq9w%!X_ie>%$Q21b5mI>z4w%|n2r<(fttCG8cB?3-j> z%E~ZpT^|Pz@}D(3do+f!mkx~1+7JerwO&_d1@q2@v@ zu<8DFm#(&4RG|P;uyX3OqcMGNP`ommy^DA-iRG6nvE(;jyvT93b4msb0Bg{vUv?tD zwG(htY8~)ffLWN^fI^+(rDx+DYj7bYQ}TRloKO+zQ)xa^C$lJrdl?S$n>5`s!AVnun%i0`{UK8 zvuGWKk~)0}h^G@tZ|RDE4hFoFIvR7n?t&WJ8lq+NyF&dA1Mj473&FdWu!qN_dL-I+ z4E8d{jf*}~Bf@IJ`)|*AMKlrr_N4Yu0+>8yC0Mzl8oYi9-Lg6}pf{6~hzB^^pf_<| z^&ArxEO~!ONG4(O&ObI2(Ap{Ss}3E=Ibz~#C!OA5=Z@2A+8#7|YCthNNlLnB^Ghc1 z_nT4*@>ENam6u}RmbR=m@{4V`+RYQ{CG85w@=xcx%Yo|&9s0#Yg+_;r{D>DbYiSK< zdW0snyks6iGx4?H-X_R6rmk!>5VH$t=hoBC)YX?jZ{Q1~5_M7(mI<1riRJxg*zv#qSk4LXk6^K(BDuCv78}%Noq?b(7l#yRE!ig z3H&Pb+j;s&saV(6%t=m-w7`H>y@)KZkN>iB)CcJ`QpfX(7^1}*t53jgSC_n_4+AfK zehcVE$>;!9FmTMtr9iY3u*j)kf^A%=yKql1Xaf<`proM<39Z5I6(n%zaB)ZKVTArQ zy1zIX>A{)-d17Bd{2KE(cBBsuy1ctw#x_VSP6PW676RniTw!w%#pVV)B=JYUj!BF? zd$9?KT0Ze*#SCGd*u$89jLWC{`z-?1Ajxa~)P2agY zwV%6>hEv`5+|R?(2`jY9KXT*zsX?QB^#}I_*>hDDj;yht4+t@(r<;V12z-AOn(c;F z(+4)gNUy6#C}4RG&kQpCAanoGi?Nsoc&Y^{-LC-S!cxs=LPOT0e)3;iU=?lAmWyj} zMN3H#vwQd@J#>zX_2+f~^M_mHwdqyp1~!d6aoot)>p5P@Opj1}sUUvvVvreaGu=f zrf%zZQVeA?V~A_%pE1j0UpODe4+|&Jy&{ARB|*YM=?U>u(Pv$)A;1U?l3=BQO>#z8 zpCXwux?7UC|F<$QLEfQJj8RP4FFbetn=1YEkuf>q&C8*!*3%X~2}1^!c3AUyMHpOS zHqx`Glq`;YLtMbQB5BC;+1MlGNsn1FP7GY?#pE~9ThAm*$31BBaR}P`Y z5REQfQaYdskULzoY|=<{o!-FBu(l?AGvRiboRsBgJ=eY7s&Cn7xA7E)6`pDE#GF^9 z-y+t=lfD<)*37x}1f^kYh9sd)X^lKJAtA=NKmmZIY#bf}Wa*5pMZ&X!D+9X!JGhvb z??=WUqWX%IESSbRjebfJExeH+svq=Uu?5}3RK2%ve8{WwYdB_a>-}Q|EBmysMO#;{uG5YO}bAiU6%v zQ=6Th9nbNlXG_l5*ri7pHj|M2p(Z8LL@r%$ za81$>Z4LBA4A&5AOWAqA7P2A`AP+&_k7dPX$<7^MCw_gr(x~SPBmd#!%)hn&GXQJ< zlryi%GJy%jkl1K=9yaT+#Hy+lE$GwUlu>z@3Wu21h>J!L}VgmB}F6YdPT19f2Ty9H<)}ah$)KPo>2R}0MKOQ zZ{~Sf`NrVAVfqzeN>Cc3{_k1n{hHIPiSxmk3d({LvEsVms^vdK=$?K^5#r zSo=!g2q1FT+d+;LN6}O!lp=GVK`Zw}#p%;9pJqt`RLCR3qEZ6;O=A@9sa^AFc=Yg3 z2VcxOlcSA??sU;!<4;irQRaFs0r7&A>$9$ArKrF>0Z}^*z(+%pUft!eYm}V`-hZ>S zF~|N?2LocD{h6dTp%T0`8d|ty5Pa{1Y(!&MAHOt9ZJ}+YDeX@jqTC6cx_^e`jcov| z*Jk0RqH~8C24L`yqMe2hK#QDN#6t-8GcgUzDDJq)5t$wK3XXIre$D)m?Q-()g<5l? z)SNL-A%#38B^kcuABc9m=#k)<+}NVSTv-0EAaQ#6TXXGFNpgWjvp(GCfmMCwF6Hv{ zzg&CF*oO`ZGL6uH((&`B>YD_|?wfIy3wl=oe_JjyCXsEu(~h*k`vD~DMcEQ8yERqf zikePo1Z1B26ruIG8Hc=1N4HEf+6}lS5kx9TRW+?dukXXr=-AT+6Z3;>tm`Sjm3r5 z6&q|>7Z;1zX0p)mEfHFjL0Olsi1w^3DSYFGb4Xm6)>jR+^FlQIkZPFuq-~9g%4O46 z^2lQMQEAGn{=%#y!*tMryx|fm8YO3s#v9ylioSI& zStkU(<7q2JzeT13ySB)f#`GG&bqJI<&c4UBQf8S1Tu=Q~H+wiMQ?*!Sp>FqX>7t34 z#?eTR?O{4RcbvRBGMhj;Wh;@_;qc)FX5xAkhe~7+)I}ENyvw(EnvdP>2gIsG9?wsf zTcg;~-GP}o2>qTjK1Tv*d5+$_lx&63MTOc*Fj~vFi*xEku7VEXhu`BhielrRTcJHq zV$)PYz7(4vM9ifwyuG~q4t>6R!vtb8U>_`nrB?N0^C3_bP^cU|P@%gJtJvY-Q6e10 zVQH3}65ePJk%6Q}av$=MC137Dw=P$4VqQPfM?7e~^CHP&ZB17Ajmt}>AYtDJU3*nc&IFnDIB3#CnrhSPla za+R>E*Dd{f?+pKWd@Kl#mFJ0OG$leVCV>QSe6WzBZE@ocmAC2<`8Bm69VTfh*KgB6 zwg>~5I8vb!e~9iT09z50E_7fP;vn~b_g_KP_6{`>#QE?ik(QH5rfA7v9r9d0?Q&WHCm~L#{Oj}1x17MxQIN>)Z7Ep(=!SF+0YQj? zvNK;q8yAC<2LVj2F@fVD&ztCnImrd$-;9rpF3D0sKjuButuU!#lyX||fXPF#>tbl> z20P_cIZv_nEF`UU9sbCLhOfuQm0zj>k1x*1!PF{gbR{yrOT=iPq||sc0Jz&c$}Z)` zk9?Wa1ng_E9qP};D~~S7Td>lTNA!PDJ$BHTy$HC$QA9xUb!F5XOJs1;b#pW82Wh>A zBKp0)$W}%xW5le|6URaV)~|X(+80K3T*#m)D$eA4o7OM=Mf{Z~mAnV-AGE@WmF<%!y)rm@Th}5cSXIElk?X zD=PW$dG`LE4}m^Q{(rfY^ROXZ`sE=VX$y6{`<+L3y|4g__xjoogVI+|LsFb1jQ6W; z37AE7A4{{q_>YutzjI6zPDMTNt~AAdthe-0(fHM;4dq(7&epgNI^3|5w4q}t-Lq+X z6?I}gLB&qT#Nx-qU%dC9GQQfK`e5oRT7!qnMRcw87x8*;7O?aegRbUu?9TV&)BF8P zhv2Lhwf&>>fyNnNggvkz7JOXp5(@#vV=LXXXu2N7Xl63a1FT!i3r_cWVk!_^=xVTO zy%(m_{T+E}lydBg2P|kZpxIK2*1uS$#z6o%0uCe)>dj3Q4Y47??z-H#iUo8IU|QYG ziMt`MGZXQlt2*H7CEw3PaXW6Itt`Blt8sneer0aSZ+c9N2$|H|Nj0Fr)dj4>Sn-eF z%R+_L?T4_lwm;Bh@P_sr2O{MWDE}XF*3yiwfBplvf!n+H@zd{g`#fFi%@%ge+YF3= zYE~*_IZxJP05nuYw*qhaCBIH*?Pw(- zA%~93xuWE*1A3~7I`wwL(+u1wij=YWiVaV&Dvn=tpxu@3t3F zx)cj9Hi7C3CL$or7#bcX>X0_pAtRrek|ChB5#tooWbgH%R69%_K-apWyl;b<0U1mD zzmJnLtwun;00rL$)&Q=_IO+(V!@jf zZf}ViVBTCK0_GpSbMu(Kd(kHtN2ptx^vV{Ysu+a|8h*oo1t*p;-$}1&w>^ za(J;o@gS2%Ny-TijNb|AQt}|6(?}9au~)AtTudCTN56feZ+cQkTyimFX13>At}`a44%DZrMY#m;BE z$i{q%E?nd>>)ufuZu>;yle$*nC@vef__?_%ik63>WzHYVyGCiw#p5tPuIITm$oMO` za{ngoyA~qNLj4yYUS^=uvG{PA6CN^2AbBa;ToUEJ!%3x-?s{e#f{9=O$7pF5n2&gN z!}mot%t-tx2-*DI3fD>SYBZek3pX;dS0L_C=0eVM4Ed0&CZXzvGvIp&T9aRo8Of*GxWXnL1eZ7zFDFl|Bn}Ob?x{HO94#*2D|+NZ&1d za4r+NtqlLJMW#B9VBUk+ukDM%@dY2=l)c_AHatN-SreUN(2cKdZFX;SUJB9qjP?;D zslQfrdBKP8`J@TL0ahPc*AQWIun9~z9A&M}wTM^?l}W1Gsc%>S@D4ij6;3AH9rZwA z^e(1ciy!bKmF}a!Iy88xUYD}!b-VP3a}YA~%o{ESu$ozt4|!i|Padsfqw!FhQDTIP z;0EsTWpam6kzih!u9Gy%fNEq&x~gcGvVqp8QjPMfJhAZut&T`z!?nP{$AOitGRb@5 z;mVG1QdCIx4I61ftew2L&EE_^J|lDiRP5i(&gOv;2$f!h4ZYP>lW8D%ip;2Wv%_r< z91+~$QT=PYmHj$Wh-fBi5K3*J0n64a6it`2xvh!Pzj+inhUt|1+Y6@lU=}H&*eNXp z997o5YJcee!wT!20~7lrh3qKi8=xq|p$r2-qi&9p1G&8vLC3H}k)BTfq>2|yntvY& zWN^gtN8};(^rP^RLSTB@xPjg#S$#&lfYvV{p)}PW@`Tv)olb!<9vw7|t2r8mq#R1B z8C&e$oq%SOGEIIj_gRNfZ8$+c`JzwOXWg80zd%?aaApNUNwj$3v2(syEHc(OrBcuSAfqeotg-?yN#HQlYhei( zy5DfVF~dYg98*x_(vU9G1iUR2pAXTX1sEe*?nlL-L@eX9i8(`BhcSUP1`Pd48EcY6 z555SV`z;sc)#(G;@IR<#l=q?O+XFJ0>J`wuhYPD%AFG4>Wb2CDeu3JUm2Kr`I~`{K zoM}^7W0ENkTx1;by6S@6JSCoGK_V((xq^{!pDpYMt}L6)NQ(?|Ouot12yX+t9VP_n7hT=}b$Dt!jLdE;n}%GBu?{5~o{yMXLi zH3(>_MV3Ih1KCdnrkl3#nWVm&G`Kuhiy$2Qv@qqfsymQLQp>t{>4$(0-^@-KBsD_J zOMN95abmg&0lAw!3hChCBNJEM8#|d5u3pufj<S7l2iG$(i_) z7Z+S>sP*oXvk@mxh}eQ4%Il$ zm%NZ6G!f}fA{^~18YG!I_^OrVD>cZvVikYxzn|k5KwP<4_UeWU5*6V2#~p7? z15Di$PuMsx>gqSwJt(5qh0O^je;IcH=K4j$yKdh85>6Wf54dX>q6fmzRo+_N+$4YF zvmg7B(SD^ZV2uqv0(Mrgj}X8hoJDbr7jW=QYX|E z=hzpmER8uUM}`9&m>>9Rax!~?2U&$C>+ z#e&m*Rx}wHF=VWX3sS}ebBY$`s@hQS7T`Ahm1MW+F2ohM6=OIt%XS1Ytv zP7Jn&WovR8o3^ozgqL2r@SNrAnrlvfuIYSVN>n|$JADl9D>c^?fE0^|mfG|vw z3mc_OTPjL{vVbW&?_pc@crQ;uior^BIQWJNJ&>;I5yn+NMJg7&+LU>+?-bhO^5#6; zAd?qhdRwHm_Khz%E@_bZKrP@EUOyPqJ!Gzfc*t}|R8!;ShckKNjqX+Vh4?&MEzp7>785F}=~GUF zZ)8n#Xz80Urd^NfH<1?3@xdgf^AI5kM9QL`DtNW=Mq8e9l;4|N=*$M-o1fFd$E4P9 z4mMyO`mXA})hul*J&eF(&t#Bq&*7tg5c}pt;MK-A>9?QTG|qU+=ycEvAwI!2i%+Ot zqco&t@g4ROL{0bL7&OB+h*7Wj@mggW4iio9&O%oiI#dhFU{xcrY>4GyH^VUPnEoG2 zVrG4rkPyH0a`zC_g-E+V<@DG1rJE4=hjOvsnBHaB&?2L_`@Er1|4A+Z!)sIewzeHq z4Ht6#F+FBU4@*yS7=Q=f+lQYy=Xq+e`1B4z_*QBrd&K@4B$vU5oNbP4KnfeHLd^m` zKY(fM+XScy1Akx8x;yuUJE(sdj;(WY3C6*#XHX7Am%tYPBsI3L4s*`NKY|{$`PaZo zK14DNy(bs)W=+|e#XzKo!xwK8Gi*(OhU?Y1Lr}?cT4xdimvpviX7MrGkAvNPjzQhF z2gTMIFGrJ&h&fH`Ck(zOu6~5LtNYVFwHHsW0V^8+kULow3;J%yU zLeiS*FY74$A-G>#m|fB;9^9AV(urcaFp#)rwN=KkK~J?o{o`S6sktt!IJfjels3v| zg?~V#1Nbdsn1pO|lpg6vr+u zoANv(7~HxoG==EVYdVaH5woCwbU$UR4$b6pqT;;J6!}qDx=Z6eq{LvB8hYu?$f3?> zqvhkPadN4Pm7UEM7Cp9p|MRdQuJz6hD56IJWY58++g2FSgI+x@TIvzSB-(9j%>)$E zROoR=4;+D0R%xlXrjc78&)z^{mfQ)@_52*tA{*7)A&^1#1uBCiG1O+&4vcRhK4e{~ zc~O%@1Q+aI7|bCWnN&G52D2uofdJd=0oc2ns87bQNddXGkwaPr>93>nGuDPD$?X%4 zYOYGc2;{4mIG^4>gM}3b8rXggfJ0yWPqaqk2;SiG@6AjYlyK3mUKV>e`ALdKe0M2f zU1QiSj8oCi4UCI0YI@_@+1Ar%CrmI{H)6KFjPu5eN{62Pw#*toP1#8DA-Y?0sgkho z(QM_=Dkp?8umzm9H*_V!NNEB`@aOF8qRUFaR*FGBr{i!E7z`yh=>wfkvuvp$Wl0l< zeD{!_fBJ)wR+Oy=myArR=klY;!6v%N(#{8U89T|?G?AJI_hJ7qOYWW@vLmt zAHf=25?0*!lsBYAV8Yc2D=*@4Q%AhVSUwMYLb4q|aL@Xi4{ zK9f@c5SfL)f$-MIsKcP?I~YykyVhFVJx-N3gi|m^$Hq)8>}A(I8F;dZJk87|-?)uG zNLrcW+n72r(|uQ|*m8B#3#*iJ2xS(XC45Md*!+R26L!}_l!}C9{)GSt5P*mRv46Zx z{BY>*Yv|K}g7r9zmwYeS{S_6_l0yzfK`&$7yv>Ua zW6S|Yz<)!F1DDlieCpVr=>(;?S#p|Gg+~(IsF>kW1%!N>MGl^juuIVN{LQD0byKo! zs5If1$?AiXmjG-9~&oi+x4+y6iH3-{+mR#P$3Ad(9J%{kPbv0r_ zsARiT0RkV|bz-aWe9@|mXP3j38kJvpd4~wh{7_@DHQh1r*fS@Va57xjjY$fzT0CZ@ z+(E;I!M39+V%XaL=Y9Ka8<3Js=$VMpN_-A0pfEPi(=VzW$j6`MiQh++G0`(;NzH_T zzOpMp(*Q$2yuXv{N%YknQ~o6z8>D_lRvl_Gbb0w2P~IzYe+Gt}=!FcxffV`1Td??L z(HMV1`+iPVn>cBvp z!+>RpDw&+ou3#z^j}BnpNx$HvoCxch*+MOSJtLg@!fQ;GKaFJb)2-pCgTvfNqhwEN z3@r59+b{rc7riQ8A#8o40p(4+WSUDKd=N@m&6Xt73V)~j--vc%ta$s5eUoR(q9t(W z^r+F%vgrMMl2mg?+OzdFS0LG=28QGpxp(2ld`GOBBZH{Yb07OxgNw}eawXx0Papf7 zUNxO=?DN_9mA8r9m_xPkR=y|I?(ILigt9iN?sA_WS72CnstZw;Z zzIFtW9{2i~tsi7SrfJ<-C1NQUS(&%onL*yA+QtL4UR14@+{%*VG-V}=BPbA>K$V5& z4Cr&4#a+;5Obuy(?j4wqdtb>VtX9|*a5MDEO;W7g*&9UlnFL>jJqu)lq5ajVgwHvk zm8!B;u;&C|7~c&FKjSGwYd=D@bS?-FE2;{)-hLrf>dS*QKe$+MT^PJg?uEpXX~sA&ed*^2Se>yGRkO(y0sJXy>ctW z3hyd>QO#-EG%`yM+F3uoo>#Or0t?T_b|h^jyBuu@55t}2HwaIdZf}sg zbwHZY=V8Y*v^ymbuXAo+WG>zu6JHEqK$^IJ1I)O^Kq%2iy9IPxIte|vNMj&V!UAHa zJX*#4S6#nI?>meP$@Yl~mI_)UcB~_-LMv5kJ-y%dVIUJ&B=SBMWq!%pn@-oB^f1C; zlXr+o>U19C9qgu}MYccX&K+13KS+;}Bk#I9(Kpfj-7RfGI&{(w<;_%Qe%a*3Pos(D zjNlTp_3;zRvhb(4Kn17;D3}3v&r5{_>N_L-KV`Vdw6Fq)hkK3+7t5L-CUqv|6bzG) zof-z}tMK07Fq^e~>;M9$p1~a}6V40yqx81mCqD6z-qpBo;jJI=UhcX$&&K4cYCvxl zm^RS{{!FXJP}T2;{?83LegAdGSx=p(QzfuTcZad0nInPW24Kn`_mIwaZY!{+ zV&#x~r(PbdOmuHmOK9>|7D*$KJj$95&KD~o{weQ%43qxx0{?W62ey9JYM4tb+t zFvok^?u6GA2Gwn8(^kEyikc!xSy$F5?3G1FkILNUPpbyO1w(-rKlCJMm&3?5D?d^; zU!>x@lMRxSWL%jmWATu;+OPOjSt%UNzUz5NFIjopJ-f%4>4;x@Y9VJn83DYD2_M<~ zgWIvCDB1S__L1oqgyU5-sevgz5s@n1JFx~x*2&96|5XR9wh^!s#$E&%wM=gcll8(e zEiF>sWiB|c;mTTXmb@otFl1NolW`nfa1vgQh3Gp+FZ1xn-^P}GJzRKQc`?5rN?X^| zStc}l@vM=LH}FI>>Xzl55>n2Oa1}*`_40WhemECs;oeE<($8`^@+v+fQs5eD29zDX zb)End^s6|>G0JQRnZ%nN)(f>ByyEqYN}EcogKw1g#cb;+tN-i#liDZ6$RS9UOfl;8 z6+Eczo#c%KF!OpK&t!TKeqzb%zwt$2-?>yK28)L?3tXu@+)rMPT?4|(H%jG<3-W-e z&4-ZWtr>$O9QHQ&{fypvC~tNJH*YjZ8G=Zn^yC&(xTi_|t?gW=__MhcsIrX}C{~Y^ zkM;pn)wjToAc|-w9+wjQH2=_+w)n}6aUv4pO@bgzD3uJK&l7S$f)(5wbgkmgJOotV zrsEE?5=7XWNBVeXkEWunuNS;Vn&6 z4ntt4y9U6ki89*O(4r7ooR`;KdIOw9*%qPG^U(y&g9(arB=VoT%7e%_TjD5{iKR!S z+i2rQtCwSX+^JC#atJ9h5&=Ry`gA}&xO=hb0Bw&ZUXQ}5fb#W$VD3p4m|?G*uu zC#QAhP?!_K%+CMp`qwA+_t{Tis1`6x_Sj5h?2^P$dz~kc*P>WfQpX>~AMFemFhh^+ zie*0QS=t3Ilwk`ZH{1=QU_H8re=c;<95H-u8?g57|8rzQ#VTn}U;~5Gk$WQH|9SAe z`KlFTKK2>=MDy`w<(~POks;O}W*v$gpUQ5oHh?i?0vvi8yh-v!Q{H zKP#7@WGBu=;XF_G^~5O5@zCO1nDfUC4DQ~;C7#p3t@M3>pl8G&m|;LzTF+sVybeSF z)+$1#DR)w)YqzmC32e&TCLm3Pt1cP}uGtwCUU9J|pv1bFk*)C#d+G)AeU zN%ifk2yHF@PNR8 zDUBlj!x&Q5DZxXv1h_R8#jMe|S;+cm=GK*cX%K8q{dNeCLyp6P^U{L{!|+ARGzqcn z!aN}EMx87JGYUd{y&Ei4Vgfvc%&&at-Bo%}GZbD?E-jw`AjtU&G zpw`;I&B!$GJP`yyIGmCC4@niI`!fBv&s}-;kkMGLi&%pL8}R=+ zKNnLw_ZGS;KpiXmx%rF~5VJ48_ijWE=20z07aqAA0x`$bneI;{M?0PB!NvNvNXkq1 zn(Dh0_4RN%C`^~7RUdWRFGb55B`|JK2J=v5Y3?!ENHvoP<+HF`@38bwnv}S`^N2hq zgNq=EnH}3Od=#q#-_%6?6=m(kurB9yFQFIPY0oxod09Ic3};s9?imt}4F`JnK{Ngg z`6r_b6L6ajj^PSoB%?MsrocucrXe8Iur9_ISQ{miB6dvQyuXKJ9oEeSwTkywh{4GG zQ+kXQbrcqF&QqqJS;juXlEZmRGJ^3;%QRVd_aDIebreRAqSYj>aI(H`A55ns?vj z;qhpwY0tH=k+c+v{^Ka%yKH*vz^cXM{^939QGRKq?MHtfl2o)e0Yy)Rfz6eKUt-&X z<+9D83%+#ZZC>4c{p7AW7ZB)uLs3Fz17fV8a&2ftlhwAI`{PTwb?c$$M2l_=!KIO- zo#TWF1dp?j6wEh*-YP6Z8I=OqqL2}ThiIF+f)OJWePShtZHi^8P_=F)bDYnoss$9u zNQYc56i3nE;O$dSeq(t^I*`Pmv|7_ACunk7Li}O$E$9zzexhW3U*f5h#=Y5xtu*vj8u2Nd&ZS ziV${Y(ov}3xf_7Nkcq#(na~Y}DdVfEs>N6*oYhb&-RTbnb1;qcAC-i7n^J};_#BD+wQ38Hu2bRmAGO}oIkqyTT)=-uxZTB3;^;2yz#qA2(K4e{kVRRH-siR=Q% zgPIt3ZT2I3dLEoX*@F7LSQsW1V$`vT5%f-Zs2Nm)E%T> z;zFH{h}X>^TC!GjUpWtc;sA%P;NR+#0F`N}Qk}3sjej!B*(Eh5f~s zFVs;Op*)V=d!g43K=dveQP)89W?F}=kcq@cdN9Mx7qyH7*9ElJnseoN((6arbAr!%TOZN21FQ2a^IQMFnG z4^#=J(?Uswkj#oZGAJ!C@ERjy!IBBAj75{QJC2BPj_)6gCXBwNjaMfC>;>qO=Znl$ zI2^{VdnPG6{lQqBLjUWylM9T%hS(xgiQ6r*0A9+s*#5&80W;6`0i1#Q#+uYry$?LS zrrK@KqDg>gFm#cD@A9u6n19xQt{5maO=ZK9s45#oP|$%WlL=8S%|w8*hi>4aP^Z@nG0FSwL<|P3`r(9hyG9ytc`nVIx16L{4+h zkmp{z`Py5tG^p_Km7+|i-Od7xH;&6Isu@P4ewfTeGGXOVIjFnZQC}Y3>CLfUC9EtfdiIKbG-h5FkcZVeYyLA(o{{rr9=( z6Q>(vL(r~vE2yL#eSy#EYk>0(mWEZeYupKme71V)=T8x!=d4n2o4m^yc9_lKrA%O2 z{RU4n;k|9j6t9qEGK!QUL;f0UEK9_uEDfjrefSQUXL74|V`(njWDhZ*CV@<7F0@H@ zv7pYwM5GRaktWOc-KbN`ow~d0bmsFjoo3jmcqk2{wi(dXHMs;v9&bR7_*}aY!B<-r zEs>#k{p%Sa`~#S&WOu-x93xLv&|A0ehBDdS$>xrIMX7_3?1x|#S!o1D&DL0o-NqEs zG-i&qGq#*4!yEWVP%y#eccCWY;O!DmZ(0Uo$}BT`NWN#yex$=3?MDxXu^x03i&^Jb zZswU1|IlN~LI<>h?dkxE=Bvc_YkaHQCp(aIAf; z+DmC2+AL^oQ6mtHyNK%>>)YS7G{(g0P42XE%Jm{4NK)o#qeT$17%K%oik|J7^kKQN zEPtDDmH>OfF7AJAdQc)%hYd9yU$spU*Be%^ybChSoES`ud< zSO~~EfT-ghMYpb5$EQN4W}v}@7FSBN6tXT*DaHndTC z(n8qdVr7!16zUHYX3O8%Omp(CO*!kBzQ7UEB?E-J;I5BUGv zU$u2Jw3@9E3@+p#c*=7|8zttT;H+&elMPH;AHe53{dU=zzN9DI^#-^C0!BUCA=N!AGhe6yJ++wW>T1n|Wt zTAt5ToH zk`+eQZamtw0+Y07a1ArZ-5QLgd0+c+)F?n6$MjCbkNWN;>{bH zrFJ`urzi9q8hHoKK}h%#9bX!o}K(b?uM}qVZYU0 zG@qTH%B=QXrh7hyls2e(c-oy)y0wnC+W85?8%WkOAp2SbA*Qb|&h&P*X7KdS0Q#uH zuN_81QLBlVnK+}@o-;%PNg=%PV)!rPR#mWt`G_nY2xl~o1(wa~H^%LDL27;6tfe*y zJ#^tFce8%ta{XpEpn()lCi?ezs`N$PJH4MGK74jZ0Uqt*tLK7w`5|`rGxkMt-0m4V zzc*oC6`STx=}tk;6Rn^cWeyx9)#HBXK$3+ zEx1^t)}d#(Ek3Nss+bq8zUE?##YWx_n1%el*T`vkllG_VHG6|6c~v6}40+(#GpPn$ z^?wJO4t#=u<|ezCcb8L7wVWMv2vb?_Q>;o!^rOrV+J2yiT-*`J0A&5oyg0#f+T|0| zfRlT+5EPH`mU^xZ>^5pReQIQEdY|30HsmV0} z$ptkUeP6P~fCOV8eV^+bP#P-6xW~gJjvrb)7@0rtRnndM7_t4PVt>Mri?O+p!EQPC zGWY1KhUW{BElN`Lpv4OBtukGd_9d6r)Ki;@x)24%b}9oz73=GxkpqOoI@dmoxVJ>J zxNIeQu1nGq%ar3973+Mc=D}OgW^28_2M-C$&T#CBb(4MVLPb?N%irnnK#Sj1-0K>~{7xiP7E+)FN8Wr08(vxx_np1FoK1MA5%~)C(F6EI;xw zRfOR&yTGYyKTHZ>P28PC?-eY0t@^#pN=Sb;qE*fnA6o^dJY@)@bBI$Uhx#t($KkA9 zo+$~sGUKggtFH&Qaov*k{o$J&u~=7GU7MspPi4rHD1{40ls8iJ_CB@@XTblm*q7)Cb$sP6?{lBX4E zX(16^90K+un8?&4MDg#0UJZzr6U}W}yd!0cmpl>t{jAYIXtulPWWlgmgtc-WF!cBA z=s2dP)SAMXhPOsxiL3QcN0knAdA*&+()nbF-XQ@lBZb*Qds!}b7e!OW!?soXxtvi) zB0ev$bJBAcFpRRA?;&?~5Yo&!+)%cX!b}BT z1c+hYMj~d>z=Lc0QcI9V&FPnC@-3(2C6|fKLu-g4|4G=07G*0lMe_oAn@3Os??JviVQAL#8;||d%C^vuf3brnhX>e z53D6Zs%Iec`_TkjDY5q?NU)?4k%APFUcEDt@#8FV8!nGk9eSKYqAD3lmSd)y`fS3Cfut4Q91C-VJX7u12 zwb#jU_Sx1!&8_+utfH|f9&EZ_9w6;AcxnbKMi2QJm)RL%Uke6e^fC0pSI~R3MsKBM zzu`x0%8fMt@w`DkcsQCE2XWe|GhKT2>IyE0nRi-;(J3uWF^9@C*N4VF+z$Gi;4x|; zHuIe|4mH6|cc092NpG22uioo7D0oS=`W^pn#ofe z#erMkTUdv;QV71NuUnF*8BM7D`lNQ$22xmpS)@4*Jg{E2YMV*kKfH2Od7JUlfI4oR zTWhGFfkJHvbvNXr=svqpHfF(J2Qsnz6zg^NG}w9u$;_zzFX`rVBx>qdXN?b){c@e% z2aG@g;e^W}GUBEEOA)y&bWZ8wUyC($4)m4mcLf~Q^K(5>R2A@Mn;X4n%~hSpV~wwP zZs=q2mB7=hG}$?EZMWpUVX_2-X+Gz0X)YZR%U@nQvY&^LRM+2fY)}!w@w{P$(3d&~ za9+QH9Uw!eGJ<(8#R`AaWVLR@%M~Xn4p*Kmb!?4Y{q>&6M*{d1wLaBGYsSM?-iHqX zv}TsI1IEU0z+%oq$xnV@Ona^woH}NA3#>RckpxTbAWh2?Mrt(@zhjFif#7iVt|1Z@ zYs*Sej4kGtc%CX8(>}BUcOOt}hrXaRvdgIXv#L-2A{FGY3(+R1l@yxu0f& zcAYW%0a3Ex{rc5i0Sq7z_w zx6kD^7*eCH8af??r22C)CEd<=Xs5tWZ0^W?W)UjM&%E7QX)he9jzJo6IrmYLy%F1= z*e=?FJWDmCC+y@!=C=(}L2B?Jr7N|0XnzEAN0CO845>qadq{nGaSq)#x`{v$7zDJD0r*9w zdvuss5I!7|k7sY#jpb#}5j9oKzyj1hPCM01!8f2O zKHfK~5?8<$#kPiT|BbUg+B7KWYh&tCECIgwH{D^3BP}W0LV=GzQdADu1!@B}v>xOC zz>^;T&EtdL9fD8~{?b1?v!4GAo8id*rD?T4l+4I=Ei}~BkN~X!pzO*^3kibj5Y!ug zXgSJvot0(x4ZG)=NtT=#g4a1wR6(-nVt?2OVb{KNx9{c9@FM7>5uiT!1czGDdStv0 zg2qraTQR%rYv;E;>^+9ZzZdX2UH<_of@_yKL^`Epss)^%?4j7fFrWX{=<$}K5%7Ia6UN{gTn^IG-rJ4QMaHT z51+*~r0CL>sGMF>kbM;2av+x;(@ig2b;jn7+Hav)Wf{-^CTPZ$IP?sob{Zdh3B!Zn z1lFkz4moBCgOK6>UdXdk_Y0*_0;l%gy_N=Qv1&XUfQwXOhtQ-1_xv|bZ1>;qJqrm~ zk;`d`%jkzg&R&^B2dPB$``HTgl~edF$goev_OMCM%=fJoyxDcI;i2Ew<)eXq!J8yR zmrrI^drh{U}&twI^m6J;Lq@U0>nz63Qo{ng= zzrV-M@e|pm`odv6ntOQ?oC<2}o0l)_d6qQ~otCv=1e*svQqSvfxcU$X0Bil6qjQtm z+%7*cgjR2-`D6`@iTDD1!btelTMH)Ptr+y^-g9Xq(UTSfBrUICnALoWn}_cRq*0S7l#8FsL>L zKu~9F8SizWvd5o~$gF^Eb!zd9%mY{zBoug{CvkMM8Ns`?km2>`2%Lik=5@DE0MKy8slHy%61-ys=`pMyw6%txf~;VVlwjSVwm(AG8upp3E}4)|V|HPjSNlq1%T5xxInJtYd z-Ikria$U~Y+2VIkaU8*<#Ri=|pyYWrQK|xq@(%;TvxXC4KPdaA=z{+H!>jY<1M+<$ zHcdKF!^iGnCwAYzebM*uRUlGCZk5B^NT-k65-{Er%pJdD%b&_RFHXMCoo%JU$klv~^~JQy{gmF1KUB(R}hHlGaLcYT|&?a#g5kFB)en$vL&g z)6Ubv0}`Xz8*k<7$n&4XZV8L(97#hm=8aR-#V|;Xj$Cx*EV4%sZ+3- zD0_O%eg>{#CaON!oOc4qxk-iUg)_xKc^wA57;W%_s0%(r2yn7f-lj`Uo*G$bwr08Q zpih5ib@r2cBS%9UaROS7V3g-C9t6CMJ@;_+5U*ADWOcju)YQ`FJn6HEdeYY$EIM6v zsI~WsAzLM&Xr8iEXZMPJgEO@*tDjeMTCmZDL)Yw~RS>ilkzPb}k~XqVCm{92r*bKZ z=6Lo_GYD+$SFoAzU_nlrw#-tv5&k@K_sAhSg3&Kk@R%|$2Y=sgO2_{BW(ABv(6n0_ z;7R3B*a(ukFgbiHkfN&mL2=;In)c+G*P2uPpFe?=KSieZ!do{;JdMScPR3oWZ!)t~ z<3O^h%C9=9=b@|v2^$@txDgU(m+MT9g(~AoKB(-idyuX!i84%-w7D*}Dzw!buB#s6 zKHh&t;{DjN`6%g zZO=4srpq_Q@M$6Pu9+aTtT<$ z(qKr_x()@>o7-Q%rG;k9;8WX^W$T|Yz%aNM|IBI-^M~CKTveZ|>jNWYaDFJ2Hei&D zHG?k05rg=60sHQ>*^N+AhPo{VH==yyt49E%#j0Ynryh%-(qWo~6pOB7tCiH5F9nB$ z4|F){PM5M%;dG;>G)_M0vfe-KI;jVhcu*8r}6FyBU!%f zp(=0JVsTy4eE<*bwZE<+-JZy@6ka8lwgUrl;Dx&XAXo4ue$mCY>nKrfjkN+3;Z)Zx zB!Dc+;rgpz%Ab*&MIjoj`g)Vnq-Gx+sSKVm6YL}N$4nWJ7NLqd6eX<)p0x>$tw6pC zhEV654c0eIL%+rduv2V+>sAw8L2|X&-guRxoxiw?vyWajj%6Yu%lKL%&TyN6ftrGf z0RViJ(jK^zpE87l>O5bfJ~VtbWmsolW%xK3#XcR-pkb!2AtO;zMs%2%C8_L@rA!Fx zKg%7-ox7<(!nAl*L&X%_uMA;3D%M_Wgg6^FFHr|!f#a|Ww;NZ|1*a`rxmLB9kD#%p zt@u9W`|RDPEHH)51u>L!1yc@PC8;4*O;unjfb;U9FQa31ct_2!#mF_GE!1l2SoD`I zBx~z{a4myI;&D48&HYSu&&Xz*AoP+;opTz@uhHq= zxQe1*r>+Um@y6=4UpEw`dXI2mwIF0c+*D$mNv@uLeuH`>IVpapBn1hKz^-)iRd0G12`0*g_@2iGo%ZdI6Mfu@9|Hg;_q-0~ zMm!J>M=@eCxPn9pA$&;6`fYFTX69m-&I&FKzrr#5R zT>_u&+V~8?5$*t}j@K}C-Q%^?JO%5;LyXlvv1OZM78Sj{Nv*?>c|x{9j{TV)u6}U6 z70(hLx2qZ(Ppv5qT~r56=R;B9-iydKVlkz2&8FR*Qg$JBbDOK&VkcP;# z1t*0qEKesbRS8Z+jlZzbb!C|Az9@E4MuvYl;(I`A{5hscFkTKNHUNg%HC*RL7R+7P zTk{M$Cnjvt&dQ5IXH&Hu&o1JN2A&$1*gXNo33-ak5%d=Z)g6YItXEgNT9Y0PAKry} z<4qN`5dGe@>zp={4#DnSIj5+@?xwivifnL8` z1i80HJQ>3w13G>hS%Y&#-mnQ)q!5GdLGf*I^w#D%puw&#(U=hry0R3kH{>o7Kabr>PTM~i4>&3IXYy_qO{R@-mX1F0bao&N7#Y0VkFGPP z2`&*Hx2|ebb!M5zu>s-nDnoh3-YwpbRqNG1byrg#EjfXT72!IUYp17?nTbmOyKh0y zok|V;{bimK-%XTAp2B-(XoWo4k{Z0?-rrp2;D5f*7kCX*7^Xh7Jap^T(49`3F)9 z(fESPmP()F`OrFf&2ioJR66|9HS~mkcr%V$#RE%oMmVN*`9kmTxlvH}1atqwha7a= zp{y8y{!1;VAn{f#b3O$ z*^%(WS%$+vg)OmNUYSaYS*7#rJEb6%sp_#8OH)=n-~_*<+|!R%~(Scwrr+ zce*Ez|Dk9=49Mg?_7e)35CL`bMjfUhHS>GBWwQ{DA^!?>>emkh7y^MMsk5Yt{i6lu zv^|?&=P9`RQZk26EQis}Lm~ix?-GU@} zQPDc^f_(ww5JA@D6x8}Gjgk~3E6^@jUll9y8-mLl6dFj{^?^@t$Kw)#ga4o9U7X~U z$i7=LG6fODh)qSzQP7|pQ;r{;xNT2FI#$ZoKmIhiirQEeB3yr=@N|@I0Y!ugihavr zP16?{Kt~)9Ih~IC?kv?QCjZJSEMmbjKF|3D8VBh-Ub)naLzERCro8*#-l_zq=C&R{ zN#SVpCoqMa+N<9xG94nC7t6QysgCW;O_R4xc6;0n7ztiLIkEiR!hN*ArYUA#ky@Wl zUd6v2L*Ccj*y6S5l z@l7!Ons6Rg1Q!B!LpGIUOZmt;OCY~!%79jUuTxHRb;jUI2POsfD%tG#&e)Y&bkS^j z`nl%h!zH6VZB#w3I_a7nX;&XJ8ZMpw^O5K^JqD~l2{6ej9QW_w2DM zF{3e<@O|Nd)x_28)-T($q0WzQnF9S!@q&0hrk~>6%EkvZ-1f=PzJj=KE%HVzy7MgJ&9{Jk#DP3q%o#ZDo%)wq+pj11S z-t;)L{k-qx6#x#Vjk`_RBYhXG7p9k@N^+QvRkrU{)Z2JoKx1< z$0|d7rNsjf+J7?eENODymFoxjQVA)j*Uw7B7LM|`7@2*T#19x(`>a_%B`p}g7ex7HOLU33J9gM9~LV*TlP9+ zTz|e1IzX2>Ky@symKzfHY+{tcKA396=N&`$Jx^sQZvOAM6-x))Hf5Hh%{QrD_{9w6)a&odVthHgg=UC+9Xn! zo(*W}0PDkuZp~nI!)uz3sdYHQRMk%;`GDL9bjNBHG)ruO20|r|>gAzWqz6V6`WsaF z``4Cwe!N{r3Ry85g=%E@ZSEDig`NYzKeX2|qMy+O4w@4V5$*3r_yv%tF@oKc~dWF0JndnQ=a6fsY*cQ zIo)W(smd-_&#<{`f+XlW5DvP;qcKK{8Ny(qW{LW%g#X3(ua&GKzHTiEZKSo^wwoM{ zPwrFNVvs@a@0YvKLXdmC_6&o7@P`k^rpRuZ(P2oc0WTn-+Mv_b`&#mJ77?)7Ap086 z)&OnA8)rZOP-zpJ>V+iSusV^fVeg&>?JFN3o_TE-f((V;!f`S;UqO=)Sx;=~2K!ne ze@(?8Rghp&tXH$&@* zip?CYQ2mGKPsIjG~MLj%y1AMlplfYe?+>bbShE&V>i zU2HZd`kihC<1g*vmyvFg=ygS1Dp0EloN*C9As^`MdrT%*#PwA{k{fjN^rcB?d#reU zTg0EDa2@$o^YySqRj@hPF!}DzYw!`_1&sq;(uCVl9n8Arj)MdX;EtY#&ZC_l+HS*F zAVI_Q!r5dKxqzhBe}S`QlF44q{!ttEW%&xL2Zyb(ah zk|BN)nTrzWu*?(T*h!_aI8?~kh*f|m%O$)mGk{j~{Yx5_ywTidWp8jO^q+Tnm|5_c z>As8SZD`E$jL!D5{XCUQJgxXP+65xnCe+bEqJhUh@xZgFVpG=+HiO6@$-h$C;7^KKP#ZuNYj%}3Nc<8e{W;b8JQ-lbMbO*Gm z+Sy!kUTs)^8TFxA%0tBH3s6TSBxT~VHSc(RcGqoh(!~jTKTW5ar*&~zq+ZXB{U`)& zbkU`Jxg1e=5*_C`IW{)*3pEf``7O_a=c-^ibb+%8h-g0Kz(}VCprzNp9|D+|dNvLW zr*@FSw_*SxO1mXN24m;$1C0<$sz}<P3giDl}`)p zD)P^@u+VDVh$XPq+|UuM(Pz1Adw0*qYpjh~8Es6xyiY?E=9oUp7yX?|PL>Gywn6et&EqdahJ$=O zW4yG>I`iNkpA$Xo?5VU#A4=TKY0d?&iuv^x8=ax=;3IF=al1v+{mn+rpLjFMK;X`J zDUO>cXbP@IvT2;E)p&3uJyW{d`?Pz&LN0n-I5lvZhqTXIaDg%l(>;uV;7>qo95#O6 zPGCQrWFdP;{x9V}YQJ5-*;Gp-d>h2s!x1%s=5!NSx3a+&zhfAdYMvekh3AlT@rGTE z`Ae(hZ|Q~83r^QW)5Xf4?n;bpKDqM>!^U$FAoLdVK@ypFq*vtXjuoH<+->gL zSD4Xp7Q`4NQYN!l4Jx5(KTq6-m;zd{(!KenYlhEsivNr)x;jBc? z;fck3>48Jp)A-=Hq{U(po9S8k$qxPZV$zVw6Fw-(RLJ{3vL1{Ki8EBEQ=V-zl>>^U1jgr@&5e*=6lg*<24k$-dmrqD1IE3;3GMAwQE0+Hz~Q&)+@wneOBA9mLI!lWcY24vO`E3 zTmB9}vUy_#yBn5kqNZ^0^~$z6ZjLeyY-n)P$X|)i2HJqh{bREbh)sZS7Jndnha$d_ zQejSr(G8ow!lRem=vrdvhMPn8PFM*4nAqHw5vamh1Z7L9P zM>EW^4|gwA>7ChLQ`bx&#=)2T&IvzA#J1D;v}0NouO-*)ARfR^(v=J!66czfbkpDL zw|DGv+iiWWq*DVsod^EX$Z9SM=VmYkTy79UT5Ft)o8|5G#?w-+$=M2+G%ba=8WRnX5^#ln;H*NZVL%z#K6#Xdr1aO;KIkw_ z|L*x|a_pW3fSn9kx~!1Vxp^K~r0icFYET^~RKAa=&p9NHEGwf<3*B>b!EqMGRG>r@ zf}%I^Q;SX;3U+~>JNfw}Lcpdx9%s)qOL!QRxv9<4?7M+TIIFUG8G|@2JmB)T{#5V! zh=BX2d>PNhmfTH8azX)iad$8ZRnnpz_Y6&#m_}2^swz6TH|cDfjq_T=9r@{*D8I;q zt(YYiY*V$#YH*I2+=%v-blgDvN=y>h3`r(jcNiap>`~@Qul=;cran0hjx&ElGanwc z=Tl%SgZnwv6rN$)0_R5H_U_Hmtek~?0AfVvoVjDS^|ef;NUON#-Cp(5bH<+9@A`~% ze^$}#yoU&D8#qS7^LXLTmqcmHW?~-WC1qX{WPNES-Z5E|)L0ID-}r|TKet%WUaqlC z!=T=T_h`eQk(z}dq0pOXJci7-hz+o1O&>iT!5li1Rj3N*;5h2&uEc$qKJhoLdz8Fq zhSLx(?lvmU2aa>B{CCC8a5TvcM}j97w&C6qJ$Wu?UZOVIhVkI8Y^v7xdfv~mTrPcu!-wK`2lM-7E?mJir231V+jH1piv65*%#Le z`gT`~LeqUY!dCOFJvxp5KaeRONt8YMmz6-IR!YDBrPoYiwAzYvWC`W4Cp26pQG2Pq z$%4{cKmlY$Tr48j_$fB+3f1TqEWokJTVvUE?V`RfRU~f5kY^%h(D7xX@-sXx%=~RW zMnfuLH%Qw$MZ=6MXVqneV9e)-{65~x)_y0iP9te(^YR%BfD2p~L$8|RrfrLfd>$WO z$45q2w~Q$z-bY2%^ZS2aN7NIp}YhNe$sLIv?pj znt%_;V=sUlZ3$sL4Ru#y6rL#R{)w1=76$DJIho+%z{%CdicnVAp!`OIjvG%$V1kiR zCrX-nhb&L6{^rVZ0KIWR8L9@%jo&z^>b_%4O9xu*$j-quS=QFQ1H7u9wCtu8go@t6 zk>0A{HW6vx@37C6G^-=-MXwP(Mt2K{-!h@}23>(%!6S(_q+t#9v(CfXv5)8-DN?U_ zA)y^~c?Ieq_x{q1A=j`)h#ii}nFwsx+AVbibrqPGil(7Y*9+E}`&jm=qepP$5rtpY zhFu?sZCXo0yrj5&`o0=7EbD0y#mN)sIlq-dtBTYLmT~pQBTjJ7`;2~Drm83+eH+Jv zJYFQdvO%E#R2b4Uh`DL({yUbVC(?<_r+wb4dX$;5sc7!o>7E^E!;WbK@CXWrB=2~X zKSltwgqNFoP?H)0RVx(F20V?25zVwfKkSie=WyS`Q*}XJy1yFVQ`ow=CYp>c=jtOjqs~$- zFeu7afo)9%5yXv}6n!zH+TKn5{$hrpD|ubDIu$DIMCr!AYQZ&d^BfldG+4a0wgS4 zbkaLI!!6~vSBBs0$mV$chrrk^VH8vKbTU;Sn@N>jff7oK()oZII(Eq7SjXN?E92YI zX+gs<4IvV*Go`wCQ>k>iRPs2aZafn`Tkjhn8dEW(?AK}bB3>yK6}5jgWKTEBv;Cv$ z{|1DLs4YL=NaSh|q3OsokP4fRg;=d|;zdRy6zvKeBr*s+MlFCF?wDL-qcQ)i9J9#j|j+G#M^FZhpg{Tg3&u84l z{2>ec7*{}uM;6rxx1QwBAHr4HA4=U;)ukerrMh9r;!y9&KCA_mT^ho`KL&h@Gn#9! z!Ffk7IRiJw!)JkG$C=+E46|K%cK&bviAjZ|GcAHEr8-tH-7)a~e`b8uf}gM!@pcQ$ z&JqL1?1~Y|=BWg~Gtmh&8MOR@P1HrJg|mtpql0^4B66VnQXA-4-B4e!|60x=Q?-p9 zbErh))VP;0KGinO|o~bK}J=mFt=3<}zQv?B_p8b!dg4{4khZ(rZTRG#p?zgdIZI4f%i1jv{2>8(tC1T@*JySuod|nv8_uk zAUU1(?5#~3{vAy5rW_mQAJuEU%z3nsFziKu0puirVh-;mqnxtJ!0Y5m7L+beSnbRV z>_F>9m`|h)oJ-9m#u6BZSY+TsQTEOjRSo!=Q^9S{$v_iVAysDB7g3E9O#uf^yhYor zkqfqjIJ-129+K!P(oahC;-M>vjwm^>vVg&{bOEKEhuo7EW~*>(fpi7u$*Y@wLEM0x z@7;k#f<`G(sSSw?9XN1ndzUb6$K4;^EKN7=yG%~+t5NHo1? zN{~iqT>X^u8csb*QePt5rNIKhnqE)*x?4r#&e57nTbMR$llQkVQGzHb~n=VXSH9aJ8aIr210=$Uju)dB>$ zJh=T8GN?L3zeZoTv0Wi!uN5A)n)oN7)LFi&+7{>s3?5WnlC~J8Sq8eQCSWEPGj}po zQg!u}{Gd~>$*`tf_evx&-dE^;IxjPahz*`Ao^Ig@ zNnoH>^bpxnNH1Bbchr7Rc-Cbjdy&h9(U^%$lN?d_kEITC@uP+zu$=<3CYBgbTDQ&u z*`_yR2h*lMP{I`KriDu*ytcu>qk!`%B@S@-Xz9ory7J##|4f zec_Di`vm}5woFtcFOfIIz>Wy_N{% zU(%8Uk!MDYc7j0X$uR4R%&Lcym2^Yt)C2x`jd0W>nNh&d@|@a?RD|dHBD^n9f}wKt z->JR8a4z>Zu?{gR| z1QUXH_O$2ZN;lPrm;cD+TRnn+V_uOf;*ajKRmW@UQ6>@ROk!7N%399a0r7ejXQHMN z^1S`T35J}+K=a+&WlCV_QlI3P)hd3Ikmu-|@fU6~2qkWW+`zjFdH^^-))pSIKVSpT z)$u}f-~jm6tK;Bi(FayXM?l867Jq<(J%~xC*s(Qq;smq zT2gY$tRqB(J?hP;IDD@72f)x?k^yu*Tzar=vu)#FDx6-vMo{T?deynr@*uj7=Q6BR zQlq(XkIE76Sf-f&J~v)4XSP0q0HNjo(lQt25qn2h4*WPJDC^eW#qK#f%&6o==Tz!&#HGd%BwSoiJqD)!2?)1P8N`R^Fyz z2w0mhYA?0cr&!6DltJzes!SettD4=-z9GDL{au!W^#rxEBQvVZ*rmdYzH+RJsz+3y9nM~sS7S9V&UH`(Ob<1}uv=5diD_n`3E2QnPb?FS#Cd^_QlT)bu zQsBT)mYc>S^E1Z372hYKNPVswNQlQOJqLXl`FMCpeSm+K8R;u*k8N%<*kM?9LyA() zOqaNbQP5ZacM(zvVHs-sH-Pgm)N0qGbh--s7wo4c14wp!$eV{qU)M5q!E4S~z^s1i z7Ho-*w00rL?GJSblj%I5i^n}|U0s#R8xa~IBj2&K-=X^6;6x>z7cU%Y3-<;TiCHfC4ugm>!>J{jW zXNY9`c!)xy`&CAW&zW{7K|W13)>~Wpw;Ucs#(?$#XMGB{W**i*X3u!c+@fn{cmLaO zbb$f0Xhw||+t5voDmtqj&{dQr?5yL>#bkx`cCxJ#B^eZVWj`>AU2=U=dyn(x$+q5A z`*8ZPSGHUI06GWQ5A_H7041Qjr#de84Rm#xU5StOYAUW=U?34NLP&=K7;?P<(|hE6 zkvKv<_C%Fy zV;alllpJ?8GJ_msxF$$1ROrsg`;@2vKusAoo1?k30VZL0#iv*3STD~`(w!jmhcp9P zZRWXx-MQ%GG->0(*LNeNoh&!fJLEbJ$CTVrZ%;=A9(Gqu7^7Ga3eDQwnmPq|_4AxI z;*G{JP~OAFpKVJ#cBNBBmt0P&THS~ibUdrKp$h0*gTiIJeE!aGk#L3v6JPmPJ5Uuw z;uMji=@+|9#`llFX35^yO=tfeV{bQ8uaHJ{y@y_;V7yV zM7tYU1e|sa+N|m{-nKx(-tnL-=oaDGRgOb>$6n;i*HZVEoqTwaFRUr?D^q`oEaEm= z$hQa6^SGaMbq17?DBFJ((3MZoLr~>vDbP{=;eDt?kLfXq;{N0b#vFg;k}U^LXFCQB z7DEp0xtOVNM#^e1YjaBH$Cuhq^84`YlZ_WX%ViIwg+kvJ1U4lW;%ddvySmA+!_URf z87l*GRv>i=!{wLcmfA}ev}*|xp-s1-86@N$x+XY4Lt?{^VCD(jX#kH5$y0K|f$3+4 zMQXE>`>v)1M!UD1HcKp~djj_nb@P;i51kNSoX2}~3dW3Ec8b`_XrAy`Yo^73tbP*q zQPflC^~Mfcp>#{cxUz{-r9E%iPmGvYepcf~Y0?9pJPuLn4}q;~rFu~RCykwnVFuuPHIA||vyl!Ov4)dvYs ztNxi#qxSF|6)_APkM{tw>{ko8{lAqKR#!ik<6h~p>BP?B`X-MR#B+IZ>&}C@XKGAatM%-TB5#=a47M!2imvSi4&^q9+f&jH6!0 zR?8n`d`-e9#)kQ*gv7j5}tTb-!U?FDfu(j@7>GieV^Y( zs9h$@z=_BK(l$e{5Ut_-ehO;*_6-q@+$E%Km>WagzN$1BtFFY&{I@xTB(dIvm{}@3 zY4Mha4H-vyv`3Pg6mVG)rP;Yv?q(Hx4cDE1WM0k7_js+8GQiZE7pz$Wt|G#GueuRC z66kokgyN>AprOtrKLwJ5krZMxO3r)9>7F??G~2O$(HiLN?|45)4Lv>f;4jxf{9>!G zfVd#$gM$^5$!iIcY;TE=R}-Q^tNh%@`r=+22jE7P-p>kU2QIL&NwPyjTp0ax%uX~pmy7BEY?QJUfVgP)>WE_EHZDAb-C^%+R(PUU76TeldV?cZ!+ z3wz=|zSS-fP2R^u8H4isgbn84h3tjac<#3yFn$AQZcRJ@&Anw?YMSDcIyUDsY<18G zVLDrxOB1gzT=*x~BX~0%_wB~|w75A0P^!6^b>Ot(1hFo1CP{olm2#L#Ex4&hrmFgydS=fAAzpBl*EKnv z8-XhPd?pEPfC39vJLQ1)8PT5cX<~Z@349{(nf0z*GlhGWyzcL4Ly}t+=DL@}^)zkG zaI?;A)797=`FoA0dBy4~VtTf4eF0@%XFtUkPvppO2~DGhPzn6e2T2p>R-*ji71RBI zoT5+St(kP#1I_?Q5xkE_TkI9mq-;}1UR4CXyckRoHS&i{s#|7 zrMhB;$xJWR^9?C0hMr2tBpOFUHL9W05k(oezDATIP1M|h0NujAEyyaw4}U$%AVshJ zg|Iyz^4dv7fIe-zLR_sGik+7A5f%O0J+V@7V2~?l8x4sOEJZY|gE$?hv;{bLTLn0z zKC&f8cM>E+?YjX8l)<&i1#kSxmW)9UI zA-M9-RGls7JyT~&fOCJ^$i%$9@;1Z;iM%_5Ua%Q5|!?jupB|qOOc}h=G#=O#irAZN=?1R$$>X zc@30)Nz-Xs%WZ}O0nkru@6D4)SC6A0TcN}HkmvLJYmQHPF6!5AhRQm;PwQi*_friB zr5*+%KX^v<=HGxM9%Kqy+Qy61Wr^M{(L4$J&sDUnv`uA+?ycb_n!h|j)RZzeWH%ov z{)2#IS8{m(LBot7(**S;L++r%UXEI0|CpF(%Im6dRz1dDNA>BR08O+1W_g&-3Na>L z8Eg3YsEjH&gj7SG8T=5_P%3m$u-Uo=!U%@LlKu7AKvP z{pv)`vt_bR;u;?1&3zs+may34ri?m{m`Pw#ux#Xwrz!_I*qRBExR$Du9QhX}6E4bs zYjMaABZo4TUT+YmB4sWn3&hFMl)$$_hW@&_A;3cwokMdNUH!gX-le+X|B4<`Ui@RD ztmJ1=iW6!$F&T$D)fbFZ=+!D5__CFY9Ira%p&47Pa>ipt~=MS9SY4AeJjyBTpO? zzDBQaC++jUBO@1n(Q`zbMq-~cc!(ZCG8UvIdRV9rlWbd~Bte0|+qmml^{E&uoU-k9 zS2Io~;!%9a&0Hj}6k;AwTLH5c&Vo1!V8t=J1RlZul)GVRpriNijaz~{CUf7hI5)$- zA4*`Ed~~g7nbbR)G|5!a2C2s!Z%{L=j}BIBl2f~LL^(btzWgX;G;}x|)hHOj{}M|+ z;Y-jwd}fF(`Pr(&&me&$_}neUGL<+gE{R&0pkKH<8?va5~^Y_L!J zA5EMvZbF4;N3qV>$QPSsR8CnYWjx z=jQ$xO-7c+4K|%z65hWjNb9=e)dn*1N89x)QUN9%AT(_+n)r`DQ+Bu)Sfr0P48vDZ zHn~qN#l;tO+>BA?toI`CWO{_Z=7Y4}iTdD@SVai+)C62AI+6TorN_>nlcTXR&Kj}Ee#J!PKuJ>UXBCCRMA?GA(lePk}W^-Vl*L< zctE*ey>Y8-Al_^jV+!4Cyi`r@46?~oFTg6Fs@T#zuq7LNAExjo&I z#c33SR1=twB;O&0S)zzF>?3|yESaF!f%5Ik2Nae#RSJ^^A--F_>kTpqe}R!CwWa^3 zU{MAM*|f;!snYiUk~vSTy}{`^SfQtSK;nGkm~F4%v^c9M*+N6*%9tDq2T-@@@>nC_ zuZGU=C=!zDR=Bt^{AU~r5*aE5S*@<)q@D(}vpk@G;?^=Uh<)7;TaJ_4UHr=|&C{5?u7s6y}3?wIC*0CSQEMXnxXPud3KYEgi=!R|jq5&5)2vf|H`z zvDYH^-;J~cOt63ZLvP{hr_zdIKwu&uwZA{j#I^)cvFtQ#h`|HNPIbUAu*xGX2x~L! zISxANDG5uUxAM2Mrh4vDhL8hpA$g-Wy3C& z%fGu)t2UTxLKeYv8Ssr&o;8S-Tcl?T1oHFo! zEv}?dDnP`MB9c%Dyj#?-H65m8QK&UA{+94KC&1pJbc;sEy4=T4=Mc~6Q)8g?K>s!B zX5Dv-`VCAA8C-teQiYp$Y$d?K35K%zJ#^Ho?vC|jJIQQ&IQWiEJ-@L`CJkloVc*_! z37sEI?F_fS*U9&;9^OF~eo(+3c~Iod$6S8Rw_1=){7 z3uD>G2E|2DbxnQrd#G1r=zy9HzeX0*zN+)iE8RLpok0ht2@#aZfXZvTVjidZ^D)E+ z6O0u!dc-T4yuM0VpE-Ezk*5A_q{~7-HT$Ya@C1AZuVu~c8cBrcW}_(@zw#j*y$;1vHGtEGnX0|^f2SLc8%8L!GBuE z``V_5iIRQqwX&U5S^<9OUsVax4P}(*tPB$Y=?9 z&ecGF@ObImy@uYV9CeR2PkdA*o+|rg{e|YSoENzsZ!>AmLPSs!Cmda|YoHOiTt?rw z&45`kqXgKv_v<_QlEgb{1jSP#?yh(>qI4w9nB0)%Wk2RxgxgeKV;$7goQa%0Bp zB1U4h0{R3zWp23)syV8TY!|14KVzZl9ab|SbKf&XhR~@+ypX^>9V}GfXTe#j@0Q7e zP5kE$=r#A_dD}I7lam*F{oBR(C7waH1bZ?c9(tWksQis7n{S_&YBuSO@!!SA-7Clh zjaYgc{hcxRG*tj-fR*dmwN;AVfy!Hr+J>lJO$#a|0SZ&-p`hwD{BD-n1RK-yd~VKO-|3p7Rr{$*)5n0zR5CLG#+&IXaL7?-#MtG11Xw6WW#FKG1r@XJhe(-PkNf zo;WvO=3si(1o{KP@OZTJL_@<@jma0`*zJ+dF2Nrouy+>#%e)7&@<*-_LZbK}jn9MG z*cvYK9b5l;v;M??&=LJ;;luH;kgii*0~iGC1$p~Wh)6&bcgf?0kBwri?fPd9EK_J^ zP*H|1u%>5fq^hhHLF`jNi^Rx0PE#%v&% z5BpQk(Vo6ntQQOKaYZ)?I2#z*US+a$4qcOps1EqZHkne9Lh0GS<=})KL11VZlT4$o z(}dflGN*HJ8N1c_z}L@fR{qks`hx58HeYu|Sd0Jt%nY)O5W#eVU$$8mns^K|BBZpq ziy-K4>ciu8{&;RE`WMJM1bb#6J~4 zBlx)YFFgjvO!)*eSPt=MMq_90bgu6)e7UJWZEV}RR$^vPV=QnKM}e4H&gKc$8=dB-E^Z`8rKa=R5*5;>_@rYf6|;qk}I4=VS(bN^^Wd!s1E`! z5M!_~E$lL}Fhy#-nONb&8bv><{!?GvtgP9>BY!+Pi{&S4lK8?dpLs&p=Wa%56K0|x z)J-y&W1Ygit8Lt(SJo2Os$XaM6^;ENzLYtEQ*}@MBDc$2AZw%Zi~luI^_^8|uPDAm zFuy^a?OV1$AmubSr1Fc|y4;%}FDgKX9_!iE3 zJ6VMygqJJ6%w!*{wjm^|*}(GXTn694ba8!Q`gmnutF`X0s8l;9DHHz|T@g8)F>`ZGJFC4{37^Z&7LypjJD~hodT%iq<6a`@~c*eFfl$Wdr_~c^7 zdCLa6Q1Hwi$mU>O!)7;74b; z5DRV~{Qm6KU#=ZU{P@4Z*iQ%tmPIn^8lXUcHbCCgfN5k*!@pYAPOG?{#~xG@AGsXh z5>RRV+nNH8>}hp8gM{Lmp@40so=jn-5&89XL_P{=!B4u*O|b_I!ErF5TPPffJkFkZ z>wLz_Cw|~TsSvp-BQfOi3ADXtzU;|*H?jBzkZ@Eu{rZ7fT|wi8pNp#*CmZ9(l))(c zLc6?gs^B|>Y=hgTL+!Ei1ze;7A+))%WKUL(KhxTQh=ZHTK9Q3kPAfvO z5`nyFk}o||$Fk?^z89cB#+UKRN_=**pRU`khyNwXR0@bTxel*=aSlzK_1%P$^^9*Z zlh1(_QuM((hp6m6{_kr0>HHV8!;SmyMu3r}0F)pCtQgaC<&%bT4?qCu?I)QtOM!jp z5Si*%J5A}6Y5PSYwl#|XGz}ns*HbtI;XGvzXdVwod1Ihiy#=g+DGZYX!cst?mnXa? zwfb^vacA+F77b?;(MUcXQUDhKc=oNg0pyRD)Lk6ZlKbpcrG2u;N8i3d$u5vc~p@U-3cdZ7NnVr?- zP{uD*!skFLNqn`dRiE3a6OWXv!(~LUf|g8e6}@O=`eM-IevL6-tSJ|zmHf7z_I=17 zQudJrs7BFasv(wG_qbuGj5IOMTJiN++NKRekuzqGqyLe$tazu-&gOk6t6iXtA$SnpHganLs*62D))02;rDHo5d8r)Eg+YGgGNHPFWs794WLpgm z;yv~2%E8FfwER1b39|%U^G=ZsmDA@v6=d&K=uo&OZ)V}W8LLUuZpz`?aweMSBC`UC zQ+mtVeoJSu|05;!Zm*w?i+F{a+BKzX)FuYKt^*&^WZZM;M~t5de#wpjO;)JQjK-4Q zTzZW@#5^){p*7%meE)#>bz<^9s_i}}|2^)c_!v&F2Q`9NDD!d#waI>#hB2L0*%|Gf zoa5YV-m@xR-zLHlO>V8L6fkm!LqB-=8CQrJ&!9<~zn$8US{e-etdbp9N$k3de^HV~ z{)L`aucS_)6tFXct;OXMFQ)P`g`3z0I?lqF2zvJ~szC?2qLudn{N6AnnZdJ!3%cdj zHp%1?QG||td*KVceV;+D$txxzjQoS8z2d)-$0~$tCuj{s>GaMs6#Iei-t=i-lDkhM z_V#S?SmEc{!#}QeGYfR-!uE+yq1IwaUC4W96%Em7e~N8v&9PSkByyTxVOiKp7P*#i zN~>4q_eYFhejP^l(AQVq;$F^xO$oMsM+F%){T&_)P|;oRLr*!1=0x9@O|qT}8CPeA zzXr;9BJBQeVl)eH``FDk>b#MiN4^E2JT`-@;}Dky!FIZV#)8Hu%Oo2;TUQc>C{pq# zm~Q6idB=yf{;^&_=>rUV=SZ~`FwpS*_iD2^;C8;KKnyWYO0e2Y?8<)hJ|c%=Ad@+Z zRbY;1Mn)dMra%5+UK%C?YlecvN+d5_xJA$3LrZ8cQJSldW(p$5RK}L~kEO5mesGW- z-r(C$mmNYZFT5_Vqs{chB>qmzJ%q2Iu@KFi!B@Cb1U^lX>(R;G>m7GuyU5;qfvUxk zs&|rtu8|{y){XIc%7hxn7V|(CNsO=Vn&~KsDAy!zJ*Rr^Y!xf#!Us@H9g0Bh#aGW? z1a<|sIi7K!zl(;#0X#H)Ej|!_OC`!IqP{WlsW|KAv|{IrPhvi^6Euzm(d3>g`UTi$ zX=9F-*T1-Zo0LeH7lb;}<<|&PrJdsQ9Xl_HA4l#zo)cWjiQre)O<6I9%#D%WJSxcG zOV9l#lv#T&EgQ=+Ndm=!2d-CkojPIa_sRY7Y+vibg65xxxajJ(f4m%7;Ql=&=8zIT z6Q>OT6;=r!>f(bCGmPdGcdaN2z8Hu-QUd&I%}`kLIuV7np^D!y3ty9ctmC&ze4yQ} z%K$G`nL@*oY~Kkf-qAk8W_Rd-T^Yh6z)Ihp*yfp@G)d=WPA+5#LGmB}qW=&kS%DmN z)JGjnW0N|sg-Ls9GkiyfM#>li^Y1~FWwi{c%OvnNNI1J#Xkh_1cOSlm@dtj~d{|j* z0*@W9ao`&nT;-+ArJokRtWMDPJi25!+Xa1%e>Pr`U7l2?ZHJ1qqCgHq0%yl8-O zjO~>1$&h)ZMSxOtNk$r8*T+BgeLh)uo36#a*Jay5<4&wBo71BNB^WUpR_u7?F`6HR8x>(Ww4QL~U2&%^@T=cb7chT@S(4+pcp!~(Seadc&7gH$;X7a! zre{d_99!dXJ+WoTEIzOqXhcB*Au%7U+CgCCe2M~Ztrw7db0|m(>21lY)Kq@AvDRfm z=ZJl!d5*(q<1Of%X4hfViR7nb#h!YB^7Y=J&2?7HPDx#uh35d8N>KwFKZ7R54%W?s zT9D_fgaH?!wJ%^$Dr6(D&4!q00Q=#lkkDw=e<4`{$08Y9=?;;rp@Y7d0z^;5c(n zdC7f>+epw->CPS@xT9{!RzT`5G%I(yr)bOAK_yOKLDO#G+Z5~%ruH(MzL*v{_jcp% z0!(Lv7pkY}Dgr}TmoI~551FJ}+Nkp>7BY_eI-I3>7P}d}E=}B=hAk$u(9g%lM+=;m z&=k(pC}HIjw^E}Y)3!aAxK%wkzqjS+P-ug3A6L8PmPK*L(k)vpAM>3hZNWT|C5ew# zT5qD^ZCkt;u9@`pz7wS1gs$+z>|KNSunMGQ*bC;iem6@QIb>O7X-Wu^C05wH;O!$% zxijQkLs8ahPw?pI_DbQ_Cm2x?$H0|>5DGax7P=l{y{6to$75wlN5pLY0s_1 z6dXxxJQ2(hh(Fzch-Q}s?K0UZ=h?LNZHvRA*s6l*@Z8{wM^ln-@>9xXu7Ch=f2TY| zRuL1}g!xhILTN4OuIb-}_==#?%7!XUrP(FeAn@NgjhIs`K->&NS`&-&3l*ng;EIt9 zn+`M#-q;`WF7UfeuIHeyIbynAD*H!Ri>%As+(#B`$c6L)sKzjC7megt+(hEE`C`Yx=BVcxGZX z<{^#07{&BAZKnmYF=g2zz;i&A;f4D*XQi`cPyXt>f~7*f_ulO9=4%9HfMER7soUrY z$P=&0|B)1AN0@9L_c099B}rF1A|WcQx^nBc=UE8vtPN^+LJ5!|6vO@oNg%@b5WHk0 zX}?~F=gj+?Yce)NDvqev`mDlR93}w}n|6!Ka=7s{BQhwfEleu={DJ2G-D-uwCu#`tKrF`&8i%)djd&xi62rr>9 zoo!-v8V_YTcZ8!K_eUELPZHeJ8DD`tinVUCm9A+OhZy^nh~dq{NSagmd-Lg3rNIbv z1`ZIgy9`+B5ttoY-sN_+4t}_&7ZvdT{S;XgZ|` z)J5(aNc-+4Hh^e6M&r)2X(TVi6;nJ$Vu3e-E=|}OpEOMz#lzPk#aTTTL|B$(uFk8t zR*V_X)mepN8~d?uO7U$@efY1s^3q}!l%;b_BO&5E*Ex*(lW~)m)dD4sPfXVQD+9MwSM$l}O4ULny0bRuq@bF_I+kY(XfR~s^Uis7$ zTGhp^0EL^ah5vkWJ@j*mdsQ4KcEpR}q!-q{vWoqE0aPSrs&FVeu8DiDMdha>Q(sjZ zOnwEvN8*uZO`}gTtu_IMD6YOtM-&n2nKIqJa6&o)G+e{Me>z+}(h>xXXWRC$nrqzr z;w2{8f~hD@%v`RLe$JyuHXJ4DzmW!cGKpoKt~R#@i3MTpZadb%1TQRck4Qbn)o<`z zL5^72tUorFekGGDV)vUL&dPdb#Q)K$&mIN}s-g58&=?rpNs8n^uo_~cIsZcjIrg68 z3}k3mRA|@)>Y2bF{V2`s!?`e#t5ocM(#u2Fwso}SZxky9AAJgtf|`v5aw{g0k|N+` z1K$q2`6T(4LTDiV$XWVaAg8Zh1aJfPmfhDFo@p>&l_aanf`=YBN$HE-Mw@1l@93%~ z^#%sCq)})5Ik*xi?*OR#6k-_`btoE4%GH=dNrOFQ?f?vOd;lQWu%2ncC0LuIVCD{p zglQi~ltyWAnyKC6sBY2sBbrgbvUS!d<5Fo){*=F-ib^S>XSa*;_45k;O)F7_4QjEO zsEd^tr$}|W3`4?|73OQ95E~7%Ot-&Y}d_SY+0ovN8t#D4A z2YMmKd|SZ@7^oT6RLFo1DYFLZx##tz&Jjo#^ksZ_5X0YQRI3&*#e;)dk4!k_uGMKgaK8Lgpovul132^9l76doMcoo2(gDs)vMOig96`_vLarjM9>I%sW8< z&ow-j(-E6}?M4c@&pTpwP%7QrJ16hnZiE2_n;&#aDe1-zQJ%On%_4t`pD_Zbvx7Z@)2D7@GTx8CL& zFhNnk+&G@7Bg*~KWw`EvmH3X#2<{bH6jqP{3Zaj7o8boMLRWX{^3savjgdH$G{bl-!YGYp}>yE z#>?EdBr^bPCA>Qp^U-bD1=#Ie-GZt!@v?q@Pp&!=&0=Dr_533j)$3pYT}^)i zuS~RPfZ9aAvoxJiW-hZ@`7}5v0HAncmxo|(_7Zbq4whmbRUDA!d$Na{AH4k}IECkc zeZs6SQ3<@eT00c1IYK!GL>X*1KuWtc5f$2FlqR-(JBk#yVUg0W?xHSE?b-RJ64DKb zqAc7MsW}m*6F5AOg@+GpZM3H<|6m-DaVX9<5}Xa;D6oUZ(=#svqPlZ+SR12f_OYpl z60ZOB8qq%ej&!mNnyTD`7T<4O81OlQK{<7DoU~`UHp?NyRmAQq&V-9U237%xZ^$@} zgK$B1-BXEKryNfODRhob5aBt=FHezLv%(sioR3TA(_Z5_urC{Uvc2BWqI;Pwk7I=u zna(esZe&ZGe}#Y^fe@l-Dz!s4L{8NPL%5C&V{MJz3ThNWV-+%RA~vdC@+PQ@hldk} zy;yo8HytPtJixX?Io?gRyRRl=UoCIjie651;aKs{nyIo#kCBJ(ppQJMT#NSCO2%DcOn<}Dhz0IM6%2b4^O#Q zr;I}_XLA3&{bNSY5zf)Nt{nH+o$V8trrIBtrgAd$Hx_NZ83F&kco{Y@kx#t-|K33_ zm3p%Rw~0IEnx#YzQTaa<+*dMZ^tw{l1tP#1lGeAxX)wY@tO6DN!;)hzMhGGsqOn(C zV_O>xM)@D*LtJcDQOkvHM(~$48Oiz2O4*c24Cz#peUe8ZGLxg=E9=1x!TKkJ`Wf>t z!r0GYyBvcnyt08|Na=hLIF2YikeEw0Cup%;Wd4I?{&az`WVCqy(CUk^=VYQ=xo zv5Hg?cdrJ{P#3FzgHL=0jpa~L^a6v#E@LA6KpcR-4!$6fWn^;09 z_|}7>Sr17V%b%{=gdcOFpgU;8VA-}kX%Jx)yJK9)1;2;~uQrsi(qMEn-&s_Uv3(lh zl;HMrH-9y@j+1}fVyf6Hc@NOV{CTM?x!icjnK}aN**@quJ-=WTbK)awVXhAyS>%Qg zy%dz17K0>sp`PmSz-yHoIGh{9k-LR^wO8**3#nQRZ>u}6X|dkkg*G=WbFC2O6^^>3nXwOh>yXG7D`p$kgIXf&%XU2O$fE}HZXYVs zBNp*IR_SACWUJNYCR_kqzD$ZcC%fjHr76|iZ?V(_QmU`Sjd>$^CQ4$ktA8+S_HE^b zn3nP@Jc)q<19r~Wq#68?k5!tjquix+cfU|g`m@eJX``FGU|_Es!iacTHxPc32TY@e z8NW8!fayxZ!4S{X6xN-EG*do0?#R#>TU$q*)ltm{9}Ng&CPRz3rqIC2Zz(jwk%q|{ zwtt9}q=O17@|@}nClpau^#Vwu=%z4I!PVn(55J=Ko%!fY~G#c_{7@ruW}&uO+cHweh7_huM_FKJ;x8N%Lj@@dsv>3 ziVX17gxUZTtY$>DNYGqDzu4)JzPX&W4jV&0+ZGm?|Lhu5dJ(GAJKXeH(~_@|DcV2j zlENOFypetB7i_zB=HaZbU)c$D<64EjNB&bbbq;6`C<_>KY{Itg8~yHeHbQN-pYqM5 z*dbVJm#J_qHe5s?2jV_@ba97Sf~?VT>2sfy_c_H6fiNzZ*YjM^DRCTo3*uOZ@?oA< zAk3}*ElgBdFFIYYQ(pg{!SxotHG$QtxMk0CzNLBt86hlUpw@3>KRY*h&v-cvwVeVE zH=z5JH^kqIrk4j|ht~V9j?*x`D>$V;WOQ9vzt1OjW28(@?+-JwW6WkXhjQ<{010@{ z%FZk1Q1?I9CjdbYNgKDo^hR zdIa~N=zsoz2IHXNQh^#hB2wCj*h9}U=Klg;U#W?|>eFg~q`96wUggMnyB910tR2Xi zbQ;b5m|#`8ix)$1hBzF6-=UB|61iua{{WbE$RH*o1Or??%I@57OFW%Rj$|Jg6+A7w zTr@LoH`sysdMWY@n&%LgTS;lI1}9y-dfQbrYZ$x4d<9v2xf@$#;Z9 zJ=Wp>d3eUoaEw>j6kq_Gi)*`hsF|(F1~~f>jsTfwv&uxxH5BO2M6*vXf)(zf>!v?Q zP&9(LNp~z|Ju)p~TcNPNm`X?3&;T4=O%*)kta?5U*@4x6_}wKX8OB5_IhU@u>ocHd zN{4XO! z{y7x}8zcGVGnI>#TJi)Pg~;ehH2Dk|_o{@Lm6d3Trbx2~}EmX9QQalYz_ zu-=0Fn5_lOTsr4gHQJVd~(I>az~6ZUlLq z4S9*Lb_womEe~Z)${q(pnq8Bl{tG)O$Kn0R*YQTE>zsf+0>X;1{zOaeHY zuBT>%@3p4o0Ot_74Uej`>Q)@CrgZLp2c@#QAVy3};t|RX^wCF5E^dkalf92HQ?5np z+Hb=GE?Uh-g@dHJkWM{nV41$1F6LF;=k0+iplU#&r%osN6y0EGhEG9&!m!-WCqwxn z5DP*7dq%BEILtFz@ilV_Y>Tw-V53v9q*VJ9%xNUG(y2;d=}1m>hQys-jvhxhRkS>5 zwl_PC&DSsc2mcAr7G5-Cme{2uYq}7bPB!F!HJ;%gcg8cC!>Ao@(4YM&i%7H;zak$R zRFXp<=wpGaaEc0&j%DQsNwU#Dn}h7OocF}?8;zq%(8IeL4pG^)T(b>3z}{d!c&t_O}zEdx^Ph3F)GUgg;8O<6YGkkjBOr zMDwz&kRu}yXn_ba_d9cJAExN?Qg$tzwyJceyv3F6;|Ejw5b=RY!gE}p$yk)59OJ4R z=VI#YeRo(>*|%sy69i47s9+5aDt2%Xu@jAwXi%)!1r-!UKxuYRK#dW_-n-5?WAAm8 zl7N6BP3cGz6N&**nh0;LeUcCqXXbbBd*8i(JpIneKD(^G*IIj@Lfm{KdAGUdRmIm& zUzK(ZHaYff_b$EpgP)D4h@6}LzI7qH*P)7w=O&$RRUm9NjLSsIW<=uU2V0wOeA{dDVfjmoyLkRXTWGO8$h= zN3TnLhl?+{w!L}xdC8!W_k?cNYuni_uPA)FV%&MlSab7Emh0Toy8H9;d)<5Z?8_eO z=Tjei6N;Z~yK{D5+kSsozaBNd=h(-78~)HfbN=m;z?}NyMoz`%EB&XkXgRlV&8-gxkN%iT`JV|cZr7ifsz#u#n9aOTvL-LFl9>`s1*+ovy-+gXXXW+ zZ5ln6-8daz^;fUj%I&pTx`Lkf#+&rsXK-)pUA-s$r@pv+RWH>&{IWst?Ne<`etSDJ zPH#h1$m)y6diLMTr+ZZqsGI( z0teL%;!K)<f&)GEl($Pe!)wwcKP&P^%i?BNAwQdZOfijJ3ut?UVldI*qvim z#Q!q0_273K5BixE%q|n%K9_LSk{&T*dcpO|W$jxyZgt@6kmEF?$b0W4U3#`(c-!&U z>f$l0lK$N2dG62%@3hl>QqKgOKJ0VZ-h1z_3GZk8b$`gykvsd}sP^lgP`Z@)vRy`~ z?XwP%b2hr>TfPa-`0LV|KE-X1Hul*4VaA7G&CsCN71x$*w2rAV9Jx8E|K7Np-fcS_ z_``qO_Ph22uk^31I==hatA`^VMc&kr%}NZ&-&^0)-}{PT-tG5o_Pn~eLO-u0^TE8^ zDFGKxj)*!1e@ATc$fqgm2DY1f;Nj?!URiN^y7R+!jUDW{Df!6`&htyZbu@H68z0nl zr+oZ+gYA14?$Wg0)x(0bob6N}HfZ;UtwU4i!A2bah>hc1+Ub{f9}jSs-R*u3}A}JGN)WCG68Y zvF(?$twkg4BPZA|e$Na$y0iDFb{};fTfGdMGQ{9z(&!Er@pV09zg9l0Tz2Q?5UH70 z<1TrZAnk!#*G_cLH(5FKT|xP{ElaW|#p(CC!1~ZLdCu13HzzSaGS2lb*uJnzb6Cwz zziYqpp4ytv^xZN-c%py*IUn6N&if)=elF=`8{@+CsDfwmQ-cgrg4cZfm3J@Tf+R)| zq~*Tf<<*|CLmr1Sx9%;V(^~njtZ#SqX-FU4QiD0&7QG!9>-&tud6hJxa=&!J>qG03 zhOe<|^ULZ(;o^1)WB%&=$8)Qa9f7<$%e#9g@6%XQE?FG&=-T@C<)MeR?lg0^ryLf`%@YxFL{{SD&yASqc`r9^-ejo9TI07F=`(%w%%)EN?ds5H#hFvS^=-HF{?e~| z?DrbHl19s)u6%Lt-s!1VICmHKSn{Q3|CJ9Wh83-M?XjU?!1{~cj{Rq9#!XL(OV*FL z^Tv7cI)kVyQ^z|MhxD~to-@%fe}c)tQJ&rZtagZA@#3ie3E5fSj>|-=tHw<^ysp*0 ztROST`8#7GUWdLtyJOn%k-ui#ZTPrjREML7)-8U#`qp&Y?ENOU!cB)3g~@XcSXmdk z|GsGA(U2}ytWGxT<2rQyB)eLBspR-a`BJAOFE_eh(H-vPmpUJd9a{Bo=N5Xnyu*jA zZ4Y7?^#j|T5ZOnaNpqfjr9&v=$(y$iGS)9TKhMvt+@yTjxzgxiFVpni>0BBtU*6vL zc+|(O^L;N0%I-aU!nDd6)ce9Uj!t0wuvRa-2FiAs9TW^Lat??O_vg*Edh+njhS9g! zoJGN7-d)P!YLo!bU%lHa&<;PIO~1N)5-7G+I+E?goW-P_A$cy7$Q={xT)sT^@g zH+n;V%fSom;!i%gzG2|K4WR+g6P`Mmyh^S-V&}a?&r)~(?Tl_C+%E08CF%4_j7~}P zl!k^$U9W{c-0`4uKu+8J$6saj$e5FvksWpXV^QqG!QoGOj-Rw(YuVG9sOW%YwFCap z-a746@P^9F$Tq8tIp#&1N(*9^Gu!l{(qptq`yrpCTll^wofe4N4(k*h)w=(} zycMsf-WRZs?qB|N2`eH;pT!*coBXAhtE6*I?vc8JT9HB9(PLb{F1lNvk|g7;)jT~l zvU|+HfB;RMt-lT(=$BS`*IZP)gHFrRmQL{!S{ycshN4)EBV)9O@* zZF;vPQ!1~Yv^JDGXU=%CXVUnbW7%8cA_gwD`4m`o!DH(M-ErZMPK@*FZC?D^g^@~cRH zd*Y;lIqzoQUS4izb?u0-eeNLpc6(dz5A@4AJJx>X_NQUj3~AEeChH_~9|*@@%Dfc! zs@pWp^S6FKv^r(8@mJ2$QExX)IT=4l!0Q|9K5o}k{~Tc=!-E zcKR@9wjZ$Pmh?vd6V*9um&UFYw&6YboH2Go$Jq~329Et~U=cL1;A;0jX?+TB$e$LB z{t%qn-Sz$AM9LHJq(Rt-F zaid;}on56|CqI4Akoqlo59VrcK5nMPT5Sv4dU2Ld%-D!_Gj{IY*!Qir&YU$JhG*}o z-m`t(+3AbKnzO{38n$DXZ!s8=_2$LVUW2#X?X#cb^M|3p^8PTjkda(I^|OI_M$4L!2rYs!peBQ~6}=o>TqVnx7N{kWRR zeT?c$B^ssCq7AkUyb|Puo#2)Bf37f*_iHn$h>p$MP=<@RF`_H$U++lJYM@SD2^Ld#WCf!tWL+^su_POnQ=UUJ*CvJ9le{`YQ z{G+FKe>JJs9}{%5BV8-TV!}<=%Xen9JJ!=IP-Q-O}1Y9u*0Xnb3dcpUp4B@ceTqa*ztPM!@YW64>*~vSo3?4Ecm*~ z7_DN<7cOu4^RMg}$FVgUQ#jJL-*J<<4;i0Fy_@q=HrKiB-3~4Wdm6emc%GUt``e2v zhTAoBwD;8IZrrp$Q?^3BbkDx-cV^tBFJqSEZ3FXc?X-R3!nQpUE?>RT z)fYbYwxGdh@0_smRp*Xa3Ien=|9X}`=22)&1bor!vLUP2@P;9Fi7vlJ$3E@#+-d>; z_e_@ovtvY-*Cuu`w;Qs>#`CSgl8I;NBfJVKQZBd6HI2ME|rDM;c3}-dj99?tJ$nE31a+^>nvM*?#w(V|cc+W!~6{rLX;`g%|ox z*^&`>Pa`?)9Ix)}&R1*a^qy)SbuLuYXH+-0fUZx=V|#s=F?2!5sVAC6a~rdR^*0P* z%(~bqqVz!PwUV6nJ>R-=9_-YgHP>qXgir0(?)VUUkHzt2n_7J9Hpf4%{nzV0tPH={ zfj%GpY+Njl1pzxj2P zraO6-+g>lT!Gq(^cN*rIb&#{wX4Iqh>#Yt;dmNasU+Xu^oz-KxM>n3kWH^m}C5k0j z{J1gjPL5;Iwm;}mGyfFyeznh%wJ5op_Nu=&Ew&hS#MG8Q-KW*f*m-%*&OJ^zYxTal zcX!_}=Ff-aoW0y-nMu9jv_*9;7oufpBg&^=IvJE1Hgt-HEK?dSjE;PL^~w2jOFs2J zxp|D&^Iv$}hhM%9-Z_$2vufv*o)2uQo;iy~YRq_5^Co3q>GMDTI(NDivqRg9y%#P_ z$hwx^d1^>e`zwRSW{wSDEX(iQ*tJt$dRR;J}uSN z|4vV>iS)bQDsltY*>i-($Ko$H3|i0enLljX{Anpi7CfIjb#tE)`=<_>dR51g;k^08 z)AVUihwn<7T2;Y`~$0dhvQiW+B163y?k?|ZhhwI z5Bp|+i{9$C|2TcP$GBg*oP6XRa%Wlmsy}?Qxa5BCDBmb) z&f5pJLzYZyf53TtpLCvH+0ZL8C%We`-NNjUyF*^;SXXw}S@w3YN103`LZeQn<<@N&vJdYwfmyoZh23@CM>8Q7Uk{HlGMR~OIy z(75n6_{9MO54twvcYMB4N>$7U}>xX%N&>!)J)~D$* zZoJq1HZnEg9@BoFbHj`Pv(d-C>9y~wzx2~Fj|T;JZ){wiHhG=R!>n%a4deIIo*VeM z4Pgv1`?AV>^os>+Qv5nBpCBGO#B)`xF)ew!%=PV{xJ_)c`pl{urY{_R=~tUJct%Ni z(%wfWQv7F4I&NGP{(Jm}OJ%nXirCgJ1}^(Y)a-pW?!<(@==399y`xJ`{?&?Q;CG1I zYLKXPFZ&)d@B10P__(C{_ne@ z^5l&HaUQ*#Uw@kN_-v1Mk!#}?whOFk%V}3oe6ibEb7`8J-}e0Ft;T*mI^7}t$|Zi) zM^^U=?TEFOr{s0Ek0-R>9DStf-H4AjI%I3rIoU2bSoElKRmHLcpET+}FuMJ@ zz1M3-w^{RY&T`@6SL++1JKBdl{F-RLTPo;6-!rwV-{n@)AwGqB`sDL=MK9~uYJxR< ze_h{ue-VG*r{9ity}iO{#bNhHdqOYYinvy8eQH}tkLuSqLTBshn*?6ya7@T6&(YAi zd`a)kvQ4$e+Xi@e9DArg(0Xg1E&I35c-)r1js9iQkdaXnO}4O-k(;tVq`bBzw+w$ z-&(i)ewLHhm?ue2vrd_AKG}E4Q~l>=`WKHFroUSh7T8t$U10glX=fInax3~cN)-9{ zTYa0-f(PBII|j8D?a3(p|K) z9Ns_NlvSj;IPv-xz6+bHJJvNPY!x{9t5zpQ4hg@|f!=y}+3U8k&I9$uh6mRf%ozNa zj^VOT)|P?X<5qpwoF5zdC1}O5?)x(yB{4FJW_G{1(Dl=&-=>)OuJ}t<(EZ544f$P- z+|O$*GTBo&Gs!CU%79*O{VK;9`rZrJVaPj{7n^S5+F&QpW1M3J9NMlu`TjmjhmB^j zBQK?lT{v*NU+;aE_U^$4pYQE0S(B(=(Em64`*Fr&hcmy`?)Gc2IJ9)`j03k>D`#oA zx7&T=@SoNh{v93lB8oC?U(t>2?_YT`Y@Of10lDjC_oKRX-rzIs_*;V;XHFfmFN-X{ zw7A>huyni2?iI`I%*AJa*}i5=$E#gMW6GCrn&|AHPv4yuckRo`S;s5-wSD5pYqfuO z&vW5h*7RTt-G|T~KK0ZxvzWSIfP3k5+t{(2i&u{8SH-$ zSqCQn@@pTHJM)Xyy6^nMJ^OL^)8LPi$t?4pZ42}EgnK`8x>Ql|^tY6x!M;MnUk+Wo zRAjGjuYa}&?QrauSDP2s@77xoypp?n(7-9bEg9A0NX1jxW6AlUL4my^ri`C>ZL(Wg z@$Q1pFJIbzt&w%VUC{O7*r|W*ACh^2dFxE-$|$RQ8N+tv|53!>vr&4oPr-}$Zy^mY zJ#R0&I5M~JfXUGde_U<*b~xioy8$&fhOFOQo%>;5nSEng?(b%GbC`#Vy-UC7_j=ts z+U0Q1%onrlJ{)uKzx4b{y8a#8db?Kg_1@iTryE2rj!Mt}>#|itpvInnwUak567{?A z>kw%>r%lUOnmv!nYB%%=!-=u3&80nqW}lRbyY;{Qunm{~O!zg?qxDFZL+r#PzujG9 z^coko8a`35&C%ZfmhJrM8_hc2Jb!)8%{{LY*h4MPc?G|bB;4gWU0>0)ucuT0><4!) zbn833%Wur9V%_zt4=xUT(`oIc6m8C;oT6T%Go0-A@w=3^IoRIfdhlnfyhA1xxq~`; z-S)Tt-QD=K`<@Njhpg!B2eD!zE_8rDi)i)a-I4wuX?M0tDq|nMc>FnZ;U~Yh20^Qj zPVJhx+sv{kY)Lm;r*kjj7u7`U$)Ds=_jFSwC-|7>WXAae%jX}xEFYP?al^!Adk*|H zcIAL@+mL?7y|s)NAF+D5e0xyGuiX}(T2XOT`Xh9`{_e3uSHE zIK|7)@P;mqI=1nMsA6=NYdZ}xPq$t8Ed9aO)-O9ohZ#*z<9Brp4sE>mIcnw5_*E|7 zE^gQ`Wbz@i=uSBwR%Ha+kFK4PO#ij*j5Uo?-siM&%hCmPdlLs)BnR&IJQ~#RSoW`W zLzg;mCLiwj`}^DzolcBc)HuZIR$!M^r{<5e7*Y0qz1-P*t&{sQkJW5f_hqh2oxGjB*xoCgyy4`` zc6Rq(>*2Yc?djp+#$Ms%#di1bW-oDec8AWc-mXq=t{VU(d%6>JUW>!r*-Jg#ynm$-Q>UB&i+A#TcUZ0O_U3&c7tadQT8 zRRq$ePvP25m^op}%<)rZvOV0{gO@q`4)#${uV9bu;LKj?e&?coVsf6@k2v0dDpmV2>X)`IL*R4h{)?*)A(au<&m zOr0=i!g!=uy_-sXp?L+L$NYN0T)fzM;H&%HJFZ#6tJUBAOa7t$`>IWof4w~>P~7|Z zGEY>y#GMy0yu+6CVdB`rWZFKN4|Ze -H@in~V<#PWaeZdxG`|vY@KdW5 zzh27R6TQgatjoMKZqFgB($?M_R6L^pqIRrHPo8f#ZR^&#%&L!rL8+rwpT)O2QMS?x zm{AzXgms?IOTC?!jbPJSk9Trg>f;86fmglEhpeMDnI5ADmqtq-vE)oEzneytjSVkj z&PR;+ty@}o@A=lDop>GMO3tTl!t52ow>jJO{X4P{`7hB?wlu2TzY(387Ia&Y)tpy!OtwCoh?OnvnJ zi_p%X>eu)6UuSpuH2hR<ni z$9@~LZNZ#A@pR3|jzih9@(vp~Z+c8Ges@jqq)nXGzMF?G$M^b{w8Yl$WBUr;+SBO+ zixyvuIz8`p)cNYx9XnlL)zy5{Qr*B0<4b2Q8lbDcXyWh81LJ2*Dd^}mEB@2LuxEGZ zG`hM(XoClIPZ~Yo)(I1h_=krUPfa(mW?9`lZgu5|txxr!Z$3TdbUayQDBE+v_0*~D z4GX%AWPO>n%uifD~OZP0SG2ee@iJ&CYc$J>yLiv+M zMnuYqn3+=_)#eGx3k0DV8|V>d#4q;T>VCk-C#rp~$d4mmK3wa@zp3~23b(}0rrc@O z`=W+1t^Ilr_Z=-5b7Fqjjq`JSZ^|2>wb3mJjeXjRq{bXGQ?t5*%TpqK{)%Dq#%?teZuj_PSHD}=3vaxIGj@(^Z zI5mBu=2u#Yx#y#4>8+D$>{Gsu530F3CvxK#`@Qg~lY4jjiBj!;X}BTl*fWV!w)2x` zoLx!ynj>QUG4lok8b z@a}9n*mw9c=f5_0KHU3UL*>CX3rmCZYwif*YJ)}XPM#eyWa$2R2W`7}CWUJ8>1mQe z@%RTatH)2hE`PnTJv?o6+|`OW$IX3Aa+di^FFU`qacn%>zn&4$ZGG&VU2hp>>yB&C zv?6A3q@5GKt(iams_~@z?JmUSMQ>hk)O*TO?^XLY^c}hXc5p(DaYpy^X?wfw_qrJq z8vUhIBBX1tV-57S$26VXLe`Kpm3HwHC_gN9z;YA0h(ogTF=J>Zp9#p^9hx3&w8tv#;Lq9b0I>rF5?Q&ZzJ|GdkS#b*eEO;C6$NY1+AQ zP{YKq10wHFPbKElZ~C2^x+{5A!A7Hpm2;L2AKU>xD%4ZF#mG~;-`Gz3FcvFAi;tT# zdzpu`mwO*?wwEWwMrVarWqYk(y~M+95L@YH*}Xj3qehc6oLV#>xv6F+!CgkV=Vt5sbNkF#p_DCokgMD@M`fA zi>z2lod?&{TFha|<=7TS6EEqTl_ciq$*Vbx17fWE$`UUz$;v=_=a%!Uv&2h`v+^Y| z@-O0o_1qGgWVl=`Uc$;MmQ={!^8*VVCF_{$&th8~Q@lhk>k}4}=~F{2dyB_eWW9#| zTvH>g%w!SlJn^``S*dmm>vH!w;&CQf@381%FCJ%{^+6zXGc^;BV`a$&!eyrBNP{a= zJWemG8nN62Dk>1tD;fnlMozH3fi3`25-$IWt=V(}7K>#RO27la30x3<9)jhwRbaya zEP<1#0$YiL(KI&r~pZZZ(0)COC;bT~J%2@MEPfyR-5BpLx=sFiX_qE~~ilGXVXCUH1NUPF*T z!+Rn^qbBf7alu@M7_4R!v|Qo@B>Ng(0o^nypaDPt?S-u1YhxqACk9aGzX>MeQX+jc z0ZIihl{*o!K*1Ii2$Ka$9&Ab%6>>jw%A_jf{x;CC*d9p&d0S-1Vrd2&2+K~8RMbbH zGS~4!{2hV9>}*MGeX&4z(KG;r#tZRvBwi1w%`TE8f~#A?%9cxF>g#~m>`F;^eFi@; z!Vx{>+HsO~tSM*39Q1|jShH_R)_WvCVNnjBol3(+#2F^e;kGmA5u;~=T=BMk8Z#Q_}A z90Nf}w|E^IO%SpsfFB(lzyOVNHh9o^frSCsPm>oSM2_r2_%ocF0-K3Eiv%}g zh5MC+|afnmoA& z7%%uRNuC^}O3c_vZVSc>&I{@sY$!9%0}G~X)FS&On(iC4)*Kj+or^|UOc~@lR$CM$ z6Gh2}lZ!c=+->0G3&VXK)kWkI+TzsxanedqEXp}6LD?v$tONu^rY%Z{OkEU_tPnOB zl=i!|jt$1k*v8iS7bdI^ozzTNVYHM1gC&FI{={enAy#0j9nno~@no}-`S^XCC97ttka#DhfCvpwLnGc^TbOnxN$6ilP9r| z$BQGUapg2gqP!SJpzI3PaLXxNHV9WDTMe;z4fh3$MCI@`@)&XCT;n+nI+~}$X_5);z$m+kp_SYF}y3#zAWyoUihYvl2O zwoE+Ug8Q1_7%q7vuan$@7v3mYapbSW1$x{9K*fjLE1b3Zjd-aZw-Uy>%HK$CLFA`o zC+19(hm-J3B69(YE2a2i0%fI;k*JRkl@8YDCl6dmR>k;54Yx~Q8-Ca5{0*|kibO6vZL zK0K7swvB;)YdzgouotPRfh(M5|00@Q(P(sy?<>B$=1iC|a0;JoJKl~B8*sQva)DjK zb=Fpktt3bF~;uJ`=Dq9MTv}4x1MuptE_^X}rKNCLsh*=?ta;pz zQgs%=2%0MjMrP&VN%j*~u?;{VzcE;D&Tp0s>eQLWODSXpWIwef{(nZ#cZ}tz)1xj5 zK#-$G&kw_(U0o=6*)lyaE7IV|g&tXnN-M?-P^Mf8M>$@AY~(czrWRT=eAuyRc49t4 zhAM_A#fX;`c&hz7fno;&A7GWQRgp5oxhxa z;;$w7<{*DL>iqqnAnbs|<*4!ZH=v;B4@$#21o7@C{DJ=g7D0WKveY#Qf|S>|aES** zeL@Mmqe6#5}r>#Uf6r%Tc|jGO@<>h;vWM*%(mM#l&=n}E)K(XzgO zE)NuZlRQBGeh!x%wRAe{5I)?uV!Y?H#dlHt(_j>Swk zEoZ~Y!yHb2HgNK{ujDd3Y#s4D)sq+U97plC7UNF|IJY491u(3R0%1CI@5B`*Fj$Ka z&|)To<$}PLvl%RR1n6PTVEH0YKN|*Xi#-(l?YRurL;~E_5sFg)!~FmN*bJSt4Xhay zIK2*1xDW}!<**N1XT#Wb znOp&lLC;9Z4^}6*MUX(Q{OuV*MNp!oF@fO_BlW9?#Tct2Qi7Z!lg-GG#lp&8<^M5R z;Dzv;r73z)p-fW%lI$1^An`(aqFM!87KmU}_ZF%4ku|Dz#4TIgtWT))Yx8!bO*WE1 z4*(`;42MQ(4Qvs#K)%cnx=AxzZbT8wD#3idqeo>;Ovoicum2@$TA>E?|E)c}f?Y5U zgQ=;ssZfvuc!ngfVbmrRGZnT4#X=Mw{Fb3|;kOEf0KbjI)?6llb0r3cr5J_zs;n*= zm*|w$F}6|mhL-mfb)d4mcyfi7_nDNGme-LCM#~dGiOXQxIzl2rY)>Ee@hGB|6r&yd zJ8}u7vH=KPIe(e-=JrXY!AVF^_60}`mCpb21AbX15>Mr?Qhiv*|Aao-9q6Z~ zYP{bp&HQs0{-9HKI%$SWfyU5umn8#x@NPm1a`&>)#Aks+-{u2Hj&Y=0NIL zNB5ZoCd6bgdx-WaTx@d@!b&8T!E6$t+DgO$5@vZO$cN#OB>Sd|TQglvXYsa{27qW_ zXR*AJ!|*^KN}nLIF@U}aB3JnFH#FriUbrwkGT_LEqZsODnu1Zn8B7v4VEDo$Qt;%5 z*wFbQ_8N>Aj93e)1#}(JGffj}HKBchDH!>Pp81-L7Xo3DU5LFFR4y}RTSz&KSZtAM za&QRjGn(6l@U*$YnWh2`BL;fvP!WY=A%m`5p}=$j^n^aGu#X$`;laLKz)3+!hxG^P zG&{|9r+6XMrtbvNbS)gVHJ?Va(ZZpdP-4J`H}U|Rwe}!aUB(~xZivkisC7w54#+S@CV?(q9Yl<2GJmlGJKGY%3DRssadtVFIb%mPCuEXS-X zxTXdikPTkuSx8AmSG~T|)AjaS>k6@S? znqnc2VTRg+QVPQiREDK&h8ZXdOGOMb6eg793^NcYfb!SD(-g$xKO6D*FG4*2E{Mn9 z9q{-%qO=)-QLwki3yjcV1bqSxa6-lSq2dyua#Ac5P5j>uW! z1Ryu+}<@CU>a04(DB6&=lvua_CT4Kq+3FEMyh%5~Tx{#5% zSSQ8dU17KeUX|ks6I<&nlKNypR>cWZ42L8SX;2P_#9o1Y01PJzZ4rCIKVcsQ!->vY z#Gd<4*aa|L8)<0~d-*?MUjV~(aCl4D>Hmb>4Mw;6DRO2r^BA0 z=>H5oht1d)gI*mvQ_{y0C3q~g$gw%LB;X12+AK=TSZawuj*a&!Z2Q;H?Xma2hVEF> zrpbGNe@E6AlS!6<#pPs{rD4&7OtV}p`jL4i#iGAG*dnZx;Z*bQ$pi;K)lrdByKrDx z1Fl>C0^vE7lj}?bm;fiZy+JAp$+-+`;N}PZxPb@2p;hGEh*hw;jX#@+AF$322iM9q zwFg%l3W47`I~Lzl}t3U;Csqh$5-wMiwf;Kp~rw7m-Y_OPF$?!++e3N@AQzyBMY1Vkk!*MKl2uKZ zn@XXG3brzu<44p*O{fV*#IHaDENiUoN{CTn^ln3lfy+X&f^i75D8n2F4m8C~I11sw zx+*vt8GW@(QH5cQzFaUrqD&~Uv6O^$=2*(ak`0y$v1E^>GAt4GS7FH$>l*o@RW0=Bmg~1WSVX#0y6w9(aNXK}>MBa|- z%8M?ckC;FKuWzD7SmmECp@6d-Nf9;xK%PaC%o}ct;r0V#O=atO;0Ub<7)w1o{a6<5cxS< z^Dt=x>DhC()?!x12r{M8G}!p&dzN%)vQF@yFmc+Vv~gnEIs!k$jZXE166{a&&%$pm zFIoc91NTvf)sUXyKBL<1Od{}syH%W`%06dp;Pr&ZzxpH#xgej(CvyXHnsR?fQaLWH9 z=z9MdaOQsm93F!qf&AZ##+9sP{+!kaiHvIb_cQoXvj{#%oDH zgNf;>*!f`Wm=2p*9EKSNlTh%Ao{T-7u>Yf+zc4w$!CZqd34M~`%F%BbmthtyJt1vu z1oGuc6BuR*Sol8hV)SSVz8FW~s*1!kkP)&jZzPczuBw0{d+?d5P;Qj9CHP^lgKTv4 zEN+C27ABFhJPAq;j{j|R7<|G3Ikk-g$PuJR0#=9NDMq%d*%p@z$a)NMXUd%|)Wm<_ zV*MR)K(y5PgF-$M{JlP-Ynz`54v@(EZUedRT0q|x&CRvFC%i~2ILv1n zFJ#jY$gVUPOa_D1ioqiH(=q#@>cA~#hT#b|d#1y#Hq^6hnGDvXa^CP%zf9<)=z(|L zVc98%giEYTZiWT{63D0kA1^wL#Q)$%Mvxbz7$gT=2?YkT6(pp}#H7Ozc-!iSZ6w%3 z(xn0Bam=j^G_<0iKVZskZ3qM4jGz#x+1e0*< zpi9l5ofI{s9hF5bDLyYnYIUVFWsxcU0y`%zNT| zt7L3(U_R4t(t`JDg$82j(kSc>%81pFepVK>q^M6)t1Hb>7Maom$|76(LRqwtZdMip zq_?3+WNpp^O1j_`xj*eOa0O9_M=y+Tl-!A|wW#*DC}7z7w5Gufwa$h~Pstr~c}NYs zYEbS!7U2HAXBs$RIpn8awb%y=@(4JRi8fFZ=Y^hZpk*&{c0nKmpot0MXafb*tjaKd z!xokXgEbw90eR4+`U=LtPK}j3YDhlQAPs;C=V}7px#@$^(k%QJekSp}6|KURm9yEyFyg(`4=Mt2_KD?4~0yHnczA-VK%>OM! zps@f?|AUf%gv*+i1d|;$3tOJWP+x^Jj7x4wQ~GX?P74&@tuqvOfqCTw4C)vbFdnVR z6{sKPD69y;oha>q!^i|zj|tZQHv*L<{x2{BhDQW!NYij12{X|^8IuwGE4X$_tzaD_ z`vlGX;Nzi=SVsU@GVS~4VHw~31KWTH1U!?bz$qWsT$q73W2c&=$fL(f(4_7qR;2<1{18^V?@=CydFX12;I2u~1+HfE! z1KG+&s$fk^=2I^G+F}yIDA0u>ZodDoB;7;$zmzb~Y?Vy2L4dFU3&KaC+B6B(9-R}F z50ZEUIn_mYy$Ed$4!8>d4o>p7{AJMq?Ei?(0A;{UEA`w$EyjkD*qYjwa=Z$LwvgQ| zS_GM-L3<&VLIZ5blg9;kA=;C?=`@}uO|=0n!tLf-*nG5yguNH;K98pMoo(P6fSB_h z(sIMt0gg6jag)rKY?W=X0ig3paUO*)1J=>jG<;&B1gyLOtsG|82yO<*ZUncO%)JjZ z+>j}O6Lx?dpaNikOiBFt$RbxC;4Y~{CLCo9<`%qTRETKjk)1mY1rkIRp$-d{|71(4 z04k|D4)ci1@C=&*XVTOJANJTN_~6QHfI)aB?Ih&O2;!W03y(C3o9ACig6Jz+_5Wc4j?^Plv6`N!Z4^}I0D1i>QxIqiU=482#NrL5L}x!A}YbULMS0$P^2)x zHDQWUhsp~ALR1lj3gf-Ae&@j+ui9sMOVgE2wKnQHu zDVDJr+wu9d(318|=Be5rBVG$oK$xKdOD?J`icGn9YRW-$!O$gtg`~7bAyGyHt4E}Y z2o1=IL7H+E{w}g4A1w( zM!@Xk?~e~MBizj)sP#MUyCxd8Y7 zdIG?M8?C{YAPFKip)v8B7>X_Ud1YtB)XJB%~xHCtRz{Im^pA1Y{S7jTW{c%yHAo@j|hB03*JkF#UV|0 z1WwIN9M%)~%6f?|ywT`UE~#CeCdrehkyrFtc#eQ(C&=gE9mQN|$&#caraVZ?B(-ue z)W*R@`EaN%9|P}^72wraMWG(vo%hPZj*-yuC0r!Xq40u?O!rFBCWTt8t%di*YCWX? zv-ly;0r}=m0Y0-q9D{)kd=u0b!n(gXKd_k22u=WB2?Al1D&$q;R~aeOhvzTVgsR$U zQ9M72`rF{q2_7Om4~q;~Zri}+!0k|mmwRb%cw1`&Kr4)GpD`8KD#Hutu+|fl?i&X0 z_0qmTX$!mt53e^u!v=V_QV-k@z6}{K9!ICa*BkV>@%XU@-vlv-zB(F5lUFuVq0?}A zG=U*5po1C-5G)pv{^bM+0=2<+`{ejK=@xj?7=Th{fQUd0c?7Nsj}_QmF}@S3K!6C% zQOy(*RJIByg@}y?sX(s8W1~XO{tj7lrpyU8Wb8YX%)dox-vUZcCCU+hi_uZVAEe z&BB}1$?A$_J7hH}my!XzQVp+cT01Co4R4O-D-~>vAIq?S#TLaPs#+Xw4D%3Q>BRSW z@pXA1Ow2*JM7Q|fteX1KuuuY&U5xL`$cGPF5R)T@LG-M!I4g>IRJg(%kS26KXcFS_ zeYx%6lNiMEh%kt6QCc6H5(bi>!mcn11$Oq&@cNqnfEWy&(zuyJ3Sx(sXer8ng56$0 z9mmL_pant{ra}=iLX8g9Ebw(iL#QW=GqG5wG8Qt48G-raRgZ8qAlX;QFIsXEE}=lI zck6Oqh+%6~P8ekpAgyoU5!2wvgQJ+rc5VR>igAS?(G4Kuz;7TjSVG>1Y=2N!Tx&)bz8QqLpn-2wya-b8Z81RmQNI> zQWL&;-&5iwPms)&rxUq{PXiUgsRZ6h|E3F{q{&vyWD|L|7$(?DV(3X!<@XiIWYWXZ z6K)Ci3lD3>5ysKssq4&fAqU&deh@9?m_$NvXxHV^ zGr}VbIKoVN1jizBT*z)#rYGB!V*=1Jq1}K>PY(}gafFfdM1VLh zI~w4s!f*N`{u|X?kqW=rkN9uRhsS1={15mM|FhHuLKS}VAMy8Og|1TJxBLdi4p z0lLA~NT*0HJ&z+4hljTX%fL=2+y5DTU&b+c3B&^^L((gmOD_P5!XpjAJ}9ylG6%m^ zk!41DwLsPkL#~F3tWl&_3uJ9AI+vy-Yc}&|biMeR{6R&R>CfmYdX;CQqRaYcbiHjg zEK)_6!O!U0(dNx(6=1 z8jV^+soia-7Brf+h;n#BN;))}w}|uovCJZ99MvMunoZ|>K%;JpIGtx-6%$UrlPuOf z!Dn^=A8MA{v+rk)9_R+dp9avnQmx@(I#5OF_ef*E@f=W z9K6EO1KR-gBR7VMF5wKQqI5m{?16fY9#{w%0eT>FMVH79P(^7xa_)R*by^I5q-Fn0 zgT3msnEgo0=Fjp*by~E3q$P1-P_Q~J>>p{Fy5+KmIxVAqq$Rg#K!Z9hMnBSGIG%n% zofgXAB{lcdys>a>{tNXx$D?Imio zC@dvhp&~9lj7tYIso>JM+md3aN%>8${sh_4H;0?>77@D>1^89^4XDMQjx^7TBPNP{O#7K99~L&`*>+XJ&a zVK}e4H(waW6TaZXn-$eAx_o*#T<`*uXz;!&R51DU2t|dRP-4fp5zQASL%k879tqr1 z9aH$#y#+!EpDs~U!D||JeIxjRX*5288AJLZXepnS#1j_t0~2Vx@LV>0xs1*48_5%m z*X0?%v7<-wS*3h@Yk;CmMGQ~)hN2GEjzF4x|bvfdy8gz8s3dN@?^SU_vuK=C^j#ZrpmBtAV%AWY-4 z68Weqw2W**aT=jGn;)2|p!g+4F-QO?enTiuR--tKPz!)$2uL6-vg_a5PFP~s#a&k* z47ckt5vIv2yDn3VPzD0VxFS2oxDxmchvSt%*he7rfR47%Ybs18l>>7#W#Y5~2etql z7BX2+`H2d2_^NJbctvE>C(Avm&q} z0ih@>OZY4?R>J4ANF~T#z_>9HKBxsF%J{4(o=At!N(Fks1%RSa3PjUzKRFvT4ZW1p zA83K;FAze@8&GHrz?lLrK+O&4@Qo8-GE=iN5A>@J5G))4=JDyu*-7SdGWb~vU?KpV ztp+d*Ni$C5(}}(FtMdimM${+-J`rF(pRSxd0wGQ{c=MhDm<|9JsR0D$03cX6F-d-P z0cG1NmeVPK1$;W?LX|T?AcTkf!KsIKj-Vg+A#fEe-`e#GORRKG*1VlP%c<%zA6Rygw#4~964NaV{jz9Qo$4R2Rt%@C!F9xN&~)^ z2v(}_sFSb4qaa(2r=%vHWP~RP;VGQpiowXxoF}EIkkTJ;VdW3Fuu{R35#dQ4PXxgO znGxVY@>M*kldr;~PQD6{0-PF88BIJX%!=?7OK>G&{AkXT5?3>xl(?Glq{OA<$&UIA zl0aBMI8$H~2#X2AID#;l3RvM7upnCf7^(^&L>2!xLRCxIDfRrUTEd6(w9|0b`92gvP_cgn?3 zWWFIa)C5(|2kb+cH^sh$KnO#pK>!n|1Q|YlV_ikT&?PmAq$Zn!N@~(cjfB(~k(zK) z^NN)5V=!t^NsBri>h6$&LD8x(PYNm-rQnB@A<$*0LH&UaidF?3YP72JL(!_>hd@ZP zqeCE*355AnII|PR^T1IGFnddF3TJ6lID;huV|)sPu?jfq;D{vQ%p31E2|Ga;Q-m{r zML4tl*Ws)sD-TuWcRqGM%kP?|5Vex>?hjcUET6s$h0-6ClNPq6##=g-_OX$~;Vgf~tqr zm@=JeRu9WCWyasM27?rjAD-8QKNj5!i!84ct29_@EAcB?QQ>b958zkg`5yl(A{bnz zDpypH5%RupMZ-A8dFD)P6_k!gOS>(W)yoOjX zEOKCJq}XTx3vRaPAqyhaMg*)_a4atIss8j*K2(7XgLy;P!KEwY@4~nIKv)|6&7z3p z^JwF^c7Zh!T*G~0T>VgWal}F)psLlqf|U?i-=y+HLmNuLdx-|ND#M&S948p8&UoQ6 zYJ!1{gR-a`Ul>EoA3j~7>;SC*AHoP(g~84du}{RTfB+^6I~X7!vLb`;T@VAp-5Ny) zSTYl;fjZowLT~)aP6$hkx3EsL6T;dhnb?#a1a-8j9I&ZczOfuv=CHPaztb@eymue? z`J}L^T3k-xQlgnnsW!&c^xw1`;73QX!A>yk$Atm-r=YPS znTV>XR75Schl~fjk&+lDpQYUE0hiRA7)5n^OWOe~3?5+sI7 zC)ILtaH`;%l*AbESzvHvSquKDIWg*ZRm7;{RS_do;A@gh1|cRKiHRePusjo0mymo) zEtv)n3x0|a1Boz1qc-p{05D5PgB9B~7GS`zZpms?d97DXUW-b9iPr)%CSD7+LR#=z zO%|r~UrqTbZ050IRmtgpH7OMx4j@MQ_c+{RKto5 zSD|s$;ly4eu??pG3v8oSS z|6qfh7{U0x1bCiSI{`n+z;MU6zFPd~5k8O`2G7C9;9H|i7>dtvP?CtHcUZ#r6EZ(w37@pjlw+wBOVwEV zf~N*v;|m`lJo5^lRrSY@^uh}{aKexD`r}7>{oy0M&Hh3QJTbWpzQG7DReXWR&wj!` zzFUCgX}`u#JG3MKcm+yi1G5aHJ$S2xu#5bi2R?q_PmQZ4 z?+@P>`akS_eSB2qoo^-y5Fjw2LPZ6fsiTcuuo(+BwrDewkr_LqP(`7N#3BeSFyYNY zTObOyo*UD$ZQZrEx;MS0Tf4QZ?P{-f)y;$%5?&G#7y=j|0|9qJfC&&J0U7T1`+Lrr znG8t;4ZHV`>qjQ%<$3wNzn$|uhwq18@b#Mj$b-kDJAy}|jluo+q|621I1{g}@{PET ze>)c;OImoxW^gVGli~gy__x}E2KN@==kX%^{BsF!t@8bAIsZ<3dUJ5x(eFKmo!#2Zl~8lwTnkjAsXbQdr^KqTvlBt8wd5U;7?=m0T&CNVuH z(MK|RCCDJJQYG+?AL;c01Qec(n>^Qi52f|6=bA}5o@>52QsPtw?LFC_AIOrZA&b2-AKTpG@*}=9jWy;Hl z<%~x=DLDahj$sIc@odcgk?Rk9mP`S|Q&|-23Q?da?7-hz51v=mA44(!8}xzo$K3-1 zh|#~nAiDm9ci=9U{~%7j=&r}-5q(*R@4w+5SnD0Q-Ef00Up# z(kK&!JlGkKkMoULf5chw!ATORDzfqv+rKQcdbKt$(9%9~YtcxNOqprpL$fRwxPnO@ z()qkW2M5prM6dQCDQvTWy!_T2A8haOXxN&N@Zsd32b;!@^lB$XNWKUNIrmn@p$L7Xe{Mn)~1Uc@Jm~{I(XUkhC0|_t5658 z+3Mt=mD~JbquAp8f5ri}{pAdE&8@9Ccswsv#blPSbSyqHMy6`R8QR`UVD6uSOTV=7 zT?rh#Y|D`Y#3yEMX4F~@N-nArHPzPHEV${>-n8Y)-*;_!@^_srAAc!LMUm$qX>-j_ zqkHkeKcoLa9302U#rrTd;vd=N<7xaYK8&X?lL|bgOQFg?oZ=~+G@VmzRr*XF{ThX~ zR82}TlF1<~MHCjO^)epeOL!DesP((HFs0juRGGad1Vj07tjvEhp0nh5aIKO-OT<>$6mpQ0_ zRp537V!i?RH<>Z*WD9>7(@uuyt(iQfC6)oPi-!hDN9#F2t&HM&CQuGATfPfABwC2= zqwR4~5(?-oAVh_>=}HbSbSnlu*tU0VMVKJcg50wQi?2-OtNNgnMAAb^a)18A$+f-FCpotNoxqEkRF1GzrFUVK!eDQ=%oS-QIji- zGEm!Mlm+X^G9VsR-=8C47G7YC^ur5XM7;#lQ0FW_EwUb4`-{%;V(DwPYWe$utqy-l z7usJoE@0!0Xq@s=g~+kAQ3F$H!g}9N(!4Z|`Q;V`04E@H{7Wi9EFOvr$YT_cCn+F0 zB%R1f*_uPdF9z`016_E1T$+znzD?_dqd3844^1x!TXBN#do})2WB>;*i!Fp^*5M!b zcfh(>A2hWI+d^=Exh8JZuupnaU^?lcTXX3Fb$En2F$?B6XGM(Ep3_rultElMz`FU_KmL7VnckOn@6jf)kPB2{stiY{>0iYD-zMS>LkX0bZhU^w*G zbcZg^Is^Vrob@;9tg#W2a@LRL$*77#hI7`*q#UpK<_cquIypc+f%OCBpZ6LOv?VeK zN}#*m=0CeiGrSs{FI}$TfDuEf3(-ceb{b7}H_V99t9>k%{Rr|+LxYt2`8P&!-8dRc z_YU<(@Z9Abq?;~1s-p#nMZT-|BDw^De|s@?oan1Mv_;Z|@kc*_7GZJsuHju<3G7Ow z2?ZgEdD+ScC4R(EqELkr6>Rm6w1SJp2?65YUad+w8bp4JJtK*HfsO|M(x8>#CXM0q z_)DQz=P%pV%k>R5miB}N-@yQe@qW`*fy;epznw^sh)cQ5rUx!{5@~f4kN*ha$2I8D zjlEVRe_8i+FUWvI?^PN2P5m4}EY3Zp8*FdObu#T)Y|5FOaP(-VIr}s=R>_JUAl<|W zQ$-h-VJJt84^b-`M^BW$pTSIaXP(1A3Wig;1;&IpQFgK%To*g3tMez@Ny>@zm?8%X z((cW3nzYcT%~2<6+6rS3-Bf(?v_(dbVmXLUn`E9xUV(Xz$8xOiT+>5+2TvMU(f?E> z9;1H7@o(s+#3Rq1IDSaRPcHMg&3|h~9zF@Rm`SS8Gf6M>OiC*BB-N*`OD*xJ!SNPi z-6drneeioQI3A=TY+}gNC9{l^#(X2z7gEFJEy~pT&u1Y{B0N^>2h|JPmsQaDWt|js zUcnzY9h3v``w0b|JEfrWa6w8zr$YISU!ywfDjja4iOpgdT9Q)H`GGXR=fy9r=wJw= zqSFoo5ZV686`dD8xuUaKN*3KiM2oUL@}KZ0|J@}WeC>$_4^&M~TFX;QI{Q$0W6)Xx zs}p&>Ye}a>YAEEpK&DHz=3x$k z&S5lCX79;fsx`mtrCJm2N}6&E80k2mkfbokECNE0X5n2479*AH1(-O51eEo?RBNWQ zTJse>p8BL}O%&A{!~e2N*ZRz_Q|dD?Wbq)pBDFrVs#~td>oX~aN-v#6_LCmn8*n9p zx9G!m6~Rj@G-1$&Ol8nRrgo{&Jflx@X@#b|t0b0Sl*oh98f9CY7-a9ocI!+Ujb28O z4=L@#2!B#{6`I;BsnD1(!X*(uWLHO!e=l3r(m>!y-aaMA1vnvz__u2!RYAh0lxNO0 zDmms5@$yVRAaZH+UxX&{I9vs?|Gzu~id;szQ!b=K{pt-l=q~=hlJZR4({}N%msfD< z#tl+Z;1B;FE4WlBWAhFKG^yZn&6N~f%8i1{@V!dPiK+4+U%+!ky3rE3g0cht_F_=z zdAINBzDq&8{+Xg+7K|DBmENmDpNM}yVWPS00u3&bE-bh#lY&c+wq6fVfBFFdL_``d zxP<8uQVK5fq*bb=Nv;p1pivG}6xp#`Azz@Q!M~RlT=+Dzn_|n0=xo^GJ}68cg2=p>g4XJ*n;vMal5qA@^*txbv+O0k&>Lcl#R821K2B+f|{{L56@WKWckaL5e2Oq|#R`5i5 zqRm}Z0Yaj(pf4$R*&*78@!qW0{t@0LPy; zVY=*%uEB`9`IFC|0{*zn>-b#>e1nD)xwNgWo6u(YJ+7*ayx_5JTy~8oBi(b&eORLY zExgk6ZM@pNJI!l;t=fd2dj5Q1a+_Z}Z*tW~UG)dCgB<#0Eq~Kxes?prsa$p|D}(v2 zQcj4%fy-t769C08!7%>`Px@RtPq;MR=>kMf5)jP<;tQT@z6&6h0Eiy|2rNG^zjloC zpW#o8Ktut=@g9LN*7fr31_F^IK#UY1EIJUmgceWS2^^pW$Q}UpcWitEw>G!|s_DAH zW6NDSg)MW~665kJTIRB49$V(KWdU2dT=H^*#&*Ec;==0yRRoaT9N4S27^d$$eV>#%|tI}w=gVN3HpY-+xTZO!+f@zVFa zw}!pfwRo>P<-P8_i)*E^Cjs^&F!mzATY40f)(k9`!k!OP9)Hv^%kj8lrsJ`h$+a?m ze;W~3wVeJK8;>X)f++5nL;Wg7}iEHhN68GBUCGKbb^CI@;c0W@^=i&B8v+-sezHGGa z?>QT~;A+6X+UG2BJ##n>=@d`A<@}vi!QYv9CvdfIjx<_m;qmeU{;tAqc&mNSm0%c8 z*=x26OpVKHoF)8~0oKR>Yh-{mGQb)cV2up0Mg~|T17M^zW#t0U;WQLMf-&Fy<@kBH z0zZ$3@pB9QEwbPTn`y>;tBZoGeLv>Zt};AL!C#!;^&~#Z(V9MYy{GI2TLn|zGWC8* z@JwiP;5(~kJX{hy9@-J`uUg|S2_6YG@@Q&#aDV79k7iT^cZH7g=!tN!CiD@HZVd)Q zAjqmUi!FF_GE~9Cl?6h;fMeAfM^W%k?e~^&?8nQ4tJi$9DBxe-z9j%`JT}l_Vfzks zT#i=^+dojp7-VMqA$1%M_@}iW<#DzRFKM=)QkN}wSF`<`I>u~wwO0!G73xZnTRZD` zAL~WZTGrtwQTH+O*T6liX3Q!V(1I62YYR}z4EV>j1L-rN(jxr~h#wChjnkXk=VR!ZA?##%Go}Lap<_I>19uRd_bos@bV2SD^H3n* zzgeGaRv6e!D#9EOmf+{n^5D4kMaFml9fvX=0LIWVAh6KK!+n6w@c{ec0x&YPi5R&B zjcdWT5Lkv`XIJ3odtqWAqqGwi4(JTUcz7#E2?~G~j)DPk9|JBA)e_dJGT0N7jN003dm4^W8k@=y&ApTHob7@(S=h>HtzLXX)hAX-A>Nku3gX92WD zMlX;NhX$RcJ>G7`RRu*6sr{raOqCRgT)l=cjccDPP50@gItZ<1CuVK zee?^Zhd6BfMPSm9^!kjzq?^+}${>|11Cu7CH)iNuSs2;9XeKQ{(fE(&94$EsR@o~k5ILtBddLHAzio_91&_EwedpvxONyebkBJz@I>e82=tTUJ|_edZ;XR$ehL~8!ulTJ z$g1|`uk!M=h`|wN$XSHA7W%q}_m*cR3F=dnRM7x}z7tlVPKM1*l3pV5L2yWWn~dzz z#dza4%QA-%pAX{$&vR>);F}Br#DFN+#`ghqwmCzmIE*U;FT)1>cZFiA=L90wxo8_! z*@{sx!6+DRJK!G?!de9cD`NM_73EcFR|&G%B;CF#J0(`gusfg{p7jOGXg>U_lFdi( zm8CmI>o&x{uyJ?r#icvt9EQX{r?H8*4##cEg|y>17Rv&w4a+h*ZdoRcNIwiCLz#fR zIgZ0QAugN<9l4s*!i-HW2_)vm`2*!i0O0(Q3IzpLZG-_z2o#vv_@6MKyKpoOD0cRs)9+FMbfwq^2B!igQ<_l>RagxxY=p>;n(ZQk_nY2ns;tYLE z2@d|3!T}n5F$or&`YcHR;r#m&Uj%Wq2GQgiae(+Xx&xnWeeQ2~Q!e;1;_8T}bVZ$~ zv>5MJ&kK7>i|}ssyf#jgBj@{+>nOcFL8Dacb z@o&BbKZ^_Svl4{xJyXKY459HC)NzyqFGMSFfUakti?KE6&SgunH5h_xmtt$IvVJMH z21D(_2MS_qFkDUaBOGAJU=)6SjSP!5JPc;Ea!#@KaD}^cW*W`cG)|OhLwf%d-VtEY z%6^y;{m+rPC_jl_KVvV(_rbTIt}ZO?#TH8?9xTk$KH#QC&wF58vS2bD=GQC4?6@^7 zetG@z^_~p4c{etdGrvCfB~J!6whAI{FNaUt6Fd{DW;|3uFpv=-l)@=|o!9}W^L{k# zAKV`bvz3KL?-&~t(0rfaFhx|2&A$i+LmjyB&m{m-P|BjvW8bbyfaxevc9)0GEAz_3 z^^6Q)gmFBT(E(xwn8o?!bSm)Ghzo!)2>>4lu<(VW z+YbrZV!nIfyO)Qy(c>Q#;&H$ZQV$Br0GAQ9;U8 z?Hh%txI15X&WW1YS0IKrAJN{*t|LjR{nCML^U3*mTY(rEi{5sH$bixI4-$Mp3Z%I( zUs}>f*AV^n2JsR0VC=bXxV4ROQ6+`J1vn3qgMtb2)loV*+@S!alY_L0hze0SMot`D zp?97EuFzXT4gpu_EfL2VHNk41to^3Ys_`kSGAd`9Hqrpv0iX>57Sg^!vI5YMgmPWz z8i!WsngCSjngEo;%#Q;qZ4-b>+XSF&`v*ov2B2(y@AC=bk_L!+Kw+wOi?qTCczXn6KV>WqGm!(0aMgW zsL7ZNPjdjNC|k29gQbVNl%gSQ>s*Ac6GA}=$9{eePUDqOrVa6e5k&~M^OqkSXzT5EMn*+fr|+siXurQ8ABcbk{Hq4e=i&eus|3eBpRU49-bguwd7KM?)(QAhn@OfMcX&9DabId>^*WD-0dAogezxVfXmqe2+J8Z{|AxCh zqM%IlKgu>`{U^KJ~M$;9KrURuSpk!7kjRi`>yP#C0P?`rY zivi+51>!9L@%k<(%~SBL@Ti?EJf;6cD+ow4&fPnu(tQL`a9K}5kQfz zp!mGH(ncu0qQ>a}6a@;39Jz8Wff%Qz%mNTD1;ikA1xv49tNx;zWF)4YqNdGMSAfn| zkj<*v<`Rgz)s%SvV!8t226ZK$K;$bR3Me%Sh!N_Fi%{II#+d>r<|!!5>dJINF;>l4 z1SpCX6a&?jd7SqaHA^w(U7_a9P*-qP2XHP!3(in!3$3Zf@fm;gJ+)J7QC>gqy&HkkH><+<4=ch z{(L#lkHl(%N1on?^Ys-xH~L*z^HP}SN&VCCcq+Is(ci-JIf?#!e1#n#c40?|0LFW% zi02b9{{+lGE_MXFVT6J=$BqYY#(bk=XRvF;;oykah2V&%j|GQ3-5%`s^v6Wu2Vv|V zQG&_;Mp6bZ`0hp8%ZE@G_z>y>A3|MdRM?zpR9GBuRM4MkMH<|wAiscz(CB6f9%((w zt_AE`#IAw}x(Wj5DuC}-T?Od(8h_0BgS%Q=f^Rkcw4BHLTMq^Q)c6k->UwMNca8rP zR@cM9R~mmTW3v5=jX#xf*}kmtA7t!Zt*yc58vlu712ys=!-ZvdHskI6tw#dQtL{94 z&kD943mkIZ!PNcB`1qaW;uiCBXIU{&ss8|qMA=RH^GDh>KtbW?_Al>Yy0lFE!~W0m z9U*>8$oPjtIR<3%mu-0uPY~rV{&e||?UMhoeeyr{Oa8}sd;6!>zeA>9{21Dp@wxa% zd!40&oTc|I9rL~EavCt=Aahw%%NOB;&|p9|KKY{xA7#5204yr z4&qONb6~aOnGPIHF|TX4;1S*HpX>UFt`O|d!p7rUx7LBOkIRik{w#-JgEBn(E^w6Q zIZ9Umj_Fy>(xPl<>AalQK?wzQlnyg*ag@%_EY!lv!auW<^1WW1*40WU&; zJ}qE^;@9M|4Y#Pa3B&-wcp&zW4LuHm1PQ#ZS4|Um0fc<8Yk_S%&=L^h{JKk^O+stx zM4&|g@_`p9pyTBzd-D!ynn3I;V{OFiA=^al=z9=nIf5$=a+Adqk_q`VZLP0_ zfC7qa5m3nTUYrb9ti;jSLaQOB6j6JdX?uOpR7DVSl%!^Boje<<5BziHjONHD2U>R4Y107eR2(25qESmH#>hfaQh9f-s> zrIPhRF$gXd2$FtK2o)#UM9Q#qX#?JdYSt4f$ggM;`tHSPuA%yrEmOk-h`RgXB*3Zxt*^p z^|Yby`#_?xB4D}Nd6LW8rer^xA}_s8ORtS!q_s7!^Nj>APb6)ucA6*oFpRnq25qUuS}RT`!ajmPFl^KT)w7vBH`P}bS{rpUZ~)-tE4f4e zX1W4W2UkZ@7gRT$IQ79K+7LRZ0|gNM1@cTG4sSq@HryeL}!lgNXB2Xw>$AP<~^ zA`h$5f%hQ7WNXtvt;U((ou3 znxc9t(g;x#w2`<-WD_Gala`7)FlJO4)zhF(WfFA&6qJTS3MFmC*+?ZguxV5s!O;+$ zU=n2r6C4p>&C$;DWR%c`N6@*KM@vVYI09=jbztt4X&w&x&~=FH;3%Jpq=3~41iHov z1n8iFw9q3dIUuK!9GE+3llqeP)7!?aTsT3>clN3u2 z>qMO<#+}S?DprI4I}D5sQxjAcJs#Y_%fNAnxh0*UiyLlcm!y~i><2JVL4gfANH3GA zoGWZ2RY`hu^)m5LPdS+^Wouy^p+X9#6ek0nVVI|UOt!MM1PRu5g6fdsV~h|_d`wO} zj>@INs18Y3)9uCMJNg)SG2O?ErJ@K13CF6a1kIv0L$k!kjEwsj=+?`lrArdhicWAy zqQ~e>v=vaJL~BPX#{$+#xD7fX zwtH=y>XE=(!DLa|3hiMa1wSU34@ZEo;TFLn32}l1l>x6ALya|JD0r}!ua~w-7%PBs z1!IYy^5XGR7Gzxk6USD;0@>ap-U9KQpbE=H@m7r!xDt*$ph^#s9~Wtaay^Okcp@o5 z6EuJbQh1;OJ;*cUSa2L}GbDLr50Wg=7Wb!h7*WLOS;f<2V@kR-D z>y!6GupD{-wzPd92dhFxe>q>)N8f_IZYplTokh4>yqQN&TjrYc)0%O#I*&)K{5j1{ zaX0hme7qj$y12ztc5lI4b8H*lB57lb3UmJEBN)EU{IzZVG;@A6_W6i@h>Iu8`CI-I zH>z=?k~eB`BZ`a1aPw?(kKMS@j*B1T=9%Ok*cvK&0T*MJHHWFEIe4SnIe4SnIe4R6 zJbIiXy{9>NquV)nquV)nqgz__I7deE9N;2YtoXqjyL48A!3J%4xi-#sa68d@cU%at z_mSdVh6Bx&AYhkb+3nf4+5B7^Ua%8U(xqq(ByIHr{B&Y`dE~7o-9%Xh;que)$pL=>VfFLu0FO5Fryi>$Gi^9JhZ}f}IfsY946ia< zcv#;$Gyy#KhxKnw2X^5T_6CajM*PIKYE>CyZF9{F4%)Z!)6m?Rdg-1_Ym*(Dmqo*- zpuc(m+C?kv+qDyTjVKfMqhZ*bU_V^Oqt>aSsIU%*Z%m!8XpY8}>g zXLxK`IA2nCqdn-a>}NVj*}Q%-9ly~-_M>e5 za0R36^VSAlJ7_;@+Unm74i&eYu%FvlV6 z6>Y&sinj_jTkX5GO&M^E9IZt#NB=d$ZKey>0~{`hFWu^>`)cg99HxWF9M__JQ4{A& z>TeV(m`)MAI%}1E53kmZQA7YTE%qj@0jQ7S^;3dO1Q?_Bypzdn`^D#~*vH1whNAQO8B|C03_z(E}!hYg7Mo|ISoYDngEL*n;HYb5H zTHharFo+aj{x(Aj%*E$VKngHBQHs@y6hN>Sd~C=7pn#xJ2+Yy*iUhzWsEfdOV$&g* z6B`d+f+zPe9`HAC_f>)W7)J!{qHsT-@IlaY{sX=(!hYg7Mo|ISbm#&wk*$@WorA=q z^}}JR0mT6Ga~JsH+7pH_n4`c0>-RqR^{f&kaurlaiahcf6Q zkV&|!1#uifKl8|aVh&Oo(hq9eHwn|JEUkV6_u}0rOsC0p(^hafo7|>sci0=C0;WBn zUJbaI11SYiby^kR$F(h{GxqHSs#?i>tinWXi*AAZ4hL8#lm`3iP3MG7uq04*(@_X4 zK9U5Q02c0P52}gE+N-GBfNP7X9&$MflNDE-05G+pnD!G;VH0ge1Aw%Mg<0U&ngA)T z?KHL7cN3V;Q)@w@&43%g)B$iC1Zxvv28k+77X%F&Gk|Rh0@z$Yb1L0_K;s_z&@T$x zDSH#`5}>IQh{qC|%_kr_4We20O#s$Joo@oHd14|KY|*v@R9xFm(Xk_jd4JGDx?Oq`GDqhI;5bA(A19+n`z%p8UvcW0`Wvbv*UzLWYSkC zi_@a z0GuMlVw^DbDFAD+;!Mfwf*P#~vS5y$6%q@(02;Wp3yKN?ofKNzXsQ&fzFG}5M+@*P zM@$kxG%xumohFGe)sF!dxzhTa;+8!(C^qA zsD6OvJjkAB#hDW11)x1-1eQu@PblxVK<@zNCionHc}}=6o;FA!=7Z~z7T~0XxLp7b z%uCLu)5;Lc9b>?leCq*0v-KR1)1nX|ak#~s$RYR|5&MbsIz*!Z+DVUMhfNW&4`ht8 z(ZDDHUr>d};{>4e3sZ!@&_@8d9liuWRtR^*wJ5xN6=V=;2@kLH2|%``(~}U$x-no^ z7TJZf)(W6Tb}2P3-hKkc2Ye9@W$PRwb9Al85HZ!;N0D2Lm0HUUVOF7iq-99zkgTLf}5#SYv8I_OedcLKTst_Xid z>HHyUbe;%1XwIPhWQG#51@&YGfZR!3#P?T2e*vUl#45T&IAhZ}Lm+pMJp>XSS?3a< zgh?Z-6u+@HSKI-h+(EGew}20!^uzYs4ckAKUZ9KeG>H9g0x$BE{jW6a|31V1>tYw% zqU`@3;4?nS{%#{;;2Fx%?Ibw|%MvL4V#wg|&aUV`o zFCnxNaJo}WaLzBlj--tj(<9bhM0r%INrwPi#7{Cx??NSbIJ!w2sicB)C7^VZoMf|r zkgHQnx7srC*lwtlC+?5Ie}YsPB~~x=8c%wuuwTg+y&os37Z~zMg#-a);)%MOGj#}a z92sejjN(j32C|imDcKGUr%c(4GquwW&6TBXcW6_x?YkYw+O4scH?dm@^9h5*DT51P z6EwYYawaI5AYy`iS5CPE(Gv7ZQ0mhVi3B2@NHY=&bOV7%9&hQ=J>Jsqg}tS-Bkt1g zwYf_l?a<#4NlVQi@$yIyDdeeJdQBk%{*};!fMccaaV$pofzQMrH(n+G0a8f*&d3WK zTA8+qdJs6YIIT8tXntBl;LsCkSOmK=)*SFJjBrf@y+(>?51KdZ=oj$Y;R4aUHEcRb zTW`V_X>NtRs2fGiDHv+{0dM+?L;GY_e=;*CPWWy`~5br{2WC{vywSf3ScCg;a z0~LM-#8X=%%mj#^0rAvmi=e7!f}8>Qo}fwQg;g40su#321)85QpMtVMuPlJOM&Smy z_h&K#2yRAt2P6S^KoHgQzJTA2yi4IoQcKt(mBT4qx5%kAww(-wibN~oC^iACx-m+IC7;jKaqML7CTX0(Kb5?p zduxR*mMM7~#gIt_xd*^!uQXR>1y36Jn^q;7byDSSpk_7kAx{=ZtKlmpZ4*G>K`aZ1 zAfiYvh>PiH@FW5s_@j~ZM-(u6Y|0+hXK`yaWNH+hkI=ue*iHuDd0cfgFCWncIf;QL!T?Mqc^jU(CJqLnewMEY_8FHXY1>?h2XSu|*prYSPwR8lm60PCX23Cjj@N_Hkt!m8;4 z!X!-r8r+N2j5!)zyzm{FnL$U`Hb9q6Pp{uQ05*~^bZ$klh$Lm$ zuS;x~1dO0Ez}H1qQn0{mw>g+avtlG-!~o|V4DA71t$0O?qPQ|MMvyGwMVN55)YsD0j)d1bRgGx-3if6^I)dJqIHiG%}3p0ieza zWn_%VJ~PS4FvwSI3DU%Lc0!*1RED#;9;)htEu1tXzAj1;-qhkPO=qh3GK(eb8eL#K{NLVJx zvUDp=%LJnW$Y7b2m8NCVlPdxX*y5HcZex^X^1w26W2R}D9)o4N#7rZ%!bDpWrbM|T z!=OMYB)95nO8|>xSGwTpHW=C``IRoRy7`q1>lI{JkgUs&ECDMrEQv3beL?3~GmAdT z$VhAnsgQg?H!!;E1H_VG>5{A4W7a&I~QBU?By-w0H@1486=1DDhq!)j{=O`^k`n8(6(|tb12i<{< ztMZ*`rohJK`Q988mWHHl3T#}MKh1*U6+ZVK8xQ$rp z8;xMNT{jAZVGN3dXjcsDXw{(8S|i4w)1ufGW?B@B)Til#mdl`XkmO*{{h8Pb;S>f9 zV2xErXhV!$flO?ua2~@UUUo)1 zFx+kqhZG_h!?qo2IA?2zF`P5n$%fd;$Egn&#&F!RtptBtuSq;Qjq6{a`G;-$(*uX5 zoH}Q%v0rF4C)&vS34z&8<`)<6QPqs)C4oaLPIcnMZ#of}{lm8K4eTD_>Y!+abx)z` zLpy;)YHt72PC zC)w_hv^$k&2o2Zx^-uv>4^P&VD>7eC1;{Fjtu7p!4@Z5=m~$=c0}5O2>#{KYHLlQDQv$0 zED#@@LH+@>Ulp{wqHINuw!F1kPzIu}38DeVa$u2ytzcmhEEL920brbptbt>oXB-2w zmou}$CwzfzwP1@AY*Dn@H>NAvP^f5~jyq66JaHU40o=CJy^y&PzC;YRVmT7nij#d^Sqobb-J|mt zSRnE^f*c6Ar*+F|G;f6rg55wgQxFX}<^YQ>T(;H-7Da*uI1P-my5+CI+U&C7=@b(~ ze(fiS-+{pFIn1nJk|4yEvTQpJkFcE~zjkG($k(Gl(gqBWQtd|yRW|AxHZ&yIE)tCG zxnR72TyELeTY1|MVXk@qY^;D^0`SW+N3xwEzIKt^UBIWHZ2WD!W2mQHG_yJ| zdnOYxSUqsA5Ln?*7@WXNOrf9$q+Ea)3D_=VTtJTlCQuWs(7H7O)I2E&iE-4i0z%wz z2Om}<#9c8gd%k;=0<*nL>0rFUu@`_G4zc+L{GX*O%fzlz z^T@Yyz>Q=sh~%vY4*Fs2f#-%4w8Y-)atX9v6}ZEMyIa12Wv^*x?N!}jW$kRuPPl-% z>yz#O!V3FI8h>O~XNfnhKG88G)xHx5=*Ay6C3}LIhwYVg0|qT<|A|jR zF@cZn2H<3@bTSe9Nun>t{}SGd{WmZ_269mFEyM>TxCDCx@ico)ulQ#6hHtV@@Ma+! zheI&1rxPGP3AF`2x-Wo?Tj^4>?Uh7dJisOLAWp!*+ydr{{U<)U1ax7(fw)bvyhnU< zd&4)`F-#k4-$SopaGUOc_$2HV@X@^jjFvFJKrvr@!6gzP?!dsj5X>h&MZ~8^Z2-$% zishGZ+rZaj-`O3mqS8g(NwL_fC%cnh`vJ)Byi4FV43c5rE@2cyAU{AY=?+Lc-Nw2e zL43YP5MSsK#PS|N+|VOzul5MrYdykN(Iaeu9$~BQ5w>kT!WQlkw!=Nb7U>bTV{zCZ zmEN*HF!*+ty~967nw62G9!}1~LpB^vm*;L;9iCR=$=fkJbj#8{aA?!BwKI4Sm!s9< zb#AF=+%lN;4CZ8>J9mHop5Qs(WUTu4Jy3_AN5c4-)s~Wx>B*SN!&-BaY`etwOb)nF zK}sIr#+Gxi$tAr;M(cWw{+{nS`h(s1)S*0Nc|*5BtP#Jy+AGW|P*07~8S>C|eCp5~ zx>wz8Pzoa<@o4vfw*j+?xl_Y!BLe-@Q8wtTV(YGPbs}ZzK9DwGRxxyH_-w%ZsiJ1k zn6YwKuVk1vTaWsg8WSfX$FV)?XHQYEUWGuRLJxzxx|DeI+as8%;cil-+oKujDZrH) z33A_!dVot`t;IMnJG>yD>gihfNHe~JbQlcPi6xUEs z1P2i{N>$NdBa4evj-;G{K_z{?5jcP9_)*m=VHr}RNGV_HSv~W4Rxv>l2`N#Xj9g;T zfV5HFjE9(sGG`K#4djv7iw!Z5N8MAZ7)AstMbH!hNKX4DvMvV^dJakh%`BRB6PijL zRj+0+_h&g3M36WY#nQG*Y$UM5dm$_UFk(&ATY;C6Dj0Yn@7IMw6^T)R6@rvY88*c< zC6@yPp$b80W)CrLpqXV`Ae_xe@;}YWvgz(k~O9Bjl6BS<| zWH<){Aru5e5DZ441T2(50UCwi6un5U69__KLCE|6SjcP?tR0^+O8)T|@d?s>P?ccb6(hW)bCk=L%K8Ssb z9?jCXL&AnhsNLi^2X4WhNjSo;NO#`^3xG|PkYbykTRgnWc1Vs#T-?!Y?Xe7@foXJwW?kX8Cfc46t{oWjxvh8LDTGP1CA)~MDD@JDNM zm5qC3SX!EWdtvD9(4F?2RiM$3pJa~Vc+DmR^e7Zr)eLq z;nrZZaGE}LXjO$7bJEbjVQ)f%{toO^V7-V2=}yxzhy6SPEvE_Fq%F*Jnobv%&dqda zyPQ}7r)DbDsvJ;P%v1<4@b#fgr~QBx<8!7Eu5l)|FnwI8HE|}~w-XXfROyIMBPHnfEsllmm za$=K|_*4#iC;XGsbWlxo5>p`u-S5LM432x9CXOcr}awsM_6zOuDV1iY+PB zQDGDmjD$;Q;N<0+{)O6>1V;9A;1KvkgbGch-EgP2-w~&sR^`+YY9d0z9rlJog%P&n zAcZIl#7NPNw-t*DvCDWIp+b8n_yaDfX-Kz`PHmSXPB*94)OT?q0lZEjdIuz6e?N3CQ7)d zCaNJyB6PT~=%!UCBh&%*fJx*~p>W93n;Jc7v-F`J*?QL_Tc7DsZtr@O+lP8Iwl_T* z+h=-|*Sj9&^_?D#?@f=!_n98$_pV3zeWphfd)K3hpIwg<`CnlvUSul7H$s8kG1#oZ zP%$UIJmKG-?zA6q_>X1a;sB@ptiyj|5Uvh$+K=I^5FakE6=v9MP(?8mo6zhkc{GBU z1qeYFfe;?fp~boaSf~J0@Zp5;IiMjngV13-d08~fBZPFkLPPAhRx|V}I9@`Bu<1t#7Yy(&R|v-wKyle5 zp-ACXa@l}!BtXPA8oHjGx-1Ij6F~9w4C92ySHsf-x>2NHP8__Gmnno32_Rzx(PLrp z)rk=Rq6H9w7CHehM~!J^p0tgkMI`-nExrno1)#H$fS`m9-sOs5CLv@@(xV~ltC)m( zk_#9?4qb~chlDUOgpi?3FP5+`LK(t0mP71m=6%g##QC=OyNiZD8X7! zrm#F)K6UfvgM^Ix%%{u{C;%PD}M8~-(YKolyl$MmT~{GZrOeN{_w_QA3Wdr zbn5xHrr!P1!cF#9tG}4>M%9`b|B-rrdT@BtY|1Epeo%j9A zp8Frz^75mneYed^JwNg6&zAXS|8B+b71isq(yLxbJwJEx{q?O2rffL-+s^k-tysJ% z^*puSn0lUOO3%m|IA}2ThnN3S&wILVv_rk}_6c|NS;aCT&ieNelJ;N!>;*@Bj}BXI z-4(%R`PhW3KmOgHgP(^j+{CI1M~~;B8o3!CwdRHGXgenjKPbTB6#JXS!Z=%Az_TVC ztt!H$7W_Mff9J8)M8+ z^QiQoA{cbqL%7!u^_jWmubIP{PHO;Hd3+8*)F_OO8W@_?4n`-GHJeZ|!%;gr^+(|e zTR4O=SlltSV$%_GjFqbNLemGh-Y~#nI*$Mc+f$uKolU|-Tt0)8^t4k8VDpF%2?J`J zPWv{(z&@y_aa)Na4lC+-=(^<0;6kj2!A_AFJ^G=v6j1Q?6^d%olqFH?Md`R?_aLX~ zC<evWM*(C--EV&(R<&fa5lW`gfVdZ5#2(SRQGvto%hL!0&_}0>0It?) zil9uL;6#Pf)Pb`$R(?zrl<_vAkFJND8m{ic5q9h+2tkM91FAse|G`X$HGr!;KA#CD zD(|G=nZe-1a54g-!*)s%P;*6bl`VBzNI%fK(A0wRHUJ^a z0A!0$zR=Xks*wqFR-#a-AsFFkN)%X%O^AY2kU}B~xRHTnqz-KDLrFj*LVz+XDz2QF z7_$~@uPrpSqDSWxDSBh#y`a)r(|Lpmz+(3xhoKA*%t9&y##eHH>a0@{00kwH1E+Nx zE{AGqAwO4A&>Xi2out4e z7U58mMd*MX`!nwXS31cY> zJ(`4qWNAn?2|6cqlK{ojO#*y|E)C(hO*ltsxWpzjC)tEf+5|Y6E3*lF!f=UAIQJQC z!uU^N6R1XgWfSsyvk6VfHsO4q+JuR{*o2~FDM+>nItO%{0P7RC33(;&t;N%QWEz{# zUc5+=P{x6x(8VyQAfan`ph5#qD)_31fHX!lpaKCs22k#wVdsX8QI47Lp>TuBbtWRzb;#Rt=dH%^D)w#b5QEjMDq`xs1}I^u3H?`)wn3>^m7v zvip4|qp;$AE~B)}eJrCBuS`Z&!A5J#z-RVQvibA{o3~D0PQeE6w_I`liuay+d1ofL z($~+8oyqZc$P@T`$$H;lr|+&THaLf`+nqyxi=T%r_<3Bm->O1>+j9KkMedNWo%#@z@*4zgSykgb|;|>B)05;5WWeU#Iz4ZYRe9^wLw2q z4CTavolIcSP7Gd8_W<&=+}$p3$O( z^d$`9>4N^HyN9upp3nm3fbw}9Ih}jYAbM4fk8Sa$Q3IRP{qZI;S~i4ZtqD}R)7oH6 zc$=OOL*X5nZH6}lP90N}xnYmN0+&i^*`vQe5_gX>F*05PfwWepjyp=;WFG**l$H~p zWJ^FnpUH`N8$i^;apDv?tDe~^%f!Zmm1$x_g}d%Qc@I-294JI#yp21X9aP*`0c)Un zC2~|Y)??NL_vM|200a$ofLq$+AYv8nBbAkzVZVg?d|!*x>)ekgvLuyazxZ6?KHqN8 zNly+c?<>;__mvOkXu|!tBNi&hy>XoP$|ZMUKDq$pZOS=wU|~K|SmmL04%BiA`f1^T zwof2{a~9^q>WmeJv(I-4SPM2HsTvkk|OfG(2rsexZM(V0hm+|9g6QN zKuz#n*ZP(iTq?9)#Q|5S_DE8Rw~Ane@t;-g^|&F<`tH@fB^K%{wQq^xWj{mhbHVy^ z|3zw#iODEK?P=q6wbug@lJ-i}9$6~Yyjk(z(EIu3PQ`zft0wrb>;1tPUl!Ce)hpHe zbA7D$D#D2~zX!cP7~9uZdVeqm&C|p6d@%p~e~I36)+D_@7+YSX^j?Kd!uTuE`$S%9 z>bQ83L+ehTBkAs5pOBtD;pLMYe3EZB{5pHPIAr(4P~8K-S|kaG0WI-PmDxW2YYMW0kehfe0fjzyS%C^-)C^Q`q)fZ z^|6_;>SH6IV1YQ1va$)lMp-iMO5<*n_mZ<#jsZ5Z{L5Q<-pZ@+7paLWTfkPZ&dV00 zbv$+DJr;7}xhq@HDWa&$dl;DoU0%h=Nq#WN1txhvkXkvugwr$pojx!Nw)()#VfBIO z;y$f+(+8$U(+3VJ(KUkCBo}s-WLkGjoW8GRT2E_b=%f&{Ph|Sj_!6PE@*hHNnG#uPj;1j ziuEU}ukCKh$uq~wQ5eOllLocw$yIwbj-Ge+TplpkY3ip##;Q+kV63%a#UZu2&`zvf!6 zw%uzFy8X5Ny!PE5tVnU&H+ij9xRvQO?ZY+P>W>y))5mVD%7b+xXyCRtp}|nM*66Wf z|F+suUehtR{k#WT3&`StEU)Rb2Ma~q+AgnlK%dE@Rk`iEIFkopaG{9Te!ykL1e_{_ zi=2v0Odor+CQii$cEWKaw`H_ykLdmmD?1;MKu+9Rqo~eW+Jcde^HdeW+K{d)KS!eW+JOz3Wv`AL`Y--t}r;AL>GEK?3iMJ;$0l^WO74yj!V~|<2D%7@@PBSC=IR2W zM?r{-gb-(ha0-9uCt-5vDgokE@{@!Sk-|jKLkIEHf@K@|T=5E}^MRr0R{(Lyq2 z#bLxJA1{ZDMTC)#S;$yR7_X9JCX5KQu<9ZX<7EotJi;g*opcmwyjmU|Fy@htBXt#G$C0LFaM(GrL8j0{?OG>&~0v`}THkc^2VVuW^u4nVuM-d%hTtPY(#bLZm^O#Q< zi+eYZeH02}Nejscf?SDpgjpeoD;PrdY##e2ge+M#0B@W9yR2(bB^AVuuCl*MaRqNo zWT1$Wfg%c4wRkd6M9DxAB?Cp2j9K}vufM6+Tn4x_G}F)wi(5PznrUdJp_w)--~8+= zve4yCDa>3}{pbt-n!B58R%+%%Z{j+Z)blTY-Fu8{Ti$Kdp5gkI)bsqeT&KCF<+{3l zf8{!t)bn3IaNX-%`!e#Gg&%PJOX~SO=^4M}nwR%|#ZIn+Nj-nzFNg2v+L%LcUfjj? zF{$T1?T4qhCg#uo@cFNEolNTagwIvo%(XMWyk-7&uAfOg-*Ml`f8v^%=9?eL=Q^6y z^S5@rP|CG6b6$S!`&?g>dcHjU?`CjK&Dz8Nyol>;QqM!@9q)1N&07x+Tg&w~spo%e zntOt4ZgOsaa~#*7<_fp3Mkz z?N0Hcp@X=7C-wZ}FYmaQYj$qge9L39jwj{(_?H6T=Gva7e|zy2uJ1`bKQR0CQm*NF z^)KI_$aOxc=O6y-@yT5K^YsbO4(Ixx)bl4ZPI|cJ$CP)^yIcp9dj9wS*ipx|L3!^# z)Sv5vQqMLe|vL~Yl^o14@WcC8Ks^tZJzyou08tg+ka```lHnI zkN*;#c>-&YioSg9B(6hBJzw(2w%>4V(y=?Ayq@cmQqOb8%)W_hl3Lz-_5jx@rJj#i zx#=%lyYzPtE@|farPTA6pSa~{?cHD8GN7`;TJ`pi>r>Ciw1#UMR()`EMg5`^YaUp2 zCiVPpzH68K%TsOr|M{ir{~cU4dr<26zYghqKl7z;47*|SsB0z+UVKC9`MOn^H=X%@ zW9~0(RRur%Ny|3eCwJS zsprSeHGJ)lzOA#aoj&=#7p^N@ka}+H3zfQ0lyQ#rR}<{F|5vWRy0Yp!o)dgh0X{oX zfS9gR3TKSA?pkv_d2i zOnsj4OprU;2jru6UOd)9$pSmzO*QY!@@m^~;iG;5|E){wOnhu$58-n~p^a>oi4thQ zZ(Uk9z-tZQUchf(+JAZAch1A3^U!KiiU(|h06OIb67GV2+!9OqEeGQ&9 zcdRShF=zO!1DL`i3Cs0`fuj9OeTc z-#)gElP~B7Z~gN_JJ}4p)n(6Z4d5w?BA*M)wct^SkPpq-KTf{wcs|lC`8Ij*(KZfYiAY!dH(PAjr2bK|U0M75ThYJa$v$ zbKzaSTs&Vf$R`LIxJXTtoVv2u%y)c^cb~a+@kVrVc*c(WNg>eYufzQI>D9c~1|PZ$_w@ z&3dwYkJ0k>f$7`Xt?4^$C@;u2BNR?DeLFAP^trCU^buKQ`euZt;W2TyrtcwJf%>?l zkWXyieDmHOY~R#StB?;St9#owrB7^Ms9W3DZjcYQZ)zx#WcxywZTqHQf$bx*%JxkS zO~a$z9&Fzf_2o;Qe6W2_m_O*j_PIl+b@KIK`%qly1KYQ&TibWWP+r(Rcc?AN_U*cC z+c)nDY#)%-Z670?9&KNd`Z}kOPi)@|b7K#-&k;H==rf#9g`5oab5_G2y~ScHYb%Y|_zG-4*T#uVeR`s9>>|XWV24yN~3j zg?Y9EXGeIp(`X4)F`G_<=w9=4V^K@u&F_@+_ntR+Uv{eD!A6Bl0frHD{iio}PhWKH zB$3Aq0+9>NzDfmb6TV~;r#3bd(Mb-vpXBg$XqumfEk1nx&I}}Xd~Lie*qp_jyKp}m zjMK?sj<$gzKfoLPt z`{RNihHvk}Job&~ECg;p*INTO5|nqrc`y_+avPvsxD>?(G&%w&yTHxM`vlzts{sc3 zC7O3(dh|5;A)F^=$8E?`xB*s*K~qeL!lguw$Sfxm!<}*Yh=QQ`X?x{n6K|3>y0`#t zU1rFS4|#V7?*da03U_rGQYho@2fRzcBL|~kAd%zUgkz_Fw|V z6OvT%Nwi1_o-hW3i(H&My)jV^#rk2$V~V2xO{Afz+O2^-P;(JMx4$_>-+zl{?zN}$ zAW=$wFoAn*bDnS#1kWJBVFJiTuW4t?KZ?YOJ^79(*L@Lvs1XFe2glMZ#rgYOp$<^1)$GO*%U+e@XgpGq-;D8$#b+K)@cBzfP z6;X`nA@+ft=+;Ki0>MVG-ppp-Dbm4-3IXmZ=EYx>lf~#yGbmP~GMPn@@AXrH+wYzM zX=&I(Yyfoz-&;71>ya_|a01Rdz=Y=hc%}Tg&C9Xt*qU^F${7NXEkxXl3)j2Xw>& zs{jwazi`pKE_VlPyl- zhx`L4Z3%v=U=X6Ps?r7H`8Jt92VGe&R~*2)+6)c- znz_P^E3ha6E>6K>A2wfFdNEU7S0`EOBzo5?l-&5ET=eq8RSKa=*>HEfh{qi53|cbG;z>Ee!`xBF`aCQk%==lJ=3-6ATPyOMM&=d5ZVHg-2DF-go_^-nF(RXGt;5 zbe`+hSmbMH>{#2GwrqSW_9J9}5Oh=ICJYbOwPA?NyIo~#a@cKYxb^mAcTiwhn2tzu zC)?9G`ObFjLnpN+j}$9}j9~ufHk;SI1%wHL1Q7l1rSt%nf5lZ!N)}A8^5R)PNwdrf zxV{nj8Oj!zqYBKA>42?mF%h_B^Wf2ZAMqy!y^CR6JKvCSh7znz6c+Kv%B4kqFQoIC zG3X;XXgRupEhVmtp28Th)BHIvXy9kr-9$be^H`SuKAGGizaumP4F~(D_%_x{@_3UWklL{|9#f)mL1-HZo=O=>er9?DYo-W z>(_rkCbsm<8Zy+JoqWuD#&x3|+Ze~Zmw}Bv2W0l^KNy>WnzMO#$k60##&zRba$8>G zzM$wnfP0Fvds@Fi=FEXZGqQ%H56Cw4ADlKYeQ@TG{^l&xpp5K(LkFY{88jf%G;}b? zY0e(lKjW__UU~hUzh8UfGpl~&&3fre#gC@^msa%GhFjhL>tfct_YYVd|9Cd-*t=7v zzIWUd&VKBTKhGR;Fs*sR-W|?~i$<{g0K7+_cGu ze>?N~cVeCIkN)`l z`#%2b@Bc4*?*boHb?uMOWCoaEpZ zIg^C?__hDf=l=fnBa?IXW9_xqUTf{O*Is*{BeMr?d1UmeMVJ5hZOfZmhi@Bd+x>&` z=|A&7Su>;Up?9YD`AO+7*A)E8dEbfKUbFn>?NwVA4P1A6_T`U^{_&BimTL;GyzBa9 z-tA}hCVu~K^_u1OigWC<%cYCF(*_Qcr=D+_+vkqMk%K>2d;Fh1TQYe0d6qYS@Z=2J z(3-9OpG_|xzI&U+_tr=1;IXl}|8eS%|2p!vC6-_Q;qbm!Z+y7S^Nrd;KVSH{<&`E^ z$H@cZb{&21{BsLSi!Ika|C1lxeQC4(jZdCypM1p~miafo_UoUnjo<&KQX;c&{1h4BUJFT&Hs919yd%%y$;e2;R96W$t#)TzK!Yxl5Mb z8+@?X^kJ(nFTY-OE3V*?JK|*Bgi6!L5hp9%k0Z`@Bxb-w$$-|^Ukh=dV#Z9lLY^tl zl5g~NyzNsDPK&O6m2Q!xH+(e*URsc8llqlyb$&Ge_j)k>v)$>e2t$LRgHF*7_t zQ5{~Z$VnsTatUzx0-TegY*H%*>0oOhd=x0b)?1ha#{tDr>SRBQteA z>!zuiy^FE~Rvi7@MNiYz1*hSN-%a4G4ah&i`KaqtcLHXhY)7aGHT7D0l~<_>K`7k` zP)1_sRJGvMKy;ZkX(#(`DkPCl`Lf99iwF?JBZks%9!efWspZ=6JgH@B9s1sihZ~;4 zLjn)CJckDu_Q@m>*yG~S^P5Kx^^c+8wK1ySY}5x3Q6G7k`gR^IY>Q+@3)M?dGly#D z8?~KAZDeI?3$9%xxE8!~2SH(GZMoJ>^~;U=cNp~-r|U~etN|7`(%?24gNs2G|r=rq)XaIo&H-ptSQ$9$T7Rv&a&9Ts`@Df%N-C(pN7GBe72IlkXEJzC(yWHK%K z3x5n&d`L~|={3?!o@)u0S95^*PdH_VB`y}X(2I-KMJ`+OA4B)8{8)0H{Q#4th8);%w ztedF_ma{u8e(SzK^g*W*^}!`Zljj8J*5vSvEcfviqiM1-SKs?L8VMvrzy>oeo(Lrr+5aK48182V0zl@pmV4)BBAX#-L#h*kdNg`Wcnclkf-r?d_j{x{dX|2gmEl4uajha0mUo zKF=pD+)Gaf+G?Ov+T7S;YkP>EzD-ZxqorKelzsSrYA|eV&H$_+cKS%Ptx5XBWeK`p9V)Si?9Q}+_6Ot}O9s(Q8aA~D zSUnpkJZl4UBmjdD?#5kFKIdQShXQ}RR8s;$)!U0cz%!b@?)0lyqh*|Ebo97y`3s1S zH56zKm1+>0Ua=<1qP|T~pUC5ytDQ1E(VGrmeqk-+DAv5dO zUdG378!6E^&Cj55wt=Ei;(=u{;wY*FL*AE9G)>c!H5x`sEcKW#h@PQpz-Pu_BzXa! zA*2%7lrPn+$8rXrJ2SX;vca^s89d9B(;=s^#c@&)(cmgYyREYuXWfqKjBpx99R!Y` z2;RMs*&Ix(O+F^@?~Y%`K|&ErMSn4Z=Tmfj5&EI1Qyk!fe7{;%NK%ILv2;|Ql;iD= z=~34#U;M*~)1o79_QjJE1G&3#%NPP9-%~nTeI5HyrqDOAk?M8&)hm4icSGII@~ev+ zfeUdn7*(|E6`N7fX|7nL3~a!vcNC7-=KBUVD_~HZt}R4GY?HW?g&C!oc_RJXJ5Gqw z%iz?R!D)VL2C25*kirR)Ohrcqr(?j0ngULp>3UyC1)LT7I#lqC!s%irgNXzfE!djp zLWBvA`8~&>mp)I%FnmFm#mJ$fM0EA`W7I)XCmguJ z^pUndr$)y~^Av43uAIZ<3B~~r__g`Cf^JcfUt3<{*Q!v7_PX5jeUNnN**REnYhKF> zh|jP* zkyk7uq-T!>(heHV17~`RL`As$SkrPkq{Ley(myg3Dq+!t^f4m+bGiT}@+PCJe(JMs zMwUfnb3Pm4qgLn$OOZm!JIM<~}nB0$kTR;CG5NQyIGzdf*1R@Or zkp_WCgFvJU;q`$FjOjwqh5wHc1TZgnsoz;i6s^M4(L05DCC=Z6Fxs3~i-Ot)IaEp$itLLB%x9>Dxi++J6jI%2J1*n+&n{*{>E_8xG2n2 z?|l(`Dy0QFmC|-*e^47I`yDWeR$+}y3K2u5V#rhsnTjD(F=SwBrR*)~kq#J|y>GuT-M52}!8joxl@#Ly=>nSxLo1PYct}jA@;|a}*q$ z9a@lHzmR_~}qELFYIHCe)3x;)JGZQt81%3SVr4V z&Tt@uUhs?2&Zi&3*RA85aE9Ldy53I_U-fm^<6JX)T=KW)06&&BVr|nl z9%J`)mLF*X`)TSEazn0OU&mgPhqpg_etjG>(&vv@`LUCYs-StSE6onz0@!{phMAT0 zjZgOf;z!@Hl(OBR|G(P#Br2r$d>=8kKL5(jr_?e9)NPqwj-MN8_o(X0J7|)XT5eyA zeIc=_C@q>F#t&EHZxi|YY%4~qO1oo6>amYvjxD`PYL)LTBZ8c z%45m?83n}^&omzRU3=eo)YO}V`!dngp2h<|Z=amc>4zKd`Z2JdKOZ=A9UWCdou)i) z`Ymd@%!KAX#zlw5MLysZOp7!2aJg0>*~&RbO?X!d=xt`a??0xbc1ShXksSm7hQl}T zD7NVO2CT4jh=v0}&ZV8n0hzwh`otgoaXxC0f0j0UC<1iR6ynP18LoVUN6}!+NA+!O z=CvO=nX9n@3&wj=2!_6m3OK}=(=&|uh?@)RjQMD}s4C#xVTQ9>%;`O^UusM&>q*msV_ZshtfZ;g_yhjX$0Z)Q)IH~d&kNJm6G!IdJ%bc8e ze3~ z`Sm=wI{&i&XlisM9Jnx~6l_A~Cr4xmRX1;5=4Apb(|-6j1-hteij#gy=m&bGY6|p9 z)s#EvXED@57&yc3a)(|~vGmHujl_32v5hCBA})4_Q;szr_;LH>5>EN}Qy+wA zGijw&a8b_^)6Ow2cLqy*H+(Bt#pCL@3%3F{!tAzu#-@<#Z{(7%ki=spLIU{;rvPK1 zQe>d=1}C-d_arAAS;yUD4n;J3!%=$D~Zljc$f+MzY3Y&DdiUBj3bpPQbj-si=G>ttVC@;*Uj|o($L{W$CcnM`i z;WmcZL0Nwh>{qc}v@h8I6oWi9A6^Kl#z#{CImrZp$VZkRyipl}&z-}QI4j0w`|r>2`U+`Oaw3((iF6Yx z-hoQ@paK*boa+j0O~bp+PIl->CS?nJsAz8y1oKq;UQT)+N`6c`oS$n4kn7a1{j(E) zIO_;!q0a3^ipn=sW~%MvJh(n91_0pv5&@nQ-$esJbP9Q!duym-09;2f*|i(p-I`HQ z3rpPFi+Z$ka12F}5Kni##hgp&+o>eRdDbfVU7@}IJ!xWYAN zYSe!&B!Q<7UaWvd{&1)dz=N6ORx?4`J+?t2kPdm z?&g&!H`aqW=8-;d_|XX{r~!P02Rr(RX6V>MhA_3cjefTGG=-A`>$>}w8}It*C#|3l z)>U<%v^CyU`^mA!yTYGf`*4qc(3O~+;9G_lc~BKJ-lgP7_N({7w;c1UOP~wC4+U`p z`<8!$O(8gz>mps2;6?a!(KZF2CBn7@@BRG90^W>#Yz=*A_C2%x?T;cXbM;3KV%}(< zg*0_W-aiJv8bX%!=t+O{Ng8)0TJ560y&fDu;Y<)A{F`AUWWw>KDy0qynNWPVaGyd# zCJY~b+~>N(h;@h2+#N=1cNjoC3lB?o5c%CfIJ<)==?22>?hd28JB&L7jH;U!_w;X* zLNqbMY7=>NgfJBe@<+d4i%p#y~!L2K9p(>!Cde~Fa5Lu48{MUB$c+%nI7}Mz@ml0 z`HLQyyW~M ztcU-r9|~~J%RcY%wa)_>c=rVG#YY0Zi&;oN5 z&v;FQfu7*F8N}6aU?_zQcXbNpGmdVYZcDdC5*@d>B2F||My*i$Ws?g%~1GJCLWoQovMyI zO$SR1d4sT>CEiv9+F~%cOX*G;f#rVO{lz)yj{cQ#v+D8V=}u0wRh<4>12@e!2NXv) z)6IUV5u9cd2ZX-rNK$iOaY)bWIi&yhz2&n&83Fl%fwqmrd8W7cxEqcwVZiCgQh!XP zQ#D8{qW@1T8V)YOb*0@~5f`Itr%_@f=6Soc5Bb+Jg2mQ-@R>F9No9I`8x{!{C|> zLqIdC(_ttEVfaW}v5|;6B;3hJOJZk1a3|TX4D4 zqB-__I2!GCm=oKOSJ4mA0abZa0!Aj4sPa&W4)tzx0BHN)7Lmpm9>BFRku-u zg)e>p8_hT@HOG&2?;)Cbi$66TmO6+1&kF*v3CFc;lbFNHN4FfA}q`knCtuDSyyb9w0WYr9hcLDFrI!wuC`QytgNAkO~N5%UX<*h zB}&p{60{9@1MDLLWUysO3l~u){k^x#{2BsWGz7S44`I21=$0V}kr{#znIVYP9`Z2K z9>A*PN(y@E9`S00g6lwd6H!`pCB}OZ zUaFiJW$Y^9=NOImAbRu+!t*k0z_x%QEw~w^1*t7<0;aG$!4dOY@v{h5d&Hfgr@n4< zMcN+gzCS_E?&59W35<9_Jx;%c&wBdJmOQWL_<~{j`_()b9Z*9oE28-jzCgPMh3sb} z7XX}DepiVee-`~dma^y3_VOL(?d4^(y-YP66;_&;%<7iL@MTbR1q^Np;qtV7@VjtJZ^2WGxVCKdX|4Nm`t!@`OeON6 zGxU2!9rR_?=Gm9#ncFwM%re}}Q@rt^3}~3FKqIBvt`+cvAZ7q(OrcDFMa>!|2%r!IVi8|57UONt9X9o zqMKi|T)g&&YhD;|`R5_|vp@YQ*t*?gN3a>)*T(uaqjBqI$~WTLAzVK+qg<&;1tG6LfEVL>4&p1NY;4f@CH|_*HvT9T`kiv18RCt`j68t!_$*NSoCav>W zQ_om~uH*u5>HCTQMAb-ZKUr-`&Y`N<1x}XNCU$ped~ zM#_BMy3aU6h4Ok_on(2&9U4%&wK^vAU6LNjcia=5YYhPJaXxLhr}i2p z(qQ#h9;rDJyj; zbL3m)+vMACHC>UKp^p;zs8Ffdx#}84-Bk}LVWn*2O1~04m%yXX8|bd8()Jhs3xDML zI{b3O2^oFuS?a&Jl$I_v1f@WG`Z6%O;|OS11Zv(7oy#ETxMWQ%I6k0VElcYjutd%{ zmWyYh>2CO~=7Qq$QdQ8b}QzBciKBV{P zLm1UlIV*3cyj+zwvrHyj|KSgZ{UZSW$IEu(hrllO*3k7<4ydi0v zi)pPUKx)r5T|Vo(el?+}pC@xlkH~=S7CzIaL*5NNZIhIT68E zW4Us2G=j>w6&;V7739ehd|P_NU?4%j_W+X1;y`$|Na*&ydOUhPXeRmIWRkHU?>dZd z0gU9Z_(@yY;8lYaoJGT>kih{;J~-t5SAy$@`_T>aEh+m`OV43H=4#rG6@_ zsnQhV^CGpuy@38vYFdIfDVmKW2n4jdK$rqwWf$iwxRL-#ly|M7egNsEs(gE=w=^a| zbnK&8pgdPC1{XymF)MVSB6(5M=E3eilZmxPTFTqAiRv@ZN$#kVXU%{jDWWh5oMVHu z!?_FT!>LyiBwYRhl1b`Mu3Fdc+Sj{SZZ* zbX1L+>(E7l#>B6vFkcBWP$=wd^`aDt^X(qw5v0kV-C$4&kA`%%WHVB^foi&r&QBOGVy4Yg>~ynpWTK;L zq)%G~Axs7PaDy9ijjBEsj(^bhoF=yecUB=8bAmRF1$H2WWko4|Lfg_g0+CQ6RVyOld?kKrj8r|F-sZS2sCNL3(p1vHn#KKRYiWD3e?3_h z?seAERB4Ns{@>{>-3p1Osf^}`XnE?5q)Y}G5aOedKQl7x)s<;1vb#MIu~GsJ(vp4@n}=* z@E9N|J!8dQq3kbsP2--bENwlueND~5GSX{`-#Mq;)I%Tb0}nX4!|;miP%FVJ9$*M~1sD&s=0h$c`E;sGTy309qGLbW9;vUU55 zG62Z+zsE1v@|S%Yx-xlH4?+G{F7}kE7)_5t`LQMvst?*3lj|p>TJBedsE`+QCyV=O%}BL+M^_YeTxN^sL!{`Fqxk(w4|7d!bbG7`Rp&6*+UR^w?@V z(iWw(-VwdN83Q6!zm0JSpUjok%tfBGuG|`3((Dd*A)x{Z(L6Oedg|(?V+hQObX7`g zCUWA`)o~}-_5Q7Qua3WQD3wyD7f9=s9Kd8y7YR_dG^pI(Kz)WWiRS5`v>OYe{(;Q` zklg_EI*I_NK50NPt|M?d$~c`Pt@)i9P$a$svFO02uL0yS0i<6V$U{AV43pN(%LW2W z@&JU$#9f*qfaIoueA@&>P-n2ThVJ4{cPSDF5Rh8wZve>=K+Z`6IS!qZP2#cAns+!+ zrwaqI14v%<`rYA^S4(U5Qbf$UoeD4FEMbzOr{9z!4M^Th+67!nOQysEV_+WxysUwJ zNN<&B�fkz|NymrZJo)YGuaI+gq&?Q7b)QPEji}V3Mg857-F|*h%VwX@oxHE|q6S z=xrnrT?j)_3nSDhYNdzdc~L7fBu|@aiGE>79v8LJW3Wop%8bDSJ!)YLZW6WfqTkyM zVF1->8We4=(xvWi!4h8@@vc>9wVu>`R*!J~DCtIa?7K6j_`?*RRgNG28V`Ej0j$t*hWKn;;P`q z;S;w=H7^q?u$R4RQ)!D__OZ0KA@K~-ywSyd==Fy`*9!zHw_Gc&AMJ?F5~6-Jfgw@< zK9wfdf>n-|3;w3N@S_Fm^&^&V?Zy5IyPVKwEk+Kj3rkuoV-5RTf* z`!Lx%LBPRCy!Xv~giPNb8)t2ns;|c^rf%%mi+)I+W~FjxX^U=>(&R_iC?pPoZ4FVO zZ(o3E&rOR;6J=&;Bee1dBu35*kRE%6b4@ZM$@LVjotOtTWx$Le!31;pGK0kgvy5Fn zS5zX1(W_{_t^m1~Pe*tCR;z%rTn3e*dDk0~lefG?me%{Ny6#(kshKv*3#bLVk|xU! zt^-tc59R=~GX(1cMeQn0C4iqr_>qO;MXx?H$L#O3gk1$?+v zOkJ4GE~gd#MVLDj^*xVzfF}nlLLjLL?io-;prSPXI z+GwnB+Jj}h!VzWzt+vyPKDiryY){sE4E&PCdOq6B?!xs(5yKkEUSyliH$W5XF<4?? z68McAsEkDmFGkU$je>;ikpi;AO~|5S>BS-2)@NUKr7<$fWpJnyqL4n_SU01dj9=|` z`y~yRO}3XcgwA6W)Og3+H7$~7i@F61y%-+X#;mbOEH&G-xFmkg_#4?DtH9LMBw9*N zevtrQcB7r#sgD+xwpX{PyCu)Zvh>p!Tt1Tb!0ive=b2<4JB%J26NrDCFJzbB+~rk zK_t&A+{4v<07a=hfnf6qiWMRnOFcSgLMn11XXTX{0%28jp}HM9k@BO{QqsCxaC!Ge z*l4zg54N||7E<|n{^<9+JW;tzj&$0V;A+4orQ=Nn_y0t{4|hR&*zG;19C_1z#mT8{HS~H>eY{x3_dB z2p00L2Sf|dkskXT%8$+2d3EGnlWLwv0$PR}>Uih~R8D(hCsG9clK-u4GaMtyUm)wx z$O=Tut-cpRbLxb|}%?k3s7x@sA<@O;#EHtH?ntd`^`t zwU@ReZ&4zLPvd5uQhd2+Sqw2T{)>)c?{^C#Tl|IiR0`hrrQZ?nf_K^*7WvKmz9Ib{ zgIgT`n(U!#Xuu?q zr>Ef$kVrw%n2?w$kk~D)!#C)G#Az9hMmU2!c>n<)D3} z(V7f;)m9jbZS8w&F%5R+tgQ4#6$t$a8(rLzzXV@!2kX2JjY3iOORE&?aiuK2bUC&S zpvz_OnpxI)Jr0YfPpbX(T7M49yBy6U5w604bpT{U$R&@dUw4H0t!Ho+9?tg5h@du~ zI*h!CPDL#uKNI^w)4M={=*?EeB*Z6#5WkC2rU)&BR_#+rl5d0%y{^O)kmNWdd8=?? zoFqx!Ns_!DlKeKD+qxuQfFL#@srf9)7a)jDe`iU)pgH}{l6*ld{SGPKh<|aG;B+C;{Qv+sMJ{9@^UKFV&K(ZX7 zHi|nT%=jEsVsw@;XZ$I`d%3{@!ZNSpLQ(QWme9`LT_!^c9!=>LY}ki}iBMaAG_fI}-DrTPfpsc^7f08=;<@}RRrQ0(3C(DiH4>k}O z-Fl$# z{|kdrReCzUX?Ql$>WBk~XFHtJn^w1G((Y1-q zMZ_5wDV2Na;{x|!QRt_QHnCG>ED@ms{3-$%X`Q}8s{STuK@;Pc@i~YBR@9NM;5p;% zc$8{BKo%_&qqy*jZpL%t(hv10%pxI=v0e7)8mlZfc1%Ngt5c~i0I0qN zo;JC?F(;TCNmVUd<%_(JDY+Hl2uJbmlO{JJGv6n9a5FLD$M>Il#tyS-3u>dsiZpo( zmi4~X@25IasgAhCL8SETM=rAc(&YVEluOkiw2S#pm~C{CsP5QCFQuBBQ8qb8_ZLJ` z&fx0kl;%ihf9a7B5w|nax-Syj5b3-~dgN{-@V=6ILfO?CNlld21dyb#mn?kB@+;*M zSgjL~l%NworAI&*5CikjsvG=eXO;%Kji!kD_@gnJ`l_EJJl8v^dqlkx`p&Zw{T7le z8`v0C_a^5m+Amx&Duw0a<8=9xQueO&gWu3Yw&_UACAt0u{4&#|n_1v;>&+a+PGqmm ze5j`;egvm=ufv?N1$qA@YrNk?lQiC$;r;&KV|af;L^#{<-bbVHeOMYav^B=iK8Vz; zp}hwQ-G-Jtf8B=mS^`!^=^~nv0s*vw+H88u`0O4$c(duc`|N>Og>AiPb|B=>Y>Cx?bL3=?06O z>B(8WVn92biI;F4hGIP;Z(xx&Au)_9UZlhi<;WXI#?1&0MV?QENsk*mNqVZQ=u!>M zNxrXdq+@t4kaZ^!^PA6b#K=%4m}U+ohnVEAdO9&I0xuXO>~8Gc7kLm_JqA%`>QM#G z8YhDxSsh3?XVX*$Msocp)T0FM-t^J39KjQAzbayB2uWJ^5!TTK&`~-}YG(xlMvC~0 z3DV7F{3tloPf(C&(q9_^2lxzy22T~Z2=a4CG1U+4Ag>c>hE%Ga@f278+DPNL1SPuG z6-J8Dv+6aJtyOa(A~;gY>JwnIs-;WdwV(hFPzUEPCp!`Y(8*p&Kucc+m%O*vd~!`C zngF$1F8SbOHUdQLqF(a{V3Y)vAkg{z(G2T<-JghfKiada zMN_nO7^y0>1XqzSYiU7g>czeW=Cqb>56+F8Nd@nKy9o>y%q6*iqc~ZhRGwkrv>HGf zWh&YX!~-Bs=LG^`gy<-hNQJBFT1WFhl(8`Aj{I+rUkkRhIwZCiW$?2k)h=;K(ZU@phm30hncdId^=oZZoKxBAw+c?~~Od zGPIUY?-zCGUj7uqW)FB(HA?dYeOULi2FgwcoreE6d4WDBpva4M16OquckL#VHGojZ z3*c!-F&#|uoxgy)Qb~MqfhQFLkP86GznIlIIKvc=)2zoMQiKx7ud<&Ukv;hVvW&dQnjJp)eo3b}94YOtk?ScGKvdvmxE^=| zPuNj2g5CV1?ZJEKBy9BBlrkO)ziRo-KJ_z&{W`&E;c+(03iwaEaMJL+^!ULkXqC%0 z1@A(3ICLD?^$V}Gr7SBD=EVMVu%6+Mrl3B#o@VRh(6i-|&xrB%^Dc$itw^jb1+)pY zD(xq?PjOm9S8gaW$`fH^u(ot#Od9CUmj+rkyPc3ZENX`$IC4>;Z}Sw|1Ho*6Bv|Gx zTU7Ayo$}@>G$o`JkjaUjMp~%Hk5DQ>){9XEOlOYh4BiF}OfH`|zD^yU?nJ<5o-4^t zAf)&zUnBGeL(s`biPLJP=uW&?u?SyO=v5aL0DD;)*pGcFkTIV+)Rp)IL(xs82&7tp z6w``|BRX|Luu#^fI1&9@h`8U;h#pSIHDDAHzXcqhHj!)i5PZN7dV^fg5quTt!hvT{ z%jho`u!f#Z{!cdl%*Y;r3&EN_Mt~L+9Tx-`(HO>#ct2)+Zalt5hBJc);S^CTWx%C-g(_OWj^Z!NHw69Yge1fh5l z9|$WwANG6!<{c+-ECf@u1LsvkkNpS+k|9Bl{F?R`NHIv$x7U*`!dm-hcpzv0FYwp> z=ywnVB~{nqSyo>u-O5`EG8@3Y7m;WoGZ>m!*O$@B|2FQTC9de?=5hU(T#PMgXK-+I z@&=^k<7MLV%dsonxO52M%965GF54Bn1R*$sDbAAuu3k=_C$nXiDG=IMPt<|G z%i2&+Mv@on%+DF)tmT*+)EG}lAy}uH{u;JS`h6yavz*ek;EQC4G4a6dGxbDct$?I? zJ(K42OoGY9I@PFHdIZSbz=4&?iQ$L(Sc2Fd@sbnrEAmE-K7pAxWcB!0MDK%7+_Jh|rYOqKGCN`LRAZe6 zx0!dJ2OLz$Btw9n&~?e&I=a8AY~#|)-~!H9UWdgrZkF=>h6$LU=V3DI*YCPO!K5Qu3|^a7&>OekSNK&yoCaY*iyyt=h-5%myDp2HsX zB%<>5idDGuDLF-n;xn$A;*9Li0eewcGp;@Ibu|0W;p+a&-1yLi0>$OVd_(h74>+sp zDegDYnA!EjdF#kWV@QJJ7l_^QT@_*1CncSKed=+4*|w#Z`J$r-GClIvsh#o&`xek6 z7Oc?efg)M-@OGoeELwl^E+oay8uS=$qK8lkKyFNfFKXYy57bM%XQUPT?OFDQ5+HZW zD+=vue};Hx10F1$;YxIT9i|U~2w6-_B@kSy9)@(!U}{UdY}<>_1F1=%zL?iplZ1Jf!WB7iAzL*MEv%h^G*i?wKc$ z$<^6lQB2lXW&lA?t)B)ZG+=~P#19%xLx_ecn|X`?2SoeU4gBZ)bMS|iwkXeLgSCNE zc)iVm7M*}damAoYe?7h!Jk1=JY6cS(ru7}|i>n=}*0eqpoyouxfd{5{mTA*F>$dbe zD;mI%#0HFe zc7y&Vz8(hYHA#dX?++=4Ww(Rm0G=$`?Z;9CKPEjB9EYi0#Bij7i00%Nj*|=;m|mw% z5}2YcTgh;{5U#}nSFk@DgJ;DxnP(uGiEalA@Y*6X{E%Nn#zr~^2m41l3q$>xiu{A9 zR#W^89lyfjh^+`Nei4dGHE$3{=qqOk%=u!oBAtMJSQH>z3de=W%1lSMVD|)KA4YEE zA$wuyLW(EV1{rQhbpL+T3f+`^P#YB4n1l56vNd?Uzw$Ed)!72tBB<6$j_{b#hU-J0 z<)kUt3{LM{5@^#aVT1Y;ETM~G4kim>$EA%uvvCJ&IV~`z;hmQq&u+vJv3jRz%vfvV zubn)mhV29DkUgXa9tnF0-Moa_#`nc&A!LmFxoldHj9|DBieWtI`d_SH!Cxz&X!ST> zEGf|YRZ1)bU?Zm$xpg{~Let-h!C0XD+~MLlS+hL~s!4~v>^0tCR_1Qlo=t2H9N z;UUo%j4O10?GF7F+(VZRXwmwq@yJ$t@ey9Mbm9y|{o=*ql!D#` zoGgK%^GSx-&==x74rYg|D7vahlg17RT?*SLI2c0^yfAX2ZwTkB5Q&X*1FT6v;1QD@ zg4U*FL*J+4tHHD}xC|)1`W)%8|G{Io`0Afw?&hG&pCK**?=k@-6VW@j2M`2( zmiGWc@zDtI74gyKFcN!-k1j*99v{7)PV*#28v|nzt!4t>kD@5`KPx_(!>(c8G0 z@(k%;Fx5&&I{%7Ftyj{tUMp&4XdUTM3$&*DLe0dzP1MQ|H(;tIf>%M@F``zQnnj{k zhME+UoZT-_Ge^`)laEdw$xNYMh)97kSWrA#;0T`_5gZaec~$U&@X1?3b{Q6CIvDv` z0ugBv!N|YFixSyt^+@aU9CGw~A{6<%NEN3H9wCr=Eb?Ogz%CV4$=SmU#yILmjrwfX+o-NkV)t^=SrEUz{_&x?axvNl}S z7WE#&j0-8x8p2G}JWB}kyU5a~?3OPGVfIk`@9K}jsKM(TeIcMADuE%q1SU*jQpUwh zJmZ^}2Qcwhx?oVi?@Oyom`DoOLGe6ZD8iv_x2!scH`}R&*$pc$fD^kWR`pTGo(o${ z=`W!bu_-UgWhQj^2W#3_4VKmouWngU5II=I0qyF0>NjEkV$Po3pzevZwvLYherN*E z{gJMmmG4XImRr>hcld)?J+@&}?ra1S2z?w13BvP@cvl%L|Cf%9stD;=1G6XQM=ZO za=f*#oEt+!p4_Glm~$+8OSA(iMd;S^#6=Hca4ad<2 z_kkO7h>Ynu9(AkHIDI()=-4vo96(CsV88gm^K^9bG`+9TZjM?@Lum;kY zVNXkZLm0fUP}) zEd{k9bT@vmP{;PX47Pc|7N-}1_yHikjS+uy1FiZEl3JWV{0Ig)@ezL1wE2oFQbYo@!~kk!xSJfz!GVy8%E-y8 z<-=+R^J=VtZ};HG)hEN$??;}8DqMXsg;N8|CzQru)Jy*si`w1T9Ay{v6Uc_7NRK^+ z2emog);BL!+b?`zVt8A)_C_m5IyEre8UO`rh~@AhQU!ui1NsUu(-@3Rdd#bX$;)f4 z?Z@z36Z68gQ>+Ha96oi+z=m6vmlH4>0}C4{QJ@iXKRJd7#Cdtg1gtzAmI-c-0oTT- zcNuQVw*0n8S0DDr^8sGTALq_K1Axeo9{V>Pa$#PlfP9__vffILsTG^iik;y#M7sJ4 z=rl$GdT<&NSK>N?c-t_SHSe^5TWEr-x504rHf*Lg>_!`X_)M{Bv1i^7#zhZO^`Fry z<~_eQ7-zb^>s3!creiqW6KNgpi>^Q*)bP+`?l7&>e9>F1NX715MxA1PB&{2PJ*$51 z>LU-{q(qKdm&}bEs^V)*8m!8AjH_kUJIU+)xV`|4=2M|)a`Cikq8$0asYI`{O6yQ8 z4EUkjl+8p2Y$c?EPB`du*vXEK=Ub@ifZR53&DPNR@wEP2^=I85Wb6z+gha73$a99g zA&dlZP6<1J>;+OcMh;XFSnQCx>6Tq}0s^J18-2xl@o}wHM#Q=SQN*j$NDGLocMwQ9 z7lBp7lK&CL;psIih->j(uE!VQ0TI{d)5fQ4oS5#kEyc0wI-4Sgw+u%a9NSm7m`5M;eY_3di`i&}!{_q=b-z7^+vIf$O&vGu+c%kDv^`PtL`FPf;R@Di&KH(=1dFo>bzyUKr8i?@WHBBYd^=HNwuER9CZu2 z>8c{3d7>e9u%Dx0Qtg~lYy89jA5La^;pf097#zL8Nt#Y;)yn}ZK0PhSS@Q>si`--l zo0`uw2l;_NdfsMG10$NFs3IiPB(rrj?JG)H5l2oAUpbVYvg*e_><3<`*%@k&q;f*% zL}Iq&6++JR#c2%qjBt96Ba3k)j9oy+{uke0CF7Igd@#Re=ZZofzUbpE zyK>b?3YM#(`vn5gMULb`cy6R>3d1v8f@}tJ*{V0F2zlQW8F7uc)#_N<#iqVZ;nC`? zn7>*=9@>M^9mL)4&!I&r3ow;UUZ=z9=eEAK};q?IU9o z3upDj89VC3wN3UB7P>RZ2wzE`PSE|wbUvR#ZNlgilO|Twi1KFgb`$R_HwwaEu#F zNC)cv?HSn!4FwT;L+GzGLAUW z2|-+Bsz(th>a92e5<&oN_w%jTA6Cy~IeHvA;v@ygUWHvHAqrFu3X>(m4!Bh@H^}HKunJAw2O0 z^0)GJaT(wECGh3?wQmHlK)uZ1JQ4bZpkVM^(zwNJ6FEqi2BLGpe-HDS96d)59%L6a zeD$9&6j}9JQ2ugXWSq+qx>ZL4=NOGCQxNCrYY+k5}pOt@y?Ff}@w?FTQEJz}2_3Md$w`!SQO_3%liu-@u2r;<$;{ zsV0i!uP3Z=+%SEA{9S8X2=R*@dXU14@S=%6>xjl_?6>SJ_V~+ax_ktH>k*33$WsC29w?vZ@687)xbl z=8P&!%e2_vGwvejtuwnNbV=IM>rCoQ1oo@{!)okh<*Oiu(YWc5v|sRqc% zCeYJM^ei;!S*FvoP^ae@ou0%+eX~G>yr@nFm9G*<56c>)#}*PvM6Q6dY zQ3%a|1nFD~&7|x4O9U#2IT(W&jMAOlRS!NZh+vGrbS&5(a z4yNt97)F}<^j&2oJ(1pu01l7|oERL&&N?=2PnK@Q>Re9k^r?HvDex2);Y?VH8jz~r z2gau1Ly1~SQe(cdDTUJGd+?0!P=~RgwfSsxTY870ek?|sf}X@9QrCk<*zgtsABlfQ zH5v9FtU!up)+LTKu#?=s`pBgCjyRljmuK8(z0Y!A3PbdJj466oLZ~_bCA`ul0ZsA{ zv!3-CN9{7>2b}X?3FU+DC z&Qmc4OW`^U;LD^w3aFPJe;FKFJI6Hu6U6yE6C(r^(|MtSi+vs+MSX6^I>r_}$n6|9 zA`fA&ybimCX(t@zxW52_zD&j>;=Otkwp#AaThyJ$GY4I|^XDiOPexB@=O03aWeUcJy8*>{9YUeAMwvA(MVR5+2K2mvB462bFy>y=7gT-`PeLIPtm;-$eiUmBM%9Upa5gAw=;!}H zQ8FL_7E{2Z?Z7e>$iY|!RH!v~$c~T!m}g##%SwHwVIg$`uP_jX z#$nPVK!!iE*44@I9dIaNvxg3op!05J1POr^(?H@1nN{`<{h($IP(MMpN zjJhskM1AmzXk~A2)E}!iO9%cj0>R(m0Zl*pm@5oaS7Bj3rO=}uPT0|ePGdg1t;>&L zHw$(5Efh)&=L0YtDu-`Ep_lLZYNj}X-==^+LJk@YQ|`?BEQ!UKoO;NifOIKA+Kp2x z8L18QR{CFnBshvn{|2RX3?Z=tAi#y-QM4&l(`>*4RzSqe509ZyTS23?9rb&l@G}Pb zUj+0907dt`>iarHK=06n2ui$(dm<(+#xe0<=r<<{B}Ofk&{|_KZy*@TG}TPw$^%BI z5HF2UR4e-y68ACb#6mT__IaAIq21_2W9L~3R!RB4qI~ug0W>o<#a_zr98s@{AX2r9 zXkp!^6k`$uabOn}l7<_An_n)cQ#sJE-4J+&5%?oDFbNINhlYJ+w->JRac>WI6CiSW zLx9>XR;l_)Jfl!r9y2PRC6Y{M0IK@4u1ZRXfAiJ7#h)`;gSp&;H>n4!aSj!C>r~;7Ud&+O2f0ua6`GUD&1lT$IiI{6iE+pm z{+z6MU)(nivw--@^Kk3gwrdnkKwcsAMo9X zi*S8xY0ZaGAg1WVT>!TFPz+6bwOMdKaFsn|s32z7?~=$+89;_gJ{c-AU?<2ol(+p_ z%<+byaxs8lwQu;aGhGt0)*qUSNu8jrYp_XQOYk8qvFT0@_%>*}mGlUdNIurIgza${ zg+R5u?Jo#_B}_3i_tQ8ye8rpmwgq&rFMa^3pC!1&7dbkwd=Ug44u`BZVk zcyfPcd0|@b>gUJF!Bp(QXM|v)FGdqsk*0zZyy~mCMUM_U!JOZMR1a+O82*OK`h?sb z*jWYeiOP|#(=uB=Qq4seBk`QX$p#^TX;)q~YRdKNfO}#w%4xC#0$mX4JT286K$aI? z;I!DLE2&(mkt&TvC2uwDn{LKmPA%~?(k^CMdj^9fsDg*5)O8pqK}vcJX< z!#Q!GEnQLzMb5U@%(jw#%nY!65Wz!M5#QJqyb6>lfJK$!edQ#+ikvkrV(@kl25W%~ zmR=%2#c!{`iomoiacesA9_Ek>h124tN>w*(Z!zrE50dE+0ttsuJAMck-FA9IEA*Qd5I zb+BtTNNtK7wuZ*ifR#`W%ad+H_{gEA6IiaVg25-Nja(1ka=>8Yn-hN5isV49Mc*AL zep|67{KY4#v7V?V`w-*5!WS)&O1Bbyo{0M-?_0!PW2`4U#m9Zc@A|Drl;YhA{3uwG z{qS8{{Dix#&shtw1sRL9TCJNsWgSwrz`ff@3+3}ZETP0eR1|7!IbAWZhOYj6fv#}H zWe-y13B2{-6N>7_`CO{K3v5m!25T2L@a&~txoNJoZb^PSvKbRj!NY)nk6V05b8jI{ zcM8hk=4%WgGer`?-&k(Y7`t(5Vi3*Tg(4r?n9Ua_j?loWo8u~ha}_&Er$b9w_4>6U z^66fQv2()9z~p6Qu zuljL76|9OXe(i3$TFZ-;q2`k|nC4M0oOc&vZ!t5tN~L`@dYfv+J)ER2ct%GRvERVh z5Cw3~=LPZl5KjnpZAnlEH52)bR zFw?Z-PDyp4J$V(;orX1i+?ou%1*kyRS8{O`4jKZ5=xm6xdOoH zel6sM_yGPL83wtQ^E|G5=(aE!*RZz}6W+rNi3=nXj}TjDQ|LaX5M2!-DE%9}cPnxa z7pYDcVbLQx;1+u{h)Bjhp>t`bcK9}X9Y_FvV0KKq9M6?p*bSb{@SZZ@fq0?^I!FT0 z<0flS=Z8ie4@i$&S45~kU5S9E?JlYbV$re5!MxsDiCYNBlFP-L=w8ZXRi-CcF+ouL za$;|9`J(Xxqj6GK1UK~i#B(U#i~Tqzpl+huQn3F8S6&^^q7hph(8@>)W3Af~9337D z8~zDoVV_CSu7hmBNu^y^fIklHx_tb}Q!1}3^jl9*PJZHikeXCF)&T%PH_m`bS&`Gq z6O%a~4tGG02h{D{*?@}O6RH4WL64(?8iyWMcN0GPB$-~EkYX1aJwX!XSMR1Z9xb!g z(|SAlNvG__xFy~v2KtJ6odXQ)P-hh2Po6ph%OY5v{^FDBjKU_H^_kT{wh2neXoF@b zB4y;nF))ZWv}@Ui0#$S7DrXN=Maaf-=yLwt5qGMVm=bNRz#jBvWoTPm?4hl7g^_^- zhg9BF!zVSxVRk&K5MLF_{uk|V{$#}YhpcOEN0~Pc;Db<_ysG%`ykak zLapNzC?cz^FAc;?qy>9n$t7?(JE@pdV})9lSMRp~L9#4iv$gT+0>g`mQ)aI`sB{l3 zwV7?dZG-ZOG&*6ZN!3@PCTZ_CNwH^ZBq5DIM@E7|@?~ts>&vBPVtw!fFPHR{5>z90 zRc^rcaodCB{(>#Y4bburySP{Az(EVcgc0!Rq$m?LaVMU9+DP1UfpeDs%u<%Vri9d| z6Q9hXB~ymj98YK5#erEAPP63@7F~@Q8EAd4Poq0EFbq)KGYB+Tls;x9Jx)%40*jA( zh4IJ=0{uj^%K3DKWk?D?Ol}RHM(O(p=_6P~eX)!K)4~}cs0>GpPH5Wy_&`vaS|#79 zGJ@8B)&Krp#Kct(O*ld!C_kh5+C_8(Agq5Yz0R5COCvHJpGLI5i z0E=2sOR#`fMUYNH$81L1Zw{wfAXr5H0Om8A1G_aL#^|5WL~;ynH|C1~d9-{gP8?G; zp8Nj`Mqam?GJwhT_Zp+it3%=3Nj}uAsAyyrHF715AS+gGrCUJ(ll+&QivdmkMu~da z8{;rh3wQa!AQb)>Sbj7^s10OoTj}^9pABNg zN4JfA|A6%~()tb<;Qr!60re0G#N*^i;C09_nfY=s{t#n+1WYp$F|W?ALW0D(R1mVl zg=H9455}rORySkWy5b_aeX}*>;kn4Kxm?M~X?!v#K6@-NnCJoZqvU0o2J5Ig)`0=* z$AMy;Vm}o=2nhuCXhy0%gT7WH{OCL&$$>{jASqcv(DG0|^hJ4JWvLs+z1$!Jm!^6}w*d-#6 z0)KthH+s-?)vtP^=Pv*@)4h3hupPb>Ne6QrrEaFCM394xepeEK8X{4gy^-!!8rFEMbhjz|48 zkpo(b_+wc5biXr^2*UsyjrPX^l@oB{e=r-+@J9&gqlw{}jA&F2I?ZLe?*$%ppB8$QlloFwx@Fwcib0dPm6En`V%8WA!) zkQ!Mh{D~DD#zJ^$SopVqyyp@Z%;3>|HM#nD{lPBH|Pq*-zpbehqQVT@l;W zs6ji{H^Kr2H?ZF4n{GU60yh-5{S=f-tj1uFCbshpI3Hq@fhHI*8vKxS8B3Ai5pX&T z+c~&Uf+s4lOl=Wbl&a};A1x2;i9)<%D;ok&e$#F`J@7tx$U zpBNFZqvWmZ7}bgr$Lt z8iFtE2z3c6z9o1a*6~rVEz()Ayg$4}aQNerN*LJtO4~i^Cpy8Z;# z*%NJ7p$RPgeU(j$)fU-gi<~Kt)(ikauxUrI+N6ku$fLIN+L^uwcnL;_4-vr24_cIN z#Ue&dH3!r-lIvGM176kOTB0O+V(jx1;p50NHj4j;X_eV1roFMuMltLaC>dt;M1PWS z8d{xLPU0tY0?QgRu`2uN#PR{MtZo9eoM|d~dXQ+aPNEM5OLeCZs_GOv2XJvQJ;);V!B9bgKQ;vL#X`$b@; z;8n!)l#W>6vMnqcRTo;DU=P@#w2F9}x@=Kl)sK^9Ahh_lgLy3>Q|5-9($d zXh`pT_syp{=mgFFEO=4(ZipQ_nvhVW zBvA-VOR*;?Vty03`s>F=LMOHBJN6nxw5jIkydyA4~_Bho(6vLF7`~E|1|4 zCIx`?NZwcmOz;J9^#tZrD!72IO2krHJr-%rAsn7)z`z%9Gix^@BCDR)Z+l2*SMOEx zT#`4AQ7YmPWe=VT!ND>79cMC#f^$)tu4#0`M=0zYp?guzO}*eAvsN?lBhV4b?M~q*~On=o34&li)GudH#&ubHW!t4O0WeCDI4sap-0bqheKr|?4Y8BU8- zL*9!-AHc#V_qs^e6ZYs)X$$Cx3kqozWZjuf0=JjcxVl*!0Bq9qkLBW|0^L{p7i30G zfq$RJ1J(-6vA7dS%X1Nb6*4~5RWU|cz!PEAVG<-rkLxE4jRxQsC+WaC1X&=v)k#KrA`Pi*(~`}Jp8*QcOZ*f5rgP%0 zHe6Zd7W_bDUW!~rrMm`?q(AaX={ImXi6q8}tYo8#2dcibWC; zCfpCZi$=^2M?$9m!I1&@=_5^0|32*kGXZ+(48Gy4`y{|qMYxXx>v(RZhplStAI-pm z9N+O%Uny?DfitK>94~HGGz4!<2Q$@C8@>M$9HqtYSI(V_W{1xc4*we`u&MWLO2Zn9Iw$_pB3uP} z>N;9Q%G8HH@AyxgSI z*7Q?UC$EBJq`p=oYMc=sg-;*K*iUw5Y|=20Mx5#^niq{PI*OS;Srjn;ypp2o`cd8% z-z0DQU~xS8&NRp61OTsZywKfPU@V~UFWO(mDb-L8noWk7mq+j!0tbGwaNw$!Z?(;b z1j;s7>7;HHiE@Hyzsh*e;6q==yLU%(Y5}^bz3~~*)M@)x4MZaenk6nT;V~2;q^<^0 zbw_vuy-?P}Q$Awl`XVl0l}$8J{emnu)Y?ofJ+B)=DvVx{tWq~LmB!?~1&c!rL9$xa z_%y^Q+}*nga)uK``3QSh%jSkReUueUK@4S(prI`GTcJm&Bt}t5Y%cpY%mlI^4g|Up zihO*OOm!mE`j*Nk-7Xzwl(;I*4GYj56HXP*Xp7eUkv}k?@ZYL7#_7yg8@rCXrGfEZ z2$4XJ4%PG|edPTLTcggO*&qxg1zyrJK=GImfdKjpshT$x31kTy_`*Cy zQyfZjqR)7&IbBCIp%+5zta9a$=Y>4^C+uNzM2*vovKW!Lk_2Xg0&z=?dpBxYu>5ow;8c4{at zu6P(t#ox?jFtb8ugfXSwZGG$A#APhzK_12RFPe(0?I3P59hTsHG931&0`>7~-=XiR zf=Bl^r_S}~LPil0_#)UVhOczI0KQo6h=_T20eo|H2z>n)559CxWe2y2O)TL>^57sc zZ^0++vq%3i<$~~?)G}c}0xQc)OA^gOz|Rm*jvYbBe&Vz)(YGaX8vBa8SEMc<<(83& z%yAa&k@&^plj@}8fq}S?N_k#byC6s6#Gy}ulS`K)t-+(dMe-04f3NDi>R65k5(Wlc z761~aencPy^OcjZPp0#Qb$mnws>&x7*)IwskD-gwSecN@Sn5Hcl?m>~Ip(cwHnCik zxE>R#>+fGV75pYa**JH})%#Wod+fl zBcGijQ{mfUq5C}v{s_H3E39%w_XG50dS8{I;-p6@DUY-`nm+|_BvuC-NY;TnRi}(l53C)cqlA`9N#s8f;cS z=cKL#q}}n`tzQOytgXJ8U7EhS7wwkWElfl_mONN)E&fv>lkAK@-)fV{*iaAM9NKP_ z7k78>dP7Q6b8_3j?wtX4Wr6c}^7Onxx5p3QLW-B$Oqe-S3Jy)`5y^>maFslW%7^q;b{{hddMsTmD#<+pe+ns618FSB za~di7s>cf@bvaB}e1EPEufgLan?_&qzvyhwL^69bc#coQdc+YD05lX=q*>N4gZncA z@WeJJbssZwvb9pU$JdD5F2KiNVnBS3TqrD7_Rj!6{!`yZ*vh%5(YPl5b1qb1ovo=ypEJSPcaW?5u$yUc6A+W;DUqLzDCGYEf6<9uKq z^Y((DTAtPI6;k^92bULftk2RuIQ*H)s~axr@Z#`N)Ij(<}{tx?%<%fU9@@IXv^0<|z0s{fvAB_o}Ld3i)fhc(YT%Y{^e=q+j@DX{y zmBCbb(D*ZTi1wTMD(^$wu|x2W(J~>BK(3*@Mf~)AjlqD(L^LAsU}r{SRad##s^tCM zOa8O{{KGUq*Q5wGdgJJEHC8!+E}bhinxcOBaFGZl*j&FrPvBv?<7e%&gQf9WXGXME z{T-ACTW$;19O;S#tF^H_OJ?F9M7#>d`xRWQ6^xb&IQAhR8!zJd_~3n$YXS-5ZB8pL zYnef{leN~H`q;ZpGcpyCTgt7ele$PXV}#>Do@02e#k?@a()dE-{3ABw&e};2M@H8W zg29@anm^j?Rhr~x*7vmR2-F=3u9>uyECeV$uX)B1Ulcagjf@ulC_X|wahwIW%1Pfh zAj}TA(v6QUA$zuhTi78m2M3MnpLC$onq-ro3WKNdC1#2IG$Pc_Q`7M_`HbW*pB5y8)_>;&`aamReb$x-SS z)WSQ0;f+2#oQBB<;u9s*1L{fu;I#ph^RYxn$Z zD<8r56q$?gkx;D9+)#h@x+m5&aZgFeQgox&;}!uohKEja0;`Psk(R3i1e5z2{tb7A z>NB&Z1jXNGU~^ziuO#p> zHN83_t`{foML;`i{ZIb&UojZ;n;RKeWv9!lXSM(50Q_q%9e&GWB?CtA2foY`I;OV_kG&-~-U@|!w$+M8oku^)A1X105EeAS_^{VA5Sl9a3a&|qfv zuFl&6nZSnD%zf{QGn0QD!8u}y`1-*?QVdK02cnsSgQIxHc&jvB{?&-PuD&xmEA!`- zbm*Dyd;bcn{a`>~RbZ2QRSg*6&aHN*S4C$q+BK_x@x#AhUP6J4yEgN|2r3P1aM3)Q zwZ>h#bZOC-0f7xVTN})m4?=;p?&i!#BQl2u1U|WIjA}0%WiEK#I*I+HapBtw@7-#?Z_O4lC|4bv^_Rs zlkIXD^EFU)YK`sT>K21vfLoRZ_|*Zfp6=o5lX+a-WkpvDu3qr>imP|uQ)1U=?O9nx z*VP7Hcg1GCF4akt@XRite0ZcC$lB=(PH$ap@O76nYnQ>-tdq&o;L&peucvRmrzCy% zJ!MF|quI>S(y~ca5%6`V;%jWi8axFAHdsqVV{z8i9t8eGAh0P?cDlbhfq*W}JOsXH zAnM!6rLhbJnblx?KNNK+w8M z*DEl11vD*!!ESrj?mjR$YG82Gz@Qfx?2ZKXwssg0Y;$I9GayhP0rPVL+4KcBrH9{? z>?q^#9(_G?xU}qQU~s7ZwboU-XlJaA1vWf*ZLGe#iFF3y_(3~kvL0U*g0%cZ2HLg} z-yd0PIR+vb(y8YM?V?eqmad9L52N+FqUi_9pOK3Fivk?$+C~;U zv#Y#p5SFaS5iui0Jdc^-nAy?%-r~vEkNV~5i`HxkMgv`1sA2c)=3FJK*CV(dLq!+O z?G%*;E1F(VGzRxVwsG~Tw=iN&;o7dej@T#J&%t0w^K+JE*GO6yJ*Lmz)~?c2&;PxF zC;DBY$@EhZWkIUcr=+cp_^}Irpts5W1P`QYVs3qR8JS2u3$LBQrpniNyfV;K`C_xX zKbqN1Fo=Ur@?&6)ySvQ6iPmx)pW&4Bd}sfr~?{`Ms56H649=X=p|H{bMBbBc-F1@?rsGZ3Uv|HY$Ut2$= zUv|ske4m=q*Brr$ml{7P7${lteIm=0sQX4Pi}q_TS%&3CMi%16y=byzz0qw2TsS=3 zF)=1Ke7|%44iEZU(>WXX5PPG-FM>$XSsc(ruX zAu%1tZ&@cC!>Xfr85Ui|Ko`pxFNy6(RN)KH3u2O$s6xV**%6FXZm`|8P3~qp^U+Y$ zHe2>G>nJLAf{e!|Hd@Qk`g$Yzo{x=tQ8x#bCKyy#1w3YLPgD9)|o7O3*daj^bgF$L-Oy@M|vZj%ysYh zuF({zSv?1Ht&1wxHl?Q?5g;Ba?B8An&0KC3&~1)Xt|OB!9bv^~U0}VjDVJsA$WJ2p z0cP3oWsS`e!aX8WwQuAb0<;a4vXqZ?Mk;zQWA-~M)ZSHh9+4kt{0A%HG)IH8PURZ>jIfqvDZk>3#Fffzbx(?C&2qctz#x17 zhI~bpsD!=*t21&ZRXHFq?zgSwU0kFm-<{y>U+;`ugRfwc){!sy?nKR%aVmSFt=%HR zj*jfMmQM|&XFVTD+dmLDpUJ)F!w*1y4s$SH8%=(~&{i>)L%gnIqzuiBlrg=#> z3g{$KI-eV5h-7!7t?OhsOxIW0(O+?rzhxAw8O2d%1fFCMqiAOo2iPw-cI}09m@(Sv zsn1i<-xbhz8q_|>?5GJKd49lm0#Nf0dPFR+cwLK_cq~;d=~&&)=>Av5r&EZm>st;E z+P}#serR#;ksfY`v_K5#{)Sn3f#DsQn4a`Jtvx<|n5suXpzukh)gu>J?~Ox0F%BFebr4@r z);6D{-}e4rH(QfYdU`Foe-prb1z1M+Z{!KRKHHSMv}yO zd0KME1TV?)k{a3XNs5kK$Id_prqKaWIKgP+BWd~XsCYc~xD$xdUEvdrWg;LR#yLd3-`*}X3 z&z0-&(H_4w^X@>mr*%jB#FCQAgAyHT%;J4I<%#LidJ9@Fvaw`#qbn1sTiUpE+|oM( zcJRZ<(yy0hzk;_V?$b>+Ij!=V#ue~Hp6!kBbn)AE+XAar7B7kd=G5l}WukoWvI*$jQ zKeRu8(Wj|Coi_au`FCNbf3Nr)9Oo~RJ}~UlPesHNWG(39CS;B(*@6bK-ht&= z-eMRA*v80Y4_P^w(MUkq-t~V1h4_>Hm%#d>*%Jr4C0ZYPT)Mc>1~l~r?HhZye|j}e zm#72v780Fl1)hMp$1?TeW5?86?YKJ#zzd*Q$K`dO)=lX_er}YWO@nPL7Z@;h?enRA z-6x59dHL@*{#?gT2v6BM{%CmiGe5!`{W0}b&Mmx>oVm>1bM}qtBpgLOXt}DovY@~+-Uk)FYyDQf{+2tc_jFAWB^kMc zZ{%1`yyt=fntzWwrP|Bnq^=s3y1F{~mQ}gRy`ef~*SJ#(d!+dKMQ`q_n0rU?zwA#? zH|~$lqHzt!aykf{!RtN*v^6D^59x_={% z8?Q5C^Ga^@O8!8C0snxT=z{5!_ri$m@IMD+bt0QtrRx=G8u}XSkQ)=faoqby6_hpK z$&5zulu^Rh$bCHTlc)rLO^K@PdDIVY#|&TSq=G_tcQ=F+*@8;^?>I)) zY5m@QC~o*@6ErisQoW5fV@dpaH6A#o zH;KA6jdL^6z?I{~)}||aK6(qe+xcB5*qZP@FO&tg*HCo1VDc~xFOeR6=^-lz_up6>cReQ#w9Ak@fiwxtL_{HOj{!ojaLQy3xI+=xMu0GY7>0Csi?9Yh(gd%DCzD>c7eI0?skB+PR zA+39ebnA!K@|)`h6BsePl2`8kc87Nn*UNaL^4su6^K&gG&T@M0WJi87L~g51oIAT) z>J}P5YTTohR^ygi{vhcgXw}iu*_?(viw_s`I^cbV^~+e@pqVZvWJgP_#T8VUv#B_) zw?EWoM@zFG!wDGP&RQ~^E?{-=c?dt{kNLM8=V? zt`H8iR@)D$v$<@1ogxVVAM#wItWT>=TmoS&2A*IYb}cU+uKbWk!4(N}XV$DRXVxQ6 z@@{a2+eqOi|G8%(P1txeCrX-)f4%YLvvX&{oX;(TDq|_!Gnnjx%~(2RPt+@sf#-Vl zV}X!R4_qHJR_T@aYxgi%d-ZFXB_D&eS2#_NUmQ(iDz?!G7~pIMg|~4bNvPOCrB3B0 zqNlY7Vhtb6&Z2`u6IQZ{?j1Kjrstx;-*dIxE_piBxsln@yA`*}_i+BZPlxj7rk?ZZ zqX}7(9!;5&>`6L>4X+cAg@WFqb-ZE62`8sRmeIQ()W0Uf{u8PY>mw(CwfcUaTZVq( zztn2Gl&=^RC+d10p}xW%AW7_dcoSRCj#$G{EBU8_X)M6{Eyy&G`&&x{{hjpU5|BLB za3E?;>2g|+_U@K!t9je4u9bXG2eiESVhZ$}UeKtlS8a5W4Ak{k+Hr@;>TW~_LX{U_z zxqPE}m&67|V$!J#`3^rfpkRCD{;1$h&%Z|DRr`<{z=(`(wZ;KlIGEcg_asSl+14(T z2SXxr_NzDmLmPn*Qq%lzLUihkG^ZR%P9y)v^1qJ%HSQ=cqP@h4@{U1;8W}T}>8_aH zQs6)4j?*>c?f<+t_Ia=F^IqHMeN>-!6YniwU#I{g!v7S#yK`Z-bL#gqm*HTf=-r)L zRrH>kQvB|bC+uF17Bb$L}n)s<|KG(YNpsWVaQt(BSdDruzt&P{Pac|w$Hy|Qo8(XBGviVrOu4Q(HXx+Hhh}XuqM$U zx~vnUWeXX-vAvQAL1*__nQ_{;SNuDFwH2+~1jJGS19IeiJiokrdYbQeB9^+>?_N_$ z!%jDA#e`ak0A%v(i?=PfB$`T~nTiwv^D?sqViYEJIYB%!M&0WOQ*k+?trx!U{Ai%p z_vwO(4D!s=?bNNcGW|YEWGi9;cHHj-ec5GB!Y&Sy^2nLzk4?NIkx3gHX0N}g=92W} z-iEDen7)8Jnr007`jl@OfBGN|56Ug>mc++yNA}e4F7|G9oF{IUdmaI9@Y~H?i-2dI zZ7Wvy4IS?5)>S)wNMsl9TF_u1!Q~O2HckMENFAUE3n(teF_#f6d&lF6Or6LQ>l9xl7GS;_U@%w;)yQ1uJS&E(-2R+*?9C6C>|@H*}? zlgIEXUC)D>*k>~mc?111 z2cyHpA}|K2V!A(grR!2%Ijo&@ah#V^ld&Bt~dN@-C;nBmDx9f(GXFFZ2{xpbHIt`8&~!u|IbL>w4ewG(l1i z)h2r}@6e%nIEhUK145hA=*c)UCRdp!_ZsgZn)>r6$r1HcX=F`p?3yfoI?*A-|K|g& z=fujWA2QQlT2XgO(6<*vGr-hpCnuK1A5}^5v7Pg%!g<{L;NBop%>Jq<|2b)8U}|zL zR)X}&`-HSo){)6agT^bU-yj$Ev{}tY%qi$GZ$LTuo~%!A-E>XS<=8bvhyMIi48%-4 zbKIZ|Sj!WnSwmWunV%N@X}k|k?CboW#(&|?#_&JHe-v0{`Js?7IpmL+0T-}0f*)pm z-$FNZX`koK1~xmBL&#xpNhsioP= zq~Ik51>!+UsVNEP^^Vb>=B?O{zuDVhk%l6u+SCD8Kk*PHL>7LpFXPYD)-c ze5u~AYEAO3m2cwNjUS+^-=3+Ixe0S5xKE zqhv#Au8whtAvf-GIoAuABmte)-d8o>;vmUDja0AL)FZ-xK5XXQl4*rV6|`K>Pma%Wzh+s_-=5p} zO4ux8ZfHXB5pn~V+AH4jtMHG}-y%W3ye%bV^1TjAZ>2FA`UyMSBiiSE`g#Y2>=j}@ z-m{HA+F`FR94%#-5&%To96)LP?)T;{zUmjTf$lN>L%{mLIo^tsE9YtUqQux~+OWiEvw8aBj7u2wu$r3=NOXvj^co zAwD2^aBw0Z5^~Nz*Iy&SBSb1p?+j#xxq%3s!hSA1#GRx^JQfG0hJ8a=qc+LTJnES} z_m1y*j$2Y9$Iq;s#hZT~6MhQXomvR9U|b?ebOn#{N@SQs*bJp4?L3`4cmV@YUd9{1 zS_W`nFatPHp5RbuSgrj1Y=_>r{%_V_a2`W0elsT=XT}G(Bf1cp$sy@C(T3kXFkh~y zd2M!o13h0@s{`<@7l5sQcEkf+d;|x!nB6kIZcw}lB|3C>R`({>ir3>W<6O`v?#+gwAGqkq%Ed;8f699MpIb}71`Q0{1c9d)@+{r|qn^Wa6Iax>Z zT|hn#$Kj32ekhV?dJXC5%dmt|ScZYoFURv!QlVk~i@2O#kIShz0hg2GUp%J8Y~y); z;v8@$e_lAf-w_q@1wQ_J@Z_9pz%T0t)u1A2m2QAb7#OJTG3H$>g@&SbuJddBse9DO zCwBIVZ<0m77ZZt?mr)iT$J%Chk4G^yukb+Ud(^c+rQzFTwpR!x%GUeqM&`I5?T7m` z>z(}73JIfYI7RP#FZ4q1U`|LcyzRks{Zr@#=N%y!QbcE5&O<`beR?71A(8K_l-*2o z6rcCxy8z;MeXsnK@5p&iSpFK-9|<`#2nKXj$eTTGi*iw4uG}Kd^upWZuXkS5BKNB1 z?O_Hd1(gVMU{sh0#p9?rP0pj50M1Ny(r40*lH6VgZrCeiGt(UYRwBruU;f_zVjRRu zJRi@wtLUlZ@5_bW@(ED^(@r#2VPyA5=IM6w zoj{X&M^&>sH`F8hB=pjEdNpH9&xihSSz0}B=3e-+k(cO<=~X@5JV*^aVsNB`3vYuT zd9Tco^k$^#%~0vhNm?@6H6_Gnc&sTw`GuIG6=Azms?Z7z zCLn9P55(b>wYZbd-uld*%2yO3bw~8qtQFZK?&->(DVL1ijs<7pqmU4c5C^W1v?bKf znBn{9V)X;w;a@Iq%b^FF-}VY&zsxii1zPq9gal73_u?&n;*p3#Jkl!O^{dGKS#if1 zN;z@2_wdUo8$|A6=uTd@QREi(ir4)bdZv)c5Z3$}_0DS-7tz-*D1AlK#>is~%+X>D zQB?`sh5Qsz+k*Op;HrEPF^Hq5Ow{$QA!3{XQ{N~>iOIgwf#a7aWlTYBm&-O z$q<7zszMZ&Jz4c-n;VW9k4wlI7yqYJAS@m%exqCvdURcqg!|`?KGRd1++n$^G9L`L zme-uORKm_Iuc}`ft2;?PR(l_7P&)CxpX`0NaZy|ui2 z6fQ4MnaS{KLLt`0GlS@(&bypF?qPhKg~m?imijWrj*)l|>fhR*s(ksA2o!p9D0$e5 z4_AVkJY11Di!>{wn3)}F^c$oVD>Pqes)E7iTcoK{nljC#o$W0LZ+-egI$}-9pe{dl zX{0J7-9R+U;ccvw1XO|KVPuux=cpsqj+sA5Yg8MXXNDGz;m5p?V=O=7-}eqmuz0z# zebjuY3h|H5R?lYubEiEgYe~djRqmENYUutH?oJ-CP+3pcR3=y9M!iA|a+PEE1oCL( zOkf(va^K0BdTjDQ_3Rf}Y-0D*87U9VPfrfWujy*CqttVG?Pe6S7kAIAL|J=)zQA8O z1<=iiVEmyo+Ge?j=E1`(5vRaX$=Za*JmQ)0^Ed7~x-z8N{FesFFmO^SFp1s^bG= z?meMwc?@^MoHx8Wn^aY1q^>f2-O(A8#UG?xOyo*m&@=vhp?pM0?@H6wzBSRep6RR~ zC-oo%&N$VKx|eI6Q{gJ8*0zRRj^obTOS-%OVqHyRC=3?YdY-P(!`2j!iL}8IrII=U zJ;SB?V!)Wj#r<&4TcFX(G}VcsQ;*a;bJ@y2>+>$x2?gH^_ZJWa?oaOL4j0AFzxYG7@4@!ZCn zo2KR&`(q8C#H>l5K(0`)UdAmBW^P?h!^>2G*2Sw%{i}o}hSiCuVY+7~#JEJZ?_1XBNVxLV%vOg_cK)(Iiwb$t2MQv3(&M6b^Xd{UrXc<>> zI7|EngJ)GUIAk6Opf>QJX5nijWd@h{G4MrHDgJ_lSi?bvaS#`r629nY_EbY}qzb(p z#9W~M_4w^5?q3)c6B@36<_;BwcPtTxX3z2YZKr;(td!41%aFk6Hu{?O&@@)RH45FY zj{jJjK{FtFDeD@&2l#W^jRxMJk;LB;J0*Lrh=+nD_`LL%j;=MX`03?=W|r$1H5ZZf zt+#TXye$R?rMMSKUx@+m!NGISiy1Ne6*I;@91CpjeNWWNzNHRllJjsda|^(m2k;(i z?`Z9u3&L{aGuQDDC3l>PrW!*X&J1pE-5aWqgmJsmj`|m=qL9@Qm1P$nN-lYZ9#q)L z2f@K%oZ(3v(_yn-!1y@@KkqF9fenrCcPP6L8Dz6@cF020U>RP0=`X6biJ*)oT>YmW||EPOP zf1j;u=T~&d5ENqfC1FGwCAgjAX!Hg_UB@l2i>3dgt{To-Y`KEslNAyu62|nib?Y_D zj+J6-N@N=anhM-xJNz3yUM62=PggOnsL;&V?%x#(Y;O^Xsnn%a7q^P)GG}&Op{8DM zn>yyP<`To+@E%!$D*cCcg_PXayhFnxvinUsrQJkW)cS%zuwaYgzNe48M(s~fH$U2s z{6`K3?ni_jF}UKL{1b}YR zAMuybh}EI0DHPO6${Su+kfE5ui%)d5q$jds=ZAWKmOIb9%1SV11uVz~S0|4Rw%Qf} zJT7XJ$7aQ+C6C>im?gC4^D5;q_n&>G9NxW;NbObH@la0MaY^!6Fn)IOSY-ka6Wpqv zr#$bOvVBzOg$#H%V@_>$D1WQ6aHIRO716Fv=mR*h#~0nmO->=eOY(OwbhU&l%#i$g zcQCq~it~H?H)?qW@{Lfx@(ph+MT~b&KLT#MQDsK58oMf_o3hMVlGXBOjQj}+EeGK^ z4~g0)#}9Z9%;%8rWpv({^-GCkYc^~cl-y|sEhdU-9&bZbzo)q3_RcLmKapyY`{SJd z9ra7Lj0Dcxt>39`;pu_FPU;>wi(QG2vh$SwOui3_!!^_7Y5eD!X)=d|$y_r{uC|7h zrLJRR+DKHURD#QwH??8*M~2?cOYQHU(`ViqjLQ0(D}~qf@}LRP zjs+$`qB!G=47RbPXtr5DaywitOp+8cM@g6z2S)63^#f%hQ~z6;)HYNZs21$IYWeQK^pfA!xrDf^7nqRi`i+*SW8FVU{=`u#_% zwUw0F_eR}!!7r;CL;|<(K0-{MEKDBG`-%(h^w*+O$Iyw3e=whit7A)T9M(`zWWe9cjCk=N(W7paTT z1R{p<9o5`eb0dMH@YHldtKNXK`m4q{Wj8cBF8@BC<%UJ? z{rkeNo_w_v{=`{1;_eCO|Jj`b{?-YzTH|%?_#0bs*K_vapKMKzaGrj2(#rB{&z-;B zu_9|^D_!HP2zEca*Gyfc?g?kbrT?czJ!wSutTa^Y5Ps`y2W|^<1e2%{gU5a^-t2T$3fQZa#s}Y<>^@-*l2rl>jlH+UUI!NYxhfh z$?O`Ke0Mu8tV$Y7@2-26kGp(13;M~+@BR{zJ|dXImsRcL?JI#;;A1De)_*N+E+b$a z1SqpABu($(#QYWP+wrOpb@wy}UYBdVC!7G%G5MvY_E>nQlW7k{;ZFJXq&S%1+mjsK zqT#*KOy?-{#wFwWSlQjHOQM+$c+&Psv|UjiE35km12wup%_PmQ7|` zg8`W?*t@&yP>VepyO^4z;htzFGb$R!^MP8pGv4uAq8mCXN0I0T+<|nBiEda$0m-`| zBc0vD`os!3K8DzmTb;71J@QgJs5$UTtn32wQq>&z6@W4?CrfW0Zw??E(}3HL(?};} zBDIxH_+=_EFN0&@52(Prz@y-AKnBWOy)EOUR9&YB3MpJ-Nnh49hYv_~W@rW)(JUI#eKucbcSSX(gLWlHyXx4piEGPJoqI6X23NTevgdI1{F)K zRK?_q+la@dPKJdWK%}prPK;1UVj4|#)Fmhc^cXY!1AY_(j2W5YHRM!eBRi00cAjl) z>8hs1XL){y=KwO6?Zlnhg2!x`t^>}+&1{l_yI~Yr5+$*V?+Kbl!=NH}L>J!<4-UFX zf89iN>|(jm2IjFa<{gRJ*u@Dj@)O4;@X^IMiR1tWRPjjFJSukab&wT>BM8_uCU$Z2 zIDs}814U>mx|GZ*n~FRfa>bbguHjfLyYni4mwCS}`YQy!UWhw?rYTW(y4sZG=5uaOt1qwfw=eSLb~T=J+ZxYB`x-_Nt;eJd z-MSoW(nlhICq= z^1ipZ>|E;)6f8?EZ-pU~g0nx$BB1G}Pr4dmKro4FoOc^DU#J&rfTqS=h*hB>} za+_$O!nf*Y3eUu1-K!1>o++hQ9)A=cud#t8-SC2PT-InK@rcI>A`LI205_NS@MEtS z;g`-%J1$2;a}3MnxKM-c_$L`XDw;zL$2=i{-gy(THK$D?y9u8bGMJy+A7yoE;BQ%B zzKJp2JoC8LP5v`OGvk0Jn9Db-?Ox_tL_pPWg1?Oq=8w3JLc@5p ze}JbK!Oo_VF_JEFtw+905kyDAMiGtCY_{161#1a@9CvVt-`Vb~0!y1ql5bn`ShloT zF7`{!Eugs95cRG{-UBP6DZKHdZqBe*id)QaF8;gXm*BEnjPfJ_hcuKYHFqZb-!=>-f2+^a+R`{alicgwr|FrZ{Hg~ zmQjD``0*80xz1XA=qQ&LM8WcA`Ok+Tg$9jE^70ywVA#4UuJu=i-m`nc#{8rf@cUv9 zDRS1;ltAy~;em*R+fcY#!Tb2p!irQU28mLiQMqn%kJ`_|8T1yKq%MOa8h@cK1Wb~g zK#wAQlB>Q}XmjtvI7)^I;u4J?&0BACV7Kh?oR!;gO_CZX!oMnM$Q*LBmR2NOPf)Vp z6l!&E>ruKBn(v2V_Nn7cQtcH&0kureCZ6cOE+^4S&PlwZGkznSsA&PZr_rI%8hm6G zCG<-yRe>MECX5eGnYru=w`NO}JEutfE7l|bLYCywYWtaL9wJukmFSFBjIur>OBP0) zU_kYG(CT?N*|{DSp3GZ#g!;tHS%#&0Ah6({t(D>Qt?OG3S3a;Ued`Ze4iA`nO0x6E z*$ssiG?t`qeLmUQ-Ew%KZB70-`yUL+KnxkJwfHPxm>*1!#Vg&`l!!as3^D&*FKYmQ zdBmLsnPAeO;ZFu{*1+E8n;#wHYVz+8i%|6^)2isOLX|j zPT&(RN2{0CVAvzlqB3e&I=mW3r~y+RC4~(i>6A2lJbO*G{SqDZHaH)_%xVfl zQa$YUF0lkWn!;^ZQDnND2vK&|wjVJbbYlHxNLqXd$n);3q)NB^?5>Bk8jzzm{tvoY zn-)Z~Gd@7H^;RL9!uG*=`lVl)f8vV>^Xg2tEM0y^y1XUg9<0x_bdRx?f2<(Q&Da<) z0~~*}J(}#TwEj9n(9j{)l6y(D(FqH#!F6ilpY$?~f%k++_u+XQeTZY4u=nAC;ax%+ zrUMReWc=s^zJoggDj&>NQiTML6ImAn{=l0fSPJ%!sp+awvGmsi&;y3QFwR`X$^yv@ zO#gNi#b&?R9C%l6djiy;=Gi77ZG2EpT0KOE1%wo^|E;(LyMbwx^~gU9m}mS7ujG4& zt-TATABsH@ujXe5)~9RQ)8*6ZGb>IZPyHG;`$z_VkJbO$PYN6106XKB7_ERtkoI*G69~7rTsoR*MzLaV%lNV} zi8CL*JWv%H|6rnq&$tfsgxc*1oLpuv$iK(;sCF8q6Q@Q~6FkI$+@}V1H3|cc5t7OT z^Z0k;&Yh+iNc&jJ$A z?i`s9yzme-VJAEd=k1TiyB}9>eOl7v=f(o>74<>*pv4QR!Y`tXyupica6aK(mB!s< ze3ZMn-@=pnFFcmQl^af2s;Z!rLe?}nMw;AK`HJc7iJE*FKCqwuUhun{{C+_xBbZg} zA7w_l>327Ib3x$(5Y_$eCeJM>rK60w7t}SoNAW$4-%z6}5=!o{pj(wMJ)<);+Fch5 z5Qn2Tk0&}u+k}!}W#=fr8d{L=K3diFi^+-kelK%Pm7AtckU!?<*HNM9Q`r$8>2|V6G@TSXILxNUMhKTTLiJW8T8p6~tNml6M}bslS1u=7 z1ff*^qjsQ%oVx8!`o;>`5{ZBIWCgS^v__ne1_;c(51xIiCEkXmodI^|<>e(rFdYbK zEcZ!{T*z7I>p|2cHZv}1Pi|pr!!fYvrT4ilV?R@IIr@tZzA5LP>+uY1D?Zy`&gB0B zlIUo9el7Fo9w7>H=IxMUy-3?foQA!L=_*&+EH+yH{w7MC=E_hy^$oPQ>7^0kdpD+x z;#wGP?gm*W6}Ee2bzA$qgiqDe_lev?o6UaxL_PbN-!rwxF_|xh*${VS8f#pETafv?uV{wXV@C_UY7{l`4Vvg_;g6HPye#iOQaG^{9L(e&aTYppN{IJPcXKqb zIhuTr5TJRBZ5h@V(0TyCbE>nK`9sIdX%}{-R*KM(rvm5iU5t6!`R; zkB{LfDhR~Q0uch6=J*!#vQRy+bAsjona*{C0q>7C+)_QKULkme*Qf;6PSmvk8l{+!ds8g#`Zklgd+y%mb6SFcG822A3C(Hbws-i_Jw1T=!&aA;)G` zbg%lpRKhVt;(FJL5;TLu(2}FZ=lu5l@d!5G!;9!AF?OUrTbtdT{zz^_-4Xp%xe%)Q zF_nhmUFU$NZzd0%HFwa{wbk=)wf-?Pn{Z?t_I-d;;YfvvY82Iwog>w<>`Bs7Ky8d5 zkF#(qg2$a)Jy)a7)hPF3;`}&*=&6d(Oa?}SV0Tg1--!1TWWRLPv7I4m+sG^ydO?rTVGRj8y>>iG0X@IF8T`EJQ{5CU#b zVyb9ZHTC(>GJjxiOX4DcLJjU~%7sQ`f_FZMB!Ib^-}8KtEXwTPxj{>N|A!3wB6X*Q z5*HTKF4j;!sK5ZZRrRoxTF>p7MIk_|d9>+pw`sRT+qK#peuWMgIgZ5GdbBfQMGhe0 z?74t%5$-<6_k7+|gPZbd@o%v@qPTQt0W)j(iJbmK^1~aO+|}-jhHij3?m8d8Kkuzn z1;#P9%j63;<||T~n?oLk1~XyUCV_#RXKD7-u5IQPJJ~Mxml<^?o{=V4+kL4w^jeaHgy+^dGc2Unh=!`P zph7{#Wd(!w^mCNiL!oC#h2h_HeTsRI>=*fu{!J84vJi<1Yd=7)JTHAd1YpdXkrm3%bvjkU(8-y9!&i$k9tUemI0SV_DTmR49)jq7=8%R15Qc$)@d@q1i)2gEluUd=lmmI0{Q7)&8>zeD2S&MEZ zNh*(jekF^vH`=hzS~8WiXsf)IJWyjl)n-3CfT3g~k%zxtt5@FoQ8fGPr;_%wh^R`k zUyw8&ByExXtekX+eVshE(E4sY)!9$A+Rw5Fl-Qs@p^pyE8Dw`hogV0UgEY~+cN#Je z++ep5^FGe5R#PJC@`#zONgq26tK=twp$$4QkPu;p&>9zEqhE zla{hUEsFp7sM{Qjm5sw?61%^DdkH*z7&SgTzpjE(98hMXjdfpj$Od7@5ImN)c7ln36>)I>`BS`LtTX5zKyF5CX|$88{ut z)(~Am{$WfNlwTu)*lGBt9D{45FcEh@+;Y!-OhF!H#j`7(QOmAE@H+)dgEd78hK-D! z@5Hh{9~!Xys#>SMI75LxhDQ?=19j)L+C*X6Nu3`{-455h!|BZ=Ds_GqX}X!82|7JH zz3JgpBUS@UkNz+zg(n-dk(x;O4iiDx)b!Lqmd;7aTd1rAJIkv@6&)3T%T;GYX3HIj zRACq%Eat$b&#WfW(dAGaTft;Dj6&&0(R%4;JU_^fCz?ER^Z_#(m((cCLn(bxlruwm z`}Z2sbA5(XS~Mg=-*L$PeFjx}!a?Qdx_CeAXM8^@8s8Cbe2;kJBlf^&A75F~_&Ou# z;s5@FEIaWaefnL*KaNrkS~dy~E8h_cHWWJ2gb#$wF6=sg+e$3cUSwQvCXbGoJy!Ec zrd`mLSPIDt7qC0z*$|2A*`78CB3}kxL1{Yqlq>TzFQB`sEC0JZqx1!x1XWF$8x{G# z#}_tD{8D)2WwH-o@B;WP*i`drNL%^_)aarm@sOyXB=3QTIxy)dkh=&gbOf*jA$m zxd{#x;}_9RE0U|RR#_bo&SX!-&1UPlwXj>>Uud_#Q_&P8M4wbuSB-|HJs#g>JeMpVWgn zmW4`25p5Y;o^AHC^n}L$iN8+j8XpDD=$s7JEF%#ae9uyT6_0qyE`Z7_`552w5Hq+r zhYy<}g|cDkPwGM1aAaoGtfi&-J;egE@UFjW7f}ePc){XZ%iVF2LBi2gWMl5jetUVV5UxJPbtjr_V-?B*Sdv2KS_!@YmpHS(EU&SX1PHmY-~M z{!Cd;+5JK5FIUNdWg!NAr?hQMSk9&QSI@1)LA>#ZllO<<@#B5*cdiF(@R+rkJaqH{ zgB6Hfr?QV1VlZ)wJ{^PMObRi$G`A2@0azNV4nR4N$K%|7e9g4J{d>sk-<&@En*kT; z^{?{*LnyrdePUMFK0_!_UoRpQ#r>OY`bXbpW-=^`Il&Y5QSP(zGAK_guWdYF2~5Zk5+Jxv>WuHgGTi4L&j0@JXM(eI*AwmMB$tu)8Mcez5e~VCm9$ zFyMZ~9p2I!Gr6j96qv0O=3PGJk);3mw%WuD*ud0kYtd&KOCCJz&HH^cEGwg+@4)rb z`<{oZ_PspU_lSFV>CM5irSpTO5%-Yv{@P$5ldWAk+)#?5gJHh=MqYj#K3Huc2>1JM z=$hDf9P|5szmvZHv-O|qs6zV>URd3Zdkt7IrflimV@f3mI|CRKz!SpKsxil7a()0F z{LS&afEGVj(Ep$3;lCdqQ+CAvBT4D2p;LuZ@Xqfu1lpw<_G~x31FYkOl%79G;Ifbga1ng6GYoesN2 zox;1+O8=iCEI9pN+z9X0^FwWdTvsVW6LohlJFcID1TxBuiK{`?am#VsmPe@c*kXNm zJ<V-^Ykl zPXfL9WfAU{1A&|xM5k4xs=@5gWgIp9ql##!F8EVKS$AK+A;9uLRFQ|6~Gx5H!tn-B(}y}^)bv<`;0P=gWh;m8X1yX@m|aT@~THh9aR?9{%uXC zzk{)h_K8_zQ4J@)$hNqQ$3IOOp6%;q)5v%{hrg!&*b_%yR$eq73^9&V)-IA4$^D(I zWAT<|Y!PIJ)_~w*_A!c6tX|i7w*MrdnCPqjS#3{{?-z38BzJXaWb!$@i~8kW%Nl=S zVyKTz%uiyjrluWY=vG=wZl|dDS$#C)JoA0??{o}ittAqap)u5BEuJhn0=v-lRQ1VN zfN;<4&s-$vQojlmu$GJ@2VM;!zN^vvWVsk+pT_@0$&XyE+Y23wRjirW~)w!-VUW&Mul{-W_bMm=CzpYd$Amdxjaj%SYK2<*Ee zUA4ULKyH*yq{lLlPBRdL)eJ;$VP!1y7>g*C5}sy>#3hlXBav=2ay8w1c zq`oJaIhg$thjfvL5R9d+y8W$+ND!O2D}qaF#;}w_h(tKG*N_phh*n`GAEPizd|Zdt zsBFY~jN8rvnsx^=kx&?U+e{KAk9v+EQSYCIm;*2)yscjp z_+|kL%>Ao=rhjg0XsemK6U_Xr^s=9s{{`J<$vm7L)VOao$Sd(-g@z4P&$=x6bFzC{*5WH@x~G;un%;9V zPv%0UoF}6%Uc^73f??zXGWRoN3Bi_d*8%E`!Gk)N8sfYNYyN3Lryd7LhveFGls|O; z*N^o{9iOKTj|74zqMuGr#S?H&slxD`qTKF}fo)!{Y7#^(KU``pQey~o+cG=H+rnjX z!}Tlvnx1_J)Af?COFIJmx^_lD1xI% zq4&1Rk{APi$Gw2q$8RnZ+9y}u9~Jd^ij=3HcmU{4{5N;`*O8!BD>0ZiM&i#K{c5U> zmZ{SyCexOU-At0zl;uE^9ZdtqZB)@RRFq0~0QkG>Lc;i1Z7(ruAH-4OTzd#tV96k} zCKOHNylBGQ2C`zo9BNM84*lhTAa0zDS7diXEO2o41L87C`Ta>Y3>rep+j5Bb3jAvi z^hAF8gh+}{kYE#0ssR#^1>8!%VAh=fUWs4NP(euC%Z}ZU~=>B`QhwD44WI@G)InaD0-d7 z{kX3+EMg*Y1ojv~GmB%eE}O=eh8u$7W8Yk-dm^Prz4)5``FXg5pf7zjqUzJsCWxpA z4+oYSwS_|eQ67Ag2TNz8?NH&QrT1+8C}%*?b0XL|Y$_|GoL519JPpUdmX z8+HDY2g_z(X!0Xpr%RcmTK{snmknfgRA=4_R<6abere@;zk=fO<+Hu^%1wC!r(YFJ zl~`;1?1sMP`d2>t4AWk5em{2}f4u$$XJdyY<6+~F{vGJIe@#kptAa7q58dm1adB=1BF+Y&+Z+meK&%^e{Hlz$XV zA6%d}EqcxU!2_3YVWdB?^d$DF3cbS@bX-1EDn9K*-6(`->1_NhNCgO_qyi70hcatp z9E;8Lchr;bQ6AsRW>1Z!PHRq2Le?eqDgHKD%LlRLd^HgD@F7;Ymb9s*(aH_6`tI4M zU6C#apL~GDxVc-w&V>le$3LMTP$tTa+W zOBhYz6lCvDtZq5jl4$QaDqDHFc?Sk_+qpQlmV8J8-i)`~nRjaK$`1uY$|COPwKmbM zk=Cf>I$_|O>tAi#_~7;81cR+~Cu~cc>0qMS7GyxoD!v<}P`dmSC;e?GD{xiti+imD z*pac7p*<$fR;(rjLnatq&mELWzO_(*Gu__*0#$|L*K;xQ)m%Fjv?K5XbmT43=2Thd z0$!QsOJViB=3)e)>#w;CRb>A>J*jtmnYCmul|&mhT8loAev{~KO1@o&W@Oo%%BZ^$ zOVo{7G|@M@>yz7$$eW>WKq598j{7ah&ko4X1`@6vT?!r2FA%2UFOa6S@H6F3!_EXj z3h>UxF>JJq0OywB?qx#6tmPL_(+40mLBw86e8_#y!nt(tlS!p^@!k&+f6i|d_D z0{KK;_KbehtEA*;MLyVZ&nq;Kh>Bs?W?Z~q!QAs)T8dHuO$RJZQ@%^*X!e$ z1i=eF*4}{MYL4BZjI|sSYJ5+0EW^DN9NNbC^jOMbbp;}RSlqW2a%eGKYTSq z+LtJA+c+=Ywh`fES7XbuUfj4f1`qM!!Rc)q<2Qj8D%OfxP3t{PK?gzrG1`|0m(Y8; zQQm_*0Ww==Eg#$9RKj^;**XPWK7^tdVx!FNaq(9fUaW!hp(~CET zAd-W+h;^c(9k#g0R%} zn?=ViWVQV>pC5)zITlEKvHeg5&KC&#;r(;0pD_bc+hP+R0!-h`h=OyzjQZLHDS1@@ z+7@Ii?k&8wb;~5Q9Fj3nWzbq8=dH%z!NiYxF5`)^p*cj(Gfo9j08GBOeQJ6<>0NsW zNNDYD&riu->)xyO@aMFd*1fOIw7$M&rgh)8D?j1S8GGf=OzY0|ByE(WjgqvHq&qf| zdu#u>*O0qga(7GaZpr=PUTfjC!-M>d4X@=W%Ym&6N$eYmMNY#fRvVi3CHq#@#&1wQ zLwXC*$~g50r>2K9vmFPd$Nqk{*IF=`hWlxyd#1HHHl9nuF8+6*C~z#Xk@_*>sNWL{ zv#*(9xs&Qe_@Co#jS>(7dFmJaYGzAQi^Nl&rKp|m=PqUU^!X(8j6zx3z zkXzM2e8|I7754_|J_7;yqz{NFE!J_=Z+TPHyAQ&SQ_zzmM72D%{TGd(gjiBB;Oy@LZ?i zHBT8_7W+_R7fxkmx#&asm_pnf}`eneyi~a@zd$JGG^oDX}>>ohG{FZmR>G5?k!R3i73${Fp{mSq0m!&$Z>FsC$rjjjBtTI9+i4obsRGh60C54$4nj-Mx8DT!n5hZ?Xi3nv|?3L^GM z49b=@yA$#l1(c-nJU)+eU(8jGlpI>7l~YB68UW60p{||;{dknG_^r;NLL>l07)wa@ zCPn#){h|DMYNS$<`253I{Ng;ha(r*%RPCVco|Ub@LJ44;mG3bCkp5pCV^;kt)>4({yK-jzsUdN;kde=|OrK4Hh`Fo%HR@@PCyw3b^^K1BI5 zwfw2Jnupn&w!`GY;0hJev~PAp+iC=K=isYcDys#bPPSpS+e95^4&G?wwJX7u0)MeU0k7-xA3a| z8CY*eG>%kUESc`8YHRASUb_`5zpNOyr5ptsAQfjppT_z~g`Yw!l zncaHy>s;bnZS|z3myRjLyZynCwP+ZxWJCXci8wuSGp#$sa6^2`NbbV`8Cu-4i{Jca zsr{4l3H+gMBmPyQz>r%{w@k?lYY=C}&?x;a%zv_i-3SolW36At>P~jow!T$zfR+!H zY{CD?i1c4*9}k6Q*SKqwZyjsJ$q(rj?%;yD^Ie*`Ong^*izPlWRd!iP$&eE3FEj3{ zR-#Kty*i@DR)yC3!ymzAVQ9lSB?kb3G|D-O8^h)8CR(vJV|@P39=<}Rvb9$xa<;{< zOc>Kv;v~1INF`$Yp}Tvuw(u@fUt0%R+`Z|f4&?yg{=ZTUry7B`oLk&2=Sa6M)4pj8 z6>$V}c;Q@v$?S#XK>sl~ijRc+6nnb|qCYLB&ik58t+ z=cv0Sv$LvhVpU6VdRWp29-n@C%i9xMUL>m159(Bh(~o%QIQv}rq_d^?7e95H^~?ThmiGNx=!dE2%lUfF zr)$7??%93nJH?O)PjYQs6tY*fFcXFQ6^EV!k<`FQ>dNv6D&>*XtyO5IbEJGHb$Jax z9};&xb@_0fcBa0Vnp&Qk6ij`!>iPKXp}U^@;^=SAvsZrmw$R1)v$sEZ-!~i<_#S%G z+Z1>q5`Hh!iCdyKx%7D_u-6W6u`}&e{)b>-FV{KmkctW-A1ayx>muQgGnwiLs$3u1 zftQ=Y2klIT0wz6}OR9(jUJ38av{wf@?C@)LW>uA!5cCts@n-l?W)-dPO5I(zGw_NX z&f1v{GHQCzPoULbMZ#~9GqA}HZ#C_il%StNp3RZ)KE@LGtsVYA+VfL_f!}gnw3Adk zF7bhOUk~@_8180lftQ;6W;K~1ycD6pJ0_XjUEu?a!wwLd_JBagOCe)dgn9YUBv*)b z+a50Ekg@7R?@(*e-vDMgxgKb8Lrv~|<+gh#ywihKHnv-~>(tn8BjJ^&4KI)bLCJqHh@z30cn$=(YR^_te&`!8gOpVrzd#(9YvP3-draf+r0J%eTXlAxwX z)=cDJpNa8q1!ZH{OKtrmZ|*-?{3!O5`#<_mmLc_%`!D-XZtXw$zW$TN=~+K@i!Dq) z$tn==!lxAsUZkM?@W^j{=fa(m!Bg3%L?f=0-`a5Jm#@PbZHUAIdYfSCUX8J3`~WgfhQ9QQKOUk zw>oxvBuzh3H^d@n8W%||YlNR)@oLe5bzX05w&XYn6Lx_D&e5y{r;}|S%(C)ozv&@{;~Od$a?Pc z={nulecjh>>Q)s$ruDz+@xar zuSS8U31{k0IAc!H-{7b_jw^=G#0DQj<{Bz>D18nM;WMe3pU8%K z7Rfr1yFT#wfM4Yx$70Lz2ZbDS{LBx)kXL1Ma)ftbtz1{@JTL_dVU{c1uEQQb-Kw{u ze3LaLf)XJgf<<)zNBYh$$+}_UmdT?f{u7qisNQS8UC*s&DmPITH;?TN8-K@}LdJV7 zCd&YMGIX3j$Ytxf++EwZ67Lxkl)X5ZB%#QLI5kMvZ&&}(b$|cFGB;S6 zuNKN|q)dWGM_J=V@%D$q>q*CS!7AiwFK^8jvc@yIJ#Dih%7IDTuQe;}|ExJ^|0|8f z-e!WRB+>`28oDox6kitnL>Bb@!)atd6($t=TV)1_{8=`G-kJ;%q9)hKerBHfa1Vv! z?f>j1zAu*MIO+q;j&2N3T`^xrKYZV9^OVnAL`L)-5wB{T{L$BYRp>Om1^VK#OSVYz zsSdG;4B^3QGnPb;A-KHn-SiZw7*AvR{$Dh9;FzTMD^{Gtk=`HpOu=m$<)s;vX007u z*x&56B0a+dq>dkSE*4+)TVEaBJlWuzlbOnK_3?6C@9=mCCl<-Qa;3K7i+TNDKAnv5 zaUpU}w69Tooo-*F`IBnSZ zifUF)Z|LaXPM|4`|JB{Su}q{_lak#xM%wW7K_-QsEb>}qkK8cSpW_Fws6JbFpZ75B zq-zg(J9UzU*Ag{uhYQF3!Iv46S5@xuC+_i5%=}8$vWGRTtnn6PiL7LS7gq94ky0iS zP0pyNL@QG7EqGkfEPlMQ5k(pQyGAAdSO4p5zkl;f(2HY%_i5)rDFhnyHj{J$Kc-Ci z0sYyXX=-fk-Cr86Y3+Tw7*6-K_WrUM^jr70Kv?;o<$qUs@?Pl#&oh04Uw7Cad_hfQ zTX(C&RhdPseiCI~Z@u}`|N#sz+$k;){t z+g$oW{E$y61KN>D2($D#-NQ0TN@GBHkpW&2ww(-6fan^at_abm6EcYAh+#|rR=W5* zKyPI^3~urNkC*$`jKP-sOCy#W;jWD|WT}6{dS9BEQCqUwEvoO|b-nc*E*rvdST+0Y zj!UBR;Pr!kk!lPSd*hr`)cbk54mE4P)2R2nt8D3WpVPVeM`fh0A>#&tsDTxyIhF{a^%t-z;wK?|94KT;%J|!Pk$(XFa{L<^-bb=gqQ<98#Af+h1BlY%A2$y~~Ibqm9d z1ss=n^=dr*{Jbj-Mx}2y?SEv}8bP18<~#gNwEs#Fi2zZxqRAb_!Uk#z^v)pR_Oj-TH;qn{Ct22W2LTV!&`A#1uzUjlHH+>8f-r$FjJFH~ra}kXoHl;$_ z1QXikA&(qIXd9w?hC$yG2FV+($YaSIYftK?IWlB3S)_`?Cc8~{ElQAfP zycqYKdXyLA{tVIV_y{p>2r(|r93#eQaX&(gyPT>@#W+NO3A~6DpYVH0ampP?coRNE zhWp3@@f(+-i75Vu?Dip8V8i;QN_{Mr}bF@5=-^wRC z*{u`#?Ql_k+v*Q)kB2(-5NPY0$Zs1es4H66%`VH&m_-T#+{?P&)(AiUT$v7=*dt1Q z<9(8&$Zroh`E4um+r`Ll1Tt> zXa436W8|AV9Y24y^#hh+JB++1zY|4OGwY~#YpWO=nl#M0?zH)|O$KYjO~Eybji=+8 z=f3cImQ}V$7&6VN(w|VKX(&_qD{16b@7CY(*>rbhBeo`-hjD8n#chP`yeO0T0anq0 z^F?;97r>^|eGS{$CwsSMg?||zdU6DM^3R0Qovp79ERK2K-Ml#JE$@wDYXxUj)5}by z!0#t49QBr6nE!A&h&dx4Q^<3^Vr)q4w-*j+F7Rt}7&o^1r<;YNZ7N7LA{#|d*T zzBuBoJTRKS%U&Vr9sBCz>plBA$k!qJI>y(aeLcw+C8*-_)_%l$@hQr`cwB!D>CZm> zd3kYDkkCbN+3SnF9leU*sgVvS%d*G#v!m;vSEUcj@v0IJTH-TG+({+N-sR7Z17uUw z^4(a1Bq^ruIEI`ju4yJcE=C3wpWCZ55_ZrOYR3;Dcd zoqlG@piqJ! z@5E4cbb4FM?!&qOwqt+h(hB?jz~8Z#YnS*5JT-lwF*WT}R1DY%Ro2tcaT?_Rk<*gA z%ZA@4>3E@H5(C(PR}4K1t~Gx~ZWE7-%U!37Y6CZY8j~}S8QoC*I6H$jJLUfWL^qs; zLjPBVb=kfe%XH{t7+7*e|G@Fo6(Fh%)+X1_<%~>URrPZ*S=U!Z{oL{mP=m4uHIuo^ z4{b|b#^Z3W{`l_$LY?Aw$T7Ow}{hTxM_07TQfU9rL$MW^fnY`f?)i<6$ z(fa07O;x6CfuFf-qD}%D`KZxHz3X?5OBM{fs6ks7h%8fwp0%N%Dhq9(0z6(oXqG~% zMU2|!^AXE@f5^C;-GRoGZ5wyj&@MoBZaqYa7zS{eY2*A^au~UjcM0@l3-(IytvuTg zb?W`1#@MW9R-VQKv;AGQ$nA231sI%W9=6ndnWtVw$L9m>-0=i@GU33(eIA zop^@2Z7NwS7+`g{e*S35sMt<*i4NnUT;5_!0Wd~vU7H==Uwic3$Z%$+%Wvrw4;|Ab7g#lpjN{oBYC z%lrrv%#FRV%wKC)WhW4riddIo>D#nNYD)cFa#SMob8VkutGinG5qzJ^pZK}7xeL{BYa;Ct*&IxcwR4M- z;gdc^=_tCiJi2@ojboc?kHuF>&s7uGf#IHck*`^2bC;X|3V%lV$c9b)b;D^@eeCc~ zsAK4#1s1{PuKkX%a61k?=um-HcGej?e(^JZC8*HW7k$p|t0GtR?Xl5HN%mJJh9fba zDN&uyIcvv2d#1ZM!;I8z@dCdDh4mXQ4+n=!MQziMtvg35o!*I~q(u6$m>#D9IF6~m z_b3DXU$5WH1A=5f^HbO78zJH8{fTsca21RvxZUf!fnf8{;yWQtw{j7?TBC06$OOtLVgjR%H(=gmn;%sFXzMF zY+l4iqhjWHRb#!X%h{n{UE@{#alKcEUPt7FFQ7U={j<_`64=^jg!54L%8Fg4(+Ir-U`Gfx?qpE-;4 zvHYPLI%o|$8v)5i7(u-0T3h{?eoHp4rSep}guAi_`G5MS{Bn%s_y|BW;9WjDJ8YSp zzTf{B=6Cl;k4Y5vS08PmcJ4f3y~$K0KjRN(_kR>Gznbhegxum2u*Na1L?K6%S6(Vw zdn<4eG8&kqjN z`TY}lzB@!OycE@cuw3nopiGXQ{9~cgC&^@Zd8hdr<9?c(%-Q3R^eQ5)k7}yW(3_dt zl32SDmqpr~aN&b^c`lyle_RElSPc@1=$593NH%6 zVmUfp@6gPp+srgb)f?3&UybEMIjb$i%zUTi{-Q=mt0Cn3+3cVo=iDK<9Zb1#R`*Q2 zSLb+{e($B6e%A-T>w@1F`xU_wG6vJo%p)U#O->xMXI_kMzEt}k48CKb$IK^)U-trf zGA>|jo|pHiz!c5{U-LdGignpe&WDTVS?yindkt0cpvQd7#=jIfcx z94aRZ2k%ys1=yES9aoM!ad^hrlG+U&U{{BFNaxK~eqrc?)WT68pldG=U9d28oWOAf zMiCeyfPMYK^3fMe38kitq7^J5HYdAs7o_*KzR5N0!(71A>9xRv37az8pFZVFu{6KB zsyFK}{b8H9Mi)4oiN_Z&_)PwM}L9Kr6o?e*YhSNAde7{Ep`LT7JvX9Jr!6#`n5edf!MlDf~c6wG+LPu_bs?gkK|a>x;H6F^ecoR*eYSI(iN1XpUI*qL}w8 zh8gLwlz4c#9-KQV3;1@SSKomJe0T+_wa03^Biy22!oB*1tfwrDsU~%aY}~A-ty5%L zZ<+E$*+?v&fmRBKUlH%8nfyqdL4%Y-z z)E3^wX!Yzxw!gfo4LyE5d`rsj&@m*Tvf4G?i!bDq}XCI+Iad6NSW8n z0X=tlUW024_@nQ#7J`26fn!XAM2zSsCyvMRQfR*VVppvJYuu5D=5Q61{SBtumWeCd z&K^eWqG|+lls4067<^6C)D0LAjqAH{sOjN1?xMvMVB|P z3B|PuVD}-S<`(}1-Y0m0_r)^RUL4#I2%&i#kGig6#m6th-@Ng;J86Ib_I+Jmt9E(_ zt96gbmB8S0eh7~IIw!(;e#Kev1yja4PGnah#qWmTcP$iDL*jMu&=%uy@JHn@VQ>>m z8Qkfm3~o}9!ErRr{pAaq(!G(^Ufh-R#p^ocz^xH7a0?!Erq4ddPtX3iNS8lrS8@+l zfZm!I3{KM|Zm`IkNLKg;zLKlxSCK@E2A7cNy#BAK@ye7xOMx=~!WRBESNIo}QQ~*+ z9llmz4J%Ked~WY>X(7i~6Pd*o51Dkydx7pM5sEK0#HMPP?hDmh4L4*XYyU#oTXr9> z$VO839qGDl9yJc%NCd9|7B<8mWq*r(JXIF?kUy)JiU9uJ5F)dgYI}WrzKVptDv45tul9?An8XyW?NjnF2=DJm;?%3WM&za|EzJ;Cb z?HYG$FAjO9u?yK$j@C&Fiur|Up{nE1!Kne`nj&9+5S@7D?(ll@z<(Q4vXIr@Ou}wt z=%<=wjZf+Dj<=U1vV~%^_9mb8rkZH&lC-10S6RTVdsGCX&_WoWCDtS05+_H!XyH3l zeV&>Fa#Q^@FqpX!3u4Nwr;KcEVef~n<-2T->5CZJWF|;jAx(B)WSq+?X7Cb>XUMfI z$v{0&_uTFq60oX8*Vj3#X!P2?L*ZDasa~8A*FS7itiL`H9Bjlg2_}j;GVzow*T_+& z$VSd%e%K?#X1(pTPNfnNljUe;G-iz*GY#HCTu$*l@jC26j#h2Z)N_2%DP`Yd=;13? zgs;d{Ps8*P193OR%QKbdVOANNb#Ud)c!rJ5+Ol#v{@(E8!g&=(SZA9VUi-t=&9zg$ zc)`NTsz_=fClH*N;Oe98Pr+lq9V`2Ih*PL$Orb+>7W8k>lhcM&B(?Aq#NsKZ@jWp$ zg@d!~DA}XE(*K7lPG490YL%0Tqg4;OZqM14-qyN%a#4KO_}gbU_|tEhQ58$izJN0j z=*fZP9&VBIOb??taLxuqhPOsH464B$U#kXnvAqRH-K*YvkGC>TmCuV zw2_v}lMh4fnlFTmPop^;Rs@h0f~8{z1We+Cq(A_u;vA~@1gAdb=TaP#ZRjO4C5?at zPOt3KNcRqhkKy|lyKSJ*Q^Dz!ENHm!{ptAEyscgSTmcn|K=u21QE?xvK ziV&HHQV2{lBIO84(NT|Ts6ziKQYIMKX$@n%adi8I#EW?JQCpR_=Cc-*$~CGld|e~8 zHi|5;E&V78;`PcqAAf6dx{mD9r{V0e5|84m!_ld zE|Qb^#H{y{I|KX-1X0Sb7p{OxKQnYh)WGM5nT(avj(~7T%V7DKm|pUGT*a*e-$C_d zExL!|bIxe^u2VIv4wEHFU+)LlKNT`yRPh>O>|>s;w0x`x4(m82OUxSdT0bA)`yyWi zQ{7Z|BSX)C@ryX5Js8Kk>PU>oej1Gb1Q`E0Fn(MjQ;D_ej5?wEcLG$uz7*A~LG@W{ zLG2T8T>hVh0g9cxYw63yxQaFrZ=LeP{S4 zOgV2eq&BIJ7`moKIK5RFp z58ICE!j@C3jkgKFSt&45n@)8 zeAmz5H8VKenHYlyhf;PuEZ84>W8+BuyAIAp+2?svB zhv8~au)EI3V>SRU?6kdNa@zj&U3=RVa}uln#%V6B^?jw(tDHk-=kv8f~bGmM}9 zOtk}F6-=Z!$biD>Ts-vJ%1?aAtcbPdR>gT=>%<&Rq8GB~zG>vk`kK|b;>10HW85-~J;|QHQIQ{#SVUuupacYBv-(cbbJwrGP_3K5<(QnbpjEbu zYMjTn@$v`5UKmCj!@X4@oEl(97fHVyX?^n|WVW#}Ilx1OpCZL^Nyn&(2Zh_hEiRsK z)Jbx}kA@<5?&5Xv_R4S^Muom_AyEAY*|#~ctsZjm|9KlcRjj;Qw?YD|YqUfI7uj=hdX{fn4CCh&4TO=kv#{FF;ha)y zV5Amfp;_Bj&i6;V(Zs1Gge_%uWn_3~4WBN?^~sEy$OX~!%OWWgB16{w3s}ck<`OpW z$1lR4^@`{EYZQY`QB%4H0cAPYjIcDy#?Us!i?(^aAAA_!nh=1YR^qsJ+0es{EpbD;u2MQOBs{vynsDQ1i#J z!u^6D+J{MpOqHtQ<(NNr^9F0>7vrH#30^JCF9;h2cv&LU)qfg2m(5T%l+5Oymz1q7I@%f+@SH>rsOu74MbFk z)u}pF>o72mk;MGS0xpjnra<3vEA?1SF3M;|@&D2)9kDtHVISK_dVU`p4YsgxQSW)O zw7bSED6BgMGP<=qDG@RaT8$2j16?B?`JH;B|9>KQ52Ft=K@60=us~mE(<5hc?gad< za0_X9%MO7oA}@kqaImYRObqTFs3H&7n*{6>74FzKe@>v|ht^)N`K*9zVa51)4NI`^ z4vNHW>m6^^R(3hZxs9>3=6Nm{5542d@cARFjHhSY4x5X0Zw43QVco8KetJsy z#5gwKT+?@ru6|7OQbKi#;_)!~LH@yX>={+JMX2Imb~=IN*W&5Ni=>cE$%;iELT=xq zSideVTY@cKnh#m*r>U$sKwRb({C5>0umpeg{!i}3x(EO$HIC>HKkAJnLA#otV%4|6G9LlZ=w^r!DIbcCVQf5cE~hOO1fhjLPR zZUY5NU#yb{(aFek&6DN@?n#5Sq62x~;6-Hy{%tb|M$}NS4;c{-{DUGKKTjNr0NHOit+yhy*`-S!p{4MVZ?;n-kLBGePNJKOpD@7TV6Ig*|p`GO48BqVV)fdq1vE`Ysj!W;%9v^+^`Ig<|9+jg2?9zX&4%cB$e1G(u z^4iV8imt637fHp>!BI-{O8?qJkFHYYy1_%86-k^HAH^ldIk~SRVtg@jL0k=PSzF0; z#hKX5f+75Xd?g+_#QY+xbd?texbA|=Gs%mS0Ww#fNm0fY1o?KuIy#ixwV{>v(9dCw z%;ldBbRUP27rSrTZvZP`l$8$PAkV);{cn&vntpEeTX?Zs1w!`vY<;ut_I|_!D5(Z@ z8S_x?JDeb*2{eOj?f0icQK#!g`REtQ`5XU2HL}k18pYOIEHsx`thS@m8x=dxVi6*U zov+wMid}B8*I8_{-@30w0Ga$dDF?rJd1lHNVyzpi{m{$IiIjq48n)-S*r^Kdrf}^KF5Z*^3<5ReuimKS*y>I0hc@um)-8uIJkWvdM{BlRm9XwJ@>+;j<-6o-)KRi{ zC!w_(5AQR4s|s_C=1CinB8TvuJJFHoPF<#$WEGS?$uNvQBMNd88PnNkj4=;I+N&b% zemNAxYiociaBNuN-SHPD-k>UorQcY`X=`Nq$0F0O08k%0EL*2^bvPZz-@6#{p}r@` z+)m6@WgPL9rxVQcCJdvGd8;->(p$6%;Spxu(rF?efQHE`ybCx!GS<8OR^m)RJcFT^ z`Pa@~>*H;Hi{3jLdJA-$i+sO%DBD}b_Z9AYcg1*w>mW3~n=6mSY?Jw3;Ih41#WN&& zf2pKcnoBu^$9G2?I-(6*SylE-mKS$(mjOu{ z#+qLX)rT*UtXLM9GUN)vN^@FkL1F6fHr(w^$H*D|U zL%jiigC9rR&yBV(V8OR#`&sH2v$?9s2Kg+Cr4Ou2cMtZ|?uv$XrME_Fw}(0xM@CQd z9_Yk1EacRSXQo^nP4B|XZ*5Nq2ZS%wZnZ359aYG48a6DqDobs5G}M!RAzJ%_%Tiv* zG9jL+?u@2;RLw5U^|spQLs?pijb&@gqdvT&35Cq|pE^Dp8R8`Q209n<9@ywTu!El$ zqTU0~x9+}(pYqFNp^j*}1D~dZsxOI!wo|VQ%^>tLo}LJi@e+pAux0VO^v1y*(b^qR zToiXkYY&EApxNs2REp^BMp*v!Xu5N7JBd-%wy}0&Xa|`Vj%SQ7x?HC*fd3p#Zy(%V z+ZhcVjHanFpNnAzxfte*7XWtE)fr;I1DdrS>WYpZ>pjqshNO+j_MJMu2bx*YdZgZ4 z^T%$WJsM?`_rOjD#hrf}DWmBrjC9!8rd$#a?MN%1rXU)6Ar{)AHxcZQYw`6`f z-6yadNav!p$H;o=@zC>;x+gHdNcUxXPs{FQZaT*ILBqWNh1wy0abM$6#TWyvXYofL9k?Ctk>vq)T>K>1@W{12r5iK@8`J3g90%;MA z#GQC5%8rSqcLUzu1C^IY>YmbRO7Q(eT41kuwR9l={kXc_{|?F*ns@>nfuq14#ucXc zCg%2}>^2HrKZ(3<9`V2B%o)69Yc9Zfcvf(Iy`v>?Fml}wdKpwYkB<_e% z_UM}SWVo)sdb4W=XNT4TJFLmLg*)ojYng0hVH`Yjk2QS zFk#4wNh^V{jNlF$vs8zainPJ~6Qc0qW>v|Hf%fZ#D(g12 z&ymRTIo^$x3TJA%&%J6F4NuSCX=6^jHMcUTSm11sk?~&R!=^Ss@M|+0d&%hPfhiiC zN$qK@HH@@I?c157nO#TdRZTLH%9SqYeSQ9>MiwiUTLAH zNu)stj7+vAXvf%(gn0frC=e`=|1;+;g65h2NIz|xAG5YV6QvUpB=f0$W?4lEJ#i{vdoC1+ z%qy&fa6AuzQqmSPoxLnm&gM-bUrqD4hVA~~fn0gR_Q3DP(iW%uuxwm!-{ zbSll{doM^jL-m4{r`UrHr76dhlVaVw*@9DMmDv3gk0b$r5fU;eW@Y=E@qg=O0 z&CsVKEx&OT>1?@~#V$}7pzSdk%hU@QGOI2&k6ipRB)Y>IhQ$;z`E(>-E&IFlCMH00 z8;3Ze$ieeZw!fzN8x7lIgY49w%l**_Gwo=u_T(oy)%y<7kqx>jVJ+I>yx^{c;-Zrp zd@rI?MCfJ1iyO$xwfUjuYlT`Z1T==(q8W{JG*3-6K!GEd;;=<&{%hufhfbSGcb6D&*9slR45O0U4%x;ir&N`Zx{mym6{ct|B-5(LIwrz9 z-Yb?WXFN2JpPkcec5;;sFZQ2JUN@k+XPZC9o-Tru5?tB)nTNybfmNzjt(CmlppDB> zHH}NJUE~{#hfq`pYgpoP_n(!8ZlGhBX{Xcu|CJc`-V6d$JhLi~XVxNuMxK}ncFxZS zIKc~Hv@OpFHO;5+;jn9500e&B4nOobCoV|Cyf{-T4@1;B2YWgSgQzywvr?%GROd-u zTa74@hbqG~2^ocVV$C1h!^GsX*ps=AqeXZ-IP*i8FFR}3^~`Ua_;JjF@;JebKy%dQ zY)ULTn)+2EV6_$l#?%_2MI!WWBJ_5{-nNdo7kz`b+dqp~%XYmQ-vT^c51>?V4$-h3 z!)~hp2KGJpi>p%H2HU8Pe98jLAJ}#LhT6+=SLgAdAW|(RIzbFO?@l^ZG6l%nX+&W#4>d(Q|NKvea7xdgFGY&TBW$ zj-}7#>a$aJIY7wk*NgJzzqCKdx8}cOcz^!&^)bG0i5>oX)kpulf6w~p-=pr}q*R{& zH;s4MiS_9$9;F{{Hg1>vWajHvMdn|LZDI5jPQ$Y(t#MQu!wj#XJ3hXfzb2s!_DKDz z5)bLGj125W(RILTJQG9BcQlk7)5L2#UvEn9jI4h1IJqv*Ogn|B*k*It2p8vlM7^mK zt?%&e-{lXY9l5`0h)`k{4`9!I1+PrFT8(*gHpgpw{n}lqphsb|eVmdBo}=4n&O~Yx zb6z|`*Y(D|IRjjfYqkqwn0ATZ zq+c=&kEL_5SucC78S?AktgbIU>ounCwM6UMcet_Q z#_}q^HX9p{0~mb848G!HE{Tl>s?VY1oiSLIck2hVCf+$umKjxv^qv^UJ?;Uv+@y7h zP)BTAKbz*ntUj-Gr}Em)8PE5a#)Kj~atr9Z5E*VF6S&WlsY-CzD z`#iTfR%cXdV~O8h9oD<_tsTVojn(dJ5!Wa&%a9m`9IbVVYhbcMiDLca+@jTVw^l+v!Tkgz}k-_6Kl!=yDl z2sP2w@8WE0`4&E2lp8GTa}M8I>iws_Srr-oN}_HbK;HUB^Y$4~NMw(2gsUyt*&XHdpbx8yN- zZR=Lz!=_^(_{`IC)W)Kcf1Pr8&pfVNjA#{B=8C}|+6#)J)2n{L1rrzbfyyziRd-8Htp(^3oScB(ouTHZw|M3{F1+) z$UVxzN6xwVa3MyC!#dW`mWdt+&-j0gSiU1(4qBqf6}!(BD&i_{#T)wC%hytz=&g85 zq5X<~Q(uP^&q6Hir|^o`&*ks(ci+=D#rS?w=?4_p@31tAl6L$(#=BGw7ncQ4 zM6gT20B)k*wOXZz&7zKv{nYUN*D3l8&H`V-o!_!tKA=^-&#k1lOl|-ziyB*|i69j9 zUU`;G?gB9%>ab;ERJaff0&ftwGu+`;Jt(PyHmUh~ip0e&CRbx?N;Q2hojUmcBGhWyAzllg=E@Oef`%g6$={z5C1(6irs3$I1H>n<~Fy z&VAU_ICf|H)-M6sw>r-|_BcnKm^CJoOY%x3yjmOg$%jqbX-W=vahcA_V)A@>B^N{H ze%_ousg0MIJ%tm7VxhgUy0`s0w3*G46fG5Qwma`*OH?>s;MYwZ^JCye4Vs_3 zO)r|?(5E*6E$Wx3Chv zYm>#iuE!{|76;+ck$&u9tOsiT(^9*J_W84N-@h;pgs_vj+wq6OY+$c0?H67=4wjb8 zF{?33vi!4hH~p5Yqs@~fF9m($kl7kZ-{r=m4p@ZWJ}oS>%6MAYBldw-BGQ@@v5r9wjQje zs`$-vJ>!frET7J(QpR0DMh%uXRjNQm%UK`ftWi#c_|8Vzz9s)VF5#3w6IGcifb}DqhR?DCiC!8op3k%31|BRxKRPo0xDKYn)5TojgdGyNF z2|m06dyW!(<0eb~Jn@j--hSFzNN-|y(R#S5c|1-Ayfv>G(m6`New$tBnjWI!8RK!f zi!4+2moZLEyI}~_|B)OK2A4U5j)4(u@C+%7Iqn!)htrN*4^+dAq&Kd;C0vEVaAG>! z(LXLzeNn~MNb0BBDXoo%PcOqE*AtPBx5q^)9&1Ydy@(%qCzWkUcQtnG8`oIzR3!Dl zU%JfIWgY1!8$0$AyD5_TrC!4$?-^xVP^U+Tj#NC^l=`LIC{Xj6s(EXqV-L}tO{t&$ zgy<;QKUTIy-p}buq+&}`>c>*31Md)~v0yeCCR;z7C|=Rsl)7EFE!Hj!pGDixQ>Y@F z!s}5a^cG-?k<=AoU-k%{%zFpH;S7dK37BA5g})!Vq;V4?_@9A*ue|1 z+Z$Wny1lXfxk&2KzauW1?(OIsrwg7nq3so&%=&s_(*r~{mA&pJ{J$!ukC?`?LyZ+( zO!j}Xk}hhmo9X{Hb)Jwyr}=mS|NSk}gh0b>8bvci4x+4PV|Q`w>PE~`yh{+F`6 zm{wORb`k!C!dtLcQbacq+Fhp)6KZ1aZNmPM7%{w>j>C+5D9oH4CgU%O?zet0nRJ`k zJUd#ynb{N&xY^89o-W@HKVDDFf9Om$0oLlX0ioux&CO^+XgEDYX9O|hw9JF~c?lY7RVac35IKEA_^An-{DDA%g2N+*U|6{2bVjRu$ zcJkC?G#RhM`t>#Jc;Stw$1;xujpkWnB>lH)%2bbX6v|ku3S%u1IqiG~b?iL5gn(e? z&NMIzOr&S?LiwTQDebMQDT-e%yiB!<8tJ{kulB!`ub;XxHg=voy4psoCoQg!@zSGt zUW$Xm&HsnQ0xxY{Pl(E#B*&A66<(_lNLR9-#+6Gvgj|CeH*YA^=Jj=sznrQ@BB|=r zOmvr(`djkpvLYVvpF%p;-W8z>?mSiPV&Q!ndcOG;qloyYAYzmvMicSRK?HWtSxncT zPX5XcUl4>2Vgpk$MqP2ipuX}emu9MG;>J~7Vdc-wuly|ROn=&e$ASp&X2-d^{!{M1 zJ=N&_Wf$fEZQb6QbI}1d)*STKoXH2Hb~1xhoft*(5Zj3|1C{`!mdXu<{RE7Cl6rvr zFsZ|Shsh7vOIMre^qCSMCiMh4d+m3)072IIXV&mHdS+3CSa0IPAO8NW#AhAx+B#7~ zMGkGoBzw9}cqB(KFy26GgqWE8V116IXPlWAAKp^IH8O0^pRI4}9ut7o9Nl-rusz!qP39vtHNMz{fKD~| zy7QY0_pWAs9_eq*H#VC68#6&QV_Z`VU7;!YP*q7<9=4btiw?Ze=A*HP(J3}FTf7Z7 z10DVu_gAVX6CTx1-fJzhG2U-)tfC*29WYJiJlx7-Ru#+*r4gC9`gswxEO)j1+3&2S zWPfJzvru3sXEKtS^RGT{F2LQn?kpcaZZaPEG83sMiUSF{uW-BU(O_wi9a);U_^}#{ zHwg_Q-vZD^yvJrb4=Dih_-vxGom?P(0_@b4Utxq4;M{Bbz9qjRw{m}n8H`R7rdmSA z5-{m_q>RS>b}TdUWANJk+7cJ?p0TTxZc&hlTNsvoUBh0~7P)#P@KW%EJ|wPvJC^yC zRT%WK3C~UH$7QOq{Tmg$fO=_W+Gj5AD*uc%%3$_Aq<5mM@r%3KKBEBrbmld@d=pAm zsDdY`0GVS=hjsNwI%Z)vMNFxK6rwPRe})Scp&xxJ03J9^(x)h2H(qm;Lqy6%mf;hFWHyvM@QV z@mIVz{QfBKjt`*BEw`L9w9xxWXB4OU6`kIiW5ngE3;c+@ZCIqgK`eLLDsVqFc8>SJ zjJeoD10DZRRsm&Pvw#7!eY&Trc_vrYLd6a)UdQ3ysGz`8gISk-D%o|Yb|_nwe1#7< z3P-D3bLaY*NC<8@s^!nPkK;vqz@I{S@-(&`@=`hG7EAHL&a!fBB|mkjvoZONL!C9r zjfXnf?MaBytoG}m$oLagXTBO*`$wU+7n{$G&fJ*X8=V=!wlL#zj#8?3zmk)?0f}3R zoj3Y|+a;2}8j8;B^zPi)>|=5~Z9#fZ>#G&X*{=SBjfXbXG;<9={T@~3waE{hpIJe% zODUFBv1%2&0)rST#sb;;Pu9WgVr_Td02F@1pvu~|du^Y`vVauit$~)K-$;I<|1nTR{T^vC|d)3-5e@w#&1-|sNCy$`K;yWmy&Zy_)@Z|OF%7{#cfe{ z?i4@-d{ORvJ;)X{$UYnXnhmZ z_Zh|Us$_V?{CoHF9xr`V9@bTPnsY5jIUl{B^;efb7~{iuW)QvQx*|qdg)57gNN1W_Du!j9VpgKtDLv>pKW}P>yoe2jY=ePcq|D zNn`R9jkSM8XY4bB_R_K(L^Z*mGp-*?q0EHu@{^~5NnF#Z?!G@&nra?H+kQJP+OBc7 z?y)py&9X>xE?6wj#k8(=U^(>yCTl<)&P)hV4?@f-`8HJLBz3l39YIZ(pfWXRi0~)&)SyX1o#{1BPn&; zY_j^$t^&I={@V$hUm$}Afx}G(qaP1ov{qDz)EoyGfxq{bKL-a4H5Jdn!=DegZ{@x! z?Qa%rO}nY}4ch;ps(FtnQ`;I)tg+?zH<6HL9rn|_*8Lq2xc|FE13D}QigE~gOj=fo#ucD*=1pV_Q6wW`LnYl>}Yi(K3!0C$+5CYdDD)geivny!CDQl=eJ90-i; z0zv0dswZJj5Ub<-^I`y*fv1!B6fA+qyb0k6UI9vaM2Q+Rk_5<;+j7qYGm)PLH*F8n zbbqZehmrHN*yc$WHI3+>IFYV~Tgle{3at2~_5WPOv&Gbsb-3Q@U!e@^iy89WbF1`E zO1)L7;Ik1Yo^^h`e^oJmNrkS+4^`v}G89p+|I|aJ!4mmz9&_Wh&4l+mHwnmqQSXsA z*TAiM=w5)|jcY&C*tWO1#^A+oF9UI(JQVdqHO-!P|58wIV~F%*pIwoN29zs?fI4ee z^CXo#O@|*|Ec2bA+*#m%1BUy#iwcO4nT9@K(@?(l^uD^6d565%ee?|pSjwg$c&9a+ zM8ge*JQx{zF1-;n`U@$J`_&OB!DF^Mc@w&Ai};UD0*?L^iz7D%gMw zLQQoOyc)y!jWw1ih)O<*B{A&ja z^Q0Wtk|V*!AEAJ|JDB1-GFubRyTh6AHA7^%rgW5&w_%+n02`r=gim$++<__hGvJy#WR9i0rWvRn+Cxz{S1@9%FQZk>E>Mb=&w z;+6X*TF6Z+4%Xlm(h)t9RO$l9{mKZtYaU(sASdusB`$b)rEb#83r!5{L= zRC5NH8}m;gnILAC;6tl%*nSJNV#{OmCCqewg6;D^eF=AO@>bR%E49gm#N-(f z?~&~hy|4N|Y1z+EXBx{xpc9;#&jy|W)=S8oN5x=uROj)S^-0!6Kt&IG#$R%!*PtB? z;0d_)B~>WC5ePYpLjxrP`g$GkOl{_z2VFsGYzoa3k0Po}e)Apw%(QR}w_T(8S^Yr> z>j|&*HER$r0fC?@?Ab#c4hY*iniH{Wk@+`;;)w8^f=`%2FC+u!u_oR=tz?U`c%6YH z5Gk1uh~+>{ZdNw2X->YLo06|(r&+rUuSLCfBS=;Cufs0J;4pUW(_Q5i%*cze_Ai%G zEh#V3n5(+`ImUEye>Or6_)~@v*)W$G&s{Mh>D!hRS5p4kK%R?4EJ@}-xwA%;y1|lW zkQ7j(eETN|LwR~8ePTmL!xrzqtv)vQ`tK%_pI&|RPrrM8EcuDmN50#9{f*p>=)|O( zs}B*K!7JG_!m|mxHgiAj^9S+jZF>POEa(VHb_oX z1Cew$?(B@gDVTmL{ah29{F&+O>fL2tSsC``{7rr`oz3=F<8`I=NX3dX(w(bcg^rc+ zBvaYAvgD~mCdaOR6H@W$>bHi5_W!a8(EiNor)gu}rw6Y9dvVw|vyfHU{-?xVLM^^8CW$5LLR_}h3 z+N0_2PY(?pA6k7xp$KnIsoz87x4O!`rtZKmTzY1Dd3oBeh^8BH5_KWD-D(Igz9L;+ z`{xyB`++Xg*TIe+5ylqK=VPJ*=mRh@fmfqvFx4zC;kb_yAwcVAn!)31&q?Do=Yxjr zEk|x)(OPDoS)craLgPq z-(DUjQ}V2Ic5qvy_B4#RY6g2EwU^*=#3_zjj@^=+6d6BODUtETcy5a1v#_6c6GF?U zGhkCkms0qVG3y#SN(Orp`Dk9T!Yn{xGiZOVvAWl_4wc{J`PX9OU@|nsS9-~K4!~V(C|2f=oc_F|D@FND7dkL!T2EIn zQ8V{Bmn;{3uCb@;sxDvTtjFrg!!lgD*-kx&`UVz_LLGuZ#ak#ZbO&x|!zhI5jZ0vHz5cl3^n)L+5@++*vBDIRlbeoN$~c9_Cm^soJ!YCk??o4oRBilE9aF?!z)NS%Z$XELkwOxL8@ASc!{PwG>*kJ7S z>-Jzx&mE0K?MAHWrw`&B|Bol@YKUD=RZ)3P3%Qe z3(kmT`#%;HTPr83|~s%arN7ir9Ar$WP^X>IKt(A#eMedojvAQ zcZb=Pdv$GQa;`hM9|k2?yQEJB^_ul+cK64F)KxC^^dME&$LZ54q|*I6!#^bK z-T#a5E&LL3SNI2f#Imn_n!tTwv~mRA`~-oA!<-Hfc2Ecfm*I!)O8I4(^4D=o8%->I;yf+@q2Zc+Wo+3k3lu6sRf&0Y8!g_m182DcsTu@dP&@%^P6&+`X&D~%TC>!@tX z+40P53{$Cy`1zvj96egWH#ob%^Mjx6i>Xq`bS%9+5uz7Fyd@2co;U52qhJ!3=yQ-V zn8D)pW5BwLUjww|7P4+KULEo&6^=3AZ2>9>`-9hom)MoL%@%qyKAQIp{YhL%iiNWN z#BFi!?kyAihw_*ftKB9_QSXmdZzs|3c&JyuljEa*;pS-4U2cv>-$;v-7ILk5bTd;l zNsNiF3Vk)kDZkvGbW8Y}MCfpQ;wv$UHP3Nb@$StNVzoW-5Qd)5ax!)I2NV2S%vpFK zb%%mEg7AZlvDWQeyu15_39Q)mL}tdti4YI)4nnD*`B>n*5AB*B3%wt2=b{8K#AcH@ zaIXQP)W=q%X^H+^6WiP*dA!W8-4UzZ8KW%-3EY)6emK0ue(yFzxv#y;Jn9Bo zP(Q;n%4CxnuZs00{|}t_5d;AKdD!9}!dK_KL_00ju{<~|>iTUgG?=K{91Fcm60pNF zH0oj9V}9tpMEg}s;^KJk;N4)kUv~_HVzDbdW58+&jzhhi4GBK7{l>+l$aqp*)(^d; zP7bKDN3DHGW1{xBrDZDjGD=<~?8l39BKVB+K4H3>^C5>I$9;IG9zKCRjt0^-EFgXt z6~=Kvy-u^yez)~DKAKl76vnikgv?h7?N%`%2*AyyJ(U4uxr}PzMumMYvBj}R8wA+^_vd0< zY)Ib`o=OM&rO%$H>FBXqC`F@qZC5EEfiQ@1myJd74v%#O!lCJ8Mb==x#QX^&CacDf zw%^wLaB`5SWtr{@Uc{VzHkk~~z!24PbF7vXdMZv|YN*9hd!-CXZ)1|UN#GvqvWCHH zfCPMIJR3pjcGh~9-X=NQL0k5X|;G<#aWPNcwc6aB5 zI7kIXR>VQ=nTgN`iHQf|qpw2^01kqUce^?WEQy6U6E{?RYeJ&-nYdmB+a_c?LM6|| zN9(2_D142+s`Pbp0;vjY1$keZ;5%fOuNR)HX;H@lf`F^<0Eyq3Alk|^PghD~fU?Q3 z_N@}Eg>2R`cv((pehh#doxCOh9pW9d*g_g)2u9l7eHb6;^E1}14Gnq(h z_Rhewe_MEFKC4aAWJ0Q-Djy3v`WdBqZuy=83}|{Z49g%L&Jr2m;(?ldD)w zw!*zZuEYE$yt{Wz@Qa%owkW`p*4-bCIy641SrGQHdwY2FEpRrFsooDgotU`WAN{Z! z)TBGyAPN7>>gG+&cxZD0hjg%CyIJ(rhA;`*q9GBs86#{nNZ3|`@Oo9lrinYg0 z)1i`&GDuyxV}anmijXE1QNThppNwBikmm;h539E<*GUEo1Tip?3VO9vOX8ERqpR@Y ziO&d?Vfd{1yAyn~{L@~?uYF3szE~*EPVL5Wd{Pu96M7{f2)`p(vtI;4Sn$9l0Dy$1 zXMFf#xzP#hYo;VJ00}uvUyd6jc+qSk;-I#f(^>Js3A+42v!Pew6Z-_el03Y-4+BQ8 z#1Y&kas;2FjT-|VYS^_ zKf+Z3sPqJ3W9p>u3c_Nh+V%AY;Q?U*;l3ceD+mt+VWUx`9}dDsA_na=dTx z-y;qZrBMY@R}vL#Ur>{ullan3HXD_v%MAcWZmMF&7XE+FU)p~j{y@h|kB?C(t`G&! z0onpwEi@|m4bUM648pb|a6I5wq7~ugETg5vv4CwzxN*ao%D^t9lJi>PAlwGh5?0!m zA!I>I5m9>dE~vg~70E2L+l3VZ*ijA>2n@9b0<* zJmxr&-lm22H8Jyime;7Wme+_~em2>{y(vW$b61>DN3&Q4gkZi|&)}U1su33|3cL+fZ_5|<)Ac!GC?rNd@k_c_xObUV3u=9m7 zV(HHY*L4liB@$lwn=eL5HZP@Qm^UR8)LpKrLi=^HWxO1!P{;n`CYq2KxeAC+)B@nz@2U9{~@MBMjT_4q_AoAT8i zM9@7hhOQM5k4Ki3;*_rn{A|Z2KF>1~qIZE%JmkAgvs_^CwaAIbyo)>WSvvP5wH@&@ z)xq{>4}1TssF$r_E`~7?$cyHmULaG`j+i)0w*a_VEOP_-wGOH%(I*@R)$iiNPJ7Kt*%{dj803V3jn}-TP z$$I+DQX54GbQw4Mp)K+{<_L=e42=VKiUCZ3*PEOqjba0m!nb3WfC(j$K~2KmWL-A- z*j8Pg|w$&I!i&M6jea0RSA>C@?P`dJYu|FmS|J;byt#fE8A= zw3S~)howDReoHTxhzL>#1uSe~m&0n}wTCt7HydL@u;F(Yzmb2KloHWFD8IOvSQL*a z^zB;@-(e%L&cYBl2T`*lvN?jrKxPfQp}w|n3TlD{Epj=hL@X2QktZP{vDBz;xGXaw zG4OyQKn(RkriRlI?IYBA5FD*qWz=#(ZJem9+`9x%oG(||?iCpeHp6Rz24&qQU)fH} z1YE%wtOrWswq6=-i{*5XAKa-XwI?5Iz%DBm8=Rllfh_=r!ASHPdbVDsKBYU|(d@ z#@bpEcuVJGi8s%v{++gYQBV6wR}$XvZw~fHRl&H*_$7&+Nct7YQd`#qsq>V|sF&NQ zd234DYgCo%U6nxxI;>oq+aIYmR`bsAlAxAFsztG{+if>?nQBifP_G>9Ikb{-_8bGM zN8&4bq5Eut6>AerxI*<1)|x;(*@%=d^)5k|tvyog&#XRqC}0a_>(6#Xs2gX4b&q~S z2W{JRr@7ZqtPPo5T7HE$Sgt+6&TAX&n|;$A=3^s{PQu1U*yfM0%_rerEAB4H^SF78 zZ4X_2T-@K621U~HOewu;H1tVGg%nU&Yozd0o04GrMdrzI6mw`)pac7^;RQ}g8Xq9STPY}TfFvhr(Yw= zIEq$80HbBY8*nVtk9wydTo&OQ$^)A**wSL!u5Fh|gLxHBBGh4u0dP03wLw!}U{9dG zV<5dSHmClu;wGO0J517f<-1Bfg}I=WJ!PEsED} z5fxr8aB8$g)|V|e+JtBQi3kFEGC-nDj@(abQx4oUYriJCgfP=W|6`#S{E0hhXD97! z^${mw|9i~tbGFO#~K zDGxxV4-IV-je*s0bQaIp1|Wg-NmVaG*ylLvEx^$E?hdtht+KTaSWN$)<+R-RV>*G~;L^<7MrjI?(IUa5+rJxN-5YdwJ-=4F#r6iV9s0$%X?Y&z zO|&u{R~`p81X)EgOrkT)*cHTzz*w~wE83|kHhP7>LFi(NjK+abP|ACp30A>g4O{@R zj62u9>d-D=Le`|XnRAf3iQ zGyALr%65Jgb~F{esOk?rpP0Bwu|Kn1hC;hzsG_LrNeJRLsWPB^QmBDw9jXH|+N<1z z^JG@Dk_bJmd}y5a2RiB@h$8NWwbO-UqPcSPvxwSwOHzdeN_$rU^^H!Ge}mE;l?CB8 z(xV>Z@13gl8dVFT!;#JUIi~P_o9}OKfbWsCx0#BEURD+Y{ys*)y zP(x}$RzW%TWSr$P)tIzC0&CzS*jxcw4xEVvjHSS*tt#~kqK$Y* zEm`GWPcu+t?GS@wj(X*+&?ds56=bvx2m~Sy;BjJzJljGktAL;l8dezPn+X#Yvf)ol)QH6|Npysj| zK}OJA38Xc52}u&~>vUv^fJ^%Z!JpcRg`SO1d>VOL)EGj$A830LsXjiD9_RN7M_KQu zrAa_#0Uy^_jlNLh?Tk(2W|GlzfSq#>v}g`uq=DcIS`Lp#lj=|0LH%O!+91H+Id~4i zvW_{+m0YYA&!$@nT2?6%jK8BLJrrqQ!TQftwTajq_9Jt=|&>iU*=>s&rIs$P(ztd7~lV=neo9 zCL)R253g6`&}?#x&@sZkg+1r8~_85Nnil-@%RKD zBzG!<6TslLSnYm2wvbo0<4@e_2?Pe9Lx8OT7{pN?6uHW9GI0VJumJ81^|Sc49IdP0Rs^3KL!kR9OUT0d$Eaq66}62FyLrdU?5$02`K;! zfRO(S33*O&5`yr5A>jnR@NcIHY%qcYxDTZXRbmbCrT-s$?;l)udEa~bfB-o)krYg= zw6sXA(n^inN(sqTZ`nqQh4~(Hj!`ZI+%22vPBT724}Rytm#N zcCTjEe`sfYXEZw=>f4g`92?s*KWqsH5Wf$EAIJQZO#lG__Vs>0&-a`o+i7Tf@7>#( zc*Z*4=l8GA@8|P8&rxW?$7Br%!@-Fu*M6dYOKl}uK~^G3^X3g~MG%jwfL@aF22l_5hVqXW4jz@)0p#|; z#o2pOXPI1kIpqzq5JaMohc&~hQ=%|e;|=q<7LG!t!od-E!*hA65K+M0GZjDHLxp=u z8eUS>^^kTgA0S=aFI~@$O;Y&aATS2mnI%u?t4}X`+K6~cZWBjyQypK)X70@wUW(36 zFh<-oAUaa{wDZvZ2wMr(?ohHkcac}KD5ylyJ{k15VX^2|?WW+q+`zN3mwlN`)|;bl z%%qxEqR5Pq1(&$B8&r>EwjI%=6+9Z;5u^yTvLIBjAG#x$eiVURXWLyLIsrMXr`y~o z0pD!OQiQ}Vm8+^mUe{ubUF0`~h_lqa++>h54RhBsc3?2bt}q>p{)m`|-7*aYJ3`T~ zLwJr-(-~l!@=OF+%PfQ=7|+LUSl^MQ4!y%{Px`qeo?72#W7g@k$MC{%ld(p(6k=nw zQkN7fW18)aQAt%kiK4%d(hz&a6UC|8zXQY^`s9%`4ph{9ny+s83#lC3N+bV0jVQ5#dry^a?xQZZT zvTaFc50_cqQbWBr5-V$E0powCPvFRQq z!yN)YKcJT5agSX4h!`_>y5LRP88Fsbq&L>y6*O~%<(7j;^>1RHIhGiAuGo-dct!Sy za!f5NdxIC^4NhDy@@k{m-e@Hjjw!w` z!aeer$Tx(DO{RSNll6N**Go9JeT`gTN8At`G*nUQh@x5(TzhtFl)6p~$fEjm*EvO( zKqa9Y=zh?4tl!eYDLj_6bJ+qQh{>3Fv^U*8Lk9bTD38+ajD|>xd{Z^VKsGu9FdFhB zxdOh1w9eFYSd_%9WD#{q+w@*8wn9^*A*e6Ql+Qes zYkAvBn6``hWG&+t|F`*k%e!%hj~$*8pm-wR&V%14lNRjwx{_47;C-y>g5YXM#2iri zw#*NrlG^oovu473AJBPJm^RK}1ZflcWutJ=8-EIQ=T^52Y6q;a?gN1(64JmworKET4$ zz`~m%CgWN%tifT4*>({N-;&6k*=_~$p?oKoS;%hxzN&rz|K+vpja_zqZF%J1cTMXc+pIJoSXTWd(OYa zQYUVu9t9#)IvP5JbQ)u4{R^z_3HuKKyd@2Aib$4bSK!%nRopq1npf`XITox!$~x@t zm*f)Lr~LReYN@o-wy18&`w=_sU2*SgZ`}L3%ag5KVy=KA?z?sSarS;JtGu=!gf4hL z?u|Qsw+0&*`xS2?AIoa2K}ovsAgfkncJT1tkDF-n-p3NWD{k5CsczY6nq-bkMS~)( zDy*fDXb`aF`xHN*0}5c3J=TKoB6++`6+{t7VXcaCB67p{^OxCLQ(iNdf`x%tRHt6!3N;Z)TRpX>7F3Mp0|x85r9 z@!_D_m0uCm6{#@_i$+)|ZUFuoxx-gh%?g@9iWRI}o>n%}Eo5(5_!R>R5_n2(9fl&V zkP;{YwGQt=kx7?r#Vf z@mwDp_O_z^_QVRk>>2zQPi3K^-2JMJxSGu_ffkDo%he1iE~g_c_N82q zA&4`LO?&3--yv~tTwMje1v!%VhRpUkZWv6rsZ;w}?6wE;K?cd=lvzEBB9hU5I@|tE zww>O*EtY)=RaNh65cv%f;M;)B8o*{vHhasvxQ0PdOy1>$5>@xwx$ge-*&p0oN=(6r5p z5#HwAS%HHE1v(Z^GEt7bC*l$Dg8(6R?flQ>*zm=i9?+0326kPgL%H^%_J@Fqtzy@x z)=!H`qZ>=2=c`d)I12JcMciZ0vB#d_ZUOJcd}P+@ z%D53e%xa_70~#A%GYM2?O~3L5d~8!X?D{Sv6!604>)H)YhZO7zlo|9C3rzuqXHU)( zMG2fFh<8@1b_5pTT@=gSI|5a%0?@DunXX3BKk9eH4!HqA%$Zz`&gjThnZa7dsN>PJ zZM#A+d3CRrfPkHI;79Ci`AqBF$_RZa*qgH#Dy`#s6i9o zn;)u^MN(C*rrQZrTN5v~glb~tfoUV4I2L%_6YU%+n>OGA+_jS&qKJ+a4yhe8AmM{V zQ%Ir{U(nhOs#bWhR!Q`vn_nCOMMa1e7gemdsKT0Rh5Hn4+VjN4*(xzasREf;TDG{gLQMPD`4Nfc3TaXPw`w;QZmq9oBeF7##|%RW2jx-^Uc}}ERt?Jb=QEGzFp9Ash)WNb zOy%3r8Usp_uq4SVmk!6jg)#f5{L5!EenXx)X{16AdqouS8dq79jh#NV-*=zxhPjk0E6*{De~^GkVYyeT6FsHI7tlKwn+E=?NMGIfTLCjCxLla6o!-yRZo zK+U4wM*uxswQ+{g7CK9<)diw>W5VYs(VgGos)ewviiydLSh}-7h5uET+kd>i?B#2Y z6pMB6!Uz5LIZ5i1sYRf00w)~9H{=clYydG^iT~N#5aW$W?w)|F2TkeAWT5J3m z+Hyo=^f0vOU{Q?N0b91J3}WsHrb7t7Nf~%q7UT$#P>HPp_lg)=fVWq3>SP)uAoyJ* z%QBXgg?nbRmc6T+B}=X|ddEu9Bx9iSDlRG;J2^|n*hy$odSU=>$cbDhvC>uY1E$kF zg7>2Qa(6l%s$e^LN?+&{fKsP-xc1svJQHroEq6tg*q|QRtyN+wtoh+~x~KG?I%^zQ z+{Ss&l35IpHI>+?0op+6XeMq$Fv=OaPONEKv}_P-CZt$Fx~>D!H!iBd*;L%7Ot~D~ z#!Dw>Cya8@MTuCk(Ud1CmlnaspL&%Tg$A#nT>%P$5$UGDYx`W>yml+B7)ILiws>tq zd=7s-ae0O3-HENzin*A~C;AS9G4oR5QH(W;bn8iBO_st%iYcrGP`IMs%;~6CpP+_^ zWKm36ZE%qltKIE_!78Nieuq=VSWX8)YCcXCIAX;kred{Lj77)0tr+X8su(LE#aOQ6I#xdG{0(1>mV5Z{VP(hcZXlO?i_P0@KSnXG9`ncJ%ub?KjPodzt~%QPQ$y`;isSsc!-_fbBojvVH4U zk(CeR@TV3Te?wB3bn|us(cKBYd_)Rz5A&1Wcb2T=&-m4?xgjTKwxApVJl2nkp6r@l z3)N=wwI2Zl^qJ9`Xt9RYD9+^1)ca%jGwTKmrIUaP-}TmPl;SfWXX>)5_j4*BTC}V3 zXDR_QS?(%-MooZf0U-a?_%n{|(VC6yWox$2{XY||*{M{WTC=x`yx5w(Lc~7XnjQJG z7dFW}Q(e_6e|~3sP>=s1{F!}OEn^}TYC53J6Zxt28<YQdotByj6Kc-C07b zp*1B{JisD>8ya$GM?9f{un{<(*;xvn|3Av*sT-->*>PrXUnrCC|jDMlHdjglC6DGTD zCcD&m=EeaG*|CGM0_nJB(_j;}p(Fl&UM$;F3v<>I$v$0Fx5TosV(<0LDb_PdSo2$F z#eQvt75k9*wHFnBjanQOZYdgxd?A|E2icc&y1x;#QC{{X=&$R9LOVSgl*z(j4(`J+ z-~JGDv=8!o957{%3nuO9BD~6F<7p?tWkvzhmOTk2g@g3%(2#?o+oPh-*rs+xyM5e+ zC#(fg;;^#y>5CH~7{twY7cfX;5Es)V!5q6yU*_0j+J_of@yOMamQ(r6T(o)FmYtZS z%8<>LQ#53AhUCW>vN<(y<-Za*6sa__>@DW2UO4kzaMUcj&XDc+K2zJ2y1^6i6L~Cq z%R|57s1+<50%&-Ipj#S%fP--Whg1|`N^9v;`QSYT&!D>q3x?s$6RsH^oLVb$?O5xn z47_G{+3dPZRrPjkH0PpG4`U@7@&Q)?_aHwQS2fF>!;Wn%`v=;weF)ih>?iUqY%r!m zSr#ij+7;{?wv7Ig`WGD!cI;C=hmZQ49#@tBF?MWdhxTZIB8Y*$uy8(1rX8L zJCO@BpfJv$(_QEYJJ@L0{bm;$=6^`KbItxye^%93+v$R(<29qFrmOu;TeY!mFNtaY zJ`Hf+W4*wKOa%0-*_6HIJ?z*?BGfYAgqLx ze1@f7{t5PMh$)?gHWe+oQAwb}l*6tkX~6L?@?gm%KL?EF&SB54I-uv;=gzQaqbK|% zd-j7X?b$e@$N&YVht<{>s|{tbJ$nIrcDl~#euZhoO`Izf1@J{49CWZf`!ej=2jkM7 zVb8ul-+r8vMfvu*$gqPw8?UK-fh32eGZDa^O?<@rGws<%NfR5{vk}pZmuP|0IYOElojFU@ zuq_Uvs>F9Ni#g-2K+lO4eWxGVbQhjS(l@9A6NKFvK!DD0v}WGPfCIulhV2!WgrO7& zNwWBtYT7nz18FO@eD#FM5y6YOVb_o|;`7j_FfB!;(vwB^1l>P)LB&+FB2tIKz}zgl?}McMWfn)6oYgsq7C!NED8M2wK8P3jJY?T7O% zA4o9pcn}OczN+|etCa1x;(;TC18$ZAJ=A{=km}Qu1GCg*Dcq=E!p;2VGnJ~6%f)ok zg;FIu?p~r)dy=q1YYn7i7xhcdurHa@7LvE7xJd;?l|fH9qwU!@Rqfd~RqfgF3=_k} zo{f)*T}K|H@QDN@T4~SbMz<`=e=ufq(GcgU$b_3_!-nLRS7glA2_!Tn4BKL?sKG)z z$S;zcDR1D}Ml^@}lqr!OD#ly2AGs_9S}2QRUw6E7h3y)sfl&wBwHsJTc9YB#Ki+n2 zt}7gJPo+EuL^pW_pAaA+1z{Tz63q8M#dd9v25i^jk;qV~uKW{i*FOAX=3BE}ZJkN z_Uu4-&a`I}TUOrgI4ZF-lh`wq<5owq4mHd5Zg&FO=EgJ-O^di@(5o!w1m(Ca?&tZ2 zyOqiLkFjT0ePVTZms$4;LjbJ;TSN8|v$tdZiZT2Be9MDkTN;!UZ4Z*LmRT$q{`!98 zuegxOHx<1&y$>%q7b@K5;!$)Ytl5`syjSrn)M_mA@L8)f+TGO*rKdF&?sP?aqA?pj ztDJpYa2FlLxGzn7HW;pSAdh`x?4SDT))(rLteKG*D=?JHa3r~U(}Qm2#JZ$A7I43f z2Wy@}9;x2Y^S&nU42vY^Yv8lTQj28Zvo*dN_^kQr3O*Zv5*g}VV-Zl0ZWCkT{36`G zZo6=c5{C>IWiwiZLAd}uXR=y$x?!bo=o$^EhjJMYVI?@G%bGF=gSkU>vAs>=Pcj# z7JbtmT|N3F(oC-YZaF#6J|npgUTcr*TdN+|59;h>;j!4fE=|Dxoff%_r{lrH>I4EJe45))udcg#EskJ?+e@Y%x4+_;D(nhUgKvQRCfap{rF zDTRy`m!8#t#;siXymns5XqgR4rrnC_B^q9MB&(vGwa{8vY`&?aCdb<#2S6-GavT<( zTxIPCPIfoouVWhvxnq^u4t5KjE66-(Hfy`dOdlchy+C5 z;EI-&-V9i?eSHHQf+%&$9)lFl9*Djg_0?Rnu;f9+mZMw}P_?e)+aKqW%esxz$JoBA z-B-@0R8Xoi#-H0y+QSJh;C@#LsxRf?TT^NVLnBV zoE0bur{65%aj@LAAOg-SAqbW9;(2egrtbPg0C>oy2u$`uFR@ysr#frsy&AKyBYyq7W}wKh zgA2cNzNp#q$dE`qtyL*2+-GHXJ7!Jh2~RZX)6}7`R@tup3-~QyEvORWgo})kbtGNO zcfc!6xE#ZCDu+}wEJ3J~S5b7}b>+oZ^63_8$k(S=qMT$#$)24WD=A|NOt_+Z!Vn2- z!7x@w$Dof8%5cODt|!7fW2EOEky2|Ru>j)=+OV>DdP&iAN=yhhjK9E^$Gu|Z$Z&z@ zDUis0vCkY{U*Pdp39pbPZmh`Sj|iPuqU2%tcrib9Wgpk&a?3)vq4PnkoVvi2(^T0E zH!nO`yS`sA^jS0Sh)E_vO*prSu0*;A4kICD9P@fc-a4v2rbC}~T{^hite>tV6 z^r^eTeRz?d>EXqbf2k+hzQ8iC`s+3=HgO8*VYfA2z%S1Bzr0oE~iAC)7jU|BKO?O zc{7`Num1GzgPbTdtWI5ql(F`|$ILDZo7^x2R>->m&T#>k{AC4pb3mf57%Tj2Qs7a~ z!bWV+8(VXQ8<13PAJY!&EF-D>>E`oR?Psj3l5O|ug`WC1e0ILsblb*G{(SQ0rti-w z(9EA3dI`-ZlN;NT^EW1MHr>(0{~H7b6R8_rS{RLmTQNaTCN`CHNi37f#qnsYdv{)o@d~j zE*}W*t6mo#<;pQgy|VSclbD^ly)&8mW+$(04dR(v`HteYA0G63Z+eUC_xiuq|Mio9 zq`&TE) z6uMpx%(yY98N7iR{5JfCm&i6c;@>j=*YO`suyO@4np{n)kZ7kCSg)L&u6$Zaa7aaI zr@@>I(P`RQ8aiannDICIrUGV(aOdXSqznX{{Y}^{T+gCEshin`eSkmddM4)!5cmTu z%NPr4j#H1XsZ%}TY}vw>DEk{ZUT!Je(a7hoC0!^?+{%qO&viguFp)c2iSJ6BrA=yN zW{Jm2p-yZHLbSe^EquK*U$`3o?;Cr$LcA|qU~WpUe~woRFJHB4)6^AT6UPB}lgTw5 z$y7rkW0&X|U2C+S5-(b(mt5zu_J6EtTiK~CA0@g%*ochpGgNZ@ZGICbSdH=2;*M)M zS-qJrX$90X{!AbvY-Dp8?<7 z4;Z8kkYJZ<_cB&r4zoH!H2JtT{>7OfzTi5#uAbuqv?w19AB8Vg70pkB= zC5Y>GsvsW#-g5E(BZGL*t#HT5yc7Hg4dP;GfcSC%anLJ5=<9-Spj~2n7tbkZKL9vq zD;n`OTlm%>SwEZWI?U%5K09+=7-_yW#AjEo>uEl@B;es}*9ZB+ZKFDXuZIQaK;y;l8E=w)__wdrH>AgU#8)i`101pJdV8y{rsq#4@ zM78G0DN?q`ukHW_nbDr}Q)@25G0w+@%1+VtN8zRXRL3QPyo%#)MW!xXGn=2veF2g2 zy8SXdFDa$)`^9X5ceSuEkYNt=|Fxv>XY+MJ3-jHzTpxZn*Hx+yzXu_x4}X~Jdc8jU zL9UC#d_{zw4amFKl#{}Bm89^^rKE7nvTnGY+R9Q*g?;YI1sg#aBDvrtu<**8R~fs; zU?6?j?e}tOegP(RbJH6|*#;WH+&*NAJ60t}`q~%~xSBA>xeg?bJNmlyr;j9QHcEoY zV=z|i7X29}X)q?ijR7OYj`3$))GRqNE;6Qn|LIHo5k=*Z2+0!`&(0T!bvE6-_9BWl zj6ZwPiIWT+&NF(KgIO8< zXyE37rrVz3&ohe%2|Lz~Gd!w%^ya2#9wB1i+MOZd86ut{V(;4N5OJJ{2Z-3ScGeM3 z9J#r_=@p)9eBzy(n_fB1?;HHS!tYD`K1-d)$?(k4H)-$AwGxVH^oisAdF5!Dc%Kq? zt(}jFk1BD2Htt+o4sE!KWuk98qO=kqyLO4Br03~`Tl;&S-d^Ha=mTTPw)e((zqsi; z4KSsfo9+l=Hy``rMe28;|G3IKP<%pj+^6o53^d)r{!WYok5s)5EAuNn;w_G=JF}CQ z=O?e_*2{+Td9$ON2R(Z8leh7H$G7_OlQ*{VTt||h{Cb-n-0sd!t;Y<9`8zvx>!nn6 zD^Da$t^b@p5;=R1&sr-Jm76#CnElLS7;ABoX-Wc7#V+@pIrLPV?1MMb>%n=gYmkQtK=$(bJ} zQ%C@!2cSLL*3-GEy)F@`t4R=~;`jUsrDABq~t# zGKPV`%Y0S_oDuUU&F!*oRB4y4Sm5OB>pA+GxW@M?Kkqs~|7aSKO!!>og1UCztGv@6 z+M)i!m-b(%g5=*s_UBW<|SOe54xFmNaNd} z8-JntF6idVhz)OoZv1&-<9nbRf3Er#=*CYI%{!o*TdQw?Zd^yy<%!-E-Tbq}uJaq6 z8!siciCCVbyn%;QpX1HX1GIk$(Y*J$`BUT!Z+&iTA?lYx`DS9n8=p5cC8g(h-}64o ze3A^j?Kw|Xn|Yh_h70-Sz07AjvElQeEg8F=aWgN;KHC;P&*!r>e4fW=bNI~g+33$t zhKMzrr`Ajaf6xngNmDKS3=fokX8W_ez4L^V0Cy$mhl3lP;7m z;Qs0J3FcOFJ$ATLs?HChj`$XuP0)ARDg(qMliwW7 zP5vH=#|ALk%F70@TISHn4Pf?wq!sqeM12P9HJDMc^s%VHP<&U%I5Qz7W=Nc0EJ?D? zu*89#1hR$Sq4;lFiMhR|#N5vOR+X6BYf8-RL5W#DLy7qsO3X%-m>Uq5Huq%tBJ0AVpC@tplY~l8(#oRs=w3yqY z7IXW#w3zqLrN!KikoSLTs@p9J#uUvB4>>?vy=y8R|?@H~$fvu8v|8h85Dpmx0Jz+DGTK06SAM5H(Xlx)EM;xEZIkW7*m9&ZV~K z(R>=+T-ek^HT1rue2)Um%)5KLqPr7wu7=f~_lJ5NV%Lk`oV+fc)$|O<*dX&P0-xTm z@~+uV=hS|cuc+`YY9mE`NX9~)T{V}qC8R}&4J~`f-EfUEcvnX{Us~?RNY0l>WnMPp9A%s(W6L3#hXuP7j)3)ef!;X4C<;2!(W}0)i`d>UnsSeJOTC zA40Z>8PWBkLjjsWEX|j|Beporr&0y>q~>+hF z>VE%HlmW+Wec&Sau(h*;sAP!V7X5~uUO@xyT=T@}VMnhSVXczFi^{1-rygSG`!xH^ zJlp0y>EKAOryYjmG%~8M;69?QNexo|hZ>|jH29qMCpSMnqAlasApsxg4U)t;?}~>O z!nU_|%iENw;rNWc%f2HwLdw2RS;T<2nxON%76}Sre1bwigY1}iCN0sFk;1VCqj)#9 zt{@+R7?F>Z9L&bBfdKL_9m57r!bOL*Fi_iJZy`r=wvuo_12U%s;}Xu}mh6s>ag`36 z5b}8eyxjkG_OF8h&X}edUMNyJbPXVF~M&ptR7Tj=Nl9s%j1EY=yY{Lkm ztfW3rDsVm3Ig$3%*c5S@5v+2X)U`q|n20^`3P>(-U179#84A@$cSLZLET&t7v7mrl z6Eqa6ujl`bF-vSYiXv@}wL4GR+*r)GC9T7q(2SUPtI67R>xLJ`m}}>nYIHU^lHkd4 zQwNsT+fzO%Uo2soyiPi)M}by93wr`&*Ns3l!2`ngM5++3ypWf&AdHHngM#cr57CMl zO)AUV9D6z~ItE$5`vr!il-8Is88W69#=_yz`@iLw8o3(v%bsSV3 z!?BK8*I}Ut%A+x8X4E^)6dWwNP3wAT?uh4jl)D)u8#*5k50fBZkX$p(F9~-=Cv1ca z#d?{;1GhVZ2`+=(Rc{lgX5uIGUB>OeDS(@!x4K2MqHuJ~7Rt}Z z_;QRl*ivpWmRpSJ20hA6Xl&GDa3L)4$>X5_RmD;B*u`?a^t;gaC+WRg84x6Fb;>Ek zH%76W!Vn(EeEcNcMy*pT?PYaz$)6xF*S_&7q>(xl9Wt>=GfKbX9Caa?JXevi^60Nn z2c)A-rGWL_E`6t`jJ{ZY0#hx}raFeJZDkxn@?6leaM`5s& z+U~e?0;`}#h!FM$NeN_XbZ+DZa+`@`2^P&Ab37uCYth1LJ-pCWUC7`;ticHJsPM!& z)FB!*{jn6(?RtW*9h5rYeyXC?1dC;j!}A|RhjJXmkc%%yLzBDzJgWZvO|8 zN`|ELAc(Njs4tWdS*!TMRqe+pLLWl`(lUw;XjvuXKr^u!qW@%DxNhy-`VU@m;--)+ z>pyMW;dYkxlTzVS0lG=VG_YmKGSeD)ooq9#c|x|~?tyrQQ3_D3Bsj$e9moq#L4ycF zib003SCVi!R&2l`Y(OL36HnL+Q7<6*h~!y1kc+3n42uwbRl&GX!*L{aU>@2GI?$cL zTTYxfC<*FD#Oit-$lbG#w%*H-1R^XMQ`T`82~Hf+fiPC7Dbu<28OwLLzNKM1S8>0jh=v!DWbVMWiN_V031f$MinK;+Og_W)pASoUImE%3c^#lhob#Tj`0R@km`pb$?vIH@m&MQaQI&m%vX4lr z&?43ohed}!j^eW{&~)*7nqerZqXDzAeyzRiDAO@)+CaGI@EMAaEBOhEPf^W}t8}XP zpch3q3LUjh6`w#o1g9b>OhROHMHfvKA5!-P<6Hm+cbf)wlgnlAiAs}2WfM43H7H}i zo?zhw%C-oq5*xVPfXI&byn>R0!h?mRs_@JQ7zAAcHo(fkX~_}Pg2F=>*sLi$vQmW{ ztr~u()>it;9y7-XvH{?Od?LEX$aZ_&!sI$_he8Yl4P`sN7r9THKx8F}5$n(#d+w2QLK1n`?iuUh@&GA`X~& zx78FLIJp&`d60ZLC<@_80y*6aoUAT&(~hhfh8)=MOh`a*b%Hep)A4QJ0VoDOStFLDZ=Be1;?xf+vD9u%D4e zZSC=Msyq`E77+;$j;YC06YUwqm(|iaRG!gTZcL4%@)%-}=6LpUAs!eyx>DZ>Iz|Q> zXMIPf1X6wH<$t=qbH*OfOP{7&Kh<~6ls&XOm3cm&Y zk!7SJ?oaid+HTKJ^&LB{|5V=rPmr3TydVira>0augEH__ednk8jz#}?qpvr5kOh9K z?-+9=fm;-VFK-ct{;9qL85V5fN&qv>>z1t);avUm{ZU5mvSl{7tODPmqm;Wp4 zJ6WEJ_$TT+iK_T-T;Gw={Qn<)hxfda_ETqRJtl`JU_WtxNABUPq^aSap1QsLa18}z zC6q=cr}A{u;_=F3m()A`Va;+;P7&>m4jwO8?v7cOjB@rO|G#2XB~+**T{{(Zt(idtgyHhtJ~V){e%?G`JwI!_fCP;_=2`I}x1~aYNiw^;GOw(P=h8 z-RTeOJry%`osOQ0uYW2GHFVl%NS`1|2Vmr_xV;#i6>ne&xU0$^b%ncXU%kI7CkvJf z^Tp+hCa&-JZrl8-V&{S6_YW5q3J*i3_m7{-G~Ip5?%bJU{wclA0h6bbk>w)Q=ECuU zO_P_c+dP?D*O_d8Gn4Q#5I>tIx2|jCEws&(1M8Z(J$BRN_3K)b_S2guZ(7%;Yh|~e z%ILK;ehQT<&cjPQGgqom_u?jM8cTW}OSnXyzlHlZP3~PM3X|)3i#G=OyJ_;ybrQUC zJtZ>fFUKW{ij{#R=~-}5j8=1sGj(xwIaQbInBP2k*ScwP=6mkXwjboLI^RuiHc#$b zCw(a2b1d6_n7>Nsb;3RCWR1!99LIf)ze?zH!k%@~r1CuvWZUoMuM!d`>|IxM!h<-b z<$E4f!XOFi(i{o7o}=#kQFUoXgWdwZY$kP{)NIdDUNhvc5{5|FG`VZtA_+;)ecUar zzpT%!Qio$|`OMUvn|^ugx>2=PandPI3--=j#{|H#|BCaQ?w${8dtd2grv7o|wcSP2 zwcy#$bxd!X+_7%iHB^%J`J{(!pMj3uT9sA8B&sSVJ%@B@R?neLOl_l(splYpou11EAUMor6^!p(H|zq} zcT87d(vz>cMq|?M6-mIso$D+T^l<9|@Q(q>D*y(lK+jWpWwYlgP4fg1p5}vbns>TN zFd^GBr`Ifd0{A&t{rWvsJG|xJMX$IUq&HEj}Gy~?I<{}Z< zp0@yR{%VHji0}*_jx#(@gq~p!GaSJA&UK59y}pAPj+m-JhH1RuT+>*N1(^4`0u!36 zN=%wrk>u4{ib*Rc-!r_dq_bvN6nn)C%W$+}hMSdx@$6nP!>!JC<_xzHyJCh#+?m_j z40k)CZicm=$K2LtxQ~bxGn^2yVulBaP>*(235KDOgF^KQyA>POLUKj6=eX*f zb`4c%XUMsZvJz&TP+gM;l~7T_tP`H~VzCp*G5TD`k`neiL98T4_ladsJltB$ooDf^ zedhIS;fLAMt6U|+4M;DAhZDJcD4gV8j{4k&A04waSitj^UD- zcG%>@N@z!PdLZH2rN2(E56QE6+4V}E>*Kn3F^Vf|x*pE)MpD-g5cW8keqMI_y-#Ml z-usJzj_(#L7jY7?n0*J=o#SHRpbIx5A4z)H=F4>~XA2qKX0hMgJ?Y_0AuzF&E%Z0) zT-;7YPa}oso`4=)pZl9NyAz5A7Pt$8m6{{ERcE*7^)M7C$N+`;TswacWD8$uOFsYY z4&0jlv@`iU?PLpo+?{-$nzMzG-sJPtl`UlZa&9uo_xva?X85Cg;a{_5HqcSd_8iQ& zAJpH%?`}~{1=%An{&*-~7#UK`Qqpr!7Z~&$%ocukSTP_XkINp=-@;c$>m>D>(y`+H z0EwH)sST`EGjo}>TZo3_&4QlIq)lT!kGM8bCx^l!kzCHkgIk}teITN zgd8amXU2QdfDZu2=9pR`sZU9Rc6H@?wyN7}S!vTsYqpaN9w%(zDa@8EeyG{WTN-nP z$8yBB*(yk3Tv|@#raHdpFq^&7S8(+Y?^64rA2beoykSp$K?kQt?O7Ukc$lgr(aY46 zpH^eTZr9!4sk$cIM{h9iPVZZ#5^b>3q0XehN$ZzG8T%85-E{o67=j#6r?a|s@C05C zxG`0sJqug|BX~y1^#eb1c0fhn`P!+|D^f#rRC>R>qBOaAF1ez%-SYjK(XQfd<-lWW zRxz#m>ePE6gK}EuuCkN)me+YSGkT>T!?T?G2zi8QUhb5-*X$UlXR`&Kg|R>C0X*R6 zq(iG(uE@+Ww*Arh@(~>q;l9(g8}ap$$BezB$n6F66=ps=bt`wcPkxoTj4nwa=H#FB zF}1oY^#<+|(A3Yw^BT-dtP? z0aoD;VA;-V5@9tM|7s`FA{P09j`6fTu4}OGf`A%enh`K%C;t%8xK)q{(7BUCDzqh- zvh`V1@8;_-*<$qqOe=X&$rb7nTvLU8(+4`19pdHGZ+DahUQ2cX6nMSQUOTky`i{Be z{Iwkdg9*XZ7JUtgx{b?0Xs2BIck8RDuX$~ScdFZc0wJzCzKNFks_14t+}{$ z4X|(`$m!m;m7nfhyIFFtFBSvO@{{>d%JW=cLw{VLCC$)smOD$cllfu$;{!%<)l({F z2bBSaP2Sx(NLtQM_c0q38q%c#^4y~wjxel9O1YT*0VXGU^%=NW4QR@0NFGIp%P zXN592(r~djFyjy@hsCw(Zd23%^_o2xHZ8<;#imIMdEV}s{I`QC;MI;f$YNj^`-Wgm z=NoB(wgFJ13z3E*;CYX0HT|&{sSrWWw9U)8V$m;YJPL?Bb8!va^4yBUvI8uPPM2X< z&+62e(@_PbH@H!OzUtl^JJ5NMTYcTBv0I=u;8M0&=L+Uh(z zSFgyKaGcr8x4)Fb2*wHi`*Q6j0ApEtCfRQ$-(J=wA0n0E)s5gX-Ktfd7Hmwdq5D@P zxm)gs)Rm$mW<~2=Hbg+60DXl)f(q#dUapCKPK0~7{$WcKs_Q{&uIDVg!D~H%fT)6I zRRB8;6c1vgFp?b5Ljx(&`1uX8;QbJB>spv?`iv!<8=mk~dSVtVVphQj7&lA9!yI@> z1x(>O+p;kYz%e6*s`)A5aoq{NC^($c*F2B`JE|ki(4y-Fqgy*F+^m~#;i#4dPIx(= zDeJeG&CEw`#ofN`m0aeLNO<0cvAwRPghjG!x$`dz@SD$IPW019kMZ;o&NqT!RvMMp zu&fug@Fav;-fv%=qdI_akcDBv)?Slv#ZD@#^ty$ zF2~JTxx%%>xx$U3N#XLOaARXqxUHENKt&94x(T&<-zQ>)?_Wnb@umAb?UP<`83ozA z;GvlEmv-beFcM^1pgTE$gZ{R^W}Sh1d30SX&^0Q6?lN&4L*7ifcx*fhuYgFKX;RmM zuE3qiu?9>(Aex|#m};;)!9|m|U95@1pN#KYPw>0I1(XNU3n)2oa&;>M9!m<}9VcH> z_;(ii3V$g8$QAyB1-!HGwyV1!vfkdl?bYQLRl?x+bx2p#;SOn%zJ>uOc3o`5bpefy zBpqSvm@w8VUn$T=TvOMMj_#P&%CFPNpD2yrEitXHE^Robjm5MHe)TVz{Bmb*@?YjA zH#O$D0yml5)SXQJtKOV05Jw`+O@6gCnf#xV+~ohzmV+Vgq*&Isj&nU@_~y<~P6~wY z&*^(6d~@y5T^+N0CsjP-bfWGK%RJ_rkAS7q0Gw|=dZv2w5q`BQgA`cwFYbW;-PbYi z-+MY1`E6>xiW?L1zA>S!aMzt3OG=--3Mj+{k|*C2c8?nU`zPEzd8tNQx%=IW^0X<> zT!ZVOt~@tiaOgl`rf(+1cM{*Lsh(Gu`pf)MHc{CnzPX3yszLtbhky@O%~3j;bb(F^>(Kbzb=aN%bG$h*&cdOHdgJ|18ys|%!dsu9i&%*Whwim&Pn(61fQ0T>n%Pj^siJeHCjO|=y3O2ykF zTFDaI>h(Z&1us=Ll4XudKx&5e&rDj;K_y^Peyf%b@YihB$QUZHg~5ip4+BG z1akI&owyi}P0hzD194#d6rnTe^$_tS0Cnwm#zp9_mGGJy;}(~g(}ESr<9dB^qC&_z zI%i&?tbU+J7Iye`lstyivq2r(RZo4QH5`g{dMdFtbfk+Nk4(~=3D*q>Aeij3_rJym zxWlZdU)#u|ROz|4-i}nFcKST8MM<`XCJK*{Pm|Rhx)8et`82hr33v|UK`~bc$yj#9 zQk(z~ckOwdbFxA-tS?-T(UtYprmxN{(x~4DczwmS5?ucf-Mu;VFs@#}3JhVKQ%qub zoPp~6k;ID{gvkuutyj`?qOZXySEIz|TAs>g-idcfe1IIo zS)h2{2GP9i7Q%^EiRzkKy&N~=7NOAU31RaMu`oY(VS`$%B)lkh#LmoGbk$;T!N#!c zFajRmvoTGurto|WYvvX9N+9Di$F8P&;v$N(y3?05BYM2zJj1>sT5|+bkZjh_9WPih z_OJi4&IU|49?=j*en(t$07pHb)J!Zjq@I| zW(R>FhyDmGxc-4)RDvPx@u|)#g^)h?wiu~rf_}`XJ$gT@UmOL-U8_V}i@AreY8syo z>mCW7--E6gFpz!=?;E(WtWXw}QB-4$;>I}ZajgQ{M#8Rwd5eQwq=2w>)VUYk7#J8+ zD^7)bIu-C|!gd9)q{9XdBme`0I)?!ZBC2VmF+>_>0D(R|Cz&g(0eLY=?F|!Ug;)!q zrFYMs&liG{8vxPhgpv@?IFWN&{bAe!M;(!5m|CTXrZ7;QE7G|)kGV}@1Ukr@k60S5 zsBI@j)b509D+-OLsW8q=V;p-kzqJ=Ua_x6Trozo0&T&t?4}%5TV|iL5?NyVVUMY8c zk$TlsqniwC>6?ODT?ccA}p{ajx-)xAv-kjApb(6DMFGGZ#^Vn|I&pG6jcy`bmv4MKh3(^ZHJ1mQ=3508oOi^qI|UY*)G zt;mB6k*d%`uO8zVuXTRLEk}q8@5zo5Ws(w(uV`q^p*O<0{Z0kIp|(NJp)byE*wz%O z;V1-HBH_xN*h-&&Q**$O5C)n`m}RoLAfDf6MDC;B+1um8Vv)dXaRq_`84)~@eX0fA z3$^Zw=$0NR3U#l}MVSUvgBO9aU$NHs{y@$xWd}i!{Yh9O8pzI=n8VL3npC zn0xmbo`i;=9OmK_d(z8Y6yD8f6xJft$p*OiNy`I2bTm#ZTvj$P<=Z-y&BYBmhBe`` zTt%+*fY9v{VS*Ia7_u#o=k-qBLpmk-I1<5| z!d)*ScsWjv^l2iY8w3RtoxUty^y#Zj88k`0EHjo3<~N@0rZU4el?jGKI$HHh*swr& z$YCRP)^cLtRqVio0kO&D;iSGAlhaJT{CFU)zZ~dlA+j~ zdoGH=Gee;mn=fkHM3n(GDu*)f4F|$xH3OCp=7{K4|77PYtAr)2-38dlSU083<09yEzsYuDh|Y0rkGX__J`<(X!AB$^tUVtF`Ju-_Fx>&(=*XrdCy z5h2{FFoKN@eKgw^JF`l^fSy)Z1f)#Z=p3}IBHzB7kE_%gIwGDM8fa1L90Zc2u$B#; zXtLJiJYO?z=O#J3n8!X09%*8AGEox^ta3Gpng@Ylb=pPb3;t`98V^qERP+}QjhErh3NKT+!WD&u{^};AV^sM_Ph$S1m@Y_@$7Ubl+$C3Z zsEnpXWi(BG1L+YN#y_Mp$0ZPG7<<~@Rj;R;D-FWt7Dj7 zPsgYtV0r?oeBpR@YE6&q5P~Jmj$j5OBbV_0T(0oeHB*<73d9ksp=c`n1Q><0g-?o1 zb`r&nwT;|V%kS4vsNpUlu9di-A+4>>fCjnJ>l+{WiIWT#G+rNhD%bU(Eo((v)*hos zCztnjXA6JS%jLa&T;j{_1%eIL@=nfTQ}gCZe^blGLH=wW;u(!)a*guv4OX%XJV%8C zm8lmolx@GqCZ&tM^>tlrwTe;j49Jzqwj*ui(}i|Zsp;eK%1soAsR^lS&;tGxu&3d3 zm+EiTvWzNAxW)UIiS^B{`{I>;r?ujSts&1_%~)m3jpir$5{R}(@feb2Kw&NB-CSfh zD~(k`?N};MTgVb6=3zQ;&me_GO2L7=5vG0&hpa+|IX*>D z;WF@>vkXDn=``smjQrX|TE^CIFZv9u8YkWyM3; zVQ>P&{lvo;JRGLURi%=6U`li-U-&^J<82;9KwK9y=MhO$|BIxm6PgI3T*mU8FvC=z zURCW=yj0~XVCC0qUliVhYql_~>{d``gO$p{Kr|xIiU_F-qSI2gW~>?y3Hbv4O2NwE zVWkoP1CbF+#ENM^=vUcAm0=!C$b+_Eh$3mfdr>u5xfhZc>F98+O++=O~-aOxP+7Xs#1C_G=S`f95aOKaQBc+P6*({xRyDnsQZ>pMgs4R7$6J{pqs z3HFA~g^c;kGy2qU@|okgmKXD~MEUZq4`qpBb4MNl-4ZeT;$ytBr4a}J;r5_x=7*7d z`n^5D%)BN5X|b%1NDbDnq{kSZiD50f(hUa4ti!Tg@%XC6Nmo*Dxe_d>7Sn$CdRq)@ zS*3jLkG1ZM;rSTub}OXoH(0M+)k?*)0makpy85~eC%`UBFih>Nu_5f$f!x}x?H8$@ zaC}g8qDU=3P!AvpGfK79s^QDB9}8_PrY3@5@H)80$#8`Y*;PSHOgpapa%#A+C<;i5 zsP87vH5lEpQwK74m+|>oU8XD0NL`?%RqydW+Xca|U32R7> zpfCmH)j%_2E{o{~6H}@L+barMfGFftFo6QXgi*o_En4u}Vrs?xKp%1#gNiXvV5mB# z-D@;1|I#x$6a;r+$C%}6i~1oUGPSr0(+)!&QyUCq ztI`(v6~>MF7v$rGw15e=q(wX(@<3>X?NSJy8pmkGvi%@6b*Z1bW1SQJUDnQ}7v6ww;Xs)u_G+jP#F!y#+L zFR3A;2;5d{DoInoVK0vu))Lyl6T@0Gg}rFHV(j|}qCY~I{>sS;I~3R@uyJd1PA$AJ!`s=kQn=Iw*oQ(QINwZxT;EpF+0^r zuv@jNoq!u^S_Q`Wb?UyLMFcD~8;Yxw3V7C$(05RkTAeM7j z!NTiQWe8%r+{0iSR!C7^fUU~%qu^Bf2wi&+#XiD`utFMUU?yJkH+e%IR zThUaEIkoJ4>>&Nvazu7RdzdLR_M#dJt$5O?M}u?ED36FFY)#Uh)|;;&22iy*R{)`b z##V`p$JnQEuL&+SooTXycDeV4VOm{O?-_ZwN5RPVL~XFPCs&;mlQlO?3vDKAo+l56 zx^{*-Oqub{EV&Oa)Z9jsb}W4AH|=R{WOD-bZj$;Jut=J&*M#tHawzOo5E_T;PjR9a z8VCE8e47Ss>D3qD4UgAFT^f~0fJT{@`T5>_=4n}cF+}|kfdI7^p;q?L8Ceu zTQqVA3HD`APOHL5>`+dZ^7v?Wl{=N1wO9_qmH{wp-Ag0>M)tz26=Y&Z>QYof)WH1U9OYTo*`%vo;>OTEO3-3vbKFZIpmSm8p*22MtnvL#cqO>8n#;y_mtHKi(6F0&fOCRQ!2Dxx38R zZP1c%QfJTt+?LcdhOJ>q7=i{FwhTdp1yR||<5A35s5flwsgel6h29qzV5R1zk7d~E zQ$Z+z3|rzk`)OSgYA|fw6E|*lR3;p)%wZ z)~#FtA4dGY*JRE#Z1LtACMgVCA7I$}EkWS2Ac;Evm zFsZ?`^*zmPux@>?s4_JVv1s5zpXCkTA8X+Hp5{DT_}}LJ^B))e^PRGPrYig-Q(=_2 zXZ7jX!=%D1d3Stgi6nhY3DlFxJ}h6~Y34IK^}SZbL@Qb9EjDoi(-a1dWo6m^qYHH( z!F~;S3X34WI;3wUNh4FZ@IupfKmRyK?x(K23^Up83)IW+tJ*#%zgPJJRmRjJseZZW zbmj6|Y{ju?IPXGkyYL{>4a5q0goS>X$ph(AtV+IK`9i1!$yJs7sw$yyG#2Xag|*JhlTI#q zVXfr*_qq94^0kGtN@eetr36J5Pbo1MO9 zveugu;ck$|GtG%MvI*$T92o;U*@1_l8XS`G0+bx2cFWggY0?IE#yG7W5+3K5RFOZy z@sDwSOD&3R>PDyVU&s)2Y|WU^M71sPE9+agQ?V%GRs(=AF|oO#n`6SyZBe|(_9B-# z%cAI=@p&3pVNo0sn;$&eqUbdXiib#!I=4G*`=xvV?XPB0oCpaxd~3@4Xu=D1Jt8iZ z_eP82nB&W~C|-|b!6XFKE=rj&L{aB{a;dRyex(lveQZn>je5SG)f8Gdk&Qx2GUSSJ z>*EIK-~nfIB9i}BmOLo%$k+O6Q{0dDfCB;z4RFq8_2ZH&F(>Y^aFX8oukbkIO}*ea zE+pxlTP+{RwS1VDdC=y>7tsI!B|A?e-^-qWzucg{kokEyS6{7(eC8gN&)jkO%!#9@ z17ZwXDGBgKDg^kl;_D>+nHVm*qkDslf#i?4qthF~^yf;d5qf$#zrIASHVl7(R zdb8q^YsD8R_M$t6y*wGz=U7$M$gt8W&c&=Hl>O95fNU|iSs@9-^suZYAp1j|CmcU# ztuvSps$kEm%s4fQi?%Ixu>W0lZopR{0ftwCN1T08rd7fR`WiMGZV+Ov?g}cYakpzk zDNd=_I}mF&^E3|(ZdT(399QWV0yysM7zZH?It&tyOZt2rOT0I%n##M}B3}9ydxOP5 zhj*xBtXhZq+ot}YX)Idk4@L;JI6)2KoTKEngAD-BWV4U zrgo$;0I8;IIGwURkrkzCpqqz|LUuHniwrF75xmUxLfJ!Uv+O;ojZt&gOM<;?Y!ksj zZb|)=`;LB*{sk=BPByR*uEemGQt4VerF-#oDY@<|UIO8<zoCg#*h@pWF@`-v!Wwd3``mua z=@E)^uqK)fAr8&zH?0KXz%ohO=#+h8NMCk!(;O<$mk>_vWhGWA*N?GH;7K!AJz%-4rFECnGnO_>crc7l3#n-U z_eFce@gYa88frk1X|+fd6KU$+Xo&>HWRMV^h?Oz6K}s3FqX8WYCB8U&s&?&&+bJdp zWkfd&dumV-SPI^-+twlBqjuWnMJfTS8FvId9K5?;7CIX;*lw{TU?8KLUR!yZ8oy^< zZ6G)9J2ZmWuM~`4<9KnQsnWJup znWLKI(B>#vn20t#aog118TJSS0!tofFx9%p!Eydz?ET->$V$8(9-#qDlw}So?>Vm` zdT>M)Vte-GRxiY^fY=|XkBjOMW``kR_n5>FL=w;^iX>RrwUeL`38gi{eCDY-TmUL`$6#QUrmu zy6C|C{*W8*xdx<%qH{@L0xrf$k{B|}@1{s?w6ig_{wiYV`D@-oaJ8CCl@UA(l}2gt z8pH_Hk1tcFPS}FCeGzZL0>Bl5YX%6m;TT8L-eeq#n1hXt-HEqVtW8nP9t&orP|P@a zC=}CW6tunQKBNXnw^8=Msb}8)bm-ffa?uugjiAGXXl|em-uv4XmXBC1r}NRLKp2#F z%(2)KjY=K>v07@^;Mi&R0&BC26BWr78cwj_+i2=)JrpYF4%Nm9*rL%UrkOHU}1Fq(b7zLt$f-FyTycjpcgXyV$EGv z&tnf~b*biE(cTzDg__wMJ6%c)Zj!wb?BOhGKzkkx!*3N9jsPC^*y`+*w+4h8QumhC zcluP;;)(#MZ(yFlN$E>5y+S(2Je8ylE32kKVNFY}?ohe!(qzGvjmC?yredsV$t`_b z)<(O~;lZmfT-6WqQun+Henyvy@Og?Mk@jQ$yaO{-75P`4=M@zqXZ* zDgr7qOzVaDQssP!Efb3DDmC5Re|cfy?S=7Y8%|WVmz#9fal8@J)I&HU{yHP0q1z7K zd{xsMin!Df1fICL>5b?4|2F?WQfg6ujy7GsLpfFz4);8={qRTOuF9K}rawA%bJOV2 z0cv>c=B8&B`Q0`OpJYHB`F-V}oI4>Y~PSzs4n&Tsq5PI7ZF zI7X8D3FZFXY2|)Qx#^R0KgsXEo+bCQj)nx>)`{o96s1L*|s?dWCduguAw}^lanmk~6B<9MP*4 z;^W#+Q0!+`7AumzCav~j(m%N}y-Ye?y0&>`wTncz#AIv*js3Tduz+GT>bY)8~HD^~JC-1L^n%A#hC_J+LMON*_ z=BB^8@z;{o=p|b_rm6imO3yW~zK^Wk&ibw2Tz!fTg!J8{e~x}P-Tkee)u;Olr}}BS zfAvvve_owfApHv={R*X@?q{<5UE3Ga^xlyEFO>en{?hZLKS23^8Cv_T)u#&Y(A(9I zHr@Tr-==q~k1>KbY#` zjr03UuU*)`?S+p%;%NBDgWGq$^^vdQ$#smEDi?l6(F<>Edr7~^$Z;j>T9lDP3zwd^ ziZ6lba{t0B{o8(^Ed8Zd8~V3Buh0C*kCaIY0#}#swQx@CWa&reOr%*Xa7m^ZK_v8(Ldv{q>7z zs$Ad!E9*q5a-Oqtpd&j{ z3jJ70LOG3j2`M`}^25*>65a{zpaO2~m?^z}Q5af& zpi49Pkq2V#E`@jIr`C35w;fQKWaJ|!aawTXL4C0`)R=G;4fk7d{m8a^l_?9m%#IX8 z#)Eu$OjGO6OEU9vwI;{NT<9_08l?nrrul^9t6VWWNPh2vZluD%VFle-7zj{ zGZrvSnV^)RiBi*)!hb53(#`I>OK)5dfDR*dw)F0$Sv;ufi%%yb1073YBx^5BxD;sH zVGk5_wp6)P3fj&bChl#|g&CSpw!Ij-%f{sOTy|A@Vm zkfN*r{3W~X`A`(mdMlUmZ7YZ10qGZ|k0^b`Z*Q7fdwCLO80V;L>3#b7N)p;kx=bnd zC+hvw+9qLDSU|Q9vZduqb*0Ee5|%LO@*T?)+0qA>>Kd5wO;hW;Hceg8RUOtT)gx2* zbaf8Fp`!P4Bd>*u9!y3)P(_le12xHImT5)+!@fX%WG>*#yTDv%#0JP9tZCVi`_&veb#`PalsJ_iIp~3a zoAddp%XndRDZ-2{fSQQo%x2zZuPDMvz6(X`rjEtj$RYKRrMyUBRL)Ob*_+*V#GpFz zLFnasaVl^a#(cGv8;`1}0Jq;Ar$@wgIXfdr! zoD6BmXUegkd9Wx2;3K(_Z*h=8B(DrZaYU3$&b6+f#^ z&G7NL2#xu|hgmQM808)os(@HWEXV;#yYtxmLvoLjC$gDi*?^sSUH3slBuY~F<)8bHQVGI2!Y ztr8GwpkqHpI%T4`AT(2@Ue3mCVN@`3QmZT#Y%ygVpy*6ec&CbTVgX(>hy-)%SSV*F4de%!h@A z!28AQu;Q3P=C}fj(^AYF2LC+f9LCGjq6+G-@x7vn%x6w;Q6`eo^E|1Q^Cvc(&jnCFGjUx* zVJXh#%cYkunOghj6W3i(xG$1cID6m3H!mzaQhM>CQstAYmnJqq7v_?M%EX4ofx>bq zSvt9T;+oZkQt8=-(#tKY@0+;p6FK&fOD7v9uK5{cwlxD2f3{|zPzu8@Rn|^5BoiAh z9w<~?9zK52z{G}677mo2yRdY!Y4yUyHBGs~Nh&yR;+keI@A|~R#4RnQ%BQ|O)v!3R z;Zrg`LsBO;TryCYk5#;K@xa9Itu-&2xaQJ{TYk25vU&TnT)TCj`gMWoT&E4&(#i8D zu4&CO^nr=%K0Q!4m3HcqsfLM(4L_G<$O9AK{P}^xT&a9f>EtI@mnN>cOqMQ<`4{w2 zs;r*a@QYl8*D^41&E<6pmG!Cq8~bm#F4_KSn@xW2XA3X=Z5v7$Pjy)1t2ts2i5_}y z+wb*%t^e!jtWiH-ai6VBAu`)p3zTm^dYxSJ$Mnk~vw2J-uHHwA9(N1lXsSdn|HY1u zH~8)N(we@B@TrTRWK6*)CG-We$F##cY~*fg-r=p#rsg~CzN5>XrfI3E3l-Td2D78| zQH3i*H_F!qTcavL?OaqQpu01{YRe^+_!)53ePc&cdY zM4NoxA4XpD28%Yi>HU6}4_= zH$b-9F6^z}A*Zr3RAwg`nG0$L)ZH!=b`@-@-rCU?Ew0V6-c|lx%ok2aYjZJ{nf32t z4nErK`s3c(XzI&r7gTJ?-u03}nW+dc$(GSKw3$;gf6s-=+&01~z#1ar&QzjW`aFlM z1`etS>WlP8?~#s^Q+qdBT5*OUnR9U$!AZlXg|jGy+y>jUXKuwcN!)9MQ@YEB%@UnG zn|C<)cPgwEl}ow}vebyF80XGhW+C6gt$`&y8_Pz~{TN++P12~gVAvo^4^;07t~Lm| zecqfwz<+D!GWtyXQ+UGJ9J(QN&P zpItv2ch|!>eQ5fX!AATt0s@HNUm$>tgAouwK*0NYzwh~czhBuVX=Z0h1whhS?ODp%2bh97&hBKNKkx2s{VcJh9cHH$X8CD|yV*ekLK{#U2~*ug>P(2v zR!7smZ20Mr>b|B6d4?!kPCG#65#WovP&y&8Z(In=w&Ac^pr8kZESfX1lQB~rzTRww z+K0;BgQ<(4eKWHaGQ%vN?5EX>F`X}?@F<0~03^t(s*)yz29AZAwnM`#&7-XL;u(fQ z8yapE9`J%vN0e_U;i}MGJyJ!Pzw=tK+wH%BKRY}KC|KEFhg3P-qK447I=s8p*v`?U z6)?nsUn;C6$bxC?3wWpfg(u`3y;KL!<|n}ESkE}sETjSk>1!W+D=Y< z-Z&YJgbu!P5bM+zjipuiXwMXRs5lWPcDd}dGoNLhvwwh$Y-}ivy!JiO{oUFyd02m* z%!-SF#R}rhXC{{mvtMM-msb(=2Aay&TnD~!{<4eDH+G=Ve)RjXc{WS1sMB`rt>C-N z6$&dVfiU74SV+cQ!&6KBr{BZXIL-=^uAVIYD3QoS)8whvF7CS$$ry2mP+L3yXYC43 zD!4J@+DoD?XluWkUjv=Q^zm4jgt1l9-h`lAC9e%*^OpcLZhsKrU=kjbQ*xWBfenBv z?S$NRuco&Jp-piT+MePYLYsbOQ=kwn<0tH#MSuUM({)B9H$W#xV^t=}Q1gVWiC1tc zRe35(bBw`B4H0n2wZkiEO(I|)VTphP`XT~q#M*k(SZP$n1_g!2Zt2$sB?7VoqDtVA zldhaak?9Z74ju--v#W=RTEtAwiO6ZmE}z=L`pxADlF-gh?TZ3vh8Bz=XV|yE~1Vf9d9^>|RXe?O>&<#iSoPM*A)_%arrOd?@>vk2&^ zq1VO&R)|A}G6?{gZtYq!5`;6dF3%K#P@t-e?4%pH2+v2@Xh2hVJKzYZND@6yggtM` z;?)^E<#mpwI{(3X*QjDk<^(r3MsSqyQZUdcj;Doko z%I%o|YYZZrG;q@)#z_?;TMQ_RCPj#~tS>axX~rf}(JMZpivrn*gPM=|)sT;8Z$|oX!5HQVnRmp4MFeJ%s}eb=uaWy z!Ov=nLd3&c#sHAdQXlNRV2m!>uYCMr)*vgZ*x#r-Xm+h+ymAV9X|^N;YW5{}dG-nS z5wEbOMd=!Ng*_1x2z8QJTH0HhtXAhLbhN`s@T*I6*dbIqVNX4bMW~=~yK7CZrV5(@ z$o&Ryzqxblwo`5Uez$@?#m{t7DLz4(~+JD%~4b|Gx)(c3GNr??gFpn*$ES z#5Zv#&mdt9Yr4#!#ABktgnV9FPPik8e$c#sOuVSH`ye?}iYFZ;4)pc!^?Yj(FSEwL^OWhe(L2JVe5` z8zSK}HOXIQpTDe!e9tQqE~Er`{v?s`fJz{oxCVH@uxof~=@Z{bBH@I_nsjw)shvn9 zF2#jNc$TnL2w4q_8SZe|)L3VcAfyA*mxc5b`pJgEXo^G#b7SWUVQn|>?*2pCZ2R{} zLHgc2)4hxD+%spnTqK69?7NkmJTLZk-xy{7Rg}52a@X9m9qVsZ#y@fza+uQOhOwedo5yU3ed`7w@X}MqUc;?VgIfe^TVFdwt+E zu)F(Dot$JvH)~+Ur}~uqXHnI>y87qN+i=(DQI0P=a;AHRZ{2O<85{sG>YySj%YUyd z4B1~q)_r`>Gi0+&gR=h*N-l=%e~dDJ8D$zyD;>&vlau#$|7*UBo2B1*R0gi<$1boAaJ1@*eKKM|oe_R(T`&q&(DiGt0b^pQoys?t7K| z5dLYx98K!D;Nl>mJMfBH<2)jxzHBcQ@d9xWW#Xu2jHt7H-NCv?QMARBZ?jcR!&D+>wLb zkL&mP(@e&C-rc#bdsLM?=?r!@QBSONQA?J(+OI4;G@XX^a5t|>3&hu%RQVMN#CGwR z^;l?N|I{TYH>p4Y3RgMC}8F&&DnpXk^P5PXV+S(?48c;_AgNmAZ$+%ikGR$F4y58qbqPricmJ4jU@03RDfO*aiN(lWTI4*~ z{p0*>8ab`Qs^BM7LCo$J{cajNt*>hDlg<+pe7O53QxPT@B{F%D&Yik2IRs^ux948G zFm}Ii>p{Mlr*Gx9uiTMWUdr0Oa!L;{G0+)xZ({?$zIAyYiCnn3MAjhyDgDyn>&RUk)4pxdPtn7em=Yf`KX(COZD-Kx7_RgIcyrL8tzvNC>DXu z4?R&G{z*l3Vwof4WS>y*-0F5Y)R~-!iDAngItF83Nv!~G-M=ZXu$ilNXoO733auT4 zzHRrNu5X=wzPpty4{&su4~_)i$|U)|MSv$S8P}8iqLmXl{_^e!j{&h4P(<98b z7#V5FQ*prE!GU?(+{-w5*^5gpj{uYO%|7zpotk`84^y!dPqoPei;am?M$C;@PU)bn zBo-nC5pd)P{0S%^dH{GOONvi1kF@43=p0K`1D-x6Szvc!v$_BnD1I*+-P+w401R@z zDz!pQvKge>?{-t1l*NvrHy+WSHBJJ{5U~G1&;V&Tv?JN}m3w?WNhq7jSe1k&$OI0D z_a^yCK6eg10OjiB1+sr2YllKq413bftT$0MM-}O$J*xDXmDyAe&l!PMCuK(MA@!bw zZ*q{=01LN(m0t<{AcAy!Fk;d`)6sk6`Gka6V5$VhF`4=d%spD}J|R*|1k>rU#B@D( z^1{YGct_s$6?O+0PfDG{DB3t%AP7zf7OG_|HM@c|-*YW{IF+XfCP?q&^;G$BXq*{X zpbCA~^QArjqD)lN^gc>?zGyee`!ubpvdSsx6BA@>f-yy;KJh+Na!c2^SC#L@4+O8E z3nTI#X#0w+^MI@lA-kk}P*NgiUJ#RakFs;#7~@fOKDZeDG)+rw5tJEv`o&sXvjjYM z8nG`07o@h8j7t=C`27y;6?D)j42;*lWM8NMvouQ_Lrxq=Ad248BZ`4tG94Le(&PA0 zbnaei--(gA^d?$%Z7W?xlA7L42S^yCNfotuUXpedR4( z{R%?>atM)$J?!bB{0X7;h`UN#D`iy#ZKk&FP|&REPJS6^h+Um>zR-i5;V#D{d>2NF zQsz~NuA_?6T~sLITqUD3A*i*0G-yY;+rF~jc&L+}z&n!W4f=coSaH(ylW7cPLXHlx z4G;i6@rovKmP%=ZNem8~7zxNj?6>97llX4V^^3}Kp8#^DoP9~$**t_*?+8_i)~cz> zIpG=8ih@ZQ5RaWEnv}^PSSEWhuH22&X^=7@EAxHAOi?WVZXB|r>B?htDK*E^^9}(< z$Z2Y+a$>OUE3^PZ80sE3O_pCCp~CCp|gRo&|h>fb&7CCp)p z$RZ9aiwP&Sw74;TLT(KrSv-P!doEEB6p{2e9%K zCF?vx{nnsYb#Udb!OAm^T(0_&8>@lKsuQdrch;!EORdND|V(+(^rP@Z25sU-zT z0m__UReFMGrj$B}BGl*gfx@Tx$5_Fu_`y>D3Lm0JHD3zXR>}rH1QA;()?i!IGvIo*`~yi_?#9&RmldvvTjw@W5D(LRCLsib>v?n>b{eWdJaTAHNJBvFKX0dX<#Y=#8tsj*5Dlvikt(zd}5hO$Ew76v{hbw|1Be*|aRHz7eXtSd=mwXG;kZHd}Orc!* zw%89;Go10Jqngmv2;VMD`NPl(B@X%SKCK9Srm$>k9n%#?)~R)u6(zRo1`QThS)Iw; zo=t5j)ho<_5X?SaI6|_c6Zc_={irV!>SA*dOrm9AMPfU1=7zkhic`1gN9$03Hg#k8 zOg2(L&}7#vJaO}>bswP0_GUj$xnT#zRPb^PXGzSAviT&>&T{WkPX7#$Fq&G0cGRXm zeW1BEyh5qX_{Qrh4Zm(`8*Z)*3%5K4Rh2PMK*0+T0m6x0?K5m%tL20m8z*WmD5EKB zY@1Qpn2;t85a7?v)Tga99sjLQq$XTd_ay(;Yd{s(dmRJc-2RYOpJnwF-zT{!PHkDI z)`jEc(rw|4E9WawQ;t89x-_-!qZy;6Zb5TDTcLWSVmK6@^;l{bQyGDV! zS31kQ)^%Jc#hu0&YB)>bzpJ|}!iAHmd?q;+<1~88nMXn3k8xR6y#@SyIf#H)Xn$5m zpRDVsT;JzT;!yjDygYUEa0Lhg0|tBF$#y)FoM_WCV$II>&*Ca8H&F35kx4n>N#4r{ z*jpBt(Bw*+t`(KzCJxnxH1BoaM)5OEp0q(Y5LRn=NN2r9zt(U?E$=uX2z{dExIp5a z;qs363_$6r!5t6T?Hh(XmhE`beJMSV?|4W#dH5jPaU$i!G5ffIDp7lypTQkZDyCd| zfHc>VT;O$brSSXaV9XP$AXlb1P%~dRlkb>MkiCK%x(AE>s~roey|>Fd;$Q_ZE~u}( z?V7lOaB0UQZjfhR8Tmt+dn5ZNk}Ea)e4odcEIGyx?s!_wfO2xqm~`G^r});yK+3(h z4W=VCoIjOCzN%dIME0Xm^9s7|axX_g>;bKdde|WlvBoI_VL#-%Pni+nOeZMj!fH}L z#GX2WE)1sm!);ebB;Z)u=VHGuEpz4Gf%A9z7tW%FZCii`(VbN>oE9p z-bOM=;mVG~Z91|sQ0GrCila7|BnC5)8xNgs(X0&QrRVCUB?eD1BRZIJk8%x8ZRIYe zrSg}mDe_oBsXgW7+CSKfkjZXG;uV`eif?(HQoo-3?!R3hWt_D>FKy*L9Zumf-_1Y5 zi=b&#c@0?p)kqu9rU88vk8FExGaY?(pKSIbH9Nuk7+#()0~Hl;WXq=_)pnk zXh-NaC?YU#$acJ!kQ-VsPsn#17mo9eeBn&L;|&oK*Ue@-?l6(!ZZ^cZ z27DLe^BSG9WW8_elo2Ka=>kREN_oe(4JF8%4s~f`dO~Qw;|X^aBpN4EB2mt3_!JDP zOnJxM3HW=(g2+NlUeC>AtNFeWLY}W zP%fP=H`9;a86V{&gW6+#!Z{EBFFnazh?gi7anM0;PsXXYsm=e;tb=y`aUdZ{f)uFu zR6;swwJ1K%CnVkgbWEf?1yeUr+6HNtnS%vfD)Deaqoe~`M)YzzKLJUl<6Ij! z&b5W(T*m}dIUN!Z|4u7V*6TAU{pG1YOF+wtRjiQMBc+Q;Zp)|sTIrl8HW@dcR4h4x#VNJqj z%dbrDX(yQk(E*#AtKu#B;^ajRC5dD}_Wm+T7U_d}nS8!D_|{sSdV#rjY68Qy8|Oyi z%u6~qk}N_=ZwMo1oHh+zf`0XB_a6R}_r8IyT{j}XX{mvY*^c4_jGDvJLyN_sR=Q2~X0%10|wriJ*b1B;)R6{X^97<7vlv-Q=%airBYd@)x&kuRNWmCeEgO_9q%=Q@(le_Q~J;WaDfKMuN#- z{7DQgl>NZuFZQM5DZhPLI-asTdBvyX0j1+9SA2SVWigJYoaT7S?`)m?)t{RD{hyvY z)xPW5OVY8FM<%cOhkBb`$5O89FVCIgSjw;dOw(BzA4|F7XE`Iov6L(RQS-5st1g$z zFWtT3=k!CzQm**N=~&8DKYs*a6ymr|9*Ip(i@!0w%3o1Wdtdg_#P9$7C2fE7>Iad2 zm~VN~zrhq`Q@6xzCMTAttL4UO+wK#}Q@@?9{5M>nz<+HmgHu=W-pqV7p}k+9I#Ey^NHn@d!;wDc?{YaDD(8o?oZ9YLAoCTp4sM z?^@J8``pW)hCcz^hF|n?ZuR@qyd)}%m0r?ZR=&B@M6r#+CBKj5ycG&BU12;V>L|X8IYEG@!+6fgn{D~KeeHXhLqV;KKVj)JtfWx5? zW-hqY8v!MKOh9ep4S4m;{)3t#)?Mxd56ho<5+sEN}i~*wERAvs7nHS zDlSN!VwgQiPcBWWVRYDZZ3PM9@eA+>^$)gp=D#V$+$(lyx)~_f!t48GET9cH5zH$vR6kS?2CgD?u534pY zh|gq5)X>_u3`l0;w8rjmW?RWQOrGwn?IfGv>`2+;s6=bTE~iFiSi}_#4?LXPKuxFO z@kNtp#Odsc*2m=HI_W~*TAG&##i0c|7rZTZM&Su%WdzA*y+?E_l5b9QlYYV4P#7Z>rUe< zHOzM;O^{guP9SLugAX2S>=!F7nG`M0Na8w563KFo_w){R&pJyMR+#C znqH-=Pr6l(v)}g)>LDyUl+lJC!jcGNX$@~MACtfjEE!o9-JfrK$#pyiY7a3%pQa z5?7xbhxB!<*+Z431(#5of)+S>s69A&xcb62V`bGP({{Lz^8xgB$Ql|R<>g)JF;DRU18iLECB_rnH%0HiHR!p&`rM__YiQnfN1fgTYZR#(nQAV_W1LWuPRlR20bI!^looJEorl~W(b{J;sFM?76N4ag){1LtIG`Sha8+N9 z7xjy$4Cogpl$fv8_f0;*VkZCiX>u2io(fMyc#^MVcYMs@(SxP=cx~a>hss@xG7Xq8 zU_2reg=;Pd-*mxn4kukxq;!uOjHnZ(J}%FGqkc$9?zqCSa}FsLe!J%!Qc{A^0$Wb2 zW~It{C5ER7)4{49`F+e2i6uY>tSm;5ro0P8!vdQRDZwE8@|?HR&hkjjG5a8lNn%4T z^18@G`U?f~J+DXVVoGRuq#jZU|7 zb$9o_iBgi^Le@$rc`keD#_B-Z%&}8Hm+eX?om#&5sqDx@H@*2kKl#>^n=)j%Nox7M zA8EU>{|&DHI`Yy3uYdky|J8?wl`=s}+aGokk1+bB+oT3GD+!-04x_hSvif|}5$g!^ z_N8Z$0VXb^Ys$SnZn0~-dGkdTF0Q-i{!Z;Pj(-+^r)Loj~ zz3I=0Ag1yA8=_CH1H^#ue<2*>$Kut1?|*-P z_)`7npI`hzBrQcr(OAZ=`b^w9=LEHKRoRL8fS zedigwXHI>*sqO^jUEikeU!v}&l(#%Se@%+u7jfNqf7|YV>u|zzuI5Pax9$BR(J@pv z@UxC;OQy$SymtQJ`QSM@NQt81lLG`+GmwFF3nsV1ZEji3K%in`*R`zXAfoLi4s!H} zImi)nkgt;1@->a{-`pPQ&Dd5|A+4*35S`4H^jL@IW9NnEWKM|!q?12SpuC4? z-S>QQaL?!1(OmbFDBr6&yC2M)p9Yjj&-Y@FTEL4sZM^& z!qua=soxzhUgCQ1H%rRX>DJ(SRC19jvh7dut}2vdsU~`q(%-fb2Ogzt#45^{;^;A` zJOHL#4M3zB2@q+S1t5I_A3!=NS(jSJN76%5{fa~_wa7~!N8rX;@dQgeuwEFAW|AsF zZi&(wks7#MRzl1v6sBq{SrkCX$;J{m&ckC&w6 z!V(hnhKEi%OfJ1tl}*r+4TS0a zC?D|LE_JLLFGnqqA$l^T0@4iWfjW~>2czf5qtfwR^6ONcVZbqRmMKYkwF23hCQn<;RAf%?`?W}l}d3Q zQ1{W52jq}qgrj69k@2cLTbO=C>adMQ=YL0vYBU(CW=P8Suuo~KcJ-l9({;ZbC&D>k zDP_DW#a8nrdt8r!;BqgA8TIu1lpkjZ7kBN)aTGirq<6vQ+kwWTCSi{*0;%dt%@g_( z_ACrP5Hq11WrUIEt zY#G;^QMbhP0bnQSn(S;MPm}+I^M{=Y^5=&9#>Z^h+9GsWc*)q7!Y!qJF=>itPu&B<1VTbeu!eM7m<|j7Ij@ded)$TZk?VKxK*`N_7 zI2zW0O^1-~9m4!LQTRFeZS0FukxlWcb~-#a@g~$ z%1n4cjS|)zDeUfTe0LD1h{R7`qU3YpCwa;JC9@TAihVT+4EKcY>(Ztr`vEAEc z%4gx;@Y$>c`hgF3CRPG+dYh_YyGy>$d6(Be)vgmDV{%+&!WPwuL;~$9$@)ZmIu2n} z4kYa-US~I2)E~`%kO=-e(EGKr^EOr*QLX4xn4ajTs!{JO-8 z{jZFpc>xFlL3CeHCZ|Ih6k-<)zLxK5a0+3XQs&*3Vb2tm$_ZRkjUW>FrJW-4P_L8t zog|pP75Bt2FiYA4nfJhW3r*cnB^oOoAWR%$M8h@Yus0io7Rsf`2R!Yx)`;>p9D9b! z-DH<` zg66#T>y;fEDc5g($-6)v6P8Lsp!@WN&^+)#&E3CoDRbmqrj(h&xICs~Yb@;TZcFV&JeZTI`2OgN15-fmj_%n&1mVO0UAy zAB7qgupVkbbW7|$f$5MQ%z$>i)^@785!Vb_a&C>~lloLx=;!Vrg}OUwj~wnn;j~8x z^N-BSMP^oKXNJ{ynW9JiiV*DrJ7^argh6;G>3FX|VYX;)|UR zfrE^QX>>wUGfAwMGoV<9P>)z{OH~1Q%7hz;ZBN1)8)ej3t>!MiK*n8%I5iY!Z(Q+` zPR%#$^#}-nY7LFH>9O9hNOy4I1R<=6`o<`yD-Q3|pU0aR zM;2GyaN(Bk!Lm?do`$p{PcU``uWP&&HLmu%kYK=7|9nNBI@A0V(e6_#&5v5mDuInc zv(qW0T8EP~fJzabkKB|%O}bT(wb1D( zCDJ$7pu}vHP{XQUB}{_}qoYK>OB8%_e_?_7MtN%8c2zDSBC8&j7TSt2_M0WhxuK6H z;F8G*y@Lyz^m#IU=CoES5qL@#ep~31+uZ)@`k}!|3?O zv^$IQg$2Pefr%hhH^S&ZP-2obHynHhZ;i_1VTYNB1f!a4G3g39*JxXesM;)$B?13O z>mkBl%Z)JcYgo`}mLs|eQY4xB|5LZ6Y_3SRfkk88DMmpfL|kub{952!CM)jEBQ7)F#}DGM64ct(OXPP2w!k^IJQzW z*G@4+3{G;HN{W(;H(OwY04mk)QpIi4;-D-lo?9yKJID5tDSPsKat-fedogtQ=9>%M zX^A8Zt`OR!(Obfq33G}UTE=t8VXi0Lrwj1~2WYBQISG^V_* zk-8KBjXI3m&??~wHiY|!tEZr;1$hbmNS2|>x6RZVVvxLd7(TjZ1d>c<6ZDutrL<{F zXjkxtv&}D?(HFVylT#ko=oWSq;fCo201}5e+wiiO&US>r=uu17m*5etM8%jaJ2hD$ z8s6YJZ)Y3L1i8l{U1dxs>l(AEjBz{Q!C;)|&e?_-IbB(2X6;GC8LICQLSAAtzG|(e zTA0Uq!6UJNuMD?F55k%|J4r^mW=mnumaH%jVWv2N=<-OIV4!^6iiZg%OwY&$NkAp&5st_AS4x8M3$!yZQVjx-X>PSDl8|-Y-~{hcr(8g+UifXRjqp!(&GQ9bDJVny z3>~C1Qr$IOt((?k(1Ww+VAS*wgVlqq{eS%(~kRjjs3>2e+! zxYEu~^dNQ7?1xU7_f5yJdD5fiv+0udT>p{iM@?Twtkq#^3i~S{R9&5Q<}_>;XXYJS zG`SQ_R#R~kJ$w!xu7=8gQ`f<|idBb~7nB#m*6bFq&MK_AQ20=!djbf1LPY4?x3T{Y z2>rhL9qyg-zs6dFLZSoTnqvjV6;RK_C)86ONE_UEI^Kyz3V9M5eLz~uvP%?vVShZ; zom5n%t6yRc>L(9`1#_rT{OeMTFtkW(hJKMzG=KaW5hZ&Hpkz-8VUOCzcj8`M>?g(M z3Npy3`ipPAh#Zf|bnd296XGgo-USY)8X0EkF?}izeoU$nFX>yhiR2WeBvEA=9$~G!DZwJ; zMqjxcQw@|wE~6@Y7P6ZTG^tz25n-n}S*(qw4E7%LJ)66)E_^$sD9mdSgi2z71xJ&C zCaDy(28K6QV&QI?<2-U4_y5*&`_A)-29R@FqOGOIn>fkNgp<| z(K98`bbm^-)EygHl+eI^^%o>$sN))$T(8%2;n#L|5XO^VSueP}TQLJN&uA3%nzu&9_xXNZn<6~%!g|y7u(;L) zz=#Ufb?S&kEZCb8W|aYe#ud<{<)x>a^cI*|+M5)cnNO9->l?seY%K8l)u~^ZavD>} zxkyf&qtCVh+5WRgN5kf@sPWCzE5>ulJul5Q?Rx(*~LU6`x%u}B{`1Q-<}-Go4TC-KTZsdT~ve1ZI%n6mV0 z^b)&cVwC`O(5EceHh<0c5+9e*=HAr%$L`GPTht3SLHqb&-UYYdN|4h!#g}&>-0b$z zGtu?{aEQ_A2%3j%ND)x@gaDb!e;7Q3n|XX#nDnhY$>W9}%PY_P;?(9Y>C_r!^<9G{ zPB|p!9<8Jf-_kv7C!fnH3FF|m^p2X!$Yzz&KB(VgE=Qco^>TRdmr(csvI}7BJ7`KmhSWd!oC@s8XZMItti(QSJ zW499L%p|-@XvO{HHhveDD=VQrRBd&$<_jAW?^a!icr1J*$#^v_fK)}HI|VOe)H_`P ztl8_SIG!M%)fc>(_6Wg0Z4eq$oi<&~QlVs2j+%lI?Sx`+7*R_!v*d~}VLfFzGgf92 z#1sV;m1_`PvsF@&YOxMmpcP3BR^Dc9w4%q&H)?)JPEsOottVi8RSgMv5YcVcO;|V% zX&{iWtr%3LvnNQMTO3hIN~_FgzW_@Pu)iW`;;o7sZRbs8L;L$fL!o zxq6$0SV28N0Z-m)KO&2fa9g(60m&MuzJxU!3eWO=KUX51s@5qDL5D_;J20iPh=ue#UztMoaq7c2lsmO2z9%@rV&vSMI(!pF`; z?^2MJIIP&B8E@0*NO75cWLmD3n z3~31+Q?_Qcxp51=q)RSa3lA+ibx1=7PzUtI1~=>`kFWBG=Lbg78hg^3;<|+FtMT}(T}luCJTjx-L7Qj z7ZxliJED%T!@_KYHG2wc_LQ#qQn;qDd=#YhzJk_!Tz*B^v?ajC{+%`%hl-odv}-ua zkSVP0E3EDhmY&s50cHi*Zbpxy!TL2D4WG>08cs=KixJ)zVfT`B^_tgg>MxYZX98U7 zQFhov;(D>8Pgrv%Cj!qQ9AZTKj-ATc;RZtZPlhH}lC~h_Zd7!}j;LNy-8G^O z6jH~Z*Q7=MgGp&mgfpuA=vgq5&;~>Tst*X3{S`rbn;%07zonnT42(AfAwT=Q7&Z2w zjf4g*Hx#PSm^#Xa9O08854b3;(EVmJW-e zr#>+@SfSGHYH%bE6G=S{@nA$*5f2a-Y)@N>o_pd|LHMPL#^AeThVWOSK2IkgA9A52 zaWweH0Yg+&d?b2qN?~beO{p67nv2KY2rZ;RF;Q2YRO}8G?aoK6$sr`2`_hdJ>i<_8 zcC5g0+FMe4O)Ijen6PI;w%16X*O#!TgR4b0K8O|eT_~DmUW+<5qfS}05J0e6$m--7 zme-L2>YfN#-5o4_yS$OBYQHJ3BkWkuK*o1VMA6_Dehn63BD_yu($z1etDm?G>P#)g zPf?tkwwYPc6MC=~0)EA5W~f#3P}tE$y|WRn>YMD!ebN-+QB}(eqco(9E&3v5bUF-z zC}3=%e&nF7=w6x^Vr#Ao{+=ZAh9{HFRvUi7Tkj1^m6%B(GH@qLn&iBTn}$OQ1w$vP zGJ9WZRl8uKpeOx(tyP_({Z`#oF>p1n&keHKU976=ju?Yzrk~14zoV?XNJP~rnn|oL zXw}A}Tf))=&9Xpp)E>;US*Jh9MM6rM3#`uJ6}CK03uIZIU<|9xRGMM8SLs!mkAsox8Z$2!=Xt`1Jp$7Y;cSWVmFXsS?O3^JlKTA#U1AB z^azVwFam|ps~bTU2&OA>Ady9go?EA>QW7^SVyimQr_KOGRe}ZKkqFN#EZIMo?5~vJ zNLh%K9;L{0&z7vTQKzT@u_cXB-A{%K5>XTY!F)$@#sr{hh1RH0Lt*!0EhLE}C&ZiD-3HP_sw6FUN|+`>tM)KeUngtUwQx4A=Snm}v33i=a1GM3 z4KsRy3k5zej*x7P-_^1u;#*KN(ESnvBGGrrVOCj(k!BpmX@GFuvZax%lAtkfM=G+w zq%bWDyX9k%3|Yx@Sn-|2t6VM0B|}#DyP)kg8?EZrs=?Abp`JZqqt&f4THW1bv})|a zHPi_))rQB>!&w(gZ}=U(s#ng0tpF`yV%tCGl4BjQ;g7>9c#^wwPwfKe|oh; z)|wrQJ)zx6mq1<~65n65W5Hn8>{tywbkXZ;AvRXm>{y72OB$0kJ61@@Yj&(ft88m_ zED5)3cC0l!)|wql%jC4=sWm&+n1%sO{*b=tu9GOGYj&(PJJy;VYn3-vpJdAaP&?MN z>^|5C3xBMAgbO>?EWexWSO-#??O2Cg?t8am9Z@;#SXF=7UGSHUIeoEX86NCdi-gZ- z$68jtCOcM(Zg0nqRdac^w|tNLYCG1kA6~O#t@&fc4$_)GR`D3m5V-;SJYyMcWZLj%bt$PDE z>@|O^H9OXtKh~N*mY$wl#IFi}CO?z1=8yG%k3UwQpV4dBvHA%YcB}z@H`}qYlx92D zkjs7VcC2BQ!;UrL?@afozZe(v#g1iouw#uAKA#aAC)) z@w?fMwUp9q$69u|@7<2IqH@@=TE0(T?u7A|BcJ+W$1*(Fu{sE!&yLlnd`)(&0p-Jv z)#>t_UiEji9qXq!G`n`LaP3^-+PT6tJJ#C$Sn$F%I~Ee@*qR*+R9LfPt=X}-+9fV# zUb`QwxW>x&tZ){{j(BT!tTj8Rh`YYwdn4cKQBaXU7_|U8rHl8Yf)X zu_pN4Y{!~RX|`icyWIC~$J(cI*s*5)K;JdMK|g1!hekS3CCR( zcP!#tQoK(%;W(~$^kugr0^aWvjyk?7w@yu%)6cowT_f3{BHWK#n2%^%Ebx_hA#VO7=bLdiN?(8khxt(@jjS+u(6k?DqG6pK#VKobP?Yow``{I$arj zIPO&Eu0L8(SX1zR*ShP*bt7cFPiR!5j8N^nzfbr|(>ou$Pne!X*G=wR+RWXE`Zc2H zeS$>q6TbPKuXDepew{mS1L>+?JR$}J3708OP=~HmW!=s`-#F46@c6(jpRaa)AE)p zH1{KpTnfxc(_TCl)wt2!lVA?x$Df@WE35EqIPQ3U-**Z(@lGMMTw6t#dT3^hrmt$e z7!6dP0emjD6*Ri2eA2y17nchu54j_}?O~YHji!F6SXaDoJL_?-ZO^&&5oTiyA-ZzL z7mcP{nDrtaS0oNK6+ioG=oLS52oGVW!r9W*?OIhb!hWL>H5$T*)TMxFG*#+;awnu> z6J6FXV2#&!xVu&=hF}9~U)MUSsQyeZHRu|5?xdzUW0ts?FY)Pdg%o&hu=29+p-nfJ z`c7Obft5K&x`{fc9yVgBr+D?km_+yM_=JO=O=Z+ss>FrD{BxH zUWl+}Na2+TtB*WE5f2wWPw~esDJU7%B3jf9vh5M}Ea{R|;>BvXy861t!-dM(p`7Wu zygq)$owK|+2%Q^&D8=Q^=e%7AJ3If|g^;3f-DS`Fd|`S!EGwOCz9o9u)FW7Y*E@tC zo$2D`oV})vT-VGCcR|oa^(QTV?LttNbK-A_JK#+qM%;eKAB<-WSJ|?vS@Dj5CQ9vT z;&j@0T43k`W3GngM)BMHn>yd|h3~g3Sb3AXvf?^;N(|IXh`WueGD``n#He}584{so zd)9Ra9t;1Jd7iIGhN}Ac8P~A4MCuX4w<69v)!Wlg_x-)-4N^>uhV7CDg+BE&JhXQ1^OX>sS2PP*X;>y z8x07lmG_9gdv;0!qniEQRhNxdger`RqRp7*qxM;UQ=92xvJ?@`X*jrDJGHd>(TH}E zbd9K{!{J zm|wYcM$AG$4VIpY``+KCs@p}u9nKkVC=%8XnN8?RSkqSCcyh4x_23OpQ_{C#v#5jN zdZ@5nzhFC`KmU`3vs59eK%l%3aM3=8;}u7BrxJbnlHU<_X%h~U*lQ$yfR19ZiOY$`1gmLI zSH-)mJ4fsR%4$`aRL$_IS;CfYc%Ja6@1=*MBAU&`4e;h*%B(6UR7l-74n`+>=C=;3EXC^22u%pYd48YLCYaxubq( zcRx|r>aurnIl??xm=;$R5jvGica(XZ6rOlOuajQK3e0nkLIW`xp@qUiEvqAZzw0gV zdMQwE3}htd303w*lyT~8IhD(=V&g%8lTc&|_wz8}?}JDP5Ne=M6?ccm4y|10;r=ao}=<=v~N zHvHuKUh)1YSG;opJR~f9;oA}y$G3k_;f4vTgK%NO>g0E`39Bci*@V^Sa><01_r9E$ z&iwtJD(qJ|OjrZ{&U9z~!T|i;+da(pwYJ}8)&P(ndt+odVLGNPfL`40K0)|5+HQbQ zlz@q9(qBX!^)0S<|KILcrkAVIV#ZzN4Og}^DHmk7U)c#FknzeMQQ2f9_K|qy0I8x2 zr6SP4CL)zb3~sn`lvH7A%aJqunYd-$^g6y@{Av9nU&|M_Ol4;#ZrPBcH|v+8+iv{t zuA;_W)%SL-ocZGX$uASyRXuZKwQX{epWArle%I}#dL|3@mvY?C(so5Oxk#s!#Z=1p_8B@>Bnn%o5+xR|8l|^lN#qG3-nDyB0&$NE zAcawY#m>2b&EF)k!Ht#FuPDImbb*yvqFHyZ(aS457(%?cI2GAsW*HVG(#zLqR6N4B zv8YrHePR#pGK+Bi*+WNA*e{q(6y?02iF*kp#6}oUO^?PnjAFG&6c-R4Cv*N? zlQ5_$lXljkCXqu~HV!7yg#Zf-Z-|sjx0N?O2xES3)phW<2?;cz;>%t=DY>NTF4)Q= zxi@uB`1j#tqtrr3-g4;;ziBjBIx)EMox#%Scx~u4-Y8@h!4p%EQ;~*3VGk-{4RU?~ zkM3AQ94tK=*02XD$aBjOqzWQr_PBz*VGY}z?5?a@(~;gD=~XIJeh(Gt9=c}Bm|ru| zUCqJM$vfh*H`QO|_MFnQn(GpZ6_&99=ajuf(s9&q?n8$)rMcF|!(*c=D%s>78Q7EI$YLSz&pwoqJxt1%?aO6Gi9d9*MoHPD1Bj@61+zO%|*V)WxGWbUzbTe)&K zi0<2&3$jaOD4H50BP=0gSvPH3^ppwd-Fjj_eh%J4D}Drp-wK82CCDi$4HDoLeNOWH(AJ79}mwc~%(Ts%A%EFxv4PB(cH+ z=XHw{&SS+eub_?jJ-;T~mefvUMom{=QP9M1M#Lm!HjEukwzVYankGmZFsR>9<1LY&l!jO;?O4oa`WEm1XjIiu77Y#gODug- zy%wa0(`fh&DAy|1TVBN8Y({jB!GFoTCt8lMsVc$N|7rqvWB z2V4yYb@hdEXCrJWD=4{KdQ7Z^N4j4d+<1()aAXal(kG}C?PWesdZ^z7(%6QatLXH~ z;UJWX9E(JCJ4I@i0@OYk`XpZ3Je_zOUfxdOm2pH(Pc)>gfl=54l}y)tL`eiiI8N`I z_PAUu2tY38rWOXopgg-&R8=J5niFFl2#=|OWbSf3=e1DPpZ3X13&Jf|Vpgzdb7E8v zflO-VA@M`T0A74kbIq)PX>Y9J?Sh=#2b^2mFwNY+Sv_rFil#}_NUNxXnouqM04P0=VkDCUO@DmAPFMn>bUVSeDT3tY||2wDdommyY=ja@UVU zzz!7rVnK_Zxl?_8)2ykVt^Tf9qeL-Gm<>c?QK-dc428ugsoP=?)1;cp=uK$(b@GH` zY-&<}6Dc-CkhHL_($D{o9y`qpI=gCTSPRydYriE%Z? zpTd%ux&!ZHPWb(_TBuT;Uf^ogGl1>-g;FOYZ~d{+^hR6R&zeEVi!95pspp+q#EomL zvBI^6(2*X@R9Mp~rlaXqc%PahJj<5{4F@;AJctZZJOx(n`j+?+j3Cz*89d6mvl==; z0R_efOK(d*g+JT}B(F-*H%k!JitJ4wP_Kr(&ISl;o)s3;5~*imCLN7OMC;r^Gf(~j z@+6sq!E5dlUJ!cBVmD=)EN<-i1ak9fjo zl3^_O>JC{Gx(8F>G1tAZKqD=eWQkR}Rb<#_=vZ~2e$Y&46jXBzqR)9q7Ijb)M6|bc zVETFv84T}nQLxe!tjRMb7cVAmZ)~m0w$1!`k&8k;NJ*jpw+X>6Y|%A;XHr zYFuXPX;p$6UCfepbuNPEVe}+sUe3T3^tf~+}M_pxM0mH`bD#FrC`n;-UU>2BL z+1w!CMB|WQVc04xbHP!u)TuYhsNUsz0M&1nE@2>hPCy)TBS8`HF z=?stgU67iXP*Ze9#uwQHg{xv(vuXlaUKX$neNT$dfHGu}L0FcT-Ux>Fn$@WGsLZCZ ztnI&fNY<}MvTzdc1*2j0!ocr$4fE2`Fpi}$?x8uxOAyJXlXroYNX7gtpcjT`gx!lF zei&`|;=$8)^X_$j%FoJN_2k7Za|>@}ZC{(q{`taqHgzH3VwgQzI5z3o_9@mqMt14C ziTBPF)*`mS^UCu%NlBP^b?FOLwSlckZ4ocFl1&|q#rVage;nyD81YOwk1H-+N)(oz zGi`tJZ~HZj5a5$bKk(J}&g7N1t^ml({}l7l?y5|dqm*j znwevYk?q<{xyPyJ8h~mojojg4rP+#7LI|;&0W~zM1{qP)RlR{ZjsKBG5#gnBwebB; zK31L1SIBGU_*jVp;VQJ?1q1UuymSGsTduGyJgkKyaevl?T3(rx3x>#Fu)?>HDB<3# z9Ic9XoRMy%zIM_V8+*W+)vQyKtLd~z%Fs!hCd;V0L$@aVUC1j>$1CquH(Su(V!85o zh<7Gj%w&RuIyGt@RThRs`dVPbNv$4FQ14&`whKQ{&~z*V$ol&S&Iag}`{d1jghdpa3se7rZ#R zIeAx9y5-BO3{C7)S?DaJt?Rl66#K?P`t>JWqUFv!! z;evIrLYRSSgz=9kcJ#YBTrIi%c>0{WCn9WqNqE$4+2@MM5c~DaB&~H^iRX%qOPchm zDk>~X#}(tMK&eTiJ6u1rl*XoNU7UozFh&+SRxpAI=buUPt|d)dpdzaW5F|uISx$;1 zG9w$YD&)*tuRuCVk0`5ZA)|0l6QGP^u62}vYiDzE@WR&7sm`c)|?4Xt5l3hG!fATjB3Qvk{7d31J(V%|R@Y!TC`Es@%; zFGD%%a2mBxt>8zu1gT;U-q0Py(`q&)gA1!$^A@j+%OOjfRT#M#N;)D;qIh1p7Z(u$ z*XO~2jnK33Cn9!Upwj3B*+VQHP{t;zMapJ8YVwvs*h@mADior-cPv9l@U9*y#udUZ zU@aCAvHy7mBMTia|6QSg=3Pj5RH4Bg@KB(4Tq_P5TIH+~WmGf++ZXj8@KeI%L%1QCX)(f@JB61btl3i7vsF4?-uMvaoi`Be z-V^sR;>r*uty5TOhYfuRcerY{1tYBfE8YF)X=>T8zZLfDXR$(kTQzFj#6FIwFkwxM z!iOU49ui(5JXm@n*vm^4e^>0KPuU^)R%J(#9Z!qhz#JmG9TDQT^)CFT0A)s%`?j@Q`HOgtu2Kkt@7wBU_H77jmQ5hB~;+ZkWgT+$di616j3(*ncjTT`78B+f9 zc~Hp&B_ziIf%;7zyzkC$^h(GGUx+0ybBGd0t#=hP94ZIBoTV+tt|BJkRJLae<{(up z{9IHF`RCo7!5>moB0@o|RP~5PB?4unT3WENtFHj-^{j3uf-z7ZC4vOh6IG(&GNrP< z+Fo0T1Q0KFpyU^=j2$jOYqx}e(9q*LZ3C+*_aVc!-L57fz8G1k;6SQ?YV*oV%6lY0 z5Dw>iq&;Z>8uGwWq>m_FgKLgaa|;rBG~B93y%L1gBHuSG3}`~+%yy)~I=~>AZ4!dB zYE#ggJ}L;&9@3X|4|@=~4bTrEBs>Jo;5za7L=K?y^^!5{uvF-lH>H&ZUDI6>?W)Go znZb?E=A}19yO7B{$rA!)#?9_c&NW!JG(d&pR7TkSfezKby!2R5*&`IcH4IE(w_G)Q zM4QtZ1p+9t8h&+0F_sXL&931&^^m-`Zi=>Xb5$-D`gSE*BDkE5skDM?%z&v! zv_hRhI=G|@;>E+r|7231?#%AI3_o)Eaul}1};Bac3v8x<%OR$8s}q-*L5vy#Gx z90n=M7+p5r59c@v=U5i!fLP^p1spA|grOFZz)AYWNk*ZonQ(`)x7AJ7orwLeW}xk? zs`O>a)rD9F`*9y(M;bnf5*p6D^l%d+dQ*(XqazXqba9pe)wS%pk~kvzo>d~9fVHr- zp-z?_3%V9ddQBdrRpo*6)bypBtWX6~JG)2dkgP%&Ejl6|wz9K3BOVPw^(;g^ z!pL&z-on_@Fcl>Y>ph!!MxqhfjAWKFo+0uW?=$>^6A+Ja6 zf*_1}GBP3bzJ72ed*|-ix{!WH#0a!VNU|| zmMbQ1xm>2GmbO3riO0{JIrZ`1_+;B9yOq*1y&M0Zr#G$2vz|O{mEU{m%o*7O`h^L6 z59zz+{NuI8N)5V-q^fCQaouErCL-*X(cDfpiC^sY3Pvtln{caUtyktHQ0QWLw1KDCuiI#h3OAkS)O;b3M|w3k(0sat6fn&RM{odTnTmZw5u zkb!87`jNKm^5-mG=4R5QAq5P(ecHo^gYzud7oi)3f~uW=;I~P3maHU+3$H(%f7teQ zF$61Yud#>NpePFtY@tZ5V_S*k#JLeu$Sn&S@tv~ZjygV#OM{-hga-LG%%{d!jUf{t z3m44|xUX#J?PMer-{k#+>V@N6-TTL*Z{4Tgh1e#R@JvrU@JTJ2@Wfyal*!kuqQ#jD z=N|+&*wHnz#dzZlU=R_*I6l03gMUON>H0v?_5EqFWV9xu(oTPA%5WJDIwdMH0AY|Z zFYG7A9lGBqT0D}-SEJ+&55Po*3b1np&FR-jxc}e_C==}q7)05IkDVY%ATAzuYY2EO z!eWeCvAxQp38AB5X)Tvl2JtB@t;7m0`|7g%3fQwkq0z5Qs+R^>0pu}6k-^fbII{8x z`CpT;&_@PoTQxVc6FMLuF-7{LN1X70YC)nIP@={}i5jCYcBqo`dj1rgt(^=>b352Q zLFKB)m_^5`5%vra){J~Fjz2YFUrm+RmQrnU{E=jB@`v`)VjtvTJE@GSqA!(C2ptGc z?gPdYnIo-jg|XII6Q&fHQ#k%e`D2Qw)zVs4MORcdLy=ETa6(+ z6cA49%K%P0H4W6+UO!OaCMdL^esL~!ZZ;ZB{Er6Vp9ljMBM2p4uw6DzF*0?xN2#3v zk+XH(5!&8#R5Ru;I+5)+!aFsYcn7g&10$+{4InBsv)&iInAP`h3yVqC6^>>Sa^0^L z8E8aX=VhG?RFk)l0XW;&ht4FOjhdcU{Z%Rx$+dnjzCNeq>oY1_O(KJ|T*-=>Xz}mo z>%)1|b9{Zix!TtU%|sj9G;~0nCUBOo&x`-DeSOe^LMLHrVK2!F6HY&@xtdNQJ;|ta zo^%+~NKA88)5K={fc9-B1T&c}EfUtmXj;3aYbp1!h?iEP}-gx z?0QEwq5)a?Wz;q3V56^{kpEyc}VT z#%c$mcWssyn_{IZ?4gA%=X#`CaWfy%Q&sdz!6DyTsjg`bsr=B7~$t?)MYA0({N$1X1d;HY>g!0P%aQWHVaP65@ z+c2#Gec5`OFv!WMRTxkjK0&d;L;jY4IT0`ug54urgX}mZdkg08*FN+c_yiqqJ`s0! zR`(5BsGDt0=3Ogw%gx)lcAS!-=4>mCD^J!L_5(Fg(1X~q#3~`+;MBUU8q8(?-f)q$ zArB~sDr_2@+VoM0-7Nwbv|dzM8WSOvr?z}h-X@*=miE!AJP<^W@=#|@@s)$-Z{&rf zum!8!-@fO?ybT7q<&)X2V~^*(&&f2TO1aS>?_JJ0O56*+LoFVulX>qWdFfQ%d#frL zaK&J+zj$+~(#jdT4UxTawEE)3Ek_sLe&bQRn~rKshMn`Kv`qZ-rSW{~rDLFHf!JHn7kpfqdPMF0V72|RG?!1U`{}%d zdnvMu#~TykP2EPy(kU^NK4LSbJ&k;!fTocbc&o;D?)0a=^!%AiwEkWGIk8YyZkEEK zK;O?zZTc^AE_#`J@zdGVrr*lGT9@pmcAVifu=WR~non)!Io-`)$bf*e+=}VCH{%MR zuDi0zyII#g+1$%S&9hTe?z%JUy7Q{3t(P(}kE>sr7|p?~zP%?fJtD#9y|-UAwSi3* zwzVA3h7LL(qjL2WgHJccJVM+S5kU#L|IY!?A?|9}(s$(9kEuj|-h4 zOeg(jj_-Gnv2Zg)d!ZuPXjqy1Xe{<#M_plI%PiEFDjn0nYte9*k(gH7G7&8hwsxo0 zMmh)5*EyCK;gS~H&}M2;Yg%uU92UkTY8rD}#9C_6a-{lO`Pu+Q>~VFVbCn=+txPYg z?Jv=o+EoReMYVL{nxthRJF1z&!o=_A8+t|(m&1&abSwqhrOTv)j0+eqYODOqxccJ# zY?)iwYzRbQnb-6wtc9>#dR;6jj#?L#D!7ne7;& zFFUu%kO||FA(Q3r!4G9!M{N*G(;^c?kL%c5H*$E8!`7m7PcY%C>x|JN?9of^AQP%0 z?e_ksILkPy=8A&~c=7HHiKQ@SB31_%a9^yf_|mR0CxY9;awf$52Bh@3H7hm9orv^q zCxqs7mQf5`3=2}mKxyMh=+c_Ef((V!;&kM?1A^ytg6s2a(OM$MV$H-%2HxR-1oGHu zR<~vP8m}aT$-GzCG7mQnGE(qt`8wGk8n(=vVi8{~bQ)8LShV=El?;H3-E%taX_oEI zOr?-}g#^y)*a@M68QgNtePfJfzby<+)=V*zCTph4n*N78PG(GtUYe=Pg$re9yXZA> z!BF&pN^-V2k~vhn2CK()G6D_VYiPAa(|E#E4A4;Ydsf_TeS-l|fR!Cx}y;hDKpiOld`<-$&GW4V&#M59~%Ftg-_NOh!dj zeF@hhY<5C;ObwKlRdJ8Xf43uzHRW_A=U6tiMw$~qw1kX688cBj?z9%)2|Le+H<&0#^PvRp_OKwNu?Xi4K)W9Qffw!^kT zI#k)Zantx&ST3OC5CZbjJ(5#B&bAid3n3RZCvbs^t);izu;VkH?ZRM%MY zj}bgQ3Xj^ziPxYDoGkz>d6;53r4jQ}K@Tw3XtM@lb%o}-`(pHG^{qR5e6L3u>6Ord zs$tSh?6tD$oNeaB1_KK`7UNz&(x}Z1RB&k0-eaig+H^dm+1EPDw=6@%eXQ(nL6vXn zxKpRLJxqXP5w4vpeiS?>>^ATqbyY@(Sy#!CMlOZ9yUa-=izD7k!IMqqfDsvAlVLy& z9iTv%Id9cMjx%~}e#ig~*^6pL_9hU*=5mC^4wSBWR=VdMQcvptcR$jovZ8pY{L`+> zY@#q?#+G;8hzVN|>a2DdUB@1$8IgHXAs4`?8FDT1BSHEmf>`9m8v2daNiH=y2X0ej z*hM5iIsZCX1$+1=W--TtnCtY9YaZqi7mD3Sn=gIuXO#0uvBroQ6#m}G2UZAz?E8gL zqoUqER|SF4q-E%Y;zZQIFGyT&IA}qdmV(NmXPYYz#t|0ifzpArES7{RT-eqMgXI3R z4lp)Ti-ZKNoyFqaAavTyEANFI?s=nP&Aqc)I#2vD@k=>?(JLd5jh67K!YK@+1m)0Z zd=_W%EF!MSyw@6bKqE>pm4@-MRcIr+bQE2NU3ge9yaG;~VqA`CThaIL3WZq48evUY z#!Ddau!9l%y=*p%1V$e1gqg>{ptox$##z-Z6MkVPbgX)%3ep#kF^8$Zry1MJT}XHD z$=)~=u3$`kV;2DaaDZy12pkf`gf%l(3>0n{F0-yTZMaO5hcX^f2DnBGEmC8#dw|89 z2yvW6WnkqWHAskj>NXbC9&xD-rHn+%yi*F>W8t*Q3Klh~bGAj=75pUH#p^b(7T#j2 zYe}s!YYVRH`rtnTR0Ef9Jeim7ty?1LjcySGfX8Md`4P)@$w@V)50jAsPiE&cU^c9mh1s-W z2ko+WC7W7?42b?TpsK=9E2PZ`+wV@6&B4m;Ixx6S2L|h>8sB)t=NhNho$ZGvtDWem z`EVm$Xm&=M{dZ^1oc!}g&YVg2P*uhWXJ5MQ2p4Jn(`}#M_G{a|u

?be2~n(m|8 z_RIeSapg5UXusC!5qU~@)iUwHi~sn_OS*r4!^Gs3m*m`IiXm&)ZLR-w+ZRqMxlzY2 zZTppNzr5|2wq5g2vM+rz6DrE6#w@k9U)0wAx%Rf+g!OH`d%Yk{>^Bjt{PFJY8^}cq z1C!~eI(R_Si#=6zVmO58D~g28E%22Fxadq9F4h1WYlv&n$V_coFUIV}sa2rBXKT*9 z^&?qjr$`VRA_dt%km^!%L2Z zt1N07;+x~u($A9i1}5)cuxp&NnA^~p#z|H6Wt9y&ghfsE<~B<$wm-s6pOYOu)Z`2F zgZYd7sSk-BSP5BWus5Z{e_nB_k;4pAteRL$XqG2A3X$YV3CP+rt6H`!Il)8YT@ujFB%(X{pzS3huvhKyPq@_=XGpr#I|@)E@vkXa4i;hMoNcLREuLp`Rdv{ z-vX|*&8FCC$Fin)EgIP1Ok3BD}0`>3OY8nXa(Jvj?$``y1k5#4D^h$F=p1scSQQ z3vS!I2d=?Wc-Gb2(b)d(;yV0dMZ}<@`5^2eM2tP6?1bm_CA<(}&nRKdaJlqEY-OGP zkYwl;=e?eDNd!E>Xy2M}g?scREQC?mXcTJyVCl8EcH}8D_glr(@40$v6SCo^U&%0e zV;zzy9@9J`gY5LB6WH-Ik|20zR=HkU6K+Yt=|2P{V&C2mOk6ITV!d1X%{$%|qZRvW zVzh0SY;S2<#UJ;HDZvjU{5A2%F$Lj|6MW&13W`7eDc|6a`nkRB=Bw7V-F(G`{P_Kg z`17k5^RKn-=HFUR;CH@{KmYj$`SZ^<@#nWbM$`{wbI)%m&po%Uy#959n+a}8KYy5? zo72x9;b(XHdC9KlZy>ZKg}$GkZRNRdTwGrNElU3Y!H=e&ALZvI>1PK&e=Pm{L4N)u zKg)B^UWgFOcwUgNe-c=(*pSUV`=QLgfAvGz+;iWbtv?Nj|DZhg{14~r-yqBH(9koV zD9=6JnXi9n`<@REuD_E`w&RN3Q(k|RDmHH0^}@yFxfl8d*T2m;e3-s|B%6EYQ`y|p zKTfWXXLB!njOsp2?caCR)OG*5C13w~w*K90{jqHQJ=yvPIdh)PoxBL4!Yui`BH-|B}ede-n zeCD#pE_*2@3qwCs1cc8iS_GqCh1u})Ql$}6m{_f2!~WtAqbpC@UTs#Wyk_5SuQ%?r%x{bTb)y;L* zSL?I&o^rOF)0ATffwAQe83M?B7=wcmB!Gl$Fc6H4Yjl49`+1&s-WkcH$vNGeUf1Em zn)iLaKko1Qex7$&<1u7!=N_Jdlyhzd>UUPT_Q9xSFxyTuE+J}vGgq9<6Gzql8c39F zpUAaOa@uwR3dMIsHu^p-iqF581A4`)fI{ufZ2Eq6cLa z`N*owvsPx@vT0i!1|^M*7cJwkuUFPgxVnz)CMBt13SmpQv$dDJd=Z;~;|Tfor?M@3 z^6l^B+uzp47)RL_+`Tw~Q|9hv2^w;9-%+@m5; zxbtj11};2JY=3Elmrw`5^f)kUhBWgsrK7p~I2)nu)*HdZXP9B0=j`15M*J#jxnMRL zSae!$?&K9o``NrD6o*Y5$uZx}JX)Y0ytv|I6JN>~A4I6YBCptHxF^gv#MEQ*qiu;C z`GHxTCf{H{=yZ|4D@n(-H+!+wGJ~4vxoU5=Uv}JngUXGG$cI#cM_O1jm6>XK)JEsT z9eA!cv-kSuR=Z}rN6&a8Es1GVOyb?X?9x!y+Fk2YSK2Sa4p3QOs!vc7lgtP`P&-pxjiHa81CxI;~kVE21kQ9c{2SML|#UGtGPZS&)O z*c!gwX&}7US-ym$)LUMQmKy%7%!S$}2_4!txg^le zDOn2@dHq9emR3u&M}T0bWUWn%XG)(j8{Ys<17+N08Bkt@QZ_4jKKG+}32FaX+!K8) zJ230BQEEH)e`dEI{xk$8SA4;O6i{9~P-a`65j!!kbKlC?stH0r2nUhMFb~un6JSR19Ctu*ek-(KWw*j zJjp-Y_I!DU(2rVh$F_yGqyadCo53n*bim#{0MW1kR2-<^t$C5^0GBqr?Cbn)%|2Hf z6;L0KLck2jmSs>)gxz(1n_t1*PoIMzAemTM#P{QPPktX>~N+CIqRUq86SjT z6Z6!v;w7B#+V-K$t9{QaEfvZNN}6Db=4FlH3IxZ4bI}!mLy#69rYFFG`#elP@r=W* z=2F!&NY)^X*7f@C)>?PYFze25TOXF|$|5l9e5lRw<%-!a%QXtXwy2*dL6>SIFn`#; zcj%Y=4gP(jf7b%5ye+s z5?{mURc%B&5devLT?Q5ApY>{I%fsC6DjK1YM5`XTKy70h5nb>QdzT(zDUn**P)WB( z(jgL5K@2iISPab54C!2aX~`NMyufnJ5_}CCF|g>oY;i2BFNffwGQMRj6@oxx%b+CU zzB2LCLw68C;Cx6x$L!W7vdt554SMcC>v@LxR;6B$ZR0N<%@+^li{nruW1?jfR(K}B zp7j}m!v_n8voByI0Rgas|44TPG)HLa1cPb-Jgp=sWXD;_YyC!K3FeMzd8vrGYCJCe z-gIhPn;DCU)%4+(f?SN0?s9{drNwK6f~|U~>X>UeKB|>U9g4N}Tnm9T*T}$&@Tez@ z2-uS;1(f)6I!|(R`UP$ET|i|vb;Nt5;A;c3VF9x~2NThf%JnK(!5cs5_=sIR(3Nj_ zF^6o5xQ#DcI0G@iMRuc3Eo)=% z^Oh8Z7Xuv7Aje&W!9BBTH(){}(V(`zjh&7L=3HW%PX%ESwFDvN)#W-XW`nSVhZif< zaK!AjchEhryD)am1%7&w$&W@68*D5B(^0t;uwv1nJ8^;G$ogp#eKjYs!v8cH;v2{z zvK2{wkG(#x(*S}GZVJvdzTjXZmU40}2jsydPM}kP1drlgl*Px^fjzW!ajA`o32qTIpw&Mi)QG>OJ)uCo1O-f^48^8;WvzQx(6FB<3E`0$7Y=nj&o8^m-WHFp%xwwlf@bq7r&3iPa zBXhY!02V@LQEFIgZ5YlR(C&a23M!1>m0F<1Rw*U9A|1NZ955-Pbl!3%=PluSfLH}4Y(bGB zgffvgu4WmxmqKdAnpmD%lnHbQUTqL6(LtzwMN-2`o~_6h@jYTo6&h_+cMQY$hop71 zBXM(;oosrkJ`b9C#22ty6HUxX|>j;iHA*0`Wu)Jc05Y(%Yk-t&D z33X_-jo1Ygn=JHzq1WUYby3TNq?u9m0w*}iuOgZ@Yf!wm@taQ_$TuEWs%<%`&B}#4 zVNoWODXSo-*K_U)1=N!5$RgJ0QuRu4TQ53U>)$u%mv_xv`4PWF4@ZpvrMrhgkqt;l zlG(ReVQ0-17cv}z)^z)uRKM#rC}$Veip^JZlpN8VQhfXngWZ_K6mIx=i)IOE_RT^~ znyh&=U>V0TUSA{9DOf-@YOsbjIYr#mC@){6Udc8-NNbNdQZ|by!`WBp&QQ>besT%U z2Q~5d@A|d=TCf)TkU$+;aOR#UHW0x*+oHbhKa4)%Su-UTXq=Fa%{Hm+$`byovXZi? z-MLR7X62ZghOMGPC)4E0){s&utyD8STp0&C!(hafSOn5==gjKNu6i3zD|3Jbn#3pL zfuzO)5}d5VKo%ZnQj$D4Id1=6^#n}-?2wXb!gkdF$T~1P!Cs9JED%$Kj60>kX))nS zzY$T2HuZ|W%H^oT#udFx*MJn}8?(tA7UGs*!WZ3vOn2O+q z5C)RM*LkMSOVKAVsT%!M=obhzqO}AA9G-Z+6W7-E@lQJj9GiV}Ek|WRm{9-7U|Kt| zw#LULvUN*jTbWCp%r!nArJjr$k(&d=kDZkh<9REW+M8>{*5=#^=`9b!a$nEuguaAR zShQF>@jlC(Z@eK&J)Uix(8t3#N&rwEp!}N}d%aGecF3@S`caU}TfPRKqC5bK5~L4o zMFX=X>s%M5U{fhB;)w=Zl3&mWiL3F1S_$E* zpUqk^FX5C`!XQ|UJY_2uDJ)JhNaaZDKz>r@# zF5p}vCy`Ik(Bt?3bO7QNKB${(d>hv@OK`}71hyI;_$WvWqE=PMCYI?c)Q_Tb5UbN$p3|{Rvo#Pog(R5OvU6%gExVAYT+2{i zpHFe3!}KiL+c_4PijUe;R`(VnFl%vs)vgPI@DM;Ppb+vPB1H{Of;ekI9GI@%xkRw< zu*uzwU|8+0dOU%OB9Cfegd8ln=j8?#B~X!eBO&(yx#f*+FI+ z7QrBZY6z!3M4QCBY#aSM>Ak8(4Tzq5fhM8_%3--Q$J*1fRS`u2Oi}PGEI^h9IVw$R z3o)ta#gc=o0}+f1*tXG>woQQu5&Q;&)w#kh-XghRYk*p!W;*AINH{T>yd zn%heXH9{6Drvt=_)Vsk-0z`&4t9^ZwNeB&NE6rUd>5G_g0G0YCpLO_>!=b19+(CQe zC^B06n=QS>8kQMbog2YySSqMwetGNqs7=j5C2YpJk+Mmt=89N2;!6qCgHL}`90j&i zgF*gne zczD-_8K=r3Dv>T2l5{uU$~n8A80|*?u6gKP^U9`1?a?~+W>ekf#%<32w$?!>tKRNo zWBna+bYqJ|H(fMihxUcu^|{p3{pYP~nxVBEEwdbbTB ze>3TPC)V5XpEBbelB;%6RH0kSG_2akn>k_u21(iK3!u$4384aVM~0_{O%Bk_ zmUO@dB3p=1+1YktGGg;7N<9S+8AU8O$Ba%up+ztVmd3*h7%rQ#*L*tIws?X4yB@E%v~KqK8fxyGEp8Uz6YjR<5a|?Z;!Y7Q z*V9kv2|;#DglMDH@X9amT3_|3^;Ui_ElVUvrhGozSeD>MBj~|Hpf$4#hX|x6VR>to zf3HbT-FjN70;AT1CmX3fiix<3*0YVMBQA7AU+Iln%+f_&WiF`^Rc>lotI?a?d z-=_Y+OJ?QO&ZyFTnjwp4)r#5BVcW{21zY?Mp0ICi*GsgMCgbz}>tBm}BvGboz5!(fxyH`#1ZfXv*nR;7h;HX=(}t!^am`64Uz-YpFVG`LH( zB@-b+IsYkZfwdp?8I`(-csb5|*P;}b;A_64;^`-J7k-DUg6 zS(W=<@)(;SO+sZk`wS|mw?M;(%-ZhpE>O_BkdMzL=usn(b^>wA$x=}X;pC!x(H8^| z0-%fr=?Oyw{b;VdMA$C8L*Zc*ALOIugflUKvN|G;!Pbw0#2;)iCaX;Cj!Jfzh{adl zyoc#Ui`cYXfWB#0bRMcp0@6~2X9^JFuu?e ztBmTUeJ|g0{>$yKvvoTayjd09*{c#&@tuxV5GZ$@@ZG+Kkz2Ln0*r%aJIpS97VMq} zcF+5AZq?ok(B;om{8(F5`eK8b-Ap%-z9_%dh$x9RTtEt>BGV%vNLS+>NCwU+0I5|absT4(}uVO;;eqP}}mItRknfXjX-x7tC1Daz2K)OL z98Nq~b;`diKGW<^-Y;V=2Y* zy_jp{xECLBu-nuX+`~;6d~M5)-0bCbdp^Y-#TK@sL%rKAqQC(31h0E!=rlQA=j6(G zOQnkHY7j-;u&~?{f~7I_5QN&@PJw||L5*Fw7>SjemGxm{9e&$bciY`=y+;NB_HHC= zr7aW+^G<9o`Ic9*f*xZQlHn-l*MprX8^DkXmmv}ngN4?grFXlVV{EzvkMTdwNPxd# zYrxB66lFhO)kz0su=~UnJ(h17l_=m~(KRj0rXa)YjRXIpyFUN}8>IRG9HV)n+-BvL1S2;2$HdFoc= zi}-y$H5@fQ1VjuP11#HZTA&3c##vWZVl(V&L1Trv)El`L?4MraX&E(y5@&}VZ02_g z1C%%=sdl4&z3H4|j-%IpPVe5$O?$meU4TW;87cFKhFvBAg${Vip_J@sS%BYHV@b@BaztXO@~OrmI{PI z8iy^$13&`6HaSg;dJ>dmeuD}+{^^~AWX)HWQUP!8+aq;CO=9VUywNT&?Q9H?ON;WR zj-eD2^_&>dn2>ReK}pS?bPf6U7!m2oQ~V~6h`d|RWt&7GmsB+LYO~P=WAM=&Up9}D zf~|vbP~&BBm2OR8$T!qsgDe1!9(gNf8_8yjU%X?r$7?3)9peDR2AZ&1TUvXqHHjB! z*)~+gw-|cbu)F;LyX+UFg;_X%9J0$x5~w5PK)$sH747%F*wa?$^R>6iA5o7fj_f~< z-V0s7x8m~Vu4%v9p!sGi@7%`~gP!Lshz8nN>H7=#C0I7!2ou@l?FxuP`P4HCYyl^S zA-#`@aA*z^Y;8`w+cNRqOnR`$D_@(E{QhUu0@RhoYs^j8AOekhH+Ub_tUNhU zzN0+_B;rJjP6R3T>_+m*T1hIn8zj8*)SxGmUhoSdy;KJ!KN%Sdn3u_ld6?fkhi3$Y zXh8*h)cN1`U;|JXe_5jg!-wqGovM@JZDpOY9Dq+hq^x9qp<~qO9p%HXdG(Lj2_f)aeq#0!9k0%~`H3Xxyzk;l*Ms=BxN{ zzJ=S}UQ(oC@geW^ejOE$(;~-njkudlfPy_fMB?6D>T#qI-sFpZi0wuixe#e&H*Rdj zddcg?8nwKdFFs_JrxpS--(T)wXqss-UUxCrOy1bAS&PT|Z{-)RfcXRo z+RKATeYW1D`x~B&)HpKl5Zd~}5e4;PcePtWI47;DSwlBchqQ{m*|(J8$bG-VVGS6S z*%|>!Lgdk~B_MM7FcUHwtaXaZ^5?DGNPW=zKq9?%(_zpF?e-=P%nTH=_oWq}LTNKN zLy$7ycAy(X76)2Xv{DuGxhSMTw6UFT)on1pEAJKS%Uw2Q;NDV)txmu5XlN*wTE}!u z@#2;!WEJZN==H{8k4YwfV~q)eU8w>_#jSu@h~Nq~N{kY=M9^DN%}BeMN6DYWCDO6ZnoJ+kRf~@JFapfBy z_JKe*A$p~Dc$bge%cej~8r2f2(GhFRo$%7TEmO>-*kmqTl-kD-Wx(B|I9TjIIA#Ua zUZoUI*rZqgeFL3 zCXJ|1Vi_$Y7`<36utD1+L%!LIv#B@okU3&1vRoC(4U=-Ir%p!2M<{^=$31C)%gP9q zF_NUR+eLEDfk>-kf%FN9pf(_Y*O6T#sv|KlcR(*p?T{sb<{K%@Daj73o#0aCwXdTLz&l+q$iVL;vEwIV;-3M<}0ju;35It$UB`yf{` zr>r$m1nI{gvXKV9kGY{`Ff@?NX%NPIz%u6I?6P9mDnWw@K0-xeDqKZam1#=6Juj|o zn+UMkqzHdic$zuufRQ6rVhU#sJ@`V|=S!jvP|~c=o&Y@t7!Ym@63a1qqz2{MD6>jF zd>b#kgq5vIalnP|K`a8J2Mj>U2=FPr^O)2dM!<)gTAs?M_U9TO$#Ro}R7dx{T#or2 z(#P@~rKjYZXQA0djYH%gzzI1E8owwqpgG};6~MvM#zJ(hIpV`p@~O1Id51-)F*h$J z82^|Zb`xkCuna8vMt0RWpcRN+y;iTod|xc_H1P6-zPV@N+a_HLo5S8HVBa{nEqww~ zq;$%rVzw^7cMi7PTIF?dk08{-X~bm_C&c5V8Q>R!T1{98KeSFVtTho-%)l%tVNhcG z?BUSLGR`W=fP%#3dqRZ1sr^%2v~)cS17WdWIV*8NESJ6_T-$)LQ2`ik)G|#pvr9ye zS;=00`QFsGPt}FC686%KT$L(#|rR ze>zJauEjBvI&9qE?Q?pIK7RUyE`n{`F7U@dfe?V(4hS%LU`X+10Ln~`q>e&7+&Osy zGT(M`CHOa-ZyCmvkZakO$BGze&cM8bCbv}pW!|csSsU0UV}SusM!l*O2n(x=fr{Zg znQJ+ekQS5s9i8u>60ZPz7o;j=X zNzJ@IMTuvXV$vuKN*wtxC?VSR4T*)Y1b^JnXbCK=OpR&)u>nCeu)0feFhf624Y|gX zc?C`Fl8q1Y0VR0&tbB1to_iYz32Qv&Wk_Iv+ZSXJ#nOQQ832Q8ArJ&>03)9|ki+|I zVSYr$ds;$>xC0E#OfnxkPBbv@SS?iikxb#XCx&JTsHh?zKn>zNdj?cI<;Vxy5;%;f zm;-Yz0xUe@Cpir;CHs=a7VvB}ZJ}Wbw#EVrG5`wzPf!duFtC7BkeCDugie8lwc>IA zX9Ww%M*?RV9R(I9H3hH$Tk#CV!cneex4exSt&{j69x+&CQ-H-gMm!`bED+srVBrE3 zPYD*N7alBtSp$nF3@n`bnBMXtbYZ8#1gyYxNMM41SHZ;IsPQ?`cSkH9Ju3%mGnkn0 z#9|J_g1Z1LIMqIs^`_%5z(g4+&jD>5wl@*Rg=NYqBHkZ}1@z|2(W=(~3mAck&<-pN z$qY;av2ct*W^t)DtG1(B+UAzEs%)-SS1d*9rQ-)luy8yJX$pjZC_w!ORmnlbqytK` zmCKn^O(@VBV8V3IumdB(`45=VO09NDs*O59EvRYKg3gUvP=u3YKI|~K^-{Ym#6F9I)W55JqkZn2v%-@f(x0kxT5mGY);X(!sJqsj&ITPBDO1Ke_m(#Ap5)P!XsJpL$Od``X&(ju!!8uWy{ z>vwT2vM?ARXrYy=EijWG(CBU_RBAJo4Ti1kurF(RlV*-1%M5Lmh$HL=F7m}pe^4Rd zlfI2IHhT&+s@TodMpnJ**mHC-ECZq_uaqu@9Zx*f!`_Md`wbKxCxzh2&S4*f_JAv z%Xt8XG!oJh#K>om?h(Lg#KgR>c|Aa;p=JquWgC-II`lqj?+R{|00=>GpRf zER({C=}BqG6a^6qGbj^5VP0)`0tB}(uzoz5w~U8`(98`OimYAN z{nUziKB+bZu$UE)sDOWbZ+Zvvyp7ZoQ*Taz;Ex7*{_%YAm3+%<(WCWLccfzvn~n3e296MN%9Vj%ZJ0$PN(!+!kBV+bi6=-UWwZ2 z+=@=W6cI6p!!9Ezkao!gHWUyIeHQ9oD@X1}~8$O3qv&7;;AA9SHcN5O7)n#%)1$d_|H(w{#O?aZh66 zL3kY{G%Y?9s;}fa5s)+cqVRHXGF`5C%xv*oSK_s*op%H@IS^XoeO0gNlAJr$W< z^_IX1(Q(e_q&t`&(2R@bjzl&vx@Hufom=V2g(EQz{ zuh2kNHnPs*;ux&3a_VWRo*G0&R#uEyq9GU=Is{Ft1x47DWq@crLF|K%#t|HGkp4vC z9)!npsptLaVmLhpKMoF?&E@>{_3?+J4!E zEnWl*c5nmr5shHPnu|pyk11Wgf!@#noy8}RUKT^vI!iWg=2wnF+dAI0rh1=HySy*; z@3y+K$HXyED|{MuIb6Ej&RB@R{AhKWMX$ zQRW36jRr5Z&h|nkLA|t5Tg9}ZL^1oT9QJ~%+a+!|sx9$Y3}2LCrJf=^;ailV$WuMx zNgj8_7zQ2sauh)43C)*;uPA7LDcMTgw+&(P5Plpq^FAkVu-$Mrl3r~Da3sp>Rh|yL zFA%34woJ&LsX_+9^#*V7YG>Mgi*u7%vk^g2tC+l_uwHcZm|@ZZ%MMA+;nAGWlH{ev z3v<{}0hKN+A3neqeb3x>iC572zTvIt0svh3~ixH#4%+6$n<@0VA_U0ZT+G z$5a?Hg{={GN1W))O2T{4lWf0>YMk3iSoE7*5Q{tid5O>G!r4>4MuW&Z0 z@$Voj;OH=RFRqGSxKb8qTV!5P<==_0c-vQQ24){&PRL8Iu$ZM3B7+X z&*4ipqJ{tW5)MwFcILiwDBj8aK)w7rP@8#acGWY$(kvq6W?iKt%tjsqhc|J}^e4CD z#^Kprqkvr=&JLKu&ra;IO`>?<@KooVvMO-y$4j9+Xds0ha2jh{#@ zu@Q^1t07VHiseUiT&czvL`>Z5eClc|JFK%hBed={_tmN(n6}=45x^H?62gIzkigt= z(K=pbSW#i_42U|876IDUp{*>fipT=4vKWdWdcb$g-N4w$>QW8BKu9B|u}$8t;p7x6 zXw9zl^VneXfbebcVoqT02IYpM3w%*^YpKXn2rW*YGT;ZToFoq5za;U)))#N7wnjj$ ztx|l2)>7|UTfJ))^)BA&;w>OYxI$wzF+teL2a1;g=5G>T_ZA%JE`fc^#n=7r!GD|7 zChs;g-ZfKB@1k2psRN!X?*tWwC3hiP*utXh+d{{(N5xnm9>ZtR2`u)`XFP)~PujOh zlEk+|x)%K0xoY$RKfllRO2xE@c`g^n0c~_yJ~)IAM~o$;LoT|7$MExlD7nQ7p&#f8 ze*UhQ!-d-R^gNUW&Hh3Qk_Z z)zPHFvH)GnzZ@09rt0sPH9~D<6ctT>=b8)g1tW(5A7A`l@2LO0BdD zyhf^d_P{)dvSZqy0M0yzbC`=D#jd)u(2p3+CM0c_NuVZmG@zbaDb9%>HI+NbmG_B> zq5g7pSM}`>CNM!pIi!$pLF0a7I(~c?L@RJCJ%V`R$D+-nynEGXZY5}U^^P8qe0!0SG*3wc9M3Ca3S`CcYTTqDserwhkB4sBm7dV|( zr?zF<>KoYXiWH^Uz@G)c8@IP@L@j3BD>8HbLk9S*A-ffAc zQ$GRV9j?}?r6DEM>iGg}W51C#YV6nS)qXc&bhf*&U(HZqSeh{;IomjyOO1F*bPw*v zVF~uABeuZcnJqZ)ZEBhK5gX~gqQ%0al&a0=f>RvCk9~fS)&j= zo)1SnNHQQdTyA!>P9PfNhLdOwL`)I(>%l1y3BaZ_cdG)}kT9A%QPhAOaL={ucgmKj zN*K+ZHx99a8Ne9c+h~sN*1tlU;9HGz^PXVcP%lMsx1TKQ7@Tt2o;lqj@_35bpQ?m$sJ=CAjynk@=uadwV$t z#-Nu5Z4frh&IXmvUcNn0I=ICz%3f~V8+q8cx9sKc%TsZ01dyNCUS7k!v6mlxPwxHG z?B!M5JBEY`_x{=JCw7-&65+FsxQMpr|R@y}p69t^w=J$kW(}WL z%(b(ZdpWOH8wCWyg#i!XKgruo0`mby38%RE8qHpgX?4}`1;)##4asIL-#FSC z4{v7fzme6ic*r+)vNF9SAre{qb#~PW*~@{YSy6V?QS@_2Ld9N=fsQ7<@t$ zmxGjY!but7>Ytdy%jy;D=h{Lz`~ex()Vbt8^mDV9V|VlRazt7kQ!()#WN%iCLx*4q zcrbgppi1`gA9>rFE;YghzE6h;>3)b;?B!_hPl`C~I?L?kPwDP$=p3j22~WE`o8m&y zn(fb~@QYw9e@s?$F7#=6Jkz&3wwH4y$*Jt+WKC-?_wH@u@QR27Lxbqf5}V1~b6qQ< zFLjd->G0|kbfHdE)*M__MsmTGVKC-4o*@9Hu#0aPL>XffB^P}Y`wwuo$@B4kN55q% zu(IMjDr?leh@tyCMgY9IdbP4_L+FiV=ul}@l$*zF%K(%oi5=FJ*>!++W9Ab^a*j%Z z_hxm2zaYSft{O~l@veSIn`%ZR$`Nk_&^eiwY9IzWf@tul;?Iw4mZVzSEB$;nSSo<) z@3Uf*^=f;8L38NPb5zB7p>Oukt_oy8oecSqnQJ=i{?58J--Zgb;ZbLHSl zp8IIIqriE}J&-7&i$!^6UEIQpHfy;=!g z;OI9=RsXItoA83F?tCdKCN`$~INg=_x+;3Vg5U%?LSD?}UyIG<=J+&oImSJ2F2~Sr z*MFD`EQ-zLPuG~sjiW25#mwavvYeBN+~35TTXo2tXcZ3uM0zzU59*$pEwIoeAUMIu zO$Ko0as)TPD9GxBuwRrd9_C)1ik{vTP{Js>v3qo^L3;ysVg|0emPe|&Hn+?;w(W#s zgG8#po}DS2XAlLWmNS@>&WYKhUd%-Shv);K7|bE0A|kNLW<9mZfEF9ftG{R9g(f)j z3ppYss1g+Kqo*{OKb>zmVCPWZkd@7a!99Zk=b$&32dJ=swVS}%6ai~*>2^7tVsIX8 zXuGIB%-Mym=>>!Nk%+G{IeM(%#Cd%F(d17HSi@j`!ri6@H%l7KAI>}=-Mhk$SHO>* zAN`7dM!cG==g_6Voox?{_!)ST4!v^p+592Koq4B7Y&|!iXcN?6Jzs?Nymg8iKPWjB-WtJplp8jVT{+ z(E>a0zh+aMB06XRPFO5jP7rOZi>{nGJu;1)&t$K9#GBI>ea?W~%;$kKgGB~V9Ud4a z{Ckt$fe?X#J055!Rrg(B#0?mzFz5@ZvXVEU2rdlG;|X6cK|-Wd&6lVej9n|{f@m;P zpR=)^gkwdXPFr`FG+#S-OHslwX`&PIsh#>I%3u<*?}|*>rcfaMf`W$ym+nyad#(hEgboHyDE&~m`+yB zmpv=e$tgr&AWuduK3$>Mew`v}5_?@KNta(lzo8&U$((|HjHntt!GO_>Wmyzy&`W(* zG2^+F1)8(|RNxZuFfMew~{zGTS>vRv^kVZ83|i#PviZ9c-?h1b_?KImTLXbZ+x)S3pbl5AD?LpC=U^x<<_l)3A>x zEAbBji_wUU=WG;_6}k`m{Reo=D#E)_69|*(k-TGXfgCu~jNk*o2sR;~tKFU?@}UD5 zxs1O5+ELRgjsWjj*aDX5zLs*^y4iy7{Vm@UlbH+{p z!*pT@!l=%63KHbbhEMz077>IgzyLKU$XEu=PXdFp!Uk}7QK)L*fO>A=z=6*r9vogo zPLf{uEMC z0~_LZVixY3L~K8>@k|~=C_<^D5_(!HdhwoAA~vnXDsO}!qHbm=|9?`KSQjR-`?cSW&SIcYAzMq6!?UC z%Ymrnnd$FF#N58wgnqoG_6zFicK`#F{SsKDU-aW`{Ep5MAg$Xu%5&m!;EKhd>VDuM zBQo3(^GD55=?bDmS? z?~n0?b+U)5VY+lJ&~Q!b2G!@^r9RgZo49tE)&Vc1U3iyKKL?;lSDmeZA#VnvM}=mk zKjb#Y6=4R?Tw1F zTO-f>Ny{U3IjJgAF>JG8loNU%wM$ozdN#aGNq6Z?#vLX{E@#h}CV$K-f+S%bT%%qr zR)UJ)uvta6S`AiEJ3#Jc8zA9Vxz?kSccGJ#xp*4Z(}9QEWHth|z*D}8*5QqXq-nVjR>}Y9Ia&Ph+fn-V3tdScx zTjgM*(}z;rachNi2`(gRLRyx!ZnO{8+O^B$b}i~IU5olCDC4h1h5WnkKOxC_vmu&- zZkRw+NJqu%>!ac=4K>()RTD@nbW9*^`uxtS`@H)Ox8)@dK59bxTg8(P3{zp0e{~Vp zg7-hHhvH!R`f|Flx6BJa8ah9l-H+gvw_f|{Seit4@*yRzNI$oaXWrKwCu97<73n|TclwI-!LwZM zSB6P=V+IMn`1rmz)3;sIn)+5}YvYRaZ7$aCTer79K>2~$)=_!v^!j}pa;=Tu%C(+d z9zA_vwl=%2e#eGuTF<85ITY|k>mMZT9LmkEDL0#PAF3($AB!@6Ez1{o zW{N|Zbt50S@$9Af)G%(i;)Cm6*#Dik|C%$K#Yfk@eCYV0*}2rCIG>>FIp})vt+#Pn zj5Z^&WUvA76s3kUa29)-uuFO~uqZ1stk@)3{q1eUyHZ_4|dBFMk8A;TykS3PqMr~qP zb7%2oKE>Sk;>@UT7o$0ON%56+FMRi^r`8llf91=!XS=g0e9W@xFxefXeSXcM5?@wS zsek|St3vFc2=pAQ?JYeq0zM6=9E6uFtDbhv$%?XS9f+6*F>GgD|5xGyE==Dujwq_ zu(Y^%S>N}{Gy#2u{OHGMLX_?tjt1^*ZGv6}pvnzwXpV3Dsx^x|6Brsi?9q8%E^nJg~cuuiWOX<0?Qpg0>+hmw;juo=SexYAZZD60hpzk}^QG@=kh$Wbcz#jwN1^vXSZ%6YSMSz( z>e5VKKCH)28)@hzo})*M_nO_5I`O(pS1SjUZeW_o0)D75Ohp5@4t&p(wy^nuo^BfH zIK`I4HNW3Mi}&hJu84QsLsSJQoIu?-(GjID9gWr>DZtqXqg1>=fJGyW#kS0z^}<$Q zHO5xqU;Iw)|HpOeV8Dc_2Sha6kKMbRpUk$u;;-w^ z<+dLQ`49v0AB^+EApGxmvv2Q|H879$?PL{}WxkO4V&+R<7-T4?7v}Nzw4UqlZ=&Hq zd>Ci%{U0C!Vr+xSJfPhfZ@d5fRi)DX*KwKr{Tf-Nq^86Ae`@Tvl&5-?X4Cz@qD0|( zsG#L;AaO}?GF$rX&f-h=DmN;Q<>fP-WjrEf@( zx3ur8J{jwuA!FGLy|o-2Mv-Aq&PyP@E%PA$k4Z>`U-|8ctie2~3*IDUXzjY-=SF8DSavZ0R zFSSA3x;m6w9hGifYcJ8B#cOE?cBkg_A5E-P6Q9i9cy}-Fu2^v~iRD5%Q~IV7i&lL6 z{Q-^>7_v-|F$lgzeTPw%PPqD7=6|4~onv{4YWFrEIanUee$^g4(0@4+YY*J8@Vh?G z0Y4I5GV@|yLkESADGzGoaGPe&_u}w&?B2~ijhW(Q&B^j}YtUyUz*wseVgl`WnhR+3#CKP~Kk153p2)4uILCRdpH z37c2Dqwh3@(U(OD42XmeSwhSKOw;}1U}ZJT(Bc%}K!4XwN;bRgSNkSs7CzTE*-_~3 zo4h%_zMr{nJA*&b_L0;5YE3S$uOIlcZmu)xo0xG+&ZkB<&Roa!-IF8RU=+2*oyb?+ z#5SWt)oJS{Q;edg5oNkMqrE)1O;oHVdE5J@NfYg>DYs&y?M>;bhW2vb@jt%pL+kez zF6%o!v+(cwj(7B2WJ4LhW#G?kQt!;T<(GooeB-Q*Sg0nSw@Hm(+jsot!j3{#+h?6NGg?@m?*AZTiL<6Jc)Aso@gh<1^q!A~w|hSE!5OE0x;}k( z$IQN?A31X<-M^Ev+55Y{8Kr)2#>~?~xu|dA%pTy>kE2wdYk!?e^-1*|~d=qBpsn$mXKl2fnl2j?(zriMKM6&r_!J;8E z7`)Q82_L7uiRIxksMNUFkF@>Z1HVia1eD+7 zC$sH7{*Iq_ip>8W8h19Y`9N$;)_f}~td+l4D^G^=caGkyJQY0#>qT;)(`{ArzA$Xh z#s3xb{>D|Odoq#!v-b;5UC$L#VOX$y%78L9prJ5wqq8fuwS5ya3v&@*3!k`HIGA29 zKF@x)xUH>4GKvVvJfR62jpsa-zWbW`Gc|{{u<-eKMp4yois zUgn{ut9wG;L(}BZl-2wD_sIM9GhG5K$h%>hJYkLMUGg4zADbpmXsUW=yhq+R zi&r~$aY5C4^gZ(aVVb;pU++J^N8YW|>GGU;V@l`ue2~Hgh{F^ln6~44(klKN(-gmR zx=!ywT&^p;uf2T3U^_R)JdbcAfU3J;a(Sx$9@D966SYuNN@^*lBxR^TfI$cuOA^pcEo29t9K zrsrv$HhX$i2uJ`z)-G^u5Q?yF&jynG>wzR+(elBaGW=w=EvqUN#(%X`qJJ+Uw{A~w zC;{XA{b=CZYPMz{(XX7;&x7ZVrCXa^-=$ld!-J#dlvy28yjC`FYdmh}#kpayn!k5N zeXsReB@-P!UzOdd^}f70k+zZdwwm|)n)im9_ok|M^pi8xXe7(TWA=>pb6U`cq`xSi z9gOoE$d8a*m5v;gO15YIcM}(oDd~jL~?<=J@y*sA-k=9Nju(W>)>jcT}z7_qBDmJmt%$Hxk+N%XCgw^ zlD(pTPg;L&|Io-AGWR9N;kJ`;G<6n7WD_xqh==d0_<{vg<6~b;jXwMZ#OvOztCtDG zeHI|+-R(D@VUr#|-F__Ab&r4Cv+kq}T$%6dZ)f`QBU+D-vjpu&qJ;<2e|8N77(>~C zX#K&$IkGCdsB!eKXRHPLW5V4*SOfSp)huOhaxc6lY*dVGvp_t^wK!G~Ekn5w3{ZJj zPnCQNxbvAJ(O1)ZuDGSOmr|L&U6*9~UMw?F8y@c%0+-9B`tp(@r)+k2dP|>bo@?V) zL}YOep04lMfu+vk$;`mzfDhpZ?87|||KJBdh|+(L3uEk8BUX2WZY~{|d6J(xCL%8r zYt}b{UcixHd|T1n?Uryxws=Ib2%d8!8}Y z0QOw_F}ZIXU}(g*!o100r_!4S(FOdj1arKK+{~mlEW>F>-ch=a2EJoEhZGfCIms$3 ztCF+?*!&pA&qaYg4MeHl{#j}u)${&=XtHzRL~-cmF>Du!PNM;0Ltq~)T`whx*Id%R z*A`wQ8Mnb&c^e2JAp`EZp7y;pMawF>9)kh*lBfIsk+%9y)~`7O%eYjkzLU*sX14Dg zzk#*G=eJV+5!{F~JJM~rnO*7Y`)8IZmA?M=nZx>>tDL#yM1AGvXyNvr$D_WlwXUu! zbemg-*h{_E-@K@@+AE-E{j=0c)ZRI(0}o++cHzT4uP9Qj&z&i)E3_obr|-VqdYzw} zN%3+jTDYrcyq6;@z3OCbFUcuM)E(?iz!*c8$6&K6(xgg)1e~Z1nGHJu@cTcd0hDI9 zb`n|X!I6au3;G|=213{Xt?jc|AI82#Q(?bc`ubZ)njUmIkTWZw^O3|x#)g!1{{pHD zcmxiu0tbxKj^F-tco1Z~7dZUT1`vaTik|`+{!f(z8nk@r{{M?b3DEGL?AbxX7d$jL z`}w~Hcwo(i(7<>VL<~v^`MDtCKfDk9npXAgh}G}}sGM216Q<}DG~Ui}x0h>e)K`!J zWuGHJDBWk(+mCtDE(rTIjS5d;gK{^s?goZ}Ey4Fj=)syam{gt&WTJ4`!&Hpy%LM(; zwC~j^mtI;(5{E~CWk6oo!Ggf~9a8~C!qr;o{=cOR{(X_yO#1H$w4!)L6)cjAZfb5m zS6RbeLuzIK-(BZt+{xTbac6qHR8q>8+zFL{Q2m!_5Fpwe^g!#e!B7o-TzS@`NU#&W zlrAL9m6j7G?tFjq_=D+}|mPt@u)to=BtG4(LbS8Fbi@WpP+G4}P>koc!+N@WP6E97)We$ zD)ZY~Ms3Gk_W26kwk~S5O|3So zRc>eW9`1_a@&zbbyhocg* z1c-&O8YCF^%NAKzu#|N>CBY@!Uh#s0balxE&7}WwXJM-jt8XJGi_&9l@Zh9K9-MSw zE9UZw2+fS!0cN&%IT*|=LS9q0@3#87bbnq}7y)#r9)K2g5cREXAg^6X@V%`h)fLjp z)uUFmp@_NjJ`3HW;0Gwkd^iYrm-36LvExuA@n_j@@nlqKUBN*5|EA_8|CddTAfU!pd{b@f~@lzgr;FPMHR}6xFV*a~p@!$m` zwe$O?`~Q-K$e~mq?Z>`XdG89hMWw47yq|H>hHTJN_>){|Rdas*k)B3Nbk5s!|9UOx zz^#1uXw3p@f=V$YUlEnAWQ*4{E=9bZCk zON7eotWsu;f0|c&F3jbpt*#Jzh`jz`KG{K6&sE~gk&oF^g`P+8vs<_0ySg5Lq+`#5YfiPx*QJ zxJ+UKn&`ML;z1)|%{aQ^df=(cp6rkJivO0&V~q3VRz+k%jMk9{=qgUaoe&A~aDXgR zys!={@~3TVD@|+dV%xC?6d`P8+d68wc0n}VVX<~Rf1@^`Z0V2M@MEu)zyLKw zZwt#1evSV8iWrJ%k945;*y3@kuD;Jy9x;UU%?E1^iMG?o^ZDY0715=@4gl95O!q&= zR%A<`ZOE}EpbHgHI5__nN~^&|kSE&_2Ddg;4!<^>t%4yN4l%iCOv&L$60wG1>O`dz z4={BcxM*3DW^&|U z@VFM_tIE1lS*1KQt_K>IhX!&w3JgdnL;V|EnTB@O1%LV*mAt}gYqGRttvTy z2_-5k8iW8Fl+_MS^cdrvJ_GX{vTJZS&jQ+it#ziAZr|HCkvezp2Xd`5i$h5xUDbXs z&Fgc`kLWaw;t5Xf!6qQcb*3NTfg(~Q-GfaRwyJs0M0sknj+EA6PxdEpw{O{Y%Ua?h zP#ljDNdLLzxKzEbbMM*GEsh?NR{TRt^Oj5%T2`BIrBA4;c9A8nfxTaEa0YjCywDK# zZKf8>L)%AZL<>hPz6+Q!IS6d>vGw%Wzt>7%W$oaLx57Qs{aYyzAvs2+`C0ts zS_g_G7_4K>*@4?uX9sS9^j!~N$E^7e^QEg8=PgatZMHR3AN4sjlD5p`Evqxvxz)up z4wt#a^?)?5QXTD+m4Og^;s#OKoc6s;VAJ+YF<&=+0bF_fau0Vr2f4)oo?KVfPYiDF zxx=t~q?@G)u4C~QU7U*0w{D8FS~+l$D?aFk&bWWm2qav@0aOMPt%rvsSGVHZ*gL3< z^Gs*>3pZCx+)p;UiInE`2@7v`*TZN+ULQVdi!X z6t|ng&^K}0&9kF{Ov>IiMtwU{L|xbSU}m|nkr?ySSoMXE+`L$q>2OZHZ#&@=uit#3 zm5$aO?`2#!&vtLcA?#t5`VgYNp%mfb?T}WM&0oHz(DcQdNiKZw z;t~Cvak0EqJ)erP(0JL!jlas?a`@0kW zcO`Pg7}$ImY;^=)&W7qE@Gf!4<^>7ufX{U?ct$8`!O0n9rz=EH8xzOX`GJ4g#@5GQ zYbFpmcy=PLu0mRjezcwkl>X4l%Bx-6t5?SPOQCFf%CwdLL`#Pleya@xE}F z>d3<~Ef_v0yjM~iv!$;>-cV9C`6R+S5<#{heGQ2q*^s`5M38I*rG`Y1%)Fa&dqWGsQ1gJo&Ir(QQrHc=jQuww7mhxk=W?CceXVjgD7SAH zZiGS88N1DQ_Y5XL>k1l({)#dfEBoE|TuPN-+9iL!Ij0l?^d(Ux?4i$Nw8~6A1p#%W zDOZ};ntgj0)p`pTjNceIf**_%)-@#SG4p-s z2f|{oAYeVfuFK_6x^^I{7#b!=Tz0TWyMs>Y{y(Ru9Clx6(l+KmTb*WI@zVLo@}SGN zC7FaQeReR$S+v-M43-)8FW9(9`Sm1=@G@Uid?98kg?a3X5%lrTGVds?%SRX>0Oa`e z_jqxm^eWbo2deU=Mfv<-Xlp;1DSk2-bZb`yC7`Yg#WLMLL`_B7iOZhPk{U1m@Z@kr zI7U))UvuGj+Sr&aLF{U48TK?Mgd3FgC| z6dP*fRMClxsQ5_Edxirf$^^!^(i)RD81PCIy&FRe0uFWl2kYfF$a{q`Hpwnsm8M{$ z>PtB^Uq@KH!-g)Ja|>^3ZRj~yxP6gP74zu?6I9{fOc?^|g-2}bZhSp-$t>>A1j}V{ z*O;RED=L>eFBBEc`h3bWTvd`@TMcfUdg8VZ93853=j0oCQz0gH4U3&0WA$ZN2#XYB zWxD^HOv#`@t5c2jU0LD=lozA@Z)Y*o8SunOpQr+*U$!@vBwV{v+-`Qu^?Q4+s2q}; z9;j+&?I^-fyxlRxn$goppANKbj0P@GC2{Fod#S95!zX9Io1MlQXZE{ygpZGMC(b3# zfVc1F3!Q=08}QC?Z^Z|(-w|Hs@sZD&2p@OI0{9^KxFbGK*A!dY0IWY2NXwQ3VpY*m z>`B$g*fIqf4Glar)712^5Uc-TPs1rcI|x~syUG9mQ{+WpZJP6hUpob4UFO#zhN9mH z>ky}WtO~BCoI_;)bq>*q8K;7$Ko-I&MXOXrua=@l8(BzhQ@Z~_j}(X@;Z6dvgMUym zDrg6{Mf`2DNObSa0H-P^3zCN4a6b>54e6BZBqNC|v^xLZs=T8T#Hcdgp{R<_#rJ?> ztWaY)We=OE_8dMsFNS4{KU6VAL4}3z(%7HUbY|O4{2e=;Mtm;zN}u0r`LdCEf*@fc z>9w#9{|61DC(})3OyUscvf$Rvm*R>2EvY#MkM!c4$acw?dqmDaQI3a9JtzFigp3fE z?*9WdsfjGNwwa(i>aC>DDajU+hsr{JJ|w$^tjhZ{W@QVhyyko5#_{7Ud`0QaN>7KR zWxZc(P1p5YYdK+>h06#eF)G*Wl3-}6X)i|c<<2JhbxC_UG<1&j8Cpp9pKe2R;90fm zcZ30r-{SX$HLl*6e@l_^t7;lti=(?{n|mpj*|u7xTWDk)Lz{J&Xz*q$@>TxY(Ap1L zJip@uVY34FZ$CKp2HtPOL;`G(TnJFwLBxgIFo@Bv-Yc6<)406Dg{0uqt)7AG2iD>E zUsP5ueRo~o$h*bGH3t*#4>U|0-VN`p9oN{hDxZ7;f7cyWC&UfiPr!=X9yPKaWYjLB z8dRCmLnx5Pzz!QBbGX^zbk85y)Kqh6k{lF%N9jwW0T)JCbxIMb_&y6Rw6-|bdPWZ% zGm)etwvT+e{@zD8X87r@8D~D2?$6lpoN!Zvk{acvVc(3~4s z-r6vJ5u3=a5XKR%En(K{w*u;-_fg-;8PUL!R3`lw$YFekeqtuRSTb{~-XeN{RxV55 z{k8ecSCp2`Z%a22f=ZmXyl);aS&&axILL~PA)|LeUC&2+)Rik5a=_l6rCr~9+)x{d6!1M}u*`*yWu zOJAtVrB0+9+^4^$4DeHx0sai*D_r1*R;i7={m&TRe+T!j9GG)ScE%U#G^Qb-ZpxTG z>E-dTDnEU_e(v#{>&A0i7>@!Df05%Uf}mFn%=tdUs0(A-I^CE)&U*h(SfAtnWc&4i z8%rnW9BLuFy#fON{PCpw`)F7&RH?mUBk;pXUNQvZ*}grKJsegU99yas^c`+GWhE+# z`j{5Ufc?_aBFF8Ib+&#mrTcFN$9{J@c6}=~GTXi#Xv5fVSRo@xT;6ssZ=PsC`~HT2 zW09-1F>?L6Pg!ay;Q2Cyy0)j7VnUc#IWI_~-J?y~+^Dl z3wzv&+UD9NAisK4H^rlRxb{9Yg`Hqr&V>7Uqaq42k?UqxE@ET^aKbSU0H<(?0gdG7 zlB{Pj&_KtC%|c>SY*uIS9RMa&vlFi!=}o(c!9HSEI4lxzKxQI-1fnKSBqDBwcYP)d z-2JnsMi7G@8vSR9dq(+0yMwOVlYDou{Q=Po{ob zsTn(1rX$>h%lT`G_ZWb&7a>BiLZ%%M>L8K>!VoA@DbcG&w_P5WI9uBMs@)4pi)L6A zEwfn=&1w|n^~!k+-9e=b!_9(-zvVZ%V@gq4zizdiUE)tZJ_X%ew|^IRdpTHyL1FFw zZ0VwG@kKKTI7a3mC>{&bJWqa|Q`}|c#>zcb9-jPtf6f~k`?m$sfk@&jN|1UW_)rCg zr&yHQoJA>YZ?G9za+06f`WX4Z(f!!kKdIc%Rbymz^I}rhg+tU@aNaLsR2B0{;a7tM zI%V!L+~_8+vqP~kr-aSV-R$P@-LHo>>Qdc`(055)VWF&ZYOS&~!35{fgi&$f1qI@h zduBhcnAkjJc4Yg<@!r0_0>!6TFn^yJqxpPPI$!6xJ_k$I=(2Veg)?||^IFer4+k!? zkV~C*Q!ZQjB`oU+JIlq{(i!Qy>-(O6w|M0ouE@<7e=~XLsA`yRg<%3YY%a#)DX^;Y znQfC49Dj03X2vp4D05o{0xI~y9KPz!o*)L(C|y0Liu+J1 zlpLYQgyiD-()~s!SQpm{R6SoDiMcSl^BFlQX5>>BEGfR6F!aR4-)+oU@E%)6xJ3m| z{KNvEaC6p$Hda(48s?%zd&#=E;#k&8uot%)bEr1{oyuwiergA})*ar!l6lWh(Oo$f zyl2dzQRay7-Z#;B^F@AS34@iRYArNl<53vmx}9n@p3WE8MY|AG0(JMj=aUy?k?<17 zseA0dSPk430%#Jwb&{Uhrq;$cazxCTwKBzB+;-qiT>4sq7t;F<*XN6GP}?JlJJX^g zG;CB?=6C+U4H;8vvv^1bqlV1^8?OIF^2A;AYHSSEQFWiS%g%%RDI*aT__`owt+sp( zC)VZzFBSzIj`I}0Fm3APMps_NL+n|3T>jUXM8)7z_$aU8o_zKtZLh(c+w*}iV@;Lg z&as`iVwiK_3;DLuk6nj70^-xp=&Qa5uZT$zyW`(Lc5VO?I{KpgoD1j0Q+t`f!s2M($cPU7 zp;OGB$LA9|XtDTe-%EU4!Kg1UYX8jgb_&7oL)clphRC!EQ9#fUaRK-40@LNam=QT%t zdq$##@AmX@nMAt(KQI++EDan($CO$>&ubR+fNr?>wB3G6Fujk z(8Kea>2JJ$+A;k8-WBQnvpz^O*vYp~L<=9~evE~?a2s=f$=vNxY6RC|$Hw&C4I4Ji zx=KCBlgO3%J%?dpg4KFfG#c1sJL!O6a-;N|>33LryJl8Nxp;??Ggb^5++~AHs;K`@yaJFZ|Rk0XBc;{rFVa556E~TT6E+Q2F1X-eNmuNVpB>);^ zG8(9qDPe+`>}qpYIE^(?%<#3!zaqr2Z;rUHy66-fXNQe0c={cOVT-OoHHoO;sG{SZ zo<`myP~G)jH1a=F!p;_nN;QLc*WVYQ(md$YNPo^tWLmtPj zp%AXKJU_()MiOst9k#A#&jFsBi-(dVamB`8Fg@hJ3-fnzA0S~o%=(8Kx-xjDb?h~eO5&uaoq z3+ij;K(Z~o*_6!cBlt`39N}vfe2#)4eYb(c{VQe)g!t&rnu`lNS@$Ir@3hZX1R+YdX*iJnzu9{mI612-&%Zlq zk`4r(jz-P8K{{A!BB))0V_HDENClpPYHTG)6d0q#OjIP1R6!I?I##!&EZWJq(Pd|u zU0mH6cEpi&7zv1^DV+-zdX5R@+`I+((ZA`08U;p2itkLRJPwlUqps!viJpF3m}WC-Lj zjy}7N`F$m=l4_PSP~uK2rL%wdzpM;hAOGkNT%dzfoV>u-?s)qviODo zlVfHL5JLwJi~%|fKh|>80TXni9_gZsO(CWbyl+l)+uL*cl%PfapR*UHa}7W}M$i;y z*U&0Aq!Gfc3eXI?0aepRQ1E5-%!V6S!`A5Db5gc(k$iMd`2Hz|9Q{;pqH zlfH9{{q)^vKfMymj4h3#ZAg=sTC<c9wVBIdfb7 z{s<#eq?*N`+L~0vjZl*XPhy1)-BB_w+`71vf901^zbc2VUgWCn_54J{6x^Yq+&d

vT9CQIX`g}cV3O# zm`;o*;L#}XoHz`gxa>48gvKb{?QHao7er9jH8xB~)f-11i1LQ_K=GQRT21DpYv@#q zH;@;C2Z3v}V>nwzEg2c+2#iz1=Sl9;L{HH&Hv=x3JMp zO|mOuj5<0wO`M0@J<}0=6 zL-REe_2Fc{V!U-J=HEPT`kW>%5xb$On+yd2G_ofEV87l80NAAffb+bIR=bdZ7v0db z-EvfIhO4G+4!e&r`J2%C_rKg@oo&R+s`iz`Hk>_;4KP0ckWL43Nb2Q{Q*!UA%@+AX z6Hib;DV|^#pCO*$FBMO4duRJIxwlB3xXyqkejwTXjhXh1`D${foZb;A5QXD&K`wYo zgo?UCoQWE=MKt;dGM$1PNs`beyN1n--28Y+cUYT}c(sQuM}(APGtQh4hr)*8qAB$5 z)ad$NPXk&L>16~PeuuICEZu6yn(vZ&$0Tn6g;&L_gfOIzn1i) z0PMKx=f9|4{j|yThUElV*gZ^~=(9#N>h;Vaxmz>E>%B^DJb|HaXT3IIK0UI|R1y@b z8()*>F6ctplyv&CKug|P`e6@p_gaSzI^rsU50&dp7izONpY3hJXd z&ZOJ7dp+;t4H_uZ`%ch{FLUys4YO(X@9IK^rt%}zaDzyz$<3+aaneIxi4?+#9X@t$ zhOimDAzSb^Za{Hs8sL&m4Y^#l@6`1f{04PjQtr)u>1Qj+G^}TI#ce^afr>dfR1Hl> z)*vkqSL_&TctA}CZL%(Xb$v9rDR0vF%)mJ|wCUpag}f0~#yE8`J}$h1#VJ;3Ihn>Q zK2tB$S8| zaQ_?Y2O69*Fz$8@&Xadr~T4I%ukyYTiNq&ORt|y zw2|t0^>Chk7&zZG9L{U2lY&6vnd0~$8c6`UGto!-;5dGhL&QClexx==t46`^@g+m5 zO^bG$A@VbQeVEO^VHjqA7-6>d@n}D(5PLFn4#)3lBOzH5Lh`SJ*?W=3;v6U6_o|r1 z)38Sq1b0v9yB@!0*RCwY*D5S@K^^DudiF49qOcYg%VjKAP1%ehxz%Q?B@^p!VAgbf zhxD1T^fuBvg7mIfx=;GtAbnvheIDtHUHZ?u`Hf{Q^#=+omBl~Ug`|^OZef*D2MRax zqkj~*g`Ze~o0K|GSfgD2QD754u>$={9Vl$!NB=0Wou62NN0mBIuoPEdZ+(H?u0Vsa zBx^xCiC7CJiwzW})Cx?mFVM;>pJ=NU=%_C+(-rV*1+;CCeWJ@1m{%*XxW2$bS72$a zz{>gp-Mn7BzJ9JF8m%9>ES!OPFiwwN@BN4*)pgN)mg%-}y}2~-YI1BLbK!Bp`T-7?*rDjrJl9ifVd?&Y0Rf)Sa>Vp>fl zcUC^m)uv7WFi}KLbbAu3xWXeCned{pAh~)qn)1{NmKQMph17~ehWgL= z4z~)cNY5_dOXclex>zaicqdt&6cbiS&C&kw65NfN-tTW6OqEVwQ9M}Q z>9tp`{GIm=b17tnm3u<_!&g3D9ZU62Z6U-cSQ5ORNt%qoHMz)Y&8Clkf=J|@#eKnn zk$J(wy!tcn&@!Dv^$Va=YQ7As$gJzv2yQ`_c+<+83Fr;Z4FprE%3*rMEL0pkwir7GzxMkfjNG|*+r%z%yvnKW zUT#V>`hD*aa=e}|Gb3ydYU}}ws@pM)#u*0a!29+LIp!IgP<%3H2H&%#Jb1z<*4OaY zrCYL#_os^Na$c#EGIC!_60hnb$-fzV%#gnn;Qx{7A%^y-3iF;|_OD*tXuYQ@uHNV6wAoi1KpZE?G^$j`8T z=+HBcvd&%DJbazgDU|BJ)a&OoG^yfHPk-)1IzuoIWe9h!&sd%4CIkJ4-AUoiaAWPw zxY_hb-VB@!EdNet34*{-q09V+s?XQ%5amNwM~c$YT$(>XPoh<9fR`!$8enT^OGml!Kzo# z{yfun)tk%$fCi)nslMLXcg19b*6vKbOoTZ05>rc?lHFGA- zGtOa-{Z@@!a_7|(2+kwb=IXiiWB#sD$NbY!bzHW|{{vizt5Wq@*&74cN4Ut>;m5@< zS@FCv-{JvCB&SNb3`9EB)aLl=wg-qI{lyM;ud=kZw=wZwdevGKxHku=n!4_ zYqh7Y;ZescSV7UklOyBer%`XJ|JncDabr5qWj=omU`YLxSf zxdYAB55E?i9*bx(9H)W9)QY=>BjYy2IKmGCgEm7{Xj=bELUC4~oU2qq-zmnbhFS$rYRq3Vj59S=32{(u z5#+9wl5w%ZASR5nHaa%P#VL0TN9Owuv(c6haJ&Ov@2A9;-bBa@Hrx}dh<|TR99rqH zQXB-i_17zPG{l5!lh6O$cgg#o37lTpB_FZ~$hi;vteGw&`>g6Ly_2ZFQ;l5NH=?0Q zPu-gtNKaJ(bkPIo(AQ7tJZ)L?mA?wz3`L!$P&3C>TW2EqJhr|>D>5gb;e5?dajMjl z5HCob)|1e3L5O|+4hvPPqc2RDs4RMKl}-08Y-!(=_GS&HX54#jU(-$j=tKB^F^F0m zdSkvs25Xns^D++RZ73oQcNG;GRwOy{mSG8JWf`R zImgIdHd7NWipcEJod(0~#$BnxvtFk3UI^*<_!4(Kn?za>OdshxeffE%Cgi{L@eSvd zzWNHPwxQg2?dwWwu70zAYPP|aN7ZL8qT3QsLgzlO_h$$~5?Zk=21?Cn*$lUDWL6PY zuV}7rqknOKSAuH;UPuHkR9ZAhip}qm>~3_gXM-V6XDH(5HB%*enJT7FXi0&v<0miB z^W;q7?#4{%Y&@yJT>ITi&cj_cQ~K%&5r&|vrV}8m6AVKc8UYScghgTJCc{pKwwkLq zM6!*M7FVlOQ}qZ-v-=n+&ZPt}*g9lw(VO1)Yx2FtT$@wHYmM**t~I)&X!MoX6eHfN zmgT+RJq&DWjr~7G3kdtaTG7JBCA@uMRc*B+zHc3K8hM|C(|4?aV7TOg`KItD`@8bT zbuUAsju7@i%hF+o9*Tg(()c=hv+^_Zo|T{A7q4!16>85M z1;e=ZMcClitij%}L0#1mjaRJx%p=#A5z+vvt8eR}!uc$%10)}uo?s*tq;VB> zwHt2<1$BNyGgfjZ1JW)-I6H8h{YZzhR)hCj!+G<~A0^@2szWhzM#O0+(}& zF>vcI0176XqmU;7_&4@uzjdzv2OR(Y~5KUGBNML55b(my}lW z7put&)j8VB%^JqHuHu`iHInISfpY`Q{*`6@9e>@(Yu=jfKE&Qm`nyzL`kn1Hp9u1Y zwhzO996vxa0zVoaE&zbXk|!k2s}*wk>tXo|>+|V*Y{(a^O7^c9(hb?mrmYzI7j{#* zlUEGgs^9ml7`mSH{09StaP{QE(70S{VJJt;7N;Wy3&8`En2jxX;fh>)D6z3}^WE;_ zvS3$0p0tzQx^lqL)T9_q;Tj~Ga`m+^mKut)nz)u$m%rqq>)>s<4za7%+~GM~zcs$1 z5Hb2c^?RJ_Ws&$!)OKx%bbia&mmSQ}7usBpW`sR@)mgIQprQMnD-IgE|6;{KL-*+` z4jQ^YA0nW4TmGynI-_x12zM}-|5z;j-PL65ZEBSmg@$y_y5x_mzNz+xOc2Loa+~#Q zy)hLX3^OAOCtw32?q&p2YtCcTjfjIg7C3>`Z|~IsXC7(2H8 zO#Qp~&7aL|-WM>N*#WcpXuxc~60nN!eE+umrNPC=<8l}!bNNqgIswMKUcH5N55GPdCYp=q;RWo^ zl+eLxU*s4`hY~&VpQ?rbtP>1BT_Z}zH<1EZ3|_m0W)yAo7p$D}(F?lx8b=~z*?`$w zy|uPD+Is(g!FV95zvl7KnWunB{QDe_U_agAOAH+Q2{uWiZGuW+H*7B*^OzzYwC(3R zx{g@?JBO`b`bd-M15Z1@DL>WcVzV_)kl&m;&My_aHCe#+n4ukkyqGDzc$Z}VJ7$t) zx&{0uY|rQ9$@=^;6spf3&L95V_u=xgR0|!_3)ID1BKS+BFNnus%DpQ}uMe(?>m&LF zM>z~kc+*f#7F$5iVoDbm&7(tmI*#b+`x6IuP=valR#K~yLakBm3xw7>rXfE+piG6) z@Ol)62;b$2wdos#GZyzK`D`dQ=Pr&k9+=K-6T}psKY{~x8*q#G8xKbmFe(SR_DaF$ z6)x2vH*vF`$rNhE-24ey6BTOw#06+ZSB0GSOf3oy_7rvOa}Zw`49G9NhZZ@ddg-w^ zUF4H!`opXqf<)Ryl&%QpU7FCqg$Kgb(B#+NkSH?v)+i1ALb-u=!mB`Z;}IMB`r#Xz zQP(v_?l9fr(y!4W`9OUG?8yvuBf68H$Z=SlU){-97g)){%9yqg{@`}d6WNPSISiBN zrW=Ih^ul-?;&{kuaKw1n`kk`)B>3mk-KEPcJpIF& z;vTuUmEJEDviG~ks=BUeWcJY-;ufAP<8q7nn{!uE<6tIn+v}BC-l_)22ZC#n-w38d zFC3cb-A=L4wV)z>%3<&togb_GF>KgiIZU&~ShLlP!4WU+)j^T}%MgMQQW$PhjMWSL zbv+Nr#I;rW3&rgRH>d@pGkC5XgmymINw?2y%AX)TXI<1LVKe||Toj=&9CxQ$ItC=x zeKKT}QzE;XoZw^j$HMar{{u_UGaCd~*rMMu_@ptbYe__MF2HFU3|JoyARz!uxJ2Q! zURi5sHWpqZT}R`xDO;tA))-e^H(*>M2Mk8nxvh+HW!2n>H37nT{=j;z`~W34%5Z0g;`T=eR&kCom)f=nVe8lC zfVcWc?Q__lSn$tKBe}_iy}8_fDC`}Ve;d}D=D?CM+EcwmwSqQNYd#U;#H1gYsvN&_ z^J|XS9s}X-eR!FPW!3bOt);do&O)jY|-J9YAfsm}xoAYDi z^^7o^LDPtG*K0JQRVJ^EU`SgI)~iEUtI%%X)f3Q2NM$vKUqhCy&(6O`oq^U;tkAdy ziqH;wcf&~P54z(lQFsqXUf_F*KxOvfoc6%rD;~7$u5PdtlElZu4bc0LW5ly^?+lpK z6Q;+7?3rMp-yy9}r*&?KAAR2wEmJivahPCT(zgb#9)QP(A6R;64Fdrya044oIR@xM z3@(C)rP~thW}~ci^|E_SY|;xs&faL)kv4LXQ+)<)511C+h)Tp~ zkushLk(Rga)#34iOrTdjImF}J1I!&VJX#db2#>`L)g*p49~eeb8kpExUqhk+0}KX$ zS-vz3^+&|w_i_9`e46$3|KT&5=l>q)^A0Uh)d`V3F68H_;;)d9SY-?QhjJ+KO_ol# zf3_iq4_xi#iuem>%xXDvMhH4?z41Jogy09ngL`A<@#y}Htmvie# z5c4gRAV#%drf95w=Nh>dAfFWXCx_aK1m|)djQyZW|GrgThaS*BJBd zz;VQ_KiGR@LDtGCffiG;LL=X)$Krvy{<|wh@N|pez?;N2ZY)a=O9)==XE&E-wWf+^ zgT-sWXmqVJ(!bqh2@rLu++%Y#PQN(A>OApK7bpCepA#I}tWg!uXm-8Q!fZyX#m_G0-zn*uo9oO66GV5aHi`GM=0UK72XpsQM@l*T$e3w zo|_taO6#fFpWhku$9b~k}Vj;E+g1 zQwk3f+=D3>a&@+%IA+K@FFfBALUK*W{+DR2uy(_52Eij<9O_!E@2-rscUbqa3nMf+ zpO#>LBqJ{~H$yI_Se39o$I>RTTf!~hQr=Q)bd6N?juDwo*C03O>fhnrGsRV{es@H{ zh1SYfC|LOt0#S_sY`z~K%okh{oPWwh=8I6Cf5+iC?zhN2@{Ip>yhJ2_jhHX3j^3I8 z@YU$;Z^ITx(pzqRL~Dw~?6*o1>MC5*+LY(|?Ux}Mcdv;}$TTnzSYZr==0a+yMUr#YP!mCrkW9nRhH0$yRRKZ3z-Lh5{mALKs(|bxbH|P zdd#6HX6;Ic@k!?3@<#-*KT2yB1~g`D-%(SKtWVw91&L|IQNTpUxbkOKkF}xGCZD|E zv|@1<1cYwJw%{ABK6XUp6}+xRDOTS838WSAO^1P48dcpaLtqk`Kjv40V%ROXd|vW_j>*pb+v8pFgKQe0WsTs1A~s3Z`cYaeVz?8 z#I&gkAF1Q?UA#vZJs9aStAN8zp~#8pb2OG(BQ9r6qD@+HcQsA?$0kbn2$nv= z@0V!ZsbZ3wVZf`)x+=ED%_4mS4hFx%T`)!u?#kfYu~4vmNTc`R5zuJ-Qft1!Usot7 z91eNtzvd#+Tairhoay01E9y6z-OTmDh^;T@`oklyB)%8#8BvX1h&sPfIfht^ zMv^OelNM5{TX_&@4WLo&Lo55e!3>M9NnILPc``6nD#K@KXb*PUp zWd!D$MYJY@U+UC|>^VhItZsbyYc9<%UdqUG^d9w}O4iKM=#o_|NGM(kiPefZp+>E} z*%b>CikD7tE7J1R<|3aH_0fJtG-^K3xWFS{q21IHZ z?u*Xzes$>LTbsS+4?7IMQZ>{cF_~oQ0A$Nq(+!^&qZyX?-=pD(`4`sLnpUfoDV;yv zFX3wGj*_6BZFc(Q@Tmro*5lHrn9B-E&Q(N44@@nm(ZFxo-Txp2mCl(?tW{n5ne&2T zT2b-|?z#-rv~#0jg&D=la6Okf6Iqg2ML2nRenV`@Feb`@-bmMv9As+u5#;?-R2m8?>y;Ygw0|ff; zOBc0dOXoK0tfYpUv_+mkl&qnrFSs_@ytq z;X?>aZnK3QJ;n~aQ3BYOri=aYtDLk}a+)U3Pil?$utQ~yj|XE|=pRqqd!)%gJabg! zR)~N;jD~Dke?O#R?F7qFT32F(s|&+@YK&jI;Xe5=gZujkqNBt5$!#G))R3h4n`Jq2 zyQ4#6mQV4EzbG7P%q=V&8k6Uudjgk@t!UF#I5gJl`6nJ$96A=YNB$kfM+{PkIM`Cj z$h9m$V(~AVD=R1*LKp2s9Bbzf6|Iwy_ee#SO z^%_lsGrp%+*?e8@|B%djT&DOocMX$C3M1f@d28VVbv3Ls1Ck%gx9Ir$os5AK0i5#8LWEu)5 zlUwOErL0-8{6Ihr2Nt5RteW_7sk6jbstr()>N-WQGis4-ae3H~xc-%pTx5$auCG1n zW;KG3GskL^!RuKH(qhCYBKRyxVT(1;o((t9PQLggg>dw#d?5I3D8sa8IX7&3< zmF`5Pakc8-#OQ03{Zt6khTx7m=6tK6TQq$u?Z>w;?hH67BCk3pC9g*#qw!`Ohi|5E zCyGd`elzv)khopVqT5YEVlw=zp^iF_r*{?ZC9;h+b6n>Y-nuYSqCFfbX?D~|shc66{CPn_WfBcCJ0_mbPHHmu4z;dk}) zP67QR>DNv7FVj-xI{t*SCblGSZEb7*wEAJpFpMd$WgP#X-{MX3+c1>2ZtUo2U~?Tx zDxYe0V>faa=)O6V&yBJRbOZZgGDEyN7ngedlX@5IpB2^os^(FarSGXf%;{iRs^dSB zDU`QR_58ZM@fTw}#jjh1E{IyIU!B|*IogruP9j<@m}Z5#qm}Q();Aqruxs`v1kW}N%HGRxYWJ)mVzNP~$ z%*(uuu7z2vavI-g%$>o*(sZ-IN($7=Pd2&w+-=aJxq5xfmtr)xu#V;~3fdg5elbsa zIF~d&aqOEf)O4e}kf&-v2}RkE?nX{ZCllQT;G;}R$LxMYW{oI?EHT+=KPZmh3SVo@ zf0*qS4sP}1d$z_`oSxBr$(nJa`QD<$81OGc?6bY*@(4hBG^`3)3Zj;X@}Jc43-Z8;8R#Oy|eTc=&p>_;gIn zdYnHnrj=YH1-E9HKf%k0M*1q(BROev*m9^trU8ceD&Tr89j!DA?;o|<8uHP%t?8h4 zY&~9cu>Re-wuB;3a9|!qPsp!KALWM-NRnuG?kP>IJPH0kmH#IXbfhW5+5U!R{&py) zE-@w=(%#N1$1;53Y?Gc6vXr=kKTpxxU^{%$}YpEt<|bfZ|xG4dvr-oS}@b z^VXl^%B&U+_jxU|r+AZQO)1Tu4p@HSYlKO77xLFkSGe@GnSLqX5!N(U1{{87chF2n zq%;f!GV=_q>B~5D9_q_V*R%!gg$>se@A9Tfm^P}t;N~driWHWn8 zgwaULojX0Y4RA*ts>u*gD@^TH;zc)tKPSVo3j9O$SlUsz#b>RoI~`#PC@mt9K34wp zU8WCHNEnk(CABR=#kY{%s%y``UV6bVWJ(hgT!pyg#E@JgRfv<`q+79%;m2N@jc$rw zl`d>4>>ro=LULzee`7uwwrGko3pkUO;_NZq1V-(c;;bq0bJ3EyW5)Gn3@1#Fe(BO` zHuGHD$)(j@4k7rTRv%24E(E(Hilja^ly8m7wc;fD{kr+$_J`s5f=)?bkRiP*BV*-n21U z0tbTWsV*oP47+q;8xFhq;}Oc8e%Zfluj`&*noVYZ?h601Uj&%Yg2Z(NTr@k_S=dBT0<+x$`xB+V5-M5&&bEzNFCmpai4KzdJPiw~scq%I6m zI=wp1)G;x@>*)t%``mk@;D@ay+^`ZIWV-^!zKH%Av5AO?P9vVZY%hL+Ue8AuTfcNn zwte3cJfe;HjZnHGKRI%$yxU5Djmg`>1owJQ*1O%~Rh*xgNk#4cdz(l#n6>-1fW3vU zwKe45mWk{H5grYRUXQ{v!ZiZWg5b&s8Fq}VL+5BFOC9U(mC_!1i-wo+86YaF9wiGX z>LmEzr+cEfEQ$b-1_XojZlQjo<4mTlGuU7OuAlz&fWahEP{m>M*)xXmBSm$Net8EbG6l(NOs;<{!(rfV(|Pf}3Y z*uG?dhP|r(if>eZ39kshpYN`&lzdhPHN2T1o<7v6A&9g<`Qn|=^~2Oa74}%Tq>&(WIxPc+TcljAL{OH`~4lv zt<@7kygB_oVURVvt})$^ggd0=YzsFCAW2!I%j5BBKZJjFZNZ0$7LsB+^mViFiu7HxK&KLfJ2p! zA{Pj&;@(7(+CTCW6{%4%+rDeqh5>xaK6jti&c1I9?HU>?>^w#85uQ2gl~Ilm|;i)ahYZ zsT?(Gv#!*}sM+808TvA%vW16{jeg0X_-$1D7FWF0{Mr#%3kMH**GXSn{KE7~pMFoO ze1o5nEx8Zx3R|jDbtyA(RR3;%!^VRCfy!Yq5N+a*Z zN@2&r!oH^banMVCf?*4^Pbq$(B@$QJkr9<5l;=~}gT?`*ofEjd5kjrE2kHEJEq{#V z$IrLFT0D^9`O){L@X_1H9{zilubEnZUOuYdr20o4zP{y;8&N;%PrvGqf0cYq>iX|T z_4lg&gjdPe#ILW9RK$XdJBe5#H&atJApfkzJRaY(u__>$_s-$7(J{ ztPE=6j-zPYngx`pF;JkzIwN4{HC9{y-OhbpSU>!-vm%GPmB40<-Nfx)w8lqvlW3Fd zn$lkbg%!v3^oJ%D9kLf&Aglj{{f^UL-b88b!0-{IFMhqoXbqX_OrYce?XA{`IP&YV zxJ?LQ0&Zt7RNI?7&K7C9a&OO=x-}ed8hy=L&6uiM_XPl#Qy_Ji|43+V zlh4XhylnIv_`3w#2bAPdxHuK6_k4-A5MimB3>4Wvjiy5vwSO)8k#5h1=Fg{}Z--6& z3G_3}RV<{RxRUY*G;b5cDGuvsYGsfYsLRED1A5EF&1?(rh||-@)fzPdm1mruoL1Zs zwzy*0SVTX5nDUzGXL;BRh_0uf;r6K4`#y^OO1hDHEg?ZS&3L6qbRq0$4hd3-x<6oL zqid|IBbDkY`f?-#7HS3AWM~XADN9)^ z1tY!W2#~*F&G`JaI&phf=sz+xT6t<@L5e}(!+-aiCEG3kbfB(claCSww_2e)gKpW3P{&4YP+`dPIBJ$7?tr zWf61Zl8u*n70VU!Ip?Kt%{`($Y+<}bXAe7)m92h0t!bt9pJ5L(enpH;i6Z&4&FHF_ z8uHrK2;10dpYmBYFQY9)F(t}1fu9CJpN8r9R?t#v%?|#K;-Kr;$?F@{8V*>mxxfkS*TtkVz){W_Kr7xD%8^Gk%zXzje(AkqByxi*82m zplRHqy`HyN!VL*u2`DU^xj%#^r<&jywp(ot<-KfUl|rq$6A&#g8v2UY^Q$p{i7BBa z(|)hOY|DD*RA{5s+r(dVoSXsrkEP0GMl?(H8RSFS_X4>-i`Z(EEEmyVV6e%BVDt+oP>T#Tpyqeccuo0LN$te17{TV)yvoS%aCr z*}=8;X)$G=JM9Pk!uIX5#c+(~g-qd@y}C$@UUm3|9f$lqkLh`4U}0=o#m!@l>C^ZK zhhtDUjoQ~+Y#6OG^VCxzc_TnUj>sh4IzZ(wo*ztDOa@pFF?a5mUEG@~mWOcq zOnuyC)>%IB_mzJ^>Fg$y=ef7JxK{5Wu2p_!c;SfKYvtci#XzV{E=1sVUvFk6T&!@R z@znftq!u5(qdV+NBtpN*>K1<+9DlIcuk$Rg{(X#%{q^5hiVhXkf8Wae8+>0D^!o3c zO?|}ot=#MWzK>3cD`J+0{7>(7~`md3JF1Nc(zN+@rI5 zf9LgRt0EijDETB~f*Dbba;ve{S zb4vaKEKx%_r@u|fJ&Q|JpQ#bAIOspoe`YC{2Ym^5l_?Fx?s2<9JJW;PM0B3V`&JKS zXX6eLZX1u+7pedxDwU&y|rcrf|B2J1zJZG z`1_zhw<~~NY*-7uRsg?anL&qVE_9jrNL&ct8CLT=mpOyXjuDyfB~wt#V`YLuwK>ZU21--g8s{x2`B2L0G!5xB2Rig)h3`n(0ceBLd$`Z^Bat5eJC{tE_9)xzf|(`eLyt|+KtYU8-*6Qj0T-&Cxf-}CuQ-(Pa^vK9;LVd|UbH}-7KdYRv6WkT++ zjQ4(8Y21JS(u8vYfd>0#Lp%s@DbIhtdQNm66`|)W@28VnI}wW-v+eT{C4+tiy`+2A znXqI1_PNgDAGng`ifsGSx$`)ecYAT=%9XzNEz}7wZue%tgu9Dlpt9T=V2^?!FTbz zvSNH*Jn1Wxq_eX=Zh<&E11O+QcD>cieufgas)jB(r=IR^c>5PcwI5r&6cDlHqKog9M>tsMXVPEK|r8Dd8*BIsW z*an2p{$d!tuXz4?!v;%2r*`_%M`TMk+a=w$U*1MSXYrR&7+ba)8J)-&I`e9~1oX`0 z1F1cKuyEaDmb|fYGsPi{V7K+()LQ$X_jL`0FPk2&wLG=+Iq%wTJ%So$`xbxepnv;? z!9RamSxGZC`L~}E{L`_bY4@aq?M>Om*Qu$mV_DnOC=qP){8p!%4`A$#Axh6N+MJlxpNr!QQ)BT^a*fmgPZP zerCMDn(!juW!Ulj%C!*QchAe2zE1AF-L%B39-n+5dc6`!uHx_6>NjrkPXi$YK^ZPk z_82hI%2uwB)*DC7mh<{1qAl5(@qYZg^@j(hkM1S!Yf5o-??S))>^MgsBKGgH&rrQq zzx*`dvEdGA=eL2|7k=z@WCXWn8}VyH@snAxL6p-;r#l-_Yh9k0m+AXRn~JIy6G!0a`$+0p*h8DR z;LIvB>ypG$MUl3|&c;9br`=%0Z9VmR+QsBxK1=x;EC^j4ojM>tDYQUeMeU?rxI6Hn zVlAD;JvPVH+&nGHbCE}xcp865dFJ3eHOTim8(-;cJmj}ul4#EVR#3FC21%2(ShWy- zo*evuih|9BTpvGHV6*U5Pn5ofCqBD060Pv83%v+8!irx1`-l+8reACaGzL z*D|ru5+=?-AA_Q2-BA8VmAL@oC<$OY1gvjPh?R(zhHg!42L^t2^W(~5Y6|=ptC8z_ z8N;BMWAG%N|{j@)obZaDlh1-=1FJ2`-jRtg_dk@O33MmaS7-|AqWr zw!t2)v^}ZdM)m4?wR(@z%2u#!k1z0d*+zRD(&Kg3W@YXkNGE!Z z2CbofVpiYODdqL!lMkNNH+ihc`qA>b329iBf)UI~>}`C!yzba^lGFW@6Y0Lm?@pE1 zy@8_B%j?FcllQ2|;8}fB-(6lmA^H18N?nrJO@-vTzNWX9`@#Rl*~xXOzNX{K{o|8p zM$?JyXZ4-jR^Bk-l*<#V`c9u-9ym66f4Xnt`%>ld8`8-aGQ~g6>YI3axjg=qY+@x% zPowEmE=gS9cj__ajX-iJ-8c1Zsq*?a%uc>Y!$+&(EkML{d>GJ^&-I-=ro7?UB%0+p z35N6X#L9GE6L9xa<0-AKk9HQHOZ8>n)4)fP`_Ae+eMV>T`SQSo-?7q|6Q{{p2spOt>C=Es?q)!1==k!gaaQWC&a^E?9 zr%pSXrM)ZmGO|}}*VBB6#JgfMByhz} z9-h;~9_5M*u6Rs;URvONX1^YO#h=eSt6DU8`LnzodP;9kD3d5}!3@|sSln9J(Fixp zGMgGjbf5X9{_ugzE2=f9w~aLWds22Qeb%s^aD%n@W~@) z5FyIO{f-e`FS2Y-4WL4UMGU)67iMmy6m%%KKL?vD8yGorbCjXUauFY{ke$|P>P@x{ z{LCa-;9wnzz-lM=p-kyi7H%i2^ZstzbE!GDPIk?(9J#}mCxW`>RB`;zVg9Tyu2y)J zaD=8{|Nd(D7@j{IKO99+*c%-+>2nK}LsIJhz4ewh8P4Vo1=*#Bd)# zmruvHoz>Rq^msqHcF8iS?q)Rma;kWDHFkTFwjbOX;Oe>fKTBisSbRO;@Jt4)O?b4T z{;If78aUIl#f9vT=1GxeU*kN4^pg2WL9bCDokM~J{c~y+y>Q3Ea_63%@_zb}j>b*c zz;Fn+0ji!Gif%jC9>;(Y0>~|9QmI<2RS3t~_=c7E+pt8~zYwYs$F*t;ppBo-|2>@2 zo{`ymrr-}wB8&zoAWNQ>xePJJ z$vP(E#Eq79y^_=$H(J(Z{!`eYP;)md{6F%I?5DjiFMW3edhUc&K>FGC-B%Gc>olf9 z;0S5Nt1U%%2W&@!@1|{Z9=t}+T^PL^ydE7XvIA#2$QzBZ8(t7II~qzRX^3xjJKTdC zY`5xq^c#9q&z}sYup+`|I6=X>*YhokOLjRuQH5qsXU@A>&AQmh<$t6&0^&r7^o5R&n2zyIlxZkj`R-00Jzk_DZ>F^sLl`4Vl@6wwPPSJo{ zH^Jl8U&qnCkN;PN;Hjp=2FFuWslHbcK4YeRqnFUXs4FWgCoV=ptCkFSf?YNSV}pgY zK*FI*oapcUeyJzX&1ZDhXQ`X(Md?N<3i33>#kw;swP2~+)}BB;rqNV>Qfp4(uK{i} z)rC`v?hT28D#(A#T*L*MUt~`*M~oUJfnU_t9oE9lk>zOokAt~R#xn1yJhtsR!bi=e zyDt8Xoo`(6ymo>T5s=lf_OsuS=2?OSyP`)Nwu>9j?VH$oe&5Nh8Ri<+ z9?!`KGJ9Umw(nqfcyU^d6t~5m8wNdHrTo8DU7~UiJQx1Q0Q!b;VQe= z-W9eURuqIfWIqvR=No1-A!aM%C}hP&&-zC7Eup-aY1~+cVzTFQBIJdOo3j5yLv=T;$8}+u;pO7QZr%LF2^rB=*G+5vE{X zakqvww#L+m4gTfbcI{`_6G!uf_j&R61%;upxk>yTlWXB`BL_`r&51Gg)D`j>xhg{C z@MNg`ulZ}8SE!uY2N$gR6Wf!Y{iyB9UVFzDAP!f7!g_QtL4ZQ-KMMn4Y|3uhsJFLF zH-DWu&Tx&nQ3sui2f5G*#b|iR7qbxy!)<@ye|GuEH7`mTxlnvy@#kAF_XLbiq1 zhw#CM+KTJrvp>K~krJsj*^pF5D71q4Xy+?}>9~a|8G^oeyR ze(BbPx#J*DE;ion*qc^`zqb6I#1wwRhz2v@8r}@%l-Gj)#d$4yZu3a(2%5e-uux$#=`Tlp- z$AyPrG`~TK)SA!GU|e_zG8b6pUy*5jH@%z2GMaqyERB25ztThpN9tutM{`ZmZ65u#N%(EU06yvcGO z)+}Yk3M`SgCfWoe=v{10vxL!BnoR^iC7cn5;*jI^f_XGzIA9xi$KNRx$IpXtYL}TLhY@ipfhtCg%eE!ji;lO%5-PTA? zq7|t9(si~*9f9ZXk&y_SK7>VF$i(6RgX0zu`=V)xO0qPCv|3r^ly{I4MIXfDDZ4*O$0 zX0ml1K^D3xhOdI+1V*}`8u;$K;0SproDyO%Oo{)>kF8PeRie#nl!sPR)Xk8;b5G2W z2(C~b`cGs@9-7W?b`*K&M$7L>%;fjqNFI9AF*Opu*GT+NkcV!WP-|qRHFBMk@oKUW zG8QH(WFaC4iO0UkAgkN;KZ8Hr^V;UiTB;s)zT8b_ZN6;bdl3nQGsfi6-tPE}aYs`D>3bwU7NP!| z@#7yg*GS}n*GXp)Klaf?hmt~HKxa00ptE6oIi$BeMsHA=Pw(n~1~Y$rZN#>Ns)r@E zXUMD(+hLhA_t4d3amSn&|JyNVvyaxtpRMQDg|*tu5m#gc!#|7U)S5Sw8}_Q6g-WYc zSldrNPP0Fxu=C4CsU*o9@jRVqMRn+WO`VID?gqh`JY4&;Sd$iJ`j&G5{93i++!RoZ zt@F#zp%B{WmtSb*=8a5wkdp)DOu5pQDXzOr=bvoK)>hS{4Pfl*4Bh5rs%U7#j>YF{DlG~al zVz@?o^^5%Tnc{Y2Q|DMun4;7L$hr$9t@FRr?g!HD8!`nO!A7S-+hXqimCgJth}jz? z9|ZK~_S|(OB=-F8mxMkMlF&z?3N6DUNa!phq4$D9n=ch@-A5F1boTzJ&>5~-M{JUH z4ohs#eXgG1x~U*C`&Xy8*F$S(iPmP+Xl-=*dW#4+|HJCNe-@p2b#xYNd+OOzJ-too z)Oiu~+1y2oN8$nRHq%&nx0%LDo7dw8zW@@^s}ei#B!9(vw_|fA#7Gmw{@pZl9Ie6Q z<}rAZt>W7A$xT+XAP7nEo&F#~SKMu~HvQno7C#*w5ho7>5?jb;?~uQNQH{2I+~MH7 zLzUAM=8%303AICWB%J8oMhk9#%iY4TUmGbt_6H$wiUF>Do;&wzj;)pvzir6t`5Ph1nL(%&+IavQ z%~>w7H1x-_nr=rNG@SdSUs`S6IucsC)lBTOgsDWoKzq)ekAPBio+=E36h(yABRzVI?#t~wa*HqO-pU`|f3zVTva{UH7! zHO$R=M`{gQl7_)wG6l5H?hva)zLWgsdpDQQ&`!R?FWu>!x*(D3g;($9N6rwP?AA;2 zP&PS`Np8wa+nvSCo4n7TzgAlgD8ezwxuxX#p;fbGTt$Zj>SLsHyWOdkoy z%m|KE0URr9aP%a)EpfH;JPq;DHWHMM2ow>IRQRhXl=W`zHzIQI-D$3QK(n93>ueM5 zC%5{^m;B^Le;QViCBC1;m36CMEZt}yzAkaSHS>e=SRurLc&nL{eeVZ{#_B_&=L}v` z$%p;qJ=tlH*`^GZ&f-=aVo#S>(VoY2LqPe3(+kh=@&tB%;`Pn-le;s;eVOEo2Kj)W z+?2(W7ve5n0}1IeFsL<Pj;op%j(t67iwUK~ZB4hbao%Dp-DLmQPU|!^0HyDXM%oa#>EPBsW0}*$HLe0^G5AIKiLx zus;pA#3fz+G||LO>f4ID#Wd^gGlG#0swwOmGJ&^vy)UR_iG$#o=4^@kx&DJ+8sl?I zmkvsmCZvlGJ5rck{B^4EyT;6(Uw2OXB@8Az?HLz*FSYheT98s3542$Y%51G>wmz3G zK2&%bGWt!r_;}$-9v;t5yC<96;7`Mgk)uT~`VT&vCQk5!JMmet*Qe~2l>$oRh&G(` z8HhcLhhTD_h_@DSG`G-e6|L-`e2=%BZw{bJHD zrXbI=FvYdXtEjRPT_e%%I`PujidP8SymQ7NJwCVZ)IqsHKPqe#!|C&}=JWeb<%q9y zl+BhVo!2)N=x%WACUAq!mOjyp&v#Y6q)_{H#zzRLB4c5fUwWUs9ox?ByLDa>Y1-jF5Ky0sFY6EhxAORB-n5D8*o@r($cWO8B4S7wOj)P`@^gPlqI;rHO1nMpp;ISuLJ)Lp3EGs#Cg zlUq9{kT7^njmyR7drb2mNUqGR2dBrg74^t!SBm6 zvhPk;u`l5L6xrm85Jq=Up3)Mq;BmX~6{_)O=R_}wV&>q*6yg|}*YnR>FGvDvue3_h;I-dEahIWUS~wru}i!I(m?ayxxs~+i@Z=y34drL^kqz|2K*06PprV z?>{KJb-?S@aS^82Ap((Swhm@cNf^))&2g^r3s0ez*p?hxg;)AM_J|YpXYv95Ox^EY z^b7BzN4@Dgyo;Xn<~-$1O6>D4+TwkDYs#B6c_04o`=p`B+TS?`^nA&FA{q>Hpty*g?4pF;2ZGNqFbWJ;6wLx21H)MQgSM zD_RV%n7ZTKz9x<%T#hVRe!7V>Av65OhZqwUYNY5$EIwF+Yhv%vi` zqXO&w_CusF$Qu}Wj&Qxei=1M$ld0C<<}XaO?$391v_6+V zFS)J89k|bs4nM|tJ;B4A-)MV3^@(A)XP6R?IovZ~1f^R)Ce!}w{01HRL%(zSW86ym z8!VYkP&nDib-p~ykyt7m7RnSSKBn0}0mgr_>VoiJ=Qj&a_{VMbPa@=nO+>%1X_Fz% z@0)l}ru`S{bEdtYpAAZ;>kra(Fh$Bn&2D-NebIB*=}h|;!^vi&_q`4?_kqUQJ-hNB zPq+R)|IrlP&$h11`yH+K=Vv*3QU67z6Zi5*)HwB!chP!p`jg&8JG?pD)%OG5MRb3i z_i-YxO={W;(a`@_=s!e5|C{#0>-N$0L!vuBNk{2%*`LPZG?91E0lndQcCxC{{a5n$ zus&-oKJxx=#q$eo<8x=Cncob&N0;pk4P|a`7;^t*?${mt%lzz@!N1Jfe+>R*?hFrY zW$ud3YTXf?$XXjT(%=(q)wR9A+tt6oTi%n{4llBY-Qhz66mBUk;X`Zq&=x*)hlM58 zTHzbRhg-sj{_tT756PXY82cCIYH8nE$xhqB*`@5Xz5awvPB}X!JBEO@-Yh|^kP#Z`G)thJ*BsP(c?FAc#9t8%b2C5O&{KefjTt9p;yT=3GNmm7l| z-!C>L5S(nO`~Rf-=c@ZSIU*_1{cE+iaKNCq@P1I{?#}BH{eli?fVPbt$c84#Ew>oR zbHImp^A=JJO+t!y^EzJ1kfV(-!%k+<3Ls4Wz|hm_-TZV@mJRN18sX&?UL1OOfrIn1 zg`5mqpr!x{i7?LpDa&SNrK`7C~)VAqs$ej=<-qUbcjRv z&|uIK!c_-fe7s3wlh4!doA~Avyk3&%(%HGW^ri~zh%-UQ)i9exz`A*>bqWH&SC-fP zyskE2c-g~C5M8eP0?*DV(!RXd=)(yd8v9mz7y5XyT_%9H>ZL8nY0=9}VX}C$ZP~KL zAD9Xv%Qw0#Jjz63Oxv$hMqn)PuIhI)lFS9(qNDh6Q?y07 z9GH5OQYxGv1S^(!QmL0sv3oFXm5`WpwOXVhXHsSt*zM-`X`ovL~MGz|86a0&G z#AcfgU+vl*Can%w-J*NQXL`H-ZQ_Qr`vGpN5c4>AWBuWkWaz2GzP|{bR4O_X-oB_2~9PVFq8s+Qb`tO&_JFpU;q zFM8gpcDbs9RDE9kc$yl6s()R=xHJVB5qi@d{{{s&Q-}@(_1#CT40Z2J+#>L1dy95i z-Fd1@9W~5n7@LFc)uSgZ*6qS8iA@91IY;str1A^T_PIWse)&Mme;cY`0r2(iD z1i)&9IO=cX2ESb*+glTh9a#7A@+^rov26#xG+rH`Ingy0+o->dJgB5g6=+5$-Jo`! zM3m^%ln%huUi3#=&{;QdW8bNYbkzQ$O=@Vb-ki>sB!NXeF%sq`xD@@dG6(G)q@6|j zWDm-HmS3fS)Cs_=uv78PJvepOfE0ZM>v&4Fy9LnTqP@WK&w{-VQB(moCKAr0cKqlGA4rQn3tnvJcK2l+CSW}A51lR&`a5l{4X zRd|U?h|#W2bn6Si^@KhO$PDl9;G=)kNB^LYax9v9VY*7KHra-U{Z{2hRna2k)>xPX z<%7iiY8jTHB76wZh1v~9zPp~I0vu}BLk6WK@;Qo7y~FitwUdx&gTl1aqMD#&r=WXY z(7EDa`g5c+BLk9yFvPc^F%h3u4L6jFo+ABn$K0M)OHZoJ$JN{;g7VjTLTVDlEx!cn zgn*vqPgPVz^Q~_BA)o~9{n~v&qv3Gz8>>vCVo0zpk5BRd2j*K^3cB>F!|zoVHy~>Z zn+)h++k>K2V!_j9KtZleZx@q%7qd;ButmW&$gF|Bz3QXZT!(AU$+vuEn_2>12OS9C z224;MK+xPGEwJ=;n<^u@D>>jp;&WkJH>!5f7F6uo5~(o*YzeR>5vtS@st-`P+tpze z_NuTIrp>&tr#5C_d%fCpvV_rq=744f*wdiHag7#?r7z-hnlMJ)A!S2`zPHTIUvn}A z`v`1p+SWafPkVR*%LJb^>hpH#Lt2}dl#30BT|4jSa=rMS;=AxM05>kSWNRY;^D&8- z#&vC+E}7gx5?C@mv}B74vEUoCeyo`nK!aI}J}k1@(YTXQ_yAc;_VZ^^b~41csAsbJ z4pZLEi~9IfwV>@*8y)r8OG&4I#iYxd-eV#Q*G6{ec{{bldUx9|^N8}^bSLw9lP=~` z&I^bv%7K_kV^zF6D84Evexv=eYU+2=thp3jNR_4Dr2nd|oT~I&R$u~wckzmu<0c`A z_zMD;L>rD}<-&H12ah`Y6fq&*$p075WhAbEu`TXTGf0neX5A%$m&Kb&GRk<6WR<=^ z0VOV87#8Fq%C@Wv6l&t)rC~k~wR~k=(8eDFJtz`9*Gj3t1sy7Ny^XU$6g<~Tb@*?0 zmYGv#p-IMg78q*KSTG0}JOB}aM zU*OGSYKbnNKAzS@wQz#ZZC~Jh8p8Z5SkXg4`a#MpVq$&iN$6BF?4ahQW*Qk^dXU6j zVM!POf)|V^-OqQ;8SIQTjB~!kY1wP_^tnwJUf9r3uC(+`%*@#2t=+VB-?XwOTG_j; zTr6*`6kcrPbwYUo+uJt0` z2)GAf6AzJa@Lsr6i@#!@P?P`B0&l}TjOanlkMavVXzpx6vQdgel`FTjxYT9qyxVR~ zoCuWOkMC>TiuxtNGuoT!mh@8Neco-?CEjT-TN_{Uetdu9R`0geiFaGd{>J;!KAarn z?pIUqwHMcv#>@M0(1ymq`!Q``d>2~1+wM#lmWV^-{rJVkha2~JYws`b^9q|Ai}!dx z-m(CVi;>Mh|K9ldFFv3Cm7(j$TPb7DN_#Yxre~%7I+mtqrEQO;=~-#Ni>2uqQa#!~ z7`BrLU=D#(FZg?w$515eraqZrzDSX`r#NeGID04`Ze9Ck(K^DD3OV z|Gi&)H{6_y_GV&zA<7${-&|ew@?$chK8Stk-OA~^>lO$pba$%FZ3g;1qCI{;5d5B@ z-&LCLtH<97xUo5p6fk1Gv+lo!xsC{Zur|*-#ME`)=(sa$igOA6-d-`h)kzW<}8xcPo_kZbe(pX|lWca2*#-!&HDd>48(-wj(wn(szFqs;d? zhAubX^{hENHq%(5f+Y8tQLYLqSECi=>XDW-m_dq-D}^+GL6RORq+twFY(y!f!3>i0NFfbrkYb}t zAq{Mhq(=&Ac!Lx-(mgiPL6QcYLYg5#iXLy5j8a?&epxjpei%Fy_sn=?LGjLs!UO_zUu0F&Emr|4lO9&YWb{=FXz9z;3Vf2 zCFB|AOE$(YcQkVXtE^FHCV!Z-eKbLn+!F>>tO14sje@-K1urtkq2o z@NbBNm3mRxKcgF1^Mtj(A)$0Zvh4kWiHEP)14l=2ZFJcJOUsbJvYrMGn~t{Y{d3_* z=~-L&o1L{Cd4wI>J^+z6X&;gTM7m{~0o0S;&O<=qr&uisn-gb^T4{G!so_NHMQimx zvo@Vnm`68sv&4dvN}u6TLox4NhNP1U^DW`J#AlSC5(|P7^TQGggAxnE5}yxBEDTFr z9+dceSmKJH#N}a$#X*TH!V*^oB^HMzv|vfzyfQ4I^+b^7NKnRA{Cc+)M8d#1!-UhN z$}_aF5e&w#C(-2wlTL;Yi^GR*9(+b`6~Fpt=ZE}0Dnm~!^v4ALHOLoZyxYFIrMTbMT#2>SzJ+MXshYw|KVPMQWt4YCXbc7Ex!v|e1O?kYT!iQG(0OJi>2;~nMcsG%jx$J=Uj%Jl4O3$7xe%~UrwHs39 z>Is>``k~_eg=g^_ywh30Arc6`wNc>ilk2E#?FY~F_dJB#!-5Pun@%kG^yE>RmVdK8 zODGawE`T_*-|WsY%ls)z=U#IE4|{I|UuAXW`zI10VB`rcDpjk&9%o>*Eh*YUi!}#> zoMTT4t+6_zwOA}#YbC;o(rO`0k}0RBX_=XJ#(S@G$C-Nn({_6A-?rAGRY`aWFTMea zqNu$2l5j+*FT6>T|M$1{ex7qq5~}{M_y6ht)8_NZd7fv#uD$l!Yp=cb+G{(jKDGW% z%VYN2_m~a&8ov@ev-2ekfU^r3b`sURgI;ig4I_F#(KB_ znL1>15IxBqMpdbCZ_7$F10qsbflTsN4Rq1?)VL#wN#0POYA2?~^(H2{{dpNvPEL*M zOHhm2q>JhqoHcmF^Py@?Dx;Q+>k(CO7*8b8PHj}FaFFS# zK=szkrw(=nb>pzE6T1E=UD;ZMdKgbBhaP*;&b37jKy61$XuEas!AA?t0|{ zfmcr0n-{>rJN2{f0y!-V?t10|5#&}ufgLcd+YthEn1H!;!Hw**-GK7dHf^NJT=098 zFu4su=f2PLvE_nbJlfL*uPbm%(0NFKPZMYgM+I(=2c4Y?-FQJf82>UaZz_1l^q}+L z=h1F1cx+;Y!3jb_Ar|XLl4eETr$Y&m=k@;o~r& z@Ij&g*|e|H=}IS!&X}kzijr-C)a9s-QPRIDrR^Jv+@{D~dXvx0Z9C%fgSAO&`+c@E zxeEvzo~%_SZ5cXsZ>K&V*XIT$)P~EvE`3U^k1`mIxVCUm%kwF|yzObdJ(*~Be3@HD z*2%j9vX$m_F*!X^H~zv+L!cgfYBFtRG%|(71Vial`5{F%8Pw5l8UO5*TV)JqaI2?n@fj4)8(FpzZR+OhHpXcs^ zJQSPzk5t=Tu_Ncm4Rl|s?H92lp8^DlrDy8-iW9?P`7i% zoBPT*?IrG1D50-XW7-gRC26g#!31P2A-u<#_xOr?KYC8~9w4D-unFz%y74?oH1nK1 zUfu53ckfCb7sOz$lI)Q@PTkY3>gf&?NJhyps%K(H*0QC=DNMz=iQ)WQ~jVT8Rbw@4J@L{ROQo)L1F}-K{^=Q-id(7}sHUwSEDRi(38CAYGGR zKq1L; zo4;*O6&`hCnw#mP#gv8^b(VC$EC@u+!c`dWA&O4PMUX~?HU2u)_G?u#NS*HzM+|BP zh^GRa-TWA`D?m@a%m3fwBfj<`qitLL+R`x?f1;Y5FI?;QN|ujUb6>b4s9zb>ZwN-~ zdo!hC}L!RU$$>42(Sd(%&@1`%g8{bY`Ne9b+sb&s#R$2Z*Lo9-dq z3>j{6j|J`_Z6Se@sCj%#k3`$Q%8(V#8-!xNf$0&ZOOhiUFzAOK+~YPg&%jGI{8 z_V=XU7`*+*rnzu@|1r}W9wUN8$-h zH0PaQV=TD&MZyM-w>N@C=OCWVX8T75A}>kg>Se3$ZMN#(V5{yRYDPAwdx)Ed7LHAzrz3%ea{@i=X_omBd+jH+F z-vRPz&>!OINEpEngloSZ{QjcUZ;!mcI6k+wAAW6T3Gs4c|;&X(7|`Y9MO&+;0xM%QT{af%Fs zRcOOWDjb`}aXd4-97pDQnXaX0M~rF5sr}|FM!@&W_A7L7{i_N!{p6h^zd+jU=vlK343e_qlwr;)z3r=@nIh%xB-e(erkSXG!dc5#0G z{8*8$l?)nXmO)6h3@Bn3`}y=vZ3)a4h^3}%)#q2;rxdRGyvBV>-Kx*I?o-NEeO~82 zrE1mZ_3l%OR(;;!K5y`!H@Z(LSryyhK8;NIobNu3`uI${Pa`TmZ+4%e73IaFwqO>? zs85Au913)u05>$b<}9I-&ikl6S;KiY>Dgwa)Yf|L(i$xk8)a8C?>m+Hy|hZ<8Fw&zKfW8al^FX?xgVX5vUu}%NCWRyEkHpkmlW)5cG@WPX1%>m~1`$)D; zcS6j2F6ex=l>c2p=e8$R{H0uv(tvd_aWaqH4y((lrg^WD`NeBk{qKGy=zJ~~bnf|t z&Ovp))S?#roY+^@goYO`rK(r#u8G}3qpWbZKd&@G)r*EIsROVi27cM3HLP4s?)D!A zoogt1hZ@rGtZq(ecv8hQ>=9s_R|~K$t80VK&9adDs?2L;p0Ir-nukvWoxLp-^0ZmH zdy|re&8lqA0TR;KAlC)(dtzYU_O?MB)?nIDxoNW|I9{&ZOx4?Dn>-K0$(yjPLV3X3 zwe3Ou_Fz0XbaUYwLH#Sic>3`s*=X&1B&gpPjAvKe8MGL-=(u@1<_1SGZM&9Z3rCrr zkIKe#-b+MaI(O6SLj)F1kxHBtp{!$TK>v%jJ$q+-VqIu_#%(_io)$0_n*#~Ucw5NK50-p2%k8OIb z+H5zT@&S);+E@L!Qf&1B4{yp~RUh!q zwI1=czUFg8wTjuQB~h)CRTL1_Dj}q(t&%Pj@XocqO|6N{4mOb@_O%Rpo!3yK-?93c zT?wVsROxkA$h~A?+3;+hd-3&%XJ5STE@oZ9`12gs5(8*>0j~8}#I>MM_@CI8@)htc zA|UtevW0DUR%~m>vDp?hk17$45^U4`H4U%D_|` zR?yJ9I_NxtPW7uc#*Ja2D}C-0{OoSQzD7(AXjIkf#;TCVbNk_G!i*W2_G3|mf}(l! zs5q1z_qdjWu=URdt9{sLkQIGQddN3aBI3C4|`pnpqSQEW=RF>h` zD2p=%+dR9;3Gw1tgLA0R%x|0LxOvW0VPY1Sz#|mR!q&{OraI4>W-&L4=%az7+qD%C z4V-!(5DlC!`G9D+UhV_ldEgvE;uCB78=oVp^-3QQ)q0f=h-%dibkT5?SoH3O>tSE3 zB&VXbN_Hx0tE49dM72tOQb5#JNl*%S=e8d4wMxiRj;O5?vlI}uRf3iRqFNm?}&mYIj%;R{wh~Tq_@in8YdVO;3Do7D8 z#Ccw7`iN=4Z)>lrn9yO*%2GY+uNpOBRp}GKZ?R=u#dqqe4@}r#&yz~^yz;6s6V{b( z4Svg%x|O}qVaX+L{|0sV{9n&K`=4xWGvx0ir^ZW>E;1*_Cv1vi1R$W|rR@gJa+->; zdPc3tG&SSU+_O^`9nsHG{qzFDj3aY1sTsX<&#qTk{YAWuxoB=?%nU}?af$OElJ-9( zY;6!R9(;Dh2JUQdtAHPhDBn{)w_Nz4X!kwkbL)y9s(;>7K4qYN!nE>r6j^I30Bg;4 zverc6YLDZZZ&O$N;MVvE^|bYm*)r8;+Qa_7GU&~`Frjm9=G=ge4vu1p^upXsI-uLH z42}@>l)jDzzfA{+GOtf~c5bFVz?iN!IFMN>JEr;ozX2F5{RZkDP9?*yC>#&>NgbP~ z@nu}G6Wm)r>d4ZQ^?18^*BMxgj5^x!%Fq!{*DPIF3J84d8M1WNasKuA=3PUSrnha( z{Yz)@T0g3{W6!YWU5kU?P94?p%5ckAhB?WoO?#Hk8mgC$JtLZT(VW{x9oO+nnI#ye zjK_8CDO);gxPPs{^^ek&wT=1q(plvSE$i4bym{9J3LVCEqn2}oB8GMBId18!k^XgL z^DYXxZB%*Nm?KMP9k0;xjy*${&XTv#%0%136QD)wsn+8e<=<0-XPq!;i$^K5Yq9XJ z*WwmeDs+$*j}BY>f#A0lqdK}rH0=zQCO%kz`~mm%CO$2N9#^(ul7AFS9Zd3H-XE?L z$NyjleWlwvCvYq?!Nze_Fy3tOeOOH}0aFkC%oeNNF}#qi-VmF3e~sg*?2kD%>F;H8 zTSwYOt0YSSA7wN{#o`$A>>#LF?zlI$y3uObZUiei=G~<-LD`R0(ul2?Ue%YJ!Nj$uw7I9I@v%g9CNjv{ za!N_!V&cNAnw4NXN>F&c|5+c3R80FP6b?vm|NXL(zfva*YTu`_O~2Gc2{3!f_tAc$smKTy zxV@(fFkX(>i|qTtXu;-S0yba@?-Wb1Jvyr#zzzuNpX$vSt)HA{7=`xgSL0;!%EtG_ zTK%WV%y{)gBJ*h(t$S$>t))p@#D}5Wi z^yN;{e(@mm@+iK?xXdf_26QtbH#c)feG^^G-ehwh^pfOSH&)Z47y0A?=jB+<71E25 zu1HlHN^(j=*@B1o!R#gJE_8MPt&XnUVK0XX`Jh4$6JjrmYin!hW!jRDWRefV1u#vGo_iVmJFqjx@ zwuub=o=<;`g}20>^x<=T_*@_Uln=kohhOKzxB7716QX*r_uXU~vI)j)0aDY*OL zb^LD>MJa4CVP2+7{{=}>DTs}P4MhnFBO%~*RONm-cY-H0o+2=Pi=gxr0qH4%(NhGX zrx5~A5rDqc;d-ir^;C!IsSear&GJg}0ovSU0#jp2=RxPy*U~0C1ZrW6`S#<>nxnDf z)6pcK&YDx}#?!Bw?uu=qwljD>;h$Ul^J)Kl#y_|D=kxx#-9LBw=WhRe$vMr_A-tTzw-PtS~#nJG!ccs~jJxPTcG zQ#jFy9d-RX=Sts`s@>81pY`p3*0=xvSl`}+j4qL2P<=a-v(zP#%4M?;h*U05`hZB~ z@{|vVR4!Y6z@wY?RzEt3zP)xY=VF|~y&O@;6z)DtRPA#GFk7uAmR)xPGlMAb?pQd^>GU-tn~wQu@> zsM-TQ;9XREyyQt%BMsH={Ihhtf7ZAES>OK0r*GenAYod#!SwCzL>958l|CREHLHC< zG-^71fGK~)XV&?E0i$M{+X^gTO$(*TAj<}yB^s=c_<*R|$9zCkt(GZ*G^$o&qypYW zwcqm9O5!YPtwc`+MAb?LRX|j&gi!@V)k-Q=z`LmS+rC-}u*wp(R+6j&qG~15Dj=#> zvaJH5Y9-_<;9XREE7h89G%5nqmSX@Bp6pJ{>B1AXj_I(_<(Q70z8Ro2GPTD5{k*2Q zB2~N@SO8a1U|v5TUXji%icZfHANMK;vRBJdBmiXbW*yvna`xQVxW~q=9Pzqo9%H4! zy|SG@u=mSv@ zU-hvM67<0+h_B1WP|}#Nq%lf!B56*H((qLuJBgr^q9DHNW2l91IXMdA>$0(wG&U@0 ztkQglG#`r6@Kql>g`iWSAinBjrxJ8(6vWqMr%}>rVM(Vc&4)?z;V2DX^|8|lIz0;F zt3GxHL1#okXR!SvMQXJDQ+S8WGShb_GDkxD&tzs3MT|NU+*^ybd&e1gfgQm3RD5a2uCfs;mE$>BA(Kw-6`hIVu@9HbZDHPi)LFDj7JTFwi|i%RA%Y?bFyRxO z)K4iU>$DkW&o*NRJ4yT5YQAZQetxf?okL`xrufCF8KFh^M9YKG+PsPx$IL?X;tK7C zRpsu`o$j!!jvYg82TOA^_N9y8ivsmU;59{o`XX>{QJ}sEysjuvUj%BWHeZpx2)v;v zP+tUULpGmMUj%B`D<7yY0=1=;57ZZd+ONt7>We^aapVK_Ro&h+byN_1_qS5?aMpA= zdP2Q$PV|MJ$;i$T%Vy!Y-T^oAK-{HAB@Ck*p|t3m6c`Wc7# z74EOzNU|;bW3_ZO3YK1MLwX+p>0=Y;KcX$jf8!gwC37Rw+rf+6$n=tO(Ym=qtg$@Q zARcN04*`7;rM>Nq*%73I9hAAt!d;T?NiSj4bVkV~oPFfX5j!Wl_iG=b0{8gb+H}ew zrtntS6|1V-3pd2_{*kyxXL;lR`#%4+C3%173Oo5b|Mo`mq0lLIaz*4&`+?9scJjf{ z-L~%BaE`JQzjIF=a;f0%jYrYJq{gjDja#2+tEiL4E>YU8;EugGuim2Lv27J?Md3KG zek;+jlgHu22%i=Q)-MspqdN-Y!08sk%$+sqIy$Nnnbhi^(kZx|Jal}}`fa#CB3m2V zufw2+@E_ArmdFJ9=;8za#hDo#X0DCx@KG}>6}L5v<7{(nY-1Q#rMPur97jlNW9?zw zM8z!+<2W&18@oGo3?|q5P|VPM$8y^C)SxNlz2vLC%v^!%nM0 z&W5+>xOz{we#{&S(<1q%>Di?mv{zZyE6aMzA{=ee*~^}lG!io>xjg9sS6i@??V;NY z0}I}!`rHdLmD;Ur4Nv}@EI1GYbWU8Wj3@Z%k$Xzlf#piOiT-cc1q$XJr9hoT?U7g7 zo?d0xq0Hu%als)q?s;JvDv$vb9Y!+iI?SXDewnIrDin99Bl!_EIH2srX)LDdR$oeW z?LVj7dF`s9L(N*HPnhYJRkUZNpnk?cyOi*T4L?_@YBm2o969F~JF$7U$;*?Fh4zV2rB=%3yxNJz+8KB2A7Dy!L?C2o)lag^|OUfU{wzUJ!_SA zo6_n>1h)mW^%$jK>fuP>8DZ%$qL}~;Xu4~Q%w2KnWK9M^!X^VJ$O&f)`h+SuAoH|r z5QzZRsg@3sY+0-PEBTV`35EA;P@*T4XtU61)Y`*+Y`pi#!7uNXg1=WkhsY$#>j7U| zc9C17NM}`a1bFdrBw76JO1*xyO26|bcAtbn6192O0Se|<@hJxK1@P{?@6Nl4u*K)b zB8Eb#jMs@mrBSYRF`Pj*zEB9w=p^k13KnU*Ue&>1xlt8CTd#psBf%|?k+xIiXe2`v z8p(7eZ$~Irm8-O7XHGhvGI+4n0W<1{NmRjI}M@Ky+oSQf0oOGG&`dnL!VRn)2%<$EB{= zd3zPLhaVe(1{}mr56Eq7k8tuD1?o{2$8#4qgeOsRj+amS_BcrMqZzF|X=01#uf zvREPbP&qcbwBLppvmhCt<%cGcQI3XtJUN?hXa_PAY19xrM*D_n+=m~)46e2)q24Hu zSTQ$hWIREHnA?g0^6g0jFdz+ji~|xh`c0y?*zp3HC~tX&Rx!gcw)P7K+G^9Z*mTd+ zWStsQ&OYVT@CJO4hY5BMw@~nVN9;~zQ+|7aR_I({Bhn@~<^%(h;$BplyHtqWQ}@6N zh~&!#8fitWL2u;H|r4SnVuTFA?RufHJ1EwFX?)ozR+xKrat=O287rbNk{W(Nm59R; zOuk2LPDSDc`$8#f(7ZDDr*|mCxXNo3F>fcRWJ~}j!ie=k4|5B><3V+oqY`z5a`8uR z4cM~5lDLlrN5ol7?0sELa>LKV*}vP1BsZ#8=g?)nqg?NZ`8{L!)65Fyp~A;4%J?Gv z7I3B}T8YH%_RQz`WsYcM9i zTB&S)z*M)#J3&VZ8c7k0FP7l67=gz`A-zu%&K6%ktGmw@TL;_)ZgrW%brU*t7b3Ti z)v>@%r11KrYn8YYQ4W(HO=X@+W!5eOwjpz;1wCbF(~B$>=1nirXYEHz_%0j9^1Tuj zH2oPxI zm^`JZqZ4gYhbU8)Of1o3i41<7xRUQXWHSp!i?UVgL|G(O)@62d%_fpt?b0)oZ5Ls0 z^EsRq?ZTL1Xx^Y^uJBQ_AN!a%Kl93YsU6MRVhcmWJX|rFFBz3p$zVn|<~2TI0JN2j zNKM(9j?0)$5Yp^?4MTQHpI6{AdOe&FdxDl1eFRKVnjD*{B4)^~qFe z?!HRWEmMNpQGn1>d%OVAuggQ99j`t*UVs2lZ{rhaR<-0VSd}l+&El8X#nQbiCQ@J* z|M(SePhZO2*1=`%!RQ)Xeb?af8&704m8x?^6F)AUZYd`1xJ34nN-#A9hveyz_)zkf zcc(J9(q#+A=LmBbLvwj`W-IrC$G?JLBYXG+_`c2q!HtYFDpg(_Z!x)177qrwGHvaG zk0rC8=d#DChm~PZzDE+-uatXOwkKM*HSSAhFRIL~Pi7anV2H=6>jvhMRp^_t!;AD! zd40qzySZIAY$vjd$Mg!i+R{&ADqZ=VdXc$(%$qZ`X_JP#jrs)1KQftqf^~{{aT=TdC}|6fhGYpH5DBTtFUjKtBDs>}f|qNcu~O z>?8~-9eh(kY%zSv%yWtC6~MPG{qcg7jjtrBm&@&9g6#vT?BrY}w`(5tA&sxepHJpc z1lS<=m(Su}$Yh3l??CC%#9B6;=xs2|WgvZ6>T;K;jDIULwXrg;?3}WH{xBdvfS0Yd zbGd-*oDQLEZj#+4kK#RjPXJ1FA^6ab-C^$VdtU#cWEHj!)x!5n}ufT2QB0^O0@*`3Q ztd;mrOmPQtM^{zQ@;HHfS8q-pJczDtNbt9h5yB;q7o@nY^Y3(}W@0%%`s41$RY7x> zwFq_WYrkAHRY&$jfrfi-60=@7?W@GND>D32nGyD6I zpIQ_5t!e%Qnn$SaW)8*ljh??bxoICSmA?~@NCq?TJhc@(oZom~s%`4?YE5CQ?)rnR zN`H|SonYg~wI>}fYRgA*uY~?E-*tOL9gZg?Gb|mFI9n_4mNTY8iYh7M2ahCi+oo&m z9Y6RAw4|ZdnVj;NhT48N)SiMLydi3>OJ)~`#2W8=lD>l<94IWlrjQ@Z?4La32cJ=Q zjV5dE9QeT-x{90r-v@W3$A+Y`pE3$aa=9(e@ROM!-n@8h34?S%Z`Eb5bp*M?5u}LC z6XctYAhnG!v+bN%-ISMZUXdq8t`=QzH**t&_)0{G|H_QOZKoo{?IJ|y&Oj(hw5|_Y zPIYv6YQOf%ANrKXf|jGylvE2mIi8*~{~C@S&smko%%gErc^WmYgBnv)y5_@j;|Je@ z9G`ZS=fG}G8s$9_{9U1$9yuf!wC*7G^KG%c zghPf=n}U|La#ZyP+LfL`H;gco%qfqhKV8^@)6gd}pJ+S{fd8=p@YC6j`sy}siOd^Z%bcAtw)s$B`YLq&@ytbI>#~a&@_p$mxi>NwxbdzF z9qXp_EciI{9`oZlT_VJy`SCl9`EQmZ4D~%hT;pphCATh~y+~y@j?JB6?n!;wjd#J= zRp$tdOI2qYA}gAJlG#y(JnlEZTg>C`A%v;og1RY3Z(dbMQmYr-)1SBf#87X%%}C1e zHl}(B7P7UV<*|^Sj?t*}WyY%`6YY?)YSe$>*f=xS74B~zgTCDO zC~Qw8@ziDJLSI*vcV8&_66ZKkn`&+t%TZM46($T-x62>VC5h&~gSVVwyKZZ}Bn9Id zk;sfiW-RZ&y=LW|Wt()_%Q%;|ivN}6lKJSrunJc`r87TU($)iF8n5RQT@lF(kvs#% z3)U+V&2JyPr4cDCm0f%&(ROPdrrF6%XIr=KTgK67sb?}<}PpK~u7t7Np zFv9aQWjNe(AF-lODJrvqGJScuA#hxHXrW94zXqoF(q2uatb~q~FF0X3hnm{Ej~5NM zBMEIzHt#x=Y@2o{nQ2e5Z=KW*o+j{8Qq*NSlFd7NlLt{5?b|$^W2@#odf)nK*^1Mr zWou6_n>MN9jA@f<&tUWCMiSk~!hbfpl&ksIeN3~_@m$S+Zl_Y0Ps^rGuTXN9C^xoG zo0K|(odbEEoxPHD{G(0_X0y({n*ZD*oNBGaH2k>6Wp)epCw-07ruxab5qN-UHv0ls z^Pk%wa0q8(BMMWgC~F$ly~fKrUf2q=kVRZTzBzrG(ZjUh-ini^eWC)(ll3FkB{_DJ znzFgE8)){myJoK!2tn(&7=O9{3B4Ui(`6UIjP}Qyci^V)(2xbe@-_c*+LG$cxjK7U z#WB01K8WH^uI~7H$3K>qU;>glxwP=(xWbPi;Rh64mYDKX<7%ygxo!1n?$C?IXK?Si zCs%iVy;J4skPz2QH-ft;zPeoyo(eN=5&e}kO&wm6=9D6RJEgPn_leB@g2aqBTk43Y zrorEhWK(SmxssPbIFVe8yR~i@0m~V1#}ux)StN+X~9EdhS#=TyrS)5lB&237X=Sh44dBeg%$C(FA#R*lz4FACQ3Q6k{Kj}lfw;cua<5raLb+v>n-EB@+;x;YhH@{a+-Vj@xhto1+%|UcY1Qq( zQju&+KqV`anRSirZ1=A+n0hd{sxu|8fhPS7ec+=F=jbLzHJLQE&Y#!c#P4%U3;rGBTA568) zDNSiQL@kZPo3$**IuUOxOy4IBx!Dwe-L=v2|AA-40Al928Bho`5YWd+D&<~}f^ zsd1IhTwPijfgrKh$Mz z8JoRuOguAVO!h+7J1h*dw?Z?Br+*t(kj$*6l*WZ9DSRVVloJkM<}GI2q%4Ei8zOYzHbUk%sr+`-J&Q6TiZCiJI#zy-Od`nE^}>p_QI;>bteFO zRqkK&!x4FX4yKczACuWQVO_d(6|FuYk-Zrkn8jm5p(vl)@vpx0P*z@J#dyHK#_{pl znPbG6f@Ft63o{h1A2l`fNi^zVF#yKO3(O%Hw~d%_EM-S^T^FrhWsa)c|J8|?}BT! zQY!6I`I~Zy<{daED634h#hQ==c8-ZpS$o@4{4D+yTBnP%>75`9CYW7_+jl3jx3+&P zP*IuR`-*Zu%fCw?V!URa&;1C2=m27=O0DdEl{e(iS0_Tlt{*cUAZ^KEI&$$XpA_9r zfDfZFj_ERkDr-RK$`q!IUu>sU%bRbBJyiExpyefjkj6^*x{IVjf8O=YIWfc+6W z4|2j5Ju)wc)RjI_qo$z0SUy$e<`soJc%KlxE#6f8K%73@* zJ5PS}%V}T^MI6tDfdND*DeQog*3qum))TGi{jR%(9Stn~;?FNngg=>8cIVZMHKJd;`L z7BdC(1iNp3wTh|Sb4$h+(0oQiCqpkDG)LA(I0Q3D;Id+{o;(R-Tfyb01dk-EwB@wxH!s=$`qkt)j_~t>)V{RHAeI9^tt!7t&xN z&qb!7;~Go)qh;3JLx<{tL3~8f44xuhqAAmcPEmnQ)~MbVvf^u~Grs&A;q(+`V%WBo z0iTH`iMG=^qL@PN2))dT0D!BO{5AaZuL~IH+-3RrVTo)_dH)2VJVh5wHVydGrYSk9 z)6ruessg$Y^EF|YT9o-%Um3~eOS=-k6~nf(?n3`a^whmgq{ziujTp*TN&)#+oUYD7HT9JDkMj$qUL z?J*_kTcldMR{fVPf&i&RYa)tg)Q2FWcD8B2W!$Ipmq3R-rn7}rH% ze@-VTzWk?Qn|=r9?dyJsKwnD2akG$O6TYO@cUMwwaR{i^xu2%&cxG)lY#9k7%mG8| zfyNKl<`v#S%V-iNvJ(+bf)=S^@+~TCPV22omRXfM#h`B8yJ&R0b681^%a9P%9Ir8& z9%~yw5x=zYTbamgGK~bR`23}6{!efhg#y4Z`E>#)rD=B6>qVm>8eWZJ{T)ixcHV{% zd5H{zOhMEgwA3QkUoN2gy?~g`%e{ ztIaN`bejy7#{T9mLzsz+Qt}5am1s^s);SY)BMcPPY{ z_g_s`KHo^BVHm2TC4FO=3KmaT(kIrl_@d^%>5Jz!_mu}N|4D}CzIf1jCK2+oUDEvu zKW#sJ1*7@q!y|9G%u{b-PQ?!srHA`=-X~GId!;4127+%sJmeN`GH`S|r($WMw1Y%t zO7t)MH1}PUp4HrUQ_$MZ*L}!DCEXhOOZt`pQaZh)?>9Vy)_+&*Xnu0nFX{U}z@%p{ z>ARC>(E43PVUSspn`yUVj0dYog|;O5S{50{xGxzq0x zT)C6&$WN|P;#Em*gl&7H`&jSRE^TE=-^gt3cgr%vObwyc%xES|qRt~zNjCL^^2|sC zrkavVKxl6Xpe?Fh()$x|mj2q3-aB~)Esv5ie!tQ$>6K2d@v7=}_uYJCSmPI}*ZZ=$ z0cI!}x-0o! zi??(%PR$32^x`e;jT2bY9cVnCMy5Z#_kR{V?M@UCKs70Ms|$M^ePUJ+n_g8c1Iz5Rct_dl)q{Qd6lKaU@?$9>=CpZA-; zzu)Ekxxe4v{{CZ^um0TM@h@rr)+w)(nKuihOw0--Wn!wwwwf;PM51HCh=G#R@?xBn zs|ppkBZy1^{O!$R=_Z@%{ z$^Sm<4Z7;uxe-_Pv}He+>~x5(MaTA?b1}8C$x)}t03?BvCmpFl!?3+J)6JOztSuTp z)xQ;gK~mQWm3@*j(wuzWwJtA_tlj=Hc@(pSjL$_>Eo|3-EU zY(D1)A$ABW{5Xsg6JP$%Ve#ER;H}?Kb!H5?Fp0C@as?-{1w$$|<7>8^I$S*b2c|l25^B+qqOAI+H{W5 zWgf%pzcJMwX`eq4?Lc9g5WN?$N~xf&Vs@NQ>3#y#!-(a}Ck%CJ<%F(;Ph`I_S!Ugf zv!9#Tx_;3@)DA(5w7lFkfMt&30)>273RvciRNJjpowA!qwOwNz`yuJojXoe6ObHpv z0C(6?j8m0sRAJSzi`%g=T&d&899dw-iznq$I-E9}CbKaMOt?xKh>|mdpv8HFb z>bz-OYx^RO+)R>|o?ZKWzL-VBe@DYha#vMv%l(ZXAMCLDK_nBO_;MX+$xR**`E`q| zR^+JzB3;fnk-jk;8+xb&SnZRoq9v=5Zp` zMjRgsU$BL-orK(Q|KjJZ`&CEC9>R~vNuSFT2D_R0s%}*q@nfx@%$_Uru+DI0-qa>= zK|X`uN?_j$$-pg3)3mRsc#aE=}v`=sCTQnm%=jp`lsnY$j$kSy2 z=X(%p*>bqIVv@Y|@SL(V)zGK!=AHPe050JTq=NalUkIA18r#drlK}($MD3Epj%48kL2Gi}8T++$0)H*Nm$V?{M-|jkw z#IuMdSiAEQ&zH5aUOZf}A29^mg}cqKUM>qyY&|LeVJ`)xnM06+sw4-E6)3L?)}*m?>K}CGz@Q)>)SXa$%)n?- zIbt5tp75p3PEPljy-1B{fWCiC!qMau{`Z#=>v5RAO75_#65MOS6MM;&=&Dp7*fF%H z7o;*1!-5~A6H0QkET_pP)q71kY2-d{8`sr)SJ+&fdA7RUQej}S*ObcMPS%f(=`DSY zm{530$*hP9r}y}8OI=lK^8>VCd}28*!-qPKvt=IVpr(X?1V=TYe@QB?WsF6Gzzm}O z8;Jzy$Q# z{k>sDVEYHy*q0<9`l$YqRpSB2wisu_MKZl61CZSD9{co5i~m8#w^Y+sV7 z#%Eeb`s0HY{Ami#bTr*oF{^5Eds_mBa+!6DU(4Msdrqu)u811evAfEhSke}3qLlNC zhpISA&Qa{Ov&^n59C-|ce{v}`bzw_9B+=1ZmC|Gw-CiOB+DXkW-4R)+wZJa9`S2c1f5S81f_6cTUqNbJoc@t39WxA8*d zL!`tOQ3q_hwWS@hEO8<)A%-kAGV$`0aGd1vWB_eqtN!SiO&3U-9tQ@j|APU-|R-8rZc;@*$`OaMycH^k18y!*1=@M0( z4^=dQn2|w?7#LQR$4zUi{pg6q9Ec=pxlsAHTVQW&4ttUd%+p_V9wf91i4hS00psfVC zj$lP4OtV=I^Uq1eDiU+HBuY1QmQ|LN-Vm#3?!mz1bfq1ngK7!S_m1o<-noCYfGooL zhTvXZ0@Zw=3Zsq@PX#|-+1ztM@Iz7G(oHgddx1BGctz>D=Jw;&l_BZESg%$etAEZ{ zN6fhm@Q2)5)I+gj_0a#7M>+$o`+U}mweT*a)#ru3N<&WW+Clq3H^STSNM+vYE+;2) z_AK~-<7`Y4`9X;wTy-q0+&xwviWRPio9u@sr6exzT+=8`SG{MoQ!-JigSNbaX+ zS>OAaC;Peb)Ep)V&4m@3LNkvU8W>VbWsjPegRA7kkOlCy2P~%&p3^T$Dt1o73MpNO z<#vUJjoPiclOjhJjdHe;)c?!TwBeyzL4TDLoD zUH!3=bVW(3Nm4Lh&N73FVTrXDnLfg%R_yiR4CG)5@x9?PiK*pdD(q(}&twK!+ezxO zfC|YLsy)j?$4u|}z&8y(O{#{hZrK4=?`^vE_;Z8S{k%8bT5(R$`Z8~cwp&jKi&bWi z-1LVBlzD@d`5W@&eqPtM2(Kio#(wX@w>T?RIdx?E92w;Y_v)KtM}8KF;AybD_mj8# z8#aJ$joK0|B54S-qfA%;HEhT?ETfE^y3Id8<~fesoD*xCz7dZSrBg@F-`_TUMNL!B zN7JuNJ!SsxI0L88Q1eApnfO?UFTEkwCy|M+kM`V~4-LPiWyya&Zi(4qx!LOwSRK#+;- zaT41&E$7ui(7qAt_Xw^8^wp4=GdN^Gl?;-Ng1on+LNYWqg{ z^vt0YW0?;BzU8;U-IlJ1>MxO0=aUE$^$w zpHHY_Fi9e4(Skuz8OhN?usrOZ?(L~ntV!f^P;{2ANni;*Tl}Sro(;8`1#3s&(7YNz zrB*#uL-}sZ>`i|yp`w`d%CLNtIDk&0+?}4wUGKZ7K*@IwxFXqluUK(ul~j2^S1 zfdzfd3i@XXvJ!ADgMvc6Ss)v+0j=33H&)tAn*)Kz^{s<`q@2 zEP=7M>oV!ZNuz_?mPX^96MBxd^ivO20ao{afm0^AX&D`ytbNg0REBlK5mLyCHKt{gCapGmPfY&CyGK*A2P))t zS}DbsOW{3;QYvndA0yJB&><{j(>wv{v+^O$CJssnb{QWJ=_d+Na|~zOHy;%6Ky}TcL}|dbu@v+Xtx!qCRcA`B>n5E?r(~*qtlaH@&xNyxjat+gi4`1 zuoS1Xl2kCg9dsECnh#3ieH-zCB8KrzK5H4GYKLp0N^Uuka_zHj4mwCld;C;_Uk)Uo zZafCVaKf=`10J6mKcI0{-1@MEe)^Miq69^HuyAUWVlI@A1`E>y3YZQGI}>X&dqO>^ z3RMS$dC~sEt5~l}`zCgE$eIR4&8{_u;d{*_BFC@71Q$3d2Ly2dwjh~1ghL6ZQ$R(j zxQ>stoGP{ZQ?^ua1Yx1wE0`4q42gN_kLBls1eZvg9)$wA^S@A}?n#HzU^pKF$b}w5 z1wo%27&KvE5GS;+SmlmL9qYFcoKPQEe+fq|S`RGzgbw6!R1t09!%S1@Go>kXTOye~ zi76WwjOLsv#24zore|K}xPWNhRDH$z_~uuy!=atFI63EsE}o*;z`(Dtp(dPs>>!^B zWz=MMqgZtO0qvxkL-h`@NgRDyn|a+LYp3iFT20~MFsYo{`;L&JjBHp|1J!4&qI zL8}1U;;C?Y>w!g6Y)wHRVu>j>9gup%Bt} z6&Bs&b7La?SiH0|Ub;Ow;rT^ZaUHL25&fNhl0oYEXSdS8S6Moc4MbGiq5_{lFPD z-0v%z@89qGKlje{n>`mo1mxRpdcloYlWR``{eotyynZ~DsfdX=+Obl44L4_*4nr7Sy1laZbeQc83a?{WVc) z_7`&KnBl3c&HL(Ew}%$a`kL~8M3o3g1uYQ|sIul{Itpr1TjsoFg;?9ddexNH^Ny)Awg7a8y@XSITn) zTnOFYO2Y&ty^DF_*w7WMub7XH1<$97;Hlm`5SX{ve)!)8M*7`6Kh484p#P@ygU5zT zzs{TUen7-|QNMrw{@T;MF_2ue(are&Q@3CIQ*VEs{^8e?Lw+rdTauH;;f_p^v{VH# zAw^&-<2b0zi4us+s(`hMTbXO+tRtS1oT_ZURdVq7a6gfVTE z7a)oZ5u!c@mLRn0N{TP&Ki15(^W z3Y)t2YU=tZUjW7GpZ^(FTkQIzbm&yB3{83+y5bcCpp(Z$WM=+-{t9D`p4o%llE{3=ty78zT&1Xz!Gx@84P_jC zMIf^bHT&dxMQTWTYEp}ixk_0V0;;}u<>@WlSoe-p%sn5IuG|qtLdO4@`AYVKgZJN` zI=}u?Z-2O+pY8XA)=JF<`{im1xmxyG7V&ZI@rx~^9z=U}KZ7V7Db6E$G;P)7wJ^%} zvX$pFYGkj;D|Hn6bBkq^sMLuvMY+?Dzo11c2b%~KS6*DBRIrLeHOi2vHZ*e2Xm`XPl@DEu0pK>(^2}i zqq%pcCc@^kq)=-;uY#M6xsRYcO7%sTpQ0T&eMibTRsDc?qtoTsUaDsO4P83#?!J z+=`JIS3X9nBvo6kYK8uyVX(+YrDNCSTS{NdRrqxS+L-?QvD$|RAytA3!Ce}Gv4XF2 zUH>}e_gR1-w$ZEM?IK<`-=qke@67yG9?g$hV#wP+*Fqmb%RiEi5z27%w5dQD_(sE) zW=z8%iuD&kq53ON0-CC23R-k-W3pVMhb7?9e*S72+=dL7$et+3!YDHt(WN9;#!cG5 z=)kp!3Z zZ1EUB1n}yT@ycY9YlXJp^Gx7r62Js1W6yg%Kj^TMs)BL46n@-Ib4u;|)vO6}0Z+f-Wx+U!c{mDd~ifci0QOPCE3 zV&s*1A<@ktmP!IJqr|;S032_gss2B&PfpF+&eO`qRu0AVN3*$%h4TfPZb=f7OuC_< zFVcSvX+r?z$;?Z0)&JqdUoPb)vEbdch zF2pQ|9B)S<+0U`|DRpJpd%QdzR1Px_tnP)SU6yQF&LXij(m~Ed^TP5H@178va_b)z zdzT_D@j~VicQJs%zaNE94x#2?fGgEkO$}>FmCqj~{7_h8LCTtPB{iM5lkjZ6*c(bt zVC#5JUiQmkl^Ah_A>uk1?R$wXd#hi(2^L2Dr`621^KO)3ikmL-m1Y+*0iQQ#K$Jg- z6?S&G{4*+dtLa)wL#ckXU5b#sz!y1q)o&ma9HVNPC>BTMtM+#7>Td0WH1o7`#o*_@Oo{3OSpo6kpNX(m?^Kx`T{)o)@ikCGXn#DqZ{XGy1719a%Jg zkWVD+={(}gr$D!c3}?&TtfNI&VJeR|#slg7Y~%agh!3f2YIUkCoLaD1CN9S@-L+N# z282q3mgf>2R&P#Ex5O?E^1)!wl@0&FLN@c+@H>>>Jy>xAOV-WZ*RVGfYDKPEwJgDH zQrRy-NS%(q_V@q%UcYVOQJ^2_pI@_8jRu^#dj%gs>k!B;+1QtlC` zK_<-<1bUnl?264V^3wBtfbIUf$qH;;8J^9BJg$^Mm6v~bwrLYX6cA0j>gO5`heo@g zeyudkP+wuG?NAj`%w zSxwzdQTP|nFN9RgP>Mlz;2tH%o)l)wgAm7Xp+~~Xqp3A$$r)U(&`8Y7^VdfdoxLMg zB2M6ol3h4ZjltaZO_exNEy(yAb=qcfQPd-KrLWHCia{A)ls+0Xud_-_^ueHGMbVJF zoj5~AZb8`9d&3kI_mdf26y=Tj6E61OCgTY_l!Ff5|k;;#sc2r*#gQ4CU@w{}k; zRe1q6>PuT{sP7Bp2TnKpd)Lw)a^-esANQ3dCp?+RbcG4np6YU!vQ0pdxi3}v z$^w}E;CP5MqutlR2$WCPpN0A6uamh^!cGtx?9w_^mB8lc*S{E8rbEmB2%FtKhBBpq zbXJIBk=$QZ+E`Y-J_q5w%)KVPW?h>*!{4#=7QI_`k~Hn*OUp)bdBJfU(d$&Ys@p#FsYM&=Gjb(b(trN zSzf)~v^A;B%KYp$cUf@n)XLI>!M*p4QJ&J?nx*GfcD$y81AVC}N9ONHl^#x&9!gDF zKfj}UC`H*=>h5LkHhOcP`}iDSpT_*Rlp;A|ZN3iPWX@Z1MC<$XxFtulk(mCAB}bO= z3|c>A9mbuyZig_3WljF$_<|30&Ui*se!XwD!YxHAhwF+}W#)*W?dCGZ^Or_x!o4mc zln!cF$as@I^M#5q#RL_H%pu)e8J|(UjN;%g>+E??tX)siCVYzYH@wwxB*I|K;`Yv% z0ik5s>N=a=RJJUZ!p2!eTwmIEkKMi7b&(2eUR}wyWmP!6Z42k7TZoJ=zXY6Fb?)3E zVFj~IzK09s5wkz#7Gvbf$7C_0v6y+g?=qHxtNShi=dl>;Wm}-Uk;>i^yOT0q4ebbd zTm+##D6&9mRT8=2zxS*eeI(MvJdlL&cB$QsFH+@9*QYxfGZU6>tK#CeVZ+0z%* zf{>r82xOP46!@>y(1dfG8>`-orFiJTKC{Y<)kEBxsd_ju4}v&%GW1~7EQyNO6=1EO z{u}v?r1;O!HPo5M%<2i9e2-C#Ax5MDcP=otrF+?tjW!!9?;jb~M$BI_?-*tx+0=_P z*O4f`d_FzuZTJT(z$RLz?P-ITZ(f~==Ga_8?h#@2=HFRe^BHQ9=^u2(?XhhiB>{Mz zy2hTR#!1Ix_lIp8#wqW>OR$PbgaCNM~T#b)3SDp?n7z?W>mxdeLGvl|bEW^X`m$8)9*a z^aC<^SA?0o+sMZ%*vcpNzl%{;>5#movcsmO9o%5*j_rM0(op{D7!Bu-t@`! zS`}Sx{$1V>jf^d1EfR(#I}kp(DEu#@@bQK0hI@IG-e8mf{qX@HTxVF6LkE`#tTeB- zllEHHYn4Ec7N{TGYa)Zfgg8`&;shX!1B}lwwDKNOIIYf9#^4h&Sxh8s{6_aE`r5GH za|(@ID_&EU!F6$#hE`;Fvuo{&772SYhJhfYADH zq~>0+sB)H@67DQbsFyBks1dhNR!H2fd*ct5Qxd0MScCZS09Bj{-$uz0syFL0FRRX- z%-Ffx!BOrX)rmEK2*4H{x3T%W7>YHi(zgG2Bg4@E7|$h(BL16Zx@sP(D6r8K56{>D}f5W&!;@6{CDv-TSf6sUa7yt9VU#+ z*!V4^l-A7)Q4D-0^OWyD9N+26Hywe|8HX_RG`|Q!3kbQxQEsga)w^f`_hz~@l>GKz zi{NnkfA~8r>{;nRIn|9eF3XIE>ifksx?QgZO^R)XA91G`$7&2cU&deVU@AO!i;nX@ zRwa&BuG%~{jBY&43vbkNp&W4@1}kC0!t+nl#M>0$ScRs5@gB?JM0=eYvOH1+gqa7m3F5_3mYWFeTl$f|L;a3mEr_UqQzU-9c= zB^g$4bMH1POsQv76;@eXz;#xD_Lp)G+J1#*YnsUZFNeJjq(9Jnq%S`j*$mDNNzHk^ z06{kBLw(u8&-(t;JPWnCaGu}{Im*EWeoj`Kl_UzOK#`RDfV4^5bSaSQc$rqHMZP^Q z(A}I~)qk_4-~4L(w@+vmT}s>N38@&XG}(>~S`HA@d>A$DUbQ~c!}d>MmHC+@XnBbg znoYu!+WjLL>P-2%m;N_43 zb`~aB2brcxWaLDWu=l_lDUd=)F+@ZKv6QF3*l!HLdl&<<94$g!ZoF%3Y7RGAMAK!^ zdMZ;9c*iLL&{z(Q7OzE)remY0M8W)9xL>*CRpqnu5Ui$*dLkvRmx#sJ|C)jSPZZca)k_m(_GT=Vd9y07&r{iXbU0ftU)`)iH$~82*RQSD=fhSPBTE0YYIhx@XVAk z)GH;FUlW^X=et*vEhIWDk-MGRe~@ndZ^BDVqDwJPYoLJma@`ZuJ#1jC>!kms*e-3E z73X!a|3k4G2FA{}l7FMvUkr?Od1WBf{R3jLfzjD^gfg?!yC-%#xr@8uZbF1)#pFBg zODZ~}X~Rc}UKZw&_uyu#fD3#(DtW0&E(;4G>MOQxppz*++EpR^t3C@;kng7SXo=~S z$+nul#QA+Y-Wqx{v&|sL-lk^#mP0%buH|j8B$=-6eivH~mSZkAJa-UTicxa|g~yk_F4WvXY=M4h$*by9RM=QyC$!V0gQ;5CA*VfVs24j7 znQ-3TT2qLWOK6}Zn=)yl;)yS3|C&9s!|%dvAZsyFo+))cH-!1hynh7e7DJ6L z;C6+phuY9ThA9MUyh0!^Y0(8mi_S|_0YQ*z;h=FEfGP(MpkCp-1gAEhX}V#k9W@Vh zC_x;PV{8A=(!#N|VH(QC)<=%XU&&VX|v>^Nh*iJ=5U&c@B% z^NocMGPXVy)?dB1yN*PmeU0f)%pPyat6~+QSuk|Z7lV+FDdgJp8$mU6Y$2!S*5pu- zrUB=N_=?u84qsy-;s{@kIoO(8^+r94(B}C)Or_Y&GE^qmU@Fq_;Ae^U372Cvcil;W z#YU9!9Ot7M)`jQ{S|r0LZlba_DXYw-3{cITd-(9tOsU0LA1jQTE!vVXMM+b9c>$*k zTK>b5MblUlpT#ZvFd)=r=T_Eb7tw$#S{pSW`0uh2Zr8M zO8NL z>#~-HOP($;DhUg~Oe+^zz=rF-azE5{|Vm)rShz$Rp zo@JHrP)U_KaBV(9^qEwb$FpPDP;fFgs~j>d-9#KxcU7KATFOM}3lq>txTIL_ov&uI zZGbyU%1BIkVm=O%kCc>@l?30lB}6G}8+eY>1_(*FDq-$dT2U>O{m*rE%);fxxUIM8 zC!}Mu!G($;du422pFFih)JwwqfJiHN>C;Yn1r*dpcxk-i^L&1$zTAph} z{0#ri@G!ri7N~Ti{Dy^ki2|V9GLH_riff1A%J!B=mFo}rgMKG_r3U6s>ySS#d!<_e z>z(YCl5N^)`ZLLakn1&OdPVtFX&dRvh?W5968se=>A z=BcrgbX-RY+pa58C)OYyA?G?1RBM-wYF}dG=NvfAYuJ0;JD*MI1L>JM+djK`TTRQ} z^i^Rkx%vS!S{(4>%l|#>cr4DeT+YDZqWUPV5x;KdO*oMeJE)C0G&eRPVWG3e_?7e{ zXr@B_$T{doFgc#H654N?I;5nrfz9*N`2bn^iL9y{FUt)lxOH>m=kwYVuT@ZTrVJ3g z(?EQI)9E2%@yi~{FVT`bZkyLRciumLC2x`OX+M3)l2^Ba4mR&<(N$D20rD8D$1h@) zJTT1qowlLl!SrX)sz2~!-fM&DFNOOE)4Qg(w!3PlBY!tP5R-cjcB@5KYhWVa2$v4Xm#+G+e`E?g+^S|#` z#4Hs76nA#L!Qm^s-8Z!< zYRD57U4VWJ<4X4g&AL0n4{F*O3cPNQ?S^Pn|Cm&Wm%E25v7;6%x%+Ml@f|5J^H}&D zUq(4v4JenQqy8?!#y?w%s4JHX`T}f71C!5wNU{8f-H53!u?kh;TNPU{e$t_e(c5jIY-AA-*@$v8jIh@OEkqV++8uK@tys+!f!;nT$nECCA^gOE8>t+@E`URHab3qVg~E2 zpyew*#a5qU;E+7ur#QyIJKds>Iq>?x0`8U;-qe5e9Z!WG(_As-ab=_Tc4CT~p>?&} zgm@r!C$Y7eUTlQKE|Zxq&PcHbQN{nP>s^V6I8{0J4k7|Keo$25b$__Rq(yt8gUrGm zu%PAR#89#A@dK@&Nl7xX>qIc2o~`g@FN~UZBqS0o3m}@?!*3;jo(~O#S;ohsJTj*Y znYy(ddzQ9e#LBJk`q<@m33wul3c;z-H0&xbLE{L1K$f@BDky}>Lnh*?JCrezH=6~z^TRsl^zEwK) zUcaOJtBl@gy5jyH_TC3R%IeA=&Pb|3(I+U{RIv;?wxQBC*=i+KYeolr#!fV?sJN9% zD^gtlB!!9M+Dc+3C6D7&wx!kGbyv1^U)^7Ab+;BHq9pPk#iAmjC`7E9aR5OP@E>`< z-*f*w&oh~T?r!&e-{0@`Bbn!U?!D*Ud+s^so_p@O=gtc20{2Rq77mclVWCQ2G(j3m zPV(y~H8a*M)4=%H^<4OQpI#7wooQwz3FAL@euzc0R0?9dp60e{`WlxDcbU_Q>cR*R z9&FR_ht^c*WY)8f8Z=bRmeq9Q&ivE`c0U8X!itRA1hNeG^;VjqH8&v3-Ay5(wQwV%qSk}|QJ20V>tb%U0 zPUf2$yy6-z$T}IfmYjygw^|!<^D$~(cya=2142dl#tbJj8fCc3V)R#TiGZg2rT4+9 zGScVPEpamHczh8mr=n%?t~|gZ4n3{skkN`8``ZWb@9 z%YSC-H<)VozVM(obU?leiIFA34+8)NSX?5 zqvU1^sQfsD+!50~n*}>!cy>6{q)0ioykif0Y^aM(ek1TfCXeN|k`X8#%DWNdgbzfL zafnP;f<{J~c?OjAv>rz@PD-}^6rfZi(4j6=DKB{u`k*gZu!wh9`*??$q(RxpqJOF} z8(U5)V0kFyWdJJzXaeBEH(gyQ$s)%7Eu$O1Xw@vH;3PB2}=39P^&F(abuJ4vusT_WfT^ zqZ63F=~FETf&;S(Tiv(iJxIlF#0k4Gr4{!6L6C6yj%fyxR zISdl@O78`WJ8F%%RK(N*!HZ`4a^3|r< z@Mk55#js=ut=4yonD#-m0+e43$8ep_!4#rDq+yv}N5d`SEk5zK{$Jzg=5OJFicM9n4CI(hfyhY5}ZksQ}C{>c!hkvj_QW zQH*&=9zFs8qg11$HLD>rOAP^ovA>^I*XMN5kJt`KH)oqH#Xg2uh8AbDIMn04UR;P8 zzob!sVO1x$>U2ma)NwZ6td1$;3~WOoaFV)J!}d*d{LAQ)4PNd9yZ|o`7^B&Mii1R^ z<%QJ)a$GGrsQO6_h5I-<3djD!y72Sh{jWL(7j9cMSHWOM>Y-RGU=+LbhgA4eOy$-k zVLFP$yEfymR4yxa4n(L+i(;+Fz_AJWY^1Rx=O=}@I{hn?Bw#T|wq!^k&1~jg01K1c zmA}|yChL5j<(;e_!#ec9e?vf z!b^jwZ!a;&)+Sr|19JA4)#ljRHwQ^3uc70k21zDUqls8{mM7!=6PL=8?>u@hD?}A7 z{*@a!xntxR_$T~F!+8D!4%zp@3GuYChy`sZ#I z=3k9gC-W4FNG5K5DAGY!PSxeqEiX3nVrIt9)Gc#5mYUMC?}JLEkZ8a> zQW%04l%Lqc1?dqWTUisN7-fDB0BV(7MYx!bkMXXfQAd7=uloBwGi{Ro5&q_1gOkl5 zxMm27{E|}XKauiOkMqBgbi4Gd@#zaFJ48BMI59vYp$s?<1Q?P@P-Hr-cPKuCY9tY$ zFwd*?hI}B)9chqczNDjrbYu)0`hj>%Y7gX^5Jku#jw$;AbBpwsOVj)x2nM@L*jwg3 zi!ko8oY9u}u`&4K(xtQ}_@&-|fgSfvsa5Eu8ojb6&=Sc<;|)Go3MW=!1!$diB$&ex|6OX8Z(fPs*Q%@!`eak&zpwAqTuf zm9G`z1D=&^f4w`|{uoP^rKcvd9b%)wJl^pEz9ifC)z84P?p?S2HBQvZMWt^N)ca&) zbG-eHvtZ{{H>v8PxNx)DZClX_cybV1olj|q{E=|;ZxW`e1E5FGIF<}>v;y3BB-_@$ zBARSp-dmU&Ule8LF-sXk!8zv*9+En~82T0=I}I@v=}mgl{)RDcq-VSBd!sXMY>2#> z%>7X{=k2}+2y%tw!4n_Zar|#uB|`0B4Edw=_~?#VlB#<*>728Pep*GfTX!yvv&aTr zJ1VZ9d8nP6mjF}AF`INN77{Mk$s-^Yf=vOYo%WwY;;ZYvtpU+rZ)E2PX@NC&B(ifz zTs(TSH`&u0O%Cl&WbY<@rEnQsUlP|iXXgmvAxCd==#uOMBsMyNASlS|NE9kW;#zko z40q+fLn=%mBU*Xu&7NL*4teXpl`B6kxd(R;K7)&Gl93lv!*`}|XULw{5ot#ymnHYS zmh|AHvLqGxuwgh3b#IU_EbT_%s^5*=smO-ZaBSkFV=LXqfm-2}lylFj5y{az-N=i{ z_GfWD(><$4xTAL_BTu+^Me4K1pjkgpMOL!zp8VKkWK|NH)adt40)QdY63%tqxKIK7 zcWlC2+0%Pud}w#Pt(R#j9HsBseuDcLtLn%6o*Mmp!du(Zd+5;R*uO~jY^{j5{h3K^ zZ}2aI;UItp{Erf`Zi5OpHxj7mOR}#T6+_)UuL&xiXo$Q7RB+>j$+*DdIb=;mko#4M zXA5M!+b|qES1aWU&UZgIZM<{cO2J4U3h`|nx|SOL5<3Dr{nP02`VqRx5GBdch+~r< z3%|wG@b{T#D%v(0>wiR(S>rnQ>>T0tY(sL7JN$XPt|78y46znSMb^Tr1}I>0?}@f8 z>?C0TWZ$ts-;grzot`a64t*jk0>{sQL3#(Gt3rQquKR$9^j7z5Idtgy>>U(S3T4xr z>y~F9rffnhE8AX`8l3A^WpAh8nihAO*CwVpv+tk~=G!y!HlJ@!)A9Jh@5blwyk(j* zbJs!BoON56?ODn8Ad~S{;M)V;`fV5A9$qU&XW!c^zr`S&+4t^H2?fA@9r4%Jn0?6A`OGQEiE*6y z&ai1t0a=<>BL_guzP(=M@QXC656@L2rzU~fcTd4bD=Edl604>SY(c_lx>u^k!|hTX z9_|*Xc(_BL;o)IIaN9qqcW&8*rUyFU=$70To3DCwL8bnZip@p73!?TF{cO6R#=ds* zwcZvNB1R)x1&s9WwwQWpx}e#X!c)@)Q|v3Anl5OxuXt*@T|p8EaPHxk`9924>_L91 z6g25PHT+T*{1W9CP2|LLDmI^AdV_E(`Q<_X%di+fbo(Dtu^s%fHu$AipU)%WGYVyK zr)eelVb@d0d>L?t$CvRqF}9YEB<+c@R{7AaJ|vu7_lN?AkBefh0>0@@ro9UKeiaW2 z;3~X5$%?LtHS^;u%(4-M-sS^&HxZkHzdQK)4l;vl*X?4?*ZE}&-d@MQR|x{X3lOKf z_ThQmK9t$O9Gj5JrY2;hr4y*LDUFspO>Zy<8$_7{rofAzbj+@bUQ2EMgXXJ-CiK%$H)#Wq+;Ft*@R5%UgXn6Gz0~9@WVU&^Dh7F z0`pBED}Dvc*T)yKY3f^l;|$F|DfE)x0>hYHiZ$idhThaJ+Z}V*`$Zx#Uv=q;~_-7p@ z7FKQeyNNx-@T}uFHRbtMV7We)!(yA|REZyV*v-E03{~4M=;L4{V^SZ5ylU!ymjN-!n|@;p;Q3^?CfkpyFw&3;}wF4}U`X zy484UdV#NN`MQozAK=fr4+Rs>E{-mSk=-R_~VwHGB+n&pJCi+_~F9q(-1 zfj1Ba{=h?3h71{;nd^@QOe6yEdjP7ef%v|T!w;fU!~YRpHZvm`U>%=8c|r;JhFt4D z<|k6i+G;*wc-K9F2a>_eXFxCO@BlQ4l$XXh>-1cJd}!v2$gGHO-A2Cm@_n5U<4I^N z=TOXhKrs1B*bvpCZt~Pdj6COJbZrZ=V9G#QObvK{f$vZ89gV>ID!#wNck~9hY1TeMYVD>|*eCSr@f0ZiX-}b29WSL%mH8n#%(70?;<-c`=Ct|hS4nJ?Q7RAl1C+HKIf$)Y>j`d-%nm>=k-zKD7_?rb zOU9)#o|qZcbkPLi1vFAbM_H1Dj3T7zJ9bEgvqzBAz&&Ihfb7%hV32@}q`++w5w~5} z*28?PZ5i@W4nT-FO?&u2F%1$`B4RrSaxebuq5=!@!ykyGrgwEtC1dj_Lde3{!t75X zecc*loYTv80<4hV*cd^*rTRjV1Fpm$k}yOK{(!W}(d*s^huuCG!-U_5TV?LNW+%Vh zslMG!V=x$ya=GbfR3QWTG=OcSq*%9-f1t*Qng|*N^*)O~)FO$Rnd`}Rm?LKHq|_zT z5F;De5HJ<~K(3LN@ohC<32&EHT-mRg(17q6QbxG62{RGdh@2r>muOk*xMDzgXPs)H z(*%h`?sL{{V7q+=*{Eg+jM8!xS+~>FyOFaSS}w{ZdPL!ZW{3HVtg3i;-JkI&y69R~ zf@yBHNaBqz;fch9=5XTLxH{ey1yqn%m6B_FrS~woKUe;b z-W-|^u)_4_?Bzq^cQDP+rk*Qb;LWMR14hHJsOCfm7$H06j zB78{>%41|GD#%J&83eGA!r&lP&>&h%B}X`2x`Po`ldH^reRvZVX1jz`M8To-Ax&du z2g!CLjYI~4gX$mxR1uOK%8>Q(nUgd6iZav~K;=*XqI{KpD3OJ1lnI(EkoF-#^dmoK zu@FO`(TX8nU=~cQMw{745rH<$1id1K!U*DylZK;N!fArI0g|1Kuizh)sf}RanR^bx z$34i6Ia|$pKoIAA#a&>tPy;ps@J7fqR@c0qk_v5TF7N@ew0Q#`psY0St;FAFF86z0-~CQ0sKA$@_;SBe1T}a&fF1LHy=Tl2wQt z!C{gSoC4e}iMdl2xDnhf!Ie6)K4FX)Yu%pSW0ScDK)N5fqnEiuVJ#5WM7|^AYK@-k zd9@<$y-f257&O`Q=Mx%+K9wB0F69aLg1HV&_PkN)f{EB9+98%Fha$|3aCK@-&w06# zhq!G^$oRfFYPzyU(SR}~J4aTfc%0;0pc=Dc>tqJ(&%m_7rqJO8fG37_koG zmr3SJV=8xsd~wZ}`c!W0LFeVlA0rHeCTzvC7*A5UQ(*Oh)dn^%xVOU370++ra397= zY*{!G`U2gkBk!h$znO|`bce$viahv^d6xZamNL4$7}MZ_0DJ3F$p>>0o_iz@%D}FM zW129yZGjDE^N6IJrlch~HF`-yWP*hQaL-#9!;e!D;ATAt8808CBJknZficBoQr?=%mBTM}Saq_! z=QAm9m9l@~p1VJ}J#UXCN#Z~5(hS|ffKJ#_?%4)Q{W1W5oAlnZ_pIdT?$qf1F9OgleQCahPZ*#$IQxkH~O5`jka-W~mn zJG3ViS*2p;!kD%fGzeOJhfN3Lxv+)y^o>Pd5MfH{wkm(E6 zy;0>3#hJJtF$DjtfXyT54U{M=yKr$m8o%<3>V_H#C4wDiszZuL>|xV{ToR(^aIq2uv$ zB`KV0#9=h-VK(Hhg9DfHw&UFgxucgtYsSvc8u`JltHsdg$dK@_X{Vf(LILy6k#pIjxhY{iM$EDHpiemt$5*a6he`q>H1AGBK7OqsHw_I| z+hD4}N2vyno392q<$ajvcD%OdFdhI7Jo7G=Fdj}W!h>-&RY(|4B=CTyz{ZjKBLbb~ zB@?_biqStcd@%Bdl9hebrRXC_!TFBl6ym{s#XMgQnz{J(FMb~7 zAJ;j1vx6;JR7F zSImw|WX~;U+`eIiMs(rjn=xfPCmtnweL{l{_s zqw7CT@*k)BkF)IKoKE1;f4ejEc3T zLT_&9ZBpoMdgyId=&dvKc4z4AzR+7&=xt@_ZA0j-FZ8xI^u}{)ejga>$A7C1y)kHu zpXP?%CWYRnhu&s|-a12XcZS~X3%zxP-d2X*HiX{#LT`IRZxvAg{Z?0n-l{`y<3ew4 z=xtKyZF=Z!R_LuW^mb?H?Y_`kSLkhJ=xsyjtuOSp7jH01fQ$JD%hOSiFB7s8ZwL3j z=qwm^Xd<#UvJxB}2b0I^-W~5GHe^$CD$e#&%mUsf8zfbO|{sB!4Kc5op9r zui~I^8}iV*QfUU8Lq1mx0wL+abp^GYrJS=oywLT9> zjE2yOJF;p z={MYvzY&zsu2A?~QIZ<#drcb+`ojb%%{LtJGHdnuVU0-?epnn%e9$Dym3Y4nC;q}D zMoEMnp+qOcxO65%wJ_}zD(k_zoebmBnM^g3>GXk_ssou20tOz|#|+Fw_gDi7F<6jk zr!2bzU3D^>)F;V@Jn3T6RLGro0+fRIcN&eu6NNojNY@e5F$(D!ftT0WSQXhxFz zJu%_aAWXkUlZ?ji|EJq8*dND3P?(iyjxt;vU_cdD1$G{T8uHaG920OFPMOl;5jcIx zNND^dM+A$YYUnbQqP-}~3gz1;R}A1buh@{=S~3a3Nw^&CfzDH68q`$?XN;4fv+kOj zKK@_a|5AeW!2J)g;r{xs_R}X`7^kIs7nBn-KsYdiG5I10BA||d05Bom@3N)Z%S3z4z#X7p8K8n<`fV~T*J=R{OOsUH7Hxt(;oWpo+ zWhH}HQsV+YUKp+kmlA!Vnnw9Gp%!V5sg0(y0p?gsK(vjOyV*mq8bAYhe*!*ynX)GP zSsF=CfZ-ZpJD*KskL0Eb%~S3QEN#llR-8lAds$Gyoy+1!xOJypKU7(I%Xbj6ue33J zIMZS5TkB>ofF3zwr>eY_z?goFvhU8;3j~!pb;qbG5 zU1ATy+6pJwXC9k`jT|g}%8Q)D@=!M7{V(t|c;OW}zAIx3W2Z9J$!!;6$qO`H#)tJ^ zppB3)hDzmQ7~pYZ;qYL6M=~%8Km8VB2`96M6t*N`)z&rjgOTHx7uR9#n{Grg zCvzVVB7s#!_@lDy1&~&a=+HAaT$akkh9>KtnsJ=l1$~JBjY^H~P1W_b426R)HUP>C z!&15LN8H>gYbpS!wwt+sPleV%G<@!y%eH0vLr&5VIxw zmj0F|vATDlRogn!^uvDo(+hq?qt4z1POn~JCTk8e4J*8GR!KoCWbef^0uYMyq?On^e3O$-Vk|%JDulc%XhdQcIVWBehWCEqkHx;+(?7lM4e1G zfGaTX0n81LV3NunhMhVmLrWb20Aoh~cI!s$NMA4bs(X6I&f4z$FHGBR)w$)?nWEa# z-;pz@_TGD69-V&j%!O%kUc9~%k@j+lXHCidSVSmq)O(X#%+a9K&xqJJVs;`6oJ z_h)ht za(gUSz5%Uf;324o@fGKal$9M2-F)1EHWs|UX2uCY-tSA*^|fFZKzN_rzGmjpg(p+F zt3o1R&5SN90`e{QTZu$uossm;#o6+vs$|x2;VLucC9DuM3yuK$Z2tjrdhhfPAHeDgv;yn3u4#J8|0Mng=4o-;T zH(D5OZ)H)6V~E+&KA8`X6k@mlOt~t3FqtrY5T;aw)otH*5HEPXslq?M2dM|186NAW9NJ{<_JKy=|@98Ykd z3(EQ;rcy*D*`3~wNi*L6ya-gUJkP9d`x$SSrH=>D!rGMgUSV?WHjQPo#xIh|V=Y(CY`*f^rkTmwWywX?Hch?m`!kxRCTpKcF8=&MiE`4`Y^`$F6#o9`5!mscfj-nyURU*|RLl z<6x0j@O?PGAKg&{)^DpDsTd$(c{4r1lRExxw={Zy|;b^;dX_&U6eTn}DkG zKhmmX+a7M1ecJx~#qtxmz%k)tFfb+<3l0g!gJa*Y7Rjk=bQ+ z%R!Thw-3R|q+Iwq9W3SE7!3Z{hr`E&orZyamsFW1D>QfaKO-^5slMMYGU%G}2a$NG?cW zG*@Pa7htf;FY!~TN8|9tRw*HjL&-ZZ)7#{&cwv=|AnI_Hgu*JBy{O8E@d?gXl>!Az zYOMAux#+65URAI|zQ%G{-uXilq{W-DWGN$LQ5kyOhRYDgX8g3_vZ%~W1Ih@p_FK=n z1IiGw`>#hr1%~<~7}{?=n?cIq{t%nC9-_?6%@e|si@!|@?YP}2ySshEiSW;LIvyq< zh2ee)R-uBq;wx4n$owXnPhU=Ci9(K;c!*4Tib>g2ESg^>KtwpeE*r%gxGm0)yvOSb zJjj5Wl&L1=L6ZVYZQD{Zn-v6;5er$wuMhA_B1VcaPjerV-l0l30D0Lgiho zp)@Mnbmh^)MFV)FXzKGYbO_>H8d+-2JgB_-=ai zBNT>be5oF-W_Ik-lpu}=m_*_Tl*WDX8krlM4hC~FRm-vl^>^$-6q&*e2A&?+^t1qs z5P7CkQv1NJsN ztWD+EoPn@4${6S?HvTV8Uu|1Ep&tl|;U4%envgE?hv#t2#PTi>1!TsfOB;Fa+l2+6f8ns4ut)@ z%m<}l^E!+MZ(p))1&NItp@3{QLIcB%1|wu89MI8*BBGl$DDdwQcuo$o?H4jo5g;U( zrU!+{O9K$(N3~cHs2K;DP|ORoBsRESH8{xtzCUX~8fPsp1+cIf8{9Gn-F5sQ>ysxxcC`Lj?WzGkTWbWa5>Ha*4 zg&$P+zA9BPW;!OO4alUmSLy6_s%}vVdsp3NZz++^u7o;*4Fpnb`zcjQj2s9wU)}sgrHv~}MVrR9!rF;}15oRQFiysuc@)`kVm$Lkd z8x5%<_u^Y1p>4&3C#i&H6q5u99x0?`MRX7uW7n^uPLY=b>Xel)CDv0b>x*Q|Uur!? z#TF}P*E&!G9i}7gwSCDw$s~3Zw89GXciQFD1(m1XWVk zvKm?A<|fyRy1Gd($fN*a3=tT6xRHV!aC&=5l5}R?@AevR@wG-%?0yIGFm5N6BXAgq zAl{FVm?ts-p_5r9Ujg@?SSQ9)c3^lLx~=#=WN_P-sYFN<*nw4eESAnPkygmvt!fgV zE)6QFbzRQ9(7Lh+tVzu)sKuTma76856;|W83$O)H}}Dw=j&^Y32zPVA5`~Q$W6$B>HH$tE2Ju;F2?Ge1PB?k&h%G1*MyaZ=nAgLJZcJ@*oD?yx3#)ytv+ z4xDlWr;}VSV`3BPvC9Z&;V|gy00_x>Mz>DD)z=Kt_#nROFV`R@bqC^`ee7i3qm<>= z?^ZtG7C(yMGF+{rUpv+7)AEWNKalhUpEW>hzI8IcMUFC744Hsy*6_JoY(lH$QK_t5k{7e-lnfs|s%Xp=*#;YQ?Ol*?8 zP5@bEVvQ&=U`0tGE6x!Fb193eiv z=)xz`y*a#Cz(!&C3&;O?*a6MlE=w&n&AVAqS`lRi`bp7>>(?y8bPfVYstjCA)q`23 ze*JxA1@U#4;DaDA)Wii8pJ1+W%%xI^niOuxBw8fPfdXf*v0uNE8o*df#K!77s5=9KUn3=s%4oz$vQI!V6W|60CAC!lR@)K$TxERi%X&s`8*sdE~`|YP%4F= zPBlEG_bVf-3N=QTiwjWE@Zw$7ATz%)rVUC`uW~xBJq!)Na<|!S>yh>&(tj(+88Z*FVxe;jbW{q~e?62%#SH}+V7W=wz1;E? zO9L<6OeDGTjz-*3g@TMCJ*&ZcRa!^@S0Rti-Z#|G?&SyMJj>5{r*uLC)?uoP0ayCj ztEh3AcHE|xY{l7MW#wq|T6Pe5eI{PP6eZ#z#h?xbw*7=5wPuT6Jch!87LPsmcL$Yp z-7KB9d9IW^5WUB+MuN^YV!yC8WK&V3$%#_KplzkO!IK+N$}FtUX;>Qo%gn>_j>ooS_xF!RRU<5E^=R?NnME%Cr}@c(Le?g&k2$Y)#Io z9ClM@r=15V>$Nmjs8B8HtO^wKv89Up*eb5|ekqRil7d1rmC=~ks9ZQ%U1zB}#pLV4 z$!<~U3v}D2e2&mz=9hFB3;3c?$aN!#9trHE1~8zL2Wvp%jx7O57|0_azuO9+-|ga- z{gFyJ>}Z?>IG!XfB?9$A+s)yUOibxaB&A7WpF-23SfeHbRvk{M1}a&GY#K~a`tBpB zhWIt~LLB}MyN5Ksv{F9?UZzwk2ug*<(#nz;7S*~1*lDLyNG$5yqBZ+~*#v5%sxG3K zU=7_cRqMuR2~!D%;0RXg;LBV{VUEg!N3ca1EcE$%TWl?Vc{!2m5$m{_iP{!Yb0a;uojCET#V>s&OtW`Br3oFgk=CE%7Ut?vWKY@YZb1EbqkjS>e_*kW8(sK z&5PYfv_hwtk6#Mpnp2eMdK$_!aoaVFmCsWR_0NeUbH9pm@&zH>M}i>!VBIoUo~Lva z`HBr;!3*rfvd}`2DS;vgQ0|wq(hWvuRm#oX1j{rc$_fnn2h58#OU;XvkOmUF@Gi;3 z)?K3is*h~A$_#NYSW^s0$^MA}erphby5Caqrvmr^2L@|zHapltjTHqDSTgAxHx9Ly zFvb*`LeHByIvf>lEJ#6)nd&lJ0hBBjyW~y{cAkhuDFc6TgZcYo_3S0kW#uD1LB$$OOm*fg8E7qqNk6ODu|JQ{58^iUSUW){jm1tml<6JwJoMy*x)cvc%OYMjigFvjET(l}{Mq??D7vWSbmyG^zz z++6cPu9Mi2bRKxm*tR5RoVT)32^|6o`#G<|J~W>07jj5#a=~1HYOtCBoRC|f z$tmaOe0x6a=g`0swEe+|p7frU0|(gX_}I;kGFJ-XOv%iXbf#ss0m+3MmZ_huiJt{6g0SFjgA{V zp@|40F$!XY=YX@JAd-yQ=fO)AU)XG>RI?~{Gv9Tcu?GRrvffT z7yXx8aMUMh!E_M=A&-iU;9XjUI)R;3?m_;zkc(I(;2K6OqWIZUw>IfdcQOlfE_O$C zP-T@7z;{;Se@}BT-k~}|lna)X;ht#wF)OD>50>VD234{Yx&2OZ?U&qdm0oD>5`3fW z1S#-B1b4Y))kCtE%bG00#7cwNr269IQY|{}z%AM-sMuu0}j}k!Ax9@Gm{cxex@p9vfDF?8L4!GS}mIr)=r^*!}>}E z$(>RUqaxS@xD)W zYzajQ?OQ=B{d%EZ@EX47KSm~_bX+9`WcH4C{TjKXxeC*W9C{X7L?06#t8Rn*l*zhH zNmcVqzBkV-&F5s@dq$i&9dmGJUj8G%HkHPMmHq(<17zq|$2nqKvYcUdTm-2xL(MLiJ7L}!j z<}$xkgCU_#w~9lzA0+VJKa2Chs-se<#o=I-u$ozlkznD4kZ`vQTM>ibI`Cr}D=1hW znV=_o31w#dO`)2rz9M2`x+t`4{Zn6ZryhS2k*EyKdfBW_ zU}Fi2#YtcZ+WzrD>01kb=3%VUYPZoqL^!GJRN58cF)EfIgz?Mwt%8x2()LoGM#pjG zWcyO=*=%dsKz^7j`zlHSseP8k$I+~k#R(JW%D5v`TE^lZP@h1FF42bH<^~U3D2p;Z zuQQ4L68FPPrf5;7O*)fX#m<8LRJN+3Z2u<9%QTED$YWNqa4D1Zq*9_AaQqpus?k|R z6R;WPeoSi&tWriFWZP$=Mp~r!(Kw%iob4m>ldMG#x9Zw~fPVhKKuNlv4(KW<2k>jc zIALQb++a8x1shC>3)t{^FwXKUKxII_TGvM+LtF?j`|3_=`Xdf=U418TTo=VeXv>6y zWhA^`v=b&$`Y4E*!nI|E-P=S;H>HzGc|!xu#Cnm_IN&&yaN)tbQwbxr{9^Y(e&Kh* z-!XTIXO1&wUaSTka>if}M}9M+@UlER%JLN$A*XU)tV(|GidFM>xN`b&hGP$i`G(Jn z&63}{Vx9P<1~d-&Wc{Mw<&+$jFulwN_(TrjyYf3PHc5WrTEkzoZ!Pnoeckele#kHS zgk@$u-XKix42c0nwet3*Hr;J33{!4}j+3lV_p$bQGV2 z;_hH*t-y{Fq?Gr*beNpI0n6ADj2goFNFb8D!H<@M!rZ?SV|_qI4FTmI@d1FgerljI z4h(b$W}Hvg(&G;d^uA9GRQYx77pGG`HPD$A2gGUBK%n3!F7!m|iHE=1?jc`s4NPQV ziP8!(RBVFpYbg>S5B0Fy@16R)9y$3=KJAsA%=?2f63cb73bCw6Cgo>k_OqYKp(!Iz zA&_J}0s+)WK>`89A*BE+6TyR(zWm-5i}LpX0+LKRALS`(C{JGt|V*v6iQBI={q%r-lr+Fi@(D!{R9*WYz8Uxc2rAjPKRTO!6uPpr)IMR z`Oi{lA1Vl{MfXX6|F_1eIut&;?T}&>A)NxF zFGR5TkEl6PzEe-Q1a!gS<*Jnee4_9%8D#IL9C>h4{V8Cy7aFY>>I#mWHS;AH?`)v#J)$59ai|meV+>NYp zI&y%VpD*C0A*S1(u$gzGnfZxWQ-dJb(vFMqoZs~}n_Jv5g~=5xaRPD$_CIZWmO+ma z9STB`ZkP>F#JpFVql|{)pCPigfx^i}cuxr41A$R&)+K>>YrK}G8l;5%Pn<)?{cA9< zASjBQ6ULSgb`6%}x=3ls!g@fIPl~okhQGqFnwSD7^B}PrqtF?3IDCN{1Oy@?jmnF` z8Ck2y<$)w8;{qCqnjeke4On@YpV||slDi#&ogL>t(Tt7kP042TAcdwCHp4Kt*bVev z7m~V}g>mJr-GJEW#8-oj>Q97?s=_6u+K`U#w|?BJR$O`Uk#!R$$KS2K4vmX<9SikA zhC+^$a_B8tFgnLWvi=nWzt#T>a}4r&85gYCDWRZ1>p?Ivx6L?8o7Blm9s*9^#e`0o zS?3wJnhesd$=vN+@;BsemlZs3TT>2m)Kyst3yPzUjKZ6`pp&7&i%vPPqG1by^S8O2 z3nTCx5*uLFeJ|t(?j56-LjT*2RH;Mu1#Q+@)w~^wHxynia|_di$9o6XkomI2S)N= z5z83Zw=<%`UYvjrzO0dWP`rJLeG3I2;HegAoe?qLa&@>V?TG6s>kdZpGLz!H5%2mw z0Euzh9E63fvVHIOoq0=yrdSW+LMmzKw^((|ilac*+KqviV7zI#yaf(dR#X->7jZ{@ ziTI9=50xLjz=~oc+EvwKK)ll3K!_-FUUsnf4D*aR(V*zqV4XJpM}F+016OK8fS@^p z)ffAO^^JV|Q`T4Fe0UdDRiWV@1fNeFxGIhNQt?gpdtUa`;wBv6yzFO|A(BkA7+^LW*5XMLI^f!8cA%1XW z<82VP@kj7n)`z|6G7qd?R)!dVhQCApUUwo*PI0eDdQXYYLqW6nNx%>iK-6LhOfV1m zQr>Sl38uW?@EByudvq;+Zq07M-}=_qBdxFQtFOp+$~)(zibp6M5l_~5bI`v#-H1?W zsoWow$sM7t;enwlVxTo#bdF-?{E2-!z7K3m%o9uL6`8-!Hv{Bjv?$JmBguWd`& z4LiQLXwXJ`#CdgfQOH_{>msg<6R{)Atzu&^%X(WL`8>YIAF0P*)fC)!6aZoMQvgDs zzCS4}AxKdG;x{csp5I+j9s?{42^LQQFRy#?4O1TMV5PP*J(l3{G_JUaK7Wrn-Rx%J z*&ZkxIHc8bp%f8?)ND)uac3$(bXEqIrC<2^#Z(rtvk8o!YozA_RtwE88bLfCr6U|jEdm`x+rG5X4uVf_3jeE;-hqao6!JNKMfX(($D_u@U1(*IvKc20 zm}AFFoBuEHfxyjg6Z}4DudHGKCcA59h75M}z<|wR5yNE|mW9}(P|$$NYk@a`jEElQ zQLusW4Gi4`=izsKB%$1?B?o2{u77c}BM|mj26}hA{|<83{s-ibrgIn&l8r*385$Xo z8h=1a@PGSOH-*IxwjJT@`4q04=8?C09zXznTt=Ta?K+H$VWDx5KsN{Qb1$Ss06)=% z&`u40oQ%g*__!ek3N&;ZEu-kX;uXkcqirx+iSNMZ3V>mV^==D?q6SolE5LSdDZV<0 zx#-5kAZp1(gU7<k{GPZE2f@$Fj+-y2l zRjLo)9K4DX{VM$8p-Ljik%B`|E60!HK_^o#W=p!hanYc~P%*l?1OR(u3kT$o(?KE3 ziaI|*Md|BGR+7HN%??&U3nmDTA!H*=Qd@-B!B2=yAblF=W+&2t7R7H+!Z zpOH)R52_3CPrCpZoPVweS72D6h(XU}E=AtO6{sWWgY(Zprh@(Q&&xi87FW=tCBR_( z^DjmMs0ujn<4W<597!+T2gWi}G`HC=9^xOKM)>6Xa|Ge3X}q{M?^;$Z%|Fj+M(z9r z{DVWtgjTwuTMtmt-{^{D6?{O6aK_*jjXpp{M)XiJd@9jXjJi)MdggzEimd1fS8`y{ z0~_6co9Ou^Fc%O#zGsx0#0QEVtI^Ia)`teJ2fjos70q4l?|2@x4{t8Lf;}@!!n2V|8sTm71D=uVG zSFK>xg6O(>o#qXpgWk zD?woO1^Pr(^`q7OUuUVd1+M=}lm+8|$$UI4hUpl0&fuCX*Lx4^G+rxTZEe@kA=Gk6 zsg>B=5}=%M??G#fqXcygthjvZJ{JRsHq^;HNUQdgH4}Jhmc0J^6iJsgT)clo3_0M- zjS{@0_yb)TFA72hIB)``U%nYt|Lh{9UWp3hUG4ZQ*$@{xI$*7%^4w_hNNti^Dv_sw z62;Jq*x%f?eX@=^egN$8QvWaTx4#SJfn#)sF1!v2dVP@c zPM?;*kd|nz8v4Jttu=%0jB3R1Q}jb@vn&Z2$0JC-W~zmcwj^xTjC5ciR6B@90wsL!s^gTyFvnbM%IR?4_HejXPL0 zJ0Ab)L8e#^xmRuMicr9wadNVK1@3E_N*Du{gu*&p5cWem1-ib2`F5C>I3Aj62OF03 za4ncTDT{Rpd|i#I<6RHnuRoI20kw3%kg4rEhIuKh(f6xm4{4v}mZe8a)H+;a=@i zeIc&8lbeS(^*7?yTA(w>T1YrFhxlV-nBCTpkC&c-IyKw(xJ^`-7s2BTN+B zKp*9y8?MVLj|l@F<7N?7 z#?)ZaF=8^??C(zWC<@s)o~QU2Gt-&uF`~n};&4D%SX=xE| zag@e>hs_e2RXf=jz!U5ziy67|)*oU7x0fOIr}`fPe!PqOq=keO53~Hy$rXnnM_F_9U}yp31f}39q%gYoFEkyiy9~ zCFf;4XsH+KknE6g=0&Wr+S5WUAN33H0;d!SO^ayp`J~q^h*Qh4NorVeJeaeli?x3R ze(~U&g~yS$lnqv8Mq_>|jRA3S84pIX6b0)qKqNg*J}@sQJy@+lPe~8=%i#DaW{~`f zQv0IK02uGO2pG$+l631rQanP_CFl2<^X^iR6z;DwxTjx9g|yq+f%Dg(T;TqI1L+fg z3s_d4Xhnc*1r8Jj^jm%6dL(>OeWKO2u7o~ulGZ1t+nTbEHrwZb22rd}R=Ln0kWuLm z8Q>|&!|o(aAfNTksA)rJexj4Wa+rFmal0P1mZpa4dBGP zHkg(s^rL+*yEc-{GX z)89e-D4(9h<5_p4cwS|g%=~N8q@sCOIXR7F`Vyq4aHuJo@}^?O$R3i)POo7fY_lPR zObb2Wa~opdT|Z5e;^vUDJ}Q!zPZY zFrABYljLuffWVTKlPg*}HM!#4ih6(pQ4QnX+&C|CD+aYw&&4SZ+YUl+xc3@0V=flC zl)nTzXuON(*$btuB);Xt*ha!j4r@g*Q$xH<`4SfmGKpCs7L&5l!tyV1F18lFfV^wl zN@wu~?@tK1mh{%hMFlDDX8^09f?=)RO%p(D;DVvB}(ZRn|YDt^wp96sOzse}{aA zW^Ak=rB>$9()?|u(iPdT!})8N?kVF<%2NVA<=vxC_N!yAa>xa(<~`lnNi{s!#NL)z z(vzTY88VFc(ATN^^*=``ycK3QDtl2Pgb$Oh<>NC_r&_x>>*QQjkVi| zhLn?dopPWifXhYYL><08eh1kUJU#gNXY%<}d{TwNJ9N#q(657qF14Sh1wWr% z3=2f*Hz0;oY+#Nx?fog%L>$#&78vQ>w)eduY*C(Rv$27bJ^^{UN@b8hQP_MxSY>#C4co$=_3%ox>pz^{MvxFA?o}Wih z43d!|Li_3|3)cyGG7C9Ff$}i}V?_!oi;HZ^e33tsui?t3OM^aSbN_B&bK{cw6(BmV zK*5=Xl~~GD@m;@x@o^2!bfb(kfE>n2h7C|!49_}b1Epyez`HF0%?%q-PG%QCNG!Gj z9&iJ%li9*Ar8&*)VzIhMnavlW)5G3N|0F;xhZ&QQkY`ZHq+#!}l4SbABT!6tC_Py` zQXrp9t-=tP1$_~ft_zh00&Ho-+f!yJBjEBq2*H8j{X-;wtiM7EYmJO)Bh?odMxoaO zH$Yk?N)6hnC|3A>(P*ori%gU39$vUctEZY8HI(9*j;EWJp(WqtU6X_8r>L&Md%D4+ zKdM|ojc`BLFvglb9E&w5O{>cN$0%VYS{Tlts13VY%VXVrhx}DWA}qwAtt)%Q07p^! z{}%737r)aUA}v9%q7OcM!_oB>?>Yvhw9HsZDZif0FSlabIf;8>Ir)xUipX z4z9E<5m8G%;;{|MWV#2x;iC2{!^>@GM2WSz-#LLY(ApN1=2w5HVlX|fB1frGk)!)I#a@|}l2;x8?v*M6*O}|`Hm@uGoMeQ$u z5K4BR`hnC8mvePQhh4EVd%$5Ke4elh!!BM3f!=1Z9u!!XseZves%z#Y0j38W`y{7% zJ#w?x)69^Y3VqLeQbN#3pi}?;K)F>AWqvDV=xpl4xdY!sAu>Ti1TolRI2t`r4PkY6 zB3m+dZN1>yZpo^=M&7D48+@B4qWjfSpPRUE^}UKEB4LSx8PLz!Qsz6J(UcZ3HN~3j zJ%O?rWZWX0jI2O8awU9i-Rw273M`3Op3M9K6<<64W=pm>G*{p@>@Y|4=GZ93SId_v5b`gWRcq4YU+p<97uHvhY1! zL3l=8U`m?t8f34#$K-D1p(v*3(>~s!pOl=DHx@Ogx3qh9vc*B zu75S3Teob6*+&ReF?3>5sZmEF3 zQR-?_q+Jp#mXVP}-DKQCM*NMIIT;=~lzajE!YF>rei^kP=@04#J*X_O!jzhqc0wzn z<&~AmN(_t5AU!{WbS^)-<-5eRFxThxO5;*>y-vq(naj49EcW;KLL)PTpwKqVujN_Ilj z9zw?wVw{sX6-kH+SK7;6LKYw&7AS~sfs*uawsHj55EBRjgdYMRYy`6aG;^~`8Oo58 z@FsSa0ChW@%v1QHi?D;GMxPG9+O=9nUp2&+W`7W%q1r8|Q0?OI8zO*Ne(kowMULIv z7~Ws)H3Mt6phC4D!i<61xha4Fc#mksdb;ww+!@t6$ch?w!4Z=xLP@P4TAgGN$$Ou8 z(94+`>r54?uj>o-7J7Uy~Tt#+IJ@cVo_J{T&opYK472!irk7e_YRIvPOo zll@h7K!`D4yz61pd?WY``;oAs3NseX`89}r3J~q@AC%(!#hNRej)(EJuo&ODH9dtX zQ8ED?&dDUbm1=_KDqRIaT;{rU5a2BvQO0mB$d-W+2~}N56;(psM&41CWpwBV!xgHS zx0430XwqhOGGnFF*j*qxLQHa`*c`O96n(^JNF`S&&9=&N_n}xb444!cickFXr*yho zq0&Y2{alK1bWuHnSn<&QeEGdCRwFeo())+=l$^t`HTHRWSh%=ih!zF{Vn_D^ zA}=2oWkxl@d&zBkA}Tf9B|)i>C@W%ffs8_r`f3iPCv)Gk%Otg|s&|0`84u8jb>*4j zqB$;?R!B!gTd7`60cMr8zv4Ko87$6_S%!qga8@YxZH=RXc-MgSPmy)PhD+gbPXzl+ z2WiMBetw0>Ud%wH?cqBelv?0A5A0wjW#IBdzvTSTrWi(}yQpQ)yTEk*hsfa9lb?)N z-+U3)r(77#6W$VgbppLb>~Y@M7CYAL-S@S z{9evf>b8O&n0;C0bgf!#Q1#Spa5_#yK7#@x_lr`F`7vnh*}x`XvuM9n|Cy3FRCN$k zXnY?*)?n@bCPlA-l*FJxlXmOr{$LQzzR-aSyE1AsmknORBETr>s0OwT5}9DW4~B$U8w4Yc7ST z_c1wv5%d^Ug4csQu#u@ilzblmDuk#9Im_7wI~kev0`GGJ>8e6C#6XO6LUrRW10?J6t}Z`Gei0yPb;)-^SMgP+N$T5$l2ca26L^#GdXADKlt8k;2%S%xibMG=)b zck0#X%>d(9{`@@y_AgaEr=Xs~modo}{*jP~T7fjc%%=3NlTEr*jRvVD{=lZ?r(!Wf zu#ohkWre$Up@Cz%B9f}`yQ0jhQvOwqD&FudN*9?l0Ou-G3oxyKIM_Kp7@7x=Ck3EH zC%9s7mSo{`z4oyPXaAxq8A$TcjeFHPIOi5zkI zJVNPG+7hiF<`G=8gY{AOveFGD#C1{8U}@Jywd+s6jS?Dk0wCjE*2F0rI7C5EfoA(q zE!Bd5L3Y%MZ49NrqEVDwT#%_O=6;zpA|PsqR4}8G%xVP9KF&Nt6!zw{CTYtZs6F2V zN`)80wfLDfw=o#)2kZ_BwTc@MzwGgZj1fA>?$yeEY5P`q#0G=89A|yXpyb+T6U?3gAd0!1&$~l?zE-x=&8# zYEYuy^b%`DiKPSPhJu+}w}HZ;t)9b}&T_U!PJe!l7>iO0@j7JE zX3^pr8B|NxXbKzM#jWdeI{u#Np&I8%iR002z@!#isz!+c%7yU2KAx*<3=|I4_{9M= z9v!OD#Ux%bBF1)UQOPWIU$BAM7&>>*@ehn{+{WA!UiV1lr22rHqPwm1W!4ny! z{6#|i0uG0`kXUN#T@P*w-pAZt@m{Fi-T!>*ioHfKa4xB%0Rq{jJK*R&{fNH=B7s-& z7BV>kCzZz-xdDwVi~Dnxuc#b`1bZgXHGNSBNrK0Jf&yHf&w+HTR7U~jw$Z&-%4yW% z=)Bs85M=O3_6hD4JCwfwmVKsG^vNQGY7mu-_(+`&@% zNc&cVzM?ZcTZ1NH`x6J;KlYKKkL)G0H)_)GmN5FkQ8HhfgEda(c61Z_^l1m*%`yk= z#rYV}sp$7gXYt3-z0>u|W8MmBIq3k|VFvTZ038^cfnQReg#?X_VNFxA@BtJox z{`6;b$;lNU5;+<;9(&lmIMuuooH4!&+0sd** zx)MoxwppL_pdn)6zO7?b!b#?Du61)FNfX{SpP;ABl{L;L9{4JY_rJi!3im^?o!|1h zh(B+~Nm!hfxtM&gBIxM@n)VKH=KK_y7UEwSr8=ZDDNE_?d~OUp*O=!k%G=z?%7m8} za_R5wQYFQmR}?35GfLX$8hBZe*rjoWnl8*psL9V?7(U<=lT9&iBIL)rZLgJ;wbI4W z0M@N^5-Zt`Ntlt%+8<@d0s%k!4^%``VnxCmi}?{|HMghm*7{%b2qX*|!;3%qi#as3$J?IN(`CS!wT+1{=h&|pY)bNtfpA-Sl9%)6wvPa<*g%*HdY>S1| zw@5UqU{12yjnZ)H#4@SZJ)jD7-+B<|4F zA|YXM&i9Q4B0IWgeJ&nZ-o7M4JdXEvoqkztEEFbe!WIrw!(A9M-rK5tKqv$PE2Lul zLHZqaq4%6Z*(#Wb=k<6izbmm3%EZ6r;tLtc5CJImQJCUT)=J2ri-;xfB`=TJX>xuJ zR0GH(t*lb|A~eQw#xe0WX@d!kqRRRuUTu??bdf4qI<$ZRXZEM7alUwm>%H$@@sfn6 z5J2h#i}w@jSMWP(5RhkY3|Gu0lp9k?k8~x!%2w;P;tcSa4^x2%4?sk-@U9p zeZ2^wgl=MzW>lV=7OW^ss%#5>sHo*}ww)YxB1E1h21*F%D{l%>^gkzAWHf)-!<_Gf zX**XZBJkZp5PW16DZyR!PMWd0h617LkR{p^ZJ7|yUEkln@Aw;PAMbzr#4n|s-|U`& zqirG!BI#31@ttNKa?{^1?9CEt#$389>B=TkoybEe>E-GMAgZ z5o*HI*;+GGISbxO<$w$Hi-)gX>>Gw2neKJc!^DM9sysV4V%)8%*x{K~XXh>(caW2K zsiEV~>8mrV(#P5E>z+?!U=}A+j-pB2rWenCJ>`Me34eTTH>0Ii_T7s_Wa`|EhPM6~ zBY|`3N(5O10*q-!h9)s@Q+@${(0CVu97^7)=pI**8sDsw_DJ*|z`+cX+S_o&7f6m* z$<+^W0q_c(G(nvypu)-;pDE(bg7Q&x6zs{DI}3)5=}g6rXz#_rpYrNX9LwYK2x`a? z3sDIsNSxz@BM`vC&>czEz1-3bo=Ze}olY)>&&iz<<0b?cyAsaz-d2>!7g#Vmp=3Ft(eTB4IC$k9IL4c5z;5;11fsBv>Y=shy9Eppuw^vn`zJU8-GOJtt4E;%b z8G~p#^f|vnRjNbSPVzgn9>^Laz6^D5w=97StBPziLcU|;jiU-*mELgXTVAMslziYP z&pHxVkaTZT$L?9>k>!QY$RJ917+D${_0h7d<<}wDR>+?p+6-3lq}#Wm$5;lqUU^J} zh6|nX^6dHLZu|S6zv1GAR&FUG5u=Sy45$Ew?k+xNsXv@r6TF#|n9Ng@LitI56 zXA|!#i;}w4ZV5yxPNXv38-gE1O-48yEaJoZwyT`!US?6lCCy(18hxmDe+5=byqk3=C^}jkSF4FJW1lmQHw8-Y_3@DM)r!90w@WL@-W&1 z#yK6lccOM10;&|g=o2T}lfXOnfO&@0T8@hAXm?K4WN`^D}z005BF>@B;9AF!yX{0Sbu!KE0)F zZM)E4)<(ac$TBoO(opw$%QN|5fK$6I&uJZ+*GT%+c>B=!C>62F!f3&VU;$HXl*&?l z!h7949gKxjW+>&>?Zf>6kC9S4o=w-Ze-KGujbU>-7%tXXaBxp=1(>SBS#Umg3lAFF z11+$kaG|l^U|M4pBe9lAz(<9C^17o=CzYD`m}MNckzRK)vRn-gLSUg8l?8|NiyC+< zGpk5M3*E1MMm25050XDJ#e=V#sfWQ;gO+f08sK4VLa&qTlilYAAmB(YnV!hNsn z^0WVM_TD}|uBzG_PtvrV(w37#3jqoY5G2T3A_WrKLJmpj8A%{oiiJX{25SYB3TJ4r zFG)Ew(!(&dSH=lflI?{m&f zQb4cQ-|vsdk2G`k>)LCtz1G@mue~-JC?WZkgrs*9{uML{-iL%@h|q)VS7=_u-VwJ{ z9`ScC$6XFs8F3ms39Voe&^R`JEw@|PC)M{!yJ|DHhAN?5c*5INe#oodZ}-blltPij zzaOr??977tqr~e6402rRp{{1pa|prBl?_etH&%bzZCD*kA}oWJJO!=(fn{2$9}zn6 zQARnF^xRjF;=fT-x%$(|&8tVb^Yn1uXE2bw91OkmU@p#{m?h2Pegw#N#HNb!qUNLJ z#z61P*Z1tcH2H_7o|i25i3o^Ts6}mJ?h5&l;jCb*I|oU1 zsl+&fIT=`=pmlyGffW@?bWW^k>+B;Xt3_zcQJq72mWl0Mfd2A0rH~DK2v)Oz#SMc1 zkw2q244?+ymQtTFrGnr*VfSJcsg3B?;Lqy*59~o$!jwmuZf)y;V7*HG?3GgK?HZLl z(a9`^CKJZ8fTIq&gDf96Drt%JN?Ao<~B~6LXwrDAr|OmIKBsIJKH5$ z`74J2*^7d9?;`vgJ+{)Ae?T&q;$H$mO@R_XUcCXEAU3j*0F@a^7j zqk_~{arIy?p4*RxpvtL+prPSZ1nqETVwZ+?s?uANz4=E49zs)9)G>;l5fuF}T~^JB zY)K>haQQ1dY{Z7#W-Qdd(yrMcP~k_N`7s;lDj?ws$e^-;R80ptF#d-r_?H-{37YKe zwI?D$q=XC<#CPOCYuUX>gn9!t4t{|p$C@o*fAbJ!(c8Y)+f|jMQ=hxg_6i@fZuu6f zp|*!Vd8h>NBLlf#p)iP+FXDxWG@K-+qX1$!w7zF&&n!zsp-x}7T&MNaHa3u55O3xr!F9#WcDPT zmLe{#J5U@u7b|rvS{B;SAt{)-3Yk>*4KI=!bpV%2Uz7Mo+VCzy@6cS@V91h1qi<X_6)1FF zJ+z3z=vyd~?Io^%Y6QByKCnaRQ zbJFYxD}A6)gsfm~q9*FTgVY4}?bw0YG47G%!!H-s+2Sv(%+c;DaLol=CB2Mcn{=pB z*pXbeI!;=pT8tJFf#g6|dh<}V@@5&y(;Ufhs3@J$oXKt7@c@aA=y9G0dz(blRYI4I zEgsq!S+U)F2OE0^|JXfem%&$RXt}hM3n715oMDmL!mmdm4C!A!suw_ZU*JY(pI1iRn3S2o`nz04xkHtg7%F z1^$NaK~O^Pgi%Yo5*Z_b+`r5KeOU75Y$vyv-`dNkh?^9GakURE@}DyF9|T1{I<(05 zrAS{;MDEs<&?3+R%AW&c~x)dUrtplHw_sqlKir_r!tuYn17DRu^NorpQkUsIB0OV$>^mpAwQ41Z8rk25Q{=d5wFL~0$12GwMm2N_M(9?2hN z^7U?D9hw5sz7uSqUY6RJJz>K)?k*IdEzB+?_xBJdf`zTrLL`!W8enIW(l+1hR6l7g zfjt##PpY|1?VY&%r;n3i)Vi<+L&DLIuD78z^`f=nJv7UDC!m@=xS>3GfbG2)2am1G z9|A}q;qph4wCYf<%%-Og%qTE*L&(prS1bwsvxF}F(6Xscc3i^APW}yyZwu;Q#TKRo zbkup?yEt2Q%3&uwH8b-KU5gH`UjL4%Kat8yo-Q`CxeFkcXiMjKVrKlyE}?UI4`7fm zAXmdIaNsJN20gF8x@GEJ($vz^GS}_O9GE%pjh0L^EX(S2!CU-pnfo|V1a9P%)3_Yl zgsEJQK|*BZJHbw8d%FwnM;Yn&QhzfA`x{j)WBPjI=&!|U*^VKLX%PHTNybcN4c6!Z zPUjX{Ibg^NmF=r}&BU#7C=%2S8cKZ>Xee5gP-x-CXO?2_YxpR(kJs93slLzz#pR5< zMp#pHQGxv+J-7_9=`e3jc6NDvpRpJ8EH0dBr4B+l*aT?>#oLp4bx>Dbzs>ev^WG~Y z#|wiHN`U3Hy>qX9e?5lTrVe`YlS7>n=Z_~LheEl^#uYR7ORZCryOOy?X6YL;Y%@Se zyT@@L^)61$-1ggPF|g8faU-XSK~6dT#dukH5QV zVgLeP{`8W3s%3U>!sJI+6HnNx^mAWsP}RS%dh z%KJj39=zj=@;GlLu<^dS-OG~<1>28ss8=%R)Spmh2)>?V+u4s-26KJ@+E8>wHR!j< z&RvGahV3sE^mitUblw!sHI0N=JT;)gcy?jAe~)BkE1UebfolK4fyv<414K?){%T=( z15M-PYcA$RkRfF^q3ou~4p$S_D$&rkDV{$QWdxbgG6OA};w+Y*jNAzk9`VqFF5|!JD+XLyECk{TkFq^Xqpx^b3tsK>B1Qw8+>F8z z=4eAbk%m@DLz_%PnqbvUjn#4Iwz|X^XL_G0#)*M>U8iHX|NI&(F!R*}%R!vwoYm zw<39_!)CnQBa%}z7z64rv;$>##MHve6>FUb8a*h8jVnC7OaK=&fphl; zfz0chKs`~aa`3b~C3U7yFFj<*=@I;jBwLR$drh`e^BtSM@Q+J;-pC5D{w z&lpO;Ss1JcaokHoWij=lfm&4w=dl2$swLAE%Y7Z$0ezr<;QR?dE<~2O4#Xx<{+U9FbXGgT}&8EO#9C=w3A=9(JH$<``aYPrhv~`5enX~4H*&)dw6|97QygA!-mBbGXs3!B zn-qS>BIC!?99&+JkwfQG<8AkI=>EcCdJo5W!vog0`YOv2aeJ5Ty#A3jYu*O~%*D0e|zg&nwjwt;L)cvj$S*nth}6r>8T3BX9-fClmpz-qS> zSwvX!b7Z4;vatvo?c+Dn8+7^#wyzw0*iFbr)Au48g;pF86hof{fZ2f66GG`ZM?=|= zLTM>P_jW0iUofPEEhVN0CCXG5smAh@HiB6xJ3tO?ZG-GprTG#0hcjnv zY{%i;!b)9>kth7OZyuEb0ex0J3Sb!1&U6ndh8Ov1PEjIzetEn9R{QaHB1veXuc$6=u3#IR zTaEsWJcmzUjz<9IJK=T5%9002{e(Y*W??He5&*8NHdqwktkm=P#uWn4^*A3BoSj~d zQc{l|&k1;71g0K(M6;b0tl}-LD&wn0mm)qa_xalfAnN>Tp%?8r^S)%pi&p>baF<8^$9;o#rvI$Km2TNO%%J4@I zK$&6WkTdE|J)}b$UD>@a1RegCuaRW-cQRv~#@O|vME~eNq_61x?P}5#%D|`tMulgo zAcOMbC!6sk~bHLH&?kJA_atVv@uk6Q}QbtV(kv7vvmmz*w*l4TT|T z<(XZUe!!2(dbzG$WY6JJuE5y8?=<1656RkRrCZ@%<* zJN^xP2qL*-B$saz8Q_!gFsiHO&a~Lty}<|#gQR1w$4B8VwT(lZS-<~pzDwr2FM?q! z{Xak7e?ouzp6^E^(Cl-*pEZR(#C+3V#GZv4me{1iH_b}_5S0V@k7XQDY<|ToACK$7 zLOT#yxHR_a8<^$V5#J~9_`t^SK?pkTnY)kAuDhfZM#|DjDM_LgQVQ_ZvkKK z;odISJ%KJkjokY%yqK_uxeBWvE~(h8eV@S7Vc=1Yv#QYu3h^GSswN!?yvpk?@-5n4 z)Um8MOS zhfXmLEUM39J&3gk4{TzVaLiRX(LGL@!}D=aJ}>~6Y2)g%O zP43~QqEe-%vZ7p&kaX_k;skgQWWC)&a@uzG|#))a@Wi#W+=E zdI=!My%TUJ?ntEx(`dq58Y^?1h%pjGu5>i^P`{48PZ}g>Q(!E#eHAqyLtkZT3xdF9 zx}~5I^r$p%F$zWxV4~`KOUeDoT6%-aJpMZx_Zq6KGzGf&mAxx((`Fp#>Kt$O8JeN=72@ws4GBggZucbv56eEL7%r}WxCij%r=w9dfvk}k!Ahq~0!<0i4E)1X{{^b6no`Ss*nmWF z1O(Ie>`kiyN+;t;Ng|gWh#$gCp#NW_d)=6R^@a;fH^KH;LCB*JDVBRWvg;@*^gRPd z?k*I1U?Q=eSqxXJf;(3A0XO617ib);BCf?4h&Vle4m|_8_!qGUl4H~<-b&3g$#RM* z?Xh$sOrBCBsbrT7(wRG%S$f(_Ks_`V&lnVnQh4!w1zZ^c8EXaPnRJ~2 zB9FKvMNnaCRx+%|Fv)cA8`_hVY8t-y@kmanDd6*kL6_`d{P0xtM!O&vt{i{e$WUhxC8+4Bg`oWV)C79^`cc2^bO)ek48E0tna6lY2v>1Wd zPXU2dHt6mb05RNjY?rgkBG|+@kQ+coxCCZF!Gac2|Egg}nCioomcS?SQTd_OIE}Bstw#F;((6NGQrXMUE9}_t71AYvdWaSTI1`u* zuhxpah7<10GGJ8~>{!<|ZYD+9r4WdSRt-g4DJ=&4ObUCaSeH8a31Q==*Pt1lz?GEg zsEZVQ$nK39%(eOAmnp499N)3_%=SjNXSKXRMD$5Xv*uCEN>M87+rVwAFgD=fTvJ~~ zd85rxUSQCwU;tt=nD5~-IR(-$GyT_sTC=FTfne&RBT_aoEurylxaVXj>lT8Qb_BYf zn2bty_n|$~(5EIvVE>qaI)m4gWgr5UCO<6)ifPm_n6B@W14`Ksu??-9_aMJm9zZ|; zJ>pp$3ta?W6Am={%Ch@tqp(_^fvAx0-u>|XK%9v!J0NXsF}~ySD9(E+@-nA8{i1f^em<$+4v$Oh>nUv zeM{JeKGR1(k>0PC-p_?T37w&c$A2=cY1kV(me(gk1b_^V1R0=&(R=mH2}7Q|(4kmC zfFRwyX_d5idsz%u2(H^#QFi2M55?eM)+{^Xe3NH#7tM{2 zsOwV^J?Us8iFp0UJY^J>MZvYQVnNhy$c}O6 zY@>dg5=2TcAwGaVU7@RUpl$$z0_ zWXbshUPEljfmWKHi;2vPSWiQlwPG_q%(CGQeCN~l^6ttCGF7W}bD%p3=Kw?7qI(2< z{_BV&nD8G8)}S8W$pRqWGq{-mf~UmWcuA%hXM!%-jjh~UNpNuJrYtlZV_uTZmO|6z zqS_G}A-vcz2JLErg~F+|C>*pN$N?T*(ke+u)Ro^xk-_y*1dweZ{TxcZkE{QLmwYVPxndiW>{gObPSL zRBHlQGESwpyBf|tXu#Wju$6ujKY%i$K+AJR!OR)kk)E~Ihr@CEuLtAR053yF#-BaW zIT~;ESlMad8@OYhxd1oSCrX3{B;R```V@uDYT2yk!!+EdFh;DW`?`B`#}oPxJkHZW zOw#xO<_sX^(?x)(UP>t9tPkpoj?}4#tQ8WRuY@3uGNT|C-i%O;zK+gi7EGA6aw|)4 zNkKT(DfJHp1ov#nc9vNHDa%;>BF^pM^GiRuxa>K z$(jJSbdQlGAr}Ry9f8pp8#EGgWQS=6i`h&b!Sav{#hWoH0o%|?Xc{X!D0Sy;=uR&f zy#vP_j8WbO>PP22qAjxOOjHFw zHCzmKkO&B;OXh_&fgz_Tw_4{`=y4X;eFxNL-F;!rh+%X8pmQsS&87Hc-I2rQ-llU$ z4V!zT&K*5$?iD&WHf%2aX4x-d3<{MMkEmAX?l)}iemZyTu(_{5(6D9P%pa!ZM|AG^ zVRP@)x%&^B`!$^#S`4Ez=;~af>lBaZBAsh2UB$V4HHa`DFl@iPeaBpSsezS1VT<|@DL{RW z1q?Y4DX>HrFcdwcz#Lt`5cQA(XX*lmu7?z0@Grt(NP9?uU6^bZFw{Myz>~UwA@Csu zcqND}7#bf^;8tD0kaG)XrHTl@v&fP%$wuJxk1Ki8iZ_QV$`<*s!>ce!2{WN1| zHTEz41S6asUiR~or**p@nReu|{r&a%BSIN9ZNGa@Mg!}(>$6%Ooi^TT`K{CW;EHjT zxW4A?x?l;tSjADZ5}48d2h2Uezh2-eYJ)I~_%J{Wdq2g50O{}Y~maN@}v z!O#h}Fj!q1;@`<)hMQ-?T6^$d%dGO4mHIZa@Y!8H*s_%0ybg`a#nvr1s*FVygDpvB zh*PSycE*UomR5clQ|=L(xygkRxz1oHG(G7=r}q=KmleJMnATX`fm? z@P-`6OuV}-`@IhS&NdH1AdgFAXY7aRfnRNvw`bgvGaPGeos7mk5kvmeSZUggXDjc{ zR-Q9b8bP%xum3GP7lYtQyAV_I(wcFIY_VnwY+CnSjeo4RXW%|Pu6sV52i;F+$N6^l zmUdS4b|2aO30%EuZ_ZBqc5Ak>!(QIUbQ`)zcLNf?)|wsn348f^mAHFq_c3tdsG8P2 z8Gpu=xo7fEd2;`rhD(xQ5hr1IW%=*`Y-dz;!NeCkl1k}v6L9Y1nG3h$iqt({+CBLb>UBO^fCMI-E>*o~}r_ZKU(mu>0UGiK5CxEJxok+%L? zfWmV}+1WXgcL~0(A8lvn%2yk{&W+jG+46N3zLt%#vzNnu{0gW zy?#lUkiGPdGCTY4m%YwO+B5e0qcx`}L1shw{$;nnHI~VS`*hZ*` zn%?fJB~!iiZ#w7zHbsOuyYytMM_{#XdJqT_8!aN5{Rxr%@)HnYl&-z%53b$3+6MM$Z>Z{{q}QQYRg%2@-%SQlvJxnICEVB<1F zjxqN_dcyf6qNO8rk@)y3K17}O5f0cNQ1>TkagxAZiR>cy1;UH2zoIq!xpD@t>k(kU zY3c84-Q8SB^||qBrzBso?jBLOZrUM>{)oi#Y15NVNY1Meg6?=kP=4K4F}iUZya89l z%iNjNz?CW_u`>l8Z&yX~5N1O+Pu`k8MOw}FEUuWIyea=HZRExnip`Cap;<_EVFf3R!EI|~?Cilo-;45JR|p0S7#MkX|<;i8D@ShgLs z_A$j6Q2jqbThn2P5iLqXh+Ug@t_&(;)Ys0Ht){+0)lH#HYqi%3G-ra|rQ>$2O^a!A6L^F8;vC2ol#o=mEF;FGE2};E^}ip}P0^zQ&b*Y(QZ6 zqs#lUm3=#(YAN59{83mfL<6cFfOOm|uk@b~GKKopQ{Tr28Dvj|%&>I*Lp;@CZ0dcU zt;_s~0V2YW)c7x)Y5R}k#)OI11X`J+?#9#6<|15!u@RW7ynY++CnTOSjD_)V8vnTT zbf-1L$;8}|jyngOp zD9_})n?0u-u3uZN#16p)%z=&1E^Tl+BhmSlzXJ|U^|H?(F3VnxId?yjUSmG_Tz&+? zOho$*v4Q!WHM4`A9^=1_2)!@^?UDM3Y})w7^^lp*3wAHl<{raFq8Sa?y*J`t zX*XZ5DcJ}TTk^kQ@=agpL&~G2HclQN^3gRTjfa)<{~6iObhI*n>2K&=Cz3^4BB+

yfI+Z#J!NuMWaI zzLR8j2l)MRW1HGsY2bkK9>;G(AMW@Tv$W*{eA8uQlhvLQQq6T@#S1*|Q@+U(d6_hF_~NzfK;ZlQJzvE)qduf=wM%aY-=F-u zB)A@P8fzv)UzVaz^xKNFjh#VWwsrfYryrAu~PQ3FvfNeO-?}W|BgV zpOeO(=U^7B_So7tp*&y_hc1ElP36aCp{n(_&{0F-oFU=#-Q|ll{@-@(QVUL zv5ok52A#V5l#w^L?Rat&e%g1-p9MY8TQbTjIo^B(UtF+QStG?DqTeHBLV?cYY6bBt8T!i)4-X@-X^sbd33^6Y;raw96Yo7G`kz}8_#noA|Xd9B!eP6a~k+a zIPqQble6$sDW|1y{fQ+tBB~4c?#suNtcfGY5gRNHSoa+B8ELUqk?4!>&m3G3S&E$J z8ot%Rz`xdqj`@8_f)Cmd<30obV~k(*wGebfW7?6FqxtYnMnY~+L8p?vJCXEf35DpV zZQK@g1$eFN?w!mT^dDzl=Y6Pm0*z*;zaPV#`xfmjtC0KL%a%VSs)+prPWx%tt47#; z)htw?SN!R(R1+(sk^^a`!&i|nThCW!w z8=@MaM=qJJ3G*3)u9x4$JA~Zd+V@-3!%#2Nk6LW2kS9cB(VnFX-7K6bb;(M ze-GS&{~6pdR9{aahu`Th|DX@Q&so9ckUH`c5@$oBb>W*-Gyi^vzxH>h2(=)GNp3HD z`@2GcN;dn@w^e6AZ@ayAn;~$9tiZ&vECrlr%P0Tzp)*G7JkC@`e;i336}BvbuFd)N zba52w{_&pH2tDk5a9X_U5Ab(k$fKBvapb2e_6bx!WDq_V_Am$3mn?;`1~t?Vk>zK5 zYa%IR&@58ab`X9_wiUzFlu9N7Il>izW1pNAxFHT*%jICC#;_`Uo0Qy$YVi4*@Ea)u zdl13ej*MojeG<@F6to9A`H&~qjJ_6zzJBs)e-Za- z8c8jcP)%F|f0BLWY!UF#7mE-5Pf=%fotv>8#ypCz)UvvruTj@`t?-P({Ws9mU`5`d z!A~)J=wu09@LaFuP4KMVrh1{#L7~J`eMfl>kOPS+y8-*3Ve=Y+(zPIz&Eapcd zsgCi%cprN=botF|As5qqDa7^!?!$vqZ0_rr#BsYs!>}Knod2WkG8j)t%fXYBGw9ph zgRJa2=%=b%9IieGPJ7p4xdybK97xCR-L?rzZc!5KD zrQ=%w_f=~=L{@^AiC*lHJdHe4Sz?2rFz~e9zFWJ*koRdX{&`c@cA<3ys=`kXJb`6D9j_EBf}pt=k5VpqqNP22YyMh+B7^^(x@^ccLpd z*(GCcsY8A0I_kLzpDDez7<+<@#Wr+Pk-ME5_*Co+pVW5${dgtlOhL+OD$m76h%+^zUb-c$G^cYKWGt8l*7t_V$e9R*#^>dNxp$m>L9jP*q%BRBPK({Hbp z$es0i{;m)tlF;q z2mEF>YQzCANC>?7Usu@qcqk{(6ncA_mhrtG@bi`}weyF*ac}hxKV|6Q8O?47|KEc* z<5dvFd7DBCr)|C{E@qN81L@Hn{K%Ki?#+mW-l-O{waobd^ljCnH}@+;*YlVCSiuXt zvb|J}qK14-e(PiDSnO*PY&ZO|m`2zR?Yk`teUq>A_5HW#4C#Oa`Kq)rabGl(c)XI(RsX~!dOUhxWv?UeBj;yUq0b_FzWS9b z%VVx-w~gRQ)WvmgTX?kbezy!q-;d$P9x~n4dHkr?MMiBp$V|+g_kf40{HbXooS#^o7dY#7&szI45`R!D77E{$iDP2f%}+=6?D> zpDNC%=lNZOy@;)+d!Hc3yy&%Ob?y($tLg-aJE2b(9|^CyxC%L4_wQAs5y-Dz5tS&s zN+oAbZWA#RM5Dk4LmdWb+MPyCgI=^Gy}|ttc!cckBR8aP0C!0fRs-gY zG*-4=KNiCvD<=ikrq3hK%2sH94gSUX-iD&9n5*ErE1fWmJ|ZX}@GCZjM&=!l&s_h^ zAS&*ma%wuLGpk&VYT)^-X|)fN!2OpxWy@R94E%NSq4Y z+rz7&1GrsbaW*60$6>r(J{tQOGbEzQ!QZBq9ky-VOC!wp95OFIV;;*zzx(|Hbh)Zs z@jJEvFFdQ2%7bpUW5+3t^usLjGH;8`8t}EWz^k=ekAs($Dob4r#{21-U9AipnLH6T zPRD<>=esfnfD1UAU3MGd`Iyc=F8JX~yK@NZIV`aBvo_P7JWIB8$u@WZp5B$EKB<0j^ zd<>HH)%nxVZ_Lv~yz2e+8hc^Rg{d_fa0^St^=zA3A+6`az^qNG?rH+{EirRi{=XK~VeRK7C=-bB8AGvjr zj-+hl*T|~~4))aUib^k_8Lt*w|LVnr)XqZNy zy|r+nhYLA`OK%>%yKI1coNg+1C)fjV%``FxpJTd{kGmk3MS35t78?LAwB2Z4wfQD+$Z*c3PpF&K zKeRvZ`ii`uc7ySfgTT8xPSWq7KDTdL&aVWXs~$8X`X-4&vIQU2)>|V#u_=q=Cvt8g z6vwH%d=yefOJ$isNB!X=`J?{^ooqY5$S=?db-B5(t_kO7_7+>~GS~nNix&%jUqF8z z|6v?@f<;W%@W?(!UTE>+>HtOvjR;G!5wQjI-Q8_*d}kQMu&4D-)L!IZ7}X6`&@C&o zWnUN?GKouN*mQw6_G;_@IUKVMeuyC7-<1dO9{t?cpC3YBzoH(;2flgZTz`P{IE7Rn zGkQA?zg~?)Mz`J_JUXUI{m)H8*cC;mMnV|Gsm8$G34G$}+G|D9&>xy#E95QSiut)m zhf769ux}}ETY4^V*12Q*-!e8rU%6j@q6+x7%&Y5@R~sQpk1SS8If9RG$Xwzii}~IW zr`A0ufm2B88guk@?~wJLqn*f$ROA?(L4P8P>^v@lfA+*+P;mB&h47jAk+RXkCfZ z_#nq52ePwRs?ckDmp$64L`RPPN{8ZQE9_O6&8J5`fuDRV@h@u*K7ZThhW4d&GPfkw zjY6!J8zZM6c$JM8I`Kuv<<90CDP&Lo=G5K=_+~j(FDpE;-@@Kt zM>givBl!+KOhT^Q&u`#+mofJI$o7^i27*6a=Z=f#LEb!wcasxx!=lOU`*S?7uW<0^ z#53?vNg`U){_p?2C2Z4PpOJSu6Y!^s4?0BJ!+oC6OAo!?AKjjgy8D$J8oY-5?)mtt zH7w|Cx0QL#kxS=JU6vkvnnL^;hMgawlb^HN@$fDDiYo7r9sQ`cB`P*gBqo_8Gvj>G zHRMTF9A#=A_J*#zDM2gj4uwQIi}dfu{r%D+5hoRva-o;{tu8?(^H14y&N^T^ZlA z9QfW!{pHSI;EiwmJ>4vz-@Is1()_-PN*?uws_A)PPqEC^iApE$sD% z0=kcTPth}De&}Zx+7(wp$9YoV?rZy;O8#-l4f|zaZ`G!e;9vM}+0M+{?eKluVmOX> z2@$e>>D#6U;Cq!?e%S^=G$LfNA#d|`I$5T6$K@3TxG#$D@tsU68Q8jGJ_>%{{xN+& zF9G=3T28h%Pe8~2kU7rWfjMi|K`A9g@X4o1y9N@Fi@NA|-x9ij<=+lR5#a8@!W$>J z*I|B2%{p}%bZzlH4c}{!A6{g~FU^m-H$riF;0k{I#hA)DC_vnx0|NAkY4eEY)9EiPqbt_WRKFI9`-)bcWn_$G+?!J}H`{Il-wgG&cpS(4S)U-o0KCi4tCqgZ2e^LyvIBL?u@A3gj<(O3 zMHY!C3XiK(NPdl~;;J=-9KSuAuyYX4mtTMT|G)5oo7U*<4MRB~^5+w`A?ybpXXn2F z9O9YgIDY>Z`t*~R+q+jGzxHEb*Eb15?!1yzD#rcqTG}qUwTwcJrr8;*4>3q$VaZ=L zZs@z)_M4(`5~~Su&;9U+z5TW~{{i1n3;%ki-uiYtx{g&rae*ZWP9oqEOr`ROm#KrZh$15?{IMOX$4WHMFL#63p7K2=WXCoXI zMM%svs_ z`1SMO2SMzU`DteN0X(?#ySWk%a=06d7_Q-&(2GR^Q<{NWhGO}2YCWjr({Z(zFThv# z=$r344gX3%Z9%~l^WdFp5-t~9120^ou&*8bAup$7PzJhFW|D}<`C#x;3*E7J+}Eyd zi=Q$R|L@&V`m(+OpVv~UFH6 z%qdgoCj-2nk68mh8Hm2ihmJO0(DF(`n@OsR&-msbx60;xat#ajU?Re>l@Gq>>CTLa zZ9i$4o89FbNWs3N4NU_>hp;y)Opd<(kxMuy}H0E?pa9=rSjXm{4?)BRuux~Cqw%ZebE?nd(eo+s5$Zdyd z?(g6aNU+~|-;dwT^3U2olMcT(tbbd}OU#cQU#in7guSCGvEkLw-&YKOs%h23UfBII zrJX0CyIfK$oy9o~uj}38!-O8|Y2ULSzDf4^dosS48-}sttXu%#bQJ=x=H=D{S_ABJZ{B_v2pp0-Ygi>g4Z(FWMc~*lLC65|TfBVOR0^mzjJXd52Gs*k2e|}Z0 z#h$d-f6V?zG?KCGu~a%6avG<5s^szgPWryD*;>dTC)V`-Q`V&uC&!hiDZp)c-+7ll zfNmhIej~i(H;s&62>5F|ih0-lz7xj4t%n~Lyf}jV%ZY8NJJ`3<3ESncEiB-Di|*v| zo6vpEoxK&2hdhd657p);a6(vd>FuFP-7z z=Y-!Aq02rtgd7)-0<$=ckhWV_S6DF_#N>u1$GkoA@)KXX#}nb}@CAP1y+I>e>dX(U z#CtLd9a0fZ03LK6KArI%y38TgV!(QGT`#b?s~vctz-4q6pR>Aoe7_d*FfnYa54qu< zil&A23#|t)IDD>SI-N>FQ#&-1!7E-IcJY4-UaubSR(DwndA@7i@rpYbWQD;*cR~p9OrG z*~}_k;XosA7X(s5aj!%pt=A`IKp*sLj_8vC@AD4WZB$4|!K_^irhUHDlcp8|9b!k3!Y zluHCbZ#o(8v1b5#m`h)+6+DS~gSro?-q5=>G_)q~p+085KVJO={p-@onvtX~>`PqF z_n7+y@=NZC)uF&c-Dg?~f2%NvSieZ*BJdn)>W{@iyjfq1SIruhEBpw9D@i z*NX<+YvtWzC0j68>~xoFnHungwpFo{29t=rv|61hg!)^4BlOQRyr-zL`g72KemTqE z5J$froynduu|Pgu>Pc%I{J{I2ZKVNtZz*wWxCU`9Rvl#?TY__GJ**S|9XUjSj<1nH z8hGBS(N`_Ga31*7Izk!HvtovVzaOQeF1^gs@5b{vDOofJT*dZnVE19*r0_%!o_+Ak zT93I8{l$ILVb*l);$e}COIO-$w*{WJtQ+j#gF3Ka_*)l$b~>>mUl(}KuDnBIT?+Cy z|13o1N3cI^UUV)+6X$FF@&(R2@JHqxM6?fMKY{Fn*$L=>uXwK>H-g@xu|pbcMu-_v&wFJgC( zz2;kPVBRdNUe)w0_CqBtKelKT`TE=4tVif)_D0c75)lkydi-;_Hv0PUQc8*BECqSI zJ5i0wOtP^*qW#M$=zMv7zZ*|8Nzmro8kbOiy?;L}Z~%^{2t{e^fi5}sBw*Jpl|}j^ z>P7c$1Fuvb-?|?2@Ph5G`}5%s+>D9#nXATms6HJV0$$gUJZDMJ$6DkI&qUorojL!- zrmq-#AKEB6b2-?v&UP%A3O%5A{0O~C7W=9ctTyfRL7l5QRGf`_7_Bz5cLcio_a9}6 z%a9KqJvMyW89CJYe%|IcS@^v&Q)3mQG~_K!LavWOAG&-$si&v~y4WaJy~82sg|~V+ zIqtHE%^vgZ-KZPWgP+^1FS3Zs7WaKzOgg#O_I04v3x3Yo<)YWiF@Ln4Jb!)z_+a-( z#gotpt_7z9E-3**_*UX}k>T}*k8+p+8wqBKw!RPrbB9ki!{JANq@&);E31-9`ucf=9ntW1?bJ6n?rjrr*X%7KGh#{NLsHn zJzTC6VsXZL?rb0UL(Z8XV;jZx4NSsNu_Y3favlAlr#j`Wh4te3AA<2I+;JFD5 zy9Ei%pA}#HvcMHO3jV&C4&!9S0`W8T!4 zhu0LJGo--9CJg-eGFR*1fqU@%man{_c?o+Izg@WfYK%s-oE~ZC09U_vOjq5JfjR%7 zkD6h?-$q(2j$z!Vd%~$ZL-LT5S-~D9j@*#9MrN#l0(`ivyYy?@Da0pOmH#iK&^XRIarnGY#=f}0k@xdBZ%2lh zmi!yx)9Cw+Y*t~B@L8{Qysk7N7SH5NISgM=D@))faBo^pX!AGpH%s9whM}+UeH>a> zdhceCINJ?0>0tDY-7!zs!Y{8;e_80@1szQI%Jk1n_})vGv4a1CM{UUF4R*%dhn$<> zy%+GUB#RDKBJZ{T^3a=`z%ja$iKoKRXYM$Qmz+esxLo$k_#gPz+PEIB%q7^nZ}R89 z00sKyuV!jvEBf`G1LIZjCy!}Po-FRgJ~Hn>NqOX>)nm?weMkat{1yA^bTsBGWR`HR zk%cbtd+PM48t&!X%w7lhB^!$$RGY)sZ}v^@~SZG?W(5-fE#9k`C^b5TuNN7z-7*C)(2#f&;K%+Lk|=d`2m z^}d1M6^A_^X9#LJ_UUH_3-^%A=FnhN7vS? z=);=)*Uv8hkGl7OZsK^`#b;*aZa~Hc8?dRS*#--D!+Tgpd$wNF#-W5PAqC)CBlHvrRI|@B4rE+wKN1bim66=$GjY6-jf#1h}va#!)^1zi39WzD&?+6L{6~!OpJ%}FP{#>>R)+LUm zc&Ef+ec;bc)6Z1^j_38y~Z-JN$ft zyYIZ|*f-HBc;zGbQ;wJZ@#*-b*uT1D;nbSk7c@xp%i zfldxgI@S;G1x@5tYFuDX0s9Kij2*IPVLj|8b({Axcn*H= ziRE-<2#*K z{k}UBi0`D-SmFp+i{HKad9CdN?4RqW->glz2tCpIRjJO9tK}9v-cla>n2O5Y?t88j z-cwEebwcez=&g3^u6_zX&(7oDPyK6)JBc6t&9&GWnD>ZBgW~$YpYy$aM`k*{|LC{z zVP-kZ%hPk?aysHYj4wBJn}>Y`&m+fl>m3cdnr$cC(rKMvN6_C zZ+om+*8#YvPrYXerLkXQT;}=NQzGHW34Ss@9DMVv{?}K^e8)(yzZ)g?#CqiUxMz(k z&Bt?UL|tkZ4tktE_T$=Ij@+KP`2=un?w|^O6W)T(=l^o2-5GpGZ{w{;c{TC75S!bb z`5F4*argZ{Rr(P7VNIXCoDY9xy`X{DU%tTa5&d-RUhF=6N5xTh^7~k)xORK7{sH*- zw`mJJb0*<^%V#sw{q4TMC7x7_3N<{ZLp42E5`2-o;$6$_qwlOFF$#2=jr{Z zKYz@FRU@&E+56B>_m9G_HTlWh&&}8`IbImpVg3{RZrTb-x>&`M_I4&NUr768oX5Pj%$nhkxRO4}SGJi~jxA zWpa<*7@u#}4%;>j-=U6Ner;YP{HQC47%>>%=kM_LZa3^BeEH;v_cg5J-?}v-bo&u} z$LE)QzwY}6epdfwnHyihKR$clN&nAuWT)YS#@@hB3n$GVzP2{}q&H(;)e3{3@qFd_ zm$5%&{r%A|{&WY~Gi(unzd``mJB*RmAriYt2bK8Rvn0Gp~-d8w~j!d4BtM zLBKzgE?$@meA;eCXZJRJ9o$WwyE!h_S?WmwJUukzJx#T^1zjk zC*t=Me(f+~1^m$aP8Bum6zM@mtjarO`2p{lyfV!E(j9sxa#rfIMed~Dyx)T&DBh=A z`AN%L@C(rX4+0Kg{cVnK{z(2l&`*zsF0Twf=&@fW9Da&J{wY%02P;XB+JC zKj%dz&i@?mU-n$k!#5td;dRT9WY}lXHLFbd4(l%NXNGio0zc#8fI(M0E@R#3b)SZ&V96_d;2zHDxv)y*V9+fN46gGXOs@dI?CsVnkQi&NpY>)SHB*O^~JE& z*W=gV`_otURw#fTdz-SL`XL>@Yg2L1v!!@%^slHVKUZMDk1sdR+Xa8Yr+fbhh?FR`xhNu5&57xcyY;4@(jW9%=UP;g@qT!3ZrXua zji0!Y!_S`UuC>5-j=EfVb{qcosRM;a?b-=sQrVCPQ((vKnUxuAo{aB=7DV^BR|9_L zg8Tc6#$$bG!R*c3zQ8`s&4cf-HF%$FZ&&|`@MqujXkKq`MSKUh-c92i?CWU2yu#gE zVV~gP+g$?B;eEw~wT?32(`j=fDlb|OIiFVJ4>R;?r&Daz>W{%U-D=&s)dTOtPQUu? z2k?^^PkwXn0{jwdj{o}NMv{&s<+lI($Jy@WMpCQoA$K7UBdeYJVlVK<-n0unvA(ZA z{na0(&*@0{$z#_%U4-}56Hm{0fpv!KFM1hPe1?5+wpOKvECip`X0Pw#-p%hp*tjFu z=X#>nm5boZ_xfkQ+E)(#Hp|mC5lCO$ahvX^_py()*V4BOfY(U#)DBI+*YBBcoLT(^ z?9b00roZyS{=Tr+9cMs4wSWC%-Otb9ccgY_-9H8Y!N|ie=gyyv^=99Tt5_NQ{?s0Q z+ilPvIW-;QZ@^DF^YqP8&F|xT2ggUPJ`TI*=s$076 z6CL^CY*|b70eC-h@K)2b<9Posu;+nmSg*L%uR-;#hdjuyhi|6!w_~4K&oQrK7h|7W z%$e-n^YHysq2-UQvA?$6@wb~3s^L3u85x(Kuf;lwdD`PPm0*XMJ~3UIgMF0W%?`Wy zh?0b|yKc9ghxMU5m&VT9jrZL{D)_y``uqRX@BjW!{SNQ{)bHW`PyH@!WXCO=rgepX zWB=Dv;_u-*C8nicehK+~^Op)OZtuW)-Ohxos~Tf}fALCTH0+k%qoX}H{DAM5jq6bM zgW>RZ=x%oYEYqEw+gW9!+Y0y_cU$JXe+R!ual_K^W&qw7e>1&RGS*|y1&kiyz`B~} zo@!MCli}|RE1ouiK+oLz$Svar7+U8TNPUm2AnuY4GDsZTI?21itsbd_iklEv$bI_ni{d z1N+U-PYJ5NK}UYHhv#?x4*S=~kag9uZu8sF>&p)}#do60zNvf%`g4?*$H}c#vA-?m z!RXh(1M}Y>6P1L0u%&uDeAp)%>&Sl`U)T8{-g~LgV(JAu_LmL0Jg%q~-g{eLe_(~R zg!BrVb?k8x-cS8;&iMt{w~_Vt@}ZX-;Qhxn-}XI*_hHuDyXY^R$M@1U%$(rA9{8X} z1(O|qn0Bv!_+imPtUr_;Gq*bMywAlM8IwN8cUMnUtZttOobR36IO80C$50nE;aDMl zuXJX$FIq#6mOprDc_j8D?f>lizivbBp8R>ohh8l(&Z+el(`u0GyYywh#Jb5Rn>wCZ z{P;IO8XU3t>dC02%6=b4g3wY2Mx3f%|{#&QMt-W#@w;Z$Q!&)n+9~s~MV)+3bQrp_|Rty~ScZEl51~v4n zd@1Mfh9}P$y80ddFH)U2x%jttZYY~w-xt#Hh=iN<<13hc?ICy;E zwj-@NcWz}^)u9D@aimO?{)0Hr{3VSl|GvFi+aJpNe(SZg=c-e4Hnu#!=kW0>(+jUA zrOw#czl;0LI$yjMYNh+L_q~14dx-AE>E_FyRJDIJXl{k? z>y@>i?Q@AWN!~Q7cyP~*wF3PPlb5{^F7` z_uIC#4-KyR-Q%iDAG8zaKWZI3_UDZ|!%koC`N8PfTWhrXrqr7?JN)V#n>Ej)o`*O- zz#2RAlHc1U*NLHT=R<48tnfT?VgDA>)d`lLZqD8`wc1yMSWc%O3(BoJRyNzq_)H(V zc0#$=-Fh_ZvcI?W-uoxorR4{kE1hao^X50!WrKG9y=taUP?yll?mN1Duq)ug-ajU- zp6vJ4YQwzi4}2Qkd1jC6R@SfWjhGE@iFd6d9fqy&y>{zqaK-Wya%Qz@F#7q=SJxWn zv~Q!^w=8H?!C#l#FRbMG>BwyJppeKuFEzxuTKv!9~o_KiEW^Mht>hBQe3n}&?7v#;}= z%z%#*-K$nQvp+qszusJV;Qn1{@2`Gp{=|RwWqNvA#oqUFNSi+Tn?HKr95rkB(t~dX z9mp7Y3l9z^%wq8>U7PTiHRwFW=%bL=Xlq)GrCOgSf_ICpov>{mnqxk(6sRt zhYo4mVcO>8BW}&YcgNM&&)JuFAa!u>hFcoMo~}Im^suS1!Yg@@^XdSrk)2Y zv<&S%_e_J=XI|aj^jYb~L8TU){VgP;%Dlb%8il9Fzd2pbZ|b8K1C!l{6n(a-)Ud)j zKCNb~`ej>_Wv0Gv*Z7#;%^N>@^Zvj#*FRbuHt~;M8K(VnK4`Ys z7Q1)l;j_sTd-r;MVb8gBLx20Qr*Hf#!`#aeN7{}VTR8c35Nm13?Qo*=#}_JI4Byr? zHRs~74u#7u4S4&g&dK+_ZkF=2*{Hky8$4JtXTdiG?@#c#>7H3(nSaQmmHvNR|FHFd zRS!eAb$WQa)S8h4k1e0HImxlTx#4lSvEw6Oc9^iF%QHu{ub5;G;G?AAKxywE?Tj1_=Ri3f*$)cUpV~s)j^$oHgq!FY5ljO>2Co6S1m~| zesD`Yn*3Fd`~j^Jz1|yFL*MA|hu>M-oO>KF{-w|IyEP{C_{cNm+mx~kCkJg9l~&`2 zFDh@z{ILJ^r$Vo0w>PAZiyqM-W7Knf_n?H@%lanlcs1|Lt}dGfE-Y8tsyp=e)3enY zF1=nl?)RoA2EUxV+%ITer;4}FZf|+E))@aKru_8lpY--Q++cp_mv=&|^sTme#{KK# zk4(M!!B^drSkHno6Cw|`4jlU4t@fqP{Frnxb$;H{sYhF$soUVx>9@DiHti5TefsuB z+=V}WKD>h6U3KNeJL~slzHD@{-J;RwO=UW* z9FU>&c+%=mkIR3y=>Jyvt39yBr=GnAJ=QHb(I_|8w`=c3i~4!gy|(Ij{=}+H|L73B zXy^LxYP9J*zVKq`>n&;JyDz)y2#(A8c8S~j9oHTiNlvG<`sG2BE_Jeht~`|#&5c7vi|w;=(Zh(9Gv)z<#dzYy<>mMiw`J#(%U=S zP$|9P=ld%xeDu98X4WvzMop?O_fOjNo(~&zzUws4TvqpT@OQ=2JAC|6%;|2`)_q&% zoZ4=97XO$2!X{-+dR_{SBTuaH!rW5s0sOEh2Q`J478uM+7|?`>xU`#;MLP>RM)3`R zHOzU>a1V1uOBZmz&gEW*`}Md-{TEUw?bLZd_aU9DTGFfb>^!V0>Q(>flA-7I#>0+g z>8EzpZ==D--&lRQMX~y{@^Sk7MREH6<>U3!7RBpVmru~2T$G?cUp`TP zXHlYF2yCb?ySSmgeqfS5dvTJ!Z(y?id2zD7I50)OU~!6me_*Qq^x{^YEHUaE1)20MmzeZ@g3|R9mZa-f1ex`Fmzecuf-L&4mRR)O?iu>l zQ#14rf-?2O(oB6&g)DuorCIvo(%JfUi?j7%ROhU4QRW<|wE9NQNk z@ncj%#It<~5dqPO5uy7NBjTbPMl{;rFrrm-QpE86Nf9;ulOvMmCr8YRPKhX(pAxY> zIyK_x{?v%e(PbkMxLM`_m&nk1|I* z+i#BO6lIB6v(FNti_XAmWt5>@ag?D7i8dq@M;n@v7(@T!7()?>HOwiFHLN9ZhNH!C zhL1_S;aYLL;WdoTVGKjY~JY&&-A! zQJmWCegtqj8^wK6PoZ*4ddmF>gliC>GxVJTw zncUV;)1%N3Il0iVRM*bXsJNYBfKOD+r0G#H>wThQ4o#1aIpY%(^JaQX%+EftG2ofx zb2FlnfA)<|emx^Pxnil9Wb@3JTI!Yl}2Lb>PBK=mB!+X)s4k4YZK>GYa*_xmM?y^HedX%nq7Rf)-LL*7l^gj6^QxO9pdbD z4)H+srsC)8nu@ooHxpm1YbKVe(OisK-(2iiqlGwUeG73zjh5np^)1EoHCl<^uWu#( zUZb@bxuLa~9NI=~zoCt|I<&2LY8sBvLh>$3k zv4iMStD{(TQ%5nrRwuFJrcUDMTAjs(n>vd-YjqL7+SEm4wY!R$o4bm$Yj+d(Z0;uh zT)Vrd-_l)dP^X93WJ?e6o4P&4zqj@j%ZBw5g`K^`sCvD{mOFckQ|k2*ukGw3*00}J z?6Rw`IIMm@anY`RVj0i=;+9?g#pCq{h>v#-5WOM?iZvGw6hk5hiSfG!iCK|@#n!tA zi#;NTh7Mf3X6;+~K(;*iy2#1mDE#jjTui~FjL72B;DD-NtTP7Gf@ zPOMU6yqL9Vy!aqwf;e*h1d)bL6l-prD2@%CBnGdYBp$6dSsb`=ve>=S6tU&zDdLez zQ$@@2sbZtBX=2LKY2s&w>0>7rlg3~}(%8RFT>GsViQW{S_N%o6*qnyg=-@ZGm{P=0dUco`vF? zdW*zsYZi$`)fS5xYZi;0gO`XmH!czN^_Pk()-4rdt1lB z!KOvwRZMpxs+lTA)G~b>5pJT}!%bTvB1{LiMVMxW)iX`rQO|TEtiI`4xB;KZj523W zjxswuqRkyAN1KOu#F!^fjxo>jh&3;n9Bbb05oi8ja-8|9N4)vQ+Eg7O+C+TR-uS zwSGB2*80Rh&Kk5J&RRPl-Wt0g-r6W2!P;~|f^|qhqIJ!JMC;LjhSn(_6K$JtAlkMvCdPL7K#c87Oswttfmqwam^hnoFwPbn8*hs|7;npr zO|UgTm|*K2n`j$*FwwR)wxR9t!G^Yru}QX{4kp=N$0pkX4kg>_#iiKN52e^_ajCX0 zhf-}tacQg84@x>x1d(Y@+;M-4h!95txGH+s-a zuc#tmp`u-0(M5BLql->@#S~qc8dLPxE4IjgT5M4r@3^AWX>mol-tk3!r^OeI^G+yQ zFfE~It#@M4scDHt*Ss4R-JI62=%IH~5uKh?6y%d!RBw86k=ZAusKxY@qTSx9MeV1h z7O}EXBZC5>isuwZ74K{iU3|1Sy7)wcnBvgAF~z0^vBj76#uiU#5LX<%H?DX{gZN^< zz46718zdCl_a+o~Ymiuc12&24pV6M%pwMc`%`C_&%*nRr7z@&~h|$r!(2}2@mrqPa zb77{Xpis(|XKG|gFDOhmTCGxoa-U@}nk{nH0!xm~YAmo2Q;yAEke{8KS(t4vY?hyg zfcy|*$}O~Jn}{hd&uTH|{xjK;kzvU%EXd0%L}T!v^t{{xOY?%l+`NLq?A+{vY@;>X zZZQ+HB|XnxaMy!-;>u;jXw zmb%KjS-=}ykey>8mgY8emEWR`Qs?cKCJvN(Cn+0^%S7i((OPKAE>I>WBQGDb?M#p-M7vMVGUglcuzb4~^-hT_OLHwL8}lx81FdyNDubgw zI~S8;F&83BCU3SD?Z7m<-V`=9S{)WGN*PWyN1m-9J1-YqG3K^#=8+=pg?XST5MiN4 zh-xYRP(0hU3?F~>QF2SAaW>l1v$G4;zA6cv9;Jch358Z^M03&1Y%?FxLS;z#;9?>( zFsf>z$_H8uXfxZHo|9+J#$@Je$(Tix%dNs<61hrarqpY<*f2c>;868RQg5_Y%T06S zW^-48(JHr3%j+n}NKm4{Oa%%PDdZ%RyCu&~)Cfynx)!#B?Z8$_Gu0gOgyks1z*$v$ zG*M$^DZuGNp#zDnWHI9!qclt<77V=EVzH52Of4v`(1kAfb4tt>kFezCIWn^f&Bg*F z$`nchjq`DOR$g|xMUn+17Zmpo$)gPQKPt^LtKBWk%a9&#CnZL~h3ixy@egj+5_t8l zoUA2)tn3i9xsYIXo+BeWli0H$tspLQEd--tG3M}&@EV+gOc`>CJ~>so+)Jei23#g` zshL^X*n}pL%0K$4RiTMX*LG@=w*2fINa3ay;>eYy9@vUgh&JO&6W$g4j@-t%dChWF z&Qfo4EOxsw(^9C)Y-?s-es)1t4(gNh+p{xsjRlT;OQG=}X`GrIx!P!O_6D_NV8Fna zvfwX~ZgZF*rZlBcB8~SD+Z?&7dN-Ssbd?a#%2i`Vp3Rb52qwmDeqLjQZP`e|z~ypH zDHFG>UNE_mKFKv@=V^=xQSHdF;F<7D7c52!gS&t8yggxIn} zJ#oQd<}}WATFDr@BR#7yBio94IH_}4kz;`@C-xQ)P*A^)T%*YfZoo4@R|TjrFTJs) z0P(7hZHc;FhZg0t^2`_@$X8wt#mo@5))o+ec?2DaDzt(f^E0ERk_|s1R0%1iXm|O>T&T%hC`C@psz8&tqR`&NVa!J&IL&o9Fx03E z0@Xsm1x@*|N$^6|4aCNU3NOW(#6oztayUt1$RMntwd~F~uA%bsjrlFWo%z{(HtfV` zu}d|ARvfm%3?nAcER80>PJRnpffVMCRIpTfLB3Ub9#_8>PDscvMS?EnC;lUu50Vs_ zG`cJP((|?{IUjr5Q#?8YQBV7vM42#?A*$8WGNYT3VKo6Rv`WWYC|> zDaZw2Kqz7$2!tJHNSET<^LMQUx zaF&qjx2r+~bI*xa=H&FeynHi8y8u*BBEcM$U1&+SHFnl2aTXK`v7{Gf=I5ba{sc%D zNwjjdP*Sdg6D8NLj-J&1LL(QT;DPLd7Wg6~dZY?SRHRhl)W{NMm1T}1`s`Nl zNCsyRN3N>YGc77%s$?cT7&&CPAa_vaKIsuo?PpiiyPT!5IYSk(N@FG5Vc`lz?S)#Y z0!~yDR+1eGDv`B>i~I#Sn)7lLg#xQmYA&BRrBj-mlccbQT>u(#pe#V`=(95x<^k+s zNOldha9yazIcb_eofNbvwAmZG+L*bZOQ|5AU>U7(2nm}ORsm0NjVv@PajMM(Na`vE zZALQ~EK`O%Dz%tod%cA8FF9IjP9;`?S!x_wzyW|pdpVgI_*~Z0SAh;Jrim`xl zB}0WP4=8YMra@5S#%8qJn}Ovd#7Gof&T$gwYZ)5@=Rz$=@VKP7!5CW_a}km!%?QLD zhd}@yyvrO>D)tpG4VwQruInotGPdUO7issTzDLH@b1UJ-$%YRnpU> z7*19Yf2wtv&Rd<4oi1q|$a<@TyPq)0>G@U;MwAF?OjHaARPTUjmxcy)Hi(jIbGcU^ ztBjSRn-%*s+YDhK`wXPPP>l?EXw*CIyyMg)jj2+PL}#4W()02;gwke4V;UFR8si7i zr3pe#;QU^;Xk=U99Z99alpG_x1uC|5nNB_)g*K_jP#jXnT?kZiq(J~f31e!tc~Nt6 z>f~+!m>aTVpacRh;R|$mB%A>*Za$SQoTRVDX!Ibf5M{jnnNJpBCFlkNqX-69YU0BM zJ2b;>2 z2++=16@&!?ESK;E8Q*cnkx7(D)(Qq#dWsByVS56Da$`kKbqX#ivvw;9Og<5kZu*xr z1<5*VksZ!jPU-fYT4cvEe+Fz$DNR+ReDL{DK$d0Z!&6)Ugk0Ewz)W>Tsfw1?K#$_P z&4Z(r%Ww$-NgN8G4reK90TWApCv9|)3{k?(3Yi&IajiO16mnF1E&+A9XI3M8eI*~2 z<3LoF5e6`z8XWStD`+O+c~r**nZlyL4tcp~j_gk`S)kD@idm!ZJ#n2QTVWHDXSCR4 z4Z%T!+*Zk7fQopJkVlz$MFS~Nf)B3TURC?2XIWsKD)5Pmj(4lIa|$VuONvoQu!UMw zWp|B}WX4gW)yGN7RiZ@A!!E-~4O6I=ve9aT_eU`UxIe;T%!h>H6hx3_|Bq=l?k$&P zgG6rGaP3R}lnhKpuGyYtY-}OMcXQzZ_AEz%8D2D=C_RS@RhJ?K+^ryyUcLnmB~TBR z2v82WoTw2b%9m6m6=bwRg-Ia@e|SVRV;c@8DOze@KCG{N#i_=Ze@w7U<V{J(?RkWBn#vu#0;k~;(|P+r?_f8l_E=If-KI?&{%;NFHAQnY$@GwCF-;?6>gJK z{?R&2U9JTlblF(3Ma9MuPCZJTlTB2Cri_`|u6H;^Nd;ix4g;7R#-=dAxkrPfTeBf_ zWTKEqPHmSQqAWVf~EX$+c!drrJq5gdr?9 zRA!O=B(l(wI6xT#ZAuh{DrtAwPxp@)Zai>$lF1vMz;t2;X~?o)mM==J8X@s?r*}qS zrV@gUGk<127F;0%IZ30FW()wROm?Fys)?8#vWUS7soEWvI7vAGp<7(yoYSVsN8*%c z(qJiGYKy|sQXIE!cu@#>_*1gLDew%y+>ur={xfO*Gpj2$a<07s6th%d;wTCB~;$iW>%W?LdDi~X@~@=F#;MRDs(Fe z61fm3CP~?8L(Z3^A%US^)d`Z&h#c)A0wtA!hvh>Ya0e}(qZGiGiHw=twW}!;k_o!S z+KXfX0c3DzIR_cewmL;CXBWP70tS$I34jn1mN;|Bn1%ZJp)L6!6`e?`l8fQI^gOKgDju*Bv9d^3lU$pN;eZ!KE2Vf! zT<;~f8D~amHq<)I7QW~W9^tDTlHG(A2sKe1U-ceC2)b36RZ<3OiXFC6iF*HyRkX}d zCyLh99tD>Y9Jw6+^5tQ^*MfT`u;RlPzTg0nNK>-O$h)#uL02x5tHwBaSdHP@&_yq3 zF1&&qV1+CReXCh{lqFq@e! zXWHJ8zU0D`S?IZnrtHMIIEbib9o9<040!GuL#OzcK~@ znaV@!nyNHL(mGmkS$``K0FL%7r}~uqgk}Y#$OYi#bDE)fybeu2HoMK1$2T$=iUxeHay#0UBV~il<+08@Zrip zx|#53PHYnR!4Rtvs?IeLOm;e?NeKf{ii2j!wMz@d7%_PYL3o8+>AK`~p-I^#qgaHf-8IRjghI3`n<*Qeur`9_ zazJ3N(-q4`l|4MpsR7lTe8uA3+){)yt3BP`l#6{CT{p{uDe2NIpc-YfhdjtK#8635 zYq4vhLX7I9NJty{7Tb?dl?09eYVyzxO=YM?8qc8EYv501<6Frkc{M|hQTCL94CNJk zlvQlQ!e&|AzyXBdPGRzIGRZko7)KBu*1qJX5y@O~!ec0SEZalXL-=yD30q&diKUs$ z|FEkFghMp1-lccE&wSa4r!|d+BH%;9k+BP-{Uc4GFpipCi@6lRQ)C+bPwDxVrr48# zfpK}PYk8#?CDWx9Sg;(7r4kAMG>`Zqp=;GnOr@Z%5~=Eb3u5jWT@d|UV}=7NY~;OkmGcut8N$Y zLxbo-&2S;OZ`wei0%JPI$7o$H-^=2f@(z8-dO@<9{>y9}>SJ{p{11l}Hfp$5=`zB| zAd8s)n8A^oXDToP?{YiTwH8hY+Q!p&61Yj>ViNvKs$y}wrf}aH7y?bkj#=4H?3(-^ zAa}_ub}YkT|0U;Th${zoq?c&)J1W7oFo@${QPw+oTx24Ug=?aU%QU)jO;p&JyMi;U zdCf``RHaC|@n54|mEb!Wc&#uwu}4W-kA5fBiC>&j-nC6|j6vfXu^)wRHsXZ~-@yu; zc$8g8u0$gl0X(~l-w93lcUzt_hP3-f_W7!2oXZv<$p)~&-h)`xayK*Pb6Z;G4<(-O z=909t(;k-#@C19~Y@3ZMMW^r4xgP{;??~Z5Uz0n0#X-fRD8~CIGqJSY#zorjOnm1; zwv_`FX_K2vs&i=nE%F@~k4qL+hPgy(76(+83_@KJWdcH*<+T}Ec}V7&8s$1e|487- zTr&>g*w89cpoIn`wc6y(MkOlZ69to9QsVFUj8%(PE$%8`wK(p6;OjcZ4DR~NG^TUw z+7${G2X&RJB7tJNds3=U? zj9fC313xE6G>GmLgyjqbL1s!Fm$$=6TRemQ(rYuwYm!1 zI8|UhT)l-6WR%=E??y<5w;GA(XQd`bc#Xu^7#dmwsa&N>{pUzd8rc%-_^LD52qhx>92Nh7BqG$s zI`F9ErY(>iwAg^Croh{Rbq}n3b48%~nmI_468Mt1X7KZ{y3^eZkG*Q{siP$C@xx9H zZKUKk9=Nknne}&4Bz&nB*JPcRiEk0nVx9X<@ID1hIJKBov)%51hR|BYCz=me$rwrM zyO=rFJfpNdMj9=2fT$4)^nxP*7}$xIu;+}cAwCk4KM!}D5~SjM(U134+GnQ>rT^F#JskEFVZ)1-0!Sd02FWq1Pg}z}TF>g`*L^`ZAWX+ehUGty*;(keZ-v z@5nb}OS2kVf(0c<5fFvCyMoM zqLk!%kvph$N-@(U6IQN?yJKX&(^$v}cloP|+C0f4`LBr(Z7xELd*GFqRy2xL1)RnM zn#j{)WI|RmDzxZ|veYPUZfIt*>&ut_1L1+4JCe@rI~VpF&=YGAIi%{qZtVwj?o^2Q z0i6etEL&qsJwrU{H?U`6_fCb~+7IkTy7%eQR}Lwe@Ch5zq5Z(lg?;+=>DZZcF6u|* zTKLCp-s#gmdWejm8<-E7%tlgQGMqLcgl%H`>0vU89uPhd4hpA)jcgh%MLLo0q%4N9Zf` z6Z#7Sgn_~!VJAT^$!q$Y?jnPQA;M6hNEjvz7e)vpg*S8#r2<}sA$Z+|G$qYQb25|c zqO-^h!UREB#=4RgiQCAc{3INkC3rAT=Ec035A$WESZP*<>6srZ%lugYE62*SKo-O*u!^h_3uYm#GONO> zvTCe4tHDB9O;(H5W_4Iy7RJI^1gppDvq)xO4OkS5W-%<5#j$vnz!F(Qmc)`-3QJ{a zOk_r8V(HAxEG&a%vMiR(8nMRA%5qpP%VRdygyl0kD_{=Rlr>|`Sqs*ZwPLMV8`hTf zV!c@()|VBscC0<6JN7;Mf%Rkk*#I_>4Pt}Y5H^ne$ZoKo*w5@H z`-R8sC4EJQlC8ovVY{$H z*d^>1_6U20p{$4vW5d}9c7VnR(L#=pE940_Ay$YJ;)MhuQD`V63CTi=kSe4JqF@wE zLb_lUEJB8mDP#%RLL;HEU=;MW`xN6Kdi^RS~3!jAvWe4z`o+V!PQMwwLW=``H0@ zkR4)&*%5Y>9b?DY33igb$KGd4=`y;UuAnRFD!Q6h5Go3lgkYf*EltZ%J@unysXq;% zPkPc`)KBmgN(l`~5;;T<(L(n1-*9bb2yK|P6)Okj(J*}`UF zj!WLntu#T>$8|X$FAdC@;g|WgWx|wdFTWL9A zoG@OPAZ(-C=?=P+mKP=plZ45_8n%|LW9!*zp}J5*$Rt@Ln=~Sg3Eng!xg?KFC!f;K z=z01%y+AM0OY}0mLa)*<=r#H!{fd4~zoFmK>-0PNJ)KN{pg+RyJAF)_&_C#(^eKHtkJ01w1U*ULqwmvG^aDDDo~9qtkLVft zF+EE^q37sH@*a7goFX5P)8s?4imWDU$Q&}4%p>#30NWkI7l`2{}hTC7+S=w~ zz9rYmcjSBW1No8MAU~0x$xZSLxkY{@x5*uHm)s-w$pi9`{6-#;-^pY0g#1DNBu~jR z@|=t!ql6daC3!{u!Y^LGCU3}FLg*s0m@FYn$uhE>RDVa`^}doY!;h}ncIT7S|seGGuUi44Kufc&J*4fjteJ*V?ry^hO{Pap#>j7GQ41a zF)ky1hkSU+{+1-gWA>cAVy`86(TnsUy-8p4zA#!S1s%4Q9uoRu#;QOXR3>xSTowX} z98Qu+Dyar3kwWIN`78|*+eSu0W|<(hGDtc&mFwV+_$D{!l~J@hsX;Le5WjoT1424E9LYJ&&GG8tR zhjQuY3HiwN%z7r%`Dx(Bea2#$;&6 z80gC;E*h~Z^kai}G-jHnU!$O3V};t#ZFQjG!i3U-Hzarm$ne>c6yHONA>jfb;l@L< zm4jrP1c_E263v~C64Ie3EYKIS9PpK-eK+9AEzAQNqb0P54SK^4t-*Ck6G>wf2xEc_f&@G_+0c}Q0-v0h8^>kT~s2nbp}T7EX-1LcvGO^2at7k@;x-cN^%4G;vuv|T_Em5(0yZo0AJCU&;?T0*()uU5lPqKXfts_RaT<|^&^Y+&19Wg>=%MM*L0j2<=$Br?U1-04Z6IUfB8XjR3epGv57 z8TpoSB+HR2$F)~A{Q9+oXjRlYj`k6z(e7j{8A$uXVsHm)9t8wF1_*i_aI_oamV^#y zyC0DEP~h%CK(~W|!AB^VbRbY~AE0iIzk2|IcLXYL2VBlEc_-KmBCvmXSQQ-qb6Y|W z^dABXqq1ZJRDn%U0SLc7P=6$Fe={I{ZWqWlhHM?kmPR&gkg}5fPze@B9PA5jA#fYR zAz2TyB_i7pvOSUq+oLpW5pU)J3&&HkPkdn2a65u2(@?oj8mF$bwurS)N81gaD z!FalWIS3VI(R}g*SYbHqwt2K2thx5WXS62pVh^&74W$QYkq{4T)laxg`wD~UCfHg( zDoDR1`VWN__?)f+ZYcTJ6SBP@r27)KSCZ#k2EQ+iCuJZtr_c$6YdS6q2SFOvgXD^Y z?8}D)YyjyO1uMd!NvEcePpSkQ&SYGB2pW-d_GC7Tyny95hOVWPCCZ-!&B&=An1#ty zpDEFOE=g4AJ_nS)j|>3%>kkY#kRAZ4lr>^Yfy;=oz|s&3K#`ltcm&4LX>>N31${A= zOe7c^Xf(SYv(6Srj? zqZGTKlre&eQ^va>m2rZMRVKNhm5Bn!D@BUtRB_7y4Y~YRNcMkKfBttc&~e~-83l1Y z>&6BOhZH?KjB!*%8P~O?p>5yQv?GN7f1JcMv5ov^UCdF&zw6?Wz+oQ&V{yBfqb#nM z>%ulHshNw|U?G8UeJpF^q3ktn!8(%qf{evnwXstRkD{uD>Z*mER%zyc)W2N&zN>M$ zw&j}k|2{4IU+Y*|yZ)PI{l7=Asz{paS2)T9j*kzLzHB0UKqs+9#EGnB9a{!kmg`sn zD45b2u=NK32YUi*wt zBUm5JO6X4hO$V#mSJu4$@9SGx({hVwAnc{}@L#Nf#k3Z_jCJq;tYTsCQ*bTJ{i>?= z?L?f~m+RgGu$!E^_tXEj_8nDH{VLy6m%pk`m5-}48My{Q%IT?8=cQiN#(1fX@lv1Ur8dS(ZH$-N z7%#OiURr%#`~&opUYL{%RjyJqDk=}7ZoECE_{mp^a`RCGzC5~;T3jtpnHnRg0i7D~ zPy?Q7z*h~FQUc7)5#k6b?FcF32+=!2{2U==9U=aXkN`(WRYyn-Y1kG!D06rUopE$> z=)xR2Ok=nsqzZ2jrqj)#^L6M-@n$|7MwK58&Q#X}z-PC5g zc`Jj%s8S2{D(%qKb?EBLl_+%?lsolSy{dEL6^1t8|3ZRvQlF!>Rc;~m(rW=l&>%|9 z!r?msk2_@Y%g=x%be|H&U%@%z06rJbJojT>eb|yo=Kbty1;ms4{ci#cbB`Dqiz$~uGo&Y(uMdZy7We#F6 zgPlPxML2(Y=>_NT3C`gYoWrN7CggPvpWqxm!8v>y--EQA^}0Fhb$7pyY=ZmdXoCyL3uFb;|RgPo#96@;seVUZ<4TDdly_^K{DdbZUJ{KXpn! zbxJ>VN!CcsL+P)F(qENmRH{+Q#zX0shcbU291?-5JjyCpf91+`D39kF zlwSjtYmj{PRNCjIUX^xwDed%9+UcdV(_6{st>p7o@_8%yyp?=DNGXEFsS5cQ0dX25~P7D6k?!09J25O=rlZ>4>bPy!P~^! zA+-Tlp2WvrB2pcl-f&!VuX(km&VLfoiB?cUx>646hW~g)da2D+pNGduBkc`boaG1! zb%ew_LL~K>f)e~UhvW;FJQq?V#c?4;P-0~u#qYT^;#V$;_?62ce&s@lU%9-ykfOA7 zT)dwIAn}7pR0~K*lE+9$k_RN5!~^9xT;zfBY9LSz1gU|#Y9LGvgsXuFM+lex7ZT*w zCrBy}cY+rNNf{?~xYR3E1A-dRsR3^_AZSs7n;NHc=GRhn&Qy0TpNAIWt&k>7S6T~| z(L#P&sH_(9*FphWsGJrmuZF1B3CgrMt$kE$AJy7Nwf0f1ebiGctF@GBV?cehR9`Jr zN(*T{qFRrr)@G`;nL67XsFe-ULKU@8B`p-Jg+jDYWi3=i3)R#@>Qr~4wY9i9TBxoT z3e!U2TBx2Ds;`A2wU9vzHPAv)S}0lz#b}{eEflAP;qShD&wevqbiPSII82Qfg==0 zO&qmw)W%T5FYaMZ(5A4en(1C9nbqHsjxh`|wyBMwJAjszTuI2z(e!jX(4 z1xG55G#nxhj0-X0NXKEuVZo7sBNIm!j%*x_a5TnY#gT&}7e^ir8;&M8@-eI!LyGaE z7(a^fqZm7iv2(-tdhi439vEW}M9vEW*`32+`kY7N4 z{IWYgNiot%isuOeY7zugg*{|E1!7M+OBvjxup7dj2zg@AJ*(rWfdj=nQOa}I2*^6% zR6zyc)V(Wchnt=Oj8l;ug6Zt#&?#zI(YjPYA>|aTSPlkiWt4y-E~g?-s)Bi{LV2nJ zd0JYLxJ(u5Ocm-(73x5v;bV1O!@Gv7dPUY8lu4i(`UZ<#lCD5NQ7V#k1tlVxR{W~Q zE6PT)sCc}hY>2FE1j&%%@!TrmS3V;A%Dcd?l8*pa-T{8k%@BU&hAO{u1B73>^}(;) z^x#)+ckpWfx&nlYlLtQq^HT^vdGV7cKULx5a_^CDq7=(k9z)u))s&nHf5CheD z@RKJ$dGV7sKl$*JFB~t#5mL<&5*Ie!bH=j9(EqSJwV>b(>V$O-+ypFNE7x+$wXSki z(}R@z2<0j$*Ffb8Uyhd}B-jxW5;nf#jAdr|3_u~>0Z_9k}Hd23O5xdR8Rx;r0LbkWT=ygO{b8jPN7bnLYz9))KhI^ z)f#5Xvs62n`6$&3Dsu>|&P8{D#D`53fJkuil0t%X)=6hM##;*eOXmRTTuwTdm(GFG zxr21>D4k1F`9h>iW#uAAR*~Tn#y`hMZPIP79UOLglmoLlN8SoA>Lx|w zs>EX!qru!9Xfx9F2JEH=g^gR=mH(OAcwAk zLs!wEtK`rHJ9HrqU1f)^ibGe`p{wT5Rd?uWICP;7T}_9smP1$Dp{wK2MLKi_hpvG` z7v<1JJ9IG)U93YF2dYur1Cq0q)0VqRQj#x}$4I_V9;m1$X@nT8#?)5>k!rx8u^q@y zWk&Q}3+mv!R9#t`pNDE1KoW?lvhS0DcO)k$4>0ZxF5_rvDMM)~Lun~P zX(7CGpYYE8!aMg5@7z}zB)mk9q!SLruhdDw_U#KFU>nf%+V zJiG$oH8^;9C9Z3g@G4x_DdGM|6LAc}k)edsajgz8z<=YF$JaoZ*TchW@O%;1CAd~l z^6+p)B@Yi*LYO~`hl3I3&*I@Z2=hPQo`Xu5Ulk&Cu5GB!C2iT`-(ASsLWhel*~{q| z*4%HZ^UdiNR$u~CJYHB+u>FU}uK%^hhrw@!Z^T{?Zsgqiapi)`legD?o@c+eK4`$v%T3qhj@@=Y zxO(rz;I?~f|2_G`g_ryf`?NkQJ>|cDGFvT8s!Fd!5+00_&UyJ!Y7M#*wL_P_I=5j^ z-XseFQ6@^_BnmOfg; zOwS)_CLYah}a}1aS{i-U_cN9CK&Jo6P(2m118A^ zKQM`44H#m;JPd@5Va;M#@8aP1eWy;{Tle<8l1TFQz4!a=m1_FdsZ*z_PF0;cb?VQ( zrEuxP@4MoL?|X) z`rt!1Y?*xHSH3>qeBF1Xu2kBc;!4w7sdS1G+Qb)ui=B$sTs>B+mb^~mc%`0`0~f~{Kl7%@gBC7n=QUGJiesK&reb?#1;lW;`r0pYvJs)@=pRO`A4(uYW!M zI?qdAx(OC_2M~Mp(7YvP3~s#)MKAc@&$ogDwX1)O$|2xY6Iu7hdQU$n! za5ummhI=2}C(rjg@1jbX#g= zZ>3sqSKnQ^##FUGr8ui-V1N z?UYxpEEZR5o$kyc<$ARYVsfmRw`z6ca8Lk7-yVENx;u2WQ&J9fbB7%3<`61%p;kQx zlKdW*{p6q?spglKd_CYRcR*W@lvYn>n;(C4tS~Z*yCd*v5}tPCWz)PJ4A=GJ&^|v4 zgIiOsX2JZvzH2?_YjO(Qd94i|2;O#Gi<6uB2}PdH7D^K%nj>5&iBrkLxL``Y8tKjL z?$ftJIL?d9d*{_Vk>90n2j_4O6l^tL*qG#HFvdTdpBWDbADSre+bbGJaV>?|=kZML z`}bTMe!kM%x>`S8Z`@qJqN{@1^@V1!bR697?d#t;uxs~KgM0GBBRD$i_4ay4F6jp6 z(gFlM)*d_PqYLFq3H0|>E4A`9-Zp>kR1+=O{7piy)QO%HQm@>M5NV6%0&r!4d+6Q- zJ5?-!;o(>l?$ow~$7@c2VfC2=f=Ux_v=#(pE7J`RYE*#HiZqd8^(VmK%cCZ{(z+!; zo4CC5Gm!EUG)eIVWx*#_3iyyIF3HEm!og(}F3)W5l6Z3w-@b^?rhq#zgEaBA5qOg7 zX|)p-yT_`H9dM{S-@#Yt!b*iA6n`77Q~t5l#l=d?+fw%0jneT-$1gSNbqKUrJcT0O za--e325RMEwN~-Vm3FCB#n{k_;WHG-i;ZTbzV)r%Terbofotn0$NXjkf)_~^--bgx zt+!!+UyB!J`^{oCPK6*)35(1kKm)FK76CRHj)fZF!g8h7ti=e&VK)oVD`uYb2 zAn$wngLhoY8N3Tl2h1Qoar9kqEF5$yrDFk(eJ756C!M9zN`PbEiDTc1(^w4Y*mvUa zouwf?`7KxMujI8=GWidyqEu}zS6a%_$^r^dDn-Za1dL8=d8HVYHr-grZ@YRjQav%G z(sB|1`+J*>+Nr*sy}QnZ+o`pq!HxRj4%9NMvcnblRBb&umaV47JAPg^E?Y3N9!VFO(yB?J8!03RtQXatXF8uDoO^^9L z9=Y%1TYvum-}yry?qa78Kk)4wlra9lx2vz8Vf+E593XupmlI0(_!A*sxm~=W+F9nS zg8Cd-pI0dXBX=`U3;|q)meYJO9=v09(K4%zy2n6ChDoFbhb2fy35u195|%X;C1gN1 zO4uJzz8!Fpwx+P|Y6ClLjfbz1sKPMYyU4sGB0>1M1IrZ{4JeMo+*V2&m!^Y-PGh08 z+7c91TzqJRtzzp`*c&Lb>&2R95h|?~q(0ELZdtv;YgLNvMqOSdVDFaR!L_|x+IxfE zr11e`Z(TD5Ew_P6$4;k8e-JCzj+@{Yl-vAW{78mk@j)Hd5m z=ozgpE>Qmlt?V<_Pr6Co@z_Jv@h%KOzaW*JowYlT5GV+TSHT6pN0-;PVd z{1V0tL@B{E69!?F-`?j#y=s&pIYKz4PjzXvRqUX(`!bLQWrA#30T6sOlddop3Wkxk zTJoi;LO3K+=;1&b(Bel=u8MjGLoe_2@(=9{0j*-a+*t9!;$tW}rdk!`5Os{J$MI?0 z5RW%ChrWXo;X7~53w^ji&}9_w6AS~#aYbwB8x=9;FRs>0(xsFi?R zDSORgyA2{mu%lLkZUV7fq1Gb03;Ka?+J6Je!eXs)v)i>!Hg_0FOgmh(*CD8Kk~7|7 zZ3)9kXL-ek=H+xtgOJdjHK5d4J9q5nLb9wt{N{qp3!*E8wF(GOVk5D^K`8XEzuRQf=%g;{$4UfyyeGy$@& zfR-8+2&)opzI(kbZNK*tXq$Z5(uQnA4%@wJP&<%C0NS3vb*i!iVR5o@1y1K+7QY7I zUKwa-!lFBcbP50pZjqT`Deqq2o7wC8zIVO+-7kNo$L1WG$Wqu+SL^N7X0y@iRLYmc z7>!u~EJV?UvbI2jbp*D2yu7%Bf1=Rl@yd>6`~j3V2|2XQR3&V&kkC8efQXBgIA>n1 zYj^k1y2|aUj0vMi*Dq8cC##)P+x!X4Z()EbnE@jq(5Ik;a?=mJMwA>;mu5!>M9Bx? zm~Nt&-P*u8wVIjXF{nKKIhaYj=CKN6!<(;{0mzLEk9Y=QR}^8Fg8+%$>y@i5OwTxV zgRnbUEmhk7R*pd!E-BHyktyn@7(=EYv2c*E)L5-|TBpP}=|K)+lp_ znrSsoR>nU`>0C)>5%veYcEH26Qk2E7lIys~rhJk;!`DFD`%rm#;F*80M8Cuu>+^ zHLQZ^RSmO37iN%9(6NL-BT6F_q_H^^c6#MybnX07t5R7(pTgCVh1}T4u$jSNMk5^F zXZ$71bS%g1{7vvj$Lx&9#2+04T~3KGvGZU~%1b3dIVj4E$Us2UKtNR>OjaPANzIP* zOC&pcqMr!#2jL(g;h@0qY4vkPMs*rGuvLip-reXl^OBI}S2C#Zoo;}cp)!QY5Sz(J z#tD#&6T-^d<5gBLV&==`R;7)rnd&f3u9mp0RF;~D7SjQj z%s~X2=2vMEBui2rCTr0gxjIcL1TIC33n;K^76?Ezc8tG5|_Y^~$qh4g#`RAAo4grnYO`;wAa(!R(E0R;?J zmZ3r9Y%9X|VZh)p01O8EYz)g}#vogRDscjKN=Pu>v2|@`Y6-QSJmG3!`ig-+6jV7v zC{ai`$A-0gz=|D$(A#Y5oEe60g(Xm(bxBOnV%id!lng7Q93peYxQNhUT8S_`NExUi z7234|#Au}@O**K2>eL4AO8|{elUjrsF%I$1A4}vd>vG1{;7XB>;$j2D86L*`leIAk-w- z*Ko~3zGmb)#}X%TfI0o64q`Y`ZMRn|tr+%%0R1jxT>Dooji6(~{00TOZ8L*Lg87Ua zP-@ktWd31MaMP`?5ND1hby$TY&}=$l!qhLrimRPvD%q#N35RhSC2vFHj2+%5HFRuI z>IXhbZ1^a!8HUczFmz}5*pcC5=jJDzp*WQKr3(i>?ZS}l1G#}-Y83oo-y7(aged&+ zN;~5IDQ^iJHbZw|3e5sMhY+n|w5=9vZ4c}jt%8e`gXm8)G^K`20IS?ka6*Eql}ydV z%q32mzeogeM7EIlal}TsQZU1@ zH-dNHdSq;e+Sh?H$qbL>IN19RgzJn2Za%?K?r|*l1K$e7VYxC}-h%d3#Tk%SB`q@{x^va?k}`|H9*xshE5*Ua=M(dvV|ue1yM@wMn6X_eIbp~{y1 z5m~GDR@!6xpwkC9Ix+%b9~UkPVp+oAL`s27Pa;&V)H+2-AzOo^^!pS`EHTD4SV-WT z6$6+>Vz7Zo0j+ThvIuHL#hWm;E_kVCRJ_7GvVf~)3!PR2h9Wc)*kZ621CTR>4{${x zHiiQ-TVn{nV(0Fg zY+=4#u9>Ni%!5Dy9A3jn=Zqg-8`DVFFX2!#kljK*{=#t8=W!XsDoE_SCpx)Ov+b#F zaXos0F(8i26f}4hW+u$mx>3YvHDvE7t?=kTX!?@wZqGN9ze(9GovRz6R0^i2=sw9IzPX zef!D~E9b;mX+0B#X|LLDaP1Q&&K!5l;ezgI|A6@YVfE(@76g2-5DA&zliPKbH@|1Q z{KaCMy!s;t{O^{Qi3_MOZNfSWt4M2#g=?=sc;;Yi3O!g~4FZZq=e@QRdP+`&cJqW2 z(5Z$V(9L1NED9j=f&_@ss5-<5SZOciPVS5%VOEus(L!cwxxvA62Jg8lIoR}p)YuyA z#x8YouxV6a-3}=NRz&S{78U`DIlsNk4jO^a73SDRqA+ajh{JT&+65myG*Zw8+?A#Y zYr~S)u0#WiMVoWm_yevZ2(m~_P?N=Dm0FlHgsjwHGA!21;~3Up%87(&4#%OpMc}A0 zv}2uOyUAeQQEaNDlNp*DXv-T;E8I{>u|vh$s`NqAOp!TsV^}pYNAF0+otA_^r8ir_ zt^t|wxa0u9=nJtr)2b{+GT$~jh$~m!h?2Gr(Zq?S8E7J6?~l-BlLc+ls3x2?&T=3O zI@wCK!_nnW4FG(2<#HK32RP#@8T7^G@UBk1>L`>tD7rt9zloQ#&1 z;o)>QF}MU4NxgN)Yz33;6a?t_ROUpN>narqLw6xUa>k3T(lTZ!$rM=0B09QwT|QZA z=kUi#u(p&ND~yic3@d}EA|Z>M5DZPxC`7%vg;n_oI?%d-q#i{ZIZ#NBkAN-`rE;!T zb`ydKmL}E4SdVTUl8yxEC?8}G+O@=Lwi=Da>BZ?*b*Wkp@;xov`NEs+MH18n!;nJ21|jD4_>qah%$%S1e($ELS^Ym?3sf z(c3AumMT~!U-F7Y4h^jatOxC5OU+!hNgL}h6yW0qfMK?QZK{pcHYP=|2N)<9kt;37 zY|?>Rr&?;YiIHurUe-y}#0=J2eE99GO2X$>v5&0gnLzbO0QFr3%PU7$&z2wUp;Vj! zqc9jyNRlUjQL=DY!G18x7GV{@7;h4wn1o|+f|_~87$reT9XC0a^)zb4rYupYv;dHS+@?Xix!i)` zR55KEM+GicTPq612u$A%#cGFQSfMauEfvY6u@X;!l( z!o;LMDFY#Fas1VU&BIt?Va1)>$fT8+gJk#Y%UI}mBnYuY${)Dn(YoQ7A6Po$1{F71i`jNt^ zdZ)OSJJ~0U!X&3;S~`Zt9J;S9yn2yKsRFN9UI@k!vOYiRv+su%Ieeo}2LruO;BLwb);28PZa=7Sa>g*dct-^8w=C&0Om*NwQ<~GWVwQYMM?U` zr%K}p2Aai16Q%;gR~QYSFph{K4tttJr!fvN-vTlIu%62t_g34+yg*B;K{i0BHkjx( zi)b%ctZa8?8;y=3r@Ocu?u|~5dSy)O zC-U6CR;(ApnBJ&eruSBsRyy7Rgf5xIX{a+Wy>sA(9yaEBbm7KsSD`IS=8qo6SM$=Y zuQX5gdxfb3Gx#|Gi>(Jbl@?;QF)EHZ@8y!&&gPX%)3UhajgBCitova-qE^8M6m}z8*;QwxT?}3dcStW9mm!BC^4CtW z>FPQYdzcz>3cA2WP|U`ooedq8DYrf8P)%9Z!=M;nPBODVSX{#pqX#*Zt%Vl5&*lOh zsoubZE6;toHh8MxE;&k&Y}tj3ujXI~+THKvrwS83Oh9-A`(fe1jzO%HQZQf`Koz$! zlIA)$H#7icsg%qx$}vykV9Pf|LGY@S2;FI*{X6$q1imT)UoFC}-9U(MuSLg~b<5EH z4TxE|%fqtEo#0%?DRS4j?k=}*S_>_l#zzb1numpR-NVAUHe%si6cadhvIq3>&V?ci z59sTTcnc5c10K-FdqAJ~N}oH{Eq%UQ`h2(a`EK*icT1n|mcHO?{skZOm!Yvt=w1i3 zU9M$#@+im*M+VPGiIEz#Py^V{p$z&2j^SVyg01f|c5zLwGO<)| zv?@GR<%S4t6*lsYrDcri97DJX3DTytO1Xz_3{AoMAm?etZtWWx?C;04q*#N(4CJYT ziX|hoW-HiPUnwhjYs?=pyPL4(1T)8qm6L8Brk%Y^rd(V$l-XV9lo+_M-BZThgBb2s zF%m(2<75Z&3w2+fp0#^YxIpH$7E8z`CGWAu8rF3%kytFAY*0K`M!}`yQaD{!Z7yTR zCo~OPd3FXz2{{zBg7O;;g4>M)(41M0RdyZX_8G9zGR#=T1Fwva3}41{aSoCisn#o+ z0}LVfKp!`9i^0m~8 z)s;B3xaLA_(L$x8JTW(0F}wM&_))Glf*O@Uq7C~Z*QR>0)edU6(@M;8!gAY_rJw`j z1sqf50>g4Uw_GVQ@9hwRH4gSJ3_i=1wOkWD3#+aC{^My)a|2+-Z%XjW1z zX`Pt$ua+D2Q=;Uz@!3b|ZWVuwS_2j?v6W*koCLw#P=R_&1p=GE#2)G!ZGvzZvoYVX z`^J3H?bygoEb1Q;-3;}H5+)6dQo^s@X&;M*6AM_926-ye_@pWYV&F5g-M~A|bGXKb zX}*IwVWUK$L^+7TpW7J~V|;paqTXEXsF&RmIx?0TmpB7Av<>hiW?Cum7(N#EB%|0d z6yyV&KR`E<$K2d-!G=e}OoAuEaLrZ{VBX23q#7dGd^o9EP>7T-ofs*$${ZpOw7K+3 z#)l<#5QR11f?J9Ju^l2J4X`S~Z?h^0E)@Zgzp+RPio}a$0JhF@G-3bNCa zNCki(mO#4V#FBFw?N~HsG(or7p_kcYU9gi>(7+tjpgGyNAs|Rt`h`OW<_B7vhcI>_)O(2khkp$`PqL17GIs3nA74)2Qr zU}pafhfD6>5{oH4&Cx*uxRf`N7t<*@>{}!=*FpOZ_pBg@^AcGIC7yURb=YrCahl-c z%nSDOp7P^4668oS0zooJ0~Gp|k<)TiVPugu$Q9c2Xyv5IC+ti-)h~v(2xd-{ ztK0-WNuPsbWCe}lv>i+{As~N2lmN{g;E*Id@$cl=f`HiCbco~a*&C+gSk1c+F8wYythx|YLFZ@_v8%p zChmpJVe=1`lNb)4+0e|cnRDj~ZEVkT!hClE3B|fySOLRJ$mV2&OSz$mB?zcVz)Jhz z%#;%hJsuLE4MBj$RL3F!-ei*DSW^02Q%YZGGubz+A;t(|LezR;LezYrabVMd-DJ?E zHt15*5JSy`C^ZwJ)CLXbnL5vk!2Hr@A%hlTaO^no%(teEu5wP4siGM zxv#`kC~+GGVIX|ng;yle-#d7-QZV*ZiDvAn!K+drR4MS)Qn;#LD1g|`-T_N&=Pnv& zC5fH8gCqua_O)<&r&4P6_4PY%6yJdL4_X-B6t=tfxW?GsYeVs-p?mr@6!jCnDIRK9 zVQ5SW+tsf*==AmNG%$G+dYwL-KY3Hw?wy882i0L?;7vpK1TefASpQBN18*7w3{xuo zgF)z^4ISvUp?K36yRPcf78xUNolBn#V^iqh?77rAg+>jp#CllxgV2HLVPB$Z7ln~?`;l4v~ zx_G=+IR!&{|5R?LCwnt?dM@oM9n!An-2gY7$h3OARvOlRJgbhNrfv6(XvD^SQZyU z%Hm>3SzHWF1!5w?GLDV$bX**hkb|QsIXIe>gQIET)1a}m2D{R7aZFkcj;7_{Xj%>q z)8dj!Bq^?|L`oIKKtd4=QjK5`Knz_Y4AxMo6zkDX?H6{yp$33SRl8KJ z&S5@6T?BLWear{e2iaci9!+}D791}tUcAmiCRY)7<`Qc#k@d|c1_ml75uj0CoY<=P zL?P6-q7dHgW6yH%J|g?B+K}soI_G#v%JGs8FW$HrrC!j;5kF$zyj*S7nz$kp$M|S` zfMTm}C@9&qAG+`C&VjzZ+@1k*SCWPF=CC8M&)Yv;nDb}-odeqi$7gE315~v0klHhF z0fd0GQeId>j=IsAS2j$WJLXqfs>zGZp2yhnd}|iF3HOo+!Gn8D_WB3=2CmA%XMnj9 z)NH=upc+m}k`op~ntQXgm}78D8Q4|EnOSLz`+-9yn~Y$Ka2Nl4vu`*=+%phI+cV%G z*=*!Sq*^gU;lU{E#9OB6MJppf;(~BOcu?Vw2-4_;e=FCAf2pMl3t*9ZF9dmZVkCj8X$9zNNjwVz!z8>p`9~NVWQ{Y zMvNdZ(~?GmkWK4u|IZbNF@JS>Bc)aDSU1E$3p!LOF0M?5A@u#Ap;L108L*g?piDsz zvvPPK0?QCZA;dv)GMF@mAj>xTIR}wQ!snqWe7zv5>3KDxIB3R^OsbqVoZ<~!K4g|t zWR62J5PRGQQG?*6Obd;20+rL&ZNL{{kX(j+A2cwzY`OvsxIPQnJ|p zjm>J<1yQz`u=e5bfbRCTr<{X*^)}ZBD!5<)n?%4tFiWs4f#9YnoH)TT4+(>5jfQGH zed*zPWT@BN(KlTxt>QEs*Ci_X8qQ~O7mihN&Gwnl-shF_jxHV^8^sPjJ;uee;;tee z55a+Txfn(bh}>-sTRYZ#O4wZL)F|{bIj`Xw7|Yz%2g_oWt29zyxOE2GGt3E6Y{5a+ zooWf$U^kv(cPS5$$MRHOF~rdRxTk&QhS`bSbz|3gBW&FzDm)A^TJ-*r1A$$aSG$HG zBTfh|V|7BPTVwNwoR3rOJ0Js1+#v&BKnCv)8P(VwGSu2F8NP>P=(A+_9+IIi$W37R zo|_Gd#2aw!p1=_cXHFC@q!lit0S620Jk*_M1Tf9Ii)ZselgpUyEQatfH>l7^Vu8+0 z4F~q`!_}uti+$YfTEK?anL>dp5!g#JgLMvDn)$gxP?|NEkqKvV7S4CVc_T$8+FfixI014PAHdy8|nA>dUvF1dEB6vJie-E;|!;-ZMWCJKuzEMlcSU92>5 z&sI~e;H&E$Eqk^P^ivbY;!w5Dsm%;-+<+Y~;_pQKduS7N!uRw?!eQf#gu@>V-?cj$ zzH4_Rd}n_&efXo{VkHgJ$2=|)j)`1^KKuxuDa?$GOzfM$4ff4KFaa$u7a$92a+4K~ zlaxotWrB|T?Q-qXGIo1|Ur89WcHQ&gAn)hJLH^TlN)3z}nB$)(+flT0lj2DG0&!KSOGHem1EaIP++a$fQQS&>pT*Uu=%oOyxXztO*e?VYUl?$Z3 z>(+v~_rRSLqnNuof&=0GKIUM{l!zTrMRbGIs?CI=2nT&4~si1_r@mB*9{| z>(+RCJ7_@QNGQD$O2Ek2$jtTq$nwCzpf}Gy=<+Bq1qWA=?CZ$b>>S$R2tKCZ&+@|v zxWjL1>;^vxPRo^OHF6IuWtNYt>JKsMbz_H(|KRZC#E5uj!dGmNjbMsDKMNx;zUol$ z#zvx{0^B zjF;aqDr^`LR;M)%r#ga$lvE3*?eMSv=Bxa|#QrH%(`acBkyB_Nhh;fAGYERFLTJ?!W| zj$350Z5Ss8oUFhg^`H~kKa-8#<5=yA6S{3fbi#6 zL*&m`e#(4;2>V_dcvWPdeT`(+g@zg!PDhi?_l&|w^$0OOEFIO9Rl zZ@_1Ph^fEE4>pK@-}LMOkAL!W9yE*=+6?T^$iX!*M&Kl73A5I=zu1DIhqn*3v850f zikmI}v=GD^!?9Cns{CdNK8S*QpG#<5wYBYdb8iTjW&=zT1ZvBqL?5Vk8h#0yjoZxx zpWnc0k}{;*0wygBBC`td46rNX01@!~t@<4+AJ~qB!;RFJc;ncjh&vwjBqfGI=qG*t zR{fI36*!jIJ{}1->lA2|hw_tXfSf@YP%L7hh!1H@;%?Z^@?O7p&FdR*sN!e=3faQ- zZ8&8o!NVg?F!xOcdBPc+_Hnd{5P)r09YYxhLxqsgiF2T{fEyN3e#gS#hf{T5ZlT)> zL(vs`aS!)k`;ZZ(zFgXEuk2=kSv%Z|`@98j5?kARbM*k&bqNrrUdaV+LJnQ0?kJ(?H~*$yd&ho`Byu}mgtOpHK2PBE}u6Kao1j(0=5iN@MwXQ5R& z(ZvuLJlY*(g>HDyF~=9fmxtG6Wr|Xixvj9_4T(MXi$~N zID-z>c^(sc8Zp42tA&`t@NmJHSp#~pcW*ClS?8;_HH?dsm)K_-41PH9yd6!Pf`2uj zAHxy)+-eIJpmM}aASYLllBsaqp~*WGYDjIjdn3Jc#f}|^omxE?Cvh8mHzy-?jH~0( z&SLk*N3M)#skh*>8@xCkeOn)Gqmk;sok3OXS3YH`)?#8Kwm)3K;as+wpg}Q|A^AmG zWf5Z0or;cuoND@(RI@39Z%#;|^4K;8+jeh&3!XPy`OxdkopiWVUmuGt$H*x~NQC2f zP*81KP?yYEb46l&Y??KjX(RG(7!8ug^?e*i$K6_6aIb%V*#}X4?Zp1svi(Yc%cvHA z|ADz=91{+mtl)O)mD+*)U?k=vcLn3iC7K!?m$v`jEGDM!I^cC#`+DeB&hO} zPt=IbO|9|@X${rT-s&iKvU=w5sx&PGNwb839S8P#$Ax-D`gn7gr^8ZC3XS8A#KK)4 zepU9Uhzg>1?id1jry*h_2nC*AG2+I3YugWZgLh+M;7Z59=`fp{rjhdKNv?f9BprOB zg(G2*U;uTqTy4vDTTY><=F$g7=>obj&}}i$;k(M%IznXEZ!R7%-*lmt=EOt6>Wz*O ze^BFi#Q(h5MkFR98(#6etx*V4Xd1LS1XctMw=(&SMIRSfQh~&U4U57j^jjy(Y4BLd zeAvLSfjz8Fwi`^>pgx?l^_a|X znJ^6u`@$PHSIXOb94{~8N_(s#O3ASevxNyKk2m{^HC!+2+#BT<#c!^*uo8$fuugwN zgTiqQ5zrBMOHTMB%b;#o%_7H!g09fkJ2SMRR;q1Wj#^q4gCcJ@IfWT_*|%66y0AuR zc67J=6l|phi9!w1nD|3n(pcr8VZYp{7~bF%Lk&0aMvBW`%Q;xIRhiCd&gF!B01{T+ z$~b?ILoh~X3RO|>90`(~P3RnGnD|$*1RF|{qy$MTPz!>FhvPCR9U2oCMxi3QwfFDC zhKU&;A#jqYH{dbX+~Hf843y1zJcN#gZI-Nr@1uA)C27C56GrwIaXlZ7=yvA^FskgRVl#FGNLCz$166qMkJp7YhI3UoFm)2cx=qCr2nVmC zohXM$5=VHZ(#6M!0;z)GYjV2a;1%mqtLRexOb+WLX4X6-ivr`=P#_Eodh;0XGw_S% zdo5wdotR00>BsimW-Ve}m+D#JvQ|IQrA9!OH;%71mAx8HnH;OVHa;zj;iOVrl#v## zzL1~dXJq8V$nokhnh5K}d{-?=nL4=>x>RDoB28=dOP=;ujH{mPR$X9qc+e#m%*FZg zs+v;*L6!sr`ID%iwsGSf!bM%oPwvO}uESR>{RS0|P6!g19fh#2`QX|D+CV^T4tBQT zgL7jZluh3C!aXZOdv@&5^mSO$5D!|rG4xtr7gyAbVMKYb%foJv;QSw5K9~w=cksX^ z_ZINJms6?0mvq6Qkxx}DtJ?M?^Q^{$_iTL8#p4U2S6UBMUF-*s?i3}OdH2wa6zIU%cNL50Nlj8z!ZqHy0B zKmUpqz_|jhhaX!g%v^^JBd&MC(ucBVzPse1`C>zfRyJ;1i&2M>&I>eNzKJ$#N;87> z1$pb{!x|<};8oC;M2pa-7p9<1OT;d(Dz!`?2TT}m;ZZ1Gon}g573GW6v`qB!2j^kf zgGL4BNzZ{Hqu8bnf&1X(>YG@OPww2&EWzLk>lJcs@Jx3BYjNn z*bi{}x?MwI?8hMT=1XmWIJN^&!8D14@OM--;X)v=RW}X+*q06)aT6C28I=%IFV}k= z)PJ0|md~=v9bRbW5kKv~Q4IF22nuP0AL#>u&@&Rw3dHikUPKu4C$n{VDa}sGuchkC zEj|^^mUv+PGM|nWA50nI6HijBL)CN5&@`)U#$b1iw=HN-cEs9-Wfj)EUVkt@Dc*wxj84;Y6C-0VHSuQ_pRa_84VzLh1wc14#yJ|* zMyvsubrN`tIWD-433z7q00DPG@2bWz{HDC)V{qH?JrdkXh8OOpgc!%xQ+SLlG+tbN z1^J2#X0a(Va>~~P*Bfzd#kBnr(mhvysTOyEn&!^g49RbyFfUUkFLn|%$K*|lX1IW* z`pPzt0}CT;m@S%`Q39ItuY~d6D3Jj(Xnnl0?Vi*RA{(0g3aZzp33Mwz=z9gx$LuVO zIWYL6SW;b>;ne}g4jB5`2w_gN!3BIEq;L>RpbjiixIj%pRiFd&``GwO$t>28|hu4!LKcsH0tonGWBK0X4?DI!0}B5%0FJ^;GimX{;~E3hhxe+IT& zEZf0q!1G|`R`F(RJg~43l#i4p@0NvZ*&Z-Ud=ZXuM{bjsJCL`d@Weij*1$zyY;`z= zUOPpBh@UoYp0hPl#bw4V3?GOsVbsIqCC^JPWLW7M5!lv1hQ{?)WO)vsGPhx@o{$+_ z2fVV)FGevfABkP!35f!-0=a8ihmD)JyD_>+Ts?MRX72E{LT(>FO+Cf2O1yGIA{vr{ zK+K2~ri}J4ivZ{V0R<;jKY0YbTZk#h2tV4{APGG5i?yz{Utzm37KWQYB z>nV7=SZ@IXfs9Ntn&t5wI$XTfg7Rb4N)`TWFc=8TMV9I*PZjiS4H~J{D$CnVbA_o{ zLvdeWsHS3MsaI(WpH&-_BkRlCt1}^)@PGmII^C;5ipk>(#t$$jKQc0goeJ1pHiEDB z&2d&4YT6u87YqiD6UZq98m>i9Md=X7C5WWumF)Ws<#NNa}nakE7NG{JLo}p_UR*y{nq%{QA290PlXz4Ud zETJi2SU$5jV6v~uTcmn173ZB=R#i|$y=1}o^y&r7yaW|H0@S#x$oA$1+$_Q>M^h=ggxp>~aEyS&+VkUvNYe zh1J_(xXzR)5;?mPqaZzY3WX_z-Xmqg)K8Vdw~?U9NfaIqnbAcZZrwH;2P!r6Xpf(C zSvIfX{rmw1?g_w|u$89JNvei6radS)%&E(Xj9Kl_R)~GNW8S{}WMPapkBWELJLMh5 zLNZ9i?0xSb<8rLRi}2h9QIe?|5`nlbH#>dp5DIxoddgeUp2U=c&r42s)B=` zFg!mzGKz^z?3p<*EO)83*&AR9lIz?K_4(r{*c@=r6<#<`_(*Da|9R+}@O1hnob+XX zgp}Y=uP?vMIRf+v!~H|kI9MJjre>od_h*|37ldEH$}2W_@HroUzuE8}lP&KR`nyqo zU#`E2F4Vv-)d)*6GXhFTVI9U+u4W;J3e<6wm(d zjy*?W&rPxC|LyXfjy<*<_BU3X-LdT7q{R<@z%D#5@$B!P%F8Rfe@prOX2Wg5w!ZAI zg`bbU&1c$gJl}CVn~qJ_{#tk(|9`b#E5am;zb}bB&&M8{@BgQMH6w4b^yBKL1}SFSA2#I=>>C;kP2%HW~SK@NB&E;h!(u(ve^0 zg$Z$-U__1|96LC!a7^KN!?A|r5XT^nPaK;l*EwcUj=mD^RdBC{yA=S1$Q+ZP6v3`!hJW~5L_N^7;Xe^6mATTiqw9% zakvS%x5HfrHwkwDZVGN1ZU*jpxLG*rGt{XL!X1LU0d5}dFx)%f-U)XE?nbzG!7acY zg)71xgDb(6;VN*8a7%E@a8)=CM91N3a4T?ixCUGk?gSjQl{Q=lZWZn%+|6)naHrtj z4fh_nTj1Uc_ddAy!<~lv9=H#{-3oUb-1owL5bi^8x5IrO+=t;l0(S@8N8vsO_i?y8 z;XVQP{ct}3cNg4$fcrtXAA-9Z?uX%i1nx)S&cOW`+>gV367C+jpMd*GxSxW%7w)Iw zJ_YwPaQDIeEZon*{XE?LaQ_F~FTnjG+yijG1ovsUUxs@S?lW-z5$;#u9)kN-xLs!-+}vGxX0jr5AI8FUxqsi z_xo^v0QaBa9*6rwxIcpXW4I^a{sit%;l2X*B;23D{W;uUz&!=`mvH|V++V>x4foe@ ze*^coa9@S{JGlP>_cgd@;Qk)&AK?Bg+_P~12>0LM{t50mxPONG7r6fp_dMMHfcu|t z{|fg4+}Gj$4emv_^F8Z;;JS=P$i^ZPhmVEZ-wg&VaztN)AI7;#bYcwC)WX zU$Ws&1PlRwnTFlS-{GE3!#$hxJ^rohKbHM?rrNVvARESd{I@5)Bg$sDqi}qF{T2AL zzvrn<+0VS92bmgz_ZB!l-za?_aUX%>Q)GejJ)8FT+_~x2O!kIs&!#-nnFN@1%I9YO z0Zv$s4`$vkc?T-WG2y)Lv+pQz07rBmZa|s6LIxqhb=k)*>e-Oz%iXUqYaL?A^p5A=V;QpS| zuetRlcU=6@i$1pg4yodEW+SALX`oT=*K#!ld zC1TpoDSrFH(tbx;+N3q49j%&1>u97LGv}gphtj%}`AgzSl-A9e6rRi@`V&g)C)ps9 zXwA6!%3R+wKiqS4qGxcdXD0im4M~LaJu@K1G7qfBA3X2i?|Erw2iB*MyA#n*D=o_I zkXF8DD;ndi+Bk2fFKm=!J-rKEkOSWe2(rLDU8Vp4yeKJKMl?u!7`+&D@cgvO zU=bgotjYHbxos``fy810i*4&prS;EgeIQ!S#}fMhn(F1C^`z1oWadzhqZqt0M??fp zaMYrNW18zBDBi(j85HOLcc;mqQPA21ntWb5$1>UCI_gc(I*9u|=RI?e z>v_@fOxkyuPu;7uUlys8SeyEKl$Ybk#*-TFXOjC;yj^@Eu`huR>tO38_=9J+@`tdi z73S8}jKcB`URhxrtNAeQn!>0n^C9dGg}v2@dym3?RqAZktk^S@a=nPa% z&T814@(Q}(>^g*z{xcf(Z#p&-CX;IX_?jkFx=UZi05h*N^ly?5S5`U$8cvm#595q0 ztd9W6)1t%~MI44NpCg=o{dNuKyd~OxGGDTdfp`xn9@|_DZ^q)04^JpwFYzQlb>zh8 z`_F0E8#L@7LO2iDxRC&3A7Gq!YI!eL_-~nD;pL#hHY(p3e^OyoM;U)o5MELrb6A5!hZ8K*4 ziuSMUqmUY|76N>hV@TuLa*z*m3fql$%nvpd!3XB4rtr@&omg42KMyHkN+YuWZpHmq z%@Y*ZTdAi%vrdLBc#Z6TMDczhlJ`K*kN5Gr&n5deO2uKmc|o)?UrUnxY@>5Z=NIuF zYokA7+bH>di{jlKNiW9t6EVI+zLS>^Y1~@3ynRi^CW8869X+kM`|!?(u;&#vE)Zk4 z+Ncfm)k+iX02Iu8H+wOt2CXggZ`Q-|j%vJjl9u!}9j6b72$(?iOaH1V9@_}WYR@kdZ3y+jvVI2dKHn))h zcs?8Q^i~dFKZVJ(j9zGSlw|{ocO8+XypW9erF;a6H>ctK4Btn+1+sAL^WG4=O%3}H z!(x44zhx@8o~byVAi(tP2bIQ$S;iQR?CG!{5$!3({SKywXAW>zyvO;J33v+iC@|od`n^;e%HNQ`Qoq?h!WfD-t$z*wmoWTq-0(RKe~Xp@WAJM; zPW;X}!pVcXG<+-d+9ZBPYy&qZiJ^Q?)6~sVO6wMoQXZhdR>s^Rwyew{N3^4%!$jgv zCjl{b>}{_m5o05b=4AVg)Gy<2IqpYkcg-LJ4ER&qD}{XGw4-GR1|#NRxSvb~9|c??04&ZTOEc|O@5 z1lxHeoy=#F6FQyE{$`@-YzzbjQG{DGogN)0jm)!krET;-I86SEd-f8yezR{*RHTM`&R%jjxoj{Fi2kSP{6U28j{bKxs{j2|qLP*G zIg9>zHL^M?6KSkb#{1mQgw&kyJE zr@L(Xd!EgN4G(K^_aztZS#$--+nq}9{mFTY>B*ULGPxPi0iIM^H!_1k-eU4~+Nm$d zSJv01Z(;=W>*PGd`Ge6kp~4WKw2pp@Xi<*due8SS&hp55#!0mY`4FtgKkMXi#T%x6 z8A*rt;igc+K5T(Ne%x=8Wg+p9hW2TNgS+oUcU7^Oj>s((~9vRbK|-4-BDUwNfP-w zCi%vq4!nfjrQx4qxREnKAJ3c#y0Y-|5yk!c3#*$yPOBU0BOAYy31YtsX{E@w?8%s( z2!(`k$2IN;NWkT_>a42Gv>b(BDry|)w`trP*2Ur`&yBB5>u;loepYF9@E*xWvJU>P zqwz{3`lNlk(z%LsT0NVn>Yh>9_Y#KKSpU0~jf6aVNW)TORJ?7!?OZ%tPvL^+Q|s}^ ztvkarSAJ)2U*9!l$@icEFi(?8XCk?e#P@W3AW?mT<>n}8-L141liNhBzh$pUEZx`mHIpaLO_AW=0qfdTDL$bd+8z#Rx#P{fyEg zpIDco?^H$2k+$=&hJSRU36I$fM|`?~qdy!Z+`PMx~DuaEY` z+Vj^^cy=0TvyC;C-k)5YLNB^jv@vn64Y|)UJgl@(9r6%%R$;b%N%<3C&nLh(ZZmW? znjf)4_zL@F!cyxZ^AmB#b7(!Hao@+d(yq-uie=Gv@fToe|B5H7o8TP@!tT*9;u#u; zBy0fQhc&FtFysxo7sqd?Ud>R!@&mgA!pu6(a~kh;k@khQO%^{iI923LY zi%49^2-S0qtvmCHC_fO`?irk+Ix;@oGczi?E%QCgNN~KTcNz3y4~$8Hl|>8 zG*Ofd6@`AjXC6&tU(ZnH7sNj-{_&n6Ex)Gqi%3e-3iX~TvY{7h(`e7oz8?RmRfB-R zw$!_wk<2+2{t`B-FkNnxwd8q)m53Cno6I|HLW6Vr*(V12Kw1&MUJXhiqqlI4J-mnbyOaMnwKAjKd2b;ys;!_q@W~cCxWwqIfPnUt#WeGLQfp zSD2a>#XfUHVIw399^9IFx3p~RVv&5^qTy6W_%N?`D$LEpy$P^~5@3%h%q`PX39#oB zCi&8IH|%5%%$Uz#=H)Vl?IQpWVZ91-`8%pGb{jrJaPta#CFMkH+@vCjEvmXK`ajnt z=`B|y+8L$s{dkYGAq*! z=ThLc6!>i^@G~j!2UFmWrNEy~fOCHFg2IPbXz=H#EJl$_W}nMtyBJ{VGb#M)bA(@t zct81bc;~~h`T>Q>zGEX-RhPs1R|ccC zz&6Oa6M5W$YALCb^$ee_?6bS!d)DsziAKt;5i?C%8#oRS6GYoBKC=<$$u}x zkJ#{6!IPN&6|ZvB9|zi<8fTJ&B4~EmG@|pvZHd!;DF4jglS-?MchZvlVQGTvL`>@i z4gbCiORIXWw8r-`5p&L*X&sQc*o36Tx?I+9t4A>XTNL(*wDhBPtUZakH1ti@EV_cE~wv%3cEI?J_DMcrG_T zvd5`cVgE{4H=kqrc;>H@)K}78Q#w|UW*y$4u*!wC2ds7{PJ*R9JfXDiAQR7<&+I@- z+a98fzx*2f!9y`ZT9{ahE$3>5=hE^U?W+%^wBMsF`|V2WOUZMu7+mj#!zI3YZ-g*P}~zqxL7ll=wKds@Q~v65Ene)S)dr$nyGmB0wK7Kf>n$g}L+0@dVfrg}HOZW(>x%+@`QMFb$N& z>R@LSex1TI*e56TpMw8b3jWh6_%Ed3UpmYLyLG&63XkV!GzI@i3VtUA|Be*=dsFZq zPQiaX1^<~8{PiQr<-JVdZh0qxI-u}+79P}BOupili^%@a>>E-9|5J$1Hg=oRv;CHR z^lpWn>&)j(P7j4jhu&+(>c=(iD(J-8_KI!W;|O{|@qUVU-Q|d{ZDc;2B+L;N$$I0X zBx3Gq3H!M$-vpZF&(*FGD{D)OeRxVI4(=K({R)W$y8FHs(1%>p-(NF5kiez(S1&p3G4 zPVQIOMFKIfM-;{}gUYDZj>bW$_~lv-(PN+3w4aeM4`cq4`b2EKHSH1(mi36zs-2^(+2QVSmUVHr#vP*a z(VY*-nCM#Vx4kT>bLN3&>f)O1%Vqu|-fy=8{eF$RcU=%S&?UI1-zo@9`w7LBF%^D}o6oo~l$YZy z^R!+wSP$t!Xhhp&_Fb`hLOiy$A&vXTcxQRSzMc89?a)kiS@Axd)~=#+-5*XIGC)Vh zf2HN>3)Dv+Q}}!E&icHSOJMkA^B)E184dsYEIcvZ%b~}>D2?+{anYH_sYpa4ZwKCv zKX_heeq=5*uCOcE0J_^!eDB0eis+C%DR(KYKTm6y_e96nFQgE=2jwJRo>qEWm|x)w zW)}FJLH(1T>t%p9ci=G`lYJ@EWeWfNOHI74asH8LK7QtVyL}s~e({NiZ(!X0_XH+JIa)qbQtfpY{_XWk3`5fZ* z!ad>AjL4;vHa7A*W#475%f=~0#M8&go#BbQ{u@7EmHqvmr1s7eRz?pwqV#SiQPcJU z9%aU@xCY2i{8~{pC@`|J$(5DEvI)4)Def;TUnvSUXy^L~`RcYgv-hFv9Lx74H~ruo z%e>ONDa?=Cm*V!k&1v>Lw&Q!1Ruk{qj#)Oe<8Y6;jQ@(4)INI=^%)I+e-|AbfXAjE zZ1>6B5cCW)cKWkKHut-dFSyboX!E2wq~RAza{zHV8fWfecmiHyObYhAZob$y3F*E8gF+ohQ=&TsBUB2&fwi_=D&2_4pISgKnCz z4}MekK6q~k(ePz2dHyn?k3nf)=gd!kJKNRCO#iw|X>2s4q<`I~Fm18|dsty)BcDxh zXA@vgC%~Rpn52O@Dfzo`j#PA0sn7NIIxYwyiUY_c5hu@zCxA0gl6jqc(5M$61Z@w;CrL*O8Au zi{|46#cdNenh#?qK|Vve(E#=RPGH!JK7@jisp z&p6Yn1?fZ!l1CWgQhv{C{4e5N`x4p%gp4^lp7~X44np~v-tCItb)JQM3-5D#-8yGt zh^PoPWACFH|DzGU2YnZ#V`MLQc1Mc9J&X85$j{~*@CVNi@{cPEkfNO{DHGlo?Z(Iz zqKv~GQ5yFqk16pn;A3fXKDMj-l-2^?<83fdpTJ@4e3jnEJg^>~(s-khcv=r1$I$4b zS7{8knN9OVGx z!*ZE4x@{OKXZO~>199;Dd+k(Z#2M1Kx8&e)`-#URQP&x#Z%dR-ru{ykw7vqmiTsYrxy)}S zu>n!Z(-)N1o`@di$jsP17uXbz9wyuOA zj%dmFr}W-HqM&Ej#U50+9a}PAFzaHErQkoEg8xDa{-rlEL30N^((P*vrCxiB6l`k1q%Qor-@I-r0{sohLZQAnoiS#d|&R@UX2u zrZ8#0kYrihk_5Rq!?3TWgt1)f--SPTzRvcES?ap%*CgUS@H0=BYxueJZnphN#j|<| z<ymsX}vnog)Op+aH;a$2HzYriq7r@T&^@ ztCzr&)HY#OaOdW~owz~B$nyaigz;U2NWMaO{&O*T&h(cx&PrPPX9pwcU!Rgb%lDwt z;yWMGe^g;|k8M)<9+{8OeQBuWy$jNq3oL-5LT1qr~;tUG&b@V7Hp$(;# z``LjAu?;EZCawFAk`lg;5z$EkLPW zhSqNL;|<|=USWSuSa*H6#52FsB~*<(J!9#!GEKtwFFgpYi&nP_^ zn*tpH{1crvGB;gY7gcJ-HplkXdklZ@yxIH+-BE>oF#}*1T~tb7SIXX>NuWzvf4kBU z*#Um>V9(Wn-=pv!XL>Q(tfYW+=0jbSDZ8H1_z82!57>Dl)89~H0>*y8`hta4=C!`U z?_nUmdl1TFEQhNZcI@+C5}7=yxNPctw!$4%n3!HnJ5c$L*{<_p3Fh?<#r-8lMp>P- ze%7WX{a^7oFW|#;9#xo~%VK;E)4|Xo^4_|RLC=n+1QD(oBK!)cBC2+5v<4=ls|HXY*P8HIa9 zVZTE_x15RZ$NQxu2{DAI8x~0bd|@AU>7XvPpPA_{ceC`uo*^|IG%Fc{CY8q9*dAOO zR?m&DalR@=%@taAE3N;LO{5i{JO5G265!AfqCc&))?boHE7E?ReQ9_58Ar6OOZbCl z$Ay*cwP|HzJ$97VE}>{-&g}|&Nu)1<ºO!u5)Zb46Cz8=wdhtu*E9mj^!@78bqGHp9SK4g!(HXTv_&^cMQGaCQH>*2Y8 z{G3Q!PcgK<`Yoh2P(^<5{6%uxjP<$f7Zcki;-YhMeVhQ7 zzK*$SlYGBZPvE-gkI!h_`xqDfG1M=DbztZLnVYPx0o(c!`%WEcTa6LTw+ERv_uO)B zIjZpM7zj8jTkbp`g7>I~*)#*&hm0#jj{bH!I;;p+hlKvUO5?3cA0IwJDmwmYSeKpF zj5)D!B6CYpQ(_r5tdO{w@3IWgKP8Q=glU*8D*@{2R;R3L1Cffvkl5$EL>hb^yp$E{cu-xc3HfgLU($#^*cp&%N_( z*H0<@RmpuV&Yu^O_(Pgo>m+QxD@pp?JHx&r!}s8FD1&04_aP;p(0!ESKO`1<%rp?v#&@i2lM>A z(khXb+ukTgRNu%JFft=?>9bs%2kPZ;15NzFBf|~Kdn=Zq*;|Y~Y+mrl_aln;9<C&e#PW)bQa89Amzm$X9b` z)+W$g-(o`HJ}y%9^`0-YfC0<(IMkeucl3a6HWWBMKwy`4IMa0_>{^uon_wn?z}e?ghF$0XCQb zn@oTmRoE8EoylKEVb*rbJl`I}qwGGTu&*<2ce{$q?!Qfv-R$d6E1h4A(~0T~pNz{V z=E3hU5}ilmCiR(@2rP=H2%de zfv3A3;&$41C6)=7H(iS8&nT@|;hnT7QAPgUOn~`@Hh;IlZB`h05z4Ogb@Oq>cV*L& z7>wmJZ#R#+?o>?thy@nySzV-iROvCRd-h&rBV#^E4g1MaN);i4ngQHsO+=w#jPK|4IKb}QkneJ1# z4gdl^1#^T1`9g`TsQWk&e+ zOFa)=Hr(^bWfSxqaXi@{OR0+oF3bMu%YnFtSi?P!!kvYC0`4iHBK3ay7UmM;G5>Vu zE!HoNr}m3pM1M?aeS{Se=$p>E#x3jYY*Z#QA`afmgfYELlP?ijh3o6r=F!7Odv1rj z6Yg%fd(cRl?@7wqSWol1B)I7Zw`kh7ow82vRM>XOm1$4+D(o9sUwBI6{t4*?JkfO) zoKP}4xXI7P_nAbky@~np6}HC&Nn0FG z;~MupVP1l{OXgo~nE^t}4ksao2b(k2&t#uCPaw z^}Me0jz5vOPr#ga900v1l-}n^FKG92Lf9CAzqH4~j$ew27lDqK= zog)c!#u2rn@QqnRC(z##^P2sulsU}|`T2;_n!`Kul!4)wefbH6|9i&_=I_$mNDOwE zWM0O`m2df505IXJP8K<(2PIWWN(HaEHprOHt#@V{_oa!zZmCHv^{(>8*LB5 z_s2D^+s4SNXHwwnzZZdc;`o;-+~qCl45Z*srohW7@LN*o-=*+bW{P!+i7L~*U*T6M zdaN=l9d;Nx>_pE@Eh$f?|N6HxBcAs|{DXAN zPJD0^@AyRTey;WK>{z~MaJXm4-1o*ho!5AuXS`@Ra65)%c*7imPAlH8DV}MgcCMt~ zXT8yxE6KWGFFsy}EM8;hyE;p5{c)R>Q|9lJL(y~|C7f2YDZzZ=E-?Fv7w z@bmQ5#Ic!tKdW^1kxqo~_*%MQyR0!huXuYkJ^5IT4ql|Q`NItGyfOZX(0Ok_XB=ec>=rm$~CUe=V>h2-U4#m$*4311%i7UpIB9ft59@+Z!h z-;MI6S8+K;^I;v0D(su(3;BMh(xRD$4`KHvr1{XdFwONJm860@&7}VSZ|dF$&d#E` zAHMtC4J;vCVvV?Js;jKJYSdL$-Rj!jgbi$9fdvCB5MY4_i!QQ4&_JVXO^ne7STSnU z6c>%U)u>UU=GEA)CTeUWtZme^zqCdh{6)o@wrQKz)V|;EnRA{yGk2cN4du0;cRru{ zJkLFI=FFKhXU?4Y^UR|#mXCquU7)akB%oLq_lLUZ_Gb=j+D67l8xna>{txm#cmjFP zy_bb^^~yWT-LA05Qtly5+eo?BEAGY27-0y%357j5!=HNl68SLYcP6{nqVGTs-%-C7-VgMuru|NuKY8WXU;CXbaOMvnZ_*oAdIf9dID;YF<9=n* z`NkOx;D>hnfYQ4R&n%ngTjif5qrSI{6QNXkio2DnxX)ME?ala;%f7xd zGQY;QGo&;=PX_Ai4`f1r>wTA{eG$rLi_)@hi{`!pytbx%)585tm7{QM#xQBS4!?2i zMLOJcOXxv3y*{S&TH<<_4PUnD@?YbmrDfoy``x%8Jd?6Xm22YkU{1BYT$wx_bEl`D zSJ{60qRJGWCr;0HCJVa`BsVJk#qbN0^l{XguUGg81K@c8 zF7km7C}se>Fv$u05@g?gKQ0K_Nw}oSIv$qw1?9>{Dc=&58NA?m{PglY;P7;;4B%IT zW?xPLlP?K6o3vGVxurq5T%7dZ9j#+ZYjwKq#%mqr*CpF7d&?d&J0$69N%zy zdlP)S<$x{MxOcuBe^T<>8tiv0|KMq<%D@Cqb9voUQ&Awxwzfy}89SpOpF`n3l;vln ziP0}_-GB?i=e0aD`=ezHYif@0l1lZ`6y+-DjVj&Grs)PcjfKHZS*2)`++n-ixlG%X z#=p!4!IV5BoASfiDQ>Vo1<6bAcoFs+?Pcc9;FPnied!pxI4}xyfz=aEaKP z8nC=L`Susv`rP;7g0Q2otq1ZbKR0Q2rXd{|xX>8gmjIT3k``TwdxJMAF9qLCMqe0w z4?O#DW&7;&DpRwURCdqiSHNLzXTK3JnA_P4J=h%y*ewZIqj(T;T^{8_O$tSArP3RU>L}FN@+HZa*WkObqBrt_?tK<6^*ZM3e)&bS z>f2)#$$FK>v2+^>XdHs05Vz^Mps`MATuQruz;bRUqPPs^L4|t;zGK9IZo2 z>sfOOXibNDebSt?%^X?dT%5@AHVI2Bd$GgxZse%IuWG}@%uFXdOVYcd;`9Jbve5j-+l+E1HWU6bF21$ z@pt0Omt}&yfcPK81>p@vxX&f7`>1>$@CFtCk+hvh-GzPLcan~~n}gb{v_4H*&JWGU z?c6=0gMPsB^*qt-{hIE2`U;W%8tv&nKXn!lWz_Z|To8Vv{zjdQ9x02ASmu7kZA$wl z@!p<81@45*2W?bZk23RmeTv3C*lO!(d;t-q*GHDWoYd{we$y37ZxwA0LKlAP6!sGGdGTqbg{!lL zYs-t)H!r$p)}nh)T6EvZ*?&IV`%v$9d-wEyt9R$wr(s=>ZE?zIF&zSF?N!*zXpfer zXqA6mj);-goIk+@;nnUY^xG1!E`?p;;q@h8%M>>1;f*F>YZRu_QGy> zm4NM4*eNO#mhDgic1&ScYdy>d-rNTq@r&qlWJ^ywb>Z5q{I4zFqQDv7sqwclzTDpA z5c&jxIy9j1H{luc@pH55DlM&e99H!+?_hKKw)Ql`d3xhpL=*q6((yqNXN9p3j2;DC$Lot+v&l^750b++pMrl zJ=k`I4S29U3j2Kzc0ggWb_aMben%80-z}M0UpRkNp3depxAdC9+}TTGzkJp616#G8cJ3a}&S9l*^~vx**0iwWFMm0!Q~}zBb@`nz zh7SY#Atd`QY~3FCqTd23%6?dBpN?k+!d5Bl1p;yJD2^-aou>lWo9esIIqjtK;HjsT za)mT^Ky2x>rZ2O9N~S*>>A&BSN>85Ve#|lRXOsZ~VeJa*_h8)$TPRp=4ya#YPb1zr zr=41UVn#Pb_!`!@50PNDx~^cCoqp1rr%ETC*;4-T>C|Z7(_xZHO@D{-&_ipTAO|$N_beiGQ>eIA;9JmP2ehMy$d}ci*Ow$XrK~1yg3HXy; zQdeF$bjwlXeNyBXKf!Ord3{!qbVBKT&6P3X7uLw!TB#>P8V8le(FSOIf;7%GTjy9| zc{)CU3qtqr;F2v)mFISpXJZqq@B_u=8C5#>Q7&iCOh&{K@j_kLrZk3{@CSjg-3pVr zOoi=N*!w)Z!wQr00u--#5)TN^a5tgXs<1!vU<(xXA`ezo*nfDir3!nN2OCz{OFh^s zh0$+hU^&JUu+0klL&0)*+ZDFcgY8k6<7&Sv()|c zXR-1&(>k6XYJi(7S@5SWvqQYWwp<#vH1H=22uuAdjZd{Wx`gdlm`)>#d=D#(&7Yx)U-KvVgguY6ElHc1ZPWbA z6w{Q8RP4|HokrB|n0q_s|I zoioePO6XQ^KaDN<6OdzDr*`AXWDY=g<{??5HHC9F^K)4By0gr||8G>u`?i4L-o zy*4BwsofqeJ~rKTNvUb&+@_~twuEOTP(SA@4zpljzMb-f_sm(}@Ij)vhG^cSTq>A0 z5?ZU2);H6%qCHaOu_P_*P9a~rmDca2X~lepJ@nh*nSHGeMR zqut}#suG0!}&NZ&u|@eLtR@0JoD;SOGMeZfaUq&>9V=&4De z+*y9h-|Q6scakQ8_!^+S8i#wJ;qZKXu|1R#!#o`?9>q6a-T(mNRhRAx{B$P^} zucvAC;)E!F`t>!*d1ZVPxC3+!DJ}0?N2){ke)4i?y=#V|vu3CMl4)Z7{(6oo`c|b~ zMDW|kQiaXsJxX6bDa>n3aUW~@p#E4rJ&}x{E_jAuKOU(=45!ks06eOT`0NOrRFtfX zDYD3X7-IY6+vV>NAm=Xo zZbe^rkPgEAyyW#!v%`0Lb{MKBdVH9;2rs3Ltmh%>_wZG@Bnwrkn;xy>3rP^PR%h73 zj{9=d6YFl7#t-H3I7fmB zFQQAh(ftMyH5B3de6%R8&xgU-pBf*#h=+1pAA$FY|4h0g$f1fT(~B2T9>B}>Ikvs! zr!>`DTKKd`wiQ1HnL2_BWcO0k)jql6eU?7N?G+4+H{*P4Z|_*RpQPwTZkD%A>+V#g zNm!S{Uf{v{6gEd;l&k4Q2Vv;+@f|;@pB0L0GGufk^e z^)CZhgLU6mhue6O^)Fq(*(jJQ@4U{W?;XuQr*MC08_3_ZrhBU1X=e`Vb2H2D+OhPd z9jJeA&w8{c+UdU4!=0pow9qlMB=JMsJL~B4LFOEDe|msscKjsf7xF%VeRt|`{v>2x z-vMu=K4gzPNc;8Cj{gh`@U!|jp8%IX`Yf_7uFqS|Y@vBb`(8mj1eqJ~?401=$Cpal zP;7}{StZ{|mqctHAB*@VKi2*aG~-XskNROaY=@+si{Z-DPl5=(FE%8QQt3o}G1DX8 z7u%w=t_tcW<%|7&L%tYwtfXyg1D{bwY}9Oma$m0{8*jQSf5HiSl)MW?a%)4h$<5w- zTb<$S*`SSAc5rpFsyZ^IA8YM|vqq`%IoUEwR`xW;;d3U(3 z9XtCP_pJw0eJk5ZyUOZ=q~prMJo$a7`>h>QR{e^1G4YV!Y8>@P$+Q1$1!zR$MXvHK zJ-m2^?~$`y>oo36P3xEID${txkss+VaDR>Bdi~f1){k`}Zokr8NW6gWi;QiQ<3@Xy zdYDT;1c9zF1M8t(VQh{Jgmo*-`gH1%&EFf0xJCL!xX1x_@@k<7-`B@~ATrA1_sgDL z{+>7V5e1`sO&{fsI+3yM>&%Y4Hg94@`BR^a-&vIF@%8CfDSaxUPa9_R3(lI2^tF6; za!dm{3`P0;e_amhhLwZcWEr~fvpT+v0H=#OFLG6-@3P7Oj8JeVF(N zLK8BVBfZf#b)aK$6B3w%M*KLD5PnX>U0*kHNQF0ugTuG3=|b4t^DuPA&aZV%*Wk}W z95=y!6+5W0!+k4W-9zLGL~?Hp7FL_!DZ4+6=}XlwPk+Hi$#qRvA;}`p!=7>cYV^wM zn>06}{!9G17^w1Rz>j$&{_y=l=8Ji46wCavN7DKi&9}X=GI%K^I&f)a@M?K~53j>7 zs;nf3fa3g-!KD(PeKTE&CepcDtbOnxdu@hYuRSx0#Fmjw~ zg2mt6G=#{7dfdxGFLFhii7DjYhpb1{-pKk~Jse5EJ3p*L5Cm*xL!3Ne)Zv@(2|MBwcR6nH4RJxZDVM~W-V9JqH=ma5U6D&i{| z58R&I!OHqAZvRyj+1lsF@EnvMZHkRDKi=rBy3q}6kgJa&rbRe|#y%y(;9QsTp#oM% zhmhR-t4Ve+DOzE<@eRd9-LjdKpO<`Fhvk(y65OAUAM;p^Bc#|j!#5KB>Qp^9+w0~& zo$G~85)EHn&Mcqb!Y5W0md}h9%boVvviXvw_`hFapW;30e^qbv7@9jm#Sw?EdT|{PWLWktmHh_N zmAY{!5W5c=%QL*%!v2jiHaWjU>3MyGe_wX)~U}vtXE++4kDiUJ?4`UHj+p? zmVilp0PfS9R6L*Fjzrq&1ni)~e0oO{^ya8O_+@KLz)Wv^dN#k|^JnuLKE2Tdy)_E+ z>1|Y)Pj5>iE&C}3Kaaf$de)!%^o}Lcnjh}dGe6wtFZRP(zvhSgX@|7W^IPJ)7zDxw=Y5O(L`DsaQO6OZXbF0{B>v_>GRj4FhA`;0=8UXKE0I* zdg~KuClau233|H|^!6vx@;nL#pXX*ZNIrk93iHdmKw*B`Y67-2L2o!gZ&e~K&pnU% z+nj)HPr&vhU^15zmG?*juSE;$mu-Fm)|r6yCSY=Abd>K%0&gq<+mL`wCSW@fu;~Qs zU;=hD0h@D@h(6Gbwgjvz0qcuk^Bk$V^%U9(>sS0a<4(n|=$&}I`rP5ctY3MN2OH7n zm+8F~_c49$=Uw`CtWLH#n$}P5*0_8;pPrxje9Bp2e|wPW5#GW}?w8m+m7Z}Dy`e1S zSGz0z7?QGl<_CU_w7{=F50klX5z7QqBXZTMmAN02>u%aUkwY0Dk#7-yL1Y8)^&02o z0RC6&+%H}f^4D_7S|jlJU+~Lj{(_vD z;qzl_E8!R~IakAh8Rca2cIUG~Q?$bKztk zuExM!=WX$?Hclk2e1`+~MsRzzUXO>%_GA9&7x7%v0kdJc1hl4puDu87=8rzWw4prm zbtVWt-*bfL>r75&X-#Mj%%*pxdQ5>usBPX}AfHSK^C%RPsE>@gd zgwAy|_d;W-#$TlIemq3Fh532xQ`mD9 zk8Sx;g;AGS{}^SXZe6`GevTH#)(73Lf?B-!qeb!kGo)_={Sl3~eG6EB1{Y4ZxOPH0 zm_O>v#{5wqX8!0ik%ob3_bC0-1ma-kkDjM6wn6hprw9WFc|XiP%$8x_Ti*tmhxwzY zGc5vbh54iJBmneQXLly;N*|&}wGiSr=6QR2Q9|4O>mu7tUd$i$ zApEVAw%SR4RcU(pj5xFLYw=0@R{4)QYIEj=4iWP;f7H*{{84{QvrK9Gu+ao;O#-$t z0o#&*O)1RhWp4s@NMWiXQjTK@*j#OFKAwDY7v=V0-HN9q3j0y&2iq2d=m%O{&DX>t z`rS3hhq9%PFtoUv@VQK%pX0$s_1W~0Y1brR8@)7qB;FQC`&PVbpLrXJ=IF8lpROwVf^A+$)^?rjo$ssV z(uvGpdF6r=>dM7>+o!zL_9wbC8#$lMx;?7#)<@Oa56%JA21JoG;%A*hMDS=d?#*gv z4YJ;P8IR!W#-IZQXRe7K2Keu2Ts!V#`YbeD9=cxzUtW{?*7NZd&vb+N?ogPG6}#|% zT4A^Fp6g5G$M}0-VLX_wMdfuO={6u;Rnt9}_qYx9TN{F@TI@adde7&3&nvy>rQWlj z_A(FN=RL!tlI&3ltzgCU<90kd+n>FW#+5QZqCAgkoYgD#p}B7ZLMD{&eDy<~LOg^% z{5lo()@J<4<(s#GcpdDuMf21}dPg|*o8b?5!6FCz0nusJ69fB7%^QMs`*KF5`0NRs zEg2#X0{=6xJS*g>6zJr-2uAsAQrJv;Rf)H&0lZ$|n1BCO;@8V8wi_Qy*&x=H%{Tu$ z>BPFW*6JUJEn^hobOF!#kr|N=;&eEN19(!WoXjRwSIl=|xpyec>Y=7Tx8A8`;YuUa3qHjC@r>esJxt6$bX1MgP9zAf1*u{GO7JgZ-`SA^|L z;930|o|I2z^g`mJ&R1t{1&L<@P=+=?@D9eKB20!D!=mREC21jEpVE=G5a7Mp&_p&i zev|eo6^rU^GrQ;JpvrG*@|;K4ov=(celwqebu^{zF_j*3!c3yBueO2o7u+n-;T&BS9DW8HG4d%1R?*gs6FDMPl$NH%%Vc>0bc9)HE zq`w%_G=q$ny*QiYwzo*EY1@fS(J+77&n$yH0U0;oa3?-p63(I49hN=xvHCaxQ3d zng8AjnjFhx_To%U&wNWNe`)8)x7OaAALM$rVmVbo!sJx?3pyJB6TI%z|*;wJ3s84wec5ealu=@To^UHbSP6+qj-K4hmfzWUW`3rl_rkT*E(>iXpYjtsHb7j2Z^eB;Xve;kMRu$YX-vOn z#c6F0J+$llitIXRS-;&3JCmmBii->JUM8)kxz1R8-BJA;01W5TERY=0bMdqO z!sdkf0Nafp!^a@6mRh)R0&8zf1cK<(Py3=30O}8HjscVPrz12up)aw9kY7) zIG)vB*t;m`Nu;ox(a2yv-5;PeLhsv3&&|I;pZJEP9p}6)ba8uuyOj6{bIE(XjH5AY z_U|bfv#vIg2!iN!iVohE@%H$Z&nmF%L!fbpgb?K1^b{?;j^WWtzOuL&yK}MWGoca1 za->dJy__l>xIJT?`n;0&oF8key8iPzPqr`#tm9!#C+#L~1Lz8zJ;)7-^vTSBLerha zJMvr24@KdAGuk(8#}wfR_wZ7{&xIj7P$g$4k1-9x8AY}}=r_ubChao@1eBGHziezr z*fMPcPh=(t)G@Q;-z6aDH=h@Y+wqrEwMIJImG)mXMrTJ6os!z=A2vqk>nS?a`97s{ zJ}2($%N4(y{LDbz^QmG4jG~JdUo$~=}Yx~)z$b}F+Y9ZeU zavp-uf8c-M)!J|vC24y#?Yl{!IPD+BX{jS)n)bO&iy-A!nAnk=UR3^j!}2rT9!)nv zLPhDKcMCg!+T6?pIQNeim#)^AJy7e*m`A7L&ba>jiF)2_Ki8LPd3f^OX?L z92cdU(&EZcc`#{bK))Bit(wOpcs@SA*`8D;JxFT%xpu~Mpzm}{^S$-iXX=K4Z13GC zF(KY#p-fY93;pDuCgrAnvaO$exTp?7T5n0p2efDdrj;+x?{s50ZO6J^f|>n%Iz;-K zc`OV!+wat*QHJek~tAR5|8!6K#?#ICjA}mT5Zz4M;M7P#7i!_sC{1&>U29$ zHxnO$I?Q3307#x<`xHepavhj@ROBLut+Bf}4TE~4K zuKdodZbT{m?q;PSd&*F6*xMrdv_s)CA0m1Hcd8Bg#D;A90d5ZUiFJQO)7e}So$hR< zn}cE9+rH)vcxIpsY+v(l2yim6xq*K%C1hIL*Sv&y2-Kg=LZC~tvs)(&bT27`?j!&?hd|giO)GOv z_&3QE)(+`XFS4EUJNh0KoA+fm2d>gg7J7)9s79kfCcZl08JB)U^a<$eNZ5! z(oc8?D(brC|6F4J57x-CG5aHOnXh)^Sxk3+W$tBYkMru;jFZ>oLsuV3+{O#qHh zv=+*@3OXj=e@)9buo*vwCX3h7CYs7wC^ugZIt<#UlRyt*dZWR36rW$?=ovHX&b)^2X5UPgAPu1W=R@b<6T`5_WCW z}o8kJ}V#})P??&op3>--&?`wZtAvV(ZVm-FH0 zR<`4P*D1XIInh);{Uku~tuR0*nr_x-#w0(&B`122mpRJFo}#?Nxryxac+HqOoSVO9 zjB|rumFdgO_&8Kk`38JO2AoWQFZ{#K^Tecud_bTN`LEaf|CT;qs_bF@<*yff|AhY3 zKBZM>?`NnJBx|T0S>3Y^V|`%WrVsMXsIafWnJ~I0yP_#n2&5yuG5i=zCr0qRK_I2l zCkRZ*C3;Wwhx!ILzXpp{TlePp75HLsp+lU=Y>77oO zNP5$|Gf5Es>`eYC^{^3trvrFKSLQkc`^Xo@bl}EO5^zWHWB3R!_4N{sDYEq`wQNOF zvBkK{ya4FP+8+M*;kOq*hUalSS)WHd=XXkSt{N|0wIO+%>d^zNV^_A-a3ISYGmazN zH@$lm=Q`f&^9%g=3le@jQk_u!wgbPDi4bI*6Uh8}lemlz1|3?-pHm>{vFekrV^;4z z%<}VLBg%sh8%w}8L@?TgNresYUN757Uq%lgXGkkqojlIyS#|ra963DtDC3w z_{3%xCnGJ4w=k91xvxfqO3mX(Y2Cy*Hep}1vcN^2 zLi!HS+pYAj!L#<`I=020rhMPZGKY16@OaT%_Bhkq@;K8w_BhfjvLii^r}ZE5?(4-i z$L8kgxB#JZ_5T#k)$iQ%-G?3)JHAY61$3wz_4+EGOY{}Clx!&>jkR9T|&(FMs4 z&dFt1%kuoR&5QfWCnQ~M&|rOUQ(BMkE-jYx)HW|G=Q(MWKNL>OqG_`onp_{$zSh}a zTQ_mzw%+>XHat69e~s9B#to@0l)XW+_vdao1F;iv zwqCKE>4LsB!)&1l9PWB;gWFu7ZB=?!H%0ZwybVYCPmo)koiF}>JL0F7j19PtJ>%Zz^i$ z)SC|N_smZxtVdy*jf@Eg60qe7n7y~GQIdAO{-Nv{n8$>|Z0`^CZkxiqcbMEdlRqc$ z-=56T+7Kl&Ijm`AeWG3_b#nh~fgvesH`EEyE8M?C!2~*A{#cV~H#p8Wl>w~>zoqyw ze1?}G9o`qLwP$!suCYK7-MeupUlBi)q48t;e+cVj9tfr{go%#huHCN4e~?HBR`1Mb zL?HToCa`h^S_{*!QMlzt*v15Gi^7a1@um{6y$RT%1nii?d_A12fBZb!6=rxWOSk@c z8fkcCiRX`s`lNvik_;m1(0UKTjKZ_4V|SlHe- z3kB?#z6lTYx(!xN3g~jQ{^}u%n6mhI)gv8U1`a=S`E-K=BYhInE zRYmdxO6&a7lC%OkuQ;u~YzvUAy%`sTaBP^bxet3w?o!Wo-q@d}eSo_5de13o{wWJv zm;VeKYDyO4rvzoVzoVFz?N2*%P64gMA+3|=6w~U~4(6plFQWD2fUh%to~G4~%Iw{L^OV2??b1pTaF*Y z3wV(+40eLy9CylOj4*^tifroPlLP&Dd4Wys2aP>K32mWBCR=9*wAK{Jgk*~3LOnFO zoJYjaPea!)f|Bo*P=*Y@Vjom5zi3V{`=^xV07=GL<3dUM)!fIhafYtVw$-oAHd2ni zA#GO96ojkdg3%$M5!xK`>hMzejGA13?2 zz(4$io6BTLwpwO;vpxSuj&LCZFu2EBB zm!!DMoKP0M><9h|&2!6aKhJ#50KQW=Z}*L)zkmg7_=IfNyOf^S{^`$C6~AYy$hvw| z@uVLBL;m>2^X0MoJ?B|R+)fu3s1G_Hv?wd=Ps5cbzqqvy+owvNT>pR_rRX16=3!0y z(zH$Q#TFgkrl$|F;T9s$>ch|c;ja*o*IO>bs81_DSTrX>JvD#$Id~>5zOT0wkMq@+ zypX)7@(A~#ls~}DM*Qx9Y(#l?sv8hnX6K#V$ovAkgpG%}!EDQ)$>XH*;;*aq0zRei zg0q1lIb{EuVv6)znsGsRD=#Q3zF8o15we~S&~p`z(*u{!*w*L4VN?zFdpGYycnLN`7OgU znl`UL<>NY9(G$ZJn)vjxAp>s#e(M#tk^a9E z_&XH8(f*%#96rH3+SGoWNFGZyO{3*l^BD3lJJe_%hfXk$qIS^_8Ctt2ct5DFAHg@M zx}gtZB-_OJJMW48NKrmRUOrc|&Qf+T-2a!{ZpBZ7lxHUykaCQHG=ubEv_I3*!es)V z?QDXP2x6ZC{l%fB+9vuCzgw_yo@x=V!8=pw{T@93ma?_=d9fSd$@!e_JA7S;xAyld z<_Vs1-+{Y*Y~O9PT0}c3?G<+^3+^nRIEuL6k6&aT-eKiqyRm&njq2MzZD*eSWuHLb zAb-gR<;@RLDAEI8-@a7The!S4smbcD?U@>3SrIm$j7z;<)$P07oE+aT#;%9*A0?;G zu<@78trtJ@2k#}o&kGGgKIW6ZpjPg|v@8Z>xeo-tZ6S6xyZPNVl_#e`VmiUQAlRK; zPh~)OF~9teV;XKfC)yX0C3niwrf*SRHu7$5Li&{QJ-$t6|7d#fN#>dBs`FPlvsIhg zeox3ZJV4s`R<&Ew7A!BND88b_tSlH|rwMRt#R zZ1pMrWzMtB+2}~mKW_;ZgK}GnAH%!JXP(X*qlEjPRwk(V;T8^U9g0%}3m(w7fh= zq`e|7^EA76B64J&n>0@=C+lOY!p>El#C*yrnGOn=W?JL9Ji$Od4=RkjsJ+y2vSSks zT;w{3G!dv)4D;|a|5MIqgS`4}9Hh81mkm7TZFa8(&kW>yNb!C`0MhGc-35P@###B; zhQ}55bKdj%$#ti0FVcIHZEhjAPKzEMP3Z$oz1 z`;D%wcJ8-7pVY5oQp$pPVTMcWh`p~VW1xB-(0v3`00o~NuL>I93nKTXcUaeV>wLYA;(!n54o92@9nmzFKVdCe7glD% z<|kmC3Tsvx#Oqa<%njjxCw_wp8zx@JSH4LReC3A*wgb)Py_VLe!HL?gEDI2~O=|{E?IIp0HU4-!PCo`7ZT|guJT6ebg6-bP5vyj9kjc^f4z_Ip;Seh0sI&yG>!BT=qWl- zH##rk26*K^ZVD$x!~{y78ypF@ml}HV8m|t>*EWrp{s!@muU{B9H`#--B{UDsK(h~V zW-q@M^PQYSDsN8uVW3mRZ>b7g<};x^p$vv<(;?+EA{oFP!{i~`ip)XbK8PRN3igu1 zC%~!W`IW8I^;x?#zppE9n4k9@=4?xy$Z3DgUN$lZ%J$WzHc94I;qzjA%BtlYC{9+E zhTXFBAqC|#p*tVyLfTPHdpCK_Wh1^yZ4PV1Yt|46)0w^8#dMMdtOe}>E8pCbFL>#o zPE2Rxv=hy*RqfA-=4a>XoJf9@soBdD$&aF##|y$t{wt@08JG{-55o&%JxBYj`LE^Q zg=K|&MU&Xv#TJdYq$S(`(2DovU!$| zlOL23+5#udjm67P%lmV2+}eP$Md{syXW|bf_%?s1D9^)6;~}Nt=ZV!Pbs=iLVw<+( z6g{?us>XjWMen|l9#M+gTMy!_znmhXlZUh+_I6y|w7^quW|QsE0o3kh7G0DDPZY^`9KXD_AeackQLHLZ*d zB(qjw0tUYPEL5u$4f)Rn-dxqiQ#1`>GXH?PjFX6iU$^3&iDw4#XzlI&1Qg2)D;j|* zlJ)m>O7Hqw+FbWCyej3(Xj{Z1lN8k>>(J`4LuuQY)!doW30M!|2)(>G`7m#Y$4v=~ zC~HF@p*Koggs1a@vaZfBE8@0xmDrZX2}k$@FRs3{JojbUA4+)~Swu76Df}2d%!@BO z=dVQbM%g=4GmfkmvzyN(9fU6YY@GN20ge~f*ZR8SpKl7zD66F^XE_rvE(4~71q8ie zdB+r2@^}2#>hFNnA3(q*pJq4Bhh`m_-}7QTJDK83k$grds^31uS^YknJRDzk!ztN8 zz@o#$%nad0q~*&>K5Afx1L5QhG`u#~okCjf-S5qkvQ)Z)_gG#R)#OEen^xR!^6v8- z+LnvMwo^`Xr*28+G zbB4w*MGSq1%?g(~MVVIPg?H9pJAP9d_e!RLY+&}lZ_vg>FAhaK7S%h;WA%O#X(BM6 zPI)So*7EN1F<%y~P6REwJ*ar&ybG^*-xPP(ySteMeiMj!tWjJ^Be?SRr1$_u{Bu{5G>?Dd-SKTUIy+>HBZ}o-K^z3yTn3hTojld{WVwEn&a_O?-)YJq zMrXk3>kduxD$3mQoN8jFlwaue3vAzq6!(3+=VhU2-Ja)ncp0!fty+&Z?^Wy9VgImW zLrAo^Iy1doMcN`?dHYoB;%d<$%F^`G_M)!F$wjQQ>w!VJm|mJb5GLbR+zm!L)_=(S zn&fw>uk{!6aGPsBj$Z_DD6t
#W&iZv|d5q*3~0zr>v2cUtG4%RocLm;#$ATHn2AVJESmmmnH471Z=J% z_;~I5$IrvoIenPTH~O%lL|U6~^zm%`?89un(TCYOr@`i-yt_0H@guM)?R99~>>Ktg zJm?$T9@D&UV0wml{7qYH?f<((@Y^BHp!wj}h3$}j1?{2rH*=^DNQ?eY_PKD9uJ)B!7?JviYP4N%&(aTUCoaNc;q8b^>du#(fj8<>o3;`27YMWV@5A~c zJj!)h1Y@>E@+MuAx7lviA?3qhYe+ReqV|2hF2tL>r5_TTn&ks`{PmyFeK<%f(v6ci zLhOSU@yWV1KBt+`>4mmW^mW+1EFkoC#O)&v!awt3vc`ardT=nW(XgL?IdKtK_I2`v z?;)xlxqdZ&_bBY=k$`#b&@_LbX*}I4zr^e3iF-(KCwPy`^1iSv^RzxiW-;#C8ZPUt zs<>|#cjcS(-t`gqKVh>cpO@um}Vfww7wu^w%F5%=*d;~vHT67z`p z-csY6xJMOtmEwB(hF8H+5b^$t^|%k|Oh3L%`y)x95^Z@u3_B3M&+?&y_w@#le3*P7 zT*ym3t*B4GrP7Bk6dh@O=fd;|MS4x1jqkS-QR)n@6+m9NN?Z@&2u1PBTy!#?^|ngm zTl7xYxIWu@I$@g?CVPwUOqkg_A7=iJpY}i^?U4kmMeEtpO1&xUm+TjhE9>$PlUt0C zl(bB*PfydLqwXJ_^lwR5MQNG;+S3@VGiTzfq<#LQMYKYn=iwwRIDsvhduimHh-~U*aH9IrFl-h$ms5tN&Cs>u_iINxH2??W4S>ps5wM3+kSg$L6;Q z>tv<~KCIV)av1f%`lX*Su3o2l`RPPY5wOia-FBI$wF^H_YZpGu+J(W$#{v8p9_FP1 zKE71IM^U}A>?Wt5rt^sEB3;xjq+QPR2w&hO=hfyubzJo^&+mfo%=*|we1sleV7F?v z`$jX}*rk$haS*#QOfZw3m|Wwr_-JA*-VXeJ{1|TL#mT|m|H==iBF+lNBm7IcoOS0d{xI229gQNrU|EfS zlQChPE?F*jrl$@u$o+b^YESqwfrfDQ`Nn^ImL%zqYZ~)WNn^9ZKEQi@y+-c_-c%XB zvNF1`vXZarEYibbmsEz*2hoz3X06Q2XHP`^+Zbn>oQMmFe(>i0wXBV;K{HO`EAquzKG|?s1N=@#hfuN)Q>S_VdLoGpnR|^k6k~O zK^T`qXTS%3PLB$8WhHo+q>dom5b*F=WxO2OFRjl$A#b+H_GZaCUw>xbXz$Iwf&3h| zP2QT)9(W_=BTbcIyk*u~S;<)-)BHo0A51BoS?RtYKCk=H6dkfmd(9Bfr?dfP{lFhEFVr;}%t?4p;bpVfRikqt zA65JqCQrttULUCAzQ0snUvN$+X{{$Ags1)vE=gM9dq4mAgmkG$Yaa5yYJqgu<^w#wfT@^xvXR6HA-L38AcZ5 zf1|=)`y~8H@jrG)AlD^NO7qWld{AlGyc=OQZniaJ*7Y2=I|P}}K%T4diY2FB&IX@V zz-|BL2S~4;r+}ZgH`Ps-O1W%5(tVU=J&n4t_U)&q%T=Ve9UyCZdl#OyzH0M5cxzOu zu*I#5Qq~M_;KjX9P{VcW+UUC%@8k;vlpAd_gPIfZeN1n+GNQgrvH$tOREfHgbT88* zY~&@6KnCYbM;4UE}#+g2RuokzGaUJ+S zS8drXjEm)PL(K*h*^zD}GrbWx<@Fo!{8u5*a1BKUgUlDb(#5 z4f@>4vLDx;Tw2s*g#QCdOY{M>=$T}AnS(tz{Sh0`%K0Dlc|~Ka^k+{<$Mj}DX&#@> z&J@$Ew{flS0i|Pe0&DRuF{g9EHuTxm%?`zVh2pNxu%905vUvNTv;eUE8h@?E+g!Y? ziNiO$#PiKMfn)uj?M-vC`a{jMdb>Rg%7f#fs(L1R1peHc5$rKt{E)`88>d{Lytumf zE`T_;Vc5-!uVa+F4WYgm>KJv?-WRvM;?9qRZjx!;pIg4N$xA3Mn~dX+Xr2$$^b0c8 zHHx)a`Q1&PV31ckejPdvAgC=H8;wvR8WpyE+mEZF7ua%5OPMebZ>7R)K9{id z3bVeIunC3Hy<{M4o5J|a!2526Jxd@CX6uQ5zK0dh&$n4Kw7Cb;YgL%FRjFUVV?UX= zW+(c!&~1Qq;>U0sWexej-@7)Gx)*Sv-|f?ThC`L|89lS9#Ou{~AJ6QL;gN5%JJL?D z-iqBZLUWC#_i;BWEXLiMz};1VD>eXeKHb9wxYl18F3UAv<>;47Y@tU}%Add+RG86| z@+&MZllk2~uKC?D?$(Gd^WT-o-})<~NxVlBcqMIvhDSc`sh37}4zj z-4TTi;JL0Z#Pq6|9W)Z+Zfp>@9k{!Eexc)dF-=S=+|y2X^1W+^k48K(ZAsgq@IOOZ zvpZIH%Ckq)`ubsZ$Hz0f`pAp&6mxkMazbITEVn0c<$JG46XPC?a4E~93Ok-G$wPY!E(kH*9)+9i zh&xb#I~?IsR;v`|%W6Dg2gJ;Gz&dlVM)c`$){v;cRmI$wU7K)TM~>H^ICEpKdB zzu)p|&-I0K+J|&YNf2Q^?GW^rAF_1dEl6)RegyY6wk&qa<(zXG?#g(5 zbaG;-cz%UtwEB26c?!k`+3Rg^zb@@HSrR%Mi~; zjiknw{YWbL;%;-W$E*LJ6l|v87?t$qX%w>k>O5IjKZwfvE>uR~udnf&+ zdU{bg%eN=VAu09T{MDZq)q8jbIbK-VK6_DRYW9-K*4gD(rj>wnThy0(FP@Lj#7=nQ3bsF%iQ%-gjO%P$(K&GkTHGAR21m|)BNX}K$dmKqe97Mq#d{&| z4)4Mg-a*Bavk6=|`eQum${cO?zf^jWU4k76Y%~tVPE;_`vVGe4SKjMDo)N7`SFW%0 zU0E4eq}%zc1?`h`&7Rzs=CPjcU}JR6o~&<_?xl^TT@&Fl|BVXs^WT!dW1q#~=?aG8>DhS(0#E|?vXwZ{53fP>M3_EdgG()Qx?IM@Zs zWP}+ZSUq*&d5i#r6VZcS;BS{y`uhB=e5--S~l z!F&QAJ*|6xitS=41%hyG+9!woo@CQA|OUg+dWI2~H9YVpm;&D04FDmdQ$55_z(Agr?bdP`= z->|vyl@P2XN+WI|-rffAsDH;4k6R!Z*iPnZ8=WMe-Y&%JaQCIEhP18!_i2wj4zw45 z_BN$+DS7n#JNvHAIdpDxHktmj?K}A@)8+LD{g5+c^jkrbzIvbp_-K>n@&_hHum8?30EvYlBw{SPu+ue0c9!}0I2f_8QoywNs|;K#6* z`jVoDcb~nz_k0I>H{LIp#{R*nrh+qGM?q>Ai6TfpSWh<|i><0mHZ8;6&_$K)c$Z-c z)F+xQPr%ZhGxDKqy0xuTsSove%HgbjS@6-tL{ASN1ax{pVx7{nZ+bYtUfL4OzAY5j zeeIbhO!nvR*7ODYgTPO)PcQp<cE-KqND;P+g{)1-&) zstn`pTI>rg(m(32>E9FZ%s^PDJYh_wcfx328GM-eAwF!xq2+kAVPgs#=H0KyU=9E_ zB$@>10{RY3dkyct{bO3IvgoYZ4xk>IXaA^x3 zHd|0y0GwXM`8=L|yKUq0k9u}{8BkUz{;ji=*t>||8n5N&pqI~Q$=J)Yo!b74g`^ww z&$n9Fi!QnL{!bs!y_ev+WsZ zk-?lt&@HP&whI~KkGeSdtDEdb{%v*G8=zV?J4@U?v2fr zjTjb8wBS2mE#;ME{KLx^Exnb=mPM7V0>vED#+DlaTnHfAmjG`A>;_AAS-J$YwcC`R zDLg0miGA5mq(niP9#c96-!H4{LtmO4$GfpcpE^~~R-SHv4))`DNa0T`@?kKN@onA5 zQq0l-ffn1{R;Aa%d=Qw&E`@DO>qecuTa^~A&@1W>*`HZ|_;l)UN)Mv-h@o<2cNwp3 zqLZI07j*KR=OOKtl6$FC_)U)R9qIHTBJifN@|T+{yJ1GBVXddK!f_yFY32F4=G}uk z?FNH=(>|Zy)c*J$Iqs%B8rd7fIvYLel9zs&mXTlA<-cjJn?{$h$u^~N6YG_GU(45? z#DNQSc3R{9DBTw0_eaaavr`IHJU(s*eUpofjZn|%@ZGjT9JP$U*n;SEk!_J-uDi*d zb;&?F46XQ$$dkfk|1%DM)bHZ1)3}?{x*NCUPo+wO7k*@K#9pN}#JlS&)VAUr25cS@ z5P0ukJo7_%5ib$$Pz_alW1HWSIq#q!$?^{}<3-Y5uTweSp4pykd@Oz>1jr4>l-U~P zLCuiBqzxm^hiy?j+r!JWQwl?IBrqTIdu;C^BM4`R=c!mPR?oJ6Ap6#_R7Lr8GZBKt z+1Pe%=7z0qC90UduSZKr$jJ@wkT!E-45-|?_#eUIDUUvZW-^z0NWk_cV22`lEZ;GO8GrmsIKxc!bvY4SyOe{g z$cNR}SJhuCqC;Gho6VcH0oI8hLl-ZgeX}%m>?6iAK}GbaD@ISs=<3HA4W-<<&zd=rwq9#PyBucS3kD^B)E8!h3rJk(^&0+0Mw757B=U4V2eHJvxcgH6-D z)G%xQx29Q#lZt;OonPN4Sv}Q`?hL(?#-u(!Men4sL!X6D>1Sav z(a-h(zE9)c$h&(Ft$uIJ|8EuWQj@3B$e`xO80nIB}8w@-g8 z_)wT1WjvLDi|a^RNN`_}Y+&FRJwAIS zz4Zf0Dfc$jV;j?v=PrebY(l-rzfs%`yk&~_OFY+P60bX~@YK>RJ1}3{H!bg`;Xm`W z`G7ycbEJ>&H5pJB_G-SbB%bIN{4d<`mYS5w_Mtq9@d$nRwP-)GG%d4e9kKlTMMH|B zcG`ce)pq(L6j3E05|>}UcuM~VA+wCNweY+VVMwO7L{ zs<&3;YjPET6ncbjz2WNY81qz%HQN_{xbP9xu$s7S3ryD zj?55e>t`vNHa>{s+Cb0bDmo@@?@p13c~+FOjStRb{=m5o?UHh|@xfmxJhY+Oi+$O% zp)z&UDeZSk>sZbsh}u@IVMX5wgKfsZI+#c+(t}R$WO}fi`~`L|U;l!g&6l}ku3~_= z2v22$L0R*@+2%_R%n8QGw|v?r0sFFoZw?k7R>iuQR9cPJ1!Z7<-#^g) zrt&`=o)h!!g847%c8B&c(pKwfMg0Y)^b^yQ{h%|dbiPPur=AYxvaSmB`0X_O5wFz@^2HHd!v5bpp%FgS&b^ypqB%hNf9oZ#4ca*_pCoUfhe~RK&pWJ(L=#On=TGO$ z6VRx$Ha~9drsnJA_5;%@HT%J~Hr|X2!s~b`YVV0}&+UE;>Byr^#5Bqy+d`LiM*owx zz&c;0bfnJxdYVyp@%_h0cS&ov(s~=78`qzR7W9X8Fi)MG6RGccNY}6FWd9w?a|il4 z^0r*z|A6PDK8EK57M`QVJZyga<)npS@*9yy6_2|uZ`#SIKa>qSHD|M}sm|GSe&(E$ zkrv@BUO*cslZp@6uJ9JZ5vurgE37-2pa0FMXQr|fxvWweuS~box_w5^O!k$|e(Y9S zcd#A!y5#!ZI$FyL-c6Z{vshzPF+C^5(ZTxX)r=x~ChGaq0&3 zOK~IP8*9nbM#!O13k0tfWr?DeRgZ0s?G>(!` zsy@)Y`D=DRN);YS+1HLMt=I9Mq7|L@`A~`$90eAq1HS`GuaWvSf8_;8=js~yFz`Fmy#ChtyaJJ@`&)hN%7vNcyPCJUtPcT#HD+Y+it}z zc=sZ|__szzidii1B$1Gn*%A?71 z$>8LnU#8C4d(U-#s*Q`HK5!_-9_Y}{HEUlFQA!}JHG=g3wm@MAh!xb^6*heYPb&Mg z{Xu2rnl}0^LeDVh4p~ooyX$Oe?nxTu9gdQe;oS4dOxQ0o<*YI z58r(g_&l{uiwMUA9?uCU{sM*nfx_vUgr~K?DZ_-0d zhScc>O*_9qe+dWVCEB=aLuO}xv-a$GkeuAS3@e!Q_KhzuJr*J=i&_|TdNvaKbKq%sudSLQNjt*u zOxoG{GRO(AULRbZRp77E_cD9&bP^Olhu=lsS*qf%`DHgS&gG+h(ps!a(uKp|A6C$P z?o1}wXapS`Nl1S`(;|o;D)es@`YhW~iK*=YqwO(!@xCHG4eF=-mI5`EHZ-VhQP#*o zo3b2H*jt!4%0vyyFy+FcF#q)$e`!(vaKC-o_7pJC4O;t@);oC5>q**c?VPAL`Rx@< z0JTUTsCT9huMTL+)CSx>tk;BR(zibry`z3vK10kW(cV7hwKsGvqAvqLWeC4T9jsaC z#BAhWit1Dg%iRH*#?K!!1JN*ihj&QU7xT3*?sXv^>yhCcUZjrOR^tmOtYYV%5RUL8 z3OlctT!yjD$3~Wf5y0uwbP<@>cKjIrG2I^HIypC4Ct$t`8qKOR^W*x3kagWhW%#+U z`&JpUUD^1A#bfBg&-%?t0`f9L7eRNmeN*^@Ue^J7MS93QtUfG{4#2244CnFU^2qH4 zX5VtdK)bMvI0!c1u{z^ygj>5?DKWb43p!|^y|OTX@84nz4z~}A-I`Fmw{iX=FOye~ zQ(@ozO}w)(i{2-8zs!R@ zN9&RQ83-Ftn7Wn%TOQ%{0dJ+k+Sq5;mn-Ts%a0W3(*X0_rL>-mX9m`(*`*Ewu*rl1 zWqIhoGx%`+KM_43|E353m-OoSkLJ6}-%Ik3q@=Y9KZgG)E!xiALa9`eZ6cbUzXE z{h5i!b{y{S9Gym+uy)L10^ETAPnui=%s51?5_^0MW0B0HA7Hbn+q3I5IbG%cKrBn_8A8kF>`7}_X|1iJMb9lK=BLLo zRXN>&);6UjXCMW9VMoge(kf|Nd^~9NKTfn*w;Pp~&94zAZ2|WdEkAAHl;YVQVCNHa zHp6`%-9Nj6_%;r`kTi1Jnd9H>O+AT@$v7FPrembhrEPO{L}Nhn%)bo;1tH(d72o(K zY-IwrK7ui?357LMKGL05eB-whu!9P_3(uh*GHF9w9j<81wvwd`wX6-?0uXUth0T4-7uc^7Uah zZt`IxE@_ZlJ4H1Mwyjux$z0?gVUq z0%rEw@*v;MYR}HVGus)*qRiX;LBl1iQ*jN(^b9k#qf3Yow!`zR9kn9L^ym4+lXWM2 zM;rS)nBNd#2==}RVJid@!qzFQP48?=oAg=sji6jO7zx)4P&(HRO@GcL9%8OT49l~Z z{}E#NqYfOv+X1urD%pb)mh)#;PV&7#>*Hlghj~>M#%JxA>8$=u=Qs9 z^u55%p6wIosS_{Vz#>cMLU*cEYD4nPnuokMBl2BF`69Q~IGM)n(Kr41evqH*pS-?l zr#DU$`sCI0XFKx&)x2-BJs(@c^NltYIH4U#E^`66e-1y=lD;v^Hpz+*_5$D?d|4Y} z{jO47e4*mH`sG{6ZtS^9%C5z&aPX3|EgMrq?`{aE#K}PQ<%LkWADSyQ(+h`(|06b zJqg%=!t^FGUY>xhOu*JBU=s7elu^S@m_Q;K`K-kE-{ zK7WRH@a^8=x2^_r57N`P^d;I51fNfvH#Ar~;yV=YIwFIn&2eBw$xU*gwgyU7G>M+9U3(+czRC;U(Wyrli1k1y@qha){n+opK0Q$|++1#_J`eHkbWH1dEp`NPiWY*!gpvCcsi>FC0S{}s*YJ+_ zy{$g(#TSQLc0P2rTc^#ZjCMW*H1aTkAA{)|VcP^!gR#DMD{P2&;Q|9h_bz>YUMBGl zGag}xmjXQI(W>(2mPrP}%y0Bz<~JIQc`VhmH!xwCM?S$uyj2b0F<VQvyslGvribKplfpXiOu4PbcQjdk>{gV$D`t-#CLZAB?>0#} zNN=B}ZDv{o!X8zax*h^Edt`nu_1gCBvYako?3Td_s~ZRc=F5U5Kw?hu}} zZzZm+V;oQKNP}f(c&fX}m2igG&iVLa=P)kAmMJ;oqRS;It>@jZqp&|MTytBY>2IGo zechT{FYvc&THA9Ojpd^C1Z;5W22-LwZEn;F9qt5;qe@50f-;!hooVgP>|CR1dXUGE z>c&4azhYT^GxR;cGtimOgr>i^mOk%S-1%83P_#ZnpU3p{8?|)#7{}Y=@cA%b*H%qW z$$x04Yim2yJ=0Tp*9!mV;b(gK96WQb1S5HA52mNS4VE?zw9|--K$_zX_QPyLrq5#> z;P|q2F#PDg)(%GmO)wC5MuIHcjgIpu&E` zJ8YxVY1nZZUOQvy7oHu5tz_NISKS!bbf&|wsrlSKl;u*Jh*4*4y~g^(*Q(B%e)>9V`su?qD<3-i5k20XfbB`Z4k*m*_gwIEBmryDj>N~a z`5TsjfoX02#>eYTq#aDaW}3h8`!<`u@nJT9DM(p#bPC;t4{x&&;K!hBm`@5TG=V3*?gF#Eoy-%cM@JhLOxzv-W6 zX_;2zh;sUjIM+tx(5CT5yB&C43gdIwe=jq$E_$>~@vdV*>-DH^{$=qgDT%rIm{eL; z9@?ZG5sd7Zt&06k@+#%U-R2h1mM^n`3D}eKP&*LMx@P!GUgV^Ud`$ZlDQf z@JwE0Z2=<_eK&VKVFPDor~wL)vUvn3(mlP18MB)7AWp zYfaqpe)4|BV_u=&h2NI9^_XW94?)V$IzaG!L7S(s@)NJBcz)Ylnt++V*(_9D9@d{* z+D^n-f8Iwt$g@^9%-V=fppt4^dqhWfX?`za8sMzX@Mb3N=c7%sjt*-4-)VgA&q+Vw z)^%?6#0(E!6oImCQ$ug>ffzq)@s$el16+|;pW<12qik&dg_VzbIjVTF7evaVdoqxt zt`q4yK(7t0J2E28t(xAK=g{;m~BZ3lC-Tqm-Pw!XZyGQJT;HNG}fQf z4lwlNXZ`sx0#HV7;@}2(3Jd#hAvt|=r{Vxq^x*8%W-Y9(+r3_8zC+=@%%>BugAt52 z@2J9rZ*TlQSC!jn7THJ2nDSvbhnGOc`L+*?1oN$9q9+5yMX)(7w$0@NDV0uS&XMUh zJ%)7cNV8YdiCqu)&Tcf_V7aCKaIaghQoCY)AN8O^VJ0`idJ-_3$M*4Tzk?53nMk`n z0h>s`%s!fo$;)oV^L+!ek7my()5D6l1kd68FSIV7|Gm(}l+XWmsEtvz5+AciVWJgCWV>Y$THy!aevOTnZD8{YX6%1ch{Rs=QLKdf^>WF zTS|O{f8oWqSvIZ@$KijQ@=BPe>FeuaI<&*J_dKrj`ed3{X*c_r2EqEHPCP#pp3j7b8;V6BC&2zquH2pG$yxkV_)(7+zO7kz`wCR0z$?qt` z85UVjDXndd(Rv^yYt~td>V}M|{PLuE+MJ@pvf2F6x#a7(bjmL&m}-&sVETG?t!%me zVJ6Gz93cKTKv2eAtKs1+cLMY=gqgmb1<$6?PBreme{6yzZme9Y8;*X{FC{ zY4djVMz3A5J=?m^W~M35=f=>^;kAwHLkR0*ncAv9Agw^3^Uu>ueX8G1tU|q^+)W>E zB4R-At=8XyUVcVT;7{2a3hR40(<4Y-qKtN4-6{tzJxA}v9oOeGc?a%w>RVcU7*E9A zp|~;Ky$bi~9#U9Lx1=&Ne&+&jp2BSZ6=CL2`7raRe3NzthfO4S zF@MU(Gk?m5nLp*j%%3vY0+h|hn^GTMySH}+Zt>bZ^}9>$|J8VA9l3KoY|K#mZX0P2 zDekc11~x@DRkXoP5ap8d)NQ`L^+9 zBYfLAWsUM}`~4e{x6L0n%D44TjqtsonU$jF1T>&0%M`y6zSk*kqkP*rWsUG{V~u=8qed zx9$Hs9^YLko}H`uY8ExuZ?^`4Qyv7uwPf#g5b5)5|DW$)+5SHtX8Zqq*qF`%8;o{s zgTfk>-!8>(M1F@Aw^8}EwNMzP((&X+zWWuoQNC9xej|KOD(*0uL3ePxeq^8GACGU= zd$UdmuCCE`ek^@GJFn*s&yU66mF4Zxbd8pGMDZIb??%OKw7k0&|9Isk-$zc6@Alag zOsUie-vf%-w5AZ6!-OHCZPk@n4g0B=>W?92Kgp#i%y;$j}Q8t3^R?h<~WpK zoaMuMHQtBKG=A~NC1aZQ?Yuh~xUqLQE`hcRSUsy^KcBwse5L90BR)0YKJ2mb%{;~u zd2C3)CKIq73D|T3b}#`unt;twpV}{*%|n^2+mWtI@kU8QTvU#SWl!F)4S-lS8+X|} zJz=8>zkQ9uOo#e_w^3m>2LZbl)Tet%WtCT*7(`>98<+8{+x2J!qjyTyuk>@vW+P0`OFhKirH0JPhF$%ea#M@m(|T1 z#p{XKRoD%!mi6g2!F7WGc~^g0X|*s91j^FZm0rs@zik-(@I1r*!Evk#XM5prFf-74#O z*g_(4J%l5i$BV2Xzg5?P@qCDK~?{X8ZUcsmlX zX@!}cAioC{CVU2V;x;oAup8mJQ>(ViW=-3LyRBzS*_{7b*H*K>u(7ryoy{+7BQ4ZV zZQecmj4*)yka#w~VDt?S`{DAl6$XH3^9$WY?I=9gr)uA@FMmJTVx?``{P$n5+^M!1 ztXY&lm!{+T_AG8WOG<*FK2Tiyyc{+G6>coSYGSLU!myfVPM(E_<&%r{|$b88IK7!CocEj7T>?E ze102xxd5^@z5EH~?%9w|wIP4)*#jxN_KW@=2g0qtd@kw0M%W(YPQ}+Dt>|2D1nWVP zL52O5rq6v(c$ncnpRd*J^XW#KjhcQ5@6JYfeY3uc{;Kr8+`XFC{Bp|vkix7DcL8=x zVe;NbQU8y(K41!+I}E!^n`ZOzop>g1t8t1lI~3akY5k?G7czhAFRg8`u2yMZ_Bt)2 z`3GyW^71BgB$x-nZ%a@6kk^RhSSo#q_gwaF53aXQAzBf`8re#3kOUuyw6;G^v?#-7 ztuI?=BFyyEV60d3>)yq@^ERLj09%s;#10Ne%(`bcb~C?jeJUMX%Tzkr*-gsVtC&vo z0pEJWBjdJf+^h4rKa@Dur|BtiEfm!=X_>#l_T~BG}dYPkX z2m@&ezpHn`%nv-xgAMAl(PufW{fSOXIXUukyc%Ea9*s@jGas4P)(A%WRxg%6Q7qqh zy!`*N_a0zURN4D~!GNF=8cZOlji92Uwup*~+A8Q6cQ68?wg`#=9W&+@6;VM(#GFP& z3~OisU9%%5bP>m}<}l`jIx1@p|8wfR?@af#n>nz!-~IicxsTY>pL*-ubI(2Z)~)L5 z>T=n}b`8e-)G&uzP6hX`m-Q)n4k0S_XS7x(McbjJRK2QYy~X0mIkmUw7|(d!9_ML= zF$|@=wbd`oD(!h_7{|w$bYz>HMEQXnAO{OCkMb*ZXvTDR1ci;t4^f z1vxxOX2th#+4ZBAbMj_Fy~Gpu$pYO+3fIbM`MWLVhYNIr*^?Z_TqWN^ZkTiA8&nN{ z%c-sXZE@TMHZ&$pjiUh~VSHavy?o!KpNutv;iVZLa+FUO>j=~(#`EWhoFO68Z18@7Ln z3MG&{?#g+&{CZpLeA|(-iTTyF_?#N#OxgIN`9G*by6niJTeS9)erkK^XR&dR&**19 z8xmV@Tz8j>N58y!M(93qV#U{8?E!{zt7k*rNuZc_^6oX*=cyI(=KJeSKsb z+c#Q;4f)o1KVbgvKX2tyqY{~D= z6=|Uy0_1{Xkqu(MpZq&jZA*!-=iA(eHNbfJ`V&UBjOhdUw`d2*zggJt9o;#9&Xgb* zo?|~#ILpaIp<`qL_HW^9ThZU3&@ns!V_1*JT9om=X)?|4k z{%Oulg?>Be<*6VtDh`a-!n%DHw#VaL?8&cOHf&cPUdDE=8I^rng#8Mp+qLLxLgz^- z92d%ZfpM-<*1rhb1&r%F)nx)kyWzT9+rsg7m;7DOuSMtAmRA%@Eu9-i>i$yR(~C9v z`N4C-!rwD3`>ky;OY*zrk{{ZJS!zs5J9~-Q9Q>Wn-YUZCi!h$g=kLq$md|)TpU=|B z-F&uZ5jMIA<9N&8x2lM4S`o(c`TTw77SYueVH|Jy`|@*|eAXTLn9ouH(|L}c4;SW1 z;W=+h`6xU8q*uCrXd$urw+i+*)7N6TQh5C!S!&MIJb4SY^2bSiz)I!6wu||{pp-9# zpDVvv$``dYTK;J{rj)JVykuwzW6k+*bHL)}zxD<5zjvv=DD2lqN~|L))m9q$)X`__ z`=YkQPCxlK5w;4yD-?{Q+Y3jHuKAz9e&6d@&mS{|YxIwUHM*_GaXjcz-2Y%*QP!qt zT8c{j=kaEm{M~r&LI3gW+o^f}%bADf^Vvm?U6&VOw-;eG0n;)2GFV^rL*il2kbi0&h01f-jv>)C(Soyx|Q zsz;9*tY^H&D}TP`dN@~jjdDzhgNE7~tv*QEs`&gputVXoY>lGxx9qR6nx%%MRzvJtE^4eCp6lGax$x8Kya`p$cYNM3Ccb@)Q z6^b9sb2)Wvco>BwdhAEJYNX`fPdVIBLrk^)O0Zk>Ri9KOk4~3QhO#Z>@rSy-3fmuR z*gnIy%fkoz2+LtR=YR1jK5FQLB;_$dc1*L&+VL|<>Y(39UklnWCRWR-Z@ebq=K_No zb5)uan~v|(DeKlE?`*m8x6pWAr14Vw2cxfspkMISkNEQ`_Fp`gi#C3CuKirJ)MX!^ z$RC5_D~n=IV_FS6*EISSUu~3Yj;U?*H<}C16IxzU{EX6`H$ES>9x84tTmwxnF&yKZ z>5us)Zg<}EEGod;YCNQr$}epj^YI_W{RzkPwWa(~A4Y3sQnuCq#aR%~$#LJw14iRn zPJPlbGgUQG^2h%zh6>n2MObaX%H{osV3(C@N5TDsWv7>FM}M)y`#n}Fu*LZw_hBrZ zzrN87wsjHn>n>gQSqv7ED`j0;bQmH(Lbxq|^RVpT5|gI3agO>U<)Y&AZVME*s zW8U(ayko9}Tw}7Q>ZPnvD&B?t{&~@Um+Qf5t6B|7>E25I*Wg3LHS}PdmyIZ4t3um3 zUkypoykIHSejN{NfBtyT{?L-o1{x}0@mv<@jwqtb7GYD1uv-FF%I{vHqu+o2KKO|Z zIij(p-)9tzsfO5wxqE2Q*oqyERh9hH!nmk^(_+%d^ld4>)gSsDxAo6`y+eokf^|{L ziNz*$v7@#|%Reo3zP4Rlv~3arZQHEaQe!)m%?X&c>n*Uhc-0qAdt3SDj<1UPD0Sqw zx0}ya>!R}zY_Yv1uT>QsTgysas*2YS5$4Cd&lK|3?KW=*mj>f}>W}>x%TjUFV*~SM zuKe9NN60*-pFHt>+;~IvM`FQei4T*bvTm=%KIg)RmeujC zi~5YFx_Rar1gXfR=jOUN7v~DR{AI~30C=h>I4vp)JA1>ZcP)7Zb z65op={g59&dv=GM{7FPxUfLMTE~392`|Y4R$L-X6_U&_felBzcwl&%uFArnI+DmMz zojTa*&|pWu6=1&ebDV<6AwmpRHt2gW~&jpmfbxiR2c!%jWDaz(UAAddv7NIlaXQhGh z_li!C_gZw{-q0N%6JrCwcFSWGU|b97z9YfX(Djnnv0%3)jY1Ol55A+*A#n zjz!-4q&E4y0&TAr)y{>Mj9g#C>x^nc`&bK)ttt6i|7m$l$4NuJ>Zw6|yG+@P7CbGp z>wMalk-CGFgY|y}>qz;b11ugr^Xzh3r^LdpPd46jhE;f(tit27%VF2^P2uk|EX=<41&>#2G{#0ocH?Kt_p>`BU*wW(e9e~UC6_n)WalNgZjXET z#^;4I?o6%k7Oh80d@n>^|KtApva|C0U+ihD-oifn>yCx7lDqmWR^_sZ^X$}C@+QBZ zi=JDTjVgMNj@$#$TXyGpZ+za?;3tx_eT#-*_Yv)>m;>Yc&_iv<2Cc-^J}pYChW zV+ubHxe@i)c;WdIJ`cG#Z(Sn2t1;u}A-Cy%R&4M(KJ(_3yUARAeZm26su77VWtYV<-Hy>^J2KFsKOP&91js#S(L1CMmn`iD$3eB7dtbTYa^ZFK5UbSxRYrW1;!B zAWus5McG@W&INVe;&WlPDzGJEKqoEaL)m(N&N+2YT+q7ke#B*|dm@7CX|9*t-1@*5{C$q@-R@=2-s_enC z_HCqho{|G!yqnh72lf1dTvL_?+XMEL@pG0|d2JsJ-HCa+Q^7vTYf}{%p9!t@c>mIf zrEOawrLk$Twgx~BZ0 z?yL7YkaQgBFw#+^j*H*gR-WJAu|d;%HC-y6nqwRntG*_0;@C;XY&)^6Y{l2+Zu3<8 zHoCSbwST|7{d;PE=x0?soz-^G_%?$kE;VRU>p>T`8Z^1A<=c-BdTP+zLC+1EH|Y6+ zVz7%y_mqEH;`EcmoTOiyl7!Z6mGKtTE88aOZ;xrRvn1`0th{KKJdWHn`v2blF-)3t z9K+*Jx^V$16^=6lU8~?d-=57s@XGaIfTOblfWv4&8?Tvi1Ew6lZFrs0@R$7|saLd| zQI!X#eHX?$j7^x|VIGJ1+JtY}z@OReJ9KQ9|4+B)|I^=w%m1gb)zYf< zQf>5~w%LgNU*9iIX=rE7!uQrWxVbb&Ak3G>EeroE%)^DN8@K9`cX3LX=UyA_yuv`o zYX<>t@-5dBO$q}6uk{7E$+tST7N^A5$QNVB#T`E@FGgLu3)gUqx_kWj(W34o`i6OA z5%&$}RqyVsPiU|aiN`3?-zA`T~zxm7PSGT90lh!#3p3!&8?Vt?mZSR zY`KKnyWA4C*Ln%JH_@I~w-+9lrnV;9w{2oc*pvm^o@$p&`jiV-rI(PMM7zYIPN78| zTT*tCOUR!kX=hRA#9{$Tc1a|bgdMg0pV%28`)eZWFw@tw<=?i8Fv+fg{WNJ7XMe3% z{b$m(mH8tr@4cm0qSxXsEeopX7cC(>OUR#rOUR!-ZM!d__$(Pa%SX#E5q}Cg&+$gr zQ(RMNddJ^2U&ww<9mdiN*;hB+*u)sBZesiOO>DoRiS5TU;a~ISrX!GSS`uYN^O{4~ zEb&F)IFYS0zIh$x6rq<>niSJ+V zPVSn~s*v7nV zYs=rB{#eJUTQ|@4!v5?d8$EH+=Q?=&TYq7dgYrcIq~9>Na)i`a5--iO#bw*<5sUMJKc6RD^aq4z;>h!yBo;>)QQ&%B6PZ=yC z&pLK@(RtRBdY`gKx2IFLms7X5Q@4*(H^iwM>eT5y?w+{pD>_de3>TfJ?B@}QCjQQu zLwkT|JnQ?6Q+J@FPL+&s>JAc}C(a|Cx=~J@)4k{rr@hgl^Bg}8b=o`3sXN@MJ3@4x zJRKuCPr((VCZ$I;sW5?Fk@Wa?wCFtR7w_ja$BI2qzv=ZRPrdp*X^%aTxyp&6@?38k zD>~15?Ic&NQFO9XcZyTzmFcq@J?D+5i_SA|oFO_-{Ia6+^zWIX^Tc_aQ+JkAceYb^ zj#D>Ybb5`gsdBCeJh}-^-FZ&k`A*#hqVvof6Gi9Amq||Dg-+dM(Rt>BD$#l3e34T( z#i_g4shjH5UEZXg%Q*IWKr@gm0b+fox7o8^$Zg<+dLv)^b@=mAj zF41|8t2w9cZqa%2WrkBX)2W-~)ZHUGPq|k_EgZssh{n?&_leGPoVj0gp7qcJqVvT0 zL8tB^(Rs$v!=m%#^CM2(qfT9oQ}>utH`}Ru+^Ks)be`kolTO`JPTkW^-5jUx8K>@9 zr|zFl-CU>cIj3%(Q}?`6SL@Wh;MBe7)V<`?z3kNe%c*OOGlK6L6na_T;I>OOJmK6UCobLu{K>b`L5<~wy? zI(1(;bzeJm^-kS4PTjXo-FHsi0;lfZPTluT-49OPk51iBPTkK=-7ikvuTI@>PTlWL z-5*Y!F2+6UEB&5>XI<>Q&A3eLdCrf#w{N$0+FQ!0Yva`E?;3d8v9wdSj8nI)Q`gR^ zYcD!a|8{WdIy!awD2Xb>Q;B^^qE(l{_W+|>GNVe_SSUj)^h54J9TS2b?Z2F z>pFG%tU6Cz)^qCCcj`89>QYYKhE82yr*0#suAfu4u~WB+Q@5#8*Wanr-#hl?!RAig z7NYZ9*Bju}>0?7Y_Viht9^KYXUD~PJ#;M!ZsoPF;p8go<)ama^dF*ZP)a~HZl{IOS?yE}DzICc6AQ%^hga_aVW>h^K!hB$RY zojQGntf#&EI(5UHy8WCwIjwb-1Dy6UPThe{-3X`dAg6AmQ#Z<~JJ_i^#HrKg`Fir@ zP^V6x+3&G;xKnq8Q#VF*p5y9~PTf&XU8PfZv{QGCQ+KRWcbrpqyi<3AQ+J|MH&%45 z95cd6qVs%Ce6r|TI_#YyI{B~3qR+PW*gH*hp3l2a7oDfQ`de%sUDl~P)2SQh)Sczj zo$b_}BRWt2ju)M0oS!Q?&*$+IoVq3x1%mU%o+l435S^!gCyLI~-bteK%)1vlb(5XC zD$#k`dy!K&#i_g4sq^;RC1TH$f0v5RbG`U7r|xp6?h4U)`u9qw?kcD5YNzfRr|w#( z?mDNgT6CWNxL$Ogadd-IccW7`&8fS|shjT9-R#ue;?&*h)ZOOP{oSd%-Ko37sk>8j zp84u7(RuPJ=hWTp)Xfl`{MTfeDI!lhW;yGJKb^X{ zPTg}(-8`r6d8e+{se8exd(o+T$*FtUsr#2x_li^Zs#EuxQ}?=4_l8sVrc?KpQ}?!0 z_l{Hdu2Wa%)V=4_z3b`X9zH;im zcIxV#x^JAiZ=JgDoVo>0-M^i>@143IMCVzb{wO-ndG}AE^L+o~XQ%EL(RtSQzdCil ziO$pB-<`T9PXH*8i<6$~lPyH#@vo&*r@z_iv8TTw?9sJ$>Xvfq+KA3`eXXrir@vF_ zvA2v>Jz*V(CC&Z%48sawIRThXao$*Jq&)OB_0R(9&T zId$Egx>cOIRh_!koVuh_*Tbn>-Kp#8)b(=e)^O_9bn4b}>UukMYddx8ICbkfb$y(= z^_;r(ow^O2I{h7A&v9Wxr>?J4w~JP)NSt6ZQ;}naO$>n z>b7#~wsz{$PTe+6o&M&FC!e=->IOP>gPc13J#3GEJ2-XaPTh`9-A+#3&Q9GfPTj6f z-EL0Z-<-M%r*5!Qx4Tofhf}wwQ@58>x3^Qbk5f0qsT=Cl4Rh-Db?SyYb^AGW`#W_9 zICUAP?m(w*gj08rQ#aD78|Bm;?9?6N)QxuP4t44dbLtLv>W*;g#yE9HI(0`mb(Ny? zT)#TnsXNB0JJzW?&Z#@zsXM``J5h9=>vdzDx|5u`lbyO#oVrs*=UH!@=G2|;)Scnf zWu3Y+ow{+N^W^hcqVwD@aJJ|?_Y0gOI!_tz)SW9jxzyTZnIJmP{Q~DXb>}<%yTGZN z=+sSe>MnHZCOdUiPTfUL-4v(pVyAAZ=see-FLCNF6`kjEgUdwc86THBbyqlbSBlQl z-m9GUt`?nV{9fbKUF+0c=hRg@b=Ny}H#l`SI(5@T=b49Y5}l{tri)JgYqH$zw0Dc> zJb8Mn=sbCFn^X69r|x#Ae|I=_cRF=(u?jsk_gq zyWgpMz^QxCse8z&d)TRa#HoAKsjCs4XTA2AQ#aeGd)%pe!l`@Gse8()d)ld+(o8x)Xj71o_FeMow^sCx)+_gmz=tnow|QHb+0&euR3+FId!i)b#FLz zZ#s2vIdyM4b?-QJ?>cpLPThM>-TO}62Tt9GPTfaN-N#PdCr;g`PTglt-RGk7Trc@T zbe{F@e5dY9(Rs>OPTkj{^E_9r-l_Y>sry!Rp7r>5PTc~h?%z(`_fFjpPTh~9^OT>Q zx}Tl8U!1yMox0zgy5B|T>EAz`IvqqFdo4ug8E-9}x-zHE)3>T=E%rRui@o-|y0%iU zCw@yib;~$)%Q|)KoVxZ-T?f&5&f_~ebqQy^ot(PPqVvqV%Qbg61t2lM5I(4f#bxEhLhf}w@=sfw-)2ZtvI?ueehUh%! z@oPGDYdP!f?bNO9)UD&xt?ShFaq8A{>ed&Xr)=P~mvZVhbn5y#bsLG!Gr#n6>Na-j zHgW1Ub?W*%b(=YLn>%$|ICTS@x-Ff$t(>~8ow~GBw~bS`ty8z1Q#a758|2h&@6_$! z)RjARJ34hcIdwZbb-OrqyE=8dIdy+?>MESN!J_l5Uv_uu_HgRh^Z(_7R<@ z3=y4Yy)jgD9+SgFP9>&ElwAmr<@@=&v7B^)ScdtZM#yfTAI&~97 z=PBnob>};E7l_W2FB6@*Nlx8`qVs${Gg)+={Ht>6E)t!mOmXTicIu`&b(c7GmpXNq ziOv(h%SGookH5lc?@FicDyQyhr|uf3?pmkrI;XDMsk`2(yTPfu(W#r})ZOINO?T>U zcIs|%>TVUC=Q`$XPTk*~y4#()J4ELhZ+ANF-R0EfoVvT6x*4MLl$lQ5EYW$S_c(R; zdW=Z}{^8W!=hWTr)IH$TJ?PXuz5H8DRGW`9NA=t$|Gn0w8Wx>n^53id?%XJ^x^Mn_ z)vlPgUH8v_ulja*+qLca?{)uG^S0~$`S07y`<3&yYy0xwtAESoZP)$t->d!QgYEh6 z)qeQCTb^FylmA}p@0_Ha!Cb*wLL{kpHt0gJo8>>3x&6MSE4 zexfd%PdHz3|8Tp;X;F%{N6Vt@vnblo-zDANMe(JWwv<2lYbxC@j5BSO>L(sAsO!x? z@XGxH+~nI*{)Ri2@;B5qbv&a!$v=YEFiv4RDcAGC{F2IlQ{?Y3Z~8;SxP|T0bw+-v z$ba)6{Jo^&t$r7ab*c7*`7`!EXv3oHN`JV|f7*W93;QcU}AH!u?9cFVuPClni$)@xFHn9^zC8@cul!vY$)MC)9EL zq)XW2x|8`)UP8zE!noyM8`WJ$m)L)C@sjFK^}kqOmTDK{LBBucA9xMd^}*(bx04$F zvOh|-hkj5V#+f|S6>F1fSugcT8VFvwJ*+QmU+-YQVe&pawgr+U`j+|Jl+m!=rQ%I{ z93Nr(Sx>3>g!vKn!(KG-7r*ZP7u%=#varG2@E5(7iaYy@)rS4H4>$b9uk^2}YC>J9 zd@N-r+@HEI4&7T|{*U6> zRJDtG{ynrQgG*?8sr>&>&4=TsR6jBg!}%&4$Km!x_74>`)erxvKit15|3cmWb$r4+ z_;33Y_BZ1 zrF4P0KfNuLCm|2loiyY}!gf+i9oto^pQz(;B>!F=+S1ojaShjL$^4z<@0Q{yeF!%FSKiX^urkIu z`OSOS<3-w`KxV_Z+wbVE*wf>^L@b!PKy`|cpztlKb+-jdZ=s4 zAL-=evnxj)}~U;k=7jgF5uZg_fMdDn0Kjiabp-5itVJZT;c%`-&vtl4~QXg*#xuL_!1 zO3kZBSwJ_hk(6lPu>@9 za637_pT^(zAU_ED(9S8~UGb{--KsxR@jkSFX9+$BJgoO!@X-E`;Jh!llf2h@e+6F} zuUfzI*4hv$p%M_{K9_`cww|7U=+zgX{O;QZbO>%B7I`c~_`20V=az2K~u`r3fYJ;$+~eyA{v z+g9MA9sS*FE$X)x_KW_`uok?;+tp9~9pHRUfAn{HwS;!E;Jl5U@zLKm)qCo3+>a6{_dd`#)0kS@1OB|%k-1K|HZswKRyjR%tP9L zF0fDjNeMm~iAjH`zZIOnRYN}?24{Pze-xZ~Nd6Hxs&DAW9|Aqw)e#M1yLw8jv|m;L z22>ehZgcT1I~W`5uEL1Jbw;2?feSP{2@;u z!5L@TUk;r8Lj6hsr@kAwzSnY`{L?%+4ZK}Uqe!2hq5QmnPXNCp;8Vb_5BSyKcLaPo z`27LTfj=4W2f$wl_!Ho72Yep*XW(ovHR5>OIIzRc4aw6Xt4-GM|IXma24a7715X9K7kE10ww`DcRRnw!=raM|8oV;#<>1+X z4+gIaxMIzR4G^C-v3(fyxj=sqcul~M0Iv-=?e7KqYhXM1$>5qFTF9q^uVy%+KXrJ| z7y46AfLHnx8_e5wJp4?=uZ;5UG00&c&J*e0qB_$=tN z0e=|W>TmR4vG(JWh#P#FoEAVW` z%mV>$2c8S~ir_T?PlDG5d>!z*fcFEh5BOH#4GT%cryM-N4hP>IJQ?ue;HiLf+~wkU zz=*sY41G<&j{>*;Y1DJRtqb&=Z|eg-7Ivcewb9O*;E8~r4{mX7)L#sq3iNDOI%qHF zlZt?IKFI`J-PSxGhP>tT?Z{6657$u_gLA&+c)1^(I2{xfwNst zfL{&H^PPF%vjY8V;Ex7+uCE>o;_yE7uLgE_e*J!6N1q#_?fp5>e-GXoj?>Sch})Av zy_}z)0q1&;>$iCUFNd9%z?oNEzr7J~uHW7ZILFZ{@H0GL*bto8C8*yCe0A|d3;7Y? z+DNm_V1RadgRcUB?umaJTJ5Lc597>y*d3hh zWj-7Pu5r}Dd>9EX)y0KzUK925H*d+e0cSoi&U=CLe24lG;9;Je0?s(l&c!9{RD*~9 zJP6MDg!R^fYrkqC|GWfmg~SQ-ttU9=AKKXrJoINz@UXpOz{B(X3&5FIjKihi=$?l2 z=jCKgS|-Rp&6AA-&g0RR;H;O&qw;|Bc(eyN`!@&s8E~#k9{@iXT&BCY z@OU&DT;r%^p8Qik4+Upl>09MD1o3$d{50q}AHEMh4xDkD4}Kvy{o(Pb3Y_yKk4KjU z`kd^j{#*f$G>UjUx&@r|@^~~0oN?yy=uvP?2N91)&w(?ZoR{uE9GHhZ9=#Okc|3YO z;5;6^8*mkW%s*d%<0TpZ{wn~-S5L(GarnvWU46jc0Ovf$`RW63yhP>De+R(! z4hCNu_0rBT@Xp{k+)7_rf34VA{*Xd{$kzjBzL9SO&U(rB2{^~;7;xqx*SEEtP_6oi z>)X13b3I=laIWXWhs|vt>*P8K7ih5mH}GV@?K*y&C>3y?=cWVB^W2Jn9|-$(0Y4nP zKH$fLX99jYcxAxP18#&N!?O z&UFamwgWhiQ*7@Z;Fv}mu1AdoXFPkNy<@={AGY^QaK?e{y(r*p@Acqp7yZwHb3Uj4 z4+Nb3xY8)=N4AUWqMiYt0RJ}t=W%}u_$J`2m+PW5INQZ_Q3W`U7dhBD7@Yn*0Deqh z=Lzs};EV&;MHdBn_SX}L1LMzi(e==?AGt1?0ZxDBquxirIWD*^dIg;Q&UMk}0q45t zcW{miu8Ue7EEP$i9j=SIfNQ^M;kqaZ&UGf&MeBjne~!oJf;ezpv{|6%x@b_qna{7l z4(EYB;*-t;AA)n;$b9}7JRHB@1p2|S^Bp+j%<;P{;>LDu+)C?RDoVq7lYwH z?T{ZDaE_NV!I_`TpUZ+c(9VtE%yZhA8R%)}(ZD|YjM4(czwXX1dkJ*!Iak@z!RF- zd8I|1mu;eCz?TJ21$+hYbih{wuL$_s;JF|UeZezV5Qpo)`FS6^#_ki6^F%HXuwf?j$$;DaLvo%N z@TZ|q2mA%_ih#cfo(Z_!ZzSgz0sk8MY`}j4uL^is-2OIEZ4ifc;MIYCMetm}Z60hB z)dYMU+7Ea?@VbC+1zsO;yKhMb7Z;L<|L)Ky0zMo(8SsO_`FRcd*XGkUQC+;9G>T4w zJ{{OO3%nxWlfW|pzYM%G;MarK$FGg`-Uc28^T|x`M8J8xTXwYBSPiDg*8$gcgBJ2# z!Fw2v9uoVyUdrM%oK5mGx z@Osn~=;{Bzp--woDeKxx)T^!eUjeS`CoQZu2RphB(?b3%c(~4aADru3F)#bbx)(g2 z_J#30>z6>!^Q_+jJ^^)^2b}Ra1$;el+R;~y^DuDcKm9)@utWck z1!up|&*Q;)p2E1D4bFUKz1IYGsGkK+f2e;mu)}e8*bx>7o(FNR<^+CO>gEKzN{|y6uIrQ6tbG#1*-w|BnqGg!; z(|#Nb&NwrkZ-aAQWjq&v_lm7F&SNKyF+e@zSp}}`*TQ(-2F~+G#`6(y#*OpX>)`xc zl5y?=&VFZ{Q{c>J#(6_<#VBX#h9_H<1;LF->4RM|ePCpsv7r=W!&p3YzPXBqlSP*a?FTMw7 ze?5SBb~?%ov)_5VSQni0&phZi1Ya8duz$P3KHK#g^qWJ^cCp{rgr51#e%~6L`Owhs z;LD+2_WK^-j05|9FYwi&XTP5a&N#5&r+}{pJ^OuY_|Lp$zwZOy0ebfPGvFN89ACBI z%+Cq3pXT%X;PjvU{$ZeJzkd(TxUt_mR+=O1NA~;L;EdY?sCNK38&iL?p?5p72MW=<=W4{AuUh#VDkKoBz9W{JT z-Q{Qlj1RBJ_66?eEdT2T)-~_uL*cH zcx}LM1+NSE4DkAZKPX(!JF2xIQW$5ptHZIz=|6ezfWHviX&vo$s_ECVmxgh7Ja`zl z3&Ck$-PHN#7Vy~Zm>JInocjB~nODr)N5DCsYdvcJnSe7NUJf|h`!0Cs=TG3Qm-;^f zJ^9~Gv%qlPqd(IEPW?zd;7Z}~da(Sh{=XP->OT)S!qIq!I{?dXE$(;U(V;3 zfpdQ5dgcmn=E(%9P2)T*us;R-&cOcF;17W_p3}i!24}zLz`p=zdmjK_YMlHbh4JKi zrad^1*YiZ9es&Hx<3AksIZwU@{Yua?ZtsKl0H>ex!TW=^lJ{D;o*4k%(s09iW-D+W z@3@}X1DxZCpD&LAZ)mR=)OH;Q&U(3?84F&9dbyrC1zht$3-fIh;=p;H>zT8lXB;+` zeYD<5;LJDPcXu&3{p5XjSAw%&c;DT10q1>p)4QHHC+lVYj|FEOxK21V;N|c? z3(h!j-k1R1PJ<(5nEccBP6cN?nLo4PC+#qv&w^7=|DOZryg~mz3))NnzXfMJ>HkmQ zthWXHY;l%)9YwUS+tvS7z!^{aza}{C)Bp9rL;KI19h;9h9%=tWaP|xBe-6%iY5zNL z=2cJl`CGslpEl=Mz04oRryV%!Er*@X;A|J?w^P8G=bYarfOocP8otN+aiE`1KfxJi zj`yzP%>diW^Ox1Z=?};I+Te^c$NPqXp64(9!8N{GINo;zZ)LdQKHFWvId5}Z4*_Q! zIIc&5^SHoqeJnV~1;_On;Pi*%x(b~0B**p5;GFmLdxM&v4}r7ZkHDV=Z;5t&4L%pV z4E!hX=fN50GU*7l{|Y$IBbZmi(T{8w^J+A>jw>zY@=xs?3Qm6pgC7pgdO2?#1I~P4 z9v*kDT5UXjF%M4x=lXntXtdt*!5JSOXD<&pkF(Rk*}v0aXD0aaTDcS+XP*WSuN%Ap z&ir{o_ECR63OJ9m_2BGx9#7k7L!_|Z-mdG|pPB#5K~LUZD$@9`56(P~WI!q30G#I|{Ju{)IQxs=_ZbS# z`IF!GIUGC*Kly#13&0tlm6o=8F9T=(_W+*`&hfi0_(R|vkA0*b^?wlJ!1!zo{UgwG zp4=LIHaPQqNATysInV3?UJEX7!aOMf;nO)&0kAvm#e;;t#=RA`E zXWnw283W!1{%HLghpjF!z~hwmoAP1cw9n)6LEyB*ygCe=?c#c4zlmmF_t(PsKMdXw zXW6FpJ_gP_WP9HNXT7xl0XXe*{yb+=TwTPtasHeP&UQ^ey_bX2f6kxP;LLx{pVx!a zf6kvbfivGYf8HGEA3(i-2j}??=g-H%nOB@Yp9<`A{+ttV&Y#bMb6#aU_XcNt8uAC6 z@fij`4+UqQF#hj?GY%R*?Z*$m88_-b4D3)JT_`)o``Rn}@epwO!+xv;XMatI_iY`G z1!tbHAI|`9ZRR8P-r-xexR`zw;2K9Q z%)?#4xvpTGmjP!S80Y1{Ij-5>6~UQ@Y;SjP<{R6)YM^I(dx0~ajB}qr&;02NPCpr+ z1Hd^ClMlJb+E1?aXucf_&hbV4Sa5B>7V4)2ddB%)aJH9mz7L#nn;^Ed-UkED@%{)n z+r{zzG&u8+^Y%P&#w`c?uYfa89sqv>oc?g$ejA)|maDE)@LA8jwuhR`P;uzL3cPlKl~H9yxty9a|;^|zJ| z1s?&Pn{9jt@N>W`-ZMWre@+EYt=c}W@qN^LJ$Poi{2}Ed@Q1-`j<$e}L?XUT{Y3NM ztVPi;;OPwt4177ou)qAtN z*K#&^>NL}H99;&U>tPihgnDlQuiwn#$>(U^2VODHEKEY2p9Zf^8b8{qja~t-eBJzE zetrsGH`Cgs^M#h5!E1lC_vgZ&RhmIu$hWtKNH93{b17u!g=7`z{N z=5#y4a@_3%UVFURSs(htz@s~@U3+4Olc~SW+I1@Q6Tz!5u)x@Jh@$9v@cIjluaCIR zp#2W!r_M)OYK7}~`4Jt}-*EIP^vMoZ?_S`)gV)TL07|(FyrYCywn{*c1?Fp_C1p07@_ zL_5yRMeV_>-Y^TB!_QU0Q|$}wY)U)Fn1K_Z9|)e<-P-#Y?C(K4-ObPA!4Cwl+_f+t z#(~$N-_L^n67Z@A&5pc{%T3_*k6YZ>-Uq;Ijx)XeKZ>3euK8AufHB|Rg1+{Cv%41B z^%;0-zU4zN)Z1DTL*rS$i`9D=_}bvLH(Q*UZ(D*_++%ijhkj@9Ivuc5dV&uJuRhG| zd=7s`g4cX#b|yl9DtPLPL`=l(xajjf)X&=KrnfAOqG{mSYOD7==x2c^r&&K91wIEn z+S2S~z~7?YzW9UZ*~#@qaYO4(<3YnWK;Ip_3g1{f7JMV>k1x!(!Qh$B#&?ANNbtIK ztVP!%J||KCnzhTm?-WJj$lo{4@p2(})jP)5h5f6*>z}dqN;BhfD|j@=`lTJ}y%#)p zliA_%?kVu>P}~0`oCv)MUc0sV-yI97Z^0ACnjQOp6fG;mMB|yAZSxrCnbpB_IKFWG zya{;a*Jfd7+b!BoxaNOup83P|Nd@%Du_oNvHb*1CYbKkY^yg&S$8mWz==C`u>SyY7 z8y8c-@1mVeEw5d4;rXLJllxds;{}$ z{68Q1&fuB1jUS4B>;;}g{Fi}VmxXb?2brGZdMJ2R5A&SI>qEdRf_ys`yjuL#V$Xe$ zbqjcHE6eliEWM&DX$KA627cZKo;b8{yxa?(tF`!l0{t`K*-wl=jRblXysFOlzUEf+ z8F<|cv(Nr*Au^3a_4RZ#>_W+}40PT0Qe%}lF zJ-{ojG|qMJA>gU=%pY`nr0J)5j%GzwuyXj4|&@Fj|=xfUytMF;RwVN z;JN**p}b!G8ttddKK=QY9P7sQP;Z&YG@ccsCE!vR=OlR5(Uw;n7yZD~8gMBi(U;)K^1{6O9XwTM@u8myk*S@Uo<{gQ`}M#xSl=>k zTY={~8|jPjwHtWiTeE*K{2vBhUs)KRBfx94gQVPt_>89>=U%H3R3~)X35%k$0K0nYt=1I198M#2G@u^H$yN-nY&fpajWk)H=`2SI~ z9(dh#)~+wXw+F93-U9YD+PgP+ga@w=1U~~jyMo!LKbKP9)+W9^VgC;B+`lZ}o&|rB z`mtu=Vel8gtADh7u0TJ|2d`bLa6VjCPJc8G**VrO`m-8%0`ob?fxm-CSbwgGILx8Gzv(vx z{}4Q(6N{8bz*|V-X&fp(GQI_PXYlklW=F5fXz31Ky`$-I8(g$0coOpruQTibo(jg@ zaPaJ#W{2@V47>v8g9vAIKJ`mm+`dHrUP*qU<y#9BK0}jtonM~{&w{(@Q1b&4-tAN*cGUYC4z(&;1wDxX^dbbC!zRdFT zde|9EeK60D5+2XDpPPaHurn6=nhgv4eKL4M?YB{t}(Zwlfje7+hf72gljyrNQANA*F#@@xY-#4eh+vW*9|xx=Yc1Je69n} zU1#(BZfMsJ;L)=dhk>x)S|$XIPh~JKbp@{ut|RpUuX@Sm4cZw9Ubl=z>;%}~o%VI% zDy0H^G<9~)Bal4F6P5r@bn{A?}OOzA$U!~{G1AZ zz9(O%Fi$$k#G>)3!hFK>*>%W&Gtc!t04-a9rz#4MJ9~j=53~H~Yx3wg@S1nbz!B)L zi@|fZ+swZS^fSThzOr@=1Ah`cb!eggb>Njf%>Gd5>uJA-O&IoE`zZPyygrD3$5kv2 z6~|e&%9CS&(`2|LEi2NUR`D#bv5kl51zm}f%$)ua2-e0ub7bY z(q!ms5eJUb8Q?k0lhi*0UWfTdrjfY33!Z(r(EobyihtS>WMlN#FXVW@@dL24?5dc5 z$}Mi=z`KH1>}&J+F*soK0k6zho}35$cHp&3S$x(Yv zS6yWMMDR1fqtz{MIj*OG*F0mw$DqFvJZ%rki#Wf{q8&XkmofnQr@`x1u()xYz71Y| zgvIAx=)VKc2IsARfLG$YW*Qc_og^`IoMzTC`~1D8)xp!jdUYf4>=srp=cQf2Q{Pz} z?D;HFGzvU1(c(=1PXLdG7moJ}z^h)iemooPx)MCMomrrro4{*VH2;~mv%zcd0PZbe z=LPWeKP(ZfH>0QyJn@Iwc^vw0Y3B-?uTBAPm9)6kPc(46O*hfX;OVY5Pula}qi6&0 zitEfi^JD-y=EJ^bF4`457aT{1foD3I{okQK61?(N8+RLGJ##vEZPLJS=+6O9?_-X? z30_UT-tZ=6O8kGhPLs6uMpb5C(kU)4foFns;1}Q#&il9?i+aEgKF?am%tW2QtLNi5 zg>l*oJd6I~=d&9N*Lke=E;GP+X&310FET&3hy4S=qw6hix&Ax?yke|*_%ZZngQswv z_I&WGz-uoy`^>jl;K^Ujf9stnssXRWyh{Jy1+NOOo6V=4RxRQhdt-;+z_YC1p8>X8)EhkWi#dKE{NE5f5v=RB1Ft;Y@^fd{*%Q2en%VCOJ0rkrao&0k_*mM( z=R3^v3&9h?b*F2=vuPWNR(ll9p#6O?pTM8lv@^;4Ss(Sj1D?Y1n&(sBfY&21{5_}^ z(h!~ZqF2lg>+J+yhXeA?u-_fL5}%{(4!$9H@(=6xyTNw=&jjnkVYGjr>2uJJ2G4$A zz_K)ojsdS(-~8mfcL8{Mud;Xt^6S78)2&4vVgDZR>?#(|%@EILsXwgH{s-VSr`xz- zp8pD-!gU75ZKYlo&m7K!=uaQ;nqWP!6?kW0CBN zIG+HX-Jx*ZG6_7nwDp&@B8sZP>o7mufH>bpJ9pW*+Z}wiaE(uwvcmYh27NuwYuk91AGWRXx!zhBr`MYQD)6l1ldaAF zr4Wafy)8cVm>)P!yMk9GOg|C!`-7)&pA64~D!`Ki3fpxE`3+`=f>&T?y8+^Y0O6e&}|*8YAKtsM?*geJoB#g3&%?}IX>rV4gG!KiN1yX_)qZ4ITp!dp?_Vtj^9eek@MR( z&}Z@a0@5w|89ei~#goUcW!ABHW~W-c2{_afynd?1nf=%wJlDa<(c73q<>2YJtp}He zpF?TC#_Y5OKNvh^Kj0OOgQKT`SGTqJvt1LwYjIzJ9hKyJH{cbWED*=R{!H*R?pvV$ zHQ@EQKk8`cp9PN&usHC%`(^N|kBxr{{b%IwT6t_&U|vrf0vW zz$=3L8HRypClI2D}Q#uUFvbE#UQa)-TjQ2wsQJvzCE=E_m*= zm107D9e65f@fi$#J$QOKiv#^9VRJ3cN13zIP7otZqHX`xB;tCudlF%OXC1 z2hZ$j@t*>IAMISzKHg!V?G`-)9(`e%qxa=#c^5nvoY(vtJdMwBU_NRmCwe+gYxTx9 zDYwP{m;0^2D}uPCz-utyvR?*(=OXKo#}Ln5!K=F#_Tv%4bw000f^)o_3VpP)30{_r~UZ17ZYUiKz<%@~V6*Bjqa|CkL3uD3hL0Y&3h z7ktjRCU`}+LjU`b<2svdjiRk-M?avK!hGJ1`b&%~g?`x|Jkl>bO5yx)9PQw9ZEHmo zoe7=|j%$;_Gh16c$H4v#;1znqs+5l4Gr{WuJ9EHm+M50V=-&iS=nW52*sf2(D}v9h zmP%o~W1Yt1OE>WPqb$%Cz37ee25L*(Jk#y4nV8&(h=Nq!DI!;W7aq2Ge~6HI?3_}<{vJ6V5y3qA_G z;*`Sidk%O_@Hxem;EBJR|3@I6Ir5FIMSH;hli;c4ET2yWe-XT1Z>*9s68uZ>^eX1h zH{icgf0J=*o!sZ!*Wwf5Jc9F8ckt>9&7V%Nvle(dnEy8>56+jj1yACBX^zLez*Cqf zJH!3~;1#%zD${aY&H%5$I*M_)7CeFLle9k*Jo?P`KOb>^1U!AFW#$;emRGgiq9eg`7Z{%jJ5#{xR>u7N1907Ddrh zd>TTN(c{tAI6Z;);InILDzHajX9c(N{+}2ZY4V4Sb6y<`p2a-e0d@`}4?agY3%qVW3s?&JDb(Y0{H?)n7OwFeZDEea zg3p4!a({EM6HdG@sqb+;9#`tEbuh$XJEfv0iOBP zYQ*6>`UiNj+LW9ho&ZnuHO}MOzi6ks^?MTaehi*n-NxgU$p2r!>qc0fuLFHo2~_;K z2F_n3ym46zye9bEDh-|;XY2C?7#KsrD}(kPM!tgO1J5tc0FPF*xZRC>z8E}(&x_@4 zTy6%h3D(1Nz-xo^g7?5PzgT;BMI7dXM;YVS!T#^$!SS)3EZ{Xh)i}Sv@;^#}CzrRL zlFNf}DF?5>`6Jic`-A6#_4Y~N^*9dVuohK;*Hv1cBoLqLz*E8JSL%$k$<>S_mAAoNNUVDKZNBI56!Qi=DtRL@$|NDYxR9mi$?Fv2H(cna$cgfqGkyz*0X-NpKHQbU}p^N+;4H-9d@$d(eGx5$FIw%$LHESp56qW4DLUF06g=Z_3!PlKL@-D z-^b)}>NW7%=d51b?h}0qo?Uyz*uu7$fc^l_t!nu^9`@VG0$%elS7%^vw0A}D6h3!b z1Nxre+2DJ)Y4F-0A9e+=!wvGiaDguao@-<6<$C5=+G%U^^K{gEHh40)-)1U!HS&ko ze{KTL%(D2L4mo*YlSeOpvm?iOUDnzi)AS5Zk|o{uXmHqP|7i;+e$t zD6Zdnf!7A>$$sE?jfz*7&KBl0#bZ_6K=SM|?Y|LzC=6?j%3 zEGea1{C`>hq>+c$SccySzSK6x>#)Fl7VTXfJcaLlU^y0T37$g$u7aIC!0YjO5dAq6 zymC1kp|?PPCV1^@c3en-UkRSx%;J0}_zdvehb>|<2>gEPry2MKyoUM#X8!^3SHSE4 zVfIf2{}jA3nCDw;Yw@Z1#3CTFxO4^24Yz*Z5pi3K`V)h z{RN4E7PmxjU)hG>HNkOwd+@pw&G4$|$bG;o@IfE*b_941*O$1?KMFjvzh#KLjmz2K zHNC7|ePRDP@Z?#xlIf0i%>vH`=i{$}S6pZ92#eYZeyTBuSKHdua3GxHYA32SU z%UiVH$?UM-=YwbOwGO16rNm*4b5-y>khQ_CqeE#2`N{S3+2GapSd9-O(3gUzgX=9dw__aDSc~|%_Vv(L z4mSQQ`u$Guy5Re&&x2=z>)!LhQ+HXMw}hSFz!O*6c(>opmCrMGFn`k5Szg)iT*`HL z@cOSUK&=sne&ChCbYFw0a*0Ukf~oFAD2(TD9~APrYdR)|kfzfLGyszl+JEoxp2x z-;V7SMf-y1@WnO8?J)4@L-TV@*f|-z0-s+n4pYI?Ct80U1AlG@uUyGy$OFLd2d{t4 z@_Ak4;S02Ll0|GL>itl-#y^1t4(t66`kEk~?PS8ycqVSQ_*cTt8sL>3%+EpS_f5bv z6U@&v{4A&b0*hD@c7_O7e|j%vfc_jxJwA`lL4O>07UO*l@H4@yU$pVa@5@{P9tGFE z?*Oma$o#nyb{?jF6XPlHXTj5m59iMhz^ic{%H!-e;K|Qyyg!M4X}y!hvkv#u?u)ps z2A(*~`f+{KyD4~bCCi^j!FL6Z^g%aLMuLw3&jjDgI2t_nrM2rt=qJ(66V_jkf!_e0 zKG_`PaqV94%3z&27rY+V+k3&zo5Hn!%U?1u8vFz3qxY=8e!+nGH|?)&{v3|Dwb zR<(o00bz?)1h1a9Ol7(CI%#>*7whl3{{wYcG9v*-}; z+QYDUo8;-HoI9o6L?OY?Iq7M2Cu<=HEdTu z@XRw7PwLCTtFAS}S8QYT9!NV#%r)WXG2qE*mbZ8;W|Rfb;{JSI-@699GI*}Y9n|A~ z!Y9z)hiLy2^AOWsR103QkqOB^BY)M%#_)3ici@#g@*`o^EwGwze&f^%LwZSv^+^{|B?MwYd7KdxWw*apww+L{49ts|nSsbRKf`f$X ze3*O53~)X?7W%3+%};q7mova?gY&qn!E0`@BgJ}{XYLiQ_Op-M{#=jEhQ4|)v;R2~ zs1`gM%!eOHj$4l)n#f}NAVYl7=VQ^{Lc=8S-TI(QoQomPTB1fB}+pZ}P8 zTwlsS|225xE^8P2x5e%jpJebkQ4jEnan^wwb~Hm0~m&0KUcc=dd<&>8-p1)hD~{HOg(z!UqMfl1i#uyD<{YE0zJx4F=#FkU!s zyaArUb44sGqUam&`sFP#xeou8{6_QtDEPVb9v08)wK~P*1@La*nQNDe3FF^~yq`HP z-4vGr;AyP8*xo(BqsOhiTt6QGUUj#{hkjO)zhrsH_1l@?)lZn^lTq(Q;MpFb zHF)wouum3H2;xLpl93&2x{n?D=EpO$-CJQKk@kN}T@ z&)0f^r*I#|R;!-I0bjT3t>)e3W96~X z_Z6<=;zzqI-SE7`?Vzs=?yuVyJb`-mg`K0x_b?BS1|J7rcc(>w?V1Fh>#;(t+z$Hd zz|*)dh3CI_fLGR;aC7MI2d}|%T;=p6E>BV)e9rzBcs=@y{(MA^&);u{ooH{1Tg6w_ zFKllI@Vfo&$lDhBwZSu=*+AJCd{gqRE&kN+0$$azkRL=np8LxDIUc+sxNqTN>YufG zmqDUj3tqFLjjxB{&n)oTyKH9T`f4_K<(1Yh#0uA(e><+TLnZ0Iv)_XYVk? z;+Cm3;V-biDtI+MH}4HQ>w_nQ>rvZ+R|Ut-J;BpkSif-G9Rgn4)j0F;4DiZey>Xjx zolhdn3@ZA^|L0p9ykj6>~nTp!c&d@&& z9vx_TE~i&_F)?^iyIID7_PgY`gn=zj*UZ)Nd07rezVi%+VH`8gJR-@$VmSx;>W-bp5Wov*5}US&Ui z^_KDI2CMgA=zBn)ZENx8{I&^r3ipTD)+pK&ydLw+Icqr&cxJW@6xx{v9^rE(_G1n_6`a>U4PO1dwF~B>w`f0@ zSAQYLa}1L3e_6S}sQFog>tkGRbOTR(Ykr=G0Hwg|f3SZ45_bB7XLhr3Jsx~0c*RvV zj|~Jr2t0@9bg{kTsmJyCOQF9UJbJP)ZZ`?nyu~!%a6i>O(ATeK_5K?HdI~%dd>`!< z@Cw|AxdrO|H+Y0~Cg<&CWWl3xtH$&9I3Bx#*W>(}d_(Z6;J7mgJPAGLy*_Ybq* zlfpHB>OVCh^Jh!wGrL;9u-^xRSK)qFq-`_|JcZBkIS(8{j`_J2{5c7{8t2#i{P9BY z`r!K8|Hs&Oz_(dl?capG#fDOdSYbBE&SuJS9AdJB?La~cl58uniHET43( zRS>gm1hha)0hO|+D5H!5qLfWRw6u&e{%1Vr)vGu5_xt?@`A4fd4bbKTtRL2zWHG4*damzA^r=yC=bC(+-te@lNf((f=5DWwN$A8T56) zL%6?h{_|kqQN&rD9p{b$UjAD7AkA`pz>C+67S5ZfnB3{W^J{8+{|@b5YSPjYv{lK1RlLyBi$^8 z-M2;$eKWroBFD~gJRGQp>;ycqp7NpPkNk`S9^F#=nE-we@DlP*^H(zsKS3q`F6g^~ zXZKb4j{%+q9t+s%MZn8gU)wz10K5Wy-T@BlKH$Z`z4b?dM{o~%EZTh&cfh9_}6Bk*AgL zK+t~)Jamuh&jSbmn=ewiC63W?#WApPz@v-T6b>f;Cc@coV0yj$c0TCy$EhB+qd(oi zb3+PPesu!y2!9b0{iI;Eq`{u0$#ja<7uP9?iS$LTNGaj{7-~)KfB&m z!2I(QMt_Ws>pP71ufPidz4|Bc*iEWGMetvfv-<~{U3m*19gLEf#(9}-v0r-i1+y|E_@B#3{hu|-kYHbVtH1cS3Nul zeq(3gg}}bUWZ>CrRDXV?A9KyX^MQ9E4hNpbxv$SmZpLT2%E#i!GT_C)y5pJ5wS!B5-vc~xl==Z}-MQz1SMY^TR&OZ-&j!AK=ik7~5$%Zi zlW%~h@eYI8-MZZ>=OW(2xeoo=8hAMHeU5tquRN~&)oSP+B;ZlR-!|}RH9niF9M%Ee z0X!Et7nCs^-&QHqx14C@P7dh!C_1UzQ)li&ul!uHYr=L>IDWd=X0-kG74`BMU4jBmh&)AbnI0X~7G2!eVO1NKUb%PxY zzgPK?+RIM_cz8?IgcjhlfoG%Z3o;Q3eH8E_>TD_v=lX%CS1EtftFwT|ZdRPiGV+t9 ziIcbx$S1D=y@OvxxO4XauWY3)J`6tp{1AF|rOubdg;zjdhMw;V`p;dmepx?y8(}2zux4~0KBx7&Ipzht`m6qS?&Ki+AVj2 z(Lc9=^l(S?^Gx8bSS#nNfM=Jh2e3T(F5`oDHD^Fio&jF`OeMSw{67F*#(Qygf8oEt z6US>mBjB?}ugcBg{J?DR*&KKgc6UDTF~HMdW$-iLV}a)`)Nzs8%TELF%2|p}0DdI! z7``9M-4(a%?TB5iS@ zK9x`CAe|SB?>hp|6@Sg&_9H?U)V)Q#J{ZByOVf2A>s!M_AH`RH(81$zC zcX;ROQQ(&X&*8${^RSoefM;<)=}geyYV^40VsY(0;H}s{LO61NH9lLZJ}&^DcY#L{ zcbb8J2|O04<86>uIj0{~IoN*LZorFyefBAaW1sX4bx&><@JL`?w!rYsl>gi4Pe1S& z&PQ24PX+EON`DsUF9x1Qy{G~B4ZurlEB!5ya}jvu5haAXanAzJzn}qaH}Lr@@a+3) z@B4z!7r;aO1>f}3jS2Y9@WB1_jgC=ymVc*=CxOonz>7C%KU?(AZUXQa{2RGh`I!qm z`>6`}I^c2OiH(%c*}!{@9`93GzPB8B^a&-5fc_-lMbxps2Y!z6!Fy=W1HTM-1z)^* zEynd5;4$QTSHmGb06ZMn$9xUAL%s2B@c-2K->w1hRp6t^fpDG>y+QF-;M)SPyr2_e z_Odtd^hxT64+niC@WS>wk1^nFz>Bz7btcBO2zb6p<@_A*6~<@lO@#w(i^$I}fR~Uz zm>vBRc=?`?(47nVUjt77KLPmdz#SeO`Xv?yj{?t*)pnl+{ma19xL;{;=R?D>Uj7m2 zzcw8AT#(kejWa6e*nK+QC7|CEcpmwTQWb_e}WffoYjw3h&n?6{dwTAVr- zcr379{w47IOWH$g_cGvVoDa1A-vZp7qy0Dhao}OR7j1FvRp7aMwf`o!Pl1<_XPO;t zFbMes&f#wd+=W%~2cReW82*ipw+;CI#^+h}GY>#+vw@dx)t=+}lj{baMV`3{=uZKj zzGw?UP6nPg{Pv9nnWgIP?f_oeNcCq=&_4mZ63AEIF#54NuHzuk?+E90$AWj1fvqFf zA5!_`1NG0bgfso=@S9fWIS}-Pz<$ahz{7ZVj?x49SpYn@?H2OiHZMz!556zn&ZC|I zycl?Q@haeno3<1_7I$t3UJC4+JP14oKZaqrvf+4_>@V6)R{>tQWJ^KJKdiM>8Z0UckeF_g$w0FZ@pBuo8UYz>6QKULh>IF5r={_MFN}@^dWk{Bf!e zP)~OO@WdI4cd2=}2Y^TMeRC%N=Ybb@R(g}?d%&~UZ(17-d~XE*w2TX z)Lxzd{Z7E6*jKXn6#*W5SvlDK>wSTzkJRznx_*w)2i`Ym2VS~jbCJtwkk2u|b7$&2 z9t`|M;MudaUHz+brvVS)`}Ix*{pG+DxKI5n;J-8a!29-(08ihk^K16?GVoZ3;>Ux} zd&URn821PMCGhO`IxmxeZ?s(HoVZkh|6qQ1HoQ*dZ~GckfroZfJ}K~NHhR>T5T;za z;YX>%coB+nCh*AHIxj1KqKqyDp5CO^t_#4!jY@Cd*ZBzW9O9j|`38y>6jEYDW{KLVdUfQJL$)7l6;-Kvrq13f&PaGtN_2#hvg-Js8d&lTXm9C+j= zWzY)zm%yXnsV6k~UjaP(kpWHi3IDXz;ib#f3-g6dVyDFXhN|&_?&7u_Ek;Jmje&sJhtWM1>nWk zYvuNP;ISQ4&I#~;26*|ZTKc~MPvac>5upDRcs@`!-k1U<$Cnt^U*=bLHazey{dnM| z zsP=w1_&ja+WYws(Am=jh@{20ZBIrK?9>coB;>$WGs(iwDf2t)&Cygq5rBP;Om*)@xV)Xmv{{LoCiFC{TkEHn}L^~QoBg!?gp?;~fd}8z%xU;@qZrZpVOZ!fhPjzwC^FD{YDlJ z#{9;kpwHr6^n=l#mw{IT`mcKQJK-#!!s|+C z@_7*SMcBnm@OcAxDG(n&0bap5oOMAz>SUEq4*F*EyAANtm8w@qkJ1n94Ll3|F+S5g zTqn}%Cx-)%B2U)Yajpk=K5%a2WZ>yQT(}5$=|J^|*3X*^FN~HBX3)<+0#5|&{V%|? z|4|N?Lk@2OcY$|1{{uXFse0N!gFf_gm0M}Dj&~Xcybtimfr=lB{v2p{OmURST&wXx z9ozJz6L@8!#+S)xcO~%X3dQFGKh^M^6}SDkbAiWjUQ1i2caMRGzgIcD3qJP%uUw{b zegybSz;h|(zY6%jfv4Y4KK6Z}-vKXeTsvP||3c*!{oQEcV0O9_a2L?SiNIr{l+OgT zI}>Dvn63FN(t!T%S)!-)F}fL~yE;GFZ-z@t-? zzs1M<4G+8*`Xq3N^WN6acYsGe&<5+#?q|SDi);J;1Mt{8D!0c#zxk;u|487xXdUp_ zkkae_(tEtX(?3%F<~I&E9DZzV@b3lgaPPzT91A=en8#BHXFnfN_3_RJUIhB^CCZ_+ zmNsx5@NAPtiUZK@Z-JLk_gfD9e&EFws+flYf7x(6e6kDt)d#=}i2K`veoZn2&i_lB zYDdliK8A4a|Ks?)#i@GGhXVJDrvrD`H#dFzDex@zBQRW-1|C8F*@Sji86VV7EN)%_ zyh!8VpBMBWcN_2=?x%M{-VYo9E(Nv&{p-LBSLnQBc6!?&m00i`vDIH_OD~WBe-X3@0K48JP}x5F9+_Nu5_k@ ze~xgT$Nc*WbOFD}=mT||+kj_rKE(R}An-z9-~4&t=>YzB;}h5~_y%|=aQ=UdGgO|% zy=&)X6X1zJzP%@KcZ%B4W|04Wz;l;qT=)aVyU_Stsq(S&y*sy*XPq zT?ssmx~r&j)?(Cps_oK2kU6UwOHf zJ`MWFU6>d2|776Vz`IFj12256{O!KX^}vfORWkp^{N4$?a*leEwZZ=(;N^XlkLm4e zMvo0Q!#@X}4ZM4{?pZ3g3if#|PHh6bfcM0%LA%=<{ohp1HjjG%58+&d{*}I`6?o|? z?We8dV!*TAs-K^O{}SNQdsLp6>9o0J#{U!bZ$BVEISY6s@LtN*#s}|^bb$Z8z|+`Y z(CQ_fzXhHP)Z5<%9>zHwlh1#ECj$A{CaYAQk-&Yl9e{@yXvfVzPd0kYqvaKIf#(AI z7YX3$zN}LY7@QM0iT(fuA0MCz7d_&0R9^g5=AGI#QVd z{QW2J>cbFb`lHquNU<~+N1Uwd)-#dZluhjmiHahnd@bV)Y2!|u# zx8DSw4cuG*2zViI58Y9M$MT6_-pzhD1s>f&?Qv)Ha~I%gz{Ag1(P%i97EqU~%VUPv)CGPTjN*Iw?Muc0$yCCoUx2_y8{n>rt*0Wd?o|W z?xgq~zz;V(u6|${@C5K8>UAccmB7n8Dg92M{{`?8-g7t^a<~Y1Byb<(Cg7E0b$)4k zMSh+Io_|*V`*+~;rqSd3D^CIahejXR&mDCx^bPX2xU&WD2)>8T{K@XXvuo=}&2JnC zyx6XCqiK?#*}xM&SIP&V&qo4}1>Tc626ztpDXYNeT;QRM@>vsnt}{MqmCuFhcHM)( zE3YYzGQE4%_&gC3&KE;&p99bDslZKW_dBECOZ9dL_@?Kn+|sxQaU}3vfaj2h?+<(u z@I2y($+H=_gMTpkPT(QRlKI^O8?Ec-Iz;mc`ntyoI z_y_9GWy5igX&a2|Gvoh+&if(2zX$I2Q%`02-UjEZ+$!H}E|hkjXFK37ke}=cJiD&a zF9!d)z>BC$V;bGjgtOmBAb^d8~@vY=TXPo z0sVQz=+{y`c?KVN26*_mErini_Pf9nuy=gzpZl6{iBs^u*8jCHP`Tyr)du%QyITVf zV}E25;JX4(Jf(Wx349Xp>^SX@jdwP1hl?HN2aW`uM*q!^Ee9UL`f)e#Kilv?ytoc{ z?n0F(t{J=E0?#hf0h@fD1@5pvYku!_;4yr!;sUh$kyWiCMoB4fQNu* zv2HyU_&DGR#1~A1+ZTAWSLJpi=nn-RdQ18L82C|y^E~EJ7_fOv8=oyz4%lvVKL>s2 zVP#djeouNd@}ko2)uHT_TTj3V&GA{k81w# zUf`t*wiFKS;PV9V#C3`%fWK<|w^7d50RN0|p08IPP{8CrngqppY!-gZ=67?#g&u;p zc()_yLz^jo3Lo-QXZRjEA+`=Z$nZLK7qHv@PH-&2O;@-7ZMi+yC1!!qE7+jK@O z9-V3YH&;rVmm=^o>Zm5?XMx88di56Y9QIS5!?-HOe*{HtRgW*@_0Iz(dJ%11M3xVeX`zAxci-GZ;47`9kfW_qt zjQ`%+ZVZCH2YBf3+L7t#&(pxu7ixcIp+6^WuX-}`B?YDce--oz>|cBc{C(j0%T%6? zz(-%I@^pdov15Q&aGpF0`h9>WurFidY6M=IuXeEj^ew>4zt{fTdjlQ7i&trXOiu;~ zXZ^SLByC(-!X4SmODneqXZ`0Q@QGo6YAgKpR^S!f3qBn3d;6&g698Et9rS;fR}Oa=}+j-RN#4>=SO#3i}Crf%7La;eij3d zY_IyfGw@}=W0_FyPx)aTkxM^_&KT}KL_3bJa&Zo zy|Z-K?l9ny9ks!gpictN+3 zzw~c9-pHkzFZ~#N{tWukcB)qmkWUGCxkdZACGaxv$`~D}yHn+++U4BefQL{AyBq!a#Q1b;|7~8@p~4`?-}GaeiQNJEt$;`H zK6wl9y?__jRt_Hn-ye7x^~MbFn9*;o^y4s(i-DIm)c%|e`s0Cz&r$pV;Fl84{_ycX zDq#NVX2I8RWdz27srvVa!KXY?+co`s33zT@<(~%sPl1<~s$Q9Y7)^XxJ_X#rpma`t z)&X8AsXpI_1||ZJys??kSw1-jc>WZ{PlX&(z)N_?Y!&z~2VT5H`(yXJPXX>u(RNP+ zpR0jKV5hcjy%l(Vw%Wy!=x5RB1NWp#z$*i_{^1|MqmS3>&zDBOh01v@`oB(IW`f}jhT|4l|`WkR-y?G*Vx4-r?;q)g5JQv85 zuK*stMd?k??*LvpMCI@kW#gVP`aqm|lW^((t4i1f`cFWg!1uk*0sbBEXuVFz0?fy`Q+Y!H9M^D5K%a$y9s&Aejn54V;A8F- z;8A>UVACl5`=!8L;Cp#)0G{qukMuI;^HJc%jE>00^(ycvzVB@8DCPe#@G$CZmRFCy zTIExLor1mF7I^MFQeC^4enD^fR&u*f6Xm)YG@xi%t%lcjhUJSg`^_k(&pUcqC zwXRXQx%(8j5%^}n6YHuSnP1(_@JBT+WdzY`&tv!*~Y|!*Z>_b9gT<20lj- z&iaY3EA;IBXwWAPQ8`Qi{W!8K_QNsc59U`_TD$M4KeYIDrs4P=?J?kUv*8D*AGUdX z5O@@M=?u_62fX~a0t#~VVxG&!$zt&S^=`(GN(o!cIG zF0B2e^jm&@0z7)O%15(q=Vk)WVq)<%nXV0Z1$tuh(nq-T=P%0F`g0uU6W6XGf3SS@ zEZ}ZW#W#SRUJN|)Z|zA%*}2<*7amp1y=`~>!+pSG?W%7lfc|;I$LM&=z~2V$aK7;z z;NJpIW534iWvlB{p7|Tq|0p--#sQB8{AVNZa6u)1H^y~1@Dk1go4-l{cTcP-J=qrY z-N1`@58-9>^F+c~&I_JVpbPjJpiiJaX8percr>N)x^FH00DnKRJaMc_ z;49!iH9lCkzJzwuz;kD*W?lpOlYqNVRnDfj7XXjpp0eQu!dXA>#YCAO_%rAuPpiPj zU;wWG&!4XI^*glt74X7GO1}{OT;~RrX9?%?2S7gtcp7@L9`FgkE4yfiI>4vZ_ypdc z=>i@O>xe8qE;atZXMz7OfJdIxe(nbRm%tNawcT#uR|78u-g&zdcsAgFo&jFEQ2h_S zZqU5}ynL=^0-Ix8pBkTf?f-#j_XpsW_tmeO9c@njUE(0ti55@y1fB?dKSBfHJipOD zDPx=8nDP0M>hm^eHvzn|iQ>lsUktnuST8IyKDci_6XQAycoyFmJRW>*0Uiq6`+Ed< zdZy~FO3%61fG3_;eVd2{|GU7$?yp1VQwf!ERQMmMP(UJ2yqTNBRm3T zoflho{1mtg)%vTYMvr|c)1Q-phYwQvZPCwjfye%%c4T&)H$G2lyEIJsxdV72poh-^ z&*S`(jrR@U?gHg+^Yu^Qr7aaV`ZaD*xg~z9^JVY%ZVuex+?3^|KQa2zI<8yM&nDpc zzppQdx4&=ndu%B9hS2}Tz+-og7W_l~#~o)l-hVSaJQsL&P36;vKU`xt?i-q4x(j&p zNVUg%(C#C^%Yl634d7vXkHFIySH6RRzZiG{>j*sO=WYNV zxnU#Wd_3fQFYpr9DYhPY8F(1?olT!V2A&JN>p1E*l~3%14TZnO!4U8q)`Owt$JQG5*Ka}V$c z_Mxnv`3Uf0pq~E{@N}U5{2}ld&TW2+{*S(0<(5O;Y){}J;O=n+ET7*Rc<6eyQ}xo$ z?F_s!Ly=|RQ)hfaI`0-w4>UfDbi75_(R|>E;}o#5%8Q0N)9C z80WOd0v``Naj5p6(jNJl0le^<_TR>}5P0YpA))&K^n-@~tX2+Z0xt#fw@ZO10_&aI zfJZM531_4W?vKDLD0nnOKOX~L_+05xu5zyd&%s|=|33$w7^m}V?;C$bIC(O+0QVd* zEVtPmD$l}Gifn>E{0Mk7P(R-XcpmG0jT+818XxQrQ;&E8yjEn@N8L(EcWOseJPI z0x_GfeSjAN?<&s)9!b~QQ3`kz`-3`a=T-m@Bd!_$(}BluKA{czaIx{nIgOB-jl0$O zz@O_VoO=Lx;X?JF?}E>hz{`Pq%5NJUcyI6vUP=3At?wJhYPv z*y3gwc<$N@EN|Hq zco^qhAAmUmx&j-Aum0K6^F2k=-{HMTwZhXF0!=0q=-mM~>^)URH5}F=f0{R5L zr|ePK`!&GBf%Wg*z#|u_WOhWm4+76a&K5UcHTuB)>kolPlj?sqhJCGhugWdmq8|8l z@ZSb_WNjVq1;8f)FaMzZLD|m5fQOG${W%2mM-$F+h2CxCwr+y&l;`2lz&P;cDg_bRv8 zUMk3+LY`sZq4(4SZ->CPAMhONtEO+WfEWL(^1L4XIo#-R{`MUhQrd9TyH#viH{{!mq z@O+`W5_k#s{Z)&cyWQ}>I`Mwsd7N{wewK_L=O;}+KL8%Xc~OLA_dW1vAdlMWK9ySq z`R#0scP#MO_1gctpojYbPv5VCjDmg^;XJ>&7ZsQS{3y`7z`AAtcoyFedo<`T1fIvc zb}(OeGw|q*N_YV1i@*~nD{uq`{5RmmYgHev1pSx5LmR7|n%p*|b3E+li+Ha& z7XmNg9R|%#o%rGr2pGd!aBd1xR3JRNukqX&2*a1Q50!nxgx>0kb_cFzKR z80Q$Z73Z!6UOZamaG`$8Jq|n<$XDM0UVuFw2KtYImvIin@fZ_?@ zR~vmmZhrut`#}wE6WHC$z)NpxKaI~vz+?D+)iC&f3A_S--Uxil2O+oPv_A-UZXECe z>bgjaTqE#s;Cqmhz_VMZzq0e&OM%CJq5^vo?H&(2A9!E-G~l_wK1CjQ8t)8`1)n>C zmr$Rd1^fZvv45z&{}1u^Im7XVFoz>feGNQuoig|t_>3y5d=fjTWc~|$Q{dU(sAnLT zCO>0=SH9GC+u>Lz1JC_J3D-b><^s?E+R4uqYwN$Az;l5(wE}oP@VyUb0FMRgB)0%B zV!zVt@nPW6U9~?~q5m%cFXO)X%}#&b1D?kHR;Zz?051mCS)>1?a!Vhq`uVW3ahm`y z;r`U6z{9{ppX!9nhJDo$&VFWh(3zh(5cDy;FEj>!pJR9+4km!-Z&OX~9i<;Q8hGhQ z1uh4lvk2#Q7ks2Z7w{`UA6us5>H~fU@N7mUWBWc2flo!%!HY*F<8!wT^h1pIZQu_3 zP=MY4fL8+Vt!?y>$~hE>gF67vU7&XTZ}f8t@cd@#hgSig1-$f~j?3Cz3_N|R4&b!W z`hk_e3pu6t&M3vV0A4&%$9o0ncLkotIZs<(GysqOOZDVqv^yVo;#lpE|@K=DxP~U3;{xR?p4r*Ns{9EAJ zKdS(?1HKU%Cg)=%oMYSqa@zrTXpHuAZQwrv?(n@`+knp`;Q1Z2|6c%~0X#Zc^~CJ- zDBvZ$gR0VYZYl8ar7E|p!DkiWY>#PW@0J6lj{^Nl;ORhqbw2Ru_o~Tnf&K>Ixo32|_W*y;_#nTv z_0eO-=Q<_a7WB^ncV*@CF7Uqr4+YMBt@)_REq8+U=T*>e13bE!&dXh}-<^O*Vk(Dv z=;u`6F}%aG7x)}XxcGC>*}N|Teg1#?hj#pZ8SwJ$Ixj21=PckQe6QBefaif%n$=HE z2YwsyTvYYM{MBo~-M-3SrR3Zvz!Ph&B^=Bi*CV-0{SfDJCxHJ}z{@zVh_u3uHTnUS zC(1)^U*N^3l!00qy=w$KcYkevT7k!Q(;k|Bb^@=AQh|-dybJ+P{8#<$B;cn5FTSMm z!PjWHtAH1_(RRx<{$kJ<|G2T>ljVP%yTNdh2mjRRKkjbe6@@YhC<`seMS4?UrBc8{nYo((zd1w4oKg~h@BfX71GANo)EnFTzA z_W@1@{xjhDS*kyW0$%~V5YV5~fM=H|{rRB36u4Wa1Ns8^y};AIQXr~k>7F(GH_FHS z!#lw9fpZt%0x#v2{zLHJ@=29X;xnDEopso57vPb&YT9J@r2~M60(Ct8o>BG>WxT6~ zX>>;buLRziKL&U@@NUNGzzc!*zAgt|#JN6;cXtC1f1@2wVt$_lUVc%>`$vrT72q-W zf77e431@vSP~DM#OrO^wKgHuJysms89v32<>8HG}^j-Ro3j@zSuYmCx2R?~F9k|K( z<9iRsgHM~$-=*?D3wW2|0r@Ni9@$nk`C-tX0=!VKxQ+J~!nyyszt{HjA<$O>`|l;- z>A?HyZySB!-12{cNAUd=N1#7zJ`H*HtA^P9vdw^(1AKM^p1)D$Z+Yqdz|(tgD4gGh ze$D_MMg7F~t=fQx1NVkHjDAOr3*G4FO5pBcRVd3>R{_uC{^n0Xp9h}1Tl;DHa3Ao> zu4-Q^V83qyFCi|h13q5>&t9+XnjhQf8I@ZU-)p%p=zjt{-=TVP9pn%Lp8G`mWA9FP z8y~#m(GET*0}n$E+W^1J`0S>9G@3Yf2k_7@)vvAq{R6=BxYsiq_zS=bf%E?#0C)Y$ z+4A#mj6U#=#HP=x-j?1|#wO=5;bNz_AGb5wJpg#9Rr#NxVs-O@C-5%)E}%~Wj|ARZ zdugHauRNg>coyWGG5Q&bW7*?QGyE{st6ziuLc-bZ(jV9M|0<)uTIKvp^yd!X;Xs|? zVc==p`!;|3n&E->Jw64VMLm2j_keJ-&7 zcqs7nl`8)!ki%~dQvRjuRex?ke-fb2;y%}&z)uEV!iJbi$+`0l-%pWEKz{@9a-d#u zA8>d5hC*p}^aSuQ>J>0k_ny&14(oyc55Uu?8#DtSQ-a*C(EdCGdBVUFD`6cwQA9%R1f#5eoAx;9G#(LTO;W@?! z`@ELlUJX2o^>{tnz0>GFQ~u`wF9MIXspabE==-67m+<|w>!Y7<0S^b_{y%|dQ5Q9R z_!4-2M@1;Tk)JL8qVf;pyy8XRzZY;<(tc*4ZDB4Li?|12e(6Hs5uE!n|8|4%!8<3rV_f$cj_)�DlB{4E3v1fWHVlx>QFr z8~ERW=b^9`-#-Li{O4vuY3sFbfJgqV_%YzK-U}+{9Nw3^2KZRu1-#1vb#s$}=dn*@ z{$wWbSm2)TLc-Zj^RFsnv%7wyM_ttVc_Q!}zL$9~^yf0*i5qI|@mApZEmc0|uZqA+ z0YCqo@fo$1a6Sh5QwCmHXCuLFydMIO!mpa%uKl9Qt%Cij4)k+d;F0jgg8UWycLQF$ zPyL(ahf{#(&ei_U0iS8WL)R$%wZPkeR|4-h*BL&*%|PO|Le3 z34ZvjE#w2cfzK|$3y4QM0^bjKDR6$Z1$d=@eW6@{c}W6Kui8@Zoxo=Rcm(HI4h4Q9 z@N!_E=yKqdz+y#dfv3w`3iA9K`iD<|mjmxk{9yQ* zN`DFXZ2GdwErzexXtPvxc+mGKgERgSc5q5Le$&i#oT4Gb^e6%NkC{1q_wYN>txravpM3rB{r`Lf`n6sep8mIQ4Uca}^eoR33~?Fya}e-C z;CyB$@YpUYe_M~7I6}LpjeuV^0)8F%yLOf50hq_fMxcKV^x4PYFhKub;KfH3huOFv zQ#|JJR>mv-3ygO^!iUq7X`oO1MG0>M|DOTRU#$*xYv3mUcX&6+Eazh2g`(1%-2P1X zaP2+``t18^(WWO~0I!^+{Wt%-?Q5`$MJl&HL7yiRJ{newk zh6QK(yeII=!`k8%pl>qz7Zt#Eg*ytkd%o7LR{}5KzPWj>UlTr@oUa9a4)+DNL%V+j z9=butdlusItH8^LDZa1iGw?)S3AIP3L{ud8W{>En}@F@J)RP?hG zco_Eb2=J4ES8!f;SKwoA9=<gh z&mO?@Pw9VKMlxdr{_{Ye!vcLn$aBdE^n=F#H05vam!1#2f_uT1=NCrc^VRXgkL!N$ zaXah0n;yOlJiI_9JQb4!RIyL z;X@T4gNgjg@Ic%N{ayPX8>{qv`j6XUhvD0uMD)Y;=Ro6w2h>kMe-gmMc(2Cv^Mn!j zoDcde=F3(NcLOg5zK{ML;DrH|TLR-9{SNebla0-ozpLR&!{0lb8K&%S@*Sm0@VPchtvJD>33`g7R`_*Em|H-LYo zR4cbLj~Sl-BcP8Iwf`p1it*V)<*+8kyV<*t1OEF+{5#I@l(uVmLJRQnZ*_F`er!MC z!;SZ-%ZA67jzE7F_@@K@`Fh|XtP4y(9|K;%!~9q1@LYKW{_h)~!`G6Lt_{bx_IoOa z5CYB^$YE#Tv4EZ&O!#o)onw5?)sEP?f|Ev|KW7B|(h>0M!9O3!Gamw82-wSKz@r^H z-rtVWfvx|(j<+0;^R9#sH?F-$z$buD5%mPK_ZaXBzMpzO$a7!>KBs^_jQaDhK!4i^ z^bdkQi*tA^pbq2lBcn2_H_L&x1aVfZu~|(S^w7q;JK@8%yUz&t zMDU3`t^=BY@y-LD$M-((1f0JIaX9{cppUhxJk5^I1Ri=!8JPWE1w4zmGXwl{R4*8g z|AU|}VI6Ag$Jc?UC#oQ4tgDRvXY^oZ{%z}zhUfq0^x^Tnh@SJ|66BmhKW77vVcrct z8hGJPD$kuke>(7VAiuhm@ZrYm#?2m=863br*Lf}1c}>@OE!KHW)_HB#O*PK- zUK{mZ8}-~qW2|{noc}1l@ZaF{u8)IreH@(YaKd4h4Six@<|p|!d?4;%0M&Hm~! zsjG6CU>&TR?0sU2_uEwat=?;`zB)*+je3uB{Y3kO_s8+pJFkJshIkE45rkE9T)n3W z^`0iwdzw)1X+piH3H6>P)O(sR-qVEfo{o+8I8X4f302H%ZGzX@1h2L6-e1RK*2bIQ z#@oz}x0xmBLb2#K2;YU!4B$dIP?ofO}}}KnXwb*H706A#z~mhn5dCr zUSpz0ig}HBOhljLkKzXPH;A|{E}Es7H!{-``l~mx@m^!&y^)Rg8uLCn!5i5GZ)Bpf z(uAn2{#N~jH!@LK{j1m51h26PUSr+|CVGuc^ctJ!jclSPfr(yY6RV%~MmEuFY@*lL zM6WTAY?9a5B(JeaUSpHI#yoBwGv*bKcl7sV2FIm)+XwrXr268i<>|V3S2EKT?-;ja zCjHwuJK3J<`M*gsO4|DWK{}|UZT}Z({r`UlK>GjF0g#T=fwq?Ut!?qPd9#}4#+zGP z=Qp*)2U4A>RPVSYZ7dm<#q`$I`n|M2J+O$SX6*apiwF9L(jyFW81hU#Gwq0Zs)%{22zjan6C+dOa~tL~ z#rykGJ>7khVHnp*%vJb{vFUHDMEV2Iuw`kVI&u^7d?Pl%xiCWfNF zvF_?`Tc>xlPe7RQ%QP~z6Mc`Z%x#Z?Tp8V1{Y0nsg88KuRAk%EJ+}q zT)MoTy492F7>qBQte;cqF6$ob;tzEXcK7!sd*YqR!KBLPu%?#g84KgFhL(mo@s6HU zl1A5)T%7SsFGIayfp-k_C=AI{TZ8of1Kr7k>3olndxfR?JLMQzjlJ>4BE;vHS7jwLQOtFd)*d~iiN74Oby&)fUr znPUdjyA5{trmA9XZEGRDaZQbJnm3-W`u3qkuIaE?e0uldRA#WbuX|7?N!n>?I+SK+ z#yq!N=XY_62D{Y#FzK>PH;SG@;Qq-`bh;TJ?N166}n?n1N}6SH2=(1=TG`r6$`gT zgCcAQs+o{4{@B< zJdf0sRG24DI8hIz88+X+cCs{@*C}x_yG)9$c3?%C%#uaBG)YEDQ|B667RK7<#ruYO zN&P#Ps7@X>UNmWGvS)})x4*x~iI`ejRfk*SeW_*6=ZP~kez#;^I@Q;(6tc7#-DE|pX?2`T zuQx@L(9qNxUpA0T%P4rz)aj-LZQOC4g0^Pz%hdMj(?u4-QUxx z{q7nX?Cf9GN6qN0%$_%I*8G^p*3Rw$(I4`jvDpm^+o)-6Hb%zL)-Y{$6VEy6Q}0ku zd|CfMCz^rT^`w@jdbqCWP_q5)JJuLYA$SHjm@!{6j)g^L zit0h*Xyg&GF!FKQeez9g9!In5>TlYY1BdCj~dXwGoTGVPCjc9OMYEl0{iY+eF-J9-7#WhIRS{4mqX?$sNK->$g ztVbL|UHq7#Zt_dqPEs9Xa&T~f;#hp%v_oV@lPPl66qZC+I@+nBu4G+&uqPubLtbpC zkJXaBBfAAM`_y9cp7e3@u_;o2&&jxH^Jm0qnb+4jB%Y_eufDyzFP((gL^1eJ(@EoC zMB_b)Q1;iylH{KB^>;0cb5}qm9#}-h4v<7oJ!WZoHh*x_+@_X>+092ZO=oRomwIr^ zJW?@^1k!De6K-CtX)YO-%s6$PjJTf$IZYyzczTMEtSdvASR%jU~!5x7xfHL(k@bGkJZ136@-85OD#?gb}uE# zk^v5M)bkYUxFunrh^} z$i1n-E~Oz)M(Wl)kKD4@iOnj+ulX)V9}SC?B#56Qiz8<$0`s}MKx&v7WUs(-oHJdV z7$tP%p*=-ZS5~8`Rco2wHe(8M55K#ti?@?Hb-Jdx2RF}cB86T|I!`e++0#SW3p*dO zb3eQ!^_FX zGx5|hLmcHu=SBYPQzfaQENOZ(rGae=g(quvt**0jvN4kL>Fn-XEFWi?kYnTAtX`}{ zy?j$!ykYJ_*J0T&Iku+8HkVlre zh;7RV*l2xOZB1avZj3k1n@gI|K*DO(KCq5Tj+e}E7>O%Co34&U?QDh=`ZTH1)RR`7$Q6-%s|(QW87$WZNq0FJ|HMa2!O0u4ZK+664HLf*gBY{+utZm+TyU zK-{FdyFa;H#Mu=GX;uHKUFsT5+N{Z7IC&v)QobEnZqUlE+Tq}2*E$yAD&9zQ5w!qL z|K)QO+(ZX8zI2c_bkl<0A=`{EO$}sd!R4kmw~+qNYgy>GXbum;zLA2S7f0DB**heA z7PE47^=5dPBmREQJX!{GcExUqb>J}4yG1KB7ZrO7Mjf6kG<_!p@{)F)hoN>3`c&JXg^+8U)6j^NnYBo| zI<2`a4u=_=H@mrUVSG+QEJka$R?ba%a;uATVM!UCYO;FDp6+8)ot&JpMhx~2yXu;( zbIW#Cvr6^s2W0{BkiIn%BJ0qk2_`!PHVeo)X-zHU6%;ZK^#3rK1w!h?N0)w>V?AvNQH>a%%t(5h>7h zQ++`?Cep3OQr7J5PB%;e5Lpg+jhc!csR3IQ)}`VXO+%`|Rhtqi`w~(`t(e93Fl~0j ztfu;Dw8VF0^zp^CK;}9Q{UeGio{Lu{lBEY0RDP3goZZ|+&RUYFwwCzxmT3p8vQ3{! z0Rx$yR2(S*9H69ZIae3zY3qe#sr61SHL-vwt7Cy@Xd%a;gl35AAw1QRO_=a`Y+~x3 z(;~p8S^7P%v5oRFL?GtwnIeVkY5^1r&K{atm5=xV)Q~lQnBUeY1&n0p(W@m-wOnhA zeE2%;6mdeL1vFn`0n(yB>tQ*{YO3nwI1|+mX`e7I7DH!hQIhAaHy+nk{Hh}L>LA0FQh`2n^>aJ z(Vgxh6*N{@*bcF8StPY));_K^$9Vz3S+_2esVKp#0D`I_)ylDCgz=h%l2>Eo%!B91 zG9#JQnw2#-M|w+BP8P%QLk2^=rF90E?yWo|Ft!4yP(|XOpQf@lt>AR6RoySBaTw@* zXDV%LN^MZqiJi28AX{cq^%<^^J4w6aEmP{aC{BqwS!Ev;VykmZ3ueg=L_AG2XPqhZ zPdd(_Q!114U)5NH@=qW|vP!rlN>U=RH6iI$d^z>m)(p};av35o67DdnK;oxOz<$ch z0^Xm!5CQjt4s-^mmRSW{@0cWCb&e+%{+aRhItbR0dhiAnemkjhuf_wBTlG zjo#mh{(7OD^@LJfvd5abLnN++2QK}wHgTa#h9oNtZjD4h?Zrv%eT%s0;-5APf*oDS zZdG5egwMJl#XI|ixFT}pEepj9BMXq}sV@07*s&_hKv^kylElVoShOG~A0dX$Zd>ez zN308V@~pK!vo?6MKx^vx>OOcJtinym_X97qvLezG{;E zp+2svBh6pB+9H^RE6z-PD)qa6h0Jelb(1QeUA;*uadOzKSuWUK)I=#`&Y`3}nWjQK z_92?)&Ywdi#%L z7(#{)TF?^Ls%4f0P?E8nb9r64h>2F0ViJRDlIXxHR*SmTWpS+&gqCv!O4X5_0NX;f ze;M-XWEz?Ofyq7b-wc+3xAu!;Lx=T)`XH4r`X8#Hi_j(i(*05SZ%nOj?(mjXAJ&js5>*ezRz|fbNh7Lz zi1AD>6&(By62aeJ$gHO=3oT_zbF|>^rCJ9S@+}bQIz@|%oan4px{_Hy8aCcbf3%hp z&>5L{&+$>O>sYG;8HzMa*|N7O5g`vPnKiA(s&W?5a>6x}ixBMk#c*U4-ga2kFl4Wt zl)xut8Y@?jBuSAVz)KXKYhD8dcM)lEKpTv?w4YHDY4y1bfN$E0!Y=gQQl`M)EEgW8G1w^}Cto}NImVUDpt(MLWO!ca6B<7wD z_)~B7=qqaRUMX#}lLMesnOFUkr%`XYYQr(OE?$km)eMMTvJ^5H5~*E96K9#yMMNQ1WbP zpe9L=aB)Xg^?c-nWa4c)=s3j~b=#qib(}T|*yPj)aWI)ntH&8)1{y7$Y{0flzQf@M z`J=C8HW^JeO~@=H%G;=(+tZ$;C{jHmk{-`1z7CFPmRM57gNG~bL(`G!?gx}mRi4|i z1u8ob*`6cgTB@SLNef;t@#Oo08fQY32GwW!tb?s>4YV;AU#()x9)P9Ib!5M#BJU;P z@{)z*HQc^8(j)9&bB@H>2{`~djav1p)UT?RNKd(Lp@n#!E<_L>f>w7WAGVB=EJ;p< z@TN6OnH?%EYx%Sf36yqPxWYlTXF850ev(MAvLq9iIg>Sz6k^QX@$SDQ76$044)|kH zLvsc+chhi|g;RB&H-GKMUyiMhQxH@cT87BF%WM7C7?+A9qKImf8v0#?1WOu??T>T% zNk^->Mr_kh?nA2PgZ}J2Nj64n21ydF^3X+^mgMuh-hzo$I})c;9>h*fqFPMyWG1U3 zid}NBtg3w?ZP|@y?P7hjGEsGYWeM+_Vg3t?TO5MtNcpo82<6xqojTDPl}r}AGn4R# zYwCqOg_KU3Bz;!MDk?)m);Q=L`V(uc9#E2^5sjInn9onkJR_RRt|U(`IUPPNrfH5p zsi~v3P>W;F>FWo7%yYhU_DcSQVuMv0STO8fMF6kUH}@FwRv6c@ve- z^U3K!rShM^lPe$^!T4l?E&fO*a(<*X3VRb_C(Q=vcsS`Hq*#-Ma0!#WFP-?2%^S8- zk+gX*ud2$D=IPQwQ^K1huTSlZ`HK?xyprE=P|KEVSkoBBUs!k4xhCPm3WFh z)k?f*9hL30zK=fz&V<3t$m8P}PR)AET)0;8z`^IYxY8-D_$QlnRE>zEjm!y>Z_4du z{4x=o1aVyuIS97Fxxh&4UUHIr`jl&jbWV+Yt9K@jCElK-oJJV0wjad1@l;6X3Y-vB zt0XcHq%yLj$jas|#!(~^daE<(nM6L1nq&i~^|A#FIxkvPN!DS`?>N-^CD+jCm{aqN z=0;kOi_dN*@2p9-X`$>d_;oVEI}LtOLi6ZIlbCANhTuJwmIY2OG)0G?`e`{*J#LCW z@S4ioOQi`Xe@I47TYaQTHFZ-vZ%6X3Zizudtc2xDG)OodGy$2wi8gMPcK7KV1Ruww zqNcZh%O0wBGuCWKor&0dHP5Pwt5J%oDEP4>2~axO2cQEDi#jGxrGv%w5jsKb9TxUi z>P3X=)|w8T-!!+eNsd-{XO?=BR1&QoT&j(M5)kFXnxIqmb}SST8s0&PuV}Xzf%Lk4 zg;de1!N4;bUqJ8@M_Fd5CX#9qmq?tugrWC#PNX9QTxCjTG(IEqV*SIY^sERnL$>Q` zX2?Y;q4Mt*Q#8?4Ke-`^dS30iCLyY+Zb=8dqOGs0*h*&>8(L?^Y3GFpERA`A&YQTo z^JmYttcwNJxk5{4oun^R6|3fmh}hU?7oGAP{b3sMwCX1ZSG{!syA3{8T1~Z9bM179 zm@+V5(!n7L0X!1d%>^>XYBd(8lbdweM(11>Q^8x+j_4_7%2taPXtW6g?B26e5F@SrXf;-kft4dIs`5!%w3W+x|>6X7Zb6<_jGNTv({pp zoE=l_S=vtJiu)TR63-j|w zsb*1&jMjsN5pm#C%66u=HaJb6DH9ef>&X=!(CUk7&SZyHf8}V+3Smo0*_E&p8AD_b?KWw?g&w;o z7i*cffX?~zMw6_Es;PqrnlrrBGh|LAmdfA#sT=mI+v$8_pTzEDUq{VZNO(HuE%s&E zWWl&Uje8~j-AryN<2!w73n-p+7OX$Wlfnh6k~$Gpzthv-zl4lQmaf8?xQPBD-=&fe zrL2-#a|5EjoG{Uz+-kmbU<#K_beo-W3(^m|s>#e$<3zD&R%_}R&A#BS=iJGI!a;S{ zTYDeu1wiZ}r zNOBZj|Jq&OPloCR3r9*v|3{aWDLqZ%w^2R1KTMfldm(#&Dat<7`+!dLNaoFIOO{f$sm58hG{#?zg4TKo?6E#r#+vVnfu z__njW;u?G>WvYudmR34>%#fVs=Nz_wS-opdrG{z>1$M{4w2ro(7A^Ap%@m(PkmISw zRxc?F?lG~|kpY;Og5U^}ja?T>l-BsCm&L$rE&UWJ+2*=T z9v7710W8rZd5xHiibhpEC=UzEGWkpJ&;dJS4vjU(z%|XGLm$-(60T-{mBbp+oouIz zZjm$2*LgM-+-dRb*njBX_T25{6J78;l=P9$$diwz)4;2Hseal`mL;LAbo|S1cITAl z()l=?ql(vTHgE@MZmOv+8^#jZ<%lo$l{&=CJXM7W`HG|D`D(VmJ%3Rx$wVZb!qp+Y zen8sEwL;cVnF{)abyzChs(l<@Nmab_FG!fUsM$@|v&g*-c63R1tSljcgp*^RDVb{E zOtV+YwoHbrYZgqUS|}G7DJl(dkE-i1&o@aZVBcbqUr#mgEj$vw9yMjr(g2x-FQ@0= zMxWz?)c@pX2dM_0wA-HhcTfR2nu3sNgvC&1s@TmeVC4AmYR+KzF6q&SsnXy$w4)eU-6zocI=Rh3FWc`< zj<4^ai-9qcpk9*7q?43tNoRr%NYAd%Y@xf2HHAtq-#><>uDc$*1;YLGcHiW9gZ~6S zJy9X8tX6_jz&BUe2VrVjv}z97!E02Y8=GkR`*OlrVA(<)yNtN#|+lkT~5qqr)YOq+(N3Zc`n^ zdPJ7HzI=;yJw=zNbWh^Y`E!&Ur&dW>2uXe3F{bXRGq)Bp@{--Yw=%L z-PxX55$IRC)L-A;r^4o=u%u(UQzoDCbFQk?q=vNPMD!8;Z#jL$D$1t| z%|Am_glGXxiet1)CFAJqmul6(Vsiqx3sSw5<%=6u^%tekEy&<8J-RMQ%^>8Es_8LA zRsn1sNnw-MwEmdj(n~rrbhEdeZsgz&8_)Q3Ijbx)jzr71*~KbNxf~rs6;omn#M8&% zD7Ic@YUF^YI$l&fiyL2y$@E3&a<8}vxi=hK_n^^kFkyd>>SLIcB$Muvel{P8KfE+1wvyZe!L|bZC2NKDUPiJu9ns>g_ z{b}`T(lOE1>H&77SW4!Fj(Qo9L#*PXwVo3v8E7qzW+cOJ1`U_x$GjXwPBRX($*;95 zRcFpDYu5#mWW!DAHD+v|Xw1+>0aqqO3|_h>QB|O-JqQLFYDq#AQDni9m#Q%hizri; zTk!pQ8O?+|OnNjyG7z34-oj0jsdASjRk$@bz;&x=DzF18Myy#ek_XY-Aw2)NKj@k;! z&W}_xD~_lXIk@btsUcD`|2bf3n3hnQ19%soL{6Nxa^;w(juR%mD~i!N>OGySBc#`JHE`Z%YSU1g{&)L-mxPNnJ#%T zgf?T?`;zCCBd?w%U|&tHnDr-9bU3@S)(dN7?(8S^M>5Ho2PHP#dwFpv$v3rG{IwQt z-cT*sj6_CCNt7IKByq@t43zcaaTgAN{Md{*G0!Bb3rcZ`-oqaO|KY7Tyb~IoV!AXX zk@%uy2VKL4^f)T9+IbrX@O?{b(hXeKWmiBtOQ#~JM$YF*Sa`MB@JMITIQgU7-+ITS zYC&ENMKzFBM&r4!3Qrk;?~1k5$Mj;FmYFJ{Kep z5y^eDI32@jY-x_Q(Y1Q%wfduKiIfj8dYUNpH1b5sUAJr0a%7s3ez8t?x>gfZg_9JS zr~;+lz>X`EB=`~(d9&(iI$w>dnbUvi$23a2^=*WzN@6(zwd7k?q)o^ly&4F453ZkfWDr0wa(4`i6Le$@aq*%Pf!o3(trrU?QduXSd^oR=n zls##CG%zG6;?tnpa)?!zRbm4CeusX5{ufvGN*?~|~MA;juJx(tl=5>Ot{c3kH zWQSI0RDz_Po<~`&5G6MV(q9F*=t_3Rwp;;outv$trSCxE{dK^;B9C~F?N7fckECpXxnOs?r=!0 z*;7`Yn!tio5@m=$-x;e#M0irz6e9L3JbV@>nFBfQs=}cvPfNCuVwjk`FG(jqL*1o- zG?40%7h-y7n^DdySDguEGP)+^02`M#;`;h2tjM80I@3oho$AEb9FXyNczcej^OEv< z9>=4yLrQRczJn}Md(mgU20En>QnTMH0zrMw_okQKMPP%p`X`rq2RglrJ40!%Ws*5? z<~K1On>K6ujQY4-0^kGNVkI$eQB~uUMPtaecuHkvs`1}Dx=F>aOl<*~mN@qCAX}iU z_iEQ*RRcjfMk;aVDTEtYdZ8Yy>4R9!O}-ZQCH7^3kX@vJ8e z@)ZF22wcQh$Z2nMIe=QlHpNCUKvC(G&5$yBfnf7muwRFdL#BbLu+QRcavo z;#g-&U6QTux#~eLRSB_IF{jQ^R!%3CW#!T%FV5(h^PhECzY|27~={H;5K+NaDB~Qt{Fg z4#Kl~W|bCh^qicyVZQ@ouj7?!=+FZzO*Q<;W*cQgJOb}EREUC`lVXU;7PrJ>^e&|6 z^>Pv!Eo9|N1P3rwrX`7xQA=$G!NiI)!yP!~>9dSQcK<0Mq#I29<|z)zV2?*#+@kI@ zGD+W_1wX0gT_Evpm{9k4z?>Ga_IQVqSO@(cgP$R!!!;}hUtLxt%p&pzSG`p%L67qh z)=t{a*4RxQ7ptUu{me`J0YCT_GL!fKW#hUYDw+3~Mdz$Z^nSF$W>(0ypz#ghKk1SHRa>ETvcj*WZ-X*EBr zw+F?PQ;U5U<@x$Ie2cGM!-y1XI2PfBEWa+ZXlsfU)fnwRDa09@S6Z`E=rt=K^0`Aj zwgM7?c{8k<9`?=917)Hq2<@0xtmI?gG=o}W}>%z>`btzgnT5GDdSo_ z;P6%**8MSWQNwbes3%)WBvR~D^7TkBLAO&XG|PHY+gtHh=T*8d^)Q++*Wi^gW#2`g zw31bvy>nywZ@E#O6-ogo=54>?jDZZKx&jir zmx*ISmOk0&AkIcv=2P7X_KH4ii=OrHRC*_EU1L|0{*Ml4QdNR-e6LzT8W!9lCXdSb zj6cDRwKVDX9#peW7PFeo|6}Ytz_coog*}R{Y0YsJTywxgG-5zOMMY3h(G^G107@P} z%(~{RYZlBoq9W#;BL-9qm{!5C=Crz^{#Di0r{AyV>-+rkJlwm!Q&Xq9ySlnMoIYB8 zTH)yh60h$Rac%5K2CI$cYHDzAIhkTN$M?|{96frY%F@vr9fAcp8t zaHtV!c-`GdJ9JfKsoFS87q!T>uMfGW=={x!S8X?r95AU--d`U#OfyWaoNjg|!u;CK zsz~&de8(cF{<>!SLT7$DS+XUXSTc{oX_-b#CkeB7n*J}llt{8ZIe1#Nh1lE9?o;r& zggT5aDu$C8R;6jfUpk?5PKhD|~gwx3;f{^Y*l{UG7^tbddu7jF63Qzr}QO+`5X ztfdTZXX(_yhX)y^<@l3DM)}x+%m;NL!M{i`N|#&oY!pU$iNzR{w7KlmVw?q8Rn@ep z{IMJ>(pwwVo%WWQe$%1a0c2)Xd$LshQbnrXBY!E5XNLlsat`6qXz3b5GDjEIC;KXb%~IeTE9}~(z6WVG89i{ zY!@Xgw@G{n%a7RsVCg@WFiIU-O;;m8a3$?+nq%pNN!v@rbh}WOOv0rcDQg+iUcU1q zzZ}z{N;bsV2FY;>J$_fEtahcFykRASfgdr#0ZMg_(DS4d*x12QMH|Q3R>zVsj7$8i zy#%&qdSt@B85zPyKAW<9!XAWUo)!wlar1+^8r(GF)w=X7-#ydE#FXP`MP=`%Ti~*J z<*t74(?%(AhH%qN?Xqhqy%j(^py`WO42G=Pnl0>S*rqm*jZ3a#TjkX_qMgW;wXC+v zo2>uoJWl6IHAgJN!CwYAZBo@2CaUc$0>LYn=Q31fzOZak&k47~M%hpw7Mrj4B)NNXA?MX>EVj1IUZ%5LRN6`3eX;kqo8--4J({2ui%@Fo@NrfokyD2q?NVWlU*`-q zUa0$~K{z>6xGgf6T;q3I?ct)w=&3b*UT37?T%f<@&t4V&78i+XC0d>;Z_h|7rv6u@ zqnhz*mM={u9~G0uM}2ig1mbK;`c-6bYL?ROK`vCgA4N=r^6s|LQK z5yF#QjaqN5SjQkedn{iq=+Q0zq>0PI2j%69D%gk_L&np4I~X{+!}7a9Kb z55nfMUj3!6s6?I@YCjaXdMzOvA4Iera|Y|m+G}ce11(*a-6qQ~)w#kPG^Rpsx|hUm zA&7xSg|nnc-!YCkQMFMUvvIYXe`{l%r<*puSZjpQD7?b0-KExJth<_=4by4&Ew!tz zacWQ=GDuIqOMpz?URYZiH)s;ZgtSN+Oc^x5YF-Z8GFDWp8*p`fg%ZB5)|**=ua^F| znBy5=9Cok-q{7nb(u8CM{Y| z;YCzM>1JQ~pR$`BJ_Df@Sra`prrVR$D}8Azq|_;o$J(O$3x+VPvR65Yc1)?5+BrS; z=Bpvp@8zo5C9?Q$_N4frmW7qh(1^00qh~7ep-07Jm8SOAit4Df_RbN*Wu9W6_^6#O zNqg(vKWUk&#hR9^jGCDtnNzn-t)i<1I?9;U)i7soYRO9+`aVY0tZ_0_`^RdyExAiu z=qo~6lXaKIYHoar>p%9`6zwHcDiIeHrlB~mrf@phdSqNjRO@vm$i55|$`LM*6wBI$ zfyiE*(*xC2htNT!N}@)L(!}!6#y!Vc7F`onEG$UAQS+L*xrdKhaSC7Cw>15$acGIF z)rzgIU#Q;3aLMV8J$m;E9mft0_#%I`;t{XIkXv;^jHua5m(F4lrurb&;2}fx&4*ah zY9tV+85QR}R_mdXbm&l7NvKlx8slZXYecF&!PPt4qlsf=yUm$!dtMWjpRf}geF~Bkif4xzfQ9qZc3j&sMW$vZ={Wc79)0U?` z?dxHK<--ViyeKxUX-OeV{VMdgP>^7?ueVf-!gjV*14s3tOJC+|**#@jK|6R&=T;vH zFSZ9KiIuszRiG=#RP9h&<<`r>xiI^m)#gOa zk+wawo3^i6s7|lHdJWp#HF~7ox}<%~&rpOOCjVV|ye@!h`PJjKVzh$wNO`q5JJ62L zXpFYD2v=8!6~w{2g{x9x<}{(s+Hln(>B1tL5r%a?H7!npWpZ+eX6)5;Uh-bCOfR?! zZ!udx4mDVlaEGa}-mI?b(%O#Z1u_Yc6<3`-*ZHiG_D2micF9Rx0d3I%^m{8j0TCud zzH_BhU8%7!Gd17U3XCg%u{8Q=L`(X(u_q^yt*O(S|7wo~C|P5$>oTpd5}>X7#x**- zhea|kDOz(lY^JIuRLB*uwSFz-=Se|LHF)`@cVK(BDSUk~9HdfpeY)-~UzC!o9{mc< zxc;VZ$A#6ubofZV+bC~D+Y2-C!;jh*RgET+l3m*;6bn6DjxX5RmdX`$l+@%==7+Ui zujVC7o#)6(Om*Lu&B$ZU9M1TM>7&(gJf~w#?bYrd!>krW#dnaegejVNR7jEi^sA{$ zQyOhDzJa0zw}RGqsPtNiViqr}!J^T|gc$wRYiyEWb58BP_Mn=h5b>L^`Wc7b&?f^a)lreU$)XllUSga>3RLA z=`C+zu6B=Pzq;NN+jsK4D%)&|gF#p(ZVnlM)S;fvlK*F?9NXJAkj)r1HmSpSm(&C) zc0k()l(-U_+^3p7kEPwYuR=9xT=1ERVzE3f(ePAe&M+a9@aXt7{{9n z($Z{LW|z@hHlXxYKs)WUr+sPAtkyLcD_^xXRh4r>o%LF6b$k6H1l!;l*&@$UVrD{hBCsyS0WnZ;nCSq$0`YLey4wlu(a;BLlQB+px zGm#$$9=e8_5&_Me zkOxS6Yn-!3B~#2ZY$3wDORw*gjvim3Djs{Xm|_O^!6D}=87>%wr=d^_-U6qo{vtr(+-NLeq+L#@d14G&&kxHf%`n^j#_u#K{a1=5Z zw4sP`(T-{Q{=VKpW|pONLPM@*Y_-i`e&dsGQ)`p9;Hhcq73Qy1{!-`lXDzgCe5r5R zWKvhEeILudlqxAe%}5k3X_T}uoyw4xi##}K3yWv=mY0bnh**_Y+Qm$Zb!l#3v&Cu# zqqi8a!_a`6s)j(|wtA4e^X24ZC>Ths_=cb{^*5P!$ z&j;{kD`#9!GhJGq7}ZT&zGycf49~Wk?Zc1B){VhZbHQ`0Q`^9xXB_p3AxmM>pq<$A z(zwB|gNhC|cEl}xPPjR|F{$NC3q7V%SBET*4qG!mOYkl1s)jVR)Fw3#4PmXt$2UtE zg?~;*B8jv<-@w!6@=w`o!Z%K~o5iv8F>-iB-ufLrR6h(eVra9S(-|CAy{);cMQ^Ld z;3_uy#wF#L(8`j2!_M+dLTm%@yVGC`))%R-LZI7v%XM`Rq+Y68{ReqS!xk3 zn8QMyg!r^|ukk)zRg_kp!ra^PVCggiN61CM9R|vur2^U7t$48~vo@Par#)*DW$gzI z=>W9Fm-Hx8&s(Sxd3S?dJ)T}JKt)f6!v3a$c# zG+ni0xT+!i$X6C(AkR}jP^|%J#LO&8?7}N#6p<2fyCz-;lbC`g{5Wl5Nj2Iz#anOwvUapt01l}UMx@Ns;TZe3hp1o44HPt=rY-=_w zl^7nQ35V2A)rUrk+v&hzgGAUltVT$Y)z4_?yGtQ5*?OboF0zgp7A@3C^d6|7TUto( zc-2wYt}K&Ai^p(dAhZW#s;?eVZ3pNusa;H`5Syt*vfi%;=j3r3#kD$c{*WV!EVJvf zO&lVnmk+Qu)MEle^g0M%C9-@`vb9m+L}Q&j#^CQ^S{*CS<5G2_@NhY~?o75C_O%>N z((L$sQ#*8|2aU~VV!KLJRc}Vi7Li?qE~g(XJm`T8Nz5hRlNB2|>DZ3b71iRYri^S- z#!>YKRmuN`3>g_dWfsOo+pLfStv>vF78Gg~FWmZKj;-OSYmU}zR%c8;vZ*)puJ+(; zRo0R$nb+t?QbJxHo3};S>?^k{Z!aI14*kv7q+`lqO=R)1s#^62y>QeMd%w6QEuL{4 z)8>}V+Tk50`qpLoz_hwIyiC&*IZ~ikOQ$0h7Oky`Y;3bwY7t8>kkX@~_Pdm5_#I*< ztRrCUD@21v4A<2(eG)d}+)K1ny27L#tvU>E&)N|;VpV-o7gTIPHtj^3Eup+BR+FAb z57WpMRuLuKq!Bia$!dm8@h6E(*=Ckx;dW}Q*|+p9(~+WU^@~SKW-BiV50+}PEL-MJ zVUI)qi!YUjs;cG`?S0okTuX*L%)G4>wf6YDB52SONOqv*w?hxLJ;)-c1;(BAf;`Ey z<+QbUDn{76@0j!2PP_!+I8ByRTrbxORcb*dw3xkxh&;uX9!#nxPm)@cuN{oBQ>9gt z#RD~|aIuNvy#%R2(jX)?ZR6yG@uO20t9g@1KB^QwF{u^{;>Jvs-D*ZFWt1MQQ{S2| zforo{hYv;eC_Q}eBpp>_fVOgu9@IQW<|o0=+;{a;aia%?^#v2sC#gygVzpgW?%Svq zx~p--K6js{A5~(bns)EL58AKBT{IF_FJWjt)=RcR?a_Y8EOyMrLH#3G@wPp)HRO)= z=~L@&z6u#GeHVWUHBt@!mKmF%QQq@2}(O`Zyj6zOYa0U z9UiNyH<%toqroLp>W!*D#urnd>mX(nB( zjk88u98u@DQz=>+-PDRE%X)`|fN@P}9W#FFIPXaQ0Rfs>GnMkOOGo~AZYeaW%`kCt z$;S(OOCWq9NRAupICF@8eN^JEjqAEL7&gDGnk=?ko*Q4|wA*l{ShoHk4z6FK)#V!b zpP>h6nRPa1_sGdEQZ?|YQ)9y51Gc)4TA>k5CB_Vp-KeTxgk6YqT0y&dmFoG`(>@(f z_J&tZL!9?g>qd+nl9uh^zF>eD8gddZR;ov#8Fk2hHPs~40d0kOlK)!L|htHdG-{{$nv z`El6y(8MJ6Tm6K$6~Ud+B7#;lO0KU6_&XZ$sESIUA=9Pz*)Q}_b(SU5I2Q&i?O)*q z-B5;joJCuMUqRPZLHkyS4?pHMx@O}`VYTCj2BRt|&2M*A%RG9@VIti_$M7W?nhbIB z^!A~7)3B;xEP7YXWi;juK>nj{uS2NQp0oD)a_Rr|h?7FpaygN&7q2e~Zb z8m)`znLA-0A?%lD~##5d8funBcI^DK?UP-^g2O!k8Fh`W3#*Nej zWMrLyJTQEus5(z4PnVakh7ag0XZ-ZGI@!#TQEr@EjxC*1^Te34Dd zZk1^(N}T=sx^kETYn7%XtvW4$BvTG=*b!WLU~Rscc8{u4X2JROIHnHcIyDaaP`dx? zJQQJI^l$D97@Y*R2^1AuCYx5HU+?Ts>h<2IbEsr=QPD=Z_VZ!23rm#jBdYHcX6 z=o4;!F+sDT>+bu;NsV|!ylg<18f8V&s>sf))TUN8i4*Jhwi90(0_%AJ{xf z_m-_Dv^LZDsTZ5XJrrwzn$12vKxNN$e-GMapp@xmm917u*ueDd$3bHzgppRBs>EE5#z>F! zBPiBCss{AwM);^wMXP2VJjqvO!;7b8?e_8lZFAqzyGrc#UT;hD%_FTA^wd-3(bflb zbkROxS%GAE`UavYk`61Yx7*9%7?~%!OW4;1^uVX~(3%EHiK3kj>anM+IrrLgU-wSw zMis`np}@9|4*RvEwzh^(9I|E&FHdN}>P=7Wn4Y|c9Z#v6r~0hOdX(M{ zq)rzeXa6P7vUjtsb*NZtPBtCG3qO|O$mvndaLgq2+?rl%^A}t~VsjG}m2p*7g%`}& zudR&?;J!IErwYVkP6`?bzdEyxO%%-WP%DiQ!;dY8$>}Hk*0Z#zHis5MCze_WcOZ=c zRSsT_foV0m_7y7sqi~V2fBms4r$iDPOJwsXOqMOEOQ?{$HQdL-&4Mt>do<*PVhIl(r~;u@c}lRQk4>XBo7T4Ce8PhDaijIub+LAhiIC*&6C5 zHph>Hxi5u&5k@l&P1T5Iu}(L_;+j$LjF_0%wx3Ng^mv^v&C+xWfHLrk1@^naGLVE5 z+FF8|rDu17nj`$W)*fc#YP0S6hCD_7OCK|iov>z7ts`VL72)=rubP^JO0bvv&Sa|O zwJiOq_SArcZofBMa?%d6W;Zgt5v(%%9S1agoYkBq?x&BF!BD=}mRxtN9M6v_h!n}&OIN#7$PHmb z`h`v-bo;8sP@&fcg?N_o6ir>^1MHgL*;l2~Cv442tb~3{xW$Fg+iPRm&6}Efn`4+) z^pYu2*vzuYL`uIy_o+=4wSR|bpwUNqkA7y!hIdWm=>e!+3&Bz&Aqi72k|iAZmQ0LY z`c*YCsiEa)Y$47{W$VcLAf2j74(D&M{~wzoEzGPr^eQtD86$B=wx7Le z84?0RZ3K(cM|oq`RO)(~mO4&(wTtuGtso^X6s5&YwL$$$J2Kg^Cb2oS>=h4}%c?m$ zj9-8nt~<066$Z<_q;`(qBZseAs9#vHlLDnYEqjC0TG2v^+{wu(Afu|j$)&~6tVD~z za~bk(y?RaX*A^=p)+#)}V8N<#v+$NksDZns8y)7uyEbVN zNdG?dW;IoATau-nhQ^_z<)FH(jry&ljg1q;SH} zRb^{dCY1l7vbm;DkS|?yamu+P}a)x zv{K`T)xIxk>Zs;(cJ}}sedCAIZ0M+lVpWqaKhz*SQChZU$win-nfLj`%SJpIM(`1# z;PcudVKN^ot~SxK#dg(I<*D|uyAc257t!kN5y-jT>LMOV55zH>hU<5Xbt6Y-_VPj0 zxSZuvC2{cDPb%a`6lIyxPAOIcg0@SYbqF=LdY?&?IXxbw>)+wdBA;5*w`2BKt#+$s zIqjFexookrTErgIYvtIk?hn=nWkXUzQsSZfyGXn#|2YA$C0m?R*R+nuKNTD$xOt@aX%rp+M}6LC45-%~=gu3YQI{T7pLDiRJx%C3%iV|*Dg z^dOyeS~s^h1G5EH$u{tsi5ZQ-U0YNleEi<04)*Tknu6fN3F^DLWo5T*$z^Wgp49Tu z`j|JHLl3Ri%=+xLecwI1hbtTH21f~0dZTAJ&1MrH9q=>{*ep$6G`rGK!xxI|w>E;= z%UrVgFl2DoQG>h7nr3*TN(X+w+V3!R>@fbPzOHUt?~q2QPVMQoj1kLVD{PW@gyr<+ z_+57$NA=dZkkRFjTJ&bW*EnT4`|#PT{n z9wd8yHUfkIZ{Nfa$B_Uax17m&VH;dSV2R)Jv+0>#Lv0mRQxS5Bo_#+^Yod=dvu1S~ z$m^sC+Gv_vs_7DA>}ALpFimmVLP_rz>E>U|zO1W_*2Ofv=Tkr7r)Ha{G!5$5xx=Qa zRzg?%&K)<6%Z`kVQcR81rEQ1Wj3Ts}%%`Q}Yv{2`5Kod*V0MshV6%NusHN*j=#%Yv zJ*BRnQL7qM1v#c_gbYhui;E!tQC1RRpWz?9#xnK zmu2ZwWjbLV8_s#^_L!eGOOWWl zLV*k=THmz?)jXw>d6^y22m@Ex#f$H7YN9BE#qfjWYn8Gel>(^NI}+T6>P)%K%Ii*b zJBIwgSF$u>+R%ebgBxT8pmXQ;TZESuwVvT&df+Nex@}n2o6kd6*0RZ^a&kL<_zPdP zO5a1Q`mj~2R4;pmPkROqk?;L*)>C(+7LT^C3&+W>)~odz4FI*vW#$jb?Q~&c&)vhJ zVjZ@cbcfi!^AcXZv1CDawc^=N$xb9-jTj`ezbvz@JXrlZI!ny_;{~x2+G>jF0l*x= zPyJd9uTHn?3Q$aq%*#SdSV)l6$*A~BXj%+}wIhpJtbd=by*5-+En$7rJzsoKJ>O4r zxaZeSb;B!(mMg3MTJLq@A?8W;$b3}QmpbehaiJ;B-&I#NCs14X2^&oS2gn6!GLzGZ zioX*tlTgXA!u3(&)%vkA-|WpU7)wvoS*(;UyhRpQWou%tR6%M@EvVFE4BjoTPLe@x zf*7R(c6G~_){N$iVcst5k#QqXo+I{3RqG82`W%U&`!%+2r&mDxoAGu9V2nn!-^8?9 zLzA1gn4iX;lg`p<+sC=7yGAuTt*L!~OF~CaAFtzDfORwd8jEaq`GQP*A3>&#x{ekT zXfs3;g26-d>UjAusb+FA_NGgBbb2s~mxh>jJKP{$wn`=}%M6XB{YZ_gj;u)@p`Ve~ znSj)lAK8;+)>0$8H8X6)%Yg17Z=}2;AWIXHtY}Ve@MTRn?Oexa2e`jsV-!+aG&t*yRi%2g=qCaL9AE`Fm~V-iQPuwWYZG*nVo74%45 zZPUer+i^e(QAHO2<=e5{_YJi-Zis$~F{}$q=#Uet&AN9ZIi{6Srinx3%O61&FU^FH zBFY}MytLa*(|)tuw`Ihq;`!m)GZ>Zw$JnHp8%uWG@<4GcogF(`IK*Y$P>* z!0b?pA0D3KhwYll%{Q{yC`&U{SFinQV9oN0o<>m52t$S~Fq*HrdsZjGZ1!PA4MU;U zeegT+gY<@sgbrD{_HLqC|JVt`eUT`BW5!;Qs#)l%mb=W^?GATskLH8ro=baVC}7ox zbSFyf;Y>(JrEx<>%6ZcG9+X~|H>7s0Nax2^*qAw_j}_Hh(+D434%0eaoki}Uqo`Jq z{!(7zk>5(0p&_bEJ|^A&94`-HuS>#>Vy?bn<^AlZltyU0hhB*?#J7-*t&_~ zvru`K&ZVty>*GSUp_b{~u}bW#G27Q5XJJQz6vrz`dAtOTR5_`ReAxfy4|;9L%JeZi#KG@V2O4%6yjrUdLI1X zQKJu$k#OQ>Y?4yPfT~*OZs^mmrO%5-JiJ+9Uer3R8?7lXeARV5YnKzg8j%N#6eZpdb?d6m>2tA3 z^+*BRH4Yyu5mHs{Z7*_^wgtwu?`Y4Lp~#+5lTylrpv9OgD+`rl#j(p058K|Cxo-7# zs7&8$vj*#|T4{TS{X(6_X&4N3qPBYe5#G?2|HdMf{jt_m80%|xxOHq#<3&h_Wu%qO zK7D^n`m!9c(&11i!(o!4BlMUdgJh4$>Zsa|(LJZe@NMOqF-?xN1Lcuex^aKz+n>`QSRu@uQt7M%pjDdUR%)s>hry#Fo&&=Ab%16TOnq%JpcK zmbtF7I7}bboosWyt+n2(VIBNcWu&7hM99~PGu)CUAp=_aLo(RQZf)soAcHUjoXS9as>J5&?5xP_*Ph4`wunI+f*57od5E9K!0zUCiO4>Q^3V6uU#zsCog zJji-Ah8IO^HtjXXZyq4?pD^*!HQce|ctwT%X*}A2PO0v#ztcQGQ~WBXC39*HZ{gsY zUL)^@nXtX(tiw+1mt(`0k2Ii8(zPAUW5f1f`<53>grQJu_ixaL@uT)6sxf<9HHv48 z1pKD44b9?ARnUsd6mkMrPHAZ)RT0`=wL}xeY;3GoFCL5~rhoP`F3w5%X85ODwWk^dsGP7)!1Y87zP3j zizZSNG3@DK2g-h_)gv#=$w$a_&1O*TilWwb+Gw|1eu7G0@v+C|M^`jv$#JOo;o%T? zN6F54E6gjS$X2lFO2)C$aTz6w#ihSxRh+kd$f_gfk@)b9E0t7Q{-`BI(p) zm7R6oCeM|Z&BZ(FG=utE80@Va7^kAcYt@Di%J>v$!YDb1pK@H;ag~=OM##y%7AL}d zCaCo)t32VwC^I}iI#v^`>FJ^!7QQ`R}M=Z-G3e@GZh@_7iG>3uOwu)w{3%*STLjYY z!P@(JS{su1w~+KkRI^bj|EE~m^~fKaj$xY5j+`(`lKU3Aq%Gwns4h9S_tmt#5EeVD3nyTObVjX!YTm!7oNH@FI6HQ#S+8X~8^TRgmayGN#=m3y@i z^I+9OQ;(J^ba>F5w_d}=aUsmx^2i|T1>?t!ZrPSv0%>kr*Aj{GvL#=5u4RlZOp-rO zIjMA={JG(Eo0cl&@2W&KCZ@S^?TM*T^WWBlOkK>=Qx)}us^?gCVe8-3SKnIvK@5=% zO(9FGr_c)QOHQ(ZCM)Zs2gtXbQ$b<7+|q4SLcph_O9?6eG4glSD4RxO1zSyl|8)-1{lh7kIayQGnO$}Nc$#7-ySGIras;yrr>Ep7g z<}-Hx)XumT3Zj%=G%&n*k|aQN`hz97_%1~qE3}fVFAW_qT#t8@1A|m_`xa(YkwFrR z4z>-}&}3O_%l@s7quny*1on+ry@6-A%*%4iD!uhOvK6c5T$0rIc-NmE% z=};U2E03-Byef#UEy#B+oY@B$&F&EZ~4VjE(7WuC$UG;oS z`g7g*SM47DUt>T`Ys!*Cy(i1Ku2+uK>B9B=PxIfnp^pFJCde&c zchFtz7Jn1`QYPn`2j&XxHPQP1ELA7Dq1^kZ?IIJ+{7}iliPRZz-!irEX zEv3`RQ2p4fO;{z%KBRiGoa>Pq(EUEiF55NQM?YHFrD3czZ_~Q)VX2ymw0wg0yCBsd z9Y_03^!t$$D}LTTuBWxM{OQ2uZXpbbue7-56NxTU)uz$ z^h>KRtlu};Hc+mnaxW1tx|bYkJ9NyD#({chNar$ffRO+Be~rsJxvU#stNzPaV2O<^ zP30D*dT8-0)uYuf=k%JwySR;wlXMlgrDX7-x`Cm_8k4AP`?@W!R$;n|F+vZR$ZOT| zS9S=XWQsKpG_;h9(Iigh|L-+r%WL^lL)eiiX%%-Q7au)ni!J0UZG#5XSwN{;EKdHc zYP91@&Y*tY(s1jJb)7MEBspx?G-yuXFKqRprl zUhtRTR}X*<;C1*DDjXRnMu=z98R{2G@ZlJWhWkIeX! z{@e)}Kf?Ku8DGwydqT$Va(+g}M>sz}<1f1YOEccr?YuVQe|3Iq#(#7^J>$1He<!&&l}d&cDj|H8Pgy&rca2?ELqPFXwzg9W3Q1 z`v2>$fANg(@AAuMytVT-8K3QZ?Tp{ze4~snCpm%sbk6vcU|z%486V-id&WO;{XH|j zo9o{zr8rSns#=l%P$Ul|wDb8QY`2In>;f;*9cK%+*uW>#n$zc@0syWobQ$KYn=Db_!Q?uGQPj_ks05xRj_|T#=ms=BQrkU zf~Tf6=vA-?k3MYwZ$%l{3((v#XR{c=PQYf z^7!+eb9JZPBxi~8pL`blK{@A5JA9t}L{pq7-`}~)bACO%Ab(sz{tEEVVE=;!Ju@NC z=gtAY0D4yaB9)8t@!i2$-jl#NuYb_FhBem1Ovuxo1OJnr%lZC4!8zaj44iiU<~)Dy za$hF>eC|8o4@oSE?e#x!>TmN^(lb^1bd>MqT%W6{VdTRh&*xqW{xP2WMM2Lz$Wu@I zuaiBWinGV(_5uF@`WwO7Ugv`^DFujn?gFR&S>V+F2{`qCP4;w#pKSWS#J7<~i2D13KLvXxf>ZtsaE=R4fxj${ z74?4y{t?Qx=x@oMvr#`Ag46z<;Pkfx!0Df-I@fyBC7Wo^rI2rn_)|2j(Nret zc^&es|Bt}WLjA8WFO`>ZrV}{(_0Hg%A`bKgXLe%c0F+V=Rd*u+%ui$&%GA%Ebl$wI!B3iemQ@#hxK{R0*TX}>%l4i zPJu79VEy`8&3RrwM}Twv{EY&i?=SW3Tn3zWZtgs==wdbzdM?}XEpU!I zpMdW#t`zJ4PjHS$n=YL6b3EDwoa0fG^SoR~LZ0P1tss9*LH-VK`p;|N9FM*Q=Xmt1 z^W4s*7D?r$og0Dwi2gDRobmQN=c-?)K(U^0hCKDZ1$j|l$^vCp z;REnX(Z9X`r~JUhf}Y&YL!IaS;uy#;4LdJ{JjbKUAg@#IX#aEIte+2|hxPL*QpI+j9l^PYe8yf}VwzN`69rSk-yn zzt#h1yKD~rFXU0%gTDa(ISich;>*D~o<0gb75?)kILH0}IoJBsJ{EGFzL4kL7p8MMbaMtsE;HJoRk2T&f59 z&wkGH@{WZ(%X=<3?YX+ZZz=F63;e&}w7<0;I+35;&d$#B`aA%fb`CA@BMW>=fj0_Qy9J8;JHnJc97YT2THeq7+cg0BeqRx74RN5ozXIfW z?qYSw{|)l%7vwuZer3paDah{x`Bfm_s~|rCd>54KD(GRo{R*ySj{ATcuaxRp!ePUY zzV5xbbJcMk;`z1(`Mn_j8`dihEXW@Od7gWj2zlCnCgkVJFJgO5FUY?MdFIKj{+7zi zde{b>^{}(^ydHWL^)RL&e;DLh504h)Uxobs7+>Bk$S=Hd{qk<-JTKQykY_#g zhdj$QtRO!Q@+{Y};EZp-6!bK#lKL;tO)cU)wqf*#bqai2=wUo>hCIuAbjH8+esKZx z@O;+|;EcCFK+i`~lxXKKkmovctJbN#D8I0CZ7;41EnARZ3GzE3Pg}DfzaHfOgq_{N zxvn?_{5bT-QPAH;Y>nkT3G%G}^TD~!`5HK%`z<)vGna0Y{Dk(b>|FhX_H=|i?b#BX z_KX7GSsW#ns~P+%%rCA1r~Gtq%D)WGb=_~kIX*73YAP@JI?lDctD^ol0{=UB7wFNm zY_VLsf**|dKL(uZu~&j~{o!$NmiJ9?*3TE{}y~J#OJ@Rmh9(q&j9}m>i-jP=2!Erp7cm<(l{0f|Y@|Sh%%eMiipYH|E{(da@rtqIjz}a38g46!5 zz&TDWv|h54alWT>?RTrAe;o*Ut_zI-XFVJPJ*z>_g^*{wx(0k1#QC?uS^wXGvmO>- zKb4Dq+jf({wOnh!p03VyJfb~E6y(n>$Y0VSJ(unKJ2>lSjgCp4>%dz%&+Y6BdD=M? zob7uNIOmCPf>VCJPRSnH-^O`v&!&*4Jzc@+S3L@RC^+po%X$9X8z9f;&H(3gXBGJO z1-?q>R1dVLi}T!`y&z9}E&)Fi@x0BZLBHx*6MncZxP;G!cs;;Uc=TdH{?h_)*eU4G^(^8%_lMOA@*5ZAyBFkpgR?$A zE9hynbNzbQzQCU@@cupO>zU|0uZJ58^5^Z6>W%w84?EB6?M2A5y>{BQzC9-t_y)VB z=MF_&9SnXo=4F$et3CQJzK?Jp1}(_}s?csa)(Y|8$<)|6Djkx z|IvBguUFi&zMgi@bNMCu)R#ZFz)x_V>$x19?=?RO{vP_>8{ixt-vg(fWBR6g=6e2A z=Xt#?vse9cb#$)w^S$id3i5*>&vqXL&NzQaLC?jIXL+wE$ln8bK6in=>zC_H=UOhV zKYRgB|6F~a`g%5Wp11F5;EX39fb+Rq_e<@?=ZX~I&b7Sy?-n&oezy8YdhYI+XN`BR zvK{4LoL@{U@aLh2_1}H}q<^aX~aL$9i0cV~$w10g)e>)&?=BpcmQ_o}IJQwsG zIPF}avA+I|z^VUqaO%Ibz*jpk>1TUQ0cRY$2b}wxZ-Z0Md;^kx>RAz-b`Aiip2NW@ ze?2(s?O|~0nGH@oiw#V6QqP73zB4$>wReFZ0?v9n51e*h0Z#q*7x**a?2jK5`2WDE zfB8YF9%yG5aN4;SIQ29Y__5&au+DiQIQ86H;O~JmZvPLQdR7>m%C#oq%o^a7?+DJk zYli|q0-Wo&e>jhE?@5n)s}4!_^cNQ6QWN;9$Tw~SXL)}E*H;swowmJm*Mqa&?+2&;r@^UbCitCL=lKqt`)>2V&&N62&O=lEJdg2cJUHz+7o2hUI`9)j zWvrh^z-j+1aMr^Y;C$}S;MCJup>Cfor&PI^Ad3Ce+Ha(z5`A>=Ymtu58$-( z(Ba8`>N&l@r-QS<%mk;N`439^Y0tXgEZ3Ic)UzWv_4EN}xlRJ7o=?D6gWvuH&iUPv z2PgaK&ntqn9v*fc`{M#Kr`4aIA$9J8EpI3J7yI3(kY~9T8=ds9T)mvjQ?wy@$9A-TX1fK;zJPvx+LOeVf^4u>ww;+EJKc0`D>gL7w)^1*bjVfzzH=&B=cjWc+d7!hZ_#D?y(2 ztOHJa+Jn=c9iV?x`18(?XZ`dk$oGRh?P&t1J!8RX&vDQ{8F~K6kf%N87UVC2Jngv- zoc7!SPJ5n!{<&zcXCY5}W)|e%f;{b+3r>5!1E)Q$#wY)|2Kn2<&Rh6TL4GC3)1Ea8 z^6NpK=cPLqpNLC4K)w;<%g&HzefBBH_k%p`A5@SZ26@`wT#%mxdD?#*2ks|m^fFMk_(L!R~Dry$=C z^0a>tFoo97cTm2sRTOrT+-DBW`u?~6nQR%s~b54QJ1OG`XDL!}Gqmv%; z!@#Nk(&OvPpK(Uwtj}5CY?psK*Lv6#_3#_ySr47gO!}#(J2?H}I&j|8{yI4I%mJsK zPG=RK3r_iao#*9x8S*UGdj-qKdKj}QzKd&Ia>;*wjF29@e+)oA-O3!3Q$hYT$e)ezVn#uJ4&>RtekjNCW@|d>fqa-7I)neLbrc_-4*?{o54e4=C^n1wBU; z zr(azO&T>t;BG|8Xa9o?}T>W-)`4{uIXCcox@G9hWDL>x-|0d)gzRf{Eo&Wkf$HM4NkwB1J3&xTV0pRMg6Nd&;4`b0`CPqTZo;p ze+_~>-w&MxPCF+T_)P`=2Kd{UKh6bj#Jul2aQewS@Y|$HqWueBpW5qBtgm(l=X3W4 zUk=Y50M6%*0OxZjfzuDCI#++tfAKpnFGBt`Ja_FIlKqU68-af*4Ij&U0XXF^1E>54 z;Ed11ZcNX;7WRw*r=4el^SKum_~ixO>8AAD6|jDCIQa9h=dJ>OsleX{=lJps_yqXj zUvEzKu-?`HXL;Kfcq90cShqYJ{9=qp*Mm2sy!U|94_^dd9`ftolI*8{ZUcS*{HM{m z`sS910}~<7@#3Ea`Kt>2zJi{2z-i|<;IwnGTSK{WJJ)rtagX)0aY243$g^Byz}ddX z7Wl~pewOpx&g&r0=iUkVtx*3DLw*@4dhGA7LZ0pQ8RV&deyv>j(fT1@*16ir=dKLi zMSd5byAJfwo_)djeYz>oqvKTkzS5PD=Q#Kvcu(}lnFT%nDaii@&T(pqsi__gLVx)i zIQ?fWaF(k#ILDV!;KxJ%q2SbiJUI2=4$g7pcW~-o`1VvT>TeHD{r$nIf3kD+2mQB_ z)w8wyi+SP)f%k*{WyG}j-2UKfui?-`J5PrE6x7do z1^L?`&vLy8dDiEvkY{~<3C{X#H7(S0-Y%`3=XvP{1-?yzA5h>&75HTZ{yaFpN7-;! z@{{vWpG$)u4c^*$?mrzN&wB1z;HQCifc}fXnYX;`T%W7|9`yeBL&iUIzTEUwF8awP z;N$V!F5r{Fdw_QZ9|q3vgkA;C=f34!ZQlX?Vh;HB;9r7w1)u-!R4(2VwKzEA#um=? zx$H-KLZ0olFXY+Z4+Lj_9}2!5>^vO$ml2a=e?K3b&%F$Kx0Is9cy*q~|Ap>P z`Wdg5Dex}NRnJZ+Zy(6BUH$>i`S_p$zaE_Pthb!!&;6|+zt;nyT)F&V&hxl>YJp!; z;M2jGKm6Ny{@h<7&-z*R!Bqduiza|`J?BnvKDX~fNe|^O0B7FvrgODZ|Mhc!SnT0c zZ^}=0eyVe=H@3_CkEG`^|6jDg9|7M9@o+9U^{@D7(ogwyz}b)5fzzID;FRy>T+6z% z{EPjx3G!^O;~=m7NYC`^&y)hc5_;Ib?grma#+>-v_rbZ|@)bDq@L#~`53L?c^`@zP z)W0M+{jCEypW79j`SWhzeC|HreC{A{`r(t{%wx}fJlRkFEBKx8pT9g2IW_-5GFYr{VXVvqi^FhwFo>@O@KAr3*@B2)xo_VgP@!9(P z!~#F)x%%?0Ur5j8diA}|^Llt9B!7oBUlc9DOP&w)Js?dyX4LNk(`lwSe73G2hFgY$a|n}DwkKO6wg@5qdB zp4)#O$YA z8up9;zZUx`M}l*FydIq2-+9q_^z$iF2L1W-)nKRcUFBc&lNDa8Z~uwlO|bJ>@D=1w zqn?++UxECW&hzKCnpyw3ZNaxk{r?yI4Cr6{^`vJq>{$_<^|L=XzbDcRPX9R$oO&(+ zr~Iwp^z%o-DL)&W-x=xhMk*J}+tYbopMxRK{yPGkdM1MNdmm?k>!;gd`(6#sdUy!@ zEs5n(eg-(@mv}Rki}mn6IQ?o4IQ{DISxL{v=)b3ekEH$JtcP2{=|9uKY5(ePrRQFY ze%&5?Rru{r;M8-Nb8W}n&>v5NJoD8l;M8+H^z?+DyC6?J&w(?}d;~peQ;Zvny`9QS zJv$fpQ3d`$fqz%v8^2Tkxq}OQYJtxw@J{d6*FUVluP*Re1-{Je`uevo@NorxKRCaW z_!9VY7$0YWbKX4pE*ll(yMl8c ze-H4Vk(Ukt=Xrp!;9O@u7M$NBI0yV&Or4+5?<+4hH9Q$AeS;ngV|Wd`I+) zpTQRbKYLEHllrHFQ_rj5l>Z2v<=u5|(69ci|L*d6O_Ou&kDMn?0;m3Sz^VUDaF**E zaLUgEr~XAhP4%!2^22SwIj_7Nd_O5fZ1<vfYP)Q_q+Je-4~_?)*>E&++1W@Ya|wfB$8Yr=IR#B~Cq$gHwK`uj|WS1y1>2 zz^VV_Z;~F$-(KLK6!?zcCOy=Deu3}wU6SW>uLh@{&%r6b_xDK;B|Vfs6P)rNfKz_spOYTS9}Q0V=fNqz%72p{ z${z(z`B~tU-{zO3hw>MKQ~nQd%J27U(nI-Az~4o_wC(?rJjbcqz^Q+U-;zA_?+s4* zY2cLq9Gvo9=GE6f44m@!g7?R`zxVG+56g8LIQ6^%PCNeur~LMR)Yrc^IOT5zr~VJY z*PWfL7eAx!6T=~&_hU498;2U9Gt0y?e)BC|G|8ar0 znJ+z;dX599p2qo;Jj-=6IO|~!IQ6$`mGn^mYT%SV5}fj_7f5<&Pct~}xdfd0{|!z( zD=wJyvt9lUPCdJTGoL>Ioboqy`T*w~|z8CV|lboyn?;-!9J*Pu{D#|q(@_R!5>Vo{8kna!q`wQ~VL4E+_UoFUg z2>F4K|EwVYU&s%F{GSE+CDsh>tMxM&@+&x3zh(Wb4f!FE->4wp1@cXh?^clS1Notl z|3^XoAjtQD{J4Vrv5@Zz`BMt=7eRh6$X`*Ap9=ZCA%9On{%OeX1Nj*R`S&2-5At&g z@;^d;U&zlZ$S<~5@`wE(zpV4zAJ%~UKOo<>Aio9V^;?UvKXxt1_lEodkndNJ9}4+K z$d4|_9|idXA%9{){vz=AalZO8@C6X}t^sFUx(S@|^LB8?x4Xd^KOY1iia7Q-_&3PM zo&{eEaeD^%T*S}U!FNEseFyvknX1Ni{1AKz@VVf>z|JqhuY~;f;Mc+aU%)p3{{#FE z@CDWm{;Ynx4aT)a!MmeeOMy>BJFWoE@#q-vBQc)d0KPo z(T;t<`P@<9)N?#I^<1@XdhYkApF6;(qMm0u*KtJ8CwG#v>CeX*Kf?LK>m~jDkw3R_ zu6l;azvx$+LZ17r+ZN>e734>Oe+K*ix_+=Hf9~4O)qnWh?F#by7UU;_AA<7s+Mxb( zhdIxmJH8-)MnV3gjZ!^xzBYT4#HXO&E#5BiS!nl9oagnkO#39yay{-mm;ZNx-`z3k zp*?GMPMr2^=RDVc+h$3g<$VI2^Vu2Bb3LCzp6%Xxi~9QaajtrX!*3hG4+0+wJ_39U z_(t(k~_G?^v(&NvX8UL${dHT~0e7yX3j6eOI=l$`Vg8WSd`MV49 zFBjy$1!uX|)sJ4tkJje|`4{cn*}2*|4RPil;9G(Zgr14e(+qwH_}S1y{a1if|M$?t z`dn=LUXZy|uXZ!vDPCe`NPWJG*n}bt+JUE|w5;&iGH8}OWQs8^- zk?a|c{&FPv1y~2T9DFm0&9Oe80UwX`=QqKBL_N;|KT(2W)U(!}$sYRo2H^Db6Z!=C z+}|#9p2yqk3-XT^j^`^b!r~f$? zXTt;Q%kN&`XBYUb1^%@2{JC=r@=pv%^?5MzihTwJ-d4)Qd~%|5)ld1K!PiH;T4He0 z&-NMxPCZ9~KLtIfgP#HayvDiKzy90M^U~W2^3N6c>;nI9LH~S1Qn_ePn*wiN;M;)r zLEbXidG1#a6!^OZ{`aQ(?RbFmyd7@=AA*VF7g*K<1Lsb?DGb$+yfQ+{Rlmx2bNOX6e!TMyoohXx zhd8s{K}nD5I>P<-ssewbzz2^^^+5gWjH=b&#r3~9x|a8I{>1piwOmiS{j;6t_J0n( z8T@3)3CW%t(7tOrkM*`d5Nqg|aZj@wcF6d7F5f5Pvz-sh_*ycT)}Q8#k8plm#_w`| zvvVyk_p_#fAB=hW=iu+5|NaVo7UWmf%^3O7dN@q}#qnZ*bA9f*kRMr)KexcAK@Zol zXBOnYEAS-`sc+}{&ecx#qu$_mqus}Y9|ixv2z(my|LNdwA9!n)BQbUoY^V3VheY>ifyT1%8L~+|M5aXFb0H&i0*G(7(>%sXpod1HoC(M}xDT zFD~%A3Va4Q>;GeLmTSQylAWW_FWQ3dEHOC7hb_Tb4^7VVc08`Yr$7(;?_6*`cc~+j zog4?(FYun=)N>U$^ZAFtDgP0;-We0?VY#D{J?y7{2WLHR2+n#t8@v(*Lwmgpejn!D?}NXC=l%rFdfxQtRNgh9zc)Dj`9Sa!AwSA_?k6Wfp8jxlLH@>q z{B&@RgAajo9Q+NO<7}&AQh7Pf?f||7#)Z?sd7k84aO!y%obn%oQ+|VElRcWVL_h2Z zPWi*ZDSsR|fgobtnuOZKoIt#d-+^q+@MOneiJFKtgsobrPUe5!NxpTp%} ztcORzj{tua{7CSRz>fm|4*Y2F`A!aY>T{0)UmE;a@HXK81b^+cq~|#BPr;7|U*?Qd zKRwV-_bBk2!C9YoI#>Hofc~!`zbW+p0lq)@5@#lR$U7EzU+`}+z6=NFbH_MWJ5Pk2 zQz6giK33o}zz4$q?q?{;R(Jw&0APUBG!xY4-v@u)r?^-xU6EA2`Ra7o4j<=)WVRuJz}A z$TM&GwjkedZvFBu={(oJ8sw?}nG2F0*7G0WY?t*fO!92Uo(0|vPCa*m^SLWrl=QQG zXM*#&`&^Rb`To&RaQgXS;Pi*n!08WD3jEdrzZ-m>m=@#t3*cX3UbFS&V1M3TJ3H5W zp6xXVoaH?V{C4!;Gr?)kP2l5^&)i$!bHT4c{8?&Bs(-&p@`oU6aF{&xZA_mUc+=M>m881lTQ<#O;<(JpsE zkCtt=$HT7+@~tmV?XnQ!?MC2yKWKrglRW*f132v*2~K~$8l3I*EI9Sd0)G_!eW7cT zJ*%T0)&lQ|akB$B{b#!Z-@U*O0H=R8fm8nx*Csnz-aEkAj!!$!`}K#Ar(b3(oIz{oQ%~+$|taJ-Zd;n+ozrgY&tkgR|bIK>w-e7tZknF!5S3|)WXRZckJb4J5e)2+r zzg^(}cAl5(H^{SG3*Vf|#W=G}fv*fsJGTI*p041OKNy_j)Un`fud~1z$EG>g^6I}h z9zC6LeTP|pM&Fjo%Q$%xIG_6xIKTfm&v|@q)W7}Ipg-r$&UL(IJsely=Rgm~{aXtB znF9ZJf&c0}&mUUdp6Z8jX7n9_w-x)j5B^W*THe#OZ2o=ulboym_0iuiDCoHj^6bB> z-I?n14CwC!ekOQV=la}d@!WGEFX>yuZp+F4k)O*UKMwiW9pHx{KmVkl=Ud2A&rjf; z#Hd(5zkz>+{9&%{eUM|gR!cdqs{i^^Eu)7sRRzsPwme{&|k zfa_o7?@7;<@{Fi|UGS^G$AYV!8@itJS4(=XhWwS_*MJ|oW|F@a`~>jpz&q*UzWnGj z`P?>+^Q~ z>hl-&OI+=o68^K{?6HZT3;j2Mp9em+ImxrUlaEjQe8^vTV&arm|bSqxN4c z|6=`|;#}>gofm`C&Z!0dWP#5Dr~My*)Bf|n33jSIo1t8jze}8U-V9DVA1LtW3Vb#= z?fe9sc24_Ws?SSMpKJY=>}1?tf59b1s%0D-v3%l_p=Yxd1JC_@%)0gEUt2$M_PcMK z=X!S8GRgC~mvl*-dhT(a>sh8}lBb@5y%MLMqn+n^-f2wo)YEog;?%Q~^IXqWREC^;JKcIPDt|9bN@++Q_n2txt`t^C3)&O^peD>=lPowr~LW1B(CyPPE>D_ zZ^1v9IOQ822|Tyw(i!#Tk9#$7>i_!V#Hs&`IZ6LutZRJ?&Nw{(+$4WE)&~v-XT19T zi}c(nQqCB!rZ2aYm0NAR6#PAK{oVed8#a95T;me*xb`CM1zBdq}dAdFDFcw_&{N0DczomZ!iuKK|%jZP$O%&fhY=zn5#tNy#4C zzXmw%-x{3#y*K!}sD~!-lVze6>!BH(N$A(p3j76d+W$d; z|LR=Jb&LFq_AGTost2xHuIN0MZt9Q+&Dza98{nD6u`=pP7q+H*Si5*WWOE$}-F z{Fws(xWIoY@HR)Ldh3LIqciwR$Xj}V)BX|Q=b~Jvfb+XfSAx^u?gXd&3*eNW3r_hz z!70D=QK`I?Ul*M6oxnNn{{x)&a2^hRCF*T5IP2#gaNc|WC^-AYOz>4Oj?4z9{I}qg zp9ju+O_w-2)erCI+z_1dn>*M3bu0Q~FUZsX_W@`9oD9zUoG%0a4dedw0)GL#Kk8=| zIPZ`B+<9()!!fBIX#YaabNST@^1FjGzug;rHQ0GDIO}I3coX97wcxxT^=|OakbegJ zA@ujR!FiwRipPd}(DLdy;?vuPjllJHQ*<#;es%<>{C)*Ks=!Yw@XHGP&H{hBz~}#G zDwo=Si`&1sbIn)TUgIFoa-9r$_KOR^*mQ~nWf%D)3n`Om;9ztnNbZz;bjIOVqn zr~Izqly3s3{CIH6p9N0&OTj7swR3F~{r94`%O8-}EwwoAuX=ncFXQLt1->6R?HLPB zJx7C6{`3OB$hq2noBWG*PA~8o(8DnX^?-TApbe!?}Gey z1^ER}PVF@v@{2pq+iP{m-wpZo3-Vh-{vOD8FUao;`FkNhpddd1^7ldh$b$SikbeO3 z7Z>Djh5Un%pI(rE67mm0{>6g)yO4hv@*fxE{|os?Apd7Ueu-03`#uW!6`beo+ZOVV zLB2ylzANM(hkTEMe1FJ40r?>X`SFl{67okBy-G>Tg{! zPoEC{6V`=Z0Pluzd=@y@^H(`7)Q{@_9P(|!SHk+qrp|SodPV-le5n`YnQx2*|3n%f z${zk>bM zAC2{gH%?FO!u5@>3Vhcy>dW^p@CgO}Jow#MS9}$m@9WJ5=X;~8o|)|7`sbS9T%X(w zoa>X@f^&Uxw*ud%z=sz2_yRw^z|Sl2D+~N_@aLqHMgN}--WBuuGtWx(#&x_qz_}0g z7C7tqKLx(k*-8Ht_-9jr_dX}duMK}V9sFyo^E?Mm`@aUK{k!}t>8Cy83w+?YNuKsx z22Oh(1*bi47x=FQzU+DFxhtT(`hnB_W^meh2{_yRcJN+^!|#FjKz#TGocjVxpP%fc zo(;g4hW&ejZ;W`1^xo!_H*EDuXYzC``KPwgVUa#;IwBPILmc1 z_`)df)!faHZ`x?80b6;a`aE?>Qg0ns^ z0q6K~b%Ebf;CF*_eg4S;f33iKUX<#A`N{d<%ulWXXMS=kIPJN=z@I7bx!|)AC%Hoa|@*vk^GQyPd$f{(m6&Yw)WH;FLcfyfymcH1Mh5zk<_$R=FhEPk(4z;G2Q7 zz50VwPg8-924`M08GIz{e+0ZW<4J+f0B60u3(j^~d2*7XTCQ8 zocZ2S;5XvASAu_!`NGZMjGr%qcZFYl22Ojv1*biWUz+NH_N)(1dpd&Cp042g!~VSs zd>A@Q0c_*USISNnl8E=?%#i@_PMrh{`Fp9%gU{NY1z z_M`6$e2L5J_xE+3=l#81LB2;pz7II<`A2~dDe!Z_cSjyF3!HKCdvLbzyaNBr74`jL zF>uDoHNok(TYxW#_|p@-4dV6z;M6l3oO+H2r=BapH$YxD4SWdfc^RB>?>q4Op=Y@( zQ~i*)1E-(w2YxZmxg7>he?AMG<+{OnJ{~;|d5%ZVgL8a&9h~FT`vv}4fiHhms)ub6 zKi31l1@+buoX_o2;N8HP4;%tM8_#_Nobm7*@GaqQOI@Apr=9J<7l)th2F`vr1e|tG z0%v)TE$~yospmRyj^k~w3HGZ$aNVqvbB$M5BR=#4zYY21Fz}-we=Io9y<7;+esnc> zO}<^=uN3&F1^!2YFL`ZhN1nUr0?v5Sqrmqr@Bz-Xo?n%Jaoy&q0>2P?*dMO}XT3dM z;BOT4e_!CMT$k!$5#$eBfOCI*dvK2L`+)P@(ShKUp9oI*uoCd z0F>)9aPFu70nT$r%U_@BhkSK#?q7Fwp4+(#`_ z!CC)rfK&cI;FSLnobrp_km`-{%YsvWeQ?Te22Ow2!FgWK`$3-dJP@4o@k!v!e{KM$ zpF9Che|V?Bzbo*CZ%p+=J^Ac)@vIu75+G<@&rJKmX0C-YCBcIQ^j`IQ^j;IM0#p<2<)>T!EhgJ+$W>aJI`e z;PjIR!RaT@fm8lHaLUgGr~LoGDc|arRG*Yz5uEa?fm6N{IOVqkr=RcUJg?`2Ay2=( z2%LU<3pmfyz5q^to?GC*7x;3wruw0t4GMfSaQc4_=XrS#ggpIcXhHs%g8XgZJQsR5 z_|=$4ya3L8<4tg$dtC6gR1ZAIy8^ggH5c>7b-{U#cMEWy;~fP~`zM0GhJBpVz}dep z0H^&=fz$ps!S6-h^(i>*{}r6}Z#*^C5AEL+d=lz^S8&?DH#qG-0i5<<06rS|)%D=C z|2}Zq|1~)6{~3Hk%ySpJJ(ZXCuK-T_yMxpIy}`Rd|4?w+e<(QZe;E7<%x7nSk45{w z?OglgYnbo+x4_rGBbE15tiSaDp8@|r-g&NnGUVCcXMuBH`_qD+`R@$&+qjY)T<^0Gcp0cU+qF7WHYS)cbf z&+F|K$g|#-pPuYt9B2bR2mN#taE|X=InSTl7xH}W{@|?VVc=XZ8Us%GbHVq4ozuX% z-u1Ba+|F5$r=4GbzYc#`=I;9SwlX;Dtt~j~ZBysDJv|{$d-einJ^Vkq?gU(`scjs1 zi4cWK8Jd)ml&L5hWXcdCB|@Y`GD{IfqbZRgbA~2Vl!%lJWfnyel_?cU5kkcO?C-4S zzkcoataDwx*Y*9r+r92}@3q(7&wifsoZE5F_xo`7;c2+*@J-xxxH#b}ao6ES-1EA^ zi^YA*&$n*yY#(#J4HNN4CgM-TJ+D{eM{^vvdMO@9UoTX_y}zxW@Pl!W?-9ZC^F4!j z=i3$c_>RUsPsih~x0$$k-om|J|Bky(%Fl@Xah=q_T_^h|ycO;`X@`5=?-D%Ux2uV_ zZ#Uo`_er?NcMk6B!PU6&Tf7|m(3yR{25$WRcuTIo9dYkZE(o5@cOloip$Q*N9{VsC zZ_GMhg7>HXpK;g2-?-~}o0+i>zOPgXzk+d_;CtY0ar=1zZa)Vnd=%b@`@M;{_0Ptg z@B6s%U*Xx`o+{iA{Dd37DR}-kR-P66=JBc?JRjeRc=Ml>h`%)9Hhd{B`kzxt}};cU~=V=XDY8`W%A0 zJ|Du}PiErAFG~0-+<9%pH|xXf;{N3Oc|h>|_4G)*6R)q&#V2qdH4(R-xw!Q#!nfx2 z(U-V+c7HVChoXjRjd?U{5W?s+M zz~``!H3^re{l2fG&lA^uZf%gK-~N4LviCz!j119JimVW z6Yu&NlZc;{h@Y2;Uzvz+{buZg_wAi@_bt){A4`)YWBkUaxH!%_1}lz%6-mDxbg4f*106%tApp)&o*xt z&nxeB6W%I#{<_~O5#KxEW60B+irdf5!Sns; zO}yhihkLv}z&*Y{;KtW}H`ed|xgTzSTHx+W?Qr**3vr)c^~23`J8qsyxOryd=2?iF zX9I4YZQhH0Fi#EKJcr@tIX-y)ICdl6<9Kl*erO_o6z+9@A^sTW`|?Eoe~7o9s_(}> zcwMNC_vOC2Demj9BXIk6HSY77f%xNG_wU4yV}E-b_j$`S+~+6jap$!W_xZ-wAH+WR z{9!lT=MVL8Uw<{m?N4jm{+x)Lrz38jJ8}E@IPP`lIo!Uz9z4Hp7ZdL~`3|?w4d%tZ z`TXP<+~*HHg6GG*fq2KgBN0C-;eU|FeXr_=u}(ja+6p(mQ}BG9R}gQVLlf~2C*q&N zeZOEvBG2E%dtKY&qd2cc+_zW6-(-KN89bZUr#!Dagm~xGk@)PtIWqe)_@bW+h;PXA zioSR+&g&cSy7=wnx1Pzwd!IG~pU%AI;?8#sUXO7%;hyhX&5!-`bM-spK0mC5yZ%qa z_v3z`8}9F?^vAQW_AlJm4aePo9>QxA|1|D%%jvlL$y>O8*Y88z&#N!OZ)e;u@tg3< z3t~TAw`bxW-@f?E?Ekj}&(>h}@2s#6MC~1B7R9Ce!tJ-xMg@AvdtIK_u;&*oAA>TenG;o#A~w-N8pb8Xu@B@ z@8EbXz(1k>s!K|qSN((^f}6hwZk=NjK51zj*E}!c_F*w@{c93lZduHK0k6yUOn4jI z^S3kZxC?{l*WpjZyAE4_8SB|dJ#BHnH={G&pZCSC#dpSU4xZJM{Tm+ktNVx_NBq=; zFT|&FUT^zVtlx2W30@d?QW&=`@s8Uv;b$cLs)XN>@X5IK_xw86@8^hyeiPk!J%U^R ziwS=};ol^D18$vre;ezu&X)Lk&g;u?>mP($|EPpNo$%KZ{uyrlzXZ>p7v+}6d3jzm z!b`E=_Qbtk9gcfnJs$UZ@gjZ}`OAG5>v7!PxcNuo=6?b=|McKlAHL&yy~T<+uJfu9 zJd0mWe49l4JGk|4!mYo`$~dm|?}b}`d))lvaP!Z`&HoW@{-we5{i(ky*6FyNaL2tI zcie%v<35L*|3BRPyL=z(G5_AU`40}BpVtuL9rpp;^)Myj?uLg@0c3e;4Z9c1>{~ z8Wh=1+|SgK{%1HN;#0PCv!t;(Qwh&+;4J4qwW= zPQ$bRrr|wB|5NnS17BA3e;4{NBzV3L6L9Ne4XIgaWuXe?)lzLBiV*G1-K=ACi zxZWlO&+74dF&lSZ`V_a$mALy-<)338zNMZz!Sj9C5BK<9iM#&$li&N9nZ)18e)uN- zKKsCrxP92-m$(kyubSgt*RI9w+nu<5dmOiK$E=Uzn&&;-{``V}%Y1A88uNIc-wb!Y zXW`E465M)*;Lht_+<8sL&40*mu}<^%$KPU~9FAN66x{r;3mxb?q) zTmKdtORi_vgddRb;}YIA;nyep!GzCD_|k-LN_dUGOP=px2|qXC0~7v4!sjIXyM+Ig z@U8!e^?TfF)DTZ^IV1dymSD*iRVA}<37K70sowS zzK#3*ZGP~4oj(w7o&VxK@7?{s*aycw9(P_Hap!dz?!1QMjkpgPjXSRi!SnNajdp6~Mr;#aXw?jwFH*5@?hT~{9v?{WMMw{NA&mb^}O4W6&F zTkvc>*th<~-^BY7pCsZdZC&!X4TI;$?SPyA+(e#hiMJ1Pg6G%sGU6+;o*Qpd^7`o$ zJb!%e2%fM1Mcn*z5_y&qZ~a$nTXH>j;U1Uqxa;|4-1Yn+?s{GwJU`#9$`#j>pYQg; zvv}9@&cwT(kH+0UhX>CeuY1Yw`hSKz_U#?=*q;Ts{rLj7Kg)6ZQ+~UW*Ylpi^ZjXv zyU%yU-RG}K=R1mc`~N8M_J0CyJ)hzpmulOWybkLI&##kK!Sj7Moje|wuDHkL zBHZJ074C6)BzV4_=Y!|#nT6YjUvQ7hHswn`?lptw^VcKZinX>;F39 zT@Pau@iP=#9a%b;geZlkNKA-S;Jog*@(uR}$~I{S)!SiFe$0gXh=(*TlQdOI3`0 zbA49D{XO5qaN|2A{3_h@_cq+~cUJIx{htzV{VNjj|0d!qR4SftK7ZZd`Tf5U?s zUW?}>hvJ@hZE%m{X}HJzyx{rzuO;642jiaCx8dgh5O-dS@V_}Ot8w#ez@1m4U1Hz- zJ*FYH{kYjtKEy|o9}0};Q9T(9&SGy6g;c{hoXOl`?o69V}Go_dhjg%N8KTqL4S9v~oeqQs4cV3li#QB=Pdcy1Bj@touUL$emH6h_2;nuS_;a}s{vnqJL z52b6y`PzqG!SnHh67jbu;>RZ9pH0NSm55)Ei2ptjzhAB5dFAUrHh6x2>z#>&JSmzf$mgJq?Ms z{zDV-of3X8d3=5S1n&2xzl0k<7x(X0EWrIc3oCHHhxQNL{AKoz>uNRkMOB06*Hum2 z*98aRK99N%_xqaeOZc>e&kmj)uk87D;b$K4^?3fU9QS+U|H7?j>jrV1`29{*alf~= z4(|60H4dKDX+KXO-gR{~?%#tRhr3Q*z&(zy2hWfD1@VsiE$;UW{D^yeH{q_gviroo z>9uj!;l8-_x5n*5+u-?m^(5Z!ix`gkcQYTxo$mzPb^9~!I@z*eoUh-9Rtq=2S;CJD zo?p-HiFZAB!(GqU;f{Md?z(*dcilb}Jm2TH68;r=Tvxy2Q+R#1ZKK#Xzu(|Y+`pH1 z8Gbv@VTR(ykHU?ggd6_~Zv5Z4>#)kcv3`BOgm=U}k1oP}o%LA4*WrFo(Vw`lo2u*= z>-76o4#fT5szY((PsIKHlQZzExgWa__x+T)e2Qy#B>IlfTIUalRhM zV{wmTC*0$8e(-#q1BkcIn{kitm-rm|^DFLpE^}aU{rPdL1<&7y)WeS>f8&H7k?>Oz zes01qOZaWU^Yy<)yq_oeG7~po|alW4K%@W=r z;pYU;>d8LeSopb=c=x4YxZ{q(y`E0N%`*#k|M?(zzCSC7w-2Ybh<)(5oD)2s=NjV8 za}Vz4jvm9!KLvN4%*2gx(V+SJbQiN@wyfFy7m-q z{5uK%BzS)Pd`rB?eIsuEiml>t)a&EsX@a|cjtZXdPuGO^BaiE0BJS~e9rt*Bh9 z5byar9{2aJXXEC73wK^iar?PEcvesLZ+P~lTtz?s5I>6hx_#QjdD)*+aQkyP?s@bu zeh_{87&reO$HZ}+?;*kS{cKOX{TzauXE<)(UctBE_4s#q1?n$%Y^+m12Y1}7g6HcW zPQ3NMjhp8q-1~`;?!NIGd91(p@x}Gz=X+c5 z{62G6B7RaL{-Z?v4~h6vZDW7j|EuAy+v9ORhk07?{JbtF-ag!vh<`j0KRFTqb|QXh zB7Q?6zTOEXAD7m_^T*}5M0~eI{Aj!v>u?e7^XCl-Z*yWiUdH!G_^^bJPxxC2UzzZ- zCzV`Jy@a2Z@IeW`7x(qZ*x>o~Hj{YQ+k3dLcRt0xxc`3w_denI;MsiF7yT>jd-I5QzMtXdY0{y%5BWSN2G3uYPfx^O zk%+%O5r1zY{;@>-j70ng_{qGESe3|As$)Fv_NPYhd>@)7;@jb#*JqOFSB}f|#Cv_b z2{+Guxa(&Y?s5DucvipTu1@%tr<@XLZ{^<=-FUicY6y!*o_+;PX_ zUUz2U=6MHqe^?wm-=ANIcRh6L6#L_Gxh!}-&&|Y}XDsgZXbNur*KpU#`?&E-aMwwh z(_{VD@f>DH-1Sp8cz#|-CwvrnJYG-ZUSHnDjsHI3zXs2*pDoUa^YXawhMWJugr9($ z=XBilb7Am&e}*P}GuH`^7ZVK@S}p~_wx&I>luza?&w7R znF(J=9{ccDBEI68@%S2FJ$Qb;2Pfh$OT^!ti2nh1zO~MZ_1K@IapOA$&)3;I;Ug3N zH2LkrSGdoa|48Jie0Is}q*3tvdbkAldEg-Y3+{{V$M4|tuC=aWo?=J$C;b9^cHGrfXm>#C^D zr6yG^zM}Te`S9R(=lp}<6Uo1l(e?9B;Gm?!GEXDBgtc(y@PnRq+e(4Xo#z@jvjV z@IUdl@W1fo_(r@`k67p5c>Unn`RMhoH}3Hof}h1cb_eyf0kw!q^|zL!IDRf6TK#@mur0`EA5+!?<_hW%0-G zt?}vPcm2GT@MQ`AHR0R#jPo^r4cvY2Xx#psiMt=37d-3Rw#=(H@gA?i#Fry}0=_-I z7%z|ig;&6Ly(sPvJK*hb_s^ce^Y@v3aQBnfaX(l2G4AiX{f!^Vd9g#UcwD-(uIl4A z65k5&Mqe?_Lqz zJip`S+4jnk>ueZ2tJ6Ll&?n~i?@Anw-_H6u1^4^;2jG4V;Q_oqpO+Ym`*#rD!2LT2 z^Kt*)!BV^reO`n6_ci{-{rei#`o=zdPM#+C%lIj{ed~(bw<~b_HU_sp&*1jwE!_Sr z#O=>Fxc&JB_wSOFz9#m;{#3{PI}{CZ$2|nMZLUoZTbh~Mej*dOC}#XZ0F!2NrUXW-7OCvN@2aOXQ3ufu*j zDR_Rq?)<5B2;Ujo%Q~vr`PYsTH_25~5c4M6%OuYTM z1~>m*i98dDH_vL^=a7f=k9GPSvK{X8#vVHRZQtPedEH68^?Zt(|7YCif!hvgZqAWoq=&&;~NFf#?AiC51*@SlJmvEd*^&v@auA3i2niixR)JN@_MKl zJii{A;vV&MEBA?Q!29zXJFD%{vo55&whxoL7Pu*3Y)tAJ;AVDKj+Ib2jJ2&cO@u zJBIjf#1A9BKi(I=C6}ji$nz%gUKbYR;%kQZvcnSVFnE3)PRBiuzQ8^2w!10z!T6nn z7y3{*@2cgza2}nN^TK)8E$4;!FL2MhKN7y<&9P3`Z9Uxc?hxGb?&RRvyd1YD@#eoa z5kHT3_s?B!iFH=xK5ehy`Egql@3@O`kIO%}$FcFPaa`kD2G1YIqjFw2E<5pJI!!tL|8;Q2mJ z%6Xx0YjR%b^RGEC#P_|uemxvbd~5c} zixTmJi8uf2xcluQ-20+Vca+?>2kwmZZ%;j2j*M>pU2*e27(74UX~bLqtBLr#WN73+!)o65crBN8o-R^>Ezp z!F~dF+^N9}^IaY0`x^1yKYWq!)%ctA`ET4jyWU%Je;VKi^19<7yak_+ZIAo9wHt1K zCgJvHX7GF;-Xq@nzf1U^xP91WRLS$Lm++>zeK-QQ59i=F^19=4+&+9ip}3xGzSUW` z8}S-=#pyA=Cf)$Ag?GUBz~7w_`_Pf+6-$C=^_YJ-ZvNG{`FDLK)>)fzH_a~g21WUA z;e7o5)mYEToR7D@SF%4EJfG+E_e;*-FL-tx*(`q|{-h5|&Qo(<$=)n@KL6PXzc`U+ zzYmM^XZ^23-&O?A&v(p6CD$`6c)p&`6aIA~&zSio*K^x~=zCJ<-FRL6QM^9he__e> zclor~^YuTqD2}@~d8Xp~;4kA1@i*}O@J64-{0;C4i=*$0zl}G-FZ(>k*Tb*F_rjMi ziSdrR$Fk_={}H#IoxY6mj=L-FxO;tF9G~@h8rO?`gBSMUI^lI(bK(yr{^W$8pYW>_ zek0zA{L{aQ^V*-j&BhPFJFbZF2jX`H&(C)P?z~<|_&d0D&JUjTtuf>NhBw8xSy^)b zcfqZve!`pK*7I5L{J!zdsyMFu;mzMipIk1!FEeg+bmQ+_Q|#G%n=!A-Yoi~6SHqj* zb@3K>BfJUz2!1GD_2)QlE4(S*68{Q62w#mKjGy{z%uo`JaI-hw;s zm_Lg1Wb4-7yMG(^{QWR^{`_4+yzA=cgm3j{9M|}r6J85<9hTm)Vo~L#N@ex?{@~sT zKMsG8ec(*o_v2nj_y-C9JmG&=EV<5GE0yeHaqB#{a>?=iaO1zmo!9uCV;;RymFV`f z5pMofxba(6jd_gkf;(=HU1Gd>Zp6*gbk~yOJL1OA#vS(y-23^J_=P+#{SQBa_0w{< zSdZhj!9OGZJly!Zar4i_eV^z<+&qhL$6bY+ztQd`*MBf>o=dC8c>6X4H~)Ct`Ww`Y zd5)n!hbR02-2CH$XZzA&?5m$7;(y1jr%bKldh&Uy2ha8ypI2Oi+lM{&i1X6h;?{p5 zZar57&)0Js@zyg3Kals+zr;PiO4W{aI_{qM8rJ{8!Lxc=)8`Y3x1Nr;=iONe@1F3B z6FxL}zMe;kx1OoE^ZFYf!8*LOPFxQ~FDpxR*tzI`ihiyNo~;Kzx6m&aKRm?WOZ<(z zJ{_BjFXVrUct3~mLL&ah`*0kd<(l;U|Fxl17xLJL`|wTdS7Y$cicZ$T=fR%Qc}_J0cfHNQ zYZ3o9?zmg;75n43m2~p#oA6_CfA94y+~<}T;{JZ?W5Kgt+UMtS*Ut>{xPD&C#g7f^ z=NsZ(KR@T<3+v~1;$1&m)i3T_e*KgSp6$2B??k-UqXxvg|Fv<2i zpOyBB^YZ-KC3rS3KfhWt7hgEPni4;S`?^+%_)`+`r|04e_b0s)@mJ>J3)jt|iTL5U z_`>z&?wl9q^&)xpV13TZ#TV-QB@th$;pTlV)VXKytk33el8Z0Yd3qwgYc9U9kM$tl z&+Fcli=Pzs$vcSmxZg{BR%_7~@qa&~6F#0ij$5r!aUZfAzHV)fdtcW9@6En+0q%A7 zYTWo+aN`#Q&-Q`r-}TuqwG{nq$oa*=r|%n&V-`Ot_=1EVd_c+ZeefgLPp%7|_2+%| ztAY4EMgPyjeZu%eo{7ZwCVnbzp5=)=Yl)x8`=O-|jK^^q&r2Hz&wAs$S`mK@_sOT= z<{3<$Bk9iw;;rX#+&rHo@_b3W_56aHr%K~^9FL}+-Gk?k*BlEBPgA;j15WiV}@bBpVCy6{?62Do0aPw4Y68qD}{sjM@{@|}rPn$%Zw#0ANAKW~H z6M04uzgd6qQ`l!dN#yyG_|5u*o2SA-@qD?6^-u$E%JpS$+`pUI9QXUay5Ma&-!H|@ ze=TnQ+i>&09y~j*kKy>vBi?>~gP%t|I~^R?iFv9A&(?|kJODS(Y2-PUdd?)?{j)3n z0ev2p$a5R7zd*bhq|66b54^1<`--2*pI8}it7C6dgz6_9!3Sv)j!X@T_n4e-Hdp&c{;|dAbnqetrdRo)Ng` z<7j*^<35Gk|CzXd&*+!nS^rO<|C@++zB{!j?oZZ-3EbZv9z37tMB<%qSKK_q$m6=b zjd<6?Nc?op$LWbYGl_RSypEga*F>IwiQlY0En|PK=X^Xec-9~1brSKL^#?c40NnF& z1nzox0Czo1#9a@|gJ*Rf#d=svyz?#HD$aK?=VRmG`8=(NcfP0K=IKKo`*t1iu7`p6 za;{V36L}^Q?|PVun`e0<&syR)>(61aKl51+jf3acLo4Dp>kn?8-uMp8_jY_fzt?|1 zehtTKZ1Aj}6FKfPiTAl&rPgs?{$6uK+~0?7f=}l@>MZ<9&flwoXZ4&!J=YNL^NRb3 zZ%6#YiTIhspG^E~iTJOGKZW@367gjYFYZrPe|zG$37+kr)?bDAQ;FX_5x+O_9f;pI z5q}!)^X;o~f8TsC?(w<@@4|KGS^O4!ZNhgtBCelmti$HG^&E#=&$YPEZwDuQc*5Vn zU56jxD|mkU9q!*TEO%s_m-X+8kK($yckujqcO>zickL4KJreO(;*NU*?s<9-zKs3q zVca}paq~>a{r&ejxW{W=!WSjH%2Bb;U0H9Z;g#s~eYnqyKE_?oYw(e*&l8T0<5s6X zr{lL5o!o`zTIb-Wu)n>48$Sy-emTC0b@)5}CHv|>!Snl1#Wu124%B}%zBBpHz+a@# zmj%zS+u;d+D&cRC-*vtKf0lZ-J*K$+Y~0h>_bTEY@!j#R_@4O1_&)e$c(dTyzTJy@ zj!k$w@?1`yZi)Dth`)mPk%{=n6aFN5t|ZS3iTGD=uL~>5b2WL+JvOc%?>BD1y&t<3 z_kLqk@a#BVMgGaeyB_Kv7sqvfZW=txb0&EXC*JGqDY*O3nF;Tn@Bz5>jKUrFsf5oA zp4ERI^}m*gUqE~};uj_2zbC#s@joTv|0e!?;!7PL`|rFe2G8oZo~nuX`o#Ajf1^bF zQHl8D67lB}e*yW=PsH~n{zBrfPsEQP-uz?mv&i#gBF}W<&nA9mBK}?CyAc0jB7Q0H z=Meu*B7Pn5=MrDGZ9MMY*ByX+|8@@U`PB>W!gc4y;Mw}=&A20pugG=nG2Hx5CVYCr zw>u%us|(lnN(rx?@ZR{=-fslY=5+@1nwN;*fV&UZIWg8bl+TZ~!E10`z83d$q4(g% z&%mvJ2|k^9tw{J!3I8p4)(7|b@+ZZ4xzAS#o{w*oh(8Lq&Jz;eA>l)D`|uTR-}Y%2 z>$lHMgXil%iFoJRJrRFhB7S5d{v+b8v);+EPUrO`zBl)!^Kj?&dGP$aekR^|?R-k{ zxcT^o!L$1)<4?k^b2RRGF%|c`_&j(vuIJtIMEqLfU7uUEkA1Vw-SFN#Z)uE|<9s;{ zf1Z7BBJMsmE#Wg0{z343pO+JF{p%9(Wlt@6zU_l&`8%AWdF5-RNH#!kNJK^aM$gK;Q4VE5by7s{EM5X&KV^imsSby6gCAgg=zjrKzMW1Vek0z$U$E2JvH$uW z!LvNxH}0E=KMA*&6WtB5zx@Pyw-9{W5t5kDKZp7+V)ebI8_J>PdbC-%qd^})FNe{0<9b=%-s9~}2Q z;vM%v+;OMlK0ka7cii`b=g0k)c*kvhZk+EooY$8G&+_!)I1VA+JR@-X|116_=liZ* z;p5&W1kliZ=dh%7LV6e+|NH5 zJU`!g#Q(x`gT=V@e2d$Mb@+OY<3`;6?9@Hh>E~Fg2hXporo=nn!*J{Dk9(fJjC(%5 z89YDkQsN!A`uVYb^Pi5JzgzHp{(i)pe==_V6}b6-PUPRZN37HQEphYr#mzq`c)tDz zh&TUS-2BV%PV58UtY{7bx_FWTwC*dOy896alf`)70FH|r06pZ!VX=|%iz{lU#M zCXweE;y3FL{tf%&uZcYW62Do0ddB{k=bYeKfBLa+_c5O1au4y>5&tmpzAl(R{Pn~? zn~0xH`~c$LO2mIk{0+n}OT@1s{zl?|OT_PeQS6(?u`TZU?-o3N-MN!^uR9On?&srh zuRGImuRHJKUSAgBUXQlw73byWLn;T))MFWO2PBvHXz<{o8TVzRtfKo+n?L<8`kmGR>-CsKo@a>PtUtJU*5hB% z{|cAK^XOmBqXr2-BzU%dvVTLiEoyer&#}Z$;Q3*9-268t{673%&Z9}Vd0tQW7r5V( zvjX>fa(>1A-iFdw#Pu+Qb+t?IY(03M*23LS4o&14NW7oh9ED%QbHW$#;T*5|xbs?p zJFj)P@zt)3>tQn2qkZtLd7an__j9&war1Y^?awuMdBz=t8-FWq-^Sw0c%3o{H~;gv zdA`B@-kARqUg4^^PCPHF2hY}t-!sz!H~*Ol@0ajpM{Wxx8-0#&n7q|Zx;{IO4K)f0I%t+ik6L9}t*t7Ul&aXFc*YhX1`Bw(d z?vq_tYl)x7>yE9jj{Uia{cY#q`8?H$H&0#MdYa&_{}#C89)+9dl7!!gyDvS2yD!a3 z_@}u0!%w*T)gQR=)%wJKx?k1DjXwzYx^M(;d^_CFtDlFvPA;72W z_({0OYcB3_{{T1tLfkxm2G7p-p*4<-wL;$HVMBZ;eBxHzcYBg{(FhH z{)xm}|CB`h4BYzPNcfNVD%Ss2*T?ngd9)jD{)V{cQMcgPzCDcVML*(wee^W$=UQjt zo?oBg#%~OsA9tVrab5?r|IftzzQNCM_sO4dzgKYU0WrUQ+a0%W`vlL|c@**XrxWh? z5H7_1yVa#`i1j$H-Er%zgL}RogO}qvcqTrB*L}Tk^W1_Z$B*7>3vs&gddIj`noG_p8g4c6gSTl z{A^yI&ceO#`aO7lJyf_U&dc?1IbMr><3W5O*Q00g>f8^1jvK%2&2ik?{Hea`| zh4`I=XZKN#TQ?W~eTZ+8h(9G4Us(Txh<863O}z7Zk$C(3S|WZ~!Z#%Hl)5#p6Zh3} zxSwl1825Aar{R9CesJ*o`k6(%>tSKS*Cc!+?sc~8ZSnZp&zixr<7+>gpL_=2oBN!%aIecB znU?UmxbG8vjJuw{O8DyF`Mzy=N1T^^tAU@){px)fAs*IQHK9rqIA{k?$Oa6ex+26sJ7#h+k(&cR&|OL0Gs{R8fNf5BZ3 z?e30!v;NMwpPTBByH1|N?_%GWkGoFR;(i{i{5>VF^F4#-*Lg$S&pRE4TmNae>#8em z-+JQq?P=WSpKsuP{^57r>rUBwWB)zARf6Zw_eR9K&YR-ae;984C*juL9ryj6i*cWq z_QuUKD0sg9hlscS*|^u)PZN2{jEa4;pF89B^FZAA4hip*@S(x8d1e1bh4-oNBi`3L z({acB68F6OiTv&}+uc|4d9ioGk4gCX2_KyB8Nsvj&iX&Zx97V2D{g$H`%6Av4RDWF zE8O+aIe30u^-uUO_$^#F&wL=(~lR>B+Nj@vAFe%w=tcib~^`*t;XvRp5O{b~sD zu7}5P>wh)jOA@{@;Z+_fxj!xO4|pAMLh!8i>|bHO?LxfuUx$0X48!g71l;Ej@8aI4 zt-|f|ufg-jtJ3JW{;j`u@NE5C|Dm}3zlc0u7j8}XXXNoYz^a6oc{CmupG()mop1ew zAC&O36W$}?H{yO@(*wBQdov9$&Fi%<6TZV^alYnhjN7*(6W#^4Z+&t5c0l-K_w(WN@CSJPyBPQL;gueb>(h1BAb5U%?u8&r4i|d%h3BEAzVMA>8}kw{btmvIu{Z{p~B<@0Be*CeF*xQIrdw z?^_+>y)HDx=kpxz_~7}^540!V&ku~ludNWjA7B|?p65BMabI`*hWk3A^w>CG`|uoY zpI77FKUWx6@_ODYcz!*fgnL}h#CtK{tMF>&Vjo80zAm1I`}}hr?)zfvaN~CxAN!-% z3ZAV8uP+A@Uyu914!C*xB>dilPsTkiAL905=Lxa?16e1v@D}V>&2XPrx5s^+-xGIU zBNF~d@Iv1T_eIYVZ{HT+=KnR}<)4i6_4qc#&C@pFor4$ZEZqNGOuThIfcw6~EZlJy z;6CSH9y}Y@>%u1D-Dj#i73b@7l>>3dJtN^42G7s8AMwuje%$=i6TS}jeSw-!$NGIg z;t1ULBhJHpKjKE*_ajE&jyo3jeVnPd{al7S-~SR`VPf&T^8Kt8JlhZL=MlL1yC-~D z!p9|iZo(G_FVy*Tc%AYi@z%NRqpvsm7X~l%XKCn9U*hf0-MINDCj3?0JoE9DynnP5cRlu{CU}0GyiL68;UnDFr{ChfU%w%dzs?J> zpT3`a2yUH62hZ2pg?Q`if&2P;a3ar`gfAkG_3Su3*6($&7H)hC-1T!t!mmpBVBGwV z1uv|_!gXgH@vg)7aqC%zn}2P>|4Vqe7h`{Xox2-u{{8XBykFKDzkz+bZSeehIFESO z!)3Vl8@J)Zd46>t?)}Wz;Q4W1OT^E^{r$x65_$e6-ukzCDfZKPYT}-cje_UvJT~DI z$>Vi)Uc#4>CmW-%53eQO>u>oPv3~P6OnBRbcMhJ7nf)v5w-*!dxHsdD`&h!K;{M*> zT-@KM`vf8c?FZ69ixK4dYynXu_H~$VZ zWBvNR32zy^Fz(tgZad-~w-;{yTNC~)Zl1ZguWP=*{XG0i-1x0#l|0`ggJ<))mG{lh zBHr`&QQUdWAWzZuQ)>GuMgLRu^D*(x>pR?awbd&n*SRz9y4o8z{~@^f+u*)VKLt1c znF;TO+yA@qrM&)q4fpp8Rt3-Zztrs52m8Nm@O*sjM0_*c`}s?8ubcgFuWQ4C=f{1N zcGc}l$Z51om3-CmrCA3(h4%V<2yvu9ZU zlM{Jf$;Gz_@gF4Om*(O-g!t8o_`h@U7l-(Auf=}ahi15aZi9PV+6T|Chbt5Q1bNK= z0`BL3=HPxV`U|{s(L>F`_gDXnn`fKX<9t0&cfs8U>gv3IcQkJO=O+A8+`bJ6p6}b} zgwIa+mkIwD&&K#8T&K#v5&PhAuY%i$n!&Ri*}wlno_&coPjh@a@1vcL+qa&${kbmT zHwDl4?RnzO{|0XU4-AUanCA|B zA$})*)%=p<%P)v-{6VK50_zk>Y|0e!CefTKhpX2s(1Mc@xZ2x8KgY_SVA50%k$F097Zv9u_ACc!ld=K7F zAB!9R0&bnJB>WrPKKz~VoxUo$4=r%_$zyQ$$8xyydM4_-UNRLKLURkKN)`n?}CrUFUB9m`{9q{ zH{(y>qwq2KSbQx096k52UFh<9F};?8TE?_=M5UR@Lao98?SC;SN9=gA#{=ljr$c@6-K_yD#mwCiX!;B;ltg{HlcCn()UH{!+r{;_j1+g6EIdPsH2L-xBfVe~NuD zz9sHHc?|A8c{*O5=S3Ie?vn$8=j*?hci`cij5Ru8Z^acvZ!%e{bCSPsLp)XXB20 zC2rqF;I5OWaQibA_xR4i-G4p`o?mY(iFduN#qIM(+~-$ielG53K7X~~+5NEj>*1UA z6W^?#_-6gYJ&q&r&H9ON)=%8^HV5CVpTYC@O z!@1sFfS-V0hp*xF#cjBs8=Q>$Tz5gjH{#B>>iT#-nx}cfd*SApiu=AsjbCGa-iD4p7jZD@^>89_!bFo`%jE_++Q~pd$wp7A5>bUU-;>NecjXwoHmi*`8 z&g&A~JcDrObvthS6S#Fw#*KdiH+~*&{I~dJ%_0EuOZJRx%mCVxOeBgFt10+%J!v@y{mW*Wnep?| zcig)Z@sB0qKgAt)CEktmVk7S7%&Tn~*F!t{zb|h5$++?7;l>ZajUR;@{}OKed${py zaO3~Qjjy#;$@4uFf120bJ@C>+i>2`S#zDCG9}1qWHP4F|iTAu%knlB$JeA7E`sec8 z>_FT)PsXkDO5FItxX+8G;>ORz&Hn>#on^O<^_yo;+&o9&#&^W6b1-iFqqzBB#f_hj zn|}@Nytdk={|I^9=f~vY3;X=!oEP@_xwz|j z3He>mJ8m2M;PZj{xcgE|yd3XCb;Q^6`tBm!=TukYK4%z)-_Q9w9=D#Exb=L3ThBV& zdN$(Lvt7B^AM4o%x1QFx^>oCo=Mvm{uEDM67TkL7!;K#kJiiWS5$}5Vg?QKJCgNS6 zWwtBsPnJK6FRah!v1grZat&O@BXj=_j~Go#(jOd z^^Wm)`FpsvaX%;7IC!?dW&aAVgPIZV>w;79XShG_iT7bY>6`GW_^ssm5I>&#-oJ3~ zPpa$`=j;8O>LoBsve__uNImwpVMzfNsgG1l*KuNb^R(J?uj*TuUM z@AvZ64xZ0{2=V4W95?^*i9B72H_v6k^L6$m-a20+zvtHn#Cv{yoQp4}k%%9Xh##GZ{|NUy{UYHj68?L_D^!l_$NaT$-*>wT_kFj=ao6*k zxa_=i>FKa};i$XW^S2 z7u@*2aQDf&yT&@*pO3@Mb0zM$597wq!X0-lZu}0r#d^%&7`M(&xOuL_%`*-+{w3Tx zm*U2k+P&mD8{o#bOZZi|bv}Zd=Z%D~#Lcr~wOFTl4odhLxOoQS=9z?h-}qj_zfXAC z>akAq?1+0@_6`0&*I(kjZZ5&6@%u7c)rjNjO%mQM;r(&f=L5mBIO_2#JxV?KM_BIUd96*vZ?|`G-}3ou2hYFm-a8S0L?XTe?tNEp+~YeM-=li*LBK{QI=M`rqyl2AuBz$&ZS&jQVq*}u`UteFe z#@#o%;l|&V@Mm%JEX2*TU89og*$+2QC)_-*;C_$vQv7_*mw#~2uO0S{_4xdx2JZ8d zeQ}?kw8DLU(gpYV$pGAXM&j1<7;ZgNaO-&ux1Png^=!Rg?1Rs9Y9_pC!u#PKuhF>2 z_Z{5$?{S}>Z@+)6)A;>y^LNILzaimcaP!Q=&9gq?RSt-Cnx{2xp389GM|dFNvlG4o z_w~phxa)1F17n@;8x8Pn`JRdsaG$3Q!kyQ6+&+95Jip(5PQ3f`k&TP%%*US_JiC7R zd|(J}Jx}7+^D%Dx_qf;V-I~O{8Q%&w|M|Fe-h!KFGH#yFaN~c%t+VDqCD(Z*ZvKmK z>l}eQ?sK?#mg2^*$E|bggJYfg?zn&7p&s6Xef|J^8n2sL;NDN3g!?|@#liFItuOJe z&l~XmJZBz>JMJTi{Ld3_{@J+q;qN5;xK$5{{dC;gxZ^g%9rq;M`-dL5&oPGMK9?Jx@R$TikIs z;Er3NW$c^d?ut9^ez@Z{#T~aT?zr7>$GsGH+#$H*4#yq$G2C%q!X0-G?zo@hj{6Pn zxWD6$TfSAveclCk+S@gLm$Ra(b* zegA~lIXuRj|3ut8-4i|_;a40{a{ke{`Cm%-#|eM)$ddE_h?{@Qqhh>XBjL>welqUs zj@R+mxG(B>bR5^`-WTG=_Ya=GAA6X1?~BGKd`iM!PWb%b`Egef?|s_ZMEo{w;(U$Y z9rrw~k2|je6W$`>Z4!QR!q3LN-|HJZ--i*zJFj~a@oy)5yJL#`ljZmMWYysL=abcQ z@rCD;d*!_FeDYY_=ac7<-})cN{XFwj+~-Rl;O^Vs;qKf2;p@3?ta@x*CtgQtluw(&r`Vdyoy`T7r6DT$E~N_aj_59QvaVlfm_edI!28I3apPwsd?{|8UlRUL@O&TYw2kMf z=h3CO=WoB@`SbV2TzujDy*1~B^LJ#peX2LrM&uaX<=vU&4 zK4SNOKRt3@_}p@T^6bUu7$*_Gm^?4#ypU%Bd3--*E$(sIzI~jR&(G`Q#vg{)D{6FM z+>W^4E7ccwUN;5LU*AU)?|OI&_w~p$+}8`s$p0CA`yuCr`ZtoNCHFapoEq1m>$ZLH z{62O$?)&3|aF5GK@@KtxIIQQ#h_}y^aNm!35pTi!5pUz>S&YBH{r_6rxa;sE+;#XZ?mGM>cwrq*4(qVg>2Y4J!@9VAI~=z^=iOZXGGd0xlO zvnt_b&WQD!r#5b$;}hNkH_uJDd0t5P0^B@58@PFX zPWbj`#yZWj4{n|_5`G14p5eH8#^9b`p9IgJUq2G>`LzM}{3>-;oR{ZUli*qY>^`k< z-`E__{(rN=dDI2Z;!h9vb^Y+AT;GS~yl{PgBzSh6@;>AP;+K$Tan1{Qej$(hK!vm8 zeC=~X+~aaAZu~j8`^MF{$Ll`ac})nOKaR7B_c*?bd%QluJ-(aB{{?;9wo7pzvT-vn z^li7`S^vGiYD|3g_hp_Be_!UvoNqa`=>J*tb85~z1n)|I>mP{wImric|IXAi}b2oVb3>Q!nA2aj#R|6MiK=h2QtNBjHcue*Ws^gnxy*K7UPk znRDYhvCq2&&)-khO~kiK#2<^hZrdk(U?Tqn;$1&);C`R#Cy6|3i1)bf)HNP=zdyEK z@a#PD_saJn-p{u*!CgNCao`|t<2uWL5ouFoC1#ro}Y<=|QU_PGJ^uG_P5SvQ?s}--J@&_Ok4|`(;Q8Y|5cl);wV*aqGVeH~vxF_!sdHsAmqoo_+Xd+&+}MFdlckdGLHcyAW^w z^Aqty6F!-D!z@cevR5O1Abaj!d<;MU(K;m_lq z7q8>)t3TnclRt6SNxh3oUgw7e&#&`NiTJyScfJqeUS~f`v-bL|3xDHw?zEz7sqiuE)8(6gY9wm^Yd}>!fM${B@yyBK{fT?b}S;eSQh*o>NNW$+9p7k^Pcj9(MO)dI)g7|veN6o;^KR@ALoFDRxAl^LVaP!Pc_!8Va>v8jxzB-<# z+1wh2dUgz+osZ_JkN4oXG{#-GN8;w`j9X97;DtW72=!b;ym=<#zHa&m-=FU}`5j+X zG`Yg-g=&4`arbpxbKG$|;>P#ISCfAX?zpeu^Z5M0N4US&_6zQHs#4!rzkR5Sd;K~N z_xd$4c-DVkm(3;K>&RD$_>Bp#d`+y=JbMJskJ~H}e+=$@)F}x+6Zd-8E#a5rzRnti zn`cDueEm-){8RFL%KH2z;bpFkee*b0N_d@wpNqQ=FAH8c?=BDL-2mcU|M%m+v(BHy zjh~jw-#6rcBN4v{H~&i9{J-S#4-5HA^^1KoetX>GSUKShg6EI#;l#V1kHgJ>O2W@c zVO!j~od z&xCJ%eXQTtiM4UZ-5>Y$;}N*=r{F&K8yY-YS4Ef8QfGztNk5;Rp7r1>?%Ur;_*V(vKz`T%rbK*|0kJ>EA09k^+)pIl<9=!`zHr>n&UxXuUr8Q6 zCpn0C`|xPOUm}n7uOZ%b`zP_%|8Fk7Q2#bJ6!)jlheG|ef@k-i2l9Ni3GVuAhr2${ zA;0szhIr>SFcJS?BK`~F?ZZmq?ZcW}e4!5;b6)7ff8_CdiuS)Tt}E{cj=}w2g0peI zFZZJ0S^u+th5g|&;@ux^!TtX8`*6Sid|bjm$Nk=t4YNP^_Wz57|3-f6uQ@pGC+2B~XLT0NuP(u}ea7>s zXTtj@d^qlNr|G!QN!|>e9T)3aPQ2@O%OUZ&yUzE)0U42gu2gfb6Bsn8&z!E+wp*7dBnr+AX1Mto16Thh-2D6iSHJaL#7Q3Nz||iE*S`Z?eQ&t&kA$nA3fF%T z+|OliO7Jpw$A0NkKk)pzaU6Q*-6skC;soE6@Y$|kjK}Md9TU82g6{|S{=nmKKd1je zf-i=9pJz?r`T6?~Jp12D_S16xW53)_>%cwFoC$Y-yczEJKAhk$!AEf)yV^Z59>1UV zNVwlOdj{Ok-Jb_{J-HTcJr9C={vQt4XChpmd2oHc3p`)9f1J@lC&iU|cUnsdA{0<-Y)1PwslKu4e9531L{=&!ic}m^4xxe{%_DS$& zfoJ=s=h6-d{mlvf5I*MlJ-GYwCkehZ!Pmjvm+Rag$Jc%N$iTBaxG%Ry?>gKYZhbxr zS3ebQ{gfFHm%!bxAAq}GKat>5;P&@>xcMplKK}&d|32LHb}`&@$RBXWWygWBU)I$DaPJqL0Qdf6XSng-3AexF z;OgIm+uykf{vF)UsV##y=DFTlxZj&s^kB?``)^ga*QX=l?#pu$d@+$Hl?mj*6e1ES+um3Fx{Sfr#=V`e89h2ZMC-}R8=i~eu zz3ncBn}^j2pRy0fanYwz;Q4lIC-e;x`qLBoE8)(^UU2hvM}ps%;E%u^$MJCerzH5w zz_UDfp4@=m^W@e;H|MiNUvi$@DaT9Blhp&y&Vjx!R1fa=9UTvMJ!}VeJ-h_&dU!S5 z{ND}tJo6A-{ZoPG>*S3DUx1JGw%4#&hn^pfg8ThBrv#pFwdhg?PM{oY`g?rBbAKdfUSp2gw7!#h0O+)W_Y!=*e(R_Gg&P9vh z`uqX+IpYq)WBvI4#;$>v%*T>>cO=~Ww8F>yw1>N%TmpAJ84ov~Z^O;!yuh>0QWvdrT@i#J;r%^Pq;q&2cE_MBhRmo zL2sP*z)$4!Vk69bN>V$NLFa!ry?uivL>ToPoYI?*aY^ z|B&n4t)7YXc?SMf;O}y7EDk(B?zNwdKBZY7u7X#9-wC&_2EcnUe?NpzBA&yai|tOO zU&q0XzjNSO{6CYox$x|Nn;q)#;^*TyE|d|J-S57D`?=I#0?)^@-HTg}bML_OaUPV= zpP0~}4!53*;qG^L!aWZRfxpap{ye-H>)~|x2=sH{`g{vtz`C~*K9G5_KJYA`e>1*S zUW#?-_|}5o#5`&MKbdv%IJj}Pgda>joC8;X4cva+4!2)}1JCzsVuJsIkNe#Qcs26B z!-SY0*QXPFD0SNl?tXe-;8_mr z?+Emc*Z73~d-OMzig{j@(3hVS`_-8GISM|8^{@wA{e$q+@EHRy;#@j4@O*#&M*j@) zmzf;v$NU_Y;LQWi*GUKXdir&3!e>x|znI|f;qQ3OPw1B=^cAPXae0TlRfYdR{59at zyZZ1O@aYbBKkXBEokATRkN#ftK0kT_{u%L%4m>};Z=*LqA0_lZCG@Kj`ZBM@yy?Fu z-1@u}?mBjT;Q9C;Oz<%Y{$7HA8+g7xmn8I?68deY#(A-IA=r|2wMyWbeZV- zDR8eZ+QHS|0bfL&%z?iSFEuTWi+nG**E`q1#}og|1pf~1^W`=0-o&%*>oFedf0qQm z5AJp46M<)SQm`+Y7QT;eB0Re<-8DQ<`4peNoYQuGBaWl%+d+Zn>!d+Ke_BG{2K{=@ z0~e#WPF_Ku^=)z3m*>Nca~VF)yXtRlxnD;Gp6^$gx3;X`JMg@|KKc#x>jd=XxfS}2 z=+95+yQ1HO{)U9UANqgMKa|ivgWh~jMQ=WT4h%e>pJU(Ntk3u<)LZYsv$4(o z+opUW*uuX@;Knl%ALIEkq2G|umzojd&l>*!*Q>y@IIY8r;l}?ke1F!5r|>uaHxhgS zKK5%3`Yfg@S#k>h%D)ry>3X#X`~uED$H84^u7tav-Uxq{b7LR4J|o~|+<)P<8TVJ< zJvp~82|TNXQjAN{yRpCK=jy=!uXfPigx)+n4j;mG!36kAocET&Jy(~R8RPlS`5f;0 zTphj_?G^`~#hm4$oIlyM55x?&EOVodExZI#~ff zqR@EBdh!o^2;;cN`!UasV?DUz*b+V$|4xDD^UwwTnVdHU!i{GX+<2zJjpswS>(4T{ z*QXocwp;3hEstZFz_W3jMf|nk&c~}0d@}yqGVX7qcYXK-z3b0%^sYaDCGwOG4ir?s|SB-1UDfT>blS_mNNF>Q^QBHM3*h9N+#4 zJ{)d+J_~mpo(%Uq_AcCZ*TKD?Q(;bw)A~OQ-k$re$HUcM1V4y6?*?}sJsEhuex{(e z-ado>C;xEA>uF-_PKV?+Uo%yX(A|ht`aHBY1Q8 zY4DFY_nr&a=Tf-iI~4BtjtM-U=b7lu=L+}&=5^60v0ui&J>2;B2t42JQ3>7_ALF?w zp}!%aza8%QPR6GUbv^@qHR}0$_{W@=mc#Ym0Cyd(IzQ%3UJLH}-x%&ZIumaGFN1r& z?HPET!n}T%dbu0~f^W*hgg1?22 zzMtW~Z?+n)zSQS2|Id-n-Qnu%1)d+5M(EAkneaOJcZGjR{ofAvdGx*T^Qngs@bAdm zbhtjBB>1AhvwoGMJ~yDZKDS#C^JYBN;Ks90;Muy=kvI=VKY@B^2-m+Q+~?^R!F`^7 zBYY6`d_oeZ(A(}`@SoWiw*ETiry@S(0?+cJ&%W@h*ca;HQwg8C==C`Pz44!%&|e5Q z{_glxrrloXZFdOV_($MV1)tIA^_cFi0?wdG{+tY5P z!1LpHApB;oJL==JGd_*c8-Hu`JD@)&q3?p;{&r93d&BMT1NfAu-J$4>^F_G*or2Gf z_)JHy&&TMEe_=wu0q*l72;UR` zCHQ#%%{e^V&DafqCN1bie8@@aL4^{xcU}w$E7XY{9Fllo(_k* zj=co`fN`G+cO82_@T|Z4)8FsWyN<1e>)+vrxZfRsPuIY+{m#$1+=RX^`hE%hlklxr z4@cuuAD;>E2JkoWaa=w{e+2sP6Z(JP{W(vT{W0dDAwIhVp3lSK=o_IwHlc5c{z&v~ z;r90eeC%&8xaXz2@iG1f(7XRW1wWMQ$EoldjMogfzoRre@Isf0j-p@l;r8nreW>%F z;K$SMU-;C*e-m8)GK=E+VBTuLou@}6_$h&B{i;p7t>LzN9zM2v3%n)$9f;4N_z#8a z{|r9*kAd5-Y4{wD{|D$@hZmr)gZ>Bfwz~>`8P_ix;MV6hi{rR#^qdxWp~<4dXm>C4 zwtE!(Iqv_oz^5KQXQJ2VTzDtyzcaiWabAVL^Xmrmu9N-Yj?0sQ*D3V373Y(Y=)KSX z5!`*`i@>wIx&E(4@A_Zo~>`L4>jP%e-zyMIT3yy{b~jGKET=VrL4o9 z1JC+p9d?B~FM8nP`1XN6ga1Id^*Iy1ANrpI&*C|VysbpZ|c0lj=_DS&JaPu%4fBW?!di~!-Z@)fE@SpLqU%#TaUp1D*^~7`3 zG4N%albgdmN1YjXHoixb|I5%jkA6Yl82x(m#$Rq}tcT|4cMUwN2le&fHCca-#pg_X zPK39EpM{U}q6hl3(Dy}eJVW8_xZZpX?tRPo_@9mcmvH0!30{o;FZ_*v&tGCbPe)%T z@cjHb4(@zE1Ma%i6@EAS!cBn}nk+hwcKf2Y{zsrc7X2jj_UnE4|2Y4A3HQAE3;xFQ zCwj-R^0Jt>OL=c0cefAjeV z`eV?qPw1;GkL$^vg=Cc6C#fEI!J?=MK8K+<&rRSf7{_zr=Aje*XW-u*z5c!7#`yp~ z*281y^?3z-Q`&tWz4`nKemLj76>#fwJ^sd1W<|`i@ze-B%X2g0IU=Dy5&eniPlH=O z#rW8-o^aQPyYMmo0qC9YPr~oyoIefj_0&6Xuczh&p5@^r`t>Q?el606c9+Awo~rO` zTnAd=Mu6x(RUB_<0-}Ufr^sXDvp+A*+coDsI^#S~J*0Imv zzBjuLu6`rj=hVBbjQR9?qG|`8n<$#3#@Pz)vg#L_#zEeVfWkP=o+~;3+ z;?t6OJpjFR_%hseV-DPP<9qyFH-1I0|5j_ZoaY?_&*yo+g#OTkzG*_=DxtqPp}#tz z@0-vMO6Z?U=qD!h?n$JH}}|g9FdU^Y}keZ@VMm_IEto_}_rHBF=e%=j*5J`ZzAWUvU%M z@p>Tef^|__{2xi^-$3vE$%W{>j`$vK{T#j_=I1=xZ3J%*ZxMLDzpddu7w8Q4xxkHZ zzmKsm-0Ot_aQ&YQJj>e!#5oDQJ~QCP^BLTDzK84cE8KYg4m^ve1MzING1h}Vy9S== zFGRl=-25MckMp7-+;~of+ux3G`+Ei4IIo54e^=mH{N{fsdVNN~jpr4(@w^4sXAazW zz6d;v$Nc|*UZ1t-JCXklaPwbwQyfS0ziZ%GyBFiL7hIo15fa~)k zT%Y~6+WZY5S)BSbgzIw=TzyaY$J}pu0q*CWUx$Cq^Sh7XeolEw;Dw!k z`(wGl^ZI=g`r7ce+~+(TJ^|h=;eQkQ%7vtsJYN_H-v^&z@cq!g1iy%Je+&K@{6o0$ zFHG^!k_GF6P-dE5hw>E4caZ3U_>a!u9DBcs>uq(HrMe=*`26=*`0hxckVi zrDK2HclLw3e_ajNXDD2sr{Vg{f$Q@%T%V#cF;4ZB61*l{pCjQ<^WH@}_=!AUZXbAl zTza5)T>8R|^SK0n6>gj};l{ZDZk*o+o{w`adgI)!Y|N*1xF6hgpgY{}|GWq8_hCK{ z_qo_K_+I3H9^CI8{R=*V=de}E#rXXk=>CD{^KcA$^Uw-Df_OT>Jr~`O@E?p`|3~3| z@8t-%@&5?7e%8UQlj_^YJPc+ZIUVlvwaXKH2z&tdwdTO}`6a(dvm{;3529f&1fL3bUN3+Um{|VlLd9f01 z{!3Sl?V9Hb@S3a-yTkQq1fR?MqD|oyIsaS)e}nh9E`?9zKGHRCeFnhw84UM(y54~s z=Ulk{E8zOCha2a1)nY#NsSektP2k!3b0zCfCwMn_5BOE^KJf1F!SJi$BjDG-CkI|A zouXG5uUYWhn5PTjCsS`r;RnIj!56d6l-Vujtt0JLg%6;vYQbN||48_C)KxLueszJ{ zuU>Hb)emmJhQaOENVxr)0yoZuaQnLyZhzOp?bo)u$9&qao#FPYCft5CfZMMV;r8n+ zxc#~gZom4%?bqXQ-|L$P_c`g#d&K_APuVkaeMZ24;XE)N?)P)ffP3G29=r=azrpvS z&Nsl9Q_to0ig9{hx@v;&1Gm2y!}n$$T@9bl{p$Yk+gRtP!51@+=D_XO7jXB5Kj6k$ zw0G>U`kmnJN5ydSa~0gr-`xT?&jaDc^BUam&zu2QKL_sjF@6qL{}bfg7vfYzA+xZhxu~2-~ZefZu|q`ejoLS1b+i=f4@lZ6>!^a zw_l9kb4z>pDa^Z{;P!VD-2PUp9{p|iOt|e{1h?IOaL4gExZ^SvuK$OD7q;-C9_-_b z(R-b;8g4wB;8(MbRjm>G>%7<>ZoQodSKkWmd?|)opB)0v_p29r`_&t6y*&)K-T%RD z_u0Vn?S6{hI#~|4PIjsp^JYCC0JnZlhr4cH4tL$Y2i}SC8U^2q>$}(B#`786cq;B6 z<98f)gPYGraO?Rjxb=Jm+G<0?+rW7JB=27~Fb332wWm!)>=+;Q4lUt`+0Ao)3Xr&u_uie*srtR6F`xZ@a;* z=Z0|W@NBsA;!?Q&FT*{j&4F8o$aL2dkpcudXt&rfm!p%b?xIV|j?N{@_vvHK4h2C+z74GMbABLOfui)nSC%Emd zf}7_94vzV89XKBDI?x5~JiQn0cs&O9^QzCot8xEfHeCPpaOdfEhs5};he~kAs{#C9 z&W$I*@8-EfXLwDno34X@&2?5^_%i&*9~R^E_eW;I{hgo5fqNhF zVz|HCeh2&#t}E|>`}-On1)l9kHx&Mq+;9I1ej~g>-Ocf5`d;u|;XUCG*Ngg_;MM9! zem(rbzza)ok@>9IAm+{A={qOzf<@8I_%t~p>fL`k1fJ=yLw`Mb_x;{*e^=!Zxc)ET ze=Ytmq4#$~UPEs@pCx$RhOu9Z*r(dTJ?~u!cmDQ*Po&Q8g!}pHq3|cUfASRE`{$G4 zUofdo$|7AEw>&6TCaz=TLnD&*IGfD-OSN_b}Y} z-%9Xr6MVNLWBm4aKe+kq3ZKD!q`MP*IQ(p8gJOY>gf*?#vvd7h8n@6%ofH=Z&_ z#eUiD{((v?X?1$D$)}@Yc=Usoe`bmN3+kFSU?fwkcXC2&js~#QuyA|=* zg1^gilSc6O*r!g0`ySn8a>l(sd>wT@3+{gL6}%qxumbKps@^#E%kS+!7Vh`OX;>fzRp$-~X5x=WEo-G4N|y-|m8|e;lrU*JHQre<)o2-EjS%fUB>2 zT=Z{3{5=BC)}BHdil!C*%l_S%;1lrieTLt2`q`Upipn0px!uga&}`9|@H>W;1JBy@ zJh@v!e+YWdnJp9gV)UMKu0U^pUqkPCX(3#n@8Q<}YPdezo)GgduL{?HAGrQ?;reue zJ1)-zp3nb8^ydGyg#IJ+=6~xZaeT9UmW+EvxZ}Qe;F;F`)=%hGufw>l6B$bNZ5T zd?3f$2A?4bpGR~0W&yKN9+Xa{7`wFW>yX^*lTHR0=#_&((7JX+ghNLSG}NFPTU6a{Q0r(Bg6S{4tmcs=d_4UQn)_X!1Z|#Zalxi^{IQxmfLL(SAPv$|GVLS z4)jg9_xb0;_4yV)ko&i#PK|MH&-LtXfoJ*JFU#T1(?8+HU*U|{Uw!rrJRj#N34I5+?LGl_9bOH$-CbM7c=Txq zSKl6PzpjEiF1Ny4QqOP0_5TuXJWJsA>*Urketm9)``*RNaG$Te3;(9D5thu~)o|lE z^vo@{dqIL<3)iPF-23oP!R^=UaD6_6+u!ft`qXT*<@k?*>)#r_8{;?~?zoh18~v@5 zgW&2;RaP?=v)pvrw$$kED zaP`aJo+tl;JMITvu;n;Ug}a`2gm2>fd?UOy<9-Kx9`$oS{5a0%kHa5_zW}#RrooM; zZim>f|Ku5N-abz7N*$w*&x`B8f24lShWmW8e}a#O`+fMY!apa^f5QFV_^mFCajNeQ zx4#qN>Pue~ef&Pa_VEAlp66BY8qB-<;M-BRqv1X$`US3krA{%PK3tC+2)Es4@VUfu z30(gN;QEh*>pvZ?f2oUOocbRO*Z%~#{_WxV4+=cLUyMQT`u`35R_^~VP4G2v-*?&+ zc)r~|I&bc8p7#hmyZ_+l_wR)dU|#<(!AHY85&t{zr>KWd;r91C_%zn@-{Jng%kzwe{plYMGoLjOB@ z=iOg$-)}sqORS$SsQ)Gj-VSa(oDcW+$gYFye{X^hhwJ||T>mfOw=wU^T^7eZ8{-|a z#1{Tl2|QyX&^LmQV;oz+Z$FR|4_FZG%^nV@h=hr@m-@>_Wec*Kp zaeAICx-$BE-C8a1EYDfrO6p`^^b_!J0QbCiE!;Toha2aF!1HlVLT{WO2cC~}A$sFH zzgz5YRo0Cw;C@bXIQ&`GrLlo$?cP!NQ*z&C0{Xwn&+Bk~mIt2ocO?7fomXv+Gvg;R zUmk^zX5PIKcovWK`B~uk`urNbrPVl*K&p%(n zy)Jm;y4bGgpAQrKbGSY=ua7=nPaO}R&iZ^g+;ijS@Xx5{f8f^DZarhW16ZFMz|H3g zaPxT@TzxTIeJ8m0Ge^RWa|YaXY+2y>b?kTa)?v9`oBNy1Bj;n4z%%B2Yz6nabt1f& zJRf&M%x6EIH+6=apZgO08Mt}-C-D3_Q2EB#uKU-0aNB(zuKz5!`lWF1({6iHY}e0U z>AIxYvoN-V)<+ zJvj^RI&cx(_2jAqzY(s_Ft~BP2sb}-;pX96_$jOpWp9oB(&yj=ZwA-@47m5x&V`%L z%i+c|3~oHHCHQQ(@hpHF&yR59Sq(RyZEs8DC&8P*ji)8tc#7f1(*)yWQ_|Hr5+u*i)Kiv37!qvY5-$Ot?Nj zCwQ4VwjBQ+aN9i;Zhqc_yUu));7j1%hdi-QjK_1@wQxVL*B`F_UATEznc&;p8QZnL zHQ?6Up$UEz-2C*0d;e{Cg1-$npL5`@w_m_rw|`FXRd9VO^^JKj&pqK@&-PF7`Eaij z_ql7ce|BE-{g9f0=g;k@CHRGK{clR}AqhSs!DlDC1NZZ5^pE~4(VqY}4^P9@PlK!9@t!S@OXa}xB}!u1~kx2|4-+u!MM-|JohH~+ieyXE}Xh3kJK-26WXSHA%6IkVJ#v0e4s!;QZ$ z{51B3hv4tSKZQGvOX24K()(jP=4Tk(Iv)kUj{78U!fp2xxa}^1n}^@w)yj_;s^{xS5%^8)%lg`z9DKlu`R^EM6r zo#@|5=;xyEi+({u|0DXl&@W5q*P_20{luiw9b!)JMYeeTescd>K}&tJ%p3seqOkENQ}qNMfQi=ui zh1bFTyztQv#dhB-406f5YnI?0;l3Y!Bm6hclkdRI&);zKxy{2d9zQRz8(g0Q;reuj z`+XO$!1ehUuFqF+rI4(%=74V+iXWsGA zI9`6vr6$~Vo5O9lQ{egj-iY4*-T}A2W8u?@^F6rrFb}RzxyNF^oR2l&j(dH$PhMR{+ z1JCE-W%TA@D*FC~|5M5S^#OW+*Xdih{ap$-{;L0rd64e|w_o)G&&S^qz41Q-ci*23 z_ji9jhWmcZ3rd2qi+=nuH@Z~J77^LFB_ z1owX3q41&XBQ4+?xc+S$cs4HgP$%8cJ1#vF`UeyG;R*fA3H>y<*RwyszvDc%3jP`W z+6Xs46`qRul-Gvq-w?i*c8`M_XN$n|`Me~-`zCzuOX#0N@3_oB-;sTP7J9#DX?{Y# z5WU}Dv?!rpioQ9|sn;a*>(KwpI$Y}M&Et~gZG7Rvsbsw>6L_}28-L}5zAAd--ygmC zIS~C6@>UG@cf>A(yYAfy_xHaBz|}ts_xHShhWop0`;CZo`vvPjL-@(uKRFieeq9W= zU)|uwc^CXY{er810&c(N!99nshcDt>y2~@Mzo(Xq^{{W?S)JU=desQM^P+9w+4G1? zsJBk&2T^agqd$sv?@H(=px6I3^!qYi-z4-uqThjbw|jPT9Q1ou4f z6}%VuDKj#zZ~E7Q>)!ybe@D3S-wMB|kkpd>^g;L$#Pc{@{}WWY zxc*PV^&bP*|3|p_-)eO1m-*Qjei7@{A#nYVh8uquxc>d%`acBM|1G%je+%zIovebJ zpN(++%Z`b8F#coU`nQ7X-yW|2Ah_|r1UEnP;J>pjeGAurIo$ZGj*b1&zY$#j6XE)I zha3L@_yxrI6x{rbh3h{BZv4N(^)DJ1`=$R5aQ&OWjsHTp`MDk5iuHd0T>nSm#y<YBe;ylwDZhp>(>wg*C_#cPs{~}!fX>k2l!;QbwhZT_t79S{4L@7cZBQT6|Vo& zaO0m2H$OkXi>d$L;QFtJ8-J|{F%SB;fa~85u77X1@&6BgGxh%x-2A)_*Z+OE@o$9d zzthCnFa7s`>wgA(f9m9FxW7AmU*L5L*C}4VJc#~i&UItZdwuazLO&b5=ks|9{R;HI z6aT7&zS7GvKaSVoaOAyUqi|Nj&S{VhZ}zjxc*(>`dz#RU^YaZ{|6kz7zvrZw2mKF&>)#lze>eEItV?&m?bqXQ+Z_+L-Pho@`vKg3 zeF8t9^ZeG6V}FfjU%2CV0(>&-!0B+~IS+0;{owkKgzNtbT>tOk#=i;PpE{{HCHB{R z?g`hwHr)8nhwI-RuK&$&{U^YUe;(ZYtb#A%dUF$8|LtFk{WbnZaQ%zn`gexwKM-#G zwf5cE;BfxABNuNG9wcDk?4J{G%=x{ zjNa!;GZXp`(fi!zJGjqHeoOeQL2sPv;XY^C_4PPjz6VsoG&+Y5b8-J-cHrG{FC+f=tUKsKsXya0bhsDVt+j1%{U+1v96u~_w%{e2cG4*aQRy_ z`}M+~!oS<$S+3h=g2KO1`1roT61eN_p>M@_Dih~jfoHb*k41k4&wt;BSD|0u!#8qY zZtnEh?wwq}d<(yZ=d(-UzBju%!MA;TvwwEodM5Fd3q0$SpDQ^T?&tE_!dr2E=mEE1 zk0$tg3BD2TdwP{-#QezjgZuv8!EoPSx)AR7M0JJhKQO_cf!pp>_?hJAN4THISr2!9 z)qW@TSD%yN>$zTN3x9?CLYKkqSHA>*3~s+h!OiE|z_WSbI#A)=7{BX4+rTq@Aw5OY z!u$E{(a)tmFM|(ZzVv{1fZv+%?}PqK@-q;w|5I|}8JX}Oi+&dV@5B8Z%1>~|Wt*8X zZ_c|4a6k8Y7+jxI;ErQ4+|S8&gX_~j!H2{39}PFo&*1w14%cTR+&Fi7Z_D}F1Frv( z34S`de0#}68c`~J%{u`@9z)xLvQ?p6Z&E3jsH3H=4Ui|&pDIeo(C4=bAKV(CC}?O zqIVqkdq0ks-vf3S+|SD&3t!6ma2nimNV^2@6nIt-MVvRfpf{gA68c`~&1av4z8`w) zVQ@k}488U6TtYt@z2h|zz4x~#qqn~^68c%_?eF}Aej$4MyC|Vwir)VInb5CCZ-2{u zu(__X@wLAd0?*EA>i13P_eXC$*CzD0pf^9W;m(&Y;GSoGhWmTUyM7q^HGuhbSm0T| zoL@&K^k*jY9pHW*`BJ#^>k+uW|2r!1EdRcTKOVj3h56+X^&)32Ip2_}j*Nq1gd?MU-r^9V`F5Gq(!EJX%f|vR{*3UTlRVMJP zemsX)PUx$m_ncWhp|6GBb*WxL-w3_)0-nYCYp}zvX_aS@0ZTHTEPk;3K42IjUN8ygwbofB>|0#Sb&owUi zBIe&Xdjy{4-_K$7LhromlhF4=Z=DQI=!cAcjjFq^yZ;yLf-5H~u~eeLwWZKRBTuhTix`B=jTE8~;S~zW+QKz46aT=x3of{`m?0LiEPJD4}19 z-uVAa=+~on9V`EJT*pdtKHM|#Y+jg${m>idG4S&_@0||Uzg@z=GkWuUBV7N!aQz3t zAERGS2cGro!NQ-C^YAqEo^#$uZyr8E|DXKB{r<7tzKQEhcK$i2L*Y;1UyZ=Cb;jS* zIT7yf>9m9Udph^xZ=8>!H=pAZ`Zp8$U*TiPXPIwfzifA>z_WgtpW=kR3wr0vJ@9*2 z&!0^Aj6$!^9JoH;!`1%{SHHt|alUvxzF*+^`EoFN{hPz}zZ&lO^KtxLSD!|&|Emf8 z)P(*M_(sO}n*?72_d31Q_c1^6Y6-q?f}afcdv%7veNW@Hz_a{k|IIGHRpD<@(Q5Sm zj?Y#<#5jK`OvsXTpb~s9>TS=!GjHc_P4xcm#^La0{p5@1Nb#a1k#K-lv@{e&nX~OkX)xfj$#C5EC zLSGBL^P*lt-w3_?TGNES1$x)F+Y|b`(Ca?}UX^iq8*cqCfzPC_PFS?%yqy$ymN(n& z1ouAS9dO%y9&X(>UL5C<_s`o0p4Efncp-Y@=?(XKYB1dU+vDJVKg?{n@vI0uAI~cE z##8a9*e~O$2{)eO;l^`K;MseL@}B6u-#am(pPbOIhR^4|U)i5G$Dg$;-!bs49&C44 zxcg51z)RM>Ys0yvF?#QJwSarSt2p6vK6>x}Tnl%feF@%#>!bN_*QFho#Br4G57*~Z zxcC1%!hL`EI=K2r6MQ_}=Mk^NyD*NQ!2Q15ui);3f5CkpZ~LV&57uoX_+Zwbli|L9 z+dlBDt|qYlT#Vkj>J2x~1L3!_&d-3WUkY~|H^Qy+?SF~&Z=96_&)0uV^!n6E=#L3J zKQEe~_rBsCaL4g6xZ^brZk>Dw_j|66To%XIb*5F|*?7Ih{oZ!y9j{B#>(e!%zYgxY zF&^$ZJRR=5{s``RyVLU6FZFu_p5=c~;ZMo=tpR$^701Bs*C}x0KNGHgw-qrS=X*=I zxbywb1mEG;80SjnX+yZ{%z1FvhpQ9(9=QE_Iq#F>!&2eUR z_z>4k4Fk{Cf8T386|T=YaD95|JZ$P z^jCi~+&qs;@HgScGaIhYvIO4%*JsB+W1R1?kJo^kpVkR}BiwkNOz>CX#5cKY+FTmYT--HiiJy`&E-)ZnqjNg7W zh3j)3T%W7q`rH9GKaare*EqQS`W3GKj_bD^|2}Zrtp#^~KMt<{X$jsPuK%s@-?^T8 z1aAG$gj?rd!972$ft&yG8@8N>^Wo}y!tL+faQig~ZofvtjdMQyKj#Gar<@1=h8xdL z8)LuR-}iv~JI<#h_*d{>IfwrgcsAz-bN#Xs{R_;ab#UkP4x3_}2XMc-Cfs%p4Loai z2<;w)-gcY7ZTC93c^i!XL--Fv@9#;CgX{A)+=-JH)X zKgPdr;MuuR{~quP>{ET=BN_LH;Y&Hsj1N3(cPMerLhtqLeDuT6e}}#j@oa!MqTNzO zI~Q8qy!PAf9)V~5wcR5U`ZE&xYv8u~DBRD#kATnSy{U0C>DPB~>u@>TILnuc_4zV!Rth}JkL%dM=wCr!H=!>M zJiESbz8W`8*rF{kjD1_}&CJ|AXL;`_pjqGY)PZrUjn$*M7}MZ@<2R zo43UYpY`bVDZAa~ammleih*bI-T8QM;Q2VOg=ha;jc`49C;XAZ|4?$j{UNyP;S+&p z?OxBhbQ1c>_)Jge=b?WV{m`ev18x`i=s#I z*(;$x60ZNraQ)9o@N41v+zHobNP>@t>+>dDpScOX46e^VaDB>^-Eux_!u4qY*XP6p z?+DkYJ6xaM3H~TtpV4rACIp_ z5a>jYmEc$SA3=+|=eRj7wQ(2qjD3B7r%zC#=r&%^cLoh?m6d1xaXX^ z;Q9{W2|TWJHaQgu096${>-$%3!(hq^NX%wU-$t1OI$~P3-@<0m&1MU@gMw+ziNe8 zhw{3CXLV@5j!o!`6Z*^HAMjlDCiqU|=YF`~%lZiXU+zD=3imnhZ1_RE5BxdY-=+Nt z?)~9^0?)?9{8Zg(%XzCGc$T*Z7_S!an+pG9$vM9Zd@%dbZSc?F_ru3X&N+v|TXUUq6nq{&P2jIFU(SHpvu+AD7TCf)8fhSOa&R+;fl3@n`p2 zYEy4D1JBk;@3))@cYnDc@O-~|p|@YR!CNy=@50AAydVAn_3#8f*2Cn$^Zj}Yz5Ob; z=jJ@*LkhpANUb?eMX`7o)ddkHTH|M&sjpJ{i61@H=pQKE=oN{0H>< ztVZv8zRg~7UZ~$0?s|A6+<2~rs~-$EpR?i4$EAVi$M;|K*5@&M$M`*`oeXy!z69=l zk~`t*N5WfjpJ6iG^=f+H`S`y?Z~SHUiSfJs>;ZQjXb$)Mb}qaF>)SQ(>zKbc!dn$4 zP09U=yWqC_3|#$-aP@D&jdMQSILq%F^RSlnuu6g-oZ$5n{Ne<^6+Vjb9TIr9F4^Bl z(7P^u8hC!(m!o&wYwowXzj=M*!1L?aVDyDyEUGfM@Tc(a2lOW~zN_HYRn_V-&yH84 z1aAR%9NPt+#s5>`Pf7iBfd34?1RtM+Tm$zx)Xn%T!RL1LK7V-^?(>w-;O?`(!OcUt z8gX1cq220%=f|Z9T%WVx=Iti@KgYi}dau78hkL(t5RJb>ji_=HXempI4fKPbb!a zH_+?zE!=$m3pbxT?H}vvOZvNW;8|Un&jZlULw`_0e=Pd1&^Jx!JD|Uc`>q$Gx4*Z; zoktJB&BLe!e-CbcK7rrF_0cbI?{jW~+isNuHs?8io~#ylmS@-PI`D`{vWvOTe(_s{+gfaaIafWh3j)x;8}m2N9Uopzdhi# zdl%gKH4N_ayO-hSZ93e%Ery%7aaCtZ#@5^pU*n8U7fhTeF`rR{|sI&@N7PM z-Bc63`8ff-@6WeL=sTb{{+k2O=jTrJ=4VjC{{{5=zlPp<^fr3yVGi87{Q@8JuoAuP zZb;}W9~kF_`r3hK_3tPl0D`3S_X)l} z!FM?**0b>+9C-d5*c83_JOyq(Tf@!g`S_d9i_yDYbwh7m-2%6+1_qw5|6%B@|K|eF z>csC|8JEz%kKVj3N$^ehIKEX5j`=sAyTi@resJ@7NZ|Q(<|y>WS)Ab4C-?~Xx77s{ig?B=u*+w^y?D% zH}GrV_V)(-?eCN5zr$xNT%Sn^pSR%l_al6M!2fIb_wc3o80RXu{@WcM*ZD>GY#(^G z&O0tu;ri5uJ1$4#|0Dj#qu2io_{?(g{^TWa_1)k;XS^}+LX-cQzqg^+=Lz(SiE|X( zaeN6M^IWcOtY@#&_kx?Zrf~Ci0elJfwXTA%gWm=BI``qgvpoDrJ|9KzIy?cc&)fJ6 zE-*N5xj*3}dE?|}bk__pxZ z@NwPv2=3>V7UE<4-=H_nKhbYbyIUU-=biDC4LqB7#!=#763`cv6w*P%E5QjKE$s4o+ERzJpHIiatL z-uSC0^tI3%e?9b978);kzT61C@i$HATc9`oHVJ((dgJeu(04&^{QVR90qFIA8tyz= z0r!3H(nrR9%K2LtuFq+KXY+A=;ZI3ETch{f(gFPj^cN@e*P#Cweb0oxFZxaB?@8!~ zq2Gx9@r3?;IqT~83I11tmpLlV3(qHe2cFFf&nNq%w{8zXZ=IZiUjGZx>)#7~5&gOi zz7_l~_}1`2_J3excm6^aQE3e@VDLj;m*@xaQE2}aPu%8Zu}nvp5=2J#&;gv{CtCt zaV|r@9X_kz`fN=2lxrO4OKE&6!u8oR@cjAYVDx41X$CI~KNYV3*$MwU(U-&LUbsF( z6Fy(U{eH9MaL23kF>zj45BtDZ6VG9AeU68p&ilYE;ePI~U*K7t?1KM8=zah58T7lN zAA{cgVk+FvdoF}~{r(5s&wFllY|M|>p*zFvS53J2IU>QEz|DV~z_a|g4quMmb$CcZ zKRTg*Bk=6Go7b%~(R&^GBYHo#xGbUnC-8jy6_1PgH2(bq&-9+p4@B?z z`lJ7T=rf=8!KZePw+*}z{5SlMPxv=SpZQ-Kd`{2tu7RHqUx|O`gnw7`ng4ykr$>(8 z8TcLW)%f3&@P80}=KoCa8J6RZ1^ztz5B$d`{9i?%`A-Wzujly7fzN{fiT}q5{{`qX z|4)O@w>dsL@L%BT@L!eiUxz;PUlDx%&GE&7mpdWW?LYWe3Orw*)zD}D+bk^nDg4_f z$2SE3qw(=`d2Qj&-|m5D>y@83>4o0)Y8u>iejfbeLMKY*_0MqE`IT_jnSTQ>q~<^C zbG0U0Uf*g5o{#@<^u|94?*6hk@T^_W1HZ#}Vt-tZkLRmxo5nc(T<1=KXZ}_3sfyln zU`@C_hv8EZpGN5QX%5%tEPR$zhZmsN=L)z!*W+V6x1!glFZy3;_x^-_INWxh#m9EX zqPN|b(f>}n(-Qjk;kNrJKDPTcdfQ!ueiiL5Pw3adZMRgjxNg|)_JL>XhV52DzlL^q zOXv@P+iqQaZ1*ViwtE8lwX}P3LVp(Ab}z)ob}vJ3yWP?MMZ3Kc`o3`69f*(Z4nuFd zPoV#scArn^$D#Ln^Yw)O1GsU1m*9USc-a%Tye{pP;Pn!`MS`Clcp(Kvl~|X$pG_d@Ue;XVm{KlI)o9-Pn*L+|y`h=hJ5dhh$qK)*HTqFLyT ze||#05WVp)O6ZrOH~uvV{W|or1%b@3%PcEI)fOUMtZ1J;3V|e4CarKfV`N z1#aFBhkGt+5_lHR-o$erddKDZ!1LGdx1#raG7WCKAH$9FFSz5i)#;o2o5guK=ZftD z&(;~|*Pd|CX$|3i-(z>U--Fs8?)W|fcYMdeJvYvPJ6@l{&BL#O=f|b=8FAblm&$?X z^>q^ZBNFr$<@T(@Nc&)03`guW_z_v`BDPhy{~h2HqQfiJKE-f-Zo((KpM22b!k@ywX>ju}6CZzfZ%#tL2))0@_gg~04!!Gh)iYxr zd_Vu_z_UCU|IKjYzY8DZzdxZLf!_GXCG?Zg8-G!oI8TkUG2A#$3Ot*?#@RBV?}Xks zyCw9!&>QCfxbx^Se5|)u&|7a`CG=I=#&K-H_2Y$s=g09excM1{kNJ5ip??>>`T01Z z{{p@FSq^u8`-~#;pX8kxOw;&KA!X89>pj^{OS+x-pyj@;i^gWmH%>2qVhtdj%a_V<{;v-l68{+popeVBIW4@G}&LO%li zSn6aXdgGr3_qyOqxOMd_+`8HXHxHH0+nk@QzlRb3!3lm+;Mu<8IG%~#aXA;g`^6>b z%|o|@egyjch;s_OI(!ja|E2hw=QRoaI`qb0s(s9x{Vfyt|8uTR=&PdFzXAMk_QB)f zzf%9L;f`;|1iv!D?}6(-0aQ!d1AoffD8xs5;xIP=;`jqJq>#7FzTmfDazE9v;z4=~2Ex7*2;IltI&EN;X z+v4N=QzkSD;XZyQL;Q4&+ zi{88)39o~H(}Yh;^ar7Dhu-+R!p%cZxcUKb^^d^SzX(@96|VjhxcYD4>i>YN{}--) zmkZ~iTzs5gm%$Ha9J?ocdZO3oWq20r%i%fE zm-u);c3Fb&-znzJbKoOz-@BfW;6K94^E{>8#nIn*PDt=J3EmIhp7X;L_;{{&79@Dt z&M_W+D#LwFaZKP@jt^(Nn!)SB+u&n8Tm;{^R%UeVAyC(Dv;4jm!R`@i+=X~_;gI&=d ziT;L!z8`w?_F{rBOz_qCo9FGX*qom%57t8^xb;vCZavftJX^P|ho*3!w-)1Lzpg@W zoc+)n=L2x#d>C$=PvdW#ufQvC9{2zs<6Mj0-!a*PIr=<^xp5PhyG92pGN47ziC3>0=@CK zN$88w8-J&Sz6*Neza4!u*1h}C`#W?)(VvL^iG+SS`m1>^FcZD;e+l=T^B3InQkkn_ zJv1Sn@_}dd;Qq2Z`ljgjN$BgrU4NP<_<3;Szd7)1{+>j;gV8%rA4}+8P3YfD=s!>B ze?{M%c>aL5fUk$23@_b1u2-%DI|iQh*Kywky>(bGp>KrVI%%5Fw?MCdcevv+6mDIO zg8QD^)C7MY?)&zi!ELv~)iG~A2dNHM-yCk7m&4u1Z%FWm0?)?fGT!qUj@~@K0{6Mh zbhvSTj{hmt$x8Ird8upS{5_0#whug;zg`zqLa%>AxIV`vd`?2IPe=5|c?0@W=~r*~ zY4E$@E#ZUlcfL$SZ~Rlyn}@g28~-A>cfyCb<255dSvBISg+6&)}o~i*Wtl zh8yP`xcyxLSAX<%G0(n7aV6Yy-BW>Q`9F((jf7iQlku_LnStl;lgvTyI`A3Xb9L40 z%Y(_ge$c z@_#n{>I=7D58-3Ko`UPY0B-#({{QH@ANcy_`VZiTzOh&wOeVvT$!O`sWYutDSgf2F zErt`rFgX~8#fhbr$-yuT2g7JMv6xyq7)_Q=HMO*Kuvl4~AH&M<``+*Sb^CrkuZO$G zL+bf>_4>Te=bn3a|LtC-U%mdmrntK9veKijTh_hyd^<^be7c$9>hq#oDXzZ%ry5?^ zhi@tSu)E@|iZ>`d>O8HA-=RD%J3;ADkGD(7t3BUS{5#6?_LnL>>h0>)N`8GMf3M=| z6<7D+6{SbL9N$n}-T(I#SNH#;=dQiH)cvo77xrJ>=WUg|x<7j;uI}@G zN{_nFhbnos=NQG+eLhL)QTO>wC9m#tpW^C1|3UGMmCNN-#nt)WQoLJvT)f+PYxnK1 ziXROx>|5cspsnyub#nsneX5oe3ck1gVnUYt3kFRsVhtFT9xO%)zimUtM zm+*eY)%RsxtN2aI<#?;&>faAOr1*i#dHAy8>O31=_~FO(#S(sm;_BtqrMNn0pt!4? zKUXNO_S~VkdO7YAtesQMHz}^>k5F9AU!wR+%6?uCFP?8h8?Uqa%rK1mO5`6`d_=iE zKBKt$d+JY$tLNdr6jy&wy{)*~^Sf1$WK z=Mzf5y8qK9@-HfRb^p!Y4?nK0;Cx)WDz5&$!%>Q>pV!e*!mn3cef)J>315Ws{=cW> z)xX19|N9?)T$S*`ajDPC)hK!OJp781SI@)4O5{6BE-7_%$W`W_V#A)H%nM zygKLeCGzi-$d_NT_I5y>bMq2@Pzi4-;YXG5E;wJlKTz`O@BPb^eBrWeFZ>@@|6EHx z0Kc7l68->r;WOz9KaY|Z-kV$a`5k%TIhVrE-^hF6uab|!|3f|xFZ+Rh-p07!zNO-Y z1oF3*$d6FIcpmP z=EBc(iTocaU-(SS!q04p{PUDAUN8QSybkNWU83hb$`{@PSNK`C@566@J_aw0S2))T zpAA&_*{DRmg7U@d>5k;>=&3Eyvm50*k*_b2-<$G<*ER}2jV1C2Qoa}YqsRx~$Cl_h ziSk3pf2TzLEXwyFe_n}vK>6bB*j40{=ou{0b2H_qksmIR{|V(sk&jE{AEf*|@=uX3 z!JjG7^DO08kbka3{sqdAoIm%&3+HCr>gz=Dy!yG4S05ie zuK1YpJm;L^>ig6FtGJr~>J@8`OMRZOUGX8M|GSEROL-lkA6}UMNM-)JOZcSHquvis zOXUAmBEQ*{GC!}oO9|f(UijUpuKP8`)%TTkE3WR_rHZTjd@G#i`Gt~K*L^~9b=@V! z)yIh+ziRE}rTR9CS1He%)tB&t6j$FLa;oC$jpOcjRX;b`Y#gA8d)H%;7 zk?$#yzgh8l<@eMhN{@PZ{aMMY`}}vsFH>GG_}JBJ_w#tgw^F=YIo~YBPgI_tv=vw1 z@4C0*>hmNm@WOr`uk70~N?!eZr!FP09`BEpyn4LXD)|$X{#%v2+8-;feh%2U;_7+z zcg2rYK7aLnIA4#pxMuA>t8;FvxO%x9rg*AcE|)8Q`|3MP#or^hD!z?!yZx}@YJURf zIsaC|-&T6m`8U6I?Qyj!=jV=!+sd4EimUS+1m}4!Q}XIQ-=nzN^9#k*>)jKItC!;} zoY#F_$*afvj^gUNpBt2YDDm~9>Dfv^B{P897T}r<2 zSgm-T^pwb7s^m{q@>i9}->T%lqvY={k$+gptGAzzmdK|{{xqe3wnY9FCGRWw*GuHz zSMtXw`Sq?_dp@g|*XHoTE1qyj>#yWhJlPzO^WM^*lUT$seoqpRV|E zigznsc&uMMA9|I3_5FmuQe6EUuz96NUH4VR)pg%cTwT|=e(gT1>((f)-v7B#@mRS% ze7A(R->|k{&0np!`g`h+imSI9|5jYhe|czazv`DLuJ&9D=i8ZkmArcS&M2@`P+)Cx078;&rZtkmvfc8`n>dwimUU_D6a0?<~M!#an->KbE&6oP52Z&vu3T|-o@=8I z-=D`y_#B)s-^CL7kKFR%$F-s2>V8(1@NMCIejcpk)#LRP|Gsj)zD05M{Q#qitIvB( z!3*z~P`^(qRr2cjxz(*}k5~Pimd_}zeoo77imRW~(yX}pJWqEC?^9fTzGzNy^>`N* zSNqFuTRXq%m5QtV+bgagBbQ;$KtlPwuJskCpcsHYvWf@;Id(&gV&|l2_L~PsyvF$8}MO{LLl&r;4lB zqaWSA_IS@#&i||LSnKNfaJ%B_vw~AAehM^>}+m*3R>)@_6bg#nsP+Snsa2`F|>pJC1`FZhtzI+u@6q{FJiKA1JQ= z-DTz7Yx}QP@_Q<-=1)~zoxfXg_4%dC6jz^TyH0WS`J%@aSNGx1imTVJ|5IF@=i@(F zdt9n-p}2Z}?x?srzoWQ1f3xE1{D&*9_Ftj6dOkm-xO(1xc69Chdn?aN?5VigbEo3! z{rSW1S=;k*`8=Zd z-pcLRWh+}yUYK9KzFhY3+WZd-FWBJc&6%}c`2XBc z_>a{;>plD7zSEyS+;1-7gR>u=A1&eKf6?<3n5Tk#6n+f(H2h`qV$W;j#h&e-)7PCt z&p{>p>=HgqUR-ySytwXf$&2e6fBo=zb}Qj0l<@0H_;d;XpoH%__u=y#OkUi7pS*Zn zx0LW{@?`r!wXH^2`kFZLWwUWNP#hG+jQsQDZSad<(C6=g|B}2o=Nsh3{Ejbvcu!jizoLXc zS;F5h;m^LLuUnk+oO#{*aa>oE7xOogS0R5pc`<(vc`^Sp@?!p%iG%uOpuSlPs#OsKm1Jc z2Ka^K#dUu`UOcYL$!pPb{Tuqa#hw%1)V(;*cgQ=@b3S>o=VJ2WJeQK!qUS2|;_==< z-i-Wh`#aas^NZ-|A}{9ux&GRG;r=J$M!eI9yS4g0eBq}s zPvI{nni^K$iC+CvO>XZgUifU)!cQ@uz-!4{_mX_!v!m7gJIL3OZ-#u~v!vAgUz??; zfqWER_$(bY|1P|d{PM3!PvJ8+)ch9kX7c^vg}>od^Ebd-$Zv)h{w7h)-v%$dr$zN? z%vpG?MD?E_UwAD*_50w3#~`Xd0580TrTRng!fQRM{{r4c{wsJl`Qz{&@?XOP@~7dw zYc9^(pFyuSSR z2ssbO$hSLEe4P9=_yqZ-M@v2-A3}bT{O9l~@|xqNXPSItcuIaGe1^OSK1=?3yY$bI zUygi6-Upv2?}smthw$RRPhS(Cr%TuB!3_IDsl_`7WwCV>8U1v6a6*h z@4#!x--X-cAHeI#kHxz6+$r8e{vtdee;M9O z{x5hR`D^fg@;Bfi`P=XT@^wdK&Ove$K15#3N91M550h^IA0gieK1#kRJSP7bqk*@ug-Y{ypz1R4?g*^$aj&S055!&l-hqXyodZd@PPab zcrW?c@ILbM;Qizmz(ewj-~;5Bzz4~H1Ro;*F+3u_5j z4dmy*9rE+xjpX0M<=aGlG4jpiKY+XBm%>}fFNe31--&e#?-5n^`K4dV^~)n~c|^RO zycOO--Uja^_uxKxJG_g0cX;7%+0;4rg7=W`4-d%ChWC8 z_h*p&VDt=;7uSu*JCPqI?|_ex7xSa!KJqbn7krHThj3^0dyLin@Bhx~H|?(eX(SKe zP2^qhX7ZEaF8Oir7V>YwTgkrxZzJE_mpKdHd0O}>-jCW8-cG&&yn}pQcqjP>r%At0 zz5?$eUxJ6L-z%ujv+X_7Q+RK->IcCG$q$APksk_=$iE36CO;BBLVgT9h&OnxGK zjQkY%IQePt3Gy@H3Hb@|N%HgIQ{)%Ir^zpdr{q6`&yZgVpC!Kt9$l$lUSIm2xdw*G zuYr${-wPile-a*(Z+wyTkC7h+A1C+V6Xd7B6Y}G~Fa49`55T9$AAwJkKLxi3^!<71 z-_l=4ej>b{{9CU}zJdHCxI=y}-202ZZu5bgtbum&hv6OM@mD3^Nj?Vm$y4-nk*{}< z^mLPNj(iXKmhgbQ4&F;%5AP%29qaa!dvL!@K8Lb+d-#!EHeItnUF0FWoBRfN5BVMN zfc*K-N`Ei;smS+{cf{zk`pF{{ucw{^+rCTodH`94DTT|GQm$k~~Cyiu^6)r^(lcr{vCe zrGJL}F8D0@7<`WWSMZFy*gsF+iu?k3@%tne$vxzA@>}6c&Qpo z_2i@Q2J#s0kQdLlM)Gmwo5&~N&EyH(C7*=1kWax|$*19M z8QdqIhj)=Lz`My8;XULzJRo0!_mVHe`^Z<|{p7|4ayt`}uYwPdm%#_g%i%-hm%yzx z_bS&ukB$Fnw3D0iu*C?-Q+Ybgm?V$nX)0rZ9KXJddh``Z?N1p5>`P#yQtAC2?2H%qZUHm-wq8n$3PjUWC@n!N1&VP^Noh5nx`wr_I@j3c? ziuhdddU_wecaeB6d2)$(CB1Jm`hhsVUpMa;=l6g5SBN*!`+wqV#QA+_-u2@Az9#QR z@iKZHIfA#4JHwLa_eD6ji}U*yJUG9;pTH~V^(O01>EYKU?GbT)ea*Z}oL~QP;1kpz zz{^*E7FOY>c>YAA^1m(e^d9kM^7vly5pwH(@r>MlK)jY-56XTf&abao4~g^ZUoMpa^s zJc0L<8&lHHuTN$0Im$avNq(8!hnw~fINjyko$j@`~rFQocId4{a0~wWBGS+o&erN9z8EPpWOJncpte1 zA0qcN$tUD7e1_b7QSuAq!As&R^LOT9mDkbJlMr zE)^dn4=)p+C(nN@Zf~vkTcLOdc@7^VH*b*qGI=y4-nfn4AKoNBKyGK^8F~DIc;&Ww zkNKi_JGu9gcuXG8i_el9{}8XS^nUk0;$7s?yW$DC`JQ-2?!s%g)BBB&6t4M((M=we zi4T&e@JaIEW0E&NrT6>g;?3mV#^QbCIedoP-9++L+w1))+$Og+lYAq&4euw9;SqTb zpCAt^q`$11=Gk1_B@aF+K17~wD{kzd_c+^$*OJHZ9&)Q%@)>!&gLvDg^?qX~ai83T z_mbQ28FJ@~(z8hJ!|Qj{*Y& zxs%=>oh;r)9(Ia%k;m{p@&rCi?tVvla`NPKac5_J9{ViuPVx{wNS?zN$g^{#XNBB2 zSKR!JzHR`oCePtr~eG&oFr!i>_r{{--P%7^e}@(5nOo4!9e z+#+|zW&S$y5Z*){!Q04Vc=2_B;{55)r9Y#*{|oVD@(^y;>GQ|%8uAqGkmvALauZ*G z>XX~>K5`cxk^As*@(`Yq$M6O66mIOUA8!t~$n9UszB%MR+#`?S-Q+1eB)1=t{t{hzq;C4F7<4e@63>@D$5a^r3BfZT*nlgIy&eC3z*b@NppSp)Ut!AHe? za(8|4UUCmUNbbW&$pd&o9>QnHBlrS&0=F9UVJ!eIN2|W!)xn z!xC>Nx8Wgq1fL+cwv(P2avQ!v?!&9UVyyWo+$t3Aucq*N@(kWgp2IzI<5MzE7r6=V zBe&oYxdR_358)|!3|}BOwwHN~ee~nC;FaV)+$Im}m&r3*ykS3mU28Y-4)Pp6L>|;hJ|++0ljIS6mOO!*`|I=gyGy@E zp6n^!MV`WA@_cW}Pm&vs_$;{vHxAI}3E&mvA>1Rk_Lcr2@^C-#Me@`YH=6Wyt#61o zlRJlrd*mU!i#&tJ?1xLw9J$pho|8N9vajlMdhkZ_^jp%?Ngf{|K2Gi*C7zOp@SNN{ zTJrS=>hl=KiZ_#6@Ii9-M9D9Z+xP(KvV-(~4{ni%@J@2?Z0QfkefS7@3ZEd);3;_y zpC>oYk#((ReSV``ypG(2H<4TLHgX@{N1nlB^5k4ucaq#XPdp=c;49=Fyyk2Aae0L= z9bNs?KyKiJx;xk}kbEC`2p=NP;Zx*cAU$*B`S--luj_NV7m0i1;T7V8=FKL|@mrM|v8`19&&Naj)cK za&Jt0mfU?%+&q-l{keDxx&MgxAi4LL_$av#PsjuK40#A&AdlcHL2sSHUBc!UHz|hR{!IF zL%f>YIaJ&scU#0;$US%mxpBDU$H<*;iW_bEJXWi?OYR*l9+5jIijR|f@RZ!{ko*F< z3pb9Uc}|jiCAkB)$<31`?~*(4c5?p|$q$eRr;1OIC-9U!gD;ZDr%6xQ(fV-(r;FFH zpDFH=`)7%_lZWt#+&WwGv*f`!;)~=Vy#5%P^FqmYk~`lMA19Cd#HYyd`nKL5kBYaE=kSO;y+`snxrr}esXLbXAH}-l#$)3BuxC9eMOe$v2Uw@Luu^UyKuzN6$*nBzX)k zKS7@-`IF>b@*H2VGemAZC;0{T=f!JJ)cfrP@osYOpW^-G5qy$7{+Hy<4!z&R7xH-Q z_(GnDJbXiX7Rjx5#OqJe`{Q@Td&$EO#8dLICC}j9^} zCq7G_!pl$5*EK#S`4;kcL-B|_*+hJdJcZ}v-lmebJN0$V&BU9?EqFV*4<8}7Dx_zU z+=Z8)s;`^FYsjt5rKg2FfcKM|pOE}CdAgPOJb4bU{f<75xwYgQ$!&NyxwnnvBlc~@ zXUKE-0=Z#HzV0-Ao?tuiCh`d0OYVP4@-ca`z4!`wUM*hl>+5=-7Wc?g_$ayi8Obk` z=e6QZr|bRBuHu8_(H`RCE+*|Sgz9=w@6hI`}*yo)@AC*+AI^OSe%^BBj9w~{-@i4T(-$BXCW-U;H) zxq82Sns_I94j(6v&yc)vp59}gBVIvn!Q08R%O&4Up2PdejZpHl@&Qu6#M$*=mZo)4ZD56Dw|f!F|f z4j&=6ek(omk} z-`CfT;TE~Mh2-nW1Gr0`!8^#EO6dv6BlsY>v8Ci=at}U59>O#79A0yYe!T7{rQacs z;jQH6R+9J0eRv;v3XjRdD(RUdkKl9UIedxS-dcJZf1n>%zMc30x%X-D3HBYutNZkx zphmon+}cUJmpq5hk;gkre$@}D|1;<(_iM$w$U}HPc>PPxKDZG)~ z+C_Roa`SWI!{iP;C--d0S6!;FYkywcCimby#x>23v>)3Y} zZz9j&1LVdYn1|ekPmufYvdi>&!g}ecBG2G9x&1}ScamFQ5+5XwzAQdUp2HW&vj)jm z{8*pU+e^HLJchTEM|(>?B+ni3VRH8?;$@fX>-zhOHjSB0fa!-6vjirQVa=FV5fNkd2EQSLu0gLcEzg ze?+{4JWIq=^57lussX*<*l7JV&_$kXEIv-|Zz8_xYQ4v=5^pCrwiA!Y?H$A`uF-q! z&mm8q?=C)mt)4d>@l}Jm2m6aRk*5cV_p`g=5xISc_#(OQiPvAJuN!xYH?yBAK1gn# zEj~eRo+Ca-9>I<4^>wXo$=8yH=ZUwG8{ZWlAo*!E)x1-k)41`5N*J-c9b*Z?LAIpFG)9e3IPQTYQ#0zz4ILH|p~Q`$@i6s#To)9;O^>w4)hVUGd`Qo36WhtaVoZW4$lFM0u}#!!?7~+@a5(Zz~4LY2;NMd{6g{}d4wG#Cbt*G`^kOyIC%nJBKQ9-J!ba;-XFt#^1MRwA-S`;cuXF_Gx8L^M4rLRex}cp!|Tb7Psq9* zp^|aXiM=__4&e^ z_$+w>FMn8HH{4G8>&Y{C2YK>o$@h?_@G)|CN6Al-d+@5C>+>Y|pmd+y+X?$X?$?SZ zwQH^BZ4~d0cWE-cN4rA^DU%fZLDg{b9Z22g&mdxg9F5yAJy~e!QzAD?jhp#V|v~?9C`BWTjF!% z;Su6BkLx}0G2;E?Uc2}xc?dTr^`88A^pl$>h)|61P%8(vTDz?;ckxJT~6yU2ZbA9(;DA`js)c?6#%kKwcA34D<} zg%`gMq_{sBykbh851%3r;B(|5 zJSUIftDe&LCx%y&C-7SG6khy(mH+KOyoK^Pyo200Q}(}y+=PeZ7JQi8hL4jw@M&@v zo{@X-C2}8L_8WcQ0(cd92)D^2cq4fXZzWIQo#ZJzAkW|fZxJB;4>&Sh06L|n{BM;#|c?9nzkKu#l34D}1g(u`0e1<%SFOVB& z;r5^0gqzd)zFF{UavNSx?!cSLUARZ?!Mn(Pctjq+$H+tY6nO-nBTwNuxp8*+nhjX> zTYVoKxJ4eqJIK9rq$eWJ;A7-Qx8#?}6L|SE`aCJThCDi7db-KY3&i`$U3l?(mWsEl zK75h#$%WEW^E-W>pjW(wJb`zRXYd|!B@f^Zc?54IPv8N$b-DD9kO%M?ax=u7f6(WQ;I-uT6_W2D&*3BF;gyn~ zCePqGxqX%7%|Gh%gz!4@4Bkp^4@gfBc>oW|L-;Ux1Rp1l;nU;^JR?uxOXL~6Y(_uc z99~6kTrJ0Clbi5Hatq!{Zo@mt9e6igisYseFL zGr4)K^mybJyo=n1_mO+>A#xuclPB;+@?cQrG5(|q z!Y9aGcupR{SN&O^Glo}^C-7SG6z-5`@D}nM-a&3ea$G&+COjm!;KSrLe4N~YPm{aw zjNF4Sk^69KR^PV(-b`-ZBFE*CTktM&7v4wi!H39wcuXF^C&@$js=w&-+qcS`E_ntY zBF}G={2aM;yZ8#Z2X~&+*Nx#Fs~nCAkH! zCAZ-YxeIS0_u(DnA-sn?h7XZv@JVuiOpa@jJcid~`tfEDO1^@&Ly})0&mI=9 zdqMB_e<9vP9>CkkL%2^K!6(=!q<@(_`K5UIi~2mlBjUB>3EU&MekJ)S@*okPBM;$a zFX`*1@H%qqQR(r>1Nb1h^O)pE$$fZE9>eSA^?8g*tV`~~yU0CwOdi1}$*m`(zw96S zy3Uj0&E)xS#JkDer^Pe!@VDaT%X+{2jJQi~{!YA?+=D0N_8%l){)*o3%!s#=yMGcN zCeQyYo|1dB;#CWJe>^ANLY~6|a{q6VpCAvP7hfh%;FbT>*ERnx`8skN?vWdr*?@jSluj@VLlDI=2!+Xfxx3DgG0G}ea-j=+P>+2@) zT5|s#$+wf+%i=@iIedmZ`;X)o$aDA#x%FSkH~pVJXSgChN^ZR`zC><*AYS)|-jl%t z@^sb5*951@{q@DIH}#$zUPo@=i{hKeEqEKb4fn|%_y~CfPsuZQPHuio<}X{)=eOZi z6Q#*5^;)wdCF=($m7esdxu@3?Cp*DC; z)8sLHk=)oudW`?*>)P;oa%)@3yW}psgFJ!{lIQR__U)wK{I5Qb^(pac@&KNZTRTX; z>0P}i-BG-aJcIk>IedgXu92Pz@&sPLqOTj-k{>7c>%~{Sr{~?h#aqcuN4%5Vf(PU_ ze1bgriu9!9DcpHqpC{N?@-ex!pLpd5dOq1-yp}wNJLJ{@lJ6kT;63Cye2P5&n)Fnx zc{h#mzt2N<4;61Fw_C(Lat9uh$E}h#)>&uG0k6CIKMViOI!e5QJUd#vhdhUe|JRwiIur7HDUm-WnlDxg1 zzODstB)8$M6s$8VsT>=eckM* z;;rQ2{o=FA?|!q?+?xqA0fBS7f;E3c-2;VkM~{4`{dyT;)CS=h2jah z9f;@TA>66b*UjNAjv<4^5jP8iOGYT#iz()xV4?$Z`>;R z7IGinNgl$-$fMh&XPVp^7M~|~;mhP6y!=!8oIczow{DkypWM7de2_eaC*;AMl3yeb zN5m_(r+MxYcgWql#XHE&pNJ2T2czN%d3cX_PM*W7tMz%@dnMmO9>e>{&HE%jPVU1O z$y0dM4*I%wEIl3MAv`6w?w5Ssr}duT0nAVCjfwY=XYeU<<3Y(Uko$0JM}1xIA>-k-u9a(`O#UF61Z#fQmLxbYdiKYK><0ePN^r{wXU#H(uc9``Te9pvWo=pnaW z5-Q(%U{Tg>B#+<&_ zDZHIL{y*u7$-yq-LSHaCrcr)?@Zq(`X8}CcrB6r}OH)N4$ePfcKH7@Q6Hv zkC7YeO8+9c2e-bU&trT<@^$1Eyoua_w~>2rpWKJ{lBe)-a%YvylaWVoa}Ry~=%bRi z$uoE>xxJp``^h8t7`d^&b?8irj=R zk=q+c-u|LKXR@JqC%OA^@qY3UK1!a#6LMoC>6sz7;0xpqe1+VFn_trB_u$p!KD?eh zfH#we@NV)5K1yzya$GriyotE^Wqr;Z-bn6jCi!;q03MS&n@fI)JotpT)u6AN!9DVL z3(1G%W~KNvc?@5*r`~UGDftF+;kld`6o+!AoBM;#|dGZ;_50U4!;xW1LS@B776Fy7sz$^CE=gi;^xx0(>`{W)x zBoE<}H^~o? z+jZiz;TI&|O&;$d-cO#uBk~lUkQ?=wliY$Ykvs6J1N8X=coTUD zZzGT3z2x>6WuBNkfiI9-Uy^)9lRl5}WpRhSLA-_Bf%lQSdrE$cJlsosp4{GB-2AFO zPYSOmcOA*MlE?5)@&q1`r|@y|96n3#d9^4)W4tj zAbGyO_&mAYgn63vp5UwEZRAO_xKEzJd&!NjNq&&rgpZP2@Pyok&yc(D1#%z0LLS1+ zuj$7d!>h?tcs+RzZzeatF30PU+wg934?a$w!yq!FQ2joVZ^pBD!@SNN^3iBMI z&uM&He1zPEPm!na1#a#&Oc$N^ZhC$t`$5Zo>!29ry^j z3tu94PLO$=7X5hL4)K2S@MQ6vJUCUn?J&K^IYT@lx6c-zA$Q;l^kJc9R;$M6MmH;{hs2z~zeBJr9db$2ci zA0&_Z#LL?By!S)#e)9BE39msvd3u9*H+gWI_#}DsGjY??`@P?bw~$AfxKAFxB;HGI|3f?_kNzt@Pwu}j zzDyp#E5EJJnZVn~J!8`~&(A01`Nral!EN#!-c25DB0Xc|&ZgqVaeBY8 zxp*_VzlHc9dAg-|N}j`Wa_f_lFK^e^b>TJSKD?dW+)8=^atA&@9#%{F6& zB{#Ph?(vy*AJBwGGq^}#)iZ_raaF;xVx07e^Zt@)7Pi}lx){V$b_!zkb zpCWhRbL1X8C->p2PNsc;+vFj@K*8+9*|pKlywKlZTJYe3!fnO z;3;_kpC=FDE95EM^!4M-;5Fpdmt_71avR=39>9CZBX~$2!-vUJ_&9k6Psyz>%bfG% zHhhKLhnuJC`w+kz$WwSbx!EA=c9UE1h}?sZk^Ar|@(?~p9>H_+1itDF{kT$i6}h>m z%x{xh@FsE(-bU`j`^Xb`L~iUQ>yD9|@M&@vo{@X-CGr4XcBZ}$A-sw_hTG%`youb{ zTjp;gH{o66E<7Ul;Irf@yt+%DKi^l@Z6>!H#k5<}P-FlDLCf-OM z!$Wf87|G9)2k`oH^?t*Xd_W$-N61t7GI@5a^jPQV{pNAvP2>*TC->nKG&`?^MZK7wYS#@H+Aw-b8MEM|#@GEx1o^!~4j6_z-yjA0toT8F>m{BG2JvfquNk zX)=Emxdpe$ZFm#84{sw6;9cYiJR(owv*h0CGH1>A^!bxB!~=4-OFUseOWeFj@5#;< zuP1lU5%wZ9 zir0|a@CI@R?vlIkc5)BiP42_{$pd&q9>QnH{R?FN1@ZvCLLS0vzOU~?1n*}5zVxT$ z_7B7xFVTCvKJfwa=ttr+g$?UiF@S1fcP|dc%69tkMy4Sdhs6e>;~~k^7tn4 zS@HyKUaI%IH%q>j+=q9N$C2cR$c(}S8Zk3*Z+`mmcCbx#goy+td z^FHxD@)SNpZrv~WMRFJ3@MFE-AD6sK9>B-Rt)EN2;&Q#mc?5Hk8v+G+++Vg@p1A9o{^hxNZuIK`vZ6dc?h@3Q+OkJ4sRtl-;{N`$Zhx- zc?_Q?HNH!Tdn>(+5=7mwXp_22aTS zgC)OAZn@&-?bHu%BX_@nb;(2cIC*-Av&C`N)$)j(IC*)R}_zbxX zUnKY8tM1g-jp0q?`BBo}O>Q48-cRnpBXSo$M()9<$bI+{xp|DNYmVsi+weAW-;;bF zx$$lBVR8qale@=CzVa@8-4NbJ9vvt7h}=D1e3AVG@rJwg{-i^^gWNqyyq7$Hr|c(7 zewjRhSN}v`*E>b>UF80$;*;dAFJ3XK_vGh^d*uH4=qC^0edHlLBlml-?mhat_66b& zc?$0(PcD>vO72}GZr!W*$Crxx+=|QNPjbVbeFhCp1=cg=WfYQlSlW6TMy{#+V_d~k^8au1bO;X@yap1$9q7$kvxaD zlRIOQA0xMZDQ^5s?>8SqKe_$5cq_RBA0f}-6XeFE^em9O@Kq1$^MvqPa`Or486}UN z7M~)|;B(|TJSR7%rDxSc`aCAwCAXiEd^@=d?;#K1F?kH1Bv0VxxIRyu%DQdj(I3P| z$+JI-&yoi-;$;u({UO{Zx1N=JFS!jLBzNGW3W!+Zt{5kQ2{cqxn zw2$C zPYZbnA7p<^^7G{0+v3h6dVjPmK0==VSG??3dfr$O_t`%XPswxmJh@?1ta-dyo#_1` z+#@&Fk^BI;3!fqn;mhRSy3*r3s;_H)M7)nYg{S24D#=$pruSGM6>lfE*ApKlPvPd{ zdQVU$`D*eI-bQYGO!B?t4m>4KHjw;0c?!2D^?A$7oda>-Xbq4%V4kKFsX z5R~3%=?}ecb?FN1no)$TN61xxcZj+fN?ABk~YFMjpZE$qiHbm&r|d z?XUIY3gJGvwTbkMljrbha&uG3XXG}#VoG1v+D!5u`xfGZl!(DQB zOUbvBd+_f6r|Vw8-l)p8j}IpeiWm-JzzP8>2CNv6LqHA#R0szpLeZdz0jor*8Wk~M zw>tuAzzT!AU_drTsSpJ*V#TN+k&POpTccDAf*Pc1K$M`B9kk*%ch@~|=lQO+uB&P1 z*QftkN#3OC+xK9+MqgpPL2nz6=&Oyl>0{$v`g-Gidg{mX*K0^$V0=u^8=uk_8xMAJ zw?o-@n!e08p*0^nvjbeQdl&UvIoY&#sxjeIk0%_>{iXcy1MoKdJwnzg{6dZ+&Mszu0(#ewy(%y<>eB*I8qH zOi%q}en0)Jn_ptQv77UT@o;zNZR0iigU0&{-F)_^^XCoraK4}MEWKvD_Hs9Wk?{t- zWjvzaWV}ls8ZYHsfAit|KBGOIXN@6sdVeflcnLwe8nn7+pNls+~dyvp4^>y4-Bsh`i^Zdv*Q z<9T}Cct~GtyhJY>uh5qnuhARE8}yaNBYMYpn|_<|E`4acPhV$zNS_%W)3>^J{&t(v zv&MtGyZ!ewo~9R#XX&RI&(mwhLwehIjhW;Q?;8*4j~SoRgI~<=KRDQRwl|)pA7Z>gUt+vXZx~O%#`RYk&(b@_^Yq({hxE0^ zEA+>VH|U$+H-CNG^o;R7eUb4Yy=;6;UuHZw#9iN2#w+v(jrZwO<74{fzntHHaH#7q zGG3uCG2W+FjSuO|jgRS(@hQD$ymFY^&)E2ozTWtlo*KgLDB(^coW@q9mcm-Engp1#C*NUs_%(U%*q&?DnD`YPiMde3-7Ut_#Y z9~C24g=?&u{eWmddeQ3OPw%gA- z;|==eznj0l*=24%W4uA%&v^JAH(xS7rLQpFsJZ#OjF0If<5T*=hv)YhoZ~uGDL%9(YwYg^t+7L= zKjZe9F{iLc(Bs#Gc=y2 zFEO5_SB>ZC%Z-=lk?{(BmGK(=LF0Y;)cBB|`}6$mkiEiPuS1OI=_TVKypr#FJ0|Cn9g_F zpL1R?KBYH|_pfpDJ>%*BX8(!#esHbxobd{Msqy^h-F##`q^~kwq4$h8=o8~@`Uc~D zdit;P`ybOo% zH~;(m^%~MM#;5c}#?#lk{e;Hz^d-hi^s4b1eYx?79vSb_R~aADd&Z~qHOA97xc!ff z=jrQ>m*}Y{=Wn+fyPmQm9Fb-Fy5yx`p5i!@?UrJW#bXOX*_+4n_q3bMqg)qOi%xF{=DHg zT&HNfK|jrSn_e^Cr(a}zOm7(vR=e{Kj5p}(jgRRIH_Y$9^i9_(8Sl~?#`Cwj`J0SK z^aqUx-*WS*f6bq_LJy5k={4iEp6gs=d`MqoJp8tspBZn{b5GCjC;J^Yzr=Whev$Dh zy=%PmUDp{K@6)&Xw>j@^ZoXu^L0@V-qSuYL=_`zP>22eE`fB4tdMem-iw9?{Fj+w^6|yYz&*-Jfs(mcj>1YAJS{ar}T@Ar|)q49~!UG*BOuK3pSnK|CpXPKBX@<9`xOL z%f{36n(>f+oAK-qxPRk$`hv~o_u2lDn=ctp51coQhxC=kOZ1NM3jH?YHTuwagTBsq zM4uUN({r28U#~8`Xgqy4ub1%(eWmdly<@yVzs-0=9~y7d*BS59XU6;Vt+trIUPF4; z_?W(*@hQD%JovG@9hMs}(Iev(`oMUfJ~iIB$MrMMncx4IzRY;`CvLuHeEL)8Ym5g& z=L?=Y-*2yVo;Tj5FE&1;*Nl(pE#vK9xc<<1aG&#a#?$nf@hp9-)cpSQ^sMoazQlO# zm+rhx+WEkEe;eo9 z?>OJ@Zs$BS-ltcM2iv>()y7LN;(3i%=nopN(Wk~6^z2Ua`;6!%6bWPZM^YP=a~ibo&L_wOUBc?IFF1^=_BL8u5SJ@<5_y}()sg-^t|yd zy<|Mt&Gl=>OZ1D3*XS+d5&b6PZF=8$pT5@kkUlX!rf)DlrRR2@za4_zdA*Ex>3!qv zSGxJN#=G>1@jiWn@gY6E%lv-E^o7Q!^n&qVZ?~TljHl@p<5~JS#`E;1@sNIv@e;jj zyh6Xrc#S?X-k?8bJfa8L`P-*W-`;qao-^L3A7Xq+FBu=xuQ49I%H7Trns^oj9^zQK5#p5ASKKVAAl<9&L;_>g{r@iDz(d`dsZ zcu;WHt7$wU;wZ=>uQEQQ_l%F}Ym86nW8*>5U9a`V)AZEK z=WmBBeSz^jJ#RduFE(DHmyK8G%Z%6P4dV^^O5+i|W4ukj&3KnSG~TDLGd`r3bMv>) z^jLR$t}q@R=e%vaL|<*ZMt{uske=Cd{=C8Qt{)n2&>P0nC%E}F#@nxRp4n@@KR(g< zBI8qfXgnyn`6b5F^s4bJeYx>GJu)8BR~awSd&VpDq464ho$&@e{fhb9A)<%I+w^6| z!#B9wp<%p4UunETUu`^nlIyHBKBjNJXnvo;65e0NL;6zV(J5|zx$!Alkxt$oX?Dp z-{U;D&wPJMKg4+OUN>Jdo~AD~o~74~=jkhqhxE4b5`DGt3Vm$6Mo;ZKf4#c&CC2kL zcfG2{Lwd`2iN4Nw@P60Hzk2?>;}1ArYDC1LpTrxzKe= z#B9Uz(<@v*Z#+*g886Xm#%uHy#@qC^@${$Nc~={6&k`F5_+b%y{iH z?!1MA=dah8eva{ArJHXWPt#W!FVTC(YxFh7Bl>#d!4>Yji(WIo&mnz@@$gFS(|GN( z&hIjwZaJSB?_T9Rd&vBG(^orRX1sf?^Oo`9=baCXhhK0W96H~R=sDwKdewOUi>}i) zUc1iu8sphj&S%CW`c{X{@25-88t>EhGhX?U>o<(|=?@wo-r(kQhtHok>^MKfc!j>q zc$eNWUipga42^f`sc`&7Gc3gc~h+jy7WGd`xTF+Qble#HF# z$6s~(Txk7f=QZP%Z#Z9RJiXfa*!r!`3rEhMxAAS~%Z+Dmciu7{-r;<;@ygxKC&v40 zoo_In{e|=NQD#5%g~t2zg7M+VbxtrI-0!?%d`LgXc=Rhb-!$HT(D^mSv%hhEm+{)z z`OJ7}o%5|0&tKotW6rb2yY&5x_aArjMdRVr`Dw=Ue{)_lKK(!E7a6Z?vctyz_v{+) zZ{hqd>(6z*@U`>TtFfo^i;M>+IA3i%{DAY|==sk0I_IJBVEKzT?z3(@`=8EN8qd=+ z8~>F1Sn|!{U+;gmgRJ<*kBsNnInNnSzAk!bJo&olMdQiWMX!qEyr1WJBXOKJ`Fh}e zbX z*Tr?dA&&VP=iB1=W%BiTI^vlBDCY;_IzJT0{HHn3PXqn`ZXbU7(MHGo)toQ8H_wf} zMeM`dvKQ3`#yx{oJeHd@0&#uI?+x`FkyyrhVm*Oum|I6n+>uK>z}jKIj_f%cP)Z{B`X2jlYRLFn%U|XnYxcWc*zE*m&|h zH8FlM=cmR$O`jS69DU;r8UG&cZrtxT((T_z-=wGcc9G2AMb8-j2|a84KDz$BhV%Y` zo;UOB=>_AP;t$0uG@hmxjc4g4<9pGY#y8>Pxo>6}9^@_HnGA-!SzN_x-ub##5+!$^;ww8i78IBx%>lYTCC`RqO~U_T?S{k%9vXY7{5(N8)R~ksi*%8M++uwDauJzlT z4~+M3cRn=U_@48T@jiVjj{RK4{mjI%pJCs1f-U2Nc){=^`+esb;|+S&czCCq&l#`L zL*vtzzW}ETO2)f6=N039dewM4@8+AvONTpe8Bh8h<4M13Jn0XO=R?;Y8}A?Cd}@41 zpBZl)<>oVd&79o+Nk3;i=@*PA{m^*QuNcoB3 zCC&%NL;BEox9sMp#*_UA{5vbT-ID#Mj3@g~8&CFMFrMtcXgt|}*?6-5it%Ls4dcPv z-1Ul#SLkiyHG0Q*pFS|2^hd^%{=|527H?+RX+C3g7N$upjGlBcs|pGjw8`onWve`-AVkn@cD>6v~+&l(@o`SkS6 zd~mKCQ|EB}qtj~0k^VZCKa^AY}yWIrY2$$qNFlk+x=S9sp0@#MUb@#MTMnD#*^EjYdqP{z<8JY85&Ra zGcum+XKXy#&&+so-r$AL-oJP~lj7f_DdXGH)5eq6D;eW^b3SYQ5PD7={}dkc{boh+ z3%F|9q}8a(-lYO zUe5Q7|B5~kzg0RzadaNy{K)u(J`sP3bf)6yJkI%<@h9o2bUYL<{Jl_?PFftDe{nuz zd~?43$cbMroxC_Y&*yx>`1bUoxZYnSadckF`Lgks(W~OxsfnYL=X~AxLG-4$b|P_f zUd#E8xW3(X#W8;h=X=KAN*{>pd57ZYe1P*K;~$|<#P#iVDvr+OoSzxLhMw9c9*P&< zPW0_IEsoA=&S#9@LC=Zn+ihMPo#cJx1>?VCrzoy(wA55PaKZzb}8{dfW!hM3<^S$(x@#J+|+IXAu8RK82XN`Y{ zo-=+oJ#RdDeO56325~rjCT)o9vbh{i^hlalJTJ6I%VTodc}B1 zuNrUA8^$AgWV}sp8_yr)_R}@qr_YRM4|el``>?8KZs*`N&QsP8ah^6F(lf?Ohr0Q! z@#rw;Ipg`mo#%}Y>HM_SXZBeN-F(r^cj+bLeR|FKklrvpr8kX-N4WDw#?wbS=ZE<| zv(J#;HuFPz*ZBA-*XbKizt;J{`1EM!L*x0P^NI1svCad2_!^!g@niaW=PBd;6P>4x z4@=H7#`AA*o;4nv~Tikrvc%NP|KBPB{ zkLfMr!!upKZG24c8K2Vo#)G%J&cJw@J~E!AkB#T)6XPL$DvsB~pXKX}neqRoXEO0n zyzm&p{0;Q1@tf&+alAh#KaDTq6^f(tL(UhC-$O5pqjLZ|RdIBZ*Hty+kFnDbN9Ry> zB5`z**I_N=>)Gjuqw`vJdgACLuiN^@H?T7lN9T3yjK$Fj__|@@@tHU}r?8XS5r6pE z`)g}<(#Ch7XT{Muot?Zm_VWtP7mUA}UKB^?EOyG`=p?T%E5?_wQxiw0#!f>Vop*7* zY5YUgW zxs;ujI66;ozHR((^sYEMm$TCsM`v@sUK|*IE`219&PsMB;^^$m`Kj^U=)p_kp?Kkb zMCY^Yq{Y$MgYy}W=fu(Z96JSZbQZA_db}i#&UNfm#L+pBovO#{;^^GOPE#D6mSU zeh`cYc;g=l^X2z2*W0`tsJQT0warzWH8F6&} z#{FcCZ=i?9x8T1|ipIC5m&LLFr+MD0IL`ZG&ex15|Ne}O@5%X=@qOt%(vm)_2Q?+2TkMrH141!j?ND3bi~m~{+--4&QC)OhQ@o`=g9aE=o4|A z_a!{32;)8f4&tv>FyC5x&&hG4F#nJg4J2~Tjq8E*?rfYKE_V4YkUx|P2wNu ze24QX<9E?B;^;Kl$%&)$Fz55e|3VMN(TUh8iKDX#|NUP!{sMa4_>T03@jd8mttjUL2kOW+xO! z=TgoWjbBMGi=%TrJ5_OXzQFmK@h{UG;^^GSP9%=bcRAlOehbb3Z!`adgh&eAD=O^p-d}zhkE(j?PNXca496-WNyb zPwWiE(YclLBjb0`C*tU=XJ;mk&I6ne7RCqhO76!$(bMAS{EMBeI69l}h(8^_UNF8j zy&#UxbN;$u_e7O^uDN9SVBkB$E~eJYO5tJn$lh!5hGJnp{D`IPY?JtL0JzU<`0v7hAqUwPyI z$4)4Y&i?F_#L;=0^JU{(@clA%<6F@i#llKp{jDLikjyO8UveOes=R(f+Jw6mi=LB|Ax%ePn$=mq~cGAYbNY9F+ zb0Rx=aqQ>&oG%z(LobS>a}qmcaddvk`HIJD;^@4IorX9%>)2^}yd{p#o7w4zqw^>` zU61$0(RnL7LveJTWM^bN;QQSs;^rp?bH z%lVS=L+CZ*N7L&bZ;Io3y^GhYC64QL8ar*{@1S?Z(fI&7eQ|W&&-sDz^XU`g7t*K3 zFQo^2#nE^r&p+q!ylHWq_iD~(j9*L7iDUmCWv3vH&P|*Tjo(TyiKFvzcADbo^f@0H z{|UV`yr^5N6$H(I6T+hx_ z9G!QtGxK!$R*qMo=vpeU5z2k#;CHLbi>1lCvc4Q|jj?QAv=Zv3BFNmYFfSsZ^I&bHE z$@tmyia0vEuu~I9=cAmj8^4U+6h~(vJ1uc^Zs2^|__yd?adh@(r!S7qPdGm?{vdrM zj!uD{i8wm{;{4S3^Rw}9V!g`!lsvB<$xd1vokdwUmoa`QJtvO+oWM>&9Gz1+9~yrb zy(Es#8`-IdqjM4Gs~)e5qf=q0DUQyk*oi#e7Dwl7cDmx|e4d@2#|Pr*oXgHg9Gx53 z8GC#xj?Tx}3G(qlypqS`&Do8ILCWJ9adcL&lM}~&dhFyq9*U#$S$0a|=nU8?d%P-+ z&KKFKi=*=kb{Za!#L>BtowhhSV|F?o?}?+cnw^0-I#YIr9v_RN^F4N^;^-v*pEUD$ zY99Pt&vFIPV6YH!qIP7dT%q-lZ4C(b-~sd=am*I66Pze8u=$dQBXit=Vaaqw@&o zo5r7{x5UwTF*_Y`bhg?pzKB=X_>1U$adfim48_sehw~%j1^PrBoxRwZiKBBI=Yv|Gyk~d?b#}iR?_o(fMzlcWV3wdaz$S6ffM5=)8%Y zv^YAqa6V)Fd-R+*I&WjAAdb#GoDYrvlwL7@FTHB~xAeOBrg8tQ_3=f#n&LR`KT6_eISm`+3bwO(RmT)$HsS}PsP!xu@mecAH*wp+`WwR zDUWBw(K(l$oH+LL3U=}y55>{>C_5!_boODVZ2UlaRUDm9uu~UD=P=GUJRXUoa~V5r zadeJnr{nRSI67CcGZ07TP3#OkJ{CvkI(DYw=)9esna5KH#6$5)9*4~Fr z13P_>55>_LvojV)r^n93<1=w|{=`n|!1y3u$>a2HcG4ctilg%+J9%;J=hy5MJYEz> zXOq9j7x5~KqqBjXipOi>=xoJKLmZu#@c+@99&d@G^I~>7;^-XAPS@joaddWLXDE)& zsqBnAJ`qRfmF&#K(RmL$K_NbfS8_ilo)$-^z)n^ioeS8>dAuNw&Qa_X#nHK%os!2Z z;^@4dotij0H?vdscvBpmQ`u>WqjM)aZI5@w(OJq)UmTrZu`}@aNF1H_u`>}z=Sg;^ z9uE$RhvJnyub$6NS{$A2`0)f8kLSd(pO3Rs5JzWkc0!Mr#L3Mu0j?UNF8HuBF1v_JpPsP!>jh*1&_#j@%Qz6L#9- z=`cYcNj~0X=JC{P;-PpYkJBxmbjKNSbk5~| zvL4TiV?W!o6N;mAIXgvB!*eQ#nvy`2R$7|x~EMuo3j?RVbG(FxDN9V)rbi~oQmYuH0`{L+az|K${ojceW zd3+*{&ZpU#iKFu%JHesxLA;XtG4ZrGIxTjx;^_Q~ot(!D;^-0*vW(&`I-Cu zNp`Zv|3S}-V?XDx6N+O$PjkNL@v=BN%h{=lqw~DI;){6I!i_&Yv(LmE;^)9!bqq8qN6_3}%(fKMn4RLf1VyEfxmN+`A+3AR*lYD$+ z*W-P0biT{ZP#m3OxSx^7C*tVb$<9n1o!7Gy92pz`*{O-6^J#YK9&d`H^AI~Nadf`OPTS*MadaMGr!S7q&Fl<3 zJ`zXg33evp=zN=y$LSgDWW>?AgPp9$^WxagyVwcE(fKhuMUR)o(Rn{RRdIA4V5jEshB!Lsu@i}- z^8`CBk9Wk;`4~Grade)`k2CIjd?=32#q5m5(b<-riSb?OGjVh-XD4-Zd=RhXak?+( z)5Z^@XT{OEik-YT_H#Vv3&u~O7sb)}0y|}KbSj*$7=H)7CXUXR*=dNQ^KQ;JJ>C*W z=j-fr#L@XEJ6(_W#nJgTJ411Fu3%^6@rgJ(-)Cngj?Rtj1job&@k;K;#M9#F+|5o_ z9GyGa$$7jWj?T~6DT<>rVyEQsia0v=vr`jC=Mi@59&d`H^AI~NadiI8PTS*MadaMG zr!S7qj{G?CfyYPU=sdyBL>!&{*qM4fD8@taN}gArVka$*&T;HyJf0KBel~du)%fpo zadeW;69_$C5=UoCb}HiNoWuQ8Jzf__XB&2!;^(C(eQXAj?VGyw8hccfgj)B@pw-hoh9rH#L;;*J426;#nE{y zJ5zCVlF!qac|3JoJQT0war#bnGUDjGo%_jpJTH#@ypNqw9G&FzI*J}Ii=$I#rz(!l zr?{V*#~b44e2kq)9G&FzMp_>4h@*2cJ3Vo9ZsdOY9v_OMb2&R>adiHNor%Y1;^|+#o$s?V6h~)&c19kbh@*2iJ2P=~itGd@#0T+8?#IN_ z;^_R0ovb)Ir?ZpuctISU``Iaqqw_&_N*=F>qw^3uHF0!4$xhwlO>uM{VW%aI&ga-^ zd%P=-&J*nP#nDMVUufX*kvKX}u`>}z=ML^?>ha)p@ld>y=haRA;f~Yd==?7`8IR}0 zv7as3DTt%|$zogLX}ilegyKYu3jcv~EuUD@f1qq8GB zJ&zB>(bc81Zi=&f# zo?*uLXW7Y#V?U{Xq8h*7MjV}+I3IevB#zED>{P_jxrLpo$Lr$g?8Ht}9G!2m6B++L zy)BN;?(B5M(OJX!p2r8`=qzGqB#zE~?2J7=6-Ot}PH=L35U=F%_%J&u6xgYYqq7_58^&KwkHpbAn4Pvb zI*T~pF@6BOCyvgc>aYEs2NXl{`*g%T7id zop*CSYy1QByg2rAEIXk%I_Gn~X#7HYSsb0$u~QXCX9eeL#{Y}n5J%??>_p<|T+R8G z$2;QaoWf2|9G%az(>H!2eJGC3sqBo!(fJnVC&rV{vz>{fb2>YzQ{sboC6Cj)*-0B; zL(ht%a~3;!aqQau~QRAX9YWTk2l59xsIKdI69ZJ(>8t`y(^B+_3ZS;(Yc-T z1LHrXkHpdWGCLD-bROpX)c9ZM!JFctcqPw=H?dO?N9P6mZyXCk;~9EM9Q*kiI~8$s zcISN6<8^U#R_O8qw`&My5i^*+39(FAdb$R?2N?Gc@sNhk59$XxtpD! z93R9hc^sX|PRipMaddvhPEH*Ac@H~zkB8#u+|N!)9GyBlWsg_I(RqlSx;Q!)veWQ* zB#zD_?6k$vxs;ub$9v-FJi*RD9G$D!8G3vyj?Po;OvTYz#m>y*sZ-;jcqNaoO*XjW zj5s>0*~uEejh+|Bep2j&;^_R8^F`wi(97cJY{O1f9GyRMzGnPy^oBS(JFydqqw{ah zw~RmkfcQ7#)e%Q$cXoQ>=)9QoedD{+hvMigVrMLl&Z{^-G5#9*OdOs4*-5=QK8RQH zI6a2*Y2zo;v*PF+#!g-w`*|DZ3&zi;7sb&zhMlrFIv?hI#rTEvnm9Tob{gX7T*mpP z@z2p);^>^pPDdP_8#v!J{tbFx9Gx@S8H%HG2j@q|@1ak`(K(x)nK(MX}18!d7Se(YU1b|#reAN zx6+&9=zNl$mN+`+bG~gnqIbp7xs;v0I6BGK3mABOB#zD%>`cVb`6|yl^>}bvJQT0w zdG$(m(&FfRot=!wbK=;~RqPbR(fKAjp~p+&=(O3Xh@+E#J(RrAip2r8`=zNErkvKZ**%^C$Dvr+ouoJvBK8RQHcnk{eIOXw-I67X?F4+55>{BkDZb@I(xBG_IOnsoiRIgadZw~r{VEP9GyqmX^W$CBs(3C_r%dz z&(1&`o#WUUdVDO7&eQBn#nCyLotei|r^iF_N*<@Ff4Sp~I67r^vL4TiV?W!n6N;mA z7CS|cm&MUpz)n>hoe#59^LRrXojurz#L@W}J1viQ#L>yK(-TMM3U>M)ABv-MFgs&$ zbiTyS#N#t@bQZIddRu%DujFz19d^S*v}ev3LY@>vDd4!#&@jugB;^-`6rz4Kedd_z}-WNybTy}=y=xljVd=ama@vZ3-adaB& z%*4@I!1=eb($+J`PctsqYYuTxZ zqw^Ye>K<>3qtjuhC63M!?6f`J6-Vb5cKYJz9M8_c<0El&ZewR6j!uc4smFse;-PpY z&#OOVCoPUnnVpQsbK=;~kez}!I%l&Jdb}i#&ac?1h@*2JJ5`U@#nD;EPE#D6i`j`h z-WEsaFYI*1(P^>M^Y}mN9UL5;5kDY?Yi{j|C*eQ#na~V4o zkJrS}`64?FadcL()AV>t9G#ok>4>9~e7&l!$NS>w+{(^S9G(B=enuXjh@;bIXC{u$ zuhncCzB=JkCze;{|ba*0NI+M`r^&C68Cc(fJKKHF0#F`T~|>j??1kl-bF6JSUF*q}eHmqqCHq(Bma>barB=B96|x*{OQGE{@JZcADboEN3V3 zcv~Euz1iuCqjNbsJ>yr?2jb}L!_G(?o$EM1_V`pBodehj&WaD>l{_B5$xh1S8F6$D zVJ9b!{rrHPyvIXvbdF@FB#zF5?36uT6-Vb-cIx8j{GFYK$0KocO6;`7(b@8l_#$2% zkN3pUIhmcQI6B+0Gc&#uJype7o_&11k)4b^kPU>CpLA;X3SMqi1(jL!>qw{Wd^5WRf_qd;e$BW|VyqBG_I6D8!PQ~Lj zadbYwPD31>2iR$Pyd{p#x$Jbr(Mi7UUf1J&adggSXDE)&6Wq_p;}daoKFZEa9G$1x z3Emwa#4EWU6Hkkya{)V9adfsj6n{GY{?r~Xh@Bxot!xK zv*}@|#;>D29*U#$9d=6M=xonU+2d7lbiT(JIQH`-I|Yvy#nJf-J7sZnQisPE z@v3;dCXUWu*=dNQvw)qZ$6Mm)JjqT+9G!jG>3X~`j?O>W8H%HGG&>`YPsGuAnw^H7$>SAqbe_jfO&p!i zu~YYWQyiVG*=dQR^L2LG9`A~yvn@M)addvf&cNd%addWIXCjWy1MEya9@OHYcqPxP zJF$}%N9WJ%WIUb|$9{HZry!2b)9i#EFNveG8#@(obkbpb5wEJp>*DC_!A?^gorPh1 z5wFPOZEgo1Kw3I>(0bMZCrypNgZiFFV2eH~z7WN9epY zbjK-=XT;GtfSsH;I`3sC@9|I^orBpaiKFwM?36uT6-VbVcIx8jT+U9zQzN3zov zM`sl~9gp|K(K(u(fjBz1vNQDfSR9?>*qMr>b2mFPkEcEm55+5aoW7o&j5s*w0DqgyQJ@J&Z5nRrGjS9Gy3^Qx!*N%Og;U{~yWY4RLhd%uXbZ&d%(#Jl+vU z=X7>@;^^$nPT%80adggPXDp7+;p|L2J`+dho$RDO7$3xIllTWZC$f|Fcvc*pce9fh zN9Rm-3LYB$ovz3G;^>^u z&QKhko7fq7d?Jp{N76adbYxPEj14 zKd@8sctsqYOW3K2qw^1T>K<>3qjM=cEpc?VIWoS8SKH%VadbYzPG20I96JM#kHpcr zlAVb-I)|_`^?2~1cqm@DAJMs*owPVQuVW|U@tin1*RoR(N9S$qgdQ)6qw_^}D&puQ zU!S__@wzxV*R#_UN9SVhC-Qh(9G$PQ(-lYOOYHPKJ`hLeW_Cv6=zNczvGJeKr{d_` z!cP1IvT@;lMCT#Sr;I;N&xoUQD?2%Hbe?-ud=am_$3t;+zQayQ9Gwh1Wsg_I(fJ-b zb#Zj|V5i~nNF1Fz*=dWTvmZMh3E;^_R4oq;$yZ{+;Y<707je$38P9G!QvGxK=r z!|_nOlE>*!*vW{aa~?ZckLSg)pP#c6ilcK0J4KI|#nHKsovJuG*RWIbctaeWU$GO3 zqjL*8EsuA^(fJKKJ#lpIVyEx%p*T9fV`nUm&b{nRJU$ag=MU_p>hVFmlE>*fcG4ct zilg%=J9%;J=U?m;JYEz>=P&G(#nE}u;`kz76_3}%(fKPo4RLgmuan;NcuO3eC)w$U zqjNC#)Ae{?9G!o#GZaVX6m~`)pNOOLG&?hKbk1ZaI4?ekS8_jofSwjdXVXnE5d>Lr zbS~q3&f^7fbe_XbQ5>Bwuv0SLrB}q!c^*48adhtDeBI+sadft3rzMWgFW6~&yep2* zcI@=U(RrAifyYPU=w#TLh@=eY& z*_oZt<0Wx)Ud~QM9G&Fr)K@)T7e{9iJ56zPj^chI<8Pw3#nIV^ovt`KXLG)1{5<+V z9GwH%8HuCwDbA0LUrV2gqjM-b!AIhQcqNa=F6UFm@1$qM(K(8poH+J#Kj-tt|3nYP z(K(i#k~lh>9UWi9tL*WrI65b?Qx`{P2X-1BkHpbAnVq&cIxlCZ`cYcIgy>2$5YGWp?D>a)3>pc5l82AcCsGNi(@};XD1X#=Y#ANJzf?^ z=PY)r;^ObOWypqS=ee|^PztXef*yn$6pLucYbL(SJjX!_c_%8IKI65C?r!0<6@_hm-#t&ns zCXP;%orX9%XK=o0{Jr#!@sH5E#*^<8Ff@Jz=SRlBNS_)18a;kT&Bm47{&fSU1talUT+IYqa>mhl(T+r~5WzVTh@1LLovPmCW*pBg`&p8n7I z+wD|(#(4651#;qeJNXRXP7309J9#fVp~p+&=v={0MI4>;*r|HFE{;x%ou)WC4R#{q zm(ttf=zN}?t~fe3alU8#4*EbGog3I0iKDZI^JC+`p-;up`5HSxBR+^%@^=0x=TnW1 z{EYvDo)JgqTkPb-v7c>^jW6PrZ*2VOna<1Tp*T9#0T-(B>sWU&g`T;o)t$Y%}!n%ojuqoc)Tc%&UWmS#nCyEor=e6;^@4D zorX9%$FbA&cuO3eh3s_1(K(5ouE+c0=)97hp*T8kW@qH_i8wk3urm`!=N;?>7sdzi zO76$R)8gnH#!gloo#gv@)EM^qw@)N>K<>3qw_{~ zTH@$j&Q9CoU2$|yXQwZY&Nb`|JU$Xf=bh|K#L>BdovFuzi{hbp;eJHtz3imL(Yb}4 zjK_20=$y+=K^&di*$F*f5=ZBw>{P_j8L(6JcwHQwPq5PzN9SI4B9FJl(YchJt~ffs zVW;QufjBx>vNIA#=Mi?s9-oS%b1gf;$K!)|C6CAT?4&%N5l82Gc5>p_&%fEpdps0J z=Vo?F;^;i@`1m4TWsg_I(YckKx;Q#7VyEHpNF1H-vC|euC(BO9<2`Y7e#p*19GzFN zGxYda9G#!AGZjbY0Cr{`PkkaDidXVDy^o!YI65IaS&!$%v7ZOn3B}Plj-8^%%i`#a z*{O=7vxJ?R#~b44{GOdi9G%nIX?eUOj?Sa(^u*DrveWnYP#m4d*%^zY^8t1y9-oP$ zv!0#QC*y;7C6CkP?4&)O6-VbOcJkub&nMU^c)Tc%&eQCa#nFk_sd&65j?QMA;hMz% zjuc1dYId3)Z;7LmVy7dH&MJ1g9`B2z^8$8;;^^GW&dB2vadft2XC{tLkDZ_yAH*xU z9}`cDqw`{Rvf}96$xhDW1#xs1uu~LAXAL_gk5|Oe*_EA|I6C*SQ}=jN9GyMbX^EpV zW~c4(t~ffcV5cvR&ZF!MJU$XfC(q7A9G&&-Og$c491q1Sd0yS0owPVQPqUNpcupMq zIhdV-I6A2l;){5N9xsWbb2vK{adft2r|R*#I68~jX^Nw>fSt(WZEyKGxqpY9G#Qdi9c{_<4PWn2eXs%ct#wZGCMhO>}N4Md5?$U=)9Gk zk~liAXQ%A(syI4lvQrmFr_4^nQzXR*^3N9Rm-Iv($dqqB^ifjBzL*cp0!ERN3m z*_n!?b0Ir3kEcEr55+5aoSw^0MjV~1*~xl5FOL0ugq=_vov*V~^mthuod!EqadeXJ zKUed3LmZutvlEG<^IPtx9ErgM<@AydtKw7Wv4HW&Q0tL#nHK$^CRPT&?n;Pe2tx%I6C)pKKOKe z5U=F<_K)#y8N5#y5Mt>z0gfPp^n$pSN(IHF50oWt^`YKY-p8N9T5STH@#& z!}+%H@pI@CadeJjXC{u$e{eqj1dxp@dEWRWJuQyTN$h0B(Yc)SIpbfV7sSzd zGdo3bbb6dG8UG=@B96}6*{O-6^IOi>J>C>YXBj&!adiI5PTTmu>0NPj&S9r7j?N2C ziZ9|d@c2j^o#pII#L-E<58~A0!GGZ_&p!WrlAW|TI^jth$AXN@>yEc@I00$J^rQe3hN9I64=x)ARU19G%tdjKtBo zik-2?r{d^*mz`i`d=RhX@pvOUDUWBw(fJ>Ca^l#}?d;?|9*U!L4?87sbbiWC+2d7l zbna!RE{@Ja>@++ciKFuXJ8f}v{>)Ct<2`Y79%g4Cj?M;lh8`b_qw^$+DBWGCqh` z@;E(ywI66;pzG8f{CGl^@t0s=lKI}Ba z(b_~azB2Mo)$;vSa!1F=zNUxIgb~Oui$*i_!abuIL><_&s!76d2ir+-FWhSNt@#6 zoWf2^9Gx}nw2hDHU2$~Y!cJctoxgK_VEnnK#J?G@kvKYMurm=yXD7~2Jsz}Bd-iqC zS?r|6(K(!*jK_20*w1^}DTt%|$zo#pH_#nHKzoyg;D zada+Zrz?)mciHKAd?1d_CG3pE(HXNd_V`pBoy*w?u8I%hl|1gYc%wT`c|0SIPK%wK zIQFv_J9&?X;^=&yosu{@C$dxacvT#o>)EM`qqCfyhQ}lE|5w_*K)Y4dX#fv>(6prz z5g|O(h$wN8t{{)OFd#u*K}912V-S%PXbl1-v<0HPf-o3f5(kkCFfzUJv@QyfgZf8zc963K>PA|d-;>fw1IU{l8{Ej)}2#;Ukid@6_Mb7=qNs1$9(@(jD zYpDp&h$H7A=48c@vm0}A5nd2SPLDYyapZiKIpqkiiX-Q7=G4WJa}IMF5#AC<&Qr|k zh$H7l<^&Pm6GzSq%o&Iy=cmjWM)+79Ij=A$ex+M+EqtB+l{twBPl+SvHRfc*F`g|8 zNOk`{Cc<;#$a#Y~1##r;&75L{m&K8@!G<^z_xCh$bbT8r?8ICA35X^A7}5{{=G z;ej}EHfByw965I}ryt=%apY{qoUu4^o?}kzD!1ZVcpgJfh$H76%t?tO=TFQ@NBERD za<*koP8>P&4s#3F@)2GXN6z-lDT^a#YvxoUye5vE4>G4Aj+`Bt(=@&>y)BNM-Ix=I zBWE$|yT+H&`{Kyin>j;qA)iSVpAa?W5*UK}~wF{cpWC2{0bnNtx*PWU~q)d;VPBj+6EG{up#KgZLG@Qyfg z&SOqj965(Drx)P^apauOoRK(kPGrtF!s9Dlk!#`W@gn9V#gTIsb5aqW5yyBgVNO;Y zITtb~7vTkQh_db7I%H71zS^7ZfjQX-&x<4HVdfOYk@FYk zlp?$$j+{rBQxiwdf+O6*wR(g%#gX$UbK2s_c^7j!5#AL?&ST8!izDX)%o#-ZNE|tj zGbeVfTX7BN5jlG>Cm!KRapXL~oU}M{^32IZcvc)azhX{a9684@rx4*KapVk`QxQkb z@yw}4cwHPh&oQSdj-1n((=vWGy=(kDde8XR=mT-|`zre#iO+N%ey{e}_|43TuX07M zg|ElgnUfSp&VR8!72z3ij3+h+iSF;x;>h_Cb8^O?q!+}IGnY9fapb(j`m*sq(W~Of z*@QWDapY|9S+{Vl5#cRyQO8k3c6aod3`h;>bCaIVo}EJk6Z6@z>~6 z;>am7Cnt`ac}Kd1YkA`v(~IKBIfgl9apY{u`ik*)(QD$!Ie|G1apb(8^-bfu&;#Rp z)4RqGq7RK9MjshpLQh=h2H{$GUY667#?Plu8DB}y8oz^HH2yHXWc(R=&G_r|y73vs z$*^Nham@26oaeSU=6NI5cZ_dE?}{VmEavpZk+Uu92N6CJN6vZ7iM8B{YvDZaT%4@N z;t`${N6sb8NsD7V`!XjJ;aPFyG?NoiQh2U?akNetVMo3 zVSHnHN*p<};|c(!EyRD|cmk+Xm~1##r;!JJ}*m&K8@8FQ-Q$SE?X7U2zX zg*DISp~-EM-nJ z!rS7=IgmMlIC3s$PB+4b#{ZM`qX$TgK}+Pd@en9liwcBXM!F# zo}{OZznh*hzCAr}d{=tG_=o5f;|I{I#t))5jUPg98UGBuYkV=i7vUr0$FqJM;qjZN z=W~X8dMK}xr1(td%b1gj@QgTe3e3rhBj;4+472f}<_yF&C;n}}FYK^c(>ZBz%vIbZ^if=3RO>xw}!1|W>cjirxClJT6rEc}}KM=?C zC%8T`-sXC&?K6>qey?V~De)mTuuX~UdC80aQs%iN{-Ru0Rq?grHSu%g`l*Xw{+4hw z?sKE~-SeltDZYv1w8XEH`EQGFICnayBYv9X1mai7dFhHjAmizYua)`ii~nw;>3#>| z-;;3;#b2B=T_3;2KgW4oBI8Mj|3dmrif<#=c}n~*GM=>fHzg+{{uLR|lz2<#p&)*f z)ECA7UHUDFcckC4`0J8W5&sA2w<ee{&^HS~<}@cYHH#vf;W-uTn>qVebGW#g~WtH%FIuN(gx zy=i>@=l$`wjc-B^jBicv8UFx%V0=gV$oMYw*lp|1|HT|v&Mf*&l~?ey=eRmdfE7lIhjbBF}8NZP} zHvVn8`y#MO3*RrkvD~l6jeq=f?+N4K_ZKFOKg67r@t5dn<8NKz^E1YGqE8wB7kbwC z3VP1?1@ye})%1e#>*z(}kI_rUpQo3NZ*sCfu8Q%!=vCuO=r!XP)9c2sq&JM;MsFGq zzh|yxe9kF;oNeO^=^f(-(gWj1(7VR3q4$h$cdGBVZ~OrI!1$5$q4CS;BjY#G$Ht$e z$G+qH53m0@6~7)gzAHUp{BU~Gc!i!azJ{JQzTy<$Z^rn2^eN*jnUgjC66CrtyEK zw~U`nZyR4l?-&p7hk@~XSl>1N9KC0J?rDCUedF8G2gVPi4~?Hh9~r-#J~n=J&<5 zejtwehghGy%dNPEQD}Wi9QBWd;}_TZia6@S@42ap?;`)5*c3h2YIVIyK)63#|ymfKpoX+}& zxE^m?9OKDzy(f;GCCnKczndPr+ZDNndC12@- zNBv(|pB7(de#B8f>r9`O7uWi-IO;cMeMS6N^83JsIO@asZ;I>ucf@gQiD1*ofcoM% zFLln#(0GgMV{!C*G3O!q-AUYJ-r$>a{3-Ew%j-8Qj{5L?<;3-TmBdlM74ysD=gR%0 zCXVCH@_1X~INli7JH{(q?~0?}E6>1A?tUPS{LBM>K1arz4|-4DGuiFU`Pny|A91}u zWW~|%M_Hc}|HR|~d~Qh`^@p&&EUv#NuZd4$xZV;+&U?@F`Ca3mruW44dK-!(zs>dd zy*>|fhWwqGlQw=gJtMC3lNU$M{j4vD-+>KmWpRur!S%X0%1>ub+j#i>TOIM3{QkTr zj{FAKN8-r8i1~@Yt+*D>!;k36V8Rn$Aiqz}h$DZ@+`KsQuVzkB9DM{o^w(j@c=ciL z72^YX)p+U=U*8tTcnVw(#4(;*IG&;L^jU7BYolQDFgad*y(jLQcH}H%eNtRs?-_9% zZ~hm4oOyAKvlqC9YenNJu9wBp?+o_aFdlxNSyNo!j{bx{D|Ky z_s_)ruE@0w+z;wM7tW8k{+%l$j(uWJaDK!wKUMZuG@jymSseZD7S50HW%Q=_?(%*b zh$H7T)_2AAdKikM{v6hi#PxcJf6o=UhGU%^7weMZGu*Z|KX0eSk$(X5bH=|;&x`9g z%i_qniuDz7y${#LG0qIv+u}2wU(B4o@qj)M*XtzqeYdk~;dSyL>*L~S`COM0$9Mwf zX2mg{Ynf9r{wTdHewUp0x;SzkXMICl=d&Y@`e#@li0gUpi(~wGu8+l$b1QR_54aWA z!uk0lJteN6)3V~o`5)Hj#I?RCJ{uizy(*5JmzmQtzOag&+;u9h_nDqJa(1nv+WlQ! zTq-e<-}2c2wDrl4?}UxMRVZa zU*cW2;u;LcTV!3*c%PmYN55~ax`k^wzm@c z$op>~j{4QC?~3bvekhLm`&mB{*ZGe>OJ74jobG>0%7DraF z)}NP(@#6n@?}#Hm{9egGT#suYj{05Cb_>^r;(x{lw)hYI6O0ACC+id9dcR7Gnq}V9&6&L-{l;)aIJ1UOK%!KfZj5GFuh~^FnVCTNbeb6Lhl1E@W(ksTVq1TMxOs^YXP49^7^)M3G>tQUe*F)mR)ANt(A>esR zisRf2w(<9wl<^TgFOHl6*UREFop154ZsA&0{3*Ggcg4|f>^;8Up7Az)EUx*n9(MNk z@|Wdxkrqe&6&z1STt8Rj#ZiAP>kHy5H$+dqmBld+39i@0k+TDHI>v9N2jV)OfjDxe zSU(g;zqy~d1=^$j0dom&vMwdAIXUBxF+VSU;(VWpWmz0KPqDrte&yWh`novAli_+> z961Ltr*Hg4`aoRsV?6Hge)1aY%wU-^=>G_|Xg82DY&{>esM7_ETSgdCj-1VT z9tYwl%yJvpQjhy5m$8b6I*GJXNQVm$m_)vEDt zvc7KoHhRPOgY=g1C+KbCFVF+yBYM~P9Gz%N2gV|n)qJx+y=ImIO^YEeOp}rzR(j#{k)5OP+$Byd3}w= zQNIQ2W54qIVcvB7DRI>A!uqth{(dzlj{3b>pBLBbvm}o5JK}k*i6iHH&O^(1p80KY z{k+!|M}D2_LviGPo%v(&b>`tISL7Pz2S2fo^7DrAD!nMKIW=+3sT&V-y5gEM64#uu z@h~UzGzRU*t~mv9%_$lWa~k5B6Nqb0*Lau{8%%~XnM=({i)&8Cc$iZX*PObz<}{3l zIoW4olZIMcC*5cLdQlwL$pyUL%HsRSeJz$PabzVv=C6~s@#aC^`{J6DVE@R_oTTwE zry!1THaX6sxW4YH;;6rl^)+#Q9W})bCbIRoS2_vQ}8KQHgUWASxr2MV^s@LRGXE9vpUw0cSXRZ)l1M%1kenN1%j}VWGzbNyZ5Wi8zlN8@la#G?rzu|S57TWh9`Q5=`gf{VSE#f#E!TO7yMJIuenI>zgVdmoA;|DDVqiR=9;!EqrQ_3vSQQe5u? zQ{t%Kp7mLAtuKhrcJ)1uqau!+wY(oTjPJz!rua<@+zxDkICA!5eOFxT`{J|ZI#0di z12GTy$t?EsnH66p=cO!;`a0`t#+&q(_@C$azOWpLBd5*!vGMv6Kc4i^?~7U-?=4^P z>ltx<|H_M_K45)8TtAnV#c{q8T(65G=K|(*j6X;Z#Pxa@h$H7I)(^!umh&6?wJUNB z$BXeaS(g$=&gIO>ichXLt{25o{~Okq#ZQv^LrWZemzVnaZyRsZhvLXz%lwhJ&O_oi zuE@3UJihG`zn&D=`iwY^EBCUm&x@nqE0|Lh-(!}q#j+uezVl^&TutM#lf3uEk$(g8 z2jY6Y#W=3;xW3E!xVYA*#Bp2!bF<>;_rmbFjEBct5EOIN8N9?fU!X3@( zu5Yd%y?n)vSVPF-(veG+EjnQ_R~dsX$1Xi~#gU7aEnD;jZd>AH9Y8TsT(_}>M=f6- zTX^(|C!DZ&sTs#OQQiCOCBEM^8)NHqGu_AD z=Qgdc|JdwpCp#r~^82EHTz|HIY(@_sbU)fYw$hLA)vv1hT1Ysm5A(U*KfB`=lN}!o z3ny#tKFr6E59a=x(8Gt+PJaKGT+`SV?jJrbcIL9ekGtXSvDAnB{;mDjo!RjC!@{C_ zvcCCCPWkyOALvJl`NO{9{^9vs;S3d+TW!5_ab>vXPrrZemf^TVIMF>>U;nkU-#aN8 zV54j3f1dlX{h#IRE$-*<`aj?IAJ)5)NekD*$1gfvU;m}^eE;EbqJO-tg!_eFceb(n zvHkb|kNsch_FZ59)%Em`<7|ENKVbj;mtBE0JO5X?ZR_j5!Twt(O`m`4Yx}>M zW{*EOdFx59!I6`PHy5`5+uRoPka@GhKMD6g+8Nk{2oc}-#Nzbv64n|@e*tZRki`H1 literal 0 HcmV?d00001 diff --git a/pkg/tls/internal/boring/syso/goboringcrypto_linux_arm64.syso b/pkg/tls/internal/boring/syso/goboringcrypto_linux_arm64.syso new file mode 100644 index 0000000000000000000000000000000000000000..9659aa1a5e4a48329a41738a452c92021a34469c GIT binary patch literal 1980296 zcmeFa3wTx4ng74{IRwrnfdm495Dfv9^DO0C*rbEzPa^YeGAyMM_eZG62Lry}1 z_TtR^{?G3`&wlpVd#%0pTJL)A@4MD6zjfhl4%0MZKhyYu(RUTQYZ#T&FTZf%xBmH! z@kZK(d%y3W-nIV_eAjFAoLS-s_BxH4(@sa|jMEIg>oh`BzGQBrGc#J9V?)QBsi8NW zV?t+^%%Q%&r+4jvx~_Z8)S=4$dX1UdyY?T0=a-mPyAfyd;nTF6|F*wr-w0zy&M>1U zdtLd~4yReO<2Q~a%YS1o>2$h6$9eyTEk_rYxs9%Q!^-df0>_gXlUIK`W6J6$GbSzm zHpgEU<}cB`zvHa?|IGh4Id2^H#QlHA@e_`XT;HMVjH#=Cl5ySY`!cc?-;ptW^=~;R zU!Jx2!NNI9rgJ{c`M!)RxPRs9d6!?Ydh}g$mVDvzD_397Ir;LdR!_ft^6J|-ui!lT zrUQ$wzv*8VJ0Cl+c7$B+DY@tjBgY4M!PoDK7m91V9YG8=B6 z|Ktn%dLo5+rmJ(gVHEldBel($8R}%bIfknxknE~1p5Us^Nib>xSw@X(y-~B^vz1@KXs3!wp@=)cNh!pQKeW@7lHdr9~K_k!@t?nU9P?uFq) zzc#ie|HjxlontA-o9>a}L*}UP{qE$j*WnGn{U`yiGGL8b%6)rK|VNZ&O``&Ot zRzbKVYkt^u+4!wF93GSV^sykz6%O>?exxMJ9WLV>FkOK%(;Y}$=ihqux}vRtTOQb2 z#^K8MsJ%dd@zm#g!@hMz-}CkseXpQ5|40dki*e_0EbN_oWEDps!4)n`aEBN7&N*^F z$L3?k)&>rZ{S=4Gofyt>Cxruyz05r-eDZoT*fGTjc20E!Pt9}&7dee>8dsK4v9uLj z{t?&UWzG2|`N7_``|I{Pm%V-|dRX=sm!^kXFF_Aa{6Bj5fAsLbj2`Y9Ko92}ADJF} zd4^++WW)}5TdiZ*nj-7$T$AN63ZHqfAD#FH%8ei0b3txgRMrNa#AM7Qqhhq=jOa4r zbROg@$ZZs{qm1hiFGijtzm}fZGv|g#RW6k<` zMqz;B9H}wue4v1h4;T z&h2#{*!-=X^9#dW;m`+jkBHYj1z!um(@qR`TRgp!`!2U9d@|P=3{h4_SpZ&_u&I@K@XjSQ#W|dOU<#vZQxji9I@8^$9;|L^uY3pVV zPw$t$*ExDoxFN~EbsGN*%(3wG#IVau3j6ZiVQ)V2U_G*6y(_$JxKVTWK6m(`eXek= z&*=Kuf8_;VpJUXlKNl%%b!PgSOe3{9Zob}V&bj^Lny>9E(fJyu`MTE#x~|9% z-aGGCKmFw7H-GwZ;?3Oy@a7)+F%!HQPd^@BVFufxIOC4wA2|-rbPT|mq!BjGcq6|% z&YbS*$x?gYS@GH|EX;q1B#oOuY`dFD?Y!5t?fg)tgBI0Oy77Nwz<--Cv}GXNgjHW)SY zN4Tq8=ESN6BfM1s&hhlKXhc%gX6}hzV&$>%i)PyP7lhph=3g|fyBX6XjOp3?oWa>6 zjGDiSMA9mw_-`0{Z+ZPC;lELHgLIY=6}Pla%@2MYI5-$B4Ajdyt~Gr z8ouFXx69w-i|U8-O?TLbUN|3pP`aQGU2uLD^JnRQ=y>qPT=c(b@JG#WRd3Oe_FN-) z4xPVpIPIYC1>k?V=y^E_p71nyT@v@i?>58lqz4D!c_UShp65azZqIcDJ=8mXtuxpn z-bTG3b;K{l6WgNv@Mh*xd{F#QeDP$S&F_Bh7+Wn~7vp=v_jtaSbb8q=@l5ec&1I*< z-*bvOn)gloKSbFn%1)Xi;fsy}A zSwAXN$+Ow{uCV(b9ypS7%kAR9;Yx?mQ@juS;C?5t$XV|SPus_R{x{IpVvYdq9ipxI zv{h;*1rD0-kY~LoG(R7>(^i1CT)ac`;MzAoylJ@6qxRHRHfMDdv6h3iX62! zxAMQp0X|*j2Zs4aa-;As1I~%S_-YOp^N^Dun9n(KEyqB8JHR}Yp>Mm8Lphed?F_at zC+*h`L*Gsa{@1zwJY^JoKroKMRB&wn?lvlrVUrhl5olT@Y62f84t%w;Oe3c*ZKuvH*IMC+PEj!?z!CPDjHsK%ie>L!gl(& z+hf%H#eVP*+xd($Ep#iijZU-l%#sD@E`eb8viayT1?V)N!v44|h>lZp2^-{+I@hcR zF0FI@=B}Z2uIKI_T<3beHZE*G#Z7{)a`Vt#f$_9f*mt`q$|R#_tdlT|jyE=%S*HCmR+|M4oDYnP4ZIwM+^ zVf4H;%qaZp;l|+~ylK|Rj++Ob>HJU8^Dy!54WI2U@%e+V4_9B@;bP{w&GBd5dUrAN z)wbc!D7X7n>`~e0?6Q$6`y6FCgUQ{)Rb;`3HU3oZxi{1>xj(jIAg07*|4a*zItKA4mvT_wL|2gdak@c{BWA5jtH*!eZyeI;;kWTy=(>UHQI1jJ zj;Thl4f%3>rUU-$4DL)Y8rzY3*~5&(6~8v_&;ONqe-1tp$6t*ky<9wV-eswa6Q!h$7M`LM_FJIUuXIa+_7~z`_oMGxM&$P)12O)W|}XLmO(S$02hnl^}?~0H_i#J{*$@*dB%hufPcLVKH{GV ziyv;{{HmE8&UT=8nIqw$qrwebAL9Po=Jas8nG=5C6GpIPvKcJ%IfAQhat1$twtw6A z&zT$C4c)Dw?eE65T|pZs%@q7kYI_uICx?Svx0yzGiQ~F(l4DZ%{+o>8s!!N$mrQmB zccd7FuWv98{{;FJp4<=J{1p0pySLy-*DoJAlKf3$>tgU}H8ivrI-UMa*Vbf5O6V}< zNk&q56|}Sun*Awtr&D(+<h7RC*YJkRps#(*$5QGV-%wkl z!b=@S$Y*%M$@tF}acrf21@%jzzgWF}%-MAMp}N!YugS;uAoYr<7ptSP9K#JfkxTgG zmQwDgyac+9)!D~ftKMed7I1jNpP)E^WgE4&hD)WhsX5q+F%+qV|FyX}(V2wUu;lgIXHfWYWS$-2N#c*ADrv1KZYN?72Whwe(*{7!LPv&ejR@B ztMP;9ME&6FvArrd+K@r%^r_wHs5#~w*3kA<*!;N;3DUXVh( zAcc4Ve)>ZkiWR&HZm&v7;{M2Reb$2Tt62-fW!Pq$IaWafPeBv)S>A91vhvle#PA`` z@TR~aGcj;K^7U)T(+2FeLmXxKNop_908be?XJmK_eu>riC9XCv@4n_MMz?gIQ=jw) zPh6iL?981LY@aeW=#IubG~XRo>?4!-PA0gW89K>visL5rX&?~sk;o1dHdx)^Vbn0QF$5H z(rc34=rvpixYqNhK55WrlRjg&OmPO6zvFLe1veEZ$nT9j8;gY;1K!`^dS+LIImisP zpM3mC*x{=7mKAp|L?3D3e;M$uH?c9$>#Di0c~SgFyd;!h^sN6NQuwI!gt?<@&MdhV z9x)GIF&CaO2i~C=#6L%45SQR32T~5-dw$-L_r@8G;wfj~DTDHp=N$w1N$UT<`3d6{ zKdJg(%1^{ge&sZJTBlarlHf6Bv`w8K3}3Uau9bejIoGTyK(3S^Xa1*rJAb^G+i+rT z3B=q+-~(_4*F#VDpN~ANG1_srv7ujby<_;ko9`WAbO|0i<@=o~UhD5M%!*qg2U0Fc zAM!t)r@i-~L&Z&>o@*RFM~u2{1ojX-C)=4(ZJ0-IzSlY4;=||Q!)x)a>0Nt?aV{HU zbcxsAbA9FZ38x-E(n?#$oa2aZPY6}7#EyplipEFQhw&s~%f2ycepitkE)2tn&BQxdtK6t0HnhOz<{&kewHSHd4;KUKqXH^XZ~Sssh` zZieSJn4Z9DcL{_-|1N~*u7c-IgXdli&s}fv+yObZ%$DHFscXBO1)iH3x?KQe4WlUP# ziqFc~MVxwsaX1s*XoYDM<}jDpCz!|5wwsr8T=Uv-#N23y_R!3=iJ^AGd&#b=SR%c zd%~POJ?LxT2X_5;k2^j1qrBBmIla{l@cX@6{0nz+NN+0xH;0j%a3yx+x3(Ay_rd=& zO;6{}_acRNOAc%_iD{X^o-syGKb;Z$Za-hUw9;=JZjXHDLB-iJ(Vq{j$}UHS`6#@7I?(^ySy|^tS(Q-6BEyKw{h^s8dv2W;Ab3;ub0N#g=-z@!ZrSD;NW0aiK7 zxesjA7uR1I-GYk?-X^##rY}Zs|Gs3>m*3Ktw&7{j^$f%EftTtCiPzP>+fetuJW@%;QC)(_^eXtI$ae|^0E z)-y)=Q29aV+4BEH4j2|)TmBztxedBhPSu-JL~|~DKf^*}48zK;D%d|Yxz=HHndY|b zt&}^6{WQ~uy@oME^sZRA)%F2+3vqDXf5*Ukk-0V>>0ahQr*vX>4h#13UW z%?HItIzD*dNaqKS9Qk*Taro;KjKgK-_&^}*o_OL~Z zPto2aE2k{Re^Nsa17Fci-D5MmXPUeEBShZ`p*@p~my7v-5M1}c zOY+b?h*cGi?^?Ij1+U38ot?x&3J=bxUV09G5aR*Op1t?xv@||=bh6RaKE=psMt;c; zVq}SC)6gr%g(AqZy^L!+N0C!GqAD9pS!$?^v87vdH$L>Yl>41Vqstgy9ecJ%yl8!9 z_e+#X2Who(OUH)ZLjV31dfzM9*^J58%JnnUnc?W3Nes;=-%9*@djH(q=0czAgI}Lb zJ&-30KHboxt#b|V(QPzp;B^)Z_xO!2!Ei1A3vH{CI|1z%6qD2J=%snXT6HuKJ%*BFQAP-YloTTYoN zRd-PKwbBP>9d}OiP2v6=?tj~79G>nlswR=+y0!GdS=dBXFYxSrlo^JjY8Us{moB%S zIl=v5)^pCPjiq0hg`HD%!g;mtnh(mKE@KQ&^2}FCOK0KFrZ34=C!N>$Mx8HzI;Xd~ zs+#hEIjriCIlAhU^IG5S+<$?4Dm!JGRc|}5^95-CHS6Bys$_?=s>A8?owTmER0Yh0 zs!`BIPVZAyIlW)4!jH!PD(bjH*y2^lsL?h}_Tg0T+BtDD-j=!N?|0z8aYD1hpxp#y z?{G`@o^}pL<|l+iSKa91J#l{D*WfXaIq(NVL(81Tnl@~YJSViq8UM0pFSt|yO%dCf zwJGq}tN{MPdy|X@KZ%T^JWw~zm{kN%%0q7T;185tA(>g3cIjt!jO+i*%RKWwG}boK z-&8)==*j@6oGznqjInF!2+Fdtjn_I|ExWOM%kzw`*Ezf4Cnb@hBgK(?e+=yVQd>j{9ppOKOWpq3q1o}RLT!J(rCK5H*!PUHOO!ueDx}1 zE&6`jHOB1htO9TQWaPTfm`#4Mx8rjDUlqNd&i~2L`{Ve3dG!8h{-;OpkL3Tj=zS0W zM@R1u=l{s)eFy(N_I>!F_0BejG5g2xhyTbj8Ye?{;z>5$+I_Em!U%pr{U2dWm+w|% zc%C@)|F$udZ#23NBp8M8{lm+guG|&;cM&7aPB3=2In#ZmPFHo1d2Hd>%+c)dR5x(Q zPg%veZE9_LxtY}2$yxHkV|qQhSIfP2&g4tX#Lwob<6PRgc58vt<1HEE#~$|J+fDbq zh7J7`$BqPl!~P_H12%A%?CN_r8YzD4_vIN`t1A+WhMnN-33R%0C-yM8qyGrL=~{hk z2d6unE?*0@znKGm)+PLamjvodeY0fGfA_x`cXz>~|F`4r``)2(_d)gl{{q~df<6+% z-ThJAt^6b5Zop~du8Z>@3wNahi1)^DS8_l0|D)jXnI*R&H*Q6K%tMaMB@STges!kN z6gd#HCoe5){?qU`^*BdZ@}?Vk^B(f%T%5f54RQuQS>tDsE4EB|d{z}QMfUP%$ytlZ z6hCyB5sBR38s%?_px=yv&+Sh%3TKWTh*#;Bo+h3+$(i>$I;6!DU88KC=(^TF+nwv5 z?U`!xb=S2vk9AMsI@jjA9{HQ5M(<fjN(6bmv!IE zf9x;o{s{h$iry!`%;mN3yGGdenCsb*4Mx|-BzQIQz80Q1ng8O6ZHeNE8NLqq;2**h zLmnHi$RnEB(Xn=GB|Ncxbc`ov49OF}F$7PHI6R%pk;99?rDA08IrJ>a;K-lYGI-Nz z^2@Np+di;mup4>pGB<56aoBSBbW{#c>?emOB8TmHv*rvPU-LBvIsCtEz78OVZ5qlz z7NmWsEO1_+xeVV&p(m~JiOvZ~JdcAzDU%;-w?pu=uZ5s~RHvQMXDYrne|LKd! zsk8L{!OQbiKE$(!?i;%7FFvoebFT#9=RJev6LdQh=h(8(}7;GGajo}MRKS);Ww1Bk(>aXn9{m2o; zLBbAqOSQvYooKqN+c{r7)<5eh4#myM0|~4eYs^}XK5-PC?A!;eFsR5Gm{5JxF`=^(-<8%2p21IeH}}tR z|136%#(A~b0*RYv;$I#!7 zI^3Q9vz&*oduQ(%^f{hA_|Cem9gd`GubG5?nN-~X5Arka%9{dSa$oc8bAB`$$fNxNWTQ<36D%5-V$r~a zL1p z`{HXJF~Qbu=x)TicZ!HP3tw|ie{_7+^E=;-6n_5#zD@vNCk%I<7duxda9)( z+WcVx{9!^r{xI7)G=CrtQ0Ojs6kMM@OY1}O=GwU4hvVZy!V}?hd_GALaZ=%SjK|B5 zxZyIRF&1;YNUnfa=c4#5f5p4t^I75m@-4b5Y<#XIt|q+BG{<#r;4B}QlX>s+;f)Wq z(w8=TnkB>>t2pF~-ve(&#|$^)+bZQ~!_F%qCr>%|+u%7?8Tp%92Ug0t68!%3Fk|;C zz)bJl4<6}VQ!JVqgP%^cEZ^C9a6Q#}X94d#NWQn;r#AIY$r!z}fcL$JA42)H&C&O? z@ec7?!?f2y{LCHH(4ZmfL#n&3spzKwSqmJaxr#Q<#uQkVXc05~~e$+9tbGmbE^(Rb^$GVSf zkSsXrNa>V(s5K{ao=`pNALm?48>hIR=NQv@lIu)lk;eBn|KI5*_Ko}qa-NTTDdD`y z9OcR3e9%nxv?EvcY_RE6&rG0ib;y-Y;I)Y{ggMHPFDp5pfKN%bJo!v{!zAR4^8F-V zHV`L&o;bPW&73WH4Hd{4$sfs@^~jn%4wofs_8@DDELr0U)gfz+>mA6MQjQi5{Fulb zSIZ>i&3cYGroUHmCqExtD%q&t_m<6qP+z z+zeVShL(4uLx`3&clG?&{8bVEU&-M`*6-#FtSp(A!+Ry`B)=q&Maz|?56vnryXI#DjJCkq|3G`qVEJz)y)JI3?!8{I-b;`{h+k=@7VEfFHV_zaSldK?FRO{C}T0 z_<_f0?3;rLAp`$_Wq)JO%Kk2w{mp;N{vM$@nD~d=-w9Fso3rfi;(qq`#3AkPwS(B- zmhFw4xq>-3hkOt|lV@h(bOgRFoNh;l7&yjd;BqCnu6g?~eC@FCb>c^|Z5<&>5n>cptb+KM6|1oI1e@>3Cwv>WashT^J2WdlQ&nlntX%ldqwt@5;Xeh$E-FiN zW+{Hr$Ai*C;_u7gISzEmv5dEPB>9oFv8l9pR+x6;+kpN9L7uNF%^tLk$zzSeKc|iN z;A3iY1-M3x!?zt>zHiQKJ!KjEYa{ko0ldM&Oa5DU>9X-M0B_iYJbw{;qn`5?&Uxm@ z&R6;Wul#RAUdmT4d75XA>P$w~>YjY%x>wFUTPBaRWbbvug{Ra3PqUGyb({n6jQQ{j z;jHaLxA9f}bJ>r(;(X}w___lhy8P%C?8G;~*-FMOn_PT2hO^+M&4>HptUZ45UmIsF zSa*j9@Yqf8*chL6!e?cZEBD-@*&+P%)%fS-qc^Gl`9bF4-hTX{ZypZB&BKc5JY>83 z=0X0sr+|4iXFFc;`_IDz(Rs+`ta;FU3^osf{~?Znv5fe6&>ZYa>YIms%)?cGz&ynB zjsUVQ#2iT8X)Yx1V)LLmkWVIlKB|e8ygEp{WOH;rKAea2-wSF+vcIW-<1{uvt;1Ee z51l~kgTOP(&s5^^H)XHe@}!*IGxgqBe!+P5EosGP z^t-$t-)vJk?^ZtszTa+J`&*3-nY3-Z|GTvv8(YyJV{;k)9=EHaX)@<2oLkXxy$fJa%9r+Ou@T>xx5oZiqhU|S4q zH8$yPC7cV4?wPT1_UH3`@t5F`bB>Hml#ViV|HWL-Gv^~$^WCHjWv^jh5QU!J8~QwP&WKY z;53c#>pn?y)_Gw0OZXwzaBLE$^&5f?a`M&0GC~ zV_eJCJo_Sj?U-4cuKKH~zZ{->G%9<9lb%O!=++uwtvl{sCcV&J3p{X-D_3GgQ>JNl z&VhF+PchFZ>NEfIaJ_ z>s^M?lRXUn#i4uXD)rzKW$tRqg9&t^?~fJ4t^Rbanz z#GZHad;#~}tld@r49e6G;lX|2fsfqF1srP2M?L1(s;@ftVWWAUwDCZEL%h-j4GrWC zUdA&NZ=ioodd|&Rydg8$z8;7J$CAj=fjgRmgg(A+n0gE8-Q&m z{n8q)(ZF=UyHBv62YF$vmpB1GGC6O+wr`-W>~?>~j>XF}b}klPPU62gZ2V$_Yx&X> zjX(cpEA8R?Y{^aXR<9B*@GjP4hIUeaAvjev+TVnIHN)21#)McW*YqO%VH3Cp4*E)5 z#*9k(i2Uiwp^tgIcNa2Bd_eu2LLXz##^cKh?q{0Dnz8%HX8=b-!;D77DR@75tYhkP zp{47=`#JQ(M_nJ|^hU?2e1DBoJ`8w?mE%9uIOWIjM#o8hR*MV%?O~kq2`wsj!AfL<=EViyuY^Zl4~?s@$gqoO;xu&f z9y*)kPY%yY7RAF#v=W1rVgceA!j+G6yyYhOl#EmF8Hj`8D?6cy;*na{W`?qv`-d2- z`X!mx=rDSa4HxMTDl6x{>c!8q-ch{NKRX*?@W%-nh|QlUMl$?q_gAj%~J3$VA0u_kYL$E zj^Z5fL3+`%;N2wXtOS~y&sj1#9)}#n7-Bed4bOO3!?XGDdFpBRdH157s_X(K>%k z9V7C)>AJ=A^&!STk$1k!dqk%d;KX|HV;AS=IUgDpud~~FHFLFX$M2|D>s^BNV03Nk z>~_8}yldOu?%!=3YE$hGrn3w7@%aG-E`L)Fhhiccui!5oHfx>#>9g3uTfk3Zw7&WB zEppGt-nKzt!CZHGo>{+r0rOrSCqLQq){4EZM6O(&WL8UlR+*-?e(a<((ULE_kS~XL zMtbE?@}->kvE<8M`1rI(OC>*vQ@c9JlM8J`b_su9RQa^?X$4 zR6o!&ecAK_-f!t?y3V1W0S@V!x%;wP%FqG427C-1b0LTHgLdFV?oK-UC3fae$BnKD zuJr^sI<2zmbaV&13|%t^J#ztv{7WvgDqZ>}c7f$@((}?ibw6I;jOm&==$Qcy^+oS4 zp+B*9q-(mPx~9QA3zqx959tn@I1khvHbh}BJxjXa$H|AQqkPyE)m>vctQ(qa0|zI? z`5+WuAIt~ghYxE^y=(VadvX}81ug$GD_;N}zxSt^kF(Ds@aX}D&J#_r?U;&J|_I>VS*j$RSZ>qU>T>(Bg| zy>E6*R~W3V+dpDkw?*4J6WxPbd}|VGF*J5RZD?JFbbV|5#+c3+3=CxVa`?FP&WBio zTZC+peb*ed?Zoe8->Hpa_(Uaqv=|-YH1(ywYCLD+_Ef$v@nTp`1$O^`0%+UK}%f9njbDQ+mf%-%Y zN8h8I{L#yylU;_=_S=<<0-O3aMwFI{I2buJsSPKkNBRi^iqn3>mO3w2F;W|L(zcwFc~>#98Rm6uD; zL_SF#Ov8rUf^TdkHe4q%^lEgjN@!kwgi`EY>ExnQ)s-%m^G0!Z9%J+o3yk&k1miu) zcyr8=j5n!@SVPDMERILVJ9v4)k!s*~={obMlkp*S=1}LdA?s8F6TL%yss<*~!AqX0 zPMOI_I4i<{rKYpR)V_(ouJvkEHG77^q`Pmpo?aIJS=Y<@eG3 z(J?n5^Wpc6MbL_TuyesR$y@p8VzN5+O#r(u{r$+|g)zNV?}+il%V|eE(Pd_S!txC* zHFL@*J8}l>N*noDH+H9lNEN z@yKT&Stfr=OfSntFH4N-5ZE8TvksAmJa$Lz{(48B-OrjP#jh>9UvNN|Y25ghJqG#M zo}5~-^k3m)li#-CZTl`VeQkegZrc@|gXQ$uy3ak$!9ZBKfDQD$rWIV#T;!cMUfu|e z#Q21>weNl3y2ggt4{1v#YrUAr?YREs}PwyzVtznVE)WO%C+Irg9vmvL5pO|9v$@@dMs*J)ilI~&ZA z9_8HdJ%X9+8RYSDt~&F?RwK!^IE!O}pIjM^B#x8txmdo8a%1FIbFe3&Gh@o)D>ANF zd}YR!i#KHKTKqiw9LiqUMedAjhUJQ>n!`HxGWUysc{O&n$4IJP$+3vzMd0#P4&mfT z_#J!2RgtF@T8!^23pm+ye6b&2a#em__D5) z$_gWq-II7$`b#qNCE4o7pCkR{9Pcb=Jp%H(r}6#BZpqcL)P0!pwx~|g$~#S-({-_F z>l6`m3Uu<+x&LD0gnZ30eea!n&25USC=dBG|NHcn!F=jN!)gwF5UjNCMJjNsWNhPE ztC^-fX)IW!g(dq>0L4Z@i=@)F*yVd&Tv5= zt}NE8k_S*lUvkNn!Vh{FIreg(q^#TPW=%5Xfh$|Kv+v$4#XjO`@gf;u@pHZ>gFKfG zI~E)dlDk#{U(aLjl_*d5DIYckSWIKjmQ@b38a(r1v-m2_G1U#=s_gCWbS<0p(v|*M zhj@Nz*u3!D9L8229h=4=d8M(fW^C6QZgST$ zeeA8~3nQ~mF}AmzBST$`?H$IJ?7=5*ruZ7n(bm|?$z!ND6RokK^R@U)PxV5^CSD0o zvc@JphwWvJEhZc4z$xWnO@XiY3>Q4bQ=MzN$WbIe9vR>l! zXSM`Pqgp=pX}m{#XW_e953t4W9|KLL`U)0F?g%Jw}8!?QzT>UoD1yZXZzKq&EhD36YK?-V%`xCmw@U2X)bu5 z2wZA`%P!!O%RA+B6nwPL#g;hu)Uzj8{$;MkJ_|lcA<=^LGSR|N@R7gt!}Qi=*s8I( znffW-KX48M(K(FuRdcAmY7YN9`dDhoJDZp7jLw;5i$v#Da}|TL_+x#P=fWSG4CqQ_ zF6B#Srh2Om!H>>==BDBid%iVu5ff7PQayUFjUsfAyLuwkm{Cu{Y~h%t~S z?C(i3-7R})Pjju@b?JRCM)C1}ayv(GT^fl(Y0N z@sN3}2WS8$FprwoBfDzgyR#<|LtAP*I`DqHA6ETV-IXQS{d|65~ryxw1gtx&<*oEHTzhtY!{zwt}#)m_hZ zt;6VC&-}|S+RU|q&J^#Q#k=~Cb4p?VHiT14sb3kj-zw;L z>>8Ohld<>6=PmnUA@!6~E?5_UBf=l|4)!UP{z7~r`%(5HPPTQ=$N>j?(BmsIbcxsB=h$qxi3Vx}JshR7PC)S>eJDHfDCu zo@O-GZCuvfmMa@&qUF0tO*Ka2A6)7%Qx|C8u4CMmHc5mdkt& zmA97dwR2i?I4f^0Zw%k>OSapWZ%Nm0jxd@Y;T=1s8Z)f+!Cm2MOlMdC{#{CEfHthW zS)J!cbK}Gla>z^dfuGovWvgfdJWVmdzwf?FPQ?|*j7G+y9JEUC_6F5^G^bl~H_J`j zpE{GK*mZIkw_;5c&o#-;G+1N>6&p9*5J)PL8v87{oPvSj) z&$m0?c+0x<=ju&weXfb0ksRaA>wfXvX7W5&aUb2Jei}K( ziR2fTalefF7wWsIPi}Fnz6;%GmFn=^N}j8y?lf|XrH5(_Pg3)7WM1CmFDj`58MUIV;l<}ncn?A<9O{H^ZibwQLxcmz5Gt(!kG6nX6d%} zxKq$~GeWtH7k?8l=(~S{wGuB9gB!)(2X8a}94ps)WWC0vJm(kl{lU=s%LO%rPTD)hk#E9a5%*Mdd`~}la(87@6|Js9BJsKp1!=YnCDBW4=#48 zZ!ZF~H_5AQ2M)wCtB=zk{6vROpkqD-Tt;yOcxE-v@ZBPEzcXLab2-50JHSUerf{^Q zBhpw0K0^03b;#K}k*zyMJP~Yw7P8?n7x6K4-XZx|l*i<7w)hzIho05=<_Le&zd@_N zR9+PL^`i50-D>}!yP~NC9jO`k#ml-~;A;%l%Ds}@Y5Uj64JEtuy=L;ykoD5hBJ!*e)ZHU85G>SbfM$TF~iC^0BtScLLlw z=^W_`aK0Aa{58|=#bFMvmq z2hP#9>{fg-7E}0TVN7=S&u@Z16nc4o8Sm2j*f-?JqLP)?J64rU>)wq0@;Wfu|KMeJ zNYm3)ad&+oDc%pWunI13pT1qWrT|oOQ89zLsdb6D?b~uq3 zc{X)i$R}{8NwIR^GF|@{K=X?2Y96HD$LC`0V(ym_`{Hc*3@7uPe23Z5a}M+{hny$h zI_GoPSoJOgyi{KOx&zNCN8ZDI;-K~DK~}Dli~GcYU%60UI;-;OqxF^J64pEoMM$){(i$KI?~y*bgmrYztW%c0jd?FOz-+2HP;DSXPp)<^I4375Wq z8hOuJ#AlJ=4*|QMKQa7H?Q@>P`m{=}Uj>&Ix`}ToR>gjs2!{h z=J@KYAGWT3$2lrA`Kj`TD>fXx`N|D@Z(hoGW9G~|w)#GfC+D@U{x(M}7U*~?uOWE@ z&vPgixQDff*rei-;^cAQ>!q;6yy-)wNS2)CyRx8aTOG4!X4`AZqFABx`!cg0^yILEJr z8hjm0eB4U8od$a)Y2SPkT_Y3usC`?BztcA zAX)ydx!Bu^7Z(|sR!(EQ4LOjX$;NtHtA^tC8ABXw;7ws)gEkley6gU2A#%}Lh(Kr6s`j(-_zk=}#M)vr}4mp198}yd7 zhl9P3kmkLNaes-mIGXD>p%>{V(zEmp(ROI21AL3=ngj1&%{UK18!q%N{9*OdGo@p} z`+IWHxn9E_)IIWp>v@*4qnB4vs73(%)>(YapbJ82D+NzZ(J zgHaQEeihGGbAJ(fXeRg|f1>)NeA8n1@zucm&|d;~>TRLkYWgC*Rdvu;x)w)uF5xUV zuH4td8uwf9!FU`ezIp-2@$FhTE`RGE8&A>03ja{r8HnTZr3lZj1RmNiY7a7NKkrd4 zfIaT9%xkK(M$OIzAg4YmZ*9IHpW=bKU!SqRn-Twve60&PG~X=_Z$0*nHE-w=7jles zFQzY(!&mQPzJ25tFXWI8j&Ib$1=aB}-@a&mv2a0hSNX)!&!unc`7d+d7oBh6gZdMj z?_A{XLJsw15%q*a-{-74ns2SEl8zl4r#-&0p%>B94npgq?>1*nNIdQjqj5Jp&Smkq zOVKzs_hOUdk4fW^x$>_$@x=_oCzF7lF&y1#1pYNwu=fD#0?}P74SYqMMgRD`X3X6k zCrfABKAt=ICW!6hDd71}(avqOcPs7A!^bl>$a^dw&q3u?;U8;;?ql|X_^0;r;QMs= z@r;n{qYY8I5kL93^R>P3>^kZ6!;Bm1@QHmd>JvLQh;O+JSGn5#O}-r9Mz^!%IG~c{f!oZIpe+Gh^^qtFC3YVGG54U3K`V z{{x-1+?i(OUz9t?b)Lt@T@Os8hZK@~a~?RMi!^3N>ts^r3_4q^&I0O)j#a;a|2y!5 zX@34Q-Dqs&sKa*Sd%%sym=D?3Q@hX^CKxmJS=XtdDO?vtujQM`RQY)JxuCom9jL-- z=OIh~Ij-+vp!Zbb`>Msy)l41Y5yAKI?^t!2>sSu)G3qv}F8U6|dG7 zw^QFEcS-t?d>O=gyQHfCiazqPDDS~IG|g7XUOJJ8Su4McLw9U=ae^vcz<^ZBM>Vm)~bM{;wFpyW%4|78hD7Jqw{|AB;&^0DqXJ-G!XcmKTa3;1 z=tJnbN45(Vtp5!aJB=RA?|#Ocij0-+w;tQTh0MD7Y=rza7h}#22?pX_)#$UE*$1lJ znP}y~l<{q-TGq$BNtx(x75dp`rty9-MrYC6k;4C?-P7!4dS-;b zX9jdu>rAz5g!T9wHO4Q$jSfcceT+z`YUAm2t^ z)VEQGZ{tV!2qb6U^(tQDu-0>k=h@#^HA0I|L0jKJ;wDaXBYJ4+;GJM zMZhmUF1e4gGw>AVlX!uhx2SKB_w5BR`2J#*R@_dyi@h(DWQp`sXu*ned^yU~2a7j; z2A-bB_wlfc3$r8GcEjyBM;3JPJpGx3|Em~2t$5?3aq-4+1LBR_;bksxBhyST)4p9A zD|;_Jt8eF4kca!3a{trzcLpYeT9|Xz^36Dkop}`e`33m27kk^ZaBy7cfXY+IL*%*+ zoHoJ1y-^%|O7IhI@(g=-S?@bY8iC}kw=QJ$wrnO@Dmd#p>G;Xe4G2} zhhXuyz@i&i6tVBS4GZm|J0VmVg@t5UCh{X4IpRmBwq?`!P(>6Ll0Dhb!ZF@y01wgQ z0^XH+06g_*73ChQy24>Lt6uL!2|C`8aICNirYmq z%D=xNnhVYvqHWU8<6*v$JqNpyhq1nXioUjjgIVC9XgyajMGuos5Mhpcn6tCs`Oi7D z{z!VmWWj`e6?OpceH;$pv61tyIKD!iF8mCYz+w{p*+U!fye91>WUp!bcwrGf9ci4h z>|$8F3@jwKW8-!+?xOCWA+GZ^37a`MuA?<*=Fg74id--hCQ z#lT`Pz88qXVko{hCkl(f_+Aq4`(yCE9NzI^eDBQS{(Nr+QLtgo>2!~aZAo}AHNKl}pi6rms9ruLAl^Eg}j;q;63!`YO5n109t8NN^3 zfB)Hd{ZM-*hI)c*5U|WiAJM%mcIL@xQX;J?Kvx5yyY79`SMEl>F?ifLCxH%Rxi?GEitq3+s| z<#mr`8^rdH?OW3>o8>ZKRD`|={4R?5mJKmyf)TpGpfQ>LdF%b(HCOoYvAwIm9-_6W z@M>LYQQ*Kz=irtj8poW=uH0GcP%&`u=WxNMsY(rojt#Oc3!Nma7KRK z@n>b*UL2nk9nnu;UuP@a%6OUW^Cba#%LE)Chr+WC? zpx3m}S?Q*hkD5HvWTR=1!{|EacxHPoek2bzjP{s%mp$1XjE{A2*pu3C>f&{9>_HQX zf0lTDp>6Nz-J*vy%f4NKt~-f$D<86(*fl=DvPr;qu)23sS2;|3KZx9r=}av<{e#-{ zXUI#__g>YP-S3mH5zUj7ZtYrRZqs!!d6M*{=V#OtZ8^CAQ~nQTuiJil*}Ar!%ld&% z#eogRZre>`L!UT~9!hS8^n_+;Q+AWyC%dVa?@Y9TFTw%A6+cCjVD&J*P<>0LlXm*( zyKnv{F*f13;BXE&9K8UC7%%9nJC?d_!)-Y5jq9>j;2_>39-()MN5tkN-o{rWvVtFL|GVoXEn=-;P!QlstX>XjrLf_Snfb(D6=q&j7gWjlxB32rlB2 zf{W~54}E?9{FIA)6@N`#$s)y%X973j9yyi+aKiqc%}>!8n41f58ytV^y8lAmKDecp zor%It?-JZ*0KX#oyM9-C^8RDJ$AX7EROcHabU*aVi$5swt_F1BpNF(H-zwaS6(LExu+6)!kcOh4r#kRNd& zKEoXDmn9^Iy!Z;M@r^3a{Z*s;`#FrsZL)tE&tjihJlK{?W1zz^QMoiWbe`CY;8-l2 zjmjnU^B9NxX5vrE{n%9Bo9tOKv~3li9}=Jct(*$Uj!a-7I8?^Lp)v}G&oa(d`cO$< z2ZKYQ%ITZ(cm#(|+7TS8J_HV;i$t^g2l4TD-HX3A2EZu3Y+x)eMkAV2t=~VjU?_b} zyjJqRk9MyD2i520UrkTm1#gb`=k?Hz@a-3B54iuFvkP3<_}0ZV@)~7*`da_IoT0uI zaLjG6w_`LvihPx9_5soQfDZP$=w#0e)@HKrhxY%l_x@Ili`MYtwHuT?_urVWwyf;&9dX5OS~rJbD;BiNHJRqx6C=Ewp>`>)U&fJ>$uX zx(QuyT-jsfm1=&JS2`|K0bF!vuI}wXSLP##IqiK zmrS@Q{jijI9V#bY_$(f+^WEr&<eAYkV->TfTx+k9Tw0n${Qs7j|_~37M2+sA$0ZYf^xd8VUkh`WF zAI10tQ>}X!ZEHPVtz(Q8$57vHrC)xFx7ad!J$+LjC9{+1UySF7FNrsc?zGR3&5POV zt~X-Mnf5+M*9euP7qvnkgUQ)}{6c&}u>3o6=l22|?V(u0S$u#oU0BDk;lD99TZUW} zug_Lohj`vN=JaQA^VrjF>m!mw?743Fq=nz{e%l}O?T$U*qu}1jyp&L0$NVW4rx>7o zM^}7(=30kCse^VV3bc|+%su)7Kgt3vYEVseDK$cKC1PiZ7Z>6?f2l2!mVL7^T5D>b$48IcUE^i{pbqe*T>KP%t38CY&k{K? zRf?;6*-z;O^YN`J*E+Sq>&&ChI;##j7(>*VL!BqAI&S#IVD(-w%eU&CD$4}_0?$-! zw|E$Fnnml4lxv`$X*c_~j)KR$mi5|p)|hLLgu^emUu8{trY`_3<}$v`?D47G*cVw} zc<2^?4)E-9<$ra|*Veh7OXj&kGt>mR%mUHMOq`6|zzqAbN6wcr$Grzm6p0$(f1vppBJ`iW&G3)s+9yQ|~+qbL#)A=vokjC=;WTWv} z4*5>d(W0@ev`{iMx_6WvTWQ7)Q7o%9%G3UX{wQYF20v81sSO$x|L-1UG|K+C4qsdy z@{!~SA2?vGzpCR|7vHMFFEKL<9FRPm0N+F>yW#UZ8;f_U94 zvkhGpe~#r(j`nG9v`^oU_Nh7AC)ogbtQ)BYp0jwL=uK-vGMy93@WB9+G~`>FrKcKK z;|E~h**5w-FweY`_6PG5$>*T)t6gM?<(G-@&LBL^RX+Sqt<16s(7X+cecO@OqeVwCdWswvPEONUa*xK5gOo-t(s*ow3FI`Tvt}@%rZ^dSf{cCZ ztG2$XoZxw%vh$d-7>B+^!a6Z*(|dXDGdzC}?c7a!cah8VY1XR^w{n@XX-9UrzD1U$NI=?dt}vC=WNCIh$bl7XC%KHs>RjkL^9mDuJOpf{_AAx_^`lkAp9097B8^#J;sOHehd7`b;?#u9lTb)hruDd z{vP8Md=+2T^NJa_Ir&}~`SXe$D_&g$ob0&0QS&p}GSd3mUYtVdwBYGF}sPX!=76|zlK=$9wm#R;MLpF2&6N^l*cdc`C`W|#;_0<6XHq*CS`sT#;CP&<-?*hi!U#4%5 z{atN(w$?eRujmVd_4O*j^xen|zE!uzWKN6A%`xrZ+2l8hEnJGN+YmlYr0%3Mkr{2y zn|%6aRyyCN6Rv1H-{w27vH@c>P=^fq8~PKQt7g_mYF>&@k3ue>hkOb@C)cji(j$zT zFY20k(q5OXtSP)NdfoglBW@IbGL{=PpX1(5PRQrz`YzlXOa1Q@DsdEBqS@UgBYb z*-gKVq{Vo!@Dcw(TJ|J#zo@LvM)!%y>MQxL+-1on&BuAxTmO8#(fIcqUxv5qzVKM< z^ySk9FNpCQp}q7auiUeymDsL$`hW1Ak<`oEWApeQaV>b}<(X?5D1VM?wWD{usQb%| zHO1VU_)oRz_F7`;DvIyed=T4xn|}=Rjh^2&%4mXC(d+p(HTe;;Zz}k1@La}) z=X&X11w6VKo?yuc=0GyyUgSdtazbsiDaQgn=*Kq7M@GDftq^N9@5JMK<2W=ijQgS<3d_aFm8@WdSWjAA}#4(|;$plmp*u zVGPGd`J2wuUSOU7Y4JPu2rQd6eRKM8XX1jJxK5&d?ZLO&%vi7ozPD(~q4aM=`CbEj z?M9dG)&CckVGgos;2xNsq4TZn*N`cIuBl$=vIGYMZ?n zW{%e!IE)*=0Y6V;FDzTej*rr=4f_{>0kk0=m{RLZE3Vuh{GDE@CQpK#}X$|f-<4^bxH zS|j^7XitcC#$Ey(J!YzvW9mR(mH#Zu8jspf4W$BiKRS(`V-MZVR&pc;`s9w%w;Z0a za|P`^bic$Nx_?;SWGZ=+sTbuuofTit$TMC?;Epjh$(xm96K$Yzh6(;=diMO$+V*6|m=9gFBd` z^&HCCJivOmAMZD6ehuGoU4#FJ9Ns47p#u->IyENn^fSNUrE&~Bw{5@0C%s0|#tZ-PBT4n@sSxl00jXiO$8p^FKDeIm~4d_PyRKI@&88fp^CHwv!m!B;IF#o5iN1s^4QT zYVCO#+e1P79mf}y+f7&x?>@tot>500k7Z<^DIlM)l!^p~~U(J9tU<{80Nd49+L z4|{I{US)Od|G)1!0Z-D-HdFyZByW#DWo4A4{A*HqysT_|KM~ENDMTndE;Y z_hfu1X|b;^-$)G%rOzoIBMhIl?NKu|a1F6&Qamx?SstTf6fqAb-Io`fM{F9y@NV-i zO{$w`#Dr6p?&Y0~ZKZ}0&cg>H(`V<9^y)pnH;f+Pc}B*z6eA@(i}h(#LS9E6<2i?W zUVTeBsuTb6ZC;NVPT~J$=1d{Fqm8U5dGOTo`#%A#6aLR^k8BbjIGcO5w6PG_XZ@tK z-5|Hk4b*V~^=478;BQji4Mxni2=U7Ef&Y5o|7aIj7XWK~BbtRz^4Hu=ok!Ao6W73w z`x`;O?XF|;Lw_(SE>HyQkMOTCn$A49ll>g<3xD)8eKn7;4$HT` z_6k)0pRINNOdG4{{Q<2L;*-lh1`T)hdxx1@((g4y$tkZDo^Ep}{ho9drDu^tM8ikR z#wgRK;TeP$g3q<`mxzX?9R$ZSWG7+sUs{h^IHXtmZ|c!nCcU?4ek-&>>*em&A*a?$ zmwrFNyWoSZb2#4^_bToA5B8b$9r>Wg1)(pD?-b=Y|J(JUoaeKIa z$)U?yI~oQUR?Q_g$%!Oi;0@-N=I6Af zv326FiL(Ul@{ljr_BB_YS>01yhgn8)z@SYtpx19e0~VRd0dsLe-Ck(%2m?-X(i@Cu3Whkro~U9ZN%pt?Rs{ytg!gcfF_=iPJ>6BcNkR z^mz=2?(NjKl(X05TV0!mwN}(a$FdwcHU>I&Vwvc-VbQUL??yI_goY`uNh)iH`dGPS zU!BUYWp7b!-)E*$j%abSBC)WDW$e30A$({%9`tjvcG)=NX?@%H<_E=;a_>wc| z+Dp(i**nPoZG(6Q;3m4Z=M&O3$@YiQT50ikA4JCeH}FChJT0ba*Bn=&0@KRpLffqzS7jrhLx%5? zSo&q}C-n-g*E`&oUaS;c_@#4QI@hSxcgSlUqJyq&@Vy0Q?=`#=eeZ7WeR#_@^h_rD zCJ+3+7rs9ReOV977c{cF*S?YqjFZ_J$d#Fu>?!q-O(XG9J#EVdW4D4FAlm-^z?i9J znZ~|D=#gS?zNY=>*tp!{HB%3v`=77aNbE;vMA=CZ$KJ7%iVelGuRoDz*P6GicI~L( z^J>ToP?L?mM|qMKvaeslJ1dE`;^tbCofZ4}M6L*{?du-bIJ(qjV3yWxvlH$X+@7s(Iu zRL9Sxf7)nT`ulN=A#2m3c6`{;<8AdyA5=xGK|SYi>wb^(N$8G{VYYsN{{9=((U1IV zKJ+!Q=(&ygzpu;UIKa2=H<$9h@1hsewTG;HA@6#@JLEr0Z$gd@3pVIrefL(U4+JKQ z(Vvt_53W5qXk)`qh&_7Y-`8eadwlLbjXg)DC(fk&TiDyag*Ld~l|fhDW=^=*(dD#) z$M0ij7yUl5$BW>HFizKSziGCq0*R&(d`%-elb98gdfHP1U}*bm`%rl(&~( z*tE7BT~Mw$U}^fuPLg)Q z?_0Wb)uVEspncMXPVgF+uun3&p7-(f_uKlUGyC6y-bK2kiRhA~Q^)_`@2fDcjAdMo zFkYUVV4b^n?vBZRz7b9k=dR-bco6-*>Ae3)J~-jM%wNI2|1Ic;CeXI5H?ilSO!Mx_ z+4u7NT(~HjvPSQCz39(l!PhuwKs=c+`-tLCU@LL?o7#66WRZeY-PzEtmU=X z*kmzBD~OFUVsV_cmP-bCgZ7*dzX*(@<&xRRB;xN!!Pldw-&P+blOO|i%wjE%S!2s2 zS!a<+=CH1tF-Au|Yq?~Up^j{j<;Wx|m*jFCvw(q#Tp~Fo=9ElghL`D@b$=B92U*Kw z5^R~oBu2F@lX$JQ{Cd{%RAe*BBzdgm>f`PuJL**ajwME&+RolB<#@N9fVO2ivY^&- z$}BOyDu*XnW$^^P0vh`eGXF=(I&+RM-Y@+6TOM}3GpB;XMbOzP?45Y6y^|NYAF1kL z?+=yq;(2dyypOdnRG~Evn!b`X?j7)2zWNhQuN4!!75tE%YaMxChBCihot5Ne;qfcL z>zg^Os|m)q-PEBRr}sE*DMi0%$4v0Cr`bDn{Sae~qjP9m&$C^OJv!G=12V!IkFlv0 zo!B$re-W~90J+@k--n7S)K5IO)8P9{vb+vUR`qdWBwa0Ng{c+n{kG;~y z%F}s2?O)x(JGXKOAH+YEqvwpqhX+3sKJ>QmAzJqRxcFexnqHxQrEPD`{1?WX{j?Hi zKdq{Vg%gu4yB+effY-hsYwg-~rp=Dmj`RJ_*L#95=Rp(ATJc1a8NV`%C$juJES_jR zJgsc0#S=*moWuAk=U>ZEqxNgGqZJw+8%wNS<{dI_M+5kTJ@Uy?{^gc|d1Maqj=e_MIh%!7uP|13l85-MnO~!yPV8#09oJ|u^=4#x z|6=g-a74T@%z-%gka+l!1o)CfzDc5Q$;<^$?M*&%uE^#anEU`dl&<#)Xo~hohn5ey zp_F!d(0NX}(cU9%l75qYgu(^(GwDO0uM%zaSc zZsl+n&5pce#Z~hE9=eXaYT2F0ALlWy<>z4elT{6D-(EGS{m~gYS6_8?d+gCjN~W3jVbFVZyKm39Km+m7x8HPm zj*oSD`%PcYY4D!kUhf_J0r8+dFoFBT7#jzD@S8a?#udJA&TntP2c>?Vv9EJKt6!)T ze~`B?La#^M_&WO4+1EksKjT{O-}gWEJEdcgODQiz-0^H=-d3-#8F{h8M|~OaeA>r| zXWmI~UdWtGU@lHa7cjz1u=E7GrW4nW^Wogvj$XQe>s;U$ZzeQL$ACPdycvO9^m5Y4 z9VK_vG-T&x+7I<+Y}sCwv88^u+CR|QXOuloztC#%u5vhjl2s*J-WdpA&%Ua6x~(tK zd~$PgW&+Cw?{~ILM&IF`cINZ`dS3XgE$T~Ef1_A^Ur&7-I1aK0sJebcUG%c|2`8TSc%t^9f5tU-*%1c?Ax8-?(eF8X~9A7Pq`F0c)#8G?!}$& zKBRY@a)Vz!vs}*?JKt^L-OIl?WY)#b_;npS_2VGzy|v5O8PLvC_!KpE2ZoB8MB2Kv11d&mo==M7{+SL2IRtA*0sRRk}vmL@}=ypF2=Wt^|rUlUJon; zyYK%udw0yAC$J@J&^_QIc>k_%-s*wODaGfX2;A3Uqjd*1Z-U<=RadtkWFFp$txi09 zHV=CGHa}H>wd=fTZCOTYO};@K>G_%Ml9go#F1WP*=eqPKprz!@ z*!l!CU+@*2bx*YKvF!HoH{sjxHuh~6z5@3RQTRGu_=@f7X2-708k^n5zC^~R6g!(! z-*C^RPur``-;%?3T4z*83wk`;cd&0Lk@ZLG+h+K*N@zqw)wkLeGkwdKq-*OF`aS=D z{t$hI+DjY5e6Rc-D;dvKj305wi7(7}K4u1qr{4UYH-2g?V>y{IZT*cARR4MnX&=w} z?T4T7mwDo+wiX&&6~7T2@IUjDj4SEO6(!z2<$cjrVLxHd(=Pq)Al^tGvUZuLPdxK; zyz*hhqT7(Y&MxBp`N82S*z07YBk`dlQ63x@Hc!0>Y{1!i=#TJKczQ4W5vG7zla}#jYm|A=a@VlOCtzQYm5!V`~wd=Fk znlyK_hP}fY_AK~W7-z5d?mBh^+(eHBJz5;p*lG`KFk}0|6ZZNg+}_3f?8m*AdH3^d z>%o}Q+xj&1H_)Dez)Ef2MO$rqJoIuC%r%#6q0Qi^+N=9Vxc3C#ECjwI=CJRHJ>pFM zg&RBYm)py@r+^o(&s+;WbHarz=uL&0*jD;zqj%vt~u}8NYD)d>B4zAiRnA zGGwu_vbAvg{wV#_{reuZ$IR`2i2KNe{nkSZBqO+XsrNw3WY6^$`hpVhudAPV7WzHK zIgpK(%ZFDZ%es7ctI_^@?IYN>F0#Y4^Lj67myJlT(6+xrYuE!?$u|p-9iw^eYV5W? z4zIldIu^}q58+z8c7T2pV;Md>J|MpPY`k_R@3Ggj6}{C~w{6mKep)=JggzbsPLiWd z3DW!`yG`V1Pp|`iy}cv`nY0HobWdbxqc##Tf)Vx!%8;e)Jrl)ZxATC>Uru&K=m4y| zUP0jFhi{y^tfU?OV_z$4;xP71Lg=;oBU>3}Q-^Tf^nN78K%SEP z)`2derO^D~QuIT8pn*f%Y#bWGI`d?%EkmdB&Cp|6Hwd?ubN|p<`+hw475l@I*O7^0 zHer*rl5w$Hl_iy`>S@4!aj0N=XLT{sQonLF1sH`ouf z;N|Y;*?dH=(EH3u!OVqWunP*G{|3dnrS3 zU~bwzNY)&-^+>Mm<%j{;t;tryi33v#e%{7+x^6%Rgx_|D_8ptpj}))0J}uSrsJ+Oa zIM>>X1P83WNbzXj=f2**k^k=O8nqw!KKpNH+mD=R5SN*GG*3DzM?dgBIIw{>PByGK zisR?~XI6@E+=JYFK{EO6saJOV$obBcHPDF}1(j^a*TSa-e6jacMO>eb`1&kLG!_ExzDZ zdKMcOFZZ)Ep>vKc`w!69OK)Ytmvfs|^a@?ixpI5y{KGyf^ zv8|Eq@pyed7XHGqwOP+t8P4|}zHh+RMz+q@*ywwXY|1P{9})*&n8Ujz=u(PqUAGoJ z#L4B39I4y~qFLfca`W*6apeC`BKIdaxs+K?uq%u|a1SDYFt;d@^IDdaJQhWlcG`106~( zv|aF<>%gzC1G`H2Wx-FnlV!_Znjn3NC(pdDa@mdvLyIeB7Q|Fse+{x*R-SR4hwCh^ z<-4)Mi7zn6lI7yt>ZLE6(0|4;@37DaU>P=jf#`@T0L7F_P*`tRVZokvkLeV~6o_9>;A##oK34>(!l$R3KuQ8vj_ek`Ab zzpssD99w16?2O}K@V0XtUBBu+p?<);<$Q7%@ov{~Y~!2m#*saIYaI2jag4yL*yGqQ zw16`62HJLGs`vj5;~3w~II91@Vw_OIZLMb91c$X;U(R~k>ANt{|8Me{z&=c4#8+_(Ig-8t4T^vHjqSHuTK^D)}zJg(^-<$28FmVIsknxkubub^eT44fJ2W=uEOcNP{p${YvMCR~0$PMWK02(4 zlsk~?Xg~c<_zei1FZzy8g}Spwk?);7!BhF(MR(-q^Lgb^FJk}A`_rrx@y8ZFK#t^?40}Cq@)%pEUnX9} zw%we(^X#_wG1#}-I3OOWUuYp~StYv7R+o>^8pr(Hz_F2Y`RLAJAEw^ILp$%4?NepP zPkR#{qtfxGuZGvunio6u{gj&H@14b$zK`WgpNBt@Y>y)zJLZAyn?pU|W2R$+uXXul z+EB@%bvc*52~Vq;Q)+89b1D-!{E>3bkoA1xe~i#{%FDwiST?cqDW`$<)$q@L$jKe> zD$?N|WDKVvt4!412YX$)(D@S1Wz(ni_)h9R#-2wmI*h&Ob;*$x*bBXXerH8cc7!@l z?)m&Zcd;ij2l}r#MMdmq7eW91>|3v*ty%-(msDHy|61CuH6Xql+EGUTgq!93Yi>#2 zQ$M3+KIxjL=d*{yaf0=u9=U%5>)b}xx5j1g4XkGc&bl^_e^>9UyzV<#^5BDliehvYLdnQ@e^-5|&IW0yL7IQA9U#*RO~ z1#ecd)Ckg_4$Hp;n?>s@Qp&b4<{^8$Pc#4G=Z`xiT9xa%i+C*p0XTw)qHYifXdt@Ox3PhzLs z)h9$-EPpzEd$#9q6UPz0W8C-QnX4UnMRVXP+MsJ6c4(3_)*-XphfJ7AIlBHK?>9N` z@8JCzyszsrWR;hASG=|4xXIiX-yH1^_2Dh~0pg{VL|*&HQVhxj$=}_S}_sNVWu$ zQ*1qt_{IUqto<#Y;;(@Z26Sfk4ffbbUb&x~=^BH+R=XvyTtVHlXv0j}GJ`fvXRmx( zkTzN}_j~Y%>|39leEYh!8Q}YJ#zeMP+FuiI9n0KV0A7o?RxTLv)&=a*l=E&8^TM4g zn#-Ak>SvfS{bv~PhKhya?x|rv**xFz;bl+aBss7w-kMmbo3v+MPMu|5VyZA!>zr%& z>C37;#(2^0-Se|%H9)Uj8vbPe%GsKOgILR&!0V>-jB&i*u@3)IaOuy(@Excj_pW%| z4bC3F{4ph;mEcD?<>Ftk*L{9_nGYG47|1s}e$(>#>FQH<74b%7+xQI6CL^m=J3eLk z=l7*x9@<$|<89;a8bc&JV#?TUH(ry8l1<9$C5G zThgw3^<3{jMwZ-_VGb%^$$BOEE1n#oS~sQ3)ZXV2=I({G$>lqI2P5M`?8n-2VgJyz z>L0SQ%83QN~d|{x1F4f63=J9?e6H&5wHrwm;6inGiKDIbFtOYgKyt+^De`8Z|ci{{kP8 zWsi;CQ@`@Svk+yvcn0s@Azb^#=h(NlfyU+r@6uq9{hL9t$ndO*S*(TYu}fk-DHra= zvPQ<6rZuMuPW8_W4WWO(q+j*v@YK*3%f^WO-{dZ~`^LSlefzi5`er)w$oyZKNAZ1( z&FWV})zVL`=<0d-^yI+o-1pU%I&8rLOm-b-4OW$^|H?7=r(S0km#;xRxzKx)7 zgZNhEh)!rN5^Wfc9j)vwL@WN8_7?F;8oO`PHuAdDKhbd?@E0vqAA?-Gv=ALiM_1ge z=eg)cF8!=zkJ|nI6mIgo>-fDr?(>^>@%SOCO~Om_$~K) zi=Mz&geb3T-~OGx`5C{@gT}|Ru5BF9x#xI+le_6w+TgBJO^s)lkIUFw6kcbWgW`Sv zmVRaH<>({^#Fnd%g4Hf~yWImj%f5dwHm>j^t(T)K`>XKzTNXYSKvU!3*-UUla2|%P zF9*CmJXAJ?()X}0#(tWQd#&sZz~?BpW##^A&|gv2X<)JQ66?kr{$Yoi2STQ z>U`j)wvM7*f}7x%?HyRtiY?}g$bE;gFA)FGwH@)aBiFEHch4$xVeF+&q)i(Fwj3Yt z?X+jib=on5vdg=)W4hChhN`O=$M3YO9^fWDX@`e-kDrW{b6I>(8?uaKO5Kxu*!5W= z-;CfWB9G;8ubp#Qc_y*B>PYOtGY;j_U1cU(d6if33>)c=gjk+&D6ca4;luc1TJKyN z%d^D1j^P~grSu`MyWb2<(;fQf;}5_tcgS z{`HQ=Lu2qVdV$Bm^DqNs&-IkiHIL?X&UkCAk2v^!uDa$@ zzFU{)Q`hzF_Ghpu3Wk>k!_XSxmiQC+>P4b2Vei%L>Vtf6kAh>;S9HBMlJ{qEAh+&o zG?T-^hek7nT-rv*aPVp-hwhQf-NGNea|gIJ9K4#zp=ZZKQ+Y+-xy{DsQzP%GQ9z4(ouFcYl2uu1cW zTXR@@dg`0{Bpyq3X-yKXpU!%a#dVOi;C0r4(a`)LHh!0Dt)Tp?(L;o}Zbr^Liq7WF zJM!9f{alad?x~<(=$w!(q3_t83m4==lt`?Q843L@n{v;uz+v7`Odz){eOdlX_PdZN zb?;HipJ}88PGlLxBu#9_KRi%HTMh|#=+Cr-#K2zasEXNrPa%F?S`(&~&2L|YJ~g2% z2lb%Q`$3)4hNIq8eAH7;(Vrx6B$+WNF_POhTyGT5;5@@fYAfJewsda@cHZP>)vtOB z@hv+<-KuY%kx;Y3NUW(c$cN&LRT%m+UC+VSYx!>kUdNy-w{rflk+=E;Wr6P@VtdqF z&EAgaQ~|IME-L2!3Fzk`_61*Ij9+Da9Yx#qY!?3~uyHuVx%=+ZW=x<1_&1t%e2<<+ z47%n4;aj=?9DQvhUPuRreCie&iDAX#(DUc;$7>`;NC(Fm&+x@-#1F5-@x>F}XN}sn z(e#Fg^WVYP?M^VD^BJLy;Q9mj;jO^$?gaDlMR=O$nb(K7et_dCj^C`vYyUY%qj_HV zd$eOK^&gWjpZW?6|GL6nKTdel=>M2g;}XNT^q@cM%pPqU{>>;}L7y^=n6?7W6`%Ik z_*cewdjQv-xU=*OJWU;2fyIg#Qa5H{!!>z`hx{Z{*Ou zVcvKPhULJp4cIpW_l+E9JOlR4zU+JR0P$Rr!tM& zwwUI7!qhW|dIIz3Tl?qn%y;dD1ekByPmgCT4l(CniJJ30!7cT39sQj94cg-L)5E#? zss8o!p4WW)$Lyo(ZZy+s%0EmD1?K0pmwWS8+AJ76eW(*27oGR?J;Hav zV-kG+iVyPl$CM4T;4uk!Sl7Tq?V)aK+*S7q%GF#eF_~+#jp9k}T;p7GP48&FtuT5t ze}#I_oNuYjx0KW7+brr|WTe%k{3A6q3prx~eGf6FHQ<5%OB_7#L;uD5&t+cgeq2Hv zJQ?vZuCaYJ9^u{4^#amOk!_ zqWO!AREuut`EQ{+`=V(6Y0scL`=V(6Xm6@TuZH4xJsLXlO>BcVM$!DI9Gd@zL-X;Y z+jJaS^dyJq)osA(Y1U@7@w?Egi#+Fr_c=5lzlM{-QOOL)p|x+oo4e!TWjtblbA~6T z%`?d;_Ifxsyloo_?KyBOIOz4pG{<;)1bP@f0>7r7+Zo?^q6bD&&1>M>t47bzZ4T{u z2t1zwto8pAbWZSo6kHa6DZD-iKY0jv=K^Qlo5}y#o`07*USmvg=G?c}>=}N5zU(#6 z3*QO6uLIt%!Z+*QLq<}Va(UJ>d?)a}4tT!`-+ab1;C&tNeigo1&*lNM6Y$1+`TkYD z|0C=9Uhdxt%u9g1)>pMxbpA$Q{ayO~8t_#;zvjKCX^Y<1JA&`+4tzJ#?-LG;E1dbh zk^avEjuxDuFUv0n&ZZ6LA)Jf$>K(zF*ka8w=GkDKd%voY1btm2cORDqv{^*iK{vBVQMIO zK@PJ1x7%ZX7#VvQ+8m_c`kzR@Mbo99jKxk}zC#7zvYy2zh)*X!0{AT6`~>$#(f7k< zY;&@a5=bFtTnh9o_1TIbeELb9U(s{lJ&HS|zDswLL*HW^njQ;ITG#YlZJ}<9rmJr8 zg?h4A)H?qg;uH5C6E7?-zs(tGyxBjL`@!d|j znY1;ZL**t!m8&xKU3cY1x7RJ#SQ07zJLMjy9=F_F%3Vmg%W3cZv{z-yf3Lf8H_+Zj z-cfti@9kRzy{@leckPXaujJ)pl(ilCcE|0J;!)&( zbjzOOls)}Z!Xmot(&|X@ILcOCnk%K0y^JFXoZgj~*O-Ky`(&Ry%dfS&c1s_zE7542 z1Du8LcDwPLf==YEj1*r+`ELOKO3GcYvVqG?j$Mr7A;xhp-$V1e9mfNVqv*EA@dV{W z7)RsoNbyaS`zqHhlsPBCHzS5JZxu{dfgfwY=}KfHc)#x2y0Tx-9@>FC|B~rWxcvD_WC4}gA^251X9><+;q zs_ff8W!bL@7PL9)W3}sFQ;6=eFx>{Q?8dXV+x>0 zzW1B0RBE{n=_jT&2r_GvwvA`mkHV<*;h~}7l$GXGi=sBV}c!IJbtbsc& z$M==8U&U{H1?Bai+{zUdjms-vnow1_V}jttD#lNELlhoy>y(t`d*wGbWM^}g)T@kS8uFdkh zG;W*NDBnx9S+dUSlv6^C*dxfMdCc!WQuaaaB{Obml-)wv2Ppd>WsA;qSGI6GkFw=c ztg^*ty+Jti=eWov9*e?XNjKIR1F zOf-|BqsgIC@Om$0pNP-vm|khrCY8biBqj&ym;KL#^_0H>Jdq8d%9qW20k(zF_Jvvp zqwNcijm!^9KY#2zaCuIo*kJ9NjQySuK3=vyRr#5x*+H$isB(7S4&I69ok(Qt6z~5% zwzoCJEY+TnV%F5NpRIG*%9-p5KlU89i}XqNw2#_~9nWUYE8%B7@MY`yUra3U2FHHY zdN0+sVf7%V$et2=J}Y-*88%(5P5&78SNskmRklCgX)z3|j8pb@t=I{cW#?^GY^Q3@ ze@1Lk+1SY!Nd94Y$U6Dh94t?=_j2SDbRB!P@(J2KHZ!G^F|cgxa%>yBFVRNq{`}ZK zo#q#0`LtCz_JKp?OVfq5SQt@sWI) zZ|xXU%E@5I6Kus6>2~FZ!?v?(uKnE33uN0D|CXG0dBC>wTRWz+V(;C|ccs8u`Nw_0 zap(xAPh4Lx%tUaohe?>y7b%nS*BZvs=;@~vnL$>N#G>NF?;TDKF>G>aQ%7k}qa!*_eE%-?bFzEu&wflM z@5>H1!{}q#n7MvW9eeDtKAYdulhh;pW?%c1-;;2AGkfv*z(O{@U){_1mcOBVO_cjd z@!IWiR?M-l5HCr7g)R8-YCNNT!QPOK4>96Z=BYjWZsVYyJ=Xu{4g2dqA?&x($L?Ui z_8hSPw~qn)*ECPh0sE21x`+Ke{}kB&d+^P8qvJ!bQS0V+H~@~XzsabTO*y*VH7(4a z4a`g7p<=c9u-|v_!HxMUpXbPKJAT;**Z0H*_&jWZeb@xYVvihW#WI_W4f1>rH;xW4OuFJ$bB}Qqq%_=@ymd|6KE^|)%SeN->(Jk6YZ+^66LhJJb+`#y z74f87zK!|3FTW5&-}kZYHTAvhFgM{-I6uqaI%;edqS$NSA(8e2)DnhxUI!KV;wO_9KTe?0!53Sp8T|KT5IX(s$}d z3u{SNyU^+MV>I~sdDw8ZF{i59GG>WKQCtt#hO0Mi_-OiH1U;AnU6>4g_!>R}PW-^# zwm-RTXPUQFeyZ40#^+$?HF1Eid>4D52ak5v`6MxH55gDpMwiY0v40bG;!}p%xmXV{ z#+kr1+K!9ddi!L*<-?XszL;^c;qn?Cllc!-WwguAD_A&qi}vP&h2PmCzt9SAYo&aF6b{+kJY1Nug)&aF)f$H_K^ruD7xiXSZ!Gbs{brvU+0{trei+^RZuaEk&EA$R zmijW4tuxu*%;j9~$v?KSs-&H{W$FClksqcZKg@-%|D?LP2PwzW&7mK4?RutRZ;^<- z%|qz3??Rs`yAOP(uuX`yY!mKubdN972l%OG+Xke6Xfyp1JcFLzHJh+m5L{(DrueMt zoB9<;UrN|ZQooASFV593y{CSuJ(={&v<3hD6Z*ST%iI&)LV zZb~}Uo%Eqd;|RVC=f8n5Y;$bteqz~Dn3gSt{8MC0k!WCBN8gSmqX$8*(mqyVCVpLx z9mRp(TqmU4HWZx8hT;+AiIM1cXJChLB1kghouJ-gbK+pYbC z&w}qk;Ft(ZCmM-uLx?Lp+=6dn+b(jOXfNe?>P++|HIFco1IZk(Q`bJ~#9rfM3VP+y z*tm@Hq=f$Dz+o!=UZDL__D#QtF1-Xjmg<;h?GIwFL#~4a`c+~iv<=~0xG6uoMC>(W zvoQ@DvAy(7K6aMf4(IZ*lMRh@=h5~c+8@@uadqbp7nW?9OsrVp4fZ!vRj<#&9bcOV z|Gvpq-|&sb&RDw0Tk2H0Z&@;7BESHish- zJR89w+4xCtO){`#`6_e;t9ZXVU4it-_4o>^ zKhhN(rHm49LK`_Ti|?h(6UckREB^^P0&xF0Wm!2ZnD_NZBE?^${3hnoI~*Czl~{ba zv=^iKp*W4i-wV9t!M2mR^Q;GZQoXf{+D$j|<-~6m6K0rMEKs>lQjq%hz2zCdd zsSXacURgkFsQ&O)y+g?+cD>KA{yi75WV;Q}Ajv0p`;||ma`rD+PsPj4L&xREHdl0W z4|*Nt$0!v%8KZLGq&*1Nf2`7pC18TDibqySPI2Wb>dw!y%;HNsWk1QAWuGASMl86k z*c(kz`J-pjeq{4gyy-{fm-+dh;r)oGEWgCgxH!EmIdmwoc=Pb3ZAHdwf=>`{6y9B8 z#pUz^U-rlUOw5T;n0b}J++PPQv`0G(_$i)zG>=%QG<<^vand_IQco&R$^DxF-^VjvuQyzuZe(TaLnH;}6=~&=xyUC%^ zDLY2{MgDJ%+k9u-vU_yKOnI5u+x4Gd+=c;9^b(sa-!A&qARjMeor58pm)W4WG30ZT zztxk9>&^eCfkE^bCaF%wP&p`V8AW-JCDYq6kgtkEp2IKP_Hm7lv(zheH$JWg&uqW% z48Bo(cKP}C3XR9^JM;a>*bU&8{anv_g@^%V|jUc*}MxpGS5IeWlNq|0%ke z!i{J4`F5wzAKtRlifg0)F)$S8$`j(wM{l1pU3Ai|MF2FI%hrOP;B0bP%sNPwZzbTFL)Pt_^qx z$!})jKw`%B59QI8Ldw8zV(fBwBHh#Vv_3}KN_b_zIj{};SN~yTjbqsRHkyM1N%&oh z7sBp+>T&PDP$BdriFk_{-lVov$`${Yl$;!ZKiD^s*qwT3D761!=twE+ruH>b3ZWn7 zz`$r|v|@Q`59z|?FHQKu@*NXmwzOPVFzL{B^EmFG^zwCoz|4Q=t)qLTv>G&r5uLagqiCf9q zx9AAG6#Vo)t%2gVle~$nd)T(3lMv6H;Z1Biz%$vCx;Dv)CN|05t~SYWXV@g)&U_Lb zc6pB^;HP~d#T48H4L;=TpMKoEA?+vU9gh_M59OBj%qaY0xpsXgL_!tQ@b__v9y=f0n#RZM0(pu?tGrTj9T0F+6jr zSO4Rj|G3<|p!{SCu>XXA4CgNK*1=C~^O*@@pJ8-lV;hvSWOv;ZGj>}X|303x)`W|& zamOD#?88PV8ylh6-29;KCGdQu?(1Ey;Yq@=*b3!fE2Qfzcqc#4a(Iupe^xojqT$Ir zBTi3;+G_Al0d_*mq3t=?3B}RAVSJ20dxF`tS8eUQ=M9qItCoG$Vstxp`M@+g z!GlZ&UkwiWQas2KJ}b6VD}2mh^lX0GFCJ_vc^-<${}4BPS%Y|awX^80rK_jJAZ>N&aLUyS$z@OZ)dBG`5o~c_v z{<3oNm(6Ev_AGg>?ztt2b;5}t*8z<$xH2Dn7~YTzo zDSDT0SMjZ%Tr0$250~?8k^Cx_?5#V#B&qHw-z8tTZY_LQxGihd+8i?}{GiGQ&!+Ic zpR#9+%@3B33#=WPmmi!xDKEH@@XG$&!JsQO1S#-kbI&iYfs3Dm!O@$R~+#onm<-taWF zDD6Hqu^f<{M}jL|E$%YkB5&o{PRCC{4bhT82p!6 zc|rB3yK%UU{@i|+{%l&hzwWW6y`uWrE4+$wVh1_nmR%T}w#mW&2?fDfPv!?d^SCAC z2Pduh6ypYczjDy09Jfq&-14C#?zj~|M+*K4^QMq_^U25UT;mmcK{Whrx;Msxf5B&` zKdgh3fa9m4KiMuE3!>myXuYPW z2rtIBs%r-LROIj-cP(kI3oMDRd)E3UK75pad^o~-FUjF^_JDWd$J=;j^HG#{Xj3UZV-OUbfcid^i5&q?aeVp>dm(|ekqgi)SUSjw(2hIBJ4TFMmtjUHLsM!mplA$k=2fba3Z+{ zlgLvu%Hdb9fY(r4#J8qdFi8zh9U}fTAv}#|o%Py$a`)H3(t@GO-`dwMACt@aZo{k~ zIC`=Tw+&~3o6ASL{PJwtAevaje>u60-=Liy2YypCS6l6T)Pi5yCxTyRKWsj{>$S_5 z~7E4^G-^*8d|o>F^T%M}XHB;0DZuho{d?TYj?VCUF{~ z=BA5>?%a%b@G$o@yt3zF=Xg1D)8!YK3&Tg*eAi55wIXCS%>!4ajHWx~QFO9dXTzoI!SB^%5eK*)5*kevn3BEgvAHs!UO0X z(NdLl2XuNRblVTEKgfNxImCagweBZ`hXG5;uJ)QA7hV93D~HDUkYVTZZV~UgYySV& z)`8)y*IENkACKm`aMZdbSl0ks!O$I#J(m0*9~NC7#v1L8hss*Wc+7XkBOE;*tj#O6 zUa&5Iyz#Kt<#WZeM}K6+mkvuO#2Wk-x^o}#Fq?=&S$Jr$WpnD$egw7^vXiPt5AH+n zH}9bROnViFcqZNG&xe|8$oH4VKEN3|!S~sZRL*JP$7E~o%wz3SH931`u02=&IqbP| z9D6S8Xg5nwDSNKv)LDwYE!v*TLp$~SqinaH!G^}Q-Fiy)O}&gwvcrAJ)6cS_v}6AD z4gF>px=&(X$z}++SbGGnjn<9SZ|$+MN6-pvWTU0}f0}A++U~LA^X6^Ubs0JNeCVK`p-f_ipNzY8-P*S)qXhl@JNSh!XN+Zkq5b=RX59K=?BgwD z4^KY9#I~_wYaWeLjDK?Z&_?B(K0>ZC<%uOeda<8a>O~j+=h~tO_Pn%P_PE3-_TPcM z=?;7uzit|rGy#ihVAMokz{d`iBmJ*0HgEOhTgtZdUebGD5ICvtIqV~W6Jr~kcU!&L z*b4Ry%?EbRU}vp(&(Y7_XNTE`N_5I?^-etXO)O;zhKlo|JZ7rb{boueGEQ~~=#b+w z%!)VIn{)Qj`ku0lUDI>TRX>+~7UeY2#@06?R-9!wFNgNrGRWta?fn_KUMIew+)SD` zmQMWDv+Kmk$I?&ZE;wjR8`O8;qud>D@T@_&gAIOAWB-3i{A)k>}M6@*#9H`jh>aWXHs`Pv0T+>!A5k*s9#3v7^6{b(z~vGYIeeo@xGfguIx9b zVl_4wkJ|gLeM3v=TPC)Rf=k5XE00IFzY@3{As3zU928{XdxD*&X!TdsSDqba-rWbR z}zN~|V=s^m=3$1@oTI-+SeF-qZZ*23s*8Dgf?_FG< zBY02;`L9mqtXQ{JxWV4yNzrlH&WM(aj=MH4!keSmxX3J(qVp5OSY`v;HGm|A=R@t(B~9o%T& z8^Rdh-`gJNdo36!26O@QTK(T`^yns(T9 z)SBzi)95wx9?Dyne z;CqPq{>6%(SAGNg1?*G&Heb*`G@1ToV#m}#|1R%mq!A0->SK^T6nW32Ybo?m<8#=X z?%zURUAm@v{>w99YJBG3tv+I>wn+V)3a#qoK{|bvhO<{)3S3$H{V#a>O?}tv^9#P2 z4qnW>|jq@{~2cg@|NGDFQ9KW?7Gj}^x-XMt{WQf7R!#s&e;YIgnpfA zuK6i_6McDrbJmVc;t9mV=-xW+Rr0*v$~`8#{XU`d$yrkAF*@+eIBBg}*yH?^_iP^h zOxom2VV*EI)n@VPe)7vJ4lXu(!` zt!;N6=ft(OW4?Zx_|Q8jJ6Aj-b&H3TU0@ZosRBE(mVWEfRhR3dvYfX4<|XX*ET5Cu z;G0+C!&2y}t+>EAiL6mv)?Tq+xR_y@ZTVbR3}N4%epO&gGKc>+uN0k{f~}z^L>aZy z@eA#G@2U6j74^!m&I8}tEA;IcW6hl7i?Nq6YQF_+-S_pq+V&mpH7K?Ub*@)kna0VT z^l3Z)%lNm;i3t_sLuj89(+uA-`Mr8QvU{>^r>0R(D|jJ#Bfc}5{)9@m-&FLP|*xDY#4?DYMIpn3h^!-Su8&<63_P2JiRc0XUUGdpvh zT}r#;=XT6m#~;Ukp-WBuH^X{?da}UO~FSM`+K7%p-cJQYIxV{YUBb&TF(3`&@ z)0TPC13w_ILXI~*aKzikFZ;-&%Kc*YYkT*ib?I7D60ujxx8^{Cbx$&my(TCRhjKLZ z4K-8lFz!>vRIPP>`W;J|MSr>XDwSDo_6y7A`zSO)WyVwHyPkwl7Ugy=YYS!df#=@t zF&0(RzB|C<==PPH#u;T9hFw;i(+1T|OeU*8yx-R1^hNcGH&NLQ|9bCL&+f_wU;8!t zsZaQhy_s?;ERrpi?1itzR(KtLy@y!~1Dscwz1miCt~FUc0IXrn<(`DVDvmptE7v)) zDY;;<509;pefS-Yy;pQzjrYE%_3n=rk0Kt^z&0(5V^sk$MmUa3hK8@YU-nhdyheDd z?(D{wW8b}s=gXLL74TU*Tzg_GXQzpeiw9is;`0)fx3kcwy_~rxTzQzT1_JL!8@A5+)n@RP%#3EIHSe zFEl^)bFKILb+H9o=jq#43C&uE9p$^o2J1Q3{QTk5HV*H=$E^uoOS1Wo6>i%Xu%KKFSYo@V_IIqJMdh_tidqvynqSvxk_Ewa^`Xx1RC%KHs@CMDSeyHgN-> zA65Cbyiou@97E33rMy>tmNu@Wjp$oBVneYXPToI}J{+MBZS+C+*;C^1h5R2*+F!!6 zh2|3cnt0ATdRD|dDB|0x9~SJ_8hV&#$9Yy{Ce@TPKUmX4HOvv8IXErH%t*t2%}-r^ z#S-wtm^;V99@No}@j5WQ0#pIjLx4u(ekX?LN ziXXdMzQ*7WDxbL$UDkJ%_O zu&w8-<~t87(@Hxk^EgV66 zTcIO|xjw+R2l=)D*;8|>0G)&6>w>{%Z^c~IdZGX5?-d^xdbcliX*~Ow$;6^IIvytO zTFTPqx)k}bJ8(kdf?YucPO0681D z3m&?!_ir$h1B>vfGH%NYjsaKkA=!6=HYXWL;Ymvq>KHR((8Yw4dKw)gpr5ms?x`bo z?Y154(d=c9X0K_64fYfFvY(g~$2)O(9cj1a2X*gBp0762!h7{D@I%=bPJ=d&Mn|RV zF_bl$I!1fU@N8g4F8J^a{`(=V8Ni_)dX&pJS}+5)7R>THVK&OakuzY@GymK$QGY)Q zCiK^WNza1rVM1R&7EJnffeCB)Cx!{QFaumLjzx+sTmp{;7mtfeb2{NN2Dk_&mv;vr z#`&B$qrQI>eCWH4Gv|O0{r*_+L9cll&dmMf@WDoz`38IrMT$$A2l8oaIvClM>(HZJ z4*qB^x^u2O{4vuCPJ_<~=G0ffcjy!IrAIhPeRtq9hB>wK)SQY5XSs8VzFY7~D-7!1 zADL5+o;Ih`l{o^9L00dLJi4`l zHD)B|?)_n-^McAvuyDyv_Fv7qaB@RAo0qq`pbGD^Ziq3-=sp>&qx|HAt0p-?CgZJ%)j;S{~ zuRiF?V`|6yY~DA5955Z;&D|$d4my|Tb^UD4$@4lsTGdfLT0b5H&l@Fgp5l3FtN326 z;q!pCc;2r557I}z1FyS`F;br&M}Ot+8*bs;jq`9{tg-24j`z@uf8+fM_*FZ0!cT#b z@}8E!3)e$8O7L}kng1QYYdy!<_Q+4OsoUiV-TF+%gNSBfS?o!$?AoL^E53l6DKNOxw?|Q*XHs$ikc8y#pgSl#k$Ud?W6{H{t|yTJOp)f2PaxupTA;cu0E{zFS2;V_$r!QJae& zhUB;FZ}zvB=aUD5_g7^ZwWauj52rlManWJ%F(;8>$ss`B<3ge>uXE4lZ{k9Wh()@Z zoEXr0E8ofu&~w=p3XilWB7b@5(9Q>L zl6MsAq-$BzFT?H;xIO$~#s2ahvfoMGHeGbNM^bn%_oj|EEZg@m=c{-wntY7&>v|-I zW$Q8RGBY@lcFKoV^~!H2R{ACQRo6GjkB-yz4RZZ+2$~=CV~f&xZ3g|m=xa|U_r=Y{YM-t8b7W-=OX2EDFG%P^x@`hzU+kOU3YRLypMBH%K^n2ROY7oSrt$_6zffup#2LuEIUKq z9ZsDq`PX~e16=5g^PA`8w@a>=hQHHP{GAjxAe5RA$Vx~ENQO}^-yQgqKZ3uLXocbk zq~hn4#-7>*{9nlbR~`SRiyhyl-z@$kz8F2~^6+6=jX%i>{7K~Fv;lu6`8&zaN&ZgP zaBrvM?=*??gO0zGai=kD1O84LH{0JSp=}v?=huVd=kkwLY^4(P&C)I9vo^T&`>mO$ z>p4HTUOKR+8WP`@pRgBQr6*J}!8i%*PJJVtxBP#*`}XJXJU{qH{{C&~G6$gZYe8Qq z-+fyz*(Y?%dlmcdf5Kfu6_;lK&+OP@zv6zYw{P<^==?%&bn4*Rn4i*t-eIN(mJ@^a ze&Ww62W+?cx5Q-+u4k@>J#lU5gNu(Ov9}3rpMLWXEZkj%4x|xXhwN3RIka^#?R_t4 zVBj6kAoPz~yX6P1J)ZPXFd~}+>73OM``-QB`(4_Rx@XU!gfKLM z`H&PojNCS#b?6}u@qVHo&tRL!+GfqM!^kl6S&zaTvL}|^p5}|@z|CAAhKJW&QCl}a zYnzxW{b@@Z?Wp0H23<_NJ+EDD8o~SI&4cl?VS0u9jHh5xozy3w zcSSFca9@7H3DC;tpyA?a)ed`(Cx&C`>ocq`x|W@!`l$BC(#L05Q{u-#PkAOf;P!!> zh8@qamgt)oShHj|t?!2Mj^=he{ZmYi68fk%h#u6?$D^zPiS%tR>xsTu$h)k=;UNEd zPiyI&PTxYFUgT*Q*ftk@Lbupl=IPT+y8<=f)>Os}-C6js>?HZdja$*(91&gd#2A*{ zd<$}b7y2h%H+z15_JI5cXjiF`@q+kLz57uy)U>Cdc!bK^48QE3SpCIC+EZ8v4lbq) z?GJ4C^jW0qUvQnG>+8<5uAksKLDygIXQC3#oFpah}l;n+(pO zU)DWfR!eLqOUHVUy@nQS{0_1AwfpDi-%v{Z(e@)1l%*JvM|qx2`MxWSo28rmi@v+c z*!1^M&Frn^gJ&t1a6?byipN8t8{g_>bZqx#Y}s5jcndl5w*HR1!B6Zyf6EJAW0P-V z-etkv-`TQ~_-4LzW1R1z{9te5tV*{&2cLcE))lWN16^qxZT}bcwYFoUGQU4@MTsw$ z-QU=3oChxt{rHahiT+xBQXl)!M-)E2r7Prn3ufdU9=pEkJ6nd(ub~{$T@H#j))@a{ zjQs$6245cgG?l;<-SxPg)oYcLI-d2nmAL}l@T2Dr`S7QYC&qpG=se{RJXw^#s@L=- z1M3<;EZt8~rKycQX2drxF|TZlO~fxh!5=c?;%9s*<>F^~r-*lm^E9=HcZztYD3)_G zA-*U-&}$mcS6O8wOkKtERXkr6n=tj5H{Op8Yy5P|2svduXq7Q7s*L#fYoQ$_Uovj2 zWRCnReH(kr4}Yxwy^KxhgV^_FOfYT)--}=9DLaq8Z6qP%u_H z&fflCD1RV*R$gsC^9w!nv*;0u1H>YzU>?t<9PMcdx3$;o#wDr2ZpkDrN%kE1BqxMC z?Aa*Ri{^iKaY>Yy%;(s`1jrkbgDs3-ydbcpUdyJj^<-pIHuYt{5gB(gZDziX72b^p z?<$8AhlMfK`s$A90mf<^?>|6njrv@@Yui;x_R{{`A-=tfZ|jLsX2VG9P4CcKTd`5& z-T`pXGr-v7K8yc7y7B?WxGShT8b?iF(jATl``9>IM*de9M>qFJx7_=59Myc+^WI(N zqv*of?yKJ&vdw9aY#vT~qUYh8+?V}_-g%w#51jL3oabF&Y}$#eC^+q-KRbrnvg1m| zS@3+8|9D_-&?k-YQ1B=LS#r8bzCbgvt$?^%xtt^4>{Fh%UA;QvQ5_>MTdqk=Dh~Gg z6m!CgNhKYp&Xb8rbr-Z;dyUEoR76e(<)`t_AJ)Ey`5C{2I9N*paXFN|O8OV}Oovhb z@SDrqueIW1C4?46BAcqwadf}~XfHsvPdcyRT=qfICA>T=Z>x<1gBVX62at8v>_7)# z-s~l2ZR#A1LAS;d=PU*-}MRI2p-)0mBF)=Q}``t<6GdvTS>;IWx!81 zE6W7G0j|v)G?e*L^AYg#j65BF%SU`R_^C}U3|Do5;e!qgS94R4iASY_qx z3Ea~jqv+{a=&07PUz}&uuJf|*lVTKS-LlxCO}7!x&NsnGlilpw>`7-Z?oIHH?z~fM zrQF{|eyZ|H*^9Z6azt;Y=MzheLvlbpa=-@SbZsO~mt=$P;&e$yh>p1}x>Mg4DV_!Y zZue!7)t3N$fo~o6b?OQ^xV0U4M&rkMv}p%8vyMFVrQm5bF+SC1?X^}D7g9R9cHWWh zsoIGHYS}Ye_|q?>=dbHI`pA_$pGd#sk&m^`)Sx30|0BMS^<`0ckA#r+=>y2Bnm>Dt z_TS|I5AkY(H|uw*_SB-s<0|@)X~ovD$KwOmLfI?1W0K97w6aE8ZG!f!VNH0O`Ld3+ zHIw;2;g;_^YsVn}`HYd)jvdhamSk)@yo3DxoqJhb#%kwg<`O!o1Kxb>c#O~=xK_Qw zk_bxpY-f0G_ncSfk6zS({HH`qNFH~cm-R^ug}S^S1OUU}pw1-DYstCsJC zKlvVQd<(mp?%EXbp4p~MbRi87b>F5p^i7vGRbuz#YmBJwMeC6_rcm!clWw%U9x46_ zbVKy8`bcEl49@?l<^PHDk>xce`OHW0+^Va)Ib(q1J74XU;`ze6DZlTFzMVP!GycT~ z+-LnOPW`!Ky;`y1siT2;`WpS&4(#?Y=e>pJr$`PsKy2AVqbg_r1G~KKe=`ZzEL(dl4q_rG$;|P562EGwb{1?{v`Opyc z(dCJUAxnqRmxy25;PAxS3lPo9ba3vU#T%nfIV*2m2CdY*(;8dm$T}^^hpzp5dx`W) zPg=HBXR~(|oMb2L=0li^JxwWkX02x>I!B+Z^Q(1^-dN|~ObU9!z}2 zT#weu-l4I;L%6Q7(>f^}a>p>*hhZW7&xkq7WuEuwO#T&nOuA6%K^1q*_(tY+SsX3I z)s%fi7Ii7NNF{XeZ_Mjh_CdvO1lY%5UBuSNmTkpzs7|eUiALq>WO#4dTw8%GejFIQ zzNB>jK67LZ_7(g7WR9wN^uyX`Q~ptL&kRp)+^P?Mi@JJX+8f?cp_Jt_YshO?bHYps zz5bF)Qv#^9)M6!jtN^-Yc-*Q_knt&!61oz4OyXd(!OphRmd_v>NNZ z#7SM=8{GL`TGV?z3c9?P(fMB7%s9%6qdfl!Gk^c<^ex#llKgfR`$uwbrkNan+)Rqw zVH*A-(@brC*S6giY@`qR@RrAe9q=pdB_3#y{0U+#f1_$AUjEzYfn;AQUlQ$AmUXci z%m=5s+6=mRDV|~fRCy_?o&D1+YzDKLJ4V$0X>?wSt~P?AXE$O?WlS1&<{ zty|8ubc(Xe83e9MZYY~AT~M#kZ0gS>-em;YRPQLJ=?HN4F8qk3qk0bc@I=1wHp%jr zIe?Bpcq?4(-d`rEE!NQypkrxXm6#Z~L%KueR1kZ*_2BsbVeVbPqpGg{|8r&nOcDZ< z3rPrI67Z54ymN20OcIo2KvbZuQu`9X)`X~)daG4TxL5;0Z4l+v_kGJvZ8DfzTd<@z z0@yZ!V$q8B^41_)1MyNoAt*Ti&-Yx&FbNm?Yx{rmJm)!+bN1P5?X}lld#$zCUYq#z z${_OiJ;rh$GilqK;3+?a)|mQ%!^@7J;`{g)gva}4Qf)rIio_z}LheHcj{ta_$XD^E z+4mS8eNKRf=#}#9;+&0)v7z**^iI)kBe4dYi5(P9TKCKbryt$k={va+nh2jo4sApi ze|woXDmiE80s8x9Gbx;Frc@?ThjNpzrO!3LZ3b`2h`-b4 zn&b3aeLDxb?sxk3LXWR@GW2ZqrdoYlL_SG_IF-rsPu#avX6muMP|uqFZ6BuitvC;z zH=FE9w)%D>eY>4lM)mK9&@&aRL+`$W{od%#KY&QbdK18-lekF~a| zK7Ki-k1wQeh0|K@``|eb^tqls)>^O5$`Wp;>fTYbEUzLgJE^V)mt+hEUGH~>BIp-09l4wYw%%)}u2=A6-H=;6kE zW9k^@v6i#ZtIYmk?QLcaU`K&juy~JmbY$$&n!WS#v@Ye!5ZNfU4EYayjYb~+B>2j* zzbqM&Xz|lTXf!mApCm(K`RQi(>HkGmR5|o%g*VQJPhw>SF*p`KjWuIsMPiJsNQ{#e ziH@vDw0X&q72+k0$&>MtWQDuOFJ4x-c;M$oRxCOuE5t{l(Wzv`1r8t8a+e&HtPmf$ zvf_03NV3A^qgYwNnpW-kak65Y!$*6N6BFU3t;`SXa|utRZyVu_N;4%=1s`P-%baWW zw)*-C+EE+V*NTaa?dxyR*FSb-#|O*{e(0-lA)Q%cLt{c?<3#g9RSb_6 zd=OGV|1v6i{FwP?$|t$ z+=!a~V}0HC1bB!pDbFrB*4J&P+1Gvlg?;U#ult;!uS@7>V$ZFyUydJM@#xOY!`IqCNte!wrkTt|4V7+GX2KUw9epq4u19d zL)QLG>0R~Ed=+|)hgb+Nda&$^k2XY?ze(JiFQIyxOZ7J;gK)=1^-vqCmeUkO`O%3}G{*%4d+AAVov3$p} z-(|ZU!9R&_;qmYA{}J}M$bP3!r=n9Ieza!LRnvI>#&^Gq4KI5#J9xk;Q%yfjvwY1t zmJNRp-^g_DKqtp;cF^u4-`1h{h+KNFcKYaS+J6M!$q{Vo8t&p}ll%}`Gm!tW3>$QL zqA@}+pTU02Wv%xm`ua}FUCy^(;Qn3sKkwf~$NikO2pt)lb2K)~fh`}zeFC+KHUUM3u-OutW9f8Cijg_-_R(0L+hX=IR_#&%3Iyj7?DgFgLUhD zsqEXge3W+H1=&jO+O^8IV5`@V-~BOXuT^(;le^a{zZ*irm|y_jdlIFT4%}jQht>T#dTO`Mty?+{17p!2gTdibO+%p&OeH1 zePh=Y_Ox+VOsL{sF+@(z7xm(R8Ef>pC9*o@~=uq1;<6|4C+K z9;|`C;1m zJC4Lp!bR)TRSs_-WL#?e{RlnN;uF>p7CE`h)t6dFAkOvh!FQwUnvu2Um(u-3a}WCG z(3j27XEJxi%3Q^LB>fuoYTofMKD>;R1jb7b#!XM=on8$`7Z`Qr%oX2duIOOi;fw>t zctjFYa%wgAD2_;LmW+j^)4l!IHp7Qsyz8zG=EWU{1{-yEvu1f6&*w3&B=dD9Y6G(7 zQRI{Dd(4d7{A2u3(5JlD*T}I`67i*S<#QF5Ls!gG1NUP7a7iJD-gkC?9-oFvDu6d`RPI&*il1GTJweb`~QCiW+FQC0KP8@ZII%qUaFu%d z*N&BL#hmyteI(nz06b+Q>i=xysCdeK*WdZA92)J+XG=KyOLkj{<~Z)su}>$DhV0#D z=)3p3tRFF+$rZqP3yG0=n%9Isc1x)lSe$HTY)djTwpNm7NTvxD#t9G`d{t8QuB5PZf(K z-pt1rE}!U7`ax^`E5YAq;MX^dk>%i|zSW#j0M89sX!Ffmec1mt%jTQ!`ORfIldaV| z;FN0y+RuL&U2HXLOj>tGKZ~q{cJgC#2Kv;;h`lJ6+&@qLru4`*bgh*^;`G5wXQsA- zqx3Q6tH{&O@GfBIn`mKQ!z%C&!DEVNzZ0D5(YdrXCfrMqefD~1PUKUKpL6VU7-REZ z?IG_KcAk~@Doj14cU5!*$bA*Ca$luK>cJ&+w)WuVAfvN_nt!$tQ(t|SjqAZIQ`N{V>1VC}YzvH}XqjovtHRek9i~IVZyoG*$w%2!S}_P}NtO|7hnYQFdd>wWgwlLI0%pjBvu zF}#d+6>$}_=KTDf192~q=gGra!o!W>RnVw}wdGaxjpW^1-T}_sksc|Bj)&huJ`dv@ zQPu$M*ul)mLFTpUi|sR~#V0M$+Q(YB|Y@kBxLEP=0ZR^E{r_|4;Seiz-(wHeAkjgEK_+*E%7=kY88uGS8; zMil0(C&f*<=RC<@HIz1GQ2w8Jo|DdU(wR=mEr6UlcAit@V08UKV2xz1j-^{G@pGN= z42p-bY48=bfAI0`*BXC(`+peI{sPtuCpqnJQu? z^kX0M<0j%IHD@RuTY8($9D38!zmoWd)K+4Br1wZ3YQGAuy%c$m7-n9{X>GRro z4R#TG8SSI|H=TJ6?nKx2ftzfM2hdp_bKtbS93AmD=D{-bu=u@RlBLCpTX{LU{zXUM zcGnax<$2lm==$IC+_h7hoH|QhijL4ZSF%$Y8DD>Np4Yq>9ibd}vRCx{u=BiSTXe*4 z^jvleu?zjNTSNmN&o}a1@}?Cz<;shpf6JpZ`o9)yPQg32Q?J?xD;kM+W90 zkDjES7UogK@%VfOIWy%SvFB2)4HY0m#b;&c2A%Upr*HShUDQu}Pwbpg!Fp^fuoTy` z-kCFMkT)g#FaL&k_ZrbV#x5L#T_~EDZ;XzZ$ve@o{7^UJ6WjWj?1WyDoo70AYHs*1 z#y}C@w}G=eHyO0k#4ma8I(v?)f9jDO;ZQ?aeIuR!-ywT7-|yWYT}Ql9#|q8~UPa8v z!@$=1VRyM|lozBV!AK?VNH90Wm?K>uUstfo$8Y#i`MYFu?4oZ9I#x_>i$3#h%}?7X zw|k_m$64q9rjZ*B8WlUwij@D4{2sEU){L;r>Df4*$xcXuC$zR1;=OcL?R_QrVMfbm zM(PWnnB>!9O@O>Ze?&fIRbBq@)=%W~W1X7us`bNZ&pwuODSRh8v*d=Hv@-Z@4Eezl zv55+pr{_O9@T##<)=KhQ9+#}huIicog;h0wGT8%JPFdniE=qi9bZzi~=^bG+XEFXa za6u1h43*fj7MGsLLdi_TqvZTvWX zz#4df{Ce##5UX0yqx3i%_^a5->Da-4WR9%wlT&Nt%cr7v!2XfjQp{yOY}32vPl;rk z{kPr0{$HIR-GD8*XN}SD-^45Vpy#!eK_@>folE`D0K86mWI~V36Vk)h&+XW7#gJ4$ zo2q+5v-62b!)G!_v1!OcbbreS86l>2S^ez0EE~Cg_Lz<=cp=IA*!i-<(W#N|V&7o@ zMm>q`*tVAat9j0wdAx5R8@PA$u1*tO*b8ux{L`^*U~i?>hS;{t=2!dGrUGaX`Ybw9 znSx9w|&M zJd!ss@BC1zd8Fl=>^pgQ`sm1->7(%hgzF#99o;gUXFr`j8rp^H*YN+%p)rvy&ikM8 z|F?Pns`Gve|KGv;-Ol@0`Tx7TKj6II&Hwje_o}V~xuaKsvt>K_*b5M>p8OO3&x1Gg zYmFfk*CJ@Y(m{Z?z>n6dFz1uMwwcRX_{U^KAo}HDa^I4 zUZc*$r>dCu-CSAxzG*gjZ^`%cICWzGH|3sZ%rS}Y#74IA+_o+-8e6^9m&*6K655%> z^C{+2-~R{SDt2?F_pg^Qe~l);F?$lVhXNdcB^<;Lk#DlU0^LY>%J1@K&}@2bDe@bc z*UI>mPH`RZ|D>^s9BNrj{wKzA=9A={dCEAtjL!s(-JIf$~`)EP8%}1WvOIB zzjn#%7QPMhzAt#j!q27sn|N2uJ3aT%X5lsR2KMu?rXc%S__XXyZAhSPql}f4tBOMV zZohc><7;TI$|~+k@%}&Hn=(q8k->d9XM z_DXO#lRJD{=f-OtiHW(Zo<8uZD|r7!u4aC#Eu*<&b5n@V^YJl?*JrP_b*yUS)J(2f z=yGp&47d=v7x}?w=!o#g3g)eH^f>ViKF_AuTn{IzcWO8Fo_Wx&x8}6!Jw8|Nm#zG$ z-pEFew_SL9kcAU6jI;^px8=lqCDMPK#TjHjDRI;zA}Qz`OU(4z705Q$zuDK+FEWHV z^1R;Z#L{K7U)Z}}Z3DD@pil4GTu(~7^&VT}LFUIoa>12xJyb+24A)EK9?s`{(tWIb zYn?cOGfR7LW~tU`i#Vrr7T3aYtv5f(<(^sk7J1>U_3`=kIo&IW6Of+&wApXl2j24{ z7jPc@5@5dsjvp}3=uCBY|H_AFZGGH7c-!NOL3@b!y?lI&1>eEn$n%=-20Ao`W}@2^ zVFM{fQU7a?qI?hY;rD#nrsuy+W^GdXGi7V~q+4g3y7_1|uPNv2uW?km&)gia^Vuth zZn&=*SuLGnH*^ZHS9~nF{9fQ$BDtu>lH;<1-}1W-1@2yNAd+Y#*H)S)@jss0O4@Ye z`l^O7{sH}dy2pzTpX=<&@lifdUf!X-c8TQ$9g1^HgziCNXOg+z!_ONc#;}Ne7RBtd z&>q(l?X!^2wv5=rO3KV&+-NVKfiLjS$dE#>om)2m?73;8-^w|~N>o0KP4yUxW*Ag4&~`7)asLkpIHtk^_tIA(w&+F``zS%v$h}ZWSPY zAvkY(hvH+%aU2Pv*A!5`JA87%Cl;4etv!^0r`Efbi|`0CLhI170g@S0(qrUfN@D+m z{7wHZUlVywkNKLG#Q2(KGoLNO_tt>lq6QshEboGxgD@R_n2DXOcrnG6Rxmc|u~A+8 zZQQH=fAy0E8Mj+r9&lk9{8NM;GcMWIW40uj=pBlS?H4(fF7q+=&=hDOTebijO*BCN zJZzGiTHj|Pf1B}@^`ZR+ar4hwb>mO=8|w;;=2te}Yc$leer0{nUMI6X=aD*@|pY9?#@%&X#zQGw&DU!-%jpn?&2jI((Om94DS^>A8#n$@f$F zIg@7mgXh+Rmk+#>@pGc<9`kc1As=h-C$#zOHRDH}HRBn?RGiR{rG35fWA(DvjAff% z0X9!w&L(8D*;-pIS}K zy0&cO*mdhle1Fo(G#8cg+s>bq5%~tcwI-wIGx=@ls{EeLZ|y19^XvG%@)~2EazGwr zJ@BASll9`|&l1sF;bVQLcIVz>G$8-b?W8lxesX=x8Ig_~jE0|K6Fx(Ip)suYU_bd% zp$~M`+RjS;FP-_Ze`}AA{qjAO;CIx%5b0_1i>@4nZwj4AYvvx>r?u;vD$OURwbmoK zV(le6>o1QNu-2nJ%-Ywaz1*wVv#PbG)CO!^)=%oGr<8G8kM5^E0Lk!_=GZEDSaa+| zWcyf?xc)B@*AL%K=lAAIyY35PPj~nGUX!}p_gZA_dwrU=CNXA`ndbt`Z`v0&9r<26 zK>NaGcT8j~?IlLd-S?`suQzD#zr%Mmomj73#FI$=v_UK54M+aGe!TptqTem~^B4O( znY;Oa9e!r-@~(V)3-2UL#k)1HMMnT5W0h=Y>{>UbfjvNxM%K`(3+z5tUp-Y1eEvV( zzM9FJl-pMxerwK&-NSdnzUtFmUlkwgt5$rB-SyW{casu=&VU*BqM)$jetUtrcSzEqbp zz6RR$=-W}u)8*91n&iH~{VN_H%eX+F{g<49;Ug|T$&u?5oY>8^RzCd!$dK&F_Y-3FOuB2zqWL2FD#Y5Q#iQ7YZ_$4)pOTL&ay@HhAwdKQxnT$thm@VLma?zo}|a%)5SH*z@-f|Jbo>mQcR3 z;>M0j?3(0?b2}!2n_@U7a1P1SsYX+8q+2p$dMo=Wg}0yRM%R z*-RVJL5HhfW1nk&{vGQ;&7ausG>#t8__6@cUMpDHgCWt_Kh&lox0As)H#x*3}W;LZ8vv$9L%8_n=`d{5cytSNu91zLr0?v{%Q-3S#qRhXt_1 zB)hd1q5M~}#qhnM*JfJtvG1|y2x8T;{#oZ4btlV((^|_vB6&&NQ%v7Wp8B;$+Gh7} zBK=$1519cCV)2*k7|cF>w+;8x2FXM5s>?_H;n8a7CwUXASBhsB^|f`%wx4|D_r>Xz zt#8}k2zG^XSx`P6_G;!}7xn~T7yLfD-W^wM4@O5|`~O?k7K5)v*B4LgoXegcQa$-& zct^V7&4uJ!;d1wdZpLS`1)t6Kc_;SSXfKPqUsOJu70BGYozbaJQ0KprCy2pbCpjQ_ zF^TaVVz13nB;X&r-2F2xmVK4LJYtiBFGiTN(9zRDWBWu^fZzq}~>lt&&@W7kM z7uG5{FTx&6_4h_c)YFCr-j_2b+o(I2F=@}soqVdf<7V`-ydB6w%4mGJJSMtdv+WT~WC!bu;jN zN5f~XT(D?HS)WTYegA)mW{a8U(PdL}y#p(&@t;Y4#qtO1Fp<5)#W0tS=wR+vyNI!~ z&Q+M<=w4ra68`!%xjFb>^QGuFgYl;MG7lQ(_cWK4Cx@E!Tr`#LRsgTIc}E8y^ZJq% zi?|Knjy>Ni2P1jy)PKMD_x9ftioy9=bh!3z5Lo%YX9j2zyAX--(WR5?ao>pi>Wf`~2$3KM;L2AET4VKc?TVUh>%!jKyC> zM=W>B)U1fEznk%Y(zBlY&>4TnkaKM~t99MY|JKpwUFjeDzs_C1U0>8rbV$!V<`jFaE+;aHxm|gE>{xB--xBBdQ)jf=T*?~PH+s!T~pH(LNIr>MI ztbzB?2X7c6(*ta+XjVV_UWweu!9maf0MBZ9LIj z*yhx`$Ei1J)vMgBT3_Xio~Ial#J^4V+ItAgwT6O?QGTG;s1jrj_T~sfV+uLt#s&Am z?_IV(I%+ETo?6eYLeH*3&#pqxt~#ln-O3potI^Yn{r1?CZ*|;gd!Ir%`;FWf$X&?2 z6ZwwuJzKuxwuH_Y$X_Sm17$x`IsVr&_8Tb%Qt>|C6dTS=`0)8J*kinrvdmG|88g^z zBPyKzE9K7qm2&p4#OE)KJ;%GOoA^n0Jer&bF_8Aj@2mJp_j%#&=+sP}uVY^6zzexix)m)l;7SR3{c&r9~X|Zsz^VI9Sg%uujQTALmQK!Ma1+C*5 z3C`W;+>g#%zqhydl8Fvj$@kvvF?S7}Vw3+N^|Cu(9=uN*CM|1qm_`c`&rC)nF@pYfs&pbT4-tpI8Z1r_| zq>Ar{@tc?*{OLNwxa%2^TDw1hZ~Z7S76l2R!@{oxyaLc+tm$nxq3;apv2oMh5&OJC z;nfPQV`H|8Kj{X)!(H)9vhd3d3cuLzV{uXJhH$A@ta6I@yHCC9ht4+W zJNFxXFFa2Mr+{{0MIWfGqC>r9H!9xn_%?^)+Pr3e*Y>^QwZ~dK+ybB7j@UXm z_c16O%UGw=nYhsfCVRuY?4L?tKUj~3qg#wRwdtU@7ja2;j_$<7&=~Ezi5iJ(w=f0S8vk7ad>|R{uD568Z|q-IzN>|v%=XQcD}LWDr@UHEP%edXQTD`O1F^Q7!MZ~) z>zutkMkc@eS?BDnX}7v z0e!Uxbm?i)(>si zkjJH0dj&L5{7-HL2+PwAbFBnr_Lr zy%!h_;(hhGaQ{2F`$DB-a_Ns3=$9?8+jy)NzxKD!cRpzNwn^?=?|0ho#n0F0R8QW? z_iw__FTlTL^tE_6!2Km+t2WY3eKX{>&bD1Y$liCnq<`q})5mbrnQ1+saZkohCSxcu z@-F^#;aV*^Gya9^^T68jid~mSy7U<~onG~r%XS`&#*7W>;Mue4mo0W4I_unL`ozxT zZAMnmAJyPlW2Dmu85Yhp>*cwoG>Ap88y}M}2LW-nGheHmk+PYc;yj^Mh?#R@*p`Pd}G%34CABz070J8RStQ zc4@PfV@`3IMzy!msP=G~Tn6fQ^`*kojiok-QJFzPGV#zK6@?G8)S~)t73H60f*;wt9?ppQr9|C#gGj4*Y`0%&^<~Yh)vN z4!z`c!p~JeA1NnT3pSMc>)3qSO*;Z7fmKbctJ*VfeqrN+#i7O-v~kvAqjBE+V*W4U ze=q-g8f&13_^}3^%fLsZv64Z(W$2ip1pB#%=QGjG=27+x-l=TjmqTOrn0cc_tJt{0 zEgN!fvGg6r*Yk{V@#d$d%a_VAX!pMlJ~Y`=qnH7EebVWlV`HGR?2zYjZjo$Oy;h6^ z@>b{m+48!x+~?^hHWr*V4|JDH@}Rc|IYttg!<1*l&N1>NxW7rPbRlEojx#u46*}EX zp8W5Sr_K9gn=VC~D>(Q5YmAMN(C&^i*jqrkL!U+0UE`t82Xy7vXB=FsE;kOB&7XHk z+5G#tzQ=VR*FvrZT=TiAFHwEcL0i$6o9VMve5=09gP#P)3)~Lo!784~e&c-Yrt%!4 z$@f+Egn4|UeC#!=@r6eD`jKzBA9+fMAuCNX{EH34KeVEJbT~1&He}}RteR~!O(o99 z(>K)Q!DcIaMKSl}CzOoHr46*j);}eito3J0uhTj!y7AOz*1&|1;ME@)KT>|BV#*1{r)7ZPA`7)?9)i?kDq8 zsosO$grLTP{7pINM~d~;xR{PFZY}LeG=9ukwK)^UnwgbB{$H@%ZiD8Iggm>C_8B(5 z*U?9kFQp#;s5e>n)E>k|->hz0gb(Fw-oy!2-ptCEcvj;f?^dc}%`=12Q4aBa%{R3d zIWxIN{lH$X66%uvx`j9e$r?A8p=jNVZ-cq1X{>mHyUwb=l;5J+7rB?>Lj>R1t=RF( zFVT-@*RXf!F0N1MZx_C;AN7yCF8JbU;LT4n>s)xs%WT2J=dSlVJp(4J_w=tlM6L_v zfk}j3_zJEbZDuBs|6&3%#EM^4J>oC79yj))nz2*vvD?WwYuW%V)xcY|d1S2z+}4A~ zf71R$@I6r-A!HT$Uz07rk3VB5)`uXvbXfi0)o#wB-__shYw7WAUm>>6@Q?bqCu`Z- zk3~Q0d%-9Gm$poe9rc0iWvy|rR!u(`33flIoX*c%^gUvK=*J3AHt~wS%0%i}QeXDmsM47GV~D&N~W zQ+IZD_c=Vp@5(Xdp1+hq|7qWeXt09)Xlst~dj|ZTZSlLex|83ZKi`Hu!hwxYu=stC z*FQ@Bl=I-XdT7wrBYRZS&7r2l^e?vC@Ku||Q=(l4xnR&)u?1{<&i2b`uLb871p9Hm z5w^l`;W7*TxgJ{LgBrdOxkS96!#f$t;vLakeo*m=7vAZtFUywK&Tr@g~h7?s$pa4;P!KtFs>24K`lgmEDUET)eD(Z!2k^+U7GeCJ46%@GbXLbG|n@ zL22)`pF~Ie!Q#bE-@$b9dZ|Cehmsi$rhio8LhkU6kABfw%@$-u;`OXwK!Yu}+Wjz7 z{uumunqSoRSbl6K21;^4v~hhFmb|2n0><8&Ih}m;#3;KjH%ASNk7CP92Ua`c>v6|K zY}v#cp#eOah#W{V5^KYo3de-Oms}y0$@myKUyI}60<}wczJg~a&+xO)k=!U`pFu9a z*Rp>sH{Y1Uxp_hPmXWj6W7bV4=213skb0AwO>*@nSvg{~Mm>=-LyaWrHS5UtxNUL2 z&}i!1H@lxPS~H_kKmRTKNagx@oOF`d}|X5z5M_L#fBnl&4h4bGXn6#EX`*lz)D zjo?;&U+73trtb{=wDL2G2NLMVY9n{2Zy@n;@c9&YtFOf`U1gWbh-Wlz zrEeD?D}IJ-mJDlwhYljcB!^d_tEj)kCpJ$@U+wCb`xncLs`*Gbk$}15OUXVL z-#!YRc71!$6mt zC2+;q!AaGY-Pqh`-X(XkM=x4sG)#U+{n31BYp?1{+ceV$;>L2@yy8Lc4Jw=?SuS_ZXM*Gy?Wf3iovN3 zCH-^L%2y|h5#Gzed*$y2`jf17Wkl|!d_83ozumQb>#uVCu3z;Kww;wz%kiz+K0oJt z0{Xa3{AkfaaqPBDX;l00jr8K`$<>1^fh)#u;;Tkwt-e%r@O>Y<&*^LRn`FeP`mLu! z57~;M$2riWh_Ng5%O(a`ri{-0w$NZnDchl{u{{8f~ z#_b_XI(Xb)pxzp z{6BEs)x~_*z`OjEH2-qvU46{EX5JO{P4j=>dABj<-D^BU9{U$L@BVbO6VKOq=9@q7 z6`yDI{sz7;Fq-%K&NLd@GSd9wQTgk9y@?^^|0EOM?U&}y&0{^FclD)7D?RvmHaTZW z*nR$r1M6l7){Yoh+XZWZ4XdzhKp*ogCJ$99UBvSes*DZ4|79Hmp6q zPFMwfj)&C(Jq4?Pwx6tB_dBpgJFvbN18ad`d8%KjS+HjRq6wX_T9V>mUG21M+R0%p zc3=&1V9{^K_zJkodQQJ;Yi|Cql@ zywLVp)L$Bn`c1R>QsUE(?k!96x6iQqB6lF;zj_{9uI68obgrktWL{#w_tAJf4gh}! zcvL!g>_1}TF(?K$KM^rleO&Im(MI_$@UKhrS3)E8&*{SdqXU0}1OE*N{<*+X`?H;U zHNa!rzr7pyVcK5_KYSkezj5FXb>Khmz#r1sG4!-FBIpJ41@Y~VX#2fcI@bew`qQCy);osIB{Hefa{CuAFPZ#{7QU5jv z{(k^J`NB}(fybIAYdt*RH|lOqofzK!l9BeZnH+vFwNJRcv~T#u(mvr^%#@@DxO#i~ zhJR%C2|rYNRrsaSE5aZ2xFWoLpUU?QH}>cg{!#vw;qCupr2XDZ3BRAu|2?j<-oM2E z&&*Aj(x+#i@ZVE>X}`bJ820-?{$aoWx_{XDfA8;~o%j98L$L=Y;_trttd_^edP4i3 zxyeYI)2}vXX^$m2t!M4XY0Q5mr|;Q2a{Pl|$w|AX*A(-fK2s+5IU_AUVPIO?z@EcW z*{5!XQii=!dU5TJYv*j3>?v&8RGMF#Zxl6o?&&w>?YX`wI$!7Srazcsqy&o+a?=*} z))_fw(7ZQu%5Ll>&s7=2R?f|w@^*f&VXAja>5$szOV6w|e1p<<&FDAm!>jvFnPrS? zT4-F>6f%t9%cU2v*XHu3=F+@c!7_|ua&L}rT55QMS8`s?MIM85bj;wzUpiw->skJ^ z{UiDe%e&V<%!dze|D}C~^(}uWopT5G`ENGTF8x7B^~yeI@pV2l8Eg|Ca$M9 zF+C~%(3n0Mp)q~4Lu32{Lt`q=&hZzpHW93tJ$h(G<>+%OZXA7H#Z9Bnuef>i1r^^K z9jLfvG~=2&4C*kb!=Mg>It=PC#v~3j#>nDUtW@7-@PJNK6U`^Gm{Ec))s}&-)&{hexdUJ(9v& z+e4=c3?Y|J=bA!p5c$1KFzsg7Z?r>g5NEUP8%#7Xh-?kM!;S# z-eT!%2m0oAsNMeCYtjq$=J+qVeNp;M_P}233k4EQUtN;vuS+(w>n3~r;qhm9ru4e@ zh7D7`lr&}7wYP34GW;|zH9Y=5(xyzlH)qOt-hKPpZ*M5_&rk1dCe&TzNe@pM=$VpY z_U3o5@c2uTraa7deasC0PYX}JE^W#W`KGTqu&(HyoGGvH?OWH*+%Uvn7|^%+M&(FG z6u#Kw4Hp65qxYVK@HlWd^V;h-Tm=qA4*VkC3H~hq0uH@P2wx9uKi|#-?n27?sq5Ro zTur%I4!qsh&f0KRc2Pj(RaRyEz)JJ<2p0p-%ljUlp5e=ZclNd4+`yr8;bI3~G4BNL zN&kK67g6RZ;9bPGYk>DX$_n?N0B;TDo^;^7bL}@aoHMbQ_VuJ)UZ;IMXkV}JWx(s9 z_oACa;~&$$%N%%@@lNpG_1{nX(!&R=_VozA>o$_(rH%@ zr+vL>pXV4o#{=se$|XR9t7%_6Js0{H(!O5d`>pnQ!p!zl?x(!kx74BMLI>X4(0NGq zWwcLy=W*JXVD+C%&og7_c?<1}r>EfgDf2z6ectc_hn{Mm;EA5G@XnfeIqmCd^_$&) z30D7&gPsZC(<6qSb+m7sL(g%%>+HYu@K3GwC4`@F=;`*~6O@bXzrh2?JN%gt(|?`x zJd3uwH0_Q*#V>x!{LpHjC%oFBr*Id)h(BZD4aqK{eZ6R(%bz`HpZ8zJpJz@i?S?-Y za}GVvilOKC>A&viDSi_@HLhHGy6x*q&#=Rv8iN{tYF{Tkd&JPQJN~rCpG{BkoJ&u) z|GLt1LL7f;{B_dvtW)r(-GBCYm#lEdyW76_@qXsSiE;d?_I1+ppUQ^vtr$cpidWyx&GaE%A6Pp!V|5xxxGTu6EG-*`v1NLK%jZ{C7W)#f4DlW3p% zPV&X(QXk=3s9E}D-7&P;7tbBIN)4H{i=Hj&m?DuC0rS3r2KZueF&_8 zCoycDQH74i`HA5Odm%3NU3qMt>is$9sinXW9?2(|r*1v1d1{hF=g&V+34V9;)b$pv zPc%}TGFi?aP_E@%~LMC z_<2h7bmd%ExjLTq{bTc#3ol-eIvIbS$-LiHkLr}GC!42Sc=7X;%b%KuyVCPAhd)36 zJmtcZUZi>7ou^#>?0()K7ssEcKTo;v#Glej-FeF8Pr>UtPZh`U=jqQ=EZ9&r_ij%u~IYr!-fkaP{Hp8y;$= zhsm`Y4yP_ozj2Uf%1xIhO}Y8&X;Uia=1jSg|F7o%$^0MY|2*@YGZL@8aYOIY^J-H{ z&#z4`9a`H5ySs1cMYXBe`o7X&?P9a2>1lIZQzf?eOJ-qH!1RYdFpIe-g)i`2#=Upg zXO8E7JRSwutj3_;eL3%v6lBKH1HB46PGlRq=iDeC@ITu&R?MJlAAgNA zf@1CAukwGay*!2g|6TTRY>X-E-vO<~uAHUyRcp^luwjTdz@Fn}4MU0p6@!gHY>Y?8 z^k1<@#3bI=)6jc(D6r>%aq-@Fjf>k}HZFcJ75@>wg+_c$FVaUp!nd%!aAH{gq9uiW z!Vf0$9^ZoAH73fxgntU(g7qH%(u0ow$$F3fX~FGF($Bpy$KSrfxcG_NAFyorv$FAV zVZ%R&4gV0j(UXQZ{2a32(QEJ6@H6zSpIv+BhTrn+dB((Z((TZ_cJl5W^sV3eznA`f zbfbkvR`_+ksl$d}Xk>*ufMozn9!+dP`-}3!s)4s9c@@u|{ zjawMdxB5oq78*Un_Zht`S@b>T$omcC1aW&mLHjbp>%e!}wYP0}l(xGxUVx3T&Vly_-U;5$v`1+lv<2QQ@caYt zL|5Vd8{iF}cH4%X4!o~ibH|3WCyt|iS+py|XM`Y0u4~=du`j&VoO?qo?>y z^whX=>FKtwD?P&we`*YB{HcAN^t>&Gp55`MJ^pNZisxKY{2>n6tWr`p#^&woCDUSaX)Ia4PEMwMMj+V}KuK6E`3y3T_> zXEQE_G3GV)hcgx=MO;x=smPkkuKC7> z8HNdro?L>JVZj>$ZNAC(H#o4)g08pnZ6h*3aO6kb4(t!H@z+r9hm>=9$vh{T>UnCCBL_bJ zJSF(u%~J=Uhxn-bdFl%I=pUP>1h2b!>SN|KcbvrY?MV3cADyQJue*6lbXEJhpQk1` za^UmNQ-assJav$H?Zop`I8F|n{ygQvi=U@NPqnZ6d8#x{4xIix)!Bc?&r_nO+kai< zYKg<2pMRcm;l@&fW3zvV&AyrcxA6b-{J)+5zkls58|tvvmtwC! zgzY}Rba3qg*47uYw!Q?L{(MhS)774FO?w@DW$!?Zi?}L5;=%;;D_2+m4IurP3 zvx);XgN?eKgN+?;o?+};KGO*3%;S&P*X<+sobLLcP08zC;2epu{mB`F&!COG*hy)I ze;aX)6Dul4S0?r*?O|pu`Bj5uX70{{qti$GF7;0d>YkqzwC-k7a47$)O!*++6#e!U zCR@*Z`N_e+KK?fogTk{EJYBq9e3Kk}+wS#E*>kUd%HDgkr}VD!O-ZTpPf4!Io+8}C z#L~`U&&DU-tl+2Y(aC~FE)DGcW4Xbf&GH5gaRzk#ImH3D-D+c!nG-G{W`i@B!!3ru~?FrQd%X6J(@du0(j^iQ35KP8%y|&urTE9olmv z?YW6|5Eqpp`W=RTL!oa8S1B|OL*sL~S5j^$zu8ka<}SXAt>;F*uM{1wJn>#P_5c0s z<48$P?3v&(k`sIN;HLPq&izK>-8i2Q`dY~!(`v3mpoOS~U_7Y2gt&u6@w=0C}-#Lu${*3SJe|UVKh^`u&vEx$XRO8ki-=gKG(DFw5p+@}0 zeKGw}$#0F}8~J??b=(~{zE#JK*7&ybw{%P&$5<(5%(%HU?EMKE>>$(l(0%&vccoBCy zbtU`URwY$8y~TYu_g^jV%;Tke?=P~4PcrO3k!LmR&GebZ#Wn0RdxP@1-Yn}pB;{aJ zPPmrulRJ_{yB-EtA9*9&$lt}jd2n#g1(*BV*z96xw<+ zUhnC=KOJ7bT09G{m*ewUaDP``fB)|`uiwJ^SY9vYyRxCiI_-fI{l}`FAo+m92>s#lW9`J6&d_>Ic7NuB4yU*}PNbfU4I zc+P!o#N(@;*^I4mJim)GX#O}e)X)L%{*fyOoC>%&tFe+iFjEZ&r@`EZfZHFyhrEau zJ~cf%Mh2)Oo4g_yasLtdoOLFo~iM%{AQ?OjZJ&cY&QBufA*%QYtLgOmopm52HEGhC`YJ0 zE(clTa+AJEH|jjdNjq;=ZcyLM|6k_MUhE@fZ-Xy&#kBGP$N|Qx{p~mv3{q%LqFUEEhauhzQ(?GzQzd86FH-yo?HXl_zfS# zozdVUZ(B5YMuYFP&uEyy84WMeUqd;c0jKnir!W(|0?M}lKg)&B9PI->^L-@SfnNj+!Tt%b1$P(lCjz^i z=LLpuF}V(2@$HMQv)ef6;)TfdwX|FLTb1K>WxBCL{VrQGc3eIE7wpX~(>J(%Ur+gh zL!3cn&HK3*ucw~VnH$Z7zW$=({r*+pr@3)Hcgf~z>#n)+c)QEWZ|3ZS{dbIsaBFmZ z0&Q_~-(Oky|DOB4tUWq)l2fNEf5`>^lS1Tg5c&IoHziVp{N0ZHWs&BD@>hBElN|Yb zqTJ|vcShGYS^1(nZBc_fhXLqo>70)KS+?4!s|qVmRLq`kC%4(r57^f%z2{MK-Ox9& zHfHe?+5VNhldieY$w`{x^kHl{*}`tVvNB*=u&?se9j0#P^5JC{hYnxO*+aL%&l${X zHO?6%)%-8``rl_7qgJqo`ZoAvIP<@9Ma1S1)1Kq~l-2wAI^J{YsOKCLs}5w;ACPy- zwW{yl)^|LM|L(8x-y!>BzuT$rcozTN@15`39C&443LW02vX@(B*ApaT!Tl}I^zQl2 zcgMB;*G@gh@J8>Ch5wws<5@iXAIE>!$No+w0hjKNeqdx6K0CjI(c8JB4=MJ?81CGi{0}qO1Mj13fngk;so#_@;kO$n}B{y4+qDU0(3k!pXUYuTr^Zw#>8T$!6vG%(iXU!|z-Ad?W)J z$%g*K`rn9zXtQ+J>ecfusrDF+chT1$qc8UN8SCzVXLh1PU(PqP&hBa>yiFa-XR7m6 zhTLnzoC)5~=h-m-!h6o74rU^&WRtWYZ$w9(joD0pyuo|@Ur&FioM`(Red*?c_`UPJ z?9_7bD(8FA(>+_Wh4(m%|KH*NOlUnMC%em;l8bmJT0g~{H>CgZ@9i8P zb}sj}XYKPK%Pux7c(eF!^nvKQ$Dqfoo}q?sSa{euv)_ge*OTu*Z+~?79bYjUM$vb# zeH2}<+^cso4i53nF7!_6pN&hf^Zp(kuCf0XmwXrF^0O~2M zJ{X?^`g)*a#pFHFXTGhogp=XTHD_e|%lJmTc_ukVV4pRQ;{-=Zu&(5nM;=RPcZDXF5OqcZ=GkB7~i#n@Dl zq>4aCFYqs;+zR|FA@oT67gx9F3=eQs8#kcaHG*$i&7KTS#YtVqpqKCa8P#c*@!qx5o5B4SaOdm>^4FzDzVZm?F5s7xU9Ma(ZXQ1A zqBjvQ*^GZ?Fa7DuHBx0u^_%OR(&p_K4C6MZ|>6Ge7nRt$1XYY0r`=e?Oa;> z3}0TK>icq!%%jcIf!E3z-0xU?W#{cMknNvg^Z5oEsRn)G?&Uw3&q(r0-)Vky*ZnLg0jsxA0< zS5c;wOFrHl;fK6!Lmt&*lgIjae<1mYO(2`2t(S2)1Nb$RksoGDsFSYa&ar7d#CfLq z`}(tOTE9o`A?a1>_nMEQ-TG#K0KYy0KFh%GE&Llp_}=E9j7U%X%;Z#^Q_C8O{J?Ga zjNG}yEprszg}iga^Y~71O7=xZ{LPWAhjfPVSDhS9=(DbDJ>xv-AE` zvQ_<<~ZX~GV(S0We;+)fWGiCz5~dHtqN zx1f)I^X7g2|Di681?9+68}G61oiZ_2=XC33eSd`VJD*I(_?Tx)4CC<6$pJUr>$T1c zKnDz-4bI|w$setUDsP%>5b5MEK4{CaZ0M%3G!0zTpUsx;Ku(V z_)Tnin#~%y&JgNn`7oi4&dLlL@VERY^4qRLu8n|)SmQeE0S~>`w_}gB`NZXZ+x z4S%wJyS$}yI*xx%{!Q}!yU%XL)=_@i3f6yGITOn~kMpS29)1s_tv-IY^(BY6Y$AMC zt>h@M^Nyt-Cm&<;o_T|eee_n#*WlO&`}bPooW5e;2fwX4k!c^m2kOhOKPX+tnUnB0 z{FO2qukL)L+zqjIr}W~tC?kERj6CMjovYA`%h8MV?$5ll`rdiBf_F8}yFc(wbC_ru zt8>fW@)GYv`)X&*HzUK}3}Z9mZ)ql%d^360oAI|alY4y?WhMJs@V6Y`44`kr6SFpE zb59CzV_ELuP0*ImmsIOU$^ZsA9{-M{QwZiUK$>uT=8mGf5D7x%N}ZLELi z5#Illxo8>J?Ob2sDtBxf>7I4G*Z+$$vi(Ma+1F?0UToq+6i>qsI=|>>)nHHHcZ-mp z$fk1S?_$1leZrOeKA}&Tv+9odg!%o?@Cn}-;}c%u_=KhJcjptPudOq#SYNk%q$?;d zJ3@29`o-uR%yYJ$n$Eb_`CZA6UY_fbqJ}38Pfpgb76l>qMFUT3M@Jw_M^8hkJ^Q7K)j@!;M2Txe0 z)8}c~FZgNpQdai3D|d9RgXE6tFT;l*pQSAy?DGaf$oSYe9=D!1PEn8g&-H)4w8zL$ zyG~TsZ$3v|KX>YKW!fy$mWf4L>*tIB>FDhwNvTY)h@4EPOQWD)xSy=g&ZG0V z0*CwhgP-*EPvFY+kwdz`Y)JMSq?$L5ni*Yl_KDx9-+!+I6MoDfZl+s!1>L}F_^hu# z67B2X#&tUIavXRw9eDkL7Xlu>W2=2-++Eq3)(yNsg5STjhu`1Mbvp189C(*I@VvlV zgAzZ`fp<#`yd#u}rzgZCnVR1}f$MbOeLx+eXV8K7ew&f85_oyt!28=j0p1%9ygm-R z*MUcFbK^qbRdc<;<dSV#lmau z23{c7@86r}_pdEDJ$O$!@OC=zo&?@z7LxM1f%k)M;5A%C`-aiJFP`TdobpB$dXwR_$0x5U}^{pf~YeEY!7mwe&lE1#^I z+~?{gP%(Zk87bs0xvx1{>sSl0b<41G zXZTB28{FYJoH}vg(_!l?M^vxMU>{Kyz3XbOZgyqhenZIzJp&vcJz}Anx z0qwVJu;FhOd@kut(|K;s-Cw7j*U{duv8FPOGYxxLIjV)9@L0_mg~CPii+dIcezf7% z`zhp0A7a$4p^UH4#((|2-YIHB&9{vmzQmS?bI&sNeT-kLUUBk04L?qYV`n7Q^Igcy z-C1!U>fg$hPrlS5F6j@o&`bXPMf;-uy zNM z9x4BAGkz1{9j|MZGq;w=ZsP9aemm|7O4j_WxVkoCHOq?3x_MlyS+m*nH`Yyf zR<7@6dg|tJ$>;eCo>y}giSS#*CH>3HXDIbe?loyv802GZ_m{%y-7e>aOGCf56io2c6$Wi#^DI9;`L? zWNh?82KX9|7Mpd_D~(pgd)oU4>~(w2=ESy_?_WMM#r_89)8ZA!k57%c`3|f!_`05c z)!4E9tH+NowMXxFAA66#iSeZ~HPm*s^*bJ|-Isvhc<{WOv3pqqcw1xFm4&*WQr=l@ z?bUFg*f@N2i&0JbU;m$9Y}1?(3_Lzl^Tssu+B(f0Z@hOwKg}OEoIUIY%^~-P*FC6tB<1|xf7V4=z;`zsZYa^yX7PI!%L~mC*Haea_bt`>Cm&|} z|Kb?qlvsM89r>rwqkQk0epsIG2`P` zITr~3x$sEh9dUfM8#kMCk_st9Ts~uT>R!$YDstr19?Fp`r`7;p@%>+{voY*_Y&!q$ zci^MA!9;jtF!r@%Tl_aK^UaBy&h^xJX-wf3;6hT zw$6O&(wRMN@SxT{gBABKeUCaSi`YNVhckQ%jXIs3Q_VR$jl`TSA?D2RwJmrd9;hzbL-5X*(pi26NvX^yR{-}ArLR~MLF%RbM$D$DS@7OyaKw!e*fQm zuWuixOziVVd2WE0Xky@B)qMtj3h5^Wh7;$<^Adh{rw2-Zk*;APw=}O}d#!sEx=W4| zr*vGr-`&7&p`G>MhwgP)KE$2)zqKAIef(D5>sfpZ+)d7R<<57QcUJiucrLx+kx2$~ zkiBo&^?xZo=1ANgu4r-6j+ykyt+Z_z_d98q;*1olP{gxR_JC9nJ72!00?pyJ= z+Mza%MXnCkoPZowT!!Y5HDAuUDg^JXmc5cuJ-JM>nLQcF$Ybdh?;(>FAFRC?OPswJ zA??Fp@5Kz{Y#zVey%=MO;c)k2=sY$bvN_3-&Fs~-_F@p{zHZeJ*)HjkMD%roebt+x zm+)?29VQlU;p@&D!dLp)zY@2#^!ut}kA>S?jE6ktu5$Qb*P4X7)y{L@mt8%Vcwy$Q zgXj$3xSu@;#0n)2VoqYt(>dUxUErce9%nqWo@O>iA7uzI-o57c0^?_pT*Oc1y zpAY@d>}T76f88zq&JEJnb#8p)k?9&k&s(u|-V)~<`P=#C0QOF>V(!wR#K}~$R{kD1 z*=N>G*O_xpoQz?`$*7Msf2zz-`iQ;swM*DD{Q$Y=Ig@YS70%gtxhaY59`L+9C)9L1 z{gRYuq$#E;d2Z-oANDP6*~j^Q6I$7C@cymv8hsT`9CYz&=6PbABKV#%^eyL7WSpx# zJ}JIQtGV6>Ziss${FT3<_2v)Q>#%0to0llgd|b$T^XhrcmwaPf>&*+t?YjA?flo}D z74qCXj{j%z|AK*QCO!4Q*v3Y5ff?9PV~ICvr7c%nl0E4I>iy7rZsbMwY7i?_*G`Pl zk2r(i0sQ1@*E9KBAOFDY6M1l6Zin7Wmk3}F?d7`(#ITi9wuIQVnb>3Nbl&O^bTr=W zM&5k?zUcDXiN&+^7h_vug0X`&w>e(y{ly3GUD{5$_b6}Bu6(Xa+UDvr8aE3c>C|b8 z2Iftg#kFu?{-h_l<_}ywX$|d~NxP)u$TpnLne1xUMDS~;UeT=5>|Ogb*J4l7Hnr(y z#+72e8cpBg?PlU)a_L1LK=)C*W?@fWpA$N~a+Y_8+VB?qd)Mmda`$=bmL7E)gL-}| z&nw{Z-S|5S0>m&OH+KPZHQ&BXIgL}eh4Lwf0y+ zrdW0$KHRJ!7kBczVr$3oY{5nLv$x=@=d-FOkCpxI$np5K@e)6KQ;5OwZp*aRqF3Y3 zdBTae@iT6QjI!;!)#$?uk!#X(lbrDsFJFDx)lFYP?#NH%+OgJ|hVXO)G}-3yZL4x* zkmQfz>X>LUZiJuDOF@rjj4wu?7B7pBB_~%qdnUxACz6wjlXKJe%kE7p(u8 z1NPUj27D+w(zeNupKE-~7hYsrnUPDJg*W1bHVN7C56H%pt?7%jt?GL^$0bl2#wm^&BXE;0s-QLcxo_q=Y_GR$=GIQoN_zbhT zuax{|Y|BUBlaIj6YTw1UQ@=)sqI)bb8(S9`jd!9KLQ06mD>Z~ zamGdMR^&3W$vV?C*^$eu=+o86s8-7Drf=rbr#ka>R&FQXKjG|wnP}4)U9}Y2l|aMs z%psR!``G>n&n#rzFzTT$`8yQP{0_VmmM#dN#g9Gd5JpIT7O&-772TgYj((Z#n~;g3 zA7`_p*P4y!p^YP<^_$RdH*-Thc{g&+^!7#g9m}oX{n`Wk7F}PU-TxnXXC7Wvb?^Os z&Ixcb00%NM)Pw+<9I#po4s9rh1TBMg037PIB?PMp;D9quIZ04Mg7!vHD)wFi*n7#b zxqVx~Hob#^phanI5r?+6*O1r}2#P2}qF~<7cdxyZoe-$j`@YZnJntX-+2^da_8Ncd zw|?^~#;^n`Kuh2^QvxHVQk^Q`$UNbi{g?TaJ_&id~A{@{N*>r|(8VvX9FgRGJ} zkKv!!y-vEf)vQxmdoB08zG2VLzt$FHC(5Zsx@Jh^h{4#$>DcZ_$kmn3JLYFQ0e zF?X5w`Ika7&s!L8;K>i~eced2PyV#qw$qAX&z+JAZDP|R;B)O~$yI}641N`kSK1{B zmi(J1?Oy1wX>roZhq2d?3m0=1%ZGQucxztfFl(vK_PsVv!>5(`s~Fg`Pvagm?f(bu z1CuEm2AI5Z=6Kvg(K&x$?D2Oz@Yp`u(OS;}|FvV6EBq&)vBjbVPJ#cVyO+dqja{)37%9gW-U#j(-Wu&(#58Kg3(nW*& znAhI)ScXH7{a_7p0b4fKHP-6PWllwp6*;nr!OVl9qtXo>6)-Z1!Us=5M^VP5qxPSI zj=GEazpI;$O7EYJ!oICPI!fQ3Ku6K;{}DQhdjBpuitoI1)K<=-BhXQ`&;q;3)4jjn zsOVaKS06g+9fyv3MRXM9eoXoQIXWt>n~r*xdf%gdmyUYnv(QoC+3$gGZP*i>@%=N@ zGYnfyjSD~PIY*k&pEFjCv3p-$ZuX_*`+{F!&i+>Tdj8tpu)Eu-cNnni?osY}viE2? zaOv*RWMI?YbCmz0d#;^2kQMGIVb4uq&js0Yi<~_d=B)cI_E?gsXTh%s_BJ_d>B=QP zF2%0{d+VP=heREkLwoaA%*E;it3mc?ckJO@6759;wVI_B{+QoiCoJ&%9sVeUN6baakiSe{oP zePepvu_mkY;~PeBc8=r>9R>X{y6!l1vFMNf=#H^(r`h~;i|CH=(K*_;qC4JTUS~je zRPyGo^iUN~7P91NJRcYMYgX`oA5S*_BgmN}yyKAz&P2{UAK7v~vgJD9DQyAwl~O(( z8EzeGa6WWk&R_1?6+U>+uFQb{;EV~#nK^^A4^H3JOgYJ!FaJHUOorb7SPuB^W#ZzD zLC)O4IVU;nhBr)qZ92xGqrbs=K%YT3T+5jMfw5nMZ`Ze(3&~EeLQi0Hk*Zs^-YwW8 zf0J)I7Wx`?VXHOcjOle9ta&GE9vqzfZ0_N?)wz>bteJrfylvq$`9e&Jheo=9eoPG{ zx0i4Z?4_?gvgs7+OpcvHohqNBJ!V~>y*8|`2In(Qczl$_TRw&t8 z?qL73vnE%q5q+E%@zu;aoL?QE6IWO4!1;N=d6z%AeJ1c%34LqyFPe|!*fQ3*@-_LD zCnr|EW;Jk+Xv$l_VefM3v70F;7;tg$TFTz$Pv5cGpI-fK;GooR;Je7yFUcPuH8z*@ zjsE27+t4wk`jU6-vf*3)Yo_gMsPl2^IpoCtkw1fIV^_}9*QPF)F;8ZE(nGnpZ{woe z^QUg{EzLpSw1M%t`lec7P_(?OYns;Gf1L%Xv59@)zi;`;lrPDi4oPlg4En}}{o>P; z>PGYZJn&h`o5-Azxy|5QnTnoCdpsVTxX2$*{En3Nm!Wf4@OvseM~Or8+GpR8c$??e z**6QlQPo36Z{+d@UVA?As^THMY4PZ<_`^U^d8Fm@J`)^~1^z1vjGx)n1v&;Yo*S_fiC=|#_r1YT~PcrtDyuwZ&BFlTwLV4UJU7lszpU-6_=qCcNkad7C%)drxAM(5_{Q(QVDUv(=aPK?1vg$|b-vAazS=vjZ0_S!8v-$Ttg~3WOfy zt>1+=Ne^#gT6z6+yt<4+=$jyCv&OzrJ`rC*#=^Invncyqbe8m$)+14DS`yLyCh)}b z1nWhk6qbKKudw`4o=13A@>KIw@vPvf4&S;w1f+?d9=%jh$!3Q)#wcQ8xPA<;WWbfG1jiVAAr%myI<%+og8@ zGdY+0e81ZHp0e*cWv5fNZ#n(XC;foK-}dJ>e+WKS`i7&xuIR)cl^GdI<^pV>*neYJ znYOkfn~R%h`jtzaA45|tr{9~vL((->;;*(HpM*rxEMRLqWeTB>H2<1=t&1CvPGyVZ zh?#`%Mj5u+i4p zuKW!A9hD9~sHse_I@vQRO*v_|6td3Qnlr}oDsz&Pg>Cm7YnkxyWe*u&asB=lzcs!e zV23UrE@(JtiA->ve6P}N9}LM?Vw8(0=A2?2$({tikG;DOgcdz`Af)(pGw8qkyUcg8 zotpY)BXpjrOLU2ecd5EoQxvA5j1R=jf{lu+TVOFotQ&eT;1o;-w3wQN8j^h@6Q z{dN5FKBmvL$j@fLgEj|7+BjNtT`*quWr}~5V)rGA52Et3EVG{W8j`kReWZ@L+o`$B zSytRp2~2;L`U-(--^)p%{NM+nmuahzxsLG`oNct&0XO!4U^ zHiB%k^o{-(g4-#79x@UeR_;|@@N~aYtV71&wsi-6>M97pGsM>&ohzG?M0kZH?34U8 z>RXUleL-Z}Hm*Tmm;>Gs?U3on`YZ0~*~{C&Ly})zOIz|OqaDtli=oA5Q@3dFnb6lCXUFG2mi_O}k zmzk%`|3~8dy@LOj1@1qMxyWMg+IBV4omzM44t&<3o! zdVr|p@&!I%-4jox!m5$X)96yH*gJlIyX2hUlzHnIv+CV{FFv>_;5`1%U>wp{XilWd z_&IIXF?TxG4iAT}Lw+Dx0P>HpaAa||)zB7*59bm$O)}c~tix>T-of{a;c1qX&F`2E z{@E8uj1kvtQ!#5mJYu_!65fg>hD^Fad-wN>xk!K5W3m0nT}0m$65IC<;OkD-OYKPy zw1xU*bGZN;%JsCffqt(m@3Fbmn(ckd#6~RntJSa%xsCMtcLH;z{I^C&=iI`$8s)zf zj-Y2!yd7(@aME{3*BSR5^Zo*~N^N;GuNJzX7W$wTI-wSNp%%KK7W$zUI-(YOq87TM z7W$$VI-?eP;||WSsK0TF>eKg?+2AezwEFUajZ-$Bt~x97)=}Sj>aDzpGq3ztd1d7< z=9QPfl(%t~)rl@)%6fc1qvhN3YSW@q3ae(-7jI>}-))?tb~e(lb+ofybj=*4t;qW_ z{muf`&tjad^9-D6FU4JH;Os2&MK8;)ME=a8lZu&(1ueiZe4x&ut}d&tYpB(E`Tf8H z=TX}z_9tiD!u_cy==4TWpZt=KWJVh9B<@W!zPlqy!@lA?;@X@in}CnVyUoco@) z^6=1e6^o^-Vj%lDg_y&s$a>O{`J{8+WN?O!s5>4QAYDfIedbW-*F(IwJlz$FQICFu zCmMv8(d#V6?q*&m`%3mO#Heg=(=K2Qg@3o-+LQKe(zM^V$4uIo3~Syp(%#ZqQQw2q zzxtkK9g-a^=XZJrF@vBJpXPTn{=V8j!9m!ZJ28uM{vr7E=(5NK8R!5%;d|o3GY6xg zg)?GTaW;y^i6rn{V05+8m47+uienK`eS><^XOrHX$o|4!r804JwG{|-AY z(3EebZ^HG3P8mP#?_Q`g0DEN0bmtEPhc5K*Y~kBhC;#*T)~aKzk-7-`NqPFFh5A+z z7r=skmR&~RwbWj8t>9!DbGq={p8Y)Te6ydwPP+UNpT`G$KHn0(l!LvL5{|gtlCFcT%Y3=LbR;QKk@>JcGC5iI3+!QuJrKIiDhw z%_2?zi~ZJl#E z|Imi?4WF6KZ``V(ybo$^u2zek$+k6jz(&xNiL-_y+6{FS`tJG(Z^uc9FA z%qM(a+%z+ve=wAmg`8aPc{Vck<5E@u#l<?lg3{l-s~L{v&XCEp@1#7RpGMGalQm zjrm45x&z!L-RM@{(z^)8Qyo~BKfLrWF}@YvnT0I%^Xfb^9G$1?kPK=j`WM-KKrbG= z+LvMLJnb=$)m~Su(=@y9<=MU(@7OgSTW{oyu@$&bS`p>EV?Win_rN>WF>cYh8aH}J zd)&sx$&6b%`7w+;%(yo?;||*6Ha3BNN7oxfzI8HNm-)W<_MkKFA5({|D}`PYEiGMd zr7viY+uM&8`s3OtYX05dUvv6WU2gQwpT{;){gBO#1x>fowm0|Jgpp}KLO*0j^{iu` zxCk0DiTEtDd=siPCsoI*UMZ(PvT1W|5GOJpi=95a=h*$o&P#Udvf(<}T&(r<;l?3J z*bPapp0wk~hOanS?erm@I}UPv=T{MbVrPyor|P{x;*Ov%scJDcUO{+{Lzn&od*>SV z5IUI~u4eyVRfoMuLa7g%yq{KG!x)FN*KB-X!E+j$*Phs?LEARL_-IGqIef?=b*^iF z2bQ6ugEp^3p1&PjPzEnt$T=mN;?+NZ!=THH;ccKb8;aqz{H%#&Ii-H`|v0}jCcq2V}WEe(2I(DBR}$H)~t-Z zD?I-8-PpTuwpH@q?jQTw{R5`Odx`H7F9?meNj7}NaTj(-7qNb9i6f3 zD&}`^UfXo(B@b|}Q~o*ko8>eA#y82aX?zm_cZw!Hbm=!)7sux(U~Fux94EF!vsLr< zeds515|{1=o-*$nxU`mWWsXZ+I!1iPC#jd&x{ry8OS6=IcH&aeQjt$mLrRzY$Hv7U zoBxrIO?fXKpVparnQ-~7%meE>$=8`0(wg4n{9o6RdYS$&a{e#qF!|T>U$|OwW6QU8 zq$|@N)}oO z4~O4hnEuM{3dWAe&M$9|A%%Sv53Ui3}8-TsMk z(WduJSuYRsDSE-ab*hh<#a5>k9Z+vY<9Gr*ejXnWenD1rioHI-j(1HoW{b0J9y)5( z>CWBW-y2)_!jqJr(Wm^Mo$}uKb^R4p{}`U_2jOMeyJOqTnB?nv9qXg^hn$7ZzPzBmY-Hnm;rbN@=LE#^x<*(#b-UJU?{%gM9VXsp$>$8A$Dq_8&Dp}%FkN)a`=86^^Y^_)7Pd=>x0b4_SqUE9RRRe!CXlK&pd3q*1+v3 z#vz{F-8b4}S_8q5_WtM9y9mzv)-@Ga$pTig*wn!$l7W+DjeN8*|zV_}r=|0tO z!AAQBX3tgpx~K2&e#i7(I({Q>=z(>ePnizQ<)t-6OG-Xdav1ngMMQ^o6U4f(1R%)4yQkv-d9?{bK!_kVOBWf&NziwB{$9 z|7v&s8++zIZoZlSmCV0QlK?+1O|k&Fs${9|m~DEbNwN=P>vQC)5zr(fyLl3=waqVp zyVI`tW}Vi&)(@>Mz5^aYb?LuNk9+?^!^le)WF`ee4VSEzmcveOns+*Kg6-Uw7dD|FnJSO!hz` zw0$VzOPM&bV$NQ#^>FN{ptW`3g?wMV^U&G{EtEtRQzkt{+M29 z_Q$q2InRid+1IvV9ebq6*(b@!v|K*EZ@H8Cyo#5X-eM!Pjc9n&zaIMjpXpN}`=E8b zr%y#j7Fgh>A%oqv!1Qws{cL6rpUmg7l5_F}_>aB7eM?})8nrEcWG{Pg3*%@dP4H>! zPq2j+PoQtsCHr=+Ur0XRi63ywtRp65EqRhv&qQYtLG~k_pw~Cl-Tybqu{^#Zma)wf z?BdKbcOVX^`{=7yr{Wc8ep=ymgj;rFf3JGf51SvM?Pk(s8x*FVkG?8>--UIo!NF#D zE9$cOx^>hWfo{_IG$Sk0ISslgAG#?g%YugTK|@8SM4+2yKsQZ;Zpw#l%7Sjnfo>WD z-INX86oGEaf^G^n!rxi5>wWY1p0hBUvv3S_lXV&OchgNhF|Fc;MLMs8=aF0|iY{ow zDrX&8vuCb1Yj&oyX5F%%rXGL$j`<D9kxb1VV`H($mz1deq?deOU$^AlDBan{x0w_7QSkN%R*?V`0?6?yZJ(aekco$~t2txN<=69PbXsjLoif*fNEAxqNOZ;Omz69Nt z_>v%fE_lFHz>noV+dCZIU-euDiv+ z+@s8`*{{9%-i_2HdZ3(VA&-0oRkzMv;TO?2x;MPX|NcL*`IH@@A04P{8(dn($SIff z>Ju_Xr%z+A?dj9DrKV3Mo<4c)NCg94dMk(?(c2$y*}k-&Bv|a4*qVlimtNW1uh4@juU4FEx-1we+UVb#yk-JyHkIv#8v~?d29X#2WYV)HD zz$>eCmfPnt|STv9-{gd(q!v=W?)(cPan(L4%@8 zS!|&t98GuB2aApy%|QxdFomq3_+a+rbT0w9|a7Yw}a1N#=!Z$mUVNu7$0@KT>BQ z@;y7QKIfz@k9F(?t_0tU=5Xms**RV-S_Jw;xMB@BqQ%J%juG84((n-A4E_G_6L1u| zh#z#vw2)oBxi54U_0*E5dRnMQ?QDP!3fl1m4bE}fZl<0n^YkRNgUXjtzSV6P9M!@; z7fuK>rm?T5^wQn`44l8=d^5l0n#+fr`Sql2t1$CB!LjCQjr3gZy8P?5-lO0=eeyz;x0JNMAvECFu{7{!m`qV&;vr>JGx6n zbaf&0Tz~hU%!AH}vPQBO`9;1>?*Rw$f09jZ2DTl^v7b?dsEjNg>jwb|CW3#LRPr`tR`{NB=L_L|1I9e%#Vv9CqmB~FQT$`JgCD4OdYOUMe{$+@ z`A4t(Pjv*Lt)WlZ?3_04he;>ve`ZfR+a7lMe_Buf->o!lKkzsDANWe7bD`7! zLiK-iPrc)+OdU7=t^Q9wdH?@}%)j6HAJNm!wrZ#U8J_;HG;LqfPyZ9(`?x!0lI%40 z2C`%Gk#}*o(k|(>Tk*fY(MqiTGS3U>Tffiyz13?+zT*qDf55wow4eAw2_`MB{e99d z4Or*Z`-UV8=6&(u2Oe{Mc5g)I`zX&@JRhJNS3HbuihqJ${8gTl#XkuRw+^-t1LXi^ z6x(GjXLuv${`cwQnby$iM|p1Mxfp%<2b`HZc@!@r=KX;^zM<_J z*9-79kC5MP{~l_Od5C{Vg67~7))t$Cgv35;ycoIvBRpT`Ilvmr_Td@UShf#Z=aa3m z?(*Ks8Ve5GHP)D`8S_o_cLMA22+vJCvsmX}v&KK+k$uKW;@lj7#@p{piY;;0SvW~> zJqy2jFI-E89Kcpn@pEpnlB&<-c?TF?$y>1d0&snR_gd2S+yCR*U-b>O;ag+o9<_ud z-m^V$y##oEgy+jV2e2_NcgDQ(bB?*xf$N*-+r(buP291=Gv39{c-yfFsqQo0eM5SW z_y3oD%mwH6KDJ?+eR@imCjWE6H2e1vo-gzKkHIwk{d-{g=+G~9xc31Cf$xpjdF}&e zOFxnbObQmyMJ}` z?+0)4Zsrc}ENsxM{rByX{sVjM>hJMHdG^p2wC}vb#4w#pY|=?QsXT*xgLXXsP^4ou z&z?Bz;G2Gb)lq*!)e(PM>`r_r<>#on@ROaVI-2=@fZwV()xE-mDX?Oj9FEFa{N^E=+ye#$lnt+ z_^H$vY~RE8yN`Cw+d-dx1Wdielgv}w-9M}S4*$^VW~YCDvHO?WKF}JFpfuT7XdaaQ zFGmNRXOUjW8~FsWb`oO)nTM^&;hT`vYmT<@`$c~D#i18zzCy&qbK-?zb5gSv`AidX zo88EM+`g7^$4xnXb!8bx2NiS(PoB&-$(8*XzYSmPXSa2&P9q-DJBnuxZf<%b#kQp> zN2V7?Jaf@^=l;&ncT0h>O7S;i4Zmu9bfw$KG%^+95GvocyIKfOLpfJx@`e+STyi6V zCw6+{1>FJP)Rr8%pbp>V7r4_t=V0dfjliO00B*dN9B5P9w;dVT{$$x=X2xc4fB8zD zXvyMZH+Gi3hMcUX9(mo3{=wCfm+6kk+M3K`K45ezcsPsk?c-a?`V?lk%(x`K(>+TAZtYrqB{J*1 zerv}Iz*}1&HzryHIc6-K?_$I`*-!Z__N-#!EryS9{qc2=h@@(D(iOm5IiVLoXGDz7_natlrU!*4yt!{K@oxYRFnTjq&NX zOXD~ER(^Ut{Dy0%bT@G08~JJIhve(`Ch63e^A*&cIT%~eb5^V=$tIR@lKk|ngJGZ5 znXtUz7vZwZU*t~X4tmx@{797Yu0CJ;Nb3=2S(cBdce~hLVW0nf+7q83-c9gUDu17H zi`Z1rDX&AvOV)B9WeU?Q+ZV8u--`ciao5Q0TaA3SaI5dwjieW+nfPMzi>$Q2b$oW= zm-^a_Rs3hlWs-+y!`H}vRD0(J>gZeUUzrQRkM8Qa*zSk%N&K!;R_`8L9xqSjonzfq zi;W;U6O9$v*0{n|AKCn9Cv+D7d)vuX{Gz9San4=BQ~T+kz8i=<<8Sq$nfX=Q!cF5e z4s4qWnJ@TT`<`|0d@22Ol>t9Ig8k3!@Z6gy7v(>93t%gUeYf)2U#Ic@E^}1GT4$KUHJLuE51dEHg76pEV`MQKeq!b(AOFZ_ zh$F4F>v$C(1z@e|-%OtP;B9Fp?;v@pm$-Pax)uHJIYUTYt-*stQ}8(C+~(Tj|u5jn)dx)aCo z68&N>df5U#NB@eQzRTW!Gi9VhZyvOE)X))w12MZaW#_67!UirUEhe`gQ#+cI3``TwF=b`ig zcT=Y&T`+hBd0s4QWm#V4L<>97<=7-v@RajJ^L!S*p`0Z%!Cmnw+^I;}V3sde@Gc$b zMeWFHSg$DXUPPUm+ z@<*lVn{V(B$QzbBG$Qjp4*9d- zuU`Fo&?(Cqc-rh3nLX(v#=2}}x=O9OWa;A=tHJedp0RB^bFY0aaz>`acC>Y^zO7rn znGZ}%tD_ILF2A+Z^sgMee_gJ#zdUKrOfciSgYg+0+WY(d;X%dy?it z>HjF-K=88uk6?}^dp-m{)E-!PmzfXksq4-(V?UQZ_2_9%jIlEIb^{N>NAe3+EK!v& zq#utV%hy`wQpX2c`vMa)p<{jm`ktPc2@%#Y9bLBkDHY%R4ZeNDoG0PkHvFc-e>q&?PlNf_O~}W8Vi5= zwF%bJLU03d?UpWp52Di(Zg=|Y8{4i@s+u*MY?+_Wh@J-!o$& zV8-p^iF0cD*x0L&sq`_$)}7o;AKi888|R`wJrTHSQ>wF%uHbiVKK5Izi(;zIKo?Z8 zz`(BJUyPe%_Ht{X2cGd|5w0pXedioBulgrtY zZd{*eUNLjK(K+W!(k$W@_;R0Q&4>wL@AD~rZzwa**b=ies%dA`+NKf-#+ zx1bi?+~9Lpo3*7?x%^y(4+@qZy z3)-+rte0**kmApz#eR9n=r=`^Ord|e*FZE0@f$Za^8H$DzXa3glBe_GiGfz9&WNTf z%p7~^kz9SxH%E?gKlEIKAB0n;<7Y2DQpKF!I790)nr{-x+i>}b=SwPiwbb{3-G|he z{tK@p^L~Ur^yLAxem8^L1ivb`5S-WO=oCf&cxmgyLW63-gs8hVU%x0@WbD#N7_@ng6v(tAQnoE4KdoPLR!ulb!Ecas-UlM63{bvhW zE_j||T{O`jr4@qXHWC*^z7q5adp8q@%JrRSpfBD!gBQE;cT7D${fzbet6k5DG0ogQ z9zve!+8YWl?IrHBiP4x6JN|umTlyYh?`utabg?Fubt-&Sp>xg;295#+25%KHU(?yw zg0Tu`Ed_&x{~YPuY1dEu3hH(7LGSos|BgL^54!|E=T(69kF#xq49%fCXH86Uo%bE| z_rGrfA0?T%bRVN5p7H(2FJx;{&3U4I7xbauC62|ye6we^g6pUAsBhOgeRJbgbj;7E zZSnsvZq!;Ae?}d+8xyO9yUG<4D<{$Dz!ei~CT-Lb6T#JiFZ&xh@W+u4W(~GBJq3K| zT$>umXpbUCn--8=>4?~Ei^xyn9uNL+Bo2zsy(}Kt)qaDvq+eg-_tne{;0xi2=dyN| z)i9rVnN3|2D1Wk;E|vKvrppT6is_>7bmyID7wxNG!PjNcuI{@tX~eT3EsBolN&kSF zv*^RRU%eOl-fyt{j1G~1s2Uc+ZVxRPVq`5x3hp`=XeRhS{d`?->VyVs0KF}qy-EJjs9QZ}F z(3jW)@yL{Ou<@J$ojKL#v-Pv$wT96DeS8!Dz5DUG4ti`IQ(_U~ZX?6(bAL(DmfN=T zjqEKI+fg=`OG*}}~P z*zyPZeT06ya{F!cJJ@}XL0bDXbo#ceGaDKOJM_Yn#NmG#p3{xPU&3$M)}1O2{}b5P z2_6l;)j5VABQ#f*AN$|Y4!s5M6gSbF>l;S(q-_fuymmT!&*h!G_Lj@RzouRzOE0$~ zowI=#3Lzwl8G)7n8r(zL4lZU|&04`ncpk zp9H=ZD`(G3{-b^jrw{T2tLyHAiGPuezD9Q)|dY756t*G5=+^U z0byTm+rMrD_H*dRUHS5d%&lr}8iK4_He%_q5%g;XbV(C1qjJBXO!J1p5IPo;~l;0 zv-4<6dApS7^skwFt4tp!zsxx2--*X=K6zSg9=dXDmrvvr^|&h%KSCw-mfg_!a!7xerIkpFP~{n`0k6&$$siM+1(x0{?S$1SBuzJzeYAgp7GR@ zw~j|^SmWuRXejLw^`qL`Kes&js_V$@p1$|VJ3!uc_TvHOIyi#Z@Zhx~=3e+rdgyrU zNMiJwNIqb=Y&cv8?;rBDgjP`PgzPwzX_F6x+H{v^zBMkEvI9 zHs(*PCZ*)P0jvf4wgQJ@*J(&;2dOZmQq0Ghe;NUgY~iV{dlHPQ8n; zInelJge?Lwhc0i_0ABGi@L9yqNj^ zd*@>x_^a1^aMpbhSa9cKKlOIc2j}nSo)5m+$K%dNOT055oPnB;BK>DR1b22@l$EY! zuP>o`5x!G)d%%X^Pdb;Czz0ruHvCO=;Nw*Ei1=*nm1luFi+wVNXA%2kG5cjd&wK0_ z*=>srsPPShZAF7-^vyw8hf7G7IYVVpi3mV^UgZ1og19-ICSb#n17i=T?LD#(7 zoi^H8kM1^DW4nzq{}*nf`7k!SHm}nEou$F%2yyx3Uuf*Li<6PrgP*SB>^#g`Dn5bq z@8aPvAvT$tcLcb%?=iH`i?rA`J$X7abx)yanrTW0kAF|J4*1lKJD|KD!+&?@RRntF zod%xl&eJ(UzRnBz5~q9fNVD@Oqr8yvoc`Os!?daIGClnh-gjd$jPUkvEcjjLI*;l) z?(LuQc;vsVyd&N`_0N-cz>{a6S(G=jjFi~To;*AD1M}29C!RdbmD(|~;MCY3mFJA> z3D(6uC&kCNaj%v;S8iQO*SgL1)cFK!rhckk<;$*RwkKcfxlaAzQJMerwCTTvJ4 z`{X5_A}`L9XYUVZz1;m#p*9^@H}hroRibAMF1~R0+?{-LvO9u5OB|mJhd&BOtiQ{j zQM^$zG^OJB=*&G?jG=h=_^jiVujnlOtT73uGB$5a0@t>1`-{X~J-;io;)1TwtZ#IM zb_`7l1;<%+!3tlf}3iAv?N4 zzkS&XeQ?AIU4GOGz1HXpm0jrzB~9|z{rbAD(2bLlLJ2<}RQJjTi|^v=HlCLh8j=^N z3r&x!8@_x%UDBptT|#XFvWhLX3_ggADvp@EvXks9TQt6<#>eVp{HoW_)?JTTf9HD0 z&sOW9wV278xUogAaC~gbI3FcnyY>c8EFS32llj&z_W0H=#<#W#_;h`1U450Sr!x1n z4yfxyKHTfBR`9m`LY?@IVd-$@2d$;H{D{6{BfE4AvZ6-x36B>W8RiJfTztX-2s z+~pK>>R-h+Vy!>JmbnJ*O15?VvPpgydnf5`7T#&nTwS^3Wl6vab_cO+^0y;Pzk49@ zB^F9QPaNfG(tpZVlbEsCz^J`x%!SJN0wbzhITKV?=-T^iQy9TrB?@uNf5*~D(Fj1L>_&CaGm!q)=pP8U14O?t}R4geY`8DbbV`O=QqQd zD?4ri{n~hI>2tb6b{+Cc`gehNo@xB9q_1x>?%iW`esUihuxk7j9s364@hYvWTjP&v>_r|yA1Xa%Gd3bY=A&Yfnfvv!Q^3wlb6>yBl~wj{U))t7 z|KnujeksWRQjr6uArDMP-k3q`EpMz5qfZm{bPX5=K$6EAF%@rp8V%r(OT16A_ zOSTfn*MFASCi2Hse3M^7pO5`c&)&IiSagp3hc`3s8KW|X z>&}lc_-$woMzIHr2U#_l#JVU$FK`9(rI^|qrE^TOCP!HJrfW`I_p?}oO6&wmvZYta z49{@lTz%RWQj30Ju>=I!wl zM|~rH$G`ZT_Yl=GFVea0Z^EVv{U3V6PS(G(!O^)YU-u9x9bUC&BeoXy{(5(KFQ4xV z>1R$Bd*1f*O^tnd3HDpyM;sGkU&nXiKH>*gb`|UzVcR0fmSaS0@IrKP*&~%&{f|{-An#__j7gF z@Z=7#F7M9o>e@V}H1fD?@!9{eOzO3$&(&S-Dq-ISI?fwA)3Y|*^)6hop7{{0Xl}P- z4^!v(I&1v8OK2m$&UfzavTaV*Jro~md2xT}dA@06zE<-Vetv?tpLr<=Si=oXnG9_x zpX^lIcHOmUQyUwPcTL_y*{%xNo&~`T@!*IAa77|GBMBTd7@ddTjz8?$L3IWKVd>hW z^SFMX1}uF^Wv*H0)f z9~o?ZI)mJEX!<37K&=(p%9_5V-2)o;!Rdkng> z!0=wlvFv}rc3~uEUt*-8gR?aL{>onW^HkIRNo_gkt9%{6N5+8rsan zRQL{SU6^j{Q%#=q&L*!2IZRZ3?Jev#=z^ZU^_1C(-9%xko2R;a@?Ie?%AG_8XUK-6 zr(GXB8!$fkhxF0ZJF?fe1+-nu9Uc9ByNP-m@!M=+-rRh*&-LUrhZOG&dXPIXOw5pE z+YV*Y&!q>pHmv|>OhuQ|&fcp8hwQ^f3|k@HBQ_iw95tfuwM1v=q#@f+xpb?w>Sgdr z@Z#X`_`=#-i3>&eS8LukNniLS55B=}`+JoC1MnWt(?%a?>tODKYq`U8RE&1)d&sk) zhXq%Hb?FQWMmcqGHe5#?^GFLL8%;zGDtz;K;$zDHPVxA~ujp=B-AkL`$na-7aqvH3 ze(*hKj~iNDwmKU)$0ESI`iu`&Ljv%IZZ1~p%++4fbLs!Y!HLz6a3|Cf&NH1~gSiuG zA9nSyj(#26z^jn1LN4&B@oa@v+1B=+$-3*Xsd&H&--?VKMa z{lxtk^;=@Au&<_F5+5pmWPj)*zA2=w*LmwMmDhORY{%I${u`h2zl?iC|BJWy*5g}b zyJzw~Caw6tJ`L4v`7{)M`P0ziw-arCdiz_0Z63Ph*x*n&G$b_pub+m3IaX)e;ZH;H zIfLp}jI%uoe38V}nD#`KQ65N1quSI`G2aP<&QGUE76LC~1?wZpeQG>Vj9x ze$epCZo3+%`t+33r~mf!>21>5e(`CjkeG;wSwR6jKo8gfl2bYM-$?$h=`!%o?!Aon25z+NzjF2QRP^$`8B z`5o-7+;L>F2i)I5{9VM~_osK24ZX_RdIW3;!ha`k|F>i<^NG=)*!7wQG`%(+bN8s^B?VAgsz1;Yiy8F%(SMwxw zJc=!mTgUzr>d+k+@%H_Y!kt}XMc4T1n*&yTz*C=i@^|6C@3rgl+5P#0T^BwK6-I85 zK>ug`e-r~l>#8+2FcF9)l=j#sdhZmm_vLu*RE2*{rF>m>qyczayaih=cQ2%2bMPi~ z!@42P{b;QDD&|+`OME~L{6)%zoFOr7Oe`@S)?!D{pu8_s{y7u^Wx_G6X{=54?a-DL{OzlaX z&9Y6BjmxYrh*w;hVPD_01kw1=8OAOT+0f;No?gKI(>~Prq~B>}pKatW6yZ8|FA5hK zJHH;EvqE9BY0R7q|jG%Z{y1 zp7NzDke$i1@W_?e4)uqp<;yRdA-%h8hWJ+dau&4B=d~G1ckI3PQHMRRo_n6I@}=AM zURxzUB;W17`mX;iJepHmZsZw{v7PD}(_Q_Hrv^4hil;97HO0r)m~!ng z{e3oU`>7)ldacTHhtmqjhOO`18Xl?ly#|T&V^O)W<=YRBod6n z!SdxM0FSm0pc}9I(4_Rb(cMi!aGLDXb^gc}@QN3DXqZEnI(HN`ne)u-(cWoh zANNi>e(x#lLkC56b`_kx(>}}EIm;>r*JF#wlgN|66VDT@Z!U;VnUNLg%qLzsz8y7B z76odyXXCpvgm~p~k@|A(RF`~PvbQqsR*!PG`i$xL=Q}aXrx6>a?W?}dtHCoZf#LOv zVZM6nz?u>G=(iF_qCyf%OS?P21(ae8kg6 zhn60D9bZWJ`kKrN>)=uPVu9Z~J{@#!Yf)gQTSmC$g2UWl2#r#kk8D7)f^2J2M}<|h zmoYr^)KhbikB5VC*5$I(S%!}CT>7{CsfJtsvd21S^jKfb$O7*AV&9D_kX+OX@10=P zAlD3w#0N+SfxZ;6;cBOjCbm^xvO|(;vkweX^yCnDo=? zB?l->uF?dWd|0~BL_a;Vt&KT}eAl`d)5b^5=SoJeV&sRFMem1mzMCpU9 z`grQR61*+=ECpv3g0l+C<9Gr*ejfZcoOm@|gCaHH*^}DOi{=W(N$=#3$$$TGTMlpv zyqyT%t~h(AaIuTKqqHBT{iuC6G_mt(KT7*i;^nxwdo{SSBQP-5#+aKuxcg&U*GtTg zQ{ZmtQ_B4bHtxOxJo&VPzoP@=yK(m(Xzn)VqQ$}At*d=?%?=LV_^FG-yaFKQJ-i3jhLSXDLIDFwk;c!z%cJ$jn>RoO(aB$cecU{p1HGfM#6yY9%tLX37 zx0v%L`f9}#t?4w@wEVS-DSMIEwtYR=8U16$l(IL;`zGfWcM{}tC&4uCB*^)x;DK>- zCqdSL`1(lVh4nKQ^Zi%3OY2C*l(vc>@y{xzlz&_?C2~gNlwWSmtBHPCF(r{b*~XZI zSB!Ytzu*GS3NxnhjQc3#?(&TLtrNyQGNu?n-f|lE@8ypSymb`}?Tmi+;VIE;c&_A` z!*dDGES`&a@_D|&^EIAxdCuYa^21ZCK;x9uCoAS0W&YaG9b09Of@OY|Io%M zBf){bvhU|vWsl~~1m5$9a;E`v5M)k#%!!{liQe<@l(y=j+!glll=26tlX=lO9=-G7 zDM9ANPkiBd%=e7Nd=I|19-dww{B^~gPmoPS9*(Qmyi{slzQep=bL-B_JDi`$<7?J> z=H>N%=4Cqb;w`6nY2|}i4&nPa&u`~EPsPr51a#Ql_(}#Dx6b|Z=vxjx zYo7#0hT8)8B+#E$zBBzWXZZx$XhDYFitK;4lgAy<;U8Gms=j5jRCXw_H$3GY?WbIt z))RUFUEJlRfsu=6aMo;uR;YwdxVv=Y({Di&1iOlM1>=K>nZ8krw=gd0h`jxJk~#90 zS;sls%6X}_TNs{Y6nKZdltAZ0!GQwfn|M|!N^Yif{^KsQ@Jp&Rs z11e5^2DtV(AKx$#9pWH#i9z(5k~hJVB0pIXGBlrbZaND^bLWFM7u{{>zFgm^xm8Kl zu-OjXC;NPO8${qXUm5o1oGITjJ1$Gkx*l_0T(u?q1R{ zYy1xKzcklR9jdE3uBRM2fN;6pzFY3Jxz+a>np1fNPW$@39Q~@};}iClLH|oTi)m*Y z?PShX+3T3oD(G@|9O_FkWrFlIh%QBak?bCO{qScwe=DF5KfrG}`00ha4hMoe#-e-r zkQj5r(1p+OhjwK7LsfJ9sa3`qQgdTj|vu(1d?L zuCs?2o*99GRTl&XRGp7b?e|U$Pt_&b>rUc#7E!lkBj+(!M~Qve!5u7XeHraVYQsOQ zJ)5`k&mzB(c%b>A=IQPl)$i8bLHbjSAsak27JRgfF^%K*cz*Y-J0rP=CRO{{70da?(4=bPD0PV@ z?O=YMvNEdIl-%8M!5Q3j!}(EarMF+hyj;Nid>dPdr%KN6MUyJ7=V^?24|1v_RvP{q zY3+iqE-TcoIa9u9e7)ViYfP)HLDemfPOrbqKdAcMC#ToHc?z0!4?IB2qlRWxe>Ja> z16}iuur8}<^Xig2JC4pWF;z>gLG2mz_o#nhRXX&}RVC-z{k@6#b7dBSm#y?o@F=*D z%tCKhX0fQq$cR3#%p%Q^c`ec%AHcFLyKrPP=lZaZW^c;=(3WG3wQ9cp9m(UO=*ozl zbARNqGm*)@g6u~3@y+s`Yv0GWh`YBnkK#8KS7rjTqc*;cz%K>irEU4q3L`rjGdk-M zt-Wu>)Oy`Vu2_+!_=gZAO9G8 zR_y`%2loaNcFcl*YlY`k++Ee7xSfi(yOQ>AWUk&vhEKXY<(eA5!*B1s|o@hP3 zAN7pkkO_9a&<#&Nd~kJHb3{O4Y!ufKr@z0vVm@!Ao7e1jvW zar6OyQ%=*A1HF%JNVD`p=FX={-<2&|q&~>GkeMsnKC6D6KfiwckZJY11OED!p*qv2 z*KbHDsBaz=$DI&?`gP?O*4HiK+z&TS*$sWR7dowFLUc+6^hh1_$O`C@_5e1N_t!lg zJYKZxPH4heocY)hENvm($i~xRsby6oZ-u7$Ir5Fe$Tr+`$z7I^4sE}50c(UzsAe6! z0Y<`<%2!-q{g;T&z6=@O%r^L z+LyleKa`fAQqx46ZraaDdvkrd)1J}m7EpKJet)BHzx|^;?WM(jL_O<@POI6_-CkO( zR%u(u)NJT(FD>@8(z3_bY;eY?F+Zua@|>CtjKTCPEmotnmI*Z*7=xR(Qfc{T)ofr4 zZra17ZC-zl(|Aucup_8 zWho7w&kJv(NDKPP=WK!JY3han;vFe{w3FTq2dS~4N)|G`NIj@|UXDE*L= z4lKLr?0u`wn0C{5kzNTM6C8%l7kfCtXlp=mRgA5&^h7~mxT0&= z+0Dcu%*WQ^nd^R#Rd0&7J73veRp}8VtAR+;L+vq zIlBvl1GNXzfp2)Vp;p5xc$4PpNWCqSngB0XF|AuB)eOJgcB#^~!@K>8m}L*<6<>tB ziu-(uxX(v?T_Lf|+HR9Q(na;f$X<$&y)+NH5F6vT`adEscz0-|p{HH5C+`wJ=JdtH z7)*}c#F{8}XYcZ|xk`yG?x%ba^t_rsPGm2)O#`Y_LMdK6;EsPkbU|*jk0$Tudk=P>95Lvqo2AbQ~oXJDvj|D#@hG0 zuk`axjx){zXq~5=abCb$P7RD+ydE0bJI;UWcbp@_+-r5hd=IDIH;(t$_Yq@VhC2E3z7J0SZB3%*?%Vl40-3BU$}hYjWYe5`5{2hA+!#-$0&t!uEl|M8i8~w6~Im zULh>n4|+B1Ex#TbYR5e;&zU*b`&|)vzrJTlM>YKB65nZa69)tn7t_{_@T4!$7xB5j zx#z}?XUV?>ezYwin3!nuxf$)^bCEIIeC`Lly?Nqu)n@Vd?Q4d?=YE#`D;jq@HiDPJ zU#|2G4KErJtWNSLg}{;BXH zMbtmv8fx=@DkJ_c3*OJi(+XYuF1+7g;8)h8&sfg=3qOLFS$GQmuYBdy`sI`neO!u6 zLiZzZH=2DPgzER!JAnfRN z_7d}>0{BUUroR!}rzNaey>CFx3%;cGnatH<(f6$9O5%{Mh5ldf=+eXkJVN3+%>$emuTt*M-hJ_9^_;^ zitC^5t^xPz&HFv$opJ2KU3-ypBrx7K?&u^WAC=75=qf2_`2 z9_b=VGHdmcAS0s@79F;*6;)O`;tT1FOP(8!|y-XKGZ)nv61<^nHYuIrz+p&OI-9p zU}(4zo^dB~*$;e4vp@6=PMGQsw1>`lY~%r7X!hB~Ip+@thn-D+2p)gf0~hU@>L1>| zfpMyyzcN;1L-)6ICaF8^Ge2TsqcVW=J}%aZ9eN8o0L2AwzJ@bxh;g1r@SHG^g6 zi@s?Iy6S%$W(|MuxlDVG4p8pEvZWmd#{X{30dVT8%o98-@RiX1>ad}S5zZQ9xaS>k zaN2>uknpQk*14CZS~b5dvo7B`7<*#>sP+S2sTs)~NVAo0<|MKGC)oG}kPGYEeauVn zkJYcuDE`TZIqUxX;l{Y;4@{uONtTTUZeD5^A3yJBZJCXfk z;NLb#CzBCto_*r|$ornN(4!^Pw_J*@fV*iEW}++5-Lz#7=IwinduPkIx4i73JWF@e zmYsMv?cPuL{D(qtPx zD)tT1?}gUxNgqY}=-Bxx53SvkZpxpd^3d8n>8AWd(rx|+x%z$3+&%fDW8=wN0KM&| zss1d|+D74LHrJ}l0S1m_%KkAkb{A_t50_LJK+nFki3d< zAADg?y5`6D}|E%)xhCS(~{97syZ`hM=%I_q70leWS%(a`R`gf47IlYa& z{^mu&8o{jgM9BjqpUz!e@(bagT=tXj$CB$uJ}o;0BgeLe=dzcCZ@Ty zd&!l9?+e6-UuG{QvS-5VrHSmNQs1cdSzlQ>64~?YR~F@*pTr(cAbI_)mt7!wL$PYud4DjST)t8OA);xR? zCJ9F%!`@s;zM&nBtRs`PQQnLYcmzBVEIE2UIE9#;9p?q__stdj>|-wkbL*bA21M%p zgQwNUkHL?*?4`WsL6Y?Z>iuQt`peMsm;EX);X-U43an1wBNx`kmk`f0(IS6({kU{r zeHhr9$ukZ4P(HS+^VQcta5n8E_q3DyKi*ETpnqFF?H9>3^_D;NKJ6FehN9IzuS_%9 z@lTNLbM8>?4d*Ndw;sIBmu$;3ee6%&8LYUcEj$CS#;%%vO~n@cS~9|OMjO{@10Xq+N= z*&PVfx1^H}{8+$|518@;W4XY~7;uqnAOvGs;48tEzwE+#UvA?R!BakY(9U2<*;K?@N6-rwB6I!@c=3O- zzAM|hHvbeGm}?!~>I=vF&HMQ8c)MDRKi+#(Hxskfb!ok2>4tt>R zf#B0!n}|69+>7tk|4;ZY8)Je+b~oH^Xd}f!k8|!N_$%KV zKhKod9)3&L{ule58t$@nyQ!y^MK#H9H4(l&3I2UBGN>WQp!}R6io0ukKk*}gz8r|p z#{g)|xLDU$vC~10@A?=(yVmHgYYUwRbZKX5;QpVv_Kv~9k^z~R2g+L)@IkYs#w25t zJgu!FQs+A}(vUVF((pX}_Kg+JNsT4!z;_M1Q|~vbNA=m?QI~6**j*QCw+%# z{Qo$&RCg`)>f96Fl7E%nYn2bKO4(r5JVkyRFvQunDd?kKaF*H-o{tjiwt0eZg;kTn zS^B8Te$`XTDohl`P$ z%;pXe9Bn5?eJ1h@oeS1kk%lYimj&G@ALT;)Z!hEj z-TzH&6vihQ(|C&U-!*n1q7|^`ch*MfyBVkQ+_fn#H|w0j+T>A}gZ_S61;itrA zlD^jOUz$Z9+PH5bp4h+H@MpE)u)UPag3pp)+ce5Gv&UPLr`7*uRDS)Qf`a<3fAw8z zjn2Ml49`NIpnn`~WE@&LXWSidK65H`cfvC2pDdyPAtx+BCVkj-!* zJ_*D5fA^byXWS`f+}tHYWVZa+4F*~ExjZ`DkGrFX22z(vDCwaB-HPnKsGIreMRZEU!E`5qxML z%Qr(Xwb5_jBpo>U8GQlo+xTE0eP<3Pk?+8kU=E*br+uXxe9!}PN|Rr^@IeXtJqjEP zAN-Jd)n7j_$h~9@uK&zY_WAL9r`OSc+jigULuUKGex7Ka!4K2wgg10|!jk8Dd@e20 z7EuRs3fl&+FRpOcB!W--$;R{T&p4h-Kf`z~I>mTwyvLq%$MrSJx?|J0&SPA*%_;cH zV$F=~q{oNJz5CIswQ9!jl)a3rZsD z`AGeY^O5)&=EMIv=HtlEz`5Z2(sS6eer$E2c?y9iZ=ZLw&P^v->wM&3_t-YNC(fA- z7u4;}owxq8`pn~mKJ$3S-A`PpGzz>`Om5XxEpSqhEPVmo7 zoDKVs9p=Ns0Q2^_AiGIxfzFZ4@GqG|)tk+F%b#-tb%`&J=Np|R{e4rfZxSQNz27xY zu#Ve0FlliZj6V=>BFVef5^EXN%x_cvtyeb1Ff&WaV~Q(xzNCYyZ<+O;9-LY9%_4yB{O_p zuW_WtviiV6-|`bE&lz#NXYBYHhpprIMcVuF1;$;=xN8|VIHf`N{5W`}p>iO1bq=%| zD!IR-nEN{_hwvVvvqg8hHQ8f3cJqn%z4#|^SK;Vsxv5u2a&vC~r#ZP_{r;Ssx9e}6 zdD*kKo|zNL?X=EKSi`;46V9HNi``gwav(Kvvwv{n<~yHAUgk?lT;-pf@JD}Y!Z&?` z66ZlP?Xgl4_gwdI@|W}SbJzIN5?}Y9k?_2KP{Ql}l<=eg<*!_o{3bEPHv1xq=ebWLpFO>R_J$_zu_n_dbp{57f8`&PxaanVlh^n|wAH7s>sKY8lQcc|dH=8z z>$~!a5T8Z!f)Dh`lf$G;+xk$nf#Rh+=O2;*Z-TlcY%+pI`_Z#%mkRsa0w)k zkbnsUH5s(^!X;6V2|*2mAV#Vcs|jF_6Jk+7>jgDKf;A+l2SicSCV<*xG;Os|jh7OL zZ9`~P^t86MtpThC@Y1MAqTsyW-`;!3B!F%Ir{{m(_s!>%&)&24x<2c<~xT7vWY zMlx*;_rBnW_r6aXb4|FP>iHwE6wKB-Q)qLjcP;JwkvtDL`}uNR!)R}q=RxxDG~qhe z8E?+jTvtEuk4S&t80PyqcZ=(JDrtW-sQ6KmYCf4y?_BC$d-Yng z{Rfy6)f=r}xX{J-Ewdh={IT^jf8N_vKl3;DIQ0u3Zl!-~7pi=-czkkt*`@f#{*D|kyU+?#@@@{q}1qz{;yPf?44bWr5P4^_; z?HpjHZFUR|6kffC-$Me}*~s6|`zu4fcm$a-oPQ!?==Q`--9oF&p};R-J7U-xC6&K zfHcVqe0_n2Z{3qfdw~Viztiw~mr%y6=X|T4kI5f!4D^0XpHxrarYh?31eQ`iee~Yo z^m;i@CD3q{RnIE&AE0hxAK85C36y@TI+3;lPf)+d>GA%UF_`t7Z`E@q^{k@qZ`$>& zx@i^t=^q$zoj*IpMW3i^STHX;!R7H*slKbM`u0=*1C9~i>&P4UR#oD)j#O_o-{-*J zJk%ASetfJQmpRhBqYTIDq!AAIsgdpYz3%v)#=1J6b+vWh)#2-ZY4T$6_(#!|jwiqW zH}#jQpZ@Fm%N;87|5N>C8e{uc^_Pj1>6YRDe*Gn#`u}g}Fa3Iq;~(oUU;gBOR)0BB zEO7ZOV{_V#dD$o3;LjdAuDtM~*Y7KAxZsC{i!NVZ_{}Bj3%%Rwmt4317fWXT=(!~y z&3$6YYd5^S{$k?uR{Pm%Kh66Xawgl6<++o#ci^jAN!h~(mluxtPJZ^IKlugikML%H*KXfP zqn|z7zv`C{6(0F}oz?cGR@;Y<)ApU)D+|v?r#h+c7OVZqR{M7xr~OH_YYP8dx7BJp z+iLsH!2Dg^!JW#%g!0)$U8jY4_?e<%Q>S@>Gbw}r$G2h7? zvX{q`?KsI7czQ*l+HP&uTzkCP-?PU274RMb{+tW`EOU+Ud4dlX3g0~L=V{mDT~=hn z8ksm5{0V|TZpTQUFHmi^+q&~{tKI3{c-EucgAZBlP7sdM?wMA*e|7e3H|#Ap+ui@m z7p!)#x7r=S*kapVSXFL~x1iQ)_bRL1$>3LPyS~>SHQV(iy=b*Ny&J!JjQ7?Wv)zSX zykxa|w$<);dbQj7(!*xEzDf3Yzh|}kaxXZyei1U;-TxoYTkT$Dx7%yH`+vIJY&X3A z7goD7x^XLZyy3^J@dlo%v&MU-)$Yh%;|*s#X12R<(w3g{+pAqq*;)(Ek8SNSzms~6 z*LP*e9Pj=QpYAcgBOPghU%28ue|4n=0;^XRKI%FNh3T0kkAf?Yp8aUzqtwGagx;53 zBLab}y9=`&BfWu$aGkkdyfX0!cvR_f2Sj(v=o@=u0>0OOSO{KueINbQYU^8-iC4Nt zcqchV1o-Zy&Ol(ys=}8@3;(RaYAgTI#H(lr{0^v1>I+mk?k+3=$HOn#?VY?b@m%O7 z+Me2~DtN50j{L3bHd}2iu1q}Q?Aey@;KPN`g12>9y#=GoA4&YP-PSU*t+asWx|N0X zw6*Xpo1XGkCcaEtjDxXR!bYU||6#6LrC(3&|e>I$^};XVuh5}&Zz zTKY($a7yEfwiSq2wCkH=)6ln8CO!%rW7`TR{JLPD-~)M;iFfpBD_mPqh&=In zR@Yi>o%%@PB*qZimapG>b6i#D*mT33jbscx+M0B~Ij)6ozjSoICfQ@sTzP8lGv_Ms z*`}j&^(%W!nyWPCUGo+GO_e!cRS(#-!h8uYv>wQEWciSr%-4#-7RKtk>lapACBpxB z?*+_Hs$-IGt}8yU|C5@+L(Wuh;JbB84xzUnn!7Ghb*yF1_BpeC$kf388&?$Wpbu3` zZ2CA~Z6$k8p+8nz$pK%#wT0M{ybITCwc0w}YAeYxk@a$XU|~*m;jgeyEPU$eCBHH} z-d_cOz?#R6jUwK=!^rkM!J1ob1=c)VSg*ErKV#wj6>6)mSL-aRt-gWqeLpnY+JD4u z>wK%N?_vw+>o~;+yaK)#stXJGUG>wSE-7SOh2L1iI?C}Zu`R9bEb1XF6W}@tl2^z^Crw-&K2^qJ zjiHTk?dD&1)E;#8@#((iHf-2U27Ya)KevSctxjX{e(Z9>Yqw)%YK_NO(w=YR?%)jn z0?y!-Uo%8Zt7*f=X3RNptIG#EX6=2~xY!Zrnl-AAe?a^IWA(HVnX~4Pm_KV&JiiAM zbNhV8B4gT^MWY7ro0zasgLw|;Ih5x}p2K+(BROg$&y#sN{4?XTdG_IXI?s5XXYw4t zb3D(%Jac&tc~4pnaH;lfBg6>2u*jJI}~nxy0zK!q4L%?px>C{WJAwZuWgmJ+buA zg$sBmKaH=Be)+L$r$r*;BU6oz1>7HC#bhZ~F*TgQxo++${@nO; z{kfir{@g=TIj4+sY28zd+^kUr-uScqx$bkpHQqhnFKOO1+k%gd zdF_gvXU=PD9dp=19KlNde?L|GZQZSPeT}Xyyt_Lib2zKq_ZD}De;q6$7T{HkFC^c8V>4sh=7oB`08`nC^${C?KZI~Oj@S;fC% z3I+dahd1!lLSN1(Vh_bXlowwtzLB1CM(2a;-d@pF#AWf2gYb~gE_RtRrN+Sj0uQ#% zpS65p;tTDk`s>{Tn*Nl{fBUIMeH%VIzY&_e`YB_rVhoz_0V_7(*@um_b>}4}#Gjj( zpm-pq?RtoKtdkNGN=76m5Hr+e`H1uD4@T*nxCQkmD~@2A7u95Y^~9yfvC ze_m#+t$+^N7T`0>*ZC>K!f%mQd5XWDdsSN7GUZD%R%g=IF4CXMEUW+E)V%r+$NG_J z)9MF0^4^4>wfY>M)>pgSt>_!A*koIG{!Q=wTiN^3I;&61{TIi#++Q%V<^F8PfYybi zqd&9;`pn=ts5KBjqgC`aedLVRC|pZM8_4$ak(2OwoA+5dKrh+fY>iX#5@mko-=3ER z>{E>MEsprshZ$dU4_Ksx*OJx(EcQ54dcfk| zUa(jTAN+U0qQ>S)f=2=Oe+$nvE(<2zx%8w4{D?akyY!)j$Tj&CiDBu|8CM~2S2S=d@Lj+@ zNBrB+9{Vcz=ez-*_PKFpo{w|#eA;iJy(rp;_6h%r?UA3HJy5>A{J+cp&E<~O;<3MU z7Uirk`UI{)H+f}9QO*J*F2KCyHjggKnQFKK^F2oH_Ops|Mj6h)yn#mUwy8xq#H0m^ zhZwm{g+)2qUrkU=V978e_l@~QIr5vIiN9lUs*$^ENl{LMb8z5>lZ@Qg%ZqZ@KNGlq zw2}MTnxY)`iUby&V&uNMu_#A=i|_f2+}}Q1l!LDzaNReI+}~_3%8{R-^eiKH=Nm;i z@-Zx&VC1&$Dav7894I*led-h4j}#vW0xO+=dUC$eq4Nc=L04GN*PlDzn#+J)b}Kx^MV%OV9G>E}Vewb`JXFdFUCyMf-0X zi6!lVM*m10)|5=6V=sKK#W}n>ojYaWbDUc}oU>Bg2ez{xK=B6I>}y(R@@IFo?sT|_ z`%c6U#S3Q)HF9(Y!93tD7^%NOXrZ2SLxfvOXDqGyhEKW6{Ek1_9p5x}DEu_|f}g#% zim%hTP*zM@ou_H8HiX>Py+PUwdI;M1{BkFB0dI#c+#~#5K{JjZ-Iq`Q zIIp-X-gx&7#W0GOcpT2B+9%eeDt28sT)-VmS^bQO!5`!`mRx;Vz4WPtsqBqHcO1u^ z7z>@cgV*hQ3cYG($#prBLj)bdkBlKtX%0$GGxe(WuOj2?xW9y0o7IAQ1~F(4esudM zii3=%i8pIsbQ}67{@3cY1O0100}pCO8yzn41u0waOfqF~Hu02h_TOz4E`Wc6xA1^7 z(02wLj@5O%p9mim^JvM(be|bl@B;@j(%P4&IEf?6tQd(J^qSbYtVE92n{(;-r{}VU z{)Jcz)%0a9*%zs~to-DTHJZnI{?*s7n@_VmxUhry{6}j+&F%hW%bwLdYVO>QxTp3p zm)t#Zpe32}J(7)y3qQK7zJ$5FW4Zy}#6w4Asl>uwOm0sh{3#xB*Dy#L+ST|3s*q;7Q%Jg{GStJ8bn1D@|l zrzO3HysCeobFk+_(qDBM69bO^o>ra<*`Mj*sWW$4KDvEPD|C9@_ikSkTKK^vN9hNX zN?FtDtQ`2#qS}Q|Pa0M7!6dzBlsr9Y8~UvH_Xg-W8UCX-taHJLC*}8k=wC6*dg@F8 zJw>Z}LOZ@y3rlkbl$M(J7>L(!?oQz8g=4|N(j2{?Rx&n6ZJ2ajF1qg48%}J4II(@@ z>u9PHnkqRCO-1#uf0m|(^`a^9(%v-H0584g1T@9^?x>SI)(mLP!f%V#*hd0hi>9`a zSM)?2PjvzG)C@hTpJR|m^i%_VX^ptmIl!bR(b8-G z1TEDT6!8<65VKjoM@>5`Z*o?5q*i4RzX+)3N4+; zZynV;P9&Qulc1v{W1{5Jt&1+J@3i;7#L`i3xs=gME=?HHQ!X8kh9rxsPe4Oi3EecL zx`XI}QMqLDeP~EB$w~aa75}dD{*$qhT6*Q9F4y2nXhn3Ty@i%+NeW9>l*|$>tVO0o zWlIY<`A2AhxZ^p0`fA#n(K=;o>RE59SF%BMOK&pw-%`J1*ze)H(fZf&`!eK(bk^SV zBU$pV%8Y7oTQWm(KzJT2GlbKU8C!eF49S;&Rb~j!d&>;r_PHmD7lvgo`9H?-q2Tz?ZX7>k+bN?sE?f84;dmwYXXPZG7{}4OmZWmm-SOlE>)1Kz z{frLIZ4Kuk8{3bA>qYQ#>0o=v%Xu|PU!a4C2BPVrfm^^s$q@_3tvf2kyM^C9=|bnw zayJ@!yy#-C%ffx(a8bn4t%SFtfp33o(LhxHvDN@7;VUB3-c-HabTQmq8+6w@9KTsg zwd9NHojb^)1$+`F4crXwTJlWyid*}rVrig=b!)8N6aaQd^(K?or^4$~V|ab)zm?Y) ze0=+w0DYF;bRu5A8`_BF^+l}hj@6q|ZM`Yg)|*moy(!h!n^H}^=|sH#Luljpy#DKG z;ALzr4%U=TYfTx-YaE8XMX~gXo7WnVHRkwA_<1F3i4b_R9K2})A1Vh<>s;w8tFJ~@ zFE7^|C55v&OC`X+*5tBJnKm(OX_cp7(zhxbf7bA>ehK@vHhI?q>&W++q7{u8>SD?gg1Iu z));@i)_6%F&RpUAmi;>Oa%91qfe-W7WMOmUJeSsenU;Olhzm{51}3s)TK3tba9}O= z+0{c5;_n?|+h>!)CHG^WT|6YAd|*Pgln>cj;)_kuX{f7$gA_g7!P}S zyX`xNuN4ki_8m8{kJ?(ZGb|f)bbrdFgQ~v#_4yMT>lbY9cxC6(>Q{f{pFFd;bWy)q zzkKtBPajKJQtWD-_@wW~T^kSHdsE->_m(xmgG~HQ_nGsYFI&8A!)(Sc81gra#tyH! z-p#(9J=oxz@#~dkblW8|fPw74Q9FgsC@ex4#&Tw&`ZIiT5CXi=z2>&wr zET3e-#dW}sF22{1GC_8U;NR~sVL9E9UE=HQOzE5@Rm>VrurD!Wb8%M}7$>&5WF3km ztmNNCKU#RUv9ENGw`uYie)r+u7?HV1_%mw6m_<`ZoV+Lr`&b)$%lCLglW%!~eIfYn zgcpts-66wS4%Oi6PX;IKs~nurk1@x7d-ZYf`-!B4l~*Mtlx!SSAA$yhqvKXp4d*$z74`ROUi?(6^DZc0<&B9|Nycb!bIoe^*(Wg=Wt6e5KKbnu|{6y#BWX(&c zdtMSXFYU`L`1+02%*8)#Lo#8_Je9@W@ktvn|DT>K@d_t*6H9)&@%j5ZBjW@+!K^n7 zihxfK9B#I7xVKN=os`!Yf4g-zU{VHqr_nXE=Fn4qTIoOTBnNwaEt#M>*4eQc@P^

?8*8?A8KRG6g_^~){;1hcLz+jBY8vKT}17v&^ z{P161x^Eq5l676lYy6`rTFWDvXAZ@D{^HL~?JJ>IB)0?$bH6BBpCkRE z_Ee_oS{>pzUj6|qBpa{}KJ3(e_Ht^Qi+ijgx9DRL^$~jKz75_t=7p;6bOS8}gYKKK zKBwZr%NAoDF-^8pp}?&k^L`W76pe_7V+7O1MRI&RCLMWrZFJ*9!~x2^SLk(fszpNh3?jH|jn4%y~&W0I@Z>*U1q4S-kIl@;y;OyZHcPQIaCZaMr$ z)Oufx7siZm=k^%iop{y`bC_p&-0$B1qg@ki&7;Yh^-7wn(|S4bTqI-2xlx|W!+B!> z<+;4z`wUpG6tFgi{2FKr=R6Qf^YOh-WQ77?Q4U9GPjkJ95WA4o3-fHuO)PcFet=xq z5IN5!*QFd5(Lp(&Q^-kSJ(l`kiCCrZq|R^=c{|9qoU8HzUaCD@#QE*d+frZfxA2eg z@Q;rGXPV~>L;gzZzb0x_i+XET3K$}23%FRU0@$B;J)>`dpP@b`v&R+ zW#2#tmQ{&9X&rujS5`yx5nZW}16qSm$2hfK>!-Z}@B{vfuvb7kR(j3;Bg%=kZud($ zfl7=`JbwFe{<)C;H0KY&zL0Rp<3P|t^Zz4|wfbrGgYvPSOXEthKdrA*4glv|p?GMZ6P1y1x{=iv8dt2+5Nu>U$Y}A4~E^GJgYOHx=cy4nTVs((%1Q`JSp=4TyJ`!1x|n`MbPdRy#hb zz1skoT(2NQcI3O%a#dCs@;a@{U>EKvyIWiMGRi01vBr}=(LM;jy@`_Z=`=r)_mfeM z--sL>wV8_80=Q$GURpsmB^UcV$Tl&S$898o-B#%&zK~34*O8ib%5rg|EBP-E_%BZ` zBgpMEV7;qwj*wey2A|aV+jZDOvVYUSLnG`>2If&sh_TLM4T<`_AbP`onl3(xaYF9U zQE)rigm(XEtdp)qsJ<{Ge%hO1C7aWVeRp5f?=8LD+91Df>~RWwh?4ZLXgbt-P zKi2rEC);YrTs~UQ8WDT)?@`!?JHQ)zgTX(71G-j*LSHZ+@n?!(C72|0)jIq8M(Ei< zhWtL@+1_GK(k+5J>2_1{#k=^e$;ujGYrjuEts7!~>W|{$tE1$#!ka0>FeZwOiE?~q zKs;i@2l84DddeC0jFD}V^&5H(UqUvB=Ez|fmpFWory^SXdA(f335*S-?^M==xdrWE zrG0-9fIA!?8b|UAptbOPFXm)I4EB9t58PtLb0??iIb^`jLYnuL5-jSI`lIjosB+=2 z+C;fOvNd|=6|4!_Ogw_8h@~Xx5ikUg<@=!CLBK zS^rd-$c10)g1B&U%e{Q1t?SMlqL1ci)V@w_k9`(u zE_NMggS-Qdyss}8F~A(qIv2KPrECkD_o$c9o;LI^fUfn3yEf=BPgCN0@{@B!Rz|t= z5~Un*WvR}{kSbs+VMC%ybh+hDv_l>cb6U2%oewJvhrcu8JNAYbO8A7-U_Z{nrNy+i zrsnOaFYSF1WGNl^AvP|<-ugxZ`YZy@R2Cwrd->$~2Ih5;Yk7|>{T}27{G|GOkk)e? zl3R5@1>sEj$-1tBjr8W~0>MdT72p@&cY!i>&qW<<%LnNH6w1`N!HzPrGp*+;O^eAc zdpWNSq4|#yKAB`t12@eI!i zKl1N&$R!e^jI4A2m;j7DaN#!1133fiw^ijE zHnKbf&lzM7`)#=lVvPm!9IU^>&en{o> z_u5u?lkK5C>=<{Fue$eckFfT z0(jWRrNXNZ)4)^qsK%qL#U547p33x4wAbvZtPg3`{(0=7Mj3ApoK4uDs@-2ndp)&# zT^C)_Ov|@?(5>Yg@j>OAy8kg9Jkatg9%~$T<5e#9NsdK-5!i1^`#ni#TI}_N&6|Tg zr~hoPXFYO!h!NlaclUbIp3tQji$0J!+7n89Jqs`ve^BmAfG_P4wPBB_4g86Lj2KYn zjlG^3Io=%$u-DUuedAUOvrJX?dWL%}{pWi<`?%#W|DWyk#NJ9rtG%8@!0BE140WGn zI_>q;z^q5Ewe=X$93dX%e6J^9(q2!3^9JDjclLVHp3vdoT`%xz0eFWPBv}IQXumz( zS7R&*2OIXVs=V8SGQy+v9G&?0YxjEcSOjt0zq{9y;G}!1dnx|Cy`FMxdFNiwP|Ov% zpMj4h-xG>`0OWffLrj7R3ip57y`G_nIr9-m8xcFlz*dxCT-CjwQxQwXjFkDD3)~4_ z1@Z|Lm!~2wv;!WM(f&_@asJKaNmGAQI{T$R$J$;lw%ZEO-k4)s-RJg#gSOjG6)i)K z8T*pVG_UEp-qdk&tNo#uu&zSz)SNr<>zDS2zNPscdBr-Kk0|`BfbXuu?~P6&#yX9%GpI{AGTN_#cRf)I)CY1%{`>a) z_~yJn?%Qhb4Z_WV_2MtrCtt0tUx(i#YVRqIxd>TC9Duz+g9aKqu(s6aaQFeOKQ|gX zwv7?Qto5iHV_;c`>yrsK)iL@6w~bjSW>KsX`Atq{mhCNIX9zktWkZ%`YTXDut zTcagt0OjAiK!;OR7?w_LV=4h3ZDagcRw;B^g@NBe4IT~{)aDfS$D6SaXR2~P3HL@H z|FQ7|Hy~)h)Bpz9p;?%txM2r$ZX0t-;S zeG0hu!5$;0g2O`CQlp1~<1mf)?>k_4fd7De1s5mhMSRw2=$^{wP=(*PZysYU4v@zd zI84I57Kc+9A1w}uA(MTvPi&7mK9B*Upwr-F7~lXt!vlOVHvR)j6x{XzxA2^xvFVtX zsJPkxKl0uMI;!i)_dcgvg6@_8y+A_PZV8iEYHY_C0aC^pHIF0$?AQqM@=PM}$XG)0 z#KLwAiHVv=5<%m{GWf~dg}``5YQo&ufr*u5f&fn+v1aJ=oZhtn385ko0nuX5^hMnk`&@I~3fsaE}f+VD@fb>595 zraJ8eXvgm}N-F!?8oRJbZNc;P@wODlqTiF@hq8w=`rArTd!w$ob>5uRsq+)sOrcGG zs!fujpK)YV$G(jFi2pu(V%4!R*M%Ru%iA-(8Ct(JKK$5Wb4(1n zG`wn#>QbEQEBJB$5v+VnM>Bg;s zH9*|n8Di1qtsc3MF==S;>zmdEjRJiC1Mt_eM&6raWc-o7UNOf{9aVi}@g~M@>BA#4 zx0%E}p$GhdaV$f>Q-9lurxIVPf2S{tCd9hUTkY%bBV>-h)$ZFL^HhfvLw}@#_GUfo z%iP4C2=;E&2MkUdesI>BFZodV0b?b$y@khO*5(49RXohRKo-qr9h|b)!_OnPkag~J53IrH zWoAsa`daiP`5>fMwBoy}$Jdt!Jkk~G$?H)?4iEP^2Ki;&zlX~mqqsn|uXa7)S4AJv z>w@OknnxJp<4MNehb9^g*MbxIEiAoI{i9cg++}~pxTqYl9r&)upJAO3wqqiC@X1OS zJP%)giu2!Yev}V>=ZypWD42UFmq~wW$Dkecr}~PWR~zFvf59ASDS|fNXK(vg&?4^l z#UGh%(MLGEx_m~l=p+ALVxAfGa}oY_)4CNOk91&zxF_`~nxN+)m$X+IzFha7(JbF# zrN_9uhW0fcDi=W))L6L3LFL@EAA<8OZkz{~t)y+W>-Z@L;t>X7LHqZ{@sX zQ`k)X%g&zn)%zaU8?S_(Zr_f@YqpQbg2lb3ZS(2ixNeJfl*eC3yr~_d|2R7TX2wb~ z<{itgJ8(|hIlDwZA&2Iz;1RstC=?D(f9mVc;ovUo9#fAIX(_-jCD_8mgGQK#?s1Xd z9lfGxF*J|F>25GLHJ;V{YoEtm-k>ePgFnpqv}6Ontxw;|Ycl*RvonIk{uY>#T%E1m zK%b0Zc z>?P)}vz83->ELzC%~L+;gl%M<$=*4wESn=7UNXBuG z(Qr39N;a~9+&+)_R_AQ>U9LPvoY8z=^4t{P>g0vK&yAnpL-(D9ys>@kw(QfoAUomy zfRWw=e{Ih+jyPrf)ejXHUY>JoZcTM@^TA-TkKevg;m68qs*0PA1&c)!t3J9WAS!#gIWO)`P)$sO&F0)2exZLD@;7r6w&PMpqNBr160V`g0hjKJw|5On#alt#1 za~mUAKa)e+=YAL2uecwrUrosV96xb{d^RuT%&E~-Ugr&TMUgKPj2AP0NIRvhH}m+t z+!HR5j#I(DPZ@I!-hH$N8vV>L((WZ6*Czj{=yP8gn{gYuXv7R2UyA;?lpG}6I3Hq? zGomzTtk}<+ld(4gZAF0);!_o$6t8H`}N!#%=NkQ;XS+5II?r0apbw#R=hVlq|Vt) zh&6eGJ=(7)J_ozSX!*U@;*BY-;1)?Srn&JuK>X`#p-4IVq1oz#b$Sr~6TyGdM0^>t zsnWGq?!*#LARalB{>F#iknT#%$KiMz*!M%)c#RlL`PZ*hf27CQ@?+ljAg@I;JC8u7 zVxG}!iHH9Xx+-)iV65G=&l}YmL6XYP2oO3=+ zYaZ!byzNu{3}Yi26E}8bN1UFbVF7TAw8|=9RZx6n(O0zXgtnS9--5QrNa7C;e!jRZ z#V8X0RkF8aP;VpnSkL8yru`qR`+RYe<;xWf?YULHEqPWkI}^I@#ZOZ(lCzP?#)>@bLz_q3kaFi;G0R?}M+(Ykc=3|4w?$`I1A}>z2$Lj!qG5TFy@N zicTL+pv4aCr0Ab+ooyJGQ1#CcXa#kkN@tX(r1k9z{dpy2m?jkUpA zpIJ*@TWU18*Jo?(VBIjNBbio-ebE6=y2nRjK4&I-iL}|dG+a_oY}Jb?bkh1ke`E|TK9BQ&;$r(| z>&);-^dcYnksm!NfWDN19-3;!xb@X}n)}FKl!u+mSeBee7v&srh;ziDi{2!3QY(KD z<7(@piYZ#dyspSJru=}l;RHHQF7r7f0mrrYXkYqNq}=l9F}A^UV@ea{x8oVAKcwvs+OfU|N%6L$#BZU>k7;4}~1=7M7xv?H!tw5 z>*odZBa7eA0XYvjgx_BJs{z<_R;P)z$v=}lbH7o$1ALoie~$cOgX_&=e!cd&h?SSR zO8V3N=ug+%@C?v6=uF7!;)2oEx%~{$_h0BgILerEg0+pceh>bj zk{@_KSNvuA_;4yQ?(06+BR!%<`aqC)Eo22bVPg2?u{#3ui_Mg%&IdEc7LBU@V(}~B zJBq!5-N=3RAEwno#}3-AQ7%o&?nbV%4yNy8o^0ZKDn8*G8OLlhx-HL_RT!Z|9fzfJ2t-=lpNjk{usb>{4~Z`*WTiq5Y(RV*d)}lNv zdL|uk2jlfD^RHtaat2wWwTFGJEfI8%3!L+{p2zbEPX8>KVn-1?m%c zaTfm2IW>0v7&nd{p0B^pUWa6VLEGM7wjG!LN#NwXM6dX72JfnPmjit6`qp{B2L@!B zbJmd9RV$V|vFvNmbHFES$Eh=xd+IosA{l-0XkSqW@HZaqvuH#Pts!%2&Q~Mlob}08 z`F9fV6g=yf4D_Kg+HMyEv%XlX{qO~=FWdGni>48 zj_Vo2*+#>TOyn87{#xA5i6j+Ichkm^U9z>VRHqWYQ||7`tZhLfWjQuPZ|sJ;!s^MM z!qdPYxxCzKloXoR9IBpRw9JH`eftZeL34c9o6KEze-pKqe9P8(DwB$5+|8a|)4_@t zgJy0`KK_Iz{6^#ke-ZnkW;^mOK1Rd<7}GoHYlC;ZrT2ES?yY3}Scfxw^!@|BE0*Y)A+8K<*cExi}}o|Hb3N9-y#{t$g)*}_OUvdPkk z8{xBO7Y_DQ$(JG>MShgiw1+>zYOfJ{Jv^L#GH)==?x*dikblL*R_J`NWEJ)Lzjtsx zbuqX|HtC&H#vtxLLcLaEDP)6IBw-(--@J&eqVJ8+#wS|`o!o~nr4!k$JPM+V+Hz>( z_+TA+?1dg3*p$-2PaqS0=-`gcuKol=Bk>njpZIk*p@&(%A$&(}{*WF%X#w%P;I|B& zQ~hZ@68(SAoel0Wcq%>y25VX*dFU8SDvy*)KB{l6n~|QOdEh49VdvCx!yrB3r8|jF zpst&S?lP8KyURT$13J8TTKwOPE#gbD?Ne-kqPa#+zisN+!puMR{s;Kqo$J!w-&*9u z`cEJuBs*u@=MOJ^DGAw`jO-kN4js>(Lyq(I7nzKMuaB`28VfZd7!zi>Ln$Es@UHor0BA;v*+uY%`KaR=RC{PBCCm)iK}4v#-J|FHN6u8#ku zIR3u{{~x&U*Vrf0U};>37TmXi{|8<8=Ys!M^ysJKG`Qp~o*};tGGWn)+474i|3xl# z`vh`+&%w!*LkM5Z_jl8e;cRO8m~Rx9T$eqnWS$<$`frx&D&*PAG!yv zxin|pQ2Y6$=J|T}{E_`^=h*0}_!xZsQPzRD9X;D#2Q*g5rRh)N^VtH-iSuL9TI?Xr z53jwK+<#sV{B;(ogY_AImiCg#A85u3u$Q&Ads(mKucAF`t=Dh)v!v%~%+b5CRmTFK z9gpJ9dooZz2z>|FVST8@$0QxyYNwLEH6J_Btt_3wYxnK0_XK?SdvF*F45x(4K^vD# zU-Cc`FLT}HzX7kg*!yMH{!>y2-H4bVd)~`dsK%ERL-x+Qmh-o)@e};`^sxOE-}W-| z^!MOv<)(^1Q{M6be0Lf-I}iH+hEKb_y1KZ=pBk;iK3I!Sc?UAwwmGynkpnMfhf>jn z!7Fq`^s{2AGogiYu-JA)czn+c*2$vt=w!g5+*Ot@+dY2TXIYP3kj{JGSk@XV{z2`? z-(&ZqJr?!zeWwlVkHj`6!B>ucG7cJkhqB0_UdbN2P3>i5#hMNVUmP9xL50~@Xpyc3 zTx!4A`&4cwaTx_;xMyJjXW*cfV;}0%?`>Qm8}S6s7000dI8PbshZCMz4BeeR)!*CD zsETL4{nIV^tF{%__%7qpN}DIZ*T$7Qn3NA`406MwK|KCrbkB?p_$r-!o;S&*wxNHY zXKXCX+UK#$+Wc(O?kRXk_@9K&-T0#?wj2f~=`dmT4SG_-Ey7)R`~Hh~JADan&O{Ev z`_Hwl*lVqy#J)gNJ13Rk`Y^QW{Bll)#z^~s+2)hE#pYAFedypOV?i(D%$+6&1chEM!q?{_HH#=awqxf$Oh(ldL%!=|U^cP=s^J9HQ0E4npeqoXfd zcS{8ge+_q&EJD7doB$^E>)u=W8Tw8S=K~}+|D7@K7-q~hFOk!O{D>FtnT;HD&O+Mp z9w+EiYn7Wm3)$Oxm7Gup@`jvSE&03`Z@PKXq6NN`L%{tMw7}kt4d8Ff|q^u$eOi{9F2{d4-uU!l)S zmXY(^(qZaGUc2HP@~n~hrtwFPFOqz`S96=#Rz2(W*5}rZ46b%DIES{PQ>NjcnfyHGSIHp zLz^BR`ok9$Uq`RL&f9&D?eAMUQU^4sWbN6;c;=yNs((A*h}H(X?|0b8d7E;lpyz9@ zIUpEC?_OZrhyC|M@=A(MdPdyO*^|r%=eGg>PBGStPr`foD6mkzmsOexftHX4zSl0i#9xe`-r}RPn{?rviSve~Hl`o^$%q`gwxB zm!eyGh)Gp00F@Qbsf^D=zXmP~PR5^@vDkThjMCBfuLTz1(YrQ$lFfWq9q!g>DA->R zb?VhYm*ezHyyl_<=$ErNpDsOKcex86`AQ0i)qdAZ>mQd0x{}q`ETiGTH)dMxIxz!I zAL>_ad#$~G8*bUT;xz}4W%My9jxl~#I+M6<-}4)C>9;5!ebC@v_i3oj2zrw{j!`jT z?%#a}2jBmtd>qy2VSd{3(M|#5DLw0i{5{FU&KX9Fd?Z!GP-;&e+;q=W?`eF6^7XQ2 zEK>iz_2Cy)R{n9TEbqeLR)#$E;ZqLkOeDS^$A8N}_4{u{Px)}w4n9jOZt4W*_Jxmh zhMQ;;*jng+N|^am4J@VVoAy{AxeH|5-HQ7|FDhldo#^&i*n}$ z1V6kucN95M;FE=8xkmt5vY)l?d(d+UzGdZqIKg=V8z#=%Qm;D8y5Fyey^ynCggCDSnI|8}d zOS5(6zruEQ^yD&Ps{&Wik)L2)ozC2Cqm5v4U3VqA@N1p`{!&EbhGtN<=z~rq_5&)(LLOIh$T~8$s-? ze}k{ChI@qlFgNb4zMdJvhsBK8fbm`OjXcBH`mDIB%-HlAA8}RVEMC@FqoZ2zhgq|K zZH>2$TbQ|^It7$h%-#4k(!;aCJ+5zoOTO?OH1^rCoVbnv>~UP|_FnZEy+LS?JlNyG zo;yHHp#%5TctN>`EFOdIS1PBmRBkTujUSi`Yy4aDiFvcf*v3`5YvnNf^Em#(O7Ir_ zk;(Y9uFRLM-iqUKeu(GT8=MEV09oRkZLxR)|Kx)fP2=+go>0D1TSv9w5>Kod!V_a- zPEKLy7N?`#h7IFTd){ipqS3%Ri!S!L;6eALDDFKUSb(=gd+L(+Rlr%r*&FwIalf8@ zBm5$=*UH-|*;eH-THIv{SeLB#$Ux$?dlTPR(?<2>KCKs1;3+#Vi1gv{^vkE4_U?Aw z&xN!5oy|A)zM;FEyNp}jp3uCF^JyRSMg~}Vg5)kdS!?Xy_6+6YIj@2t6F$1kogx?S zG4WdrzEdPo?pDE9ijn;cvR3nC13tv*@R`<8$1gFQPr^Ds#TW$8Q$iWWjEdxy-7}G6 z70BMO6^DqwF9)6l_eX%onJfPW?0NX@5Adv*`nJtEAQKgH*}Kf{iZ?r%oA6g}0qc_A z46iCRbC>6#SIC#ley$bca6R^^co_R{5j+GKC!Kx>^C?t4EQAm^6Fl^M`zmX`(B(eUqe1wM|Qmc-0t&S+ZiA6V!vF6Mr+`C zgYmZDWggWt=S90U$TJ`O>NCIcg3o8IcV{){IKTE@BM@$EF?$?t8 zm;3tlWJ^cJ51>97Blbxn8Q9v|8*h0Xn8|Zt$zJi2yKVgz4DM&@U+w65VtI$2ywAcO z>Cf{Qp&dQb|CP#w-%lC#NB&$pmG7gS$opx>rq@+rj=YaDt?#2urF|~)s(p35k9Lgr z(N6e%l!?5LGOh2U3}f{u|CVmWx@et`xEc@qf4%&bc-v=?j}zO|sIGoddZ2#KjsG^Q z3$1686ViodqEAV7`dFX+`Q)}>??-m?24sbARHQ}m6`|^a|5Tkk^6QH3ny>0#_LyL3 z;!}A~tN9GkSIG2DFC1_8p?z%s0$^HgGzZd+mO}EF_!k%@s_*tKM5OD}RvDja%g?9U zYLB;t&mmfg9v1=rs&YH8D6nkNckL@E$98pw(c+{1s&b>mt%oJ%U1&t_S6}Fwd#dTH zkWck>#%sgPJ`gbwW=whe+i1U@z28>)R)6{(5Du%&g@I&qYCC;__l(Ca8{O8ATRrR< zLkkYf6~*sU9%YoDmdmhXelA3N*E8tU(0UjzMZ&vwx?j$0GY1Q-4g>5%l}i`E10{gl(Y zD)bQt&UakrnhVHnqde%MDY^7|IX@hA#@D$!sDO9Ux!{>aMH*jz>&)~<+Rdw8-qS%J z^=5d6Xk3qe1P`B$QC4v!YdHI~AAZpKAwP(7hoZ_F+(qe>uc7=#bU@`pn3+$G*$8nN zrqLBfk0>P90sBr}`K?C7?dTtCSgY1t?%PX_!6IkANuJL_m)SXSVEtwt$L1T-Z&qjM z>qiUPTe^K&|JL2)JJntGaM@P>E$v4~UA|*;q0!O3`*K;dX|;c=|2yGAotqtv|44bt z$_(H9s{B;zUfMGs+DP1F%7l>7xWZ?SCLcnerkT75uds#(e(`vDd*8klz@6?h11aL2 zdZTB0ndwX6*#d0X^wfe`g*BgiynOyApIh;d{}d^Ibegds?Q4^_roUHrEbYC;o6|h$ zDYa%KBlXtw3G>Xflt0}RDc`g@Z9-c4y7Et~9&JA(FV(l7jh5d>ZmLnK;gAJ@`8D*Z`t}hzkhCyNr|qWy!Cc+Rm~$;)nPL|r4PRsIWtlYKmYCAFY&zQ^5V_& zk^?CLtXTPb&t69U@TM#*0odwyf?a{tEp^P9iTeSO@!jjwR-{=!`^Vef~&x~6>B z=QbS`4N`(F-O*pSb{Cp~Xw6M;bcf#g+Oc`7=Wo67Q{OC~fBDYMw^L^M<$2Nht5dgr zksPfx$|58w2BccDLe=x?Jx@4jjEsI7ne-O29VYyPrf z_v%k<{m07-Hh%{?y>j`E=(o^Yze79orj4HP2yLmI@6g8NmZy#u`Zpble&WUM!qwa( zS#hZQM!!Eg|4S#kH@*4ru_*A|dwKrmU6Mn_T2A{nBFDt5%Yn5{JVFl3FRrfGd}r~j!u#OWyWrIY@YzXtb=JeTY@Ktd z?%1qLi#N|Ql2VpIgFA0any|hmTK)p#G$*-n#bMKvauU8hnw~Ks3BG-6wP(Ufcs506 zHsIOAW>QMcsKymO7EqL{C z^5~SeX#1AHV<|`A)mMRajAu;B%`bc__mBQ>&A$^~C7({pru{eXnnT{K`(6we)_ZNtCt7I4-)zdqL!mkn9clD}R0ODDFxcosSFy+Ax)jn+N2p*u5z zIYzG$F?Jh9eFVKpU4_6=Py80y zS;%*1-G^hX=>^`*lzNZRQVh>4ZtMc<6NjOT{#EPQpz^lQa!m$%Mf4$mz;RDb^nOpy zA+2K6T==p3$!k^G;jKNKKPL32YjdW)<((S) z`zhO=DGhsTYtxJc|Df-UX6@mRrY^kSlM;B#Obx8K#!O$9WTv0;eh~lg4a7T+jH%od z&xpXQz2g7O(3IN;$ z-`8pDIpDhAGcNE?lzYuc3j8!ZSpKVYW5MBMGyS=1!jHXWW`w%E(_?8jk68Eybq{++ z2hMvx5c6gP%io~x8#-v!@whBtJJCoS|mWwz1RL60}^j(1Az79%aNoo7F}#>n`PXH1}h_LmwXh!M?a zKlFy!6ptC$Mn7*DN^6=NNb_WdGzPR65FNix->(77U7obSHu_s?j0{aN(nJ43S(O{@ z86EmAeKn98>M>wBLD`#+1dB&|#)Liu{zswx%_oAzH-kH8NE&9P8fOnf$9b&9H=hj_ zFaD!^5WXnyj^JxNavyvsz4UMST#T%p2j3jd4}@M>ov~1NTkm6xe-1xwA)MSq^`9@xSNV@MBAjKwuVQFbjI0@)nVsY-;Q^`dbVgH+upBjn7hp zy-@mH4~-5O9*d4kq0tnNC$yGv_&spE1sqEZ4{h9N@!q%1F@YPQ@$aeg3+gmLqcrGu zlV?=mKE`mjY2rumMZcpp9opW+_&4kOFM`E+_yu3SX~aU!!JDB)DYzcyOtE;O6udqp z9==?+xf^~EFWf@^hrxxp5I74Th(}I%Z;rK_fxu+oN0x`?flC+n=#)YW^qVtiW?cXD#2HQKON#X8Fc*R*03XnIxWO&N3eNIXpb@ zooD$AqqSS-n8usL0drp$dz5Fj$5P4q+9vRuAJ{r@&CXr z@Fvf`N7*Ns6Se%V2pP5a^KJ#-U*+9-=GUF%G5z4R=7N8rZki`6pn7$@dmCQ9A>By- zHT91mdmiL@aI#VR_q3J9-0tz-YR%g;&$yW8^_SIVl~Mas;JH8_6U{*TeV(+9f5Y=W z+Pgr#Db&N3iru4Uz;c$hKaCtIq5N57$qe2vP#JI9#%^S|WP-{g8#mr+rnGYa_DDJ9 z$|-XpqmH(+;f-5knzMhR%nUQNy_|I~&65%9795m+8@xV4``y%AqEGLwq5J8-0$9s` zxAFzirL@MVRUe{@aJ=BXMR^TE!ec4V9vWv9^|BYR-WVVF0knFTn85Y0D>~RK=NxtHIb&Sl*TCDu8vZ)#hSu0$0`CP+PT&o#$Hs`*ap3J?FJKGs3Krz! z#$N$1I#u9pWbYQ>eU3hvV@HnjehdF!@FZ{iSK!^tyVs!u{aE#1EZLj9k+mcA>NT9#!7g~+n;tvsof3Nkc;EJB#3a|>Ffs!R zSPRbpGvgL}9awdyMr+1Ars7k23C8Vx_`bzc~>Pb#vuFj zsd5GJ_W_>GbJb-r>#wJ>j(ktlKNZ*V?#Pc?Ye=F@mR$E4I_Js$Cv6zX_3<2&KWy$r zt|#uNZeyJ&rQiL?-un0&aSoXtG(BB@^nTlyHn4xwYso=-|He8Oj&Dlm#1+S&_&4d= zPiGiMBw7ZqGPydC)zaf5+WQ)1oR!Z? z@>=c5#?cvzSNW|y;o)%LoHa3Dx+~IiNb6=2ed8l~UU4u77^7y^7xH@6ROyzOC)Cjor!{I~%xLp@aY7Hp_M_OeU8qe!;rs z(~C7`+K<#4sB<1avuONd@&j;B73;n1KZE^2=^mnQC1WkyQhZf+ozeRM<5Iaca$Duv zHTHW9E++v;ob-EfpQ0BZ=3e=@`0C6s}B3Cx_ec8=Y}_e z-XNRXU~ihe#$H>0+h@_qxX+H`R2?S==YJNi@cV?z4b%UvKAgOr5$KC-v2r#S=sWw; zo$|-Cf9gl?!ZxUl!t)Lt*&ns?=2qdu_RY+TR^<+kBXRS<5^`I-M9vIn?-*KUxc4#K zWoJ=#4rga|W?1scU2eF274fbGFXu!4JK>$gJ+ki?-kp^FPs2-G%lm?t`DW3VIq9Z_ zn`WY~&dI!Ac$3I=Gd#S5^LWof_Ug<~qa}mw^VQ>sd2eEl)p^EsExGlH+&1wFxYYC6 z46nQluk@c$VZK>>f}CywkJDZwbic>nwFO<@ItL0)+tKsw`8YVw=+*GE*R3m;7Y_+X z#S**ck$A;@-`MwnS@NPPj)V9}{5}^PPEuApzbnr3It!-wjDEg%jf;EUUJY*X{gui( zFgxSoF6ZP2&SO6Mn4<;y91s5>w-#eFD$j$J6At(s8I=e}5_!wq{Na>y+U|(A-9(#7 zw7rZ^m5CSw_Y+E;kyijKr1D<^daao+A2-K)W^ zb=h6k-QTmE-Rb~l(Z?6>uZ`c&61S}W-1V;32V(?21NSsK^cjx!_IZQKY508cp%DAhV(E?iHcT@x@ZHE5_#Sk9zt;8rI_o>@qSc0(HPDvN%n!KRE`$%I zH@lz7pON^?7&XwZ@7`-Nd=GmHEjSoAgSc@ACO>O&fcF93b0<|x*(mOM0G9${$bE4* zoUv(j@vip+&nGu^V5FI?swV>$J;84^N@IHX2Ki`n?2umc>Zd<^#4lx z+y5KkAC6ZivR9o?AOE{D$jGttZ5!9vpXkGTSS!%^{joyUbl*8n8cV4g8Q*tRH3Z^}`omKY+c+K0}v@&wgOt=tACAv2JJ$an|%! zJ0>lw$+cha$XWNA?yPz4_ylL&bU$C!BfM57j z#qlYK<72OfX8(FPObyl48_RO3#>bzP_{ zWiFu8)T0CEGoGE-hsobj5GqY4?=I(RoH0=xhH{?ooNeDd;yic8+pQxz@2uDjbh~A< z2G(zz7p|Q9+o`K|#RJl(&&2g<*4^4pVkUiNaj5gs$Qe#q^`rYlCee>#9#7w(e2~R6 zdN}v}Y3NqxBlib1EASb6JFxSE#<;FF&Qvyf*o(w|V=nd*8@=ZQbaw7-=pi0j{3M-` zyb#3P5FZn#yT^;}m>s7(pQ3wpj!pNJ{#?bx9mVNh!+nMh-S|@f0`}xFi*f!*0d79@1%BO`7`xNrXT}ETR{$s?kP^J_5WSey_ z=&bQY_Ay11xpA7z;*5Dc{3~88akhI1FY?Tx$=%RHJSbiiJ!Zm(TSo@glcG0`fGrr4sr%(An$kAcrDtRMZPqV*#(ldU(=H4!N zi@kwf;hfLDg2M+<`Lg0Rr|_&)4tmaA=QFO40goFF>AReDmaN+XpJeo5vy>dni=HHo zz0))PQ1Ei_Y`wmZ2sdcVgXXxdlaJkf@z-nXpK;D1RbK4d`*6Hn_goU+1rzXh-aC4> zo0j6ANgu~om{4a4^HcL4pJEo9KD}z!pHSw{wY%*00ofotgzp7%Zx!5s?LuEZF;zFT z<@!$cO>@Iz@#I|g`6wq{v6+6|x|(E+y(a#cyE_c-8Mpi(PQ2(gig$C_%zNU;%)zdv7i@{qqi^jy!r>*Dkc>MVmM{jn&pN0N7lQPsB z@?N^-Ox7<;w;c3-u&=^5hjW`=-;A-qsQ638gsQ!NVm|ngwLWv){Ggdx(}gdh&6Am8 z-)UsWwYCwrsOaQbt?8Swmic3n?^w7CUhJ2>n{&f0@LG{%sh(?|`Y6*$jIIr@eXh-YSNoM< zw$H`dcigKjVBn5<);;c+8pqk`SBXix19*|CR=jEee|trteFrb=O~b4Be-^Xe=zK7F z18V1^A1Ma_`?~C<7+KTNubvFrr?AR zu2*qfg4Jhw4*7`rSTfOQmYhlKW3atq-<{S$8+l2_7$0+wv&xoyLMOOf1r6MGh`X-k zFF;mH7MB5Y74R}oiYno|R@$qI!;M~Ht)+GGb`#rktzp8gf4x(?f@=-2xHfOv`GqL6 zrO}#)gZDWc+9vrmF3$$yB|U4XQpJnag>3>prEo$=!E(w$X4s zdx`M2W!KK)97+dkynF?!bBgay8~yN+!_V@K9kkDLIx<``dO!UQmC-i5+vBhfeLr~K zXnm1<5&d*eiXZ(#xt3e4HAuF!FZL&3V_a(IGnWKsCG&U(vRm(zl%{d3=ZO9{X zQL%<)S??O-^jA5}Ysw-&vWAh_|9RM6{=W#@JLqK2eVdj{*>2WWfv04TBUjG29x5gK=vV8UKIJEty~>l3S$%m=nvo zWsvA9KIfcki!aA$38I%7*ph0?i0i;cBx$!1@$&EC-{jwp`IVfLEOKb0m;vYPh`W!l z{2FmN*CzQEAKOa!qzYMw{$|lm{xkWT)wjy%Q}9WK-cPx=p^Gyv1NhqVT=aCy#nR&V z-I?&A-g!Q0>xbeW$*@0{yY99{tS!ua(Pmtw(J&)oG!#cX4a&2mJ3j8_zn(Fdyw-WJ zeDajF@>?)BvIhV!6;;A}Ps2x_@Ot+V#qxfjpLC80bLk+IN; zm@b{MHjVLz+St<$p60wWc{*~5&(5H|nZz_XbvmF&F7d$c0;B!h&Oy=2bEk}aWNKS7 zX0dntA;Ipv3#Z$;sPE>pBc4x;{7Nxmu=j9Y)#9fJ@IM0|2`}Lwyq~t_z&OhvrI@%= z@q8EtXQVB@MYgp2u<`%`yhHg5&6E}c|W3Oh9f66?jCZHId-pdJ2mqD z8DzrWo$K2p{!m$+9gc8*TJKxm?whs&{51daiE)}nnL2(mcP&}lfo;Bq{+vDvct4l_ zdfKcWr~A1g8TV6ukWP)Qlf+piN7t!Ics~)HTl-Jf@tiYMkLo@@!4jt3IozkDdaR4s z{r1^->FKj%Kk@DpF4)kot_s^73H@4mj^lf1%F*ZGG!_{40)zVBndk1`mS5_B3H`qm ze|IV_*VaB3ZZ@ea-1Av`m+~K>4UL<0&70^${3G2+ej@3l4*xhjqdBGWZu-ftpF`e6 zhkk3}BlV*`1f$C9?3qJ5J=5Jq!_n;k>-MDhJBOZEgZsDe{~CBLkx#@Ae=hfj)|^Uf zop<~W@%Rhi^`WQa0jHl>w9@B|TIn;LlnwE0ZvM;9@Od=gIjESJGuwGCADr3>-o&|a z{9v~3lo*f8J*CivfB46=_*Ls;D>z7>FrlN?6YgoTd71Bt^4zJPpqqtc&#FG}`*klz zSCa0Q&%2?z+dyoNWFLDXEow(?2rh@;wvlVC(V~-dmVrBDRZetrXmnNjK$prmo%TZ? zr)^sg8fa5%iKFBGzXB8bLTwE;&v5r2mqD*W?1ve|ddZ*E=P|pqmdv$mOe2=VbH!yf zBI~3ZTYEFmO|eprzVWK)%lgQt74O1YQzCnfJ)lLzh@K@bvqAYAl;0R16>~CvF6Tc( ze;0o)w#L$y73iuZ5l<#})Y>*?Pld+frTG5jVE!$@j&x$P1)pRAI?NSq%5%J*0K5f_ zrgi57GPu7iLZm+zg7ie`hqB|Uu<6=ZQ)C}i@#*LWb?9qN%yZ4j%5t+%dP3sdP@MwS zQPmNhC6nD{;Mc5vyQ_aZ2J56MBfQ-8G}kKQwy9e;djOqN@FbSC;E3yXRrJ%u+Ee*H zbvyY1{j5=z>=|$S_y*}$(5PR(x&ob4*R3BV`UI^wOU-xq2fnl7ZTLROmJD-_dnPhN zJgd3ttRa)2k0blTyqkl(cI3F)GigWfSws5QnCFmpjg(a`mDgxX<@7Jv;k2bSOKbWG zc=G`LzC^o7>z2EVc{fzCRFM&2!s=tQ!JO0dj=~q{)e{x9u0slJrO}N1nB3D|@K6@<1fl%~O&=?%!^??X;;iWS!+#Gc7tfI-=xy7`}tA2CXNICwB4R zXA$ZPx5oGSiZbD;`{R1g`gne2Tkne71=72~b!YsY?mJW60Uzn$b;j9aAda|5egMr2 zJ2#*Qea^-`4yVe+KqEbI-0jTv^d|ID0oTjGTNNIho>WPyFQg2i@{?A@G8uWy2-*DcsoOv2be! zw|W`94owcRu$# zHQsMDtc}l;?Ru`CKhssDra2Kj0i!2l)z5OqM^95duc`)ai%&&!%!mIx^9}`mc|jUS3@s zxc4*1Qa-on*qPHT`r5?SlqSUBup)Ei6 zva1dCp}Oj~iN3<Q=IsDL#~+Lvr}sopa&2GI;Of@ZiVb#gC%H&S{1> ztsHP7O9D%># zdl}z5i6?N+#fhxj%WiPbMO)uiKX%*XFGju#{>PDdU$*u`2F`!D&xIFc(+B%UFx#GD z#!Gk?Tf82RGtm6vU1^=!Tt-!a)-xQL_JSr94L-GZOC+Q_!x3DZV| zIu*1b+D>P_mXe#ll=~b%$@dDrSMa?N8PLkV?!QfJcTNbsjpy6bZJj6Xd(T>v@Y~Uk z_78sU(w~0Rtou{?@6BMWY#+USkBsPtZ4r70UH=$#Z$n?=UuGUqpG~p#FX4*ywT3 z*sf0eZk3!Z6+HKQ#zqx8HQavad26r2WdGLI-FJF(&EcJ~xdId)WoAV59O$LYCO+PpU2H~J}5r16F zB<9D3g9X3h3QxyoHVghj@X~pq)7}lwoQ}7x_#nw~;IVwEg7->vcJ%&EU=h4N;Ozt_ zjm_K8#-GNx`H*w?6$+3&=odrorKdF1@zqne`NU1<4A@E2=L@_<9@ zt}jww?#|mm97eDF_-fC+h7(V>$K96pbE>SpQSzP9CozjU``l8x+H6M8?bZH4-Pg?K zN_blRIl7YCRNDjl0zYcLlrnf8_Z=L08*P4Q5{4mdy4yza9)UpB!WEel6Rx`}LrA zcgHuAcMGOQ)-KLdgn~v=?Lo#A-cKJ#t|VuUx3W*sN&glcz~cjkW?&HvHNe81ea+1u z`pag)pg!$9C0W+IbNW#G!d+{o`eY3FZGTr@`V+w0PaEDzr*_LEol|q{XVrJ?6lm1o z_+u_XQ^y}e8Ow&X$9}MH<{a%i@3CX_-CDmI;WxpAKLne`@hft6Ibk0z(PmcOHpPfo zd_`OGsjNkYIJnYZ%)t#GQti*;{z3IyiSFpUv*-8K?Q@OsOnA`QhqcROwE$7T#E-oG6R&;Z0>O$tT4;9@Zy?Ui@eMQl)v= z&&a6KN$l@PPr8cVsET#$LB{NAexu6KL-z?KOA^P_7-sKKGEwtav03c@S@RX&wIy@h zGN4kjEY*%zxEk(>vc%qNOF|z@#s(N+*#Mo;RX#2G4*Piu`6ORDbE4(sY@NyyooeHh<;-)z`cgcOPQD5Ut`1|G z=0|8T?Wn$FjOsOVFQ?|6WRUi%J?7Y{Ybe9Kv)&Kb*aJQf>6&i;z2u1dJX1aOwP(k@ z=?(JL$TsOj?^A!ems4>VYS(y<^X=;lOSkqhE^2`YcYD}d=H8Hx(1x}C^?7x_xUc!be61M) z_$LMaK{i*hZtHv|{G%8R>n>)_lWYEdIh)r%`{e$8%(#$8+|$2Y9h#AJnq4Shj(Mgjhe*$ zK{z~`tRr|U#@}EAsJfo%*5m zM{oY!H;$gWv%Pz7<=fp$r~P~PV-Nkfd)Cw6?QS@_ulv}Sc69&asa@T_%s9+UH}(Jz%W+&2D(aORk%T9*%9j@ZQp6r@oak;n@Y(M;{`$$x3pX ztV#=)d?hDbGGpaKJ;f_m_E>h|6f0*^bjHe6JwM^j%9YwLU-^|Da#2JdB4>%pJ#CDS zF3Sp+ykVqK?xCLJo{{Z6l)dMgaLG@MG0{mYm-X!RjA;Kgbw0TA9_pq>w|bJ>e`F*@ zKj8I8f4TPf=DllwwfP>N{k<_F`cdw1{FE^^`duTf{pX%B?VcsS*!-u(Ki_=8lNNo; zGq$~Z=Fd0Z=@}ROlbP0@c=t*tgwD@P6 zrvv-b-qdKZH>W*k_P=gU_oiF#zLFO%*>w45o0m-rmploNo~O-+ioqlDQ*uI%j7|m5 zmrZ|r;o_G!3x_SUe!2N4hTp>R>z?H3PmPi7I}A_z_dJ==2XCQX_@|p^T{^J&kH+Ze zPYh4=9_X;llN7zbNOXW+H-<~5t$fgGbLnm2lBp~2?uRWzB9T|57`7%GzHsN40MLq@eSXIW#AQHmF^eXDDcQP*2?Tk>LT>@v9-)_B6Z2*^E*COCIahX8FrCJh=b!uq z_F62zh6g!4On z|8p|-9oiO-tc6{T&^m%0>e&150H^vAt?j+Rv9TSrdBPjseg4y*fu^5^&YxK@U!ZX>;>lCp}Wc#S;X+V6672_g)V<}7VD*rryGs~&}BV2Af2{{ zql*)RYQ-)>7kgfMVkfR2=vVkjC$o8@pH`NCz@CGg&pv4DJeu!Lp2q&XCg4&9tiCT^ zGZo)V$cW$JW!X;|#Q32*5=$Ser=KS1rtfXzjADlll|1)>ho0>t4q!5|P4fMBF$X${ zWs(11z7yq^so)INP22^t5gUEpC|`8mnu?y=FRwgCUeQn#`pv)m@UeMst~@rmx~4c( zy}X!v7E9Vk7$quyoI7iko2I|sf82MByuzVf)a&x5hUUF;ANhypyuZ5tTs64v?yC1+ z_kUCluKP&k`>(tDGlT2m-+$jQe=cp|Abi;ic;9tD;u~C-{et&h7u`qwqSqYhI@@Q{ zn*9OQ*BEK6G)9L$XcTLFzJW}6m2pG150V4&8La2*(g43Jc6)Ffz5Lz7OI0ua28p6kUbgc7b)NV_djc^Obm%1tpnA z`j^qSm2Z!8%+sFqH!8K4WKjkb5X6<8K`_ zkF|HjTz2qMELuMI5<32xJp7p4p;@~NoBU<^kz5Yo*Oeca{K*YD-qiWrQB^y6RY6au zcU0^Vbp0TE9I4;inEOZWZ~Zp&ksQQ_m`|}cDgTe?7WfRa$nCix?RUn4zVYPwymedd zTi!7t^y(vB=_#>&%rkO4HjKh=`3rJnjyXU%@;;qLzaR4rb3xx&&Q$CB=gkG(j8_$K zRk0`Fz$_Z8k2m?$vsdt&iyqGVF!$m7690ka`}by3M)6exdjRg-SbbjmuJw!eB%#|R zBY#G)){Jbvj7)Omy$L;ZWjwq&X;Z!0C6d1oSPR8}z*jhtJRU90czF%hp# z`ryErIC9xpXOOk<-oTyl7w?JRla0+L+tQJ3;;}p@9}<05vWMinYn0ptp6$p)!DC$N zvthqpve{nGxM!y540|jU=f~&pJ`!Uq^wO?<|y*&F^*}vyZFq5yj)uC73 zJAFm_u-QA6EAE5F+0##M%Psvl`}*h*ItNKCaQb;-bA8;Yq#RtAzk21|nQO?gT!8K5 z%;f^&Zik!8J@Ay~v(M{`ie>@)_N*Vzmq4Qq=6o~ycp>?N@xLxmOoGnpo`R>dxTAhE zbM|U;x)PsyDRZ)hIa&4jb>(HNcCRR?E7%$!U$*b^(#_TIqm`ff_x=gk?3{&T&ylfH z9=1;JhTOk`=F)RyL+Y9C2rc#Ic6Bhu&C9=1Y}tT!0MiF2Y@M;+IAU^!Yw(!Za>n8z z=9d#k9J$;#ZMeDUv&Pr1tUdcU9^@;(MT&7MXa>Zb7 z;JXV+AFATsQsKvLDDemb{vBIa8u&fj{!u}ie0q}q270aTxw2y;Cep4mC*kqh{OhH& z*>lCXO1TsH1Lah2@P4_My|$qf)dSJCroKi~iPi`MsM?$`>ThgjuP`2IhZ z+2u#^9Ua3eKbr5v2Izb97{1?|v(PG^#`n)FpY_>Gb*G>+H`QrjA2TWY%!7<&$@O2yAh>SDzcc&Kh*uA$6Sb zd3*ReC&&*lq)vPsPoqZ-2ir_?6bz~3jQ5|0ud|()k|A~Cd{O<@@O4b`HVmob@XsHI zud~>?i#uUV<9v4d55w2lPYlzLejI-68oo}xWO5?!#QC=R%F%lhp%%2 z`IK14nFpue=$j@vfL?i|30;x1GiN2EHoe-nNcx6jtDXP!EcW{c_PJE%qP70HW5E@V zX#3BRN1RJV??r}buCVS&ce1`Cv(Ta3GB9zUY+z4I^3;E=(NM@*%^v63GuXvJf4E!g zGwW7hn(2$4qp#*b>)jjh@0X$55^Gkng&fpt@HIQ~@mD;r!oI6V2dGDG`^@pTvOiGL zNV&v4nMB*Mlw9qdtix`-YX^GpYenc@(8x!OtoHhSt1FL<8`b)of;8g@=aRcj#>$Sx z_QckrbH?cqYh|C~ID4CW>D%7-8@OKq-EU8mr?td??Z}1Ita+Wp8aX(a#3nl5u{*Pd zz%y+?50sv$vWa$wQ@@w7JNI56da%8IC?}q~J?WLNO&@6Q&G=Y5@tBH3UBdoGCu4~Y zNM8xDs2SVtcJE&siV3jz=fI%6T84ce+LlJfC-|_@j4uMeyPbQ>fu{pr6Ff-?xelCi zm5jf8Uraidk<`C;6Lb27{#nkRymNkmI9OsA%&v*rPfRtQKjj){r{77~J$ckELpO8o z>6nQAbDI3C1*t|uH91(FK7FfS-sHj63JM+q(j{|Ka`Za}*=A85g;pG9Zy3tq0>jN&l>fl-B&J|u&qiwt*oD*_z8f)QX z@0Env3yvH&nwd+`FSCpFa?u9LF7fyd305aJ!e(L-6eIb+gR7f|-7%;d$Kmv*iOehJ zBKX_6>9g5~Q7&9}-#g%=oy0V`>4^cHRUOb7V>4E2W_L}b4zV`RFNGHFx|Xd4FDO@R zCAjJy0{Md-zt}_Ing_2saRF|5>F`dUXiWQ}ac7*yYRjSVIE%)%{u_pGs-SP>Z;a;O zyXI$yGauj!;d%*9O313tKGxhh(qTY#ky-wQFbIX?CSrxQWE=bvPmj4!7>Y39|2WJiw z+qUz2d7Iz4Ui);(mR;?{rEVuyS9`CL!#4tFEB0%X;yo=tr_HnYF=LLM2mcny_bd5p z$EOFmdn6cILS5vEW#68JCR)RUcPsQ*4E!g7-N9cuBb@d$FC~-XaU5z>`;S)LO6u12 z^TtPkU+d^>{MWXx)WPfgr<3p(*mzYKdDh)p@=wg5T_?8A86VrWwa4Kkcs0&8j%Y7a zuw~6`1!6CqPfbbYzOO&RTo;E#P5B|Ycx3LKk~5i;lGwP zk1@^igTMFIbl)mZMsSsVZ$tgWwp?-}Etmasg7NL34Yf&bB-=j#?Q|{_UVJigsc+gV z@TA~*0NA8kSg=|C6x*H~M3aN^r6jX|GlIC#k@!=5_*4AQC(wL(w%M>PP9Np4T1i{P z*N2>V7}4fQVu`*=Zh7IVGPlw1Z$}xNYqe>VM{M(UXs~0Uapc)`#*v+yb^pBmF2Xs6 zChzBah^IQ64{i>vSewquPwxCi)~sst8$~+~e*VRCjB(jYXk%v8a0fx?B78Lyp8@;M zSrg69>3WCGwIIkDfhO9h4nJCcde!z7g&%0k#ZHnab#Sfnh{_XDf;oH?anI?Y%15+PTnwJbayP;lE4w0pmv!J$`#(lovyvQ9tR3sPSV>IeJ6iOEnr z!X@;z9`cx7b8h5x%^QtJk9R`o@7^9c-N$eF(d9oc`M0VU1@k}CHu=U^^iZz@-{84B z=P~|s;e#^x;p6bd$JlT9DE@xikJUHZ=9ddo6_+p)KJi(6BHN!B0OUeai2Q%VX6Vi; zTgGXgYhEhvo4uznj(*DM=i|*6rfQDT{%nuNf_ZK4rAdY~!Y`tUWXu7N_tq2ZG;a3$ zJo(M|t@nA1lfFyNICm@O#eI8vZ_Q!e>AUEwcAYugfqz8tX?nJODfO?9w+YPK$(`?( zLrwh7gPxL~*4&Q6XX^?>@sSRscpCcMZR4ki^cmi}_m?DF7a`YiMD8(&{TJL3 zWW3^)#-h8S2wQL%Q;b!Dg;AF-%S^r`-Nu3QAlr>*=By~NF6!{E<| z!%Cm_TH}IscsdM?W6}PY4_vF%#}}-2<2VfXx!tkuj;;$Y@5!S7bMV7h^iJW`nnDa7 z`pox<(NG+3A9kZ??Dj$Y zz`ukZ;wAB&{80Wc7$wNyY<#)Bb-*MVKEm%}KD9QXQ^fv*-x_m2;}&2H#cRqDY2d4u zOc?Zzyl%WZ#JfYbycin$@AxZ)ufaahlfZKx{GiG6&&Fvk_&T9`9&|qq-5r{ranZbk zdRL|03_*$&aQT6^ua*IsMw zwHsISU2qq|gNn$rfq&m2U*Xlp!~MzU{jDdWVG2dT^cHIa#;iq04ou@BFzv;58x7Y{ zWC_vIr@;lE-+lpH-cN;VX*683`+=?aKM7l9G;9eM!*+=S8|#(-5^S7x7u{!Ge5IUz zo8e^)n8w4=Fc$w!Fn+onrmyVWmS9Zz#r;Nt~la{*`zuUgUge z>;>7f#4ps(o_h?<8%avr6mQe`L-Fj_fG(Bxa8z2+c{yo)%rODR>1=GB-i7db&c2xq zJs8N#GvF<$X}KQ_ziJJ<#g;v5iG8HH4Y$!f+;7u46($|E#*42j3{UH1yzE0ZS2?1q z{>o|kxR5?*H`XCY;n#w$nFBR^LQ)0q`-^R|~J*9-%j_ z@sz%f{z#-h`j-d@I-&x9|h08 zD0rHp;EC>I19((l6YyxBr`{^Tqx8&a-P@RR4ft2IFOmaabiL}UXg{RSf^RSNdH$2| zNsbY34%63`3=^4m)ZT*rWEkLcU;~it`;bwv|5mL5Ucnh@OO;>}ynS)pmj-S5ws+5) z=&h4}M>^}+P*YK+lE{Wy;g7t?bKB z$=_dJl`M~+SIXRH^%*jhV9NleF8pz7;f)S2jHd6usSk(!7wD67j-z4zo9UDMp9^yw zFavi6a5FwHn%n+ggf*I8Gk`A#TAc&k=9b(2EO=Q*TK(LYpY;Rpc^hnB*?{vA|MR>j z?Z4Q!2BfTvVQtLEw<@RgSpHT!<@|=r!~0GU~e&eT5Dr`J?uSAdrWlAu5dSd=g$;G?TcGw z`yr$AvwWu`IV|y?nCm+JEAR{6thmpmC z3qx76iJvH0Om#YZK3aBRt!m{*-tE37A}7lSQ|(jR)b2Yu-$3g+m7%su{_NYHbo_tR zo^IrJr#%a3gVUbkGd)&&_A%FgR(qPjz4Ax5=OyG=$pO|Ji#&WOZMmp^bg3UwKeC|3 zYqiFT)+I=W7)id1WL5MxYR{+5g9iGW3+6#|2@Wl44zzI*v5QCc{hcYe4*HNz7$5gN z5xb2=H}3ESG_yzh3Jml=XMSPZ-|c;a%5T{>$Sa!Ee*U`g=yq2H&V0amMw|zH)iwAz z7|bQ!*$-yUIOi^ttzpe*4#u6`nYjl4jQyYVOlu#1p&x$}YxfUh&P@B^Sfl#ql&5|+ zz}aq>aZ)}VTIY?RZx29oe=K=0vyJ@JZ~3VS_j_3rouO}j4351Knv)IK=g=H$GcPn3 z#9k(xs%(emqUHZoWG&@4pt+<7&FTDB$G<>&X{W!nj&}A_M&m_tlx+)hg-l$F2ljtwx| z=0T@!b7Q-RvG%86yT}l{^1pN7Wo%E`gnz1F{?NVY4)tX%{_(yMy=*n!o6&xu~6ZR~pA%>GxwZHV^YF<+EEQ$9@6Z(cL`@O!85Q)Vx0 zW?-isb69zlKIArD(s!@?Xz>y6fX>0?Nu3eBiMSf959SBW5k6>r+8SR{RR{5tgV6kb zd>UpTXJZGSpUxV|X+skJt}53$M~Au#v2n_m{C3lTw@Vjrq2Kk{d!0Qp5#Q@5SZblY z$T`6or$43rjI9gXkA3m2Nc-PX`*{zVBYi>6Z`$YM9EV8zk2>v#=SR1Hc%=QpTP1BL zKG#XLJLjXG`I*=r_1*!^zV*LtKj^n^Fki6#v%iY63s% zyh?hSC&j}Y`e9xcZ8`m~zDE}X&%wu@Ji_A_p}X`GJ@b1a{nkUj)g4#ACHabv51Q8L z8*#qh9J;Gx-(+;ZjfkQ<+0aFI!t>H&gQlGZCedRD_DJdRq{DOiLGAPC>>qRFoKfI= zbfh0D!Ozi4-`u#GxguJxSA<^gjz~XjVg9i7dWrQPNA!9I{)WrwhhKH{Y+vK_1L@XA z^}`zGj(w52L-q9A5AZGJucRNIitdL9-nAZ=%$M^)&r1{O4?PE?fw zd~{EC_+#Qd*=H%(JTtnTo}ksnX6Z6+SNmvZd*mD|>Hi$ts&r>6pCCEgui;X=Y(147 zi%NTi&Y8jwW=l(9Frxv|qmb=<9#5kbRFX_6gX&Ew-Mz2;3EeyAtsD7BS!6 zd~DN3wM*xu=15JfE?i?RmqXPc)|g4LQUb)8@zq(VR1; zy^QZ-XvvGbA~_^_OpmhkkfZ9Iesae2!=fc~q%}t?eG&A%6ur1TM+)?v{6KA8cP;x4DqO@=l5YN*)pxYHS95N_#j&nTj}g|~sx=Phx^{`y#H01i%UUOB znpNIZ+xJl448B=+((B%Ly_n8_wN-jb*{YrRlDnDvfunl`azH!nt)#C6XD#0Fgg7 z4@x(TEaA|>x77#u4E61U4D@V~d=D$1$J=y=M|vp3cv$(rXub>5$MsVWIwGr{0U>k) z$n0Lbou0oRIWH$Aelp{edCiU^W7RpdpEA(7MB2L3Y3tvb=YsTU{nWwQKf0Y0`?ND7 zPWEVj#>AoA|M|YwoRp>8GKN{->L-o@u9Q$#?!PZ>_5JgG+j2~Qz4zajZVMXrTHb=| zf2huM`Fcmyo8!<5d{F*a{L8Z11MPTX?6GkXy+Dr_(F^B|2|vPrFfzWQX_)iKx>iQU zxkI-eXw;{Cml$FGF|K<3u~p9bbkMXX(oXadEvyx)J;Y21LNCmJ7qrC>9De>Oe>&wl zwCe3coRVnvvV?QDBWj?>`XrG_03+2}ssDB&2ApVoY*l)t`M!r+U@Gfj0U0WhJjrQ@; z{HFHG2czgxgEJ2`KifX+PI)HtMo+fU;!O>OucypSjIq7Q3rAVk-=s4&!SmxojfCCh z#Li|OJ5D<^*SzZMUC5Yo$#dY`!>y0U8ZRA3hUmesZ!>-# z+Jh&4NL|)?>bY{GyUu{@S9ey*e z`B_)yw4#}pRb}(P6x#Jc54pfT-fPUC2#hn}qsPV@)t9Fl)yI(=)c05_reKmFLrw(-K z-E;b>WAy-hC*xSNfrAeAcJ4M~yS8!{F5h*>*5?2tdxB5yg%=zr_QMKfm%usmB>a2+ z^~j%(pDb@}OoNBhp13a^*r@hgjy*^Hu$F(h{PTTjzrMfpYx+>>l%~XttwM+0uoc?q zi+}c?RJl*}Y%c+i&q@Bo@9x|qCVqzo{;9^vI@YN%=A#?GL|IGmiHtr!zHclC;RHEX zdJc;|wLfvoWPDT6={R(D4`q-B8em^I@@8Fj!4CPG%14#C`D7RQi_Hxi>sA$<$rxbw z>njnOmh2E6pF!zMNxR6j>3g;48@w~eG5=ne)@kee=w!~VV*jVwI^K#;l3}$IIHSkc zblRy{Q~`7zoz|Q@E3C5%-$&=6eLL(8@HufJM1MZ%p5P&xS7R9`n;0iABl~F|co6=S z3++m;b&N5xi1FflBNjsaV#dsV_}L=H%R2h=a>{6C%)IpA9V6R*){@gv5NhcUFq^jK@azW@8;LcF9MTx{usgR{gfG1N!G12OZZ%L~J6 zI;^#k*V-?kb_plZ{c@Cb5c6~wdmXDfw;JI>`ZmLC%F@0pm7%x;%9r6fGgW?q69+V9 z9Yt1bCazh3Js{aZ`<^(mUcW(EQ>DpVDiM(KaW23EqF-Vv`wS?!Xq94UEvad>_uI( z>7VrSLG$het{||Whqv}xizbAB?YZpxEf*L&fpI@D_V>SlGL8bHbf%&==7x*P_@e#x zL_hu3aK7LCpW1Jo^qUVnT?T(U)?kD~@cAlW1@9;2lU>?-^&s|I}}ypE%Rs{4D9hzKQMbxkl$~YdqIS{*zUEW)br3jL z)33!5+SRui)YC~l0qT+NiE(MIWxi5jqql01xfDB^L% zuf$i!;O`=j1y9smIX(hw-!`g!)Mv#B7QFKDvSXLqI+{((jqn4& zt~T|;e_ft@t89l!$VBKJTRQM{^tv*q zN*5m{7LX5_2pRUJ4#w7u$Qq)Jvee(yS?|~*Cd|1yS2ZxDo1&BKO~(O zr{c4s_m|PJTj{Vtcz7;)-7`jIx$%vUuKTmfY9jVRB6%Jlw#8Izq?gaCH!eA0#)`;4V?}-^@m{{pKgrGBp(zP7UUrw= zi4Eo&qc*>j@897{M^;l?q!&HSdQ|NRAxqXhfPQwsXzJp;X~qRKd9vdlMo-q-RdbK% z+>H&YGoSXXh%2kb&eXYc6YclJ9HQ@_)3`vFKFLk z#&C3-3VHt`^{8E{qsYbCKfrSom;*DfE8|Q8f7b-$Rx`asa%%zW9#6S{UNLKtqd!6h zVy|Eh&-y3%I2x9K;VN4Ysb4%KV5C~_A^OL94~5E#cs8zCy;1KM>3Ns==ZUwd4&gM! z+Ps5yr5hf<@JM^VfX2w?CSo3HI2ObRc44h})J^E_L7TyLf+J{sotQc-g);H~u+>72|_43$xX7QNw>1yGzR=P<8t#luf zN4RXGkAE1+i*4AVKdm*}z*BS^1o!IY3G>Xw#CM_|T$|! z`>5xdW6;`+v+gnva5y?RmE+Xs=+%Tn)fZeAKW`tf1i^0y_?;2KFMQjgrJ!Nc`YOr` zX7=Kfx!`>Hj!yj3>$tG&!aijmR@t;e;|Mw8Z>}ep9tuvpa%S-I%vr%JLfOGvb3(!F zn3=)vJ-06ZhM#;d|JBFWaaPBZ`2+51y#I#Fp1(iluAkiRn)K}b$a3&!um4fQ=l_l2 z_Y=q0e=EnttTz&Ji8q_O*)VgjnpK^cKWlyB!qBS3w9tyg%UyB)Jl9}9abNw!fAzCQ z$=z@Ia=T1_ZmcUdH+bus#N1ogCYIh>mALNKb&2Clm;X95#{UoIK>zp50T-9Qfbthm zej()-eu47uru@4p|8B~^dtKrz%D;>9AEW#)QT|NYTn!Ab1H)EeP@AJ+xI*oA#rtmt zjwQxm|54iRclmQ!6Xos$mgu$%md`DpHeVG5L*Mc}=vn*L5twb9jD{fyOncrZeoMR& z9GGMVhvv9~?ihDa^l8hXZfo!S>PtewikQ%Q&y4?SaJ472GdzAqFa*66r-p)^P+q?_gUOs+_Qs+-9~licz5vWYkt5-ex7R}2YSw;Me ze@_(-?v0t{jQh&|zQtXft_>eNr#vUG(NDUje$rL;^DWfRH>00#+Bey^-pYQyh5Gqs z^z)7Le=aVspKqalz8U>|Yhs`KMeXb7Td1FJMnB)0@GZQkJicj;Q$IU8c4y90pa1{) zxo4FfcmM3YUVNu~_#FC?^J4K8i?ibI>-?`VjN!vW*pthd5N+7HwRikO_aJ1nf!K2g zWSnuwV4rr^ccYK^2zgRt`vDLpVhlXWWSyoLyJ; z{)o^{>1gcod)rb7ZS-x2d=>hZoys@Ppexf^yq)eb8O6vN@3VhR{tlp{0q%*vz0`#p^u&|f(pgFop$R8|stBi0;A zUm=d-cJx}3YwZ8tjP1xWI`@q|I;G;V4}z=W*_=5?*_<6*Rtw+Lf7&usY2 z{C9FVPrU=3)fmnsVjX0aDY%8pHtIErX=6PD?+0^lhAwV`KIT9tx%k@6MpwZ(2CM9I z3`q9_E{k7BKil(yN#00&>}OxU^@L_;Y5f&2W32Ujbh<;pcL`^!JxjVu zY=$2(?mlMRopleukHQ{v@(;1`H>Rtd*nB_TdSke9WvF{a!pxm3htJ&kkF#cH{TO^4 z-YQ$=NNknK^?z}XsqdI;gxgKV4f|79la`n(rJIKu^Z$vwr~b%!PqU1Z9}=5G@v1d; zI>dN9bxGT*Ro7O!XS{*0PRm`X=Pp>pIeZcx@?@Dg?nuR=fDRZQJpV|dkW_V&AYMki04N^jMEm$%tNTE#1! zh^{0SeGU4Llh_<`rDMJmnwFo7>Q#NKf%z1=BlMJ0bT+%nanpVuy6J-H*w3Ib?}N)Z z|B12c_BJ1*JvUEB7#oT`)r_mEV4Uu53G7h0mR}j^@p)|SB<)esP9&}L+}amcFneO= z3evUleKWF)+VCOIYKL$k{5ZIvucvI5-xB=d5PZX;N80)!zFGg1ZAG5W?|93|+P!D& zj_*Gf>K=q1;|OhjhW7ttp5oOg9*g{#q=$%{GuUU`9U>OgtI%cN@hG}}dg6uS(K-9% zOu=l%P7Y(}MtH{!Vdo5#??Z2&SO02gSYxyfeWcb-Z>_ZbKh(G4jr)#1vc3x#>cMa6 z3ZwcMI+)P+DjF9&UeTD#`??jz$q+PoXL8z-!tc#!R2uQZx1hCD{3PERSpHt^v7Y(L zr*ihaSH7N@>Q(ieTTu$_tuwvNq3?yx-U+|JKJo&6I;jwQh-gG*807sL?ILareB#sN z3yDwk&m#u(%OhUByfPoVF>#tCgUW|$5OeN8=H3C!aWTxdZumj(xs?H9bk_=Edj1N0 zZE`1dwe$Sb@i&BP!SQCs_!j8x=i&vc#0!SQ3&y|;M%Q-~7~%hbKh`FpvmnhErbo*8 z!efWD{f!-q9(NmAJ&DH7pNbxlHI9&0^!S%-d%VaW@enk5I5KYPEPj<-nno=AUBK1@ zuhJOrAm1qZ%NPW28qzdfV@)zcFK-%d^QIw{(?g6={1IDvBD`sucoX@1qIi?nJ;LHm zL1K}5IZGwr#>UFt8;3U$&(`8ioPY8;ylHs7>ieI@t>$r?FLA~x&uW9km%xq1m%ziX z;7je|OWDksk$G|p^b>6-z}Iq0^t_}qHDA55GG98{=8Bd+wB?KRZ|ccjUs1^c;xCs_?|Gf4Tl)OZj^QM}Avvq356|cn&!8PX;Qm{9hGNeY z(yktOMjJlY7SEuZ&Ir%&apuqG@eGv_BJaIwm;1B#FYK6xAJly*^TapO)AnvGNS0i& z8o6R**Qyj~9=VuvX6Bs6?h`NvcC{xH&mUPN`0cUtg6;019mwH9bgt-EGrZ>Lt9QGM zlj0+%;2*>{gO4a4^qSEXKQPWz#B;^slNoQGDZF=G#?qp1gJRh2~vjh$j!*NAsh6 z`_laExz8kz&$~hQ9c@c~!}Eaa-d^$>o}WqIJb2)Be_7IaZS3IR@cc95(y`B&6UH9o zeZbg(dB5ZR*D1cdn=g8bcM2VfH9c%wcJjZkrm{5GBp2X?iJiS_}@7&ly%gdo>9j>#G|C?z`x|E zFO=0aIFxlP0YAi1f&9*aM%L^*zm{7v^J}?Pl(m=qojxP$=wSBX5{EX-yUwpG&80kd zFk^9ED69AeBda(+lvU4O#%I~nSc1-|^y{H4>5LlL>lifSa!YdA_jm_s^GW-yP*#!Y z$t_*L{p;)prM@8b72UxzG*v>q#oq!3o)_hjZvpj}6lXr7IravlS}+k8Blj5pyI2<< zEeT?)GLp7nyOTeP{FJS@?BdlT$9|o)ri!)vC5|D#`>~NB2UaQ8(<=DC>|%4?UA7+I zu&RF~&rX-W`I!6|kX6&5#dR}{7JTSi#QRbQthn|j_L68koRyv&zlKz71!|w#sWX1N zSv%~*hEq~nl*t|jE8T4LZ^fnQnb?BnbH?>a4|OVT{ws{-{$Ll}oJaA(Z0JM!T*p3k zrr>(yq3e)`9Gk0cEA!02N0GS19y9b}j@#3qJPRn_YaDr9^s93xil8I$HS~4~MbJ=} z#Ybe5{ae>s%l_NeS|0lNZ(VD_U;1B1?y>F7(Pv8*EW-}eXI-WBpw3(z0UgS|FWp^1 zlX0?;bOnZK`OGj5PkOL>4mVeAeCsjer06Dk4%1rmY5&Ett;)Xe{1x@(#pgGEt#+hAhgF=mm{AS|= zu7TA?^0*~wT>37)%NnQJ#hTpNH*jc3sIl@L*W8(JyXWGU+ZaN&m3%Ax;>CGvJB4UQ z=XYCc+HB1`G0@-u*0Tdy&qm@KvhLk65r46syIR5T_GsK_{=I7i{0;nS-72~C)7Gsq zBk{u`-CI{0Crx}tcJB%7=;<-Sb;z+{bV|G40e8$Rb*sjn30HhISchDo`A9ket!cM{ z!*pb_rxzM6Z;v;se}XSu8}pXUhey`GgUwZV8ATn@Z5+q>^iNawg))L2ukcL44Zs`m z7s$59TOBgz=hd;9KH5T`w9$^k$je9I4{yUK{sNDC2idfMc1UJ=1$?!W#_6LvzDc(t z{wLfsR=fXQW7WcaAG~LyM*yb*b5Pd`@Kqta!3RHJp5B^xT^L;(c#*6>5Z=U@^x()0 z#jwZNZr9ti;b@Dqm#2{Ra5SDIlUgc>?q2k*(2dPWucz=d3dHGfBUt zUp_01@YyC@u8M(<tvK_@d!c@K>2EzSS9`o8oa^;`ha5X-|-26R>z9XOy3NWE6AqX!yh!aFqBUy91(qgJT;JJdj z$MYUzu4P}^Ncgp__dkrhCfa|S{Pw=V5%lM1c-E-;YtTb>Y_k7rJX&LiHnjPhrg!tb z*8NY{*1iADOr5V#_kMEbFW7&e^Mrm$o0F+i`u5T0=&Azuh^|-Ib5KkBHuF#ANM5gV ze{;uC*XZVgnZ`*ky6~K<{%K>_oxFqdbhZcZInAaoXCq%WyGB>7L(f>jK7d*Db#74eCUIkSz~a1C~~Q{>T>jwPjE>u$vLCBiz9l;e}g}%&Xts1 z?&Ij0N|leYW)CP||C%eV>T#}vlv{|NX*1Wsh@Po3qGu|g4Q6$d>>6$ah=Rnt^Kb5Yf zBem(e1G@hBN%sA*zUWJ*?El`5Ev$YgeUuoX(_}NbO1im~#HQ_~)6w;X5jtJ#N{*t_ z4Hwbr8jDVot74&_Xgc+~ll#zV@_9OqMJEyb0(80nel9wd4aKH0)sy^%Xbdgf{Gzjg zsWy#ouxNauMdQimX*|yT`7~}ot9|KIvdUcxFV;7Seq-*k^-YJ};uB`e+w`M-{ye5l?_{-H0Q{w8$)4e0+4#=+k) z9&U$E-$qPtn@?-(So)?tInf2cp1%HGN4*A?g!AXEe{NUjwRQ{ zz^~oNb}macc=PzO_4a@1KWQ^<{L|o&wPw>e?F3erIjT98bDSkpjC9+vfo2ru0cOi#C3L?_ON`-{*FFm4LTC`hi6&o z(1ol)UsA+ny`vXdgYJa0c9R~TeZtR%g3dhq&(LOl#*&Z${eoWnjnPFcfeFw1> zI@y=W1;;xXn!!Y@2cK@W2k%AS3=!Ca*b{{4A1Ec z@6*7nm@+-CPqB$I?xjnXOmrvk|B`v5qvE?SR=7P~hx^E2lC>`3Y?i*ZDr=ocIT|+> zeRBU`ZXWHtnfBg9yXVmUT*mfn;Ii%9o3K$I>eF7yc&}3aapuUn_leEI{HArR#_$=& zxb&+X0i*lN$Sm(1Hp9~Ao;_iNPyf!vnl4bkY(!}NBRw~?hMA9ut5p39_)+Khn6PA; z3fJf^%^!z|Yl|ETzU5MVE6EK`P_+Bg7?_?P`C7KO6%m+ z9Kjyc>P6mV>sK?sJb*0pt}D6fIQ!>9$RV4fWD)7wB#UUiDwGdy=>wTZONuh3OAD7w z&eUA2Hm{UU?Od-;tqGi-{@twbJBMe6&z=Z{wdc{6DF?xW#-LlV;aC414%ob0_8#eJ zj{x7>@G054-(e0wR=_@QJcSR%_F81R&DK0%`vr(+Kg8O+lKReZhVI#WOlZIbEkxob zxv>lF@wEH`y~r8*S8H;u50B8thv{Rjg{;2WL+mXs7qYST1fN1a{}8@jyUOktt>yIJ zrZ@3JwKd|K0RL?R*IKK{hiRPYX-+ewOR)W0taTvpT(B;*)`|8y@=6NO&NAzb*?;yPt(kspowsG{G5XgbNv3OOY)YnkA3XFR^T}UN zwhfDi>x8`Sb7^!^M+_^RJ`mn~^2jE;|&z`Rw zUCl7)Krx+M^*zu6=PduIm!9nPwoOkX>ZRMZaFgw$77ske3!V9(Ge5jB7CG9ieyb3khTf;{{Tsr+>=Hk*^>d;h&*KTOvfhv z@np$C7oWLP0lX{Fcm1;ThOlI!X!r!1`cm{_%SN_b)HA`@>A-eqgHgQ-m^xOuEcm2{ zv3cUK^ZKxl*z@`^eLkN)?+>P!OZviep-u5)@E(0G47726P8aXcyo!FgD^+thx-DmJ zZv&oo`tK0^B6`w1?4*w_Bleiff|0+J_Uk*~najzrXzSeeAjLS8`Ux&(@A+ z&rn(M3v2NCk1q?pP&HcTjW#p33iv+f*X*xMV;=-X* zFm1xmdd?Hn^Sg+j&bwxuzmYvQi;EX$9w@#nQ|D^Su9lHv42>myZn-;g9eLu47qO4Y zJBRop>yHO2^Y?veA7|>utu5w^XD|6KLpDDKA6QG;Tx?5dV-^>Ncz^#ne3 z@{J~r$9m-nb0##lnU*}-_Lk{-!K6;5^`1k|>NQ%l&#I1Z(gCSY96eCQ3d7p-AY5pU zTXgp$>lb75dLrMbKEd2pi(g6O3Z7ROC!6pkImol-woS~9T4z@bz%Kk@&wQm_w77iz zaqzj=HKghw_&fn#YgyZ$U~S*Tx_)ycUm@wYMCP9U&Tk)O(ShSHXVh1OLMNr$ISl@% zB^uQ`UPqTYHnek`QES-;wEj74jf0W(6QG?3W`$awniZ-pA`a>s-0Rqjln9+F&v^1b zO@8UD?R8UPJ+jwR(LBE!K4Rm@=KIlp(uuT_6pz9v2>n@&NhadH5Dn*?B*@4?r66uhu)y!iAm z?ARl6iB*^T5%9k;j=gIW%wR3;IlXXZa5XyUf*IOhJgWXj3yk0g*bicnk#yI$H#oa% zAGXLDqtN5Q$35uUe9(F>blz+j@i#$JrQTT1(jH!g{Wzo047`zkt{~GhJ$_z>?rFXZ z>yD0bBJWC5#6DR)du9@M#!BPQ2r^FaYs*kuXVX@v?P@Fjn^s#ph?m{T9+{)WV2-Wu z%!{jtpXaX_IZy4*g(gdxA3nnN{;_*x#t3i}jf1lh*iSDsgFTejF=1wKQv_~g!Q46J zo_RrYOzv9NT2-v8oEX5u&l=WERjjQhl4dPystoo`1&I$_#rkQjwPs>%1HLZ9mVO>@ z#DyJwS19Pf@zFhIu$_AMg3AE7WDL&loH#QmzG3kUaJiVVy3QL{l@1Pa!ND4Q04u?# z+A{H6AX9DBJ%h_f{q|jW*1N~Lr=JXD4h0vVhAZSb){)q`fu{smmIB)%;8+YCtZ$Np zKb=7_5&Y(G%?8K0;P^7`rKFq4^LHuZVe&T%tCwL zg8KjajOn<`LP7DJ5@35)_~cB&C(H~VdP4ss;@ZqL{k}$Xi2sTKp@;SDx#^+xjnn70 z9++OSZHalg?=>^l|D5UbtuqJvkMaB@|JO~=Yn|i`J$!8X@@;d?%Y0p?-~Xf;$A-2c z{$`$+kfwC{&8@+>(8JBs%eOsePV~W-{Y%VPUoPdaR`turVbXLXA!E9KUSP9PwtxDV z$!YAP%Nu4SOuBu^Qt5#Xrd?ijU|4AVdVGjcF6B8hD<#v~+1nT84ij zFqIV-FMSfYZlN8=spFs-@4tfh?~`1E{U_kTEwt$%aQziHCw;YI+Y9C--({{?e~Sg% zP=74XKZw9~0@z}|x_sL$z!v9<^Z&pc436UcnoI68y;aYXt`Yd+2ZtVh7x;b$o{j?3 z^A>zV{63e@9|XR+z?TbrGhQ~zjsjmh_We1)H}Uq;rR+&lT)wK(v`JM)~`2es#7kS9=>Mr%b*VxH{R# zD7b=@!~Et~p9O&lUGr7@fJyzBO}|x5kDq)wmw$?3?a7I~HWW-hV^)XZ!zEl#Kzr|U zHSnyx_3J3-AlC^l%4qr7&|&l5!UxW$(^?+|$Z>vZ?zA?*cA*PB=S@?CDf zdvn3kS7}c*X`f`D(xcPOd6&3`PR=(H{H~V^maa0~b6y>gFmH%!$ef><33DFx8~6+*gf+lV-f{3BE5fhR$gLUSy53b>`4HCNKeG89KT7 zU6DRJz`dI5^4k|Ljd%Iy_=g(_SKVH=^lJLEfOseqhpicX!i<}9ko@bYTjl?TG58vI z8S>Tm$+6ekxM7YuFTX|0Tbj!>$7l{~cPl1N;`#MiUpc{%@eK0FCdPSy%(=Er+MX-z z^M<4A`v2-#dwI_kMEQEKMr5AM_<%Mzx^cxs6dbbu=>8Y(woi_;){%ZRF+*!)$M5}2 z!OSpgB=kkE*8SPMa6go_#$~QmS%nK+)y_Q5dy;K~jfDrs!3+D?Vcl+GZm~B4Kf~y? zlMB7fb;x;B$v>>ng&LX-lOGlGhnLmdAP1vOEaz=KoKz^!29}~FTUaNL|QqWq5&p~uv>5pC=cd?z^ z@^wtRSg*7NAIKQeU#M5=wY`3X?e*-vH#1kuFE96{`EtXG&Y-~vpUC4+G{i|f(^e^^o+Tr|P;TmD-Z#ln-7$%!`sLWBE zCFj&H(o=cxO+1YZRrk(U!@F23 zDgQ6G+Io(h2SPh$qnkhNGMbNaW=1YNNOcuGVC)F9CN0@!EOpwE#yYSz(mzee`%QVo zf_7b>^;;LdGz-n@L)m8aR?5|W4%^>h6!vKQOxjxFI=7>r*-D$V?pJ%|r|}`rD*q7w zq*GMeWV`9br)|e+daq~7X3E~eTGD|(m2Y_22ndx9VGGyvsrxGFXeuHiK&e=hhrGz_)mWbWRV$pDv&`X!*JcmHGGe^ZikL z>r49i{^}LjNBI7EHad;N9CR2zr;qlE)>#8wP&c&xD7wsb;3@jM#_FrA)gI&f7{;pX zZb_26-D4Q1gV>KUkTI)0DKU&+)+K&h=P#b2b;SqxN1pFv##|fg3BA*I?4=rB74+`i z$a#s)!JwyRvgxU+a1Fa?jB5;El2Dm{H*E+(PgZ$Ga@Wh)(dx48F`P!cy1met;$YhQ zQZDT0y6k{OYi-c(X6)z-tiHxBNLxbsHrZ%VTngpYw_5fX+T}>^X7Ab1zQfIv&6X|M zW{Z~f^H(0&Va7uFbV!sps4512-S z%M8z-j4?$nPqWwCx-oNeV$BX@@Aienr&(yWY^6;~&mJEu{|A z;|`^5b9tbQbPre4X2XOZmm~RNi61Y~f{?g%`u(fg5+61`kde2haF_PU(QQG&YI%->tKy z`^GpJra6!?pjZ#8=Yz<+rDyefn&>;i7ewD{(5KtBO=_MDT0Ex3pClUIYgBkt83iP2oP z3SIi!_}HinJEnf1{>$zGS{!{|Hjf^|98q!6M#i>)Y^V% z$lA{X9bF*TKs&EM$99{0V_t|hL`UKGjB4R$4ReP42>ZsQ`0s?pkqOzmYQ>TH?~*+o zoK634uE&9A{C{&j4m{rfp?Xey(lY|XA^VQqUBwYv68$WSFt1r@+Kt8M*6c@K*^d6$imj(Oa+(v~o>jG!}mtwOI*Qo(2QTZ+w^y_CSH3G z9jx|K%ci)-^scRiZ!R+Y&8!RM=il-;aRe*K%X+Z7(M->6{P(3VHdb$XQ|YA_mOfW| zA7-S4-b2S!-I=)QP1f^kiwsY5x?$P+EIuyyZJUcH+&xEUF-6&1+^*_OBc^(_F|tdt zi}obTJ|x~QzTQ1~^~TK>f0e(bd^T-6&`z52(@MS*(7j6K1%&z0DG z6kA+_YdCukVw>M}W79#u{xfvxW$Y<@Z}NtXhReJEpqbE|;2OUFDpx#LLVW^#lUEwBsMvi9R}(*kF$n^A;QJ9QEn5)N=s59(Vid)yBWl zHuN^lR}i1`O6r!b{z-F)?`N#hSFlZ-sWYPpF(elW)o+yRXj1XdhoW{Z78A4D9+DihfG+tsSLCcgMM$*7iiZj-zV(J;0L&4dQR9I=tp! zbXUHr;JF)GeO&2`m)cd=HrB5CN@FE^syZ6{;STmTy}LUu-1dEZI=*3aU#amseoi>N z=Z?(!);lsA4&RZv*X7wS8;OVUlyt6QL&v?L?q}b>BXe`Mt3|p359f#A?~>73iZAG% z(V0QsXQR75dJldAt)nw@c`q@28C?$$pY!nO%u?Q~On*kh`=c{8zjs_33Lc#_Gx%-- zeyOfe%_?uCIWnVTp?X}2m58<}sncgzcQn|qm38SFQ5J=UJrKE7#sHMoCP<#2cFTcBzBM7OVM9p%2u7)#K%F-_AGbsy0*eSq$X zP16VJ&YsLc+>hXs6VH9ylUa?EAA3LV#i}niUj5j6c_ojvExG2g!+BYc{UvWE&)F%H zmrQx=P+sO^Z|99p&RR0=`)y0My4PQumVEV+!|x2bcj{yBsuZDD0DZk2lB(N;+S3EzP^3Qn(QvOfg@s!FLPx9m?{~TDJ_X*El+V>xUioC%04(FXnsmtpL6y>G!e0WCFbhYtzwIgQc z+=a>EyoadwAE|dCc@hTAoI8s>fU`0-=e<5~=G;?UZ)9v9{B_=6qFsNWU9V@{IXFN4 z&b*cU+s^eqIC_dS^V2uyEl`Ov;{>o;G+K z<%$RVhJA?daK%4%1RRggb03MBJBxc-@)r8~;l>xMzT3D0KbdDp^8jh`xfb%=2;FH9 z;|lhR$|t9-y=OiF8Cr@>vqgS7rO<9EGF=7Cubs<0 zt#6IQS3bx%Z!||Gpre=mIfGaRFWii6SA5+KPd|+e@h)ozkH6`TV%E}YxtDU?#3lK& z?n_3n{&F+;>`-GTycge)+3@2W`0|bL=NsVD_WqjA@!9b2S@7|hi%)!I{~~*hW1qF5 zF%~e)GR4GneA7NphuDptLB2HduR6_KEkDT%-A*Afp1A zxrFCkZnH%^TYInm4ZpgO_Dtk=jvAdedf#L+4C23 zh{-;yQ1bXmD#L>6TMIH94;N%U_r7d|V{&Du%jGKNTF2GMb&#uWLx6k%@&(8j zAYXud0rCYbzN@hfbwo~T=bdl)_FnWjp}YLz1wz7d#|q(|DupR&-$+a9nGPg=&Cb3;A9`Vm>FhL z*N;}N*=U^)NE+tLD&u7rc-47*w$4y_o^p-o!shGmXf}3&&-sd#>>{1Ym44NUZD0_8 z_$71~n_R=Yils}4{FmRClctSz^Ha!|O7jx>vku1XA2gSdwzqB@ryo$C%J@+KX#WOu zergZ$E&IijN@r3>-7Hu2ABZn_GdPj#LdRJ5Z*ZSXpK#_wlJeKF?)Rbx^uFxMQW@Gy zvC`$W^-KISel57|wS3)5SM?O|wrQO0Pa%6^kaF0QWBFI;eHia+O4x@_*(LZ`l$!49 z*qKK4yU44B_*twZen;a9;ybUfVt7=CA~8Hd_+8}ktsS_9|2FWsiT(Jg$OOuJjPlmp zU%viX3v2&gWp&_ zw0tWxeG9Zb7d=HD_GEjHmK_J&44-D-*?GUjY&)J(8@$k2yJ%ma>a_YdWRw*`_v!=f z9dgczl0G3|j_6v!o(p)_4<0o%1{2ZI$TnohOi~%O@y3)7h{4HN`N1sGw7cze=i}3I zX6=Rfdv%;ve&XYG3<_nPbceDw%`(coDV}*(E?<*)-z--adrh)3cpp-}Hu2sYTvyK^zzk-MY*o5uEbDQG4Hd>*CZC_@qYwow(wqBzAmve-<9?581}aFeiQGDzRv$Z zC@YWm#_}f;7vJH^T7fS3`1nwk;hHeEotOb_DegRz%SaiJm&TQvGAM7KQ~tNeKY_UN zd@D@x=B?nG!@uV8s>IR-uB^%wf8Mc)p{&i^Yg6LLA4mQnd25{f|3LmLLRph|zmxB! zwBcr+*Ofn>xTu7-P7Y;VJ$6vy(6L7170Ul3^WS^i{VJl`gb>J3_7>lM z+Ew(JE6X#`mwWF@+OgJ^Rr-W0YtedF*5ZG3W!=A#cF|`=|J#+NIiungW9OT!8$W%F z*yoNhCakfs`W2gp?}d-rJUp@MA$a&{c&K!ny*$+B-%9^LgnzH5t`PiYhm&XY4wXiiwi<;)XK ztS5V(7}ixwzwKt8Fe39r*qS4f{)RbXm=!-{qM2mP4JFJG9DbnKWX+2r^8@nqNzD&8 zIr9UuP4E0L3|qU6^K*~vsiU7Rh&gKDTdTg4yi!QNIXZjY9ecav=t9nciuS=%dgUvm zZ=HFjkiI$p49=bB=(1G5EtmK1^OgUDQ(g#Kt-O?2LC|60rIphwGn%FsW^kXxeNyFg z(MJ(90jy2Hhpd4u;zHOA?+nT->YExbzSB zyNRv*l7k=Zy|@@3wvCXzMEKCk#$o$r7@ox3Xk147fAo%@P&a#Ox>=)iH8Fpx&Px0j zqT#Hh+&j5yfrE9&cIO{yWe-n~e3=g3REB-dVlR%)`;Nc^Rkq3qEHlE`kKn1c--u&> ztpy+BkmIjI?s8-+^jO3)wbMCgKse_pLEGR}^g!E?^(_4r`16=H{tk_2FGB@B-s~Gz z-Gvc*yMxQVXOi@X*AVTs@&bP*70p6t5uX4{p1aVF6Wyn>Gavcp1%1lgdSUvWRd$SyPt$#> zJs;CfY*o8ZC*UnKYwXXC0g_WUju~2&3o3&KSUNGLWHI{@N#zSrOV`x;^LDaG|U0b2|^s zugY118#$zO%dT5T3_8u3?`Oga(1>{%9C&zyr_w}A=5NP?eQ zzS`Y3*emN5&O>cT(g?A zKGNx|htltsEG;!}=iDeyz28ios`h5^Pv0Ai+o#dy>Z+azy0=utWKNx78d)E59+UjT zyv!3N-z{D`XFy6q#Z2ULV3>{X!H3A+r|6$#!Mm6k_&m46dzinIyeXkf$|&;;Sj|~> zp)BPu>A7NBEqZnWnU_ebRGHdsJD<^Dcc*OTR9;W6{zju94FekLd{`ed1X{_32G}oM22EEp zhs>W1ZIn`fX@oW^!FLcCW_*Z0$vD~#9pykDL1^;~?e_(gzGSJ+ge)cxI_k37locYM zAAEJ9bIv7wLr>2&_#@Y&6Wg9cTScFx-z{3IvgSai2J;ZOwZC12N}5%{bC1~!|ON0ZyX*SC^y18i3y~7YB^^{^{V`bD7SE|v0Zy1#M`ZQu&2ka z$M)Az{~IHbr72syRft6a=Q%M|IQ%q$M~p(B6FOf z=g1sq;N#;wGp{BookMT`2feBFKa$V!MR5NAoc|@sq0A!s%R^rU=qvTF+T6kVUAPlJ zacH9+niT&N-8icM}<+eRVaEoPcJqN+x{Q@>(r44EP2O)rH!^Z`6Z+4tg~qR2>wfM z>xBtEaKV51*1URa?|;EOxDQ?&*)!Vz#*s;1o!^`Heb$lD{q@GFo|k^nr@k%n<;la3 zu+Mkl{<^PM=D*v|_owGp=6{#(|9q~0-;*ZxRcnuse4j;Y*CZPWF8u2LmG}Z9S-%MH z9{7bffL!r#@zP?WXzIU?4Q2iqo@nzf+b>Ku1~vwZ{6Csd7O?47UEJ$z1@*BI(OU67d;W8A9x!#(#-Q@zpU zG+?hkg?#eRM?Ej4M#@93%uqSe?b-`Wt67JrT^*m%E(F*4Bm1-q`2aib@Hr;y`HSi& zz3RX1tm;RTF~3qHjUb6Ldj=beok6PDzEO*m)23KM&OM@;I|D~HN^Ab z$g}oF7V_R-oOtbTv;3sM!3U(*93^}h#H-f&##t{-!B52*lZA}OLjG60ZiH)D*9Zp9 z0ShC%U+W0ry(hBvG2n0VNBlNE-<6~fMaE(!vR)PW?_9A42z^w+1*3-G2lgwQhItWu)0Sk_}%lcw&s9 zCVM8Gc4+P%174i@mofhX`7k`<#vd@XGT)ht53*+bkhO#ScXbv-H{}VgGj4yzQDigX zqnG~Ou(cc0-RNo`DOwsfubj3f=9X!}LFv=HBS%gPR3n=a)1VMvnG$g7Cx$^cvP#ar z%uJObesz?&eKvEI%BnoqGk@_nikIGeE-=l{x&m3Yz7biB1A~wiNrzv%>Rn7(OOav1 z#S=4~ytV8XQQj`r7u}?}9J%pdDZi6^nlmxdO&Ljv-zaQBo zfXpi2BH8*&kWmY0*G$H__H%WUMsl&v$PJ>`PG4i*$~ie@Mf?ZR@y+aO%k}!J>R7Xf z%mC*A+UKDOR&br9GA8=jhe(+Z6R+q+%E=*(aGK5?dQF-wojEdMG40DDZ92FjF2qpe zy^NobKAkx~@NQ%d-;8VvpGxOEJC$FDPvlYhkh18oQ?$R7 z=S7cvd+8=KxkNJkrlZ&gfT4l7D;3Ddo8bpt%wrYE$$ub^lXf#{Z$gGW1}&V1hrPxA zxLnhiD*ia1?^;8k*XL}9VbXc5 z#_wokyaySJ9h_ZJM;+LvvOXeKtYXuPo{Jc(LH7uJIgF|_)^9V|4_k-Nt3%%g=c497 zlknpyo$iqt8PNW0`uHQpdNj>P)4AwjBzP_=&d5x+?L5^*%n_=47I8FyWi1GsTT?pC98Q1!zHs&C=3XW9zhS)?G@Y-?Ag-6ou_$K0C;$50=XYu_} z&WsSQqrZy>#q^2Auk?q+voDS2*|uK!i^vz}^-~d>RmkO;%D6#?B%N6Kdtut`TN;?> zH$yvv!#0hMT{f!~J9R=aYagwD)|x2^x_eDyXQ6TB)S#JswVoZFl~Wew?KC3iRbKGT z>zb!I(e?3di;_m1MlXy-NjQTJ9>V6)ci_QNnf{vv7GhOEptTwCr}`sin;JsvYnF$y&OMSFPER3D({k;9ofCG>aNumWaFMI>bx%*vdtK9R ze(?&%WXHJ&TIHjE*_4^#95cPyhhIugpZSTG7-t^{)eIe|+gV*9iTJ;2ea)V=xtS9iB8|=~j_SRhf zmtym6uJ9l5}O=T&QV@DcUH=Vn_H8xrIn_FX3 zb^ltchy1aZ==tx7#T-`^o37`(TRjJIt8&jRZuQ+gdb00IBg=PgR;zD{?zyeLOx^Qa zeb?%KM{De5#LrfH59Cz&Li)C#bqzLU-*tK}Y4x1Dzcu~gz+}%&MppW{8(TfM=svgA zGhg@HT0OVxUeN0KrtbH&dJ5T#d|)Np5U21 zox5HrkE?mQ{6G!9uMG#ym|c&SC)8Azzh1+h(}t^Du3cNoe^>K-`H&jU{cBi3d5@MG zHTu4lG%u2NOLD5dTL2Y$aH*No#iu&eaI{teJ7=>ofg2bwqFH_$NK zrRTjHI(fdF=h*%1Sw66D!?RZnud!$px){!t13hX^l26h!-ZyY9gW}vheeJ?h8NhWyO5S zKU0GJ4LN3gTC688*Yq~0x&6)Gzzy?)Wo%Tyf1w z#^9=-EFV_$^$K6jD3`zL@#UVHXO{m<&2L--8*(f5*A&y=b1UAg$u$S;`cg$)jSC;= ze_HOXSzh6-$>F+;tFyV{#a|l(8ZNCkP;@oB3w#4N_k$%w_850Xicm5Q_auI|E*>=c{;C12&Wmtce!cPCGZB-f7s=2 zsLJuy#L%u+D#p~L88N%Aqpq82&sF6A*NT6uX*698j~XL)O(kEWIlSR2(sJhFuHU@& z>kW#BnXHrz}4GGl1NhKi(`aTUL-nOZTV=5YDH)SM_EM!A7q->>*X&AqN6 z4VP5>zUIn`_?pAe$O$vPA?>x64fj#+d%p~IKk-pT>j~&0R57~dH{?A?-gwF%Yz%J5 zcMaTikow!f^N@qT+mH`E9yEtE%;oj3$*>$)cH0ve9!V^=zUPbJqh!{{IdV3 zIby`{eXj-QZ_7v3JZcPT_-*;0Y8F!7J>XLB_kc^i|Fk^WdjDzppRM<2z{#WZ`>)GK z^B&m6xZ?Rua4}%l-OER5oHg9N{7=^VGqhdr&(L=LU-;Uq8w|$rrOW#&w5|5d^CK*)v#dso7Vp= zw0|@8>)RIE)Ce5J5ZD!euxSH+?hV%iN4`ZLfnC1`r;YSOo@;o+Glu$XP{X~;|E=bM zDt@SSWp&Uo*rF}l@P%zydMQ^tV<2R1xPzwTq49WVFPG+yti zF?fHT@!AgmI|N^9flnQTPbvN5uiacVobj`j=Qy69DSxA88@zMsGIvd@E3skfvOP6N zNc(GWG!Qy#Bkx_Vn1*fe!dk=Fb@#G?jFkfxojkDYH#PVc>^fEMs!7neHHJ4FDt`qW z{vJ5vDf9O=joDMeS1yaMSpXeQUUmQ+$JI2_riZv6G)FW%#J8(lBX*rGA85V*rTjO% z58U++wCABS6|M2`fxl4SyVQTC{Es!K%SY5aKV)+FUfTIP*N|PrYXCn3cU@^DG~5rZ z#=Ax^21f2O>EC#l*?G`Z54^D_qTvK%{0hoxGVl4{ z8W+#0Z}~PC+zZD|DI@dr{Yh|oaJr|aV|S?g*e0V}JawDyzb3of zSM$^Iy)|{v)aA^FlbIKXFW*<=g?4V?{WjijXTHoOe;Myfc>nhQW$)bMtE#Sjzt-Lf zdA|dRgz$&0FRjSm|7EFL(!E7vIXlc*tEh<{FvWQeu zrQO&9qP%tz#HeUJ=a>+bo##%18dfQCzhmtcK+kFKy`RtheD1xU+dtN4t})kK^ZodZ zF~=N}e~+ zjJ2(dwN0#v1!}Z0hJG-IdZ=K%yTj=;Mmil{aF|h~4Dl{i!;KPWn6-|Us6)N4GH*St z#CU0IqehMOwmKq=So$V<|E%4qxRJ&&#?Lt7o58v`gYVVQV{Ka2&}Gmm(4$#LHxhpU z`f=(k4L?7A;kOOc-l6_v9X&$Zw9&`E&m27%`VDBM^rV(tnxY*n9i;t~`FjK3?#G>t z`)26}%qvdj{bO1MYu%fa1-l`}Z07JhCCR&V*2xp+siQMvjr+Sb*Bwf#=T`amFaAYgieGZe5)~dMChm3EF3?>$G#EH_jPr{J8W@=4FR=iu{~e9ZmnN(<;nAFS)xV%vg}>$$GnT*xzYqM`AKaVeR@6alemxb{U&Fs zVbT|S>5F}(Cp7fjyerH0Ym3ShEs?n%8^PX>=%aHTR~aACM}@w(EZU;)EvwU(^E?1u zO4_T)%NpD*xDsv-c)p1>VFc|no;BhCe1QUfP@SsrA$-DXtRMH#pYJU@sLd^NYV#Sh z-7AY3JB{hG91a}4&5P=*+_jwG)FHW?1)Sqzp)V(l1Sx4&|+ zGt~G?=^^dkN(X4~mmbtUD0OOYIYano5ZG}bZYpjHZWu1@%>Qf2SBU+;oBje8w9*Ku zgS``|hXDPIyT@^p!3v5sX9>1jLfiFYJ;4k0H-u^HR)=XtrD57mz6+icZ2k)G5A*I~ z{r){;>M7dnN!H!jtKZV{R)=VA<_bS^b%41#5x)@p`iRHNyuFuk`S~ivyuNh5HoR2P zzFd8ndQ36ifcMhD9_WmN$s&wDFy3;B=SJFkt7C|_YxM!Gd9|vYUH!K9#p+OPQt8{; zHKn0i1Z^~=?6CG0^W2TNxn*Hm7*8tgHl9Afxkazw!STfLfYV{jW^CjsR~d=a&l)gR zJn3y^eRolB%%k2g-UWL-qr~%1n0GgG*HG%>YW%MQ4?OA!2V1A|EyBXs*EvGGJ=BL_ z{t&P;cfA|eu-@g+zcT4-t^4BiO!|21a>dM~-?uJNOdSl=I!`fogNt-9N$b9FT?f0g z=3}dPmCLMQj_Pv6dS$#|Z{HhE+BIqj@8RC(NlV6%ua@*~UF~B&jRFVP!2?HYvna<*^4_)p z{VM7uoAPB+rfA#&xRI16oO~aoO@((YQKGz~S$mf;r?urw*M+Aoa7G&0&M4NLc=%sg zdxQ^;#T|efZLKE{u~xSig3ac+%uZ}=YSs~fawt7EmF#`#zP+S*dcJqO2Um`F8vb!KKvDM%n0U%Z!z|^ zG@O9%3Xaq9#Elr#I|Ba%=F4Q(NlCAgxn@89o9P?R&^OANe?}5!0N*7X_plhn@WKlD zC{_l06Zq$G!aT-*i{PbZBhPt*amRS~?qyDkcMLHy>@)&unm2@aM5Ys<4?INM29T`; zejKSuJ0uY9bLuLmuE=vWV_*2_UzR3o-(ucdL|-q$e_QE$+7#x(4_TwmGY>W~4{md& zcpqa-TqkRZQ!&279C|x*{9NYvQOtcw%wO@$e_I$U<%|Q9I=Y!KQ^;kTF@uVHSyi8XgJGJ$gN@3(R9LvCY9J z9GT{QmUUqS^)S~l*hph8X<`m!UGnxZ_Xs{7&Kl#UoQZYsR!UtwM)>i}eeY0jF8nhH zH@@NB%2!#(;#psXpOX5T<8XQt?e8*wzC!(f4(17fe+19MM;UWyH<4FdM_8FlMFtUg zI8y7c(~)1RQwOq#2rceXoxW+;>D$_;PlQ@^dMouQbsEarc{}yEVfDM<;Y2OtiaMQx z-(38@S*L5L|8na8=d8KEV9os&bM>{%)BSb&tTXZN*6Cbucr)YT6yrkbG!Hoi>oV?O zV=s03X~Wx>>NF3z0{z>24Rtx9?oDJaD)kv^)#t5*mAW4Jck9$))v0`!Iz53*qQ6cB z|4W@FT&h#Yf2z~X)ZK9E@U-1ee*>14I+gw_{q)!1+h9MvT&MZpsM96XUorJJ@`^f5 zz%S9R(|@I({#w?3>R~NdcpX@{zfONco&MCS)3>aC`k(7Gg!X#Nl7&f~p0>w})Tzi{ z%BfT3iaIT}`>Dukim6k>wL%pdNS2W6eDP#E_>TND_!mEx%BaAR>@H@dAihV`zc*gsk zluzb{fI0*^(U<@|0~uW__+th*v2_~Qrp#pyq)h^>e@*Zpr|VBt79k%96e?yB^%nsD z6tPAuW-J82FGZ{sd%zewnAcunUJI-czdCI;vcP*O%YD>E031`qdNF~vhgW9)3c*Eo zL;CT|M?d8Mv_~SfNH9ekHWwlVSAa*_%3Wpve36L!G7cOSD2&t-S0Cm5q&Ac`3-|`; zaqujO@X3SVlNb41&j!FtXX+Ms;=nSIwC&c0X`Z&JF?zrmQ~d$+=3l9ofyk!9kW)QF zxt^v>6{W|ud*L63u!g3whW0vRtDWGT1n^EQc~Z#FQ>AfQs}ZNqfQQ*ne_cntt)@ihO>tt{AT+! z&PjuPI>08Klc(w6A+HaN(>)103gDd1e3$tFYnUY~1PdwP&Kfm=`NN4j*vJIu)*v^Q z{e{`!9BiCg{3G%KFi{woVj!3(4osDZ8-g3^9RoHMSxhEvybS!>wYxwUj8(*Z(^EK8 z7hXg5B09i1br#l21G5YPbFrs^e4qpw-zIqEao`j%n-NR+(Zt0atlpKpXTcM<=g-nR z!tT%|4Z*`E^<~8g_8LxK$Cjt}QObdhP5NUpuIg>3|8+CgCNM@so*{f(GyOomWg%C2 zio9l$<~@=|Zn(CKeY6C|&J1Ybi96T_$pI(jfpf;fuORO;^1wYaks+-^E{1&9c;<d8BszBi73x{h^QZPQ9e`OKlt>gysgZmhM?chqmUrxrvB51Xt(38WSe+gslR>srAJl|(dyAxjh zaWGqnU^Z}#;F3Gx;n#yx)-&J!9-MR=;l%&`6f7-^ohPq?Dvi58QU(V&9=cub@a8;BN z1%?{voeP#_tgw$ajCWtZcR@Y8oQ4_P#GlF);ghlC!)oFugD zWe9yE`x+1PKAZ32Ujki37#Z`^@JBA?T~6E&;`bfG+|Kv!(?0{u154i}@c#(@m+x-cEQxiX557oY4ah6~P@7+xsy)m8RS9!jHf`yq&BW%-QraTB z&R5wCAH%+b#k0h-Zy|D+c#-LVS46HL?cX*kPLH6iq`hCGEw4p3*9yNr2|1a_-J<9Z z0o;ZyczvXZ(jxq*7deVFlbhOzY}-yY{lhM(Po`xC}a*OC~$qc~P? z&4|+L;h(CIm$#M1Xg=`US@6c6*?a3Kt=Ev18pl~L9%0|Bgnh4HfV1kH(cW{^)35M9 z&x78oQ3(d?Mjre(`dJHorjiuT znyh_i!47Ac(^BB=;^FPifG0MvXF++5Gw{jZcg7pLT_lVwd6nS;nqW`UVD!>fu6c{A8wWX=Vwul;); zvfm_fiRmK}G+6_8S@d+z5?t;Le{>-3R@TY+xHt01yi^bGbOheXKM5HV@(>TQzD>yb zWWG8^KRimmY|VD+t;`pHV?Oy6e!s+TBbc@`BU1N+3))0RW~lm8#MPRjm`@R3D>|MP zVBS{3w`ND^t^CtIDqL^lzgF=#LiJW;AYZ{-oaMhy`KOvWuOmB5uVxO^`LBw9{G&qj zBlPDs+WiRqTjTv-aX%-Yr^#mvbT70&TQU0>U!O7FcH#E|e!nBF-K6z0VQUCGn)YsH zJbhuU0}0wO{P*MUBdrgloRrZ|83m6a4`T1h0hWr!4K>;(=Ih9Tyr;_DI(r=WUj>F5 z3RY3P`;k8&%ki=<LDIW#)z7F}^o3PQeYt?J!PFb(sf{ zu{0oW5j=7VjB5D{{uCOlYSHu^p(XBU`m)S_68BR2VhHb}+4pg<4oC1_39oq*^VxL# zHo!YhVopnPCK-c}HN+unI0HV2rmdKB3@78(!~C;}xyZ%%n#q_;CXX@?O#+54=dKmDTgEv=LBwFmdLQg~IKt@N)^sZLr|Z^@)2;f`uy--j`BG>u_)5QF&g3&H$TL zQ9pN3pE^%9bu@rJ9rncA$XY|$V+mpJOV)6yx3`$926(RpGtDHN_+JZ#dWJR-|KH-j znKpQb^+2%Iad^brsp~@GA4hoEpD&>Pzf1kJ!ABhD8)1wR>Zt+$YjH>NP5SdV(#j-l znX81}RR4D6dg5RV89A&6o5-W|_n)yQ$UfO_{#i@dA9-=Q;Q_5c3TSq~@5Jve{B|)f7+{VX=7#p#P~8A~2ws~HeGmTkLjM~2 zH_&YvMSA<55WT(FW&SJwYy5v5ZVs-__Z{$)weXV$;YF@Lga2D|qV;FNSWkhs3dO%L zMt=(bnUdblFy14z&Yc7FR`{PgcwYez|5L(c6K}`vNIjdl+u5VYCXV(DbO%JC^^(@T~`4za1Vsgg8|GPvGBJ!bcHa_~i(~DTFI#507&Y#!@B1 z8%MjhGFOB%S2Z#Bg~JEtFiu*TXTsqtu4C?MWiHBqCv0U7n#j0XrbHSKvEEA`K(3D~ zvh~5%9>5IRtBrXo${{j;nJ*oDb!Ep zzys6%S1}jK{43!K7}LUg7Ra2)x)sIzG6J4%ID9|zpZ64fD26%7`o7$n6Rmvxhp%Gw(>kyh;8?5Jtw? zV)#?wn_-~s0Oa{7qi<@NLzWT)N- z;WeG`sS0vbiSKH7#6tef<6n`jX23Vj!ptas&B+7Cto_eLmScE9Q~)Mfj`n*hni`9S46C4?h&IJ;;1>H@xLan@>H+yiyF_ zzZ?GY5cA6+){EDf!=@2V{9k7d609ozUot;kPnh??Z(lMey$8K6Ssvrw;PIz+N`%tHq~^-r71acDC>~$WTSrCw%Gz;uAhqq2i1pHL$RqC^!Pu&I%_|JT5ip{5)c>FO)S;|b!l$mq&F2xm^|#O?!DdV0BgcSimhn6UhI*@PC^{=aouG2`gV6IZ z-YWYK_|!w-=n(JKV6(9nHVZMX2AjQud`SFX6uuKV(=+g?FXF!$KJ`}4BV-eQEa63W zwt#a955ms|`P88j20rxwd@AP>a7XYh$fpK%lrHnB2P+Q|hwvzIV6!^TFbJR8ApA3Y z>S4|?9Kv7r4w}Hx@Bzq2;4k18gg@O){59l7BoV=f6TKKKCfd(guWDB&(9vN zA0BiJ;cv!&B7P5pF*@O2$MAp0eZCnGF*o#?P_f-ftu_cett+yt-lHJKi=)6P-MmBadFdTGX3C-Px< zO=L{CBI6r~I|TQ?klWF|UGTuY(`M>TlemA1yo%gU_9QpS86{-T5?51xP(JuFyotyN zWskCHzR3KNEqUL&@MTsw`jg1{{>Zrp2_t=b4ErCC@=s8f=g`I=R}IQjrlXgVY{~OP zk9!j1Q{;J~!+j&;^E2c|18sSpoHY@dk?34_*fZS(f02MJF9unj=xa~pxe*@tCHCA3 z;J@7PWBJJPZiSzlWXtkCqtARn-1YENKSaKJSzo(fmY2ZTa~KJvt&kV&@>}Pnq%P#F z%@>qmH?q9(?3KNQ>`u;1<&duv_{;f^UU*OHn0`UsA=4AScN6_22mefDdLol}%93lv zd0*zAF+30RZ5eYw6#KOfR;p;R{fzf@C@{k{yIdDAXta&?I3HAI^4|sHG@ZFbIC@L&(MpPdaYwW;_LMq)X8P9oq7;G_<`O8 z07k3c36eod+-a#N9`{3jjw zQMc&BhYYuL;GaLJaBk-+Y@}ROUG2mcl)8S(Rm(U_!#T*Ht){E02MTSSt+@)jELT-0 zKxgi7>)D1&AL9(3tqGp1Nw&|`By0U=YF?u4`_Iu_D`yapI|t9vBxoz3uRL=jXHn;& z8#;$^P{6lGc$f1QTWGWOv|ayM)CZBrKZ?#{|5?;^j3qf&vz&3XnD%~utYG89AaJTNK@8{q@3t843jOmWOv3keO zpxjQ**vNUCxs-Dj9Jq#vagLS+lD6uZI5`keNz59b-R={R*RFav}Oba<&8= zANo%RZOJ(S#wufJGWRhueq=8&K)YCetO4Eog6qKflDX_*$vWdih8yCoU>~Am&n*0g zac1XOrK}NSm;-0hM`R7y#Xg7ZJ;_-T8B3P@l=Va8qMXfQT??Mql6|VKiFfFo$UjSH z>(5ur(OD}E_BTl@lr?MsF8fj?vYa;sfDa`lmA#k2Nz*%y1Qhh!7^K{P9c#$FUJ;CbVb>vC*l4bpRgub`znpjQt zK4)-NW)f~HuAe&qTOG;1Zq6CYJQC>~;-g+Ya-Qa4$6z0NSRMmhw#$*`V-Lr(iG6+6 zeXBn`%^FZOBG%e#kb3*(JhTbFD&``Q>B!tuRr@Xd^-r$T|8RV~{#tqBxwiusxAoih zlKORkITUOpEaJXKIg3cXBtO_c9_%@SEoF&c@ICBL22 z`B7Ew42$uMgFdE4Qr|J2F-b0S7PL=|qRwMHkMNHEnU6l_k#>~wNZm_$rT+Wt{=X{k z=tR*y~v4eqa0`498NB8>u*LNx2biFHg;!W6MpW@0L zo$AUR?{ei%n(fNHd8sS+hIm(Q#t>KTb+@{5bMJKJeoJxvF}1I>ab&V9ckFO%yH9uJ zj=IN{d*k<9xj!2E!`d-dyK-~xaOGb6ZCCE~-*@HSGxU+#?9te?ALGi+yv~(-%_3Ls z)epLIC$DzpPWgc=_m&^Ia@~Q|jeVzn+&K6`e&bC;zgzp~p^IuK4STfqCqq`%rVhQo z_WmLF)E*f6gWA3!%WA#pD{4PXzq@v5#O&I&L%&yha>(M^e@!o`4fn-WuO0Sa?Vcg` z*8U{DxHkN%8J<;XO5zOz=QTb*?Ax{5hRmtGFMUC+*w$E_c4ut?ws=|{nV$cuzJ`ug z^enOk({?x1y>subl=Z+-YS?EG|lr`(7 zsB6lnL|m_6#WM9DpfLHp-7 z5Kio@_uD^-p|6O2lNEW~AB8J+zryib11;xkCG3^^@qf_(vCNHXF^JK5B|ZpQ8IXC7WM;QDVFJt*TGIEB9sxZMgKI zEBodAXwr<~4im?g|J6E|wvjsSZy)OT5vlt=>YR1oC-vPTyd3sC#HNSc2D7-2#3Odr z*8D73|KZfXWjBWUk$c47pbRgFjhK8XM{@Napr5BqZ}K!@E9Upm2dIY^c%IwA9rDn- z_B^3??aR} zKbokRKg0gp%k<~v1x|g@fDqjm8s+Jp=GGVC7a0=iku$Ts%u_P=M1(|mzQeq<>Fu({ zuBk44xFgcTy6hWIm>Ry1nGmYU+$7_o2HjMdljmUX9e%_2D(`|nHd2OqHQLjmCVEsy zlqXz`_04j`$(qBQm_pbT&%+Z!^*UViZas?~1N28nhUwoM7p^~aZ3OK-6Z`vj=zR;M zPZV$;xYM#R^nXLY=)Xt)%D$0@9hm<9aRY7L-!G)UkN-yB82gRBk@^2{-*C|{;Hy0U zsBes?UvP%qb7kLb7(&rbc5uO8->lAByxH_1A z9_91U_jjprz8FV>FT)YAne5_2<4rpTe(yPW?6X3Wv&llW{#CFz2l0o=CBiBX)Y43~|1}P! zX3aXars`*ob7Ct;Y~~z^4ds2~l%}6;n6idBF@}0+CH*!@U+(?FubujuLcNS@R=3>C zbKmpImIcsDRdvfb?Ao2B-nP#|KDXDQH#yhb(mo8Fhh4eIC?&Be%2l&0W`-vlyL@9t zfEC=V|BJB&e$BDLn|Nw?#_=ozTeYXS%%{|06LodyM7jI&n7ZcKqiXs@l`=VbLU=-X z2JqbBRuaZ=kHivpX$|*$&e`+NovTY#LJgh&r_PktJ?d%_CR2%tvRGNthF- z@m~_bS#veIqK-QqM-nEVCzJ;}(64;Pcjm0>63Xbr)?!mwbj_)_n3~fmu{EEqT62s4 zykc&AIZuBo%cXDnbH4uc&2IgfYhC7+M3?y@{pvJ*Xaeo;QlmW2Tm3qOc8#R%V|*R7 zzqI|EYMe*fU)G%&Y7*a*X!j)AJ;}rQ4Az4Im0uG}r)%rSSma%0lJ zUpsn=E4MKH2enyX;LYie){Y4w{q#p_M=y2d&Hm}_U z*Jde__77_l(pS~a9$H#krAAg~#?GjY96Sr0spytHICZpT2X2{~>5+9=uxR9PRgVBq zUbb@=uJ<8Z_;S8&@6P#u7$Y4F+R&5vbp`D&7)kJtV5H^H&x407jFf?$b?CYqWe&~P ze|Pu^z1MlG{=BDDZ^>p%fnNj@`Lb@eFws$Lcm40cMgK!gbod*XhIvyA+dW}7^5T>JP|U_a3@7{`~w<>NOGKjwo=e#Q8$!0);%{L1mG#E)@! zDclbHYVl*7Uh+GLUn71p#{2851;4ZSxvubY4kUjAZ^~kBxfCt~zlr!wzrrsczj^rG zafM$oek<@}p1AaHIewM+F~?l;+ksy#e#}po{0`#Rh~Kxb@N2>EEPjiw@N*6#e}ity zdhiOr4E!eI$2@f@zI^=V;l~_z$*&l{75IJs3cqsvD)IZl6@EMLtHtj}SNI*ouMxl1 zm;I{G;+O9{VYCdosc_k{o0h8KQBfn5gzv=+Nn~9voW3m6x_@En1*KRK4@7i`$x^ z#a5QAq2DU*$6=|~8hW!ur&w}!`F^9&NqN{6B@VFT1nBL5ReH8YDqA?Wkg$V01(vd| zFP3$kFmj)CmGi1|vYsymPb^w@aLVF!Z%(Pg#?6}Y@+oV}*G*Z<+_!jLUQHD;x3$Rya+w#mj@J|*p=eAna%tGeeUYTdM8S-AQwXG62M*G|5 zJTtH|&-Ab2TZ#D9X`g%YOzw6!`!?j6UzF#WUxqo%FU$BoO}-+lM33cI9k)c!0o#MtJQ{p75%zg>}BEw%G?n$lfu(&B&+g@?s zxAsulJn}w}v&q!e65=cunzR;*J4kDrk4rh)CW#xbwM~?Ieot%LBW|+Rwp(1{E)$oy zmy1i@3&kbxQ^h5|9C3+nl(NIf~iEx2}M=gfGrByILeYA7^Ix zzV9miIPVSCzo~jG|3>j&`{Y4-6n#0IzU}L8WDy9e9nH#Z< z=HDHHU%cke5Wi#iMH0@TZ^Zth{}cEF>@oU%%qc?4JN7#b-m9$lfx3_PBi4J8o=y2i zQ@);gs_D;h>i1I*-=+@2(G?hsuD~m}yK#5X9xt=MBDx#?IK>QSOv!#g6nmcVE5=Ux z;12rVZ`nJ0fxWYt&;`)Qn%OHuU!8r8_9VC2wa=|LS27kE57-wr+SA--2>n&gMm>Wa z582x+;ks>w&a?5ChFQDg7PJVX9vf0R2u&F;+-K2hu5pveA-H?TKfe}?l+ z-5&9ma~6a{PS#znaE|(@bzVxsbxn4gO?>Yz6Ms2-DSI!Zzf$OTweD5H_^dr1WNcmV zQJctz?8S)uO7_T+Z<)U%?LMBD_{S<2dsVNJPVWlEe2sXm^3TII4t__WWzM$3fm2U~ zt-Zzijts!^D{-@@Lw&7sTl6k9+A4bh%qHjK)`;!KiG}R#5N5vQhk7iw{xt$iY&zej zr`a@`?^gI)w-sK_%u6|*WB+&)`}v(4Xy0PDxsmfp9hGj{X*zNf_Lx?4KlC+Yqox7oHp@=6`dbDM@U^;~<3+YD%uM(}J(1^d}nUm4~$JGQya&h4bL znfU1|?FS{DppFT5ch8c&wT?!2@NEA+w`rw+obb|~OYAyX8LX4QM4O&u)1z!UCrDrF zFZ1!IzXVQ_7Wuc@cVRGpT|3;IjUewkZF;Ir7Y1po&D%-eC-mhuxAGOR^HpxA>#_6k ziA|re>E$+E7Nq;zvg<7M^s(fvu5vBy+0kdkX9QZPC+aw`*9vb04olj!?|GZPXw$oG zdQXtay?4o+RgqBCsWp zXpQ@}o!lc(KKNYwUgT6|>`l;?ZF^>0Hmc<8h{T0_!f4-&ZFJgCun2AF?Ldyzf&K(} z@^-C|cn4bgIo^k_r>&vg zWPj42oupp-Z5PV8Se&rtma0)x^lE4NxkYP#I)(dHw)WcCtsCqX0Jn93)5bG@_tdJm ziCT{#?mJq~Dskhr(_prq5_vzab=ugiXPVG)S{K-@XR^H4feU!gmUq^b3~}Gmz68_t zq^YKyWs|u+lr>v$+EMhDKE0@#p{)DuV7`2z&#UG&eE;;UYJLYDn__gDn!soWz+5e0 z6*)W8(vHiw2MFKNDDU_kRLy)_C#Q3tYQ~_0)44)iht^pv?lG;iPh8G^1#nrs1gkmFojRqdoP$?c*Mc_5oAXukdDiXb7ICAr=8wfarZrWn zW)m2#`J~X1TC-0uXT8?EQ`{J>d58G3KCv!#F0s>FAnpfR=V5UNX`Oq;^>J2=Fdliw zhF(z+r*&=+nldaDmom)9l`>2cmoiLLO|d)Mxkubst#h}y#9byXaW5Cwr*#&J8>Mwl z6_@yO#3jB_;-b$ujIx8%q@4ttotj7bDJphs&@r>t_jk~-h}U}JR5O8oBG|jh6OGNw zceIw{s@W5TKkHai80|qg1%J`E>UIv*yTN14D^;@@ym!j}cPnlpxTALg_GrK!qN_3i z+|ipaZnXC4X8ObGpd>IG34X0xa8{~`GXcb z*ikr0kEUOT)1Unlll4vHZzK8h*Mis3vy-#mo6xn}NdNIq48>37+_m`C;}=6Xhkk_r z1+Q5)?!aqxoToj)Sz7DGIaK8C!GCa?Zlr#=S0WIE|ifj9Bj zs`~w;zaGDG=)quw0bqm__?3aQn}U8{oSfgL|Lvmx9RbhRgXKGS#E_4pywl$@koBTN z^)6$oo^w~783}ql`i-51@p=RC)f3k!#>h4F%?aqZ$=UDsi1z^TzDZi0ljHOcNb3>e zc$hdICEgw|(4)j%$omZ3HuPiS(DR)RW^A+82z_oQ_%?>Cf|p71FW~Q z*BH;4u-<(3TO`eS#4UN5Z__z8J;|m^>^!Xs<|z)HKgm;5k>u%kWfSW`@4iBvxQwO+ zk`8e$vHmrhN^E+XO&8jv+s6+dOa-c&sA@e5(cPBHSVECU}fC8iwCCaPD@}sgyR1 z_I4bUbS~pDaEK9Tbeojd+r7_iTInBmn~4hbzQnGRmBBh`nrPFLY*X<2JC?XWPIzup~o+wHXJsWx30q^-7WC%-HfCt4Ny-XOWuxGHq)MgJ}W+>sfF^RTi>+T3U4$Wmb7W#^EQ3argz))o**rG zl02$*drCWY?+fCw>(Ez~HGVVo8iTH<;M?7T&+ImBx&o649y!CSigKo^jR%Dwo>p7c9#URX!8C~JSO<<>v$~je+iFip~&lO zJk|>y>j95_4jvmT>-$Mrms#H%#eG-n1dohm&Flh?b+R^&Wxf@BGnP5G8ywaF))Fiw z@-@L?B4ZP*FqS#LbF#S1`~6rULoivaCi-rzX{s54Y-Jr-rI_bdo*34f&Woz~H0w-f zt+;Wl8G<)(&r4kR2gF6T21e^_SIwCc)+a7u_Nkm_fCk?@Ec9N&Vq2oKTwEtOQd}@d zpSWOpO{y00M}`I#>#US_)|n0BvOamlWqm3GugH3}KwRi~;(~KN5f_~E zvACoGHt7^x21e^VDDji8opxEa$+x3gXNkC^u`rmfg_Xb}7N!D=SeOcYmMQsIC1Jp4 z`8GaVAvEa}iA!0g*=5PG%aV;hSg6wwH{QaUW5E+aTt?hW#Giam6_0l`A zKJwnBj z$+xh_mb)s9IiM@j?@ELm=oU>58 zZE0Wy=65;6(Y}zp$@-DuHhXrv^ximZK(JO?>j(JEhb@Jd!Dn-v37ij+`+LN`I%{(h ze7}te#KyXuAL(VSZ>e;fr&&WkW1Y3aO?I1~v(^gc`!Wn(lyK;=8sor8Jz%qjOZdB+gT1L0Ou}e56mV!^XvF54sGb`{_cLDYlnCEp|~R&g6mLEPA_5*V^=+AkBFN z%kIT#1ApvgRMFS40dAb$E&L5_cTma(eb}Zyw&_oTwAchawHMvel)1Xt{S$25N*rRp zE%^GL?E4mdc~AC)&`Fo~Wb2`2-}rO%A!IN3%KhIF=sZck?%)3% z)%W%N-#>pNE$=tddi@(|y$b!!{ojlEssB(9>hI}uTr7`1F@1=V6oH=J^dTD~Gr5B} z@<(gt{!2)BVdm9Yn%6mOZdT1SeQ%gD_r76D;wm2Yoac;rZMwb+_x`eB^Oo}b)j8BR z?oTsxf4OR&cZU0>tAi{2WvaOp_qw+WbU#>Uqxfa0W)<#)Cku5ySm=oOfvNnsr-nKI zIP&Q`bU#=u+<`wBYc%fFKcA`lC#vRj@tcaDGPvT}|29kaPsWdTeFn)cwfamhzshBCFV! zs#l4BDDMX)jp&N37~c2TVG?);msw#3N_fdrbj7%v{mX;l{NTFme~~(*-lLScV-|yZsPl2(!KH89BXzxu|BLMO9_D?%o!+CogXJW> zPG_pmzrarKas21m;eX6~p&kAS%CQ!DnjP**-Y41Np5lG79qwt~^X+nM;eDbV{^z_8 zv%~+2_Y6Dyf8#yd4*xvwqk`etqnIn$d@1>pGG)KSx1``dQnoQVbXxGg+bHMQ8nA&g z)aOr;e?l1V5*9Z~+A^df`xV;jHMcqTkNg*=m_NZ!?gj9SNcLPr?PYBQGOqWg{(Z}ZI z={fFvef*4D_2Hqn=_AL3gP*=#{}c1!pO^>##2k3RneGc$(<=&iN_aN$)bKR$1bE^d z=@sL7=JF^?dc_EyJf2Lx72{rT-jekvCpwvGdNu!4|9hBn;wv!NmGK?pj`puI-0US? zjuRW`)nAPg>~}eCY`Ru|l_MDIavJs6cK^!4cK@{zKp&13*~O}U1wtTSB2Ca;rsK(T@BS=O%wTC zu*_241DtjFYQD(VE|;5oGOE9tCz$YZ`Hyms`B%lldtA=fL8r6&tA&E`s27jhw8{v^)u3y$p1la$#i?-G&81z)AWw7!dW#@g8o%b+1?_d}!?_e6KPb=SGAuF$7 zBP)MkAuC_tA1hB_Co4Z-DJw6>(czZ51!Gxx0H0augV(II`|i>E+s3LlaNU*t(Mo@h zV7tqG(#i+e?#jMt<;lX3m;0!dza1`k$6)v^)uw*BjQvdXCmh79IO@?n+P84g#c`L+bzl@VrBKJ&{HLv=@G`lTU$o_3=g~8amFv)J0V#!}>#V-E2Fxf8m62Zo) z6*Y{l3lr_KFBjf0wPH78>%uU*{3TM3)QaCRwk~AY?N}r>VN)w!VSHW4w%c?*cptx4 z8Dkel+3mYf%A3lVO=Zlc2K(9q*?&*1c#d&*AuibN*rKdBH_v50Pv5wZB>4)h2xknR z%XgVCFzzm-NqvM?#M1B1MY+sp9P!n23G?}|{69ug_H$w6)sa}unfQt?r*cO)b@K)dnof-Xhja?+B!6B9=1ZrQ)opLb%d?}b6aS|GDigGUy^;?vsJ-)-0CmY z$YVPg%Xd&`HTb>aNT?n`{M-pvo#Kc(_JJd*;$iCUfTD5^A(VMAwBnc}^4M`l+_4)S z(Z~AueoApvZylhVfETO2y3XZk=f7@8{IU6t80&vz*~d;e5{})iBv(lIyt-RGoqS_& z>DVMSxgxVZ&*Pb>>OM96*!SvYc;t-z8P1r5!gmV4ja}M`&G}A!GiTA{E?L}p1~b&CGq;Xg$d|$Cvw&eeXtkZ`ncb@^kbZv9;?tN!*A8ELH1b8 zqhVvH92=DX###F&@Q3K{{hB+L4s!l}G&0B+kv)|vX))yrTL*2}g*XJic!)bg+rVT6$V8UF-=2Y9;l##?D_`FVy|tmSaze7pyv>=+ z{fooAa$j5+I+mYPkJ4}YxD!e4Wf+A1<>|x-?&>|L$(;~ilFu8kHF7(;U}B>_oO@IM zf-K@Q^ea=jEBFZMe}>NG6y%AAuqS&bcSg5?71JHjp2?hB%i{i=ZQKp`YwI3Br#1*% z%BlE8aKBDG@#b@{^dan4v>=Br<~~5V2WqAx#&ah+qIaPidOvqS-^+c_)9rhSyJZg_ zIZ_F>>mA7Tx{;qIaQ8;H8tdsorh1G$!EwmG*w@8=!Vn{lyS+G5#{Sh%?_BQFL4IiM zWd)Goi4IxNEDD0IP1L4?czrq?UR*R2SS+9KY!{eGm2j zOP&HH(HEsAagHg;=QjrEV&`7&LK!idGa5s%bIzPv#QD_6uyHifx&tB6_#rlrMj=z( z#n==(*Eg~+A4<9%jLG}4T{@Ee`q!BYq-|uJ`?1TqP7U#8*5B?qgrDHf>B<0);BY^4 zdz}(u-T5tc@Wm$g`ntP4ACTt;=s^ zPyAO?-yc%3TFz$5Z6mrjy zVEWO>2U}TZ9$=jOnsPo#xtAa#UWtr2gME7GQ*u_WeP5U^wp!)Ri|e`D;#$(Un)Gg9 zUu8IZDkIp}7v959d^yx{E9;ruJt{oGQvBrpfCuQ8Vpl7bIZ$|m@VLQR+m1+mH1#?{ z{-OR097&!IcnTl%9n?uK;g?B%!P%|Qt?&q$%zf7r$FIISnEOf+wAR`I`jhPM%l(zD ztT}RbWxElgv&b0D`^!`EAC}8US+J7qc?kX z{eNJeD8#byDtC{FP2}Ld@3G2O)~ONknGsXT3&t zX1vWENOK#GR?ZzXSbKr_=q2Vj)*o*udo=@)sUr_H1|Y+~i?jzYUYC?Hryz3*!xqVx z*a?iz|-?yu4Djpm!&)9b(vs!Dq=<-X&1#$gn8 zOTw{Rva0ND#$uYc9@$(p`gp%19od)v9sZnI^@_Z{1lj$|4R2x3Ti!+PeWcPrZY?^9 zPcuI~LK_A3Y8{pys_b2gZtTlt>FAy&6W70!Mk@0A6z=aBYTcP;JN)iVj3SzqJ{Sn-DPe|&ZK zG;EyFZ)BVudW*2^lXvI1%5-nWH55_Dk9D$5x52n{mXN>&d)Bp-(9u@sDq~mwU)(`ywR_^4!_D#Lf9x z!o3l$%X!L<>_UC~i(&dv^2NPTmdBfGnTA z7T-gJFQ$H(<2d`C({&@5%EnIF&6I!(1mWI#W)Z%}?Lbe|~q-x;30vSv#evW$i6ZXV%{0H=M{@ zoSY2_o@4Ph%KHYwY@Bkj&uLEIm8Z`b?b7dfBVV6+lUtvSEs8nVqUb-D+U!*IPnmoE zN9R-J%-+|}sD^qTQbRo+o?Se>=bdKLMJIQ~hp<-^VzxwunEtpB&V7WKZ7CsUds>Lu zF)YNa;=IapKh3KV8x?(Ft}Tlm2-zaG5#;RZ?+-do^yP(a@lOmfn^V@^(v-CBmSuNi zcV&R9riybh6@+U$>oA)so4+sIY@(c1oQrvmb1~0zE~bL>gZ`)p_8!*X(pLBfxq-7nH*!{}dBxgW z+J+I=x=m9)cRI~4E^_YWyu(Dkn%w>g`}rT|nYpxK>Otq0k_cr>S+3HviMSli%AHH0 z{b95VvNdxpE&r}VXnV$aa-T^eDm|-eDjMP`DXLNd}LzzoRK-H zwVrg~rf~iupL{#8L-@Yd+9)pPLww>AW}mnzTI(M2#GKT6T-N7I&cL z_c+X@r0?G*Zi;qR%QsIiA@7wA^N9Fw5I2RjP{Kp66c>7h!`!&KQFP*PlQjQMT<)gv zSBjgYo!d+t9%Ql-W`nqdDMwZ-VOEI?y#lwa5&Kw#EpzaW-zv#Rqt>a^7>OTU+F=gUK=-q~ zOvN3fwXYQSEv~SuBx@?6E}O#?Nh}i&Pl3S zi2h=GkpmaH&|yZg#Kw8;QRLT68F1W`*Lv;we}^% z$=WtkzAYqP*3I^LlJ|GDQ0^^nkF&!?spiYr*;`IH16zCTCpq6D@$600rHUTPp)=ooDlXE@rE#81)YQkQ`} zBJ+Klb1dAw=u6StY85jFIt#jOYP6n1{RJjD@Jq(;pca@Y?+3KDFgfpp&Rvwy*iJo< z9;>8#QH6eou%vlb-Z@+KF*epnPtJ_xkY*b2b3Mgf0llNr^{2Q$ zp!JN<+?(wamwU7KihD?F-7M|^P42#aineZzV{Fsbtxj>@(^}g(7e`)OKM|KZgN}>K zy+J;4-(h@<8_&2!KSbzZ;zFm1`zGNPT!+?rSX}Itdc;jd-+*zvk~^BoQ-tJaVmP|7 zhj=G1*ffoxAGWqg9D}shkHsZ#hs7mt2gN0ChPcVxIi+Zi^R#Xk`T%$bz1hv|T`+%$ zzQuIrjUM^FO|@k1Gq~q#I(L5gM-A0yU{iKFx)yg}Yt}z%Aov&^40Llx!&?b%PlO)| zhaVCdcLaB(hhrl*n!D2dJLB|lZ0PzY#^}q4W2yCj7&c!IYyQG0T*82_k3a`DDCQf) zcNV(_d*S15=GjJ?>qzS(?i+oZ`x1Xi96u+HHSk!^!k3Ax{6C1}GxWS$(DB|(Je#1m zaL3g%+;No&JsNr^^;9Ez+S`YrcZ=S3iE7phU5xIO(AnZbj}ko|=pu2U3nd(P@?^+& z+{xmGXq`FY|DHAtKh9ah6Ng~S_dRSD2KB$*!>y-|8>nM9eDf)AHuiiB?E849gC~2D zLq>q9MZb0>cwcND_9EkLS#jVN(FYOxa{=ybdX>9B74F>?eMQkD6}^OheGf~I6dA9j zM}b_`qLB{^9RY^F4m{aYE;^G(D|`3kS-K3OTiAoV7WRB{ydb?B{WiW^ z`kcsmdn)C7P@j`~P|-aZfNn7P-A8!vRm+AV-O2;9TFW0fu|?PB1?jy(eG}PJxAJrl z{qLQUFI$)Mr1jnCt(A1pU-8*=qvQj6r4^siTV{VhY=1u<{0;`Ct}g3xb}u2%+t@!G zf$k16YT09!Fg@FmE84uHUV8()PMo&~yx3aEd6@aKub(kX>{<4}lSuic4$&d-%6X~Y z{JZt0!}GaQ3;lr|Qg7%CoRs*2=U^;-ffkoZI^Lc}uo?06e&P!1;;sU*=u5UGzws~(KrlU9ABUu=H|v&(m} zZQ6spyZ2+EgL(m0evpS-y1{$x^nAhengVuy`t1Cyw7+|T-=*%X{3M|da$fQj)CuTL zv2|y{$OpO+O=qm|MpHo2MK6Z^cuQv{Mfw5sVf*{>;CIQB^1LjnQnAbP8sl`@cb=B!h53wvp{6J$ZXEbUIH{aQWlL~VDNj8&Qu}{H!_t| zY53Q{uOj<8m63TNO>eMik4lw)L&|&jET%hRVm1qz0UY{G=YqX>9R1W%CH#_vs z$(;F{DEmp=y?!>&EWTaUExl~`EOg)aKi2cmIHz7A?nrF27IHSQ$ZbX`$nAXW6Qbu0 z@9*v0?KT&|^ORhREK|nvP0=c0@GW}mOK&bj5}S!Y!P7bPrnSd>kFV$&;rsHh-V=F%E z{G@yrd56eLDZTWD0jB@q3i90r?7drBsIdb=uK>X!N;A# zUd=)N`Qki!Ll^T*;bFy=+n@1U1Yg4SpmP%)+jFLb9~|wW}mn*TH786Hh?+1e_Y%k&)0TX-uY** zxDnVACZ1Y(=fB>*ri~P4h{Nl8L&HEKnUg7x)rM&Ym^L)Ys3C}0| zPuq5f*=F;7g%aOB@sHE~dWr9Y@7W=IAAFA{-;P;)Um-Ga;rj})e=K}oA#z9I`wGz$ z7rsyU8sYm2*$)xEuaG^G7s+F%&HEJ!k2y{Jqb=SqTjHInn%NTXB;muLi-b3WE`-O! z_JHtyCD&&Rs^zn;iVp;ZeQj9woeq^@oQv`!cTao0-@ncvfu^V;19B>lL?fg zcbWs9i!*!q;-1iYbHpW$N(pla8`MG{*4mPUR~w-9?h_s@Olyl1Iz{WP6}l0AEJ^F# zi>!LLoK0+G{{)^No*)su@!m-e{9^ILru9U5uY=cuZ$TE^8znS%HuS-3a2IRuMHL!( zHoRK|_p z1$K*F4c^nlg-#I{o*14pj(H()P~49#eke}zvPZ?XiJXsoTZ#<$jI`}{K3^%LT>^{i6fIg4#)!X3x zHY?n<@Sau$598mLuJ3;0Bi`TAUVY*!=w!VLUdQiC;@st5EPemS$~aG1hF_s#K3w)5 z?;mN)%lLOvoW8V-f8gh<*b5O}t&05+f3~>nvlK?+pKQr1vgw1R#P_4sgSnd$nf^+} z9K=1JVch%q-`RWj=%|h}-FvqhA%X4^Mu2PtAvPC*!Im@7gB^6i;UcgA32;IZ>?jj1 zvIje44#~l>g5?<7jYB}rkU2H$;6%wl(^kktnPDQ%I@p#Iu$zl*B_Suw8g#)(t-FL1 z+#xpK@2R~77$-iN%s1<-?>qjZ*Sp`U+EulycJHdEp10omSk!Dr zs>=c=c7}ZZ7kNDK=&#{p@NbTuhW;Y;e}nozgM1P>iuiQm`^$1e57AcrmA=?Rv{iqF zFSbnjWJ&Z%zSu13rIP3+zSteKp%S$NX1*(V4nF$$pAdvk}>u&;N?+ z&OH8S&X}-#tyj|4$64ziI#)yUpQo7vbk8od=U@o;B{I%;&(oZMy?(x|@C9OREecw+y= zIQC~~E(O;{ngMXd5Fc;=3^;>%)c|wJ*x-?sp_T=! z*%QH>t=5~vH7P%L->aUj56owAB^bwImoo)1aDPKfrEm)K|7u|%Uqj1b+kbFw!d&P% zUi@S?{t5=%OgI>@rCs#__khW0UyA{)e%khVgK&}6!9|Lv?%{z1>I_D8vHOV{Tc4yt zw?2ow@{W4->GSGy(W}oUFMhilueP%oFs(4wa#3}1_to}g+5EyS{=(Qy_F=ZP+4SL- zE|tr3WeEfE+}U~$&>Ow@h#RjuseZzMePFeLonXKc`eSMw-=cz8Tf!0-1Fi-SR=GH^ zRC{XkR6p8dw)?y;_8UuHISsLzd$b-A9-Qp14-D3lhP=g{X$__&Y%yR%>t2fi!)^Nt zv=4)Q6vBYm&X>t{3H$p?n){d~&Jwz9emrN@ zaP|q`kq&;P7XK{=3#Esj0|U-N@AG)JAAkXUaAZFO19n^zULVzP5G*L4Lb6Thx?B+J zpUnR>mv#ml;zzeZ{%M9V;<-FwLf4Ox;)0a-JU?N;IxwRBmT{gyC1E|_MQ~2!z`@y} z=fQ=}*Pghuk25Lm0h`r<`-BG%T!#l&_>$nhMn=LG4+;ZjL~dnFy3G+bd@mlH$X>3i zcyO4-gOe5{y$271#e&mV=iDgCxc@fDE|*`$gJXjCeHX0f;lX*_cVCfw z;|lwYJ}_5$tMt(p3(iI#eEV|tg*3iJ_$-t!<|w@G+hEQZzia&xCholImvBm2{M*8- z4*r%UeUk8)o$OI*&i>k6Q{gHdc*`hrI(&Q7#oE}%NuA`YzcXq0Pd5IRJu2w#ewa}Q zZlE5`_#PapXNJ|sqPz7>k?!5U=DK@_Uw3cZb@#q|&((XETzBt9#a&bG1*=~zx9^&J z@8aHGaB?#^xgVU|2TqReE9M+EFw#YMtw&N#H#oWLjCeIL+676tqc%y>oR-AL;i@~BIIZ0QeuJNw}R-PiMHpsvA6EiJsesA34s%+p4e> z_Oa4-V7WZ(;JS(>*}uGnyu_8xlTM$^l>|2nGtbsFdF4x{xR`k+*I*fOqj_K%VPuPK zDtHAOn$mv$>0Eb%*`|X5yPF*3Sknz|o-P{zzWvjwkM{a^Z*@rjGUe4+s5kEh_Hr-+6G0t??O1@;et0m)1_g2XlO!p>9$8=Xpo?@+n^{F-dH^HdU zc}{F<6&!J`B%JIX$)hGZ*@sLp-D~k#ki&hP={U9Ow3)%#kJ0*^&{Wo5qKC$X)?>f1 zLAD!foY(`bOKf=bSLQ*u%4q!!p$(6c_Ry%%Q#!M<1g;tWGHN7=->x$%(I=&FW@Q5X z;)^{3R(=<38w1;}!fvA+9DM_LISahJnmq2tKGTo%A-~NpTH(ab^9<*>Zy9+lC7(=W z2C|!Vktk~-M`@pvv`udwenGkJT`h@Th9vLaVoCJbKKye2+O+5UV!b809%nv9TP~m- zHzGSH2?xjV-$7#2*O@Dco~7^?Oz%A9^Md&twg_62+Dd!N$J9pJx(^%^jJq-1mR(qP ziupeCG3NGudtPOi@No@m^t`(|M?mKW=q%Lky@fHI9gx5;oge4L;Ws3UweuSq4q}Jf z5B|2;ZlBAW>1<2cx7o0Rg)#YS$Wg=VlbkkJs0s8$T~@1dx5(r`+~=@ zZc+X`CwSVn&rGj<^4<0sDE8vPbc(;ye^tVQ^xtL58R|bUr|qxVUVqJ1ThO1SV0%3S zcu>0SznQd0pLEX7_4bR~_Ly7fa=%Bsa!+~nn&;K4*sIr8FFxqTYt6v+;{tF{g4StH z)I6v4kW!mpcp#0vaayAQKiPf-XWM>T;Po3=&*~8`zDae%S_mKdU``r>EDry6w+()H_FQdbL08dt2$1yWJ}{=;?bsz1GwBd3xB@uk`00 z*0(mPZr=aW*m(SdscfF-pr_Y+`VmiW^z=iXe%RHA`crFLp__f2|LEGl5B>kdHHK#X zCFhFBFRQ~kV*=}8?iq}o`Gv8r3i%t$vHr#mz^Q_#!(Hp(8NuROGwTI|Tc5A9c?Ve| z8sZ-5$8dLXVQd0@Dy~&$wOEXrr8djKcQ9PvJYBO+SmJSrn>~Gtr?2t!wXRP2)*iYy zNH}X}eXA*tz7yZvyT@{x4ZT&?4`;Y{yQf!r`X*PmzF&{R&z4EQ>igAlou|BV>%DRh zdHPOIH=e%L)2m%w@8=2f>b*=Gw5e{#Yh=^ho$Ya*2_DyZ)}{~lb*XHgztPhpo?h$e zVOKxFe|(7Re2Tss!m>kLc6ZVzei91b8R|@8Ul@IX-C3D9a`@ngc+W7rr_Lwr^iQ9* z*f&12HT#9Trg5fDbaDYc-IJ$1cjNc((fK)xIm4jDm$>-$6JM>XWG`}U-4?fN z8S-I%6Ln?|nDRS(FIw?$(7b)yT`j?FceU=^c2`@?w!6;l*>=~PX4_ro_inqZy>{DO z{rk4vH4xr*m-tfQWnuAaG3@6{oM+#jTW|%RUyCb0LtJb&K5#rdtMeQ0C9EUU$+$e| zf4I}1IL*JE^Jd_6v912!?8%B_PgWdu+ z^^o{41%Z9z$K=0rS9)1#?wI^>{RM#yz7YpTEh`B4IDa8we0qNRTjZOYoRCgvN`C5~TTpMJa`FzS(lz!~oSFG}~dg1{%ZC+_irK=PD=K>T#hlq7D< zlia(bATXNi8(*W&KQ9RE8K0Q{CGIIF{jgaDfhVZb^XT#4Bu~niLm3&*76h{H;9XB} zVt-56jjCVm*H?7r7W|~&dG3o_*AzARe^n6p96s82kk4n5KN}qXuhg} z-!r>Y?kosAKzU_1jmhuKDfr1hzI$Xak#i@LZq6_xzFiP_gtQ-BcX!j+`2~T0rJT=F zkGONRUq?Zpo_1f#eIvU$$CB&lU)|l*=P!uOp#MJ0eV-$3g>U|@6V$)=fxRp4rkvd$ z+rB%{@YssS%d3MG`zv=Bao?@J=f0Rpxu2xo)9x*5YWeF0oHy-{R6O?e6`SV473GaJ z8zyI(UlM+QLWX(vbMu>ux#!f!)6J{XGR-Tuq?$by^P65AKGuv`UD)*V6&a?8y7qnC zZ#t*3-f&C0X&Ihr-dZu%T>M;y`4wrtzy1?VBlFVDh{=BAOJJW~S*FQeJJ!T!XPCFC za}n`VSKb>eU&a}vQ~aiISh`vL=}dF?sIjI9p15wqCz^_qR|Y>u+6QO*&8X$+#ux85 z*`G-@@i%0e#1Ui7cMnu*??vRhq-j`P6f7#Q#Ls$Mq-f>0u&^+6@*kyBKiO9fdx(F%lxMF&UDjG{|z7OH_5l9n_(HLCgo$9CTr?nKjmYVoatfO3yI+#;2Rd-(6Xw=dZhCtf^m;VV<9r zYW`tNy7_Kmrg>BCM;p9FyX>Ugy1yX)_Du5+<5JCcM~*fB#B=odZisw~`+r88jUxSa z%AM-9X}fa+J`YAkeoXkA-sl8+x%ai@H|F=gGruWyI{G_Hno?&ufm>JY4E8M_ zRhB-*3A{#{I_jUcA~(Nos>xB|KK}CO*@pPfUtKKH|<#Y zOt5ZwX4x|j-;}?Y@RWs4;F)*sZmQ&ZvD)vQrA?KzQSve;u;iVEO(V;lz~bfUWy$wC zfd|NQD(RkHo|FFo&pegBNWPD7p1YFg9r;w`YaRQe)lgvG@%xA}1dwy)Svuo%)+GfAA z%jcaH-O6<{c2!#2*4*H&QnwzLIoD2keBfTH#p zN#?_$wz$`ytL5Bqzwh-4+qU01aodx3>P()px#T-@Ye>HJ24)th7=)}FdpPpN!_a!U$hso07oK7viu+)<%>sDrf!tCGFPE2d>Gepy%}+|QbNM*{1O zRj-(igSnxFRp^%-@^}TCeXeKT6qo99|J=WaHI=uD( zEaJHq@=P6*6GIzVt6ML74fYX)tSyPIZwxKMPGq6%Lne=5ZvbhOCwmJz=3y6#4Vd;^ zYiYEb#=SejlmG!)HM`eYO4 z9{UWe4Lpw?&0^k69yT4gA)4mI>L_OsT!2kCuOPMTL6F&_W1}ijl1!?#EqEJgN&me5Rll3*$ z$a-hqjs3D~UlJs|d$#qF(!lx9VePq{h26dIWiR-uY>FFMvk?wI>gipc-skETch}?Jx_Ak`6kXhHG529N z@BTKgtaeYo39v z*`A*3=~kD9D*|4AV_~e6=W`|_IzJXsN_5{M+T7wwk zn-A395z>C({fr0N6Z{?I5AgdLs>Y_l_xPO-zCRy3b$QQoj1%%{S;h5!|EK3{c(foe z<)*~N>mPLj9g_-UK5Ugc@+6(Q`#BHJ=kwKFZcO_?y!wITU-hWh-}1)4-{4oKh4HU> zCS%~Fp)t^Zpp9{{9^D-a%NPq+x?`a~^~zYdznXIxH{W2#!TTT6c$~T`&KsX~J!Jc= zJevI}=&8GguC1&dNmz;-wtaP7M-aP>HqHR89>KZ7S#|Qa_e4Nr=A)s()qJn{X8&;V zR~a)u{kCkBuN^mg_(t0?Gd%VK$IRbX4vm@kd1maH0WbL`WA>FXlQF`MnQI7Re0b)X zG4q*g#>_g#%&<3Rh8Z(sn+n-qhg~jXW|%SakByg87#myGy5r>(jgO3%PkQ6!liqk4 zX1v^gWxRwx-8?j2GA?e_82Osz+}!aJKh=!YI#0wMGhbuOB%K{IUt`SF^>}!r*US{1 zNyeD@6xa5AGRDjhdF_8h;f$FT%v~5WQ!Nk8cam|lpYg|zms?n~UgKbg%2{xw?zq{{ znAyJ|A=ED(jxn=eJY0^x`|xmQCAt5!!#5uNuq1jt;f#;{MiRY-v%92kc4DuS_hiPo zn;GZw8RtIAI5!J^dLo?k?-(!NX1v_VJugwG+wfaEG+wUZzCDCJi~MKgKOu*ckN=wS zGCeNNjv3dEm-u98n1zj(9WP7x_HEL5d6M}@st7%ChZ^lyg zG=-ZN6i^1|+wtwtIdzO}c2D1}yidK1pSQy8+jNupp2P3=<}-g`e6;EI6u_&UFb@*0 z@zSQ-``+*{5-k zF*c&KjGs-OUh3&v;a_^=tgcC76ABV(loSf~BlZ-cZoSYQ*y5>GVfNKcB75RKmGFE>5&O;|I z?`dXi_)fL&^&fNHQN1Xju~K8r(0J*NFYY)rgbg)z4vkH|ZH^spTA16lGPWw*9g9X> z9iJ#eVbR(}f#%?%K*!ESf$v`^pA#*P`$_an{I1CZrC)yDzj97j($YXQZE4`#+NFU@ zkwt;dQ;P!qHH!juwdHeqE0zW_S?hIJ1FT1W9r*xjyLreb(WCfR>tKxCpS5yMCF`># zod4aKwKU+c*4bY|ezS8!FO&8MtmXEUE)D$V?4rOx+oHgCYs=>ROMTg#c-96x)-4VE zu5tcX-fCYI_~*v5Ig1GE>sl1Jgpaootl4(~Ody0#G@{{^ z(%K7UbN-d})Bj0$oxgm}t*lAME>OShrGdemrGfIB9;)xWNM6imqLlx6)>&&w+m}nZ zla>Z@SYusAJtvdLCux@-6;qG0m2>)O3zfZ)c344pKV$NF?(g5cG|;(aX`t`YqCn5S zMS&5-FC#uiIR~=J=k!fp8u*{wTUW7iPBHR4zrHZ0dwW-blf!hPrc)F*#w z;76qEsb9ny^Xu!gSZAC{oAiU8jLv&<_zbMoz@&2rZ04pN^U`t_-m%Y)ND zRk`~TbCYNvxSDmfONXfEVd`02KIb3G%I7>^Q9frA<*%Xqf!RFw+@*oPB(ErIB)_JA zpCCMXWKp2IaZz9f?YJEMyPM1B9H=gzGnaCnLhnAh$gblTaox$cNM~Qv)s)Y9iugr5 zMJp5q zjjW>z(uFn@T9^^dpw*#|BjqMW~uHy>xcdPEgxdol)f%*+WT-jZfU;4eeI zlE>h8An}&*CP+QxM>+9xnb!7Oo;BLzE%69)V>{usOP@&&~J}$FXiSJ^xO1ViDud~!f5|jrz5FXXCoN%#zeDVNus$_ zTM)~dl4veY`c!CHaf(?4Kk}>lQq0Op?89s5`20GpSknS?1h z=1X_vuqODK(4(`)n^hBNk9kW2mGD#D#Y+Qq*t2&nU>xE<`lSBT;O6yQ>ulg#i*n3B zTS06i@8YcV9LtUD;6J>c|7q}hmAiMAZ@9#l6bbYF*~mIRJbgsATAj>AdU*HR zX!k_^Z;KyX&?KAs#j8q!C2$50la_NqBC_E+u(BjLFneuiFyXVIV{wVW$A7=FDUURD zgjasQa(5n_h-_MJgX>~$8T=yr!AHt>2UoyBRN!;)N0j|{D^~=U{6ppL2EKJm(4Qgy zmA;h7NdABD6T!vYvz0Y+aZJj)2%c%$svW`GSr6YpSl5~ny9(jXqpSy1GTw_16#qAs z=k278PWeUzqpTh5fU`>`JQaSiJsE#_%$IuM>Yg3XHS>-<#=ljhAL*aJD|jF0_N{iy z+(^4bsKXOulFeqg4Dmfbb7(ihzCJ3|T=c@euQ2LgQSPSs7uvQ9zAz7tuZMc?`E(NB z6!-w{k20sZ7?%>60f)GhIy^#r&5{)J*_D4Ed^%jY`(M#F;|pyXeVxAQ@7d2VGPn^Q zaWQ$_#~i-ENj3L5N#=2IljDpIel#o9+?<_c{$g#inN9pHIVmQ;lyivIrkeR#N#>J; z-JP9mwyaGuUs;!GKA*+e+}SB`fyw5RpHDLL(^KFC;Ty?M|FzF0rkbyOKG}R84y%H& zMbxJP4yVFN3?}l7?d4Afi=2dDJ8j^2+)^UXMOdUgE-lzcnos0pnDtI#q?+e>79IuP z1d&G4bN)y0Sv}t>mpk3VyYPLutvmebJm>sfjieh+x>ajZOnW&T4e`&edLsC^lN~ut z-~5*~8Rnb#p%b?_X7!%nMdE+yabBnW*%9%KUm~B2Uf5MN6mw8qRwAjoMfhw?s2%Tv5a2{*aeSce8Cq*WH;r-zQ7r!!$+ES zzIzupW|;4L@A7Wm<#Tav{lD@Bx2$L3m;PqeNOS-2RI_e;ifN)wJLA$Kclg~ltSGMu zZl>-X~p@O$_Uj;x=MV*cu0${m(uo}kQipB-ubrX23`qsjCuXT0*9>pzlV z{%Uk8bxWp=p9ubpd;extlG$)eipe7174!|~wM4`>KJL|1{oud_mXYTWfBQ`*J#vop z;vm07{N{I8)|AuUyUB0e_*64UyX+(WpH{j2;$MwUk}ufEWWuJdbi?i+p28Y$LSzA9 zL+_H_qXf$7^U@^1NB$7~dvLq)lrxL>;{I_X%@=OTV1JT0W_T~!@NZTnn^*ApD^C6s ztF{Hd9~U3NjxE3}0URu5ZiKH4!dK=!j}Bj%_d_R;$9HiDeC4$LZvIP_=aT<| zrfL7;1P)N&#kP#Jvgto2Ut7*N$|-8f`yWoAg!t(%sJz9NlUxjMxe?xS+A;Eivz&Gu z9*{KRByB!$ms6=z-fP^;vrqfE``mfIq8_$>Ir(`!cV06(&z*P933PF9rR6ATgMW4F zxQI3ohdH$aZc*QKkH4JS@A8ytpQ&$MO7p7;*^Wa{0;uSo7>XCoBjj%6Fl%+)?$S>CnP&}M02tC zTT>L<&)&4oNkyEY(mbd$c}Fl7bxkgUvq_80d}ni05B@`RCR-=tNE*8QWU>bg-lnc%FL)bqyNSCe zE;VvH;rQN(;6o)SU(!=qpIS=%8^ntrS#*nIe#G^{k2pr_-dew^<0l(R`Qq$hFNN&X zdRQ-)k0yg9Gfj=w&a6d@@AY1JXAMe*^3Z>CR&h5Bo5B z*bnj|>)#`s);F4yup3L*cGrt>g>@~}xpf`b)#ds|banWg@+9^~C6i_Zb?#)H9AB%u za(&6TK5)wCO?3Y81;;60xM9QF5Ad5h(Rp2QBQ9f?#y+ac#iKv4ubV59-Sq;b*1Ba| zX4em{=%cRa?)taOPd8U2?P|GlZ_?E@2f|x<7uu-jfAg_UzI|m~Mnpe2vD!60D zGs_*bR{kFDnDuhmApfzoaLXOT(_YIRAA?&KcYF+f+j7UOjjz|b_z-toHnbKFPTB$< z`wwu(ufQ)Kv-~pLF+8&MGoW?wVz^`0q%C(0UVI;Sy!t!qdX+aG;99(Kw2Jj=KkL}V>2_?=ns`Umh=9hYT*rC1 zIeYK8h3{U@{y=WH@h-~^Yfsd<+T2~y+S$8Cezmx1+WL)ilHzkSljEzfv3G8t;RA2r z+jz;%$Hy(cIWjKSH;nCmPUd2MVIT9tcqdT!?&Wgbue_!)m&)@M{AfBd9>2-few=%D zU`Ou6JLS1C|G;|2;29g%&zW)g@*O>_L*Gi;KF%1qZA0Ij*W;W!W^L%0bNfe5j$0m= zo;2^{&cizx$8Xy(WzM_}Gv}m|CmdHv?#G?m@~|~eE>XTi2+^~T-~qz zPq@}P5`BJrBcw!ne5sLC=AwDv+C=8Gi|`lzwC6YcgnWnNr@R^e;Vt+NZ^eIj7yiRL z@E;zki>s38A?%pKWN@FaEr8veq!;V-;ni$B&uytA$PPT#i2?o|HU9xK8o zf%J`}KeFwv|91ZJo>*6L?7~5Oru7xa+QY>$?Y|#}UC4Uo5*-)tO{R6=3&r>*#Sht8 z=Cbh69etAckZzYG-5JTT=3EnLn&f|sIZv152-AIvur^(D-)TwiJ0*YF=n+Zuqe$%T zIvOQMn6}g0b41sqsh1?pLETGP%%QCf9rNk+D*LeHSaZG|f8+JscZl=~4@-{4H=FK9 zHlf{Q^&mD1@)_50nD7M($Jbi1q+?p!2%D#C_MXp`#NXE;!e--F z06xBJrX=gwlNHB)^GZqfn^&+O9UG0V%j_-3PQ&_(!)H|28R__8h7ZaQCHihKKybm2mEd_N9ka##Z@nL*Jr3@93K)(KoR#owGl*FTIlUKiqxk z=xeBx^worecXrTL|4iGghd-|F!_t32pRorY-&~uhTX&c*Y`c3l@$(K!Y zjpQ)WrH3ZyT=i2*&-v&_C7VpMk<22Uo?48_)Hks!d`i7Tm~v7 z(bq|yFavNL8Q69Vz@cXF{~p*WInoSNNj92+GD*J~0HbBFSAC#Z@)a`>*8L;Qz&^>J zn}O|;oa0_4*#yRr%rfKI+di;K*ZA9J-*(4Z+3}v{KPuZ^{39C4pYp#~INV2$WIBG_ zUgJBaxL@&I%E6!87|WL}l)edGMEY8tZ~s%XkhCjw?;(7C%N{8*Dzp*1qxG^o3Mb;f zoBV@tX`Fd)&)k&0jx!?Bo45L60~MS<%Qy0Od>?NF4~_*7?qR?Cx7g=ChVVGT{}w+J zPhj_SKk`1=Kdo_M-{U`8%m4G6_&In6{{~+~J}ln{%AdU7q@DU`qrREG*ePAFkwjnZ zi*1r#EQvnb7u$*c6xY#t^09$GbiXh5isWQTe70w^uV4BkN%Sm*H<>r{eX+h0U+n7& zOH=-Ew6yhc+WH6heQ7HEeWWz$du&^k(26Z1AA=T)O8lX}!kU{M2LTz!+)$s$Gz6BX&TS zT)%3Zi{kpyPGU{yB);96T;Fc&{bkRve6Oa0ykxAW;N_K)XC zckMu2|K7t~o1-(N2M^iuPkZH`amyb(vQtNYc>66!S8ztV#g*rrngUR zcGb7Huv;B#Qd-Zt6+74g?0Y&m^P^)m{=_)P!|tEP)~B-qemlt@>tRh!?SL&=_*M4A zCSo_*!y4Pb;Z>o*;(OW0{88+S@YCCcO|I8B)|Lo9)7sg>iK%`AaHeos>`}IRm&4l2 zY};(M*G6;QHj0*02=mZi^Su5lcI!D%DojLwmbvk^ z|5)Q0=#%dDpZd$ziS-~`Cpb|1-oTIAIxX<(RN~dC%8TFW#$V}2)_w-z9Mq35svlXq zkuBI@Zei>m+IA3pMtZ{wR(w@hsH+_=~08PfmB_T!oB`mxRH z$J1Uvp7r{1tJfw$ugz9_ZN}QJZNn;0uXgn-eYuu!^<|#BpV{`+I0wVl=;`&Yex)Dx@_*c-dY!C!N&Q%BdZVik^`qSv4klM$K80U){U14t5QDJbxc;(t5{?~w?;6Tb-Sr*V zqx|{rSJRi$gPy+0(>J?1zB`*4jl6m}?Ns6$NwkgSk4uS0(Zxb%D9@qs)!K zTJq(U#9TnWy^@#@bhS&8=8R+tKBDAHiZkB8TwPtdPBiinCO=*+U@rLy%hP?QB)KmF z=fM2I`u{qr>k;NWIBPU>FZlz@!{&R+BlyTZ92c8HI^nG;q!EsqLU|nr@okOmvhbCB zVt0eLnuWLOg^dW`CrP?m-G{zM61_&gvX6uDA)JT^%aBS`yn| zu+$2lnx(_?gA3j5+}BwsK+ z%neU~<9fD8zG2++STfCTz+3X)bb@)O&Sp8moU>;wdE#fSr%aMOnUmE?uZ%;YS5Q_J zda0!1DN}WrD~X;5|0F$E5wazJyX4OpJ`nuoxH=+kDAui(kX*^?Na8M@^RE!rZ7E+!hGg#?A%+y6h+K47c!GxEbEzuc|!q~qHyOFCuGl#ahL zzw`w1m5$%C3%Z}Wrb$0(vW-cn`44MdCv_U-Av+-jevCOOV7j-$n1-qzjVx_&zHM)<1(UaOtxp(eoua zE3FNm-}oqtf^SBsK6@p{nr~2l?S;5{cG5`BQ98;wO4Ox3k#m$HMn3sQ@Q%tS-w4&M zPkBX@7vnu5Qrj{3CF zF)*(%+A(nNEAqcxf&Cs~t;UHxN?u!8BlvrM*cMucMIbCkWSKV#2o2KgkT7g7I0>OKOQi2NmObCP!H&Bo6c*S$eW^zHm-q%V*} zFP0Cmh$-Rvw>hjsY+`+cc3edpb|O3HVN0g#x!8$GUn7ZLD*1+aj<$V}eGR>v$zSJU z`uxoOhc)a6TWKHbE7~X5j_o07?OeSKzc#DoSDp0>`lFBjn97*l&pdkv=WNP<_7B)s zIKa4{?oS7+`S7(Bhh$#G9AIcZq5l}zpkaV{KwH&|ciDKxe}z$|-AmTLS96_LYUF=Q za|G)bsloK%yMNL*oVp~qbvfhu{rbXC zJ+^2LNFABC*m|AP+zb7*=6D$m)^1UgM8-S8C2rdoYh4^7*B9Wd6~hvrh&N-y3Qz{#1y*3iljQTQSc9!wj9JWal`S zyt#RoH#Y}!afWC^E7*!Y47VE1&9(PL&!oL4!jb4;1*@01@too6;!^NUI)1cU{r1_z z17Hr?ls546cH8C+1FJoZwZ@IN^YTg5`GRzJUT*Q#WblycbIL0Z>|o2kt>2q(|9`Gs3^!B^~4X}xUIhg%a=FP>|X=HWc&WW5XMXS{eYjP#*- z`4ybJ4}1kaI*Grb=s|2ZIit(gdoy;%Nh_?6uBpu1g(cHj%b2RRDAn~?_jO+3C)9@J%e!(Bz=x|><|BvG@)yygw&U)gwU5nZKoyNCi3csneb0TLR4b9Q} z%KS0;((b78gM|z6_sU#6hxdnc@}(_1oJD*eg{|ZpyGOQ1Tm9G^jSP3r);pfYnY%-N zw%s$8j&sjq&Tje!JWpRS7{OaRX+ErZ|D=1m*MZe4{d~v$G5OQ3^CbtnSL4T5|Lrx! zv4I8b!I{VU)@JeUEz=42yjc8q$6f>^Vy*_!3D8cCH;38;Si=SH-YciG#ilPH7Y0 z|4MkK&D?(hT*jJMZ?G^1ero7G1BT@JS{h%xtM$l>ti6HL&KAbx2e`RpSnSQRVJ?2G zr~a#l#l%AuadxducbIflZai%o-pK#HD-GXY*{rd7z6ra)XxLxjmy&PTMeiGSN;nJs zw5!9Ng@fGNT~-w9*{=4z1{1^oP%AI_&e4>Tk+u~OxWRJ zLh*3IgyP(mg711RFuw-d2^035jfjqf(ON`^hBhOG&7mA^c;J!i1#RD=dhb=IkJid{0~KN4h9Du!!>Y zTpimf7fkfO&~?^QBDkmpOc;b`5C(jbxx3C23c?|DY?7X8dclM`TS&gPyDrJsGMIRs ziwV1!e_LLT`L}qvp2J`%aH04z>vKCI$(bi$!mgt_KM4+wxv}No4k`{@p0B*Y^LgUQ z@W))^LxRbfPllNfc5Rj99HlLi@LZLWndWz3!mf3?W$#gg~xF%tJ=8kzaw9yXQrMt=(TY~;$ z=F{hyAKUi@JopTH5IopbE&dLl*HwD1m&sGlIgEBiGS}BWnIQB0u09984jnugVNTxF z1(zn?^N{3la|_RPesf&x7M|;Tr6hTSC-UH9&X-B2jF~(qyv*n6+w-Lg1B2%&Y?zr$ zTc1DW5cYGh*(h^<@3>Gj0)~Lsyaf&|TBU2k*Ki*kS`>V!v!~CmmJY_s_1QD1&(D*d zZuyU?_zXTjTRIraulOJnCz}?q)r-{QIQ41)pLByuj>8|l zNWXR`__&TYEydV?(!b*Lj>A*6%#{wu2WC4CU)7Q=9geR_`man&g7nu+H<;=;&)#y; zhn{Y_Yox;o_DO#oY?5Jm&-h}gT+1hMs`PwGd=-NiQsuiC9GXgfdTS-)P47<0)24T= zWVY#DBl#=STO!Gx@uWE9NYi^+`QWR#OA^kZUGfdn+a#F@2RFv_p3=342M_bV#vak` z5!3#)Fnk*Jh{A&lu}2gZT!;_k-bSzzK9M_)D8A8j%pHTz9q{8}@FV=F>?8NXi*{5> zrkNk;OtkH~=AOfuoSPJ9I;x#mFY68+tT}Yd9U1Dt{!kdQ1AbB%GEwE0N~YnH=2i1{ zjxY9Yp6Pk6yA2#M*WG)3u?M6tkQ{05H3wK0%vraeCX^Y9G?KKO+|LTVf~cU3Inhod!6R)?31tbbmoFq zXRfGti|O_;{|GBy=d_-zxh-xq_LtcWwyZOxr#`m)EnfLsJ-;@mJUnn(^GkRBZ|ifG z^FV`U9$RF`=GcZ3rG}=syS+ zTJXuxx$U0{(MRA*wHvs)PkFj){uaAjA`dW^&KA-lzQg zt+jXyUX=cvM18@7L%tYnT_zX0b!qbI0xq+4VP0zMa>=X9PA|UJjaS>*`s6X^%pxuL zWdi*sA7eaQ_*`ybY!}ab?y`rg5>zjqF~`F#lk^^-pY`Iw6w*~E)o%j6h;BRiVvWu` zYON&hBYacp3u14kEeqLtZz+hKuW|9@S4+DY~zeoGO*;o+!sT1FD9vu3(Gdz5Lb3yF;_}e(o+|%l5MXt^~*6Pe% z75^muslLa5>&?l8EDry2YRiiehgj z6%wD@Pyx<*TVb=p%DJI|c@@#Bp=^Sb}uW^8=; ze1*#8*$#Soy{8}b^oXY)^7O;5u69!W#4%MIf4OGHG4>WYNevI)kzicxk=(F^u*4Hf zgI%;iA9L^>-v6u%OxS`SB4NTQ_~sTKe2o4U2iy%l9KwS-H@62YI767y!-LHp#_Iv& ziC=q_dlsKq9vtH9g!{U|ea+iAN2!=~pt*(DoXe|yjY&c6E$R6a@ZfV652i#?*k8&z znZ<)$d%%Nx!EP0Q01uXd=hnFEbG=~~4_YqH!-HVMVCO*>4|dlNi!BizJmliR?!#cr z&D`JT;Xxxz22Xg#eTUwI2isgc*s^a}Og>#~y2D^v13s*EF`>nSjr#98yUv}u4ijd9 z33LBMOxScCCM*RL?zs*VmRU^J&^!B&V8U!KzTLxwUDsj4DllQ?HJGs4!-ShXOt{*^ zd}}-mIM>sQJ^ixHFWj5-hcIEn`!J!fVBFV}>)wY2TZZqlIM5e=1qVj&cs~y82M6}T z4K{-Vd%%I>2H#*FHE80H>E?Ifz`^ZtjP);=!99|W8QdvJnyr%QW{`RF3h>upjU>Dv zIB+niYwp=1$=m{taB!2ZxsN&U3VbOIGOzw3`ThnRxPdW#@Pc%QJusZP+eaGk+d|>D zcG)|=U}X2Xka*d3?#E6^cAopORT=;f_SIAOv)DmWFWH2yr(UxAl*h`2!+Kp4c2MQNZrZ?x;x`v6Y+oFHxQn^QmddZNc;;s#u!|!N^WBBmrX_%>)h->( zdlzD(b|?A(++YXu--Ym49n60hf&ksWNkq-*!XU^%-vt5WipiO9^?wr9_zvcP!AEO+Pj3u~W0Yy10H4d$qx?xY%wRHU_?jxX5Vi z<|r2&vtIQCJ8giwSr4x4n0ynyFgfd~n7nw#=sZczoXMA@oSD=SyUGpNQtDio4PZQ- zTN0f#iu*>92l#G}@Y&DJB-&5>oUmWp+_=~z+A#_)n2K#?+idBS11_41eP-Ka>6CXy zdc?HlN~c_KiOTleOz`bBWGB z^*0Qy^V+ad_pBlI(>64Ne{5J#>70gXtU23rQ5nl`!}hD0v34b<4N z*5}H(vCMCq52;SaYre+%aJRAX;b!JHJLKz(`7-&1oA;;==-X|6;pQ4IKIp~Qxbd?6 zQ{8k<>kggMx{3M*3t~FYqI)ZIE%-odA6UaY%Ht6_!GTLyBOhe`-wB@R0ta?k97S7z zMZ}|O?KsLjR_&m+v}^YVnS&i&5o#?d4=tfDJL?N$tfe=|=geZb(;eK09}##?&tC6P zK}jQen*2xuPJJ>?AkH&zya?O2nr- z4HG$!YdIKV!pV~0!}LKIo~a9-snRzh!aE%7y2O0`0_XQK2VH!kAPB!0wEYP-ing;4 zsG=}7-H{C%|A{RAliSyZD!u-^o&IadDReo-G|t2prwI16=ki|ku1SMBSljZP;K6fyRWFZMjM(__xmuMg9PjCEp5Eu_ z7d*Y))4N<~$gppGSX}>cFq6*YoxuOoa#}n2PkNZK4{RxZE(KgV0DkNND|U(_ym%Mu6mZmVS{4tc20Q)naD&K%_}DZDnG_%E+-$K-u;(&3 z^CH+!xOWTr)UtL1A1J(M?MlyLV+!}zd~uk?cs5-dW#z`l2D^sE&RrPhraS885doL- zEqWT>&8E!)1LlY$&utKY*-1I#1+C5KCHK9vcCfN>IPKYvp3yfpr9t@qY3}Qu2^QR| zZ>W179dY5Fd=Km8>iY}-H`&vZJU!df`;-^)7hEj(H04{{(FI_^d8CDNEa2PGS>j>A z;-c8A)L$5rJ_z^D<-e-7oaE_wo}S?8X|67Qa4~h&_jmD(cq5<5L)^4*pvJroxIbaR zPB_C(q{|DA*j4oPjJmPg5-b*s!U=xiw)bPf!RxSKKUgrrI`9y_>N4zgV$Jswm{7cn z_#(~6yY}cB+{XOe$DDkDH&5@{sc<-?O_G`Bj=XRUMiZtK$5dJM#udEwJFukovQ^@bPS|ZdSWWxc@`N9^ONYm~ zARQc8g${O;&1(sBC}FzwV7RU>>D1>aI7#=nOXq$to-kn78R^^))|eeLbT!RJ4qfud*AB+XJsvPjoW)BMnh3k0sYRNy21>1xLng3mn z1=kDfF(+LwtT!9!VL^+r_Nsk}-!4gfmD&@1izNCwwH^8zN%YmE93g9T)5bqww7s z#c_V|T=9S4JMidoaBF8iXAmp?lEYaX#8*hCZ`*yb->{bSChJHqBVR%aBVLOM#S0E$ z!u4RnSMgUe81Z2f?_$C?kf9+=xQ72cm{2~oE5U@%faw;43G2Xwb{%&%KGLy~lE3M5 z%yn%T^A#5xCO1q656*D18vYU7`5pK~?O(c`xnfI+)}me89breyW0eY1!0}aS9uFt9 z-PM`%UV{f;scESgvKIyO7>&`)eOGJDcJZLqOEspWmubw+#9s6&9vre46)(6VZY*`8 ztWBh6ytU=8^UAOE>a$jOP@JRYv%Ut-4t48OT@-6MMB0Pv4_D zpfd-we!zoXe9()papQ&cR5#(lx*V6B9oAM9 ztYP@sRt~mdBbAbL2XGNHFO_@b6ijsYKxR(Gm0Hoz3sb(Zm`zSoJqKMAmZV{ z!v!&mC%}jIW24vxwz6}5u$7(rAJMZh_ixnP9xMP3v^qFPy71sM=G5XZg$LW3gn!h> zsw-`CO8tl4WZS->rOb<8?Z#^kHeGnI9iQoqdVcraxefd!?$Xw&R%wMlygD)Gw0f6U zr!8K5wHvSJ6TjOA_7kSx#+*OXKr5hNATd}Yw%#nb$GDk z58%O)>+oO+c<@@zZU_%r9A;epPTZpKpv7W)z(d#JL5t@uT*ZUp_O8W);`pw`gW~$G z#e?Gf{umw%G;jgd3gyXJY!l%K2PYM&}U4sb^%U=eV z5MS!ncMe$PdVX*tIBdNzVct#n-*7SEMh_Ei1j7jvZUnmt6RwB*+X&|;?6(o@r~U7p z@Piw{e(N8B58uOnKElNh3Ik3fe25?H1Y=CQh949LoCdBN;s@ogeHwKc;s-mybJM8T z5I@*?M7rbggFlBK9A){zLj0?UA1uVbiul1o_&D){h2rBPk}f}32xb&NSg5_dV6;Lo znE1g$FqinjLNJ&3!9p;X>_rQ~T;c}{!Cc}83oRyeEI(KXu3I5YXE7lduSVDmoppxW z;Rgr7ptr*h4u&QF%?wsaj>o1z@)sT!yul2Dc`PO@mi*JPpg8mE@u21Vc7lt9@4&q8 z=Ldgk@!xXR0$hF&e=p#|hcKb`4_cn2lz9Sk z*!S>++g<&7T-f}Fa3S-Ve?KmazseI{!G&;E>x3uZtSl}>x42Nc=DE&$aG}c+UW*G! zcUZWO`z$U*-y__IUTvQz+|1n2>J}FgZ*ig1@CR`rxT0>V&vY`!x`GSA7uW6~w73wQ z5d}k8TnG-axUlkrap4e8_#Rvc{(BEDJnG>>aL>P=C%iE%&hQU$gm7Z-;RvnXWZS)= z+2SMO!G_`puV6y3TJw>sn9%ZV;KV zbk*lQm~gwx5n7&iC-^YwI*xFGeLi?|;X&Sy(*>~!ym#UW--8La{{c*BnA=}?KPF5W z!h~7O$*b3fhA^S+yPU$<1UO!u1t|bC|x|HwYvoqP6QLS@B+RlOrZJCF>GQosa2NT*lfC;UB+S9>=(s?eoPDkM#_o`km)Wl(9+8nX*;kH_p z%d?#I^fpiL^Yjaz-tOsLuC8`c{VXN~Qwt9|@Q*2X3n&s7ta0@abb}6X6Fas!qp#u3-@}su-3zc`#fA2{v)_>i*Vu}z=drd zF026;?)eZG_NK9}1CRJ#o^aT|gC|S{7v{hdCSSpYpPu$1E*!G?{16wy$!+#{!VhsF z7?1V{3g3N*3qQn#!h0X$!uNB9AL2rb0XGfth0M=C#Dz8DsVrakAuhCMHvb>Rg{S`j zF6{ac7h0V7Aue?J!ao%kp5eVY`)A_9J`WdO@NnTp4;Nng09=?h{QZ345H4&37q)+h z3;)BouqAz0;fQT_6~%A6YpgHr3O4-3E$_#M@+;Ht?I-LDyMATb;RmhXm_44~82FwZ zY!-WJB=JRoy=PC5Yv$2CMpAx63EQb_`KgqYpGx_LdBOVNl%JYsxc63kAjm(>gZN9? zAphd+?9n1k^o*oq_ZCJ^<0po_gwYG^Z^4#Oz67KAAC>>YC_GZMNxlJ(Sv%Lkdg|O3 zhfere*N05BNixxlqO9mC<$KJmNAG}lTByB$eejCf`-d%6qVz^dd~`HYuIyEhXul!h z2fclV`;hqbkbP$v$&$OjJ~ivUvUj~dyc}8{r7`Bm#zP=+wI8;gT_9!bu01cb|!H~s~w%dB+hBI ze8ft{)B z(dsyN*1iD$gxF%X&sRv9=nf`{-Vh{&eu_}sYO_YOF*%_%MvU;c9FR+qr`+%(qG(9p+o* z7blFZp}9i?U6k(4SdCAZ@QNHehTbrY{}<^EWBEgPZa8J&mj}IJCGj`VjH-K-mp}p2oa3K2*`oAHat3 zG<5O@b}D?^KCne$Cg*JN`RnR`i(QDWQ+GcUqN~;25ryb!r86uixhfi z3JX_wX9^3^|4L_Ai0)N7!$SN5NoQDyZy@Om3$de=EodROlCt?M#I|`N_RFK0KbF>{ z6BcXG4rBMZUTasGXnfRF1`_MFhM^~PbOv&v^m}|;IFQ)OH-5zT{f_Xrg!9n%PDj`K z9%a5knO9TZY|7|I7$j^vrZNWE@ALc)$~-=uGnwU_W#s>LeQR8qba&Vej8lmH!Wh|A zKu=K!T_78C=*ga~xp&V6w)Ep!+wkwwc2quQ@pFaVPCkp|rxu?TuJogArP3|$vM-|! zA;K)eHu83nrxJTn-QBPVyRo^Kj_E22v?Y3r2V^EujuU0!@6 z@$xwuLvP0OMpj=h9brZ!zC<#3WcS!I85+Hlq4#<;KHuD~?UdIb+B;JypQG`>P_J%B z$WNJi-(h6j=KbjBJlgj+x?J~>W<{|7a!q~EYaBkLI{9Y`*O_$pa9r=89CU%?cMqcr zG<1zA&-fcP^jbgN_R_nkqw4l5=SSA~{zl{I3fJIow6$8g!pp+S6GvBAd5XW$)<8-m zzR=SZ_MIs-_GRb_rNim)ZAiIqHS!j=UG!Nb_6hc4+c;A=RW_vbA$*#NM;DjkpSy_? z-xbAQ4RY)_I>drthIhtLem<8J^KIyUmKUSX<80kAeH(PL>}{dZEye?*@VOF<#PP>C zLH3`^RCWu#fvCUQ1zS$qIdV9=#G`XeI~%{7CLLX&(&f)FO1pHSD?HqwZ})uQoQ3aI z*_2+T`aGq)yuaSBPrk~6F7WHK)K9PS()Dd;Q74@z+{M`?ohLlZc|ywi<~(7G$?G0K zhiA?YmYTBM1Ldl(cb?FkQQYFCt3EnUD1Wh)>c3UgcYbkV5obbU=nCb#)YQ46IKg?w z$l>Yc``p9m3UA{(W2K_$3;OH^`Zu3&QD8v0ZG2L~!G5$2`%(0|QTi*~HYEu^f#`-S zv18u8z)5MoNaqW^vAL9SiC)s23Cq^F@y>{vv6DMZ{TMNK&dZiH$LI|s@*QNp<(Tw_ zeA@#5TPviKgWl-Vu18CMZ~QAQB!1UhH3!gjX-*n{PRLi{vYD<|A7B@}#izIXbc08m zIaWpei!^qa-?W+hI~jZJYX80H3{AbZ`E-j<@AheQh9(_ssCsIQntJU-5BZep#(1M| z<583D9@wCF^F5#V^g*AF`}7f?KIGFek1nLGygI&9(@_|*b+%A?S?TFDFZ<3G_FzN0 z%b%OY=nggi+OQ#QE9E{1ohzI!TkVVpHWqFdHl)U$`zds1<=Bx~W4FfDN! zcF2ckm*DHq&sX4`iHl9=EOSvwqA4^08&A%vp{qTRTawV(MA@7gU&G_4C5oY2Iftlz z;ml#AyG-jE{-kEBy`i`I^fsSf<SO#MYn;q0NpzR- zEVj`Z^mq6C65Tr!IXp$rWx3oF9qArll6Xw#F*%D_taF&W2YcVhz6_ql{j6@0t~EElo1#0T1RUC3=dI68k16ac5gnB0fEd z?@3Bnh4+0waOQpApFw}E=9j`a(z(p_jNiWdL$o*aoh#HiP4%sJt}y#C`Q&NSSwqeg z%HQaf+xl^1ka)_G-wD9+F0zDw?z?pK({-II$3SwqJBBUJcl zQ((@pe}o>>9fB5j2<}^c-}hIBtReDc+IqGI%F&*!8?8 z`JPeua?dnp_~dW1jCaQ17t7$$(#R{^mPUFzJbW5wZrV5MTo32Q)+v0;ZijzM0~fcK zDr~Y-k7X+yVIKnr%;(OwYq+!RD=_9)*qt6)G0;8~>*q|z-trLq_;lcT*>1FJ<^Ie_k1Dsu)Q*GvKYUfn$CFhLUQRYaDHv22~ z)vsbx-MKBrY36*{=wI%&k4J;xfe-EDTNMtskJkqiqeU+dChoy^=a0t;pUJ!OsMGN>mGOa*LF@-3 zT}U1Cm`CR@=N46svU7i#Yac%mAkQ#6&UiW25KQC}KV0>S3%7h=_f`fIy^QA^z1vmX zFupI4*hAcL8#_$$3?uH#$^duKyup0nyk`#c6Aao4{+6H5RxqmZ_1mC$eE)7y$oyWe zkomnpA%2yL6e5$!rC-5{x)Z|q{hZAm65tZ~jG6#8XaeG=rplq~x* zty|kzn-sT9VV2#^T=eUlRDi+9a`scPL{k6GuHQl`E?J@8f<#I7UGMQ zbG{u1gNZfR_IB;Tk1N=`V|OrdlhVsYgVULx9j@ZYGhK1-*&R;>6HWLi?K-G3hS(hy zqDgNN&0UuBxI>e^>{=^28@Ww`-Blf6UH1G1%T~XVGp6P~Ov%3Dvc(={Z1$u0K~z=ZneLF-0_fhx6r&m2a4=5PCemT9JJ{gRIC!?hs4I2QoOj z!?uV=UYRU^!?e?0EAa~0`w`L}BGlcVPmsQZw4V{S!IQ_z;h`54GiMl&oSg;Zy0LYf z?`kM_KHYhxb8z`<-w(@w`egY>fG>kbH-7O7e7eY|<31e{?$jAQ;(Z*&nHRTvyScX^ za@d8}hnGCK&G!viDZU%uoXh>QTQQ%84>!I%=1ud`m&tEqKYaA0ySM4wTMhB}LHQKE zQMi@!Ywkh#NbW0)9E8_2beT`XKN)(jN1OAMpJ1CiU9|kHdicPcw>#p!=hFi5)zk}K z&D3L^UyqG`dcL0y&!u$vBQ^D^#-B&2_-^0d>PD09erlH_9>oXhr)zzBo&2fd-veHf z=iN_pd^+sYH6E?DI@RB5>UZ!X)o>AhQZ5Z=k+ue(9anOfiOzKzJK3oGlO{)ue1LY5 zFCB-oq%nN&q;po$^x-GqvdPoA3vY&_`#4O0fuH;OOa9qqx7E1}`%d_IbDsy8&G=je zM`F{94I{m*{T1WSKXt&gC3`Lg`TQ58ytZj_3qq&@6M#pbZ4N~XJFt8@y1}_ z6S5bD&i3i8>N99~V5RrnuOi&m$4d)anEOlWz4!FMH=Flnt8b{se7_z`{dD+blfJ}D z=ezuRaVK6fX?i%)|WDBtbbt-6rj;-~NR($!9?qwe0=tUD@a z7bl$4N7{_6}5#DDB?@(wfol_$L9`(V+Txm3=b8b3+8b0G)(1eU48 zS4Ve|FS96+Kb5PUFOOl@Y0k(Z*Vz4yt+TKYbJy)SRGgqcBb_b9x|_xAK3JT%61>n; zgDthr89!zEFVd51zQ^q;GVR8>T%TU$(Y)Io$b9Lxi3bn$gu!F;3IDz0OgmB!(_fLEEq*;3`s(GUFZa?lR!zOC z=tppo?$gnE*p5|xe=m@HiGHg0>8(BuMl$1JvQIbobkw8OR;uIEMjq8%)7hZ2u&m2_ zixb^;apH2}U;0u0t<1STzC(8twS#wcenhOi3XI$+<}QP$pc z;a%=K%m)Kc1_LKcUh!tlV%j=31(_6O3fGPWmzZ^U{ItX-)>E)xr0a<0%n%O)SDW{_ zU2D}=VB+mQy~m>;W?kRJw{&LkZLG^(M?HCk@k^5{c@F1qTZGN=HFHpX20c$UoX{0s zx;YE6uq4rWNa_D_x8XAN3GaPMZHKJU_37z8UGCG{eR`)yYkZn|?Z!XNHq|X!^Aq|m zcF?4|U7zUPlzYghV?Mn{^k^_EX>l*DGLUQRO})D5PDA!ua9ri0J1^+-P1AQrMJqT_ zK1pxC}0qe1}jC*HEeh@r;5Xsd$Gi6;yYASI6YE;R zo+*pIyx_}Y!Ni#U)@>=@Dt^4|CTmUy{I7hV>MjiVKox#$0V~DfC0f8sx{E#z4^xlN z_4px$Y4D#4$pcSQPo8)*m?&qD*PZln_?~k1`uJXjjdphnaV`4KbMPJI=p^Fsu4~~T zb)P|eyZ)!ye}@Mz0zby#Cyw%5#J8)JrlmB{fI*77`i#7uahngx`uqx|E*G(VjqOZl%8(2;;Iy;*t&bZ zeK}ZF{A~La(XZO;_&&8;`()7; z{CqmPIns+nzk`o@>QbQp@Uu&4H~3!ZIopMo$0-Ca=PDgt<^qN2GUrK$NuA&i7wcQ% z3SY`V;djja~_%B^+ zHqS`cdJKK4+7WQqpkXNq2+@C~~=BS6@n zauxo??mnvces(vwC=-2JH@tWzc&mG_Lf#MV%GCSo74rTXg}fiWIaBXnuIG3^xa(~2 zMK^flY;Z+)xx%;X?qdp5?d~HAc|Z91Y;?rkTNU#DRSJ3kGKH^`&Ub-Dy1_nYqmSxd zr;z%D6;hvSh16%cLh7?rA@x~;9~N+GcZEXe1qyf4UKU}pEgkSAeQ$$kPbM>o@4kt? z?5g@f$l;Fj)%`rmBF8K3cafkYfVX56+2!O&|J?zZFO6`yU#a}{znle4UGuxT8< zZ#+8EiKF+8w^)e+aD05BLg?8Fv%%&(zd`^1ivAMcv`?W^vSw{|U6`umV zO|owAK#ulwXm~QwhCfV4uLJ+$=^>hHz)$Gc`g?cN!$0U;l6gOTjCnu&xuM}T4Bg`K z{gRoR`oKeo$InDZvR^t9cnibVkJmfk7vVh&4ew#-xX<^)I~jVfpAN4gT5Y4c=}z;w z_<_MCH+a^_$@v)du39jXr9D^q24?<>Uvm8C(N47XRNlKa}W% zM^ihfE!*K2&0UG(Xpil4xto5T!Ey9kq!Zr0@2sQo0U76R4)k5!U_SG1@U_8jONzZV zS?*)De7}tfyf*5Ys`P)kn|>K_y3ZWGRrNOgvr2kS`U_s&(38D-O1Ed|GB4fqA3Uz~ zm3{rE{xWr%Jk6`qR=-X={W?wY>onD`(^5aZ+Dkv#kEP(Ckj7R^%|7*GnJLfh$(WWX z=i7VWlTAM!)4S={QorA(`~3=EZ_=Y)dS5>ZznOkq3vQcD|C~-g!uLzZW$L|9ZSD2r zG_afL#}n$?nPIh$Fr4YfQl6bpU&=3L1^o$*6L0-*{kcH>IosLSFvr}-X!>*aH~lF* zXZm!n-={5ppYAD^pH_Skt9^9#R^NlJr%de!U9RtiUh31!JUR`0Y39Lf;^nItY;m$* z=llJ*-0#;apAP%5U$JvQKN! z@l~o`{@h$=(p~vCMrRe-=lXQLPjB<-?LNK5r?+}^U!TfeLw#DtotkavrG?ET|JX!- z_4Q@nofpDvZ3Xy-5uRHh`+$+24M>jugUu_z^1pa-Dz)d+;*Sd>C;d7^hS>s&i@A61^)T|i8%X~KNp4NgzXHT`^U81 zsYB!gam-@|&rQUC1oKyz&eGk3;6vdsVX(T>PRvQNtRbyc7fe1izCG{6oC%MfIA3}> z>GImaJuz^a!9ifP!(g>Gu-fJD^t$JKAbfQvcwr!Xbr;WcfZ00X_0PoaQFoA^iM?Yd z_~1dwVCC;aB9BuCMc`(z5KIA=~aer2kPnES#}Hx;Jd? zPUv1eZ1A=!goa1W7Yz@V5B)07#o!CW#OdyK>G5Ll31QN7H$x0Q#N62j4;Q2Pg9EIG42p*QcO?tdTU})W?*a~jbJ&MxXO;Fz5(y>7Al&)=;X?IVb z%JaKxc`#Z=VMc*kptPpy+%7LElmp9ofZwK`huW0H6o?Qb!uY2UA z$2$gQIkquCILJP>P9b`{c?!|v!HXVS@uAV*9m7WR*bxi*Ep&IO_Mz=oVkgh;;JMF| zxib)~@mYF+5E{%fP36IF9~y5Zrjsv;-yp>?-@anpw-*d@q|56{PDfA2-Fx^b>Y8FD zc5#SvtKq3cxlmgyq4bfN9qpb%YNsY2u{ zxeC$cCDZ@X$$@hw=&rzWUzb;@aREI$khq<6>G4{@cQcf?ESGx&xl3={aHpQRS<8HE z1qaolC;O6h>vPs3`R|p^t##^9^5ojmxqVR&y?wCJx3z*1rDv0_ub%#RmUg(C=Wmvt z4XpJL`z`>ADTFZL97g(}Y{qRCSu-(A>y??t8}J>Npn)IVG6^c$?l@*51j z1brWJG~H_{yX@F1k^LKtA4}uEvH~64 z5%}CZE89J?RC>JZ$dQ9S9rx)e@Zcr?cJJU?&IqLJCNT!GPNXeJG!PLMLs=6K0)~27W2G&WRL0s zUErrr_R{62Q+3pRe6w^PUvhDx?5t6C&v>`_b`W+J?Zxcge<3l%y;XUD0QtgE04;OeP-v>ArNYzjjHVG~M8D zgS!lU!r(UaO|oZ`zR64PvoY>DrgZPVOV9q1JYnxW`*!;8-R;v;eR`fxC;NPUj_1cn ze7>m{Jm$Wr>gMZVb4|Lt51tcD6xmnm(;h~O>|1BbbN6lZ)93r?3k*JqsGU?t`9?MO zUX~Xp(&?}6ghAws&c962`I}^Q;^n4n>@xX}4Sg@h`vIG3rF&mvbxX=ycxSb*J z1K6VrJlH*DwqtZ-IbhkTbHVecU9lg$XZ)gqOZ(=Y?wdDufS(j6j$(IbY?F5yJm_|V z3z?S@-NORTb$izN?VfDp6|VGq$U!1KB5O7WniQpWf!t#{RQY**cO)w~M6@5(pn;CtCm@;&2ydbUp=H08NHM^qPmub)28OBcpe9ru9~ zcIl4SZN-V`nb>jcX8zO^C+e*XqgPj-F<&CcTgX2oGDEt(vT2F8keO|!uVdgt@6HGG zc`;;daMfcSUfv1Fgl_+*8zT%K2JKl*gW>W%2M?q{f;hXere*?zyRHg675(3 zmIw?A%NHv4>(Tf!e41DwI(Vm6qTxMg7X=O0Ztf;VXWgsWq?S>ME>qCiq z@fUQFH8^}_aA^4OGTLk@wzJzq>?Jwj4t}wnp+s!C+5kGrSgfM14I%6dON{)5dnWxm z?9tz?LPqCf*!^2{zXxl{TD4;^y1qK_j`Uz=&9Sj}*ceJ2+{zf<=H*+2t}#sec5I-2 z!lh4n@;-w#HR{p>pF8V{Ltw`-5ulX7D|9rx*-KHcKcn*+Jv(2@UJ zx<=_4g-KJsWo1j>*qZ!Mne>e5=oxii#>mt2ZH<+Z4VJ;C!mjIwTTe*0xc;E^&VkU# zy5B<|NH0!ID-Arheq8XK-$HMm@(ZWFVTJR@vgOYDRljte30>Q}q58+Yt;@lrRq*H4 zrHS{rQ-yJi?9qxMCkht_1NhAy9G+%{qWH=RZwL$xBUcJ9!G1TCxP5nQ6?Y)^!$&jy zdFDTs?(PVeChGd9g)is7+dn;gGvSu%AN6kPKOp?P1AsD(qVT&CD+mxy77XNEbotwqr*xG4OE++lDvm}G)*`bOmeXTvwwLK}>~Aea!INVHHUSXlRg zw1S0O=lK{v$A322d-iXXEBtPr-_0}I(6b_=aKWWFf|Xmx$>xve(^U@i7TIS)Z}c%f zJin<6SY375sq(;qro1Tq_=(zQgq@FkKysOU}V~r>}UPdc@p*PP+b&lRO3*Y_b}94gaHhNB$rus&^C(aCH9i7S24! z7Fg(Xu}j1jcQLxc7VZflr z%a#9QW21Wz9cmZ))1&C%zs-0V%UD`OTc$I|j)#;FUJYz7Tg%F-;hz2O5#jic?PE)X z_lJ9Uzg}^p?62bJ{D?dLl(7BB_9)`MUJ^)*0>>FU-CX(z8CL5Q#sRXb)_jHF@12SV zk8f4jWXoSy?F#JND-?q5Co2Tok3q*LKhsNu+j$;bZS3*aYCJ$M$k$qFgBGy1Y(ZMU+OpA=okzXm zmMa`=%U^RGytr0zV-#{0m32f|y_0bm&*oY5-toNwLe3~`kR0GGJKi9gv*O4YBvXr5 zi_WsYE@GU6Z6!yLU9Ll4>_ztR@rr@=W^j2N8Abtm?#@HO#Aex5>n2VkDiX%^%;@-DAHv|*S+>;VNq%wxuoeM>izFYKrcIW(H;&Rric#Y^G_5;4W zbPc#azAAuB<8{tya;HH&h|D3|?rgA-!M@HMr=5AOBPKiF-L@y2C0|rD`CL{=;LC*LwfVbDGv4kUhn?!GfWkZ49u^16|eyk&P}pvMJgciPyxgULJ6 zMWYkmI@;L;PX8lmwW5#6Za39_oVW)GWvAN#-sl9c#rIl?BiqXz$^JXw?>}GV+2{&~ zBOi}+PL>@m^8QjVgZQcfpDyz0xKD!#OnSYrg?G=G(Jg`d3apHX?uWmgdqa-E8`pqe zKd%&iAL4$#yg0EmI3)5p{H~$Fc7~oW+^qCzhL%6g>%kO9z*WNYpMwiLOaW%zAif_= zJbfB`9JIkB9%eSQ!3o*ud^tM@FMkA{yHB?yOwotW&3lVhXDj zpFY(~=i9t`!QXy9owO!jzXb0{dG6=%s%z01eh$xRX!zSWy#MDJKAr2+YkeC2Rq1Lg z)iDn|A8&rGrtS3M_Wtb`;j5H0OkjE8g@RB<zgl8ycqfc-3Y49TD^S!DI>G1o81`CK*JN**|oL!uFi$3dGqWN%XSQt@#b46&7 z@sqkM(4RXmMn1OxzWcr>z3w9E|K@?^b7=$mR(;rL^zxivEdtk9!e3&iD_yVdmX%#@ zH@3Qcx_KktJ49d5htli%HrK{RSNbW_uLp~bZ&qPagT0^9`B9|jy@Mt58ID-CespwPfbirF8 zwIS~vFI=R0`1Dr49y|N$<)>G9>8wv)y{b8bSWa4>oo?8qyWJJSYm~dir?>fZzE4l_ z>772^;?ZiWf49?R9pB5mu>aXkw}~}UZE@00w^HAi^)Gh1gFQRlYR^u$v;N0UM~1K8 zE%;~su5f*9Dn5wSkN5dDy7|+z7Q3BOrg=F3i01B4&rWxhX z&F0&LosXTO(;XxH$(p{~*Wn&gpFz*}vGYPN-Qes>aC1!Q|6-@RTz$fOH>mCC%X*(K z^Xb_>-Qd$vk3NZ=_kf+Zt8Ttd_mD|x|=x<|L-=s!Yz~k$wpVU zxx&kR`dne=Q+2w+&i|~_ooH-y|5cwm>D=RU9tYE%X!!nPpO;_kd^ztTr*}cA^VPx< z=j$cYoPR9eQTu9W!3Y0X{$I}Ld%c$YL;kTmLiqvS6Xbm%-rJAz`AbN0Zs(5;%bdPDmG&VA93IFFpBqRE|2mK!P6?(&FAbzd7jsrV z8WMjgdY17GN;MGjBxA5flhn$Jy2(>#`T9!{SbaNxB9+gMib^@ z^H)e%KsbwV9^p)E5KFK>97H&P@Jzz<2`6IHnTI`RI^j^l6l_Q>>_^8UW1E1#iB#^{ zMfQgsR){c@a5!Nd{^4T9cr2Jo@DPhR^6K&>radgy31X3tmz_z~j@Em-Fjo zK3(q9vweD;PmlNLzV%+~{4IsETi@AtwtMWTu~)Q>OLyAQ zt1g8h4XyPa%V&JwY^`OGvj0Gx(Pe^_3&%scbwk=euw$}Jv3%goUonW*Zkfe zbMLIPIB!0l-}dUEy$5S7=d+f8^LY+@eQ4-^d=VNtY1{GA-L=)hcXAgkzu=X$;>Uks zr8ahiQtO=RxxIIcfB$#2!Q#jJ2l~&f4;MN6Lc{8Q6CBjIESS~!p%rXA5K8A9`{=qS ztc9E|em~;(JANPY`#~Vs zIKi?Sm-GK`{89q_S3gJjFNEgw###GbP-;V`?CyF(nXad>Z}W%fTUyXM_ec{+_(iP_S`7`oZ17?8c#?evRjcLXFcy$&I&$ zG8@+h1L40~1EbGcfpEwg9DNO$_m6{C_;J>%eZl_WpRx{}g)H0&B!xd?P5aMaTJ%HK zveWQ8kQK}dUlvLVUlU9U-_BTC9vl^YG?X2ljjXU8x#5|lW$^oN19$YpbnZW1PknlPyC%O>~`z)Akhn4HjM_#bf%8eWYr@xQQ^t+t(Rs1pV`$24} zdx%r|yXXR+$Ch4qkZ;4b9-W-~Gs>(WZT>Gu+c!|o&q7I*_c!~7P(R8W=$F&%mCySQ zP>&=%__sgsj7)-;?2`bFNr)Uen&1i{P!Fr;hhgW(8%wCX7S5YbcX>AGw)lr9aO{ zr|@Uyz_!qk-p?pM&b#I#=eibo+iKP_`6#-K^{|rl?`HaSEoXRcYWhn}8t2h(VlDlQ zHC(>Tgso%?Re`-;89H5Ilsxi$#yTHEcTDBDlo^HUildRxd1~T`rB+usRtlnP*QlcH~4NK|I=UEdc7GehvKd_d)zJu|V z0S~YQ3>Shgc#rp2)9#yCi=Nn37B;$8)}UF86UI<@mVXyzKD^O`tThhn+=OFQyWLP$ zZ#pu*0i40t{&$AO*@l=lIdjMP_k^poB96*HHFMH$YEHk-65foghBUlbgLD}WYi~~oy40p zZE-8{7X8FMtL~o|&*Di!$baAE+)|u25pVGtay*Um%I{~}8OVh{;CxdHvXb+W^FGsC zwfl#`VeUD|eaGn;=F%+U&n1sHH~z-B9TIsN8Tc#6zjr07c7MQH@FSktW!4>dCcd+W zGdYT%Mf@So=_suWTix-<6lZZC?|9-)Cr=(SN8$K*^M^Hsw5{gxyZEelje4Jj3|Mvs z^QdD9-*67{>apDC^l1sTyNL07 zGxO^n=4}t{dM9b=%#~@h<#o(Ar9a^3KR_5hGu6JCu&k*poI^cs<^SufV+U*3*#R&qY2i-_Fm_FLRKW zzrx)$Tj{UYx$hhuTO^0^)xaI-2Z+yMEFHw=W*KX033n_n!%s+sl@mG2UMTt~`=aQ{ zyl)=zS=QyJ5+1)GHp*c#^7%j^S;UH4_ydge>yJ-(-b@0f+$4jUiZBA5Sa zi@lT?ij*QdH)9Vuy69?^%|0~4uiv|rt2#c-9{Qf%Lp`5nFICwg)gCeHnEw{S!@ym>rxF5~%HzIQBRTm4&%-sb1{j<^@w zocGw5CbKr*$Xx7Y-W_EgYHobQTuaBcHVwPl38Wo)YLxS9=HU~}!zXrxi=os}MW zr1|5TE5Hq_=|9%MNEtG_q3{7Sr5lEx8O(8`q2b1!VllFp{O0#-a#(*SkUj%!)x}yg zF_i7Tzafarw;GtB8*wTT5yFTg}hti;1MS!;4M|3}l4USSQaU|K)*!ChsJZH!V^} z-Z_+CX9c48KMN1UKIRJYy+Avu%*)BQA^kQdg*`Kc_L3dctBeiSxNzoh!W&Fa0J zzE7E!WIvmGtFweYe;oc&>)x&O%j4))Wczatd0vILJ%pTA`kMZ%&jqX_adhy)l3DP@ z`;c+e;`iuL)&`yV$_%D}JKLca@l~Uoa>mtQ z#!^ZkH@qCZ*9vrAOQauSyf5MX(o?L3u4n&W3ti8izLxwwjHNhZDPA_hX@TA!3e_pD zXD9C=en0x*IJ)8WssnnjwX9qF80R{_^*Hpi~h*iId`F(y`8irro3U!?Zhu3u4|l?xP`LgWrLk1 zlwV2t@nzV0qQfr0_A_68d#4U@3gF-J*&AY0Go5^}fb8G%!3D80-7Wc%UBI`>20vcV z-!V4$*kQ{b&u;3LPMAvAhVDF_I;2vEwt@jpDs^a^Y9&&s$N99+xwK1LSrYLd8vjHo z)GI`pLB6wfCw8Lf1Y)0{9~h79#Y&01#kgXgx{Zt}BfCad@ie?rJd|9=`8>~GW=nCR zhjH~P^F?{wrkyo;%q!>XrMrsub{AbH&OSh4J) zjBH#!INi`yy_Zu~TJz4DZ}Wb~Wj^pcye9IMQSRkngNf|hZ?G;thdh2@^IvMd!#vX- zs(fX%V z3}wAt$+y|`$dJHmg z$G}LEmF{K#Ri3@)j^Wc`>|4jPETArL(ubW1klq8u=MwszeaP*ie^M^Yz;6>{ z82MKB0>-BHTKZG=krUaYcFD&Iyzee}r1QWiZMoz{ZY8WBo?rV}*V5v|IQAlq**|;F zy7A?bh0O>jL)Y@2EY{Qb65df>oDkOB7MlAXFY_*obvRx{{QTm?@?`6(FG9JKg36mO zeH&?$bw@q)7}3LB^B*~xNh|Qv%8C=i;N32@QX^xVKd3Q2Z08{hq&|fztH{XJ@EV$gMU)W*kis$I<$B_X9V?3wg1d2zl;i>Ug*;`KE2MPKcvj= zZSx%2NP1;{c(Tm;(3QQW%nf`uZDZ=Y(Jv?Lm$TNVxA^o{kN${qze^n@@2Z2}TZ|4( zd~qS|EPPg#Y!!~xe`HTTAgtebyEATAdAN)J1x*)+gH5I3+i3R&ewPqGtL3AbBc!e6 z*F;@roHo!N%>RezyG_+|dL?H(pYjJ1X6~91{(ES^q^B!R%xMh`h_1n(P((t4z8Zbf6E%Mx)8dF z-*2ozb<3>Ox;86N*A*CChmNd{HL}i`a)Gls|3YVd@`}w51XETo<+p>f9t!EdRhJSN zP`5r5d`CKfm#tvk`&L$6ZD?e#rym&8`zQ1ObsO(?HlYU)54kz?!``!)OXd7-<@XrB z$Kk6Vg2%2cJCD8See6eu^8Z}tasEGK{-5K_f`6U?FI`(!#Ceb1b}f7AjnJ)}DR>CF zm3{vq(d_-_Aitl0{JyrV(7BZVGbGC&kNt_{`Yk$Fvd69k3)g~0TjQcXuv^*tYpKIM zh%Am4F5zZ`JI0(ABN5>2c6k)bY>&anT@g}e0eTU9bProj6aat`CW z@WIFd+()pXT#Nl=X($vqjd!hOo&O$u>yxBEPTp1ge-N4P{qS3BkZH&!P522O%e^<0 zjVxxcdpi5-ME2Oh)(FPuFn6;xkZ=G#k&+{6A^F?NVeAB5`MN_k$NwxNXSkAetPZRp zK5aGop=4K=qEmv`axZ1?&4Hf4SZzfvAv*`{bHn+)NnFaALu|=CQdkGu(UoOY4Yh|s zKgn7-rK-`MRF%fP1H+J+?BVQY4m!4vke!UMS5u!t=Hd-t<3jvMbP59?v#9_hV~gwF zD47Iuid*3wZik#5uI- zV&0$c$H@-*Vd6ZjMw{O@#D14?c_!&0es9u_x6=PF@f!ra5Ulnw|67Uw8CY#qDB1m( zG4dcX+fm3SGLcg(X8bz*x{>$Y##oYl@Jz<-dj6jVKROZq^m23#W#}J961SJ%4%+c! z#_AGe0oQ^1ZUD#s6db>kvHT8WISenj0z1*=*ogj^u#|8veA+eeY`Ylev@vpb(o`}_O1{8{(J8Yu%6gBeud-aFE{(+rs`{Y$MW71em_QT z+KgOqKQi!Zk(oA!2D*PkF8KS<=*SQ7`C4J>H`@IHK42Ah5B7bsTd3gNtj(TM%^d$7 z`-{f!6w)e?ON^wSRX5_{_bDU6X|*Bu=0>cKSUcymYu==R2#acS9o6jFLWO5BELL%D(<2P8aq1K z`Q6ES|2AP4@({_+n$H_%zsEd#hPZ)EmxmufA1^&X7HhzI;x_NPJp5v4Oz&Xke;4yA z&b*Rur99+>-(?+|!aDS4FvxRYl5^?%LdFCBW85Di$9e+aHr2?`A4DcG4|$f(!7WAh zP=SnOE_m~5aO>vmA2`o4@BWMVxS9F*2J>zQ^G>o;>0)Le@0f+G<2h?|WCZ2B#M<>t z==;ua%9+RS669(>LatUqnf>@Z$6D9Py16SLo@1Chit;SV+r>O8KxUgsoph%JXD1@p z(ZAE!Gc4Nj2h5MhcD=*h;z^MwSjXfCbS$#hDTsI@zcoW&iXx=fDcgQbUCYbp?#`|N8_up4F*|l5GclPq_ zAMoA%IfEVI{I#A*BY!&I_!rvYb-q1=ZyCflNG@aXy_d0HmubHy97vdkyf_8<@k074 z6+fpjWWMm8_z6jibhy)qK{={Y8EeXR>d}4orK?BJ>RC7hPl^gh9f7gaZi2M8prsA5%N{Gq&YYM>_I%m@CLv zkgHtXD;<=4_!`@=DdK0f#t&tW9ZfilP&{fX;h4x3l(m?$oa!I;x?rIe_J-Z;C+{)# zD^)Kr$Qtmn?#FTH<2Lpnhq2>S&+ApX11>S?^Yk8zeMC6#YCmnBNmISTyz4UmUGkwf zBQG8Q&B$7bt7Wfr7?;21y<_Q%Jo+M)_;h%dKO#$b3AxU*jFaaWC%5v8Ft%hfeLr=) zi}+VK2YLy-*K~NV60k=pd+U$r-#?J=QS!}^{F!kQL3Xi}F<=K%A}bgV*}-i0z0j!0 zGRj$qzNv^c{Xy2W^H|?ycWfc&M*i=fPkJYI7;b2I?}dy5)!$+tynu00OL?84w7NMw zGmqzIv+iEanmmhl)zPM`Es=#)#WVXn?2 zm$0_VzMyZ7{3&yL7Wx_ay&A`SF5LBQO(FBYgt;$%Xe{AXtPRshJ4`%!`N-MSNA>#- zX@#s0g;%HBjf{*{;tJCAiUk99MN=Pk;c4BvJEeA|4| ze#ahpE%CF7FX5dJpg%evefznr<+RTIsD0%NYOvM+WLuW1ohj=jcv!8mYG1`Y#+hJrZ4tHYIK``N zZ~3NePp4g%^0WN5{WI(PbFA-uZTki?$y3|*JAT_fN86r5yZ(gVNb-Aan?&2bM%xDL zpObGcd}IlH`F7%CC=`j1otyvRJ8MpoYw(VOJ{>=P*?vyp*U&n3IDQ&AY;d*}GtO**o z-kP9sdme3@N85&ILvKy+#_fN%CY;)~um2C$gj3sAYl7NV?Qz}zux+&_xbUv0wq>E; zz8cRLvn~|EOB_Z&R7e{fp02RPK8!A>5dGNUQiYuJVb3gthf-hsu{wwU&GrNEp?`!& zDug%HnzDhpq`UcUqdf61B~5SC9EJzEjdCZ$TOCFxb(sCqz#A8tj@w3zp3U8)V`^tPgJ`T#z@Zru6KbL`zZ z$Em$w0A+K(llu^u61iq148EKJZ}SV%kFy6S*n_)6gX(%&*S}z0|BSs=Hcwsf+DGBF zSHp7zcqW7Avsm9#u!TK5#Y#LzT_2^c;L1pB+YBd{ePamil1-Zgsjo%d{>a`hAET>y z?g7#tBmGg*A0~Yz>E=9C*(LZ)80mh%US{lOOC{GD<-Tj|Z8O{}(Bp50zkUn;W3%C# zk|I~Yi%GZ8r;A<;e-g$fVkWXe?p*VEqT!J<;C~Ho1uwja=VL`Poi2E*a(Ivz*~2U0 z^<842Yivjo4K1--R(SP?0zySM_7C?p?Il4VWsz5}1 z6}%&Nay8b>*E=puu{Yt5P*{33zYd*4f?v5GY*a}ZXTqtviaq6=)!;c87UhcF%*!Lw{h8 z@)ooeS#NCPEO#^CtFsF?W7l>I-z;D2mBhV`4F@)Zkv#amSFz&|X3RsLF_wL68oZp| zR{~!rUh60H(e<8Pb@s8vzp*)^(uc9pGY~*_E0Fr})6VvnrWeH-i_iBD{$3R@SzQ z`7J}2Eq}{p>X(p|!^sv2UCUZT4Iu7Ag0ai?cuh_x6LW53-0Pm;x%_^Pz5Oe!gLhzaKaaNk0z3M7tY@FYD^JF53I5KVjLnj_{mF}rBXTiVRrJM1#?n7hv+I5M%51ktWzZIx@SR2E z)mg`E_Egcry`pEc=8B%pS}eK(n^*ZZ8b?0ax)y;uWivVs?3u?im++fM+QpPtLiw5_ zo56sA6(6%^j$&^0r+!VWodXy{y3E)-nv%dx?Ii zWFB?W-;4*dPB!qZD*Jl)8Eo5-Em#p3dH6uS=@t5{!t`gf=1Kaxa&DIW2J5f-IKQPV zEPqQkGhWrd0s8q$_=cg3?Q+It8GOWxjM<@#bH-=nJob@H`nQ06=4Egnw!o1L#^n}d zkmoV3IalcpVSMWR>C4Qai;P|25cg%~)Pu-bbpG>P%3g=u1&rnn;h8hd9LkBTBmW-y z?FsVAKJVvzGh@iicfN&n=e?Tg$ccW&-qa~sGwVPLduKGX>O2HSyNUg&)#WZZ#>&I2Qe-_@)?g`8e{xRQ#c*upg(ehR9Zrvmu1iRrMoGHul34Swq^(N*u|x z4$Q`W2p;j>(BKH?n_YAc$SfsK8X1uuR(c!s34{ZUOsivSF+7|4i?faJOhz7+;pt5$ z(*BphQ+c`vopZvD)abmtb55N_-Wez9T4s`0x+9&5mmWiQAt&!bDe`ru$h(XVb-YjK zdo;2zBU`(fGQt`w1^9eo{ds{o^dj?N6XQ^89=5XX0c2ROA@ALVyjMKO0pximzFf8& z(D0mwMxG~HWe;GT)cU8gZ_LZG`|*DQV=Ty;B^g!?a*7M++Zn{I0$Wd}&$F?29L8MD zV6Gm*9(e$LqxC1m8WX0Eq(3ZXZM&THZU}WekKbhYIObqvHEUHhYu5wt)epi~UjQ$6 zHvC-;``~Yoe|IwXw#wcYIrvI`x&v$?d>`ilnSbinVG)b^4B~9MWq7Lqa`>U}138iX z*hFK4=2aqH0@&V2)Guso^N8FxvXJod!26^%eshNsiH zgmtvj&HS=`{~SMMpZq!d{0Q3;-rs4hICB!$6h2P+=arbF#_;oI(z~UY++KG1b*SNQ8 zqKvOWj4$2UtUJlQyRhB_t8jh--HdFWbmn_gVV14=B)zY6k`v(jOZr*2-OK+QXx9Lt z+EweFWV7{KmpOHOe=Y6MnxDe{GOzdN(04%pj?mntQiLxW_@;Jj5bMA!cfuzvgZ@3C zOPj|GFnQbZ6_R%h_b`CXi&xdo zS$>~LR~iFP=kwmp$ZVy{xCNQ}1C(D)`G*Tqo$-|aZOT54a?hd6Gf2xPO?OiUcrMHD z&w-??|5Hh~NPn9#q5ez3o~ezsrq6!&MRdt+tVQ=Kp7rT7(X2JQp*eqp&TM2Pid{7O zUIcvsdi;S#cW^1|V;W;KopGV_7`mSqn_)uEsk7!@%6KsLeylwm*pqd#u4U1eGgwo# z{z$iQ4z%p!-e#?oo>qQASc5r}uJwvD%Apo(7X^&Z@kbe6P+D9AF(xXRR4aTjbFe(n}m*O&-Ylr1WQyCzv>I-HfR2 zvRC+?|Bgx6?VYjf8+>}%uFJybu&%9yAGx2i1BI+pkAqD-Jed`_igijDWESgGDen_M zI}3bz1@B+UJ0;I81)s{!qMAN4@?HA60lU9PcvfrKH1gfg^Tn+3r;+D%>YPU&t#8+3 z=RM8Gh3Two*I~!{2>x{Od1?4H+2L0bKaTz2bujUD$d$&iKcMU6yg@%g75s!x^U#T|CoD{YM?}U{$ymOb{orE4O9*dZt(wm7u2V4T zk65oF@a50Ir@z6PlnY%%9`UN@L;n;R^%UmN4y{w9c^H*5aPTbi;9Z_$O~fBtBnQ4X z34RwHGB|>B9qcz3vDf^CJ37Rd=O8at{M9}toeR$>-fkZJ-W+(pS@4h9$OM<78%x0-$I@*naMu$ zKUz~wU%kfv^|V)BQ$x*IE5qzFYD*8J7KaPr2?v{W52LDWwMK5;cDExQ?6?07PQ4l( zK00&vYV`R!cXdAN{VTM?`KRpuaa2FX0I(*Pf6uFM7_%)$nlGcfRp z%{9zJx0t<6V?4bnTJtJcRckK%2|Df}gdxJ=gxN;tt^D%UTDNhs^E7?CNY7zEWn?`4 zzrm|9&UT5T+?T91PZ+$49*eRc1g|nq++jR(Hf3j`U)%w&{sb8I1Nin# z#=@O^H)F!g|8#KWt>D$UV5{#i{<@K4XkFMz`wDZ;Mpp6x?Ja%fY~&|PdHzfIMZG%? z?PRTzgw{1 zti*Qj4&=r+AvaEAZOGJmz!}PF=PHMVHSu|;G2x<|-2oO6|uG5?DHo56>@^i3=M zQh`jX7XI>A*sJ{(yEWPH3`cMIHG6lQbx{3hQ{ErIrHYSZlaatC<7>`tMzNPVj!y9y zI>$r0`w9Fi|38xB%8qg^>r@ArV=ZeI?E%l5jIGKj#k$nYux9v{2Qz~41Rrtk6DL*gH>}l4-hVPbT?z4Er#?OJ-MFW z>sL9SpgmdkR%sty=45BLBGzo=vun9xlx!glC6W!oJ({S3708)0qu# zMPCaWiw9Rf3#azsR)bgJ+xqb8zHJv9o8PWJylSv4emCGHgfzNN^}dK7q}8;=L$pJyn+9IJ zrgu5?3h0*!%{`yOpY9#bZ{RuZf%mwB@Fl_*2!9KIvkpGxXM{f?tlO~6*}}8Z&lV6q zOg`BkJxpF(BO^tp>j*ByZdo3j2o?BlY9a@gM;^cN2K+a@a>Yzjt|E!FS9 zxle+3Wz!>U8bePkJh}rJYmBw_49dvo`72m|V%%Z#ZORaz)rUg^K9)sS6WI)27KTmb zdG;oEKNz(WTrNATfOrbZ`B$7;&bfEt)Q!~rIlikE`HXPs+R!l0v3qAuZwsYHUSdCc z75gaJ&EU=|QU;$s0K2w6jG7NloWXk3hHP+>?iz<5WKAT@Bn+_sMQhF=PuupHj<9Jr z>zXI8ZGv}9#n(Ld(SbwP(`V1Dy2Crm!n57rS;;Hphd^=+`O@zOFB>0o;Aqj(y&9Ue zQFI-6w3E7&lVA4movgXtV9mo|$R79|@zPowrO$W zXOMds8hk8TzF zKbw0JzKuPCbic?2j6LfMU}*9Fx4|!p-;a|~5)6D;qz4wog>NxNHXLkjxgbfCXpT^b-NGfC}t{t!; zal%R>4#r8a0Vhq`lm*;Im?r+psnh1#jur{0vXvi}jgu7L*YyhMtyT_gQ_GH(-g_;K z(=Um0+b?nAwD*@+fKy@8AA}!9Hdy!lnK`q2cC`YWIN!Fn_m6#@J#*&FJoEgTXP)Po zIb8>!(O38hw^jH6)&)460ZzUNY%{Rggxh{>{C(iZlhJ2t4a77p*Zx zqiXD8ass~nAT}{J@8b^#G}%VE?Bt#Hn;R2>(dFzm;j59|fbSR?lYMXrxxE)Z&Y4Hx zF!s1|?}U5B`u+~w>)VL`$ok>W82jI2>mLJG*af^d?b~1B{}(Bft@uG=m48AVKlkgI z1$9;_Z3)pA{obG+Jk#gbGV5fZ_5ex7EWb*iBG>wna<=8PYSQU173@8s`Cln0-XN&IdMAu(eycS>g2r~ zPN!q5dz@msTAV7+eJoBLFPGwUVhK+Fn(-IoRPhe>BbD&!TZYpaj!&CIe0n6rr)vY* zufaFcjqKOp8_~WQ#eRiT?VC|fg6Go@Ap6>DP|f=tJwdxfju-@UnDtC zZ!ddi`uMNCGCDU?>qtG*UYQ>4m0?d}_KNqg4rf0pdu8|r#r6}cf1Q1HA7{Va$JlrG zYwW-KC}&uHB+GuhZk>xc+FZfDyvdYb#Pf@(H--9B*_U@o_8q$$vp4lNW>^1NGJEyY zNjrz%%)Y#9_%)(OHuCG>cbH!Gu=#c`LMC z3!UeZ^EQW^x0&QW*Wkmrp8D^h{s*|epX;BY8^3`L{B!19oiF}fuFrCPp7Ot2eUSw$~yY&-8W?wgSC58S?}6%yQXE`ip>{Z zxBfkLoz9)~dsQ{h{R43Y$%*#GOAd6lqk07nME0AS?$a^TVCJURoQPHQo#cFy zQ|tqOl`~TeGIN~s5z`f>-yAk~jIhr&*KE3nVzW34a%NwueZrnpw1QuZUzA^jpV^a` z`oQ(S|Ew9%`?;9v&!B#dZExewXt!%)j=di=X7Pq+qum=1QchjHV zb?4&#MfMEuoL(QL?HKr}aA(-YrW`m49@^68SdOzVJ1#ZrdjB#xu<}x~T5)*(-N94IFK2 z8o1;lv*d8>s)j$hcgLD-2LHl;c>K;ao4&YaaL2=I_P*z_HQOr8fi=;`@67#X|DAgu z-FfGIX2Ju1YNmD(KYJi;%mZ6ZgmVlkrgxdilhw{P)ArEKuWz^S{Xg&h)}7sd`Sms1 z&a^$;UGdbN?Mwb(4ST-29yFIcaPU9(-nr}d{==G!&Ba}RwRLq@x0&|9)TXPtc3t;J zcVdrq?b-U_E^^l&xVn9H-xs%jsH?-o9{5o59bE_Mm!MneC=Y~7_ z?p(BWW!E+no4ztx-!-2zO>f}{j#78IJ(!RRuV)|CU zSJJ2YQ$O9bxoYc;T`{ipP4!(jbKRU=)HRJOc?pw$mFuFWMO{@*4P96BU(Xx(e@pOO zZU5<%il@J^GqR|+Jvor=i!KsxR`DYbqMLYVcWuP9Hbw5=kz@W85B$kfX3^u92Xfz0 zLD?iL1G!kVy9b^>NSSydw?H}}>g1!{92nwWy$AhUHfW?c(1tM4A~tv2gUN^U!% z2ZoSW$?Pfg-U;MZa12g2i(8&e4wM`3hG?YQj=6b?8_T}Q-9!F=Gdxb42Pw1T+&7VD zP7mY`RdgTJeQ;JlZWH*S%+`xV>{WesR+z<~+jtXa;6|v+`2ysApr5TSbY*kUrL!%Z zpWC?Vg6ho%r{VTStIgB2xomWj*U^#S9D`Z5-QR1sbHcI(I72S9j|+u)P6;f(PhWy( zq%1scoO)IY|9G&Ae@g2Pm$W?u?saa1a6en;l812pd+iYm&lvnrPxGFmm-yGw?4@Yr z*o)VEeFtZi^ow3OJJ&hgw-P=UFMkz2Zuv|2xVgHRk3Xq1)IA>;&SX#1mU#CBbKL}J zpg!F_XBG1-f(+Ji_Jp4kGnBbG(VfYzxlHG_yZ8KjS$KB#?!U;6l$qx=_m9M)4X0v} z2Av77_fr!bEc);JdzEMY|Bs`lA6)fu9$$ZFG&#~~%#*6i{Rron^>v&ya74P1#*|*{$s!dVQLy}xvQ6Yje3;(dbyF& z#RJ?|sh%x&^%9iVh3aKak1igG&1p!3zxk9icQzcN@5A)>GW=xm`KoVQwv@wB?$qew zH258gIa?~l{bJr97#*E;_U`|TzT^z<)lqB1czTMDa+6HI`ugg%_$1*SwJ-Z71?`pq z>q+=7#dDS41s&B#0=oHnX?P+_F>FMqR#Z7X94?>F*edw;gx3YKxl7w|G>c?U64$kK1NTkQ)8Eqf zEb0v3i4x9Z4zKPDq62ZFV$XRT9fFdS`%^C{gGB^v~Cz2Ukc3e zbk!}j7n{~z>dJ1BjrM>smt3*AW$CKQ$z91v?Tek%y@a~;T&Hkd$@Lp-6x*u<+}N;*%if>en9lvIHd1*sQ&p&Q-gh$Yon&R`of>m&YjHmV z;CtEa-`Tq6_GISHo0zjW|7#UzORnNvq=w!}W^v8;AN)bhqRh|we`oM#f^T~=_cO_P z?Lu>`uDGp{%0zNmJW}($MUmtWc)xEL-RH-2?)q)EelPm|g6dCj?YE#eFQ|Ux^S1qZ z^v?;tJ0srGx?MafJ`fMrL$@lfE4hlkEnG$4POhSFFIUlbKi52cr@_M)CkND~_XCVJ zYc7aokK=zkyAPd@p6qEh2c-MGe#~&M`QTaFQdt82mY)9H=;+s^N0Z<|b@VLB7;Sxc zac59J7t)z&^t`W&{w(NtXt@)cXxl6|j=X*h$`{Tk=tn=V9mjWd_U`5^W3ciNe&<=* zIvjfE1UABGEXr6XGVe`d-eV0A%n3cnv&QS^gbcbqL)lPAVa$dyKNr^CQ`LGga_M!@ z{`mMhNOZXzI)q`HuX!M3-#LB%0cdgqdN*pvBK?G>Cq-;|tTs>TIX4)BJaHSusqdV_1j}?XSUWX?evw&h0EI z7d=*7nqITd+G-`fD)cvS<=2Xt8f#A!m9Z+2{ZUkwsUBNq%9LeT-%9LfMm8n;z zEOSYjdS%KoQ_IvVQ-&vNEPQ3kG8dPrSEej;QJH#W$}*G7)GJd~uHInP*mo0U%1oKE zROQ%rO_{P(yiC0^WhwOj82XkeOHC|OuS^+hz{T>Fmg-&E=aMhk6p}C56fIn(k2|?a zE_=C3F86blJ|5;OeH>@qB)P2T>gCeg6a~L*?TaluKaGs6q-Zny?d{ncg-byA5FNe39jJO-p7OMMed4S*&nBFy)h#j^`H7H`LDY68Smwv@vfe2 zQa#>p3F>JrdlG+zU&~s&xHkLtGk?1IqKP`1|J<5R{yq8g)Q84-*K{+oo&Tu-AHO@( z@Xb)IPm13wyKZ(c_F<#;cY^1Ww7b&8`+8}w6MP@XZ_>hj7?$w*5`Rh_j;~HMBaiT2 zI-u7hRc3?)mHu=$H7x9iT(uK%ASugw3? zkk94+=WZ&L=ZJ&m%ZZ)(|A}{j>o?4_Z?PY$=C|ffmk&z)Z=YyxvFmI6CB&E-UM0Sz z^32s{@u?r1>_-?&?;rl*nj1fJ+1d|QCm;G2d%rsWaNy1(cbI`2Clh0yY;O4}G1Tuz zFM7Uj-;AgG7DNv`z94d-^Ygur{*+kl_oJ21E0=%dIBQLC@f)0V{nJ05ko{1j>3*7e zw{vAb;q&pcpL}6pSLDEntIWVF-->02|F|Oi;#AqUiiOlR9ON5lf-Ak)EN+XLV<%=k zHuo=N`&oQCe_`fb*deshLz&`hb{xPHzW+G3NbkN|pRSx>rZsHYymXblE?WA4NnTqU znY$%E!Q8T7l>Hm*S5w?YeysyNsy8d?3N4YwQtIT5I>)p%= zFU>c{kl%Is=Gy{z=%sddf0TR81H;5Sk38O-P2ShGXa1Mk_N>}!y5n2TvE;nOr#H;2 z`*h;I<$D%U76G?W}WO7$!Y;qUz+Aecn z@=P7EuT^#Co5c3tnYhoK*+3hw?0SE;1zvUatEgYq^*z3yHhD&J>6MY>GVpSYJmOVX z%rHw;zqjMpmuA65CcsBLGUuA!j!T!;Z@y>gLHJp;j7Q8h^_#D^-=9qWis^48k2S}$ zgXr`_@RsoR=RGQ+uI1f!Tv(Hb{zdts*?!;PhI+z(2)G zhP9BF^LWFnvAC7>;n=JOGsCTu$lI`Xf_&G*v3U)W)q}{>5$Z~gCAVId8%95H-EJ$t zJf~r-Msy zOFtzer>~Q&F0k~evGOWeRUeYmi|`W-#?6x9Nv!q30l1!4J0aQH__I+fzo&jM`eZdW zqx8FCF7HF1`TxuLFJ6#eUNlylf!*xj1|H$XjvqTY$M}VpUFcW&12tYf8ziom(|Ce= z`6rX|mrz&j+dA?i;BV9z57N#d>g)ZNgZ2kmbALo|P{+bSo4Q*3SvVYBwO$>s9ro8) z{gpdAxdW zkl!$E#VfH5^&ek(CvfX}1lm?c%)l@95A*pZrO{%t@k&{2KKo2KAiBg^Q|4ibIwG12t516Q4R%Ey`D;jglG_-at^6!jGE zX=gm?XCvKPSvMRC@$^>c*uk^=SYPP7t=KsQo`;{WqwTMLB%1A{O=!XNX=+}D-}IeX z_^waoE!Kv2_D&}-x_cM*^7ujaYz*MkN1GU@?EL5KI>fhS+ka#9Nv#1@ru*KrqffqK zX&29=qxz=+KBQR(QdRu{sOeO*FHHB z*_eck#IeaMSvN(xg*$Q|7-u1$3Z7Ujztb~Q&B!wywT|BxxV4!26V1{WyETjGmgN7= zO{RO-0)1m)20F63?+esRqdPN!ER8lLj^58);_tDI8xGQk=;345W-_*WP=EG4$%h5Q zkdJ4gS98GN?=$!wdZ{ZJJcMjXk3}QWMJ^uyZD{m#$NJL)#NG<@34CSrGZdQ(AIw4D zSF;XrI%zQ9hwQ1@Je!l}6V@jUzMa2?|8~*$5b(G$xH&_($)WECkpFL&>35Krru6VZ z`VRMN@Ox~qHK>bZEXi$UE8PpyQvK7ii60bUdD zugJoCR`2H9fX~T)gCEQ1_{rzd5@%h_8e40>xc&pje()yRm*)Kmj?CxKsUL9U zXj*udLZ_(B3f2(f5slyXmxhLeQ75-A5X;L1|3#mE?w0_w=DX?8EKD!?*$;0n&5$$r;54(zwOz_@>QA~R zU4@PaaF&dkCH{Yod`$h{8|aTzJ5u07O! zR=S1p4Po1=2l(_{?S`M_ z;Fo9VbC9`fZ)omHP`>xejoI(;?Elr=wSf2x?H=a+pTJWFoZ$CZtTt_bJQqLuJ`>nj z>eJ&?bQ)$&-x)On8Z$o4A|A8+^BV>J5k5S>_%=%Ef=n>yt%S}WfZjJSU%j8$j+6V* zeJCeBckW@y>mY-`c2O zS{CNt^YUwlbW$WcLY)5e`WR!WfM+MzSh40u>DJ@GtQ@@4@T`1x^4*c&a z4uos;3-m?5pu_BQc&>jqM$SZRR+nO|Ic)tAaEpA`=&E@(hn^8Golbm+|Jx*yZ_5Pd2C zM=+`$xkF2K@t&KDT^_XOAsC~i{EA6 zeb@bSy)6``?LpCp7}Fu>!L_^RJi5swte?2XU&A(c4*S#dpma@w`?Ta0oN3Id`S2z8 z_CNVR$Y;O!Gwq+Fzti~RWnbsZu)Wbu{b_8yd>J-)Qf1gE`7-SA4DCqX!Zx#)zjC&B z*cUH&4f7|mW9@jwp<94sn0^ef=g@np0CxIZk_y%~N%Ti}p4muV%L?*cM9*-!=AYXt z3%WtH^tPt#Oy72GI@-!O*43tCttnl}4T-?-o{#GfZd+4p;#&^!EZqLHv|qt*7+y=j z6XCYQ_1dYkkod&^vbIFAehJeq3GHl76tWo3iPCtDXbG)E7i1M1$H_|yeQBRTGgI;` z9g2rjuRjdaeC0V6P|d z?D-_kf8nn*M<)!ga+;KvrLl&~o0QW;Y)QUgJrj*f+bPxQVVq-2mBqOUd;s`_SU(rz zTx0Y&A7q?idgN(^yfDV1XVAdChuoNwXJJ|y+6<3Tv|3RU9^<)bz{dW$!9-bK< z^P8hYi`&S(IHxR@@M2gNGw_|& zf6c}EFC#vpY-oYgc?s_2o7!I@CsE{N;pJoJ0m;v{%ffJ#(x5n((#v)leQaf$zEzgj z3COl!4L=jE?R&^J@=^3G>Ge0dB7@YtQjnN6{jxjm`d*Q9r2`lD@ z=~zZ5SpNDyKY!KH`2UVm`a?V{8S>YEjrqv`cIc^mi|Xu|U0S!!U`;rab?dC`*?kq= zJ*+8zpS9Yrp+6m6W2{-Vk1WdC+wGejVvR}c5MPY*e`e61UN7dz1(H2@8@Bes&{`lB z5IYR5-mN(YFuoC^PJs2Jy^{X|)Zhn4FtR@#7eT|L!QO5oe*2A}g3$2IOl9TCT zKFdw@QLRxmX5r-FH%9vfoBRoinTyxe-~O|s{o%fL0`p;PNP!sS|j+y-7=vU7v; zbDjEVke`Z=tC!p%?Xi`AL;kH^#xY?=a^$zT7W^MGtpE2g_&Txr1Hc~mO=8jR4EfuI zdJdnWUkckgKYs;y*4o$3`D27DARb2?wOnXy=dawP6Yo& zJ3p7DC?jSyAm3zlh$cyBB75LA@_#)|Jg)pRt=0T9--qJS@?VMuE%dY9h;DtgJBI%6(go51|7(FT(dg?6jM?`^mV8cU4;7gOTr{ zubKQ`?|V4Jn)H0W2hLjezK0!?8MojBKm8VmPDeI``=5`0t(Z}CgngqN$h#iwS*ZQsuP0Ft0I@~&@$lui=AA1yi5DEAyhKy9;?<)Ad@;)zk zOn9(9S@|u3`&`(L1QyB5bD^AWZ(nI`Z2gOY-^-Ufe`3MEW%maKzO9_)N$CqGw@L9O zel_dcg7!a#Hl@BT;V#UR?SWi-o|GIH{9ZPP#_9xQ&icLldiOZKLG2y!K5$PPf6e0| z=J1jNmZE;ofd`HKxcB4j3w-GNM4yW6N#b_)41}2TpQ}I7$m?+3dpVVTY2{yK9nS6- zjZ*NJ{J?qNEjZ~Be^JLi=iZOQ1pi%3qkw1eTv1G-44;L^E4@&>R&#whUc7;E1u>$1 z&Tko(qw~q}FW^JmVPm2terf5~JTIeH?79gYhW$oq@UlTTq+E4{rwt()O^@dv3S{8T z_#FP(>=&yO0^c|MR&L+exp+)-jOVEw_^~?doIK|EOa5#ZFLb<6%17b(C69l*53TsU z@#0Qi@Afno=0vU6GTaaCa`em~JHxZkCFJBavIk7hG>5js_o8=(HL1!F>ov3ZsVv7k zwvA2V6<3xamng@*o=YbX6X-vMd@m*!N%Ngzo>ih9pn+reUHe}~hp?Oy2 zQOf0)^?FM&LbW$u>}Byq%6XM-=VHX-apLg-49>1FiqA7f!6G}~|F>&#Yzhyjp5^T~ ze4}>}gG=&r<8e6k_!(MYx)pCyy`;*xAF6hE z8$@3XS0|Ts65ms~>M%$4e@*fh+$%op{~rqAb7#KHCjRB{o0d#&3f?D{9LBToS;1az z5-Dp+%NK@h%wV4Cn?XI_R{CVYR`j%~2<>wfZNjlNOIMyh7pkLnU3@*CzhrsB&x4)J zOP&8QNlx0#zDS+vp1;A3BmKtc;?B9rfq10$n$EdqK=}3eDILeQ(7gK-&2s_n;)XqR zb84q|at=oReezO7Pqmd|@3_yk@$mc>?~leNFegpPp1E7OB$r@sPs4Vd&YGi|y;-sD z2)1V=v?nWF=jNjxV060F$$QGn4Z2_bi6@ksE7{wMjV5^&TwxnlJR$z<*=G(s8}JQ0 zu{guM+Nhmpj`a{v^7o8!pz>FfPp|sUgKM52_=7c7-yOK~ibUql@ZQ6fiDKCkPdpd$ ziP*f!%gIFrmTQAPCDW&&-JD73HL?jsYr*Qz4lNpZb-@=GIo5W0b9% zyL!%}w|=GRbgtt&*RShXzck0b43GO1O2z*dZH5)2rp-F9d-!kh1dV=(UhR$6aE?n& zUpAUtmZfe}g*isjQukJJh)=R#MDOaX6Z;O&{|B^_EEkn?4nVHsx$AGme)@S~=>ZN7 zdRSa<96XDF-NRFdT`qXEf5ne&5LmSD-@_vKGMopH>)7{;!7=g8!|}BeI8r|o9MAqj zaC8DkPc;6faq_z*u$X@kEPH<;SbD17JWke>z%h74a18!JaC8EPaPq^Sj9NYskKF&0 z(Iw>Z9t-oxRrD=gb7J*cbjliZ%Pr&*-Hfi0o%mta^An^iYU0S9zJ-;#z2#}~&$SVA zU0CmJoXUFin!-G(b>F$#lszcDBL78GAaALc7&rH7-|*khi<$p5`ea@=#UfUxsZQ>H zQiuDY1(ELdppB$2J7n@@ng8MHZK95Bc0a%7{<|wzTj~EkYWLdqG)MBbNAADzTr!RR z_An+X^ZGpZx9)jQ2f5e}M-DUxFeHL{~t|=U)PD<(<%Q4 zHfEIlAHEIslcC)l?Sb>WJ!MqJy|)$97dd|Lw=wbemmzM zvi3Llars=a2G3V7qr)u^V6Tgph8D=zTF5m@0=x2c3qBXOXUV@OUdoZ97Cr;X<~Id! zm-=HoZq#SO?H{)5E{~6vCUlyKAB{jOU$&95Ch|l#AXj=XM-Hfe)-oSGS6ZL4D6+9( zzN?=JVtsnICE7H$K4s71%icf^uG7hr_%oetNE9tgJ}y z9j-6pvoU@oojsvk9_d=`XyOHI2A{DBy#$xFzi-0FDbw%d65rUx%EGKWAt0zr=pyEwIMutovC%Fp>33_?MKfa zQQi)9^gm_)yEAZ${dTu7uJ$G_nnlBXQ1?l{4*B5w! zXTa+4P!5l!d#aPjNHwrkb4@Y+LEzJTE;$xo?hW>X$o@#-r$``!s@Kl%5d7u+0vTZL zq^y!Xn4Im~wTQLwX4b-;;I9&xN@3ppz5>izw>vwvcu#itorBC{hnJJXRyyY}{@Wg7I(X_gOoxnSC$Xy(x}w4{7X-BS(9giOHb_j%U;6f)JqyYWa(SIc-~ZY+!${y{dB=UaRxS?QQ>TT%SZXIZZb{{~rA8|3MZ zXzbzl=8GqqU7T$^+s)_OdfQCxWsm_cFSRSou^4k@xLxVYg`A)0ZJ>e-l(!`!DUzWOSy8%h1&9GCl}^)_g*H@mtH3(^7la=v9&$q<8*o|&3eB`2LXE{ zK1_|N;9m;tne{LF{?X zq+y*1bbWUJG|$|r+0Kdfge|G`r_8%Y1%t$8tN~LbuS|4x$3Ta zA0ij}z!-Z85?CH!KmAR>GPx8M_HdTMA~?PZZgRUO zKtH!O5gih;&nO$>r}eVnR=K4aWryLTm+9{(j89|J^DdrCE{f_f)}PR?uhUMQWH5J# zUk-WP5Z|{l0XzxWRV8ys6Lwlf$$9`j=A6|+ob$C$a%S)yI^*jv?ViC>-EtdwxjI9J zyav{{)3awDl@GQC`3U8GbX0K0hLa7yx29A!HcT?>Jg=q$Jtbakp?o}EZJ%h?&4gEb zs-p*TcHf+INtjn>^sR+gSwG^NP7ln0*L&g9oj<$xh1`O|I`jzt_uno)ooV^BkM_pn z)9*$DKINUqsW%><9^|>`Bm8^)CK{BkH${Wnt{Q7YOK%Ieex7jg$wEHKYoA;PuC;br zlg}wRr+$h}JrGZFzF;kDw0X{sibr(bV0{DoxqntyYu0rh?Uc-jz*%do5 z@3%gHzh8MNIwxf!wtzb;hQ$omjm4AZ3Sw zGSRvtiYy#Let4#LZP`Y2h|2h>44pWl_Uzfv)H@Waix0PZXGiovX_;^9b@ZOz^Kc!4 zN7RSP^xm%EnaYNCRdoA%?Sr&sL4SvN=Gt&)x7e`-aM-bR#JcU+g0eik8ZSQ&PuYHj zCw{(f+wZ1me*Ct5-SZ2#HRQ_zJgLuv_{;^{A>dJ;D$Ca^f#YCM$F?sR)PCqa53BD} zZCTyh9I-f8`|%G+_bRT%Jd2JQ;@Lrd;dh4ip#!1$p%9!y3-IAkPi;uYSvXb3&+}2Z z%+;Gw;H%)>JnW@orawy$#-w*GPD6Yr`%FA`2-pq>aQQQ1G=@XKaX9G1m-np2huN$> zb%J?D-&5SH-QL*x)Bf2Z-if0_W*j4q67;L*;qmHuoafm0tKtzeow&&J7QQk4I@?Ba z;Q3p+M0nXSKfrT{UYv!|ov2Lik&a0{P_butK_fZ2jeA;dHzOPP))91Kp!fT^s_senGd0I7-v7qR7sBm7 z**s_IQ`K{p_QvKceP+QNYg;8|7x$;LZPZ3;mhaE)%~qMtG*Np!`yvN6f^(JWOp{W$ z(wt#p>pc-UFh8i5$HKzaTI*WwoukYhr*h%+3H1GJm z4^=gq?v`fLePox(at_M#bC2Hr&?~zlS@}@n%u9z9nOM7p%XI^}<1N*47zd^;COL#aDl!g0CWBb{97Jk=X z4qH#O_Vn$HB(HOA6~;Zt8feUW?57l;l-h9HLU{$+o2mB%ch2tVEU`K6Sc@$fwmFK= zN|&9Ycdg8`rf>N|0q*clg_=}&z)`{*G4gda{%4(OeiK5w!w zvG3xpFGL3B0;eHfrt(4S?_sUUx=Cvvlb*cCq^tN<@{9AE#BUY_3+>DYhnJ5bFIhb(est7 zJ z@AQ%d`e$I=3a(2hoMbr9p$iu z_o#+>Hc`T}J?Kk45AXXF567XS_&ENd?4xE{av=QN(<((yx0QppkZ%+4?fCwLGJ<&znNcD?XnHjux)!C2%kJ85y~&U*}xr}Eb9qY1`y0@z>Rr!iLIi_hM^ z`SfOZ^M3i|H11m~EpOtdvwPgb?fLN!o*A{i!?#9m-8`RW|I`1+_&qOm0uTPXF)(=A zi!Vff;YPMjYB=8OI;H17>`&v-Pq zbcKeZ_2SXde$Mdvg=lTqry!ntD``Clt$*+)X#zDDZ9dOj)Jc0=%- z_*vWME3<8Dg8Sdr^QvsyZwB{w>iI?4Hf(j<-{cT zZC?)Vck21{Y}=0D{!jG0I@|UigZppm`HXDap9lBo=(aazX50RYyKnpaY`*snr^J?(F$OJO0dF{H>hl;`ckm@0qi*=%hOVq`djZcUisGY(0zp#h$bw1Z}TCw=bdoEv#uIjr#M!w$J+SZlW(5?>O zXpAIBzRUa+Z=AL^zIk#3d43OWp-ktB#_yfFR&mtzk&BKViCxsUk$$ekPX6NA#uq;I zx!-yEPwrjK*%ni_#N=z`*#qoF!ME9W0$Qj)uTO#Dn2Dr!c-;BEdzU32O5l&xInuuF za_UARTX#f>X^4(KPI7vECGosMjtj8#iw269XnsOZG|aq`^$0YHfzK?s!v5%!Z%lEl zN4fewW_@ha>9)9ORh;~#*CMUG_ydU}T3btNNaYm0pZYI-!QtG$H~V9sJq>&{FMXNw zKzMim#K#>Z@MIUD{sA-hdw1a;}f$ z2E>Yq^ALQ(ia&+l^V>C}|;d?3g z*16#7U*n`7`ycpgJdEnY|HrP+|DQ!3!Qbf2DaPe&U&T+X?*bdi`SP6{IXQc5ra86? z+;;M?lR@}IfAtC3i|WUpqLTNAVchau-+7~I#I8ul;M^!0)h!#Gt}ZR%N?yw8o) z-4A|{siU3n`j|RZE^n-tIZJg~;Po+ernog4^SrHt{jqKu<1CCT(yi}DVt;q5@2{UG z7cM_$&dlW*KBfkE#XkQ}mfvgoJggeqiPbLlc6$AdtZfQ;JUSQf%=!qtTsRkSw0Zi0 za`P^5_j8`vgERTPivD_$-@#_iX{yGTv_O7+(=9tyHpuXq(XX+lS=@7oTsUMyBT)=MXs7f90&D*`tWuwtkU)UciSB$Hmjn zte1XtXZ?AdZtX(Oe-w^1S3BO2Z8W1V(>{4mroD<^CBHboN&F`Ao4~JvUyNUrUxc68 zlOb1Fuq01&1_eAi7}5s`p(ii;#vG&xv``>A%w_F~7*XSE2dlGx{M1%R<@O0Uf4v*n86FnX|cf;lpy*2iZ zi&LhsceGD0pU-~BRQzmX^VyNF?rcZoz$+8e55bEK-|C2TSN+pVKZ{4A-AjkyGh&%N zli!`)RsEjqA6^VFuy5}dgu|3~9^xkamq7KQ1kqD z;!`?@d1PXG`dr%3Jb5N|X&*VUt*_&U$sofYF!W6%PfPh1^zK_jOXqLSVY7Q1W=x*%9jlQ`mpd%mVsxLroqb96OqcTf zregGo8iT4DnDkHm9vGDzl3$2fk(6lqBQ45v=ALEeb9B`aip35 zYT)OSb$*F*QC5=MR39-G@1^}qCQ5%=*OuZ*=W+^1`;mF&(P$28 zA$B>F{Gq`>*7JDaUVBltZ#3P{5X0Ta*i+OMuAB`}zyW17>i;a?`h2a-_i@AYk?eUK zOWzFg%`p?iDXbh-7M@o%a&|U#R$kpXcV?vWru{cuORR`kbP&UUwj+bAORvReEjz*c zq4!Um*`=}R`xn~pGmCd-!vj^oxpMXFM=M#wKgqa8qce_jMs@e1YBM0eVf_{6b17`I zPR1!7m_trk0)PDeXyxR&7bhRm*q7sL}msOP_@m*}Bq zE$~7MbQ4aM?7zq_&bN8p8>y_0CzcH)EUa&jyN6IW8$wk@)(|jQt*yuEvl<%5{Ct6xXdNQx_VkuK(ftZlFzU?y+Z@Tbjm`BjnZzZ2!N6e~) z`#AdKYm6~|nLTU%Nv&Js(He~`VZ zI_D%DxAy!Tw$tB6-Dj+RaCFky&4Ne$x6p^^0sKX6?_@2un|z#b+n#Qop80kd)4AGt zZd&9#&|JT~T;Pb;P6R96vaXGhVGx)sDl1i)Xm8IzBOqiI$8# z#d)J& zb4x_O6tr?>jz-~_jBq(&4rlZ5o~L2>dB)VfIF>#xrgON2Hu|QQ+8Z-&_9S^e_iao6 z_-}xfj!!i4)Fnq=Mjm}#4~yW? zILE-vo+%Hv;0@Ooe|b4I*hh?8=V915W$mCjU7O@r!`vS74TsyGkFTgAd@d0DU6B9K zcka9mBsoN9NnZ^!hWPsn->FbOR2%a@KkK^=&maDO5xlgO2+b4H37xbVd56AnV)_%{ z!p{$yr@g-%J7-`KKiQRAu~GD%bVn~RRyK+sBYj7B-|<>?Ujn$;U)g#S>u$+*lrxK( ztS)xBir%N5q(5W#kQ99Ez{fY13-{x}5dn^RD+`f6^mu>eG6&NU%PS6sB=Q=@{j=!x z6`X%6e`dJ+Ah`*3gNzmbxQQTeE*%RAE$>?%&JF!#6lcI62#t3h=1bkrN0pDgN z?Q~X|5n?L?@{1g|b)4Q5KYBc>FDGy1>HmxNO$_&#`nU8&Pxx3=sU8aSYlFs_3dYGg z(vDN(Eyy7AB;$OHHu()a^P3Y}KLw7Td2vc>0(w02gDI`d8S9?eII*=+c_{(Dag08R zAGhY2x#%m^|3Rd+5g$_iIX*7MDf~SK+>@GD{5^}NCntsOw*ylc$9|l-GP*F#_fh2q zFDmFdbeWAsF&|jpfTKmRF7>)kIzhZ;?X?Qc*?W6Mzi|5-v7vO1YDkxs)pfqDI&e`< zTb~K>N7ybtU;E6d*bD_b`riic2DYc@aUgO|dbC52-E|j8588UO^eAor-#k5}kF}l| zM?RV)AMD+~Ao-xJH%pJw_RG-&87GIw>Ro#c&$rlM~I%v5}wfc)((6L9JD=aPPaAjn`s7G$Q}9+V|xjl zK z*=*I=&{`kVSi24Qit;xHnV+?WS$JibPu<+j+;~BDscdA=d$Og&e&7qEi;Klex2vtx znb9RW)1cH>`>&cVtWkb0x?J@ykuC*)NbGG%`@Lw{2Py32FulcBw_P2EUu#2WN964c z?B>{_bGNa(_{^Jp8{u`!Ud0hzFhB?{=B{J&en)!k1sGIXNi?Xb=FFA;T%3}KYM0nhO(h%cjlt_J3+ZE z!@r{Z29>2*@2X7y2hqb}JU+|%CG4;AvUYrd?6PLQNffbuksN*W;Kw0|n_y4!feYm2~Z4<~e;w zrxa$L3HL%txz)`@{xK)>I-kDW*#cSuO4cq;+V9Fst|f0_9~|1@|`usTEgR# zTy6_}ZzV66S4b}PjX)=t;dg|S3eGMJpPw*@4zO|*@*{egJZk4br*HE($FH{$+>eLz z!<;=7vN`km(&?+Q=ilt({0{jW8}T=4ZLE1#GIS98NBc8{GyPJ;yCh$-Q4+Fmuu-6k zwR1KQBh)+eYwO#+S-|LgDQ-VdZlWQd!To=G8C-_)CJaj zU1YV0h6kCWo-6w1htm=2cLTaZF!;Ub9vxJV@ynv~fvn7g&J5Vc{1Gjjy&|{-qqkW-yeVLXrhW1wqyreg zS^}f;6vKQf-d_0j0v{>HDVlk_NY;F8S+eV8PiJAOj+MP;N53Tf&ot?Wa@>nQv|ml< zFIfCA7ph$U6+6vwuEtB`5hi3uPcg?fXnplAcdn1*#QS*terSzLXTtdX=5{^|+}{IT4!-fN2RzLrV|C!b-)o%U6nT<8@AmwIqs9I? z&qmhqJRQ*YVeXapSqk&vcNS>MGi1!4QQ_ucufu!{{Z)TX&lw9~^0>(7c0%KW=fOn|ctlIVD!h37 z-})x;Gv=%#%X879bKX+SW8yU%cL{hc0UjL>xj0ycIZ^oV_{)Jm&4c>`{B`E>2fn}` z@CW$wI?FU%4DGZJPS-HMjfcw`aOvka<_F?0W6yB=zqqwIbpIE(|H}9_3U5b{gHqoG zdY^bhq;GwNx!US{?4_BkPhLb{@5koW*@*^yUs{%8ZYnJsWKJwC>rrkz=lFQNl0f#A zU-i@)lU1JeGxLefSbNOry(jPy?Z@ZWV)X&K0NGZ2^{3c%ih-*gpHnu6@l?~E)eFoq zGw?GVC|TFZmla;4meU2{J;JnK6pJY6{$l^pL2HZF_I-o?QuH0pFNz!4tHdc8mvnuL zA0J~;E{VqAzXd9N<71|j2l+RJxR=`MBwskr+IJ;a*-{>#>O;Cz_)LMz6glgi(2X?` z?{FnP)Hy#n&;pK?JCOzs^=;=N@SNrwX!$b!D-TBRJ3Y)981(7!zX#f?JRCFAScv(I z8ISr1>)U6sk9LRF5QVwC;OkWUUGu45#|?s0J9e%UiEZA%bvZl=yz7WD!k3XP)^D3& ze9RT%U*-#*MXP$TtHb>_VQ(GgeACkS>rUB{SutbwB2nb`3An-aJ^^gzk+p$#_szo8V`P5J0ARq zc0AbJ=N(URY%aeJ^z9dohxYU1VNcb$#-r~EmRnzzj^{A-!s7||M{cPb2YTat<2als z-(T5r&~APl5f>95k1h-6mv6Up9J{GE?l{P;u=K!gJl{BWFDTz%*>TWrVI0wO(&I4a zMqda$bdL16?5R$ey3ej)QjdUXZ;k{iyk1KXX7O?aL>bMYmMKYnye2R?16>qd$AO-p^dH9Nx>I zL-}@BYsy|LTIV)-wm>;c<PDhFwI*=^B8m0!^~NNeLg>p zQ)9@(kKOPoyH<6!#kt^*N|(PQy+-@*!{d@qm+j`YUIB0q%@*(MU4m{SS6cg3S2) zLH<{;e@}Tzs;lQ2cv1gT;qMdUuTfb#$k){W9PMr+2eOFX$ajJ7ot|*KQ*7@Gw_XQ1 zel31Jx=-JwjAu{YB;KmB-#=JP{)OO^Ej|p~(sjMMqQBU$bnGN~Qh|S|=z9oW_a%tS zSRZDGa-)ew1U}3ZIuM+7D;6NzT4NhTj#%H>^K=zkI2e>0$`L|WUos~=;Y-QbHVbjS z!My*(?azV+_FL*Xd@#0s+lIqWivPkvB{T@*az6U60)8prQ!=;;oG9+V-s62PPuj~> zJ@~2QXV3?A{M3)lrR6O8f~=gMUrKo-2|tA4lF#@#>>v-9e8!%iJg&>p+~O)YCqwUu zzqD6w1K)&Ze;GU(RqP;U7%;5Xzm&u{IXFDcs!T%Nzu7Kgz+&42NiWV{G>tm7(JN0zSR z#CL~7-$Qk@4EDQsIG&U5oblGgb)8W7U&;R?$Yf<@awN-D>vhSdzK5XosNitx(qcXo z?@D*g5IPFKKbmM*hbKqAs(boSne>pY6Y$87Sc|L9cGaPOOBZ0V zd>z<2fv&@b@i@jgekL=$Poqh>8@H&aP#KsYKSL^&xch-XP84lTV zI9v<|x-ahCxBlrC>bfzPk0VwB=P+=p9eo4$ZNPg3*tGxR5PR(p=g(XyrkCEkQTFIX z@CDZ;yr=QXuNeu^Nj52dJKA^WoceDQBqOKUV{96xm*|_F@*5S!T*lHQKL%9028-RZDE29*Qv=wI;rh2=Lq2KnZm3+>}^a2MY5^LDLaJsVo%)ut!5f-hij zb4l$Nt6DP_rrMUhWmAEQK`;-$CY_-OM?EgWMe^Up2z| zsXduqvkN=~b9aq!w}H0QPT02@Zf7TU$%=9PFJt%rO4rC<);HzF--5Yd|2P^C!aw0Y zWdDSH+_Gg{OyA+e%W^S~xbs2$zFxtvzQmtN>zgmwB7=6mcWud@(f(?k5vuyik?{Z7 zx5t0+vA)4j_-5#!{r08WbNV7_?@M8Gd#==`@F~1&9Dgmnw{NWNy~NIg>d)z6!R`Oc z4iX-F0$a%QLTVh_CsW4uF_e|Fx05Bd546bJJ{y7C!f)l-<{Vf#fj<|^4(i~!%Ofa! zH)Zew?e5*IiM)O5WTl+lU6^CN{UW`i{f>f5_JG5ayO&KO-ty1A?$kQS=SfI@HDgPG7zKeBPIImYU z_Igsh=z039wtdG7sdDXy_F;KAhT$#GuYyy2S89Ki<2}Fb^L+>W)=-Y$!nSt~o+`KA zOO)Zi^fN(dM{TDBfS07%pc6#A?VIQOR^CbAG4Tp!~I9u3O6kLA(E#-Otu0P9K zcB8j_{XQ-~PVtBIq_e|{a~=}J6MP>z_)k3F^I3QPm|#rib%Ntg!evsX?0h?(vw$k#m z=GaQ+(y%PH%N`_0xpWQI#5|^N@pxE7x3G<^Im_>(<;-_0_hxi-ahx#-Z?c!d^}UZ^ zz2Qs&=5J>kN>{~br=o8WF!ODNzC~L(hYZ_LI84L4YRmIO819Y0x3EM<`g)~ynbUd7 zPjP!Ja`0uiEzPG3v9ab`e2<-9YSWw@2;M|dxYc1m4y_Nuov zXIDio`rekv#ozmWWa{_gk;?Dg7@6GH8HxAR^9!&0T^?{Ody*Xb6RRg=l}GRSLT5b+ zZpm>NF7d@}p}bq=9wCp&;QMJO$cgW8d1L66Zs}n!uY+gh=W(*1I;-!3JHOirtHa%Y z@s;dr&sX5q`Vo|;==ahHuEn(5AJQG-um8ndRtl@W)%By2a`Dt*%B@`$(|28ivo7(Y zXkP1#HZI#wj(IsAlJ6)ypAClQvz}Pt+r5VJ4EOSBJ`1dZIThw9%02&NJWq8LzUgbE zE4lYLwC`IUay)gexvbQuBwl)sxvZ={3w_Jo*;F@?XSa%P(ztJ-mecd=p-~;OFJ2Ly zyp5ix6?8oxtx93E`UaYm!suz`<-fphWAoNZb)4YD7cd6S)IX!H@;YC#tNCcNbOrF- zXqb!cHOKasnTvF$K`CA|7d=;5tQWnmkAugRf$zwdMIy;PDz7tUPw6uc6LV1iO5msk zj(8b3!Z}7^o26WT8efF(myFk^fp26-WXMx+>&AjzBfj!>l+Iu%o-<48fdk2gcuzS( zm1gT2?DRDa*y?=0Z@?te*PCQJzYcy|ug9N1!1pr-s_M;vd~|ACXa9OThx3K)oE|PK zA*fr zF>Z~ilW!}uaGq7VeednZ7al^bgd zp4;D}dKuw?b0LTWU1QrjJGw-%U_XyIomD)(bNL8o1Eco|&ceRZy3g&qaO<@AJ;{ej zBI@6SZP>;+x}2@CEprT#JEYbLTkW+LzD95Us#C-5iL^1YTiyEkK^9rJGd zhk;&f(07ww4*Umc?12mM9ZsZe`5Ck})j67nSqHw%eCqSXPp=QY!P;!sLp77gW0^R0d8yt zcYHNB&~L0Q`S8#J*v1zgnnzJZShg~oFT(aZ0(*8R;yaj>J=`j#Q2gW_)YF zN1Mvb!G}xow9rj8pAG05)&t?Q7bP1nU4ow$-*%EQ<)Ce;EJ=HD&dmeyxLykB;>^HI6yhrz#eT{-xKYqt(5^Ig_v zr*}NwPL3lF9&atc$DXjG8_VG>v|mU(Q;fIq<<;YEFSwH~I+q?|ebX;qclZ&nOV5el zoE{oHGrIUN{M0-P9J5yXz^+ElLUKN4>2vgyl`D_O|7P)6;N5V0=h8u?_KN1^xM`nW zZ{m{`@2GtTzD#h0Eo8qH1c5KPVsp#VRh5&wSobv~BegH~Vs~gB8=6c!#JIS})~Uom zWPe1>z;5Vf<0d>;+#~^h!0CgV&;^6=$4=IXE0XCoY3kXw$er3s-FOf~$)K}-Gk6w{ z)LvuHyW#mtA7kM^@7cU^`qNojHNDE;=Kp>C*Vz^tgKVvM-4Ey9h>eW?xIIm~sz(l6 zYvf|S7jaSX`gJ4mu7y_>?B*hvwdN+*Y;6FS#(BH?dL!0)C1**5>qcp3H#t-*dHycW z-pmB{(-YV$p9tR9_X>KL2Qz_$9_tf9v_l{kks9fJ9_v<#Nr;F{h$EI^e6Z&4Xtb=Zq>EyEI z6E3?`|Mkr^cR%;e9_oCR`}_ah<K{esAI_T`xAw&SP2O@(^+q#M~cjr_{LyU)FIyxNRt z|D^2t@OvGh_mDaKI?jI+KePUYUgpj)Z|!8QciYVcUN9y-{kY#_xX<gElh4(*d@3i|a3Eu?ey`A9J$H3sNJY47@{7r!#E`d+JhYEhhygGItq+fH$KBB#T zf3G!8c)V)wxuW)5zdB3U#ai6Gc=jihx$mwNd{FW`X>Hj9-NJcHiID#?>}yJu@ih&W z_?qUk2g5Lr8_KO;s>9(*W#D{F{BAIysmDoDehT!Kr_G?ntxpEr2^#QOxd$YMcK5h|?x&JcxX4@Da?JveRD~fV4-a5Vs`z$l# z_$;CA7@uWw96m~mXXM`u@lg&Qas3qhm_IMyl;-1<@=f3$virs1;W1b7qx4v*EhK+s zX^d)XNsP+*?%(PdRq@nkj=x#XMJ#`va}$l*@r;uXZLN@Hs(UsxvQ(j?zvNz5hegNqZ7a}@5uEwx+zCC0O)_Z7?XafgJRAKqL%YsDB{Ssee8 z&se#gRqsd=&q@-{Y9yZ3c;WFZ^pWhGuzle9;#~2pin8&nv3gwgg={xJ@3Y>+zIgNT ztgXaJBWax#;^L&}uYa@gtkO8?U>UojG*+Z|)@|d&vsRoZo>i(hN@H2FCq<7WI=3gF z(}@tB%H=GS!YBK0A+l0V_77Vba&h89{zB>8P@MaD;c=}0|8$g(8NHb})^p@0l;T8l z&9*lc#~MGT{W zBvaVt$A<9_vfdamNA7+hY*U2ieZjen{n(|v5+xsHMJVSNdmw+VfL*gTPeA`q&7QgA z68yl^@CQ%FFIe|<;qzS&Q!Pjd<14(e*ks-EuCQ?aS} z-}6G`faV^R<)*l@A^P_@TS>}3#&_UUrZuMjcKtJaXK&Z*qqhG=lkR<}rO9+3SzxmD z$M1b;?z^_{xc=zf5Ap4(=Rd;zb+kV`)$loUQ}Zg{YUO)GTlj|Wx^ggE{8WYEaA%8| zqO#zeDb4`on{&rDV(;l&r*EVElxX+x~KpX30Gx?_H%)ZR&(RD|8r#@Eo{N`v?*X?|F z^`;rgrB_Ch%ic7r- zm2CU}Ya{Nz&Un2!_^a(w?~%jcIb&owyT zCve+y+cH{nGLIVgS#fa5jJ~z3F{MXFpHvQ8(cH=Ua(5`tdjs|P{&0hn85?V|GNZFx zPoa+#E0MoeG9>xYdWL-qwoWZ^;VY`lIz5{mJfDp|k^L}U{l|%ul-A#A{f2J8)M514 z`x#4$GhKHw2K6Vsqd23Uy^m*Ua__F?w-eaH{rEad^gh1OozSS<^LOYuwA~4<$~|ZP zvAK9Vp;@`-m+3jamYvY9-18ZF4(@hB!*b6#e`$LPz5Xuv8NE~^o$mLCpqtR+WA~km zqUW`CJ#z=P$R}gy_zHCR1ZNRUuI7E39(th zAf7o2&q(i{SbYOyct2xV!I+vETacf!FJk8_^~XH7Oz*`59#bFUG4-o{VzJI0b%9RL zkAXg(C$FSOXI9dN-Y4g1+5OYawCujxr{6uTdrjqKrg}Nw%e<5};`3Hc?tki$9nkGT zWT#<--`r{6yz_4QnRjn*)yxUzz>`tat#w@c%;eIS_?Ag5_UH~b$2cFX^oIOT|9+A= zuxygKMfQ>MTbR2KJdgcw4>CIZ`ENfOKfCFL%1_N(ORnur^|AQmPV$vB4z;CmcpT}> zkskI7I=OW7Rf02~pFo~fUv=k$LqC@ZueYCc-}~&N&iHe^(}QiqWVLSHfX&s59LSa? zw~e{Kwy%x0w6ACj&z?etUL^-g_!rHE|3&;%N4lpz(z(O)g4$fheF8gEgN za#Dmpr_1K#`SN*Uta@H}CR;~)w5l5tI-?k!Qv6)s?RL*+>$!9a{e69@#&9!fME}oaohyIYxwmLp}a`Z{%nUw1I@OiyXzXa#}GL~}on)8K!8yPH< zXMr4O?u@XH-r|`!8F@zyr^yf-MWl-CxcfXThkgVK|B7Q z94+K#E;{~Fa9InkYl$N|e$PP5GlA|BuVyY8?>*)1%*(%*nriyh58v*zc?bHA^xMIi zcpF^w+4W2CUuWBCAK*sj#g7Dae3^W)w@{{geK%Y6)K-Er{a5>S*yVmKf;DYz)OnVt z#HVfWd;IE0cbG+vPvz4yJ~a5X zIREC%9ohr?m-d@S!lUT(2)G>Gr(FF?c({uBWHR&0Ma(Z3Ge=Hgj*NEyk>#g}eZS3B zIaZIwrN_xRF;7pASAJ*5Db_%>k$FcqfrolC_ygI2asKC`pZpKz*Ai3A(qDaN+`RpA z^!l-t=;!_aaL)^`F}JEVnt4RQz zya)l5j0*XE*O?g@B3fyC@9pPv?;rcK&sqDu_u6Z(wf5S3+t*Ip)9N~4QXhU&{MnKN4NC^B_B}XYbvfUr zXj8q|ttp3pd_b#B?-e{MVV=o+d(oKQyNEIcCNkhf`g$XBpuAZk<35;mJsBC0x5fts zY?JKhBQ{-Q_j`=9di{S=H8bm>51DgQj@`e__}$*NQM^TV&~?BU4Gf#Uy5W}k%X!B< zTa9q99&D=jv0ly}GN|6V#I(ATac$t7%;q#}{d*6_t^VVK=G8YXm3QY&wyrToO?&xz zZIf|$?~BxX%c4B}tq0~y%C?-v+LlERXp;ZRNX5N|F*T`a^_z${0{(Nw;z6sQqO9j? zhxKj~T*hvz1w0SUh2zYLT-sX0d%#N#gX@K_m_#42uJZb1%n6#%h5tK*KBXQK7SIn3@QfpT75vB=!@v&S1)njFd7fpoZ_|u-^>(m^Fa~wn z=p|a#FjKu&dspx7V$*87`azzGs|4TBOH_?ef01WbKLqw+Uf_QX|4sQSF7RKIZ;#|3 zXHr$(hgaP?JhCP~oA0I2s`tTx(0DdK?9dKkZ}{f9nlBYT=vjw`-eiAP znyG&H#g6Ql*ooP3SKXMM=(r&}DRM&g0CQpXu+)O=_+j?!w(-1`L!bK4{T#ba*(SC# z$5?kvY2a+6J=<`rBYV(2h1uBN+6H{LAbarq3E4v@-;kY>ePedK67RIC6SF5N!=1Ut zB*3?;9hW4;vGmj~n8g_ZSkK$BhHworl?GsCK(s4?2sWlXXSGDbO%7$a@BVK?!yE?Y+0+Gj;)p9VLZjTYNy#spi3 zG0}F4`m&x;XQQp1b5LIxV{N^2BD1@zqp~~Ip;qTTZ#bV*hFL4|Z#E9H#@zjev)Pbp zZN9t7IZ=(bPP=QDbB-Emoil5fbG16y`u?o*JcV%=K&f%6x}Bx`r>2hQIcqpcgqec&8!9AdrmI{po5)|1zgPF1YGo5R0i zu@1t&%V@Q3{T^^bjP)sj8{@4HQqB-#B;~#DeAzIV`n>O4Z5(L*{5$VEcNvFSqi^2j z96`OElbf7&>RpLnVjOC%!S7UtQ$Fod(>}zq!_Hv7**>4`G4_->{2z+I@Oq9{golkI#OWQ*th-67;EiTW31m* zQ>^m^cAb4&JGz`{2BUSOl5CB^j?p*XzU^aUl#?$4Kxp3jB=DRy+G<$oaZYZ=VEiPXxzr z1lMnXPRm;o!TWWXFU&371?I!qIdBS@CU6#8?wJ?+__KEx$eDuXOrdLv+$9T1LWj$L z=q`XJS-<6fC;HqM1AGL!ejTRAg&wnCq4ONbrTTd|f!oC%09h@xmNv0=9~xud2G8X_ zNL~UD?bkLVkNVJ+vOm8~A6cGjGyoz1jC z;`DE)@KI}NYp7md)zuV<=x~r|=MGW$}Pa_f>5@pPosVv9a?D+2r?z zjc-$MOa^^N(FT|l#v{Pr%GsQnpq-+e%aQiT+8P|YGiP_^a^BDcPD3-N!dq;UvyC9x zS=tN@651TTf6h8|?w#+UIAQ!psP80hs7~->jPIBA53(;Beush1$0}#e9oRzcpbh>K z_$z5cx{^|PDSQ%jE<%P*TnjFS@KpF@(QAv&T;NL|v^RvtX9VpNn}_f_4bH4X!FELS z-`@?wU;Wbl?z#DhjyLqS?mF(g(Z`K;*r^Y8Wx6~=y*u{6LzU?DmGd)!J6C8^ihRqy zQb=daS{b~v`TV-|N#vb{{cmW#2l`D}6|(s)Va!9{0s0Ua{{g(w*I!QS-v>_z??evi z+e70ivU}+MhPB88!XqbA_dt6B{C*4bM+2`SH`uiZ=DqOY2MuPcJ_g)LDe2K+=<}}6 zpy)R90u#A{epn@E=6#$85P2|=Z@Q-j`}R%b=`)z>vrhG0leXCYxWr9Y(mJxffM22> za*ileH%TYq&^*o;pS=$$w1*%vslIP#6y7529894Kt&H-t!LN(mhVb6fcZYKn_cQt( zOa|&{hA)$|ThV%b1>c^5&wCo3%0c1<+7ftsFC=dY-_wkIEj(nXubY|E%W!x1JJ%mN zA9Cvc8_t{~3Ew{m)K8&&)$`0EDNpJYsn_Xn@T`6_yyqs~_!4}F?w;2!>Z{5R-y7|# zji7&GSdU^^m*QBT;+Z=M;CUkVjTnRLj)A%a_IY}deMD~Y2m4OOz@(&Z<{pe0L*dI- zTbrH~S#pUnqQ@ZePhpV$;=UU>3-f0qhpi2s`?MO4G)qe*6)CQkAD_U9jS&ovsHkha2j>xki9f8!jS=I~c zv@TQSy_*1D+JmsrSu%+SP157FFz%u=6POZ&1=0rBPS(dPv9!q^luMw8(gZf4z#&~=>3s}o#; z<4RM&H{~fw>DcWzL4VTC=-9-Ub8`698?qm8AzOw}`AxKInegZ5+E78Kw(D~8-<$99 zbJmUXzngBjGa%asXex5#NcI->{lFcY^m>ob@hGLQFd!>@HYbvPiK2g^!BrEus=9T1 z8)Wj|j+S$M0hzj`R_4zjeJ;zs{3pyK)>)hApvZTX3HyPM^*AD%4zwYU*#bHXIeV0h zj5^rUy8-zlczz~)eoMcNq|cUTpVdo<9{0qQNz`j1^}CUA3-WpB5OjK^&$n3Zi$$`R z8aCGojqWwrW|UI@P1HY~z3J`pjqEGm0?%T6PePNhSU3A#(nuU$%=7`;9}unL~Pi1=@EOFTYqMd$yC$ z;$*OlweTi#mNryo3G{w#t=K$>ZfSt$H+<`1%>PYe&}(vryroucgy+OJG)fq@4v)cW zJtkwc5gpLSII&G%Uk0tF&7t`$^t%_kgWL#Z)d=psdK$j`Oj_`|ZKvW6rEe)z+#ATl zK%SC^(DF9Y!q={{`}?kJC0zI!Y42G)NCywn(N&NCuRlnGgM00^tf7j2A1QsV&v!=( zx_8#Br*Ly$pWqVQXoeOFO&9@97MkEl3gCn2Y6#oISc8p832U>An?7FC8860qBjGo~XNAV>^F@mGCh-+? zKIg=*HSAx%!SJQ{pUqJ;=EJI*Sm^NvgS%zA(LItrR2Ylqm>|p;*jp^&f4%X}UWvDk z@+D3ady?yGZw#{e$n5zm)ZZ$IUu#C1v?2OUeO%Jtu=@om-B`Y4BsPeiOQvsqPP_dom|w zOg=Y2*M;uY&g}i>bT37xdry;=z5XjVG)&N1!Mzae6TAzjd4EEG9~$?jezfeXXx_i| zizhViRo<$QJ*U1x(YHs#)0kKz&8(Fc)=VpFd5k9d4q3~Y?=!US8#P%2e|wzuG`Oa( ztChP_&%dT`8kMg}-#(MRSd(=_)8n3hZU15vZ)R>VXku6Qd8MMKJKy>qaaI5EznQug zQD-N0zlkHjXwcye*&$SJq7rbf9M*2=$iB6 z`0{>t?T7Q87qZ5$Lw_&pyztcLtnuT|uJJA31lP;XUE@WjkTu>8zFznmKTyZ@HZ`!u zKfB=u?HPD1!S@WE2ME76B1JzdJtPd@{}F5ae-)i8{RVXIqP+9tz^lN|$LIaMbWZsP z(K&3d|7JQ@L0X}6&u+L;+qn7$Eky4^<1hUEFHW7MaohXRuCJnTFZGKTqH(_jE_TY$ zqM*!Tgib_2FZ#(XJFzF-U9c?+nKGRJDu9oCwV?laoGVv+Q9S{=BkzOF6X#bkpfE}*H6I;C%*aNqd zU->&`x6`4xJK%vvV2@jXJ+9c^R)*Q*+OfwK8(kG0-x~J8S+i%XiC%mR*?WehTY*h+ zxtd%r`DMGw4_n+y)wFj6_P7r0aVs+d_PF+-J+9<|9%qKcx03D=?2;#`ruqufial-& z_PFTvb$eWE&>r^?ahr`p;GaZqkp@pDcTEgsT};*YEl`mud<~e#A(d8P@+sJw*_I7J?63NV8#IAQ z_z3<(-vRrk0Q@68o!qA-dSbEl5<8=0=tm%*ukVv{Z5#FefhX3-?jO`Y&Hu&yA-F4c zI%oSsXlV+xG_arbxAw=W`@cqaQW&>?(?P@jwhbn??^&~!Rie6Y!imnTeM6+X1N}hD zhG?zz*(j~KjPFc?yY--|%f5Fr2il)EX*~M6$~WHO?~Bdxu5KA zxapHU4Kdt@`b+LX-K3hlkKn(l#?;AOsJxrzpL@CDZ=2}AR^`s#=f;0u>l)(lkN#wD zgXI%%!#q8m#k*Oxdh1k+o{lxlQ*njjKU(DQ|I#?Kw01qBh+C+{c^!)CJwh3?mH4{1 zRMj(kfZ{(m)8X%i_N~K?XMOGMy@$p){3R!v8l+5vV(>mpSv88Hm&rbU9mdU`y9X=& zDyK)KkyrcI}PN2NP6FVF3CC$T>RjU}ihm<7Js9yH*J$JJo`f-_q{lW;( z25e-WuDzr8#5E3o>xmr=Qsx9D!utemTxKxnWu7oZ)G3O=bKgkCf3Lx;wa#%M!;sGS z?cNjDIs6k(>}oJl-XT4m(fhC=S}#-5l_}Al`z}%ZWz#6L(&68L?b6e=qyuL{g6sw`oIAruFaU>S@8OeS`~J)twzJ%gGS@tiK@Z7QZ;(p zG9$J7_)fz$^1nij_I&@nNt&Fg+N7p z%?51~{=7>jXk&qi4VB4|<`MgWy8=TF&SES&auolubjANZ@$aIKHqyVZ=yZ)tZtu08Vx?JfLl+}$?X zf$zlWcpzuA6jR;D*e2PGmb$x{gK{rcry-`!Y&6%E8Z6qQ;N>Cq7D~XgdV{s@O(nK& zPEwS1DB14+r6I2FZ9_ucT$`#*I%a=--X#&5`KbNzyQ`wL2YzhQemuaeExcaQDz7$Z zRRu<^obu=1ruh2`cc0N7l`8Y@5tG;j?XgId` z!2eZJ_GV%Kc9Su=e$%M&TFfF<{G}b)!c@MfcXxSCZx;R|M;9OP@jZ#}xs}jQ}`0b*tys5RQAiB zMYC}@JVcu3+Rv99@L>!2`68os8r#Wo?7N$H3cp3%LgLmc`z2l(a6dRL@W9!-L9D@P zP3%~v###h6 z3)m4Irs`o!_&=)0P3-8_!`oG%IgTI8ln(+-r<(idhoaGIJa?NvUf@LLsr9XE35$f^-T*A_d5W)`cFOY=tHN*M>y z=_1GZFT)i-WbduUZH-cTy11_#n=kGxm$f?1%Utoi2@c0Tr1V~jleB}Alr0_f#X;!D z;Rd^QGk96ST@mv;A2{%s5?lXkT&WsUKNUAi4YfH@?}J%t0{3LbS)`Aa7(?w((!s@@Mv)Fi!s*6_bVNv_v$Eu^1K|1_%cmdo(pR1+;-^hYfH(uhCVpjzN7 zuIWM^Jz}(ax{Vh0ZkqD9<7P*1&#T2Xn!mcQTIi>yU|%KCS6!qJNoyuIyQSV675U z{}}Ep{v-tPC%$9p8T?5I;!k1_e**m@xOOi7g!(UlKkDCrKX+P{o(bSj3AiJ8WE^@? zu>uY$L)R4>>5s3&pF5+Kp0~lDPH;!?=utJH4*X?(iuJ_P2O<3VYj)UQ%cs^R?Qg3! zx#f=MmXD*W`>s>{&9zC5&9#Y*&Gj|;8A~6@%UHSs_b~1!xQFs&&)1@S!TDk&T**FY09G8w;n%^9av*Kz8kpDnj8g6i7^M^J0+|$@Q z@08;}rGLqRl|9Pil|Aa?mCTiSrwR^Ke)8afm4|^HHUwc44peqMaA4(|z}}1q!X_Q4 z{Er_USoyEO{?!zO-EyGvcMA@z%m!gm+ZMkj5o zq>WD67=TSU;G~U}w9!c$1F%U4oV2l$Haclz0Cvj(CvB{xjZWGqFy~TlgRNg1waf>p z|6(mG5!r$I`9=+7Z{q>&Ox?!}(mbQ?*J7x@#OcgT(>9IyF*3)ud(ZUA=)szqcCH}2 zEpvz_cU1ab;tosN={uliU-rD zyCRhRna0dIjA-_E{mH?*oEz$l^hwq!>UN6$KSh6@+S|~R?C|?`seX}x+V`pcjsvQ{ z{rT@`&z*Xs;pqGD^dCC>J)0GO=bu#n&DhCWREwqkMaAE4O!V|1C&iwAv%!Dr?S@YH zl&<$xzyCwkKUuMO)0CLH=hU=1k$u{CC2Mu?fGulo*Sa>RXp;62veMynhySDZ@6awK z{>ot7BL}I+YT*@BZzp{9apW8cYu_NS2=57GnNK>tt+hAEf3)`v*8g`-?Q8fcaZVzu z96Lz;pHTcB6}TbU+g>llsR-=?H^3ylN4?f1)fDm)T(SfcnVl!4xRjDx(VkvE#uIlt(6d8XFBNZ^CvqlxoF z%2NixD-ZQ{BU`jr%Ks4W#}ZaezbQk#?PcPNtTr6}J*}>7uj+66*zQl|KgE#feH%Vc z-~$cu-tIz&e}EwlKHTJei#Gll8MK`6Y`)(E=9}p7=kb3Xa^{g|zpHf@QRW=-k9PR? z68OVAbxYm_9Q1dl#j$oGRM~nXl50wld-@ z!tOwcvUPQe-j-*c`_cl~U(ua|6Hnf62EzqQvAA;plZYYj)zE-shms^c(WZ$@ifJ zwGRKds6RKfMeJ|r-ZfckffgQm*x`RO^0kJ}mxgOG%5d+=M-#Lo{SDKQ zg?gVIs+B`0YMDQs4GzC=CjEE-TK6Z1|HS?5;Vc197@K1U9sZB&9e$C!jviF}kAe3x zuUkKM_&e5K zoXl8lH}ZEIbRY`&3TQ^>YVrezTN>iY!=eoYJ{Q`22%PO$<3PqvtMg4~oguD#x4mf6 zd{fYGZ9o?W-E9Z21>S)^t%G^c`K*KUy%s%g$EZlHb99vEyN>vq9pqv4wlhCIt9JOm z*bBX01g&@_T{{9U>E#Rr|Cm!9&pZ65*TiYplh5astTW8H9?ne_LvtFTpKYTfv^~(F z6Mst5c2V{^y?j+`vtkqcqSVXeJ<41@!aVMJi8>{d=fDDg+soj=D-M4(bnCP3WbGLA z`4jeaj*}W2zz44Oz(0SIKAkl>)%$&PKF!d8UB+myZw>kt=HY|rgPNfgEkoeD8LQThRXIc9 zJ>Fo4M!~-^f2(NgCMDT>aNjMOkF{eh`OG)Qdb6N+KGu#b!j3anTOOUF`JPbxHydNT z7Nf;miY{ysdX$4tOxBwJr21Pv1aAwi?zyaohrxND%m-+*eS9g+vICnjpXdgd53pz9^o|1|4(0Dhz9V=NAxgf1l;0&&NX zUe?7|0%?5@EB?cyfeoa*9PIp9$4#u?K5+S?QNXRV1G*Ch>?79Ek1_?P2(MM3{iFdW zeDV0uA<>~eYE1AxW=!$UFq*w)qt)BNxcZ(~{oT;0qc6hmRN}z7wt)u!iI@4_i(^gc zScJbC|9*VNvSSH8flJL>Tn|BeQHXm`gG_>4oxar}Dx)%c6> z*Wg#G}+EI(YS@qw@{)6v%+J~$rJYVUr`ew9^hYln=h!^KB zS^8RD%fTkj?{R(!*Jd>DmHU`R#+r(aIAoyWjG>uTCCC#ILo1h&avNl74qy$?X1VSCDpC zW69Dzc`e7A@}=AoWSVwpmdr<~gF^X}7>{z*Ec)}h=HoT_(&xSo)sM~JD#2B;Oe@1DUdy{E#ol;H&FguiYIfy)Yl5TkikjVdISEbqSJv#wD~T}`7vPM<%b?!N zkp*AJ--!P)e!}pPRnvx#C?1PngFhQT`4)TQMaYe1Lo=#g8+tMQmQ&S$yL;$GRZFRR z1Z9;CeX%&1@{SJu7I|Jmo>x|F!96te;;M~9F9EitIO-NhNUE7i+>zchd3 za%Bqg*5kFmU7CLoIk-Ju@jqQL_X}N4Y_aq_^t5TrGxo@;jZGz&zmD6uJR$zIad}zs)A;;X%a{iKpDw-#SzpevYOT&(kEd>$)I((M(TgoZ zDiosH2lQ%D+=J+u90eyV}QG=4z+Uo%C@= ztf9CFTZgiYCg$n7;?j)mdE9;GUcSIsRkG^t;<5#5Rr=D@o{_7{inpT+>xiE3vM(;l>awjvI)==5d9q`Mbf(XDd9!1O zbY;$WwP(i-IWlU#t0FsoNcZSqyfJ}z5=X)%%$XmbOuetjrfqG7BVB?cGA4o-qp9ya zv)wg6(e4V2e`?Q4;x*#tnHAuQtA)BAA&uPohMwFeXTG~|E1*Abk;n6laR<6iIfv*p zEAClssXcb=NZu~5_)#M|0O5(ptLnmpE0pBK2jho~eK2AASW99NdM<0?^}wRs7WBYV z`L`q*(vxDM-e~w1yjZNk@#0ELm{YaPg?yY|V-jnXV zTQ3mrN4hqDaBFT`;q9)zoRO{y#yo`k=vJ&nk#+j~&nO&tAux0N4h$ONc@qm&h**DC4Ocw{y^f7>KA_q@kbLs zo%po3EtB{;!T6&XJMyj%<}Gz^A5DD5M#iZ_<_P0^Gwt|km(yi3EBn)1QeR+Cyr{m% z;$lzQChhQn2O(P4LAqwvlosZFEAG~|RCfgqo}oyoiF9Yw40adPM7R$UPu@1<43Ya4 z&b_{3QCvRydX}neYe&AD1r1rm8nnrZJ!TTi+vx+~Uf{_=_*=jS2I21j z9}k+)BO&>%AOq*H%t zxQ6%W_Q*cqcx1pO>C=C~UhrXbxo<}dDn=gIzfrlS?xb<}-dl$8uMVthH>MS#U)*Ln zwXyC7be9_yOC5Jx)U8K;-NOIH?Dq=Hm!tUCp=a2{f26LnwA6{r`CGnkKql1Vj8Xi* zMqU+p@M6Od9rgmUF8lu8Nc0YRoY9K^SLpS0*-%Z@Vb8OlycJpaHFc=Bx6tm_8v{8u#7U7LF4hX=Ir+-x2+U;k$p0g8ex%hGVMm2$El`SID@tK&=|WPnZ@Qr4_Rlhc(25Nh`v08e44`d zog!DFpZSTvkWH`T`+i_4_)h^l-cYEWK)mMz5v z$SJQ6{Z(;ik=?%l{x}(#W(#u6C&(gOkxN$L7U2?bSHzo&4ag9s!!xRu55K7D8Dy1} z$eYh1!#p(n;;Is44&(65s<($;QS8R$;E+4WTk)sCUu}u-Hnh{9H%GtL@Lt4w4Q0`< zH>{3+zu}pvzclUo@vB+cJs&e@H zW_&i&>i-N{uG4;e&Uw3=7{l7Id2(lMq&u(%M7neNKK)_>b2)*zoWNYRGMBB)V=MF6 z$~?9*kFCsOEA!aOJhuAnwM+8~YnSB})Yj%XYM197heouRl~wJ~gaD0Bx3$$8+;Z;N zhFvxH3){kJ9x_7W&8m{L1fKHJ@~j^w@_*V>-7n#!{%6)X(wtq}qFLJv`r5`FD6S7#+tRIyE1fqtKcTLnwJh6cs?T5@ z8yU8at*!X-IyT98n=4e#L8+ISQ+>g8w3TwoYR2kih02&@9N_AsT+a1x`+t9>yqfcr zw}`t9m+&@M26sQ7h(_;BnK~^GD>HoU4wbuxGS^V1tl2LI%l#xCT@5t1oHhHKwDm>$ zHB{ab@>@cFp?pJa4wZd^ddXR>Rg||TSl*|}f$|>thUH1!Lgi?r839jlh9B4xU9I9q zzz@jUxM_#erM>QSdAv@2JWOMiq)j_4u1#+_UDd3mU`_25W9Cd!jXv6%rOyhk0{;lx$VzC+O zvx+|FTl;SkJr4bU6}lOb(dAwWIeRGm_3n3tWd!`VxkPINd2F1;WfPWe&v0{bp? zweP&l{hy%=nEUpvxf=QrnbXZX2f8hb&1Yn6cp9rEa)qv6;@e^g(=Q3XHd6c?gf>#mo$I5mHx|cnWm+nT&Rb)zv@IQZZoD|YPwt3tbLZcx z=FLI*a3}UP(1mX#9}-vOLzyG9LNX%#EINrxaUvfsi#@v@h`z0Kd1-S4Vu9lZ?bG5!) zt%*`>l8(?zMw={TVA%hT4d`Zossi9!FCpg%R}PYe3fgZ_-5e{0acE$H8lFEorh-vYWuXw{FFD^r$y z%!Pm3Bi#8eM`LzkQ@*Wn$8(LDO7U+qql*7MGr9QrOk?ryGY1skoS_zfJ0rSyW=2YJ zaYjV(cQXbS*JT)rFO7^V&dp3Hz8|+YBeJ;e`@^d)jZ7-OR!uCmFFm*F_rNCM z?jM~I_Z03w((|hxJfy@A9(HZj>L;#`%LSHqSc$(A|GFpg;d}4guwb04yp13w{ zW_eaXm!4th+0MPvZME}U?GMj$b=1#ubv`lA)wOz_YowZ<#2iXGvSuFoq5@|D|4#n9 zH_t<7RN$P=KYVV|(dXx(H!5&0;~#kdSKwUFcO&18eDC1p+OKpBmyN?X{jxQaZV zo#&E1xSThLRz}|JTuEKpUJk^QIC{DJq(2q<_9o}(%LosCdoQ^xS9DuKCoUteHfYjW zd`xq{G4it9y|&A8-@N>?-2X|q>8mYuwLM(wYOgPKbv#k(>ReswQo$p18%bSjN?oQ% zhcknJ9alG((zgz$gMS@YpDzVh9nMnz1z#%pUdnd>PaV#6dF$()LG7UELc>p>?IMo>xj;$99&wns=4D8i}WuPabLz z$1B0pY&BNLRcEBrDfoaq?#u|{=%kFeA?+{GR&b_!Z>ei6VU8faPUBk*;%QeysS8^k z=gm<`I$kD#s|q+7Dz8$N`JzzQKp9SOtP^}a@~qTLNg54qHbzc%cE4Qe+LU1((zUOY z`6TnR*tzFo>yRUSOFa3PcwY8)HjlLq!H(3ud!!+E&n1Rjug#FV_i{t7!oG9(S-RQ5 z^MWnVREeL#`nrt!V3;*w}xu$(WfG#l@R3E^~z9vJvNU z;&@d{k;SCAE|0L*?~Ap&-cGf<_OrKC8LPOVGey{~75$7pe4aVKguTW$^1(A)Eoveeij4|rjsysSZrTgovj)_MzPk}p;5uF2bH{iwKQ z){mTgSDK}~*dlC*i|VM;lKrVYT(;<1N;ziA5IPXr6CKGuhU^7J%=P6hUp~9)A#@!- zX)1|h|1<7&_CB9s@AK7FrLxcY<$X_d&C7>wERLAFDWJQCf8GxNY;AVBVh%Z7u|B6O zj&{XUW~FK_lKs$?_>H)?aBaBid?ooY+zYsOa2dF6_F@tqw6IrZ88QuLdw{(_c(QJD ze39(Ybf{LV>`}(EmnQVRLedac!JZ8^)ZnKwbqrzb<5=p0VfB&q7Hq4bwaU~fgkf`R zc`g|CT;xiN@GH#Ssq~xWP2g`v{?r1lPHj}ilD(3p^s}%S6*Ajaw)}@cL?4LC* z27IV1ACgn?0{?;=i;dGOw(|{+NSO2c!>8AcwdPdp2NnqoxU)13SX53$O919vtWK}! z;hTNZ7~(j28=`KkIfp&QT!A?kM@+AX!P(Jm8hGL1F!-i4AYecFB9OJ9~*(KGkI2M+lcxixD) zcd57sBC|ICc6+|auiHOTr@Xst9Qy_tRZTy^2LAWkv18#}Dl|t?;&r&(CnWbmZvWZR z{HD64`P&~~nlE%ommz}jGMWU_uL(nmFzkAz#ur{bYOoj=Jsn zj>E<&l2`4=hAC1H2Ts!Ol=7(4cFNrO4a(H>CtU_*$X#YqhQOpev6GSiSGlSmb zB5hY{#_4tB4$)Q0V&%$q<3LZ*PjBe$oQs%>qsJddE?MQj@0Ee(eH?SCUTm{XCkL<-I3>hiF@Cg z*1x9n_0pE?r7>>LHZ7ba$`qRd+3ONI zz9eW*@K|}}kKUr4(6&U*27P0Dg4n1xb$fz1>fOj`cO?V z7ad-72Wuqh)Wo8A!dqs>y0}O34DPy>$Rb~1tn1(`9J)szdP~vaD@_3$ZY8eh8G6Cr z_KC5s&Z1b?ktwmRqtjzu$8L{xwUx!XI_AW>x+-H`-PN(Ko<->J(4mTsJ%sOrcILTH z$vtu4x!}0@8|wE%`S=!1b}@&+YxYQVdmwXtDYgT0@5*?w9avscRe&oE+77fAPNvT% zQ`gC^t|^mUN2X79b>BYOb#&%rSI?};u484BUCnbQyILwIyIQL!yAF~+c4tMEIQGoo zBTVoSrlM|Kg27ZY7RR~LB1JJ3W#9^MoGq0-W{;2d`lweseb^D~pDz062>sJd{~V>i zd+6I^^iwna)IvYC(oYuETyIB@5^94I)T!HpI`vN4&_x@L(1vc>uo69OCuMZfmPWq2 zD65M$y~Xzt857#p&389tchg2aK6U7%t$KXw(nXu~_|)kLZP(*dw{H62D1D%(p`Oo4 zS=6~DGQM4W$6cW$$ruLq+yk^Xl|A4t+VoRs%@O*8_W|78<#uLIee3B* z>+IMr?PFhE_LPLK3f=8NW|6bGN8#OV(2>!&o=9~%x*cbaF|lYYWhELCZDS1aPNB`v z>HU?b50|?n@G#&3~sZC$M&n zJtH%>A29sS(&1#5VUtsaT}PR#^O`bO*L7uQbvWb8&eh=*m7S}@nNs$jqr(|PIpI2- z!ZPS|nd{iBva>pzGKmwW!?L=slUmY z{I}_ESijEE->^pM`Wx08c(Sk5--s*_(&1qCtLs~Ief>^DZrd(HZu?$CZpXfWE=S%F zF|#fRz0Xp!>O>w%IklugWC+po2t0#3padS$^$1Ltd!V-=UC$X9cpnZsBdY}K5t3D! zGv)rpfPB=RY0s@R*mE}-QY_|SoFOx2du-TuTG10!VAol}TaJ~y!`ME`o+~g3)8SFT zExd0Uy&39tS)Lcuqff67T`QujvOL0DLg;>-xb510N22d_VYb;3I(-_JfZE zehKi2{ot1Xw*fEe2e$#g9Qc%e@XLW;0epHt_!Ypf27Y@#_|?F#1wOMM{954G1E19o zem(F4;AQ>b1;B3vKBpi2M&M51mHpsO;KjhJ`@xHWPXoTFAAB0{+kpSDAN)4pcLKk^ zAN)?>cL8704}KT$*}!Z2!Dj>i9`J|z!M_K*0(gBtcm?n(;E(o$R{_5lctbz9{~R`@YVg`KUQ+v*VuC_ALQOaaG5h2IJ0f;gGz2-|2_*H=-K-ozrdzU-U~Wc z54uO!g9;Cw6{EP(uZ)X9w`3806MCA;L?vln;-DOCl3aQicO1s{%o;ZyS*sEqj_AWT z4;z+KADNm{6iFPy(Ie$nq61o)rXHdQN@pz?>p< zmsY}JQVCC#@QCT?p$Q+FQ?I7v6k(@tB`hXQ!qn+2Q^_|qEvG0IIIx&uq|1=7sOj~? zhUYwICfqzArznkZ;4v5TPCB}?O7vs(!-nJ(4O3jQcNJ=@=$?d+4z=~ter@gF&e31d z&e5TE(#BZYBkioGjnC0mY3FF#X;v({4UgPQISZLdnURcLUNUEhhfQIBXv&D--mSUG z>9V})bXj-n_B6@nCUl5z=r%XWmRBt<%iHK&$MV?JZuE+O2*!DXIDZbtd7C(Y3C8&Y zanRXf1C(t3GjY(}I{CKzg*fPN^?cA-TG8d|anM_0yOV52cUdkz`b!h-NzYdnPC|YV zUPWwFRh$`}=Ezw4e9`Hpi~OB1`|^y0vdbOVBbg|3#PYSpQl6Bf{N{yXDIGp^bZ|Y}~ux!m_cj9c1(w1vlf6EIj0(gVFxEL6L&aRE{f3PycKN@yYKI--)@%s zq2;}(H8Dz$=rY%ul^OCrfV@w+G!5Nfl)W(_-QF0*c(>NrryO4pRh4*ebk#cx5~}WA zcFUA|mQ9^<)xF78)9+2J8fmztdbXjY`e~fO;HW;NII91!AgQXrFtz$3+z;+et$KpE z%M7K}cjNxNAf>9+u%P-?+(!OCxpzR-dkY3t8H@|74;dC#8<*Lqq%9g)RbX{gKW(vB z7n1*|MX6QqFBn`k(rT~12zV`J-LfdHYPNN1^&!(O)kfoj>eomsb^ObMAyo#;E!7d0 zsnvzV-)M1E-@7QGYMHgP`XWn7b(!^+>cgg~)l&D@7YwZ`05-u=T3u@`slFJ0)uN=T z9j1lVcUu-z?=&r_zQ?k#dKur#@yjeq=8FC?E0Yo5RK>8c-6B$b*V|fd8xskLo{`U~) zVZOIeZWLj&agoG}*3;g{xJ#ccAm4@63*(f=+2FwUh8r4Zf(KV&f4qrzS$WILbG0#b z?+|ospP{R~ocp@2;;pSciK%DRkG;tKxt}k2yd)`&yTIhV&>`G;HdqhyqhA#o8i0r1xli>R2mb$f`(so4{hXUf zLC=&-ozpxcuzeAGn*!>}UR#fodMV3G<%~;}+<_$a$sN!lspoFqcNHDK+*RiJ=*I_Y zD%$c&E86oa)CYcTMW4I*qaVL0X=^I9yc*!86&-nje@~u?vdfcF>!rMt7d>N#3o)_L02hy;jL5@HVTdqk#S@kK%p}*L}SuywRGa9rwNLfuDD zpHHQKsLxjF6AIVsN?qQiF1tyyJ6MV zbyMDQmi<1dOL?##*&{ns|8dkm&1m=230q3&%M8B7#<)4ym%YrZT;`0-xBlVMmxJJ0 zOr-Hqf6n0hcXKbS{HLgjU*2Mua0NRi!3V}>OKO6$E#(336*qFPB<-#kY~O}#?k*>t zg}xFV>8swm6a2D)1G8e4o}JtyK7jjSKI9#0NmCB}*>igFf$Yp$}J+O}{`R(Sucabjy&$Fq=c$NI3l^GR`m(x|=TLGRICEB-5jagOZR{PV-=Oqtz&D}GPIo9hX6EvM zrH?$hn|kiSJ+&dkZ ziy<89KNqj&-Fm@~&|IwPHy5ww-TVIGp}E)$9*p45OB3|O2OgwA9|T{*@MFK=hs~&5 z6^;Y7k;;sL;DEeEeiQe;x6!X=-i92Yk3VY*dDMV&@~-5+>EoZuoRIMkgh^g2(j z-^%z4y%QWc9~}tchVqrT@h5O&ppF~Q1#!c39^5dqFCloblRM$U@nRr&;iLYhFZ#BA zs^dkl{=BjGwe`Osy!h*N4B^H1KTtGz7vy|+Q6pnD$i6M~zNFv@Z!(N+V%=vhCzcOZ zwn^V^;yo?i5=${FHA(WHMP23nO_^)FZ|au0J3F|hWV?RQ%RQf4Mts+)Lo3EpP7UQS9t))$Df4{eRSr&tXvKywTA>B$1oYw@I??=B=)|V;(21|c zg>OJ7z=6Wgzy;`q89y8sLNsEM|6Cf;^xsG$o~8dwm`mYuu1+7AV}X11lRY7smU*YI z^WkyRFH&C67%N%NLh*zL(DN7}x>wc*#y^?6Ys15#abGHP?$2iR8Zwj@1P=oIVSw+E z?@-$F)j`Ty2OVf-Z46HrN+b0-AHM5+8N8CLBTrDayvO&-CCUq%pgC(Cg<M9 z?7?#Py3L6lMGNz6ylUu}#CZxkbKI$z_l`!FCHkyOd5>g14ttUwZ1zbLV=IMk=FK== zui~SB*Z!tqT21D!?o}E8@+)elnMbU>7n`kd*fIB56pPc&S&5~jkuh@+N74vxnafMY zfoE4L)D?cHL*mGNW)e@r17mzH|J_9YhHyERbTSrg^uyWp;9S00xhOE^I^Pb?{+zM- zBX6Ju_>1H-c2Yge8B>Hh)m)<_rkC?J;nw6TQ#5w|L7<+?gqL!=^OXNVsAW1Inb?OyaJ7IT_4q-->-ph z5!?`5SjYM`x8lBWtZP?_Of;Uium!(_?_U$8ydd@qYi!U3#_V4RZwk@|=;qclZy#Yx zJW}31veitJH-oO0aR|oaJZ)gD2cNc_;a3Eo0(9b)iYu{24132inAb(*6{0EfR=e<& z{pE;oT09HgS#4n4JkuHT?74HtmBV|R=VoD(h}{?Kvdl;9Sn9E7spoB$6roG&S3LIWi)rqnaaokbIa&8CB{|rCtO>{{L&;nE zc`*JYC3!Ep(w>9Vv(1>JpT)aUHPlO8HPTzCm(+EQ@P6ev;~do2O!-o`Y_Yit<|Qzx zb9mSZ>WzKfnR>6_&h`_$U9PA~edz7-{&Mkl#$L_^j%OWPL7imomjuU+bo#ixsMBcS zF~wFgV54}x@p^j9`Nu0bK-UMO!H9w;m2HXr@|5{7 z;hZ;=18b(xYdxP}on`%#|8RXqxLj;Vso9p5V&67NF;$i@2Sc=H8ST!9L8cH#*+Q>E zVRor2aG`~y*g}ptx(6 z1=fZd`k@KDFaVeSD`0=Q49A;6fi_W=zJ3r!opc_eCds}noBHv826i9gb{}uq@X+vM z18_3GbE`PhM_Gd+Yo@)6FZ{x-(Te*sWc61JgFF1_&vvjrWE)fKv;0dQ|GZ-EkFG@q zojY^TYE!Cx8*`>|FKdDLH{%Ojjb+@xl@P6I;*I)}Q+-#NC}ZwS(`p47n6{({9S?tZ z>9aWn^pWUGUf1;{eTDMAkx@II$zBLFHMFjpzL<4jH*J>m$1^3qyz8dwG*|RoGPZqk zmr0N&H*+^yXuO*TD%*eu_^f_u`;37%$Ud7B!FyDZoT-T7jm>D*6U7}G6RAVZ?6czn zUVnL9GN~)NOZr~N+w+Z0M!&I1Wjv$|!T)hTteLizu^32y2_A@y^PwTFL-Z#*pcf|I zJ1{dAzpW_$k+ds~@wjQpz|~7D%6p~EwWs^8X#!8LW*q(KV1;*(zLI=o3?@wvj6vw! zNH6C`KARJKAI}(kd;6RAMZq`d3-JEGv@fO)T%CcAc3C zS&M!{^rPWzT`z4t=Pl+yze<}$KLt+N*457HU2mNAo6vh}lIJF1(xuPPwubGVvGxUUru-j;Txn4QqCD4U7z&FvIn>KInN>K!M(ql9(+!bIuFzPBvAI+ z&-&1_D>kV|3FECYrrY6H851k;%w4snbECAme$QOY%Oyc^X2?04nh4!$wL;oJ6KSkdlIugp$aeNMYUd>i` zjS)IuloXmr@JAMDmuZBuEi|WAz(=g$J#R@XeTE;jRZ~`l($&DroiDrwo#}buQRj!R zV7zPCUy|{o-H(+~)^c1+ri_ui=gt}(TqEZW5dEKG+YOG-CEW_fO=yO~9>Dq1ho??&T^E`LKJ`M=Nc*MFaI5~n+(QSwO=Kf|>~;oZKABhjVd3isa@u2ySknd9B_C;L zifU(GBzqp=z8^E^W&{pzea^ZeJY*~5De{qBNq-laQ~#EInG*hmca%6L{A`@USq}Xl zepH2*4bJD3zlEXehMy7qMsH$EFNs+weJ~HaProc`;YxVN^i*}> zbI7yl8Op-7=-JaF)rBqCUQA-$v6HX)o|viQvja9a(jO+)iaH+Cv6h#QbDFL7b~XLo z74ZC5N!*2&spEOSeiQkAWnA)QqNb#$sS8V_{MXcl@=ll!_(cMD#8F4!e~eqWj{0P= zmm;!9`q-$2B?4a>wXg*}?_A0p1U!p$@XIMC{^^92P54RpyYUn7efV+sS@p#icFEBr6Ag9keCST^ll2c4;tbQfDzJ0tDesQfMJn8eAzpG5ucBaZy5^o!JYLGZtXy^2|H(~tPlzKS5c6xk??c;Dk+>LdES z@hdC~GpLv3Q%b(O3BQYQ2^-C~gtK2WV?4$sv|Eq2jyi23YzFZ}reaODRk9w=icuFf zNjoT8+T$ZmQLrpqFfTc)E9btX9(uadeOF08OFr4aI!;Aj<585WB@gsTGi02u4d%g_ zF}Vwu^L#Nj-i^9S@L&aLt_Y?Ng-gCtcZoM&)nzmtAF_h^NFJ9FemRc5xh5Fz%2_2* z3wd+S20y3cljtR+pCsQ)gZZ)Fchz&y6NxMRxq|u$e#w9Pz%_%h-L;VC)ti6|eudy- z3t0|)H*mo(fwvJ~X#ZSQx!MQ3860{9-vXXF!86lh^Xf_EbAJO~p1~!`gtrLj)MU)o z%9#8iZlUOHWNviRw}P`>;*-x|c$S0EA(^Kt|A(MK8PLT5ebV^`rU`g{0df0kMW+Uj zt*>(`>qB6Tll;j`U#AX%!-sJnQCGP?vX6aV!qCmJcGd>yuax^gA+HPR+Y5>N&)Rnv z(uNC(`_J0m{yIa^7owMij45aKq2(LC2|ggex1M0GAHbEs4@ua4@NBZqeAV8=e?=ML z{rfR*Py37!HlZIvGlYhmZ=UlWwErXaZ=?-hH@E*0`CSOETu9vTc7Ihn|2yc}g|y*9 z;{LO?_kVHx!q(yc9rJHSJ1?Z4E+p>%&Z7Vi_>Z9N;eGj!$nQeN@j~K;*Ylrgt@y8| zo&QX2zmV~}khuTMWBuvvL0zL!;Z72r-$b8#RzEHJc+tP@UGM$R1%p&n7x%ftL&ryFqNXf_n4~WxW55>?m)2 zOZbQcX#X)$B1}z?6r6GHuK+FE4t!A@YnKTdvwe1;ztBToxrsXO9Xl&de-!f+stJWRnTO$z~lk$<90P zE-lGm*~(>YZW5T$et%V`x{unjVfWpc-S^%1kN%v~b?WleQ_roQdaA1MUG?z2%F(po zaql%=^~fsxHQU2gBT4)>E?w(AXB#W!dHKfG@YX7L>{@t@GXy_v&k%$M{TQagUc_$J z(TV9&zxO2=AGg-nhu>K;pu0_cWap@?tDMC5I+nv970ef0=lo}>4`1}#hOcZg_$J2l z85r5e@{HeS$+lo@4e{(|%}Z-t8jmEjCONs=;G!z7IlInF);Gm13oqU@+ir1P^6eI< zo%0U4)|p3Mjg+x3qm+G(CGjz2_3OYPxv23V9va?QXxc{p#ofDLi4k+s2|VCx|3%Og zu^@5%-%O0!E@=55S;PD0dx`Iu;%(cC5BHDZpA>5|Dyv_H|Kc&pn`Y?r8#}!8c%8Rg z-;^ePWN$=#$d^Hqk&>B%d=uRbMb1M$S-DzM;%)0i4lMx=_TM6-=1_Jac@}W>bYkpi zWIjHFdHDV8TB!1O0aH7?*v+^&T37mE{K%Jr$Lb=zGjSsH-TvhLF)0lYl^Q!j~zp3XJ@XhnA0ym2D zU@aiO4laMLOBc_(cZbI?aJYWEcXvjp(iL+M%&WKo;I5KQ7u54wk5)eDH(ty5s4nf% zFt9R~g}N>7gLS(0-7{KJU0L(yjBVF5Hczqksk1Wh;jioA9`#!f#=2N{et{<=I zZMn7n3*wbv%$DMo95{m1zNE-ja}CrU9Z>=yZ>uE62Y!1L&i=))<%J~ z9QZ4+Ybtx*WL;f*kw<}Rpv&vY;REaLV6A_TcVy_0mp;13+9)sV3iUiS-qbVBeLjLM ziM=Ad2)A#}(Citmz+R1A^m>YKs?PpwrM+O3qo-^ztd$0v;5&an?$-zIBQ>9J{E zf+M!Id=+C{n7#wX-CfbO@jEX>1#4)^W5LRyY> z>f(HfNzyW`s|53PQ~wj-8$Ef%@r(ydFN6D`hnjmbqz^LA4p%X3%i$%7o+|dg=?>p| zJ&6bEB)(qd7xG{DYJ~o@KB@O&yQLpnKrqyTTj}gU@T`3JgiVZso^CuHOrK@_%F%;e zhrSLvT?4(YhHh6uzt=+3*ATA|F*btQ*Ba4y#}w#$KHnFRZz1{5qulw>_dBrL%a~J? zFlUIMufouI2wlbAhmP}}wD4H_T=u;Fi{~E3{^SsaeK+$P7$Q!oMlx?OYkqJ@tgw_jB=y<&hNk$;7(m&hox6tow|gXdUHVFz$q%|14{3 zz0V*sg7COD4@X(UT$5Z@(~j&zZYfrZ@xAF&*kvQ&hw~my->Uv3`JCc}GdnuF6no`( zK{1l`p}wDYvX46SX7VA;Nfh&^`d@=alGBN+8Grug!{g(p$n%|-p^5X!mtl-O_Eip0 z|DexTQT~Tw!dF#q&6X9*R0nqh@9V^FJpfJ)fRh8?dgfHHAOCRA@TnSNnNJ7s_#N;l z-S-~o%f3K7B*s`|HoQ^r(;Gf5BLwMW07$`{f%y z0UdoDdiof2^-<{SBhcT6S@WA>=udqL_M?UvZq+6HPh(78L05NPXU7FQZe5fy(Kp5I zUeDNg#M_v2okHh#t$`-ujQjDS#B#+X^kMg(SMH_1hYox0;FVpQFZ5=G?o2Q?zC42$ z4UI&amq$YjppiR%E*hbYeII*cywSm?z35(OE-~=Ljz9}RoEV(l7{CeR`tK&mbM*bG zwHP19R#U9M;<$?IDY-edb~WkDJJ{lA_XMc_vRiWKH^*X>#8mF%l3AB?8#{8yvn`s>i{tTL3|rr%O)eH!_oiQ@H_{b zU~{;->wL#sMR)_Alf%Rp)|~dXO{JY-bb)ExF=M}!)Bo3LZ!+5HWZ&s|@UN2>YD02y!-d#q;LoL_b1tjjo_wwW znE}nwy!Sv7nIc&)xuS82p_hU*a*(*dl^-kge-VAk5X+~$1K{v6aH#*g>q1B5k5hUs zGJ1u>ulY77bR82IP+u0}_#)_?St-bGg@IM>Cz zGw+s8vu#+LLNu!XG2jmujol8#G=4m__Q)jZC7(#GJxuy!d+yAhny+}HS9#vpRZ;dT zAV;+~Nj@R9vkL!64ZQA6m#nk)uyCmJ+uYh}F&=j#$5u{=MTBoSgRJHVu``Ng;oPyB zzqbArjZ5Zo8^f@OI!*tI#$^ZfJ$89&?XT&BVli%j2KR6D(tFpgUj{E3_!#eX``PQF zv`+TR2gfzcd}ZYoskQ$%)}jmA{u-`9+8+uJ3YA)~_S=@%uvW)Om{Ot+hW{7@eiF zsLQt=4pqj#Q_K13#1kF9b<46(^?Nrx3OM>=%prHz<1j{nXmell~^>ES%mHLWhOXWf5#5;-n+YnLFkjdFoIN@i_1T`*J?O zGYY*#nImn-SD?L2nxBYQP+L+;L(@qjQb?>1^pETd=yd&+{FKYi~;82?09o%})PMG=Kb!apd^2ZX$r!XU7A=g4=4U^&`%O9& zFCW6jDB7dbD*0>e)xtb-3S&|h=WJ`nrv%+$=aUI^(%z+sF+1nfJV*F;=grJzPFal~ zql);YImAL(*{AtU!Ty;OpLBj1o7j)yeKR&r!p0Au(`OW^I`Rg0jE({Os1N(=!0z_n zpN3{u(g!!+)fjp3_iLnoPh)5NExsQHUWZO6@VfjgCHPt7>wFFRvGc8(-W2}kRCx3X z@BQ4FNjv*1Sf(&s-Zm8=uw;4HCzuIz&eye6OaywouToxd?N!~q|26#W>os5QdJ(BZbTLfQ> z^6vPZebSs==EZ|}>BEjwf5i8Tx${`QwioHY<$L)x=I8ky`>%1B`f4K4k#^*lYe(g! zKcqX9CjXE6Fj@N9(o{||$NEzi8X4jER?i_|I%>YlM`-=U8RWoYtsk^9q$7-sk&n>g zsSjPbH}ZA+?e_4I4ZeJVE*tkQ`Ba1I#Qvz<3myeihI(`kiEC4|@Fo5S$7@jfb_x5d zNDum?UEd9TQkUl7F3rt%a=uT%;K+wj@E7MxPLdWQ&F$%NdxD&Q9N4S=d*6%wd77)$ z!e`RQIrvt-JoZ+@PgTgNkQobnT=5z&JaUk6S3jlGozFpjHskAzXm7$q|Jqxv%h|fL z$HmG+owX;ur7>~yCE-Z033t}M@_FH1-nRB>ZY|2(4`N_tU1MuMb5Ms{*|lyQYKT=G zs8ks{ca)8M75?hO$Ry>FuWB%|z^`Y)*7k}*J>sW)J=h%G@RR55wDJJox8(QpW!}ld z_%h!Br?2xnKec16_Ag71{4%`Y@Ir54z@tUij&P9 z{<+|}W%XObQ@nrgMfCLx@Rru(UHl|AR&TBqSzD)hZw>SNn$dB8zhwehGq@+w(~V80 zG2hF#6nn*tYzv$tpmlla&z;=%)>V#}ei@r<3UaHAwXIUd+xW+^xx$906VQbEQZvQ7 zM02j!=+hq=AFt*NR<4Mbf;8HK+m*VJ4v~?SM;DT|&=PE0_ zx$-Le2XC|N5HzQ9jYVZ8KTbo_`8|;l=68{qM_lZ-)|_7T<(cRk`oRyOxt`9E zWPHi5v5khl{)l+TtQ-6DyLThoHOAO>jIm_5-HT}SJpVP8$VceMj_WUs4e!T=)0XpN zG?G4tUy^xV0$X0?KFhpIay>XcX3kX|93R^T<3n9l?7h(1rcztjQ#hc z>m$swN|@`GntdJe`D?siVa?iKhl{)Q0Kwq_mm44HZp}SkU{34iOVaQ3ckCo*cEb1c z)#_DfXVN*-W9J9qpLo{57`~_AoXPIh4fRY0x8{Clf!oL-2e;;WtatlzqX4&T3Bi3R z54ZDm|I5HV8o;+tgL$~^{8Y5&*SV_(a|?Rfp47w)%1C*omi-$}P|D?TG|EKkLQhm}P+sN9*lGoBLN8!^p=2Mwg z??`tWF#~O0+V?Z{KE)cT;_oD1W7tOD!}q?II5=nP%g-XaP~Vdi=DOC$lbIwf=Eo@3 z%11zXQ+ATH41StD#Mtew^NysjxwstC>_xhc=Wf!wNoSs5$|vygNSDcPRQxR#(34N0 zC*=>#)yWq6nz4nfu0%gcSIQn@-AJ~{0C@x-c9)TNR##ehneWC`hhV>~NLN0AUQ8D0 zN2fnglKW=>qw7~6Hi71Z(u?TU{m^Lsn@7y1vqPotaS-ee>R8#_E4lmE*+8lz!}tg$ z7xQRzZO7!gHdvSR_0#-ZU2a_Dr>4F$;(q=)<<`*&=P#WZ-z#4@1_$=RL|?emvoE2q zUdG-hUSNWK&}Zg=)_;w@g6^y1FJOzjh|Me=E4*2|;4Sp)1iMCdLBSt9W^5VX9~`mg zrzpPQ%?^BN@SSk}0ybQb?_^7h*2H&)-vV>6)Fg8-A5O)Bok0&J3kqZCXkoIs*h|C% z1kYdj7u8D(3owd*|9`#of0iD$=VX=kymF~GX3ocI4VkmKBVx1Mt{EikT?-Dy$5#_eW#g@b<+a|u zn7tA@3w->LWKjw8sZ!=sWo93Qd}H!Y$p$${Gg|Y|7%)dPeT>m>;a&J0yxB|B zC4;vleJ8H$z+T1Z@lAb~56QsDe?2q!MGSt-_W*A3y<0rmIi_@S#*f9#$KsnaJ1q=3 zU$41&ehtSUAph36|E5jf_n~jitUC)&?*0Sa=L8N+ypO9(I3E>mBBkJFX3yy^&An%X zpE=;Cgm|-XuV5El&gIz+jfpmduem;r$d(a3btCH??P*Qa(VpTR9PRZ%lO}IRhPl%z8yN_bymi@r{hM z5_^CzlCuwqYvWmKY)?yjq65VMI3MuY@;O?2`?PnakJ$0yD@(<{jt?ylO7}awWZE1L z`Y?)iTD>FUJ;!I&0r|BDI>__r?Y7@3=!5v6bMj{&wsD?6>k9Oe5xwwV@Fc>c-*@lu z?3jC(3>%2ZMz%Z;ofsS3j)jH0kMpeD80PJf0H0E3ox`iza__}F{K`_%R)L3IT^c*f z!xL>S$-$$(Y-`ipM)<6gOw0Qs4ee#1?QUetZuTR&ehtuX2Zv<1wF&KcX2JEXVjIf& z+nv4lzXArG@8#$ld~%kF@DlK&9Wv*v^$xUZtoLz#oaI5wYt~1Xr+2gO4!J%x^c$e&B9Z-2yp z@sj+euQ>lBa$ozW>{+Mbo>!P_nAo5W|1O^rYxkJ;D)85GzG)x&CK>j!s#E)oJpP+^ z&Td0T8K17sQ3DnukIZ|iH`X5RYfACUaptxCjt^LKYxdYgd1@?FPX@W8?`BQdKS$H^ z)4UM%lBbV-L#__}*E_MBVjhI#FSzgemggm4P##mKa6=uAmQ9=pGEMWqSKPd+)s9Oa z0y`KVVEN6j=YKLR!L@%w6WAVa-r=9G2t8=d*)18!I7OlvGv+bmyv}hPWZs$sf3{y< znwax%=qyKL5Bg_0z634)#{fOb?=L=fKK^#&o(k8jLlaluX%*(6))u| zyOF#b{qjmz*@^jUbS_m_C;5ZvL7271zOz2H_Bm`v>AqmT`l#*=K+Uc((U* z#+h}L9Vx{ImVK8wGfzM|(F$gY0wQj?vlv=}lc z*C9LB?#oh|{_E+<-sHXeQj4Dq_H1|S`X^o4KF(ANj`>E`8gHpA;NW6#5d6M~?>htQ z!is^pq&N?F)ZTUZDAkUm`HaSk|J_6QUg22-A8FrXZs+`P1`qIFCK5TqxyI2Iq6WJl?2p z-He|by98;2)Njl9_|cNHBaaZ5xlip$pSd~z!{NCj*aGW*3w)pFoZ4|> znc5jo;q-Upt)j2LiLjU5|6filbOqz_E`DnmlY73kaMy_~w=O#l&bM;6W0XBGPjR2w zt?U=sQtB;l2Zr(Rw2@)%E5puM=f+a`xA6WUK5Xo+zIurUl-n{eP@Ds{i?9phr2!z z-qy^T!2;}s-ZzIzw1xp&R8oDae6Q%d*v-#J`0)(#ubY<2a$KT1n&E=_WbqW@jCFi2E49DkFV+h&(=nT_O*ZYjVpDJ!I}G4 z?R}3^@Y(10q_f8_LacE(E?ZBwfYxaCVt?ts-rwNq=9e!rCpiW#7Ms2(c3Sa!^Lo{n z7l`8{ud&;Vy!GcbrcA4sUilVfJa9Bb-ABo5{dPLXM03eG#%{qjF}Tgg3X?Acjx-*{ zcss~C%hABvtd+ltmz=my@{KDs=Pm4$96u!dRrHK~Olu!g!Sgiebvk>0!{**j&BqiQ z@v0x|r2YJgp_JVxI7B0&F&E<(W6tL6ThU94?;};ZcrAF|gvMKIL@O^!t!;#+Co7jk zht^ZS_UxVQ`zpRmP6od_|5$?kz?=DA0Uwofp86X0FnA5+yEv10Y=FKIi^*6jo(NgV z*k^##jlJ|Ebi8lxKXL9iy1iKMJk43=!M%j)&u;p23;P0`9@aQ0=Dc{kq=Oa*&O*22 z<;OArm*qK)-}@Mo8=(E`86%C|8hnnH_BA%U@yo~-acfU1mw9u%ac>RhE9-k3-~HI+ z-0AVgZ(xJ=)V1dKHb`#$C*)SJZ{oqHxx?jWl4lW}dsFOJFZeLKTdn`nzzgmqk20h= znWS`$z0xFOoIFV}u1fREO~9>a;+DWZCU65kYA$r9Z`#QoGjF4Q)d&CeX4G$fyF1vc zj=WK9rq-YJow(M|sErlp$XV`!B>RtRcqTdiU$tlj_fQVuGXC-MLoc{IT=S`|DjC@x$05 zQ@drOk*@zS*>Svg*I~!`_+s8+@H}wH%52FF<&`|ikv0G<#2jA|BL+{g#++*rFT|rP zB;MZl|CM^ON2^?0%(>$3ToyME%~6-?rVVKEgY^3Y^nV?AxEXw`MHb%#JzC!^{uuTL z;P+$=-0_fbnc(h0)#v;^`0pBD=l@gS*6u@@9KIBLRreDY;9yXU!2Xt4*Hh?l?pm5) z2OgB(xT?T++GA;O(ORH6c4UJ~@KYzgw>U_SjyDdl7jO^r(#Im$>hyOI9jQL2WUKM* z_!M|a=@I0wzsE51>UiVvy2KXMSIa&_gMZT8SZM##%j_Bb3qwEFUpBfvuvT(Nz7)$x zTKAS8%<)pr*akMH){Se1v6sAZ{F8J%RcB$%1^6k2AH?~cbJ(mw-Zs2dTfmdmuh%fH zS2M2ueG2r|%pvK!+K)k3#3UPeqW`k1)o;Cv*EFBd*rFGqHOFgaUq^gCb3yioPmnK~ z*OV+ut$m*K^4K@mM!BP_=kGE)(`Y2O|F(AJWi*zJv8kzsDn+DM$T#?P2x&K|T=l%4~p`!qkor{dc^Ccoy`@=NHB zgy2~k#p~TV)8i%drCSqAQCBDJD7F%PHTEk1Q@+2Z54r5#Ghy$*?S5YEKXYr@YS-Ou zJ$}f>IlqJ-Q0G%S9Cf$Z^?t!0V;`*i(1WrgB6hsoQ+z3S+<)ll3_8)g%IPsD42$;RP3sgV5nd)(hlQ zaC9NN1KQ2+S4-g&Q=bGIeAyG_o;2Nc>@l}-bfP|Jjv+YIzN<@mdy(vrxrP3!9`#N6 zRId0=Cs${2J>svG^Ei`Td~bYZ6MeO^n?!>H;GTUGmvl4#akzb%bm4Rzd$WWC$xyd` z@}s#}AoWLQ&gdQf`>gwu@HDj6r{z45|c z#f9i_#jsYR!>Z!+*T|=Yd@|(i4(P}Xw6wc!d(S|fPbX7sUg21HVSi_j_JeDW`g-Uj z1)T)xVTbIq33AfvSlMxZZ1%fbnvK0azF#<&{psjR|Ig5)2Cu8Y+qK~D8uX`srdg}I z+e$XZ^q$jqXdW|@JhRB_uN!wnu))3FzoCEff4TT%(GoHE1_$aFG;?IP$z$!v40w?} zCjWefZ{2&Wt%jb)2NX8G`jqqr--L7Qg?$rnptb(B1)fMSH#cL0?9|iNWAUK1HSVU) z)3Uz1G1j+Lnm2=^;`$$Zf1!S>i|o4Z==z($(fh%NY~J_f*MBqgLF?BB4xO=pt)zPt zhl~9}!2UF_YhS*xNh#M|r!{gLhtUUaRF~>ezw>#90`@F4n4wH}TVNet<&?Iku-=}7 z)|@=Zkk`#Ug#Qfr2KI#VdRy(j!anO)@yF`UaOaDYPQ7pv{M>Rg_H>c{3}fq*a9+eC zMd^yoc=`i&|KJ&TCjVE8^0!dWV;@YdW#9e;{j7Rca<;?{(&fuDxB)ND-W+|8rMVP+ zk&R_=_`7klAGg@%5+7z%wxeLXc%&^ymnnVB=gS20+vI~^4edaeW3s(!zPVPmLH!i( zi0p&oMRuQHy@j(QJ_M{sKWxuuT=~($9x%yv4FSuGjLET9$rr^2 znEh~Zo#)1RZx8nk8@um7J$G-+Cw}rMwhy#x_P;-mjT;I*`bcp-cHTa(cYtx7OC6aP zZ5?|xC-Uu=9Bs-c^Fh9^f|s!Q(9708{<#;%8)M*vvkfMWh4jfEq}JAuZs+RdJ#XAB z8BvLh2+Y@8{rNifhUBsQ9g@fFPr}D!{2k0o?3~^DH>_{a*mAxtEL-mJNa)Bdz+v}D zE3WZ8=9cr3yYrCmcHCo(pR?~@qfC&7-TP6}yQ%91aQtoNsLF5sCbnGIdj*p33*KZr&;gEqT6B=7by-d4Y*z=3;@O@@QkVjNiCzJ>7y+P$7R;dPvYWPKEQ zxk&p?E~fCw82rBk8Ns3XnR^$X$nPN9 z8648Nwwm+EuW92HO` z7I2u+{IA2}&&>%F0a+tFs;w(&OYMA}dPHy9TV6~%+V|NtNqWh(skL{JuDRfua~pi6 z(7g7JY5po4$^Jw(uN&HCpUA3SBNtt1)Hg# z_LNWa2F0YwPx=AUK2N>Ev+@YGKJe*q!@F63{u+3*>yg%{@eA;KE}VWnk5fypHU`eY zG1u7tn%hp?ha9|b)b2eKOdfa_ok_0fzwqVchaIQFy7}8(yD#~}f{gM0U$S<8%ctLZ z?LOFl(VEjG!eM(wqQ}u1xRlKI>0;uYd*|8{_)^54Au679XN*1uZG0BG`Yg{ebcyZ? zH}r--TVp0WEL54$*`7wu4e}HXOJ})ra&yvS{Fl9N#vB@ahB}`CZt4H|_;2)G{u6!g z=NofB^A3$(rnLF8-y-uyME}oGUU42cJgfc`nN^^dnmD#oRZu?3PrmZA1$xjNVH$Z{ zdl(A_riX~@wQ@EXi)nS5?5g0|G-vFyL{{pI9e1at^rdj47!l3Ulgw*YG3VQI>*i(U z242MgPrPGsN5s2KbHlLtE?;L2^Hyuyv9=3O)WkQV^9RuZLk7n-PFwqS$G3Yu!ja^6 z&iA?H{JEBeePUb6Yv)Q6)6W_EaA^9Gp0>n+r|?Uz;f$HRTN4L99J*^^FYnKj_R-Ln z7mo9+z$g8Y(A^8K3VGWut$uVN{-?`sMvlD!ZJoxB)H#`o?-qV`<7fP)@ip2rBt^$K z>-M?v)SPwv`Otx1vHrfGXk2$N*I)TiVO%BGe-JX~2%0kAr><}E)4BGNZR#_W+o&hL zpWZ>vSsc233bg8f9c8&a2&kN+Ed{qOPL+HRB`D$VCh zyjS&=qT@^RYp9t^0=5F_&Q{1>?B^XSp}ZgeZ_-LAUy`5uW!~f3B7G>5Z!33^*BHcO zYM!_6qtl3WY>VXklbq@`zVLkW0i_+K?>e8;+U9e6iA#7msq=IBCj1!t-hbEGNwOP4 z{yLn;*}R#K@Db%R{T_-Cza2T^?5f;szVpAkBVz1D0qrrD0j4;u=D-` zeclB9ibiKcqYlr=f~q_Yfx+QW^9$82ydL!F4EdVxgYfJ6fW2h%f>(#b6!JF1|88*T zY`Yw?LF1nxt$6%jWsGvN+ZjuZm)0H>OA`HJ&CSTfs#U=7%z55r@-OHNms*}Va51na zYVs$5VPIbKm|z}!D2jYC=b*<`7qXB27|mnHm+UxTzIR0PYal6L8YcaC-451AqWN`@ zz9Lv&XB|XvsBMRHhr@;QyvFZySMX$bjLkh0kE!a(@z{rKFgOq3F=o;x;xUDsn2bLA zpz+D*(IdT>9+S}he0=Lcn%wB~S4wm)`UM|uJaf>x!FNP4Ryup%%@@qQk@zwfutx09 zt&z9*{;MXdJLA)Pux`(!F_ylJ%*?vxConRNV><` zY$@$s^4}#hM3;F#2KiKvzKvPc7GW$V0 ztk1&wuPS?9Ytx=6KhETk{8oiEGU2oxn*w`vzigjP@WLYIKUeVU?y$ZBwKLE61LUA( z;?MRC5>IF5!x0fG_51Kgs11|?RZv0;QpFtjWX*iOvVM7_Pu4Hs%lFIamyE^~`0P5ar3sC*aO(Qt##j0!hfH_=xYyd`hr{P{$ohQV zyyGd>g@|qBE}sGX^7S5b{c_@|;T4aVcVx@~)v57)^NxOd&gG#JZ15R9r`ONKhcpXY zd^WzTi1A$w4B0W1Oflu?mz50xzg2*i!Tmnn4IG6=u*cskzmcQ!RM5XgzM#%GesAJV zbk9X``YnwU$LHl6*8=BF!25puT{qJA61!$jTe5M)GlDfgF7(0a2&K^%>0#tXAwB9< z#aDrI`2n;>TwgvBzD2T0IFDDcu9MZ9f#$>XdoI7AoOJsN)ypD;vwkT-~>4K$+w{Kba||f zu=U^*>QbC$jy1#Laai0`7>7q0ClGApxY}2J(D8o7V-}ZN$(gq}Ki+>GDUqc_04Jebvwe z6IgTKN~Qz3RVTUY%M0mv@~e+A&g0b>>wkA^!FMX%o8iA?q_a6SHV6GZeDbrZyl6oA z^zKdZ_KUw|iw0wJ6!Y?ozEP$dS>t41OlAFgpqu@YL#9sTuY1?rOzdG*K5%{6YW?Kl5vBCW|^ag;JTmp$0N z(svT?_Y=~^4>{)0+Q)$0m{jh`hofv_LlMwBOs+opS3V%HL5K?>>z;{|6$4b?TVX`0sEp*fiGI zk#XhKe~%o6;SEcoyA~}@EEjJH2RULC zRmR}Qe}^XWKA#*h3Jy1h-uc$uYRh`&n}2T+v5Bf97#kC$vl{Qbt=-zM<t7>p)c-vn`L!bm@sA8** zo>!2^h4C+n8Ts^$jDI0!#Lyt^b?>olsvTldEp3t>Tvtpn-Wk%AC&oVW3}puP1m+ML z<2LxBu8^iN&hs029ls^8P4H(w@JsZ1j{ISxXKml0M-vZU9P<&zFRC*Fe*`}Bb^2um zQxg2tL$A_r!SAk3eV4yyLcBcXgWosvJ$jb%IcTPn@8!^Y^drQ{W49|V9@)H4c$Ck; z;AE)4&nenen&8V6*-&Q8*q8875iN_wUKnT7~ke9CJIUy41b*O;_He1HN$bg9<%ln<;j{~dL zJ8k@}?q8H|(%!wO^0FEBm^@l@vFCi~Y-`TQH8z`*al%^=-y3~d_8aUsBg?46$+D3m zn@;`H{Q-ldH+YEy74UQ{kvQEPO1z29_`pVrKXp!m^$5C*?p1n z#HSKJbegl_Uijk&Tb|5ZR2lLPjEvvCcH_$37gc^K^O@Dl@0sJBzkB+g5^u(u+oCr& zgeoh%^J}MHS6)$B-V1pavyld`Idr<_GVegF zq_4@VPBl%oRyNuRa;W@pO=!-@<{h1n48yy<+<({=F7IOR-N{=A zyyfu2x?av(=z7sh-$(fysuRn&qvYgmTi&&7EBo^{5Z9-A8;F6wJsdrJRkL?;Kl@GY zxzHQyXYSuV2n{1QWG}ZeUXPN#y~R5jq2AB^_D>#Ey7f8C?Y)xk``O=k`}D+vPato$ zFY->-k*||FdbpcR@n7t-Ubi`1)fF8e&Y3wP^8mAda0_ks(rz?lzg_3USy}BZ>juV$ zXty|KVEYd53bK2(j%|rNY-sHyYp1yH20{Hck`(`AH0>ed%~4nYk+NQD0(<{SK{>6TJNtDcX_7;gUa>2 zF}_awO~(&STyxZV@cM-AR`GfxoC&{m_sWJXy;nDU>hi>aul#mV|fY z2sHNFJCje$_)_wTzvB6C?_BlVZJ}9}hkyFf=YG3?-E%Yk{C&^e6pp?Z7%KmLsJ!z1 zp&6C$2~VxO?Ykune|WI8;nSCU2aZQ7<0Fyj@!v*f#y``NX!ulbYXkcx;~T!$(y%Su z-0-`|jQGkgMR#3r=j>f=vl9pY70(~>JH>D1tnyu-tghJg_X{d^op?vZuGwp*@7g)5 za@P;5r|$aof~mVI;+4CWuBqJh-C5Ij{ib@_uBq=W-xZIS?<#*+`L3nQX6%}Fd34tw zE{^W%*>YXiyWSh!RZ$<^RZpK9-u&oupXS-s+|ad!=T`n-*SxgrR{#Al@1OGDx0Y8{ zu3zDu+)CfJ^p=7r@4(jGB@KID9bdPIGbz@`ERC`Dn!YC-wzR{3m}n^6^(f;I=3V1{ zg72%n=;1ZcukN_3^y%h0pKex{cxlxUN0wgItqe`C-28V}H>@VDfpNN*=S7UsX2y8+pS|z7 z|H@d+sJ*`OPoaYi***hnFuJ@uNiPy*1tuMLr6nkC_eXjbi zciQrz&roI8Wb~CUM)f9B5FH~%^`wRiQqr(W8%sH|bz)w3_1{fYUPc7~>PHH4;j-FuODAReCC z)zH35ckVT;YG2)TT{u)({$}#IEsWjf3quXTa~p#3NFMWl=_~QKY$V?8Iqbw{^UnEO zUOE{LWs~j<72+Cl;5E6(>PgxCE{4hM&GF{}=q~i<#Bb4^is!KBMTEI0n)4&ZG`8K) z?Lq3SEy0%354ws$*S0=;u0$WO1;_ej;1$d%?r`d%$b_9Z81=8w-H0sB(S+ zFK`|WJ`Hmojcf|(l{`Mnys=+USH{FE*txrKCqH{VIQS#Ztl7NKJFpL*`_~P8b9)t| zA{bJW!e{G{-?C5jZglWj+eLFKl~bRXV?Llh?ezPl{nO+Ani=?I4r|N&N7jv!Wxk!8 zAKz*-zHUuLcWwsPR1}x@3cgkoy8_NMULN=e#^ib6TzddyN4*t36dx4CM@n>P#(Lr% zCaz8DB24K<|tr@GJJ$#_YL!%K65gtwKy$279E6bpnlbBk-ntx=;Fe_3$O6 z&M^*~`R3KyG0>demCIqb25}msS@$m5ReAka9ffXr`Hs0h{kA^7A^#m8O>YvPU$Ebt4SY#EHcS;X@^IKoKSaNUZ{bek&>8lY7xS9F z1?!ls?8De`t{!+6AIZcxywf*^%o@%3p(#gdQd3Sw@k`ISxbqR&<%5@s|11pbku~d9 z?mzj{rvr73cNFg1$Z)qzEiha7nu!7S%$i8QH~Rf3aTix1gLux4{Z*&g;}?)Uy~3e> zIp$1yx^M1Doe%Ic^_}hAJ_+)xceWD1!9TSHASz^;@<+iM}}5iQd&6 zg40NQ-Dy-@|N{u@0G{A2GxDM z?y1}GBR}wDsIN)SjQ{NRpS%6%9{>56|NNH!{I>sm+<*R+|NLwJ`EUK_6aI6b|J?6C zzvn-{?>`Ut&%g1XKk%Rb&VT-`|NJ}u`IP_M>pw@J&mRAs`O?@I?oX|7ee+W7D_s9V zsU0g^AH%7R6|SF=)Xo*IuO+FwR=EC_roOzw^|>r{_X^kVDXGpCuJ1Eb_pEUJpOw0I zg~P$@RM!fJhdHVHRybT#rS4zh@KK%m$_j^*sj-su+|*ZBINW^WlU}wMKaboN$`<43 zn|~C}Iz0WGP-)inwY|J7>-y^Y*)eNM*7ei%@va5Ytm~ue-`&mSS=T?;xAf|Ytn1r1 zLo)*H%$%g1S!cA94pjxpRGTu^el_<_#{c}zNVfBWlI%k_Rc62Tk*V2ld~#a$k=v$c z?^-ZBdw27kY{#s**;MJg?5DPDe)5J@Tb8{Cz8DXMw%!}6s9b|>x<RpmRmPJpm?_{pFHN>1p{8xUuqVrkKK9UWsyu3H69=A?h5vXs3`c6d3aPTCt85bc0a*4~eP;Dc5?_(|hV9@LeM<#=F4DiU17riFz=774cJg!c z1}CSTEmv%NC;dIb8R;_r9lfz_FL(&nE8o&B{7wYsmu`RXpwUgzNzP8OPw87=-RIKj z(;2Xq;F~%dtY_@|jZ8crPB^u(&K9p~PdJOA&)czeYQc?b8(X81IOs9-VLlCJ zc$bXV{?y<(;}dW|JnK&Gj8YrH^hNaHG5k1%ekg`_Vm)U&?@;h*54UU_)vN#1W8MXm z{cq!!y!`*dIXOwjO>hU-7exnxX(jL$U~*$)&wnpI_s^XLYR-M^@NGTd5l%DMPlkS5 zC(>_5@Q^l8XX}pfe^~3gMKsw0-Rxv-B^dkQX!U4S5XOS-Z0(YXI23-wE3D^QUZHKJ zCE!o<4PMD{9)#f||63COuKC7UkzUa^`Qy#E*{rpno>(q}FW!8c%RZAgCVuO~CvUzj z^v05}PyCki*IJVAWY0b8(m_~sMuaK1$Q#RyPW%?*tO(&!-*fOxkiHC0v+w(R@SdYr z@3q2tZ^EVcbMgGt+U);i{#-oa?E8u1^FPX;p4Js30Xk>xQ2g3%_N@9iV2x1xI)Lm{ zUg1US#O<7=)Er35;FE8kofzweMqNHnX>*AM3Zx|^6BZ`MHUwlspJc*26Jz}WnGjRj zB4kG(&GMn`yJ$QHzU9*kj#2nrvf+$-nI_Wp{}R~{IM2!9&8~5uc_!#&XAQJ)W`bl^ zE%U0Ekr9PD>{w}@mH>wjL(3`6pBTTdnfadmp5&c*d6kU|Jj)reMe^Rw1J%}AHD&yDc^Bqrz+l1D`%zul^ zK6ps~yW5z@)!Fj()Bo=5h_}>he%;Q#DLzZX z^46JWg$N$oH-AsZzd&ElCQHxR*C3z1MPJX{M;Ru5+MWsG#v^0o+8ncMSJoOdH9XCqi5m!tiDN) z)3*86i997OyZPrK{2T?}pX_+ot{dNCU&BlIrxXwRKiuX&**4#<|1*I+^N@LVj`4Rr zuKgr^iIOgwkMbTqdFOLG$eTp3IU8&{G7lUa2)5Nn9+j&Jg+}hdhZ@EA<9%_%sO@`= z@m+X+-OAJB=g~RA;V;%s$R`*y77ixCB43j5Ej+q*`EPux8T4Z@&A2{jz0Tc{u05Rc zdl3treqQSv%$u|)wf2jj8)eN3y<63rVGp|eT(4n&sL!s=;JTP=H|e(<^ewt}_nLM^ zv$jpefj>o?gY;W%#=iJRqe)=UYYX~Qz_0M5{3jT^vHD`Nz>sp|X-Hd(hwCb)H{v+XQ^M#3?2L6lZ z8m4jX7wr)IA)YaG6U3#Xzn6Vq8*+GGg-?I$MJK?a_L$dlwnbh}_Tz7N6Z-(_fBf~huQE(@*HFppf+sQiR*J)4pN!DYBzN$E5`Xpb)yeZ;~ zc_XXY=as@1?WEuT5T19qfqki?WvjcQU;M(T)0xAZNg`g+9D9xSHE>=S=jokH5sy6A zuV)y4AZLYCy~@4{)w`Mhb^KR<>w!mj#W&Ks^ozHG%kW4a^aq~OI%}v6JSu+YRmMVa zxONru?b^;@<6e%;Rej>;9gKzY3if<{c-!R{-)HcLJj2<|I`0XZk4rCK%6Qxgj+LhI zeF9n%-H1nS=KTx2$7si`FO05l<-Sp^G01-#GXB;i`MjBl1EOc;Ev9Q|-|(u&B+7dV zIH8-9b3E(~XhL#UeDro`Vlw)gY_EPbbw`m6k_YlHe2@N%w|l@-lJv0m?EETq?+PVdwm1Hd2{1zSS&2b`h@JvB}nX;!bdN;ahV*olGs`;=nuY(t_!rMS6OcICeLC~T!~Svc)Na4L z`XPGCAUA?|i()$m@fKr^G0OgI;jNsf#&w728~a*yYzF@FIf(;XfVG^mTSNo!6#vJb zVVu+_ovS2$&A#|_O$2?d^B}(Ph0%7StLOISq&vx1{u1N0rD0TMqMNsjZl)d8FM8y{ z%ze`P$hIS)FQDi7=Jfoy&f50zC)uFywd3RaU#Fbv5}aq+ZIhj8`0qFeLhHHyoe${d zz2Cj>=jHW@p6~qT{-3|=`mg-_HvVs({@qhuKgpi@3x4-s^p~gh{>4vEExrEVpZbem z|K!vS_x>`zc~;y7~`4dta!ci?#Nyd;j*?XYXtO$wN!Cho5aA z?Ngzt)JhYnrY$pCB4vdxR4}D(6|9_5rQQD2uZaHm6 z|Mr=OH1~FAeMGa*KFfJ{&wA}Ye)i2f?A_ThU*3zKoZQhn^pjtY3+BDxXHqYH&L3SdW;=pI)Mp#Rz=}-dj{R_; zp1GplJ>K;#0eyQPzI`+(Gc^Xm|H>Dflgy#~?W{$IcqV5T+R=Pd`^u4f6J+pYXRlUM zR<_xGzaHX-t}k`+J|N*#(@;$U$%k6KlvZtTV`p+#?`7$8{gsjqH~p4 z+pfY+e4tHq22OP*<}D8v)&g9aoLOf(v{!upCim!`-V|al#>9Jc$2;a9vGEaFw7Qedy%g!IT13qSkvl|Bqyq5iV;5cyx=+hlcX?{cce(#IftGf*eKA-4H>OY1r6 z8o<^VWG}h;?{GKxJbny6uVB=E(0o2{bhdm+V#o9O==0g~#n_va&j()4mM_QJK|UY- zJX^jDYYO>%;KJoo9|plw8$9jOlKB3jckEpIea3y5*p|Je-WAHH_;lrQ`_t9$M3ucW zuzQcrC7OfJ%s*QI+S=3ciP4LpYbWD8=vsU8Zt>S+hkQF$>Bjfzp9$>JMeEQq`}S9& zH(R0e7U*5EH9s`;ALN(a)VY{7A^Db0Vs|-s1Y-<3J1hLtE&Lha@2=DRF+Tjzmd+^; zmeXE-)mP(HkF-xM><@}TBf`^haCBL7I2{dpS2$cLE-r|#KIYTf*WuuE=d^jyh42Ng zs@ylVm4FV;R#y`H+U^l?u-n)+Y-$60u-s8U?ybg~JJM~=2ev-!1ay&yy}jg|u;;L+ zCxbl(y-Wss5=Al6$nZSGd@pHy2r_ zIqWZeT`AdUW%XRvoUN{W26?>-IBcxE=-tZfS3iUm$%~ z340<-d*1A@ce_b%ArcA3% z>%*qI4jKxk<=D@d^S=w{?tRF#r~Mw{TT44BXy?DDE%A4-t(5jM($?o%?Aaf(1s-pI=$4q;-@33d9Xgnvj=l0?Gd=1SAUdHg@95zdkZWgg- z{8(Vmo5n5Zs|m(}#=!m9|AzE+&U48+W*NIcIFh}XY1Mw;0oEb zV+o~pV&H5=rGx0KUn0YwdZF5dqld}o=Y|ddrW7d z&db|mhQ6_zHiWUM{JgL6RC+p{d~xx==O1rzG%L$^gccdXq&o3=flZ>967 zZyxs5#CjI`u;}b~Yago36#6at%+53F>64vPhYdnqK^ufUgN;W!`c~vRo?bD~acIS0 z$H5gt9sMhYH?c1$JR`gDbE&3VzA`PF>v)FmKjQn}^Zkb_#Frbwv$Aa!Gx_%870KW3 zY|3@~lsrEn&tdXByCV5dJDWDVzO!lLt2>+8PVHo;$M z+E8&<)5fy9n%cs5H4Q(G%uv3^L+Run-eb#b;yxKumi?xB9^+n4p2;uW)3o7_?`hij zxqF)0K64Lck%jucDeUKGPr1n-viZM4{(H&)W%BR1r>PtnS1gwn2iHB3OXD50&Uv2E z|Kd4HuRAOD-0~=TWG?%z=6>^#E3Ci`wPdahs_3NGD;WzTw2JLu_s zl1JTpWJ^mHT6kjU?}_%6<-sJn+S*rV)|J9w59W zO1!ElyehtXBT{D0xgT!x#-i9uudsJfzNXi)B~F7&;YmEKG`;6;*E)v({^`Q|@br0I zxvk8z{dJPuCcf>NWpvc-U*Z1G+gab!^V7`b@8`LdwHiG)u^zxvd7UpacOPqbtPe!L zw{vYf_fJ>T9O+9QEJr*U#N@lh*%bTYvO(J0|Z#t8F87*V)_1?DX4c zoxBZfx^=%==IuM)2Ck5;U9I8ty~wbO2E6p~$a(RGP~yQ8e_5vcTGI94@jlKoSkqpa zzQ3a+-Lu~O+dU;ctFQ-#iKE)WJa{wn z$>Am8p5uFN=y~m0%H3GeqcI#_QrhrCzf z)7evR(v<%w=f0}mqcg7Q8ECsOpRTlA-Qu*{!(M+3{ouoP1iVHPF`5#Mn{3 z57Ook_3s4U7ySByHd3;lvAesq=LPnix%|qjx`O#)OQ;jv6JrKG=A>K5V{Iqfm)M2s z-{N!_K6dBgq%Oc-^Ko8}e_~*sqmPOHiNs=`wy3{0Ih(enJ8iwmI^er;t?t~YQv2?^ z@R3@?Sb%R=uj4y?%hcLBbCgjzk9unpv+{hGiBa#;wVYvAC?Djz?i$Vct^P{XOzej# z!+M|iDcGj>&a?L;_KvgnBXPdpk4frGo_FqkB$@Z*`{9=l_G80>LO(p_Lk4!}r5N@E zXA*0UCR`aA1-|lQz&WiNgJ9VSZB)~S@Tl>DHj3*``u@7f>P|7Q$=4kyKcW8Fe*HfE z1aY3iUOOAy8GOL`y8W`jdb?-%^-hBKKHo<-8O%BSboqKG!TA7wy5UU?*8X17VC?VX zA3_Fgiljw$Kb2cB-Kz3J(u zMXR4~s=MLore@k|nHI{%K1uop(mz7_CzM`7dL%pikE_RG+xWJHZ?`?&w2Hc#sjG#$ zV^@>j{B+ZC%SI`}lTV#ZFM%+#q`1p4~JTd%L>#UDNQZ zUhg$3mTo*;J@QL@5(C5@={}W#*6Hw?&S0J6>vlV@7EFC>ptalKts(jC-T5bh@2mNa ztuny4PWpWn-?#F;u4K~hnQM{Tdo<7R?SB4W5wYttqJ6E=Sea|>|HKWP`GtL%|AtJ> z+wSy_xWDxN9dpu`*Kr;SzJnqDzre41$F%ffbbA|e+6k@ECTV6^(a@ZI#6x(zO3TJNy9$gT8o;l6nq1K(G{x1-R9!^aSLUf|c=Qk8C_ zj&J#SgE%n#Z=wG#@9ueN(|_`t{`+Mn^gmGqL#{LrL++}gZ+)TxAHL#m8PS0K7W@6l zVSf?0j;Rmf^U`h9^)1T$J$Aq`zfJW;eTc0n^ugrc_)gmo%9wso?nUU;l~bA2?|F^C zCM|W>+U$-$>uc&rzdw6-|NF9c{pn5F)bY-y_TO|irS7^hJF=-f{hLkE^p2CAO&$Nx z*|g*S8?rn9b7#{n$hwio%hPxNxU=bT-hcCWG=1XIma)4AI-5SJZ^z2h5B#*V>96$d zSTz0R7do5%74NAdolO~~Eh$eQhwj>c(b?2(@=QrLU|;U&?`+y_zDLs?KkRJU!~2PU zoIMtY?|<|7l=RhqTAKZqzHge6{Wmp5kxZ{%w; z+27fc_5O5LHdUR-p1`*gx@UUU$oga9^vK7W$7Z&FWrgH@Bt0YReQjD+J|m-Fj)l-U zk#q^)TKU!2R-}(Fq0AF=#zN(#*;>+$<0D$6r~FN`BH5VUc? zHD=PtE1jYDOiUKC_Fp; zG;%?zol&9nj)#A7a7OwNykc!*$IIA_H(EI{G-r)(9~b!aC^A|$sH@AJIX=kT z>KFKLe|WGg{rC7Lf7DXR9Ih@s1T2!#vI(lE5`TgXJ51UjbEToy#8{c;64W=$9DW$v zd0?nEeU$IVfLC#u!^UpcSya{Lp3-Ni16#In;7|;CUT5G?Uv@B$8Q4>k9wOcGn86ci zEy%VZo-Ta{^PPc?cb=J-v=-#%5Kou)bc@HkoiE_~iRX~x18wg}4|YY2EKOlo4*X^7 z*kJ4V>7f8T=PHxKp3IjCz;&)N3GB*znE-r}V+J1Z))tUU_{P$M!0Gy-ImG}lwjj5M z_;yA*@^6Um6VmI>10UsQ=2tp$a){@I{6q88EkPI#%}WoFcGQPMw5PE$Fn3fN`F7NA zbHcaQIq5d!*HOQI_ibR$-1HE29i>jS>(Vu+8fdFB@bC2H?}Tr4j6Zel^yRPnR*diN zHtzn6ymM4ACh^O6cl^QV?hfugrys7L=PJ{O&6+O*tZ%1GOnyt(4mf!`W#n_um!aQp zr;OGL^JT#A+bNTn5-0->U731pIP~;HUp8~nqw5R4rB|@g`Yx;gAC;WdXHWuDke z=IPHtoqvcn;^W9S{9fnu`vv`4THiaGr0t^h;zfd~z5vsNGJM;~-E772Id4^_D!!wZ!>bCS+|t$QTu$j zeX-bIG4_TO`$D%97u-fXY!I)z8T-Zmx`5Zb zuNgT4OmCm=s7H5}IiI)gp_JeB^V{V&wRWET&h9;jFERg)E$-eo&p59u$9<%Ee<}Jm zw`ZoIq0#HSv1M1|8%19ZujGlnyH`)RluR?W<(ySx1I*D>-j=oNEH&Qzk?w@IPV*Oi(;AHRm)iPO zcjl_I*WHKRtGZpiDzBI`l~djQO}6f4<``$dj*rsRzv3MAU+Ke+Pt3J3q5j|V*1Z9I z;?3jqy=&0J2K9_j^hE3I^hjM<&rrpAU$klcpar`khadE1`QG@Zad0{&hd;~uL9IM_ z?Me@s3O$j}BcJM2yv1wyH{}oQJ`_2kHCv^7*d_nHFg!O241Mxv1=>4T`vZrT1H0co z>-?JA>whRTziSvy|*?a65ijH^t@aj8j#Rf;B>p{OBlU`%fk3;{XOT97qWQV|a zEoDaEW9uJS;*A;F#V_mON3-LuHSqZp*5O8%B4exVeR~t>-i~D-cO4nJr(RdbQGc9k zym=%2bG&tfOXLT*DBn-T4CuehAM~3gW}m&S1aShUtw34Vmf%!-%`?4q8q>+@#y(+R z7QRHrrog|pA4%c>RClm!aoroHdFwP@lhvJKz4dH$Ykkzf9VlB|cROcqYP=1ue43sY zviFC$`w%m-o6jRpogG7$o+BPbzUIN2iRm%YtqnVyd5_MwlU(xSU9qQgK99*ZiK1(x zSJ!ui8fdfi_YI%qphvwE`xO^|B>6u8j7ke5$CcJc9E#(aXA~QWJeU+eb1i;MeQj4E zH+}jc24(1X*N$D{+eV&zVCX4#_hOr8c~(BKXBK#uy@sD^JNG%x$7izPKaa2b3FS2Q z#z!_j-uOfRzjT+WOZw(>R^J5c694Zd7W)AC9Zc$vXzXl#NY3>80Q>`WP5C}#uzQCd zzjiEG&W*2VvU@uITpy)!)&3Vajf1LmZLo*ZlrUkPkq;Y+cR?wjB?Yw%~O zD?^;6kwHap=ZGsYa0ki-;U3`3dIxt3TX+K8GbV={`*%{fS%aSx?mpJw2hLJgu4Hn! zV=Z*f; zw|V3XY++4Wwyd>dZA`$|-yEM;Q|@g`u}|<}-nr{?->a0hzTlb2nX!zia~G3!Ohf z7i&!>sGCj99x`pf$RxYA=Vat$^`-87oAp6kZk_5}^?7#`>iYqDYZUo;8eIKqk%hk) z-dBOutm7K_qcb|KZ*vg4)7ldD|G=JQ=|TGBzURsk* zXLC0CiJfa@C#CLQkp1$b^GRPxdTUm;U3mM!rqtc%k-jkd;*P7c$8V*bcwf^M_@loZ zc}Mp66XCJ;W2q)r*T=B~BX>|{N;rG>45hEk9$V9zE&1xfrqV8@mt^n0E|NV)UBiA| zvMKNGD9w65I@r{?)f;PHnra$&XChnH@zoV&hYvPIx~65rKjV4mV3X|5IgcJ}iq-CD z@^&3;InbFk@?9baBi`kjMKw{+aS zqU7;|O+ENIj&Hgw9qF2xwZ6v7(#8+@cw^f8MykpBCmYi^WxtK(qP@SbbOO6JYU zE~bqkaQPVH`$?mN?Rv?qL({YSNo(sW%}(j~%8F3O{VRs?ktH80F>6G`gESt87Gn6G z7vX!Z!}mN)Js046UV;z$k{{og^`?|&V|U$GC*E`vKQ$6SXuf)J@NHUX$@tU=pEnj#U|erVjIG&6Gqds zt_x=`AQBh+NS?YqGtVX_!#$clK$ly{K=|g3Fpwx3mII?nm^O$HNN37uhv4$PHO0x!zO`)`b0e|lf=)v^oanIr#-|++2a_%6sLQF-vpYw}N z+mDCRPtOf!OK4ARAF7CC!_Z9MgQeLB^wS?tHF?le2s#`7Sz@dQ+;jFpc2OyPfj*wO zmHMC|>w8|F9)Wh$Zj#@~vE}JDp1rJ(iFSsevExfFOE;IZwn)0@!ot{?PB{PbvBvb@ zzq2I!0`ZnF5_h?(minPHjYSSV{sF$d{Nf6vRdjw{ZPMa6aGKKd4Qv|av|b@YAsE$V2!>@DlaeDE#m zsB3)7I#TQ2qK?R=Z&^ojZJ~~rr869Uo%|iTggUB_zgB11`HjvSw(FIH%%wHQ&3}&& zcf&a3{}0t8pD)kFHDN&lp&b;(s)10dgHdS4Duu1%uC~e8! zw7NMvZ{ESC@N>-ik+HL`3z5E(bY$$$`kSU4Q+f&Mk?c*ZWv|}CIyLLrv#*d$DmC&t z1V2e$zj94;wih0lJHyKBuU#85vj3H9TC-(C{Y@_;OT?RBgVzRp*?$t*|L_hk-A-Ni zz<+7#^3FThG;mEKYxv>{_Az%{Gq&!APIJyw=||_XaOp4sZNx`ZDwR{-)t8uNix~B9smPuD|I=VPxTt`kP7)_c!%_ z1wP*1-*mj~>akD<^{@^TUq7gKWTWKlhxCqI{IH(LM9E#r%a54+Q__;bA2s>eUx(~XnEX?WOl~%1rlg&0 zzVyfqS;^uSQ#NX4DDqD7xYg7VO-uirKz2$F8$E^Gl>EJhbjjK!%`MqEH+xprUD-VL z-m9ClU;CJs{nM@C>^It2vzt+pUG$%?&ZeeBvUednW6;e`#-s$=G4c$W`cX?bTM8YO zK}S=dgG+B(nZ5i2t=T&0LNf5@*MN6u;NX8L&CU{SF`i~D8OOdd@Wwb^SdHv{2Xd0} zJp^t;j6;NRy;$)KjBUMS8{={baUo&GM)Iwlb>iUoXl$NaTax|d2P0X@x3)+qyP?vK zOR5oF2M?TBa&cN^MSF_7FtoXE%NRMBd5;_&0wjEVj`sLRp+ zAoMTVH{-tP;|bqTnht<=`0@I5smT{lA19{g5IWQ2e}9F)eoB0g(O*lJq)!}MobKNNE%E*MrX@CZXUPTW z;h$Y?bl35#t{xMAiLQS*JCe=w*>o>Io*rwK&UO*c$Yv2Qi8sW5)^52mD_$@>059fw z0A3W&i3h}s#-3q4U3_t^(%?(UK7%Xl74e<1Pq0VA=*$1c-kZnAS)F;lZ&gWlNivHq zc_)-)8IWa?uy|8~+hxmu!6d{+9SG?}CCh1K#556*h5(66mXipaOc0O_((RJ%bR?zK zGjp*gR?>GY+ss@NdI>k%+@5=flI$chO1k4km_B| zdzR-s`+3fDcFy&T4lsf)V#a(IYwqYWnq!Swx{9I6uTS@5m!byVpN@r$t|Fae$3^H& z;8{B~m1J%!;jugC78yD`3U3;mR@7hln2i;B1>9OZdtLwFU%dBfh&9emDv)tOHkG0av8ETsE`5{{(oKpr4~(=bgrT#XGv1_!X{=LVvyJ zA19cjpMy7B_;wM`PcT1;;!uB*>z{v}xq?@`0!~%y9rM-Buc65;tl>gSj(&{J!5oTL z+zp;-E)&y3{abv!L;jtg!y|+74~l*8F6vkvD(^6{58=5Tt0NOTOw7Y8zeaC8zZm-*|GXA^L~2Q#joyI{ZXz@JQ6jrP@~|?WyC*xMDM|+KQ-SKcU3(W={N0M zF|A8=zrs9M6aUab{KF`1aNbVWWq%Rs{}gc$SG9-x|CBh0nCgLEr5XaD7vcA7| z8+?m6h>n?S`#(Y~MB*zK6Z^2Pzv;1={p}@j<}TFL+;ySVx6xByVICH%Z|JFsFI;43 zs_C%{`bW`a?U+5&mniWMuiRDw|06zv_=dRpcNcqNW)>S+5h9jO`my%pymAG$;RQuL z4T~@deg7@0JJ%4ZJI_UeW*LhwSg!@bAe+ZrRw6D($;@6SwxF22gYs4Y^6>$h( zCk{b=P~nM1%mepN99TL28}{M0 zANb=t`nwNLuvq*^e*Q)eo^Bi^2?d^NXmHry;(Qv2)`tI%&q^$g`2-YyDJK` zTZxbKeC;Z>QEgWZD%K|3b^;puP1>GYpzXMPqk%Ezk2%wJQt>X?wv(P`_H$|uD%r;# zq^TpKw~j1LX%CNyQ|PE>y*RtSCz!`zMElDaXI15Vza8e6HL5syyv_5$*e2W*zUGjXa1SbC~Bt^`%|w{JK=$SP>WJgBRvll%7ckTj$@yNfUBNn%#5b7s#9y}%2SxnpRP9yD*Qv2Ezr)n)#-eA~ z^|j_X-@E6B!d`24-hQPW(8SKp6s!(9XhnDb!dM^=1*^(9+=+(|Bg7r+ztr;+mq85AP+7~f%-oKE=A4WGnE?(zVU z+tlXCSWG?&m&YQuGjvjCC7inTW^z~D#QF7Mlj|>tHyXp%K)x5d_dK`!A7W4Ez5krc ztJROiU(4ce;k+}s`9s+c@_WmvaPVK=yg&Il75s<8*WUB^f4*tIvpjL!_8*z~U;X?>lXD9Gp<|f-pV!_D&RM-6H-_mq?(6TY zi;S|imCr+RX*Z{@8C~SxD*p@iy)ggFf4bL2Z@TW7!|NNDiW)J1IyIWR??^na~>bjLLHzuCnrkzS{Ea*-+jE)v2=DKa(a0`KeoPq2C+HhvdtL z`iPMy6GwGESlHx~$;zw2)uExm>y9%HwR@DariYRe@ z@%YL5JY8rHbNl?V+`hjH-Pg^Pn{1 z+#0Od>#9lN*?m>wC{sYfkFXwL$^Bj`Y59Z&B~ryNaQmX_WKv`=~wNCr$rON2Y_v z)1dugXuqg$ocYqe_6)ozBY3$pB`b;R%D{_vN5Cibg*Gb{vG758Z0#k@;KwNLVyOuaULgyM=_y(#ueDwmALV(YcB z^l3kznWe=A)T_M~_MPHpwNLUZnR;zJob`j){-(=pK8b9-{vI{ryt4gOT*W-&JkqjIFnlv*Ar#Z>GOCcSi!-GF$IF>Q&sReHZiQk2aB8{7ad770aQ$ z_}SRf1o-)Dt2gl!@M+ekv@jplhmN$(x-T=N| z58kiG_JAH7kE$1+|NYa$An|uWdI#sBB@5Td^ssi``RPG>sSD9V zlK9VTy_4yooqg2jqlYB>sFhzOpB@I`2ibZj)5Br*PoIw-2H^{Z=)ogKFI(?qdI%8% zdOmvahyyJ|4{>7ivh_};hqc6io{t{zK^3G2#pY$}olFmk{XBr&bajh+Xg(9AM4he03+`4~6O;%;67{>pl#BIKZ0S`Re|+z$5lu^Skqi z;eZYj$ea9@bnl;_GhKde;!Bfs@1y^}jyeQB?`gI?`*+b%*YD1o6v|}vbXm09Q)}&(9T^XUs+jp>~8Ov_UDwM z>*kl;#~GFAY_)0&o3Y{n&STIw&bQ@ql`$9lgSolYFOT?AeW&s+k2m-B40aGw#P!USn`6c@ zC|#TH(P7MeockVh7h8sU(Wil({|$K%d^<9ksawx%%xs!+g=`^{S2u7bsj-FVgN2Fv z&Dugv-#GWk`i!m-oDbEvm9s&AZq{#d^JuS`!k*bWD?5KWa|eGK=j1Urx3+I~db#Wy zkNHd1qJzJuJu}~50EeEM<$WAJGzl*jmuKshU6_v#mEhhad{}k8!H2{O;&H%#`5N2j^x%y6~E zcgtEd-;|k0Y;bgCa`VW0qtDK6vhRbrUM(*deX+I>VQm2%7~#C}623X{-jZkK8?Tw^ z4YXWyJ?E1Ui^p%Y*z0P!rg%KxKHj2rL(VUCG-Z7?*JDqu$FB0v5bUsaS8(nZX>EiY z&58pLo|B}pM{kM`;9p;6Xbu=VpNsSRKk%+%b7s8ysWan^on3F?`r7RgY~mv8_qaIz zaqV$bJ)(_RC^9O0P3KxwT;1_ZhK_g#ugTDnfunua7rg+QhjxThgZL2Fm#!rJUMq}6a%5$9qU)oq7I9pR? zMzr2x;1udTQ!f934=Zp+w4*WF@n!SC>c0Da+b{72bKh+56Wn)#8!gaU@51t2-k|pPbfaq35~QP5}RQQ2P8ddG=BA8U+4H~v}_ zG$Xth-KIK}n^$<7>x*zXsy%SflR?a0uat0T%UwMKS%594!K8?Rxl#-}eoSO=Xm?*o<9$ z*Zom@pVZj6w|&Z;+hOEU5%Ce)A8gxEoVtZUitlzaXF8`)T(PZe$!c zGv1pRm&SWzFXJ>cJMu1gD|ScPpQGd4>ss@ym?YUi>SHBquqnUqX8iuO>^BEn*@*7? zIM=ow?bVj=#`;P4wpPzo=Z}4S=x)|ptk)%f--Pe;OX(eL4C!5U7Jqa;&kKy5+$rNd z`sKb;zv!7Q{C*o;4$?`On2mkF@^5+W+Rb?nO)kDNxp{xycY@>Mw`bv)@#pz|y*|q4 zuYFFXE3AKKwjS|Ut@|5Y;d_s5uJls(1@(nW=={h(JhoXn!y?`}-g7>kq3Eh?{e^S} z&(|5;IfT)_e{6FNbys-NU6M&ja8~n?44ez)&J^Ui)hnma7ovY>>zYGdKc*h(4oUQc zsF$ld44b`Rb{^Br^^mVGq~RGYe5YsgN}&5QpEmkJg|9Cdot1a$A9WxXmGoA$X-2f10yn z)aG+MbA52_2kAigz8<~H;hTkvJrl;2$4>`uENol!F6FE`^c;r|(Uz7mWbf#mS3mYl z6#t}bjo|`ORKeDY&u} zT-lCZ2i$yIDK)tAPH-iN3zDN-*CjWX&i0@cVy*6Z>vRZr1+i;F!cm zg1(K?0`GJEBzB!+EBS2l>&fsU--q;HX!E>zS&o*xbOt=!gAaEMTr~Q~-Y~R19iB6d z9MQ$-u0`l@e(WOex{rm;+*AUqRL2jlOL5=*YWSr?^%VyXMJiUMB2St1Xyz`1lh?85 zvJ*J;T<-0EPI2J%4F})VY;kjA9&X+lvA9_q%7v3~bKj=q<|TR0HTOlto>ud`hBjWm z&FfX4Dt!FZx`FOBrxrhpyY`^7YQ61PWT8FBtO`EV903nz_D*cSm_I8I(&SVzxDX-U z&e!Wwix~G_U{p={W?OEMXKFix&w3xRXH%r9JBoiHYU0iYS4U6A$Ao)nV)I8{EgduU zb3fEUz6>AtQuQ`Q+0d4M4W9NHob}h`$f48a=;@hz*Y>8G?HKiIeNc8?(B5-a0Xn|g zO6`SL`(@Q<<&ge%$A?yFtm^-gP&qMiu|9GawVjPTX8AVx8}z=t!q%aDBf1X(d)1i? zt{3s#trra{R|EHJ{qN%b{bA-(-zndS?5ryME-L5NT|J)f0Y~&qIK3mpTC8$9=-&S} zO?-dw+hJ%>byo7cC(^KL+xF?Vx$iln@#gT`;!l2*dMa5n((|=`-^me@Q_nh|52eWu zqH-a8l&Ux3?tM6>StGLbXJH%npEdb)vwth6?k#Q|jpu3bNA=ouEqiU|*o@iEoz7x2 zeL#Ov**N#XF^7G8Ns`CG_9a%USoIZ*GtHWidDdKnJz()z>qI-@4Z?NJanN2NN5ryY zpC@PaXYBjoh=IM4@2Wq8-|7?e;BY9xyCJ?C<~xUjgK9faM(qxF*!SJwpT?3h`O`i$ zmfxn{4H6SQ(k)$1Lp3yc#;q`dX9BZHAxwxnL|mFV5us zhEI)q1pzvtgSS@s$E@!@Qnf{of;MZYsJ>+ty)^JHM?+m^xu-H)AR zzW`&_^$+rNnlNM9+6Zj&o~zyG$@e?V^P#}pD^A(Woj=dX*QvY1*4@+b{xP#I%DK#H ztB14F4F3D~;&&g%w*DZ0@8T~XH{3ZKadgZK9WdvPZzQpe94@Be?P|l&l)(#opFnQq zeCyMsbQIyJloI!LJ*PhD{cSiwu?QG7@Q-1lU3Y6dXr^(H- zeS(nV0PH}Mb!RTfd?lx{JcpdaNoAZ$W#5;KkoOuB| zrzsq&wYI#@7Ch2JdllP%9XSb|HdGb8?HavPA5!3mZ}-*eo_M^9mS4Z``x`>uff{1V zs=TPFNAKdYPmKLsZpsp4PT7PhyCJWv{BXgtvcp>P$_yGj$;Pf_V*zcSZQR*(?1oEv z-?;s4*b0|oD@-@B?eclB@YN;!lZ{^`ndy&7@$FI8)1$nr2nEgptylgLJMOsl1VHb@ zfoCb`NOPm}Z(KQ#XYLF!U|-u^t#fQ<_w9+qjINU8eK#>Kd+N!R8K_J3>@Ykh_iV{D zzIXN4)>Dqmv3|Kq=0ULq!S8~((o2oO*?Nd zobU1Zz?x&Qu07OM#G01$4b8o^AwJAJd-$-ZvUAqW+7)tC_5`L=0ZZ zKkM*HzAcAW^4$s!!mSbD?{Mou`tImmIOB2xCn+;jZE@1YfFfI$=`0r$|LVU}oeu8{ zou#9BD>TNUoOM2(>9>ioypJ*63cTKnU03AK&lG#KBGH$?6SK$R{z-IXed8@UGm?FQ z8tWY9NqrSel!vN;*c*896KD9=onIyUkQkZ$!c+O=Ro>%XwxT=tq`N)@{m36}`EVTl zWqu@tZ^J%!vPR|HGu5MS^v(Y0`;w_t3jV%E^+B$5% z6pLr+Q}yQN%1h!ekX*JjD&B2<&x7!c-1r~G{AJ_!4zuQI)?a8h0bkHLQ&nds8uI-L z4tE`GU7nA_qSwG$q}F3|b3$34`uqalJwGRi`*y6%Uk;y;%v?M#TW)gwcK*?u@Rybo z7pilpvU?hW`@GI;Pe&HNG+Q_VO&#!YOmMX{rE|P(&QtmH=W{H_#JbMJAODd0jQ|kdZ6M`RT7&EP^L%?buE3>T_4jm zb*fKi`5oG8b#B>k`hJ*uryFt}19``EW|iu-W03tdR3E~g(OE(E*`RDIp4lcJ=9EY6$9V7eNADn zKm8!j?mxVG_};^-kF_3N-4qUUmLxec$onxwj*nq-fE;^7&x?4@c`Qro$J0;o?(@7O zCrAr91)9hsv4uPcRqgNVU-Y?K``f8w$A#qUXeX!D=QeR)#692sZ0-1>P(yzeIU+jw zZU^7BoA2IB8PDWyk-R&>-oX*}eJtVJlv4PUr!`k(_i@$`MC;;>&3^oe_Hf_Ce6&Qo z6;HGG@~hLmllSwxc66d)f%_Kv+*+61Tqu6vcwnu=@&v1MIUUdGRSu4?{(55W8glJb z{m+SpS8t2=z6#Cj_bl}HhLLSLqvI0f!h*hi+D}jZ$vdYj*WQBBuU2!G0qYJ9=dDjc zF`$ZPFUM!^`!cWtg^zk}%T(mP#|9lbDw*ZWN$$lL7Qz=SzsAlmxW16MD?i=|T6`56 zYGVKYu>VfDTgmgLMWu%3js>14h`)UWJc$=y-@i_0Mv$}Odd`VR?`mi6+gA@i)lUAR zb^XU4XAJt;^Q~2UE61WzkAOF&g{Xe~NaCQ2AzIm{Hb^0^c z_YXI>uReAc-+%sw{#WSF&E%5%S!?_1U*6l!IX;nbooTU_91cI3zP^8WDLGx9BJTnD z8?OHpc@O3ea_&#KKYdYs{|MhYzR59I+uIv*u)Su)hi(#(y?B2m97PN^ZUy{1@G*jIPfs^XqGjUa2z^onEQ+ek=3K z@u3&hYX6D$plRNuW6Bngp71TL<7W1S%pcv8ziui15KnHVY>qzTjmPO?8J(xT=Da#XP#@78Jij(uht|QA3w>EYFEDXyzFtss(fnO$ z<#u*wL@x9gx0T25UxqA>A^Y{akXVIlbM=GxwcfJ*z-b5^cQQ(ROmc7teZ|fLsnT_NL-C9DXY(%XJ@~&?-Xy;bX8WCcvpGLzJec6@dmdaV@-&-3g*$wkK5;m z&zF1qeMUE+J*Vpr(q5YTQ~tg==|Z|!AEh6N)-3C13X8a0UAW zZT*7DuwOnDs@OGDX28s82DkVl=cg3xiZG zJcBk}*_`^9Oi}+5AI5?2a_X-M)PDuE3C|jq{$t>_pf5tMX!Rw%Sp14J^8Dv|rn6tp zL_{MNCK+0uj~s!ItIXhKz?|!$$iiCl4fo=UdKLyx^(^JrU2t60{*P2Mh zs5ui2eC$U4pMge%qeINI;G+H>lD{84+Lb>;eh10q*C{JKG%Itp2WlZQ+4A;;#t5DT z<#NvZMZhv5nQiSVtz{jA7UvrIVCTfh2g+zZHU5Owc>L>0_+PEFRpg(yV|DYIUq@VP zJ=Ae}s(OsxoULcr=-bNqWBWPOK~5gOE%m8e`T^e@V=j;L&XrR;(hrZLC%$rQ-S|(? zC4Y)8`LpW7tABaL;njP~uj@Y+JG{E5BmB}S;Mf;gF!on--`)SI1=sgS+COz&$2Ehi zr?-Flx{KRCbKPgw)%X8o;hg?s-%hUXm_zQ^`ilNflcRPN9U}di8~caR8IH}J-QO{X z+_kY;yyM&{XhyoiF>{^*j@0*$qD!2ho^JFV$?$#j^?IW_2tKjC>pvInuSAEaLWfv{{_xiw zmyYR7tfF>u#R8i+I#F`k_5C{-OUJBw#)dxhAJA={L!bF(`|2e57LV<2U%lf(s}Fr< z9s1B-^r5e#4}Bw`4}FPmp7r%1^rU0xR7M|S4vjv9e)UWAs}uMC2Ko@+8vTS{s}Iea zqz|29%o+!N7n4iA1AS;Gvf@+Bc?wvFhpvY{JZzC6aKh$bv3Qb1hZ0Y@IZwVyzAes) zC-8mS(2CkhLs#ZEV%wg|pRfeII$v(?BnIFWsvafT>XuX9Phe_w#@O&|UPHyLa zv+o_*chZUG6d2Rio3mvcFZvGct9)r*dF5_;J`ne%GU6vMgrH66UE{a%CJ#37mmqAG zotZc=LXHFZqRev#L(2UJ+E)IjHyT6u^1}EfBlx?Kz4awVr&10jr&Fmdr&GCo{i;v; z6!A~SRw&0-Na2@u{z<*pz2tz~V=kX$Vi+GD?-nulF1M2WYo>o1pMPz182?)GyBmCx z?c~noO9o<9(24g4=i~@;wVrr|H}l!Z&&+tyy=P642G@a|dzPSY@+s%z*D(D$z8TxXz~1I!P`(6>UG^5X>d7dv3Ma5ty|vz0 zNigR^#O`4~cht+~5+HA9_&*)aqFMIw)(EUHvOZV*{1aUjuDS-kaNG&Z@BE@Q_D;o@rz9zI88iMuls`>R?*i z%Z_96e%H0~)6*}56X5d4GHuwkI{EN3ensp^gUgw5SiW5eu4mh@d;E_3JU!;k8Lh&1 z?b;X&;P;+p+ph3CLA%4?rs@%XpZoQj;P<6(1;2Cm$iH5#IKS*3`QZSsIQPi6dkf`K zQtYsqJ9vQn(%PTka%?DWdj6yFr<`x25N+vn`H8 zPqj|h4aQd|h&_<5QB;yQPD8iZ^#|ot%H~tbjinx;FY3STi}wFSGyQk@K(q${pTqu; z8Ap^dll!PLwx2dO1DyumXwLM5hvdaIAGLe7#8=M?B8ZnnpaK z@*di~9&Rs)(CmY%@Z=#xW0EB z-Nfd=@p+t)3!z>PoS}~q`smAtde82gQ0!(@=N5YO(egQLXJBc4HRHZ45G@Q46E3;x z*6Nbb(80_z-!_6i>>OzQ%+e)wGw+suq6YR}?TF7awQiCGmqZKo{2u>g{Hft;E5Dtt zl0a@G*<%o=EseRe)W#k~fAQ#((aJx|?8Y@(qNE2`6T7-gK{REp~6`g&%z~x;Fk&^xXTtAG^Ri zxqgD-)->WTstNy9H`nWs1?N@hGM@^{nnGx`J!|dG)#D7MJ z`PSUTfXRz9y@t+dWwTCzW3Mx>XMY@Cg1^3Yh@UW89v=`)IY+TI1iVkrjSmdLui+Q9X<+Oj zXYUWsE>pb45PWu+eRz6~d|gJo^T2$@PzU@@N20ZiWm$HP=J%QJk++=DW9Dci5+5iJ zm6t6vZCV;KxpaIR-mWX!oH?9(IDq`FjfL)LOOY2M7J6UXX?%Zi`dCLhvCxLLG}pvg zF9%M-v#0g_9pJg07V%dR8$*#mR^;xP z4jY)pyz*Ai%-b!gKW&m6XwA13B|jd#a6bw z!p7gE_(pzL_AS+k3@fcsetn%Qk`C}QOU$W=6z;mnUzxclDkHxPY zooaldQPJlye@yy@`Gud^96V?5DgvIxz;znDY`U>SCa(4B9xRFvI9>mi1q|FM8RJpQ#CXD_#Gi+s>?-xW;QM4ZZD}6Yv4?7UBDkisLJ5 zpckEAn?mMvhvNe;hadgbk1zCQtqOH6IL`hv^@+3lYLyFHxnlnlFiT!IwsPd!cwLD% zzYJoUskreKp~n}ziq1WP?NX@ktSv8dZMZt6f7*J>`<|uV!7^KK4|;dOI!e9ee@wp% zzC-8!Vr0Y0{~S&ZJjML4K(9W)m|XnM7_`l5^|7&z|uoPu#t2 z)d;x&dymFe^?X0JN^_84Ee+Xnvgy|o4KF+#yKQ9J*h=}0xW0D7w6PV}(vKee5b0*C z*PMoDk1VvjdXAC%z7Ab%W8u>H@=e)#tIMd5>?>Xt?B7{vdc)ke-bZ+0rjOsJkB(=R zhsIWDukQ-@K`FnM2Ur?<&Kq0VGR>RW!tb2W{4()~Ifh5ffktlxmu~>4uZKtYd8Z;a zH=e_#AT9h6{se4%WP7;xRrJDh9Y&6J^`IxOB?hntI*5JTYx@pyCZf|adc+Cv zbsPA)vTq9Z_$V_QH@)l9(NnORko@AGNVEuWfj)Hvq3}h?OJL z_-&l--RJS^{6IgYRN5De@Zlpr8%l>lhDV3(g}h zU?DbvWR3K;apbC=Y2R)dS-hJyJ=U=skO%jTz=wB7ywS&Qj30aje@$tqw6+oYTU0W5 z=LyQcQvT%ydyd8q?v9j<%AdnN2xO?&#`@^M?K7WU@Iq+b%AxRlbX4hYvT0=pR`fjz z{Z&HOk{`i#o8FjcxQ9NauJv9z4E`IQ2_O2!S=Rrl2R)*8fOnPT6K4-fPMvp&S3uLM zQ?yh^{J>$+6L=#yyq|hsXUy`KY0R!&bdgbF-5P2l-mLA66&d(&6nMM=?>Z>ikIsjl z+@Ser2YxNIUGkxMw?V%Lw@r`NJyOPg$+ykBR`;TVJ5+_LgM*G8U{ zN6ye~s8@W;_+a5n(!*ahx;=VVJl=*3mkvQ(9{Nx@XF!14g5MC=+B5UV{0Y9>y`nbk znJLR20dIb2cy2{s0^TY)mYTKuPWeAiJKMtN348DN>LQUweE%{2{*mvuVDCs4Z1B9gLTyFibzX7jox<~$OW2p&7HZSn)y(i_b>h!;{gxb( z-S92SiBD<&JvNr%r)S`&8T%E!D!cwTJaq#+RXj;HtK#7mcPL#6o5%2@mUZzu&d|Is z9f<8qh$mt9Y0n{c3%akfrzN}WIq{m;6gIB4XQhK#dEso;CS>UrWNVSNX^k!&M}Emq z39eQ+oK#y|&LnbV-JT+f9oMFAUC-)8Mo*YB*4Q){Ef2hd?< zO1@5N^hj)e>0ugUB{0;wg05rpytW~5JcW&|dDOEs`b!V`d2GJdCVNOS)#P^MUA~^_ z)>C3XxUg*q+|l>4hr>pmmcv`EFDU;z2dgCG-67vRuyC+SGv562POc~M)2R){1pl_{ zsl!}LCSnsC-d2gN;okLNt7(kAz;sz?_nqjkri}V1ofF+0-Ol#0k}~=2=J!+aIX?nN zgU_|Lu#b8C9?!L|a|S&pxUN&6@}G>6gYh!Fd6K zX^OdsgO})9%+dtXbm<;+&rE z;rYHmt}HtTc5UX2@x$4*nU{ZbVOx?uy}a(iwzX!jg3Ytw@~kL^&cP<3_TbIO(FL^j z=bo#*Vd9scC${}K&owS|_xu#@wSU+>*LUjwKAvk1+<3L#dz5?2H;Q^+U5XwC zFO|Lo{Pw4-EnW}t3vb1))x5`QwU_)#;I{|(s_Za$A8c!DPV7B7)Rv0Q$PMPx*)i&K zbxB{t5AgJ`^e^fKwk@H|`3dpN7#>{d`Cf)(#^j zFO9(u)qmNbTGL7YZ2G<8(ap%N<9j&+khP^n+)p6ykSgrB-LKG6AaY*uV7xCpO30BvsnF0viGY{6dtXU316KmHoFx$snQ z0mt_{9hdVkPIh9uEf0O+8DqaK2>7cwyv6ye+`kvZEZyh~`j77Gfht28ReS_E5 zO&(Fbx;nog*ukGO%Iawo4Gqi5%RbLY91?B8%rqZ5ut#8&bmy2&tZvHOcWXiBF zMEz17(#v1I5Lr>~`Qx*4vy%L^Ezq`CjL*5_!(-dH#wH)ovx;JGpxy676ZxB6yAbz?Dy^E}n5l%krH5!4DRH5FY0DPx^Qoy-{U_b18U>;OW|^w(=hyfR8yzrsUbnSv&ye#rh(o*lF|7qxo0vc3(o2UX{;2mr zhuue(`c-b<_b^ZU*!Oxr-}Rsa_ne%_;X!+V{qfrj4V(EgYg$GgTYr(}%ll>Sd>!GN zot!^~Z>%B+rybDt@vX_tcjP_a0{r%|$M)vD=V5sCPS(iR=RFsF9cORsALT!1zx(s- z174N)d=Jly=+8Agw|HEX!MEMQn^z_pGzTRm@$n`2_)ALcoS1w3{kp#qUZS$?$efpF zq2~qSI~`xk=m>%MRznNOpPgImIb=b2XdFeH#|2X7z{&6rp2MSap6_6;);DMQ$_07v z!@&LdME1SYapUk@r%O87E*vZW;l%!trO5JP@9HM_=ScOsftDX=AF-7y!q-zq&$0S| z%AUYhQ2Ac*GUV`1e0jn#$+qEg`ROdrNQPFe1iufSs3!MKD7x|KaI_5mzH$ipG{;*w zOZ%+Jee1SErcWV~mCMm8;`?d;Fd80m^K$e|ye19&;y&M){ojTK&dxQOeSNG)#lUCB6!f^CFiFR z5B?uq<2-v;Juq5_ub%a{qrTrPQd8T<`64Sqp|S?XKZaiK#(Wsxg7m>9UTPM;pR(B7 zytd9cQ|lHj_3c@@5Go;w(L;1N9jiC%cg zE6_qJ6hBwS+{}RIwK6}^_sn>f^|Fc@`YWG;;JA%z_~{c#%8IY**<(B_5XgMTJM$scUL}G#+&J#lOJ>g-)f!WV;6b@^tYmu`xdS%`CUn0t?xMyM+hBz z%!~F}vJO>?PHOyA@@W|!%lJnk>^ndQDhb8wz5{RTJ+f>Uex=cEhF8RDD`_VY9{c7X zI?@Jowxje{+IiNgc)?T);bou_0IJSZKuHc8hZs6x&*Mkg@p8oPi-WKkB|FuPh$_}8xPjACW_4g&ZxfaGrW_B;Ys>le|&#Hzk;uW z;XTAKC$LM^cUPzFvu(r0SZH0gDUc&80i5^X=Qs{tIe2P(!8*>nzX^L>yE&9_B@vRx% zz~_%9=IUPN#J``<_e&UG9keQ5lD?mHH1^}3eWy1d-*gJNtG+b*fF;{?@Al?s?ZCso zr1#PF-ptS^;>2uOor-)_`x~`B0A9A>L+D}eDdi0AjD67RED4^Awv@MP_-NRiKc>1; z@LjzdYPNM>5{(a>rLDElY9nh8?Z~Rcr{lfN@RH;B6|{H$C)mP2#peAPa8@1imku8_ zdXl+Ml#H!>gLlS{3O~)*%FM5;i#?w+C)amL!TJWzO{~yfP5A+4qcgZVh_xtC$LxZ2 zpvSC`9W6c^J)pHBZ7?<)LtH%?|1aQA zYE$jKa3SzVr&e3$y4cQ#t~2viO$;~Bn|)eLQ=i_Ox%115e?hYq((!|Jj-dbID{l)S zJA>o;Cun&Ca}*0*()wNK^-u6`DG!P8MtEVyJ_YU!YCHkl5#FTmDLCGgBxZD;=Z#+y z^$bp#vVQ!l;z?co!T$Vkns-3!B--oa=;17V-yQZwJAO9NAU(gO*jsUec1M~cUGqM^ zZA^1I!Wyb8U-{FC1Fr#F(L@NE5dDgFONK&SqS*`$f7>(Ts~pbS)#4}8OLktC%eM`m zfyW$QoaHm(+p~a`lUXVwp1<#k+%l5yJ?MMNt0h@cgAbwynyJBG;%FEiL0*IN=g|tn zNq*Mgz4kzH|Frz9K|X9`1$-m!^XvpXYH$kPp3l#NvXiA zw}qHneBpJ>B#j&@$ayetTrj=m+tkRbuBPeLhHh zQePTbQBK=>#=5GZj~G6-Bghjyb9qVTGe#G~s=bfx*qyppjJk_gOyjF{b*qk};Cm-^ zbo%lriOfu6i+Sj9jQ42|f4g{iIr!^rE3Hkk7l*d2FA?2bey{ye@UaJdBG_KAe+k-< z?)WUW|; z=jNcJ)O%gEl)s6;5#X1u)|w5r`BL(blHb8wxncCK3C)qN&`2*ud*H$btYjond%%kc~g5Q#F z@T-}+FZ8YS3FME_d7_WbyDfGZzEs++VIG5Xy-s{5pvS1K=Zd`pth-l;Z^(vp^{cHx zbavGp><=_nn_uq{)~pueKZjvds7`(B`Y{Ck{Qy25y%KsH2(>kFulJhwVBZ$O+qR;& z2G6<|p6uXnF@8U%d#Qf)(ZZs_tnUSLKH2vccG{bjpKt2_>+`2rm>?{EU-P#QTKrw- z?>Ky<(ERNSocZya&)?*A&_;A;(OVNV6@^yOwXn?MKthdtq9eO+1l;?KLmuL|ysywURz*Hu>kuCVLS0o~`Q z;)<}-uz3}O(OqwI!7^XVlIUGS%@$uhcYm9`PhuD8y9@&@}JrDs+@o zq;X8|SjW}cbA|lxkML{S;&~76p(*gm(pOK|+ZZkJHi;g{X*Hm4qeaBd5-U?hy^8U| zm%K^uG}o?v)@fUZkV}*|cCYY?C zjQT77GN^a}!(XhdvGc}RzSUZnwS54`_N%<~zBt#CrRg@S`}w&W`;>#&^+)|pk<(G% zxH_ai*3g#2i(zyf$FmZu|2|uvJwF)R%+zP)qvDAKW9f71zpKN2pT=IWZDnJCa`riP zD1NH&9w5b%Za^=^cQvqvb$iWg6dO_dlmthOwS@a-aCyk|Io5YVeF@pQOu%a^s6#x5 zMbZ5l=L^)A#Q&o{#jYbRgt^jl*T!MLjc)K9`Zx9WvL55=6dtuu9-YwWLgLTM3(RYf zPXZU|T^Qz?$Jg@ty1~Q1d#&xa0HYSoz2BB>2t~09~=h%RDY#^ z&;BpN>r+@L$)uaS0!7 zpTWgQ7H`tvpTosv;Gl5s1?ox$agqA;+|_>=zA1cnxUIT__$^$V1MIRiXJMnUI-EQG zok`u2`*)q<_6%LKaP6vk^uVG%< z*FX-%LjC65M%J|o)whearTn(j>`^FGb}8#hEut0iw7j-AvR}B+H@k>$d4Tz7r_cF) zea{qq9VNCWzpnf~4hGhjg7uau=0frm`UpP9Fm4b%<<~2?^%2{xxsl$r3p_1UW+OP1 z|2)4>mBbw8mr?z#wA};^Hs$r{8_ZXJ`Q^~v-Ba|T55I-_xP|x91G7GV>Ce`76JJoA zrjg6gr;``b^PG+(+uG5U_?UcJ`|wSiF(k`Xb%m(1PTVYr}m@{FC2SP=@E$ovllDgQd~@dV>8; zLsNymkscKMPT%C;cY@#US&?**`F32+c5(HJ*XjExa6w*V_C3N|PFAt!(e=~et_M%U zwtE6!=@aw$)B3&6ER?Tu9z0y@1$P==E_=zsLhAvl$MNVU_<6QoJ-2?HCUl70=Qg%& z3qB!@!Pa4OZ(2Cb&atbSp_}%{uc|QKSdKp8-o5fpfnDNmk>#z?WWBjG;wb;mSEVTAyO=$OmhuGWI$UJGC z-0f=<{tNF{vQO+Zu{90{_5^e}@qk^mSz2G`!&WfWyKgKZZZZ^I>Bg!$WLpMlW}Qzr z?whh2z6oEIX-{*Y{bZT^1Te%n4r%U|_%Ge@UcdR9(sU++@;Cb#cG!%v2M znim{hE=%zk=`8ZG42Lam(fK%TPDW=F-{IpaIpnC@>LiSRxyGP=tN*S|S8uQ_hePb! z$<(`)7*Oe!L7#lbxY>uBm)qLH`+&D$Wsr|lk~>9wYRkdcjbRr$kjBtM{PX$7kd{oL?>p$TYp*k}|AWlMB>o@Bmty&UHa|w8*s)xn zQ|>x};^w6bDPBhF{~E)fkx`0$vu78Gw)Nb~D2vDR7a5g%{y=^|_XYBu*nZ}ge=G87 zCGx2R-h4B1WS1|WJ`j3rK?^c!D*2>+%sKKYPX>)5gB*_J%crv6LO!)3f5=`!>;m>jAPr0=m9)1Hkbbvi`GAbfyaHUp=_l^Iy5f5c4Gy0%{=p2X<@j>p

_c8#6THrq zzYKmL_=}Hf4#Yz>2ZF!quMX{arYgWIO#R3y>8->v^nGwTvFE@}I%`cNIiNkgkHbfn zXr4b2e^Tv8MlIU*=qmVPm)=Jr&+@tD)1sN1;gkF5hwD=%=aadyEy^34l|@#E42~@c zuhiJunM+rX(=F8hBLVv8473%r%N;*=eS4986sITYWP$m`26u2SIKLO1XMUlD^XX=z zzWuFvQU5hBZd{s!QS9)M1%-99GTu4(1;5#dY;ygL|DJTS(~-o=kxNZ3#r1Ib2s8U91x#MLBpcuZhp@_a@f@GeqEiSXZ1~UrFVkOM7`Z(oY_Oyp*5N; zOoH%u5gFLY*yWe-W?L8p^IN3w{}0ySf253T{BG6~TsgHXTW*-W8M5o0UE^}3r7q|E zweonK>uYBG;NOebWW#d{zZ=CKBM(u*@5=NpR`}gg?6l$P!tXXBABV3f{H_%_$R3b_ z?d_`M-8&1v`v&rFm^>*3$A>L8yt44SQRLz9y9>W7)4Mf=-z~j_clCweZNz39zOnGT zR^;ID#=`G*&F9^%h2MRH99zS;6@K?3vTykI!tX}ek1+hf!tcuTuCegDrPyuGKU4^& ztrZqmqu96db64;;+h4oM;-THME8WH6;UM{Rro=;h)KlUiKItj(Q17O~L*(U@c!;c= z5)ZM}ro=Zgh>v#CMuTS;ir|2HlL%(Pf%}T`EBl*y!@-Y8^YgNgB>6~ zto>h08SfYI5sMdVtyex_*5bPUJMqSf$A#Yx=o#@FU5Ad;jDDB?e&_Cwty(i4YTJf9 z_zvY1W4Y!N*q+?4S%U2z`tpJ`%e}TG`14MDchRcG>q2eoioBVl*rw=ZIeJqm&#*Hp z8pVtGKL0&FqJ~^OAe(RG+#}a>uA|KxiScZ{oU z$-^xVeW&z}6^~ET_1zC`L=-TL}o7YBP zda~B*8U-G4`o4(%?C|bbvEv=_x~m`F^3ciRJ64i6t2Xu>udVAB$l|l)r~8jx3mUKX z+Ws2cd>s8OPQ6Q(dkd?nZ~LS8Lzv5>#6#S~^KEq{3m5Zz_n&xeSMprXPOL3icp1+Q z{oHH&EV%gcFTJ)~_`QX?c7r=Z^yMb{vSwSz==tdP#$K#oJ{{glFL3hK;_BpFEVoc* zMs&u)Pt(?u*LYn&XCJ^n;2&}Il~HdiHqhM{lx_8aJ>2isd-%Y87su;vIb!cOaNktH91r^Mf%iT0;&q>+{2_hM{lB{;UiUZL zzpU?p@1Ir1>;94Z3BBk3-o^2{UveM2ocF-^qc!omnbg0A`wiT;T^X-ito9c39=NXu zW}BxKE!=!VbW`IyytbPt6NI_o;oxofg1^Uywckxm8=6+#xC&U%udP?b>pn%l4^eLm z_a9jnulp*;xnY`2c4OJBj|6z5-!hb1wX4cjCf>kaWDk~EV ziq}OqJr6E*@D~kTRMs2nGBz{3VEhE}!z1`jg7~61upo@CfXDt1aOg&OmSXmlZ)7Yl zkG$4U{G5V@XR1Drn7Jr;C7#nlexTX(r3t?IV5!&j5bS&#+nFQ3YBaIP zvHu+(0B{+BmZHU>O|g#vdu;F#_)_e&jrnoUYxEr6r00j>opU0gjj|!h6=nP!#N)Lp zZcBB8H_O&B7QJ_|KQZ=IxO8R!updWi+>;zzL z{fwT;!HKSAU=Wlc?mNbP@)&T@`oRjutMvnGKUtr)%DMHuw^C;?{_!aD;AqeBx=v(j zC;2Mg(%2{~c$%?s{g%h(fA^+iGj&=Y*PD)wvTr&ze0w$6pGD}s8n?!%In(@U{F*n7 zr;|1L7Uqjs4>P|%0_MTFb!%oSXJSW+iKAeSv=%Gc(HfD~U`035vssHcc_jR0vxXbl z_8|Cc*HiSpXsQGqd?H*j`VHUDueO3dq*J%%>JHK?oc?g$aR8GSPEH&+Zy8|H$$1po z6MeotZ#BrFI^>Vmq%=msMlti^8QO!dys%oI(wG-~qNj9WvGa>>{48~J3eEYdj7-%H1^v{6y3+)eIzDQgFkDN*{OZ}pA)-jz}Q*8FwqH|~|c#O{r7 zz6F(ceuDfsbio4N3Xib4VHJb)6o0b&cZcDJ;Ml2eK5cxKS|`{Yp40j`Jnd=n2KfE% zQ~e%#p2Lwe{-meDk(a|2twZ2P1+k~{Ey4R{!5=5BE9CbnN&EQziBGb78%}+5#}w_$ z|6u*0wtefTP8DdsaJ$*KlO!|-pR8TWem22GW1{X_Vl_v5{W&@nh|ASA^V8>IYJ)zp z-@UHf-0*@&Iq;Q_OR|uJ4F}Xe^;3Mz*(V8N88vTqUM#()7#I5YIQqo_=5-u8$dNf) zh?Q9%*o&b(-r_OhF9~!7lRJd{5L!c0o31UjVf$du+RgWCov)5lQ^@(#ks|i9M4-(u zw3&^Ujx#Qe^&oIa__E2J{ghx#>5PAFE;OWdcFPkhk;zsb+rA2RuHSmDvATQFS$?0l z=B~rx`sDPuhP7&hBKdi0tO`%^UA3)Sm4JF}4NgFn7&Vd`@HJ%metM@(fts zsC5o-ivHUi-~O2fIsA-va{J@=Q|*gJv`5JDjibhITL{LE&V8L1nkd3gV9qnBRXxHR z!AI9A=wCFSg|*KEfwkie#9lxbI#0#wtsZL+4nOQ%SYBaaZm;!T`}l&e9cJId;ze0r z;N(&q+3w;kBs+uOh<^m>$j(Q$4UIwYC_FEdZ2`#y;hBRC`Axw^a}KwGO^W$Ze6w&) zI=6InKOe4nZ^vl$P>nH|&qe(1{A0ARow~nM?-kXYS(z3wvexa}8}nrw`!ri`md?CA z{?u4x-bU7ru{9*$Y+p6MP6ru;2S^7|tb=s1!^l{{RWTh^$mV>VK>H;v&RM-+H~TKe zX#?MaiC>6@=51Uri&Jk`^oQ&&F zBmLg2}IC*w~_rk2o8_sr-T7kXF!J$wsA>45T1%0EVatgAnZt(J1SH~LZ) zu{Xhc<=xf2)8i|NDL-ZCK|YG|R>4C!UI-@Alfb_md_4lau77(L$NP<}vTHP+@6!tE zQp%Nd>ejHyS0TPv)yq#eCMrG?p(SBLq*;f1J91#QLk+Z3mAnz0ZNqS>6(-out7Fi?7Vhfw$3~#*Zv1d|ptTIz@AKZnASMJ;C6S!8wO-<*lM6^{EMbbMp%9D$b|3O2=HrUqX1w zpJ1JY*SPQ1_Wjs@Ps`TSAAM>m&12U`{;2Rav# z2bLJF5H|ffbhUQs)cy|Fp85+M$(@y51GX^A-Us#W=nU&y7p_m$H}6gQrn5JKee(=I z&9;}{pCgRDP`}UHPhebr0d_sV+Zb;J*W0Fm<-eK!vQC`oFW3L(`&$y|FW3Lp`WszL zjsgCn7YzQ>68@BHU6JQB{D&J&eMyytJsrx9j;w|qq zISQiSmIq$xUA})_??j8jLC1R@01xknCPnjRUG-Y|mqfGWCMGPit}0r;NM}jq`f3y}D+{s6kmm%ABy59O<)DP+Ox|cs)_vnwy;A!J} z7B1!tN1nk0mg!!;PFF4g99|`sQ+^Hce^;mA`D(TDQ|RnEyFO_81CRJmUp5Tlr+T$9`n5A+qkafnh8SA*zni~D2FW17~b`IfDhpG!Rm zXAhl5-^->I?P(pDzCV44x)-tT6|~hfZ?aS8f*&K$uH+qS6}~K1US*5VC2D=)MJ6+=wh*i{EjWv1yN2nm@IlV%qh96)KzWTi8O~i*xG8*n{Y8SslUAi}9bDn6KD6ZoV|9`CJ|ztv|Gb3*Q7bBhW>Q4>JcZ#f1tl zVolRbKK(&ok4sRG%ETU>);5Tq9=o#4x{M} z`xW#q&aZOdIQYImo>a}Fcr1Oab?t~ZxptDgQ#<0f6MtsgaW>JN;m(x~PG9%ov=SKY z^RI8`y4$~=%k^J!J#lxojwb3{@axZTzL|xG<-J+^;G!}Sek%4?(#R!N;Lz zK^~$yUoAs-LFTynkU!9h-j!`dmzRq{NT=OlmL{G6fq zKZybLan9ClZR{krx%yCT`k?b&EuYZ3RyT9?T!C-Wet+yY+S8EzCd6EHhRgfNYke|p z{1LhHVev2b8RLC|KO%&Hdqgz=YlBwH1Qw)t6r}HP7cb6HOsQ6v3 zbK0u1XJo!u_?CZNTVCAiD*5eX>a*{2bWH2Fu(8Yr$H9&5o4wxcpA7YO zLjRrU4F=!IrIzybtssp!S}^)|9{mWh}v<<))& z8>yY&N-suUS!-*FZgR@ZeDgBJ=xNB){VD44kdyk})#G5OKAQfa1F3%{$a3`GWop;q zi1Nw-V-tJjo&~>;GVbWxSVQOgLS=(>P5Q3txBL#AeQWJy{Z=0N!+^Enl?nKWcig-8 z6!Vb0u>CsexruObeW2?mzx(a9X9&E@FY9exocG^^g2U3t}K4f#5zlh4=@flzO?a8 z+qJ-~JkPZ;vbn`9e-}PVm*jl2{UzXdFYwW~mEhnDz~zN==t9s^C%>jno}WPeOO6I} z;kiB}_$I{MVM}E8^#FsX6Yt1{aqxQsBV=6;Efd$FF-y;kBQq3R+XP%yzv?SQ&r`iC zWRuOo|DyV}4(DK%g02)JqkFd|BlyHZvqwE+o8|7~J&G;pv9D46F?O%6+GGETtXY?_f)&9lW=@=a)!ob)VfFURAi>6*X9houa*iMK zcr|ctusNTt&S}?Tt=_KwtmS1j%wXa&w}$xOyGXmt3ASf`0zINTpweMtWV(gxAP!A+>g)UHJ)o8SfAMc z0x{g;Lxaqn@KgLLMSp~&$dLxMsj~X5gsxBBdM9)80b(BSV2 z)N2ms_P%lJJkBF7Hu~TiVhg+dxmlxiG0n{}=7u>mbF(HeH-YD7Zg?je3FpntP_>&I zt7DERUvgk>5}CQN@87uf4)p)q@pIY!x;atI4}I^;fA9Djywc=o_NdR%u3K9ZOdPK( z^ekUT4Y~DiVy)y$5nM$NN$Bkxa#JF__Uhrr>YtF!h0p>cR0Z3%}%i#_9e_rM#?1#>0e zqdEUcI)vs)&&9v=`&M{wJ9zhp;=MZGHlL4r$iDn%6CJ*cxP2b-eZDUzB-=UT;dho5 z73Yx^R)0>S!<6Iy60dE6&q{WPcg^N}8Sq~|?AB6f_W+ynjx1Vd$i+Iah zphJBJpO~q7^sU(srSFl`dgpkC=B+o`NN6|WzxJARH_fAs0ptslTI z@5`+YE4SR7+cl$5?-|ah$n2wq$GLbc^~LZya)H7xGUpiRdhh*;xAxf(C5RFcdqY}ckVja zKQ|85XJE(NEd7n=FdNtAa8xq=d~>M%e8GOaRXF8-W80l-?v(d=A~N0TkVj<)%tz;3 z0H0WB_=I=_XUAjjXy3fmp(IDM_#|0w^>Jk7vNPaL%jH>|H93{AV}SRvFNMAFmB8?3 z#-$kh4g40I4?nKW%!hy75}+wv>kOG!&|T*;7bDPNFZymDc86?~5p>wsVxGZar*~v+ z3u_Cg{S-Qc&Nu?^ua3iiwo&g~&XlS2X>USn1MqLPXY_ynxswU-0*6G{@G)y+1ll=$zklW5V2)m-{F|n z?83E;*kvzPdkr7B+}qELj8{hRD_mr8HdQIT13y-1aP@3{Uk5K_pI*oOeUZN}mwkS- z_NAO6cXc|FTwTH(>%2$Rk+EID-Pa?R)asjc|x(LXT$Y9_VD&6wIA{363%7}m5zFpFAJ6K zx`%Ve{*FH0659UcXV0zuen0+!&xJnm+~0=0f!5-9-7e0(+{l@TTtE5Oyt}9Plh1vX zcRG(*?N=6gx27VyuT$GEvY%Mz(7Aq8vfj3fer%^7FR%vnbNZq8qx`8ql579c?rpkw zhqvipIIHF2OTAeW9}l(t!?`yRiCLSEZ1BA;LIGQXdt?>C1oDEmd^i3Mvy zGe%pvu7pQ?j=uNP_rIZke?#B@9{9aSw#K%5R{eW)nSY?~|B-j!qwg1@wV`Zm-KZs9?X;n-a(i? zetN>dv?a2jEJ{0Gad)Eki-`8!A|EguKw<-yY zhD<)lg{G~Rqwm_)%etKAykxew>cyW)(gPDyYE@`jk{Y{alZ1$XOwt#GiFln z1zw%bmC?8dfk%k*Cq!$yPYOQtMf4^5{R%pA1@FmmpUV$ko;V=-7d|KWrreh|b2%3U z1-e4~Lw+Op0U*xZpR+!27Kgr9yVA4fQ~p(8$o|U%+rwTRe5NA!?XY5b3-kvQe@EZ#S|0xMfW2ws zWM-SWs&KYua2;8Gm9(`@jStx6-w|II9=NuhuPPd4KjH<%UBEAp6(%>p<9TP!gNFmb zd5*PVFUck##z5<}!}zWiv)2pbENA?Rd)ddC+WC7W6l=4d=Yp5~R+3R+d{fU;2klgZ z!7t$v@gudG!^t*&HZCUm*J0xqN)tCCI0gOvDdt@8)YyBt);euF=lq1RAyqFpVB&$Q zumPo8HMw_`3%(y@jC${4Ib6R|S~HUmU@bmX>X2VwaFRZ$xlvAam*2lx^D6ox?%wVF zQ<>nsnS0x|oqPX!;;7X*%zgp%S?v*+m~QCW*jyvbx%h_lpV>1m6K6TP>ovola zdF7P#SVJZ@)4+9v=g`E-S6MT6XJhy{BEO*V2O1j-S#M$c=4;VG_#Z-Np}tHXH4hdx z**-4yVY?T8qdsbW)JM}-;AM31ygsULLAZg_roX{wQ^7L$Jm6OzSDTt2!6OYkoUZ%( zD$^vIWR1MW^TxO68eG}Hwcx62&&ISsLMj7oTx|H4#RJ~O`G)?PHRd3_C*VaIljh&p zV3cL8V}Huu>#6zoLhwJHnVjf>y{HQkC}gYBpd)vtCGgA)sdM&sa@ z_@L_1+z!%5(;n|#-S~FKks&9w{%+xV#Kiri1Ow`9(YTrn?8VPaOmfbZkgb%Zkgsz6NL%I>_GtYqu|$x&9m6d6WA$ z?Jslnmf#hbQv)x5UVmqJ{ej!hz>9Wr;5Eg4yN{QOg{Xl(cewkiEWPI7r{xC+AV#`M%vfl6pq+MVcO6#4E#o-~;thr1K~0v`%vWeuI`SD(Lw z9}!u zTbIYDJ*!5x18)Fc-Mr>`FPKw*=a~BR*TLw12GK{LyROo~juXsDD>%<-E|^m{R{eH! zs`c8xG4(T|;5&i@dNrAG{ni5E1FmOt#=lOvGn zgeF3Lr0R##`;ys3trx;WI#}q|=m7oGeRp?`y|_~A*&O_o#Bmuf_%rmb^=k+_P&nsY zg9*+t;m+jX(IR68-xCE#FSFpF5aOWYO~JLth!r?IcBVO-?sw8jNC(7}z=6Aam5y z(;dHZM{=eWo^@wK=eS2KkIv2{jxN3DnngoFvQPIV32!P-a<_95-b=%`ec8@c1rp=;-JiILs1J_09vyB1Yy_&WBeKR+6;(_x^oRJ8sRzKv|=^L@w#{VW_JIhvlhI0uVY?>$0&(JIL`jRhSQJuf<898Zl#*md0-TVcy z=9|SszRW0S-6H=)IDy{#eVLH==s{z5&%h=8R+Bs8IrT9a5BlBrqlw!0;ilU6p*gkh ztUcBG8|T%&cO`4zxqq+!=jczgskWUy1`JhtbA1X2mr`%|cp=yz@K;l9TquOvoVQLPKY*?PisE0SEIDj#hR)0Wh1h$ z85w&Ad@mjUsATO@orPYbkyWqRyFk^K){-22H-t=dYm#&gzkjuz58G+uUDa3rKaL;W z_sMrGh`lh398WTS4zJxA$B$ZMVB1g-5*yjl9tOV~}q9X2jGHTaX* zzf>Xi%p7czUZgXfcB50J&=c@!vM$c_efhSE)?s{E|4hzRnu((VYg{Y3zRq~jnH{A3|T&e^}*YV|2lIHF4T_V1W|ok^da8Sd6SNR< znjQ?D)WeIv?<9B6ihi8FEWOa_%#Ctw-PtYL?=CQT# zt{WHr-3jSvl7~6Q?BrpWd`_$hD_9TQy~fyhJIbE#D=WDTjq6?WJzPTylsi7xS+06s z*(;s42_OC(^rE@wNAr-eNn~s@XPm^0J*jbZ0Ym=hu%($BpVkKCD+f=}y^{mP86Na> zurBK5zaC61F>*vP@b}ZtM*4dn{oY9b??orufUa$Ivbz^$ryt-Bg@F0Y{TzNU=wS3G_*1wcyXvo{{@+L9Zr8=W>clZ^Qn> zr!e{2JNonBHTf&qHC?gm`|>NW%ZSBUo1L5z`~`}c1hG@q?9ERA6WRG&O ztW3(knK+Xfr{teG@5Q`dX8*S8`R81&XRHLvQr}8+Oc9$J)3{vRI`?*bp4_dhaUL{x zEZaWwpJP4Zo~ESo!kAm#zno-DQ`kT2ur)N^sYH8*IW>7FPtvxJuf^c&Z&~YfH<c`%hX3GX?e{G^|`@@{At!MYcclUg*VEXI`mYnV)rY^d9rIoytJD{TlOAT)B25z;9 zJl_7DPWvu)km={{_gMPSbIT8{++Dr)d7UTpGUHIWp(*mZbT^x$E765;q37g$_2`*T zOJ9PPu46ny=B^w&=DWe~J>WN&So?f>fc-Fx!Oxjk!9H6%W}7FZvB(dnbv*VaJBAK& zCUeRqB>obkk0Tz=g4Uo%G|}}E{8Ps>mIlncFPZA^KUe9g;n(7}ya>4tZgcP`GGL)% ztm8*Me)#wK6z#ct>A>OXt>|av@Gd&p2QDv9b!00DC(Dt2Ujeq+p4)jsUIdTc(i|_| z$({z~N`G<-arLE~?G>9Jyr4UCgb%f+@kl>+a=^)e;{2(8Xz$t2lN%tKT?~(?{*#;s zdNXipEUt|ryr*ZBeMrwg!2VY8lY1`tm4n6{AL{po_%k?J>6LFn_*uheRBo?g?RWOJ z;a_-6@<6^)C-c&r5iOaw@h@vKZ}R!Iv&y_u^Hl$mzq4c2SpET-HuCC!{0y>j?d5FGm;yuYC_AqVV z_%-faqt9XHEdQTO{%)NNDZiyAKk~nBdB2PG?kH_MiHw}=2qu&xuJLSSE!7!rQ8=D> z6S+;4TU_Y=13Mn4&q?mQLS9F;efCF)ew(4$WGDU$`si9V_g2YdvmTJk`Up8Fl21Cj zi@xFEj*R>?x_embsdA(8$gYva_q6D2x*KBc^Erco%vT)e*!PJlZY{@OqNG#po z1%D@F$-a%|-cT!7?nS2D2fid%vdf?+_!e8c*VetVFUh<)x$D;@*Q4jZ;43@8d3fm4 zn-0upFO}hK>qkO==^3UU-OcNKUTNhaAk#D_)i#-zYX5DlS->p3D5v){?HwamSbZGl zTwvFZo~D?meZ=uN8PN`BdK{tUvoY*4=Qrh2LGX zv{T}a@BWVL^yklhq_68L`+k=C9kHe6y`!_>F}Nb=L7p%C81p3B(3tK)mun+#Gkjcg z5%eUHefX7L%`?vq7x!o$o^E+X{8i?T?;<*vXs4+B0QhwZ9VB_hx+%@+kl~#$R-Fi@ ze;2ydTBCQ|I^%SKFL8#7^-t&wm3H>0Tl&zt{-=ybYtP!m;?te139O@!=7BX0Yf`#sTf4ly>-x;r~vZGMV2FQuLGeA-zYwqx!-`|;W-HbXZVE2D(F zw0;BER%CFQJOZuP3HCe-hs=MEWb>B)RG7#aIHevxC0ZZ6CmC{6`jlLpt=r?f2_ zKyxCQ_Gic^$;BON7g_Aqf;Q-L19^EmKLUA?LN@MbLcg%QY0vT1y1WY;?kMz-th}S& zy_-a*lkEC6>67S3;vby}!dm~VY;*0+v+dY*K9&W4oDbw|_#$gr#|Cm>{v27#{O#J) z*6qe59YSL$a897$|KEY%wq^Ah$$aRl*YF@RV`$Fx{mQ+4EK={U=p*^Fb{}p2waU2b z`yg=!<*%SC7~KXwy;k~$bb8T<&TQ2j=ui4maixu~rN3S2AKtrpiZbfi`Ot6Zy!!jE zksWGZ?YMiC)vo&Jq>pFCXE)SnK>EtB0Cyuk6OTDu)zAUg%iB=hg+$HAEm%>G_%Ae*DF=O3g$ z)z{joaj5Q2#-zFd{OIZm2Eiyibk7-hjuf^;O;x08!G+D^x(`t;8Gy?3JR;xshve%q_#+Qkm< z(RkD0cz6B9{1J_{NZau0j`_^3=4&#sB%?f1jZO1(ma%>jdOOGG7x>is{(Nh$OZY58 z8-p{x?EXamUZP|eJ5fGe$Chwk;4iZm7aJ|FJ%8Mt)XDe9fm`y!l)anh%<1UhC zAl=}d{X@jFgvTQI(LIIaC~Z2%x*;C1a9iJ`{C|GV*-xuZbPU3e;8fg0;}Bl{Il&wC zvxaBt7=OIzQ6^MI3S zbC$t)7oYOsCV|=4`vj|ltRa%KL$ouA%-P7NWK!st zHgs>-4!fow)BGbNHFn99y1t3yKl3VmL;HUD9(<9jD3@PtV7_FwJ!kuiv{6R>4&-WO zk5d-3AQyq%%0bb&azjz^f+WcW4C9P`Dd-jPb|ILz7wAJ&pT?<&ad&$ns#dK z+cLlX0`k34`&w&<;+(H+__8CDdZjXU>}BDjM(_4sn&=rYCN5_Bb+oQ_Cb9ADx?W%3 zk1NX_GuYYI$EC6=_GE;b)qV1FMco+iIkXz!7eQ6I0~ z4BW^yd=-1zH9rtg5AsBDNP{QMa~XXCIQC1Aart+x4@5YQ!oJ!q+GnG-_+Va_p3oLhrcHN68y#ai}4qH)#VKM{fkGRxw@`@VwF!Bo$^xJ6m697 zH`L|YY)}q{^Ep^Mc<@GSBJfnyTL0@N|CFVk91rrea<^bhTUy)C*=NRfD)Za-=i(bQ zGH;N$7wAW!6cy{0NPV(A>lN`7$^L?lff8sU4 z^w4d5G7r1oZe_jJbj1{fPyP&k{dGZh*wB0AH@ACfTKGi2exWNi^u_#}X%G9^KFdzu zMBa*?iQdig6+EY3_ipt)!LhnQc{}9;4azf=-&iZpzn$MV;ahWXtmZd%(~N%lD2J{b zeAW8zq5Q+O@=x9n)Y=+Qo@KoZ_IYKic%`$(D-Lg>L3h@GXgnLzvfkDFZUeVD>?pGy zzRkWr2)*Xwb2-ng(HU=n_;r6HSrFBwB{Q{e-JL0__tMBW$t3x4^T;RHj-R{hu z2i>WF&HVVE&mYmc?(}HAFI`$b1@XJRZ!tl9x`{Y-%dS#!L155kG z^Fxb*aoLwS=1XuU(Zf!%M^?Gm&toUH@u{`Do%p8q{l0R=qqpqD7a^NQ@3>rL>0R0@ zoO^Bl$lxc5A-vuC+>T)bNd~yR_|nOG=ui65lkAy)a(&0)%3y3nednLgPH0d2v2El8 zuMhSOv#iubhh9|&Kb7(Isl6Qb zi|S5tcA0BC+U5_akA24c>Re&jE>?Hfdr8ib8^M>Q`MG0jFg^0tPj`Rv&F$S&*axyp zbNDA@N9N%n^}Xd+kr(nC5nth=+A&w|U@Een=HWvJr^5|8Vn*>jXl2s`@2ZZqPiy#7 zos!mL`V-FFS;CqR;ct-rsU_a;h%Mj#GBN0<&Qvxn1TVTUk6 zlhtR!W%Rkhaiq^d#yJ69EC1?1y#4gLf2wSd&s zOUmaZf0z7TQGb`{z}PYPjSZedpOeFXeCgE;(y*RSWT%QWz6AlDhaiMfD zt1qKxkGb#8=O!6eis5quFGC^B4|!vh?^69X;}2DTuH7=Wq-aI!p=effk`sQBhw4N8 z76-3}p3&dbhV|=PIyA5u{jhe%j&$n<*aD_MU~o8g;{?`T`L=EgVfuE2=F{x)zK$}K zwbWK*7*%(YeE_Pjd4B|W z?uIsBx>e({@&jEQnPtEG{sCJ))4tZY&Jib*pG-E^HZ@vZ&v3gct# zZa{az4=V=8?rs6vLLO;f=PmH_hv4g<$Jh2j_FFfF`#bCJkJOr^{nlEKbe55eaSq>Y zW1PbALk)N$2Q3`jW_`|Xe{>pOuJ&@8xML^hEFl-N%&%K7o!?1qo`OE3^im=oVr5q? zk5KDsbZt*!V;u#jjp}MVab%Xp6BOe6670unB1XLBkUcLI*?ujue^UwBE*olH7*7)3 zc=p0JVj$YD{0rb(wzA}$zvpKw`FVczE~=lPNuCbs+djmUhTe=#i3|Jbm91iIUXbCWq!N7tYKul)_CXdBCcd)nfPDt z;m0@pOm4zy<#%bkgK_!?zxVQan7MRosOD6Br#jA`@83HaFu%-I%KtnDjHaw9Yi;i3 zq0RmC_IEHmGap{`p*>fc_Y(a}zn6~cY!bESz8gEAel0E5&M7uDM!D9{vBseo8 zK03Vqn#1y+s{P`7*!T9s_z1d$avDZodM-9n;jE*|`e5RZ2H!n$c<(h+!fVHztL`it zKh5IN-y^p{?;em}>>cvm$UkNCE0XUdcjC1x`bQZ1PWJLihwO%qnqPYh`xD;TKgl{Q zKaAFu$v*rHv7S#V7U|~8;?b9(*6u8_hD;*6lCQj@Pd)_AX%aayN_tk2zEIUUK#tpwz`gS4B|}uFDnmF^ zwuNUZb9y_vpBa}MYXO;Y3>chmQZmH!Iq#a)H_+ZN&jg3~eJDuxPbaP#{iDP$PrXZh zv3_a{MflYD`&3r#A0B)f-Be|-r~h{K%lho{QjwvieVw18a?}2sY~PIk^dZKma??jx z9vx>kGR_kIRx{4THLEAUw;PwnD*MR)t$LYLOZp~PL%*qXe>3?hcYuq0u(a<>)ZLi6 zvS0KXyem6Bx_xGD}BgY!mUL<~qysH6g#Ph2P@vipq|K`_+>0d&ff7M&zK*7IbqUTp;^X!|OkG zIR7#{vzUJHQG7I!oj%NGiak5>UnJpC<@6k64wJMyym$H3VzBSI2`6JeeAha`dr^%D5$NMUqpiO^# z6FfW489;h=Fzjz=uJyG${4h51INd#n_FNvxTSwo}Qcr<*xG&wvsX_3j+)eEloW2-h2ljh^DJvT1NA-f_G=3jUL^=9bGD zujW9{M1Mz-?@8uhh)=zvdd<{v-?33AMuVf!YtKfF1X-2R>C zDw{^1tMqVK#+WNp9NFQ(m!l`ZO_6x+L2PapLnu94A*W2|S&~zLUPWGq`F`26+_8h~ z7wzbCbp17lhxh(6yu&$otP2HlH3DUnxz7PT!szeE4d2W>zs~pP2I!6ILpUtT2Oj<|h5qnCe2Td}L3n3^^?~QE5goLS z;^*J5PhaTEZ{8syLD5p?7*jk5nDD;S2lP&SmWzt1@PeGOL+Qo z&hr#K1d;LcJM@<~zVr5A%IuSw?q=Ui|8lDfs=e!D$ApeW{6g!}{-G7Q@ZSFksIVBnSf<&1M6{>q}TOm&8#se9Sudk5d&FWCfgb56D#srtb}|lukA}$nS@! z1K*D7*=}<5J_?NF+KehEQE)16uM2#gVs2FaZTxp{11?7s&{yxTc)zp6nl;WLaM_H! z>?Q_cVB>c;zen&N$^HxY9?)*1xz=;!9PwD_!K)+N2tBk)7u%qX2SfU>ZQ>(fzxpZi zG@F})iF+L!=$Y>a4i>|H4lE27brX zemAy>?2_hV!J01KAs#(;ALUk#S-(mN*(D!C8hM)yX|?Y!VT2=-RwCk zKR+!lRSq0!)F(;$%dLO zhawthDT5c$t9Vs*jKFQj@Z7pytx$N8=T%Jd$2 zoMxSWGPDOpr^(oTUl$G1cS`cWj-fv0;O4{HhV{?rGo`=i__TH$XH3?Hjj>K>pT4md zjU6G}sXfiD=2dpJA2V-bjz4GWC=bNS?i_P0|5*vRv*8?n@6Tf+jbM(#qrNw1IV(xH zVXleuy#TLmihk6;Y@f%Z*5-h6-W&*KgIx!5>-8J$8_Y0ih@*{`#A(8xS=%R0N& zuW#rhu=L@^>*ha)T$XG_=D#q>zCv_9d>Quqr{)FO>9q^)`|p$VCERq!Vxt-6xjXjo z7n?7$HoEH6o_9X%$^*)c-CZ!Wk|JUxnn}gFY@A;AIV;AVj17K0xxlvN!z}!Yrj0w3psOPDsw@-Y46}8aE7Xg_kZPYptDGq)cm|);;-N ztF{4pgq|s%&&-Etg?E4V)yn4!qDeDHmY)22`Yzp^=hZlOk$EgO?;13%@5 zLOU{5IieiiIrz@za;9=@AAmoK3^RCQ55#nrSzj!!3LdVG;Zr}p-p(`g*P~~O=?S*8 zAG{Gg`@Q(b?YTXa8C*CSQNT8hmK7V6l^T?l81_@#ZzBpU||D(!%`PK?7 zIdD;8o*L<4;%Q%w&1QS}<$i8f2KsnEe@2Ee2iR`=PQ5i4kw4n-!(N+{<-hOCg%Z3b zIuk8Rjt7>e#+eUurXO=zrBx>%c$U(4$sD&16&at}$%`J>*>yzEMQ3Gb#_v=0)R+2H ztp0*$AoAS7(#m=UzGj?(c)|7;UZj1VSKD9Mxc!;1v+ki&>b*R3>%JGwTI2SgBMZVh zsa4ns)HD9Oux0Qsz5&vOG;0 zW2%0it=vCP516X;!?X3aXg<+lx`KH+|9A(7dqPH>>0`20__*DnS?_e zxDDquV2pxmM%y0!%-Xi*MQz7tX`8XBZS~OwUXvS*F9vaEaVmX+^ZA$?d$x_%qwstV z@=J zH6z27!@cI!;fJ*ku4w#Q%H^>BAi?iqM%pV^#t-*>_ITV5{)-__$Rl{RBZ!^G&a9T@ zBnOzY7GSQOEz>whTy`yX=fuP8E8-0E?LA+6xcxfbe;i*ti&0N(j`aOjn}@(041Tir zdff|sHqo5XIo(lRtpM$`0rzI)wPrk7lYgU*S4*^A z<=60i$E(rt)@Z4APSWGxU|fAL_sF;%cO9zX;I0q{@}Upb;lPgD;vn>kfdj>nTA?@L zg4q8e=AwaaI5Qq8-%|lyNcpepxI0JjMzzg&_p^r!T%=Cl0ll^1tCTM5=14em-xb>u zKULUwp5zQW@%=Z^2cS803~RqHy)ru?I&;3RMlncoCMK4W`=WQ8-b~ziqL~=bT711X zAv@K_Wqd~Kh*m0`lce04Ge>^MR{V&o-dc-CTm3tvZ=<8vc+$WByHR{uXCIzpJe+;VxMn}!Cym_sXx-TC zo?DHLzcD+uC5&w`V{0>GfMY0Q_l~d*5YJ=XY_7!7%7xnrZ)DvCmo-J3mfZg^^>f*D>Xg{ngFJU8t zJX2mR1NY+jHt6&?d~R{=>rIJ z{ilH=N^2{W`_NgVH3yTmC9O^6=LIyDW1PJX|8Ul(p^F^rfbpLhzFo{3V9u>F&)^~E z$*xntd`U7%xY4@n)3RtLjhvEv+6hfP1`QHaHae^LRP>yy@@b8h3$xI230mGC((=ZT zmX%-U^W_S1dpiq_x;!Vv)mwP)abQwg2dXl|@`j!}z7X9uT0{Ibo;ilkVxznH)K~-LhsN$` zUVf?^u$CjfDxU_Tvf1)U&1VwjkHGLk0@{sBHlfcMKj}D1Cp+Qk1X9w$_ z6~cD2=F{dVsgJsMLc0eXnlq1`-^t&1ycS(j^!phzK1(y`>X}}2$+EGNtu7*ZEr))J zGBV&e-;eQJdwfqK!z`_!XX0njGx>zn?>DXpLcK_QW%*)Rl+M|Mw~GCZ^8fgBB)R(p z`mziZr9K3JYG zbOR3y59<3xa;^oZi@`V^b#xXT_aVmj4EqTijr(@?e!6kVj?vg%J3bDCqgBXUS66*I z9{2rx?j7Juq3?1=lcgtqJAYfs$rsg`t$vdFNql40o-_Wf8F7xH(T(Hqv%Pb7v-SbP zui_K=n1@2SnZusVg40|mH+Ladqyy&+FD^!2+Bu-ll&hm>s+Y5LzkiT68u6WEjBl5Q z`}fw=(CWDXvZ<3l!BjxrI^UI%SHQJ}zhn>_rL%D>i)(V+)fF868X|duoEwpi zsypG`d5;C=*3p%8_!aB{ZfdU4uG&){&Q_$|M|VG*9ocK>L-)1lEKA$J`b-XG3E>*p zpt*EsW~w) zMe3+c|GDeSy*q?IWe6I)C|nn)cS&$v09WvW@o(F>l4#iC@Qred2fJp(@%1N0UfpZ& z5_j?zIWd+9K6}eS>808)&3ypWWUPACoV5dz6h;b z?$fPhPG@`d{sGQ?kD0ui$`N}$#+lY&`c?W=|Kc^RxyM&p7}SUOO*!yptxniA3jeq5 zpK>d&%otJYYkr0^t>L*JN32iW_2=$`l78sMA25EkM>>`>&*HU!XWwL?x)cGQ|i;|7|BtcPoeRWm)n0(Fd1L)XZ}W5)V}HM)uf3tK zy`i7W=J@IB=QDjf34AWbcWnGF*gYmj9}5bck=usPy%is&e^y2kpFqur67};qyZ0o% zDw}UvmGk6~SX=q0`RomQ;|+Vm+0$?M6aLrpCq(6y_4`;KaWV9t$j{?wAWNC*SpP=mdX1GsWppO_c;r`Y?8CM4<|ncFUH|{H^y2@SK4TZxQVi%);;UAVjK)!C-uoBE zEi>|OXNehx=h?cL?S91&^-Qto$C<;s`708$Q=TiiTE;J4BA#hu(kWu9HU_Wt!Nq%B zT-oIu**$ceRd|8>`hJpezFu6t-ujJkTZ?_Bh~X(-QeZC|xKR#I6`zI0#FNDfA)bUg z#g_{=>71Kd?9;(y;+Tr#dw17FVIq7664+RrZ?K=}>IQ#`4dOgPUj zUqF3E%M5JB_A&cKUP#6YU({Y1_T!q|mS|3o`V2T{$eoAnV&X-{rMT?k?*=2OKaGtr zSKzfiX9j$6Zc5OvKAD?T?0VZraJ|i=arwht;FVm2v5u5I-%0xj3bgO&ns@hW?rQnP zjrUDoM>}dGAV)#>+ZQ=ANxx|OpSyV}09JUcNzwtV$w&SS_wHPqhy zy@%T8v&WzP*XFm%KgB!x{jc~`Tg}|FtKZxCos3;&+G!>}-px7L$ymGjogsH!?_S0^ z9^K@s3ogdJM&mDVrX6K#x~^V&T{mOb*@Q>Iz2f~td>TEIy*22vJ^p!{IdA`{+vA>F zku`Ekax=GDJi%TozIWOj6*Gsk?IG5^0v+r#j{)OC;5Y>zwS;*3(YeYdbB`2fubg5Y zb(V%;7ymmw*ygd=wXICfmzgJX*19)OoTCI?jk~@MLMN&hi`KiQzTOsc$5c;eo!8C# z3h3EuFUK5+|Nn1tO89Q}cXK|>Sf0Fx6#GnSy1Q~l+!+@2dza(pjPcsOXTyJtGk_*L zZoh2DZp}Mq9VKI_)toasakRyr(efS6gz3n~b`bk@vL@?vCn2u^=L^>K5qMh&JzcLn>lzyqRx3tzBb>sdj#;M@+)<1yy(Bk;87 zK;`Ny2cPNe7q?$S=ZO@~RmRlbL4#Z6TX&59_2tx~ezeVXoGty5p-FqbM~Sly+!;EG zd;b-`pXWRWxBitluV%KhLXJ-VX1pAi2KipZl&*rNw0pI4nT;k@j(c>-$L3uUdJ}YvBGY%(z#a>?USX~o`y?V?^ zum3w*&%q8~?Ni&zN6?()xF*@ceh z)@uD0pSXO960pw(^Ks6Qxm1{y-*!(tn4aX^kB&~8_aC$knKLG>?s6lv^j>HxJf}6> zk2-6P7j%5V9IyTw{YG=VTz;3!?Q-Dp-oZ((XZ}V*xqt8LRS+y=o;%*I+5mc|(RhCvZTNI!$5!oMcLNz;R}TJ-uK7EmQD5ig zoW%+0gi(K*Y$WLp(lODenXeA=$n82MJ?=ZK!;gbYoiiqxJ50Nex!>qacj06N9}!o3|U~a_7Hn1nTrBA65NGwK7?24VZy5^M<&(Uw|diH zWGt1v_I|5r^3$d^Cy*sgdKR}NRHoTCG7jMy+wH^tN1Aj2|#clLaX1$Q# z^IPO}IX{Hv@aFlPe*jD`Vy~P7&Qb_xX%;w3b#U6XC z{HSU(7F+TiGfvKuQdvB<`fRd*KO681G|-P3qX|BTT+4|7ZDbLpsm-dzG6;{^JE^1~hPxV1^Y{ke1S z`gFF39NeaKl+NDEd~HDXuOFFqd4PLu-l5w5ZN^?iPoAy)??c<41JA;pXkNUfyMr%8 z6PEtS(M2a6PMR|gj9(**j#+T{FgfL%G0Iq%p>L|(?d8>8F5$K#wro4LJ9-#A$k|KM z0et-H4xnYN+N);nEi`&;nliPeJ-~WTYxYWXU*S$PFM3SSUlV_lD=x=hvV^rc^OV_( zX7d?K>;Y1_|E}bX=-IU~9Of#{hCkht&3==KzNRVe1W1i$fJtq(A*UV#2P2=(JvT<5 zBk;KP59fg0<;myyj(-1$aJ~?E?)16Y`toT(`v`9Ds?maS-N7AlXLfq1(?j>hIS-?W zv*PA(X53upXC8EvgzuXR<={Fjzl|E>0)I$utCX)xAr=0DUe`7OFhOK${@ z0GaSE>f zts~bQ{ygm&nT6i>%DiBjd%-jEd7k0Dm!Z9#iPD;$_*6gVxqMdrCIjZ}zPs-oisk#* zyZmfk`xmh(be`l_;PG{4E^B8=7L!5mZ&JqIhaET1!$%Qc{)lA2@;Sk?L)*_?f0Q^; z`_+EizjbdHZA0VF=HrX!C-EJqeYFjJp}#H}l^***eDNa(xR>`oGFIiqF6NBf{lWEp zg5zvFSkpos2k%3`p1ki4!Q5ZCCRn6$)nnaT!x$D0#+Pr`S<4U8*3LwB&DmGi_P>A} z$Ww=N-xi*u9`_N9CS#>FXV~vP^jf9AS$F{M%zgQLUA-T@_8a~Gz$(z4*i60SM**_@Okxgu0GkZ1a^y}IOk7I)b6YcNYlz>Phh}`n-T&~w zXS-wn`s|lGuZ@-Y;jlL;hgg79O^rN4o_A2t@77fpE1nvD@b2hhwkdj#_Jd}?VEEh zojk}gz8@FPExapTLpa;2@8AWT8Qfgx+3OwOzx4Wz=Eud}{JqnmFJph9Y3f@ZZ5SC? zKnEF$TlvtuZ{3=1;xWzpVrw*?=6+9P$k|Y43SYNScDxegEKH(3 z=eP2GbAn$uxb(X(O?w}+q9--_)&$ou~<&mB$q@m#^ag?aB|?DCCZV~)9X#M-iU?SUpT zy_{*Tvk*=bXDQwyd&oXZ&ztH`1*!S#7`y+j#-R6hp$F)_w_-ck_iQ|pvl4bpeq(<- z!fpQQ$h*>S-TS@Z!SpNqn11cE0%swqU*;uc+DG@7&Zzgw(0Yz>YfTeO@@o%3e^!66 zI<;VXF>L!kLf5A4m6q-b)0Mt+w4pliXX@0q?vt^e{_*}NGWU$JXD@Qe!n@A8*pZ4(Tl)m?J~bM~kE zEgniWSmzv_I9!pp1QR|YhVt!zma#q;q(@LXAS7$ zyPj!12v}ojk8#)X_mfS*hjdSb;GV>$)w+Z&^{CFsd^iZMeCr+g>u+kF|4260@q98U zd=}k(-ypHj!5jE{ZO%xZIQQVETSf$D?rD4X(Q^85-zn#=P&3c?ZY>Sxpes}V?cpc! zK=b>C@RRtN`Td^ob0GZuu>F)xlMBBOA{Pa_j|a_*##&&m)DF7A3n!pwCsU-O?jiQ} z3_8~W+6rE)jO(4|t94&qFrMs01`$K@>u**4y0aMS&)#))>95L{`p#cNy&{@ZAzC{I z|Lj5^{U-Rq@0}4Hp0jaM*M`XjD&AswtprUJ!Z>P4IvnrY+>iQmg#Gwrg%iQj^Pzom;NqRH!4G{%&_u9Je)BE(?ZUgK^Qd)@%KC z_$eUgv^F{3DFL^eEC2iorzf~M^Pl}xV3f>b&8@=7?<$PQz@HpOPbPtX=>SFsN@nq0 z@;sV5k{9j9@V&7I-<>N_C)@mXnBxn!GpD{C={#Bs6o=2jSAM$&F63l3(ZH!aCANAqZjGf3s_x-zVCU2rD5A^K2 zDayiFRaW;zAgASP6)kSOA~x0WKroUl#zt~|!L;%!I>~1fTrO8hbeIFj1?aBGCu_w- zM|0DT0(nZnyuT=aZaDvvmoA@UH@ZoZ-+GqDC-2@Xp?jG37KQyqb7|%x z>XsMO+p0PAfh=Wi+y&lQ3T_l5SPGt4qf&W%u|qAv_NHzZtE`tN7nC{oyQsIrrh2YQ+TCf@){g23gALIAbBCk znO$Gkea}0g3Af%qj$Y=*vIf|rwBnvgXVDyO`Q_Ri4R=_dq3Bm}B**KrD~mh>ft!w@ zb2?a_B40pl?DpEwIECvH>&x(5JHJKlp>h2pr>4J48$SH*&Y;;~Rk?5y<;y|lPIO71 zRXP7I0s`dx+HBHzLOrqSj2N~&6VyC zzZ$y=9QEj#{4lC_hI@tl{hE^T(K4UcWkZ{MPUJ-=f3#8O-}LRGOFegbhU^H(kdJex zV{m1^!6R#V6pyBywK7^Bl_}9R8M`WDWhZwav*w5{HP6xYUHXR05tj@oVZQ{#1%x-z z3Tw}pzKj2JtYhCt2iM&T$zNN3>u@}n*iYFQvi~_g^Wc0K9b}N-f6x4B9rN2NakrnF zuL8EKVp7l4o$qD!?B{vc(WK)Y!T;Yxo5-hO+L!MC82tAn{rw5${`~phvy#u`a7pG) z8oucuCIJuOFUK!6u{IXl{#AHKzNb^1O&7E^KjP~F=KTesZa`bfBKH+03b%B`I_^w@ zr)2D*F9!Mil$GhV^-HoeC}u}kn_f5rzH)*CJleQH{dpw#^D@k5-5Dj~^CWtFp7)+Y z_wPhU51^S&&M%`KVmg}7q|sH>wrJMrFxB7ac!DddzIoTeIP<*QwjSq$knh;)EomdG ztgbG(tN4>>&c$R+{uONk%YMnsqGYXfnDBR+-^cjv=CNd9G;v(;zdDJ|m0}#j)R~0F z!2g7;-!U4GEjRI|tYY*$CvIf#2}ceq|FnA!z82n3CeeYRIrUkD{sQ>@SomACT7gak zvmg6CF>PZa?*0VH=^^B_Y|NQ5&W;}%BrY=Z98eeAfzC6Eefe|;Oiu2loIDYYb@Qir za&pD_@z1;!8HXQ#5;-TnJ+_4WE##fX=6L3yWZX*mnk`(CbCPlH_nEg!&M8*o;`zwA zNLeF4jQC#kp*)*v9yfEMIamH%0i60c)SZqhbF?74vLn`ZTK5cUtfCF0t6JHqyFhxu zZA$C5V%83qFB#eYjFJ6~;4(A@uesbt2b=IyW)0hQOEALS8588XnLQE0m1yxG{5**) z&2#SN8RUbBJpgYhqI;L2k1X#xy}As~_3;LKO(-rMdaENXC0z{>BH4I z2>GPZ7=dqwzae>hc1D z`{_LWMmB(W#l0tAP?@uUqrUibXaoAT!;iDxNq#h%Q?n)^Pc<&(jmO{<@m(iAngRY) zj-SKi+`g5Vl62vFkOAZTAusSNb!7IV8;dSg54v3V621j~pOhOtUi6;leR!Ka4NI$g8Y=6RFOeXA z+C&_64m$o^;;Qq=mq>Ewy^S*|X2(3hzv8><8P!Gxua!+o-^yQjGQQ-_SC)K%Gn^OS zd7jS>V)$F2am^LyRi~1i1^#4w>77@_4zzd7=e*Bfij91O*z$a2aNGRgLy7^DQ}bEf ze=b^mlDi{_oj?0$CZ}AvG8Q-Nr$+`B7Rh&K$8GZ{O79ECj-t~}1|RKbZQt<}eK*7N zYgyYKTfE=omFk>zbiN&LMR(RcOUbr5x8@T`Zi1USp4Aqk4fL?=u)gd%-@Iy)2#0kPreo#(K?^&vO0TmF!$V1aBlD4)ct9; z{)FZpeV02-4eqR-thl{BUo^W;v>@Ginaa@X?YIkB_LzV-BFeXnY&%#&_%a8`zsce(?+B8b7-qn*1~4AFbsgIlRj5 zaAW-3o@=JMWW&JY!tpD}^ls#03++FgXqkVL!Cwaa-Fp6KpL)3chF2=RExI1lc0?(-Sq$_04rHgZ1nY%{sl1JInxj**L? zvLv>_%VxYbhYB0R)qq4 zGJpJAm7i{MkgT0)$1XauV-;Q*|G4`5Fl*Xk)>-LKvTKANr$3dtZH!9#liJWTqd zG5XVS+DoEC2}h0>iZ55jSp$t-t@h*}Qy$uiP$x^j<@L8&ez7v%8P3To++F)Lyt^BE zv;ErGLT(i@lsP%deUVF-=$W;-li0UkM&6tS#&+hV3mNkS_ZUob_nV~$izCTl$zZLW zW$7Wvr{;zD_TZo9g;pN;_5Tq$Bs^-2gYk~3Vc;=mYs0f&*z@tJGuWy=4F8q2B^Td3 zwQ~>mc(Z;eCoK=psh^|FrQetC_7I#80>=zEd9SNt-}B$Gu+;KJwKkD=H74HVPW6RT zjQ>C)xqbVI$|m8#>D7P9_rVq$_x@XtuUQ+o=RBDBZ=z-8n_V63kPX$f%-(?|-~Q-p zm8x%FYe_cN@qEC0M|kI~bZySoA6lGzWJzrE)E{mQ_I(~*DGSZzkX3?L-<@u1eI<6! zOq%^AdZx8T^^EPp3}R3!g`p4l?!@ zWXp4`*UzE*l@^C|3nw=oP7N=`2vAr(63rjh{^P zHqs*bkQz;5b6y3G4X(hg#-nlvpURD23fZG_e=Jtlv+d@vm-O!a$mqvR9%HQyyXHuS z)MQGUeL0dLDwF(haznbCEf0)bkjx-I#@Jhu#o`&kB$-k~hhx0s26lXXS>Sgvy39Oj z+=5qdn{lv4tY;09{7-`$SGT~r5FOibqsP|9VApOt2jW53e;NF{{+XNcQ}E7kCOe@% zbQkh)CYUgB@la2YeAl|;=1aO%kvUQukHvyM$6JgOyKf_U+xyVpZbXlJFZx`#XJ)<4 zhnr-bA+9n#%z7#u=D(qJ$?6qqul)7OxOh?W#+AFe_y)|K96@a8Hs#s)_M`v3ve%wl z@#^|u-=+GSDo5(iy3n4mE@Nkqhb{g^rpIChqbHg59o_?8V_!NO!_C&BR+AM36u=bJb~-(_fhG5ttp zEagu+5BI*4kJK@$Tu#Xl&9VH%Er!l4-N^2_fAM479a_Ja@la%cWjk_RJR|yaxtYi{ z=2rQ}c5N!Mrz_3;r=dB?E#<-McL`iMS*QLUpg-L&FTLtGpMq2HPJ)Xe#*tz!n1itc z9l@PBbkKF=OiB-T_|K7V3hlGrSsoH!iME96p^jjYWN3+XOF6zy9vASh9VeIU!9}&) zkQMY716Q5Qa~4?C2DG0N-6~(0HF}fo0(5)B&VOP(bK>SICLOP?{XN7(pYZb4evaqx zToop@*Gjy|hiNPIo7#xgf(O<8Bx9C85r5tbr?5viGnO3hX)kY=-KV%e07v3=*}(E4 z{N-N+BhO(QTt|NnCmM_F2miO|dKYWfCjRt10B>qX-%FGk{{r80e3zYNbwxY3C3s{A z93>OML>u&`eHi{Y1{lXG@@^D^5X}iT$rZnj{F_fKso~%8zk|{F46JWW=lai%d-?8M z+nNV!uNu8O#qX-G$<43oL}PyP^UBZQavL;8!7g~54JaAw&X5p&>6xEr{Uv1bbI`Z7 ziR*J0d|!g?fA$!c_*woOHy`S&#JcEklO;YQzFx*3`c5_Gvj%>?jX&8A!l(QhvhV&b zVeVR4x=})Escf8S`LyLUT|A?`{s*?=aTK9vwFiF7Bo|@Nuj-qmN_siV&yf zt`>BN_9{-xmt7dA>(R}A4V-4dUD?BF0X!YW=9Qen_SsZoO)3K0!BAF0Z~Kd{R*am~ zGyTrlc;fyvp9V(CvhX_c7rK@lzskr0e~wG&PVQN4Usn65_CBc1LG%~p)w?x8F$u?) zlDXpfRh_l@xq-2`HA-ue)+38M>$A`rV{vEcwS*3zX6yyChFDpIFWbYX{1(fq_>`a9 zhhJ^`zS=KAqwvrSxwPsnH5lDkqO^8M`7Yl5L>Hn{D-UL;Lmx+R+TGyYAtjsp`{1#X zn1j!3;m9i=S%jagmHmWG`wpQ)qqmrS%#-X9MBX;cOJZ&?`>h<*`gRCiT=SJ}VP81y ze+V3OAqP~CKl5C6t?H!NJN^>=&-$GGIRC_Rz1ye{^yS_k@;og$vohEhPusP%04=%x zRPJCZ&Ix+|_5$q{(JP+206fJ+(EA;pchg@NYj-c>=vYS_7#&7=Tw7X$O<%%~{KVYs znlHCx*ZltF*)?vxC<8|6SHa3) z&2T(>ANGOCpD#n-$#-9QYofVy+d*WVTT9djbXvs?i`Jw2;RlrqUry&7o}0Z-ZMb(` zTbie68#CT*`3c^={3m#K(NFO1;-BE%_MhP0YcBoWMl@0Qr%G?;0yJFsN7g!?M|BX# z%Nwt(@$#Q|IfickihL1Hm)QlKy6-Sy^*c0F{r)NMyIVhZvksitR=8#TmBl+%=KR3h zyt*IvzWeXF?;qv)L$u@bSwZIr!Dk1t#}C10UxLq`fX}`RpE)?)`x`IPezw7L@l%yQ zfLlBeho9m%?uNJL842&kW`XX$zXCr_sGCf( zzq?W1wCaO@lOrj+)7gU7&r^%Rl`ao@>+l2J-M+4dpPuGm{6^res{;<3*3{}`qtB(2 z-cWlknYU%0wL=6~nlZ@!bugkwn0yia4$ylYKjo!Y&mrdm{z)dqLy(J%;rCpu!;N2Ks%wKinkU~=Yvb(M$~bWt*7uqD zM6%0>#~52}3%=DfJo&5OL-|acTbPj_F9}ZExkutF?fuss!M*r=h<&F5V#qoC0fNJS zjxVMsM%-9-4)?8E+++7aZ}7X3{ie+M74*LI3qi-`nTx$XZuN5$(^UPoreGRd*UXdr z0pyZmHn6skXI6&`@uYViqfxbV8&L{kF z^6j;`Q2#UJDlk5HZLN;;F`0fs|1|QoDii(tjeXyzl#Xz4$4>I`~Z!gjDMcI)b5Kp-nZMZqm8fR&u-skel zZ|EE-n@{cNLTiWM(OxG>esdpDV%`qv26}ROsJE z2J3gnmDI%_p}JawJE8AA(6{FHcSAZa!K)ohf)~DoJ>}Xw6xNw=b>PDf^WCkdtSi&| z;eXC2xxSh6NxohAjehL~bu^=XZT^IvH)I(w={!f>6S5?udqVa}rV#t|@$)q6+wER1 zvf$Bk!M%;Y0)5Drq4zaD>87)-<$WRSg0(x5dZd$cTe_Fm;MKfo?b2Q0(oGw+L;tDD zdV5~M)aE!bnFKzuCUeG?Y-G*jONl1#E;sjTXEbM(gwR%P1$raG+gDYw@;^ri4#=h9Bal*6o!3r@E*G`(gj=?i-T}_%hmKTpshVYz2 zE}Wx|>T4}e!?T}5FPem(tbHbYw1JP*=n#66>S@gu??>&hJ-~Q!aeB7Iu(hqeWzP?){EkL?&mrWFXdT(dd^7<=0$nH0JlUM; zob={ZcE8I}^ns(w^^C=K>?U^i6ldu;9ZYTHnu76cWPYAj%n6wx9n**J5amyJvZN*( zX67splPflC;w*MwjLDtjY*Nt!I?A~6nB6?uu}B_=auk?{->f-v?^4dY8i(H3Sjy;o zGwovg{)bIImWkP9u**dMqu*ez4#Jq?2g}8eeydDo*4g^ z`R&igR%rB@y7T>NusS%!Q-c3--o2O{e$k%oYV>Bk(^w8${hv7u<*@xdyBuz-%Hb?_ zd}BG>HX4<~=*KC+AlWvK93Gh=him;>IV{;L{?>dinN{As4LsD#&9+B+k(++|@UWS4 z$?}@~Y;03~?KR=G{@ju<_DPOFVA=^Jw~#v)HnmfWXI|ET$2Kgl(VwepeH2Gb4!e`r zFL4%_FRvv7;!WavozWZ14AAevZQ}Q~>fJB!PbSBiaKbHeVmwX%$&}S~EWe>=Sw78_ zI3G^+bk0NxnS$LqJ*j*qBZI*|_4K?E*l%0)aqjbt+Cf+C)vd;=7f3}GDvbMZt^2UTUNF>UKXzWJ%C@rmv;rYv^cb~CEBLwz~GB_{n*(y z;(TfN)cK8k8ws7j+%uo(w0RNL-%lBPXh!UPFbG~4X3k$s41G~&<_q`kUSsfK&Zt0` z)$Qjn=ToACxY)4jNya(5S^VJWu;x3p=hw3Kjs{DSQNWqxoaSLZ6Zl#Lr_T4t1s%`V z$t-M2-(IwIZO^ZDXM{9rGfwPjYuIMCL7OK%JK1mZDZvGO$H^_z`+`;P%TBC5BZoHn zED1i6JQ^FpmNI+1BwyX0UH?1tE4jtI%$}2A^CJ=&Ym?YDy8vCf z__y*9q+8t6g5N6<>|4X%ZTx9H7Jd1&^E7&wPjkvcuynjMCv5J>`x-oun^bfZ#e~vs~?Ke;xex4$>BKWA;WY!lHj3!qF<7_;P(8SN#m{V6PG}ZQeJqtDRzkv)ei;M`zG)|uNR~l&#i+anx_CitedwIdFxi!t@${XgyRsN1e^1@%H|Th`t4wDR95_%p!Wu7 z^L%vA)KxZ@0zG3ohs`Z`vsc%0smjZPv0s9AU4PPf72mghMLU1?jCJcb$S$_$L)$s9 zxXw|g`hMPh0$J?ql|KAVCm{|pT@KsRp070Um!j~Kdo0*f=r5Dxq7Thw{}|(N@LHK+ zZ5)j)mkN5uh<(eS{{oi3Cfjm*>0Ant&hA!-}p$?XBGZ3W#U_WXUu{3{@+!`MW>c_?YbS6 zJGU>JX$$Rvw@-TV=vRQjryJXzm2ca5=C`>O8_L()58;#f{Y&u4d?3=!acq@U_+FD{ z{FbKuek3z}|FPgZ|HE}=FT7~Yt@jpI8!LHJqz|>x^p2X`ZRDH0-LqMB9*+-0oUt~& zt@i#_e3QQleG2EQ$9h`zeS8`DQ3~x9AI>85tNMb|(3hbHJ6>1rY)PM1W}6Saqi1Sw zz{o7C^VRgt3!hEukMC*5w}Jdj&H%5o%~nwU1UZ@iHd?MZSz5z~lLz06)Em(I_(&8N z^7}iE|7ca(#wh)A(;s$2)MgiaC#moF{ZeUdGy=~a>E`58eL7MuI9L5lt^G@#UzDV} zajE?WuPNN}>yh@K#unDSCHYAC0OhORUhCJ<%Py}Tv=Z{9p&RLCP9CHj-KdVkbT#?-wEZvweYte9aM4V zoA~R9Ex%KE+rU`_uD-Qttvr89>k8|X+EKY|26vv5*2!qO+7j;7);9iRTWAh0mZvYB zNjmhQBOQn3qtqDEtVP2|HXmL_ds;iBKQCzx7D{*4Izrxd)HsRzAmAU)>rd zm|PvTtF_qIw~rHlSD9OXWFrRPTXj43$9H7ODerhRzT+VIklK@Y2$)=(O|0MQ`(|MA z%T=aaOSN$o@7x7EcM&(vvktm z(;t)i%roYrXDeeGpa0B<{r}*-i{-8Rc9{SD;`C&5)ukT@9^<1x-*Ge%pgV}JWS7Zr z;OsG-BWTBH*G}0Q>US95fz?Os8f9pNd}OsPJvn>1p34@nJ_Yn3e%tw1-K_a79mPJ+ zp?5p{1?ZH@Grp=Rm`*|`*clV+n8$VK;ZASN63^nSc<^uARD9dog?7H=7nhy&TPtl` zv(xCM?W3o#{R$?oxxCJ%I%M{&=&X7RkL&`cM<1t;Exf1wCm%p}F5p}0V?H&HozQG` zT@LSh&~KFs7s^w&eWylmRgO9~QkodJc-8V)Xrmc@&DvV>@w>Tj^8il3PrW~8{TX{E zeGLx#zTd9$vxNu6%=F#K2n)9ztJc$K8}2=~ZWPc3jh>XLtw%LKk?mJ)Tv+G0@Sco| z?emvBJi$EzzE7bDolSE80CtO^UE(lRxhTJadEv$DM#!W> zli3m3o6>K>n8E1sn3aidLnap4S7+@KE6;*R4hVGIWBI1NDjRbR%F+$W3gqyYp*!sf zx{p3NXRUW3V>pO?r*Zs0(9AJtTHpUv-;J)bWc1s7cXZ<9*9I@QPw+9RYIACAJF8$ z%}4hX+_S+*Eb-FnwO?AjL+JaGl|HUcfRFzS9TNY&w7$@Bj}nJ6W58$nDfCSPC*K$7 zyI|q_R~Vc8oq2L1P1|~Yk?}_NRKL7Z=T@yB@nvN+c9%vsCg#YVZsN@B0XvB9v(wCN z7+dFjn6%M1EM35pGkl_&yBx4S$zIbF>@`&kNiWVRJxITj z0jGgKjeM2uC0Q_}dE>WeO}rp}A5dN8c^<(KAEG5R?2KX$c1v;v<8KAN?YnL&!^%lcLBF(+Rza8194iT6XFjwdtbFK z3dZO07f3JE9zw}0t&2X+e~&h=g0B8c=qHw)p)nL#Z#5Tg-6ZD9T-4T4Yz}@a2inRp z=D5ecqP4oz&2F`FE`Npwc=k$Trk=?cq?9pLIH z4&}aUUx53r*tPpE{n>qoHmcvR>ck#r-`oo3(CMsM_$|*GjID0y)6XA0g0EjOEohH( zQ93fS(I9IFzLnYY@uD)VE8yNN=)%Y}VnyqatGi8{!P2yNT5?QrQ=3C!`E7`No3lJq zzK!1T=>XX~D*eW|UeO!IB{OZo2N$BcJcceIqr z5i<9o=(E}Kl)G~xARb((*t1vC;M|of5Bcl|W85`o?4n0chVt`|k#W*9ekEyjiR0)V zClYfFPK5)zo?Ba{R3}p{jynwvSbQ~ljvqYb*D25U<+5#Ko!3UXK_9hs*w)|jI_vL# zo%IjC&iYTi&icn*XZ@I;Cwd9^@$q#wycd zwPDsTPxmUKJ4EBr#)pR=F3b8Wdz$#(AEV=Fo>gzQm{-lls`<^8d*a##2Vwul21W!|^@xJ;}w zDvt38`+z@i#~s&iZ(i_7j{Uy@eAJ0f7R}7XqF7on9iaTik}bi zSztU{!Z8&%|Ji@Hz}U9%=gNRFwKg5>*r?pwra<&;a-p`+j%=nbe(O_r!RM(HFiz30 zWPm=Sd>!heGkiJ7F%zrT`vxz_&+l;t@7;3)oyR@l$CcEs`lP=e`pM|`Zo$L5Ny)(= znBL=lgZqvAPSc)+r?%D~qtC9OfdAB-Th)VpYHV!5SmYV;{t0redNkk8mKdT;@!1;R z*6{B5s1W*wPjWATlLva=;Z$(wjP1csc3mGW_vL@w$XqK2i+mScl3~J+<@Z)}H~Txs z+81rhhi8xM9dxrKu)DGN&*jTLNp7)&x6$}2N93cMGxG9v^3Tk}AC$x|)Qs-b!rp-x z`G;=3s+|KA;G>b9A%BSMigVz>u0cyir?DM07Uk@mH}BdrT~rnz=j9i1@tFbiXPAz6 zYwL}^t8N#*F8jVc2Q(S9&rh}m3$HT!N3HFVV+}!`5Cgo59JSCU!Uj-$LuG2G)A-EV ztH0CyR=ME4VO}up=YHy}Z`l$W59dY6zB4&uiYI7XGjQwKn({?nhfiY}G&WN=w!UQ5 zk!^MMgExWW_k-(=_}<v4~!=q>@%bYkmN)u=D=f};B#$$16 zV*y3x!{T2wXJOPFDIaT#+3#y{n5JwazRBjMV4v*76Dxy#r&h*BgiFOwbq& z_~>Rl*O^&!O?7r3}2UE%fCcQ#fhHkR-$IGpX|>mB}gBO08vzJ#hzL~D8h zpF$a)kiP0-B}L@8WVbIn9sC6sgG0_XnxEUzOWl0u7iHIItvLGXJkDTr`k?lx*5o&9 zin*JEHDscjzaZ9pvsr7d)cM;%zrJfs)=xce<=U&TryQX!H$i zxe4uaJe^oDx;8fd^j7rre60DA1+T7qZsUEQn!1ekFAFZ)-h__+Ro0k?SbJ3O1inFJ z$fG&%R00?DhwfcF3-#bOdyb;YORRr-c95Jv{T2?9C+7Z!GwUTM-e+`w7bA+o9fb2) z#E<{TBX9 z(5udVit(iyZmyE#r#pX<_FPyVsIL=ka|3IP&WRMy zoguC+e}>V`<^W*UC;*`~H6F=x;|m4)5!@CsO%Bw3(4E z(*oTqXXsc+_diO^$A{En=>Fzd@{#S(eb0T{r#?fx=54_OL-(Hn?|JB6^+fkoyd(dG z&%$hY$H%8<4)14$cg+=e)qCg#V|(^wzq&hKdUw1Kd^Hvn-aUlvyeB^J)!mnu-kp3W zc@*416%XQHjV&m=8$7RWO$Xh2H#!eKjt8_qux{_w%z5+cYmIn^H>k71usK?C+S_6S|-8$ny#5DT>!jeQStx8O1=Co^Iy8D(f4z`h#MnPTq6` zZQFC^{QAXpIVXFefotKFozmU0S%%R2ubZp0H#$aFQ?B;ZK6<*@%cDFF$$gdk`Abhj z>we$TTl~Iv)6eJ0i+%|`Mtc&!KtGb3#1h6Hqi^}J)erp7*zET#&n6?dK0%p}OTCkf z!q2(+f?wmw)1JR4bQ(SB)%*Xe+25r)*WsJQ9$9n_m>SKKV4ZD#es@9kv+Myg`%Bmp znpr!KyMY)tb|$!3k_q>snQ@6aA@JUV!g5O(74~vhVsSzN60ms)#8@Pc?Khn=W8>)6}= z%~-nc?L5m<_sMwjw4MnDz2kJ$fIi<$ojC8_-IVV4dF&bTjEV851f%xJN5>j4M;h

J7)4wUeH_xbB1n{zu)ic5b~v|?tDz~zul)cwRvE~pU=wP z*MF|EuRmQ(uMhS48FsYhy!8LE_ug?;9nJsvoZD%N6j4-)6|gHJsF90U5DnHCOCl&1 zilT_U1hAsmQ0zvr14a|OSV4`kMPoD?H7Xbjh&5Jh{N8iUJ#x8XVxH&s`Rn`O>w3ea}iSoXYS;$5o4=Jynxqq^1)LQkQaOg zxU%IK02$9PFNe%X)?%h;e*GdjePwWRi;NXG1OkR;&`!W<$99QiJ=*NN54eDg_Cg)JH}E>2tHZn* z=YV4T*oC0q86TOVJ|M|qer5~{?1ctD;=hN*4fYd;1?w7+^>*nt>_>(A;{a18V%Cy~ zx8nA3Q+uFG33(XrruqJfukt=>>3qYYv4DOR`38?i<{dm%nSUU@fw@-+U0JWW3#k8jC&SeG!x6Q3FNQl#Iq={vE%qA_^V(++%cT&(`9foin{qr(FqeA*{$>ZeB=-%| zILkeLE{}b}{sESoBVkiLq_7p&W>Xb*Cxc0s?<)FM^SGAyM2ZFCFvA}s7;W`H9eUJ( zvy^2e@HWc}U+ zHe4e6lX~nwfQ<6#i?tPQlPlx~@De!#d?@vhOCkx1lQP~Q!y7@?+BJk7r5di#M|}93 zRgmpE#MR1!ti$;Z;<>Bwhuom2NPQIooIF9@Y_o@c=TR2dRYv|W(EFov@&1W2!IAxc zxPHzbk8%}a%%P%r5$AoPobSkVDz}BO#=i}8h58_KK8%fHYzNJS?#FVSX`E#W+vu79 zN^*sDK%K0!MAsDOvfO7ni9K@#0)qqE~rLGMqBK1BY|jcTAE;hP50+n>e4;o+5wQRL~6P6|hFfv}61o zzhfE;fUM;`L8=mEZc$mXTxZ=;)`Mle)-*6O$r8KTvwxOheekFeb9xsxf z0(us8+GEn%vbfiN6=+cq_u3oAFW#|DLt3YiYy|L0%%6ySY%`Geiplm`#4Af0fqHpg zSsY@*0Y7%fU{6SeEyFku+btrIF9mu}Ly^9?@1^pYmW_3RP@J#59k$Cx%!m3p$94YPq->6-2>o(LRXjJ&e*<>Pwb-L6+tGQh zZTx;B<~)-TzlH5E#?KG&x=Dqi?>^NZLWBc!$9=>xOtQgmLkww-3zm)c=?!V_H|W(S zzNXSR;c+SJ+NLpNxNHJ_aX&M^w(CJ@xu{1+RKRtx4b`|UJdfo4w=xbGM#5Qkd=5uR zKDcF3F305(02|YpG-j}t2i=nAdR%`BZ0`JCekZ~N|47qkdc^-*0iZSG_c!pKeg3-Qy}_qh1e`x~hOb5QXpUhylWZB~;m?!dB(>qWuxK6%@ zGuQTT^nr;FP0bYINw^Mb=6OWcM;CYj6>Zr>?=Vp9G4AiI3DJ#`v6xAV_U&Y#8oVC#d#Tj zN0ILa=z;yzjN<~~{r}PWXVH3!QJh+a9m57bZw7kpBk4rNo-wa5wXeS#C}2I`DDEO; zgIt!e-y7>kGGEtY?k~?PneUB+El-|HN^(?^T_wez)r-C%Me%1tc>fS=-?EI#gsiD6 z(nQf7wGh#FyZGFb&m;;%8{O16+Yf!03wdEo53506{Xkzb?PC7>0c}?`qHVON*n8eP zv=%@4`^x`EF>PgB<0{TGn0NAhp}!LTE#_&@dhuQhOYA#SV9Xo&LK^Is1e=GcFQfu? z7UmV%@Pm>4Ay)%eY^##f{4NJ+nO>L&8lSB_3G;N8=iHx9JG2KJygm?!H9@85>+vz$ zzcI~Zf=*!pIOggxyQ1c`=SMYa(Tw|#qxvc zi+wacIls|5>*`O8xl-y=%SSs}f=9}DE3zAxye9B5x-;fw+{Y#HhgFdE&oOV1W1K$) z-m%u_DdQ9kT@R(Y>6>jM&P z$}#jNBF4ZZv`daBz*M@4kgtki&S2aY=`1&{Psu)6b`oro4kowL zS%)~mur2d^hTGZ*GKS|hJZ5yo+ErZthJRjH<1r<{B=KRn4VB@aDYZcwGkn$)x8WYH zvVO{IN5(O?<#|jo8R5^qbCS%19*LM~3Y>#r*!P1uL@vfG>zZP`D6O;>{3o9C`eaTO z?pq00Jmv}GHVm;yd4BUAW~>AAd_5uYi(mhkcYVxo)!?YvZ~V1wXznbJ9Z z41YG_sdO`pq2m27p1Xnmm&Ru~TPnkJ&)@JIM79Gs;Q3UY<8#z`&5`96x0U%K z+xgiaf!oVGk!|}@nz_CA9_moVb5PhEs}x@L_x8 zwiLsU!JcI7FL4-l1Q)a$v}Y&HBmRD$nXx^I*DqQAv0aJRO+=ai4IM%pS+?2n-e8gE zpzYvK&?h8ZV@!a4i?8Vz%RwoAiwd?YHEdTJ*sg>mj&;kvCoKEKK822YP($@o&?fMa zPV9r8fP2hW#B==2VUMF~>C0HxVOYd{+ZcPYzX0o}OuL!TWuMtnMheC@m&<9He=z^K z;V;nw>ha9AfPJwV&OC?T6lkjJG59}ly@R3W@OQbe-3isC^8wj6ldv8s$FO-jt|k0- zr5NDMk1yl>$8!|;a*E{#{AeG1@Sh6j7B zy|PT6#bMvIG3+VmKLYJ?yI60K;SE7QGrVl$Vt5hz^F3_3xDR3LV}e`I&31F(HW+)$ zYohIDun+OQ8{&8-R2I+t>FTb=np&mN+c?ehZMkke*KLGfhG8Z0NY7$L+%mk3lPu`e za-XiOPCP&5^Sc-?qOPwKzImTN4!QyBIBf`Ah&CC~KgMA!vE<{0s2Z0VJY)x>I@XK}hne=yD9pDanwcLj# z!Q}^=nlW5)4gUTcnT{p-Esf z!pYi8C&Y-f!0@j!g}?dV!y>l1iwXQK{^6S#@Eq9winX~3aLBP8oF%@HV$y&9z&kMw zLr-O!M?vYi;@nTh1-Czw$1L*b;dd0*q`3bKcNoZ7b6rD?l^*b zZu7wk(%L%f2KhL1L)N==fRAa7^B|5unH`3F2Ne{F!*;r^GQ4A0WLeDj&i$;SNChNrTzooNO$HTmBP$rA4zFmq)dBK1-{LP#TY*x zq=MY9O3{A;4qNcE5K#uhZ_~iXIW5cbRiJh7Fj23|hKysJ5oGz3Dr{%*hn+=|&EWAi zA3S3@?;^z?0lvjp0%ojVxTGy(J1fgBzDn;9vlqIKEA#+^{luSz>s(9c%~T z7?iSZm1!sk@wk&>54q)UL_0BIvU5XOoW6^`>r){s9V+n_gwe57wciz2PbdSeLMn_wa7jaKL@{?1r$ zT#e9dD#?S{?2io2gw88Hx=uju-PW=28(sIl{5C-pU+kOeZFs%2N8|7qk3_L$X zUdzXvn!n+9;A1vA=&CxwxxvWZ6&lzWA!vfuXP)5~CMP*2Hlj5<^ zs-}ba&WhSVxfe0I`lB?*XbcCUUnW z_W!Vsa1T5^3_1eu|6v`0$DJ%&n5W41rvB6M;6FUBTrdvV{-B3!>{AE2l0imhqTEcJ z%fR-9XW|}WPgzoo!rk^Nha_!P!*C zX}5|z&$ae)ck%O?4tkmh{UQwG#hv_o%oNsM#^WOse93q`F#Zw@d3|$)Vd(F!sZ`F( zO%Ix6`odV_JWPjtHLfd9LB;9{H>oS7gu22|wmZr;6Y6<^ro7x3M)*>|Pd@@}7Uu$7 zk6iD+sSo4rgSHvh2V2?)^>O`SOc>n-}An z>vUE-4*OVpQw@Cyo5g#$`l5dB7sg#U#-fa$0JKT$XYdmFS*l>jCls~Im1&ax@qH9R_m zK9`+|^^euCok?&=IF7?Us1N2h@KHcpKA2mr{Ycydm62}-+aXwQN$FlH6OdJJo^ z#&s!BPfPe)nEHb9a}{h5@?21+ha!K8*1$j8B8t{W3J**BCq=(ye<=>1j87N9l2b*( z2R~!nqi;CwxrlrA4>5*I^ie}w<@#AS{SXG}Y-!YM@UxxgAM&8>6a83p0M{Ijckml3Lc!x1X+ph;v+Ie%V0pPvt|KNh>JPu9Q z$Jpn{v|TshwPV1r2Fxq>g&KV5}{rTjh~vR)p0oR;|_*Dc3r6hxg| zTz3@5fjAxwZHLW?*YV-=S=={Gqye1iB;!i<-$EV9Jg$uAwbHxd&rJ1WS+{Z?k2BxE zi@BY~x+%jh(-`AU&d+-yWS$|?20CoRNBLr(GcRMBk^S$^fxd^o)iy@kV7n{VAWTCU><49B z{|&$>pZmmXXr}gAKa3k`E+>s0j_1Izavzd7rtH#NqfeP{F|T6UklG^dmlgdfI1RWU z)1@^)(9s9Hr6k^E3@498WBMqn=R-baI_~VTmd|+k4f3?OoR-E4{K4Pz4|$xql<+JL zd)JG`iS%tYd{<1L=}UN)VmRl}Rn!j*-rBINo?+J;;0;WJvQ3A}vd8&^{5|{0n8B~Ww-J0xFm_K=KJFMS zI7Gz5PYLmbqeH;6S*Oc_t;cr@*7Kl4`{qHOA?>UrpA7K!F*x&($BmgGtX%|E_`&`!Xa#vNksd^cJNu|@>u0> zAY;2uFX5X6!#7LNcE)iC)+!mFGOXYIhvhJCi~36HBgX4Ol(&;*DEcEFdEm1k;@biE zKIWvKmpe9WbgnYYYbWrAyp1^Ch%rqZ!Z_+zSK60i{CqW@->eze+215TKkrvNuJdPj z{@hTPouRG-)RkaVm*iJ3jb9mO#(2&fTO7~aj_Xb|ECsYy)K>d+*29fqW0)t`mtvn7 z_apa-arx6fQauuwv^H;4#pLiu;j? zvhe*{V-YWTD#{w?^km2&mh~*B!Zfyt;EPGzzpM|(YUnZIKcu(Acw_yMb;q{YTY4AI z5`ib={Vkx!(Rex4;iv!bN-pkua4a}0#o$IjlyI-fCa zMfqfOE{fEaBEDoQld>^qV_wLzmEol~eh}A&c_M7ptgod!n^zquJMSaXV4$q~A zgTLwo+mnzFyhpAW9g4W}EBc1%!dMSxec!l_7CaaHtayIL75f6oG-aHh_blB+`3$Qm z-X;Br@hX9`bP#Bgt%E$PYohF#DHCCNPF`3C#Pun#c%(~0s1 z@Jci*jTc^{2A;4CR;Km zWTBgcV=j0XWAPq-HPv*M?Ky#>uaS9vCgi_WScG@#7)Ki&_@1s3**J$&G_NnFf{%)6 z@KTO77c5xjhojtsJ1ClvKA0!P!8tfV5M$2-3l{lU)AVQom^iN)t_J~27QTTjNn*c6 z)}_U@0O(=Ro5cH)_5?$(1Kq2553mQ@lAeQS@qP=8yY13m0%s3-zMqZ0mtzRLz#0>1 z#^&v~BZfF}(%y2;%XzcaSu6e^sDU4p;S z9;^X-!=BR+u(14q?lPD63h_Hf@HKwUJcyq|#(3ZicMpEQ1kWX3L_XI~;F~pZhNHv5Ljca_=kh4L-M0@{bYum|z!~h5jXsXT&ZBp34Du4%pAY_$!-! z8@RlqtdRa0&Z7k1;4#koFzgsM`3x7#)v-Uif=#%BI=k5icm%-TLXN?Ufu3FgeI)Iv zbVT_TME>lec-a_uMH#%WQhLVixg+XKaW*BvQ4ug?egFf{vH$+8NFMLTe)+J2fZn8d zfGi(*KHpcQHBsLKjFMc+6lqQJ!^Fh}6zF&<*orx~;7nig`Qi>W0`PEMw8n7Fd}u_)Wr& z@A<4t3-=w^!?2R~7r=+|U<<^fg55rseb}uix)$zvzTtv*obJPU6gbNadqt{%RxtiV zeOR{LuMMT7b++seD8b`w4VeXfEf;=|={5Y_HzKA@EkWloQ!vNR!eixIrKqokDaa>W zLp~Aa&}B=JPaN>Xa2$Qr;sZL6?T#F;C;*syFyNJnvmYEeAyU6$&+!+@>K43 z9mb+Uus<22uuGhX_mZrY;%lekTNjKY9c*C=#O2P#x8Vx=lY(HE=;9~oO+yP`6r z_DFlVjPYnXrg@$rwSj#ziel`i;JFlsgmpv7E~f*pGlPs`KIV?A2j=y`kaORGk4IqK z1;f_h2bsw8gJ8(L5Iko&y9#{L1NPKl_(tn+<~Pe*57=6ju=l7i{?zydZ=&eiwkvzG z&7S9;@_C48Bk0Iv|1bQYT|l$kU-G%&%pXd6X1qrCv3tTi+Z8|H6h5{8U5riHkI9#m z`RHTBNTai?Qv{MO(E>kTvfP-7ehm*F%pk&px_>v zg7WG>e>n~PrEWZx`2qLW!zp?T?(^zTcXW=RXm`A;-C&lZuTVR372vXj|9M+{KNJ0Z z9QrShPq{9}w|qZYIU4Kk%KSWxfxCbc_5#eQb%}h>&s5kyQxi0h4?2Nfbv9T~<}(d} z-*@Hxjr`66?_xnOnW)z|j~nu^U7WwkRhp&8;XUIQJS1HJKl&56VOW?3fUBfX*pXV` ztbh=F2VLF=>&l*i(Es4S6iIl-bJtpE^XIt6qWwX*pN{q)#67qFMEx0Pzei*W{Ague z?CrRZ?|*!*EZX<@677w}-e1D+34)l*0 zvhW*rNawM$Txn^Jx%^|^8<+{+?*?0;bDE?hVsF~xEa27+-#J451R%c|bWmS+iblJ; znn6c(N4vNkzWpisIPk;kKrWc4vz`@?@>22bN~JEs75C$`REA-=37+bPJzuge))O%t zrzXUAY$UOvv*<`wjkvncCL zf!6Dw4Rk#0X=J%I5p}T6;%e|QWxCZtr{lI)6qY+4#y9&E)OfklsX-R*Wf%ptHP(Wn zPl9&$fCuI($|dG0o1}lCbU2B66U_wsL|?%+KLKsA2VV0OjwkPeU*rRq{=m&b(4|gk z3%YawU6vE+G8ep=@A+BT59reN6X;UPQ$&}x@9EMRb>*U5rpqS=x-1Jgm@e6##Pefg zx|{*p_)qE5)E4$;2+!+|iaI^UeiFvl7M{bj01gLX91OyKmd|lrDOic)U^eJvjtL*Q zSAV9+2WA@hz)J7|9tTVxZ9$J=pgD7;Lt>!P{3Ms1sIX1EhcRiGFKuBy!SxLekMO?# zs?c*b>N_Zuie#I}_o(j&)OQxwLX5Rvac{-E27G4|>I-Tx+wq`KClb19*JG$}ltOp% z8F1)^GDO;r3&tlwEiZ5DWU^xgFCN)0ISHk}T#qRtV(dE|kOf(-roKGZYSq znA;`s9E^ELp~60&aK1b97QSa5f^*s=S%vXNxQ|ej6Wht}xQ)!S(C)`BIAf7{)*y_% zl^A>eXx|{Ti}AJ+ZDT)8=4JOVRxAZe^Y-twjbjaS!pJE?r%2?B?N8Cu(bidjQI;Fb z<5jBBUKZeW5--)I=K-JC0|T1Hy@8k3Lfy5XCjgdWyp(k)e%Bs6Zzbv{;Kw)*(=1}e zLEo`J{BVh<#se49Gc)!DuyaP;uJ|qt$`Bl+g z`U26fQ;N%84m^)_SZ~nOImB{s)>3pL=*0zdIL3)s4s1Uh*MaMvjxoSxHbA|c&WG%{ zk6$gcfoYP*I-m0q0-h5DyYv~*WTAm3&p;kL1YJG^z44e^!*nTFi8hMsEEkZzo(CNQ zba)*$3LfjRuuE`#hnV*w?{r+R0}p;Yu2C2Bg7TtWl+RS*v!_M7LGk{;9FE(?`*PT> z$NA)TiLuUrD;}GsdVB!R)phohWF6C&sZP#1sw-rTuN_6(VIGl)esQi39Te@*1@!R_ zgDp|!2dgnR`m+k)wWXw62K}4oNF2L16?3Dz8}#n^m@Apikpi&qdJyI?39$K3hkbtr zZ2pN>#N4|+OV>efp{Dl%(ozW%7kIBp(!p`JJ5FM8*_t6 z`FIlQ-U9oquY!j8Riv)0@9ys`5Vh1VGUW6*s3L;f$uVd6WXHhu2^DBMY z=zjXNv4i~5mXFq_!S>;C^j*lgI~bd}xaMITm=}he%ZH7m7OwY|jvhg{K2%ol7>es- zWkrwqxIR@ndHjZJOCj#p79>2L483_BnOPhqbBjA`} ztluKZHm1dV+vFC>wmVuZu-zn-u{bT*T09i&EUXpw7Vd&oV4zScFj6QTI8(3=bni6X zHn7tS+sICdwlh1;wEf5O`=b25D8Dbt@B0bm_ec5tQGS1v-=E7j2mBU*-xBbfS?mD( z^#Okj;7M=K4l$_{Z{% zV0TAbZayj8v5v}G9F6Oic!wM;bn#y%x(nqj0^_?UMhfLEX2$nO+$1@>p z-ii3}oFh=M2s96??A^Dpa0kZ)EsPcLQ{bme`&77O_&#L}BF66H8;zjL7{=o6(bwC{ z<8e%?zCDl0Wux`&58^j&+QFdl_%O#~5y* zS41&SI;z)1F<Q0C@DyFY(l&gynwa!HyRljnXD5+n}4gF$a=od>v zznF>r!h9?S?PXrZ{lff=`-OQL_Y32n+r|CE?c)C7c5(l3yOT~ z{M;`LKlcm6&;7!@UW6b0Bf^jV5#dMwd>sB72Kc!@7=G>#hM)U`;phHh`0*b7!TrMh z!TrMh!TrMh73zY1aY4USM!$rhUqa9?eal4kyDjlzn!G!R`SE02nI~IM-5tbyxy9r? zLCl+v;>!HF^VB^-%%ejm?+udq^qtB3f@EGDGj)HE%&%Q1X9USSdmZkXZ`Yri5#*0K zwag3u4e$1Jx!%4c{!JA<(f8ITTq`yL?bx1ZQPB%DV}ByFV&f?OM&#+x)tILN~kcb#|&872{MT${NpdfB$EB z(1KKmnJzqDbEfb=YHvwx{XkY3+GQ-OLNKR+3_2^;4c(e?z&K+3Fm4zxVtXM&-{-@e zi1U@ye%O}9e2=P7d$uEGWEX(ZhV_C*>k7XI_ zsqVP4?5m9{>#Ho=SpGG_mGxGZaV!H_#<2|C2pPvR@Qm{TQ3kTCV;RV@j%8rXaL-AVi&Ja-4b2TvBhtTlw; zuZAnb-xgPv>4R})_>*vD_;=vS@QX46@QX46@H0M{$1*;d2QxmI2QxmI2agtIy17Mx zDAO%0#sZ(LyT1lLS$`i7e6s9#3w*NdP--RFQ3F?&9qn*s**64NmVNX2J^Eo6zehhP zzjOn<_7*j8W!cvbSC)N4aAnyyA6J$gyKrUM!T4v{!T4v{!T4v{$M|QwGyYljG5%Th zN%%K6;NQZ4e@hDq|7I49e}e3G;#&|L4jqZIgUix6XK!4oP*FNgzssDaH|DWiCpQImQE-%kVS^tygqpUB<^HF(@ z|EablmaS|@lIAr3;}idrtN)X$|C6hhq8{`=J@kKi=tuR?|4^>J9H`&KwwYH${5G*| z=FO-Uo7gtPHXF9hu+4^TGrB3eMcd3wT-i3mHXOF2C*#WY8MfuHJ)LbiY@-RBvIq0N ziWaAFWjhVqcG$jt0av!w#7sRH#B%usu54##n-AM-*xn=Bu&3+~Vw?NJDF=es?jAFB zZ_p;#-d{}J7xXaRI+5)^Y=dXp58Jrir(^`NEq)WOY>#JK5ZmN;;OY(ALrLx=9;-mvHRz@F0t_ME1oJ*O(Z(^YbbV!XOna*blV z23D#Z6Mb^hh(Q(Q9GP!M_q8L6ZOKWZj>GJkDHbfv>dOxz>gn7hYMgV^ zsO8ShqV_v~7In?Jd6aiSp@Xyzp!~=6iMQi+h-+}UH3Yz*01QgNpc?$7iyCWj8mz@> zu@h>NLw5)Uab#YNPI1sf|OjQhma*QkxFVN|k&H z6j(!6rsux{ z^+$VKqP>VK*{e0$+Xn3oKzrL_E$5`@=OV9_@D=OD>Ffh0KjS?T#%cEdHcs>28{_m% zlQjDb8^6D8lD=b-=2&IM`8l?!ahmrR7^it1-#E>Fg2riH<2Oz}FiAf&Nk1}4KQ>9T zpQ~|sym!So&2h+#)9n9goEGEF8sV2?(;L6%*!;$6_Hi>#!{4n~`i)8Ytw}mtIdFyX z_ccf^>#SbJu=<$VM>H4u{p@nZjU#`oAyaMOWfO*nhx*1&n>aAH(h+Oo`FXg)m)bEG z`NeWdV=tLNUgABz;cwmF9-FT#K)I+p7j@^>fd2}7LAdT4@F!t@h3^Y;(Jrw*)RT*P z?&8~glu=TB#{_E3dF4DPvmg)OxC1twVE!r(ZAJMglfTz*mCNS3;ls?nId(SqiEv8r zL^C|xPKMb{eQdrv;y%BJ8Rg^w*YDe6fR|&Y<~nd460StJ85TT)Zx`aJOKr-=_c{1p z-bWz$8{yp2N$?XxS=ggd@F(^r!8csY$NB%%qHmSlx6bKvuxCW{p9d{)pTdXf{og{| zwZw0>;kUr>2K#5lKeSQ&(;KcDH^YtLQp#|JKfU<(v1@6=d%3(gL)x@F_)&|0|CFzc zNj|+HZCW1sN&J(`(;L#J`RW;-%lYCAX&D~5UG+`!6&n7^n&8Fj6Z19xNIp~eLQV2f zobox5+>_ZU$TMtChhppdUwY8~*f$Yn*g-F(mbdYnhR^e*Q^4J=Fiv*xGesk(~;{%SXH@T7W;Ek67!&5!J;8voham#bc_ z5`xxRmn~<9KOAhtf4bxQo(#Ng7SVLWiOEwo58PYxW%9dWPokPV_No-zw(n4oRYDH-)^HNHURxnd(&6I+br9~-)Ms2R5(mFFzYZWT<(xn6oON~xx zrLfePlZ8&HveK&Y(9BXTlrCkZGAFG@X{OLwSXpRGSqe%sHI-KBGzxP~=~8AEO43;> zth9p4Ty3teX-1(6f`TJlPgMJN)eN!`_1T`Is(1O~mMBI^uE>kMV;)D+@D?N~8{SsOxzFzIHw8yh)+dA0xX*GD3S^R_s`{(HMr|ueO z@o0f-<*y=xCU(8hfBxx^trcUsW!i0+`S=f;5ht9R9=Lh7#b@X1t!cKi`jCUAF1HTX zep%zMO3U^o`zv3T`RV!Ght2P34*yp7*Z`-Cy4<_h;yOQgF*$wMca1)e@L1^hYjjWh zw!_=4{H3?5+}eAGvi+h;cRG2hYSQ-|S3Mo-vt)deDOGlFANxk()vMYUi|W_@`qkn; zXUyBIzV2>4aL}IP=jisCoE53HLdy!i-ET}!v-0+=u(4s`4|@YFgEO}LT<6CpSK8cK zw|tcOdY7TTSadTch&~3AP?~mG8B7&TnfF!t`&SI{^3sk zCtzHg{zD#_AtB%Utnw$Ha3yl#iWDU1L2v*5p8*1ff}8vQ@;}BStr^|J_QdB(+8<@# z)GbvY_e>#V^&K_sZI%*x6q~gQciuSdg^gA}q?8J*Q9(oBmYeft-ETx8miw3YeyF7t z?c>%jn4+ahZ&U#db}OjIEU>YrLHo5+<~LANyU*5~D;Q7IJV}31 z?L)LW=7NLU9-{HLpVn||j!h@>9voX~%p-+jRt6{QSZ zR&RinnjYLbU{(9Pf{s3#zSH5chAu`ooB!sHidt^n`Ofc*f<`({Ft6BMOOG0S-levK zmVTY~Dl`+PPpAI2y+z16fx4VsVSj46K&s8n(y#4S)9*XVba<4mpn1y&^z5-$L&0O0 zt=pEWpjh3*9@{o5>3j8+BdO0+q;BzxHZ?;{9q-!q`d-jdy+se&r~aU(n_om9x2~ii z>j<-B%hf9CAf(O;84J#znvv6Qm6rPd`etn|4x>Jm-l6gCeOl`9`NO9@>#E6mR>5L@ zeKqa>Vnp|(jS8Cn`!80$^EI@fMf<%|{Z%xxW8eCNPb%r?>S4RXLKU>E=HrNotJSp9 z?9J?qPD(1J-mv!I91T@i^zDMS9x8gfqP63#`AX{U)WA9~PD2OFg{jTexHkC0`ILu- zs=YdX$}e6)lWs>p?en>Udba%OX~QuJGAkT;BoCYYTePdQIP!anb5~FoY@L`mPoS@6k6!V(00+EoX?|w|c2iB6=n?<;ijo#B^4;U` z3S7i{`S#@qN;PZBHmjbX|GnE5-rm?mMfIcYN98|Ik)QUleR&swx-B1cdHDc=276v< zkl9;BhigUb{nANIYiCXvw-b}(hVFM-zM4!lW60OHg6svF8&hZU*KnG4xaoMLU!szt z+ucxDG-3?qs=TwtSqNHn=xr@zu36J2PeNqbOGdU+f*K&x8YCcPi-ql7$mCl7X z*fUB=aUGxSDQHS`E%?BM8b_2gul@P&8?8}O^ASt*WwStsH;2$Pm6nEFIB=p*Zw09a zbU)<=xNiJ3r%vKRHJ$0R|F<=5iEcl4>eaEVKvCU2r(PVOreEszJUXR?np}pzJk__i znp)1?(kCNQMLsUkYERHj(=ndGdpckvjV^2X%C%ZLT6xB3TO1D5%jd7Cc7sD0jZ z_B{n1zPE1Q2p=V#e=#MzY-=qoy@P-UONho6^c&NDvYI~YRgmKVi^-3^si)lo1loNs zI;gINmYVf@GuzHhOCx(NQ8phzG;rX?t-%M?bg@yZeTRdI4lTI4X!1BE~QyZc(88NK{+9*@@2)2xTXyW*_lwpBrK)ys^p zhJ(&7j9>ZL2uzNWJAZ3#@jy#8PPET|9j~NsLz_2oo~)(dmWS)z9jT#-ws$rV4hizS z^4Y@L*pN9(YjI~@Hzhfb9c6c-je>r8lNz71r}n zNyUAt}=iAAB{ECW|nH%CTw1M(NlH)hg2v)PLHhby&-B9 zRQ1TWzbfcJo2&}s<{`cHJdV*?6xmGl7r1&%E#SgYrFReD@z- zW0Tg|>bs`xuArjLNdw0BfG6&e(o1%BgxnckdEU4A=m*EC{i5%e(o)*dq1n-Z^FV9= z;VmZ+RZ8u*Zs$ZCv{q%r%eeb0>S)=j(t+0+y7Ir z*>=Au==HQavphO0>DPkcz10sCWUH(H+*_}Kesiw-8H}UBBW^C8P*+QVZ%T(dMQf?7 zRj)>?CnBK4&MCQP{vf)0_xzrBqZL%+k>{A_^Hg-+?Th$du4&0;fMcgV7?&;WuXU_* zS4~%b%U@NuP)P%P=FfCS(2_=F=ew#WLrhUMA5>7c&D{ptLC>m} zJ8kKuK!M)I{m}o!U4fpxGXEj;81$8h$tlCvLQis9{BRxk#_facnr(*uQEQUj_nu#= z=w9Kn2|KYv?&}@pRz`1wVf5Ujnf0-oc+sMyT@K?F)MuG)@(-<`*DD9U+&*1Jua<3( zt7xUAYORwdeDfRde5=3fuuLU&$S&`laZ61vQpev@TvO7+dHGFhTPvt_6U*N!&(u)R z^eOXG>p<^#^2Naw!CE@GaP8h;1Xil^<#MN)ebuzFa;|R6V$hS9`{p@ctI2I#+Sy~! z6GlvR8{`;4bpA}Q8P-cx!0&|FGaWQELKz+7`ADF}A%T6`Hqp}hgMUm7gfsfieh%Z$ zp9Ou_iKwrG+-lYFc&jVh6l7U%R(yw0frj5$nLFJ~L3Qrkosw8XMW=6!>)!+NdFZt6 z;b+m`^(?BZx8^~w9a?%pMm;UXo~qsC?I`%na#>W5f2KSnswbRnT z6Th5ot|#jJW6-olwUy+a@pzW%i9l7BIW)b9*{j8bHMhpy){t^iy{^OetI1=`9eY>k zvAgSK?9KR6Mb#UWPy8BsR=4v`bArmMC{|Nt%Y?mZI@Erv+k&$SdQ!LE?g8Inv`K;IKb2Vw(nt*oy-svLpb{lPY~(id9#x#~(NKP2Y1@IF)b!PYDZ3{g73gkgTJW!Z1e&n6%eWB;0_$40bYf0<4XN&B z-Ms!2BnJokoq2cpX=~tr&5LWV=0ML=?R)a}XD5NG-G4VH?~szzK5dq|R#Q`sO{aP7 zY&CRWv%O|A^ywQ{Gg}=Qih0e&Bb9$IqoM|n+8j~uR8#v$cOD&m2RPf*3g35HNxjp` zM=TyiR623gs`R@W+W2GphjkxAFCKryrAM5aYAq^=ZUa41pSkk-e&})WTjvqI5Ga4f z-9JVKDoFoR=Jl)^mm|YewXtpILOzmlzyG!>c*+4+K+ux=D}$1&|RB!7r`V#s!mNk zxkyQO#@HTveOOJ3y1lFI1HbM#bxF4uYc$kieD?WRcY!K8)lzH+AKTia$D{f61S)s5 zPTfZP1)6#{VcBTt2N?l(9m-&yaeIKa!M6<+w4rX3PE#+zN>m|dNfTcU4c>a;Oex6U zIkR#ag*8=E^b*(UtLkI^GHk@RP3j7C;z*Y~vVz>MJEY8YrG^r+vqv8KOi4@o6_#K4 zoj^z9I=pT*L_@3JWjydc1-W`<=&*iTfsR=Xzx&u)OV^w3K02_BlESRpb#CDezVfc# zx928k>6a8gSAWc>svX)L^e%xY@sVGszYX-2>a`vJYzsNNWqs^e7?b|^X4JgR@i^@I zkC#6ltgN89vmDlVbcP(C9yIL=Y>y2qOnx0#TSJRp)p!)uoG7>9!WGR@wDjYA9JAB`mGt<$rt=@#hui* z$_Q-AF4d&(SvSn9bZdl`(38#LzsNWr1wAbx<@said9GE4d^IFgMdvIo%(KUM&HZu8 zxRs#mdmXzu)E+C)imZc!n?qkJbs)yOQgbc6G_Ua6^L0uJ{?2NBw`m%xes9LO5#Xcy z-8}OxuQp=>{BoQ?YH`5)zw@O8s`$H3EPEt_4j;#aF{Gg=TW1nr_U72W8 zwY*W9O$r*@>f%5@GZjsY2$^xR66AROQ3qZT=)Yl^!(C2kDc(x=uKyV=t*Rglxb&lv zo*#XFMGrmy*vfBbLcO7xkz=|}xvZvYv|#9g-AXcBzrObL-w>oMu)OZGeW071mG!K= zG2eNxyH>M{D%zR3XVb*p8amMa>eY==N-F$ncrbJcXM z?A`GW(6`?1*wJd~C4ufOsoG&+6*bvbFIWB5OQOXyRf}Whz$R{gzC-nuO3E2$_HJXK zk{ULtrhL;>MNf7mz58jIg31O?zS(C3QSjkmHhsU+(DEC1t~g+x^DH@LVoWPFUG4aM z{e%8$YWvfy;T>I|S0%KLsU0oQ)%o>Lznl*JbiBjvs<3DLtoO8f6$3qf#d%AG58y1n zkrvlg(06a6mR?;6{^sVEmV8u8P1@aj@H6z*!(VOHHt4CQnLWHecXUwE$(Jjd&+vl5 z^}8FobdILBVUF)S=#O=~uU(NoOi6v)To~ksdF#yf$CsqTKGL#~9OyadPna1H6t1NU z4+8Su{zkNa___|RSirrY{H4oYd(3ZAYmHgqfN`Tg7Lk`C(9R}%Z_KZvpp#SE&ls^m zN$uWUXl{@Bqki$r%~d?Kv^;!C=L4N#Gp=I$@D}KO&#R-Q7NQ*^J8qu;ybR{!Cz8_- z{;8yCyGJIEX{Dku0j+J!z`tX!y|jM|e&*Eq;scM*RdjR1pw{QIP=seo<`lVfuCk>Qj zd1&fgd&uR~O;s-^3>N6R$AHS3#o*^X%kRq<)bv`DSMm3bD)Jq^x#Gg#F<$pfn0a`= zhC;XJY}kGd<7?B6YwaczZ46ylW7A0$jp*#Me$`GTof-T~QjJ{5^JZx$hJB`>r|DrE zcRf;5tI$2?t6f8XI$unwI#(b^>)DK_4OMuo0meK zZYjU@cPkZHU2|yly0w}{jLU7*b&;CF8jp)$J3)ic_H}zsQc;MXe{emNx4B!8aCMSE zDbxIQS214ap9&dR4vy=68g}X54Vy59-Cm(#;IH-lpSSJ`IcixxAhlT!B{`_753bb$ z^Ygt90ds8>^sMXdYvnQjo^UxN`#kIwmX$7)+7CXtVd>=FOUuEIw6%xx-tRPI8QP`I z!{?ZH)b?<14Snmv>RI&`$G{#`b*Op!QkYj?9Jl8C%cy^P^FJb?XWqVi?~g+01Bd5z zO+GXX3Qh!)s#aHw+sk&==)emhGfh(?0dgwo_og3JpD2x-;g{5toM_%)|USyo`%((mNIT zU#rpQMT|gO!hh~ky)@dJW3e*fv_NLsPRS8Nz)#E4uzEs^xPS&#XLP*ZA@b|t=5Hf>lUP>74J@7dQ)3L ztFoI~Z||X^s~)v|+bva7{_MTSJV9?}fjtg1^HI>X_7g`feg`{}rPbl=Utw>H9uT$& zLHd^X?EI!XqNtQVI&a5Me}ZqfR1Zqps-dPyd(6*zD(T9Z_#Hn(PxPA87E>XnLjh(hYkDfAf ztHXt+n7{O#aHq~44PE=(p>SB5K&6kygoeUVV&m4)b1GaQ`oSwJ@8LzF-^}|>ueed5 zMb1w*PYhO*)qRI2Uxusbn;OHvU!5e->r$;d_}A3Xn{%%+k3v5!-G1Esut^%~HO<=n z<#CKlb@r7zjbWd%YxZM1@Xte+_I_RJ2+I3v^YYinG<11a&R1VyJe=Cm@n-f7%rmwN z1MkBgP@PuC=A2VemliV<-Xv)$Yle2o9`vhynPuUx9Kkm`Hf>X}nSuf;-KaG14(v6n z+I;b=fP zf&N!>c^x}f*dxom3@G;#(bQ&De!tXCMfJMBoBd@j0;Ty49o$Q$BKvPVpIkViqM_yI zEPexfT~7Zs%^jY@&em#k!R1!yr@mK08)Lp*kYL`i0DAIq=LuP7?rF(s(nPJ>3DDog zEfX5<27g@O{cvy@HMRLB{qo!S0u7m#+ql_r1-+W|qno3@lE(a=c)2a)N5!nM`qb^1 zKR?P}@_N07j#jz3a|iUO3s)as@8|^j9ud@F&{A(RO=5@gM17l1d_EfdTNiU~`cy$fn%xekqf<2Wa>k-*XAeU@ zjhuKa=X))MZ8{eJS0&7|tFGOzX^Z*GQbu=#IAk)@#tSm$v!i)$Q}(x49{?lMo2)r{(Lu8Za9xtX9ePKY_0-sJN<0FzoZ; zlmEQ9c$}IhZ#p&PD(q+7=e}7uB}|}|eU#@TK!*>9jY{nSJ!|cOm_AWhFZwc~mhTIU zhsmDf-$V_?e8TIV&*;U_Q)AC8aE4y8@8-VQBQ`^?yS!^t50#eorUcj9-vRT&RU=L< zHdj%@5$2V1X2LF!m18~DRYUy_o{jr%ftI$_+@93-ia^8sm-Gt3c?r(+a2aamGJjzSee!GGk z7bfR)fZgR}UYgJ5983WVs_!`Fuck_Q1LN94t~wka((>EUDw@43NV{V4qrLl!mJ|3zaB?fUNVqH>s5?beRlRSWd| zEPT{wy2-G^p03@-4R*WE<6}BC9tnEWo%LvrdC*3$O-KK*RnUd~zv*wRhaU6p<(m$N zVE5V=Q1R67L}}%>N1aossB?bjgM4#; z_k@M8gLba_%Y&W*?Mwb8X@MQa#n3F(U&A!iB_iH-YE7&!-5av9W3oWseOLd)?`~>( zm9aZ!Fzm_O3bL1+guWKw<8|~^Ht6{0fSU(iKrWZQY+X7>MR_h8GX`ND>X$)xJG=qh zYa9J!KM(q;=g*OD84a<%wfxGSZ6`GJYX9|byo0oKsq~B=ZT-Rjs`l-cii2Q0?*DP| zPBQ%6%FK>=h4q=54}#5EzMe1t=-Z*NCoK87UZ5wz?p)ccPK!YbdbC3wp?N~IK29~K z@;m6XnX{yJCJY50D>_kEswJ62eMhVUTodb{U~Xk=gO)Sl@b=!?n8=Gtg$ zK_AZ!51?Ou5I!!S44$o`l($!0noffItM@YPnWXJ02UQe5pPc_$_m|+04~hcaYN5wS zA9*J-mCYcR0*tuZ(I@xINuFi*rV%Tje8sVo6rw70dt=@?7CB}Rq8ZSRI>Hy)dl>#p z$o73Ucl;=X8f8DxzXtbyXcPb5E+$!Om$LeRHiJAW2}pEKwGUt&+^U-Z@3C)WcHGReZjAEEVO zG_v}1YDMmL3OQ|IFj)7MK}wdW-k`6e5zc~?o=wmtlZQ+hjL&$k^65&tR0c_$>OOem z2ZeNmT;deM&)t+%V0I4rqrVg5HV1sw&VRov7gm91&FYVo>C%aq+`zjs^u1eaWM^H_ zA5Fv!eDmSY1(mry=g(yl?v5^VkKO2l3{^Ky{JS)P;(vc~=|p(t3i{^F3}WrZTC5;P zCFOaFyEOMx$*}Pj|K|^>BtS~4xCwkUhI?V(Uie0w&nK4m!mk-0^nPCVj6&`mpC1r{ z|1`ZQ;%&GMlQd-Ik8X-#686;6@D$+UxI2Q4#aM9H%jc|f7`)Oxv5?IW_qO_k?Fl*f zHV-vCGX~ixM6O%pd)X!Y`-VfMnK&=)ql?63z!RffjFxhGP>77*i)SZ}qn;`6_Pm;n z`}}TK4=3u%n#b90(ne%)ogw_E%S1f%@)yr^N+$X=7-JWdZtv zw)C-8*6`saxtvd|34k76$6x)n27cS&fPbpr33>f2>t8FL(`kb?F_RCd6C9UZH%-&w z_tuYQcTmXZkMxfttLWr?)xio(%af-KFQkQ!QpxC+htmyo=)VqGPA2fhodO4fPNOcq zwk&x5v`<}IHQkUE& z#QbvA*b4;sGWE|zJo#j%1}q{{KgQ9&+-lR&_RERJQa2Ue|@d3qjCa1 zGaDDTjyC*xla^;cU*<8$Sg4!e7x0}R4wZ1{2?mLJw7o*%0wEg2D#9&}PR>!xyb=@P zrzWXTqJZlg8+Roj7DZ+M@*k-QpkjtVlX@E@6QWnlgqkMCl;RZ=NK}` znY=G!=V8qG%$XT{q*BS=!X4$*QPfwZpaPd58tEO`w*UHi7-hV7`8MPJE>_&K>m<%+ z-fES7(R~c^;nS#~C_cxf^Z#@X!&m>!(zZVTg-WW{?2VmyN+nONS{q6q(aE~#k+nEF;{ z3b`cWSX5t3Cvja9{>c@14~MwUmj8x6x3Jmm&OC)=Y;@6@xr$uGUU|_roYT5Ew`JFO z7=&H@Zlpf&M`o?t(k|TVb=~DP$#_1y?Vj50@qylMmKO26m_^i!lyZ2_Gsx-1BSHh} z@aN>%9%W?!r_x27TIzAXx3T|n?qLzP_=X+2O-yn{+2_G9^q7-QtDYXNWf4`am^Seh z@Q($OH0=*V?;O*;;WSi%|k)4o@SCdlQtyyGB@$rG>h0voUR<(G@ zQ%G`yrOG=+_O6=4YafyjhregfiWt$wycF_M|Mq5H zV?wl@assly(MbV$=TGWrWb_Z`#~t7uj>0|j*&@Zm&+SwdJ z{$=%G{?8c(i^Lh1ulc?*%inuaB>`;u!#r%dhI;1Ri8mVU3P4_ zI>{odUBtr9>A^3e2*%#P|4%)UHKhhTSDC?`GXlI+t1eG(M!o)KOUXVNhWw1vy^^OX zRI=V~qrHkE{DzV1_vz4AM|M4L(7nPW7fmi1mf15%_?pYdWh3DezT3bp@Bn#&fqjnY zeT2M|l52Ql%phXJg89Za@O2-0c=8;llm5yb7x>Yi3Z-n1`~i-sZ@4~?9ZSenWxO{N#My3~whx>qqRf$nVrO`agnRqQu+S9|v4WF)n^Q2i`udnOhhE-KZh|QmA(y`iblz8@o&< z`59-hZXSJmT0weiFa!CC2wuJ{7wFc(_N6b;A6tF8UuZ)IS#z|jYsY;Cv9j)}AGydP zInB)Phrus&ayFEesYBo1d+VzF5RF6+5At~4MW0E#So88Q{Fu+wg&_C__5(A;_r-ue zZfU)^j(hf7w=?%A8}#To&bTIS^ojN3ouSCHnVDSw@c}xh&cu&aGx#mb+ajJnL0)F? z*pC$yoZ}bzo5ePWqs~}noIF;{B>vB+lSL;ntP0vni(eL4?W+&zY9k*jZe|z|T%VHW49Cb^eK?mI? zDLfMj-t4QXsdNdt%SykSqA#H7ly@c6k=rx4yhtbup9Z(flkcfTKJ@ z*?v-9!{@W9J1FoN{pL{FEj{Q6+C_03d;{Q5&i(%W@iekWvX(NuCbDxi1-_pEMOs#y>HG~jFMvKkR4c_vd8{|0@rpI%be1D+BY_%N%| z9ranGBgGqfmbW?-!$!VY#bt9~o`x(DyEA#*0l+E>Eg4V`%XNo(r>oRhurPDhlp zS)}rATI4wDFr_n%ZFf2FFuTgdj2SxFQ@(^%EpNcfjL_L@|<=~lA0H3V8{BVXeiwG?Ly?7OL z!~~9=yZf*l-`4FsYy1QByY|eV-t&6qFH^^t z`7}*y2(O|N<^uWt1wWtRBA?jnq72e1{yy3EByg@;Et^{}ZU*pAZt<-E=tM8#*% zO;W&nzIm!i;Qg~37V35b|8buwdcH4^Ms!n~$}^0hH#jTMS(5Mt0_P5gu~SJi>9K0q zLL=iXE+#Gb`veA8-&8{mb?wGi754t4?N>it3SCk}*+}>l_}wnx0oOvj%LOL6Is)XFyDYYr|YXiBYzUT1g(*C5S3scG8&jI9?3)6c*k%EHqDa^P8IAG{s`uZ!)lNZbWnuYcNe z!4l6;==klR3Fv1dZH%2V_=1bHhrQehCkT0T>E#VNACp|xioJ?2j3PNcD=Tbwvq*IR zf&KiK@Vshd5^BLCHd?zUeTV)PuyJbj=Ts&Maqv|M%Y|?Apx(k=1-#KBX)84xe9I-U zeDVnDCWrcxTXf*6+=Z5R;5FanTYMLWX=MAGiQ&+_$dQN*F)yQ@o#ych-{OnU-J1LA zz%J;1$K$VA!VkEa;>;*rK_ioEvle}X?zQ-Z5%-S?-~;E4OJEO^n%}X-smE9(=FLmz zXFc#Q_8R4f!!MKi?dzjM;4k&9sX4NVMcglzu=H;rkDxZU=M?_lfE|I!>9Np}4hqzK zW+8|7R!@Z;{P|qo*Bmy~>x76Wz3u2Pw~PxTMmkxJq{nm2F&$<6-cC9%4x3)w#1!L5|o~={er~?HmiB%45&~;b8bJoPU z$<5+(R`o{?rlDGY$9>?3kE|7`=tEx>lx7D?sic;9Px2jbLh6cF4TsSGm#k-F8D6Il z^(~zNx~=eYUbX+*<4PxqNxl)$Y{;Fg^qKAe?pRXAZCA4aUxbtULP+9&ez82-Aw(6= z<3zY81-f6&oKeyt^vhAlAT3G(ov5uBH`m8`DswLj;unU0QT|A46Yh<=$JJN&ei9;k zb|vrOj|}2kFl)+?ppmK2H|v@XQOHf+R^%JH%=?vD+yuyVYt$!3Ge44yYd|FrK+@N!u~Kqd={m*K1ZEXRS45m7ldze z?Y!QHd=|Mr`-{c5nn?yjw)sQ?Pn|my`aG^1x~u1?spznrTPrbtXzr@EU~Js{OUrHL|*|WaV=|vc8lDX#M4-b zW6)#V1iJbQkXM^(=4QJE9ZN#wW3@W|oI?8VS04!3rW1KOX)}wQw2fOnzY~3E`Ogw* z=t~o^Q*L7kbTT1yO41o$jQ06pk1tb$LRyYCS2;m9Ogt6Q(SSJ#1&4e3?s*i_CVr-K zq#wS85btAOoTu0~iQ>Xfk^3|jeLJq4|TXS(imk&|6!3|y@c0ne|6LsWT`%2NX@bj)Y?>5fB z=lS*`(R80ZlLQ_Z2$;A4|0VjFW*5FWLR9*l@?IGRIh^3Wc@OkH@0Jj=)AQgBhZpG# z1jFae^N7`trjhsR7mkcBr;}r0?*renGf3&jM@O}w4{5LaCb{qn{l)Nm&(K@E7kR-y z*J(83abnvGZzt&YA3r$y!bjoU;GsmVfZo~OaCrPZlSEnx9hS%Y{<~IN)3_J!o2?#%)Lr;QDy&h*Hy2F~18>G}Q|@Zu zqmj5aq3rcZOp;??|HvPD%aJ`(TV5j%GPe*`Ed_sO-x2v$X^R}nqrWA)*VT(t$;jHdjQ5U&lw2G-;R}B7dj9j;->ByXYKvW~ z(0`W&%TxayL++Zpma`Xm4X&3Kl{XgwFD2}x=&T2iRMLL3bQZX!zwff7D|DIu#x>5% zF;64$^_CL+fbG)z#m+%@9}!=)t;vW=(o%Ldmv|$GEo-=@JeWrMXjNt2DJ-&JX1DoX z9CCue2h{Ugz^5c70@aa=SBoxMJ`B83wtZFgN%-~mF1+l~=|`UNLe$c?;I|xXjV1bt zRFc?pZ6(Jd=;fKh6PLkh|C$qup%}?$M(60=)_FH$ED7&7rO> zR9Qb5dc-7VNyX#YU+b!nxR(KyUo#OI}1yznK& zNrLjH=QniChf7nY=u~1eHfbyO7kY%Q+ZRso@Qd^Uwd=NLY(}s;65>&FQK%;t`pGB7JSj}@H3;vHqz6F&JKFGpZU;9wtu&$qb zG@+k+Yq%|(LSL8beOa?l5dQVQv_+bdg!C%*57cvRYr4Zl5EYQJL2j*Ch1xKvCe zzT)|2y-@ptT-dstB_==I7-Wlbg2I$0lWcH^F4lHrl9odv3-UOpCytw$YnWmlsPw&J zE_B^HIV%M0F4GBznweui>Q4TSUtOzf;AdLj+_D>d)v@p0WCoK7AK9wr*(9BG4$i;N z2hWmR?!i`{n;Jb{oR;z91thw;2mDO>=b3SK)c}|8302d%dwu_H;dT zxZD4>+Zi;{$lm~y_6?}}vd{ZG${Uf3YjxWh?uIXl`}Jt?x|9GW9_3e<2w35&$xr<|vMX|Q0y&s!su?Y9HGBl^b}dlhsqG1|^jW#r?MmqiR9 zKXz$T#1ifsI48L|Cuf={#Kg*EfWJ`v>ZN(; zHr9W?Xoo$fkl#Z3wFLOu_UP>+hkY;~)uCSQ@)vc|EKB517nLk~vSdoK8#xYsS(#Gg zUVfQsh4?^kDp~wb=!OQ3y!5RzJ0gO6{?_7x$tC2AB(k~74&i>DzkakH`oE>3Mu&S5 z{8qK1;y=hcCR$YZZmDMyDMnac*naq&Wl`{nMsy%^Dd;j)S9(?W4SJcsP=*EWM&c+(SFKB!aB3FvJG2Z?>e(<+7 zp_cg`<8)$o(xl`Xa7fE&pRH>z>Y;NQ`R zP?aBS!*loeyv)8I{rDn#)SC)FUzu%9u^ObN51|{Lt?3XB7@{) ztu|-nFv(ekWulSnG~yVuHKWT5`eccr$>u5+xxFuiw5Ku2s#s$#cXjwqEXRP3L-3FE zho+@v;m=<-4eoqEBU-Y`N800X4sNJ6E#U8Y`%87Sqzit_iv2N5ZqUeSHG$>H;6YRG zm5Q8A@TH~EKYd>&A&=?BzDlbHxfVsAERAj8TMf;3B6Yw=Z$$G>-o;#*V*Wcr+=~Ze zi&izGuPzsP@ayS$%soAA;-Vc#ZqxtM#Tnqb1_$|X5o6GWQfV$mZ<(YcNZGYbf=ON- z-t6QDUv$@7MV(zy;KBFJHB;K5H#vO?c5Y#jkM+-sw9(hQy3$fyT`|WelOnVeJk@43rQCMo0pyu%WBO>0%1u_pZMDffl!_2CTidGl_!xe zxF+dey9oV8p>}8#eDSpOu$bUh@J4_2b5XcYwmZIrX1`_a!l|Fj*Ibb9M~r8EkEe^a9_&&R%^6Tx-Mj`|`mY#h;j>Bc%1IkcEjo{qjd=3w>t*F((blq@Z*X@d_- zd4E0zc;@#~-^qtFz-jO2rC%Vwp>)*y_O8X?VLo1m_IyL1*_JG*AB?={9DA^$D1ZI}M$F%k(1yF7Q>J>*Z6skPE3lANb%Qbk5thWv1hIFb5vE z()1K`!>C$&gG;=0G9Lcwmo?6@p^x;#T(@M-~F1e_4?GyBD51ybT{QR;LCme;%X~gMYW;_@C=o=D- zgQ>_P+_p+M*5UvhzlyC?WTh2K3TWqv0!GKQqXx zm4~m-KzF#$hz^qnuZXV^^1F(2##$qEE#@2Y9Wqn@PE6xVvU5KvXQFROlm(5>O3+Dz zi`SP(S@2)}PBmrl-Q@v3hBC`Bm$Ls#Uo3vUw>JV!`{IDJzaBeS0>AFVLQKfXR`kz@ zLJxx6>Ezv|p;TXaLX=B6D(Z!x_b%o-<&cklQr9H9HwF4iz~_mP6gs|m&o74CoREFH zH;6ZsVIERRg^LN^pddP}>$wK=DMpV3G$f$Atlerhb)7|y>LhG@G)^V^VmDn}i+;YQ zQpH#M9h2z1>)`E#eiOI3>IF%F|B$#xE)2Z8@DrD(KYa6ZJokBrRWR?Z_n_@0Kjv5; zxr(A4kd2F8mGXMhNa+rLlTAVJT}4`Ql3H10#h1b(r@vs{H_IworVskHTXf<_^wsUV zR~>KWrjg66?xCFBxDO)<6VefcxR&oy^n|a|WS(9$gTC=f<$T%0uPma&5M`W(-(V;D z>GRkR@Ry89wk(`aw$6fM;?P0=I!=rJ93INTcI*An? zivNQzEf?ST`zs6m`EI*up=L31G-4(NMr$$u!kuUkj`!PjoJ*>pf`(kkRTX9?beq^J zv($9dDb;i)M+0(hP5IUG;J?v69hWww;qxcCd!A~5{=Bc@g1HPK@c{-_J@6T2ZT!>D z!r%LQPrtPp?}g9(``~JNtOc=|hFUZ|(XY#i4H**Tr1e z?Mo%QUlzT#NB)RM{NeB$7tDoZN+z=YK!>jl;Lr@AlK_>*gh@>g!n!xQ#cEr;A)(9 zPeTv-fPcK9<0zdZyA6+Hna!G*){nd)-KRsQ$`02=(-*-sab&*0&zL+zP zxK1Z6@xq~!6YzzeW`+%N5W?xbo+oM}g~T*}-SuP~`rxl?6{e@By#f>}>O3k#(Ynst(O#US-Z$h#z{y{>3YwhIBlo zkrMi&cg3$US37Ynwi@}KedS^Uqbf}3ArI7^uSFhL`g8I};J!A+nx^)AphJHsN+?|h{IPZW2v0%= zeEQln?`y-*&-~Y(4WENPl6lZj6TU=s?ffNW@W}aJ)4ms>pFRnwv9P(1KJJ<%!$dyA zIB99&Uhwot%E{_Ca?o4691>NZ5mLo&YM0$*G(TUjm1AR@Ej z(!s#z1;-%}!uRw3;MTUT8T|Ts%#1qn4xDFt?Cn@|GXG~&!P!>SVL2~33w_MRHFnt? z9K`>h4Un_Og`M0u^eqT@^Q?~F<}<*ViJk{*%5&+2tLWhQq)_n8sx#~^$Zx#Jp$G>Z zr;v1t(DWJLBcb^BiBHeNPo|4 z%)Rl1KT9Y?FLl%QfNQ{Oo%fP6rqO?#c%Am6-U&3AoS8j=IrptvTUR6ZxsNSxQbYm! z2^4W#vfxMDEzNz#Pe|muXuD@A*rTw@B)Rx9-DMwGhXhV#H(Q7^?WL*g;Q7ODVh2fILQ{ z1|zB;c{+dg>A#1P;eQ6U57yOD$kF$D%RlPD?{kuOKB9*Fg!uX3NFDelRm{J$@YnwC z5~k*7Gs)d$?|zrd<4fzk=-aE(p|{;#x7`3ZLq=fyM5a8>v-#71de9jowVz}tp+62M zjtH3-Lf7W}cBUu-b^l~{OPDV9J~%Gk{RjBFAn0+__!#n2<@*Jy9x(`?Gkb_V>Px2l zXuT@xhw$?AJ=Nh9GGG!eVm$yqCCh?gY)mEN{v4qSz_Cxy3)~WeuH}3 zps(9J>nr3wLnA3A;wtfL;ZL%!oGAnz`fB#E?-}aM?hDh_LzqYLmRwf5>kaDq?iKD4 zxc~YZ>a6fPH25hdj~vaR3ts3kzYV^3^@+dR{t4tMHyx9muVj*5?so;;c#fYw8^&IM zew#WFbLkhJ|J_II>uueUGt51F-2gsSU6A4;PZt&mDgPo>M}cpLAc`~emTf%Q;l;=+ zQa*~Z?JA*?frTKUq%`zT{a4y$A>gm=eowx9r;z*AW&^w4vj|`84oOpdZo`m*4=<#l z$MZKq*+cV66Cy6FF;oMc+Z?+J2!#RB>N58GhB*V)KQB2N1pof=l{ImfV{P8cI4_v^xxqnwxxIvwRP&7I0*Jw zoIU^Hju;_du5f#u<3UcVWX%;x^npt}G6J7&!XM%s?DY?Z&!noO__GQ;%r@X;j|Xy) zVd3;E;05++6%OwJ+*hx46J7~kCUUu3;tcXkrSbKGLcr6u`|s=)Mc$`P^_g9X6MW<@ zj&BZ!kSp9@OpE^tywnuY`v$&=cJO0w6Xe4#9s!6&so@E}$ZI#a;% zyFFi_^PYahu}K!ZMdRyiE$WQwy0r3?D(oNFR8}twzFi$sC^!lo#LBeqgbDatlMqVc(eY7_$ z5xJ@Nn}2((MDDD|{dc(_AsPwC6-rqMPpx^V4J~@#WccpWdB_m=$m{UZyvlue-K{tY0WRp zb$z;G?)Y{;^pRiAx1JLQNj1&zId&U4A?`_rvlopf@fAcnIa zeQug@3NDA^P)HIRXIN}uc{p&=7>IBbS$*`@@nLCU1uvt z!jNCRCL&&Nol4HxY!^O=d_oG_SyrkTaH8*p`W?vEHvR56$N0%4KL1u5Oq(MovW&;@ z=KtsIRmROS^tD)B+8uK<_&eqPu}lf%5e@z84YV1gaZf5W6?)NF z1>7Y?SoN4QQeW9}^F$Pbteg;7mo|?)D_eox4fq!qd+H0XW3Gbho>bfr`iP)_z^~{e z8ku)EIeqgBgDATO%c^Rl&a8Gmu8!xkw#6<)9QR-Hv^8&e6Y!VKr?>w~aegwlaaBXl zXCxh_Nw~v*JrWt$vxiC+ZG5o(f8Klk$VKcMlQr# z?CYCF$SeQOy}h&<=Xx~F?A%kFkBsAa>*It-oGkKMlpYcrP3F`dz-PAa9E~rHsU?Z^h6pe_zhrk3Lt( z+2}k2pR+4&kt2H%bj_iEy>v6|<*Br)8v{<_v@^Baz6HGGHRpi_=E zB}^Co^{$nc?~bm44&ZW)#o2^>ABWKnxk&71Oc#$R1Am)bcGS9MAB`|Sa7e%Uf_W@w zy{-=n(B&$3$L`z;yzsn6G8ekp&Yh>#(~h#ptK6+tYr)r2{jb+-I|*J^q9l1e5bvjR zW{nbXWa4$^nNW>lluC~Fx-7NB{$ICoDANAXDWq8~Z208kzmzC9qdE(_W5^3<2M2nfs zKk)my6O>ZE^D#)~H>b~ozcEh}_PXcS8|;PgY1ttcg*`YcZ=6bnzwX(Xwjq!M`wo)G zP47wUuawh$yo|tS$z(fiha6F(#sd>J;Gh?OnZ@zQx4f)$Y+tk-{^Poh!EvhCJK#{a z)8Q`sf9)q#PmtFSqq)>7f!{Ars6G1>x{uN@Z`Yn2oaZ%9^NgT7P%T@8%S7-w^U}0) zp{G@MDY9QyKt0-AaNxmC%yYk9UDMKl{MFebl8-GhU-Dp8d2~08xSl`uZ~r8G`x{NB zO5lOK!k=sFbeP2Z{?ND$6MpAMX}(10+wOLr#$E7L&#aBtSn7beu818scHM;T(mPkD zi@t3X`H5QxIUciC+Z`t#!xwoXF*7O$+{EdeTIzzi_C5EB#bx9?X^s9DQTJ~})fZ$P zCFGa&kNPR}**goTy19@;xbpV#`>Xoc$LX?i$pU-E z-uCS1dR)uYr0;K?ec+=H9Y zhjMiFJC{*N-{thzY`~Yha)0Ekdx|{}H;lux@j0eC__*_PSfuCi8qt2>LhDVYm0NBD zhYV$3`HZ?*^+W5+?r+EoYSkMpISjnJ(}tdm`rNj8Ilm%!u3Esf$lC-8$r5~AQ)h|% z#O6$npUAlhQyeDm@li-AErn$Q9rcHo#E-sPbh7>8A|HQ8)a9n$+D4q8nLBJP%U}aA z%w8`1eF^<}?1xeCDHbta%Ompyd7;INtNa*2G$JIyMno6TclWf$@SS52gYK5(h<(Vx zFskY+p<7mD$-Fc$U=rtwkg0r6?6=nYb2Mr@{18FDzbg;nJ^HwAxHyQueoZZg4}A01 zg+4#2F$$?VVfbzge!VJ(v`(EXcyv^y+MnBmuq%j64hJ!aW3|4WBlyJibvFv7pg%Od zkQ!cRUC|CcofpTBiW zecMtxnOhR=cHEjp5?=?5rk)2+PnggC)Xya23Zq-4kmKN6m|ic=jyV}Cy*-s7IG+t7 z9Y5Z(*muGYfO-;e3Z5B_LPsc!eW;uH)gy z7J``MnY^~{p106dHX7CGma@oF|AT>o&bgXB*DmjXi)a##?zrq1Owk7FwXsT#mdZlL}u#=H9Gr z2J#E<+mo|bK=*O&E_`mp5B=;?o5E`7I8XCky{%tR$v-aHA)j>Yt=c>s_zV9n-IZ~- z4Zd${6vxTVRfKF<`mXUI_+EvkPnLcFjjS@;n7d^Moh(yLc79C(?u+1ilAJ*${o8iV zN5JnpFskR{Apk#H)6x3&Dd_kgGsc)ZF=x#>EUBmfKKU$RcYhpmQI{Pam_rvZ|J&{$ z4BS0XaO)KJddyF$TBa<6t}V8=ezqF<;YGImQv9fU!xZO-XMqnbhO}haR^mM-rD+MM zVVQFBm_AVy%jXlmru8v>ePGtb|-(DuY`HEF!)^??z+_Fpbm`hN-rzDhP|>z>tv2()5x~Ym)TeK z;bRV*s|u?JKA0;OJFpSH#igIyB-*ieJonn_-kntPt<>}9Nt~k%YFm9IFa-sXzc^GRX8HTLS0{rT|o>h=02;A70bD_Hv;{9{~jQO4%; z_`HLGL2}R!J{}X$Idca(P({7<8sNnpj}~oWD$_{8Ym=erGR#dLah&~m2|47qNnUSz zuvehi^pGe!_CSiA-Oc)gdvjX)cI#c>o59{@x09GZ>lI|^gLfHt)XcBpna z_Td%J(e@j$$Re?Lp)oZI$*WdTSiP2zlXqw0b`9Y9^6TyR|BDy6X$_v9FqHkme?D~? z#D3s0cK%DiA?~RTV-J3zPd|ONqiZ$tYd`vTe-|et`L%>%5$=EI(l(K8r4({J)z(OD zkU`=LivOx|L*Lzgz!-&-Sd5FgAAmpX>9eEh5BP>^=(lry-YjxXa)wNgB1g7YDQN$0 z}%oEiGHx)4V7g|YawV{)&FPDs; z&R`C%cx6<>QTQU){)(z#(1h1ce$f;`jwAKh(FEvR4-6+R#6y>(H^NY^QmSfLU0%gVodZBo_h|D4b zjk~4rGfLHpD%;tCe*y&1;0tUWQLieg}qbflR619&GUo{^7s31)`XH z)vS%x(ldjO@$2WmkAm1I^V7ukBY1Gftf?Xoa=4oc8D~Q?pcf1KCp7`L3`X;5*SJy1 z=aZ_hUV^Xg)id3F2L6>^>Vmv6=D|DG#$C<70baOPet#SILvD8QfHZWcj09n~i-F*! zW;&y>xUZdEWF{#p8F(Bb!n^lfi`h550QOSL;zVehDNbZ8ay_Z35* zt6Oxj7xsX3Nrw$|mn*6zGdQQAwLN>in9yV0?Ya-ZH_5tqU%E*KxOQDp-e%-*)Cz8j zZqGwrOUY}!KluE>TW{ly&DcX`%<5PU{Y_PRh1CIfauW@`2L#_F%IpDHmkE}lVpJk9N=OqUZ zexi|I12i?CLij$ zVv-N%|NJUnhdpW0|CoJ`X(WBw6Uj6- ztt{Yuv#!Ll+t7V3oWB#6i#&=#H`VGVa6(9JhLd3kk&ibS6DC^ zdy7W4)|wt#iT7j}Jg6)Z2R!IBbSC`+beSWp#entXrmlZeXB+T9zVpZoK4(?a*a1!C zVWQa99C5)t6-f>0TeSha;OK?+sWd7HPHERj1h05`)YcGzm z`s}B37{1iJhHN|tdZSIO+unZcVJ>;SPS6JP2DKkkJfU~1t7}f&M}5rraI)$t`q!0} z)x!y$*q6A0?+N!ygPW35czL9gGG zR;>sBXt&Q}u9x+=*GhXvi??E~*zq3MGF9LUEsG*YbtVygWw9n>73y!8b;@tz_| z>n=e5`Q;>cOAP&bWIAi|pc(S%l22P|;RinGXf5%>drOL0%Qb*=vHCdk#1foK%OUO9 zS>zA}+P{SdsN;F7L|!-N!g=6RZ4YKZ&x#rhoIOrQU3!(N*M;X}BT+a9T*daif6r0i zq|kUbp8fF4T28nQ{>6RMW>&ZF=3$Y`OIO9F|I9?>hOs|vUSuvw1LteQ@&(Rh_#<=n!dgeMpFrl}%sBMF*SyzH8bWW8 z-~U8v)C+p4TAh$%B!%34wQ@Ar0C>H8=dWG$gd93pSwm|=&cibzD8`TDzEtjFkQc7~CS;$aM8eDX_~7W(?h z5=ybe3%*7o%@biUl)-wkJ&Bw)*3^(&~qp1&XE+XKf_Rz;}qg)TYw z)Nl6;l|}l(>O}T$2d`8b+qMDo@Pch;59GlgxE&SgHCKi6P<19c2)wR7an78ek2T8` zoQt@RI&<->Rc{gYKD1J@=d!V9o$W**6?#C=*fDye4E9yYTWsFtg*sPxq$msbFj94T z-!OFd*&n6x%a9KqIWcs`2|3idKHjFcnfP9r$-M9Ya|3)7w>ptg`0){wy@iWau&P19pDZgj zl_iui$#K&?Z_`nSo~;=eL4(9O1&ml)KZWWV?pJU*qny>NO#Od_4l~Da^ia%La(V=LU-$VwaIrk8pnA@4zHI=*cUf2 z{9zvF?bsmGoPQI18a^bf5B_-|K!LvbtBKmsf_}aC&{!q>$rBnAHbp(yN9O4-A%}dlTGYjmj|t$7zoK8C ziNt(`^b+p1GSDS{Po5c3#l4)H-e(WLWK+?@DpUCSP4008>)>Ci9_4Ng2QMl)eL*ku zGIIW6)ScImpW`ygeH3#DyiI(+Cog=Nogd4Fw|XFVbYs)aW6-^JMpQ)eB*3Se7Z5kN z4}af1VrMI!W6f}B&u{e4Jsbh;J;4fs*Ibfa{oEmoy`24#(PJP)A{At_(!v-vdL=ip^IrUnM+?*;0LGh3RW^X9&KF$sM8?LX?? z0z8VV{Tn{#%*F$3NJ0W6Xs{%ZB_3k4o81U(k|mqPA-KB+5AN>n?(Qw6rIePUrACF8 zQoIyeqyl`uGqxMr=lS06`rhmMzi+P0%$Z|zZw27WM~<1Jfp>&N{mPOL@g79a zuYWAx6zdYlQ@vB;u|Dwo<{9TJ0>}5=An@-rj(Yt3m>>L3kMB2V`rA%QdW82#T8j31 zxJ`&%-vfR=!QFTM4D6fe9J1;${3$2Oe*bL3GVEVnx@cOh`_OZr3R5~=1P-4xt+)dG z_Wjo{zjW~c{6MD$B_HpP_kt$>@L~x3jVB|fov&OA_Q!=cD|X~D5|rrw-S0!(N$7#E zlfQb7eQ%$=yJ_cdcpqphHJ1?_7w#C){d;{oM7_$IT|#SK>Q6 zs*Z^7z_h!4ug_`7vmSlkh`@t?j!p2IS{eQz>y$z<>c@4qi?DxgoO!)2@e=ezn?K8Rfm{t-_+)DZ z>|-h}f2ZI1GI&ol?dOSgilDdJufO&&{5-o(d^_#0t?ndY%vaarW@6qW9}kZ23xCeH z_MKT7`2M5crbk(Un3reg$LDs!dl;W@?mi#;3SLBw?cOH_cE?w>^YY=pHx@2T1zD17 zlUu$@x(7eQ3Yt|NdTjs7%Xhkd0R1OiUDWzdd>>_f>;@ZfM$X8>ffnG^Vg4cGTC~Bs zWYC3#53lLSt=Q3n4XMD(TmC#ge>v>AOFa%f`rL!8jr?ZQLddzz`gVg`?!osDvPs%A z==0(|qa!!}B9Oc~3x4)LhkarP`i`g!c@j8#bdQVSct2)uc)g=t8Clt;>)LqONu%`D z?gl|Gf4m{G?Kte~TDL6V!4vF*t9Z-yYkRCq`BgaIBR&E9YSW{t-Hl_UB;Czi#2jqzC*=1h%(BPZnPgb47>^9EmDE%yy0z5i~U z)C=p87vi5csk{KssTqB_eFW%n#<&mba5-{k)|QjNwRwXp`b~TTI$!Y9-S%hk9lcGr zALrM???P;8fA&Y{hbKJ_{80IQ?1wdd^2Y-BE9(ajy79+L{2tK{$M47O$9Gg5^`^Xw zb&BhEmgpaXkAIoI&@*>3-nV={DzI8G|M1`#{903<&imAi{gM-eK^+%7#qXxAv@{+5%7fg= zso&IUgMamG@|Z_cAfC_V(0y3v9Wpp^P8M)u+VpN;Em;7(HS~P5aig#ws>U=&?gRKI z-h1z7uXE_%FI}hf+=KD?YTfYd)A1eZs1?`eN5PM}l8BK*@O}P{Z|-%+KEgkq9`(MC zb^P16M~3Y;@hIqleVy)wi%orCPpnz9)V;%C z@S}H1T$SaNoI17m`lkcom#i@L`%tW_1dhx9yf)SWzuvIz%lu0CUSsXKNvGmHuy5wi z@GZ6199f)0EtB?19`|pm_W1Z6S zd*$n8P=EEMd!o7m_xw2}qE)@}I`ZND1wVEu0RHT?5DH}2<8 zgDSz_JXIgN3wGRLN1L4FyVzkn_^3|h zFT_9K&$}{c)ssp1J%yh;j$8>p^#0SujXFnpkddqNPg}mjdnSJxW_|7sJrgxM?fGJN zQh)xh!I2d2)2;fb)ou6%=zxa-2eJM(*SBC4e;??F$HP`sfgkkvPZN(k!@M_%yfE!5 z_HX5#eDb3W_W1AfqmmYUiuW&jE$r!=0Nn7ZRcH$AvzS^{r+$NV7x%M6J3ob=aY?}7 zs~%UdZuF|}sSjW;t?T6X#c=ei=YhW;ef1LGHBNf>o4Y>)cmFm$Hh&51!j(_*2L6oS z%ke+?cvFdvRIPE*^ph3qF%@cUDVc`-TV0Qqc{vc@=_~lUY7F$^NAre$))4zg2UP1w zeeU49FY8_&>huKPKmM#z?4F+ZohQSWaf_E?96ljK*N?#dsh5GLA63zj#*-e`nRN;K zP#0vjxCOue7Ow-%iyPzj19PuTIt0A?L-hl;?AqLs#<_UxBXK5yesDQb+^fr zU~kW|{``J@?B^@j=(Dx$;E#QA;fvA!>-qv&TG;{TEd>=0&W@XfK?6)aO z{(KtN3m2z99R3IV+FOqe47~dQ?dZ{=?bym_f2R%fPv|3C&jmBfMqnM~)59&2v5%yr z_MK~Aj=}n3_?jCDYw`W*tNSVzLXW*kU0CC=4&Sw@H2C>4yf^w+^wS?JGT_HQw#?rR zf5FH5ehY~I6Z=xfzjN%=YpjC?%wLp!2Y%8z;}h@O@p~B`T?!ku&W(8gzB_n5{1OZ4 z$TVGZtWVv0?5GTT@2|mYKO6}=_JZS9$WQn2zRQdBD{*JtA^bo3GaLK%ddA)Ta4`HL z>u-3t7w;nEaN6N9jj;cF^33f!Z_S7O95+4fUM%+2oM*4}Gq4_A<><~cuy2PaUtBs9 z`?Pl2a$g5wAI_HQPli6jdPKy)zxV!ub%l@WmRYf|AJ!iq2ethf{IYcM%eq@n;60A# zx+?s8KbCb*jUNI34@expa}4%_R%+4v{jFQk|81s#Ar9C*Nw4R2g}=Mi$yQPRpx3(B zqnl3f!+Uen56*7#)Quc@{z7-XCBAdi_3HCG@V8GJBs^~4ULcdphd!JNJ8tjntPt}Q zd?&Oprsw^d@G}=aI8ZzR>q86YY}x)9_GxYza+j^e`(*pN`A>pB`<6$G`ui&3JGk|4 z8RueOM?>Zn;ochi1drV58gw4-D<-aUlmnkmpBGtW@dn8G^qRk!p;tSfW~msoq^=a)B=btE~j!{6V}aVIyETkiSKrtB^elcyYESlq)9@dRI`YT71#__8 z?0ac7D~I2o+N*E39r`1;mSe(A_(^A-xiz}Q1AOn`#OO6AVE3FF9Ny|cd5??(>VW}1Ei@Ban$I(QxH6}S60tg-E|2l@HPt@HtQ z>@({%_Ep>x>~o7fo3m#=zJDsT`o0bJ*S0_LW=mpqd=4sO zrpt4&kMf&2;kO=Bl30HCop$rFK6Ll;xcPhVzI$jzzdx}4{y+8mzyDLe!}~w=d$|8o zze^j{Y3t_c-QeFi@a5Em`}j_YY1!wWLw?`-sbb4JJF#B3EAiUuCfMI!vPu{OyQR;V z7|)I0;rnIdJC=WM1pFPkTU|cMawq3^Ro&#a68^?LmbvfV#qUwvv^2UEfcM2;&uE>3 z_1N z*v3{H>z^Zhrv~@Le)9`cgKKQmk?-vh1zovW`3o2D zy|j(9Ci-sxKB!sIWQQN7{j2Z3Tf7MC59Pd8t-c=9?K<4C zPqcqXuQpBB-OAdKHOGGGlDYEKU#>I|rtLZ1q5kT)2W5quNB-J$()^C^H1Besx6E4o zb87smH|BObcie7teQ(^FK4Xuco>cbt{^|a6t+qHU_U>`3>6}|vCtk1H_0Z4mUa$M?9a!P!^ot$3Y^xrf{mqEb9}>sT95OZ4b6ewn zscXijpK9K#;>GmF=dbD;f4S8kJ5WB0yad)17i6M9^#FtB4{-*foX$+{IBGt&JJxgW5_2hBeSLi8eead>Rz5{ zvEpep`v-&PRs6PodHcD(ms!)4&7(_(^a}m{WzT{W<6aspkDE@4e`oe3pXHf%)0e$^ z@m1Qy+qV)fEgk!yT`T*rkZRvNskZE4dvU?zHX-AF+_WqF%#B{}jhVBpX6vuYyk5K0 zukP{L^F8W&h!X;=akDP_y;*vL82WWNymstL&!ZO)Y&Bh*X!+sRoXyj!e=(TlcK*IF zaP{%>IbO!+`ml8q17CIT*}Ut4KGys1o@}395Mr);x^b;rUs;zA-u3tDSw6vC!>+jR z?Ec>FfQ$Qno4jU<-xq5P^KU%#X?*v&J-&N+zjilcH@+d>wU2fjzS8&l?PnpCDoo6s z-L~PF7e8KGXPn!it#1GF;MIkHUFoo>vggO6a?FE6qdxv%#1Au~PAvYV;`FwErH#K6 zc%xpxFXwZY|FvfNiJ*kaee3rA=DZjy&ilpbD%!;)HkQx_jE5aAbPo9kK}X33!XGz()ZWCmW0N?`vf9j?sf4%m7Uwz|SBQK5>>zs?&(N$=9aOAmjza}k@iF@}#)Nc*C zud=t9T5xOF+;#YV#^A9v%Pyd4cN#QU^jn!TwQ40LrS_dY?bO{9-P+CUI-^tFDtUt^ zZQWC@eA~m*CsZ0Xv|Y#PTT+g?HILX6-#|Zif6~FUA$=NcZ5Vf^%A7O9r^QvMedU~w zu4?EXE8RBtI#jV$Sf6=k8@@XG=bg=;lx-4RX5qPCLNlw*-?zVUL`K5vGl7279=9Bn z;y$$alg(v@7uEG?J#+O>+nX*o_4Bi(($A}(Ue>PC-Ep-_9z1HBkY(t&Zbqf;Qs|d`CxJ-;-9oa>EBc8<&PW?b&YB z3d@}R<=wB(4Bfw_c~MmUje=#PTF|1Wo1QnFTs^Awte(3k#P(^?E9hm!G^Ch;peXEX~OPSQC_p6J0 $%lo~26aF;JyApY{-PmzOQ(gtLR))Ne zC%b%jvC^f8?ak71FCFh#wEXhGH;?O{dgsgLsn42^zBi!Z!=-Zsd}czt;A6Q34~M%=kJxQoxm&W5{f z{&qC`B_QCMCHdudZfVC-zUWynuyvBxJL7BW8y|W98*AJ1PXZ?V;j`ji&51of@J#(W zwfv$f!5c@X*Zl6YDqFMOA8_ND(7XAajTz%(Ms~~`{X*X(II+(1eu+E(oPTzA*Uf_# z1(vny4*&h^T=hoFZj_Dxwb{ube@t277d*dnr90<#v^rONtp8F|LB@@b`uH4axFGEF zyJ1!PRo^o6!Ho$=r`>w*iyq0WS7Et{QHRRO<53IcEnRT~9yjzHed${qx@nYJK&M_1kiv zH@?(<@t6yya-CNV%+z^2ZT-8)mET(qc%%H)8C3IQ&)$Qd=$4*roEPWYtyC~hXHr}L^ss5y zx;Z~rZ8FL)Y|ZXXYo@jOt5@PLkB+$iez?sWpI(m=Hs3Q@fB$eyyN*K-P5Q}lrfHu( zaX;iI1Qb2(;~inBoYCmh0~HrN{#F+|d$?!grZrahCvSeohYh~aZMtV3t9K>jo01tF zKl~u}O!w;RzbP2#wE&t2%jP~s?HQKkoXN+&j)EM76 zp0U1Lr^fmo^o;YpGBwWkiD$g;o2l`><-8JnL#8G8MtUXsCQM88&Gkz1Z8I&&x4%~- z-@>Vld|!}c-&<3YeG5IK^&c;a)_)!tqkp_8M$an5>SO1`>ihV{=>r$X>C-F3>kAgg z>jzXw&`)2SpkGrVQGaT2qW(gKB>mmRNqQluk-q$rM*0Rp$@-in$@+dlDf$;BDf*J2 zRQirRyIqN!K^@74>hHi2BfAqu#L8sBau>(zjY_()SI{&`(^N zpf21q)ISW)(hJM7^uZOg^|hB}>r2Y!=-V&J(T7)P ztPk*w4yZ9RI-sF%OhCrWn1Ev>HsD1`Y`|O+9Xx$bbnr0}6TEg#Oz^>SvB8KBzE&eS zi$2#~Gc%@cAK%!z$4X-Bz94aRhtG_w`(4B6NdE=Vkq;ZjM84h^6InhwHZp8~Y-Dx5doe+6^e?sK<(TS1I_a{aM#3V(A9Y~6dk7*Ry_&}q`)-lPE zBMu}-*78q@OkR)@IXfmbvT#9a2BNGl9 zBOm&iBC`*gBBMMqB6}ami2O9#9Qpi!IkI!KC35Y4OQbF)6RV5ShQN|&Lsb%ENGypl zG$*l!0VT19ViISVTM}njN8$~~O5zP4k_5x`k_5vGl4#J4OEd)0Bt!JLBtsT$WN1CE zk)a<=Hk6D@HY}qlhQs4h3?I-`!jpfsRiz__1_D*!Xlq3=<9M<3&RuGa5RN zHyTDVlVR$3lVJtRFl-;6VR)CB4L8S|4Zksq!F__oP*un@G@6iUXf9+KdQ8YN3=^^q zQzv8_mIyh9Jri;a?+J|!*C#YKJQA81$iyZFADz_@GSO6RyhEHy7 zSnl4&aCmYX!x{Ish94)lHN19jXDBzNouQUTks)eIkztvxy`gbQd&5AV=-A0KqGLDs z#Kaz+5fgjXCpPx=jM&&8ed1!lGb!h1MyLGf8x0M=+ua`Fx%T-PmtFA~E2aptTZb^z*QaM#zydqWHR5?xj zc14=_qH?-eb!EC38zPF?D@Acah*4a<(kLDYF^M0qG>PAZWQe}2GQ^spX7N~wSxgMI zh>cfS#J-`K;_OwK;>yr0@%>d#*IV)->WV!f)3#jG`r#iFWB#F=ZF zi0i9b#e-|C;`OSzV%fF1VvTBfV$|9^ac8xB@#)%pF{ipsY`e}T&aK{5TwA?B{9s*y z_)T@Y_;{UN)YT{y>#Q#n3u-vTIqMzb!5YoPPuDjSZ`WupzFgm2EK{?E7`vf`*r{eq zaqfne;>Mb-#Dg1Ji5F_N7QfxlTKu(U8!>8Q8!;uUt=M5>TX9WTJMr{%9AQP`ryGmJ z8)5CmR~y@l?P_%p7jNny?yA*Md}mWf(WiDNvD)TNVnXfCVyDfW#WA(Jh>JFN5qH(@ zDt@uKtH|nf6SKB-6X(?FF7DmZUHq|54^h9hhuE-gPqFFNp5j;adWnB;>m`;C?=1?u zdW+HZ`-rV}^%1Am?<-#4)mLoLpr6=vcRz7>gZ|>;-TlRKo&&_Ky9bCT8VnSl>>en3 zMGX>bEgB?-MhzAd_6!!YqlSoW_6!kwMhzA3%^xbxi5eze+A~bNA5|>Y+*>R*G7J}O zdxwjo3?sxjdq;>H4I{qd)jqQ;2k4P(T;p<~6NYsQKv ztCfgft|}4tS05*~Upr15RDZk}v0}VfwdMpdd-DYGVdzA0)P{*74Vxs^+B8WV7dBZ8 zSvOfcR)2~(Xwww2N9Czvt1VN-qm`$LmKD>)#^KY&)MeAfPYg4}jNLOtzp$C&kYzK) zb5&-ERaVauUsRnf_FF$&>|1A!XxubMtXXHSXx}(jj1HeCu2?otbPJg;{=RFz_*sJm zV*PasL{ep;*lGJh@lvftVw=5-#I^Moi`UmK7K^Jd5i{2=5xaye6>n`?D(V|76IZTZ zCdSoRF1B2@T+FSqLM&drLfjX%Qe3-wr8uwJDskxARpRrI)uOK6@5aUT{xD9f``Vbk z0nGK$e%>Mq-*|io#XD9o|WEU=o$sX<> zZJo9t+Pcy|#(Hu=j1^eG3Y~BL$Un~d`GPp>Q~!8t@WOa&oqz;u+`$CTK3JG+eHD;m^<9)=treJREu5KZogbKHja`&xJs6m7 zy*EGI+Bi_Oc3B`=#|Ij%ZVQdpzJVrdtJr8;kAu;+!Lc#6i3ekBt72nqM-Il?&c?>s zZXArWJ&KLD35VisA#n+|s6z?1thhv5i$jUFK5*5;OjvQ)ayA+pf`{7Ws z?NwZgE#Pp9t$uu}E#q*i%@&_#>v}lNRve#hn>r!gHX~lNtvD>&4#gX79~?H?zKb{6 z{yJ>3`6Oi6Dj&(Pg(sM8X%lfISZr;MSZw_gGHsKNWZIS_WZ8Be$+BHd$hO@)l5P7f zA;;!DX-Y#tJ7kOpLoR;`%jN6 zuIn9Nj32fy&ht(v?l(Q5c)WLF@xtke#p}G2ice2ZD!%UBsQA|OM#Yc3lZ)w$(!W^SD$8Iqbvn329ew^+DF0jGV%M%mHeY6AF!4QsXfY7*aQu#cJmBWk(Zn zSAgE;IdY|8vld$|+PPCNsYPv+YcfCq%o?$Tk)j@vs8B z7WGz%Y)cC*DF^c|bpx$+Mk<4&K06PSVlfvXOBQdo7VW?^yWSKvGg=)MElL?qHAlX! zFeg6`T`}ghbmoyF?M3;ZC=g+hMu=)D{!l#IwG1DB^-*$5rExaeGjei@)V?YSoF1it zQh`EyFm7LTyx0*&)=Ms|KqhDDMEBo7q#56Pnp^*<`jH>=$( z%FmP@ZzrWj!G-HoA@L7x))IL2uAHnTfUN8gw0V$VcAg_MCyUs#A*~=T^DG3TVln3O zj_?|sf=n55i9R`1y4*{p2?ksya;cfwIoK>Fk;*^%sa2tgOV@U4k+y=ITu9+&7UIa0 zr5@OdQ;0U>N)z4|{EoaPdHK!rRL)Xwb1ineG0Re<%4};^enC!Qb}s6Z^V@T>@{EO! z0!xwcA8DML9C_MkaP|hZWMaU;m$Kk5m2PvGAf_~>P%4f05Ze*Cs(L${lXR63&&pL} zX1>jmR|F=;Z9#q$gl#!U!ocNmO(_$%tX?p=l0L~Z<>YIO2vP0Gwd8SmP~@;%NE1*x zgbD_iXX9kxQV*y(JKtWIXN1_YLp^c9VdgZ>bz12dyCWmJC^N^3dN`?bS&?gjEGPDs z5KvIRjy$8u3U0tNKv#vRFh8S-r4aF|j%|gyU56Isv-8auAjnr<4#mt6x7L;rfcXR+ zi7v8&9SgEzq><4i79XYpG}cy-58yydm`zntae9?Rri-?R%E#O_2L%*an#p79usZBe z>CO0zwz3rDb0x}EI|PEg&{&B1R4SEtJ}1xSkkLYc#q7vHFH{LBrD%5r#yqIWJSas@ z%&I_>xT473)L|?@A~?-;I55s>1qD&(u&@7E6z)nF+TcH%@k5sT!MqzOL7bWs5G68>ao>UV7Kv5SLhkO|1tUM2w#BXtPo~1cPM;axfk{94H z*v8HWP8t!;eOg+!krS?hhGfv6$0^7KU_dBhAP9sVXGoXvMLCrnWE`MMZd95rk!(|! zilr5a{5*{kG}+|D8!k~?9YQDa-f)(X>bI*x1ar@cSLWo5{QLqlM!OJHP%6P3ol|7V zur+bkDsdJR3bAAqWfkP3Uj76~7fG~ow&RIXO7y>$lM7*9WOFGe8XEB5pO6DPBi9B- z;?h<|7{JpCh|9>&1j2S1VxG4E`Vf7#<-@da$tfrB$%Dky;x#F&Rw)?NK~X$;nc_yW|d`*BKquB@JJ?S5J#S>*0U@sVX9;%Js3G;xFB~>=052WPVHw` z)VrLei8)ghu}Whl++pDgMeT)JsRB+^6IPNP3M!Gcgp2$IIhylx6@>z;Qfe-rIHgmX zoRg%mhFt&}a-l3h?dY>J7Ulu$VMuljv~XRh#yM%4K%Eq}EV9{~xZ0R`pi8MBpI{lS zaR>>U7FGdIaE&Z7D{-pL1W4*C25m+&7%WSMJ1Vu9WP81o^e;VHYEC6qf>~-DTEGE- zMtiwgnfS`IQ)U0_BW)Ha16PW*+3iIzatbj$T1^^i1f~M!kp`8^QcG?=RIZg{Sf{^$ zry4aO#;fKrEg)Mk1ZrEA$>$o#l4*qUR3IxC#wenyr(APJv^sx0DGw$hw;5$}M}%|! z6@})UL|LPiQr#LQNRMq?Tm+Zy8s(WMDOPT>4rwrFHq;4Mj|!jxPiyag(@beT>*9z`~( z$50$n$6W|ia-=~3LkVMQwRur1EUBAS8C$J1wG4c1WEEc@?1c|`*$P=XJx++J1tXJlJo zohtB&i;lOewQ~w7l}n0INU)_^RAqOKlVrwGqt(Yr%2lF7&BHFkNexq|ma@@mgZD=< z1GqoJVl04!;uJ)XX8(_AHtsE#WrIX+IdJVu{*+8iMxNQ8ZERv8#!Dumw!yKOy$&U%%ehaTzl6HYx!oRdvdfu@X^+OD@a zMM(u<;SK|s9L8oa!MR6+WLR?`bY!BCM^0^*OG2U5&Z${(mU3z@u<(US?hBJ0s60;6 zX6jTz^I`pr-^sORL#EnE281CjH&kYk{Uox`k~lya18qtag(_)x*-!V67;ZdpdXmW- zp1=%Z25HE$UzRUQtr{WmbfVv_h%d5m4LepTrK&PBQ`LoB&44&f%YNT@CMo}(1N7le#i+_kGI6OskG#oCKx0Rd!iXE_HM&bB&5D`ywJbOHvDc?p0J5|%h~ z$e4xuFR*N%U04XM1rgc8Ie zmfRHHm;JxI7@T*YzJDPM2}QeV)>8Gz!&`dsPO+{_<>NY5wTdNJ?y~;m+D&*0mEi|7 z@QhpxV!=d3W;_b$l1Ip0aEZ_c-DzDao(MZY7T3pcZSdtpj+inETR3l&7As?xpJBH- zu|+-zb-GM$$T3aan&W5CD$$Y^VB^{Dfu&q{s!} z<#VAN{CFuiUKZW1+Q%h}Y#~6psH4WYPBNOXbi?hbQho@hYfm*+6oJQ~q6XdJqXl$= zMCaZPQw}`aTwTH^8RMcr4pP)kFAlvk6;YxQV5i%>S^f2!ulnuimA1yw7~uh^IA+fg<2T!jZ8Hqx~aI zp)ih`U5mLC!Bb=!{ZHuymS)(Kfq`*(tZR9t7p2ps6VFViyb3O)xjf}ELtV4r(F*lSS^l-r8goH- zs${6)V_t(wg-F-p6_Dd}q^oWh@I%9xBF%6ixNp`_p#ozD$H!=09^cF2n(`KX$a+Dt zn*M7x4)w7*4gQD23L7%QqDofp@tb>RJmY1a0H#TM68xa4`x0 zB~`JwT~oMk4Ge)MW5=xQCw5K#50JZb7CV;Vu>X?tGQ^dGJJL%v`Yn~clTj zDeu}QIL4rHjo6REHyiQ7MQ>pRPCUvkBv+!5i~ye9#qWeB{JSmB8AICrBl~<+GtOlT zkYoecVDCY!YPp*m3%D&U^M?}8cXLVF*=di<1$ctJNsi6Nm7>%4=-dy2wRfa&ps&dt zzT%+bQ556-lbKlBZsQ_tcqYDcA;-#rinPhiCDl2!{}%a{i^nC4D#Ki&G>Zc&O9r7X zi82A9&GOoetUM(1OpS7#p?@TBWUd*9aBOH5DbPX#l3H!@W}{LS@ri=TE-CT1e8#Fp zs}^^auUZ^;Kk#)OVoV3- z(iMV`$MtPTyEF|-q>JW~V^kETY(_2}$$_7fBU;26l3>G|h!j9U*?8o#8rC3o0HN~` z^ttkqH5fX_%!yudy{WGns9IfxZJa8w9!MX=lzPTb$ea##sNeO&O zTr>E2Sl#JvhR0qt_ta66_xNF_hBi|28xP#ssLc9XDH6U^i)*q@%fz>cXtB=yCU~C$ zCY)MKtJ!XMKtpJ);uFn>t8|Pc^Jd3j<#?Mw6p)k!cnI zxG|;I0XR;<`!r5cl#E}l#4-yka5$<9=@?&WH025)J`0sST*{I%ckwt~;H~(QBN{22 z`d}!`w6rsVC#bPduu_~;vB}v%@Geo(dqGf}Mvk*2tS3>PmIHaw7&xR=7qGmkP;RG7 zq-N7Qa( z-@?%dUws)%+3ln9gI2A&4MvX-QF&VRB6wTjM%h7+@U1( z%vq203XHSfe{OtH3(H$5w1PIdgDyK{)Qph2@MtUP$~ZfV$z-kFs~cz4!t#I-_#n7c zD8+2j_SF1>EF-X}yqqiT;8QxlxmjKY;d+6~TF%2tJudpxB^HZ1@Yu^M@Biox3d

-b;y$4>IQwH!myF-3&Pp!N33oR0r*oo71#mP_EY)P<|DVy#JL%#h? zr|6g7xxgMziNqv7oZ{&IXOxS=C{;>wy~rKZI;EItk_ju<#N9D6-)Su5guDDzMQxts zk^I+0h&C4?#y#-LODh`1ssc{q0Zrs-F)|^m85LS|MOkVTH#amhnbZ~W^~)yy{*@}( zT1l^9{{J`)>e7jH>CmO9|G-{YQOG6L26gW+uuJD6#1HH;m}J|USn3-RNdG~-ih6V| z>fT{cchaM8*M4$H$%K!~kd7S&bt&rGuWzR=q)TysBGNH{HQV$*3E(wX!iWl1@rCkvS$DNlNmUZl0qMrbQ6V(o+? zp}o*S=qPj&ItyKdu0l7VyU;`EDfAM03w?yXLO-FuFhCe63=#$ly9oM4UeOnHHyI)f z6^04L!f;`PFj5#Lyry$074Rwx!Rsod8EH;hkXd9molRyECJ4fE){V3z4_GTQkB%WN zg@!GD~5pERCfzkr|nZWiT_duuPW4vRMvm%$hJO z%Vl{ipV?SbR>176kU3a0)||CqEm%=;|Q4sYdD%kz|rV zWC)o>djf+=MzpU7?;3 zE<^~CLVY1hFbEBWXaT>SK*o|k=$~{L*(Pikb_hF#-NGJWudq)T#){c+HiC_02WhMj zBjgHsLcU-V;)Hl1K}ZymghoQLkRqfCX+pXn3P!;sWC&)#B4i3#Lbi}2G!~i&R)LW{ zbT8dU2a^G0F2b5_!sA zvuEr#_J%!YzcV7dV27xu;3fD7-a?_^5DEml&{Sw994D2@2@*h}2)@rvbtF{SK&l8; zg=#`|p%y+G6-kQ81h$p!WV_gIwukLy``CVVfE{Fq*kN{r9c9PZadv{8WT)6W>|M5u zE~hK#O1g@!rfX}bA zF*KIO(Ri9b6RBQEqK#+Pd`bB3mNN5w-|(g_Ud-Tg}$65aLC=$yTzBY$t$y zWF1*g0!alDM1o00Qi&KyLlRA5NGypX@g#vHlAUA=IZ0NMRb(66&UUbMw1qI4wkF9m zg{IOpnodP(q$b*j_ND!3e>#8;q=V>SI)o0T!{{<$xv)Z5DXbD!3u}b6!a8BSutC@; zY!WsLTZLW1db)vbq?>4fFjgoL#tED07P^&gqk+PBVS+GG*iLuQopcwiAWRY_3sZ!( zY#m$AHn1~74WXuxMY2f_X-t|ByeUNTNIscCKBk}03-nWZkzS&g=@ojFUZbDU>-2N_ z1^tqKMZcyu=r{CRI)#2mzo$3p5A;WRi~dA!)1T=bdY9g#_vr)rkUpZn(8u&w`h-5E zztP|6Gy0q!rzhx1dWyb7-=(MNdvq#2L*J(#(6jVIdX9cX&(l-n9r7+YP2MAC$oph9 zSwq&6xnv%hPZp4cWD(gxCX*>-Dw#&6lc{VPd(3`iPuL7$rZ7wRfSe^Cl5^xEa-Mul zJ|P##r{p5JL@tvnU5H$hYJ>@;$jpejq=RTjVEl zoBT}fkh|m_xlbODhvX6Yg*+y|k|*RT`HlQeo{{I|1sP373opqZumbjWBM83ie2 zf}F}E8Q@K>bvxl}*PJ^>(;B2E2_p^2A##LFVw0Jha7s8T921TR%ckdA%nLF9m!@=i_{^tNnOaR z4rGB)Oh%C5WF+*2zru&@Np~^~I>ZR=v4+WW?PhK}J=De5wXcdx!RdhF(Nx3-{STiGrU&mbD@Sh32FW4gIgY z_X}+!a5>85rz%|!Ns{y(Mas(Z^%SJ)0O1xrK>UOgbSc>cAkmTx65`1cU;{20qai7l zk#4{mgP}od3BQ9Q9@G7FGM!0A3cW}-;efDT2qC*P9ko?ZwboK$3>^mKvYWgM?)(h= z`5auud37qdigS37uvU}f!2&+Q1=KSM2xTWE(-<`I`bC}>JMG-U(m z%L2hwo9v~#=^p5_pCJLR(&55!T29l3G0=u7(1)?mkWF25U^8gMhHvS}bWNj1L!-tC zb)e1aLZ^ibWd(1@?2eGyb0oRFmy|%J1wf`vfGi7yESn4&Rsk~1osJeVpcyRC5Hjcc zO7gus5ad?o0Ugl_`oacHVTYdJ+M}tYBbq~haE(z2O_BwD;x8PWav2)q(5QrLMD9;S@bL9(sz(bT>kt5 z*>fK<=?mr$RbUhHTye3C-p64|Eq<&ISM{XG6y{CXJwD z@SO%|-6qgHGoW?0u?Ns7y@h+wcm2t4&>@#;k#Gn)`7rd$N6^bBp`Fh`Yv4EY6uc8C z=~}LHD?s8#0gpd`9l))D9gJgtgRq#E#xmn*AsH$xVXx@{V3qUGJ6(mjw2yEaS`NR- z%!X4+exxf%O(2*sx(3z-N2VNsegJ%`qR@{e9J-u*O*wYuSd}B$YZ_wxQo^t*P90DC z3e#y1GL8(Q17IV#11FCLW*!U7JRZo|jd9yS2YlThSbG?d_F&-IAwbk&fw?;Yhqnh3=P0~0tOOBgzXI$Cj`+Ftpa2s|)>E@Tcuh1s-#JOw%!0ZVN@Z4djc zgYXHh1%%j>Y-hvhL0T*%08RB5uF!tM5V{%G)%OavFOB!ZVE4VCtAP}HL7Ml6JYUN8 zNfMk(-FJlvq#WerR63Dx-NvQgV93AvkX2ETb_I}m4I%HMVJR3idDILNNtJmcn2cQy zLkDtRp2B96m$2@}(sgu-MC+5G3pu?5moS;mvm{E-BS{LS=YrPvlYu~Z1Ay}e(Stya zvJPw|aH%j3co|{NbCa{`!M#ywoKy0JmRVMVhJXB-Dn#qz1M z9T{=mYa{*8WIL`WoD1Izk%7<)xqvQDId zAfqo={p-}bqp50zy6Ro0<(c&#H7?h;Z|hjDU%77mKTogzcdaVx(|^;Y|L15@6+3f{ z3ip@55%D3?k4<6^>14K;II*;>Rm(xIa;+)=_fk3&_WVE~Ur(Ux_N1543c4Z&I9t}U zT(53pBZ0Rc0Bdvoxdj@utT2@Jkx+Mk33o39+UD4M5iBTful_gf`k!>Gt6qIus}6f*$1Gw63aeWnKG!zlN1{E4P6L z!9v;qAH`bONbBIQSPv_IH4BF?g6m!GJ5}{1(78Kw9uA$SL+9<#`8Yha!X8Qy z54DJgTAPQUCaKkWC{3Uq?n;uHMWFoK>hApH#ZMmmh?Jzha-oSQWC zXtrBfIX_5V8byq>eAUV*luq4L%5_tl?dGiv4x>sf)T^vRSI?nqAXlQ)Wl-+aTlK2W zjaN9@fd7k$(n)=e)>gTN)Jv}g6hVV1HItWKYp`A&H7~tdm6u)}bT7TydM`b37ADTp z#95p;%M)h>#H9v}W%a~Kl-gvXdCq#Z$waKPUTrcF>#UbL>!r?mnX|pjSub<8mpSWY z&h|2Az06rJbE#L8TY4sOBIp9+sR|JURl$OwN;n8=ldf0AAur~fCFZA17%T4#`a6Rf z)#{l>xA;i~XNDkWFxVNa=nSe-5D%{Gj16%HxfJ32>7^H(!zVb0PjC*Orkaq~Iedb1 z_yp(hX?zdTa@OnStk>Nc>+TZke44v+vfQ0db61|m6hTE4c9btlq?>%_E?*SRPFdwz zPPyvkD^;FLmFH6BxlmzJYpL>Fsyvq}&!x(9nJUGV{DP7nT39MCDDBcI{nRPXgFcbc zb;|Q}N_m}9UZ<4TDbLd>&(o>(DgD$b{nRP_)G7VcDgAU)p6jMO*Nv(XYR}!&uDhvy zcT+o$^*_0la0ICVr5<-B!d<;r`s1$j$3sc?P|`h=bPqLM>92?K1P`UZ9!h^zqEV?v zB^wW=UmnW*d2mPss`4nWT>X_R*P%R~Yfyd-Qm(=B)l+GomwHv&>7}&OOKGQ<(oSzB zpSP0FTgm6G+dTzL{7e~CzSbVj4`ExhK}p0?m=WM^7Y z4e81_s2lzh6zQclQ+*yDCylf>aB;RHG|Um2;0Tq}XDUkYU-gkMT=HB@l@!OtR6&WA zffT>z(uiNVDB@QxhxnBXA%5lZ?qaIa((ws?5`e@{4pA*2AxR!1AxR#Pa1sv$a=6F? z71ThG8VFVc_0&MP8i-H>k&aL<{VyiUtxuFx9_|D$43aWV>Ts!7ss;o#pi=|hYCzDU z1UEHK=ghCA>YS~5777Euw5n8Ce7HXh{qO_1f3pLb2(OM`*3&m=o zI4u;fg%Y$-qC;1o^EPLC*o@MdGe5#g6m#ez9XeyT@NVIxTR80&E_4fb>lW_OE!-0^ zh$4t13p^3 zRKigiM+lBk993{s#Ze7MbsRNt)Wi{nqZW?ZIO^c2i=!S6-tq_>kvQt(Xn-RMhXF@J z9ML#paKz$>!x4`o0Y@T^Bpi)!B;!cIk%}V?M>-A>2gZe%aAe>x04No&vEaouv$J zQrHb)PlP-%=$&Qzh!RG|(u8Zl1SEuve5s#j#q zL74=qp>MFDCFu$T6s00rS5P97X~nN2tS4LlNUdE@>3Ol zs>)B*_^CQSdGk{ZeyYh&I(~BFrwaTO#7~r;7(bQcr(k}n$WN8{sWLwa{G{h6KYj}1 zr&|0}o1f}nfI&Do3H*c+r#d%&0x?jX2S0i8lNUdE^OFxh`NHu+9HG@6q4D7pJZCO% z0{sumQws{tpiWrd&`rP+wQ>zquJx3wnjWm&M=DoAxdtg$_;S1)p&^dY(C`VBW-d3& zX8;Q64uC?wx+_;1u)%F7(WR$s7IV*!M1?${P^?aYng*vyM4jd-m0VdIQ@E)xp`se7 zFHNsbCPSS}Y&wNJbqaOr6ynsWrk-jWtJW}6o~7Es%txtSP?WmV;8 zR+S%G)lDi_)m^@LNSA7IxoUEOYI1>Ua)D}cf$DOd)#WVJbk!46$Thpv)CSJ|Npap*!Fx+)G`Rfn#cLs#9QtKrbq zbm+nyx>^ohZHKOoLs!?Ki*o1;4qZcsF501sap+^(a%8cl{7SzFcsk*W>KM&P3fFuypWZx$P??_Hi z9$?%X$^(KL(5V48HQ=rWJk)@v8t_sB-fF-{4fv{oGHO6|^1$R7=cb>Woh}JD>O&x} zuuoMwbCE}VAll>%T*lF|QiifphO$zIvO+|cz7bveM|2qw(WRd4wWBCy*M8&h!bB>eQL^xLOAY{Vhr;Ndk){tZ(eUWxEp96Y=V*L6yGHLmNG@BpNV zI0oa$RKgj!)__XqzlF-Aqewl@$g)P z`5$l3AtlVO3aL3)C{!1bws`UHj$m!M!o?%(<#g|APBhhp=5+2V%AP5HE9Rvef4%#& zr01R$*9}>-^pO6U&#H(YI_I*X!G15JuEo@<8hP~jlhq3*4L@*X+=icPz8~^N_)6^k z@MiA)?^i9nGG#}d7y0)48-fQOyV7iJ-ni`#LTdC$3Td~m&finsU-bWw_x|y5Wm$gE z>mJRFrbpZBneoneW;{D@ckGP1SJjqexm)(SdnHSqam#=CO4s$|u=R8?J7 za?68R957(OfV1Ody&KP9f&+#)V3vk;h#?Lb;(!^vyG<|~voXXWhB#n|LwbX=&G&om zx$oWg>Q>3H`G*fzy7lh;o^#Lr{rkTA?tbYvKY!>iOT;_;j89K|H1l z=(_RkEx+~;{>tTM_4hyf#}0n{&Fb%d?r)v_g&!W+cyeyzjbDD{-Cz02`O0tq^*=N4 z^#i~8?E8PCvhkZU8~^U#+?U(jSKs>NI}_i^y!-u^f8*fwcehUel`k^&+hu;%Z2#7ze@UzVKE1 z^%v7mN;BKniAPq4MyS*-;x^g{TC4I6^5eigrt`rPL>U}4(Je)OXs9sE&%-yi)5;E#gi$IUbN!k-KKhQ|&BU;6x)9Q7@lw+5g8!dEEc zAC+QoH~EBp`}5zzlqpiEdI^NB6~`O4RRdT>h+ zeD@c=8&p?69Ry$a^4EjjOz_pSub$n5w&xq){HdU;tLrE5_nhim`{3Uk^g-x%q2Gi4 zW#~VS2>dDn_v_Gq8~QOc6-r>PQV6#XW{#X_7QN&MrB}IZt+N| z*=W{Z!#R=`O0`<{;f2A{;!@2^S@puj%Ib=b{V3`i30wPz3S0XJTlCMjhN(1IXybRO z()9VUa>T@LYq=1tlq!wV_lj=@E4ejeXo++6$S)Q16ePET@77oE-U{}Q&b_@Ws8mH< zP&-yy3s##;!_`XpL{KO$ZkLd;9n-1m85{ zMZdh630I}#g=v1012ju-jh{M=tN3)ZW;CH6x z_}vS2qr6r^>eFN<^n*L!ia#9~^sZKpRjMCUUTMjoMrE;<%O68(_YVwiAKLNy8^b$C z_l)7S#h|}GIP_90oM}f8_EdRnqK+;Wih0Q2TPl_dZw7tg{D~S$u=(||7b|4Z1v+lx`tt5f?K*!6$~ONQy0r3qEf#hmT0&f^uBy8eIh7rkSl>;%+`++ncai zA8`L*HX z%e7+4ZDp~z)~x5Y9jPp`YfB2YM8y1fvCak_715Qwy0i_62Ym3gU~73bsON{!us1UK zBYAli3&rhX*$yx``Fo7w%B zOO;|6?5U!F9mVxHLB6_DL&2`^3M<=k!I9Ncxfxa~##SrmniyHF7#m(nKL8hK1dP2> zZHBqyxl%cIq+E1LQDIpVtd^_iR+0gWXfU*t&qC=aCK~G4wICMz$A^NI!VsQ2@Z5px z^+pHyX7m6}gM&jf^FbRfz@`lk*tQP~jStv%3=ERS2P9>H3{YG~B;kuYM1n#i_im}V zOrt^r4mJ=J^WeyQ02U(v_fKUsTyzKPL`8;|rD`Q0QM{oSZOL&A+OtH_YReMGwJl4W z0Ie)>xkvoAK_|+TVy)SRk z+{_f_(Koj@*eY>@Xu){L;i5N$YTIPL?NQI zb68KcgNQSH2infTT04&n!8*&z+FAHEuJy>8d=#5$(ugS)sIBQgP5 zBhY-ch{h_5=NCYY;B-zL6XtQzDok%(nfCM+n46wv^R~Te>g<%+cSAO@&uhiI#BNIW2OX_N+v0AHD>&;@} zrBp&=_>ZNbWIYJV&@@0xbFEDy8p9|74(p2`pDWSSdAyf+#cTC4F&E4^sIJvl4EMYyyh~ zrn%CJm`0T`9dt3ngosXfh^8q`NRYzjNZ1|}mQl4wkJgLD71Sx**Eg4$7~5lJDww%Q z3hy=cJZ3aD#qB&z_{S&g%*MDMpMYFWeK3Iwu#Pk;nS{YXPG&v^flz}$svz`M5YCup z#|Fiboh8vu2HGP!LmmV+?Eu#5A`SIt{#dq~VnSD!$z%n3*Uk^oHE@ zMgmSi0#1aPw=*cNpvN376zatW?$fDYRdO}Y-HC$aJVr51BsLe6u!_)V^C^^G|_4<%)b_k)i+0vQagRvF%%XHQyE+LD4i(^VMNtsL`Ca$b1g1QIyZyl_c zIyV zX{nHbtH!EqAD|JNiY6b@oFCsF&KVj2f!7~_>!(dDiqzHP zt+-O4iH<#ZoG&Jt^}LDX?AQ+NqjzW@4LYJCbVQDHMvZnx?B{tY^Y<`c4>9bjv8!bA z+5XE`LR(O!&q2Qy*FSt9c4`4VZ{`@TEtIB+C6jl$hwm1T*j9)bnjh`p0(0ab!8j(T z5W+NLwNRWh-ElAmb7(Enw`17X#9)#Ep2)DX4;_RXjB`B0fUZ1XUmixb6*Py1;#8#& z>@Vf()kbxxiBWc;bi7npMf;oZ$nc`IbaON`O4VTA;?Sy=$HOe7mbB4`)4&=z4>Q4FTcS{JOL*yk1y1l;F2*Q{5uP=rE) zwHR!|0CKwUA?_Tc`fwn7N=;5x5{zhJbc&&U{ZN0JZ9Dp+6w`Ljc;``b%0-S;?3~2Z zyjJ$X4(x2-+K1MRik%R%1xy7-Lu^=&6;JHR9hG6}@Z2&MxKM=*OLfe*3uQC)k$Dg#Acfb^(>eV|(7-g(wF@1?35WiTs8VI;u zVFyU8yze(N`C22;vBh^$3(NxISawdyt5{~jY^{|=7Of5#B9ra)p{QGck=?@Fer#1| z#zrA)ZX3|vc)>F9Obu^E8E$$hJ`e=gn z6&XZ^O5`#mIv6wNz>48$XpN-Uc1{*6tz~L%CMY$k-1Ni}XNCu_a4YgmxL@qy9<^r< z&Ix>QEEjhvntTc{hj&DygVOEuq-a=+- znc?A%opb30_Zk}Z%iQ!B~ z8q-;83qJnN*qj#N7C#NGft9>QF-gqjY{+flk5U~Zv_-N6HJv+BEXN@OWu=TI!(62> ziEa%`ISHDEa1vv;1dbd-Io2t*>kZ}|xtg|gGDCBTHooz+!lj}WdnZ?3l{#pODFTOT zj8#p{(VG%*rzC->@@9)TE+7*gR~!KJzGzmnb!^_dl!h6Dxb13!%qpT?GG5>eOU@&SB;Q(H)}zUG8wQN=Ihd2NTuZDd7-JVQ_yeA+ z=a(@<@k?MPOViPk)`jEwMg~8QhvlQ0iMjE~53tH0Ly8$l?Vt0z2cbnozK|&wT#wKMOOa}zuSd0xMJEW_%SW-n=vrLiL}hhpW@)BgI$Em4 zZd2sh)@Cr_9D`4!zT04=1k7>O%qguY@+ePsqHebhz!)}iWj}WR`n~5IwEjl8v!N5`#Of>`b^!1(nE+H=j;Nd zxUh2Acu8GiAez;DRT7_qs`*Cb8!L!)kzc6|_G6_VhnleGSTE(Jv)W^An0KI`dq0mF zjLmV5Zi8GNon@iaoWKmRd4kqvu70$LUGk$rF2}B+Ud8G`mCe%j~M{n zY!&BItE&x6im)DFP;Md@>&~)C6T>w*(NFlokUG#vDXs9Zf8|OpI^lRvT|UE zY7qj*y9$euy=!3OkMfYuWsy+m4A@9AO@OgwVYh;FUu;_>sQ{zD@t~N5qjSPC_1uY- zl~GeTMJ{*`qF^>Lb2TFcqO0Jnu+dYmoL#P&sd4KQR>z{X5vQwX&=M3gNKjG7Oo(Ma zjU!?cmn14B0AkQ?b3weeT*tzxa@sPE3|uPJR}@7LOxwG;Qj^WFqFCrUij{=@82NEg z5MI@bN5`6&w-}?1vZAC$y{W}G;6hq(kpYw1SOi-Dvn48RLs}H5qo!M!!TAL4-aAgQ zc+7mnJj(%XO<<3YOmTvk;o)dzvlT+mq&{f^qOr+foeI-M$fKoFMK7#-3knsMSzt1p zqnT4mFRQpCuFR#);J{h#!r-yNGfQEBGZGRFrbp)kqGo05*MF@x%BBd=D3QnDb( z6&9m@gh@X-9z$iq;jTmJCfBj8HKyd}47#2I6RX#5ot^ zfQ1%B|HFJPu-{v4nB@hoq#9-eVrYYjZY_uMg3ZcCbGBM-24)3OjA$^-u^aAL$L$8T z1o|UV!?(qriO)ea0(>ut+u_0Z%y>}1w0>%o=ht$TT9Ulzl4(!k3u^%h80pt|xaM?hwIN_KJ zd2^gCDCB2kb14`fLuj$eTfy?HIhCUJU|eAMSH@~^5d}ON$uy<6ol`;>?ZL{vANC{4 zMI1n3HR39}jv2Ww1}htPv|e0XMmvlqf9(W|uI@9jhUr4ioNjOtO0Dr|WkW@!&y7GT zR86+^&?%<3lgum-E3PrcjDsA>c7+zF&*q~sQl*Ls*C@~BTJnLayX7b(IkJm3zLdd2 z(CdQ%K1V(kVhIRFBtKSoaAFWUrED0`4Iqmf=t(op52{K)T#9+qjk3=ZH#pjjrXVt^ zB%<35I=FqOWuQ?RXtWGFUI#<^cr7Zv>>#Q;fMTXj98}htOLp}_cDS>U>J6zyx{-@K(nZy;zSGT;S@B* zIffGuX06gA88ltUOb2DQ$XCo-ohZ&B2|kpClNxz^VWw0@%O}54ot0U65;EP9;WMqo zSQ(>G1MFj0hVca6zrid7N8hFI;+|e{>S(1}FY=5!N|oM7fy zwC$uDh8gE9lZh9%4P|!MJRu8QIPNL^?m={StLTX^eB)#X?HBUCFf(hq}0O8-duGNz03XsO|ArKll57lQAo@gTP>SlMtRlbic-DjB{O zWD?;5doY8}Xi@(1vVP&K0!{(ExUXhYff>q`O0$w_CNJ_j z2Zy&JqcArryA>GsHGq|i(?uL#i=fpb&3du8AKUXQt1D?Vx8|ZYYVn|>Ff~70G^hEn z`B5lUqa2k^qJi~A?oIXMs2zsgPAM_l3CoQ@wu1Ig&f)!3ZZIr2GRwsr!`_Gy>~XMm zq4QZTu4QVdS=e>WU`fJG6A7>2Ez}Ze5kXIXqgY9_q;z7|zgnnPPRJm?fv@vPbt{Gw z95rC$5=S}a<4F*f8;Tg-asYutV6q+>n$ZMtEM{ZAW6zC+GPYwOH?BDT5a*_=Hkxq5+JGp&O*{*1VqjRN%$v7%0m}RI!$?*<@SYK--^x_kM6}F8#xhkwuVWOG)ux$L}aS+ej@!Q z_)1XhC_6QdHB>fu=w$Xx*z!7Mt5J+ah1N1fg|-#2=}Q(Zw3aC@p&lf1mngL9Fqn+B z&fOyF#r9~VY`L{ek=^<#0Mb0ckn~Jg6iPT_8FF0OLK=yRfXI~~EpAfYIfZs2=`!h| zTkKHFthX-gcoh{ehczlr)@=+#9!tG&NvJR*RjPT07K;zN#%>D{nOgrPd@V-&#m@z5-}P#$R`V|U9V zL9|VXxRSMU)Wub-I!N~DdL&605P%8*ecJE6Oklpw0dwKV4iRF}<=8Qoi zT;iJui>Z|C_AQf{>!5tcXI4PsyhJua$tM=|9qTtII86xg&I``-o(R(+66Si0r z#xP`H#__ft zmS$pL6y+0p2oWhuHQ`3Ga=>*8P~16zd#NIN*Wmajf;p@uTtmd*zLV zd;!~hSiYMXoya1Ybd8C(f=taH%*+R+=4z%Hd}juCf@E;GCu7iG;#t@X4*y^~iFDY^ zfo4|Cj5}9o;CP-x3*8AM2G)(a6(o2b!JMvgD>q(Zi3nvOtTYa04>)9u&FlT0$4m6QQ@DPn6jlv|(48Qj9c1QE7&v z(uPgS(|5irg5{S1iws-D@Ywet45PX8z;aufabju1c=rgCCp1R#u#@bXObBJw1#^~K z4NDnZIb@H)RXnVX!WPnMCjsu_o^g`NRWP%!99`u&9F22WwiczADwtfAnxkdxPZ}eZ zck!x1ZiOcX5g;s*Vp|oRsL3waGoy?N5^;j$r%a4d=ari3S%+Yts7?cg+nzNtmy|IptXh0e1O3}(!{g! z$!&;6P_1zDp%FA|=2_Ecey~FlqSx=3ODuJj1x&!SG+`%p1&g{UQy<`(jyCXiKlhLy-r~yx53*)2p4Ri z;nE?AwmodU6fvX4{kWV>R(O=b5W@&Y(^kUU&2X0#gm#X2=m?z29V-`4U?F|*KxTU& zXEU}3E;wYsA)KwQXKEc6G#^peXO>z)OaM+~SwZWBhV>)Gvoe{c?Ed7q?UrUU6R~5vwEz zJW6m-YJ!6RIdqRO+C$}_SYQ3rVsG~hBbIn;5{sRf0ice!Q$cwZ%68}&zLV~GS;}2q zBo~%o)x*Sy!%*Iy!bZX|4r1pfCdQ?-HHzpkS;_=qJrIPYTM))p5XRE*ScK(@mtx3! zT5@!SclHRvL;3Q?L3EnMzB`Nlv{-;6xvqjQ(}qWggoMy~j!znfTps(;iR)1kY;uaJ zR^yOqK8MBQJeL144lBvgWO?~AvO%ahC(NS@`o5EHpKt_#NmV0XD$Qd)!m$YE>U$Xu z><_ZM*fW~6qAWO8X1rLPjZE$$@SRKS!6f!KYv>p_FiC)B@Zz}Eflm_Qcq@tUZXf$D z2k#@YW*rT=Rt)DHD@8e0%HhQuA0XC?>NsJC>kpPo^>Ph&W8yVFEzJ(5`Z0m^HIrJQYz_e0WJcu&weeNQIR+%HMh{G0DsC>G)G66=TA4Ub8E!WN=%gGj$KIqG=>>kL#I3!t! zI806eeSHXmY@K)PL=qmaBU94#xumuat7(d(Vw?!1w$mo1cmr36Hp_`J`yuIw1D=B@ zqv2(n7B9*PDsNjifG=S|av2RQ1}1i3w^t#)(#!lbM^SM|0}CL|f;Wz`7|gwcp@Fs6 z{PMn4td`*108R*CxpNGQ);MH{17656=V$|LGraVvxCiG(YRe~Z^8pUK>iZmqBCCPT z)CmsS*X(QhFk`KE9$_hA+0qH#QZA1pFrMQQYXgG=c5N-O=2@B>KcHf9{u_tYa0;Se zIkDP@mk0E;cR>$?N9XEosP`9f!2%A6AO(?F!fgdaH$~x%6TIdjG%T%gp<3U*3~(

&U3&+iWx=k8`~eP>+%ZMm@?*2 zaOtW;;n*67Kji&59eqb)FcNpfz!r&t*%6~7c1H|H?N$uUu^8H{7@A`-v_+wbR=($F zqbTvFTYDyO%;F4*;v!mc5e*zkVCSLkJR`z1=q{fP2bWwX^kgv_4|9VG7fCGW+|;mt z-(FmOdUR=kr(Nf8;59op$DIhArO9HS!^UP|elCj58kUiX(>sgPOq@4@L^D3#3&QzC zhO<5^2@^=eAu~W^oLz5m-ff7|s+E_ib|jzTrSGkBi6(gwMP3tyO%_J6*qF%`Yq)2t zCRgxP^p2LDuMG`yB#h0WQiW5SEN+vA$>+&G{?RfH4^ctAsuM_MfTZgcx7~4l6 z$=D$lNycWMJ!3z(XL@Q(tl8Lz1F{KDv5(GT5g4CymT$oe;{<%MEfcKYMTv--SqEQSj3NPX{j*o{0nUITKXX z{h0QRO;3!@ifQJ+^n1ac(ecdud)W!@Bjz(aRk14^>cg#?EuUc+pLjdNo*x%w_Bl6F z+F0SjA4H0;Z{S3DN~wEY1<*6#^${^1>FbBFB}^+iELE#K8FM-y_Fz8W@q`5VgEG6}~eNPU4`{d`IeB zM=I`H^-3P>DA`ckNj6lsK)aE0%!t=K-%pd6z0+?lvSy6hq{neA7W2~F*irb-3>GvK zX`&&o%6l8n$2x~OXwLn*1`8Ly?PM-pO=PfAcqjm@G9#=@8YKTh2YRZe9H-s;1I4i#`BPq5b8pX&#^|PW!b5f zhs2K>;h+^L&D_y9gVDLMsi}Y;p$R5&<`G|~nVv!i%1^Gy&&22f^Zh2A9SWc)_D$d; zM)=r}`|Tne7Z3DvF!sYUc(#5?XySl;Q3zkm!TXH!6S$xTpDEf$PhrvrfrF_J(a?@p z3U^Se8~JRGylE5c*`K9WLh`#dY70>L6W>FM?EEs4^L3>8iD~rc_Txx6oK~#!MG3y^ z!{{)W`k^KJRB!EPX|RR$UFdmy=qXE$vBVS-4nc%A7DWABd{c>>`ZRVVgV^`Z%72#H1l)m z0I>DLOIY9wd-Wq=A-J7R0k?X;6tJ%2o=klk6{81?@dm?d zUVBc0*?--IJJE%28pi`ebA1Dn>m@K8z+zI29GE#UfrN!%_iYk-d<+|+PGB1FS6}Z; zQ(i-}2E{khcsNfcx%7-6l@kpddBxDtc*py-T~AYGvbk6tECmfgwd6y#*nKay-V zQ3%ajX2?92jp2qpU*WjWAdUArxPXu|Hd1dlhg2*%I#CKkw%;bPQ6yldA-K zi$~D1Vtuhz$MZz+oz)6-8PoBj!5o&iX7G9~P86tcF`B}od?vTRC~fY zu!#DGCWR+f-}KUPi4f@9@JiM;e8iIq7Tf3EH#UKE7a?(Dj#$3MbNaFJ_;@ZfM3`Y!#xiren*S53UmFf7}0!V ztZ1*wl#6Zy^G2|gHISs7V%Gw{5aT-Do3Jjo zX(Rp2Caw4qvl$_@k!jc}Xu%R}xaumbE`_)ilp{*qg0Up&go^A0xgDO0S%`&2ycG~< zC(8|{yckb(EInp+6XF6UguRZTj_b8!HuBMDv(v^n-6hq{U?;Gj(!$X#haABbY;h(@ zVK4Iy7+!5ShOu|!6}dwtX~@tbsk6DklENA!#RB3w6Z>z69`klaM-^3 zL9x&m;+_2*z7v40S&6xPco>D8Zbc^E#fqvzLoXuHj9Mu*aN}%#SypLzZOjR*S`VqVHv<(t@Hp;|O)gI7b!xZXGsUDjGo%95qZR8I4Hirw*6s0S z2gi#_6&7=MAigY0qMUf-oBcQ~z?kLn(U}0Rp4v|s#g4-z+~}&t4}aUN=p+Srg(rMZ=b$tD$C1WBCq zt7mhoxa}g`vn!E#`GD`#iU zF_XBFG}G2aK5*V#M)x&6Gw1N-Dw3uIr9;m zxZ+M_J(zyM&@I-|tn2v)X1E-Hm}(hDpe?T+TdisGDxGa|D)$=rP%pZZVs1%#T9o>^ z(F6Q8k9=l2ogHQ*!aOk_tMd(}j&H|U%1c<{TATe0s(s1=bs$H87nvOa2A7NGYXoA{ zk&{OtV*-JEct@-aTq6j&3>QbI_u=c|u@U>}QHG-uLIkEuG1f9cTw6pLh=k2!;cd^s z`H297Omr02$Kin`U^rC@gZD!R8G% z9k~_R%CmaJa7n)F_xTn9nV@0k)5$B?qCE`loautx(W(UQ7b?ClTai(Qq|zBXS*Aqc z5;uNR7u%}ybGUPVVsS3}HcsKV)+s9=gFW*xs{q9pr*t&4afMwbT-DHNt z+41d*Iq<`kX&^=q&QH$FPR+l^O)P}i$kK?aNC^SigWXPV_7=9!`}?IxP83QwV5uLw zGxI8c!SXc;%!-0?F#$nurK)&P><3M`Tw9Hiksj6=Vvk3cCmUk3N>PR%i z#58=6^LId;wF5}OG>L-nJFX+)xv0U`v2hIGus;@!Yq;IX z3<)vya;WiE#_E>#5GBCRf zyK)Ecc~mW=&W?F@hFeJJj>Pbu>|`6`cMpzEi}m0fdZ(HBsj-Q`JZAAtP^`J(qz|S5 zs77YBj;m~Ac14+a5?RdpTy)13_{{794cz;B0XXh9sEHY0*n15hdBIh0Fz|>fnsJ=x zg~ham#)|vI(7xii=70` z(|hBi=`OHz{b~cu(UKz;HS1h^Mhv*V|0;F^%pfvK3@%5$+HkKwh#VW4{IqP);F@SJ zzmoh4*(dBQj3F@mdM?f?1?&80}(fYn>sy!>r7++nhVvt{yIuYBj2IA1hMjgv2PH&_C zGxtAYihYzz3NePwOM&KAdDWY&kzlTAjbprUO`Ogw@gzjuvYHQt!Pv>k^f z^~Jd=Zck&W!>j$}6KoLiXy7_Onz)iL<7!%A)ZSzyo+nA<_sQaCWD zrZtR6?WnTwnklYWYE~*PfsBW#=vgWyu7%I)8kE!47hWr6V=?ht8yMH=;SEak_b=!_ zkT|1bV-q;KfD?LS_$1;yXO;0tn?35H;lMi@@@fYcu4OGNAwSH7-ey_nm)ev2Mh528 zq)q0zgL~#@C(w0sF6s_1k6=+a&?PaPLy+aLc&Tm9th6RRtwX`@g(8l-K<_cre`z$c? z5>}pb!-x*|S17Z+&cawj%kEF1&NC4c^~L?8*({G^C9QKhEiyOQs^>bBPGDZ2S8}yZ zV>&4%QO|*11RV-Cv!&m`Q+t?}6A`aAcB8$(wu#)g_!jwgV;~n|Ja!obZjCtZwS?JiIwcP%NWH2mDUXvN6UVJ%}XmkN{q^Td9d0Up6!_?Low`oa!F0 zJaL0!VPckyZGpn_QjM%8VrTg(1; z1}CuazgEd)+;${T)#W^Cei6D`pF#KMUiy5`kG=dE*n6PA2E7sbQ=feDsZVZx@+laD z7gWc*!%Ou! z^9UGTs?VB7VB`2{wXf&@?=qmD{CMyO`drVhVkIqTw(+od+P%dspM6?9*zkofere-R zeEBPzzWTMVZ~n$l{=p~aulsXf{LR>LWj^l1^v^|--6x(y%qY8Kz|#$ z7y1?GSD}9fx(_-7{TlQ(=ziz{=t1c1&_mEWpkIf619}*GC-g4ppM~BHjYGK7hOqq@ zfgXk41I_kh9C`wJFZ4d>N$4r)??Ar|Jq^7d`T+C{bQb!%(6i8U(DTp-q2Gai7kUBu zJ?Ni@{-e-`pnn1S7oiuS4@2jmk3i?43(!UACFrBj%g`n0UxGdcU4~wPu0U6zYtZjQ z*P$^e3!2cY(8r-afL?<>0sTGbe+>F0^gj;$%h3M>^eN~+2K`S$|5MPXq5o;k=-A42~t(3hb9Rp>tr{jWh^hW<0q|2p))0euDf--Q0Rp#LoNRp>tl{cl76JJ8pl z|6Sb|^nVR~7y7rLe;fLDpg)5CZ=nAw^nVL|5Bk4@ z{$1$527Mp;zlZ)k=)VsA0Q!G`{vV^#20=x1k?H{~hT6 z75aaJeggf!L;oMpe;4{G^xuR2KcW9V^vBS@5B(3I|1aog(Ekwn51>DRcGU~8{GH$V zdxyT3|Kh@5z4-V4^zZ%t?`?GHFmKqPzzg4-4PH3;lP`R|=bKWeHz|II&uq^(`oI6; z`K~|F{lk}j&?EF=rGNOMp@-jp@nY8xKl6ibST{p2D7~HgHKn(6e?jSI_)PiV2k5%e zAJfCbJ>NJi;rq;=?Ecl4F7*7`%fG(iPkr&?#vgw92b(}m|!IifseK3^UQ=x$!IC!c~P3Om9ksb|`}HRZ|D!$Rlq zGrm`p|Iw#mStq_*z;aLd?=cLAdcKj3!p`*B@WU_uV56jq9bnbK#;_tE&)a;YoRIko z^?-5~+%$k3Nd?o!Pb%Lu{cYnP<<*o=_}j>1d@m?p`7^Mr6JPS*R{ku*xek8_mXDSH zGR(d_>IJ-+vY<|D8n%`(Q^LqQsl0b7*Xw`G+f?2U`2=q=Z%}q6cT8V-NqKiuF4C(L z?;YiRta;EbysQ%+EAKGO!8G&TEYhEkl#gw9oVRh9o+|wj=}=PtS+Afb%|q(O zX2m2uJ#pKu^b3xgtaU>y<%aRADZQWh>BODkKC85oj9xR;^ zZRq!v-j^sZaXomZbox)lxNOisjSzsJHoxg#pVBr^p5$MgN0c$Gbjd^5w?H3OOv2En z&XVtp@;!sOQ{BF%dHo%;NPyS;angu1yip};guh5%+ix)Kv7aUC27gm&PkLGD zGWJR39m8@~={C%Lz%D5!`R?sk<8fXH{=3TGsf~Q9JU78lMgO`#FUFvo?Q)xP$~g2Z zUz6;qID~+*N`FRrlm>AdO`fLm1c`c?4)imBK_hqObF5i<$D5i zk}sZn+)y5=$6yPg?yGktwW$wGrzgsDnqh)so^<`V7=w^w;+All zGC{X}%GYn$W$kK2G3n>msb76?S5tl&>#f7jbh)Jb%Za>-`|z7e*J3U4`AD%Q$31Q0 z!+1Yaz9F^^ZOS6+!WKpz>MVbd*S5`Pd`6TebA@%{6N0~{{13F9HR}p-*<-lQE6)b< zAp9fo-1VZJbCTtT^3e@d2z^(vTLciNw0ws7sq$=OSy(5`%!4gozzjPz7SNdW0>FdnV9xCs6oA7sik)B|@+nV0d z9G~gdr+jPQhQ%BHxG!e998&%o{Y~a$B$shLt$YQT({ZJo%SxAdQHSz;=Q;RTo}Vh; zH2rhhcE)kTmk6S4ag6XBaU4

mB0AI4mpQxej~`+d1VMhuIx_F>F_r_L%LIH_zkr zXA!@z{7+$~BKAZvDXXy4&#sO5fs#4M>FYk-9JI$ zX1zJ~BW{-%u0G|F`r9EsA$S**_bklGwl(g*Pb$xK@<1^i&nZST71QRjV&@1r?JsFJ zl{QJ*i{sH`f$r}sP0AANjKdSf7MPzM;y~WbU&asA7Ht>Wtv#`9PAczi=Jh)DhGAP% z{_DC9!8|&vSU1C#YG)aqt4g0{czk~7iZ8SJp7L&_{PCAJd>`RrIG-qf?K$gE_!T&U z>NXEk{uSGzn8aT(8UOjh=B!6E-`13Wgfb9UJIABU^Ge&zbZFBrhalZhJ}J`)zPOA% zu>NTMrTnLgEwJxs)1ER;n;B53HP-WW;za&wdE+|drw(I!K zvT>&xM{$fOF3(pZ}rhQHMpJ|*cE^J~P^?G8AL98`v0KDE^@e%A>FXrwnAgd3 z(uR~aOokLKtF(R(t*o?*DOw2o8Kudb%rkB!&s8g1%XnONOnoQMUFEr;ZAW_i%d+!S zc_jYQpTuR0d9aa8P;MUdD#rLz@wr>ECIKfMC}Tls`VjuIT87A?_-h_fzGOGSbpk#%my(f09B_ z9_X)=Ck*?r(%kq=D`wLo1m9uBHfecGms#?jRvtGUE_mc$_3+*F@O|Xrd*s2Md9V%N zM1Y_|`8DNyi((7J()q76H|+BsY}tdI^kC-{bJO**2fMDA)FlLq>3B!6VTKcm*aOA- z1TolC#oRD=hlZg``DoqDA1GNHMmb669jnhsNDgyO!qm-V{W}~AS@tvBv}3(G*@1SU z1MR~Ow7VT>k2}!1e<~0qO@foh4Cj^(w2=<9Lmg;q9cbq}(5`i$-RVGk)PdIZ)9vFP zDlJQvRJ!c$;BKLVyJiP>=Q_B%+QHrJ4(=Xya3_b<5H(-?Hh-&qx(qAL=Wf1(yIKc# zXFIsN(!t%W4(=XwaQ94U>=V*?yGcN_0Up|r(k4B$YzKGc4(`r$aCf6fG7B#&A3f=DD)W{k&pbaPD; z>MHld5s!9j9gN42@}7d(jR(^!tF-&fqttkmVXP^=8)hnEr#;vO4|dgq-Sl7|DaPgKc;f%usgx z$?$AZjPY{QowSh-v_nc8r#q)zp}RGuO_S!#=_LLgXxEg+Hp2}I<9J7DHXn#RP^^pm zP$BeF#nzbrZPIYl&wvKyrbC}%>G&|8CY5%Ujv|?6eVO#-4s^!(jM77x-FVUMWu-}4 zrP>tIZz;V-w<$W);GxoOT!?+_!Fu{AAdWNnLJx*7P>8bW%)cVDiQ6)!^(Eyw z4Rg9|)Bl@Fze#%1|7eeq(rp7C{f=>M|v z+=ba~3mM1LO1nauge{&!Gwm*0`J_V;yY9j6C?;hTJR$Uhl8CgrL%y^di%I*hyb?YqETmmj+Ig7WIupWrU1@UOK9TqFxb(g& z8*b?CiFL>E6VfzYAJ{!?+>Re8d4I!~m#KZMapjl1OO105D@}@^6F;WYNu^1dS*Ofh zQC?eSm|i!mdj>X@4=hvnQ*MYoQOwpOVqLn3Xv=d5Y?ES-VfLjH-R)K$8zy2|4^~ht zOIc9N+cm|`5pdFs@j9=xdl4MI(%PUI1KsuDq2ExtZ(WCF>%P*@F#mn+ znD$9b<8Dbbj8ho*L|+rnS6N>AmG2bH=`zPW$SQq=bf>+e+wwYY&vtNorGs0RsoP4w z$GAcfyRX<2K@9dpG09`#3|H4q!!S>`?iv>w$q>*MrMHf8<8m>nJa8h4{vT4zmJ4Dv z#kvifS^x217gE?J@LyGoX6BJC-;Bd;r7e?|Y76M^qm(?ld8XK7j~miA?;-)?Q~so6 zlD=E%=iAT^Dg7bop7MKA>1RFeLtqz`evkCXeO!mgb5nUfZo|X4KU5x@=1jkj6=OWy za!USbv3n4EEq#~~L@?Kgg3RGvHFH|=WN4^qYr zrT4egSyL`quOBGSdSm47-C%~g${)9#*S3$c`jkiNL5DVCUisE2E6TUHU27^m>!CAU z&nw+c>nk4YhGJcm14XxY727O`!5%8ce5aE9S4{dWDckY;VjJHye3N`Qv=G*QrAay^ z(!iv7FL>sa=eG8{?Z&?h?ZmxL()@e9s+u#^huVL zh@PxVJ#T>q6}I8&1Fc_q#$STP*QYpRW0sl2%72FQszkX;&MnU<-vzKyF^?`PHcSBd zVB0&=uDkqBKf^TrNNGKE2gUSzq}Ve8QT$E%F`V5$M*_w&jC*>Fq3=tFAoVNXW0;fi zG5OClnpd9FEST%05&2Im|AWu0&(FAjsQgl9oVb&AS7~c7yX_ijk2|>Q9-#xYOZ-X6 z+%iHCb3*<&G^X{4fS5Ov2E{PVkI;lX;!i5ANpFsj08#u&^(&NleuM-gi%*9A$_P!m zHkT?3w?>3y*6mWX2TGeJi$kM7&y@CrG$>*lM#U)ip3oFRZ&B;l_~beYp}EoEO;J~=~!^bDPM^jUsxDg6rT*gAI!Fpf`^pJpn` z=-wm7;OTS7U>i5A{LlRBCDA+VlwDBX`R9;L{_{30FT%1;{b4%ZQhs>{CDA6wV^_xY zvGNVWOeOIjGiE8PFw*~xid|$Iw@!M}|8eEN^a3o&HZEF+qF-g@V|k{c+f$02WL(>n z0V)5=7lO^LgS6jLnv~Ck|E5i18G58V7hz79Ps;BeCjspnf1El_w_B8Um9$j(W4y+d z-a|SR-7F|}h(M}7kiMpL>910B%DkZTEp!h>H&+#_5lFcq{f^Qfk?slSW2LkFQic4P z;1BYgd6y_VaoTNBp8I4>wPy_9xYFgFuKAZ+x_fqsj8j?px+w>WVLqi;yD(o;x*O&X z73&n{d&=VrGi80O^e&e1g_jT8cRteBr!d@G_TmT1hMRR{STT{mP8|)wzpVTtEp^1C zGt=>`@;rvQr7mb6%&>o`d<&m4e64|x-=lh89e+(#4U z4g87R#O*!9I;=dKTjCS9IpjNR`50Ez&1B&)tI8orXO!=5n{voBzp6aXb4G&v_mzK| zey@{9YFQhFEDGTo;B+RKTxe7Ot^Z0=Zl;}ig>vviMibNgGil|xD&CSBSYGj|ASRoX|S zEw`STWcZrOb6e%Nrn4!(ET5N@w;N`v5c)&Kt`KO`X5CYs8{|o~m5js3N@sey?LBE5 zze5l(f5dG(H|kfK)EB3ppu1_Mv23_9Ls*xUb_r%*nCbp(8}|(36{R)lJ{2F*Z!7&Y z=~10E^*jXhNa^x^lG{f*>zF-n)3J^_ow$X-dX*++%9G|2f90XsjX%S;Y-w6%%)UcB ze>x}YlA#X|+)ANebmtl6(whz`@O1u6X?Ht4P zRQWGyxRPyhd^U-)!~OVydY<>2$)8pJg)UguX>%E`Q_4RKb2?rZm3HenWHBG_D1SF) zK`~t)C?;ctC?8F^lX7}MScTX1pKdoRP5N0+p6qVpmSI^?nhguFvIjfm!OnZID<15I z2fORR9(u5kJy_3-Neh+{Duy{!jOjr|Y$(MS0-IDUV43o?59BE;&uy4}b&5Ral&7bI zoDY@f8s&KWVmZ90JR3d@%R1$daq7=M@#wl$N=dl%+TZB5O} zBp($0IjvaWn*;GKKfMo){#<(we?suxQ@(33w@agE%5&;D>KE%u-*+htWr9CW|FD5p zrP*@A=OM+!n^fJSo0CfKhM9`kxfI6qxvba?ZLiw3qvXA-yd%onu5BalGv!@=4!OOv zZ~*n;bI6@nURiVQ(C&wjcgo8B3@nL0DxQB`R-PMRN%svb6StHu`!_A+G#+C=RzA7U z&*K-1DU9Jhsn~ti(Kg{`m@cQ>GECPMYyKE4 z>x3x;%OmA~2D7j2VfpTvC(*2dq|0}&(%d-hR;?h~`>)t;#X>xX6zeqqUQizC z4?J~$P3dlWo=y41FkMPvOu`QpqdA>Vca>)25Q62QVx7X<{SJkp-PE*n$EOTOuhQM{ z?pDnDMZTxY1Pl^#%*Cv6$l zY31>y*K!Bi=?=6@9cVW?(C&4hJ?%i-@JA65C|?}!S3GVv{{lgr zG2u@toJ`-{O8-dd)?d;Vl*Y2*wo{}vl_qKLv>oIl$T|bTHV=Q+g$}91No!Go$-7r(p&t=8#5%7$M&UoZp z^vJokj-0znmw3Y~hUcM2&c}*9YZIPLizHyIXC5M_Pca)WiN9hrQ%U?iZkIi7PkP** zQ*5^p7le3TR!qX0Xj|g3(rx9DwKz}uKJv(Y_8fA6=K03ZYLbw#;_Zosa68G{bR8c{aZR%R1qp?7LRx3$P#! z>|KqdJyzO%m|YtE={`ab{nK-_;p87y{#(zHKIC6k{)=6(tP>CNUr>J87hi{;>3>`K z?fk`U=b8SGls>|AfubMJ6qEPa550V?tKBB3^7rNG60%;#&!Lweyx4)CW$lpi7wBi3 zvc|BTR=(XDwh-6_#kyaD#ZxvI=Nrl+<2$qq?wpPE`%2G#3Kl5~@%cfCztTfCXzQdg z`TGj^fs#AypM(F9@((?Se1`X|^509$k<3~({lBX8hh4B7dil}|9nwDp%YEfvCV%$j zku*EgUOvu)hpe~aNq;sL@dG9IG(Sf?$CZDWd9@Bd{lsS!MM?h(6a74+*rpd@Sto8= zz;a#r@59__y!k-+WQ|0|3GrUuGo|%XhBHQBcs4B&#MtLK=5dVEr1CSVsfZo&U^NeR z+Jjy2U{^iZO%L{w2Yckfo_VkhMoLKUHuk0m`^bYm z@?g(A*oLwZ?)tICgAIGIX%BYTgEc+a84q^RgI)7rw>;QA5BAuD$;bB)Ekup1uit_OSQ!9Mn2 zJ+;;}2tC-42b=U@hdfx#gPrzZ7d+Ti4|daoedNI&d9Y_5Y{UDlX|TnE4STR@4|dpt zH9goF4|dUmUGreKJlH)C_Sl2Thei?QMEh57O@m$!w%dbcJy^kmt$DDs9_*3_`_O~k z_F(rt*b@)d)o6|HCJ)xHm6d*q&(t1=FC1>TAAj1qG3y=VAEF#6+tx7*lY(eDNTmW*U{kz>J@2)9*gNM#=-&J}+pA6eWHP3t8klsZc>J)!cVW&*0cI}AGbEb_= zpXWJq;FB9dhE4aUFvs;OuFrJ0n>46y^9VvbvuX|)7f;z?Je$gMmCsaNVji7W`cQ{F zV)$+-pOgbbRK*J2FYh|(YP>BKjL^$;;A=~p~?LieZ00Ck-|k|(BJ*#hfDVo+C^rybV$ zZwXhNR*cg<#d`HgOu~q#jWhk1@`6V?Pc{PEto6dim+aPUyL7d@I+MB#F(Z zFow&v7gtDg(j|oTG%+Yiv#4!N))8?B9;PEz2yM&l5aR`R@xpz)-}wL}swRI@btELF zX(H`UIDC@1$a<_)Nu{ZkCBdSvMifCka3;FwNSO|4U?my3QY`O`uGw zcIE6k+bF1w&^8^PXxr_`9!+)I4Ko$7Gal@s2fOCMD5G8e+cHW&s9e4fcE*M3 z0e?LC%=qjk4NB^o6IWtBxxK)xT-j4?X_Mo#Z|k`)GroTa_y2GFXP9jGLzt;(xAmt+ zz$q`JO%j6&`GYjFeKy_L@_&aJzRvz6%l>(2svC@ZqCJSqKIPsZ6Vyka!OuE!$^V$l zPd|!SYf5=~^ zET~!+e%9fq{};&&mF169&PlsY4C*A)#L0VKe8^8t#k!C#54KKTdd~E+<%h+GDuiC6 z0qPomqJAb$ug!pMe4dcUi4U#og?m`t*m6vM8*Up8#%+>(P|viCWYe4c`tA_J(-cnd z@+sj-wu^+__KAMlbnGD!iWu{j%Ed+miO2fnn^%n4Pep85Oi8yVJ=i(LY+UK~vSO~h z>mIjvJlF%pTzO9wbLDkwopa-6>!FMFE1xUR)sH#-6n4rZ@4RBJJQ)w9 z+)6u@!tQ$HJ@m-?STQ$zJvwG_u~0ELzB2!Uzi#+s-kb`{A&bHg{xdI#mYmHP%#*kR>!<;lIL;B)1j z@yNUA!LE7a-BQezchBQizMq;3pACc?zKtr#mDj5lH@@;tc}iYZ`CNGgkGwUHyt5wc zk_Y?HgWdLE_dVDX57xysvs64bd9XeYHsZnLzMqsl`3`*wJLz#N_b{jUE_?Xw_e0(M zxZ~k_;KAgsqm&=^o3^gJ%^csP`1(`WM$pGo7~QblrfS!(SUR75!fED8G!h%30cyxR z1hf5$^pU{Hx2*ILeX`%O{ff|>{x<~eg7QiK(PrFzLwT<78S$7oH2u7K=bmeJmlmqiUBPS}cXnrpJA4pXhdkj-gID813!kjgtsPw^knWimDfSga#;?GhvL` zY5Y(&ticEanYt%*GoZ6dKg6dey{;;Ki#{2qn`(B$^pRrH$F8$~5orH)ied7-7Y4!f zr&swHXDWtaw_>*lw8Y(W#bx&sq#SjFmb53j3&oq3x*uM zmri*$AL!nlQ`3Hi7*v5j9{;Wohw{-W`?gSZTs(jIo8*?frOY3A}F+}QDxLszwiuJ%uMNIAx#nZ*cJ$wrutn9&Td(ce}pyxFwNrvH#)zI>B2+u%72ozCyFy7STO_{m4RtnSiz%J|+?nwwT1 zd9X){v93|kt<1gfbkk)+7pXdz#gqJ76uU2k)-};_rQ3X98p%B>cwVO)r#>~pu8&p2y1b zA)lUoixBVzZ9Dt;Y{N68Jj;A~{9+vKym~jx>2lgs_t_MUR+~=k@?$x2lkA6Wn)i?n z#V|~Z$)C<52lS9UsXRDM3`)X>__^;WT@s4l-HkT15coZ%UF6e~W+C8bq(Qag*$i5! zX?H!5_NH7i&Lc`MP>|Cek#V~YB zIWAkLPLa3&5LFiygs#6_0)wKT4_uS{X z_nar^zV9=$v*`bq=QHnn?)^UB^PJ~A=Q-z|d*657gr6UEJ7!@EHU|_2du8LFl1|3o z<#)+-;Q-ro_Y)Bg+FfE!9mfsr9%D?$(Djjd&R-f6S&L(FNy(0@L!}#Mic3CE`TwlO z>H(8_veqD%+UN!8b8q2(5c*!=B*S=9`2xMesT?WMPXH%rKp$0o_;dhD64-*k#|0da zxG}AfZz=JlUp;7p#w7ckw%8ZIb{D-MyYQyw4E)#$oTM%*oK4p!I5rB7Hy!$zvw(el?D+xx90~d`#=IevDwdcpQ>@>QI0S7Kzw-}D z%zxMy{}(`Vd06Z}Qi3{xldRxP=>gTU>-wqcrBqMsPGh~u`&Eoz3&AozN4am|GotJ{ z31YB^UXYXERk-2&wAb}$5!VZE{v_sO3 zH)R9*3hO7K&*PBo6;gr*S>KE@*B5bujXlh9Iq2HR)_zh&#|L9BIH>re+OlCtY`1aFc4i~uJ&iMQO}V(;VnNh*X4lG1Ai2P7@%MBK3f+I3&bQ zL@-&C{kkrmo;~ba+BlBFgDJEF@#lR?=MukpC|!(-c>^d`4`U_umO;wbtzx`8fs?qs zK&~&w8*9r>$KYo)tY4+$LSN)cO7JpsT)yQt z3J%&?XO8Pz&MD@sJV&e$7lJzS95Gf0`ablJ#Kl6{gnoqes~|=6ldNAW(a*8|M2UWh z^<{gI6RfXCeG=qG9Y14B0gzzsG&9x-{)THy@vOeWyne(om}A9#R7xuMnhQ)gLQOLV+}ywt+Gw`3^&Rz{%?l+&1I^ymtL`42aI?@{B;qS ztQUS<;V%S!K)|cufW+sy^}xfBCqp2S?7~|lPxb;Q>A{=29>JGc;3S=RQ`fn}z(}+X z{;fhm(w-I0=aYQw_;d`OyKkV<=ehd?!n)}N0k56sScgM0Ox6p(?f~;fJ>D>5V;(jh zu_x<=#JidJv&?hx@%j&+4zsS}*_HL8&%@T3x05m0O?dtc;@DfmVOQ3R2IxqDwKKmC zW%v1wupys2IDg58?6ooOgUmlb#~Ak%`?MR*y}q7KQFom6&L^kOv}kKT>*nYf0=}#l zZX6W<2=n(kcE(?2%&pgozs|Y=k1yZbm;vVT(U&%!dv3h*YkIc6Lf^~!<-BguSLo$) zhp`g9tQTt$J>qeI?e{@X0&Ib?5r<@JUH-WP`j`7zTq{6DU5G#LQ#wbCAuY(2$n_EW zE)YoE9Pn}mx&f#0Kab4D6FQj-ZVmA2!Iw#{*Uly4<;H-@F8D%Yk*%LuykYM!y&x{{ zNH2K@-6|9$uB~&rb0zGqI}PO~%5%KQM5nR10E11)3eO?faqUvM6ACZyaazmHFi0f6 z9d|AB;sSllPCMb^kNdt<^g2-d4rZAhzh4a?kpPo^36>I8p%=u(Jd#tW=VDD|9f%~b zGvN0m0l93 z-N>&E`;%fn+(POZdO>=@E!m?WmPbG$aqHDaoB7{y0SA4AoJqft!xdB}S;L#l;bQHB z?Lpuq(r5T5>%k7JVTRn0ezzO>N6{dO`%FD%pZ|U@I5(#Mn2Qw{A#r{3mK4}^>jRb2 zckoB(1?j+>w{}1`0gR*_Z=Mb@llgH7YkRCu-rtWzUM$56uO|0;-iyh5Bxh9;6-3GSh=l44Lq4K+h zph4!k@!4=co84bvZ1*y+2c@%QZ@v;643b3IFwmX7NDhy*J@pU#RH}Yri z-rw`V7#-oduAgd*jB1h2Y zDc@d6pV96D^LEj(-fO|ms=*F;^8KZ1F$PcWBWm#mIJc|uTFKtHfk(8OdD_JNgpY_f zWDeMd>t{BnyGbQ^x{UA9jKuy<6OYNZo{P3!xntW^7jJubx~=z;ZI5W#cJ*DiJre#S z@AlIRg7NU@S38}~10!ieKWpS2c$iZVe;t)}fS-h&4Sg#9wp&VS^bO*^w;t>>if0^d zT!^y zIzNrEE?I9-cQ4PgdOC&x+s~NT1Lo!)l|FVj!jtD6zCC%~(LnVfu$S;U;g0DvrB@SU zuK(n-eoog;9QWLiO81?)8nGc-%{&_f$;$`v$DgmjFs6{EtZ;TQRuCVnI3&aXmD%%S zQq7(p_kM1}kMWSg;O}n6T2ZP#PO%QT0zn@SxT7q81Y2Ot_w#53JI#JIKCe^p&>zY3RkHU1{;EZdgxfRBe5bK|Vmhm>?HtRF!c%%g1!LV;a{Kl9s_a!M|6O6e%Nl81hzAW8|D%6NE{90w3%eSPHo#&6=Y{Tcy#r_NY zMqXP^-OTY9s{Q6Q_!Z{wzbBp4_}kgwk1&5Yvp-(#H=QxY)6DOtW1WYvx4`-Y_6+fG z&#Z_#d>b1-#dwm;VbU4w%lEjuKU|xS{*AN!K04O-FzDYj>)o?hL;Fk2KYUxNY~ag< zYRd3?^X+7^ofnQ3#C_-alhyKr7}4tr)>2tt)TF+us!HA$*bb@EGPB&E4?x;jBL?sRro< zX#+1`vx>cCt@e+hvRaRkN7DXMiGBb$$r#@9JwvvaN(HBKgkIV{pqO94nxQ0_$qILl zm_yvydiy>2+2b_4E~z-e))4DmU2nWmSH{up#Z(MXSA1~yuFiJx*~|jlZQv5V%k>#k z8v^XOJ1VZRO?1A_n8X05a_r{`e2{qT1JS2zDrfEivZWr(^Wb9WE%Kqd#&#)Iz87{9xlAp!hr=F&SqYyI~_T7v#E$cr6IF)|Bx@X`XhCXz&jYD*-#}#%UW%JAJ+q^jhdosV~ zQBlPN`hMUfuDytUG*eTfbP&-MoqDkFws)wTS*C>vxs3FVA|`!Hd*) z&%sGG2EAJ2UH>_kN1%_?chBfZRaSprjrs>!UsnHUjru2R)R*}c^FNj^n7_^FE6F%) z>slyT2^n$p&^5zL*KHxOP|3UG;Pk{M8#`;$H7wq|q`HnWG zndkU!?6PYc+Hmbsc>gxHX$f)Nx!Yr|A{T1-bup?J1inRgwFa1v=LC z0mb5p{-Q6CLCpP<{$kuJ^n%Rb|JcXYUH&XACAIXc18ZVnGh6@B-${Bw8W3mIANVx~ zCCN120vq8tEJIJ?u1VfFq=d=*b>oq@QRE8zkn7`aI@WPZ3F_oIZ~*!e8#|e^ADqZM z-p%?I*8AT>KwtN>z6mAO*UyhoEjE5B;WB<3uTNR5WA)m+dX~>lG5$UDg6x5hRmLB- zM?oYRtixNC=h>tNe}-O=CIdg#pOorK9Nd~7i6Q#XMK8z!^nuo%!43D`#b<~^j>-E! zI!3!LN2uJvI|E`=oB6m&iD(eC<-Q|H zWlAsKC!FtPyKY^kbwTfOk=F;9a{_JGm= z{Z!{qo*Ttlhq!m~{!YdYm^>fxv0V|~SOk;rn@L^xG0i-;21p;?TKIu^c$hgeJSO42 zdH7wG6U^=5m=tj?#u>43|A&*xcJQeG@)-~M2r1jQrciqM23sA#NO0`yT)cphv}A?L z=UseU?_pzn?DHlfylKWHhRDBz3d3ovAHbZCR7%?^9V7RgY=~KLP3U8a)Po)AM-Ox= zCgZ?Jv<`W@-)ZQL+w-q)&>v#`BFa1`vb=_Vh4rf_^V}`;>#U!T=wop~UnDLAsH6HK z$n(WG~*-dI|kBaFSWPDLrg104EWfz>YeE*Bv?r zc07WuGgi+fcy9hvImQ_5wqRUHcH>R?0DU*>-S|iJyI9|bQjHJdw1@RQbgW}N&AK7z zoNaHP%(^naR#+eN3+=8~Y1e&zK%7{+ZeL2evUdA5>xKl6NSj^jhgT=K3P zDV<9HW}wU0ts>6o*8sgBv0NCIejG*+^vy@Iw~-Qb$Y5i&hK+>hOf^4Rm=p7(5x$Z5`2!4N36We&>9`F5iQBV8<|pd) zIYzPfhMirEIh~h_h|xIfPNGz60_;r#ClNnj@1R5Y`)J^F?x`9Z&omJ{d{>19-t5R>SN_$7D)H_~M4`Wcr`Qh##)fgbAl0VV@b6wpJ z*xkvxb;KrOcXvtMl;~4c>cU(j-bnnsP3au|LYDCs$x-;#1s#dI?&ov2xF6Y>sk40d zawsKyOmv86iT(Y|*})ut?SS8hST8vZY>BZ3E`c56W0`j;ou6WC3S~+Au3b`3fTQBx zL{Jy!g0v4B+JpGh%LB>BO6=I|7Vk5pQ`vvN32O zXc9Qd0^Ull74Uf;dXm3fhtr;UHlE+ySK>sL|ceGRWuGt6;$ zqviwrKg@c`7x=!+nCpi(M{s_Ub?qpXPWJI>L?>}|`R?TlZ1(V&^rD`pYob%x$BTcU z#NrOj`Aem65o6aLmDBXn*JrsY=XIP*I!7j$n?kQ_!lwhQccmJC=#Q}8^#Uoph?!dew3_R=*K+sT<+@6i{4&5D+2czb5{|E=<~Mh`7XFJzvQ`K*)u3` z|g3h4*~D6*mg*UEl04mh&|c=`t3IH z-oeLOBUo1i>x*E!BG{P1(AETFF25*m};^hFDiYS>rnGkHZT1sx9a{fs>rVn;HlBKLDJh;@;2h zdL3Jj;ggI*Oph3>u`ezc&+>W=`(^7je3Nx#5k9DRqOPnX6VQ8O7t4<}qM(iwtV_|g zvH0F;D^YqfcJ}=<8vk&8%)UPdN~}G!CGE|Dl(NOHXgy; zcoFXNW+S{q5o{@f9gAS66xKrL4ZQBIU=1tTt70tNHHS*~*;I|OfL(X(Lp|6n84K8* z;Pw~5i+;XYj4@&d@z+z>ka62>$dh*BOPZmTn&RUDbQ*cCncTq$IYim zETHdV8)GQFx!+Ew1FSm)e`@4Ds4+i)i67EeV3IF_fm5Lu#I-vT?lpF1s;F*^bO z2ec#Wi?q{9*evrGP*&L^A}5Z5L*n*dn(KW}dOf3MpZnH`73{Y0{6EEG?cFQqpLL@@ z{mff|eS_US%&+Dz+CRX&lU3SB{EjkD;s>9OGv<7+;S>1s`HqDT-+Hhnl1$@`=7ATR z{F(X=QjIWgKX_`Nf^nA5cicUq9y{-T1U?>OTkc+?3KvZwE)akHaQ)2SWVVhD3~}jU zep2>5E${#L!@lJC@OicE!$-;UojhKypWNo+t?8h~|2gR*${OR4ktCtcc@pJu;_=@_I^nz6I z=Glgy2Y`_X2iO7tlJ=}{{W;3Vf*}US8FN15<5G-wJ;$iYv$KP-eIC}%*cfB*xtp;e zVAN;-etnR2txA{D`EJ%NLznwh#m@# z>rZHVAM3%@&p+jPm)503J>uJ?d6hl4EyfI-6U=e zh5yJ4x1Ld12NDUeA+F=+#csx+hoF>wL%l;XY$n2+k6=d_^Yd|)G2h-v#(ZDgb4Y4a zcujP?1NUkq!o#un>dzNoGGB%{zNp`Z3M6CP9*%3(N1j5!llp!fD^Qa7JePxn2@k#u zfke`SH*YP1-95laeEw7hMfnF==kph<@Q+3Kr>gLqIA&rWKDILE_p>X)>x=MQZj%kM zhj@%JFBT7(Z$5vv3jc7#581!?{;oxM3Fm^(llkViFVB}_{&uqspFhA@j6bUQn8SM+ z+eOF4`d;jdW~=BC&qdbvqQ1(nW2!yyPgUVJ@jR3MxbbJqkCS{4%je1Wa($luUalK| zwik=fKGi<>vsL)jzK7-eQSEzJK2N@fCH+GC?sxpCjQQKmM4vBze=5cwReU%8jP0T} z^!U5}vpzPyhm}3>m#gsI{+&2Xacf)sHZ&ZrV>=l0dF>Hix8kAw0mh>JkMQ?a;mhBj z5wpD)vzBH;G8)kL#Lh7kTaOHx;i5_n;)wo*RG0V*Qc7-|6!Qs_;jZ zeK-D$#rosMpY_r4SN7caSK*&je8iz1zk5L9$7=^;(l7AZBfM_KbK}ogEMB7#{@yD5 z8O3+w&sbT!maEu1sqDeu`g-&}KEGR7=f|OwvDU1bn?t=3-e80`s(5IBFJnEhr`GS8 z2!FnWkA2Qj#fM3k>s0#tq?FFlHe>>C`8+E2sBHvyK}X{L-$adPIj}eE*klf+w-_cNRC?F6j?Cvo>)HGBjw77w%|@z@8F^S#(hrv!BZCt1N;?ne=? z7J_#|M>37K;C{OJzaNO}9_UHjp16k3;LE;m59V(TeoB;M^ny&`S|9k4Jr`*uSnjW9 zus7Oxzn1^cR&YCb|FlTQ5pM81nR0*Kj_Y;}UlH?3wtWb;y_`wu^Z@HzUPWS#*eo%p z4}GoC9&F0K&*f7jHWR*# z&pGDvcQ6*?cPc(?^fKoAF&N>=eTUDJ`wqW-c|IL$e_q)||KvVD#y_t3@E1~c9qIu; zl3S?fa+yl;HKpS|dO^y@vxRh{j=`S+lswl(KlU^407^G!v*)oXow~fDvaFq0zktCm z#E*Gf2Ic(#ufmwm>sLJ38e%LK>pc})iC*v`S`J6v*%k~i| zL7nu1>-zvWkz7UnSR7NrrG58|C34+?kCNxkzVZ?EchU>u#@owN=*FC8qYnP; zW1aYx()lc7E*J8)ivEIoggJh_RmSE~M(Uv-?m9u`aKI^^X|(W~Iu*n^)1xoltly3L zUO!=5_7~&1uGptRKhAYeLa+95=*Kkc8=xlvc95}phh*4d1Y3z*KXc`ldoJj-$f{W;G13Sts%v-s{1`qRwgG!-oBAC4%s(al480)3c%!`0 zpD(~iiQhDHux!iGi zQN*>4s> zbC7jwb#xNcFaDM&=IaXcBzDL<`MriA#HOS!X`<@_Vj}B-d)8eeCdio{7$Z3bUu*Ee zgWr&{^=KwjCn=Ti2jb>OWL-e6^f?CI*I=yG7^eh{u)YKFQ27Z}%pb%+;xGo1tC#Je z!FOXurNkYW#G##zA@FUdJK}v%#JAn7AKfrk#r&FPj`JgrL9zE(V0|~rh<=sz(B5`R0}@~SJWB}|yS*S~W3s>awo1Gn>PWp7)T8#~I~Zt3@*#ze1eoN5AE%v8 zTio}7H^P|D+Y`a2BG>`OB*w6}5W$W{u;YwLyBME!#_G640h!c+_tmIB!unW!^lg&$Mcj+H9w^bFD~)&~@$)LBbJ&DPtn^+mRu6Fs>Z$br zx=t7+abxN9#d_YKsq(c7{2|7=Q7XR7&lcvurzt*e#<^s#<@(RQ zG{FuDY|Ho$15mb8g4}$e()E*KP~0D6*FV@j!FJo|7y`R;KROFQ*+tytdH2p-UyQZ8 zzakuVAn2ppS5xV(V}T#V=N#|_QkJg?_8&prq7S+rY{5@ReO9>nAbqU!unHghJjqv| zH^jUKukP+h-ATs$x-$`MK7t*IV5<@AWCW|{arE1@>@Sc{vcHfRzA1p&`4T>KN2};gRME*g5bIYf$33Q#xVqeN^C+7q z@WtH^Q`v=fJzWc(?q-|EpbK)om@nYXFmHMTFPj^HW8(;4;RD3QH(%SbwXc=%PN${$ zi|;~gSeL@TgS3melPGgr#aatrWgM5_b9mpB|Nn%PRCDx#l-a@@mT|1Fqmvr&Y>C{w6j{J z9mLe_m8n?3amiSL*UI<$)nWvmd~dB9&-I_}#o~jxC(kE(=-6LJ(S|&qSca}-uE2&o zpXdgU))2X8O6l|zx9`@Vz(%$-{e<{f#UUZq&lq>nT`Pwen?;$gt=T$_w)V2Vo%Qm3v6aqeSXaS#ZCu0i?_nTc zmzX<^GSbco*7vYp+G(M4xjr^+$cy57g*MzXA}VDp{O>xXgv+|>uBmk0)BA03qS*QUfP8-nt3hDA&_EjD?$*RLYp9bUed+H~)*Vcw3g) z*>@fmnd5RT8j~y^v6VW>Txo-#=sp**kUTgH62&6i(`0KwN~#LIAbaqZ=Yn`x+x`sd zZ5a2=KJudiJ;@M!FX2HS%V%KH4>wkHj=aDNGGn;bqW(_D=KD0aPG$Eam}6tCn?kAj zkGc-0vWNAu{=+xPXYe5C@1i@Rv5L=!{Mv*1Cz&htQM$F8N@v^i6@6~u@vk%V8-43% z{uIhQ|FW?~`;fBr!(BUrIaL1K0c}Yi+}u-fOiABKFNo8VFR^Db(EI+trr6yFr56w2 z9l%KX@aERXY+Nx84x{o2K7-qkcg3C_aotTXNOv8*Mdx6#E~P{{KrcvV5Z7Y;L~NHF zqgW3RqhpNCp;R$K9f;q5VAB5vr_G)*z-P!#ys7H~_`SeMT+VuNfo{lYIIle&Y`Qgo z$`gh-z?REVDs?;Xdx>5U@f(=*ALb#zPPwCkhq04=mD_*N*bN5vnRGqp&$vA#Ov2#5Gse+K1PO6QV)<5(Z_ zHK~YQ3&9igg1CL%hPhkpW2OJ@^Ye%;*ogJZU$2HiQt?18bpj`G-!H0>gW&mjEQF5@@>QY2^5eiw8k?*9hWSO?L^VaMic zXrzy>E#fpV4|S&bcoAjpM|Mquj|;#_dfZzvcT+lF0Y?8C zXnq#gtTH?BLHs~I`Fr7%PCI~+?893=R>fRR2_ArsWDIW+4q~|*I+9-Z7RD0#{lH1e z^oKHacKyiP$i@m|zQTH!Qzc^oULB9A<5%IeG4D9+mhe)jn713e+^-@&XmgA?Zk$SN zfj7;(IoK-UA#WC$w~R76?%DkU##QbY+!%YGOY9(>%X=!ru`Tky9eGdEgEuv|;cp-7 z<#|Nx{sL=}JP-BPfC;V}8*kKsl&z-=P%3}WpHAQ;vv`Z>2Y{2f_(t?&nYvUzRYeb< z=UG3KAth*)^?RVFJm+U!!Se}uZtrXabD_8gY2_S3n-KUT z-z#)$8J$BXd3uVDwLh3oBW&jw$_@9)#j_*W+Rxk*bX?5$V$R5O`+n$Ej=?{OpVt^W zyda}^b9IV)(+*%H2l1A#FIjsrd%(n=j3cl%)F<(=ibF!o`K@?Eiq}NvyA_7h-;_US zSNj8O5>Ao$eV)mn97C+;8N-_9U;kj^DC>M1$0OK!1Zz}t1NP+p-M1(AFM`3RUalMS zN%kGWhh2A1O{I^yb(yewdO^UOVY@yyAHj}9FqyZ0UAevp2H)#>j-+&~<0;>t5I%hB zWWJA~sy|OK_h1_`gf}&}pz8!qQo);BH;Xk;^4i6d)M(e)q0+}Bj|79=NqRvlc=N8I z&>a9q;@Vca#Y`2|9V^kHp9#l)1;?tN@H=IFFZ3kvL)L#+-}56Sovi;S>9|-!iaiSI zkFw33%#mkYDV<9mtwI-BixI1XT>mgieZR&}fZ^K;^IUAQYg_&uN%*nO`ffV*V~x7a zoF^{V)moU6Uh>Grr?{@<&sq_?oou6(jv=rs>wnBH>P&K-dQ>0*HWR_-8B0MTf$bxV z%>q#UO$l<(e5ve0zYCx9Ya!ZlpC?i&?Wc6y!k-K5LA~JKA-g_;)5DyB5)Q^qK3_Ni zPRY2z2l>4b@d0Bczc+$@`eOzDVQyRaz?LJ}S_Dh#V6f;f>dNnp`1a)YMtrO*QnxRH z?TTPy5o{uY$>+9yy9Xn@#R#?%!Q8Vp)!#b)?A33hIfAuCF!|ipuiGEt4Mi|_U#)zZ zjPT_5M*KG9_eOl|NTlv6WB#@3WCU~1K*$&2AUGfzB0dA_b4ZBoV$97QIz~Ch*gDF{xvlD$yZk%dA76A;8vD+b*`eX1inNf$!%Pbnp|>lof6a+xXax zuNp(N+spbvlq%M+ISib{_i@}I1qR(d#+)wF&cP~rv~!g8ejkrVuyuu@ZOMmm=pt>m zb4+7;wAaUazwKQSY%GFJFy``tY{7=)gC8^5kN9~e&rJlwxUH}~!3c`Zf3%~=J0+}* zUXV`MDX!o7o&!Ghfk3j1H??np%@N=vJ$Uox5Ofp3NOt4R~739C(3wXbOj99dA+~6YwrHcWT&L7o}e&#Qs^mMQ_ z!n%4oh5(cK?_*Pnhc*u|HiU}Gu8gf=YL_RGYZAtNnqH7z_qOqQ(*kgkm_8+Z zm0pkr#HXZZlwfCz8r(T#D-iidcbjGS$sZ)u^8eu&?gAuyPL6g0A7s2 zmwfTZQ}V^f7T87;Y>>ppy^U}g&zAG)q{coXC5r0@mG1r_(r2_YOfQJ!Ir=sZfFy-q zR8M~wY8pzC!+3LRLJ=p_UjR-rhqs7+6*$Qv-qcvRoaT7A&(t_6XJ; z!3HAOa0DBVVDkMozuj5piGL~iC(j={(4WYdfV-;dVVvA|Rj3@Imw(*=U+zC!p(6ob z?mzbfa54X9ZXRd4lumcD&Rt_7{<-{T&N%UlJ`~S9r&(VIJqhNfd~f(5 z`c`9ZBFB%hjT0z?`{&~SLBp2@ZsZ^xYhR#mW4+7syg!An^1WeMThR6(*Es;2!Mad< zZiu+=Wu8Cg`y<#KV-2uJg1UzzJo&v#-`-k;m+-xq@Gz!LjCG*_Z%oma{NAPT5tnY} zx99v~jly{CVtpSf)fg|dv5)zFA7>*Nn)9#M@EtG67~VYJ;b#Xh5*c6rvl!ItcUtCo zdEP?!2O1lTxZh#LghKE@MEdb$fu0b*#{zF}C67rhL9BSW3KU=1tIXaa|Ad z;4pLiJ})Z_KFM=K$yc@Zjen^E&7lc4gm;zR0>Qd{AH;;?H~d4_lCayr~>Volf8+;6hOL zx+7YWP`ddZ&Wqt1`U%#Lp;T?cp98FSZF=`-@Mn>A4O{|SiC`xpSRKy`zix8`lX>s+ zDiL0P1e5)m#0&n(e$BV1_iNzGe$9=AiYx3K=Jq7-QD>R4vN|&Fr4H;g@La($1ZAq` zkLb$sWhW};Ye9A`$2uqZlEAMj>-`|9Aub1UJK;RvlTq^Lgy`=SV|^$ixiimtaQ%6a z(&V6dX%qgRf{x@Q-b(fzt)xmh?knJJ=x6bHIBd#wVj0{Lo8XPI%?Xqxyp&Y? znKwwsW&K!S&M|PR*g9^oCHc}&#V^ELt`j3@Q;khZP(SC`8uXF)Bj;k*3DEsK1g{w& zNmEw19B$)dH}-T4UL}G7DzhhcQCHi8-3q-RZY`m>`qz|{@IiV(Tps26Ft4F6Yu{fZ zqMTMc?D~wIjG4f0Anbui9lIyd3W7KWtHDph&EA}3UODF4xp?CRF)Rpz8tld$r z8*5iS-!5x+u1dQ{SXb7r>{Day*7H8Etld`D$NJmNy0Uh6u|C%Bc#U?atF(KlM!PFj z+Liy8T-M*_It(m76IA2d!Md{k_Om|L-x1dBf$>OAPO?50=L4)OYxfB2W9=Si-JX(m ztp?F z;Lo$m+HGTftlb{gm9;y>`dGW}_wlLUvyu2B9y2xkI$XuC)f#>!`2ScWF~8*RX_UpI zi|fYXF~GXAc#KtPcOUD<;aFsj94u)U>$3ZeM=EuH8exmXzs>`bYg~iVX4m32KK8Ln z1nZArLyR?X*+S)RKAu4t?2)tY2Lb*~`Gt0rLGr%<+Qs&;l?AMAKAT}izm;i!x5X%_p^R5qDLN&vc3s>&%C23 zOL&N*%x8&N8)5PstiFy;44;+A=a!&DU{^l3lz0M@&n=}bV34wWJPM`WmjWXh#M^Hm zA2CKlXq%)1v2{Ka_f636g_5Kb`h0CIa$weJi$3VR<|6AWTp~^@d|b~Z=IjYRZbeCc z$XXPOD=?Yoe*7`s5Fe{JB*gk7*iZ!99l<6e*h~bQXH0Siu{^?92TF>id`}#wzwUm* z9|-)DehLQs*X@r#X5x>J>A1sh9rv5UZ?w}7!zAJlj(^+Z1OIeZ=5bpmSjPb8tF_z(&e@w0`iF z4RHMH1Z;@Ul4HQyKqT?8ibFz7=VwYBSYBDi$Q-sjqh&q?`6QwAiW^Nc%y#G8V+A}10(T$narSI->T;&?9MaK`J(0#RDQnr z{TYPPi&sjg(jT{{%g3S^d-ys)FNpZsM8~dA9tJ(Q5Wjt3@Bt$AfweiLXdhUGF`w7Z zSjr`ANxt?1^ZElDdw`LMePB}#Df|O=Ac8G0=C=>X?@tSzOMiAE4}&!*{9aLo)R1cS z;EUMvd2OyHucOSVFgAkH%cqo1cLF1EeGPmn*2Qth;P19XIPgXCt&X{vuk(C-5M`bt z*?fiX%dB^~R3jf#;-U`ZINpML(#%)*(FGlea1oC_hfvPkf({J(^Ks_;aowjd*q>$0 z;y>acJ{>?kHx9)ukqQeaJV-mfs6#@g}w zGY*m(U#xl3pFPO;Dr+9NyXXZu!1rlo>tjlsNf1enVl6GM)A|3&gKq~xAnAZTb82qKB!-e?8|*j|M-(fNLb;j~u%jDS>SK1`wi z(fq0X`zeUC#AO6TgV_Q8>L4?e9k=NQTopD+%xU&b*6WhdvCVDL%y%VQv^`Ga^4bDe(Z)qZ_% zi4OK>Scf(sz~&>^5yr$Pl&cZ!Bx8QA%JUT;ljkdSXp{u@P0f{q^)#V-1H7mU#ube%+dl7H@5dX4tL?}0IrHndxVkK7sqnM8a6HsO#En~q=yBiLdD zTZv#NB3PXo6Zp~`!P+8NC4%)wu%QUHJAzF{Fj>DOR*1K(UoLlQ#2f3$aklF|cZu?| z^#p6Adu~moi)o&Z*&aG2-0g3ubT)%^KiiMMKgquqtWAu^tjcF# z^8Z>SF2I%|ykiPOZl7Yzt)1Sr#PuJ0D3S?q+@7Y`GouZNzh0+wF7w5$t*Q?Av3h7r z>g@qZ?MG6AI)RfkV*K*4DAoqp-3bDTABT|)3NY7(;!P&S%A&i|`Idu;mE07QqsZv-pC3 zH!+6z`ukn@uJa4|qw@>ZVsQl~ajgf5B*yc{^#Dj}Tv4YJIEmN;*6WbMCUk?0&7*Yd zT=p3?bh}yS;^*nm{uJw45DTX()?(Ck_NeR!&-qt;|M4g=5_gS`)IFK0vp#rr(FeEQ zQYrC4Th0e6hv?md4C$1!uiA5^2SXuE^??m8drV~Vz8arNiLFr2C~FY2Ht!MOFhqavqp z8nd4gF5|WaQl!7&bU{ZlihW8DyW%fJeegPA|gbS>V z>-ktEg7rtRGtDRXJ)`X5H0C#a7QcHz^5%Lgopt~t*@Jx8Fn6mzr-C1&s7xaL$8pRL zKX0Z%qVe$O7jm)_ILSiPm*V?VgN{|SiT1P~!1hLXfc)z>Vj%Hx*Ul<2fREiUKvLO| zcg4IxP7FI1?N7n0aSxCZWxw!IMsgngS%8j2VjYWfN_y$fagg&k7wZN3A@ipV-{aiS z=PcH+vx{Dk-FPFv{LjY5fss_)d$xbu$Hy}$^R|o6AP%y=9i?~gk<#fBFcKGwNDMGm zCmn<18eQkIdpX1=aRKsR&Q5 zTf&1cF3+hPp_d;E_#)3wTz~Ue6meYVHe6lRk7oE!vWB-v-A>jc5BwOwr+(H|BD#?( zI(HqRI-QYva{n5$dAN$r)hfF65*@~*neSm`4gzaq%*Bh&fmIkAqhkoL{s=b2nB+Ei zyBQlmMG|0>jL8@Sn_;XQBof4Up0T3l`rHhe&uZet8^A-AD){mof^S{`G#@b1VmbU|&dHxma59)Q%3&QTZ zI(-?GwdvZ*_Osv*vkpE%fQ{pTMB0N+#%LT0HHV=;2%KaMZ@F*Tyn_BHaFTJnMe3gf zPSV4DOYyye8_vBRW1iAW?pqGiabdscJKE?(U6P3)K7|hhtRDeM`Or$x80+2tt)Xj6 zpZ;#c4HsPBL_D-L!`wr3tZhMmnDx$PBp%0D@8TcPyK5%d8KhUtehbf27uQJrZr0DE zenh{^udiYO|M#$dZ=^nQWQO&K2L#wWW0HHojxe?Y5=lxgS$~{unj6LEQ^m8sI-bjG zh*R`>RNQ00W(V`f=(y-_kst77fH{6%4>LBz_58d;9OU-}+;~Uk@d2*CD^fot>`7Xap+5ip-`qRpR_A&WgQXlJ6JoJATV;wL?^{E_T*srbLNA~1lAEA$dR;=VFY?&a;r|KYC8?&b zJf%1AUZs$-?!Qv;c<2>MYmh=X4HTLruT}{Ew=jhk*CO+TEGR>C7?TzFfn7%yPWlLW*!?FBef& zg)XeBEmz*YTvb(b+p5}f<(bZ(i^@$_)nNa4CUWtaRH8chI&zxz%dVHT%&cSaC8@>J zdh8ibN2Fi3eNgq)TaT~Q>uasvT3Nkw?|ypqgk9as?3xveTdjI!`Z8Sn(dFr`n{JR# zW1LTSeLY?KTTZtFIsodtK@vsbXL?$9mhGK$mixQ?EZf_5miyayo;-a!(-Fw(HJ(?0 zR<>{L4QYDgJjrTT&XS$RhQ`xfLZj}dXVK2-u0b(}(&k3_h&-k~E$qhl^E7G+iG#F8 zxrbg4J&i@}E?f_TbSCxDF8r54#{b8z(79Dw8e7hED;G4;k(?zvXUU)Lv*b@({f@H~ zpR;49DQP+@{se<(IKjS0_C84OEj1=ht;Cd}PMl=}Z`ypwrcqXzp#z4EVBr;Zg}2r;o&*Gg@=0(3-5MD9-h}*?BVkVOI+|A-(v3$#KRn}C3wDX z;oZ^5OO3oc5ziu*5D9a$mfX1(f%Pp$-d%`i8IQXf?cL4DYc=xjPCU!FU25dr!`Lpq zPh*M8J&o;NW^DIf#&+9@XPF=OHu5ev^6q2gbr^Z~HS+FfooEnKs?L7UKjB!@*oR|I1e`Re#gkG5YI9%A3{7!o<7uQ?{|&7ZezQ@XXO39vE7Fm?e!RW zR~mU&8F>#k@_LQDM;Lim8+ng3^7@Epkw+29vX6Z<@htnv#~6A2M&4tMyvG@Nk2mrL zjJzipc~3O*oc~2#tWq&_t2rx^5q?rslluIcjEsOMkrw}6Ks?L-#riqT zi^!g3-0-}~((biJdqgwIONeE8-ZVx$%YN;prdE^WWk%l1jXW#u4~b~GZ+r#uEbGP} z5zi98apGCV_m#x6#Q9Z5-m8tgJx1PZjJ)fJhi7cH^P7#lw-|YUV&v^J^4@CXy^VO5dH$zH-jtE|b|dc{ zM&3J(y#2(p<2^>+dx>XRPiKt0_ZfNbC!R(Aj7XOL z&Kh|iF!DZVBk!P*_etVe zJWHJa!pJ*BJj*=#OX6Ab`Ljme=Zw4sBk%J@ z-WQC#FB*A=iD$W9e#yxDvXS>!M&6>4_Z1`Wt47{m8+k{JyssH~e`DnRt&z86}c_)m#e>d`eX5{^c zk$2L_`?-<#3nTA8jl5Gv-hUZ+zcljx+sIot^8Uxj`(GpPS4JK-HHS+Fc zk@pZI z@1aKC?-I|FSKUV5?-_Z&Z{$79$ir`LTKaLNk$07m_i!Vx*T{Q>k$1I`_edkJ&&Yd} zk@sjL?=ePRzmfM?BkyrW-s6qD0VD4TM&1*RyeAoXJB_?28+mkFYm%oL?F|}ve_-T2 z&B%MYk+;jpyT-_ShLQJ7BX7vadzO*+Y$NYEM&7WI_gvyxuD{PS@}6(xjTm_^F!Ek# z+5o$g7zsOn4pHv*f|+ ziD$`!3F2A$`v&4!_OWj?^4?_RO%l)2-!~h1Z!z-z#K^Ob+gr(=CI8+=Jj-+MKQ;2E zjJ&rK&oaL6F!J7MjCgGSzmjJyLz-iM96j}XtYUVW5!mb{uX@;+wdeVlmoucmy0NS1yaG`9Om z;#t<0PZ7^Dk3MbW%^P`tZsdK2c$Vw_Ul@6ZjJ&@z@;+-NHu8=cc|S1n zerV+V$jCcx3t<7=Y?BkvbR z-hUF$vOhgVJj;Fee-Y2}|37|dw-CwV z-#JF!RwJ*@$lGS*oonRXjChvkYxPFn&5gWU770Y=^xM&1LBye=c}K}Oz#jlAD6@+wB&LySE9tryF9 z{H~GLZRGu)k@x#X-ouQ%9wYBcBkw9B@8L#XuaWl%BkyV>?~z7cpON<{Bk$2h-eZis zek1R(M&9F$yvG}P14iBxjJzirc~3I(b{ct4Hu9cg^EFz0AmaxskVqg%H7#ZpL<7jl8=Xd6yb__b~F>jJ$gqd6yB-BKI=dYd7-lZRA~U$h)tR zcRwTV{zhJ>k@o;2?+PRDfks}Jk@p}Y@4-gi?-+R%Bkv(b-b0PN-!<~OjlAD8@_ygQ zdzg{eW8__F1CaHS!)|%3o^0ej#mIZAkvC}M{ehA9G$ZfnM&2$X?;0cT z8AjeSjl3Zv?^#CPvyHsx7EYB@oK|G865%Db7g>fVAl}6sHjJ#JHd3%h!*BE)% z8F{ZY^7azXB7bb;z0SycJ@G90GGXMs!N_|f@hqRuyoq?0{F^lL-b_4;yv4}-6C-b* zk@r?3?`=ljpAyd!zbWEb?&IHXwD%4p@0~{8ek1RCBku+y?_EaTw2}92Bkw&%-g}L_ z86)p~M&A34ygxJYW{tcL5YO@)^Mgj-hm5=fM&5^sXPIvwG1~j6kvC`Leay)FIPom< z2_x?y@hsF&8hM|x7^4n++Q^$X^8Vb&`;3wI7e?M8BkwPbyw4hWpEL3nh-aaG-pKm` z@nZAntu&^WUe|Nof1bCcVavJY|6^j(=WQwHy~XEkE$6+v;B7lE>KPGkgjk-HzJ>tOtZ10D8y{yFsi=YFu`f0YD$ z{~UaOw&2)5M}5C!PVo#6y{`q-yevzj~|NL|Kx82jDzJCt;O-k>d!@fSh zy~js<{ByK_fu~1({~YU+zb2r4eST}NKJ@2!8HW1)IrLkU-am&w+dMta&sFC)Q|EQw zImV~nJ4b(U{$?sIB0QNR@INNPleyu?#ODhS{f79toFUn}w5RR(xeaET(Kp{WBk+GJ z0=v%8TjW1pzalvk6F0U#<|XF%nYNF*nEPj1pQ<{M^+C?d)+OQTbwt)Fsju~j)9DEM z138^K7OwX5Z1>aRLyS}Ahrf41JsnrERW>eiT@YTY9B?W16kPMP%wJux%wNr`b=?wv zDhI06ank)1I_~p)Y4=Ye$2wm+nIm!2{lk93mp=dGMjW55c*E~ltjqeN^JnZv^ubb9 z{1EPq?YG#|W&W1=q2pZE53z48f7|`g{V3~qS={vaS?7^%SD&BlxXE(>-A=9ZGCy>^vbbrU zH9o1XSaRN4f@`>41AP9+T*~;Ctrx=!ps zEAD6Nht#X(kLLZR;-Sa+*X@TMSBcw<9H_F)zxOGgoR;xLFJ&!Wt$YzXQa)1-ZsHRE zFY4DJ6RMH2c)gB!lHX-KWp2Z1Szc&d?;EZ6xw3z)<)`e2rQNc1N9<_59-dV7RL?)9 z&QH&Fzoh@tFaJ9vd82e7Jn4t-pKygI{n6v1d2&7QzxyH_lx6YM`>WKiM91flqvC^7 z{aQ}NZ{3*0S>qB{jhFR7;->jJE}}2ncb3h|vVD`-)8%hlf6MxHbL}{v>*p;(D~p4y z2g19l%hSE?yyB*Ii0zM*4g6Vdzib|yX)}|mVp+aO_w;(F=dspX*J<%X+Bw^P>^1gN zc(wcxp7g)WU*XBRR>qV5%lMY@#Gb5swRo})*5b*!Sc@lmDOFg5@22`Xz24|Nk$(Gi zsvV#1I?z+i*jdzFc@}L|Gj&xpd z6M?DIop&Fj+NV3Wg9eQ!Z=?nL*U^sAoei|I^-``gdOeiuiWt&*YhMS%z)f80`{A3a zIsE?Xrrh)qIMcku-y8XD61fi-pUUQ;@XGov^~?0KzZ0Im-?!c;2~XN7^Y@L?&`n&v zKpeS=+ri(*`E3&2?XqzYo?f4IceGyWoo=6RDnGP;wfukcnRehbJ1q0ERyE;?TV-() zJEyyk!S9p*HcMH5B_5|czSjN4qkmmNdF<1!ectG`>C=b*;CatXUwq9AU-Yc!KQF!a z<(IWz)_%|XT<8I#RC*_;iVE5zoixp{5ayk2hZ3O092o4ZHa zKyU7mH}4xZ?~XR_7&q^tH=h-3K0n!frnLFwZ1ZX2<}=gH=g6DS*72Zh^X_Q#?r8Jw zX!Gu9^X_Q#?r8JwX!Gu9^X_Q#?r8JwX!Gu9^X_Q#?r8HnXPe)w`+xe|hBd$Gxi$Y^ z>LGP&@E0En-PV%-v9mS!3m86M{x@TR;b?2guL*4p{t`w}XKTr?LT?TJ(n7}1zCY{# z#fJ>fJlT@WJ-M)pBmDgf{BQl$=I|S|+23&3l2mRN;)ek3i177 z|3dknxeiF)%lP6QLi~dc_y4j-#>fAc3;%*ihR?g={OrVg|C~D}e^$eB|B}PECs|$; z6^<}}_iI9bzRvj4-Vpy5;|E?J;@@Muazlt8XMFs_A^vZ||6GXwg7Kwqg!unBeB-y; z>s&XtB-5(Dw_rT|UKoc)#%H&MU*Nxx@rj#<_zuPgFAMQY7++F&E8~@Wh5XAHpI&ku z$=~k7_?+TDfbq0FwDUWRPb&QP7*FmU@*mFlh{7Mm_^QGm&v@nX(9V+?pX&(mr!(Gn z{}6u`<0lmUe8!J|HxGe37-f92Gqm$E##gTh@o~oIt`70*7$13bh)*y+{gx1a3*$@M z!vC=~CHT1^egor^=ZE-=;I|6#4>CUTfDoT!JUQYH@?db-jKl<6{cHlJRAQ_c7kCuH%nqJW<#2r!YRK@M{?F zRM*qzFg~ZQ`!8gCNnQ6}%J>O&-5+PXPhH<%%lLxA-za=_-G3|NjrR@nVL#(b>iYg( z#s}5){exm(UEe>(_`Hh4rx{;W*Zt3m{bz;OwJ$Ngq^`e57_a+c1Ok6h*&%4cOWPp@HoN#W07Jk1uIJkBp*{KVB^ z{9nTOoVw29@7&{l=Y+bxd|Eu4L z+kbjU&;4%-w_S<&-(F&W?7MOMFE6qG&=ULeCH4<~KW_gcCH6;3><_#otRV5(`Qy0# z#gLxIC)@8AN{P>GiT&B1#OtgwxvY+C96ot-4v{iB;4L4|Dpyj|Z$ z6!YchaevNNag+J@ONC2+)0YO#=Js3uJG9@#^R6|#TqN0jUwzV^J&?(b$+)Zse}y(- z{`TZ?%1$;fXniQLQ@{0f!=OgvWtg@etOI>n*6(1QF{retS z94<%()gvA0?@H9qy5w4AU-F?co*F58ojEB~{6s85#Fgp_u7+$@ZbtTU_1j;u4M zc83j%oxQgV?POJQ0D z{_l8VXkYw%i?Snrj!eY;oOyEG&O(Wug%Ue;PY>;6XLZR3lpWbG^}I3kCmZ(*k|A}S z&92M0pua61N;dA>lb*fXkYSBeXPOzH_8+FVO6ds{_F^w z&DX1wdqPEawl#Tni9aW@52SLZGJhJAS=DY9pSt7+Dh}e$RbjKaKTEF*72?m=OZ=Jr z)7%wzApV>x@#nUo`9%B~Q@D&*x-V3SKkLdL8JD|-^n6@;RHDeb@qWe6{2}t&!+wcB z^=}U=WM_5Bt`N@eFODi)=I{JF;`VpFE3A;6ZB6d1#!>P!d1q)x;y2GuPfobln*dPD1&`@^Pm>gIB%lLjUr04BErKH`y zl6IG7LqpkFUGlLI&h1Z>*l)c)?~*%^evN)8G?blfO)6>}<+}Nq68m!{_IG_aX1^}^ z+Yrv5lN?v}^Y#CRxc|ckLqpkFU9uL!yszGxsBI(f|Fs&SP0wOG<_{inhPq}}tP z{%=pZm3_&#q3L+PPJJn~FW1KxDmxON*>}h7jD97wlbvl%Izl+lpJ`=Z{9G-u-}cqe zkofsG%8vLs`JT9+V=5sst98kpO5(Y$?2DfZ?~mKB{9EX!+{ayd^N^qUU!TlpUxdh& zGGCguh7O6Hff74QAIeR*1F^I3W}zMFZ)*tW^Wr*XU*g$(Aa4K2%|k=t=Rsvh`a4)+ zr&T3%=I6Ez-&B(47~fa+^XC}Kezs1AV}hP!>wja?sqAFWG3t_w)woMMM{X7NH?!QB zEGj#)K39~TEPu8qjp`ANtOH9Qj>mca4)JyelpSgJ871vLSn;LZMfJc@`rCfzc)Q1y z9l8E4el+x7{CU0dCyW2qL|u0B>+i6#FaAul#r+w}zIc{5F6+ZPlpV?EzU+%eIbZA# zcEs#&P3Bb!W&LVQ=2g2gzKg0|iSukpyED;tDL)%>7u|vM>lezt^lSR#Az%8HJ~-B| z#$-&{m+|_v8ZYTri|ViRtNs)5b|<3ko|~j0J-;qITG^NNcJ7m51?kuNRk40;O}-q$ zx&84H`%|Ba+h2WbXedjAt;sh+IDek@jgq*1M71k%oBMRU-KnRB4P>|5+mjV#N7mb0 zsBx6_w)r!0`;`~P?dyD#cAuf_%X9C23eWthPkKt)oi1tj3(AhPdqUw^{4YqR)%~yJ z?H08T%Q`=Dei#SI=Znt^aT%AX68~3}|CvAMCexvr{PT{+L!lz`b8B)U>Ss76sG0e* zJ?T|`O8y@k4eN+MX%@h|aao^77IMfPWd3YR(h$x+e;K+iRER$>EAgl431P=Ff3_ya z-w@gnf6~u~c;-)IGNr~#?$;g@n$P1iTjI~b!LUN+PhIl-5YG2M-%xh)byfK(@o(Q1 z8j}9bzA@~V^tba1Auj!$E9vhN1hQ@kp5n%){U&)3zAtik7Qn4uI$Ua z==oykzqH#v5^wiX)vjE>297t%xBI@5cJHCumHsy0 zDzq>CZ9Nj=(r(ko;_V(TY4-}%uJrf!RlCyP!IE}&d?MEF)?{7Tzs$M4JsDN@v#%r4 z=eA!9`z7<`gqknex^#;~U8WMbkNA=5Z+3m8&%19O+LySsFNFSQ%lOu$ep2z>^Su2jYTc0W9a8Pe_@@6F zZ+G%Zv3{MKv}YTkyppv0zLIv|R?=?$iQI%ckbK@Z61FSz;;^!l#j`$1e-^hhbU3sl zaeI!6n~clPlzkcZ!T*Tc@B3QZ{>znp+25vWeU|<0z|TYb63;mmPkDYaaNCeC-}jqV z{%7;$78{=1OPnW;#{A!!9M~ETu*BzT<-f#d?4Gv$*{al-OS`vA=Lm+;*$UM z+v4`SF9>gVB>!Ke>`VMRlzkcBN{RhrCH6mDV*hC+_B-oK{NEAx|Gv)*;~?>wRQ4r4 zjW>_mUr*!qA5vofvnBSIOYE=RDQ16bvM>9O!+9sN`CgYiR<$eZ_L^!}*6r!+KN{zD zByU$PiM3moJXhJ5ala_KAE0&hmhre9zH8k6q_Us&t1;1^qe;JdRJ(b<&WpEutUcCl zV>0rQJOu7Q_Q|W~hjt{+v&zqGUEP|zUyV!V&-UcS%1?>&z6ZzrsY`yT?2A9AE{OTF zHTk(}SJwHVkB0pce`ZSjS$|sSPuAMDq%|~?fBy3K%8tzUk?o#(#tulUmL_-(@eO1pcn zjko(lWk>dG8YTU*DhbsHxe`EFo0{JM5|NY9ojLV3! zleJ6xI`zF=Ss!jte94paw(+>FsdmNxBg&5WKU89;=Vf7h#Q$F^JDLA=$!&)65V!;J zzcu?|lUynO&y}>BygY1I#`kf`j*Rcv?c#CR^P13(#9@!JBXO83v9n%c=i?=ITC*RH z$onh#&@mbMBXR3caT7mROY9Gp*?&uDU&ibFi*i@oLDudC$%vY#GG1MZFXJ_Thj^U# zm9+b8Wk=dwQtit6JbuT}zFaRJui_)ui`%Mwk*v>Cs$Gfy%3H(uWd1ZJjdNjq#GmDs zxIb;r3i;yC1?Pr*@#o7W{v7*h%%8gCnaaNSGnoCrNZxoBANoG9YB%$TJ{R7ZQ{931 zbF##rQT4&OrQP}dSi5z}zbpHahi_5#B@f5iao8`h z->Lp%u*}CDZw~FtKDJ%i$>LL=G+q&p^T8WJJCZ-2RDO#6ruE>-Du3=hy&vlCjn^+J|G8<6c>R`t(w%apf4(>BlxzK{eE;}z?YTSm$@p?r zuUTHDbAPmQi&j(a`kTeuY2|i0x$E%j=9+vua<~BF9d%r?6)_dlI}K9Q~FLbDxMWz~ZOb(Qon7 zeQ><}R&LX4)0g|=rPJ$weKq<=SEIk%(Jw1zd-?I|SB*nDbwJ;$pPHYC9DB^qUTj`} zmG~+@PdRp4+-9tpuD(SAJx?KdoI#|Lw@f#1g#U9s4z| zo8?tI{l(g)Hz9tbp~ZP&C|sC|{@MPr>GaI^u6FcW{4^drz5b4r zc>R_qI~+Zh&qK#guV;9(cs*w4VUC^Vhff^+=7;jt=+6jEr{8}M)aj@eZ)ZB?TAoba zJl=1Xuf|tXZqb72%Jt8MaP(XM-N(^y{!cBM-fvy$)9Fw4>Ys|Y)9TgXlxy`WbIP@P zc_phUci-vDb@!7if6n*raP(V0YIgLSov%A~T7S=V`nx?Jc_+r#*W$k=I=!8l&&JDJ zxr_f6&#hg09s8|as?VI>Ke>laS8js$FGs({^G}X`i|0`3^!i(-)t~G|pNqHO>h-Eq zuC;smf_Qmr_wv=0o9}Eiw|*L_j@M)LI?B;+^=dzR`g)E2Wjenldy~({>$m%|cTT(> zt8czzk3F|WoH$W^=X=$Tofbc7h11*9+#PR^m3z&!<<9cDojh;;|GQJJ`9HBNzFuZe z?FrM{ll#K-_Pp=dW9>5JlxyuWzM66~i>5EPe>LTPx0-U-+9KXgE4O;#^!06AO}U9Z z@p{bvdt4sRt-g`flp8sB`f?|yEq9hT?6jlhw=*35tMZ$pUv~QW*|A^o>94ms_FH}{ zcjDIKA$;QW?Gk=D-Vf%VFCG0BhYgPX7Kel7)B9)mwCT!S&+ByTRQt~NUU2kV{){Y| zUVqn_)9Fv}*1saYUZ#J1HTn}5Pp^OKoOt~dMw`Z96c82 zg%#7=Q*-Y0dM;j#p4Qdq89OgtkMgs>KRhwMT=QG2qu<)4(K&d_;%#ivbo!IMaBsZd zEZ%l@+RNhYZKqs|x5B^1+iB&NT{eBW^{XlOT&G-XmxL|j?X-63UQM~tE2b;gKflQF zr`?aj7slIf{XP0he7V-&mpXRJ5A(g99Xrhr<+^B6TA(sj@NH~_Fj+YR&Lj7 z%I#lGx%G|Hm7DB^9Q{_`GaY-Z+^<$sZgSQ1^{u&o`f_{Uh_9EGyJu}Yw{laris#n8 z^_NXwZt_2;FSq~gcs*9`zSqTb%O?jq<;tE!ulw@p%k6z}`f{U#@%pXYi|XRJ)wjYa z*XldDnsT#yrYm=rx7}*`b>|iF_RAiBpU=DT_E^7m&v&wZeV=2e^{=F5)7g{kRS(7M zH$OajeLOcm^gH^^58XBK_FK8(SEetw`=faMR_;ryDfjo)l$(0h^yQYkI(@m7AIFz# zc{^k4cy4*S{OalT*S|iUet&+?8J}3*ZglimeRsMczFf6$ve*7eJh%2e-m%mC+&Ha0 z{`n`XiMPVq_d5rv)~=@9L8n}c!}Y@Pc3K>^ zuBP0nucj}z@r!spR^Lc{Jh%EropP(%@1boys`+0*u;`QEFJ{vBdw_~%_;AFtp1@R(z# z`jKxks)#%S(H(tN2nB_G){nHy=ECj!0{!sg;6>j^ zz6rh%UU#o5lm@SX7gYI%`By%CDZGg|Ool%Q&)QS*lR$lYjk9ml;_6-a;QDGWyDfbS z53>(P*7|kze=(?UO0vj=FBe?v`FzIA|9?;4&KcSo`KBvne~QGtz2SD=l<7YN9=>0O z*C2l^ymwd)P(-~-;a&7Q({nkzYI7+Vq}^_Sr}ryPdeDCtJZ}xz*$RIYUbDU8)8e5I zK0&+JA^#D)@qXzE!M}yuJ~6X1VNLn7?l{RCPw{yWZ@GTI4=#(ht&q>6-*v}+>Uq1s zGni+~fFA)b`#|wv{bDgZ>18?6;_VuE)$a078G3@_JA!s^-b{98!ykla=mToJ=iqsN zH$7)aPYd$P;9VRTXa4*E9@<*+#=n8vxwx(9`5m6TKyh0O4_;#r>}>dtJXsCj3SPQg z{c9M0Bs}e2fp+*A@aC(erxJcCyoGbU^i$8f6F&Su`N!<(gy($d|HHp}iQ5<9-t&_0 zPEY}T@Dk3G1bc(t8>>n?F^7mIs0llm`B>bA3zElMHWQAL%G@ zw&P;k_YiuR-J7m(89r_^_jAhX0F!oheDu&>^$D1@LTV zJhl_OoBdJxEzdguKF0d8wO1j$^+i9h{mag;3bykFcC01eUJTF9^9}Z|=GdQ} z7ldmdU%W`%rqOSM*U(<(pLTfXpCoVnx(^=ayA0*%f6w$g@%cHtjQHrF9e;-BaZqd- ze6HWk13S}>mtwPj6L>r40s6llyS9PX{6(ajev}QbTqr(B+#UkAeVEpNgJrLnKb<(N zfOkLU|HHqm++aF7khkwojmCcJc~_hKS*lP4{C0T%HgZG({`d#H?E$X@Oj|3ZstGDZ<)xaFkb3G{{irv zGl&P;y%=8chWfRQ&x7-E0{<5oeA_LFiti-FTwkM zQ-{csS>9XlimS;F*#9v+*YVE}@Tmu-xd;EuO;)+XJb#&;3*db(sJ=F?*b`p%ru5`e zZh_B(abxYB0;Z=7`6kCdm%#_fpH|VEyZMcC>8W%tL| z;3Lhds697*01w|OM`q%OIqS*~RjlKfJ)6KQKbId$C^rkw$1uyc%Sp! zn&h9$5X9&3yKCQhN9VyyO#W+)PmEW?i)!To^YdNs z5bN)`==nR`-XFC1>4cBGEKMBubKZCS+-kkaJPe0F_mY24I zS05z5+2@>MGCc2K#ak-!i{X{dxaAsnKhKHQUiZM$Ik+=} z_I z#<=fiz^B;%Tpar?&)d)Bo#*;u_~gkFH2Nl01I`nJ~ zZ)Kjr;$cttF#Ceco;>)_70P2a&vP1lkmn9-m-FFePX4(H-p2ke)87aWV^2PIw!`zk zS3b0Q1?NEo_39Z{JXl^GfcL(Ko#^=z-s1Gf|H11XmV6TNJl}smKhU4_cUhQ-o(R17 z4Eb|}K*@)Dld`iN`BULN_0nVYy%e6o{n~H7*mbMvA&@(<=OK86^)=J;A9(Jsvd8>C z4DV@G0NQiJAEy6%@d)K^=D$}T)HnM|=_!Zr1Rwu8-Vb^3Mt#`YGx^|rfk00K_wi!v zKO5fe`2P~PookVT{8D%u9cTo5?t&LM@%gCfKPLYE)eWz5^6jheLVehG)q4yd!4sWv z!Y@7#`d9QV8Df4*_B&2c->5UMz6*TlTg8>N%OUVe<|Qnz7Q?&P$7}6-KD_^5imN94 zQw6X1Rq@}9f0n?z%ajO5$yay5)4x;untTVmneXJb{|4n>edJbN4etce94o?Xl^!&@( zeFSdrT{dF>5AY;DOlW!Oces6D()4WXzwaHyXEE_$e%ltF`<5Ek^y~po{6h7$es?Im z`*k_S+VMnq+FmlSpZncncroi%roR@RG(+P7yN}#uobO)cQQt@4ZG2zV%6$gj?C5_R z-s#+5K83fFpKaX!GramZ`9DIOud%WGR(ppGDZ`$5@RDa$(J}Zo@Z>=$7=TCNdFx1j zCcFqf;EeYw;F&!4S$?<{9$`Jp^xOf@epPX0{(lT!O8Z(oJm>Quk7fQthD5OEE#&Pz z8uRm4@an_Wk0y}+5pL)28K3JL9K_q;>8fuF^6Bt0XI*k{crNGP`spHe9SrxJ_B{!n z?Bv@^;e*aR+Y)&GHPTy3zrGXR_D^}n`gJ>es#@|D`pbI?Zu^1FpZ|pyou>X$V0jYW zyruk*j-IdJ9(msU<830pHNP(dE0JFxUf|3}Z3QnoP;qGX>hRmOaC=|C%Do+)biU+GPm6KZPd#sEc*L0p_%pnZaY736N5Mz9UzmSR^?8t=>z|gO<>y7n+j$)}A9X!^ zz!?wU10QkbVLITQ&N@gRyknskySnw4_fAND=y&d?Bk-Y@)Q;x=U*XAof86-I&84T= z8J}+f4+jf>{xux?)AuKQC{y~&;0O3T@J}k^TJz5d$VYgt=|uho0iA}X*2W-74TFhJj_4W!98c5uo<4vD9IYieIDMy zec$5z9eB;Rs#hNJ-@scI$ZytPeuLXN09LQLTgX3I%+nU4XJdF5Jg)E%*)j8hFk}@y{K1z=!fx?l|&)ho`V!kO_YlUg*px zuYh-buZBvby@uga%#&oG=Novc6Q47EhXi@JY()L83i%XxeTD3AhHnk;WSz_WvoE~L znU^~XUOanNOhY+(ihUmR-}0FP)_*IJZ)P1K0r|_}O%?KUF8n6reE1~T4;NgIz(xwu|NXDE<%Lw+Z|?!gmkN&UN4|eAvnE zFI&Jn50ipAneXihAK*S{_8$aK=uy4ukv|fizOLHK_z7@3Pj3wQa(KPde{0}nr^pYf z$Tz@S_fkLYg+C4t1q;XiWp@4--tO#+_z~W`cD$eGZzaDqIC*tzcqjWq5-2wUpWwdM z2j3r_#eLu8{{oMq-|RdSKJ=#QW#jw{;rZXGU*w|yMtJ{5YA?J0J_^r#TXAmspN89a zJ&eBwA8`CL00q?m&?OTaGbGDY>N}YW&8^FD=?CB>yw}Iz1s^cZo|Mr9r zuc!N6HTn;Sch8i6+R$?*yx@d6G09HkFMyBjp!O|;Uk8tJ?uXT@*|;;VdjdYnx}?c> z!Bd_4*Q@Y$XZ-Wzd-&%vwPQW?{Q&uVXC874?%g26%Lt$uVd=?r#`&AW>kpTobMQ~F ze?70| zvo*Z$eZ`xN6LvOv=Q-j?c;;foVF`Lpf|on(bs@a1PllWR8{t(Sr~!>X0?%gLm52Tp z;LZPAGe*q*et7>`iU-s4K0MQTe*X#{x>)v`pMQb3ttmUL9h0{uo?nuG60v6!cschw zyT5D)w{z6Z&VAs+SE*c+KLXz6+&4?$^%H8yYRbJ3p803>ceB3+KE?T##_xj{agI|6 zJ^zM#$FCV95%|mS>J8K`<@B!);kC=xib-Z7zY^Ymv;5zubmpzSo%}X&js%;L-w0mL zcYBNA+rgXnk^jxl+3;20U&Edw;Wf+~bC)BnrP6UL9<(^e@xD1RmOO?HISb z+5(^WUG-&H;QbSxxsBv&V!!2ieelG7dETB|--i$VDsJWe3NLcjBa$=dr#HyX66(7Z ze2D#@=C{4zNk>Sq9(!_4{ubF;3qK8Bdw)`l48a${E4PXthg=4)cjgb5!rK=qo~_^A z15t;p0d6CS+Gc;5`S(6 zPZ&_VwURG)gck=dAoy2QKlb)Ad1wCrKzN~(_fCQ*vrcVsbuPS<{1%p3-WBk1=Q;g0 zcyvnbIEDS~@SHznU=?;g3vW45?P7VX4{qnBm#DjXBk;&x(r@)m+(CXTxlIOkVdsYM zBI3l_eFu2^GWjipd^WsmBk9kD=fj(w`{`NmeB#sc(q(Y_-ma}z-VSejR}Qee`geFK z>;A@FBe3|NJcm4Rt@41yPag6u&iLVEc)D}HtArlm{;Q3Bo+6%twJbCJS zAl$w?(@ebz;Zx2$=Na%i=RKe$aBn{~cm{gzgSYXVXzkbuuXpzSz6Kw4#?_;6`#$m* z`hSL3IP2pxcaeW;gN@(*Rge7o@C4S~a^PWj>-us`B76^cqVv3b2t3)D4>=j$?)d*g zc-KnBVKVyb;mv$^#@hEDc->Wse_M}u-1NUG-h-ZQxP7NyrTFiQz$06!Uz8*NHr#t# z`P}UJ7@m5h@<}i9KfnhTsobdk^5$j9&qEtZzpWc?3a`IddaT?id^kb!Hb3wecnjmG zA<8`ko^`7FX#>0r-gT_nw-|m2yp{JyEKaV6XP>G1PSC#|gHLXyywn2!H++=mg);On zGd`qoLO1*!c(v2+Kg0VLOVIMq%w6TTI^x#)#X9ivKg(}@=-&ih;jGJV4^Lm9epiqD zzVI~GQ<%>7j)o84p^6rg2hN0dI^+CmcvrvLs{{Sl!FzX+|E+!Rf)8{{zm0$X0Z(!E z#r43e&yhb%(f_{bcg6`T;T`X&9ql<~65imO7KJh4xpl6pM`pQuv5u=Ts=;4Q@x%s@{cJkyzX{TQB*t@tTJ{{%esed*7Iuf2!- zR^!Bf2=2Y7_8mrk2Y4gzX{NyUG5L1sx96$D;T3NvKa?VW0(=SsJK?9p`%hOpTK`=H zujM^lyFcCt?{(s#2|n2^#aU_w?;r5&9|UZl&kOMG1La_T&07J_;#^IO^H1Re?CUT; zOu$EOlOLL>*PK1&=akdM`{8Lm51vQ58JGLb6uWjtKKDZPUyq;fgFM@TSIx)fBj4zZ z+l%3~AE{isuPrwDb5&j~9nxP7OlhjKTBx4b4`>n6LJyfbb*7~af_ zv)1k<@P-Q&pMF+3cOzyH>o{y(b$GqI-?-tnw7TYl??=aB&NkbfDTbcle(?d$N2 zXH;%4@+0u-J;m$cKf$Y<{Jc)K{5ddB?U=9Xd7Ho^+lpJi+Z{f^b6EoIcm%xlOZE3K z<(>sE;XA?!@Je{4v)<7JFLv%1Pr^g&bErbk3X^y4U!TE8d4H`N`3ZPYul!^EH)(JA zp`87(mVXw&`Erge|?wpAHU*T<^sX+?J zV>iO>-1SQ2AAslZ-A`NJc^2O3?6dk1UVNV#(BkJ?ldqFv{_=i-k24RGPPuFBBfs?@ zrE$C2zcIY(GR1#B@|p15N9BPK@pC9VIZxxOc6hPrah`Lpgb(rFwDqqW;U&&KzR&^Q2mTB9IOjIO(=`OIcjgbjgSRjqs73yFcqQ|S zsg%3!pH<(aHx(xqZ(G7!SpZ2;wY@#zeJf<3*>gC&+*yw}4c^WBVy3?e-jyoFjnuae zo^p};V-fZ@_&hd_S}tJze-Qb$?<8;isKfZC(jP)k7u;J<^(}_K1usaFo&op>JiSez zSk3Hx3!m&neujSjKe*>SN6g(%ey-xV!}`m{@GNIuHv>L-yA+$B_ky>bF8edE^H8{b z|HAxsIy`AY@@XOwtYV}JQAC89hT(yw_N!n4kk|HJ6n#^-@OVc}Kd=RJ|H zWj(hG`2*ms0ifM@TgI4?$iPk8r2*%LzkBzQ@cU9Nt;w}m1(O$R0 z3!L*49)wpodE+T~t@GUR8r;6y8^WHC;5jcUZmZ$n!JGdqkWHRUI7ogQXCF}r`4spt z>y_5-Tf)OL67a6p$;wm0hX-k6`Dz@P21r zE(2ce@B`t)tnc)%A$ocOuiQaBKCKLi{ia&)rrEO#g52Y$s37J6Qfq-CymPi2g0%X}m9H z_oH3ltzRfke6_LbAb7<`ijy(;(eO<6)lhA3A$;r-8D6-ie&HH;Xb0JE@o*QshxG-! z?>_>sI!eE9{$j+IaZ(nzYW6c7s#Jhudm^y>7bIxo zz$)aE6II_9{ICRG%&e)L(kh6M~m^t3|9`_JZ4YF{+V23|>V3tb(5gZ*=yVUk|TlzR3K4 zE4+~Rt!mKI3a@nL(|X}UixlT=`pf$S-gu%K#NJQ&25#ROv3kw)9T=>?R66s$bB*Un zaVhP)IlO9x;?w%Yw(th$J+*9jDf@hS)SO<4&x81ECJ-#H79-zsf%FgHhs)tbuPe`3 zxsC9$r4p<|{(ktxWwO5>-VU#wvsR2u!C!zkgp*>#{J#R8#(v8JMy@|gVKtBqX|_)wnguhOr12f@3YeHTZ9jojs6)&$PXFI1nS`H!G{~< z&k%eQc*%XT$KrWMcqRKc%ny6R8_J}h6g>ySC!KRpkAe5UB>nQL=as>0X|ELYTmUcr zLw1hA>*4u}rJ)jjH@q%G11{756ug7|8=1(z49|1ke;I-|at@^F`2jwDliJbv?0oq- z$64Rs0-m^rI-T4t@GSOAnBNYEx8mR&^2TxSDxPPPv8N2){(<6c1b#8R(pjf& zfM=d2L2Jhrcq8l1Vf1vs2b?_F3vYJrkMF^USyxI&&q{bU>ow-*+5R{+xL@}=R4n^(<`?T>uH)^bcI{y82#ezM}n-jg~L-g3AUS-aeAdJc{6*Z+j4Zzl^gvA+jC zc3Qmr+ddEM?3Vji+4(i{IU&j0eKX-`)i*I!`imGpYyfXOTK&T0_kvIDtNUX)_8evM z-$_9?emDhQ&i&o&Uj)xdksqqja}nIW3ts_$!w-OA@Y>+OaQ|vTPZoUa z0rbERfhRldbrL+mdA>UzKIx1zJKvI>BQ+|w3jLQOAH6}IwENMm@Coum6#0kX#m;*4 zi|{e_nG_-avd@D!OnyNi0>7d{_Ox$KyAvlX&{MV6+A+yY#$BJIr~k!xJwGE~FeLd} z^sje}^ylLr%NtwzJg{dpMS|8YyC7e}`5qzk902!jiNC++!^_WJL}{(^XFgTxjQJ&G+_U2 z@Wzvsmn`1yh4*o;R5tQG@NQ@QeGs0({CP9-U%|bP^usdPLO>pW*f$`3m@~ z$X9<+R8{rXWy!RkHrB`;^I>OWNLC2n6c+Zw9H-!H8d_KePzs)=7dBObiJ@Tz` zzcjx@>6{Gq!xZZyoLL+>2HJEcfe(p=RE}<3M;Nm{=e{1o|kPsZWuo7%$xlT?{)Zk zC&+KvzF&iDIQFOKZ3gdf<^i(dDdRK;mpGy4sT*TaS%O)@JweO=}eyoaW(#&1TC(rkZ;&P^_@V^&G5;X9mk%-eICmj+beH)lzSTTrT%k6aAm4HdFR2K*$9)T zAA6U-XxJRt^L}?Oyr1`lGby(iUUY`;rxp*3;bSW$ z$m=EE74Z5x6*z*P+e|;}-DU6=`1oRhb~@Oj@LcD4rx)Jitb=?EA1qgco8M-iEWag{ z$UnKnLkc|NyswuIZ{|JFD0c1zZ{>aSA@m#$FDRB^KJur+!xw5?IvCXtE`#T%)4zz@ z+ubm;D1U%(w$>-3W zrr=4NDE}0rX9NEq!FaoLd+~aBhR*{#CqEJ>g=hIZkk5Zj2Ij%{gI8RyIO&HU2d|E* zUVZR0eIDqy?=FeHD;?G^@#Wd8b`MvevC2uKyEdT5PpSnu*s-)aq;fddhC%}(@ z_px8g$~_6*?tFLVe0XTDnK2EvKcNyH;ambM_iA__=fJd5?k(_S=X;2)@N8%Q^Rw^_ z?!P7Ic>|t06+f>2816ayG`@q^@f`>A!&;}w&uxdv!FGSy1U~G{hwKCovHq2aJ%_+6 zo%aZig4eRo*2+B--gW4Vn1&AYEP@wbtQN8Osew0bEBPGcZ!tYi+_swh`)c=2J!CqP`cy(-KwS5WEK7vrK-jg5U1*AP+}h5r|+< zGxFu^-%dro9bUbc5>~Nme6&i_=1P5%nDOS;mZ*9EV0_Tjt@Pv$+@LG=F*-tFA)=AEH>rTkO%vOE@s zhgcUjd-jD-ZL5BijQ%6xIfpAitbd&Y@8z5{tM5hdgws^6Jx5#(?`oS9)9i;q?79^` zLjP)p-v>{-L!b=)Fg$sE#YrW+2cAk?nLWesLcV{Lfc*FH8fTx_tTW}enj+lZ`tLCy`UL;nx(0p~p?uT*}>bo{dpJnbggWBqhvcuG!NzOd*|KKUh)Q(oKHP4bilbv~(P2r(N88Ss4-UeQCzWmURojbwXcyGn}>Avv# zi8W)A)-H#^8@P}7=Ebg);Wf_u-eP#OGar5{7(`5H+X5CEE&Xae>z)!u8j)V^VSyd=5>^Z!|2I?=f19b z*?h>s@Zn?Dh)GT;ti7Y)Vds7AQ{k;t$l84|JdJZ{$|(0*c=1}QZ!P?Oc>0I4W26h- z0Ux=1q%fsZ@mz)9nr12%-7gmdKQ zzIz3F(31=wX8bnB_-AW)i8BwdKYZv))hi7>$HKc_7nq>jbKpfUi(C9$0k3BKX@0l` zJ`#NJ)W53G(*_?%Q2Sb5eHK2&dru?CFNaUODm(kJ^Aq^ck88#xE0JFbkC2zr;XlEv z?v#8pe2yO&!FVzm?*BJ-rNXmjuNC|M6g&)X9FQSN@V(%fJTIrg4~6&iNz(jN3@_eC z{;5X33f||;tKS08xKQOrk$((6;jE`W3r`x5{ieSU-swF5egyC0dzWVCN_fIi>Zitk zhgZy#{l+(1D1R1Qv3ATt%ZJ;+Q{R^TCLe{5GHy(wUMIp^o#(8D@N^C^s3jgQhmSMw zYWsX{fM+}*`>h|{ZSvo%|2D}@-ZSu2#)m1`^A6l&KH2ij_weLxRHHJ5wKwZr`Jt3` zhb;7L44-tynLEO3k5b3&r2ifPFL&}oiO+-Qh~bZ=xD@^8Bj4%FV_c7XEqWu!KY)CP zGoSNMcsK9yS^s(-p5&}Md;l-~MSd=&UB=<5&iyX&Jo%?7JTGR6<$?9#!_IojR`43~ zn8nXQ@QM}c*U6N7EWCvGYAp`S;GI{>&I0^!89d~)%Tjpj{JAkni_b^lqq~dOqh}es za=G-I{Bn3ohT^Rb`H$i4g$lp~_!K;Rx;Wd6ye<8T#O4F}&YJll0x#t}aLdn!!OK`z zvggf{;3L%6>^$G}JI^&&!*eHPPZxf^+w_q4GO)i5-rXfX*m&Scc*XJZgXPIr;Hlfl zk{0v~!lTaf;~2bu4aJZD-`MpFyor5))_-T7FTbVny}4H8H-KjhD}Ib;!W$RFw|f*G z$r7(Y&yn!H&t!i){1kY;GyeQ5ym&p?pNIT4@a*U0=WO_0@L^{j^`G#e{Uta?ySxk^ z9Fd+ddOmh@LjeU86#ND}F@*Yxyb--pcm`Egx!?iAuKeM;c0L1FG1w6s|{^lO=sIwpYFnEdc-o#(vQ_LGwV&~cL z3MWrq1Rq-(pJ%Rv7d!LAkHQ-{XUXzvH@xy1>9P9u!*g~}`&MJmhwvu$zctY=U%|tN zDNd@8{|#R6oCCk%U**p!`itey?cm%lc%2=zX0B`rrNz1 z`5Jg4aXtWVgeN=u=l=!II`$|F_^H>@Tu*{LJ(?{qA>o1^M6FWkbK? z#O{N9hr-$=9iGQJNILfH2KOeE_ln?0!Lt^KXVYG1z=x8RABK=GhYx?Peq{Ds4{vwY z1s;YMIrF!j@QFvII1~NL;N`c*$McZsC!R-X_m%Lm&DD-!^vt?Q{;6~JTW$;w*42Zn zP=9%0_|QFS5o?zN;7PBkzFGL^IQRtXBj*1ycouop^jr)d*hb^Damu|J9%0|F#b+}- z^%a$yM7f>tLBZ4>|j{xAu9^->a1# zR=rQL8}j{}``w711L673IPi3M9^(-6&qeSQ-fPRn&Ib56`x)}l|1dn^V(#O}KMSv0 zFP`_C{95AXhtJ^U&U3*p@Oo#QmVAl)mce&aLzKHYeB7CD$?|#Nx7_z67(qS<`95d8 z<5YO5b00h(p2xV<{B|`w(|P{73+_43U;l)cZK61=#Gfz0lPun_^L=>lO6377cN{*| zA(DptZ2yKBkKH#5;G?&wUG%5toeMAGTrcAn z!H1mn-#U1Sv;X`a_`pjVH}-EXgPwv{v9CJ~JA2@H?3Xh>1n=Oz?*Zh0h9`cgd}#Ge zyiES7@D$HY$S;7GXR3WiXy1L{o%B1)x5t?t#`!hqISpRRdZqcN%Je(mm%j!+b&lGr z7(I>fVdwe%arj84+R@HccmW<}f4=$WZFs7)&iFOFcYEonqTHX1Z?1SKgRk*7`E7u4 zh{a(Fyq5i|CCKjxFLuu7%!ZF0AP1YB$G{8y`GDYx#{TrYQ{aitd9dfhGhUUQgUDZH z{OkDp+WqiJXFvQ?@PyYjkljoePFnnit``e21T=G>8yqf!a7V^dLL=HS_ggJTL^Egk^C6to(<1rU9159S9s}9ink*85_p+2 zUwsd}gZD$3mi3;3r#a8RFPl8it)=My$mcVDSH%10YtzsBhUT|ld>-_#;{V8y2==UfwRrAO zJWum^5T8}+NPi~syTDr?i!XOSc#e~Yi_o7uJ6``na1G@^BS#o(`{b z?z6kW+wPZO9s2h-{p0cd`UH4!y8K*({Mqp8)5SC37sHc^=EO)V{5p8se-)qRhr8jW z&VB7^c=6})@!1d0ciQ)Bcn0SWq*87|t^8K`q3Ub>D;eJ4yg$AbyoT|E^}F5SDV&36 z^*sbWhMyBDw+P<)fdZ}yel9%CInS^PUf7^~HG+JD&x8Il`l&!EycPLu=UkK?cmee_ z``<-RJ9;AMS&97QY4QE&4|vv%iYr^sO}$qBOmgP8GvVD`Ys56$`%U}63!L%T5%7w& zq`#TCJriEKgY2on&MJ5>`&X?UYvE?NBB-+4)Xtldrm%I_d5Bl!|{JQJeTjF<)SA7FW5tQ(#8pg!xLGrr`fzB zc=8O*OB4}53*mLn`7M{jn_0gw|KA7i{Z{Q|?-x7)uXg75UWNB~@>`g|8i5xSi?i*? z`yC#6bj?^zZQQuN@9^OMSbx79P>vrKz`fm6p&IyZ@MPXEF!_Vw1&pinkUzona9;?+ z&xMb19*g<^T6mX}4{wD>kJo*{;;jun(Imy==&JTmXhdv>OOgB#@MDEYzOuiVb(f&HZvXn8V%eAn?R(Bk1>cqi)`rvF%Y z@nfoQ6?T@w!_N5OGI-_F5;Q$G!pE>b8$FM}+j;IV-VHBs?j!HO8_L&;X=tT>pTl$e z6|h#Wccc6>$@7}E`&@WZzZ$p*d(z-d%u7tdcY%*G?>!9P&-mQAF;WLFhG+6V9cjiZ zgHL`V3(cM@;W^7>kHtg1&x3XxWXh*vS*&xSXW&&>}cb=uhkPbf| zK0t$nbQ|_6;gK&H=a5fsg158&Ywhwdd~`>(OF8mwuRSpZMFNgBH0d&48_W4C;j2XDJl`Fsrd6XDG#C_fa!&x4n}DaRD!hrhw| zKUO;?!LNh2vJPVYc?jO))VBkk#Jo+Ia$klIAFFb0{`O0F!GDk>3#ByRq8Q^kl)CXT{kT)$-QP*x>U9BpnD@L& zDYpimc%SSq$Dg;ri=1`a7M}G_DydwBC3AnKq$#-}& z(X$jjNxPUmkHDk6|6+dVfVVsQ)qCN6mnq&XZU^D5OBnyqF2nFPzSCEYJ>D(yPae1@aHVyB)th4bS2nyd310!P8miwf6l0Uh3>`jJ_qmC10ldatJ-& zA)hi!@s^I?eut0ttDhR5cdPXDY$pd;y*7n6^IT?pcX*ihhO#L45O~O$w>cG__MkKj zBVP&c{Z8?3&yV%+0mir1z7N1#ocZu4;EB$DfH&Zk&iH%;KI-nng!h)nKb_c_c$@q) z`L*n~INt(Zo1pmbKz?U{+ll^ATlkj9`KJ!(d2l>$JQh}D|-;eQGUj3co!S`H)YXUtj&VG#9jq*<+&xs8Z z_cn!RovpYszwHd~;QfeJ5G(4vXQ?OUb3tBs{9YH`B1zY`Br$x zMY1OXe*zvpN9ESiU*3c_@m_Ey@*lwKocEYk!rPf2Q0w?UzFq#wAd8YtNNUrl0(2@%b1$>Wqh< zflp;9-Ym{vhmZ5UPP6ALc$RaY`qk%w{e$nw@KWqw)6c)b_`h_X+R^lH1Rpy={jL!I zWWiIH$`PsPITk*0y6RgAFM$_3`S~KB2liBR<7GMDt3|$GODQNv&u#FD!vqH4_nH1T z<)0{V^>29CnIC=$p8dP(TT6R>3U7Ao{24w-`&wMB<@ejbZ)wcK*JDo_eClu+;`jX6 zwF^9#eu_K2L*NCKicgD&W8n=>9ylAG>Dc)uJ=T;1F@p-I&(Xdvp zcI3O3D{}IXpL|1p$Yfk$@-HBt*)97m&imm7>>~=J=R0_%v)(k@f8Gw_bBuMy4CMa= z?<*3hg>M3%V4px4JOiHW`y9Z#@*t5e^$NPsn-VZgg3FWx_|!uy?g_{`@)e0D0_R?X*6B0tHwQg!@% z?!EG7UWxkSkf&>Vc<&Z+WEys6!yDOGUyXbLyxpnqdGL@ECpGY?eCfC6!TaGE&iOE% z@Y=QIpD^VvgO9>3J_q2#bEMzoKY)jLFTNB#-^0_KarMmmKNMn52|W27HI$8uD&Z}oYA+iX-3aewKSM5h9`tz-52f7# z5%?3x54TGZ)FOWlI{hmH zo^+M`*?|21@G@uIUIZV#OXb!hUkx96L;erLZ!rDNzVv(Hea^hcKi~<@`N!FJyf=0r~yl zeVm(=3_l7!#dEaDm%1Rp*@ zU<`gZJnD>lPlMMx`)SWJ{lBPRSYEvpKKYaC)rS5h@R~gFX8O^+@S=0oq05ke8eYME zU1bB$TMnQ4O7%5946lAhWCA_k!CTpvk_eyqu>4t;Ap6VV>%r51R{pp57j}o|Rfy*x zf0XHAoNxA@3vcB+(GleTX7bBrzxBtZ@J46f+5_~`cAz(eKg7bW;@XZWzw9}j{TI{U*>pEV@?A0p`!A;Ysf)ek{+t36Gp5`APJQ_&m5z4HIV;|34w` zInR~z+vFd+?{@He>G04svU7mEu`9gz6O~(ud>*|1LIJyfmBAxJGBAyHzYdVUVxt1nfYr@)_rH&+QXp#Md97W>>}mFK+!uXXm5kHRb1Pt}M1Nq9TY#TJM2 z|1N)Ku`er({MPWEA7qH#-*<<1u@37esn~Teyu`^fC&DLAl%U1iVxI^7qSv3_4KB0i zYUCRuDt8n=G{7Uy`=0-T*Er8p|A9}vJ2$4^{Pq^S5_xO)F?bK>z1V&8CwSeM`j`1< z-aq8GG3Pvl9pUNhd$jxGq42(kmU&$|fuGUxr8o8V(7Dh_+` ze+xY8TiKb1p6B7wYn87W;s1pX&5ifZ*Kp5yKPACWfWf#cWg8Wkj-K`5{XCzVpLc{$ zIQwdH;Ps6v*T%`mz^k0^5|+Rxx0if5k!Jnx_KbCL5t z^``Ko@7InQltRDQ!{jf}4WXa<9tQ8cPL}w^#jdmAV_(RgViNaN@Qz~nvkdurd>;6r z@e2X-!xPANmn*Jn@xvSNE@%Aq89e07FO9>S7$2J7eu3w_qj)aIo;m-Lf5sE#=Rx>Z z@UU~qbm#l>M!aJP(A>YE&{~XnN8{_y?*IV=P}37)^1@>ntaTzJ8$YDXIv-3Tva-p1~O55mX8a+u|r zC*a-A^VbW;Z7oawKu%R z*qC4Zw|pq_61{S>&z1_vv* z9NzD=%T@4H#}Bu_6PZF{Bgt}|6`KJpj) zJg9H}^YP`@BOhvz{l&<)z-u-ZpMZD3OPzBty5Xth4QsCzJ`c+6?}{(?BjkIZk8k%$ zc>S;PLp$ZB{agO2bH=wj!CUB$1<3CU&t~6<#nmzJNoQa5+3Wkq89zk+xBhY#ymN{2hCj5AU6;YV1NDE~58nWv!wJ+j;NR+C2oXcAm3#hBq?*X?cEM z_z>?;wW)Y7AKo`p{l&i1cZ$!0ykYGWLH=Ci>o-z7+s`kBw>tH$hYv27f*$nz6W;9X zJ6-1Upxo|J36>)NF7h4QsN5R(7`*8<**^~d4L!ww5~zo-{fzuvd!6J*h=(+IJLiNa zBEK7a#5pG|7oOtW*N%fH|4I48;%za!{sGzFjsC0QQD>d;K6uF4FZXYF|18}ft5glI z58k)0^f#mbeRwJNqg?n()AOt1tq{J3f1e2AaEN?jeh9-mk5|2lk>3|SzO8`G;~fJZ zS)l$nf_w?QW3KK9#n^uVypesOX3tIV)?q!@*nQyv`1mi#=J$c=bmLv^4lZ@Zn`DH-k7V zgjaI@VKV$oc<#4qFSEZK-q#{OSl+9KH*!vk$v47FIj2;=<$3Ks5BlBkd>L4Yoi89i zxtr{?ezzR?!OtaV`QanvvkzAs=AdUKJpZ}){Pr_EdW{018u|Ip$ykz}!(DaZu^0D)CcqQLAw|V3By5)x|=X;~+@canlH|+T{Jcs?amIn@pr#Sl+ zPl88|m!CVN&RYZ@KiP|2iTcaC2;S?Q_jMgSb-vo&;-m?le-#R7ug8pEBFSWUH$24p zn&pAz@G$!}J5cu}ywe%~Ou`fRK3XaAYyC(5OmNo6L-1;6ytE^{rC$EA{4MlahTf6 zzN38jk8a$8u<}; z%_oW<9^1T0_~>6$-vQ+3^vFMD+!s>eTl+kS=gCe1i|1XDFLd_L?}L2jXOg#eJRF`& z0Ggg6^rSlL%ZuURA7pOIPw|JKB(W}#m>3t>%1g?4&1DA%hA6HJc;L#9QbzdRMtUEJ_;Y(KzVgSOr=hXn}X|{$?@qo$%3!^whvtz=xjG zeYty2Y)~{cImpJnYL-6RfvOf|3 ze-CeV_G!%NmHm~sC~~ab{{*k*`ydwQTfs-1`Lu(59@rmRLj{_jk3+u0Sx-C*o^+V} zpNSuS+C%nCU90%%!v0F+Yk5D*^1~hQj9mHI>}-QqbgNz#x83joXI^3jJi_}U){j1h zH>Ak_iP-ZyyxsA`2CvBe5ylAx$nOpxW!-iRo)7OmTwoM_B0M}t<=XoAh48-b#G}M* zExg@%?rVl;y*nqSxexu1!YebR$MVv%CeJ)=E%I;qJZRtCPXtQgpCRw@-3PmG{)Bw* zhy*Pj)_hg|={sZ1*biFJvkAQX9@%4Ym;n#5j+u}AUhup>t6l>M`avGN_ahQ2adi@W zg7a!DPJ;7lgFKV;7WN>24ZN7=Ws|=JUcmZnF7~v-J)Xy-@J{$J-%GW8xD1~9j2h75 z?LBz!IN~_btd+YDJcIp*4fx?0c&}6L zS@2SaSHb(8=iHm%)laV-v!o4s9)eHt{og8h7ySPidmkt}udP1pKAv6>;DAC5QHVkW zh(x5q%#0*kP93U0Gk#JmOY<}%M+TRxJ9F=7=4t+1&%Gm$i3@_5R8VI{DN3UxPNEjK zOKH?bfEP8X7l@#=T8UEx7!V+W6I|*fN}>>xm{dT2zu(^HeEU21URJf<^UUnK@A=Nz zXaC>(obQ&OUwFyk|H$E+-p94o;rAVW?PraD62JXhhaWHAyZ2iTf7|m^i4V6zK*$dd zJbp=h{*?}Y=Da;H>ES=>@cZBOCHi2~=ktWa-}d`^6Z}s*{B^%y?v~?!i^JdXdpRC+ z_<4u#`$AK!XC3~U!#6z-mhk@~;FQyY_Y5)7;RhW5tmiqGeViY5_|0O!?l}DNAGdsI zqQfsa{EnXs*yrQ?YlnYW==nzuKj`_lv|pe3Cr0P@3;p@E4!>R0kM=wKy5})ce0s#; zAAIxg*G!V$n05Fwub6&F{PS%Nzxj2Bf79pRb@)ZMvyVCaqQf75^u>aF;QIFa9e($V zY@ExEf79U~yM5W^@E>>hohbvPefb%OKlURwPI~UIJN)38I{ZI6e2e#aZujxG{$EDV z?spmBk;DIx!?$`J>bS$d!Qmf$v5i0G@PiKj_%jAi`}=1dzN0wzy6W&dU;L#S;h>N6 zoeqE8`%Kclyy5VpMZM$iIDBi-|NLVPzkl8KaoWfKCk}tBxEJCBhacSfrNVsR_`l)s zuIIaUJN%1LU!lCeUC7Z6hd);E^FD{4`6i=J+V^K2eskIE$gG>6Z*}+;?-x4g&s|LT z-bb3`V#DDteTj{q_~$PJPPx8}JSG1n{&_2n?|leo^=YH=!w!Gf`#0P?Hf}lm;^&M$ zyIjxnYoBhUS@5s08$Qne?en?vWwxqIzPK;?X`|2CUp7MS zaQG7r?~fV%6Z{z9+ah87_s@-hcSgY1eEj?0W%OM1ef-NK@c)|QfBfIsd_M8#-g5X3 zhhzEr_v;S-!}f92 z@!$6PMZ*6J4!`?dw%*i7`U4LCc*ghF`R$g&7k}IUi9Wv$_^{`;e{MMZU->xQ$vU0C z9Qfpiv#!SyJ)dy+ZkLz4PM_lrpLRPn>G0Rz8vfk#Bj)qnKF)jI_n6l8w?^RqPmX{4 zubACzJAHn_;Wz#M)z^GJzcyl=-*WuNTzEP!w(tbVT@JmJC-LLN&zTTGO zKjY)S>Er*m4uA8a@m0!u|6Ra`?c)zQ{^L)WKe;ch%i)*(ecx9c{;6NE`R}=B(Bizhwpg5E-!!6;b#iI{fQCd{~sgZ z|9AxaU;eq_^W;5NQjdQx2aWI9KK!|jUmgzM3OMEB=q(e7H+(*S(&4-P9+)wQA008yw>kc%?^p7dE;{_N zg3kYo!w+1xg(mrW&*8WHeTZlLx&Ol9N59no#~uDT)J=xb`BV38UDv~Q!lhhKMp?}5W79lqy(tFPy1PPu;kg7I^r&vPU2UmO8%kAQc5{9A>e`G&*aF68A$9X|Qz zZM|>%e!cJTErmbxZvh{+U;kkQ{C9ku?N@BQ$&dP~4~!0H{JqT6PS0lmA2$9;$A8B2 zy4M_ka|HhPI{t&dYR^sl{DTg^*D!xC>9JpM_?=b5zvy)Mm~beO>mM0?c7CRze_#L4 zZ2m9#z9&8KtiwNO**FiK-(Gfj_jgP#&e|}ID}WDM@859zE9VUH;HT{8SKS?s|L%x! z-t%#`73=+t5%|9~0{*)`&NF_0-7cU1AO7b?hsm?H&;t&i0DRcG4mkdv3x@x=B-}G@7oz7i`w0;=Ixc@N3aYGz8#BoEMFq8>HnJ|huOSs z+BR#Ow9Q$Mwi(-m_i6x}uFcjaYm?lkPxoo~eHvbX{aVj{4YuDPLfJ2rC-v!*`qbw4 zq&|I8pX%4Agz}V7p3(qM8C)m_^yvY8dO)8Z(5DCVsr^SNPYdN~p*$^=r}60~Sz_~v zasRLX0NDrw+4uvLZMuc7QU zl)Z*xuziL|Qeq0EC4XQk{DHObhZf@#Ayok*S@A<7=@~XBo6>}awh7sMY&td@n~crH zrXqBk2zhh!3GyWVtLg63Gsu{mPmnM1Uwyh?pYGSE`jw2i`2_hA{}sxU1{cax`t&J% z`jkF>N}oQZPwhWKIUtk+LOCFm1N!u7efqRMeOjMBtxuoEr|l>7AN&m!0KE1SKx;n% zEc~r+j5m(W%$z=U;7eO>66D!%r+O+JDtXv{bNrzkDNN*JlE+rPffjW^0}!= z1J2BzJT=ukGJA#}jWst``|BIMey81-o_fCd%KB2j)0|scYfc{Rw$@uKy#St^Inz!V=(VkfHFLBsL z4}Tt-IWgYEOs76Ob*iy6(W(RZ@FjeIwcYHlt@oS#wPtT^{ydgJP^;ZuZ=5=GVzRls z)@nBwmX`MEj5n;ZRw1NPb6tNl)|`N~p%ksmDem)2HW%guJH-!dA!Fm>wKvoAKM z51l&nd~<%e)4~dtTjzR_LOnc@#G7AVHn39>%k1O->r1WW6B{dYo%P0%!!yEct-ji9 z^;X9N$+(zP71^{a-L>VV`B$6si=FxNjp^r(%skcXzuN6ImwGnCxz%Rx<@M(L+G?-g zUs~x@B$}B$g}rV}9cf|@Nc)MojfKY43)9WXrE{HL|JdqMUj)~4PECCdRDSkkW7GEP zTnDriWg3T1G}n8JOAGzRCinzfw%S_hH0M{k{G_|SwAybjbT#nN>F11DI-A^$2G`eI z?<~x(fpMDc&b)R7)b2OGy|cd70HC|Z@Ao>(oq3y0MF5V9<*lu9D$SL()&9A)mCpLB zeC*0vyNQQP2&`x0(JzWoMe(I`tF8XVdZ)S4Zis_UpE!nnoH=yd$kN2xweF=}Z=c$F~cK*C^*$aEc zGZ$LR8xXj)wdID$G&5sdIn!M2ywbR^)?HsPs`Rk_#`%-o&g#s}@l%~vZ*BDjez&J7 zl0xg9{`#xUUbiz3))WCT9Xxe;ndCJtpTm-7jvm@SKGB@m|77#oCCJ49|2DC8E1lJT z^t#h4Kh<)D$>%<|Tb4!|Q%Wa$Y z;zqx{_R1>yE4~bJC6y8%bZIvM^j!V7?hn*Kxmpjegd}|q+tR`9D;tS0S zt#v69m$GGv{&@4{jU{LxKBr}>uGR0aH|Jh$o;>_#w4<#KRBQ{Hl)N%OhX*aT#+&`+ zo>&I@YGajb33iuSfY^7=K_BAl(3%~ve^w`r!>6BZ_WJ9q?G5Rexz&lerPXfB$tK3& zN0Z<<7oxqHBG81Zq$Fpuy0-X=rs7!AwIUT&9Y~KElbTuPKRb0|>eQj*$G&B1lH5w= z`Pow^!D7_ynl?3moO@lDa-WL0+(R%O8NTHlIMtHcQsotYj(MHeXg3+Pnwp zom<;9eNT7g#L3xXN2X3qJ==JGa(|s+pk!$9O`)HgUm2e`koeUe(%X>K2kWDmh{5Tj zU=v~P1e-p6YWn2Nlo(My7)4o2Ug`7~4F@U@e0l67^tS{m?W&W%sc~th%znaekV1rL zLhFiPK`$1bU$0N~G03lr2*l?LA_^=H9c5k=}Od2&pvy=U6iP6$D4Ctv36tX z#AlD4m;&dYgTO#STFc9Da;UkWD8wJI7M*ok%?o=CF#F`VtJ-9v&AEVzGXXd`3ss$n zK&rw*k<4aRp^!*Z+I3fv`g*U~d3l2-5^|tDp+c7L1!rpV7`(#S7d0liz0Ut+SV}E4 zS9@vooW4$)Kr7OPn~>y~iI|#g9y;-2V?H^&(27$>W*fcp((*FPLUczsxb3!2lw;^( zXDIV)DFN$rgUKOlASqTLdDjXk$id02ct;{+)@YaqaU6>x-$$mJG5)I*2Whdq7-os* zjx}2wm6vymVV@ z0nQdY(KQGfd=qHY#^FOV$Bs0QoIC+eI0RzN*c>STau8cR+MuS5m$qwuVUD5+yJ;So z`K|3WY}njz1t!f@BXT<&zi=g#rfd&N&sS16$7JZ0} zbiZXbsh&Al2npob`^4N5_tz6!(}iv>&|jn3H<_q})nYY0v*r`g9RiKv!55(lBD`u9 zB?r_skVci-GVjL3f}w-H2XiULG($8G7FmLK(s2K^d7-o3Lr~V3Ja!5~aq`rQQOs#a zH2e{m%xsw{sZ<%Q<#Xh?#g!gIBpHV1Pa^E4Cr@2P#&`kDxbUiZw-U0_ToKVFn?7C> zt{LSDu;am?niKAL&%=D4kppj0vL0k^KX@lQ`$p}JIXVk%+q)yrA3EZ$HW^40I(%%l z>AG_ImQgsD@|WT!n$+JugUAh(*`UXPES@4Iz%1`}(Er$HLV5VNOF zBQr6J{KE-4-q;w17R?Le)P!VrKBUeqbU!_2?UIZ#hZR?6=OPJ#>-G?})wK{+7jqX7 ze+AtY6^v}s_2dYxH;Z=Abt#l~)noCu@wc=&%p1Inlm`Gok(J03o;ng_iaTP#y78z& z_7LF6k#gO*f|zmTxWvHmp+yGHk_aQJ~$0g+fq6 zIl{CpHXY0zp6?)bT7dGRE%J>?Y}=eU_F2OpQ1)#k+BF?HE_LyOiCaQiLLZCdl@%qs zFSUnd^`I4s<>{;74T>3(M@)K1CndJ2%&L7;qz~??K~q+XLUQ={q35P14kOwV_exPQ zP?3*b#9dLYj~qWX1r02BY4%ie^3>ta8pll@g%xn0PU%Frdh2k%HkpK&KtdM;wWK9; zPh21TH&VTac#rl0+r+d9_gj8L+5xUb@}4yp0BNr^?~_Mn;eokX;pkZ&VVtY%rpKkr z*k7ZElmQY{ii$MS>DeR7bF|u@A8?cEqt+yy8b@1%eGt2A3rk^sdRW{{7OW2fGb zI#@$6M{|SlQo%VDvvyr{N{%dvJuuFNaip5NQ2&(=MT?eHriR~u^8i~UHn%)8X`$F= zW0~5*oPVi^ja7yYh)#OQIoHKY2A%pv1C`E}`#s4KNnXYLQg;!onTGOk7g<2$I+b81 zS2DreWC%dNTWK8TG#Cc}RBeH!lI0UNYoSt3QPR!eo+dX)Tu_U*`8e=1SOk(pq*N zPf3R_181B`a(LWi&t1U(pE#E=ZnZlN}J3c)PK(ng6rv9qzkSCACRh6TZGUjrZ zluSuMAvmtNiP@!~L2H915xGFyA)El}k2e?Bkhv)=1C^5-2e>PijLvSqS3mGM?Msqh z8X<)+&p~_B^{`z#Yl7~p3(Ulnd#-OSww8>0bE==auGC-phBOy6{HYhEoZUlk<(OiA zGlb-1EtEXTO_GRXS%}D?JtXJU<`NsO*dlc(+`1~Q8+H=3Rt=ysV0nt_EG4vO;lcNi z5?$f2hmRjSG0DQ1*-mI*=fC+)k+NLE%T?@^_q%oQ{pUn0Prw2>D^n@BEhVJEg7nsTV2GdmI$t*;kxE? z-exk&n2@5MC4fn;Ni3fAp3^gjK09S(S($U~I=|K(Li9H3#FeDYus%ZWqcpkope%~O zP6)TASSa|1_G1INrdLiJdR7*bsV?MnrM>j6V~6&8h(@|x*lY1ME#M-Q1fNyxp1xY; zW0jq2q;g*iv4@qCRELxzs4ZIbs7HQLvq(NdeKs#sL@?!gn7phcI@uMPgi?a+j3ygX zTiOI<{iPvO+P_b;9z+MF0}3sz$$$mfL``0D4rdk_UU;ombz^eMQ$bk`K%b0-n5$Z1 z&0iAwq2r%Dc`Ap6O|J%#Q7|!OzVII;;6-?OWmZPj-@d(88DhO_)x%3mlbQmffFTzp zC!#7qHhU|`Ekyn3ravY!A>*r-%GBc!^{*hUfhs_c77~v zQ}B(rA?rQNdYqhH_$PWWeCS-!7=wbAzl}hxqO(X#ck3uK5!5M?D6Jyb(kkIlc^#Y) zsEoBTStJ)lHh_T&_nP5RS%O5!fa+ul@06ly&sD{%?5E3cd2yfnYc=KNwO3S1meVg9 zK?~%F3%s-vieLCvO#Uc61BZ|!(~8j*S4Jh zcj);qP4otIbKW^ra457QYX<>|d=l&;3PI5RZbGW8f}SY}(vE@&sLPOr98`*Jv?VdW zzpZZY15R(u)aUpf|;|9HK3ay@>0)DoofKa&-VT+f9S}kInjF0L8 z<ai z%pO7ouQ`yhrCK1hnMaPIO5$QsV;07MUc)Nsl8Y?E^q^4xV=;VuZ>3l`uZndvQ>Hj9 z5zp;%v%)1<-d8?y@-iV_>N8;(oK&WkMWoA4ArKVh7bZi{p@p_ADNmqyunCV+d#1QZ zIh&*d*-s#kBLS>W#FezzFlhsLHix}ChVDD}Ev9*5`gWoT%V;!A{v&ypnSq&UW|3rO z#M)rPs5fLmv6`fI*bjmhKIW9u_Cu#ApWcrieG7tzI6^LDN?t62(^^eb%5xB9LV_#< zhBJ|<@=lp%ij-i`)L>R|pQx?+KDmqhm@-P0DOFS-c9@@#+|m-Jc=<(wYnelC4m`+2 zqaa^dvfWYa=k`6xS=G#>95z-%qZQP$cF>Ktijdqks1x>(nO75im~pJj6LM6PVIKTi z*0t!<(np?INa;ngP~hOK!=&!?g%=JT7n#AR?1G@b+Gov_9ee5zG_2Tv*Kf_Cc_sO4 zSxtkC>NTkwSTK_ltma>!11PmH(BF_|!~kQ>q=s_SBZ!JNh?F8oGPoRqvAW&AAp_6K(836^Mm) zq|cdJ6GD~$&_?9Cpts+&)>r1yZ#FF+%5k^ngET-&DOsB$+f7@PTZF}okZA|d4qEXe z8JK<>&3Yu;p(72BbnMwQ6(57rHHR9min0wVGem|QW5FTP(Rpz^2}l+oSBi#9 zYC|)2&@Huw(4*=!^$!?7 zuV{VaQ&GuB&jUM_kiN`iS*oXcjWtP?X%Y#1$W~->9Z~w!b9*F0f!Rv^G`jE zzTt^6G+^gm;FznI4l|fC+^b5MRXRRPOwjY$NmNK-oCwy!C}T}d$(Np!0yEzJ;eH)uxAN6Q_?KPd*dr z(SFsEVV>uzJUq9zUL_anWM%$>SvAY!sgZR+Yi{DyLH7Syh+scq9txeB0KV8Df087sYBK!Cz^?$tjkNzqdfT* zxE+;K@WlifCyz{9L>NvM&-oVhq({Y6Eez>#gtg3fg(esP!O*A(rW6! z*nm9DrA-Tg8kJOI`qarY==^8#NbyYNG>Fg^_LhDyZNLS69vw6G~bpVSL&rYQg-HCklsGN;s$xAI1W>a1`HggQ8 zAVTK$$Ud7xCX$|otht(P~{uTST5?G?}NlkV-Mg@vpp4ut)J zzNk!McACnRBH5OP16s|2*dg0$Zyl$%jRA2oq8H$kbB!9)DzytCn+-jmP)M zbIJx1)zoe-*dkS$C{Q^*&rhLAaZ>gjBeU2{e!}E0FrryW^ne09F~t)Xt*$atFt+Px zu4I{Gh-Xo`ew+`gN#x7IKzdS!kv2c6buxs5a`-ZWcsaeEWUDgkmXU_Wv-2^edav7p zDcV=vkDkJ5!dkj7`_nIT7pyA45&>sbOKsQM-kS&PDFewJ1BAWvIsxZ|u+Vaq z%RC+xzbcApzbco)bwMHyrBpOjfc`8`DT38C3yjO277{=s(-tf(FC*8u4%H7IPbEL} zqN0@==ef|fx}Y@2pcu7rGeQ)0V@h}U6;lRphRol=F(gacf9^C+l<~Y7tZHKLjlC1- z`o;IEoC5^`EH)l91ZI|5_u(hxe+oVK9lxTlU}6qOq6Q9=?YA9ZzbV+v%1g%bevBGl z?)EwxXmO^`XxQLHlxcuJW`C=Vhg`}AzNC?TuK=<1lu}QK4Ix48HRXcV&n3z5Qx(;b zr<51Km?>2*ezam<+3to@i+GG18BpHZ`Dn$x-l9Ar1IcIw8r}2rJshx|!`T);Ax74i zR70>>!x(TjREWsu@TSn_S%r|@m%ZQF4vMkD1UKB=c$&=OD1r^@t`$8qksD3Z6Nqb# zp1!?q_;ln;o`btMP-6M;PsQnEIbW_C1z_LoaHa^yAw8#H5mMz3hR$eC_w)=7KIxzu zIMB{1GB7i*oi=M>X%mr`?-1ng)$zS!`%OG@C}D?!C6L*U#e7TpdO9A#gyK4m?rN^I zpr+=T?nd$ziHQmJkPNVI+ZoW*r#O&3j5bWL(qq#4ar6Cnjn&U6gLBCybq?z(5(1pvgq9F=3BBBmBC}(iPasL{aE8_pirgSP2PYyTgV-x8hN!#XvS{w` z_WWowE5hBiu4y<;j1n16PPyM?XxTtaXhjXTS?og1${RGWJQud3hd9t&yQ(!v-<+;| zS1w^lMZBp-8RJ;Gi*?6c9nc#i@`5=HE!3Bi7AxnFfW~m0H(#@pTWKe`=iClfF}n~vKHYNjs5vm}AKYr`x5^$V4APkfleY@_{x$PM(8c_P7da?shXjd z)jFER#|u|F%C*+&pwZd2I$aESHJl@yiAAL2yl1~I=Se4;JSX|ldf-8+BM^($1qkGz zEE-i{C@rWQY4+bMm63yu+^o=+2!qOF&4t!HjxIYvXoaXCat>aN&Px*)YEHyV#Xexe zF|hCjTm^xo8uqsC_>St!qML^k({^H`5(-TYIam3De;4>kO_Ed=>;WtbO`mMs@p8&jgHa#*E|lx!M6JZ z-2KZ*3rIess8@>t1`eTVa#{hWn>kgLGyX**Q<GFH;ThTUurPN%q>r45)y-*-mOwW@g>&`Hzv`NL zfKd=^m{kYt2mUvK`lCD94VE^QI^u05HZXLY(x}2JUMOt!I?8l~JqngVuviXy$uWIti z$$>t_F?$4*7@<-D+$AaZ8m=eYl3D95u5B#CDS#Y=L_A3qj=a_spNJ!hV(;ltSlM|4 z8{k1%nifY%&oSOX1G(kfq~+v6aF+J;5JN#^s0MQ#KsnQO1Z&inFtc_N)?Jy%qTG-o zimVJD?Ns(gohYB<62>k6C=j)YPn_{N^m4^!o(M+-Hp)avl~gvAW*pOny;<)p>(Z2E z6y(&dTd5HE9u{KKe%g&`t81_tYVJnAFk+W#<7+)5d5m10GftOhoApe_N_{)7jzVt- z=UFdNkp!Me3s>Nz=6ecW%4IS&yWY-6R&c@)mz06+>7DIwP9J`5^4W=|y58BLY_U!b zjB1)uJOUZwCTcItPLM-#TVkuf*t0PPH5mBegfrsC{ED3TXaTh)c4n)dwO%ULpT+ODE(;e~?r#P;j2C?%55kTtWFfqLPM z5h9Lv(}-vu+07n3g>v{Yw)r8X+rYJMOY@CWNBp26*&l1+L&c`%WUwqz-+JK0cEt&Z zL&(DM>$!xXC_;UsRWB69xV;4T2uv}*xa7Btk&-YOWE}o#MrZC-9q|v9N%B$AQ?+Dt!-}93Mz!j$0vBYf2R~(lsr`NS|UM z@PqT$VzRShQ|~X8e>5a3Paf>~H3MYWGH@3c14z7lg@tS1F{)la!<5xmR&pVd5G}Lb zR`qt^B%8Tx$)4oinEo1$xgfA|H;mIzKFUh{QN%D81XQ?IO)532ChD1-NI{W;tgTX( zzD|MTl(>R?m#33L5{f*-LZYo7cb>-mh~o22kn953Lub}tMLjhvhd`@VI>ik`%BKwL zr{wk}H$w$**h?J7;f-OeAz6*jBqP@n)IXK-oP>?><%W~*mYTrew-3(t?|=%DHcGU%|HI7yW31p95g zlBD_8Oi)&6*1M_5X>{YwfL^wPaOza)oC`<3d61bK0(}#*C4?wdLc8vlJw;w7X=_P@ z%KFBZ8G2ti8>|d%jT5 zNYhwSrZ8&UcY8wei|AczOFS0VlNHM62)q{kfUD(vX?YuF00zp4ypjhl2P`JDIlc+h z5^}_$-Ki}`^vi&P6EceN|SEMv*j(p!(@&$P7Kx1 z$tav(I6Y;e!3|XvTX{A#d|}NB#>{Us&7LhdF0wYCLD#%hY9HUjrO4Giu9ofRJ^=@p zCKq>hv5lq*(XjwcS2nCvY}@KCYp=Yh?0C;hC^sF zs}Cf7?_yiIn2ZXsZ(~wS_yTT*NOpwVNzJL_WVwkT>&sjva3|QE)p$3bW{2Q6x3_7n zls2<}bf*QPKE;mc_v+|E$~h+8V5cuIr_WpD2Co1|ByriCC8DePI`=|bk?V0)l6t*` zvy%{ zF)4rEz-^_^0hQZE@8JM&(*puC_^tD)F^Bs}E07MOvsDd7>r(QPs)BA#@lX!4Kyi0-FKXk+VhjI6ZVA~4#0WV{0j4V}z0jugeWEiweQL@s zUaLG+lG!AQ8V*)9)6o2A5L4MY zII}d-H^<2m&U#P_^(JqRDng)&!Ks$=g&t1T0mf=SY3ym6>_NB}cc`U7uQXGsDPCmG zQj=@|rp{11nq;FAn1KxnRZ%W0puF#eyGb(CPuDp2F!a-sbA@rGwb{h6?R8dJj2G3^ zAYM;dYxql2w4`UPQo+m~12Cm)(#l*}S1B8=4h}cCkH6`99(avt@67vy`HoSaq*#PZ z#I&NdR!9$3b$d9&5LhUi78;TA5bk4A&sUp9t>i0D=SG$mnym}C$69G=5;AH`+r3(U z9Z6YL1I2af1W;`{i+{zy*1#7xkvpAD94^kn1vK+RbP`@GLKeX;_u(`5{Qd#FM8Gbj zo}b&BQUi2abkRLYRFxn^rcj$RPI7-c-926R80rb;wfR1#>SwYCd0R(ZC1rkkUA}`I z!8gKr@G4tmbT9+v9isTSM-y0Sw$M3yDm10Qe4~j;>JjfFKmbXP#9zR$%6ttNGb<~w z6cn;eK*owYre?$xHiD?8^OBhE=R0eLB~$hYJ8oC0)YGrF zM9q?-MCxY6;l45V#wr%7N^1}G1&W1!86-sJ4@ne5Gq?`*en{)kjarMF#PKZl#35#0 z%;0&5=mYKJ1?A=%r9D-tE#D{N`h>9&(=Z~5ChFXa!4`P6BJu?05R=ECX9H8_wG9d} zs%)CIJV~nakC{;tfp8CBV9Rx+yXK89{GSy$7Y#T!;A^w`A+W-k6lROtnx7S*>k=E}|QeIrZC%{#D4$r{@FS`fSiz zGT?Cy-s6dTmJ2Eui{?uzBpm-a{QR`1kEAu}ANdJ=1>v;+Eh2}31qSyJA!d5|K#K;UMifT>Lf!h{(6v~R;i~S z$e)DZdFH^_g7Xz{g?Rw#So8}d$b&^e`M@Yi$zvqPS+JSh9iO_dL?`c)njv!G`0%)G z@_TY6Ho4fGcl@qQo%@QiINA-fPj;G_G9(GfY&6IrZNJ+_UzUB&6{@h=%x+Rocjno= z4xO3L&v;g;l5J%|2h91V-<53Bn{R11&@&sAO3ro!nc(rlAQW7YX6koI@o&t=J-uX{ zLP}_0B5g%VY<;~@BUdBG5!s2TlnZBOxlr3}oQ`70MQO~4hFp$CG)YKvYc)lCd1}^ZCfh)dnzCKog~PW*a%iXbHzMc$y;bU|LZ9%bcUG#0S}V#)m{3npCS@a+DH6 zdTeDXpi&6|2LeVtUQ)!mktI?o*T~s3HKe!Z*gEVYMa*o>te6hEv4J`Z2`x}|wU&!3 zV5KsU`Kk33Y4_dCrK)jV#<nOv6+cn^n8J%0i1=Fj8$iD9R#o;@}_V`YAI z9C-deCqL5V5k2IcMTT0L9#SF|l;82x?wsT4wY2VRKj0g$rie&;U?ii#Aub}V$}LKg zJ?tiqTwbjE%@7s_Ym#HXgFYFFr{rOUJHBkol1l)8KY6a?EJdFuI5kIr2(++qM1p^4KtY9{d@7GC)X$N~f^+K*T-Xy@TqqON7rP5X8G844W`PRV= zkixSym;hH&q5f9tkNp0}loNzVTSmu&mqfJ#qMAq3UNWFpRJ-`uWj`gX6+IRzugZG_ zvfJIDlq1qsTqR3q43_H_wU)Nfy~QAa{+r#wq&@dbp5UTq*3(5q)V1D=VM2z#Gi#?? z<;dD8Kg%ZYoTQywZ{hV()WRaVN$sSvhVA2asYr6HHiqPgGqI~Xd=x@ju8&hoAu=MD zSLo%}Bl?;<&SjcA&M#Jp91jtYPbK#cd4CTXk(xypf292808jIsBPl1zM_C@)Jqkv_ zfLYL**(?R@Y2JK+puE3W#zRZ7_P073&-qB_AfKRnA;lQbz>>(6Y17>#aKWIzde&sd zp&|Xa>$J|X@P%^QD#oTO5ifLfnbf%?dq<%)R<QLoeXfNw~hyuZ2v>HXdHHd|uV6 zgtr^6bzu{LI1@?}#B z%#&TVW_=4TMdO@&)4NWM?EcEgk-5%IymXF}is879feLC4w70x!!0f(S!f-OYzsqfD z{m?c{Dzuf}!CFbCbbr$F)L0536sFP`=s~sai6Or7f%Gy}oZ@7#VU=BO2dmo!i{t~U zV!YN|4wxzrseTVXUt;OUq(~jeJTH-RLU4|QmksA?5o*)^0ti--k{Y-EjGkF_b6rB* z$oh`LMk*Wfg-c$%r%{zaC<+rOk4059qBL8mP_v3T?P*CK9vEb{f`(H13@1(fETh80 zT2fqmEQvH_?MKyJ^HvX}n1qam`g+K<-6cjR8pZrhImFfLNX2u;XtITTNpaQ@`X178 z@y38E-D(wA*j-eScom*no=)k_d3qibFIbS@d>#qu)#@> zB3(!AY2j40Q}kXu`(?UKqf6G5Qry4`LUFw;HwG5d)Jn}v)O|GK%^((KbWIiJb#S^v z!RCV%sOj{mYARwHSct(S&D0Lvwa9VH}pBNGdghC@Q@PmA*!y zzc6iTQaY4Mi=?-_B)5yQA)leHpREbZoCzo!#0Pw_qZ%FRw=z~IVP$rrx>FOUdriE9 zOEasS1lkn}MV;Vc9*?fY-ipPIU8^|C;?C@q3^}9BMN_-Tq$>zy!WuWiBu&LotY&rW zHbOXiRT~CQ1i6OdUV;awaRP|pQ*CriQwpzg?G^gL_tX(NW}LYykG|kX*d-QPDMMh& z2mLV+LwuR~(A$z%(4Ot+MgepZ8J8s?#aH`_+FbAij+S1)4GHs04ez%I2dresDhBpc zAnBjyp$ImGG{fHSPVY$hHs zdXC&uF{P=qftN^*@(uj0Fi;cN{diK2+vRU=r$4ujLNR!Wk3lyGPQxvoC9CWNoy^{-TAZassz+%cS2cWK-Dsr& zYcYN9xu#+WLe5=bMrFVa*c^Y#<`uPMef#;+K?;42{ZcP*Rt;9uGCP+W(3tZ=q@zXK z9LWtywPo8uX=C)sSEM0Z0P(COgA&8kRCp(0F2|G98Wai&ZPN}Z5=1J0y0TJ$_Erga^t1s3P-l9X{@aTF0L4%~x@W{Ou} zU>Xwf_$Iu>f9a5zm{-H*E-PxXaq~^}L6tF;4MTz}RnN}B_raY;iR{T{$0pobeu!$M z=Gai_An=y;ph|{n@H@aTiDkZtUSkK39BujX$EC2zcXbb~IMPX)cmbNeDmKjqq{jeC zWKmcFH&OFT%Uj(qn>gU|)eSs}WU56eJ~$sp9a>U>?7+9N+SssDc+oCRfL#lQuqpM* zCQYUXhp3x-pHuI&bCeW1_)l?0Xu|Q!0Z2bCJahy`(||lT(<;fvL0DTd$*ksgc$I=@ zapdE{-CDIC!y&~$<7^9j6X9IF3$-KPFpt8zXf%4@>=q42%*lQWa^ z)qW}ir+t$#lit)gyp)OEoBFJBAMEV2?gPGXz%TC7H);RsM}+2=mzWRZV?$ZY`G`wo zI*6i}d)oEjXTz0KS!$UpQS!8^6>4I(c%s!j@SsJYRC&M>sz+vb_y#gpDfx14tx_f$Uk47M&r&O_$o z30E7ztUgsY)8$(&&%|+XmBGN*9%#0`pWx$D+^>s(Y=Bq*6n+ zV>)>lycDGlgjMsBKt){E-&G%I-m=s%QxQ9DQMx&x+K|d1fzq;>8~wHEEN``wKX}zo zV#{i1%pg@uxD%Qp9aI>dy44tZ%Yy6irS>K*Y*OJGWNp6JMF?Vi=Df?dnyt;7H4^HG;H)2a$qRdQ(n+KW~J3eKig6l z1u}h#|K#^DWWtKyYV5&5`7x4^Fjw)?0MBM3cma9Wao3a#b!tfC$$xY!F%6pnL!~^( z{Aw`aYFL0uQ$|VyDqtOFLp>GCBafO`DM)@Tew=14T5>~1-yroR*_JAZ44p}CJk;55 zZ?}P(pwW4S@5qGSm3?4t&k9wVjTF6n-gHb;7tCT=N-==J`OZ{kWbms=0N0$(8}P#6 zYz672hseN9I@yP_phhD`w}pCAmJ2HxR1F1L)HN|XJ8BBum&clknwL>b&0(r&m^4!5dP}tt9R0khKiKL&7;EXAg;c`Yqul$l6UMkg{waHIb45Vxo zGb_fM$+64M^gzt7w_9R26(nLy80|w~L|wIMDsqHp#g6u@kYaCvh?fr(w8Ee-I)rss1=q?FG&?-wDRQu%mB7Z^=aHlm@Eu;^Kp(}DS0KX}#TqM(l|pr_;^ z4YHhGm}3hYx_b}oYi_Q9nieqjdarCW+v}}`{upk@v;M7k1Ath=D>=M&)$0$oIni;R z(1~_F&>~z=L2Q}wnw}NsRZzI%XAw6nd()@iNg-W~%iqy3=l*%~`9ssw`L)ei*Jc~< z(qzFb`G-UBmL)5C<*7;wdTzuxhns5FhiM~`xq62tb+?0#9TiixZ9O0`Hx+ql-p6<{am66?#Ze8r9z(13``X`!q5CRNH5TW)-O_>L3>Yj^ z%gK7P!!asq%uMb0bZxc>t(l8!4SR+-1*2dJNSj-e_-YA*clo$$g zUS$FpcmSv2ei-hRz`;i&lUKu3 zRTeKuZKzlvwyhaRQj(FJIh)D`+gp*6adFMUcb5CzK48GLxeH5c8$H}x#>VHh9s)Z! zNpso=4{Y=(npW~zxL;gasJKp3xPd*X7I4Wa6yz$ix&vCEje-W8RXb*+FITq2)bB9j z>kJJ@nRk!XPOd*C_^?zYpmX7qGaXV4OSZChPBfWorcZRA_eK{I=^ZDM4@=P6sZUMe zFpjbIX4jsB=5|q5KEAi2rLpfQv#A7YfC?9$_T~;+9g2Wl1B8e?GpI*c1L9${z93X| zwqWX+&XNSOwn>!-sotMsr;wOFdFn-HMu^Qyd*5IfLu&pW2O>hUPnRx=zf=1eiSIGR z;OfT5eR;(O+bIdId06nOHas+{RY%{!$R0}R*}NNwJZX}qzc3A*tkyoofk{+U9qqVJ z3Q*}3X-Z`5n*1v230I0Jq8V6Nd#`!Uu+JRd4wpr-*KP|?C1S~^RalHUM(;gWnHdbH zEwwqiCdTF^?W7DEdZGBzVyI+pA6Lc@l`C^rq~6HRd^V9)HoJbR%D-fH4*QD`wRlbj z+DE1a-5C~kOXp)(aI1#%q}^x5B{Ewx#2jD@c6XfLkjFr80WY1j41{WKDJ{s&!^7Z- zuXH^=kvrfqP@=)Abj!k0et|+hB|(nNxn#?6>JmG^$LK1sucf*#7&)KZMPG1fni0Wv zT(owBMs^d5bXJl7_7oBn6RcRil!of@LNC2Ci%$SAnH-t1qvpy6PpXi0w3KEt&PaZX zs)mY7)^IByb4zjR(vPsqv;zFB4dY`C*jzyj=@RGETJf2lx4@orRz29<82rV@tVhYL z#o{!eIev-NJx{cXL17?p1sdWjr!wTJ-b=tpf(&7I7`eNmTov;X6c?L?pQE?NT!~(a zOUaa!ktw~|($ZYyi`pfYM$u&K!fQvx6se}Z4nv8zl~pYI@_41E6pH+n*ElfElu1<{8gU4$WVo~1d#nb1_F)Nd06->qxU2_;D_NYJ2?8w z4v@N{O3`NdMzj;Syr229DH|m5hl8vK`v0 z*ybRjW!{^B%D};6-Owz>xLTZ<$yq2+#d7J|NbIMTSs~UCM;doKFjM7=INwUPIdfd4 zge*{_d2S7@=13c>dwi|gY;J&``%8PtB?_#y8Ey}xvl*+nct3l+la}s$QpXJ8@rl}D z0vb3E`Q4YGGD>Jfe=woV>c65a-C~?WWeY0NuiZnVXhR=(QE%alrMAGyiQ+cLIH;LJEFiN z-I`7XR+dH*t0Q`$S(@vI8xf9&Xwt!!bL*hH)9Ws2+l?i_e6`mZFssArm2SYorE7Ng z>F9R&Mz~FO{Siq6=}=2z6mvhLUJ-H7t+bYxs-GX(V|; z+)59JvT8w5%~7RdC#Uh|eJQb;sm3JH2GHrOmr5@6Mw^q!MWq@TLLG$q!|YcuEa{Dt z@N8&Z_+U3;dSg*VUZXZG8lCoBq><1PO2zG@=jPzg?AhnkQss=utMhgtR0E~kZPj{l z1^5VpkBi9A6)Y=SF9j*w((Thh+dCm}_nltQLrTnG*Xh$y^Tx!o`vTlrdX}6zbc@a| zCPk@%t2#<`dWdzwTk)v~8%QID&R#e3E_QUuBd=Cj zG&}gsdcu&GYp#LmAV4{Mj2rAtb5vY-*c|kWUBvH>iHbI+H#w1orOq;z>#qw7wNR48 zvpGg7VB_T#E4Y)cZkvIKg0`yl`3?8l2%8kgaeJljxrB0h*`sE-0IG35@rW{-QBtR# z2BgOIT%!J#NO7P+f8BRC7sKj(97%7SZ!ho+XXsU-I9Tj6jAyg%aGOE-Dm?p?zJ>&n zz3CpXeWL2zx0AB?US3kjveqkx!&~hr+}SZoi2+z161v{Y=FEhsExe1*s(;#SkkTtHmSi zzC!cWmg#~oKJdH}fICpl6YJ-2w~xS!iTzqX*ahE-xt=puy$HH}nL*l;J6 zo1PCUF%6hq0?#Hf`px5Wa_-Zv@kP?Ohy!*XK`D5}RvheP-SB9}{5}r%9`2wO%%h|l zSuCCDj1L|p08Mwf>^@^+C}DULUZ zNPY(95?@F|cd>=L(2(|H{Nm@{5q&~w*j-WJYQ9;_Ys9DPSBwpl!O%Xzm=;U6^JOVB z%lTy80a_--J$P3V?BE6_Mw_1R`XY7cWm*jHW>M)WYmD%B-qzfRu$>YY@nDjQs*{fU znqo`e_8eW-C>so?o9YzcON9E!Y@piZNtbjo0av~-ftFlpO@zKcyTgm#@lsGaaj>V= zwa*L`R^vS$8eRPk5XbCC$icL&=eBclwLUg)(}VXaUx*#TO{=~Sn5<2_Vj1?@HQNeK z6Cm{fmxYeLEF&KZ3#bDV9))=lmLXxKQY-hvKNiU`JHL-g-M>hAe7nmJC!WvC$E1^_ zLB!W45-+_CnW`t+Doc+h?}eC55U}Mg@8aNs;VNnL)b^ZgnQ0W9Ovig&r(QIi^$y>U zXsKbS4fL<}Sf+vdsf8m^*ui^03^yFFv9}kZT8)FclZ*)bfrohsGk7j_7uVZ13?4~u90)e3&eA{^AW!WAL)ZW1jU_)Wp57&+V^g&iaXGAh2@De*b1sEd2)`Tz&tj=bGR()B zpTLLV;7L>lHbGvr zt{=51*SS{rBWK?XEB7u)_JPqitMxHMwcs+~qk7vtj`k&GO81LPgYENIAK5h`@HIIg z-smCbmSS35Tf%;sS%Ui~+U0YMVEEM01D`?-85H^j>Y)EYJ;|+wB|`}vl`^OlNwC=Pv~}**{up8^t%{-LZ4VNE*uR9 zn!aS)MAhnVrIi<=UVFQ|NNdT2vIL@F>Sy8XNE=eh7oSC!fd>cX%Bhwyh|3|XQA7IC zF(;0L1&%eBUWS3-P%r2Zht~o4C|D&8S92KQ(US+sF3Dmki>azSV$*yg6yY{a&!E>f zX0fV#0;wR9=LM_%C0$^v=d9ejurt~CI|NqxGAAl08s*MV!lsq4?16c^u(|F$LuzqU zg@%y%8?x-7+^wLW;D{ZI`oIK25QB@jw#8#$7Y%9fzjIS^*98+9lmRST_Jx;lyKU^J+ z$6t7dr0AFhOr!Er4?@i27l>QKBWPfCwk;qqQ8S!AtKJFZ86WGb)ew{-PQy3O`V0KP zw{BX)W90a0B&<-ZsTIuQ3S;L$eh4CPFt8sd(Ss^s?oD4aiR726(2APE!Ye)=)>y47 z9KkeADm)Av+mmrrk~lCRnw5}+)59u-%fY}0Ob)XF96vn~Gcz^Y^hVvF3Pfm1k9(q+ zp@r%80!R8GgKu~AK)%=6K=-6+3i3P-w`nrmmj0ZZb%MUNfu82w9$iMcW^LU}m^0bPeS}H2 zkPczIs4rLQjlyis9L%qMD6(e_Q(0JWji{7PZ^$R$z6@NG%t4U_)}u^qXZs_1nK7Vh z6iQ8N=;>BL(uX7i4$QT2CZA=lg}G3s5Tg}U6C2XpCtG^iWmt7K?xrs)tk_Hqc($Q@>$HQ``c5_^&^_7)cpPc~N39AD`WltFQNVHtgM z0}WUnrIApiC?g^(Se4xgH5H=Pp*gC75{*7|%2k)2L31F(i1z{_>_(f(60X-=9vFbB zdfXiB+8J-|g0Ws0z~W<^acFbExVdW>ZtR6d*DnnM;pM?D;H9()w*HD5t=8N8F)%Wv zh7?Z)4n}9?LP(2zXRyX~3=SR6Gy?Y>Cx7tzl>sEK9ZO#t zzILfL=bpyPysCL%0N<}1*ouSs>gfgY>nL=poq`#=Xs)b|(NP#2f_8v@>#&VW2EZb%QZpdJ zhh-hyORfOht(+4u`Y42tc&_}ofhpnZm8S^NDW7X+S_X&2_pCTmt`ZzHJ9(z=T*@{KdH(oFu}XVHW#T=?E7aUQ z93X0NIq*l3m_=cB=&-{V1sO+?%VTVRbItm|011m%04()3;pq&K2f3r+B@RPoK_W?( z&b5}UvZSd9hwn1k|7#-UgypFrG3PF5By@+-$6-Vi%DV&{_yw@xN(^N_uw)dNSJTz1>)Mg`$`rZ%SdCn??tHDOFIRs~y@huhT zM@>cB6Gj-sOWGs_^S`&UX12H_-QoPA6r?+l;AATVqQ~ldS@{L7N)xkw&mo#OHNisj z{{P6in7@v!tXUd}7IS0eQ%&t4B+YsUzWCbw(@!^hNEr-CpyVA(!JkM&!G+I2J|CR8 z#BnGynjoR~ZDD?ONJ@tvr+|3K#D`g+JiVdprkRZLVB}lD0dQSZK9GtoO(roZ9X8fE znI$Um^Grr*$BZ!4VLBPKh;Qut>zY*YTzponSa)7`5#TEQY zfd5*+zZ&2_5ypQr!2f!f&$R%*72t0L_?Lc3_1xlK*2l%@Iz9+!HF2KhE{3`-{Ux04}_<;cbjsSlq!2eW$ z9}MuX3Gm4P|Jwn6G{ENr{CI$WLx4{Q_SJTnYmWrC;0UO|BUN`8wGxXzg^(p_3_^+@Du!2 zfxq4HZx{Fp{$7E9+4u5pfuG>_3jBLM{`~?!!9OhUuWd2PeN^Bl_`?GKvh(7{1%84* zD)5gc-u)T-CGBs5Z*_R$hciB(#|r!ef4smSa~arP;3xRb0{p5f40C+@RthwgTCIg1%84r7Wf}H{&Inz z;Qa#ss^f1K_z8Zo!2iVO|9XL+;BOT87oDD$3;YDXTHqgW{5K2y1b?f*-|4=>^#VV^ zZx;CXeEhcy`~-iuz+d$7Zx#3ney70S?fCB%_zC`gfq&ES?-lq7{y~A?b^H$t`~-hc z;D6%y4-5PR|D?cw$MGK(_zAw{XN_T!yx(=3wAJBBKP33J0{^n(KVIM`_>KbqpyTf> z@DqG@f!}caJq3P(?xIsSnHKfwi8E6`~<&L;BWK!yiwpM_>}^G)A6qs_z8Zk zz(4BvZx#3nexty@>G(Gb`~-iez`yAD?-uw8e!IZ`$nozK_z8Zuz<~fuG9F7Ok4xxl~f_}v0O!8Z&1MaO@wz)$ek3;c(Uf2qJv@XH1M zO~=1d;3xQ-1^z|E6a06rz)$e&1^z+Dzfs^P_}c~k0mpx*z)$d71^y>CoyP3~Kf&KC z@bCEecMJRkzgOU2a{T)Reu95k;BWf^o6tuEeu6(N@bCKg9~bxu{;0q|wEA4;1)k9sijE zKfxyp{IO3P{f`#-2|iumKlJfu3;YCsslea#@y{0c3BFk1A8`ET0zbj~1^z9^-z@MG z{9=KB(eYm|@Du!v0)N`$h06tgf?qB0w>kcs1%86RRp4)R{ObjNg5NCg@A&-RF7Oll z-2(p|w=cH}`~<&K;NNrn_X_+3f4{&#>$#PC1%85mP~cDh0pqt13;YCsP~cy7{D%d8 zf`3xrZ}a@gqXIv{xBPtFAGquJjjaw(`XRx$75G;j|M3Dp!FLq+R~&z5fuG>J3;cVI zzo)=Y@O=gT2abQBz)$dl1^zXs=VXDO;KvL6hWi841%85`Deyn?@n0(N6TDsEzv1|c z1%85e3;ZjN-!JeJ{IvpqxAW)40zbho75E=HJ>Mws6Z}en|IqQT7WfH%t-!zJ^M9+r zPw*QB{#D1nS>Px5I}U#ecJc3pJmbV3;XCxeDIE696q0& z4ln1k&*A0x#{>NDgz+~6Jl18d1bC#+odA#ZosS$&KP1xUfy2vrHh#(0RnGJE0FU*c z8v!2c4m*Fj8Yj+wkHgFPj5)lV&tw=U?#sdZ)%d>{_^ln_@wt}*{Kq_(%zeD=@HC&V zA`t)XI6TcK!S9E0;(T`eN;RL~3G;c);pO-j9bS%qIgAs>e?P$ggU4!|=f?s5pTcvu z{L^Yakspo*_}6$$%yG^JcpU#?fXDGK2Y4L+s>9QICpb9%z3K3@-UPoH#)<2_9pK*= z^uuGnTCMAJnE##tkMn#cz~ek89iHZS+@{$$>hLtr1b-=v6X$s&z~lID2YBSe`wmaf zo%iQ{;PCX^1phdU6Q8^1pH*~tA@K7v0seT<+h+p&^8x-=fJeE0H^BD>{5uXW=l`C= z%lUs0#)!dDA2>YGGr=E)aVCQu-10B0^+x(U z?(j7JpY!pzJ3Nh_;CsS2alZ}(`2P_0>$L!ndh%+3pAPsp0{mFeSMLURq|a@Kr}_V{ zKL0xoPxDXk`(d0o|BptD^I*g{k4B8M^zUJ_9y%!x` zuJ>{nC$9Ip!^!7A75LsU5 zTr387d~P?uKO5xkjR241Tyc0g&#MkE=XoQH6X$t5z`wz!tQFt+x7GaPe(iWz!Q*_! z0zBd`j(}ftcsc*K9A3`#dKMwFX|DC^KzU(G-6`*MIsd%YRppZDAYH|&iF5BB2D2>62lkM@1b$JKnIec$Eq zk`B8aUee*2FizaB<0HnI9x+aP#5nx`k9>PGz@vS?8{pBtf9UXXT^~8TT-T#8PF&aa z-!!^W|9n}{KW&GXcKou#({q2-^~@EAr{^a4^)OC+?)zb!U|t&c!Z;EBFpTq|=Mwnn zPXhcqf}XtoA1Z$M`}V75`gVXv{9XUikji!Kc6hn2XB=M2%fVutR4j1%X7y%^^+;4l8WQH+z| z?}Tx_Ci?%M4ByA20Ur19n!~w|o`TnN-*PzjF~V;IeC87peQpN)2){J~|Mm#{2M%Z6 z>CND;K6E(qP7%K4w}$iKR)?2-xWnNb|1Sl-y3^qtKf=dG;O`rOKRE*b=m`8X0sl_e z$CmkX4{7r|Ka{Wetza8j&Ex^A#=>NM8FX#Eb!^?So zGy?y@2>izXThTMxg{=V|_xJGt|AAl_b_Dn@1^z!1;4z=}Mu0~@>Sln~@@WAc{oaoq zp6K(X;79)Z#NmlP3I5ol;p^SuaN6Hr4fKC0;752rz~lVi2=IviW`O_UU>|P=c%<_? z4o~aa?dy8i;b~n7ekY6*$8Y?0wcZHd=I}KBH~RRGJ3Nh_;ImA$ z@e}>uD#lOnx5GG*4<~=e22Jx!_(vU{=9%Cxjle%U0>AI@QciCMc--HI0Ur136Ni`c zeB|(Qp4)!6+LyTAT>&1S`%-{M{=ew(^0}`&ynOD}Fiw2#?EsJKdT#{$gAwpgM!+9y zm@y!oKjF9mp<|K$ZkF6!@s(Ke>4LB!3g}u7ub9fo$06W-xh}_Iw$xxhjYKa zFT{h}i*f$6kF%o~C&71xapL)iJ;gXvKF(M%PJ$m8G0wqaoIm5^OcvuL`0)|r%ogL! z_&8^ZaT5IOh;c3l_{l)G+hP2;zjqv7?(ddQSNlajdAoM2(b(y5?pK7j13t~mS+9dH zI-KK2c-P_F-)q5M_ebDwhVe<7`@hfT_nN~wp9sGc#{a@F{^b$lUk&)b8SLX*4lm{6 zdKf3t^Sv-mjH5poG0ul0#%XM^^^rauP+)=vJ<4hr@}_dA{NNv(w>e zo(aCo;iSWA;DP#<469#JYxJSVSLU%@&DB@euTdj#*cKqF=G6; z1Ae6Q$0P7R3Hb4x+E%A4=@#wm0f&?RjHADmlf}Ph98UU2`0NP$Gb8X99nR-QyZlxd zC-TX4hnIYEGvITI+rH5F>Fomkp8x%h|4jUo@ZT-q3ICSE%je#9IPG;j4|p%Yqd&02 z=S6z{n-E{`bU5b|;kz8p@nao%_lR-!j2LGujB`53#l8{a92haqGhv(;LmYQ-#5j{9 z#yJ|sc`U@U%MK?$#5&-W0RP(|Ubyb?#Gl`Z@A2OahbR6_@LOS=$ZsD6c&u0M+*;}L zIG=+79_x~e0Uqbsb$B_?zQfCTUJB#Hd0q+dIL})SC!e%}VY?mRKNRvFTfV4TSHyoj zz$5@cjUfeE2ZH zzct9k_AjaCAIBdH@HqZ60UpPHDZq~hz42Or$LBuwSoPem4fMYh;4u!m7T^*8_6Ycc z0FQCgmft`8xowA2F1|bTAzTUY7-zlo2dZ(RTwnQegL9ln&sz>BzePT|7vK^9VSq<@ z+4%>n@uS|DbvVaA9QbE3z;D=B#pjm-JkI}}0FU-EIYV+o`%?SIt9Aw2TW)c}ulz8&DP-g?jB zX@ArF?>oGl&%-cIT-VmGuI3Z@>Og?Uywhs|9`P?Zobw4~mc|+>gzpaUxUMmWr*$P3-RJPMt^_|C@Zs9qeP<;Yq%}+2_CL@I;>k ze{BT*#S!>dM&Mr^fq%o{CH)@+c#JQ$x-l;2|Cqze`R{aiIexboXW8k{FW_e!eyJEg z;lEM96aFoS^SQB3(fGP*eO4?mu3wi+Q1RUT=@X zIsXVh{wM1A+x)rH4o~5&Ygq#rW^|_>JAwJPG=7 zhi`Fs+LwgCwSXu5Z4T#rVjswkV*LNp$KP3uli<5YjB~9RC(-AvVw?oOH3I+k2>dPI zP^Uv0XRE^#9TI%e;au;D5XW5!@GBwD^Jaj56yP@kd^5yxyZ@xkhvR=b#P3%E{ON#y zJ;390Zw7dL?mG@oa*@{cuEWdq-W`Ge{s{b!M&Lgffxq=X8@}Fs0Up=&R)EKK-3jnW zpZftG$9a8E_1p-5&*3F~?mE1r&w~;84@cl{`NrzG(f@qR;e2k?C)*s(=SKL!fKSm% z`#2f!BmC?L{Pqa^>m%@QjKKfE;gXA>e?AHD8lOL5bSUY($KfTN501c}9D#pj1pd_# z_;(!6`A7cwFu)_9JP7c}hdaKh+TYXmD|V;RIPUOrz0(da*V`U}zc>Q_wGsFiN8s=C zi@eJD9B_C!pX(#=Z;ZgdH3I+k2>g2^@b8bnf9P=TSCpg2$A|OPc88bi+T-wYoC5(K z_xIfq*|jfXLH0jZ;ZgdJOcmD2>ka(;7{+b*4q#Mz-EB|V94WL zb9mD8U+I3)TMj23sOJ;>b{OaLfu38Qte*R`A^-ol!%Ml|?(mY%2f{e9FYEY-ai&L% z^I90^uY`HN8Q?K*^LBv8`1($O|CeE$PXhee0N?(U{ZX!Whr`SDj*Y3{3 z|B}N?zP%jau^;ly5#wJQG5*_OoT&HS4e&^}djTHl{DH$ux_#*Il5P#Z=&!`z;_woG zyTeO5+zjxjAKn=;{<|Z_|8T@OyPqD;4|^P5&hxzy_;*L(f9UXXUEBWD@aI16@bbC4 z9bS&}@rZFg88Ob}e?I)VM;%^1_a%py&+P~Ji#DYEmWu)Y?}DDW9N;nDyc*zfoX4NB zLHXR+hcM>wlCSnTyqy2$2>kz#uKR&+c&+L?9aFE`=sx!>RUo!|5OlRs@Yjrv`2x7`F@H|-fY`$o=zQQtP|`{Hi9oX?4o zb86%ak;C)-3eM+~l}Arr4;gVi&qJgB$f!RNcl*Wn`4f)`$Cu}I9?t&v;Jlunz;ES0 zc5?o*xL!YbalOB*$YDRnaQ4$P^7}^qxlw;%)JM{jkJpsA?muSK&l&X#;_i5He~U)W zx{=dG&U^5j6S*@S7kU)V&k>g3tUnZY$MNQMu6+2@5qEQ-&wN|h?lbUuGa>HR!yn1> zRZ`r~)BCznUoz^q#q~TRj|=_q=Ml1SzF)Kn=j+N#ICC<~A^%Uu|MBMf+=laYYZuP^ z^>3e?Q-yQ8ZTPKxIP(wXGICC0?H^trge*Hg@-R~Oj&w;o*-|0ul`DT3n*oSkwLpbk8GqN4M&eMjk!XJ+7 zRT0kZZov86zGL_yoS&-}zI!|me_efyTvyk`{dLuQMcnPzOYyvP0{<2~2gWmD{ct{I z_?O~+?}51QXGQus7x(>mk3Aveb3REp*Hs$M?PlQ2S%r6SUD^?M*ORXsw{Ua4t)l+z z_<}+Q{xRGiM{xENdt%rxURRTFURPJ(xB7>34kb9Zy9sAb1fV0o(?+N?G z`~;kRrr_*z1lDuW$Oz8g z+ZK6B*sncYCuiV)J}$XAAMWbejc$8=kcnGyE(W=$HfpdS0;yQm_T<32g=MElsIQy>|`Flow3pva`Fml>PPS?m;cv_gx8*vApFSh*&bxm>pR-0z)X0e;=czbe zaX9BN59j%t5O@85H*%8Vu7COha@hZ(k+Wpvq>#h@m*MPx1z_U?uCJdnM$W8}6GaaDpM$giIGp{@i@W)M5!O#a-1SdSB8T%|Fme`+oF(M2 z|1_NaFT>gYin#0lW4Qig#9jaNEOOX?&dA9dIjhKF|7&peUxc&&b#d4KeR2ISiM#&k zW#q8`4I^jM$k{>;``>}H{|cP_?~1$rvp9dN;;w&s4LR(8&&b&~a_Y!o|4lgiZ^7CB zfw=4cxAD5QE$;fKA0mhS9~n6vBj*@7?7s(R|9v?7KM{BRe-7*CRNVDXA0UVQpBXvl zM$QFt*#8L5{x9L||4Q8T|C@MSC{o{_VU9L}e1kC4OpTpBr7Mo#4W#t)f-KrJs+PRHNQXf z!#+<9AHiqG|EhbNDl)$oa_Ady=FdHUa((SZ!8zv(aX*J&l{pN>{T#ec{Yc2+9OmFW z?pebNaIT+2_-pW7bPi|!C7d~#7l%GszY1slP+ZSpB(CQ$T@LxT<{++f;^I1I->9z} z^=)x?esQ~9Bd2HNWPfzrzwR?9uKO&C>+NnDIa@}~!b>J^cTrq#cST%pw_xO~89BSi z;m=2(8#xz7PUOcXANQ!Zo@Y#4?^nsFFB|nc;(88;M$VCu(>HPw8SskIRa`J5Ozr$)}u$XR;X z=`*NBWGmfTpBquo0E^%k+?rz?~(gaSKRNH_xb-ic@7D2U+?c< zDRDiAqLH(1!ad4(MM?A?>+HZShy=5rF_ zdJb1cedH&``MN$TuJdC?eNtS{dBMn8G;&sqoOL6oWaQM0`aPrmRNVE?=cOT>&t1D) z;kdBA1?O|ffw-P$TU^h-Yt;9Q`k_%jGU^*IpL`xQ#dSYNMt#SqKQZc0jryTce`(Zj zz9P(@&qW9DTfhHAT+jbhT<`A?Im{m!IhRJx%ui09^Q^eu?t)RjXw+>#SL9j>woL|_kkeCy$$bQs`tge=DMDK zVfYX^-0n!+9T)ngxa;TB=x2UAtV3Q0^5X9L&$-248S435x*+b?=lkS7xG3(|iT4%c zaD5h#<7ShW&nniCLoXudkK7K+KYK>bzLC>3>RU$rg}9r~r~E;@-uBe1!hGoShA$gl zhW}^0uB^cykK=d*=XL&ATpyRNxIQie^T-kXkzyZO*p#NBzs??FwyCiM9M9IqU_g#B&9 zSw9eW{kZamtp77{*AM+1Ib8o!uMPch9me7OJ7r7adb=rcz1=)=n7?6o4f*c*@UP_h zu#bFt6FL0-Y)5cz_uTO5%H%oZ;Ge?-^t=;zq*f#DZ$-cP50I&AkR zu|DVEoLdsk{arFV4}S|jk1N67hWqI*d;|Nt2j}{1!oM2zLpaxMR^VLcS;O;& zuZsKr{kkfM`#!ywk;6G`svN&xTPnx<4sy6(yDGwoBhf4xe)l;opbrWZ%d?G4e-7 zPV|kTe?D(4!C#2|T88s{EWkO3eK?;Jy6{&c{{+tb5uEvpZwmeMd7uVoejU#I0i5~q z|1mkgDDIB0dw%|?++)_o-SMSYRsAQWzNYHEAB(&7#{2$kZQPH0UG{9uZPDvlz+?H0uSy7j(@9Io3eoa-u&e0N`a@VJf0D)Q+idylI6ywt~( zKSO*@<@oxza$mnF?$(>XHe9zANyB-)T@%;qr>OG%`q@Gb*U7fZNlE`Z%Kde$qTKho zEAHp!bE?XHPEEPbX^89VVMpBW?{lTkW90?$uFCiIJ>|asOy&5wovV89SK_Wu&U5AG z#|=2=daH~3{@0|>193k$?-$7V0=#dqwjc8O`;c3P_Y6NbJoO8c^J|9p4UhlgILGa; zdlab2^T52g+h2N0+|7;mkrl&B$am-O-7?QI^65Ls;qlsq^L@XX;b(BZ4>SEsVSl;Z z8F7DneV++&x4+CO7&&W3&bGLIzrAXBQ`~Kr_q7u^pKl}e$@?`WuJA9wFfpr){b)Qw_u+M$?4

p{!#d);VZu$`hO?t z*TnsG$^R{-qPV}#c)vmp=dkk|A)j7&``CT{mR!dw;y&N|{yRbrKfgN{_c^|w3vr+0 zz3^Khhy7d_K7A1Cx!oQ33_d@q!S8|39U9{PxPN3E8)=IB>)sP7o{C*u0PHiEwl z&uNk04*SKwJ3kA5DAvOYJPOZ>>;1}!>-{Pt=kM|P#TNW7`COl~aOT9}tX~w@b667BbI2fvbI8HD zzpL<1VEt^vr!j{roc-^^c^zoMxnCXleQ;jH4#V8o=MtRT&BFf%pKq?gSzm#(pX__W zcDX+DaIViY_?@_(jNmWBJg46q^0{9zIM-Vo&i?n{zl*sYz!$I%yKv^rzi-@+Usqo& zSqX8!uDmabyYrpT+skm~XH@>ZBtNV2y{{sN`Rj0A4>yqSUhnwp*f#R%P2@1YaukjW zy>0k~;qmuR&dC|RWB8%rL&N8PZ}N8YhF1(fGJIrs;scYnyJ~nJet(>&XYfzszCVQX z{f)U!*e;(3*5KcS>v>b$uXBI@YKi-G?)?HeJl|(N7`Dsjp9Gx!EW$h3uavm%CoQh~ z$svc=^D>;*t8F;1GZk^Y-Cc3L-8yo(-5#9JEmI!~^WpQ!oVefam&$b@F7CJMeGxg_ z?kb$`1FVbd@3mIN^>%CGdbJP!}xd|f~NKga#M^VdBeE{*?dWJcVbzw`}pxBg!u??t)u zs4ni#Q@+pBL_Pa#!?|v|aORxAnR5YW{Uw}po02zs38!a27joaa#*&h?y!^E_(6 z`8;rF_z2GHz+x|~H|FfaS>G^x1m}9l{I8JDoSflZICENm9CCQS7{Kq3=hEIsLp^im z`@xx0hqL|)&ibuC2|27kfwR8!vB~v2h94L{^YM_w{G8zfIQvYTOwK97S>J+lyO}=? zIjrx%SwHuQ$@Nt@>yP2QuU)~p-SVG>eCG7wtk0ZIuD^h@zWC>p>yP2AU;gCe`X-$9 z(Z85nUxBlJdN8?u1J3#pobxGuD&(;K49@z(UykeD_4yp{qqfA|^^o^3|3h@nnV&T;jACPSwDLga#&x2vwjcG`jNQXue)&HPyJQM=YEyp%;~_n-7`4rQ-3`A?9s--ok)`Lm% zl;NMic5CAP{f+y}YpOkQ|Ne&ehPcbW6R*Eo;y!0y{%;53KF9m1Q9m&1hvII#{CUz# z_=j;^rtdLsK=&Dg^YfsDxbA;JT=$YC1Gw~ zj_cJN{65H!!@q9)ue!HGBJ=Pm0C6(iS!^qiEIsP2mRyp1)Mov}bJYM>#sT}Y7MovTJJXvy@ zD#!bQk#neWo+UX)D#!b=k<(K-cS%lP<#<08*T?-#+^?UPNY1&+@jf(iE>+GeB6RgU+hk+Z0BepzysRF3zwk+Y(5-XS>| zmE%2US!OUUFJ0$9vnzIZ`?PTHH}N-n&LlU*+6G?hPj@$NRv@IafJfA~_c-$NR|0xl%dz z_4lfo@u2+q<$YRQpQj0NcYpl9<45nC``RL$_s2Ax_pc0`_t`w$&)98X4bJ;)3I0;t z*EZo-cy8Z;e;e+dokydxVwM3@+Db|WpQ_Y(Kl87meg;l zdhac9w_nf2>$MJY+|MQXXWV1t&`*u}fl)saciZLnOro=4KA*!J;^J-&?qlKE>;LEe zNr>N1c@_2SvnKAZOMbr&jrt>_ekktx-^ASN_X+*;eTK|e1b-XO$DFu-KJoqJ#dV+S zMt#Ys-xk+%?!y0W+}h1N+tKlV(fu5X>wZS!dJd;|Oy1wrR|dZ|ANbw4KIFu8KY4N8 z&$>}xGU~UD`W>VGP~7b==hiiHdPdF}a=8BUUp09?o8oQ`xGY7sl>75yTl`_Fen+{l zpZl7yU0w$k#P$3a#r6DGjQWgGUl7;pa|_PvKn3~kIuN^Awb#FYSKMC*yth&Bu9L@d zJvPfIk*K^|fK0us#ZBeMVgGZ&qCIZ`r8dFzV06-Tv~rIy7=dM$U9R>=)0+ z44mitHk{Y7+53kaUdLkMdJc2qdJYRl{i0F7V$^4h`hvJ#Cx>v(a{%WYa$gtrm&d(m z_=e#-hBx5+{$v}@?H(K6hp%!yKVWkIvvAfgh`ZzHPW8N89~Q;^^~8Hh)%)N5omTbU zH&O4d8_$#L$rkGARinOU)HlWTagWT0Iq>?hDel+pfAk~n*RA)eQC~Cao8r2k-3LzY zXYRpc*ZsuBbw681{kBnGls7hAKb%A7A(OXzEUveEYSa&m`o)Ka{pEEdC9d~3Ev~nl zLk_QF9r#1=Tzvvx!gJRZoaf!l!$P0D?#;oOvtW1*&ipkv^UHAN?;5@be=S~jSCZj4 zx>M_1&fi^eH&1#^)h|fao~rkLgnDyVyY2+s9Wg|mJi{-@)A_4=qq zA}#pO;Cwj}cju$~o@zsSIu>_xqxX!Qf#E~Lryd@T7xQPt^>(A;ZvN~)VR*{$75ER} zeXypuzb^T8*b>+4r(@I~8}+9~{lKVSendF#Jia+NudA!#y8nW>?!Sy2URNXE6t??u zIoI9#$%yOxthml!Lk{y#;mnWA2VOdVUR>udiGSYth#c4chFss)kVCH`hv!#a<+LTI zp>n*pRQ;vYAEkl3Y{f#a%r;Ew1-B3xCo$(v2aq3I81zB>z;z-8#8B zjYjdhc~r?|)Xgq3XT2RDD+73p-Ht-VarMP3n(Sz4v2PKal#a zs`uVk^$B?fI#KoBryn~Wx;rlXd|?(|!t0Aw_}}CDxi0SBKd+*`ChpH`e=PUJ-SKkI z1Kv-NpG3}?k#lb3Or^v6Wd5|c-fmpn&4KTKrj49sBPVavuNw6wqrPm^?})oTd0lP8 zKZx^X0Dm>EGgt5r;PZv(onbxvHJ%d^aON+;zXLhTa3043Tzwz~j-n_TnU|6v(^f_0cTd>#I1)bGG~zix@^^Ws2Uug_zn zzH8JEjQTU9KKZ!G=gWe)?q}JkUoq;p#ofB)@vXvneCu$ot7CCJx30ME^9(sWujiJ- zdf;(ifb+O78=g0O9nSTz3BR?!@RwrU9>JfA&sn-~&L{HiVZT@(hx0jS$?#=yJ?9m1 zJ?B-UzF^ds#r1XU2+sZ^@&zPU&)3&6IO`YTpT&Ku2HQg!|u(?XF8{_+MbVIXI8+4*U_wufw_i58!V^{gJp{4;^v69!`w< zQ=@(;uGhmAoX;CmD`C!j-pIoFJd=m>d8P&bYTWPUzBAaNo)DbtYVnCiK0>NiwEz6LCEm8orVX^~}G5e=Blko*L?( z1D`W|(eMoX3iro6oZGF!x!s202k;+6pYf-K{&_t~zf|EU|^GCcD1(El=y`y8D2 z&7`=yF5SFOGXB>i3*zoRMPEh^pS!X~PR__#Lk{P&Zse4VoNeT=pSjgA2Oh5soX58e zXFoN=kKoLSJah7P*Wg?yjc1MP-TMIC?xDC_Km2*OE}ZAf2+nmCd3NZB>uSdEnBfU= z*C&5IYZ>)dcwM#LXRh0se4&v1tj;IjO#r@oTeOI}!KM{9xt72}`&%J%Te9nw= zpEE12w;NUN>*vJvc2|(^-Y2|}^_E2reHA$m!#ua({QYt@mG9T>p33*$LJrsS2+qF~ z8u|V(H`nJsNdHsf{(SL1E$-%UPt1Q2&flZ8jC^I{BQ%y|U=2<|Ua#c`4D zb6UCIZd6?N8B^}-(36H`T6Hhp2Mngzh7(O zdJaY9zP>E3kJlcY>%T7Uj*C0L{CV0yKK&3mJb!y|{ypDQBY$AzkC4OsD%k6I+M zt#baK;Jd$JiGws-vuti zc^}+@Gv^r2oEdp8bK7Okvba9(E8_k<^6P39IXr*6@C2T3PvE>?kKnuyPXF-a>->yz zf8CxH*Vp-|a$i3$?&iSzT?)?gYsK)K;j7|$o&|9|&oXj2&n-Cbj}^nKaQ1%)XHEys z`YSk}Cud$5)-Bi19Gv&Zd2u%fJ_jb?*Z-%8f1Xb&_s44i?s7ghZX>cJ?&it-G@SX% z%6xxPY`~dQ6?f+&*J0i8mbgB@4v^31u4ALVYt#>n`ZJ^c(x|^O>StdZ z))mk97@YU74EzDOU*yCec|AAz(-ZD-CXyFlQoe80*NyrEqrPp_9~<>uqyALf9Y^** z5O?dGevW$g^16PXo866Ez_0(6$d&x}A#zwhg0uco+`UioO1ysedCq?d?~ldG;k;)4 z9Gv-aakpQrpNF$PA@0r#_LGD^8TZ*mao6V+UazIa-JIQ{ZAo6^EsMK;=vmae^XS`U z7CF?@*HF)#BI@a7)H7!T_4Fgub8a2@^)CF!aX&^5>$`B)_r&#_TN~l{y6e?Y=5Q?T z=0-2P^LG7?9D_A+U+=vn?zYSC|C}2+7e>ydku&ot z_s@>F|GahoMz4Rq5cO^jY02-2`+V>Hciql!NzT-}$L{mJUmV`9Ka%>n_uQ`cKJ~s( z&wk?Kx}PEH-Tw9@KX!CG-}{`nJC9ubK80STPr_f0?WW*0c*gKNd>Qox_`T83I-GsB9~1gy zKgV$Pb87g7;g@js8F_5jF8eG!A@~aBeE7t%yLE-f@JLtOttj?o&fQye~BKVZV6ZwZ--MvLipJsL#8_7f;Sv64yC<<#c;( zaZ+CxoY&8FareCXYJ84-gnC|o*6ugX@pCB3HLED@`|(~Dcm41@T6ucthwn%2!1?=i zYlb)Aj~ltCcc-(j3yg%;4*=PQlx7SJHHRBDe zDlfij>;-YZeti9!a$mnC?$*^S@tjtH{~&HKdvIPq8}OrX%Qp=jz<&+T6{%;1`S5Gx!

xZhvDUpeKzz9_Euw+!e0Zo_#U*o7}*Zu{_`9Y2cR%%KVA91h^T zU-#j>U!NI%W%$gq!)&05YqGY^#N9flUm&N9_j9J76ZV&X&u#_&v6~kj{7W#0A^fv= zeQ_zS`@a&`{m(u(92fSVfj}ZpHD8~5v-r+TA0soV4llx z&aD9F-?1vfdERZpAB6kVHk|b}IP2^1yX72p$Lj#j->ct)v;IWfpD!{kwVIyzloq zx7x0s`NiEl>8q%BmzkFATLJa-HtJnYQ}Pc{PoFAIo@ZLz^~wBYan~n(9XUKNHsPG} zKAiO}IP3dx)}O&yAAf$>FV-)>S)YZoz5r+a7M%6FaMrirtUrRYK7QBjb#frbabDc7 z6Yopn?)BrlWR19Wl^1u{4PIB*4c~#Y&pkME8gSMh7=9@3uP2r9Zbpv8{q@9q->5$^ z>Mz9I{_^@W{em!0_uS?4XTs>?zihbDeiLa#C0zX=NvL{-bae!`na!)>-ldP_1i{$&8Xiq z>W@_YJ7gVpRK54ExSIpNpWIhD@06SqmE(P2!uFun`%DJE9#8i&=xRH}kIS-MXq{{KWXyl|+&Lbozt#Z7t7&%#$ z^BBp=sT}XCM$Vebd7|VLRgU+Pk+Y$4o+de)D#!b_kyBAQFOZyFmE*l;+~F?kn$Y?TY*L;JuCkprkve{z6) z`Z;pmkN3%k@F(H*;HBY_7mbgLn-A-!4WBhU27dvLSKROf{1K>M64#%H=1~6{ystPb zA3D1J`Mzb`@S5Qb!`p_(UL5B3ZhUVi4(IP_Nx=Dggx28vJf#Td=Ne@=KiAlV^K*?I z!>fkx8{Ra$ZFtA4zsBb{k#d;x6LG%R;C$cy0M5_NkKvs2iQ(}d4cnEkkldW7 z%Z8_466zm{^-zHS+qmQ=rvhjH4LJKB!P!sj$HI2$(T(8jXA#bRvT*jZX85+@HTVN@ zyiVcl^AgTJXI~on=W(Bh%a7#V%rgW3UR)mvaDJXxhBIde9!LLm_+xP#n{ck%L-=#> zIb+}OGx*1G-JbsOFb5v5Rrsyr1!q5HIQ!X!bHDcCUyc1efb(;)KD>|f_Y5w-BJSpR zUBKDr6`aQ<{<1I!=BMENd~+H8S$W2B8_vLapW1?Ro;5h{FZ+f!3~#~tx!a-P$A%|1 z!yNcLlZW$prU2*jOcBn0%7$+l-hyA?K7K5&pO?Dg`gv)996m42{MWF*ybs3V{Jd`o z{?~Y}TY*u8!>R*HYoA3wY zI&)xn8_v0P;5;rD@FMPmSBB62M3@7w|8wwn;Ch~fzY3l*d=>utSf3?0pQAS5e2&_M zzZ2VS!v7u5;cYmtOMUpWa9qye>}LpPKhs-bZtQ0s&VCl)>?Z}k3;nMco`ZAUmc{k? zz9Fv9_X=`&zE|N~|9gfv;XJ<%;Cx+kXn4o)A)IqdzdX#J=g~5p=S#-$BAnN&Z8)z> zdxjsvdA&M;KX%;m&HZ--|18#X(q<&N`g^ zmkr-E{0M#*o@Zu%GR%k9)j2rV!@S{1!x!MZuBPEUPc!f+uD7dj|2yN|fiJ?DQ-(8V z8_t|2JcV`DhTnyLdT?InFW~+&9M|Xcc9=6g4(EBX4F4^BFSh{a`Y*w`UpwM@Jy*o_ zdfrD4*K-qo>$(Kz_3hB`j^Wd<4D(sVeIy2dFOJJRoZC$rz6j^{zDn?a#&(b4yf2)? zzXQ)3(N~53nLiJ|)u-W$aOM=?oWl(trPd3{QGq|akozB ztK#l`sv}%aHpSiZoBSxDTmF%4_*+oFha7&7t_A0LcL?Wme$VhT!!He=*$Kyy`AImx zf3*(h^=HHIZNn?#{ycrC+{1Ro{dwxWZqzr7`a^Mdym(&s;hgix@Tpgab>hCK;rp2u z*L^09`URstFYfxhFP`7ZaDH!R6VB(8T{yodS%b5_31@v9E|2^->-k7rAFqzMp2G=p zIR63sh1lQtYr;C@_fi(&{GQ~B;W_xT@V-GwT=!oV*ZprJhyCvuITa&k-^l607xB90 z9M0oDg!4E~y*A8^$8iSE`Z%2R2{`LhaMmxwS)YfqehtobwJxrYOG*6mjtg>lTq){N}`b#+LBmXVTpY>5V>*H{)w}iN!b5dN-IgK37c?Hh(R)llC)!P#A2XL;dD{;NQk=KpqsrPqQT;DgN;yNd0fzati0qK@8zMkEV9Roar&clZK}a&%k-!t%~b86vXu$ zO32}LrflSF7&#RqrwixLU-aSrZw$HzzH>OA(?)Q9?>+U?Vb1*diwyji@%nKU-o@v1 zWjKHS;sDP658AI|=paP~ifbNx(J!+zzEABD63 zB%J+k!QYDa4R+x_f#X{f_vi29_isn=PvCq>ym7qq zx}T)D?k6p-?_WD`evhJRJx7Y$MIE|{}TLxc)gZ}|2XQi@b_SDML6#l z8*pC#cMPw>c|C8y?}N`J55@g)`2p$aNZcP6?|tOlf%SZ1@d2^U2-xrO-S)YbKAN{Yv`F`oTxbD9suKV9c4*TDO z|0&j02hKTn;hgg+oO3=C*L|Lg>priL!#=0p66VRdEyH>J$-;R*D#E$WH{e|7JBC-` zT;~lquQP3NJ%>YaJ%=80IETKGb7JIN7&#+2uQR(p6XyI~SPxD344%^t;e373HT(q5 zbutjw^EngO^SMM0=M&ir{oh(AaIWVJoa?y&XU;mD&p!unuD33n>+KZI^>$(SC7kPR z`e(!b@;PcwT+cHuuIIUk9L_TZ=Q`Phb3Ihxe7)aGF0PMz8_s@?jQoy~e}WvIk7q{Cxsh{a|8GYaSDzjN?spnehl zAv{-S;G9EFTpyRbxIQlH$l)9|;9NfyIJaAaKN+vn>u~OG6VCk|z(hp3;M}iOIOnh}Tqi!W`&xaONc7>?Z|hKg)3DY{0qQis5xQ zb6Rlr(}A;}E}S`2^~rOH8NL8#P72O`vT*j3hcl-F=X~}JZ^N0>fwP|zIQtpEnX~xT z@qFC(PpWu7WLezZUygCT&4}ysIxDWv>ow%?ysp7{{i(x0h3|2-;Ozex&YV-jhlWr8 za#$yC!Sh2D&g~}P+-}P76*%{+0Oxks;oR<);k$6IhX$O_MMrSvcMU&*GyfdU*EK^p z>m$Ds=FIw8alNjh;(A>rjQXTepEl~3jru)txBmIMsR`%jM@Mkhcj0^=tOqaR{5pky z0Db`<;`<&`jWADcHwu3-p7Y~yzK&alGbe9&5q^OC<}Un|=)VE~IXtHw!&!d5A+&ymCH`O>dVUWYk2e~(ZB&f~i!u8+&MxIQkY$l>}K!MWa|Zwr00J`3mdJP+sG z*5JH;Zoqln+kx|a)GC}g4LEb!aOQO2%sGKG=N!(Q5u7>G%`i9S#Nf<{i|gY!FRqW{ zl2M;B>a*hdeB6cexupkxE3QkY;=0d)xbAa=9IpT9uZQ{Yz7~hSW?XXf{>dVouYc2U z&Up*Y_xCFBx8u2G5B@Y-7_PdzdHJ&kUUN&%^nC+6J8ON9~F0 ze)h$6KL^NRKRqL-Z{(aC^%q9{Vk^vn*WnzTKSxl8vwl}x?{8IH?{5P++~1Cob8O_C z8aWqme(rW<;4DG;dAvl{N0$(2+q01-x1d5 zH=&;doY%JnIDc+y8P4~~v+!HzHT*mAoV*L?&wIAukHdZ)!Fj#y!5@tJ0i5s8U%+|& zyrN@1Q@<7F#-DqdfxiLUjlwJN9GuUw8*m=qJ@^N4zpIP8_2bs(qh3E=w+(T(e&}r@ zrwe~B)^iX3O!R*WzYD%{5a#pq@SfrM-wyRDtcMbO5wGtC;{JT;$oYOI?#~zRm&mze zys4W3#osypFFI#lT<4U;_4R5K&iU-XIiDe%^U42Cn8TOjeX2Ea-Dgo;_ql1*ZyEJf zas8ZGY=?f9u>Lm(gEL?vm?aRowMS-$%|nk#k^p7yeOPmoDM# zC-R>0PWpZ}rJpHr-;eiMakrk?&%EJFhGz^f7+!{Rzoy;KAhX_z&VE#IJbKyuFs=$aeW?LA&2MD^ii1G7vX$g zhJP9EBO7o&x9`IFdSqYR^?Ch2k;{*dw|64$`lO#Br-<#Q-XHp8KYMU)w<)f-dnT^8 zJ46n*8~MHQcKw{6DffUWaX)A8%i`|5<9t?C&Z^`TRF3y8Bj*y%Ijnpj%!hNxi|aY; zit9P-A%}D5z;A80V{BLa^R_GgdD}$}x7$FD`?+90=O%LKBjm8p)CVW`nGx50Zj0+a zcag(B+i-4o@k5ihyDYA^yD6@>yMr8Vw~8Fjp@tm#06FY)25nK{CQr-#P#~gitF{WiX5(=lDPX^yNTzP zE#$inhVpw>w~qzTtJ`e;WC1aov9h^}mPLkLTiU zZa25PFTZZ;`k$e=n;ZQS_3k|SjNFs1P*0!vgYofl`Og1Y>Sx7WK0PJw?iXK!J~PN+ zKUw6^OR9cWj#pXLd#{Q=@_M`9falMe_>%G_>fev|(^{yfUyA!VOv{1468CfPKKtSE z++083=oiWL{G#HnANstw%Xj}~;w!HIKli`IT|RwD+^v&$V}Ey$!+BPaLvM)d<8@@@ zbc~!c)VtRaSMof6j(Ykf>fQQzx4hQ9LOp%z4{xu-4@>>DxSzlGd2ziS65@J2ETW#r zeF^pSE!6WkZlj*w5clinAEf`LxbNTlfvUf!oJ(z0@BK*C-&g88s@{7~)jvemXkXQP zzYurpWEt-#jNp79b*?);UatNlxDKQZUo(8i@P@dbr~e%&O>sX@?}x}?{~eWcKbga^ z%JF_`$JGf$;p3TmjCT@yl2JTb#EW{_ky_F-yYW6 z9-Q+(fb)Jjg!B1u{v)A(&S6p9_wQd1u8aHry>B3ga~Q&zU+9JH^0;in{}1L+hx7G* z8_qcl;N0IKoc%=p*SH_Ozf0nJf0xDGapC@E;oNQu&h3uie}emILjX^rNAF_A@W8`&kv&{S=YIes$H(FrRzkJ~#*G zc9Y_IZfoLtZYAV!ZhLU{a{}ia67s&3n-A+(;Ou`*T)*xpqn`V<(H zvnOGm>@#log5hbyvxXN8FB!gN_^#pmhPMnqGQ4N_!0@5rkw2Y0=UKz!;`+Q>L_OC- z7S7`s`9#?6%Wz+w5qImyy&hST*LSnxZvD{X$SEKv3I79l8h(J+cN=iNFI^RP{kYd1 zUn^NPan}#MiJUveyLkO?MIsmCZf<;kduZg3jQr_83v*-sqPWgq64(8w#C88!Bfkdc z=Sp?>7vuihhV%XZKKzq7E@$Gp&vS9z=M{1|hndqbAAT;jB<|+J?JlF9p9@ss+~0jT z_xAwK{q4c;#PirdT<`ChxZdAOSH<=Etf?ITH-VB}nh>-j`JGww&vCn~PzvjS&7tKvGp zVC0vP!}(l^>+5;seB7s=&z!hkZ*kOf9VSuF>&XJ@=_%CndXh#xJ%f5)PqL_|m&Ntm zHpKODsfg?2va53Z^`xqDyze20*O?xi&l|IUGkM)c#Xs-3i0l1|i|hSb6xaKe5!c5z zE3U5tdDQbbuA-j4hI$^yBI@ZS)ZaResHfM(^&A@FdJc!;dJY{ppVNkLKBvw6?f7`< z?aqqp?aqtq?Iu)?Uq4Be<9!i1TvsVL`!B+|-WuZiI?xo?>+L{X?{8aN?{8OJ@9&wo zUT^2(dc6%%&vi9IJ^c#xTvw653)eULw7Bbs>uLt|^pv=sLt0$VAt$cqunOn#+JSSu z)y4I88{&Gqhsfde|48Ndb=6Th-n+=*dh5g4|CP%3&r6Yu@%(k4QE@$=w7A~iWg{nV z#RS(^Z&8oQ=c98>H6W%d(IiYV0a3C_c-$Ah03zH-!K0&X)EG>KHgW6!{fLM z=g;r&!+#p@s~o_860e&E;<}$Raox|QQGaFB&;I>*=XHKmT<0gm^?F!JThx2%? z!8!k;xIW+4#ohIX=leEt_;ZCjMoz`Z*+UM09<~8zpH1ZRd9{Un`Z03YXV=K-894*w zu+IxP`y3*l&w(T4(`Wu6oL}s7R$Si~qT>3#FpnJexd3OMi^%8wVhQ>5EOOXq&dA9d zIYs2K&oZ2SZXlocsZHe5tH@!WH6v%w$Y~;neO`&{^EWaaA4h%uM#c5{n}+i|&BFP6 zs7i3wZyUY`=XI|I=XLK?T<_OFT<_NiIlKr7N!?^jG*?^hBz+^_0LJ^W^ny2G09J0{$U$MuVGi8i8Th@BABQt13FrQ9!1;SE8t^V&AGO5w91g_w9FCF0IrQNC z{S~wSJb8a(aPIFsd>NltF2Fg5G@SF#z&W2Poa?Xwe-iEsZ8+z74(B|t#PvKQm*Y9; zc}B(c`7#IRJQHxvVI9tORfcoUTksy%TLsSiJvi@o4LIjKgmcbQ|2M3M1kURyoO51= zbIy5jJ?B+%J?9c~xNbM#obxuEb2x@`&OJEid`Im4$FHQYRm>cJufpg9U zcn{kx!8zxBIOlvIuIJnq*K_V7hjZ@3Ip+bKb4dKZ@&3BkiSNaIEh+9^C(=`>|1j27 z8uj!n>SLHs4)ydk)ISf;QAO0#H^tp~&G%#X;cvis*MV~mT{zz-JQw%Jr7YL13vqv3 zyhpCW`r&bz7S}m5;yNd8^P1tVwK zs9!Pa8%BN8s6P_deMbI$^8QYV>-~+1>zss>-16eO|C*7rXXLbuoFgNrW8_SK!Q}pD#C891aovBx$XPRTHjJDd zBd22I^o;txQGYJ3`%m0s@*I-ldJbuEos%_kaz;+gsNXZ{TjHO$-7lQne@BlzsNwVU_5x^UhXuHd}C%uY?-uc)}*uY^&bH0pCkecq_wGwSz^ z`U7!2=Z=wcY~;+yn-TgtGb^s=FfXpRTZZ$ww_)Trjr=3z@IKo&a!!n#$bT9iU)Lws zLrh%n@0_^a--1!UX4G$p>-ikRIiD*dKXT7;|GJ;3xXw?A>-|a^IXUETKI=wK$;hcA z=kD>X{^opa!5BoWECm z3C_P)wG8L)kzm5dbkkR{S3u*KT}^4=Ei%0KxewE;y&xW|(-%WA7zq`oc@6T+({}8Y158<4{F`Vbc ztSlOLesR6U;rxC6OK{d_49|({^Cd5?&zCji@O&x5dA{tx*-s5F|MBK}ScmhxI1tyz zr7fr-oN2sYU4p*>@6&F>Szm>-z5!=_ z8_xPmIM;dnOT&3eUom`5+|7aK=_cy=e#L>|mvH|bB6r}Yzbwp|?>{VwyLs~W*5=^+ zz38iO)|cS?y|SC|SB+b^S%(!kKNoJm`99~7xL=6{yUZK1Q-}TG(2*juwTrXH9T&3T3qkfvbf%_b#b>o`TfZqBd22I?2GH`e;>}j zGj#^%bH#<-h4Xbsi;m}zLpYzWy5f4>_QdtNJwp!H?c5z< z&YXV|&iSVd&%)n?IaJ|K8gI%i|41Fqb=VZw`_&TH`_(}X_p1x%`n-Vidu5k!)=%9x z%!hr>i0eLQ#dV+a$YGyJIIjaKIM0_d{O$PuOa;#Mwg>0yjsrOBj}7mM>+_{AuFsbN za(KR6z`5Qo;XIFKzB0_8ea7MZyE92R&zF?AK3-{YeY|qW;qfYqyZcuf*U4?v^Eqt~ z&i$>!`S;qI$mi>n7V4WgkGgQ?j|`uVjsIoWKkp-Pad$su&Vu1-IR6gyD)PCWw^7g6 z9W^+=PuqZJ@qS1f&et6saesV2Eyw0q+#g@>r^w;)J%=-Y>8r+b)A=cJou4)8b4Gnp zTtClL;4jDdehPms<}(!6eU8L+pVMC*&M(ek5zgygO5ErFtIRnq?(@Cpk;CVZH8}Ij zaITYGIFCzHT=&xw*Zp*i`eUR1R9qjI*nbXl<8^7l@MXg@;;w)9^8)@kBrERvr>`Q1 z*VPi7{cOScyitWSXCKb%=b^Zs^O3lob00ZeSDCpmHy-z#xX#au>-=@(Fuw+$!E;m{ z&h56~T%U(<)_37tpJ(tl`h$4=oHK%R-A2CV_VvV{FH_=re`7}doKe3j?$#~W!#bSL z1KV)c*9_km*Xy<}uGeh~Ib3fYIJbLZ_ywFfmvFAz>HAHd^NhHjbKIz(H|m$f_4Q!` z&ULa2=Q`PkbDcEB^?A_}*Zp^l`eUR1R9yET|Jrb#vi}sEedfh=pR3}!&yrDJHtKi8 zb)Ow0=h(Hd?CO9#&PnMZKuU%?~e z$eY(?sjmz9d|!GQ&YXt`Nb zgERjaIqyP!7xmoVf#K(HuEW^}hPkznzXZP<&!wBr+=ie9C^FK!p=buc3WfDGrcu9T)K|sz@x6eTu%6>z zAJ#2D-&r!eX!w@lHN#tm9~(X}{L=8*Z!q>t+|7skTQYnT&exSY;(8rc#PvGaM-H#I zhj6~0J%)3;)89DWFV{a`FGu05j~kv4_x(RYo|ls1zJKp&vjO=x}AMQm>btg9M1QJmf)<< z7@iZ?>p3s3*Yg^3xSluQ+-}A2J@~`$9Mynx-L}Q`{13(T{CmjZ{4d1a^JfnC!4dqA z;aBh#o=m~{xk(0oh}U1Ma6T6m#r+(fAlL16aX$y|Tgc%Y zDsbixjr@_3KfO4fgYIWWT=x?<>gSF6C8IuN)Mv%@^G^x>EWD1}HS()Q{*h7NG3rmm zbw5+z9L{TAXJ*9xJfA1WcUIib(|ZCre12GjGk+P*^;v*(J#32WezwGQKUJf?X4E&u z^?c6Zyq-k)-v}B!9n-i@W~mN#yYQmWFe?S@^B{GMqUjIInLNaXsf< zaXsfca(G_PJu=LP$9-O0=O@H#Yjsb{mEt!kKdn z=ej)+*KwZ#?4(plk=dZy30?*q8_}lRFAcux`;U~x$7(RkO8uc@e34QYY_9C49Y{I$ST{!c% z9~<(SQ-d?731?0pUPb>4>5$L&_ln}~b;{r3xpz<8onP)_x7b(Sygd-v7kBHK-ct3K z_Z`^zxY!5wmc_aA)ob;JIC|!=c%us z7I)kID{MC-uIH0Q4(C%)^?nX(s^0sys`qo)QT5*U#r1sZ$l?Arl)ql)(?mY&TgrWX zTU^iQ3i+Hv9gW~o_-EdRquUK)%!Utse12OaXp_La=5>Fq&w+yct-ZH!c=l$^n&hNX9#QpvHmt~%p;{LqzKC>L= z!{@qrIIjas;y(XS@>AkI-}?%3cwXmJ&POFDul&@n2bJ&Z3(9?cQRQ4n&bq4iz9FvH z&$i0Bhg|n|l;2CdqVj$Hu5w@BQ#p4?PG8k~AFBEXN&QIGd!POG@$vP?>l>s#D(;V$ z_XSn|U!;Cf)qBsX`a7jQr|P|zRDDM3%c|b{p13b{wpDo+Xi2Ln&&#U_9Nd2m+_r9j;pDXo6RquUM zT(9#3IQws_{Fh1op>p5Pk+|P4U*A#g>$@uFC6eD)_1*{Ky8jXUn=t>`@3_7GcO`#L z`K!f~;=X@hzogvP=frhCRh9o!lE0^Nyze9DA?}7P|Fq#;=N%*e*vRiA=d192u%(sT z^Lc~xnNt4i;%RX|A78($+}Gz+&M!z#Ue$Xqio1F8{Ms;l*YJknM~3&|yw48doc|S^ z_ut5O-kxV$_IFy`&&_*OT(6(F%K4Dw%&Q#lX;t5q`ejw`eNEN>vD6n;z4vWZe-&>iK_R{C#S03`%v7?jn6GtaNaMn-xcl){5hRfIDfB2QQTj*&!qp7 zxId2GH<81i`>ViTg7dBce|J-J0QbaX%k_ zzBk1Ee7v_*y+7X%RK53}xI4Z)?@r+S{^}5ZFZ>+k75vtDnla8(ao_)coTuXYJe^lL z{(MZR9PfGLJQAN{mQ{{l=Nl@=`wnur{;P1V|2;Ur_f>~~c07`sJ5LkNoYE6+&+Xpw z_n^z-es11(#PxZ4Zsc4TIq@fk_009T2!A)$`6`_6x5U3Eu%P{|Qxc?mhZpSX+{CnTg+_*W{|0j`?g1--*7uR!Jg>!BNIOkSD zKIc<|b3RQt=hKFBJ{>sc(}(l#q@Te#pU6|geB>>kn{_e^=XMit&aDLJd9(w6A>Qw; z!V|cz*5Mz)^J)wJbmVl!{rU1Bxo-5t{rTek3^}~M4UL?Uku&|YFgNDR!g)TlNQ(g6yZOQ{0(u}=j-5G@Tb6g$l>=1BhL)$>2reBmdl}zcA_}&kFm+e&*pkj*D;}$1I%R4_t?Hze?h6 zZtmyBzR&+0ner!#Z;HElvVKdsuWzaxpWjmcY{@@VIllf#xv!5sdptLN+~>sgabFPE z>o#rVEE_pJw(veq_{s`Kk9!DOWYq9@2jf*%E zZa(k9{jm<`_XFGTJ8_@w8a{yE2lW@?e!pHTeGbL_etDmJPMFVgaot!D_c?EnoF#Fe z<9!1;uSHG;z6r0X{5MH{UFCc4BZv3vfy(&>$vIa!-lNZ*yv}3ddYvc5^*TR-^E%Ko z^7}^qxlw;%)JMKQ94}tq;&5Ky7T~*Ky?FZC~a1`nqyoe}x<#m&gx}=cbQKR9w$_UR)pF zgpt!g4(Hi6at@80o>AX7>d(b>|IV!1?9fJ zqH_Fk-&O99`<}}2_4~?w{SY}^CnMC;r=K6@$@@i2T(6TkalPIa#og+K>db{UF{e@8< zSr2{kcn#qXL;o8;6zch0v?=b_`4i>2Xj|N`XYUut;q&SUIc{A&PhMYNB8NWp!=WEO z$422F9GBeO@8%6({Qq>l4}84sIp#ej)u_QBB_%5DhE6qQ+6{uiU}#!HgLK6jc6dV5 zN*RoOhYjz%Yr3LuR1oCt4m(Sbu9V@;?gnWM4VyCT(6B+YK`fIP-P}&b;--eSXfxeSWUs!~EPv zc&eJ@f%(aR(`Poq=fRnuMR4Y475p{0?@clarZ zKiBbPr!Ppq;`GK>oqk#RveO%{IDJL>HK#Ye?(|jZH=N#h)#)43*PPyX-RXCv-*kH8 z4X1BQ-*kH8TTb7Re%tAd?>K!|`dz0tzUTCP>03^3yzTT?((gOH@dKy7k^a!>jdz^> z;il1jy&XBd@nfgYgquwFKPOIayzBI{(w{oL@yQ=c=EX7Ax3sve8$YUbH6w28hVdEr zd>VXm5nhb&l?bnZm*Ic+pB^87<|h))c;+H}5uE-T;LJ}Goc^r{KLn?L=k-aPKZpBE zQ$I82?^>5Mj??1rT9?FUoW3AF>-5IwoPJsQtkWBxclwI-Ij1+i;Ph4L7oFaC-sv0C z7o6UB(dl=jUvhfmC8uvozwGqJSDd~h{i@R&FFSo#`ij#VUvv7t^y^MEb_34& zcq{JLtC6^0uO^QZf6m{T2+u|MQiQL9bG|oElXm&M#6g6gg8v7sd*|SM-e5t8<8WO@ zUW)LFc(@*n-d@MJ~;C^1gHPbuO>d!AA(aq z`D=-u?cRaYXR4Rz>C*zI{urG4sb5cg*zN*2&)ZAlVH{tD=S()Cem;ByK6 zZA8EL8%dn>Uj^s;(Hr1ww+7C3cfjd?1x}wE@sJ1lr20vm%-cLT{Y&7CzxSJoPl@@7 z@Ri?6^z<)_hxIBfgAw;2uSWcv@S*=UIM)$jPn-q6E3eWJ}8_9QmKM? z$Pf9Fc-W`jit$>3&;5T&tz3Pg^Vf&)r~U|>`pN&1)H%m-6`bGSvIWlXd)Wo2 zz74Le<38F{sxNMJa-}?>Y{X|i;**0<829hFd`NR@0i5GrfIsz1;MCW}!+d!i=KCf5!@L-1 z9IxO*K7+(9k$zop8N=$-;Z<#&im5m;Ci&`p=aseAIBf+g!#;fhdLzBK_9w% zqj|9aJ$YU{j0@+*5`6Ce)4TS;lH*qA%kZau#c|VD#QnV3fPaY7*0Cyl$ZPQ7yx5HR zG$KCDh|d;$!g<)vSKII*Z^MV@qH}Q8$xVdkE|a>w8~@+?)>ElGIM2f+@NdEU5fyMg z-&GS2b;bDW;-Rj{x8cKn?Sk|DjwA3t!uv|6;5;AB{6W%RelPbN`0KF_ALnDd4IjpH49@lK6r6Q+5#cxBjC1y_ zN&Y!574eYIFt5`(_pXWCK4`oSJ=d8{=*f4)!#cpv>9pVz+O4YHw&Qj2efU#<;JE1z z#Y4Nlfb)L`{vpl_t)EBmAwPjWw7aEvx{mLOpTdXwGsjKe6ZdhRJO7^iFC0G?zjXel zzjEC4*W$k2q4U3z|Bd4V@muF_`a8!>KN9!tPQGnipH_!KFeoneXBHqVt~j9lZa^i-)|CuQ~mp^y^M< zJo`tF`kzQYFK+(Ecdj3=-xc@z3+Nvr|C90WUqeqmfIghN{@oJ~-A&yY=pC4<-$CH)b>Zh#N^WgN)iCcb5 zzW`2sN!;hhe$U5KLA#;9TY9|#fAT8yq1~T(Vw|@+^yE$P&@ShfwG;RP?pJKXKeT(K z*L(0MZ$Zy?_n{~6h=+DLzpNb}PY?c~-PE6r>!%M+|8ulU{RKGnH{!m2tep_g|3aNl zt9`4Vl3ve%(|=an>c{kR;MC{Eef`+)`FNJmZs>1augmZ!uRtH#{rM+CQt!Xh33~FH zcxadPW9*r#&vtjACvS^~c3D5xj*sUA{-NC)z3zh3|5V(@ z%k*d9)L)7F`mx^&@q8K16_bN;FgUCM{n+pMcvhkRR;&YS z;6+?VRKb4-_puw`{CgiK;4i~|dInDab8z}!gVTTh&mYa_ieBfyLwMtIxpC!GX2B-gwxQ&&Jf2$FqlaLp)u*-iJT=0ra8Wt0(UNasShSp8P~Sw9ERjb^@e;=X?D_d-11i21dQc0(ST zdc6Wp|5b5|$Mj`z>TBY@e(d*rJZuNdfBQWj&oC!ud+;Z3K_A++`MVE2c}G07%lT{V1pZ1~*B`?_w0ou3r|>5~gP!g7p(no-5AAaP zT01_TJNSoo=l^Ovm?Lodr}W=#yi7j7g#1FkSfAz>__reeY3VJV1-+iuzbzi)Gtjf$Iq1oA;-OvEr}_DKO7Oq`l~hBo zm%-`3B5rY-eifYhs<^LD`@Im)H)DUE9N&cucT|YgWar9vXUG1`qK+b?yEi_dgYJ>#yn8z^Si_zgzyr zLw}EOfA2ut;_2)4Avpaz;ueqTkHD$#iu?TA@A-Jn(Qc@RkzQZHpZps7(5~$-L+Hux z#6!EBzt&FR--!Jsbu%7c%THFX)B3mN!FUFGwmS_y`J8xYm-E;Bd^`pChdk8ux(H7H zC2@<>^d)fW*TjAO*zY~WiR=1pv>W2->h%sd{ddJJ9@FoEQ{NHy^<%&1x3k!Qq1yPUt)j*n+vdaIv`UgyB+zaVboW%@;M>X*fR z{n+n?c&;&j>u5LR;ZUzP!Rg-+w|Gq71gE|w?(4^X&&Sh;{+SrZ0r+3wdy;R#UyXT@ z)=l=1=Mc}cH6JtLHjc*U#6z5XzGxGi-v_%5&hP)+1^;E-XE*}?F6=KS;udE?adyQm zPUC&}@O|M6=Tnl;mGd!v9q}1DpD&fqt@AN{7x78mCi`Z{|JTW9Qr!AwJS`sb&wfog zpKq4WjPo%*8}Z3HpI6H#=X{JWM11nj=e6=FIv?Xp5ua7~gn4)Nx8rK)0x$vU4Ew{>s&@5Z{UxUDC~b56f5{i4$w zUltGb!{jeDmc)so&{BWF_`>MGAQC)<7 zF`f+g592&PEpF?Ht#32pHt&q*;KOxqG2)Yt_$)_!D&T*EeP<1v@o#{0U2TFt^1aI7 ztlPZ^Z%6nD{A)0dCDlvF|1**27C7JUz6EDJWc09d@cCiP({1oYvEXT+_pY`vWlx4JT(h0j-`U#sBHMEzI6e+l_-id(x@ zw_D=YuJKkx-;U^yBKqTqz9$~Wk@Mve{Eg_>{5!|_wD|vj+jqn*e&dTy|2paOPH(*E z^ly-U$?1(RJN>UnzvA@9SDpU9OJ8<+&__=WTTd--2Ff8&FQ&kZ>Dsj0tzv`*e8{~2+s6XW~hA%32d&%k+o zbPmpQ@|C#N=Rc_3YjJDW_#J#$|7)XU-Qd2zA#VOJ{>t&TR(1R*#A}Y9h}RuI6W?_F z{l04K-w?O>t=*>M*6x<$*6z0B*6xnu*6yBo7#E&n_rbYO9Y*+3g!jOi=PPiwdlTWQ ze@MoQ`l$$?i|~1I8{aF9%YwM&-}qw0XDPy0od2!-%g*0;CE~LY@u@|8>Jgu&^O;n= zZ95<1I}x9DgdarwI}!h5r~jAAPuJ;^YyRe9oPZ@r#JhmGjw@&%pT@A4Ys` zozJ#>M$X50>K`9p&y(U-pZ{Jy8F8ym<8$!gxxE0+>#TKf&g&X@4dwvS};|M>E@cDmA@>a#UbRoj?5ncy>8qdk%*56N5e~-kizs83VpXt=t zG}JBk%^div@jgol{5d#JZi4gsC3e86?}D>m7vOI~f3G5Z5aB~{%a84|H{zBb;}cIx z^1%H!E$)3X;@)R2;)*XfP-#6vxE9M7GP#dG0&j1S?% z{HNb*oHy&QUC&O5TYrtui2HcvoR77ebw0+|BKq}+e$(mg`myQs#<#_NoV(7);@NXP z#&6-n`$DOwJeoJtPl#LIj88}OGZFoQc!;0vE`#%Xz3w9ZqlkZgGKv4ixIa)35Al;X z#6vuvf&G0S{DfgqzDDKCx3?H_;4$gLK5ndPf?QV+uc6Z>z`Fjh_`w!WtCVAuM%ND?S z|Dho6<0*>!cvj)Vcuv82|MLu-_dl<|S?5D>AJ2`rk7wq6lK%30%!=UjUj=WWp4Y^E zyX)e<-A(u~4?EzjhgO6iMEFsJpMZ0}yB7EH55#@^Bls}>*>sXm-Zx$p5B^*q^5Vgt zyb2%Yxem_tqy^6P zKF04NKI!*O^3VJKQ{Y@z=fS^e{HqV^=Mwl!aot)0|0}GYb#Sh4TM@o1Zuz(Mb5Gpz zZ~WNlpQZaYCr)qtR6MNzyg$}+J|8WgzVk7D5%IZlKA#|;Yv*Hp81cDvKA$O{JLh9O z^?u3tvR{+pmd}^SCoOLIG(HvaSr8BR=f52FPyqh`T#uK)@18u~dc!|g!QYAV_8RyH z;(o=Rco;8Uj~s#XdtK7+pXA}4*x#qX=`$^E`FWns&$Hr|ALH}zc{=L67~#v#->!pJ zoWJo(#HR|*__x6s&z`vT%hrdMxb@5ULB!`6ocmxVljQl=Furr(jAt4A&oM6R;M8w| zb3bZ`TfYh#uco;5%lHm_=zkF5N6z2I<=FWfKaKcYfiwPr^S5&TzVrVQt%nEB-}ni9=zj{%@vVGN(yzB;eQSb$F!s%DaqI6lD4rd0>#y;B_%NPx z@IOPlL-4OgyCd*(Tu)6*jpGmT-2X3i`(fkPli=aGum5QKh*|zlGWt517WZ{BFCP3^Ckx>0@5~1$b=$=Ca#q~ue_q_@e+@oq)L|8z{n`ZQ zxNL!^Fn@Q!8UFz|pZ7iz_jx-O_j&8Vhj}{(XZ*PjN%F>ZZylWLTTR@@Qy2H~Y{Q4~ z48Ym$tZr_Gac8^p;=bLSxNo-zAGX^DXS)~RZ1-B+w>uE`?T+BXc2}SN_&o1`v)z`s zZ?`S(+dYC0+r0y4e={GN#Pdqj`3yMYSrGT}EQ`k$d)>U-eSUyJ+tv35c{|A2izJu_ZstbPi5odKu+l(^N8 z>8HV|&x!l`vETFYthshyuk%mU`5WJXKhNQ9=ko^n>^mRh9r*D6#$*1ppj9)~2uAI;0%kGQl{^#2H7#~J_Zk^AE$mh=a7*Bn8vL7)&^WdC!OW<73 zm&N^gZ$;dn_jcgJ^Ii*_=cNO1p7)NxdEPq%=eh12oaeywGm<>;dF*L%+kfAt@tqO3 z{nvO7KHPuv;JofDM);bzZ+BhXx4Q`+w%Y_}KDWigJiUCcajk`acA)3E(~tV=itk^G zpNLyLrtgANeehHhJhaRDv33HN z<-J=fH7$Lp&(Ll`ujk-To`s(Ab^|Dm|WWBLv_^=IO~e(d*rJd^({S-15S5%*E0Qd#gc z?u+IlyeJ;VJ$w)I?nLNaDzzjY;wN8$&(Gp|c^#bXHX?in{AaLk?}O9lB*OdP{CiTD z;QV`1Lva3miaT*zpI@r^H4?Y^Wjr&NLZgp@bjK&@aMp13Y__w0cU^b!TEX2960?K z!Rb>0XS@60{QEw~5#AN|^W{|B&zC-Y_;-S?!P)L8!ZRP0vL5+TyK(>#Y3L&|Cj3K#*J6RL!Qak#lwE_yBPO6__rfJ zo8ms6hPaQXDemLh68G`!i2HcQ;5wNF=Q>%4@G>~p z&oywapPS%s#=5r!PW>)8_pdfM^&N12j{6jx_1Oo1E6y_);9L){z?tV8aE{k4IQ>W9 z^qG53GA?YlARg*1oQqzm{kJ3@>WzF2KD=(NgLAx^;NOOMu?x<4PQ`sZeQ_Vp06vUo z1kQLSKRU_7G{$8boblwvZ9XpPbwU5O`DnZ-9?p$Fi1WaPc$lYLhwI=RuWfLylY8L2 z&N>ADp{G0?O&_x2+xBv&qeSQ&ND0EoY!S= z{$0y;@vvWWAFPUp{hGWcZu6q2^Fv+S=7sT1alcYgI-@P^RPbD!MV=tfYYZ9&UNNe-1gIN(EffU9`YIXcjLG4 z;q`U)W0QH!&l{G&xh}1NQ@M=^N_c!xXnk~m*>T; zevB`|hx>I2oPYPT0?u)%gL7OO;=aF4ao^uP_%Q$b;QTwG^UqJllZek*#HSbW8Ni4A8iBJO z(l1Ez|5RSjg7b551#zFBqPWk`DtwrqHE`BL4V-nj8R1RvCu4q{iTgNv;y%s+e7Fvb zB0i~qKF*u>nGz54n*D8ne-!HcEW)qA{|ofD5k9$)jN@ByostD-yLoW>FN4!(6P)Ye z(Z`M34S5dfzkB_|GL||P5BVYQI(=XIQ>QoHbNbnz9Q*g3-uSh6$Um=B?jk(>@k!oz z-)Rn2O&t6SrB z`0)LUE%=0Ui0up8@F8zQALhkK?e0TQ-VqP=%yzrZXHN6t)cF|iM|`fFPf0%4&d2yo z#AoDuZ2nGs;&@yvpT_6KL%+D*7Q}r$6yd{su156bh`uWRZtHWzry23ti}>t=bN@O7 z=jZ;e!TGuD5ja1WJ@ZN9eER&%iu?Ie77zVp{nsLVE5diddA@3i`*_;oKAt1^aQ@#(?mi;=f}#OFNXa{-?;&WBT$8593Hagb(wXDkSl99i9Z|Iy?=|x|$WYx;oMI_?)=amGMRRu+9tM zd~UV`&h>K}oa=lGoa=lCoa_9lxX)BQC55@hcDme4sjPN~h*3|(x z>-kLF_qQkR`#X&2ZzB5q3m?tr@9O+h5I2A0b?EO)GTv6ReHUN2<8na>&UPsI0w6~TGGaT%QYGC12^2WPum;6IH0x&_YpdkoI|nG?!u z$Q$>O8F1EH7M$_q#C`oNh}-zu`DY0}TyIyvIgT6PjAsj+@$8BFcv|8*h!}|Zr+865ZCvU=sb=3lAe>)L= z7U7o>ejDML&q?xpiR<5K@sKy}Yct{@Z{%6{uwRSdoR39tj@KGE@8i|Lc|Na;hdA&5 zmui)@zKMr8$@k#Hacskf>)1Yg$d93C9!{VqKNAn@1M_nU&T+qnKjR<3pM0`3?zgY= zw79SH*@%8FqA!bw_<28YBf^{De1Gr&ocZrWcsIgtBYfg>$9eG2rDVlJ{QSQ6MR0z9 zbqV}^aX(}u!uP=Ga{|u1^&0kACB(@_}lQlz?HavzV2GwKVLTx5AlTcaO=y*`5lUfc*t+X!#cpvJJdcu8JBOx z`LhN7EZo;U0O$312b|Z}XW-0p`3sVEIgT6PydG?b`}{Y>eg600!~CCsvmQ>ttH{Fz z_(zXJepojK;JojY`og4NkGwAf&gUPp;MC_MyeJ;>z&mPdmpJ#4Vr3OYmVn zE8uLm9^qTytcNx@eU2jhMBL)H`!ii}i{E$;K8*hsobR_zzBI`{uRqrOniRMBWqe9JoRc{&^Wco95aA_o zo@2}4yxv&@=Y63XIG@{Zg7f+IZSl}w-nZEi5B(+IhY$DPE;##p9^sebmgk}Jd?jvq zHa>(8^E{#ZSRwyxcRIr7!RfOI{vLR)rU=e@+Xm;nI0ff@s*4D}2In}YzBHLH^htwL zKPB$Raa!Du<9tM)i|C8uASZe@@)TpB4A<=i$Tni{QL}QjYjnBL20Az8=x6!N8$RSm@Zou* z3r_zFaL$)ugr_RWxKN)4r~fQC>pu@ppCxemtVDPv!Z*Nqf1?gg|1I!O$NTbo;4M67 z)fV^lwlD7M?HE3+w=Ou(b?4wej{B?E;5;|pi2HbM#eFJ+g%3d{mE5v-)>plw_A|=JObw?e-)5I>LwI7SBH_o*QwC z$M^_7jAv>s$tUBYLz<=SbY<`#bd<(XqJAcjGULiC?5R7?d|oSy8p-hPeDBRlP|-Ec_@RkZmZzz*CsgYb{m}jd*JkMgY*8+Avpby zBm4}U<23~T3*1*pe^ruCevWcR+>h6+xF4^Dh<-7mUlkAQGq3yF;5gZ! zeD>fIuH$Szw%|kFfj;;*H1Cd}C+~`facBH}=d&lDbLV6HD&lkFd^+;Ebw0*Z>&dt? zo{YGyCuj1R61Vll_-w>y1)TLz0cZWJi~D-s5cl=mi0GRU{l0j}KjS$9=kujqaDG0k z5B{%lpXUmkJ~!Z8mqy@R_aw+`?XU_lq<==Du#xLN*d2|K-^Y8x<;=?~~ z!8wkpS3G{)(-A%;?#FRj+>hfTeAsRgoOM!)_%BENH{iqjGj(wKH^Hgj0jItN&hx+_ zIOkU%ocsO_IQRY3SC8}W^En~z^EoH(_wo6NPcGuK1bw(1&#F|G#h-Cs-sCGzpOb#o z>5Z42eo^|G(;F{;ZBmE){+Y(tC7kaEZHtGzg_$_e>mA2$^?FbL4*8_M<+$kzBc z0q3`4@PEMbG{wC!4Ji;%*Sr2#M z{64+(Hzf7L{49X4AkTSmpPz!`*59JI&(D(Mre7BK`Kf?2KkMK_#90&fan>ETb~nX+ zoDIiKzat*vd>)=tYJoGJ190ZK6X7@D9LLF8GG62};PhVu=XzcR=X$;^9_HN$_aQsb zvmTDY{|WQ=RNUwP%yG+SPu%Cf@3`qN#6$i+2l>ASXZ~-%8RrO`c}r`4hdhwagVR4R z9^!eVKB4FPXf5%OpYZm0Zfd+>wZ%go$PeNFwahd8{}}uX`me(Jc_HrGy%hKD4&d`v ztUtHlUx(*cbN@Q2&o!)X1@LpM&+Fj4pLQZ1;tcXDUGH?oL!9Ji5q&SBKac1yBKp$* zHSSl4CoD6$aM5}Hvn>8x$5))bApNS-8!tQkvh)?FH@@cd73tTV-uQ;oSEa8yz44mU zH>9sSz41+_-;uuI^v0V`-5XqYeMkBor#HUq^j+!qoZfiL>HE^Ro!UMm{>5EQpe97q_ z7TvJkI=%4~r_bmtSay2j6{nw-e%8G9E_>9xf zN5b=|ep&jW(;HuM`ik@=r#HUr^i}Cso!)ra=^N5l zoZk4F)9*;X;q=C6c*!oLC6Svhdt z*IfkvZRktjABF4L6>#d;!Ktr-^SXXhJgg_-==rqu`+wa3G{nR86!|WE_`YNd{3j9r z3Ha}8Z43Tq;IDxGT-?WVA@1Xu+)VP!>*x%4UNsfkodstevf{qod2!!v0Y1#b5;*g) z17Tj1}5>*Y>_pMdjy`3rF$|E0K(e+VDOe-rV!jrdG{OOk*36v00d{aOa+b8!{$ zKga!n8aSUPY>NB-Zi)N;w&24!_rV`|{tcY-_XeEvH}$Pa9{7G@M%>3aCGO+QM)dO$ zeL+0jUt+(Oz*&cD;9NKA;9NHv;MDJeQ{Muoz5`DEF*x--aO%&&sULt-e*;ea#Q&X) z7xigy>Sw{J&w^8*2d91soa@iBxUZ8HabG7J@OeJg&sxN%9`QMV57*BQ__Hw|yWouf zOx(xc6Zi37!H0D_0B7B18_9Ta{agg+^IauyuB(*@uSNJ)gtsER6XB;3ei7l<;9Tc# z#eJUd#C@J8|DPmp%yU}Y`((tu&s@Z(0?u`Q1DxypCirv5p@nTZwFAy|zAf(K+!yz8 z9>a(I?SgZipZK>)epvr$@JG%M;H=MiaK4{X17{wZ;N0(a!FzZP{1BY+55XD#EjZ`z zYn1!w(CHk1A`KN;{x#uuFH zTUOlH;k>x7!vcI*hfCnh{|Y$YS1OD9b}Qn(-5Pw@?j|_%-vMX-Pr#Y~9yrJS3Y_`B z1!w+8;H=N|tCI0z{-?x!9;U^89_Hc0JS>1S{{?X7e@Wc8TN3x}R^Y>S*TI?pHu!gA zA3p;BeDEIl-{E@j8l0aS%KW<|pL}0XZ>PJJ7^hJJOxsXrADbrPPh zsOq_kGw}QWl$zNc=e;K$>WBJ1IQ8e^p{^LuCH#X=P3>NZf4KaO51hU({m|)+--w5H zKMZ-8RzCt~9qDbXX7XE=^}3z;6DLA1n2sn z()d`vEY3;s5a;j1X9}F_@FFpb=S<9~;Kkxz<;e7-6amVV~MEkAwrD+`|>H@*OU zxDWqD+P@Z|CohSIc6t8Xf=_tfzOLuwci}_chEG9V4P7{l_;eyZ#}S_!@DIm1b`LJ?fe+){i1<_^KJ|#tJ~-p-fUjd- zpMvvqvX|gxjQbFr`iZ@_X&*DDJ zHTW~|e%1(_{^|d3oS#sKoTnM_ux^lN#r^y(MEF|7e?8*A1)mGt*WCwazfQo}uM2SM z2jIMKIrZA4PN<&;r+*QgaaO?TQwOKdE;#l3;Eb~mPW=F!{;7YT^ow!MfYWCIoIcCo z)K|b6XI0$SRZZO2)gJU=f3bb74L$ij^!FwDuKn&1dh%oOP`BLgF5ts`?GirZ1L!#~ zhR~CzT1o!7-xa}m->Cx5^{@v1QFy<23;aprrouLu+6CwR(l$8nUmbz}XRI4NaK>{5 z&UkLY8PCKICV5~y8F0ok2hMo%;EZP(objxIGoBha<7t31o?URp(*~#hK-|~=p}4RA zE__%gckp5Tr+#Rh&)`EoAs*Ug{imTPpBDG?Vi7*9|2%xim!N0;m!K!Fi2Hq{1I~GI z49;=yfpgq1z&XCx;2f_z@XyBmwDf;S>X!a9;PlUe(?1VR|7CFcSHS7N0Z#u0IQ@6Q z>Aw$7{|-3)Pr>Pb0Z#t`IQ?(I=|9;{@=X63aQe@K(|-}1{v~kwH^6x=-2;CU&i|+2 z)L(*ApZbe9qZCrgx`YeQuV< z1*cC3ocb;}&y(lkzWy)7efH>cIOAN1_%BBMOYoupvbfLBin!0us<_WjS={Gm zO+3s~=H~!DTz@+7AwPmX?ms2{eL2ois}WuY=lN$FoZka>1kOD7!8tBNaPD7|Kas>q zpDZ|iis00*fOG%a1gCxvoc>4PjI$3;pBr%cqz@n8uNiR0xd=}G6>$1j!KvSk@D4bA z`r!1riSYF6lYY@B3r?S<2wwxIPXnAjnV(A9W!~n*{ruZ@FA|_y5O%12TlE)gHt~Qr~VF{=Zf@yN#f-CHV0lFOCDOD2d7T~oIb1I^r?W; zrv^@+ZE*VRgR{R!;LLLmoO!zjr_TtS`l9YY&p9VO6_Q2`W2B*&vIDLBH z^f?Eo&j6f0sh>^qNuRWMSZ{g#m=X8qhdKE0{ICGd=V9^@UX1Wkgs((+8Jy1#Z;AVU zZHxPUwIlldi2hjIU+11ge7X^z^N9W;q92O;c5fm+w-KMopG)e2<2Vh@b7mHt^|k^& zh3l+}xX=HZxX*tbK8$A(vPZ6B=waO7*i|}J`j@Jb^$M+VT`gAvmpYOk9!Kp8T z)4u{veKW$_;Pg2Gr_WV{kHG0O{fkMz=u-s${;}ktqRSCpi|`$AUdOe-S#L++kE|Qu z&j??@r=JUO-d9Zh(&PIz4bD7d#r-;*7x(LM0X|&MYZ0HVh|hM!=K!4dc}~GOUYFqP z*Bv0jItT&Nv6))Td69e$js#oN+FI)29SZ zpLKBR>)?#D8R0wN{JWwp@E2jfH~{};>@P>)Jhz{M^L_0LaO!Wwef>}T@;INq{wKx# zIV1!A-FQD@THO23MErB`;rv#4V>$C9h~Qc zEpVO(_P}`_I0WZ&K1bke_Y9ovUVyXR0XW+ofwSF-|CZ#9?M{QU-9>P=y9Ca5E8uLm z3eNLS1DyA-7T%o1$?+}x+T(c%oc$_;vtR4r>{kt({n`R&zjnacZX2BK9)h#oV{o?H z182ME;B5CAobBF#v)vIm+s*WnJhRH zg0tN{aJJh9XS*G6wtE83cF(}s?iD!Oy#eQZN&R{Y?h@#%uIetO`{!+C^XM)-Av4&)bB!&)c-PKX=VUd}bp) z3laTdL|=;Nmm~T*^x?Q__Zu6~lQ*Fc=O23>Y#Vy=ws^<`?>F|~6a4LdV;?@`m(cUR z;uZAdx8gqk%NNOf&F{depZonJPVziBeO4m8BJT6EChqf7kLWie z`a|fso^+rmKZ2g?$qDr2r{aE{>BEQX$vJ$;2k_zj!<&fDt$6r*PxP6*OvZ)xALhh; zp0naU&w2Q;4%grl+TGLV);HioUWGp7tv?*cSBIXwA@1|pf=}@8=nqh};X{51J=f{sd!#{CX?CQpm|{?3bs@nXMn@FCAb&wdr4Ctnfw{oRBQ z`_+UG`4;r-*ADdLEpgx96Zo)SUHFjqpl84O(34+_`~IfiIvy9xv(@vIco;ACcN%*3 zYZiL)thn!Q5kBnK5`4&4pl82Up(o!E_x)|bhyB`z5BUM~>{kbR@-uPY-w}M+uhiR; zc|o2Q_v=*#diHlt-1m1CKI~ToKICiAvtJv~lQ+bDe-Giqes$nOegZxF)rFq?T-^6} z;_C7BoEG=>oPnPGnueZyUflP06+Y}&89wCe(6e6~(33aBeSZ((6Z~!dcHl#P1U>t8 z0zLVuxbJTtKJ3>ye8>mzd1QZ&_}q%y{%-r--G<}V z?zXtC|GPTR?1w9>b;x@j< z58$(a=gj-g=lkVz?tF|-XnaDy_4^h=itoqH8}G;6t_J8i1K_RZh1C7f)DdE^QTFE zIFA;vkk=b^AKiZR*d*{k6I^ zo)!=58|!u+oOv#SGoKZ3>YEYX0;kV0IDIZ7{1%)(nZJ1a_%1|v37kIb;EZQG!uP@H z(*>u`b%c+==`;P8kMCC@!dJoRQv+u_tq4B?r%xZ8K6eqG(fy=QZ}gc5r%w@_^RX)K z=VMLW&&MtJa6ayWb3V4fIUg^?L%Y0QxC9UT?@w#qU4h^KN^1JA#^ZPGcv*blc>Ax% z`k{E}7u&r7XS=uHZ1>J_Yj@Z&xhjH?)$y`esJ!8I^x!@@pJg_+TcJd78gpD%#(@7FJjTYl!1pA~V-kMVW*a9pb39GA_A zesX9{dgCUws(hD&C;!*u>nAPleTw3tU(A0A{CmR2ub(|| z?so^^ydJ**=e)ZX5BrQ2>z_k)ZZrK#d@0%_w_jmPJLS3w_671y0HPy&r@uI^Zvj#IQ4CC>QBIR zi{fD=>w|M$x)S&6@U^(F+dKGhd{cin&S%I2*M|x?=T{y4N#kFAh;u8#cfnboEpZ=z zTinOrh0mv8|GJ3yTt<9u;KMx3-X(c>4erw}f`1*pXSfK?eRCO{{Vju2zYb1)1N`?9 z&o=mzk%t3t=I12B2jV{eLvf$~iT|DChwV;^d!Mwp_nD38=OX$=ald{Rzm6|J zj~#HrnoB8{sU+iyA-1{tud!G&XFh4bLo)1qV{@sZGIeZxBB{=gx z1m|^hW;E`v@7I*L?^jmb*Z)Pt=Q84R6Y-h*ha~^3ha5Q1Q6+Hhk7aP4t2e-T{o4j- z{Tzt<{2Yq={B$Gw(}?~;+~@NeocrJ~;(rtI&-`POPwv-q;=W&5ao?{7d^j%K;M{-r z!8w1g#eKU2ao_GJqEG$PxL;mBD<1O6^ad<{Owc>bpb{%PQw;GFMU;LO7wIDPiP z%kb}jGoCIuefkl82~Pis_e}E7JWqii;dAJ75k4;-@*Lh*`q=jh6Fim5iHAIs=i$Ta zz7jawEl2p8xV2kQyX)fCuJIat*zO)U+ig4lMfvYLf8!na(EkdY{sZU#LirD!zwtZx z(0_6w8Atk0NBBHAee&S+DT-U3KTvTliCdnHufT`?6>!d%4RFqvO>p{bgEP)uaf|aA zigQog;xxVwANu#ed2Shim+<|N6HiX^|DNEp;Joj#0M2%c;MA{zKL!3ZaJJh7zZ{45 zFduio`8^c};M~Vgz?p|LaPIF{;N0Km-fJ907#H5p%!-F`A3?(1X~K0FUsz}fD4 zgjdCVyESp&?p8#<9nrVN{k%Si_#8%jx)Gll)$MkgY*4`E%8uS;q9`v zeO^F3)D`(I^!NWMb@i-q+%4$I_r=4w@N?@O_yqq0wR1sQrxd6R}r7p(jthZ!#}9-_znYUN)~Y;y!O#`0#sg^5C4mE8v{JYvO)htc&|RZ$|Wuh<;bx z=eZ9b=JNtRqcHY_>dQ%5Baxq+7k5S6>-0wY{G~6Z@`CqH=^H*=nut1yUg=V#OF5RGx-6J z=Ev5(w76gQX2nChT(9OMJRjjp;Jlw-0q1?@b#WU zIgI#pBR)NF-XA!R@XH9l2IqaqrKcr%_@(jxyk`jDN8mj7_P{w`_C7f2FTY>02hP7kbOp}8D|8Fa?_ErNNaD|RV+x#g zI}gt5;stQ}EP>Of0#2U|@pr3dabM3(_^_V0B0k#@pLWEj1I~HZ1!sRRz^Cy3Z;sp(kG!_veH%e0bea5%=?A9X^jd{|q0l zOLcMI-|dKgC!*gM5ApMQ=PcsWi}+l@hxLAw!nePk1y=dNvV zj!PSyb=3jq{pwS2zQ1z?&iL=Z+25&|$LD7boc+y3cpjYJ`>_Ph@BLT-=ie!)fdAe& zw1M>K~e90yXf;?}P5qIl@4tbw2j~vUxu@27X z0IT95{xH6F|F$mf=k*Ts+`o3kZQL!-2jafYkHEPeo`7>bochQl{~VV&aE{BoxQ)yA zX|GkT^9H8RK;x_ws}_*_w#WJ{#^HV!8spW;GB<{Y*HtW+|L0&#OHaJ z!RfOqZt-7g{V$7K{Kl*BVf?4yFAWn_KLc>aa|h0NR-Tjei=T7Z0Oxb#+u$FH_uu!x z`FwBcqZ9uFjPcyA96#bi{4E{#N64ByQtn zycf}*NAv@6zhB&dGoN?hj5GDzB+ulF;vxR~|E2CeW~|GLhxo~t#lv%w`xxIH_=J7% zBVREtxLx>=_n;5wf!At3>O)U{1%2>&Klxufo)I6whx%K`O+PU|?zfHOlzb)~|6uX7 zxQ(yrryVza*7;bw^Nvr;Kks}@UvS*?OU}piCC5KZ{$=N5`ikSGUw1ywkk5wW&l0aX zAJf+yH~p@7sB?Wp{-J=b!2i{Fh#q+Ed5?~l)!Tx&jf?RO@!+}43pyI(+k$^sAD*rJZ^NIw2YpzVe#q7<=*f%EPvQ?g&yoL5ccD{&~`$JH7G33z9nddyH2Jocrb)IQ3O=t55TN3Ko z|9O(zF2 z#(Pd*mA>!v#s}h|-Pb(zzGM2i1Ah_DvFT4t>V)UsEI7YkXi?ni$J)({TON!r!-w@# zj`&m}KDCIx9?@@$hdi*|J#elMZE&84FTr_zF#!KXoMT7eUxfTme^Qd?4)i&2`sBd} zn0L$IEvy4;;x;a?wz?9xaWTFLpGWcozBLZ{p@Q1rpND<+5S;O!fPXUT?F^jyD{%Jr z7M%S}fAXXA(fXAU_x+uV=(7?1ns}%mp5JQV&&D`5!P&1v@SnqYoq_Xv!}{WW9M8pl zzXlQgFrrW8lRD(MFM@wL&bI||A5T%-$FmyImm~UmM86r)??m*w5&gM%7{@=yIb`H~ zepK@%^(o{0Sig*C#Ql0w6Sw@Bz8>+}iujzs=RVZb`e%*f=);Hn7CwJFmOjkWl}}B^ zw}yJFh+CX5-xzNUYvR^l0sc0e-?qVj1na;)IL~{>;+B8Q&xyF@-*`Ww zKac3|#6v#!CLV_B;U5!)aejQelj6SJ8S&ur63mw(_#3gW)xfFW0{=4jw7_SO&wX(p z=YhD7^8`MBgLuxsS^pQ{--mY7pPtkY&jVB9;W>vdg??H*Jm)|@BOc7T!+u#Lw*_2Uq$q{5&d06pZ?6puS*$mKVEaQhmF=e$n6 zaNJ)X|BSfr?`%ZB8qt>{`pKnnyWT%7?&Fyif4BMWd`^|mobxfBhY!cM=zM-vK1dgE26H~*T`8^06}b@CF--<MMqmlf#A z*TsE(?nZp}B0fhEpJV6q#Kt&rC(g(C8GN{IOn=UJynKF2;2($ee?{ES(^YXlPd6g^ zYDC`@_jzl>C)^&M9(Omj4|=|tSd z_Xjq{UR`k;U*qTS;l7sp+_99C8Z&9K?Ak9^wh-jboiRuEaw;`TUt z`Fzfa`+R1_Lms{k^I{2{?XH5e-3{<3Jhb~X+!tMn_>>|(m59$4IQO*<{J9<;!JqsXJ{*^B#OE~P za~ARGgY!Ia6X7FqtN)zN2`T;C_`F_E=-)OkOh4(k>C@t2TzF2H5%=c-`#sOsrMGyp zT7PP;UE?jZ%Q`=b@H24E-*a&8n?rD3f8Bwz-SihG>k{w(&wz7%$bo+i>bU?;eHnZS z^L-th>&%|GpN}nZKOZ~r;rzM=f27{ve?RmotCL&DZM^TqeO-+lH+@Ru@9Sz3obhDD zeSfFKeSeRk59jms@v@gXfu8(YJjC<7@E`Ou0RMH2;|TmYI45Ucn$$@P`+foZD{x)2 z4F2udH`l=FQw4wfxT%Loo8p$AU(`CkC2sjK-hvP7;RO5~{q2J@{!4M+?v=Q2_YOXc zfBIh}c{@bjX2re#oVfR2jOg;Z&jUc)CvVFM(xq6VJu8% z3=)S5VT?|k>0p&O7R~kcTniShL&c61C|b2h!Gaazv1-676{1845;bU$0A(l|pkj53 zlxx7M9qd5CsMV?59&ePY^X}%m_&x99-RJXu4(B|q^ZeFcd+q)Em!_NGoUaBr`=<%c z{y6|=|MbDX1AUeHwxmAygQvkig!{@VaC)Y}S^rsaU+0pzuk#{2?4M2Wk7FOJf;0b` zxIb=P+#h!z9_D`v&i*-%_%9;eGhDn-&jsBQJ>i^Ue%B;dF7vSN%FGW1d5zj`%a|r${ ztfM1vK36#bfAg>ex95d(@b}`pHm*8_I*@0Fl`rC&^44!X8V9{Tin*m#ItX=jZ{b6){F5Yc(|^6;LNiR&O9&0!#@9P zo&h-PkovE8_rr6P=ZLuVgYhwO-w#=E z)*hyE?+v3hPhkMW&|rv}bCH=O_V%CqVG z#@p~P&m-_(zi=QE}f7P_&xzY{Eq=jqi(eM^`K*I~>2Qd*No|6^68CWx@L$6HZ&lpt{2b-E zD{grjZ@|O)w7~fur0x7Kl)vNr#=G#)e+2#^jH?I!IPg<(8`n?kxM$)vF5`W8c-$-S zccE@K5kC6e!^sHq#eCA@mQP*zjEh@7#xw9RpGoI=ojg;{V>}n}zmL_tG{kLQjPJw4^GHuTJTK*O z3*U41`Q=IS7sbtQyd)mxi{JY(?>r0gEI5zx<%nkk{Bv-g+I0SB$iL@PIQKK+mXF1k9Jly+ai7m3IP117ZuvY+$6axJMSRt9>;H9e%hNm?j+$+m`HiQ={X9;9KNtJS6!?pAJ(CCLzFh)mKg^4V_cg1yZeI`&?`y~x#Y5fh{7Id! z4#&A99>zt!A|A%Y&lzrj^LnNNe|R4F2-U3$Klv^^+=mhN9L#V?MIG@KJ zgAZ_??TK4o*}6D&+}8EExb=g@UpQ{@eR1C>1Mm*=8GY7penLFgMG^doh%bv<{*P1r z7sV}4<4f?c-!`1*E9Kd89^>2aa2}h^^8|U?&SU%t9_Dl6JhuPzoX7YDJj`d{Ja*h0 z=P^E}^=Hf|9kS!JCE@tcsQ;#a6Q_*JqhoDXNM)Z<#llzujScr{6os8DQ@Gn_?F`qf8adl z@^oFi@e^@hp9|-?|NCy!PxYP0_!T@{*CWqO`holZI5^L1)8Idg>y3iA)$L24H_WFf zZuK!f3lH;Ibe_+aXUTbtufoIYu1)Ya;69}a&imgzai4!p+~?nfhyAwiJdaZT2hL;s zDB|fk&lBW1bspmv5zjSv7VCO^Et&TjT$fIYTOF*QryT#d`Zg;F=XsSp`;ObXIBcVrN8-N!FTlBPUy1wr zTsyzb?+rZMhsVAz>8oGB^NK7upHoeP^Ep*P-12#g>Qi*w#ycZ!^Jww2j$8bkxUbJV zIGYY`#(UzSKe<2OIM2BHF!ck&x|zrL zsJQR*N$~H&`6UO=pT{hLGky-7pKn|N=kFg`7q>c0EB_5~%is7GJUl;EBc9!erxx+F zBA#}{vmfysMLfq5PcP!Rh`#O(_`##A;Jd+VmHsUEnJjIA- zHsYC&corg_rHE%O;#rS)HY1*$h^HFy>_t4yh^H0tbRwR^i03HcIf;1ABc6+h=Q85C ziFi^!boYK`>wQ$*_u+)N@8?X!GZpdVBc4LUGZXQYBcAz)XEEYgjd<1~o{fm767lRr zJi8H31Dv0;YC8WDwQska-*^We?%O?Zo-eMzdA_(2_w%0Gi1d&6r}U4w_hcfTsfZ^Z z@f0GSnTV$x@ytg&ixJOi#IqLhY(zYjh-W9_*^PJ_5l=JXX-7QWi03fkIgWVFBA)Yz zryubQBA%OwXXN?A{`7q~F7EqqLfoI1CnKKeh$kQM6eFIwh^HL!EJQpj5zlJGvmWtm zM?95?ryB9pBc4XY(~5WwBA#xr~vvYy8~B+kM%E zi#L8H9@abaoO*aoD_`YBo@#ICshxhxh(YR(2PhJ-H`_lZ2 z?#|Q3wIFVJ8ebCkA`T6z>=YNO%*UoQzers4CU$^xLuZdgV+Vh#ZxXp|44m^Br(*@`H8hddvU!k6# z`TfIwOFMq0agB@HaVgB`|&P0zs<|C^B7-)ht~sD=lLwC&o9r{aYr2A5Fd5?dEyyy zn@96ZI&Pkv+63pgw!t~BIylGG z2Io8;fOEV@;(or4#r=5CBk>oJ_<^{u&&UHwzcHU#@Vn|J9`>atqo3Ereg5m>KL2g_ z*>A_-{JmYL;GC~MIOppMobxsIlgW5FUlZW;Oo4MAr@>jbqPVZajJU7EJUpz!g7f^G z_S;40F}?y1e~-qR^Vq((?mWgT@GzfUaE`YI&bsx%Igg_|N&VSBqn=drrYIFIo;cv#OmIM4fC@CUK~AA|F}KmAil9q1{8)3XRpPX(Nw8aO?N;EeA@ zcpsdeYw-4PD7OzvGCw{1m#{y4D?Z0KDgG(*DE=w)DDL;GIdJB`8R1oM=3fJ6{`=xS z{{wNKe^=b+--G`?^h5e*l6hyJPk?j3S_9|rf2@G>_wLof`MIEd@Gr-F9fR}tPF{h( z6`$)%Rg?UAeV75~_r*<%`?}@Decej%ux^XsZ$$p9;LK-J+#h#K+#h!r9v-&_&fjy_ z0Oxow!P%dqFB>N9ujdQmq0fI4=hIbie!gfY!uR3-Sv=<-eR(op^kgG^O+4gD&weES zG{Pr;HW@EHE8=0i%%>9JClSxY?!CuVi100OKd#B2ySFC?&iC>qaK4wXf^%FoaC-K^ z>A4aQdGhxMjs5(+^Bf2NY25csfIkWSkOlv@h%bV_1-uOYN9fNLaQ@!;LvYsN1e|ra z1ZN$lUXk<<>rfOA{qxu1#fko!jquc7;$a_7iw6(a=`1+U7iI8|;J$1LoSsI6A4K>G zIFCC3XFVr=;okjF1phqD`?`4Ot2bdDJBTMg1phVc|L5Yiuf9sxr5ED1uNogj;%_4H z=~pJ>;yyej?vI-l_s1H6BUglW?zw0^*oc=C2{j0x}_?NNn*1=i-3OMV$1O5c;KYQTx9D@HDes1do z{E@@dZg#!JsQIDh{_37mP(gVVnXPX8u2^Q?f=QwOK# zOx*UFH*0@87q@-Jc;CgpNAZ^~-uShPf1lz9F5Y;mKCGwZ^C88Lh+96!$6WlC;?pkP z_=Jo9C&g!6yz!iPIFB5ne+u9~g?(cd{JYWrW$^z3z6gGeeQyQ)IXLb*_$$%pTj1}9 ze^)&0^Djf6w-L{A9e{ION8lV+51ivV2j{ph!8xwfFDL7Wd1k~z{W;z&ILA8;&T$pM zIj$LSj;jRDah1V2t_5(8Yen4Ge+%&(R|TBos>8#d%Qyq)=Q?t)8P+q@jePI5NuB9A z2LC5q|D1@2^?2t`YPm7|?|b55J(8co!{76D3C{O21MnB(xRW|gsN3VQE^^?1kNz)! z^F7FHgwKKBRUh$Cx5o~LdV9WTfPVzfHxA%=0OzSb_`hJ?U4wI6sn;d*!t>fVIP;tY zXM7%<=hJO))@MiD=J)E&!#t{vclGbP`d^!Oi{EqH;%nkz9{D{sO>oZRfw=G6OT_c{ zOx;A{M}H-$Cx5Tdgt+(5AfEM{2WLH3!5O~^&h^y>=X0ALIOliz^-2ExeWqLB+DdQx zb6eczar`aA|Gpw_^JRPwo`()YZ$10q9Pc4Gf1hbT!f(J?pNVENF7g~WkGliT>%d*` zZ^J&2`PIbF`b>)Z`b>%Y`sCqxDC#p0&ODpo%<}-8d0v9EPsV;N$)EF{1*bm`{$tob z=fSyNmc>II!sq=yYyEcGQ!C=34&t6w9{oC+x9i4!49bJNR z9Sy+Qw-awj#>ITH;(mT};(mT-;9(!mfpZ-#fHR*JaIT|GaMouVoc&o5_xbOL`~2(h zF#i@f*U=d`>(&Qno>$<^^IF{JIS}`G?)^qGUtC8u@!;Wlsfz~>c^e+Cqtb8Q+dn7n z{bh0QUxJ7JEpV>81~}Kz0XXA(;9RGvc9K8WX$hRy=ZoN6M>TNzTj1=^eQ>V39yt5w zBEkpYUyl3Si8m(WV!vg<>CcIW?{8%Mw0QXbM)JJ4&F_t_lMCWDzs6_8{dMmgIQxGA zoORv;XZ{s%Ue6zca~}KPtlQ{s-Men%;LLLpoOv#RvmaK$xxa0IvrqQGIo@W3x4~J5 zGjMt?z&WnIc<2Z6OYzVT52L!?z81HBFn%NM`(gS`N&Vk|=SU@R&et9|`?CSg zJlo)$uQPD&ljq_#F1y~i5Vvs|zlMkV*hD887x$%UaP~{w@AnsqP>Z9PlYh2=C zUc$CFt!t*5_+uTfBR*WuPw6^;Up&ksc~9IQ_X?czbpy`#1tV`w=KVRS!zB0y?jv&G z{C)ImZ%aInL4D4^zXtQN^52vAH9Rlc0H>!8&N}ad^E%{2Jk&qb?MbR&w1?Tno zDLB{r1^Dk^-mk#n+PBO?W9jWhCa!F^ZSAG;^BJWgP6xT z@o+srUWVr%u`V{m!@M)kZE)sO7x%|)i2LL2i-)@1kA3D0{7Z0ueFe^aVDfj8`Y?W0 z+~-pg_xUWs!+f^D>E8usK8NC=Zl8~Foq+#2-p`(ae-P*8EBN_&=J9Sa-V5|k0sQkZ zk89!~AD-{Fz`p@~RR!mI@50aDgM5bgKJqz7{9~|RW#5_P|8$JE2+sIb@sR(s;HgCT z5j^ih|D1zwVSg^YE6IoPOW=$jfHOY*?!?3R4RFR+!5N=D9D2fdpN9Mw#KS%r@c!*C znMy5+|0~CrBD^gg)*U~W)sOfu#lybJpM!Hf zUW3y!`kvvqL*2+T;Pg*|)1L>YrwYz~xDfaA+ZXrqdkqigcMyrcfuHl3`n};u*lhI^RU%Q%A#k zhWfD1BjUc!X>niYDR{zt#1HB^GYb!S5uW?7zV_hZywu)# zZ^Zrlj{N@J_1XJ_;lGcHTYZd=iHG{|a{_5`@6RBf&x>;6etk_xJVkgo?=zA3S@=2c zC2<>9Kk`mI`Iw8pRD9aS8=r9T<9B@FuZ)W~KIP(ziqE=uoIhkYj0-}st%=ugh$y7P49*$@x?89c@} zBc3hiv3cAUw|+2Qb@2locURoJSFF`eQ8eI@;AQV;=4NTqPXR6 zd`aBrzwA71c~-{C?>Nt?JXLYa-}r9C zvj-2aOKajGAM!fl!y&7>|7|$l*7>_B9`a#)%W;cui-+;@^Nk&GpHD`|5AnQDY>0<- z8XhB+-h8`kQ%&)Z4|xai;rgxi!eRVA;>nN2!*O}vdJWF+JxKrIaNqFpIdERD7Qp%Q z+Es8Kw*^kmJ~%yN@4I(C)8O>%fb+Obaep6r8i~I~Jiliqf0E?G_w2LaJZ>5M)p(D& z4*p2o-|dLo_3*njzg6+j4`F_dH{juQY%AhvM?8lS&oTHao*(wW`TqS{+~+?K_xX># zKdC44&x5l+7sSInelGG^6!*tn68FblgP+IU2mcfJkHPu#>^*S)Jo^p!v+$fYr%9Wban-=-X^H!J zX^Z>(k0YK7aON}ifn+`MJT(W-e3roJsem)S3C{6$z&Vdy@FlFH8*uu^KbYjtd@|s7 zjSHNfEpUELwGPhD;k3a2E?jWyuO2w_nfT)*PkM6TUy1jRC2;1s8sS^uJnjxS-@iA& z>E8#Z=MbFr>4DQTdYX)vJOfVuH27mN?{nas#|k+6stwNLcEQpIvZXM;(LnxR()rCGPXN7Wes#{#i0!)?q{3dp5j-0uGz{!7R|d`zIMefUs3+?SDGiHCK;{v7>Kk|&=BPJ%Q4EI2>U zHUr+ne!d`Xc`hi=C2`Bs_%1we2secKtL{8Y;!Woryq0!-Z!*4kk@)%hCK}+c z#phJ_!5@!(pa=f>=-bps6F)!SQUs@e4gA%(Z`}pwareQ`kk2JJ{gWR{@}Ykgocwu+s>?0O#k`FU5U6SK>aO zk^XSJK7Lf($Ipp}^B2EYZ5h0V{bVD;x52kC-aYW&Mqf3+S)Vre`*B`40RIsDN8oQk zd=LCxIPN+4?;`#Nd>r#Q`j<)nJQDGf;Lk(g@@~X3H)(5U#~>`s}cVeJoHz<`ExoQ@Q-1g9!K~MIQusB*GWB}i@qHP zr#~0rE8wrfy4wNgajW1w?xA>?m)q$LA40$L*Rgn*7xErFT^#pXJe+^ujXt>neF%C zBkrG{?2G&7CkNso&pUrU`P`-}9`YnV6c2gwxy>;=cl9$ohdT2*Kli_r zK4Be-;H<-(xUWN5+}B}V+}B}2+}B}I+}B|l9*%bv9`bc~Scg9NW3Ufjf%E%<(pO1+ z-iY%;M%?=F@Adv-Qr!B`_!K-3!9F|p&?iTKH_T%Oe)3rt-}r}N{DOFxuR~lH zEsBTvB42WT^K3YO>ElEHri(XTb@650@9nyH<4qSoCx6Su8}GXK)Puu(4qd$Qa~FR# z7{*_?c;f@{P`7Wxetsh!>PDW{{Dk-;oG-@3Lp*sw-1^7fa}~v{e~g#K{XRAi5Bq-s z9`a>)xGvVfxeu(vAKnXFKAZ59x8dPF-v|F^tfQ*tIgE?fu{H5fPhQW|#X~*G8{)Rl zwDp|4EpGda@gwnY+y`+U9Q*%Aa=MQ^-pNxz5M~w(?fzxvh&gVAi|3C46;I=_;PqV24IPWX>z(0!h*am0c z9)bTd=Jy<&{dNh?dJe!DKcfA^_fHy}@2yJU%yR*p=h+qU(EohCy(%91pL|W+`rqCY zt&3a#8{ZHQ`Lmz5;o-iq0}uHwJls!C!1?^Gr1MfZ?)PFIFTr1n``pogO!|cN&qjC= zoby-}_xtUxxZiJ^@Z5*~xq|1;5K<$b80L2k4|z`izhA#I;LLLcoa5aA=ljHtc(|_P z_XZq*^Lqx4z(0iRpVUoKXI`I7hzCEfPv#KMer|y?|9*tufU^$8e@gPw9h~u7 z;Gf6qOmKQy5q=oqr{Fy96*%j*{pm@4xc^imyaCSlHP_(0&dhv9;^+6w(g-lg65^^__5}t<+vTU?YJGcBW`(`f8TNQA2@FQuH)uE z6c6KiIIc4%N0a)$2=A}wz*C4{0_XfT!5M!5&iHZF$*->oalgJY;x_NLjwZ#eZpNp? z{XFKt`8nPqIQQW)IQQFmaDKje1)QJz+5o4&4bJ_<=FP7coBzQ1^RNSWIFHj0Pv)2N zG7HXm*#l>M3!L#IpOyG|KavM$d=Z@aH^jrZo{H;)7WfCi`|xlc2jHxKZ7j)?^*Iu^ zzOr?6?6}RxiMaKf#rGVy_)~G;hkfuL9bS6h?t3@j9M{-qC;4++IdIlF56*s@0q5rr zm%!;6c|>yDhv2zT4xD{515VGbc&Kx@Z5rtNPxi#^=ckM};i;oOtw?+u{yT?Am9;;2 z#BIKecj131{6`W03F5gAT!3@Dml1vy@edHspFg^Z#E*Q=a9*r$3;Op_{jZJJ_?UR; z!@ItRLEP6rgLw8^Nj$96U&Z-iUfj>`Ld3rWKl^hVp71zo<*m2NBDEtP#znq|c=lCI z+>fg%9`ffr9z;Cdh^HqW>dF2*jl`e9f9F5>WPhHE+k9DnUc%4*ypH&95YKU?(@CF% z_X7W{_hRGX;ke`(@h~pV@09aA4>M`JY(_{oyYiW#53nSUno!6d5kYa zJWI~=XnB^M$M|Z*vj)#?f9?(||=xb0Wl`u8z#KDSJZ+q$s$ad5^@i2L(wM%?GqK|H^o?L<86 z5BiAN?L=OK^Ly2DpO>5;`F&+G;QT!24mjiM;EX>7=RR`*&i(TS{H}fA^OHOoKMT&^ zYqKaG>X60x@f4ijmo+w?_&Kf&ILEaD&hNF`0O$AGHN`_d7kHoBj_@8l{CUy=;y*D= z`F4J1?@RJ$eOAC(&vkJA{PGSsJ#}z;Zov6Hw}mgbcRmZ?^elrjpAIeKMSvze4AuDRDbr8!y0fAKpjIf`4RqsM|i@1LwF};2c*6 zoZ~tH=eRD#eg0SCKL3#~PU^t?GvLgB6`b?l0q4AT!7F%+@UWgOaMrUAeuDapWRmf+Khxm!l)dXMOtMtk1~58Yb=QGb--ulMxTsQLN9T^E}!1CFe0d4bP)cw=y{Evk1=d?nQVV zoOL)5_v7t~`|;9rR6NEhIDJwFk*d3=ic z?MmF{(fEj(%*T(4`}mBw@AIjMCmZn;Bc54sj%y426FBcz!LRVS&>A@F+=}o+aQb`T zY532;ndgPLuV-J}*YhS4pL+DLZ+-l@_@~q#ocUzMeLlH}e+C||>qU5;jq9-`c*vK< z!@B!N)NLi=S&ews;JF{yY3mWsM#QrT&r`9VY(+fV5l;o4G1OrPo)7@UT96 z5l=1Rsl&tiG~nU9G~prdz;lRkU5bZ(TL-@Z=Xq!RUnl$j8?lc~f-`;^{ORbEE%0w0 zDsRsK$KZd7ef0wToAG?L56x+0qaUgf&u+w1gXfEpe-j?&--3s{3lH--j(AQYo^yDZPwL+$ z^Y!nrzDC5ue36fdhxuYY*@!0>@#NuQJ~QyV2X&i;hkOAZ=Cd5}tVBHP@URaz;CUPV z&%wj`lp~(`h-Vod)@LQ+S&eu$;bDEYBA)GtXBQsUr!5|?2Ofp>at!|W*oXVz--7e| z0G!vW>Flsig8u>3e-51f6>$1D!0B&;Gyfy-7vcWm4E!6B&m}nhBagXv{zY*5%i#1c zfzw|HXZ{D^tj{U9IRZUmK<{+=s#GzXHE2|6Gzk{Uvbv7r^PSf;0an_z$2@ z4!~KTV{rN}z?pyME0X-_p9ZIY2AuvaaOPhFXMOg;{~3LC1Wx}s_+9z`yCi@53*hvZ z!0F!tXa0NOYsj+&&iWjH)87MU{$r0z@~3|ioc?KW`q#jj{|-3o(*%Du_Wylw`cJ^` z%6~e^pZ+X3{RMFP*T9*71^n}|&)2|NpB6a%hv3Zr2Aux%S0>}4e-fPjC2;1y3C{ZL zf&Wk3FEqjF?}FczKREppk5BTaKMPL(5;*hU0Po2H8D z|1)s94wX{#o!Z#q~@Poc%TjPX97E^RI!^-v+0@3r>HkaPRyx;H*yp{PpP15;*-! z;CJN@PX9hQ{YT*Rr@s2$`A>lV6Yi&S;H*y(oc?)m=D!0@e;u6uHaPuP;2+1nH}W<2 z9#;mO$DIb}ac97J+$C_1YX$sS!xV1s7xuupPCMY7#}n}1<^BN9dPY%IZ&mK7am*C8Qs+iAMSj3Z#c*fyjohRUV=P!J)i zR9`&I%PIK$lahV= z88|O5fxiL$Qx^~UgwyiqJ8s)5)esN;K;A}txLhjf`&v8V;pb(@&&5N1_&K!kuNx*2 z^5^-zBp&j)^XHTGpA!%Hke9`S|KFev4S1MOOWfz#g=Y<)pXq^5qMn!FpM~p?^Vy{S zRor)9lH>C&*WmoQm754pef`iMp64tfpHcDfJcoQt-0GPv4gdSJxYg76xOk{1zh7bv z{FQi)w+X(2>*rl?*5@F?FCski4M{!ux%Yg8m%txHKg@&k=a1^({9f)RIFEZ2;b-7H z?iKj=qCVqKPR7Nb*Pa6BzA+0<&ocPK&~Izt@5g*?gL7Q92ycUPT!-MS=cxM2?{8z` zq2IW_O^SzpgAv){hMPtp`7OA0GDS_*}B?_$+6jU$2(M!@77Vt{dmY!@3|}fQR$781XDcJj?KKzE&ch)re;e z9`^Hk#Iq6cY{J8S-imm(Bc3We?4MnD_+D=h9`YJItaCl$X+%6tcv$CF#M6#=I`FX0 z`w`DU#M6a`bv}%Ejv}5OJgjp+;<=1?uEfK-rYH53;d%_~g7Y#W9@Yiq77M$@VabJgdaMocl!Ykm9 z!F^v7oZk!42IuwXQG}m?KZxt43vhY{;EW$F59cL}m-n+7aQ;5fEI9o|@h~skH)h2B zeo}&m`^g+UcT}mf|7VzA+3_RsdH5N>;JC#viTn9ohCf`-*#58r5BVlM_o4nRc$iPy z@k8a`fuHgFj$3?J+~+^~eQ^@gGP0eR$}^*LJ-G?a?>DG|zZU1g4!ADmZqM)6;QYO%Q}an3 z-iGIFWpKtfBK!dS!??c6-aqvFdgjD^J!i#3|FAyu;GC~YgjdDGalaJ%ZB0BJm%IrN z=kXAn>-`j*`CN+o@m`7h@ebhOd2LMleW(MkZzsWd+^o1C@3godZxJ4jcLAK^T>aKhMdChq}E3_7R4rx5WJ;o*5Z^6U&ar@wW?{*0O za`gX+xX-^Q?(;u~hwJDX`~v&f4fto_xMNRC`r$?3Zn?>+rBY8xc=4;%ULd`m`gSPQrx)>@Mm%Tmus-Jz&qc)3hllmKjCigho@;nmp8-5SjOQdb@Q|mTK3u1MeT|5R zb;|fr@vu(G$KYXo(h<*i#4`a8>ywFiCL^9Hcvzn-JnO@u-`-f};31!ehy9a}cnT3u z5gyiOCgPcmcuMfFK64RIIpUdzhxJ*2=dGyEB0S_v@UTA15zk7*vkDLEvlj8JM?4$w zus)j+&sM~<4G-&6iFkG*o;`SYe(Z>c`_L)eZyrSa-H87X9**|{{8_jkyawlS2jXG9 zbAD6bF>Hdc-pR+rL;jriNpK!F2hQUb!QX~Dl*B_m;r@5|#kb2eH76eOAzy;$KHTrD z!o&R6;2~d!hx1+s=kE*X!XFO1ru)hx_{mS;>0-QB;$a_tH=Z*Lz+Z{@>F*rQi=VH& zxSy|CaX()R5zk`8vl{W#!2bYwo<#h;i2n>8)_-E@-s8=P`|)PQ!+5!$%!1c&{V*T# zFGT!H@X)^rPJcDx-;Ma|@X&t%PX8%5pP%=|eV<&3`?}r0!{bhT*RcMfo;>axIPY`U z#KUoUKHU%x$0gqq5B<;MRwACAh^HFyw8caIUxd#aA4K>GIG^91NBGEpP3pt=u?R1K z^ZT(Y;-L=wTzX49)HD3Z%K1a@{KK8U+Tx*}tw8;(mpDjw?0-@~2;U&8({0nX>)li>V0lq~oR@}CBO`!KcJ`V_$Vb0st2UxN4& z_+!u~^AWxQ&fgcaEgtH|^HfDV)Q!9oiQkXJAB%@N-xnr8f1ShgEqIP}0S|d!++Y7+ zMm$#$&ow+;zk`V9CgMpg4<{q!!|Rz5@la3ZKPn#TNj?S-&m+Z%XC~sA6%Tc0K8xUA zhW^KbRKdyneAJ+{$%xC<&he?Dy`5rAV?(>;LJlEY7IN!gIK6B{z zd5($uJk#R7Zh3G%7n%j^X!8&&(ZHm>d!o9 z#KX_Kk`5YnqjKl8kn5f62KKi1=vc&IaZR^0MmeD=_r6Sw@0PmB9H=f%TunNLwX9G84X z+>X1V{duQ`_`9xKz`4)wgY!CM0M7Ukk@!x8AA!@;1LwYd5#a;yG2Hj% zo}1*)^Th%<_xY6w-vnnJ>f)h4i+E1k5D)!H-W0d~JlDUs^uN}h#yjG^KYQTZhcCs= zKhVEl>3_{{{8~KBBhT;YwPD@-{*V_B`Eb7~h}&`Zzi;^87sc(k#^>PSezgeBerSTT z{@n=gfzxvh&V6t8c}bseJuZQ>54Xi_yjIVOxQ*BN4m_-L4V-=02Is!f1!w#@IM;Pb z^WgWfym**L*0Ti8x|P9MwrW$9wwsjQ-c^Z1Izh zTl|!`Uq^ZIuzs6(9#s?%>z8~++~-*m_xY@fhvV|+g15kV-?szK`OJiKnX27ev)rI8mT zb>R7WQrz}uJ8o9o_GjZ|cv$Bpa2|IJoX6b)r)L+O^VJ4t-44N7haNbOJF=P7fybSU z@H{y4DS-2OY!00M#R%U3r@sRJ4|q<}0OvYA2IqP_1LyVIB{=Jodf~n6GXc){EI7wo z1n0O);2hT?IP=^F=XFILoY!wH@CVTUm*9O|UtNJS{}HXfaGgNUF8IT6e^(O^>nPk8 zKVJ9Cb@8x{$XoF2BhL;v_n9N`ufcoOb8zO<7q@&0%I8wt@-aSuhxw#_B+r8fo`=qF`5ZaF@iX|D=OE&_iFooaPU_5j7Qo+t{1?GLhM$jE0q6IKu7W=u z&;K{UdE5#(_qSc}H)39z;M{M!;(p!_#r?crMB@9A_#5%CUReK;mn8N4I-HNj!1>-` z9GvfkXT(GPFGk&F#Y6t&CGpT#{CwbC#8ZxV=Ha;?bzX>g79*Y|c=(=oIpSG~cvj)z z=L&Yj{rzbj{6Xa30{Kyc>hOlx3^Tm z@xKwD5x2fI&#dF-DLHPQHSth4)@KX6g>_wx@D}(JSWj@S$0Kmo=K`GPi<=0a*d87% zJXiTT?4KF&@LYv_QasfE&Yx6sclh5=iHCZU=fp#O_?)KzPq;q$Wz9$5Lz{qw(c+ylpL-VepCPb~h(af|PX`+m3pXFsHVEa`vFdm5bco&o2$3gDdg zMR182b|wK)CH&i1bhkCtEb{NkJdkD;x=E#ui#<- z44lX2_r`IX-_%Qo^JRXEA938`)8f7#Cc)Vcd2r5S8JvBx1kO6Ig0r5R;=XQM;x;a; z+b%q;TMeA^(unw*5&r=^^moPmzH}(=_oX9ozb_q&hjDRV>WTY(=>{I|KdB$Td)}=+ zz|PS3u$^~qnTPY%SbPmCYI!+!2XJg1I-T>i6&|J-ql z?~D6=BmI-Z{tx+o`knL97wP;pE*|nHpGJH*A3gj>@BHn~UwOon7hU|k;%8jE@sf-G zcE!)Rc;oXf{?UqGaPh{MT>N({e%ZwvUlk8^`zZFeZSYs&{J7)%UoC&t`HkKi@cy@sXWmU!^Av{t`T&nGpBuC?oFI z(G)!N=bY!I8t=687@v)J79)H;!gnIP5#a|B-iz?d2)`1yx;>!rUW;4ZjNicX81(JP zPbK@nXWUuOJMxT*o5y%s-1lJ#ocHMq;Ji;+1%D8IyA96!pj~j@2i3vpZ;M-f?0UW< zZsRh31P`zCPsIIwN>AM1r<{t1%3$;^DaD7viCwe10 zPtAFZHzJ;v^ZdR%ZRat*AMtdZ=l${=I*;+=h^OZ~*0-n5WBd{x_VbnV{F(B(b{^xY zpGo%fM-Bfmoc2?r;?{?D+%a+ML*tY1FrTV;==0yhdG;9be1CB+9*!HXPadu7mcDp6 zF8K{SUF4sxCgb`8yuX_S=g-Gw#r=45;(oj{@Nm3y5l=bdS&n#CBc8R0XFKBA1%Dsv zPzQf3=A{kJ-{W}zp27X~88|<;b_HI-`|ca?hv9kk*vpdn;``!^xSy9vaX&A4csMUJ z5zlPIvk>ttgY&ui8u%}w54XWzfx6YeUyJLdHuy)uyWsnHk9G>qdR~EN;K{svnB1q- zQ~Xov8Hq1M;^)M}`H1x|JI~v-FU>oT@g;b;FReO{?LTYIV|*JP=2LN=k1L-Y=P|wq z5A&&m^ZjNEob%Wg_x10H`}!Zj!~Dm8Hd!xUkNM4m=g^1q;EzE33ix;8ImsIMIpWvB z--mr;8+;PidpqDCK|Z_S-2Xe^ybe4N_jT)v`?~euVcjmlIo>O9j`tdz<4x(kS?F`- zp8;q7)8MRsQQVJfM%<5U9v+TsDdJgR5QZ&!6z}lhvGKBU!r+A61Q;~ zKZA$;c@gpSBc7XxXY}Wj`3?2|D&;fg_>6ek@h6Lqi(CHYnQ+`Z8OO~tB_8IB=Y_0z zs2lq&2M>839)7N4A>vt#c$UQd=U$d0o|TAa6`uRiS8EZ^dc?B<57*ab#IqIgY{SF) z9Eykf|2m#~oPzUtY~~fi{t59nIDh59xxQw=xxSXcxxUsTyc*&A;7`Q)@dTXtoQvCf z{1)}|g}C*z@c}$skEy-8*OA4Khh*qcbwni_Z_$RBXQqvm*A|!@+*`2^M0)Y{@XbJ?uz?5?1}q2wBTVK z+RkI+>Nt<_6L@&Pe*yjp?6=q8d~T3>RWe?FFHjczb8-Dv5clIPiu>`F;o*4aoo7k& zyWl*=m*L@gd;^?6SH1<#&#CT!^EpOK+>fg*?#Fcq565)_J~1rq?S?W{OX|FcdC80W z;}*pIapxlOL$j{jOb zjEnq6Jmkse@L4^q37ppz)8f8vd2wI25kuA}YwVYkaq+w`0nUAR8vH@j zVFvu!L*?yewgCPz>~Blpt2n=}g7diB;5_awIFDNcr@skK|EYMmFCNADu^-{%uSx30 z_#F6KFpqihu&*+of_T_h$&2E)udeC*H7joWs_{8-zpqx|;r_V`4|x+F_Q^%W(~o#= zBA!`|BaG{|%zt>>CaIEm7#I1bc$k-GpntZ&*|%-+PzTQMzPPQIU(!11?;cO8GL z__4UHFY}x@Zl0dw=D85}c@DtY=jle$Z~WX#2ArR($%6Cq9y{RtoJI|t*JCYk*0UpS z_56_^AI@V}-0EZe$i;t?;*VXt@pJJ|ANJujIP)2OT~Z&`Eep=)Ftgx%?^YHM;~L=k z@Vs~!7x^MQe15e`j=rsfGtZ{D)$^sQPg~sTX?!0Zj;rfDuaM`+d5j;!!_SADI?t=* zIddN4=MhipSCV;QoyWw(c;EEUVef>$r^Ul~$;aVgou|P0eI|MM*RT&4;3qG_L;pNE z=5Ym_^SCB%^Y|;O+lIK!qwy_xIFA+Q$;(r99^<J$vBXXU@U7uCF3|8kvHofBy^*A^roj2$Ef3D)&WQW_pjmN$A5;<#^M2<~ zYS13$R~8TRPChU0&)19Kmsl4Y@UzaF@RM)B!}{03dA;2R=jUDy!C9YcaK67DZ6@== z^UF9m>z@VZ^R5|idP?Gc-K3oiGaz`9dUqF%rKf?yomC#Qi?7Dem`yEpfjOY>WGSU`O2V1H15W zTzl}4x8S)C_htLe^F7-C4;)_;?>hcN;)mkahvqqQ+&ssQo2Mrp#``F&qcd^qf1BTP z=P^Ejhu;ry6Y->eZFn%t-#p{ue%>d<{k&(z{k-SI{k%_$`*|;j`+1*%hx0oN5BUN- zocE=OXF1~8h2rWh6e;8qS;FheyP1-P!&*A@0XJeBN~NoH1 zlP|8^K4wdeiGNBzIBxM1&hsHX$Cz~S#&hDnZUu1mPtp0UPiCFpcnKc%&pbHmvjYAg zt}E8T`Tf9EajWM$HQt)I)y;U*#lKhaZ5MBRU)lUf7x&}JfHR+*xYhZQ^5>o3cmW>H`z$#93*emhRd9MX!T$*F zE34p)-vj6859{JKF6-N-xYf;g3m*CpoM%e)IdmT5C-89JDC+q^m=`|(p95#z=EXz) z{~L8!0N1Oe+YMz&JdBI+%ixS(7Z3SxUUtAgj`xgv;3<4gy9LhYq6^Vpk`^BwyzE$;mj;=#k~t0{1f zw;1uyMEoUq=r2b+^AXQt#IpiVxDMRV{I0@7z6H;HI1g69zYgoY3eN8>+!YV=d*@H; zQZMoL!1v&ZNE z9rr}sj%)lB9v=4soadL+o0EBD{1`avFaiEc=+7x|=06S2f*#T#E25A)7(ZGkhN8aU&d;H*OjoOS4evku4LJZ|bO$v(+_bwoVWfqYc_Q=acd zJn4vM9G?5JKTJeCnTTf+9-e=vBA#r-lY@u*^E5m>kL2MYFTlg+55w#<~m-`3gL&&uYZ87V)gZ!}@GQJev{E7Cfxa zcEnSOcy{1neX8(0fX`#^!b83X59?ElcP10L3=8S%6to;EzJPbcEpk9ZE?VSUac zo{Na*O8oYGIyyXu-~Ror$$5nP+l097^PjErSH|%#5T6#e{omsAj$3?5Jmkag4OjqY zKC9plV&AKQ^SZqi;T>@s*OQe0fw<*wyc_WxInP(v`Q3Sp_adG%=Xs<&7tUk6AMs@O zlk*X;S99VvF1x;+5fAmh5A~ddhwG~Z4|y3L_U9%%%x4Q8@?ChCPu+RGQT1s!{;lFo z$DbW-VIBkuF>f^)w*2IuwXDLCtY0nR$yh+7@LOMRaD@AvM*5pf%@ z#g95};~f|GUsCJHN#*IBxOF;{Ld6 z&i{HHcinl6S6%$u6u;}Z9e2-pEWYNr#W%%$o|n%5Cpzwx|g8F5<|#bH}5;m^@zz&T%2;#U86X&q(3!)?m>2X4!m%7KS*ohp7B zJj4$ap9c@|*NQKS+x*&bXTW*fS#Tb=1kU5mf%CWv;$a@yhb!Rxey1&P?i zwLCY@V|?Uyl0N6WjEP&FyYi&Ptyf_<5hTgzNm@&`qagJeH!AvK2337pSJj?)aRYay5sdgN!-R|*Q;g6(|YePFK*+t z_$9|JeoZ{&!|UEnaDI>9wz%c<_R4VmR-E5>6&~LA)xha*IRBSuTutXU-iC+%E;#*1 z&j0($|JeDB_u!%b9Gw2X^IM*m&Tsr09{LB)^D*Ul<2=Sk-j(zZJ!x>}IU#QIX!&Hs zt$&P9!9#!6c|J|&g`D#k&qq8n;LNk+{Fcw0^BbRshj}hIPgZ#@I*;+?h-VF)d2Tqr z<+JJh#<$^No)zc$kIHlB|Il?m@b33x{lG_a8-|13Oy;(mVKfYj#j2^%VpthYOidj+ z7%fd!mR6=tj8?5$Of8nCR_#}-M(3xM(b6ys2g7L9DU)HeSowYTypm|i z-}JMfeB&#Xqx-z1oL8gIHRTxJ+T=Liadm#_K3#A=kKAxRk31?z_vxjaKS!TF$}t|W z$q7=9c^)rBImTn~!|S%XpQOsy>piydQyVYY_?eA2ZMu77`DUAg|g+?H~k zKUc2bzqeAZ>vzg^KS%GpI?nay*8R%$`?x~Nb$$$P_DiiMvx~#celea=Ir{!s7Jj%t zra#A*gCFjXX+MDTZ?yV?tIzCTt}Ifuu&rq7bf(Oy$Iy8kBSbTNk( z`Tv2p$%pU`+|147bjeLlkKE)8;D`0zETg%;V`lKf+&-y}|GCQ1egWtAdn{~nmNq#n zmGjiwTyN$2zb>k3RnDE&@l#Ma+KVbj&!=RQQ?|*es2n|?s!h(B zO-@ba==s!bavC-{O_ihP(^5If+g)7;+A2qTN9E}GbZv5aHaUHjqvtcQ$r;+@oU0r? zpOH<@*d}M9a`b$rDn}nDGnJ!#p>oFRdhYoLx#%CRV~5|{^= z_TYS-@5A{zf3EWNexEAW-@l#w$E$wy_mrL}f0X+CLKS}K=Wu`Hk6$C_#u?n)A28lh zIX9~PwNQ?ypsok4mFw?Q+AG)Jr{sCJ^w0fx;oMIcewe@hJv9-VoTyDsO6BNvHI(c7 zpDoJ2-D_oT9m+R8R5@Q(bDJuElq~&v&_cPc-zeAj=Xc8WoL&EPbv$VIDc8qISh@Z^ zZgJ)M_a>)p{8+jET+*p>Jgf4#1Vay^F_{IK1Zs_SY3e%P+|w93)PNmjYO zZWNU3$5~bF>iW=E{&01CPL%88XQ5mlKbOk&Cu)+`~aIq~`8g!AJj z7o5*Kw@uEG%6Y1~o_lO^yf!&Lm7~v7zfDfSCMT$J^!>V!%6XdVGpus7M^ui!-y5~b ziP_}DRgRud!X_talao?8dOm5JoQzG*vC7f&IfWmNfBkvzhN{=!JKBLCj+4VUH_tkp zb=Q6`H2fy=fvP{8kBRrmb!`YYwL3(oaEIA5>A%Jq4A3O}58+AHwGb`P)1_dj!(=C$X;;D_yMpQ?I2{~4U;e*r)A z*;d!dg-!iZY16RlMGu88QML6%TDxCM%Sk>$OHG%W~n!$O0&28#0RKDI{3pnquOO>zp z*TyD)r|R|oa((b>KKg!gLb;yXF`V~f7S8*zpmOwnJhREE+2r(8y`Fy`&hsCr`olcO zxK0kqv$zhP!_Ayc{fOMukKu>?s~=BI;M~tf)lby(Lf-k+{Pq2rGv)g6MN7Hfk6q>Z z`h2cj=Um#j^Fvqt=z6bmz1@Ivz1_6(+pF^~t6a~as$9<@_~EO5{zg6Cj49WTThq$* z{f(mX*GS~Gqr%~6DgTt}bEbT(u0I#b_3uwv!}+|}!1=uJ;CMV7KYCqZ<$BH$<$Ajb z%~6!q0hIf{TqZI`qUm# zIeI=Zm2EQlkO66!zs~r9Q|6|JeQ{`hq3a9tK)F4Tp!OX<@$Ku zD%a!T8C_WNI>e>dFhcjJEe;W*U$J*aZ@{tc-d?GcruZ}(#=NAJhD%F&**$tkLw z!+tdVmsF1Sn#$4Z8c@y$F`p6T7@t%9Cs2Pu^~U$AUa!mXG1)JCJUiis#~u1Oal!e# zaNFb@sT@6jkIK>e%d2v<`&5qZ$8VDpu*nIk9NkX}emLG9tFE^h<^Qd&GbhURabC3X zs*Sgl>->Rooxf17>wO=;y1v~(^&e6GBkFNhRQXcXpD5ScEh*R6x4Lp&zqE13;;K(w z?@_Mvi^_F<&BoixbW@9s}t?RP!@DBR5X%a}tPZsuS-p>lLTCCd44-tmWy1t@Z*VmNm z`i^p4--Vm~?!kG{hnxLwe4ui4{#3cnzfi90H_CPWUb(LKEN$kmT-QgH>->arU7uC1 z>ra*I`igR0UsJB@JIZx^U%9TIDA)BfxY=J`?5_*B*xxU}-{mj*V)Snj)+jvI#oz-@W%5^_&8}HlrO8JY_ z?Y{4yuloEu^|&%-K1jpMrCrS>?Z@o`*Ssn|_{*?VeJ; z@q)_H=TVVzj*(NM9OG4$qtDYb%6SHIYUF0Ub;>vO4RTZ8hVy*-%Ju6_=gM`TbGVt? zPoU2Wa}t!(S@b zzb|Z~T>pOU9h~3)vxoEhe;ofNO&pGsYyUVl{~>>O!Vl}!?uH-w|ERhShm`;9;e|~6 zq*eamc@=ZKWmLZQQZ|a>cJ-X= zlw;=8AUE@AlAHOo;AXuhr%i5hI^-s&2j@8tmFwG`m2y4LJ^Zj=zE#~`I6ixI9na-zH~hlXGs9GqcHAP|n|BT}$$J!&l_*hhM_Y98Aud+~jP?P0kL^*YiF6Fn@jA zIzD%Geb(-RA9D108iI39*d`|e=hrKvHaRhyoVd!-{hY!Ned^<_tXv=eb>;f=CT$z< zE7zYZKUc1|>-f*B^G?4mf23U3d*O$9zEr&q=!YMU2kjx1qt}&GuJ0#jZM>jdU$3gl z_4^0v%60#3xH+%y^=oq7?!e9QY<#G4^m#o}IoFo#IRCuNajZP1<}*?Gx_+u$*U#aH z<3vB6y-@jw>#*r_p>niuRK4ErR=M8pPUYzOy>eae#Jagp7o6wphVz{LDo4*bL^+Sf z{tA;P;1TjCz@u=pU6T_dH#u=~laquW)~oO5r{Rb7>bYf<>$x4Pd|jVauIo?WJm*uD zulIXi~}Bu)8Rh2IUY>CpWM`k;D>(n^WhQYx}O-_^mB~u#wp);QswC9pVP{9ewOl0|2cBg z{|Wi?(a$OQ3A_O3`4q`beu>=Vm&r~38T>F$z21h6x0UNToGaJ+Wujc)?ktt-`kiuJ z@A`rqZ)QK5{@rjhALAZ4A17hudc9HQdR+;)+3vHkUy|fzyJ@)T$JA%YO??i|^Uo{S z{Zy3exz&{GxpkE5`kiw9{@B15ug+`z_%Q`HbI4;3X>xNMX5eNHrv8}R)Stq6f92u) ze02fN&sP`Whd!_U;~0NM)>DEX`q5s2AGWJ+-_Mlm=PSl4|8PBj9p*4m`PyAyvL3g; zf_gXH%*Xf<)tmWvsNT3A&U1?^f24Y!TSa+Y`2@~$p2B&~GdRzA4(B;9;5_HGa(%lK z-(DSu`uI=5&2ji*a~zVJ`DEZ`&ZhpD+|-}Kd7ee(x}P%K^kZ@=Hu*KGH@6pc@}I@J znv`SeTjZv`3qSO)uLC3H`Z_RE{xbD^^+LIReRic>zu*26Zst%y{~NfOzj4QxulBF* z$EWo6$!ZM$J`F4;iezs8I^N)m2;|G@Anern{}1R&3>tno9&*# zO+O~5Ms9NIolKt zN6Pj7^()u=E23QQuQTO0tNq(nuKVvPf0cT@a-;mS%H98Ub)7$aeO>zS=A&yrNASaX zwMSL`p`9H*KO2La&-EBj!VmM&pWjT`)TdScwf~D_c?UU}GVnt`+H)#jf6l9FlV4Z$ z`Z}{veqZ%Herx6LP>;uV$}{TuSm*BQ`cP2MH+q#nP~Cn7ls{7K-)>daC4j+-@*^)k-ond_}Vw0Pf@v^=b3Un&vP4JDc7Gz*eL%Kb)4*#2bFvGSAAyH zah_DJ`zhOa-^MSL>*Hag+|sA=Q+2$#|L3Yto#R)okB6pmUEfo#>&MD<{iSj|lsuev zjxF3A&jlRMJGeQXjUWB*RsT9Cp!{9xIuKH>Z)d~G^>Ln3u5V|LmFt|Wa-DOoe69L% zeqH)MtXJQ@xZr&I;(_z+i`S;!r}7WyowuSLd&yVTjXKs^oVUx3h^L#FC>enh?&u0VY`RrA`p3jj(u4jk+cz9g-C%9kj zfgf_T2jPc4Z&cTZl*-X_OT&3?$0|pkUsaW(_e&jq=tp}))$8px;k?~8{LsJN?$oA! zrt0^YK%)sXtTs*GBP;^Q#8uOvm+hJYW{mS+8CqWxe!})rZf%81Gs{Sya{I^IS zIk=gR@e}x=PyKx|r#AUTRj*&qs>1nvJcA#$tIx-l%F*XzSGk_gz{W>5K7n&TQ#kjt zR5`jI7v{$~ZaC+JZ0f@{^$GZ4{(8Gv<$4Y$Ha@WNa~q$+57&R4zku`cwuJNXwo>)i zq8uLF&%7kB;_qwxX^ulvzacmETlir<`hMvSe(3XXT{_0&%02v^OE9%+(-47sP|L7@gUWE4=2a9pAgj>k5GLQ^--!f9;f;e>JwCNJVo_g)TgQ5 z_%YRApgv3W#!ujU{FEr?6mu)X568)2{~E8t566Q(ZfiDPr+jliszLe2n>INu$~i-y zZ8#r4J*sb_z7IF+GCqX!x<)oWru+)>CzNk|YLhdg9CJL+;bvXNmsCH&c2{t-F5_!B zuWM`LJIe1Pe^2?w9k;r=oz=&K6K<{#m&kF!&ANV}pHRN>Q=6PTML-wF5_o#URT}58x0QR?u2u` z3vR9(7szqL&AN}o17S&Z-0xbUO%r=Qm&s@ zslX5OIb6cb^FlTFVZGX2x4ybQ>+eesEB`U|Jabg}pQ-0jW=!l!p7@(9p=#gP4X1o;qI`btz18^*io*ZCye0n$Ki3!ZPfe2)9}M_ zdpL#u?$@u!J2LRYajQKCKlG!YCplHFKX+DEu0QwGP_FCe%Ju6w8|6LqI-2w7YW^=! zuSdJ#W?gT_x{lyxUB&}8^+B8Zm`#1$ral8d%uPR@E!pIhZF1^1^$nZ)E}Xa9S8n;- zjdHzTcFOgBJi3$2pXcm>^PGcl?kA#L_mfwypD(J}cvJa<)$^G><@){76Xp7On@hM^ z*Sm21tl?%|#vOOQIu7;zbt~8R!@V{hhVynKaNcfG<>>9EmFw+h;fL#hexG^SrvA*v z8#dli`FguOxLMZ{^X!xV3w!`K>oxU5a#KHs^SY*#Z*pdoV|;Ftvx6Uw+b^iwWzSu# z$G(xB<{ykQ% z^G}uQ>t|89K7QJ8?xzFieugSX&v~R=_p_sXa~<1LzH#T>uGXvXzq#S2&(E6sOK{Vt zaj#8|pK>wH`JU#i>X3mZSemk}ItbbVC0zCV_?@qvx+lg|T% zJckJU|C@tNeafajXH$P-Q(uPjeA>$Od{#F3mp1th-_;y+PF%U3TT;2c9nZjdZpUz* zTVCbp>p)St&M&L{Yln(s{6OiuqCBSV*Hz(%?dtk7<+{EGKg{`~5`F!ikZ)gvr+kn=Y@>N?UV|U{zxIz~hU32hH^;g07Mzdgg>wBp*c;{gd$704_4i== z{a5qR&yz=OJf-~0>hX9-xt?2Jxz3;1_(HkPzf`VYkMP}m)&GyE`4{14&X<^T32x?W zysUEc`=HL0>(3W7D1VFmCgmG%s~pSw(6p<^eN*L@=j-5RUBPdY^{>f$_ZHv4&3aA! zmfY0u;C#FVkazIss6M00UniTqe!Wd752@#8(r`XsGH^a$j^Sp#=Df(k&AN=A!nyxE z{IFg9`#TEo!*;b7;byxFbNs-~c8yoyyxk_{nEAKJ&HUSxZ|XbbroIb5JU^yy@63Nc zxaGQfpR4ob5OoB9^zL~z`;sowa2>hlkk?T)D4 z_yznhe|`N~Dc9E@$9*O5P_NyiTwi~(%5&;@o04*UyHHoIug@Lj`uf~euCLFL`(5>^ z_g7!}4eEUK-T$gye}8fSZuajwZpb zyr5j4r&Z;;|CVyye^zobzaQ)HGzqN7R zAM)?4_HXjRGUvnbc{qMzIIc4A!||#87=Fmn-^<+%fAgFkoO6b7&T&8NYQO6~N6J&` zb}jtyZ(d(g{t9&-rE&fpwyQm>T<@iorj%w?Z@<)xv%^^Kt6`2$U6^^`Xc$}f#NOl=!3+k)5+b4?e$R|${cjLWPrvLtv#m#p=8sEX=RKNNG zsW+cZHudEn6faW!=~Kk(GK>OAm6~_ z%Z*zT8UZj?AcQ9!F#2QFX3Tw|Bp(2nmqht z;wR+36Y&~(@;TxI^2Bq+=j2`Zmb~%fQh$W|RHpy=sd#`q_&o6_c@3T-kG(+ZPswNS zD)|=PByZ#;XF$G(Psj%^l==mE@kQbr@+RDg=YGu`{68V}UUK(Oibu$g;c4Y8~+|{g=hfV+YgcuqGaH%b&&*uaUnWlRI83UM0`tb=wZPc^!F1e)8LrvnBU8#eKJz zKTSWr*U8_b;P0Q=8F}gt#JA+>KNNT2{;cU|-W3m%Z~s_4K_2Ld z7s;!CA>JWBdaL-Dy!1Bl3-T)5f&0;>&)rDsgXE!ii6_X1@FMy6-BRBq@4QERL_T<* z_?-L#z9a9>q&|2j`P1}&{z>_Jl6>JM#6*#Qk1t|A|+M zr^(M>EnXoHzE-?NehQzGhniBqBVYWExaaQHes=I6`5vAiU%pOqisaEZpilBhTl}27 z249e`;Cu4i8ztxHTdn;E-y|L&@4=(w(T>!gl6&4J-XK5zTk$S=4t`F43ZIb|;4AVH zd`Dh|`|e>~Z*nC4M9Jsy47vO7q`p8NgV)F};C=G--%HM%+&32Akq_P}?)6#wFTG1V zL|%c%$(!&jx%(d^r$8Qr*T}Q*F8KgHCihGve?^}AM{&nJt?L@XgXFHM)F;R*@MH2i zJWt++SIB$t2KfNqB|nGH+21RD?#TP^6ZhX_U2pRJ;xY2<2gTFmr|=W<68wz3K9`&p zc@y3z@4(08J@^Ir5WXfK!5#Oqu6F|Wkk8;j@(nyep8Sxk>zF(Z&yyd+E95zNgZvcU zB`?Cy$t&;~`2fBmU&D9g-Ve*V+c0G=Q}x{#a`@)f*7?)a$Gx5$0)A$b%& zC(pn)&70E;JI(Zr1BX7bdPke!pG!}rQ|Qkqwqa>1@67Cb-hD)gxv9I$xo9<;d$~3{EWN>Z;?m;S@QejZTO75 zvy%Et^7Ai>yY6RQ*Z51~0dmJyJV8FaoAenV z@4=JoUa8NLpTp0{Gd`*BllN{CpOR1EJM#X`Qtx|!wg2#a#FOMcyfB_655TMB(fdkH zlROR|kZ0i+lBM&`D>bvAA_=LO(za)1(SaSB{ z9{5qnx-LIFKpuie$)oTTc^rO9UVvB02kPmq`3r{v4WN`0Ap4X=~C9w+rZ@;rP*UV>keZ@*7+ z+z+*`%k%x>QS#1{#8c!Oc!~Vv2c^D7-iNozx9~ChQzU0ao_?zMjywhthIpI24nHRkJX7kI0Xz_aAZg4CDDFW@zD$4^RqkNgroBCoty z>X+mTxbqRTu9rxCfZX%b;z{z@OT|yf>+lkJ170I{lq9E19*57!2R|eAYw|Vx=#kcS zjbA495%TWOi6_aEFBi{}r{ERxExb)${dvh5kxwe(OY+$-h`XcK{*SBT5%SS1#WUpb zUlK2nSKxJW$1h8Lk30^al8@j^^5&}~XG?zeYH`?>hUz0cCjz?M7+lBkd8^0la#>u@6te3n8uaMV&Q|jB~ zzTXlblW*adlk|*G0@)W#Ho_(G4Ga?VZ zUVKGtvceo8)poA>XV=l{!pDD_9*W$l05 z6_1dw-XeZN9vq0*$op>Q9(*yRH5E&!s*>e)50CkIB<- z7e6DP|GoH-eDIIrbMhH{L!NxM)Vt%>K2P95@&!CW?)xXnIVSJHOXMe0sc(|^;63sQ zd_wMikL0Y#({RUQ9M^x$an*u*$ZPMFoFI7{o+3YepVa5clQZ!Oc?RAkUw=UAC*;n# z_>R2yQE~V8Sl4w9kCFF3CH1G|y?+sJk~=;tJ|W+JPJBb|_@cP;d#(LM;a>6$JV{>r zAIT|@hrTXeB~QS6i?(2{p3k_iah%gsV|a;ep>vDJPseQ z`y9c;&yknm74j*(K|Y6f$rtcBd8>l{f6&_h;upk2 zvkgwny@@QS^Jx{UrdHx&XLGl^=n7s8ysn3&l;1%*7 zyi0!8m7H_(I($v;{41$H%2@k%{Iz(9JOq!EN8lOqIQ*2{JCyt;d1xj+BKN;vd`X`F zfcVi|hR!lUHAxzuOL!yghavwv8;PM(8z$Vc!Y`5rze_k2Y1FUh@d_tUKF z4P8imh}`)x@i@5~o*_@ePsx|?GI`+RlHX=uh>yrepAcV>Pd+8?db)L8lcji&Jn$Lu z7&kvfJV1U5&ycUbD)m+J zvs*Z?2M@@*w-%p~Z{S<<=xwCl|3lV3OKx%VeG=w*p%MI;>Z7-p`XYG+-XR~}QR+wJ zjwA6Ux$jQm?q^v0?0dvR!8_!~cbEJT`4GM!_kOF?@5oDV z&oiy-x`2nt!}pM!6nPn5BzO3vzD}Nl_sDzjDS7Uml4HKN!yFGM@IBQx;ohuuT@!ec zymzzYm&o(?6>pNK?c!IqDAjvr}zY z;ZnaQKl*lYN6xz56g)tle1y~|$Y+lfKPGoa#mnTb?+|a1=N={ACvU@NXBOkVv9@f>;n@5Rr^XYUYik-Oh1J|g$L zPkc$<{eZaR#M}$vf~9@-DnY z-h1cfu3oF8DFI8=faWf>+2r z@CLaT-X-_J&&mDp8F>J{A`ilM*EO{JWAWy)n=417+048J7L!uRAk_|Xfjb31_t$WP%>@;p36UV!Jwi|`_O34TUihPTKo z@IHAJJ|?fjFUVW)HF+2A$Xn+#fP2VC@F4jV9wWbir^#3F6Y>qbM81dD$Xy?h>qDE| z10Rt4;S=%@d_f+CZ^#pH=L@ZKOT)e7S$K&26dorp!ZYL*_$he}UM6qC>*O7HhrACT zlApt;6ylY9a1 zkzc|`(;JkbDY{kzc^m8mE_>z1M-;yukuAj2bZ4LL4@8Dr_=ZA6qCqIH8ll$O#@*uoI9)UN=Q~`cNeX5JA?bl8}JBu8=fTZ!L#H;c!7KjZ;>B;MD|Oc+ylQL z&t6Eq^Ci}Gxj!ZzB2Rx@JWk$*=gGYbsjrh?!pG#@Pe}cWJn%_z-%nfnT*6c2rB6wH zp1ivhuaLVxE#4-Nd`5guK7en?+xVh-=S!`9_TT~X(7#K5lspPAl4t)z>Ko+#&x()9 zyYLJ09(+sgSWAwlWbJ?WIq?{|VF! zFTh*mZTLC)0)9ar^-KPaya9Jtto^s(e)0}HLf(UC$p`Q%`6awdKDk-?T#!fZE$;gT z$Mqj`KfiDv@htfQzd)u%?!BMX_sOI1DR~!uNj`ylf6>}c;~|nCCr>|Ayg(j^inqzr zj}o7d=e|?i{R-=LD{=8KdFnCZIdcEw#Ovhs$BXyKm+%F7HYN2t@+v%7we}fEOMQ$y z1kaH#;0^NW4@gd*-1&pzV{$iqL+*N-)CXQ^?bG>m@hJHbJVow<=g0%_B6$#gMjnB; z$m8%nc@jP*Pr)z9kKt?b6S(7-taHf2J>&&=kh~0!k)OfS`V|Z^LWkJ$RdZ z03VPK;S=&Pd_g{gZ^$p;&R@39Z2|X^U&2G=TX>v&56_T0j&HcW!BcWKyiD$e*UA0x z4tW4RBoD)<)bMMA9)TQCO?HI$n)@H@)A5xUWHf4Yw!kn9o{8x z!OzLN@ELg@z9JvMcjP0u`&X=Uo5KC%b9jXO0-hva!L#HWc!7KeuafWKO>!508EKE) z10Rw5;dAm3{E|Eh-;*ccN3XKZEe#KlXW>!uQ+SHJ2+xsM;6?Hp{EWN_Z;^N4eeynh zOnwf(AfLe3YrS>wMf<@i_Sao*|#YYvi40Nlu%*3m=eIb5g$`cmA08hCB&(zQ)>r z79J+=pGZ!cd~+&ZAWuC{yh>hxH_5B;G5O&6lCvg{{DipqJ!a8Hhe zcfJwGG$8S(=Bl)M5jlh@#N@+Q1P-hmIv`|v6G zIebYzhHuHIaM!O{=d*zO$T#pXx$|dbJ_+(8_%XR3o+l5%E94n?i@XgVk~>}|{mjX8 z@D2G0?*4V_9DHTT@skJO5%Lf`NuGpf$usZ*c?Vu6ul$_!(;;ubN93uOOZ}R>^$Kyv zZ&=schkM9}@G!Z%DmiKLWB3Vq7G5IH!)xSac$>TiACR};6Y?H>L4FS3kdNWchIKwu zxR-nm50Nk6aq<;BL%xQW$+z$pdFz!j|2}yaJ|y46=Brm;5JWGBCFOWCkHS!_6Pd@5M{+xXA2jZ9H%QuTVTh{)Ae<&Uy zufX%U-p&zZ74QyZ%bt`FqxWj^RP_ z-B9Y&{ z5xyr6y<7V9z0tZZ=Rb+Z$-PtY0(tVi;yv=x`@~1&Rrr$JJ(GIJo2>nu!hPiD@ECdF z{gQJ^UjCqXnY;-%zlYrH-vN9;^=EU*xgbCJkocZF`C;*3$GWb_N5zxmj*p4w$(Qgt z`S9aX-zRS@#K+`w_=>#$38{Dffwj-ZC&dHg#ZQSR$a72a6Y}(@#jE7m&xkk4PvAZB zDtu0UzLK0h`O&|M``>I`m+Rle6Xa`nkvz4Q`ZoFSKgAd1@z0BI$dhpAA6ok)jPmp*1 zOX_pvj-7asybrIFFaKNWJLIQd6(5n$z9v2=5AMY`i;VJUytt2N$ehROUcW#jS z7WoW5B#+!$>eu8AxT9z7zi=C=kC0E{N%H7zrM^rayuJ9Cyl_YH3-U62O@0PH`V(uP zsUyh=kf-4p@{&jDtK>be_<(%t6JL`L?#?*21t|4Dd=JQ9$cIC&IaAkW+%eUeunh(5_{A@oV!guDCJK0ELr zx%WYm6C?M*kIB>UB6$VgA&-S6e@1@#Q1Lx^>tW)d|6}dH_Hgk$c`hPeA7ZChx*4k%!JVoAt=g9l;BKbM|jC=xbk+m)C7Vh~=Yd_iVmz)^+7=A(?dc4%v$Q$q}`5wL`KT1iC>#wZ+ zjGic-CT~7PJWoD=56G8KmHH+5{8-%i*VgUso+%zAUuDHpsjKP6wntK{Jyk@^mK z89pU%!Y|3UaOcq4e<&yU0rECHPQHd`$y3jkoDz8t-XPz=`{a=ym7E#*1nzjNwg34G zq~1e*0gsWFUMTfx@(TQfyb3RopTTS7HF%r60UwaJ;S=&cd`&)mk@O#Vn{^KHpAtVI zZ^KLE19**m0w0hs;1lvo_=0>7-;g_s(x>xpto^&-Uh*S&gggpQl4s#r@(R2_UV~T3 zoA4%i8{Q-D!bjvi_?&zIza$^Ro#)p1Ea4&Y6+A^=c!|t8M;?5sc%9ra6h9|Vy;Xch zzJhPaqi>UX&;Pad--SoXN9R(XC11Q%s6 zU)&(|o{_bm_D$jm^61mVYvi6E!gk3W&k&!HN8vm2^|Pct_IHl!Ki_!%HYc7X_di>_ zO78qI@pJOw2qjA9)QPChx)%4HR(wR>{Z;WLd8aP!m{|Mw z{hGL+yatbxJAYm3bL2&Mg?tTflV^WJaz^BH_?A4;kow3!TKgaWruZ>=@VCW_$0o_T}R_s9or@eA_fKNR1S z*WM!T`zLFk%|8-PkVpSmJV)N?iC4*Ue z5igVb{zAM*9{nrv3-a^77I(eJx?SJ7c#1qc5-*TD|4zI`-v4{?KKT?rCclI)$-D26 z9LIaDeNM*W9`Y4DOx}8@)ThY@?-D;DpTR5SrxU4fkQdgi|{3R^?j0aG_&?!e7|^@y#E35 z6nXK3;sx^RT)awt25*wr;63s>d_>-W&&iwc9l85M(of+1*7f#3jCGOkJ|bQw4}Mg< zNuGoc$aC-sc@@4OufaFueYo=j*8YcZFZnqXlTYAf_K(SW>*OlY*J|%C#m*fNZmV63#eZ;!n8Qe!chlj~8;0f{t{FruP?~;aqGHH;Q{gsc$_?Z3(3inx8Wu7 z9lSw)dP~XalaJst^1M^(*W?ShYhhhiU9oK)%>lfZ{mHHU@7M>+v-vj-VhkW97^6)*y`{e1H#AoDt_=dcFFR6Eb z#@c_xFCHZC!eiupc$$0&uaYm}ZSu^`vfUAR;NId3@;rP`?!1rG2maZ*u2?`kP2Rq* zc$vI%fAKE)ASga3cRo;jOYVMqyh2`uH^^J? zF8Kg{PCkXt$XD-DF`2v1IK6r@aRLT2c@eaA?q2gomHGD;W z`7o*9k#FGcf3^0%gZs%H50{)2xeJ~nKY~}tyYLo!MDnNPm+&?D_}iu4{cqO(&mSS~ zC*Q;4 z@)>+azJTw@hmVzY1^>f3hs*C1Pm}u|FWw+uq{PSM$7yl*XRZ0!r-=K>bMOfH2|P)D z3eS@tXC%Kuo`pBabMP+t34BGKcq-PlwyrDsH1ROG@Yv_9{nwv~KFOQ#6Y@5^LcW8y$kSQLACi~hQ}QZ&N1k|=8gD(_skWb(P@{<=y z{gS-;6XJo5wVy^oJVPFPiFlR$W#R+!?wR<6-1#c;9r^V2;?XZy`>DTKJVhRQi+GN_ z@<-xr^5)-&56HuB7oU*F;4AVHd`DjVTgi!i(c1s%SUgLq5ZG`vaPfDg#$@EN)Dy^_BrAHt8e*8X?!0QuSb zBqvHfgr~?a;d%1ROmZsZr|<^(9^NG{zF%_2hM_@va=$=yrzPo9R4$usZ^@*I3kUVuAx z)^(NO9`ZAIkh}?xkx$`i@;Us3dqkonD$K)RPk~|CFlIP&AuUhAD2KSNI;9>Fs zJV8E$=g1xZCjA%5o$xw&3f>`4!-wQ0_>{a1Uy^s=TkkQ7 zpR(O4xf{MDkHEL&QTWlbL6z8rFTywE z=WypOtm_@Yz2ukh5cwJ&C-;0&`pl4f;RW&>yh?roZBCEPhSuljNSgc!_-bzv5l;(yeZH z{rH}eAGySLT?j-e>Q3yie}Cm(*X7kKtSLf?w)Gx3TuW zhsVhSH=}>@ApDd(4KI^t;7#%tyhq-KPslIfTk5u8{`-8bMh5@O@8w2lJC6(t@jb)335+V zJWn2Zlz5Fi`e^ZU^3r#T@5vkAC4O{AYd<}BfP4s#l8@mj@)5)(2 z6Y_jq>R052$A~+Rtm}$>k9e58^}XU*^3nH+pOG(<;$8C9_lr--qbczvc?|BnleNzU z+)wU)qU0pVV^0!4A+NxzJV{=HXUUuJ0(l!=CGWtS$OM!trp$&)XYc~;qfR=i1Ghfm2JFO&K;`5Nx>TKhaH zOMQ^s|8wF=@)7)$y!P`_UnO@|#5?4%Ul1RYFW@Wk%r8p4^X}IE$M67o>=jaH{cuc0o;9)bq+IlkbDhKkh^|E_HT|n056gU;dSx^ zyhomcPsq#g6?qfxxR-TZ1Gtae*O30B!{n8>i64`P{zm+a{Ny9z zee$CV@dbJ7Mp-b;ogzp7Z|ygFTuuG}WcS(3I6iJKD6}YFb0n z8k({yt<|PXi5eOVjauZePD6)Atv1yy!6H}$i*Q!u%OV)$Fozrl!5~-!(>7QdEPnTA zulK#)dH){Q^+$H^=YIBeUrFZ9%+Bo2iZA}e%`b=_gfEFN{nX9x5uf{+^HuQ?{Gj-* z0rvUu$$f79x%0I6E_gwF+b`VwcJVg6A%5_eZhoJ5X20{E_!js9@!GH4{H9Hl`)>@L zZxvr&cU~0l!I#A2x4Zd<_&j`Bym5z{KOnvz9(}~*K1c9r@q_S`c=S%!pA(;gFNp7j zSH$QZlxcRd9^k1Ae#5djLyeppj ztMj4w7#=-wa-Xw*bMq3n<;c{buRo2&*Q3r8$;o|| zk959Sd(3-p9?yA33?tjWOq0@o3z6S$yGm=MC|} z!<_FEk3HOZUwkY4fOs7qJ!x{EyWun9{Y|c)7hgWn`I2}KzDIm#(#`J|k3Z7+)X9_k z*$3YuzUgE)Ul894uZfROar1k`XHIp#BEAeCich87{6X3TGo0@f zFT+>FW6yN+1MzA20r4a}dfMdvH^ZmJGw_Uf=L+m!d~3n^Zt=!*oiB?|EjZtB`s9AL zKHvE!@fCPlybmvm4;Ec#r}#R&Ena@Hn;(kjUgkV{#^gS`@M-Z?_^kM@ZLX6S-w)p| zUU-$8-z}bdwew~1!fTxG7vFQO^G%y4_rF$gzMy`c^F89@CFfo7sn0zAztQ7ImeqOw|!+BLa zbEEU!;(7S8_&R*Q_~x6i&$A}?xm^Zx>&K*TjeL-Qow}ZShFM^;g8F-~;hEeCjci``-jlh^OG2#b@DJ@hp5^ zd@H;pUVtx&FT(5MW%wTPC3si7311W63m=Jh;2UNqADzg&;v3)V zp2w1S0=^_Z1Fws3hVK!dg?Gf~;H%@c3gVAGhuB8Sy3fR`DJ1ZQ=*u zHSx{wbC26@@jSdOz8$_I-hdCq2k;G#o4jA~_q+2Z#B=aj@hW^?d|@}9ckvc{hxiJ- zCEodf>#T@Rf6)0z{2)Aj?&SUIG~Ik!y!v71Tg6x4+r+aUb@O%c;vVOF#B1;s@u`oy z`GNRG_yO^0cr-J4zh>b{@%`{E;)#|!Z$Uf>UlQN*NjKjV-|*kgd*TQ7I^QpT5FR;i za{uv9yZMdc33yUG37-{D!E@qi_=0!_UKY>7cZlcU4e>mDuXq986)(cq#7ppzcp1Lo z{K?0y0*{MV;WOejct*Sq-zwgK7sZ?K?cyzXO}q`?E#85*#k=qo@g962-iIF$AHbuJ zpM2bg@M-Z8JSBb*J|`Z%&Ar{`#W%uth-cxe;+4<2&RBfgKIc<&ll!m06XHAIo5h>( zt>U{s@A^gYz3?UR(ihx(U3@!yk9ZZnA|Csq>kP#=!#6x(^8W6F$Hlww8SzzkMtlID z7vIov`zebj;XB2*z?O>=fwBJ^Wq2Ki{kNRcixKl zX82C=47@461->ethY!UU;Zxbk`@8$AZa*{P+rQ>KE4~b05YK$w&6mZO;5)_l!uN{j zyRI`3uYbe&0r3_*cH!jxIsl&$UtV#YjQ9$CtN1FsD82??5}*5D*RPAu!}p5U;A`T$ z;2WMadA~aFgm@o5C%*VCx1XZ;e)taY(zo6G9`Swf74c}#&5y)4{-5*MlPC9Ig>M#L z{EnO7D!vz96z{>8#3SEzox1oGe2;h>zA8Qg->_wJ|GA&Leo}n!OXsuVL-@RS^jB_v zyZ8!xm-zNyyZL?MbH8!EU%d7^=h3H3?tky^oo^B!!PDYn_!jZVy6Y6gqwsCwF?dxx z4&No7fVaex@MZB7yf2=CuZw5lk&7lDpB#Lncpjbw@Ll5j zZg-D=OMC^sBEI*C3S?tVoso_riq@Pv2)o)d3vxX+=#2eKf(557aZ3vY^N{=;>;;s@aS#gq4R^HY~h z?tc_@o)YgK>3mLn1)dl0!MBSS?&UfS@gck;9>2GnABfMx4~SRb(Wgz`uR45Mya7*% zH{o;QEqGqM4PO*rf$tEHO}YEk6kmX^h?no<=GVo0@W|H5`@06;C_aRz#kbwp^|y#` zhZn?`;1%)oQLeL7d<(oKz8$_Sz6ZWvd=zv2$kQk9@66H8H;Sj>N%1-OtauKd7hi%e ziPzw}#rMP8;*tBgefGr*@UeIY9=~+*{-%#{oz3D~;aTwld|rGJUJ@_Em&BLgb@3W} zkN7TlN4yDN72gXViud3L#n<4m%O)S6{qU4{dZT;X=EO7b1@WEmviL6e4)Hzkz2bY} ztKzZyyZszge}MBue)4`*;hV*G!nca=hnK`7$GZMb@tyE};?=mDABrzL(0T0g$$ic~ z$az}4`(Wqu;>l^}OX5=xao!YPg!jbD4|Ve+@gaQUGbZ=BdYqe|6(7KJ;s@Xh;<1G5 z>=2)UH^k@Qd&LXzRq=)6U4QDCllz~4nDc~q5x!Y`8$2ssfzONYfS1JU@Fnrx@Va;# zzE6D1!`=SZ#9Q#l{N(*DY;yCP#rMItil-jo=8NK6;M>K^@S1o7zFT}5-WJ~vUlEU; z;Px{RPs0z0&%>ivOg;`}__TNpo)T}u=fpekym%kJC_aK$#G@y=`?XU%0dI<@;rqmM z@Sb=PzF)ioAB)%F@n=mwZpkFxe#GnWt>V*PtG-iPlH&z|n)_lU2+yW;6H-270y3*YdZ$^EA{yZKGx``{Vz+K6T~f{oQ_+n@@@l;aTx=+RZPB58+GV zi)Xv}hIk*|5wD!%<_F@j$2dPIUV%?Pck+I1n051M@e({Q9(k;r-zHvy?-V}(Z;2Nk z=Q=&{0eoFNcdnbCUYOkfK6pyJ3!f8Th3CZw@I~=;ctt#tar@aPz8l^XZ^8GA?}LxU zyYQ*!P2S&CctU&#-z7p(>t)H^q0uyW+)*TxTfWg~whvd4Jb(ZayvEy2SYw@qO^^;>(x1`I>kazFT|^ zz9K$^55@Og=K9kwn%w_%-g!zq37-?+49|;a;EUp0;5)=Cm%H=s5pO@k`HFb_na&5| zdH4bG0({frJcnjVa-v?h8@4_Q5nS2~p;Ty#V z@TB-Ue5?2vUKHPOg?pU0i^t$K@oD%z@g%$_z8St>JOdw#Z-Gx;J^47~;R*2t_-64E zJS)B(J}+K{m&A9$YvMbf^;w^Yrd>y_fegHlaKM3DgntU8a&vxfci!VOM`4;gd zctLz8ydu8oO4r#Xz5s8DSK!OyJKzVz2hVl==u0Q>*E)P!d<;*CZ&+}hIq?|0DBgwd z5U)JXbsFM(;CsdU@Ky2c&v%^z;)$!A$F7;YzeV_rcniK&d>_0dK2>!6UE--1Id6;a zg0F}-;REq~@B`vq_@Ac@7K&r+&(vn=izDbB7BQ@8NN+?3BF5waJ4({viLf@FFuB^i*GEsPW0uI_iG70 zBR>67H=h%aT;qH}d;@$*yba$gz7Fq;ufELn*TvW2)32D^f8xK~d`f%-uZrnb$cViEn{#c;)0i^YFO%0(?%q1YZyz!E55%mfU{!i6^diJ`g`}gY!sv za-YdJJKrR};YR0a@oD(H_|BW${F3y=PzFT|@Ul*^{-F`N{YI2{ccQ~IFUwNnV1@ZX1o$nAYy~p_;@d3Oi zK5V%8vG~e+olm`ba-VDPg!noF3zE^xNyer;;uZgd~N8)|>hX0y; z-1fuc;v@L1c<1Bpd0!MCx13kRH+<6h9`P7_O?>sg-Tc(GllzR^<~$)j1>YD82+gC|-ldDwB`fF8C(#COj>^7rsTj z1K%#b+;-1PQ+(!g&b#6V;OpXRpLg@qubtd~q~m;6ybI5Xufi9^2k^4^I(&!t7~T}0 z{gT_ynt1ms&Nsepa{sf-&Nqv9;Cb=hSKa)g_!_(-K7{WSKLBrvN51CztKw7ep?DmA zP<#_ScHQLtO~E&b&%)E(#Kd=VbMe)9fq>bcHl@gaPx_|$jYd`Y|juZcIl z>*n`}_u(D!0enq7yXra{s+0R4e$V-gcrv#pmET@f>`+ z_&mHW-h?lU&)n|rS6@60->_rye$Bx*iSLJR5#N2M>legZ@NMGz;Jd`T@UHmEA6$PV zK6Su(;?0x$FaE{(ocJ<)QM?DQiMQ`^owoS?e>z_kFZ|2-P`m+;-Z;6>xyXGF{rjU$ z;@jX^@z~wm{5J8$dpNI(FTr<<_u$LoTkh#PeetdEb@6$4&%u|)Yw&@14}MTQdN0?H*Cy|87QR`$3eSmm;fvzYd%J!` zd>eeH_ zBt8SLi>Kjj@m|dJ*Tr*3JCD6(a{u%9bG}Ku0MCf;fo~P>!i(YqcvZY`j5}{re9K1X zUGWw8P<-P9-2BunllQ9+pAlb(yZJ5RtMIaTYue4%#TOsqye+=}q0al_x#OIV#arkeD-+fdGXl8oR`Jx@EziN;0^H>e6RS9hr51XeB&nP(OW0?A34GKjCdKI z5wF1u;$wJ4d{@%-8{&~iI$suFg%8D-Pjd4I#e4ABTPN?=8hn%Z5S|u40N*N}JlUPM zD83oKBtA3a=Ii29k8<7>Up&qEe)06_&ZpisdA}AmJD(FDU+TOdp1I8VHu2TG^Z23n z@{!2hg45h1`1v)94ieFP#w&zrS==JpBIBMRGgu8qQlIxATVISGg@7 ze!rBic=-KNdgRuxZF4Xpw|@BjL&oGb|4z)uZ75jw`0#v!+~z-s`3yPFXUT2;lbA1( z^L&Zi=D&b>yt_NRpTpnhMCMm8-zK-8hVvbA>;D+@19JOm`1lOTZGMRP?A?QdVA|rZk_JUZoVY`U3iV$I^o9~b#m+c1oI8?A-qFwo$%w6F1dC7 zi20uQJ>L@iVz5T!)(JnJ8IxP*ewaUWQ3c20^>sWvVMB21gdhJT$?c~nV?HJRSa^=y zI^oAld2;*dlQ3TpzZ6~}w@&!+Rh8U+`Yg=X#9s(+ky|JHc&trsKYa=2JL0c`56G<( ze*88hx1YWq^CR&(JQz8&!t1vg2E?o9AwYgCzLkTKy=~jF4*tuTL&vd0x6aRVf5bW@ z{JP4Xp!q)>iG$#WJh|=U<#wloRXB9}@3)`d!S(g?4tPoC{{k;FLLm{be;zf?_b#82G8Ptgnk{o zBK}smz8=0GuCHTlcoIK`{cqy9AU?oxUHncQ_r(8-Y3s z@sn{p6h8~ciF;0-_X2ocd@H;rekHsmUV^vDUrev(J@ROX<#xWjci;w^Yze9N2N{6KueP0oknMfga32oK+3hi}ivx=bW$Pe!oJZJ&u- z-7mz%_req6*|)m+qiy=ACcRB zKH@ksCb#{}d>FrgkF~<*y$+9yM-fVhZ~Un1B*jzkjCl1Z_lB7h-x70P5YNGj;^mEQ zzAAoT+Id|(>^H^3eoH*;_r!Y-as7dK;yC9c@lEitcq8HF!+$Hb@Maq%2HEgtr>;$c58zUy>%-h%j!Go07O7dJa^h;M`U#rMJS-;N%>zwJl6 z&Pe79XE~4KeR}wI6?PKhVJ9UXcJksgk8}Nk_yQdN9ns-^4&XJJ&z|c#`0rj0&zIm0 znIE6;=G)?1p6DFk=JjwVnRVWm`S830@$kGu@$kH3@f!LO{Mj~qoWuRZ#SdUUAs+50 zDIV@8B_8f4D;}P=AU=PgdmM`5;dx8q;d#sA;d!g#;p0#f5BJj)U&ek~;^BVq*9s3m zkKums*YXZ~xSzgs!t;*AXP)F9hp~8gUVQoXa6ddRzHE8e!}H?HEr&gP9Pnk2!yfJ@ z?LMu1*mq(-8S!vGS@Cc`Iq`5mMe*>wC35?C;BI(7R2IKCydwTUcvbvFcuo9Fc%9t- z$T)nny_X9<4kEw)C}(!tA-8>g3Z1U_ZSX$%`P3PZTj#TwABukgJ|-_wCxV~bb#0w5 zV?HYWb$Fb74|Njc)>*-PQvAE{H2LSKlOeaxk1(GV|2aHQ9_}IdZIJ@Gb%vNPir)z@ zlV5?KTc<*9oxfndD*g|6o&2rTX^>lI1K!^^#qR@elk@Y{A-B#0Fy9q_D7;V3odLOZ z9*Oy(`04O5Id>wl;5P>=eEWGE=Hul2cAFr#^InAcr1+)qG&!F)LvEcHVLmIq4W1|G zx7z}_b#B0XQT$eTnVjElE9BPs80M?u;m3=0@&q2+;I~B@{L``x^F99|GV16~w=GQ1>?e_k9Z zi@z5074f&jtKuJo*TnxDUKjr|ydnO7@TT}L;4SgL!Q0~Z!uzL=cpTmp$6sfN^u+OH z^GIL(Jah))PlXS~uYixlUjiSCUki`iZ}RQ`MtD?wH#{c(Ie1+B8}Nkqo$#di5qM2W zi9Z0ICjTP6{$$9XhSvtWM|pC4eONle{bE6UKI*(EUOm!zNqjH7EIzoGn{SFAytng~ z_=YLxZSfeqBR&i7im$?Z;sv~89*7s=L-Aekk@x^U7LVW8?LTtNzu$iBaUQ^9;*F!+ zd|JE<&xluIZaym>KiYXgymde4Me+VI&P(Ev`#Ud-Z-ZCFx8ehrrg-UC*J+8D;cf96 zyd&O$cf|+rp7<0#LDd(}!$;x;cx2<`^Hqe$#G?;%_bVa32VNA9KM0Sr_yKrXeEq?0 zz9K#|?Yt_UdWiFycn%*p*2NFP8{&=QT&F3%IpMr5-h_9=TkwH+8$J>rz{lcSk9X&d z+<)?U+4L~yQSn81Onk$`-F!lPc9Zjzc;gYy)8dsAooB@NCY|TSH=N|WB))cv^RoEf zQ=M1DTPf#N@r|cBuZge2+u}p~0iYv3f_KHo@S%9*40qnh116uBC_E+}gXhGX@Phhg z*Ds3?;T7@aGx7L{?|U>JAMu0mx_Bh*<{RRPvz<4^m*Fk(;yG@qNz?@PznIcv8FpPl@k=XT;m^toSlKC*FhS$?eZIHM}1!h`$wH z5pTe&;va(7$?fwwulT)tyqe^8-Y;UlCB6*rkXvUvIz4jh{2cRr@n6A*kWi|EA2t#cjbK>$8FK6V2%Q|cb&kb+Ui`uE zBDr;bf=-#-I>%wY;_(`}b$*UcgWNigK&R>PHo0|vi%yr^Iw^E|9v_ff=a1-&$gOi8 zI%AJV9~=w?E4)tsj!vB1I!{L@;qer??PtTfRU?rMxpl5VC+qP%xpnS?PLbR?*P&DL zc!k_L4?w3zZk@NGQ}=k2+&agh(K&Kv&usxSUPbjIQjgGU|`{N`YV&&$d1g!pE7 zQhXMkCbxY)75mJR+dk(opA+8#FNtr3m&NDdb@2swLwph55#I*yiidv=?33I5x(xSg zNN)FQJ31rrC3xha!BDWm*RgqYV&v9&JLco!AAqODKMBu>e*vB&xBWi{=Pi)idB2JI zqWE{=WpeAh0G%qib$*Qbn)rTrOZ;|t+v8nwJMT+y-afgV_fO~yJU$|~&MVM~92Xn} zD}4J8|NI>Fc%0li*P@doxBVQAKOd$%o*}nR6`dTpbsmCF-s44b>)eb^ncO-jqf_yC zjodo#K&L@&owLwsdb~|;o%f^DCAUr%ou0=BDF@n|9#3RZaCeHxv3 z;t(Hx-d}=F!s97&+s_x!$&lNAcA%3LzZIS*x6aqmDUw^~zcF7D|2(`xZk=zTQzN&| z8s_WbzkxT&t@C|!+T_;x8|FLW_r#x*2jcgG55N(zASzuJ}*!ux6Xagsgql08uJbD6W}d!>pTFR4!L#0 z&+l}_!_V*Z$*pr7Izw{ngrDCTiC=^LL>?Xt1m<>Mkz41@n2(FU1D+(e&S~hR z$*uDV%xAmvx6VH>UlTv#fx#~Zt3hs^E$Fn! ztrN$5Tl_?Lm)tr}N2gD2ohM*^Abt@%vMCq}R(RcA29J6?PHyLY7S5X_xAR_sPD=b5 zc!u0M1$1)c)(JmPlox+HIz@8pJQtlZxph8*`HFZ4UL&{8^U-OLTPOTHQB(X*blT+B zc>y|Ia_bz0&pY(Q9|9kcTW1lS5xI3{F+Uc63OxFVU?^DO^>{TpadPWCAM*+E5%1JDBDr-wh53^B|G+Ec)+wV?Be%|PF<%!CKOfX2x6Z54 zX_H&$E_6EL|AY_3{{x?o7>ZB9qbCH>V1?J+G4Po9gWxIgWC4M=)C%yphi(dsFlG{FaV4q`h+viI$ zA2~5N2v+#`Z-d9kt#cDP33BUf$9&S`X>#kl1)UPPbzYB7S^S;wD!FxTMW;?~ozG&v zA^uf(i`+VObUNhL2|pj#^?0A$I`2YfNN$~<;JhP`N0Px%u)^1+20Afv>--X(xW|*^ zwx9Q-lP0&$o#im~V=I0^TOK&NtB+kz42gVSX(Bb$IloU?^DO z+kX$8IJtGg&#NZH2k4~8Z9m^fCqr(XA?CBRJp8!-M1(UXINV1;kDr(ixNel9#gZk^wvlOngr=W@)aJ)R}E&N@1Ia_c+` zor1?pXBRLHgx*p zUxp9Kt#c$gV{+?!8}pHw;2>Dx^Y}A(jNCd$qmv-F&L1$J6#pkYO>UhBqLU@J&J;dB zn-hNkyg+W9bgJamIT@WgxpfvW-w=NZyhU!EGtudgTjx!f?~30H z?~_~STy%!y*7*eHN8+D`M;;Xn1uJ|VyAYiixplsW`MCIx;Yo7a&(qLJlUrwu`HcA8 z@OjuAxpn5zDUe%d8uLZ*6X0cX>pUBsD!FwYi}{-P7I=f)I#;68BDc;w=G)>6@GiM^ zo`+7K+&Zts{6M@4ACX(x%s0ia zgty79vkRRrxpiKH`JTrI@c=Xg@C|Kcj`bl)+z*xplsdPLbR?A4&u_!76#YLT;V!pi?8a&Lrm5m&M-zuaet&&&PS|>qt$HNYdMdIT3 zg(t~vKhH-eO>Ui&FrN`W4W1*nP6?d?xpf|o`J%_mH5@$1~*CxfPupxpm%(PF_6x`d^XUI`2ZKOm3ZzqEiw747^5eoe!YXAh*sk=9}W- z*ActoE12(zhhJYDklT4bhVzcd?Y!aF9mnE#q95HH3C+6`4xpjVqPKw<26Mo${ z?eQ$Rb$*LZp4>X~*iXUZC35Th37rbLbzXo@)#G(?>-+(J?Yd`NDcqtO|YTjwTpB99IZf)zfGp~uLr^I&um-oW~2~);SHG61jE0j856(RdVahqEjcg&iB!2c)Ue!oeR+EkXz@^=yW~aC%4We z=nToNvk_k>9(g=+RxlK-@OAYHbYkSzIRl-z$CKo?pCUSGa_d}zPR8Roa_hVdodUUa zo{vt^<7IN|{1-Y^a_hVrotnoR_n$eZk-RIGw}F`+&b?; zCz1{hf)!qmpF=0=@i@74K7vk?-1hTbbW$GAkXz@|=;X+)b0<1^j~B_U(?O?9Zk;K7 zeZAuG8o718iB5yuIwzvj^mv=xI^Rd9OKzR>(CK-6KyIC%qcbA6&K2m4Jsv$f7z$Q+ zovx!3C%4Ya(MfnbMQ;1K3!MzPb#6o_>+w9fb?*L$;3il_a_f8)os!2Zs*aa)#G(?>pTOUCb@NP zK&R#L4!L!nhfa^&Iv+%*@9`nIbxP=r$*uEMbRv%l4uTavkD#kl0i7(lb^e7;&f^7g>)eb^iQGEV_?2d|mxKIx%wVybYbW$CKo?pDsFSa_h9w$#^_R zZk_LCXZk^wv(;~OdvG{u@ZI5@!t#bgKKDl*H zLucUe5xI5#g-+zL!9lRX>+y-`L_HoSx6Zx(c<8rBlH|6Z@b3eqJf0!9&i&EJkz40K zv7fxhi{#cxpi?Hd&Q0i4JYFNW&dKOB$gQ&*ou+=foi;{$T*oQKYc z+&bSzXYBFlg{y zDtWv@Zk-pSQzN&|Dd^Na-Xyn98J#w{b)JGw$KyS6>s*J*nph544pJLJ~+GCDnS>)Zo>zpC%?A-Q$_2c0pwb&f6a_jsQof5fq9*R!c<5hC&{0f~q zxpf|aPQ&9Za_g+4(;>Ic$>?-F-Y2)tpU@eSTjz9iMjnrx7Yqd}d|mw;Ix%wVoQ+Q0 z<4JPc&)xoH)!^?*ky|JHdx{y4=g6%SMW;Y+oeQv^qQ}eR);S8DD!Fy$(W!a7L2jL6 z(P@!e=cVYhJ>Dg^&T;7U$*uDSbOs(Dkz40PbRy>m2f+%j$9JL=^?01zI;WzOB)9#1 z2%VJ2GvwAe3!NOfbv}ho-s44b>zs>DncO;EbSfUNkz3~ibQ!a_sTwWDqf;ce&Xdt8dAveyomZk$Be%|F=+r&lB)87B=(NeL^IUW~9`BJ`=X!Jo zhU_cbv}VkliWIAL8s;M4!LzcgHDg!I;-gPJw7D2&KJ=c zlUwI^=tQ0n90V(T9z&0jTj%TOB*?83!QZb+6{^D}hnj@&v&90+cLRUo&{Zgh$s zFOys6D0Hgi*7+PdHIFyQt#d3oEpqGpA3AN1cgd}D96Eh+>-++pfyYPW);STK$OXYc zu)^zcj84?!adPXNicXT;_H#e{{ppm)GvwAe3!NOfbsmLI-s44b>zs>DncO;$N2lWP z8o6~YK&L@&oy*Z_db~|;ou{JHCAZFt(dl`7KyIDO&>4|i=Q?!89*<^&p9f&^ zlUwKQ=p;OzBDeiqg-(XtIv++w9fb*@IINN%0~hfc}k6>{sm5}g{kb(Ybod%Q_* zoomr)lUpbJ_X8b|_sFeNMQ1>6oj+hdLywQit#dOv(F=ovV1?J|QKz`$n8y?3)_Dgy zDRSG-3_59#XUVPeesuEW);SNIg2zkb*4cwjh1@#x=u|ykC%4Y0(P@%f=cVYhJl-L< z&KJ<>ky~d8oxaD1B1-Nx?y|!sjvc7`b)6jZT8xI=j(HdOS^Togbi+ zCAZE#baEaqkXz?x=#aP zhJqDdr&pm9C%4Z1QisMO36H19Z9i9|lOeaxiRffKo+r1?E72*ETj#OplssM`x6ZZb z)X1(P%qZ<1T*dUV?4)_E~H9gp|Ot#cDP19Izx|9)xc@iDn|-iA)(5&P+Td`NDcFQPLhw@&o5;KtTd-4Eg8A9{@3I$uX8L2jM!-(@8|o+h`>x6#Rx zTjx>OPtM~7a_js6of5fq&PJ!~@hZ7>euhq++&baE2Wxn|MQ)wnpwl6@&NH!}uE+c2 z*0~d%A-Q#4h|b94kz6notnl^lE_7n#)_Dy&aq&09ljOFaf1#5mx6ZpUpAr8cJV$Pw zBmNTH1gk)9osVO_C?5Vhw=%hPjzXtOZk<(hYT`eFH^{9MN2f(@onK+TE&h9Wm)ttX zqthq1&Rv)vh~NA4;1`26BDc;-=tM3)^vj1|4f%Sio8;Dc4LWUd>l}mm zj`*?g9=Ub?3!MSEbsmiQp?Cs5Cbv!no#@kogJ6a4Hy?rdnE0vi1i5vtLnlRU`#Br) zY4OLwv*gyf9-Tb7buPqwLHts9iQGDGLZ?D*o#$e{D*hsPo!mM%q0=O{&dV_065kH* zkXz>#bb930c|GR);yd6&a_hVeoiVv}ZozzHYj6;(@Ocb9MsA&VqLU!EP92@3_-=Tb z+&b?;CrfUf7Upx}{|{aux6W>KO61o0GUm(TUxio6t@AN->g3k>9_Ab3Yw#Aibv}d6 zklZ@I#QaG7AUyK)U?^DO>*1HsiIH39{+kbtMdBV$lG}ck(MgkA=QwmS;wQp$lkj+o-1ZYiCqr(X96DK#=gF;e6gow6>pT;klE*9L);SiP8o70z zk51j=O>*lThfbT^Ixj`1>w0uz9#4>4 z=PYzmFFTM^Rl3S;M&Y0Xf;lCS?Tpk<*D|{X|JlY+{$gT4NbQ0v& ziD5n|J`GQkTjv^dvgFoDVm>Fn8D1c_&a2TWky|H&`Lg&Hc$M5bOX$?et&_)mLwo_= zBDc<)(dm#|r-b>g_;z@o+&XVXXGm_HD&|MxJK>RM1Vh0JUsvCQPK?|-;lF#2i|;`v zNpAaTqLU`KP8;(X@nv|9+&Z5`r$BC<9_EYUYw$9;bv}zumE1bvzpJl_A4I1?Zk?~7 z(;~Od{mu$*g4Gs30p2CI&ezcClUrvN^8@iq;UjYE{4Y9@X9fqs3a`hPVLmGUMtGdu zI;-d;$!$OH#eB-+8FK6V7@Zusbv}qr-s44b>#U(uCb!N<(5ZO5MsA&-q0=C@&d1Sd zdb~|;onNEVCAZFAbb1~ikXz>tbVlUX`8qmdk4NW&p0Ri=$*r@7PQv3Ua@$X2 zY&XH{AGvjIMZI`>1TMsA%W)4@%!>K<>BTW1=bHo0{k zj!wtpJ#y=ufX;y2I;WyD^!S+EIw^FbR|E&a3a``0pcC_Wg4{aippzoE{X8C>w8yjL z)|o>mPi~zp=oCC&BDc;(=v2t9b1^zqkJrhqlSijXZk+-;EsuA|t#c(hJ#y=m(CK@8 zNN$})bjIY?c@;X5X9Wkr3ZKW&W8~I(1v&|G>)eP=(&K4z>r~Lml3VB9=;SZj0&kz40>%*Q>RB)9$SLnlpcox7hM+ypBlegr&6Zk?~8Qy{m_{V`wk zc$wTfJ#?z%)_D**HIFyQt@9&vTIAMwBsy)6cgd}@ADuqAbvC0j@c4+_I(MKGDFg?> z3a`g=(1{if@&C`` z-1c)ZIu(!C$gT4LbQbqt6M3 zf)!q;o6(7rTjyqU5*|;H+kPI0PKMk%??Wf+@jSV8vgj1at#cbXC68Cgt#b)FHFE2O z-`A$@@g})-=Fw@BTjzhVpN_|SDWMa+GB^lUc%9ykPR!#8 za_hVbofNt4=g;V*J)R}E&JsF#a_ijdoZu!{1&^1=t#czf6>{qwgHF}sb#m*}(P@%f zXBwTB$2;WKc^^7Ga_gLcPT%80a_j6tXH0IL)6t1MH#i7Z_&kOlBe%|N=p@Lk^LTWU z9#4~7r-M$G+&Y(_lk<3i+&bStr$la@1$4?DuaaA56`eY{b*@3D;qex^b$*IYhuk{h z_gCtAyiabOAv!~H>%0s58F@Ui5DWz?d|mw`Ix%wVd=j0w$CKo?pM&V6$*uD>bTS^# zkz41Ue+zDcRUo&{chM<&yi9JL7&=vQ>xADQs^;+qxpf|dPK(?+f5v{=9`BM{XA?So za_dAMV>iL)Ydt<9x6Uc(M4or(w;jG7k3lEu@i@74(&!|~Z9k7hC*|=BxpmG*Cr56b zbJ59ryhv`HE$EcVt#dIt6_3}*t#c_l4RY&TflkxoZF1`r(CLy}=eg+gJU$?|&I{2Q zkz42G=!`uceSR<$tnfPBhEAN^Iyaz`5WfYUBDej#5}gdWb#`Gs>+w9fb+)5ZB)87T z(J6VnLT;Vcp;IHb&KJ_VqPZk^LHUlpH)*U7E(ZgiUD z)_D@`Tjyiwl*p~~VRXtKuaaA*g-)H^I-fzO;qex^ zb@rmuA-B%g(CK=-Pi~zyIzw{ntfDjWc;p4aP_V++!+q$)$gT5pbmAUQlG}bd=%mT5 z^E-4h9?y|mXBnLWxpnSBr|9uAxplheRLQL~_1NGhST&C~$gQ)2PK(?+4@Rf$@h-V_ zdg%1Yt&>7$;PDZ;bym@dyf8QjR(L&T(TRFIPHvq(I!SWdPXV2j$1~*CSwkmBZk=n; z$$Pv=Zk+)-WpeAh9-WHEYvk71k4}T!I&VRz>G3wXb%yA4$*uEVbb1~ikXvURoe{Zp zK84QM4_h=V9m!Jw7J4P86N! zqC0_#W@;@}`y;qw@JjNCe# z&`FS6C;YyXNsp(=t&>D2OKzPN>?h~(0=ac&&?%8y=O^ftJzgcZP70kmxpnSDr{VDy zxpg+9(;>Ic-Odeeg4OkSpWHfWbcW>Cxj#B1k4Ii&XZiQ*>MS}ja_gLgPTb>3a@$V^ zoiw?1&P6BV@f^8z=FlmSTjvsViXJbMTPKT7mE1ZD=+r#kAh*sIbXw%r*^W-z<6Uy= z9-Sn)?I-;Hp(&4N$gMMvPLA9< ztJqK8<3)1o6woP?Tj$s4R6JfIx6T4O4RY(;g-+AsZF1`r(dm*~=g3TO6Re)c2jtdS zL}x^9orh$Cn_!JS9xb_F4?q4Xp%W*!&P>M5B|M%YxBYBGCqr(X^E1Isu(BS{lUt{Z zPLbR?mu7;SV3j;xA-B$UbZX?*xhfOf1gq}xCb@Mg=(NeLQ_ci8!RmOtM{b=ZbOz+s zxgitW1Z(K=F}ZcB=tN(7=(iodPT!Sr$1#s5$gQ&jofNt4=M(6pJ)R}EP7R$rxplsb zPQl|Pa_j6wr$TO>AE8tAc%9rjb#$8K*0}?nmd88f*4c$lkK8(UKQFimR^Q`8a_cnE z8IxP*Sac%SSnc1hx1q<#t+N}Q1i5uiL?`L-G`V$}=w!*Q6Mp~PoW~2~*4cwjiQGC_ z?5FJUD!Fx9=+w!r^GtLa9&eFbXD>P(a_d};PS@joa_h9w8IoJ)b?A&d9(h?X6s+)d zbssu0a_iiJPTb>3a@$V_oiw?1K7dZf<2iEcETdB(x6W2Ad_ZoUb#zAL)_EN|V~1_!|kpU2Q+&&22BDc;@&?$SoN^YGLI(2gE`~{tc$6Msq*^Ewy+&cH23vPnd^?0A$I%#x<uh*Ja1*SG z$7|%)DWcOLx6ZNXG(FxXx6X^v>5^OLk?8b1J|MTwHRz1Utuu?xSUmi`?a@~SL%|9^ z{&^)jadPV{ppy{42A(3f{k#U947qidFrO8F8$3^Lo$Jskl3VA)m@kQc4qhR*&KuFG zkz40Gn6HcPhd0Tsa}zpka_bz#e8=NGa_iiR&VbxHM?EpP3D(f#V{+@f9i8Z_5B;{o z*J%Qsn8y?3)_E5?DRSG-Iq0N4o+Y==d(p|0TPKT7!Q&-z>wEy63b}PIL#OKTI=OW| zj82o>I*aJEJl-L<&d1Q{ky~dwI(_li!-wS7`4l>1a_iiP`N;O*AXwq+ZRjy_>wFfS z1i5wIk4{qj!|<&5C*V2pFTzXW--egPe-E#c+djW?Ft`a;o!s_$#07^q(h!fsTjbVR zMyEq=ozpPi6+a8!C%4YG&>50j=NXtEiC+bey(Sn6R`|SZgU7{R3r~yR2+xSW6J8Jx zzdwFa{L`4Pihmhi6aO~6CB6o4i~knh7yk=({N5zkZC&eEGPl+et zIq^rs^Wt;xviK$NiumR58o9ll^znAmAh)-Zt1#d6c$?fhKSrlZZk=n;>3MuWZk?Z^ zGa|Rnf1)!MzaAdFHW&(4`2PJ@=)}pb^8w5!#KZ67pCY&Y+>TC$+&W)HCoBE~c%Ixk ze@3TBZk=CZz9jx9c!k_L|3IfkZk>By7~BM_F8)w>liWIyf7ng%`3-XGoP_y~_?hq? zxpkuG49KnX6wD9B!~YLpOm3Z{(TP@qgJ6ZPKjHre5UU*G!~SaY6Xe!;5IQMx+s`eS zPm8}Bo+Y==!_mo;Tjw^+7sNjgFOgek2AvAIb(S$-75^r@PHvqu(P@%f=R25hiT@DZ zA-B%s(CLv|XMp*>_;27ta_d}x&Y0XfcVIs9+Tb8q;qw@JjNCdobQ0v&x#yGYcL$%h z@OYZsIv1mpCAZEo=;Sg_h9~I=%mT5^E7la z9?y|mXFECta_c+`oubFfGy$)Z=k->+D7+Nq&#OZ$&5N@eH|j_Mnp^w@&!~dE`A_ zB)869bjsw``6%{N@pz5gI{VORkXz?AbebM-lUrvQoi4d`zJyNC;{$T*te`U@x6TSW zV~BPIk*W{$KyS6>l{R9KyID;qBHdPnA|!W{u$f^EBbo( zV|blD5S^IE6Xe#JLMKIT``Ls}+T&Sr>uf|PPi~!4(J6SmL~fmFbSmW5IUAj-$Lr+Q zIUb!Rxpf|oPRrvRa_gLcPLJF=PeG^e@gcc&PDW=;Zk@}}iM$~=2v+z!h8`ogP70j_ zxpkg{PSWFPa_gLlPL|v{FG45h@dCMZ&OxU{Zk?B-Q}%e3+&br?Qzy61wdgcF-Xgco z96B9x>%0-2uE+c2*0~U!A-Q#KL1*Og$o0Wcu)^2Xi_nRYTjyQq#66xQxBWZ~oiw?1 zK7>xj<2iEchU3MuWZk-#@ z8IfD({^*Q79(`jl6s+(%y$PK-xpj_1C*koFx$S2sIvH~7JQAI($MfXYc{@5qa_gLd zPRZjHa_hVsof^4y9*a)h<4tnwydRx5xpgi;r{nP+xpkW849Kl>F*-w!kIAj`F?6Cg z1P8$iuhVCu6Z3e2+&Z5^Cq-`ic^*1xk7voP^BHvVThOU` zyiRVNFQL;Ux6Vh_P=rMBZ z^w3F=Tjx%6k{(Z!TjzV|WXY{_&!+@8!OD5OKyIBMp;IEa&O^{Cd%Q|+ou8poC%4X- z=rlauBDc&*&7$t@9mpisIq_GglS=4d!d&e}=cj55n8x z_qixId9b?Vw$Cy4*(bMsJ{0o<@l)X=a_ijVU%`#7H@hFg>nnr#sQAV3IJtH1i%yc< z_H!lXQ{pd!XUMJdKy-5C)>*=QUi?;gk=#1Rqf;ig&Id7H5&sOlMsA%)qSGL^P8ah{ z@gKt5Wxphv# zd_p_}&xl_F&x$X=i{h_qyFW^J*1Muig|9;%; z@wsQt9mm9vg(t}E`MMB~bBf$L;s0Zo7C#%EEV*?qMkh~hohM$M7M!b*@4uQ40=&6~2z$ z?_zhH6h9W8Cb!ND(W#T$ex@aYAjr%Zhd~2^L>MKCN(9G=1tB1XC`H3XjG{GiYX(6gVhN1WAfOSs zL=X&!(C^9je4J+KF;~F@$fl(RdIBh?9|24`8+!f;}_6d;^?&4>4>9qCFi@we@yR-qw`I6hT`Z9 zIX{Z5HRt2s?uaABm&$5IYlb zbdF(X8sYJC-H_YD>+}hBlH%x`%1$c6GvZj!GwkHV(K&~me1sRp(V6G|4_jFrolDrM zM0iacorUZ)#L>Byoo0l$#nIW0ovt`KeRg^gJ`hLeW$cW^(Yc46afDCB(Rmd+@vpcY zw}sc~Z`nyicuE|d-Pp;9V?9r@la27aI6AwtQxr#M^Y^(6x0NEiB96}9?9{~3c_};f z2ycp`vmZNcaddWNrxW2ladh6r&OjWUJ=hsW_*fjBgV~viqw@}SV(Z+F+rr}*JRy$G zhuBGpqw{Wd(h;5&M`sy3d2w_;z)m5;OXBDp!%jsUof11$<7?@4adeJnrzwuk<(zLB zzm47zN9SYg^u*D5ob!F-&(eqD=zM~mu{b)5-tR8lHZdMP|1$Pfe|>mgJ(Zn=I67}; zCu#hx^t3qEa|SzEadh6p`JC~k^ny4#pJS&aj?QwaPMeL-- zv7SdcpD`X=ile#Tqs7s=jGclwIxppXF~ZB@=v={0RUDlxJGBUJh@*22J1uc^itMx_ zyep2*b?o%T(K(TwL4=RQ(YcHy;dya%=3xPD zD~h8tW~UV46>)Up?9{~3S$v4Qa9cgXo8stf%T8Myojus;M0igeogLX3h@*1|JHrSc zi=(p(J5zCVPGKkZuWrX}7*kJ(qw^YeQsS7ugq?JRXT{O^J9hHo=-kRqA;L@I=TadbYyPDdP_%?@=JZtF&PUmTr}u`?7$X9sph5k3(|r^-(3e7EB^?4t8} zcH+kOr6pdHak^ubS~k1&G-g- zLmZv;?6kzunR32u{FNVcSGuh$j?RVb^u^IBaDHHX6@4U*&SmUO#L-#L`Kj^q>B+CV zA-Cb?n7@dgGJXX;BaY*KhsVu{qjMAI^TvNpFN&knWv48T&V!t<7=NB#6G!Jdb{gX7 zZ2uv5;kIUkx5d%9ft{{6Iw^K~5k3${=Vo?B;^^$o&N#xS;^=H(Cw_t3aT|8gc{@9a z2v3Qlb1OR;adZx1CmZ2;add8Hrznn2_*~UegjdATxr3dWI6C2TSnCnq6i4Tm?6k$v zS(-cQ%{$cLIZLJ9Jh@#4kVWTn?8GBHDUQw-?4-rfSiJhc4I!Sg?5uOo8XJ>YD;^@4VoqU8B#nIV?ow7JOd$LoB z@R~R}DRvs-=)8-aW`wuJ(RnpHU2$|i%uX-D2jb|wj-8P>I?LG^NBC46o!!`pf5Yv# zExb-oWG7+#WO~N)U-Wv3>N&efc+M|e{l zop-X+7Dwl1b~?uIr1!+pc`rKyadbwU9~ys@J{Cu($j($8oo6^7yTt9dEj(Vq6XNJB zV<#n!&f>#yYxmzJ8GkuFD~`@b*vX5d^S7KY7~hj#5=Z9*b}HiN?8o_PgxAHX&=Tde$;^=I4gu8HC*La-X z7f0t?>UqVkC--n(t{!V(q_`&p|@gwL} z<16SjBlot!v2yKp`q;YD$DZe^z|j?Np|sYG~99GzdX(-22zUv`=i-WEsaUUs_T z=p4jOFTw}n==_eIkvKXZW@jAXQ*m@A?8Mt{$8F(tv9dJVjU^&HC63P1>}15To>SS$ zMtEKvo%x%&Uo72L6i4TaC1@;Gitvg!I$N_-6G!LkC3oSrdW1K{(b=Azwm3Rhl-z~e zIuYIzM`ssy2IA=asN^o(HjMDGI6ALmXDW`)Z6$Ys?VJ8fcpQT##L;;ZJ1KE=eqHjn zPe*uG9GxsXd2w_eVW$w`C2@52W2YjH&R^N78jmk?SGuh(j?Mw>G{w<*Dd$@e-VsOV zeeCqa(bsadgV;WW~|B zh@D)77sSz7#ZE~aotxMxM|f2noi*&##nE|~okoPW#L+pGosKv|@{GIgp75;vN z^K%eAVSFh)WBhP>Ho}X>mvg=p;T7@uZfWQ7c~TSK%=z)`)FZqpj?M+_w8hb>u+uUA zNqSElor~BRiSN3=UBPWEUfDLN`~6FNp5yAiThFeHf7{RC{6D?r+n#^UF18>Zd!Q2drfb3PScBAr;r&)___<^0FR zciL*MlMr7oouv3>`nZVSDeFm#?=0shBmV5-x#MQVZnV#rx%phb zBK{V6o>#>e$Z>1pJ?YfNFO>B(#IKd}&=LQk%y-4xavpl(cgS)3;tOQ`1M$7&xI^(* z$>TT@KSI_MyK?S%g4e~ykNEwB@$k9DDdS_#XN*5W&l&$Cy+eM^am+8~d|O=Sd*XPzO>loCj?O}^b8I|({@=v-jjR1Sr^dtQ0>-}UuMg+* zR?f$b59kTwchZx_!{-a8jQ@)BY2zb$#`pvDtnu(Ug*oF7b3SkUi8cOy7L1>Ns`sMt zr#N3SzSD_*zHEF?dd2t=^s4bs(`&{rq1TOHPj46>(woM&`nX?b%lMO=ZyVp0^Bv=R z(7VRN=X>>xf06Tjh{un)J{KTs7ri`znr;T4h<a-o;Cg#dd~Q6C;8*%jW4AajIX5^jenC~GJZ3? zY<%aF{c$VCujl!x8sC=duNi-Y{krizIo~k;4?J$u_;K`>@eAl}<5$u<#&4o`jo(l2 z8Q<}f{yg-J??E3JKZrgwem(E+$awgin6dGT*qIo=ojx`GI6d|~zuxft5ATO@Nt|;qj`8>*LiD$NX{Zx5dATCl+AQt zzbSF_-;(#|Gi|(efcLyO)_)GyUl7;#hl)7nzsC8h_zL;^TT>kK7jwQPu74-*isL+F zxIYv}=LB}9#>3|W#s0$$xeez>pKnQV^hdmXRvi7)*)JMjSaVmptt77JrzVb0qK0Yr zb3^=g`8#Jz9P7z(zbB5)EnLsY_>MJqrQ62h3*_(Tu^;>EUw9pHE+vlsJ?!UJ{K`}B_SUlsiPNF3{_bAKX^ z^*n!?Ur(avzlPV*$7_B+DXy>gtT;NS)ZB&Ja=qD?+4D_b??v(1>-|H1omFwHbISGA zjpw=F6vuH3HFx2*Zg2MGg`cw*)ck%=Tz?*o#L>C5<}Tbe?#;f;I{Nb^{*yV!{I_d< zKOz1jdH>9aWB$9G&x-56=PHQLbMw#g{8Yqoep)?u;kKIb9QPaIIPRG>OuPRM%6P9f z<5*XGfBAVj6h~(R=SSlDd~pAdDP~)E{`{QtadCYlv_H5Z}!CA8WJmSjG4&*{_P%5Cb#1@oF6^^DRIo7$N99lzK`X_F@G`V3*sls^PwV+`O7(9 z71w@K9P?Lmz9p{D|DHJJzsLE$xITZz;+X#l=O^MipSal#xh*`eZsmMZTz@ahh~xRt z;Ny`KpYMFk_oae3*0YrTit)SXRq-|Qx^9Z2b06nh;`+Gv#4#V9Cw*}}4OsM^OojZN*tZv^L}N-KP~^8)@+N zS#fk$v6C0i%lk}Cd>@3k)x~jsCa3%J&=J?pSX?_3adg(K^_}D`{y?~2+9`-@r!J0V zCV%R0-xkOH{mU8NyW+2w`#TZGdan73U(eKdY@PQEj}zX<7O(aFtoS#jUlhlB5}YrI z>*H7v$NU+buNwany>5IRy=mXG{VXo);`ePi=Phw$%Dg`v zaXh{+;c>ghUqkO3-;+Kt{?GK0@%Pim#+TEl#!sZjZu9pgoaZy?3FG1Olun` zeaB*?{y&^4+{vWyijQG_Hd=r;>aonvj*HIQn=acNzjXz6o zi0gVf;^=&q^IdTqH~w>X;kJSC3il`C+DQ!j?ZWG8*E9WoQvB3K-f)=}N9PTk&xv2Y z)!ckh9P6BN9aV93*71HdjlYHcmbmtN;^^$h`M$XRTpNjFJvHvfc>cn92%le=632Xw z`x)ac?w7=|p3S+Qvbg^9dqW)ai#gvEuWaM4;MNt#{LY;3iR-_I8j556={tRBDvr+5 zy7%}U{wvNy(ZA$okQc}6G;yWBvS9qqtG!pmwbK#TPS<$ojK#6e+dk*lHxbw0R};VR z*N4Y(Bj=Oi`gh=rIMy@m@qUTpybXA~lJOMxE8IhUQD zxW507#4&#!=f~oDeqwz5aei>Ws+>!SqjLZ|Ipcrk`t#zC$@^_t9G!4~E8=>88{(K> z{CRibwx+oL9@`bi{EnROiR=7G9P_(yek`u%GyY2)eeUlAZ{&PJT>BYu^!Mg`R$S)` z;yC{WuA?H3&T^jrn)v6pa942aiQ{?OyVgI6`o?eUdLN6Ue;xZ1b+_($k9vZ}{2Fl?ANud{y8H8jInRp69S``p7L4cb_P42sxz4SX?_P9v|!1PTF|rl*DzNWpVv|xGs+Q$9caR;yT|E$NV$laS_+wmj>cE&lT=Z z#L?-oleow2xGlU-#=hwHlj4^x@`lT-I68|tpA*;lqBzzwz}XeoOq7 z`g24aomX?dFRs6@j>R#b;rv8g=Mx*om;x%k0R1565wjzQsRJa>l1W z^q_%GyraxAX%iQmkYHM?IrUl7;%s<_VA#OJwW<7bO!;g0xO z@^h^#{$BB(@v>iDtZzL08D?NSi-WsuXuL%q8IRBR^JC)``b7LZIsa4f$2Rwk+2#HI zdpu9REYI_}@o>Kq;^+8NHVY)hCvtvL;-$wh9P=OJd{bQC2fE^zKZ)}_ah)HE<2)3&KNUykKz5QmPvQOc)AW@1_qTC3 z;Fc3d=UmR`#dW?YzN0+PTjF@jXx;D6XHWb}d0Zyqm|ygOpO636FDyJ>33^(5OL<*X z#L-D|zG{5)2YtUKj{E!k+5UKKasBz#7svcI4L?5+*WXLW;&{C3+>igx-!42Z;q!gd z#&=*pBd*Vff;iUm2F@47cb3PuB98SWxZe;*=fQ9u#4(>8y9>AV#W5c~KX@q4|5Rc& zpWyAn<9OH~{P|BBZ_^9n=pPvFm$;sXsyODCalR(5^G)%%oA3O7w#-;p9G&oa!+r5X zxA3#GOWrQruYY=k&s*aU&~xJGPr1&#xIW*?;+Wt1%l_CEahoL16pNvaRIBDgYWk<%AoUmrK|5^^;tzN!j z*^)KOt7~FQR)6&9Wowp&ubAC^$?h-g9(BT+tnTdo_qzAyJ=`8r%gaX`vwGRe<=kZv z*BrO%xHU&CTfKVONxbeDCz}9CREpeBa*u!}9$ZcnG(7Bsl5o+PVADW?yWwjw;`Xh-`rD^Az4;60FF2kDSie1g zJ>I^)KHO6u3hVZJ`25lrfBdSe@W{Hy_1*sVc>HkNaQpE1o$L$~c#Z3pU$>p##gjv} zaQi?fx^G_W`P2QuD`q1j-X6!tkNa@@aQx3W!!z`M9sg_o_+j3S%(k!}zSf++*zub` z_Qwy$!SV4n6K)s$tIqI9+2a@fkH^Q`>x&(~^CHK`{j|rw%-M^b|00i{= "v7" // will be something like v5, v7, v8, v8l +} diff --git a/pkg/tls/internal/cpu/cpu_arm64.go b/pkg/tls/internal/cpu/cpu_arm64.go new file mode 100644 index 000000000..4a302f27d --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_arm64.go @@ -0,0 +1,69 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package cpu + +// CacheLinePadSize is used to prevent false sharing of cache lines. +// We choose 128 because Apple Silicon, a.k.a. M1, has 128-byte cache line size. +// It doesn't cost much and is much more future-proof. +const CacheLinePadSize = 128 + +func doinit() { + options = []option{ + {Name: "aes", Feature: &ARM64.HasAES}, + {Name: "pmull", Feature: &ARM64.HasPMULL}, + {Name: "sha1", Feature: &ARM64.HasSHA1}, + {Name: "sha2", Feature: &ARM64.HasSHA2}, + {Name: "sha512", Feature: &ARM64.HasSHA512}, + {Name: "crc32", Feature: &ARM64.HasCRC32}, + {Name: "atomics", Feature: &ARM64.HasATOMICS}, + {Name: "cpuid", Feature: &ARM64.HasCPUID}, + {Name: "isNeoverse", Feature: &ARM64.IsNeoverse}, + } + + // arm64 uses different ways to detect CPU features at runtime depending on the operating system. + osInit() +} + +func getisar0() uint64 + +func getMIDR() uint64 + +func extractBits(data uint64, start, end uint) uint { + return (uint)(data>>start) & ((1 << (end - start + 1)) - 1) +} + +func parseARM64SystemRegisters(isar0 uint64) { + // ID_AA64ISAR0_EL1 + switch extractBits(isar0, 4, 7) { + case 1: + ARM64.HasAES = true + case 2: + ARM64.HasAES = true + ARM64.HasPMULL = true + } + + switch extractBits(isar0, 8, 11) { + case 1: + ARM64.HasSHA1 = true + } + + switch extractBits(isar0, 12, 15) { + case 1: + ARM64.HasSHA2 = true + case 2: + ARM64.HasSHA2 = true + ARM64.HasSHA512 = true + } + + switch extractBits(isar0, 16, 19) { + case 1: + ARM64.HasCRC32 = true + } + + switch extractBits(isar0, 20, 23) { + case 2: + ARM64.HasATOMICS = true + } +} diff --git a/pkg/tls/internal/cpu/cpu_arm64.s b/pkg/tls/internal/cpu/cpu_arm64.s new file mode 100644 index 000000000..d6e7f4437 --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_arm64.s @@ -0,0 +1,18 @@ +// Copyright 2020 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +#include "textflag.h" + +// func getisar0() uint64 +TEXT ·getisar0(SB),NOSPLIT,$0 + // get Instruction Set Attributes 0 into R0 + MRS ID_AA64ISAR0_EL1, R0 + MOVD R0, ret+0(FP) + RET + +// func getMIDR() uint64 +TEXT ·getMIDR(SB), NOSPLIT, $0-8 + MRS MIDR_EL1, R0 + MOVD R0, ret+0(FP) + RET diff --git a/pkg/tls/internal/cpu/cpu_arm64_android.go b/pkg/tls/internal/cpu/cpu_arm64_android.go new file mode 100644 index 000000000..fbdf7baca --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_arm64_android.go @@ -0,0 +1,11 @@ +// Copyright 2020 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build arm64 + +package cpu + +func osInit() { + hwcapInit("android") +} diff --git a/pkg/tls/internal/cpu/cpu_arm64_darwin.go b/pkg/tls/internal/cpu/cpu_arm64_darwin.go new file mode 100644 index 000000000..60beadddb --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_arm64_darwin.go @@ -0,0 +1,33 @@ +// Copyright 2020 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build arm64 && darwin && !ios + +package cpu + +func osInit() { + ARM64.HasATOMICS = sysctlEnabled([]byte("hw.optional.armv8_1_atomics\x00")) + ARM64.HasCRC32 = sysctlEnabled([]byte("hw.optional.armv8_crc32\x00")) + ARM64.HasSHA512 = sysctlEnabled([]byte("hw.optional.armv8_2_sha512\x00")) + + // There are no hw.optional sysctl values for the below features on Mac OS 11.0 + // to detect their supported state dynamically. Assume the CPU features that + // Apple Silicon M1 supports to be available as a minimal set of features + // to all Go programs running on darwin/arm64. + ARM64.HasAES = true + ARM64.HasPMULL = true + ARM64.HasSHA1 = true + ARM64.HasSHA2 = true +} + +//go:noescape +func getsysctlbyname(name []byte) (int32, int32) + +func sysctlEnabled(name []byte) bool { + ret, value := getsysctlbyname(name) + if ret < 0 { + return false + } + return value > 0 +} diff --git a/pkg/tls/internal/cpu/cpu_arm64_freebsd.go b/pkg/tls/internal/cpu/cpu_arm64_freebsd.go new file mode 100644 index 000000000..96ed359ca --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_arm64_freebsd.go @@ -0,0 +1,14 @@ +// Copyright 2020 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build arm64 + +package cpu + +func osInit() { + // Retrieve info from system register ID_AA64ISAR0_EL1. + isar0 := getisar0() + + parseARM64SystemRegisters(isar0) +} diff --git a/pkg/tls/internal/cpu/cpu_arm64_hwcap.go b/pkg/tls/internal/cpu/cpu_arm64_hwcap.go new file mode 100644 index 000000000..2fabbb6ed --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_arm64_hwcap.go @@ -0,0 +1,66 @@ +// Copyright 2020 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build arm64 && linux + +package cpu + +// HWCap may be initialized by archauxv and +// should not be changed after it was initialized. +var HWCap uint + +// HWCAP bits. These are exposed by Linux. +const ( + hwcap_AES = 1 << 3 + hwcap_PMULL = 1 << 4 + hwcap_SHA1 = 1 << 5 + hwcap_SHA2 = 1 << 6 + hwcap_CRC32 = 1 << 7 + hwcap_ATOMICS = 1 << 8 + hwcap_CPUID = 1 << 11 + hwcap_SHA512 = 1 << 21 +) + +func hwcapInit(os string) { + // HWCap was populated by the runtime from the auxiliary vector. + // Use HWCap information since reading aarch64 system registers + // is not supported in user space on older linux kernels. + ARM64.HasAES = isSet(HWCap, hwcap_AES) + ARM64.HasPMULL = isSet(HWCap, hwcap_PMULL) + ARM64.HasSHA1 = isSet(HWCap, hwcap_SHA1) + ARM64.HasSHA2 = isSet(HWCap, hwcap_SHA2) + ARM64.HasCRC32 = isSet(HWCap, hwcap_CRC32) + ARM64.HasCPUID = isSet(HWCap, hwcap_CPUID) + ARM64.HasSHA512 = isSet(HWCap, hwcap_SHA512) + + // The Samsung S9+ kernel reports support for atomics, but not all cores + // actually support them, resulting in SIGILL. See issue #28431. + // TODO(elias.naur): Only disable the optimization on bad chipsets on android. + ARM64.HasATOMICS = isSet(HWCap, hwcap_ATOMICS) && os != "android" + + // Check to see if executing on a Neoverse core and in order to do that, + // check the AUXV for the CPUID bit. The getMIDR function executes an + // instruction which would normally be an illegal instruction, but it's + // trapped by the kernel, the value sanitized and then returned. + // Without the CPUID bit the kernel will not trap the instruction and the + // process will be terminated with SIGILL. + if ARM64.HasCPUID { + midr := getMIDR() + part_num := uint16((midr >> 4) & 0xfff) + implementor := byte((midr >> 24) & 0xff) + + // d0c - NeoverseN1 + // d40 - NeoverseV1 + // d49 - NeoverseN2 + // d4f - NeoverseV2 + if implementor == 'A' && (part_num == 0xd0c || part_num == 0xd40 || + part_num == 0xd49 || part_num == 0xd4f) { + ARM64.IsNeoverse = true + } + } +} + +func isSet(hwc uint, value uint) bool { + return hwc&value != 0 +} diff --git a/pkg/tls/internal/cpu/cpu_arm64_linux.go b/pkg/tls/internal/cpu/cpu_arm64_linux.go new file mode 100644 index 000000000..d746bdb06 --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_arm64_linux.go @@ -0,0 +1,11 @@ +// Copyright 2020 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build arm64 && linux && !android + +package cpu + +func osInit() { + hwcapInit("linux") +} diff --git a/pkg/tls/internal/cpu/cpu_arm64_openbsd.go b/pkg/tls/internal/cpu/cpu_arm64_openbsd.go new file mode 100644 index 000000000..12593098e --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_arm64_openbsd.go @@ -0,0 +1,28 @@ +// Copyright 2022 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build arm64 + +package cpu + +const ( + // From OpenBSD's sys/sysctl.h. + _CTL_MACHDEP = 7 + + // From OpenBSD's machine/cpu.h. + _CPU_ID_AA64ISAR0 = 2 + _CPU_ID_AA64ISAR1 = 3 +) + +//go:noescape +func sysctlUint64(mib []uint32) (uint64, bool) + +func osInit() { + // Get ID_AA64ISAR0 from sysctl. + isar0, ok := sysctlUint64([]uint32{_CTL_MACHDEP, _CPU_ID_AA64ISAR0}) + if !ok { + return + } + parseARM64SystemRegisters(isar0) +} diff --git a/pkg/tls/internal/cpu/cpu_arm64_other.go b/pkg/tls/internal/cpu/cpu_arm64_other.go new file mode 100644 index 000000000..44592cfce --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_arm64_other.go @@ -0,0 +1,13 @@ +// Copyright 2020 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build arm64 && !linux && !freebsd && !android && (!darwin || ios) && !openbsd + +package cpu + +func osInit() { + // Other operating systems do not support reading HWCap from auxiliary vector, + // reading privileged aarch64 system registers or sysctl in user space to detect + // CPU features at runtime. +} diff --git a/pkg/tls/internal/cpu/cpu_loong64.go b/pkg/tls/internal/cpu/cpu_loong64.go new file mode 100644 index 000000000..1c90c24fe --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_loong64.go @@ -0,0 +1,13 @@ +// Copyright 2022 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build loong64 + +package cpu + +// CacheLinePadSize is used to prevent false sharing of cache lines. +// We choose 64 because Loongson 3A5000 the L1 Dcache is 4-way 256-line 64-byte-per-line. +const CacheLinePadSize = 64 + +func doinit() {} diff --git a/pkg/tls/internal/cpu/cpu_mips.go b/pkg/tls/internal/cpu/cpu_mips.go new file mode 100644 index 000000000..14a9c975e --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_mips.go @@ -0,0 +1,10 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package cpu + +const CacheLinePadSize = 32 + +func doinit() { +} diff --git a/pkg/tls/internal/cpu/cpu_mips64x.go b/pkg/tls/internal/cpu/cpu_mips64x.go new file mode 100644 index 000000000..c452ffd8b --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_mips64x.go @@ -0,0 +1,32 @@ +// Copyright 2019 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build mips64 || mips64le + +package cpu + +const CacheLinePadSize = 32 + +// This is initialized by archauxv and should not be changed after it is +// initialized. +var HWCap uint + +// HWCAP bits. These are exposed by the Linux kernel 5.4. +const ( + // CPU features + hwcap_MIPS_MSA = 1 << 1 +) + +func doinit() { + options = []option{ + {Name: "msa", Feature: &MIPS64X.HasMSA}, + } + + // HWCAP feature bits + MIPS64X.HasMSA = isSet(HWCap, hwcap_MIPS_MSA) +} + +func isSet(hwc uint, value uint) bool { + return hwc&value != 0 +} diff --git a/pkg/tls/internal/cpu/cpu_mipsle.go b/pkg/tls/internal/cpu/cpu_mipsle.go new file mode 100644 index 000000000..14a9c975e --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_mipsle.go @@ -0,0 +1,10 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package cpu + +const CacheLinePadSize = 32 + +func doinit() { +} diff --git a/pkg/tls/internal/cpu/cpu_no_name.go b/pkg/tls/internal/cpu/cpu_no_name.go new file mode 100644 index 000000000..2adfa1b70 --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_no_name.go @@ -0,0 +1,18 @@ +// Copyright 2020 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build !386 && !amd64 && !ppc64 && !ppc64le + +package cpu + +// Name returns the CPU name given by the vendor +// if it can be read directly from memory or by CPU instructions. +// If the CPU name can not be determined an empty string is returned. +// +// Implementations that use the Operating System (e.g. sysctl or /sys/) +// to gather CPU information for display should be placed in internal/sysinfo. +func Name() string { + // "A CPU has no name". + return "" +} diff --git a/pkg/tls/internal/cpu/cpu_ppc64x.go b/pkg/tls/internal/cpu/cpu_ppc64x.go new file mode 100644 index 000000000..c4a08fe1b --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_ppc64x.go @@ -0,0 +1,35 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build ppc64 || ppc64le + +package cpu + +const CacheLinePadSize = 128 + +func doinit() { + options = []option{ + {Name: "darn", Feature: &PPC64.HasDARN}, + {Name: "scv", Feature: &PPC64.HasSCV}, + {Name: "power9", Feature: &PPC64.IsPOWER9}, + } + + osinit() +} + +func isSet(hwc uint, value uint) bool { + return hwc&value != 0 +} + +func Name() string { + switch { + case PPC64.IsPOWER10: + return "POWER10" + case PPC64.IsPOWER9: + return "POWER9" + case PPC64.IsPOWER8: + return "POWER8" + } + return "" +} diff --git a/pkg/tls/internal/cpu/cpu_ppc64x_aix.go b/pkg/tls/internal/cpu/cpu_ppc64x_aix.go new file mode 100644 index 000000000..f05ed6fad --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_ppc64x_aix.go @@ -0,0 +1,25 @@ +// Copyright 2020 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build ppc64 || ppc64le + +package cpu + +const ( + // getsystemcfg constants + _SC_IMPL = 2 + _IMPL_POWER8 = 0x10000 + _IMPL_POWER9 = 0x20000 + _IMPL_POWER10 = 0x40000 +) + +func osinit() { + impl := getsystemcfg(_SC_IMPL) + PPC64.IsPOWER8 = isSet(impl, _IMPL_POWER8) + PPC64.IsPOWER9 = isSet(impl, _IMPL_POWER9) + PPC64.IsPOWER10 = isSet(impl, _IMPL_POWER10) +} + +// getsystemcfg is defined in runtime/os2_aix.go +func getsystemcfg(label uint) uint diff --git a/pkg/tls/internal/cpu/cpu_ppc64x_linux.go b/pkg/tls/internal/cpu/cpu_ppc64x_linux.go new file mode 100644 index 000000000..9df82ca8a --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_ppc64x_linux.go @@ -0,0 +1,33 @@ +// Copyright 2020 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build ppc64 || ppc64le + +package cpu + +// ppc64 doesn't have a 'cpuid' equivalent, so we rely on HWCAP/HWCAP2. +// These are initialized by archauxv and should not be changed after they are +// initialized. +var HWCap uint +var HWCap2 uint + +// HWCAP bits. These are exposed by Linux. +const ( + // ISA Level + hwcap2_ARCH_2_07 = 0x80000000 + hwcap2_ARCH_3_00 = 0x00800000 + hwcap2_ARCH_3_1 = 0x00040000 + + // CPU features + hwcap2_DARN = 0x00200000 + hwcap2_SCV = 0x00100000 +) + +func osinit() { + PPC64.IsPOWER8 = isSet(HWCap2, hwcap2_ARCH_2_07) + PPC64.IsPOWER9 = isSet(HWCap2, hwcap2_ARCH_3_00) + PPC64.IsPOWER10 = isSet(HWCap2, hwcap2_ARCH_3_1) + PPC64.HasDARN = isSet(HWCap2, hwcap2_DARN) + PPC64.HasSCV = isSet(HWCap2, hwcap2_SCV) +} diff --git a/pkg/tls/internal/cpu/cpu_ppc64x_other.go b/pkg/tls/internal/cpu/cpu_ppc64x_other.go new file mode 100644 index 000000000..d5b629dbe --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_ppc64x_other.go @@ -0,0 +1,13 @@ +// Copyright 2023 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build (ppc64 || ppc64le) && !aix && !linux + +package cpu + +func osinit() { + // Other operating systems do not support reading HWCap from auxiliary vector, + // reading privileged system registers or sysctl in user space to detect CPU + // features at runtime. +} diff --git a/pkg/tls/internal/cpu/cpu_riscv64.go b/pkg/tls/internal/cpu/cpu_riscv64.go new file mode 100644 index 000000000..2173fe888 --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_riscv64.go @@ -0,0 +1,10 @@ +// Copyright 2019 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package cpu + +const CacheLinePadSize = 64 + +func doinit() { +} diff --git a/pkg/tls/internal/cpu/cpu_s390x.go b/pkg/tls/internal/cpu/cpu_s390x.go new file mode 100644 index 000000000..45d8ed27f --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_s390x.go @@ -0,0 +1,205 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package cpu + +const CacheLinePadSize = 256 + +var HWCap uint + +// bitIsSet reports whether the bit at index is set. The bit index +// is in big endian order, so bit index 0 is the leftmost bit. +func bitIsSet(bits []uint64, index uint) bool { + return bits[index/64]&((1<<63)>>(index%64)) != 0 +} + +// function is the function code for the named function. +type function uint8 + +const ( + // KM{,A,C,CTR} function codes + aes128 function = 18 // AES-128 + aes192 function = 19 // AES-192 + aes256 function = 20 // AES-256 + + // K{I,L}MD function codes + sha1 function = 1 // SHA-1 + sha256 function = 2 // SHA-256 + sha512 function = 3 // SHA-512 + sha3_224 function = 32 // SHA3-224 + sha3_256 function = 33 // SHA3-256 + sha3_384 function = 34 // SHA3-384 + sha3_512 function = 35 // SHA3-512 + shake128 function = 36 // SHAKE-128 + shake256 function = 37 // SHAKE-256 + + // KLMD function codes + ghash function = 65 // GHASH +) + +const ( + // KDSA function codes + ecdsaVerifyP256 function = 1 // NIST P256 + ecdsaVerifyP384 function = 2 // NIST P384 + ecdsaVerifyP521 function = 3 // NIST P521 + ecdsaSignP256 function = 9 // NIST P256 + ecdsaSignP384 function = 10 // NIST P384 + ecdsaSignP521 function = 11 // NIST P521 + eddsaVerifyEd25519 function = 32 // Curve25519 + eddsaVerifyEd448 function = 36 // Curve448 + eddsaSignEd25519 function = 40 // Curve25519 + eddsaSignEd448 function = 44 // Curve448 +) + +// queryResult contains the result of a Query function +// call. Bits are numbered in big endian order so the +// leftmost bit (the MSB) is at index 0. +type queryResult struct { + bits [2]uint64 +} + +// Has reports whether the given functions are present. +func (q *queryResult) Has(fns ...function) bool { + if len(fns) == 0 { + panic("no function codes provided") + } + for _, f := range fns { + if !bitIsSet(q.bits[:], uint(f)) { + return false + } + } + return true +} + +// facility is a bit index for the named facility. +type facility uint8 + +const ( + // mandatory facilities + zarch facility = 1 // z architecture mode is active + stflef facility = 7 // store-facility-list-extended + ldisp facility = 18 // long-displacement + eimm facility = 21 // extended-immediate + + // miscellaneous facilities + dfp facility = 42 // decimal-floating-point + etf3eh facility = 30 // extended-translation 3 enhancement + + // cryptography facilities + msa facility = 17 // message-security-assist + msa3 facility = 76 // message-security-assist extension 3 + msa4 facility = 77 // message-security-assist extension 4 + msa5 facility = 57 // message-security-assist extension 5 + msa8 facility = 146 // message-security-assist extension 8 + msa9 facility = 155 // message-security-assist extension 9 + + // vector facilities + vxe facility = 135 // vector-enhancements 1 + + // Note: vx requires kernel support + // and so must be fetched from HWCAP. + + hwcap_VX = 1 << 11 // vector facility +) + +// facilityList contains the result of an STFLE call. +// Bits are numbered in big endian order so the +// leftmost bit (the MSB) is at index 0. +type facilityList struct { + bits [4]uint64 +} + +// Has reports whether the given facilities are present. +func (s *facilityList) Has(fs ...facility) bool { + if len(fs) == 0 { + panic("no facility bits provided") + } + for _, f := range fs { + if !bitIsSet(s.bits[:], uint(f)) { + return false + } + } + return true +} + +// The following feature detection functions are defined in cpu_s390x.s. +// They are likely to be expensive to call so the results should be cached. +func stfle() facilityList +func kmQuery() queryResult +func kmcQuery() queryResult +func kmctrQuery() queryResult +func kmaQuery() queryResult +func kimdQuery() queryResult +func klmdQuery() queryResult +func kdsaQuery() queryResult + +func doinit() { + options = []option{ + {Name: "zarch", Feature: &S390X.HasZARCH}, + {Name: "stfle", Feature: &S390X.HasSTFLE}, + {Name: "ldisp", Feature: &S390X.HasLDISP}, + {Name: "msa", Feature: &S390X.HasMSA}, + {Name: "eimm", Feature: &S390X.HasEIMM}, + {Name: "dfp", Feature: &S390X.HasDFP}, + {Name: "etf3eh", Feature: &S390X.HasETF3EH}, + {Name: "vx", Feature: &S390X.HasVX}, + {Name: "vxe", Feature: &S390X.HasVXE}, + {Name: "kdsa", Feature: &S390X.HasKDSA}, + } + + aes := []function{aes128, aes192, aes256} + facilities := stfle() + + S390X.HasZARCH = facilities.Has(zarch) + S390X.HasSTFLE = facilities.Has(stflef) + S390X.HasLDISP = facilities.Has(ldisp) + S390X.HasEIMM = facilities.Has(eimm) + S390X.HasDFP = facilities.Has(dfp) + S390X.HasETF3EH = facilities.Has(etf3eh) + S390X.HasMSA = facilities.Has(msa) + + if S390X.HasMSA { + // cipher message + km, kmc := kmQuery(), kmcQuery() + S390X.HasAES = km.Has(aes...) + S390X.HasAESCBC = kmc.Has(aes...) + if facilities.Has(msa4) { + kmctr := kmctrQuery() + S390X.HasAESCTR = kmctr.Has(aes...) + } + if facilities.Has(msa8) { + kma := kmaQuery() + S390X.HasAESGCM = kma.Has(aes...) + } + + // compute message digest + kimd := kimdQuery() // intermediate (no padding) + klmd := klmdQuery() // last (padding) + S390X.HasSHA1 = kimd.Has(sha1) && klmd.Has(sha1) + S390X.HasSHA256 = kimd.Has(sha256) && klmd.Has(sha256) + S390X.HasSHA512 = kimd.Has(sha512) && klmd.Has(sha512) + S390X.HasGHASH = kimd.Has(ghash) // KLMD-GHASH does not exist + sha3 := []function{ + sha3_224, sha3_256, sha3_384, sha3_512, + shake128, shake256, + } + S390X.HasSHA3 = kimd.Has(sha3...) && klmd.Has(sha3...) + S390X.HasKDSA = facilities.Has(msa9) // elliptic curves + if S390X.HasKDSA { + kdsa := kdsaQuery() + S390X.HasECDSA = kdsa.Has(ecdsaVerifyP256, ecdsaSignP256, ecdsaVerifyP384, ecdsaSignP384, ecdsaVerifyP521, ecdsaSignP521) + S390X.HasEDDSA = kdsa.Has(eddsaVerifyEd25519, eddsaSignEd25519, eddsaVerifyEd448, eddsaSignEd448) + } + } + + S390X.HasVX = isSet(HWCap, hwcap_VX) + + if S390X.HasVX { + S390X.HasVXE = facilities.Has(vxe) + } +} + +func isSet(hwc uint, value uint) bool { + return hwc&value != 0 +} diff --git a/pkg/tls/internal/cpu/cpu_s390x.s b/pkg/tls/internal/cpu/cpu_s390x.s new file mode 100644 index 000000000..4ffbbde38 --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_s390x.s @@ -0,0 +1,63 @@ +// Copyright 2018 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +#include "textflag.h" + +// func stfle() facilityList +TEXT ·stfle(SB), NOSPLIT|NOFRAME, $0-32 + MOVD $ret+0(FP), R1 + MOVD $3, R0 // last doubleword index to store + XC $32, (R1), (R1) // clear 4 doublewords (32 bytes) + WORD $0xb2b01000 // store facility list extended (STFLE) + RET + +// func kmQuery() queryResult +TEXT ·kmQuery(SB), NOSPLIT|NOFRAME, $0-16 + MOVD $0, R0 // set function code to 0 (KM-Query) + MOVD $ret+0(FP), R1 // address of 16-byte return value + KM R2, R4 // cipher message (KM) + RET + +// func kmcQuery() queryResult +TEXT ·kmcQuery(SB), NOSPLIT|NOFRAME, $0-16 + MOVD $0, R0 // set function code to 0 (KMC-Query) + MOVD $ret+0(FP), R1 // address of 16-byte return value + KMC R2, R4 // cipher message with chaining (KMC) + RET + +// func kmctrQuery() queryResult +TEXT ·kmctrQuery(SB), NOSPLIT|NOFRAME, $0-16 + MOVD $0, R0 // set function code to 0 (KMCTR-Query) + MOVD $ret+0(FP), R1 // address of 16-byte return value + KMCTR R2, R4, R4 // cipher message with counter (KMCTR) + RET + +// func kmaQuery() queryResult +TEXT ·kmaQuery(SB), NOSPLIT|NOFRAME, $0-16 + MOVD $0, R0 // set function code to 0 (KMA-Query) + MOVD $ret+0(FP), R1 // address of 16-byte return value + KMA R2, R6, R4 // cipher message with authentication (KMA) + RET + +// func kimdQuery() queryResult +TEXT ·kimdQuery(SB), NOSPLIT|NOFRAME, $0-16 + MOVD $0, R0 // set function code to 0 (KIMD-Query) + MOVD $ret+0(FP), R1 // address of 16-byte return value + KIMD R2, R4 // compute intermediate message digest (KIMD) + RET + +// func klmdQuery() queryResult +TEXT ·klmdQuery(SB), NOSPLIT|NOFRAME, $0-16 + MOVD $0, R0 // set function code to 0 (KLMD-Query) + MOVD $ret+0(FP), R1 // address of 16-byte return value + KLMD R2, R4 // compute last message digest (KLMD) + RET + +// func kdsaQuery() queryResult +TEXT ·kdsaQuery(SB), NOSPLIT|NOFRAME, $0-16 + MOVD $0, R0 // set function code to 0 (KLMD-Query) + MOVD $ret+0(FP), R1 // address of 16-byte return value + KDSA R0, R4 // compute digital signature authentication + RET + diff --git a/pkg/tls/internal/cpu/cpu_s390x_test.go b/pkg/tls/internal/cpu/cpu_s390x_test.go new file mode 100644 index 000000000..000c6ca27 --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_s390x_test.go @@ -0,0 +1,64 @@ +// Copyright 2018 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package cpu_test + +import ( + "errors" + "os" + "regexp" + "testing" + + . "github.com/panjf2000/gnet/v2/pkg/tls/internal/cpu" +) + +func getFeatureList() ([]string, error) { + cpuinfo, err := os.ReadFile("/proc/cpuinfo") + if err != nil { + return nil, err + } + r := regexp.MustCompile("features\\s*:\\s*(.*)") + b := r.FindSubmatch(cpuinfo) + if len(b) < 2 { + return nil, errors.New("no feature list in /proc/cpuinfo") + } + return regexp.MustCompile("\\s+").Split(string(b[1]), -1), nil +} + +func TestS390XAgainstCPUInfo(t *testing.T) { + // mapping of linux feature strings to S390X fields + mapping := make(map[string]*bool) + for _, option := range Options { + mapping[option.Name] = option.Feature + } + + // these must be true on the machines Go supports + mandatory := make(map[string]bool) + mandatory["zarch"] = false + mandatory["eimm"] = false + mandatory["ldisp"] = false + mandatory["stfle"] = false + + features, err := getFeatureList() + if err != nil { + t.Error(err) + } + for _, feature := range features { + if _, ok := mandatory[feature]; ok { + mandatory[feature] = true + } + if flag, ok := mapping[feature]; ok { + if !*flag { + t.Errorf("feature '%v' not detected", feature) + } + } else { + t.Logf("no entry for '%v'", feature) + } + } + for k, v := range mandatory { + if !v { + t.Errorf("mandatory feature '%v' not detected", k) + } + } +} diff --git a/pkg/tls/internal/cpu/cpu_test.go b/pkg/tls/internal/cpu/cpu_test.go new file mode 100644 index 000000000..90e240c44 --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_test.go @@ -0,0 +1,63 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package cpu_test + +import ( + "internal/testenv" + "os" + "os/exec" + "testing" + + "github.com/panjf2000/gnet/v2/pkg/tls/internal/godebug" + + . "github.com/panjf2000/gnet/v2/pkg/tls/internal/cpu" +) + +func MustHaveDebugOptionsSupport(t *testing.T) { + if !DebugOptions { + t.Skipf("skipping test: cpu feature options not supported by OS") + } +} + +func MustSupportFeatureDetection(t *testing.T) { + // TODO: add platforms that do not have CPU feature detection support. +} + +func runDebugOptionsTest(t *testing.T, test string, options string) { + MustHaveDebugOptionsSupport(t) + + testenv.MustHaveExec(t) + + env := "GODEBUG=" + options + + cmd := exec.Command(os.Args[0], "-test.run=^"+test+"$") + cmd.Env = append(cmd.Env, env) + + output, err := cmd.CombinedOutput() + if err != nil { + t.Fatalf("%s with %s: run failed: %v output:\n%s\n", + test, env, err, string(output)) + } +} + +func TestDisableAllCapabilities(t *testing.T) { + MustSupportFeatureDetection(t) + runDebugOptionsTest(t, "TestAllCapabilitiesDisabled", "cpu.all=off") +} + +func TestAllCapabilitiesDisabled(t *testing.T) { + MustHaveDebugOptionsSupport(t) + + if godebug.New("#cpu.all").Value() != "off" { + t.Skipf("skipping test: GODEBUG=cpu.all=off not set") + } + + for _, o := range Options { + want := false + if got := *o.Feature; got != want { + t.Errorf("%v: expected %v, got %v", o.Name, want, got) + } + } +} diff --git a/pkg/tls/internal/cpu/cpu_wasm.go b/pkg/tls/internal/cpu/cpu_wasm.go new file mode 100644 index 000000000..2310ad6a4 --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_wasm.go @@ -0,0 +1,10 @@ +// Copyright 2018 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package cpu + +const CacheLinePadSize = 64 + +func doinit() { +} diff --git a/pkg/tls/internal/cpu/cpu_x86.go b/pkg/tls/internal/cpu/cpu_x86.go new file mode 100644 index 000000000..f8aa53abe --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_x86.go @@ -0,0 +1,215 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build 386 || amd64 + +package cpu + +const CacheLinePadSize = 64 + +// cpuid is implemented in cpu_x86.s. +func cpuid(eaxArg, ecxArg uint32) (eax, ebx, ecx, edx uint32) + +// xgetbv with ecx = 0 is implemented in cpu_x86.s. +func xgetbv() (eax, edx uint32) + +// getGOAMD64level is implemented in cpu_x86.s. Returns number in [1,4]. +func getGOAMD64level() int32 + +const ( + // edx bits + cpuid_SSE2 = 1 << 26 + + // ecx bits + cpuid_SSE3 = 1 << 0 + cpuid_PCLMULQDQ = 1 << 1 + cpuid_SSSE3 = 1 << 9 + cpuid_FMA = 1 << 12 + cpuid_SSE41 = 1 << 19 + cpuid_SSE42 = 1 << 20 + cpuid_POPCNT = 1 << 23 + cpuid_AES = 1 << 25 + cpuid_OSXSAVE = 1 << 27 + cpuid_AVX = 1 << 28 + + // ebx bits + cpuid_BMI1 = 1 << 3 + cpuid_AVX2 = 1 << 5 + cpuid_BMI2 = 1 << 8 + cpuid_ERMS = 1 << 9 + cpuid_AVX512F = 1 << 16 + cpuid_ADX = 1 << 19 + cpuid_SHA = 1 << 29 + cpuid_AVX512BW = 1 << 30 + cpuid_AVX512VL = 1 << 31 + + // edx bits for CPUID 0x80000001 + cpuid_RDTSCP = 1 << 27 +) + +var maxExtendedFunctionInformation uint32 + +func doinit() { + options = []option{ + {Name: "adx", Feature: &X86.HasADX}, + {Name: "aes", Feature: &X86.HasAES}, + {Name: "erms", Feature: &X86.HasERMS}, + {Name: "pclmulqdq", Feature: &X86.HasPCLMULQDQ}, + {Name: "rdtscp", Feature: &X86.HasRDTSCP}, + {Name: "sha", Feature: &X86.HasSHA}, + } + level := getGOAMD64level() + if level < 2 { + // These options are required at level 2. At lower levels + // they can be turned off. + options = append(options, + option{Name: "popcnt", Feature: &X86.HasPOPCNT}, + option{Name: "sse3", Feature: &X86.HasSSE3}, + option{Name: "sse41", Feature: &X86.HasSSE41}, + option{Name: "sse42", Feature: &X86.HasSSE42}, + option{Name: "ssse3", Feature: &X86.HasSSSE3}) + } + if level < 3 { + // These options are required at level 3. At lower levels + // they can be turned off. + options = append(options, + option{Name: "avx", Feature: &X86.HasAVX}, + option{Name: "avx2", Feature: &X86.HasAVX2}, + option{Name: "bmi1", Feature: &X86.HasBMI1}, + option{Name: "bmi2", Feature: &X86.HasBMI2}, + option{Name: "fma", Feature: &X86.HasFMA}) + } + if level < 4 { + // These options are required at level 4. At lower levels + // they can be turned off. + options = append(options, + option{Name: "avx512f", Feature: &X86.HasAVX512F}, + option{Name: "avx512bw", Feature: &X86.HasAVX512BW}, + option{Name: "avx512vl", Feature: &X86.HasAVX512VL}, + ) + } + + maxID, _, _, _ := cpuid(0, 0) + + if maxID < 1 { + return + } + + maxExtendedFunctionInformation, _, _, _ = cpuid(0x80000000, 0) + + _, _, ecx1, _ := cpuid(1, 0) + + X86.HasSSE3 = isSet(ecx1, cpuid_SSE3) + X86.HasPCLMULQDQ = isSet(ecx1, cpuid_PCLMULQDQ) + X86.HasSSSE3 = isSet(ecx1, cpuid_SSSE3) + X86.HasSSE41 = isSet(ecx1, cpuid_SSE41) + X86.HasSSE42 = isSet(ecx1, cpuid_SSE42) + X86.HasPOPCNT = isSet(ecx1, cpuid_POPCNT) + X86.HasAES = isSet(ecx1, cpuid_AES) + + // OSXSAVE can be false when using older Operating Systems + // or when explicitly disabled on newer Operating Systems by + // e.g. setting the xsavedisable boot option on Windows 10. + X86.HasOSXSAVE = isSet(ecx1, cpuid_OSXSAVE) + + // The FMA instruction set extension only has VEX prefixed instructions. + // VEX prefixed instructions require OSXSAVE to be enabled. + // See Intel 64 and IA-32 Architecture Software Developer’s Manual Volume 2 + // Section 2.4 "AVX and SSE Instruction Exception Specification" + X86.HasFMA = isSet(ecx1, cpuid_FMA) && X86.HasOSXSAVE + + osSupportsAVX := false + osSupportsAVX512 := false + // For XGETBV, OSXSAVE bit is required and sufficient. + if X86.HasOSXSAVE { + eax, _ := xgetbv() + // Check if XMM and YMM registers have OS support. + osSupportsAVX = isSet(eax, 1<<1) && isSet(eax, 1<<2) + + // AVX512 detection does not work on Darwin, + // see https://github.com/golang/go/issues/49233 + // + // Check if opmask, ZMMhi256 and Hi16_ZMM have OS support. + osSupportsAVX512 = osSupportsAVX && isSet(eax, 1<<5) && isSet(eax, 1<<6) && isSet(eax, 1<<7) + } + + X86.HasAVX = isSet(ecx1, cpuid_AVX) && osSupportsAVX + + if maxID < 7 { + return + } + + _, ebx7, _, _ := cpuid(7, 0) + X86.HasBMI1 = isSet(ebx7, cpuid_BMI1) + X86.HasAVX2 = isSet(ebx7, cpuid_AVX2) && osSupportsAVX + X86.HasBMI2 = isSet(ebx7, cpuid_BMI2) + X86.HasERMS = isSet(ebx7, cpuid_ERMS) + X86.HasADX = isSet(ebx7, cpuid_ADX) + X86.HasSHA = isSet(ebx7, cpuid_SHA) + + X86.HasAVX512F = isSet(ebx7, cpuid_AVX512F) && osSupportsAVX512 + if X86.HasAVX512F { + X86.HasAVX512BW = isSet(ebx7, cpuid_AVX512BW) + X86.HasAVX512VL = isSet(ebx7, cpuid_AVX512VL) + } + + var maxExtendedInformation uint32 + maxExtendedInformation, _, _, _ = cpuid(0x80000000, 0) + + if maxExtendedInformation < 0x80000001 { + return + } + + _, _, _, edxExt1 := cpuid(0x80000001, 0) + X86.HasRDTSCP = isSet(edxExt1, cpuid_RDTSCP) +} + +func isSet(hwc uint32, value uint32) bool { + return hwc&value != 0 +} + +// Name returns the CPU name given by the vendor. +// If the CPU name can not be determined an +// empty string is returned. +func Name() string { + if maxExtendedFunctionInformation < 0x80000004 { + return "" + } + + data := make([]byte, 0, 3*4*4) + + var eax, ebx, ecx, edx uint32 + eax, ebx, ecx, edx = cpuid(0x80000002, 0) + data = appendBytes(data, eax, ebx, ecx, edx) + eax, ebx, ecx, edx = cpuid(0x80000003, 0) + data = appendBytes(data, eax, ebx, ecx, edx) + eax, ebx, ecx, edx = cpuid(0x80000004, 0) + data = appendBytes(data, eax, ebx, ecx, edx) + + // Trim leading spaces. + for len(data) > 0 && data[0] == ' ' { + data = data[1:] + } + + // Trim tail after and including the first null byte. + for i, c := range data { + if c == '\x00' { + data = data[:i] + break + } + } + + return string(data) +} + +func appendBytes(b []byte, args ...uint32) []byte { + for _, arg := range args { + b = append(b, + byte((arg >> 0)), + byte((arg >> 8)), + byte((arg >> 16)), + byte((arg >> 24))) + } + return b +} diff --git a/pkg/tls/internal/cpu/cpu_x86.s b/pkg/tls/internal/cpu/cpu_x86.s new file mode 100644 index 000000000..2ee8eca24 --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_x86.s @@ -0,0 +1,43 @@ +// Copyright 2017 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build 386 || amd64 + +#include "textflag.h" + +// func cpuid(eaxArg, ecxArg uint32) (eax, ebx, ecx, edx uint32) +TEXT ·cpuid(SB), NOSPLIT, $0-24 + MOVL eaxArg+0(FP), AX + MOVL ecxArg+4(FP), CX + CPUID + MOVL AX, eax+8(FP) + MOVL BX, ebx+12(FP) + MOVL CX, ecx+16(FP) + MOVL DX, edx+20(FP) + RET + +// func xgetbv() (eax, edx uint32) +TEXT ·xgetbv(SB),NOSPLIT,$0-8 + MOVL $0, CX + XGETBV + MOVL AX, eax+0(FP) + MOVL DX, edx+4(FP) + RET + +// func getGOAMD64level() int32 +TEXT ·getGOAMD64level(SB),NOSPLIT,$0-4 +#ifdef GOAMD64_v4 + MOVL $4, ret+0(FP) +#else +#ifdef GOAMD64_v3 + MOVL $3, ret+0(FP) +#else +#ifdef GOAMD64_v2 + MOVL $2, ret+0(FP) +#else + MOVL $1, ret+0(FP) +#endif +#endif +#endif + RET diff --git a/pkg/tls/internal/cpu/cpu_x86_test.go b/pkg/tls/internal/cpu/cpu_x86_test.go new file mode 100644 index 000000000..16494573e --- /dev/null +++ b/pkg/tls/internal/cpu/cpu_x86_test.go @@ -0,0 +1,59 @@ +// Copyright 2018 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build 386 || amd64 + +package cpu_test + +import ( + "testing" + + "github.com/panjf2000/gnet/v2/pkg/tls/internal/godebug" + + . "github.com/panjf2000/gnet/v2/pkg/tls/internal/cpu" +) + +func TestX86ifAVX2hasAVX(t *testing.T) { + if X86.HasAVX2 && !X86.HasAVX { + t.Fatalf("HasAVX expected true when HasAVX2 is true, got false") + } +} + +func TestX86ifAVX512FhasAVX2(t *testing.T) { + if X86.HasAVX512F && !X86.HasAVX2 { + t.Fatalf("HasAVX2 expected true when HasAVX512F is true, got false") + } +} + +func TestX86ifAVX512BWhasAVX512F(t *testing.T) { + if X86.HasAVX512BW && !X86.HasAVX512F { + t.Fatalf("HasAVX512F expected true when HasAVX512BW is true, got false") + } +} + +func TestX86ifAVX512VLhasAVX512F(t *testing.T) { + if X86.HasAVX512VL && !X86.HasAVX512F { + t.Fatalf("HasAVX512F expected true when HasAVX512VL is true, got false") + } +} + +func TestDisableSSE3(t *testing.T) { + if GetGOAMD64level() > 1 { + t.Skip("skipping test: can't run on GOAMD64>v1 machines") + } + runDebugOptionsTest(t, "TestSSE3DebugOption", "cpu.sse3=off") +} + +func TestSSE3DebugOption(t *testing.T) { + MustHaveDebugOptionsSupport(t) + + if godebug.New("#cpu.sse3").Value() != "off" { + t.Skipf("skipping test: GODEBUG=cpu.sse3=off not set") + } + + want := false + if got := X86.HasSSE3; got != want { + t.Errorf("X86.HasSSE3 expected %v, got %v", want, got) + } +} diff --git a/pkg/tls/internal/cpu/export_test.go b/pkg/tls/internal/cpu/export_test.go new file mode 100644 index 000000000..91bfc1bbc --- /dev/null +++ b/pkg/tls/internal/cpu/export_test.go @@ -0,0 +1,9 @@ +// Copyright 2018 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package cpu + +var ( + Options = options +) diff --git a/pkg/tls/internal/cpu/export_x86_test.go b/pkg/tls/internal/cpu/export_x86_test.go new file mode 100644 index 000000000..a12b6f272 --- /dev/null +++ b/pkg/tls/internal/cpu/export_x86_test.go @@ -0,0 +1,11 @@ +// Copyright 2022 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build 386 || amd64 + +package cpu + +var ( + GetGOAMD64level = getGOAMD64level +) diff --git a/pkg/tls/key_agreement.go b/pkg/tls/key_agreement.go new file mode 100644 index 000000000..2c8c5b8d7 --- /dev/null +++ b/pkg/tls/key_agreement.go @@ -0,0 +1,366 @@ +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "crypto" + "crypto/ecdh" + "crypto/md5" + "crypto/rsa" + "crypto/sha1" + "crypto/x509" + "errors" + "fmt" + "io" +) + +// a keyAgreement implements the client and server side of a TLS key agreement +// protocol by generating and processing key exchange messages. +type keyAgreement interface { + // On the server side, the first two methods are called in order. + + // In the case that the key agreement protocol doesn't use a + // ServerKeyExchange message, generateServerKeyExchange can return nil, + // nil. + generateServerKeyExchange(*Config, *Certificate, *clientHelloMsg, *serverHelloMsg) (*serverKeyExchangeMsg, error) + processClientKeyExchange(*Config, *Certificate, *clientKeyExchangeMsg, uint16) ([]byte, error) + + // On the client side, the next two methods are called in order. + + // This method may not be called if the server doesn't send a + // ServerKeyExchange message. + processServerKeyExchange(*Config, *clientHelloMsg, *serverHelloMsg, *x509.Certificate, *serverKeyExchangeMsg) error + generateClientKeyExchange(*Config, *clientHelloMsg, *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) +} + +var errClientKeyExchange = errors.New("tls: invalid ClientKeyExchange message") +var errServerKeyExchange = errors.New("tls: invalid ServerKeyExchange message") + +// rsaKeyAgreement implements the standard TLS key agreement where the client +// encrypts the pre-master secret to the server's public key. +type rsaKeyAgreement struct{} + +func (ka rsaKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) { + return nil, nil +} + +func (ka rsaKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) { + if len(ckx.ciphertext) < 2 { + return nil, errClientKeyExchange + } + ciphertextLen := int(ckx.ciphertext[0])<<8 | int(ckx.ciphertext[1]) + if ciphertextLen != len(ckx.ciphertext)-2 { + return nil, errClientKeyExchange + } + ciphertext := ckx.ciphertext[2:] + + priv, ok := cert.PrivateKey.(crypto.Decrypter) + if !ok { + return nil, errors.New("tls: certificate private key does not implement crypto.Decrypter") + } + // Perform constant time RSA PKCS #1 v1.5 decryption + preMasterSecret, err := priv.Decrypt(config.rand(), ciphertext, &rsa.PKCS1v15DecryptOptions{SessionKeyLen: 48}) + if err != nil { + return nil, err + } + // We don't check the version number in the premaster secret. For one, + // by checking it, we would leak information about the validity of the + // encrypted pre-master secret. Secondly, it provides only a small + // benefit against a downgrade attack and some implementations send the + // wrong version anyway. See the discussion at the end of section + // 7.4.7.1 of RFC 4346. + return preMasterSecret, nil +} + +func (ka rsaKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error { + return errors.New("tls: unexpected ServerKeyExchange") +} + +func (ka rsaKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) { + preMasterSecret := make([]byte, 48) + preMasterSecret[0] = byte(clientHello.vers >> 8) + preMasterSecret[1] = byte(clientHello.vers) + _, err := io.ReadFull(config.rand(), preMasterSecret[2:]) + if err != nil { + return nil, nil, err + } + + rsaKey, ok := cert.PublicKey.(*rsa.PublicKey) + if !ok { + return nil, nil, errors.New("tls: server certificate contains incorrect key type for selected ciphersuite") + } + encrypted, err := rsa.EncryptPKCS1v15(config.rand(), rsaKey, preMasterSecret) + if err != nil { + return nil, nil, err + } + ckx := new(clientKeyExchangeMsg) + ckx.ciphertext = make([]byte, len(encrypted)+2) + ckx.ciphertext[0] = byte(len(encrypted) >> 8) + ckx.ciphertext[1] = byte(len(encrypted)) + copy(ckx.ciphertext[2:], encrypted) + return preMasterSecret, ckx, nil +} + +// sha1Hash calculates a SHA1 hash over the given byte slices. +func sha1Hash(slices [][]byte) []byte { + hsha1 := sha1.New() + for _, slice := range slices { + hsha1.Write(slice) + } + return hsha1.Sum(nil) +} + +// md5SHA1Hash implements TLS 1.0's hybrid hash function which consists of the +// concatenation of an MD5 and SHA1 hash. +func md5SHA1Hash(slices [][]byte) []byte { + md5sha1 := make([]byte, md5.Size+sha1.Size) + hmd5 := md5.New() + for _, slice := range slices { + hmd5.Write(slice) + } + copy(md5sha1, hmd5.Sum(nil)) + copy(md5sha1[md5.Size:], sha1Hash(slices)) + return md5sha1 +} + +// hashForServerKeyExchange hashes the given slices and returns their digest +// using the given hash function (for >= TLS 1.2) or using a default based on +// the sigType (for earlier TLS versions). For Ed25519 signatures, which don't +// do pre-hashing, it returns the concatenation of the slices. +func hashForServerKeyExchange(sigType uint8, hashFunc crypto.Hash, version uint16, slices ...[]byte) []byte { + if sigType == signatureEd25519 { + var signed []byte + for _, slice := range slices { + signed = append(signed, slice...) + } + return signed + } + if version >= VersionTLS12 { + h := hashFunc.New() + for _, slice := range slices { + h.Write(slice) + } + digest := h.Sum(nil) + return digest + } + if sigType == signatureECDSA { + return sha1Hash(slices) + } + return md5SHA1Hash(slices) +} + +// ecdheKeyAgreement implements a TLS key agreement where the server +// generates an ephemeral EC public/private key pair and signs it. The +// pre-master secret is then calculated using ECDH. The signature may +// be ECDSA, Ed25519 or RSA. +type ecdheKeyAgreement struct { + version uint16 + isRSA bool + key *ecdh.PrivateKey + + // ckx and preMasterSecret are generated in processServerKeyExchange + // and returned in generateClientKeyExchange. + ckx *clientKeyExchangeMsg + preMasterSecret []byte +} + +func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config, cert *Certificate, clientHello *clientHelloMsg, hello *serverHelloMsg) (*serverKeyExchangeMsg, error) { + var curveID CurveID + for _, c := range clientHello.supportedCurves { + if config.supportsCurve(c) { + curveID = c + break + } + } + + if curveID == 0 { + return nil, errors.New("tls: no supported elliptic curves offered") + } + if _, ok := curveForCurveID(curveID); !ok { + return nil, errors.New("tls: CurvePreferences includes unsupported curve") + } + + key, err := generateECDHEKey(config.rand(), curveID) + if err != nil { + return nil, err + } + ka.key = key + + // See RFC 4492, Section 5.4. + ecdhePublic := key.PublicKey().Bytes() + serverECDHEParams := make([]byte, 1+2+1+len(ecdhePublic)) + serverECDHEParams[0] = 3 // named curve + serverECDHEParams[1] = byte(curveID >> 8) + serverECDHEParams[2] = byte(curveID) + serverECDHEParams[3] = byte(len(ecdhePublic)) + copy(serverECDHEParams[4:], ecdhePublic) + + priv, ok := cert.PrivateKey.(crypto.Signer) + if !ok { + return nil, fmt.Errorf("tls: certificate private key of type %T does not implement crypto.Signer", cert.PrivateKey) + } + + var signatureAlgorithm SignatureScheme + var sigType uint8 + var sigHash crypto.Hash + if ka.version >= VersionTLS12 { + signatureAlgorithm, err = selectSignatureScheme(ka.version, cert, clientHello.supportedSignatureAlgorithms) + if err != nil { + return nil, err + } + sigType, sigHash, err = typeAndHashFromSignatureScheme(signatureAlgorithm) + if err != nil { + return nil, err + } + } else { + sigType, sigHash, err = legacyTypeAndHashFromPublicKey(priv.Public()) + if err != nil { + return nil, err + } + } + if (sigType == signaturePKCS1v15 || sigType == signatureRSAPSS) != ka.isRSA { + return nil, errors.New("tls: certificate cannot be used with the selected cipher suite") + } + + signed := hashForServerKeyExchange(sigType, sigHash, ka.version, clientHello.random, hello.random, serverECDHEParams) + + signOpts := crypto.SignerOpts(sigHash) + if sigType == signatureRSAPSS { + signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash} + } + sig, err := priv.Sign(config.rand(), signed, signOpts) + if err != nil { + return nil, errors.New("tls: failed to sign ECDHE parameters: " + err.Error()) + } + + skx := new(serverKeyExchangeMsg) + sigAndHashLen := 0 + if ka.version >= VersionTLS12 { + sigAndHashLen = 2 + } + skx.key = make([]byte, len(serverECDHEParams)+sigAndHashLen+2+len(sig)) + copy(skx.key, serverECDHEParams) + k := skx.key[len(serverECDHEParams):] + if ka.version >= VersionTLS12 { + k[0] = byte(signatureAlgorithm >> 8) + k[1] = byte(signatureAlgorithm) + k = k[2:] + } + k[0] = byte(len(sig) >> 8) + k[1] = byte(len(sig)) + copy(k[2:], sig) + + return skx, nil +} + +func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *Certificate, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) { + if len(ckx.ciphertext) == 0 || int(ckx.ciphertext[0]) != len(ckx.ciphertext)-1 { + return nil, errClientKeyExchange + } + + peerKey, err := ka.key.Curve().NewPublicKey(ckx.ciphertext[1:]) + if err != nil { + return nil, errClientKeyExchange + } + preMasterSecret, err := ka.key.ECDH(peerKey) + if err != nil { + return nil, errClientKeyExchange + } + + return preMasterSecret, nil +} + +func (ka *ecdheKeyAgreement) processServerKeyExchange(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, cert *x509.Certificate, skx *serverKeyExchangeMsg) error { + if len(skx.key) < 4 { + return errServerKeyExchange + } + if skx.key[0] != 3 { // named curve + return errors.New("tls: server selected unsupported curve") + } + curveID := CurveID(skx.key[1])<<8 | CurveID(skx.key[2]) + + publicLen := int(skx.key[3]) + if publicLen+4 > len(skx.key) { + return errServerKeyExchange + } + serverECDHEParams := skx.key[:4+publicLen] + publicKey := serverECDHEParams[4:] + + sig := skx.key[4+publicLen:] + if len(sig) < 2 { + return errServerKeyExchange + } + + if _, ok := curveForCurveID(curveID); !ok { + return errors.New("tls: server selected unsupported curve") + } + + key, err := generateECDHEKey(config.rand(), curveID) + if err != nil { + return err + } + ka.key = key + + peerKey, err := key.Curve().NewPublicKey(publicKey) + if err != nil { + return errServerKeyExchange + } + ka.preMasterSecret, err = key.ECDH(peerKey) + if err != nil { + return errServerKeyExchange + } + + ourPublicKey := key.PublicKey().Bytes() + ka.ckx = new(clientKeyExchangeMsg) + ka.ckx.ciphertext = make([]byte, 1+len(ourPublicKey)) + ka.ckx.ciphertext[0] = byte(len(ourPublicKey)) + copy(ka.ckx.ciphertext[1:], ourPublicKey) + + var sigType uint8 + var sigHash crypto.Hash + if ka.version >= VersionTLS12 { + signatureAlgorithm := SignatureScheme(sig[0])<<8 | SignatureScheme(sig[1]) + sig = sig[2:] + if len(sig) < 2 { + return errServerKeyExchange + } + + if !isSupportedSignatureAlgorithm(signatureAlgorithm, clientHello.supportedSignatureAlgorithms) { + return errors.New("tls: certificate used with invalid signature algorithm") + } + sigType, sigHash, err = typeAndHashFromSignatureScheme(signatureAlgorithm) + if err != nil { + return err + } + } else { + sigType, sigHash, err = legacyTypeAndHashFromPublicKey(cert.PublicKey) + if err != nil { + return err + } + } + if (sigType == signaturePKCS1v15 || sigType == signatureRSAPSS) != ka.isRSA { + return errServerKeyExchange + } + + sigLen := int(sig[0])<<8 | int(sig[1]) + if sigLen+2 != len(sig) { + return errServerKeyExchange + } + sig = sig[2:] + + signed := hashForServerKeyExchange(sigType, sigHash, ka.version, clientHello.random, serverHello.random, serverECDHEParams) + if err := verifyHandshakeSignature(sigType, cert.PublicKey, sigHash, signed, sig); err != nil { + return errors.New("tls: invalid signature by the server certificate: " + err.Error()) + } + return nil +} + +func (ka *ecdheKeyAgreement) generateClientKeyExchange(config *Config, clientHello *clientHelloMsg, cert *x509.Certificate) ([]byte, *clientKeyExchangeMsg, error) { + if ka.ckx == nil { + return nil, nil, errors.New("tls: missing ServerKeyExchange message") + } + + return ka.preMasterSecret, ka.ckx, nil +} diff --git a/pkg/tls/key_schedule.go b/pkg/tls/key_schedule.go new file mode 100644 index 000000000..d7f082c9e --- /dev/null +++ b/pkg/tls/key_schedule.go @@ -0,0 +1,159 @@ +// Copyright 2018 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "crypto/ecdh" + "crypto/hmac" + "errors" + "fmt" + "hash" + "io" + + "golang.org/x/crypto/cryptobyte" + "golang.org/x/crypto/hkdf" +) + +// This file contains the functions necessary to compute the TLS 1.3 key +// schedule. See RFC 8446, Section 7. + +const ( + resumptionBinderLabel = "res binder" + clientEarlyTrafficLabel = "c e traffic" + clientHandshakeTrafficLabel = "c hs traffic" + serverHandshakeTrafficLabel = "s hs traffic" + clientApplicationTrafficLabel = "c ap traffic" + serverApplicationTrafficLabel = "s ap traffic" + exporterLabel = "exp master" + resumptionLabel = "res master" + trafficUpdateLabel = "traffic upd" +) + +// expandLabel implements HKDF-Expand-Label from RFC 8446, Section 7.1. +func (c *cipherSuiteTLS13) expandLabel(secret []byte, label string, context []byte, length int) []byte { + var hkdfLabel cryptobyte.Builder + hkdfLabel.AddUint16(uint16(length)) + hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes([]byte("tls13 ")) + b.AddBytes([]byte(label)) + }) + hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(context) + }) + hkdfLabelBytes, err := hkdfLabel.Bytes() + if err != nil { + // Rather than calling BytesOrPanic, we explicitly handle this error, in + // order to provide a reasonable error message. It should be basically + // impossible for this to panic, and routing errors back through the + // tree rooted in this function is quite painful. The labels are fixed + // size, and the context is either a fixed-length computed hash, or + // parsed from a field which has the same length limitation. As such, an + // error here is likely to only be caused during development. + // + // NOTE: another reasonable approach here might be to return a + // randomized slice if we encounter an error, which would break the + // connection, but avoid panicking. This would perhaps be safer but + // significantly more confusing to users. + panic(fmt.Errorf("failed to construct HKDF label: %s", err)) + } + out := make([]byte, length) + n, err := hkdf.Expand(c.hash.New, secret, hkdfLabelBytes).Read(out) + if err != nil || n != length { + panic("tls: HKDF-Expand-Label invocation failed unexpectedly") + } + return out +} + +// deriveSecret implements Derive-Secret from RFC 8446, Section 7.1. +func (c *cipherSuiteTLS13) deriveSecret(secret []byte, label string, transcript hash.Hash) []byte { + if transcript == nil { + transcript = c.hash.New() + } + return c.expandLabel(secret, label, transcript.Sum(nil), c.hash.Size()) +} + +// extract implements HKDF-Extract with the cipher suite hash. +func (c *cipherSuiteTLS13) extract(newSecret, currentSecret []byte) []byte { + if newSecret == nil { + newSecret = make([]byte, c.hash.Size()) + } + return hkdf.Extract(c.hash.New, newSecret, currentSecret) +} + +// nextTrafficSecret generates the next traffic secret, given the current one, +// according to RFC 8446, Section 7.2. +func (c *cipherSuiteTLS13) nextTrafficSecret(trafficSecret []byte) []byte { + return c.expandLabel(trafficSecret, trafficUpdateLabel, nil, c.hash.Size()) +} + +// trafficKey generates traffic keys according to RFC 8446, Section 7.3. +func (c *cipherSuiteTLS13) trafficKey(trafficSecret []byte) (key, iv []byte) { + key = c.expandLabel(trafficSecret, "key", nil, c.keyLen) + iv = c.expandLabel(trafficSecret, "iv", nil, aeadNonceLength) + return +} + +// finishedHash generates the Finished verify_data or PskBinderEntry according +// to RFC 8446, Section 4.4.4. See sections 4.4 and 4.2.11.2 for the baseKey +// selection. +func (c *cipherSuiteTLS13) finishedHash(baseKey []byte, transcript hash.Hash) []byte { + finishedKey := c.expandLabel(baseKey, "finished", nil, c.hash.Size()) + verifyData := hmac.New(c.hash.New, finishedKey) + verifyData.Write(transcript.Sum(nil)) + return verifyData.Sum(nil) +} + +// exportKeyingMaterial implements RFC5705 exporters for TLS 1.3 according to +// RFC 8446, Section 7.5. +func (c *cipherSuiteTLS13) exportKeyingMaterial(masterSecret []byte, transcript hash.Hash) func(string, []byte, int) ([]byte, error) { + expMasterSecret := c.deriveSecret(masterSecret, exporterLabel, transcript) + return func(label string, context []byte, length int) ([]byte, error) { + secret := c.deriveSecret(expMasterSecret, label, nil) + h := c.hash.New() + h.Write(context) + return c.expandLabel(secret, "exporter", h.Sum(nil), length), nil + } +} + +// generateECDHEKey returns a PrivateKey that implements Diffie-Hellman +// according to RFC 8446, Section 4.2.8.2. +func generateECDHEKey(rand io.Reader, curveID CurveID) (*ecdh.PrivateKey, error) { + curve, ok := curveForCurveID(curveID) + if !ok { + return nil, errors.New("tls: internal error: unsupported curve") + } + + return curve.GenerateKey(rand) +} + +func curveForCurveID(id CurveID) (ecdh.Curve, bool) { + switch id { + case X25519: + return ecdh.X25519(), true + case CurveP256: + return ecdh.P256(), true + case CurveP384: + return ecdh.P384(), true + case CurveP521: + return ecdh.P521(), true + default: + return nil, false + } +} + +func curveIDForCurve(curve ecdh.Curve) (CurveID, bool) { + switch curve { + case ecdh.X25519(): + return X25519, true + case ecdh.P256(): + return CurveP256, true + case ecdh.P384(): + return CurveP384, true + case ecdh.P521(): + return CurveP521, true + default: + return 0, false + } +} diff --git a/pkg/tls/key_schedule_test.go b/pkg/tls/key_schedule_test.go new file mode 100644 index 000000000..79ff6a62b --- /dev/null +++ b/pkg/tls/key_schedule_test.go @@ -0,0 +1,175 @@ +// Copyright 2018 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "bytes" + "encoding/hex" + "hash" + "strings" + "testing" + "unicode" +) + +// This file contains tests derived from draft-ietf-tls-tls13-vectors-07. + +func parseVector(v string) []byte { + v = strings.Map(func(c rune) rune { + if unicode.IsSpace(c) { + return -1 + } + return c + }, v) + parts := strings.Split(v, ":") + v = parts[len(parts)-1] + res, err := hex.DecodeString(v) + if err != nil { + panic(err) + } + return res +} + +func TestDeriveSecret(t *testing.T) { + chTranscript := cipherSuitesTLS13[0].hash.New() + chTranscript.Write(parseVector(` + payload (512 octets): 01 00 01 fc 03 03 1b c3 ce b6 bb e3 9c ff + 93 83 55 b5 a5 0a db 6d b2 1b 7a 6a f6 49 d7 b4 bc 41 9d 78 76 + 48 7d 95 00 00 06 13 01 13 03 13 02 01 00 01 cd 00 00 00 0b 00 + 09 00 00 06 73 65 72 76 65 72 ff 01 00 01 00 00 0a 00 14 00 12 + 00 1d 00 17 00 18 00 19 01 00 01 01 01 02 01 03 01 04 00 33 00 + 26 00 24 00 1d 00 20 e4 ff b6 8a c0 5f 8d 96 c9 9d a2 66 98 34 + 6c 6b e1 64 82 ba dd da fe 05 1a 66 b4 f1 8d 66 8f 0b 00 2a 00 + 00 00 2b 00 03 02 03 04 00 0d 00 20 00 1e 04 03 05 03 06 03 02 + 03 08 04 08 05 08 06 04 01 05 01 06 01 02 01 04 02 05 02 06 02 + 02 02 00 2d 00 02 01 01 00 1c 00 02 40 01 00 15 00 57 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 00 29 00 dd 00 b8 00 b2 2c 03 5d 82 93 59 ee 5f f7 af 4e c9 00 + 00 00 00 26 2a 64 94 dc 48 6d 2c 8a 34 cb 33 fa 90 bf 1b 00 70 + ad 3c 49 88 83 c9 36 7c 09 a2 be 78 5a bc 55 cd 22 60 97 a3 a9 + 82 11 72 83 f8 2a 03 a1 43 ef d3 ff 5d d3 6d 64 e8 61 be 7f d6 + 1d 28 27 db 27 9c ce 14 50 77 d4 54 a3 66 4d 4e 6d a4 d2 9e e0 + 37 25 a6 a4 da fc d0 fc 67 d2 ae a7 05 29 51 3e 3d a2 67 7f a5 + 90 6c 5b 3f 7d 8f 92 f2 28 bd a4 0d da 72 14 70 f9 fb f2 97 b5 + ae a6 17 64 6f ac 5c 03 27 2e 97 07 27 c6 21 a7 91 41 ef 5f 7d + e6 50 5e 5b fb c3 88 e9 33 43 69 40 93 93 4a e4 d3 57 fa d6 aa + cb 00 21 20 3a dd 4f b2 d8 fd f8 22 a0 ca 3c f7 67 8e f5 e8 8d + ae 99 01 41 c5 92 4d 57 bb 6f a3 1b 9e 5f 9d`)) + + type args struct { + secret []byte + label string + transcript hash.Hash + } + tests := []struct { + name string + args args + want []byte + }{ + { + `derive secret for handshake "tls13 derived"`, + args{ + parseVector(`PRK (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c e2 + 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a`), + "derived", + nil, + }, + parseVector(`expanded (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba + b6 97 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba`), + }, + { + `derive secret "tls13 c e traffic"`, + args{ + parseVector(`PRK (32 octets): 9b 21 88 e9 b2 fc 6d 64 d7 1d c3 29 90 0e 20 bb + 41 91 50 00 f6 78 aa 83 9c bb 79 7c b7 d8 33 2c`), + "c e traffic", + chTranscript, + }, + parseVector(`expanded (32 octets): 3f bb e6 a6 0d eb 66 c3 0a 32 79 5a ba 0e + ff 7e aa 10 10 55 86 e7 be 5c 09 67 8d 63 b6 ca ab 62`), + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + c := cipherSuitesTLS13[0] + if got := c.deriveSecret(tt.args.secret, tt.args.label, tt.args.transcript); !bytes.Equal(got, tt.want) { + t.Errorf("cipherSuiteTLS13.deriveSecret() = % x, want % x", got, tt.want) + } + }) + } +} + +func TestTrafficKey(t *testing.T) { + trafficSecret := parseVector( + `PRK (32 octets): b6 7b 7d 69 0c c1 6c 4e 75 e5 42 13 cb 2d 37 b4 + e9 c9 12 bc de d9 10 5d 42 be fd 59 d3 91 ad 38`) + wantKey := parseVector( + `key expanded (16 octets): 3f ce 51 60 09 c2 17 27 d0 f2 e4 e8 6e + e4 03 bc`) + wantIV := parseVector( + `iv expanded (12 octets): 5d 31 3e b2 67 12 76 ee 13 00 0b 30`) + + c := cipherSuitesTLS13[0] + gotKey, gotIV := c.trafficKey(trafficSecret) + if !bytes.Equal(gotKey, wantKey) { + t.Errorf("cipherSuiteTLS13.trafficKey() gotKey = % x, want % x", gotKey, wantKey) + } + if !bytes.Equal(gotIV, wantIV) { + t.Errorf("cipherSuiteTLS13.trafficKey() gotIV = % x, want % x", gotIV, wantIV) + } +} + +func TestExtract(t *testing.T) { + type args struct { + newSecret []byte + currentSecret []byte + } + tests := []struct { + name string + args args + want []byte + }{ + { + `extract secret "early"`, + args{ + nil, + nil, + }, + parseVector(`secret (32 octets): 33 ad 0a 1c 60 7e c0 3b 09 e6 cd 98 93 68 0c + e2 10 ad f3 00 aa 1f 26 60 e1 b2 2e 10 f1 70 f9 2a`), + }, + { + `extract secret "master"`, + args{ + nil, + parseVector(`salt (32 octets): 43 de 77 e0 c7 77 13 85 9a 94 4d b9 db 25 90 b5 + 31 90 a6 5b 3e e2 e4 f1 2d d7 a0 bb 7c e2 54 b4`), + }, + parseVector(`secret (32 octets): 18 df 06 84 3d 13 a0 8b f2 a4 49 84 4c 5f 8a + 47 80 01 bc 4d 4c 62 79 84 d5 a4 1d a8 d0 40 29 19`), + }, + { + `extract secret "handshake"`, + args{ + parseVector(`IKM (32 octets): 8b d4 05 4f b5 5b 9d 63 fd fb ac f9 f0 4b 9f 0d + 35 e6 d6 3f 53 75 63 ef d4 62 72 90 0f 89 49 2d`), + parseVector(`salt (32 octets): 6f 26 15 a1 08 c7 02 c5 67 8f 54 fc 9d ba b6 97 + 16 c0 76 18 9c 48 25 0c eb ea c3 57 6c 36 11 ba`), + }, + parseVector(`secret (32 octets): 1d c8 26 e9 36 06 aa 6f dc 0a ad c1 2f 74 1b + 01 04 6a a6 b9 9f 69 1e d2 21 a9 f0 ca 04 3f be ac`), + }, + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + c := cipherSuitesTLS13[0] + if got := c.extract(tt.args.newSecret, tt.args.currentSecret); !bytes.Equal(got, tt.want) { + t.Errorf("cipherSuiteTLS13.extract() = % x, want % x", got, tt.want) + } + }) + } +} diff --git a/pkg/tls/link_test.go b/pkg/tls/link_test.go new file mode 100644 index 000000000..454d370c8 --- /dev/null +++ b/pkg/tls/link_test.go @@ -0,0 +1,107 @@ +// Copyright 2020 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "bytes" + "internal/testenv" + "os" + "os/exec" + "path/filepath" + "testing" +) + +// Tests that the linker is able to remove references to the Client or Server if unused. +func TestLinkerGC(t *testing.T) { + if testing.Short() { + t.Skip("skipping in short mode") + } + t.Parallel() + goBin := testenv.GoToolPath(t) + testenv.MustHaveGoBuild(t) + + tests := []struct { + name string + program string + want []string + bad []string + }{ + { + name: "empty_import", + program: `package main +import _ "crypto/tls" +func main() {} +`, + bad: []string{ + "tls.(*Conn)", + "type:crypto/tls.clientHandshakeState", + "type:crypto/tls.serverHandshakeState", + }, + }, + { + name: "client_and_server", + program: `package main +import "crypto/tls" +func main() { + tls.Dial("", "", nil) + tls.Server(nil, nil) +} +`, + want: []string{ + "crypto/tls.(*Conn).clientHandshake", + "crypto/tls.(*Conn).serverHandshake", + }, + }, + { + name: "only_client", + program: `package main +import "crypto/tls" +func main() { tls.Dial("", "", nil) } +`, + want: []string{ + "crypto/tls.(*Conn).clientHandshake", + }, + bad: []string{ + "crypto/tls.(*Conn).serverHandshake", + }, + }, + // TODO: add only_server like func main() { tls.Server(nil, nil) } + // That currently brings in the client via Conn.handleRenegotiation. + + } + tmpDir := t.TempDir() + goFile := filepath.Join(tmpDir, "x.go") + exeFile := filepath.Join(tmpDir, "x.exe") + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if err := os.WriteFile(goFile, []byte(tt.program), 0644); err != nil { + t.Fatal(err) + } + os.Remove(exeFile) + cmd := exec.Command(goBin, "build", "-o", "x.exe", "x.go") + cmd.Dir = tmpDir + if out, err := cmd.CombinedOutput(); err != nil { + t.Fatalf("compile: %v, %s", err, out) + } + + cmd = exec.Command(goBin, "tool", "nm", "x.exe") + cmd.Dir = tmpDir + nm, err := cmd.CombinedOutput() + if err != nil { + t.Fatalf("nm: %v, %s", err, nm) + } + for _, sym := range tt.want { + if !bytes.Contains(nm, []byte(sym)) { + t.Errorf("expected symbol %q not found", sym) + } + } + for _, sym := range tt.bad { + if bytes.Contains(nm, []byte(sym)) { + t.Errorf("unexpected symbol %q found", sym) + } + } + }) + } +} diff --git a/pkg/tls/notboring.go b/pkg/tls/notboring.go new file mode 100644 index 000000000..7d85b39c5 --- /dev/null +++ b/pkg/tls/notboring.go @@ -0,0 +1,20 @@ +// Copyright 2022 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +//go:build !boringcrypto + +package tls + +func needFIPS() bool { return false } + +func supportedSignatureAlgorithms() []SignatureScheme { + return defaultSupportedSignatureAlgorithms +} + +func fipsMinVersion(c *Config) uint16 { panic("fipsMinVersion") } +func fipsMaxVersion(c *Config) uint16 { panic("fipsMaxVersion") } +func fipsCurvePreferences(c *Config) []CurveID { panic("fipsCurvePreferences") } +func fipsCipherSuites(c *Config) []uint16 { panic("fipsCipherSuites") } + +var fipsSupportedSignatureAlgorithms []SignatureScheme diff --git a/pkg/tls/prf.go b/pkg/tls/prf.go new file mode 100644 index 000000000..a7fa3370e --- /dev/null +++ b/pkg/tls/prf.go @@ -0,0 +1,299 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "crypto" + "crypto/hmac" + "crypto/md5" + "crypto/sha1" + "crypto/sha256" + "crypto/sha512" + "errors" + "fmt" + "hash" +) + +// Split a premaster secret in two as specified in RFC 4346, Section 5. +func splitPreMasterSecret(secret []byte) (s1, s2 []byte) { + s1 = secret[0 : (len(secret)+1)/2] + s2 = secret[len(secret)/2:] + return +} + +// pHash implements the P_hash function, as defined in RFC 4346, Section 5. +func pHash(result, secret, seed []byte, hash func() hash.Hash) { + h := hmac.New(hash, secret) + h.Write(seed) + a := h.Sum(nil) + + j := 0 + for j < len(result) { + h.Reset() + h.Write(a) + h.Write(seed) + b := h.Sum(nil) + copy(result[j:], b) + j += len(b) + + h.Reset() + h.Write(a) + a = h.Sum(nil) + } +} + +// prf10 implements the TLS 1.0 pseudo-random function, as defined in RFC 2246, Section 5. +func prf10(result, secret, label, seed []byte) { + hashSHA1 := sha1.New + hashMD5 := md5.New + + labelAndSeed := make([]byte, len(label)+len(seed)) + copy(labelAndSeed, label) + copy(labelAndSeed[len(label):], seed) + + s1, s2 := splitPreMasterSecret(secret) + pHash(result, s1, labelAndSeed, hashMD5) + result2 := make([]byte, len(result)) + pHash(result2, s2, labelAndSeed, hashSHA1) + + for i, b := range result2 { + result[i] ^= b + } +} + +// prf12 implements the TLS 1.2 pseudo-random function, as defined in RFC 5246, Section 5. +func prf12(hashFunc func() hash.Hash) func(result, secret, label, seed []byte) { + return func(result, secret, label, seed []byte) { + labelAndSeed := make([]byte, len(label)+len(seed)) + copy(labelAndSeed, label) + copy(labelAndSeed[len(label):], seed) + + pHash(result, secret, labelAndSeed, hashFunc) + } +} + +const ( + masterSecretLength = 48 // Length of a master secret in TLS 1.1. + finishedVerifyLength = 12 // Length of verify_data in a Finished message. +) + +var masterSecretLabel = []byte("master secret") +var extendedMasterSecretLabel = []byte("extended master secret") +var keyExpansionLabel = []byte("key expansion") +var clientFinishedLabel = []byte("client finished") +var serverFinishedLabel = []byte("server finished") + +func prfAndHashForVersion(version uint16, suite *cipherSuite) (func(result, secret, label, seed []byte), crypto.Hash) { + switch version { + case VersionTLS10, VersionTLS11: + return prf10, crypto.Hash(0) + case VersionTLS12: + if suite.flags&suiteSHA384 != 0 { + return prf12(sha512.New384), crypto.SHA384 + } + return prf12(sha256.New), crypto.SHA256 + default: + panic("unknown version") + } +} + +func prfForVersion(version uint16, suite *cipherSuite) func(result, secret, label, seed []byte) { + prf, _ := prfAndHashForVersion(version, suite) + return prf +} + +// masterFromPreMasterSecret generates the master secret from the pre-master +// secret. See RFC 5246, Section 8.1. +func masterFromPreMasterSecret(version uint16, suite *cipherSuite, preMasterSecret, clientRandom, serverRandom []byte) []byte { + seed := make([]byte, 0, len(clientRandom)+len(serverRandom)) + seed = append(seed, clientRandom...) + seed = append(seed, serverRandom...) + + masterSecret := make([]byte, masterSecretLength) + prfForVersion(version, suite)(masterSecret, preMasterSecret, masterSecretLabel, seed) + return masterSecret +} + +// extMasterFromPreMasterSecret generates the extended master secret from the +// pre-master secret. See RFC 7627. +func extMasterFromPreMasterSecret(version uint16, suite *cipherSuite, preMasterSecret, transcript []byte) []byte { + masterSecret := make([]byte, masterSecretLength) + prfForVersion(version, suite)(masterSecret, preMasterSecret, extendedMasterSecretLabel, transcript) + return masterSecret +} + +// keysFromMasterSecret generates the connection keys from the master +// secret, given the lengths of the MAC key, cipher key and IV, as defined in +// RFC 2246, Section 6.3. +func keysFromMasterSecret(version uint16, suite *cipherSuite, masterSecret, clientRandom, serverRandom []byte, macLen, keyLen, ivLen int) (clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV []byte) { + seed := make([]byte, 0, len(serverRandom)+len(clientRandom)) + seed = append(seed, serverRandom...) + seed = append(seed, clientRandom...) + + n := 2*macLen + 2*keyLen + 2*ivLen + keyMaterial := make([]byte, n) + prfForVersion(version, suite)(keyMaterial, masterSecret, keyExpansionLabel, seed) + clientMAC = keyMaterial[:macLen] + keyMaterial = keyMaterial[macLen:] + serverMAC = keyMaterial[:macLen] + keyMaterial = keyMaterial[macLen:] + clientKey = keyMaterial[:keyLen] + keyMaterial = keyMaterial[keyLen:] + serverKey = keyMaterial[:keyLen] + keyMaterial = keyMaterial[keyLen:] + clientIV = keyMaterial[:ivLen] + keyMaterial = keyMaterial[ivLen:] + serverIV = keyMaterial[:ivLen] + return +} + +func newFinishedHash(version uint16, cipherSuite *cipherSuite) finishedHash { + var buffer []byte + if version >= VersionTLS12 { + buffer = []byte{} + } + + prf, hash := prfAndHashForVersion(version, cipherSuite) + if hash != 0 { + return finishedHash{hash.New(), hash.New(), nil, nil, buffer, version, prf} + } + + return finishedHash{sha1.New(), sha1.New(), md5.New(), md5.New(), buffer, version, prf} +} + +// A finishedHash calculates the hash of a set of handshake messages suitable +// for including in a Finished message. +type finishedHash struct { + client hash.Hash + server hash.Hash + + // Prior to TLS 1.2, an additional MD5 hash is required. + clientMD5 hash.Hash + serverMD5 hash.Hash + + // In TLS 1.2, a full buffer is sadly required. + buffer []byte + + version uint16 + prf func(result, secret, label, seed []byte) +} + +func (h *finishedHash) Write(msg []byte) (n int, err error) { + h.client.Write(msg) + h.server.Write(msg) + + if h.version < VersionTLS12 { + h.clientMD5.Write(msg) + h.serverMD5.Write(msg) + } + + if h.buffer != nil { + h.buffer = append(h.buffer, msg...) + } + + return len(msg), nil +} + +func (h finishedHash) Sum() []byte { + if h.version >= VersionTLS12 { + return h.client.Sum(nil) + } + + out := make([]byte, 0, md5.Size+sha1.Size) + out = h.clientMD5.Sum(out) + return h.client.Sum(out) +} + +// clientSum returns the contents of the verify_data member of a client's +// Finished message. +func (h finishedHash) clientSum(masterSecret []byte) []byte { + out := make([]byte, finishedVerifyLength) + h.prf(out, masterSecret, clientFinishedLabel, h.Sum()) + return out +} + +// serverSum returns the contents of the verify_data member of a server's +// Finished message. +func (h finishedHash) serverSum(masterSecret []byte) []byte { + out := make([]byte, finishedVerifyLength) + h.prf(out, masterSecret, serverFinishedLabel, h.Sum()) + return out +} + +// hashForClientCertificate returns the handshake messages so far, pre-hashed if +// necessary, suitable for signing by a TLS client certificate. +func (h finishedHash) hashForClientCertificate(sigType uint8, hashAlg crypto.Hash) []byte { + if (h.version >= VersionTLS12 || sigType == signatureEd25519) && h.buffer == nil { + panic("tls: handshake hash for a client certificate requested after discarding the handshake buffer") + } + + if sigType == signatureEd25519 { + return h.buffer + } + + if h.version >= VersionTLS12 { + hash := hashAlg.New() + hash.Write(h.buffer) + return hash.Sum(nil) + } + + if sigType == signatureECDSA { + return h.server.Sum(nil) + } + + return h.Sum() +} + +// discardHandshakeBuffer is called when there is no more need to +// buffer the entirety of the handshake messages. +func (h *finishedHash) discardHandshakeBuffer() { + h.buffer = nil +} + +// noEKMBecauseRenegotiation is used as a value of +// ConnectionState.ekm when renegotiation is enabled and thus +// we wish to fail all key-material export requests. +func noEKMBecauseRenegotiation(label string, context []byte, length int) ([]byte, error) { + return nil, errors.New("crypto/tls: ExportKeyingMaterial is unavailable when renegotiation is enabled") +} + +// noEKMBecauseNoEMS is used as a value of ConnectionState.ekm when Extended +// Master Secret is not negotiated and thus we wish to fail all key-material +// export requests. +func noEKMBecauseNoEMS(label string, context []byte, length int) ([]byte, error) { + return nil, errors.New("crypto/tls: ExportKeyingMaterial is unavailable when neither TLS 1.3 nor Extended Master Secret are negotiated; override with GODEBUG=tlsunsafeekm=1") +} + +// ekmFromMasterSecret generates exported keying material as defined in RFC 5705. +func ekmFromMasterSecret(version uint16, suite *cipherSuite, masterSecret, clientRandom, serverRandom []byte) func(string, []byte, int) ([]byte, error) { + return func(label string, context []byte, length int) ([]byte, error) { + switch label { + case "client finished", "server finished", "master secret", "key expansion": + // These values are reserved and may not be used. + return nil, fmt.Errorf("crypto/tls: reserved ExportKeyingMaterial label: %s", label) + } + + seedLen := len(serverRandom) + len(clientRandom) + if context != nil { + seedLen += 2 + len(context) + } + seed := make([]byte, 0, seedLen) + + seed = append(seed, clientRandom...) + seed = append(seed, serverRandom...) + + if context != nil { + if len(context) >= 1<<16 { + return nil, fmt.Errorf("crypto/tls: ExportKeyingMaterial context too long") + } + seed = append(seed, byte(len(context)>>8), byte(len(context))) + seed = append(seed, context...) + } + + keyMaterial := make([]byte, length) + prfForVersion(version, suite)(keyMaterial, masterSecret, []byte(label), seed) + return keyMaterial, nil + } +} diff --git a/pkg/tls/prf_test.go b/pkg/tls/prf_test.go new file mode 100644 index 000000000..8233985a6 --- /dev/null +++ b/pkg/tls/prf_test.go @@ -0,0 +1,140 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "encoding/hex" + "testing" +) + +type testSplitPreMasterSecretTest struct { + in, out1, out2 string +} + +var testSplitPreMasterSecretTests = []testSplitPreMasterSecretTest{ + {"", "", ""}, + {"00", "00", "00"}, + {"0011", "00", "11"}, + {"001122", "0011", "1122"}, + {"00112233", "0011", "2233"}, +} + +func TestSplitPreMasterSecret(t *testing.T) { + for i, test := range testSplitPreMasterSecretTests { + in, _ := hex.DecodeString(test.in) + out1, out2 := splitPreMasterSecret(in) + s1 := hex.EncodeToString(out1) + s2 := hex.EncodeToString(out2) + if s1 != test.out1 || s2 != test.out2 { + t.Errorf("#%d: got: (%s, %s) want: (%s, %s)", i, s1, s2, test.out1, test.out2) + } + } +} + +type testKeysFromTest struct { + version uint16 + suite *cipherSuite + preMasterSecret string + clientRandom, serverRandom string + masterSecret string + clientMAC, serverMAC string + clientKey, serverKey string + macLen, keyLen int + contextKeyingMaterial, noContextKeyingMaterial string +} + +func TestKeysFromPreMasterSecret(t *testing.T) { + for i, test := range testKeysFromTests { + in, _ := hex.DecodeString(test.preMasterSecret) + clientRandom, _ := hex.DecodeString(test.clientRandom) + serverRandom, _ := hex.DecodeString(test.serverRandom) + + masterSecret := masterFromPreMasterSecret(test.version, test.suite, in, clientRandom, serverRandom) + if s := hex.EncodeToString(masterSecret); s != test.masterSecret { + t.Errorf("#%d: bad master secret %s, want %s", i, s, test.masterSecret) + continue + } + + clientMAC, serverMAC, clientKey, serverKey, _, _ := keysFromMasterSecret(test.version, test.suite, masterSecret, clientRandom, serverRandom, test.macLen, test.keyLen, 0) + clientMACString := hex.EncodeToString(clientMAC) + serverMACString := hex.EncodeToString(serverMAC) + clientKeyString := hex.EncodeToString(clientKey) + serverKeyString := hex.EncodeToString(serverKey) + if clientMACString != test.clientMAC || + serverMACString != test.serverMAC || + clientKeyString != test.clientKey || + serverKeyString != test.serverKey { + t.Errorf("#%d: got: (%s, %s, %s, %s) want: (%s, %s, %s, %s)", i, clientMACString, serverMACString, clientKeyString, serverKeyString, test.clientMAC, test.serverMAC, test.clientKey, test.serverKey) + } + + ekm := ekmFromMasterSecret(test.version, test.suite, masterSecret, clientRandom, serverRandom) + contextKeyingMaterial, err := ekm("label", []byte("context"), 32) + if err != nil { + t.Fatalf("ekmFromMasterSecret failed: %v", err) + } + + noContextKeyingMaterial, err := ekm("label", nil, 32) + if err != nil { + t.Fatalf("ekmFromMasterSecret failed: %v", err) + } + + if hex.EncodeToString(contextKeyingMaterial) != test.contextKeyingMaterial || + hex.EncodeToString(noContextKeyingMaterial) != test.noContextKeyingMaterial { + t.Errorf("#%d: got keying material: (%s, %s) want: (%s, %s)", i, contextKeyingMaterial, noContextKeyingMaterial, test.contextKeyingMaterial, test.noContextKeyingMaterial) + } + } +} + +// These test vectors were generated from GnuTLS using `gnutls-cli --insecure -d 9 ` +var testKeysFromTests = []testKeysFromTest{ + { + VersionTLS10, + cipherSuiteByID(TLS_RSA_WITH_RC4_128_SHA), + "0302cac83ad4b1db3b9ab49ad05957de2a504a634a386fc600889321e1a971f57479466830ac3e6f468e87f5385fa0c5", + "4ae66303755184a3917fcb44880605fcc53baa01912b22ed94473fc69cebd558", + "4ae663020ec16e6bb5130be918cfcafd4d765979a3136a5d50c593446e4e44db", + "3d851bab6e5556e959a16bc36d66cfae32f672bfa9ecdef6096cbb1b23472df1da63dbbd9827606413221d149ed08ceb", + "805aaa19b3d2c0a0759a4b6c9959890e08480119", + "2d22f9fe519c075c16448305ceee209fc24ad109", + "d50b5771244f850cd8117a9ccafe2cf1", + "e076e33206b30507a85c32855acd0919", + 20, + 16, + "4d1bb6fc278c37d27aa6e2a13c2e079095d143272c2aa939da33d88c1c0cec22", + "93fba89599b6321ae538e27c6548ceb8b46821864318f5190d64a375e5d69d41", + }, + { + VersionTLS10, + cipherSuiteByID(TLS_RSA_WITH_RC4_128_SHA), + "03023f7527316bc12cbcd69e4b9e8275d62c028f27e65c745cfcddc7ce01bd3570a111378b63848127f1c36e5f9e4890", + "4ae66364b5ea56b20ce4e25555aed2d7e67f42788dd03f3fee4adae0459ab106", + "4ae66363ab815cbf6a248b87d6b556184e945e9b97fbdf247858b0bdafacfa1c", + "7d64be7c80c59b740200b4b9c26d0baaa1c5ae56705acbcf2307fe62beb4728c19392c83f20483801cce022c77645460", + "97742ed60a0554ca13f04f97ee193177b971e3b0", + "37068751700400e03a8477a5c7eec0813ab9e0dc", + "207cddbc600d2a200abac6502053ee5c", + "df3f94f6e1eacc753b815fe16055cd43", + 20, + 16, + "2c9f8961a72b97cbe76553b5f954caf8294fc6360ef995ac1256fe9516d0ce7f", + "274f19c10291d188857ad8878e2119f5aa437d4da556601cf1337aff23154016", + }, + { + VersionTLS10, + cipherSuiteByID(TLS_RSA_WITH_RC4_128_SHA), + "832d515f1d61eebb2be56ba0ef79879efb9b527504abb386fb4310ed5d0e3b1f220d3bb6b455033a2773e6d8bdf951d278a187482b400d45deb88a5d5a6bb7d6a7a1decc04eb9ef0642876cd4a82d374d3b6ff35f0351dc5d411104de431375355addc39bfb1f6329fb163b0bc298d658338930d07d313cd980a7e3d9196cac1", + "4ae663b2ee389c0de147c509d8f18f5052afc4aaf9699efe8cb05ece883d3a5e", + "4ae664d503fd4cff50cfc1fb8fc606580f87b0fcdac9554ba0e01d785bdf278e", + "1aff2e7a2c4279d0126f57a65a77a8d9d0087cf2733366699bec27eb53d5740705a8574bb1acc2abbe90e44f0dd28d6c", + "3c7647c93c1379a31a609542aa44e7f117a70085", + "0d73102994be74a575a3ead8532590ca32a526d4", + "ac7581b0b6c10d85bbd905ffbf36c65e", + "ff07edde49682b45466bd2e39464b306", + 20, + 16, + "678b0d43f607de35241dc7e9d1a7388a52c35033a1a0336d4d740060a6638fe2", + "f3b4ac743f015ef21d79978297a53da3e579ee047133f38c234d829c0f907dab", + }, +} diff --git a/pkg/tls/quic.go b/pkg/tls/quic.go new file mode 100644 index 000000000..3518169bf --- /dev/null +++ b/pkg/tls/quic.go @@ -0,0 +1,421 @@ +// Copyright 2023 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "context" + "errors" + "fmt" +) + +// QUICEncryptionLevel represents a QUIC encryption level used to transmit +// handshake messages. +type QUICEncryptionLevel int + +const ( + QUICEncryptionLevelInitial = QUICEncryptionLevel(iota) + QUICEncryptionLevelEarly + QUICEncryptionLevelHandshake + QUICEncryptionLevelApplication +) + +func (l QUICEncryptionLevel) String() string { + switch l { + case QUICEncryptionLevelInitial: + return "Initial" + case QUICEncryptionLevelEarly: + return "Early" + case QUICEncryptionLevelHandshake: + return "Handshake" + case QUICEncryptionLevelApplication: + return "Application" + default: + return fmt.Sprintf("QUICEncryptionLevel(%v)", int(l)) + } +} + +// A QUICConn represents a connection which uses a QUIC implementation as the underlying +// transport as described in RFC 9001. +// +// Methods of QUICConn are not safe for concurrent use. +type QUICConn struct { + conn *Conn + + sessionTicketSent bool +} + +// A QUICConfig configures a [QUICConn]. +type QUICConfig struct { + TLSConfig *Config +} + +// A QUICEventKind is a type of operation on a QUIC connection. +type QUICEventKind int + +const ( + // QUICNoEvent indicates that there are no events available. + QUICNoEvent QUICEventKind = iota + + // QUICSetReadSecret and QUICSetWriteSecret provide the read and write + // secrets for a given encryption level. + // QUICEvent.Level, QUICEvent.Data, and QUICEvent.Suite are set. + // + // Secrets for the Initial encryption level are derived from the initial + // destination connection ID, and are not provided by the QUICConn. + QUICSetReadSecret + QUICSetWriteSecret + + // QUICWriteData provides data to send to the peer in CRYPTO frames. + // QUICEvent.Data is set. + QUICWriteData + + // QUICTransportParameters provides the peer's QUIC transport parameters. + // QUICEvent.Data is set. + QUICTransportParameters + + // QUICTransportParametersRequired indicates that the caller must provide + // QUIC transport parameters to send to the peer. The caller should set + // the transport parameters with QUICConn.SetTransportParameters and call + // QUICConn.NextEvent again. + // + // If transport parameters are set before calling QUICConn.Start, the + // connection will never generate a QUICTransportParametersRequired event. + QUICTransportParametersRequired + + // QUICRejectedEarlyData indicates that the server rejected 0-RTT data even + // if we offered it. It's returned before QUICEncryptionLevelApplication + // keys are returned. + QUICRejectedEarlyData + + // QUICHandshakeDone indicates that the TLS handshake has completed. + QUICHandshakeDone +) + +// A QUICEvent is an event occurring on a QUIC connection. +// +// The type of event is specified by the Kind field. +// The contents of the other fields are kind-specific. +type QUICEvent struct { + Kind QUICEventKind + + // Set for QUICSetReadSecret, QUICSetWriteSecret, and QUICWriteData. + Level QUICEncryptionLevel + + // Set for QUICTransportParameters, QUICSetReadSecret, QUICSetWriteSecret, and QUICWriteData. + // The contents are owned by crypto/tls, and are valid until the next NextEvent call. + Data []byte + + // Set for QUICSetReadSecret and QUICSetWriteSecret. + Suite uint16 +} + +type quicState struct { + events []QUICEvent + nextEvent int + + // eventArr is a statically allocated event array, large enough to handle + // the usual maximum number of events resulting from a single call: transport + // parameters, Initial data, Early read secret, Handshake write and read + // secrets, Handshake data, Application write secret, Application data. + eventArr [8]QUICEvent + + started bool + signalc chan struct{} // handshake data is available to be read + blockedc chan struct{} // handshake is waiting for data, closed when done + cancelc <-chan struct{} // handshake has been canceled + cancel context.CancelFunc + + // readbuf is shared between HandleData and the handshake goroutine. + // HandshakeCryptoData passes ownership to the handshake goroutine by + // reading from signalc, and reclaims ownership by reading from blockedc. + readbuf []byte + + transportParams []byte // to send to the peer +} + +// QUICClient returns a new TLS client side connection using QUICTransport as the +// underlying transport. The config cannot be nil. +// +// The config's MinVersion must be at least TLS 1.3. +func QUICClient(config *QUICConfig) *QUICConn { + return newQUICConn(Client(nil, config.TLSConfig)) +} + +// QUICServer returns a new TLS server side connection using QUICTransport as the +// underlying transport. The config cannot be nil. +// +// The config's MinVersion must be at least TLS 1.3. +func QUICServer(config *QUICConfig) *QUICConn { + return newQUICConn(Server(nil, config.TLSConfig)) +} + +func newQUICConn(conn *Conn) *QUICConn { + conn.quic = &quicState{ + signalc: make(chan struct{}), + blockedc: make(chan struct{}), + } + conn.quic.events = conn.quic.eventArr[:0] + return &QUICConn{ + conn: conn, + } +} + +// Start starts the client or server handshake protocol. +// It may produce connection events, which may be read with [QUICConn.NextEvent]. +// +// Start must be called at most once. +func (q *QUICConn) Start(ctx context.Context) error { + if q.conn.quic.started { + return quicError(errors.New("tls: Start called more than once")) + } + q.conn.quic.started = true + if q.conn.config.MinVersion < VersionTLS13 { + return quicError(errors.New("tls: Config MinVersion must be at least TLS 1.13")) + } + go q.conn.HandshakeContext(ctx) + if _, ok := <-q.conn.quic.blockedc; !ok { + return q.conn.handshakeErr + } + return nil +} + +// NextEvent returns the next event occurring on the connection. +// It returns an event with a Kind of [QUICNoEvent] when no events are available. +func (q *QUICConn) NextEvent() QUICEvent { + qs := q.conn.quic + if last := qs.nextEvent - 1; last >= 0 && len(qs.events[last].Data) > 0 { + // Write over some of the previous event's data, + // to catch callers erroniously retaining it. + qs.events[last].Data[0] = 0 + } + if qs.nextEvent >= len(qs.events) { + qs.events = qs.events[:0] + qs.nextEvent = 0 + return QUICEvent{Kind: QUICNoEvent} + } + e := qs.events[qs.nextEvent] + qs.events[qs.nextEvent] = QUICEvent{} // zero out references to data + qs.nextEvent++ + return e +} + +// Close closes the connection and stops any in-progress handshake. +func (q *QUICConn) Close() error { + if q.conn.quic.cancel == nil { + return nil // never started + } + q.conn.quic.cancel() + for range q.conn.quic.blockedc { + // Wait for the handshake goroutine to return. + } + return q.conn.handshakeErr +} + +// HandleData handles handshake bytes received from the peer. +// It may produce connection events, which may be read with [QUICConn.NextEvent]. +func (q *QUICConn) HandleData(level QUICEncryptionLevel, data []byte) error { + c := q.conn + if c.in.level != level { + return quicError(c.in.setErrorLocked(errors.New("tls: handshake data received at wrong level"))) + } + c.quic.readbuf = data + <-c.quic.signalc + _, ok := <-c.quic.blockedc + if ok { + // The handshake goroutine is waiting for more data. + return nil + } + // The handshake goroutine has exited. + c.handshakeMutex.Lock() + defer c.handshakeMutex.Unlock() + c.hand.Write(c.quic.readbuf) + c.quic.readbuf = nil + for q.conn.hand.Len() >= 4 && q.conn.handshakeErr == nil { + b := q.conn.hand.Bytes() + n := int(b[1])<<16 | int(b[2])<<8 | int(b[3]) + if n > maxHandshake { + q.conn.handshakeErr = fmt.Errorf("tls: handshake message of length %d bytes exceeds maximum of %d bytes", n, maxHandshake) + break + } + if len(b) < 4+n { + return nil + } + if err := q.conn.handlePostHandshakeMessage(); err != nil { + q.conn.handshakeErr = err + } + } + if q.conn.handshakeErr != nil { + return quicError(q.conn.handshakeErr) + } + return nil +} + +type QUICSessionTicketOptions struct { + // EarlyData specifies whether the ticket may be used for 0-RTT. + EarlyData bool +} + +// SendSessionTicket sends a session ticket to the client. +// It produces connection events, which may be read with [QUICConn.NextEvent]. +// Currently, it can only be called once. +func (q *QUICConn) SendSessionTicket(opts QUICSessionTicketOptions) error { + c := q.conn + if !c.isHandshakeComplete.Load() { + return quicError(errors.New("tls: SendSessionTicket called before handshake completed")) + } + if c.isClient { + return quicError(errors.New("tls: SendSessionTicket called on the client")) + } + if q.sessionTicketSent { + return quicError(errors.New("tls: SendSessionTicket called multiple times")) + } + q.sessionTicketSent = true + return quicError(c.sendSessionTicket(opts.EarlyData)) +} + +// ConnectionState returns basic TLS details about the connection. +func (q *QUICConn) ConnectionState() ConnectionState { + return q.conn.ConnectionState() +} + +// SetTransportParameters sets the transport parameters to send to the peer. +// +// Server connections may delay setting the transport parameters until after +// receiving the client's transport parameters. See [QUICTransportParametersRequired]. +func (q *QUICConn) SetTransportParameters(params []byte) { + if params == nil { + params = []byte{} + } + q.conn.quic.transportParams = params + if q.conn.quic.started { + <-q.conn.quic.signalc + <-q.conn.quic.blockedc + } +} + +// quicError ensures err is an AlertError. +// If err is not already, quicError wraps it with alertInternalError. +func quicError(err error) error { + if err == nil { + return nil + } + var ae AlertError + if errors.As(err, &ae) { + return err + } + var a alert + if !errors.As(err, &a) { + a = alertInternalError + } + // Return an error wrapping the original error and an AlertError. + // Truncate the text of the alert to 0 characters. + return fmt.Errorf("%w%.0w", err, AlertError(a)) +} + +func (c *Conn) quicReadHandshakeBytes(n int) error { + for c.hand.Len() < n { + if err := c.quicWaitForSignal(); err != nil { + return err + } + } + return nil +} + +func (c *Conn) quicSetReadSecret(level QUICEncryptionLevel, suite uint16, secret []byte) { + c.quic.events = append(c.quic.events, QUICEvent{ + Kind: QUICSetReadSecret, + Level: level, + Suite: suite, + Data: secret, + }) +} + +func (c *Conn) quicSetWriteSecret(level QUICEncryptionLevel, suite uint16, secret []byte) { + c.quic.events = append(c.quic.events, QUICEvent{ + Kind: QUICSetWriteSecret, + Level: level, + Suite: suite, + Data: secret, + }) +} + +func (c *Conn) quicWriteCryptoData(level QUICEncryptionLevel, data []byte) { + var last *QUICEvent + if len(c.quic.events) > 0 { + last = &c.quic.events[len(c.quic.events)-1] + } + if last == nil || last.Kind != QUICWriteData || last.Level != level { + c.quic.events = append(c.quic.events, QUICEvent{ + Kind: QUICWriteData, + Level: level, + }) + last = &c.quic.events[len(c.quic.events)-1] + } + last.Data = append(last.Data, data...) +} + +func (c *Conn) quicSetTransportParameters(params []byte) { + c.quic.events = append(c.quic.events, QUICEvent{ + Kind: QUICTransportParameters, + Data: params, + }) +} + +func (c *Conn) quicGetTransportParameters() ([]byte, error) { + if c.quic.transportParams == nil { + c.quic.events = append(c.quic.events, QUICEvent{ + Kind: QUICTransportParametersRequired, + }) + } + for c.quic.transportParams == nil { + if err := c.quicWaitForSignal(); err != nil { + return nil, err + } + } + return c.quic.transportParams, nil +} + +func (c *Conn) quicHandshakeComplete() { + c.quic.events = append(c.quic.events, QUICEvent{ + Kind: QUICHandshakeDone, + }) +} + +func (c *Conn) quicRejectedEarlyData() { + c.quic.events = append(c.quic.events, QUICEvent{ + Kind: QUICRejectedEarlyData, + }) +} + +// quicWaitForSignal notifies the QUICConn that handshake progress is blocked, +// and waits for a signal that the handshake should proceed. +// +// The handshake may become blocked waiting for handshake bytes +// or for the user to provide transport parameters. +func (c *Conn) quicWaitForSignal() error { + // Drop the handshake mutex while blocked to allow the user + // to call ConnectionState before the handshake completes. + c.handshakeMutex.Unlock() + defer c.handshakeMutex.Lock() + // Send on blockedc to notify the QUICConn that the handshake is blocked. + // Exported methods of QUICConn wait for the handshake to become blocked + // before returning to the user. + select { + case c.quic.blockedc <- struct{}{}: + case <-c.quic.cancelc: + return c.sendAlertLocked(alertCloseNotify) + } + // The QUICConn reads from signalc to notify us that the handshake may + // be able to proceed. (The QUICConn reads, because we close signalc to + // indicate that the handshake has completed.) + select { + case c.quic.signalc <- struct{}{}: + c.hand.Write(c.quic.readbuf) + c.quic.readbuf = nil + case <-c.quic.cancelc: + return c.sendAlertLocked(alertCloseNotify) + } + return nil +} diff --git a/pkg/tls/quic_test.go b/pkg/tls/quic_test.go new file mode 100644 index 000000000..323906a2f --- /dev/null +++ b/pkg/tls/quic_test.go @@ -0,0 +1,489 @@ +// Copyright 2023 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "context" + "errors" + "reflect" + "testing" +) + +type testQUICConn struct { + t *testing.T + conn *QUICConn + readSecret map[QUICEncryptionLevel]suiteSecret + writeSecret map[QUICEncryptionLevel]suiteSecret + gotParams []byte + complete bool +} + +func newTestQUICClient(t *testing.T, config *Config) *testQUICConn { + q := &testQUICConn{t: t} + q.conn = QUICClient(&QUICConfig{ + TLSConfig: config, + }) + t.Cleanup(func() { + q.conn.Close() + }) + return q +} + +func newTestQUICServer(t *testing.T, config *Config) *testQUICConn { + q := &testQUICConn{t: t} + q.conn = QUICServer(&QUICConfig{ + TLSConfig: config, + }) + t.Cleanup(func() { + q.conn.Close() + }) + return q +} + +type suiteSecret struct { + suite uint16 + secret []byte +} + +func (q *testQUICConn) setReadSecret(level QUICEncryptionLevel, suite uint16, secret []byte) { + if _, ok := q.writeSecret[level]; !ok { + q.t.Errorf("SetReadSecret for level %v called before SetWriteSecret", level) + } + if level == QUICEncryptionLevelApplication && !q.complete { + q.t.Errorf("SetReadSecret for level %v called before HandshakeComplete", level) + } + if _, ok := q.readSecret[level]; ok { + q.t.Errorf("SetReadSecret for level %v called twice", level) + } + if q.readSecret == nil { + q.readSecret = map[QUICEncryptionLevel]suiteSecret{} + } + switch level { + case QUICEncryptionLevelHandshake, QUICEncryptionLevelApplication: + q.readSecret[level] = suiteSecret{suite, secret} + default: + q.t.Errorf("SetReadSecret for unexpected level %v", level) + } +} + +func (q *testQUICConn) setWriteSecret(level QUICEncryptionLevel, suite uint16, secret []byte) { + if _, ok := q.writeSecret[level]; ok { + q.t.Errorf("SetWriteSecret for level %v called twice", level) + } + if q.writeSecret == nil { + q.writeSecret = map[QUICEncryptionLevel]suiteSecret{} + } + switch level { + case QUICEncryptionLevelHandshake, QUICEncryptionLevelApplication: + q.writeSecret[level] = suiteSecret{suite, secret} + default: + q.t.Errorf("SetWriteSecret for unexpected level %v", level) + } +} + +var errTransportParametersRequired = errors.New("transport parameters required") + +func runTestQUICConnection(ctx context.Context, cli, srv *testQUICConn, onEvent func(e QUICEvent, src, dst *testQUICConn) bool) error { + a, b := cli, srv + for _, c := range []*testQUICConn{a, b} { + if !c.conn.conn.quic.started { + if err := c.conn.Start(ctx); err != nil { + return err + } + } + } + idleCount := 0 + for { + e := a.conn.NextEvent() + if onEvent != nil && onEvent(e, a, b) { + continue + } + switch e.Kind { + case QUICNoEvent: + idleCount++ + if idleCount == 2 { + if !a.complete || !b.complete { + return errors.New("handshake incomplete") + } + return nil + } + a, b = b, a + case QUICSetReadSecret: + a.setReadSecret(e.Level, e.Suite, e.Data) + case QUICSetWriteSecret: + a.setWriteSecret(e.Level, e.Suite, e.Data) + case QUICWriteData: + if err := b.conn.HandleData(e.Level, e.Data); err != nil { + return err + } + case QUICTransportParameters: + a.gotParams = e.Data + if a.gotParams == nil { + a.gotParams = []byte{} + } + case QUICTransportParametersRequired: + return errTransportParametersRequired + case QUICHandshakeDone: + a.complete = true + if a == srv { + opts := QUICSessionTicketOptions{} + if err := srv.conn.SendSessionTicket(opts); err != nil { + return err + } + } + } + if e.Kind != QUICNoEvent { + idleCount = 0 + } + } +} + +func TestQUICConnection(t *testing.T) { + config := testConfig.Clone() + config.MinVersion = VersionTLS13 + + cli := newTestQUICClient(t, config) + cli.conn.SetTransportParameters(nil) + + srv := newTestQUICServer(t, config) + srv.conn.SetTransportParameters(nil) + + if err := runTestQUICConnection(context.Background(), cli, srv, nil); err != nil { + t.Fatalf("error during connection handshake: %v", err) + } + + if _, ok := cli.readSecret[QUICEncryptionLevelHandshake]; !ok { + t.Errorf("client has no Handshake secret") + } + if _, ok := cli.readSecret[QUICEncryptionLevelApplication]; !ok { + t.Errorf("client has no Application secret") + } + if _, ok := srv.readSecret[QUICEncryptionLevelHandshake]; !ok { + t.Errorf("server has no Handshake secret") + } + if _, ok := srv.readSecret[QUICEncryptionLevelApplication]; !ok { + t.Errorf("server has no Application secret") + } + for _, level := range []QUICEncryptionLevel{QUICEncryptionLevelHandshake, QUICEncryptionLevelApplication} { + if _, ok := cli.readSecret[level]; !ok { + t.Errorf("client has no %v read secret", level) + } + if _, ok := srv.readSecret[level]; !ok { + t.Errorf("server has no %v read secret", level) + } + if !reflect.DeepEqual(cli.readSecret[level], srv.writeSecret[level]) { + t.Errorf("client read secret does not match server write secret for level %v", level) + } + if !reflect.DeepEqual(cli.writeSecret[level], srv.readSecret[level]) { + t.Errorf("client write secret does not match server read secret for level %v", level) + } + } +} + +func TestQUICSessionResumption(t *testing.T) { + clientConfig := testConfig.Clone() + clientConfig.MinVersion = VersionTLS13 + clientConfig.ClientSessionCache = NewLRUClientSessionCache(1) + clientConfig.ServerName = "example.go.dev" + + serverConfig := testConfig.Clone() + serverConfig.MinVersion = VersionTLS13 + + cli := newTestQUICClient(t, clientConfig) + cli.conn.SetTransportParameters(nil) + srv := newTestQUICServer(t, serverConfig) + srv.conn.SetTransportParameters(nil) + if err := runTestQUICConnection(context.Background(), cli, srv, nil); err != nil { + t.Fatalf("error during first connection handshake: %v", err) + } + if cli.conn.ConnectionState().DidResume { + t.Errorf("first connection unexpectedly used session resumption") + } + + cli2 := newTestQUICClient(t, clientConfig) + cli2.conn.SetTransportParameters(nil) + srv2 := newTestQUICServer(t, serverConfig) + srv2.conn.SetTransportParameters(nil) + if err := runTestQUICConnection(context.Background(), cli2, srv2, nil); err != nil { + t.Fatalf("error during second connection handshake: %v", err) + } + if !cli2.conn.ConnectionState().DidResume { + t.Errorf("second connection did not use session resumption") + } +} + +func TestQUICFragmentaryData(t *testing.T) { + clientConfig := testConfig.Clone() + clientConfig.MinVersion = VersionTLS13 + clientConfig.ClientSessionCache = NewLRUClientSessionCache(1) + clientConfig.ServerName = "example.go.dev" + + serverConfig := testConfig.Clone() + serverConfig.MinVersion = VersionTLS13 + + cli := newTestQUICClient(t, clientConfig) + cli.conn.SetTransportParameters(nil) + srv := newTestQUICServer(t, serverConfig) + srv.conn.SetTransportParameters(nil) + onEvent := func(e QUICEvent, src, dst *testQUICConn) bool { + if e.Kind == QUICWriteData { + // Provide the data one byte at a time. + for i := range e.Data { + if err := dst.conn.HandleData(e.Level, e.Data[i:i+1]); err != nil { + t.Errorf("HandleData: %v", err) + break + } + } + return true + } + return false + } + if err := runTestQUICConnection(context.Background(), cli, srv, onEvent); err != nil { + t.Fatalf("error during first connection handshake: %v", err) + } +} + +func TestQUICPostHandshakeClientAuthentication(t *testing.T) { + // RFC 9001, Section 4.4. + config := testConfig.Clone() + config.MinVersion = VersionTLS13 + cli := newTestQUICClient(t, config) + cli.conn.SetTransportParameters(nil) + srv := newTestQUICServer(t, config) + srv.conn.SetTransportParameters(nil) + if err := runTestQUICConnection(context.Background(), cli, srv, nil); err != nil { + t.Fatalf("error during connection handshake: %v", err) + } + + certReq := new(certificateRequestMsgTLS13) + certReq.ocspStapling = true + certReq.scts = true + certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms() + certReqBytes, err := certReq.marshal() + if err != nil { + t.Fatal(err) + } + if err := cli.conn.HandleData(QUICEncryptionLevelApplication, append([]byte{ + byte(typeCertificateRequest), + byte(0), byte(0), byte(len(certReqBytes)), + }, certReqBytes...)); err == nil { + t.Fatalf("post-handshake authentication request: got no error, want one") + } +} + +func TestQUICPostHandshakeKeyUpdate(t *testing.T) { + // RFC 9001, Section 6. + config := testConfig.Clone() + config.MinVersion = VersionTLS13 + cli := newTestQUICClient(t, config) + cli.conn.SetTransportParameters(nil) + srv := newTestQUICServer(t, config) + srv.conn.SetTransportParameters(nil) + if err := runTestQUICConnection(context.Background(), cli, srv, nil); err != nil { + t.Fatalf("error during connection handshake: %v", err) + } + + keyUpdate := new(keyUpdateMsg) + keyUpdateBytes, err := keyUpdate.marshal() + if err != nil { + t.Fatal(err) + } + if err := cli.conn.HandleData(QUICEncryptionLevelApplication, append([]byte{ + byte(typeKeyUpdate), + byte(0), byte(0), byte(len(keyUpdateBytes)), + }, keyUpdateBytes...)); !errors.Is(err, alertUnexpectedMessage) { + t.Fatalf("key update request: got error %v, want alertUnexpectedMessage", err) + } +} + +func TestQUICPostHandshakeMessageTooLarge(t *testing.T) { + config := testConfig.Clone() + config.MinVersion = VersionTLS13 + cli := newTestQUICClient(t, config) + cli.conn.SetTransportParameters(nil) + srv := newTestQUICServer(t, config) + srv.conn.SetTransportParameters(nil) + if err := runTestQUICConnection(context.Background(), cli, srv, nil); err != nil { + t.Fatalf("error during connection handshake: %v", err) + } + + size := maxHandshake + 1 + if err := cli.conn.HandleData(QUICEncryptionLevelApplication, []byte{ + byte(typeNewSessionTicket), + byte(size >> 16), + byte(size >> 8), + byte(size), + }); err == nil { + t.Fatalf("%v-byte post-handshake message: got no error, want one", size) + } +} + +func TestQUICHandshakeError(t *testing.T) { + clientConfig := testConfig.Clone() + clientConfig.MinVersion = VersionTLS13 + clientConfig.InsecureSkipVerify = false + clientConfig.ServerName = "name" + + serverConfig := testConfig.Clone() + serverConfig.MinVersion = VersionTLS13 + + cli := newTestQUICClient(t, clientConfig) + cli.conn.SetTransportParameters(nil) + srv := newTestQUICServer(t, serverConfig) + srv.conn.SetTransportParameters(nil) + err := runTestQUICConnection(context.Background(), cli, srv, nil) + if !errors.Is(err, AlertError(alertBadCertificate)) { + t.Errorf("connection handshake terminated with error %q, want alertBadCertificate", err) + } + var e *CertificateVerificationError + if !errors.As(err, &e) { + t.Errorf("connection handshake terminated with error %q, want CertificateVerificationError", err) + } +} + +// Test that QUICConn.ConnectionState can be used during the handshake, +// and that it reports the application protocol as soon as it has been +// negotiated. +func TestQUICConnectionState(t *testing.T) { + config := testConfig.Clone() + config.MinVersion = VersionTLS13 + config.NextProtos = []string{"h3"} + cli := newTestQUICClient(t, config) + cli.conn.SetTransportParameters(nil) + srv := newTestQUICServer(t, config) + srv.conn.SetTransportParameters(nil) + onEvent := func(e QUICEvent, src, dst *testQUICConn) bool { + cliCS := cli.conn.ConnectionState() + if _, ok := cli.readSecret[QUICEncryptionLevelApplication]; ok { + if want, got := cliCS.NegotiatedProtocol, "h3"; want != got { + t.Errorf("cli.ConnectionState().NegotiatedProtocol = %q, want %q", want, got) + } + } + srvCS := srv.conn.ConnectionState() + if _, ok := srv.readSecret[QUICEncryptionLevelHandshake]; ok { + if want, got := srvCS.NegotiatedProtocol, "h3"; want != got { + t.Errorf("srv.ConnectionState().NegotiatedProtocol = %q, want %q", want, got) + } + } + return false + } + if err := runTestQUICConnection(context.Background(), cli, srv, onEvent); err != nil { + t.Fatalf("error during connection handshake: %v", err) + } +} + +func TestQUICStartContextPropagation(t *testing.T) { + const key = "key" + const value = "value" + ctx := context.WithValue(context.Background(), key, value) + config := testConfig.Clone() + config.MinVersion = VersionTLS13 + calls := 0 + config.GetConfigForClient = func(info *ClientHelloInfo) (*Config, error) { + calls++ + got, _ := info.Context().Value(key).(string) + if got != value { + t.Errorf("GetConfigForClient context key %q has value %q, want %q", key, got, value) + } + return nil, nil + } + cli := newTestQUICClient(t, config) + cli.conn.SetTransportParameters(nil) + srv := newTestQUICServer(t, config) + srv.conn.SetTransportParameters(nil) + if err := runTestQUICConnection(ctx, cli, srv, nil); err != nil { + t.Fatalf("error during connection handshake: %v", err) + } + if calls != 1 { + t.Errorf("GetConfigForClient called %v times, want 1", calls) + } +} + +func TestQUICDelayedTransportParameters(t *testing.T) { + clientConfig := testConfig.Clone() + clientConfig.MinVersion = VersionTLS13 + clientConfig.ClientSessionCache = NewLRUClientSessionCache(1) + clientConfig.ServerName = "example.go.dev" + + serverConfig := testConfig.Clone() + serverConfig.MinVersion = VersionTLS13 + + cliParams := "client params" + srvParams := "server params" + + cli := newTestQUICClient(t, clientConfig) + srv := newTestQUICServer(t, serverConfig) + if err := runTestQUICConnection(context.Background(), cli, srv, nil); err != errTransportParametersRequired { + t.Fatalf("handshake with no client parameters: %v; want errTransportParametersRequired", err) + } + cli.conn.SetTransportParameters([]byte(cliParams)) + if err := runTestQUICConnection(context.Background(), cli, srv, nil); err != errTransportParametersRequired { + t.Fatalf("handshake with no server parameters: %v; want errTransportParametersRequired", err) + } + srv.conn.SetTransportParameters([]byte(srvParams)) + if err := runTestQUICConnection(context.Background(), cli, srv, nil); err != nil { + t.Fatalf("error during connection handshake: %v", err) + } + + if got, want := string(cli.gotParams), srvParams; got != want { + t.Errorf("client got transport params: %q, want %q", got, want) + } + if got, want := string(srv.gotParams), cliParams; got != want { + t.Errorf("server got transport params: %q, want %q", got, want) + } +} + +func TestQUICEmptyTransportParameters(t *testing.T) { + config := testConfig.Clone() + config.MinVersion = VersionTLS13 + + cli := newTestQUICClient(t, config) + cli.conn.SetTransportParameters(nil) + srv := newTestQUICServer(t, config) + srv.conn.SetTransportParameters(nil) + if err := runTestQUICConnection(context.Background(), cli, srv, nil); err != nil { + t.Fatalf("error during connection handshake: %v", err) + } + + if cli.gotParams == nil { + t.Errorf("client did not get transport params") + } + if srv.gotParams == nil { + t.Errorf("server did not get transport params") + } + if len(cli.gotParams) != 0 { + t.Errorf("client got transport params: %v, want empty", cli.gotParams) + } + if len(srv.gotParams) != 0 { + t.Errorf("server got transport params: %v, want empty", srv.gotParams) + } +} + +func TestQUICCanceledWaitingForData(t *testing.T) { + config := testConfig.Clone() + config.MinVersion = VersionTLS13 + cli := newTestQUICClient(t, config) + cli.conn.SetTransportParameters(nil) + cli.conn.Start(context.Background()) + for cli.conn.NextEvent().Kind != QUICNoEvent { + } + err := cli.conn.Close() + if !errors.Is(err, alertCloseNotify) { + t.Errorf("conn.Close() = %v, want alertCloseNotify", err) + } +} + +func TestQUICCanceledWaitingForTransportParams(t *testing.T) { + config := testConfig.Clone() + config.MinVersion = VersionTLS13 + cli := newTestQUICClient(t, config) + cli.conn.Start(context.Background()) + for cli.conn.NextEvent().Kind != QUICTransportParametersRequired { + } + err := cli.conn.Close() + if !errors.Is(err, alertCloseNotify) { + t.Errorf("conn.Close() = %v, want alertCloseNotify", err) + } +} diff --git a/pkg/tls/testdata/Client-TLSv10-ClientCert-ECDSA-ECDSA b/pkg/tls/testdata/Client-TLSv10-ClientCert-ECDSA-ECDSA new file mode 100644 index 000000000..e018e87b0 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv10-ClientCert-ECDSA-ECDSA @@ -0,0 +1,135 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 01 00 5d 02 00 00 59 03 01 8d 16 c0 c7 69 |....]...Y......i| +00000010 4a 19 df eb e0 a2 f1 43 43 d6 4a ac 8c cd ee 58 |J......CC.J....X| +00000020 2e f9 f2 7d d2 61 df 54 0c e8 4e 20 2e 1c 65 31 |...}.a.T..N ..e1| +00000030 60 6d 7f f9 10 9b fd d1 31 fa 0c 45 01 ca 06 e3 |`m......1..E....| +00000040 30 9a ab b4 b7 96 b3 99 de 8c 10 84 c0 09 00 00 |0...............| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 01 02 0e 0b 00 02 0a 00 02 07 00 02 |................| +00000070 04 30 82 02 00 30 82 01 62 02 09 00 b8 bf 2d 47 |.0...0..b.....-G| +00000080 a0 d2 eb f4 30 09 06 07 2a 86 48 ce 3d 04 01 30 |....0...*.H.=..0| +00000090 45 31 0b 30 09 06 03 55 04 06 13 02 41 55 31 13 |E1.0...U....AU1.| +000000a0 30 11 06 03 55 04 08 13 0a 53 6f 6d 65 2d 53 74 |0...U....Some-St| +000000b0 61 74 65 31 21 30 1f 06 03 55 04 0a 13 18 49 6e |ate1!0...U....In| +000000c0 74 65 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 |ternet Widgits P| +000000d0 74 79 20 4c 74 64 30 1e 17 0d 31 32 31 31 32 32 |ty Ltd0...121122| +000000e0 31 35 30 36 33 32 5a 17 0d 32 32 31 31 32 30 31 |150632Z..2211201| +000000f0 35 30 36 33 32 5a 30 45 31 0b 30 09 06 03 55 04 |50632Z0E1.0...U.| +00000100 06 13 02 41 55 31 13 30 11 06 03 55 04 08 13 0a |...AU1.0...U....| +00000110 53 6f 6d 65 2d 53 74 61 74 65 31 21 30 1f 06 03 |Some-State1!0...| +00000120 55 04 0a 13 18 49 6e 74 65 72 6e 65 74 20 57 69 |U....Internet Wi| +00000130 64 67 69 74 73 20 50 74 79 20 4c 74 64 30 81 9b |dgits Pty Ltd0..| +00000140 30 10 06 07 2a 86 48 ce 3d 02 01 06 05 2b 81 04 |0...*.H.=....+..| +00000150 00 23 03 81 86 00 04 00 c4 a1 ed be 98 f9 0b 48 |.#.............H| +00000160 73 36 7e c3 16 56 11 22 f2 3d 53 c3 3b 4d 21 3d |s6~..V.".=S.;M!=| +00000170 cd 6b 75 e6 f6 b0 dc 9a df 26 c1 bc b2 87 f0 72 |.ku......&.....r| +00000180 32 7c b3 64 2f 1c 90 bc ea 68 23 10 7e fe e3 25 |2|.d/....h#.~..%| +00000190 c0 48 3a 69 e0 28 6d d3 37 00 ef 04 62 dd 0d a0 |.H:i.(m.7...b...| +000001a0 9c 70 62 83 d8 81 d3 64 31 aa 9e 97 31 bd 96 b0 |.pb....d1...1...| +000001b0 68 c0 9b 23 de 76 64 3f 1a 5c 7f e9 12 0e 58 58 |h..#.vd?.\....XX| +000001c0 b6 5f 70 dd 9b d8 ea d5 d7 f5 d5 cc b9 b6 9f 30 |._p............0| +000001d0 66 5b 66 9a 20 e2 27 e5 bf fe 3b 30 09 06 07 2a |f[f. .'...;0...*| +000001e0 86 48 ce 3d 04 01 03 81 8c 00 30 81 88 02 42 01 |.H.=......0...B.| +000001f0 88 a2 4f eb e2 45 c5 48 7d 1b ac f5 ed 98 9d ae |..O..E.H}.......| +00000200 47 70 c0 5e 1b b6 2f bd f1 b6 4d b7 61 40 d3 11 |Gp.^../...M.a@..| +00000210 a2 ce ee 0b 7e 92 7e ff 76 9d c3 3b 7e a5 3f ce |....~.~.v..;~.?.| +00000220 fa 10 e2 59 ec 47 2d 7c ac da 4e 97 0e 15 a0 6f |...Y.G-|..N....o| +00000230 d0 02 42 01 4d fc be 67 13 9c 2d 05 0e bd 3f a3 |..B.M..g..-...?.| +00000240 8c 25 c1 33 13 83 0d 94 06 bb d4 37 7a f6 ec 7a |.%.3.......7z..z| +00000250 c9 86 2e dd d7 11 69 7f 85 7c 56 de fb 31 78 2b |......i..|V..1x+| +00000260 e4 c7 78 0d ae cb be 9e 4e 36 24 31 7b 6a 0f 39 |..x.....N6$1{j.9| +00000270 95 12 07 8f 2a 16 03 01 00 b5 0c 00 00 b1 03 00 |....*...........| +00000280 1d 20 2a 39 4c 47 2f 16 34 c1 2b 55 8b 1f 26 bb |. *9LG/.4.+U..&.| +00000290 f7 27 e1 e1 6c 62 e3 76 16 ed ff 23 bf 07 09 3c |.'..lb.v...#...<| +000002a0 24 1c 00 8b 30 81 88 02 42 01 34 ea 39 ef 28 c1 |$...0...B.4.9.(.| +000002b0 f9 00 fc a9 37 0e a8 ce 4e 17 0e 8d c3 3d 27 9b |....7...N....='.| +000002c0 87 ce b2 d1 31 e3 82 9b 7b e6 40 19 c9 da ba 7f |....1...{.@.....| +000002d0 03 f9 57 01 c9 f0 28 66 64 1a f6 f7 6a 67 09 b4 |..W...(fd...jg..| +000002e0 b9 c7 ef 1f 37 fd 7c 04 ba 4e ef 02 42 00 e1 15 |....7.|..N..B...| +000002f0 c9 22 ae 13 8d bc 24 26 ce 62 09 9e c4 95 80 65 |."....$&.b.....e| +00000300 b3 dc a4 df 98 c8 cd 95 8c 55 c7 af 27 b1 31 2c |.........U..'.1,| +00000310 df 62 72 47 b4 e8 df 76 43 16 60 7f 42 60 b0 eb |.brG...vC.`.B`..| +00000320 b8 f7 75 75 ef d6 7e aa d9 c5 9c 9d f0 0d d8 16 |..uu..~.........| +00000330 03 01 00 0a 0d 00 00 06 03 01 02 40 00 00 16 03 |...........@....| +00000340 01 00 04 0e 00 00 00 |.......| +>>> Flow 3 (client to server) +00000000 16 03 01 02 0a 0b 00 02 06 00 02 03 00 02 00 30 |...............0| +00000010 82 01 fc 30 82 01 5e 02 09 00 9a 30 84 6c 26 35 |...0..^....0.l&5| +00000020 d9 17 30 09 06 07 2a 86 48 ce 3d 04 01 30 45 31 |..0...*.H.=..0E1| +00000030 0b 30 09 06 03 55 04 06 13 02 41 55 31 13 30 11 |.0...U....AU1.0.| +00000040 06 03 55 04 08 13 0a 53 6f 6d 65 2d 53 74 61 74 |..U....Some-Stat| +00000050 65 31 21 30 1f 06 03 55 04 0a 13 18 49 6e 74 65 |e1!0...U....Inte| +00000060 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 74 79 |rnet Widgits Pty| +00000070 20 4c 74 64 30 1e 17 0d 31 32 31 31 31 34 31 33 | Ltd0...12111413| +00000080 32 35 35 33 5a 17 0d 32 32 31 31 31 32 31 33 32 |2553Z..221112132| +00000090 35 35 33 5a 30 41 31 0b 30 09 06 03 55 04 06 13 |553Z0A1.0...U...| +000000a0 02 41 55 31 0c 30 0a 06 03 55 04 08 13 03 4e 53 |.AU1.0...U....NS| +000000b0 57 31 10 30 0e 06 03 55 04 07 13 07 50 79 72 6d |W1.0...U....Pyrm| +000000c0 6f 6e 74 31 12 30 10 06 03 55 04 03 13 09 4a 6f |ont1.0...U....Jo| +000000d0 65 6c 20 53 69 6e 67 30 81 9b 30 10 06 07 2a 86 |el Sing0..0...*.| +000000e0 48 ce 3d 02 01 06 05 2b 81 04 00 23 03 81 86 00 |H.=....+...#....| +000000f0 04 00 95 8c 91 75 14 c0 5e c4 57 b4 d4 c3 6f 8d |.....u..^.W...o.| +00000100 ae 68 1e dd 6f ce 86 e1 7e 6e b2 48 3e 81 e5 4e |.h..o...~n.H>..N| +00000110 e2 c6 88 4b 64 dc f5 30 bb d3 ff 65 cc 5b f4 dd |...Kd..0...e.[..| +00000120 b5 6a 3e 3e d0 1d de 47 c3 76 ad 19 f6 45 2c 8c |.j>>...G.v...E,.| +00000130 bc d8 1d 01 4c 1f 70 90 46 76 48 8b 8f 83 cc 4a |....L.p.FvH....J| +00000140 5c 8f 40 76 da e0 89 ec 1d 2b c4 4e 30 76 28 41 |\.@v.....+.N0v(A| +00000150 b2 62 a8 fb 5b f1 f9 4e 7a 8d bd 09 b8 ae ea 8b |.b..[..Nz.......| +00000160 18 27 4f 2e 70 fe 13 96 ba c3 d3 40 16 cd 65 4e |.'O.p......@..eN| +00000170 ac 11 1e e6 f1 30 09 06 07 2a 86 48 ce 3d 04 01 |.....0...*.H.=..| +00000180 03 81 8c 00 30 81 88 02 42 00 e0 14 c4 60 60 0b |....0...B....``.| +00000190 72 68 b0 32 5d 61 4a 02 74 5c c2 81 b9 16 a8 3f |rh.2]aJ.t\.....?| +000001a0 29 c8 36 c7 81 ff 6c b6 5b d9 70 f1 38 3b 50 48 |).6...l.[.p.8;PH| +000001b0 28 94 cb 09 1a 52 f1 5d ee 8d f2 b9 f0 f0 da d9 |(....R.]........| +000001c0 15 3a f9 bd 03 7a 87 a2 23 35 ec 02 42 01 a3 d4 |.:...z..#5..B...| +000001d0 8a 78 35 1c 4a 9a 23 d2 0a be 2b 10 31 9d 9c 5f |.x5.J.#...+.1.._| +000001e0 be e8 91 b3 da 1a f5 5d a3 23 f5 26 8b 45 70 8d |.......].#.&.Ep.| +000001f0 65 62 9b 7e 01 99 3d 18 f6 10 9a 38 61 9b 2e 57 |eb.~..=....8a..W| +00000200 e4 fa cc b1 8a ce e2 23 a0 87 f0 e1 67 51 eb 16 |.......#....gQ..| +00000210 03 01 00 25 10 00 00 21 20 2f e5 7d a3 47 cd 62 |...%...! /.}.G.b| +00000220 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 cf |C.(.._.).0......| +00000230 c2 ed 90 99 5f 58 cb 3b 74 16 03 01 00 91 0f 00 |...._X.;t.......| +00000240 00 8d 00 8b 30 81 88 02 42 01 9a ce de b0 79 2f |....0...B.....y/| +00000250 8b f3 6a ab 71 75 38 58 6a 85 d5 eb 60 ee de d0 |..j.qu8Xj...`...| +00000260 c8 61 46 fc 41 2a d7 dd b5 db cd d8 74 4e a2 62 |.aF.A*......tN.b| +00000270 c8 a5 1c f6 62 7a 04 ea 0b 70 39 cd 68 75 d2 b6 |....bz...p9.hu..| +00000280 cc f9 71 ee f2 cc 9a a2 12 78 bc 02 42 01 4d 03 |..q......x..B.M.| +00000290 1a 75 bb 13 64 ab 08 c5 fb f3 ff 18 74 c5 25 dd |.u..d.......t.%.| +000002a0 27 99 5b ad 76 7a a7 e2 4d a7 1d d7 ba 6e e4 e7 |'.[.vz..M....n..| +000002b0 32 00 70 4a 35 6c c4 bb 03 5b 83 d5 e5 fc 53 e4 |2.pJ5l...[....S.| +000002c0 7e 1b f3 e7 18 79 b3 d4 76 ac 0f 74 6e 8f f7 14 |~....y..v..tn...| +000002d0 03 01 00 01 01 16 03 01 00 30 1a 3f 4b ba 4c e4 |.........0.?K.L.| +000002e0 6d 21 25 4d 90 2b 94 01 2b 82 f6 0a 0f a9 f9 95 |m!%M.+..+.......| +000002f0 03 1f 13 ee cf 27 d2 84 8a 59 cd ca 8d a8 c1 07 |.....'...Y......| +00000300 3f f6 c3 2b d5 91 21 2a 84 23 |?..+..!*.#| +>>> Flow 4 (server to client) +00000000 14 03 01 00 01 01 16 03 01 00 30 ac 6a 3b cf 6b |..........0.j;.k| +00000010 fc d7 25 1d ee d1 c0 61 65 73 be df 21 65 07 b8 |..%....aes..!e..| +00000020 9d 88 13 b9 b2 23 9c 90 a5 b4 71 31 75 b9 2e 97 |.....#....q1u...| +00000030 73 a1 c0 85 cc 6c f5 ac 49 2e 5f |s....l..I._| +>>> Flow 5 (client to server) +00000000 17 03 01 00 20 46 71 8d 32 ba c1 05 5c 59 bc 82 |.... Fq.2...\Y..| +00000010 e1 bc 6f eb de 23 26 8d 9c b2 b4 e8 c8 69 f3 46 |..o..#&......i.F| +00000020 0b 07 61 69 ae 17 03 01 00 20 e5 a5 ea 4c 59 7d |..ai..... ...LY}| +00000030 74 cd b8 0a 66 b6 ec 95 b0 8a 86 3a 9c e3 f5 11 |t...f......:....| +00000040 5b 05 62 9a ce 2e 87 8e 41 f4 15 03 01 00 20 be |[.b.....A..... .| +00000050 0a 29 47 93 e8 ef ad d4 5d f9 e1 a4 46 1a 51 98 |.)G.....]...F.Q.| +00000060 f0 8c be 3b fc cc a0 ed 7c 18 ac bf 94 35 93 |...;....|....5.| diff --git a/pkg/tls/testdata/Client-TLSv10-ClientCert-ECDSA-RSA b/pkg/tls/testdata/Client-TLSv10-ClientCert-ECDSA-RSA new file mode 100644 index 000000000..364d33d86 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv10-ClientCert-ECDSA-RSA @@ -0,0 +1,139 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 01 00 5d 02 00 00 59 03 01 a1 07 34 d5 08 |....]...Y....4..| +00000010 09 17 79 08 6e 26 2b b3 2f e5 35 08 54 b4 5b 0e |..y.n&+./.5.T.[.| +00000020 c8 58 57 2b 5a 75 8d e8 d2 9e 35 20 ae bf 94 16 |.XW+Zu....5 ....| +00000030 e5 a9 f6 05 18 1f 7f a4 1e e9 cd 4a c0 7d a6 4d |...........J.}.M| +00000040 75 4f 06 de e0 6c 79 b3 39 5c a7 ed c0 13 00 00 |uO...ly.9\......| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 01 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 01 00 aa 0c 00 00 a6 03 00 1d 20 6d 79 f8 |............ my.| +000002d0 b3 f9 f8 39 10 ea 9a f0 d7 40 a7 94 b4 5b 87 fc |...9.....@...[..| +000002e0 63 e1 7f 82 f8 cd e9 02 f7 0c 83 e0 48 00 80 cc |c...........H...| +000002f0 23 b7 af c6 3b 6a ed cd 07 be 81 cd 81 f9 85 f1 |#...;j..........| +00000300 a2 32 82 3b 1c 02 3e 02 20 da 71 e0 3a cc 4b 49 |.2.;..>. .q.:.KI| +00000310 09 36 af 1e 9e b5 14 6e 4c d1 4d df 87 38 92 52 |.6.....nL.M..8.R| +00000320 47 0c e7 e8 2b 2e 65 38 e3 c4 d7 24 db bb fb 2c |G...+.e8...$...,| +00000330 04 2c 9e e5 a7 9d 4b 03 b8 cb 71 c6 62 e0 42 f7 |.,....K...q.b.B.| +00000340 d7 1e 62 7e 21 e0 4d 37 e2 67 46 fa 82 df 49 62 |..b~!.M7.gF...Ib| +00000350 33 fe e1 44 fd 62 31 46 b7 66 27 ce 85 99 00 b2 |3..D.b1F.f'.....| +00000360 2c 94 1b c1 66 7b 95 a9 2c d2 33 5c 57 50 f1 16 |,...f{..,.3\WP..| +00000370 03 01 00 0a 0d 00 00 06 03 01 02 40 00 00 16 03 |...........@....| +00000380 01 00 04 0e 00 00 00 |.......| +>>> Flow 3 (client to server) +00000000 16 03 01 02 0a 0b 00 02 06 00 02 03 00 02 00 30 |...............0| +00000010 82 01 fc 30 82 01 5e 02 09 00 9a 30 84 6c 26 35 |...0..^....0.l&5| +00000020 d9 17 30 09 06 07 2a 86 48 ce 3d 04 01 30 45 31 |..0...*.H.=..0E1| +00000030 0b 30 09 06 03 55 04 06 13 02 41 55 31 13 30 11 |.0...U....AU1.0.| +00000040 06 03 55 04 08 13 0a 53 6f 6d 65 2d 53 74 61 74 |..U....Some-Stat| +00000050 65 31 21 30 1f 06 03 55 04 0a 13 18 49 6e 74 65 |e1!0...U....Inte| +00000060 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 74 79 |rnet Widgits Pty| +00000070 20 4c 74 64 30 1e 17 0d 31 32 31 31 31 34 31 33 | Ltd0...12111413| +00000080 32 35 35 33 5a 17 0d 32 32 31 31 31 32 31 33 32 |2553Z..221112132| +00000090 35 35 33 5a 30 41 31 0b 30 09 06 03 55 04 06 13 |553Z0A1.0...U...| +000000a0 02 41 55 31 0c 30 0a 06 03 55 04 08 13 03 4e 53 |.AU1.0...U....NS| +000000b0 57 31 10 30 0e 06 03 55 04 07 13 07 50 79 72 6d |W1.0...U....Pyrm| +000000c0 6f 6e 74 31 12 30 10 06 03 55 04 03 13 09 4a 6f |ont1.0...U....Jo| +000000d0 65 6c 20 53 69 6e 67 30 81 9b 30 10 06 07 2a 86 |el Sing0..0...*.| +000000e0 48 ce 3d 02 01 06 05 2b 81 04 00 23 03 81 86 00 |H.=....+...#....| +000000f0 04 00 95 8c 91 75 14 c0 5e c4 57 b4 d4 c3 6f 8d |.....u..^.W...o.| +00000100 ae 68 1e dd 6f ce 86 e1 7e 6e b2 48 3e 81 e5 4e |.h..o...~n.H>..N| +00000110 e2 c6 88 4b 64 dc f5 30 bb d3 ff 65 cc 5b f4 dd |...Kd..0...e.[..| +00000120 b5 6a 3e 3e d0 1d de 47 c3 76 ad 19 f6 45 2c 8c |.j>>...G.v...E,.| +00000130 bc d8 1d 01 4c 1f 70 90 46 76 48 8b 8f 83 cc 4a |....L.p.FvH....J| +00000140 5c 8f 40 76 da e0 89 ec 1d 2b c4 4e 30 76 28 41 |\.@v.....+.N0v(A| +00000150 b2 62 a8 fb 5b f1 f9 4e 7a 8d bd 09 b8 ae ea 8b |.b..[..Nz.......| +00000160 18 27 4f 2e 70 fe 13 96 ba c3 d3 40 16 cd 65 4e |.'O.p......@..eN| +00000170 ac 11 1e e6 f1 30 09 06 07 2a 86 48 ce 3d 04 01 |.....0...*.H.=..| +00000180 03 81 8c 00 30 81 88 02 42 00 e0 14 c4 60 60 0b |....0...B....``.| +00000190 72 68 b0 32 5d 61 4a 02 74 5c c2 81 b9 16 a8 3f |rh.2]aJ.t\.....?| +000001a0 29 c8 36 c7 81 ff 6c b6 5b d9 70 f1 38 3b 50 48 |).6...l.[.p.8;PH| +000001b0 28 94 cb 09 1a 52 f1 5d ee 8d f2 b9 f0 f0 da d9 |(....R.]........| +000001c0 15 3a f9 bd 03 7a 87 a2 23 35 ec 02 42 01 a3 d4 |.:...z..#5..B...| +000001d0 8a 78 35 1c 4a 9a 23 d2 0a be 2b 10 31 9d 9c 5f |.x5.J.#...+.1.._| +000001e0 be e8 91 b3 da 1a f5 5d a3 23 f5 26 8b 45 70 8d |.......].#.&.Ep.| +000001f0 65 62 9b 7e 01 99 3d 18 f6 10 9a 38 61 9b 2e 57 |eb.~..=....8a..W| +00000200 e4 fa cc b1 8a ce e2 23 a0 87 f0 e1 67 51 eb 16 |.......#....gQ..| +00000210 03 01 00 25 10 00 00 21 20 2f e5 7d a3 47 cd 62 |...%...! /.}.G.b| +00000220 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 cf |C.(.._.).0......| +00000230 c2 ed 90 99 5f 58 cb 3b 74 16 03 01 00 91 0f 00 |...._X.;t.......| +00000240 00 8d 00 8b 30 81 88 02 42 00 f7 1a 73 32 b1 a7 |....0...B...s2..| +00000250 04 a2 26 85 14 53 5a 70 76 c4 44 4c 0d f8 5a a6 |..&..SZpv.DL..Z.| +00000260 bc 64 44 88 3f 01 80 a4 0d 17 ce 30 ca 92 4c 29 |.dD.?......0..L)| +00000270 b2 f3 a4 65 1e 28 55 bc b8 47 64 39 b7 49 20 05 |...e.(U..Gd9.I .| +00000280 9d a4 84 6b 1b 8b df eb b6 f6 b9 02 42 01 68 c8 |...k........B.h.| +00000290 fd 3c ad 36 ad 15 28 4f f2 ac b3 7f 63 28 30 5c |.<.6..(O....c(0\| +000002a0 68 59 f5 84 b2 cf 23 d6 dd 3b f5 7b 2b 1a ac 32 |hY....#..;.{+..2| +000002b0 20 da 76 af 63 2a 68 6e 18 cd 07 82 41 6f 50 91 | .v.c*hn....AoP.| +000002c0 d0 51 3b 9b ab 71 84 d4 be 15 dd 4b 8c 57 b7 14 |.Q;..q.....K.W..| +000002d0 03 01 00 01 01 16 03 01 00 30 e3 e6 b9 cb 0b 0f |.........0......| +000002e0 71 55 4e 15 53 85 5c 2a 55 ac 83 cc e9 71 69 eb |qUN.S.\*U....qi.| +000002f0 dd 64 cb 2f 9f 74 b4 e6 80 52 9e a0 08 e3 7e 14 |.d./.t...R....~.| +00000300 2c 5e 15 e4 81 38 11 aa fb ab |,^...8....| +>>> Flow 4 (server to client) +00000000 14 03 01 00 01 01 16 03 01 00 30 bb 2d 20 48 7a |..........0.- Hz| +00000010 53 bf 3a ee c3 91 ec 1b be cf 4a 18 57 5a c4 a7 |S.:.......J.WZ..| +00000020 57 d7 51 fa 4a 69 8a bf cd ff 2e 64 e7 76 a7 49 |W.Q.Ji.....d.v.I| +00000030 1e 19 34 8d 4f c3 40 14 5d 68 8c |..4.O.@.]h.| +>>> Flow 5 (client to server) +00000000 17 03 01 00 20 c6 82 9a ee a3 de fe 3f cd 56 92 |.... .......?.V.| +00000010 20 b3 27 ae 5d db 4c 6c a3 a9 01 ba ce 98 c5 d7 | .'.].Ll........| +00000020 af be 49 92 50 17 03 01 00 20 35 a5 2d 8e 5a 4f |..I.P.... 5.-.ZO| +00000030 0d a8 ea 08 f8 dd 6c 01 04 d9 a7 2b 71 b1 c9 84 |......l....+q...| +00000040 9d de d3 ce 69 4c 7a 3e 3c 7b 15 03 01 00 20 5c |....iLz><{.... \| +00000050 00 f6 57 56 dc f9 fc 36 15 85 71 01 7b 18 ae 11 |..WV...6..q.{...| +00000060 51 0b f7 a3 e4 f8 d9 d8 ae 1d 0b 68 0f 4c 87 |Q..........h.L.| diff --git a/pkg/tls/testdata/Client-TLSv10-ClientCert-Ed25519 b/pkg/tls/testdata/Client-TLSv10-ClientCert-Ed25519 new file mode 100644 index 000000000..a14cef135 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv10-ClientCert-Ed25519 @@ -0,0 +1,110 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fa 01 00 00 f6 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a8 |.............2..| +00000050 cc a9 c0 2f c0 2b c0 30 c0 2c c0 27 c0 13 c0 23 |.../.+.0.,.'...#| +00000060 c0 09 c0 14 c0 0a 00 9c 00 9d 00 3c 00 2f 00 35 |...........<./.5| +00000070 c0 12 00 0a 00 05 c0 11 c0 07 13 01 13 03 13 02 |................| +00000080 01 00 00 7b 00 05 00 05 01 00 00 00 00 00 0a 00 |...{............| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 08 05 08 06 04 01 04 |................| +000000b0 03 05 01 05 03 06 01 06 03 02 01 02 03 08 07 ff |................| +000000c0 01 00 01 00 00 12 00 00 00 2b 00 09 08 03 04 03 |.........+......| +000000d0 03 03 02 03 01 00 33 00 26 00 24 00 1d 00 20 2f |......3.&.$... /| +000000e0 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +000000f0 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 |.........._X.;t| +>>> Flow 2 (server to client) +00000000 16 03 01 00 59 02 00 00 55 03 01 55 df 11 fe c6 |....Y...U..U....| +00000010 aa d4 85 4b 87 c2 35 4c ac a9 c3 15 a3 7f 6d 7e |...K..5L......m~| +00000020 15 d1 47 b2 d2 09 16 4d 08 1b dd 20 49 d9 51 42 |..G....M... I.QB| +00000030 97 cf 36 b3 74 3e 05 0a e5 c9 97 ef 01 9c 24 34 |..6.t>........$4| +00000040 31 17 e1 8a 6a ce 37 60 02 47 46 7f c0 13 00 00 |1...j.7`.GF.....| +00000050 0d ff 01 00 01 00 00 0b 00 04 03 00 01 02 16 03 |................| +00000060 01 02 59 0b 00 02 55 00 02 52 00 02 4f 30 82 02 |..Y...U..R..O0..| +00000070 4b 30 82 01 b4 a0 03 02 01 02 02 09 00 e8 f0 9d |K0..............| +00000080 3f e2 5b ea a6 30 0d 06 09 2a 86 48 86 f7 0d 01 |?.[..0...*.H....| +00000090 01 0b 05 00 30 1f 31 0b 30 09 06 03 55 04 0a 13 |....0.1.0...U...| +000000a0 02 47 6f 31 10 30 0e 06 03 55 04 03 13 07 47 6f |.Go1.0...U....Go| +000000b0 20 52 6f 6f 74 30 1e 17 0d 31 36 30 31 30 31 30 | Root0...1601010| +000000c0 30 30 30 30 30 5a 17 0d 32 35 30 31 30 31 30 30 |00000Z..25010100| +000000d0 30 30 30 30 5a 30 1a 31 0b 30 09 06 03 55 04 0a |0000Z0.1.0...U..| +000000e0 13 02 47 6f 31 0b 30 09 06 03 55 04 03 13 02 47 |..Go1.0...U....G| +000000f0 6f 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 |o0..0...*.H.....| +00000100 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 db 46 |.......0.......F| +00000110 7d 93 2e 12 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 |}...'.H..(!.~...| +00000120 5d fe 1e 52 45 88 7a 36 47 a5 08 0d 92 42 5b c2 |]..RE.z6G....B[.| +00000130 81 c0 be 97 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 |....y.@.Om..+...| +00000140 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b |..g....."8.J.ts+| +00000150 c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c |.4......t{.X.la<| +00000160 c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d |..A..++$#w[.;.u]| +00000170 ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b |. T..c...$....P.| +00000180 aa b6 14 43 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 |...C...ub...R...| +00000190 01 00 01 a3 81 93 30 81 90 30 0e 06 03 55 1d 0f |......0..0...U..| +000001a0 01 01 ff 04 04 03 02 05 a0 30 1d 06 03 55 1d 25 |.........0...U.%| +000001b0 04 16 30 14 06 08 2b 06 01 05 05 07 03 01 06 08 |..0...+.........| +000001c0 2b 06 01 05 05 07 03 02 30 0c 06 03 55 1d 13 01 |+.......0...U...| +000001d0 01 ff 04 02 30 00 30 19 06 03 55 1d 0e 04 12 04 |....0.0...U.....| +000001e0 10 9f 91 16 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f |.....CC>I..m....| +000001f0 60 30 1b 06 03 55 1d 23 04 14 30 12 80 10 48 13 |`0...U.#..0...H.| +00000200 49 4d 13 7e 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 |IM.~.1......n{0.| +00000210 06 03 55 1d 11 04 12 30 10 82 0e 65 78 61 6d 70 |..U....0...examp| +00000220 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 |le.golang0...*.H| +00000230 86 f7 0d 01 01 0b 05 00 03 81 81 00 9d 30 cc 40 |.............0.@| +00000240 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed 83 28 a9 58 |+[P.a...SX...(.X| +00000250 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d |..8....1Z..f=C.-| +00000260 d9 0b f2 97 df d3 20 64 38 92 24 3a 00 bc cf 9c |...... d8.$:....| +00000270 7d b7 40 20 01 5f aa d3 16 61 09 a2 76 fd 13 c3 |}.@ ._...a..v...| +00000280 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed 73 bb b3 43 |...\.....l..s..C| +00000290 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d |w.......@.a.Lr+.| +000002a0 ae db 46 06 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db |..F..M...>...B..| +000002b0 fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 16 03 01 00 |.=.`.\!.;.......| +000002c0 aa 0c 00 00 a6 03 00 1d 20 17 27 58 d2 5f 59 a3 |........ .'X._Y.| +000002d0 62 62 d4 97 4a 49 c4 ff ec dc f7 d3 c9 ea f3 00 |bb..JI..........| +000002e0 61 1b d3 73 38 9e af 7d 17 00 80 59 7a 4e 55 97 |a..s8..}...YzNU.| +000002f0 5a 81 0e 2e 85 0b c2 61 f0 79 72 0e d1 d5 3b bf |Z......a.yr...;.| +00000300 6a 77 03 0a 9a 51 42 f5 98 2f 09 d5 7b 17 76 b8 |jw...QB../..{.v.| +00000310 2c a7 95 ee 61 65 d7 37 b3 1b 16 3c 48 7e 9d ed |,...ae.7...>> Flow 3 (client to server) +00000000 16 03 01 01 3c 0b 00 01 38 00 01 35 00 01 32 30 |....<...8..5..20| +00000010 82 01 2e 30 81 e1 a0 03 02 01 02 02 10 17 d1 81 |...0............| +00000020 93 be 2a 8c 21 20 10 25 15 e8 34 23 4f 30 05 06 |..*.! .%..4#O0..| +00000030 03 2b 65 70 30 12 31 10 30 0e 06 03 55 04 0a 13 |.+ep0.1.0...U...| +00000040 07 41 63 6d 65 20 43 6f 30 1e 17 0d 31 39 30 35 |.Acme Co0...1905| +00000050 31 36 32 31 35 34 32 36 5a 17 0d 32 30 30 35 31 |16215426Z..20051| +00000060 35 32 31 35 34 32 36 5a 30 12 31 10 30 0e 06 03 |5215426Z0.1.0...| +00000070 55 04 0a 13 07 41 63 6d 65 20 43 6f 30 2a 30 05 |U....Acme Co0*0.| +00000080 06 03 2b 65 70 03 21 00 0b e0 b5 60 b5 e2 79 30 |..+ep.!....`..y0| +00000090 3d be e3 1e e0 50 b1 04 c8 6d c7 78 6c 69 2f c5 |=....P...m.xli/.| +000000a0 14 ad 9a 63 6f 79 12 91 a3 4d 30 4b 30 0e 06 03 |...coy...M0K0...| +000000b0 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 13 06 03 |U...........0...| +000000c0 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 |U.%..0...+......| +000000d0 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 |.0...U.......0.0| +000000e0 16 06 03 55 1d 11 04 0f 30 0d 82 0b 65 78 61 6d |...U....0...exam| +000000f0 70 6c 65 2e 63 6f 6d 30 05 06 03 2b 65 70 03 41 |ple.com0...+ep.A| +00000100 00 fc 19 17 2a 94 a5 31 fa 29 c8 2e 7f 5b a0 5d |....*..1.)...[.]| +00000110 8a 4e 34 40 39 d6 b3 10 dc 19 fe a0 22 71 b3 f5 |.N4@9......."q..| +00000120 8f a1 58 0d cd f4 f1 85 24 bf e6 3d 14 df df ed |..X.....$..=....| +00000130 0e e1 17 d8 11 a2 60 d0 8a 37 23 2a c2 46 aa 3a |......`..7#*.F.:| +00000140 08 16 03 01 00 25 10 00 00 21 20 2f e5 7d a3 47 |.....%...! /.}.G| +00000150 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af |.bC.(.._.).0....| +00000160 c4 cf c2 ed 90 99 5f 58 cb 3b 74 16 03 01 00 46 |......_X.;t....F| +00000170 0f 00 00 42 00 40 14 6a d7 c1 9c 3d 81 fa e9 da |...B.@.j...=....| +00000180 96 5c 3a 09 e2 fc 36 e2 30 39 e4 6e 0d ac aa 54 |.\:...6.09.n...T| +00000190 24 4d 8c f0 35 14 b0 0b e9 5b 57 52 31 02 9f 6c |$M..5....[WR1..l| +000001a0 6f 6c d7 e9 b5 7f cb 30 fe b9 ba b9 7a 46 67 e3 |ol.....0....zFg.| +000001b0 a7 50 ca ce e4 04 14 03 01 00 01 01 16 03 01 00 |.P..............| +000001c0 30 8d 0a ca d1 5e 2c 7e 92 d0 69 f4 d9 e8 5d 0a |0....^,~..i...].| +000001d0 11 72 67 20 3e 80 64 29 e5 79 f5 33 ad 06 78 07 |.rg >.d).y.3..x.| +000001e0 4c 03 fc 2e 16 35 70 b1 72 e7 35 a9 cc 49 b8 29 |L....5p.r.5..I.)| +000001f0 30 |0| +>>> Flow 4 (server to client) +00000000 15 03 01 00 02 02 50 |......P| diff --git a/pkg/tls/testdata/Client-TLSv10-ClientCert-RSA-ECDSA b/pkg/tls/testdata/Client-TLSv10-ClientCert-RSA-ECDSA new file mode 100644 index 000000000..d150babc2 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv10-ClientCert-RSA-ECDSA @@ -0,0 +1,134 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 01 00 5d 02 00 00 59 03 01 53 6b 9f 42 b4 |....]...Y..Sk.B.| +00000010 38 d0 d3 ef 17 52 44 10 a5 70 61 35 8c ae a9 52 |8....RD..pa5...R| +00000020 6c d6 e2 c3 bd c4 3c b9 3c 09 83 20 aa 22 81 b5 |l.....<.<.. ."..| +00000030 02 b5 aa e6 24 88 e6 75 70 1c 32 9a 3b 2c 2f 05 |....$..up.2.;,/.| +00000040 e0 eb 59 65 4c 9e 45 82 fd d7 37 5e c0 09 00 00 |..YeL.E...7^....| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 01 02 0e 0b 00 02 0a 00 02 07 00 02 |................| +00000070 04 30 82 02 00 30 82 01 62 02 09 00 b8 bf 2d 47 |.0...0..b.....-G| +00000080 a0 d2 eb f4 30 09 06 07 2a 86 48 ce 3d 04 01 30 |....0...*.H.=..0| +00000090 45 31 0b 30 09 06 03 55 04 06 13 02 41 55 31 13 |E1.0...U....AU1.| +000000a0 30 11 06 03 55 04 08 13 0a 53 6f 6d 65 2d 53 74 |0...U....Some-St| +000000b0 61 74 65 31 21 30 1f 06 03 55 04 0a 13 18 49 6e |ate1!0...U....In| +000000c0 74 65 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 |ternet Widgits P| +000000d0 74 79 20 4c 74 64 30 1e 17 0d 31 32 31 31 32 32 |ty Ltd0...121122| +000000e0 31 35 30 36 33 32 5a 17 0d 32 32 31 31 32 30 31 |150632Z..2211201| +000000f0 35 30 36 33 32 5a 30 45 31 0b 30 09 06 03 55 04 |50632Z0E1.0...U.| +00000100 06 13 02 41 55 31 13 30 11 06 03 55 04 08 13 0a |...AU1.0...U....| +00000110 53 6f 6d 65 2d 53 74 61 74 65 31 21 30 1f 06 03 |Some-State1!0...| +00000120 55 04 0a 13 18 49 6e 74 65 72 6e 65 74 20 57 69 |U....Internet Wi| +00000130 64 67 69 74 73 20 50 74 79 20 4c 74 64 30 81 9b |dgits Pty Ltd0..| +00000140 30 10 06 07 2a 86 48 ce 3d 02 01 06 05 2b 81 04 |0...*.H.=....+..| +00000150 00 23 03 81 86 00 04 00 c4 a1 ed be 98 f9 0b 48 |.#.............H| +00000160 73 36 7e c3 16 56 11 22 f2 3d 53 c3 3b 4d 21 3d |s6~..V.".=S.;M!=| +00000170 cd 6b 75 e6 f6 b0 dc 9a df 26 c1 bc b2 87 f0 72 |.ku......&.....r| +00000180 32 7c b3 64 2f 1c 90 bc ea 68 23 10 7e fe e3 25 |2|.d/....h#.~..%| +00000190 c0 48 3a 69 e0 28 6d d3 37 00 ef 04 62 dd 0d a0 |.H:i.(m.7...b...| +000001a0 9c 70 62 83 d8 81 d3 64 31 aa 9e 97 31 bd 96 b0 |.pb....d1...1...| +000001b0 68 c0 9b 23 de 76 64 3f 1a 5c 7f e9 12 0e 58 58 |h..#.vd?.\....XX| +000001c0 b6 5f 70 dd 9b d8 ea d5 d7 f5 d5 cc b9 b6 9f 30 |._p............0| +000001d0 66 5b 66 9a 20 e2 27 e5 bf fe 3b 30 09 06 07 2a |f[f. .'...;0...*| +000001e0 86 48 ce 3d 04 01 03 81 8c 00 30 81 88 02 42 01 |.H.=......0...B.| +000001f0 88 a2 4f eb e2 45 c5 48 7d 1b ac f5 ed 98 9d ae |..O..E.H}.......| +00000200 47 70 c0 5e 1b b6 2f bd f1 b6 4d b7 61 40 d3 11 |Gp.^../...M.a@..| +00000210 a2 ce ee 0b 7e 92 7e ff 76 9d c3 3b 7e a5 3f ce |....~.~.v..;~.?.| +00000220 fa 10 e2 59 ec 47 2d 7c ac da 4e 97 0e 15 a0 6f |...Y.G-|..N....o| +00000230 d0 02 42 01 4d fc be 67 13 9c 2d 05 0e bd 3f a3 |..B.M..g..-...?.| +00000240 8c 25 c1 33 13 83 0d 94 06 bb d4 37 7a f6 ec 7a |.%.3.......7z..z| +00000250 c9 86 2e dd d7 11 69 7f 85 7c 56 de fb 31 78 2b |......i..|V..1x+| +00000260 e4 c7 78 0d ae cb be 9e 4e 36 24 31 7b 6a 0f 39 |..x.....N6$1{j.9| +00000270 95 12 07 8f 2a 16 03 01 00 b5 0c 00 00 b1 03 00 |....*...........| +00000280 1d 20 fc 74 81 8e 09 19 14 86 d3 4d 8d cf 7d 00 |. .t.......M..}.| +00000290 c1 83 83 b5 9a 32 f1 38 01 ae a9 9b a1 d9 26 54 |.....2.8......&T| +000002a0 a4 08 00 8b 30 81 88 02 42 00 a1 56 29 a7 ba 25 |....0...B..V)..%| +000002b0 bb 6a 12 51 77 c1 28 35 1e 4b 3e a8 01 63 e6 f6 |.j.Qw.(5.K>..c..| +000002c0 f3 99 05 7b 0f 1f 21 dd 9e de c9 c1 08 c6 bc 23 |...{..!........#| +000002d0 71 87 1e a1 30 07 0c 5d f6 9f bf 45 7d 60 3c c2 |q...0..]...E}`<.| +000002e0 48 65 3d 3f a3 b4 67 89 90 1d 12 02 42 00 93 43 |He=?..g.....B..C| +000002f0 12 c1 46 b5 6d 2e cc 60 50 11 95 86 bd 36 53 fc |..F.m..`P....6S.| +00000300 92 01 6a 11 92 97 69 c2 cf c9 b0 a0 4a 42 0b d2 |..j...i.....JB..| +00000310 c4 0c 84 e5 9e f6 2c a3 91 70 45 25 1f 78 17 b0 |......,..pE%.x..| +00000320 1f 0e f7 a2 d5 4d 1c 77 ec f9 04 ca ab 68 26 16 |.....M.w.....h&.| +00000330 03 01 00 0a 0d 00 00 06 03 01 02 40 00 00 16 03 |...........@....| +00000340 01 00 04 0e 00 00 00 |.......| +>>> Flow 3 (client to server) +00000000 16 03 01 01 fd 0b 00 01 f9 00 01 f6 00 01 f3 30 |...............0| +00000010 82 01 ef 30 82 01 58 a0 03 02 01 02 02 10 5c 19 |...0..X.......\.| +00000020 c1 89 65 83 55 6f dc 0b c9 b9 93 9f e9 bc 30 0d |..e.Uo........0.| +00000030 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 12 31 |..*.H........0.1| +00000040 10 30 0e 06 03 55 04 0a 13 07 41 63 6d 65 20 43 |.0...U....Acme C| +00000050 6f 30 1e 17 0d 31 36 30 38 31 37 32 31 35 32 33 |o0...16081721523| +00000060 31 5a 17 0d 31 37 30 38 31 37 32 31 35 32 33 31 |1Z..170817215231| +00000070 5a 30 12 31 10 30 0e 06 03 55 04 0a 13 07 41 63 |Z0.1.0...U....Ac| +00000080 6d 65 20 43 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |me Co0..0...*.H.| +00000090 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +000000a0 81 00 ba 6f aa 86 bd cf bf 9f f2 ef 5c 94 60 78 |...o........\.`x| +000000b0 6f e8 13 f2 d1 96 6f cd d9 32 6e 22 37 ce 41 f9 |o.....o..2n"7.A.| +000000c0 ca 5d 29 ac e1 27 da 61 a2 ee 81 cb 10 c7 df 34 |.])..'.a.......4| +000000d0 58 95 86 e9 3d 19 e6 5c 27 73 60 c8 8d 78 02 f4 |X...=..\'s`..x..| +000000e0 1d a4 98 09 a3 19 70 69 3c 25 62 66 2a ab 22 23 |......pi<%bf*."#| +000000f0 c5 7b 85 38 4f 2e 09 73 32 a7 bd 3e 9b ad ca 84 |.{.8O..s2..>....| +00000100 07 e6 0f 3a ff 77 c5 9d 41 85 00 8a b6 9b ee b0 |...:.w..A.......| +00000110 a4 3f 2d 4c 4c e6 42 3e bb 51 c8 dd 48 54 f4 0c |.?-LL.B>.Q..HT..| +00000120 8e 47 02 03 01 00 01 a3 46 30 44 30 0e 06 03 55 |.G......F0D0...U| +00000130 1d 0f 01 01 ff 04 04 03 02 05 a0 30 13 06 03 55 |...........0...U| +00000140 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 01 |.%..0...+.......| +00000150 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 0f |0...U.......0.0.| +00000160 06 03 55 1d 11 04 08 30 06 87 04 7f 00 00 01 30 |..U....0.......0| +00000170 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 |...*.H..........| +00000180 81 00 46 ab 44 a2 fb 28 54 f8 5a 67 f8 62 94 f1 |..F.D..(T.Zg.b..| +00000190 9a b2 18 9e f2 b1 de 1d 7e 6f 76 95 a9 ba e7 5d |........~ov....]| +000001a0 a8 16 6c 9c f7 09 d3 37 e4 4b 2b 36 7c 01 ad 41 |..l....7.K+6|..A| +000001b0 d2 32 d8 c3 d2 93 f9 10 6b 8e 95 b9 2c 17 8a a3 |.2......k...,...| +000001c0 44 48 bc 59 13 83 16 04 88 a4 81 5c 25 0d 98 0c |DH.Y.......\%...| +000001d0 ac 11 b1 28 56 be 1d cd 61 62 84 09 bf d6 80 c6 |...(V...ab......| +000001e0 45 8d 82 2c b4 d8 83 9b db c9 22 b7 2a 12 11 7b |E..,......".*..{| +000001f0 fa 02 3b c1 c9 ff ea c9 9d a8 49 d3 95 d7 d5 0e |..;.......I.....| +00000200 e5 35 16 03 01 00 25 10 00 00 21 20 2f e5 7d a3 |.5....%...! /.}.| +00000210 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 |G.bC.(.._.).0...| +00000220 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 16 03 01 00 |......._X.;t....| +00000230 86 0f 00 00 82 00 80 3b af ba ad 44 f1 06 e4 79 |.......;...D...y| +00000240 d7 fa 41 42 2a 7e 45 3d fc 9d f7 5d a9 13 b9 35 |..AB*~E=...]...5| +00000250 49 ea 28 6a 03 48 0b 14 c9 43 69 16 32 b7 6b b5 |I.(j.H...Ci.2.k.| +00000260 a7 11 44 15 26 61 04 ea f8 1e a0 32 3d 6b 26 be |..D.&a.....2=k&.| +00000270 37 44 34 0e 06 62 ee cf b9 41 4c 84 ba 3f aa 5f |7D4..b...AL..?._| +00000280 d7 ea 31 c8 77 07 13 38 66 ba ec b4 b0 6c 44 ee |..1.w..8f....lD.| +00000290 8e d4 49 1d 9e 7b 2d b2 48 23 a0 06 04 22 9b 3a |..I..{-.H#...".:| +000002a0 3f 71 13 13 ce 67 3f e8 84 0f a4 8d ff 2c de f5 |?q...g?......,..| +000002b0 ce 8d 15 8d 64 bc 5e 14 03 01 00 01 01 16 03 01 |....d.^.........| +000002c0 00 30 f6 42 8a 63 15 7b 24 63 62 dc f7 6a ab 38 |.0.B.c.{$cb..j.8| +000002d0 33 32 6d c6 44 5e 10 8a 7a f8 f0 77 e7 5c 2a 6e |32m.D^..z..w.\*n| +000002e0 8f 18 72 c6 e2 42 66 c0 f7 7a 45 fb 68 01 30 8a |..r..Bf..zE.h.0.| +000002f0 59 1a |Y.| +>>> Flow 4 (server to client) +00000000 14 03 01 00 01 01 16 03 01 00 30 1f a1 61 8d 3e |..........0..a.>| +00000010 6e 5d 29 bd d0 14 80 ec 55 fc 7d b2 02 bd 6d c5 |n]).....U.}...m.| +00000020 93 50 67 30 4f ce d5 8a 8b 80 3c 9a a6 0f ac be |.Pg0O.....<.....| +00000030 dd b0 1b 22 0d 89 dc cd 73 ba 99 |..."....s..| +>>> Flow 5 (client to server) +00000000 17 03 01 00 20 23 4b ba 47 65 fb 41 fb ad c6 06 |.... #K.Ge.A....| +00000010 c2 c7 ed 6e b4 d0 42 48 6b 68 60 69 7c f0 91 85 |...n..BHkh`i|...| +00000020 f3 a2 ea b1 5b 17 03 01 00 20 d2 fa 3c a5 d2 ea |....[.... ..<...| +00000030 b8 81 7a fb 31 95 bc e5 e3 4d 1a 15 e7 e3 96 8e |..z.1....M......| +00000040 bc 77 26 b1 5c b5 61 14 99 7c 15 03 01 00 20 b2 |.w&.\.a..|.... .| +00000050 0c 6a 3d 02 6b 32 2f 43 9e 5e ac f1 c3 97 e2 27 |.j=.k2/C.^.....'| +00000060 c1 a1 b9 b6 b7 11 36 17 27 0a 7a 8d 53 18 d6 |......6.'.z.S..| diff --git a/pkg/tls/testdata/Client-TLSv10-ClientCert-RSA-RSA b/pkg/tls/testdata/Client-TLSv10-ClientCert-RSA-RSA new file mode 100644 index 000000000..b3157bb18 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv10-ClientCert-RSA-RSA @@ -0,0 +1,138 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 01 00 5d 02 00 00 59 03 01 a1 43 a5 02 b9 |....]...Y...C...| +00000010 48 81 74 51 b7 89 df 36 43 1c a3 5e f3 11 7e 81 |H.tQ...6C..^..~.| +00000020 2d 43 b5 86 e8 4a f4 fe 5e 5e 92 20 10 31 08 7a |-C...J..^^. .1.z| +00000030 cc 0e 5a 90 0e 07 aa 2f c7 17 b8 c9 d5 93 36 e3 |..Z..../......6.| +00000040 ca 34 ed a2 e2 3d 6c 0c fd 56 d9 64 c0 13 00 00 |.4...=l..V.d....| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 01 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 01 00 aa 0c 00 00 a6 03 00 1d 20 62 23 e4 |............ b#.| +000002d0 5c 02 03 2d 62 41 93 e8 99 9d 01 cb 55 2c 7d 8d |\..-bA......U,}.| +000002e0 fd db d6 ac c6 99 d0 78 0f 27 27 37 70 00 80 6a |.......x.''7p..j| +000002f0 58 5e 29 6b 93 82 42 fa a2 b7 5c 06 d8 ac ae 85 |X^)k..B...\.....| +00000300 48 37 98 35 cf 31 09 8e d6 a3 37 26 d1 e5 b3 3b |H7.5.1....7&...;| +00000310 98 53 dc b5 d2 9d 73 80 89 04 35 20 e6 e7 ac 48 |.S....s...5 ...H| +00000320 88 6f 42 ac 1b 46 d3 78 6a f0 5d a0 68 e1 83 db |.oB..F.xj.].h...| +00000330 8a f3 bc f0 d2 35 b7 ae 8d 38 75 9f d6 76 01 ce |.....5...8u..v..| +00000340 d7 a9 0f 69 11 09 75 4a 20 b4 3b ec 14 fd 2b 7b |...i..uJ .;...+{| +00000350 e1 cf 12 89 d2 a2 94 3d 76 d5 b8 65 b4 17 24 43 |.......=v..e..$C| +00000360 96 68 c4 c9 cc a2 08 e7 ca bc 2d 14 90 fa 53 16 |.h........-...S.| +00000370 03 01 00 0a 0d 00 00 06 03 01 02 40 00 00 16 03 |...........@....| +00000380 01 00 04 0e 00 00 00 |.......| +>>> Flow 3 (client to server) +00000000 16 03 01 01 fd 0b 00 01 f9 00 01 f6 00 01 f3 30 |...............0| +00000010 82 01 ef 30 82 01 58 a0 03 02 01 02 02 10 5c 19 |...0..X.......\.| +00000020 c1 89 65 83 55 6f dc 0b c9 b9 93 9f e9 bc 30 0d |..e.Uo........0.| +00000030 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 12 31 |..*.H........0.1| +00000040 10 30 0e 06 03 55 04 0a 13 07 41 63 6d 65 20 43 |.0...U....Acme C| +00000050 6f 30 1e 17 0d 31 36 30 38 31 37 32 31 35 32 33 |o0...16081721523| +00000060 31 5a 17 0d 31 37 30 38 31 37 32 31 35 32 33 31 |1Z..170817215231| +00000070 5a 30 12 31 10 30 0e 06 03 55 04 0a 13 07 41 63 |Z0.1.0...U....Ac| +00000080 6d 65 20 43 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |me Co0..0...*.H.| +00000090 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +000000a0 81 00 ba 6f aa 86 bd cf bf 9f f2 ef 5c 94 60 78 |...o........\.`x| +000000b0 6f e8 13 f2 d1 96 6f cd d9 32 6e 22 37 ce 41 f9 |o.....o..2n"7.A.| +000000c0 ca 5d 29 ac e1 27 da 61 a2 ee 81 cb 10 c7 df 34 |.])..'.a.......4| +000000d0 58 95 86 e9 3d 19 e6 5c 27 73 60 c8 8d 78 02 f4 |X...=..\'s`..x..| +000000e0 1d a4 98 09 a3 19 70 69 3c 25 62 66 2a ab 22 23 |......pi<%bf*."#| +000000f0 c5 7b 85 38 4f 2e 09 73 32 a7 bd 3e 9b ad ca 84 |.{.8O..s2..>....| +00000100 07 e6 0f 3a ff 77 c5 9d 41 85 00 8a b6 9b ee b0 |...:.w..A.......| +00000110 a4 3f 2d 4c 4c e6 42 3e bb 51 c8 dd 48 54 f4 0c |.?-LL.B>.Q..HT..| +00000120 8e 47 02 03 01 00 01 a3 46 30 44 30 0e 06 03 55 |.G......F0D0...U| +00000130 1d 0f 01 01 ff 04 04 03 02 05 a0 30 13 06 03 55 |...........0...U| +00000140 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 01 |.%..0...+.......| +00000150 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 0f |0...U.......0.0.| +00000160 06 03 55 1d 11 04 08 30 06 87 04 7f 00 00 01 30 |..U....0.......0| +00000170 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 |...*.H..........| +00000180 81 00 46 ab 44 a2 fb 28 54 f8 5a 67 f8 62 94 f1 |..F.D..(T.Zg.b..| +00000190 9a b2 18 9e f2 b1 de 1d 7e 6f 76 95 a9 ba e7 5d |........~ov....]| +000001a0 a8 16 6c 9c f7 09 d3 37 e4 4b 2b 36 7c 01 ad 41 |..l....7.K+6|..A| +000001b0 d2 32 d8 c3 d2 93 f9 10 6b 8e 95 b9 2c 17 8a a3 |.2......k...,...| +000001c0 44 48 bc 59 13 83 16 04 88 a4 81 5c 25 0d 98 0c |DH.Y.......\%...| +000001d0 ac 11 b1 28 56 be 1d cd 61 62 84 09 bf d6 80 c6 |...(V...ab......| +000001e0 45 8d 82 2c b4 d8 83 9b db c9 22 b7 2a 12 11 7b |E..,......".*..{| +000001f0 fa 02 3b c1 c9 ff ea c9 9d a8 49 d3 95 d7 d5 0e |..;.......I.....| +00000200 e5 35 16 03 01 00 25 10 00 00 21 20 2f e5 7d a3 |.5....%...! /.}.| +00000210 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 |G.bC.(.._.).0...| +00000220 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 16 03 01 00 |......._X.;t....| +00000230 86 0f 00 00 82 00 80 3d 7f 32 50 ff aa 3d ff 0f |.......=.2P..=..| +00000240 f8 68 64 fb 2d 34 b8 5b 5e 4b 49 04 b8 eb f7 07 |.hd.-4.[^KI.....| +00000250 b7 bf 55 17 e5 11 66 87 23 16 3e ba 87 2f 58 23 |..U...f.#.>../X#| +00000260 28 d4 df 15 75 eb 7b f6 38 94 a8 73 8a d2 1f 51 |(...u.{.8..s...Q| +00000270 0f b5 90 16 0f db f9 23 a0 bc a5 96 48 ac a6 fa |.......#....H...| +00000280 fd e7 b4 94 5e c6 d4 a6 69 61 97 1a c3 ed 1e 5a |....^...ia.....Z| +00000290 db d9 c5 8f 58 97 6c 2a 88 f8 fb 52 14 10 a6 5a |....X.l*...R...Z| +000002a0 62 7a f8 37 40 e7 fd 27 c6 27 32 12 10 75 83 e3 |bz.7@..'.'2..u..| +000002b0 66 c1 77 78 90 38 5d 14 03 01 00 01 01 16 03 01 |f.wx.8].........| +000002c0 00 30 47 b5 75 6f 94 df 88 65 2d fc 45 33 29 d0 |.0G.uo...e-.E3).| +000002d0 be 8d c0 72 59 be 7e 57 aa d8 42 d5 61 95 24 53 |...rY.~W..B.a.$S| +000002e0 19 94 06 5b 48 34 22 44 6e 6e bf 2a 3d 0d 83 f6 |...[H4"Dnn.*=...| +000002f0 a7 3b |.;| +>>> Flow 4 (server to client) +00000000 14 03 01 00 01 01 16 03 01 00 30 c1 88 7e 9e de |..........0..~..| +00000010 d3 2d 1d 27 bf d5 49 c5 a7 67 cc 0b fc ca a6 9b |.-.'..I..g......| +00000020 1b c7 96 59 ff 4f b9 7d a0 7a 5e ed eb 77 04 5f |...Y.O.}.z^..w._| +00000030 ba b6 ea 33 80 b0 28 ef 96 ba 6a |...3..(...j| +>>> Flow 5 (client to server) +00000000 17 03 01 00 20 55 4a e0 a0 68 5f 32 17 9a a3 fd |.... UJ..h_2....| +00000010 01 e9 2c fa 19 12 56 6f c6 d7 a7 8d b7 8b 74 8a |..,...Vo......t.| +00000020 3a ae 72 9f 1e 17 03 01 00 20 b2 07 ca 31 62 b7 |:.r...... ...1b.| +00000030 cb 46 d4 33 61 6c 81 11 d8 8b f3 cf 6a ac a8 c7 |.F.3al......j...| +00000040 06 9c dc d9 49 ad 39 2a 6a ea 15 03 01 00 20 ee |....I.9*j..... .| +00000050 53 44 2e a0 bc 8d 74 8c 12 6b 3d a8 3e a5 98 00 |SD....t..k=.>...| +00000060 03 e8 bb 34 f5 a9 29 81 0a 6f e6 d3 0e ad 9d |...4..)..o.....| diff --git a/pkg/tls/testdata/Client-TLSv10-ECDHE-ECDSA-AES b/pkg/tls/testdata/Client-TLSv10-ECDHE-ECDSA-AES new file mode 100644 index 000000000..d146d7994 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv10-ECDHE-ECDSA-AES @@ -0,0 +1,92 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 01 00 5d 02 00 00 59 03 01 1c a5 a3 a1 49 |....]...Y......I| +00000010 4e 93 54 cf 5a a2 8b 57 e7 f9 7b ce 53 48 fb 5b |N.T.Z..W..{.SH.[| +00000020 82 51 d6 0d aa c7 8b 40 44 5f 18 20 e3 b4 ca 5c |.Q.....@D_. ...\| +00000030 fd 20 e3 ae d2 a4 df e6 af db 4f 8b e9 95 41 1e |. ........O...A.| +00000040 8f 6f 1e 0a 33 e4 0b 0b 1b aa 54 a7 c0 09 00 00 |.o..3.....T.....| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 01 02 0e 0b 00 02 0a 00 02 07 00 02 |................| +00000070 04 30 82 02 00 30 82 01 62 02 09 00 b8 bf 2d 47 |.0...0..b.....-G| +00000080 a0 d2 eb f4 30 09 06 07 2a 86 48 ce 3d 04 01 30 |....0...*.H.=..0| +00000090 45 31 0b 30 09 06 03 55 04 06 13 02 41 55 31 13 |E1.0...U....AU1.| +000000a0 30 11 06 03 55 04 08 13 0a 53 6f 6d 65 2d 53 74 |0...U....Some-St| +000000b0 61 74 65 31 21 30 1f 06 03 55 04 0a 13 18 49 6e |ate1!0...U....In| +000000c0 74 65 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 |ternet Widgits P| +000000d0 74 79 20 4c 74 64 30 1e 17 0d 31 32 31 31 32 32 |ty Ltd0...121122| +000000e0 31 35 30 36 33 32 5a 17 0d 32 32 31 31 32 30 31 |150632Z..2211201| +000000f0 35 30 36 33 32 5a 30 45 31 0b 30 09 06 03 55 04 |50632Z0E1.0...U.| +00000100 06 13 02 41 55 31 13 30 11 06 03 55 04 08 13 0a |...AU1.0...U....| +00000110 53 6f 6d 65 2d 53 74 61 74 65 31 21 30 1f 06 03 |Some-State1!0...| +00000120 55 04 0a 13 18 49 6e 74 65 72 6e 65 74 20 57 69 |U....Internet Wi| +00000130 64 67 69 74 73 20 50 74 79 20 4c 74 64 30 81 9b |dgits Pty Ltd0..| +00000140 30 10 06 07 2a 86 48 ce 3d 02 01 06 05 2b 81 04 |0...*.H.=....+..| +00000150 00 23 03 81 86 00 04 00 c4 a1 ed be 98 f9 0b 48 |.#.............H| +00000160 73 36 7e c3 16 56 11 22 f2 3d 53 c3 3b 4d 21 3d |s6~..V.".=S.;M!=| +00000170 cd 6b 75 e6 f6 b0 dc 9a df 26 c1 bc b2 87 f0 72 |.ku......&.....r| +00000180 32 7c b3 64 2f 1c 90 bc ea 68 23 10 7e fe e3 25 |2|.d/....h#.~..%| +00000190 c0 48 3a 69 e0 28 6d d3 37 00 ef 04 62 dd 0d a0 |.H:i.(m.7...b...| +000001a0 9c 70 62 83 d8 81 d3 64 31 aa 9e 97 31 bd 96 b0 |.pb....d1...1...| +000001b0 68 c0 9b 23 de 76 64 3f 1a 5c 7f e9 12 0e 58 58 |h..#.vd?.\....XX| +000001c0 b6 5f 70 dd 9b d8 ea d5 d7 f5 d5 cc b9 b6 9f 30 |._p............0| +000001d0 66 5b 66 9a 20 e2 27 e5 bf fe 3b 30 09 06 07 2a |f[f. .'...;0...*| +000001e0 86 48 ce 3d 04 01 03 81 8c 00 30 81 88 02 42 01 |.H.=......0...B.| +000001f0 88 a2 4f eb e2 45 c5 48 7d 1b ac f5 ed 98 9d ae |..O..E.H}.......| +00000200 47 70 c0 5e 1b b6 2f bd f1 b6 4d b7 61 40 d3 11 |Gp.^../...M.a@..| +00000210 a2 ce ee 0b 7e 92 7e ff 76 9d c3 3b 7e a5 3f ce |....~.~.v..;~.?.| +00000220 fa 10 e2 59 ec 47 2d 7c ac da 4e 97 0e 15 a0 6f |...Y.G-|..N....o| +00000230 d0 02 42 01 4d fc be 67 13 9c 2d 05 0e bd 3f a3 |..B.M..g..-...?.| +00000240 8c 25 c1 33 13 83 0d 94 06 bb d4 37 7a f6 ec 7a |.%.3.......7z..z| +00000250 c9 86 2e dd d7 11 69 7f 85 7c 56 de fb 31 78 2b |......i..|V..1x+| +00000260 e4 c7 78 0d ae cb be 9e 4e 36 24 31 7b 6a 0f 39 |..x.....N6$1{j.9| +00000270 95 12 07 8f 2a 16 03 01 00 b5 0c 00 00 b1 03 00 |....*...........| +00000280 1d 20 d8 71 32 54 18 4e 03 b2 c7 dd 0d 04 2f c5 |. .q2T.N....../.| +00000290 c4 da f0 c8 72 b5 c0 b8 c1 a9 f7 e3 8d 1f 0d 3b |....r..........;| +000002a0 2a 08 00 8b 30 81 88 02 42 01 b6 59 64 4b 72 d6 |*...0...B..YdKr.| +000002b0 ef 9e 3e 18 1d d4 da 89 e1 59 91 96 47 55 09 cd |..>......Y..GU..| +000002c0 ee a1 e9 0c db c9 6c bc 09 82 e1 4e 03 e7 c9 c5 |......l....N....| +000002d0 78 bd 2f 28 dc fc 6a 8c ed e7 43 74 4e e0 06 f6 |x./(..j...CtN...| +000002e0 ee 85 f5 0f f9 c4 92 96 7d 69 4e 02 42 01 3f cc |........}iN.B.?.| +000002f0 89 ce 81 42 00 4f 89 28 3d 6d 6a 70 5a 6c d9 87 |...B.O.(=mjpZl..| +00000300 a3 80 36 7f fa c1 a1 50 57 4b 93 bf a3 16 01 f5 |..6....PWK......| +00000310 d4 07 4d fd 33 4a 2f 50 36 83 82 40 ef 8d aa 10 |..M.3J/P6..@....| +00000320 6d d0 e0 24 bd d6 33 d0 96 87 ce 43 28 44 86 16 |m..$..3....C(D..| +00000330 03 01 00 04 0e 00 00 00 |........| +>>> Flow 3 (client to server) +00000000 16 03 01 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 01 00 01 01 |....._X.;t......| +00000030 16 03 01 00 30 56 e4 5e 74 7d 22 11 ce 6a 97 42 |....0V.^t}"..j.B| +00000040 9f 6f 71 26 d4 a3 0f e4 03 1d 96 e1 ed a5 bd e4 |.oq&............| +00000050 a5 96 7c b0 49 d4 bf fe b2 3e d4 ed b0 52 f0 1b |..|.I....>...R..| +00000060 72 f4 45 ab a3 |r.E..| +>>> Flow 4 (server to client) +00000000 14 03 01 00 01 01 16 03 01 00 30 85 b6 39 e7 4e |..........0..9.N| +00000010 2d d9 aa 9c a7 a7 e9 13 a7 05 cb a4 c0 11 62 67 |-.............bg| +00000020 34 6f b1 33 05 1e d0 a6 d1 20 f3 cc 47 7d ea 63 |4o.3..... ..G}.c| +00000030 99 dc 34 46 8e 47 eb 5f 2c 1b b5 |..4F.G._,..| +>>> Flow 5 (client to server) +00000000 17 03 01 00 20 35 6d 66 48 4a a0 ee 5a b7 2a 15 |.... 5mfHJ..Z.*.| +00000010 c8 0c f7 86 16 f1 6a 96 51 28 9b 81 14 fd ac 92 |......j.Q(......| +00000020 7b d0 9d be 24 17 03 01 00 20 08 f2 38 45 8e a3 |{...$.... ..8E..| +00000030 89 50 5d 7f c8 5e 4f 71 7e 23 17 da 9b 99 a9 9d |.P]..^Oq~#......| +00000040 ed 51 8b 1a c8 67 fe 6c c8 2a 15 03 01 00 20 e1 |.Q...g.l.*.... .| +00000050 ef 54 d4 d3 e3 1e 5a db c0 e9 92 8c 27 e5 86 dd |.T....Z.....'...| +00000060 29 78 cc 90 6b a7 9c 7b b4 9b 1b 5d 1a 65 18 |)x..k..{...].e.| diff --git a/pkg/tls/testdata/Client-TLSv10-ECDHE-RSA-AES b/pkg/tls/testdata/Client-TLSv10-ECDHE-RSA-AES new file mode 100644 index 000000000..e66b88a5c --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv10-ECDHE-RSA-AES @@ -0,0 +1,96 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 01 00 5d 02 00 00 59 03 01 4c dc 79 d9 cc |....]...Y..L.y..| +00000010 4d 3e e9 7d b2 7c 46 0d 2d 2f ff 27 47 b1 e3 52 |M>.}.|F.-/.'G..R| +00000020 b1 b4 34 80 6e 60 d5 b6 2d ab bd 20 d4 59 df e1 |..4.n`..-.. .Y..| +00000030 99 75 36 f3 ac 26 40 99 74 f3 78 43 20 e0 da 18 |.u6..&@.t.xC ...| +00000040 ae 5c bb bc b5 cc 3f c5 32 7e 3c ba c0 13 00 00 |.\....?.2~<.....| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 01 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 01 00 aa 0c 00 00 a6 03 00 1d 20 ee 7b 17 |............ .{.| +000002d0 15 a8 03 82 b4 bc ec 9a 6f 77 a8 29 29 2f ed 2e |........ow.))/..| +000002e0 65 91 4f 38 b4 e3 a8 f6 48 be c9 c4 26 00 80 ae |e.O8....H...&...| +000002f0 ef 11 b3 78 c2 8b 4d 86 38 c6 4e 86 1c 26 57 24 |...x..M.8.N..&W$| +00000300 cf 21 12 b1 74 13 eb 12 c4 90 5a a2 eb 2c 9b 97 |.!..t.....Z..,..| +00000310 23 f6 8f 4f 25 b8 70 fe b1 dc 95 b5 0c 8f 0b 0d |#..O%.p.........| +00000320 d9 23 40 a9 48 c3 52 08 0f 4b d4 7d 9f f3 e3 4e |.#@.H.R..K.}...N| +00000330 8e 14 98 7c ac e9 ee a3 53 0c 25 bf 8e 06 a5 cb |...|....S.%.....| +00000340 6e 96 76 37 be 8a c8 2e c3 72 cc 8d 12 78 bc 20 |n.v7.....r...x. | +00000350 8c 53 0e e7 72 59 4d 46 34 72 27 37 6d 2c 88 d6 |.S..rYMF4r'7m,..| +00000360 cd 0f ab 6d e1 2d a0 3c df 04 35 d9 d2 2d f5 16 |...m.-.<..5..-..| +00000370 03 01 00 04 0e 00 00 00 |........| +>>> Flow 3 (client to server) +00000000 16 03 01 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 01 00 01 01 |....._X.;t......| +00000030 16 03 01 00 30 af af 7d 17 17 49 08 86 ba 49 c7 |....0..}..I...I.| +00000040 01 e9 f2 85 f4 70 2d 37 38 b3 38 4d c3 23 0f f5 |.....p-78.8M.#..| +00000050 fe f3 22 58 6a ec cd ee 17 92 d0 fe aa d8 68 ff |.."Xj.........h.| +00000060 1d b1 7a 5b 6a |..z[j| +>>> Flow 4 (server to client) +00000000 14 03 01 00 01 01 16 03 01 00 30 30 b9 1b da 00 |..........00....| +00000010 85 eb 23 f3 69 6a 96 34 f1 03 b8 51 c4 0c 09 a7 |..#.ij.4...Q....| +00000020 62 4c 14 c6 fb ee b0 2b f0 fc e6 9b b6 97 47 83 |bL.....+......G.| +00000030 20 3d fe c4 42 43 6f c1 2f 09 6a | =..BCo./.j| +>>> Flow 5 (client to server) +00000000 17 03 01 00 20 42 e3 37 32 c0 b5 bb fb 9b 26 9e |.... B.72.....&.| +00000010 1b b1 28 ee c7 44 c3 7c c8 51 88 3a e9 5a c7 2f |..(..D.|.Q.:.Z./| +00000020 b6 0d 73 ee 3e 17 03 01 00 20 20 33 1e 5f 0f 81 |..s.>.... 3._..| +00000030 aa 06 15 f1 e6 24 f3 12 07 ad 78 a6 0f 18 ad 33 |.....$....x....3| +00000040 67 d4 1c ec 28 15 65 de e2 6e 15 03 01 00 20 b0 |g...(.e..n.... .| +00000050 93 62 04 fe 6e 3f 41 a5 c8 e8 6c 9d a7 96 59 ba |.b..n?A...l...Y.| +00000060 aa 81 c8 ff ef 66 91 89 5f 9c ba d1 aa e7 ef |.....f.._......| diff --git a/pkg/tls/testdata/Client-TLSv10-Ed25519 b/pkg/tls/testdata/Client-TLSv10-Ed25519 new file mode 100644 index 000000000..e69de29bb diff --git a/pkg/tls/testdata/Client-TLSv10-ExportKeyingMaterial b/pkg/tls/testdata/Client-TLSv10-ExportKeyingMaterial new file mode 100644 index 000000000..8225f78eb --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv10-ExportKeyingMaterial @@ -0,0 +1,96 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 01 00 5d 02 00 00 59 03 01 b7 20 c3 67 7b |....]...Y... .g{| +00000010 94 6e d7 da ea e0 77 4e 05 ad e0 9b a2 97 59 e3 |.n....wN......Y.| +00000020 de 61 a2 49 d0 2f 27 7d fc 7c 4e 20 9a 18 52 f9 |.a.I./'}.|N ..R.| +00000030 bf ec 13 7d 28 1a 44 14 ea 77 25 7a 30 81 36 1e |...}(.D..w%z0.6.| +00000040 18 b3 23 37 79 dc 10 e8 f2 18 90 c7 c0 13 00 00 |..#7y...........| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 01 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 01 00 aa 0c 00 00 a6 03 00 1d 20 99 c4 bc |............ ...| +000002d0 cb 82 39 73 e7 54 86 b6 36 ae 7a 82 4e 4a fc 6a |..9s.T..6.z.NJ.j| +000002e0 19 ed 81 7b 53 03 2f 90 92 de 2a 84 65 00 80 01 |...{S./...*.e...| +000002f0 4d 05 a7 5b ac 30 c4 47 68 1b 27 ce f9 9b bd 31 |M..[.0.Gh.'....1| +00000300 08 90 21 16 c9 20 3c 72 da e4 8b ce 6b d5 d6 47 |..!.. >> Flow 3 (client to server) +00000000 16 03 01 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 01 00 01 01 |....._X.;t......| +00000030 16 03 01 00 30 43 fc 64 73 ed 5b eb ac 0e 09 cf |....0C.ds.[.....| +00000040 ae 3e 3c 8c 0a ab b5 a9 c0 32 ed 8d ea 71 ed 87 |.><......2...q..| +00000050 e5 ee d7 0c 9d a4 09 c6 9b 1d b2 86 2f a3 2e 77 |............/..w| +00000060 aa b2 5c 6f b0 |..\o.| +>>> Flow 4 (server to client) +00000000 14 03 01 00 01 01 16 03 01 00 30 c5 aa 36 4d 9a |..........0..6M.| +00000010 7a e6 ea 66 2e 63 2d 69 9b b4 91 fa fc f1 f7 a5 |z..f.c-i........| +00000020 19 17 eb da d6 95 d9 95 42 09 4c 54 30 60 c9 00 |........B.LT0`..| +00000030 d4 a1 9e 25 dd 62 f0 33 29 43 9c |...%.b.3)C.| +>>> Flow 5 (client to server) +00000000 17 03 01 00 20 44 84 33 58 99 c7 71 39 e6 fa 89 |.... D.3X..q9...| +00000010 f9 a2 bd 15 9a 41 2f e7 27 1a 33 e9 89 ce 24 4c |.....A/.'.3...$L| +00000020 db cf c6 11 15 17 03 01 00 20 e5 5a 7b 6b ea 19 |......... .Z{k..| +00000030 f1 55 77 54 b6 a0 c0 c6 02 d6 ce 49 b6 93 91 d3 |.UwT.......I....| +00000040 7f 8a 93 d1 73 8d d6 f6 56 b6 15 03 01 00 20 71 |....s...V..... q| +00000050 26 23 0c 06 c6 08 13 2d f3 b2 c0 91 f3 11 c4 23 |&#.....-.......#| +00000060 c3 57 79 eb ff 8b e1 81 12 fb 13 02 26 b1 5b |.Wy.........&.[| diff --git a/pkg/tls/testdata/Client-TLSv10-RSA-RC4 b/pkg/tls/testdata/Client-TLSv10-RSA-RC4 new file mode 100644 index 000000000..219462a31 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv10-RSA-RC4 @@ -0,0 +1,86 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 01 00 55 02 00 00 51 03 01 73 52 96 88 0a |....U...Q..sR...| +00000010 35 f9 ca 22 44 32 ec 69 08 b1 4d b3 6b 70 18 92 |5.."D2.i..M.kp..| +00000020 af 91 bf 82 00 be 1d bf b4 2f 00 20 f3 e2 c8 e0 |........./. ....| +00000030 5f 1a 7f 0c 69 f4 6b 74 44 39 b1 2a b9 33 8f 32 |_...i.ktD9.*.3.2| +00000040 50 37 63 15 69 bc 45 d3 db a7 28 09 00 05 00 00 |P7c.i.E...(.....| +00000050 09 ff 01 00 01 00 00 17 00 00 16 03 01 02 59 0b |..............Y.| +00000060 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000070 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000080 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000090 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +000000a0 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +000000b0 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000c0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000d0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000e0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000f0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +00000100 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +00000110 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000120 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000130 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000140 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000150 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000160 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000170 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000180 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000190 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +000001a0 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +000001b0 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001c0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001d0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001e0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001f0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +00000200 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +00000210 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000220 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000230 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000240 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000250 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000260 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000270 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000280 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000290 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +000002a0 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +000002b0 84 5c 21 d3 3b e9 fa e7 16 03 01 00 04 0e 00 00 |.\!.;...........| +000002c0 00 |.| +>>> Flow 3 (client to server) +00000000 16 03 01 00 86 10 00 00 82 00 80 b9 65 8d bf a7 |............e...| +00000010 c8 4b 79 ce 6f cb 8b 13 1c ac b9 7d 66 5e e9 ba |.Ky.o......}f^..| +00000020 1d 71 4e a9 e9 34 ae f6 64 65 90 3b d8 16 52 a2 |.qN..4..de.;..R.| +00000030 6f f4 cb 8a 13 74 a2 ee b7 27 69 b4 41 c0 90 68 |o....t...'i.A..h| +00000040 bc 02 69 e1 c6 48 4f 39 36 30 25 ca 4c 17 ce 83 |..i..HO960%.L...| +00000050 9e 08 56 e3 05 49 93 9e 2e c4 fb e6 c8 01 f1 0f |..V..I..........| +00000060 c5 70 0f 08 83 48 e9 48 ef 6e 50 8b 05 7e e5 84 |.p...H.H.nP..~..| +00000070 25 fa 55 c7 ae 31 02 27 00 ef 3f 98 86 20 12 89 |%.U..1.'..?.. ..| +00000080 91 59 28 b4 f7 d7 af d2 69 61 35 14 03 01 00 01 |.Y(.....ia5.....| +00000090 01 16 03 01 00 24 bd d6 29 83 bf 42 06 cf 06 86 |.....$..)..B....| +000000a0 09 8a 2f 4c 72 d3 98 45 6b 24 2f 58 da 45 a3 9d |../Lr..Ek$/X.E..| +000000b0 86 7b e0 5e 8f 52 6c ee 97 1a |.{.^.Rl...| +>>> Flow 4 (server to client) +00000000 14 03 01 00 01 01 16 03 01 00 24 b2 c6 b8 54 c9 |..........$...T.| +00000010 8b 16 cb d4 40 54 08 a4 39 f9 88 37 2e d7 e2 f4 |....@T..9..7....| +00000020 17 26 ec 00 0b d3 36 42 2f 7b 6d 3f 10 e0 6d |.&....6B/{m?..m| +>>> Flow 5 (client to server) +00000000 17 03 01 00 1a 75 40 46 0c 9d 5a 40 b9 b8 7c fa |.....u@F..Z@..|.| +00000010 a3 bf ff 37 2b 30 72 cc a6 5c 8d c9 8a d6 64 15 |...7+0r..\....d.| +00000020 03 01 00 16 f4 f1 6d 64 0a 21 35 dc c9 de b5 c4 |......md.!5.....| +00000030 d7 2c 0a 6e 2a e5 90 21 20 cf |.,.n*..! .| diff --git a/pkg/tls/testdata/Client-TLSv11-ECDHE-ECDSA-AES b/pkg/tls/testdata/Client-TLSv11-ECDHE-ECDSA-AES new file mode 100644 index 000000000..cc9dd829a --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv11-ECDHE-ECDSA-AES @@ -0,0 +1,94 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 02 00 5d 02 00 00 59 03 02 7f 08 c0 d7 77 |....]...Y......w| +00000010 20 72 4a f2 a2 2c 41 99 b0 3e 9f c8 9d ff 9b b5 | rJ..,A..>......| +00000020 ea 99 73 91 7b 81 51 e2 1a 7e 9b 20 5d 47 a5 63 |..s.{.Q..~. ]G.c| +00000030 86 cb fe bf 40 8e f9 f8 1c cf 4b cf 8b f2 af 56 |....@.....K....V| +00000040 94 a3 71 ad 53 ab 30 71 2a 07 f3 a0 c0 09 00 00 |..q.S.0q*.......| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 02 02 0e 0b 00 02 0a 00 02 07 00 02 |................| +00000070 04 30 82 02 00 30 82 01 62 02 09 00 b8 bf 2d 47 |.0...0..b.....-G| +00000080 a0 d2 eb f4 30 09 06 07 2a 86 48 ce 3d 04 01 30 |....0...*.H.=..0| +00000090 45 31 0b 30 09 06 03 55 04 06 13 02 41 55 31 13 |E1.0...U....AU1.| +000000a0 30 11 06 03 55 04 08 13 0a 53 6f 6d 65 2d 53 74 |0...U....Some-St| +000000b0 61 74 65 31 21 30 1f 06 03 55 04 0a 13 18 49 6e |ate1!0...U....In| +000000c0 74 65 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 |ternet Widgits P| +000000d0 74 79 20 4c 74 64 30 1e 17 0d 31 32 31 31 32 32 |ty Ltd0...121122| +000000e0 31 35 30 36 33 32 5a 17 0d 32 32 31 31 32 30 31 |150632Z..2211201| +000000f0 35 30 36 33 32 5a 30 45 31 0b 30 09 06 03 55 04 |50632Z0E1.0...U.| +00000100 06 13 02 41 55 31 13 30 11 06 03 55 04 08 13 0a |...AU1.0...U....| +00000110 53 6f 6d 65 2d 53 74 61 74 65 31 21 30 1f 06 03 |Some-State1!0...| +00000120 55 04 0a 13 18 49 6e 74 65 72 6e 65 74 20 57 69 |U....Internet Wi| +00000130 64 67 69 74 73 20 50 74 79 20 4c 74 64 30 81 9b |dgits Pty Ltd0..| +00000140 30 10 06 07 2a 86 48 ce 3d 02 01 06 05 2b 81 04 |0...*.H.=....+..| +00000150 00 23 03 81 86 00 04 00 c4 a1 ed be 98 f9 0b 48 |.#.............H| +00000160 73 36 7e c3 16 56 11 22 f2 3d 53 c3 3b 4d 21 3d |s6~..V.".=S.;M!=| +00000170 cd 6b 75 e6 f6 b0 dc 9a df 26 c1 bc b2 87 f0 72 |.ku......&.....r| +00000180 32 7c b3 64 2f 1c 90 bc ea 68 23 10 7e fe e3 25 |2|.d/....h#.~..%| +00000190 c0 48 3a 69 e0 28 6d d3 37 00 ef 04 62 dd 0d a0 |.H:i.(m.7...b...| +000001a0 9c 70 62 83 d8 81 d3 64 31 aa 9e 97 31 bd 96 b0 |.pb....d1...1...| +000001b0 68 c0 9b 23 de 76 64 3f 1a 5c 7f e9 12 0e 58 58 |h..#.vd?.\....XX| +000001c0 b6 5f 70 dd 9b d8 ea d5 d7 f5 d5 cc b9 b6 9f 30 |._p............0| +000001d0 66 5b 66 9a 20 e2 27 e5 bf fe 3b 30 09 06 07 2a |f[f. .'...;0...*| +000001e0 86 48 ce 3d 04 01 03 81 8c 00 30 81 88 02 42 01 |.H.=......0...B.| +000001f0 88 a2 4f eb e2 45 c5 48 7d 1b ac f5 ed 98 9d ae |..O..E.H}.......| +00000200 47 70 c0 5e 1b b6 2f bd f1 b6 4d b7 61 40 d3 11 |Gp.^../...M.a@..| +00000210 a2 ce ee 0b 7e 92 7e ff 76 9d c3 3b 7e a5 3f ce |....~.~.v..;~.?.| +00000220 fa 10 e2 59 ec 47 2d 7c ac da 4e 97 0e 15 a0 6f |...Y.G-|..N....o| +00000230 d0 02 42 01 4d fc be 67 13 9c 2d 05 0e bd 3f a3 |..B.M..g..-...?.| +00000240 8c 25 c1 33 13 83 0d 94 06 bb d4 37 7a f6 ec 7a |.%.3.......7z..z| +00000250 c9 86 2e dd d7 11 69 7f 85 7c 56 de fb 31 78 2b |......i..|V..1x+| +00000260 e4 c7 78 0d ae cb be 9e 4e 36 24 31 7b 6a 0f 39 |..x.....N6$1{j.9| +00000270 95 12 07 8f 2a 16 03 02 00 b5 0c 00 00 b1 03 00 |....*...........| +00000280 1d 20 23 be e0 2b 65 34 a4 91 3c 4e 3c 84 51 98 |. #..+e4...U..sM~uKs.M| +00000300 62 de 29 b8 0e 59 68 0a 14 a5 75 31 4f 9d db 64 |b.)..Yh...u1O..d| +00000310 d0 b4 f4 78 ae 30 99 2f fb 33 ea 1a 21 46 33 57 |...x.0./.3..!F3W| +00000320 59 00 5d 84 4b b3 fe a1 60 3d ae 71 af b9 ea 16 |Y.].K...`=.q....| +00000330 03 02 00 04 0e 00 00 00 |........| +>>> Flow 3 (client to server) +00000000 16 03 02 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 02 00 01 01 |....._X.;t......| +00000030 16 03 02 00 40 00 00 00 00 00 00 00 00 00 00 00 |....@...........| +00000040 00 00 00 00 00 ef 00 72 e6 a4 f6 8b 7f 98 ef e0 |.......r........| +00000050 15 01 2c fc 31 7a e7 ba fa 07 ec 0e c1 4b 69 39 |..,.1z.......Ki9| +00000060 89 97 fa a8 8b bf 3b 7f 1a 00 32 26 72 64 19 1c |......;...2&rd..| +00000070 0c 2f 4b ba 78 |./K.x| +>>> Flow 4 (server to client) +00000000 14 03 02 00 01 01 16 03 02 00 40 d7 89 58 0a f0 |..........@..X..| +00000010 bd c1 a0 bb b5 f0 b4 1a 0b 08 25 e8 5a 73 04 04 |..........%.Zs..| +00000020 01 99 65 e1 9c 80 24 e5 80 a8 a8 a1 29 bd af 99 |..e...$.....)...| +00000030 06 4d 9a 48 59 95 0a 0e bc 72 7d 90 cb 62 5a 2d |.M.HY....r}..bZ-| +00000040 7b 19 53 83 10 47 55 8b c3 e0 84 |{.S..GU....| +>>> Flow 5 (client to server) +00000000 17 03 02 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........| +00000010 00 00 00 00 00 5d d8 f2 5e 83 a1 39 cb 57 a9 7f |.....]..^..9.W..| +00000020 93 35 72 a3 ce 15 f6 4c 5c 06 8f d1 f5 77 7c ca |.5r....L\....w|.| +00000030 a9 59 5f e9 ce 15 03 02 00 30 00 00 00 00 00 00 |.Y_......0......| +00000040 00 00 00 00 00 00 00 00 00 00 2b 0a 90 aa 87 8f |..........+.....| +00000050 ff 26 85 22 26 26 bd 0e a3 40 88 e1 72 21 76 69 |.&."&&...@..r!vi| +00000060 4c 69 22 2c 6c 72 a3 64 6e 61 |Li",lr.dna| diff --git a/pkg/tls/testdata/Client-TLSv11-ECDHE-RSA-AES b/pkg/tls/testdata/Client-TLSv11-ECDHE-RSA-AES new file mode 100644 index 000000000..5bde683b7 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv11-ECDHE-RSA-AES @@ -0,0 +1,98 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 02 00 5d 02 00 00 59 03 02 a4 97 26 eb 45 |....]...Y....&.E| +00000010 35 28 1a 9a 6b 3e b3 e6 c0 9f 4a c7 6f 57 70 9a |5(..k>....J.oWp.| +00000020 fe 3a 1a a5 c3 05 d3 50 45 43 ee 20 3e 34 5b ef |.:.....PEC. >4[.| +00000030 64 f3 f8 40 e4 69 7d 3a 46 db 4e 83 6c ff 68 2a |d..@.i}:F.N.l.h*| +00000040 f9 f4 45 5e 7c 25 5f a0 d5 89 7e 83 c0 13 00 00 |..E^|%_...~.....| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 02 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 02 00 aa 0c 00 00 a6 03 00 1d 20 46 15 e3 |............ F..| +000002d0 8f f8 ab 26 88 9c 0f 28 30 d6 58 96 77 55 77 62 |...&...(0.X.wUwb| +000002e0 26 a1 64 98 df b3 cc 15 48 fc 90 2b 30 00 80 7d |&.d.....H..+0..}| +000002f0 e3 98 42 4a 27 c1 08 29 93 22 0e 7e 53 4e b7 03 |..BJ'..).".~SN..| +00000300 ca c1 67 34 0e 8d c0 94 cb dd 38 34 f4 d8 0e 10 |..g4......84....| +00000310 68 bb e7 01 3e 4b 22 27 bb 43 e2 cf da e2 6c 49 |h...>K"'.C....lI| +00000320 d7 31 2f 31 04 b2 7a 8f 86 35 5e f8 16 3f 80 b7 |.1/1..z..5^..?..| +00000330 1e 06 e1 3e 57 89 24 d7 25 65 8b 13 84 27 b6 eb |...>W.$.%e...'..| +00000340 e9 64 bd 69 22 17 bc 53 57 2c 78 b3 1d 01 97 65 |.d.i"..SW,x....e| +00000350 d9 0e b7 a7 bf d3 86 d3 a4 24 07 0f 16 0f fb 3a |.........$.....:| +00000360 e8 35 ce 80 79 93 2f 26 75 36 fa ad 99 d3 88 16 |.5..y./&u6......| +00000370 03 02 00 04 0e 00 00 00 |........| +>>> Flow 3 (client to server) +00000000 16 03 02 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 02 00 01 01 |....._X.;t......| +00000030 16 03 02 00 40 00 00 00 00 00 00 00 00 00 00 00 |....@...........| +00000040 00 00 00 00 00 89 35 3f 26 26 9c d0 87 70 65 56 |......5?&&...peV| +00000050 b4 32 f9 9e 3f 1f 20 6f 8d 71 eb 6c 45 15 a0 f4 |.2..?. o.q.lE...| +00000060 ff 02 60 8c 01 1a b7 2b 0d 1e 56 e7 be 06 ac 16 |..`....+..V.....| +00000070 74 73 be 0a 95 |ts...| +>>> Flow 4 (server to client) +00000000 14 03 02 00 01 01 16 03 02 00 40 04 35 19 05 8e |..........@.5...| +00000010 c6 68 3e 37 75 5f 5d bb 41 58 8b a7 b3 cf 97 28 |.h>7u_].AX.....(| +00000020 60 ad b7 be db b1 31 b9 9c f5 d2 57 49 17 7c f6 |`.....1....WI.|.| +00000030 de 60 24 87 cb c5 51 2d 7a 8d f1 4b e5 7f 2d c7 |.`$...Q-z..K..-.| +00000040 7f f4 e1 94 d9 6f 5c 2a 68 f0 24 |.....o\*h.$| +>>> Flow 5 (client to server) +00000000 17 03 02 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........| +00000010 00 00 00 00 00 a2 ba 70 25 b0 a9 b0 ea 87 7e 6b |.......p%.....~k| +00000020 ef 89 e3 10 f4 98 da 12 cf bc 20 f6 18 76 c7 ad |.......... ..v..| +00000030 b7 12 1e 7b 12 15 03 02 00 30 00 00 00 00 00 00 |...{.....0......| +00000040 00 00 00 00 00 00 00 00 00 00 91 33 9b b8 76 89 |...........3..v.| +00000050 39 ef 4b 3f d1 09 40 e4 68 6f 30 35 d9 a9 82 c1 |9.K?..@.ho05....| +00000060 9d c6 c2 a5 dc cb 1d 43 83 0a |.......C..| diff --git a/pkg/tls/testdata/Client-TLSv11-Ed25519 b/pkg/tls/testdata/Client-TLSv11-Ed25519 new file mode 100644 index 000000000..e69de29bb diff --git a/pkg/tls/testdata/Client-TLSv11-RSA-RC4 b/pkg/tls/testdata/Client-TLSv11-RSA-RC4 new file mode 100644 index 000000000..addd48064 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv11-RSA-RC4 @@ -0,0 +1,86 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 02 00 55 02 00 00 51 03 02 66 66 1b 2f 55 |....U...Q..ff./U| +00000010 a4 db ad db 42 88 e0 12 12 36 60 41 32 ca 27 0f |....B....6`A2.'.| +00000020 36 22 d1 0b 4e 0e ba df 44 71 9f 20 7a fa f5 a7 |6"..N...Dq. z...| +00000030 ba ca 0a 9a be c5 b7 a8 98 a7 d9 0f d8 24 d4 cf |.............$..| +00000040 ab f5 13 84 03 45 57 ab 89 6d 43 42 00 05 00 00 |.....EW..mCB....| +00000050 09 ff 01 00 01 00 00 17 00 00 16 03 02 02 59 0b |..............Y.| +00000060 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000070 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000080 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000090 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +000000a0 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +000000b0 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000c0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000d0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000e0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000f0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +00000100 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +00000110 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000120 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000130 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000140 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000150 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000160 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000170 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000180 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000190 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +000001a0 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +000001b0 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001c0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001d0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001e0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001f0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +00000200 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +00000210 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000220 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000230 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000240 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000250 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000260 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000270 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000280 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000290 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +000002a0 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +000002b0 84 5c 21 d3 3b e9 fa e7 16 03 02 00 04 0e 00 00 |.\!.;...........| +000002c0 00 |.| +>>> Flow 3 (client to server) +00000000 16 03 02 00 86 10 00 00 82 00 80 b9 65 8d bf a7 |............e...| +00000010 c8 4b 79 ce 6f cb 8b 13 1c ac b9 7d 66 5e e9 ba |.Ky.o......}f^..| +00000020 1d 71 4e a9 e9 34 ae f6 64 65 90 3b d8 16 52 a2 |.qN..4..de.;..R.| +00000030 6f f4 cb 8a 13 74 a2 ee b7 27 69 b4 41 c0 90 68 |o....t...'i.A..h| +00000040 bc 02 69 e1 c6 48 4f 39 36 30 25 ca 4c 17 ce 83 |..i..HO960%.L...| +00000050 9e 08 56 e3 05 49 93 9e 2e c4 fb e6 c8 01 f1 0f |..V..I..........| +00000060 c5 70 0f 08 83 48 e9 48 ef 6e 50 8b 05 7e e5 84 |.p...H.H.nP..~..| +00000070 25 fa 55 c7 ae 31 02 27 00 ef 3f 98 86 20 12 89 |%.U..1.'..?.. ..| +00000080 91 59 28 b4 f7 d7 af d2 69 61 35 14 03 02 00 01 |.Y(.....ia5.....| +00000090 01 16 03 02 00 24 a9 03 2f 22 ef b7 e8 78 38 a9 |.....$../"...x8.| +000000a0 12 07 27 e3 bf 3b a9 50 5a 83 9c 6b 83 06 07 4d |..'..;.PZ..k...M| +000000b0 38 33 12 dc 21 aa 95 3c f0 cc |83..!..<..| +>>> Flow 4 (server to client) +00000000 14 03 02 00 01 01 16 03 02 00 24 df db 82 41 b6 |..........$...A.| +00000010 3f 2d d5 0f d1 7e ca 3c 73 e0 31 58 ae f5 08 fd |?-...~.>> Flow 5 (client to server) +00000000 17 03 02 00 1a b6 12 91 b4 74 7f 92 b5 fd 7e 8c |.........t....~.| +00000010 15 1d 51 f9 e1 a3 d6 74 6e b2 07 c2 f0 a8 11 15 |..Q....tn.......| +00000020 03 02 00 16 ca 4b cb cf 88 2d 48 a7 27 29 19 ef |.....K...-H.')..| +00000030 eb 4e 58 ac 57 e2 ed af e2 a0 |.NX.W.....| diff --git a/pkg/tls/testdata/Client-TLSv12-AES128-GCM-SHA256 b/pkg/tls/testdata/Client-TLSv12-AES128-GCM-SHA256 new file mode 100644 index 000000000..22cff4534 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-AES128-GCM-SHA256 @@ -0,0 +1,88 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 55 02 00 00 51 03 03 9f d7 f5 00 f6 |....U...Q.......| +00000010 a1 c5 37 e8 2b 2e 66 42 54 c6 67 29 b6 ad bb 5f |..7.+.fBT.g)..._| +00000020 23 b7 bb 56 2e 8a 15 a9 7a ce a2 20 47 be 36 13 |#..V....z.. G.6.| +00000030 31 d7 51 a6 ec d1 67 e7 e3 8c fb e2 f5 d2 61 e6 |1.Q...g.......a.| +00000040 4e 11 0c 03 b0 5e b1 ae e7 8c 61 c8 00 9c 00 00 |N....^....a.....| +00000050 09 ff 01 00 01 00 00 17 00 00 16 03 03 02 59 0b |..............Y.| +00000060 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000070 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000080 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000090 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +000000a0 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +000000b0 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000c0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000d0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000e0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000f0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +00000100 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +00000110 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000120 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000130 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000140 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000150 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000160 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000170 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000180 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000190 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +000001a0 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +000001b0 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001c0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001d0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001e0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001f0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +00000200 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +00000210 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000220 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000230 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000240 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000250 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000260 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000270 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000280 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000290 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +000002a0 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +000002b0 84 5c 21 d3 3b e9 fa e7 16 03 03 00 04 0e 00 00 |.\!.;...........| +000002c0 00 |.| +>>> Flow 3 (client to server) +00000000 16 03 03 00 86 10 00 00 82 00 80 b9 65 8d bf a7 |............e...| +00000010 c8 4b 79 ce 6f cb 8b 13 1c ac b9 7d 66 5e e9 ba |.Ky.o......}f^..| +00000020 1d 71 4e a9 e9 34 ae f6 64 65 90 3b d8 16 52 a2 |.qN..4..de.;..R.| +00000030 6f f4 cb 8a 13 74 a2 ee b7 27 69 b4 41 c0 90 68 |o....t...'i.A..h| +00000040 bc 02 69 e1 c6 48 4f 39 36 30 25 ca 4c 17 ce 83 |..i..HO960%.L...| +00000050 9e 08 56 e3 05 49 93 9e 2e c4 fb e6 c8 01 f1 0f |..V..I..........| +00000060 c5 70 0f 08 83 48 e9 48 ef 6e 50 8b 05 7e e5 84 |.p...H.H.nP..~..| +00000070 25 fa 55 c7 ae 31 02 27 00 ef 3f 98 86 20 12 89 |%.U..1.'..?.. ..| +00000080 91 59 28 b4 f7 d7 af d2 69 61 35 14 03 03 00 01 |.Y(.....ia5.....| +00000090 01 16 03 03 00 28 00 00 00 00 00 00 00 00 10 d7 |.....(..........| +000000a0 17 1b 75 0d 79 ed 8d bc fb 1c c4 d6 35 44 f0 ed |..u.y.......5D..| +000000b0 ed 03 24 02 df 44 9b 70 df 4b 51 19 e6 72 |..$..D.p.KQ..r| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 28 68 9f 7c f3 ac |..........(h.|..| +00000010 31 93 86 d0 b7 0a 68 55 7a 93 00 4e c3 d6 dc 60 |1.....hUz..N...`| +00000020 d1 c5 4a 04 53 da 27 ed c1 0e 14 41 a5 27 f1 d5 |..J.S.'....A.'..| +00000030 2e 4a 43 |.JC| +>>> Flow 5 (client to server) +00000000 17 03 03 00 1e 00 00 00 00 00 00 00 01 e7 e6 3e |...............>| +00000010 e9 04 96 38 0c d4 e1 46 c6 d2 2a 1b b0 b3 11 9b |...8...F..*.....| +00000020 6d f4 81 15 03 03 00 1a 00 00 00 00 00 00 00 02 |m...............| +00000030 a3 60 58 f2 f6 60 95 f3 c4 e1 95 23 22 52 55 63 |.`X..`.....#"RUc| +00000040 b9 75 |.u| diff --git a/pkg/tls/testdata/Client-TLSv12-AES128-SHA256 b/pkg/tls/testdata/Client-TLSv12-AES128-SHA256 new file mode 100644 index 000000000..ee6ab629e --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-AES128-SHA256 @@ -0,0 +1,97 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 55 02 00 00 51 03 03 b3 4d 83 66 45 |....U...Q...M.fE| +00000010 e7 32 1f e5 99 ea a0 90 c7 12 91 2b 25 82 ba ca |.2.........+%...| +00000020 01 c1 a9 22 1f 1d 06 62 e1 37 6a 20 a4 87 9b c0 |..."...b.7j ....| +00000030 7f 86 ff c1 0f 49 56 fe c4 49 f7 fb e5 97 23 dc |.....IV..I....#.| +00000040 fc 51 80 75 f7 03 52 5e 86 80 97 0f 00 3c 00 00 |.Q.u..R^.....<..| +00000050 09 ff 01 00 01 00 00 17 00 00 16 03 03 02 59 0b |..............Y.| +00000060 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000070 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000080 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000090 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +000000a0 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +000000b0 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000c0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000d0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000e0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000f0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +00000100 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +00000110 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000120 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000130 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000140 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000150 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000160 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000170 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000180 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000190 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +000001a0 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +000001b0 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001c0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001d0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001e0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001f0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +00000200 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +00000210 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000220 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000230 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000240 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000250 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000260 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000270 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000280 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000290 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +000002a0 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +000002b0 84 5c 21 d3 3b e9 fa e7 16 03 03 00 04 0e 00 00 |.\!.;...........| +000002c0 00 |.| +>>> Flow 3 (client to server) +00000000 16 03 03 00 86 10 00 00 82 00 80 b9 65 8d bf a7 |............e...| +00000010 c8 4b 79 ce 6f cb 8b 13 1c ac b9 7d 66 5e e9 ba |.Ky.o......}f^..| +00000020 1d 71 4e a9 e9 34 ae f6 64 65 90 3b d8 16 52 a2 |.qN..4..de.;..R.| +00000030 6f f4 cb 8a 13 74 a2 ee b7 27 69 b4 41 c0 90 68 |o....t...'i.A..h| +00000040 bc 02 69 e1 c6 48 4f 39 36 30 25 ca 4c 17 ce 83 |..i..HO960%.L...| +00000050 9e 08 56 e3 05 49 93 9e 2e c4 fb e6 c8 01 f1 0f |..V..I..........| +00000060 c5 70 0f 08 83 48 e9 48 ef 6e 50 8b 05 7e e5 84 |.p...H.H.nP..~..| +00000070 25 fa 55 c7 ae 31 02 27 00 ef 3f 98 86 20 12 89 |%.U..1.'..?.. ..| +00000080 91 59 28 b4 f7 d7 af d2 69 61 35 14 03 03 00 01 |.Y(.....ia5.....| +00000090 01 16 03 03 00 50 00 00 00 00 00 00 00 00 00 00 |.....P..........| +000000a0 00 00 00 00 00 00 ad 28 77 9e 77 a8 54 2d df fe |.......(w.w.T-..| +000000b0 b3 d1 3a 88 49 e8 ee 86 a1 46 d8 46 26 98 88 f3 |..:.I....F.F&...| +000000c0 eb e1 bd 26 38 26 78 53 90 47 bf 76 4b 29 a6 db |...&8&xS.G.vK)..| +000000d0 e5 c5 5d aa e7 cc d1 ad ee 3f 27 72 a3 a7 06 8b |..]......?'r....| +000000e0 1a da 35 1a 57 4a |..5.WJ| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 50 b6 40 f7 ea 59 |..........P.@..Y| +00000010 29 60 1f b0 00 78 db 1b 29 4e 4f 7d 02 12 a9 f9 |)`...x..)NO}....| +00000020 98 fb 89 9e 08 8d 55 91 f3 d1 b3 58 73 ba 58 12 |......U....Xs.X.| +00000030 2e b3 3a da 3a 96 76 63 5c 89 7b d5 64 9a 41 3f |..:.:.vc\.{.d.A?| +00000040 f9 55 4c 19 d7 08 a1 b2 c4 cc f0 6a e3 7d ab 6b |.UL........j.}.k| +00000050 26 cf 80 10 a9 c6 1a d6 2d 0e 77 |&.......-.w| +>>> Flow 5 (client to server) +00000000 17 03 03 00 40 00 00 00 00 00 00 00 00 00 00 00 |....@...........| +00000010 00 00 00 00 00 04 1d bb 53 4a 08 73 26 c2 33 d5 |........SJ.s&.3.| +00000020 95 2c cf aa 74 1b 58 27 11 99 f9 67 e7 93 56 72 |.,..t.X'...g..Vr| +00000030 a5 0b 96 9e ea 32 b2 c8 c3 2e 47 b4 91 81 47 86 |.....2....G...G.| +00000040 f2 31 fd 7a f8 15 03 03 00 40 00 00 00 00 00 00 |.1.z.....@......| +00000050 00 00 00 00 00 00 00 00 00 00 55 3a e3 6d aa 75 |..........U:.m.u| +00000060 31 f5 92 6c ae f8 8d fc f4 6e 20 de a6 66 7c 97 |1..l.....n ..f|.| +00000070 51 e5 c7 8b 4a 1d 0e e8 38 f5 9f 0a 6b b6 63 c1 |Q...J...8...k.c.| +00000080 85 97 c6 3c d2 79 b5 a3 42 1d |...<.y..B.| diff --git a/pkg/tls/testdata/Client-TLSv12-AES256-GCM-SHA384 b/pkg/tls/testdata/Client-TLSv12-AES256-GCM-SHA384 new file mode 100644 index 000000000..0166f1ab3 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-AES256-GCM-SHA384 @@ -0,0 +1,88 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 55 02 00 00 51 03 03 38 33 33 fb 62 |....U...Q..833.b| +00000010 ff ce 69 f1 cd 8c fe 50 05 bd 1e ce f9 ad a5 e6 |..i....P........| +00000020 ee d7 71 82 97 25 04 2a cd aa c5 20 13 68 7a d0 |..q..%.*... .hz.| +00000030 0f cc 61 05 63 31 cc 47 24 1c 52 81 8d cc d3 d1 |..a.c1.G$.R.....| +00000040 d1 53 97 70 e9 f1 98 3b 00 2d df ab 00 9d 00 00 |.S.p...;.-......| +00000050 09 ff 01 00 01 00 00 17 00 00 16 03 03 02 59 0b |..............Y.| +00000060 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000070 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000080 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000090 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +000000a0 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +000000b0 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000c0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000d0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000e0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000f0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +00000100 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +00000110 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000120 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000130 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000140 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000150 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000160 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000170 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000180 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000190 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +000001a0 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +000001b0 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001c0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001d0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001e0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001f0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +00000200 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +00000210 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000220 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000230 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000240 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000250 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000260 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000270 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000280 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000290 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +000002a0 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +000002b0 84 5c 21 d3 3b e9 fa e7 16 03 03 00 04 0e 00 00 |.\!.;...........| +000002c0 00 |.| +>>> Flow 3 (client to server) +00000000 16 03 03 00 86 10 00 00 82 00 80 b9 65 8d bf a7 |............e...| +00000010 c8 4b 79 ce 6f cb 8b 13 1c ac b9 7d 66 5e e9 ba |.Ky.o......}f^..| +00000020 1d 71 4e a9 e9 34 ae f6 64 65 90 3b d8 16 52 a2 |.qN..4..de.;..R.| +00000030 6f f4 cb 8a 13 74 a2 ee b7 27 69 b4 41 c0 90 68 |o....t...'i.A..h| +00000040 bc 02 69 e1 c6 48 4f 39 36 30 25 ca 4c 17 ce 83 |..i..HO960%.L...| +00000050 9e 08 56 e3 05 49 93 9e 2e c4 fb e6 c8 01 f1 0f |..V..I..........| +00000060 c5 70 0f 08 83 48 e9 48 ef 6e 50 8b 05 7e e5 84 |.p...H.H.nP..~..| +00000070 25 fa 55 c7 ae 31 02 27 00 ef 3f 98 86 20 12 89 |%.U..1.'..?.. ..| +00000080 91 59 28 b4 f7 d7 af d2 69 61 35 14 03 03 00 01 |.Y(.....ia5.....| +00000090 01 16 03 03 00 28 00 00 00 00 00 00 00 00 2b 4c |.....(........+L| +000000a0 62 77 65 ac 19 53 aa 52 8e 3d 92 5b e1 45 c6 90 |bwe..S.R.=.[.E..| +000000b0 bf 01 bb e3 9c d2 6a ed bf e6 8c 53 3d 58 |......j....S=X| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 28 77 7f 9b a4 ea |..........(w....| +00000010 30 03 8f fd 22 37 60 78 db b1 1a 37 bc 2d 50 ad |0..."7`x...7.-P.| +00000020 40 b4 a6 8f f8 0c e8 ab 24 54 82 12 75 be 0b 8c |@.......$T..u...| +00000030 9f 35 e2 |.5.| +>>> Flow 5 (client to server) +00000000 17 03 03 00 1e 00 00 00 00 00 00 00 01 01 66 69 |..............fi| +00000010 ac a4 9d 4f d2 59 01 4e d6 04 98 e5 c8 83 b3 cb |...O.Y.N........| +00000020 36 4d cf 15 03 03 00 1a 00 00 00 00 00 00 00 02 |6M..............| +00000030 17 80 89 ac 0b d6 00 8c 1d ae b2 c2 46 42 69 82 |............FBi.| +00000040 da ac |..| diff --git a/pkg/tls/testdata/Client-TLSv12-ALPN b/pkg/tls/testdata/Client-TLSv12-ALPN new file mode 100644 index 000000000..4ae1fe9f3 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-ALPN @@ -0,0 +1,93 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 01 12 01 00 01 0e 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 93 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 10 00 10 00 0e 06 70 |...............p| +000000d0 72 6f 74 6f 32 06 70 72 6f 74 6f 31 00 12 00 00 |roto2.proto1....| +000000e0 00 2b 00 09 08 03 04 03 03 03 02 03 01 00 33 00 |.+............3.| +000000f0 26 00 24 00 1d 00 20 2f e5 7d a3 47 cd 62 43 15 |&.$... /.}.G.bC.| +00000100 28 da ac 5f bb 29 07 30 ff f6 84 af c4 cf c2 ed |(.._.).0........| +00000110 90 99 5f 58 cb 3b 74 |.._X.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 6a 02 00 00 66 03 03 a8 8a 7d 2c f6 |....j...f....},.| +00000010 d0 44 0a 7b 16 26 e5 aa 6e 4b 78 7c ff 7f 07 86 |.D.{.&..nKx|....| +00000020 48 cc 3a dd 73 95 94 d2 75 d8 87 20 6d 0b 3a a3 |H.:.s...u.. m.:.| +00000030 71 b9 50 4e c7 ad 33 04 8a 9c d8 71 48 93 ec ae |q.PN..3....qH...| +00000040 db ad 5f 79 d5 7c 65 33 37 06 73 0e cc a8 00 00 |.._y.|e37.s.....| +00000050 1e ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 10 |................| +00000060 00 09 00 07 06 70 72 6f 74 6f 31 00 17 00 00 16 |.....proto1.....| +00000070 03 03 02 59 0b 00 02 55 00 02 52 00 02 4f 30 82 |...Y...U..R..O0.| +00000080 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 00 e8 f0 |.K0.............| +00000090 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 86 f7 0d |.?.[..0...*.H...| +000000a0 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 55 04 0a |.....0.1.0...U..| +000000b0 13 02 47 6f 31 10 30 0e 06 03 55 04 03 13 07 47 |..Go1.0...U....G| +000000c0 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 31 30 31 |o Root0...160101| +000000d0 30 30 30 30 30 30 5a 17 0d 32 35 30 31 30 31 30 |000000Z..2501010| +000000e0 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 03 55 04 |00000Z0.1.0...U.| +000000f0 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 03 13 02 |...Go1.0...U....| +00000100 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 |Go0..0...*.H....| +00000110 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 db |........0.......| +00000120 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab 7e c4 b6 |F}...'.H..(!.~..| +00000130 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d 92 42 5b |.]..RE.z6G....B[| +00000140 c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd 2b 13 8b |.....y.@.Om..+..| +00000150 c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a 0b 74 73 |...g....."8.J.ts| +00000160 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 9f 6c 61 |+.4......t{.X.la| +00000170 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c 3b bd 75 |<..A..++$#w[.;.u| +00000180 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 1d 1a 50 |]. T..c...$....P| +00000190 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 52 d7 02 |....C...ub...R..| +000001a0 03 01 00 01 a3 81 93 30 81 90 30 0e 06 03 55 1d |.......0..0...U.| +000001b0 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 03 55 1d |..........0...U.| +000001c0 25 04 16 30 14 06 08 2b 06 01 05 05 07 03 01 06 |%..0...+........| +000001d0 08 2b 06 01 05 05 07 03 02 30 0c 06 03 55 1d 13 |.+.......0...U..| +000001e0 01 01 ff 04 02 30 00 30 19 06 03 55 1d 0e 04 12 |.....0.0...U....| +000001f0 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d b6 80 d7 |......CC>I..m...| +00000200 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 80 10 48 |.`0...U.#..0...H| +00000210 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab 6e 7b 30 |.IM.~.1......n{0| +00000220 19 06 03 55 1d 11 04 12 30 10 82 0e 65 78 61 6d |...U....0...exam| +00000230 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 09 2a 86 |ple.golang0...*.| +00000240 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 9d 30 cc |H.............0.| +00000250 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed 83 28 a9 |@+[P.a...SX...(.| +00000260 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 3d 43 d3 |X..8....1Z..f=C.| +00000270 2d d9 0b f2 97 df d3 20 64 38 92 24 3a 00 bc cf |-...... d8.$:...| +00000280 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 76 fd 13 |.}.@ ._...a..v..| +00000290 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed 73 bb b3 |....\.....l..s..| +000002a0 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 4c 72 2b |Cw.......@.a.Lr+| +000002b0 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 |...F..M...>...B.| +000002c0 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 16 03 03 |..=.`.\!.;......| +000002d0 00 ac 0c 00 00 a8 03 00 1d 20 fe 7c 30 da b3 7e |......... .|0..~| +000002e0 b9 f5 74 9f c2 5a 3b 2e a4 c4 fe 98 50 1d 14 ea |..t..Z;.....P...| +000002f0 31 f0 ff d9 90 88 42 77 f6 18 08 04 00 80 70 97 |1.....Bw......p.| +00000300 1d e4 fb 40 de b5 9a cc 6a 63 63 86 b4 91 55 c4 |...@....jcc...U.| +00000310 ad b7 2f a2 8f 4f 28 22 86 df ec 2f 7c d2 83 b7 |../..O(".../|...| +00000320 28 9c 22 e7 73 74 51 f0 1e 20 50 d5 f1 3c 15 65 |(.".stQ.. P..<.e| +00000330 d9 cb 7f 4e 82 11 41 f8 c6 2a 23 ed b5 b4 cf 2d |...N..A..*#....-| +00000340 02 e2 8e 8b e8 88 bb 8c 63 1e 9c 37 44 c3 89 cf |........c..7D...| +00000350 ea 68 4b 81 73 0e 57 82 c9 dc ab f3 0c 63 ce f6 |.hK.s.W......c..| +00000360 c3 3a a3 da df be a7 10 4a 27 e1 bd b3 88 47 a2 |.:......J'....G.| +00000370 0d 02 03 17 3c 6c 7f 6e 04 26 75 1c a0 3e 16 03 |......| +00000380 03 00 04 0e 00 00 00 |.......| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 03 00 01 01 |....._X.;t......| +00000030 16 03 03 00 20 a0 68 d5 5a 22 13 42 16 b2 13 f4 |.... .h.Z".B....| +00000040 99 a1 5c f7 38 22 a1 8b e0 6b c2 7e f9 e5 a0 ef |..\.8"...k.~....| +00000050 79 ce 5a 74 d1 |y.Zt.| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 20 dd a3 ff 04 65 |.......... ....e| +00000010 4b 49 77 b6 88 ab f3 31 07 3d 2e 30 ec b3 e1 1f |KIw....1.=.0....| +00000020 18 0f ef a9 2d 32 1f e6 b9 71 3f |....-2...q?| +>>> Flow 5 (client to server) +00000000 17 03 03 00 16 54 7a 06 57 6b 66 e0 93 f8 f5 7a |.....Tz.Wkf....z| +00000010 ab 1a d1 f4 53 91 47 e8 5c 11 15 15 03 03 00 12 |....S.G.\.......| +00000020 42 b6 c5 6f 63 b6 72 8b 85 c3 ba c5 e3 38 8f e2 |B..oc.r......8..| +00000030 42 dd |B.| diff --git a/pkg/tls/testdata/Client-TLSv12-ALPN-NoMatch b/pkg/tls/testdata/Client-TLSv12-ALPN-NoMatch new file mode 100644 index 000000000..62e7d11bb --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-ALPN-NoMatch @@ -0,0 +1,91 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 9c 01 00 00 98 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 28 c0 2f |.............(./| +00000030 c0 2b c0 30 c0 2c c0 27 c0 13 c0 23 c0 09 c0 14 |.+.0.,.'...#....| +00000040 c0 0a 00 9c 00 9d 00 3c 00 2f 00 35 c0 12 00 0a |.......<./.5....| +00000050 00 05 c0 11 c0 07 01 00 00 47 33 74 00 00 00 05 |.........G3t....| +00000060 00 05 01 00 00 00 00 00 0a 00 08 00 06 00 17 00 |................| +00000070 18 00 19 00 0b 00 02 01 00 00 0d 00 0e 00 0c 04 |................| +00000080 01 04 03 05 01 05 03 02 01 02 03 ff 01 00 01 00 |................| +00000090 00 10 00 09 00 07 06 70 72 6f 74 6f 33 00 12 00 |.......proto3...| +000000a0 00 |.| +>>> Flow 2 (server to client) +00000000 16 03 03 00 59 02 00 00 55 03 03 36 0e 9f 51 42 |....Y...U..6..QB| +00000010 82 65 fa b5 17 7a 86 d6 40 33 a9 67 d3 3d aa 2f |.e...z..@3.g.=./| +00000020 89 a0 39 82 af 16 30 8e 64 80 d4 20 23 a6 d0 12 |..9...0.d.. #...| +00000030 ff 8c fc b4 b5 47 ec 10 fe ba 73 fb 0f ab e8 1c |.....G....s.....| +00000040 15 c1 fb 11 c1 b2 e1 8a f7 5d 5b ad c0 2f 00 00 |.........][../..| +00000050 0d ff 01 00 01 00 00 0b 00 04 03 00 01 02 16 03 |................| +00000060 03 02 59 0b 00 02 55 00 02 52 00 02 4f 30 82 02 |..Y...U..R..O0..| +00000070 4b 30 82 01 b4 a0 03 02 01 02 02 09 00 e8 f0 9d |K0..............| +00000080 3f e2 5b ea a6 30 0d 06 09 2a 86 48 86 f7 0d 01 |?.[..0...*.H....| +00000090 01 0b 05 00 30 1f 31 0b 30 09 06 03 55 04 0a 13 |....0.1.0...U...| +000000a0 02 47 6f 31 10 30 0e 06 03 55 04 03 13 07 47 6f |.Go1.0...U....Go| +000000b0 20 52 6f 6f 74 30 1e 17 0d 31 36 30 31 30 31 30 | Root0...1601010| +000000c0 30 30 30 30 30 5a 17 0d 32 35 30 31 30 31 30 30 |00000Z..25010100| +000000d0 30 30 30 30 5a 30 1a 31 0b 30 09 06 03 55 04 0a |0000Z0.1.0...U..| +000000e0 13 02 47 6f 31 0b 30 09 06 03 55 04 03 13 02 47 |..Go1.0...U....G| +000000f0 6f 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 |o0..0...*.H.....| +00000100 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 db 46 |.......0.......F| +00000110 7d 93 2e 12 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 |}...'.H..(!.~...| +00000120 5d fe 1e 52 45 88 7a 36 47 a5 08 0d 92 42 5b c2 |]..RE.z6G....B[.| +00000130 81 c0 be 97 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 |....y.@.Om..+...| +00000140 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b |..g....."8.J.ts+| +00000150 c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c |.4......t{.X.la<| +00000160 c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d |..A..++$#w[.;.u]| +00000170 ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b |. T..c...$....P.| +00000180 aa b6 14 43 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 |...C...ub...R...| +00000190 01 00 01 a3 81 93 30 81 90 30 0e 06 03 55 1d 0f |......0..0...U..| +000001a0 01 01 ff 04 04 03 02 05 a0 30 1d 06 03 55 1d 25 |.........0...U.%| +000001b0 04 16 30 14 06 08 2b 06 01 05 05 07 03 01 06 08 |..0...+.........| +000001c0 2b 06 01 05 05 07 03 02 30 0c 06 03 55 1d 13 01 |+.......0...U...| +000001d0 01 ff 04 02 30 00 30 19 06 03 55 1d 0e 04 12 04 |....0.0...U.....| +000001e0 10 9f 91 16 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f |.....CC>I..m....| +000001f0 60 30 1b 06 03 55 1d 23 04 14 30 12 80 10 48 13 |`0...U.#..0...H.| +00000200 49 4d 13 7e 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 |IM.~.1......n{0.| +00000210 06 03 55 1d 11 04 12 30 10 82 0e 65 78 61 6d 70 |..U....0...examp| +00000220 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 |le.golang0...*.H| +00000230 86 f7 0d 01 01 0b 05 00 03 81 81 00 9d 30 cc 40 |.............0.@| +00000240 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed 83 28 a9 58 |+[P.a...SX...(.X| +00000250 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d |..8....1Z..f=C.-| +00000260 d9 0b f2 97 df d3 20 64 38 92 24 3a 00 bc cf 9c |...... d8.$:....| +00000270 7d b7 40 20 01 5f aa d3 16 61 09 a2 76 fd 13 c3 |}.@ ._...a..v...| +00000280 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed 73 bb b3 43 |...\.....l..s..C| +00000290 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d |w.......@.a.Lr+.| +000002a0 ae db 46 06 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db |..F..M...>...B..| +000002b0 fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 16 03 03 00 |.=.`.\!.;.......| +000002c0 cd 0c 00 00 c9 03 00 17 41 04 11 b4 a9 10 7e 5c |........A.....~\| +000002d0 41 5e 39 12 15 a3 ed 5b 3e 5d 68 c8 ad 48 39 ef |A^9....[>]h..H9.| +000002e0 09 8b b1 a7 bf db 5f 54 49 cd d5 de 4d b3 47 4c |......_TI...M.GL| +000002f0 18 02 84 7c ec 75 4e d0 3e 8a d1 6c 80 83 98 64 |...|.uN.>..l...d| +00000300 4a 81 bc 8f 84 c7 e5 b4 2d fa 04 01 00 80 72 ee |J.......-.....r.| +00000310 41 38 f2 b8 a1 56 81 d8 04 78 75 05 f4 78 5f f2 |A8...V...xu..x_.| +00000320 2b 5d a2 46 23 9d 48 c8 63 a9 1d de a8 78 6e 99 |+].F#.H.c....xn.| +00000330 cd 59 6b 19 20 f5 b1 11 e1 f8 1c 5b 40 c3 b8 cd |.Yk. ......[@...| +00000340 66 a3 98 37 c5 c2 5c b7 d6 cc 61 b4 5e 97 fa dd |f..7..\...a.^...| +00000350 b7 85 5d b6 34 8c 39 4a 60 5a 03 20 47 7f e3 65 |..].4.9J`Z. G..e| +00000360 01 18 00 2c c3 eb be d4 aa 58 57 a9 5e 69 fb 3c |...,.....XW.^i.<| +00000370 fa c6 28 1a 5c f7 00 d5 21 e5 c1 30 db 84 38 c3 |..(.\...!..0..8.| +00000380 08 aa 08 5f c9 fd a0 b7 8e d0 66 77 bf 13 16 03 |..._......fw....| +00000390 03 00 04 0e 00 00 00 |.......| +>>> Flow 3 (client to server) +00000000 16 03 03 00 46 10 00 00 42 41 04 1e 18 37 ef 0d |....F...BA...7..| +00000010 19 51 88 35 75 71 b5 e5 54 5b 12 2e 8f 09 67 fd |.Q.5uq..T[....g.| +00000020 a7 24 20 3e b2 56 1c ce 97 28 5e f8 2b 2d 4f 9e |.$ >.V...(^.+-O.| +00000030 f1 07 9f 6c 4b 5b 83 56 e2 32 42 e9 58 b6 d7 49 |...lK[.V.2B.X..I| +00000040 a6 b5 68 1a 41 03 56 6b dc 5a 89 14 03 03 00 01 |..h.A.Vk.Z......| +00000050 01 16 03 03 00 28 00 00 00 00 00 00 00 00 4f 7e |.....(........O~| +00000060 9a 3a cc 74 a4 91 77 01 0b 0e 28 0a c5 bd 55 b7 |.:.t..w...(...U.| +00000070 9a 4c 40 4e e9 c9 46 d5 5f c5 e1 77 c3 f2 |.L@N..F._..w..| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 28 62 4b 13 ef 22 |..........(bK.."| +00000010 f9 a8 8d ec 42 3a 36 80 5d a8 5b e9 60 d1 ba 65 |....B:6.].[.`..e| +00000020 2b d8 37 64 e5 12 b2 ef 84 75 87 0c 0f 3d 35 6e |+.7d.....u...=5n| +00000030 59 7c 51 |Y|Q| +>>> Flow 5 (client to server) +00000000 17 03 03 00 1e 00 00 00 00 00 00 00 01 5f cd 4d |............._.M| +00000010 7b a7 c0 f9 6c 1f 80 93 cf 55 3b 12 c7 21 12 86 |{...l....U;..!..| +00000020 f6 b1 52 15 03 03 00 1a 00 00 00 00 00 00 00 02 |..R.............| +00000030 fd 31 a4 4b d1 e9 f0 e0 18 b5 96 28 f7 b4 0c 29 |.1.K.......(...)| +00000040 8c 0c |..| diff --git a/pkg/tls/testdata/Client-TLSv12-ClientCert-ECDSA-ECDSA b/pkg/tls/testdata/Client-TLSv12-ClientCert-ECDSA-ECDSA new file mode 100644 index 000000000..4b40e44a5 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-ClientCert-ECDSA-ECDSA @@ -0,0 +1,140 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 7c 3c 83 43 cf |....]...Y..|<.C.| +00000010 60 91 0b 04 73 55 30 be 25 6b 41 c9 4c 67 5b 91 |`...sU0.%kA.Lg[.| +00000020 af 04 b5 34 c7 61 c7 d3 62 2e ca 20 88 47 3a 15 |...4.a..b.. .G:.| +00000030 b4 8d 3f eb a6 b3 fd ae a4 e9 d9 db 5b 59 3b 1c |..?.........[Y;.| +00000040 e6 47 e3 98 74 da 32 04 32 b0 57 81 c0 09 00 00 |.G..t.2.2.W.....| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 0e 0b 00 02 0a 00 02 07 00 02 |................| +00000070 04 30 82 02 00 30 82 01 62 02 09 00 b8 bf 2d 47 |.0...0..b.....-G| +00000080 a0 d2 eb f4 30 09 06 07 2a 86 48 ce 3d 04 01 30 |....0...*.H.=..0| +00000090 45 31 0b 30 09 06 03 55 04 06 13 02 41 55 31 13 |E1.0...U....AU1.| +000000a0 30 11 06 03 55 04 08 13 0a 53 6f 6d 65 2d 53 74 |0...U....Some-St| +000000b0 61 74 65 31 21 30 1f 06 03 55 04 0a 13 18 49 6e |ate1!0...U....In| +000000c0 74 65 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 |ternet Widgits P| +000000d0 74 79 20 4c 74 64 30 1e 17 0d 31 32 31 31 32 32 |ty Ltd0...121122| +000000e0 31 35 30 36 33 32 5a 17 0d 32 32 31 31 32 30 31 |150632Z..2211201| +000000f0 35 30 36 33 32 5a 30 45 31 0b 30 09 06 03 55 04 |50632Z0E1.0...U.| +00000100 06 13 02 41 55 31 13 30 11 06 03 55 04 08 13 0a |...AU1.0...U....| +00000110 53 6f 6d 65 2d 53 74 61 74 65 31 21 30 1f 06 03 |Some-State1!0...| +00000120 55 04 0a 13 18 49 6e 74 65 72 6e 65 74 20 57 69 |U....Internet Wi| +00000130 64 67 69 74 73 20 50 74 79 20 4c 74 64 30 81 9b |dgits Pty Ltd0..| +00000140 30 10 06 07 2a 86 48 ce 3d 02 01 06 05 2b 81 04 |0...*.H.=....+..| +00000150 00 23 03 81 86 00 04 00 c4 a1 ed be 98 f9 0b 48 |.#.............H| +00000160 73 36 7e c3 16 56 11 22 f2 3d 53 c3 3b 4d 21 3d |s6~..V.".=S.;M!=| +00000170 cd 6b 75 e6 f6 b0 dc 9a df 26 c1 bc b2 87 f0 72 |.ku......&.....r| +00000180 32 7c b3 64 2f 1c 90 bc ea 68 23 10 7e fe e3 25 |2|.d/....h#.~..%| +00000190 c0 48 3a 69 e0 28 6d d3 37 00 ef 04 62 dd 0d a0 |.H:i.(m.7...b...| +000001a0 9c 70 62 83 d8 81 d3 64 31 aa 9e 97 31 bd 96 b0 |.pb....d1...1...| +000001b0 68 c0 9b 23 de 76 64 3f 1a 5c 7f e9 12 0e 58 58 |h..#.vd?.\....XX| +000001c0 b6 5f 70 dd 9b d8 ea d5 d7 f5 d5 cc b9 b6 9f 30 |._p............0| +000001d0 66 5b 66 9a 20 e2 27 e5 bf fe 3b 30 09 06 07 2a |f[f. .'...;0...*| +000001e0 86 48 ce 3d 04 01 03 81 8c 00 30 81 88 02 42 01 |.H.=......0...B.| +000001f0 88 a2 4f eb e2 45 c5 48 7d 1b ac f5 ed 98 9d ae |..O..E.H}.......| +00000200 47 70 c0 5e 1b b6 2f bd f1 b6 4d b7 61 40 d3 11 |Gp.^../...M.a@..| +00000210 a2 ce ee 0b 7e 92 7e ff 76 9d c3 3b 7e a5 3f ce |....~.~.v..;~.?.| +00000220 fa 10 e2 59 ec 47 2d 7c ac da 4e 97 0e 15 a0 6f |...Y.G-|..N....o| +00000230 d0 02 42 01 4d fc be 67 13 9c 2d 05 0e bd 3f a3 |..B.M..g..-...?.| +00000240 8c 25 c1 33 13 83 0d 94 06 bb d4 37 7a f6 ec 7a |.%.3.......7z..z| +00000250 c9 86 2e dd d7 11 69 7f 85 7c 56 de fb 31 78 2b |......i..|V..1x+| +00000260 e4 c7 78 0d ae cb be 9e 4e 36 24 31 7b 6a 0f 39 |..x.....N6$1{j.9| +00000270 95 12 07 8f 2a 16 03 03 00 b6 0c 00 00 b2 03 00 |....*...........| +00000280 1d 20 b5 f3 76 c4 a9 33 34 2a 38 16 b1 38 f5 a1 |. ..v..34*8..8..| +00000290 dc f7 60 67 32 cf 6b aa 82 0c b5 db 31 c4 b4 36 |..`g2.k.....1..6| +000002a0 3e 16 04 03 00 8a 30 81 87 02 41 34 fc 19 0c 94 |>.....0...A4....| +000002b0 d7 c3 9d ed ae 75 7a 20 b5 b0 93 69 85 8e 4b 20 |.....uz ...i..K | +000002c0 27 03 83 12 12 8d d5 e4 cc 06 95 a7 dc 7c b2 dc |'............|..| +000002d0 71 6e 8c 18 89 4b fe 14 41 59 f7 af c8 1f d4 b8 |qn...K..AY......| +000002e0 7b c4 1f cb 75 53 04 29 87 df 92 37 02 42 01 e7 |{...uS.)...7.B..| +000002f0 c3 86 70 fa 8e 5e 21 16 52 0e 87 65 4a 69 aa ae |..p..^!.R..eJi..| +00000300 4c 4f 1e b5 91 17 24 b9 7d 18 7e 0f d0 db a5 33 |LO....$.}.~....3| +00000310 19 7d 98 7b 5e 15 23 d2 8c 52 8d 17 56 08 60 d6 |.}.{^.#..R..V.`.| +00000320 7c 2c 19 11 e1 d7 37 a7 b0 68 7b df 8c ae 3d 3e ||,....7..h{...=>| +00000330 16 03 03 00 3a 0d 00 00 36 03 01 02 40 00 2e 04 |....:...6...@...| +00000340 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 |................| +00000350 04 08 05 08 06 04 01 05 01 06 01 03 03 02 03 03 |................| +00000360 01 02 01 03 02 02 02 04 02 05 02 06 02 00 00 16 |................| +00000370 03 03 00 04 0e 00 00 00 |........| +>>> Flow 3 (client to server) +00000000 16 03 03 02 0a 0b 00 02 06 00 02 03 00 02 00 30 |...............0| +00000010 82 01 fc 30 82 01 5e 02 09 00 9a 30 84 6c 26 35 |...0..^....0.l&5| +00000020 d9 17 30 09 06 07 2a 86 48 ce 3d 04 01 30 45 31 |..0...*.H.=..0E1| +00000030 0b 30 09 06 03 55 04 06 13 02 41 55 31 13 30 11 |.0...U....AU1.0.| +00000040 06 03 55 04 08 13 0a 53 6f 6d 65 2d 53 74 61 74 |..U....Some-Stat| +00000050 65 31 21 30 1f 06 03 55 04 0a 13 18 49 6e 74 65 |e1!0...U....Inte| +00000060 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 74 79 |rnet Widgits Pty| +00000070 20 4c 74 64 30 1e 17 0d 31 32 31 31 31 34 31 33 | Ltd0...12111413| +00000080 32 35 35 33 5a 17 0d 32 32 31 31 31 32 31 33 32 |2553Z..221112132| +00000090 35 35 33 5a 30 41 31 0b 30 09 06 03 55 04 06 13 |553Z0A1.0...U...| +000000a0 02 41 55 31 0c 30 0a 06 03 55 04 08 13 03 4e 53 |.AU1.0...U....NS| +000000b0 57 31 10 30 0e 06 03 55 04 07 13 07 50 79 72 6d |W1.0...U....Pyrm| +000000c0 6f 6e 74 31 12 30 10 06 03 55 04 03 13 09 4a 6f |ont1.0...U....Jo| +000000d0 65 6c 20 53 69 6e 67 30 81 9b 30 10 06 07 2a 86 |el Sing0..0...*.| +000000e0 48 ce 3d 02 01 06 05 2b 81 04 00 23 03 81 86 00 |H.=....+...#....| +000000f0 04 00 95 8c 91 75 14 c0 5e c4 57 b4 d4 c3 6f 8d |.....u..^.W...o.| +00000100 ae 68 1e dd 6f ce 86 e1 7e 6e b2 48 3e 81 e5 4e |.h..o...~n.H>..N| +00000110 e2 c6 88 4b 64 dc f5 30 bb d3 ff 65 cc 5b f4 dd |...Kd..0...e.[..| +00000120 b5 6a 3e 3e d0 1d de 47 c3 76 ad 19 f6 45 2c 8c |.j>>...G.v...E,.| +00000130 bc d8 1d 01 4c 1f 70 90 46 76 48 8b 8f 83 cc 4a |....L.p.FvH....J| +00000140 5c 8f 40 76 da e0 89 ec 1d 2b c4 4e 30 76 28 41 |\.@v.....+.N0v(A| +00000150 b2 62 a8 fb 5b f1 f9 4e 7a 8d bd 09 b8 ae ea 8b |.b..[..Nz.......| +00000160 18 27 4f 2e 70 fe 13 96 ba c3 d3 40 16 cd 65 4e |.'O.p......@..eN| +00000170 ac 11 1e e6 f1 30 09 06 07 2a 86 48 ce 3d 04 01 |.....0...*.H.=..| +00000180 03 81 8c 00 30 81 88 02 42 00 e0 14 c4 60 60 0b |....0...B....``.| +00000190 72 68 b0 32 5d 61 4a 02 74 5c c2 81 b9 16 a8 3f |rh.2]aJ.t\.....?| +000001a0 29 c8 36 c7 81 ff 6c b6 5b d9 70 f1 38 3b 50 48 |).6...l.[.p.8;PH| +000001b0 28 94 cb 09 1a 52 f1 5d ee 8d f2 b9 f0 f0 da d9 |(....R.]........| +000001c0 15 3a f9 bd 03 7a 87 a2 23 35 ec 02 42 01 a3 d4 |.:...z..#5..B...| +000001d0 8a 78 35 1c 4a 9a 23 d2 0a be 2b 10 31 9d 9c 5f |.x5.J.#...+.1.._| +000001e0 be e8 91 b3 da 1a f5 5d a3 23 f5 26 8b 45 70 8d |.......].#.&.Ep.| +000001f0 65 62 9b 7e 01 99 3d 18 f6 10 9a 38 61 9b 2e 57 |eb.~..=....8a..W| +00000200 e4 fa cc b1 8a ce e2 23 a0 87 f0 e1 67 51 eb 16 |.......#....gQ..| +00000210 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd 62 |...%...! /.}.G.b| +00000220 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 cf |C.(.._.).0......| +00000230 c2 ed 90 99 5f 58 cb 3b 74 16 03 03 00 92 0f 00 |...._X.;t.......| +00000240 00 8e 04 03 00 8a 30 81 87 02 42 00 92 a9 5e 4b |......0...B...^K| +00000250 9d ee cc 03 2e 34 e8 5b bd 7b 11 5a 25 00 80 a6 |.....4.[.{.Z%...| +00000260 83 44 79 07 06 0d ba 0f 76 4d e9 40 50 52 9a c3 |.Dy.....vM.@PR..| +00000270 24 43 e4 2a 2c 29 d8 da 78 af a4 ad b1 db 0f e6 |$C.*,)..x.......| +00000280 29 a8 be ec d5 c9 79 4e dc e6 6b 39 77 02 41 45 |).....yN..k9w.AE| +00000290 be 07 99 32 88 da 0b 8c 33 48 91 78 2e 23 03 9a |...2....3H.x.#..| +000002a0 6a 92 b3 4c 82 c0 fd cf 0f 08 b5 19 f6 6d 21 95 |j..L.........m!.| +000002b0 32 7a bc 6f 4b a8 01 b2 e2 a3 48 6c d0 ec 77 1c |2z.oK.....Hl..w.| +000002c0 30 83 f4 6c 12 a7 50 ea de a3 6e 47 59 cc 0d 35 |0..l..P...nGY..5| +000002d0 14 03 03 00 01 01 16 03 03 00 40 00 00 00 00 00 |..........@.....| +000002e0 00 00 00 00 00 00 00 00 00 00 00 65 d3 93 a7 5f |...........e..._| +000002f0 ff 8c 1e 8f e5 9b 61 fe df ac b6 9d e3 68 31 f8 |......a......h1.| +00000300 2b d0 70 32 2a 07 13 fe 34 5d a2 ab 35 f1 4c 81 |+.p2*...4]..5.L.| +00000310 28 34 50 0d 21 bc 4a a9 2d 90 c4 |(4P.!.J.-..| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 40 49 93 f4 1d 25 |..........@I...%| +00000010 62 e3 5d 46 a2 ae 3d d2 4c 35 a9 06 f0 e1 ca d7 |b.]F..=.L5......| +00000020 43 c1 96 27 96 ce d1 f6 d5 07 cc ec 6a 4a 96 c6 |C..'........jJ..| +00000030 1f 89 14 ff 15 6f 79 bc 90 3e fd 63 ed 21 69 95 |.....oy..>.c.!i.| +00000040 91 a1 08 4a 7e e6 f0 5d e6 ae b6 |...J~..]...| +>>> Flow 5 (client to server) +00000000 17 03 03 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........| +00000010 00 00 00 00 00 88 36 f6 a8 b4 e5 b6 58 ec 9b 08 |......6.....X...| +00000020 6f bf 5a 7c f1 b5 81 b2 6b 93 f2 35 40 34 89 61 |o.Z|....k..5@4.a| +00000030 a9 ef 6d fe 2c 15 03 03 00 30 00 00 00 00 00 00 |..m.,....0......| +00000040 00 00 00 00 00 00 00 00 00 00 97 6d 99 d3 e5 8b |...........m....| +00000050 54 93 b6 fd 3f ec 6e 03 03 4e 04 39 35 2c bb 10 |T...?.n..N.95,..| +00000060 02 d0 8d 48 4e 56 1a e5 98 97 |...HNV....| diff --git a/pkg/tls/testdata/Client-TLSv12-ClientCert-ECDSA-RSA b/pkg/tls/testdata/Client-TLSv12-ClientCert-ECDSA-RSA new file mode 100644 index 000000000..b7323e548 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-ClientCert-ECDSA-RSA @@ -0,0 +1,140 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 75 bb 71 f8 35 |....]...Y..u.q.5| +00000010 6c a2 b1 c8 b1 a1 dc 40 01 bc e7 0c 8c 22 90 2c |l......@.....".,| +00000020 aa 34 d3 d2 c8 b1 96 3b bf 4a bf 20 b3 2a f7 96 |.4.....;.J. .*..| +00000030 9d 79 53 4b 64 b2 80 4d 0e ab f8 3d cd 82 2d 78 |.ySKd..M...=..-x| +00000040 47 8e cd 9b 14 8c 1e 6d 0e 52 7b db c0 2f 00 00 |G......m.R{../..| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 03 00 ac 0c 00 00 a8 03 00 1d 20 f1 7e d0 |............ .~.| +000002d0 74 5c 5a ab 67 9d 3e ad b5 4a 07 22 4a b7 3c e5 |t\Z.g.>..J."J.<.| +000002e0 dd 4a 1f ba 33 b5 73 91 87 2a ef 5d 2b 08 04 00 |.J..3.s..*.]+...| +000002f0 80 d7 78 82 c0 ee 54 02 e8 69 66 94 4b 92 74 0b |..x...T..if.K.t.| +00000300 be 72 05 ef 78 e2 60 c0 72 3a 09 42 4b d3 0d a0 |.r..x.`.r:.BK...| +00000310 8b 50 b2 48 33 e4 d2 9f 64 4b 81 8c 5a c4 ad 8d |.P.H3...dK..Z...| +00000320 52 7c c4 79 10 1c df a8 80 bc 91 bc a7 5e b9 87 |R|.y.........^..| +00000330 8c 68 63 41 dc 95 b0 b7 65 c4 e8 54 39 ce 2b f8 |.hcA....e..T9.+.| +00000340 36 76 7f d1 1f ec 84 2b 08 63 10 d0 3c c0 4a 61 |6v.....+.c..<.Ja| +00000350 5f 74 6a e2 94 93 82 e9 4f 81 bf 93 65 e8 09 06 |_tj.....O...e...| +00000360 b6 61 14 ed 1a e0 52 f7 4f 08 2d 93 1e 1a 83 e2 |.a....R.O.-.....| +00000370 17 16 03 03 00 3a 0d 00 00 36 03 01 02 40 00 2e |.....:...6...@..| +00000380 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b |................| +00000390 08 04 08 05 08 06 04 01 05 01 06 01 03 03 02 03 |................| +000003a0 03 01 02 01 03 02 02 02 04 02 05 02 06 02 00 00 |................| +000003b0 16 03 03 00 04 0e 00 00 00 |.........| +>>> Flow 3 (client to server) +00000000 16 03 03 02 0a 0b 00 02 06 00 02 03 00 02 00 30 |...............0| +00000010 82 01 fc 30 82 01 5e 02 09 00 9a 30 84 6c 26 35 |...0..^....0.l&5| +00000020 d9 17 30 09 06 07 2a 86 48 ce 3d 04 01 30 45 31 |..0...*.H.=..0E1| +00000030 0b 30 09 06 03 55 04 06 13 02 41 55 31 13 30 11 |.0...U....AU1.0.| +00000040 06 03 55 04 08 13 0a 53 6f 6d 65 2d 53 74 61 74 |..U....Some-Stat| +00000050 65 31 21 30 1f 06 03 55 04 0a 13 18 49 6e 74 65 |e1!0...U....Inte| +00000060 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 74 79 |rnet Widgits Pty| +00000070 20 4c 74 64 30 1e 17 0d 31 32 31 31 31 34 31 33 | Ltd0...12111413| +00000080 32 35 35 33 5a 17 0d 32 32 31 31 31 32 31 33 32 |2553Z..221112132| +00000090 35 35 33 5a 30 41 31 0b 30 09 06 03 55 04 06 13 |553Z0A1.0...U...| +000000a0 02 41 55 31 0c 30 0a 06 03 55 04 08 13 03 4e 53 |.AU1.0...U....NS| +000000b0 57 31 10 30 0e 06 03 55 04 07 13 07 50 79 72 6d |W1.0...U....Pyrm| +000000c0 6f 6e 74 31 12 30 10 06 03 55 04 03 13 09 4a 6f |ont1.0...U....Jo| +000000d0 65 6c 20 53 69 6e 67 30 81 9b 30 10 06 07 2a 86 |el Sing0..0...*.| +000000e0 48 ce 3d 02 01 06 05 2b 81 04 00 23 03 81 86 00 |H.=....+...#....| +000000f0 04 00 95 8c 91 75 14 c0 5e c4 57 b4 d4 c3 6f 8d |.....u..^.W...o.| +00000100 ae 68 1e dd 6f ce 86 e1 7e 6e b2 48 3e 81 e5 4e |.h..o...~n.H>..N| +00000110 e2 c6 88 4b 64 dc f5 30 bb d3 ff 65 cc 5b f4 dd |...Kd..0...e.[..| +00000120 b5 6a 3e 3e d0 1d de 47 c3 76 ad 19 f6 45 2c 8c |.j>>...G.v...E,.| +00000130 bc d8 1d 01 4c 1f 70 90 46 76 48 8b 8f 83 cc 4a |....L.p.FvH....J| +00000140 5c 8f 40 76 da e0 89 ec 1d 2b c4 4e 30 76 28 41 |\.@v.....+.N0v(A| +00000150 b2 62 a8 fb 5b f1 f9 4e 7a 8d bd 09 b8 ae ea 8b |.b..[..Nz.......| +00000160 18 27 4f 2e 70 fe 13 96 ba c3 d3 40 16 cd 65 4e |.'O.p......@..eN| +00000170 ac 11 1e e6 f1 30 09 06 07 2a 86 48 ce 3d 04 01 |.....0...*.H.=..| +00000180 03 81 8c 00 30 81 88 02 42 00 e0 14 c4 60 60 0b |....0...B....``.| +00000190 72 68 b0 32 5d 61 4a 02 74 5c c2 81 b9 16 a8 3f |rh.2]aJ.t\.....?| +000001a0 29 c8 36 c7 81 ff 6c b6 5b d9 70 f1 38 3b 50 48 |).6...l.[.p.8;PH| +000001b0 28 94 cb 09 1a 52 f1 5d ee 8d f2 b9 f0 f0 da d9 |(....R.]........| +000001c0 15 3a f9 bd 03 7a 87 a2 23 35 ec 02 42 01 a3 d4 |.:...z..#5..B...| +000001d0 8a 78 35 1c 4a 9a 23 d2 0a be 2b 10 31 9d 9c 5f |.x5.J.#...+.1.._| +000001e0 be e8 91 b3 da 1a f5 5d a3 23 f5 26 8b 45 70 8d |.......].#.&.Ep.| +000001f0 65 62 9b 7e 01 99 3d 18 f6 10 9a 38 61 9b 2e 57 |eb.~..=....8a..W| +00000200 e4 fa cc b1 8a ce e2 23 a0 87 f0 e1 67 51 eb 16 |.......#....gQ..| +00000210 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd 62 |...%...! /.}.G.b| +00000220 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 cf |C.(.._.).0......| +00000230 c2 ed 90 99 5f 58 cb 3b 74 16 03 03 00 93 0f 00 |...._X.;t.......| +00000240 00 8f 04 03 00 8b 30 81 88 02 42 01 8a 49 56 8a |......0...B..IV.| +00000250 3d 09 db 5b ae 29 2f 93 04 b1 7a 80 95 5c 30 4b |=..[.)/...z..\0K| +00000260 9a 90 5a 64 3d 12 72 03 7a 8f 4d 40 a8 b0 fd d3 |..Zd=.r.z.M@....| +00000270 2d e5 3f a4 ce 97 34 e6 e4 23 4f 0b 00 7c 89 8e |-.?...4..#O..|..| +00000280 f2 37 14 a8 50 d3 d6 ec 99 f2 ff c6 8e 02 42 01 |.7..P.........B.| +00000290 75 ba 90 7c 16 88 9f 93 73 2a ec e8 e0 53 82 6c |u..|....s*...S.l| +000002a0 85 a9 1f 42 7e a2 db 55 e9 cd a7 b0 b2 c6 a2 38 |...B~..U.......8| +000002b0 14 75 ea 91 2f 10 c7 0a f4 98 14 c7 a4 71 72 af |.u../........qr.| +000002c0 d1 b3 2b 86 a7 25 97 5f de 5a c3 79 fe 44 42 b1 |..+..%._.Z.y.DB.| +000002d0 dd 14 03 03 00 01 01 16 03 03 00 28 00 00 00 00 |...........(....| +000002e0 00 00 00 00 a8 a3 81 5b 57 fb 9e 15 5a aa 77 1c |.......[W...Z.w.| +000002f0 39 cb 84 05 dc 58 2e 65 3c 25 b2 46 9a b3 17 a4 |9....X.e<%.F....| +00000300 2f 6c ae fb |/l..| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 28 fd 91 33 fe 0c |..........(..3..| +00000010 f3 cf d7 9d b0 d1 e7 63 ea 06 f7 93 d3 f5 cd 33 |.......c.......3| +00000020 32 ac 94 78 8e 15 ac 57 c9 b4 44 36 97 96 8d f1 |2..x...W..D6....| +00000030 c3 20 0d |. .| +>>> Flow 5 (client to server) +00000000 17 03 03 00 1e 00 00 00 00 00 00 00 01 99 85 0f |................| +00000010 d6 6c 5e b9 55 12 d5 b5 93 a8 b8 85 cb 0b 8f cd |.l^.U...........| +00000020 f5 fc a1 15 03 03 00 1a 00 00 00 00 00 00 00 02 |................| +00000030 e3 c0 5e 6a 72 6c 2d 5a 4c 94 0d 1e 77 85 ef 4a |..^jrl-ZL...w..J| +00000040 90 a5 |..| diff --git a/pkg/tls/testdata/Client-TLSv12-ClientCert-Ed25519 b/pkg/tls/testdata/Client-TLSv12-ClientCert-Ed25519 new file mode 100644 index 000000000..c683f6d4c --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-ClientCert-Ed25519 @@ -0,0 +1,120 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 6c b5 d2 af 6d |....]...Y..l...m| +00000010 6d 09 3b 84 5c 76 fc 25 81 84 b9 07 01 e9 54 cc |m.;.\v.%......T.| +00000020 4f 3f ab da ef 02 e7 59 8a e6 10 20 f9 72 db 0c |O?.....Y... .r..| +00000030 a4 c6 29 f6 ce 25 04 5d af 3c 0f fa 97 28 ee 43 |..)..%.].<...(.C| +00000040 b1 e5 5f 0a 42 36 2b 63 06 7d d0 de cc a8 00 00 |.._.B6+c.}......| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 03 00 ac 0c 00 00 a8 03 00 1d 20 05 e2 67 |............ ..g| +000002d0 4b 7b e7 b3 0f 62 ff 90 4d 73 b1 c6 b7 ef 9c 33 |K{...b..Ms.....3| +000002e0 30 83 7d 09 66 b6 d8 10 51 c6 95 b3 64 08 04 00 |0.}.f...Q...d...| +000002f0 80 71 0d e7 a9 1b d7 2e 08 90 5b aa 30 cf c1 e0 |.q........[.0...| +00000300 26 df 57 2d b2 95 4a 69 51 e4 b1 26 ad 91 1a 3e |&.W-..JiQ..&...>| +00000310 38 9f 4e 9e e3 72 7a a7 a8 57 79 3d e5 94 ab c2 |8.N..rz..Wy=....| +00000320 e3 0f e9 07 aa 31 c9 d6 d8 3d 9c 00 2e c3 8b 3f |.....1...=.....?| +00000330 23 5a a9 af f0 6b f0 8f 55 b5 5d b3 67 7a cf b5 |#Z...k..U.].gz..| +00000340 b4 c7 52 29 e9 3a 05 d2 cd d9 a9 99 13 49 15 8a |..R).:.......I..| +00000350 85 92 60 9a ed 72 c7 75 34 0f b5 26 70 ba 67 0b |..`..r.u4..&p.g.| +00000360 6e fb 52 97 01 bd 32 59 5b 56 bc e5 d9 68 cd 88 |n.R...2Y[V...h..| +00000370 7c 16 03 03 00 3a 0d 00 00 36 03 01 02 40 00 2e ||....:...6...@..| +00000380 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b |................| +00000390 08 04 08 05 08 06 04 01 05 01 06 01 03 03 02 03 |................| +000003a0 03 01 02 01 03 02 02 02 04 02 05 02 06 02 00 00 |................| +000003b0 16 03 03 00 04 0e 00 00 00 |.........| +>>> Flow 3 (client to server) +00000000 16 03 03 01 3c 0b 00 01 38 00 01 35 00 01 32 30 |....<...8..5..20| +00000010 82 01 2e 30 81 e1 a0 03 02 01 02 02 10 17 d1 81 |...0............| +00000020 93 be 2a 8c 21 20 10 25 15 e8 34 23 4f 30 05 06 |..*.! .%..4#O0..| +00000030 03 2b 65 70 30 12 31 10 30 0e 06 03 55 04 0a 13 |.+ep0.1.0...U...| +00000040 07 41 63 6d 65 20 43 6f 30 1e 17 0d 31 39 30 35 |.Acme Co0...1905| +00000050 31 36 32 31 35 34 32 36 5a 17 0d 32 30 30 35 31 |16215426Z..20051| +00000060 35 32 31 35 34 32 36 5a 30 12 31 10 30 0e 06 03 |5215426Z0.1.0...| +00000070 55 04 0a 13 07 41 63 6d 65 20 43 6f 30 2a 30 05 |U....Acme Co0*0.| +00000080 06 03 2b 65 70 03 21 00 0b e0 b5 60 b5 e2 79 30 |..+ep.!....`..y0| +00000090 3d be e3 1e e0 50 b1 04 c8 6d c7 78 6c 69 2f c5 |=....P...m.xli/.| +000000a0 14 ad 9a 63 6f 79 12 91 a3 4d 30 4b 30 0e 06 03 |...coy...M0K0...| +000000b0 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 13 06 03 |U...........0...| +000000c0 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 |U.%..0...+......| +000000d0 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 |.0...U.......0.0| +000000e0 16 06 03 55 1d 11 04 0f 30 0d 82 0b 65 78 61 6d |...U....0...exam| +000000f0 70 6c 65 2e 63 6f 6d 30 05 06 03 2b 65 70 03 41 |ple.com0...+ep.A| +00000100 00 fc 19 17 2a 94 a5 31 fa 29 c8 2e 7f 5b a0 5d |....*..1.)...[.]| +00000110 8a 4e 34 40 39 d6 b3 10 dc 19 fe a0 22 71 b3 f5 |.N4@9......."q..| +00000120 8f a1 58 0d cd f4 f1 85 24 bf e6 3d 14 df df ed |..X.....$..=....| +00000130 0e e1 17 d8 11 a2 60 d0 8a 37 23 2a c2 46 aa 3a |......`..7#*.F.:| +00000140 08 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 |.....%...! /.}.G| +00000150 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af |.bC.(.._.).0....| +00000160 c4 cf c2 ed 90 99 5f 58 cb 3b 74 16 03 03 00 48 |......_X.;t....H| +00000170 0f 00 00 44 08 07 00 40 2f cb 89 2f a3 4e ee bb |...D...@/../.N..| +00000180 1a b0 77 a1 9f e3 0e 21 60 58 8d 62 86 2c 23 74 |..w....!`X.b.,#t| +00000190 bd b9 2c 48 7f d3 fa 98 85 01 3a 49 7c a3 f6 c9 |..,H......:I|...| +000001a0 b7 89 83 39 03 21 ed 6b 4a 31 76 b1 20 49 10 1c |...9.!.kJ1v. I..| +000001b0 55 ee bc 1c fb c3 ad 0c 14 03 03 00 01 01 16 03 |U...............| +000001c0 03 00 20 7d f4 a6 96 ba b1 c3 87 f7 1b 61 ca 88 |.. }.........a..| +000001d0 b2 7b 18 f6 92 27 e3 47 fb 46 7b aa 5f ed a1 4c |.{...'.G.F{._..L| +000001e0 00 64 d7 |.d.| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 20 97 ae 75 77 58 |.......... ..uwX| +00000010 02 f2 b3 fe ef cf 61 fe e8 d9 b3 49 02 49 64 c2 |......a....I.Id.| +00000020 4b 94 fe 05 8d c1 46 ef 5b 53 8c |K.....F.[S.| +>>> Flow 5 (client to server) +00000000 17 03 03 00 16 16 ea 3f e3 7d 1f 53 af a2 74 82 |.......?.}.S..t.| +00000010 6e 8a 01 6a ea 75 8b a8 4e 76 74 15 03 03 00 12 |n..j.u..Nvt.....| +00000020 e3 d8 78 82 9f db 28 60 01 c6 03 f0 e7 86 52 ba |..x...(`......R.| +00000030 2c 45 |,E| diff --git a/pkg/tls/testdata/Client-TLSv12-ClientCert-RSA-AES256-GCM-SHA384 b/pkg/tls/testdata/Client-TLSv12-ClientCert-RSA-AES256-GCM-SHA384 new file mode 100644 index 000000000..9631c0c0b --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-ClientCert-RSA-AES256-GCM-SHA384 @@ -0,0 +1,138 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 b7 f3 10 78 e0 |....]...Y.....x.| +00000010 58 51 c7 7c 5c 88 27 e1 ce e4 df 24 45 36 7c fe |XQ.|\.'....$E6|.| +00000020 9b 5c a1 89 0a 6e af 2a 73 b9 93 20 40 64 4c 4d |.\...n.*s.. @dLM| +00000030 9d 10 58 ef 28 30 5d 81 2b 91 3b 5d 2b 67 b4 61 |..X.(0].+.;]+g.a| +00000040 ef 24 f1 23 e2 32 46 4c 3e 96 7a a2 c0 30 00 00 |.$.#.2FL>.z..0..| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 03 00 ac 0c 00 00 a8 03 00 1d 20 e4 a0 4d |............ ..M| +000002d0 a8 b2 65 c0 a7 f8 46 a3 79 1c c6 32 7d 1e c4 7b |..e...F.y..2}..{| +000002e0 09 4a cd 92 5d a6 64 20 b7 c2 0e 5e 50 08 04 00 |.J..].d ...^P...| +000002f0 80 32 80 e3 3b 30 c3 d9 67 9a ef ea 95 f1 c3 50 |.2..;0..g......P| +00000300 cb 98 82 3e 92 fd 4c 1b 76 53 4e 31 41 f4 30 9a |...>..L.vSN1A.0.| +00000310 0a c0 8b 50 5c d6 5c ce 9f ee d9 c6 02 79 48 58 |...P\.\......yHX| +00000320 97 04 9f 7f 86 f2 7b 61 87 f8 5a d1 92 c3 57 d4 |......{a..Z...W.| +00000330 c8 86 a2 be 75 3c 13 75 71 13 e2 20 e7 03 b6 6e |....u<.uq.. ...n| +00000340 97 d5 32 f5 af ce d5 4f e6 7d a6 b3 36 11 f5 ae |..2....O.}..6...| +00000350 4a 0a fb 43 fa 2c c5 29 e6 fa 59 5f 20 e4 41 f1 |J..C.,.)..Y_ .A.| +00000360 3b be e1 1e 80 92 74 1c 8e fe 3a f8 c3 ef ed 93 |;.....t...:.....| +00000370 02 16 03 03 00 3a 0d 00 00 36 03 01 02 40 00 2e |.....:...6...@..| +00000380 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b |................| +00000390 08 04 08 05 08 06 04 01 05 01 06 01 03 03 02 03 |................| +000003a0 03 01 02 01 03 02 02 02 04 02 05 02 06 02 00 00 |................| +000003b0 16 03 03 00 04 0e 00 00 00 |.........| +>>> Flow 3 (client to server) +00000000 16 03 03 01 fd 0b 00 01 f9 00 01 f6 00 01 f3 30 |...............0| +00000010 82 01 ef 30 82 01 58 a0 03 02 01 02 02 10 5c 19 |...0..X.......\.| +00000020 c1 89 65 83 55 6f dc 0b c9 b9 93 9f e9 bc 30 0d |..e.Uo........0.| +00000030 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 12 31 |..*.H........0.1| +00000040 10 30 0e 06 03 55 04 0a 13 07 41 63 6d 65 20 43 |.0...U....Acme C| +00000050 6f 30 1e 17 0d 31 36 30 38 31 37 32 31 35 32 33 |o0...16081721523| +00000060 31 5a 17 0d 31 37 30 38 31 37 32 31 35 32 33 31 |1Z..170817215231| +00000070 5a 30 12 31 10 30 0e 06 03 55 04 0a 13 07 41 63 |Z0.1.0...U....Ac| +00000080 6d 65 20 43 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |me Co0..0...*.H.| +00000090 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +000000a0 81 00 ba 6f aa 86 bd cf bf 9f f2 ef 5c 94 60 78 |...o........\.`x| +000000b0 6f e8 13 f2 d1 96 6f cd d9 32 6e 22 37 ce 41 f9 |o.....o..2n"7.A.| +000000c0 ca 5d 29 ac e1 27 da 61 a2 ee 81 cb 10 c7 df 34 |.])..'.a.......4| +000000d0 58 95 86 e9 3d 19 e6 5c 27 73 60 c8 8d 78 02 f4 |X...=..\'s`..x..| +000000e0 1d a4 98 09 a3 19 70 69 3c 25 62 66 2a ab 22 23 |......pi<%bf*."#| +000000f0 c5 7b 85 38 4f 2e 09 73 32 a7 bd 3e 9b ad ca 84 |.{.8O..s2..>....| +00000100 07 e6 0f 3a ff 77 c5 9d 41 85 00 8a b6 9b ee b0 |...:.w..A.......| +00000110 a4 3f 2d 4c 4c e6 42 3e bb 51 c8 dd 48 54 f4 0c |.?-LL.B>.Q..HT..| +00000120 8e 47 02 03 01 00 01 a3 46 30 44 30 0e 06 03 55 |.G......F0D0...U| +00000130 1d 0f 01 01 ff 04 04 03 02 05 a0 30 13 06 03 55 |...........0...U| +00000140 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 01 |.%..0...+.......| +00000150 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 0f |0...U.......0.0.| +00000160 06 03 55 1d 11 04 08 30 06 87 04 7f 00 00 01 30 |..U....0.......0| +00000170 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 |...*.H..........| +00000180 81 00 46 ab 44 a2 fb 28 54 f8 5a 67 f8 62 94 f1 |..F.D..(T.Zg.b..| +00000190 9a b2 18 9e f2 b1 de 1d 7e 6f 76 95 a9 ba e7 5d |........~ov....]| +000001a0 a8 16 6c 9c f7 09 d3 37 e4 4b 2b 36 7c 01 ad 41 |..l....7.K+6|..A| +000001b0 d2 32 d8 c3 d2 93 f9 10 6b 8e 95 b9 2c 17 8a a3 |.2......k...,...| +000001c0 44 48 bc 59 13 83 16 04 88 a4 81 5c 25 0d 98 0c |DH.Y.......\%...| +000001d0 ac 11 b1 28 56 be 1d cd 61 62 84 09 bf d6 80 c6 |...(V...ab......| +000001e0 45 8d 82 2c b4 d8 83 9b db c9 22 b7 2a 12 11 7b |E..,......".*..{| +000001f0 fa 02 3b c1 c9 ff ea c9 9d a8 49 d3 95 d7 d5 0e |..;.......I.....| +00000200 e5 35 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 |.5....%...! /.}.| +00000210 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 |G.bC.(.._.).0...| +00000220 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 16 03 03 00 |......._X.;t....| +00000230 88 0f 00 00 84 08 04 00 80 57 04 14 cf f4 73 9e |.........W....s.| +00000240 5d 94 16 54 3a 06 6b 37 03 b2 15 52 f1 27 86 2e |]..T:.k7...R.'..| +00000250 66 e3 0b 4c da f9 71 1b 6a 5b 65 d8 7c 43 80 6a |f..L..q.j[e.|C.j| +00000260 d1 5c 5c 3b ff 44 dc c7 a9 74 01 51 76 69 79 24 |.\\;.D...t.Qviy$| +00000270 c5 91 79 65 73 7e b7 1b 15 80 34 b4 31 89 c4 e9 |..yes~....4.1...| +00000280 f8 e3 18 fd 68 65 b9 65 d7 31 cc d0 8d 00 4e 55 |....he.e.1....NU| +00000290 3f dc 17 58 b3 b8 aa 98 4e 73 c5 05 bb 54 81 e3 |?..X....Ns...T..| +000002a0 42 5d b3 1b 6e b0 f8 a0 2c 00 52 e0 e1 16 18 d3 |B]..n...,.R.....| +000002b0 d1 df 2b b9 15 20 69 d6 1a 14 03 03 00 01 01 16 |..+.. i.........| +000002c0 03 03 00 28 00 00 00 00 00 00 00 00 b7 cd 13 34 |...(...........4| +000002d0 56 65 49 f9 1c 23 7f 7d 45 18 91 0f 23 27 c8 78 |VeI..#.}E...#'.x| +000002e0 cb 34 f8 7c 90 58 5f 29 ff ac f8 1c |.4.|.X_)....| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 28 c0 cc d9 54 39 |..........(...T9| +00000010 73 0a 5f d9 33 a2 00 cc 18 f6 73 c9 b1 c6 35 b7 |s._.3.....s...5.| +00000020 49 85 5c 0d 46 21 84 4e 3d b8 ca b8 66 04 e7 96 |I.\.F!.N=...f...| +00000030 e6 55 26 |.U&| +>>> Flow 5 (client to server) +00000000 17 03 03 00 1e 00 00 00 00 00 00 00 01 61 6d a3 |.............am.| +00000010 bd c6 12 0d b3 42 56 a3 e3 c9 e6 4d 38 bf 1d 4c |.....BV....M8..L| +00000020 59 82 c8 15 03 03 00 1a 00 00 00 00 00 00 00 02 |Y...............| +00000030 ea 55 21 35 64 fd c6 7c 0e f3 2d 67 d6 53 03 20 |.U!5d..|..-g.S. | +00000040 64 06 |d.| diff --git a/pkg/tls/testdata/Client-TLSv12-ClientCert-RSA-ECDSA b/pkg/tls/testdata/Client-TLSv12-ClientCert-RSA-ECDSA new file mode 100644 index 000000000..ccb5998df --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-ClientCert-RSA-ECDSA @@ -0,0 +1,139 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 62 ba 01 96 bd |....]...Y..b....| +00000010 12 c5 9d 43 86 5e fe 8d 9e 77 a2 17 dc f3 a2 d6 |...C.^...w......| +00000020 ca 8f d4 49 ff 9b cb a5 bc 86 29 20 58 57 f3 d7 |...I......) XW..| +00000030 5e d8 b9 d7 95 54 f9 50 5c b6 78 44 29 bb 83 21 |^....T.P\.xD)..!| +00000040 77 b2 95 23 5d 4f bb 6a 15 60 e6 86 c0 09 00 00 |w..#]O.j.`......| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 0e 0b 00 02 0a 00 02 07 00 02 |................| +00000070 04 30 82 02 00 30 82 01 62 02 09 00 b8 bf 2d 47 |.0...0..b.....-G| +00000080 a0 d2 eb f4 30 09 06 07 2a 86 48 ce 3d 04 01 30 |....0...*.H.=..0| +00000090 45 31 0b 30 09 06 03 55 04 06 13 02 41 55 31 13 |E1.0...U....AU1.| +000000a0 30 11 06 03 55 04 08 13 0a 53 6f 6d 65 2d 53 74 |0...U....Some-St| +000000b0 61 74 65 31 21 30 1f 06 03 55 04 0a 13 18 49 6e |ate1!0...U....In| +000000c0 74 65 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 |ternet Widgits P| +000000d0 74 79 20 4c 74 64 30 1e 17 0d 31 32 31 31 32 32 |ty Ltd0...121122| +000000e0 31 35 30 36 33 32 5a 17 0d 32 32 31 31 32 30 31 |150632Z..2211201| +000000f0 35 30 36 33 32 5a 30 45 31 0b 30 09 06 03 55 04 |50632Z0E1.0...U.| +00000100 06 13 02 41 55 31 13 30 11 06 03 55 04 08 13 0a |...AU1.0...U....| +00000110 53 6f 6d 65 2d 53 74 61 74 65 31 21 30 1f 06 03 |Some-State1!0...| +00000120 55 04 0a 13 18 49 6e 74 65 72 6e 65 74 20 57 69 |U....Internet Wi| +00000130 64 67 69 74 73 20 50 74 79 20 4c 74 64 30 81 9b |dgits Pty Ltd0..| +00000140 30 10 06 07 2a 86 48 ce 3d 02 01 06 05 2b 81 04 |0...*.H.=....+..| +00000150 00 23 03 81 86 00 04 00 c4 a1 ed be 98 f9 0b 48 |.#.............H| +00000160 73 36 7e c3 16 56 11 22 f2 3d 53 c3 3b 4d 21 3d |s6~..V.".=S.;M!=| +00000170 cd 6b 75 e6 f6 b0 dc 9a df 26 c1 bc b2 87 f0 72 |.ku......&.....r| +00000180 32 7c b3 64 2f 1c 90 bc ea 68 23 10 7e fe e3 25 |2|.d/....h#.~..%| +00000190 c0 48 3a 69 e0 28 6d d3 37 00 ef 04 62 dd 0d a0 |.H:i.(m.7...b...| +000001a0 9c 70 62 83 d8 81 d3 64 31 aa 9e 97 31 bd 96 b0 |.pb....d1...1...| +000001b0 68 c0 9b 23 de 76 64 3f 1a 5c 7f e9 12 0e 58 58 |h..#.vd?.\....XX| +000001c0 b6 5f 70 dd 9b d8 ea d5 d7 f5 d5 cc b9 b6 9f 30 |._p............0| +000001d0 66 5b 66 9a 20 e2 27 e5 bf fe 3b 30 09 06 07 2a |f[f. .'...;0...*| +000001e0 86 48 ce 3d 04 01 03 81 8c 00 30 81 88 02 42 01 |.H.=......0...B.| +000001f0 88 a2 4f eb e2 45 c5 48 7d 1b ac f5 ed 98 9d ae |..O..E.H}.......| +00000200 47 70 c0 5e 1b b6 2f bd f1 b6 4d b7 61 40 d3 11 |Gp.^../...M.a@..| +00000210 a2 ce ee 0b 7e 92 7e ff 76 9d c3 3b 7e a5 3f ce |....~.~.v..;~.?.| +00000220 fa 10 e2 59 ec 47 2d 7c ac da 4e 97 0e 15 a0 6f |...Y.G-|..N....o| +00000230 d0 02 42 01 4d fc be 67 13 9c 2d 05 0e bd 3f a3 |..B.M..g..-...?.| +00000240 8c 25 c1 33 13 83 0d 94 06 bb d4 37 7a f6 ec 7a |.%.3.......7z..z| +00000250 c9 86 2e dd d7 11 69 7f 85 7c 56 de fb 31 78 2b |......i..|V..1x+| +00000260 e4 c7 78 0d ae cb be 9e 4e 36 24 31 7b 6a 0f 39 |..x.....N6$1{j.9| +00000270 95 12 07 8f 2a 16 03 03 00 b7 0c 00 00 b3 03 00 |....*...........| +00000280 1d 20 e7 43 a8 15 b3 d3 ea fd b4 dd 02 83 09 c8 |. .C............| +00000290 76 8f 9b 0e d8 f1 9c e7 99 d5 80 0e fb b8 a1 5c |v..............\| +000002a0 f2 1e 04 03 00 8b 30 81 88 02 42 01 22 7d 76 28 |......0...B."}v(| +000002b0 67 0b 8c 78 65 0b d8 11 3e 29 70 02 49 d1 d7 c4 |g..xe...>)p.I...| +000002c0 50 7b fb 07 2e 8d 91 f6 c4 f8 56 be 75 c6 61 05 |P{........V.u.a.| +000002d0 43 42 2f f9 46 25 09 a6 a8 29 1d 95 6a 5c 65 fd |CB/.F%...)..j\e.| +000002e0 07 c1 88 1b f3 fd 52 7a e4 17 01 fe ad 02 42 01 |......Rz......B.| +000002f0 4f 77 cd d5 34 45 7d 3f 8f 70 ad 80 70 b9 77 9a |Ow..4E}?.p..p.w.| +00000300 08 c6 96 1c 95 14 76 17 90 05 fd 9a 38 be aa ff |......v.....8...| +00000310 64 76 35 ae 91 85 14 e5 e8 37 f7 0a b1 50 16 69 |dv5......7...P.i| +00000320 ab 80 14 77 ee c0 56 77 e5 17 ea d4 57 3c 04 23 |...w..Vw....W<.#| +00000330 d7 16 03 03 00 3a 0d 00 00 36 03 01 02 40 00 2e |.....:...6...@..| +00000340 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b |................| +00000350 08 04 08 05 08 06 04 01 05 01 06 01 03 03 02 03 |................| +00000360 03 01 02 01 03 02 02 02 04 02 05 02 06 02 00 00 |................| +00000370 16 03 03 00 04 0e 00 00 00 |.........| +>>> Flow 3 (client to server) +00000000 16 03 03 01 fd 0b 00 01 f9 00 01 f6 00 01 f3 30 |...............0| +00000010 82 01 ef 30 82 01 58 a0 03 02 01 02 02 10 5c 19 |...0..X.......\.| +00000020 c1 89 65 83 55 6f dc 0b c9 b9 93 9f e9 bc 30 0d |..e.Uo........0.| +00000030 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 12 31 |..*.H........0.1| +00000040 10 30 0e 06 03 55 04 0a 13 07 41 63 6d 65 20 43 |.0...U....Acme C| +00000050 6f 30 1e 17 0d 31 36 30 38 31 37 32 31 35 32 33 |o0...16081721523| +00000060 31 5a 17 0d 31 37 30 38 31 37 32 31 35 32 33 31 |1Z..170817215231| +00000070 5a 30 12 31 10 30 0e 06 03 55 04 0a 13 07 41 63 |Z0.1.0...U....Ac| +00000080 6d 65 20 43 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |me Co0..0...*.H.| +00000090 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +000000a0 81 00 ba 6f aa 86 bd cf bf 9f f2 ef 5c 94 60 78 |...o........\.`x| +000000b0 6f e8 13 f2 d1 96 6f cd d9 32 6e 22 37 ce 41 f9 |o.....o..2n"7.A.| +000000c0 ca 5d 29 ac e1 27 da 61 a2 ee 81 cb 10 c7 df 34 |.])..'.a.......4| +000000d0 58 95 86 e9 3d 19 e6 5c 27 73 60 c8 8d 78 02 f4 |X...=..\'s`..x..| +000000e0 1d a4 98 09 a3 19 70 69 3c 25 62 66 2a ab 22 23 |......pi<%bf*."#| +000000f0 c5 7b 85 38 4f 2e 09 73 32 a7 bd 3e 9b ad ca 84 |.{.8O..s2..>....| +00000100 07 e6 0f 3a ff 77 c5 9d 41 85 00 8a b6 9b ee b0 |...:.w..A.......| +00000110 a4 3f 2d 4c 4c e6 42 3e bb 51 c8 dd 48 54 f4 0c |.?-LL.B>.Q..HT..| +00000120 8e 47 02 03 01 00 01 a3 46 30 44 30 0e 06 03 55 |.G......F0D0...U| +00000130 1d 0f 01 01 ff 04 04 03 02 05 a0 30 13 06 03 55 |...........0...U| +00000140 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 01 |.%..0...+.......| +00000150 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 0f |0...U.......0.0.| +00000160 06 03 55 1d 11 04 08 30 06 87 04 7f 00 00 01 30 |..U....0.......0| +00000170 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 |...*.H..........| +00000180 81 00 46 ab 44 a2 fb 28 54 f8 5a 67 f8 62 94 f1 |..F.D..(T.Zg.b..| +00000190 9a b2 18 9e f2 b1 de 1d 7e 6f 76 95 a9 ba e7 5d |........~ov....]| +000001a0 a8 16 6c 9c f7 09 d3 37 e4 4b 2b 36 7c 01 ad 41 |..l....7.K+6|..A| +000001b0 d2 32 d8 c3 d2 93 f9 10 6b 8e 95 b9 2c 17 8a a3 |.2......k...,...| +000001c0 44 48 bc 59 13 83 16 04 88 a4 81 5c 25 0d 98 0c |DH.Y.......\%...| +000001d0 ac 11 b1 28 56 be 1d cd 61 62 84 09 bf d6 80 c6 |...(V...ab......| +000001e0 45 8d 82 2c b4 d8 83 9b db c9 22 b7 2a 12 11 7b |E..,......".*..{| +000001f0 fa 02 3b c1 c9 ff ea c9 9d a8 49 d3 95 d7 d5 0e |..;.......I.....| +00000200 e5 35 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 |.5....%...! /.}.| +00000210 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 |G.bC.(.._.).0...| +00000220 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 16 03 03 00 |......._X.;t....| +00000230 88 0f 00 00 84 08 04 00 80 47 44 b3 b1 39 6e 07 |.........GD..9n.| +00000240 14 9c 0d 2f bd 5e 39 06 7a af b2 d0 52 9c 6b b8 |.../.^9.z...R.k.| +00000250 6e 07 59 e7 a2 c2 33 83 31 d6 42 79 25 ed 37 b0 |n.Y...3.1.By%.7.| +00000260 97 25 d5 cc a7 7b 54 36 a3 a2 7c 67 38 c2 92 e9 |.%...{T6..|g8...| +00000270 ab 58 59 4f 22 89 57 2b 27 2c d4 e8 7b 1d 5f 0b |.XYO".W+',..{._.| +00000280 1f 94 15 b0 38 67 0d a7 ff 66 2d fd 02 65 d6 8b |....8g...f-..e..| +00000290 ce e2 2a 3c 83 70 56 26 00 e6 1b 47 69 9e 9d 3b |..*<.pV&...Gi..;| +000002a0 81 88 49 58 a6 3a a1 5f 27 dc 7e 79 86 40 af 8c |..IX.:._'.~y.@..| +000002b0 35 17 83 92 da 81 7c 41 0d 14 03 03 00 01 01 16 |5.....|A........| +000002c0 03 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 |...@............| +000002d0 00 00 00 00 09 20 b3 66 7d 40 5d 62 f0 21 0c 02 |..... .f}@]b.!..| +000002e0 66 75 9e 32 f7 28 e4 8e ad 90 18 7d 6a 2b f0 1c |fu.2.(.....}j+..| +000002f0 3e d4 6d 55 c7 a6 74 88 58 25 c3 69 df 0f 86 10 |>.mU..t.X%.i....| +00000300 3c 51 88 26 |>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 40 80 4c 52 cc b6 |..........@.LR..| +00000010 b3 e1 4d 8c a7 26 70 f3 47 21 ed ff 01 45 41 91 |..M..&p.G!...EA.| +00000020 b7 ce 09 87 4d 5b d8 48 c5 9e b1 5d 42 e4 43 1c |....M[.H...]B.C.| +00000030 e0 90 c6 e2 20 64 80 30 6a e7 25 0f 7b 40 fe 8c |.... d.0j.%.{@..| +00000040 5f 80 b3 92 25 96 2b e9 38 f2 e3 |_...%.+.8..| +>>> Flow 5 (client to server) +00000000 17 03 03 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........| +00000010 00 00 00 00 00 6c d5 26 50 49 6f 1a 46 3a d2 3a |.....l.&PIo.F:.:| +00000020 ff b2 0b 17 65 ed 7f a4 b8 e8 82 f6 89 af 07 04 |....e...........| +00000030 bc 77 d6 74 34 15 03 03 00 30 00 00 00 00 00 00 |.w.t4....0......| +00000040 00 00 00 00 00 00 00 00 00 00 ca b6 5b 91 20 9d |............[. .| +00000050 91 42 33 eb f4 49 b6 38 24 fc 3c 8b f7 6c 6b fd |.B3..I.8$.<..lk.| +00000060 df e8 aa 07 18 29 cd 04 85 70 |.....)...p| diff --git a/pkg/tls/testdata/Client-TLSv12-ClientCert-RSA-RSA b/pkg/tls/testdata/Client-TLSv12-ClientCert-RSA-RSA new file mode 100644 index 000000000..c36f2825f --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-ClientCert-RSA-RSA @@ -0,0 +1,138 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 04 e5 45 68 3b |....]...Y....Eh;| +00000010 73 6e 96 92 17 2a e1 5e f8 6a 16 a1 5e a9 55 d0 |sn...*.^.j..^.U.| +00000020 f5 2a 30 1d 94 96 5b 76 d4 c3 d5 20 2b 8a eb 6d |.*0...[v... +..m| +00000030 9c 5a 72 4e a9 df e0 5b 91 7e eb c7 e4 12 6d 1d |.ZrN...[.~....m.| +00000040 a5 3f 54 e2 27 dd 07 4f df be b2 e7 c0 2f 00 00 |.?T.'..O...../..| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 03 00 ac 0c 00 00 a8 03 00 1d 20 77 dc b7 |............ w..| +000002d0 44 64 c9 3b e9 e2 bf b5 01 47 c9 64 f8 ef ee 33 |Dd.;.....G.d...3| +000002e0 e2 81 a1 af 05 c0 31 37 1f 8d 3c 55 45 08 04 00 |......17......k2..D...| +00000320 54 7e 57 74 92 a3 4e f9 cf 70 52 b1 50 9a 60 4f |T~Wt..N..pR.P.`O| +00000330 79 72 5d c4 53 ba 19 ff 05 56 1d 41 be 18 77 71 |yr].S....V.A..wq| +00000340 5c 00 84 5e 70 fa cf 9e 8e d2 62 7d 48 6a fe 75 |\..^p.....b}Hj.u| +00000350 6a 67 5b 82 52 76 d4 fc 96 a4 ad fa a9 ea fc e5 |jg[.Rv..........| +00000360 97 dd 53 a0 ef 53 00 27 72 ae 5b c9 06 f6 43 c8 |..S..S.'r.[...C.| +00000370 d5 16 03 03 00 3a 0d 00 00 36 03 01 02 40 00 2e |.....:...6...@..| +00000380 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b |................| +00000390 08 04 08 05 08 06 04 01 05 01 06 01 03 03 02 03 |................| +000003a0 03 01 02 01 03 02 02 02 04 02 05 02 06 02 00 00 |................| +000003b0 16 03 03 00 04 0e 00 00 00 |.........| +>>> Flow 3 (client to server) +00000000 16 03 03 01 fd 0b 00 01 f9 00 01 f6 00 01 f3 30 |...............0| +00000010 82 01 ef 30 82 01 58 a0 03 02 01 02 02 10 5c 19 |...0..X.......\.| +00000020 c1 89 65 83 55 6f dc 0b c9 b9 93 9f e9 bc 30 0d |..e.Uo........0.| +00000030 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 12 31 |..*.H........0.1| +00000040 10 30 0e 06 03 55 04 0a 13 07 41 63 6d 65 20 43 |.0...U....Acme C| +00000050 6f 30 1e 17 0d 31 36 30 38 31 37 32 31 35 32 33 |o0...16081721523| +00000060 31 5a 17 0d 31 37 30 38 31 37 32 31 35 32 33 31 |1Z..170817215231| +00000070 5a 30 12 31 10 30 0e 06 03 55 04 0a 13 07 41 63 |Z0.1.0...U....Ac| +00000080 6d 65 20 43 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |me Co0..0...*.H.| +00000090 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +000000a0 81 00 ba 6f aa 86 bd cf bf 9f f2 ef 5c 94 60 78 |...o........\.`x| +000000b0 6f e8 13 f2 d1 96 6f cd d9 32 6e 22 37 ce 41 f9 |o.....o..2n"7.A.| +000000c0 ca 5d 29 ac e1 27 da 61 a2 ee 81 cb 10 c7 df 34 |.])..'.a.......4| +000000d0 58 95 86 e9 3d 19 e6 5c 27 73 60 c8 8d 78 02 f4 |X...=..\'s`..x..| +000000e0 1d a4 98 09 a3 19 70 69 3c 25 62 66 2a ab 22 23 |......pi<%bf*."#| +000000f0 c5 7b 85 38 4f 2e 09 73 32 a7 bd 3e 9b ad ca 84 |.{.8O..s2..>....| +00000100 07 e6 0f 3a ff 77 c5 9d 41 85 00 8a b6 9b ee b0 |...:.w..A.......| +00000110 a4 3f 2d 4c 4c e6 42 3e bb 51 c8 dd 48 54 f4 0c |.?-LL.B>.Q..HT..| +00000120 8e 47 02 03 01 00 01 a3 46 30 44 30 0e 06 03 55 |.G......F0D0...U| +00000130 1d 0f 01 01 ff 04 04 03 02 05 a0 30 13 06 03 55 |...........0...U| +00000140 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 01 |.%..0...+.......| +00000150 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 0f |0...U.......0.0.| +00000160 06 03 55 1d 11 04 08 30 06 87 04 7f 00 00 01 30 |..U....0.......0| +00000170 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 |...*.H..........| +00000180 81 00 46 ab 44 a2 fb 28 54 f8 5a 67 f8 62 94 f1 |..F.D..(T.Zg.b..| +00000190 9a b2 18 9e f2 b1 de 1d 7e 6f 76 95 a9 ba e7 5d |........~ov....]| +000001a0 a8 16 6c 9c f7 09 d3 37 e4 4b 2b 36 7c 01 ad 41 |..l....7.K+6|..A| +000001b0 d2 32 d8 c3 d2 93 f9 10 6b 8e 95 b9 2c 17 8a a3 |.2......k...,...| +000001c0 44 48 bc 59 13 83 16 04 88 a4 81 5c 25 0d 98 0c |DH.Y.......\%...| +000001d0 ac 11 b1 28 56 be 1d cd 61 62 84 09 bf d6 80 c6 |...(V...ab......| +000001e0 45 8d 82 2c b4 d8 83 9b db c9 22 b7 2a 12 11 7b |E..,......".*..{| +000001f0 fa 02 3b c1 c9 ff ea c9 9d a8 49 d3 95 d7 d5 0e |..;.......I.....| +00000200 e5 35 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 |.5....%...! /.}.| +00000210 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 |G.bC.(.._.).0...| +00000220 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 16 03 03 00 |......._X.;t....| +00000230 88 0f 00 00 84 08 04 00 80 56 b9 1d 6a ed f4 b2 |.........V..j...| +00000240 e9 2b 9c 6b a3 18 78 1c 76 18 57 7d a3 05 6f 7e |.+.k..x.v.W}..o~| +00000250 36 52 e2 d7 35 f9 c2 2d 81 db ca ee 85 f9 45 d8 |6R..5..-......E.| +00000260 d7 ec 76 9c 1d 85 b7 38 9d 12 f6 64 dc fe ca 16 |..v....8...d....| +00000270 2f ad 91 ae b5 a1 18 bf 85 df 07 bc 7b 42 5b 6d |/...........{B[m| +00000280 ad 54 c7 ae 42 b0 3b e7 b7 70 b9 80 ef a1 65 e7 |.T..B.;..p....e.| +00000290 46 aa e4 9a 22 d9 ce 1f 7d 33 b9 62 4d 3d 77 8a |F..."...}3.bM=w.| +000002a0 b8 ac 38 64 f0 aa 95 be be 78 bc ad 94 b8 90 29 |..8d.....x.....)| +000002b0 72 7f d1 ed f0 bf 79 13 00 14 03 03 00 01 01 16 |r.....y.........| +000002c0 03 03 00 28 00 00 00 00 00 00 00 00 b6 3d 7b 87 |...(.........={.| +000002d0 c8 a0 18 96 ec f8 36 f4 4c 18 7e 13 6b 56 1e de |......6.L.~.kV..| +000002e0 80 8a 37 1b 4e 84 85 3f 60 e8 50 55 |..7.N..?`.PU| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 28 38 5d b5 b3 a8 |..........(8]...| +00000010 94 65 de ee 2e e9 4f f3 13 9e ff 0a f4 d2 b0 9e |.e....O.........| +00000020 e7 ec 8c 7c 03 8f c3 fc c6 97 75 5b 96 1d 64 ad |...|......u[..d.| +00000030 4f ee dd |O..| +>>> Flow 5 (client to server) +00000000 17 03 03 00 1e 00 00 00 00 00 00 00 01 a5 03 23 |...............#| +00000010 3a 39 6b b5 e5 71 c8 87 07 b4 c9 79 2b 84 d9 9d |:9k..q.....y+...| +00000020 1b 21 26 15 03 03 00 1a 00 00 00 00 00 00 00 02 |.!&.............| +00000030 f5 e9 fb d2 c8 57 34 45 e1 27 8e 35 6d 36 95 10 |.....W4E.'.5m6..| +00000040 76 0d |v.| diff --git a/pkg/tls/testdata/Client-TLSv12-ClientCert-RSA-RSAPKCS1v15 b/pkg/tls/testdata/Client-TLSv12-ClientCert-RSA-RSAPKCS1v15 new file mode 100644 index 000000000..bf2f5c4e2 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-ClientCert-RSA-RSAPKCS1v15 @@ -0,0 +1,135 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 0d ab 4e 27 0a |....]...Y....N'.| +00000010 9c 1b 91 00 41 33 eb a7 d6 84 45 e0 dd f7 8a a1 |....A3....E.....| +00000020 62 c4 e0 2d 2f 51 4f 33 21 2a 6d 20 24 2d d0 3f |b..-/QO3!*m $-.?| +00000030 cc 5a 9c 5f b7 53 54 fc c7 bf a9 2c 8e 39 16 e4 |.Z._.ST....,.9..| +00000040 7d 80 72 6b 95 93 51 41 8a da 67 29 c0 2f 00 00 |}.rk..QA..g)./..| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 03 00 ac 0c 00 00 a8 03 00 1d 20 94 9e e3 |............ ...| +000002d0 41 3b c6 0c cc 05 92 ac ea 8c 9e 2d e5 bc 42 30 |A;.........-..B0| +000002e0 47 87 d6 b3 6e d5 73 9f ca 2a 48 9a 04 04 01 00 |G...n.s..*H.....| +000002f0 80 d6 f2 ef 4a 3f ca 47 9a 13 e4 38 3b d8 23 77 |....J?.G...8;.#w| +00000300 b4 84 fa 89 c4 e6 e2 84 e2 a7 50 81 e4 b2 b8 1f |..........P.....| +00000310 04 15 0d 50 5f 4a 95 e3 0d 27 c3 2f 96 9b 92 c0 |...P_J...'./....| +00000320 fb 6a 52 c1 a4 39 39 7e 8f da 53 5e 34 db 62 01 |.jR..99~..S^4.b.| +00000330 6d 0a 14 bd b5 0a 24 b5 df b2 99 56 cd 68 a6 75 |m.....$....V.h.u| +00000340 9f 70 1a f6 d3 6b f6 68 ef bc 75 09 69 c4 18 4a |.p...k.h..u.i..J| +00000350 dc 51 c2 65 01 36 f1 c0 d9 34 66 d1 c2 dc d9 0d |.Q.e.6...4f.....| +00000360 f5 74 4f 84 df b0 c2 d2 0a d6 51 fc 6e 3c d8 74 |.tO.......Q.n<.t| +00000370 35 16 03 03 00 0c 0d 00 00 08 01 01 00 02 04 01 |5...............| +00000380 00 00 16 03 03 00 04 0e 00 00 00 |...........| +>>> Flow 3 (client to server) +00000000 16 03 03 01 fd 0b 00 01 f9 00 01 f6 00 01 f3 30 |...............0| +00000010 82 01 ef 30 82 01 58 a0 03 02 01 02 02 10 5c 19 |...0..X.......\.| +00000020 c1 89 65 83 55 6f dc 0b c9 b9 93 9f e9 bc 30 0d |..e.Uo........0.| +00000030 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 12 31 |..*.H........0.1| +00000040 10 30 0e 06 03 55 04 0a 13 07 41 63 6d 65 20 43 |.0...U....Acme C| +00000050 6f 30 1e 17 0d 31 36 30 38 31 37 32 31 35 32 33 |o0...16081721523| +00000060 31 5a 17 0d 31 37 30 38 31 37 32 31 35 32 33 31 |1Z..170817215231| +00000070 5a 30 12 31 10 30 0e 06 03 55 04 0a 13 07 41 63 |Z0.1.0...U....Ac| +00000080 6d 65 20 43 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |me Co0..0...*.H.| +00000090 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +000000a0 81 00 ba 6f aa 86 bd cf bf 9f f2 ef 5c 94 60 78 |...o........\.`x| +000000b0 6f e8 13 f2 d1 96 6f cd d9 32 6e 22 37 ce 41 f9 |o.....o..2n"7.A.| +000000c0 ca 5d 29 ac e1 27 da 61 a2 ee 81 cb 10 c7 df 34 |.])..'.a.......4| +000000d0 58 95 86 e9 3d 19 e6 5c 27 73 60 c8 8d 78 02 f4 |X...=..\'s`..x..| +000000e0 1d a4 98 09 a3 19 70 69 3c 25 62 66 2a ab 22 23 |......pi<%bf*."#| +000000f0 c5 7b 85 38 4f 2e 09 73 32 a7 bd 3e 9b ad ca 84 |.{.8O..s2..>....| +00000100 07 e6 0f 3a ff 77 c5 9d 41 85 00 8a b6 9b ee b0 |...:.w..A.......| +00000110 a4 3f 2d 4c 4c e6 42 3e bb 51 c8 dd 48 54 f4 0c |.?-LL.B>.Q..HT..| +00000120 8e 47 02 03 01 00 01 a3 46 30 44 30 0e 06 03 55 |.G......F0D0...U| +00000130 1d 0f 01 01 ff 04 04 03 02 05 a0 30 13 06 03 55 |...........0...U| +00000140 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 01 |.%..0...+.......| +00000150 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 0f |0...U.......0.0.| +00000160 06 03 55 1d 11 04 08 30 06 87 04 7f 00 00 01 30 |..U....0.......0| +00000170 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 |...*.H..........| +00000180 81 00 46 ab 44 a2 fb 28 54 f8 5a 67 f8 62 94 f1 |..F.D..(T.Zg.b..| +00000190 9a b2 18 9e f2 b1 de 1d 7e 6f 76 95 a9 ba e7 5d |........~ov....]| +000001a0 a8 16 6c 9c f7 09 d3 37 e4 4b 2b 36 7c 01 ad 41 |..l....7.K+6|..A| +000001b0 d2 32 d8 c3 d2 93 f9 10 6b 8e 95 b9 2c 17 8a a3 |.2......k...,...| +000001c0 44 48 bc 59 13 83 16 04 88 a4 81 5c 25 0d 98 0c |DH.Y.......\%...| +000001d0 ac 11 b1 28 56 be 1d cd 61 62 84 09 bf d6 80 c6 |...(V...ab......| +000001e0 45 8d 82 2c b4 d8 83 9b db c9 22 b7 2a 12 11 7b |E..,......".*..{| +000001f0 fa 02 3b c1 c9 ff ea c9 9d a8 49 d3 95 d7 d5 0e |..;.......I.....| +00000200 e5 35 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 |.5....%...! /.}.| +00000210 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 |G.bC.(.._.).0...| +00000220 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 16 03 03 00 |......._X.;t....| +00000230 88 0f 00 00 84 04 01 00 80 81 fe 69 7d 68 10 74 |...........i}h.t| +00000240 e4 9a d0 11 7a c4 e4 11 4c 7c 8a 13 f1 cf 0e 33 |....z...L|.....3| +00000250 a5 3d d2 1f a2 73 c4 8e 2d 9e 87 45 b6 d2 dc 98 |.=...s..-..E....| +00000260 fe 4d 86 8d ad 87 a8 2c e3 9f 08 a0 4f 78 4d 9c |.M.....,....OxM.| +00000270 de c2 92 7e dc 48 6b a9 e7 cc 58 a9 45 41 04 fb |...~.Hk...X.EA..| +00000280 48 fa d1 e4 5c 71 92 d5 bf e4 92 a1 66 07 b8 73 |H...\q......f..s| +00000290 b0 45 98 12 8e d8 2d e8 3e 85 05 e5 d3 38 ea 3a |.E....-.>....8.:| +000002a0 5d 33 4a 32 f9 ff 8b 18 ae 55 b7 f3 d2 0e e7 b8 |]3J2.....U......| +000002b0 4e e8 bc 4f c6 a3 65 c1 a1 14 03 03 00 01 01 16 |N..O..e.........| +000002c0 03 03 00 28 00 00 00 00 00 00 00 00 da 49 06 a7 |...(.........I..| +000002d0 0e a4 7a df 94 f1 57 43 21 ef 85 ee 9f 52 f2 03 |..z...WC!....R..| +000002e0 5a 79 58 7a a0 b2 1f 9e 1d f9 5a d3 |ZyXz......Z.| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 28 22 7a 58 97 ef |..........("zX..| +00000010 f2 e6 4a c1 10 ca 63 52 e0 82 87 b4 9d d5 2f c4 |..J...cR....../.| +00000020 68 f1 4a d5 e8 ae 3a 22 9e f7 b3 07 8f a4 8c 18 |h.J...:"........| +00000030 2c 44 65 |,De| +>>> Flow 5 (client to server) +00000000 17 03 03 00 1e 00 00 00 00 00 00 00 01 2c ee 44 |.............,.D| +00000010 2d 89 8f 1f bd c2 de ac 8b 3c f2 35 d1 bd 17 4e |-........<.5...N| +00000020 65 3c 47 15 03 03 00 1a 00 00 00 00 00 00 00 02 |e>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 87 97 ae 0d d7 |....]...Y.......| +00000010 e4 be cd c5 ca 90 a8 85 23 c8 e3 32 15 f4 29 d8 |........#..2..).| +00000020 47 d7 ae e7 d8 7b 71 f5 c4 ea 07 20 e4 fd d6 48 |G....{q.... ...H| +00000030 10 13 e0 9b 06 e1 d7 b1 93 94 38 16 b7 a0 ef 80 |..........8.....| +00000040 2e b7 67 d6 ff 73 99 bf 67 cc 62 a1 c0 2f 00 00 |..g..s..g.b../..| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 66 0b 00 02 62 00 02 5f 00 02 |......f...b.._..| +00000070 5c 30 82 02 58 30 82 01 8d a0 03 02 01 02 02 11 |\0..X0..........| +00000080 00 f2 99 26 eb 87 ea 8a 0d b9 fc c2 47 34 7c 11 |...&........G4|.| +00000090 b0 30 41 06 09 2a 86 48 86 f7 0d 01 01 0a 30 34 |.0A..*.H......04| +000000a0 a0 0f 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 |..0...`.H.e.....| +000000b0 00 a1 1c 30 1a 06 09 2a 86 48 86 f7 0d 01 01 08 |...0...*.H......| +000000c0 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 a2 |0...`.H.e.......| +000000d0 03 02 01 20 30 12 31 10 30 0e 06 03 55 04 0a 13 |... 0.1.0...U...| +000000e0 07 41 63 6d 65 20 43 6f 30 1e 17 0d 31 37 31 31 |.Acme Co0...1711| +000000f0 32 33 31 36 31 36 31 30 5a 17 0d 31 38 31 31 32 |23161610Z..18112| +00000100 33 31 36 31 36 31 30 5a 30 12 31 10 30 0e 06 03 |3161610Z0.1.0...| +00000110 55 04 0a 13 07 41 63 6d 65 20 43 6f 30 81 9f 30 |U....Acme Co0..0| +00000120 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 |...*.H..........| +00000130 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 27 |..0.......F}...'| +00000140 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 45 |.H..(!.~...]..RE| +00000150 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 79 |.z6G....B[.....y| +00000160 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 d4 |.@.Om..+.....g..| +00000170 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 93 |..."8.J.ts+.4...| +00000180 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 d9 |...t{.X.la<..A..| +00000190 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf a1 |++$#w[.;.u]. T..| +000001a0 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 ed |c...$....P....C.| +000001b0 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 46 |..ub...R.......F| +000001c0 30 44 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 |0D0...U.........| +000001d0 05 a0 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b |..0...U.%..0...+| +000001e0 06 01 05 05 07 03 01 30 0c 06 03 55 1d 13 01 01 |.......0...U....| +000001f0 ff 04 02 30 00 30 0f 06 03 55 1d 11 04 08 30 06 |...0.0...U....0.| +00000200 87 04 7f 00 00 01 30 41 06 09 2a 86 48 86 f7 0d |......0A..*.H...| +00000210 01 01 0a 30 34 a0 0f 30 0d 06 09 60 86 48 01 65 |...04..0...`.H.e| +00000220 03 04 02 01 05 00 a1 1c 30 1a 06 09 2a 86 48 86 |........0...*.H.| +00000230 f7 0d 01 01 08 30 0d 06 09 60 86 48 01 65 03 04 |.....0...`.H.e..| +00000240 02 01 05 00 a2 03 02 01 20 03 81 81 00 cd ac 4e |........ ......N| +00000250 f2 ce 5f 8d 79 88 10 42 70 7f 7c bf 1b 5a 8a 00 |.._.y..Bp.|..Z..| +00000260 ef 19 15 4b 40 15 17 71 00 6c d4 16 26 e5 49 6d |...K@..q.l..&.Im| +00000270 56 da 0c 1a 13 9f d8 46 95 59 3c b6 7f 87 76 5e |V......F.Y<...v^| +00000280 18 aa 03 ea 06 75 22 dd 78 d2 a5 89 b8 c9 23 64 |.....u".x.....#d| +00000290 e1 28 38 ce 34 6c 6e 06 7b 51 f1 a7 e6 f4 b3 7f |.(8.4ln.{Q......| +000002a0 fa b1 3f 14 11 89 66 79 d1 8e 88 0e 0b a0 9e 30 |..?...fy.......0| +000002b0 2a c0 67 ef ca 46 02 88 e9 53 81 22 69 22 97 ad |*.g..F...S."i"..| +000002c0 80 93 d4 f7 dd 70 14 24 d7 70 0a 46 a1 16 03 03 |.....p.$.p.F....| +000002d0 00 ac 0c 00 00 a8 03 00 1d 20 19 11 2f cc 8b d4 |......... ../...| +000002e0 74 7c 77 34 b0 c7 4f 49 85 d1 f3 b0 2c 0e 83 26 |t|w4..OI....,..&| +000002f0 ee c1 2c 32 c1 82 43 3c cd 1b 08 04 00 80 68 33 |..,2..C<......h3| +00000300 a3 71 38 a8 70 34 04 91 e0 7b b3 44 46 45 54 a9 |.q8.p4...{.DFET.| +00000310 af ad 50 0d b6 91 7c 87 c7 4c 99 2d 02 9d 57 57 |..P...|..L.-..WW| +00000320 ae 2a 25 63 82 32 f0 4a 14 cd d3 b4 ca b8 bc d9 |.*%c.2.J........| +00000330 ff 1e 01 93 20 6e 27 97 04 31 c4 d8 e9 a6 84 1e |.... n'..1......| +00000340 96 6c a6 25 cc 93 e7 2d 15 32 e1 ad 01 7d fb 2c |.l.%...-.2...}.,| +00000350 12 04 5d 59 f6 bc 90 e8 cc d7 48 6d 46 c4 ed 64 |..]Y......HmF..d| +00000360 6b 41 5b 9d 9a 3b c8 11 57 bb b8 b1 cb c6 54 d6 |kA[..;..W.....T.| +00000370 08 34 7e ad e3 59 7b f7 90 77 e6 50 95 aa 16 03 |.4~..Y{..w.P....| +00000380 03 00 0c 0d 00 00 08 01 01 00 02 08 04 00 00 16 |................| +00000390 03 03 00 04 0e 00 00 00 |........| +>>> Flow 3 (client to server) +00000000 16 03 03 02 66 0b 00 02 62 00 02 5f 00 02 5c 30 |....f...b.._..\0| +00000010 82 02 58 30 82 01 8d a0 03 02 01 02 02 11 00 f2 |..X0............| +00000020 99 26 eb 87 ea 8a 0d b9 fc c2 47 34 7c 11 b0 30 |.&........G4|..0| +00000030 41 06 09 2a 86 48 86 f7 0d 01 01 0a 30 34 a0 0f |A..*.H......04..| +00000040 30 0d 06 09 60 86 48 01 65 03 04 02 01 05 00 a1 |0...`.H.e.......| +00000050 1c 30 1a 06 09 2a 86 48 86 f7 0d 01 01 08 30 0d |.0...*.H......0.| +00000060 06 09 60 86 48 01 65 03 04 02 01 05 00 a2 03 02 |..`.H.e.........| +00000070 01 20 30 12 31 10 30 0e 06 03 55 04 0a 13 07 41 |. 0.1.0...U....A| +00000080 63 6d 65 20 43 6f 30 1e 17 0d 31 37 31 31 32 33 |cme Co0...171123| +00000090 31 36 31 36 31 30 5a 17 0d 31 38 31 31 32 33 31 |161610Z..1811231| +000000a0 36 31 36 31 30 5a 30 12 31 10 30 0e 06 03 55 04 |61610Z0.1.0...U.| +000000b0 0a 13 07 41 63 6d 65 20 43 6f 30 81 9f 30 0d 06 |...Acme Co0..0..| +000000c0 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 |.*.H............| +000000d0 30 81 89 02 81 81 00 db 46 7d 93 2e 12 27 06 48 |0.......F}...'.H| +000000e0 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 45 88 7a |..(!.~...]..RE.z| +000000f0 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 79 98 40 |6G....B[.....y.@| +00000100 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 d4 09 9e |.Om..+.....g....| +00000110 d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 93 e5 96 |."8.J.ts+.4.....| +00000120 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b |.t{.X.la<..A..++| +00000130 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf a1 63 87 |$#w[.;.u]. T..c.| +00000140 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 ed 97 a7 |..$....P....C...| +00000150 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 46 30 44 |ub...R.......F0D| +00000160 30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 |0...U...........| +00000170 30 13 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 |0...U.%..0...+..| +00000180 05 05 07 03 01 30 0c 06 03 55 1d 13 01 01 ff 04 |.....0...U......| +00000190 02 30 00 30 0f 06 03 55 1d 11 04 08 30 06 87 04 |.0.0...U....0...| +000001a0 7f 00 00 01 30 41 06 09 2a 86 48 86 f7 0d 01 01 |....0A..*.H.....| +000001b0 0a 30 34 a0 0f 30 0d 06 09 60 86 48 01 65 03 04 |.04..0...`.H.e..| +000001c0 02 01 05 00 a1 1c 30 1a 06 09 2a 86 48 86 f7 0d |......0...*.H...| +000001d0 01 01 08 30 0d 06 09 60 86 48 01 65 03 04 02 01 |...0...`.H.e....| +000001e0 05 00 a2 03 02 01 20 03 81 81 00 cd ac 4e f2 ce |...... ......N..| +000001f0 5f 8d 79 88 10 42 70 7f 7c bf 1b 5a 8a 00 ef 19 |_.y..Bp.|..Z....| +00000200 15 4b 40 15 17 71 00 6c d4 16 26 e5 49 6d 56 da |.K@..q.l..&.ImV.| +00000210 0c 1a 13 9f d8 46 95 59 3c b6 7f 87 76 5e 18 aa |.....F.Y<...v^..| +00000220 03 ea 06 75 22 dd 78 d2 a5 89 b8 c9 23 64 e1 28 |...u".x.....#d.(| +00000230 38 ce 34 6c 6e 06 7b 51 f1 a7 e6 f4 b3 7f fa b1 |8.4ln.{Q........| +00000240 3f 14 11 89 66 79 d1 8e 88 0e 0b a0 9e 30 2a c0 |?...fy.......0*.| +00000250 67 ef ca 46 02 88 e9 53 81 22 69 22 97 ad 80 93 |g..F...S."i"....| +00000260 d4 f7 dd 70 14 24 d7 70 0a 46 a1 16 03 03 00 25 |...p.$.p.F.....%| +00000270 10 00 00 21 20 2f e5 7d a3 47 cd 62 43 15 28 da |...! /.}.G.bC.(.| +00000280 ac 5f bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 |._.).0..........| +00000290 5f 58 cb 3b 74 16 03 03 00 88 0f 00 00 84 08 04 |_X.;t...........| +000002a0 00 80 a2 37 90 1d d9 05 16 91 e6 5d 93 ec d0 4c |...7.......]...L| +000002b0 c9 eb ed d3 66 fc 36 55 ee cb e0 bc aa 41 11 fb |....f.6U.....A..| +000002c0 91 d5 2c 81 d4 08 ee ce f8 96 cd 73 20 73 5b 8c |..,........s s[.| +000002d0 85 45 17 fa 6d 06 db a6 68 49 5e a8 2b 86 83 0f |.E..m...hI^.+...| +000002e0 e2 52 04 96 8c c9 a0 f8 ed 64 51 e3 6e b4 b1 48 |.R.......dQ.n..H| +000002f0 c7 f6 21 c9 aa c0 8d 01 00 43 14 d3 16 ed 9a 3c |..!......C.....<| +00000300 d2 14 57 90 22 f6 52 bc 44 64 88 40 03 93 56 8a |..W.".R.Dd.@..V.| +00000310 4f 50 ad 73 ff bc b4 72 cd e2 01 01 50 88 f9 1c |OP.s...r....P...| +00000320 4f 4d 14 03 03 00 01 01 16 03 03 00 28 00 00 00 |OM..........(...| +00000330 00 00 00 00 00 07 15 02 d9 a8 bd 4b c4 61 57 e0 |...........K.aW.| +00000340 a6 c0 11 05 bc 25 0b 4d fb 36 c4 19 80 e2 59 3e |.....%.M.6....Y>| +00000350 00 a0 7b 87 42 |..{.B| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 28 8b ae 36 31 a0 |..........(..61.| +00000010 0a ba f4 e8 45 6d e2 55 8d 9d 61 e4 80 b6 4e bb |....Em.U..a...N.| +00000020 8c 7f e0 2b ea fc 4d e7 4c 60 c1 c6 91 92 ef 46 |...+..M.L`.....F| +00000030 00 19 b9 |...| +>>> Flow 5 (client to server) +00000000 17 03 03 00 1e 00 00 00 00 00 00 00 01 61 0d 4c |.............a.L| +00000010 bf 57 34 f8 b3 f7 33 d6 49 46 66 14 e8 b2 e4 e0 |.W4...3.IFf.....| +00000020 de 82 d1 15 03 03 00 1a 00 00 00 00 00 00 00 02 |................| +00000030 76 2e 52 63 53 26 93 e3 32 59 de d9 62 e8 f4 93 |v.RcS&..2Y..b...| +00000040 65 bc |e.| diff --git a/pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-AES b/pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-AES new file mode 100644 index 000000000..dd7dfab1c --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-AES @@ -0,0 +1,94 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 53 0a a8 7d 57 |....]...Y..S..}W| +00000010 28 ed 64 43 b5 dd b2 15 a8 6f 88 09 6a 90 4c 23 |(.dC.....o..j.L#| +00000020 06 49 b6 1a 56 b5 a0 a2 68 af 7d 20 5a 4a d6 c3 |.I..V...h.} ZJ..| +00000030 ed 18 12 98 b4 4e f8 f2 df d7 ee 6f e9 c6 c7 82 |.....N.....o....| +00000040 5c bb 79 70 a5 59 51 c7 7f 41 7e 8e c0 09 00 00 |\.yp.YQ..A~.....| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 0e 0b 00 02 0a 00 02 07 00 02 |................| +00000070 04 30 82 02 00 30 82 01 62 02 09 00 b8 bf 2d 47 |.0...0..b.....-G| +00000080 a0 d2 eb f4 30 09 06 07 2a 86 48 ce 3d 04 01 30 |....0...*.H.=..0| +00000090 45 31 0b 30 09 06 03 55 04 06 13 02 41 55 31 13 |E1.0...U....AU1.| +000000a0 30 11 06 03 55 04 08 13 0a 53 6f 6d 65 2d 53 74 |0...U....Some-St| +000000b0 61 74 65 31 21 30 1f 06 03 55 04 0a 13 18 49 6e |ate1!0...U....In| +000000c0 74 65 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 |ternet Widgits P| +000000d0 74 79 20 4c 74 64 30 1e 17 0d 31 32 31 31 32 32 |ty Ltd0...121122| +000000e0 31 35 30 36 33 32 5a 17 0d 32 32 31 31 32 30 31 |150632Z..2211201| +000000f0 35 30 36 33 32 5a 30 45 31 0b 30 09 06 03 55 04 |50632Z0E1.0...U.| +00000100 06 13 02 41 55 31 13 30 11 06 03 55 04 08 13 0a |...AU1.0...U....| +00000110 53 6f 6d 65 2d 53 74 61 74 65 31 21 30 1f 06 03 |Some-State1!0...| +00000120 55 04 0a 13 18 49 6e 74 65 72 6e 65 74 20 57 69 |U....Internet Wi| +00000130 64 67 69 74 73 20 50 74 79 20 4c 74 64 30 81 9b |dgits Pty Ltd0..| +00000140 30 10 06 07 2a 86 48 ce 3d 02 01 06 05 2b 81 04 |0...*.H.=....+..| +00000150 00 23 03 81 86 00 04 00 c4 a1 ed be 98 f9 0b 48 |.#.............H| +00000160 73 36 7e c3 16 56 11 22 f2 3d 53 c3 3b 4d 21 3d |s6~..V.".=S.;M!=| +00000170 cd 6b 75 e6 f6 b0 dc 9a df 26 c1 bc b2 87 f0 72 |.ku......&.....r| +00000180 32 7c b3 64 2f 1c 90 bc ea 68 23 10 7e fe e3 25 |2|.d/....h#.~..%| +00000190 c0 48 3a 69 e0 28 6d d3 37 00 ef 04 62 dd 0d a0 |.H:i.(m.7...b...| +000001a0 9c 70 62 83 d8 81 d3 64 31 aa 9e 97 31 bd 96 b0 |.pb....d1...1...| +000001b0 68 c0 9b 23 de 76 64 3f 1a 5c 7f e9 12 0e 58 58 |h..#.vd?.\....XX| +000001c0 b6 5f 70 dd 9b d8 ea d5 d7 f5 d5 cc b9 b6 9f 30 |._p............0| +000001d0 66 5b 66 9a 20 e2 27 e5 bf fe 3b 30 09 06 07 2a |f[f. .'...;0...*| +000001e0 86 48 ce 3d 04 01 03 81 8c 00 30 81 88 02 42 01 |.H.=......0...B.| +000001f0 88 a2 4f eb e2 45 c5 48 7d 1b ac f5 ed 98 9d ae |..O..E.H}.......| +00000200 47 70 c0 5e 1b b6 2f bd f1 b6 4d b7 61 40 d3 11 |Gp.^../...M.a@..| +00000210 a2 ce ee 0b 7e 92 7e ff 76 9d c3 3b 7e a5 3f ce |....~.~.v..;~.?.| +00000220 fa 10 e2 59 ec 47 2d 7c ac da 4e 97 0e 15 a0 6f |...Y.G-|..N....o| +00000230 d0 02 42 01 4d fc be 67 13 9c 2d 05 0e bd 3f a3 |..B.M..g..-...?.| +00000240 8c 25 c1 33 13 83 0d 94 06 bb d4 37 7a f6 ec 7a |.%.3.......7z..z| +00000250 c9 86 2e dd d7 11 69 7f 85 7c 56 de fb 31 78 2b |......i..|V..1x+| +00000260 e4 c7 78 0d ae cb be 9e 4e 36 24 31 7b 6a 0f 39 |..x.....N6$1{j.9| +00000270 95 12 07 8f 2a 16 03 03 00 b7 0c 00 00 b3 03 00 |....*...........| +00000280 1d 20 f5 a1 40 c1 31 8d 23 ee 2a 95 de 6f 22 a4 |. ..@.1.#.*..o".| +00000290 98 03 77 82 92 67 0e cd 75 5a ac 95 90 07 70 77 |..w..g..uZ....pw| +000002a0 c0 5b 04 03 00 8b 30 81 88 02 42 00 92 88 e3 97 |.[....0...B.....| +000002b0 42 e5 0a ca b7 48 db 4a f0 a2 1d c7 b8 1b bb 4b |B....H.J.......K| +000002c0 ea 5e 6c 40 b7 f7 de e1 b7 e5 b0 5e 8f fd 99 5b |.^l@.......^...[| +000002d0 14 e4 4d 55 4b cb cd f7 9a 3a 77 a7 41 cf 15 26 |..MUK....:w.A..&| +000002e0 79 a5 75 d8 c5 29 64 17 b7 16 7e e4 38 02 42 01 |y.u..)d...~.8.B.| +000002f0 b2 74 0c 2f 4d 18 e3 88 6e fe 90 59 12 5d 2e ef |.t./M...n..Y.]..| +00000300 36 c6 12 04 d5 aa 60 06 83 00 72 93 8c 5c f5 08 |6.....`...r..\..| +00000310 26 38 f7 f6 64 b1 66 2f e4 35 cb 56 0c 67 61 1a |&8..d.f/.5.V.ga.| +00000320 4d 16 8a ba 28 ba b5 ec 0b 61 38 79 db a3 65 c7 |M...(....a8y..e.| +00000330 3e 16 03 03 00 04 0e 00 00 00 |>.........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 03 00 01 01 |....._X.;t......| +00000030 16 03 03 00 40 00 00 00 00 00 00 00 00 00 00 00 |....@...........| +00000040 00 00 00 00 00 7a 74 f0 c3 20 b7 87 3b 1b a6 86 |.....zt.. ..;...| +00000050 0a cf c3 b9 0f 3e 40 39 ed 4e e0 db c0 77 69 b6 |.....>@9.N...wi.| +00000060 79 cb 28 84 1f 88 72 5d 85 df 92 d2 05 ad bd 1b |y.(...r]........| +00000070 34 ba 21 ee 46 |4.!.F| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 40 f3 23 7b 1c 0b |..........@.#{..| +00000010 b3 07 a9 28 3f 33 84 7b 91 9c 7a b2 c2 df 89 6e |...(?3.{..z....n| +00000020 aa 54 35 d7 09 ae 61 cf 90 3a 86 cd 7a 00 6b b1 |.T5...a..:..z.k.| +00000030 1e 7f 55 4c f2 9e e5 4e 69 87 4f a1 eb bb d5 16 |..UL...Ni.O.....| +00000040 03 11 08 24 1d bc 83 29 4d 48 41 |...$...)MHA| +>>> Flow 5 (client to server) +00000000 17 03 03 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........| +00000010 00 00 00 00 00 f7 2c 65 61 5d 89 5d de 8d 42 92 |......,ea].]..B.| +00000020 91 1e f4 71 39 42 a3 92 91 98 96 9f 95 04 86 99 |...q9B..........| +00000030 c6 f3 e8 e1 e7 15 03 03 00 30 00 00 00 00 00 00 |.........0......| +00000040 00 00 00 00 00 00 00 00 00 00 81 23 13 80 00 d8 |...........#....| +00000050 1a 93 58 38 4d f0 6f 87 43 05 6d 63 6c e8 b9 80 |..X8M.o.C.mcl...| +00000060 1c 52 12 59 ae ca a6 c8 3c e3 |.R.Y....<.| diff --git a/pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-AES-GCM b/pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-AES-GCM new file mode 100644 index 000000000..1b3e1e569 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-AES-GCM @@ -0,0 +1,89 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 d8 ac 8a ae 13 |....]...Y.......| +00000010 8a e4 2d ac c0 a1 a3 d5 32 5b ca 18 5a 73 22 83 |..-.....2[..Zs".| +00000020 d0 76 39 5c 48 40 b0 3a 75 87 5d 20 fd a3 fd b4 |.v9\H@.:u.] ....| +00000030 32 cc 05 54 aa 59 cc 76 81 7b 29 c3 bc c6 32 c0 |2..T.Y.v.{)...2.| +00000040 a9 52 fc ea 08 51 20 13 e3 e4 8e 68 c0 2b 00 00 |.R...Q ....h.+..| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 0e 0b 00 02 0a 00 02 07 00 02 |................| +00000070 04 30 82 02 00 30 82 01 62 02 09 00 b8 bf 2d 47 |.0...0..b.....-G| +00000080 a0 d2 eb f4 30 09 06 07 2a 86 48 ce 3d 04 01 30 |....0...*.H.=..0| +00000090 45 31 0b 30 09 06 03 55 04 06 13 02 41 55 31 13 |E1.0...U....AU1.| +000000a0 30 11 06 03 55 04 08 13 0a 53 6f 6d 65 2d 53 74 |0...U....Some-St| +000000b0 61 74 65 31 21 30 1f 06 03 55 04 0a 13 18 49 6e |ate1!0...U....In| +000000c0 74 65 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 |ternet Widgits P| +000000d0 74 79 20 4c 74 64 30 1e 17 0d 31 32 31 31 32 32 |ty Ltd0...121122| +000000e0 31 35 30 36 33 32 5a 17 0d 32 32 31 31 32 30 31 |150632Z..2211201| +000000f0 35 30 36 33 32 5a 30 45 31 0b 30 09 06 03 55 04 |50632Z0E1.0...U.| +00000100 06 13 02 41 55 31 13 30 11 06 03 55 04 08 13 0a |...AU1.0...U....| +00000110 53 6f 6d 65 2d 53 74 61 74 65 31 21 30 1f 06 03 |Some-State1!0...| +00000120 55 04 0a 13 18 49 6e 74 65 72 6e 65 74 20 57 69 |U....Internet Wi| +00000130 64 67 69 74 73 20 50 74 79 20 4c 74 64 30 81 9b |dgits Pty Ltd0..| +00000140 30 10 06 07 2a 86 48 ce 3d 02 01 06 05 2b 81 04 |0...*.H.=....+..| +00000150 00 23 03 81 86 00 04 00 c4 a1 ed be 98 f9 0b 48 |.#.............H| +00000160 73 36 7e c3 16 56 11 22 f2 3d 53 c3 3b 4d 21 3d |s6~..V.".=S.;M!=| +00000170 cd 6b 75 e6 f6 b0 dc 9a df 26 c1 bc b2 87 f0 72 |.ku......&.....r| +00000180 32 7c b3 64 2f 1c 90 bc ea 68 23 10 7e fe e3 25 |2|.d/....h#.~..%| +00000190 c0 48 3a 69 e0 28 6d d3 37 00 ef 04 62 dd 0d a0 |.H:i.(m.7...b...| +000001a0 9c 70 62 83 d8 81 d3 64 31 aa 9e 97 31 bd 96 b0 |.pb....d1...1...| +000001b0 68 c0 9b 23 de 76 64 3f 1a 5c 7f e9 12 0e 58 58 |h..#.vd?.\....XX| +000001c0 b6 5f 70 dd 9b d8 ea d5 d7 f5 d5 cc b9 b6 9f 30 |._p............0| +000001d0 66 5b 66 9a 20 e2 27 e5 bf fe 3b 30 09 06 07 2a |f[f. .'...;0...*| +000001e0 86 48 ce 3d 04 01 03 81 8c 00 30 81 88 02 42 01 |.H.=......0...B.| +000001f0 88 a2 4f eb e2 45 c5 48 7d 1b ac f5 ed 98 9d ae |..O..E.H}.......| +00000200 47 70 c0 5e 1b b6 2f bd f1 b6 4d b7 61 40 d3 11 |Gp.^../...M.a@..| +00000210 a2 ce ee 0b 7e 92 7e ff 76 9d c3 3b 7e a5 3f ce |....~.~.v..;~.?.| +00000220 fa 10 e2 59 ec 47 2d 7c ac da 4e 97 0e 15 a0 6f |...Y.G-|..N....o| +00000230 d0 02 42 01 4d fc be 67 13 9c 2d 05 0e bd 3f a3 |..B.M..g..-...?.| +00000240 8c 25 c1 33 13 83 0d 94 06 bb d4 37 7a f6 ec 7a |.%.3.......7z..z| +00000250 c9 86 2e dd d7 11 69 7f 85 7c 56 de fb 31 78 2b |......i..|V..1x+| +00000260 e4 c7 78 0d ae cb be 9e 4e 36 24 31 7b 6a 0f 39 |..x.....N6$1{j.9| +00000270 95 12 07 8f 2a 16 03 03 00 b7 0c 00 00 b3 03 00 |....*...........| +00000280 1d 20 1b e5 74 f7 2a 8e 86 7d 32 5b 99 f7 e0 2d |. ..t.*..}2[...-| +00000290 0d 96 a7 38 59 6c d9 50 7c 8a a2 2a 06 76 85 1f |...8Yl.P|..*.v..| +000002a0 77 7b 04 03 00 8b 30 81 88 02 42 01 9e 35 d1 fc |w{....0...B..5..| +000002b0 b8 16 97 b6 7b c4 6e 16 a9 de 5c 90 78 a6 d8 78 |....{.n...\.x..x| +000002c0 be 38 98 ba 50 bc 88 bb f0 15 30 62 29 96 43 15 |.8..P.....0b).C.| +000002d0 a7 7e 93 d4 3a 8c 2c 24 a5 7b e3 51 eb ef d4 16 |.~..:.,$.{.Q....| +000002e0 9b d7 c2 c3 b1 10 54 fe 26 55 05 a7 79 02 42 01 |......T.&U..y.B.| +000002f0 ca 62 10 6d b0 be 85 cf 3d ef a1 2f 9a 04 b9 6b |.b.m....=../...k| +00000300 1d ec bf fc 4e 77 81 b2 70 50 98 26 b4 89 5f a9 |....Nw..pP.&.._.| +00000310 d8 63 1a 54 79 f2 39 83 88 57 a0 25 cc a6 36 fa |.c.Ty.9..W.%..6.| +00000320 31 c1 45 c5 8d 04 83 42 89 a4 15 c3 3e 61 71 1c |1.E....B....>aq.| +00000330 53 16 03 03 00 04 0e 00 00 00 |S.........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 03 00 01 01 |....._X.;t......| +00000030 16 03 03 00 28 00 00 00 00 00 00 00 00 4f 28 16 |....(........O(.| +00000040 51 9e e7 01 d2 5c 25 d7 bb 42 4c fc d9 dc d7 7f |Q....\%..BL.....| +00000050 2b 6c 5e 03 63 ce 19 ae 92 b8 c1 46 20 |+l^.c......F | +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 28 31 c5 7a e8 49 |..........(1.z.I| +00000010 52 3d 85 b0 c4 7d 82 fa 08 a3 84 a9 58 8a 05 8c |R=...}......X...| +00000020 9a 7c 6c 4e 29 fd 46 53 06 27 09 d2 38 f5 7c 5c |.|lN).FS.'..8.|\| +00000030 fb ba 6b |..k| +>>> Flow 5 (client to server) +00000000 17 03 03 00 1e 00 00 00 00 00 00 00 01 df 67 c1 |..............g.| +00000010 b4 dd 34 b2 32 ea b4 00 1b b9 67 60 03 91 bf 17 |..4.2.....g`....| +00000020 0d dd dc 15 03 03 00 1a 00 00 00 00 00 00 00 02 |................| +00000030 7c a9 51 36 43 33 ab e4 35 15 cf 6f ef c5 ed c7 ||.Q6C3..5..o....| +00000040 2f 4d |/M| diff --git a/pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-AES128-SHA256 b/pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-AES128-SHA256 new file mode 100644 index 000000000..1e871a468 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-AES128-SHA256 @@ -0,0 +1,98 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 32 b8 00 e5 21 |....]...Y..2...!| +00000010 98 b0 8b 40 56 f2 af 06 fa 7d 1c 23 6a 01 c6 95 |...@V....}.#j...| +00000020 41 9d 08 ac 5d de 0e 7e 39 57 07 20 b5 df a0 9a |A...]..~9W. ....| +00000030 13 3f b4 ae 1f 54 eb 47 6a 5a d5 f1 07 22 8f 29 |.?...T.GjZ...".)| +00000040 00 e8 9e e9 f6 76 80 ab 7d a8 23 4a c0 23 00 00 |.....v..}.#J.#..| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 0e 0b 00 02 0a 00 02 07 00 02 |................| +00000070 04 30 82 02 00 30 82 01 62 02 09 00 b8 bf 2d 47 |.0...0..b.....-G| +00000080 a0 d2 eb f4 30 09 06 07 2a 86 48 ce 3d 04 01 30 |....0...*.H.=..0| +00000090 45 31 0b 30 09 06 03 55 04 06 13 02 41 55 31 13 |E1.0...U....AU1.| +000000a0 30 11 06 03 55 04 08 13 0a 53 6f 6d 65 2d 53 74 |0...U....Some-St| +000000b0 61 74 65 31 21 30 1f 06 03 55 04 0a 13 18 49 6e |ate1!0...U....In| +000000c0 74 65 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 |ternet Widgits P| +000000d0 74 79 20 4c 74 64 30 1e 17 0d 31 32 31 31 32 32 |ty Ltd0...121122| +000000e0 31 35 30 36 33 32 5a 17 0d 32 32 31 31 32 30 31 |150632Z..2211201| +000000f0 35 30 36 33 32 5a 30 45 31 0b 30 09 06 03 55 04 |50632Z0E1.0...U.| +00000100 06 13 02 41 55 31 13 30 11 06 03 55 04 08 13 0a |...AU1.0...U....| +00000110 53 6f 6d 65 2d 53 74 61 74 65 31 21 30 1f 06 03 |Some-State1!0...| +00000120 55 04 0a 13 18 49 6e 74 65 72 6e 65 74 20 57 69 |U....Internet Wi| +00000130 64 67 69 74 73 20 50 74 79 20 4c 74 64 30 81 9b |dgits Pty Ltd0..| +00000140 30 10 06 07 2a 86 48 ce 3d 02 01 06 05 2b 81 04 |0...*.H.=....+..| +00000150 00 23 03 81 86 00 04 00 c4 a1 ed be 98 f9 0b 48 |.#.............H| +00000160 73 36 7e c3 16 56 11 22 f2 3d 53 c3 3b 4d 21 3d |s6~..V.".=S.;M!=| +00000170 cd 6b 75 e6 f6 b0 dc 9a df 26 c1 bc b2 87 f0 72 |.ku......&.....r| +00000180 32 7c b3 64 2f 1c 90 bc ea 68 23 10 7e fe e3 25 |2|.d/....h#.~..%| +00000190 c0 48 3a 69 e0 28 6d d3 37 00 ef 04 62 dd 0d a0 |.H:i.(m.7...b...| +000001a0 9c 70 62 83 d8 81 d3 64 31 aa 9e 97 31 bd 96 b0 |.pb....d1...1...| +000001b0 68 c0 9b 23 de 76 64 3f 1a 5c 7f e9 12 0e 58 58 |h..#.vd?.\....XX| +000001c0 b6 5f 70 dd 9b d8 ea d5 d7 f5 d5 cc b9 b6 9f 30 |._p............0| +000001d0 66 5b 66 9a 20 e2 27 e5 bf fe 3b 30 09 06 07 2a |f[f. .'...;0...*| +000001e0 86 48 ce 3d 04 01 03 81 8c 00 30 81 88 02 42 01 |.H.=......0...B.| +000001f0 88 a2 4f eb e2 45 c5 48 7d 1b ac f5 ed 98 9d ae |..O..E.H}.......| +00000200 47 70 c0 5e 1b b6 2f bd f1 b6 4d b7 61 40 d3 11 |Gp.^../...M.a@..| +00000210 a2 ce ee 0b 7e 92 7e ff 76 9d c3 3b 7e a5 3f ce |....~.~.v..;~.?.| +00000220 fa 10 e2 59 ec 47 2d 7c ac da 4e 97 0e 15 a0 6f |...Y.G-|..N....o| +00000230 d0 02 42 01 4d fc be 67 13 9c 2d 05 0e bd 3f a3 |..B.M..g..-...?.| +00000240 8c 25 c1 33 13 83 0d 94 06 bb d4 37 7a f6 ec 7a |.%.3.......7z..z| +00000250 c9 86 2e dd d7 11 69 7f 85 7c 56 de fb 31 78 2b |......i..|V..1x+| +00000260 e4 c7 78 0d ae cb be 9e 4e 36 24 31 7b 6a 0f 39 |..x.....N6$1{j.9| +00000270 95 12 07 8f 2a 16 03 03 00 b6 0c 00 00 b2 03 00 |....*...........| +00000280 1d 20 f1 d6 ed a5 69 28 d2 bd 97 e3 00 e0 81 74 |. ....i(.......t| +00000290 8d 36 6e 77 73 40 10 a1 73 b3 4d 8e 04 41 b1 0e |.6nws@..s.M..A..| +000002a0 08 28 04 03 00 8a 30 81 87 02 42 01 4b b4 14 32 |.(....0...B.K..2| +000002b0 13 88 f1 8d 3a 66 e2 a2 d6 d4 de 26 50 7d 74 22 |....:f.....&P}t"| +000002c0 f9 56 83 00 0a b7 34 b3 96 99 0e c4 1d 8d 86 df |.V....4.........| +000002d0 22 2b 1c d7 75 f5 c9 45 2a c7 8a 74 40 ae 04 ac |"+..u..E*..t@...| +000002e0 b3 b4 5e c1 c5 e6 9c c3 01 ad 10 37 2b 02 41 4f |..^........7+.AO| +000002f0 74 33 31 aa c0 f8 8e ac cf 5a 90 a5 b8 d1 52 76 |t31......Z....Rv| +00000300 c3 a3 4f 0d 7d d7 8a 50 d3 bb 49 ce 22 ec d0 d3 |..O.}..P..I."...| +00000310 b5 e3 5c c2 a9 54 2e 6f 9c d1 24 3d 70 7f 2b a3 |..\..T.o..$=p.+.| +00000320 fe 24 fc 48 14 d3 8a f0 70 f3 1f af fe ae e3 fe |.$.H....p.......| +00000330 16 03 03 00 04 0e 00 00 00 |.........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 03 00 01 01 |....._X.;t......| +00000030 16 03 03 00 50 00 00 00 00 00 00 00 00 00 00 00 |....P...........| +00000040 00 00 00 00 00 ea c6 10 80 cf 85 ad 7c 5f 6b 98 |............|_k.| +00000050 7b 5a d6 47 84 dc 95 c9 ed 6e e6 c3 56 d5 91 93 |{Z.G.....n..V...| +00000060 0e 3f b5 6c 2f 73 d9 72 9b f7 64 47 29 9e 75 4f |.?.l/s.r..dG).uO| +00000070 97 2e 6d 94 52 f7 8f c9 24 5b d0 fe 05 aa e6 93 |..m.R...$[......| +00000080 79 ea 37 0f 9e |y.7..| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 50 ed 02 93 7e 89 |..........P...~.| +00000010 d5 d7 e9 0b 21 71 a9 cd b6 ac 65 6f 83 b2 0f 35 |....!q....eo...5| +00000020 d6 1c bb df c5 c2 d6 6c b6 32 37 14 a0 0c fd ae |.......l.27.....| +00000030 18 75 9e 82 df 00 ec 6c 99 e2 31 a3 35 e0 82 6d |.u.....l..1.5..m| +00000040 57 5b 60 82 ec 69 8a 79 30 96 4f 96 bb 99 66 75 |W[`..i.y0.O...fu| +00000050 5d 41 f9 04 fc f2 c6 bb 92 1c cb |]A.........| +>>> Flow 5 (client to server) +00000000 17 03 03 00 40 00 00 00 00 00 00 00 00 00 00 00 |....@...........| +00000010 00 00 00 00 00 23 62 3f ed a2 99 3b ac 03 f5 8c |.....#b?...;....| +00000020 3c 9f 71 25 b5 5c ec 2c 79 d5 70 ae 23 cf 2f 65 |<.q%.\.,y.p.#./e| +00000030 3d 28 5f dd fb d6 6a 12 b5 5f eb 9f 2a 8e 79 80 |=(_...j.._..*.y.| +00000040 eb 77 6e 7e b0 15 03 03 00 40 00 00 00 00 00 00 |.wn~.....@......| +00000050 00 00 00 00 00 00 00 00 00 00 13 e1 0c 7b 01 90 |.............{..| +00000060 e8 0d 2d 41 b5 c3 67 0a 37 c4 28 fa b6 88 cc 99 |..-A..g.7.(.....| +00000070 f7 0a d9 25 09 24 88 f7 38 78 c4 1c 37 b4 3c a8 |...%.$..8x..7.<.| +00000080 3d 2d ac a7 0d 45 62 9c 61 53 |=-...Eb.aS| diff --git a/pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-AES256-GCM-SHA384 b/pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-AES256-GCM-SHA384 new file mode 100644 index 000000000..6477993b2 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-AES256-GCM-SHA384 @@ -0,0 +1,89 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 99 43 3d 42 93 |....]...Y...C=B.| +00000010 5a 7a 04 30 74 51 61 36 15 df ef a7 26 ef b8 76 |Zz.0tQa6....&..v| +00000020 87 35 7a 88 75 83 9e 0d 2c d4 3d 20 1f 29 99 ea |.5z.u...,.= .)..| +00000030 71 f7 c3 c4 68 3e 7f 58 7a 07 c7 2d a3 38 47 8d |q...h>.Xz..-.8G.| +00000040 c9 ed 05 b4 8e e7 b6 85 5d a1 62 6b c0 2c 00 00 |........].bk.,..| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 0e 0b 00 02 0a 00 02 07 00 02 |................| +00000070 04 30 82 02 00 30 82 01 62 02 09 00 b8 bf 2d 47 |.0...0..b.....-G| +00000080 a0 d2 eb f4 30 09 06 07 2a 86 48 ce 3d 04 01 30 |....0...*.H.=..0| +00000090 45 31 0b 30 09 06 03 55 04 06 13 02 41 55 31 13 |E1.0...U....AU1.| +000000a0 30 11 06 03 55 04 08 13 0a 53 6f 6d 65 2d 53 74 |0...U....Some-St| +000000b0 61 74 65 31 21 30 1f 06 03 55 04 0a 13 18 49 6e |ate1!0...U....In| +000000c0 74 65 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 |ternet Widgits P| +000000d0 74 79 20 4c 74 64 30 1e 17 0d 31 32 31 31 32 32 |ty Ltd0...121122| +000000e0 31 35 30 36 33 32 5a 17 0d 32 32 31 31 32 30 31 |150632Z..2211201| +000000f0 35 30 36 33 32 5a 30 45 31 0b 30 09 06 03 55 04 |50632Z0E1.0...U.| +00000100 06 13 02 41 55 31 13 30 11 06 03 55 04 08 13 0a |...AU1.0...U....| +00000110 53 6f 6d 65 2d 53 74 61 74 65 31 21 30 1f 06 03 |Some-State1!0...| +00000120 55 04 0a 13 18 49 6e 74 65 72 6e 65 74 20 57 69 |U....Internet Wi| +00000130 64 67 69 74 73 20 50 74 79 20 4c 74 64 30 81 9b |dgits Pty Ltd0..| +00000140 30 10 06 07 2a 86 48 ce 3d 02 01 06 05 2b 81 04 |0...*.H.=....+..| +00000150 00 23 03 81 86 00 04 00 c4 a1 ed be 98 f9 0b 48 |.#.............H| +00000160 73 36 7e c3 16 56 11 22 f2 3d 53 c3 3b 4d 21 3d |s6~..V.".=S.;M!=| +00000170 cd 6b 75 e6 f6 b0 dc 9a df 26 c1 bc b2 87 f0 72 |.ku......&.....r| +00000180 32 7c b3 64 2f 1c 90 bc ea 68 23 10 7e fe e3 25 |2|.d/....h#.~..%| +00000190 c0 48 3a 69 e0 28 6d d3 37 00 ef 04 62 dd 0d a0 |.H:i.(m.7...b...| +000001a0 9c 70 62 83 d8 81 d3 64 31 aa 9e 97 31 bd 96 b0 |.pb....d1...1...| +000001b0 68 c0 9b 23 de 76 64 3f 1a 5c 7f e9 12 0e 58 58 |h..#.vd?.\....XX| +000001c0 b6 5f 70 dd 9b d8 ea d5 d7 f5 d5 cc b9 b6 9f 30 |._p............0| +000001d0 66 5b 66 9a 20 e2 27 e5 bf fe 3b 30 09 06 07 2a |f[f. .'...;0...*| +000001e0 86 48 ce 3d 04 01 03 81 8c 00 30 81 88 02 42 01 |.H.=......0...B.| +000001f0 88 a2 4f eb e2 45 c5 48 7d 1b ac f5 ed 98 9d ae |..O..E.H}.......| +00000200 47 70 c0 5e 1b b6 2f bd f1 b6 4d b7 61 40 d3 11 |Gp.^../...M.a@..| +00000210 a2 ce ee 0b 7e 92 7e ff 76 9d c3 3b 7e a5 3f ce |....~.~.v..;~.?.| +00000220 fa 10 e2 59 ec 47 2d 7c ac da 4e 97 0e 15 a0 6f |...Y.G-|..N....o| +00000230 d0 02 42 01 4d fc be 67 13 9c 2d 05 0e bd 3f a3 |..B.M..g..-...?.| +00000240 8c 25 c1 33 13 83 0d 94 06 bb d4 37 7a f6 ec 7a |.%.3.......7z..z| +00000250 c9 86 2e dd d7 11 69 7f 85 7c 56 de fb 31 78 2b |......i..|V..1x+| +00000260 e4 c7 78 0d ae cb be 9e 4e 36 24 31 7b 6a 0f 39 |..x.....N6$1{j.9| +00000270 95 12 07 8f 2a 16 03 03 00 b5 0c 00 00 b1 03 00 |....*...........| +00000280 1d 20 fb 11 a5 85 16 55 f9 09 56 4a 4c f7 c8 a1 |. .....U..VJL...| +00000290 fd 57 e3 4d 1e b5 78 df 7a b1 02 0c 42 60 80 f9 |.W.M..x.z...B`..| +000002a0 4b 6e 04 03 00 89 30 81 86 02 41 4d 4a 3c 11 e1 |Kn....0...AMJ<..| +000002b0 72 33 71 38 77 52 4d d8 78 ee 23 f9 f3 00 20 76 |r3q8wRM.x.#... v| +000002c0 04 19 b2 4c 28 34 9d 22 b7 3e 1d 35 8f 93 ab 66 |...L(4.".>.5...f| +000002d0 09 c4 7a 8e 8c 5a fc ae 1d c7 ba 2e 36 ea e7 0b |..z..Z......6...| +000002e0 43 ae 03 e3 ec 6b f7 81 2e 22 e5 f0 02 41 39 95 |C....k..."...A9.| +000002f0 22 5f b0 1a 5c 13 a0 c5 08 47 a7 51 9c fa 15 32 |"_..\....G.Q...2| +00000300 95 84 95 8f 2f ed 38 19 bb b5 2b ac 39 90 a1 4c |..../.8...+.9..L| +00000310 b5 20 49 cd 87 17 9d ef b4 c3 22 05 56 23 7d bc |. I.......".V#}.| +00000320 6a d6 ae d9 e5 50 65 6c 8b df 4b 2e 6d e9 e3 16 |j....Pel..K.m...| +00000330 03 03 00 04 0e 00 00 00 |........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 03 00 01 01 |....._X.;t......| +00000030 16 03 03 00 28 00 00 00 00 00 00 00 00 ef cc 31 |....(..........1| +00000040 f9 de 58 68 c9 6a c7 c4 3e 60 1f 4e f9 bf 27 87 |..Xh.j..>`.N..'.| +00000050 b0 17 ed 83 17 a0 45 b7 a9 d8 95 b6 51 |......E.....Q| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 28 61 eb 42 a7 10 |..........(a.B..| +00000010 6f 1a ef 4d e5 4d df 75 cb 8e 59 f8 06 e0 f9 ee |o..M.M.u..Y.....| +00000020 d1 a9 11 7b 89 97 62 b9 76 d1 8e eb ee 30 dd 0f |...{..b.v....0..| +00000030 60 b1 e1 |`..| +>>> Flow 5 (client to server) +00000000 17 03 03 00 1e 00 00 00 00 00 00 00 01 fb 32 66 |..............2f| +00000010 d6 d5 e1 52 31 8d 63 4f 5c a0 ac b5 f3 64 dc 40 |...R1.cO\....d.@| +00000020 f5 93 5a 15 03 03 00 1a 00 00 00 00 00 00 00 02 |..Z.............| +00000030 6b 66 c3 db e8 33 66 14 9b 4b 1c 59 bf 9e 6c 7e |kf...3f..K.Y..l~| +00000040 2d 1e |-.| diff --git a/pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-CHACHA20-POLY1305 b/pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-CHACHA20-POLY1305 new file mode 100644 index 000000000..e1b45cb7b --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-ECDHE-ECDSA-CHACHA20-POLY1305 @@ -0,0 +1,84 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 d4 01 00 00 d0 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 08 cc a9 |................| +00000050 13 03 13 01 13 02 01 00 00 7f 00 05 00 05 01 00 |................| +00000060 00 00 00 00 0a 00 0a 00 08 00 1d 00 17 00 18 00 |................| +00000070 19 00 0b 00 02 01 00 00 0d 00 1a 00 18 08 04 04 |................| +00000080 03 08 07 08 05 08 06 04 01 05 01 06 01 05 03 06 |................| +00000090 03 02 01 02 03 ff 01 00 01 00 00 17 00 00 00 12 |................| +000000a0 00 00 00 2b 00 09 08 03 04 03 03 03 02 03 01 00 |...+............| +000000b0 33 00 26 00 24 00 1d 00 20 2f e5 7d a3 47 cd 62 |3.&.$... /.}.G.b| +000000c0 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 cf |C.(.._.).0......| +000000d0 c2 ed 90 99 5f 58 cb 3b 74 |...._X.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 f0 39 6d 08 4c |....]...Y...9m.L| +00000010 1e c8 06 4d 9e 1e 2a 27 d9 17 6f 39 19 38 ba 49 |...M..*'..o9.8.I| +00000020 a5 fa b2 6d a2 70 e8 9d b2 03 92 20 09 ef 68 cb |...m.p..... ..h.| +00000030 58 2a fd 4b 60 9a 1e af f4 02 c0 cb 10 b2 dd 73 |X*.K`..........s| +00000040 0c e0 6a da 3f cd 3a a3 a3 55 58 00 cc a9 00 00 |..j.?.:..UX.....| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 0e 0b 00 02 0a 00 02 07 00 02 |................| +00000070 04 30 82 02 00 30 82 01 62 02 09 00 b8 bf 2d 47 |.0...0..b.....-G| +00000080 a0 d2 eb f4 30 09 06 07 2a 86 48 ce 3d 04 01 30 |....0...*.H.=..0| +00000090 45 31 0b 30 09 06 03 55 04 06 13 02 41 55 31 13 |E1.0...U....AU1.| +000000a0 30 11 06 03 55 04 08 13 0a 53 6f 6d 65 2d 53 74 |0...U....Some-St| +000000b0 61 74 65 31 21 30 1f 06 03 55 04 0a 13 18 49 6e |ate1!0...U....In| +000000c0 74 65 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 |ternet Widgits P| +000000d0 74 79 20 4c 74 64 30 1e 17 0d 31 32 31 31 32 32 |ty Ltd0...121122| +000000e0 31 35 30 36 33 32 5a 17 0d 32 32 31 31 32 30 31 |150632Z..2211201| +000000f0 35 30 36 33 32 5a 30 45 31 0b 30 09 06 03 55 04 |50632Z0E1.0...U.| +00000100 06 13 02 41 55 31 13 30 11 06 03 55 04 08 13 0a |...AU1.0...U....| +00000110 53 6f 6d 65 2d 53 74 61 74 65 31 21 30 1f 06 03 |Some-State1!0...| +00000120 55 04 0a 13 18 49 6e 74 65 72 6e 65 74 20 57 69 |U....Internet Wi| +00000130 64 67 69 74 73 20 50 74 79 20 4c 74 64 30 81 9b |dgits Pty Ltd0..| +00000140 30 10 06 07 2a 86 48 ce 3d 02 01 06 05 2b 81 04 |0...*.H.=....+..| +00000150 00 23 03 81 86 00 04 00 c4 a1 ed be 98 f9 0b 48 |.#.............H| +00000160 73 36 7e c3 16 56 11 22 f2 3d 53 c3 3b 4d 21 3d |s6~..V.".=S.;M!=| +00000170 cd 6b 75 e6 f6 b0 dc 9a df 26 c1 bc b2 87 f0 72 |.ku......&.....r| +00000180 32 7c b3 64 2f 1c 90 bc ea 68 23 10 7e fe e3 25 |2|.d/....h#.~..%| +00000190 c0 48 3a 69 e0 28 6d d3 37 00 ef 04 62 dd 0d a0 |.H:i.(m.7...b...| +000001a0 9c 70 62 83 d8 81 d3 64 31 aa 9e 97 31 bd 96 b0 |.pb....d1...1...| +000001b0 68 c0 9b 23 de 76 64 3f 1a 5c 7f e9 12 0e 58 58 |h..#.vd?.\....XX| +000001c0 b6 5f 70 dd 9b d8 ea d5 d7 f5 d5 cc b9 b6 9f 30 |._p............0| +000001d0 66 5b 66 9a 20 e2 27 e5 bf fe 3b 30 09 06 07 2a |f[f. .'...;0...*| +000001e0 86 48 ce 3d 04 01 03 81 8c 00 30 81 88 02 42 01 |.H.=......0...B.| +000001f0 88 a2 4f eb e2 45 c5 48 7d 1b ac f5 ed 98 9d ae |..O..E.H}.......| +00000200 47 70 c0 5e 1b b6 2f bd f1 b6 4d b7 61 40 d3 11 |Gp.^../...M.a@..| +00000210 a2 ce ee 0b 7e 92 7e ff 76 9d c3 3b 7e a5 3f ce |....~.~.v..;~.?.| +00000220 fa 10 e2 59 ec 47 2d 7c ac da 4e 97 0e 15 a0 6f |...Y.G-|..N....o| +00000230 d0 02 42 01 4d fc be 67 13 9c 2d 05 0e bd 3f a3 |..B.M..g..-...?.| +00000240 8c 25 c1 33 13 83 0d 94 06 bb d4 37 7a f6 ec 7a |.%.3.......7z..z| +00000250 c9 86 2e dd d7 11 69 7f 85 7c 56 de fb 31 78 2b |......i..|V..1x+| +00000260 e4 c7 78 0d ae cb be 9e 4e 36 24 31 7b 6a 0f 39 |..x.....N6$1{j.9| +00000270 95 12 07 8f 2a 16 03 03 00 b7 0c 00 00 b3 03 00 |....*...........| +00000280 1d 20 f0 e0 d6 3e 40 a0 97 de 26 8a 52 25 2c a7 |. ...>@...&.R%,.| +00000290 78 c5 ed 73 5c 59 ca 02 a8 9e 0d 69 bd cc bb 4b |x..s\Y.....i...K| +000002a0 11 3d 04 03 00 8b 30 81 88 02 42 00 ed 4d bc dc |.=....0...B..M..| +000002b0 d7 5e 95 b4 13 b3 fb 40 38 1a 53 09 71 a4 14 2a |.^.....@8.S.q..*| +000002c0 45 6f e3 fe db 0a c8 32 05 e6 98 17 bb f8 e9 72 |Eo.....2.......r| +000002d0 db 5d e8 f5 b2 ad df 1b 62 dd b2 98 f8 6b 38 13 |.]......b....k8.| +000002e0 a9 2f 13 1b ea db 58 24 4b e2 3a b9 5a 02 42 00 |./....X$K.:.Z.B.| +000002f0 ea cd 03 cb b9 67 5c f3 99 35 cc 57 2a 58 12 45 |.....g\..5.W*X.E| +00000300 c9 f1 e4 27 1a 42 2c ce 9c ba 10 f8 6f 15 41 67 |...'.B,.....o.Ag| +00000310 07 33 38 94 dd 34 57 90 41 cf 16 04 b7 fc af ae |.38..4W.A.......| +00000320 6b ac 16 87 75 6d 60 52 e7 b9 1e 85 a3 45 92 a4 |k...um`R.....E..| +00000330 cf 16 03 03 00 04 0e 00 00 00 |..........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 03 00 01 01 |....._X.;t......| +00000030 16 03 03 00 20 24 01 e0 f7 26 b8 69 62 f7 98 45 |.... $...&.ib..E| +00000040 6f 6d fc eb 37 c9 69 f1 21 eb 13 70 57 a9 5b de |om..7.i.!..pW.[.| +00000050 37 30 64 cc c1 |70d..| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 20 8d fd f9 fd 18 |.......... .....| +00000010 08 fa c1 5b 1c d1 03 bc ba 36 6b 69 30 72 9c 92 |...[.....6ki0r..| +00000020 f9 56 0c 5e ed 7b 91 e8 42 6c 26 |.V.^.{..Bl&| +>>> Flow 5 (client to server) +00000000 17 03 03 00 16 94 1f 97 8b 5b 66 15 63 a5 1e 78 |.........[f.c..x| +00000010 c2 e3 4e 96 ae 08 16 d6 33 b8 60 15 03 03 00 12 |..N.....3.`.....| +00000020 f9 71 c8 e5 93 b4 0d 17 97 0f 6d cb 58 0f 59 64 |.q........m.X.Yd| +00000030 12 0f |..| diff --git a/pkg/tls/testdata/Client-TLSv12-ECDHE-RSA-AES b/pkg/tls/testdata/Client-TLSv12-ECDHE-RSA-AES new file mode 100644 index 000000000..d5665daa2 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-ECDHE-RSA-AES @@ -0,0 +1,98 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 1e 8b e8 b6 ab |....]...Y.......| +00000010 28 56 58 92 6d 03 e6 46 aa 94 dc 6d a0 7b 6f db |(VX.m..F...m.{o.| +00000020 09 22 9f 48 14 de 37 bf 54 68 42 20 f8 0f 31 09 |.".H..7.ThB ..1.| +00000030 56 de 8f ad db d7 ab 38 66 8b cf 86 1c 84 0d 9c |V......8f.......| +00000040 ad 24 c8 35 a8 28 8d 06 10 23 5e 34 c0 13 00 00 |.$.5.(...#^4....| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 03 00 ac 0c 00 00 a8 03 00 1d 20 e6 56 06 |............ .V.| +000002d0 58 6f 5d 7a 59 32 f5 3e 7b 07 17 de 27 62 9e e8 |Xo]zY2.>{...'b..| +000002e0 d0 42 f1 97 56 66 d0 d5 c1 06 b9 48 2f 08 04 00 |.B..Vf.....H/...| +000002f0 80 1d 63 88 8e ed 58 f2 0e d3 b3 17 46 f3 9c 49 |..c...X.....F..I| +00000300 bb 22 22 eb e2 77 13 6c a5 aa 77 fe ad 16 06 23 |.""..w.l..w....#| +00000310 c3 2a ec b9 76 43 4a 7f 41 72 5f 53 ae de 70 3a |.*..vCJ.Ar_S..p:| +00000320 f2 e9 60 92 30 2e f3 df a1 3d 4a c1 1f 26 fa 42 |..`.0....=J..&.B| +00000330 c8 31 cb 97 c0 5c 6b 8e d9 18 28 be 99 7c d1 75 |.1...\k...(..|.u| +00000340 05 ad 22 91 4f 55 ae 50 2c fa 37 ee 28 e9 64 1c |..".OU.P,.7.(.d.| +00000350 2b 2a c5 95 f5 90 ae ae d4 a3 50 f3 fe 26 71 4f |+*........P..&qO| +00000360 55 db 32 03 1f 5c 3f 91 20 85 d5 e1 73 45 43 59 |U.2..\?. ...sECY| +00000370 e5 16 03 03 00 04 0e 00 00 00 |..........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 03 00 01 01 |....._X.;t......| +00000030 16 03 03 00 40 00 00 00 00 00 00 00 00 00 00 00 |....@...........| +00000040 00 00 00 00 00 f9 b1 38 55 39 80 ba c1 07 e1 40 |.......8U9.....@| +00000050 b9 ac 39 da bc 66 ad c3 6d dc 1b f0 bd 2a 92 ce |..9..f..m....*..| +00000060 4b b5 97 33 5b 3b 21 6d 91 f4 dd 09 07 73 5d a2 |K..3[;!m.....s].| +00000070 b4 a3 a0 6d 43 |...mC| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 40 82 12 f1 e0 35 |..........@....5| +00000010 74 0c e5 68 7c 6b b6 fb e9 36 b3 5e 95 13 6b 04 |t..h|k...6.^..k.| +00000020 00 59 18 f0 51 50 93 2e e9 1b c6 e9 11 62 7c 01 |.Y..QP.......b|.| +00000030 43 e8 68 7b 87 a9 d5 17 3f 73 de f2 06 12 9f c7 |C.h{....?s......| +00000040 a4 81 45 52 dd 9f 6f fa ab 82 86 |..ER..o....| +>>> Flow 5 (client to server) +00000000 17 03 03 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........| +00000010 00 00 00 00 00 21 96 5b 74 b3 c1 96 e9 4f 6d 97 |.....!.[t....Om.| +00000020 70 1c 5d c2 60 32 a1 98 12 2b 0d 4c 11 03 fe 17 |p.].`2...+.L....| +00000030 28 92 06 2f 84 15 03 03 00 30 00 00 00 00 00 00 |(../.....0......| +00000040 00 00 00 00 00 00 00 00 00 00 78 bf 75 9e 08 8d |..........x.u...| +00000050 57 5a 22 17 e9 d3 bd 3c e4 ac e6 58 7a e8 5e 45 |WZ"....<...Xz.^E| +00000060 63 10 b6 b8 df 78 c5 10 48 c0 |c....x..H.| diff --git a/pkg/tls/testdata/Client-TLSv12-ECDHE-RSA-AES128-SHA256 b/pkg/tls/testdata/Client-TLSv12-ECDHE-RSA-AES128-SHA256 new file mode 100644 index 000000000..03679a4fc --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-ECDHE-RSA-AES128-SHA256 @@ -0,0 +1,102 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 3d 4c 61 a3 1e |....]...Y..=La..| +00000010 dd 9a c3 52 42 9d ee 2b 7b f6 24 a4 38 d7 93 e9 |...RB..+{.$.8...| +00000020 f5 f4 09 a2 0f 2b 45 ae 7d fd 97 20 3b b6 27 a6 |.....+E.}.. ;.'.| +00000030 88 dd af 75 8d 27 1c c6 ef 8f 4b 33 c6 30 be 08 |...u.'....K3.0..| +00000040 7d bd 8d cd 2e d8 37 0b 67 e3 39 30 c0 27 00 00 |}.....7.g.90.'..| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 03 00 ac 0c 00 00 a8 03 00 1d 20 a4 26 51 |............ .&Q| +000002d0 47 58 cf 92 87 27 f0 c1 c0 39 55 dd 20 16 39 de |GX...'...9U. .9.| +000002e0 ed 79 66 3a 97 54 75 35 27 20 7b 99 76 08 04 00 |.yf:.Tu5' {.v...| +000002f0 80 34 32 55 55 c1 56 69 b8 4a f7 a6 d1 9d ae f6 |.42UU.Vi.J......| +00000300 0d de 13 e2 bd b8 9a 5c 42 f2 b5 42 d9 25 69 fe |.......\B..B.%i.| +00000310 ef b3 c3 0f 1b b7 a0 61 1d 1d 59 31 1c 4c 61 17 |.......a..Y1.La.| +00000320 6e 2d bc b4 08 76 ee d2 46 d4 81 c1 cc e9 96 22 |n-...v..F......"| +00000330 10 07 a5 c0 c6 26 42 c6 37 42 56 e5 47 f2 44 d1 |.....&B.7BV.G.D.| +00000340 57 1d c8 8d c1 2c 28 be e9 7a 82 2e f1 8e 1a bf |W....,(..z......| +00000350 4a f0 f2 22 de 78 00 c2 d3 f4 99 ba e9 d3 7e fc |J..".x........~.| +00000360 83 bf ef 7c 64 c6 c4 dd fb 30 e2 f9 43 43 91 60 |...|d....0..CC.`| +00000370 83 16 03 03 00 04 0e 00 00 00 |..........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 03 00 01 01 |....._X.;t......| +00000030 16 03 03 00 50 00 00 00 00 00 00 00 00 00 00 00 |....P...........| +00000040 00 00 00 00 00 06 06 f1 9b b7 1f f1 0d 24 fe 76 |.............$.v| +00000050 8a 72 84 58 8c 56 bd c3 73 4e c8 99 3c 5b 21 79 |.r.X.V..sN..<[!y| +00000060 17 23 21 bd 72 0d fb f7 22 36 99 78 1f 88 d1 87 |.#!.r..."6.x....| +00000070 73 c3 62 aa a5 22 a6 63 68 41 bb 61 34 50 b9 e7 |s.b..".chA.a4P..| +00000080 ce 6d 0b 18 f0 |.m...| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 50 f4 00 f2 81 78 |..........P....x| +00000010 0f 4b d9 3a 2d 62 34 77 74 6e b6 d5 e8 62 55 88 |.K.:-b4wtn...bU.| +00000020 7e 60 e4 e7 b7 35 9d dc 50 02 d2 10 ae 36 7a 5d |~`...5..P....6z]| +00000030 36 c5 89 2c 4e db 9c 83 9e d0 ec de 6e 63 1c 94 |6..,N.......nc..| +00000040 4c ed 12 ca ef 62 a1 26 a7 f9 fd 52 ad b9 1a 2b |L....b.&...R...+| +00000050 cc bc 01 bb cc 86 b5 1b 74 60 80 |........t`.| +>>> Flow 5 (client to server) +00000000 17 03 03 00 40 00 00 00 00 00 00 00 00 00 00 00 |....@...........| +00000010 00 00 00 00 00 67 6b 64 7b 02 ce ad 5c df 4d 26 |.....gkd{...\.M&| +00000020 f9 ef d5 94 ec 34 28 de 52 1a d9 1b e3 af 89 11 |.....4(.R.......| +00000030 7b aa f6 46 8a 27 e7 15 c0 81 89 78 20 09 ca 37 |{..F.'.....x ..7| +00000040 dc a3 c2 5c 4f 15 03 03 00 40 00 00 00 00 00 00 |...\O....@......| +00000050 00 00 00 00 00 00 00 00 00 00 61 45 e8 a0 f8 70 |..........aE...p| +00000060 7b a3 75 09 42 b2 41 54 79 b3 75 48 47 f1 36 1b |{.u.B.ATy.uHG.6.| +00000070 4c cd 29 57 fe 9f 41 a7 7f 5c a9 12 7a ec c6 1d |L.)W..A..\..z...| +00000080 9c fb ff 1e e5 58 04 ae 16 50 |.....X...P| diff --git a/pkg/tls/testdata/Client-TLSv12-ECDHE-RSA-CHACHA20-POLY1305 b/pkg/tls/testdata/Client-TLSv12-ECDHE-RSA-CHACHA20-POLY1305 new file mode 100644 index 000000000..3c5779c4e --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-ECDHE-RSA-CHACHA20-POLY1305 @@ -0,0 +1,88 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 d4 01 00 00 d0 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 08 cc a8 |................| +00000050 13 03 13 01 13 02 01 00 00 7f 00 05 00 05 01 00 |................| +00000060 00 00 00 00 0a 00 0a 00 08 00 1d 00 17 00 18 00 |................| +00000070 19 00 0b 00 02 01 00 00 0d 00 1a 00 18 08 04 04 |................| +00000080 03 08 07 08 05 08 06 04 01 05 01 06 01 05 03 06 |................| +00000090 03 02 01 02 03 ff 01 00 01 00 00 17 00 00 00 12 |................| +000000a0 00 00 00 2b 00 09 08 03 04 03 03 03 02 03 01 00 |...+............| +000000b0 33 00 26 00 24 00 1d 00 20 2f e5 7d a3 47 cd 62 |3.&.$... /.}.G.b| +000000c0 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 cf |C.(.._.).0......| +000000d0 c2 ed 90 99 5f 58 cb 3b 74 |...._X.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 fa 07 a1 2e 81 |....]...Y.......| +00000010 44 c8 72 44 5b 86 21 61 2f 3e 37 92 0f d5 7f d3 |D.rD[.!a/>7.....| +00000020 0b 11 9a 5f d9 40 db 25 e4 2d da 20 11 0f ba 98 |..._.@.%.-. ....| +00000030 8b fd 6f 93 c7 05 08 69 d6 c5 bc ef 3e 2b b8 98 |..o....i....>+..| +00000040 10 f6 bc 57 72 81 a9 c0 96 1e a4 d2 cc a8 00 00 |...Wr...........| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 03 00 ac 0c 00 00 a8 03 00 1d 20 c7 4c 84 |............ .L.| +000002d0 aa 9d be 0a bb 72 d2 bc 76 73 59 9b 07 e1 6f 94 |.....r..vsY...o.| +000002e0 25 e7 13 7a 4c a5 8d f9 ab 9d 30 d0 4c 08 04 00 |%..zL.....0.L...| +000002f0 80 88 4d ea e2 83 d7 b6 50 fb 22 e0 a9 32 87 8e |..M.....P."..2..| +00000300 cf e3 3d 94 bc 07 99 c3 b7 53 9d f6 0c 80 77 f7 |..=......S....w.| +00000310 96 50 39 eb 85 33 9e 17 72 14 f7 3f e6 c2 9b 94 |.P9..3..r..?....| +00000320 bb bc 26 b9 c6 68 1f 2a 19 d6 40 f5 8b 85 a4 8d |..&..h.*..@.....| +00000330 c8 29 96 bf d1 e1 15 f7 f8 75 66 42 00 45 d3 ff |.).......ufB.E..| +00000340 4d ef f7 ad 7b b5 00 3e 9f 08 b8 ce 87 df d9 fa |M...{..>........| +00000350 79 b9 d1 a4 a3 a7 ad 0b 2b fc 65 c2 51 dc 8c 29 |y.......+.e.Q..)| +00000360 85 31 92 f9 b3 dd 1a a1 f1 f0 9c 21 9d a0 6e 49 |.1.........!..nI| +00000370 ff 16 03 03 00 04 0e 00 00 00 |..........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 03 00 01 01 |....._X.;t......| +00000030 16 03 03 00 20 61 fc dc e1 f7 bf 7b 90 e4 af 71 |.... a.....{...q| +00000040 03 22 10 79 6d d9 e9 aa 1d 60 8e 40 d1 1e 3a 94 |.".ym....`.@..:.| +00000050 ca 78 86 ad e6 |.x...| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 20 39 ee c6 1c d9 |.......... 9....| +00000010 83 3e d3 bf 8a c3 3d bb 0a 27 7a 95 84 ef 82 e1 |.>....=..'z.....| +00000020 80 6b 25 bf 68 dc 58 63 21 80 7d |.k%.h.Xc!.}| +>>> Flow 5 (client to server) +00000000 17 03 03 00 16 e6 75 bb fe 46 1a 4c 75 41 36 eb |......u..F.LuA6.| +00000010 a9 31 d9 59 74 9d 75 76 db 00 94 15 03 03 00 12 |.1.Yt.uv........| +00000020 f0 a9 56 8e bd a5 bb c8 2d ea be d7 7f 9e 39 7a |..V.....-.....9z| +00000030 4f de |O.| diff --git a/pkg/tls/testdata/Client-TLSv12-Ed25519 b/pkg/tls/testdata/Client-TLSv12-Ed25519 new file mode 100644 index 000000000..b2380ed6e --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-Ed25519 @@ -0,0 +1,69 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 17 80 d3 0b 73 |....]...Y......s| +00000010 6d e4 3e 2d 7a 35 ab ab 65 ad a0 03 14 cb e8 98 |m.>-z5..e.......| +00000020 3a d3 c6 41 39 b2 78 c2 1b 06 da 20 ec 80 a9 c4 |:..A9.x.... ....| +00000030 7c b8 9b cc b3 98 7a cd 97 40 41 39 b7 75 13 7a ||.....z..@A9.u.z| +00000040 40 33 ec 9d 69 97 32 5b f5 6e 4f bc cc a9 00 00 |@3..i.2[.nO.....| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 01 3c 0b 00 01 38 00 01 35 00 01 |......<...8..5..| +00000070 32 30 82 01 2e 30 81 e1 a0 03 02 01 02 02 10 0f |20...0..........| +00000080 43 1c 42 57 93 94 1d e9 87 e4 f1 ad 15 00 5d 30 |C.BW..........]0| +00000090 05 06 03 2b 65 70 30 12 31 10 30 0e 06 03 55 04 |...+ep0.1.0...U.| +000000a0 0a 13 07 41 63 6d 65 20 43 6f 30 1e 17 0d 31 39 |...Acme Co0...19| +000000b0 30 35 31 36 32 31 33 38 30 31 5a 17 0d 32 30 30 |0516213801Z..200| +000000c0 35 31 35 32 31 33 38 30 31 5a 30 12 31 10 30 0e |515213801Z0.1.0.| +000000d0 06 03 55 04 0a 13 07 41 63 6d 65 20 43 6f 30 2a |..U....Acme Co0*| +000000e0 30 05 06 03 2b 65 70 03 21 00 3f e2 15 2e e6 e3 |0...+ep.!.?.....| +000000f0 ef 3f 4e 85 4a 75 77 a3 64 9e ed e0 bf 84 2c cc |.?N.Juw.d.....,.| +00000100 92 26 8f fa 6f 34 83 aa ec 8f a3 4d 30 4b 30 0e |.&..o4.....M0K0.| +00000110 06 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 13 |..U...........0.| +00000120 06 03 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 |..U.%..0...+....| +00000130 07 03 01 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 |...0...U.......0| +00000140 00 30 16 06 03 55 1d 11 04 0f 30 0d 82 0b 65 78 |.0...U....0...ex| +00000150 61 6d 70 6c 65 2e 63 6f 6d 30 05 06 03 2b 65 70 |ample.com0...+ep| +00000160 03 41 00 63 44 ed 9c c4 be 53 24 53 9f d2 10 8d |.A.cD....S$S....| +00000170 9f e8 21 08 90 95 39 e5 0d c1 55 ff 2c 16 b7 1d |..!...9...U.,...| +00000180 fc ab 7d 4d d4 e0 93 13 d0 a9 42 e0 b6 6b fe 5d |..}M......B..k.]| +00000190 67 48 d7 9f 50 bc 6c cd 4b 03 83 7c f2 08 58 cd |gH..P.l.K..|..X.| +000001a0 ac cf 0c 16 03 03 00 6c 0c 00 00 68 03 00 1d 20 |.......l...h... | +000001b0 6b 23 39 84 eb 4d db d0 0c f4 5a 9f ce bf 3a a8 |k#9..M....Z...:.| +000001c0 52 df 00 9b 14 10 31 95 21 35 07 f1 7f 22 bf 14 |R.....1.!5..."..| +000001d0 08 07 00 40 f6 b8 53 ed 97 7f 5a 28 88 84 f4 aa |...@..S...Z(....| +000001e0 64 30 dc 4c 80 1f 8f 62 9d 52 aa bb e7 98 e1 7f |d0.L...b.R......| +000001f0 12 19 b5 84 d2 4b 92 b1 38 a9 4e c2 09 1a 91 bf |.....K..8.N.....| +00000200 4a 83 5e a4 82 a0 36 84 85 0d bd b5 a9 4f 2f 60 |J.^...6......O/`| +00000210 a4 2f 33 0d 16 03 03 00 04 0e 00 00 00 |./3..........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 03 00 01 01 |....._X.;t......| +00000030 16 03 03 00 20 a2 a9 10 50 bb d9 12 ee 74 a1 79 |.... ...P....t.y| +00000040 cb fa 36 73 26 89 4e a4 2d 14 c0 ac f3 7b 82 c6 |..6s&.N.-....{..| +00000050 cf fb 00 88 9e |.....| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 20 22 85 b9 b0 e7 |.......... "....| +00000010 14 c0 a6 a9 91 4e 08 80 83 75 92 b5 45 9d 13 e9 |.....N...u..E...| +00000020 0f 45 e7 55 ac b7 68 93 b4 bb 00 |.E.U..h....| +>>> Flow 5 (client to server) +00000000 17 03 03 00 16 0a c8 36 60 97 80 1c d5 d5 3c 3d |.......6`.....<=| +00000010 07 4f 9b 2c 75 6c a0 b1 9a 2c b8 15 03 03 00 12 |.O.,ul...,......| +00000020 fc a4 95 ae ee fe e2 4f ad b2 13 e0 c9 a7 2a 5a |.......O......*Z| +00000030 54 2c |T,| diff --git a/pkg/tls/testdata/Client-TLSv12-ExportKeyingMaterial b/pkg/tls/testdata/Client-TLSv12-ExportKeyingMaterial new file mode 100644 index 000000000..cbd1fbd03 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-ExportKeyingMaterial @@ -0,0 +1,91 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 86 45 94 b6 f3 |....]...Y...E...| +00000010 30 74 36 25 50 09 38 f6 3e 4a 5a b6 bf 06 fd 01 |0t6%P.8.>JZ.....| +00000020 4b 35 b0 bc ef 77 bf f6 e9 a2 84 20 97 96 9b ba |K5...w..... ....| +00000030 24 5f 28 cd 16 3f d3 f4 2b 92 da 09 a5 18 2f 21 |$_(..?..+...../!| +00000040 d8 23 85 9a c9 4a 69 36 93 ab c2 5a cc a8 00 00 |.#...Ji6...Z....| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 03 00 ac 0c 00 00 a8 03 00 1d 20 34 09 94 |............ 4..| +000002d0 56 6a c3 3b 88 60 42 3d 1d f2 99 a1 8e 56 72 e3 |Vj.;.`B=.....Vr.| +000002e0 09 83 17 04 60 08 ad db 70 c6 f6 77 2a 08 04 00 |....`...p..w*...| +000002f0 80 80 1c d5 53 c0 5b 1f 86 e9 d7 16 18 0d 50 3c |....S.[.......P<| +00000300 b6 40 1f 58 ea 79 e6 af cf a1 cf 55 3f e1 fe 04 |.@.X.y.....U?...| +00000310 bc e5 1c 4a ae 36 e9 7b 64 a1 76 ea 43 bc 8f a7 |...J.6.{d.v.C...| +00000320 0a 8a 8b d1 af 54 57 21 9b 55 10 90 91 07 f7 96 |.....TW!.U......| +00000330 68 68 33 ec 4b c4 70 08 88 92 59 2d 4d 86 47 d9 |hh3.K.p...Y-M.G.| +00000340 8a a7 d2 22 b4 ab 83 0e 3b 29 79 fd 1b f7 5b c8 |..."....;)y...[.| +00000350 b2 d5 3a be 74 e7 b5 c8 6e 4e c4 8d c5 70 6c 98 |..:.t...nN...pl.| +00000360 fe 57 f9 2e c0 8c d3 38 39 e9 0e c1 17 c9 8d 36 |.W.....89......6| +00000370 47 16 03 03 00 04 0e 00 00 00 |G.........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 03 00 01 01 |....._X.;t......| +00000030 16 03 03 00 20 35 b3 34 ef 69 93 b1 31 f1 da 9c |.... 5.4.i..1...| +00000040 3f 49 e5 99 8f af 4f 3b 48 52 b9 a3 fa 42 e7 3e |?I....O;HR...B.>| +00000050 29 4c 22 b7 0a |)L"..| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 20 cd 8f ee d3 57 |.......... ....W| +00000010 a5 e4 c0 4c 83 91 37 e2 5b 30 aa a1 52 ed 6c 42 |...L..7.[0..R.lB| +00000020 5b d6 59 1c 9f f7 c6 69 c9 2a 5d |[.Y....i.*]| +>>> Flow 5 (client to server) +00000000 17 03 03 00 16 c9 3b 66 6a 59 3a b6 be 39 a0 db |......;fjY:..9..| +00000010 e9 b4 d8 e1 f5 a6 15 70 4a fc e7 15 03 03 00 12 |.......pJ.......| +00000020 1b c5 fe f3 89 a3 0d d6 1e 23 2d 54 d6 01 62 3c |.........#-T..b<| +00000030 af 0c |..| diff --git a/pkg/tls/testdata/Client-TLSv12-P256-ECDHE b/pkg/tls/testdata/Client-TLSv12-P256-ECDHE new file mode 100644 index 000000000..9b6c75008 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-P256-ECDHE @@ -0,0 +1,98 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 01 19 01 00 01 15 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 9a 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 04 00 02 00 17 00 0b 00 02 01 00 00 0d 00 1a 00 |................| +000000a0 18 08 04 04 03 08 07 08 05 08 06 04 01 05 01 06 |................| +000000b0 01 05 03 06 03 02 01 02 03 ff 01 00 01 00 00 17 |................| +000000c0 00 00 00 12 00 00 00 2b 00 09 08 03 04 03 03 03 |.......+........| +000000d0 02 03 01 00 33 00 47 00 45 00 17 00 41 04 1e 18 |....3.G.E...A...| +000000e0 37 ef 0d 19 51 88 35 75 71 b5 e5 54 5b 12 2e 8f |7...Q.5uq..T[...| +000000f0 09 67 fd a7 24 20 3e b2 56 1c ce 97 28 5e f8 2b |.g..$ >.V...(^.+| +00000100 2d 4f 9e f1 07 9f 6c 4b 5b 83 56 e2 32 42 e9 58 |-O....lK[.V.2B.X| +00000110 b6 d7 49 a6 b5 68 1a 41 03 56 6b dc 5a 89 |..I..h.A.Vk.Z.| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 a4 cd 94 7e 17 |....]...Y.....~.| +00000010 86 6e 81 dc 58 f5 86 34 fc 66 25 77 df 05 e5 85 |.n..X..4.f%w....| +00000020 98 2e b4 38 e3 54 98 93 f5 ef 9e 20 db e9 53 1a |...8.T..... ..S.| +00000030 67 e3 18 c1 64 66 4f 92 7f d6 44 42 a0 b3 04 d9 |g...dfO...DB....| +00000040 c3 5f f2 6a 89 e6 fd e9 6d bf 2c a6 c0 2f 00 00 |._.j....m.,../..| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 03 00 cd 0c 00 00 c9 03 00 17 41 04 28 4d |............A.(M| +000002d0 03 04 41 d2 e5 04 f6 34 90 21 2e bc da 53 95 9d |..A....4.!...S..| +000002e0 2b 10 d8 b5 e2 e1 47 06 08 b7 7a 4a d4 13 3a f9 |+.....G...zJ..:.| +000002f0 50 22 c0 fb 4e 13 b9 1f b9 43 20 71 be b8 e1 9b |P"..N....C q....| +00000300 c8 6b 48 fb 80 22 87 8a 61 54 fb c1 7a 7e 08 04 |.kH.."..aT..z~..| +00000310 00 80 86 09 16 06 8e 1c c9 02 ec 9d d9 4d c0 d1 |.............M..| +00000320 d1 d0 48 96 f6 31 4a 69 02 9e 27 26 ca ff bb 1e |..H..1Ji..'&....| +00000330 94 3b fb 41 fa 11 a5 cd ec a7 a0 6f 4c 35 dc 7a |.;.A.......oL5.z| +00000340 fb fd c4 41 ab 5b ee 21 96 16 9d 42 8f ce b6 50 |...A.[.!...B...P| +00000350 6a 48 9f 92 d2 00 70 53 30 c3 3d 5e a9 cb e3 f1 |jH....pS0.=^....| +00000360 52 19 c8 1a 58 f5 19 9a 11 a2 ea 9d a2 29 5e b2 |R...X........)^.| +00000370 ef bb c1 a6 c5 2c e4 33 2f 6d 60 ac 34 42 dc 42 |.....,.3/m`.4B.B| +00000380 85 69 e3 c6 b8 2d af c4 37 8e b8 b6 39 4e 07 ff |.i...-..7...9N..| +00000390 88 d0 16 03 03 00 04 0e 00 00 00 |...........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 46 10 00 00 42 41 04 1e 18 37 ef 0d |....F...BA...7..| +00000010 19 51 88 35 75 71 b5 e5 54 5b 12 2e 8f 09 67 fd |.Q.5uq..T[....g.| +00000020 a7 24 20 3e b2 56 1c ce 97 28 5e f8 2b 2d 4f 9e |.$ >.V...(^.+-O.| +00000030 f1 07 9f 6c 4b 5b 83 56 e2 32 42 e9 58 b6 d7 49 |...lK[.V.2B.X..I| +00000040 a6 b5 68 1a 41 03 56 6b dc 5a 89 14 03 03 00 01 |..h.A.Vk.Z......| +00000050 01 16 03 03 00 28 00 00 00 00 00 00 00 00 e3 ce |.....(..........| +00000060 26 ff 24 7b cf 1a 6e 65 68 3d 56 ca 11 6c 7c a6 |&.${..neh=V..l|.| +00000070 de 97 f1 f3 cd 04 4e 38 bd 0c 5b 08 1b dd |......N8..[...| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 28 38 ac 96 e8 6f |..........(8...o| +00000010 bc 22 ba 46 a9 64 f6 dc 19 79 5e 01 cd 50 db 9e |.".F.d...y^..P..| +00000020 98 23 19 2a f2 25 49 b9 f1 cb 63 c5 5e 32 85 c4 |.#.*.%I...c.^2..| +00000030 e0 e5 16 |...| +>>> Flow 5 (client to server) +00000000 17 03 03 00 1e 00 00 00 00 00 00 00 01 b7 b1 9c |................| +00000010 5d 9f f1 b7 21 b3 30 00 9d 39 26 5f 6e 99 67 e8 |]...!.0..9&_n.g.| +00000020 47 01 62 15 03 03 00 1a 00 00 00 00 00 00 00 02 |G.b.............| +00000030 2a 2f 3f 76 2a 10 9b ee c0 86 41 8a fe cf c5 70 |*/?v*.....A....p| +00000040 c7 ac |..| diff --git a/pkg/tls/testdata/Client-TLSv12-RSA-RC4 b/pkg/tls/testdata/Client-TLSv12-RSA-RC4 new file mode 100644 index 000000000..f995680c3 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-RSA-RC4 @@ -0,0 +1,86 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 55 02 00 00 51 03 03 d4 a4 5a fb c9 |....U...Q....Z..| +00000010 93 ee 7e 5a c4 04 8e bb 72 da ad a4 0f 9c 0f 6e |..~Z....r......n| +00000020 2b 28 9a ef 28 be d4 49 9b 50 56 20 f8 5a e3 7b |+(..(..I.PV .Z.{| +00000030 c7 96 74 ff 52 4f 68 32 08 15 2b 46 ad 47 3e 49 |..t.ROh2..+F.G>I| +00000040 f9 a7 f8 65 78 fe 01 c0 8f ab 8e 14 00 05 00 00 |...ex...........| +00000050 09 ff 01 00 01 00 00 17 00 00 16 03 03 02 59 0b |..............Y.| +00000060 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000070 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000080 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000090 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +000000a0 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +000000b0 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000c0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000d0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000e0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000f0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +00000100 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +00000110 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000120 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000130 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000140 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000150 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000160 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000170 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000180 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000190 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +000001a0 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +000001b0 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001c0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001d0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001e0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001f0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +00000200 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +00000210 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000220 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000230 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000240 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000250 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000260 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000270 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000280 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000290 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +000002a0 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +000002b0 84 5c 21 d3 3b e9 fa e7 16 03 03 00 04 0e 00 00 |.\!.;...........| +000002c0 00 |.| +>>> Flow 3 (client to server) +00000000 16 03 03 00 86 10 00 00 82 00 80 b9 65 8d bf a7 |............e...| +00000010 c8 4b 79 ce 6f cb 8b 13 1c ac b9 7d 66 5e e9 ba |.Ky.o......}f^..| +00000020 1d 71 4e a9 e9 34 ae f6 64 65 90 3b d8 16 52 a2 |.qN..4..de.;..R.| +00000030 6f f4 cb 8a 13 74 a2 ee b7 27 69 b4 41 c0 90 68 |o....t...'i.A..h| +00000040 bc 02 69 e1 c6 48 4f 39 36 30 25 ca 4c 17 ce 83 |..i..HO960%.L...| +00000050 9e 08 56 e3 05 49 93 9e 2e c4 fb e6 c8 01 f1 0f |..V..I..........| +00000060 c5 70 0f 08 83 48 e9 48 ef 6e 50 8b 05 7e e5 84 |.p...H.H.nP..~..| +00000070 25 fa 55 c7 ae 31 02 27 00 ef 3f 98 86 20 12 89 |%.U..1.'..?.. ..| +00000080 91 59 28 b4 f7 d7 af d2 69 61 35 14 03 03 00 01 |.Y(.....ia5.....| +00000090 01 16 03 03 00 24 f7 3b 92 e7 9f 80 de 5b d4 9e |.....$.;.....[..| +000000a0 d3 02 d3 d9 2c e1 74 2e 98 90 fe d9 ee 08 57 28 |....,.t.......W(| +000000b0 47 99 86 84 f5 95 c5 a6 7f 82 |G.........| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 24 c9 09 6c e8 0b |..........$..l..| +00000010 44 56 62 ed 1f f1 ef 9d a9 cd a4 49 01 0d 2b e3 |DVb........I..+.| +00000020 8f 3d 31 6d bf c5 63 af d4 59 30 47 c6 cd 20 |.=1m..c..Y0G.. | +>>> Flow 5 (client to server) +00000000 17 03 03 00 1a 65 05 a9 14 f7 fd 4e e1 68 20 7e |.....e.....N.h ~| +00000010 32 79 ca e6 e7 79 a3 d6 ce fd 28 37 c7 e2 c5 15 |2y...y....(7....| +00000020 03 03 00 16 87 82 bc 62 e3 c0 4d 2e 75 86 21 05 |.......b..M.u.!.| +00000030 c0 3d 40 d4 1d fc 1b 42 ef 55 |.=@....B.U| diff --git a/pkg/tls/testdata/Client-TLSv12-RenegotiateOnce b/pkg/tls/testdata/Client-TLSv12-RenegotiateOnce new file mode 100644 index 000000000..30db28992 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-RenegotiateOnce @@ -0,0 +1,246 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 6d a7 e6 c4 60 |....]...Y..m...`| +00000010 8e dd 95 85 14 dc 69 2b d5 16 35 dd 4f a1 43 d4 |......i+..5.O.C.| +00000020 3c 8f 0f 55 4b f1 86 68 51 5b 17 20 d8 44 06 84 |<..UK..hQ[. .D..| +00000030 d5 1d 9b ed 45 25 d0 e8 a2 73 fd 44 01 fa 38 63 |....E%...s.D..8c| +00000040 c3 18 35 1c b8 54 ec 78 ab 5f 3d f3 cc a8 00 00 |..5..T.x._=.....| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 03 00 ac 0c 00 00 a8 03 00 1d 20 f1 ac a3 |............ ...| +000002d0 08 ba 9d 89 8e 71 c3 db b1 46 f0 ac 2f 32 13 ad |.....q...F../2..| +000002e0 f7 42 ee b5 9f e5 5c 52 46 0a 9a 53 75 08 04 00 |.B....\RF..Su...| +000002f0 80 89 8c 5b cd e9 fe 7f 6b 15 36 bc d7 43 ed f3 |...[....k.6..C..| +00000300 96 df 69 7c 65 26 f8 68 4f 5b fb 53 75 2c 5a 65 |..i|e&.hO[.Su,Ze| +00000310 4d b4 7b c5 bd 36 71 ea 43 bb 84 ec f3 8f 6b 49 |M.{..6q.C.....kI| +00000320 26 cb fa c1 4c 8b 92 e1 91 ed 09 61 7d 85 44 ea |&...L......a}.D.| +00000330 a7 1c a4 47 02 d2 b4 c0 bf 44 14 e8 03 64 8d 86 |...G.....D...d..| +00000340 80 5c 63 eb ab a0 66 ca 30 2e d7 04 54 d8 91 94 |.\c...f.0...T...| +00000350 37 e8 6c b8 00 a0 06 98 5c 67 c2 46 a2 e9 5c b8 |7.l.....\g.F..\.| +00000360 66 46 b8 82 65 22 29 80 b8 af 50 37 5c 00 96 a5 |fF..e")...P7\...| +00000370 85 16 03 03 00 04 0e 00 00 00 |..........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 03 00 01 01 |....._X.;t......| +00000030 16 03 03 00 20 ca 08 57 0f 80 64 62 ad 11 01 27 |.... ..W..db...'| +00000040 39 d8 80 6c a6 05 f6 75 a1 b6 0d 72 c0 25 f7 bc |9..l...u...r.%..| +00000050 f0 de 76 ee 29 |..v.)| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 20 27 45 9d b0 c3 |.......... 'E...| +00000010 18 c6 34 cb 1a 38 33 ac 91 4f f1 e5 d5 02 ed 62 |..4..83..O.....b| +00000020 c0 46 1e a0 4a b3 46 35 2e e1 a2 |.F..J.F5...| +>>> Flow 5 (client to server) +00000000 17 03 03 00 16 50 48 06 41 d8 9d 1b e9 8b 55 9b |.....PH.A.....U.| +00000010 3c ba ea 58 93 5b 56 17 6e 94 18 |<..X.[V.n..| +>>> Flow 6 (server to client) +00000000 16 03 03 00 14 4c 65 ba 49 aa 53 4c 73 0a 51 ac |.....Le.I.SLs.Q.| +00000010 43 0d 4c 1f 83 6b d9 b1 06 |C.L..k...| +>>> Flow 7 (client to server) +00000000 16 03 03 01 1a fd 7a 4e 2b 7b 8a 07 cc cb 5b 82 |......zN+{....[.| +00000010 df d1 00 69 f8 6f 89 28 4b 91 87 c8 18 20 ec 41 |...i.o.(K.... .A| +00000020 ec c7 bd 04 3d 02 a5 42 fe e1 23 cc 20 aa 22 e8 |....=..B..#. .".| +00000030 31 2e 09 a3 ac c1 3d 04 29 2e 82 1c 31 27 8e e2 |1.....=.)...1'..| +00000040 50 de ca 3d 4d ad 7e 01 74 94 40 3d 7c 2d 08 56 |P..=M.~.t.@=|-.V| +00000050 d2 89 7b 3a b8 2a b1 34 22 65 25 48 bb 24 1b 4b |..{:.*.4"e%H.$.K| +00000060 a2 96 a8 7f ac f2 46 84 4f e2 c8 1c 25 41 eb df |......F.O...%A..| +00000070 52 ec 9b bd 89 b8 a8 c3 62 f2 75 16 de 61 63 b0 |R.......b.u..ac.| +00000080 70 9c d2 c5 b0 86 6b 2a 17 64 9a d1 6d 5c e9 48 |p.....k*.d..m\.H| +00000090 f5 02 e3 0f 16 df f9 6e 99 56 93 85 2b 10 bc da |.......n.V..+...| +000000a0 6e 02 8b 94 ac d2 dc 56 93 ad 8b 1d d6 ff e3 d9 |n......V........| +000000b0 f8 ee 11 15 c7 e4 ae 4d fe 88 0c c9 7f 30 1a 2a |.......M.....0.*| +000000c0 99 ab f8 0d a2 a9 57 87 35 a4 a9 87 b0 4f 46 8a |......W.5....OF.| +000000d0 ec 47 39 32 a7 94 3a 15 08 80 e5 1e 81 4b cd 2e |.G92..:......K..| +000000e0 76 9d 99 5b 86 89 37 09 a0 08 86 6e bb 67 ad 3f |v..[..7....n.g.?| +000000f0 a2 e9 1f 37 75 4b 0f 07 8c f3 e7 34 05 74 33 a9 |...7uK.....4.t3.| +00000100 5a e3 5b 0e 68 d0 54 e4 24 c9 6c 42 2d 81 8f 29 |Z.[.h.T.$.lB-..)| +00000110 17 97 3d a8 00 00 27 50 ae 5d 97 6d fa 7e c0 |..=...'P.].m.~.| +>>> Flow 8 (server to client) +00000000 16 03 03 00 85 74 29 5c 40 48 b9 9c 76 e4 eb a1 |.....t)\@H..v...| +00000010 44 7e f1 72 cd 7b fe 11 47 4d 48 fe bc 75 4e e1 |D~.r.{..GMH..uN.| +00000020 b4 8d cb d1 0e d7 16 cc 4b d4 61 f9 47 69 cd aa |........K.a.Gi..| +00000030 c4 ad bf fd 01 6b 5c a6 63 d4 73 a4 21 f8 fe 72 |.....k\.c.s.!..r| +00000040 00 48 55 4e 40 6b 85 e5 1c f2 36 c1 91 2e e2 70 |.HUN@k....6....p| +00000050 38 95 5a aa 0c c7 32 c9 a5 ac 94 dc 6c 50 f5 e9 |8.Z...2.....lP..| +00000060 9f 14 48 f0 b3 d1 45 99 d3 aa 68 28 22 4a ae 66 |..H...E...h("J.f| +00000070 3a 2f 06 c1 86 fb 0c f2 b0 ca 6f e2 93 fe 47 e6 |:/........o...G.| +00000080 2f 33 2d 60 38 42 2f 56 f7 52 16 03 03 02 69 46 |/3-`8B/V.R....iF| +00000090 86 2d bb 38 d9 57 1c 29 bd 28 17 a8 ef 4e 26 68 |.-.8.W.).(...N&h| +000000a0 16 73 f7 2c 52 fb 54 f8 4d 6d 1e c2 57 0d 44 16 |.s.,R.T.Mm..W.D.| +000000b0 24 3d 5d b5 22 8c 13 b0 09 10 45 65 48 ec 5c 3f |$=].".....EeH.\?| +000000c0 c4 9f c1 ee ff 2b 6e 36 76 bc 01 5d f4 96 44 43 |.....+n6v..]..DC| +000000d0 bb 90 04 ec 18 d6 0b 29 2d 1f 08 0b 02 0d cf 43 |.......)-......C| +000000e0 7c a0 76 40 6d f0 eb 14 42 5a 9d df 29 35 1c 4f ||.v@m...BZ..)5.O| +000000f0 35 ef ad 60 18 16 51 97 2c 73 40 e5 74 1c 48 a7 |5..`..Q.,s@.t.H.| +00000100 e5 4d 35 2c 1a 4c 35 f6 9a eb 0d d7 49 5f 04 06 |.M5,.L5.....I_..| +00000110 da 56 8d f4 3b 3f 20 09 91 fd d3 51 31 65 05 f5 |.V..;? ....Q1e..| +00000120 fa 85 4b 1b 3a 00 33 b0 96 28 d7 3b d7 92 d0 5c |..K.:.3..(.;...\| +00000130 04 13 4d d9 a5 02 19 19 13 1d 8a 9d f4 68 c0 98 |..M..........h..| +00000140 2f f0 86 b2 6b 05 af af 65 a5 0d ab 8e af 74 dc |/...k...e.....t.| +00000150 a6 fa 41 0a 23 4b e6 1a 13 8d 96 01 9a 40 5b 09 |..A.#K.......@[.| +00000160 3b 8f 70 ab 1f d6 8c 27 f6 3d bf 85 b0 f5 66 f7 |;.p....'.=....f.| +00000170 ae 94 df ee 5f 75 47 19 e4 a1 a6 58 bf f2 8b 0e |...._uG....X....| +00000180 05 8a 3a 40 13 35 05 f1 7d 89 f6 6d 14 1c 5f 1c |..:@.5..}..m.._.| +00000190 e7 86 cc b5 83 52 55 9f 28 bf 56 54 96 91 92 7e |.....RU.(.VT...~| +000001a0 18 a6 21 8f e0 98 ee 6d 6b 19 53 0e f1 25 86 ec |..!....mk.S..%..| +000001b0 0e 5d 97 34 36 55 e3 a7 a8 5a 9f 43 8a ed ad c6 |.].46U...Z.C....| +000001c0 cb 81 96 6f 9f 3b 2c db 24 4c 32 05 c0 8e d8 5a |...o.;,.$L2....Z| +000001d0 b3 87 33 b8 5c d8 57 6b d0 94 7f 22 62 7c 15 d8 |..3.\.Wk..."b|..| +000001e0 0f 05 b0 e7 04 85 94 5f 7b b2 25 e2 a2 46 c1 43 |......._{.%..F.C| +000001f0 ac ef f7 c3 89 06 11 d6 c5 a9 0f 3d e0 7a fa 66 |...........=.z.f| +00000200 31 44 1b a8 ff 2c 11 a7 1e 43 73 1d dd c4 a8 36 |1D...,...Cs....6| +00000210 85 45 9e 34 46 78 ba 9a 9c 6a da 58 82 9a b0 2b |.E.4Fx...j.X...+| +00000220 6b 74 98 bb 6a 9d 2d 54 1b 80 09 01 13 85 60 8a |kt..j.-T......`.| +00000230 75 96 df 35 33 72 a4 d6 d3 6e 1a 0a 11 0a 0b b3 |u..53r...n......| +00000240 5c 87 82 69 09 9d 22 a9 8b e4 b2 fb af 5c fd 82 |\..i.."......\..| +00000250 32 30 f4 a8 ca a1 83 3e 8b 4d 3b 00 a6 63 7f c2 |20.....>.M;..c..| +00000260 36 60 80 f2 b5 40 76 98 a6 f9 e8 49 04 62 c0 31 |6`...@v....I.b.1| +00000270 06 da 4c a7 ff 6b 52 e2 7e af 22 b2 2c 84 df 8c |..L..kR.~.".,...| +00000280 d1 5e 7d 19 7b c7 9e da 14 e0 7e 9f 78 4a 0c bb |.^}.{.....~.xJ..| +00000290 77 28 3e 12 03 c3 59 91 2a b1 6c 7e 78 ce d6 ac |w(>...Y.*.l~x...| +000002a0 a0 57 06 20 d1 2b 74 59 20 e0 7f 4d 35 31 1a 3d |.W. .+tY ..M51.=| +000002b0 67 e9 1b 84 92 17 81 04 10 a4 5e 4d c2 00 ea 64 |g.........^M...d| +000002c0 b9 fb 82 41 2e c0 66 68 2a 9e 1d 86 ee df f4 f9 |...A..fh*.......| +000002d0 c5 6b d0 f6 07 61 93 22 31 a7 31 ee bc f3 c8 a7 |.k...a."1.1.....| +000002e0 dc 21 ea eb 61 94 aa 6f 9a a2 0a 74 d9 db 39 48 |.!..a..o...t..9H| +000002f0 21 8a f4 0a 6d f0 e7 07 16 03 03 00 bc 03 03 f8 |!...m...........| +00000300 01 78 b0 ea 48 3d 57 b3 c7 69 62 74 ee 0e 92 a4 |.x..H=W..ibt....| +00000310 d0 96 ed fe 94 2b 11 cd d1 13 f7 e8 cc 61 0c 6e |.....+.......a.n| +00000320 8a 28 70 e1 c2 01 fe 19 66 eb 47 b3 e8 7b ff fc |.(p.....f.G..{..| +00000330 e6 c0 4e 5e 15 ae b6 14 04 64 33 d3 77 bc ce ea |..N^.....d3.w...| +00000340 47 4a 85 ef ff 16 79 33 1b 2e db 42 ab ee 7c 7f |GJ....y3...B..|.| +00000350 37 65 b5 ee 70 71 f1 7b 99 9b 63 c5 23 dd 7b 0c |7e..pq.{..c.#.{.| +00000360 ed 48 07 a4 d5 a2 63 5b fd 99 01 f4 df b6 a7 95 |.H....c[........| +00000370 23 a5 c0 00 e9 b4 2b f4 f8 3e 9b ca b3 34 ff e6 |#.....+..>...4..| +00000380 5a 2f 0a 7a 55 81 77 3b 7a c5 66 e8 2c 4a 01 50 |Z/.zU.w;z.f.,J.P| +00000390 13 13 79 8a b3 9f 9b 49 e9 e7 0a a7 d4 c9 7f 10 |..y....I........| +000003a0 29 89 70 d9 83 5d 21 a9 40 7a 17 1f 6e 3d 4e 2a |).p..]!.@z..n=N*| +000003b0 48 e7 1c fa 07 2f 3f 5d 32 16 03 03 00 4a f9 74 |H..../?]2....J.t| +000003c0 d5 eb 38 ef d8 bf 7a 69 2f b0 d3 e0 e1 57 d7 fc |..8...zi/....W..| +000003d0 01 57 2e e6 99 ba 0c 23 07 59 f3 75 28 1d 77 26 |.W.....#.Y.u(.w&| +000003e0 2f 4d f4 f3 16 0a d6 2e 38 50 48 e3 a2 90 e1 0b |/M......8PH.....| +000003f0 78 99 35 81 d1 d9 4a 7b 47 a2 e1 95 39 f6 02 87 |x.5...J{G...9...| +00000400 1f fe 4f 7e 2e ee 9a 17 16 03 03 00 14 98 8e a2 |..O~............| +00000410 b6 b6 79 35 d1 fe b2 cb 90 ea 7c 91 5a 37 53 e4 |..y5......|.Z7S.| +00000420 73 |s| +>>> Flow 9 (client to server) +00000000 16 03 03 02 69 ad fd 5e 51 7c 1a 62 01 a3 c7 84 |....i..^Q|.b....| +00000010 d6 d8 2d 47 2b 00 d5 d4 7c e6 16 94 7e 32 74 85 |..-G+...|...~2t.| +00000020 ce 13 d9 af d7 27 77 86 43 77 1b ca 68 f5 1f da |.....'w.Cw..h...| +00000030 20 d8 61 29 b0 11 3d 40 66 62 a0 82 ff 38 85 07 | .a)..=@fb...8..| +00000040 52 fc 59 92 44 c4 ea 12 70 62 cd 05 66 0a b4 cb |R.Y.D...pb..f...| +00000050 38 23 f4 35 58 a0 4c 1e bc 1a 5a 6a be ad 81 c9 |8#.5X.L...Zj....| +00000060 22 97 dc 7d 77 76 da e8 b5 30 be d3 28 be b2 30 |"..}wv...0..(..0| +00000070 05 52 8f 41 d3 a1 78 68 9b 76 ad 29 42 ec 90 c5 |.R.A..xh.v.)B...| +00000080 61 f2 aa f2 f0 fb dd 08 42 f3 5a a8 3c 8d f9 98 |a.......B.Z.<...| +00000090 90 00 2e e1 aa 7c ac 3f cf 34 9d ed 56 09 30 d3 |.....|.?.4..V.0.| +000000a0 1b 03 9e fb 0c 16 4c 99 0f 86 a9 03 44 ce 8b 66 |......L.....D..f| +000000b0 a6 42 bb 0b dc a4 82 47 7d fc 09 48 1d 47 85 da |.B.....G}..H.G..| +000000c0 3f 30 d1 94 36 a0 ac 44 72 2f a4 cc 5a fd 6c 96 |?0..6..Dr/..Z.l.| +000000d0 05 14 0c 25 5c 19 44 1e c2 40 12 57 be 30 1d bb |...%\.D..@.W.0..| +000000e0 62 f4 2c c2 f1 46 83 1b ad bd f4 e0 ff b2 de 62 |b.,..F.........b| +000000f0 85 04 61 3d 61 67 aa d1 f7 ba db 6f 80 75 1e 9c |..a=ag.....o.u..| +00000100 70 42 ff 6f 35 83 32 34 fc 12 08 e5 44 92 cb 99 |pB.o5.24....D...| +00000110 a5 d0 ef c3 f2 9e b2 86 ff c1 e5 87 01 bf d1 7a |...............z| +00000120 d9 57 ef 21 cf c9 fd 5f 30 6c 54 7c ac 95 54 72 |.W.!..._0lT|..Tr| +00000130 3d 46 88 4d 9f 8e a8 75 81 a0 81 50 11 1e f7 92 |=F.M...u...P....| +00000140 f5 a2 5d 49 5a f8 c1 b8 06 f3 6f 99 64 77 ee fe |..]IZ.....o.dw..| +00000150 40 fe 94 51 67 db e1 a0 d7 a4 09 cc 52 9c 1b 27 |@..Qg.......R..'| +00000160 5b 45 4a 71 ff 60 aa 52 56 07 f6 4e ad 23 b8 2c |[EJq.`.RV..N.#.,| +00000170 87 d3 2b 04 56 21 ed 51 ce 81 59 ae 3d a7 1b f5 |..+.V!.Q..Y.=...| +00000180 75 3f 8a 83 c3 ee e9 76 94 dd 48 c4 d1 69 2f af |u?.....v..H..i/.| +00000190 b1 f9 2f db 72 ef da 33 6b 87 78 64 24 3a 42 46 |../.r..3k.xd$:BF| +000001a0 e0 ed 91 60 89 dd 5a 9e 9b 93 4a 0e a3 30 32 4d |...`..Z...J..02M| +000001b0 0e 5f c6 49 26 49 18 73 8d 2d 73 d5 4c 49 3f df |._.I&I.s.-s.LI?.| +000001c0 d9 55 b7 11 7e 24 1b d6 cb 71 68 ba 6c c7 72 b2 |.U..~$...qh.l.r.| +000001d0 2e aa 39 89 ac 1b 96 a3 78 11 4d 37 ba 25 88 43 |..9.....x.M7.%.C| +000001e0 d2 8a 55 28 99 b3 f0 59 d5 92 cc 94 51 e2 f2 18 |..U(...Y....Q...| +000001f0 3b d1 1a 9b a6 ee f1 b1 91 62 6b a0 da 75 f6 69 |;........bk..u.i| +00000200 23 56 22 29 dd d0 63 05 be a9 f7 38 fc 0d a2 64 |#V")..c....8...d| +00000210 e4 09 2c d5 5f ca ee 91 81 91 d1 ee 62 04 e9 ce |..,._.......b...| +00000220 5f 49 8e 70 cf fd 5a b5 cf c1 e5 ae 53 3e 16 d0 |_I.p..Z.....S>..| +00000230 f0 49 9b 61 32 14 38 27 b5 c9 93 13 be e4 5a f0 |.I.a2.8'......Z.| +00000240 10 5f 7c 14 11 68 70 4d 6d 02 9f 51 51 94 e0 0e |._|..hpMm..QQ...| +00000250 04 a2 ae 6c 3c f0 94 11 9c 66 58 b3 a2 e8 04 f1 |...l<....fX.....| +00000260 01 b7 88 0d 74 cf 8a 63 f8 e6 c4 bb 10 bb 16 03 |....t..c........| +00000270 03 00 35 7b 36 f4 cf b3 8a 4a 7c 7e fc 7a 6d ae |..5{6....J|~.zm.| +00000280 5e fe 3b c5 e1 16 44 ab 72 0a 07 10 69 e1 11 db |^.;...D.r...i...| +00000290 6d 86 f9 43 d0 87 82 3a 28 83 b4 15 76 76 2a f9 |m..C...:(...vv*.| +000002a0 52 80 7f 2f c2 52 e1 2c 16 03 03 00 98 e8 a2 d5 |R../.R.,........| +000002b0 d6 57 15 7c 33 27 e2 29 d4 82 7b fd 2d c3 00 db |.W.|3'.)..{.-...| +000002c0 83 90 44 4b 3a be 01 4d d7 76 a5 03 cf ec 60 b5 |..DK:..M.v....`.| +000002d0 93 ba 4d 4d 74 30 a3 bb 47 3b a2 94 98 1e e9 b8 |..MMt0..G;......| +000002e0 d2 99 55 05 c7 59 cb e4 55 3e c0 c9 8c 90 40 91 |..U..Y..U>....@.| +000002f0 2e c0 64 f2 6e 09 96 7c b6 0a e0 ad fd a2 7a c4 |..d.n..|......z.| +00000300 b0 e6 0f 40 2a e5 37 fa 72 f3 89 1c 78 47 ca c7 |...@*.7.r...xG..| +00000310 e5 83 7b 1f a6 e5 39 32 c6 94 1e e4 7a 51 d9 36 |..{...92....zQ.6| +00000320 67 d9 b3 78 58 f9 ae 65 60 ee 41 c8 81 8a 04 49 |g..xX..e`.A....I| +00000330 35 2a d8 22 b3 8b 64 49 13 a0 36 e0 37 68 ea b7 |5*."..dI..6.7h..| +00000340 99 9e 1f e1 ea 14 03 03 00 11 b9 18 a2 5e 19 5f |.............^._| +00000350 77 58 6c a3 e9 97 4b 34 5e ff ff 16 03 03 00 20 |wXl...K4^...... | +00000360 71 d4 9f 5a 6f fa e4 28 bb f1 9d e5 0b c3 da 4b |q..Zo..(.......K| +00000370 ef a3 78 28 c5 e3 43 ff f7 5c a1 94 57 0d ee 41 |..x(..C..\..W..A| +>>> Flow 10 (server to client) +00000000 14 03 03 00 11 ed 11 8d d8 09 71 3a d8 53 25 f9 |..........q:.S%.| +00000010 a9 2f 70 b9 21 fb 16 03 03 00 20 14 a7 ba 54 0e |./p.!..... ...T.| +00000020 5c a9 53 ab d4 d6 c0 3f 10 6b 2d 84 8d 66 e5 04 |\.S....?.k-..f..| +00000030 96 f9 a9 18 1d f8 c1 76 49 18 35 17 03 03 00 19 |.......vI.5.....| +00000040 5e b0 d2 83 83 7d 35 ac e5 74 9a 68 b5 d8 4d 32 |^....}5..t.h..M2| +00000050 a1 d0 bf 8d 8f 1a 2f f7 33 |....../.3| +>>> Flow 11 (client to server) +00000000 15 03 03 00 12 3d 6c 11 84 f3 af 5e 9b ee c3 56 |.....=l....^...V| +00000010 96 c1 78 a9 12 31 ba |..x..1.| diff --git a/pkg/tls/testdata/Client-TLSv12-RenegotiateTwice b/pkg/tls/testdata/Client-TLSv12-RenegotiateTwice new file mode 100644 index 000000000..ff6da0aeb --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-RenegotiateTwice @@ -0,0 +1,346 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 bc 20 d6 8b 64 |....]...Y... ..d| +00000010 c1 9f de ba 8e c1 6f 37 b8 5c 82 c3 1b 5e 11 3d |......o7.\...^.=| +00000020 ac 5d 16 4b 40 96 d6 ae 29 74 91 20 65 7d d0 51 |.].K@...)t. e}.Q| +00000030 d8 a2 2d c6 db 53 f6 04 16 dd 70 4a bd 44 a4 b6 |..-..S....pJ.D..| +00000040 ef e0 f0 d3 ec 6a 31 18 91 df 09 90 cc a8 00 00 |.....j1.........| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 03 00 ac 0c 00 00 a8 03 00 1d 20 71 9d 55 |............ q.U| +000002d0 00 99 f1 f9 90 c2 8f 82 27 d7 5c 0e 96 97 a9 f7 |........'.\.....| +000002e0 be ab c4 76 41 9b 86 86 43 d7 43 78 0c 08 04 00 |...vA...C.Cx....| +000002f0 80 96 cb 93 b2 0c 1e e3 92 b1 4e 28 30 48 85 09 |..........N(0H..| +00000300 c1 cf 73 66 7b 3b 3d 7d 83 c2 a3 2a 93 14 58 c0 |..sf{;=}...*..X.| +00000310 1c 6c 7c 92 9c 3f 8b 80 d1 c4 54 d8 2b 65 38 35 |.l|..?....T.+e85| +00000320 08 a6 d2 ec 4e 84 e7 49 78 13 3f 2a 41 60 1d ea |....N..Ix.?*A`..| +00000330 09 c8 30 37 35 88 b3 eb 5c ad 16 46 19 5f f1 62 |..075...\..F._.b| +00000340 8b 49 8a 9a 47 87 a4 14 d3 17 e1 d5 79 0e 9f c4 |.I..G.......y...| +00000350 4e db 6f 38 8e 77 ec 37 74 e8 20 01 54 75 e1 8e |N.o8.w.7t. .Tu..| +00000360 5c d1 19 51 d8 c8 89 6c 27 01 54 ca 18 dd d9 2e |\..Q...l'.T.....| +00000370 8f 16 03 03 00 04 0e 00 00 00 |..........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 03 00 01 01 |....._X.;t......| +00000030 16 03 03 00 20 46 e6 c1 9e c0 cc 46 24 6e 0c 6c |.... F.....F$n.l| +00000040 1b c5 7d b4 dc a1 b5 d4 bf db 32 69 12 8a 89 ea |..}.......2i....| +00000050 c1 bf 26 b8 ee |..&..| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 20 08 9b ed a2 75 |.......... ....u| +00000010 a9 2d 92 f7 dc e1 93 7a 3d c3 75 33 a8 43 17 2b |.-.....z=.u3.C.+| +00000020 50 71 58 d7 40 2a ea 1b 0a 3b 0b |PqX.@*...;.| +>>> Flow 5 (client to server) +00000000 17 03 03 00 16 7e a3 48 7f 20 07 19 31 8b d2 18 |.....~.H. ..1...| +00000010 81 1d 4a a1 db 72 4a 88 2d ee 18 |..J..rJ.-..| +>>> Flow 6 (server to client) +00000000 16 03 03 00 14 b4 c3 67 a8 fc 66 ad 48 f9 3f 6b |.......g..f.H.?k| +00000010 97 4b 55 f8 4d 92 a1 2e d8 |.KU.M....| +>>> Flow 7 (client to server) +00000000 16 03 03 01 1a 57 92 7f 92 07 a2 88 ca ea e3 5d |.....W.........]| +00000010 38 79 fd 42 41 5b 73 e5 52 34 c3 f5 10 67 3d 0b |8y.BA[s.R4...g=.| +00000020 42 58 50 d7 f1 da 6b a6 4f 6a 89 2b f7 3c 4d a0 |BXP...k.Oj.+.......| +00000050 48 06 3b 1e df 97 26 e9 59 34 59 c8 e3 05 0b 22 |H.;...&.Y4Y...."| +00000060 d1 66 0e 42 ac e0 4a e1 89 c3 80 ae ee 32 65 93 |.f.B..J......2e.| +00000070 09 6b 1f bc 03 4d 0d 85 bc e8 46 12 09 0b 0c 44 |.k...M....F....D| +00000080 20 a0 26 12 70 80 45 9c ba c2 9d 6a 7a ec bb 92 | .&.p.E....jz...| +00000090 c5 b3 49 2e 18 99 e8 19 a8 37 9d e2 28 c8 69 19 |..I......7..(.i.| +000000a0 ed 12 a6 f2 e7 84 a3 7f 7e 49 74 34 67 66 1f fc |........~It4gf..| +000000b0 02 58 0d 8e 6c ec 1c 14 8c 2a 74 b8 f2 b1 8e 6a |.X..l....*t....j| +000000c0 5f 4d 76 13 d6 7f cf c3 2d 85 18 9b 04 87 d9 9a |_Mv.....-.......| +000000d0 db 8f 09 ce 3f 47 55 fc e9 bf 6c cb 42 bf d4 c4 |....?GU...l.B...| +000000e0 76 91 3e d6 d8 32 4e fe 24 39 1b 66 38 83 32 7f |v.>..2N.$9.f8.2.| +000000f0 ee 84 d3 13 39 73 bb 41 a2 d4 ef a7 1c aa cb e3 |....9s.A........| +00000100 c2 25 6a a3 f2 fb 6f 94 eb 9d 08 1b 4e 6b 09 8a |.%j...o.....Nk..| +00000110 00 0a e3 1b e1 57 7b 58 14 d1 0a 1d 11 7a e0 |.....W{X.....z.| +>>> Flow 8 (server to client) +00000000 16 03 03 00 85 f1 26 e0 cc 3f 3d a3 e6 57 21 a0 |......&..?=..W!.| +00000010 25 c6 fd 11 f5 92 2e 73 21 32 2b 07 76 73 2b e3 |%......s!2+.vs+.| +00000020 0a 45 1e 01 c8 28 01 1b ba 23 d8 4e 7c 9f 2b 2e |.E...(...#.N|.+.| +00000030 5a ef df 4f 0d 77 76 27 8b 1e df 94 a4 90 1e cb |Z..O.wv'........| +00000040 5a 19 6b f0 c6 85 71 7b 6b cd 59 e1 32 a5 a5 18 |Z.k...q{k.Y.2...| +00000050 01 25 13 84 09 e5 30 6a d3 f2 80 07 1d 48 9b 72 |.%....0j.....H.r| +00000060 d2 6e 76 e3 de 85 0b 9d ec 5f e3 48 02 61 6c b1 |.nv......_.H.al.| +00000070 1a 1b 89 7e 44 f8 af fd a9 42 63 3e f6 3c f6 22 |...~D....Bc>.<."| +00000080 ff 45 b4 f2 ec 31 65 58 8c 06 16 03 03 02 69 50 |.E...1eX......iP| +00000090 e3 4b 21 fd f3 73 28 b1 b2 dc f4 46 d3 37 c1 c9 |.K!..s(....F.7..| +000000a0 15 9c 83 a0 4d b5 6e c1 8c 97 26 05 20 4d cf 92 |....M.n...&. M..| +000000b0 9a e4 e6 ff c2 d1 d4 c9 28 ca 08 00 ed ba 2a e1 |........(.....*.| +000000c0 d2 71 62 4a 1a ca 7d db 19 86 81 a1 4b c4 f7 19 |.qbJ..}.....K...| +000000d0 d2 b1 99 4a 82 39 e5 d2 90 59 ca 19 a5 1c 07 1c |...J.9...Y......| +000000e0 c1 44 d5 f3 a4 e5 33 ce 98 fc 24 e9 65 04 b9 08 |.D....3...$.e...| +000000f0 2f f7 d6 87 91 33 64 8c 9e e9 50 35 28 76 3d 77 |/....3d...P5(v=w| +00000100 b2 84 16 23 a1 6f d1 92 da 37 28 88 63 51 db 55 |...#.o...7(.cQ.U| +00000110 5d d4 29 ab 64 e8 dd 1f ef 06 31 78 ab f1 11 82 |].).d.....1x....| +00000120 76 35 17 66 87 62 bc 9e 18 be 35 96 4d 5c 2d c6 |v5.f.b....5.M\-.| +00000130 84 13 08 00 ec f9 bd b8 24 88 f5 2a 2b 11 0b ec |........$..*+...| +00000140 55 a2 f3 c7 b4 7d cf 56 90 1f d9 c0 4a 0e 8c 8c |U....}.V....J...| +00000150 d4 72 60 18 f6 eb 6a ae 83 35 bf d2 4f 0e f3 06 |.r`...j..5..O...| +00000160 73 3f e1 3a 03 1f 51 02 2f dc e1 f8 87 95 8a 13 |s?.:..Q./.......| +00000170 d3 89 ac af 36 c8 1d 19 08 61 97 c9 e3 0a b9 1a |....6....a......| +00000180 12 6e f1 fd d5 e3 78 bc 34 b7 6b 1d b4 48 3e d5 |.n....x.4.k..H>.| +00000190 61 99 04 e5 74 ca 53 66 65 21 c2 2c fb e6 12 3d |a...t.Sfe!.,...=| +000001a0 5e 48 ac b9 ef d8 a3 75 32 85 eb 6f 88 84 b6 2f |^H.....u2..o.../| +000001b0 d4 67 e7 25 26 80 c0 39 73 97 fb e5 8d ed 65 7e |.g.%&..9s.....e~| +000001c0 a4 35 4e b7 e3 92 72 23 80 c2 f5 db b4 02 26 33 |.5N...r#......&3| +000001d0 ff 46 3e 0d e6 e0 02 b1 65 e0 3f 8e 7d fd 12 73 |.F>.....e.?.}..s| +000001e0 62 20 6a fc 00 2b 19 cb 17 c7 de 14 05 4b b5 f6 |b j..+.......K..| +000001f0 49 78 92 f4 84 1d 94 1b b1 23 67 5e b2 ae 75 4e |Ix.......#g^..uN| +00000200 f3 52 72 af fb 2e 12 7c cc 6b b6 f3 3a 8a e4 ae |.Rr....|.k..:...| +00000210 03 db ed 20 b1 e5 a9 7b 0d df ae 75 c9 71 42 c4 |... ...{...u.qB.| +00000220 e5 c9 a7 ac c8 f4 a5 e6 84 05 a0 be ca d8 d0 d1 |................| +00000230 30 a0 84 42 82 df ba ba d7 11 a5 f9 93 fd 8e 91 |0..B............| +00000240 89 2e 2f b2 98 05 06 dc 2c a4 2a 6f f4 0f 9d 1d |../.....,.*o....| +00000250 16 2f d8 b9 06 02 43 92 cc 96 bc 6a a4 93 86 ef |./....C....j....| +00000260 43 11 ec b7 4e 39 9f 1f 75 71 76 1a 7b 1d 2e 68 |C...N9..uqv.{..h| +00000270 ad 36 c7 ae 3a 7a 70 10 46 4e 76 9b f5 8c 1d b7 |.6..:zp.FNv.....| +00000280 5d 62 86 70 1c 27 84 ae 8a 05 65 a2 01 bf 3b 0f |]b.p.'....e...;.| +00000290 d3 43 74 9d a0 ed 7f e4 63 dc b9 e6 7b d6 c1 2d |.Ct.....c...{..-| +000002a0 96 ae 51 6e 07 47 8b f8 f7 e2 71 19 3a df 7d cb |..Qn.G....q.:.}.| +000002b0 ef 82 2a 11 fd 9c e9 24 9d b0 9e e4 1f f2 4e 8b |..*....$......N.| +000002c0 17 02 4a 27 33 85 61 d3 55 6d 82 77 ce 55 d3 be |..J'3.a.Um.w.U..| +000002d0 94 9f 6d 1d f0 16 1d 19 bd 1f ac 77 e7 13 32 94 |..m........w..2.| +000002e0 86 8c c8 c9 33 f0 b0 47 cf 9c 7c ef 97 c3 37 25 |....3..G..|...7%| +000002f0 bf a7 09 82 35 ff 9f 79 16 03 03 00 bc 8c 34 16 |....5..y......4.| +00000300 37 9c cb db aa dc 23 ba 07 28 88 be 6f f0 cc 42 |7.....#..(..o..B| +00000310 22 31 2c fc a4 ce d8 bf 58 54 a7 62 6b 54 8b b1 |"1,.....XT.bkT..| +00000320 0b 44 29 a9 64 2f af ee f1 7b 79 1c 26 02 a3 bd |.D).d/...{y.&...| +00000330 e5 dd 60 89 ef e9 31 bc 5d 17 fc a9 05 77 38 00 |..`...1.]....w8.| +00000340 e8 d9 8c b3 c6 7d fb a0 f8 d1 87 2a c6 74 d6 2c |.....}.....*.t.,| +00000350 39 c8 3c d8 0d 0d a6 e2 ea 6b 88 9d 7d ee cc 4e |9.<......k..}..N| +00000360 69 2a ac 41 7e ac b8 fe b4 8f 43 ef 2d a7 45 78 |i*.A~.....C.-.Ex| +00000370 bf 29 72 b5 4b cf bb aa 1a 64 3c dd 38 07 ab 60 |.)r.K....d<.8..`| +00000380 b3 ee e3 0b 40 a1 72 4d 61 1a ba d8 24 a7 46 3f |....@.rMa...$.F?| +00000390 77 c9 bd 11 37 d7 ae c9 92 d8 78 a5 13 f8 2c 2f |w...7.....x...,/| +000003a0 10 50 7c e5 16 2c 56 e7 a6 10 cb fc 62 a2 6f 83 |.P|..,V.....b.o.| +000003b0 30 74 d3 94 23 78 c8 6d 28 16 03 03 00 4a 76 dc |0t..#x.m(....Jv.| +000003c0 db 13 a2 52 07 65 62 35 36 56 42 95 1d 34 8f 2a |...R.eb56VB..4.*| +000003d0 cd 5e 63 aa 56 70 ac 16 76 7b 7d b6 3f a4 57 6b |.^c.Vp..v{}.?.Wk| +000003e0 f1 9e 6a a7 ca e5 cb b0 44 5e 8b 6a ea 78 45 ad |..j.....D^.j.xE.| +000003f0 0c 9d 44 8c 1f 03 27 9b 90 2e 9e fc 50 44 1f 4d |..D...'.....PD.M| +00000400 f3 ac 1f 2f 6d ed 49 29 16 03 03 00 14 ba 05 de |.../m.I)........| +00000410 4f 96 62 af d1 e0 a6 64 0d f3 ee 50 ca 1f d1 50 |O.b....d...P...P| +00000420 bb |.| +>>> Flow 9 (client to server) +00000000 16 03 03 02 69 54 06 eb 58 fb 0c cd 83 50 78 6d |....iT..X....Pxm| +00000010 e1 63 b0 24 eb 11 2b b3 76 77 c9 7b e4 ad c8 a9 |.c.$..+.vw.{....| +00000020 71 73 68 a2 89 ba bc fd 0d d4 cc 7b 33 0a 11 c6 |qsh........{3...| +00000030 a0 56 0f b4 86 e6 e5 31 85 2d 98 1b f0 28 67 2b |.V.....1.-...(g+| +00000040 d2 c8 9a 32 83 c1 50 10 16 08 70 72 fb 80 c7 a4 |...2..P...pr....| +00000050 fa 95 88 bc 7c 45 67 1d 43 24 7b 56 9a 09 b6 38 |....|Eg.C${V...8| +00000060 e2 4c 25 93 7a 02 f8 c4 f2 52 7e e4 8e 99 ad 9c |.L%.z....R~.....| +00000070 1d 8f 54 a5 67 d1 27 5d c7 d0 76 47 a8 7f 54 79 |..T.g.']..vG..Ty| +00000080 4c f2 98 bc 8c 3c 78 9b 6e c1 8b 2c 09 40 77 a9 |L....s| +00000100 d5 cd e8 4e 1b a2 4a 52 38 43 6a b1 fc 85 98 7e |...N..JR8Cj....~| +00000110 db 7d 0a 9c d9 bc 6e 7b 19 ce 3c 49 2f 8a d1 6d |.}....n{...| +000001d0 3a 52 24 2f 0a 33 c1 3b 34 74 ef 06 c5 5e 14 fb |:R$/.3.;4t...^..| +000001e0 b8 30 a3 80 2e c4 11 f3 a2 4c 03 65 60 c0 b0 0c |.0.......L.e`...| +000001f0 aa cd e8 2e f1 d8 f2 5a 4b 48 c0 5b 47 57 1d 9a |.......ZKH.[GW..| +00000200 a0 cc 9e dd 6f 22 7c 8b f8 e3 21 2c fc 87 6e b0 |....o"|...!,..n.| +00000210 cd bf 90 e4 05 f7 93 af 4a f0 73 73 4e af 70 ce |........J.ssN.p.| +00000220 8d 96 e3 b0 bc e8 3e e2 92 09 a4 74 52 1c 7c 55 |......>....tR.|U| +00000230 5c 5c 64 07 05 9d f5 54 0f ff 1b 02 0c c4 22 94 |\\d....T......".| +00000240 aa 7b 43 e0 9d 67 25 23 da 8b 03 26 02 1b 22 92 |.{C..g%#...&..".| +00000250 ff f8 f6 be 40 54 c2 9b 18 af 53 63 70 76 7c ce |....@T....Scpv|.| +00000260 d4 e7 b6 f6 89 43 ec 11 af b3 05 ee de ad 16 03 |.....C..........| +00000270 03 00 35 72 0c 52 b0 32 0a 1f fc 27 13 34 67 25 |..5r.R.2...'.4g%| +00000280 a8 39 89 9e 6c ea 6f 25 72 f7 40 63 b2 c9 e2 e0 |.9..l.o%r.@c....| +00000290 d4 eb 44 ad ae d0 58 1e 54 9c db 31 ba 03 44 9d |..D...X.T..1..D.| +000002a0 95 f5 f3 bb ef d6 4d f5 16 03 03 00 98 d6 86 68 |......M........h| +000002b0 3d 68 f6 6d 2d cf 30 e8 32 2d 8e 1e b9 67 a1 8d |=h.m-.0.2-...g..| +000002c0 91 ae 10 8a d6 ce 3c f0 98 01 6a 96 c1 41 cc d4 |......<...j..A..| +000002d0 b1 dc 49 25 be 0f 5b 59 6d f2 12 4d 49 92 e7 2d |..I%..[Ym..MI..-| +000002e0 3d 59 53 38 ff ca 2c 52 ea 30 1c 55 9d 7c 7c 3b |=YS8..,R.0.U.||;| +000002f0 2b 4f 53 0d d7 0f 50 1e ac f9 97 de cb 46 f9 74 |+OS...P......F.t| +00000300 78 ac 4b 82 e4 25 10 63 04 5c 64 c1 d6 e3 4b c1 |x.K..%.c.\d...K.| +00000310 5a 41 02 79 06 bd 75 6f 54 8e a4 a8 6d 7d 30 98 |ZA.y..uoT...m}0.| +00000320 3f 65 fb 6c dd 59 39 e5 8e a4 08 96 62 70 12 2f |?e.l.Y9.....bp./| +00000330 c5 94 3a 1b 2a 99 cc da fb d3 85 19 5b 10 3c d9 |..:.*.......[.<.| +00000340 b4 f9 e8 df c8 14 03 03 00 11 c3 3f 56 55 75 1b |...........?VUu.| +00000350 90 77 ff 04 f4 24 0d 0b 04 ac 2b 16 03 03 00 20 |.w...$....+.... | +00000360 63 1a 0b 3e 2b 0b f0 d7 11 11 03 b0 0d f8 0c ce |c..>+...........| +00000370 25 c6 b4 0d ee 5c 95 40 9a 86 29 1d ee 06 29 88 |%....\.@..)...).| +>>> Flow 10 (server to client) +00000000 14 03 03 00 11 5e 2d 5e 29 92 98 7e cd a8 00 b6 |.....^-^)..~....| +00000010 08 53 39 b6 a2 d1 16 03 03 00 20 6e 0e 3e 92 3a |.S9....... n.>.:| +00000020 b5 a6 ec 3e f2 38 3e 78 86 77 3e 50 9d 29 de bc |...>.8>x.w>P.)..| +00000030 07 e7 d3 eb 20 ee a7 e9 5e 4c f6 17 03 03 00 19 |.... ...^L......| +00000040 06 47 a1 60 72 a7 0d 81 84 86 5e 80 a7 73 7e d9 |.G.`r.....^..s~.| +00000050 db f7 d6 97 f7 9c 12 66 b3 16 03 03 00 14 2b 6d |.......f......+m| +00000060 1a cb 48 9f a3 84 45 a6 d7 c9 ed 4f 15 44 ec c8 |..H...E....O.D..| +00000070 9b a5 |..| +>>> Flow 11 (client to server) +00000000 16 03 03 01 1a 57 f6 a3 85 62 29 d9 5d b5 40 f7 |.....W...b).].@.| +00000010 71 ce d5 59 fa a4 5f a7 b7 a0 37 4a 5c 6c 9c 85 |q..Y.._...7J\l..| +00000020 e5 df be 22 14 a5 75 e5 79 0f 0f f9 91 00 74 f3 |..."..u.y.....t.| +00000030 5f b9 2f a8 1b e4 4a d4 7b 7d 79 e1 81 e4 7e 6c |_./...J.{}y...~l| +00000040 7b b8 d4 c9 69 85 2a e7 4e 33 75 47 84 e6 7a 1c |{...i.*.N3uG..z.| +00000050 9f 14 76 07 2c 53 e0 ab ba 5a c6 e3 a4 08 12 9e |..v.,S...Z......| +00000060 99 15 ed ce 17 e1 6e 20 a8 f2 24 84 53 da c6 0f |......n ..$.S...| +00000070 2f d5 c7 bf 23 00 90 1f 9f af 0f f7 d6 ad f6 4a |/...#..........J| +00000080 3f 88 ec c2 a7 04 08 0f 97 e4 b5 6b a5 19 a4 98 |?..........k....| +00000090 f7 ab a3 e1 44 56 39 b0 1d 2d c4 59 a7 3c d6 b4 |....DV9..-.Y.<..| +000000a0 44 8d ae 56 0e d5 6b ab a4 33 da d1 c3 38 4b fe |D..V..k..3...8K.| +000000b0 cc 40 3b 78 67 26 50 dd 75 3e a5 23 37 05 32 cf |.@;xg&P.u>.#7.2.| +000000c0 b4 6d a3 c1 a3 83 f8 1d a4 80 7c e9 69 84 5c 55 |.m........|.i.\U| +000000d0 92 7a 99 d7 86 27 dc be 54 27 d3 1d 1e ad 01 6d |.z...'..T'.....m| +000000e0 58 27 e2 82 a1 e4 55 03 67 b9 ee 51 b1 2d f9 25 |X'....U.g..Q.-.%| +000000f0 28 a3 c7 44 08 b0 3b 60 46 23 2c 17 76 f2 78 1e |(..D..;`F#,.v.x.| +00000100 3c f2 b5 5c b0 1e 5d a7 9c e6 4f c3 ba 34 40 30 |<..\..]...O..4@0| +00000110 d6 e3 68 2a d6 d2 75 04 d5 44 2d 41 87 c8 96 |..h*..u..D-A...| +>>> Flow 12 (server to client) +00000000 16 03 03 00 85 77 11 78 f7 3a 59 c7 f1 a4 e6 6c |.....w.x.:Y....l| +00000010 3d e2 e0 1e 96 f7 2c d6 ce ef 27 3b 7f 37 cb bc |=.....,...';.7..| +00000020 8e ca c0 57 ab 03 1e cc d1 fb 6c 49 e2 89 48 a1 |...W......lI..H.| +00000030 84 00 a2 9b cb ae 2a ec 7c 60 9c 0c bf ff 07 ae |......*.|`......| +00000040 13 16 7b 7b a2 80 35 d3 5d 17 18 5a fb d8 87 46 |..{{..5.]..Z...F| +00000050 43 6e e7 e9 35 5f bb 5c 87 03 0d 3c 93 6d f9 9b |Cn..5_.\...<.m..| +00000060 28 b9 42 c3 ea f0 11 60 a1 f4 72 c0 f9 4c e9 36 |(.B....`..r..L.6| +00000070 77 c7 d0 e4 4b 7e d8 b4 68 d9 7f 97 bc 07 c5 4b |w...K~..h......K| +00000080 5e 11 1d ab 6e a4 24 41 2c d3 16 03 03 02 69 e7 |^...n.$A,.....i.| +00000090 68 ab 42 56 cb b5 70 a0 3b 63 c4 a6 10 49 1d d5 |h.BV..p.;c...I..| +000000a0 15 33 29 54 8f 36 a8 3c b7 8e 79 5a e7 45 6d cc |.3)T.6.<..yZ.Em.| +000000b0 c0 5f da 0a c1 13 56 b5 2d 8e 56 16 b4 ca 48 1d |._....V.-.V...H.| +000000c0 30 3f 58 c6 79 06 a2 c0 3f 6f 59 4a dc f0 09 5d |0?X.y...?oYJ...]| +000000d0 45 2a 23 4f ab 72 f4 4c 4d e0 05 44 7f 4c ab 25 |E*#O.r.LM..D.L.%| +000000e0 6f 9c 6a c4 cf c0 bd 86 03 c1 b2 b2 12 4e c2 0b |o.j..........N..| +000000f0 3e 8d 06 89 bb 46 70 79 51 33 eb 0d be ed 6e 0e |>....FpyQ3....n.| +00000100 33 08 48 53 2a 2a fb da 13 61 da 21 df 8b 74 85 |3.HS**...a.!..t.| +00000110 42 25 1f cf 7f 00 4c ca 80 9a 3d 25 07 da 22 bd |B%....L...=%..".| +00000120 17 47 75 e5 da 60 88 67 65 19 55 b6 05 fc 6d fa |.Gu..`.ge.U...m.| +00000130 9c 3d 19 fd 61 87 92 87 c5 95 80 06 d0 1a 71 7f |.=..a.........q.| +00000140 05 67 f3 f6 af da 35 1f d1 49 63 49 89 28 d1 21 |.g....5..IcI.(.!| +00000150 14 e0 06 14 14 83 a9 d9 86 21 68 0f 66 86 62 4d |.........!h.f.bM| +00000160 cc 7f 9e dc 79 fd eb 14 59 e7 cc bd 5c 29 86 4a |....y...Y...\).J| +00000170 5f 64 d2 7b 37 d1 72 4b ae 5b 12 c3 0c b0 a6 8a |_d.{7.rK.[......| +00000180 99 e5 89 e7 9e 76 1e 85 fc b6 ae 4b fd 20 8b 6a |.....v.....K. .j| +00000190 7d 7d 2b ff 11 d4 82 f0 2a d7 d6 9e e7 48 6e 1c |}}+.....*....Hn.| +000001a0 1d 33 2b 31 af aa 67 a7 66 b0 47 10 b8 f7 b8 0e |.3+1..g.f.G.....| +000001b0 0c ef 09 93 0a 42 2b 68 c8 30 cf d6 d4 8c 23 71 |.....B+h.0....#q| +000001c0 ef c3 bd f6 eb 74 b5 4e 1a 94 44 43 98 c8 ec b3 |.....t.N..DC....| +000001d0 51 10 44 2c f3 ae 27 c7 f3 5c 63 74 a8 1c f8 ff |Q.D,..'..\ct....| +000001e0 a9 38 c2 7f b4 66 fd 3b 9d a7 9c 7a 93 fd a3 09 |.8...f.;...z....| +000001f0 a6 51 c5 fd 6f 82 cc fb d2 58 bf 6e be 0d f2 4e |.Q..o....X.n...N| +00000200 2c 8c 08 6f 25 ae 82 bf b6 bf b7 71 44 b6 4f 90 |,..o%......qD.O.| +00000210 2e 1d 4e 1d 62 19 ee c7 4b 47 08 af 14 e3 cd 43 |..N.b...KG.....C| +00000220 fb 37 e0 d2 58 d7 03 7e f6 81 74 e9 a8 33 a2 7f |.7..X..~..t..3..| +00000230 06 94 5a 74 63 15 e1 f9 95 d3 b5 d6 52 e4 a4 5f |..Ztc.......R.._| +00000240 7d 16 3d 6e c6 53 3c 45 f5 f3 bc 91 7d 48 55 58 |}.=n.S\-p[.:t..c.z/..| +000002b0 4b 53 31 72 3d 20 89 60 8c 6e ce c7 07 d4 a9 6d |KS1r= .`.n.....m| +000002c0 28 76 a3 78 e0 ae 11 3f 31 e5 64 fe 35 39 d8 88 |(v.x...?1.d.59..| +000002d0 40 eb d0 f2 df db 1b 16 3a 11 33 ce 7c 63 cd 34 |@.......:.3.|c.4| +000002e0 17 8c a3 d5 d1 8f 34 21 a7 fa b3 8f f1 84 b0 06 |......4!........| +000002f0 d1 83 15 ac 26 1b 68 74 16 03 03 00 bc d2 f0 3d |....&.ht.......=| +00000300 2b a9 8c 75 e9 24 7a e8 0a ec 11 d7 cf 08 8e 5d |+..u.$z........]| +00000310 00 13 51 7f 2e 7a 6c 4b e2 35 c2 e0 9d c3 cb 79 |..Q..zlK.5.....y| +00000320 8f ec 2b 21 8f 96 4d b8 b8 0c b7 d8 d1 7f dc 5b |..+!..M........[| +00000330 85 8b b9 54 ba f6 65 76 5f b4 99 20 47 52 d8 96 |...T..ev_.. GR..| +00000340 ac 12 b0 84 77 9b 42 09 fe c4 cf b4 22 e3 e8 3c |....w.B....."..<| +00000350 a0 a0 e8 8e ab 61 0b 16 98 f3 bd ae 60 36 55 5a |.....a......`6UZ| +00000360 6b 85 8b 79 03 4f 65 15 83 06 45 eb c7 d9 de 41 |k..y.Oe...E....A| +00000370 53 0f 1f 12 ef 13 33 cc a6 fc 91 e4 7e a7 a3 31 |S.....3.....~..1| +00000380 6f 40 f4 d3 0e 2c 22 de 72 64 0d cd e0 e8 ee 21 |o@...,".rd.....!| +00000390 4b bd ef 53 78 9e 41 ce 04 96 3a 2f bc e7 41 6b |K..Sx.A...:/..Ak| +000003a0 e0 a8 9e 40 02 1b 09 ab 8b 37 4c 2b b4 bc e1 72 |...@.....7L+...r| +000003b0 06 af 88 24 75 6d 10 3a d5 16 03 03 00 14 8d 09 |...$um.:........| +000003c0 7b 2e 7a 58 f8 1c 63 44 0a a9 c4 5d 9f 5c cc 73 |{.zX..cD...].\.s| +000003d0 47 1a |G.| +>>> Flow 13 (client to server) +00000000 16 03 03 00 35 e1 bc fd 92 30 16 7d 71 c5 fc 15 |....5....0.}q...| +00000010 6f eb 98 2b 8c bb b6 d3 0b 6d 71 12 54 7d 08 a6 |o..+.....mq.T}..| +00000020 f1 a0 5b 37 6b 8b b7 f9 d6 11 53 c9 2c a4 b2 d3 |..[7k.....S.,...| +00000030 52 db 73 f4 75 3d 45 78 68 e5 14 03 03 00 11 51 |R.s.u=Exh......Q| +00000040 52 83 7e bd 5f 63 51 a4 1e 78 06 3b f1 f9 f8 a3 |R.~._cQ..x.;....| +00000050 16 03 03 00 20 44 02 6e 8f fe 3a 25 40 e5 63 29 |.... D.n..:%@.c)| +00000060 51 ce 94 55 cb 16 5a 9e 0d ec a8 73 f9 e8 46 06 |Q..U..Z....s..F.| +00000070 b5 98 7f c2 98 |.....| +>>> Flow 14 (server to client) +00000000 14 03 03 00 11 da c7 c6 7f 04 1e 65 7a cb 53 02 |...........ez.S.| +00000010 57 f7 6c f5 3b ca 16 03 03 00 20 9e 0e 55 81 35 |W.l.;..... ..U.5| +00000020 15 c9 22 94 be 1e f4 5e 1e 95 99 e5 ba 4a b6 1a |.."....^.....J..| +00000030 38 b5 31 25 85 4c a9 a8 39 fc 10 17 03 03 00 19 |8.1%.L..9.......| +00000040 61 c9 ca 41 f7 9d 66 08 bd 30 42 b2 7f 56 a7 46 |a..A..f..0B..V.F| +00000050 f4 23 18 30 c3 ec 96 cf 7f |.#.0.....| +>>> Flow 15 (client to server) +00000000 15 03 03 00 12 3a 24 58 49 ca a4 b1 6e 58 f2 e1 |.....:$XI...nX..| +00000010 df 3c c2 63 3d 59 e4 |.<.c=Y.| diff --git a/pkg/tls/testdata/Client-TLSv12-RenegotiateTwiceRejected b/pkg/tls/testdata/Client-TLSv12-RenegotiateTwiceRejected new file mode 100644 index 000000000..898f5f2b9 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-RenegotiateTwiceRejected @@ -0,0 +1,249 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 cc a3 9c c7 68 |....]...Y......h| +00000010 f8 de 98 95 45 68 9f 10 2e ba 1f cf 81 a9 51 52 |....Eh........QR| +00000020 14 b7 ed a8 36 5a 40 43 e8 e8 bb 20 9a 57 99 f3 |....6Z@C... .W..| +00000030 a8 be d3 2a 86 8d b5 9b af 91 83 13 00 33 5e 4e |...*.........3^N| +00000040 f3 1c 42 67 08 65 54 40 dc 88 fb 90 cc a8 00 00 |..Bg.eT@........| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 03 00 ac 0c 00 00 a8 03 00 1d 20 1e f7 67 |............ ..g| +000002d0 0a a6 d0 af 27 2d 0d 36 24 23 a5 97 90 ef 75 4a |....'-.6$#....uJ| +000002e0 fc 0b 12 91 5d 92 bd bf 2d 7c 0c a2 06 08 04 00 |....]...-|......| +000002f0 80 71 f3 c0 ff 7a 01 b2 15 21 06 ae a1 f8 fa b5 |.q...z...!......| +00000300 19 f2 d0 f6 25 b2 7e 9f f1 8a 1c a1 a8 5d 2a 0a |....%.~......]*.| +00000310 ec 42 5c f8 6e 8e 8d c9 38 53 d0 c2 f3 7d f3 c8 |.B\.n...8S...}..| +00000320 12 f1 30 4b 7f 9a 9e 7c f8 78 56 9c ff 11 fd 36 |..0K...|.xV....6| +00000330 60 c9 3d b5 f7 6e 0f 7a 22 aa 3d a1 30 98 93 1d |`.=..n.z".=.0...| +00000340 7c 48 1f 79 24 cd a6 c2 d2 e8 f6 90 fe 19 6f 0d ||H.y$.........o.| +00000350 3a a6 65 35 8d 19 e4 3c cb 3a 07 5e 62 57 3d 67 |:.e5...<.:.^bW=g| +00000360 37 fa 23 26 0a 92 db 30 16 a8 37 3d d2 16 9d e4 |7.#&...0..7=....| +00000370 a7 16 03 03 00 04 0e 00 00 00 |..........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 03 00 01 01 |....._X.;t......| +00000030 16 03 03 00 20 22 30 b4 cc f8 e7 83 e4 72 5a 41 |.... "0......rZA| +00000040 39 fa 92 4e ef c5 bb 6b 6e ec d5 55 9d 2f 53 99 |9..N...kn..U./S.| +00000050 72 b6 99 55 a6 |r..U.| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 20 b7 be 6c 7a 7f |.......... ..lz.| +00000010 00 e7 aa 12 ca 2d 29 6f eb f0 f1 5c 97 e5 d4 a2 |.....-)o...\....| +00000020 08 ab e3 04 ba e4 4d 15 08 ef 86 |......M....| +>>> Flow 5 (client to server) +00000000 17 03 03 00 16 5f 25 54 0e dd 48 23 b4 d9 00 3f |....._%T..H#...?| +00000010 1f 43 46 8e 32 64 3b 6a 42 70 ec |.CF.2d;jBp.| +>>> Flow 6 (server to client) +00000000 16 03 03 00 14 f7 db b2 a3 97 fd 00 16 52 c6 bf |.............R..| +00000010 57 78 21 37 02 02 ed 25 32 |Wx!7...%2| +>>> Flow 7 (client to server) +00000000 16 03 03 01 1a 9e a2 a0 cc d3 e9 25 e7 3c 11 9b |...........%.<..| +00000010 ab c4 a1 eb 5a 4a 5d c1 38 74 7e dc 8b 4c 1d 41 |....ZJ].8t~..L.A| +00000020 69 18 a6 b8 4c 67 3f 5b 90 50 ed f4 ab 34 ad 77 |i...Lg?[.P...4.w| +00000030 f6 28 f3 5b c9 db 16 ca 89 19 7c 90 f3 27 9e 0b |.(.[......|..'..| +00000040 8c ca 7e 9e a4 9e 2c ba 22 9e 85 be 8e ba 58 c7 |..~...,.".....X.| +00000050 c2 a3 da a2 55 ca 64 04 53 a5 92 43 8f 52 c0 63 |....U.d.S..C.R.c| +00000060 b5 9b 6d eb 0e 09 2e 0f 42 a7 c5 72 87 34 c2 d2 |..m.....B..r.4..| +00000070 9f 32 ce 25 58 be 94 21 4b d3 3b d8 9b 42 68 e3 |.2.%X..!K.;..Bh.| +00000080 27 75 a3 15 57 8b cf e0 a8 ac 23 94 8e 4a b0 92 |'u..W.....#..J..| +00000090 96 6f e4 a1 62 7d 24 67 92 b9 8a ec 76 1e bd ed |.o..b}$g....v...| +000000a0 1e 05 d9 c1 03 6c 6a 43 f6 22 8d bb c6 c0 58 7e |.....ljC."....X~| +000000b0 8e 49 f8 ef 9a 72 7c 3f 1b ff 98 fa 88 f4 ec b5 |.I...r|?........| +000000c0 47 b1 29 19 c8 85 98 86 bd 75 9a bc ad 02 30 41 |G.)......u....0A| +000000d0 21 e8 8f c1 69 d9 e0 b9 c2 b8 d7 91 8a 13 5b b5 |!...i.........[.| +000000e0 7f 9a df 12 2e 61 4c 54 b1 ca 12 dd bf 83 0b e7 |.....aLT........| +000000f0 68 fe 90 d9 2c 9c 86 9f 0e 57 19 e1 ba e5 2e c4 |h...,....W......| +00000100 f0 c4 b4 dd e5 0f 36 98 0f 94 26 cb 92 32 03 57 |......6...&..2.W| +00000110 78 15 19 3d bc 1e dd d1 46 28 24 06 c5 3d ed |x..=....F($..=.| +>>> Flow 8 (server to client) +00000000 16 03 03 00 85 90 29 5c 91 ed 28 4f 54 29 f4 e7 |......)\..(OT)..| +00000010 b2 41 c9 38 5d ec 4a 38 22 0d a9 13 e9 65 fe 8c |.A.8].J8"....e..| +00000020 a4 e8 1a a0 6e 07 d2 4d 35 55 a7 65 92 cd da 75 |....n..M5U.e...u| +00000030 ca 0e 61 e3 6a 83 a0 30 bb 03 2a 6a e8 f0 69 3f |..a.j..0..*j..i?| +00000040 95 8d 97 c3 1b ef 74 58 68 f0 88 82 16 96 62 0a |......tXh.....b.| +00000050 49 7f 5b ec ee a1 6b 14 f6 5b 17 88 80 f6 70 e2 |I.[...k..[....p.| +00000060 d9 a3 3a dc 46 65 63 ec 37 aa b6 53 a8 13 f3 44 |..:.Fec.7..S...D| +00000070 5b 16 bd 4b ce 03 da 6f ba 2c 6a 5d 71 45 db 49 |[..K...o.,j]qE.I| +00000080 1c 00 17 d5 d8 40 0a 14 bb e8 16 03 03 02 69 d3 |.....@........i.| +00000090 cf e0 f6 ea fa 19 64 e9 af c4 47 2e 0d a5 14 20 |......d...G.... | +000000a0 cd 7e 97 0d 45 16 85 34 e7 f0 ed c1 fe 3c 12 f2 |.~..E..4.....<..| +000000b0 3f 2e f5 93 b0 95 f5 2c cd b1 ab 4b 8b e7 0d af |?......,...K....| +000000c0 7d 99 41 1e 9e 9e 18 90 6c e3 35 15 0b 89 fe 0f |}.A.....l.5.....| +000000d0 2f a2 e5 5c 67 bd 07 54 af 23 f2 ab 59 de 71 a2 |/..\g..T.#..Y.q.| +000000e0 5e 04 21 2c d9 da bf 3a 41 53 18 c8 c9 d5 82 ac |^.!,...:AS......| +000000f0 ba 31 25 fe e8 0f 94 c8 41 42 a0 43 d3 3f fb ea |.1%.....AB.C.?..| +00000100 0a b5 3f 66 ff da 49 a9 1b 20 f6 26 b3 48 4a 75 |..?f..I.. .&.HJu| +00000110 3f 88 74 d9 54 71 af d1 05 e3 9d 32 41 08 b8 8f |?.t.Tq.....2A...| +00000120 a9 fb f9 dd 5a c0 10 23 0d 8c 60 33 c1 2e b5 57 |....Z..#..`3...W| +00000130 dc 4c e2 95 82 be d0 39 10 f9 8c 48 62 df 11 f5 |.L.....9...Hb...| +00000140 d8 be 5e 46 26 3b 44 3a 36 31 8c 53 4e c6 6e 65 |..^F&;D:61.SN.ne| +00000150 28 e1 db 36 07 73 38 00 64 d6 ae fb 4e 35 a1 89 |(..6.s8.d...N5..| +00000160 03 f7 f3 22 5e 7a 69 0b 6c fa c2 5a d3 b1 ba ad |..."^zi.l..Z....| +00000170 e8 af 1f 21 31 c6 9d be 24 5d 4a f4 c3 69 61 36 |...!1...$]J..ia6| +00000180 8f ce 81 10 d4 99 82 94 66 53 f7 50 dd e3 d0 5a |........fS.P...Z| +00000190 ce 79 d8 0f 43 09 2a 2b 67 da 31 b5 0c ff c6 32 |.y..C.*+g.1....2| +000001a0 13 a4 cd 26 1d 16 49 24 45 f8 24 40 12 ea 7a f1 |...&..I$E.$@..z.| +000001b0 33 47 2d b7 1f 09 b4 fc 7e 00 dc 0d 3f a8 52 11 |3G-.....~...?.R.| +000001c0 f6 03 b0 c0 87 e4 be f7 0c 2b 6a c9 e5 ef 00 62 |.........+j....b| +000001d0 6d b6 b3 93 5f 60 08 f0 4f 3f be b7 8e 02 a8 c8 |m..._`..O?......| +000001e0 5f 38 0a 6d c1 f3 4d df 49 b5 6d 31 80 d9 5b 81 |_8.m..M.I.m1..[.| +000001f0 99 45 5d 43 cb 58 4e 28 5f 4f 6f e8 49 de cf ab |.E]C.XN(_Oo.I...| +00000200 2a ab 85 7a ef 9f 10 77 00 9e 38 99 57 25 14 40 |*..z...w..8.W%.@| +00000210 47 46 4a 30 4e 6a 75 f0 51 de 37 a0 6f 9a e6 17 |GFJ0Nju.Q.7.o...| +00000220 f5 6b 48 16 62 0d 38 2d 3f 99 ff 94 b3 e7 6e 5b |.kH.b.8-?.....n[| +00000230 3d 6f 15 5a e2 df c3 45 66 d6 52 1d a3 79 eb 01 |=o.Z...Ef.R..y..| +00000240 94 3a 4f 30 2e 6b 30 82 8e 58 3b 9a fe c8 a1 a2 |.:O0.k0..X;.....| +00000250 84 8b cd 0b 71 16 9e ea 81 23 b7 78 29 ba 5a 59 |....q....#.x).ZY| +00000260 8c 89 60 8c f8 d4 a9 80 02 b9 fb 41 fc 21 3f 4a |..`........A.!?J| +00000270 0f b3 c1 13 eb 07 f9 a0 13 d1 aa 3d c3 83 1e 53 |...........=...S| +00000280 b3 b6 f9 61 51 28 60 ab 1f 5e f0 f5 e4 94 43 c2 |...aQ(`..^....C.| +00000290 fc 53 aa d7 a3 47 f0 2e a0 e2 12 ee 21 c0 f6 81 |.S...G......!...| +000002a0 cc 60 51 66 1b fc e9 f2 64 78 d3 b3 0c 96 6b b5 |.`Qf....dx....k.| +000002b0 dc 22 7f d1 90 e9 ec ae 2f 50 81 b8 16 e7 07 83 |."....../P......| +000002c0 db 75 8c b0 fd 63 a5 c9 b1 bc 01 08 e6 53 86 3c |.u...c.......S.<| +000002d0 fe 98 67 ef 7a 7a 0a 33 2c 0b d7 57 25 8f 9d d2 |..g.zz.3,..W%...| +000002e0 ce ba 62 2c 81 f9 f9 87 6c a3 64 ba 32 34 23 02 |..b,....l.d.24#.| +000002f0 97 d7 42 cf f2 04 a9 08 16 03 03 00 bc c2 93 00 |..B.............| +00000300 26 dc ce 86 67 d7 7d 15 52 0e de 5c 2c 87 da 62 |&...g.}.R..\,..b| +00000310 4a 4f f5 cf 95 b0 c0 df 09 4a 4f 59 01 04 4b 3b |JO.......JOY..K;| +00000320 db 90 f7 ec 64 5a 71 1a 34 6c 67 ff e6 88 b1 39 |....dZq.4lg....9| +00000330 67 11 84 fc 30 26 16 00 2c 8e 0e e5 bd 3f d9 24 |g...0&..,....?.$| +00000340 46 ad c9 71 bc 2a c0 09 11 32 36 38 38 91 8d 96 |F..q.*...2688...| +00000350 73 e5 8b a4 b7 6e fb 80 fc 68 d5 a8 c7 ff 04 00 |s....n...h......| +00000360 b8 31 e8 30 17 97 db 43 ba b3 d8 4e 9f 48 c6 4b |.1.0...C...N.H.K| +00000370 23 7a a0 cb 2f 68 db 02 f2 f0 df 38 8f 4c d8 a8 |#z../h.....8.L..| +00000380 f5 27 e5 fe ca 10 2c 26 51 3c 37 07 14 66 93 9b |.'....,&Q<7..f..| +00000390 15 b0 c9 e2 f2 78 74 4d c6 e4 42 79 ff f1 cf 9d |.....xtM..By....| +000003a0 a1 c6 a5 5b 7f 4d 85 b3 fb 2b 46 96 c9 49 99 b6 |...[.M...+F..I..| +000003b0 08 58 8e 6f 95 1e 2e 6d 93 16 03 03 00 4a 55 ef |.X.o...m.....JU.| +000003c0 94 9b f2 d3 38 44 2c 39 17 07 2f 2c 76 0b c0 81 |....8D,9../,v...| +000003d0 d4 0b 5c df cf c3 07 62 c8 dc 82 bb 92 04 84 76 |..\....b.......v| +000003e0 e2 74 57 21 f6 7f ee 8f 5f c8 57 bd 97 c8 35 e7 |.tW!...._.W...5.| +000003f0 25 12 00 4b 72 c0 de c4 9e 82 5a 4d bf 05 f9 ab |%..Kr.....ZM....| +00000400 b1 5c 2e 64 66 38 95 0a 16 03 03 00 14 35 f4 4d |.\.df8.......5.M| +00000410 20 b9 38 cb 40 3e 46 83 28 b0 c7 19 ba 83 6a cd | .8.@>F.(.....j.| +00000420 e4 |.| +>>> Flow 9 (client to server) +00000000 16 03 03 02 69 6d 51 fa 86 0f dd 19 19 7a e9 f5 |....imQ......z..| +00000010 40 f7 4f 7a 10 c0 33 01 b8 14 32 92 7b 92 e0 c0 |@.Oz..3...2.{...| +00000020 04 84 cf 1c d8 15 2a be 12 0b 65 15 f2 bc 96 cf |......*...e.....| +00000030 9e d7 eb 5a f6 06 ee b0 8e e4 fc b9 c6 d6 81 52 |...Z...........R| +00000040 c1 4c a9 d7 33 a1 f8 b6 cd 79 eb 7d 44 5a 99 c0 |.L..3....y.}DZ..| +00000050 5b 8b 9d 8c 93 53 b6 27 f2 a0 e2 7a a2 66 de 3f |[....S.'...z.f.?| +00000060 65 0d 13 14 09 8b 1c 2a 85 7d 24 26 9a 64 b2 d1 |e......*.}$&.d..| +00000070 7c 10 ce b2 1e 86 df f1 a8 2c 2a 47 ae fe fe 1c ||........,*G....| +00000080 23 14 eb 78 40 bf 88 25 db 1a 7e 60 4d 3e b8 cb |#..x@..%..~`M>..| +00000090 7d 3c 2f d1 a7 6b 22 ee 99 21 88 50 d7 2d 06 2d |}.t..N.%.....7V.| +000001b0 fc 69 fe ad 75 67 34 7b ac e4 4f d5 82 b9 36 3e |.i..ug4{..O...6>| +000001c0 74 51 a5 32 3b 77 27 15 22 d8 8b c9 ad a6 98 5b |tQ.2;w'."......[| +000001d0 c5 4e 8d 62 bf ef 2d 41 b8 6d 5b 09 13 b3 40 ea |.N.b..-A.m[...@.| +000001e0 19 c4 08 78 e3 c1 a1 5e 05 a3 79 6a 27 d5 41 3e |...x...^..yj'.A>| +000001f0 c5 a6 f4 20 4c 93 92 77 c5 4a e8 1f f5 4b 83 87 |... L..w.J...K..| +00000200 66 40 c2 c1 aa 89 69 00 5b fb 54 94 1f b7 39 cd |f@....i.[.T...9.| +00000210 cd 9b 53 ad 08 63 30 05 e4 72 33 f0 ba b9 9d d9 |..S..c0..r3.....| +00000220 d1 fe c3 fc de 07 a2 a3 b2 85 0b 33 4a bd 54 77 |...........3J.Tw| +00000230 53 7c 8e 70 ed 9f ae 9d 2f 56 19 ce d6 1b 7a 64 |S|.p..../V....zd| +00000240 80 72 bc 86 b7 1a d6 5b ac a2 0c b2 c4 fa 79 f2 |.r.....[......y.| +00000250 16 7f 06 01 47 d3 f3 9b 4b 24 e2 f7 6b 33 45 4e |....G...K$..k3EN| +00000260 b0 84 f8 f6 4d b4 4a 3f 37 20 49 77 ff 6f 16 03 |....M.J?7 Iw.o..| +00000270 03 00 35 3b d6 d8 46 3a 93 f9 f4 29 b3 b7 9c cf |..5;..F:...)....| +00000280 b9 2d 90 58 78 91 ee d5 30 bd 59 e2 5a 1f 30 8c |.-.Xx...0.Y.Z.0.| +00000290 6e f9 1e d8 64 85 aa 1c 8b 41 10 07 d5 b2 7d 55 |n...d....A....}U| +000002a0 13 73 ad 0e 2d e0 d4 ff 16 03 03 00 98 75 4a 72 |.s..-........uJr| +000002b0 0f 07 ff 07 e3 80 96 7d c6 1b ab b8 c4 fc 38 0f |.......}......8.| +000002c0 f6 f8 f9 06 95 d4 7b 93 85 0f b3 34 11 cd 70 6f |......{....4..po| +000002d0 9b 3b a3 33 e5 fe e7 6a df 4b 02 e1 91 18 f3 e2 |.;.3...j.K......| +000002e0 3e d0 7c e4 95 c2 e7 ef dc 20 c3 6b b7 9e 1d 9a |>.|...... .k....| +000002f0 8c 23 c7 22 91 e7 7d 17 e4 5e 02 39 c3 6a b3 46 |.#."..}..^.9.j.F| +00000300 31 32 4a 8b 7b 0a 4a f4 51 ba a7 01 58 a9 bc 52 |12J.{.J.Q...X..R| +00000310 64 a9 e2 93 ad 34 c8 16 ad 66 67 e3 e7 3c 2c 66 |d....4...fg..<,f| +00000320 59 e8 df f7 cf 96 00 57 85 63 f1 4b 45 c6 8a e7 |Y......W.c.KE...| +00000330 54 9f 22 0c 74 2e 0c 1a cb df d0 98 55 bc d1 fd |T.".t.......U...| +00000340 2a e2 73 eb 1b 14 03 03 00 11 02 c8 fe cd 2a 0d |*.s...........*.| +00000350 c2 35 3c ff dd 23 e7 15 bf fe a0 16 03 03 00 20 |.5<..#......... | +00000360 7b ea 15 d3 2d 51 57 39 76 4b ef 16 0d 19 5d e0 |{...-QW9vK....].| +00000370 22 5e 68 19 c9 94 7e e9 67 41 12 85 2c e2 7c b8 |"^h...~.gA..,.|.| +>>> Flow 10 (server to client) +00000000 14 03 03 00 11 6b a1 f5 7f f5 64 ff 54 2a 67 95 |.....k....d.T*g.| +00000010 f5 25 5b fe 38 39 16 03 03 00 20 be 49 c4 6c 7a |.%[.89.... .I.lz| +00000020 12 cf 16 5b 1c b3 14 53 79 3e 8d 01 85 75 91 1a |...[...Sy>...u..| +00000030 3a fe bc a9 c5 11 3f d5 88 4b 3e 17 03 03 00 19 |:.....?..K>.....| +00000040 89 9c 38 5f 11 ba 1e 81 8a 09 ae 95 03 28 47 6c |..8_.........(Gl| +00000050 db 9b 38 9d e7 37 75 01 af 16 03 03 00 14 c3 86 |..8..7u.........| +00000060 cd a6 a3 dd 62 c9 4b be e5 2d 3f 31 a0 cc 87 f8 |....b.K..-?1....| +00000070 78 61 |xa| +>>> Flow 11 (client to server) +00000000 15 03 03 00 12 35 45 94 25 9c 40 dd df 00 a9 13 |.....5E.%.@.....| +00000010 f2 7c 47 63 98 22 c5 15 03 03 00 12 60 26 66 bb |.|Gc."......`&f.| +00000020 8b 92 9d da 32 e3 97 92 ae 89 a9 2a d0 9a |....2......*..| diff --git a/pkg/tls/testdata/Client-TLSv12-RenegotiationRejected b/pkg/tls/testdata/Client-TLSv12-RenegotiationRejected new file mode 100644 index 000000000..8307ee39d --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-RenegotiationRejected @@ -0,0 +1,96 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 8a 1d c8 bd c6 |....]...Y.......| +00000010 43 4c 78 5c 99 f4 8f e3 72 4b 73 a3 20 10 5b 8b |CLx\....rKs. .[.| +00000020 3e 04 7f 4c 5c 58 fb d5 ed c6 d9 20 ff 23 98 81 |>..L\X..... .#..| +00000030 0a 7f d2 f4 ed ae 87 2e ad e7 a9 60 31 b1 36 ab |...........`1.6.| +00000040 f4 b6 cc 98 a0 8b 62 ca 57 ed 58 87 cc a8 00 00 |......b.W.X.....| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 03 00 ac 0c 00 00 a8 03 00 1d 20 ba 3a 8d |............ .:.| +000002d0 07 bd 2e fa bd 85 70 45 e9 b6 eb 1f 2c 15 a2 15 |......pE....,...| +000002e0 d7 29 2c a9 a8 ec 46 b0 77 0a 49 c2 49 08 04 00 |.),...F.w.I.I...| +000002f0 80 5c a8 eb 85 8d 5f 01 9f 19 b8 6b 9a 66 ed 07 |.\...._....k.f..| +00000300 ad e9 2e 85 c1 b8 94 56 17 84 0d d4 14 7b e2 c1 |.......V.....{..| +00000310 89 80 f5 92 31 a0 90 6f 59 fb e7 af a9 e9 6d f3 |....1..oY.....m.| +00000320 72 aa aa e5 d9 4c d9 ac bb 05 ac 51 e2 3f 64 05 |r....L.....Q.?d.| +00000330 e8 e4 fd 80 b3 b9 6f 54 91 13 72 8d 45 ea 0f 13 |......oT..r.E...| +00000340 f7 22 19 92 ce 66 fc d0 be af d3 8e 01 ef a5 7a |."...f.........z| +00000350 08 6e f3 f7 28 55 33 bf e9 2a b6 60 d5 32 3f df |.n..(U3..*.`.2?.| +00000360 e7 df 11 21 e4 c5 6e 13 bb f7 ad c7 ca 2e 11 2e |...!..n.........| +00000370 22 16 03 03 00 04 0e 00 00 00 |".........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 03 00 01 01 |....._X.;t......| +00000030 16 03 03 00 20 46 20 45 1d b3 e5 62 1d 89 b7 67 |.... F E...b...g| +00000040 23 76 0b f4 fb c3 fd 57 80 09 ee 69 e3 ad bb 42 |#v.....W...i...B| +00000050 56 55 b6 6b 73 |VU.ks| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 20 69 d6 1d dd 67 |.......... i...g| +00000010 bb 02 a5 41 a5 11 6d e2 54 9a e8 c7 e5 b5 60 b5 |...A..m.T.....`.| +00000020 77 fb e6 61 22 c7 0d 2f bb bf d4 |w..a"../...| +>>> Flow 5 (client to server) +00000000 17 03 03 00 16 bb a9 4d d8 15 fc 1f 99 96 03 80 |.......M........| +00000010 5e fc b5 f8 ac 14 10 82 f5 08 c6 |^..........| +>>> Flow 6 (server to client) +00000000 16 03 03 00 14 0f 7d 98 6c 60 b3 cc cf c5 f3 0a |......}.l`......| +00000010 8f d2 40 6a 5b e5 45 1b 8b |..@j[.E..| +>>> Flow 7 (client to server) +00000000 15 03 03 00 12 f4 9f 10 dc f2 69 4c 21 0c a0 8f |..........iL!...| +00000010 6b fd aa a1 93 9a 3a 15 03 03 00 12 be 68 f2 b8 |k.....:......h..| +00000020 8b 0d a5 1f 98 f0 c2 dd d4 0a 8c 46 b8 f5 |...........F..| diff --git a/pkg/tls/testdata/Client-TLSv12-SCT b/pkg/tls/testdata/Client-TLSv12-SCT new file mode 100644 index 000000000..01fa29926 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-SCT @@ -0,0 +1,114 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 01 ca 02 00 01 c6 03 03 37 df c1 4d 8a |...........7..M.| +00000010 eb 27 a3 6c ec 70 05 9f f0 86 80 01 6e ad 88 55 |.'.l.p......n..U| +00000020 f2 1a 44 fb 42 d6 03 5d f8 74 18 20 0a f5 d0 22 |..D.B..].t. ..."| +00000030 aa f2 9f e3 9a 0c 86 27 2e 66 be d5 3a c2 4d 77 |.......'.f..:.Mw| +00000040 f8 5e 78 2b 71 ab 5e 0a 09 bc e1 d6 cc a8 00 01 |.^x+q.^.........| +00000050 7e 00 12 01 69 01 67 00 75 00 a4 b9 09 90 b4 18 |~...i.g.u.......| +00000060 58 14 87 bb 13 a2 cc 67 70 0a 3c 35 98 04 f9 1b |X......gp.<5....| +00000070 df b8 e3 77 cd 0e c8 0d dc 10 00 00 01 47 97 99 |...w.........G..| +00000080 ee 16 00 00 04 03 00 46 30 44 02 20 1c 4b 82 5d |.......F0D. .K.]| +00000090 95 6e 67 5b db 04 95 4b f6 ce f4 32 3e 86 7a 7a |.ng[...K...2>.zz| +000000a0 32 ab 18 60 74 de 08 da 05 91 4c 2f 02 20 73 54 |2..`t.....L/. sT| +000000b0 1b 6e 7f a1 b0 7d 11 bc e6 f3 85 2f 97 66 1a f7 |.n...}...../.f..| +000000c0 8a e4 10 25 8f 12 f4 6f 39 0f d2 9e 18 f0 00 76 |...%...o9......v| +000000d0 00 68 f6 98 f8 1f 64 82 be 3a 8c ee b9 28 1d 4c |.h....d..:...(.L| +000000e0 fc 71 51 5d 67 93 d4 44 d1 0a 67 ac bb 4f 4f fb |.qQ]g..D..g..OO.| +000000f0 c4 00 00 01 47 97 e1 b5 70 00 00 04 03 00 47 30 |....G...p.....G0| +00000100 45 02 20 32 21 14 38 06 d8 72 2e 00 30 64 1a e2 |E. 2!.8..r..0d..| +00000110 e8 6d 4e 5a e1 d9 42 1e 82 4b 96 25 89 d5 26 13 |.mNZ..B..K.%..&.| +00000120 d3 9c fa 02 21 00 8f 12 28 64 51 4f 44 d5 8c 18 |....!...(dQOD...| +00000130 62 23 b2 43 93 33 05 f3 43 55 a1 d9 ee cd c5 71 |b#.C.3..CU.....q| +00000140 35 91 dd 49 d1 0b 00 76 00 ee 4b bd b7 75 ce 60 |5..I...v..K..u.`| +00000150 ba e1 42 69 1f ab e1 9e 66 a3 0f 7e 5f b0 72 d8 |..Bi....f..~_.r.| +00000160 83 00 c4 7b 89 7a a8 fd cb 00 00 01 48 5c 64 8a |...{.z......H\d.| +00000170 87 00 00 04 03 00 47 30 45 02 20 29 89 d6 b0 53 |......G0E. )...S| +00000180 d3 d2 e9 91 bc f1 b5 40 be 1e 2e e7 5c b4 74 27 |.......@....\.t'| +00000190 ed 8f 9b 02 e9 fa c2 4c ba a2 be 02 21 00 af 43 |.......L....!..C| +000001a0 64 52 71 15 29 58 40 91 c7 08 16 96 03 a8 73 a5 |dRq.)X@.......s.| +000001b0 65 a0 6c b8 48 56 5a b6 29 83 64 6d 2a 9d ff 01 |e.l.HVZ.).dm*...| +000001c0 00 01 00 00 0b 00 04 03 00 01 02 00 17 00 00 16 |................| +000001d0 03 03 02 59 0b 00 02 55 00 02 52 00 02 4f 30 82 |...Y...U..R..O0.| +000001e0 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 00 e8 f0 |.K0.............| +000001f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 86 f7 0d |.?.[..0...*.H...| +00000200 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 55 04 0a |.....0.1.0...U..| +00000210 13 02 47 6f 31 10 30 0e 06 03 55 04 03 13 07 47 |..Go1.0...U....G| +00000220 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 31 30 31 |o Root0...160101| +00000230 30 30 30 30 30 30 5a 17 0d 32 35 30 31 30 31 30 |000000Z..2501010| +00000240 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 03 55 04 |00000Z0.1.0...U.| +00000250 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 03 13 02 |...Go1.0...U....| +00000260 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 |Go0..0...*.H....| +00000270 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 db |........0.......| +00000280 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab 7e c4 b6 |F}...'.H..(!.~..| +00000290 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d 92 42 5b |.]..RE.z6G....B[| +000002a0 c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd 2b 13 8b |.....y.@.Om..+..| +000002b0 c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a 0b 74 73 |...g....."8.J.ts| +000002c0 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 9f 6c 61 |+.4......t{.X.la| +000002d0 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c 3b bd 75 |<..A..++$#w[.;.u| +000002e0 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 1d 1a 50 |]. T..c...$....P| +000002f0 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 52 d7 02 |....C...ub...R..| +00000300 03 01 00 01 a3 81 93 30 81 90 30 0e 06 03 55 1d |.......0..0...U.| +00000310 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 03 55 1d |..........0...U.| +00000320 25 04 16 30 14 06 08 2b 06 01 05 05 07 03 01 06 |%..0...+........| +00000330 08 2b 06 01 05 05 07 03 02 30 0c 06 03 55 1d 13 |.+.......0...U..| +00000340 01 01 ff 04 02 30 00 30 19 06 03 55 1d 0e 04 12 |.....0.0...U....| +00000350 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d b6 80 d7 |......CC>I..m...| +00000360 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 80 10 48 |.`0...U.#..0...H| +00000370 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab 6e 7b 30 |.IM.~.1......n{0| +00000380 19 06 03 55 1d 11 04 12 30 10 82 0e 65 78 61 6d |...U....0...exam| +00000390 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 09 2a 86 |ple.golang0...*.| +000003a0 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 9d 30 cc |H.............0.| +000003b0 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed 83 28 a9 |@+[P.a...SX...(.| +000003c0 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 3d 43 d3 |X..8....1Z..f=C.| +000003d0 2d d9 0b f2 97 df d3 20 64 38 92 24 3a 00 bc cf |-...... d8.$:...| +000003e0 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 76 fd 13 |.}.@ ._...a..v..| +000003f0 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed 73 bb b3 |....\.....l..s..| +00000400 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 4c 72 2b |Cw.......@.a.Lr+| +00000410 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 |...F..M...>...B.| +00000420 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 16 03 03 |..=.`.\!.;......| +00000430 00 ac 0c 00 00 a8 03 00 1d 20 63 41 30 1c 95 79 |......... cA0..y| +00000440 1b a6 85 f4 e1 b6 d7 f5 82 e2 4f 2b ae cd 7b 4b |..........O+..{K| +00000450 20 e2 7e 43 f1 59 e5 83 92 55 08 04 00 80 5c aa | .~C.Y...U....\.| +00000460 39 6d 57 d3 b6 15 4d 9e c8 e1 dc 50 b3 89 69 99 |9mW...M....P..i.| +00000470 da 07 64 74 c4 ab d3 83 f0 9b fc 3a da 26 9f ce |..dt.......:.&..| +00000480 37 e9 7a 50 e5 70 d1 71 0b 0d 73 03 9c c1 3f 81 |7.zP.p.q..s...?.| +00000490 f9 1d 57 32 6b 48 50 1d 5d 7d 64 56 f0 c9 8c 69 |..W2kHP.]}dV...i| +000004a0 d6 91 15 85 95 9a 0c 76 f0 9c d2 fe d4 df 65 00 |.......v......e.| +000004b0 a1 cc 65 4a a2 8e 06 fc 50 77 ff 00 44 b5 cc f5 |..eJ....Pw..D...| +000004c0 9f 39 2f 95 72 4f 51 af 21 09 6a 6a 21 60 24 65 |.9/.rOQ.!.jj!`$e| +000004d0 78 20 9b 06 0e 24 1b 79 f2 8d 15 35 49 44 16 03 |x ...$.y...5ID..| +000004e0 03 00 04 0e 00 00 00 |.......| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 03 00 01 01 |....._X.;t......| +00000030 16 03 03 00 20 d0 2b f9 13 8b 71 de 1b 1d 63 2e |.... .+...q...c.| +00000040 66 05 12 ee 11 d5 9b 75 ee 51 fa 42 fa 5d 86 eb |f......u.Q.B.]..| +00000050 f0 c5 c5 cb 5b |....[| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 20 71 ac 7b 2e ba |.......... q.{..| +00000010 d5 7e 70 6c 7c 94 0e 55 0f 65 8c 1d ff 5e 79 d6 |.~pl|..U.e...^y.| +00000020 21 9b 8a f4 82 35 69 b8 5a d9 1a |!....5i.Z..| +>>> Flow 5 (client to server) +00000000 17 03 03 00 16 82 6e 37 1a 95 19 06 bf da ca 8c |......n7........| +00000010 f4 07 3a 63 69 c7 00 ce 5c b9 bf 15 03 03 00 12 |..:ci...\.......| +00000020 eb 05 f5 6f 8c 59 16 ed 26 1b f9 1f 2e 4e b8 89 |...o.Y..&....N..| +00000030 80 77 |.w| diff --git a/pkg/tls/testdata/Client-TLSv12-X25519-ECDHE b/pkg/tls/testdata/Client-TLSv12-X25519-ECDHE new file mode 100644 index 000000000..372abea6d --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv12-X25519-ECDHE @@ -0,0 +1,92 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 f8 01 00 00 f4 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 79 00 05 00 05 01 00 00 00 00 00 0a 00 |...y............| +00000090 04 00 02 00 1d 00 0b 00 02 01 00 00 0d 00 1a 00 |................| +000000a0 18 08 04 04 03 08 07 08 05 08 06 04 01 05 01 06 |................| +000000b0 01 05 03 06 03 02 01 02 03 ff 01 00 01 00 00 17 |................| +000000c0 00 00 00 12 00 00 00 2b 00 09 08 03 04 03 03 03 |.......+........| +000000d0 02 03 01 00 33 00 26 00 24 00 1d 00 20 2f e5 7d |....3.&.$... /.}| +000000e0 a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 |.G.bC.(.._.).0..| +000000f0 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 |........_X.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 5d 02 00 00 59 03 03 19 05 85 f6 4a |....]...Y......J| +00000010 53 c9 c6 4f ac 38 b7 cc d8 5d 00 dc 3b 97 9c 0d |S..O.8...]..;...| +00000020 d0 e0 9f d8 71 28 a1 ab e8 b7 cc 20 a6 a4 8c 69 |....q(..... ...i| +00000030 6e 9c ee ae 75 14 b8 0f 93 b3 c2 82 ff 01 9b d7 |n...u...........| +00000040 25 90 d7 53 02 6d 3b ec e9 1a 21 e5 c0 2f 00 00 |%..S.m;...!../..| +00000050 11 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 17 |................| +00000060 00 00 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 |......Y...U..R..| +00000070 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 |O0..K0..........| +00000080 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 |....?.[..0...*.H| +00000090 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 |........0.1.0...| +000000a0 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 |U....Go1.0...U..| +000000b0 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 |..Go Root0...160| +000000c0 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 |101000000Z..2501| +000000d0 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 |01000000Z0.1.0..| +000000e0 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 |.U....Go1.0...U.| +000000f0 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |...Go0..0...*.H.| +00000100 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +00000110 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab |...F}...'.H..(!.| +00000120 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d |~...]..RE.z6G...| +00000130 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd |.B[.....y.@.Om..| +00000140 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a |+.....g....."8.J| +00000150 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 |.ts+.4......t{.X| +00000160 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c |.la<..A..++$#w[.| +00000170 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 |;.u]. T..c...$..| +00000180 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 |..P....C...ub...| +00000190 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 |R.........0..0..| +000001a0 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 |.U...........0..| +000001b0 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 |.U.%..0...+.....| +000001c0 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 |....+.......0...| +000001d0 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d |U.......0.0...U.| +000001e0 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d |.........CC>I..m| +000001f0 b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 |....`0...U.#..0.| +00000200 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab |..H.IM.~.1......| +00000210 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 |n{0...U....0...e| +00000220 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 |xample.golang0..| +00000230 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 |.*.H............| +00000240 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed |.0.@+[P.a...SX..| +00000250 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 |.(.X..8....1Z..f| +00000260 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a |=C.-...... d8.$:| +00000270 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 |....}.@ ._...a..| +00000280 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed |v......\.....l..| +00000290 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 |s..Cw.......@.a.| +000002a0 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 |Lr+...F..M...>..| +000002b0 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 |.B...=.`.\!.;...| +000002c0 16 03 03 00 ac 0c 00 00 a8 03 00 1d 20 3d 1d f3 |............ =..| +000002d0 d4 cb 57 6a d8 c4 23 34 84 30 2a 80 02 0c 86 de |..Wj..#4.0*.....| +000002e0 94 ae c8 78 07 f5 0c eb 61 f2 2f a6 2d 08 04 00 |...x....a./.-...| +000002f0 80 08 5e b0 4b ed 7b e1 48 45 80 6a 63 5c 1e 9a |..^.K.{.HE.jc\..| +00000300 01 4e f1 c3 92 b2 a4 83 18 ee 55 01 36 55 57 59 |.N........U.6UWY| +00000310 84 46 70 60 43 32 05 25 18 de 05 76 24 57 69 a3 |.Fp`C2.%...v$Wi.| +00000320 34 a6 bd 4c b5 45 2c 6e 63 81 a3 82 a7 4a a5 5f |4..L.E,nc....J._| +00000330 27 c2 a2 58 2b 77 9f cf cb 63 e0 2b da 75 eb 9c |'..X+w...c.+.u..| +00000340 6e 6b cd d5 ae 59 8d c8 0f c6 34 30 68 42 67 d5 |nk...Y....40hBg.| +00000350 1f e7 b1 22 60 b5 ca 4b a5 bd ce a0 44 50 df 45 |..."`..K....DP.E| +00000360 8b d8 e4 04 53 8a f8 fa 91 b2 09 fb 42 92 5f dd |....S.......B._.| +00000370 05 16 03 03 00 04 0e 00 00 00 |..........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 2f e5 7d a3 47 cd |....%...! /.}.G.| +00000010 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af c4 |bC.(.._.).0.....| +00000020 cf c2 ed 90 99 5f 58 cb 3b 74 14 03 03 00 01 01 |....._X.;t......| +00000030 16 03 03 00 28 00 00 00 00 00 00 00 00 bb 7a 8d |....(.........z.| +00000040 2b 4d 9e e9 b6 b7 bf 30 e3 fd 4b e6 2e 6c ba 61 |+M.....0..K..l.a| +00000050 2b 15 58 52 d0 70 36 e5 da 64 21 28 06 |+.XR.p6..d!(.| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 28 11 6b 33 c7 32 |..........(.k3.2| +00000010 9b 34 14 98 1d 90 97 cc 3a fe c1 98 f7 9d e3 dc |.4......:.......| +00000020 dc f2 e2 34 c9 5d aa 5b 02 e3 9f 33 88 5b 21 65 |...4.].[...3.[!e| +00000030 b0 f1 36 |..6| +>>> Flow 5 (client to server) +00000000 17 03 03 00 1e 00 00 00 00 00 00 00 01 4b 49 39 |.............KI9| +00000010 01 d1 34 c1 b9 72 f6 25 39 c9 e6 77 5c f3 7a 4f |..4..r.%9..w\.zO| +00000020 fa f7 43 15 03 03 00 1a 00 00 00 00 00 00 00 02 |..C.............| +00000030 99 cf 0c 0e 51 f8 37 22 50 2e 98 30 bc 13 e9 f5 |....Q.7"P..0....| +00000040 d3 75 |.u| diff --git a/pkg/tls/testdata/Client-TLSv13-AES128-SHA256 b/pkg/tls/testdata/Client-TLSv13-AES128-SHA256 new file mode 100644 index 000000000..1097116b7 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv13-AES128-SHA256 @@ -0,0 +1,91 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 0e f8 bf 2d c5 |....z...v.....-.| +00000010 14 c9 b0 54 dd 64 27 22 ce 6e e1 cb 24 46 76 5c |...T.d'".n..$Fv\| +00000020 3c 6b cf 3a 1a bb ca d9 55 18 d2 20 00 00 00 00 |...^. h..u..| +00000140 5a ba 16 71 8c 97 db 6d 90 7c 64 56 0d 29 99 16 |Z..q...m.|dV.)..| +00000150 9b f2 85 4c 84 11 b0 c4 76 f2 d8 bd 7f 19 cb 80 |...L....v.......| +00000160 ec ad 18 e0 d5 c7 a7 f7 70 08 36 c6 0c 8a 88 ef |........p.6.....| +00000170 d9 20 7e e2 b8 a7 c9 18 26 d3 8e c6 d6 48 02 1c |. ~.....&....H..| +00000180 cb 02 7b 52 93 dc 4b da 82 9d 07 b9 65 0d 2a 7a |..{R..K.....e.*z| +00000190 3a 8b 3a 3d 58 79 e2 a8 14 83 25 06 64 e0 48 71 |:.:=Xy....%.d.Hq| +000001a0 ef 2f 28 74 3f 46 04 f5 60 01 fb 53 d5 ff ca 7f |./(t?F..`..S....| +000001b0 89 4c 80 e6 e7 44 cb ad 93 d0 6a 8a 14 13 cc 09 |.L...D....j.....| +000001c0 bf 54 12 56 94 17 1e f3 c5 7a 06 d3 28 3d 61 0d |.T.V.....z..(=a.| +000001d0 1e ad d3 55 28 1e e7 f6 6a e6 da 31 3d 99 61 df |...U(...j..1=.a.| +000001e0 94 d1 1a 58 f6 06 55 0a 43 20 23 dc 58 2b d4 db |...X..U.C #.X+..| +000001f0 35 91 16 e1 29 62 e7 fd aa fe 65 d7 ef b2 a6 2b |5...)b....e....+| +00000200 6b c8 29 4b c0 94 ca bc 32 c4 d8 7a 2a 66 ea 25 |k.)K....2..z*f.%| +00000210 ee 8f fc 85 28 5f b6 1a 11 0b cb dc 57 0b 70 7e |....(_......W.p~| +00000220 58 fc f5 09 41 88 0d a0 fc 03 58 a6 e3 48 29 ed |X...A.....X..H).| +00000230 4e e4 ff cc 4b 42 fd 53 e7 e5 2d 57 0e 6a 88 96 |N...KB.S..-W.j..| +00000240 12 03 54 c3 de 8f 9a 46 98 2c ef ac cd 72 bc 7f |..T....F.,...r..| +00000250 f6 1b cb 98 d4 0c 46 32 1e 18 51 39 d1 ee bf 83 |......F2..Q9....| +00000260 71 e1 df 3a 31 82 22 2f ba 0e 69 a3 93 9d 0c 5c |q..:1."/..i....\| +00000270 8f e5 ea e8 25 26 b1 40 8e 19 0c f4 55 ff 7b cb |....%&.@....U.{.| +00000280 96 d2 0f 07 a0 da 99 38 df 63 9b 9e 33 5b 87 f2 |.......8.c..3[..| +00000290 1b f7 3f 36 e4 65 ae 95 69 0f ec fc 34 fb 1e e5 |..?6.e..i...4...| +000002a0 f7 ce 78 b0 c5 d6 94 e8 e5 ee 37 56 20 ac 58 c4 |..x.......7V .X.| +000002b0 3a 5e cd e2 7f ac 23 c6 5e 2e 45 aa 8a d5 ea 0e |:^....#.^.E.....| +000002c0 0b 1d 13 19 72 0f 8d 48 6b 2f aa 8d d3 74 bb d2 |....r..Hk/...t..| +000002d0 ff fb 46 f7 7f 7d 03 50 9e 3b a8 2d 73 c4 e5 db |..F..}.P.;.-s...| +000002e0 82 8a 48 5f b4 4e 49 35 4b 04 ca 70 35 30 c4 c9 |..H_.NI5K..p50..| +000002f0 d5 94 cb 58 e3 40 e4 8f 3f 17 f5 dd c8 80 d9 41 |...X.@..?......A| +00000300 e2 2a 7b 63 e7 87 84 9a aa 54 3c 1f 4b 64 7b 32 |.*{c.....T<.Kd{2| +00000310 17 d4 f3 17 03 03 00 99 47 1a 1f d9 17 60 17 4a |........G....`.J| +00000320 7a 68 c2 69 4f 59 6e b5 72 2f e9 a8 42 db 9c 49 |zh.iOYn.r/..B..I| +00000330 62 3c db 0c fd 49 2f 0b 4f fa de db ef 7d 5e 60 |b<...I/.O....}^`| +00000340 6b 99 39 ab b3 44 ac bc 68 2b 86 fd db 91 63 6c |k.9..D..h+....cl| +00000350 da 2f 6b 32 c4 99 b4 51 84 5c a8 0d 1d 31 05 f3 |./k2...Q.\...1..| +00000360 45 e3 b4 83 3d c8 17 2e f9 4e f7 61 6c 4b e5 d4 |E...=....N.alK..| +00000370 24 04 2e 3f c9 f4 c9 8a 2d 8f 50 d0 c2 f8 35 56 |$..?....-.P...5V| +00000380 1a 59 08 99 3d 0e 47 ea 54 44 75 d1 2b 31 28 71 |.Y..=.G.TDu.+1(q| +00000390 fb 88 69 0a d2 50 30 77 41 ab ed 29 51 58 75 87 |..i..P0wA..)QXu.| +000003a0 5a 59 bc 66 6b f3 d5 5f ad c4 26 9d e6 a8 7e 70 |ZY.fk.._..&...~p| +000003b0 b3 17 03 03 00 35 fe f7 08 e7 c6 3e 00 c3 5e a3 |.....5.....>..^.| +000003c0 87 23 df 10 46 4f bb 17 ee bf 93 df b7 6d f0 45 |.#..FO.......m.E| +000003d0 77 bf 60 6d f9 bb ce 58 f2 59 4a 40 5e d6 dd 0b |w.`m...X.YJ@^...| +000003e0 19 9a 41 8e 6b 03 16 e3 ce cd b6 |..A.k......| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 3c 85 dc 33 0a |..........5<..3.| +00000010 bd 78 f0 fc 0a 07 3a 9e a5 31 ca b8 f6 23 d5 26 |.x....:..1...#.&| +00000020 2a 60 ce d9 d2 da 37 e5 e8 27 bb 99 a3 43 ad 66 |*`....7..'...C.f| +00000030 e2 07 33 de ca dc 2f d4 73 f4 71 50 d0 99 3b 7d |..3.../.s.qP..;}| +00000040 17 03 03 00 17 de 7a 55 7a 1d e3 1e 51 10 df 9e |......zUz...Q...| +00000050 30 a6 b9 15 79 b4 20 82 01 e5 b2 34 17 03 03 00 |0...y. ....4....| +00000060 13 85 50 af bc 99 0b eb 84 58 b9 6c 46 88 22 b0 |..P......X.lF.".| +00000070 7e 42 79 01 |~By.| diff --git a/pkg/tls/testdata/Client-TLSv13-AES256-SHA384 b/pkg/tls/testdata/Client-TLSv13-AES256-SHA384 new file mode 100644 index 000000000..39b2e0982 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv13-AES256-SHA384 @@ -0,0 +1,93 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 fc b2 8e 30 c0 |....z...v.....0.| +00000010 a2 bd d8 1c 4b 68 bc e0 a1 56 5f 5b 05 54 b7 7a |....Kh...V_[.T.z| +00000020 60 9a 49 68 f5 f4 f0 b1 49 27 79 20 00 00 00 00 |`.Ih....I'y ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 02 00 00 |................| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 d3 |..+.....3.$... .| +00000060 d7 9e 72 ae 5f f9 92 24 6b 76 e5 a1 00 71 78 cf |..r._..$kv...qx.| +00000070 e9 55 29 5b fe a8 71 14 e9 02 b0 65 12 e8 04 14 |.U)[..q....e....| +00000080 03 03 00 01 01 17 03 03 00 17 24 a0 73 a6 7b ab |..........$.s.{.| +00000090 9c d8 69 e7 15 68 4b 26 0a 15 0c ff c4 40 7d b8 |..i..hK&.....@}.| +000000a0 ad 17 03 03 02 6d 05 b2 f9 6e 05 48 18 92 2b 87 |.....m...n.H..+.| +000000b0 29 1c 5b 8c a8 ae 0e 4b fc 3b 1e b9 2c c2 0c 33 |).[....K.;..,..3| +000000c0 f8 5d 16 37 39 b3 b2 4e 12 a4 02 4c fb 3b 16 4e |.].79..N...L.;.N| +000000d0 63 92 72 56 49 d6 5b 63 34 20 67 c8 07 a2 b6 0d |c.rVI.[c4 g.....| +000000e0 f1 06 b4 bd 88 54 4d 33 66 1a d4 fc 42 9c 4e 00 |.....TM3f...B.N.| +000000f0 40 34 5d cf c4 5d f1 ba 14 de 34 50 f5 2f 3d b7 |@4]..]....4P./=.| +00000100 1c 17 33 6e 9a 2b 39 1b f1 a6 0d fb b7 0c c3 b3 |..3n.+9.........| +00000110 02 f8 0c 30 e8 31 d7 ee bf a1 a0 64 28 67 64 50 |...0.1.....d(gdP| +00000120 24 ce 37 fd 15 2e c7 13 1b 8b f0 22 19 e4 ec c8 |$.7........"....| +00000130 8c b0 76 b8 d0 2d 87 99 86 8b ec ca e9 9d 8f 23 |..v..-.........#| +00000140 bf 3d bf b8 ed 85 34 85 31 15 dd 7a 36 f7 3e 0e |.=....4.1..z6.>.| +00000150 df e7 4c e8 ae 5a 98 05 f8 34 76 33 c3 4c 81 fb |..L..Z...4v3.L..| +00000160 d8 29 14 b3 47 32 eb 5f 73 5a 95 4a c7 3d 89 2a |.)..G2._sZ.J.=.*| +00000170 21 22 bd 97 b2 9d 4b dd 2c eb a5 e3 37 d6 a9 84 |!"....K.,...7...| +00000180 0c b6 02 2f 1f 5c 18 1b be 92 be 58 a7 e1 a0 49 |.../.\.....X...I| +00000190 95 dc d7 07 70 b1 5b 15 86 3f 55 fc ad 32 39 5d |....p.[..?U..29]| +000001a0 95 63 fd d4 85 55 b2 e9 c2 68 d0 09 f9 53 f9 4f |.c...U...h...S.O| +000001b0 0e 89 1c a0 85 74 7f 10 97 e7 86 8a 18 28 83 e6 |.....t.......(..| +000001c0 66 3c 2a f5 8f 14 1d 90 58 ef ad 1f d3 7f 42 0a |f<*.....X.....B.| +000001d0 08 d5 b4 96 b0 9d 3f 72 49 5a 06 13 7c 4b bc 79 |......?rIZ..|K.y| +000001e0 8c db 1f 1f 5e 3d c2 fe ad 57 e6 d9 14 bb d0 72 |....^=...W.....r| +000001f0 d7 90 14 35 ec 34 31 f6 fd b1 fd 3d 46 6e 4f a7 |...5.41....=FnO.| +00000200 1e 7d 14 40 17 0c ef c0 c8 70 fe dc 6a f1 78 6a |.}.@.....p..j.xj| +00000210 c6 df 70 2e ac 07 d9 6d f7 90 0e 4a 92 08 cf 88 |..p....m...J....| +00000220 26 c0 11 4a 7d e4 34 ba 86 43 cb 94 f8 d7 61 5a |&..J}.4..C....aZ| +00000230 05 f5 f9 49 b4 04 f1 c8 43 b6 12 52 ae cf 7c b9 |...I....C..R..|.| +00000240 39 d1 90 91 6e 80 43 cf 4c 23 3d 7c c0 c8 88 46 |9...n.C.L#=|...F| +00000250 e2 91 86 e4 41 cb ed f2 3a 92 01 9f 04 7c d2 81 |....A...:....|..| +00000260 42 18 6c 04 91 25 8a 29 0e d9 23 aa 58 e5 e8 ee |B.l..%.)..#.X...| +00000270 39 79 a5 a7 3a 4d e3 cc 15 79 3f 7b f9 e4 21 76 |9y..:M...y?{..!v| +00000280 5c 9a d8 de d3 9a f3 9e 69 44 c0 2a 56 04 b4 d2 |\.......iD.*V...| +00000290 c3 c1 4c d6 ad b8 d8 ad c8 c2 0d fa ea e1 bc 11 |..L.............| +000002a0 67 15 80 ef c6 01 48 7f de f1 c2 36 a7 dd a9 38 |g.....H....6...8| +000002b0 31 8b 14 ed 5c 2a 66 55 3b 25 e3 85 cb d9 a9 82 |1...\*fU;%......| +000002c0 7a 95 99 b3 c8 aa ac 66 30 b0 c5 3d d1 2a ab b9 |z......f0..=.*..| +000002d0 56 b3 5e 9d e0 d7 81 ac 6f 2e ae 62 a2 ef ca ef |V.^.....o..b....| +000002e0 7b cf 0f af f6 0b 29 97 2d 27 33 58 ad b6 1b d2 |{.....).-'3X....| +000002f0 0a c7 11 ec 89 b0 0d 2e ff 27 64 c2 bf 8e 85 a4 |.........'d.....| +00000300 ea 14 52 71 55 1a ec ef 0d ff 14 00 ce 3d 9d 3d |..RqU........=.=| +00000310 a9 d3 17 17 03 03 00 99 5e ba 1f f3 93 71 7a 88 |........^....qz.| +00000320 bc 14 71 7e 85 15 c9 da fe ee c1 b1 3d f6 ff 67 |..q~........=..g| +00000330 fd 28 96 f3 44 44 6f 8f 32 b4 22 be 69 29 e6 dd |.(..DDo.2.".i)..| +00000340 60 07 1d 98 0b 0c 0f ec df fa 46 c0 67 66 f2 18 |`.........F.gf..| +00000350 bf 5e 36 56 b2 b2 25 ef aa 76 51 ea f7 47 1d ee |.^6V..%..vQ..G..| +00000360 7b 25 e5 97 89 4a 04 07 f8 ff 05 73 25 71 e4 28 |{%...J.....s%q.(| +00000370 9e 91 45 ff 4c df 82 dc 85 16 02 ba 15 9b 37 91 |..E.L.........7.| +00000380 eb 65 12 66 38 59 8a 85 a2 2e af 2f d7 74 75 c1 |.e.f8Y...../.tu.| +00000390 7e f6 64 87 7e 4c 86 c8 25 bb 59 8d f8 9c e3 e5 |~.d.~L..%.Y.....| +000003a0 a4 53 a5 c6 00 bd 78 d8 07 0e f5 42 92 e3 42 11 |.S....x....B..B.| +000003b0 57 17 03 03 00 45 77 98 db b2 e4 66 e3 dc 3e 4f |W....Ew....f..>O| +000003c0 49 92 b3 ac 74 cd 1c 3b e2 81 3c 64 0b a5 c9 8c |I...t..;..>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 45 75 66 f7 1c cc |..........Euf...| +00000010 a5 d2 e0 60 37 ff ab 89 16 88 c1 27 ba 57 0c 0d |...`7......'.W..| +00000020 28 c9 c3 8a 53 57 05 1c 2a 47 52 b6 98 f9 26 4f |(...SW..*GR...&O| +00000030 34 7c 7a 71 00 87 47 c3 a5 b8 0c 8c 03 87 5e de |4|zq..G.......^.| +00000040 a1 40 33 9b e1 7f ad 36 71 10 9a e7 28 45 e1 e2 |.@3....6q...(E..| +00000050 17 03 03 00 17 a3 83 88 cd fa fc f4 60 12 e7 be |............`...| +00000060 8d 11 31 74 3f 25 3e 32 6f 7f 73 57 17 03 03 00 |..1t?%>2o.sW....| +00000070 13 7f ab 29 bc f6 7e ea f7 17 ee 7a ef 38 ff bc |...)..~....z.8..| +00000080 82 68 f5 07 |.h..| diff --git a/pkg/tls/testdata/Client-TLSv13-ALPN b/pkg/tls/testdata/Client-TLSv13-ALPN new file mode 100644 index 000000000..b29125902 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv13-ALPN @@ -0,0 +1,93 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 01 12 01 00 01 0e 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 93 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 10 00 10 00 0e 06 70 |...............p| +000000d0 72 6f 74 6f 32 06 70 72 6f 74 6f 31 00 12 00 00 |roto2.proto1....| +000000e0 00 2b 00 09 08 03 04 03 03 03 02 03 01 00 33 00 |.+............3.| +000000f0 26 00 24 00 1d 00 20 2f e5 7d a3 47 cd 62 43 15 |&.$... /.}.G.bC.| +00000100 28 da ac 5f bb 29 07 30 ff f6 84 af c4 cf c2 ed |(.._.).0........| +00000110 90 99 5f 58 cb 3b 74 |.._X.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 90 3b d5 53 eb |....z...v...;.S.| +00000010 af 38 68 af fc 8f 47 f5 3f 13 5c c5 46 9d 97 b7 |.8h...G.?.\.F...| +00000020 e2 c4 0c 93 d4 91 2b 45 77 11 1b 20 00 00 00 00 |......+Ew.. ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 03 00 00 |................| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 a6 |..+.....3.$... .| +00000060 5a 75 77 6c 3a 65 d9 7d c4 72 ef 66 3e 15 80 e4 |Zuwl:e.}.r.f>...| +00000070 b6 c5 55 2e fb cf 3a 17 9e 28 de de b1 ce 06 14 |..U...:..(......| +00000080 03 03 00 01 01 17 03 03 00 24 45 28 86 50 9e 48 |.........$E(.P.H| +00000090 66 13 75 a6 43 19 b2 ce 79 2b 5c 06 d0 f7 ff 4c |f.u.C...y+\....L| +000000a0 d5 bb 39 67 50 aa 78 97 1b 5a 58 a7 95 44 17 03 |..9gP.x..ZX..D..| +000000b0 03 02 6d 10 9e 3c f4 7e c6 2d e4 2a 04 10 95 dd |..m..<.~.-.*....| +000000c0 47 56 02 08 91 5e 60 c5 5c eb a1 65 f0 9d a6 2a |GV...^`.\..e...*| +000000d0 55 bc fe 58 1a b0 3e f9 d6 f0 1c 7c 70 c5 bf 14 |U..X..>....|p...| +000000e0 3c c7 bf a4 ac f8 c5 77 1c 7b f2 bb 15 01 f8 c6 |<......w.{......| +000000f0 2c 19 dd 22 29 3b 32 09 33 b7 c5 be 2e 9b 43 7c |,..");2.3.....C|| +00000100 1f b7 a2 99 09 e6 42 c3 13 b0 10 2b 15 e8 8a 89 |......B....+....| +00000110 62 ac 27 b1 09 cc e3 78 67 07 8e c9 21 d4 17 df |b.'....xg...!...| +00000120 dc db 30 9b 8e a4 6f 8e fb 1b 5a d9 22 b0 5d 9b |..0...o...Z.".].| +00000130 f1 d0 c7 d6 5e 64 00 23 36 96 8e 22 39 ab 52 3a |....^d.#6.."9.R:| +00000140 10 02 c3 6b 02 c7 87 8f cd 45 40 18 26 41 ca 06 |...k.....E@.&A..| +00000150 36 09 59 fc 0c d8 fc fe 35 b6 fb 9e 2a e3 db 29 |6.Y.....5...*..)| +00000160 dc 1b 89 08 f2 e5 06 a1 2a 62 cb 89 39 be 30 47 |........*b..9.0G| +00000170 81 5d 12 5d e5 f2 38 ae f9 6a 0a bc b6 7d 1a fc |.].]..8..j...}..| +00000180 62 24 1f ab 25 1a 81 4e 29 c1 32 89 9e 75 3d e9 |b$..%..N).2..u=.| +00000190 aa a7 ab 15 0f eb f6 e6 a4 1c c2 c6 48 8b 88 a9 |............H...| +000001a0 24 34 92 49 f9 85 4e 2c b5 eb 69 d7 55 db e5 b6 |$4.I..N,..i.U...| +000001b0 ec 09 5d 08 b0 d3 8f 0c 01 47 46 3f f8 ae eb ef |..]......GF?....| +000001c0 72 37 2e 48 03 5a 03 ed 1c 5e 6e be 59 f1 16 98 |r7.H.Z...^n.Y...| +000001d0 f9 0e 3e 04 6d 9f 53 72 29 62 5b b3 f1 b9 1a 72 |..>.m.Sr)b[....r| +000001e0 61 06 ad 97 e1 e1 31 d4 ae a0 92 02 27 94 66 ca |a.....1.....'.f.| +000001f0 21 37 dd 2e a4 b4 4b 8f 7d 47 1c 3c 3d 14 ca 92 |!7....K.}G.<=...| +00000200 e3 fc 9f 73 4f 17 3e 2a 62 9b 45 bd 5d 6b d2 90 |...sO.>*b.E.]k..| +00000210 b4 77 5b 61 81 52 10 b6 d4 0e 48 f4 d1 b4 a5 eb |.w[a.R....H.....| +00000220 4c c2 29 dd e0 74 b0 2b d0 28 09 65 bc f2 f4 12 |L.)..t.+.(.e....| +00000230 6d 25 c7 7d 84 39 4a 2a 36 4e 4c 94 bb 02 66 2e |m%.}.9J*6NL...f.| +00000240 58 17 0c 3d 1f aa 6b 25 92 d5 a3 39 9c 50 28 43 |X..=..k%...9.P(C| +00000250 5c 39 17 34 4a 59 f9 6c 65 a3 4d 35 74 65 11 04 |\9.4JY.le.M5te..| +00000260 25 99 d1 42 93 70 95 28 6f 59 a0 13 95 2c bb 79 |%..B.p.(oY...,.y| +00000270 05 dd 8c 82 e1 08 57 6d c4 8e fc c4 f5 49 17 1f |......Wm.....I..| +00000280 94 4c cc ea 6f cd ab a9 33 ed 4b fa 47 02 1a f2 |.L..o...3.K.G...| +00000290 5b 64 8d 3f e4 65 ea 78 82 78 f0 0d eb 74 c1 cc |[d.?.e.x.x...t..| +000002a0 25 f7 d4 7c 74 fc 8d 53 76 f6 fb 31 62 8d d6 83 |%..|t..Sv..1b...| +000002b0 57 56 43 dc 40 51 94 b0 44 db d2 7f f3 fe 58 ff |WVC.@Q..D.....X.| +000002c0 c5 13 22 aa bf 77 ea 16 93 85 b0 89 cf b2 1d 0b |.."..w..........| +000002d0 8c 89 9f 4c 68 43 98 53 c0 97 ba aa 82 d0 e5 e4 |...LhC.S........| +000002e0 ce 8d 16 91 46 c0 ff 38 1f 2d 3d cd 9e 65 c9 7d |....F..8.-=..e.}| +000002f0 a2 b6 21 b3 55 9d 2c ff b5 c7 aa cb 5a 51 ce e6 |..!.U.,.....ZQ..| +00000300 5c 6f 72 58 fc 8d 49 68 13 b3 a9 14 03 8a 89 ff |\orX..Ih........| +00000310 1e 05 91 a3 30 64 3a 10 06 c8 1f b0 b8 b6 4d 95 |....0d:.......M.| +00000320 17 03 03 00 99 2f cd 21 80 f7 39 77 c5 ed 5f b8 |...../.!..9w.._.| +00000330 75 fb bd 82 f1 84 09 d3 bc 2f 21 f6 d3 a2 4b b1 |u......../!...K.| +00000340 e4 67 59 7d db 64 47 20 19 9b 9d 68 33 4a 9d e1 |.gY}.dG ...h3J..| +00000350 c5 ec cc ab 66 25 a2 1b 89 6c a6 03 b6 20 3d c6 |....f%...l... =.| +00000360 03 fd 12 80 70 b9 e5 2e 27 c8 25 d2 00 00 4e e9 |....p...'.%...N.| +00000370 1a 65 4a 52 31 a0 3f e6 7c fc 77 48 83 76 11 34 |.eJR1.?.|.wH.v.4| +00000380 c1 71 36 0d 56 13 7f a2 3c 4a ac 5c 73 82 b1 f5 |.q6.V...>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 fc ac 12 d4 36 |..........5....6| +00000010 13 c6 fe 02 f8 ea 05 0b 5c cb 31 d4 8d ee ba 6f |........\.1....o| +00000020 36 ac aa 89 b9 10 f3 b3 a1 89 03 0e d2 5a 92 c7 |6............Z..| +00000030 62 4c 56 0c 42 69 68 a5 d7 79 cc b5 24 25 7b 80 |bLV.Bih..y..$%{.| +00000040 17 03 03 00 17 a3 f6 4f 1d 36 bb 5f 0b 59 12 ef |.......O.6._.Y..| +00000050 72 d4 c6 1d c8 82 94 1d f2 9c 46 d5 17 03 03 00 |r.........F.....| +00000060 13 3c 66 6b 59 a1 b2 e9 47 e8 06 fe 15 3f 0c 39 |.>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 ce bd 20 50 3d |....z...v.... P=| +00000010 7e 80 5d e3 c4 d1 f4 d7 9b 28 0d ad c7 2c c9 b0 |~.]......(...,..| +00000020 bb 25 e4 98 56 77 9a dd 7c 2e e7 20 00 00 00 00 |.%..Vw..|.. ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 03 00 00 |................| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 75 |..+.....3.$... u| +00000060 35 5d ce ae 93 0b e6 2c c7 aa 67 6d 9d bd b2 8d |5].....,..gm....| +00000070 83 ac 17 7c 21 21 b2 c1 dc a1 4d 54 72 66 05 14 |...|!!....MTrf..| +00000080 03 03 00 01 01 17 03 03 00 17 88 68 f2 3c 98 b5 |...........h.<..| +00000090 ef 6e 2b ba aa d3 d4 0c 28 aa 3a 6f 51 a7 dc 89 |.n+.....(.:oQ...| +000000a0 fb 17 03 03 02 6d ae f6 44 17 0d 3b ee 41 5b a9 |.....m..D..;.A[.| +000000b0 d2 63 7c 98 25 e7 ca 46 29 05 9e 75 9f 71 58 99 |.c|.%..F)..u.qX.| +000000c0 57 a3 c3 88 08 54 88 ea 8f ea ca 87 88 c0 53 d7 |W....T........S.| +000000d0 de b6 3d 14 98 64 1a 6b 8f 90 e7 6a 10 e2 4b 42 |..=..d.k...j..KB| +000000e0 13 59 f0 bc a0 74 3b 5b a8 15 74 3a 30 9f 28 ed |.Y...t;[..t:0.(.| +000000f0 b2 a0 48 15 5a 3b 0c 61 26 4e 3f 5a 33 3d d9 88 |..H.Z;.a&N?Z3=..| +00000100 97 9f fe 2a d5 df f7 01 40 84 75 90 89 7d 34 23 |...*....@.u..}4#| +00000110 3e 70 85 82 94 b7 21 94 e6 0c d1 f1 88 06 ff 34 |>p....!........4| +00000120 64 2f e5 e6 80 10 2b 0c fe 18 f5 2c cc b0 27 37 |d/....+....,..'7| +00000130 2b 5a 4b 43 e8 b7 ad 97 a0 8c d1 49 bb f9 4a 65 |+ZKC.......I..Je| +00000140 99 bf cd 7f 77 ef 0f b6 d7 91 ce 4d 53 79 d0 5e |....w......MSy.^| +00000150 b7 51 5e 8d 0f 13 85 53 7d 81 27 b2 e1 5a e0 d0 |.Q^....S}.'..Z..| +00000160 d9 b0 3b c6 30 15 ac 3e 60 7f 01 90 da b1 c5 8c |..;.0..>`.......| +00000170 06 7c 8f 31 86 7e 53 5b 1a 4b 8f d0 ff 2c f9 9e |.|.1.~S[.K...,..| +00000180 c4 08 02 12 e4 97 af 3f 07 d0 25 0d 50 90 21 1f |.......?..%.P.!.| +00000190 fa 8d ea 02 16 a4 56 2e 2b e1 3f c2 e2 f5 53 d0 |......V.+.?...S.| +000001a0 6e a2 d4 b9 b6 ae 69 12 74 d4 2f 8f 55 1e 5f b8 |n.....i.t./.U._.| +000001b0 1f b6 29 ee 11 21 81 9f 37 6e 40 b1 27 22 15 7b |..)..!..7n@.'".{| +000001c0 ba bb bd ee 7a 7e 1f e4 7e 63 a1 60 53 a1 c7 0f |....z~..~c.`S...| +000001d0 f8 2e c3 07 cd 60 ec 83 0f 18 55 50 5c 11 ec 93 |.....`....UP\...| +000001e0 85 dd 38 5c 7e 4a 0a af 4b c9 22 8d 43 ce 76 62 |..8\~J..K.".C.vb| +000001f0 d7 73 3f ef 67 2d 6a 02 bd b5 8f c4 8b 64 b1 a3 |.s?.g-j......d..| +00000200 c4 40 c1 ea 7e 57 b9 25 45 61 96 97 69 69 9f 2b |.@..~W.%Ea..ii.+| +00000210 a7 56 b5 8b 80 25 3e 3c 73 14 b2 21 10 ee 47 cd |.V...%>....| +00000300 e2 01 51 80 b3 de cb ac 67 41 cb e9 92 4b ba 18 |..Q.....gA...K..| +00000310 c5 58 f4 17 03 03 00 99 9c bf 47 cb 60 c1 51 50 |.X........G.`.QP| +00000320 73 87 10 02 5b e7 b4 f5 4f 60 65 de 44 ae 5c 15 |s...[...O`e.D.\.| +00000330 0e df 8b fa 47 0f 51 0a a1 05 70 a6 8f a0 2a 27 |....G.Q...p...*'| +00000340 84 e9 a1 38 43 3d 2a e5 10 45 22 01 0a b2 8e 6d |...8C=*..E"....m| +00000350 27 53 b9 ea b5 5d 6d a7 50 69 c2 4c 50 cf 3d d9 |'S...]m.Pi.LP.=.| +00000360 47 82 62 4b 0b 42 6a 3f e5 4f a8 04 9b 7d f2 26 |G.bK.Bj?.O...}.&| +00000370 15 ce 88 74 40 59 87 2b 11 a5 ac 9a e5 3f 03 db |...t@Y.+.....?..| +00000380 33 cb 27 be d9 2a 69 1d 1e 68 6b 0e 54 0a f4 1c |3.'..*i..hk.T...| +00000390 63 b3 bb 55 63 e7 b6 b7 0e 2c ad 9e b5 1d 51 b4 |c..Uc....,....Q.| +000003a0 41 77 4b 80 17 47 c9 8f 9e 02 cd 87 2e 20 72 e4 |AwK..G....... r.| +000003b0 44 17 03 03 00 35 0e 4f 8b e7 ae ca 38 35 85 d8 |D....5.O....85..| +000003c0 fb 23 c3 39 d4 80 25 15 d3 39 4e 19 34 93 21 13 |.#.9..%..9N.4.!.| +000003d0 a2 84 2c 0f 3e 5e c3 62 95 41 c7 4d a7 81 2d 60 |..,.>^.b.A.M..-`| +000003e0 99 56 db d5 0e 2e 42 b3 16 72 22 |.V....B..r"| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 db e3 68 0f 7c |..........5..h.|| +00000010 36 8e c4 5b 10 11 89 61 b7 f1 a9 f3 43 a5 28 e6 |6..[...a....C.(.| +00000020 86 8c f0 c3 3b 54 5b 86 3c b6 42 6e 3d 56 93 0a |....;T[.<.Bn=V..| +00000030 2c ca 2e 39 27 1c 12 e2 d7 e7 b5 57 a6 29 5c 4a |,..9'......W.)\J| +00000040 17 03 03 00 17 02 0d 23 ca 06 5e 1c 0f a8 a2 39 |.......#..^....9| +00000050 32 00 01 b5 ba e7 52 82 fa 2c e3 27 17 03 03 00 |2.....R..,.'....| +00000060 13 ea 39 b7 18 2d 01 1a c3 9c b5 51 cc d2 f3 40 |..9..-.....Q...@| +00000070 55 69 87 65 |Ui.e| diff --git a/pkg/tls/testdata/Client-TLSv13-ClientCert-ECDSA-RSA b/pkg/tls/testdata/Client-TLSv13-ClientCert-ECDSA-RSA new file mode 100644 index 000000000..8e87aa50e --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv13-ClientCert-ECDSA-RSA @@ -0,0 +1,140 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 98 a2 b1 a3 c2 |....z...v.......| +00000010 3a ad 0c cb df b0 4b 9d 37 a9 57 5f f0 c5 3f dd |:.....K.7.W_..?.| +00000020 73 c1 e6 7f 1e 45 7d ef 17 e8 61 20 00 00 00 00 |s....E}...a ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 03 00 00 |................| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 9b |..+.....3.$... .| +00000060 8a e8 f7 9b f3 9a 73 54 81 4c aa 41 06 e8 fd 21 |......sT.L.A...!| +00000070 f7 e6 62 2e 7a 1f 29 0e 1c 48 21 dc 82 3b 1b 14 |..b.z.)..H!..;..| +00000080 03 03 00 01 01 17 03 03 00 17 07 dc 9b 84 a2 d4 |................| +00000090 b9 80 93 7f 29 3e 7c 97 9e 46 e0 6d 0c 3d 24 4b |....)>|..F.m.=$K| +000000a0 1c 17 03 03 00 42 2c 3c 9c 8d 63 93 a7 02 57 8b |.....B,<..c...W.| +000000b0 3d e6 d1 f0 05 03 ff 91 77 55 01 6c 65 57 8f 67 |=.......wU.leW.g| +000000c0 44 f8 c1 8f c5 ee 00 9f 45 66 b0 c5 f0 61 20 b7 |D.......Ef...a .| +000000d0 4f f0 14 05 1d 47 10 af f9 11 ed 62 5e 78 12 60 |O....G.....b^x.`| +000000e0 65 b7 65 33 a9 b3 38 61 17 03 03 02 6d 9e c3 b9 |e.e3..8a....m...| +000000f0 0e 43 aa bd 17 a2 51 a8 9b a0 62 73 73 58 84 21 |.C....Q...bssX.!| +00000100 d2 fa 4f ad fe c3 56 b6 7f 93 e9 4d 4b 83 59 0c |..O...V....MK.Y.| +00000110 be 47 fd c5 f7 01 b2 03 18 77 9c ae 41 dd 26 44 |.G.......w..A.&D| +00000120 a2 8a 45 56 6d 61 bc 16 ff 52 d0 1a 48 37 c5 e8 |..EVma...R..H7..| +00000130 07 71 d1 3d c9 e2 75 3b 6f 16 43 9d a2 56 9c d6 |.q.=..u;o.C..V..| +00000140 90 d1 d4 fd 23 5e 32 84 bc 97 9e 33 4e cd 54 b6 |....#^2....3N.T.| +00000150 66 5c 52 be b0 b7 10 70 5c 3a 61 ec 4a e2 d4 43 |f\R....p\:a.J..C| +00000160 b0 87 8a 48 bd f5 81 cb ee 5a 72 de 26 13 49 31 |...H.....Zr.&.I1| +00000170 e7 02 53 54 b3 fc 86 b4 70 25 a6 f8 83 24 31 f3 |..ST....p%...$1.| +00000180 22 dd b1 ca 96 7e f3 9e dc 3b ce 7c 1f 7e 44 37 |"....~...;.|.~D7| +00000190 ba be 42 e3 14 29 14 8f ad 79 e6 d7 64 a9 11 ac |..B..)...y..d...| +000001a0 78 f5 fc 3c af e7 0a 55 26 07 a1 7e 81 1f 16 b5 |x..<...U&..~....| +000001b0 ad 4b cf 46 cf 7a ba d3 3b 2d 97 55 31 bb 20 68 |.K.F.z..;-.U1. h| +000001c0 c6 f6 19 99 af 98 25 cd 6e 76 39 03 32 14 08 fd |......%.nv9.2...| +000001d0 77 43 7d d0 f4 d4 8b 58 42 d6 6c 45 a5 b6 af 04 |wC}....XB.lE....| +000001e0 14 28 47 9f 45 bb af e8 8d e0 d6 54 55 e5 d2 ae |.(G.E......TU...| +000001f0 84 a1 0c 0b 42 5f 9a 9c 93 fb b9 cd e6 43 5f a3 |....B_.......C_.| +00000200 cc 6a 6a da 85 7d c1 37 af 04 1a 8b e7 4a 40 82 |.jj..}.7.....J@.| +00000210 82 88 0f dc 78 51 74 f7 2c c8 e0 01 eb f7 f9 ca |....xQt.,.......| +00000220 28 0a 79 c9 f9 fb 35 c1 e7 8e 65 9e 8b 40 75 29 |(.y...5...e..@u)| +00000230 f1 56 79 33 41 39 96 c4 ab 15 28 7c cc 5a cd 81 |.Vy3A9....(|.Z..| +00000240 c4 57 d2 d9 86 f7 7f 63 30 2d 89 71 29 3c 99 cc |.W.....c0-.q)<..| +00000250 d8 fb 01 03 f3 de 3d 57 5d f3 85 b5 7a a8 f1 5c |......=W]...z..\| +00000260 05 39 d7 ac 15 03 be 88 fb e8 4c d2 8f 0f 3f 68 |.9........L...?h| +00000270 c2 e0 e8 44 c0 97 83 f4 3f f2 4a ba 9e 4c b7 c1 |...D....?.J..L..| +00000280 ea 55 e4 f4 ce 55 69 83 5b 6e 02 07 06 c4 f3 70 |.U...Ui.[n.....p| +00000290 13 3e ed 76 f0 ec 7b 5d 1e 9b 5e 73 5f ef 5b 33 |.>.v..{]..^s_.[3| +000002a0 41 e9 38 45 80 c8 f2 3e 17 ec 30 8b ce 35 87 00 |A.8E...>..0..5..| +000002b0 a8 02 66 b4 fc d4 69 ae 12 df c6 a4 68 06 2d 8b |..f...i.....h.-.| +000002c0 9c b6 e3 0e 2c 2a d9 05 cc ac f1 32 e9 57 6d e4 |....,*.....2.Wm.| +000002d0 0e f5 ed d0 05 a4 4a 10 02 87 5b 90 f9 89 88 30 |......J...[....0| +000002e0 3a 65 9d 2d 41 07 7a d7 8b 16 cb 57 01 9d ad bb |:e.-A.z....W....| +000002f0 76 4a 6a 3f 77 ae 29 55 61 b5 04 6b 9f eb 6e 34 |vJj?w.)Ua..k..n4| +00000300 a7 c6 97 92 6f d3 29 0e 65 1e 83 74 e9 2c 5a 8a |....o.).e..t.,Z.| +00000310 a8 a7 7a b1 55 76 b9 6a 98 b9 09 d5 01 48 ae 06 |..z.Uv.j.....H..| +00000320 ff 88 cb 59 f4 64 f2 ad 3b 4c 8c 39 85 b1 5f ae |...Y.d..;L.9.._.| +00000330 07 c1 a9 0f f5 0e 02 27 28 74 0d 9f c5 b2 8e 18 |.......'(t......| +00000340 6a 66 b9 86 ca 41 1f 6f 4a 05 d1 0d 69 ad f0 b6 |jf...A.oJ...i...| +00000350 2d 6a 24 df 6f 9b 5c 07 b1 04 17 03 03 00 99 11 |-j$.o.\.........| +00000360 46 8d 44 89 36 f4 ff dc 5a 8e 1e 68 f3 63 03 b6 |F.D.6...Z..h.c..| +00000370 40 40 26 1b 28 41 d9 78 f5 5e 51 c6 21 b8 fa c5 |@@&.(A.x.^Q.!...| +00000380 a7 c4 20 d3 b0 c0 f0 ec 9a 0e 1a 5b 1c 8d 57 58 |.. ........[..WX| +00000390 32 f9 75 69 9a 5e 1d 96 0b fa 77 d8 c7 d1 a0 8b |2.ui.^....w.....| +000003a0 e6 f8 33 3a f9 90 22 a7 19 37 50 d8 f0 90 34 4f |..3:.."..7P...4O| +000003b0 c3 bb 1c a2 c3 b8 3e d3 6b ee a0 39 40 98 e5 93 |......>.k..9@...| +000003c0 f8 16 29 6a 1e 12 20 4d 5c bd fd 11 f6 c5 cc d6 |..)j.. M\.......| +000003d0 08 d9 bc f5 ce 95 70 2c dd 9f 70 08 7c c4 55 59 |......p,..p.|.UY| +000003e0 8f 57 25 16 36 53 b4 3c 14 df af 1c 5f ec 2a 5a |.W%.6S.<...._.*Z| +000003f0 61 7c c4 1e 96 9c aa 9b 17 03 03 00 35 ef b8 e8 |a|..........5...| +00000400 5d ef 00 77 46 05 77 37 7b f6 3e b4 e9 b4 67 a8 |]..wF.w7{.>...g.| +00000410 88 49 6d d8 2f 3a 88 db 48 47 e1 cb a5 f9 38 17 |.Im./:..HG....8.| +00000420 09 c8 a7 0b 92 7c d9 17 9f 2d 34 9c 9a d0 da 02 |.....|...-4.....| +00000430 a8 d0 |..| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 02 1e 57 f6 58 1b c5 |...........W.X..| +00000010 ad 34 85 01 b8 a0 3f a6 b4 b8 e1 b1 7b fa 10 f8 |.4....?.....{...| +00000020 05 c3 07 ba ef a7 08 ed d0 0e f4 4a e0 1e 49 d8 |...........J..I.| +00000030 d8 a6 82 3c ca cd 4c b8 c3 27 40 28 49 69 47 a2 |...<..L..'@(IiG.| +00000040 ab 4b 14 e2 b5 ac 02 aa 7c 92 17 c0 6e cc 42 dc |.K......|...n.B.| +00000050 ce 10 d1 cb 25 9e fe 4f 21 a3 76 1b b4 d4 62 5b |....%..O!.v...b[| +00000060 51 8a 64 4a 6c 4c 7b e8 87 79 50 51 4a b3 39 f3 |Q.dJlL{..yPQJ.9.| +00000070 37 9f 30 23 eb 6a 26 bc 49 3f 41 76 d2 c9 06 63 |7.0#.j&.I?Av...c| +00000080 41 11 58 02 0b ae ac 52 4b e6 4e 03 88 ef e6 8d |A.X....RK.N.....| +00000090 51 7b 02 e2 a5 a3 70 79 d1 16 5f 8b b9 2e d6 48 |Q{....py.._....H| +000000a0 87 2b c9 49 7f 1a 33 65 55 61 80 bd e5 cb dc 74 |.+.I..3eUa.....t| +000000b0 84 4d dd c8 9a 6b 84 c2 b5 68 de 5e 9b 42 cf 99 |.M...k...h.^.B..| +000000c0 a5 69 93 89 63 a7 94 60 0c 97 7c ab ec 18 61 a8 |.i..c..`..|...a.| +000000d0 68 e3 c8 66 ab 08 2c 96 49 76 b2 3e 40 22 5e 95 |h..f..,.Iv.>@"^.| +000000e0 7e 79 f0 53 43 2f 0d a0 c2 ec eb 6f ec 41 da ef |~y.SC/.....o.A..| +000000f0 a0 6f cb 22 bb 55 19 2d 6d 6e 04 cc 77 fb 00 a2 |.o.".U.-mn..w...| +00000100 99 53 cf b6 30 95 f4 04 83 9e ab a9 c4 cd 21 a4 |.S..0.........!.| +00000110 4a d9 e4 f9 a6 96 5e ef 8d b7 c0 62 2a 25 68 a4 |J.....^....b*%h.| +00000120 53 50 7c cf d5 9d b9 3d 78 2b 76 65 63 95 b4 8d |SP|....=x+vec...| +00000130 87 41 68 3d dc 80 be 40 24 33 b5 c3 90 ee 8f fa |.Ah=...@$3......| +00000140 f8 25 0d 48 6a c7 b5 e6 b5 ab b5 10 4b ad b3 95 |.%.Hj.......K...| +00000150 62 6b 76 9b 21 b2 96 86 0d f6 c1 a8 d3 5a 9f 3e |bkv.!........Z.>| +00000160 e8 50 2f 72 49 1c 0a fa 47 90 87 75 f8 a4 7e 95 |.P/rI...G..u..~.| +00000170 d2 74 ca 78 c5 fa f8 8d ca 83 81 ec 93 89 e0 50 |.t.x...........P| +00000180 62 49 15 87 5e 16 4c 17 aa f3 a1 1b 0c 4b 9a 68 |bI..^.L......K.h| +00000190 1b d5 48 a5 da fe c8 84 fe e6 fc 24 3d 9d 14 e8 |..H........$=...| +000001a0 e5 38 45 20 bd cb 22 2a 95 3e de 84 4f 85 6b e2 |.8E .."*.>..O.k.| +000001b0 be dc e1 1a 55 78 68 dc fd c7 c8 e2 d6 90 a7 14 |....Uxh.........| +000001c0 44 b6 6a a0 4e 01 0f 73 9b 97 ac ef 17 91 90 16 |D.j.N..s........| +000001d0 14 e5 f7 88 df 08 8b d6 48 49 c5 9b 72 81 0b b8 |........HI..r...| +000001e0 67 e4 5a b0 a6 a8 37 ef d3 96 28 dd f9 cc 24 c0 |g.Z...7...(...$.| +000001f0 6f fc 7e 68 f5 25 df 38 73 1a ea b1 3d 8d 88 90 |o.~h.%.8s...=...| +00000200 90 51 f3 f5 02 df 5a b2 5a 29 81 3c b6 aa 60 f2 |.Q....Z.Z).<..`.| +00000210 79 ea 11 54 9d 6e ad e4 9b 48 35 6a 7b 95 ac 75 |y..T.n...H5j{..u| +00000220 5e a5 dd 55 c7 97 10 aa 22 17 03 03 00 a2 12 24 |^..U...."......$| +00000230 cd 8b fc be 73 28 ab a6 1e e6 f9 c2 d3 5e 98 db |....s(.......^..| +00000240 a9 30 02 c7 87 20 c9 34 d3 11 ea 3e 9f 3e 12 c7 |.0... .4...>.>..| +00000250 55 16 8d 3a 33 8f 71 08 b0 10 e4 0a 43 6d 1e 59 |U..:3.q.....Cm.Y| +00000260 79 e4 f0 86 6a bb 4a 4e bf 03 7a 5a 7d 76 a1 be |y...j.JN..zZ}v..| +00000270 26 95 87 e4 8c 14 85 f3 a6 ec 9c 44 e2 80 04 96 |&..........D....| +00000280 12 6a c5 97 c0 0c 4e 94 49 ef f9 78 38 09 c7 65 |.j....N.I..x8..e| +00000290 6c 51 2b 2a a3 da 9c 95 37 1a da 37 f6 da c2 79 |lQ+*....7..7...y| +000002a0 be 5a 1f 0a 59 5b d8 31 b8 c5 b1 12 ef 57 1b fc |.Z..Y[.1.....W..| +000002b0 62 8f de 94 3d 02 3c 96 cf 76 02 46 b7 64 0a 41 |b...=.<..v.F.d.A| +000002c0 87 94 d6 98 61 82 8c ff 9f 42 dc f0 8e 6a 59 a5 |....a....B...jY.| +000002d0 17 03 03 00 35 ec 44 9e 59 91 95 ae 8d f5 90 13 |....5.D.Y.......| +000002e0 6e cf e5 4c a3 89 a0 65 54 f8 6c c0 b7 12 2b 26 |n..L...eT.l...+&| +000002f0 fb d6 16 33 1e cd 5f dc c1 06 f3 6e 9a 5a 30 c8 |...3.._....n.Z0.| +00000300 87 6a ee 13 06 b8 30 c6 33 3b 17 03 03 00 17 a4 |.j....0.3;......| +00000310 d8 51 e6 cd d0 30 f3 2b 5d 17 fa d4 c8 96 d1 8c |.Q...0.+].......| +00000320 2d b6 58 68 c7 93 17 03 03 00 13 1b a1 ec 18 a4 |-.Xh............| +00000330 6f c6 5a 27 a3 1c a3 75 6d bd 68 61 28 cd |o.Z'...um.ha(.| diff --git a/pkg/tls/testdata/Client-TLSv13-ClientCert-Ed25519 b/pkg/tls/testdata/Client-TLSv13-ClientCert-Ed25519 new file mode 100644 index 000000000..94abf0667 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv13-ClientCert-Ed25519 @@ -0,0 +1,123 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 63 7c fe 18 f1 |....z...v..c|...| +00000010 82 47 f8 e9 56 0a ef 41 1c da 7b ef 4e 37 f7 37 |.G..V..A..{.N7.7| +00000020 9c 70 58 73 97 a4 2b df 93 24 98 20 00 00 00 00 |.pXs..+..$. ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 03 00 00 |................| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 fe |..+.....3.$... .| +00000060 8e 92 58 47 f1 85 83 58 b6 18 1a 05 fb 40 99 25 |..XG...X.....@.%| +00000070 10 d0 6d 4c c0 43 8b b5 a9 18 51 8f 84 73 56 14 |..mL.C....Q..sV.| +00000080 03 03 00 01 01 17 03 03 00 17 3e f9 39 72 d3 bd |..........>.9r..| +00000090 1f 3f ff 30 cb 7e f8 3d a7 7d 8c 09 94 d3 79 24 |.?.0.~.=.}....y$| +000000a0 10 17 03 03 00 42 28 16 54 10 dd db 62 c6 08 c9 |.....B(.T...b...| +000000b0 56 43 8d 0e 04 bc d1 78 54 21 1f 08 c0 80 e2 76 |VC.....xT!.....v| +000000c0 8b 64 e2 63 97 a8 73 8a 14 16 2f 92 39 9c 59 e9 |.d.c..s.../.9.Y.| +000000d0 59 a0 88 4b 9d 19 49 cf 34 98 c5 2a 48 eb d2 0f |Y..K..I.4..*H...| +000000e0 95 7a 25 f2 23 b3 88 61 17 03 03 02 6d 98 62 0c |.z%.#..a....m.b.| +000000f0 ed 07 3e a7 5b 8e 69 20 90 cb ff 25 06 fb 80 dc |..>.[.i ...%....| +00000100 b6 e6 bc 95 9c 6b 1e b4 11 a7 2f 72 17 c7 b5 67 |.....k..../r...g| +00000110 93 a9 5c b8 ef aa e1 cb 6b f4 2d db e3 a4 c9 cf |..\.....k.-.....| +00000120 66 45 d9 1d 02 1d 9c b7 84 4f 83 5b 7f f3 16 0a |fE.......O.[....| +00000130 f7 37 86 19 c0 29 95 5a aa 46 62 10 c9 22 62 f0 |.7...).Z.Fb.."b.| +00000140 4f a9 a3 75 ea 46 af 75 54 9e 69 87 ce a9 d9 b9 |O..u.F.uT.i.....| +00000150 35 d6 c0 4a f0 22 0b d1 e5 4b 48 99 70 fa bc ed |5..J."...KH.p...| +00000160 8a 8b 7d a2 f0 52 3d e0 bc d3 7e ca 1b 89 b6 78 |..}..R=...~....x| +00000170 24 8d 13 0d 7d f2 3f d7 71 c9 d6 5a 00 8e 8c 7f |$...}.?.q..Z....| +00000180 ed 5b 39 f3 67 76 c3 7a 75 1e 4a 4b 63 36 e7 d4 |.[9.gv.zu.JKc6..| +00000190 04 46 e0 17 f4 d0 41 9d cf 01 f4 f7 b4 7e 11 73 |.F....A......~.s| +000001a0 c4 46 ac d3 78 54 17 83 10 12 48 d1 36 ee 37 90 |.F..xT....H.6.7.| +000001b0 f1 5f 7d f9 bc ac 95 ae 01 0e ca 0d 93 07 6e 87 |._}...........n.| +000001c0 c9 27 79 46 0f 27 a1 31 f8 92 9e 73 3d 2e 29 f5 |.'yF.'.1...s=.).| +000001d0 88 d1 67 a6 6a fb d5 59 39 65 46 b0 92 11 55 de |..g.j..Y9eF...U.| +000001e0 6f 9f 1d ea a0 71 65 4c c8 03 b7 f1 25 ff f1 c9 |o....qeL....%...| +000001f0 fa a7 1e 36 f3 91 bd d7 91 00 b5 3e 6f b1 67 5b |...6.......>o.g[| +00000200 fc 64 1d 76 0e a7 36 15 93 a1 ea 53 06 15 2b cf |.d.v..6....S..+.| +00000210 29 ea c6 5b 58 bb 08 a0 b8 9c e1 70 8d 2d 55 81 |)..[X......p.-U.| +00000220 ac d9 0d 45 ec f9 c3 56 31 00 db 46 81 68 98 db |...E...V1..F.h..| +00000230 8d 97 ce d1 b9 83 af 5f 6a a2 1a 22 2f 52 a0 d1 |......._j.."/R..| +00000240 8c 40 35 68 a2 ee 30 ef d4 bf 08 46 76 7c dd 57 |.@5h..0....Fv|.W| +00000250 c3 fb 7d fd af 01 37 cc c2 44 f6 cf 80 f4 ab c2 |..}...7..D......| +00000260 2e 82 18 5e c4 91 a8 b7 ad 29 e7 54 4f 02 47 5e |...^.....).TO.G^| +00000270 82 26 25 c6 b5 8e c9 a7 19 00 32 1b 3b e8 8c 35 |.&%.......2.;..5| +00000280 25 01 ed e4 b2 29 e2 f4 d7 0f c8 39 f8 5d 7b 1e |%....).....9.]{.| +00000290 db 7b 39 f4 e2 cd 1a 57 07 48 2b 15 e4 39 03 54 |.{9....W.H+..9.T| +000002a0 cf 39 fe 3d 15 47 bb 87 cf a5 f4 17 cc ad dd fa |.9.=.G..........| +000002b0 58 b6 e8 23 9c 1d 92 6b 32 36 12 ba 87 56 a4 2f |X..#...k26...V./| +000002c0 fe cc 93 98 62 84 5c e6 f9 fd d4 86 df ce 42 32 |....b.\.......B2| +000002d0 08 da a4 13 40 a0 33 c2 2a 54 2b da 50 5b 27 d9 |....@.3.*T+.P['.| +000002e0 3a 76 16 6c 89 bf 31 48 a3 ad c3 a6 ee 17 7d 86 |:v.l..1H......}.| +000002f0 88 52 57 77 01 94 ba dc f0 a6 c3 d3 30 ae be aa |.RWw........0...| +00000300 11 0a e8 54 8c b2 cb 7f e6 b6 d3 17 f4 2e 54 94 |...T..........T.| +00000310 31 43 33 07 5d 51 96 11 21 91 f9 7e 93 79 70 85 |1C3.]Q..!..~.yp.| +00000320 d3 0b ee fd 0e eb db ad 71 fe ba fc fe fa ef 0e |........q.......| +00000330 a1 a4 c5 99 e2 fa 3c df 8b 52 33 89 fd 15 45 1b |......<..R3...E.| +00000340 4e 5f 0e ca e9 c5 6e 11 06 ae 37 2a db 4c 9f 2c |N_....n...7*.L.,| +00000350 21 67 af e7 ae 09 e8 96 2f f0 17 03 03 00 99 ed |!g....../.......| +00000360 df 2c ff 14 ed 8e 5e 83 63 5d 82 99 19 ef 4c b1 |.,....^.c]....L.| +00000370 4b f6 88 29 27 72 b4 47 41 ab 61 58 67 7f 1c d0 |K..)'r.GA.aXg...| +00000380 a5 6d 83 3a 4e be 98 7d 55 e3 cc a5 24 41 28 91 |.m.:N..}U...$A(.| +00000390 33 b8 94 a8 e3 54 88 2b 22 89 c2 b8 86 96 d0 24 |3....T.+"......$| +000003a0 99 6c 4c 26 ee 39 67 b6 8b 30 49 b9 d4 cd c0 b3 |.lL&.9g..0I.....| +000003b0 bd f0 1d 2c 96 c7 9c 10 a7 4b 0e 2b 51 92 96 2f |...,.....K.+Q../| +000003c0 70 40 12 f3 91 53 eb 25 34 e6 ae ef df d4 3e f5 |p@...S.%4.....>.| +000003d0 fa 9f c2 85 71 5d 21 fd ee e0 3b 5a 23 db 19 e6 |....q]!...;Z#...| +000003e0 ce 04 6c e6 37 2c 43 df 4c 1f 0a 84 36 5e 26 82 |..l.7,C.L...6^&.| +000003f0 fa f4 38 ea 49 bb d2 65 17 03 03 00 35 a7 a0 78 |..8.I..e....5..x| +00000400 91 74 da 83 6f bd 49 ae 52 e2 c2 a7 d9 b4 a1 bc |.t..o.I.R.......| +00000410 b8 59 ab 56 25 60 05 39 db 3b 5e 95 6f a6 43 b9 |.Y.V%`.9.;^.o.C.| +00000420 1b 7a 84 ac ea 8a 62 f2 7c 50 68 43 0a c8 71 25 |.z....b.|PhC..q%| +00000430 44 a0 |D.| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 01 50 e5 d5 ff 01 ac |..........P.....| +00000010 29 be dc aa 07 05 88 f6 e6 ae aa 3f 10 c6 72 1e |)..........?..r.| +00000020 31 1a dc e5 64 ab 1f 82 60 0a a3 24 59 4a 91 86 |1...d...`..$YJ..| +00000030 d0 90 e5 5a ca ad 5b c4 18 a6 c3 d8 56 7b 86 7c |...Z..[.....V{.|| +00000040 53 b4 59 7e 91 5d 9c 32 11 44 66 7c 75 43 d1 d9 |S.Y~.].2.Df|uC..| +00000050 dc bd 99 7d 37 37 c1 be ef 61 bf fb b4 f4 2e 2e |...}77...a......| +00000060 c5 66 fa d2 a1 86 4e 42 03 ed 7b 78 2b 82 f8 6d |.f....NB..{x+..m| +00000070 f5 12 6f 60 c7 93 03 12 43 5a 4b 21 25 88 8b 54 |..o`....CZK!%..T| +00000080 37 2e 9b 1d bb 86 4a 85 80 e2 cb b1 0b 38 05 b1 |7.....J......8..| +00000090 d2 a7 04 c6 a3 db df cb 18 90 db 17 dd f1 04 44 |...............D| +000000a0 c0 5a ce ed 39 4e 89 91 8c 00 a2 8e 5f c4 64 8d |.Z..9N......_.d.| +000000b0 22 e5 53 7c ea 2d 09 65 0f 76 31 ef 50 b6 b7 6f |".S|.-.e.v1.P..o| +000000c0 a4 63 83 c2 90 07 67 28 37 c2 56 cb 56 71 92 3c |.c....g(7.V.Vq.<| +000000d0 ea 34 3b 54 58 78 b1 c0 ef 1c fc 4e c4 c5 f7 89 |.4;TXx.....N....| +000000e0 55 f4 95 c0 bc af 1f 9e 0d f3 b8 35 54 64 c2 4b |U..........5Td.K| +000000f0 cc 4b 30 6f e0 5c 7b 51 1c 05 51 b3 6a f2 60 1f |.K0o.\{Q..Q.j.`.| +00000100 a5 26 ec ad 5f 93 1a 45 f9 88 73 5a 9a 51 fe c8 |.&.._..E..sZ.Q..| +00000110 1a e7 9b 8c 9d a6 55 68 57 80 a5 81 8e bd 1a 5f |......UhW......_| +00000120 9d 56 89 8f 32 9a 5b 4c 60 e0 b2 73 e5 5c 04 62 |.V..2.[L`..s.\.b| +00000130 62 1c ee 89 6d 00 4a bb e0 b9 5f 6f f3 a7 5e bc |b...m.J..._o..^.| +00000140 95 a1 a8 a7 94 c2 06 19 97 0f 2f ff b0 95 c6 39 |........../....9| +00000150 8d 96 59 71 87 90 34 76 b2 3b 7d 17 03 03 00 59 |..Yq..4v.;}....Y| +00000160 7d ba 65 99 35 1b 2b 93 b1 76 99 9a 5a 90 4c 2a |}.e.5.+..v..Z.L*| +00000170 2a 14 1e 99 dd 23 10 95 fb 5b 9f 28 47 4d 41 3e |*....#...[.(GMA>| +00000180 71 d4 93 20 ee 69 32 85 b5 59 2a d0 1c 19 53 84 |q.. .i2..Y*...S.| +00000190 46 0d cc 6a 9b a3 83 68 22 79 e5 e3 f4 56 a9 76 |F..j...h"y...V.v| +000001a0 a0 9f d9 3c 27 3f 28 cb ab eb f3 55 41 2b ce 6f |...<'?(....UA+.o| +000001b0 5a e5 22 c1 c9 0f 44 fc 8f 17 03 03 00 35 f6 80 |Z."...D......5..| +000001c0 8e d2 cc 5b 6d 94 18 83 d2 70 87 e5 2c f2 0a 7a |...[m....p..,..z| +000001d0 44 a4 e9 6d f3 74 02 61 1b 87 6c b7 bf 8a ba 41 |D..m.t.a..l....A| +000001e0 3b d8 18 2f 1d ad c3 9c c8 6c c9 a0 82 7c bf 2b |;../.....l...|.+| +000001f0 f8 c2 09 17 03 03 00 17 79 0a 43 29 1d d6 b5 fc |........y.C)....| +00000200 fe 27 55 b8 5a 69 f1 b9 ed 31 63 2f 51 76 e1 17 |.'U.Zi...1c/Qv..| +00000210 03 03 00 13 72 86 7e a3 6c af 2b e3 85 4c 16 74 |....r.~.l.+..L.t| +00000220 97 73 48 96 ba 46 bd |.sH..F.| diff --git a/pkg/tls/testdata/Client-TLSv13-ClientCert-RSA-ECDSA b/pkg/tls/testdata/Client-TLSv13-ClientCert-RSA-ECDSA new file mode 100644 index 000000000..e0acf8984 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv13-ClientCert-RSA-ECDSA @@ -0,0 +1,135 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 17 5d 17 94 35 |....z...v...]..5| +00000010 cc 45 ba fc 44 dd 02 57 2c 67 67 c1 f9 7d bb 52 |.E..D..W,gg..}.R| +00000020 fb 5e dd a2 29 43 14 95 be a7 98 20 00 00 00 00 |.^..)C..... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 03 00 00 |................| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 8f |..+.....3.$... .| +00000060 cd f2 33 7c ee 70 18 fa 98 64 43 1b 24 e2 80 80 |..3|.p...dC.$...| +00000070 a9 e3 3c 49 f3 a2 68 b6 ba 09 3b ef f4 4e 20 14 |..-..@..7S..| +00000120 8a da 06 d7 26 a9 ae e0 f4 b3 d2 33 37 06 8d 76 |....&......37..v| +00000130 24 63 42 33 65 ad dd 23 c3 cb b3 6f 8c 0c ee be |$cB3e..#...o....| +00000140 63 1a 61 13 29 2a af 74 67 6a 19 d7 22 12 8a dc |c.a.)*.tgj.."...| +00000150 ce 77 81 26 b1 1a 2b 5d 77 0c 9a 65 6d 75 f0 90 |.w.&..+]w..emu..| +00000160 95 66 84 3d d6 fd 95 c5 dd fd 80 5b 8e ab 1b 0b |.f.=.......[....| +00000170 f1 f0 b9 8c fc e2 3b ce 05 03 ef dc 4b 08 69 af |......;.....K.i.| +00000180 22 58 7b ab 6b cf 8e 63 40 e4 8d c3 5c f4 29 cc |"X{.k..c@...\.).| +00000190 d7 d2 17 94 af a3 ff 31 e4 75 78 c5 17 fb 84 f5 |.......1.ux.....| +000001a0 e0 4b f8 70 3d 57 e0 dc 70 c5 5e 44 5a ea 2a 33 |.K.p=W..p.^DZ.*3| +000001b0 22 47 a3 e4 7a 95 d6 10 7e 6f 87 b4 bc 5a 9a ba |"G..z...~o...Z..| +000001c0 99 af 7c 0d 6f 4d cc c7 0d 12 c9 99 e1 d7 90 2d |..|.oM.........-| +000001d0 8c 7b 24 11 c6 3e d0 16 fb a5 87 06 8f b5 e3 a5 |.{$..>..........| +000001e0 f2 e5 d4 76 09 9e 9f ec ef 58 b0 34 9c ff 21 aa |...v.....X.4..!.| +000001f0 48 a0 c8 2e ca 2d 8a cc ad aa 9a 07 bd cc e4 12 |H....-..........| +00000200 cd 33 5d b2 a7 95 a2 8c e0 74 5b 6f e3 dd ce af |.3]......t[o....| +00000210 05 8a fe 52 d8 23 b8 70 bd 45 90 38 05 bf d5 89 |...R.#.p.E.8....| +00000220 0f 4b 08 83 03 07 f0 24 bc 9d a9 d7 f4 0a 2b 94 |.K.....$......+.| +00000230 82 f1 7a 3b 49 85 06 0e d9 e6 c8 7c 69 f9 f6 61 |..z;I......|i..a| +00000240 34 0e 6e 8c c5 76 18 f0 88 22 a0 3d b5 9a 92 55 |4.n..v...".=...U| +00000250 88 37 ff 06 53 a9 64 4c 7d 12 c8 ac 72 de 74 d6 |.7..S.dL}...r.t.| +00000260 62 ea 27 f5 e8 d1 09 a2 b1 df 1d 32 d3 15 b0 52 |b.'........2...R| +00000270 98 fd 24 0b dd 33 0a 88 92 d1 cf c5 1a ef 27 8a |..$..3........'.| +00000280 7d b2 59 74 97 24 9c c3 cc 0e 1c a5 26 c7 5a 10 |}.Yt.$......&.Z.| +00000290 0d be 10 b2 bc 79 76 21 b5 b7 48 24 59 08 41 4d |.....yv!..H$Y.AM| +000002a0 3c 31 ad cf 02 4b ed a5 fb 0d d7 55 60 fa cf 04 |<1...K.....U`...| +000002b0 dd 84 0c 0b e9 eb ea 6d e2 33 9d 04 1d 0b fe b1 |.......m.3......| +000002c0 e2 cd 2d c8 84 2d be fd ae 9e 1a 61 70 b9 d4 6e |..-..-.....ap..n| +000002d0 74 9f 68 b3 60 aa 42 bc 98 8d d7 45 f4 3b 00 2b |t.h.`.B....E.;.+| +000002e0 0d 55 f4 14 5d 9a ab f9 d1 af 9c b3 18 e3 8d f9 |.U..]...........| +000002f0 8d 11 89 3e e7 6a f2 b8 52 fd 67 71 37 b4 ec c1 |...>.j..R.gq7...| +00000300 6f d9 d6 57 67 4d 05 48 22 3a 4b 79 3b 2c 70 17 |o..WgM.H":Ky;,p.| +00000310 03 03 00 a3 c6 8b 11 15 2c 6f 55 2f 96 01 24 f1 |........,oU/..$.| +00000320 bd c2 79 09 2f d3 ff 9a bb a4 b8 f5 f3 fe 85 d7 |..y./...........| +00000330 7a 21 b9 92 e6 b5 89 c9 fb fb e2 4a 8f 5a 5c 63 |z!.........J.Z\c| +00000340 7d 8c 4e 9a 27 1b 4a bb e4 bb f0 cf 3f 5c c6 db |}.N.'.J.....?\..| +00000350 d8 83 bf 57 be ac ed 5f 1a 2c 10 77 7c b7 70 0f |...W..._.,.w|.p.| +00000360 4b 2d 93 e5 46 d1 75 fa e4 da 73 c2 72 d6 48 6f |K-..F.u...s.r.Ho| +00000370 0d 21 eb 9d 2b d3 12 d9 d1 3c 9b 56 c3 90 2d 1b |.!..+....<.V..-.| +00000380 79 9a ab e8 2c 55 0e 67 0b 58 f8 ac 24 3a 6c a5 |y...,U.g.X..$:l.| +00000390 34 29 30 6a b3 84 5a bc 59 f8 9c 07 75 b1 e8 ed |4)0j..Z.Y...u...| +000003a0 80 96 11 ad da 74 3b d8 9c 5c 71 8f a6 30 ad 77 |.....t;..\q..0.w| +000003b0 e7 64 13 50 5e 76 ef 17 03 03 00 35 b3 db 05 94 |.d.P^v.....5....| +000003c0 08 9b e0 1d 45 12 11 c7 b0 5e 61 ac a0 e7 8e 80 |....E....^a.....| +000003d0 30 7f 20 19 69 da 73 06 a5 dd 7c 85 4e fa cc 37 |0. .i.s...|.N..7| +000003e0 2c f8 4e fd ce 2b 4b f4 fd 68 de 23 15 36 00 8c |,.N..+K..h.#.6..| +000003f0 e7 |.| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 02 11 ee 00 8e e7 34 |...............4| +00000010 b5 6f 32 2e e9 11 e3 7f 24 ff 64 6a 47 04 6d f7 |.o2.....$.djG.m.| +00000020 3a 92 d5 45 12 92 c7 67 ea 91 31 9e 6e 61 a1 52 |:..E...g..1.na.R| +00000030 9c e6 16 17 d3 8e 9e 41 85 1f a5 6a 69 97 53 f8 |.......A...ji.S.| +00000040 35 b8 81 43 af 59 25 fc 78 42 b4 6f c1 4b 54 e2 |5..C.Y%.xB.o.KT.| +00000050 e1 c1 97 b5 74 ea c8 b7 42 20 b2 42 27 68 7d f7 |....t...B .B'h}.| +00000060 8c e0 18 53 46 e1 fc 86 55 bc 28 8a e1 95 94 24 |...SF...U.(....$| +00000070 d4 38 80 a7 7e 85 2c a9 81 c2 4b c7 51 d5 0f 1f |.8..~.,...K.Q...| +00000080 88 8a 93 7d 74 53 1e f3 2b b6 b3 4a b5 a8 0c ea |...}tS..+..J....| +00000090 c4 6e 10 c3 8f ac 96 2f c5 6b 63 f0 11 b0 38 81 |.n...../.kc...8.| +000000a0 16 3c 96 fb d0 e9 18 5a 08 a0 f4 5e f0 6d 01 ff |.<.....Z...^.m..| +000000b0 13 04 c3 f7 e8 23 2a 06 32 6d 2b f1 d4 cc 60 ab |.....#*.2m+...`.| +000000c0 c9 9e c8 08 1d 8a 06 ff 7f 26 e1 db 13 d5 cd 3e |.........&.....>| +000000d0 5f 61 11 9b 43 cc 1e 19 32 6e 01 f0 79 3e cb 02 |_a..C...2n..y>..| +000000e0 7d 4c 27 ee b0 4a 24 44 c7 ff 16 e5 59 c0 b1 2f |}L'..J$D....Y../| +000000f0 9a f6 c5 39 1f f2 f3 f0 70 89 e3 cb a4 43 81 16 |...9....p....C..| +00000100 40 dd e2 3a e1 12 be 29 64 cb f3 f9 20 2c c9 62 |@..:...)d... ,.b| +00000110 84 9c 31 fb 9b 95 a4 ac 3e 1d f4 19 bb 0a ce 89 |..1.....>.......| +00000120 3a 33 9e 40 2b da 42 5c 71 59 54 bb 65 de eb 9e |:3.@+.B\qYT.e...| +00000130 71 46 40 9f 3d 6d 88 3a 0d b9 08 63 7d 4f a3 5b |qF@.=m.:...c}O.[| +00000140 9a 67 03 a0 d9 c6 47 4b 3b 11 d0 7b 13 fb 93 d1 |.g....GK;..{....| +00000150 fc 63 dc 45 f2 b4 8b 22 12 31 20 48 6e 9a 4e 7d |.c.E...".1 Hn.N}| +00000160 3f 7e cd 09 6a ea 5f a1 0a e5 d8 80 c0 ed 6a cb |?~..j._.......j.| +00000170 0a af 1e 8f 88 63 63 13 49 02 d9 01 87 03 4f 9f |.....cc.I.....O.| +00000180 cc a2 5f 2f a8 3d 2b 9f a2 f0 81 b5 b0 d2 92 6c |.._/.=+........l| +00000190 8f 3b f6 5c 66 27 d4 98 6e 86 e5 a5 ab 3c 1b b8 |.;.\f'..n....<..| +000001a0 eb cb 72 d9 6c d8 49 9a 33 db 75 e6 3f ff 2a b0 |..r.l.I.3.u.?.*.| +000001b0 77 c6 02 f1 c0 a5 74 99 42 42 e8 97 b5 27 a9 11 |w.....t.BB...'..| +000001c0 af b7 65 b3 a8 51 dd 44 35 6e 0c 34 d5 b2 38 75 |..e..Q.D5n.4..8u| +000001d0 f0 cf 10 ff 5a 7a 16 ca bd 44 e8 99 91 50 9f db |....Zz...D...P..| +000001e0 8c ff 54 3a 24 73 de d1 29 5a 49 fc b3 d0 31 80 |..T:$s..)ZI...1.| +000001f0 6f 16 84 c1 83 cf 9d 75 d4 b5 a5 a0 a0 15 bc 03 |o......u........| +00000200 38 61 89 f5 16 98 25 f0 e8 72 28 3e d4 d6 64 66 |8a....%..r(>..df| +00000210 de ff be 71 34 7c b1 63 38 38 81 03 17 03 03 00 |...q4|.c88......| +00000220 99 3d e0 6d 2f 4c 22 62 d8 5f 0b 53 8a 99 c4 b2 |.=.m/L"b._.S....| +00000230 66 88 d0 71 0c 90 b3 2e 9c 24 d1 89 4d f0 4d 29 |f..q.....$..M.M)| +00000240 a7 11 87 db 08 cd 04 6c 1f 60 54 12 47 83 c7 82 |.......l.`T.G...| +00000250 be 1b d8 ed 2f 43 c1 cf 63 21 bc 21 80 ad 7b ed |..../C..c!.!..{.| +00000260 5c 0b 41 0d 5e 63 eb 82 15 69 d7 11 c4 3f 0d fb |\.A.^c...i...?..| +00000270 07 96 34 a9 2c 9f 7f d7 fa 2c 24 c8 52 59 c3 07 |..4.,....,$.RY..| +00000280 03 c7 88 65 8a 20 f2 1a 23 f8 18 2e 94 c6 be 77 |...e. ..#......w| +00000290 bc 6e ff 7e 83 3e 9f 1f 77 b5 2b 67 e9 3d 03 c7 |.n.~.>..w.+g.=..| +000002a0 b4 be 58 d1 12 69 39 3c 2d b3 dd 2e fb 41 b3 0b |..X..i9<-....A..| +000002b0 b2 74 d0 80 8a 90 40 ab 59 30 17 03 03 00 35 ef |.t....@.Y0....5.| +000002c0 7c c8 f8 01 6b 69 36 b2 26 9f 65 d8 a8 04 8a 41 ||...ki6.&.e....A| +000002d0 58 e3 7a 6d 55 94 ec 09 df 6a a8 0d 86 54 c3 00 |X.zmU....j...T..| +000002e0 a8 c2 46 e1 c0 83 fd 16 40 98 b3 5d c6 cc dc 3f |..F.....@..]...?| +000002f0 c2 4f 95 61 17 03 03 00 17 39 cc 91 bc 98 39 0c |.O.a.....9....9.| +00000300 1c 43 3c b5 cb 3b c0 99 68 9c 31 b5 1a d0 41 f9 |.C<..;..h.1...A.| +00000310 17 03 03 00 13 65 9c ec ea 6e ac de 8c aa 1d 5e |.....e...n.....^| +00000320 ff 7f 0d 3e 84 7a 90 6a |...>.z.j| diff --git a/pkg/tls/testdata/Client-TLSv13-ClientCert-RSA-RSAPSS b/pkg/tls/testdata/Client-TLSv13-ClientCert-RSA-RSAPSS new file mode 100644 index 000000000..ec1818751 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv13-ClientCert-RSA-RSAPSS @@ -0,0 +1,144 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 60 e7 99 c9 b0 |....z...v..`....| +00000010 be be 74 84 1e 55 cd 83 d6 0d ba 9c a0 44 fb b4 |..t..U.......D..| +00000020 a8 f6 3c 93 12 de 47 4a 7f 32 a6 20 00 00 00 00 |..<...GJ.2. ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 03 00 00 |................| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 1d |..+.....3.$... .| +00000060 6d 42 7d 8f 02 04 a1 81 8a eb 36 fd 64 4b d1 6c |mB}.......6.dK.l| +00000070 98 e8 69 82 2e 92 7a 27 53 4f 74 bb 68 f2 7d 14 |..i...z'SOt.h.}.| +00000080 03 03 00 01 01 17 03 03 00 17 2d 08 0f 31 27 58 |..........-..1'X| +00000090 7b 40 eb cc 81 b9 7b 78 b4 c1 60 1e 10 74 3e f7 |{@....{x..`..t>.| +000000a0 dc 17 03 03 00 20 af 35 53 ab e6 10 47 24 e5 79 |..... .5S...G$.y| +000000b0 70 53 da 8e a2 bf 9a 81 ab 4d ba 80 09 40 e4 02 |pS.......M...@..| +000000c0 8c cb cc 78 1c d4 17 03 03 02 7a 9a eb 2c 4f f5 |...x......z..,O.| +000000d0 1a b9 d5 bc 47 d1 bc 35 47 07 66 bf 6d c9 35 b2 |....G..5G.f.m.5.| +000000e0 b2 78 ef 18 22 9a e4 fa b4 f8 12 0e fd aa a4 f7 |.x.."...........| +000000f0 9f f6 5b 2a 7b 05 c1 52 f8 2e 53 84 6c ef 51 e7 |..[*{..R..S.l.Q.| +00000100 4f e2 f5 e9 4b 20 da 94 5d 97 bb c2 66 fb 74 38 |O...K ..]...f.t8| +00000110 d6 15 0c c9 6e c6 67 ac ad 6f 4d d2 bf a2 13 29 |....n.g..oM....)| +00000120 87 69 9b 4d cd 2e 83 60 db 5f ee f3 80 64 02 93 |.i.M...`._...d..| +00000130 4f 1e 35 0b 01 25 1f cd 27 24 7a 82 8d 00 94 3a |O.5..%..'$z....:| +00000140 34 b0 f2 53 36 0b f6 04 d3 25 2a 4e 2a 7e 26 98 |4..S6....%*N*~&.| +00000150 41 ce 68 64 17 c9 65 9e f7 f9 bb df ee fb cb 74 |A.hd..e........t| +00000160 db 7d 8a 43 d2 49 03 f6 e5 be e1 5e 45 df 77 c4 |.}.C.I.....^E.w.| +00000170 1d 6e 9c ec 29 51 2b 7f 5e 75 46 05 50 39 5f fa |.n..)Q+.^uF.P9_.| +00000180 5f 53 04 56 25 87 09 26 36 8d 55 ac 03 87 35 28 |_S.V%..&6.U...5(| +00000190 52 05 c0 23 ff d5 57 58 7a 63 09 9d 87 15 b4 35 |R..#..WXzc.....5| +000001a0 d9 40 19 4e 67 ce cd be 5b a0 14 e2 a8 4a ad 44 |.@.Ng...[....J.D| +000001b0 ea a9 1b 14 e7 30 05 c9 23 48 4a 7a 7a 3f cc 9a |.....0..#HJzz?..| +000001c0 ce ca 0e 5f a0 79 17 e0 e7 5b 30 79 38 2d 5b 1e |..._.y...[0y8-[.| +000001d0 5c ae 4e 1f 00 ed fb 9f b6 e7 92 42 7d f0 30 82 |\.N........B}.0.| +000001e0 70 18 dc 07 c1 64 ec 09 7e d7 8f eb 68 31 75 cb |p....d..~...h1u.| +000001f0 69 24 30 89 8b 69 df 69 86 23 77 d2 61 4b 66 7e |i$0..i.i.#w.aKf~| +00000200 6d 34 50 a5 da 86 12 22 e3 51 ac 6a 23 55 d4 d5 |m4P....".Q.j#U..| +00000210 51 73 ac 85 c9 3a 57 c2 4b 55 96 4b c6 cc 62 15 |Qs...:W.KU.K..b.| +00000220 c9 10 09 ac ec 75 1a a6 3e e8 da aa 4d fe 7d 51 |.....u..>...M.}Q| +00000230 80 c3 a7 98 5d 29 cf c6 a0 8c 37 6e a8 f0 ad 41 |....])....7n...A| +00000240 34 60 44 98 57 3a 97 1f 29 08 f4 fc 4e 76 2e 0b |4`D.W:..)...Nv..| +00000250 26 8d fa 6c 38 0e 17 8a 2c de 51 94 f5 37 63 a0 |&..l8...,.Q..7c.| +00000260 40 71 51 c0 b9 d4 04 b2 ef 88 80 8f 34 74 35 5a |@qQ.........4t5Z| +00000270 c4 96 68 4f 27 0c 53 db f4 3c d1 88 86 b2 24 4f |..hO'.S..<....$O| +00000280 c7 a7 d9 b4 56 22 e5 9d 3f ec eb 1a af 77 9a 47 |....V"..?....w.G| +00000290 26 bb d5 3d 90 1d 6d fb d9 29 7e b4 b2 b2 ec 10 |&..=..m..)~.....| +000002a0 67 de d2 02 74 b3 91 a0 c4 b3 7c ba bb 90 b5 da |g...t.....|.....| +000002b0 97 fb 84 cd 4b 5e 33 c0 0a 56 73 98 8c 81 5b 9d |....K^3..Vs...[.| +000002c0 8d 83 df c3 8d 3d 3c 58 55 a3 e7 bd ef d0 37 0b |.....=....| +000002f0 c8 ae d8 84 06 2c 64 3c 35 a7 39 e4 a6 9e 0c 59 |.....,d<5.9....Y| +00000300 89 59 9a dd c3 fb 6c ae 34 ec 66 c5 d5 1f 7b 13 |.Y....l.4.f...{.| +00000310 66 23 8d 22 93 da 53 6c 3f 85 bb 5c 52 75 ba 81 |f#."..Sl?..\Ru..| +00000320 e8 bf 57 ce a8 45 68 ad 57 2f 4e 51 d3 65 f3 d0 |..W..Eh.W/NQ.e..| +00000330 1f 09 1e 3f 5e a1 9e 56 61 ca 88 e7 44 f6 f6 93 |...?^..Va...D...| +00000340 cb ae 28 2b 74 17 03 03 00 99 de 30 0f 41 8e d8 |..(+t......0.A..| +00000350 37 a0 c4 f3 af c3 f8 39 b7 44 83 6a c4 11 9e a4 |7......9.D.j....| +00000360 a9 f0 08 22 77 ce 09 a3 2d 94 99 2a c7 1b 9c 25 |..."w...-..*...%| +00000370 b6 79 ec 7b 2f 70 6a bd 2f f0 0f e0 6d 6e c0 69 |.y.{/pj./...mn.i| +00000380 0c 52 13 1f f9 99 97 04 2f fc fb f8 0a 4b ab bc |.R....../....K..| +00000390 a3 00 02 7f 0f 30 e2 66 c2 df 63 69 ad 08 76 ec |.....0.f..ci..v.| +000003a0 58 99 42 6a 11 e6 7a 27 57 98 71 c9 4d 78 c8 4a |X.Bj..z'W.q.Mx.J| +000003b0 3a 62 59 62 fb 2b 6f 15 79 22 50 40 bf db 29 d5 |:bYb.+o.y"P@..).| +000003c0 32 e5 e7 1e 76 50 05 e4 26 24 97 79 2a 9a a5 ec |2...vP..&$.y*...| +000003d0 c7 8c 68 e3 71 97 0c 85 51 74 db 5b 86 fb fb 23 |..h.q...Qt.[...#| +000003e0 e6 ef 57 17 03 03 00 35 5c 96 e3 26 e5 49 d8 02 |..W....5\..&.I..| +000003f0 b0 d0 4d 20 15 72 76 49 48 ee 2b 0a 19 44 05 cd |..M .rvIH.+..D..| +00000400 b1 0a 76 4e a9 21 45 5e de 00 6b c3 53 7c c9 8d |..vN.!E^..k.S|..| +00000410 43 72 06 78 0c ce 78 0f 01 ca d1 92 e5 |Cr.x..x......| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 02 7a 98 e7 1d af de |..........z.....| +00000010 f0 97 05 09 b8 cc a4 5e e2 ba 26 13 bd dd a4 de |.......^..&.....| +00000020 c6 fd 81 dc 0c 55 68 d8 90 32 36 e2 1d 05 15 c4 |.....Uh..26.....| +00000030 d2 c6 2b 99 b3 22 fd 4a 15 82 34 93 f8 39 04 6c |..+..".J..4..9.l| +00000040 e0 d1 c3 d3 16 77 dc 51 65 f9 ac 04 1d 38 8e e7 |.....w.Qe....8..| +00000050 10 ee 22 c6 25 6b 20 e7 1d e7 89 c1 88 ee d9 80 |..".%k .........| +00000060 29 45 83 64 12 a6 50 18 42 04 1f 34 15 35 24 f9 |)E.d..P.B..4.5$.| +00000070 86 0b a0 be c6 4b 9b ab 7f 07 7f 74 09 78 56 77 |.....K.....t.xVw| +00000080 72 ef 57 52 22 14 38 ee 70 e8 93 38 b0 cc cc 13 |r.WR".8.p..8....| +00000090 fe 3f 04 a2 af 20 f4 cf f4 bc 22 76 54 9e 43 63 |.?... ...."vT.Cc| +000000a0 e6 2d 77 c3 b8 b2 79 79 b8 89 86 9e 3c 01 c2 4b |.-w...yy....<..K| +000000b0 a7 48 3c 7b 5d 74 6e 79 88 e1 3b 73 e0 04 57 20 |.H<{]tny..;s..W | +000000c0 f7 36 c8 1a 9a 09 b2 77 20 6d 1b 7c 01 d2 6a 66 |.6.....w m.|..jf| +000000d0 8e 9a 14 02 ef 7d 26 52 eb 50 93 56 77 d7 04 3b |.....}&R.P.Vw..;| +000000e0 62 6f 9e 64 f4 f5 d6 83 f6 27 d8 37 05 cb dc 86 |bo.d.....'.7....| +000000f0 df 7f 0a 7e bc 23 bf 5a b4 72 b9 5e 1c 8b b5 e8 |...~.#.Z.r.^....| +00000100 b8 d7 3e a8 72 0a 2b c0 cc b0 6b a2 f9 5a db 1d |..>.r.+...k..Z..| +00000110 ea 5a b1 28 d0 ad 0c db 91 45 b9 b7 cd 25 51 1b |.Z.(.....E...%Q.| +00000120 47 e8 9e bf 25 6b 65 a9 c7 ed 39 a1 68 49 83 55 |G...%ke...9.hI.U| +00000130 3c 74 36 dc 71 f6 38 72 20 94 53 bf fb 0a 1c b4 |..r....v..Z/..c| +00000170 70 06 40 a8 57 46 c5 02 e1 74 71 2b e3 16 9e 6e |p.@.WF...tq+...n| +00000180 54 00 cc f1 9b ab e5 89 88 f8 84 47 c4 8a da 4a |T..........G...J| +00000190 62 d2 8d 64 8d 38 58 23 29 fa e9 41 c3 72 7b 3a |b..d.8X#)..A.r{:| +000001a0 5c fa b4 f5 12 be 1f cc 35 92 ec 24 8b c4 78 ef |\.......5..$..x.| +000001b0 3e db 36 a1 78 6c e6 51 a7 c4 1b fd bd 4d 6f b9 |>.6.xl.Q.....Mo.| +000001c0 7d 51 c3 a5 e7 cb 2a 20 99 74 4e 1d 1a 4f 6d ce |}Q....* .tN..Om.| +000001d0 fb 11 77 1c e5 20 f1 0e 38 8b 5e 6c af f4 98 63 |..w.. ..8.^l...c| +000001e0 e7 38 1c 31 62 12 0e e7 13 4b b9 ec c0 8d 84 aa |.8.1b....K......| +000001f0 1c 18 6e 4d 90 13 dc 01 a2 87 0e d8 b2 36 c1 d6 |..nM.........6..| +00000200 03 f6 a0 4c 83 de 88 b2 4e 97 be 4f 75 7b fb 42 |...L....N..Ou{.B| +00000210 84 e2 94 28 68 b0 37 4f bc 86 5d d4 74 84 15 53 |...(h.7O..].t..S| +00000220 a8 c8 47 86 0e fc d0 54 59 81 cb a6 c1 37 3b 1a |..G....TY....7;.| +00000230 2d a3 d7 2c 8c 23 f6 1f 0e 31 98 09 57 00 45 dc |-..,.#...1..W.E.| +00000240 35 e7 8f a7 24 74 e6 b0 3a 40 8c be e3 ff 0b 08 |5...$t..:@......| +00000250 3d c8 3d 84 ce 2c 1c 05 81 0c b5 83 8a de 2f 9f |=.=..,......../.| +00000260 6a 83 88 a0 c2 9d 26 2d 0f 9e 40 33 48 b7 59 c3 |j.....&-..@3H.Y.| +00000270 98 9c aa 3c 95 4b 86 35 02 91 dd 62 e0 2c 67 b6 |...<.K.5...b.,g.| +00000280 65 33 09 dc b4 17 03 03 00 99 94 6d 12 c3 3d 58 |e3.........m..=X| +00000290 0d 5d 8b 94 ba 26 20 97 12 a8 65 02 d1 d2 8c 8d |.]...& ...e.....| +000002a0 82 cb eb fa b3 e8 72 8b f2 4f 17 c8 52 53 9e 83 |......r..O..RS..| +000002b0 54 dc 84 37 be 3b 79 81 59 61 6f 67 ff cb c3 ae |T..7.;y.Yaog....| +000002c0 a1 9f d9 b0 a9 9d d0 8a 55 1f 58 48 a8 c6 2e c9 |........U.XH....| +000002d0 8e 79 6d 16 1b 68 db 45 40 84 a5 6a b1 fe a6 76 |.ym..h.E@..j...v| +000002e0 de 22 c9 a9 9a 95 a2 1d 96 86 9e 79 8f ed 0f fb |.".........y....| +000002f0 63 10 a0 d5 38 d5 78 e2 a6 6d 97 09 6e 17 1a 85 |c...8.x..m..n...| +00000300 2b 51 a4 a8 59 a1 06 6b 89 37 1e 5a 99 a3 66 89 |+Q..Y..k.7.Z..f.| +00000310 50 bc f7 49 e7 a9 82 da ec cf eb 33 76 af 65 76 |P..I.......3v.ev| +00000320 a5 84 93 17 03 03 00 35 5d 1d 31 e0 3b 1f 3f d6 |.......5].1.;.?.| +00000330 6c f9 55 6e 8f 86 1f 4f 85 a1 b5 3f c3 1e 3e ff |l.Un...O...?..>.| +00000340 29 9c a7 1d 06 e9 de d2 98 d5 fb 37 2e e6 2e ba |)..........7....| +00000350 b3 77 d0 d0 e6 ef 84 4e 05 14 47 2c 5e 17 03 03 |.w.....N..G,^...| +00000360 00 17 80 d7 97 10 67 71 db aa 0f 6f 76 86 20 37 |......gq...ov. 7| +00000370 0e a7 f1 53 71 c1 fe f7 09 17 03 03 00 13 79 a8 |...Sq.........y.| +00000380 bd 36 37 a9 5b b0 57 de c7 ea 2e 71 25 62 81 ea |.67.[.W....q%b..| +00000390 b5 |.| diff --git a/pkg/tls/testdata/Client-TLSv13-ECDSA b/pkg/tls/testdata/Client-TLSv13-ECDSA new file mode 100644 index 000000000..b1d1e6aac --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv13-ECDSA @@ -0,0 +1,87 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 be 96 55 22 ae |....z...v....U".| +00000010 2e be 57 a1 0a 48 2e e3 ac 8e a7 d0 d5 a6 47 a9 |..W..H........G.| +00000020 c4 11 bb e1 37 73 19 6b de 6b 2e 20 00 00 00 00 |....7s.k.k. ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 03 00 00 |................| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 0f |..+.....3.$... .| +00000060 ae 71 f3 56 39 91 5f 75 18 40 73 b7 82 b9 67 05 |.q.V9._u.@s...g.| +00000070 09 d6 be 04 1f 66 b4 c4 18 1a 19 1d e7 bb 15 14 |.....f..........| +00000080 03 03 00 01 01 17 03 03 00 17 7d 5b c9 52 40 79 |..........}[.R@y| +00000090 4b 2b 2e b9 cb 7c 16 1b 2e df 3c e9 69 24 ea 47 |K+...|....<.i$.G| +000000a0 7f 17 03 03 02 22 a0 a0 bf fa 2c 0c 99 08 ad 4d |....."....,....M| +000000b0 03 05 54 93 67 8f 95 31 61 16 cb ef 2f 30 7f b8 |..T.g..1a.../0..| +000000c0 f8 97 c9 7a a8 71 e8 f2 ab 73 51 c4 1c a5 f4 6c |...z.q...sQ....l| +000000d0 54 6e f0 42 ae 58 25 84 de 9b e1 08 2a df ba 1e |Tn.B.X%.....*...| +000000e0 e5 c7 8e 57 b8 a6 e4 6a c8 02 0d 77 e7 79 f7 a2 |...W...j...w.y..| +000000f0 3a 18 f2 c5 f5 74 71 83 26 49 a6 2f 5c ac a4 a7 |:....tq.&I./\...| +00000100 0d f3 65 5a a9 ed a0 f5 f1 ce c9 80 bc 75 f2 e7 |..eZ.........u..| +00000110 68 11 b5 fb aa a8 e0 85 b9 37 b6 04 f6 f3 6d 8a |h........7....m.| +00000120 ed 5c 0e 9a 25 52 f2 84 ca 2c 19 54 c1 0c 5e 24 |.\..%R...,.T..^$| +00000130 e2 32 3e 99 18 84 17 84 8c 03 55 06 4f a0 ff 16 |.2>.......U.O...| +00000140 89 9e 1e d4 75 1e 3f a5 4d 0b 24 41 bc ca 6e 48 |....u.?.M.$A..nH| +00000150 77 53 e3 12 ee 00 69 11 19 c8 9b 43 b0 49 d3 a7 |wS....i....C.I..| +00000160 48 69 08 d0 14 fa d1 2b d5 66 a3 40 b4 51 4b e3 |Hi.....+.f.@.QK.| +00000170 f0 d3 c2 97 de 19 e8 02 66 9a ba 9f 59 7a 77 a4 |........f...Yzw.| +00000180 d1 29 71 5f 60 04 f6 f2 f5 d6 ce df 6a 19 6d 6a |.)q_`.......j.mj| +00000190 ae a5 df 25 d3 fb da 4c 54 d1 1e d8 68 59 d0 a8 |...%...LT...hY..| +000001a0 3d 6a ce 84 57 0e 01 8f d6 f1 7f cd 9f 4c 26 ae |=j..W........L&.| +000001b0 88 b5 af 31 b4 15 c0 bc 70 86 d4 7e 3f 7c 69 39 |...1....p..~?|i9| +000001c0 ff db 74 5b 18 54 dc 55 ec 7f 60 c8 38 03 1f e8 |..t[.T.U..`.8...| +000001d0 a0 9f 3b 79 12 ca c4 3f 41 d3 3d 80 88 a2 7e fa |..;y...?A.=...~.| +000001e0 a1 5c f0 df 1b 61 73 e0 2a d3 d8 88 0e 22 20 09 |.\...as.*...." .| +000001f0 62 42 3a 09 77 e5 39 c1 f2 a1 e5 29 f8 ab 4b de |bB:.w.9....)..K.| +00000200 0c 3c 39 e8 13 34 73 d0 e3 25 39 bf f7 23 c4 1b |.<9..4s..%9..#..| +00000210 06 c0 c4 16 80 14 15 a0 09 ac f0 fb 77 40 30 14 |............w@0.| +00000220 07 5d 1c 34 58 90 27 53 3f da c5 2a 7d 0f b7 4c |.].4X.'S?..*}..L| +00000230 15 09 ea cf f1 51 6c 84 3a f1 f7 d0 66 b8 fb 0c |.....Ql.:...f...| +00000240 82 1e 86 2d 23 84 b8 d2 df d7 db a6 f2 7c da d8 |...-#........|..| +00000250 e3 f8 a9 2c 0a fb 65 e8 2a 16 f6 c8 b7 dc b5 03 |...,..e.*.......| +00000260 fd bc 76 67 c5 0a 9e 8a c6 89 04 b4 e1 5b 23 89 |..vg.........[#.| +00000270 ca 03 73 4c e2 49 3e a8 ce c9 4c 0a 98 8c 78 b9 |..sL.I>...L...x.| +00000280 12 d4 32 94 84 66 5a d3 07 78 df 74 00 d7 ca df |..2..fZ..x.t....| +00000290 40 e6 b6 37 08 bc a8 fa 9a 28 e7 77 e2 78 39 d8 |@..7.....(.w.x9.| +000002a0 e3 71 e5 2b f6 dc 9b 20 3e 38 77 80 f7 c9 e2 81 |.q.+... >8w.....| +000002b0 07 4c 06 43 b7 b1 ff 1d f9 b4 24 ca ad db d3 f5 |.L.C......$.....| +000002c0 3b 05 d8 0f 1e 6d 1a 6d 17 03 03 00 a4 fd 5d 1f |;....m.m......].| +000002d0 1c 88 af a8 df 19 44 bd 80 81 78 fd 2d 84 ff a4 |......D...x.-...| +000002e0 51 45 9a 98 7c 45 cb 84 2c fb 54 d1 33 06 67 e4 |QE..|E..,.T.3.g.| +000002f0 95 f2 c5 5e 1b 49 41 b3 73 6c 5e 4d 2c 2d 77 1f |...^.IA.sl^M,-w.| +00000300 59 cb 39 e9 87 3a 10 83 72 ab b3 ce f8 28 94 8f |Y.9..:..r....(..| +00000310 47 8f 3d 2e 65 0a 42 b0 a5 13 61 bb 3b c7 a9 52 |G.=.e.B...a.;..R| +00000320 cd 26 f6 ab c1 d3 3a a4 51 a6 7a 74 3b 76 19 ee |.&....:.Q.zt;v..| +00000330 71 09 b6 b8 e6 3d 3e a3 df db a9 69 52 fe 66 3a |q....=>....iR.f:| +00000340 dc 19 f6 56 ea 81 10 ab 43 2e e2 17 20 08 92 62 |...V....C... ..b| +00000350 62 98 73 cb 16 9a 13 7d b3 b4 6a fd 18 28 25 05 |b.s....}..j..(%.| +00000360 b2 3f e7 14 94 cf 9d 67 74 11 83 21 da d8 36 da |.?.....gt..!..6.| +00000370 8e 17 03 03 00 35 89 67 70 a6 1c 3b 7c 59 59 23 |.....5.gp..;|YY#| +00000380 92 33 ee 35 11 5d 8c fb bd f0 21 a4 8d 09 e3 e7 |.3.5.]....!.....| +00000390 dd 96 8c ad cc 57 97 6a 4d 33 49 cc f6 c6 a9 4d |.....W.jM3I....M| +000003a0 9b 3f 22 88 f5 06 b3 c2 a3 34 46 |.?"......4F| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 f4 b7 bd 05 e3 |..........5.....| +00000010 04 c1 da 80 2f 16 6c 14 fe 7e bd 74 65 ab 76 e8 |..../.l..~.te.v.| +00000020 7a 62 dc 89 11 10 ee 58 93 fc 30 0e 30 fa b6 a0 |zb.....X..0.0...| +00000030 48 11 5d 78 9a fc 6b 44 1c 67 52 21 b4 b8 69 18 |H.]x..kD.gR!..i.| +00000040 17 03 03 00 17 12 f2 ed 80 d2 91 8a bc 19 25 1d |..............%.| +00000050 54 d6 56 04 b4 4d 1a 01 9f ea 7f 0c 17 03 03 00 |T.V..M..........| +00000060 13 aa bb f9 4e 8f 2e 49 9c 07 65 31 8a 14 05 d8 |....N..I..e1....| +00000070 d5 3a 83 23 |.:.#| diff --git a/pkg/tls/testdata/Client-TLSv13-Ed25519 b/pkg/tls/testdata/Client-TLSv13-Ed25519 new file mode 100644 index 000000000..e509e8adf --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv13-Ed25519 @@ -0,0 +1,69 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 41 71 01 fb 3b |....z...v..Aq..;| +00000010 86 8b 75 5d 8d 98 1d 98 e7 19 0c 87 87 d0 a6 b5 |..u]............| +00000020 5f 51 70 32 37 bc 58 b6 93 fb b1 20 00 00 00 00 |_Qp27.X.... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 03 00 00 |................| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 17 |..+.....3.$... .| +00000060 4e 27 d2 df c9 6d 88 15 a2 02 f2 fc 4d 87 65 92 |N'...m......M.e.| +00000070 67 92 90 6c 8b e0 fb 27 2b d6 e8 e1 0e b2 7b 14 |g..l...'+.....{.| +00000080 03 03 00 01 01 17 03 03 00 17 ef ca 93 ae 3b 4b |..............;K| +00000090 ef ba c7 f1 44 89 61 b5 6c 05 c5 d9 59 4d 50 ab |....D.a.l...YMP.| +000000a0 ff 17 03 03 01 50 71 7e a6 0b 61 c5 f1 b0 9b ab |.....Pq~..a.....| +000000b0 3e 15 7a 0c ac 01 d7 cb 3e 04 85 e1 7a 59 95 92 |>.z.....>...zY..| +000000c0 cb 91 5f 91 a4 e2 1b 6a d7 72 d5 ee 70 ae 51 ed |.._....j.r..p.Q.| +000000d0 c7 78 ea 69 e5 a6 0b cc 72 43 6f 2e da c3 74 4c |.x.i....rCo...tL| +000000e0 00 53 79 38 3b 10 7e 98 25 32 ad 7f e4 0b 9b ad |.Sy8;.~.%2......| +000000f0 4a 5d f4 d9 a1 fe d6 ce 32 ff 2d 2e 26 49 78 3f |J]......2.-.&Ix?| +00000100 4e 37 e9 c7 d3 af b7 4d 75 f2 71 f2 20 b8 28 64 |N7.....Mu.q. .(d| +00000110 7c 0c 7a 3c f0 35 4e c6 ba 2d fc 76 53 a5 76 f9 ||.z<.5N..-.vS.v.| +00000120 3e e3 4e 41 b9 52 e1 dc 62 9f 13 bf b7 ef c2 c1 |>.NA.R..b.......| +00000130 ef 9c 04 4d 4c d0 20 e8 7e 62 bc 23 8a c0 02 62 |...ML. .~b.#...b| +00000140 1d 8e c1 6f e0 23 70 0e 08 5c a0 47 92 40 5c 31 |...o.#p..\.G.@\1| +00000150 d9 03 5b a5 9a dd 2f b9 4f 8a 4a 8d d9 c3 63 cb |..[.../.O.J...c.| +00000160 61 16 3c be 9e dc 9d 11 bf c8 b9 5b 2d 69 5d 94 |a.<........[-i].| +00000170 ef 6b 87 2d 59 42 05 51 88 9d 5a 8d bc ae 7c 65 |.k.-YB.Q..Z...|e| +00000180 e2 a1 b5 eb c6 23 30 3c ab 52 f1 a3 90 77 1c a2 |.....#0<.R...w..| +00000190 65 e0 ef 9c c7 1f b3 ad 7a 63 01 d9 b6 5c de c5 |e.......zc...\..| +000001a0 3e ec b0 0c 1c 34 ea e1 8e d9 68 67 d8 1b 0c 94 |>....4....hg....| +000001b0 4d 0a e1 e7 c7 4f 6e 03 c2 0f d6 4e 87 b9 e4 5c |M....On....N...\| +000001c0 d6 d7 4a f0 90 fb 8c 56 ce 20 d3 09 db a2 3a 8f |..J....V. ....:.| +000001d0 56 bc 1f 5d d8 0f ab 05 9c 2e 96 7e 09 bf 0f 45 |V..].......~...E| +000001e0 81 83 81 63 d5 0e ef fb bd db 1d c8 17 4a ef d1 |...c.........J..| +000001f0 ce 9d 76 c5 1c 3a 17 03 03 00 59 f8 6e 9b 48 45 |..v..:....Y.n.HE| +00000200 96 86 f0 87 4f 95 75 72 90 16 ee 40 e6 a5 da d6 |....O.ur...@....| +00000210 9a 93 5a f2 e1 14 c7 ef 99 5e 55 80 9c 2b a5 f0 |..Z......^U..+..| +00000220 24 d0 0c b3 5c cd 7e 9f a7 8d 80 6d 24 0f 55 44 |$...\.~....m$.UD| +00000230 25 23 04 30 0a b8 4b 87 81 7d f6 46 af a0 e9 6c |%#.0..K..}.F...l| +00000240 ce cc 3b 8f 93 75 2b d3 65 84 0d fc 11 b3 49 93 |..;..u+.e.....I.| +00000250 21 8c 12 28 17 03 03 00 35 11 5a 66 4d 6e f2 a1 |!..(....5.ZfMn..| +00000260 d5 c7 e0 0d fb c0 23 72 61 40 56 c9 2b cf 19 91 |......#ra@V.+...| +00000270 1e 9a 0b 20 65 dd f2 ec 54 f8 6a 6f a0 7f bf d2 |... e...T.jo....| +00000280 92 e0 41 ae 8c a0 4e 33 be a0 f8 8e b3 c7 |..A...N3......| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 a6 8b c2 c6 31 |..........5....1| +00000010 c1 73 78 0f f6 09 bb 09 d5 bc da 6b e6 21 e7 3e |.sx........k.!.>| +00000020 19 ba 60 74 d4 32 71 37 a0 13 d8 ae e0 85 f7 71 |..`t.2q7.......q| +00000030 d0 4e 2f 29 81 bb 8b 86 24 67 5b c9 b7 6e 6a 11 |.N/)....$g[..nj.| +00000040 17 03 03 00 17 43 59 8a 71 7c f9 e8 b9 36 56 bc |.....CY.q|...6V.| +00000050 07 67 34 1c f9 47 b0 fa 3a a0 15 9a 17 03 03 00 |.g4..G..:.......| +00000060 13 dc 3e d0 92 97 41 13 06 65 b2 af e5 fa 16 d5 |..>...A..e......| +00000070 9b 82 57 91 |..W.| diff --git a/pkg/tls/testdata/Client-TLSv13-ExportKeyingMaterial b/pkg/tls/testdata/Client-TLSv13-ExportKeyingMaterial new file mode 100644 index 000000000..13ac4fcf8 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv13-ExportKeyingMaterial @@ -0,0 +1,91 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 5a a0 51 7e b3 |....z...v..Z.Q~.| +00000010 75 e4 ba 57 52 a0 56 68 55 2b 40 16 e3 d4 b1 4f |u..WR.VhU+@....O| +00000020 5e 2c a0 ab 31 76 e8 c5 ab ca 60 20 00 00 00 00 |^,..1v....` ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 03 00 00 |................| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 1e |..+.....3.$... .| +00000060 8e a4 e9 85 bd af 87 81 48 56 10 3d 4d d2 07 42 |........HV.=M..B| +00000070 7f a2 db 93 42 98 df 67 6d 79 b3 fb 4f bb 67 14 |....B..gmy..O.g.| +00000080 03 03 00 01 01 17 03 03 00 17 db c6 9e 4c ff 07 |.............L..| +00000090 33 5a d9 47 e2 08 d5 10 bf 70 c5 5b 22 48 a7 fd |3Z.G.....p.["H..| +000000a0 8d 17 03 03 02 6d cd a7 97 1c 26 3c a9 70 93 c5 |.....m....&<.p..| +000000b0 98 ac 09 11 75 24 a1 97 4a a7 65 a0 d7 40 08 c9 |....u$..J.e..@..| +000000c0 fd 31 5f 47 c3 95 38 cf cd e0 77 52 db c1 fe 3a |.1_G..8...wR...:| +000000d0 2e 5f ae 5a 9a cf 96 5f 83 f5 7e 6b b0 d7 bf 27 |._.Z..._..~k...'| +000000e0 bd 22 af a1 05 79 48 c7 56 e9 56 a9 4f 34 82 9c |."...yH.V.V.O4..| +000000f0 41 c5 cf 72 d1 56 18 d4 fb d7 94 e1 72 9f 2a c0 |A..r.V......r.*.| +00000100 2f 3b fe de 46 36 4f 0d 15 12 4d e2 2a fb 42 20 |/;..F6O...M.*.B | +00000110 1e 7f 0f 50 be 56 10 2d 83 9f c0 c4 9e 0a 29 c4 |...P.V.-......).| +00000120 07 a1 ba c0 70 d4 93 8a 27 a1 e2 00 98 11 3e 4e |....p...'.....>N| +00000130 07 46 54 68 5a d2 e3 85 ca 6d 66 b1 28 d7 a3 c9 |.FThZ....mf.(...| +00000140 cb 9b 5b 4c 94 4a 56 69 dc 6e ba 84 08 7e 31 14 |..[L.JVi.n...~1.| +00000150 5d a0 e0 00 b2 23 63 fe 67 8c ae 75 56 44 9c 9c |]....#c.g..uVD..| +00000160 c4 4c 31 a9 d7 df 3b ec 59 1e 2e 85 fd 08 8d ba |.L1...;.Y.......| +00000170 b2 09 f6 3e 19 7b 29 ab 6a b3 5a 00 be 76 fb 39 |...>.{).j.Z..v.9| +00000180 98 c4 3e 4b a6 ae 68 ba 6c 9a a6 5d 20 33 96 55 |..>K..h.l..] 3.U| +00000190 27 66 aa c2 c0 6d f0 80 cc c7 64 5f 7b 42 56 b4 |'f...m....d_{BV.| +000001a0 a2 6b a3 29 9a 49 d2 fc 74 53 21 fe e3 87 ab d9 |.k.).I..tS!.....| +000001b0 e4 3e e7 8a a0 c6 49 08 d1 45 14 53 fb 28 39 cb |.>....I..E.S.(9.| +000001c0 99 86 c2 3f dc b3 f6 86 a7 87 b2 88 d9 4f 62 d6 |...?.........Ob.| +000001d0 d4 bb 84 93 56 5a 99 8e 8a 5b 1b 9a 1c ef 4a f1 |....VZ...[....J.| +000001e0 85 62 08 1f 27 c2 20 a1 9c 73 91 05 d8 9b 32 90 |.b..'. ..s....2.| +000001f0 74 80 08 dd 52 87 9f 6e c3 89 14 f3 23 0e 1f d0 |t...R..n....#...| +00000200 3c e0 51 48 a4 b2 f2 43 05 bd a3 95 35 70 37 cc |<.QH...C....5p7.| +00000210 89 f3 23 b7 70 5f 36 24 78 ea 21 ec 7c 06 3a d6 |..#.p_6$x.!.|.:.| +00000220 b5 fd d1 c4 bb 32 39 78 6a f6 ed 91 83 c8 d4 bd |.....29xj.......| +00000230 33 55 cf a8 5a b9 46 ec fa 87 5a c0 35 d1 f6 5e |3U..Z.F...Z.5..^| +00000240 1f 7a 8e 82 e1 97 38 f9 ad 6e 00 ba d1 4b 82 dd |.z....8..n...K..| +00000250 b0 87 0e 18 70 27 6c cd dd 0d d7 4b 46 e9 a3 dc |....p'l....KF...| +00000260 5d 60 e7 eb a9 b4 99 f2 bc 9f a4 ed dc c6 63 24 |]`............c$| +00000270 f8 91 f3 ee 7f 47 40 03 95 34 53 8c 38 90 3f 0f |.....G@..4S.8.?.| +00000280 a6 d8 a1 a7 39 64 45 7e 9e 94 aa 3e 19 df 28 f1 |....9dE~...>..(.| +00000290 ab 14 22 ce e8 80 a6 73 59 f7 92 85 13 20 6c cf |.."....sY.... l.| +000002a0 d8 ff ce f4 5d 79 f8 37 38 b6 9f 81 97 9f 72 31 |....]y.78.....r1| +000002b0 e0 fe ca d2 03 cd 3b 00 9f cb 55 a7 de 79 80 d8 |......;...U..y..| +000002c0 0b ae 5a e6 a7 ba a5 35 da d3 03 95 56 c0 ac c9 |..Z....5....V...| +000002d0 2a 36 cf 53 d0 44 48 b3 19 6c 44 ab 6b a1 7f a2 |*6.S.DH..lD.k...| +000002e0 f6 18 90 4f 16 a9 d5 77 ef 01 81 e1 ef a7 b9 3f |...O...w.......?| +000002f0 35 82 66 c7 9c 82 cc 00 fa 74 71 ed 99 ab fc d5 |5.f......tq.....| +00000300 ce 0a 05 80 56 5f 54 79 a9 b2 82 38 af 52 94 d1 |....V_Ty...8.R..| +00000310 7e 15 1e 17 03 03 00 99 94 6e e7 f3 9a a6 90 24 |~........n.....$| +00000320 c8 59 16 e6 58 d1 a2 55 ab 90 d6 59 00 06 0f 22 |.Y..X..U...Y..."| +00000330 2d 7e 1a 13 ce 64 05 a0 e2 a2 22 36 d4 51 69 ce |-~...d...."6.Qi.| +00000340 8c 13 85 2e ad a3 9d c9 cf 50 be 06 db 75 41 1e |.........P...uA.| +00000350 01 64 8e 55 13 31 42 a0 b9 90 30 75 a3 b5 a1 36 |.d.U.1B...0u...6| +00000360 e8 1d 5f 32 f4 8f 68 f3 ca d9 f2 36 cf 77 2a ae |.._2..h....6.w*.| +00000370 03 db 01 bb 51 25 bb 65 76 0a 81 bf db 6a 0a 85 |....Q%.ev....j..| +00000380 3d 2a ee 71 ff a5 91 75 3f 44 23 31 70 1f b4 4c |=*.q...u?D#1p..L| +00000390 a1 f2 ec cb ac bb de 36 3a 46 a6 3d a8 c5 57 92 |.......6:F.=..W.| +000003a0 a4 7c d4 54 fa de b6 77 62 95 24 aa 63 70 4a 04 |.|.T...wb.$.cpJ.| +000003b0 cb 17 03 03 00 35 07 18 23 d6 3d 11 1c 50 e1 22 |.....5..#.=..P."| +000003c0 c7 83 33 84 c3 e1 30 b0 43 68 19 2b c4 43 95 25 |..3...0.Ch.+.C.%| +000003d0 8c b7 37 c1 d0 3c ef f4 4f 29 b7 18 34 25 d2 8a |..7..<..O)..4%..| +000003e0 44 52 37 4e ff f9 aa 2b 33 61 4a |DR7N...+3aJ| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 7d e0 1b 46 05 |..........5}..F.| +00000010 4a e2 11 2c a4 22 62 cb bc e7 f4 11 d2 05 ca c6 |J..,."b.........| +00000020 17 98 10 88 03 12 d1 1e 6a dc e8 bb 91 df 65 47 |........j.....eG| +00000030 78 f0 32 d1 7d c0 56 92 78 56 6b 75 cc 2d eb 2d |x.2.}.V.xVku.-.-| +00000040 17 03 03 00 17 ad cc 95 e5 1c 77 7c de 6f e8 8d |..........w|.o..| +00000050 06 8e b6 8e d0 95 3f 71 0b 15 6e 0e 17 03 03 00 |......?q..n.....| +00000060 13 8e 23 c7 75 9d f7 e1 b9 b5 ed 79 86 e0 64 68 |..#.u......y..dh| +00000070 01 ef 70 e1 |..p.| diff --git a/pkg/tls/testdata/Client-TLSv13-HelloRetryRequest b/pkg/tls/testdata/Client-TLSv13-HelloRetryRequest new file mode 100644 index 000000000..d6b570f24 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv13-HelloRetryRequest @@ -0,0 +1,119 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fa 01 00 00 f6 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7b 00 05 00 05 01 00 00 00 00 00 0a 00 |...{............| +00000090 06 00 04 00 1d 00 17 00 0b 00 02 01 00 00 0d 00 |................| +000000a0 1a 00 18 08 04 04 03 08 07 08 05 08 06 04 01 05 |................| +000000b0 01 06 01 05 03 06 03 02 01 02 03 ff 01 00 01 00 |................| +000000c0 00 17 00 00 00 12 00 00 00 2b 00 09 08 03 04 03 |.........+......| +000000d0 03 03 02 03 01 00 33 00 26 00 24 00 1d 00 20 2f |......3.&.$... /| +000000e0 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +000000f0 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 |.........._X.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 58 02 00 00 54 03 03 cf 21 ad 74 e5 |....X...T...!.t.| +00000010 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a |.a......e......z| +00000020 bb 8c 5e 07 9e 09 e2 c8 a8 33 9c 20 00 00 00 00 |..^......3. ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 03 00 00 |................| +00000050 0c 00 2b 00 02 03 04 00 33 00 02 00 17 14 03 03 |..+.....3.......| +00000060 00 01 01 |...| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 16 03 03 01 1b 01 00 01 17 03 |................| +00000010 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000030 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |. ..............| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000050 00 00 00 32 cc a9 cc a8 c0 2b c0 2f c0 2c c0 30 |...2.....+./.,.0| +00000060 c0 09 c0 13 c0 0a c0 14 00 9c 00 9d 00 2f 00 35 |............./.5| +00000070 c0 12 00 0a c0 23 c0 27 00 3c c0 07 c0 11 00 05 |.....#.'.<......| +00000080 13 03 13 01 13 02 01 00 00 9c 00 05 00 05 01 00 |................| +00000090 00 00 00 00 0a 00 06 00 04 00 1d 00 17 00 0b 00 |................| +000000a0 02 01 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 |................| +000000b0 05 08 06 04 01 05 01 06 01 05 03 06 03 02 01 02 |................| +000000c0 03 ff 01 00 01 00 00 17 00 00 00 12 00 00 00 2b |...............+| +000000d0 00 09 08 03 04 03 03 03 02 03 01 00 33 00 47 00 |............3.G.| +000000e0 45 00 17 00 41 04 1e 18 37 ef 0d 19 51 88 35 75 |E...A...7...Q.5u| +000000f0 71 b5 e5 54 5b 12 2e 8f 09 67 fd a7 24 20 3e b2 |q..T[....g..$ >.| +00000100 56 1c ce 97 28 5e f8 2b 2d 4f 9e f1 07 9f 6c 4b |V...(^.+-O....lK| +00000110 5b 83 56 e2 32 42 e9 58 b6 d7 49 a6 b5 68 1a 41 |[.V.2B.X..I..h.A| +00000120 03 56 6b dc 5a 89 |.Vk.Z.| +>>> Flow 4 (server to client) +00000000 16 03 03 00 9b 02 00 00 97 03 03 4f 5c 5c 6c f2 |...........O\\l.| +00000010 79 f3 d8 d4 be 78 c3 a4 b6 82 a5 ee 37 c3 a1 f7 |y....x......7...| +00000020 87 83 ac 75 62 29 48 80 55 64 9b 20 00 00 00 00 |...ub)H.Ud. ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 03 00 00 |................| +00000050 4f 00 2b 00 02 03 04 00 33 00 45 00 17 00 41 04 |O.+.....3.E...A.| +00000060 be 02 77 b3 71 8c 25 30 15 18 cd 54 f8 99 b7 a4 |..w.q.%0...T....| +00000070 1b 43 6e a5 bf 94 d3 7e 8f 07 4e 78 15 af 48 fe |.Cn....~..Nx..H.| +00000080 14 60 0d f1 1b 31 f5 30 5b 37 34 da d2 b8 a9 43 |.`...1.0[74....C| +00000090 5e 5e 9e 32 9c 7c 94 21 fc 1e db 0a b3 e1 f5 7a |^^.2.|.!.......z| +000000a0 17 03 03 00 17 fc 15 53 2f 26 26 78 e5 5e 22 74 |.......S/&&x.^"t| +000000b0 8a cb 74 2c f8 4c 04 5d 0b 53 d9 93 17 03 03 02 |..t,.L.].S......| +000000c0 6d 58 f2 20 bc 2e 2b c7 67 79 b1 19 09 d8 73 9c |mX. ..+.gy....s.| +000000d0 74 b4 55 b4 24 5e a3 66 f1 a3 81 55 cb 77 5e c1 |t.U.$^.f...U.w^.| +000000e0 5e b1 ba 4e ff 29 6e 10 a3 9c 20 68 fb c1 35 a8 |^..N.)n... h..5.| +000000f0 02 10 0e b6 b1 a1 84 d1 e4 41 92 15 93 ea 9c c1 |.........A......| +00000100 93 4b 54 28 da 49 f5 eb a5 a5 92 3b 91 37 48 8a |.KT(.I.....;.7H.| +00000110 4a 0a 3c 3a b9 10 2b 1b e8 33 4f e2 1b a4 e1 0e |J.<:..+..3O.....| +00000120 4c 81 38 13 36 f2 87 e9 58 be e4 16 d9 eb 17 9d |L.8.6...X.......| +00000130 61 69 7b 41 c9 29 99 bd b1 5b 66 49 3d f1 e5 6f |ai{A.)...[fI=..o| +00000140 e4 91 a1 48 a3 89 91 00 8c 33 2c 0b 07 82 10 26 |...H.....3,....&| +00000150 fb 7b c6 b0 64 56 1b 2b 1f 21 3a be 72 6d 9b fe |.{..dV.+.!:.rm..| +00000160 ad bd 1c 59 05 38 9b 27 88 55 76 88 45 cf 03 be |...Y.8.'.Uv.E...| +00000170 2a 8d 5f a6 39 1f 5e b7 1c 68 28 60 f5 cb e4 5e |*._.9.^..h(`...^| +00000180 08 6c 3c 85 72 6f 31 26 30 0c 25 94 0e 4d 5b 5b |.l<.ro1&0.%..M[[| +00000190 46 ba 0e 27 e1 17 3d 68 95 7e 2f a4 a0 16 54 e2 |F..'..=h.~/...T.| +000001a0 35 3b a5 79 c8 45 2d e0 57 33 02 4e 81 bd dc 6a |5;.y.E-.W3.N...j| +000001b0 9b b7 1e a8 9e ff 75 7f 11 47 9c ac 60 05 bd 9d |......u..G..`...| +000001c0 59 2b 92 5a 94 f4 ca 8f 3e 53 b3 8a a5 ab 28 e2 |Y+.Z....>S....(.| +000001d0 9f ed 29 f2 8b c7 82 92 86 d8 12 71 b1 97 24 26 |..)........q..$&| +000001e0 f5 96 fc 16 a8 ff 39 1c 87 62 ec 4a b4 c3 03 13 |......9..b.J....| +000001f0 e8 17 57 6b 48 6c 08 08 b0 6d 1f 1a 8c 1f 48 66 |..WkHl...m....Hf| +00000200 aa 51 38 59 ac 1e 58 e7 ff 85 e1 60 e0 e5 42 65 |.Q8Y..X....`..Be| +00000210 9e ff ab 65 bb 06 b2 8b c6 f2 95 ad 3c eb c7 1c |...e........<...| +00000220 d6 2a 60 d3 e4 5f cb 65 ee 3d 45 75 93 53 eb 70 |.*`.._.e.=Eu.S.p| +00000230 5c f4 ae 5c 6b e0 f1 6d 2c fe 88 cb 32 b4 53 90 |\..\k..m,...2.S.| +00000240 c5 5b 9e 8c de 08 ff 49 86 2a a5 ef 59 50 f8 68 |.[.....I.*..YP.h| +00000250 2a 3b e5 44 2a e8 7d c9 6e 5c c1 4f 99 d7 2b 67 |*;.D*.}.n\.O..+g| +00000260 98 72 38 64 b3 e9 64 95 c1 1c 9d 5c 82 d9 e7 1e |.r8d..d....\....| +00000270 ac cf 12 05 d8 da eb 75 69 e3 fb 08 c3 c7 d2 2d |.......ui......-| +00000280 aa 3f 9d cc b7 31 b5 03 59 67 03 32 6f ed bc 87 |.?...1..Yg.2o...| +00000290 47 c6 69 79 23 98 94 b7 4a 58 5f 68 5c 14 77 b5 |G.iy#...JX_h\.w.| +000002a0 4b db 6e d9 c2 74 d0 8a 94 a6 3f 61 7a 1d b8 53 |K.n..t....?az..S| +000002b0 c7 fb 1c d7 b7 ae 2b f2 c7 fc ed c3 77 47 8a be |......+.....wG..| +000002c0 c4 0a e2 3a da f6 f0 06 15 df 32 06 5e 81 17 aa |...:......2.^...| +000002d0 25 5c b0 56 56 ce 93 11 42 4d b1 b5 b5 d4 c9 47 |%\.VV...BM.....G| +000002e0 df 7c 44 ac 23 bc 49 f6 aa f8 9a e3 fc 4e 7e 11 |.|D.#.I......N~.| +000002f0 e5 da cc 0e c3 4e 57 5e 0d 7c 5a 98 e8 25 65 2e |.....NW^.|Z..%e.| +00000300 d0 9e 73 f1 eb 16 3b c4 bc 87 97 37 38 45 a0 77 |..s...;....78E.w| +00000310 79 37 30 aa 05 0a 42 04 e2 e3 09 ce 5b d7 04 c1 |y70...B.....[...| +00000320 b1 c4 89 bc 5d 92 eb 9a a2 b4 12 87 98 05 17 03 |....]...........| +00000330 03 00 99 0d 23 22 ba 58 d1 0a 8d 15 c6 ab 47 92 |....#".X......G.| +00000340 4b ab 8b 31 d3 cd f6 c9 17 31 62 e2 4f 78 3d 87 |K..1.....1b.Ox=.| +00000350 9f f9 54 10 4b db 86 99 dd eb e7 75 9d d1 dc 1c |..T.K......u....| +00000360 03 e2 b2 ae 61 69 66 33 e0 0f 95 4a 41 4f 36 6d |....aif3...JAO6m| +00000370 ed bd 80 51 8b 6c 92 dc 29 af 8d 17 12 b8 3d d7 |...Q.l..).....=.| +00000380 db 05 63 4f ad e5 6e 32 5b 02 27 f6 8f e3 7c 02 |..cO..n2[.'...|.| +00000390 15 c8 5e c8 f3 14 45 7c 2f 2d 81 aa ec 01 4f 12 |..^...E|/-....O.| +000003a0 f3 aa c8 e5 ca 52 62 41 7d ca f2 9e 40 c3 36 d3 |.....RbA}...@.6.| +000003b0 d8 40 be 59 0c 6a 67 aa 75 03 1c b7 b7 4b 21 3f |.@.Y.jg.u....K!?| +000003c0 13 28 10 e7 3f a1 25 1a 5d e4 a0 b9 17 03 03 00 |.(..?.%.].......| +000003d0 35 93 e3 71 c4 3b b0 4a 37 6d 1a 97 a5 c4 17 c4 |5..q.;.J7m......| +000003e0 cd 0c a0 f5 bb 06 1d 0c f6 0f c4 c3 de b9 0a b7 |................| +000003f0 37 9c d6 d4 43 a6 37 78 76 69 31 33 ed d8 db b4 |7...C.7xvi13....| +00000400 3a ac cc 0d db 1b |:.....| +>>> Flow 5 (client to server) +00000000 17 03 03 00 35 ee c2 44 be 17 16 64 cc e6 68 9b |....5..D...d..h.| +00000010 4d 75 86 c5 b5 9b f3 1c 7c b5 98 3f 9c 7b 07 65 |Mu......|..?.{.e| +00000020 53 f1 6c d9 cd 17 54 3f 64 d3 ca 47 9c 1e 2d 13 |S.l...T?d..G..-.| +00000030 fa 29 5e d8 91 5a 05 e8 03 21 17 03 03 00 17 41 |.)^..Z...!.....A| +00000040 a1 aa 11 80 44 b8 26 a8 06 62 46 65 59 35 0b 06 |....D.&..bFeY5..| +00000050 8e bf 6c 02 9d 5f 17 03 03 00 13 40 6d 8b 65 c6 |..l.._.....@m.e.| +00000060 9c 9d b1 ec 29 f3 3d 23 56 28 f6 5a 5b e3 |....).=#V(.Z[.| diff --git a/pkg/tls/testdata/Client-TLSv13-KeyUpdate b/pkg/tls/testdata/Client-TLSv13-KeyUpdate new file mode 100644 index 000000000..02c0a1ae7 --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv13-KeyUpdate @@ -0,0 +1,103 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 fe 01 00 00 fa 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 7f 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 0a 00 08 00 1d 00 17 00 18 00 19 00 0b 00 02 01 |................| +000000a0 00 00 0d 00 1a 00 18 08 04 04 03 08 07 08 05 08 |................| +000000b0 06 04 01 05 01 06 01 05 03 06 03 02 01 02 03 ff |................| +000000c0 01 00 01 00 00 17 00 00 00 12 00 00 00 2b 00 09 |.............+..| +000000d0 08 03 04 03 03 03 02 03 01 00 33 00 26 00 24 00 |..........3.&.$.| +000000e0 1d 00 20 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f |.. /.}.G.bC.(.._| +000000f0 bb 29 07 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 |.).0.........._X| +00000100 cb 3b 74 |.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 70 a7 d4 99 55 |....z...v..p...U| +00000010 7d 12 fd ca 3a 43 97 78 16 66 c2 bd 22 8b 6c 91 |}...:C.x.f..".l.| +00000020 85 92 99 76 c8 4c 0f 4c dc 94 0b 20 00 00 00 00 |...v.L.L... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 03 00 00 |................| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 df |..+.....3.$... .| +00000060 af ca 9c 12 9b 83 69 24 89 3e 44 fe 1c 31 dd 0d |......i$.>D..1..| +00000070 3b 52 fd 8e b6 c6 7b 05 9e d4 cc 62 a5 f0 27 14 |;R....{....b..'.| +00000080 03 03 00 01 01 17 03 03 00 17 a8 47 c6 45 41 bc |...........G.EA.| +00000090 7e e3 fb 85 43 5d 6a 69 07 7f 62 05 9d 9e 5f 1f |~...C]ji..b..._.| +000000a0 9a 17 03 03 02 6d 7d 46 ba ff 8a 8a 3d a2 d0 29 |.....m}F....=..)| +000000b0 1e 0d 18 03 84 13 03 de cf 64 15 28 71 9a bb 80 |.........d.(q...| +000000c0 d0 4f de 07 d8 f4 47 d5 78 1c 93 e1 50 27 70 81 |.O....G.x...P'p.| +000000d0 34 c2 0d 63 ee 76 20 dd c7 34 71 e5 c7 04 91 62 |4..c.v ..4q....b| +000000e0 06 73 5c 71 e9 ce 13 f9 1c 5b 29 b5 16 64 0f 5b |.s\q.....[)..d.[| +000000f0 35 53 0d ba a6 26 1c 98 fa 20 41 a0 08 b1 d1 74 |5S...&... A....t| +00000100 cd 00 92 7e b4 ce 0e b8 2a 6d e0 25 57 2f e1 af |...~....*m.%W/..| +00000110 2c 23 03 03 1d b6 98 70 ec 7d 57 a9 6c 8f 25 3d |,#.....p.}W.l.%=| +00000120 63 a3 0e 53 b2 15 8d 1d 62 14 04 50 a9 bc ab 7d |c..S....b..P...}| +00000130 ac fa 6a 68 ed f0 72 fd 9a 04 ac bd 44 10 a6 f0 |..jh..r.....D...| +00000140 df 55 30 54 eb a1 c8 27 4d 6d 97 a1 c0 fc ca a5 |.U0T...'Mm......| +00000150 c0 9c b8 29 53 13 f2 c8 81 f1 3d f8 35 e5 8d b0 |...)S.....=.5...| +00000160 d9 c1 68 31 80 4f fb 3a 7a fc 20 ce 75 22 dc f6 |..h1.O.:z. .u"..| +00000170 94 e9 ff c4 5a c2 1d e9 a2 55 11 df 5d 29 92 17 |....Z....U..])..| +00000180 5e 9d df 16 97 e3 f0 d0 b6 bd 88 cf 5f 53 e5 da |^..........._S..| +00000190 08 98 37 ec d5 1d 8b 4b 59 33 6e 67 d7 e5 eb 9e |..7....KY3ng....| +000001a0 31 90 6b 75 c7 41 7c 1d 84 c3 78 03 0e 2b ce 5c |1.ku.A|...x..+.\| +000001b0 9a c2 e8 20 7c 8e bc 4a 6e e6 b9 30 ff b3 c0 33 |... |..Jn..0...3| +000001c0 73 91 f7 b6 13 bc 2c 85 97 ed a6 23 ed c1 e0 ce |s.....,....#....| +000001d0 8a 67 9a a3 b2 80 bb 06 ea 9c ec cd 27 f6 1f ae |.g..........'...| +000001e0 22 6e e4 c6 ec 5d e3 d9 99 8d 5e 15 5c d0 f1 83 |"n...]....^.\...| +000001f0 f2 dc 20 a0 67 ee e0 94 05 e3 d7 e9 a2 65 ae d8 |.. .g........e..| +00000200 da 12 2a db cd 2b 31 c3 ec 12 5b e0 5e 48 66 00 |..*..+1...[.^Hf.| +00000210 d9 f5 b8 28 1f ef 90 e8 8f a7 78 d7 1c 49 1d 10 |...(......x..I..| +00000220 d0 79 08 23 12 e1 30 91 7f 26 43 e2 0d dd 0f 6b |.y.#..0..&C....k| +00000230 ca ac 25 5f 18 86 40 fd 04 50 f6 dc fb 25 e4 67 |..%_..@..P...%.g| +00000240 d5 94 fe 3a 55 7f 0e 63 31 f2 96 40 cd 61 c4 e1 |...:U..c1..@.a..| +00000250 06 bc 5f 80 e9 1d 69 7c 70 7e e6 7f 25 00 75 ce |.._...i|p~..%.u.| +00000260 49 e4 bc 4c f4 79 8a d7 67 f3 50 a3 85 d2 96 cb |I..L.y..g.P.....| +00000270 51 f4 99 93 d6 20 cf 0d 5f 2d 87 83 df 7b d2 76 |Q.... .._-...{.v| +00000280 da 9c 47 fb 08 80 43 8e 1f c7 db 8e a9 a7 d5 bb |..G...C.........| +00000290 a3 af 0a 3e a3 a3 8c eb eb e0 93 45 56 a3 eb f0 |...>.......EV...| +000002a0 6e cd be 8f 42 4c aa 39 36 0e f2 d6 cc 37 ce a4 |n...BL.96....7..| +000002b0 31 c0 e0 24 3e 52 8c 3f dc 6e 73 e0 0e ef 54 b7 |1..$>R.?.ns...T.| +000002c0 27 2f 80 f8 16 0b 27 ea 73 66 c1 59 0b 91 a6 ae |'/....'.sf.Y....| +000002d0 f9 d7 d3 60 c0 b0 da 0f 83 19 c2 e0 6e e0 d0 a6 |...`........n...| +000002e0 87 74 91 f8 6c 46 e3 cd 3a 4c e5 ee 48 94 5b bc |.t..lF..:L..H.[.| +000002f0 e4 b5 ed 35 ba 11 c7 0d 76 e9 0a 52 11 a1 35 c2 |...5....v..R..5.| +00000300 e3 c3 9d fa 9d 9b 45 59 6a de 5b 9c c8 7e c3 00 |......EYj.[..~..| +00000310 16 06 d9 17 03 03 00 99 63 23 47 37 41 24 5e b5 |........c#G7A$^.| +00000320 7a 9d 0c 74 c7 f8 c8 62 9e c1 8a 44 29 22 d0 96 |z..t...b...D)"..| +00000330 c7 94 a1 c5 f6 80 1f 23 70 d5 61 cf b5 87 41 26 |.......#p.a...A&| +00000340 74 74 9b f4 1c 9d eb b3 da 39 0f 93 74 6a 2d 44 |tt.......9..tj-D| +00000350 b2 04 31 c0 b0 e8 27 1e eb 6e 1d 76 aa a7 15 11 |..1...'..n.v....| +00000360 fd 5a 46 68 e2 76 ec 92 fe 25 41 10 0f 99 da cf |.ZFh.v...%A.....| +00000370 1a 04 a2 09 8e a1 73 ca 74 7e f7 d2 0e f1 cf 74 |......s.t~.....t| +00000380 14 c4 bc 66 6e 28 58 24 09 cb bc da 4d da 4f af |...fn(X$....M.O.| +00000390 b8 c5 18 37 34 02 e2 60 b9 cc e9 4b 93 08 0a 22 |...74..`...K..."| +000003a0 b6 a1 85 b2 ab cd 9c b6 1b 1d 18 46 63 4c 11 c5 |...........FcL..| +000003b0 67 17 03 03 00 35 10 30 1b 3e 00 ea 4a 8a ab f7 |g....5.0.>..J...| +000003c0 19 f8 3b 99 5f 56 a6 a3 ed dd 43 33 d9 8f 17 30 |..;._V....C3...0| +000003d0 f5 a9 fb cd df 5e 95 e8 ff 35 1d 8d de d2 48 5a |.....^...5....HZ| +000003e0 af a1 b5 60 4f 75 98 58 1c 24 a1 |...`Ou.X.$.| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 a5 8d 0a 81 b7 |..........5.....| +00000010 76 39 48 24 74 8a a8 f0 91 9b b7 10 14 e3 1f fe |v9H$t...........| +00000020 a5 2f 96 6a 7a c3 9d 90 66 99 46 78 c8 d0 1d ba |./.jz...f.Fx....| +00000030 34 be 04 c1 a9 4d 17 60 06 a8 04 18 f3 53 9b 33 |4....M.`.....S.3| +00000040 17 03 03 00 17 14 2c cf 98 1c b3 44 d5 cb 9a 8a |......,....D....| +00000050 46 84 e8 d2 7d 81 bf 74 e6 08 4b 1c |F...}..t..K.| +>>> Flow 4 (server to client) +00000000 17 03 03 00 16 3e c3 0e 81 bd 7c e9 21 c8 d1 3f |.....>....|.!..?| +00000010 94 a9 37 43 21 42 3b 81 ba 65 53 |..7C!B;..eS| +>>> Flow 5 (client to server) +00000000 17 03 03 00 16 63 a6 48 59 77 ae a9 a7 40 e2 57 |.....c.HYw...@.W| +00000010 9b 41 bb e8 14 06 01 46 71 46 77 |.A.....FqFw| +>>> Flow 6 (server to client) +00000000 17 03 03 00 1a 20 8a 20 30 bc 48 17 8f ed 57 bb |..... . 0.H...W.| +00000010 e8 2a da 2a 21 5b 4d 11 74 13 32 6f 1c d6 7c |.*.*![M.t.2o..|| +>>> Flow 7 (client to server) +00000000 17 03 03 00 1d fb 5b 0c dc f1 6b 02 a7 f6 68 21 |......[...k...h!| +00000010 a4 5c 29 7e 52 08 5f 4d fb cb e4 a6 ae c9 e0 09 |.\)~R._M........| +00000020 01 02 17 03 03 00 13 4e 79 eb 2d 97 87 45 9d 73 |.......Ny.-..E.s| +00000030 6f 13 be c5 68 50 ef 03 4c 18 |o...hP..L.| diff --git a/pkg/tls/testdata/Client-TLSv13-P256-ECDHE b/pkg/tls/testdata/Client-TLSv13-P256-ECDHE new file mode 100644 index 000000000..7280dafde --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv13-P256-ECDHE @@ -0,0 +1,94 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 01 19 01 00 01 15 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 9a 00 05 00 05 01 00 00 00 00 00 0a 00 |................| +00000090 04 00 02 00 17 00 0b 00 02 01 00 00 0d 00 1a 00 |................| +000000a0 18 08 04 04 03 08 07 08 05 08 06 04 01 05 01 06 |................| +000000b0 01 05 03 06 03 02 01 02 03 ff 01 00 01 00 00 17 |................| +000000c0 00 00 00 12 00 00 00 2b 00 09 08 03 04 03 03 03 |.......+........| +000000d0 02 03 01 00 33 00 47 00 45 00 17 00 41 04 1e 18 |....3.G.E...A...| +000000e0 37 ef 0d 19 51 88 35 75 71 b5 e5 54 5b 12 2e 8f |7...Q.5uq..T[...| +000000f0 09 67 fd a7 24 20 3e b2 56 1c ce 97 28 5e f8 2b |.g..$ >.V...(^.+| +00000100 2d 4f 9e f1 07 9f 6c 4b 5b 83 56 e2 32 42 e9 58 |-O....lK[.V.2B.X| +00000110 b6 d7 49 a6 b5 68 1a 41 03 56 6b dc 5a 89 |..I..h.A.Vk.Z.| +>>> Flow 2 (server to client) +00000000 16 03 03 00 9b 02 00 00 97 03 03 fe 3a 17 76 b0 |............:.v.| +00000010 7f a1 ed 8e fa 88 7a c6 d0 78 62 83 db b8 a3 72 |......z..xb....r| +00000020 77 c7 18 54 f3 07 3b 08 f0 fb be 20 00 00 00 00 |w..T..;.... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 03 00 00 |................| +00000050 4f 00 2b 00 02 03 04 00 33 00 45 00 17 00 41 04 |O.+.....3.E...A.| +00000060 e2 a0 62 23 50 9d 82 7d bc f4 f4 e7 ed d0 6c 6e |..b#P..}......ln| +00000070 f2 46 f4 e6 11 5f e0 f3 02 e3 13 67 e3 92 da 39 |.F..._.....g...9| +00000080 15 a2 3a c7 80 16 e6 25 fd 86 59 56 08 ee 78 eb |..:....%..YV..x.| +00000090 d9 ba 36 69 d3 fe bc fc 92 a1 1b 48 a1 a5 6c 09 |..6i.......H..l.| +000000a0 14 03 03 00 01 01 17 03 03 00 17 0f 26 b2 e7 86 |............&...| +000000b0 1a 6f e5 19 28 d1 0c 5f 4d 45 7e e6 9f f8 16 03 |.o..(.._ME~.....| +000000c0 d2 71 17 03 03 02 6d 2e bc 2a 2c eb e1 97 06 37 |.q....m..*,....7| +000000d0 87 39 bf f1 79 3a ba 23 51 26 37 a1 ba 2c 30 d9 |.9..y:.#Q&7..,0.| +000000e0 65 f8 8e 54 b7 1a 8a ff e8 eb 50 ab f4 e5 0f 07 |e..T......P.....| +000000f0 94 6b 3d 40 2f bc f7 1c 51 b7 6a 22 78 da 4c ab |.k=@/...Q.j"x.L.| +00000100 74 2b b5 f9 c5 2f f5 b8 8a c0 3b c3 56 d8 79 94 |t+.../....;.V.y.| +00000110 d7 2c bc 7e 2d a8 aa 7d 93 1e 24 49 34 a2 c8 83 |.,.~-..}..$I4...| +00000120 fc 0e b2 c7 f8 15 9c fd 6f 67 d8 32 e4 ce e6 c2 |........og.2....| +00000130 a5 ae c2 8b 40 dd b5 46 dc b9 40 e1 21 47 0e 55 |....@..F..@.!G.U| +00000140 7b f5 87 35 6d 10 22 04 a3 4f f8 95 54 0c 41 a6 |{..5m."..O..T.A.| +00000150 95 7b 0e 96 4b 73 c2 75 c9 87 ce a9 89 06 a9 7a |.{..Ks.u.......z| +00000160 26 ec 81 70 48 4d 24 f4 09 00 aa 92 ac a2 77 9d |&..pHM$.......w.| +00000170 ad aa 18 0f e0 f7 91 c9 80 46 c2 db e7 87 fd 3d |.........F.....=| +00000180 f2 8f ee cb 26 7d ae 1f 17 6e d0 d4 cd 11 80 a2 |....&}...n......| +00000190 57 57 88 78 2e 32 ac 2f 1c ad 5b 86 d2 94 55 9f |WW.x.2./..[...U.| +000001a0 cd 41 b7 cf 6d bb 45 6a 0b 72 79 91 81 1a 79 b3 |.A..m.Ej.ry...y.| +000001b0 6e 7f f4 8a 7b c0 b0 a6 00 0e c0 fe 67 4e e3 96 |n...{.......gN..| +000001c0 5b 0f 1b 47 b5 43 94 91 e9 c4 5f 0b 04 46 bd 53 |[..G.C...._..F.S| +000001d0 f0 44 a9 0c 46 39 d0 e0 9c 25 76 4e 26 f4 49 12 |.D..F9...%vN&.I.| +000001e0 42 7a a7 19 98 f0 93 1f 42 78 c7 1c 87 f0 92 ab |Bz......Bx......| +000001f0 ec 8b f9 4f e3 60 ea fd 88 b5 9d 68 18 59 60 ee |...O.`.....h.Y`.| +00000200 66 a9 0a 24 33 4a 9f c1 c0 e1 70 a0 c3 b1 8d f5 |f..$3J....p.....| +00000210 4a eb 5e f6 8f a9 2f c7 df 88 40 41 61 b3 3e 18 |J.^.../...@Aa.>.| +00000220 66 f7 e1 b7 a6 a9 3a 10 73 ab a4 ce 39 40 8a 78 |f.....:.s...9@.x| +00000230 47 7f bc c9 08 c3 f0 0e 1e 09 87 bf fc e0 46 38 |G.............F8| +00000240 e7 79 4e 9e 50 94 e7 94 ab 54 47 a7 07 7f 9d 7c |.yN.P....TG....|| +00000250 9e 83 9b ba dd 33 5d de db 80 9f a0 7d 9f c3 57 |.....3].....}..W| +00000260 83 45 0d a6 82 61 75 b7 14 54 0c 7e 94 8a fb 4a |.E...au..T.~...J| +00000270 9b 62 bf 8f ae 37 76 23 a0 e0 c0 e0 c1 2c 53 28 |.b...7v#.....,S(| +00000280 4c 5b b7 b3 c1 4e bb e5 cd e8 b0 7b 8e 38 b0 bb |L[...N.....{.8..| +00000290 74 d2 00 63 b4 7b 97 a3 48 52 0f f2 60 0c 0b e4 |t..c.{..HR..`...| +000002a0 b4 0f 1c 9c 97 e1 fa ff 26 61 f8 3c ee 41 66 f8 |........&a.<.Af.| +000002b0 b3 91 cd 30 bd ef 81 cf 23 3a ea fd b8 96 b6 e3 |...0....#:......| +000002c0 bd 32 f2 0f 7a 3d 08 2c 50 a4 16 4e a6 2b 6b 2e |.2..z=.,P..N.+k.| +000002d0 3e 7e a0 bc 10 c2 3c 30 65 fc 26 cd 2b 51 54 27 |>~....<0e.&.+QT'| +000002e0 29 62 eb 99 bb 0b f8 29 ce 8a 21 87 c1 8e f8 6c |)b.....)..!....l| +000002f0 17 fe 96 08 db 03 ef 22 ab 2a 55 8e 11 15 19 97 |.......".*U.....| +00000300 66 9b f3 16 b4 ce 7c 29 f7 e0 ba 1a 14 46 42 20 |f.....|).....FB | +00000310 38 8b 26 8a 53 13 83 a0 a5 76 2d 4c 3c 88 6e a0 |8.&.S....v-L<.n.| +00000320 38 23 69 20 d1 3e c9 40 9b 46 4c 09 d9 50 80 49 |8#i .>.@.FL..P.I| +00000330 bd 59 d9 ec 17 03 03 00 99 a2 f2 c7 ce c6 45 c8 |.Y............E.| +00000340 45 9a 9d a8 83 d9 81 ff 2d ef 81 f9 b7 3d 0e 79 |E.......-....=.y| +00000350 54 5f f4 ca f0 41 20 91 f7 5c 53 49 09 ee b6 27 |T_...A ..\SI...'| +00000360 82 61 0f 1e b9 2d 0f 4e dd e7 3f 05 3c eb bc 2c |.a...-.N..?.<..,| +00000370 81 ca 5d 2f e5 56 f8 ec e5 cb 69 da e9 16 79 ba |..]/.V....i...y.| +00000380 61 8d a9 09 31 2f d3 4c 87 bf 6c 1a 50 df 81 cd |a...1/.L..l.P...| +00000390 ba 4c 28 a1 47 05 13 65 f5 6d a0 fb 04 f6 5f 78 |.L(.G..e.m...._x| +000003a0 d9 28 67 99 ee b9 a1 07 85 3c 5b 17 48 f3 87 43 |.(g......<[.H..C| +000003b0 ca 40 12 59 85 34 da 67 8a 26 3e 0c 11 9f 42 82 |.@.Y.4.g.&>...B.| +000003c0 81 80 56 5b a9 6f c2 73 9d 9a 5e ab 97 a2 a4 49 |..V[.o.s..^....I| +000003d0 9f 73 17 03 03 00 35 7c 74 eb 0d 2b 2f b3 92 2e |.s....5|t..+/...| +000003e0 54 12 f9 cb ae fb d4 8d 6f 7f 93 c5 bd 54 1d d5 |T.......o....T..| +000003f0 06 71 bf 3f 43 71 7b ce 20 9d a9 12 bf dd 2c 3c |.q.?Cq{. .....,<| +00000400 b5 7e 9d 3a 56 e3 8b d1 15 0e 69 35 |.~.:V.....i5| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 07 f8 0f 71 b3 |..........5...q.| +00000010 74 36 f9 e0 2c a4 ac bc 9f 19 fc a7 aa 3d 8e cb |t6..,........=..| +00000020 22 4b 8f 54 f3 4f b2 a5 85 8a c9 ab b0 b7 62 61 |"K.T.O........ba| +00000030 58 dc 64 88 bb 43 6e 61 af 02 88 ca d8 15 b3 02 |X.d..Cna........| +00000040 17 03 03 00 17 25 37 e4 43 40 29 dd 4b fd a6 22 |.....%7.C@).K.."| +00000050 00 75 02 49 c6 64 a1 ed de ed 96 cb 17 03 03 00 |.u.I.d..........| +00000060 13 d6 49 0b ba 13 f3 5b 80 63 79 c8 6a f6 2d df |..I....[.cy.j.-.| +00000070 3f d3 2c 8b |?.,.| diff --git a/pkg/tls/testdata/Client-TLSv13-X25519-ECDHE b/pkg/tls/testdata/Client-TLSv13-X25519-ECDHE new file mode 100644 index 000000000..b430ce03f --- /dev/null +++ b/pkg/tls/testdata/Client-TLSv13-X25519-ECDHE @@ -0,0 +1,90 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 f8 01 00 00 f4 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 00 00 00 00 |........... ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 00 32 cc a9 |.............2..| +00000050 cc a8 c0 2b c0 2f c0 2c c0 30 c0 09 c0 13 c0 0a |...+./.,.0......| +00000060 c0 14 00 9c 00 9d 00 2f 00 35 c0 12 00 0a c0 23 |......./.5.....#| +00000070 c0 27 00 3c c0 07 c0 11 00 05 13 03 13 01 13 02 |.'.<............| +00000080 01 00 00 79 00 05 00 05 01 00 00 00 00 00 0a 00 |...y............| +00000090 04 00 02 00 1d 00 0b 00 02 01 00 00 0d 00 1a 00 |................| +000000a0 18 08 04 04 03 08 07 08 05 08 06 04 01 05 01 06 |................| +000000b0 01 05 03 06 03 02 01 02 03 ff 01 00 01 00 00 17 |................| +000000c0 00 00 00 12 00 00 00 2b 00 09 08 03 04 03 03 03 |.......+........| +000000d0 02 03 01 00 33 00 26 00 24 00 1d 00 20 2f e5 7d |....3.&.$... /.}| +000000e0 a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 |.G.bC.(.._.).0..| +000000f0 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 |........_X.;t| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 94 fd 21 44 52 |....z...v....!DR| +00000010 54 21 7e 4a 1c 83 6a ce c7 21 df b2 f3 1e 4c 73 |T!~J..j..!....Ls| +00000020 d3 f0 8b cc 24 58 17 5c 9c 0c 28 20 00 00 00 00 |....$X.\..( ....| +00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000040 00 00 00 00 00 00 00 00 00 00 00 00 13 03 00 00 |................| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 a0 |..+.....3.$... .| +00000060 72 12 62 31 e2 99 77 93 96 75 a3 64 33 87 33 ab |r.b1..w..u.d3.3.| +00000070 be 61 78 45 34 c4 e7 14 d0 c1 3b cc bb cc 78 14 |.axE4.....;...x.| +00000080 03 03 00 01 01 17 03 03 00 17 13 0e ae 6e fd 8b |.............n..| +00000090 f0 27 06 82 41 f5 68 63 1c 58 38 ad 3a 9e 59 4d |.'..A.hc.X8.:.YM| +000000a0 49 17 03 03 02 6d d8 a3 1c 91 84 93 3d 8d 27 4e |I....m......=.'N| +000000b0 70 a7 fd ac be cb 87 bc 20 19 ef c3 1a be ad b2 |p....... .......| +000000c0 b2 9d 4a e8 00 31 81 e0 43 09 4a b4 90 cc 1a d5 |..J..1..C.J.....| +000000d0 e9 47 56 64 cc e6 cc 3e fa a6 a9 8f 79 0c ea 47 |.GVd...>....y..G| +000000e0 55 5c 29 1a 3c ce 32 ea 45 30 66 01 07 30 22 60 |U\).<.2.E0f..0"`| +000000f0 a0 2b 63 40 29 18 a2 7f 81 bd af 6a dd a9 44 8f |.+c@)......j..D.| +00000100 d3 e8 58 8d 63 11 00 e2 31 9f 98 3c 15 a0 8b 9e |..X.c...1..<....| +00000110 61 12 df a8 87 b5 2e 81 41 ed 3b a6 12 77 05 69 |a.......A.;..w.i| +00000120 09 d1 9d cb 56 ee 86 24 cc ac 4c ff 17 b6 99 a2 |....V..$..L.....| +00000130 c9 22 8a 9c 07 b3 a6 72 aa 33 30 8e 42 18 1d af |.".....r.30.B...| +00000140 73 a5 28 99 12 05 bd 5e 34 cc 72 9a e4 51 2d 46 |s.(....^4.r..Q-F| +00000150 35 55 8d 7b f3 ce f5 50 43 70 f1 4a ea 92 eb bd |5U.{...PCp.J....| +00000160 18 72 b4 e9 90 fe e2 18 64 61 20 02 18 78 e8 75 |.r......da ..x.u| +00000170 33 00 ff cc 72 f2 89 0e fe 7d 7a 07 f8 64 95 6f |3...r....}z..d.o| +00000180 0b 3b 76 96 8f c1 d9 9f 6b 1a 10 28 d7 94 36 dc |.;v.....k..(..6.| +00000190 87 de f2 95 a3 f6 15 44 13 2e 0d 88 aa 86 10 38 |.......D.......8| +000001a0 ff 5f 58 a9 b8 e0 b9 4c fb a6 bb 1f f5 f6 25 4c |._X....L......%L| +000001b0 d5 ab bb 62 70 82 7f 47 5e 05 99 aa 1c d4 12 be |...bp..G^.......| +000001c0 77 2c 67 a3 5f 6c 9f 93 37 36 5f 96 34 8e 22 9d |w,g._l..76_.4.".| +000001d0 a4 5e 4f 8c ce 54 e7 ea 7c 40 f5 9b 20 84 2e 96 |.^O..T..|@.. ...| +000001e0 32 37 6b 65 cf e8 0d cb 3b 54 67 32 ed f6 49 b9 |27ke....;Tg2..I.| +000001f0 d0 4f 36 e6 8a 1c df 35 ee 8a be 3f 8f 5a c9 35 |.O6....5...?.Z.5| +00000200 3d 1b 7e 78 e4 0a d6 f4 6d 3e 48 dc 0d 4e 03 47 |=.~x....m>H..N.G| +00000210 81 db 60 a9 fb 17 8c 39 5e 7d 77 07 21 13 3b 53 |..`....9^}w.!.;S| +00000220 f2 50 bb c3 16 37 24 b8 ef 4a 45 ad 3e ce 05 6a |.P...7$..JE.>..j| +00000230 25 fa 27 05 c8 f9 c5 d5 c3 b0 82 a8 0c ca ef 66 |%.'............f| +00000240 58 a4 51 85 ee 94 2a 07 d9 a4 e5 1a b9 b8 9d a1 |X.Q...*.........| +00000250 42 ae 3c 01 dc c2 96 84 a6 bd e4 e2 e6 37 f4 16 |B.<..........7..| +00000260 51 62 9c ce 26 d5 fe ce 69 7a f5 dd f2 b9 7c d5 |Qb..&...iz....|.| +00000270 9f 9d f6 ca d2 a3 3b 9d 73 99 72 38 3b be 3e 93 |......;.s.r8;.>.| +00000280 d1 81 19 76 10 25 5b f7 3b b9 c3 21 b5 ef 1b 09 |...v.%[.;..!....| +00000290 a5 97 76 a2 b6 4e a7 9e 9c b5 0a 9a a4 99 ec 5c |..v..N.........\| +000002a0 02 fc 1a 83 b8 a2 f1 a5 16 0f 09 7a 21 2b 75 cd |...........z!+u.| +000002b0 23 b5 cc 29 d5 09 3a 5e 88 9b 6b 4f 41 30 2a 42 |#..)..:^..kOA0*B| +000002c0 03 98 56 2b 19 da e0 6f 5b f0 ee b9 a0 3d 98 12 |..V+...o[....=..| +000002d0 41 af 96 ee 1c ae 55 84 b4 c5 98 f7 50 a7 62 cd |A.....U.....P.b.| +000002e0 d7 99 4f be c8 65 fa 64 a3 2b bd b2 cc 9a 96 89 |..O..e.d.+......| +000002f0 bb 9a 78 8f 60 5f 37 12 96 28 21 3d b5 0f 9c 3e |..x.`_7..(!=...>| +00000300 ce 74 8b 9a 66 f0 ef af 38 1e 07 8e ca 6f 5a 35 |.t..f...8....oZ5| +00000310 c9 87 71 17 03 03 00 99 c1 76 e9 d2 52 3f 6d 1b |..q......v..R?m.| +00000320 ca eb 7d 24 2e c9 12 1b 44 f0 9c 06 95 26 d0 a3 |..}$....D....&..| +00000330 04 e1 f1 8f e4 c0 83 91 e2 cf da 6c a1 b3 87 05 |...........l....| +00000340 18 ae f1 7f 8d d3 43 9a f9 a8 9e 73 89 1a 61 2d |......C....s..a-| +00000350 4f 2b 33 0b fd c0 12 0e d2 32 06 52 26 99 1d ce |O+3......2.R&...| +00000360 49 11 a2 ec 23 ad 7f 22 1f 6e c6 12 21 f3 56 1c |I...#..".n..!.V.| +00000370 fe d1 32 dd 1f b5 36 5d e3 78 fb 9c 3e 74 00 aa |..2...6].x..>t..| +00000380 9d fd 92 f8 45 f9 1f e8 c3 4d 89 a8 91 d0 6c 2c |....E....M....l,| +00000390 4f 82 52 f4 43 b0 1b fa 16 75 a4 78 f9 24 d1 3a |O.R.C....u.x.$.:| +000003a0 1e 6b 97 6f 0e 3d bb 34 b3 0a 83 2f 56 88 b8 0e |.k.o.=.4.../V...| +000003b0 90 17 03 03 00 35 cd f0 e5 f9 3f 62 e7 67 25 5f |.....5....?b.g%_| +000003c0 4f 11 d9 d9 d0 e3 3b 9a a9 c0 27 1d d3 a4 06 1f |O.....;...'.....| +000003d0 8d 61 b4 38 aa fe fd f8 6c 10 57 b6 7d 9c 92 96 |.a.8....l.W.}...| +000003e0 c9 70 c2 67 a7 76 7d bb ab 0e 2d |.p.g.v}...-| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 7d 7c fa 64 ea |..........5}|.d.| +00000010 ba 90 be e8 a7 0c 0c 48 10 fc 2d ac 5e dd 1c cf |.......H..-.^...| +00000020 e8 d3 d9 98 3b c2 2b 80 93 44 22 85 bf cb ec c6 |....;.+..D".....| +00000030 4a 13 6d 68 80 22 8b af aa f4 7c de 6b 28 fe ef |J.mh."....|.k(..| +00000040 17 03 03 00 17 4e bd e5 fe 5c 6b 9c bb 48 b8 23 |.....N...\k..H.#| +00000050 55 0f f7 21 25 cb 4c ae 74 b7 54 a2 17 03 03 00 |U..!%.L.t.T.....| +00000060 13 c8 35 e9 be f6 74 09 23 55 ec 78 05 83 89 38 |..5...t.#U.x...8| +00000070 ee 1c b3 3e |...>| diff --git a/pkg/tls/testdata/Server-TLSv10-ECDHE-ECDSA-AES b/pkg/tls/testdata/Server-TLSv10-ECDHE-ECDSA-AES new file mode 100644 index 000000000..c5d947c2c --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv10-ECDHE-ECDSA-AES @@ -0,0 +1,79 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 51 01 00 00 4d 03 01 5e bf ff e7 c2 |....Q...M..^....| +00000010 c1 98 4a a3 cf 5a e8 8d 8f 19 9e 85 48 5b 92 cc |..J..Z......H[..| +00000020 7d 0c 14 1e 2e 50 5b d7 dd fe ef 00 00 04 c0 0a |}....P[.........| +00000030 00 ff 01 00 00 20 00 0b 00 04 03 00 01 02 00 0a |..... ..........| +00000040 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................| +00000050 00 00 00 17 00 00 |......| +>>> Flow 2 (server to client) +00000000 16 03 01 00 3b 02 00 00 37 03 01 00 00 00 00 00 |....;...7.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 00 00 c0 0a 00 00 |...DOWNGRD......| +00000030 0f ff 01 00 01 00 00 17 00 00 00 0b 00 02 01 00 |................| +00000040 16 03 01 02 0e 0b 00 02 0a 00 02 07 00 02 04 30 |...............0| +00000050 82 02 00 30 82 01 62 02 09 00 b8 bf 2d 47 a0 d2 |...0..b.....-G..| +00000060 eb f4 30 09 06 07 2a 86 48 ce 3d 04 01 30 45 31 |..0...*.H.=..0E1| +00000070 0b 30 09 06 03 55 04 06 13 02 41 55 31 13 30 11 |.0...U....AU1.0.| +00000080 06 03 55 04 08 13 0a 53 6f 6d 65 2d 53 74 61 74 |..U....Some-Stat| +00000090 65 31 21 30 1f 06 03 55 04 0a 13 18 49 6e 74 65 |e1!0...U....Inte| +000000a0 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 74 79 |rnet Widgits Pty| +000000b0 20 4c 74 64 30 1e 17 0d 31 32 31 31 32 32 31 35 | Ltd0...12112215| +000000c0 30 36 33 32 5a 17 0d 32 32 31 31 32 30 31 35 30 |0632Z..221120150| +000000d0 36 33 32 5a 30 45 31 0b 30 09 06 03 55 04 06 13 |632Z0E1.0...U...| +000000e0 02 41 55 31 13 30 11 06 03 55 04 08 13 0a 53 6f |.AU1.0...U....So| +000000f0 6d 65 2d 53 74 61 74 65 31 21 30 1f 06 03 55 04 |me-State1!0...U.| +00000100 0a 13 18 49 6e 74 65 72 6e 65 74 20 57 69 64 67 |...Internet Widg| +00000110 69 74 73 20 50 74 79 20 4c 74 64 30 81 9b 30 10 |its Pty Ltd0..0.| +00000120 06 07 2a 86 48 ce 3d 02 01 06 05 2b 81 04 00 23 |..*.H.=....+...#| +00000130 03 81 86 00 04 00 c4 a1 ed be 98 f9 0b 48 73 36 |.............Hs6| +00000140 7e c3 16 56 11 22 f2 3d 53 c3 3b 4d 21 3d cd 6b |~..V.".=S.;M!=.k| +00000150 75 e6 f6 b0 dc 9a df 26 c1 bc b2 87 f0 72 32 7c |u......&.....r2|| +00000160 b3 64 2f 1c 90 bc ea 68 23 10 7e fe e3 25 c0 48 |.d/....h#.~..%.H| +00000170 3a 69 e0 28 6d d3 37 00 ef 04 62 dd 0d a0 9c 70 |:i.(m.7...b....p| +00000180 62 83 d8 81 d3 64 31 aa 9e 97 31 bd 96 b0 68 c0 |b....d1...1...h.| +00000190 9b 23 de 76 64 3f 1a 5c 7f e9 12 0e 58 58 b6 5f |.#.vd?.\....XX._| +000001a0 70 dd 9b d8 ea d5 d7 f5 d5 cc b9 b6 9f 30 66 5b |p............0f[| +000001b0 66 9a 20 e2 27 e5 bf fe 3b 30 09 06 07 2a 86 48 |f. .'...;0...*.H| +000001c0 ce 3d 04 01 03 81 8c 00 30 81 88 02 42 01 88 a2 |.=......0...B...| +000001d0 4f eb e2 45 c5 48 7d 1b ac f5 ed 98 9d ae 47 70 |O..E.H}.......Gp| +000001e0 c0 5e 1b b6 2f bd f1 b6 4d b7 61 40 d3 11 a2 ce |.^../...M.a@....| +000001f0 ee 0b 7e 92 7e ff 76 9d c3 3b 7e a5 3f ce fa 10 |..~.~.v..;~.?...| +00000200 e2 59 ec 47 2d 7c ac da 4e 97 0e 15 a0 6f d0 02 |.Y.G-|..N....o..| +00000210 42 01 4d fc be 67 13 9c 2d 05 0e bd 3f a3 8c 25 |B.M..g..-...?..%| +00000220 c1 33 13 83 0d 94 06 bb d4 37 7a f6 ec 7a c9 86 |.3.......7z..z..| +00000230 2e dd d7 11 69 7f 85 7c 56 de fb 31 78 2b e4 c7 |....i..|V..1x+..| +00000240 78 0d ae cb be 9e 4e 36 24 31 7b 6a 0f 39 95 12 |x.....N6$1{j.9..| +00000250 07 8f 2a 16 03 01 00 b5 0c 00 00 b1 03 00 1d 20 |..*............ | +00000260 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 |/.}.G.bC.(.._.).| +00000270 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 |0.........._X.;t| +00000280 00 8b 30 81 88 02 42 00 c3 eb 60 b8 d3 af cb 2d |..0...B...`....-| +00000290 4f ca 46 6d e4 fe 47 41 82 1e d4 14 0f 08 ab b6 |O.Fm..GA........| +000002a0 b8 41 8b 46 f5 28 bb 87 28 73 a0 5c e9 ce f5 56 |.A.F.(..(s.\...V| +000002b0 11 02 17 2c 39 b6 28 6c ec de 12 bf 22 91 3d 06 |...,9.(l....".=.| +000002c0 ac 8e 0a 92 b1 46 69 86 44 02 42 01 fd 70 6e 63 |.....Fi.D.B..pnc| +000002d0 1b 2a 21 47 9b 42 9c d4 4a 38 20 dd 94 05 c4 0f |.*!G.B..J8 .....| +000002e0 5d b2 48 c8 17 90 01 4d 4f 7e 7a ef bb b2 5b 26 |].H....MO~z...[&| +000002f0 7e e1 24 f5 80 93 69 72 3f cf bb 5d 52 ee ec b4 |~.$...ir?..]R...| +00000300 cc 0c 96 1f 93 4c d6 a8 c7 b2 91 f5 6d 16 03 01 |.....L......m...| +00000310 00 04 0e 00 00 00 |......| +>>> Flow 3 (client to server) +00000000 16 03 01 00 25 10 00 00 21 20 ec f2 2d ca 02 ce |....%...! ..-...| +00000010 11 2d eb 26 d7 d9 fc b2 a7 2d 34 5b a9 3a 0b 2f |.-.&.....-4[.:./| +00000020 5c 49 a9 69 1a 3a 83 90 ec 5f 14 03 01 00 01 01 |\I.i.:..._......| +00000030 16 03 01 00 30 9f 06 c7 a7 a0 c3 a5 3d 60 6e fb |....0.......=`n.| +00000040 c6 18 a4 d2 80 2e ad 8f cf 92 84 94 36 f8 81 28 |............6..(| +00000050 c5 3f 37 e8 d6 e7 6d a3 f5 32 63 a0 ab 7a db 12 |.?7...m..2c..z..| +00000060 17 e1 e4 33 d6 |...3.| +>>> Flow 4 (server to client) +00000000 14 03 01 00 01 01 16 03 01 00 30 18 29 35 d7 c5 |..........0.)5..| +00000010 a2 31 3b 26 85 de 50 26 39 4d 16 22 58 a2 17 bd |.1;&..P&9M."X...| +00000020 4b 73 33 8d dc 3f 92 20 f2 ca 22 00 f5 31 db a7 |Ks3..?. .."..1..| +00000030 18 79 fc 71 87 68 a5 1d a6 db 33 17 03 01 00 20 |.y.q.h....3.... | +00000040 0d be 57 e4 12 6d 2d 3a 33 24 a0 0c c4 9b 27 09 |..W..m-:3$....'.| +00000050 85 e0 0e 42 04 79 21 9a bf 47 fa 0b 38 1a ce 8f |...B.y!..G..8...| +00000060 17 03 01 00 30 6d 27 f1 9b cf 55 4d 65 48 38 1b |....0m'...UMeH8.| +00000070 d9 dd 1d 5b 81 2f 10 a5 65 28 83 93 b3 b1 3a 72 |...[./..e(....:r| +00000080 f0 15 9a e5 9f 21 80 f1 59 a5 0e f1 0c 2b d1 0c |.....!..Y....+..| +00000090 d4 27 73 f3 7e 15 03 01 00 20 6f 08 27 3a d2 60 |.'s.~.... o.':.`| +000000a0 c3 27 bc 73 55 bb 43 53 e2 e0 87 16 ca 8f 49 f0 |.'.sU.CS......I.| +000000b0 88 a8 20 30 9d 42 86 d9 c3 36 |.. 0.B...6| diff --git a/pkg/tls/testdata/Server-TLSv10-ExportKeyingMaterial b/pkg/tls/testdata/Server-TLSv10-ExportKeyingMaterial new file mode 100644 index 000000000..b3d0f7d05 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv10-ExportKeyingMaterial @@ -0,0 +1,92 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 55 01 00 00 51 03 01 e0 8d 7b f2 8d |....U...Q....{..| +00000010 45 9f c5 40 1b be 81 05 a1 83 82 c1 54 4a c7 1c |E..@........TJ..| +00000020 f1 f8 d5 6c 7a ff 93 81 e2 a2 ba 00 00 04 c0 14 |...lz...........| +00000030 00 ff 01 00 00 24 00 0b 00 04 03 00 01 02 00 0a |.....$..........| +00000040 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 |...............#| +00000050 00 00 00 16 00 00 00 17 00 00 |..........| +>>> Flow 2 (server to client) +00000000 16 03 01 00 3f 02 00 00 3b 03 01 00 00 00 00 00 |....?...;.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 00 00 c0 14 00 00 |...DOWNGRD......| +00000030 13 00 23 00 00 ff 01 00 01 00 00 17 00 00 00 0b |..#.............| +00000040 00 02 01 00 16 03 01 02 59 0b 00 02 55 00 02 52 |........Y...U..R| +00000050 00 02 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 |..O0..K0........| +00000060 02 09 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a |......?.[..0...*| +00000070 86 48 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 |.H........0.1.0.| +00000080 06 03 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 |..U....Go1.0...U| +00000090 04 03 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 |....Go Root0...1| +000000a0 36 30 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 |60101000000Z..25| +000000b0 30 31 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 |0101000000Z0.1.0| +000000c0 09 06 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 |...U....Go1.0...| +000000d0 55 04 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 |U....Go0..0...*.| +000000e0 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 |H............0..| +000000f0 02 81 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 |.....F}...'.H..(| +00000100 21 ab 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 |!.~...]..RE.z6G.| +00000110 08 0d 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d |...B[.....y.@.Om| +00000120 14 fd 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 |..+.....g....."8| +00000130 b7 4a 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b |.J.ts+.4......t{| +00000140 f3 58 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 |.X.la<..A..++$#w| +00000150 5b 1c 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 |[.;.u]. T..c...$| +00000160 c4 f3 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 |....P....C...ub.| +00000170 14 c8 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 |..R.........0..0| +00000180 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 |...U...........0| +00000190 1d 06 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 |...U.%..0...+...| +000001a0 05 07 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c |......+.......0.| +000001b0 06 03 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 |..U.......0.0...| +000001c0 55 1d 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 |U..........CC>I.| +000001d0 de 6d b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 |.m....`0...U.#..| +000001e0 30 12 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 |0...H.IM.~.1....| +000001f0 ac ab 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 |..n{0...U....0..| +00000200 0e 65 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 |.example.golang0| +00000210 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 |...*.H..........| +00000220 81 00 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 |...0.@+[P.a...SX| +00000230 e1 ed 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a |...(.X..8....1Z.| +00000240 84 66 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 |.f=C.-...... d8.| +00000250 24 3a 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 |$:....}.@ ._...a| +00000260 09 a2 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c |..v......\.....l| +00000270 04 ed 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 |..s..Cw.......@.| +00000280 61 c9 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e |a.Lr+...F..M...>| +00000290 c0 d1 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 |...B...=.`.\!.;.| +000002a0 fa e7 16 03 01 00 aa 0c 00 00 a6 03 00 1d 20 2f |.............. /| +000002b0 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +000002c0 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 00 |.........._X.;t.| +000002d0 80 3d ff b7 ad d5 15 4f 10 6e 8a d2 ad 8a 6b 1b |.=.....O.n....k.| +000002e0 9d 6c f2 92 99 c7 d7 d8 07 d5 c7 77 09 22 41 4f |.l.........w."AO| +000002f0 7f ca 3e 8c 22 ba 2b f2 75 5f 47 c9 7e 0c 03 5d |..>.".+.u_G.~..]| +00000300 1a 66 c3 c8 f3 76 f0 f6 fa 03 40 3a 9b e7 2b 35 |.f...v....@:..+5| +00000310 bc c7 5e 62 a6 97 8a 1a 17 e3 13 4c 1f 88 39 2a |..^b.......L..9*| +00000320 5b cc 9c 65 df 27 1e b3 26 d7 46 3e 76 a9 ae 71 |[..e.'..&.F>v..q| +00000330 11 4d d6 10 b4 2e 30 37 a1 b4 ff 46 91 77 c7 4c |.M....07...F.w.L| +00000340 f9 8e e3 96 88 d2 1e c5 9d fb a1 be c6 ef 5d f0 |..............].| +00000350 52 16 03 01 00 04 0e 00 00 00 |R.........| +>>> Flow 3 (client to server) +00000000 16 03 01 00 25 10 00 00 21 20 01 39 8b 2b 21 99 |....%...! .9.+!.| +00000010 fd fc b8 20 f1 51 97 c7 85 13 05 64 55 41 6b c4 |... .Q.....dUAk.| +00000020 1a 5e d5 b2 7c 8b 31 08 0f 78 14 03 01 00 01 01 |.^..|.1..x......| +00000030 16 03 01 00 30 d8 3b e6 9f f8 a8 b2 6b 8b fb 89 |....0.;.....k...| +00000040 71 3b 55 cd c3 c9 78 3c 45 1b 8d 5f 70 4f bd 64 |q;U...x>> Flow 4 (server to client) +00000000 16 03 01 00 83 04 00 00 7f 00 00 00 00 00 79 00 |..............y.| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 |................| +00000020 6d 2d 70 97 51 ed 14 ef 68 ca 42 c5 4c 71 8e 74 |m-p.Q...h.B.Lq.t| +00000030 d4 83 d6 4a 5b 69 f8 af 61 3a 98 83 19 d5 7c 60 |...J[i..a:....|`| +00000040 4a 1e f4 b7 26 b8 99 b5 45 6f a3 8d 97 63 5f 1b |J...&...Eo...c_.| +00000050 ab f4 84 59 db ce 99 ce b8 6a 23 d5 15 49 38 16 |...Y.....j#..I8.| +00000060 7e 51 5c e5 15 c0 58 7d c0 ee 59 1b e4 6e 1f c8 |~Q\...X}..Y..n..| +00000070 fc d4 2c 33 ed 0a 2b e0 78 04 64 4b 56 e4 af 61 |..,3..+.x.dKV..a| +00000080 c6 b5 7d f5 a0 86 9f e3 14 03 01 00 01 01 16 03 |..}.............| +00000090 01 00 30 73 2b f0 16 d3 a8 02 b3 73 98 5e 4e a0 |..0s+......s.^N.| +000000a0 ca 5b c4 50 fb 5a 92 11 43 97 e9 e3 16 9f 08 0a |.[.P.Z..C.......| +000000b0 56 73 e6 44 67 70 aa 3d bb c1 36 c8 63 1c 2b 51 |Vs.Dgp.=..6.c.+Q| +000000c0 1f 3b 81 17 03 01 00 20 4c 93 10 5c 01 e2 63 12 |.;..... L..\..c.| +000000d0 97 6b e1 89 fb e7 14 cf ec 70 d1 fe 6f ea 8b 09 |.k.......p..o...| +000000e0 63 5f 8c 8a 9e b5 ac b8 17 03 01 00 30 a1 ad dd |c_..........0...| +000000f0 92 ac a8 6e 77 ed c2 ed 59 b6 a8 41 ad 45 59 8c |...nw...Y..A.EY.| +00000100 4e 1d 16 36 57 e6 2f 47 3d 10 0f 36 04 00 b0 c1 |N..6W./G=..6....| +00000110 a7 94 25 8e 77 1e 69 20 41 6c c0 9d 26 15 03 01 |..%.w.i Al..&...| +00000120 00 20 c5 83 26 5d 20 cb 16 7e 27 63 d7 96 aa 96 |. ..&] ..~'c....| +00000130 37 19 2a 7a 18 d4 85 08 25 32 85 d5 b5 e3 4e 9b |7.*z....%2....N.| +00000140 98 f5 |..| diff --git a/pkg/tls/testdata/Server-TLSv10-RSA-3DES b/pkg/tls/testdata/Server-TLSv10-RSA-3DES new file mode 100644 index 000000000..e4853a4cc --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv10-RSA-3DES @@ -0,0 +1,73 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 39 01 00 00 35 03 01 51 7a 48 8d de |....9...5..QzH..| +00000010 0b 30 0f 9a 91 56 30 20 30 dd bd 74 3b e2 d7 db |.0...V0 0..t;...| +00000020 46 3d bf 6f b6 ae 53 8a 7d 18 50 00 00 04 00 0a |F=.o..S.}.P.....| +00000030 00 ff 01 00 00 08 00 16 00 00 00 17 00 00 |..............| +>>> Flow 2 (server to client) +00000000 16 03 01 00 35 02 00 00 31 03 01 00 00 00 00 00 |....5...1.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 00 00 00 0a 00 00 |...DOWNGRD......| +00000030 09 ff 01 00 01 00 00 17 00 00 16 03 01 02 59 0b |..............Y.| +00000040 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000050 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000060 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000070 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +00000080 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +00000090 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000a0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000b0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000c0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000d0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +000000e0 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +000000f0 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000100 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000110 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000120 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000130 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000140 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000150 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000160 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000170 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +00000180 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +00000190 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001a0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001b0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001c0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001d0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +000001e0 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +000001f0 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000200 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000210 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000220 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000230 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000240 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000250 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000260 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000270 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +00000280 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +00000290 84 5c 21 d3 3b e9 fa e7 16 03 01 00 04 0e 00 00 |.\!.;...........| +000002a0 00 |.| +>>> Flow 3 (client to server) +00000000 16 03 01 00 86 10 00 00 82 00 80 54 53 e6 48 5d |...........TS.H]| +00000010 bb 47 19 7e ab 31 3b 4a c8 fb da 69 9d 74 b3 e1 |.G.~.1;J...i.t..| +00000020 dc 8c ea 36 f7 a1 06 68 52 79 c3 08 be b9 5c 1a |...6...hRy....\.| +00000030 80 cc 13 b8 7b b8 02 98 5e f8 50 47 a5 0d 37 dd |....{...^.PG..7.| +00000040 86 c5 69 9c 1c 1c 91 39 ea 80 dc d1 87 d3 f8 f6 |..i....9........| +00000050 84 c6 65 72 af 71 dc 98 56 9e bc e7 a9 9d 9b 31 |..er.q..V......1| +00000060 d0 c3 54 28 05 86 91 e4 03 40 f7 2a cb 07 13 41 |..T(.....@.*...A| +00000070 1e 30 0b b1 2d 52 ae 1f a1 6b a9 db c2 76 1d 4a |.0..-R...k...v.J| +00000080 a6 81 ba 3c cb e9 3a 6b f3 70 ed 14 03 01 00 01 |...<..:k.p......| +00000090 01 16 03 01 00 28 01 84 d8 e4 7a b1 11 3e 27 fb |.....(....z..>'.| +000000a0 66 10 1a db 20 fb 9e e3 f1 a5 a7 86 2f fd c9 d2 |f... ......./...| +000000b0 1c b8 a4 2b af 2b 66 fc ad 31 72 28 d7 1a |...+.+f..1r(..| +>>> Flow 4 (server to client) +00000000 14 03 01 00 01 01 16 03 01 00 28 67 3d c4 e9 a6 |..........(g=...| +00000010 bb 99 57 90 eb fa 86 ee ab 00 08 61 2d c8 50 5b |..W........a-.P[| +00000020 83 9c ce 83 60 7a 89 33 90 b7 f9 31 e9 37 04 3d |....`z.3...1.7.=| +00000030 d6 01 44 17 03 01 00 18 0a 1c 6c 75 23 bc b2 e7 |..D.......lu#...| +00000040 30 2d 61 57 d3 a6 a2 72 6a 7a 2d 8a 7b fd 45 67 |0-aW...rjz-.{.Eg| +00000050 17 03 01 00 28 23 8b 77 dd a3 f2 b6 0e 59 40 3b |....(#.w.....Y@;| +00000060 4e 3a 1b 0c 11 2f 99 00 b9 e1 2c 11 89 53 fb 23 |N:.../....,..S.#| +00000070 fb 6c 60 71 db a8 43 a4 92 ad 68 24 e9 15 03 01 |.l`q..C...h$....| +00000080 00 18 24 19 84 35 13 29 ed 3a f0 57 a9 e1 b6 e9 |..$..5.).:.W....| +00000090 05 64 fe 46 c0 ca b1 88 12 a7 |.d.F......| diff --git a/pkg/tls/testdata/Server-TLSv10-RSA-AES b/pkg/tls/testdata/Server-TLSv10-RSA-AES new file mode 100644 index 000000000..f362a7a61 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv10-RSA-AES @@ -0,0 +1,76 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 39 01 00 00 35 03 01 96 f7 15 21 fc |....9...5.....!.| +00000010 31 f5 cf cf e9 82 0f 84 db 34 a8 e4 3c e9 39 b4 |1........4..<.9.| +00000020 90 af d7 47 2b b5 71 8a bb 26 b5 00 00 04 00 2f |...G+.q..&...../| +00000030 00 ff 01 00 00 08 00 16 00 00 00 17 00 00 |..............| +>>> Flow 2 (server to client) +00000000 16 03 01 00 35 02 00 00 31 03 01 00 00 00 00 00 |....5...1.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 00 00 00 2f 00 00 |...DOWNGRD.../..| +00000030 09 ff 01 00 01 00 00 17 00 00 16 03 01 02 59 0b |..............Y.| +00000040 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000050 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000060 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000070 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +00000080 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +00000090 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000a0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000b0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000c0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000d0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +000000e0 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +000000f0 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000100 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000110 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000120 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000130 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000140 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000150 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000160 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000170 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +00000180 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +00000190 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001a0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001b0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001c0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001d0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +000001e0 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +000001f0 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000200 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000210 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000220 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000230 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000240 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000250 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000260 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000270 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +00000280 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +00000290 84 5c 21 d3 3b e9 fa e7 16 03 01 00 04 0e 00 00 |.\!.;...........| +000002a0 00 |.| +>>> Flow 3 (client to server) +00000000 16 03 01 00 86 10 00 00 82 00 80 47 20 04 47 3e |...........G .G>| +00000010 d0 67 d1 d9 5d 17 eb 85 2c 3f 1c 4b 93 f9 ff 51 |.g..]...,?.K...Q| +00000020 ca 61 eb 04 54 6d 49 97 02 67 fe 28 79 be 4d 37 |.a..TmI..g.(y.M7| +00000030 f7 ba e8 e0 2b 90 31 fe 66 d8 04 ad bf fb 2c 05 |....+.1.f.....,.| +00000040 7e 41 a0 5d 00 47 20 84 83 2c 39 7f 29 aa 72 72 |~A.].G ..,9.).rr| +00000050 89 e3 c7 bb ea 07 d2 29 94 de 54 23 eb 9f ae fa |.......)..T#....| +00000060 3b 9a 23 bd a8 43 11 ab b5 6c 8a ae c6 71 2c c4 |;.#..C...l...q,.| +00000070 f6 4d 0d 19 8e f6 7e 44 d2 04 58 68 a7 bd 84 34 |.M....~D..Xh...4| +00000080 5f e5 98 56 a5 1e 61 57 f2 f4 ea 14 03 01 00 01 |_..V..aW........| +00000090 01 16 03 01 00 30 eb 07 c2 ed 41 24 ab 50 74 82 |.....0....A$.Pt.| +000000a0 c4 83 28 2c b3 33 88 a1 c7 61 89 61 29 58 78 fc |..(,.3...a.a)Xx.| +000000b0 b5 99 54 d2 c2 2b 14 e4 6b a9 9b b8 69 17 6c 53 |..T..+..k...i.lS| +000000c0 dd dd d7 7b a5 a7 |...{..| +>>> Flow 4 (server to client) +00000000 14 03 01 00 01 01 16 03 01 00 30 17 39 24 df 39 |..........0.9$.9| +00000010 2f b4 09 7b d8 76 fa c2 0a e2 68 f9 23 0c be 1b |/..{.v....h.#...| +00000020 9d ba 91 16 2c f3 5b 6a 3d d3 63 12 35 76 91 38 |....,.[j=.c.5v.8| +00000030 f3 a5 37 4a bc 65 f4 85 cb b8 65 17 03 01 00 20 |..7J.e....e.... | +00000040 0c 59 ac 4f 44 97 46 bd d5 ae 98 74 9f 86 3e ef |.Y.OD.F....t..>.| +00000050 b3 09 3c c4 0c 45 58 10 4f fd e0 be 86 ac 3e c8 |..<..EX.O.....>.| +00000060 17 03 01 00 30 8c 76 1f 5a 4a 3b 98 4d 5c 0d c7 |....0.v.ZJ;.M\..| +00000070 dc 55 df 70 ed 75 22 d2 a5 28 a7 4e 9f ed 83 3b |.U.p.u"..(.N...;| +00000080 88 85 7d 1a 7e f9 6f e7 f3 26 e1 b1 7b 4e 52 a5 |..}.~.o..&..{NR.| +00000090 29 55 a4 04 df 15 03 01 00 20 8b 10 5c 79 5e f8 |)U....... ..\y^.| +000000a0 1d 41 1c b2 05 fd 58 5a 80 69 e5 ce db c3 ac a4 |.A....XZ.i......| +000000b0 e6 95 1d 9d 32 e2 66 4b af 43 |....2.fK.C| diff --git a/pkg/tls/testdata/Server-TLSv10-RSA-RC4 b/pkg/tls/testdata/Server-TLSv10-RSA-RC4 new file mode 100644 index 000000000..e07b8d855 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv10-RSA-RC4 @@ -0,0 +1,70 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 39 01 00 00 35 03 01 eb 78 34 78 f6 |....9...5...x4x.| +00000010 8f 87 2f ee 5e da ee 37 5d 0a d5 79 d5 0e db b1 |../.^..7]..y....| +00000020 b7 03 37 1f 2d ce 04 b9 2d 65 d7 00 00 04 00 05 |..7.-...-e......| +00000030 00 ff 01 00 00 08 00 16 00 00 00 17 00 00 |..............| +>>> Flow 2 (server to client) +00000000 16 03 01 00 35 02 00 00 31 03 01 00 00 00 00 00 |....5...1.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 00 00 00 05 00 00 |...DOWNGRD......| +00000030 09 ff 01 00 01 00 00 17 00 00 16 03 01 02 59 0b |..............Y.| +00000040 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000050 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000060 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000070 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +00000080 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +00000090 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000a0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000b0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000c0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000d0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +000000e0 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +000000f0 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000100 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000110 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000120 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000130 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000140 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000150 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000160 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000170 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +00000180 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +00000190 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001a0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001b0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001c0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001d0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +000001e0 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +000001f0 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000200 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000210 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000220 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000230 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000240 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000250 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000260 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000270 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +00000280 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +00000290 84 5c 21 d3 3b e9 fa e7 16 03 01 00 04 0e 00 00 |.\!.;...........| +000002a0 00 |.| +>>> Flow 3 (client to server) +00000000 16 03 01 00 86 10 00 00 82 00 80 d4 db 61 0b 26 |.............a.&| +00000010 06 af 94 37 9d fc 50 3f 50 4f 58 37 b9 b1 c2 d2 |...7..P?POX7....| +00000020 92 2b f5 c9 fe 7f 3d f4 32 e3 ee ba 46 ea e5 36 |.+....=.2...F..6| +00000030 9b fd c5 89 c9 14 45 e7 f7 ea 1a a9 63 c5 62 fb |......E.....c.b.| +00000040 34 c4 80 1e 59 60 39 d9 ca 68 3f 3f 1a f9 6a 14 |4...Y`9..h??..j.| +00000050 f7 c8 91 3b 7d eb cc b9 8c 42 f1 ef d8 0f cd 17 |...;}....B......| +00000060 64 f3 b8 30 6e 50 d4 23 bb 26 78 c3 fe f0 c4 42 |d..0nP.#.&x....B| +00000070 0a 89 90 fb 43 fe 7f 0f 06 82 e8 7f fb 42 dd 46 |....C........B.F| +00000080 fc 38 6e d0 14 05 41 b8 05 6b e7 14 03 01 00 01 |.8n...A..k......| +00000090 01 16 03 01 00 24 b4 bb 3e 8f 6b 91 43 c2 b9 16 |.....$..>.k.C...| +000000a0 59 ba 7d f9 89 a4 89 ce 12 c8 76 b0 e3 8f 36 03 |Y.}.......v...6.| +000000b0 f7 48 03 7e 4a fe e5 8e 88 91 |.H.~J.....| +>>> Flow 4 (server to client) +00000000 14 03 01 00 01 01 16 03 01 00 24 06 5d 9f 70 98 |..........$.].p.| +00000010 8b 42 79 f1 ba 73 40 8e b3 f6 ff a1 45 57 c4 f3 |.By..s@.....EW..| +00000020 6d 00 4e b5 52 f5 3d 08 b4 57 33 74 ab 6f 62 17 |m.N.R.=..W3t.ob.| +00000030 03 01 00 21 6e 3a c7 a5 63 fb 81 78 10 9c 85 ab |...!n:..c..x....| +00000040 3d 3b 50 3a 12 0b c2 0f f5 7e a2 d3 f7 82 3c 7f |=;P:.....~....<.| +00000050 45 29 2c 1e eb 15 03 01 00 16 66 a4 bb 6d d1 fc |E),.......f..m..| +00000060 36 b2 a9 e7 e5 7a da a1 37 f1 cf fa 8f 0c 73 f5 |6....z..7.....s.| diff --git a/pkg/tls/testdata/Server-TLSv11-FallbackSCSV b/pkg/tls/testdata/Server-TLSv11-FallbackSCSV new file mode 100644 index 000000000..7bd034105 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv11-FallbackSCSV @@ -0,0 +1,11 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 77 01 00 00 73 03 02 0a 6b c9 55 9d |....w...s...k.U.| +00000010 bf 4e 61 b2 0a c7 c6 96 9f eb 90 91 87 ca d3 d3 |.Na.............| +00000020 62 dc b6 b4 db ea 41 fe 43 3e a3 00 00 14 c0 0a |b.....A.C>......| +00000030 c0 14 00 39 c0 09 c0 13 00 33 00 35 00 2f 00 ff |...9.....3.5./..| +00000040 56 00 01 00 00 36 00 00 00 0e 00 0c 00 00 09 31 |V....6.........1| +00000050 32 37 2e 30 2e 30 2e 31 00 0b 00 04 03 00 01 02 |27.0.0.1........| +00000060 00 0a 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 |................| +00000070 00 23 00 00 00 16 00 00 00 17 00 00 |.#..........| +>>> Flow 2 (server to client) +00000000 15 03 02 00 02 02 56 |......V| diff --git a/pkg/tls/testdata/Server-TLSv11-RSA-RC4 b/pkg/tls/testdata/Server-TLSv11-RSA-RC4 new file mode 100644 index 000000000..27062da0d --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv11-RSA-RC4 @@ -0,0 +1,70 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 39 01 00 00 35 03 02 ac 4f 36 f3 4c |....9...5...O6.L| +00000010 64 ae 8d fc 50 a3 e1 e4 70 5d ba 8c de de c8 07 |d...P...p]......| +00000020 70 24 8d bd c1 69 a3 0e ad 16 38 00 00 04 00 05 |p$...i....8.....| +00000030 00 ff 01 00 00 08 00 16 00 00 00 17 00 00 |..............| +>>> Flow 2 (server to client) +00000000 16 03 02 00 35 02 00 00 31 03 02 00 00 00 00 00 |....5...1.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 00 00 00 05 00 00 |...DOWNGRD......| +00000030 09 ff 01 00 01 00 00 17 00 00 16 03 02 02 59 0b |..............Y.| +00000040 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000050 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000060 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000070 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +00000080 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +00000090 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000a0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000b0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000c0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000d0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +000000e0 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +000000f0 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000100 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000110 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000120 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000130 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000140 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000150 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000160 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000170 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +00000180 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +00000190 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001a0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001b0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001c0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001d0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +000001e0 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +000001f0 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000200 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000210 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000220 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000230 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000240 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000250 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000260 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000270 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +00000280 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +00000290 84 5c 21 d3 3b e9 fa e7 16 03 02 00 04 0e 00 00 |.\!.;...........| +000002a0 00 |.| +>>> Flow 3 (client to server) +00000000 16 03 02 00 86 10 00 00 82 00 80 49 c4 5f 04 e0 |...........I._..| +00000010 63 96 72 bd c9 00 af 17 b1 59 b4 c7 40 a5 b7 b5 |c.r......Y..@...| +00000020 68 79 d2 7b b0 2a e7 06 7e 97 ad da d8 3f cb f8 |hy.{.*..~....?..| +00000030 7c b9 f1 9d be 49 7c 09 6a b0 25 49 9c 06 2a c3 ||....I|.j.%I..*.| +00000040 d5 0a ae cc cc 08 31 5d 14 82 06 a7 57 fc 66 9c |......1]....W.f.| +00000050 90 b7 be aa 15 46 2b aa ae fc 3a ce 3d 64 4e 80 |.....F+...:.=dN.| +00000060 90 3f 77 c6 60 cd 6b dc 69 c1 92 a9 1e 8e 30 6a |.?w.`.k.i.....0j| +00000070 34 a3 db 1a f5 a3 f9 ac 1c 07 4f be 38 d1 a5 61 |4.........O.8..a| +00000080 e5 5f 84 99 f0 87 40 dc b2 cc 05 14 03 02 00 01 |._....@.........| +00000090 01 16 03 02 00 24 eb d9 48 20 7b db 97 48 f2 c7 |.....$..H {..H..| +000000a0 bb c1 ef fa 74 44 d8 a1 55 63 f3 d0 90 ef f2 0b |....tD..Uc......| +000000b0 67 10 98 27 76 8a 70 78 0b df |g..'v.px..| +>>> Flow 4 (server to client) +00000000 14 03 02 00 01 01 16 03 02 00 24 41 50 b9 88 0e |..........$AP...| +00000010 3f 27 36 f0 27 70 ca b8 bc 38 df e9 68 3e 29 cf |?'6.'p...8..h>).| +00000020 80 b5 e8 59 bd 52 45 b7 0d fa a7 6d 77 a0 9e 17 |...Y.RE....mw...| +00000030 03 02 00 21 94 2a 6a ca f0 b3 7e 1c d6 58 3f 64 |...!.*j...~..X?d| +00000040 ef 62 35 72 aa c6 84 7b 19 c6 07 0e 04 63 c4 14 |.b5r...{.....c..| +00000050 43 d8 73 ff 2f 15 03 02 00 16 5a 45 ba 51 95 c9 |C.s./.....ZE.Q..| +00000060 53 2a a6 b1 61 35 db 0a 7b f9 8e a9 fb 18 87 b1 |S*..a5..{.......| diff --git a/pkg/tls/testdata/Server-TLSv12-ALPN b/pkg/tls/testdata/Server-TLSv12-ALPN new file mode 100644 index 000000000..ccd4a086a --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-ALPN @@ -0,0 +1,91 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 9d 01 00 00 99 03 03 f7 12 13 92 75 |...............u| +00000010 34 ab f3 e8 a2 19 2d 3c 0c 8b 9e c3 e8 22 7e d8 |4.....-<....."~.| +00000020 66 f9 08 88 70 9b cc 37 95 43 a7 00 00 04 cc a8 |f...p..7.C......| +00000030 00 ff 01 00 00 6c 00 0b 00 04 03 00 01 02 00 0a |.....l..........| +00000040 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 |...............#| +00000050 00 00 00 10 00 10 00 0e 06 70 72 6f 74 6f 32 06 |.........proto2.| +00000060 70 72 6f 74 6f 31 00 16 00 00 00 17 00 00 00 0d |proto1..........| +00000070 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 |.0..............| +00000080 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 |................| +00000090 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 |................| +000000a0 06 02 |..| +>>> Flow 2 (server to client) +00000000 16 03 03 00 4c 02 00 00 48 03 03 00 00 00 00 00 |....L...H.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 cc a8 00 00 |...DOWNGRD......| +00000030 20 00 23 00 00 ff 01 00 01 00 00 17 00 00 00 10 | .#.............| +00000040 00 09 00 07 06 70 72 6f 74 6f 31 00 0b 00 02 01 |.....proto1.....| +00000050 00 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 4f |.....Y...U..R..O| +00000060 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 00 |0..K0...........| +00000070 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 86 |...?.[..0...*.H.| +00000080 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 55 |.......0.1.0...U| +00000090 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 13 |....Go1.0...U...| +000000a0 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 31 |.Go Root0...1601| +000000b0 30 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 30 |01000000Z..25010| +000000c0 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 03 |1000000Z0.1.0...| +000000d0 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 03 |U....Go1.0...U..| +000000e0 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 f7 |..Go0..0...*.H..| +000000f0 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 |..........0.....| +00000100 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab 7e |..F}...'.H..(!.~| +00000110 c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d 92 |...]..RE.z6G....| +00000120 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd 2b |B[.....y.@.Om..+| +00000130 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a 0b |.....g....."8.J.| +00000140 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 9f |ts+.4......t{.X.| +00000150 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c 3b |la<..A..++$#w[.;| +00000160 bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 1d |.u]. T..c...$...| +00000170 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 52 |.P....C...ub...R| +00000180 d7 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 03 |.........0..0...| +00000190 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 03 |U...........0...| +000001a0 55 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 03 |U.%..0...+......| +000001b0 01 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 55 |...+.......0...U| +000001c0 1d 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d 0e |.......0.0...U..| +000001d0 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d b6 |........CC>I..m.| +000001e0 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 80 |...`0...U.#..0..| +000001f0 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab 6e |.H.IM.~.1......n| +00000200 7b 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 78 |{0...U....0...ex| +00000210 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 09 |ample.golang0...| +00000220 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 9d |*.H.............| +00000230 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed 83 |0.@+[P.a...SX...| +00000240 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 3d |(.X..8....1Z..f=| +00000250 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a 00 |C.-...... d8.$:.| +00000260 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 76 |...}.@ ._...a..v| +00000270 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed 73 |......\.....l..s| +00000280 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 4c |..Cw.......@.a.L| +00000290 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 bd |r+...F..M...>...| +000002a0 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 16 |B...=.`.\!.;....| +000002b0 03 03 00 ac 0c 00 00 a8 03 00 1d 20 2f e5 7d a3 |........... /.}.| +000002c0 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 |G.bC.(.._.).0...| +000002d0 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 08 04 00 80 |......._X.;t....| +000002e0 2a 3d 85 27 96 fe 41 e2 5a cc 39 dd 8a 8e 64 73 |*=.'..A.Z.9...ds| +000002f0 ef 98 04 5c ac d2 8f 5e 55 b8 37 da 10 68 33 b8 |...\...^U.7..h3.| +00000300 63 83 e1 c9 9a e6 3a e9 c9 20 cc 57 58 e2 ba bc |c.....:.. .WX...| +00000310 e3 ac ab aa 08 e2 1e 6f 66 90 d7 66 c5 73 60 0d |.......of..f.s`.| +00000320 19 4f eb 99 9d d1 b1 91 36 80 b9 20 aa f5 d9 c8 |.O......6.. ....| +00000330 44 a7 99 c9 a6 4d 2c ff ca 4d 84 f2 a5 bf 02 c5 |D....M,..M......| +00000340 61 77 7e 4a e6 7c dd bf 48 fc a6 53 fb c4 d3 dd |aw~J.|..H..S....| +00000350 e6 20 b9 74 90 82 4a 3a 73 0a 81 74 07 a3 23 fe |. .t..J:s..t..#.| +00000360 16 03 03 00 04 0e 00 00 00 |.........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 d1 bb f1 17 6c 41 |....%...! ....lA| +00000010 8f 14 84 d2 98 99 30 0c 8a 00 4c 39 37 15 f5 be |......0...L97...| +00000020 81 8d 08 e0 11 c1 f7 65 43 0b 14 03 03 00 01 01 |.......eC.......| +00000030 16 03 03 00 20 ab 15 bb 47 30 42 c9 7d 45 f8 5d |.... ...G0B.}E.]| +00000040 21 79 3b 4d 5e a9 99 f5 7d f3 4e 7e ba b9 9b 30 |!y;M^...}.N~...0| +00000050 b6 14 4d ba f9 |..M..| +>>> Flow 4 (server to client) +00000000 16 03 03 00 83 04 00 00 7f 00 00 00 00 00 79 00 |..............y.| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 |................| +00000020 6f 2d 7c 2b 51 ed 14 ef 68 ca 42 c5 4c f3 5c b9 |o-|+Q...h.B.L.\.| +00000030 84 7d 30 9e 2f 9d 4d 0e 59 b4 28 fd 17 10 cd 1e |.}0./.M.Y.(.....| +00000040 1c d3 2c 5e d9 dc db 26 d0 b9 00 4b 0a 13 54 90 |..,^...&...K..T.| +00000050 f2 7b 68 75 6b 00 34 66 9e 43 29 06 16 49 38 16 |.{huk.4f.C)..I8.| +00000060 7e 51 5c e5 15 c0 58 7d 52 0b 16 21 d8 2c e8 c8 |~Q\...X}R..!.,..| +00000070 8e 3a f6 aa fa 21 45 4a 17 02 67 7d 93 1c 95 88 |.:...!EJ..g}....| +00000080 36 a5 19 53 74 74 81 e1 14 03 03 00 01 01 16 03 |6..Stt..........| +00000090 03 00 20 3d 66 04 37 0c 40 cc 20 2c 1c 16 ba 05 |.. =f.7.@. ,....| +000000a0 d6 7b 40 04 27 40 6f cc d7 af 68 fb 32 49 6c 4f |.{@.'@o...h.2IlO| +000000b0 f3 01 bf 17 03 03 00 1d 99 10 78 bc fa 7e 8a 86 |..........x..~..| +000000c0 4c b8 e4 7c e2 79 70 eb ad 33 44 e1 ab 7a c9 ae |L..|.yp..3D..z..| +000000d0 47 fe 39 50 d1 15 03 03 00 12 9e 9a be b0 55 c3 |G.9P..........U.| +000000e0 3a 5f 5c e0 4b 8f 4f 81 52 d3 89 09 |:_\.K.O.R...| diff --git a/pkg/tls/testdata/Server-TLSv12-ALPN-Fallback b/pkg/tls/testdata/Server-TLSv12-ALPN-Fallback new file mode 100644 index 000000000..070201253 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-ALPN-Fallback @@ -0,0 +1,90 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 a6 01 00 00 a2 03 03 ea e2 1b 90 0e |................| +00000010 91 d5 9f b2 c6 ee 72 37 19 f5 14 cd ca a9 ca 03 |......r7........| +00000020 98 c4 2e d4 85 05 4a a5 02 e1 4b 00 00 04 cc a8 |......J...K.....| +00000030 00 ff 01 00 00 75 00 0b 00 04 03 00 01 02 00 0a |.....u..........| +00000040 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 |...............#| +00000050 00 00 00 10 00 19 00 17 06 70 72 6f 74 6f 33 08 |.........proto3.| +00000060 68 74 74 70 2f 31 2e 31 06 70 72 6f 74 6f 34 00 |http/1.1.proto4.| +00000070 16 00 00 00 17 00 00 00 0d 00 30 00 2e 04 03 05 |..........0.....| +00000080 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 |................| +00000090 05 08 06 04 01 05 01 06 01 03 03 02 03 03 01 02 |................| +000000a0 01 03 02 02 02 04 02 05 02 06 02 |...........| +>>> Flow 2 (server to client) +00000000 16 03 03 00 3f 02 00 00 3b 03 03 00 00 00 00 00 |....?...;.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 cc a8 00 00 |...DOWNGRD......| +00000030 13 00 23 00 00 ff 01 00 01 00 00 17 00 00 00 0b |..#.............| +00000040 00 02 01 00 16 03 03 02 59 0b 00 02 55 00 02 52 |........Y...U..R| +00000050 00 02 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 |..O0..K0........| +00000060 02 09 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a |......?.[..0...*| +00000070 86 48 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 |.H........0.1.0.| +00000080 06 03 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 |..U....Go1.0...U| +00000090 04 03 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 |....Go Root0...1| +000000a0 36 30 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 |60101000000Z..25| +000000b0 30 31 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 |0101000000Z0.1.0| +000000c0 09 06 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 |...U....Go1.0...| +000000d0 55 04 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 |U....Go0..0...*.| +000000e0 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 |H............0..| +000000f0 02 81 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 |.....F}...'.H..(| +00000100 21 ab 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 |!.~...]..RE.z6G.| +00000110 08 0d 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d |...B[.....y.@.Om| +00000120 14 fd 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 |..+.....g....."8| +00000130 b7 4a 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b |.J.ts+.4......t{| +00000140 f3 58 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 |.X.la<..A..++$#w| +00000150 5b 1c 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 |[.;.u]. T..c...$| +00000160 c4 f3 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 |....P....C...ub.| +00000170 14 c8 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 |..R.........0..0| +00000180 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 |...U...........0| +00000190 1d 06 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 |...U.%..0...+...| +000001a0 05 07 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c |......+.......0.| +000001b0 06 03 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 |..U.......0.0...| +000001c0 55 1d 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 |U..........CC>I.| +000001d0 de 6d b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 |.m....`0...U.#..| +000001e0 30 12 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 |0...H.IM.~.1....| +000001f0 ac ab 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 |..n{0...U....0..| +00000200 0e 65 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 |.example.golang0| +00000210 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 |...*.H..........| +00000220 81 00 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 |...0.@+[P.a...SX| +00000230 e1 ed 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a |...(.X..8....1Z.| +00000240 84 66 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 |.f=C.-...... d8.| +00000250 24 3a 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 |$:....}.@ ._...a| +00000260 09 a2 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c |..v......\.....l| +00000270 04 ed 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 |..s..Cw.......@.| +00000280 61 c9 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e |a.Lr+...F..M...>| +00000290 c0 d1 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 |...B...=.`.\!.;.| +000002a0 fa e7 16 03 03 00 ac 0c 00 00 a8 03 00 1d 20 2f |.............. /| +000002b0 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +000002c0 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 08 |.........._X.;t.| +000002d0 04 00 80 85 e9 a6 5c 79 bc db ed 97 fb 30 ca fd |......\y.....0..| +000002e0 32 13 19 3f da 6f fd c1 11 74 fe e9 6f 60 ec 7e |2..?.o...t..o`.~| +000002f0 48 7e 17 33 9b 8d 2a c2 82 e0 18 38 f3 0f 20 27 |H~.3..*....8.. '| +00000300 81 0f c9 47 bf 5f 2b 2f 65 1c 6b e3 b7 72 85 46 |...G._+/e.k..r.F| +00000310 5c 15 dc fd e6 be cf 50 51 62 f5 d9 17 e2 e8 bf |\......PQb......| +00000320 08 7f 37 71 91 88 83 7f e3 90 66 66 c4 d8 60 25 |..7q......ff..`%| +00000330 53 f7 9f 44 20 89 48 ff c2 3b 6d 21 e5 8c dc e5 |S..D .H..;m!....| +00000340 42 ea d8 14 93 96 2f 53 24 66 e7 bb e7 2c 1f 92 |B...../S$f...,..| +00000350 90 80 23 16 03 03 00 04 0e 00 00 00 |..#.........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 e8 d1 46 5e 70 b5 |....%...! ..F^p.| +00000010 34 1c 6f cd be f0 86 24 2a d6 55 ae 97 de 52 0c |4.o....$*.U...R.| +00000020 67 10 a0 02 ed ae f8 47 aa 52 14 03 03 00 01 01 |g......G.R......| +00000030 16 03 03 00 20 52 cf 5d 07 bb bc e8 86 d4 f4 3e |.... R.].......>| +00000040 49 51 a7 1d f5 df 10 c4 5a 77 37 ba 68 3d 4e c5 |IQ......Zw7.h=N.| +00000050 11 ac 67 b7 e2 |..g..| +>>> Flow 4 (server to client) +00000000 16 03 03 00 83 04 00 00 7f 00 00 00 00 00 79 00 |..............y.| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 |................| +00000020 6f 2d 7c 2b 51 ed 14 ef 68 ca 42 c5 4c 26 1d 23 |o-|+Q...h.B.L&.#| +00000030 c4 90 54 85 8b 21 f5 0d e8 48 f2 5f 4e 6b f1 25 |..T..!...H._Nk.%| +00000040 e8 46 8a e5 3c 09 57 df dd 37 a7 57 c5 a5 28 5a |.F..<.W..7.W..(Z| +00000050 21 83 2a 98 4b a5 44 aa 5b cc 30 e9 62 49 38 16 |!.*.K.D.[.0.bI8.| +00000060 7e 51 5c e5 15 c0 58 7d a4 aa c5 93 39 bb e2 b6 |~Q\...X}....9...| +00000070 4f c4 3e 1e 03 dc 46 b1 f3 0d d2 61 6c 1e c5 e1 |O.>...F....al...| +00000080 8f 18 2a 3c 85 83 c4 33 14 03 03 00 01 01 16 03 |..*<...3........| +00000090 03 00 20 63 76 4f b3 77 4d 63 6c eb 73 f3 b2 ec |.. cvO.wMcl.s...| +000000a0 b8 49 3e c5 81 d5 53 0c 96 77 2f 3f 52 d0 e1 5b |.I>...S..w/?R..[| +000000b0 62 fa 0b 17 03 03 00 1d 2f 60 09 31 db e9 c5 23 |b......./`.1...#| +000000c0 98 5c 46 23 a6 58 80 66 7d 50 84 f1 42 b8 65 65 |.\F#.X.f}P..B.ee| +000000d0 77 2d d2 e4 be 15 03 03 00 12 b7 e8 e1 13 04 68 |w-.............h| +000000e0 d5 21 c8 98 db 1b 1c 6e 4f b5 0b 9c |.!.....nO...| diff --git a/pkg/tls/testdata/Server-TLSv12-ALPN-NoMatch b/pkg/tls/testdata/Server-TLSv12-ALPN-NoMatch new file mode 100644 index 000000000..2d8a2eb8e --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-ALPN-NoMatch @@ -0,0 +1,14 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 9d 01 00 00 99 03 03 24 15 a8 f2 f5 |...........$....| +00000010 53 02 78 f0 4c f7 82 3c 68 7d a0 b1 9a 0f 29 32 |S.x.L..>> Flow 2 (server to client) +00000000 15 03 03 00 02 02 78 |......x| diff --git a/pkg/tls/testdata/Server-TLSv12-ALPN-NotConfigured b/pkg/tls/testdata/Server-TLSv12-ALPN-NotConfigured new file mode 100644 index 000000000..79f0748af --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-ALPN-NotConfigured @@ -0,0 +1,90 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 9d 01 00 00 99 03 03 19 26 ad 3f c0 |............&.?.| +00000010 d6 a0 cc ac 9b 2a 91 d3 1a d5 96 78 5f 7c 3f e0 |.....*.....x_|?.| +00000020 23 08 75 a1 ca cb aa da d7 c8 0b 00 00 04 cc a8 |#.u.............| +00000030 00 ff 01 00 00 6c 00 0b 00 04 03 00 01 02 00 0a |.....l..........| +00000040 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 |...............#| +00000050 00 00 00 10 00 10 00 0e 06 70 72 6f 74 6f 32 06 |.........proto2.| +00000060 70 72 6f 74 6f 31 00 16 00 00 00 17 00 00 00 0d |proto1..........| +00000070 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 |.0..............| +00000080 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 |................| +00000090 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 |................| +000000a0 06 02 |..| +>>> Flow 2 (server to client) +00000000 16 03 03 00 3f 02 00 00 3b 03 03 00 00 00 00 00 |....?...;.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 cc a8 00 00 |...DOWNGRD......| +00000030 13 00 23 00 00 ff 01 00 01 00 00 17 00 00 00 0b |..#.............| +00000040 00 02 01 00 16 03 03 02 59 0b 00 02 55 00 02 52 |........Y...U..R| +00000050 00 02 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 |..O0..K0........| +00000060 02 09 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a |......?.[..0...*| +00000070 86 48 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 |.H........0.1.0.| +00000080 06 03 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 |..U....Go1.0...U| +00000090 04 03 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 |....Go Root0...1| +000000a0 36 30 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 |60101000000Z..25| +000000b0 30 31 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 |0101000000Z0.1.0| +000000c0 09 06 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 |...U....Go1.0...| +000000d0 55 04 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 |U....Go0..0...*.| +000000e0 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 |H............0..| +000000f0 02 81 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 |.....F}...'.H..(| +00000100 21 ab 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 |!.~...]..RE.z6G.| +00000110 08 0d 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d |...B[.....y.@.Om| +00000120 14 fd 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 |..+.....g....."8| +00000130 b7 4a 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b |.J.ts+.4......t{| +00000140 f3 58 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 |.X.la<..A..++$#w| +00000150 5b 1c 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 |[.;.u]. T..c...$| +00000160 c4 f3 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 |....P....C...ub.| +00000170 14 c8 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 |..R.........0..0| +00000180 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 |...U...........0| +00000190 1d 06 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 |...U.%..0...+...| +000001a0 05 07 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c |......+.......0.| +000001b0 06 03 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 |..U.......0.0...| +000001c0 55 1d 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 |U..........CC>I.| +000001d0 de 6d b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 |.m....`0...U.#..| +000001e0 30 12 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 |0...H.IM.~.1....| +000001f0 ac ab 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 |..n{0...U....0..| +00000200 0e 65 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 |.example.golang0| +00000210 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 |...*.H..........| +00000220 81 00 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 |...0.@+[P.a...SX| +00000230 e1 ed 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a |...(.X..8....1Z.| +00000240 84 66 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 |.f=C.-...... d8.| +00000250 24 3a 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 |$:....}.@ ._...a| +00000260 09 a2 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c |..v......\.....l| +00000270 04 ed 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 |..s..Cw.......@.| +00000280 61 c9 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e |a.Lr+...F..M...>| +00000290 c0 d1 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 |...B...=.`.\!.;.| +000002a0 fa e7 16 03 03 00 ac 0c 00 00 a8 03 00 1d 20 2f |.............. /| +000002b0 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +000002c0 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 08 |.........._X.;t.| +000002d0 04 00 80 4f 9e 64 41 a6 8a 41 ab 9c c8 09 3e 94 |...O.dA..A....>.| +000002e0 ee d2 9b ad 1b 3e a9 3c 7b 43 96 95 eb 4d b5 04 |.....>.<{C...M..| +000002f0 1a 5f 0c b2 b3 a6 2c a4 e6 78 a8 b8 d5 6c 7f d0 |._....,..x...l..| +00000300 16 e8 56 31 e0 4a 69 d3 6b 27 18 a3 4e f5 d1 6a |..V1.Ji.k'..N..j| +00000310 36 15 b5 fc 4d 15 50 90 a0 30 b9 49 3d ac 8c 84 |6...M.P..0.I=...| +00000320 d2 15 31 70 df e5 a6 97 d0 64 f7 1d 8a a1 87 4d |..1p.....d.....M| +00000330 3c ee da 69 20 e4 31 67 ca f2 c0 09 ee 13 7c 78 |<..i .1g......|x| +00000340 d6 c2 c0 39 e0 b8 00 52 a9 bf d0 99 e0 b0 66 70 |...9...R......fp| +00000350 46 ae 62 16 03 03 00 04 0e 00 00 00 |F.b.........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 b0 1a 5b c3 55 5f |....%...! ..[.U_| +00000010 0b b8 f3 69 ba 4f 49 93 05 0f b1 f1 d7 6b 6c 0c |...i.OI......kl.| +00000020 98 d0 22 78 0c ad 15 6b 24 5b 14 03 03 00 01 01 |.."x...k$[......| +00000030 16 03 03 00 20 9d aa 3f 17 b3 16 88 d5 44 3d 03 |.... ..?.....D=.| +00000040 3c 3c 8d 92 f1 2f e4 38 cc 42 20 2f ef 6a 29 c6 |<<.../.8.B /.j).| +00000050 5c ca 44 81 f6 |\.D..| +>>> Flow 4 (server to client) +00000000 16 03 03 00 83 04 00 00 7f 00 00 00 00 00 79 00 |..............y.| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 |................| +00000020 6f 2d 7c 2b 51 ed 14 ef 68 ca 42 c5 4c 9a f3 2b |o-|+Q...h.B.L..+| +00000030 7a 66 76 26 4f 73 12 14 ef a1 f4 8c c2 08 03 42 |zfv&Os.........B| +00000040 4d d5 f9 d7 ab 31 78 51 f3 f4 94 49 5f 9d bf 23 |M....1xQ...I_..#| +00000050 b2 11 7b ac 42 df 71 1a 37 db 64 99 a0 49 38 16 |..{.B.q.7.d..I8.| +00000060 7e 51 5c e5 15 c0 58 7d 2d 89 ac 0d 05 31 27 ae |~Q\...X}-....1'.| +00000070 85 ff 27 56 24 4c 26 b3 bc 6c f6 20 80 dd bd ba |..'V$L&..l. ....| +00000080 a3 34 c2 32 a8 58 1b b9 14 03 03 00 01 01 16 03 |.4.2.X..........| +00000090 03 00 20 74 e1 8a e6 a6 02 0d f7 e1 28 3a f4 c4 |.. t........(:..| +000000a0 a6 8c 32 81 84 85 ec 58 6a 10 8a 6d c4 cc 10 3a |..2....Xj..m...:| +000000b0 32 3e df 17 03 03 00 1d fd a8 94 23 3e 5d 96 b1 |2>.........#>]..| +000000c0 68 a6 24 55 bf 29 08 93 c7 7b 9b 05 fc 0b 97 ff |h.$U.)...{......| +000000d0 7c 93 b0 34 82 15 03 03 00 12 43 9f 44 e4 63 e7 ||..4......C.D.c.| +000000e0 3c 30 a5 da 9f 58 ac 01 e4 e2 a7 30 |<0...X.....0| diff --git a/pkg/tls/testdata/Server-TLSv12-ClientAuthRequestedAndECDSAGiven b/pkg/tls/testdata/Server-TLSv12-ClientAuthRequestedAndECDSAGiven new file mode 100644 index 000000000..41ed6c4e1 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-ClientAuthRequestedAndECDSAGiven @@ -0,0 +1,126 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 6d 01 00 00 69 03 03 5e 92 9d 30 27 |....m...i..^..0'| +00000010 23 da fa a0 07 30 03 c8 bd 60 f2 db e9 5e b3 fc |#....0...`...^..| +00000020 65 d3 c5 e1 49 35 63 86 53 ec 87 00 00 04 00 2f |e...I5c.S....../| +00000030 00 ff 01 00 00 3c 00 16 00 00 00 17 00 00 00 0d |.....<..........| +00000040 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 |.0..............| +00000050 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 |................| +00000060 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 |................| +00000070 06 02 |..| +>>> Flow 2 (server to client) +00000000 16 03 03 00 35 02 00 00 31 03 03 00 00 00 00 00 |....5...1.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 00 2f 00 00 |...DOWNGRD.../..| +00000030 09 ff 01 00 01 00 00 17 00 00 16 03 03 02 59 0b |..............Y.| +00000040 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000050 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000060 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000070 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +00000080 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +00000090 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000a0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000b0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000c0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000d0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +000000e0 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +000000f0 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000100 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000110 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000120 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000130 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000140 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000150 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000160 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000170 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +00000180 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +00000190 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001a0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001b0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001c0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001d0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +000001e0 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +000001f0 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000200 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000210 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000220 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000230 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000240 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000250 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000260 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000270 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +00000280 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +00000290 84 5c 21 d3 3b e9 fa e7 16 03 03 00 23 0d 00 00 |.\!.;.......#...| +000002a0 1f 02 01 40 00 18 08 04 04 03 08 07 08 05 08 06 |...@............| +000002b0 04 01 05 01 06 01 05 03 06 03 02 01 02 03 00 00 |................| +000002c0 16 03 03 00 04 0e 00 00 00 |.........| +>>> Flow 3 (client to server) +00000000 16 03 03 02 0a 0b 00 02 06 00 02 03 00 02 00 30 |...............0| +00000010 82 01 fc 30 82 01 5e 02 09 00 9a 30 84 6c 26 35 |...0..^....0.l&5| +00000020 d9 17 30 09 06 07 2a 86 48 ce 3d 04 01 30 45 31 |..0...*.H.=..0E1| +00000030 0b 30 09 06 03 55 04 06 13 02 41 55 31 13 30 11 |.0...U....AU1.0.| +00000040 06 03 55 04 08 13 0a 53 6f 6d 65 2d 53 74 61 74 |..U....Some-Stat| +00000050 65 31 21 30 1f 06 03 55 04 0a 13 18 49 6e 74 65 |e1!0...U....Inte| +00000060 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 74 79 |rnet Widgits Pty| +00000070 20 4c 74 64 30 1e 17 0d 31 32 31 31 31 34 31 33 | Ltd0...12111413| +00000080 32 35 35 33 5a 17 0d 32 32 31 31 31 32 31 33 32 |2553Z..221112132| +00000090 35 35 33 5a 30 41 31 0b 30 09 06 03 55 04 06 13 |553Z0A1.0...U...| +000000a0 02 41 55 31 0c 30 0a 06 03 55 04 08 13 03 4e 53 |.AU1.0...U....NS| +000000b0 57 31 10 30 0e 06 03 55 04 07 13 07 50 79 72 6d |W1.0...U....Pyrm| +000000c0 6f 6e 74 31 12 30 10 06 03 55 04 03 13 09 4a 6f |ont1.0...U....Jo| +000000d0 65 6c 20 53 69 6e 67 30 81 9b 30 10 06 07 2a 86 |el Sing0..0...*.| +000000e0 48 ce 3d 02 01 06 05 2b 81 04 00 23 03 81 86 00 |H.=....+...#....| +000000f0 04 00 95 8c 91 75 14 c0 5e c4 57 b4 d4 c3 6f 8d |.....u..^.W...o.| +00000100 ae 68 1e dd 6f ce 86 e1 7e 6e b2 48 3e 81 e5 4e |.h..o...~n.H>..N| +00000110 e2 c6 88 4b 64 dc f5 30 bb d3 ff 65 cc 5b f4 dd |...Kd..0...e.[..| +00000120 b5 6a 3e 3e d0 1d de 47 c3 76 ad 19 f6 45 2c 8c |.j>>...G.v...E,.| +00000130 bc d8 1d 01 4c 1f 70 90 46 76 48 8b 8f 83 cc 4a |....L.p.FvH....J| +00000140 5c 8f 40 76 da e0 89 ec 1d 2b c4 4e 30 76 28 41 |\.@v.....+.N0v(A| +00000150 b2 62 a8 fb 5b f1 f9 4e 7a 8d bd 09 b8 ae ea 8b |.b..[..Nz.......| +00000160 18 27 4f 2e 70 fe 13 96 ba c3 d3 40 16 cd 65 4e |.'O.p......@..eN| +00000170 ac 11 1e e6 f1 30 09 06 07 2a 86 48 ce 3d 04 01 |.....0...*.H.=..| +00000180 03 81 8c 00 30 81 88 02 42 00 e0 14 c4 60 60 0b |....0...B....``.| +00000190 72 68 b0 32 5d 61 4a 02 74 5c c2 81 b9 16 a8 3f |rh.2]aJ.t\.....?| +000001a0 29 c8 36 c7 81 ff 6c b6 5b d9 70 f1 38 3b 50 48 |).6...l.[.p.8;PH| +000001b0 28 94 cb 09 1a 52 f1 5d ee 8d f2 b9 f0 f0 da d9 |(....R.]........| +000001c0 15 3a f9 bd 03 7a 87 a2 23 35 ec 02 42 01 a3 d4 |.:...z..#5..B...| +000001d0 8a 78 35 1c 4a 9a 23 d2 0a be 2b 10 31 9d 9c 5f |.x5.J.#...+.1.._| +000001e0 be e8 91 b3 da 1a f5 5d a3 23 f5 26 8b 45 70 8d |.......].#.&.Ep.| +000001f0 65 62 9b 7e 01 99 3d 18 f6 10 9a 38 61 9b 2e 57 |eb.~..=....8a..W| +00000200 e4 fa cc b1 8a ce e2 23 a0 87 f0 e1 67 51 eb 16 |.......#....gQ..| +00000210 03 03 00 86 10 00 00 82 00 80 02 50 e4 cc a3 ad |...........P....| +00000220 fb 33 24 a1 b3 0a 7c 0f 00 e6 1a 06 2b 9f 1e 1f |.3$...|.....+...| +00000230 cc b8 b2 80 90 e7 86 20 32 40 06 ac 1b b0 41 b7 |....... 2@....A.| +00000240 0d 9c 4c 41 90 01 0b 7a 7e b2 b2 46 39 dc 51 25 |..LA...z~..F9.Q%| +00000250 98 e0 b9 ec 36 fc 08 64 f0 51 2a 41 e1 e5 61 3d |....6..d.Q*A..a=| +00000260 fc 07 c1 9b 1f 6f 48 d4 1f 46 bf 14 e6 92 61 1a |.....oH..F....a.| +00000270 bd 5f 25 1f 5e b1 3c ac c7 58 63 02 0d 3a e0 d6 |._%.^.<..Xc..:..| +00000280 e9 39 fc ec 59 66 2e 91 b2 65 37 eb a8 b5 60 d9 |.9..Yf...e7...`.| +00000290 49 05 9f 6f cc 71 79 bb f7 68 16 03 03 00 93 0f |I..o.qy..h......| +000002a0 00 00 8f 04 03 00 8b 30 81 88 02 42 00 bd 6a 29 |.......0...B..j)| +000002b0 21 06 1a e2 67 a1 7f 10 ab ca 3f 74 5a bc 2f 5d |!...g.....?tZ./]| +000002c0 53 d0 59 90 f2 d0 b4 2d 75 47 67 0b 67 55 b6 4f |S.Y....-uGg.gU.O| +000002d0 75 7d 32 d8 a7 25 c8 4c 90 0b 56 65 be 60 5d ee |u}2..%.L..Ve.`].| +000002e0 f7 b3 80 79 26 e5 25 1d 17 cc d8 36 fc 39 02 42 |...y&.%....6.9.B| +000002f0 01 c3 32 d6 f2 59 9e 10 c8 bf 7f 74 27 a1 00 df |..2..Y.....t'...| +00000300 55 05 f0 b3 81 a1 6e 10 a6 fb 0b e4 1c 3f 62 02 |U.....n......?b.| +00000310 c9 cc c2 4b 97 ad 0c 88 98 07 6c 98 6d db 9d 9f |...K......l.m...| +00000320 68 a0 56 ab 5f f9 a2 21 33 86 64 53 de 37 ff 68 |h.V._..!3.dS.7.h| +00000330 04 9d 14 03 03 00 01 01 16 03 03 00 40 85 14 34 |............@..4| +00000340 d6 74 a9 d0 0b e9 1f 34 a9 e9 6c cf 5a ac 88 22 |.t.....4..l.Z.."| +00000350 51 4d ae 16 05 dd 9e c1 36 5e e3 cf b1 5a b5 48 |QM......6^...Z.H| +00000360 6c 24 b1 d6 fb 7f 03 6a 98 41 90 de 6d c7 b2 49 |l$.....j.A..m..I| +00000370 d9 a3 c7 45 ff 18 7c f7 a4 cf 05 59 87 |...E..|....Y.| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 40 00 00 00 00 00 |..........@.....| +00000010 00 00 00 00 00 00 00 00 00 00 00 63 1a 77 66 2a |...........c.wf*| +00000020 49 3a b2 17 83 74 e1 d9 70 96 de 01 84 09 f4 88 |I:...t..p.......| +00000030 c3 e7 3b 65 11 6f 13 32 b8 b4 f4 41 ca 6a d6 d7 |..;e.o.2...A.j..| +00000040 51 a3 a1 f0 2d 5b b4 55 29 f9 d3 17 03 03 00 40 |Q...-[.U)......@| +00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000060 d7 30 0f 03 89 22 4c 19 5f 06 a7 4b 95 59 91 52 |.0..."L._..K.Y.R| +00000070 2a 65 ab 99 cb 71 99 8b 13 82 44 92 6b ff 59 07 |*e...q....D.k.Y.| +00000080 28 ca 01 68 ab ad ba ee 6c 6a 19 0b e5 6d 82 24 |(..h....lj...m.$| +00000090 15 03 03 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........| +000000a0 00 00 00 00 00 fc 07 f4 d4 bb 24 a3 f1 cf dc 3c |..........$....<| +000000b0 ac 14 63 50 32 34 fd 73 c0 eb f2 78 7b 3b ea 58 |..cP24.s...x{;.X| +000000c0 cc 3e ff 7f e5 |.>...| diff --git a/pkg/tls/testdata/Server-TLSv12-ClientAuthRequestedAndEd25519Given b/pkg/tls/testdata/Server-TLSv12-ClientAuthRequestedAndEd25519Given new file mode 100644 index 000000000..f8cc96058 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-ClientAuthRequestedAndEd25519Given @@ -0,0 +1,109 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 6d 01 00 00 69 03 03 8a fe ad ad 75 |....m...i......u| +00000010 e4 8c bf bf b7 b6 66 14 92 eb 84 85 9c c8 a7 66 |......f........f| +00000020 04 2a d0 63 5e a6 bf 85 e9 4f 49 00 00 04 00 2f |.*.c^....OI..../| +00000030 00 ff 01 00 00 3c 00 16 00 00 00 17 00 00 00 0d |.....<..........| +00000040 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 |.0..............| +00000050 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 |................| +00000060 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 |................| +00000070 06 02 |..| +>>> Flow 2 (server to client) +00000000 16 03 03 00 35 02 00 00 31 03 03 00 00 00 00 00 |....5...1.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 00 2f 00 00 |...DOWNGRD.../..| +00000030 09 ff 01 00 01 00 00 17 00 00 16 03 03 02 59 0b |..............Y.| +00000040 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000050 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000060 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000070 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +00000080 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +00000090 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000a0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000b0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000c0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000d0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +000000e0 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +000000f0 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000100 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000110 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000120 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000130 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000140 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000150 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000160 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000170 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +00000180 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +00000190 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001a0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001b0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001c0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001d0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +000001e0 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +000001f0 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000200 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000210 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000220 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000230 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000240 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000250 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000260 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000270 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +00000280 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +00000290 84 5c 21 d3 3b e9 fa e7 16 03 03 00 23 0d 00 00 |.\!.;.......#...| +000002a0 1f 02 01 40 00 18 08 04 04 03 08 07 08 05 08 06 |...@............| +000002b0 04 01 05 01 06 01 05 03 06 03 02 01 02 03 00 00 |................| +000002c0 16 03 03 00 04 0e 00 00 00 |.........| +>>> Flow 3 (client to server) +00000000 16 03 03 01 3c 0b 00 01 38 00 01 35 00 01 32 30 |....<...8..5..20| +00000010 82 01 2e 30 81 e1 a0 03 02 01 02 02 10 17 d1 81 |...0............| +00000020 93 be 2a 8c 21 20 10 25 15 e8 34 23 4f 30 05 06 |..*.! .%..4#O0..| +00000030 03 2b 65 70 30 12 31 10 30 0e 06 03 55 04 0a 13 |.+ep0.1.0...U...| +00000040 07 41 63 6d 65 20 43 6f 30 1e 17 0d 31 39 30 35 |.Acme Co0...1905| +00000050 31 36 32 31 35 34 32 36 5a 17 0d 32 30 30 35 31 |16215426Z..20051| +00000060 35 32 31 35 34 32 36 5a 30 12 31 10 30 0e 06 03 |5215426Z0.1.0...| +00000070 55 04 0a 13 07 41 63 6d 65 20 43 6f 30 2a 30 05 |U....Acme Co0*0.| +00000080 06 03 2b 65 70 03 21 00 0b e0 b5 60 b5 e2 79 30 |..+ep.!....`..y0| +00000090 3d be e3 1e e0 50 b1 04 c8 6d c7 78 6c 69 2f c5 |=....P...m.xli/.| +000000a0 14 ad 9a 63 6f 79 12 91 a3 4d 30 4b 30 0e 06 03 |...coy...M0K0...| +000000b0 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 13 06 03 |U...........0...| +000000c0 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 |U.%..0...+......| +000000d0 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 |.0...U.......0.0| +000000e0 16 06 03 55 1d 11 04 0f 30 0d 82 0b 65 78 61 6d |...U....0...exam| +000000f0 70 6c 65 2e 63 6f 6d 30 05 06 03 2b 65 70 03 41 |ple.com0...+ep.A| +00000100 00 fc 19 17 2a 94 a5 31 fa 29 c8 2e 7f 5b a0 5d |....*..1.)...[.]| +00000110 8a 4e 34 40 39 d6 b3 10 dc 19 fe a0 22 71 b3 f5 |.N4@9......."q..| +00000120 8f a1 58 0d cd f4 f1 85 24 bf e6 3d 14 df df ed |..X.....$..=....| +00000130 0e e1 17 d8 11 a2 60 d0 8a 37 23 2a c2 46 aa 3a |......`..7#*.F.:| +00000140 08 16 03 03 00 86 10 00 00 82 00 80 77 8b 9f 34 |............w..4| +00000150 b4 db a7 0d 5b ed 1b 2f 4a 41 64 f5 ce 4a 00 7c |....[../JAd..J.|| +00000160 91 32 b3 cf 61 18 41 04 ae fa 3b 14 de 19 0e 64 |.2..a.A...;....d| +00000170 f9 ec 75 a6 48 7e 28 57 26 f5 1c 75 1d 42 73 fc |..u.H~(W&..u.Bs.| +00000180 11 51 2b ef e5 08 83 ac 17 ec 78 b8 5b 14 84 c9 |.Q+.......x.[...| +00000190 bc 7f 22 fd 54 69 7a 82 36 c7 21 bc d6 04 c4 e7 |..".Tiz.6.!.....| +000001a0 bc 48 c8 72 56 5d 1e 65 41 21 0a 26 85 a0 d8 c3 |.H.rV].eA!.&....| +000001b0 50 f0 b6 07 25 ee 79 b8 f5 e6 17 85 d4 09 e7 d7 |P...%.y.........| +000001c0 ab 8f 17 cb c2 13 a0 5a 50 cb e4 a7 16 03 03 00 |.......ZP.......| +000001d0 48 0f 00 00 44 08 07 00 40 b7 24 50 46 db d4 8c |H...D...@.$PF...| +000001e0 68 17 f5 5e 79 a9 80 8c 40 23 92 33 4e 1e cc ee |h..^y...@#.3N...| +000001f0 d5 35 4d b8 2a 52 f0 7f 50 8e c6 d5 5f bc 08 35 |.5M.*R..P..._..5| +00000200 a2 6d db cb 96 52 ec 92 c7 62 c7 59 ab d8 6f 9d |.m...R...b.Y..o.| +00000210 d7 46 35 71 28 41 89 59 02 14 03 03 00 01 01 16 |.F5q(A.Y........| +00000220 03 03 00 40 3e 12 44 bc c6 3d 88 71 ba d3 0c 26 |...@>.D..=.q...&| +00000230 20 72 b0 7f 25 83 9f fd 77 c1 f5 1e 47 28 2e 60 | r..%...w...G(.`| +00000240 53 e0 ac 52 e8 94 e4 87 90 3f af f3 a4 c0 d3 ba |S..R.....?......| +00000250 fe b7 06 54 f7 13 33 36 47 8f 5e 45 22 84 18 3a |...T..36G.^E"..:| +00000260 1f 14 21 85 |..!.| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 40 00 00 00 00 00 |..........@.....| +00000010 00 00 00 00 00 00 00 00 00 00 00 d4 e6 b8 6f 53 |..............oS| +00000020 6a d9 37 2b a4 95 9f 04 e5 99 2f f9 9a 16 fd a7 |j.7+....../.....| +00000030 2d 39 d9 aa 7c 26 9e 44 4b 7f 8f d5 c6 24 4d ac |-9..|&.DK....$M.| +00000040 13 ca 8a 45 1e 66 dc 9a bf 76 22 17 03 03 00 40 |...E.f...v"....@| +00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000060 3f 5c 60 f8 22 7b aa 82 38 c4 4a 2e 07 50 cb 6c |?\`."{..8.J..P.l| +00000070 3f 6f a9 39 bf 21 ce 7a 30 72 03 90 ec bc 9c 18 |?o.9.!.z0r......| +00000080 1f a9 7f 82 3a d9 46 d9 d8 b8 77 65 e8 b3 e7 f5 |....:.F...we....| +00000090 15 03 03 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........| +000000a0 00 00 00 00 00 6d 29 d4 87 0a b4 1d b4 9d f4 12 |.....m).........| +000000b0 bc 3d a3 1b 79 21 85 0d e7 10 64 92 40 39 05 99 |.=..y!....d.@9..| +000000c0 c8 a7 dd ef 0e |.....| diff --git a/pkg/tls/testdata/Server-TLSv12-ClientAuthRequestedAndGiven b/pkg/tls/testdata/Server-TLSv12-ClientAuthRequestedAndGiven new file mode 100644 index 000000000..cc6450a4c --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-ClientAuthRequestedAndGiven @@ -0,0 +1,125 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 6d 01 00 00 69 03 03 e9 31 0f d0 25 |....m...i...1..%| +00000010 ef 25 a7 1a 9b 8c 4b a3 ca 2b a6 54 89 1c e1 68 |.%....K..+.T...h| +00000020 6f b2 b2 60 6f 8a dc 87 24 8c 7b 00 00 04 00 2f |o..`o...$.{..../| +00000030 00 ff 01 00 00 3c 00 16 00 00 00 17 00 00 00 0d |.....<..........| +00000040 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 |.0..............| +00000050 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 |................| +00000060 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 |................| +00000070 06 02 |..| +>>> Flow 2 (server to client) +00000000 16 03 03 00 35 02 00 00 31 03 03 00 00 00 00 00 |....5...1.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 00 2f 00 00 |...DOWNGRD.../..| +00000030 09 ff 01 00 01 00 00 17 00 00 16 03 03 02 59 0b |..............Y.| +00000040 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000050 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000060 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000070 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +00000080 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +00000090 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000a0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000b0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000c0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000d0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +000000e0 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +000000f0 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000100 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000110 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000120 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000130 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000140 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000150 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000160 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000170 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +00000180 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +00000190 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001a0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001b0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001c0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001d0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +000001e0 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +000001f0 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000200 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000210 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000220 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000230 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000240 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000250 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000260 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000270 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +00000280 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +00000290 84 5c 21 d3 3b e9 fa e7 16 03 03 00 23 0d 00 00 |.\!.;.......#...| +000002a0 1f 02 01 40 00 18 08 04 04 03 08 07 08 05 08 06 |...@............| +000002b0 04 01 05 01 06 01 05 03 06 03 02 01 02 03 00 00 |................| +000002c0 16 03 03 00 04 0e 00 00 00 |.........| +>>> Flow 3 (client to server) +00000000 16 03 03 01 fd 0b 00 01 f9 00 01 f6 00 01 f3 30 |...............0| +00000010 82 01 ef 30 82 01 58 a0 03 02 01 02 02 10 5c 19 |...0..X.......\.| +00000020 c1 89 65 83 55 6f dc 0b c9 b9 93 9f e9 bc 30 0d |..e.Uo........0.| +00000030 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 12 31 |..*.H........0.1| +00000040 10 30 0e 06 03 55 04 0a 13 07 41 63 6d 65 20 43 |.0...U....Acme C| +00000050 6f 30 1e 17 0d 31 36 30 38 31 37 32 31 35 32 33 |o0...16081721523| +00000060 31 5a 17 0d 31 37 30 38 31 37 32 31 35 32 33 31 |1Z..170817215231| +00000070 5a 30 12 31 10 30 0e 06 03 55 04 0a 13 07 41 63 |Z0.1.0...U....Ac| +00000080 6d 65 20 43 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |me Co0..0...*.H.| +00000090 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +000000a0 81 00 ba 6f aa 86 bd cf bf 9f f2 ef 5c 94 60 78 |...o........\.`x| +000000b0 6f e8 13 f2 d1 96 6f cd d9 32 6e 22 37 ce 41 f9 |o.....o..2n"7.A.| +000000c0 ca 5d 29 ac e1 27 da 61 a2 ee 81 cb 10 c7 df 34 |.])..'.a.......4| +000000d0 58 95 86 e9 3d 19 e6 5c 27 73 60 c8 8d 78 02 f4 |X...=..\'s`..x..| +000000e0 1d a4 98 09 a3 19 70 69 3c 25 62 66 2a ab 22 23 |......pi<%bf*."#| +000000f0 c5 7b 85 38 4f 2e 09 73 32 a7 bd 3e 9b ad ca 84 |.{.8O..s2..>....| +00000100 07 e6 0f 3a ff 77 c5 9d 41 85 00 8a b6 9b ee b0 |...:.w..A.......| +00000110 a4 3f 2d 4c 4c e6 42 3e bb 51 c8 dd 48 54 f4 0c |.?-LL.B>.Q..HT..| +00000120 8e 47 02 03 01 00 01 a3 46 30 44 30 0e 06 03 55 |.G......F0D0...U| +00000130 1d 0f 01 01 ff 04 04 03 02 05 a0 30 13 06 03 55 |...........0...U| +00000140 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 01 |.%..0...+.......| +00000150 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 0f |0...U.......0.0.| +00000160 06 03 55 1d 11 04 08 30 06 87 04 7f 00 00 01 30 |..U....0.......0| +00000170 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 |...*.H..........| +00000180 81 00 46 ab 44 a2 fb 28 54 f8 5a 67 f8 62 94 f1 |..F.D..(T.Zg.b..| +00000190 9a b2 18 9e f2 b1 de 1d 7e 6f 76 95 a9 ba e7 5d |........~ov....]| +000001a0 a8 16 6c 9c f7 09 d3 37 e4 4b 2b 36 7c 01 ad 41 |..l....7.K+6|..A| +000001b0 d2 32 d8 c3 d2 93 f9 10 6b 8e 95 b9 2c 17 8a a3 |.2......k...,...| +000001c0 44 48 bc 59 13 83 16 04 88 a4 81 5c 25 0d 98 0c |DH.Y.......\%...| +000001d0 ac 11 b1 28 56 be 1d cd 61 62 84 09 bf d6 80 c6 |...(V...ab......| +000001e0 45 8d 82 2c b4 d8 83 9b db c9 22 b7 2a 12 11 7b |E..,......".*..{| +000001f0 fa 02 3b c1 c9 ff ea c9 9d a8 49 d3 95 d7 d5 0e |..;.......I.....| +00000200 e5 35 16 03 03 00 86 10 00 00 82 00 80 29 51 da |.5...........)Q.| +00000210 8e 5c 3e fb 44 8a 0f 97 42 23 8b e2 73 cc e2 90 |.\>.D...B#..s...| +00000220 11 c4 98 01 e9 60 96 9e a9 96 30 c5 95 f8 56 0e |.....`....0...V.| +00000230 4a 2e 77 e7 7e 23 b7 49 31 c4 87 c5 69 c6 ca 6f |J.w.~#.I1...i..o| +00000240 ea 53 41 b4 2e 1e f6 0b 33 f5 e1 40 69 c0 91 6f |.SA.....3..@i..o| +00000250 88 c1 68 c8 18 99 6e fe b3 5f 9b ee f1 4a 76 41 |..h...n.._...JvA| +00000260 1f d1 05 f5 39 76 61 e6 a6 ea 75 0e 50 32 a1 19 |....9va...u.P2..| +00000270 20 6a 4c 5d 62 6e 2a 6e af f9 9c 38 b6 3a bc 86 | jL]bn*n...8.:..| +00000280 eb ac 6d d3 b5 48 30 11 4d 98 2e 61 34 16 03 03 |..m..H0.M..a4...| +00000290 00 88 0f 00 00 84 08 04 00 80 82 ed 3f da b5 50 |............?..P| +000002a0 d2 50 51 14 cf ee f7 b9 7b a9 0c 77 2f 88 42 0a |.PQ.....{..w/.B.| +000002b0 34 a9 5d e7 32 26 3a 28 87 49 fb c4 83 31 68 c6 |4.].2&:(.I...1h.| +000002c0 0d 32 d4 31 0a d1 d6 1e 6f 7f 89 93 bf b7 7c c7 |.2.1....o.....|.| +000002d0 95 f8 c3 69 d8 58 4e e4 76 07 36 84 b7 c3 e7 22 |...i.XN.v.6...."| +000002e0 01 4c 59 ae 89 95 bb e0 07 e0 31 6a e2 95 4c d4 |.LY.......1j..L.| +000002f0 01 54 9d 27 82 60 31 13 39 07 47 c2 0c 08 5c d4 |.T.'.`1.9.G...\.| +00000300 03 5a 6f d7 89 a0 67 5e 2d a0 11 03 bf 0e 35 d8 |.Zo...g^-.....5.| +00000310 d0 78 2f 1e d8 15 47 ce c9 d3 14 03 03 00 01 01 |.x/...G.........| +00000320 16 03 03 00 40 d0 0a 0e 93 dd 9a 51 4f a9 7f 5f |....@......QO.._| +00000330 93 a6 60 a6 f2 10 f1 bd bd ae 13 5d 11 b7 0d 1a |..`........]....| +00000340 3d 1e f3 0c b7 53 7c 10 ed fa 8c d7 3f 20 ec f2 |=....S|.....? ..| +00000350 7d e9 15 87 3d d3 05 21 3a bc a5 54 fa 40 3b 53 |}...=..!:..T.@;S| +00000360 41 7c ea c6 28 |A|..(| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 40 00 00 00 00 00 |..........@.....| +00000010 00 00 00 00 00 00 00 00 00 00 00 a8 8e 30 08 f0 |.............0..| +00000020 87 7b 13 31 99 6d 7e 9a 9b 03 d3 6f 84 d8 d9 31 |.{.1.m~....o...1| +00000030 2b d2 aa d4 0e ae 6e 72 03 ac e7 7e 5c 22 cc ac |+.....nr...~\"..| +00000040 33 b5 df 04 b2 4a 2b 6f bb a1 6f 17 03 03 00 40 |3....J+o..o....@| +00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000060 50 9c 81 04 9b 1d 61 8a 30 9c 18 68 c7 e1 c9 f3 |P.....a.0..h....| +00000070 70 f0 1b b6 4a dd fc c7 e3 e3 20 e2 4d 6f 9f bf |p...J..... .Mo..| +00000080 17 b0 5e 5b 45 73 29 1e d4 30 b4 03 ca 8e 69 63 |..^[Es)..0....ic| +00000090 15 03 03 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........| +000000a0 00 00 00 00 00 28 ca 6a 4c 1b 3c 11 61 ce b2 58 |.....(.jL.<.a..X| +000000b0 94 e7 e4 7d c5 ce 51 03 c4 ae b5 4c 33 0b 3c 95 |...}..Q....L3.<.| +000000c0 ec b1 65 ea da |..e..| diff --git a/pkg/tls/testdata/Server-TLSv12-ClientAuthRequestedAndPKCS1v15Given b/pkg/tls/testdata/Server-TLSv12-ClientAuthRequestedAndPKCS1v15Given new file mode 100644 index 000000000..875fe1bec --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-ClientAuthRequestedAndPKCS1v15Given @@ -0,0 +1,125 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 6d 01 00 00 69 03 03 dc f3 c6 52 a4 |....m...i.....R.| +00000010 9a 9c 53 e0 5a 3c cc 4c 4f 09 32 7f f1 7c 86 6b |..S.Z<.LO.2..|.k| +00000020 75 59 68 a5 81 72 45 46 fb 94 a8 00 00 04 00 2f |uYh..rEF......./| +00000030 00 ff 01 00 00 3c 00 16 00 00 00 17 00 00 00 0d |.....<..........| +00000040 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 |.0..............| +00000050 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 |................| +00000060 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 |................| +00000070 06 02 |..| +>>> Flow 2 (server to client) +00000000 16 03 03 00 35 02 00 00 31 03 03 00 00 00 00 00 |....5...1.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 00 2f 00 00 |...DOWNGRD.../..| +00000030 09 ff 01 00 01 00 00 17 00 00 16 03 03 02 59 0b |..............Y.| +00000040 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000050 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000060 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000070 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +00000080 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +00000090 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000a0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000b0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000c0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000d0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +000000e0 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +000000f0 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000100 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000110 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000120 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000130 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000140 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000150 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000160 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000170 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +00000180 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +00000190 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001a0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001b0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001c0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001d0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +000001e0 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +000001f0 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000200 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000210 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000220 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000230 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000240 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000250 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000260 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000270 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +00000280 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +00000290 84 5c 21 d3 3b e9 fa e7 16 03 03 00 23 0d 00 00 |.\!.;.......#...| +000002a0 1f 02 01 40 00 18 08 04 04 03 08 07 08 05 08 06 |...@............| +000002b0 04 01 05 01 06 01 05 03 06 03 02 01 02 03 00 00 |................| +000002c0 16 03 03 00 04 0e 00 00 00 |.........| +>>> Flow 3 (client to server) +00000000 16 03 03 01 fd 0b 00 01 f9 00 01 f6 00 01 f3 30 |...............0| +00000010 82 01 ef 30 82 01 58 a0 03 02 01 02 02 10 5c 19 |...0..X.......\.| +00000020 c1 89 65 83 55 6f dc 0b c9 b9 93 9f e9 bc 30 0d |..e.Uo........0.| +00000030 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 12 31 |..*.H........0.1| +00000040 10 30 0e 06 03 55 04 0a 13 07 41 63 6d 65 20 43 |.0...U....Acme C| +00000050 6f 30 1e 17 0d 31 36 30 38 31 37 32 31 35 32 33 |o0...16081721523| +00000060 31 5a 17 0d 31 37 30 38 31 37 32 31 35 32 33 31 |1Z..170817215231| +00000070 5a 30 12 31 10 30 0e 06 03 55 04 0a 13 07 41 63 |Z0.1.0...U....Ac| +00000080 6d 65 20 43 6f 30 81 9f 30 0d 06 09 2a 86 48 86 |me Co0..0...*.H.| +00000090 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 |...........0....| +000000a0 81 00 ba 6f aa 86 bd cf bf 9f f2 ef 5c 94 60 78 |...o........\.`x| +000000b0 6f e8 13 f2 d1 96 6f cd d9 32 6e 22 37 ce 41 f9 |o.....o..2n"7.A.| +000000c0 ca 5d 29 ac e1 27 da 61 a2 ee 81 cb 10 c7 df 34 |.])..'.a.......4| +000000d0 58 95 86 e9 3d 19 e6 5c 27 73 60 c8 8d 78 02 f4 |X...=..\'s`..x..| +000000e0 1d a4 98 09 a3 19 70 69 3c 25 62 66 2a ab 22 23 |......pi<%bf*."#| +000000f0 c5 7b 85 38 4f 2e 09 73 32 a7 bd 3e 9b ad ca 84 |.{.8O..s2..>....| +00000100 07 e6 0f 3a ff 77 c5 9d 41 85 00 8a b6 9b ee b0 |...:.w..A.......| +00000110 a4 3f 2d 4c 4c e6 42 3e bb 51 c8 dd 48 54 f4 0c |.?-LL.B>.Q..HT..| +00000120 8e 47 02 03 01 00 01 a3 46 30 44 30 0e 06 03 55 |.G......F0D0...U| +00000130 1d 0f 01 01 ff 04 04 03 02 05 a0 30 13 06 03 55 |...........0...U| +00000140 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 01 |.%..0...+.......| +00000150 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 0f |0...U.......0.0.| +00000160 06 03 55 1d 11 04 08 30 06 87 04 7f 00 00 01 30 |..U....0.......0| +00000170 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 |...*.H..........| +00000180 81 00 46 ab 44 a2 fb 28 54 f8 5a 67 f8 62 94 f1 |..F.D..(T.Zg.b..| +00000190 9a b2 18 9e f2 b1 de 1d 7e 6f 76 95 a9 ba e7 5d |........~ov....]| +000001a0 a8 16 6c 9c f7 09 d3 37 e4 4b 2b 36 7c 01 ad 41 |..l....7.K+6|..A| +000001b0 d2 32 d8 c3 d2 93 f9 10 6b 8e 95 b9 2c 17 8a a3 |.2......k...,...| +000001c0 44 48 bc 59 13 83 16 04 88 a4 81 5c 25 0d 98 0c |DH.Y.......\%...| +000001d0 ac 11 b1 28 56 be 1d cd 61 62 84 09 bf d6 80 c6 |...(V...ab......| +000001e0 45 8d 82 2c b4 d8 83 9b db c9 22 b7 2a 12 11 7b |E..,......".*..{| +000001f0 fa 02 3b c1 c9 ff ea c9 9d a8 49 d3 95 d7 d5 0e |..;.......I.....| +00000200 e5 35 16 03 03 00 86 10 00 00 82 00 80 b5 77 6b |.5............wk| +00000210 fa 10 fb df 48 8f e7 51 b4 cb 14 c5 48 bd 63 d6 |....H..Q....H.c.| +00000220 0e 19 d0 81 a8 5a d7 b5 43 84 35 85 37 b7 8d 2e |.....Z..C.5.7...| +00000230 c7 c8 70 4c f4 45 bf be 17 86 e7 40 1d 6f 88 2a |..pL.E.....@.o.*| +00000240 91 b5 aa aa 34 f7 9a f3 96 e4 dd 51 15 88 be f1 |....4......Q....| +00000250 80 a9 6f 94 ed c7 5d 28 66 b4 37 e8 22 4f 42 c3 |..o...](f.7."OB.| +00000260 b5 f0 2f dd 57 dc 8d e5 5a c0 9d fa ce 3c 7a 2d |../.W...Z....>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 40 00 00 00 00 00 |..........@.....| +00000010 00 00 00 00 00 00 00 00 00 00 00 a2 b0 ad 7e 71 |..............~q| +00000020 0c 2c db df 4c b1 4f 19 e6 00 4f 11 ff 5e 4a c5 |.,..L.O...O..^J.| +00000030 c2 9d 8c 6c 03 50 12 3d 81 ec 44 5a 75 ba 2d 48 |...l.P.=..DZu.-H| +00000040 7a 74 c3 a3 68 5a 26 ee 7e f5 a2 17 03 03 00 40 |zt..hZ&.~......@| +00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000060 ad 1b 16 8e 39 99 64 7c c5 49 24 83 c4 4e f6 86 |....9.d|.I$..N..| +00000070 6b 5d 68 ae f4 0b 58 23 83 eb ab 01 52 4d 07 a1 |k]h...X#....RM..| +00000080 59 00 e8 dc a5 a1 6f 76 e2 e9 f2 e1 21 58 6b a0 |Y.....ov....!Xk.| +00000090 15 03 03 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........| +000000a0 00 00 00 00 00 3c 6e a7 81 36 d0 8c 99 d8 f3 55 |.....>> Flow 1 (client to server) +00000000 16 03 01 00 6d 01 00 00 69 03 03 ac ea d9 49 98 |....m...i.....I.| +00000010 9a 0c 7c 86 64 7c 73 72 6d 79 3f 7b e9 11 8b 1d |..|.d|srmy?{....| +00000020 79 95 f5 f5 23 9f b2 f1 9c f4 b5 00 00 04 00 2f |y...#........../| +00000030 00 ff 01 00 00 3c 00 16 00 00 00 17 00 00 00 0d |.....<..........| +00000040 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 |.0..............| +00000050 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 |................| +00000060 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 |................| +00000070 06 02 |..| +>>> Flow 2 (server to client) +00000000 16 03 03 00 35 02 00 00 31 03 03 00 00 00 00 00 |....5...1.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 00 2f 00 00 |...DOWNGRD.../..| +00000030 09 ff 01 00 01 00 00 17 00 00 16 03 03 02 59 0b |..............Y.| +00000040 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000050 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000060 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000070 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +00000080 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +00000090 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000a0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000b0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000c0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000d0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +000000e0 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +000000f0 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000100 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000110 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000120 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000130 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000140 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000150 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000160 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000170 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +00000180 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +00000190 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001a0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001b0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001c0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001d0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +000001e0 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +000001f0 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000200 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000210 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000220 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000230 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000240 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000250 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000260 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000270 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +00000280 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +00000290 84 5c 21 d3 3b e9 fa e7 16 03 03 00 23 0d 00 00 |.\!.;.......#...| +000002a0 1f 02 01 40 00 18 08 04 04 03 08 07 08 05 08 06 |...@............| +000002b0 04 01 05 01 06 01 05 03 06 03 02 01 02 03 00 00 |................| +000002c0 16 03 03 00 04 0e 00 00 00 |.........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 07 0b 00 00 03 00 00 00 16 03 03 00 |................| +00000010 86 10 00 00 82 00 80 2e 37 44 fb d7 1d 2f 3d a5 |........7D.../=.| +00000020 1b 43 cf f4 1c cf 9d 95 fa be 9f 9d 96 8a 27 5d |.C............']| +00000030 7b be 19 10 bd 5e 9a 3e 49 49 d2 af 85 07 70 f8 |{....^.>II....p.| +00000040 c8 4f 69 02 ff 4e 9d ee f4 0d 4d 54 a1 aa 61 a3 |.Oi..N....MT..a.| +00000050 e0 cc db a7 2c 46 80 6e eb 10 fb cd 2e 3b c5 50 |....,F.n.....;.P| +00000060 2b a5 d9 a0 bf 01 d2 f8 d8 51 2b ad 40 6f c6 6f |+........Q+.@o.o| +00000070 0e 30 53 27 73 89 b7 1b c1 28 ff ff 18 4c fa 6f |.0S's....(...L.o| +00000080 fa 5f 16 b3 38 36 9f f4 07 74 ca bb bb c2 3f aa |._..86...t....?.| +00000090 0d e7 42 24 fb f8 4c 14 03 03 00 01 01 16 03 03 |..B$..L.........| +000000a0 00 40 19 02 9e 3a ce b9 38 40 ce d6 3b 87 b2 f6 |.@...:..8@..;...| +000000b0 1b 7d ee 76 62 f8 6e 04 80 8f cb 1b f7 1e 1d a6 |.}.vb.n.........| +000000c0 50 8a 59 b1 ad 7d c5 9d 2f 2d 14 56 2e e5 3b b3 |P.Y..}../-.V..;.| +000000d0 db da 7e 37 10 97 71 91 d3 7b 93 f6 64 a4 d7 8b |..~7..q..{..d...| +000000e0 d2 f0 |..| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 40 00 00 00 00 00 |..........@.....| +00000010 00 00 00 00 00 00 00 00 00 00 00 46 c8 31 06 11 |...........F.1..| +00000020 01 8e df b0 e7 cc 16 d3 97 2e a2 68 e7 a4 d1 0f |...........h....| +00000030 91 71 dd ba db 97 20 45 60 c2 47 c7 ee 56 c4 68 |.q.... E`.G..V.h| +00000040 a4 b1 05 09 e2 68 4d 54 fa ff 01 17 03 03 00 40 |.....hMT.......@| +00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000060 79 bf ad 63 e3 11 2b d0 41 0e 24 85 92 c4 9b b5 |y..c..+.A.$.....| +00000070 b2 d3 2e fc aa 46 84 85 a7 37 90 fc f0 2b 5a 7e |.....F...7...+Z~| +00000080 28 9f 2e 57 1d 8f c3 ca eb 40 32 79 af 4b b8 28 |(..W.....@2y.K.(| +00000090 15 03 03 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........| +000000a0 00 00 00 00 00 8b 6c 27 b8 ff f9 ea ca 68 75 54 |......l'.....huT| +000000b0 bf bf a7 f4 b1 58 a5 b3 31 01 4d c7 85 58 31 d4 |.....X..1.M..X1.| +000000c0 e7 da 7e 77 68 |..~wh| diff --git a/pkg/tls/testdata/Server-TLSv12-ECDHE-ECDSA-AES b/pkg/tls/testdata/Server-TLSv12-ECDHE-ECDSA-AES new file mode 100644 index 000000000..697b8102d --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-ECDHE-ECDSA-AES @@ -0,0 +1,84 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 85 01 00 00 81 03 03 83 21 a6 e4 ea |............!...| +00000010 e9 7b 3a 7c 72 28 ee 68 c5 c7 fa f1 98 ed 4a be |.{:|r(.h......J.| +00000020 b8 42 13 fb d3 ab 63 16 d2 74 c8 00 00 04 c0 0a |.B....c..t......| +00000030 00 ff 01 00 00 54 00 0b 00 04 03 00 01 02 00 0a |.....T..........| +00000040 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................| +00000050 00 00 00 17 00 00 00 0d 00 30 00 2e 04 03 05 03 |.........0......| +00000060 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 |................| +00000070 08 06 04 01 05 01 06 01 03 03 02 03 03 01 02 01 |................| +00000080 03 02 02 02 04 02 05 02 06 02 |..........| +>>> Flow 2 (server to client) +00000000 16 03 03 00 3b 02 00 00 37 03 03 00 00 00 00 00 |....;...7.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 c0 0a 00 00 |...DOWNGRD......| +00000030 0f ff 01 00 01 00 00 17 00 00 00 0b 00 02 01 00 |................| +00000040 16 03 03 02 0e 0b 00 02 0a 00 02 07 00 02 04 30 |...............0| +00000050 82 02 00 30 82 01 62 02 09 00 b8 bf 2d 47 a0 d2 |...0..b.....-G..| +00000060 eb f4 30 09 06 07 2a 86 48 ce 3d 04 01 30 45 31 |..0...*.H.=..0E1| +00000070 0b 30 09 06 03 55 04 06 13 02 41 55 31 13 30 11 |.0...U....AU1.0.| +00000080 06 03 55 04 08 13 0a 53 6f 6d 65 2d 53 74 61 74 |..U....Some-Stat| +00000090 65 31 21 30 1f 06 03 55 04 0a 13 18 49 6e 74 65 |e1!0...U....Inte| +000000a0 72 6e 65 74 20 57 69 64 67 69 74 73 20 50 74 79 |rnet Widgits Pty| +000000b0 20 4c 74 64 30 1e 17 0d 31 32 31 31 32 32 31 35 | Ltd0...12112215| +000000c0 30 36 33 32 5a 17 0d 32 32 31 31 32 30 31 35 30 |0632Z..221120150| +000000d0 36 33 32 5a 30 45 31 0b 30 09 06 03 55 04 06 13 |632Z0E1.0...U...| +000000e0 02 41 55 31 13 30 11 06 03 55 04 08 13 0a 53 6f |.AU1.0...U....So| +000000f0 6d 65 2d 53 74 61 74 65 31 21 30 1f 06 03 55 04 |me-State1!0...U.| +00000100 0a 13 18 49 6e 74 65 72 6e 65 74 20 57 69 64 67 |...Internet Widg| +00000110 69 74 73 20 50 74 79 20 4c 74 64 30 81 9b 30 10 |its Pty Ltd0..0.| +00000120 06 07 2a 86 48 ce 3d 02 01 06 05 2b 81 04 00 23 |..*.H.=....+...#| +00000130 03 81 86 00 04 00 c4 a1 ed be 98 f9 0b 48 73 36 |.............Hs6| +00000140 7e c3 16 56 11 22 f2 3d 53 c3 3b 4d 21 3d cd 6b |~..V.".=S.;M!=.k| +00000150 75 e6 f6 b0 dc 9a df 26 c1 bc b2 87 f0 72 32 7c |u......&.....r2|| +00000160 b3 64 2f 1c 90 bc ea 68 23 10 7e fe e3 25 c0 48 |.d/....h#.~..%.H| +00000170 3a 69 e0 28 6d d3 37 00 ef 04 62 dd 0d a0 9c 70 |:i.(m.7...b....p| +00000180 62 83 d8 81 d3 64 31 aa 9e 97 31 bd 96 b0 68 c0 |b....d1...1...h.| +00000190 9b 23 de 76 64 3f 1a 5c 7f e9 12 0e 58 58 b6 5f |.#.vd?.\....XX._| +000001a0 70 dd 9b d8 ea d5 d7 f5 d5 cc b9 b6 9f 30 66 5b |p............0f[| +000001b0 66 9a 20 e2 27 e5 bf fe 3b 30 09 06 07 2a 86 48 |f. .'...;0...*.H| +000001c0 ce 3d 04 01 03 81 8c 00 30 81 88 02 42 01 88 a2 |.=......0...B...| +000001d0 4f eb e2 45 c5 48 7d 1b ac f5 ed 98 9d ae 47 70 |O..E.H}.......Gp| +000001e0 c0 5e 1b b6 2f bd f1 b6 4d b7 61 40 d3 11 a2 ce |.^../...M.a@....| +000001f0 ee 0b 7e 92 7e ff 76 9d c3 3b 7e a5 3f ce fa 10 |..~.~.v..;~.?...| +00000200 e2 59 ec 47 2d 7c ac da 4e 97 0e 15 a0 6f d0 02 |.Y.G-|..N....o..| +00000210 42 01 4d fc be 67 13 9c 2d 05 0e bd 3f a3 8c 25 |B.M..g..-...?..%| +00000220 c1 33 13 83 0d 94 06 bb d4 37 7a f6 ec 7a c9 86 |.3.......7z..z..| +00000230 2e dd d7 11 69 7f 85 7c 56 de fb 31 78 2b e4 c7 |....i..|V..1x+..| +00000240 78 0d ae cb be 9e 4e 36 24 31 7b 6a 0f 39 95 12 |x.....N6$1{j.9..| +00000250 07 8f 2a 16 03 03 00 b7 0c 00 00 b3 03 00 1d 20 |..*............ | +00000260 2f e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 |/.}.G.bC.(.._.).| +00000270 30 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 |0.........._X.;t| +00000280 04 03 00 8b 30 81 88 02 42 00 b9 39 44 59 12 77 |....0...B..9DY.w| +00000290 8d e2 79 25 01 d1 6a 05 3d 53 ea f3 91 d6 c5 09 |..y%..j.=S......| +000002a0 24 bd 0c ad 24 cc 1c a7 fb 03 eb 0a 0d f4 30 96 |$...$.........0.| +000002b0 8d 28 a1 b3 64 ba 30 27 95 29 23 22 91 62 c3 1f |.(..d.0'.)#".b..| +000002c0 51 aa c8 be 17 85 31 8e f5 40 3e 02 42 00 ee a1 |Q.....1..@>.B...| +000002d0 64 14 a1 52 b3 e5 54 c9 24 53 94 5a 43 d8 4f 79 |d..R..T.$S.ZC.Oy| +000002e0 69 4b a8 51 ee de b3 b0 f7 1a 57 a3 28 72 d2 13 |iK.Q......W.(r..| +000002f0 a6 d3 17 0b c4 45 34 7f 10 3b 81 cb 0c 8d 51 b6 |.....E4..;....Q.| +00000300 0b 86 21 d0 ee 1d 7e 73 6b ea 77 8c 66 dc 65 16 |..!...~sk.w.f.e.| +00000310 03 03 00 04 0e 00 00 00 |........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 ed 3e ba a7 43 53 |....%...! .>..CS| +00000010 5e e4 60 aa 31 3f e1 69 60 32 25 3d fd 8b 32 da |^.`.1?.i`2%=..2.| +00000020 f2 c5 db c7 02 e6 4d d0 de 15 14 03 03 00 01 01 |......M.........| +00000030 16 03 03 00 40 ee 28 f2 27 82 24 9d 17 d1 48 7a |....@.(.'.$...Hz| +00000040 74 2d dd 16 18 b7 70 97 2f 2b 91 47 eb c2 1d ae |t-....p./+.G....| +00000050 3f 48 52 cd ff e7 9e 0b 35 ad 1f 60 5e 07 b1 5e |?HR.....5..`^..^| +00000060 1c ba 6a 85 bb 6b 30 94 41 8a 59 81 cf 37 5f 26 |..j..k0.A.Y..7_&| +00000070 b1 52 36 5f df |.R6_.| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 40 00 00 00 00 00 |..........@.....| +00000010 00 00 00 00 00 00 00 00 00 00 00 f5 05 5a a6 22 |.............Z."| +00000020 90 4e 8d d9 f1 55 c4 78 f2 ec 9d 97 cd fe af ae |.N...U.x........| +00000030 b7 62 00 67 2e b2 d9 1e 0c a3 c8 6a bf d2 3c 42 |.b.g.......j..B.a..I...| +000000b0 c2 a3 76 74 1e 4f 53 0a fc 71 de 0d d2 44 c8 ac |..vt.OS..q...D..| +000000c0 2e 09 27 e6 ad |..'..| diff --git a/pkg/tls/testdata/Server-TLSv12-Ed25519 b/pkg/tls/testdata/Server-TLSv12-Ed25519 new file mode 100644 index 000000000..42bb15412 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-Ed25519 @@ -0,0 +1,58 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 85 01 00 00 81 03 03 f3 04 e3 e7 a2 |................| +00000010 39 79 b2 9e 94 35 cf c3 a8 54 77 ab 96 72 b6 40 |9y...5...Tw..r.@| +00000020 de 59 6b cf d4 f5 f4 2c fd 7d f6 00 00 04 cc a9 |.Yk....,.}......| +00000030 00 ff 01 00 00 54 00 0b 00 04 03 00 01 02 00 0a |.....T..........| +00000040 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................| +00000050 00 00 00 17 00 00 00 0d 00 30 00 2e 04 03 05 03 |.........0......| +00000060 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 |................| +00000070 08 06 04 01 05 01 06 01 03 03 02 03 03 01 02 01 |................| +00000080 03 02 02 02 04 02 05 02 06 02 |..........| +>>> Flow 2 (server to client) +00000000 16 03 03 00 3b 02 00 00 37 03 03 00 00 00 00 00 |....;...7.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 cc a9 00 00 |...DOWNGRD......| +00000030 0f ff 01 00 01 00 00 17 00 00 00 0b 00 02 01 00 |................| +00000040 16 03 03 01 3c 0b 00 01 38 00 01 35 00 01 32 30 |....<...8..5..20| +00000050 82 01 2e 30 81 e1 a0 03 02 01 02 02 10 0f 43 1c |...0..........C.| +00000060 42 57 93 94 1d e9 87 e4 f1 ad 15 00 5d 30 05 06 |BW..........]0..| +00000070 03 2b 65 70 30 12 31 10 30 0e 06 03 55 04 0a 13 |.+ep0.1.0...U...| +00000080 07 41 63 6d 65 20 43 6f 30 1e 17 0d 31 39 30 35 |.Acme Co0...1905| +00000090 31 36 32 31 33 38 30 31 5a 17 0d 32 30 30 35 31 |16213801Z..20051| +000000a0 35 32 31 33 38 30 31 5a 30 12 31 10 30 0e 06 03 |5213801Z0.1.0...| +000000b0 55 04 0a 13 07 41 63 6d 65 20 43 6f 30 2a 30 05 |U....Acme Co0*0.| +000000c0 06 03 2b 65 70 03 21 00 3f e2 15 2e e6 e3 ef 3f |..+ep.!.?......?| +000000d0 4e 85 4a 75 77 a3 64 9e ed e0 bf 84 2c cc 92 26 |N.Juw.d.....,..&| +000000e0 8f fa 6f 34 83 aa ec 8f a3 4d 30 4b 30 0e 06 03 |..o4.....M0K0...| +000000f0 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 13 06 03 |U...........0...| +00000100 55 1d 25 04 0c 30 0a 06 08 2b 06 01 05 05 07 03 |U.%..0...+......| +00000110 01 30 0c 06 03 55 1d 13 01 01 ff 04 02 30 00 30 |.0...U.......0.0| +00000120 16 06 03 55 1d 11 04 0f 30 0d 82 0b 65 78 61 6d |...U....0...exam| +00000130 70 6c 65 2e 63 6f 6d 30 05 06 03 2b 65 70 03 41 |ple.com0...+ep.A| +00000140 00 63 44 ed 9c c4 be 53 24 53 9f d2 10 8d 9f e8 |.cD....S$S......| +00000150 21 08 90 95 39 e5 0d c1 55 ff 2c 16 b7 1d fc ab |!...9...U.,.....| +00000160 7d 4d d4 e0 93 13 d0 a9 42 e0 b6 6b fe 5d 67 48 |}M......B..k.]gH| +00000170 d7 9f 50 bc 6c cd 4b 03 83 7c f2 08 58 cd ac cf |..P.l.K..|..X...| +00000180 0c 16 03 03 00 6c 0c 00 00 68 03 00 1d 20 2f e5 |.....l...h... /.| +00000190 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 ff |}.G.bC.(.._.).0.| +000001a0 f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 08 07 |........._X.;t..| +000001b0 00 40 a2 12 66 be 81 b1 24 93 f2 e1 60 9f c4 13 |.@..f...$...`...| +000001c0 04 3f 39 77 8f fe e4 33 5b f7 9d 84 f5 0f 96 aa |.?9w...3[.......| +000001d0 a0 d6 9d da ae b2 eb 76 64 02 82 58 d4 bc 5a 44 |.......vd..X..ZD| +000001e0 b9 5a f5 33 57 fa a6 9c d5 05 84 9a 19 0b 65 37 |.Z.3W.........e7| +000001f0 bc 05 16 03 03 00 04 0e 00 00 00 |...........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 95 58 05 04 03 27 |....%...! .X...'| +00000010 5e 14 d4 41 5a 3b eb d3 13 ad d4 16 fb 43 bf d6 |^..AZ;.......C..| +00000020 7c 0a 1e a9 6c f9 72 84 47 1a 14 03 03 00 01 01 ||...l.r.G.......| +00000030 16 03 03 00 20 06 f8 af f4 38 35 de 88 74 d6 cc |.... ....85..t..| +00000040 a8 fa 2c ee a4 88 42 5c 4a aa 62 49 dc 32 da 15 |..,...B\J.bI.2..| +00000050 1d 9c 5a b8 59 |..Z.Y| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 20 3a 16 00 b6 c5 |.......... :....| +00000010 76 1f 39 6b 17 2d 2f 34 83 c2 fd 1b 57 c4 0c 02 |v.9k.-/4....W...| +00000020 18 16 6c d2 92 69 63 9b 32 33 e0 17 03 03 00 1d |..l..ic.23......| +00000030 04 97 df f0 2c 4b 3d 69 99 36 eb 0b 11 56 97 ab |....,K=i.6...V..| +00000040 98 5d d9 d4 6f 93 92 5c cc f6 7e 77 40 15 03 03 |.]..o..\..~w@...| +00000050 00 12 58 cf 6e 90 04 6b ae 4f cf 6b 71 15 80 22 |..X.n..k.O.kq.."| +00000060 f5 80 fa df |....| diff --git a/pkg/tls/testdata/Server-TLSv12-ExportKeyingMaterial b/pkg/tls/testdata/Server-TLSv12-ExportKeyingMaterial new file mode 100644 index 000000000..ff8d63568 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-ExportKeyingMaterial @@ -0,0 +1,96 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 89 01 00 00 85 03 03 ad 13 87 9e b3 |................| +00000010 c7 71 bb bf be e3 b9 80 3f 17 bf 41 37 95 22 e6 |.q......?..A7.".| +00000020 f2 98 a9 15 62 1d 65 06 69 ea 53 00 00 04 c0 14 |....b.e.i.S.....| +00000030 00 ff 01 00 00 58 00 0b 00 04 03 00 01 02 00 0a |.....X..........| +00000040 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 |...............#| +00000050 00 00 00 16 00 00 00 17 00 00 00 0d 00 30 00 2e |.............0..| +00000060 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b |................| +00000070 08 04 08 05 08 06 04 01 05 01 06 01 03 03 02 03 |................| +00000080 03 01 02 01 03 02 02 02 04 02 05 02 06 02 |..............| +>>> Flow 2 (server to client) +00000000 16 03 03 00 3f 02 00 00 3b 03 03 00 00 00 00 00 |....?...;.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 c0 14 00 00 |...DOWNGRD......| +00000030 13 00 23 00 00 ff 01 00 01 00 00 17 00 00 00 0b |..#.............| +00000040 00 02 01 00 16 03 03 02 59 0b 00 02 55 00 02 52 |........Y...U..R| +00000050 00 02 4f 30 82 02 4b 30 82 01 b4 a0 03 02 01 02 |..O0..K0........| +00000060 02 09 00 e8 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a |......?.[..0...*| +00000070 86 48 86 f7 0d 01 01 0b 05 00 30 1f 31 0b 30 09 |.H........0.1.0.| +00000080 06 03 55 04 0a 13 02 47 6f 31 10 30 0e 06 03 55 |..U....Go1.0...U| +00000090 04 03 13 07 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 |....Go Root0...1| +000000a0 36 30 31 30 31 30 30 30 30 30 30 5a 17 0d 32 35 |60101000000Z..25| +000000b0 30 31 30 31 30 30 30 30 30 30 5a 30 1a 31 0b 30 |0101000000Z0.1.0| +000000c0 09 06 03 55 04 0a 13 02 47 6f 31 0b 30 09 06 03 |...U....Go1.0...| +000000d0 55 04 03 13 02 47 6f 30 81 9f 30 0d 06 09 2a 86 |U....Go0..0...*.| +000000e0 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 |H............0..| +000000f0 02 81 81 00 db 46 7d 93 2e 12 27 06 48 bc 06 28 |.....F}...'.H..(| +00000100 21 ab 7e c4 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 |!.~...]..RE.z6G.| +00000110 08 0d 92 42 5b c2 81 c0 be 97 79 98 40 fb 4f 6d |...B[.....y.@.Om| +00000120 14 fd 2b 13 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 |..+.....g....."8| +00000130 b7 4a 0b 74 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b |.J.ts+.4......t{| +00000140 f3 58 9f 6c 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 |.X.la<..A..++$#w| +00000150 5b 1c 3b bd 75 5d ce 20 54 cf a1 63 87 1d 1e 24 |[.;.u]. T..c...$| +00000160 c4 f3 1d 1a 50 8b aa b6 14 43 ed 97 a7 75 62 f4 |....P....C...ub.| +00000170 14 c8 52 d7 02 03 01 00 01 a3 81 93 30 81 90 30 |..R.........0..0| +00000180 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 05 a0 30 |...U...........0| +00000190 1d 06 03 55 1d 25 04 16 30 14 06 08 2b 06 01 05 |...U.%..0...+...| +000001a0 05 07 03 01 06 08 2b 06 01 05 05 07 03 02 30 0c |......+.......0.| +000001b0 06 03 55 1d 13 01 01 ff 04 02 30 00 30 19 06 03 |..U.......0.0...| +000001c0 55 1d 0e 04 12 04 10 9f 91 16 1f 43 43 3e 49 a6 |U..........CC>I.| +000001d0 de 6d b6 80 d7 9f 60 30 1b 06 03 55 1d 23 04 14 |.m....`0...U.#..| +000001e0 30 12 80 10 48 13 49 4d 13 7e 16 31 bb a3 01 d5 |0...H.IM.~.1....| +000001f0 ac ab 6e 7b 30 19 06 03 55 1d 11 04 12 30 10 82 |..n{0...U....0..| +00000200 0e 65 78 61 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 |.example.golang0| +00000210 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 03 81 |...*.H..........| +00000220 81 00 9d 30 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 |...0.@+[P.a...SX| +00000230 e1 ed 83 28 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a |...(.X..8....1Z.| +00000240 84 66 3d 43 d3 2d d9 0b f2 97 df d3 20 64 38 92 |.f=C.-...... d8.| +00000250 24 3a 00 bc cf 9c 7d b7 40 20 01 5f aa d3 16 61 |$:....}.@ ._...a| +00000260 09 a2 76 fd 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c |..v......\.....l| +00000270 04 ed 73 bb b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 |..s..Cw.......@.| +00000280 61 c9 4c 72 2b 9d ae db 46 06 06 4d f4 c1 b3 3e |a.Lr+...F..M...>| +00000290 c0 d1 bd 42 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 |...B...=.`.\!.;.| +000002a0 fa e7 16 03 03 00 ac 0c 00 00 a8 03 00 1d 20 2f |.............. /| +000002b0 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +000002c0 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 08 |.........._X.;t.| +000002d0 04 00 80 41 24 c2 f9 e8 40 21 47 3c ab 8e 99 5e |...A$...@!G<...^| +000002e0 0e 08 27 86 6c 29 ae 36 ed 21 18 23 67 cc f7 d5 |..'.l).6.!.#g...| +000002f0 3f e2 2c 48 2f 3d 47 e5 af d5 61 86 0f 91 69 30 |?.,H/=G...a...i0| +00000300 cf 84 56 f2 d3 c1 9a a3 a1 a2 c8 ef 4d 33 de 12 |..V.........M3..| +00000310 d6 46 55 5b c6 6a 65 a5 36 b5 51 5b db 04 25 aa |.FU[.je.6.Q[..%.| +00000320 1c af a0 b0 2d ee db 00 c5 ad 1b 94 d3 90 11 86 |....-...........| +00000330 10 83 35 41 65 9e a4 2c a9 ee 37 ac d4 cc 05 76 |..5Ae..,..7....v| +00000340 92 59 f9 51 68 79 6d 9e 5f eb 80 47 3a 7c e0 74 |.Y.Qhym._..G:|.t| +00000350 ac f5 36 16 03 03 00 04 0e 00 00 00 |..6.........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 d2 ed 26 ce 1f 5d |....%...! ..&..]| +00000010 50 b8 f4 19 fc 63 e2 b6 3d 7d 39 54 c2 c1 61 a9 |P....c..=}9T..a.| +00000020 2a 82 d8 e3 a9 2f 22 8c b2 18 14 03 03 00 01 01 |*..../".........| +00000030 16 03 03 00 40 82 78 f0 1e e6 03 20 67 66 4e d6 |....@.x.... gfN.| +00000040 93 25 69 9e 38 c6 dd 17 92 02 18 7f 5f 9c 9c f0 |.%i.8......._...| +00000050 a3 f7 45 d3 ba 82 e3 01 38 e5 4f cf 8b 0e 77 6e |..E.....8.O...wn| +00000060 91 99 83 e0 f1 3d e8 a1 39 d4 ea b3 2e 1c 67 59 |.....=..9.....gY| +00000070 c5 5d 83 30 dc |.].0.| +>>> Flow 4 (server to client) +00000000 16 03 03 00 83 04 00 00 7f 00 00 00 00 00 79 00 |..............y.| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 |................| +00000020 6f 2d 70 97 51 ed 14 ef 68 ca 42 c5 4c ff 6b a2 |o-p.Q...h.B.L.k.| +00000030 3e f9 07 a9 91 ad 0d c7 23 bd 7f 04 cf 4d a0 eb |>.......#....M..| +00000040 58 e0 e1 37 73 d3 cc 4b e2 7f 6d 3a 2e 47 b5 b4 |X..7s..K..m:.G..| +00000050 60 dd e6 9a ea 30 1e 6e 7a e7 8e 84 ca 49 38 16 |`....0.nz....I8.| +00000060 7e 51 5c e5 15 c0 58 7d a2 ba e2 ca 90 24 11 ea |~Q\...X}.....$..| +00000070 53 9c 7d cb 47 13 91 cf f6 05 f0 2f db 57 1a 40 |S.}.G....../.W.@| +00000080 57 b0 d4 97 8e 23 7e f5 14 03 03 00 01 01 16 03 |W....#~.........| +00000090 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 |..@.............| +000000a0 00 00 00 72 43 0e f2 f3 bb e8 6d 3b f2 ff 96 53 |...rC.....m;...S| +000000b0 12 36 07 e0 f0 17 35 e7 52 87 a3 12 7b 53 d4 83 |.6....5.R...{S..| +000000c0 cc d2 d3 06 4b e2 3a fc 38 4f a7 75 d8 3c 6a a4 |....K.:.8O.u.>> Flow 1 (client to server) +00000000 16 03 01 00 71 01 00 00 6d 03 03 bf f8 80 5d 1b |....q...m.....].| +00000010 ea 95 cb 32 3b 8f ff 5e f9 4d 58 7d dc a4 50 cc |...2;..^.MX}..P.| +00000020 68 4d 40 98 11 af f3 e4 d7 31 43 00 00 04 00 2f |hM@......1C..../| +00000030 00 ff 01 00 00 40 00 23 00 00 00 16 00 00 00 17 |.....@.#........| +00000040 00 00 00 0d 00 30 00 2e 04 03 05 03 06 03 08 07 |.....0..........| +00000050 08 08 08 09 08 0a 08 0b 08 04 08 05 08 06 04 01 |................| +00000060 05 01 06 01 03 03 02 03 03 01 02 01 03 02 02 02 |................| +00000070 04 02 05 02 06 02 |......| +>>> Flow 2 (server to client) +00000000 16 03 03 00 39 02 00 00 35 03 03 00 00 00 00 00 |....9...5.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 00 2f 00 00 |...DOWNGRD.../..| +00000030 0d 00 23 00 00 ff 01 00 01 00 00 17 00 00 16 03 |..#.............| +00000040 03 02 59 0b 00 02 55 00 02 52 00 02 4f 30 82 02 |..Y...U..R..O0..| +00000050 4b 30 82 01 b4 a0 03 02 01 02 02 09 00 e8 f0 9d |K0..............| +00000060 3f e2 5b ea a6 30 0d 06 09 2a 86 48 86 f7 0d 01 |?.[..0...*.H....| +00000070 01 0b 05 00 30 1f 31 0b 30 09 06 03 55 04 0a 13 |....0.1.0...U...| +00000080 02 47 6f 31 10 30 0e 06 03 55 04 03 13 07 47 6f |.Go1.0...U....Go| +00000090 20 52 6f 6f 74 30 1e 17 0d 31 36 30 31 30 31 30 | Root0...1601010| +000000a0 30 30 30 30 30 5a 17 0d 32 35 30 31 30 31 30 30 |00000Z..25010100| +000000b0 30 30 30 30 5a 30 1a 31 0b 30 09 06 03 55 04 0a |0000Z0.1.0...U..| +000000c0 13 02 47 6f 31 0b 30 09 06 03 55 04 03 13 02 47 |..Go1.0...U....G| +000000d0 6f 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 |o0..0...*.H.....| +000000e0 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 db 46 |.......0.......F| +000000f0 7d 93 2e 12 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 |}...'.H..(!.~...| +00000100 5d fe 1e 52 45 88 7a 36 47 a5 08 0d 92 42 5b c2 |]..RE.z6G....B[.| +00000110 81 c0 be 97 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 |....y.@.Om..+...| +00000120 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b |..g....."8.J.ts+| +00000130 c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c |.4......t{.X.la<| +00000140 c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d |..A..++$#w[.;.u]| +00000150 ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b |. T..c...$....P.| +00000160 aa b6 14 43 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 |...C...ub...R...| +00000170 01 00 01 a3 81 93 30 81 90 30 0e 06 03 55 1d 0f |......0..0...U..| +00000180 01 01 ff 04 04 03 02 05 a0 30 1d 06 03 55 1d 25 |.........0...U.%| +00000190 04 16 30 14 06 08 2b 06 01 05 05 07 03 01 06 08 |..0...+.........| +000001a0 2b 06 01 05 05 07 03 02 30 0c 06 03 55 1d 13 01 |+.......0...U...| +000001b0 01 ff 04 02 30 00 30 19 06 03 55 1d 0e 04 12 04 |....0.0...U.....| +000001c0 10 9f 91 16 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f |.....CC>I..m....| +000001d0 60 30 1b 06 03 55 1d 23 04 14 30 12 80 10 48 13 |`0...U.#..0...H.| +000001e0 49 4d 13 7e 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 |IM.~.1......n{0.| +000001f0 06 03 55 1d 11 04 12 30 10 82 0e 65 78 61 6d 70 |..U....0...examp| +00000200 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 |le.golang0...*.H| +00000210 86 f7 0d 01 01 0b 05 00 03 81 81 00 9d 30 cc 40 |.............0.@| +00000220 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed 83 28 a9 58 |+[P.a...SX...(.X| +00000230 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d |..8....1Z..f=C.-| +00000240 d9 0b f2 97 df d3 20 64 38 92 24 3a 00 bc cf 9c |...... d8.$:....| +00000250 7d b7 40 20 01 5f aa d3 16 61 09 a2 76 fd 13 c3 |}.@ ._...a..v...| +00000260 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed 73 bb b3 43 |...\.....l..s..C| +00000270 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d |w.......@.a.Lr+.| +00000280 ae db 46 06 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db |..F..M...>...B..| +00000290 fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 16 03 03 00 |.=.`.\!.;.......| +000002a0 04 0e 00 00 00 |.....| +>>> Flow 3 (client to server) +00000000 16 03 03 00 86 10 00 00 82 00 80 35 d7 dd 48 68 |...........5..Hh| +00000010 17 8c 9b 02 75 0c 6b 76 17 0a e1 f8 06 c0 d7 1d |....u.kv........| +00000020 bf a5 97 d2 59 0f c9 90 4a f0 6f 40 dc e7 30 c4 |....Y...J.o@..0.| +00000030 75 ab 74 9c 32 48 a4 84 3c 40 a0 bd 03 aa 09 2b |u.t.2H..<@.....+| +00000040 b2 4c 80 82 17 b8 3d 27 16 9a b7 90 66 f2 10 4e |.L....='....f..N| +00000050 41 7e 78 24 de 27 91 f9 e9 bc bf 15 3a 35 1b ae |A~x$.'......:5..| +00000060 28 9e e1 09 f0 7a 4d 66 7e de d1 43 bf f5 e4 09 |(....zMf~..C....| +00000070 a7 21 cb 0e 1d 59 6d a0 a6 41 44 58 f4 ab ac 6a |.!...Ym..ADX...j| +00000080 98 db 25 e3 57 ee 94 87 85 51 ea 14 03 03 00 01 |..%.W....Q......| +00000090 01 16 03 03 00 40 c9 64 79 e7 15 1d 30 15 95 89 |.....@.dy...0...| +000000a0 b1 9b 12 42 69 4b 22 20 54 5a aa b6 71 02 1c 3f |...BiK" TZ..q..?| +000000b0 7c b5 66 07 b5 1f 55 96 3f ce 47 1f 66 52 d8 6b ||.f...U.?.G.fR.k| +000000c0 65 71 c0 4e 0b 7e 55 e0 f5 af 42 29 af 2b 1d 0e |eq.N.~U...B).+..| +000000d0 e6 96 cd 7b fc d3 |...{..| +>>> Flow 4 (server to client) +00000000 16 03 03 00 83 04 00 00 7f 00 00 00 00 00 79 00 |..............y.| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 |................| +00000020 6f 2d b0 ac 51 ed 14 ef 68 ca 42 c5 4c 85 f6 26 |o-..Q...h.B.L..&| +00000030 0d a4 ad a8 f5 14 64 4f b9 c3 fb 1e 55 c1 1f c7 |......dO....U...| +00000040 31 57 72 68 db 03 37 a8 c9 07 f4 ca 62 6c 5c f3 |1Wrh..7.....bl\.| +00000050 8b 5a 3d 76 dd 63 ea 68 61 6b a1 2d 95 49 38 16 |.Z=v.c.hak.-.I8.| +00000060 7e 51 5c e5 15 c0 58 7d c5 67 4a 6f 64 b6 79 1a |~Q\...X}.gJod.y.| +00000070 41 9b b1 33 15 38 74 92 5c a5 48 c3 f2 94 bb 33 |A..3.8t.\.H....3| +00000080 ec af cf d7 e7 c9 3e 35 14 03 03 00 01 01 16 03 |......>5........| +00000090 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 |..@.............| +000000a0 00 00 00 19 51 7c 1c a3 80 34 e1 81 30 3f f9 a4 |....Q|...4..0?..| +000000b0 a0 97 97 fd 94 fb ab e8 80 48 25 7b 83 ca 38 61 |.........H%{..8a| +000000c0 34 95 d0 52 6f 09 ad 4f 74 35 c5 3d e8 bb aa 5d |4..Ro..Ot5.=...]| +000000d0 d0 fc 85 17 03 03 00 40 00 00 00 00 00 00 00 00 |.......@........| +000000e0 00 00 00 00 00 00 00 00 e7 19 f9 fd 10 7c 17 04 |.............|..| +000000f0 2d ce 5f a6 41 33 3d 05 b0 29 91 ff a0 a5 76 52 |-._.A3=..)....vR| +00000100 e1 b9 ba 6a ca d3 79 60 11 ac 43 b5 30 f7 15 dc |...j..y`..C.0...| +00000110 6f b1 d2 b2 00 85 43 40 15 03 03 00 30 00 00 00 |o.....C@....0...| +00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 19 99 8a |................| +00000130 4c 18 e0 03 cc 27 7a be 2c e5 d2 16 95 f6 a4 6e |L....'z.,......n| +00000140 11 d3 1d f4 01 52 2b fc 98 04 b1 0b 31 |.....R+.....1| diff --git a/pkg/tls/testdata/Server-TLSv12-IssueTicketPreDisable b/pkg/tls/testdata/Server-TLSv12-IssueTicketPreDisable new file mode 100644 index 000000000..20ce3c3cc --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-IssueTicketPreDisable @@ -0,0 +1,90 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 71 01 00 00 6d 03 03 a1 ba 69 29 39 |....q...m....i)9| +00000010 b5 fc c7 90 90 54 35 be 5a ad 4a e2 b2 3d b9 01 |.....T5.Z.J..=..| +00000020 f0 48 fd 77 b5 9e bc 89 f5 d4 df 00 00 04 00 2f |.H.w.........../| +00000030 00 ff 01 00 00 40 00 23 00 00 00 16 00 00 00 17 |.....@.#........| +00000040 00 00 00 0d 00 30 00 2e 04 03 05 03 06 03 08 07 |.....0..........| +00000050 08 08 08 09 08 0a 08 0b 08 04 08 05 08 06 04 01 |................| +00000060 05 01 06 01 03 03 02 03 03 01 02 01 03 02 02 02 |................| +00000070 04 02 05 02 06 02 |......| +>>> Flow 2 (server to client) +00000000 16 03 03 00 39 02 00 00 35 03 03 00 00 00 00 00 |....9...5.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 00 2f 00 00 |...DOWNGRD.../..| +00000030 0d 00 23 00 00 ff 01 00 01 00 00 17 00 00 16 03 |..#.............| +00000040 03 02 59 0b 00 02 55 00 02 52 00 02 4f 30 82 02 |..Y...U..R..O0..| +00000050 4b 30 82 01 b4 a0 03 02 01 02 02 09 00 e8 f0 9d |K0..............| +00000060 3f e2 5b ea a6 30 0d 06 09 2a 86 48 86 f7 0d 01 |?.[..0...*.H....| +00000070 01 0b 05 00 30 1f 31 0b 30 09 06 03 55 04 0a 13 |....0.1.0...U...| +00000080 02 47 6f 31 10 30 0e 06 03 55 04 03 13 07 47 6f |.Go1.0...U....Go| +00000090 20 52 6f 6f 74 30 1e 17 0d 31 36 30 31 30 31 30 | Root0...1601010| +000000a0 30 30 30 30 30 5a 17 0d 32 35 30 31 30 31 30 30 |00000Z..25010100| +000000b0 30 30 30 30 5a 30 1a 31 0b 30 09 06 03 55 04 0a |0000Z0.1.0...U..| +000000c0 13 02 47 6f 31 0b 30 09 06 03 55 04 03 13 02 47 |..Go1.0...U....G| +000000d0 6f 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 |o0..0...*.H.....| +000000e0 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 db 46 |.......0.......F| +000000f0 7d 93 2e 12 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 |}...'.H..(!.~...| +00000100 5d fe 1e 52 45 88 7a 36 47 a5 08 0d 92 42 5b c2 |]..RE.z6G....B[.| +00000110 81 c0 be 97 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 |....y.@.Om..+...| +00000120 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b |..g....."8.J.ts+| +00000130 c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c |.4......t{.X.la<| +00000140 c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d |..A..++$#w[.;.u]| +00000150 ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b |. T..c...$....P.| +00000160 aa b6 14 43 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 |...C...ub...R...| +00000170 01 00 01 a3 81 93 30 81 90 30 0e 06 03 55 1d 0f |......0..0...U..| +00000180 01 01 ff 04 04 03 02 05 a0 30 1d 06 03 55 1d 25 |.........0...U.%| +00000190 04 16 30 14 06 08 2b 06 01 05 05 07 03 01 06 08 |..0...+.........| +000001a0 2b 06 01 05 05 07 03 02 30 0c 06 03 55 1d 13 01 |+.......0...U...| +000001b0 01 ff 04 02 30 00 30 19 06 03 55 1d 0e 04 12 04 |....0.0...U.....| +000001c0 10 9f 91 16 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f |.....CC>I..m....| +000001d0 60 30 1b 06 03 55 1d 23 04 14 30 12 80 10 48 13 |`0...U.#..0...H.| +000001e0 49 4d 13 7e 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 |IM.~.1......n{0.| +000001f0 06 03 55 1d 11 04 12 30 10 82 0e 65 78 61 6d 70 |..U....0...examp| +00000200 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 |le.golang0...*.H| +00000210 86 f7 0d 01 01 0b 05 00 03 81 81 00 9d 30 cc 40 |.............0.@| +00000220 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed 83 28 a9 58 |+[P.a...SX...(.X| +00000230 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d |..8....1Z..f=C.-| +00000240 d9 0b f2 97 df d3 20 64 38 92 24 3a 00 bc cf 9c |...... d8.$:....| +00000250 7d b7 40 20 01 5f aa d3 16 61 09 a2 76 fd 13 c3 |}.@ ._...a..v...| +00000260 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed 73 bb b3 43 |...\.....l..s..C| +00000270 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d |w.......@.a.Lr+.| +00000280 ae db 46 06 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db |..F..M...>...B..| +00000290 fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 16 03 03 00 |.=.`.\!.;.......| +000002a0 04 0e 00 00 00 |.....| +>>> Flow 3 (client to server) +00000000 16 03 03 00 86 10 00 00 82 00 80 cc 4e 62 e0 bf |............Nb..| +00000010 21 65 dc f2 57 fb fe 6e e4 cc de b4 1f aa af 52 |!e..W..n.......R| +00000020 a4 e0 0e 1b fa 8b 23 4b d9 e2 4b 62 6a 26 80 f7 |......#K..Kbj&..| +00000030 15 82 ba 44 4a 18 b8 97 ca a1 79 4b 11 59 90 7d |...DJ.....yK.Y.}| +00000040 ea 89 7c f9 6b 5f 29 c7 ca 32 bf 3b 53 b2 bb bb |..|.k_)..2.;S...| +00000050 77 0a 5c 1f c2 d8 20 cf 59 19 4e a0 ff ef ca ca |w.\... .Y.N.....| +00000060 25 39 ac c7 64 b9 e8 68 09 f2 49 96 8e 49 c7 4c |%9..d..h..I..I.L| +00000070 cd ff 28 6f d8 0d d3 7a ae 7a 51 9e 04 70 8a 59 |..(o...z.zQ..p.Y| +00000080 8c 05 61 c9 2b bd e1 05 5a 12 63 14 03 03 00 01 |..a.+...Z.c.....| +00000090 01 16 03 03 00 40 ac 30 bb 83 2f e2 a1 98 a3 c5 |.....@.0../.....| +000000a0 9c e3 55 36 70 a0 10 fc 53 7e 2d ae f1 02 d7 04 |..U6p...S~-.....| +000000b0 1f 4e 5d ed 33 29 99 04 54 8e 51 74 d5 2a 73 21 |.N].3)..T.Qt.*s!| +000000c0 4f bf 8b 0c 04 b2 f2 d4 3e a7 f6 ee 8b fb 3a 0b |O.......>.....:.| +000000d0 86 27 7c a7 bb 32 |.'|..2| +>>> Flow 4 (server to client) +00000000 16 03 03 00 83 04 00 00 7f 00 00 00 00 00 79 00 |..............y.| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 |................| +00000020 6f 2d b0 ac 51 ed 14 ef 68 ca 42 c5 4c fa 53 68 |o-..Q...h.B.L.Sh| +00000030 d9 20 e9 d9 c1 9c 90 3b f2 e6 57 af 04 e5 db 6b |. .....;..W....k| +00000040 36 0b b5 b8 e2 a5 a4 bf 52 31 80 32 b9 da d9 32 |6.......R1.2...2| +00000050 36 e7 31 d3 22 78 12 ae 7a 80 ac fa 6d 49 38 16 |6.1."x..z...mI8.| +00000060 7e 51 5c e5 15 c0 58 7d d6 77 d5 17 1b d9 a8 74 |~Q\...X}.w.....t| +00000070 be 93 25 54 84 a7 1a 93 1f 20 a4 49 eb 26 e7 8e |..%T..... .I.&..| +00000080 d3 0f cf 9c 75 cc 6f 36 14 03 03 00 01 01 16 03 |....u.o6........| +00000090 03 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 |..@.............| +000000a0 00 00 00 eb f1 52 79 ff b8 6c 9c 23 f3 22 bc 96 |.....Ry..l.#."..| +000000b0 2a bc e7 73 05 32 4b 2e e4 5e 31 97 62 86 cc 12 |*..s.2K..^1.b...| +000000c0 ae 22 77 92 37 5d 82 41 57 48 aa f4 0a f3 94 30 |."w.7].AWH.....0| +000000d0 5d 06 7b 17 03 03 00 40 00 00 00 00 00 00 00 00 |].{....@........| +000000e0 00 00 00 00 00 00 00 00 8f 8d a7 06 a7 d6 52 5a |..............RZ| +000000f0 b9 66 5e ef e3 8d 1d 91 d0 6d 30 29 92 4e 6a 81 |.f^......m0).Nj.| +00000100 f4 77 97 06 de a8 c8 d1 4c 6b 15 07 1f 9b 59 6d |.w......Lk....Ym| +00000110 cb 4f 23 20 58 aa 22 21 15 03 03 00 30 00 00 00 |.O# X."!....0...| +00000120 00 00 00 00 00 00 00 00 00 00 00 00 00 06 55 3d |..............U=| +00000130 42 f5 12 b2 66 aa af 00 91 5e b8 31 ae 19 0e 35 |B...f....^.1...5| +00000140 a2 d7 a6 e7 0c 3c 2b 95 62 69 d7 a0 81 |.....<+.bi...| diff --git a/pkg/tls/testdata/Server-TLSv12-P256 b/pkg/tls/testdata/Server-TLSv12-P256 new file mode 100644 index 000000000..349857e94 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-P256 @@ -0,0 +1,84 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 7d 01 00 00 79 03 03 26 b5 ad b7 ec |....}...y..&....| +00000010 e9 2f d5 cc 9e c2 f6 6f dd ab c5 4b 2c 74 48 a5 |./.....o...K,tH.| +00000020 9c c5 21 41 fd 32 91 04 8f 1b 6c 00 00 04 cc a8 |..!A.2....l.....| +00000030 00 ff 01 00 00 4c 00 0b 00 04 03 00 01 02 00 0a |.....L..........| +00000040 00 04 00 02 00 17 00 16 00 00 00 17 00 00 00 0d |................| +00000050 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 |.0..............| +00000060 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 |................| +00000070 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 |................| +00000080 06 02 |..| +>>> Flow 2 (server to client) +00000000 16 03 03 00 3b 02 00 00 37 03 03 00 00 00 00 00 |....;...7.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 cc a8 00 00 |...DOWNGRD......| +00000030 0f ff 01 00 01 00 00 17 00 00 00 0b 00 02 01 00 |................| +00000040 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 4f 30 |....Y...U..R..O0| +00000050 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 00 e8 |..K0............| +00000060 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 86 f7 |..?.[..0...*.H..| +00000070 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 55 04 |......0.1.0...U.| +00000080 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 13 07 |...Go1.0...U....| +00000090 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 31 30 |Go Root0...16010| +000000a0 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 30 31 |1000000Z..250101| +000000b0 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 03 55 |000000Z0.1.0...U| +000000c0 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 03 13 |....Go1.0...U...| +000000d0 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d |.Go0..0...*.H...| +000000e0 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 |.........0......| +000000f0 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab 7e c4 |.F}...'.H..(!.~.| +00000100 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d 92 42 |..]..RE.z6G....B| +00000110 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd 2b 13 |[.....y.@.Om..+.| +00000120 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a 0b 74 |....g....."8.J.t| +00000130 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 9f 6c |s+.4......t{.X.l| +00000140 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c 3b bd |a<..A..++$#w[.;.| +00000150 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 1d 1a |u]. T..c...$....| +00000160 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 52 d7 |P....C...ub...R.| +00000170 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 03 55 |........0..0...U| +00000180 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 03 55 |...........0...U| +00000190 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 03 01 |.%..0...+.......| +000001a0 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 55 1d |..+.......0...U.| +000001b0 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d 0e 04 |......0.0...U...| +000001c0 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d b6 80 |.......CC>I..m..| +000001d0 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 80 10 |..`0...U.#..0...| +000001e0 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab 6e 7b |H.IM.~.1......n{| +000001f0 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 78 61 |0...U....0...exa| +00000200 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 09 2a |mple.golang0...*| +00000210 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 9d 30 |.H.............0| +00000220 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed 83 28 |.@+[P.a...SX...(| +00000230 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 3d 43 |.X..8....1Z..f=C| +00000240 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a 00 bc |.-...... d8.$:..| +00000250 cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 76 fd |..}.@ ._...a..v.| +00000260 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed 73 bb |.....\.....l..s.| +00000270 b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 4c 72 |.Cw.......@.a.Lr| +00000280 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 bd 42 |+...F..M...>...B| +00000290 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 16 03 |...=.`.\!.;.....| +000002a0 03 00 cd 0c 00 00 c9 03 00 17 41 04 1e 18 37 ef |..........A...7.| +000002b0 0d 19 51 88 35 75 71 b5 e5 54 5b 12 2e 8f 09 67 |..Q.5uq..T[....g| +000002c0 fd a7 24 20 3e b2 56 1c ce 97 28 5e f8 2b 2d 4f |..$ >.V...(^.+-O| +000002d0 9e f1 07 9f 6c 4b 5b 83 56 e2 32 42 e9 58 b6 d7 |....lK[.V.2B.X..| +000002e0 49 a6 b5 68 1a 41 03 56 6b dc 5a 89 08 04 00 80 |I..h.A.Vk.Z.....| +000002f0 ca 2e 5d 9c 99 56 e6 7a 60 e2 b6 65 09 2e 4f ee |..]..V.z`..e..O.| +00000300 5d 7f d0 c0 f6 01 fe 62 13 12 14 dd 4d c9 eb e5 |]......b....M...| +00000310 ee 27 ab 56 77 d1 0b 65 83 96 e5 72 ea 9a 78 85 |.'.Vw..e...r..x.| +00000320 07 e6 86 bf 58 84 a8 4d 08 4a 56 14 a6 7f 0c 5a |....X..M.JV....Z| +00000330 68 3c 6a 9e 0e 2a 70 6a 4f 58 96 45 f2 14 11 45 |h>> Flow 3 (client to server) +00000000 16 03 03 00 46 10 00 00 42 41 04 1c 05 a2 39 1b |....F...BA....9.| +00000010 b9 e6 ef 38 6d 6f fe 95 0e ef 8d 8a 1b 70 10 b6 |...8mo.......p..| +00000020 fc 0e 5f ee 0f 6e 08 b6 2d 4f 26 b1 5a af be f8 |.._..n..-O&.Z...| +00000030 77 72 e4 19 5d a3 91 c6 0c 72 a3 19 9f 20 4f 6e |wr..]....r... On| +00000040 75 91 ef 62 4f 1a aa 29 b2 75 6f 14 03 03 00 01 |u..bO..).uo.....| +00000050 01 16 03 03 00 20 44 af 52 7b ff ca cf 30 ce 71 |..... D.R{...0.q| +00000060 94 6d 90 2b 6d f3 0e a6 5d 60 15 29 b2 03 81 59 |.m.+m...]`.)...Y| +00000070 ec 37 a1 cf a5 79 |.7...y| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 20 af 15 24 30 06 |.......... ..$0.| +00000010 dd 4c 8b 8a 87 e1 f5 24 ac 36 bc 43 8d 89 20 19 |.L.....$.6.C.. .| +00000020 04 d2 9c 14 c4 af 24 30 bf ef 1e 17 03 03 00 1d |......$0........| +00000030 82 3b 55 e7 67 fe 89 bf 5b c1 7e d6 98 94 36 1f |.;U.g...[.~...6.| +00000040 74 f3 34 2b cb 95 48 ed 4d 33 64 b9 ce 15 03 03 |t.4+..H.M3d.....| +00000050 00 12 ca bf 01 54 b4 c3 b4 f8 04 87 6d 75 ef 8c |.....T......mu..| +00000060 c7 9d 1b 1c |....| diff --git a/pkg/tls/testdata/Server-TLSv12-RSA-3DES b/pkg/tls/testdata/Server-TLSv12-RSA-3DES new file mode 100644 index 000000000..0298d49ca --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-RSA-3DES @@ -0,0 +1,78 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 6d 01 00 00 69 03 03 6c 16 54 e2 20 |....m...i..l.T. | +00000010 da ff dc 37 ae f5 5d e2 77 32 fe 7b 7a cc 31 1f |...7..].w2.{z.1.| +00000020 f5 49 6e 75 89 27 b0 aa 67 e7 99 00 00 04 00 0a |.Inu.'..g.......| +00000030 00 ff 01 00 00 3c 00 16 00 00 00 17 00 00 00 0d |.....<..........| +00000040 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 |.0..............| +00000050 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 |................| +00000060 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 |................| +00000070 06 02 |..| +>>> Flow 2 (server to client) +00000000 16 03 03 00 35 02 00 00 31 03 03 00 00 00 00 00 |....5...1.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 00 0a 00 00 |...DOWNGRD......| +00000030 09 ff 01 00 01 00 00 17 00 00 16 03 03 02 59 0b |..............Y.| +00000040 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000050 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000060 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000070 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +00000080 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +00000090 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000a0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000b0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000c0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000d0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +000000e0 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +000000f0 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000100 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000110 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000120 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000130 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000140 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000150 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000160 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000170 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +00000180 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +00000190 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001a0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001b0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001c0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001d0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +000001e0 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +000001f0 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000200 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000210 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000220 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000230 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000240 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000250 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000260 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000270 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +00000280 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +00000290 84 5c 21 d3 3b e9 fa e7 16 03 03 00 04 0e 00 00 |.\!.;...........| +000002a0 00 |.| +>>> Flow 3 (client to server) +00000000 16 03 03 00 86 10 00 00 82 00 80 bc bb c4 2a df |..............*.| +00000010 56 75 8b 3e e1 cd 12 f8 58 29 4d 4d ab f0 12 0c |Vu.>....X)MM....| +00000020 d7 20 3b cb d5 68 5e c1 a4 03 89 f7 d4 f4 ee c9 |. ;..h^.........| +00000030 38 8e bb 42 de e4 fb c6 9f df db 7f af 6c ae b5 |8..B.........l..| +00000040 6a 99 70 3c 1e 88 38 22 aa 1e 81 51 1e 7d 36 31 |j.p<..8"...Q.}61| +00000050 4e d2 a9 08 c0 bc 11 d8 27 41 26 75 f3 35 74 74 |N.......'A&u.5tt| +00000060 ef 50 0e 2b bd da 41 ed 81 56 b9 e4 13 74 e9 80 |.P.+..A..V...t..| +00000070 9f a2 90 d1 fd 85 26 02 f3 aa 75 53 d9 58 bc 2f |......&...uS.X./| +00000080 3b e5 60 cb f8 ac e6 32 6e 5f 80 14 03 03 00 01 |;.`....2n_......| +00000090 01 16 03 03 00 30 8c e6 a6 6a 76 aa 84 32 0c 6b |.....0...jv..2.k| +000000a0 17 41 9d 56 46 46 5c 34 a1 37 d5 7f e6 ab 55 de |.A.VFF\4.7....U.| +000000b0 70 54 69 0a 6d 18 1c 14 87 ee 73 8b f9 57 37 2f |pTi.m.....s..W7/| +000000c0 2e bb 07 4c f1 a9 |...L..| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 30 00 00 00 00 00 |..........0.....| +00000010 00 00 00 49 b9 2a 89 cb 6e 15 d4 a6 f7 24 a5 3a |...I.*..n....$.:| +00000020 da f3 5b ac ff 43 a2 a6 5b 27 36 9c 6d 55 ba c8 |..[..C..['6.mU..| +00000030 f4 77 f7 44 8c bc a7 5e 3f c6 59 17 03 03 00 30 |.w.D...^?.Y....0| +00000040 00 00 00 00 00 00 00 00 44 44 d7 76 36 88 a6 84 |........DD.v6...| +00000050 02 27 40 d6 d1 bb a5 20 41 d5 06 66 3a 56 05 94 |.'@.... A..f:V..| +00000060 41 97 fc 85 95 70 28 85 7a 7a ce 43 71 5d ad a8 |A....p(.zz.Cq]..| +00000070 15 03 03 00 20 00 00 00 00 00 00 00 00 8e 63 57 |.... .........cW| +00000080 61 6d c1 0b ca ea 89 9e b4 9e 6d fb 9f 3b 2a fc |am........m..;*.| +00000090 a0 56 d1 21 5d |.V.!]| diff --git a/pkg/tls/testdata/Server-TLSv12-RSA-AES b/pkg/tls/testdata/Server-TLSv12-RSA-AES new file mode 100644 index 000000000..68a1cb1bc --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-RSA-AES @@ -0,0 +1,82 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 6d 01 00 00 69 03 03 0a b6 18 8a 8f |....m...i.......| +00000010 90 e2 fb ee cd e3 d5 62 53 17 45 bd b3 7f 53 4d |.......bS.E...SM| +00000020 4e 06 62 66 25 60 b1 3f 96 b0 21 00 00 04 00 2f |N.bf%`.?..!..../| +00000030 00 ff 01 00 00 3c 00 16 00 00 00 17 00 00 00 0d |.....<..........| +00000040 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 |.0..............| +00000050 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 |................| +00000060 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 |................| +00000070 06 02 |..| +>>> Flow 2 (server to client) +00000000 16 03 03 00 35 02 00 00 31 03 03 00 00 00 00 00 |....5...1.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 00 2f 00 00 |...DOWNGRD.../..| +00000030 09 ff 01 00 01 00 00 17 00 00 16 03 03 02 59 0b |..............Y.| +00000040 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000050 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000060 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000070 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +00000080 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +00000090 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000a0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000b0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000c0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000d0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +000000e0 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +000000f0 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000100 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000110 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000120 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000130 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000140 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000150 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000160 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000170 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +00000180 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +00000190 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001a0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001b0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001c0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001d0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +000001e0 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +000001f0 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000200 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000210 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000220 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000230 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000240 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000250 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000260 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000270 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +00000280 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +00000290 84 5c 21 d3 3b e9 fa e7 16 03 03 00 04 0e 00 00 |.\!.;...........| +000002a0 00 |.| +>>> Flow 3 (client to server) +00000000 16 03 03 00 86 10 00 00 82 00 80 19 dc d4 4c b0 |..............L.| +00000010 5c 30 24 b8 fd e1 cd 4e af bc c3 f5 78 12 8c 51 |\0$....N....x..Q| +00000020 a9 a9 ab fd 87 72 a4 bc 0c fc 87 5e 1d af 67 02 |.....r.....^..g.| +00000030 13 c5 c2 8c 00 5f 33 d1 86 43 50 b3 3a 1d b8 69 |....._3..CP.:..i| +00000040 b1 2f ce 82 cd 8d 31 0d 15 c1 fb af b3 47 64 57 |./....1......GdW| +00000050 38 24 33 46 03 d5 ba 33 36 a0 eb de 21 2b ae 64 |8$3F...36...!+.d| +00000060 cc 0c 43 fe a3 7b 34 a1 d2 de d5 85 ec ac c7 0d |..C..{4.........| +00000070 04 ec 63 62 ab fe 86 ba e9 ee 31 2c 09 84 13 6a |..cb......1,...j| +00000080 10 bc 0f 71 93 9d e8 c4 e3 f6 a9 14 03 03 00 01 |...q............| +00000090 01 16 03 03 00 40 b7 75 28 6e 6b 9a 60 8f fc 5b |.....@.u(nk.`..[| +000000a0 91 0a 16 54 ec b1 4b 55 b8 b2 5c 53 48 92 aa dc |...T..KU..\SH...| +000000b0 55 64 2c b0 dc 77 b4 6f 7a a9 23 9c 44 8b 74 64 |Ud,..w.oz.#.D.td| +000000c0 c5 28 ea c7 8d 97 9b c8 a3 ec 11 d7 93 81 08 20 |.(............. | +000000d0 9c 2f 79 32 92 45 |./y2.E| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 40 00 00 00 00 00 |..........@.....| +00000010 00 00 00 00 00 00 00 00 00 00 00 92 50 e8 02 a0 |............P...| +00000020 14 d6 03 5d db bb 29 21 09 a3 71 08 54 f3 5e 7c |...]..)!..q.T.^|| +00000030 9a 64 18 f3 4f 64 84 4d b7 e9 82 a8 2c 3b 46 70 |.d..Od.M....,;Fp| +00000040 cb cb de b5 e3 c3 12 d5 7b 6f 08 17 03 03 00 40 |........{o.....@| +00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000060 4f 4f fe dd e5 b1 38 6b b1 2f 5d 23 8b b2 34 b1 |OO....8k./]#..4.| +00000070 c6 9f 8d 32 83 5f b5 36 0b df a6 aa 3f 90 30 b7 |...2._.6....?.0.| +00000080 1d 66 26 89 29 ab 71 dc 00 14 d6 8e 7e 47 bd ee |.f&.).q.....~G..| +00000090 15 03 03 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........| +000000a0 00 00 00 00 00 e3 72 e5 7c 8c c6 f5 72 ba 37 52 |......r.|...r.7R| +000000b0 be 38 a0 a2 62 71 d9 f6 a2 9e b5 4a af 0f 13 3e |.8..bq.....J...>| +000000c0 3c 85 ab ea eb |<....| diff --git a/pkg/tls/testdata/Server-TLSv12-RSA-AES-GCM b/pkg/tls/testdata/Server-TLSv12-RSA-AES-GCM new file mode 100644 index 000000000..8d8c3b402 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-RSA-AES-GCM @@ -0,0 +1,81 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 85 01 00 00 81 03 03 6e 70 d5 90 98 |...........np...| +00000010 0a 70 40 22 4f 31 e8 7d a0 81 bd 22 e8 4e 97 8b |.p@"O1.}...".N..| +00000020 4d bb 3d d1 d6 2f 09 b9 bd 2f 43 00 00 04 c0 2f |M.=../.../C..../| +00000030 00 ff 01 00 00 54 00 0b 00 04 03 00 01 02 00 0a |.....T..........| +00000040 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................| +00000050 00 00 00 17 00 00 00 0d 00 30 00 2e 04 03 05 03 |.........0......| +00000060 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 |................| +00000070 08 06 04 01 05 01 06 01 03 03 02 03 03 01 02 01 |................| +00000080 03 02 02 02 04 02 05 02 06 02 |..........| +>>> Flow 2 (server to client) +00000000 16 03 03 00 3b 02 00 00 37 03 03 00 00 00 00 00 |....;...7.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 c0 2f 00 00 |...DOWNGRD.../..| +00000030 0f ff 01 00 01 00 00 17 00 00 00 0b 00 02 01 00 |................| +00000040 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 4f 30 |....Y...U..R..O0| +00000050 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 00 e8 |..K0............| +00000060 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 86 f7 |..?.[..0...*.H..| +00000070 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 55 04 |......0.1.0...U.| +00000080 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 13 07 |...Go1.0...U....| +00000090 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 31 30 |Go Root0...16010| +000000a0 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 30 31 |1000000Z..250101| +000000b0 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 03 55 |000000Z0.1.0...U| +000000c0 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 03 13 |....Go1.0...U...| +000000d0 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d |.Go0..0...*.H...| +000000e0 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 |.........0......| +000000f0 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab 7e c4 |.F}...'.H..(!.~.| +00000100 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d 92 42 |..]..RE.z6G....B| +00000110 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd 2b 13 |[.....y.@.Om..+.| +00000120 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a 0b 74 |....g....."8.J.t| +00000130 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 9f 6c |s+.4......t{.X.l| +00000140 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c 3b bd |a<..A..++$#w[.;.| +00000150 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 1d 1a |u]. T..c...$....| +00000160 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 52 d7 |P....C...ub...R.| +00000170 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 03 55 |........0..0...U| +00000180 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 03 55 |...........0...U| +00000190 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 03 01 |.%..0...+.......| +000001a0 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 55 1d |..+.......0...U.| +000001b0 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d 0e 04 |......0.0...U...| +000001c0 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d b6 80 |.......CC>I..m..| +000001d0 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 80 10 |..`0...U.#..0...| +000001e0 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab 6e 7b |H.IM.~.1......n{| +000001f0 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 78 61 |0...U....0...exa| +00000200 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 09 2a |mple.golang0...*| +00000210 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 9d 30 |.H.............0| +00000220 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed 83 28 |.@+[P.a...SX...(| +00000230 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 3d 43 |.X..8....1Z..f=C| +00000240 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a 00 bc |.-...... d8.$:..| +00000250 cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 76 fd |..}.@ ._...a..v.| +00000260 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed 73 bb |.....\.....l..s.| +00000270 b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 4c 72 |.Cw.......@.a.Lr| +00000280 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 bd 42 |+...F..M...>...B| +00000290 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 16 03 |...=.`.\!.;.....| +000002a0 03 00 ac 0c 00 00 a8 03 00 1d 20 2f e5 7d a3 47 |.......... /.}.G| +000002b0 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af |.bC.(.._.).0....| +000002c0 c4 cf c2 ed 90 99 5f 58 cb 3b 74 08 04 00 80 49 |......_X.;t....I| +000002d0 51 c7 81 cd e1 9f 67 83 76 7e 51 19 83 2a 34 47 |Q.....g.v~Q..*4G| +000002e0 5a e8 6d 13 dd e5 44 eb 1a 20 42 ac d3 65 e8 2e |Z.m...D.. B..e..| +000002f0 8d c5 79 56 e6 5e 26 00 9b 2a 80 16 d8 2e af 42 |..yV.^&..*.....B| +00000300 35 b7 0f f8 6a 41 87 b6 c5 6a 37 6e bc 17 5e a4 |5...jA...j7n..^.| +00000310 1f ba 93 33 98 92 92 2e 76 7b 49 55 8d 37 c2 c3 |...3....v{IU.7..| +00000320 d5 65 4a 73 84 28 6c 0a 4b 26 62 61 fa 46 0f 47 |.eJs.(l.K&ba.F.G| +00000330 d5 e5 99 05 57 23 76 6d c9 7b 0d 8d ff 91 98 eb |....W#vm.{......| +00000340 17 96 c0 00 a6 88 3c be 03 5b db e7 a5 84 ae 16 |......<..[......| +00000350 03 03 00 04 0e 00 00 00 |........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 7d 0c 38 84 cd 0b |....%...! }.8...| +00000010 d1 65 02 f7 ab 8b 8b 4e 8f 05 a5 ea 7a 32 db 1b |.e.....N....z2..| +00000020 e7 42 5b 2b 83 95 2b e1 aa 30 14 03 03 00 01 01 |.B[+..+..0......| +00000030 16 03 03 00 28 7d f6 5b 8f 2e 17 84 50 23 db ad |....(}.[....P#..| +00000040 47 84 59 ba e8 d7 ab c5 28 dc 06 51 aa 9c 7a d0 |G.Y.....(..Q..z.| +00000050 6e ae 27 90 e9 aa 92 9e 83 6f 4e eb 6a |n.'......oN.j| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 28 00 00 00 00 00 |..........(.....| +00000010 00 00 00 a5 ec 31 bb 01 5d a3 15 01 22 88 0e f1 |.....1..]..."...| +00000020 2a 21 18 47 10 64 3d f0 d0 fb f8 fd 27 ed 34 88 |*!.G.d=.....'.4.| +00000030 c1 b5 b3 17 03 03 00 25 00 00 00 00 00 00 00 01 |.......%........| +00000040 e4 3c 6a db 2b a9 59 64 d1 3f 4b a0 98 37 52 03 |.>> Flow 1 (client to server) +00000000 16 03 01 00 85 01 00 00 81 03 03 0f 5a 3f b1 98 |............Z?..| +00000010 d1 40 d3 93 3a cf 86 50 56 51 7a b4 1d f5 c8 53 |.@..:..PVQz....S| +00000020 74 9e 5b c3 27 a3 7d fe a3 4a 73 00 00 04 c0 30 |t.[.'.}..Js....0| +00000030 00 ff 01 00 00 54 00 0b 00 04 03 00 01 02 00 0a |.....T..........| +00000040 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................| +00000050 00 00 00 17 00 00 00 0d 00 30 00 2e 04 03 05 03 |.........0......| +00000060 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 |................| +00000070 08 06 04 01 05 01 06 01 03 03 02 03 03 01 02 01 |................| +00000080 03 02 02 02 04 02 05 02 06 02 |..........| +>>> Flow 2 (server to client) +00000000 16 03 03 00 3b 02 00 00 37 03 03 00 00 00 00 00 |....;...7.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 c0 30 00 00 |...DOWNGRD...0..| +00000030 0f ff 01 00 01 00 00 17 00 00 00 0b 00 02 01 00 |................| +00000040 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 4f 30 |....Y...U..R..O0| +00000050 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 00 e8 |..K0............| +00000060 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 86 f7 |..?.[..0...*.H..| +00000070 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 55 04 |......0.1.0...U.| +00000080 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 13 07 |...Go1.0...U....| +00000090 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 31 30 |Go Root0...16010| +000000a0 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 30 31 |1000000Z..250101| +000000b0 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 03 55 |000000Z0.1.0...U| +000000c0 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 03 13 |....Go1.0...U...| +000000d0 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d |.Go0..0...*.H...| +000000e0 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 |.........0......| +000000f0 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab 7e c4 |.F}...'.H..(!.~.| +00000100 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d 92 42 |..]..RE.z6G....B| +00000110 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd 2b 13 |[.....y.@.Om..+.| +00000120 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a 0b 74 |....g....."8.J.t| +00000130 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 9f 6c |s+.4......t{.X.l| +00000140 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c 3b bd |a<..A..++$#w[.;.| +00000150 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 1d 1a |u]. T..c...$....| +00000160 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 52 d7 |P....C...ub...R.| +00000170 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 03 55 |........0..0...U| +00000180 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 03 55 |...........0...U| +00000190 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 03 01 |.%..0...+.......| +000001a0 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 55 1d |..+.......0...U.| +000001b0 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d 0e 04 |......0.0...U...| +000001c0 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d b6 80 |.......CC>I..m..| +000001d0 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 80 10 |..`0...U.#..0...| +000001e0 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab 6e 7b |H.IM.~.1......n{| +000001f0 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 78 61 |0...U....0...exa| +00000200 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 09 2a |mple.golang0...*| +00000210 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 9d 30 |.H.............0| +00000220 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed 83 28 |.@+[P.a...SX...(| +00000230 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 3d 43 |.X..8....1Z..f=C| +00000240 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a 00 bc |.-...... d8.$:..| +00000250 cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 76 fd |..}.@ ._...a..v.| +00000260 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed 73 bb |.....\.....l..s.| +00000270 b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 4c 72 |.Cw.......@.a.Lr| +00000280 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 bd 42 |+...F..M...>...B| +00000290 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 16 03 |...=.`.\!.;.....| +000002a0 03 00 ac 0c 00 00 a8 03 00 1d 20 2f e5 7d a3 47 |.......... /.}.G| +000002b0 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af |.bC.(.._.).0....| +000002c0 c4 cf c2 ed 90 99 5f 58 cb 3b 74 08 04 00 80 da |......_X.;t.....| +000002d0 4d 5e f1 10 1f ed 70 d1 88 7a 22 79 6e 5c c9 4c |M^....p..z"yn\.L| +000002e0 e3 e7 a2 bd f4 3d f4 75 dc a3 85 5e f1 af 55 6f |.....=.u...^..Uo| +000002f0 e3 36 21 c6 8a 44 e9 58 29 89 32 4d 14 90 9d 1b |.6!..D.X).2M....| +00000300 bd 0e fa c3 eb 40 5d 05 5d ba 58 55 3e f9 30 b8 |.....@].].XU>.0.| +00000310 8f 56 35 71 12 33 92 0e 14 f9 90 2c ee 36 03 50 |.V5q.3.....,.6.P| +00000320 1c f6 76 a7 99 3e fd bb 5f 21 96 c5 56 1e ed 28 |..v..>.._!..V..(| +00000330 00 0b cd ac cd 70 1a 7e 2d 2d 7d 1d 76 7d e6 89 |.....p.~--}.v}..| +00000340 ba 35 dc e1 9f 48 39 ff 9e a9 48 77 8e d3 71 16 |.5...H9...Hw..q.| +00000350 03 03 00 04 0e 00 00 00 |........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 80 4d 7d 95 1c e0 |....%...! .M}...| +00000010 d5 c1 f6 6d 43 92 08 23 82 cb 30 e0 d7 15 d8 51 |...mC..#..0....Q| +00000020 14 2f 8a 1c 3a 07 be d9 96 54 14 03 03 00 01 01 |./..:....T......| +00000030 16 03 03 00 28 00 a6 4e 03 ff 76 94 d4 b8 c6 c5 |....(..N..v.....| +00000040 7d 4d 2b 7e 5d 4f 5c b8 5a 78 46 c9 0f ce 57 7f |}M+~]O\.ZxF...W.| +00000050 02 a0 1a 83 b1 92 3f 96 ce 8a 00 8f 30 |......?.....0| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 28 00 00 00 00 00 |..........(.....| +00000010 00 00 00 2f ec 4b c3 a6 99 1f ab 91 62 01 d5 e6 |.../.K......b...| +00000020 93 23 20 7e b8 61 be 90 a0 10 e3 f1 8a 82 f9 bc |.# ~.a..........| +00000030 27 fe 65 17 03 03 00 25 00 00 00 00 00 00 00 01 |'.e....%........| +00000040 54 bd d1 e8 02 9a ab fa 2f d1 19 e9 45 81 05 d1 |T......./...E...| +00000050 ba d2 d7 77 54 88 cc fe 14 b3 3b d1 28 15 03 03 |...wT.....;.(...| +00000060 00 1a 00 00 00 00 00 00 00 02 de 3f 93 32 6e f5 |...........?.2n.| +00000070 07 60 ed 65 6f 81 62 90 52 f6 4a a2 |.`.eo.b.R.J.| diff --git a/pkg/tls/testdata/Server-TLSv12-RSA-RC4 b/pkg/tls/testdata/Server-TLSv12-RSA-RC4 new file mode 100644 index 000000000..30b00f653 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-RSA-RC4 @@ -0,0 +1,74 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 6d 01 00 00 69 03 03 dd 92 e1 75 15 |....m...i.....u.| +00000010 1d 9f 00 c5 2b 8a 14 86 aa 93 7c c0 32 2a 29 14 |....+.....|.2*).| +00000020 38 75 ce 62 a7 df c1 4a eb 1e 0c 00 00 04 00 05 |8u.b...J........| +00000030 00 ff 01 00 00 3c 00 16 00 00 00 17 00 00 00 0d |.....<..........| +00000040 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 |.0..............| +00000050 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 |................| +00000060 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 |................| +00000070 06 02 |..| +>>> Flow 2 (server to client) +00000000 16 03 03 00 35 02 00 00 31 03 03 00 00 00 00 00 |....5...1.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 00 05 00 00 |...DOWNGRD......| +00000030 09 ff 01 00 01 00 00 17 00 00 16 03 03 02 59 0b |..............Y.| +00000040 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000050 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000060 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000070 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +00000080 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +00000090 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000a0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000b0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000c0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000d0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +000000e0 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +000000f0 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000100 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000110 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000120 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000130 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000140 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000150 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000160 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000170 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +00000180 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +00000190 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001a0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001b0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001c0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001d0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +000001e0 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +000001f0 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000200 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000210 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000220 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000230 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000240 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000250 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000260 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000270 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +00000280 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +00000290 84 5c 21 d3 3b e9 fa e7 16 03 03 00 04 0e 00 00 |.\!.;...........| +000002a0 00 |.| +>>> Flow 3 (client to server) +00000000 16 03 03 00 86 10 00 00 82 00 80 8d bb 5a 48 87 |.............ZH.| +00000010 95 ca 2d eb a8 47 de 35 4d 70 3e 89 a1 ce c5 8d |..-..G.5Mp>.....| +00000020 02 95 f6 ac e6 2f 1f ae c5 4a 82 08 22 d5 89 0b |...../...J.."...| +00000030 c1 0e be 18 39 d0 e9 e5 ed 87 92 6e 61 3f 68 e5 |....9......na?h.| +00000040 ed 1d a5 cc 43 d1 42 28 be 4d 31 11 27 f7 dd 25 |....C.B(.M1.'..%| +00000050 58 b7 fc 76 bb 7c 06 d8 c2 69 0a 87 2b 54 bf 4e |X..v.|...i..+T.N| +00000060 8a fa 54 db 78 d4 98 51 21 e4 32 28 49 31 51 c0 |..T.x..Q!.2(I1Q.| +00000070 a8 7e f0 97 d9 f3 f7 18 d7 a9 74 79 4d 2f 3f df |.~........tyM/?.| +00000080 b1 25 88 9e 15 cf 94 42 15 68 65 14 03 03 00 01 |.%.....B.he.....| +00000090 01 16 03 03 00 24 cb ac 7c 7c 16 02 a9 08 c3 53 |.....$..||.....S| +000000a0 b8 0e ee 24 fa 51 e0 ce 37 40 e7 f2 ab 93 3d 81 |...$.Q..7@....=.| +000000b0 58 49 96 0e e7 54 43 67 42 1b |XI...TCgB.| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 24 e4 2f 5e 7f 6f |..........$./^.o| +00000010 46 22 85 a0 2d 5a fd 36 0b 9f eb 26 80 89 1d 7e |F"..-Z.6...&...~| +00000020 ca 57 a7 f5 5d 54 1c e4 85 77 f5 28 54 a5 15 17 |.W..]T...w.(T...| +00000030 03 03 00 21 84 a2 f5 c9 e4 df b4 31 8a cf 04 77 |...!.......1...w| +00000040 22 ab 93 9a ae d2 45 d0 d1 7d 42 11 92 b6 b5 1c |".....E..}B.....| +00000050 ac 60 0b d1 9e 15 03 03 00 16 ed f3 12 75 df bc |.`...........u..| +00000060 32 e6 c3 fa 74 7a 32 c6 d7 21 67 0a df be b1 15 |2...tz2..!g.....| diff --git a/pkg/tls/testdata/Server-TLSv12-RSA-RSAPKCS1v15 b/pkg/tls/testdata/Server-TLSv12-RSA-RSAPKCS1v15 new file mode 100644 index 000000000..1c7bceae0 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-RSA-RSAPKCS1v15 @@ -0,0 +1,77 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 59 01 00 00 55 03 03 01 3d 46 ff b5 |....Y...U...=F..| +00000010 47 eb 03 bd 9b 27 66 92 92 db 11 f9 58 1d 21 ba |G....'f.....X.!.| +00000020 b9 51 90 81 d0 8f 7e 3c cd 7b b8 00 00 04 cc a8 |.Q....~<.{......| +00000030 00 ff 01 00 00 28 00 0b 00 04 03 00 01 02 00 0a |.....(..........| +00000040 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................| +00000050 00 00 00 17 00 00 00 0d 00 04 00 02 04 01 |..............| +>>> Flow 2 (server to client) +00000000 16 03 03 00 3b 02 00 00 37 03 03 00 00 00 00 00 |....;...7.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 cc a8 00 00 |...DOWNGRD......| +00000030 0f ff 01 00 01 00 00 17 00 00 00 0b 00 02 01 00 |................| +00000040 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 4f 30 |....Y...U..R..O0| +00000050 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 00 e8 |..K0............| +00000060 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 86 f7 |..?.[..0...*.H..| +00000070 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 55 04 |......0.1.0...U.| +00000080 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 13 07 |...Go1.0...U....| +00000090 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 31 30 |Go Root0...16010| +000000a0 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 30 31 |1000000Z..250101| +000000b0 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 03 55 |000000Z0.1.0...U| +000000c0 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 03 13 |....Go1.0...U...| +000000d0 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d |.Go0..0...*.H...| +000000e0 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 |.........0......| +000000f0 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab 7e c4 |.F}...'.H..(!.~.| +00000100 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d 92 42 |..]..RE.z6G....B| +00000110 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd 2b 13 |[.....y.@.Om..+.| +00000120 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a 0b 74 |....g....."8.J.t| +00000130 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 9f 6c |s+.4......t{.X.l| +00000140 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c 3b bd |a<..A..++$#w[.;.| +00000150 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 1d 1a |u]. T..c...$....| +00000160 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 52 d7 |P....C...ub...R.| +00000170 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 03 55 |........0..0...U| +00000180 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 03 55 |...........0...U| +00000190 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 03 01 |.%..0...+.......| +000001a0 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 55 1d |..+.......0...U.| +000001b0 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d 0e 04 |......0.0...U...| +000001c0 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d b6 80 |.......CC>I..m..| +000001d0 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 80 10 |..`0...U.#..0...| +000001e0 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab 6e 7b |H.IM.~.1......n{| +000001f0 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 78 61 |0...U....0...exa| +00000200 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 09 2a |mple.golang0...*| +00000210 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 9d 30 |.H.............0| +00000220 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed 83 28 |.@+[P.a...SX...(| +00000230 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 3d 43 |.X..8....1Z..f=C| +00000240 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a 00 bc |.-...... d8.$:..| +00000250 cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 76 fd |..}.@ ._...a..v.| +00000260 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed 73 bb |.....\.....l..s.| +00000270 b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 4c 72 |.Cw.......@.a.Lr| +00000280 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 bd 42 |+...F..M...>...B| +00000290 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 16 03 |...=.`.\!.;.....| +000002a0 03 00 ac 0c 00 00 a8 03 00 1d 20 2f e5 7d a3 47 |.......... /.}.G| +000002b0 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af |.bC.(.._.).0....| +000002c0 c4 cf c2 ed 90 99 5f 58 cb 3b 74 04 01 00 80 21 |......_X.;t....!| +000002d0 b5 82 7e 5a 7d 93 55 15 db e1 eb cc 62 8d f8 45 |..~Z}.U.....b..E| +000002e0 2f e0 5d 57 51 08 80 86 b6 43 85 0f be f7 49 ca |/.]WQ....C....I.| +000002f0 97 f2 f1 20 51 e6 29 8d c6 88 91 e3 60 8c 88 69 |... Q.).....`..i| +00000300 73 9b 38 70 ad 2f 5b 44 62 05 05 20 28 92 57 f9 |s.8p./[Db.. (.W.| +00000310 51 6e 6b 8c b7 3f c3 6e a3 53 b9 bd 02 bd 69 ae |Qnk..?.n.S....i.| +00000320 ee 5f 96 57 7b a2 02 86 70 33 6b e7 ad 03 25 13 |._.W{...p3k...%.| +00000330 10 f8 d7 cb 2e 33 b2 1f 53 64 77 d1 e5 8a 32 bc |.....3..Sdw...2.| +00000340 e0 bc 65 9d 94 de fb 9a d5 66 00 7a 79 dc da 16 |..e......f.zy...| +00000350 03 03 00 04 0e 00 00 00 |........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 6d d3 b6 6a f0 ac |....%...! m..j..| +00000010 40 6e e8 73 db a2 04 41 6a 7f c1 cc ae 13 44 e1 |@n.s...Aj.....D.| +00000020 1c f4 5a 59 1b 88 4b a8 89 61 14 03 03 00 01 01 |..ZY..K..a......| +00000030 16 03 03 00 20 5f 09 a4 44 8e a8 6d 09 14 32 05 |.... _..D..m..2.| +00000040 ce ae f9 ad ad a2 d9 45 77 be e2 2c bd 97 22 1a |.......Ew..,..".| +00000050 7d 3b 54 db 82 |};T..| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 20 54 52 24 a8 3a |.......... TR$.:| +00000010 e3 45 a2 49 1c c5 10 62 6e d1 32 fe 70 0f 32 e0 |.E.I...bn.2.p.2.| +00000020 fc 95 22 81 32 38 ab f2 0a ba 6c 17 03 03 00 1d |..".28....l.....| +00000030 b7 a9 2a a5 ad e5 9e 39 cc a9 bc 81 ef a1 67 e1 |..*....9......g.| +00000040 85 08 9f f4 e7 04 c8 0b 0d fd 5c ec 94 15 03 03 |..........\.....| +00000050 00 12 d7 18 99 08 6c 98 dc 05 20 19 cd dd f2 29 |......l... ....)| +00000060 14 3c cf 31 |.<.1| diff --git a/pkg/tls/testdata/Server-TLSv12-RSA-RSAPSS b/pkg/tls/testdata/Server-TLSv12-RSA-RSAPSS new file mode 100644 index 000000000..46ee1aae4 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-RSA-RSAPSS @@ -0,0 +1,77 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 5b 01 00 00 57 03 03 ee 47 d0 cd 83 |....[...W...G...| +00000010 ff 1e f3 45 81 2e 59 6a 84 da c9 29 bd b0 8b f5 |...E..Yj...)....| +00000020 3c 47 58 b0 94 59 33 9a f6 00 2d 00 00 04 cc a8 |>> Flow 2 (server to client) +00000000 16 03 03 00 3b 02 00 00 37 03 03 00 00 00 00 00 |....;...7.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 cc a8 00 00 |...DOWNGRD......| +00000030 0f ff 01 00 01 00 00 17 00 00 00 0b 00 02 01 00 |................| +00000040 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 4f 30 |....Y...U..R..O0| +00000050 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 00 e8 |..K0............| +00000060 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 86 f7 |..?.[..0...*.H..| +00000070 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 55 04 |......0.1.0...U.| +00000080 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 13 07 |...Go1.0...U....| +00000090 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 31 30 |Go Root0...16010| +000000a0 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 30 31 |1000000Z..250101| +000000b0 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 03 55 |000000Z0.1.0...U| +000000c0 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 03 13 |....Go1.0...U...| +000000d0 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d |.Go0..0...*.H...| +000000e0 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 |.........0......| +000000f0 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab 7e c4 |.F}...'.H..(!.~.| +00000100 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d 92 42 |..]..RE.z6G....B| +00000110 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd 2b 13 |[.....y.@.Om..+.| +00000120 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a 0b 74 |....g....."8.J.t| +00000130 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 9f 6c |s+.4......t{.X.l| +00000140 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c 3b bd |a<..A..++$#w[.;.| +00000150 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 1d 1a |u]. T..c...$....| +00000160 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 52 d7 |P....C...ub...R.| +00000170 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 03 55 |........0..0...U| +00000180 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 03 55 |...........0...U| +00000190 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 03 01 |.%..0...+.......| +000001a0 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 55 1d |..+.......0...U.| +000001b0 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d 0e 04 |......0.0...U...| +000001c0 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d b6 80 |.......CC>I..m..| +000001d0 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 80 10 |..`0...U.#..0...| +000001e0 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab 6e 7b |H.IM.~.1......n{| +000001f0 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 78 61 |0...U....0...exa| +00000200 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 09 2a |mple.golang0...*| +00000210 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 9d 30 |.H.............0| +00000220 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed 83 28 |.@+[P.a...SX...(| +00000230 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 3d 43 |.X..8....1Z..f=C| +00000240 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a 00 bc |.-...... d8.$:..| +00000250 cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 76 fd |..}.@ ._...a..v.| +00000260 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed 73 bb |.....\.....l..s.| +00000270 b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 4c 72 |.Cw.......@.a.Lr| +00000280 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 bd 42 |+...F..M...>...B| +00000290 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 16 03 |...=.`.\!.;.....| +000002a0 03 00 ac 0c 00 00 a8 03 00 1d 20 2f e5 7d a3 47 |.......... /.}.G| +000002b0 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af |.bC.(.._.).0....| +000002c0 c4 cf c2 ed 90 99 5f 58 cb 3b 74 08 04 00 80 95 |......_X.;t.....| +000002d0 e0 3f 63 8b d7 e0 51 5a eb ea 5e de ce da 62 02 |.?c...QZ..^...b.| +000002e0 7d 7d 42 7f 9f db 53 a2 a9 e5 be b4 32 47 65 9a |}}B...S.....2Ge.| +000002f0 cc d6 9f ee 4c bc 28 7d 27 00 69 e2 fa fd fa 65 |....L.(}'.i....e| +00000300 a0 3d c1 00 85 a9 28 8c d1 9b 6d 49 2f 84 17 b0 |.=....(...mI/...| +00000310 59 cd ac 79 a8 6d cc 8a a0 05 e9 ca e8 df 14 2d |Y..y.m.........-| +00000320 a0 59 a3 75 a6 c6 ec 91 37 e1 e6 dc 6d d8 74 96 |.Y.u....7...m.t.| +00000330 95 bc ff 11 ca fe 91 4a d6 9e d7 73 5f bd 28 6a |.......J...s_.(j| +00000340 23 6d c5 2b ee 25 17 6c e1 50 c1 f9 42 7e 3c 16 |#m.+.%.l.P..B~<.| +00000350 03 03 00 04 0e 00 00 00 |........| +>>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 51 de e0 c4 a5 8f |....%...! Q.....| +00000010 ee 05 c5 d5 a2 ce 9c 4a 19 6d 14 cb 61 88 a6 fe |.......J.m..a...| +00000020 38 24 b6 4e d7 f0 c5 27 97 32 14 03 03 00 01 01 |8$.N...'.2......| +00000030 16 03 03 00 20 0e 14 d4 f5 c2 10 a1 80 b3 b4 90 |.... ...........| +00000040 17 43 1f 22 69 78 00 bb 87 c3 78 23 8e 03 8f c4 |.C."ix....x#....| +00000050 28 1c f8 42 e6 |(..B.| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 20 6f a9 ff 13 fb |.......... o....| +00000010 85 fa e4 fc cd ca 74 59 21 cd 3c fd 73 43 a2 48 |......tY!.<.sC.H| +00000020 f5 cf cd f7 9b 24 1d db 8a 52 a6 17 03 03 00 1d |.....$...R......| +00000030 63 25 92 b2 0c f7 d1 92 83 95 3c 13 ee 78 4c c1 |c%........<..xL.| +00000040 60 66 60 ed 8e 86 5b 1d 2d 1b a5 ab 38 15 03 03 |`f`...[.-...8...| +00000050 00 12 d5 3c b4 59 87 f5 45 fc 68 9b 03 7e 5b 97 |...<.Y..E.h..~[.| +00000060 c1 83 13 33 |...3| diff --git a/pkg/tls/testdata/Server-TLSv12-Resume b/pkg/tls/testdata/Server-TLSv12-Resume new file mode 100644 index 000000000..cd0a1240b --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-Resume @@ -0,0 +1,54 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 01 0a 01 00 01 06 03 03 2d b6 ca ea 39 |...........-...9| +00000010 59 17 86 df 90 2f 73 e0 a0 5c 6e 28 09 78 69 d6 |Y..../s..\n(.xi.| +00000020 30 06 b7 7b 17 a9 79 30 2a d8 57 20 c5 5c ed 86 |0..{..y0*.W .\..| +00000030 15 f4 3b c8 d2 5f 7a 80 2a 6a cd 40 c2 da 6f a8 |..;.._z.*j.@..o.| +00000040 cd d7 e7 bf 48 bd fb a1 e9 4b 9b a9 00 04 00 2f |....H....K...../| +00000050 00 ff 01 00 00 b9 00 23 00 79 00 00 00 00 00 00 |.......#.y......| +00000060 00 00 00 00 00 00 00 00 00 00 94 6f 2d b0 ac 51 |...........o-..Q| +00000070 ed 14 ef 68 ca 42 c5 4c 85 f6 26 0d a4 ad a8 f5 |...h.B.L..&.....| +00000080 14 64 4f b9 c3 fb 1e 55 c1 1f c7 31 57 72 68 db |.dO....U...1Wrh.| +00000090 03 37 a8 c9 07 f4 ca 62 6c 5c f3 8b 5a 3d 76 dd |.7.....bl\..Z=v.| +000000a0 63 ea 68 61 6b a1 2d 95 49 38 16 7e 51 5c e5 15 |c.hak.-.I8.~Q\..| +000000b0 c0 58 7d c5 67 4a 6f 64 b6 79 1a 41 9b b1 33 15 |.X}.gJod.y.A..3.| +000000c0 38 74 92 5c a5 48 c3 f2 94 bb 33 ec af cf d7 e7 |8t.\.H....3.....| +000000d0 c9 3e 35 00 16 00 00 00 17 00 00 00 0d 00 30 00 |.>5...........0.| +000000e0 2e 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 |................| +000000f0 0b 08 04 08 05 08 06 04 01 05 01 06 01 03 03 02 |................| +00000100 03 03 01 02 01 03 02 02 02 04 02 05 02 06 02 |...............| +>>> Flow 2 (server to client) +00000000 16 03 03 00 59 02 00 00 55 03 03 00 00 00 00 00 |....Y...U.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 20 c5 5c ed 86 |...DOWNGRD. .\..| +00000030 15 f4 3b c8 d2 5f 7a 80 2a 6a cd 40 c2 da 6f a8 |..;.._z.*j.@..o.| +00000040 cd d7 e7 bf 48 bd fb a1 e9 4b 9b a9 00 2f 00 00 |....H....K.../..| +00000050 0d 00 23 00 00 ff 01 00 01 00 00 17 00 00 16 03 |..#.............| +00000060 03 00 83 04 00 00 7f 00 00 00 00 00 79 00 00 00 |............y...| +00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 94 6f 2d |..............o-| +00000080 b0 ac 51 ed 14 ef 68 ca 42 c5 4c 85 f6 26 0d a4 |..Q...h.B.L..&..| +00000090 ad a8 f5 14 64 4f b9 c3 fb 1e 55 c1 1f c7 31 57 |....dO....U...1W| +000000a0 72 68 db 03 37 a8 c9 07 f4 ca 62 6c 5c f3 8b 5a |rh..7.....bl\..Z| +000000b0 3d 76 dd 63 ea 68 61 6b a1 2d 95 49 38 16 7e 51 |=v.c.hak.-.I8.~Q| +000000c0 5c e5 15 c0 58 7d c5 67 4a 6f 64 b6 79 1a 41 9b |\...X}.gJod.y.A.| +000000d0 b1 33 15 38 74 92 5c a5 48 c3 f2 94 bb 33 ec af |.3.8t.\.H....3..| +000000e0 cf d7 e7 c9 3e 35 14 03 03 00 01 01 16 03 03 00 |....>5..........| +000000f0 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |@...............| +00000100 00 47 68 3a 66 5b d6 ed b7 60 a9 fb e8 37 d6 9d |.Gh:f[...`...7..| +00000110 a6 b9 4d d5 f3 9f 0f c6 3c 21 6e d5 80 08 a8 34 |..M.......k| +00000130 40 |@| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 16 03 03 00 40 46 34 b3 97 54 |..........@F4..T| +00000010 20 5b 95 f3 22 f8 a1 89 c8 95 93 ba 7b a4 a8 8f | [..".......{...| +00000020 46 a8 d6 c1 b3 ac f0 e0 49 3d 8d e4 1c ac b8 a4 |F.......I=......| +00000030 01 21 5e d8 f0 f5 10 10 f7 de 8b 33 9d 94 cf f6 |.!^........3....| +00000040 f2 9b 39 22 5c e6 c0 5e b4 1d cd |..9"\..^...| +>>> Flow 4 (server to client) +00000000 17 03 03 00 40 00 00 00 00 00 00 00 00 00 00 00 |....@...........| +00000010 00 00 00 00 00 5c bc 45 06 2e d3 7b 30 99 a6 af |.....\.E...{0...| +00000020 64 0e 63 93 73 6f 0a e7 a4 1d ac 94 25 11 a5 63 |d.c.so......%..c| +00000030 8d b2 44 aa 98 44 f8 b5 51 ea 2c fb 26 99 f6 a4 |..D..D..Q.,.&...| +00000040 2c f8 15 c3 90 15 03 03 00 30 00 00 00 00 00 00 |,........0......| +00000050 00 00 00 00 00 00 00 00 00 00 c6 58 8e 7c 97 de |...........X.|..| +00000060 3b b8 39 cd 7b 1d 67 77 27 da 93 39 52 a7 81 9b |;.9.{.gw'..9R...| +00000070 ab 5a bc e9 00 1a 64 3a ca f5 |.Z....d:..| diff --git a/pkg/tls/testdata/Server-TLSv12-ResumeDisabled b/pkg/tls/testdata/Server-TLSv12-ResumeDisabled new file mode 100644 index 000000000..9110f5435 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-ResumeDisabled @@ -0,0 +1,91 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 01 06 01 00 01 02 03 03 dc 6d 25 a7 37 |............m%.7| +00000010 5a 18 ef e8 ba a7 4b cb 25 8b 5a 61 bd fd 99 56 |Z.....K.%.Za...V| +00000020 a8 7f 10 26 f7 f4 e9 3e 16 89 ce 20 ac c3 35 13 |...&...>... ..5.| +00000030 d1 28 31 15 15 2d 6b e9 50 20 07 2c c5 48 6c 21 |.(1..-k.P .,.Hl!| +00000040 78 bf c9 7c c4 39 e7 2e 0a ed 71 21 00 04 00 2f |x..|.9....q!.../| +00000050 00 ff 01 00 00 b5 00 23 00 75 00 00 00 00 00 00 |.......#.u......| +00000060 00 00 00 00 00 00 00 00 00 00 94 6f 2d b0 ac 51 |...........o-..Q| +00000070 ed 14 ef 68 ca 42 c5 4c 22 21 0e 9f b0 e7 07 47 |...h.B.L"!.....G| +00000080 1d 09 01 ee 9b 67 49 2f 06 cb 51 1b d9 33 b3 ff |.....gI/..Q..3..| +00000090 30 6c d4 a3 d6 6b 49 aa f8 2e 20 35 79 5a 76 91 |0l...kI... 5yZv.| +000000a0 46 71 26 91 22 4f 32 50 49 38 16 7f 51 5c e5 47 |Fq&."O2PI8..Q\.G| +000000b0 26 64 f4 0c dd 12 66 59 0d 8f 92 07 ab ff 68 01 |&d....fY......h.| +000000c0 0d d5 54 06 2d 08 b1 09 a1 3c ff f9 bc 78 03 00 |..T.-....<...x..| +000000d0 16 00 00 00 17 00 00 00 0d 00 30 00 2e 04 03 05 |..........0.....| +000000e0 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 |................| +000000f0 05 08 06 04 01 05 01 06 01 03 03 02 03 03 01 02 |................| +00000100 01 03 02 02 02 04 02 05 02 06 02 |...........| +>>> Flow 2 (server to client) +00000000 16 03 03 00 35 02 00 00 31 03 03 00 00 00 00 00 |....5...1.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 00 2f 00 00 |...DOWNGRD.../..| +00000030 09 ff 01 00 01 00 00 17 00 00 16 03 03 02 59 0b |..............Y.| +00000040 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000050 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000060 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000070 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +00000080 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +00000090 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000a0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000b0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000c0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000d0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +000000e0 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +000000f0 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000100 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000110 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000120 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000130 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000140 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000150 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000160 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000170 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +00000180 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +00000190 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001a0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001b0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001c0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001d0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +000001e0 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +000001f0 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000200 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000210 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000220 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000230 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000240 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000250 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000260 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000270 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +00000280 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +00000290 84 5c 21 d3 3b e9 fa e7 16 03 03 00 04 0e 00 00 |.\!.;...........| +000002a0 00 |.| +>>> Flow 3 (client to server) +00000000 16 03 03 00 86 10 00 00 82 00 80 c0 3f 68 b7 3f |............?h.?| +00000010 6c 1f de 6b 2d 67 9e 1b 13 13 ad 67 d8 0f b2 b1 |l..k-g.....g....| +00000020 95 17 e7 0b e1 ba 6f 93 20 43 aa c7 a4 02 8e 38 |......o. C.....8| +00000030 01 6b 53 55 33 6e 82 ea 70 d7 e2 a6 bd be 57 2d |.kSU3n..p.....W-| +00000040 85 1c 4a 28 30 42 34 e6 f9 38 9c 59 ed 1c fc ff |..J(0B4..8.Y....| +00000050 19 0f 1d 71 f1 4b 2a 7a b1 c6 d9 11 a5 5e ca 1c |...q.K*z.....^..| +00000060 14 70 71 4c 3a c8 8d ca d9 4b 57 f8 76 2c 8f 89 |.pqL:....KW.v,..| +00000070 84 41 96 fb 37 2d 17 a9 28 c8 c6 47 1b fb 3d 42 |.A..7-..(..G..=B| +00000080 64 12 8f c7 e7 36 35 bf ce df d7 14 03 03 00 01 |d....65.........| +00000090 01 16 03 03 00 40 47 f9 4a d1 3b af 27 48 8a 15 |.....@G.J.;.'H..| +000000a0 c1 61 61 41 cc c3 4f 1d 9c 86 42 a9 17 1d e3 68 |.aaA..O...B....h| +000000b0 84 1f ae b7 9f 4b 70 be 72 0b 2c 48 88 ea ff 43 |.....Kp.r.,H...C| +000000c0 37 01 cc 37 c0 2d e9 da 8b 94 ef ed f9 02 95 a9 |7..7.-..........| +000000d0 bf 63 0f 6a 7c c0 |.c.j|.| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 40 00 00 00 00 00 |..........@.....| +00000010 00 00 00 00 00 00 00 00 00 00 00 4a bf f1 2b 6a |...........J..+j| +00000020 af e5 b9 51 69 38 3e a3 47 bf 0b 67 83 15 e0 91 |...Qi8>.G..g....| +00000030 c6 b3 cb fc 24 05 31 b7 51 3d fa bb 08 9a f9 f8 |....$.1.Q=......| +00000040 89 2a f1 5a b1 a8 1a ed aa 63 00 17 03 03 00 40 |.*.Z.....c.....@| +00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000060 80 37 dc f6 b1 a2 80 91 0e c9 71 c6 1c 1e 45 14 |.7........q...E.| +00000070 50 cd 39 85 73 8a f5 90 75 28 05 ab 69 ae 1a bd |P.9.s...u(..i...| +00000080 b9 ee 39 e8 3f 2d 73 4d 21 fa 2e 05 b4 a1 02 64 |..9.?-sM!......d| +00000090 15 03 03 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........| +000000a0 00 00 00 00 00 14 1e f7 64 d8 47 a6 93 aa 03 aa |........d.G.....| +000000b0 7c f3 a2 fb b8 6f cf f2 0d e4 2d d1 d6 67 f3 6b ||....o....-..g.k| +000000c0 ef e3 5d dc 5b |..].[| diff --git a/pkg/tls/testdata/Server-TLSv12-SNI b/pkg/tls/testdata/Server-TLSv12-SNI new file mode 100644 index 000000000..c3dc1b6e5 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-SNI @@ -0,0 +1,83 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 81 01 00 00 7d 03 03 cc a1 7b c4 56 |........}....{.V| +00000010 9f 65 31 01 b0 23 09 18 10 50 7c 1e 14 7b b5 dd |.e1..#...P|..{..| +00000020 d4 70 07 3e 0b 19 19 31 6b f7 4d 00 00 04 00 2f |.p.>...1k.M..../| +00000030 00 ff 01 00 00 50 00 00 00 10 00 0e 00 00 0b 73 |.....P.........s| +00000040 6e 69 74 65 73 74 2e 63 6f 6d 00 16 00 00 00 17 |nitest.com......| +00000050 00 00 00 0d 00 30 00 2e 04 03 05 03 06 03 08 07 |.....0..........| +00000060 08 08 08 09 08 0a 08 0b 08 04 08 05 08 06 04 01 |................| +00000070 05 01 06 01 03 03 02 03 03 01 02 01 03 02 02 02 |................| +00000080 04 02 05 02 06 02 |......| +>>> Flow 2 (server to client) +00000000 16 03 03 00 35 02 00 00 31 03 03 00 00 00 00 00 |....5...1.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 00 2f 00 00 |...DOWNGRD.../..| +00000030 09 ff 01 00 01 00 00 17 00 00 16 03 03 02 59 0b |..............Y.| +00000040 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000050 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000060 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000070 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +00000080 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +00000090 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000a0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000b0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000c0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000d0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +000000e0 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +000000f0 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000100 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000110 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000120 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000130 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000140 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000150 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000160 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000170 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +00000180 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +00000190 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001a0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001b0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001c0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001d0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +000001e0 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +000001f0 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000200 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000210 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000220 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000230 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000240 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000250 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000260 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000270 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +00000280 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +00000290 84 5c 21 d3 3b e9 fa e7 16 03 03 00 04 0e 00 00 |.\!.;...........| +000002a0 00 |.| +>>> Flow 3 (client to server) +00000000 16 03 03 00 86 10 00 00 82 00 80 04 36 4c 25 96 |............6L%.| +00000010 b0 1a 33 80 88 98 4f 2a c8 93 24 81 0a 78 6c 85 |..3...O*..$..xl.| +00000020 06 4d f1 cf 25 18 e0 f0 61 50 c5 45 c1 24 1b b3 |.M..%...aP.E.$..| +00000030 d6 3c d3 49 a6 40 81 2c bb ef 49 76 c0 10 4c ad |.<.I.@.,..Iv..L.| +00000040 2e 7d 4d f4 0b 96 bc 1c eb 3d 1d 7d 18 25 34 14 |.}M......=.}.%4.| +00000050 ed 76 f2 a1 17 aa 87 1b ef ff 11 93 a7 44 0c 33 |.v...........D.3| +00000060 86 27 38 3d 5d 3f bb f1 8d a9 f5 44 28 d1 28 41 |.'8=]?.....D(.(A| +00000070 bb b7 9a fb 83 81 91 92 4e 7d 71 55 43 ed 42 12 |........N}qUC.B.| +00000080 86 5f de 02 13 1f c4 63 08 87 db 14 03 03 00 01 |._.....c........| +00000090 01 16 03 03 00 40 32 01 5f a2 e1 08 cf 6b ce 11 |.....@2._....k..| +000000a0 db 82 94 c5 f1 12 9a ac 68 dc f9 c8 2c 00 a5 dd |........h...,...| +000000b0 6b 49 c8 8b b7 9f e3 90 27 a5 c2 45 fc 75 e5 ac |kI......'..E.u..| +000000c0 77 0c 80 bd 43 41 d4 00 c0 fb 8d 08 a6 f4 f7 63 |w...CA.........c| +000000d0 07 01 09 06 e5 fc |......| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 40 00 00 00 00 00 |..........@.....| +00000010 00 00 00 00 00 00 00 00 00 00 00 6d 31 fe 01 3d |...........m1..=| +00000020 2a c3 97 67 9f 08 f8 c9 ce 57 5c 4a e6 da 17 f2 |*..g.....W\J....| +00000030 f8 47 2b d9 9d 7e af 59 b8 a9 23 9d 7e d5 ed 77 |.G+..~.Y..#.~..w| +00000040 3b cd d4 b7 76 5b 6f 6d 09 bd 0c 17 03 03 00 40 |;...v[om.......@| +00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000060 d2 8c 47 46 36 47 fa d8 f8 1c b4 fc f6 fd fb 4b |..GF6G.........K| +00000070 79 e1 a3 39 df ac 6c 94 61 dd 20 1a e7 c0 4c 9c |y..9..l.a. ...L.| +00000080 45 69 69 cf 73 cb b1 6c fc 71 49 de 41 ca 4d 4f |Eii.s..l.qI.A.MO| +00000090 15 03 03 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........| +000000a0 00 00 00 00 00 d1 66 64 ce 59 eb 23 13 e9 92 28 |......fd.Y.#...(| +000000b0 a4 2a 7a b0 e1 79 ce 92 34 77 6e b3 8d d3 bb e6 |.*z..y..4wn.....| +000000c0 ad 90 e8 a2 1a |.....| diff --git a/pkg/tls/testdata/Server-TLSv12-SNI-GetCertificate b/pkg/tls/testdata/Server-TLSv12-SNI-GetCertificate new file mode 100644 index 000000000..474ab1ab1 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-SNI-GetCertificate @@ -0,0 +1,83 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 81 01 00 00 7d 03 03 02 34 82 a7 1a |........}...4...| +00000010 fe 81 b0 1c 2e df cc 04 2d f7 22 39 34 95 c7 c1 |........-."94...| +00000020 b2 92 a2 d2 aa ca 57 0f 9c be b4 00 00 04 00 2f |......W......../| +00000030 00 ff 01 00 00 50 00 00 00 10 00 0e 00 00 0b 73 |.....P.........s| +00000040 6e 69 74 65 73 74 2e 63 6f 6d 00 16 00 00 00 17 |nitest.com......| +00000050 00 00 00 0d 00 30 00 2e 04 03 05 03 06 03 08 07 |.....0..........| +00000060 08 08 08 09 08 0a 08 0b 08 04 08 05 08 06 04 01 |................| +00000070 05 01 06 01 03 03 02 03 03 01 02 01 03 02 02 02 |................| +00000080 04 02 05 02 06 02 |......| +>>> Flow 2 (server to client) +00000000 16 03 03 00 35 02 00 00 31 03 03 00 00 00 00 00 |....5...1.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 00 2f 00 00 |...DOWNGRD.../..| +00000030 09 ff 01 00 01 00 00 17 00 00 16 03 03 02 59 0b |..............Y.| +00000040 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000050 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000060 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000070 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +00000080 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +00000090 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000a0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000b0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000c0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000d0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +000000e0 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +000000f0 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000100 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000110 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000120 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000130 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000140 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000150 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000160 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000170 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +00000180 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +00000190 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001a0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001b0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001c0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001d0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +000001e0 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +000001f0 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000200 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000210 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000220 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000230 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000240 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000250 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000260 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000270 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +00000280 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +00000290 84 5c 21 d3 3b e9 fa e7 16 03 03 00 04 0e 00 00 |.\!.;...........| +000002a0 00 |.| +>>> Flow 3 (client to server) +00000000 16 03 03 00 86 10 00 00 82 00 80 d9 90 3c 11 be |.............<..| +00000010 f3 48 de f0 8f 9e 12 ca e0 ab 86 e0 7e e7 8b ea |.H..........~...| +00000020 1a 76 3e 65 8d 7a d6 1c 72 2a f7 1e aa 0a 12 8f |.v>e.z..r*......| +00000030 54 ac 33 95 9d 00 a9 a6 94 54 7b 6a d9 e3 f4 67 |T.3......T{j...g| +00000040 a6 d3 b1 c1 5d 86 51 aa 63 67 6b 6e cb 3b 5e 59 |....].Q.cgkn.;^Y| +00000050 02 c2 57 fd 37 39 1b 73 9a 61 b0 78 de e8 cc f8 |..W.79.s.a.x....| +00000060 b3 01 11 e5 e9 31 85 4d fe 60 d4 12 70 71 64 45 |.....1.M.`..pqdE| +00000070 e8 7d fb be 5b 82 c0 c4 e1 57 09 2c f2 d7 a3 79 |.}..[....W.,...y| +00000080 1c 40 08 e1 e6 cd e2 3e e7 55 da 14 03 03 00 01 |.@.....>.U......| +00000090 01 16 03 03 00 40 29 9e b7 cf 5e 7c e9 40 91 5f |.....@)...^|.@._| +000000a0 b6 12 d4 42 ec 6a bc 03 d9 fa e4 d8 bf c7 2c c5 |...B.j........,.| +000000b0 52 74 17 77 b1 aa 13 87 f0 81 da 0d ca 7f d9 ca |Rt.w............| +000000c0 18 46 55 62 3f 90 21 60 fa 85 8c 80 6b 23 45 e7 |.FUb?.!`....k#E.| +000000d0 0b 6e 8c e2 c3 f6 |.n....| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 40 00 00 00 00 00 |..........@.....| +00000010 00 00 00 00 00 00 00 00 00 00 00 ee 8d 0f cd 15 |................| +00000020 db b4 cd 25 27 b6 7e 9b 82 91 2f 01 e1 4f f9 0c |...%'.~.../..O..| +00000030 68 4c bf 26 2b 4b 49 f5 0a 67 8a 4f 12 35 37 75 |hL.&+KI..g.O.57u| +00000040 16 fe cc 26 35 66 60 8c ed 42 40 17 03 03 00 40 |...&5f`..B@....@| +00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000060 f5 7a ee 53 aa 85 bb 81 c4 57 68 12 f1 40 4c 20 |.z.S.....Wh..@L | +00000070 2a ff fc 6c dd 73 65 fc 41 e6 5b 96 6b 35 2f 8a |*..l.se.A.[.k5/.| +00000080 62 49 4a da f4 df 93 a0 ab e1 12 4d 8d 34 2c 6a |bIJ........M.4,j| +00000090 15 03 03 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........| +000000a0 00 00 00 00 00 1c 08 e5 52 29 79 d6 15 07 10 44 |........R)y....D| +000000b0 95 07 07 cb 3b 2b 37 2f e3 dc 17 f9 27 b6 5d 44 |....;+7/....'.]D| +000000c0 d0 30 4b 2e 21 |.0K.!| diff --git a/pkg/tls/testdata/Server-TLSv12-SNI-GetCertificateNotFound b/pkg/tls/testdata/Server-TLSv12-SNI-GetCertificateNotFound new file mode 100644 index 000000000..0c06ce98d --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-SNI-GetCertificateNotFound @@ -0,0 +1,83 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 81 01 00 00 7d 03 03 77 e7 c3 97 fa |........}..w....| +00000010 59 80 de d1 f5 9f ce e5 a5 38 60 2c 30 b2 64 5b |Y........8`,0.d[| +00000020 6c 0a 56 49 1d 6f 19 57 5a ac 05 00 00 04 00 2f |l.VI.o.WZ....../| +00000030 00 ff 01 00 00 50 00 00 00 10 00 0e 00 00 0b 73 |.....P.........s| +00000040 6e 69 74 65 73 74 2e 63 6f 6d 00 16 00 00 00 17 |nitest.com......| +00000050 00 00 00 0d 00 30 00 2e 04 03 05 03 06 03 08 07 |.....0..........| +00000060 08 08 08 09 08 0a 08 0b 08 04 08 05 08 06 04 01 |................| +00000070 05 01 06 01 03 03 02 03 03 01 02 01 03 02 02 02 |................| +00000080 04 02 05 02 06 02 |......| +>>> Flow 2 (server to client) +00000000 16 03 03 00 35 02 00 00 31 03 03 00 00 00 00 00 |....5...1.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 00 2f 00 00 |...DOWNGRD.../..| +00000030 09 ff 01 00 01 00 00 17 00 00 16 03 03 02 59 0b |..............Y.| +00000040 00 02 55 00 02 52 00 02 4f 30 82 02 4b 30 82 01 |..U..R..O0..K0..| +00000050 b4 a0 03 02 01 02 02 09 00 e8 f0 9d 3f e2 5b ea |............?.[.| +00000060 a6 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 |.0...*.H........| +00000070 30 1f 31 0b 30 09 06 03 55 04 0a 13 02 47 6f 31 |0.1.0...U....Go1| +00000080 10 30 0e 06 03 55 04 03 13 07 47 6f 20 52 6f 6f |.0...U....Go Roo| +00000090 74 30 1e 17 0d 31 36 30 31 30 31 30 30 30 30 30 |t0...16010100000| +000000a0 30 5a 17 0d 32 35 30 31 30 31 30 30 30 30 30 30 |0Z..250101000000| +000000b0 5a 30 1a 31 0b 30 09 06 03 55 04 0a 13 02 47 6f |Z0.1.0...U....Go| +000000c0 31 0b 30 09 06 03 55 04 03 13 02 47 6f 30 81 9f |1.0...U....Go0..| +000000d0 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 |0...*.H.........| +000000e0 81 8d 00 30 81 89 02 81 81 00 db 46 7d 93 2e 12 |...0.......F}...| +000000f0 27 06 48 bc 06 28 21 ab 7e c4 b6 a2 5d fe 1e 52 |'.H..(!.~...]..R| +00000100 45 88 7a 36 47 a5 08 0d 92 42 5b c2 81 c0 be 97 |E.z6G....B[.....| +00000110 79 98 40 fb 4f 6d 14 fd 2b 13 8b c2 a5 2e 67 d8 |y.@.Om..+.....g.| +00000120 d4 09 9e d6 22 38 b7 4a 0b 74 73 2b c2 34 f1 d1 |...."8.J.ts+.4..| +00000130 93 e5 96 d9 74 7b f3 58 9f 6c 61 3c c0 b0 41 d4 |....t{.X.la<..A.| +00000140 d9 2b 2b 24 23 77 5b 1c 3b bd 75 5d ce 20 54 cf |.++$#w[.;.u]. T.| +00000150 a1 63 87 1d 1e 24 c4 f3 1d 1a 50 8b aa b6 14 43 |.c...$....P....C| +00000160 ed 97 a7 75 62 f4 14 c8 52 d7 02 03 01 00 01 a3 |...ub...R.......| +00000170 81 93 30 81 90 30 0e 06 03 55 1d 0f 01 01 ff 04 |..0..0...U......| +00000180 04 03 02 05 a0 30 1d 06 03 55 1d 25 04 16 30 14 |.....0...U.%..0.| +00000190 06 08 2b 06 01 05 05 07 03 01 06 08 2b 06 01 05 |..+.........+...| +000001a0 05 07 03 02 30 0c 06 03 55 1d 13 01 01 ff 04 02 |....0...U.......| +000001b0 30 00 30 19 06 03 55 1d 0e 04 12 04 10 9f 91 16 |0.0...U.........| +000001c0 1f 43 43 3e 49 a6 de 6d b6 80 d7 9f 60 30 1b 06 |.CC>I..m....`0..| +000001d0 03 55 1d 23 04 14 30 12 80 10 48 13 49 4d 13 7e |.U.#..0...H.IM.~| +000001e0 16 31 bb a3 01 d5 ac ab 6e 7b 30 19 06 03 55 1d |.1......n{0...U.| +000001f0 11 04 12 30 10 82 0e 65 78 61 6d 70 6c 65 2e 67 |...0...example.g| +00000200 6f 6c 61 6e 67 30 0d 06 09 2a 86 48 86 f7 0d 01 |olang0...*.H....| +00000210 01 0b 05 00 03 81 81 00 9d 30 cc 40 2b 5b 50 a0 |.........0.@+[P.| +00000220 61 cb ba e5 53 58 e1 ed 83 28 a9 58 1a a9 38 a4 |a...SX...(.X..8.| +00000230 95 a1 ac 31 5a 1a 84 66 3d 43 d3 2d d9 0b f2 97 |...1Z..f=C.-....| +00000240 df d3 20 64 38 92 24 3a 00 bc cf 9c 7d b7 40 20 |.. d8.$:....}.@ | +00000250 01 5f aa d3 16 61 09 a2 76 fd 13 c3 cc e1 0c 5c |._...a..v......\| +00000260 ee b1 87 82 f1 6c 04 ed 73 bb b3 43 77 8d 0c 1c |.....l..s..Cw...| +00000270 f1 0f a1 d8 40 83 61 c9 4c 72 2b 9d ae db 46 06 |....@.a.Lr+...F.| +00000280 06 4d f4 c1 b3 3e c0 d1 bd 42 d4 db fe 3d 13 60 |.M...>...B...=.`| +00000290 84 5c 21 d3 3b e9 fa e7 16 03 03 00 04 0e 00 00 |.\!.;...........| +000002a0 00 |.| +>>> Flow 3 (client to server) +00000000 16 03 03 00 86 10 00 00 82 00 80 67 0c a0 f8 da |...........g....| +00000010 2e d9 9e 9d ef c8 9b 77 f5 fe 25 32 74 49 1d a7 |.......w..%2tI..| +00000020 7d 69 37 2a 94 07 5a 15 e8 f1 1d 36 25 ae 32 e4 |}i7*..Z....6%.2.| +00000030 9c f5 35 fb 54 81 f2 19 4f 8d 6b 64 1a b2 a2 2e |..5.T...O.kd....| +00000040 c4 cb 5b 73 9d 46 97 01 33 d3 b8 a9 18 39 2c ad |..[s.F..3....9,.| +00000050 f2 eb 6b 02 38 44 f8 cf ae ac a6 e6 54 92 29 ae |..k.8D......T.).| +00000060 a6 8a 4e 82 99 f3 77 8c b6 3a a1 5c 4f 25 3b 7f |..N...w..:.\O%;.| +00000070 39 2f cd 51 dc e3 fc 7c 5a 5a 33 e4 af 43 d0 d3 |9/.Q...|ZZ3..C..| +00000080 eb 3b 86 71 af 92 53 6e 02 b9 59 14 03 03 00 01 |.;.q..Sn..Y.....| +00000090 01 16 03 03 00 40 8b e4 6f d3 88 e7 6a e9 aa f2 |.....@..o...j...| +000000a0 4f 67 69 80 bc f1 78 ca a9 f9 29 ce 44 93 81 46 |Ogi...x...).D..F| +000000b0 0e 18 d1 2a 14 8b 3b b5 15 e4 b5 2a bb 88 d4 80 |...*..;....*....| +000000c0 7b 2f 03 c7 83 7c 61 24 29 fe dd bc 49 8a b1 88 |{/...|a$)...I...| +000000d0 41 ac 8a 12 f8 d6 |A.....| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 40 00 00 00 00 00 |..........@.....| +00000010 00 00 00 00 00 00 00 00 00 00 00 e7 d3 34 46 88 |.............4F.| +00000020 0e 7f ae 5b d6 e5 70 d2 7d 99 25 1b 27 89 8a a4 |...[..p.}.%.'...| +00000030 02 03 01 a4 e1 d6 72 af c3 5a 55 f7 56 69 60 91 |......r..ZU.Vi`.| +00000040 49 29 68 36 99 e5 09 ac 7a e3 4f 17 03 03 00 40 |I)h6....z.O....@| +00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000060 71 d0 36 7d 2c 3b 40 e3 a9 3f c1 d0 5e 3a ee d2 |q.6},;@..?..^:..| +00000070 4d 0d b7 f4 83 3e 75 e0 ed 8a fc b2 9b ed 98 a8 |M....>u.........| +00000080 ec 49 65 83 53 e0 79 52 03 2b 78 8a 64 3e 4c 5e |.Ie.S.yR.+x.d>L^| +00000090 15 03 03 00 30 00 00 00 00 00 00 00 00 00 00 00 |....0...........| +000000a0 00 00 00 00 00 76 38 c3 3d 86 d8 58 f2 16 48 94 |.....v8.=..X..H.| +000000b0 46 65 ea 80 46 74 fe 66 7c 72 99 30 b3 05 08 14 |Fe..Ft.f|r.0....| +000000c0 19 e3 ee 6f cf |...o.| diff --git a/pkg/tls/testdata/Server-TLSv12-X25519 b/pkg/tls/testdata/Server-TLSv12-X25519 new file mode 100644 index 000000000..09f321e3e --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv12-X25519 @@ -0,0 +1,80 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 7d 01 00 00 79 03 03 dc 04 e9 5b d1 |....}...y.....[.| +00000010 6b d9 b9 5e f7 4c 01 7e 58 4a 99 d9 90 c8 a2 7b |k..^.L.~XJ.....{| +00000020 f4 55 08 68 9b 42 34 6a 14 6c 01 00 00 04 cc a8 |.U.h.B4j.l......| +00000030 00 ff 01 00 00 4c 00 0b 00 04 03 00 01 02 00 0a |.....L..........| +00000040 00 04 00 02 00 1d 00 16 00 00 00 17 00 00 00 0d |................| +00000050 00 30 00 2e 04 03 05 03 06 03 08 07 08 08 08 09 |.0..............| +00000060 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 |................| +00000070 03 03 02 03 03 01 02 01 03 02 02 02 04 02 05 02 |................| +00000080 06 02 |..| +>>> Flow 2 (server to client) +00000000 16 03 03 00 3b 02 00 00 37 03 03 00 00 00 00 00 |....;...7.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 44 4f 57 4e 47 52 44 01 00 cc a8 00 00 |...DOWNGRD......| +00000030 0f ff 01 00 01 00 00 17 00 00 00 0b 00 02 01 00 |................| +00000040 16 03 03 02 59 0b 00 02 55 00 02 52 00 02 4f 30 |....Y...U..R..O0| +00000050 82 02 4b 30 82 01 b4 a0 03 02 01 02 02 09 00 e8 |..K0............| +00000060 f0 9d 3f e2 5b ea a6 30 0d 06 09 2a 86 48 86 f7 |..?.[..0...*.H..| +00000070 0d 01 01 0b 05 00 30 1f 31 0b 30 09 06 03 55 04 |......0.1.0...U.| +00000080 0a 13 02 47 6f 31 10 30 0e 06 03 55 04 03 13 07 |...Go1.0...U....| +00000090 47 6f 20 52 6f 6f 74 30 1e 17 0d 31 36 30 31 30 |Go Root0...16010| +000000a0 31 30 30 30 30 30 30 5a 17 0d 32 35 30 31 30 31 |1000000Z..250101| +000000b0 30 30 30 30 30 30 5a 30 1a 31 0b 30 09 06 03 55 |000000Z0.1.0...U| +000000c0 04 0a 13 02 47 6f 31 0b 30 09 06 03 55 04 03 13 |....Go1.0...U...| +000000d0 02 47 6f 30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d |.Go0..0...*.H...| +000000e0 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 |.........0......| +000000f0 db 46 7d 93 2e 12 27 06 48 bc 06 28 21 ab 7e c4 |.F}...'.H..(!.~.| +00000100 b6 a2 5d fe 1e 52 45 88 7a 36 47 a5 08 0d 92 42 |..]..RE.z6G....B| +00000110 5b c2 81 c0 be 97 79 98 40 fb 4f 6d 14 fd 2b 13 |[.....y.@.Om..+.| +00000120 8b c2 a5 2e 67 d8 d4 09 9e d6 22 38 b7 4a 0b 74 |....g....."8.J.t| +00000130 73 2b c2 34 f1 d1 93 e5 96 d9 74 7b f3 58 9f 6c |s+.4......t{.X.l| +00000140 61 3c c0 b0 41 d4 d9 2b 2b 24 23 77 5b 1c 3b bd |a<..A..++$#w[.;.| +00000150 75 5d ce 20 54 cf a1 63 87 1d 1e 24 c4 f3 1d 1a |u]. T..c...$....| +00000160 50 8b aa b6 14 43 ed 97 a7 75 62 f4 14 c8 52 d7 |P....C...ub...R.| +00000170 02 03 01 00 01 a3 81 93 30 81 90 30 0e 06 03 55 |........0..0...U| +00000180 1d 0f 01 01 ff 04 04 03 02 05 a0 30 1d 06 03 55 |...........0...U| +00000190 1d 25 04 16 30 14 06 08 2b 06 01 05 05 07 03 01 |.%..0...+.......| +000001a0 06 08 2b 06 01 05 05 07 03 02 30 0c 06 03 55 1d |..+.......0...U.| +000001b0 13 01 01 ff 04 02 30 00 30 19 06 03 55 1d 0e 04 |......0.0...U...| +000001c0 12 04 10 9f 91 16 1f 43 43 3e 49 a6 de 6d b6 80 |.......CC>I..m..| +000001d0 d7 9f 60 30 1b 06 03 55 1d 23 04 14 30 12 80 10 |..`0...U.#..0...| +000001e0 48 13 49 4d 13 7e 16 31 bb a3 01 d5 ac ab 6e 7b |H.IM.~.1......n{| +000001f0 30 19 06 03 55 1d 11 04 12 30 10 82 0e 65 78 61 |0...U....0...exa| +00000200 6d 70 6c 65 2e 67 6f 6c 61 6e 67 30 0d 06 09 2a |mple.golang0...*| +00000210 86 48 86 f7 0d 01 01 0b 05 00 03 81 81 00 9d 30 |.H.............0| +00000220 cc 40 2b 5b 50 a0 61 cb ba e5 53 58 e1 ed 83 28 |.@+[P.a...SX...(| +00000230 a9 58 1a a9 38 a4 95 a1 ac 31 5a 1a 84 66 3d 43 |.X..8....1Z..f=C| +00000240 d3 2d d9 0b f2 97 df d3 20 64 38 92 24 3a 00 bc |.-...... d8.$:..| +00000250 cf 9c 7d b7 40 20 01 5f aa d3 16 61 09 a2 76 fd |..}.@ ._...a..v.| +00000260 13 c3 cc e1 0c 5c ee b1 87 82 f1 6c 04 ed 73 bb |.....\.....l..s.| +00000270 b3 43 77 8d 0c 1c f1 0f a1 d8 40 83 61 c9 4c 72 |.Cw.......@.a.Lr| +00000280 2b 9d ae db 46 06 06 4d f4 c1 b3 3e c0 d1 bd 42 |+...F..M...>...B| +00000290 d4 db fe 3d 13 60 84 5c 21 d3 3b e9 fa e7 16 03 |...=.`.\!.;.....| +000002a0 03 00 ac 0c 00 00 a8 03 00 1d 20 2f e5 7d a3 47 |.......... /.}.G| +000002b0 cd 62 43 15 28 da ac 5f bb 29 07 30 ff f6 84 af |.bC.(.._.).0....| +000002c0 c4 cf c2 ed 90 99 5f 58 cb 3b 74 08 04 00 80 27 |......_X.;t....'| +000002d0 d6 32 9d 2d 17 61 04 13 02 29 ad c2 af f7 ac 7b |.2.-.a...).....{| +000002e0 65 1c 6b cd 1d 7d 05 d7 b9 55 82 1b 23 92 6b b5 |e.k..}...U..#.k.| +000002f0 a2 d6 65 d7 42 6f a3 b6 2a f0 ac a4 6c dd f3 11 |..e.Bo..*...l...| +00000300 a0 20 ee 45 42 33 fc 45 d1 9e d7 bb 75 0e d1 bd |. .EB3.E....u...| +00000310 cd 8f 64 35 85 79 88 9b 63 1e 8c 08 1b fd 19 5e |..d5.y..c......^| +00000320 a9 ac 06 79 1e 4a 95 fa cd 60 86 e3 10 e4 d0 39 |...y.J...`.....9| +00000330 0c a0 0b 6f 6f 55 a4 7d 65 d4 41 ee 60 62 42 a8 |...ooU.}e.A.`bB.| +00000340 5e 22 55 48 3c 54 53 f0 28 e1 7f 67 4f f0 1f 16 |^"UH>> Flow 3 (client to server) +00000000 16 03 03 00 25 10 00 00 21 20 35 e6 c9 e2 76 cf |....%...! 5...v.| +00000010 36 af dc 27 30 6b eb f4 ae 62 f1 f4 40 81 04 d2 |6..'0k...b..@...| +00000020 f1 c7 d5 af 7d 64 ef 64 d0 58 14 03 03 00 01 01 |....}d.d.X......| +00000030 16 03 03 00 20 5b 64 ec 49 29 26 ba 8c ed 85 fb |.... [d.I)&.....| +00000040 3e 09 c4 66 bb 60 4e d7 b1 69 73 5a 67 51 77 20 |>..f.`N..isZgQw | +00000050 5b 14 1f c0 69 |[...i| +>>> Flow 4 (server to client) +00000000 14 03 03 00 01 01 16 03 03 00 20 74 49 81 b6 d3 |.......... tI...| +00000010 79 68 0d 78 47 7a 97 a7 cd 3b 2c 24 a3 42 83 18 |yh.xGz...;,$.B..| +00000020 e4 0c c3 da 4a 1c ff 7b 5d 4c 08 17 03 03 00 1d |....J..{]L......| +00000030 c2 8a f4 f2 de db 53 69 79 61 c9 30 7b ae 74 cc |......Siya.0{.t.| +00000040 eb 37 b7 e8 19 cb e6 5f 49 7f 3d a0 37 15 03 03 |.7....._I.=.7...| +00000050 00 12 99 68 9b 76 f6 66 52 55 fc 8e 4f 17 56 a7 |...h.v.fRU..O.V.| +00000060 33 0b db 05 |3...| diff --git a/pkg/tls/testdata/Server-TLSv13-AES128-SHA256 b/pkg/tls/testdata/Server-TLSv13-AES128-SHA256 new file mode 100644 index 000000000..465d5f9f7 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-AES128-SHA256 @@ -0,0 +1,97 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 ca 01 00 00 c6 03 03 8e 4c 3b 7c dc |............L;|.| +00000010 d6 2d c0 19 de dd 85 01 ce 5a 48 3e 63 ab 4a 21 |.-.......ZH>c.J!| +00000020 9c 0e 23 4f 41 99 43 bd 78 5b 82 20 90 e6 4e 23 |..#OA.C.x[. ..N#| +00000030 34 72 2a ad 9a cf 95 20 20 f0 e9 cf 7a 4a 57 65 |4r*.... ...zJWe| +00000040 87 09 c7 76 79 25 9c 3e 16 22 4c c5 00 04 13 01 |...vy%.>."L.....| +00000050 00 ff 01 00 00 79 00 0b 00 04 03 00 01 02 00 0a |.....y..........| +00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................| +00000070 00 00 00 17 00 00 00 0d 00 1e 00 1c 04 03 05 03 |................| +00000080 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 |................| +00000090 08 06 04 01 05 01 06 01 00 2b 00 03 02 03 04 00 |.........+......| +000000a0 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 74 |-.....3.&.$... t| +000000b0 47 39 80 c0 36 61 58 c4 16 58 d5 e1 9f 60 ca a8 |G9..6aX..X...`..| +000000c0 f8 ef 86 40 65 2d 5b 5d 4b cc 37 1d 66 15 66 |...@e-[]K.7.f.f| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 90 e6 4e 23 |........... ..N#| +00000030 34 72 2a ad 9a cf 95 20 20 f0 e9 cf 7a 4a 57 65 |4r*.... ...zJWe| +00000040 87 09 c7 76 79 25 9c 3e 16 22 4c c5 13 01 00 00 |...vy%.>."L.....| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /| +00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.| +00000080 03 03 00 01 01 17 03 03 00 17 e2 d2 17 5f 12 74 |............._.t| +00000090 c1 79 bc 63 27 63 e7 52 05 50 f5 13 16 ea 3e 9e |.y.c'c.R.P....>.| +000000a0 19 17 03 03 02 6d dd 67 27 89 03 8e f4 db 9b 65 |.....m.g'......e| +000000b0 bc ff 5e 8a 9b a2 20 3c 4d ee b2 98 e3 52 94 b1 |..^... ...i| +000001c0 69 d5 56 45 b2 3b 5f 24 42 b9 4f 43 ec 0d 0d 6c |i.VE.;_$B.OC...l| +000001d0 0e 44 10 e6 45 e1 a2 11 27 e6 70 a8 d3 a4 2e a1 |.D..E...'.p.....| +000001e0 43 d6 a5 46 79 d1 e8 37 07 c0 29 68 fa ab dc 67 |C..Fy..7..)h...g| +000001f0 91 94 04 28 aa 12 01 3f c7 4f d6 a8 93 99 53 5e |...(...?.O....S^| +00000200 0b 5f ff 83 a0 14 47 23 e6 5e 3c a0 e4 47 28 74 |._....G#.^<..G(t| +00000210 20 a4 cc 28 03 41 62 5a 27 eb 22 33 ba ac e2 63 | ..(.AbZ'."3...c| +00000220 c7 a6 09 c7 87 70 45 1a 8b df 96 89 bc 3f 14 0d |.....pE......?..| +00000230 28 5a 67 a1 d4 30 a3 c3 3a 4b 1f 0e a7 7d 40 cd |(Zg..0..:K...}@.| +00000240 0e 59 12 2d be 40 ea c1 cb fc b0 d3 42 72 56 4b |.Y.-.@......BrVK| +00000250 7a a8 e8 70 d6 07 e0 0a 69 ad e6 0b e9 da b7 27 |z..p....i......'| +00000260 57 e6 aa d3 0d 46 86 93 c0 ce e6 1a b8 8f bb 95 |W....F..........| +00000270 09 58 e7 51 96 53 4e 71 70 bf 34 7a b0 e9 a8 e7 |.X.Q.SNqp.4z....| +00000280 51 0f 0c 68 f1 9f 17 28 53 d4 ac 7a 9f 06 cc ce |Q..h...(S..z....| +00000290 36 81 e7 bf f2 85 b5 5b 4e 23 84 70 67 d5 45 a3 |6......[N#.pg.E.| +000002a0 3a df f2 26 7c 93 d0 47 f9 0d 87 21 a0 e3 05 a3 |:..&|..G...!....| +000002b0 ed 7b 99 7d 56 1f 43 77 4e fb db 7d 63 70 a0 fb |.{.}V.CwN..}cp..| +000002c0 bf 41 d7 48 a8 ae b1 70 1e 99 ae 2b e5 1c 7b 4d |.A.H...p...+..{M| +000002d0 a8 a6 86 39 83 d4 63 32 56 57 44 4c 44 2e 77 22 |...9..c2VWDLD.w"| +000002e0 7b e4 33 3a 40 df f1 7e 21 8a 8d da 72 dd 6f 29 |{.3:@..~!...r.o)| +000002f0 5a de 90 0c a2 76 e0 73 7a 82 d3 26 88 e1 f7 c5 |Z....v.sz..&....| +00000300 69 c2 04 9b 98 4b 49 7f e3 ac 18 90 85 4f ec c7 |i....KI......O..| +00000310 29 67 b7 17 03 03 00 99 1c 83 e0 03 3a 6e 3e 08 |)g..........:n>.| +00000320 e5 33 26 ca 22 a7 01 d9 8c fa f8 75 74 4a 34 a9 |.3&."......utJ4.| +00000330 12 f7 0a fd 49 2e ef 7d 07 97 59 d7 5a 69 b2 cb |....I..}..Y.Zi..| +00000340 07 a4 5e 5d 52 f5 4b 50 b3 df 46 fd 3e 86 fe 07 |..^]R.KP..F.>...| +00000350 98 94 ad cd 2b a2 11 03 1c 1b 13 03 ba 13 68 e4 |....+.........h.| +00000360 45 5a 70 41 92 a1 67 65 a3 23 4b 81 47 3b 18 a4 |EZpA..ge.#K.G;..| +00000370 6e 8f 62 e1 2b ee 5f 77 35 e2 07 f7 c9 39 ec 9f |n.b.+._w5....9..| +00000380 e5 dc b6 e9 64 b9 83 50 02 3f e6 2f ba 3e f6 97 |....d..P.?./.>..| +00000390 0b 75 9d e2 d6 ac 86 89 a2 ce 99 29 7b 11 de 6a |.u.........){..j| +000003a0 23 da 7c 84 ec d3 71 f4 fd 6b 5c 0a c0 25 3e c0 |#.|...q..k\..%>.| +000003b0 11 17 03 03 00 35 39 bb d8 45 80 5d 07 86 99 65 |.....59..E.]...e| +000003c0 7c 85 6f 3a 08 e2 a4 fa 2e be 23 63 51 64 71 7c ||.o:......#cQdq|| +000003d0 d7 5d 87 31 91 53 6e 77 7d ea d1 66 fd b7 a9 0e |.].1.Snw}..f....| +000003e0 c9 da dc ba b7 d9 5f 0f 33 fd 52 17 03 03 00 8b |......_.3.R.....| +000003f0 99 86 2a e1 93 87 40 c9 6e 9d 27 7d dd a0 03 a2 |..*...@.n.'}....| +00000400 65 cb c2 63 33 59 2f 4a a7 01 56 94 28 e4 ec c7 |e..c3Y/J..V.(...| +00000410 8f 62 ed 71 c1 80 b9 f8 55 07 0b ab 2a bd f8 68 |.b.q....U...*..h| +00000420 7d 90 a9 98 36 5b d8 f3 00 22 d9 a9 76 30 ef cd |}...6[..."..v0..| +00000430 3f 42 68 af 70 5b 12 c8 9d f8 00 01 3d 02 82 44 |?Bh.p[......=..D| +00000440 2d a6 2e dc 3b b4 42 5c c6 01 c4 fb a3 32 86 10 |-...;.B\.....2..| +00000450 d8 25 ab 87 24 d7 38 7f dd b8 5f f9 5e 47 a9 57 |.%..$.8..._.^G.W| +00000460 cc 48 fb 0f 74 4a db 4f db 92 21 be 08 7c 53 6f |.H..tJ.O..!..|So| +00000470 89 3f 68 77 cd 02 a7 aa 9c 9d b5 |.?hw.......| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 1d f1 fe e2 c3 |..........5.....| +00000010 4e 95 57 0b 7e d6 32 45 6b 9c ed 89 c2 69 62 70 |N.W.~.2Ek....ibp| +00000020 79 0f a8 42 72 94 05 ad f5 fe a5 83 4b 56 80 41 |y..Br.......KV.A| +00000030 2c 58 e0 e2 00 70 de c1 39 c8 fa c4 bb 89 57 aa |,X...p..9.....W.| +>>> Flow 4 (server to client) +00000000 17 03 03 00 1e a3 8a 39 2d 93 5d d3 ce cd 5a 31 |.......9-.]...Z1| +00000010 19 21 b8 b5 6f 3e 58 7a 0c 09 9b a8 4b 23 3d 3d |.!..o>Xz....K#==| +00000020 d7 73 7a 17 03 03 00 13 d1 a5 7c 5e 2e fa 6b 86 |.sz.......|^..k.| +00000030 f9 36 3c 8d 2b 5b 7e 58 db c8 0d |.6<.+[~X...| diff --git a/pkg/tls/testdata/Server-TLSv13-AES256-SHA384 b/pkg/tls/testdata/Server-TLSv13-AES256-SHA384 new file mode 100644 index 000000000..64310a154 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-AES256-SHA384 @@ -0,0 +1,100 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 ca 01 00 00 c6 03 03 c4 ac 32 36 24 |.............26$| +00000010 08 b0 6c 1d 1e 58 7e b3 3d 52 35 29 85 52 3a b3 |..l..X~.=R5).R:.| +00000020 32 a2 71 86 4b 33 5d bb b8 b8 ac 20 77 6d 45 2f |2.q.K3].... wmE/| +00000030 a3 fe 59 3f 9b cf 4e 60 55 84 f7 99 c2 f5 7e 1e |..Y?..N`U.....~.| +00000040 6f 0a 4d fe bf 13 e8 95 80 a7 7d c6 00 04 13 02 |o.M.......}.....| +00000050 00 ff 01 00 00 79 00 0b 00 04 03 00 01 02 00 0a |.....y..........| +00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................| +00000070 00 00 00 17 00 00 00 0d 00 1e 00 1c 04 03 05 03 |................| +00000080 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 |................| +00000090 08 06 04 01 05 01 06 01 00 2b 00 03 02 03 04 00 |.........+......| +000000a0 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 8f |-.....3.&.$... .| +000000b0 5a 28 ca 6a 1b 42 2f 1a 53 8f cc 4f 88 b3 0c ad |Z(.j.B/.S..O....| +000000c0 35 59 c5 10 46 ef a4 5f 1e d4 63 69 93 4f 15 |5Y..F.._..ci.O.| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 77 6d 45 2f |........... wmE/| +00000030 a3 fe 59 3f 9b cf 4e 60 55 84 f7 99 c2 f5 7e 1e |..Y?..N`U.....~.| +00000040 6f 0a 4d fe bf 13 e8 95 80 a7 7d c6 13 02 00 00 |o.M.......}.....| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /| +00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.| +00000080 03 03 00 01 01 17 03 03 00 17 e4 b2 43 7d 15 fc |............C}..| +00000090 ae 58 44 9d 0d 82 a4 1c 21 c4 3f 86 fb 4b 6b d1 |.XD.....!.?..Kk.| +000000a0 96 17 03 03 02 6d 03 84 7a 2c 7e d8 c8 ca 31 07 |.....m..z,~...1.| +000000b0 fc 2c 47 5b e4 c1 e1 5f 1a c9 a0 45 4e 9a 3d 63 |.,G[..._...EN.=c| +000000c0 11 3b 26 d7 05 e3 6c 36 c3 49 46 c3 73 4e ee 97 |.;&...l6.IF.sN..| +000000d0 dc 4e 09 f4 22 0f 34 05 e1 84 d5 ed 76 a1 4e ba |.N..".4.....v.N.| +000000e0 7c d7 9c 9d 16 ae 96 0f 62 41 64 80 ed fc 4c 1e ||.......bAd...L.| +000000f0 75 a4 5a fe bf 7c 95 6f 81 ef bb e9 9c 69 63 df |u.Z..|.o.....ic.| +00000100 b0 07 d1 4f 1e 96 9e c9 a4 09 d6 79 f2 33 58 eb |...O.......y.3X.| +00000110 78 a5 a7 29 27 58 1b 99 79 79 e3 1d 61 6e fd 7b |x..)'X..yy..an.{| +00000120 c8 7f c6 07 3a f5 23 d6 4d 7a 74 af 53 f6 b1 63 |....:.#.Mzt.S..c| +00000130 2f eb 51 65 b5 91 ac af 4b bf 9e 98 90 8a ae 02 |/.Qe....K.......| +00000140 86 35 78 66 13 2c de 95 5b e1 d8 78 18 bf 65 8f |.5xf.,..[..x..e.| +00000150 a2 30 ae e7 fa aa ac bc 44 72 03 f5 86 b1 1b c2 |.0......Dr......| +00000160 d5 61 dc 4d 74 47 73 67 f1 43 11 1a 95 6f e3 88 |.a.MtGsg.C...o..| +00000170 51 9a 4b c7 bd dc 36 8f 5d de 56 4c 8d 30 8d ec |Q.K...6.].VL.0..| +00000180 08 0b 90 be c8 dc df 7d 6e e7 85 c9 ab dd be a9 |.......}n.......| +00000190 57 c4 6a 76 36 bb a8 4b e2 be d1 28 67 3b a9 0c |W.jv6..K...(g;..| +000001a0 a1 78 2e e4 af f4 51 a3 f5 8c b3 8d c8 7c 8e e7 |.x....Q......|..| +000001b0 d2 7f 38 91 04 42 f4 e9 ae e2 3a 3d 37 10 78 f3 |..8..B....:=7.x.| +000001c0 2d 9c 9f f7 4f 49 f0 45 bd 1e 8d 7d e3 84 b9 9a |-...OI.E...}....| +000001d0 75 40 fb 2b 4f 71 2d b7 bd 1a 6e 4a 7a b4 53 f8 |u@.+Oq-...nJz.S.| +000001e0 d7 c9 6e d9 f6 7b de fa f0 12 5d fc c0 71 1a bf |..n..{....]..q..| +000001f0 76 d8 c4 ad c5 f7 e2 79 55 79 40 e5 55 ee bc dc |v......yUy@.U...| +00000200 42 06 97 89 da 2d a7 e9 26 e4 82 e1 63 5f e2 ee |B....-..&...c_..| +00000210 1a 37 6d 65 bf d7 5f 2e 86 a5 a8 4d b2 e1 31 2f |.7me.._....M..1/| +00000220 8b c5 0b 88 03 bf 1f 37 8c 96 ec 54 4f 75 9b f9 |.......7...TOu..| +00000230 00 98 96 e6 db c1 24 94 6a d1 dd f7 9b d2 2e 24 |......$.j......$| +00000240 82 c7 34 5a f6 aa 36 5b b7 63 11 b2 1d 15 a6 48 |..4Z..6[.c.....H| +00000250 74 5c a7 70 a9 c4 fc 14 67 51 7e 16 7c 90 5b 64 |t\.p....gQ~.|.[d| +00000260 ff 49 02 f6 4d 7a c2 f9 d7 1d 47 4b de bf ae ca |.I..Mz....GK....| +00000270 03 56 84 31 01 37 80 85 79 fb d8 f4 72 9f 98 a3 |.V.1.7..y...r...| +00000280 44 d4 52 f8 af 8c 98 d8 66 69 f7 71 58 db 42 fa |D.R.....fi.qX.B.| +00000290 d7 c9 05 d1 9d 7a df 9f a9 b1 12 53 d2 70 fa ca |.....z.....S.p..| +000002a0 7e a6 de 8d ed 08 69 b2 34 45 3a a5 ba 1d 2e d8 |~.....i.4E:.....| +000002b0 d5 ee ee 60 16 18 cc e1 db aa e6 1b 19 5a ec e6 |...`.........Z..| +000002c0 b8 ec 51 46 99 6d 1e 83 9b 9d 44 a7 85 5a 10 23 |..QF.m....D..Z.#| +000002d0 74 a3 b6 09 b5 d7 2a 12 6a e2 2a da 5d 87 d9 fe |t.....*.j.*.]...| +000002e0 b6 c7 8f c8 03 27 b0 6e 98 57 6f e4 d5 8b 88 5d |.....'.n.Wo....]| +000002f0 0a b3 c4 a1 ae df 89 53 af d5 8e 59 97 2d 65 c0 |.......S...Y.-e.| +00000300 52 e8 5f 8a 37 3f 8b ef 77 fc 93 0c b5 50 3b 94 |R._.7?..w....P;.| +00000310 13 1b 3b 17 03 03 00 99 3e e8 05 5a 69 dc 0c 90 |..;.....>..Zi...| +00000320 a3 17 35 ea 27 2b da 64 44 72 30 5b 9c a5 6b 1b |..5.'+.dDr0[..k.| +00000330 c2 a8 af 38 c3 43 52 14 fd ec a8 8b c9 ab 6b 67 |...8.CR.......kg| +00000340 32 84 f9 b4 e1 89 08 8f 6a c2 2a 17 b9 f5 92 c8 |2.......j.*.....| +00000350 3a 97 62 98 b8 93 94 5d a1 6b 05 17 56 5d 6e b5 |:.b....].k..V]n.| +00000360 d3 72 a6 06 77 b2 45 fe 2d 37 10 7e b8 16 16 f4 |.r..w.E.-7.~....| +00000370 70 86 56 a4 be 52 54 3e 90 7d 47 66 23 35 e9 a2 |p.V..RT>.}Gf#5..| +00000380 e9 4f 86 e2 a7 b9 20 b6 c8 9f 19 08 6b 73 93 86 |.O.... .....ks..| +00000390 d7 8d 1a 9a 00 6b cf fb cb 32 5d 36 91 4f 39 e2 |.....k...2]6.O9.| +000003a0 f5 0d fa 37 3d b8 c6 86 cb 57 71 a8 c6 f8 74 cb |...7=....Wq...t.| +000003b0 c0 17 03 03 00 45 67 fe 1b 83 1a bf ac 3b ee 0f |.....Eg......;..| +000003c0 31 35 da 42 6c e3 3f 14 63 4a f3 5b 5b 02 76 c8 |15.Bl.?.cJ.[[.v.| +000003d0 21 84 7e 11 42 e3 8c e7 b6 7c 1d ba 41 ec dd 68 |!.~.B....|..A..h| +000003e0 73 4a 1b c5 bc 11 fa 22 33 9b 51 7d f0 27 88 4a |sJ....."3.Q}.'.J| +000003f0 1b bf e8 a9 3f f5 2f 9a 05 ce 07 17 03 03 00 9b |....?./.........| +00000400 da 09 d0 83 a3 24 92 94 b7 9f 34 10 7b 1c b9 e4 |.....$....4.{...| +00000410 ca 56 c9 8f 71 03 99 0b c5 ea 6d 50 6d 75 dd 7b |.V..q.....mPmu.{| +00000420 28 4d 5c 6e 32 83 61 36 68 0b 64 ac b7 6b ec bb |(M\n2.a6h.d..k..| +00000430 22 72 56 4b 6a 58 98 a2 62 9c 15 28 fa a8 38 a3 |"rVKjX..b..(..8.| +00000440 63 b7 8b d4 3d 63 3f 64 34 45 e2 f1 ad e6 3e 66 |c...=c?d4E....>f| +00000450 8e 45 5f 3e ca fc 5e a8 40 17 a9 ac c6 52 e4 4e |.E_>..^.@....R.N| +00000460 14 15 0b a1 00 db 8c a2 dd 41 35 74 1f f4 06 ac |.........A5t....| +00000470 72 8c 86 1f a9 de 6d 1c 24 6d 2d 37 f2 dd 1a f9 |r.....m.$m-7....| +00000480 60 0d 48 fc 8e a3 97 5a 9b 6b 99 13 77 4c f8 bf |`.H....Z.k..wL..| +00000490 b3 e5 db 07 31 3d b9 a9 56 9f c2 |....1=..V..| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 45 2a e9 8b e0 d6 |..........E*....| +00000010 52 b2 a9 01 20 d1 48 61 5e 6a c3 cf 79 14 f3 c0 |R... .Ha^j..y...| +00000020 8e 1f 76 2b 16 d5 53 c8 ae a8 a5 7b 14 aa 8c 4b |..v+..S....{...K| +00000030 5d 76 e6 dd 5b b9 1f 87 39 62 f6 e5 72 13 1e d0 |]v..[...9b..r...| +00000040 48 06 f5 d9 ce b8 4d 32 42 49 f1 dd 52 96 e5 68 |H.....M2BI..R..h| +>>> Flow 4 (server to client) +00000000 17 03 03 00 1e 97 3a d5 e2 f1 22 da d5 0a 3a 2c |......:..."...:,| +00000010 c1 c0 53 ff 44 bd 06 02 02 eb b6 91 c5 b3 d7 c7 |..S.D...........| +00000020 c2 6e 56 17 03 03 00 13 af c2 91 94 6e db 5e 62 |.nV.........n.^b| +00000030 9a 1e 40 e4 50 a1 b4 9c 16 45 be |..@.P....E.| diff --git a/pkg/tls/testdata/Server-TLSv13-ALPN b/pkg/tls/testdata/Server-TLSv13-ALPN new file mode 100644 index 000000000..7537272ee --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-ALPN @@ -0,0 +1,100 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 e2 01 00 00 de 03 03 35 09 24 92 91 |...........5.$..| +00000010 f9 de f8 f0 68 a2 6d f2 e6 2a df de f1 7c c4 44 |....h.m..*...|.D| +00000020 7b 22 14 03 29 2a f2 1b 6c a2 0e 20 e4 bc 0e 83 |{"..)*..l.. ....| +00000030 35 d7 c1 4c ea 8f ba 77 32 ae c9 44 b0 51 16 05 |5..L...w2..D.Q..| +00000040 06 03 6b c9 23 06 42 26 80 25 6d 67 00 04 13 03 |..k.#.B&.%mg....| +00000050 00 ff 01 00 00 91 00 0b 00 04 03 00 01 02 00 0a |................| +00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 |...............#| +00000070 00 00 00 10 00 10 00 0e 06 70 72 6f 74 6f 32 06 |.........proto2.| +00000080 70 72 6f 74 6f 31 00 16 00 00 00 17 00 00 00 0d |proto1..........| +00000090 00 1e 00 1c 04 03 05 03 06 03 08 07 08 08 08 09 |................| +000000a0 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 |................| +000000b0 00 2b 00 03 02 03 04 00 2d 00 02 01 01 00 33 00 |.+......-.....3.| +000000c0 26 00 24 00 1d 00 20 59 cf 4e a0 d2 89 c8 fd 8b |&.$... Y.N......| +000000d0 22 e8 ce 43 a4 b4 2b b3 9f 12 46 c0 21 2a 10 55 |"..C..+...F.!*.U| +000000e0 fd a7 6f 65 04 51 21 |..oe.Q!| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 e4 bc 0e 83 |........... ....| +00000030 35 d7 c1 4c ea 8f ba 77 32 ae c9 44 b0 51 16 05 |5..L...w2..D.Q..| +00000040 06 03 6b c9 23 06 42 26 80 25 6d 67 13 03 00 00 |..k.#.B&.%mg....| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /| +00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.| +00000080 03 03 00 01 01 17 03 03 00 24 7a a5 d4 28 fe 61 |.........$z..(.a| +00000090 12 68 43 19 5a 01 88 e7 ae 24 e4 6f d3 c6 e7 13 |.hC.Z....$.o....| +000000a0 32 aa 80 56 e2 1b 8c bb 5f ee 33 5f 86 8e 17 03 |2..V...._.3_....| +000000b0 03 02 6d ee 98 f9 eb 4c 74 7f 2b 73 22 7e 79 e7 |..m....Lt.+s"~y.| +000000c0 ed ed 93 f5 0b 68 0b 5a 14 79 45 83 9a b7 ea e7 |.....h.Z.yE.....| +000000d0 9b 89 21 97 c4 dc cd 89 e7 27 44 d9 5c de a2 79 |..!......'D.\..y| +000000e0 5c bb 9b f1 4a fc 3e 04 64 b4 70 cc 30 a3 3a bc |\...J.>.d.p.0.:.| +000000f0 4c d3 4d 90 b8 1c cf 3f ad 63 12 a6 b7 df 6a a5 |L.M....?.c....j.| +00000100 03 1f a6 96 d5 94 ea fd fc a3 95 2b 38 cb 25 47 |...........+8.%G| +00000110 63 d4 42 10 2c 91 d3 d9 12 79 e2 ba 3e 0b 82 09 |c.B.,....y..>...| +00000120 c6 02 ee 55 14 17 73 3e 11 17 e9 d7 b5 9c d2 b7 |...U..s>........| +00000130 d7 2f f0 23 51 a1 d3 71 68 9d 4c 01 98 a9 07 e0 |./.#Q..qh.L.....| +00000140 b0 fd f8 74 0c bc eb 5e 57 1d 48 65 ac 80 d4 f4 |...t...^W.He....| +00000150 4e 56 1d 89 ce ab 21 5e 5f a0 5c ed a3 e7 07 5d |NV....!^_.\....]| +00000160 c3 d9 9d 31 62 e0 91 2b c6 e2 5c f6 69 2a 06 b8 |...1b..+..\.i*..| +00000170 e1 24 92 39 7b 06 58 72 a1 84 87 c4 e9 53 83 12 |.$.9{.Xr.....S..| +00000180 2a 03 24 6a 9d 84 55 30 04 15 7b 68 88 46 75 6e |*.$j..U0..{h.Fun| +00000190 3f 0a f7 e8 9f 64 04 32 b7 5e 8c 64 82 ec 6d 9b |?....d.2.^.d..m.| +000001a0 e0 41 33 69 e4 75 51 d9 e3 ba 7a 9e 7b 8f b7 3e |.A3i.uQ...z.{..>| +000001b0 bc 30 3a 55 10 81 ec 1f f9 c1 77 30 3d 7e 3f b5 |.0:U......w0=~?.| +000001c0 db 44 a5 54 d1 b3 81 64 20 5d 8d 31 48 19 5a 2f |.D.T...d ].1H.Z/| +000001d0 4a b9 b2 31 b8 56 f4 9c 9d ac 35 5d 54 55 0b 09 |J..1.V....5]TU..| +000001e0 e0 10 13 47 b1 ad 3f 9b 62 39 84 4e 49 99 d0 38 |...G..?.b9.NI..8| +000001f0 fe 7d 8b f2 a5 50 ab 62 54 85 7f 70 ae 51 13 6a |.}...P.bT..p.Q.j| +00000200 7a 5d eb cd c6 e2 29 47 a6 e0 a2 b1 46 da bc 7c |z]....)G....F..|| +00000210 38 8b 45 a7 07 c1 f4 e6 fe f0 83 24 fa 87 d1 17 |8.E........$....| +00000220 d1 6b 0d 6f 96 2a 28 35 81 5c 78 6e a8 16 f9 0a |.k.o.*(5.\xn....| +00000230 71 47 72 5d 21 ad b9 93 63 16 b9 58 e6 22 66 86 |qGr]!...c..X."f.| +00000240 b5 43 c0 91 c9 cd 70 8e f9 c0 38 c9 4d 04 fa 39 |.C....p...8.M..9| +00000250 e1 02 46 59 85 67 38 35 ce 84 ec b9 34 50 84 03 |..FY.g85....4P..| +00000260 82 12 75 ee 4a c5 db 61 d1 31 2e c5 62 88 cb 10 |..u.J..a.1..b...| +00000270 c9 bc 65 7b cd df d5 0a 56 75 81 a0 a8 f0 ee 54 |..e{....Vu.....T| +00000280 f5 b3 c8 36 13 c7 6d 95 4a 72 61 d9 98 c4 08 dc |...6..m.Jra.....| +00000290 7f 35 de 4c 5b aa 6f 7d 6d f2 e0 e2 46 1f 5d 72 |.5.L[.o}m...F.]r| +000002a0 a5 c1 ee 5e af 34 44 8b 07 90 9a 2f d3 3e cf 8d |...^.4D..../.>..| +000002b0 69 54 19 ae 3e c2 89 55 5e 0b 98 e1 24 c5 6b 88 |iT..>..U^...$.k.| +000002c0 2e 67 83 9e cc 97 b0 06 58 7d 5f 82 55 21 d3 79 |.g......X}_.U!.y| +000002d0 04 d8 2e 59 08 67 78 70 ee bc 9b 26 12 50 da 5a |...Y.gxp...&.P.Z| +000002e0 40 66 45 b8 36 16 50 5b 93 15 a9 a8 c0 85 34 ee |@fE.6.P[......4.| +000002f0 d2 ee 4e 7d 66 28 f6 65 5c 88 3c b1 de e9 de 8b |..N}f(.e\.<.....| +00000300 e8 b2 51 d7 f0 51 69 fd fe f1 8c 57 df 3f d5 40 |..Q..Qi....W.?.@| +00000310 e8 54 a0 b2 59 e1 75 27 fc fd b7 41 d9 ad 49 5e |.T..Y.u'...A..I^| +00000320 17 03 03 00 99 2c 47 73 11 39 91 57 05 d0 f6 0f |.....,Gs.9.W....| +00000330 8c 6c f2 66 a0 d1 cd 3f 80 3c bb f3 27 78 83 64 |.l.f...?.<..'x.d| +00000340 4d 33 de b8 f5 8b 27 a9 1f 8b 75 9f b2 c6 d7 08 |M3....'...u.....| +00000350 13 8e 73 a6 81 0e 71 fd 7b 33 87 c2 23 6f bc ad |..s...q.{3..#o..| +00000360 9b e6 60 91 12 3f 74 de 8f 7c 49 9f 0a 74 cc e0 |..`..?t..|I..t..| +00000370 68 e3 50 cc ca 2f a2 30 a9 32 31 ec 92 5f 4d d1 |h.P../.0.21.._M.| +00000380 39 f1 4d f6 2d 21 3c 54 33 38 a2 46 c0 7a 55 8c |9.M.-!>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 de e1 cc 43 bc |..........5...C.| +00000010 ae b2 a6 66 68 d4 c4 b9 18 72 1f 26 f7 03 c9 6e |...fh....r.&...n| +00000020 9b 12 0e ff 65 ff f5 5f 84 6c fb 99 be e6 b3 07 |....e.._.l......| +00000030 db ea d2 33 cc 7e 8c eb 42 db db fd e8 21 62 b0 |...3.~..B....!b.| +>>> Flow 4 (server to client) +00000000 17 03 03 00 1e 1e 5c 6b 1e dd ea a2 1d bd 6e 66 |......\k......nf| +00000010 0b 99 e0 91 0b c1 3e 9b 49 e7 40 0d a7 7a bb 31 |......>.I.@..z.1| +00000020 4c 5c c2 17 03 03 00 13 a5 98 a7 8a 05 a7 bb 60 |L\.............`| +00000030 11 aa b3 05 f6 cd 8b 16 3d 97 3e |........=.>| diff --git a/pkg/tls/testdata/Server-TLSv13-ALPN-Fallback b/pkg/tls/testdata/Server-TLSv13-ALPN-Fallback new file mode 100644 index 000000000..d4a054d68 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-ALPN-Fallback @@ -0,0 +1,99 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 eb 01 00 00 e7 03 03 ca 9d 80 22 cc |..............".| +00000010 77 d9 f2 87 3f a8 93 a1 13 6f a0 f5 4e d0 1b fe |w...?....o..N...| +00000020 cc 04 c0 7c 8d 7d 2e 5c c2 6d 69 20 1e 1f 96 97 |...|.}.\.mi ....| +00000030 82 97 85 5b fd c1 59 cb a5 2a 91 c1 b5 88 06 6c |...[..Y..*.....l| +00000040 b0 ed 5c 41 78 cc f6 3c 28 d9 29 2b 00 04 13 03 |..\Ax..<(.)+....| +00000050 00 ff 01 00 00 9a 00 0b 00 04 03 00 01 02 00 0a |................| +00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 |...............#| +00000070 00 00 00 10 00 19 00 17 06 70 72 6f 74 6f 33 08 |.........proto3.| +00000080 68 74 74 70 2f 31 2e 31 06 70 72 6f 74 6f 34 00 |http/1.1.proto4.| +00000090 16 00 00 00 17 00 00 00 0d 00 1e 00 1c 04 03 05 |................| +000000a0 03 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 |................| +000000b0 05 08 06 04 01 05 01 06 01 00 2b 00 03 02 03 04 |..........+.....| +000000c0 00 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 |.-.....3.&.$... | +000000d0 c1 26 2b f3 64 5e 41 1a 11 9c 1d 4b 09 bd f4 98 |.&+.d^A....K....| +000000e0 b4 7d 06 bb 88 97 5c ef 01 24 0b 3d 9e ed 91 0f |.}....\..$.=....| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 1e 1f 96 97 |........... ....| +00000030 82 97 85 5b fd c1 59 cb a5 2a 91 c1 b5 88 06 6c |...[..Y..*.....l| +00000040 b0 ed 5c 41 78 cc f6 3c 28 d9 29 2b 13 03 00 00 |..\Ax..<(.)+....| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /| +00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.| +00000080 03 03 00 01 01 17 03 03 00 17 ca 84 74 0d 35 9d |............t.5.| +00000090 80 3d d8 95 cb f2 12 f1 10 6b f6 91 12 ab 37 ea |.=.......k....7.| +000000a0 a2 17 03 03 02 6d 1e 6b ca 76 70 67 ce 22 70 8c |.....m.k.vpg."p.| +000000b0 ab 4d 33 a8 2e 93 77 2c 2f b1 7a e3 42 ca 83 e2 |.M3...w,/.z.B...| +000000c0 e5 c9 45 dc 97 d3 85 64 e8 07 13 c8 55 7c cd bf |..E....d....U|..| +000000d0 20 d1 3b 43 a7 13 a1 f6 66 0e 98 e7 23 18 cf 38 | .;C....f...#..8| +000000e0 d3 92 d7 29 30 44 fa dc 81 1d e3 04 ca b0 b3 08 |...)0D..........| +000000f0 d4 a4 64 18 f4 4f 06 ca ca a0 bb 90 38 6d 09 21 |..d..O......8m.!| +00000100 42 c1 a0 c4 51 90 78 61 b1 55 eb 63 8d 65 73 47 |B...Q.xa.U.c.esG| +00000110 7c 6d f5 7f c6 dc 55 a1 a3 a4 16 6b 2d 62 d2 8d ||m....U....k-b..| +00000120 1f 96 8f 84 96 a6 94 f0 a0 9e 03 04 67 a2 e9 e3 |............g...| +00000130 38 0c cd f3 af 45 77 65 33 06 e7 aa cf a0 e6 01 |8....Ewe3.......| +00000140 a7 5f 62 95 32 18 b9 58 03 db 9c ca c7 50 80 cf |._b.2..X.....P..| +00000150 15 1c b0 7e 97 30 bb e2 bf d5 67 f4 e1 87 1e 07 |...~.0....g.....| +00000160 71 2f f5 31 7e 7e 05 8a cb a1 98 83 de de aa 87 |q/.1~~..........| +00000170 b9 d2 4a 5e 4c 27 04 15 6b 3a 21 02 28 2c 3a 76 |..J^L'..k:!.(,:v| +00000180 64 1f b0 f3 45 1e 2a fc 97 3f 0e 18 c8 00 a2 0b |d...E.*..?......| +00000190 51 4a 8f 1d d7 a6 d7 b9 64 11 bc ed 74 c9 90 bd |QJ......d...t...| +000001a0 a3 27 b3 c0 95 ea 49 88 af de 76 d9 82 67 01 0f |.'....I...v..g..| +000001b0 60 f1 f7 84 7e 56 46 65 c7 42 cc fb 99 25 a3 77 |`...~VFe.B...%.w| +000001c0 c5 8c 02 87 4e d4 78 17 0d 16 f1 00 de f9 d5 0b |....N.x.........| +000001d0 36 28 f5 27 59 4b fd ba 38 cb 3c 53 3d 02 3b 77 |6(.'YK..8....f..I| +00000200 9a cd 52 91 5e bc 1f a5 c6 78 2c d0 a4 67 14 3f |..R.^....x,..g.?| +00000210 94 2a 9c 9f 47 ee fa c7 50 ca 00 c2 30 69 d9 ca |.*..G...P...0i..| +00000220 30 b7 ac f4 3b d9 91 d7 33 40 87 de d9 a2 7f 77 |0...;...3@.....w| +00000230 5b b0 57 ca 10 03 ec 3b 95 e9 c2 de 50 f1 28 7a |[.W....;....P.(z| +00000240 49 c1 be ef 6d 99 ea 98 47 8b af 51 d0 fb 0a d0 |I...m...G..Q....| +00000250 b5 b2 ad e3 69 ba fc 34 c7 aa 04 8b d5 fc 17 54 |....i..4.......T| +00000260 e1 51 f0 26 32 21 71 90 0e 30 10 f6 68 6f 53 b7 |.Q.&2!q..0..hoS.| +00000270 b6 d8 1c 13 0a c9 fb 9e 46 13 22 4c 7c 93 18 ed |........F."L|...| +00000280 b8 72 69 56 00 ab df ec f5 4c 32 60 0e a4 a3 b0 |.riV.....L2`....| +00000290 b3 12 5c 61 26 1c aa b2 c2 68 64 65 cc 01 57 c9 |..\a&....hde..W.| +000002a0 70 18 f7 db 2c 0d 24 b3 68 3a 08 db 07 ff 3c f5 |p...,.$.h:....<.| +000002b0 2e 9a 1e d1 9c 62 4d 6d 4b 48 37 dd 62 0b 2b ab |.....bMmKH7.b.+.| +000002c0 49 a1 0f 7e 1b 6f 4e 43 69 63 3d 8e ce 51 f9 32 |I..~.oNCic=..Q.2| +000002d0 4e f4 21 97 f5 16 e4 2b 0b f3 6f 5d 15 7e 68 dd |N.!....+..o].~h.| +000002e0 c6 5b 5f ac 56 42 99 76 28 38 d2 8b ed 0e c6 a4 |.[_.VB.v(8......| +000002f0 69 d3 f1 c4 a9 d6 7a d2 00 ac ad ff 9c d2 8d 1e |i.....z.........| +00000300 46 88 64 24 51 78 2a a8 4a ea a4 fa 28 3b 70 3a |F.d$Qx*.J...(;p:| +00000310 75 8b 9d 17 03 03 00 99 22 d3 e9 8f ae 4e 5e 17 |u......."....N^.| +00000320 3e 86 54 cd fd 66 68 c6 fe 73 ac 19 98 c1 a1 66 |>.T..fh..s.....f| +00000330 4f 7a 4f 5e 0b c5 a1 43 74 d4 c2 0a ce 45 05 2f |OzO^...Ct....E./| +00000340 5f f1 1b 50 eb 08 8f 36 30 f0 78 e9 1d c1 e5 b0 |_..P...60.x.....| +00000350 cf 27 14 ed 67 ed 12 7e f1 4c 10 e8 ff 6f 13 7d |.'..g..~.L...o.}| +00000360 0f a8 c3 b6 19 22 9a 68 9b ab 6d 77 09 f5 56 de |.....".h..mw..V.| +00000370 84 23 d6 ed 38 62 06 4b 05 9b 59 39 2f 09 65 70 |.#..8b.K..Y9/.ep| +00000380 9e 9c f9 fe a2 e4 db 1e c0 12 d2 ee 41 77 b3 05 |............Aw..| +00000390 a1 c3 bb 41 70 0e dd f7 0d ca 41 58 12 9e 4f 23 |...Ap.....AX..O#| +000003a0 2e 72 00 9b 19 70 78 54 b4 27 69 16 15 e8 6f d4 |.r...pxT.'i...o.| +000003b0 e7 17 03 03 00 35 ad df 36 e1 d4 a4 04 8e fa 1a |.....5..6.......| +000003c0 77 da e7 99 62 e9 8f a0 27 af a6 ba 7f 47 49 47 |w...b...'....GIG| +000003d0 aa a3 bd bb cd 32 f6 e6 90 77 95 34 e5 72 f0 f9 |.....2...w.4.r..| +000003e0 75 8c cf 25 5b bc 2a b0 98 be fb 17 03 03 00 8b |u..%[.*.........| +000003f0 e9 20 f8 90 78 d5 78 11 c3 bb 5c 41 f0 cd 51 3e |. ..x.x...\A..Q>| +00000400 a1 20 bb 72 98 e3 d1 fe 9d 61 ae a4 8f 71 57 6c |. .r.....a...qWl| +00000410 e7 68 de 63 95 ed 46 00 f4 8f cd 59 c7 97 7f 98 |.h.c..F....Y....| +00000420 61 f3 68 18 18 1e 94 16 f7 f2 de 73 81 3d a5 7e |a.h........s.=.~| +00000430 12 68 65 70 6f ca bd 2b 92 f8 7c ec 88 2c 3f c0 |.hepo..+..|..,?.| +00000440 76 52 cc e3 38 e0 ce 0b dc 35 ef 87 cf ea 4b 2b |vR..8....5....K+| +00000450 53 88 52 3f f6 e1 d7 ea 5f a2 d9 4f a7 03 ac c1 |S.R?...._..O....| +00000460 7d ab 95 ce a5 f5 00 53 f6 6d ab 7e 07 88 51 9b |}......S.m.~..Q.| +00000470 2c e9 e9 ac 1b f9 17 ac 33 17 00 |,.......3..| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 52 13 5e 7a c8 |..........5R.^z.| +00000010 3e b6 e1 8e 59 c9 cf 54 0b c8 c2 17 ab 76 0d 3d |>...Y..T.....v.=| +00000020 ec 5c 76 2c 21 21 f3 1e a7 25 ba 67 97 8a 8f de |.\v,!!...%.g....| +00000030 03 7d 1a bc 0a 9e c7 e7 02 52 cf d4 80 3e 80 7e |.}.......R...>.~| +>>> Flow 4 (server to client) +00000000 17 03 03 00 1e 77 f7 66 ab db 08 5c e5 9d 7f a3 |.....w.f...\....| +00000010 f7 37 24 70 e7 7c d2 44 25 de 3d c3 71 18 aa 24 |.7$p.|.D%.=.q..$| +00000020 9b 9d 18 17 03 03 00 13 e3 6e e2 8a d9 ae 0f c3 |.........n......| +00000030 ad 90 03 90 40 be 42 fe 4e ad d2 |....@.B.N..| diff --git a/pkg/tls/testdata/Server-TLSv13-ALPN-NoMatch b/pkg/tls/testdata/Server-TLSv13-ALPN-NoMatch new file mode 100644 index 000000000..a8b3d8073 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-ALPN-NoMatch @@ -0,0 +1,18 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 e2 01 00 00 de 03 03 3d ae 42 d4 d3 |...........=.B..| +00000010 a9 75 5b a6 8f 9f 47 6f fe e7 3d 3e 5c d8 35 01 |.u[...Go..=>\.5.| +00000020 c9 25 fd 94 e4 ac 7e b4 e1 4e 0f 20 56 29 44 cd |.%....~..N. V)D.| +00000030 7f 99 7b a6 9a 4d d4 3c e8 01 00 93 e5 e0 a8 7b |..{..M.<.......{| +00000040 81 13 85 e9 2e 4e 12 a2 b9 d4 7d 8e 00 04 13 03 |.....N....}.....| +00000050 00 ff 01 00 00 91 00 0b 00 04 03 00 01 02 00 0a |................| +00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 |...............#| +00000070 00 00 00 10 00 10 00 0e 06 70 72 6f 74 6f 32 06 |.........proto2.| +00000080 70 72 6f 74 6f 31 00 16 00 00 00 17 00 00 00 0d |proto1..........| +00000090 00 1e 00 1c 04 03 05 03 06 03 08 07 08 08 08 09 |................| +000000a0 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 |................| +000000b0 00 2b 00 03 02 03 04 00 2d 00 02 01 01 00 33 00 |.+......-.....3.| +000000c0 26 00 24 00 1d 00 20 3c 8b f2 09 ad ff 96 76 0f |&.$... <......v.| +000000d0 9b 05 eb c8 5a 48 68 be a6 6e dd f6 f5 7d 56 89 |....ZHh..n...}V.| +000000e0 ff 37 75 13 b1 1b 01 |.7u....| +>>> Flow 2 (server to client) +00000000 15 03 03 00 02 02 78 |......x| diff --git a/pkg/tls/testdata/Server-TLSv13-ALPN-NotConfigured b/pkg/tls/testdata/Server-TLSv13-ALPN-NotConfigured new file mode 100644 index 000000000..c4bd0356a --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-ALPN-NotConfigured @@ -0,0 +1,99 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 e2 01 00 00 de 03 03 1f f5 b0 88 a0 |................| +00000010 fd 0e cd 4d 25 21 88 bf 07 16 95 49 6a 78 2d 70 |...M%!.....Ijx-p| +00000020 25 f7 06 36 f2 98 4c 23 16 41 a5 20 87 60 d3 78 |%..6..L#.A. .`.x| +00000030 c7 ab 8b f9 2b 2c 21 1e f4 5b 25 bc 81 53 18 5c |....+,!..[%..S.\| +00000040 3b 7e dd 3e 7b c4 ee d1 f8 9d bf 7a 00 04 13 03 |;~.>{......z....| +00000050 00 ff 01 00 00 91 00 0b 00 04 03 00 01 02 00 0a |................| +00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 |...............#| +00000070 00 00 00 10 00 10 00 0e 06 70 72 6f 74 6f 32 06 |.........proto2.| +00000080 70 72 6f 74 6f 31 00 16 00 00 00 17 00 00 00 0d |proto1..........| +00000090 00 1e 00 1c 04 03 05 03 06 03 08 07 08 08 08 09 |................| +000000a0 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 |................| +000000b0 00 2b 00 03 02 03 04 00 2d 00 02 01 01 00 33 00 |.+......-.....3.| +000000c0 26 00 24 00 1d 00 20 5f 8f fa 0f 94 46 78 3d a9 |&.$... _....Fx=.| +000000d0 7d d8 2b 65 f6 c1 55 6b fd aa 4b 65 23 7b ad 13 |}.+e..Uk..Ke#{..| +000000e0 88 06 ce 54 f1 77 63 |...T.wc| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 87 60 d3 78 |........... .`.x| +00000030 c7 ab 8b f9 2b 2c 21 1e f4 5b 25 bc 81 53 18 5c |....+,!..[%..S.\| +00000040 3b 7e dd 3e 7b c4 ee d1 f8 9d bf 7a 13 03 00 00 |;~.>{......z....| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /| +00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.| +00000080 03 03 00 01 01 17 03 03 00 17 30 cc 27 0f 8c cd |..........0.'...| +00000090 77 85 98 61 e4 19 19 63 ac 5b 55 37 c2 73 6d f6 |w..a...c.[U7.sm.| +000000a0 a1 17 03 03 02 6d 5f 60 9f d3 fc 5e 57 fb b6 35 |.....m_`...^W..5| +000000b0 99 3c a7 65 6f eb b5 89 5a 3c be e1 a5 c7 af 14 |.<.eo...Z<......| +000000c0 67 d4 0c 87 d4 dd c9 28 1c 5c 89 c6 55 68 e0 b3 |g......(.\..Uh..| +000000d0 42 d8 e4 4f 64 df 26 4a a2 14 eb 34 69 9f 8d 8e |B..Od.&J...4i...| +000000e0 fc 21 db 17 93 37 7d d4 57 bb 76 4d 1e 70 9f 58 |.!...7}.W.vM.p.X| +000000f0 f3 ae 12 71 aa 4b 30 e3 86 92 32 c6 55 12 08 42 |...q.K0...2.U..B| +00000100 bf 6a 6a f9 79 b9 50 37 11 15 a4 b3 c8 a8 16 da |.jj.y.P7........| +00000110 e9 62 ed 3d 80 da 38 22 c6 c3 fd 1c b2 d2 8c 74 |.b.=..8".......t| +00000120 23 39 70 67 b0 34 25 24 eb 72 e2 c1 63 d6 48 09 |#9pg.4%$.r..c.H.| +00000130 ee d7 5e 15 2b 78 64 97 c8 d0 6b 2a 1c b6 d8 12 |..^.+xd...k*....| +00000140 9e 9a b5 dc 24 51 5a 38 a1 4c 9c df 74 3f 63 f0 |....$QZ8.L..t?c.| +00000150 d2 45 49 58 5c 3c 42 f2 56 fd bc 0e c1 d6 8b 7d |.EIX\@;#...| +00000350 b0 1d b7 bb 4f 90 8c 73 5a d2 f5 5b 4a 74 b0 25 |....O..sZ..[Jt.%| +00000360 eb a8 7e a0 9d 1a e4 4e bf 4f 55 b8 9d 93 cf 5b |..~....N.OU....[| +00000370 a4 22 3d 3b d5 8f 23 de 41 70 47 d8 3b 82 6b ba |."=;..#.ApG.;.k.| +00000380 26 f2 a2 e9 45 8e a9 72 1e 37 2e 0d a9 4b 54 b2 |&...E..r.7...KT.| +00000390 6f 8f ec 04 97 86 b4 e4 4c cc f1 ed c9 e1 61 b1 |o.......L.....a.| +000003a0 f8 a2 d7 fc a5 1a 8c 44 95 16 fc e3 25 b1 a9 d6 |.......D....%...| +000003b0 21 17 03 03 00 35 fa ad 27 32 8d 61 3a 32 36 ef |!....5..'2.a:26.| +000003c0 ea ff 4e 95 cd a6 83 19 e2 72 85 44 33 b2 c0 45 |..N......r.D3..E| +000003d0 f0 34 92 ca 5a a2 14 4c 6c a3 95 bd fe 3b f8 fd |.4..Z..Ll....;..| +000003e0 e1 11 9b f6 8f 4f c6 ae 05 31 55 17 03 03 00 8b |.....O...1U.....| +000003f0 8a a3 df b3 a0 68 8a e1 4f db c6 2a 8e df dc b6 |.....h..O..*....| +00000400 07 b5 c4 c7 34 7f d8 e9 3f 88 0f 15 14 01 50 bc |....4...?.....P.| +00000410 64 05 8d 91 fa 24 1e 0e cf db 11 8c 46 58 6e f1 |d....$......FXn.| +00000420 09 68 14 9a 89 e0 6b ef ac 90 27 69 2b 01 6c 2e |.h....k...'i+.l.| +00000430 6d e9 26 9f b1 ff b8 6c 8b 33 bb e8 42 54 85 c9 |m.&....l.3..BT..| +00000440 14 d5 89 48 50 a6 8d be dd b8 96 f1 45 4f 90 08 |...HP.......EO..| +00000450 da cf 1f 75 33 85 d9 be 8e a5 4a c5 be a9 a3 16 |...u3.....J.....| +00000460 f6 37 02 79 ea c3 e5 10 ed ff d5 f2 3d 46 7b ed |.7.y........=F{.| +00000470 bf be 36 a2 8a 00 9f 30 02 54 71 |..6....0.Tq| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 b6 3d e7 c7 a8 |..........5.=...| +00000010 2d c2 a7 8b cc 13 db 7d c2 75 18 f9 86 20 2b f0 |-......}.u... +.| +00000020 e1 5d 11 b1 2d df 0c 12 a7 c5 3a 28 97 6e f8 f0 |.]..-.....:(.n..| +00000030 7f c0 81 72 68 a5 41 68 59 ef da 3e 2f ef 97 45 |...rh.AhY..>/..E| +>>> Flow 4 (server to client) +00000000 17 03 03 00 1e fd 53 e4 87 a2 41 38 98 a6 d8 fa |......S...A8....| +00000010 7b 65 66 98 37 a6 4a 06 6b 25 11 66 ed 9c 00 22 |{ef.7.J.k%.f..."| +00000020 83 6e f5 17 03 03 00 13 fc bb b9 93 79 3c 94 6c |.n..........y<.l| +00000030 1d 48 d9 5c 3e 51 86 fb 2a 0d d8 |.H.\>Q..*..| diff --git a/pkg/tls/testdata/Server-TLSv13-CHACHA20-SHA256 b/pkg/tls/testdata/Server-TLSv13-CHACHA20-SHA256 new file mode 100644 index 000000000..1357ed41b --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-CHACHA20-SHA256 @@ -0,0 +1,97 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 ca 01 00 00 c6 03 03 c4 32 0e 10 66 |............2..f| +00000010 40 b2 cd 10 90 69 42 31 34 21 b1 a4 0e 15 f9 1e |@....iB14!......| +00000020 cd 2b 1d 1a 9a a5 4c 27 87 aa ba 20 6a f8 a9 57 |.+....L'... j..W| +00000030 72 d6 5b 81 86 e7 df a0 9c a3 f4 21 30 c9 68 f3 |r.[........!0.h.| +00000040 81 7c 2a 3a c6 fe 97 d7 40 c9 41 79 00 04 13 03 |.|*:....@.Ay....| +00000050 00 ff 01 00 00 79 00 0b 00 04 03 00 01 02 00 0a |.....y..........| +00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................| +00000070 00 00 00 17 00 00 00 0d 00 1e 00 1c 04 03 05 03 |................| +00000080 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 |................| +00000090 08 06 04 01 05 01 06 01 00 2b 00 03 02 03 04 00 |.........+......| +000000a0 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 89 |-.....3.&.$... .| +000000b0 77 64 a7 d7 9f 30 4d 07 5c 4c f5 3b 67 a3 f2 e3 |wd...0M.\L.;g...| +000000c0 55 bb bb 9f 2e 18 26 04 b2 1a a2 64 c5 39 67 |U.....&....d.9g| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 6a f8 a9 57 |........... j..W| +00000030 72 d6 5b 81 86 e7 df a0 9c a3 f4 21 30 c9 68 f3 |r.[........!0.h.| +00000040 81 7c 2a 3a c6 fe 97 d7 40 c9 41 79 13 03 00 00 |.|*:....@.Ay....| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /| +00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.| +00000080 03 03 00 01 01 17 03 03 00 17 db 02 44 4c 7e 06 |............DL~.| +00000090 95 c7 f2 f7 8f f7 80 96 d0 11 b7 d7 d6 9e 40 3b |..............@;| +000000a0 0f 17 03 03 02 6d 63 90 e6 9e e7 fd 52 34 74 8f |.....mc.....R4t.| +000000b0 e5 db e8 90 49 90 89 8a c3 7f 33 a0 c7 91 2a 3f |....I.....3...*?| +000000c0 c5 1f 0c 00 58 9f 5e d7 01 35 24 92 a7 66 db 0e |....X.^..5$..f..| +000000d0 fd d3 6c ff 58 61 56 39 b3 9b 05 d2 a1 9f ab f1 |..l.XaV9........| +000000e0 29 ce b0 c6 37 c5 56 8d 0b 2a bd 0c 04 a3 c8 4e |)...7.V..*.....N| +000000f0 61 08 44 4b b7 f1 12 60 a9 f6 e7 02 14 e7 d4 1a |a.DK...`........| +00000100 cf e6 4d ce 11 7c e3 7b 44 95 6d fa 8e b2 3b f4 |..M..|.{D.m...;.| +00000110 bb 8e fa ed be ec fb f4 1d d0 12 56 d3 64 c8 cd |...........V.d..| +00000120 58 e0 e0 df c1 f2 c7 b5 7a 6c 23 ff d1 78 b7 76 |X.......zl#..x.v| +00000130 a5 96 66 5c 4e 49 5a 8e fd 9d 74 dc e7 f0 99 f8 |..f\NIZ...t.....| +00000140 d5 95 7a 5b ba b6 ab 87 90 a5 35 19 bf 99 2c 04 |..z[......5...,.| +00000150 93 61 e3 9b 5c 06 48 38 f0 25 8a be 30 cd 43 c0 |.a..\.H8.%..0.C.| +00000160 10 c9 1d 51 3e 93 5f 6c 02 1c 38 fe 78 44 1a ea |...Q>._l..8.xD..| +00000170 99 a4 ef 7d 03 ce 71 95 d7 1d e1 b3 b8 e2 20 99 |...}..q....... .| +00000180 aa 30 0f c1 75 a7 0d 39 98 12 96 27 c6 39 b8 57 |.0..u..9...'.9.W| +00000190 6e ab 79 c7 91 c2 56 9d b3 e1 cb 17 6a cc 42 47 |n.y...V.....j.BG| +000001a0 fc a4 52 10 ab cd 4b 1f 65 3e 35 61 ed 38 99 7b |..R...K.e>5a.8.{| +000001b0 a7 79 02 f2 16 cb 85 fb 85 f8 86 56 40 6b ee 2f |.y.........V@k./| +000001c0 38 c6 4f 9c 25 14 b6 e4 5f 5c cc 73 ef 69 f3 5a |8.O.%..._\.s.i.Z| +000001d0 c6 ef 0d 65 e8 d4 f8 c6 0c 5b 09 88 4d 09 e7 50 |...e.....[..M..P| +000001e0 86 d0 2d 6c 8c 99 d0 d9 6a 24 77 97 47 59 9d ce |..-l....j$w.GY..| +000001f0 b9 a5 34 99 f6 0b 08 9a 7e 79 8d 84 8e c2 ae ac |..4.....~y......| +00000200 ca b3 af 5d 7d 96 d2 99 3b da ee ec 36 b3 ad 71 |...]}...;...6..q| +00000210 89 17 de 52 71 75 99 ca e7 02 c2 ab ae da 5b 22 |...Rqu........["| +00000220 a7 88 0c ae c5 c0 b0 1f 3c cd da fa e7 8b 39 46 |........<.....9F| +00000230 84 c0 1a 33 29 ed 90 0e 5b 32 86 96 9f 97 69 66 |...3)...[2....if| +00000240 90 08 0e 0e 84 4d 43 55 c1 be 08 20 85 fc 9d 7a |.....MCU... ...z| +00000250 a6 df e8 31 b0 35 c3 69 b6 14 b2 ec 6c 7d ad ae |...1.5.i....l}..| +00000260 2b b4 c0 5a d1 07 a7 45 17 93 d6 a5 50 d0 e4 cc |+..Z...E....P...| +00000270 97 85 5d 06 21 62 e2 95 d7 b5 a5 a9 08 cf 34 f4 |..].!b........4.| +00000280 ae cc 17 e4 0e 4e 5a 13 b1 73 03 45 b9 29 b5 45 |.....NZ..s.E.).E| +00000290 77 a1 4b 2f 8f c5 72 41 dc ab f9 b7 f3 72 28 f4 |w.K/..rA.....r(.| +000002a0 cb 08 07 0a 20 7c 8b 26 70 92 7b 7b b9 99 61 0a |.... |.&p.{{..a.| +000002b0 63 17 e2 96 86 0a 6a 56 a1 90 1f 5e 50 bb 7f 72 |c.....jV...^P..r| +000002c0 73 58 f4 25 c8 18 ec a5 b1 86 cd 96 77 57 91 67 |sX.%........wW.g| +000002d0 76 e1 7a bf 1b 40 62 a0 58 d7 e8 2c 4c 86 7b ed |v.z..@b.X..,L.{.| +000002e0 7f 3f 43 38 88 97 f7 a1 5f 22 0c a0 4a a4 b3 b9 |.?C8...._"..J...| +000002f0 11 2c 31 f3 98 f0 21 42 fb 42 a7 9e 38 ce 58 5f |.,1...!B.B..8.X_| +00000300 bc d0 a5 43 07 d2 e1 4b 5f 5c fd 56 da 99 63 2a |...C...K_\.V..c*| +00000310 0d 7f 46 17 03 03 00 99 bf be 5f 82 e4 2b d8 9f |..F......._..+..| +00000320 cf ab 68 b0 3d a4 a0 c7 c3 41 dd e5 46 cf 7b 55 |..h.=....A..F.{U| +00000330 c7 6d 76 e4 62 60 c5 ae d3 a0 f0 44 8c 88 de 05 |.mv.b`.....D....| +00000340 5e 5e 03 61 fe 66 22 31 cf f5 75 b6 97 51 36 79 |^^.a.f"1..u..Q6y| +00000350 f0 b7 d1 7f e6 1a fa 04 73 23 ad 66 f8 6c 47 a7 |........s#.f.lG.| +00000360 cc 0b 96 c4 a7 a8 e8 4c 91 bc c9 32 30 ec db 2e |.......L...20...| +00000370 73 68 00 5b c3 83 17 60 51 b1 03 8d c3 f9 e1 e8 |sh.[...`Q.......| +00000380 f7 e7 a8 f4 94 b7 4f c1 bf aa 50 49 61 b1 11 0a |......O...PIa...| +00000390 78 24 cc 16 3b e5 10 72 95 df e4 a3 5d 2c ff ad |x$..;..r....],..| +000003a0 bd 50 04 93 3c 3c 48 28 0b e3 d9 d3 db 4d 4a 8f |.P..<.n....Rs| +00000410 b0 01 2c 04 8e 7b 70 c3 36 85 a4 44 aa 15 63 d6 |..,..{p.6..D..c.| +00000420 7d f4 81 86 3c 1e ad d3 b3 2c ea 33 bf 0e 71 68 |}...<....,.3..qh| +00000430 4a 1a 3a 98 bb 21 d4 75 6c 0d d2 30 b4 b3 86 5d |J.:..!.ul..0...]| +00000440 90 ab 49 dc 18 4f 08 10 8b 23 8d bd 61 68 75 ee |..I..O...#..ahu.| +00000450 87 62 54 2d 2d 1e c0 39 5c eb 32 40 7a da 4d 2f |.bT--..9\.2@z.M/| +00000460 83 f9 e8 1f 71 d7 79 99 24 8a b7 13 25 64 a6 ae |....q.y.$...%d..| +00000470 29 e2 48 6f f7 52 cf a4 aa c2 70 |).Ho.R....p| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 5e e5 2f e4 ed |..........5^./..| +00000010 87 c3 26 01 1a d0 4d c7 95 16 76 be 17 a3 f4 1f |..&...M...v.....| +00000020 57 27 f6 19 62 30 7e f0 47 6e 11 7f ce 85 54 9a |W'..b0~.Gn....T.| +00000030 1e 86 9a c6 10 5e 38 3c 0a de d1 4e 7e f1 9d 0f |.....^8<...N~...| +>>> Flow 4 (server to client) +00000000 17 03 03 00 1e 1f a0 f2 e5 47 62 54 e2 07 3d e2 |.........GbT..=.| +00000010 42 8a be ec e0 92 4e ae 1e 7a 75 6f 8d c0 65 73 |B.....N..zuo..es| +00000020 b5 eb bc 17 03 03 00 13 89 03 04 f9 42 a9 6d cf |............B.m.| +00000030 68 67 f4 ca e0 87 f9 ef d4 42 6a |hg.......Bj| diff --git a/pkg/tls/testdata/Server-TLSv13-ClientAuthRequestedAndECDSAGiven b/pkg/tls/testdata/Server-TLSv13-ClientAuthRequestedAndECDSAGiven new file mode 100644 index 000000000..a957c2639 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-ClientAuthRequestedAndECDSAGiven @@ -0,0 +1,180 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 ca 01 00 00 c6 03 03 cd 87 c0 5e 7c |..............^|| +00000010 7b d7 c6 77 d9 21 6f 46 00 07 88 61 18 8c b9 d4 |{..w.!oF...a....| +00000020 ad 25 6a 9d 7e 54 cc 70 52 7c 0f 20 67 9b dd 18 |.%j.~T.pR|. g...| +00000030 84 bb 23 7d 53 10 b9 6c 01 ef 30 6f 79 7d 64 5c |..#}S..l..0oy}d\| +00000040 79 3e c1 11 8f 75 cf 83 02 d3 e8 d9 00 04 13 01 |y>...u..........| +00000050 00 ff 01 00 00 79 00 0b 00 04 03 00 01 02 00 0a |.....y..........| +00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................| +00000070 00 00 00 17 00 00 00 0d 00 1e 00 1c 04 03 05 03 |................| +00000080 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 |................| +00000090 08 06 04 01 05 01 06 01 00 2b 00 03 02 03 04 00 |.........+......| +000000a0 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 d7 |-.....3.&.$... .| +000000b0 18 8a c1 a5 4d cb 7c f2 7d e4 cf 7a c6 92 28 ee |....M.|.}..z..(.| +000000c0 a6 b4 79 65 bf 2b fb 71 2e a5 2a 58 da 6f 5e |..ye.+.q..*X.o^| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 67 9b dd 18 |........... g...| +00000030 84 bb 23 7d 53 10 b9 6c 01 ef 30 6f 79 7d 64 5c |..#}S..l..0oy}d\| +00000040 79 3e c1 11 8f 75 cf 83 02 d3 e8 d9 13 01 00 00 |y>...u..........| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /| +00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.| +00000080 03 03 00 01 01 17 03 03 00 17 4d 4b 33 12 cb ed |..........MK3...| +00000090 f7 a2 55 e7 a6 ab 5b b1 55 16 30 c3 ee e1 5c 14 |..U...[.U.0...\.| +000000a0 b8 17 03 03 00 3e 30 04 2a e5 e8 b8 f3 25 9b a9 |.....>0.*....%..| +000000b0 92 e6 eb d9 fb b6 62 64 e2 de 9d c0 48 68 b3 d7 |......bd....Hh..| +000000c0 0f 8b ad 21 69 c7 f0 d7 96 ff 6a 24 2f 01 c9 e7 |...!i.....j$/...| +000000d0 e9 06 4b 93 94 67 97 44 46 c4 69 2f 0e aa e0 9b |..K..g.DF.i/....| +000000e0 8d 19 f2 2c 17 03 03 02 6d a1 fb 2b 5f 10 e9 62 |...,....m..+_..b| +000000f0 8b ad c1 33 58 f6 a7 89 78 a6 dd 64 ff c2 c7 57 |...3X...x..d...W| +00000100 80 9f 59 be 2d bd f5 b9 8a 6b d9 22 1c fe 10 ea |..Y.-....k."....| +00000110 c4 a5 3e 45 d9 d7 12 cf 48 d5 26 18 49 50 80 69 |..>E....H.&.IP.i| +00000120 44 28 03 3b b6 f8 0a 0e b4 cb 5e 5b 57 0f c0 2f |D(.;......^[W../| +00000130 59 4f 13 e3 9c 02 18 b1 ce 94 78 05 18 64 73 c6 |YO........x..ds.| +00000140 05 89 d1 54 37 18 ea 09 61 08 c5 6a 54 f6 48 44 |...T7...a..jT.HD| +00000150 40 63 6a 53 b9 41 5f 4f 8e 05 e7 31 7b 08 d0 67 |@cjS.A_O...1{..g| +00000160 8e bf 56 c4 56 0a 82 b2 74 6a 89 dd b4 f7 3c 0b |..V.V...tj....<.| +00000170 3c fd 21 1f 00 72 1d 4f be b1 50 44 9a 14 67 7d |<.!..r.O..PD..g}| +00000180 a9 93 30 a2 4e ea 61 c9 fd 44 de 5c 88 36 59 a2 |..0.N.a..D.\.6Y.| +00000190 e3 63 b1 9c ea dd 47 0a ca 63 9e 50 9d ca 57 12 |.c....G..c.P..W.| +000001a0 05 9b fc f1 26 a2 5e 18 9b 32 00 38 1f ce a6 58 |....&.^..2.8...X| +000001b0 58 0f 61 e2 44 c2 89 34 cc f4 fd 9a dc 1a 67 a6 |X.a.D..4......g.| +000001c0 e8 b1 fc 9f dc bd 0b 21 01 49 0d 9b e1 40 00 f6 |.......!.I...@..| +000001d0 33 1a 57 c5 84 c1 98 3d 7f 53 d3 4d 2e 04 5e 40 |3.W....=.S.M..^@| +000001e0 7d 38 80 66 bc c5 40 d9 14 f6 83 26 82 9b c8 14 |}8.f..@....&....| +000001f0 61 aa 6c 1c a1 53 81 f8 b0 7f 06 92 5c af be 57 |a.l..S......\..W| +00000200 1a 54 97 02 27 31 1f 58 52 cf 39 2f 82 26 ae 6c |.T..'1.XR.9/.&.l| +00000210 86 d9 46 cd 38 16 e2 67 62 82 2e 53 7a 86 15 30 |..F.8..gb..Sz..0| +00000220 08 0c a7 e2 85 18 55 79 16 44 4d 50 9e b5 e7 e1 |......Uy.DMP....| +00000230 2c 1e 1d eb e1 83 f3 9e d0 7b 45 b8 1e 51 d9 79 |,........{E..Q.y| +00000240 91 7a b8 90 bc 18 94 69 ad 94 08 e5 23 de 2b fa |.z.....i....#.+.| +00000250 8d ef 23 4c 40 df e1 43 0d 71 51 ef 88 a9 bb 89 |..#L@..C.qQ.....| +00000260 59 87 9c db e1 d4 31 94 a7 f5 af 7d 51 be e9 d0 |Y.....1....}Q...| +00000270 f2 49 12 72 47 65 a0 5b 7d 9f 91 85 f7 e8 d6 90 |.I.rGe.[}.......| +00000280 b3 4d f3 5d 6a 51 96 a9 81 84 72 95 47 e8 0a f5 |.M.]jQ....r.G...| +00000290 8d d6 2a 64 c2 34 1b d8 f0 f9 62 0c be 17 12 9b |..*d.4....b.....| +000002a0 40 a2 c3 8a eb 30 20 04 e4 69 a3 27 90 a6 1a 4f |@....0 ..i.'...O| +000002b0 3f 95 65 e6 9e c7 ad 03 e1 d2 34 d2 84 d5 f6 8c |?.e.......4.....| +000002c0 1e 8a aa e4 75 c0 7f 1d 79 4e 70 10 4e 18 9c eb |....u...yNp.N...| +000002d0 17 76 0c 66 6c 82 72 41 83 98 fc 41 41 4a 07 03 |.v.fl.rA...AAJ..| +000002e0 a6 16 51 0d 60 96 43 0a 97 27 72 42 31 70 6b 02 |..Q.`.C..'rB1pk.| +000002f0 e4 58 b0 15 4f 2e a3 5a ed dc 82 99 82 47 d5 6c |.X..O..Z.....G.l| +00000300 4b b4 68 70 f5 a3 31 36 52 8d af ab d1 ac f6 28 |K.hp..16R......(| +00000310 2e 18 bc 4f 1b 7c a8 ad c3 1f 2f 70 a6 c4 39 c6 |...O.|..../p..9.| +00000320 ae 0f 2e b7 58 c9 c0 2a 4b 34 c2 42 12 e3 5d ed |....X..*K4.B..].| +00000330 d1 ac e1 f1 14 66 d4 09 1c a0 99 82 d3 04 13 2a |.....f.........*| +00000340 a4 20 c4 e7 38 1e 0a 02 4e 96 02 71 9d f6 f7 86 |. ..8...N..q....| +00000350 f7 30 1a 5d 65 4f 17 03 03 00 99 3f 3d 4a 91 ae |.0.]eO.....?=J..| +00000360 0f 80 52 0f 1c d1 a2 75 83 e5 08 d8 1f 9d c8 24 |..R....u.......$| +00000370 fc 85 ba 76 1f 9e 1e 35 a3 dd 45 83 8e b9 55 a6 |...v...5..E...U.| +00000380 3b 26 ae 82 4f 1f 2e 8f e5 25 fb d6 22 0f 55 d6 |;&..O....%..".U.| +00000390 ac fa 93 6d d1 d3 7c 41 af c0 15 5c 8b e1 64 c1 |...m..|A...\..d.| +000003a0 3f a2 c8 9e 48 f5 63 61 3a df 13 6e f4 e3 60 9d |?...H.ca:..n..`.| +000003b0 bc 52 bd b7 94 e9 4b 7a 65 97 28 ac 39 6a 77 a7 |.R....Kze.(.9jw.| +000003c0 86 1d b4 6b e4 15 c4 bd 2b 41 b6 06 ac ff b5 9f |...k....+A......| +000003d0 17 47 b4 a7 1d 69 8b 6e 82 eb f7 39 03 95 10 dd |.G...i.n...9....| +000003e0 18 78 50 58 c8 78 80 ae 45 dc 54 0f 33 cb 4a d2 |.xPX.x..E.T.3.J.| +000003f0 90 00 12 d4 17 03 03 00 35 76 fa bf ab 3f c3 3d |........5v...?.=| +00000400 dd 78 65 cc 35 1e 24 35 4f 7d 3c e4 bb 73 d8 19 |.xe.5.$5O}<..s..| +00000410 56 94 f4 ce ad bc 1d 6a fb 1b 75 01 93 36 2b 44 |V......j..u..6+D| +00000420 3a 3c a3 9b 7c 57 6f 98 24 a3 64 b1 13 47 |:<..|Wo.$.d..G| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 02 1e e0 29 6d d1 38 |............)m.8| +00000010 a6 03 d7 fc 2b df a4 a4 d0 ae 87 01 b8 82 5d eb |....+.........].| +00000020 3c 25 3e a1 33 89 b5 05 eb bc 02 0f ad 84 f0 2b |<%>.3..........+| +00000030 5f 14 af 0d f8 f1 08 e3 ca c1 8e ad 4b a5 a0 09 |_...........K...| +00000040 b8 a0 4f bf e4 0f 93 a9 4a 35 35 26 22 d7 04 03 |..O.....J55&"...| +00000050 70 95 4f 80 df d4 47 5b 21 14 27 d6 17 ea 32 6e |p.O...G[!.'...2n| +00000060 ea 3a ca 31 7c f2 d1 46 a2 ef 47 b9 16 d6 18 d5 |.:.1|..F..G.....| +00000070 17 35 71 9d 14 37 63 cd e1 c6 ff 3d ec a5 d8 53 |.5q..7c....=...S| +00000080 48 d5 d8 0b 75 39 c1 d2 66 ad 97 4e 5f eb c3 c7 |H...u9..f..N_...| +00000090 e0 77 95 fd 16 84 e2 a3 6a f2 a8 88 5e 4c 86 be |.w......j...^L..| +000000a0 81 a5 f2 6b 12 86 63 f1 4f a6 8d 63 7c 07 0f 8d |...k..c.O..c|...| +000000b0 53 d5 d4 00 c7 b7 2a ef b2 1d 07 4e 43 d6 25 35 |S.....*....NC.%5| +000000c0 c9 b1 fa 91 d1 f7 87 c6 98 c7 e7 c2 c3 7d 42 09 |.............}B.| +000000d0 e5 3c 50 83 1b 20 ef ec e4 ac 2e f2 3e 03 73 52 |..sR| +000000e0 2e 1d 20 cf e2 8d 15 c3 c7 a6 2f 68 b5 8e 5f bc |.. ......./h.._.| +000000f0 c5 73 61 ff 52 3c b0 7b 47 82 47 a0 73 f8 1c ab |.sa.R<.{G.G.s...| +00000100 4d ea 15 fa 94 e0 7f 70 c1 c8 9c 55 f0 96 38 42 |M......p...U..8B| +00000110 76 d4 26 6d a7 73 11 59 43 19 2f 49 70 a9 18 1c |v.&m.s.YC./Ip...| +00000120 12 9e ee d3 eb ca 1c c0 3b e1 99 e3 c2 25 de 39 |........;....%.9| +00000130 1a 15 e0 d7 20 9d 1b 95 74 8c ee 96 7b 5e de 13 |.... ...t...{^..| +00000140 99 56 54 a2 31 7b e9 96 02 9e 86 7b 15 9d c6 3e |.VT.1{.....{...>| +00000150 24 a5 19 e5 8e de 85 97 05 68 4f 39 d1 49 05 c9 |$........hO9.I..| +00000160 7a 54 90 29 e7 93 ec 8e 6f cc 73 73 82 7d 72 8d |zT.)....o.ss.}r.| +00000170 4a 85 29 7f a5 53 13 26 16 b2 fa c3 ce 1f 8b ae |J.)..S.&........| +00000180 e6 60 8c 2d b0 64 66 d4 29 7c b5 2d 1d 11 c5 09 |.`.-.df.)|.-....| +00000190 bb a5 44 c6 c8 af e6 f1 d5 f8 d9 45 97 64 7f 03 |..D........E.d..| +000001a0 02 f7 f5 9f cb 31 1e 89 e4 5d a0 e9 34 db be 28 |.....1...]..4..(| +000001b0 51 15 68 54 01 7c e5 1d b4 05 d2 d6 24 ca 10 69 |Q.hT.|......$..i| +000001c0 31 bf 8b 7a ee d9 bf e1 2a d4 7c c8 e8 79 ca dd |1..z....*.|..y..| +000001d0 0f 73 09 c8 cf 97 28 78 04 5b 04 51 44 c4 5f d1 |.s....(x.[.QD._.| +000001e0 dc da 4f f5 d9 5c 9c b1 ea f8 1b f7 43 90 c0 c0 |..O..\......C...| +000001f0 fd 82 56 e3 71 15 18 5e 7e 5c 61 5e b3 80 c1 1c |..V.q..^~\a^....| +00000200 22 92 32 67 23 f6 3b 74 e4 20 4e 1f fb f8 89 55 |".2g#.;t. N....U| +00000210 e7 3c 18 30 24 77 7c 33 5c 89 91 60 65 14 06 9e |.<.0$w|3\..`e...| +00000220 e2 6d f0 07 84 4b b4 14 e8 17 03 03 00 a3 a7 e1 |.m...K..........| +00000230 f7 26 48 56 da 6d ef a5 f4 5f 19 52 37 9e e7 6d |.&HV.m..._.R7..m| +00000240 28 07 70 ee 1e de 85 2b 7a 2d bf eb 48 06 f5 d4 |(.p....+z-..H...| +00000250 ea 4d 83 86 59 d4 14 4f 46 bc 17 89 f1 f5 37 0e |.M..Y..OF.....7.| +00000260 84 60 6e ba 73 d7 c1 bc 6f d7 aa cf f0 36 96 a2 |.`n.s...o....6..| +00000270 83 60 81 6f 48 6c 9d 87 e5 b6 5e 77 ab c5 e3 cb |.`.oHl....^w....| +00000280 8e 55 94 dc 94 f3 8a ce cb f7 b4 d5 33 55 df 88 |.U..........3U..| +00000290 22 44 04 ee 4e f5 30 e7 30 94 dc 95 2d 97 2c e4 |"D..N.0.0...-.,.| +000002a0 34 58 4d 38 9e 25 61 96 c1 37 66 34 2b be ee e6 |4XM8.%a..7f4+...| +000002b0 ee 39 73 89 a3 aa 1b 0a 5a bf 44 23 4e 19 5c c4 |.9s.....Z.D#N.\.| +000002c0 3f 27 47 5c 40 67 6c 50 b8 3f 7c c9 97 f0 55 02 |?'G\@glP.?|...U.| +000002d0 16 17 03 03 00 35 82 8b 0d 4e 87 3c c6 bc 41 8b |.....5...N.<..A.| +000002e0 ec ab 71 9d 57 7b e6 22 e4 87 82 61 5d f8 69 31 |..q.W{."...a].i1| +000002f0 8a 2c be 2c d8 4d 2f dc 9a 91 31 7a ab d8 a4 0e |.,.,.M/...1z....| +00000300 ba cb fc ef 17 a4 7c 87 ca 13 bb 17 03 03 00 13 |......|.........| +00000310 3b d0 da 9f d4 be fa 59 7a 30 8b 7e 8e a0 99 c0 |;......Yz0.~....| +00000320 c2 36 f3 |.6.| +>>> Flow 4 (server to client) +00000000 17 03 03 02 90 a2 a0 e4 83 63 ad 8d d5 45 25 dc |.........c...E%.| +00000010 41 02 31 28 8d b0 87 85 66 b8 9c 36 f3 1f 97 87 |A.1(....f..6....| +00000020 8c c9 e6 b4 67 1e 42 ab 84 c4 eb 0a 41 b1 0f 50 |....g.B.....A..P| +00000030 25 c3 7e 69 20 cf 8a d0 56 79 61 e3 e1 5b cc a4 |%.~i ...Vya..[..| +00000040 24 5a c7 2d 3b 17 33 92 59 6c 7e 29 a9 a2 2c 73 |$Z.-;.3.Yl~)..,s| +00000050 3e b1 65 32 3d 6a 2b 61 5d 76 c4 66 0e 4f f1 da |>.e2=j+a]v.f.O..| +00000060 dd d3 7e 29 3d f5 42 99 9e 04 60 a4 9a a1 c0 f7 |..~)=.B...`.....| +00000070 54 4e d5 58 73 85 02 83 38 ba 4e 93 9a 69 68 07 |TN.Xs...8.N..ih.| +00000080 71 c9 a7 e4 83 51 4c 11 21 26 b2 dd ad 4b 2a ef |q....QL.!&...K*.| +00000090 23 9b b0 f6 d6 96 9f 99 1f 69 fe 35 28 86 49 bc |#........i.5(.I.| +000000a0 ec 97 11 4d 4e b7 c1 c2 da 6c ae c7 40 b9 2a 1f |...MN....l..@.*.| +000000b0 ff 9d 9d ea 90 b9 61 6f 76 ae fe 55 70 f6 ee 54 |......aov..Up..T| +000000c0 54 62 6d 19 9a fc 40 16 e5 c2 e2 3e d1 68 c6 09 |Tbm...@....>.h..| +000000d0 be 54 64 25 8a a0 2b e6 b3 14 7e 74 17 91 f0 de |.Td%..+...~t....| +000000e0 87 e8 3c 3e 58 8d 1b b2 4e 2d 7d c1 f8 aa 16 ca |..<>X...N-}.....| +000000f0 2a 3e 8f aa 52 14 e4 f2 2a b9 6e 62 46 ab ed 3a |*>..R...*.nbF..:| +00000100 ff a1 51 53 92 7a 78 c4 ed 9d fd 1f b4 62 2e e7 |..QS.zx......b..| +00000110 cc 9d 09 fa 06 2e 9e 55 e5 98 9e b8 be e9 12 94 |.......U........| +00000120 33 58 6b be 71 a1 4f f8 a0 83 85 f8 7e b4 28 a7 |3Xk.q.O.....~.(.| +00000130 ee 1b ac 3c 46 b6 ac 60 af 5d cc b0 a8 2c 3f 95 |.....Z.| +00000210 6b 5c d2 4d b2 20 35 63 9e 83 c0 7e 83 60 46 57 |k\.M. 5c...~.`FW| +00000220 c0 80 0d d7 b9 9f 14 c0 58 2d 48 2a cc 8c 1d 32 |........X-H*...2| +00000230 2c 34 ec 10 f2 34 b4 28 e1 0e 83 38 c4 2e 5a 09 |,4...4.(...8..Z.| +00000240 ff e6 3f d3 9a 32 8e 33 9e 31 18 e5 1d 6b 97 12 |..?..2.3.1...k..| +00000250 9b 93 84 86 62 8a 0a 8a ab 8d 37 68 af a1 ec 8e |....b.....7h....| +00000260 38 c8 47 ef 10 f8 64 7c e1 13 0a 33 eb c2 4b bf |8.G...d|...3..K.| +00000270 47 49 6d 93 3c c9 44 aa 74 67 a9 93 dd de 66 47 |GIm.<.D.tg....fG| +00000280 1e b3 55 47 b1 16 88 68 82 24 d6 b8 81 b0 5a b6 |..UG...h.$....Z.| +00000290 27 7a f8 0b 5c 17 03 03 00 1e a5 9b 8c d2 3e 96 |'z..\.........>.| +000002a0 f3 49 7a ed d9 fc 33 62 15 12 43 76 11 f9 dc fc |.Iz...3b..Cv....| +000002b0 ea d2 d7 87 22 6f 9e 3d 17 03 03 00 13 e1 30 4e |...."o.=......0N| +000002c0 4c 1d 02 78 57 a5 ee 8f 1c 5f 19 f0 57 3a 8d 7e |L..xW...._..W:.~| diff --git a/pkg/tls/testdata/Server-TLSv13-ClientAuthRequestedAndEd25519Given b/pkg/tls/testdata/Server-TLSv13-ClientAuthRequestedAndEd25519Given new file mode 100644 index 000000000..6943bf656 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-ClientAuthRequestedAndEd25519Given @@ -0,0 +1,149 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 ca 01 00 00 c6 03 03 e4 83 a9 75 06 |..............u.| +00000010 0f 8b c9 35 1e 62 89 7f a8 df 7c 93 b6 f0 8f 94 |...5.b....|.....| +00000020 ea 31 dc 66 11 66 bd 77 33 54 bf 20 38 77 15 8d |.1.f.f.w3T. 8w..| +00000030 b4 21 50 72 6f 95 61 6c 15 b8 35 c9 92 10 72 99 |.!Pro.al..5...r.| +00000040 bc 41 03 53 7c 5e 7b b3 a4 2e b4 19 00 04 13 01 |.A.S|^{.........| +00000050 00 ff 01 00 00 79 00 0b 00 04 03 00 01 02 00 0a |.....y..........| +00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................| +00000070 00 00 00 17 00 00 00 0d 00 1e 00 1c 04 03 05 03 |................| +00000080 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 |................| +00000090 08 06 04 01 05 01 06 01 00 2b 00 03 02 03 04 00 |.........+......| +000000a0 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 8e |-.....3.&.$... .| +000000b0 cf 32 24 aa f2 36 c7 41 50 66 dd 57 ce 97 72 8d |.2$..6.APf.W..r.| +000000c0 f3 b6 7d a0 a4 5e 5d fe be bb ce 32 9f 03 75 |..}..^]....2..u| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 38 77 15 8d |........... 8w..| +00000030 b4 21 50 72 6f 95 61 6c 15 b8 35 c9 92 10 72 99 |.!Pro.al..5...r.| +00000040 bc 41 03 53 7c 5e 7b b3 a4 2e b4 19 13 01 00 00 |.A.S|^{.........| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /| +00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.| +00000080 03 03 00 01 01 17 03 03 00 17 3b ca 9a d3 b7 99 |..........;.....| +00000090 d7 d8 c9 f9 96 b8 70 69 3b 22 42 0f c4 72 de 7c |......pi;"B..r.|| +000000a0 05 17 03 03 00 3e 38 d7 00 60 b9 ce 17 31 26 9f |.....>8..`...1&.| +000000b0 db ef e2 b1 99 55 c8 f9 f3 a0 81 19 12 a7 63 85 |.....U........c.| +000000c0 5a 26 2d d1 1c ad 5d ae d6 4b 66 93 62 d7 fe 08 |Z&-...]..Kf.b...| +000000d0 40 e9 fa 16 8b 89 f8 04 e8 33 67 20 2b 21 91 a0 |@........3g +!..| +000000e0 c6 0a 87 ff 17 03 03 02 6d 79 97 6c 2f f6 01 7b |........my.l/..{| +000000f0 3a 49 0e 1a 00 96 10 fd 7f 77 db 76 b2 d4 e4 68 |:I.......w.v...h| +00000100 46 4e 4f 3c 64 54 ca 27 9a 5c 78 98 f4 96 a4 fe |FNO.....u.(..| +00000120 ff d8 ec 27 2c f2 4c e5 a0 6e 88 ce 67 6e 35 f4 |...',.L..n..gn5.| +00000130 e5 d5 96 2d 40 af fa 88 12 8a 48 24 2c f9 82 f5 |...-@.....H$,...| +00000140 cb a4 6e 95 a6 53 bc 79 f7 6a ef 66 77 bc 46 f0 |..n..S.y.j.fw.F.| +00000150 1b 0d 6b 5c 76 82 15 c4 d0 1c dd ec cc ce 09 93 |..k\v...........| +00000160 ce 21 55 9b d8 8a 11 1b 0c 24 fa 9e 5f 29 4a f1 |.!U......$.._)J.| +00000170 2a 2e ad c0 6d 6d 46 06 5b c9 75 b3 3e 32 45 67 |*...mmF.[.u.>2Eg| +00000180 05 26 cc d8 a8 4a a9 b1 67 71 a6 82 1c dc f0 15 |.&...J..gq......| +00000190 6d 25 f5 6e be a2 5f 45 39 dc d1 2e df fa e1 e9 |m%.n.._E9.......| +000001a0 48 ca 7a 78 fa 0e 53 d1 5c 8f c2 40 91 d5 fa 40 |H.zx..S.\..@...@| +000001b0 7e a1 52 23 c8 56 1f 31 17 91 5c 38 bb 54 56 f3 |~.R#.V.1..\8.TV.| +000001c0 1e 14 90 43 b7 ef fd 56 b5 ae 13 90 97 dc 60 15 |...C...V......`.| +000001d0 67 72 fc c2 0a 32 90 be ec de 69 16 d3 1b 22 2c |gr...2....i...",| +000001e0 25 9f 91 27 a7 6d 8c a4 de 02 fd 0e da bf ca 71 |%..'.m.........q| +000001f0 77 9b 56 b8 07 e8 80 00 9b d9 36 1c 09 4f 9f 54 |w.V.......6..O.T| +00000200 76 d5 76 f4 9a 03 94 bb 9e 93 f0 b5 3c a1 71 ec |v.v.........<.q.| +00000210 b3 83 3a 06 b4 46 97 bf ef bb f0 26 94 4e b0 08 |..:..F.....&.N..| +00000220 3b ec 81 20 66 92 11 85 a0 c2 90 fd c5 bc ae 39 |;.. f..........9| +00000230 2c 87 ec e4 5d 59 ee b4 e9 0d f7 2a e0 3b 2a 94 |,...]Y.....*.;*.| +00000240 1a 79 2f e8 5c 88 d3 61 2e 47 c0 f3 c4 01 84 a9 |.y/.\..a.G......| +00000250 cf f6 36 13 cb 4b 0b f7 9a 14 f1 d5 0e 10 80 fd |..6..K..........| +00000260 11 79 20 20 ae 56 5e de 58 53 19 38 26 e2 ac bc |.y .V^.XS.8&...| +00000270 0c 40 38 8b f9 67 62 4c 42 7d 18 4f 27 e9 53 96 |.@8..gbLB}.O'.S.| +00000280 78 4b fa 44 fe c2 c3 d9 99 f2 2c 59 2b 2b 2c 88 |xK.D......,Y++,.| +00000290 5b dc a8 98 3d 17 14 09 70 ce e4 02 8b 3c 5d 94 |[...=...p....<].| +000002a0 44 ac ba 57 2d a9 bf b8 70 e9 b8 a8 c3 b8 90 da |D..W-...p.......| +000002b0 ec b1 b4 57 d6 e3 0f 41 82 bb 21 4a 57 dc ac 4b |...W...A..!JW..K| +000002c0 89 34 75 fc c4 56 6b 70 3d 83 2b fa be c8 2b cd |.4u..Vkp=.+...+.| +000002d0 f8 4f 9f 9e 9a 0e d2 d0 46 cd 21 a5 f7 07 a6 2a |.O......F.!....*| +000002e0 85 7b 30 92 78 a2 da a5 1d 1c 1c 54 63 4b 66 b2 |.{0.x......TcKf.| +000002f0 f1 a7 c4 43 57 97 7f 28 37 e7 15 62 9b 1c f5 90 |...CW..(7..b....| +00000300 0c 19 36 1a c1 48 48 e5 7d 56 93 3c 13 e3 cd 6a |..6..HH.}V.<...j| +00000310 aa aa ba d5 24 95 c7 df 9c a9 76 6c 07 bf 09 2d |....$.....vl...-| +00000320 4b 7b 55 94 37 ec d4 69 ce ab 0f 48 37 74 37 99 |K{U.7..i...H7t7.| +00000330 83 0d 60 8a 73 56 fb e2 9e 0c 39 0e 23 bf 68 b2 |..`.sV....9.#.h.| +00000340 92 51 12 bc cf 1b af 9d 7c fe 77 14 c8 66 4a 6f |.Q......|.w..fJo| +00000350 91 06 55 6a 11 61 17 03 03 00 99 c2 bf 26 a6 fa |..Uj.a.......&..| +00000360 67 16 a3 b9 1f 36 f8 4f 5d 59 b1 be 43 3a 70 01 |g....6.O]Y..C:p.| +00000370 c0 3a 4b c5 20 b1 22 49 04 22 bb 7f 5f f4 bb f8 |.:K. ."I.".._...| +00000380 35 03 0e dc ba ce de 2a 25 ea 96 dd 3d 64 34 90 |5......*%...=d4.| +00000390 30 f8 34 22 bb e4 94 00 bb b3 ea 3c d2 87 90 9a |0.4".......<....| +000003a0 86 76 6b b7 e3 78 fc 35 10 50 ce b6 c0 71 52 ae |.vk..x.5.P...qR.| +000003b0 a5 f7 bf 8c 5e 5d c1 96 c7 92 6f f0 04 87 d9 a8 |....^]....o.....| +000003c0 72 f4 9e ed 6d ab 28 42 7c c8 60 39 81 66 74 a1 |r...m.(B|.`9.ft.| +000003d0 79 79 6a 59 02 29 b8 14 12 34 a7 96 8f e0 c1 d6 |yyjY.)...4......| +000003e0 4e da e2 63 22 c1 60 b1 87 64 d3 80 b9 c4 df 9a |N..c".`..d......| +000003f0 5f 2c 22 91 17 03 03 00 35 9a 62 4d a2 ba 27 31 |_,".....5.bM..'1| +00000400 fc 8e 23 cc 5f f0 5c 8c 9b c1 b0 ae 7b b8 fa e2 |..#._.\.....{...| +00000410 f3 af 6c 6c ac 86 1e e1 2b 9f 14 a1 f3 5f b5 f9 |..ll....+...._..| +00000420 76 b6 dd 73 f5 6a 08 29 f1 29 9e 79 87 aa |v..s.j.).).y..| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 01 50 ef 68 27 d6 ec |..........P.h'..| +00000010 76 00 e1 c6 ed 3c f6 a1 83 b4 4b 26 28 ba 0f d6 |v....<....K&(...| +00000020 2a fd f0 4a 10 8f 9c ed 84 3f 0a 0e 5b 77 e2 7d |*..J.....?..[w.}| +00000030 1e 03 2a 76 5b 2b 87 78 ad bd 45 8b 03 b3 8d e7 |..*v[+.x..E.....| +00000040 b7 66 ca 5e 36 f8 53 87 90 3c 1a 33 46 1d 32 4f |.f.^6.S..<.3F.2O| +00000050 f1 90 fb 36 da 96 1c 1a db 9f 9b e6 9f 85 f8 13 |...6............| +00000060 7d e1 ab e1 ca c6 05 df 15 ea af dd 55 58 c7 5f |}...........UX._| +00000070 de 62 1b 93 60 a4 fc 39 0a ef 95 bc 0c ca 8f 84 |.b..`..9........| +00000080 98 0a 6d 5b fd c6 0c ad 02 7f 0c f8 b4 be fe 5a |..m[...........Z| +00000090 fb 22 00 08 09 5d c7 47 76 89 e5 06 d1 90 5b e6 |."...].Gv.....[.| +000000a0 63 64 06 28 37 d9 1b e9 0d 27 45 f7 72 30 d7 f2 |cd.(7....'E.r0..| +000000b0 db 8e bf 95 97 29 43 e7 16 bf a0 59 9c fa d9 59 |.....)C....Y...Y| +000000c0 a0 a6 9b 1f b5 74 80 87 d0 61 2f d5 a5 ac dd b2 |.....t...a/.....| +000000d0 8d 27 fc e6 68 eb 07 b3 3d 97 a9 93 5b 35 99 e9 |.'..h...=...[5..| +000000e0 ba 99 fe 49 d6 39 1a 0a 38 98 cd 47 b9 67 9b 9a |...I.9..8..G.g..| +000000f0 77 65 45 f8 48 fb d3 1c 0f a2 2e af e0 29 68 bc |weE.H........)h.| +00000100 81 24 3b 9b 36 0a ef 51 75 ff 61 6a d4 6c 59 42 |.$;.6..Qu.aj.lYB| +00000110 54 31 47 e9 02 9e 58 33 9e 89 65 b6 65 db b2 81 |T1G...X3..e.e...| +00000120 bd c1 f4 0a 34 eb f3 26 f5 8d 36 6d da 78 e6 88 |....4..&..6m.x..| +00000130 00 8f 92 24 dc 76 e3 95 dc 13 b5 92 91 ee c0 82 |...$.v..........| +00000140 cb 63 85 b6 59 67 dc 14 2e 2d 58 8e 56 7e 7c db |.c..Yg...-X.V~|.| +00000150 2f 54 01 ed 17 8d 9a 97 22 39 7f 17 03 03 00 59 |/T......"9.....Y| +00000160 a1 f2 0d 19 e7 d8 a8 6d cd ea f6 82 ee 5d 0a 55 |.......m.....].U| +00000170 22 61 11 21 f7 b0 1d 86 a8 4d c2 e2 9b ac bb 87 |"a.!.....M......| +00000180 a2 82 67 ee 78 76 9b e0 c0 00 85 bf 1e 2b ab e6 |..g.xv.......+..| +00000190 f1 43 79 69 a0 3d 04 b7 d9 7f 31 c7 7a b7 4f 5c |.Cyi.=....1.z.O\| +000001a0 9f 62 84 dc f4 6d a1 ce 3d ff 24 88 15 10 4a e6 |.b...m..=.$...J.| +000001b0 5c 12 68 08 3c 55 a2 a9 d7 17 03 03 00 35 f4 d9 |\.h.>> Flow 4 (server to client) +00000000 17 03 03 01 c2 80 69 97 9a 20 30 2a 1c f4 31 f9 |......i.. 0*..1.| +00000010 0f cf f7 79 c0 01 e1 f3 35 f5 16 a0 33 d6 eb 21 |...y....5...3..!| +00000020 44 db bc c6 c4 91 6b a6 75 da ca d3 63 78 47 8b |D.....k.u...cxG.| +00000030 96 e5 6f 63 2c 77 c0 33 29 d8 3e ee bf 8e 6b d4 |..oc,w.3).>...k.| +00000040 de f7 1b 0e e6 ae ce cd 17 0d 24 77 10 3d e4 89 |..........$w.=..| +00000050 06 07 a3 77 68 ac 20 ec 0b ae 47 41 3b 80 4e 95 |...wh. ...GA;.N.| +00000060 02 aa 13 36 19 03 06 1c 47 b3 f7 f0 4b 6d 5a c6 |...6....G...KmZ.| +00000070 42 14 95 03 20 c7 46 96 42 d3 18 5a 40 bd a1 03 |B... .F.B..Z@...| +00000080 b6 d2 8b f9 ff 2d d1 b1 3c 8a 34 af 23 64 31 7d |.....-..<.4.#d1}| +00000090 46 47 21 b4 82 16 df a2 a4 0f 96 03 4b 38 3d 5d |FG!.........K8=]| +000000a0 d0 d1 78 d1 6e 6a a2 95 c0 a7 e6 ee 07 eb 77 68 |..x.nj........wh| +000000b0 35 78 72 3e df d9 4b e9 1b ab 34 99 2d fe 52 99 |5xr>..K...4.-.R.| +000000c0 6e 57 63 13 39 ae 5e ce b6 43 21 07 fd fe b7 6d |nWc.9.^..C!....m| +000000d0 8f 72 a4 f8 7e 0a 56 60 61 d5 5a d4 01 b3 47 8e |.r..~.V`a.Z...G.| +000000e0 f0 48 cd 85 61 a3 d2 d1 eb ba 04 39 6b 5e 5f fc |.H..a......9k^_.| +000000f0 e3 90 c1 cb 3f 40 30 00 5c 94 df bf 5b 89 6d ab |....?@0.\...[.m.| +00000100 15 1e 72 50 ac 56 ee 16 7d 84 4c e6 0c 89 68 fa |..rP.V..}.L...h.| +00000110 d5 8d 5f 09 85 25 5f 8c 70 df 0b b7 94 15 40 20 |.._..%_.p.....@ | +00000120 b1 ff 41 50 5d 9f c6 8a 9b 7f 40 6f dc bd 4f 54 |..AP].....@o..OT| +00000130 d8 1f e6 f1 44 00 11 97 45 ca 80 bc 15 eb 93 01 |....D...E.......| +00000140 dd 54 c6 75 7e 08 b9 38 f5 4d 97 c5 50 56 97 3c |.T.u~..8.M..PV.<| +00000150 3c 72 9a 33 7c 68 b1 73 2b 38 c7 b8 a8 3c 5d af |.....6....[..z| +00000170 f5 74 8d ac a4 0f 38 34 ee cd 08 50 e0 33 b0 e1 |.t....84...P.3..| +00000180 52 e1 5d f2 7d c6 7b 64 c7 46 f6 9e d0 a2 cf 89 |R.].}.{d.F......| +00000190 3c c9 ab 2f fb 8a f3 ba 78 e9 4c c5 2d 62 32 6b |<../....x.L.-b2k| +000001a0 50 4c a0 7e d3 bb 2a 66 57 99 38 69 e8 77 ef 18 |PL.~..*fW.8i.w..| +000001b0 24 af b3 cb e5 c0 37 a2 97 f6 00 d4 68 8a 71 af |$.....7.....h.q.| +000001c0 24 a4 ab 19 07 3b c0 17 03 03 00 1e 60 b4 fc 15 |$....;......`...| +000001d0 f9 9c b1 a1 60 1a ba f5 1b b9 c1 33 f1 8b e5 c0 |....`......3....| +000001e0 48 77 4f 11 42 21 ad 8c d2 d6 17 03 03 00 13 5c |HwO.B!.........\| +000001f0 db 07 5e 65 40 58 74 a4 7f ab 5f cc f0 9a 91 0c |..^e@Xt..._.....| +00000200 17 3d |.=| diff --git a/pkg/tls/testdata/Server-TLSv13-ClientAuthRequestedAndGiven b/pkg/tls/testdata/Server-TLSv13-ClientAuthRequestedAndGiven new file mode 100644 index 000000000..8ba88ebf3 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-ClientAuthRequestedAndGiven @@ -0,0 +1,177 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 ca 01 00 00 c6 03 03 56 2e 3c 64 35 |...........V.>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 7c d3 26 20 |........... |.& | +00000030 a0 dc e9 7a 07 71 02 2d 3b 27 85 16 fb 6e 26 e5 |...z.q.-;'...n&.| +00000040 c3 67 e5 0b bd e5 50 8f bd 39 6f 2c 13 01 00 00 |.g....P..9o,....| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /| +00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.| +00000080 03 03 00 01 01 17 03 03 00 17 43 8e 41 a4 04 13 |..........C.A...| +00000090 01 08 9f 6e 1a fd 00 68 38 5c 93 d9 9a f7 1e 36 |...n...h8\.....6| +000000a0 ea 17 03 03 00 3e 9f ae 80 ef f4 20 66 e7 44 fc |.....>..... f.D.| +000000b0 4d a4 3f 0e dc bb 33 47 0f 13 96 fa 03 07 d6 6f |M.?...3G.......o| +000000c0 cc 9f 3c fd 01 f5 87 d9 ec c9 d0 fc dd bf c8 5c |..<............\| +000000d0 0b 3d aa a7 c6 1d 90 18 d9 a1 1a a0 a1 ea 49 32 |.=............I2| +000000e0 9e 45 86 f7 17 03 03 02 6d 61 29 fe 45 7e 5c b3 |.E......ma).E~\.| +000000f0 8a 73 f2 65 c1 90 4e 93 0d 84 b2 bd e4 46 93 c2 |.s.e..N......F..| +00000100 52 3f 07 38 e7 23 db 25 5e 71 98 a9 7d fd e9 ef |R?.8.#.%^q..}...| +00000110 3f 2c d8 9c ae 41 c4 d3 c7 9e d5 6e f0 0c 33 78 |?,...A.....n..3x| +00000120 98 cf bf 22 3d 1f d0 f3 c8 a2 34 e8 ce 5e 0d 37 |..."=.....4..^.7| +00000130 52 e2 b8 e3 50 ea 35 3e e5 59 a0 6d ed 9e 09 36 |R...P.5>.Y.m...6| +00000140 59 20 33 08 a9 41 f4 72 aa 2d 0c b5 d6 96 d9 04 |Y 3..A.r.-......| +00000150 1a f1 d8 45 ed 67 ab f9 15 fa 25 ef 6d 87 72 ad |...E.g....%.m.r.| +00000160 f0 06 59 a5 8e 61 80 8b 28 f9 a0 df 5b b2 a2 3a |..Y..a..(...[..:| +00000170 1c 91 43 18 f4 a2 f3 4e db dc 24 1b c3 0e 77 22 |..C....N..$...w"| +00000180 83 ae 88 9f 8e 8d 48 38 f4 60 51 42 fa f2 a4 de |......H8.`QB....| +00000190 33 78 35 d0 b6 01 3d 7a f5 54 68 51 fd 0e 4c 9b |3x5...=z.ThQ..L.| +000001a0 92 7c a5 01 96 52 7e de 38 b9 b0 ee 60 1e aa eb |.|...R~.8...`...| +000001b0 8c e6 b4 f4 7c 35 d2 0b 9b 83 94 ac ac ce 7e 58 |....|5........~X| +000001c0 51 6e c3 ae 3b cd f5 85 8a 1e 43 78 19 ee dc a1 |Qn..;.....Cx....| +000001d0 a3 d0 93 24 0d 3b 6a 4b cd dc 78 9c 0b 2f bc 41 |...$.;jK..x../.A| +000001e0 46 2f 64 3c 23 95 04 8b 60 75 bf 4d 45 3b e4 1e |F/d<#...`u.ME;..| +000001f0 9c 5b 1a 46 bb f3 4d a9 1b 59 33 b4 40 78 bd ff |.[.F..M..Y3.@x..| +00000200 30 7d d4 cc 5e 83 03 de 8d a3 a6 27 b4 bc 12 6e |0}..^......'...n| +00000210 5e f2 88 e8 b6 60 f3 01 e8 4a 53 c7 a9 fc a1 cc |^....`...JS.....| +00000220 27 45 c1 06 90 38 9a fb 1b 2a 9e ed 9e f6 19 85 |'E...8...*......| +00000230 dd f7 8a 7f 95 08 3a 25 c0 5b 63 96 44 71 c2 16 |......:%.[c.Dq..| +00000240 9c e1 10 69 e5 6a 5c 4a e8 2a ed 6f bd de f5 98 |...i.j\J.*.o....| +00000250 c0 a0 c5 54 7c cc 06 11 b2 54 1a c3 b4 46 c2 b4 |...T|....T...F..| +00000260 97 d8 9c 7d f1 f3 d4 6f 3c a0 ef 18 c5 a6 e9 13 |...}...o<.......| +00000270 e9 f4 9d bf 9b 25 a2 da c6 ba 7a 6d 91 fd 41 a4 |.....%....zm..A.| +00000280 e8 88 e3 79 2c 99 df 4d 21 48 89 57 5a bf 2a 2d |...y,..M!H.WZ.*-| +00000290 72 4e 1e 3a e8 c9 82 7b c0 ff 6b 7c e8 8f 41 bf |rN.:...{..k|..A.| +000002a0 83 19 9e 96 d1 3f 2b 60 8f 7f 0b f8 6c 70 82 dd |.....?+`....lp..| +000002b0 34 da 91 62 17 20 e9 99 2e e2 a9 9a 9d fd 5d f8 |4..b. ........].| +000002c0 a5 c0 ac e8 a3 df 11 b5 df 2c bd e1 e8 0f 7e 0a |.........,....~.| +000002d0 f2 47 4c 92 33 7b 6b 49 e5 30 31 8b 2e 16 81 3e |.GL.3{kI.01....>| +000002e0 79 25 f7 d7 d2 8f 5e e6 e3 2d ed 0d e1 08 97 13 |y%....^..-......| +000002f0 f3 ce 7d b1 36 0d 7c b0 4f 23 6b 12 ef 3a a4 8b |..}.6.|.O#k..:..| +00000300 b5 d0 c9 ee 48 77 70 28 61 ff ad 49 f6 48 4c 37 |....Hwp(a..I.HL7| +00000310 7b 00 c4 01 5d 8b 54 bc 44 5c 5f 98 6f 7d 84 84 |{...].T.D\_.o}..| +00000320 c8 d0 55 88 f9 17 f6 02 f1 84 b6 3c 1a 03 e8 7b |..U........<...{| +00000330 b9 4e 24 c6 d8 0a f6 8c b9 49 c6 10 38 53 e1 10 |.N$......I..8S..| +00000340 8f 91 cd 39 9a 3a e8 c7 10 f3 c3 91 84 3c 8c a6 |...9.:.......<..| +00000350 55 ab f4 f5 ab e7 17 03 03 00 99 e5 40 f6 35 34 |U...........@.54| +00000360 2d 42 3e 7f e1 51 26 56 50 4e 60 b0 2f 65 e3 cd |-B>..Q&VPN`./e..| +00000370 c7 08 0e 96 77 08 c7 f6 4f e6 70 90 bc 80 95 e7 |....w...O.p.....| +00000380 b2 df 98 83 94 4d 9e 5c 8a af d3 45 da e9 d7 fa |.....M.\...E....| +00000390 d8 d2 60 f8 b1 06 d9 27 64 45 4d e8 d3 07 8a bb |..`....'dEM.....| +000003a0 72 7a c6 71 00 7e 8b b0 2b 7d d0 f7 ab 1a bf d2 |rz.q.~..+}......| +000003b0 50 be a9 3a 0c 68 b8 48 9a 91 ee db 26 4d d3 66 |P..:.h.H....&M.f| +000003c0 5b 00 ef c3 cc b8 f2 4e 1e 51 c7 9b 34 3c e3 01 |[......N.Q..4<..| +000003d0 7f 75 4e 41 e4 56 34 ec 14 92 0f 1e 6d dd 51 9a |.uNA.V4.....m.Q.| +000003e0 e0 8b 33 54 df 77 1f ff d3 72 67 4c 62 16 b7 f8 |..3T.w...rgLb...| +000003f0 4f 8f f8 ee 17 03 03 00 35 b7 83 d2 27 a3 15 f2 |O.......5...'...| +00000400 75 55 aa 06 8c 5f c4 fa 0f 43 88 c9 c5 e3 c7 36 |uU..._...C.....6| +00000410 40 6b 35 0b 7e 60 a1 1e 48 ef 46 2c d6 e4 48 80 |@k5.~`..H.F,..H.| +00000420 91 b0 e5 3b c0 58 5d fe 5d bd 0a 6c 19 ea |...;.X].]..l..| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 02 11 9e 9e cf 44 84 |..............D.| +00000010 df e7 23 47 2d 4e 85 fa f2 02 2a 79 4d 3a 3d df |..#G-N....*yM:=.| +00000020 48 95 2e d7 0d 3c d0 05 fc bf bb 23 0a 25 59 76 |H....<.....#.%Yv| +00000030 fd 04 f8 f0 81 88 85 9f 99 f0 55 91 9a 79 8a 39 |..........U..y.9| +00000040 f4 6e 49 92 be ed 1d d1 20 19 77 bc 55 9b b0 da |.nI..... .w.U...| +00000050 d1 c4 9f b5 2f 5c 1a 60 38 e1 92 9b f9 a1 97 6b |..../\.`8......k| +00000060 1b d0 d0 d0 05 7a 41 26 d4 6b 12 a0 b3 c6 33 13 |.....zA&.k....3.| +00000070 4f 74 10 d6 91 fb b0 69 46 46 ca de 7c 05 d6 62 |Ot.....iFF..|..b| +00000080 51 23 12 58 00 ff 25 8e c8 5f 54 85 f4 2f e9 f9 |Q#.X..%.._T../..| +00000090 f1 1e 32 b9 f1 a6 fb 90 9b a9 65 d2 c9 ea a7 1a |..2.......e.....| +000000a0 e8 c9 a8 bb 7e 3d 3f 03 62 fc f4 06 a4 a2 f7 41 |....~=?.b......A| +000000b0 60 f5 f1 df 3e d6 31 51 f4 dc b1 d3 60 4b 84 4f |`...>.1Q....`K.O| +000000c0 99 e2 9f b2 f0 d5 fd b2 f3 5c 24 5f 91 a6 94 cd |.........\$_....| +000000d0 37 61 91 4e cc ae cd c1 b5 cc 58 5f 9a 91 a1 13 |7a.N......X_....| +000000e0 23 42 8a c5 27 4c 66 32 69 9c 75 9f 2a ed 73 1d |#B..'Lf2i.u.*.s.| +000000f0 29 2e 36 50 34 b4 80 d2 08 e6 9f c6 3e da df 9f |).6P4.......>...| +00000100 e0 2a 08 88 47 b6 d3 ff f7 6c 6c 91 1a 8e 53 89 |.*..G....ll...S.| +00000110 53 6c b8 d7 83 37 ab 03 59 e6 4f 41 42 af d4 f9 |Sl...7..Y.OAB...| +00000120 ac 9d ae d1 77 f1 71 79 a0 16 c4 c7 b5 a6 a9 9f |....w.qy........| +00000130 59 da 55 fb c5 88 8c 13 04 c2 06 39 8f ae 7e ca |Y.U........9..~.| +00000140 99 ce cd aa 86 0a 00 bd 56 f1 98 d9 c8 d2 c1 c0 |........V.......| +00000150 df 16 c2 6f 78 da 66 3f cc 43 c7 38 33 1b 3b 5b |...ox.f?.C.83.;[| +00000160 f8 7e d8 b7 ef 4c 6d c7 f6 84 56 8d 76 f7 0d 83 |.~...Lm...V.v...| +00000170 94 e6 ad c5 f3 05 5c f4 17 69 d5 83 98 c3 43 8e |......\..i....C.| +00000180 9f a5 5c 7b 12 ea f4 1f 39 ce 0d 83 15 b1 e6 ce |..\{....9.......| +00000190 c1 35 9b 8c ec c6 d2 d7 f9 02 36 90 24 f4 3a 70 |.5........6.$.:p| +000001a0 ce bb 8d bb 4b b2 aa 64 f0 b5 c0 88 cc 06 e3 9c |....K..d........| +000001b0 f7 70 64 fd 5d 48 f5 c8 07 48 c2 09 c4 07 56 b9 |.pd.]H...H....V.| +000001c0 86 e9 d6 7b dc ac a5 00 2c 1d 80 8f 47 f2 c4 c7 |...{....,...G...| +000001d0 ab dc 7b 41 7b 3d 47 db 09 12 02 9f 1b 63 e7 cc |..{A{=G......c..| +000001e0 38 1d 33 56 e0 ae 63 7a 95 73 5f e6 da 13 53 49 |8.3V..cz.s_...SI| +000001f0 5f 69 e9 ff 86 26 bd 9a dd be 5c 75 e7 69 66 b4 |_i...&....\u.if.| +00000200 27 3f 79 d2 2e 8e 79 9e 89 42 58 20 a2 ca 8c 2a |'?y...y..BX ...*| +00000210 37 b8 99 81 66 3a 31 66 1a 95 4c 47 17 03 03 00 |7...f:1f..LG....| +00000220 99 66 08 07 06 6d 95 fe f1 72 2a 7c de 84 06 b0 |.f...m...r*|....| +00000230 3d d7 d1 6b 47 0e 4d fb 9e ab 55 f7 71 c5 5d 11 |=..kG.M...U.q.].| +00000240 cb c7 fb 45 90 9d 22 eb ec 03 d6 ce 8c 01 ff 81 |...E..".........| +00000250 a2 90 23 1d 7a f3 cb 16 76 a5 05 57 77 f6 af f0 |..#.z...v..Ww...| +00000260 29 6c 6c 39 9e 99 55 c0 38 c3 31 68 49 b3 bf cc |)ll9..U.8.1hI...| +00000270 31 e2 6d a4 4c e7 99 53 2f 31 3f 05 2c 7c 1b 10 |1.m.L..S/1?.,|..| +00000280 60 ce 8b 60 47 16 eb e5 8b be 1b 7a 95 b9 3c 60 |`..`G......z..<`| +00000290 1c d6 b5 13 5f ad b9 bb 13 dd d6 08 8e 70 cb 2a |...._........p.*| +000002a0 26 3e df ce 7c 21 e5 27 7e 27 ec 75 b6 47 a0 89 |&>..|!.'~'.u.G..| +000002b0 2e e1 3c ab 0d 72 90 d1 d5 07 17 03 03 00 35 82 |..<..r........5.| +000002c0 6b 48 4a 9a 63 16 07 8f b2 d3 4a 65 7d e0 c4 e8 |kHJ.c.....Je}...| +000002d0 27 3e ce 4a 0a c8 63 e0 f9 70 98 c0 6a 12 39 ec |'>.J..c..p..j.9.| +000002e0 e1 52 de 73 58 2d f0 7c bc 8d 41 16 be 89 a0 88 |.R.sX-.|..A.....| +000002f0 56 e5 ef f6 |V...| +>>> Flow 4 (server to client) +00000000 17 03 03 02 83 ce c4 10 39 1a fe 62 a2 ff 27 6d |........9..b..'m| +00000010 b7 e3 1d d6 8e b8 a2 7e f5 30 87 35 16 41 fb 04 |.......~.0.5.A..| +00000020 3c 79 9e 02 9b 06 4c a7 ba 01 5b cf 94 bc c8 08 |.| +00000050 58 7d fe c1 e3 78 79 31 48 d2 74 c0 8d 17 97 6f |X}...xy1H.t....o| +00000060 30 bb 8a 2c 8c d4 76 3d 3f f0 20 24 3d 5a 21 0c |0..,..v=?. $=Z!.| +00000070 37 7b 14 45 e6 69 db ed 52 50 a0 77 e9 a2 84 59 |7{.E.i..RP.w...Y| +00000080 0c 96 c1 ad 48 ed 8d 9f 00 4d f2 15 86 71 c0 fa |....H....M...q..| +00000090 14 b9 77 cb 9f 04 d9 1b be da 68 8e 31 8f 25 14 |..w.......h.1.%.| +000000a0 f5 43 bd e5 6e c5 10 ab f7 68 22 7f c2 ba 5c a6 |.C..n....h"...\.| +000000b0 88 31 c0 a5 fb 63 05 95 52 b3 04 94 14 fe eb 0c |.1...c..R.......| +000000c0 53 a0 c2 bf ae 58 e3 f9 84 22 6b ca 95 33 12 80 |S....X..."k..3..| +000000d0 09 e2 97 b0 2b 4b ed fa 34 e1 5a b1 de 52 b1 2c |....+K..4.Z..R.,| +000000e0 a0 aa 11 d6 fa 07 e1 41 ed 36 9f 9a 1a 56 18 b0 |.......A.6...V..| +000000f0 ef e7 85 dc 5b 53 23 56 c2 ac 34 64 c8 9d 4b 49 |....[S#V..4d..KI| +00000100 6d 29 7e 4b 73 4f 0b 8e 30 86 87 ea cf 1c dd 62 |m)~KsO..0......b| +00000110 c0 a4 96 aa fe 41 e7 25 94 8e 08 b5 4d 42 26 d3 |.....A.%....MB&.| +00000120 ba 84 98 bf 27 2b d5 3d 37 b9 b1 b5 24 33 e3 4d |....'+.=7...$3.M| +00000130 3f 05 38 54 fe 2c 15 63 20 2e 70 c0 c6 da 0e 89 |?.8T.,.c .p.....| +00000140 b6 99 07 db e3 7c 3e 58 d0 a3 2b 50 c4 f3 21 92 |.....|>X..+P..!.| +00000150 62 e0 e9 b5 d4 7a 6b 23 a2 05 ef 9c f5 f5 05 57 |b....zk#.......W| +00000160 cd d4 4d 0a 2f 17 ca ac fc 9d 7e 60 ec 3c 80 8c |..M./.....~`.<..| +00000170 1f 99 da b7 f6 14 7a e1 86 76 50 8d f8 6b 92 24 |......z..vP..k.$| +00000180 f2 b7 82 fa 3c 9b 14 af 0f 37 40 ae 7f 10 f5 0a |....<....7@.....| +00000190 f2 0f 0f bd 01 b7 0a f7 b6 d0 7f cf bf e6 67 55 |..............gU| +000001a0 cc 36 af a6 d8 c4 ca 80 c7 af 35 ff 6e 83 56 30 |.6........5.n.V0| +000001b0 62 26 49 bb 1a 04 8b 39 10 7b 0f 09 19 2b 0f 95 |b&I....9.{...+..| +000001c0 08 9d c8 85 3b 5d 8c 97 16 ae cd 92 00 d5 3e 50 |....;]........>P| +000001d0 54 66 85 8f 42 9b 60 3d f8 99 ca c7 07 3b 51 18 |Tf..B.`=.....;Q.| +000001e0 d5 20 37 57 35 0a d8 c6 13 0f 48 94 8f 50 7d 0e |. 7W5.....H..P}.| +000001f0 5a f0 98 b2 5d 5f 46 fb ba 85 c8 4f ba 02 19 86 |Z...]_F....O....| +00000200 0b ef 4a 04 49 1f 06 cd be dc d5 32 74 14 d8 60 |..J.I......2t..`| +00000210 17 a5 b5 a2 70 8e b1 75 29 bc e0 02 e0 a2 1c 7b |....p..u)......{| +00000220 58 cd 96 69 84 0f 95 7b 78 3e 09 72 a6 e0 50 7e |X..i...{x>.r..P~| +00000230 76 b0 7b 44 11 9b b8 7e 7d 09 49 91 75 5b 9b 6f |v.{D...~}.I.u[.o| +00000240 42 a4 e6 54 4d c6 21 65 c4 64 7d c6 29 74 13 8d |B..TM.!e.d}.)t..| +00000250 69 5f 20 8c f1 88 e8 1e 2d c3 13 d5 f5 52 70 24 |i_ .....-....Rp$| +00000260 de ec 64 c7 00 3f 57 e2 3f c4 23 fe e9 65 e6 d9 |..d..?W.?.#..e..| +00000270 92 ae f0 2f 05 4d 01 72 be 0d 7d c0 f4 30 ac 69 |.../.M.r..}..0.i| +00000280 3c 7c c1 72 c1 b7 c4 c9 17 03 03 00 1e 73 8f 48 |<|.r.........s.H| +00000290 cf 34 35 31 9b 63 59 59 1b 23 e1 6b b2 3a 0f df |.451.cYY.#.k.:..| +000002a0 21 69 8e 73 1a 61 09 5b 82 c7 78 17 03 03 00 13 |!i.s.a.[..x.....| +000002b0 4f a0 ab 25 3f a4 85 9e 78 58 69 d2 2c c3 b6 df |O..%?...xXi.,...| +000002c0 32 4a 7f |2J.| diff --git a/pkg/tls/testdata/Server-TLSv13-ClientAuthRequestedNotGiven b/pkg/tls/testdata/Server-TLSv13-ClientAuthRequestedNotGiven new file mode 100644 index 000000000..b839c9587 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-ClientAuthRequestedNotGiven @@ -0,0 +1,103 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 ca 01 00 00 c6 03 03 4a ea 7e 77 82 |...........J.~w.| +00000010 17 37 46 db 49 14 d2 41 e4 14 b0 46 20 9d 50 45 |.7F.I..A...F .PE| +00000020 d1 75 08 82 2b 8d bc 9a 75 e3 71 20 ce 77 9a 79 |.u..+...u.q .w.y| +00000030 98 24 bc 15 be ac 30 fe 66 35 ab 51 be bd b4 fa |.$....0.f5.Q....| +00000040 6f 53 1f e9 5f 54 58 75 ce 94 f9 47 00 04 13 01 |oS.._TXu...G....| +00000050 00 ff 01 00 00 79 00 0b 00 04 03 00 01 02 00 0a |.....y..........| +00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................| +00000070 00 00 00 17 00 00 00 0d 00 1e 00 1c 04 03 05 03 |................| +00000080 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 |................| +00000090 08 06 04 01 05 01 06 01 00 2b 00 03 02 03 04 00 |.........+......| +000000a0 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 e0 |-.....3.&.$... .| +000000b0 64 7e 58 b6 e7 32 fc c9 d6 3e f7 e0 f5 6a 9c 3a |d~X..2...>...j.:| +000000c0 e6 8f 83 d7 1c 27 62 72 71 06 71 de 49 96 05 |.....'brq.q.I..| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 ce 77 9a 79 |........... .w.y| +00000030 98 24 bc 15 be ac 30 fe 66 35 ab 51 be bd b4 fa |.$....0.f5.Q....| +00000040 6f 53 1f e9 5f 54 58 75 ce 94 f9 47 13 01 00 00 |oS.._TXu...G....| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /| +00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.| +00000080 03 03 00 01 01 17 03 03 00 17 d0 8f 0a 7e 6c 33 |.............~l3| +00000090 0b be 2a 24 0e fc af df 6e 7d ad 22 28 82 77 60 |..*$....n}."(.w`| +000000a0 3d 17 03 03 00 3e 8f 87 8f f1 5a f6 6f eb eb d9 |=....>....Z.o...| +000000b0 da aa fc 3c 6d ac 73 94 a3 13 5f fe 01 bb 75 eb |........| +000001f0 50 76 d6 79 39 e8 25 bc 3b d9 5a a4 a8 5e 08 6a |Pv.y9.%.;.Z..^.j| +00000200 1c 48 b1 11 f0 d9 b9 48 39 e1 23 db 41 8c bf bd |.H.....H9.#.A...| +00000210 20 27 7b 0c 89 10 1f b0 ae 70 18 9a 7f f2 b4 1d | '{......p......| +00000220 20 cd 6d 80 38 00 a4 33 de 22 ef f6 42 52 c7 66 | .m.8..3."..BR.f| +00000230 83 4a 67 18 6b a6 38 27 d3 40 cf a2 a9 3e 58 06 |.Jg.k.8'.@...>X.| +00000240 91 a7 36 08 29 10 4d 8f 1b f9 7c 5a 17 05 81 b9 |..6.).M...|Z....| +00000250 4b 60 48 40 49 73 63 8a ef 9f f2 9e 80 85 57 fa |K`H@Isc.......W.| +00000260 0a b8 72 83 f3 26 fa 07 ae d2 47 99 b5 a6 5d c5 |..r..&....G...].| +00000270 1e b5 fc ea 0f 17 f8 ba e2 5c 7d 59 70 53 2e 23 |.........\}YpS.#| +00000280 f7 55 75 cb de 82 dc ca b1 bf 3f 5f 7d 7d 92 3c |.Uu.......?_}}.<| +00000290 29 29 64 30 74 0a 01 0b c0 95 db 45 fe 20 be 38 |))d0t......E. .8| +000002a0 c5 87 b7 e4 a9 93 63 67 6b 9a 2f 24 9e 62 8f 1d |......cgk./$.b..| +000002b0 bd 8c 4a d4 b0 0f 95 2f 56 b2 1c e8 5a 58 81 2e |..J..../V...ZX..| +000002c0 b5 b5 b5 f2 1b 7f 6c 39 58 75 51 dc 83 2a 59 0b |......l9XuQ..*Y.| +000002d0 78 5e 22 7e af ee 59 af b9 8f dc 65 97 af a5 b5 |x^"~..Y....e....| +000002e0 b8 50 af 35 51 30 e7 0a 75 e2 d0 33 e2 fb f4 b1 |.P.5Q0..u..3....| +000002f0 99 cd 5f 72 6b a9 f8 85 a1 a5 19 7e 2b 91 01 19 |.._rk......~+...| +00000300 09 dd 88 6e a7 d6 54 57 cd ef d0 97 6a 68 d9 6e |...n..TW....jh.n| +00000310 52 38 ef a5 fa 84 63 70 f0 6d 64 ec 66 1a c9 b5 |R8....cp.md.f...| +00000320 78 ba 17 74 f4 b4 2b a2 fe 9a 7f 38 b8 5e 8b 56 |x..t..+....8.^.V| +00000330 a6 7b 2c 92 7f db 58 c8 fa f9 2d 6b 00 25 dc 0a |.{,...X...-k.%..| +00000340 aa 13 e8 40 f3 fd 47 23 f6 bf 1c 30 fc 91 18 95 |...@..G#...0....| +00000350 ac a8 82 3d f5 ef 17 03 03 00 99 7e 30 4f f1 00 |...=.......~0O..| +00000360 1e dd eb c6 54 d2 f5 f7 21 aa 6b b0 83 0c fa 8b |....T...!.k.....| +00000370 12 af ac 15 3e 54 b6 1c 85 9b 0c 80 02 d8 e3 5f |....>T........._| +00000380 36 57 64 fe 7a b8 31 d0 aa 59 f1 e6 af e0 27 c5 |6Wd.z.1..Y....'.| +00000390 b8 d8 2f ab e0 cc c3 02 18 73 30 36 b5 2a 0d 12 |../......s06.*..| +000003a0 a4 45 e6 c3 79 9f 54 cb 51 61 1a b8 aa 87 45 43 |.E..y.T.Qa....EC| +000003b0 8e 93 58 66 f2 97 cb 3b 44 df ae 93 17 de 22 99 |..Xf...;D.....".| +000003c0 3c b4 9d 21 a6 db 03 ce 7b fb 67 b9 6e fb ab 50 |<..!....{.g.n..P| +000003d0 f8 33 9f 20 a0 fb e9 54 bb 62 16 19 d6 df 8c fe |.3. ...T.b......| +000003e0 3d 63 42 7c b0 72 2b 0d 87 1e f7 7d bb 59 ba f5 |=cB|.r+....}.Y..| +000003f0 d6 e8 f3 57 17 03 03 00 35 9e 6f 39 92 2e 32 10 |...W....5.o9..2.| +00000400 03 cd f0 28 2c 1a 32 77 19 c8 39 38 60 0c 28 b7 |...(,.2w..98`.(.| +00000410 8c 3a d8 50 a1 44 e4 d6 c5 64 59 88 2d a4 23 c9 |.:.P.D...dY.-.#.| +00000420 26 d1 96 0c c9 5d da 84 3e 8a 7d fe 80 77 |&....]..>.}..w| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 19 87 49 99 a6 d9 |............I...| +00000010 ed cd f7 7a 75 14 e1 26 41 d2 6e 5c 79 a6 be 7c |...zu..&A.n\y..|| +00000020 5d 9d 44 36 17 03 03 00 35 1b 51 a9 b1 ce 11 ed |].D6....5.Q.....| +00000030 95 47 34 b9 3d 2f 6e 27 b2 e5 31 54 7f e3 8a 11 |.G4.=/n'..1T....| +00000040 fd 54 75 2c b6 8a 56 25 00 29 a7 5f 7a 1e 16 be |.Tu,..V%.)._z...| +00000050 16 e3 86 3a 72 84 0e bc 40 ef fd ad 18 33 |...:r...@....3| +>>> Flow 4 (server to client) +00000000 17 03 03 00 8b 69 2e 81 c4 4d 43 a6 1f 96 b7 8e |.....i...MC.....| +00000010 87 4a 9b be 48 3c 31 18 98 f4 8c 04 24 b2 52 96 |.J..H<1.....$.R.| +00000020 04 b5 12 7c 54 37 83 6d 51 42 c6 52 f4 a5 bc d3 |...|T7.mQB.R....| +00000030 d1 c8 29 ab 4f e4 02 da 74 ec 8e 13 ad 03 f3 e0 |..).O...t.......| +00000040 7f 44 58 6b c7 28 a5 6a 75 30 b8 b1 31 38 fe ba |.DXk.(.ju0..18..| +00000050 e7 27 ae b3 e7 cb 5e 78 24 82 03 61 ba ae dd 4c |.'....^x$..a...L| +00000060 c6 7b f3 45 cf 6f a8 dc 7d 5d 73 65 db ae dc 10 |.{.E.o..}]se....| +00000070 ff 32 dc 4c b4 5e dc ce 4c 34 37 83 a0 0c d5 20 |.2.L.^..L47.... | +00000080 f1 f6 81 42 bc 63 65 47 80 d0 d6 f3 08 aa e2 58 |...B.ceG.......X| +00000090 17 03 03 00 1e 85 84 f3 e4 0f a8 24 c0 fe fa 2c |...........$...,| +000000a0 8b 60 52 32 73 2b 95 e9 37 3d 1c bd 2f ee ff e2 |.`R2s+..7=../...| +000000b0 70 13 df 17 03 03 00 13 65 2b 11 5f 50 7c 11 eb |p.......e+._P|..| +000000c0 3b 06 75 23 28 13 ca 4a b5 fb dc |;.u#(..J...| diff --git a/pkg/tls/testdata/Server-TLSv13-ECDHE-ECDSA-AES b/pkg/tls/testdata/Server-TLSv13-ECDHE-ECDSA-AES new file mode 100644 index 000000000..d2ed2ee64 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-ECDHE-ECDSA-AES @@ -0,0 +1,93 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 ca 01 00 00 c6 03 03 be 5b 8c 08 2b |............[..+| +00000010 26 a0 41 0f e3 4e b6 5c 9f 5d 53 04 67 4a 1d a2 |&.A..N.\.]S.gJ..| +00000020 26 3b 83 ab b4 7b c6 ec f8 a6 41 20 a6 de ad e2 |&;...{....A ....| +00000030 0c fd 02 99 11 51 c6 be e8 52 df 0b e2 b3 6f fe |.....Q...R....o.| +00000040 33 3e 2f 90 ac d2 e8 a2 53 8b d9 05 00 04 13 01 |3>/.....S.......| +00000050 00 ff 01 00 00 79 00 0b 00 04 03 00 01 02 00 0a |.....y..........| +00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................| +00000070 00 00 00 17 00 00 00 0d 00 1e 00 1c 04 03 05 03 |................| +00000080 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 |................| +00000090 08 06 04 01 05 01 06 01 00 2b 00 03 02 03 04 00 |.........+......| +000000a0 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 31 |-.....3.&.$... 1| +000000b0 8e dd f4 7c cf 22 04 c1 c3 04 5c 24 49 db ae ab |...|."....\$I...| +000000c0 0a d0 42 e8 70 51 c7 4f 88 e2 4e 2e 0b 80 65 |..B.pQ.O..N...e| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 a6 de ad e2 |........... ....| +00000030 0c fd 02 99 11 51 c6 be e8 52 df 0b e2 b3 6f fe |.....Q...R....o.| +00000040 33 3e 2f 90 ac d2 e8 a2 53 8b d9 05 13 01 00 00 |3>/.....S.......| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /| +00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.| +00000080 03 03 00 01 01 17 03 03 00 17 cc d0 60 a1 dc d6 |............`...| +00000090 46 57 69 3d df 0e 0f 7f a8 34 2d 87 71 84 16 54 |FWi=.....4-.q..T| +000000a0 9d 17 03 03 02 22 cb 9c f9 3e a0 fd bf 07 03 7c |....."...>.....|| +000000b0 53 0c 15 22 0b 78 e5 02 36 e6 e7 6c 5b f9 aa 8d |S..".x..6..l[...| +000000c0 54 8e b1 15 d4 23 05 12 5e 6e 0f 0f 65 77 bf b5 |T....#..^n..ew..| +000000d0 32 28 0e 32 ca 9f 61 c3 37 23 87 e8 ec 19 1d ba |2(.2..a.7#......| +000000e0 ef f5 18 eb ba 49 2d 86 a6 d1 f7 c1 9e 67 10 9f |.....I-......g..| +000000f0 a1 d2 62 bd 4c 6c 5e a4 41 f6 1e fa fd e7 55 bc |..b.Ll^.A.....U.| +00000100 16 ad 91 91 de 03 86 d7 e1 88 87 ab 0e f4 f5 bb |................| +00000110 16 da 37 bb a4 ce 4e 6c 5f 88 41 f9 a2 90 9a 2d |..7...Nl_.A....-| +00000120 5c 14 d5 01 28 06 a9 20 a4 ae 92 17 c5 95 b1 dc |\...(.. ........| +00000130 02 a8 3f 3b a7 97 91 5a 4f 56 bb db b6 30 0d 80 |..?;...ZOV...0..| +00000140 35 ac 91 6f 4f ba 1e 10 c6 fc d2 ca 96 e4 9d 1f |5..oO...........| +00000150 2f 29 00 3a 11 b7 77 dd d5 ed 76 9f 67 a1 b1 0c |/).:..w...v.g...| +00000160 5d 34 34 eb 42 49 23 15 49 12 24 24 73 be a9 65 |]44.BI#.I.$$s..e| +00000170 99 b6 b4 3f 18 0c d1 32 26 eb 86 93 5c 0e e8 06 |...?...2&...\...| +00000180 fb d7 9f 0e d9 26 14 47 b8 e5 67 8c c8 cb 0c 55 |.....&.G..g....U| +00000190 61 70 a9 ce 0d 4e bf ca 40 9c e7 0d 2b 5d 54 b7 |ap...N..@...+]T.| +000001a0 5a 64 50 e6 a1 c9 fc 47 7d e7 0a 13 36 8d 70 eb |ZdP....G}...6.p.| +000001b0 68 65 e4 9b 9d 12 d1 d9 0d 32 72 59 0f 46 b2 e2 |he.......2rY.F..| +000001c0 21 ab 13 d4 ab f3 6e b6 44 16 b8 85 bb dc f4 f7 |!.....n.D.......| +000001d0 d6 ce 5c 9f c0 4c 28 8f 36 39 ec 29 c7 33 bd ea |..\..L(.69.).3..| +000001e0 2d 10 16 84 50 c5 18 5b 2c a3 99 bb 3b 0b 70 66 |-...P..[,...;.pf| +000001f0 72 9a 83 01 06 2a bf 4a 60 c5 5d 41 a1 f0 92 bb |r....*.J`.]A....| +00000200 3b 2a 1a 41 3a 57 c3 22 13 2c b4 7b 3e 47 52 ea |;*.A:W.".,.{>GR.| +00000210 79 8a bf ef 2e 2c f7 89 c7 36 5a df 38 c2 04 b6 |y....,...6Z.8...| +00000220 6f 96 cd 7c 01 b3 e3 cd 4a 83 56 40 06 58 8a 7c |o..|....J.V@.X.|| +00000230 8c 75 df b6 b8 76 63 71 89 72 0a 64 de 23 7d 50 |.u...vcq.r.d.#}P| +00000240 77 a8 f6 a0 81 9d e9 ed 81 5e 20 c8 9f 65 3c 95 |w........^ ..e<.| +00000250 cf ed 99 80 71 06 5e 00 46 0d 0c 22 b3 88 f0 c5 |....q.^.F.."....| +00000260 33 3e 13 6b f2 07 9c db 20 31 9c 8d ea d7 73 e8 |3>.k.... 1....s.| +00000270 00 e1 2b f4 c8 d7 34 37 4a 98 b9 4d 28 db 15 8a |..+...47J..M(...| +00000280 af 53 14 3b 02 54 a3 0b 5f 10 ff 5d 20 1c 19 ae |.S.;.T.._..] ...| +00000290 6b 8a 99 a5 8f e0 ac dd c1 ba 1f 85 56 a3 94 bc |k...........V...| +000002a0 79 03 5f d5 dd e1 8e 62 b7 82 fa 92 c3 d5 8a fc |y._....b........| +000002b0 6b 17 24 d9 af db 3d 9c 0f 51 82 3d a2 ec 5f 9c |k.$...=..Q.=.._.| +000002c0 dc 69 a5 ce db d8 8b 87 17 03 03 00 a3 69 cd 7b |.i...........i.{| +000002d0 9f ac ad 72 11 b2 5d ee 19 63 d0 35 12 6d 5e 3f |...r..]..c.5.m^?| +000002e0 81 a8 18 4a d4 09 f3 80 38 4a 31 08 3e a0 4c 78 |...J....8J1.>.Lx| +000002f0 48 08 e9 90 ba e7 2a b4 73 2e 2b 2b 15 60 ce 09 |H.....*.s.++.`..| +00000300 7d df 49 31 e1 9d ff 92 1d b4 af 2e 8c f8 a6 2e |}.I1............| +00000310 93 d7 b9 10 69 10 7f 04 0d 8d e2 37 09 a7 d0 2a |....i......7...*| +00000320 ac ea 51 49 50 1d 1c 54 7f b9 15 ad 8c 77 ef 1d |..QIP..T.....w..| +00000330 a6 59 a3 bf b2 53 f7 6c 21 92 e0 36 c5 0d 61 94 |.Y...S.l!..6..a.| +00000340 be 61 5e 77 25 35 df e4 5f 67 c1 c6 af 51 e4 ce |.a^w%5.._g...Q..| +00000350 c4 28 c5 4e bc f6 c6 ba 32 dc 8e c7 45 f3 4d a1 |.(.N....2...E.M.| +00000360 70 53 98 46 8f 39 c2 cc b7 fc f7 24 11 97 72 b3 |pS.F.9.....$..r.| +00000370 17 03 03 00 35 76 be b6 7a 3f e3 08 7a a2 65 25 |....5v..z?..z.e%| +00000380 fd 0b c3 87 be ba eb ca cb 3d c1 25 10 e0 7b 00 |.........=.%..{.| +00000390 37 7a 52 9e d6 b2 e7 ba 8e 51 de 15 c4 e8 16 eb |7zR......Q......| +000003a0 c6 21 92 42 b1 62 f4 ce 27 ba 17 03 03 00 8b 54 |.!.B.b..'......T| +000003b0 03 de d7 a7 85 2f 4b 23 2d d5 3a b4 3d 3d f6 00 |...../K#-.:.==..| +000003c0 ac ab bd 6f dd bf 9f 24 fb 1b d4 01 39 3e c0 87 |...o...$....9>..| +000003d0 bb 32 ca f6 61 b2 ef 5d 9c 2c 1b a5 10 66 7b fd |.2..a..].,...f{.| +000003e0 4b d0 03 dc 53 a9 0d 5a d5 c4 4c 25 9c 55 e6 f8 |K...S..Z..L%.U..| +000003f0 d1 d8 49 dc 36 a1 92 ae f1 3e 2f 11 66 87 93 69 |..I.6....>/.f..i| +00000400 24 2e 5d 6c f6 79 15 68 a8 99 2e 1a 9c e2 85 4e |$.]l.y.h.......N| +00000410 5f d6 a8 3c 70 e1 67 cb df b2 1b ab 2b ed dc b6 |_..>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 46 8b fa 42 0d |..........5F..B.| +00000010 fa 3e 9e 80 76 12 ce 73 ae 85 67 ee af 1e 25 6e |.>..v..s..g...%n| +00000020 0b 46 4c bd 5a 46 8e 5c 27 7a 0a 8d d3 9c 3c 29 |.FL.ZF.\'z....<)| +00000030 4c c8 08 78 ac 9f f4 7a 38 8d 49 6a 01 b6 f5 83 |L..x...z8.Ij....| +>>> Flow 4 (server to client) +00000000 17 03 03 00 1e c2 1a dc 0a cb 9a 11 f7 a1 c2 1f |................| +00000010 54 7d 32 6f 0e 13 b6 6b 9f e1 c6 14 63 fc 18 b9 |T}2o...k....c...| +00000020 81 53 44 17 03 03 00 13 c9 72 ae 5e 2b c1 6f 64 |.SD......r.^+.od| +00000030 e0 70 47 15 b1 ec c3 25 00 7f 4e |.pG....%..N| diff --git a/pkg/tls/testdata/Server-TLSv13-Ed25519 b/pkg/tls/testdata/Server-TLSv13-Ed25519 new file mode 100644 index 000000000..dea367527 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-Ed25519 @@ -0,0 +1,75 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 ca 01 00 00 c6 03 03 08 d3 0c d5 aa |................| +00000010 d7 b1 55 99 bc fa a7 17 09 ed 93 47 96 44 70 28 |..U........G.Dp(| +00000020 03 b7 c6 40 ee 98 fe 30 83 86 ea 20 d0 89 76 54 |...@...0... ..vT| +00000030 87 71 b7 9c b7 fd f2 19 15 5f 3b 39 c9 ad 6b 97 |.q......._;9..k.| +00000040 89 6e c4 69 cc 83 b1 f0 e7 94 68 85 00 04 13 03 |.n.i......h.....| +00000050 00 ff 01 00 00 79 00 0b 00 04 03 00 01 02 00 0a |.....y..........| +00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................| +00000070 00 00 00 17 00 00 00 0d 00 1e 00 1c 04 03 05 03 |................| +00000080 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 |................| +00000090 08 06 04 01 05 01 06 01 00 2b 00 03 02 03 04 00 |.........+......| +000000a0 2d 00 02 01 01 00 33 00 26 00 24 00 1d 00 20 d8 |-.....3.&.$... .| +000000b0 dc 54 00 21 d1 f5 6e 1b fc a4 44 4e eb 97 4d 0f |.T.!..n...DN..M.| +000000c0 4a 5c ab 4c 27 72 23 69 72 7e 37 e8 bf 69 15 |J\.L'r#ir~7..i.| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 d0 89 76 54 |........... ..vT| +00000030 87 71 b7 9c b7 fd f2 19 15 5f 3b 39 c9 ad 6b 97 |.q......._;9..k.| +00000040 89 6e c4 69 cc 83 b1 f0 e7 94 68 85 13 03 00 00 |.n.i......h.....| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /| +00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.| +00000080 03 03 00 01 01 17 03 03 00 17 6a 47 be 2b 06 13 |..........jG.+..| +00000090 cf 8b 2f c5 ee d5 b0 5b c1 47 9a b2 5e a2 0d c5 |../....[.G..^...| +000000a0 41 17 03 03 01 50 c0 1e e0 f5 55 6e 92 52 99 d8 |A....P....Un.R..| +000000b0 62 06 9a 59 c7 b0 d7 5e c9 6d 76 a6 7a c9 55 fe |b..Y...^.mv.z.U.| +000000c0 83 d5 84 fc 3c f0 02 fe 0f f8 b4 2e a0 45 29 cd |....<........E).| +000000d0 37 ea 9d 2e 75 c4 06 1e 58 5f 21 31 4b 8c 5e 91 |7...u...X_!1K.^.| +000000e0 83 c1 0d 2c 21 68 1b 05 85 d2 35 1c 36 ee 9c b2 |...,!h....5.6...| +000000f0 14 52 49 d8 7f 59 80 9c 80 a3 d8 99 34 d4 5c 01 |.RI..Y......4.\.| +00000100 03 6c 52 fe cf a0 0a 47 11 e8 45 7c 85 76 6e 6e |.lR....G..E|.vnn| +00000110 29 1f af b7 97 bb fd 52 bd 4d 0a 4d 53 04 db 01 |)......R.M.MS...| +00000120 5c 63 da c6 5a 7c d4 d8 fb ab bf fb bd 6f 64 58 |\c..Z|.......odX| +00000130 8b e4 91 48 16 20 06 ca 2a 1f 5e 1e 33 c3 e8 cb |...H. ..*.^.3...| +00000140 ab d6 98 25 a6 12 86 28 95 d4 0c 0d c7 1e e3 ba |...%...(........| +00000150 f5 78 f9 10 97 60 19 8c 43 90 f6 aa 4d df da 91 |.x...`..C...M...| +00000160 89 63 f4 38 18 e6 70 42 66 be f2 ec d9 85 88 ad |.c.8..pBf.......| +00000170 59 c7 d1 57 3c 52 70 4a d4 db c8 b4 2c 37 7b 61 |Y..W>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 b0 21 d1 14 37 |..........5.!..7| +00000010 3e 4f 3c 00 bf 99 4d da f5 22 f8 ab d0 9b 0e 59 |>O<...M..".....Y| +00000020 33 1c 21 44 53 cf c7 31 16 df 3f fb a7 e2 f6 32 |3.!DS..1..?....2| +00000030 2c a6 c2 9f 35 d6 8a cc 0a 82 6c 46 c4 55 b1 a8 |,...5.....lF.U..| +>>> Flow 4 (server to client) +00000000 17 03 03 00 1e 0a 98 f1 c8 c1 dd 02 e9 bd b4 99 |................| +00000010 80 aa dd 14 1d 2a 73 e2 20 e3 55 14 f8 5b c8 b6 |.....*s. .U..[..| +00000020 55 98 73 17 03 03 00 13 e6 93 11 04 c5 32 15 7d |U.s..........2.}| +00000030 44 db bd 6c 6d 84 60 90 11 0c 52 |D..lm.`...R| diff --git a/pkg/tls/testdata/Server-TLSv13-ExportKeyingMaterial b/pkg/tls/testdata/Server-TLSv13-ExportKeyingMaterial new file mode 100644 index 000000000..0b4f8c091 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-ExportKeyingMaterial @@ -0,0 +1,98 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 ce 01 00 00 ca 03 03 4b 42 c7 99 9e |...........KB...| +00000010 1a 3d 10 18 84 4b 27 8e b7 49 cd 95 34 42 54 6e |.=...K'..I..4BTn| +00000020 fa 08 92 9b 43 f5 ca b4 57 44 2b 20 2d 75 50 cf |....C...WD+ -uP.| +00000030 7c f7 1a 45 b0 6d a0 d9 29 ee ac 2c 1f c9 b3 96 ||..E.m..)..,....| +00000040 2f ad 77 69 fc 92 65 75 af 9f ab da 00 04 13 03 |/.wi..eu........| +00000050 00 ff 01 00 00 7d 00 0b 00 04 03 00 01 02 00 0a |.....}..........| +00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 |...............#| +00000070 00 00 00 16 00 00 00 17 00 00 00 0d 00 1e 00 1c |................| +00000080 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b |................| +00000090 08 04 08 05 08 06 04 01 05 01 06 01 00 2b 00 03 |.............+..| +000000a0 02 03 04 00 2d 00 02 01 01 00 33 00 26 00 24 00 |....-.....3.&.$.| +000000b0 1d 00 20 1c b6 f8 ed 5c d6 4c 45 22 bb 99 6f e9 |.. ....\.LE"..o.| +000000c0 f8 d8 78 d7 6f a3 28 4f 06 16 f9 18 64 6c 30 23 |..x.o.(O....dl0#| +000000d0 8a a5 14 |...| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 2d 75 50 cf |........... -uP.| +00000030 7c f7 1a 45 b0 6d a0 d9 29 ee ac 2c 1f c9 b3 96 ||..E.m..)..,....| +00000040 2f ad 77 69 fc 92 65 75 af 9f ab da 13 03 00 00 |/.wi..eu........| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /| +00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.| +00000080 03 03 00 01 01 17 03 03 00 17 1b 8e de 2f c7 92 |............./..| +00000090 de 8e 8c fa 0c 7a e5 1f ee 4c 4c d9 42 de 76 3d |.....z...LL.B.v=| +000000a0 2f 17 03 03 02 6d e9 b0 9a 48 a0 96 b9 52 a1 88 |/....m...H...R..| +000000b0 e4 03 62 85 7d 6b 08 37 dc 50 13 7d aa 99 ba 73 |..b.}k.7.P.}...s| +000000c0 38 08 e8 64 cd 37 a4 44 9d 86 e3 5e 24 df d9 da |8..d.7.D...^$...| +000000d0 0a 3b 97 9c 30 37 d9 99 0f a6 17 ef 5a e7 1b e9 |.;..07......Z...| +000000e0 f6 5e c3 2b fc cc 8c 98 b9 7e 5f de bb 3c 19 9a |.^.+.....~_..<..| +000000f0 59 75 e4 5e db 06 64 28 8d 26 88 41 b3 c2 2e 7f |Yu.^..d(.&.A....| +00000100 fd 17 78 79 a0 ab 9a 48 7e 3d ef 78 c0 f1 9c 96 |..xy...H~=.x....| +00000110 b2 21 b1 a8 18 d2 69 25 ad 51 8c 48 0f 66 28 a5 |.!....i%.Q.H.f(.| +00000120 cf 76 16 c3 68 17 d9 33 f2 1f 5c 5f a1 19 08 e8 |.v..h..3..\_....| +00000130 77 da d0 e0 c0 dc 4a 77 78 65 d1 3a 36 60 d9 0b |w.....Jwxe.:6`..| +00000140 e9 f8 5e 4f 41 32 71 c4 a9 6c ca 29 da 25 ad 35 |..^OA2q..l.).%.5| +00000150 da 14 79 21 6d cb 57 b8 49 03 59 d4 d8 8b 76 71 |..y!m.W.I.Y...vq| +00000160 11 9d 5f 03 62 52 01 bb 69 77 45 19 ee 5b 11 8f |.._.bR..iwE..[..| +00000170 75 65 49 e4 df cd 87 7c ab c9 7d 0c 1c ed b0 08 |ueI....|..}.....| +00000180 c7 ba 08 2d a7 26 75 80 1d 1d 0c 7f 01 15 6f 82 |...-.&u.......o.| +00000190 bf 5a a3 84 cd ac 91 56 cb d2 17 78 a5 b0 22 bf |.Z.....V...x..".| +000001a0 d2 f3 1e 9f 8f f7 66 b7 a0 ec 28 f1 c5 b6 4e 24 |......f...(...N$| +000001b0 63 46 88 d2 7a 84 11 8e ce 5d ab 5f e7 81 7d a5 |cF..z....]._..}.| +000001c0 2f df f3 a6 2d 1f d9 e1 01 80 53 cf 4f 2c be bc |/...-.....S.O,..| +000001d0 dd 68 cf fe c1 ce 15 ed 7d 59 e2 48 57 ac c6 73 |.h......}Y.HW..s| +000001e0 b0 70 68 d1 a3 9a b0 f2 e2 07 2c ae 8a 5f 04 e9 |.ph.......,.._..| +000001f0 f2 f7 d8 d4 63 92 7d a1 bd 8b 57 61 1f 13 48 7e |....c.}...Wa..H~| +00000200 8a a2 5d 51 a8 fb 0a a7 02 73 c7 33 4b 9e 28 d5 |..]Q.....s.3K.(.| +00000210 ea dd a5 84 21 c4 ba 0b 77 2c 08 f1 30 ff 92 9b |....!...w,..0...| +00000220 8b c3 17 db 08 15 b3 f7 7b 01 8b 2c a8 e1 a7 f6 |........{..,....| +00000230 a3 73 3d 5f 03 13 b8 e8 8c 19 a1 d6 7f fd f7 9f |.s=_............| +00000240 37 ee ce f5 70 26 d2 18 39 54 c4 4e 4e e6 08 5d |7...p&..9T.NN..]| +00000250 6b 7f cc b4 68 78 50 75 e2 f1 ec 73 93 a3 12 7f |k...hxPu...s....| +00000260 e5 1a ec 55 f4 85 d0 10 12 29 fd b0 e1 3e d5 d1 |...U.....)...>..| +00000270 a6 d1 25 48 01 45 82 ec 83 e0 83 29 7b 46 c7 a9 |..%H.E.....){F..| +00000280 5c ca bf e9 28 f1 76 ef c5 72 5f 92 41 84 0e 64 |\...(.v..r_.A..d| +00000290 af 6f f4 94 23 0a b5 2d 8b 56 66 a8 6b bb 4f a9 |.o..#..-.Vf.k.O.| +000002a0 90 b6 d5 0a ab 76 7e 18 5c 3f 67 d5 7b c2 01 80 |.....v~.\?g.{...| +000002b0 ce c8 8e d4 cd 86 0b 90 84 3a 68 82 f4 46 bc 72 |.........:h..F.r| +000002c0 91 aa 92 46 e8 40 3e 40 21 c9 6a e5 d6 5a b2 01 |...F.@>@!.j..Z..| +000002d0 d0 ef a7 f1 4e f6 e6 32 0c e1 07 19 cc fb 6e ff |....N..2......n.| +000002e0 f7 53 35 81 4d 09 75 fb 42 42 41 18 8f be cf 71 |.S5.M.u.BBA....q| +000002f0 43 20 e0 23 b6 39 1c ab 52 6e 8e bf b2 d3 59 16 |C .#.9..Rn....Y.| +00000300 a8 15 d6 b7 cc cd ed 28 5a 8e de 64 ae 85 f5 0d |.......(Z..d....| +00000310 7f 58 66 17 03 03 00 99 51 80 02 3d be 7a 45 b3 |.Xf.....Q..=.zE.| +00000320 c3 f6 68 39 59 03 7b 2e 0c b3 22 f1 b3 6e a6 b2 |..h9Y.{..."..n..| +00000330 64 f4 c6 77 7b 38 e0 94 97 2c 69 5b 29 63 e2 6b |d..w{8...,i[)c.k| +00000340 d5 d4 d0 b4 c1 45 04 4c c4 19 6d 75 fd ef 3a 77 |.....E.L..mu..:w| +00000350 f2 81 e4 8d 51 97 11 6b 6c ce b7 7a 11 fd 71 f7 |....Q..kl..z..q.| +00000360 ee 67 c6 83 27 31 39 1f d4 d1 be b8 c2 06 11 e3 |.g..'19.........| +00000370 34 36 ff f3 c7 e6 1d b5 87 6b cf 12 56 2c e8 03 |46.......k..V,..| +00000380 83 bf 03 f8 57 fd 54 c7 32 19 b1 ba fe e4 58 05 |....W.T.2.....X.| +00000390 77 6f 48 f4 af 2f 99 dd 47 a5 1a 30 17 2f 1d 25 |woH../..G..0./.%| +000003a0 80 8c d7 cd 33 b7 db d0 9d 58 4c 5d ef 14 2f 7a |....3....XL]../z| +000003b0 f2 17 03 03 00 35 04 7f e7 0b a2 30 a0 93 c2 f7 |.....5.....0....| +000003c0 84 64 be 47 37 b0 46 8d 78 1b 69 b8 40 90 db 57 |.d.G7.F.x.i.@..W| +000003d0 f9 e5 4e fa ba a4 3c 3e af db 67 18 2c 5f 32 77 |..N...<>..g.,_2w| +000003e0 88 1e 30 85 b4 c0 46 c9 5c 85 ef 17 03 03 00 8b |..0...F.\.......| +000003f0 a6 13 6e 2a 9f 36 5e 06 de 8a f8 95 68 0a 05 2b |..n*.6^.....h..+| +00000400 e7 e7 fa 1b 2c 69 0c 30 75 a1 81 5a e6 e6 ab c5 |....,i.0u..Z....| +00000410 22 b0 7d e1 ba 4f d7 75 89 88 23 35 be 36 9d 64 |".}..O.u..#5.6.d| +00000420 3e 16 8d 5f 42 0f 6f 9a 78 8f 45 df 21 3e 4b 34 |>.._B.o.x.E.!>K4| +00000430 6c ae ea c6 4a 71 0b d8 fd 70 f3 ac ce 68 3d f8 |l...Jq...p...h=.| +00000440 62 d4 86 1e ac 3f ab 7d 36 83 80 4f c6 be 54 b7 |b....?.}6..O..T.| +00000450 c1 1e bd 82 ea ad 42 9a f0 c8 79 77 24 27 dd 24 |......B...yw$'.$| +00000460 68 b0 ca 17 a6 a2 14 2e 1f 57 54 d1 79 94 99 d3 |h........WT.y...| +00000470 96 68 db c2 19 14 ce 89 04 c2 b8 |.h.........| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 96 8c 0d e9 39 |..........5....9| +00000010 98 d4 ed 41 d5 fe f8 55 00 51 f0 71 6c 12 ed bd |...A...U.Q.ql...| +00000020 13 40 7d 4e 85 ef 8b 88 80 88 c3 fd 55 41 cb 7f |.@}N........UA..| +00000030 d7 96 04 3d f0 d5 26 c7 92 0a 64 bf 59 18 2a bd |...=..&...d.Y.*.| +>>> Flow 4 (server to client) +00000000 17 03 03 00 1e 90 ae 0a 4e 61 d1 14 64 90 3b a0 |........Na..d.;.| +00000010 cd 33 67 f7 87 e6 93 3d 41 18 81 66 0c b2 26 f0 |.3g....=A..f..&.| +00000020 76 94 cd 17 03 03 00 13 ef 96 85 4e 34 8a 64 ed |v..........N4.d.| +00000030 5d 4a 58 e4 74 50 35 7c 47 a6 a5 |]JX.tP5|G..| diff --git a/pkg/tls/testdata/Server-TLSv13-HelloRetryRequest b/pkg/tls/testdata/Server-TLSv13-HelloRetryRequest new file mode 100644 index 000000000..55ecaf405 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-HelloRetryRequest @@ -0,0 +1,123 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 c4 01 00 00 c0 03 03 53 14 36 0d 63 |...........S.6.c| +00000010 da e2 6a da b6 ce ab a7 79 a4 49 94 af fc b3 cd |..j.....y.I.....| +00000020 18 bb c3 4e ca c2 40 07 01 2b 5c 20 90 fc 6b be |...N..@..+\ ..k.| +00000030 26 4f 94 c1 f7 06 e6 ae e6 0f 67 2f c7 de b0 6b |&O........g/...k| +00000040 4a f8 9c a2 43 b6 64 62 08 27 0b 45 00 04 13 03 |J...C.db.'.E....| +00000050 00 ff 01 00 00 73 00 0b 00 04 03 00 01 02 00 0a |.....s..........| +00000060 00 06 00 04 00 1d 00 17 00 16 00 00 00 17 00 00 |................| +00000070 00 0d 00 1e 00 1c 04 03 05 03 06 03 08 07 08 08 |................| +00000080 08 09 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 |................| +00000090 06 01 00 2b 00 03 02 03 04 00 2d 00 02 01 01 00 |...+......-.....| +000000a0 33 00 26 00 24 00 1d 00 20 a5 12 8a 90 4d a6 20 |3.&.$... ....M. | +000000b0 36 c8 47 e0 0e 02 2e c3 24 dd f0 33 b2 aa 57 54 |6.G.....$..3..WT| +000000c0 9d e7 c4 d7 7a f1 42 12 0e |....z.B..| +>>> Flow 2 (server to client) +00000000 16 03 03 00 58 02 00 00 54 03 03 cf 21 ad 74 e5 |....X...T...!.t.| +00000010 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a |.a......e......z| +00000020 bb 8c 5e 07 9e 09 e2 c8 a8 33 9c 20 90 fc 6b be |..^......3. ..k.| +00000030 26 4f 94 c1 f7 06 e6 ae e6 0f 67 2f c7 de b0 6b |&O........g/...k| +00000040 4a f8 9c a2 43 b6 64 62 08 27 0b 45 13 03 00 00 |J...C.db.'.E....| +00000050 0c 00 2b 00 02 03 04 00 33 00 02 00 17 14 03 03 |..+.....3.......| +00000060 00 01 01 |...| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 16 03 03 00 e5 01 00 00 e1 03 |................| +00000010 03 53 14 36 0d 63 da e2 6a da b6 ce ab a7 79 a4 |.S.6.c..j.....y.| +00000020 49 94 af fc b3 cd 18 bb c3 4e ca c2 40 07 01 2b |I........N..@..+| +00000030 5c 20 90 fc 6b be 26 4f 94 c1 f7 06 e6 ae e6 0f |\ ..k.&O........| +00000040 67 2f c7 de b0 6b 4a f8 9c a2 43 b6 64 62 08 27 |g/...kJ...C.db.'| +00000050 0b 45 00 04 13 03 00 ff 01 00 00 94 00 0b 00 04 |.E..............| +00000060 03 00 01 02 00 0a 00 06 00 04 00 1d 00 17 00 16 |................| +00000070 00 00 00 17 00 00 00 0d 00 1e 00 1c 04 03 05 03 |................| +00000080 06 03 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 |................| +00000090 08 06 04 01 05 01 06 01 00 2b 00 03 02 03 04 00 |.........+......| +000000a0 2d 00 02 01 01 00 33 00 47 00 45 00 17 00 41 04 |-.....3.G.E...A.| +000000b0 de 5f 45 a6 5a fb df 47 33 52 cf 63 63 b7 e2 c1 |._E.Z..G3R.cc...| +000000c0 f0 ad 4e b7 a3 09 7a 83 cf 58 cb 26 98 51 59 ee |..N...z..X.&.QY.| +000000d0 9e 33 a4 39 0d 49 17 98 35 31 99 9c 5a 84 c8 e5 |.3.9.I..51..Z...| +000000e0 8c d4 90 22 45 ef 65 3b 9d 85 0f 92 b0 ab 0e 8f |..."E.e;........| +>>> Flow 4 (server to client) +00000000 16 03 03 00 9b 02 00 00 97 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 90 fc 6b be |........... ..k.| +00000030 26 4f 94 c1 f7 06 e6 ae e6 0f 67 2f c7 de b0 6b |&O........g/...k| +00000040 4a f8 9c a2 43 b6 64 62 08 27 0b 45 13 03 00 00 |J...C.db.'.E....| +00000050 4f 00 2b 00 02 03 04 00 33 00 45 00 17 00 41 04 |O.+.....3.E...A.| +00000060 1e 18 37 ef 0d 19 51 88 35 75 71 b5 e5 54 5b 12 |..7...Q.5uq..T[.| +00000070 2e 8f 09 67 fd a7 24 20 3e b2 56 1c ce 97 28 5e |...g..$ >.V...(^| +00000080 f8 2b 2d 4f 9e f1 07 9f 6c 4b 5b 83 56 e2 32 42 |.+-O....lK[.V.2B| +00000090 e9 58 b6 d7 49 a6 b5 68 1a 41 03 56 6b dc 5a 89 |.X..I..h.A.Vk.Z.| +000000a0 17 03 03 00 17 41 5e 1d 29 7e 4d ad 56 1c e4 42 |.....A^.)~M.V..B| +000000b0 9d 99 61 93 95 d3 7a 1c 9c b0 1b ba 17 03 03 02 |..a...z.........| +000000c0 6d 62 fd b6 84 db 87 5f ec 30 bc df 0c 5d b7 f9 |mb....._.0...]..| +000000d0 58 6b 7e ce 19 54 a9 0c 3f 66 f6 23 b6 36 19 a9 |Xk~..T..?f.#.6..| +000000e0 ba e2 44 28 70 b9 35 14 fe 33 50 64 30 dd b1 35 |..D(p.5..3Pd0..5| +000000f0 9c e5 f6 f5 66 09 be 05 82 c8 9c 7a 28 d1 6a 3d |....f......z(.j=| +00000100 31 a3 9d 0b 5a 1c 9e f1 77 c8 be eb 71 a7 9d 63 |1...Z...w...q..c| +00000110 20 18 ef 97 4b fb 60 4d 2f 31 49 b2 1c 47 30 eb | ...K.`M/1I..G0.| +00000120 80 c1 e6 28 e0 67 a8 1b 8f 79 9f 40 ca 97 bd d9 |...(.g...y.@....| +00000130 b9 cc 55 56 00 32 8d 76 76 88 be 62 42 e9 2f 53 |..UV.2.vv..bB./S| +00000140 9b ab 56 98 e6 03 15 17 1a 2b 70 50 8a d8 ba 9d |..V......+pP....| +00000150 ab 5a ea 68 ec 98 7a f5 c1 9b 21 f8 f3 0b 5d a3 |.Z.h..z...!...].| +00000160 7a 70 ae ff 67 e0 e8 2d 97 e5 72 d7 c4 27 9b 8d |zp..g..-..r..'..| +00000170 f8 47 dd 9e 15 2a 1e 38 eb 82 24 e5 85 55 ec a4 |.G...*.8..$..U..| +00000180 22 ee 1f 9d c2 f3 1c 47 7a 26 0b 1a 4b d8 e4 58 |"......Gz&..K..X| +00000190 ad b2 99 72 5b f8 97 33 f6 26 58 e3 58 1e 66 12 |...r[..3.&X.X.f.| +000001a0 51 ba dc 66 bb c7 7d af 90 4b c2 79 2c b3 d8 34 |Q..f..}..K.y,..4| +000001b0 2a d2 6b 37 71 88 e0 4a c3 16 50 81 21 e1 a7 6d |*.k7q..J..P.!..m| +000001c0 42 e7 f5 86 7e b3 4b b8 9d bb dc 49 7d ce 6c 98 |B...~.K....I}.l.| +000001d0 fd 87 2e fc 1a 17 34 12 90 a0 bc 06 46 7b e9 0b |......4.....F{..| +000001e0 d3 aa f7 77 30 43 6e 5f 4e fa e3 b1 a6 c8 80 47 |...w0Cn_N......G| +000001f0 16 71 a0 bc 9e d3 89 14 49 ca 9a 87 8b b0 3b c7 |.q......I.....;.| +00000200 a7 f4 6d 2a cb 0a 5e 8a e5 f1 45 65 e4 51 da b1 |..m*..^...Ee.Q..| +00000210 5c e2 88 90 46 e7 cb 01 0b 99 64 fe 5b b4 b3 e6 |\...F.....d.[...| +00000220 aa 6f 59 25 25 79 2b 8e 6b 59 65 15 51 a1 8f a2 |.oY%%y+.kYe.Q...| +00000230 f5 cd db df 63 fb 86 72 a5 9d 6c 7d b9 a0 e9 d5 |....c..r..l}....| +00000240 c7 79 ca f1 3f c3 ed 72 29 3c 58 ed bd 4e 3a 27 |.y..?..r)/rs...).?| +000003f0 fa 0f 96 72 46 7d 6b 2f ed 23 63 75 b7 26 f2 ea |...rF}k/.#cu.&..| +00000400 77 0f 3a 68 1e ee 17 03 03 00 8b b0 54 d9 ec c4 |w.:h........T...| +00000410 44 cb e4 f6 f2 cb 66 31 c7 d8 ef 45 bf 9c 03 c4 |D.....f1...E....| +00000420 7c 3f 91 e1 cf e8 c6 e5 a8 12 f1 e0 72 6b a2 9a ||?..........rk..| +00000430 f7 73 3d 13 3d 30 91 54 27 02 f7 ab a3 7e bb 5f |.s=.=0.T'....~._| +00000440 21 a6 fa 09 98 39 7f 99 13 5a c5 c5 6c 7b d2 91 |!....9...Z..l{..| +00000450 7c de 26 88 b9 17 bd b9 b2 9a 7c 01 35 ad 7b 3b ||.&.......|.5.{;| +00000460 3d 15 33 9e 78 ea a1 df 94 80 fa e4 59 ef 49 06 |=.3.x.......Y.I.| +00000470 31 41 8a 83 e9 98 37 e6 5a 69 f9 0a 7d 63 8e 6a |1A....7.Zi..}c.j| +00000480 9c bd 5b d4 69 72 3d 82 c9 c0 11 d6 68 13 17 9d |..[.ir=.....h...| +00000490 0e 32 48 bf 33 ab |.2H.3.| +>>> Flow 5 (client to server) +00000000 17 03 03 00 35 c6 da dd 4b 11 a3 87 cd fd f9 99 |....5...K.......| +00000010 a6 0b 76 c0 00 89 e1 87 d1 2c 43 0b f1 74 e5 60 |..v......,C..t.`| +00000020 49 94 5f d2 d9 b5 0b bd 6c d8 2c 84 4d 4f da 43 |I._.....l.,.MO.C| +00000030 f0 33 dd 54 bd 0c d9 f2 71 82 |.3.T....q.| +>>> Flow 6 (server to client) +00000000 17 03 03 00 1e 6d f2 53 68 26 89 6e 4a 66 6a a9 |.....m.Sh&.nJfj.| +00000010 12 9e 89 f0 be eb ff ed b4 f0 ca f2 b8 7a b2 5e |.............z.^| +00000020 98 50 cb 17 03 03 00 13 ab 2b 9c 98 f0 1b 5c a2 |.P.......+....\.| +00000030 f3 b2 a1 16 e0 74 eb 02 c4 7d d5 |.....t...}.| diff --git a/pkg/tls/testdata/Server-TLSv13-IssueTicket b/pkg/tls/testdata/Server-TLSv13-IssueTicket new file mode 100644 index 000000000..7fe5184f1 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-IssueTicket @@ -0,0 +1,98 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 ce 01 00 00 ca 03 03 9b 80 62 b8 bb |.............b..| +00000010 fc 09 cc 19 31 91 f7 4b 8a e8 fc 69 45 33 bd 64 |....1..K...iE3.d| +00000020 8c 88 6e 07 0d 33 e7 f2 ce 4b 46 20 81 23 01 a2 |..n..3...KF .#..| +00000030 64 c3 6d 55 ee 3c f1 c5 16 48 cb a7 61 fe 15 57 |d.mU.<...H..a..W| +00000040 fa 9e 36 f2 ad 5b 19 2e 73 b9 8f 57 00 04 13 01 |..6..[..s..W....| +00000050 00 ff 01 00 00 7d 00 0b 00 04 03 00 01 02 00 0a |.....}..........| +00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 |...............#| +00000070 00 00 00 16 00 00 00 17 00 00 00 0d 00 1e 00 1c |................| +00000080 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b |................| +00000090 08 04 08 05 08 06 04 01 05 01 06 01 00 2b 00 03 |.............+..| +000000a0 02 03 04 00 2d 00 02 01 01 00 33 00 26 00 24 00 |....-.....3.&.$.| +000000b0 1d 00 20 e2 26 c1 8e 1b 73 8a e1 ec 95 a0 01 1a |.. .&...s.......| +000000c0 15 98 9d a2 d0 ac 02 4d 14 a9 8d 42 3a 68 e6 d2 |.......M...B:h..| +000000d0 9f 09 49 |..I| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 81 23 01 a2 |........... .#..| +00000030 64 c3 6d 55 ee 3c f1 c5 16 48 cb a7 61 fe 15 57 |d.mU.<...H..a..W| +00000040 fa 9e 36 f2 ad 5b 19 2e 73 b9 8f 57 13 01 00 00 |..6..[..s..W....| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /| +00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.| +00000080 03 03 00 01 01 17 03 03 00 17 c9 df 69 cf ca 6d |............i..m| +00000090 b4 7b 81 46 34 f6 0c e3 5b 88 92 91 24 80 93 03 |.{.F4...[...$...| +000000a0 f8 17 03 03 02 6d b9 46 75 89 0d 64 9d 7b 9a 2a |.....m.Fu..d.{.*| +000000b0 48 78 eb 93 8d c8 4d 16 fb 7e 95 77 ff 06 d2 aa |Hx....M..~.w....| +000000c0 30 34 cc 9e 5a f3 c1 b6 d5 17 fb b2 15 bb eb 11 |04..Z...........| +000000d0 28 5a 2f 6b d6 87 8c c6 17 00 4d 58 d1 27 af 88 |(Z/k......MX.'..| +000000e0 39 1f db 2e 0a 5b 36 8f a1 26 a9 00 be ba 5a b2 |9....[6..&....Z.| +000000f0 65 fa 14 8a 53 3c 6a 9e b7 73 1f fa 80 fd 03 c2 |e...S..|..|..=.h| +00000200 de 8f 68 89 02 c5 67 5a ff 71 02 34 00 96 15 d4 |..h...gZ.q.4....| +00000210 01 6d 6d 31 dc 77 62 b8 3e 72 b0 ab 4d da ea 6d |.mm1.wb.>r..M..m| +00000220 9a 2d 0e 5d b7 8e cc bc 5c 0a b3 13 5b 8c 86 de |.-.]....\...[...| +00000230 e3 1a 70 cd 9d 63 4c ea e2 56 f9 3b 05 8e 0b 96 |..p..cL..V.;....| +00000240 16 c9 a4 67 09 fe 88 ae 4b 8c d1 b3 19 10 0f fd |...g....K.......| +00000250 07 33 86 3a 6a 54 ef 69 27 02 bf 76 7c 05 ab 40 |.3.:jT.i'..v|..@| +00000260 e6 43 9e 3c 9b ee 0c d8 14 ff c1 09 a6 73 65 66 |.C.<.........sef| +00000270 54 1f a9 9c af fb 73 c4 cb 8c a7 3b c7 23 d6 99 |T.....s....;.#..| +00000280 a7 c6 af a1 62 54 30 f7 18 30 23 7d c0 e6 d3 fe |....bT0..0#}....| +00000290 a0 58 f1 c5 5e 37 70 90 47 73 45 b0 70 a9 45 1c |.X..^7p.GsE.p.E.| +000002a0 87 9f 0d ed bc ee 65 c2 50 91 55 a3 f9 eb 71 e8 |......e.P.U...q.| +000002b0 5a ee b3 3f 79 75 3a c9 98 7d 57 fc 51 78 b5 e5 |Z..?yu:..}W.Qx..| +000002c0 33 90 f1 d0 74 86 1a 51 2b f4 89 1a 19 48 2d 68 |3...t..Q+....H-h| +000002d0 d0 7b be c1 bb 9e c7 3e af 4b 80 1c ab 8f a2 9d |.{.....>.K......| +000002e0 17 96 da 42 16 49 a6 74 35 07 9a 7d 89 80 4d d6 |...B.I.t5..}..M.| +000002f0 04 43 11 68 6b e4 87 32 33 43 82 b3 9e b0 03 eb |.C.hk..23C......| +00000300 b9 15 01 86 01 db ea e3 67 5b 7f 9c 0e 54 03 21 |........g[...T.!| +00000310 04 29 7e 17 03 03 00 99 21 c7 e4 ea 6e 27 82 c6 |.)~.....!...n'..| +00000320 15 6a 4d cd 8d c5 41 e5 1e aa 5c 8b b9 e8 ee 2a |.jM...A...\....*| +00000330 04 53 ee 39 3d a1 9b 53 ab f8 4a 97 95 69 53 ef |.S.9=..S..J..iS.| +00000340 9b a9 3a d5 d1 0c a6 e3 fb 7d 30 b1 00 45 43 58 |..:......}0..ECX| +00000350 51 65 1f 60 e7 f4 0a 6a f6 8a 06 60 9b 5b 60 31 |Qe.`...j...`.[`1| +00000360 d5 df 8b 28 1a c4 cb 39 5d a3 2b fb eb c8 07 14 |...(...9].+.....| +00000370 07 ee 02 11 7f 85 c9 78 d8 f5 c1 6b 70 c1 b3 c1 |.......x...kp...| +00000380 c0 a8 a0 08 ac d3 4e 39 ca 21 b0 e6 1d ea 97 58 |......N9.!.....X| +00000390 6a e0 ac ad 10 19 75 13 7e 35 5d c6 2c ad a1 a2 |j.....u.~5].,...| +000003a0 79 ac 33 ed 4d 77 41 29 6c e2 05 80 d7 7b 05 a4 |y.3.MwA)l....{..| +000003b0 03 17 03 03 00 35 4b 22 e9 78 9e b1 75 a9 cd 91 |.....5K".x..u...| +000003c0 c6 4d f1 e9 f2 a7 42 59 d5 c0 9e f3 9e 8f 7a 17 |.M....BY......z.| +000003d0 21 ba 01 5b d3 0f 91 52 63 12 d9 4f be 84 75 2e |!..[...Rc..O..u.| +000003e0 a2 46 a9 45 f5 d6 a1 60 a0 17 79 17 03 03 00 8b |.F.E...`..y.....| +000003f0 92 fc 11 26 97 33 82 f1 e4 62 5d 2a 56 3c d8 80 |...&.3...b]*V<..| +00000400 6b 6d ce f9 5f 43 2f 8e 24 0b 46 0b a5 5a 22 d5 |km.._C/.$.F..Z".| +00000410 ff 33 d7 e6 04 2e 37 5b 00 45 9d 8b 62 49 81 b1 |.3....7[.E..bI..| +00000420 97 ca d5 84 dd f9 7e 1a 7a a3 45 46 b9 db a7 d4 |......~.z.EF....| +00000430 07 3d 54 39 b1 de 54 16 bc d7 ba e7 b8 92 02 eb |.=T9..T.........| +00000440 0c 3c b1 48 40 53 68 f5 fc 0f 6a 64 67 fb 79 cd |.<.H@Sh...jdg.y.| +00000450 75 ed 65 7c 88 01 04 43 ed 00 44 68 c3 74 c1 bc |u.e|...C..Dh.t..| +00000460 63 4a cf e9 e5 20 21 0e da da 09 fd ac c6 1c 7a |cJ... !........z| +00000470 69 e4 90 fc e2 3b 12 df 3a 11 f4 |i....;..:..| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 0f c5 0c ac c4 |..........5.....| +00000010 a9 7e 32 56 fd 68 b8 86 66 8a 66 da 65 0a 5a ee |.~2V.h..f.f.e.Z.| +00000020 1a a5 11 ec 1c 42 28 2f 8e a3 98 49 80 a5 9e e3 |.....B(/...I....| +00000030 5f cf 51 93 44 b2 f2 e0 6e 58 ea c6 50 84 14 ef |_.Q.D...nX..P...| +>>> Flow 4 (server to client) +00000000 17 03 03 00 1e 3c 0f a4 3b d6 72 2e 40 dd 5d 79 |.....<..;.r.@.]y| +00000010 e4 57 25 46 95 76 98 6a 4f aa 75 b5 2f 40 67 2e |.W%F.v.jO.u./@g.| +00000020 ff ac 49 17 03 03 00 13 93 90 ac d8 14 54 32 66 |..I..........T2f| +00000030 fa af 38 24 7c 58 75 62 88 60 34 |..8$|Xub.`4| diff --git a/pkg/tls/testdata/Server-TLSv13-IssueTicketPreDisable b/pkg/tls/testdata/Server-TLSv13-IssueTicketPreDisable new file mode 100644 index 000000000..abdf41d89 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-IssueTicketPreDisable @@ -0,0 +1,98 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 ce 01 00 00 ca 03 03 1f 69 f6 99 9f |............i...| +00000010 ee 81 23 41 5d 81 d6 aa 1b 5a 44 9e 56 78 21 6a |..#A]....ZD.Vx!j| +00000020 fa a1 17 9b 6f 97 3d d5 ee 11 7a 20 01 bd 29 e6 |....o.=...z ..).| +00000030 6b be 9e 23 35 3a ab 47 92 6f 71 b3 69 82 63 7d |k..#5:.G.oq.i.c}| +00000040 43 c0 ae eb 05 8e 54 9b e9 55 ec c2 00 04 13 01 |C.....T..U......| +00000050 00 ff 01 00 00 7d 00 0b 00 04 03 00 01 02 00 0a |.....}..........| +00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 |...............#| +00000070 00 00 00 16 00 00 00 17 00 00 00 0d 00 1e 00 1c |................| +00000080 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b |................| +00000090 08 04 08 05 08 06 04 01 05 01 06 01 00 2b 00 03 |.............+..| +000000a0 02 03 04 00 2d 00 02 01 01 00 33 00 26 00 24 00 |....-.....3.&.$.| +000000b0 1d 00 20 9c 90 86 ec 0c c9 4e 43 4d d7 00 3d 39 |.. ......NCM..=9| +000000c0 50 25 c9 b9 f8 7f cc 6a 39 95 bc f0 1f 0d bc a7 |P%.....j9.......| +000000d0 21 ff 69 |!.i| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 01 bd 29 e6 |........... ..).| +00000030 6b be 9e 23 35 3a ab 47 92 6f 71 b3 69 82 63 7d |k..#5:.G.oq.i.c}| +00000040 43 c0 ae eb 05 8e 54 9b e9 55 ec c2 13 01 00 00 |C.....T..U......| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /| +00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.| +00000080 03 03 00 01 01 17 03 03 00 17 05 f8 de 75 03 3e |.............u.>| +00000090 8f 8d df 8d c4 31 5e 59 2b a6 26 2c 81 86 e0 93 |.....1^Y+.&,....| +000000a0 98 17 03 03 02 6d 73 67 7c 14 ba 17 23 fc f1 2e |.....msg|...#...| +000000b0 53 5b 47 58 e2 ed b3 6a 30 70 40 98 82 4b 43 0d |S[GX...j0p@..KC.| +000000c0 f6 e4 74 09 c8 08 9e a2 6d 23 3c 81 64 a9 39 e4 |..t.....m#<.d.9.| +000000d0 be cc 6e 4c f1 df 7c b1 a5 cd 91 7c e7 e0 e9 97 |..nL..|....|....| +000000e0 a3 06 20 92 7c 1c f6 e1 93 cd b2 65 ba 10 c0 54 |.. .|......e...T| +000000f0 32 89 60 7e 6f ac 29 7f df e8 ff d2 0f 0d 8a f8 |2.`~o.).........| +00000100 2a 56 fd 4a 07 27 f1 cc c1 81 fb bd 5e 33 92 34 |*V.J.'......^3.4| +00000110 24 e9 a6 7f ff 76 e4 19 82 ca b8 92 aa 98 9c ac |$....v..........| +00000120 51 25 fc 3a 74 f6 f3 36 b4 ae 00 cd d9 e0 17 c4 |Q%.:t..6........| +00000130 9f 56 67 d0 ab 22 a1 38 57 a9 58 66 b4 f8 60 0b |.Vg..".8W.Xf..`.| +00000140 20 c4 0c d0 f1 bc ce 4d 20 d2 e0 6f 1e f2 dd f0 | ......M ..o....| +00000150 14 98 5c 33 92 08 af a9 42 ec 9e 8d 6e 92 cf 87 |..\3....B...n...| +00000160 b7 79 90 18 1b 3b 78 77 1e 55 c7 68 9b 98 ae ae |.y...;xw.U.h....| +00000170 33 d8 50 b8 3d fa 6b 96 99 7a b5 ca 98 fa a9 21 |3.P.=.k..z.....!| +00000180 46 6a a1 74 bf bc 2f 51 0e 66 e2 35 2c d3 c9 3c |Fj.t../Q.f.5,..<| +00000190 06 d0 79 31 00 d2 0a 1d 77 dd da 07 3a 31 7c 51 |..y1....w...:1|Q| +000001a0 5e 53 b0 fe 55 21 1c 6c fa d2 a3 71 18 1d 8f ec |^S..U!.l...q....| +000001b0 a3 ab 89 10 19 6d 45 50 9e f8 bf aa 3a 91 3b 80 |.....mEP....:.;.| +000001c0 68 33 c0 d2 4c 10 39 b6 01 79 aa 27 a5 3e e7 59 |h3..L.9..y.'.>.Y| +000001d0 6e fa c3 16 68 7f 7e ce 05 b0 96 e9 dd 2c 4a 7b |n...h.~......,J{| +000001e0 5e 63 65 e6 6f f1 05 95 40 e3 71 15 c6 bd ec 60 |^ce.o...@.q....`| +000001f0 01 08 2b 23 d6 be c6 7f 00 aa 32 78 cb 77 d8 5c |..+#......2x.w.\| +00000200 e5 b6 b8 be 08 84 1a 47 57 b7 d8 72 27 e7 f6 08 |.......GW..r'...| +00000210 7b 8a fa d8 a6 06 15 68 cc 90 a4 fe 8e 25 5c cb |{......h.....%\.| +00000220 03 e8 ab 19 32 05 f4 88 d9 11 03 72 48 a3 a9 b2 |....2......rH...| +00000230 41 d3 60 80 d5 93 ae 18 1e 3d ed a7 ac 7f a6 eb |A.`......=......| +00000240 3c 5c 78 11 fb a6 b8 00 d6 7b 98 67 d5 fd 7c 87 |<\x......{.g..|.| +00000250 80 b9 a4 23 71 31 93 77 98 90 fc 29 95 f4 6d 09 |...#q1.w...)..m.| +00000260 87 2e 4b e7 a7 98 af 72 10 c2 dd 05 6e 60 b9 4c |..K....r....n`.L| +00000270 33 65 cf 26 fc 7d 81 cc f0 4d 83 34 11 d2 0f 13 |3e.&.}...M.4....| +00000280 7f 97 4a 12 17 44 fc 9a 32 08 de eb 5e 2a 87 d6 |..J..D..2...^*..| +00000290 ed 7f ea 2a ed e3 2d 7a ea 19 40 7c 6e a2 13 e6 |...*..-z..@|n...| +000002a0 ff 9b f6 3c ff 5e 97 9c de f8 c3 52 cb d8 d2 b0 |...<.^.....R....| +000002b0 45 45 6e 63 d4 9f bf a5 7c c8 f4 65 84 ff 62 30 |EEnc....|..e..b0| +000002c0 71 d4 65 a8 9e 43 e2 73 12 e9 d0 58 8c 1a 6e 0c |q.e..C.s...X..n.| +000002d0 2f 64 02 4d 1f 4f c0 69 d8 d5 44 97 7b 8a 09 d4 |/d.M.O.i..D.{...| +000002e0 8f 68 13 68 b9 7f 7b d8 29 b8 d7 3a 8f 78 eb 73 |.h.h..{.)..:.x.s| +000002f0 1b eb 1b 2d 7e 46 78 0b ad 89 e5 d9 69 4b 1c 46 |...-~Fx.....iK.F| +00000300 e7 13 c3 0d 54 f0 70 f8 99 60 45 78 fc a3 fc 72 |....T.p..`Ex...r| +00000310 ca 84 57 17 03 03 00 99 05 02 eb 76 1b 1a f0 aa |..W........v....| +00000320 dd 0d 91 1e 0b c1 14 1c 6f 5e 9b b3 33 8c 70 87 |........o^..3.p.| +00000330 f2 0e 1e 45 0e 36 1a 06 77 97 a1 95 cd d1 ec 3e |...E.6..w......>| +00000340 24 f9 b2 d5 47 5a c8 99 49 ca 59 bc 1d 6a 16 e7 |$...GZ..I.Y..j..| +00000350 9a 51 c8 9a f7 ab b9 e4 fe 1e 22 1f ed c8 bf 1a |.Q........".....| +00000360 8e 06 6a 07 4a c7 ef 57 f9 4a 84 1c 4b 1b 60 24 |..j.J..W.J..K.`$| +00000370 5a d7 c0 34 57 68 1c fd 3f 2a 0a 17 9a 1f 70 19 |Z..4Wh..?*....p.| +00000380 08 ff c5 33 79 4e 85 fb 8c 8d 76 6c be 8c 9c bf |...3yN....vl....| +00000390 7a ac 87 8a d1 ea d0 a4 1e 25 64 ae 63 e7 29 59 |z........%d.c.)Y| +000003a0 d8 27 88 4c e2 c7 42 9d 08 75 62 49 df fa 84 e8 |.'.L..B..ubI....| +000003b0 11 17 03 03 00 35 39 db 59 c8 ab 08 33 da 2c 19 |.....59.Y...3.,.| +000003c0 04 10 bb 18 b3 10 78 4b 2c a2 2b a2 e2 67 d1 6f |......xK,.+..g.o| +000003d0 07 9c 0b d2 e1 24 a8 ac 7b ce 77 55 7d b8 b3 9b |.....$..{.wU}...| +000003e0 82 7f bc 18 7a 61 a8 28 e2 a9 1e 17 03 03 00 8b |....za.(........| +000003f0 6e a6 11 39 b9 d7 7b a0 67 76 c2 a6 d0 e4 c4 ba |n..9..{.gv......| +00000400 a3 3d 37 bb 6d 82 5e 2e 80 e8 e6 4b 98 89 69 e9 |.=7.m.^....K..i.| +00000410 27 cb c9 83 a5 2b a4 78 00 dd 46 4d 45 f7 4e a7 |'....+.x..FME.N.| +00000420 3b c2 e1 84 5c ff af 75 25 1a 52 c4 b6 29 48 bb |;...\..u%.R..)H.| +00000430 31 30 e2 8c ac f0 e8 bd 78 26 f2 d1 d6 1e d5 3e |10......x&.....>| +00000440 6d 61 7e 80 e5 bc 81 28 e3 1f 62 40 0e 31 0b e1 |ma~....(..b@.1..| +00000450 23 1c e1 fa 32 94 c3 4e 1d 09 81 d9 b6 89 c4 9c |#...2..N........| +00000460 5e 38 85 ab 38 29 03 42 ea c0 94 d7 65 40 1f 1d |^8..8).B....e@..| +00000470 49 39 9a e9 76 92 38 2f 17 8b ee |I9..v.8/...| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 e1 c3 64 6d 3b |..........5..dm;| +00000010 7d 3c d3 c6 ee 3a f9 cc a6 29 18 3a 7b bd b1 07 |}<...:...).:{...| +00000020 01 b4 06 8d fe a0 6e 23 40 52 5a f1 a3 4c 59 0a |......n#@RZ..LY.| +00000030 ea b5 e3 7f e3 b9 0e e5 70 8a 47 a1 1e 2a 00 03 |........p.G..*..| +>>> Flow 4 (server to client) +00000000 17 03 03 00 1e 4e a9 f3 57 a0 f8 b2 0b dd 8e 90 |.....N..W.......| +00000010 61 96 d9 53 c8 69 87 65 fd f4 fb ae 55 95 0d 07 |a..S.i.e....U...| +00000020 69 e3 29 17 03 03 00 13 02 ba 24 dc 82 fc 91 9f |i.).......$.....| +00000030 91 ff b9 6e 71 8e e3 2d 2f e8 8f |...nq..-/..| diff --git a/pkg/tls/testdata/Server-TLSv13-P256 b/pkg/tls/testdata/Server-TLSv13-P256 new file mode 100644 index 000000000..c3a2ee02f --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-P256 @@ -0,0 +1,101 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 e3 01 00 00 df 03 03 18 3b 05 4d 40 |............;.M@| +00000010 41 61 2a 64 35 7a e4 a7 c2 8b ab e5 e3 90 04 6d |Aa*d5z.........m| +00000020 18 75 15 88 88 c7 af ba 05 e7 9c 20 78 e2 6d 28 |.u......... x.m(| +00000030 fb 06 f6 e8 33 cd cc ba db 53 6d 4e 28 54 ca 62 |....3....SmN(T.b| +00000040 c8 44 e3 cc 58 b5 07 ec 84 c9 e6 45 00 04 13 03 |.D..X......E....| +00000050 00 ff 01 00 00 92 00 0b 00 04 03 00 01 02 00 0a |................| +00000060 00 04 00 02 00 17 00 16 00 00 00 17 00 00 00 0d |................| +00000070 00 1e 00 1c 04 03 05 03 06 03 08 07 08 08 08 09 |................| +00000080 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 |................| +00000090 00 2b 00 03 02 03 04 00 2d 00 02 01 01 00 33 00 |.+......-.....3.| +000000a0 47 00 45 00 17 00 41 04 a1 27 f2 a0 16 66 17 e9 |G.E...A..'...f..| +000000b0 73 ff 49 d4 99 47 19 b6 c1 ea 67 ea ef fd ad 07 |s.I..G....g.....| +000000c0 c8 f4 19 e8 16 da a2 d0 bc c2 cc 58 c8 e4 d0 89 |...........X....| +000000d0 c6 75 8f ac 87 e0 d6 4a 44 fa 14 c5 d6 ac ce d8 |.u.....JD.......| +000000e0 8f 1d 5f d0 06 96 6c bb |.._...l.| +>>> Flow 2 (server to client) +00000000 16 03 03 00 9b 02 00 00 97 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 78 e2 6d 28 |........... x.m(| +00000030 fb 06 f6 e8 33 cd cc ba db 53 6d 4e 28 54 ca 62 |....3....SmN(T.b| +00000040 c8 44 e3 cc 58 b5 07 ec 84 c9 e6 45 13 03 00 00 |.D..X......E....| +00000050 4f 00 2b 00 02 03 04 00 33 00 45 00 17 00 41 04 |O.+.....3.E...A.| +00000060 1e 18 37 ef 0d 19 51 88 35 75 71 b5 e5 54 5b 12 |..7...Q.5uq..T[.| +00000070 2e 8f 09 67 fd a7 24 20 3e b2 56 1c ce 97 28 5e |...g..$ >.V...(^| +00000080 f8 2b 2d 4f 9e f1 07 9f 6c 4b 5b 83 56 e2 32 42 |.+-O....lK[.V.2B| +00000090 e9 58 b6 d7 49 a6 b5 68 1a 41 03 56 6b dc 5a 89 |.X..I..h.A.Vk.Z.| +000000a0 14 03 03 00 01 01 17 03 03 00 17 ab 5f 7d 4f ab |............_}O.| +000000b0 25 00 54 5f b7 5a f9 e3 f8 ce c1 79 9f db 25 bd |%.T_.Z.....y..%.| +000000c0 23 17 17 03 03 02 6d 2f 59 02 6a af c5 7d a1 e1 |#.....m/Y.j..}..| +000000d0 b3 f8 4d 80 c5 9f 54 2f 27 4c a0 c0 0d dd 0e b5 |..M...T/'L......| +000000e0 5b 2c a4 54 f3 25 65 aa 3e 43 fb 5b de 15 76 51 |[,.T.%e.>C.[..vQ| +000000f0 f0 5f a0 8f ce 3d 2b 27 de 0e cb af 97 65 7a 81 |._...=+'.....ez.| +00000100 a3 d2 a1 f1 44 75 04 12 41 48 b0 70 7a b7 ce ba |....Du..AH.pz...| +00000110 de b5 ba 49 a4 25 08 6c 90 cb 82 b9 74 02 cf 09 |...I.%.l....t...| +00000120 f0 83 77 a3 a4 30 ea 49 fb 61 ea 89 f6 96 b8 c1 |..w..0.I.a......| +00000130 8a 5d a6 3d f4 f8 66 9c 3f d8 66 90 b2 93 7c 5e |.].=..f.?.f...|^| +00000140 3e 9d d7 4c bc 4a 2e ef d9 d1 00 db fd 83 f3 43 |>..L.J.........C| +00000150 a4 d7 fa 84 dd 4f a4 44 2f d2 b7 4f 5e ab a2 0e |.....O.D/..O^...| +00000160 86 ab 65 8d 3c 63 a2 e4 55 ce b5 72 3f 77 e8 a7 |..e.._| +00000250 da 15 87 69 99 e1 64 2c fc 6b 07 61 9d ca 2f 8f |...i..d,.k.a../.| +00000260 b2 d4 bb a4 0e ec e2 66 eb ca aa b2 fe 91 eb 2f |.......f......./| +00000270 b0 d9 98 bb 9e 36 e1 e0 1f 89 5d cd 87 c8 28 85 |.....6....]...(.| +00000280 ef c9 4a 57 6e 45 ca 07 02 be 30 1b 74 0a e4 4d |..JWnE....0.t..M| +00000290 2c c1 77 fe 42 73 63 e6 e4 11 15 5b c4 df 40 f7 |,.w.Bsc....[..@.| +000002a0 83 b5 43 50 f2 a1 04 fe b1 0e 49 63 8c 73 ab b8 |..CP......Ic.s..| +000002b0 b4 31 d7 5e d3 50 c4 2a a8 51 2b 81 c3 80 70 22 |.1.^.P.*.Q+...p"| +000002c0 af d3 1f 36 ba b5 b3 d9 d9 49 17 8f d8 f7 a2 05 |...6.....I......| +000002d0 6d 5e 46 7b 40 be 86 58 0e 90 42 46 91 6e 0d d7 |m^F{@..X..BF.n..| +000002e0 7e f0 7f e9 5b 6e 9c d8 b5 fe 3b 8e 03 57 0a 9b |~...[n....;..W..| +000002f0 72 ee 5c 49 50 79 0e 75 8f 84 dd e8 2e 8d d6 37 |r.\IPy.u.......7| +00000300 ad a8 f4 47 a6 e4 c9 e4 3b a5 7c 7f 2a 36 c5 39 |...G....;.|.*6.9| +00000310 32 77 e1 7b a9 e7 47 b9 f2 a6 6b 75 ab 90 63 66 |2w.{..G...ku..cf| +00000320 8d 50 62 d3 76 07 65 aa 57 87 bb a6 01 fc cb 93 |.Pb.v.e.W.......| +00000330 c8 ed b8 64 17 03 03 00 99 1b b1 7a 13 30 73 85 |...d.......z.0s.| +00000340 5a a4 81 29 0b 66 58 57 93 d9 24 f9 2e f9 8d cd |Z..).fXW..$.....| +00000350 18 d7 48 16 8d d5 95 68 42 d0 c1 1d 08 6d 12 85 |..H....hB....m..| +00000360 ed 3d 0f a7 33 86 d9 92 fe 02 58 ce 74 7d 5c 04 |.=..3.....X.t}\.| +00000370 12 3d af 89 c5 83 1e cd 6b 25 3a c2 c1 50 23 9a |.=......k%:..P#.| +00000380 f7 0f 7f c4 d8 a3 a4 99 50 a0 56 81 30 09 93 db |........P.V.0...| +00000390 7a eb 51 2f 65 f3 96 95 eb be 92 c6 47 57 d4 d7 |z.Q/e.......GW..| +000003a0 cf 7c 97 19 1f 87 76 8e 41 16 af 2d 3e af 1c 1d |.|....v.A..->...| +000003b0 ee 0d 51 99 5b 59 e4 03 3c cb ad 18 a1 3a ae 18 |..Q.[Y..<....:..| +000003c0 10 f2 f0 38 8f ee a0 8a 65 fd 10 ac 64 ac a8 72 |...8....e...d..r| +000003d0 cf 54 17 03 03 00 35 bc e8 03 81 94 22 f7 a9 16 |.T....5....."...| +000003e0 0e 65 d4 7e 8d 18 58 b0 3c 18 97 35 0e 73 bf d0 |.e.~..X.<..5.s..| +000003f0 65 dc 63 d7 e6 51 f6 52 75 22 f0 cf f7 70 1e ae |e.c..Q.Ru"...p..| +00000400 cd 4c fb 1e 21 97 ea db 07 36 8a d3 17 03 03 00 |.L..!....6......| +00000410 8b 73 a1 d3 6c f8 7d d5 c0 79 dc 30 e4 40 f8 2a |.s..l.}..y.0.@.*| +00000420 60 57 69 61 b9 cb 81 9f de 74 7c c1 ee d2 bd f5 |`Wia.....t|.....| +00000430 bf 22 99 17 e3 05 25 3c 94 22 ee e6 6b 01 6a e9 |."....%<."..k.j.| +00000440 39 8b 9a 08 4e 2a a8 7d 96 ae 6d 43 25 e0 03 11 |9...N*.}..mC%...| +00000450 07 84 fb 47 fa ff 13 8f 0d a2 7e e8 a5 5d 76 e5 |...G......~..]v.| +00000460 07 10 7d 6d f4 64 d4 54 ff 45 d9 17 18 5f e2 dd |..}m.d.T.E..._..| +00000470 54 ef 32 4a 69 7c 4a 16 06 6d 21 dc 67 0a 84 33 |T.2Ji|J..m!.g..3| +00000480 13 65 86 99 0d 09 33 59 96 d8 5a 6c f4 b1 c7 8c |.e....3Y..Zl....| +00000490 fc bf 2b 8e e2 ee 63 28 62 bd 73 fb |..+...c(b.s.| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 4c 7a 0a 1d 11 |..........5Lz...| +00000010 7c 9f 98 44 c7 f6 03 8b 9f 7b b1 dc 25 18 c2 f0 ||..D.....{..%...| +00000020 17 b4 8c 83 68 11 0e 95 7e ce 9c ad 13 cb 79 63 |....h...~.....yc| +00000030 03 80 d8 59 7e 25 e9 75 95 d0 6c 40 ab f2 8b f9 |...Y~%.u..l@....| +>>> Flow 4 (server to client) +00000000 17 03 03 00 1e ce 93 89 a4 0d db 14 53 be 22 ff |............S.".| +00000010 53 1d 78 31 d3 17 c7 90 66 8d 2e e0 fe 98 e6 4b |S.x1....f......K| +00000020 ee 6d 41 17 03 03 00 13 5d b7 e7 82 68 6a 7a 71 |.mA.....]...hjzq| +00000030 32 25 34 83 c4 63 12 f5 8e ab e9 |2%4..c.....| diff --git a/pkg/tls/testdata/Server-TLSv13-RSA-RSAPSS b/pkg/tls/testdata/Server-TLSv13-RSA-RSAPSS new file mode 100644 index 000000000..1caf8316f --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-RSA-RSAPSS @@ -0,0 +1,96 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 b2 01 00 00 ae 03 03 4f 1c 96 1a 7c |...........O...|| +00000010 56 ea 59 60 5f bc 59 a4 c8 c1 ab 17 86 0b f9 d6 |V.Y`_.Y.........| +00000020 7d 15 e4 b7 01 d3 27 55 af 8d 45 20 4b 2c f9 5c |}.....'U..E K,.\| +00000030 05 ff 79 28 e6 63 7e 1f d7 10 26 07 2d ec c7 ed |..y(.c~...&.-...| +00000040 1c c2 07 f1 ac 3b e9 2d 1a 8d 71 a0 00 04 13 03 |.....;.-..q.....| +00000050 00 ff 01 00 00 61 00 0b 00 04 03 00 01 02 00 0a |.....a..........| +00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................| +00000070 00 00 00 17 00 00 00 0d 00 06 00 04 08 06 08 04 |................| +00000080 00 2b 00 03 02 03 04 00 2d 00 02 01 01 00 33 00 |.+......-.....3.| +00000090 26 00 24 00 1d 00 20 bd 6f e3 5c 82 72 3d cf 0d |&.$... .o.\.r=..| +000000a0 2e 49 d0 c9 7e cc 36 88 ff 05 ed b3 c6 f1 93 9b |.I..~.6.........| +000000b0 2a 6c 5f ca e5 eb 0f |*l_....| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 4b 2c f9 5c |........... K,.\| +00000030 05 ff 79 28 e6 63 7e 1f d7 10 26 07 2d ec c7 ed |..y(.c~...&.-...| +00000040 1c c2 07 f1 ac 3b e9 2d 1a 8d 71 a0 13 03 00 00 |.....;.-..q.....| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /| +00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.| +00000080 03 03 00 01 01 17 03 03 00 17 ce 73 37 c4 06 32 |...........s7..2| +00000090 74 c4 3d 2d 55 10 b4 ce 3f 66 fa ec 9a 8c d1 4a |t.=-U...?f.....J| +000000a0 cd 17 03 03 02 6d 6a 73 5d 98 e7 fc 37 d2 b8 5d |.....mjs]...7..]| +000000b0 2a 1c 75 80 b3 a9 ce 6e e2 d0 b5 5c 70 2b e5 c0 |*.u....n...\p+..| +000000c0 28 4e bf 8c af 5a 78 a2 bc 29 fd 60 68 f8 fa ed |(N...Zx..).`h...| +000000d0 5d 92 b2 d0 e8 69 e7 f7 1b 71 0b 30 4b c5 46 53 |]....i...q.0K.FS| +000000e0 df 73 b9 95 65 6e cd df 26 b3 2b fd 7a 41 e9 4b |.s..en..&.+.zA.K| +000000f0 8c 27 a3 d5 96 ed 44 01 9d 50 a8 39 28 f7 63 3d |.'....D..P.9(.c=| +00000100 9e b7 1c 70 bf 2c d9 c4 67 5f 4f a7 7d b1 7a 4d |...p.,..g_O.}.zM| +00000110 eb bd a3 4c 3b 0b ca 92 c4 db 21 dd 36 f2 4e ce |...L;.....!.6.N.| +00000120 17 95 25 df bc 4a 2a 82 bb 5c 12 e4 6f ab 5a 03 |..%..J*..\..o.Z.| +00000130 b7 7b 9f 8b 8e df ce c1 14 61 39 f1 8d f6 bb 90 |.{.......a9.....| +00000140 a6 3a c0 21 13 9b a0 28 f6 05 34 a1 5a c5 ed 13 |.:.!...(..4.Z...| +00000150 43 3d b6 3a 06 f8 89 ac fe 8f 71 76 58 43 32 56 |C=.:......qvXC2V| +00000160 71 5c ad 4c 19 e6 54 ba 32 49 83 c7 b6 5a a8 9d |q\.L..T.2I...Z..| +00000170 00 37 05 09 50 db c9 52 98 0d 96 03 11 22 a3 39 |.7..P..R.....".9| +00000180 75 fe a7 34 20 0e f6 9c a9 79 0f 9e 05 fc 5a 4e |u..4 ....y....ZN| +00000190 76 7c 13 0e a7 6a 1e 4a f7 ba a7 a8 18 8d 89 4a |v|...j.J.......J| +000001a0 ad 34 40 81 2c e9 07 18 ba 95 48 dd 11 e7 11 0b |.4@.,.....H.....| +000001b0 27 fe 9f 3c e6 44 72 16 89 dc 7d 8e 22 cf 4d 96 |'..<.Dr...}.".M.| +000001c0 60 3c 78 7a ed 6e a9 ba d1 c3 59 b7 a7 32 bc 44 |`C...| +00000360 41 51 24 49 1f e3 09 16 cd b6 4a db 62 ce 8f 79 |AQ$I......J.b..y| +00000370 19 6b 4d e4 e9 61 4f ef 43 31 e1 82 e3 57 32 01 |.kM..aO.C1...W2.| +00000380 58 d5 67 5f bd 5e d6 f5 b9 3c 91 65 96 49 81 b2 |X.g_.^...<.e.I..| +00000390 8c 6d a8 ba 37 2f dd 8b bc 3a 33 9a 44 8a da e7 |.m..7/...:3.D...| +000003a0 16 e1 d7 67 09 3a 3c d6 9f be bd 2b 50 d6 5d 3f |...g.:<....+P.]?| +000003b0 96 17 03 03 00 35 77 34 06 35 5c 89 77 e6 a2 f8 |.....5w4.5\.w...| +000003c0 3f b4 9e 45 ce 29 a8 f7 24 45 7c 00 36 96 f9 c4 |?..E.)..$E|.6...| +000003d0 7b 6b 29 78 9e 13 78 95 9f 21 64 cb 5f a0 f1 ef |{k)x..x..!d._...| +000003e0 3b 19 47 30 85 08 67 8f 84 b8 9c 17 03 03 00 8b |;.G0..g.........| +000003f0 af fb c3 c3 f4 33 c3 e7 52 e0 c2 1b 3d f3 7f 40 |.....3..R...=..@| +00000400 7d 33 38 8e 59 7d 3e 4f 8e 93 95 f8 9c 09 56 1b |}38.Y}>O......V.| +00000410 68 d8 0c 11 a9 e6 6a c6 ea 6c 00 1e eb 3d d1 7b |h.....j..l...=.{| +00000420 fc 1b 8e 52 69 f1 30 8c 3d 9d 3a 26 6e 9e 72 d9 |...Ri.0.=.:&n.r.| +00000430 c4 00 a1 ae 87 ca 21 fc 45 ae af 58 9f 09 38 10 |......!.E..X..8.| +00000440 94 b2 4c 58 46 da 8f fd c5 4a 60 0c ee 79 b7 6b |..LXF....J`..y.k| +00000450 5a 74 f6 b4 e6 a0 1b 0c 8f 94 d9 79 07 36 05 ea |Zt.........y.6..| +00000460 3b a3 11 ec 4a 86 b8 22 3c 94 eb da e1 d6 d4 91 |;...J.."<.......| +00000470 e7 99 af 6b 39 4a 6c ef d7 8b c7 |...k9Jl....| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 e9 ef 1b b1 01 |..........5.....| +00000010 b9 f2 6f e6 eb a0 52 01 81 f6 18 cf 28 f7 8a 09 |..o...R.....(...| +00000020 65 32 30 4b 67 1b df d5 9c 4c cb 83 11 4e 3d 7f |e20Kg....L...N=.| +00000030 d2 b8 a2 03 de 28 2d ef d0 68 b0 92 db 70 04 e2 |.....(-..h...p..| +>>> Flow 4 (server to client) +00000000 17 03 03 00 1e d8 d0 6a a0 02 0a cf 78 95 08 e1 |.......j....x...| +00000010 2f dd 6b e3 db dc 8c f7 e3 5d 6e e2 48 5d d7 2c |/.k......]n.H].,| +00000020 2c 26 7b 17 03 03 00 13 0a cd 02 95 d2 79 5a 1c |,&{..........yZ.| +00000030 8a 27 a4 90 d3 7f ff 5c f1 b9 d8 |.'.....\...| diff --git a/pkg/tls/testdata/Server-TLSv13-RSA-RSAPSS-TooSmall b/pkg/tls/testdata/Server-TLSv13-RSA-RSAPSS-TooSmall new file mode 100644 index 000000000..6d27e9074 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-RSA-RSAPSS-TooSmall @@ -0,0 +1,15 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 b0 01 00 00 ac 03 03 15 df ef fb ff |................| +00000010 00 89 4d bf 59 d2 30 f1 f3 e7 20 24 c6 06 ba a4 |..M.Y.0... $....| +00000020 28 b4 ba 3d 00 f2 18 9b 98 a3 f2 20 7e d9 d0 58 |(..=....... ~..X| +00000030 50 25 90 2d f0 af 72 66 fb f8 54 33 6e d4 2b f0 |P%.-..rf..T3n.+.| +00000040 0f 1a ea dc 9e 08 34 ed 68 a8 d8 bd 00 04 13 03 |......4.h.......| +00000050 00 ff 01 00 00 5f 00 0b 00 04 03 00 01 02 00 0a |....._..........| +00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 16 |................| +00000070 00 00 00 17 00 00 00 0d 00 04 00 02 08 06 00 2b |...............+| +00000080 00 03 02 03 04 00 2d 00 02 01 01 00 33 00 26 00 |......-.....3.&.| +00000090 24 00 1d 00 20 6e 42 98 d4 04 32 d1 21 0f 64 c9 |$... nB...2.!.d.| +000000a0 b7 f2 b2 52 6f 2b b7 b1 95 4b 57 85 7b 69 d9 63 |...Ro+...KW.{i.c| +000000b0 19 48 d2 1c 1e |.H...| +>>> Flow 2 (server to client) +00000000 15 03 03 00 02 02 28 |......(| diff --git a/pkg/tls/testdata/Server-TLSv13-Resume b/pkg/tls/testdata/Server-TLSv13-Resume new file mode 100644 index 000000000..29e41c630 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-Resume @@ -0,0 +1,59 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 01 66 01 00 01 62 03 03 45 a3 e1 2e f2 |....f...b..E....| +00000010 03 d1 82 45 cb cd fc da ae 9d 47 ce 2b fd 5a df |...E......G.+.Z.| +00000020 ad dd 7b 1a 4a 14 93 bb d1 fe f5 20 78 6c c9 94 |..{.J...... xl..| +00000030 6a b6 3e 65 97 42 9f c3 80 3c 8a 23 f5 af 6d 4b |j.>e.B...<.#..mK| +00000040 cb dc e9 93 22 bd bf b5 e6 09 0d e1 00 04 13 01 |...."...........| +00000050 00 ff 01 00 01 15 00 0b 00 04 03 00 01 02 00 0a |................| +00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 |...............#| +00000070 00 00 00 16 00 00 00 17 00 00 00 0d 00 1e 00 1c |................| +00000080 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b |................| +00000090 08 04 08 05 08 06 04 01 05 01 06 01 00 2b 00 03 |.............+..| +000000a0 02 03 04 00 2d 00 02 01 01 00 33 00 26 00 24 00 |....-.....3.&.$.| +000000b0 1d 00 20 49 31 09 86 3b 71 6b ff 6c bc 6f 40 4c |.. I1..;qk.l.o@L| +000000c0 3a 04 44 c3 83 6c 9b 1d 99 a6 10 c7 07 f9 9d 57 |:.D..l.........W| +000000d0 2d b4 59 00 29 00 94 00 6f 00 69 00 00 00 00 00 |-.Y.)...o.i.....| +000000e0 00 00 00 00 00 00 00 00 00 00 00 94 68 2d a3 82 |............h-..| +000000f0 51 ed 14 ef 68 ca 42 c5 5c 95 7a 77 9a 7a 61 99 |Q...h.B.\.zw.za.| +00000100 c6 44 1e e6 5d 71 41 c8 77 d1 d4 b6 39 bb 38 57 |.D..]qA.w...9.8W| +00000110 41 b8 41 f2 02 96 d0 b0 5b 99 76 3c 2b 52 f2 8f |A.A.....[.v<+R..| +00000120 5f 33 94 fa 66 74 cc f0 60 1b ee 0a 38 30 78 b2 |_3..ft..`...80x.| +00000130 9e 54 16 d6 71 0e b2 ea 4e 0f 13 f0 6e 63 88 e7 |.T..q...N...nc..| +00000140 9f 55 65 0b 00 00 00 00 00 21 20 21 c5 95 b2 62 |.Ue......! !...b| +00000150 61 dc b6 32 34 60 19 58 8c 6b 4b de dc 39 c7 d6 |a..24`.X.kK..9..| +00000160 82 55 c8 de 80 dc b7 05 0c be a6 |.U.........| +>>> Flow 2 (server to client) +00000000 16 03 03 00 80 02 00 00 7c 03 03 00 00 00 00 00 |........|.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 78 6c c9 94 |........... xl..| +00000030 6a b6 3e 65 97 42 9f c3 80 3c 8a 23 f5 af 6d 4b |j.>e.B...<.#..mK| +00000040 cb dc e9 93 22 bd bf b5 e6 09 0d e1 13 01 00 00 |...."...........| +00000050 34 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |4.+.....3.$... /| +00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 00 |.........._X.;t.| +00000080 29 00 02 00 00 14 03 03 00 01 01 17 03 03 00 17 |)...............| +00000090 b4 11 54 4d 78 28 66 53 0f fd c8 7c d5 1c 1d b2 |..TMx(fS...|....| +000000a0 06 31 23 27 a4 70 b2 17 03 03 00 35 86 87 b6 21 |.1#'.p.....5...!| +000000b0 1c db f6 8c 4f ae 46 26 27 23 5d 1f 41 1d 42 94 |....O.F&'#].A.B.| +000000c0 68 32 e5 49 19 e9 bc ba 4e 0a e2 71 7e 31 d2 a0 |h2.I....N..q~1..| +000000d0 c2 24 b3 a9 3d 26 a5 eb c9 44 09 03 7a 14 54 5d |.$..=&...D..z.T]| +000000e0 8f 17 03 03 00 8b fd cd ed ac c5 f2 7c 99 66 85 |............|.f.| +000000f0 e6 0c 3b 9d ca a2 fb 22 69 fc 40 61 3a 98 f2 db |..;...."i.@a:...| +00000100 84 7b d9 70 06 7f 00 20 53 cb ce 27 f1 93 fd 01 |.{.p... S..'....| +00000110 fb 0d 32 61 0d 04 93 d3 53 94 a4 37 ed a6 6e 5c |..2a....S..7..n\| +00000120 2f 9a 9a a9 1b b2 26 1d 24 9f 78 05 53 1d aa 40 |/.....&.$.x.S..@| +00000130 bb 3f 27 29 ac 56 97 d7 f8 a8 77 e9 d4 b3 c0 43 |.?').V....w....C| +00000140 a8 27 12 0f 13 fd 62 27 01 54 90 b5 66 fd d8 41 |.'....b'.T..f..A| +00000150 a0 3a 5f b5 eb 53 25 83 f0 35 65 b2 7b f7 c6 a1 |.:_..S%..5e.{...| +00000160 47 20 c5 91 00 69 b4 28 32 3c 55 8d 34 b9 ab b7 |G ...i.(2>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 fb 04 e7 9f ad |..........5.....| +00000010 51 52 7e 72 61 46 df d0 80 5b 1a f3 ce 78 9e ae |QR~raF...[...x..| +00000020 f8 cb 08 7e 2b 45 e9 f6 20 10 e0 99 4f 1a 62 51 |...~+E.. ...O.bQ| +00000030 4f b6 d4 2a 5e b8 04 2b 09 06 4a 03 c4 01 ca bf |O..*^..+..J.....| +>>> Flow 4 (server to client) +00000000 17 03 03 00 1e 5c c3 b1 a5 d9 f3 a7 0b 48 b6 1f |.....\.......H..| +00000010 73 ca d2 f5 07 6c e5 37 e9 b0 5f 87 a4 59 0d da |s....l.7.._..Y..| +00000020 e2 3f ee 17 03 03 00 13 06 d0 6c 12 91 3c 0d cf |.?........l..<..| +00000030 d2 0f 7f 74 e6 26 79 87 cf 76 71 |...t.&y..vq| diff --git a/pkg/tls/testdata/Server-TLSv13-Resume-HelloRetryRequest b/pkg/tls/testdata/Server-TLSv13-Resume-HelloRetryRequest new file mode 100644 index 000000000..8896455f9 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-Resume-HelloRetryRequest @@ -0,0 +1,94 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 01 60 01 00 01 5c 03 03 c6 2c d1 55 71 |....`...\...,.Uq| +00000010 9a 6b 02 54 cb 33 30 34 5f 22 2a bc 96 df 2e d3 |.k.T.304_"*.....| +00000020 43 9c 9a be c9 93 b9 e1 9f 42 74 20 5d a2 d5 2d |C........Bt ]..-| +00000030 d6 9f 76 0c 14 dd e0 d3 71 a6 44 6a bc 3c ff a5 |..v.....q.Dj.<..| +00000040 97 49 56 e0 3f 5b 47 87 31 83 1f 80 00 04 13 01 |.IV.?[G.1.......| +00000050 00 ff 01 00 01 0f 00 0b 00 04 03 00 01 02 00 0a |................| +00000060 00 06 00 04 00 1d 00 17 00 23 00 00 00 16 00 00 |.........#......| +00000070 00 17 00 00 00 0d 00 1e 00 1c 04 03 05 03 06 03 |................| +00000080 08 07 08 08 08 09 08 0a 08 0b 08 04 08 05 08 06 |................| +00000090 04 01 05 01 06 01 00 2b 00 03 02 03 04 00 2d 00 |.......+......-.| +000000a0 02 01 01 00 33 00 26 00 24 00 1d 00 20 8e a4 3b |....3.&.$... ..;| +000000b0 ae a1 3e 4f be 70 12 25 be 4d 07 59 da dc 08 4c |..>O.p.%.M.Y...L| +000000c0 53 e3 f3 15 b0 99 6f 5a 2d 16 30 e6 37 00 29 00 |S.....oZ-.0.7.).| +000000d0 94 00 6f 00 69 00 00 00 00 00 00 00 00 00 00 00 |..o.i...........| +000000e0 00 00 00 00 00 94 68 2d a3 82 51 ed 14 ef 68 ca |......h-..Q...h.| +000000f0 42 c5 5c 95 7a 77 9a 7a 61 99 c6 44 1e e6 5d 71 |B.\.zw.za..D..]q| +00000100 41 c8 77 d1 d4 b6 39 bb 38 57 41 b8 41 f2 02 96 |A.w...9.8WA.A...| +00000110 d0 b0 5b 99 76 3c 2b 52 f2 8f 5f 33 94 fa 66 74 |..[.v<+R.._3..ft| +00000120 cc f0 60 1b ee 0a 38 30 78 b2 9e 54 16 d6 71 0e |..`...80x..T..q.| +00000130 b2 ea 4e 0f 13 f0 6e 63 88 e7 9f 55 65 0b 00 00 |..N...nc...Ue...| +00000140 00 00 00 21 20 f1 10 27 87 e9 eb 1d b9 5f 0e f4 |...! ..'....._..| +00000150 67 e3 19 b6 52 b4 1a 9f b7 68 0c 4e 25 42 3a 78 |g...R....h.N%B:x| +00000160 91 e1 9d 62 f4 |...b.| +>>> Flow 2 (server to client) +00000000 16 03 03 00 58 02 00 00 54 03 03 cf 21 ad 74 e5 |....X...T...!.t.| +00000010 9a 61 11 be 1d 8c 02 1e 65 b8 91 c2 a2 11 16 7a |.a......e......z| +00000020 bb 8c 5e 07 9e 09 e2 c8 a8 33 9c 20 5d a2 d5 2d |..^......3. ]..-| +00000030 d6 9f 76 0c 14 dd e0 d3 71 a6 44 6a bc 3c ff a5 |..v.....q.Dj.<..| +00000040 97 49 56 e0 3f 5b 47 87 31 83 1f 80 13 01 00 00 |.IV.?[G.1.......| +00000050 0c 00 2b 00 02 03 04 00 33 00 02 00 17 14 03 03 |..+.....3.......| +00000060 00 01 01 |...| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 16 03 03 01 81 01 00 01 7d 03 |..............}.| +00000010 03 c6 2c d1 55 71 9a 6b 02 54 cb 33 30 34 5f 22 |..,.Uq.k.T.304_"| +00000020 2a bc 96 df 2e d3 43 9c 9a be c9 93 b9 e1 9f 42 |*.....C........B| +00000030 74 20 5d a2 d5 2d d6 9f 76 0c 14 dd e0 d3 71 a6 |t ]..-..v.....q.| +00000040 44 6a bc 3c ff a5 97 49 56 e0 3f 5b 47 87 31 83 |Dj.<...IV.?[G.1.| +00000050 1f 80 00 04 13 01 00 ff 01 00 01 30 00 0b 00 04 |...........0....| +00000060 03 00 01 02 00 0a 00 06 00 04 00 1d 00 17 00 23 |...............#| +00000070 00 00 00 16 00 00 00 17 00 00 00 0d 00 1e 00 1c |................| +00000080 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b |................| +00000090 08 04 08 05 08 06 04 01 05 01 06 01 00 2b 00 03 |.............+..| +000000a0 02 03 04 00 2d 00 02 01 01 00 33 00 47 00 45 00 |....-.....3.G.E.| +000000b0 17 00 41 04 ef 92 7c 5c e3 0d 1b 5c 8f 56 a2 93 |..A...|\...\.V..| +000000c0 62 86 e4 5d ea 0b 63 1e e1 ea db 85 a0 28 68 89 |b..]..c......(h.| +000000d0 07 47 d6 18 b0 6e db c2 3c 7d b4 7e a3 cb 54 25 |.G...n..<}.~..T%| +000000e0 73 9f f6 d1 83 c1 2e 67 2a db ec 4a 09 9e 20 cf |s......g*..J.. .| +000000f0 3f 8b 5d 9d 00 29 00 94 00 6f 00 69 00 00 00 00 |?.]..)...o.i....| +00000100 00 00 00 00 00 00 00 00 00 00 00 00 94 68 2d a3 |.............h-.| +00000110 82 51 ed 14 ef 68 ca 42 c5 5c 95 7a 77 9a 7a 61 |.Q...h.B.\.zw.za| +00000120 99 c6 44 1e e6 5d 71 41 c8 77 d1 d4 b6 39 bb 38 |..D..]qA.w...9.8| +00000130 57 41 b8 41 f2 02 96 d0 b0 5b 99 76 3c 2b 52 f2 |WA.A.....[.v<+R.| +00000140 8f 5f 33 94 fa 66 74 cc f0 60 1b ee 0a 38 30 78 |._3..ft..`...80x| +00000150 b2 9e 54 16 d6 71 0e b2 ea 4e 0f 13 f0 6e 63 88 |..T..q...N...nc.| +00000160 e7 9f 55 65 0b 00 00 00 00 00 21 20 fa ea cb 6c |..Ue......! ...l| +00000170 87 dc 71 c9 d3 b8 c5 6b d2 4d a7 dd 01 6c f0 26 |..q....k.M...l.&| +00000180 c6 bd 6a ce e8 37 5b a9 d3 ac 87 2d |..j..7[....-| +>>> Flow 4 (server to client) +00000000 16 03 03 00 a1 02 00 00 9d 03 03 00 00 00 00 00 |................| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 5d a2 d5 2d |........... ]..-| +00000030 d6 9f 76 0c 14 dd e0 d3 71 a6 44 6a bc 3c ff a5 |..v.....q.Dj.<..| +00000040 97 49 56 e0 3f 5b 47 87 31 83 1f 80 13 01 00 00 |.IV.?[G.1.......| +00000050 55 00 2b 00 02 03 04 00 33 00 45 00 17 00 41 04 |U.+.....3.E...A.| +00000060 1e 18 37 ef 0d 19 51 88 35 75 71 b5 e5 54 5b 12 |..7...Q.5uq..T[.| +00000070 2e 8f 09 67 fd a7 24 20 3e b2 56 1c ce 97 28 5e |...g..$ >.V...(^| +00000080 f8 2b 2d 4f 9e f1 07 9f 6c 4b 5b 83 56 e2 32 42 |.+-O....lK[.V.2B| +00000090 e9 58 b6 d7 49 a6 b5 68 1a 41 03 56 6b dc 5a 89 |.X..I..h.A.Vk.Z.| +000000a0 00 29 00 02 00 00 17 03 03 00 17 47 b9 2a 97 3d |.).........G.*.=| +000000b0 84 f9 65 f5 cf 27 b3 52 6d 2d 49 9d c1 c4 ea 14 |..e..'.Rm-I.....| +000000c0 d5 dc 17 03 03 00 35 21 4d a1 eb 9f 49 63 35 99 |......5!M...Ic5.| +000000d0 a3 85 ce 3a 40 cf 53 29 e6 d5 59 d5 26 12 78 c6 |...:@.S)..Y.&.x.| +000000e0 be 01 c9 a2 f2 3d ba f9 ad 80 a1 f4 78 08 71 5e |.....=......x.q^| +000000f0 04 7c df 80 0f 2d 5d e4 be 50 74 31 17 03 03 00 |.|...-]..Pt1....| +00000100 8b 90 1a fd 79 a1 b9 08 4d db 32 01 6d 36 be 1a |....y...M.2.m6..| +00000110 3f a8 b3 c7 5b 7b b1 f0 5d 55 67 ed af 87 50 16 |?...[{..]Ug...P.| +00000120 ad d9 f1 af d2 3c 18 83 52 d5 3b e3 6d 7e ab 9a |.....<..R.;.m~..| +00000130 33 cd 2c e7 f4 18 84 3a db 8b 73 d2 89 45 39 cf |3.,....:..s..E9.| +00000140 f0 19 78 ab 20 b6 81 3c 3b b5 55 2c c1 6d 6f d8 |..x. ..<;.U,.mo.| +00000150 52 1f 90 b5 ed eb e3 0c 35 40 16 ff f3 15 06 4e |R.......5@.....N| +00000160 7e 98 3b f7 43 f9 98 80 84 36 1c 63 a0 3c 4b 57 |~.;.C....6.c.>> Flow 5 (client to server) +00000000 17 03 03 00 35 dc 6e fd 7a 4f d5 b9 d5 d8 71 b7 |....5.n.zO....q.| +00000010 14 b1 cb 86 5b e0 01 b1 75 ff 33 a3 42 36 bf fc |....[...u.3.B6..| +00000020 98 cc 15 c6 27 b2 57 1b ce f0 b7 93 15 52 29 77 |....'.W......R)w| +00000030 9e fe d2 4e fe 05 d3 a5 f7 01 |...N......| +>>> Flow 6 (server to client) +00000000 17 03 03 00 1e 70 33 b5 fd 3d b0 d6 e4 54 9b 15 |.....p3..=...T..| +00000010 f9 d5 2e 12 4a ce d2 ba b2 5d fe 92 ab d0 26 da |....J....]....&.| +00000020 7c 0b 9e 17 03 03 00 13 ba a1 6a a9 db 16 2d cf ||.........j...-.| +00000030 7e 54 77 8b 0a 6e 7d 31 fc dd 5e |~Tw..n}1..^| diff --git a/pkg/tls/testdata/Server-TLSv13-ResumeDisabled b/pkg/tls/testdata/Server-TLSv13-ResumeDisabled new file mode 100644 index 000000000..9f14b602b --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-ResumeDisabled @@ -0,0 +1,99 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 01 6e 01 00 01 6a 03 03 0f 31 f0 17 d6 |....n...j...1...| +00000010 3e ee f6 b9 14 05 57 cb 41 0b a4 6a 2f 70 9e 69 |>.....W.A..j/p.i| +00000020 09 2a eb ec 9a f4 47 61 09 43 09 20 d2 5d cf 57 |.*....Ga.C. .].W| +00000030 b8 81 3c a5 0a 77 50 0a c3 88 79 7a dc d0 2f 8a |..<..wP...yz../.| +00000040 08 ea 5f 53 54 a6 ff 43 d2 03 55 0e 00 04 13 01 |.._ST..C..U.....| +00000050 00 ff 01 00 01 1d 00 0b 00 04 03 00 01 02 00 0a |................| +00000060 00 0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 |...............#| +00000070 00 00 00 16 00 00 00 17 00 00 00 0d 00 1e 00 1c |................| +00000080 04 03 05 03 06 03 08 07 08 08 08 09 08 0a 08 0b |................| +00000090 08 04 08 05 08 06 04 01 05 01 06 01 00 2b 00 03 |.............+..| +000000a0 02 03 04 00 2d 00 02 01 01 00 33 00 26 00 24 00 |....-.....3.&.$.| +000000b0 1d 00 20 b4 ef 07 d4 1b 0e a1 42 ee f1 f3 84 3e |.. .......B....>| +000000c0 9f fe bb a6 af 59 9d 04 96 03 1b 43 1a b8 f7 7f |.....Y.....C....| +000000d0 44 64 60 00 29 00 9c 00 77 00 71 50 46 ad c1 db |Dd`.)...w.qPF...| +000000e0 a8 38 86 7b 2b bb fd d0 c3 42 3e 00 00 00 00 00 |.8.{+....B>.....| +000000f0 00 00 00 00 00 00 00 00 00 00 00 94 68 2c a3 82 |............h,..| +00000100 51 ed 14 ef 68 ca 42 c5 5c 90 6b 88 83 a9 b3 63 |Q...h.B.\.k....c| +00000110 7c 1c 04 ce dd be 5a 26 ef 4e 37 52 ea 9a 45 6b ||.....Z&.N7R..Ek| +00000120 ea 89 a5 26 7d c3 ea 67 db 99 76 3c e5 52 89 d0 |...&}..g..v<.R..| +00000130 4b 46 41 2e 62 5c ce a8 2e 9a 67 e9 52 f0 40 d2 |KFA.b\....g.R.@.| +00000140 f1 0e ab 02 0f 54 c8 0b 5e 91 8f 8b 00 00 00 00 |.....T..^.......| +00000150 00 21 20 e0 71 35 06 a0 30 9f bf 5a 6e f3 14 fd |.! .q5..0..Zn...| +00000160 34 0b 6d d5 36 08 82 8f d0 79 cc f3 74 7c a9 a5 |4.m.6....y..t|..| +00000170 c3 81 27 |..'| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 d2 5d cf 57 |........... .].W| +00000030 b8 81 3c a5 0a 77 50 0a c3 88 79 7a dc d0 2f 8a |..<..wP...yz../.| +00000040 08 ea 5f 53 54 a6 ff 43 d2 03 55 0e 13 01 00 00 |.._ST..C..U.....| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /| +00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.| +00000080 03 03 00 01 01 17 03 03 00 17 df 85 83 6b 9d e0 |.............k..| +00000090 8d b4 da b1 f2 c7 ff c1 13 33 d4 53 b8 92 bf 83 |.........3.S....| +000000a0 6c 17 03 03 02 6d 6b 0f f6 15 41 46 aa 92 06 af |l....mk...AF....| +000000b0 c9 a2 73 c5 31 64 c1 cd 3a e5 e6 9a d9 04 f4 01 |..s.1d..:.......| +000000c0 d5 0e d6 30 e2 7a 6d 0c 23 d5 4b b1 70 58 c8 ca |...0.zm.#.K.pX..| +000000d0 5d 1f c9 7c 76 f8 f9 90 b0 f6 05 f6 85 d2 10 b6 |]..|v...........| +000000e0 bb b1 49 07 8a ba 9b d8 1a f4 48 18 f5 c5 90 f1 |..I.......H.....| +000000f0 a7 24 cd 3b ab 2f 49 28 fa 3c 64 80 50 a6 38 d9 |.$.;./I(..H2..| +00000170 37 13 08 f2 cc cb bb f5 55 d5 7d 97 5e 6a df 11 |7.......U.}.^j..| +00000180 33 fd 34 65 99 c2 40 7b a3 7a 04 92 63 ad 19 9d |3.4e..@{.z..c...| +00000190 02 2a 6f d1 c8 f7 e1 d1 0f a1 c3 5b 81 70 b0 e5 |.*o........[.p..| +000001a0 97 a4 b2 76 c5 9b 55 f5 da 2d 53 d2 49 4b a7 6a |...v..U..-S.IK.j| +000001b0 0f 0f c8 d6 a5 00 83 52 fb 12 c6 6b 98 51 a3 4e |.......R...k.Q.N| +000001c0 86 39 ab 7e 76 1f 31 b5 5e 50 53 1b 21 af 7f a0 |.9.~v.1.^PS.!...| +000001d0 b9 3c cf 59 19 c7 c8 b6 ef d7 4f e5 ea 5e bc 67 |.<.Y......O..^.g| +000001e0 00 47 97 50 85 15 54 19 eb de b8 11 0e 39 9a b0 |.G.P..T......9..| +000001f0 be cd db d9 53 88 9c 78 e8 b9 5e 12 4b 30 63 d5 |....S..x..^.K0c.| +00000200 eb 48 d1 d4 95 94 58 61 9c 53 ad 97 bd 45 3a 09 |.H....Xa.S...E:.| +00000210 d0 83 a7 ba 8c 64 87 42 b7 e1 fa 1b 32 58 8b de |.....d.B....2X..| +00000220 70 34 34 6d fb 0f a0 27 c3 8b 69 61 43 30 24 b2 |p44m...'..iaC0$.| +00000230 32 4b ca 6c 0b ea f7 4b df e5 5f 3d 06 ea 0d 31 |2K.l...K.._=...1| +00000240 4a c6 19 44 61 a1 5b 45 ee 9b ea 69 42 8f 35 86 |J..Da.[E...iB.5.| +00000250 09 c7 83 51 32 e6 7b 45 bb fb 11 1f 4d 3f b8 10 |...Q2.{E....M?..| +00000260 6a 0c 52 4c fd 20 62 0f 75 26 8a 65 67 e9 7e 56 |j.RL. b.u&.eg.~V| +00000270 f4 ed 01 67 9e 27 0d 39 98 b4 97 44 50 f6 26 11 |...g.'.9...DP.&.| +00000280 3c e4 40 17 5c f1 eb 85 1f 13 f9 8d 22 66 2d 2e |<.@.\......."f-.| +00000290 3b f8 eb 08 7d df f6 ba 7b ec 15 34 04 e2 6d aa |;...}...{..4..m.| +000002a0 e2 1c 5a e6 e8 4f 00 0c 07 1b dd 6e 07 03 ed 6d |..Z..O.....n...m| +000002b0 df c0 7d ed 05 84 bb ad 0c 1f df 8b 8d 0a ad 33 |..}............3| +000002c0 90 38 44 db 8a 32 9f 9d b3 ae 2e 92 d6 ab d3 25 |.8D..2.........%| +000002d0 12 32 2d 6e a9 17 0d c9 f9 79 25 17 f0 62 1b 91 |.2-n.....y%..b..| +000002e0 ad d5 2d ec 0d ea cd c4 86 77 04 92 ab a8 8d ea |..-......w......| +000002f0 ce fc 13 7b a0 ca 32 96 50 49 99 dd 25 d7 73 93 |...{..2.PI..%.s.| +00000300 f2 00 72 ca 31 07 fd 7e 12 8a 8b 76 51 4e fe 30 |..r.1..~...vQN.0| +00000310 4d 5c 65 17 03 03 00 99 5b 19 25 c3 5a 4d f0 bd |M\e.....[.%.ZM..| +00000320 71 0e 48 63 61 bb 55 6b d3 26 81 25 cf ea 45 e6 |q.Hca.Uk.&.%..E.| +00000330 52 e4 4e c9 5a a8 c2 e2 72 97 51 8a 38 c6 8d 27 |R.N.Z...r.Q.8..'| +00000340 8d df 09 ce 37 87 a6 41 cb c4 bd 6d 19 ef 56 1a |....7..A...m..V.| +00000350 e8 79 df ad 76 9e a6 92 e3 da b3 a6 0d 9f 6f 6f |.y..v.........oo| +00000360 3f 76 0b 62 b4 cf 2c 5b 24 65 bd c1 90 bb 88 ec |?v.b..,[$e......| +00000370 8b 0c 7d 6b 42 38 26 78 62 5c b0 21 74 95 5f fe |..}kB8&xb\.!t._.| +00000380 68 7d 31 8c 5f f5 dc a4 f0 23 6b 75 be 70 ea b3 |h}1._....#ku.p..| +00000390 19 cc 83 9b 8a f6 cb cc 04 2e 66 b5 77 bb 11 68 |..........f.w..h| +000003a0 56 85 0c b1 b8 b1 4e ed ca bd ea 3c 91 38 8a 63 |V.....N....<.8.c| +000003b0 f3 17 03 03 00 35 06 2f 99 10 0c 41 cf 70 d2 aa |.....5./...A.p..| +000003c0 f9 74 e7 3a cb bb 77 1c e6 5c bf f9 3f 02 df af |.t.:..w..\..?...| +000003d0 ba 08 fa f7 42 60 ad de 65 62 2e 54 5f 35 90 4f |....B`..eb.T_5.O| +000003e0 9c b1 34 3d 5d f5 6e 04 d8 5a 50 |..4=].n..ZP| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 7e dc fc 3f 66 |..........5~..?f| +00000010 cb ed 57 e3 5c 83 19 22 31 18 cb eb d5 b8 d2 3c |..W.\.."1......<| +00000020 6c 10 1f be 5c 04 cf 88 6b ec 04 3d aa 0d 15 68 |l...\...k..=...h| +00000030 e4 42 bb c9 86 12 ef f7 90 c4 f5 41 39 56 62 d0 |.B.........A9Vb.| +>>> Flow 4 (server to client) +00000000 17 03 03 00 1e ee b9 1c 7b 56 61 76 91 40 90 11 |........{Vav.@..| +00000010 61 4a 0c 46 60 e2 c1 a7 dd 0c a1 0d da 65 98 3e |aJ.F`........e.>| +00000020 30 62 98 17 03 03 00 13 27 7a 29 e5 53 f1 9b 41 |0b......'z).S..A| +00000030 7a 19 ec cd 29 0e 04 57 90 59 7e |z...)..W.Y~| diff --git a/pkg/tls/testdata/Server-TLSv13-X25519 b/pkg/tls/testdata/Server-TLSv13-X25519 new file mode 100644 index 000000000..62cd23bf2 --- /dev/null +++ b/pkg/tls/testdata/Server-TLSv13-X25519 @@ -0,0 +1,97 @@ +>>> Flow 1 (client to server) +00000000 16 03 01 00 c2 01 00 00 be 03 03 c1 f4 f0 72 fe |..............r.| +00000010 b9 17 c8 9e 71 08 cf 40 80 1a 11 06 68 dc de 21 |....q..@....h..!| +00000020 14 fe e2 2f 6e 55 cf 9b 83 87 dd 20 63 a3 3f 38 |.../nU..... c.?8| +00000030 4c 26 be 3c c0 2e e0 e0 5d 49 1b 92 45 6b 82 a9 |L&.<....]I..Ek..| +00000040 10 ae c0 e4 65 b0 ce 48 75 5f 5b 12 00 04 13 03 |....e..Hu_[.....| +00000050 00 ff 01 00 00 71 00 0b 00 04 03 00 01 02 00 0a |.....q..........| +00000060 00 04 00 02 00 1d 00 16 00 00 00 17 00 00 00 0d |................| +00000070 00 1e 00 1c 04 03 05 03 06 03 08 07 08 08 08 09 |................| +00000080 08 0a 08 0b 08 04 08 05 08 06 04 01 05 01 06 01 |................| +00000090 00 2b 00 03 02 03 04 00 2d 00 02 01 01 00 33 00 |.+......-.....3.| +000000a0 26 00 24 00 1d 00 20 3e 7f 8c d5 2f 42 d2 cd 67 |&.$... >.../B..g| +000000b0 24 07 69 fe 7e d0 3e 70 24 e4 62 aa 19 d6 c2 00 |$.i.~.>p$.b.....| +000000c0 5c 0d 25 10 5f 36 09 |\.%._6.| +>>> Flow 2 (server to client) +00000000 16 03 03 00 7a 02 00 00 76 03 03 00 00 00 00 00 |....z...v.......| +00000010 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| +00000020 00 00 00 00 00 00 00 00 00 00 00 20 63 a3 3f 38 |........... c.?8| +00000030 4c 26 be 3c c0 2e e0 e0 5d 49 1b 92 45 6b 82 a9 |L&.<....]I..Ek..| +00000040 10 ae c0 e4 65 b0 ce 48 75 5f 5b 12 13 03 00 00 |....e..Hu_[.....| +00000050 2e 00 2b 00 02 03 04 00 33 00 24 00 1d 00 20 2f |..+.....3.$... /| +00000060 e5 7d a3 47 cd 62 43 15 28 da ac 5f bb 29 07 30 |.}.G.bC.(.._.).0| +00000070 ff f6 84 af c4 cf c2 ed 90 99 5f 58 cb 3b 74 14 |.........._X.;t.| +00000080 03 03 00 01 01 17 03 03 00 17 4f 52 70 18 74 9c |..........ORp.t.| +00000090 40 4e b0 5a 7a bc aa b0 b9 22 70 b1 90 9c 04 ef |@N.Zz...."p.....| +000000a0 e7 17 03 03 02 6d a8 7e 5a 4a 5f 3d 97 f2 74 93 |.....m.~ZJ_=..t.| +000000b0 ce 75 f5 be 0f 2e c4 58 d6 91 4d fb 9f 80 56 3c |.u.....X..M...V<| +000000c0 9c d8 ea 20 2e f7 ce 34 80 af 47 0f 41 3f f9 2f |... ...4..G.A?./| +000000d0 23 c1 94 9e de 51 43 c5 1e 31 98 e6 15 33 63 64 |#....QC..1...3cd| +000000e0 22 39 87 83 87 66 d0 9e 85 2a b2 62 5e fd 50 ec |"9...f...*.b^.P.| +000000f0 0f d0 ec dd d4 75 57 0d 3f 7e a3 a4 40 f7 67 d2 |.....uW.?~..@.g.| +00000100 22 ba 5f a1 38 0b ea 8e 7d 95 43 70 52 0f b0 5f |"._.8...}.CpR.._| +00000110 ef 26 5a 52 a6 94 b4 69 89 e9 0e 4f f5 d8 60 1b |.&ZR...i...O..`.| +00000120 d3 6a fd 74 8d 19 ce 6a 72 f1 c1 96 f9 86 66 3b |.j.t...jr.....f;| +00000130 2b 38 b3 e3 76 4b fd 4a 82 3e f2 2c bc 4c 19 d7 |+8..vK.J.>.,.L..| +00000140 7a 62 21 3e 7c 41 ff 23 87 66 81 79 f0 ad a1 3e |zb!>|A.#.f.y...>| +00000150 c2 e9 f3 ba 38 3a b5 ad 49 f3 ae 70 71 0a af d2 |....8:..I..pq...| +00000160 f3 ae 70 df fd 93 8c 3d ca bd 8c 86 39 c9 9c d4 |..p....=....9...| +00000170 a9 a8 37 04 92 9b 0a 4e 8d 43 96 3d a4 b5 e0 5d |..7....N.C.=...]| +00000180 18 b1 03 32 0a b5 f2 e6 8c ca 1d ff cf 39 b7 00 |...2.........9..| +00000190 5a 5a 1a 3d de 75 17 84 12 a4 f1 08 9d b3 ae 56 |ZZ.=.u.........V| +000001a0 9d e9 af 30 67 64 fb 13 9a de 2e ba 03 ee 52 4c |...0gd........RL| +000001b0 4f 85 f3 1b fc d0 ef 75 1a 31 99 d9 89 74 41 9d |O......u.1...tA.| +000001c0 c8 96 48 49 f5 f3 ca 8c 6f 08 67 2a d1 b5 05 19 |..HI....o.g*....| +000001d0 13 6b 0b 4c 87 f8 00 ab 83 70 4e bb 7e c7 f3 1e |.k.L.....pN.~...| +000001e0 ba 83 4b 7f 65 c2 42 8d 00 b1 3e 3d f8 4d c3 7a |..K.e.B...>=.M.z| +000001f0 b9 af 68 dc 0d 24 7a a6 41 15 16 db fb 57 99 68 |..h..$z.A....W.h| +00000200 a9 35 77 40 6a 45 94 d3 e0 03 8d 41 86 d5 51 c6 |.5w@jE.....A..Q.| +00000210 05 27 c5 56 97 30 41 44 26 18 e0 0f 93 cc f2 5e |.'.V.0AD&......^| +00000220 f1 35 35 0f 54 25 51 23 78 37 39 80 d9 c2 e8 54 |.55.T%Q#x79....T| +00000230 79 16 e0 e0 36 cf f1 8b 23 fa 67 46 66 e0 25 0e |y...6...#.gFf.%.| +00000240 25 33 c4 52 93 ac 12 e0 8e f9 e8 c9 ec e7 f8 e6 |%3.R............| +00000250 09 81 c1 d1 89 33 24 a3 c6 c7 27 6c 3b c8 b7 4f |.....3$...'l;..O| +00000260 8a 14 ed 58 a7 5f ba fc cc 4f 6b eb ff c2 60 68 |...X._...Ok...`h| +00000270 41 9c 4b b6 34 10 a6 8f f8 3c 47 2f 39 75 86 03 |A.K.4.....<...| +00000290 66 3c 9c c9 6b 32 3f ea bd 5d 4d 75 e5 4b 88 93 |f<..k2?..]Mu.K..| +000002a0 1f 47 73 3b 55 8a e0 e4 7e e5 2f dc 2d d4 f6 c0 |.Gs;U...~./.-...| +000002b0 3a b4 e4 72 b2 5a 0d d1 10 28 3f 61 73 96 94 d0 |:..r.Z...(?as...| +000002c0 fb 26 83 95 0e 7a 47 6d 75 d4 f4 ad cc 3e 8f 4c |.&...zGmu....>.L| +000002d0 3b 95 83 61 40 4f 3e 82 58 d0 ca 7f 1d 9a e3 86 |;..a@O>.X.......| +000002e0 48 53 1f 5d 35 9d 1e 46 c2 4b 70 53 60 1e 1d 04 |HS.]5..F.KpS`...| +000002f0 9c 5b 6a f2 0b fc 4d 04 a6 38 85 b8 f1 06 cd 40 |.[j...M..8.....@| +00000300 bb 73 fa bf 75 21 70 93 31 83 8d 8a a4 b3 4a 2f |.s..u!p.1.....J/| +00000310 45 f0 b2 17 03 03 00 99 eb ae 23 e6 63 22 52 ac |E.........#.c"R.| +00000320 2b 69 05 9d 7d b3 c6 b6 1f 5b 00 7c fb 67 1b af |+i..}....[.|.g..| +00000330 42 38 40 ea ca bb dc 7d 92 94 dd ed 1a 20 65 8a |B8@....}..... e.| +00000340 5c a3 5c 28 9f 10 8b 11 61 bb 0a 56 5a ef ec 7a |\.\(....a..VZ..z| +00000350 50 b5 2d 67 62 77 80 dc ee a6 cd f3 09 ff 8f d8 |P.-gbw..........| +00000360 ff 6d d8 47 95 58 cf 2b e7 b0 f8 26 61 58 35 a3 |.m.G.X.+...&aX5.| +00000370 07 4d 2f 99 5d 33 6b e8 ac 6a 14 ef 2c 57 9a e3 |.M/.]3k..j..,W..| +00000380 b7 1b bf d6 bf b8 6a 29 4a 74 0d 15 91 90 c3 4a |......j)Jt.....J| +00000390 40 13 8c 52 e6 67 d6 de 6c d8 4e 35 20 d3 0b e6 |@..R.g..l.N5 ...| +000003a0 36 58 4e 79 3a 03 f0 bc 34 1b 3e 7e e3 ad d8 e3 |6XNy:...4.>~....| +000003b0 58 17 03 03 00 35 ba 6d a2 40 3a cb 43 80 cb af |X....5.m.@:.C...| +000003c0 df 8f 2c 0d 20 53 f5 13 06 6b 0b e8 e7 36 31 4b |..,. S...k...61K| +000003d0 19 ad 86 5e 39 2e 52 5a d9 86 f4 64 0e 8c 9a d5 |...^9.RZ...d....| +000003e0 9a a2 c1 81 65 1e da 05 28 8a 36 17 03 03 00 8b |....e...(.6.....| +000003f0 48 2d b0 5b 7e 39 95 b2 6a de 46 53 fb ba 7b 12 |H-.[~9..j.FS..{.| +00000400 26 a1 1a b0 24 c0 8c c3 77 e1 0e 09 1c 5f 6a 7b |&...$...w...._j{| +00000410 03 0b 3d 92 77 81 b1 97 22 0f 6e cd 04 97 28 79 |..=.w...".n...(y| +00000420 eb 88 3d 7b 20 93 0b 67 df 32 2e bb 38 13 8f 28 |..={ ..g.2..8..(| +00000430 c1 b8 2c 22 75 42 01 b8 50 2c 20 30 91 0d e5 a0 |..,"uB..P, 0....| +00000440 5c dd 5b 53 c6 30 fd b4 a5 f7 e9 6f 49 61 70 32 |\.[S.0.....oIap2| +00000450 7f fd bb 08 c4 93 e8 e2 0a f6 7d 0f e8 94 22 fe |..........}...".| +00000460 af b7 b6 4a 35 d1 63 6c bd ce 1e 72 63 ca 05 7c |...J5.cl...rc..|| +00000470 64 4d ae 94 28 b2 15 b5 71 16 77 |dM..(...q.w| +>>> Flow 3 (client to server) +00000000 14 03 03 00 01 01 17 03 03 00 35 97 9f be 06 f2 |..........5.....| +00000010 96 ae fa 11 e0 23 2b 6a b0 2e f5 e9 fc 10 b2 36 |.....#+j.......6| +00000020 dc 62 b0 70 1e 42 e3 c5 ce c8 f7 a7 cb 1b c6 3b |.b.p.B.........;| +00000030 59 23 d0 10 be f5 f0 1e 38 f4 63 bd 36 28 24 eb |Y#......8.c.6($.| +>>> Flow 4 (server to client) +00000000 17 03 03 00 1e 05 1b a2 f1 4b 74 46 76 1b 23 77 |.........KtFv.#w| +00000010 79 df f1 67 bf e9 39 f3 b7 56 76 ba fa 4f 30 49 |y..g..9..Vv..O0I| +00000020 18 7b 52 17 03 03 00 13 ef 66 20 67 cb 74 a9 b6 |.{R......f g.t..| +00000030 93 6f cc a3 9e d5 f2 7d 81 10 71 |.o.....}..q| diff --git a/pkg/tls/testdata/example-cert.pem b/pkg/tls/testdata/example-cert.pem new file mode 100644 index 000000000..e0bf7db58 --- /dev/null +++ b/pkg/tls/testdata/example-cert.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBhTCCASugAwIBAgIQIRi6zePL6mKjOipn+dNuaTAKBggqhkjOPQQDAjASMRAw +DgYDVQQKEwdBY21lIENvMB4XDTE3MTAyMDE5NDMwNloXDTE4MTAyMDE5NDMwNlow +EjEQMA4GA1UEChMHQWNtZSBDbzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABD0d +7VNhbWvZLWPuj/RtHFjvtJBEwOkhbN/BnnE8rnZR8+sbwnc/KhCk3FhnpHZnQz7B +5aETbbIgmuvewdjvSBSjYzBhMA4GA1UdDwEB/wQEAwICpDATBgNVHSUEDDAKBggr +BgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MCkGA1UdEQQiMCCCDmxvY2FsaG9zdDo1 +NDUzgg4xMjcuMC4wLjE6NTQ1MzAKBggqhkjOPQQDAgNIADBFAiEA2zpJEPQyz6/l +Wf86aX6PepsntZv2GYlA5UpabfT2EZICICpJ5h/iI+i341gBmLiAFQOyTDT+/wQc +6MF9+Yw1Yy0t +-----END CERTIFICATE----- diff --git a/pkg/tls/testdata/example-key.pem b/pkg/tls/testdata/example-key.pem new file mode 100644 index 000000000..104fb099f --- /dev/null +++ b/pkg/tls/testdata/example-key.pem @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIIrYSSNQFaA2Hwf1duRSxKtLYX5CB04fSeQ6tF1aY/PuoAoGCCqGSM49 +AwEHoUQDQgAEPR3tU2Fta9ktY+6P9G0cWO+0kETA6SFs38GecTyudlHz6xvCdz8q +EKTcWGekdmdDPsHloRNtsiCa697B2O9IFA== +-----END EC PRIVATE KEY----- diff --git a/pkg/tls/ticket.go b/pkg/tls/ticket.go new file mode 100644 index 000000000..b71e3afdb --- /dev/null +++ b/pkg/tls/ticket.go @@ -0,0 +1,421 @@ +// Copyright 2012 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "crypto/aes" + "crypto/cipher" + "crypto/hmac" + "crypto/sha256" + "crypto/subtle" + "crypto/x509" + "errors" + "io" + + "golang.org/x/crypto/cryptobyte" +) + +// A SessionState is a resumable session. +type SessionState struct { + // Encoded as a SessionState (in the language of RFC 8446, Section 3). + // + // enum { server(1), client(2) } SessionStateType; + // + // opaque Certificate<1..2^24-1>; + // + // Certificate CertificateChain<0..2^24-1>; + // + // opaque Extra<0..2^24-1>; + // + // struct { + // uint16 version; + // SessionStateType type; + // uint16 cipher_suite; + // uint64 created_at; + // opaque secret<1..2^8-1>; + // Extra extra<0..2^24-1>; + // uint8 ext_master_secret = { 0, 1 }; + // uint8 early_data = { 0, 1 }; + // CertificateEntry certificate_list<0..2^24-1>; + // CertificateChain verified_chains<0..2^24-1>; /* excluding leaf */ + // select (SessionState.early_data) { + // case 0: Empty; + // case 1: opaque alpn<1..2^8-1>; + // }; + // select (SessionState.type) { + // case server: Empty; + // case client: struct { + // select (SessionState.version) { + // case VersionTLS10..VersionTLS12: Empty; + // case VersionTLS13: struct { + // uint64 use_by; + // uint32 age_add; + // }; + // }; + // }; + // }; + // } SessionState; + // + + // Extra is ignored by crypto/tls, but is encoded by [SessionState.Bytes] + // and parsed by [ParseSessionState]. + // + // This allows [Config.UnwrapSession]/[Config.WrapSession] and + // [ClientSessionCache] implementations to store and retrieve additional + // data alongside this session. + // + // To allow different layers in a protocol stack to share this field, + // applications must only append to it, not replace it, and must use entries + // that can be recognized even if out of order (for example, by starting + // with an id and version prefix). + Extra [][]byte + + // EarlyData indicates whether the ticket can be used for 0-RTT in a QUIC + // connection. The application may set this to false if it is true to + // decline to offer 0-RTT even if supported. + EarlyData bool + + version uint16 + isClient bool + cipherSuite uint16 + // createdAt is the generation time of the secret on the sever (which for + // TLS 1.0–1.2 might be earlier than the current session) and the time at + // which the ticket was received on the client. + createdAt uint64 // seconds since UNIX epoch + secret []byte // master secret for TLS 1.2, or the PSK for TLS 1.3 + extMasterSecret bool + peerCertificates []*x509.Certificate + activeCertHandles []*activeCert + ocspResponse []byte + scts [][]byte + verifiedChains [][]*x509.Certificate + alpnProtocol string // only set if EarlyData is true + + // Client-side TLS 1.3-only fields. + useBy uint64 // seconds since UNIX epoch + ageAdd uint32 +} + +// Bytes encodes the session, including any private fields, so that it can be +// parsed by [ParseSessionState]. The encoding contains secret values critical +// to the security of future and possibly past sessions. +// +// The specific encoding should be considered opaque and may change incompatibly +// between Go versions. +func (s *SessionState) Bytes() ([]byte, error) { + var b cryptobyte.Builder + b.AddUint16(s.version) + if s.isClient { + b.AddUint8(2) // client + } else { + b.AddUint8(1) // server + } + b.AddUint16(s.cipherSuite) + addUint64(&b, s.createdAt) + b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(s.secret) + }) + b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { + for _, extra := range s.Extra { + b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(extra) + }) + } + }) + if s.extMasterSecret { + b.AddUint8(1) + } else { + b.AddUint8(0) + } + if s.EarlyData { + b.AddUint8(1) + } else { + b.AddUint8(0) + } + marshalCertificate(&b, Certificate{ + Certificate: certificatesToBytesSlice(s.peerCertificates), + OCSPStaple: s.ocspResponse, + SignedCertificateTimestamps: s.scts, + }) + b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { + for _, chain := range s.verifiedChains { + b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { + // We elide the first certificate because it's always the leaf. + if len(chain) == 0 { + b.SetError(errors.New("tls: internal error: empty verified chain")) + return + } + for _, cert := range chain[1:] { + b.AddUint24LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes(cert.Raw) + }) + } + }) + } + }) + if s.EarlyData { + b.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) { + b.AddBytes([]byte(s.alpnProtocol)) + }) + } + if s.isClient { + if s.version >= VersionTLS13 { + addUint64(&b, s.useBy) + b.AddUint32(s.ageAdd) + } + } + return b.Bytes() +} + +func certificatesToBytesSlice(certs []*x509.Certificate) [][]byte { + s := make([][]byte, 0, len(certs)) + for _, c := range certs { + s = append(s, c.Raw) + } + return s +} + +// ParseSessionState parses a [SessionState] encoded by [SessionState.Bytes]. +func ParseSessionState(data []byte) (*SessionState, error) { + ss := &SessionState{} + s := cryptobyte.String(data) + var typ, extMasterSecret, earlyData uint8 + var cert Certificate + var extra cryptobyte.String + if !s.ReadUint16(&ss.version) || + !s.ReadUint8(&typ) || + (typ != 1 && typ != 2) || + !s.ReadUint16(&ss.cipherSuite) || + !readUint64(&s, &ss.createdAt) || + !readUint8LengthPrefixed(&s, &ss.secret) || + !s.ReadUint24LengthPrefixed(&extra) || + !s.ReadUint8(&extMasterSecret) || + !s.ReadUint8(&earlyData) || + len(ss.secret) == 0 || + !unmarshalCertificate(&s, &cert) { + return nil, errors.New("tls: invalid session encoding") + } + for !extra.Empty() { + var e []byte + if !readUint24LengthPrefixed(&extra, &e) { + return nil, errors.New("tls: invalid session encoding") + } + ss.Extra = append(ss.Extra, e) + } + switch extMasterSecret { + case 0: + ss.extMasterSecret = false + case 1: + ss.extMasterSecret = true + default: + return nil, errors.New("tls: invalid session encoding") + } + switch earlyData { + case 0: + ss.EarlyData = false + case 1: + ss.EarlyData = true + default: + return nil, errors.New("tls: invalid session encoding") + } + for _, cert := range cert.Certificate { + c, err := globalCertCache.newCert(cert) + if err != nil { + return nil, err + } + ss.activeCertHandles = append(ss.activeCertHandles, c) + ss.peerCertificates = append(ss.peerCertificates, c.cert) + } + ss.ocspResponse = cert.OCSPStaple + ss.scts = cert.SignedCertificateTimestamps + var chainList cryptobyte.String + if !s.ReadUint24LengthPrefixed(&chainList) { + return nil, errors.New("tls: invalid session encoding") + } + for !chainList.Empty() { + var certList cryptobyte.String + if !chainList.ReadUint24LengthPrefixed(&certList) { + return nil, errors.New("tls: invalid session encoding") + } + var chain []*x509.Certificate + if len(ss.peerCertificates) == 0 { + return nil, errors.New("tls: invalid session encoding") + } + chain = append(chain, ss.peerCertificates[0]) + for !certList.Empty() { + var cert []byte + if !readUint24LengthPrefixed(&certList, &cert) { + return nil, errors.New("tls: invalid session encoding") + } + c, err := globalCertCache.newCert(cert) + if err != nil { + return nil, err + } + ss.activeCertHandles = append(ss.activeCertHandles, c) + chain = append(chain, c.cert) + } + ss.verifiedChains = append(ss.verifiedChains, chain) + } + if ss.EarlyData { + var alpn []byte + if !readUint8LengthPrefixed(&s, &alpn) { + return nil, errors.New("tls: invalid session encoding") + } + ss.alpnProtocol = string(alpn) + } + if isClient := typ == 2; !isClient { + if !s.Empty() { + return nil, errors.New("tls: invalid session encoding") + } + return ss, nil + } + ss.isClient = true + if len(ss.peerCertificates) == 0 { + return nil, errors.New("tls: no server certificates in client session") + } + if ss.version < VersionTLS13 { + if !s.Empty() { + return nil, errors.New("tls: invalid session encoding") + } + return ss, nil + } + if !s.ReadUint64(&ss.useBy) || !s.ReadUint32(&ss.ageAdd) || !s.Empty() { + return nil, errors.New("tls: invalid session encoding") + } + return ss, nil +} + +// sessionState returns a partially filled-out [SessionState] with information +// from the current connection. +func (c *Conn) sessionState() (*SessionState, error) { + return &SessionState{ + version: c.vers, + cipherSuite: c.cipherSuite, + createdAt: uint64(c.config.time().Unix()), + alpnProtocol: c.clientProtocol, + peerCertificates: c.peerCertificates, + activeCertHandles: c.activeCertHandles, + ocspResponse: c.ocspResponse, + scts: c.scts, + isClient: c.isClient, + extMasterSecret: c.extMasterSecret, + verifiedChains: c.verifiedChains, + }, nil +} + +// EncryptTicket encrypts a ticket with the [Config]'s configured (or default) +// session ticket keys. It can be used as a [Config.WrapSession] implementation. +func (c *Config) EncryptTicket(cs ConnectionState, ss *SessionState) ([]byte, error) { + ticketKeys := c.ticketKeys(nil) + stateBytes, err := ss.Bytes() + if err != nil { + return nil, err + } + return c.encryptTicket(stateBytes, ticketKeys) +} + +func (c *Config) encryptTicket(state []byte, ticketKeys []ticketKey) ([]byte, error) { + if len(ticketKeys) == 0 { + return nil, errors.New("tls: internal error: session ticket keys unavailable") + } + + encrypted := make([]byte, aes.BlockSize+len(state)+sha256.Size) + iv := encrypted[:aes.BlockSize] + ciphertext := encrypted[aes.BlockSize : len(encrypted)-sha256.Size] + authenticated := encrypted[:len(encrypted)-sha256.Size] + macBytes := encrypted[len(encrypted)-sha256.Size:] + + if _, err := io.ReadFull(c.rand(), iv); err != nil { + return nil, err + } + key := ticketKeys[0] + block, err := aes.NewCipher(key.aesKey[:]) + if err != nil { + return nil, errors.New("tls: failed to create cipher while encrypting ticket: " + err.Error()) + } + cipher.NewCTR(block, iv).XORKeyStream(ciphertext, state) + + mac := hmac.New(sha256.New, key.hmacKey[:]) + mac.Write(authenticated) + mac.Sum(macBytes[:0]) + + return encrypted, nil +} + +// DecryptTicket decrypts a ticket encrypted by [Config.EncryptTicket]. It can +// be used as a [Config.UnwrapSession] implementation. +// +// If the ticket can't be decrypted or parsed, DecryptTicket returns (nil, nil). +func (c *Config) DecryptTicket(identity []byte, cs ConnectionState) (*SessionState, error) { + ticketKeys := c.ticketKeys(nil) + stateBytes := c.decryptTicket(identity, ticketKeys) + if stateBytes == nil { + return nil, nil + } + s, err := ParseSessionState(stateBytes) + if err != nil { + return nil, nil // drop unparsable tickets on the floor + } + return s, nil +} + +func (c *Config) decryptTicket(encrypted []byte, ticketKeys []ticketKey) []byte { + if len(encrypted) < aes.BlockSize+sha256.Size { + return nil + } + + iv := encrypted[:aes.BlockSize] + ciphertext := encrypted[aes.BlockSize : len(encrypted)-sha256.Size] + authenticated := encrypted[:len(encrypted)-sha256.Size] + macBytes := encrypted[len(encrypted)-sha256.Size:] + + for _, key := range ticketKeys { + mac := hmac.New(sha256.New, key.hmacKey[:]) + mac.Write(authenticated) + expected := mac.Sum(nil) + + if subtle.ConstantTimeCompare(macBytes, expected) != 1 { + continue + } + + block, err := aes.NewCipher(key.aesKey[:]) + if err != nil { + return nil + } + plaintext := make([]byte, len(ciphertext)) + cipher.NewCTR(block, iv).XORKeyStream(plaintext, ciphertext) + + return plaintext + } + + return nil +} + +// ClientSessionState contains the state needed by a client to +// resume a previous TLS session. +type ClientSessionState struct { + ticket []byte + session *SessionState +} + +// ResumptionState returns the session ticket sent by the server (also known as +// the session's identity) and the state necessary to resume this session. +// +// It can be called by [ClientSessionCache.Put] to serialize (with +// [SessionState.Bytes]) and store the session. +func (cs *ClientSessionState) ResumptionState() (ticket []byte, state *SessionState, err error) { + return cs.ticket, cs.session, nil +} + +// NewResumptionState returns a state value that can be returned by +// [ClientSessionCache.Get] to resume a previous session. +// +// state needs to be returned by [ParseSessionState], and the ticket and session +// state must have been returned by [ClientSessionState.ResumptionState]. +func NewResumptionState(ticket []byte, state *SessionState) (*ClientSessionState, error) { + return &ClientSessionState{ + ticket: ticket, session: state, + }, nil +} diff --git a/pkg/tls/ticket_test.go b/pkg/tls/ticket_test.go new file mode 100644 index 000000000..f925451ce --- /dev/null +++ b/pkg/tls/ticket_test.go @@ -0,0 +1,8 @@ +// Copyright 2023 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +var _ = &Config{WrapSession: (&Config{}).EncryptTicket} +var _ = &Config{UnwrapSession: (&Config{}).DecryptTicket} diff --git a/pkg/tls/tls.go b/pkg/tls/tls.go new file mode 100644 index 000000000..89d039f5f --- /dev/null +++ b/pkg/tls/tls.go @@ -0,0 +1,355 @@ +// Copyright 2009 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +// Package tls partially implements TLS 1.2, as specified in RFC 5246, +// and TLS 1.3, as specified in RFC 8446. +package tls + +// BUG(agl): The crypto/tls package only implements some countermeasures +// against Lucky13 attacks on CBC-mode encryption, and only on SHA1 +// variants. See http://www.isg.rhul.ac.uk/tls/TLStiming.pdf and +// https://www.imperialviolet.org/2013/02/04/luckythirteen.html. + +import ( + "bytes" + "crypto" + "crypto/ecdsa" + "crypto/ed25519" + "crypto/rsa" + "crypto/x509" + "encoding/pem" + "errors" + "fmt" + "net" + "os" + "strings" +) + +// Server returns a new TLS server side connection +// using conn as the underlying transport. +// The configuration config must be non-nil and must include +// at least one certificate or else set GetCertificate. +func Server(conn net.Conn, config *Config) *Conn { + c := &Conn{ + conn: conn, + config: config, + } + c.handshakeFn = c.serverHandshake + return c +} + +// Client returns a new TLS client side connection +// using conn as the underlying transport. +// The config cannot be nil: users must set either ServerName or +// InsecureSkipVerify in the config. +func Client(conn net.Conn, config *Config) *Conn { + c := &Conn{ + conn: conn, + config: config, + isClient: true, + } + c.handshakeFn = c.clientHandshake + return c +} + +// A listener implements a network listener (net.Listener) for TLS connections. +type listener struct { + net.Listener + config *Config +} + +// Accept waits for and returns the next incoming TLS connection. +// The returned connection is of type *Conn. +func (l *listener) Accept() (net.Conn, error) { + c, err := l.Listener.Accept() + if err != nil { + return nil, err + } + return Server(c, l.config), nil +} + +// NewListener creates a Listener which accepts connections from an inner +// Listener and wraps each connection with [Server]. +// The configuration config must be non-nil and must include +// at least one certificate or else set GetCertificate. +func NewListener(inner net.Listener, config *Config) net.Listener { + l := new(listener) + l.Listener = inner + l.config = config + return l +} + +// Listen creates a TLS listener accepting connections on the +// given network address using net.Listen. +// The configuration config must be non-nil and must include +// at least one certificate or else set GetCertificate. +func Listen(network, laddr string, config *Config) (net.Listener, error) { + if config == nil || len(config.Certificates) == 0 && + config.GetCertificate == nil && config.GetConfigForClient == nil { + return nil, errors.New("tls: neither Certificates, GetCertificate, nor GetConfigForClient set in Config") + } + l, err := net.Listen(network, laddr) + if err != nil { + return nil, err + } + return NewListener(l, config), nil +} + +type timeoutError struct{} + +func (timeoutError) Error() string { return "tls: DialWithDialer timed out" } +func (timeoutError) Timeout() bool { return true } +func (timeoutError) Temporary() bool { return true } + +// DialWithDialer connects to the given network address using dialer.Dial and +// then initiates a TLS handshake, returning the resulting TLS connection. Any +// timeout or deadline given in the dialer apply to connection and TLS +// handshake as a whole. +// +// DialWithDialer interprets a nil configuration as equivalent to the zero +// configuration; see the documentation of [Config] for the defaults. +// +// DialWithDialer uses context.Background internally; to specify the context, +// use [Dialer.DialContext] with NetDialer set to the desired dialer. +//func DialWithDialer(dialer *net.Dialer, network, addr string, config *Config) (*Conn, error) { +// return dial(context.Background(), dialer, network, addr, config) +//} +// +//func dial(ctx context.Context, netDialer *net.Dialer, network, addr string, config *Config) (*Conn, error) { +// if netDialer.Timeout != 0 { +// var cancel context.CancelFunc +// ctx, cancel = context.WithTimeout(ctx, netDialer.Timeout) +// defer cancel() +// } +// +// if !netDialer.Deadline.IsZero() { +// var cancel context.CancelFunc +// ctx, cancel = context.WithDeadline(ctx, netDialer.Deadline) +// defer cancel() +// } +// +// rawConn, err := netDialer.DialContext(ctx, network, addr) +// if err != nil { +// return nil, err +// } +// +// colonPos := strings.LastIndex(addr, ":") +// if colonPos == -1 { +// colonPos = len(addr) +// } +// hostname := addr[:colonPos] +// +// if config == nil { +// config = defaultConfig() +// } +// // If no ServerName is set, infer the ServerName +// // from the hostname we're connecting to. +// if config.ServerName == "" { +// // Make a copy to avoid polluting argument or default. +// c := config.Clone() +// c.ServerName = hostname +// config = c +// } +// +// conn := Client(rawConn, config) +// if err := conn.HandshakeContext(ctx); err != nil { +// rawConn.Close() +// return nil, err +// } +// return conn, nil +//} +// +//// Dial connects to the given network address using net.Dial +//// and then initiates a TLS handshake, returning the resulting +//// TLS connection. +//// Dial interprets a nil configuration as equivalent to +//// the zero configuration; see the documentation of Config +//// for the defaults. +//func Dial(network, addr string, config *Config) (*Conn, error) { +// return DialWithDialer(new(net.Dialer), network, addr, config) +//} +// +//// Dialer dials TLS connections given a configuration and a Dialer for the +//// underlying connection. +//type Dialer struct { +// // NetDialer is the optional dialer to use for the TLS connections' +// // underlying TCP connections. +// // A nil NetDialer is equivalent to the net.Dialer zero value. +// NetDialer *net.Dialer +// +// // Config is the TLS configuration to use for new connections. +// // A nil configuration is equivalent to the zero +// // configuration; see the documentation of Config for the +// // defaults. +// Config *Config +//} +// +//// Dial connects to the given network address and initiates a TLS +//// handshake, returning the resulting TLS connection. +//// +//// The returned [Conn], if any, will always be of type *[Conn]. +//// +//// Dial uses context.Background internally; to specify the context, +//// use [Dialer.DialContext]. +//func (d *Dialer) Dial(network, addr string) (net.Conn, error) { +// return d.DialContext(context.Background(), network, addr) +//} +// +//func (d *Dialer) netDialer() *net.Dialer { +// if d.NetDialer != nil { +// return d.NetDialer +// } +// return new(net.Dialer) +//} +// +//// DialContext connects to the given network address and initiates a TLS +//// handshake, returning the resulting TLS connection. +//// +//// The provided Context must be non-nil. If the context expires before +//// the connection is complete, an error is returned. Once successfully +//// connected, any expiration of the context will not affect the +//// connection. +//// +//// The returned [Conn], if any, will always be of type *[Conn]. +//func (d *Dialer) DialContext(ctx context.Context, network, addr string) (net.Conn, error) { +// c, err := dial(ctx, d.netDialer(), network, addr, d.Config) +// if err != nil { +// // Don't return c (a typed nil) in an interface. +// return nil, err +// } +// return c, nil +//} + +// LoadX509KeyPair reads and parses a public/private key pair from a pair +// of files. The files must contain PEM encoded data. The certificate file +// may contain intermediate certificates following the leaf certificate to +// form a certificate chain. On successful return, Certificate.Leaf will +// be nil because the parsed form of the certificate is not retained. +func LoadX509KeyPair(certFile, keyFile string) (Certificate, error) { + certPEMBlock, err := os.ReadFile(certFile) + if err != nil { + return Certificate{}, err + } + keyPEMBlock, err := os.ReadFile(keyFile) + if err != nil { + return Certificate{}, err + } + return X509KeyPair(certPEMBlock, keyPEMBlock) +} + +// X509KeyPair parses a public/private key pair from a pair of +// PEM encoded data. On successful return, Certificate.Leaf will be nil because +// the parsed form of the certificate is not retained. +func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (Certificate, error) { + fail := func(err error) (Certificate, error) { return Certificate{}, err } + + var cert Certificate + var skippedBlockTypes []string + for { + var certDERBlock *pem.Block + certDERBlock, certPEMBlock = pem.Decode(certPEMBlock) + if certDERBlock == nil { + break + } + if certDERBlock.Type == "CERTIFICATE" { + cert.Certificate = append(cert.Certificate, certDERBlock.Bytes) + } else { + skippedBlockTypes = append(skippedBlockTypes, certDERBlock.Type) + } + } + + if len(cert.Certificate) == 0 { + if len(skippedBlockTypes) == 0 { + return fail(errors.New("tls: failed to find any PEM data in certificate input")) + } + if len(skippedBlockTypes) == 1 && strings.HasSuffix(skippedBlockTypes[0], "PRIVATE KEY") { + return fail(errors.New("tls: failed to find certificate PEM data in certificate input, but did find a private key; PEM inputs may have been switched")) + } + return fail(fmt.Errorf("tls: failed to find \"CERTIFICATE\" PEM block in certificate input after skipping PEM blocks of the following types: %v", skippedBlockTypes)) + } + + skippedBlockTypes = skippedBlockTypes[:0] + var keyDERBlock *pem.Block + for { + keyDERBlock, keyPEMBlock = pem.Decode(keyPEMBlock) + if keyDERBlock == nil { + if len(skippedBlockTypes) == 0 { + return fail(errors.New("tls: failed to find any PEM data in key input")) + } + if len(skippedBlockTypes) == 1 && skippedBlockTypes[0] == "CERTIFICATE" { + return fail(errors.New("tls: found a certificate rather than a key in the PEM for the private key")) + } + return fail(fmt.Errorf("tls: failed to find PEM block with type ending in \"PRIVATE KEY\" in key input after skipping PEM blocks of the following types: %v", skippedBlockTypes)) + } + if keyDERBlock.Type == "PRIVATE KEY" || strings.HasSuffix(keyDERBlock.Type, " PRIVATE KEY") { + break + } + skippedBlockTypes = append(skippedBlockTypes, keyDERBlock.Type) + } + + // We don't need to parse the public key for TLS, but we so do anyway + // to check that it looks sane and matches the private key. + x509Cert, err := x509.ParseCertificate(cert.Certificate[0]) + if err != nil { + return fail(err) + } + + cert.PrivateKey, err = parsePrivateKey(keyDERBlock.Bytes) + if err != nil { + return fail(err) + } + + switch pub := x509Cert.PublicKey.(type) { + case *rsa.PublicKey: + priv, ok := cert.PrivateKey.(*rsa.PrivateKey) + if !ok { + return fail(errors.New("tls: private key type does not match public key type")) + } + if pub.N.Cmp(priv.N) != 0 { + return fail(errors.New("tls: private key does not match public key")) + } + case *ecdsa.PublicKey: + priv, ok := cert.PrivateKey.(*ecdsa.PrivateKey) + if !ok { + return fail(errors.New("tls: private key type does not match public key type")) + } + if pub.X.Cmp(priv.X) != 0 || pub.Y.Cmp(priv.Y) != 0 { + return fail(errors.New("tls: private key does not match public key")) + } + case ed25519.PublicKey: + priv, ok := cert.PrivateKey.(ed25519.PrivateKey) + if !ok { + return fail(errors.New("tls: private key type does not match public key type")) + } + if !bytes.Equal(priv.Public().(ed25519.PublicKey), pub) { + return fail(errors.New("tls: private key does not match public key")) + } + default: + return fail(errors.New("tls: unknown public key algorithm")) + } + + return cert, nil +} + +// Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates +// PKCS #1 private keys by default, while OpenSSL 1.0.0 generates PKCS #8 keys. +// OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three. +func parsePrivateKey(der []byte) (crypto.PrivateKey, error) { + if key, err := x509.ParsePKCS1PrivateKey(der); err == nil { + return key, nil + } + if key, err := x509.ParsePKCS8PrivateKey(der); err == nil { + switch key := key.(type) { + case *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey: + return key, nil + default: + return nil, errors.New("tls: found unknown private key type in PKCS#8 wrapping") + } + } + if key, err := x509.ParseECPrivateKey(der); err == nil { + return key, nil + } + + return nil, errors.New("tls: failed to parse private key") +} diff --git a/pkg/tls/tls_test.go b/pkg/tls/tls_test.go new file mode 100644 index 000000000..42a0272f0 --- /dev/null +++ b/pkg/tls/tls_test.go @@ -0,0 +1,1807 @@ +// Copyright 2012 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package tls + +import ( + "bytes" + "context" + "crypto" + "crypto/x509" + "encoding/json" + "errors" + "fmt" + "internal/testenv" + "io" + "math" + "net" + "os" + "reflect" + "sort" + "strings" + "testing" + "time" +) + +var rsaCertPEM = `-----BEGIN CERTIFICATE----- +MIIB0zCCAX2gAwIBAgIJAI/M7BYjwB+uMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQwHhcNMTIwOTEyMjE1MjAyWhcNMTUwOTEyMjE1MjAyWjBF +MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50 +ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANLJ +hPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wok/4xIA+ui35/MmNa +rtNuC+BdZ1tMuVCPFZcCAwEAAaNQME4wHQYDVR0OBBYEFJvKs8RfJaXTH08W+SGv +zQyKn0H8MB8GA1UdIwQYMBaAFJvKs8RfJaXTH08W+SGvzQyKn0H8MAwGA1UdEwQF +MAMBAf8wDQYJKoZIhvcNAQEFBQADQQBJlffJHybjDGxRMqaRmDhX0+6v02TUKZsW +r5QuVbpQhH6u+0UgcW0jp9QwpxoPTLTWGXEWBBBurxFwiCBhkQ+V +-----END CERTIFICATE----- +` + +var rsaKeyPEM = testingKey(`-----BEGIN RSA TESTING KEY----- +MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo +k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G +6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N +MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW +SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T +xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi +D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g== +-----END RSA TESTING KEY----- +`) + +// keyPEM is the same as rsaKeyPEM, but declares itself as just +// "PRIVATE KEY", not "RSA PRIVATE KEY". https://golang.org/issue/4477 +var keyPEM = testingKey(`-----BEGIN TESTING KEY----- +MIIBOwIBAAJBANLJhPHhITqQbPklG3ibCVxwGMRfp/v4XqhfdQHdcVfHap6NQ5Wo +k/4xIA+ui35/MmNartNuC+BdZ1tMuVCPFZcCAwEAAQJAEJ2N+zsR0Xn8/Q6twa4G +6OB1M1WO+k+ztnX/1SvNeWu8D6GImtupLTYgjZcHufykj09jiHmjHx8u8ZZB/o1N +MQIhAPW+eyZo7ay3lMz1V01WVjNKK9QSn1MJlb06h/LuYv9FAiEA25WPedKgVyCW +SmUwbPw8fnTcpqDWE3yTO3vKcebqMSsCIBF3UmVue8YU3jybC3NxuXq3wNm34R8T +xVLHwDXh/6NJAiEAl2oHGGLz64BuAfjKrqwz7qMYr9HCLIe/YsoWq/olzScCIQDi +D2lWusoe2/nEqfDVVWGWlyJ7yOmqaVm/iNUN9B2N2g== +-----END TESTING KEY----- +`) + +var ecdsaCertPEM = `-----BEGIN CERTIFICATE----- +MIIB/jCCAWICCQDscdUxw16XFDAJBgcqhkjOPQQBMEUxCzAJBgNVBAYTAkFVMRMw +EQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0 +eSBMdGQwHhcNMTIxMTE0MTI0MDQ4WhcNMTUxMTE0MTI0MDQ4WjBFMQswCQYDVQQG +EwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lk +Z2l0cyBQdHkgTHRkMIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQBY9+my9OoeSUR +lDQdV/x8LsOuLilthhiS1Tz4aGDHIPwC1mlvnf7fg5lecYpMCrLLhauAc1UJXcgl +01xoLuzgtAEAgv2P/jgytzRSpUYvgLBt1UA0leLYBy6mQQbrNEuqT3INapKIcUv8 +XxYP0xMEUksLPq6Ca+CRSqTtrd/23uTnapkwCQYHKoZIzj0EAQOBigAwgYYCQXJo +A7Sl2nLVf+4Iu/tAX/IF4MavARKC4PPHK3zfuGfPR3oCCcsAoz3kAzOeijvd0iXb +H5jBImIxPL4WxQNiBTexAkF8D1EtpYuWdlVQ80/h/f4pBcGiXPqX5h2PQSQY7hP1 ++jwM1FGS4fREIOvlBYr/SzzQRtwrvrzGYxDEDbsC0ZGRnA== +-----END CERTIFICATE----- +` + +var ecdsaKeyPEM = testingKey(`-----BEGIN EC PARAMETERS----- +BgUrgQQAIw== +-----END EC PARAMETERS----- +-----BEGIN EC TESTING KEY----- +MIHcAgEBBEIBrsoKp0oqcv6/JovJJDoDVSGWdirrkgCWxrprGlzB9o0X8fV675X0 +NwuBenXFfeZvVcwluO7/Q9wkYoPd/t3jGImgBwYFK4EEACOhgYkDgYYABAFj36bL +06h5JRGUNB1X/Hwuw64uKW2GGJLVPPhoYMcg/ALWaW+d/t+DmV5xikwKssuFq4Bz +VQldyCXTXGgu7OC0AQCC/Y/+ODK3NFKlRi+AsG3VQDSV4tgHLqZBBus0S6pPcg1q +kohxS/xfFg/TEwRSSws+roJr4JFKpO2t3/be5OdqmQ== +-----END EC TESTING KEY----- +`) + +var keyPairTests = []struct { + algo string + cert string + key string +}{ + {"ECDSA", ecdsaCertPEM, ecdsaKeyPEM}, + {"RSA", rsaCertPEM, rsaKeyPEM}, + {"RSA-untyped", rsaCertPEM, keyPEM}, // golang.org/issue/4477 +} + +func TestX509KeyPair(t *testing.T) { + t.Parallel() + var pem []byte + for _, test := range keyPairTests { + pem = []byte(test.cert + test.key) + if _, err := X509KeyPair(pem, pem); err != nil { + t.Errorf("Failed to load %s cert followed by %s key: %s", test.algo, test.algo, err) + } + pem = []byte(test.key + test.cert) + if _, err := X509KeyPair(pem, pem); err != nil { + t.Errorf("Failed to load %s key followed by %s cert: %s", test.algo, test.algo, err) + } + } +} + +func TestX509KeyPairErrors(t *testing.T) { + _, err := X509KeyPair([]byte(rsaKeyPEM), []byte(rsaCertPEM)) + if err == nil { + t.Fatalf("X509KeyPair didn't return an error when arguments were switched") + } + if subStr := "been switched"; !strings.Contains(err.Error(), subStr) { + t.Fatalf("Expected %q in the error when switching arguments to X509KeyPair, but the error was %q", subStr, err) + } + + _, err = X509KeyPair([]byte(rsaCertPEM), []byte(rsaCertPEM)) + if err == nil { + t.Fatalf("X509KeyPair didn't return an error when both arguments were certificates") + } + if subStr := "certificate"; !strings.Contains(err.Error(), subStr) { + t.Fatalf("Expected %q in the error when both arguments to X509KeyPair were certificates, but the error was %q", subStr, err) + } + + const nonsensePEM = ` +-----BEGIN NONSENSE----- +Zm9vZm9vZm9v +-----END NONSENSE----- +` + + _, err = X509KeyPair([]byte(nonsensePEM), []byte(nonsensePEM)) + if err == nil { + t.Fatalf("X509KeyPair didn't return an error when both arguments were nonsense") + } + if subStr := "NONSENSE"; !strings.Contains(err.Error(), subStr) { + t.Fatalf("Expected %q in the error when both arguments to X509KeyPair were nonsense, but the error was %q", subStr, err) + } +} + +func TestX509MixedKeyPair(t *testing.T) { + if _, err := X509KeyPair([]byte(rsaCertPEM), []byte(ecdsaKeyPEM)); err == nil { + t.Error("Load of RSA certificate succeeded with ECDSA private key") + } + if _, err := X509KeyPair([]byte(ecdsaCertPEM), []byte(rsaKeyPEM)); err == nil { + t.Error("Load of ECDSA certificate succeeded with RSA private key") + } +} + +func newLocalListener(t testing.TB) net.Listener { + ln, err := net.Listen("tcp", "127.0.0.1:0") + if err != nil { + ln, err = net.Listen("tcp6", "[::1]:0") + } + if err != nil { + t.Fatal(err) + } + return ln +} + +func TestDialTimeout(t *testing.T) { + if testing.Short() { + t.Skip("skipping in short mode") + } + + timeout := 100 * time.Microsecond + for !t.Failed() { + acceptc := make(chan net.Conn) + listener := newLocalListener(t) + go func() { + for { + conn, err := listener.Accept() + if err != nil { + close(acceptc) + return + } + acceptc <- conn + } + }() + + addr := listener.Addr().String() + dialer := &net.Dialer{ + Timeout: timeout, + } + if conn, err := DialWithDialer(dialer, "tcp", addr, nil); err == nil { + conn.Close() + t.Errorf("DialWithTimeout unexpectedly completed successfully") + } else if !isTimeoutError(err) { + t.Errorf("resulting error not a timeout: %v\nType %T: %#v", err, err, err) + } + + listener.Close() + + // We're looking for a timeout during the handshake, so check that the + // Listener actually accepted the connection to initiate it. (If the server + // takes too long to accept the connection, we might cancel before the + // underlying net.Conn is ever dialed — without ever attempting a + // handshake.) + lconn, ok := <-acceptc + if ok { + // The Listener accepted a connection, so assume that it was from our + // Dial: we triggered the timeout at the point where we wanted it! + t.Logf("Listener accepted a connection from %s", lconn.RemoteAddr()) + lconn.Close() + } + // Close any spurious extra connecitions from the listener. (This is + // possible if there are, for example, stray Dial calls from other tests.) + for extraConn := range acceptc { + t.Logf("spurious extra connection from %s", extraConn.RemoteAddr()) + extraConn.Close() + } + if ok { + break + } + + t.Logf("with timeout %v, DialWithDialer returned before listener accepted any connections; retrying", timeout) + timeout *= 2 + } +} + +func TestDeadlineOnWrite(t *testing.T) { + if testing.Short() { + t.Skip("skipping in short mode") + } + + ln := newLocalListener(t) + defer ln.Close() + + srvCh := make(chan *Conn, 1) + + go func() { + sconn, err := ln.Accept() + if err != nil { + srvCh <- nil + return + } + srv := Server(sconn, testConfig.Clone()) + if err := srv.Handshake(); err != nil { + srvCh <- nil + return + } + srvCh <- srv + }() + + clientConfig := testConfig.Clone() + clientConfig.MaxVersion = VersionTLS12 + conn, err := Dial("tcp", ln.Addr().String(), clientConfig) + if err != nil { + t.Fatal(err) + } + defer conn.Close() + + srv := <-srvCh + if srv == nil { + t.Error(err) + } + + // Make sure the client/server is setup correctly and is able to do a typical Write/Read + buf := make([]byte, 6) + if _, err := srv.Write([]byte("foobar")); err != nil { + t.Errorf("Write err: %v", err) + } + if n, err := conn.Read(buf); n != 6 || err != nil || string(buf) != "foobar" { + t.Errorf("Read = %d, %v, data %q; want 6, nil, foobar", n, err, buf) + } + + // Set a deadline which should cause Write to timeout + if err = srv.SetDeadline(time.Now()); err != nil { + t.Fatalf("SetDeadline(time.Now()) err: %v", err) + } + if _, err = srv.Write([]byte("should fail")); err == nil { + t.Fatal("Write should have timed out") + } + + // Clear deadline and make sure it still times out + if err = srv.SetDeadline(time.Time{}); err != nil { + t.Fatalf("SetDeadline(time.Time{}) err: %v", err) + } + if _, err = srv.Write([]byte("This connection is permanently broken")); err == nil { + t.Fatal("Write which previously failed should still time out") + } + + // Verify the error + if ne := err.(net.Error); ne.Temporary() != false { + t.Error("Write timed out but incorrectly classified the error as Temporary") + } + if !isTimeoutError(err) { + t.Error("Write timed out but did not classify the error as a Timeout") + } +} + +type readerFunc func([]byte) (int, error) + +func (f readerFunc) Read(b []byte) (int, error) { return f(b) } + +// TestDialer tests that tls.Dialer.DialContext can abort in the middle of a handshake. +// (The other cases are all handled by the existing dial tests in this package, which +// all also flow through the same code shared code paths) +func TestDialer(t *testing.T) { + ln := newLocalListener(t) + defer ln.Close() + + unblockServer := make(chan struct{}) // close-only + defer close(unblockServer) + go func() { + conn, err := ln.Accept() + if err != nil { + return + } + defer conn.Close() + <-unblockServer + }() + + ctx, cancel := context.WithCancel(context.Background()) + d := Dialer{Config: &Config{ + Rand: readerFunc(func(b []byte) (n int, err error) { + // By the time crypto/tls wants randomness, that means it has a TCP + // connection, so we're past the Dialer's dial and now blocked + // in a handshake. Cancel our context and see if we get unstuck. + // (Our TCP listener above never reads or writes, so the Handshake + // would otherwise be stuck forever) + cancel() + return len(b), nil + }), + ServerName: "foo", + }} + _, err := d.DialContext(ctx, "tcp", ln.Addr().String()) + if err != context.Canceled { + t.Errorf("err = %v; want context.Canceled", err) + } +} + +func isTimeoutError(err error) bool { + if ne, ok := err.(net.Error); ok { + return ne.Timeout() + } + return false +} + +// tests that Conn.Read returns (non-zero, io.EOF) instead of +// (non-zero, nil) when a Close (alertCloseNotify) is sitting right +// behind the application data in the buffer. +func TestConnReadNonzeroAndEOF(t *testing.T) { + // This test is racy: it assumes that after a write to a + // localhost TCP connection, the peer TCP connection can + // immediately read it. Because it's racy, we skip this test + // in short mode, and then retry it several times with an + // increasing sleep in between our final write (via srv.Close + // below) and the following read. + if testing.Short() { + t.Skip("skipping in short mode") + } + var err error + for delay := time.Millisecond; delay <= 64*time.Millisecond; delay *= 2 { + if err = testConnReadNonzeroAndEOF(t, delay); err == nil { + return + } + } + t.Error(err) +} + +func testConnReadNonzeroAndEOF(t *testing.T, delay time.Duration) error { + ln := newLocalListener(t) + defer ln.Close() + + srvCh := make(chan *Conn, 1) + var serr error + go func() { + sconn, err := ln.Accept() + if err != nil { + serr = err + srvCh <- nil + return + } + serverConfig := testConfig.Clone() + srv := Server(sconn, serverConfig) + if err := srv.Handshake(); err != nil { + serr = fmt.Errorf("handshake: %v", err) + srvCh <- nil + return + } + srvCh <- srv + }() + + clientConfig := testConfig.Clone() + // In TLS 1.3, alerts are encrypted and disguised as application data, so + // the opportunistic peek won't work. + clientConfig.MaxVersion = VersionTLS12 + conn, err := Dial("tcp", ln.Addr().String(), clientConfig) + if err != nil { + t.Fatal(err) + } + defer conn.Close() + + srv := <-srvCh + if srv == nil { + return serr + } + + buf := make([]byte, 6) + + srv.Write([]byte("foobar")) + n, err := conn.Read(buf) + if n != 6 || err != nil || string(buf) != "foobar" { + return fmt.Errorf("Read = %d, %v, data %q; want 6, nil, foobar", n, err, buf) + } + + srv.Write([]byte("abcdef")) + srv.Close() + time.Sleep(delay) + n, err = conn.Read(buf) + if n != 6 || string(buf) != "abcdef" { + return fmt.Errorf("Read = %d, buf= %q; want 6, abcdef", n, buf) + } + if err != io.EOF { + return fmt.Errorf("Second Read error = %v; want io.EOF", err) + } + return nil +} + +func TestTLSUniqueMatches(t *testing.T) { + ln := newLocalListener(t) + defer ln.Close() + + serverTLSUniques := make(chan []byte) + parentDone := make(chan struct{}) + childDone := make(chan struct{}) + defer close(parentDone) + go func() { + defer close(childDone) + for i := 0; i < 2; i++ { + sconn, err := ln.Accept() + if err != nil { + t.Error(err) + return + } + serverConfig := testConfig.Clone() + serverConfig.MaxVersion = VersionTLS12 // TLSUnique is not defined in TLS 1.3 + srv := Server(sconn, serverConfig) + if err := srv.Handshake(); err != nil { + t.Error(err) + return + } + select { + case <-parentDone: + return + case serverTLSUniques <- srv.ConnectionState().TLSUnique: + } + } + }() + + clientConfig := testConfig.Clone() + clientConfig.ClientSessionCache = NewLRUClientSessionCache(1) + conn, err := Dial("tcp", ln.Addr().String(), clientConfig) + if err != nil { + t.Fatal(err) + } + + var serverTLSUniquesValue []byte + select { + case <-childDone: + return + case serverTLSUniquesValue = <-serverTLSUniques: + } + + if !bytes.Equal(conn.ConnectionState().TLSUnique, serverTLSUniquesValue) { + t.Error("client and server channel bindings differ") + } + if serverTLSUniquesValue == nil || bytes.Equal(serverTLSUniquesValue, make([]byte, 12)) { + t.Error("tls-unique is empty or zero") + } + conn.Close() + + conn, err = Dial("tcp", ln.Addr().String(), clientConfig) + if err != nil { + t.Fatal(err) + } + defer conn.Close() + if !conn.ConnectionState().DidResume { + t.Error("second session did not use resumption") + } + + select { + case <-childDone: + return + case serverTLSUniquesValue = <-serverTLSUniques: + } + + if !bytes.Equal(conn.ConnectionState().TLSUnique, serverTLSUniquesValue) { + t.Error("client and server channel bindings differ when session resumption is used") + } + if serverTLSUniquesValue == nil || bytes.Equal(serverTLSUniquesValue, make([]byte, 12)) { + t.Error("resumption tls-unique is empty or zero") + } +} + +func TestVerifyHostname(t *testing.T) { + testenv.MustHaveExternalNetwork(t) + + c, err := Dial("tcp", "www.google.com:https", nil) + if err != nil { + t.Fatal(err) + } + if err := c.VerifyHostname("www.google.com"); err != nil { + t.Fatalf("verify www.google.com: %v", err) + } + if err := c.VerifyHostname("www.yahoo.com"); err == nil { + t.Fatalf("verify www.yahoo.com succeeded") + } + + c, err = Dial("tcp", "www.google.com:https", &Config{InsecureSkipVerify: true}) + if err != nil { + t.Fatal(err) + } + if err := c.VerifyHostname("www.google.com"); err == nil { + t.Fatalf("verify www.google.com succeeded with InsecureSkipVerify=true") + } +} + +func TestConnCloseBreakingWrite(t *testing.T) { + ln := newLocalListener(t) + defer ln.Close() + + srvCh := make(chan *Conn, 1) + var serr error + var sconn net.Conn + go func() { + var err error + sconn, err = ln.Accept() + if err != nil { + serr = err + srvCh <- nil + return + } + serverConfig := testConfig.Clone() + srv := Server(sconn, serverConfig) + if err := srv.Handshake(); err != nil { + serr = fmt.Errorf("handshake: %v", err) + srvCh <- nil + return + } + srvCh <- srv + }() + + cconn, err := net.Dial("tcp", ln.Addr().String()) + if err != nil { + t.Fatal(err) + } + defer cconn.Close() + + conn := &changeImplConn{ + Conn: cconn, + } + + clientConfig := testConfig.Clone() + tconn := Client(conn, clientConfig) + if err := tconn.Handshake(); err != nil { + t.Fatal(err) + } + + srv := <-srvCh + if srv == nil { + t.Fatal(serr) + } + defer sconn.Close() + + connClosed := make(chan struct{}) + conn.closeFunc = func() error { + close(connClosed) + return nil + } + + inWrite := make(chan bool, 1) + var errConnClosed = errors.New("conn closed for test") + conn.writeFunc = func(p []byte) (n int, err error) { + inWrite <- true + <-connClosed + return 0, errConnClosed + } + + closeReturned := make(chan bool, 1) + go func() { + <-inWrite + tconn.Close() // test that this doesn't block forever. + closeReturned <- true + }() + + _, err = tconn.Write([]byte("foo")) + if err != errConnClosed { + t.Errorf("Write error = %v; want errConnClosed", err) + } + + <-closeReturned + if err := tconn.Close(); err != net.ErrClosed { + t.Errorf("Close error = %v; want net.ErrClosed", err) + } +} + +func TestConnCloseWrite(t *testing.T) { + ln := newLocalListener(t) + defer ln.Close() + + clientDoneChan := make(chan struct{}) + + serverCloseWrite := func() error { + sconn, err := ln.Accept() + if err != nil { + return fmt.Errorf("accept: %v", err) + } + defer sconn.Close() + + serverConfig := testConfig.Clone() + srv := Server(sconn, serverConfig) + if err := srv.Handshake(); err != nil { + return fmt.Errorf("handshake: %v", err) + } + defer srv.Close() + + data, err := io.ReadAll(srv) + if err != nil { + return err + } + if len(data) > 0 { + return fmt.Errorf("Read data = %q; want nothing", data) + } + + if err := srv.CloseWrite(); err != nil { + return fmt.Errorf("server CloseWrite: %v", err) + } + + // Wait for clientCloseWrite to finish, so we know we + // tested the CloseWrite before we defer the + // sconn.Close above, which would also cause the + // client to unblock like CloseWrite. + <-clientDoneChan + return nil + } + + clientCloseWrite := func() error { + defer close(clientDoneChan) + + clientConfig := testConfig.Clone() + conn, err := Dial("tcp", ln.Addr().String(), clientConfig) + if err != nil { + return err + } + if err := conn.Handshake(); err != nil { + return err + } + defer conn.Close() + + if err := conn.CloseWrite(); err != nil { + return fmt.Errorf("client CloseWrite: %v", err) + } + + if _, err := conn.Write([]byte{0}); err != errShutdown { + return fmt.Errorf("CloseWrite error = %v; want errShutdown", err) + } + + data, err := io.ReadAll(conn) + if err != nil { + return err + } + if len(data) > 0 { + return fmt.Errorf("Read data = %q; want nothing", data) + } + return nil + } + + errChan := make(chan error, 2) + + go func() { errChan <- serverCloseWrite() }() + go func() { errChan <- clientCloseWrite() }() + + for i := 0; i < 2; i++ { + select { + case err := <-errChan: + if err != nil { + t.Fatal(err) + } + case <-time.After(10 * time.Second): + t.Fatal("deadlock") + } + } + + // Also test CloseWrite being called before the handshake is + // finished: + { + ln2 := newLocalListener(t) + defer ln2.Close() + + netConn, err := net.Dial("tcp", ln2.Addr().String()) + if err != nil { + t.Fatal(err) + } + defer netConn.Close() + conn := Client(netConn, testConfig.Clone()) + + if err := conn.CloseWrite(); err != errEarlyCloseWrite { + t.Errorf("CloseWrite error = %v; want errEarlyCloseWrite", err) + } + } +} + +func TestWarningAlertFlood(t *testing.T) { + ln := newLocalListener(t) + defer ln.Close() + + server := func() error { + sconn, err := ln.Accept() + if err != nil { + return fmt.Errorf("accept: %v", err) + } + defer sconn.Close() + + serverConfig := testConfig.Clone() + srv := Server(sconn, serverConfig) + if err := srv.Handshake(); err != nil { + return fmt.Errorf("handshake: %v", err) + } + defer srv.Close() + + _, err = io.ReadAll(srv) + if err == nil { + return errors.New("unexpected lack of error from server") + } + const expected = "too many ignored" + if str := err.Error(); !strings.Contains(str, expected) { + return fmt.Errorf("expected error containing %q, but saw: %s", expected, str) + } + + return nil + } + + errChan := make(chan error, 1) + go func() { errChan <- server() }() + + clientConfig := testConfig.Clone() + clientConfig.MaxVersion = VersionTLS12 // there are no warning alerts in TLS 1.3 + conn, err := Dial("tcp", ln.Addr().String(), clientConfig) + if err != nil { + t.Fatal(err) + } + defer conn.Close() + if err := conn.Handshake(); err != nil { + t.Fatal(err) + } + + for i := 0; i < maxUselessRecords+1; i++ { + conn.sendAlert(alertNoRenegotiation) + } + + if err := <-errChan; err != nil { + t.Fatal(err) + } +} + +func TestCloneFuncFields(t *testing.T) { + const expectedCount = 8 + called := 0 + + c1 := Config{ + Time: func() time.Time { + called |= 1 << 0 + return time.Time{} + }, + GetCertificate: func(*ClientHelloInfo) (*Certificate, error) { + called |= 1 << 1 + return nil, nil + }, + GetClientCertificate: func(*CertificateRequestInfo) (*Certificate, error) { + called |= 1 << 2 + return nil, nil + }, + GetConfigForClient: func(*ClientHelloInfo) (*Config, error) { + called |= 1 << 3 + return nil, nil + }, + VerifyPeerCertificate: func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { + called |= 1 << 4 + return nil + }, + VerifyConnection: func(ConnectionState) error { + called |= 1 << 5 + return nil + }, + UnwrapSession: func(identity []byte, cs ConnectionState) (*SessionState, error) { + called |= 1 << 6 + return nil, nil + }, + WrapSession: func(cs ConnectionState, ss *SessionState) ([]byte, error) { + called |= 1 << 7 + return nil, nil + }, + } + + c2 := c1.Clone() + + c2.Time() + c2.GetCertificate(nil) + c2.GetClientCertificate(nil) + c2.GetConfigForClient(nil) + c2.VerifyPeerCertificate(nil, nil) + c2.VerifyConnection(ConnectionState{}) + c2.UnwrapSession(nil, ConnectionState{}) + c2.WrapSession(ConnectionState{}, nil) + + if called != (1< len(p) { + allowed = len(p) + } + if wrote < allowed { + n, err := c.Conn.Write(p[wrote:allowed]) + wrote += n + if err != nil { + return wrote, err + } + } + } + return len(p), nil +} + +func latency(b *testing.B, version uint16, bps int, dynamicRecordSizingDisabled bool) { + ln := newLocalListener(b) + defer ln.Close() + + N := b.N + + go func() { + for i := 0; i < N; i++ { + sconn, err := ln.Accept() + if err != nil { + // panic rather than synchronize to avoid benchmark overhead + // (cannot call b.Fatal in goroutine) + panic(fmt.Errorf("accept: %v", err)) + } + serverConfig := testConfig.Clone() + serverConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled + srv := Server(&slowConn{sconn, bps}, serverConfig) + if err := srv.Handshake(); err != nil { + panic(fmt.Errorf("handshake: %v", err)) + } + io.Copy(srv, srv) + } + }() + + clientConfig := testConfig.Clone() + clientConfig.DynamicRecordSizingDisabled = dynamicRecordSizingDisabled + clientConfig.MaxVersion = version + + buf := make([]byte, 16384) + peek := make([]byte, 1) + + for i := 0; i < N; i++ { + conn, err := Dial("tcp", ln.Addr().String(), clientConfig) + if err != nil { + b.Fatal(err) + } + // make sure we're connected and previous connection has stopped + if _, err := conn.Write(buf[:1]); err != nil { + b.Fatal(err) + } + if _, err := io.ReadFull(conn, peek); err != nil { + b.Fatal(err) + } + if _, err := conn.Write(buf); err != nil { + b.Fatal(err) + } + if _, err = io.ReadFull(conn, peek); err != nil { + b.Fatal(err) + } + conn.Close() + } +} + +func BenchmarkLatency(b *testing.B) { + for _, mode := range []string{"Max", "Dynamic"} { + for _, kbps := range []int{200, 500, 1000, 2000, 5000} { + name := fmt.Sprintf("%sPacket/%dkbps", mode, kbps) + b.Run(name, func(b *testing.B) { + b.Run("TLSv12", func(b *testing.B) { + latency(b, VersionTLS12, kbps*1000, mode == "Max") + }) + b.Run("TLSv13", func(b *testing.B) { + latency(b, VersionTLS13, kbps*1000, mode == "Max") + }) + }) + } + } +} + +func TestConnectionStateMarshal(t *testing.T) { + cs := &ConnectionState{} + _, err := json.Marshal(cs) + if err != nil { + t.Errorf("json.Marshal failed on ConnectionState: %v", err) + } +} + +func TestConnectionState(t *testing.T) { + issuer, err := x509.ParseCertificate(testRSACertificateIssuer) + if err != nil { + panic(err) + } + rootCAs := x509.NewCertPool() + rootCAs.AddCert(issuer) + + now := func() time.Time { return time.Unix(1476984729, 0) } + + const alpnProtocol = "golang" + const serverName = "example.golang" + var scts = [][]byte{[]byte("dummy sct 1"), []byte("dummy sct 2")} + var ocsp = []byte("dummy ocsp") + + for _, v := range []uint16{VersionTLS12, VersionTLS13} { + var name string + switch v { + case VersionTLS12: + name = "TLSv12" + case VersionTLS13: + name = "TLSv13" + } + t.Run(name, func(t *testing.T) { + config := &Config{ + Time: now, + Rand: zeroSource{}, + Certificates: make([]Certificate, 1), + MaxVersion: v, + RootCAs: rootCAs, + ClientCAs: rootCAs, + ClientAuth: RequireAndVerifyClientCert, + NextProtos: []string{alpnProtocol}, + ServerName: serverName, + } + config.Certificates[0].Certificate = [][]byte{testRSACertificate} + config.Certificates[0].PrivateKey = testRSAPrivateKey + config.Certificates[0].SignedCertificateTimestamps = scts + config.Certificates[0].OCSPStaple = ocsp + + ss, cs, err := testHandshake(t, config, config) + if err != nil { + t.Fatalf("Handshake failed: %v", err) + } + + if ss.Version != v || cs.Version != v { + t.Errorf("Got versions %x (server) and %x (client), expected %x", ss.Version, cs.Version, v) + } + + if !ss.HandshakeComplete || !cs.HandshakeComplete { + t.Errorf("Got HandshakeComplete %v (server) and %v (client), expected true", ss.HandshakeComplete, cs.HandshakeComplete) + } + + if ss.DidResume || cs.DidResume { + t.Errorf("Got DidResume %v (server) and %v (client), expected false", ss.DidResume, cs.DidResume) + } + + if ss.CipherSuite == 0 || cs.CipherSuite == 0 { + t.Errorf("Got invalid cipher suite: %v (server) and %v (client)", ss.CipherSuite, cs.CipherSuite) + } + + if ss.NegotiatedProtocol != alpnProtocol || cs.NegotiatedProtocol != alpnProtocol { + t.Errorf("Got negotiated protocol %q (server) and %q (client), expected %q", ss.NegotiatedProtocol, cs.NegotiatedProtocol, alpnProtocol) + } + + if !cs.NegotiatedProtocolIsMutual { + t.Errorf("Got false NegotiatedProtocolIsMutual on the client side") + } + // NegotiatedProtocolIsMutual on the server side is unspecified. + + if ss.ServerName != serverName { + t.Errorf("Got server name %q, expected %q", ss.ServerName, serverName) + } + if cs.ServerName != serverName { + t.Errorf("Got server name on client connection %q, expected %q", cs.ServerName, serverName) + } + + if len(ss.PeerCertificates) != 1 || len(cs.PeerCertificates) != 1 { + t.Errorf("Got %d (server) and %d (client) peer certificates, expected %d", len(ss.PeerCertificates), len(cs.PeerCertificates), 1) + } + + if len(ss.VerifiedChains) != 1 || len(cs.VerifiedChains) != 1 { + t.Errorf("Got %d (server) and %d (client) verified chains, expected %d", len(ss.VerifiedChains), len(cs.VerifiedChains), 1) + } else if len(ss.VerifiedChains[0]) != 2 || len(cs.VerifiedChains[0]) != 2 { + t.Errorf("Got %d (server) and %d (client) long verified chain, expected %d", len(ss.VerifiedChains[0]), len(cs.VerifiedChains[0]), 2) + } + + if len(cs.SignedCertificateTimestamps) != 2 { + t.Errorf("Got %d SCTs, expected %d", len(cs.SignedCertificateTimestamps), 2) + } + if !bytes.Equal(cs.OCSPResponse, ocsp) { + t.Errorf("Got OCSPs %x, expected %x", cs.OCSPResponse, ocsp) + } + // Only TLS 1.3 supports OCSP and SCTs on client certs. + if v == VersionTLS13 { + if len(ss.SignedCertificateTimestamps) != 2 { + t.Errorf("Got %d client SCTs, expected %d", len(ss.SignedCertificateTimestamps), 2) + } + if !bytes.Equal(ss.OCSPResponse, ocsp) { + t.Errorf("Got client OCSPs %x, expected %x", ss.OCSPResponse, ocsp) + } + } + + if v == VersionTLS13 { + if ss.TLSUnique != nil || cs.TLSUnique != nil { + t.Errorf("Got TLSUnique %x (server) and %x (client), expected nil in TLS 1.3", ss.TLSUnique, cs.TLSUnique) + } + } else { + if ss.TLSUnique == nil || cs.TLSUnique == nil { + t.Errorf("Got TLSUnique %x (server) and %x (client), expected non-nil", ss.TLSUnique, cs.TLSUnique) + } + } + }) + } +} + +// Issue 28744: Ensure that we don't modify memory +// that Config doesn't own such as Certificates. +func TestBuildNameToCertificate_doesntModifyCertificates(t *testing.T) { + c0 := Certificate{ + Certificate: [][]byte{testRSACertificate}, + PrivateKey: testRSAPrivateKey, + } + c1 := Certificate{ + Certificate: [][]byte{testSNICertificate}, + PrivateKey: testRSAPrivateKey, + } + config := testConfig.Clone() + config.Certificates = []Certificate{c0, c1} + + config.BuildNameToCertificate() + got := config.Certificates + want := []Certificate{c0, c1} + if !reflect.DeepEqual(got, want) { + t.Fatalf("Certificates were mutated by BuildNameToCertificate\nGot: %#v\nWant: %#v\n", got, want) + } +} + +func testingKey(s string) string { return strings.ReplaceAll(s, "TESTING KEY", "PRIVATE KEY") } + +func TestClientHelloInfo_SupportsCertificate(t *testing.T) { + rsaCert := &Certificate{ + Certificate: [][]byte{testRSACertificate}, + PrivateKey: testRSAPrivateKey, + } + pkcs1Cert := &Certificate{ + Certificate: [][]byte{testRSACertificate}, + PrivateKey: testRSAPrivateKey, + SupportedSignatureAlgorithms: []SignatureScheme{PKCS1WithSHA1, PKCS1WithSHA256}, + } + ecdsaCert := &Certificate{ + // ECDSA P-256 certificate + Certificate: [][]byte{testP256Certificate}, + PrivateKey: testP256PrivateKey, + } + ed25519Cert := &Certificate{ + Certificate: [][]byte{testEd25519Certificate}, + PrivateKey: testEd25519PrivateKey, + } + + tests := []struct { + c *Certificate + chi *ClientHelloInfo + wantErr string + }{ + {rsaCert, &ClientHelloInfo{ + ServerName: "example.golang", + SignatureSchemes: []SignatureScheme{PSSWithSHA256}, + SupportedVersions: []uint16{VersionTLS13}, + }, ""}, + {ecdsaCert, &ClientHelloInfo{ + SignatureSchemes: []SignatureScheme{PSSWithSHA256, ECDSAWithP256AndSHA256}, + SupportedVersions: []uint16{VersionTLS13, VersionTLS12}, + }, ""}, + {rsaCert, &ClientHelloInfo{ + ServerName: "example.com", + SignatureSchemes: []SignatureScheme{PSSWithSHA256}, + SupportedVersions: []uint16{VersionTLS13}, + }, "not valid for requested server name"}, + {ecdsaCert, &ClientHelloInfo{ + SignatureSchemes: []SignatureScheme{ECDSAWithP384AndSHA384}, + SupportedVersions: []uint16{VersionTLS13}, + }, "signature algorithms"}, + {pkcs1Cert, &ClientHelloInfo{ + SignatureSchemes: []SignatureScheme{PSSWithSHA256, ECDSAWithP256AndSHA256}, + SupportedVersions: []uint16{VersionTLS13}, + }, "signature algorithms"}, + + {rsaCert, &ClientHelloInfo{ + CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, + SignatureSchemes: []SignatureScheme{PKCS1WithSHA1}, + SupportedVersions: []uint16{VersionTLS13, VersionTLS12}, + }, "signature algorithms"}, + {rsaCert, &ClientHelloInfo{ + CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, + SignatureSchemes: []SignatureScheme{PKCS1WithSHA1}, + SupportedVersions: []uint16{VersionTLS13, VersionTLS12}, + config: &Config{ + CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, + MaxVersion: VersionTLS12, + }, + }, ""}, // Check that mutual version selection works. + + {ecdsaCert, &ClientHelloInfo{ + CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, + SupportedCurves: []CurveID{CurveP256}, + SupportedPoints: []uint8{pointFormatUncompressed}, + SignatureSchemes: []SignatureScheme{ECDSAWithP256AndSHA256}, + SupportedVersions: []uint16{VersionTLS12}, + }, ""}, + {ecdsaCert, &ClientHelloInfo{ + CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, + SupportedCurves: []CurveID{CurveP256}, + SupportedPoints: []uint8{pointFormatUncompressed}, + SignatureSchemes: []SignatureScheme{ECDSAWithP384AndSHA384}, + SupportedVersions: []uint16{VersionTLS12}, + }, ""}, // TLS 1.2 does not restrict curves based on the SignatureScheme. + {ecdsaCert, &ClientHelloInfo{ + CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, + SupportedCurves: []CurveID{CurveP256}, + SupportedPoints: []uint8{pointFormatUncompressed}, + SignatureSchemes: nil, + SupportedVersions: []uint16{VersionTLS12}, + }, ""}, // TLS 1.2 comes with default signature schemes. + {ecdsaCert, &ClientHelloInfo{ + CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, + SupportedCurves: []CurveID{CurveP256}, + SupportedPoints: []uint8{pointFormatUncompressed}, + SignatureSchemes: []SignatureScheme{ECDSAWithP256AndSHA256}, + SupportedVersions: []uint16{VersionTLS12}, + }, "cipher suite"}, + {ecdsaCert, &ClientHelloInfo{ + CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, + SupportedCurves: []CurveID{CurveP256}, + SupportedPoints: []uint8{pointFormatUncompressed}, + SignatureSchemes: []SignatureScheme{ECDSAWithP256AndSHA256}, + SupportedVersions: []uint16{VersionTLS12}, + config: &Config{ + CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, + }, + }, "cipher suite"}, + {ecdsaCert, &ClientHelloInfo{ + CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, + SupportedCurves: []CurveID{CurveP384}, + SupportedPoints: []uint8{pointFormatUncompressed}, + SignatureSchemes: []SignatureScheme{ECDSAWithP256AndSHA256}, + SupportedVersions: []uint16{VersionTLS12}, + }, "certificate curve"}, + {ecdsaCert, &ClientHelloInfo{ + CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, + SupportedCurves: []CurveID{CurveP256}, + SupportedPoints: []uint8{1}, + SignatureSchemes: []SignatureScheme{ECDSAWithP256AndSHA256}, + SupportedVersions: []uint16{VersionTLS12}, + }, "doesn't support ECDHE"}, + {ecdsaCert, &ClientHelloInfo{ + CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, + SupportedCurves: []CurveID{CurveP256}, + SupportedPoints: []uint8{pointFormatUncompressed}, + SignatureSchemes: []SignatureScheme{PSSWithSHA256}, + SupportedVersions: []uint16{VersionTLS12}, + }, "signature algorithms"}, + + {ed25519Cert, &ClientHelloInfo{ + CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, + SupportedCurves: []CurveID{CurveP256}, // only relevant for ECDHE support + SupportedPoints: []uint8{pointFormatUncompressed}, + SignatureSchemes: []SignatureScheme{Ed25519}, + SupportedVersions: []uint16{VersionTLS12}, + }, ""}, + {ed25519Cert, &ClientHelloInfo{ + CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, + SupportedCurves: []CurveID{CurveP256}, // only relevant for ECDHE support + SupportedPoints: []uint8{pointFormatUncompressed}, + SignatureSchemes: []SignatureScheme{Ed25519}, + SupportedVersions: []uint16{VersionTLS10}, + config: &Config{MinVersion: VersionTLS10}, + }, "doesn't support Ed25519"}, + {ed25519Cert, &ClientHelloInfo{ + CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, + SupportedCurves: []CurveID{}, + SupportedPoints: []uint8{pointFormatUncompressed}, + SignatureSchemes: []SignatureScheme{Ed25519}, + SupportedVersions: []uint16{VersionTLS12}, + }, "doesn't support ECDHE"}, + + {rsaCert, &ClientHelloInfo{ + CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, + SupportedCurves: []CurveID{CurveP256}, // only relevant for ECDHE support + SupportedPoints: []uint8{pointFormatUncompressed}, + SupportedVersions: []uint16{VersionTLS10}, + config: &Config{MinVersion: VersionTLS10}, + }, ""}, + {rsaCert, &ClientHelloInfo{ + CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, + SupportedVersions: []uint16{VersionTLS12}, + config: &Config{ + CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256}, + }, + }, ""}, // static RSA fallback + } + for i, tt := range tests { + err := tt.chi.SupportsCertificate(tt.c) + switch { + case tt.wantErr == "" && err != nil: + t.Errorf("%d: unexpected error: %v", i, err) + case tt.wantErr != "" && err == nil: + t.Errorf("%d: unexpected success", i) + case tt.wantErr != "" && !strings.Contains(err.Error(), tt.wantErr): + t.Errorf("%d: got error %q, expected %q", i, err, tt.wantErr) + } + } +} + +func TestCipherSuites(t *testing.T) { + var lastID uint16 + for _, c := range CipherSuites() { + if lastID > c.ID { + t.Errorf("CipherSuites are not ordered by ID: got %#04x after %#04x", c.ID, lastID) + } else { + lastID = c.ID + } + + if c.Insecure { + t.Errorf("%#04x: Insecure CipherSuite returned by CipherSuites()", c.ID) + } + } + lastID = 0 + for _, c := range InsecureCipherSuites() { + if lastID > c.ID { + t.Errorf("InsecureCipherSuites are not ordered by ID: got %#04x after %#04x", c.ID, lastID) + } else { + lastID = c.ID + } + + if !c.Insecure { + t.Errorf("%#04x: not Insecure CipherSuite returned by InsecureCipherSuites()", c.ID) + } + } + + CipherSuiteByID := func(id uint16) *CipherSuite { + for _, c := range CipherSuites() { + if c.ID == id { + return c + } + } + for _, c := range InsecureCipherSuites() { + if c.ID == id { + return c + } + } + return nil + } + + for _, c := range cipherSuites { + cc := CipherSuiteByID(c.id) + if cc == nil { + t.Errorf("%#04x: no CipherSuite entry", c.id) + continue + } + + if tls12Only := c.flags&suiteTLS12 != 0; tls12Only && len(cc.SupportedVersions) != 1 { + t.Errorf("%#04x: suite is TLS 1.2 only, but SupportedVersions is %v", c.id, cc.SupportedVersions) + } else if !tls12Only && len(cc.SupportedVersions) != 3 { + t.Errorf("%#04x: suite TLS 1.0-1.2, but SupportedVersions is %v", c.id, cc.SupportedVersions) + } + + if got := CipherSuiteName(c.id); got != cc.Name { + t.Errorf("%#04x: unexpected CipherSuiteName: got %q, expected %q", c.id, got, cc.Name) + } + } + for _, c := range cipherSuitesTLS13 { + cc := CipherSuiteByID(c.id) + if cc == nil { + t.Errorf("%#04x: no CipherSuite entry", c.id) + continue + } + + if cc.Insecure { + t.Errorf("%#04x: Insecure %v, expected false", c.id, cc.Insecure) + } + if len(cc.SupportedVersions) != 1 || cc.SupportedVersions[0] != VersionTLS13 { + t.Errorf("%#04x: suite is TLS 1.3 only, but SupportedVersions is %v", c.id, cc.SupportedVersions) + } + + if got := CipherSuiteName(c.id); got != cc.Name { + t.Errorf("%#04x: unexpected CipherSuiteName: got %q, expected %q", c.id, got, cc.Name) + } + } + + if got := CipherSuiteName(0xabc); got != "0x0ABC" { + t.Errorf("unexpected fallback CipherSuiteName: got %q, expected 0x0ABC", got) + } + + if len(cipherSuitesPreferenceOrder) != len(cipherSuites) { + t.Errorf("cipherSuitesPreferenceOrder is not the same size as cipherSuites") + } + if len(cipherSuitesPreferenceOrderNoAES) != len(cipherSuitesPreferenceOrder) { + t.Errorf("cipherSuitesPreferenceOrderNoAES is not the same size as cipherSuitesPreferenceOrder") + } + if len(defaultCipherSuites) >= len(defaultCipherSuitesWithRSAKex) { + t.Errorf("defaultCipherSuitesWithRSAKex should be longer than defaultCipherSuites") + } + + // Check that disabled suites are marked insecure. + for _, badSuites := range []map[uint16]bool{disabledCipherSuites, rsaKexCiphers} { + for id := range badSuites { + c := CipherSuiteByID(id) + if c == nil { + t.Errorf("%#04x: no CipherSuite entry", id) + continue + } + if !c.Insecure { + t.Errorf("%#04x: disabled by default but not marked insecure", id) + } + } + } + + for i, prefOrder := range [][]uint16{cipherSuitesPreferenceOrder, cipherSuitesPreferenceOrderNoAES} { + // Check that insecure and HTTP/2 bad cipher suites are at the end of + // the preference lists. + var sawInsecure, sawBad bool + for _, id := range prefOrder { + c := CipherSuiteByID(id) + if c == nil { + t.Errorf("%#04x: no CipherSuite entry", id) + continue + } + + if c.Insecure { + sawInsecure = true + } else if sawInsecure { + t.Errorf("%#04x: secure suite after insecure one(s)", id) + } + + if http2isBadCipher(id) { + sawBad = true + } else if sawBad { + t.Errorf("%#04x: non-bad suite after bad HTTP/2 one(s)", id) + } + } + + // Check that the list is sorted according to the documented criteria. + isBetter := func(a, b int) bool { + aSuite, bSuite := cipherSuiteByID(prefOrder[a]), cipherSuiteByID(prefOrder[b]) + aName, bName := CipherSuiteName(prefOrder[a]), CipherSuiteName(prefOrder[b]) + // * < RC4 + if !strings.Contains(aName, "RC4") && strings.Contains(bName, "RC4") { + return true + } else if strings.Contains(aName, "RC4") && !strings.Contains(bName, "RC4") { + return false + } + // * < CBC_SHA256 + if !strings.Contains(aName, "CBC_SHA256") && strings.Contains(bName, "CBC_SHA256") { + return true + } else if strings.Contains(aName, "CBC_SHA256") && !strings.Contains(bName, "CBC_SHA256") { + return false + } + // * < 3DES + if !strings.Contains(aName, "3DES") && strings.Contains(bName, "3DES") { + return true + } else if strings.Contains(aName, "3DES") && !strings.Contains(bName, "3DES") { + return false + } + // ECDHE < * + if aSuite.flags&suiteECDHE != 0 && bSuite.flags&suiteECDHE == 0 { + return true + } else if aSuite.flags&suiteECDHE == 0 && bSuite.flags&suiteECDHE != 0 { + return false + } + // AEAD < CBC + if aSuite.aead != nil && bSuite.aead == nil { + return true + } else if aSuite.aead == nil && bSuite.aead != nil { + return false + } + // AES < ChaCha20 + if strings.Contains(aName, "AES") && strings.Contains(bName, "CHACHA20") { + return i == 0 // true for cipherSuitesPreferenceOrder + } else if strings.Contains(aName, "CHACHA20") && strings.Contains(bName, "AES") { + return i != 0 // true for cipherSuitesPreferenceOrderNoAES + } + // AES-128 < AES-256 + if strings.Contains(aName, "AES_128") && strings.Contains(bName, "AES_256") { + return true + } else if strings.Contains(aName, "AES_256") && strings.Contains(bName, "AES_128") { + return false + } + // ECDSA < RSA + if aSuite.flags&suiteECSign != 0 && bSuite.flags&suiteECSign == 0 { + return true + } else if aSuite.flags&suiteECSign == 0 && bSuite.flags&suiteECSign != 0 { + return false + } + t.Fatalf("two ciphersuites are equal by all criteria: %v and %v", aName, bName) + panic("unreachable") + } + if !sort.SliceIsSorted(prefOrder, isBetter) { + t.Error("preference order is not sorted according to the rules") + } + } +} + +func TestVersionName(t *testing.T) { + if got, exp := VersionName(VersionTLS13), "TLS 1.3"; got != exp { + t.Errorf("unexpected VersionName: got %q, expected %q", got, exp) + } + if got, exp := VersionName(0x12a), "0x012A"; got != exp { + t.Errorf("unexpected fallback VersionName: got %q, expected %q", got, exp) + } +} + +// http2isBadCipher is copied from net/http. +// TODO: if it ends up exposed somewhere, use that instead. +func http2isBadCipher(cipher uint16) bool { + switch cipher { + case TLS_RSA_WITH_RC4_128_SHA, + TLS_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA, + TLS_RSA_WITH_AES_256_CBC_SHA, + TLS_RSA_WITH_AES_128_CBC_SHA256, + TLS_RSA_WITH_AES_128_GCM_SHA256, + TLS_RSA_WITH_AES_256_GCM_SHA384, + TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_RSA_WITH_RC4_128_SHA, + TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, + TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, + TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, + TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256: + return true + default: + return false + } +} + +type brokenSigner struct{ crypto.Signer } + +func (s brokenSigner) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) (signature []byte, err error) { + // Replace opts with opts.HashFunc(), so rsa.PSSOptions are discarded. + return s.Signer.Sign(rand, digest, opts.HashFunc()) +} + +// TestPKCS1OnlyCert uses a client certificate with a broken crypto.Signer that +// always makes PKCS #1 v1.5 signatures, so can't be used with RSA-PSS. +func TestPKCS1OnlyCert(t *testing.T) { + clientConfig := testConfig.Clone() + clientConfig.Certificates = []Certificate{{ + Certificate: [][]byte{testRSACertificate}, + PrivateKey: brokenSigner{testRSAPrivateKey}, + }} + serverConfig := testConfig.Clone() + serverConfig.MaxVersion = VersionTLS12 // TLS 1.3 doesn't support PKCS #1 v1.5 + serverConfig.ClientAuth = RequireAnyClientCert + + // If RSA-PSS is selected, the handshake should fail. + if _, _, err := testHandshake(t, clientConfig, serverConfig); err == nil { + t.Fatal("expected broken certificate to cause connection to fail") + } + + clientConfig.Certificates[0].SupportedSignatureAlgorithms = + []SignatureScheme{PKCS1WithSHA1, PKCS1WithSHA256} + + // But if the certificate restricts supported algorithms, RSA-PSS should not + // be selected, and the handshake should succeed. + if _, _, err := testHandshake(t, clientConfig, serverConfig); err != nil { + t.Error(err) + } +} + +func TestVerifyCertificates(t *testing.T) { + // See https://go.dev/issue/31641. + t.Run("TLSv12", func(t *testing.T) { testVerifyCertificates(t, VersionTLS12) }) + t.Run("TLSv13", func(t *testing.T) { testVerifyCertificates(t, VersionTLS13) }) +} + +func testVerifyCertificates(t *testing.T, version uint16) { + tests := []struct { + name string + + InsecureSkipVerify bool + ClientAuth ClientAuthType + ClientCertificates bool + }{ + { + name: "defaults", + }, + { + name: "InsecureSkipVerify", + InsecureSkipVerify: true, + }, + { + name: "RequestClientCert with no certs", + ClientAuth: RequestClientCert, + }, + { + name: "RequestClientCert with certs", + ClientAuth: RequestClientCert, + ClientCertificates: true, + }, + { + name: "RequireAnyClientCert", + ClientAuth: RequireAnyClientCert, + ClientCertificates: true, + }, + { + name: "VerifyClientCertIfGiven with no certs", + ClientAuth: VerifyClientCertIfGiven, + }, + { + name: "VerifyClientCertIfGiven with certs", + ClientAuth: VerifyClientCertIfGiven, + ClientCertificates: true, + }, + { + name: "RequireAndVerifyClientCert", + ClientAuth: RequireAndVerifyClientCert, + ClientCertificates: true, + }, + } + + issuer, err := x509.ParseCertificate(testRSACertificateIssuer) + if err != nil { + t.Fatal(err) + } + rootCAs := x509.NewCertPool() + rootCAs.AddCert(issuer) + + for _, test := range tests { + test := test + t.Run(test.name, func(t *testing.T) { + t.Parallel() + + var serverVerifyConnection, clientVerifyConnection bool + var serverVerifyPeerCertificates, clientVerifyPeerCertificates bool + + clientConfig := testConfig.Clone() + clientConfig.Time = func() time.Time { return time.Unix(1476984729, 0) } + clientConfig.MaxVersion = version + clientConfig.MinVersion = version + clientConfig.RootCAs = rootCAs + clientConfig.ServerName = "example.golang" + clientConfig.ClientSessionCache = NewLRUClientSessionCache(1) + serverConfig := clientConfig.Clone() + serverConfig.ClientCAs = rootCAs + + clientConfig.VerifyConnection = func(cs ConnectionState) error { + clientVerifyConnection = true + return nil + } + clientConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { + clientVerifyPeerCertificates = true + return nil + } + serverConfig.VerifyConnection = func(cs ConnectionState) error { + serverVerifyConnection = true + return nil + } + serverConfig.VerifyPeerCertificate = func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { + serverVerifyPeerCertificates = true + return nil + } + + clientConfig.InsecureSkipVerify = test.InsecureSkipVerify + serverConfig.ClientAuth = test.ClientAuth + if !test.ClientCertificates { + clientConfig.Certificates = nil + } + + if _, _, err := testHandshake(t, clientConfig, serverConfig); err != nil { + t.Fatal(err) + } + + want := serverConfig.ClientAuth != NoClientCert + if serverVerifyPeerCertificates != want { + t.Errorf("VerifyPeerCertificates on the server: got %v, want %v", + serverVerifyPeerCertificates, want) + } + if !clientVerifyPeerCertificates { + t.Errorf("VerifyPeerCertificates not called on the client") + } + if !serverVerifyConnection { + t.Error("VerifyConnection did not get called on the server") + } + if !clientVerifyConnection { + t.Error("VerifyConnection did not get called on the client") + } + + serverVerifyPeerCertificates, clientVerifyPeerCertificates = false, false + serverVerifyConnection, clientVerifyConnection = false, false + cs, _, err := testHandshake(t, clientConfig, serverConfig) + if err != nil { + t.Fatal(err) + } + if !cs.DidResume { + t.Error("expected resumption") + } + + if serverVerifyPeerCertificates { + t.Error("VerifyPeerCertificates got called on the server on resumption") + } + if clientVerifyPeerCertificates { + t.Error("VerifyPeerCertificates got called on the client on resumption") + } + if !serverVerifyConnection { + t.Error("VerifyConnection did not get called on the server on resumption") + } + if !clientVerifyConnection { + t.Error("VerifyConnection did not get called on the client on resumption") + } + }) + } +} diff --git a/tls.go b/tls.go new file mode 100644 index 000000000..7ddc1f984 --- /dev/null +++ b/tls.go @@ -0,0 +1,222 @@ +package gnet + +import ( + "bytes" + "errors" + "io" + "net" + "runtime/debug" + "time" + + "github.com/panjf2000/gnet/v2/pkg/logging" + "github.com/panjf2000/gnet/v2/pkg/tls" +) + +type tlsConn struct { + raw Conn + rawTLSConn *tls.Conn + inboundBuffer *bytes.Buffer + handshakeCompleted bool + count int + ctx interface{} +} + +func (c *tlsConn) Read(p []byte) (n int, err error) { + return c.inboundBuffer.Read(p) +} + +func (c *tlsConn) WriteTo(w io.Writer) (n int64, err error) { + return c.inboundBuffer.WriteTo(w) +} + +func (c *tlsConn) Next(n int) (buf []byte, err error) { + if n < 0 || n > c.inboundBuffer.Len() { + n = c.inboundBuffer.Len() + } + return c.inboundBuffer.Next(n), nil +} + +func (c *tlsConn) Peek(n int) (buf []byte, err error) { + if c.inboundBuffer.Len() < n { + return nil, io.ErrShortBuffer + } + return c.inboundBuffer.Bytes()[:n], nil +} + +func (c *tlsConn) Discard(n int) (discarded int, err error) { + r, err := io.CopyN(io.Discard, c.inboundBuffer, int64(n)) + return int(r), err +} + +func (c *tlsConn) InboundBuffered() (n int) { + return c.inboundBuffer.Len() +} + +func (c *tlsConn) Write(p []byte) (n int, err error) { + return c.rawTLSConn.Write(p) +} + +func (c *tlsConn) ReadFrom(r io.Reader) (n int64, err error) { + return c.inboundBuffer.ReadFrom(r) +} + +func (c *tlsConn) Writev(bs [][]byte) (n int, err error) { + // TODO: + var bb []byte + for _, b := range bs { + bb = append(bb, b...) + } + return c.Write(bb) +} + +func (c *tlsConn) Flush() (err error) { + return c.raw.Flush() +} + +func (c *tlsConn) OutboundBuffered() (n int) { + return c.raw.OutboundBuffered() +} + +func (c *tlsConn) AsyncWrite(buf []byte, callback AsyncCallback) (err error) { + _, err = c.Write(buf) + return callback(c, err) +} + +func (c *tlsConn) AsyncWritev(bs [][]byte, callback AsyncCallback) (err error) { + _, err = c.Writev(bs) + return callback(c, err) +} + +func (c *tlsConn) Fd() int { + return c.raw.Fd() +} + +func (c *tlsConn) Dup() (int, error) { + return c.raw.Dup() +} + +func (c *tlsConn) SetReadBuffer(bytes int) error { + return c.raw.SetReadBuffer(bytes) +} + +func (c *tlsConn) SetWriteBuffer(bytes int) error { + return c.raw.SetWriteBuffer(bytes) +} + +func (c *tlsConn) SetLinger(sec int) error { + return c.raw.SetLinger(sec) +} + +func (c *tlsConn) SetKeepAlivePeriod(d time.Duration) error { + return c.raw.SetKeepAlivePeriod(d) +} + +func (c *tlsConn) SetNoDelay(noDelay bool) error { + return c.raw.SetNoDelay(noDelay) +} + +func (c *tlsConn) Context() (ctx interface{}) { + return c.ctx +} + +func (c *tlsConn) SetContext(ctx interface{}) { + c.ctx = ctx +} + +func (c *tlsConn) LocalAddr() (addr net.Addr) { + return c.raw.LocalAddr() +} + +func (c *tlsConn) RemoteAddr() (addr net.Addr) { + return c.raw.RemoteAddr() +} + +func (c *tlsConn) Wake(callback AsyncCallback) (err error) { + return c.raw.Wake(callback) +} + +func (c *tlsConn) CloseWithCallback(callback AsyncCallback) (err error) { + return c.raw.CloseWithCallback(callback) +} + +func (c *tlsConn) Close() (err error) { + return c.raw.Close() +} + +func (c *tlsConn) SetDeadline(t time.Time) (err error) { + return c.raw.SetDeadline(t) +} + +func (c *tlsConn) SetReadDeadline(t time.Time) (err error) { + return c.raw.SetReadDeadline(t) +} + +func (c *tlsConn) SetWriteDeadline(t time.Time) (err error) { + return c.SetWriteDeadline(t) +} + +type tlsEventHandler struct { + EventHandler + tlsConfig *tls.Config +} + +func (h *tlsEventHandler) OnOpen(c Conn) (out []byte, action Action) { + // upgrade Conn to TLSConn + tc := tls.Server(c, h.tlsConfig) + c.SetContext(&tlsConn{ + raw: c, + rawTLSConn: tc, + inboundBuffer: bytes.NewBuffer(make([]byte, 0, 512)), + }) + // The code here does not need call OnOpen now; it can be deferred until the handshake complete + return +} + +func (h *tlsEventHandler) OnTraffic(c Conn) (action Action) { + tc := c.Context().(*tlsConn) + if !tc.rawTLSConn.HandshakeCompleted() { + err := tc.rawTLSConn.Handshake() + if err != nil && !errors.Is(err, tls.ErrNotEnough) { + logging.Error(err) + return Close + } + + if tc.rawTLSConn.HandshakeCompleted() { + // fire OnOpen when handshake completed + out, act := h.EventHandler.OnOpen(tc) + if act != None { + return act + } + if _, err := tc.Write(out); err != nil { + return Close + } + } + + return None + } + // TODO: cache buffer + buffer := make([]byte, 1024*1024) + for { + n, err := tc.rawTLSConn.Read(buffer) + if errors.Is(err, tls.ErrNotEnough) { + break + } + if err != nil { + if errors.Is(err, io.EOF) { + return None + } + logging.Errorf("tls conn OnTraffic err: %v, stack: %s", err, debug.Stack()) + return Close + } + tc.inboundBuffer.Write(buffer[:n]) + if tc.raw.InboundBuffered() == 0 { + break + } + } + + if tc.inboundBuffer.Len() > 0 { + return h.EventHandler.OnTraffic(tc) + } + + return None +} diff --git a/tls_test.go b/tls_test.go new file mode 100644 index 000000000..acb628150 --- /dev/null +++ b/tls_test.go @@ -0,0 +1,132 @@ +package gnet + +import ( + tls2 "crypto/tls" + + "github.com/panjf2000/gnet/v2/pkg/tls" +) + +var serverCRT = `-----BEGIN CERTIFICATE----- +MIIDczCCAlugAwIBAgIJAM0/vF9KXTQbMA0GCSqGSIb3DQEBCwUAMFAxCzAJBgNV +BAYTAkNOMQwwCgYDVQQIDANGRUkxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoG +A1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yNDAzMjIwNzIxMTNaFw0yNTAz +MjIwNzIxMTNaMFAxCzAJBgNVBAYTAkNOMQwwCgYDVQQIDANGRUkxFTATBgNVBAcM +DERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPXZ3mcbFEMmmDaQWyKOMOfPmxQG +lWGdQg9STQard+K/RY36WTYshTHNAQzZX1TqdCdReCSDgGkE5pcb7Pvw1UBa6c2b +BfpbmPwAG7oEQvyqIRgxW65w9ZUHl0A2+Ynvfz6mRJdZ1VRXbUKBZAjdHTwGbOZb +Tdw6niih42i8TUPrgCEq1F/NomiVsZqJTfXXwxsRCo7oZ1Gepb/ljOJ8Q3Iu78Ng +AQHCj+a2oxuRPMydHAhBbdPgQWSvO/C4864cXt6gtetsj4wR99syFX0k6vYeMdmZ +G9OE7jCmvU+F/hIDa60PXYXG4C+rKe01paUMIhrMyhV6GoGvrr97sX9Bp4UCAwEA +AaNQME4wHQYDVR0OBBYEFIYICdXG8UZbNja0OJP4E0UdhzQXMB8GA1UdIwQYMBaA +FIYICdXG8UZbNja0OJP4E0UdhzQXMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEL +BQADggEBABBsRLAtQP+92tXcTNkiZ86R6PSpRAJQB88OCvqVF6JZPFvOQjDHhjvW +mwhEEgbUZACTetQpcCk/SbOebeZUnmm1dx0XG7qaLVVSedUy9gjHnxkhS5Ws8cOW +vZVot9ucr3p7cGBYDGtUZ7oN/f2HpwoiQg2DqEHgx/1cNKza3x1+WANIZNoKNjP5 +ZDhDuHqt2/AHxyrlkVbpVS+g2Mn9K68rwJV6cHe3usXrlc4VT2fDTkFbPgVbyhBx +l8lG16b/ko5jSa4NN8MKZKZZYZnZr/452qc9E3/nk6MTimkCB6zWfDx2RsDR7+nE +jqzuMt+wx35XZSA5Jfms71+cU8KvAEw= +-----END CERTIFICATE----- +` + +var serverKey = `-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEA9dneZxsUQyaYNpBbIo4w58+bFAaVYZ1CD1JNBqt34r9FjfpZ +NiyFMc0BDNlfVOp0J1F4JIOAaQTmlxvs+/DVQFrpzZsF+luY/AAbugRC/KohGDFb +rnD1lQeXQDb5ie9/PqZEl1nVVFdtQoFkCN0dPAZs5ltN3DqeKKHjaLxNQ+uAISrU +X82iaJWxmolN9dfDGxEKjuhnUZ6lv+WM4nxDci7vw2ABAcKP5rajG5E8zJ0cCEFt +0+BBZK878Ljzrhxe3qC162yPjBH32zIVfSTq9h4x2Zkb04TuMKa9T4X+EgNrrQ9d +hcbgL6sp7TWlpQwiGszKFXoaga+uv3uxf0GnhQIDAQABAoIBAGEjEfKfCmR1zVJR +uxBuKfiNWHKTH1aQMden5vMpsJaQiETOk40KDh5dJ3sSL853TCl00QlsQ8I6w3kU ++Y+Z2kgxI4uvIq+GnW2EBXB72pPGDIlohxbnXsDhXOtsTTAoxpfUTemW/ujyGiNa +yFGQO8rJpyFlFeBb8L2RKS7qp4Sbs6cC0qAzMIW+OBoSKu07bTphWKxyiextVB7d +z9JEEnpLb6VMRA2SEQAUNJ0uekM1oXfYh5hFjUtd+UKCF+KFTqXh1N7exFEeY5dO +thateML4BaFH1bvhE3TzR3i/el2NGWJ/BUCkm5kjIoLqw/We2TCnz5RWmtjArpQS +7iAIdgECgYEA+8WB7jktLEQm5Sr1EVVdNfkYl4UYaKQyOOWSQi4XN4cL+4Te62HD +mZqrsD/x84Nv36gzcUzfyQvPzz72Cav3Z8SZHP/YhHSRD+U7bxtyo6z+Kv0WDtQD +ZeLdjZW0X/Vl9kwZU3udM0MHOsPRjcxQVhWNwEknfUwwgvkoJ0buxEUCgYEA+frn ++m2DuWubpSTp8UxIOYPSLag9q+sQKMriJPUXvzIpZpBdcLhvINPAjluzTU2HHekK +nF0ciDxJ0QR1SB8UhbtVGYlASxP/K0BEYhydOdDg053qiD7ZtNobZedEcp72pRhF +lpG1IaqNUUY/MC7qbuoqzum0FTeY7ATzt+fcqkECgYAFu1Vd6wdQPqz0AqpZnqvk +kqswp+MKXtKV4QQXZZ05smVfcILysOMXGCJYfNwxQwjE+rtRFQLzPMWaXkCTr8qO +HjeuJVT0jwLObdWQjftqJoIS0Hg0FjeNlkCc/I+Cr7+Gf+0DrYjCpgAAIn0e0Uvy +6cK0YfX4MEfac3mqiz7cUQKBgFS2a2CZNjdiuQcY4FKOODeNbW9dgTC+YuaAAmzl +xdtcI12HdLLbPYWRXMKhXrzGlhBTxe3BPAcK7zTu3tPG/IxpNGiH84q9xw4gJExf +SASsvVPZQv5S1jIMa5Z37eEt74V5GTPyQsCa7HLrbERm0bkuj704w3chNShecT0U +TNpBAoGBAI4b2Unjae+qIFncPGdZhJBIj4UlEC5ePCtUo16Bys/IvFcIveonP3iq +lHi05PF9PNyPGFY0/h3sHfarq5K4cBZ+dsHBV7/KzJltZ3K0mZodaI3E/hB0SZgn +oHQA9bqSDRzT61MFUomrk/56XIXYFjSPBWQI8AwTy8+8Xm+NczxN +-----END RSA PRIVATE KEY----- +` + +var clientCRT = `-----BEGIN CERTIFICATE----- +MIIDHDCCAgQCCQChed2z264DpDANBgkqhkiG9w0BAQsFADBQMQswCQYDVQQGEwJD +TjEMMAoGA1UECAwDRkVJMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoM +E0RlZmF1bHQgQ29tcGFueSBMdGQwHhcNMjQwMzIyMDcyMTU4WhcNMjUwMzIyMDcy +MTU4WjBQMQswCQYDVQQGEwJDTjEMMAoGA1UECAwDRkVJMRUwEwYDVQQHDAxEZWZh +dWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQwggEiMA0GCSqG +SIb3DQEBAQUAA4IBDwAwggEKAoIBAQClSoCJXax5xhGM+c1ux7nElmwbjKj3fvS8 +opMj9nNp1Q5XuauNjgZSvkMAYBQYsrBn5RG+7EpwzPwQMSowzv8RkviDYz9i0/SO +YZLyX/Y4f7DTL21ryKXoxirxB+LHvZSvs7iunhqB3AIXeIlu6WsvGMXhhHOP0diS +n9Uq1598m8OWB4x9k573Lr3UoyOAOQPPra3wZxsVRn+7W6K5xnmPgzYm0p3ac5jF ++E9ZhUlVbuMxKF6xl+X3pGyu53BqcXdWDWdRI+TJyMRzB0kXdOQx536wW6i/1aUv +crgIo2zEoVBH3vylOXfp0K7l3+jc9fQRqEb6xiZru95jZDpPCuYTAgMBAAEwDQYJ +KoZIhvcNAQELBQADggEBAN58zr83coygDbo61HDSdARQ3XWyeTazsmbuy6WIwXrl +zPwoFcksjCOwraFccnowwQfteHMdL5EB0Lk2ihwtIxUwzJVOQTovb2B4TqcpV0nd +/xC5aWJr3JiX+FKiDk450FXQXx5xMR1zA6YsoDmXd7wmK0Z6pv49V+7WjdIDeZlm +FnZ9l3GOT8WdbLmzZ1K1Qsa1L723ENTJhIQJR/UsiJJl0ATykd6y/wX3aUUUtBmq +9P6jcQoRp/x+9eM5iIa+YTKBaUEwTRUEZmklb1s82FC8jhly7B9bmMYEDs8QfNdX +rngcyY2rD5ATuODBRks1LO2G7JDx4vJt1Wh04RInEg0= +-----END CERTIFICATE----- +` +var clientKey = `-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEApUqAiV2secYRjPnNbse5xJZsG4yo9370vKKTI/ZzadUOV7mr +jY4GUr5DAGAUGLKwZ+URvuxKcMz8EDEqMM7/EZL4g2M/YtP0jmGS8l/2OH+w0y9t +a8il6MYq8Qfix72Ur7O4rp4agdwCF3iJbulrLxjF4YRzj9HYkp/VKteffJvDlgeM +fZOe9y691KMjgDkDz62t8GcbFUZ/u1uiucZ5j4M2JtKd2nOYxfhPWYVJVW7jMShe +sZfl96RsrudwanF3Vg1nUSPkycjEcwdJF3TkMed+sFuov9WlL3K4CKNsxKFQR978 +pTl36dCu5d/o3PX0EahG+sYma7veY2Q6TwrmEwIDAQABAoIBABjl8BbBFYoCXAJw +XpGhZEpInmBH/+vII/WGR8PTC++VOGPehAj+q9Uq88zKrDxMLmZ4CwRHc68qMY3+ +2ewgQivTh7vC53lrlBsed5QrAFviYDBvpHvn7ZXyw+Uq2u5bkFonKFqlVjjZezct +4QXkA1FE2gnuebngUk9D5Ehf0pZiYki3t5+UbZ/2XIlU6qcwYXwTD8N3NDmhKDcn +2q/JatBp/l7gE+RJPYyBPgM9ffw273GraQhMwmeBkP0wfmxN/rntrO1ViuHaxwk9 +qS6lBNghBcM8uIpihrm7hf080VqDUte4OG8Z6gP3kLeLg7vBubFUN/weGqRGKcDN +Ifoa9oECgYEA0Sfu/54O2fNSI3UiHrzExmeLpCDTYJAWMNViporSML6V0DnM0Hso +D+flogxns8t4QW1pJ5AlANmm13piavl44eKO5UyE5bIzCzbOi3v75aTgtIOd4M77 +7HId0TR62xAeK23j7rBNoIpwNu9vYIYhh8kD3RJ+8DC1akhy2+398X8CgYEAyk+M +TTPZEajkk74Q46vu1ByAVL2OIqQq3dO292vW9z0YKl0WvehKPgjXEmxZtuUdvwAK +3dQgDNaF3kMAx0mluwCoPHFDgMR0tw51q3Jxb3sIgQo9RKUMuhTRzAwZQQW2qVYq +w+moY6rZgEiwjSEqKxBEviAiHAeOLjg5E4HobW0CgYEAlWMZYDerUd5px2uNIDkh +rrgcU/EiKLEhOGXgnSU/9ZLafCwcbrfYKGwwZqrHkvJ8BPc5iQl6dH4AnZ0LGG7w ++R2RhJM/xLOfo53UrmmyxBYcbLIpHH2aEAp944PBUB/V/JzzlPMVrtnSRlqDyYRk +BJD9knP4eGPB35S5fP4iR88CgYAcFp1JHri1jfhmVs4rffSDuI1MtqCkSJy2/az6 +fxtyaiYPw6rjpPuhz0JlCWwPS5IssYnQsKHehm5BpJXYFW6QHxA8jBEuMJhvze8i +ZZpAOxm8KLrG7A9vSnKyXL+o2m0454C6gJdjdxYJjI4OmhsrrW+N4hI6SAZCfoXW +IoQtpQKBgF/JXD9cy4CJjJC2RQ4SSEz+yljYdQECeBtQjiodDq7x/l2ELr5gIO1A +VHDSuE+GXiRlWz1OmRpVh6DiXR6wIYdHJ8xw4rBPGtxEeBUoMWL+xpa6OJ1OX/2s +nXNUa+27KshlpdWNlwJOtkeeP7yMQGf7irAelQ/P0a3qmoop8YvC +-----END RSA PRIVATE KEY----- +` + +func getServerConfig() *tls.Config { + cert, err := tls.X509KeyPair([]byte(serverCRT), []byte(serverKey)) + if nil != err { + panic(err) + } + return &tls.Config{Certificates: []tls.Certificate{cert}} +} + +func getClientTLSConfig() *tls.Config { + crt, err := tls.X509KeyPair([]byte(clientCRT), []byte(clientKey)) + if err != nil { + panic(err) + } + return &tls.Config{Certificates: []tls.Certificate{crt}, InsecureSkipVerify: true} +} + +func getGoClientTLSConfig() *tls2.Config { + crt, err := tls2.X509KeyPair([]byte(clientCRT), []byte(clientKey)) + if err != nil { + panic(err) + } + return &tls2.Config{Certificates: []tls2.Certificate{crt}, InsecureSkipVerify: true} +}

#)cr`?q4>;sM|t9-#>j>g!0TWq-!n=iUADw_8#=qNI}dwxVm5%_d;{zOOZ*fzT9 zXxP`#QL;%#hip1($G#`JkiGUF(^2wKI@)L2F6C=HF&%9Iw|mpVU#r0P2L~styx~|{ z@RGmao}`5A^DSDag%%W(5sf8~ER~H!^V>5n!%_bwKEdO~oD})}9WBrV`;zg|wY?!) z5s#e?Znk01>1}iQGV0@NwrH()Ji;rcER>DU+TUIp;cVL@k#X-ZAI~wj1`5l z7nOhubI}d0J6e;&vV&poH|=58+9?s;GbLOCPDri@cZ3H8#7}{5m*`zMz+R-CvdT@*_?3N)XR^ShapP;&x8UE}j9o_goaA#de>y)+ zde8Cf?XmlWucm!BaUGTDVV_;xeHUR9`{=W&E1h_%8OUq(bw2Io$8lDN5gG#ifk%m) zVTk|5%J+=!Ds}Qr>C#X8kuF_mDmqzI2UGu)7X2MeA4YZ%Ki^;8WUS5M`6AC;vo3#^_HSyw1glp`U%JuX zbw78Je`@+8wwu2CXd9f@#QxGyVJ80%JB+o(^gG&C)9gXB-=h34`H$w0=DoL9-r|b~ z&HfGfUNG|>izBfySbKnvV7-^8@M0BZf}h|!n#6qIkD9_c`V-E4aQ*KYM=|`%IsyD~KQGbvXKyu|Nf=kNQJ6TYRNZY<7&kNxbZelFTi z4ByFji??;pxpBdu*|(FvkpE(6r}v&(!Rr;^rFQ+~xoPyA`U3n}2Ioa$^X>{V$3faD zc@j82Av#G4=a4Uo2N&@!e2^ZlJ+NBG6aWk9ice8*v<~#*EgjIi==^Xme_y1c-!AuQ zd5v1*s2_quJ9HY_9)~RneF_>#ztO_k%5Mn%q%o&jhkwp{3g6a}*VGAYdP$~V#zE08{fwBixQIFh5AC|x|=%ePP(`L|nXn&ZA28+Xu~`B@(}+252uvXT1v zwrwi*HnYv4;V(!l9v-cq{Ps8H|CDc`6xH9I|0B}4tIw{Vb0+L>%KyIV=i4^UZj08x zNA+_rh}D1c+uxM`ZPm|R^xL*~=l{Lx=MH+S|C}LXe^dU~R6pOgO?4fuzg6`oM(ZcP z{Z09sRX^v=Zrk3S{}-yCJMFCcIru@&Te!gv+8h5n*XH`G<(_8%~zx_@5pHlst zCAW=vjE?t7)ju#=e;?|%zA1l=>gU@w&LNHFU$6QHMC&KN{Z0ArSN;7}e|P?SRlhe{ ze_!gizA69Rs-JJ$ruIErf4S=SMC&KN{Z09oss4D?-<|*as^1;0zaRBm-<1D))z7!z zPwjWKeyul4NcVH+auYg`^q$=ntU-ujVm;q5pWpM!{XCl{@4cV%ZXTK1FqJil)+2lG z&u=hTlT00P%A&tLGOb}0>4uqpK6y?ikJ2w7PbPVk|3dPdOdh2d#MCoArk+4dJu_nJ zxhSTdnPxqIyIJd_Q>feOkNPs7`O-R_rnd&YFcRaxZ^MFY(yIWRlA312Y{{ibx;HXSFp8l|n^*(ZFF)=p8<66A+ zU~)}r1-$ht+7vGx>KN)<#{2HR+$&Ez5Ay8?{LZ^}V1k?9!}$ka!|BK~#fhOHRP)}k z)M@Oz2c7I^(nrXzIA%k(Z&$d1rP{zLFi@pkDamRvYC79c81FQh+|OAu_{+90{~GQ3&3fMpBY zu+&(s{zYZ(kquVgwqZa03-6|kp?^*EPqKzH4(6mkY%Jb}?{?^~6V4Eiw(KLs3|VE* z+{TzI?Qx;+&B^#x!tB5D?Kjr<4tVpNljv7e@3<6Q2R()Jw+vtHSCNUMm}lgOZ@XQe zpZXZ5`q}jHWjfmzCt!nJkLM2^HSUw-Ddj zc|ZCMpI&eXXNs9}v0D~5dj=(h7>~|adY7|I6nk|m<$LGb`{2OY#df|ioX@I!*ORZE z`rN>5?*qqvzn1U8(OQ=#vd%HO@J}-q%U>F+LxdPx?6{NAsWs*#bp6U<(q-KfLr#C! z<HZ>`l$T3ychFq9R(-ojWmj1Dzw z{jRmoJU{C;_^UyT_(ozKHu3G1bpy{3{ylI%X9n>tJ<({a8|`nj?EI|dy+-3a&Z0`> zZXu&DHdn^Efqe+NOZ#2=kB$=l@e=qEXWkXl-lqAA)s){&wo}8roBc;u@SQVS^xdl0 zDy#3sS4P(P@tu@`Gn}iRq&(5O^YUC^pAR%~upAtGWu%2$f2b91aVC<9vsxQ>+ZE0DcH5TpE^#=z|8q2PtLoQT zS4yAjX|JA=Wti*kiqEWewhsc=!C|$Xb(*p3Q#0<9yRNa#l|!@npW68ba_*SN>d$8S zW9hLyZR7RM#GQ%*(j2=pprZlUtPSJV5ImvDgFQAqRQR$vmb1fd?rnUBb8gzX=*Knikk60{Ue>v)bDqAp+x7A76=44X-!tvB?Uacl?S0Zb z>@6ue+2~k_f2#`HD1qC%IB)NO?1-D*v+5Ylc&`~8Dtw##iYc$<8~cZ<9qd7okGI%{ z;f>IBERT`@@kIL|j^f8&s}12t+|c9W$7tcl9xLBe`tmsW1fSDv_+$e=w?D*Pp+-20 z8||kUx8yLEjej0ETXH_v3v?K4i6J&LnE5)>N zMbm@qv9M&4VoipJ$53ARNgpSeyIsSoxo;}>MEEuQD1P?$2{PtQ zf9i(KHJp2X2IF+uX-?oZ4gdaF(n`U-67VpJZ>5g1H$0pPjIC)`DgPIN-`@*fm(##| z1M%rUc6h2jc721prB4sP>gZq9?r>MF0w3Luf#DjX|A8>ymm~A{bKgLTBfiR;ZS0zU zWM$PtM^@F8BjNp$$--Y0*PX(Zc9>3rJsyio*7<^EhQq|o=3U+Rup%Q=s5q>t^vh+ZmxCu`Mp+lzjSG&_+oec1oimwjOU@E^JH!^PuY^042)vHElN?tF)Rh&EcO_O&aST1M9eT@e?H+HO&$QVjx!D($j-Pe3;J>50p2ztv`nZNZ zAp3pDRCsxSaZG1C1&r%L#%JH@)@+??Sl~*k)||F+PQ1>p--C|@+Xb?#uW6t9f_TfK zWFzM==_hSQPGR#*a}C`&-<9~3_-=^uYO{zo+g;}{>iW*%3TX5}0N-j%MDYIyNZ z!;!Spy31>5xRAUXw+@`$hOb|`@60ukb;DgrI~9|14&Or9y{){8GfAQ^!%Sb@T?Tp> zGW1ho5gVc9XzXAd_>u6L%$Hz%F3-%DtvQfhH|F$Eq3oK( ze3Vx<;VBi^?R8fJzZKJ5xp3JU&az%DpWea?{uMt<(t%oZX){)r`8Q*Am)v32wa`5O z4SPQ0{knKvo%I@G93Ju?pbus|GG&7J$4(TFEc>E#{#`%Bmc;lJGhXFPtX8aX;QW8S z|5KQ!CeFK8+&K3VoBdzN94U4@K!415YS~IA5>=+_XD@x;CMW^?tx~# zoLg+&H(BeN(lC!ZrXGeCxsw~+q5Iw}tz$GF*vNg;iO)!f=IWbAK5qb<+Hd$9*D=-* zWwjTvw&Lo}HT>SP;Jo@e;%93sj9s$b*SW6l)O*yH=#HL2YNv0w-`G_S?4s#q&fy0Z zFmK)E&@Van)T--F^ZetRX=f?_#th&X0G`u`opWfNLEOA{U_vdr zqHsNWPHX{ni567vbi3Z*k;s-0&H0IAemw9UFLm{&&H>atkU1Juf26{>`e$eR*#jls z+85qx-FKpWk)mB#KTCHE zKd=Y5wYze{+E>^)IXs3k(Y0LxJn3`z+A#2}*5zRC6t`{p`rie|<=gS2Pd|h` zCp{CIhu(xIlP#JLZ+gt4_l?rA&b4Ho%T5zq-aXsm!%o`Nx+cziO0T|{vCjeqGl9iL zz+?un4FFqgVXSk~E4aVS<{7MGlia1t)`aQb^b7x0Uu=rWBhs}u!{!n0rFX0;aimtO zKJ;eus~{A7nB zp+lAO0r%-R63D4}H1+F=K52{SE)_{bSLGN*vi$@X1|n=}YK6 z5ogMQ_#-P@r!&{yJ}Is2p9+_PJJ&6|B?n!q;~t0qjcz^4T_qg~-D#KfsXFwi-#SvN zIGe1h|BCt4~uIyTz!XC!rOhITpYt7{%|O*+)=j8X94j6QxX@6xA$ zQ*t|dLgHPi)!FC&YkPbm^ra169bsRH|0u6csh00J08W(1cg)x%Yy9l>85OhFC&S+B zqdJ=4)m7?$zQwB#U+)J0gTDGv5c`R&&UL+f?+?Y5q{*Ex<|NI$1Ys{r{h=|Jzw7$8&f0 zqe(qlU{85Wv($8324ZWim zEzT_^8hIJrgVD0qVS8?(4)P2t}#n{zbZ>{(wOpl#&yINe#2hu(8; zzs`x^c%wDO6ffs!&7clokzDHMyK8Cpyp6daRH(Jxf+aCDFxBF-&5NzHJA)M5CSAb^yrb!seqs62qk4qeng{RPey9KbXqg`Q(d&Ba1M}2Z=5sf;FX_7C8Q&!h z8XD)q-W`HpjFuhZ!cd|1a-p*>-Y6Ubu1UN5UP@Mg%OZi^~4vL4&gNLjdW$hO% zj_w!4_Rw@7GG`8LH_z^=e@NGk+P&R|bziG=8o?sEwllC-t(jucs{y@6(^SPM& zIB=j3xX>4z=m$S?!;iQdi*hyaq3;_j)=&3_8mD6$yb<110Q|t~j_kW?*6XZ~=y@hu zhl@XPCr?K?aFYzt{v)mJeB7VsMb|etGx-Dd*E@I$W~<0682Lxk&YH)W8j5+#;N20I zGD~M{Xy3lqzPklEwbMPoQ|;ltAY^#Q42RdeF9@24f2D@6V2n}TcCO9a+{7$KdE1EF z{cEmd{ZxsqOzS1Bk@7FM=3VxcS1z*G@0VF=vNepEVd42}k61b$_luaefBl9RK}Q9^ z>_T970WdrtSWZKyVPAN@wZ2rp&W?e-`jB=wGQNyG4(ylN741ti`s~)e;_uqS3Qzao zM*)VFtP7Llja@EacyLhX#6$Q}xXZ5b5z>QRV;B6xTqnCO=^n>57l#Vp1TUVm`T7&| zRq+6!f$-27T6Ze8GdcW|d$F4`4{gLP{t+Ehv6>oRG;KKLGr0fa0m|2MzJ%8L*d@dN z$?vXGM|~Eu_cq2LTDq0k8sVJo$J#J+;0;QPrDLTl&C)f|`R#Q=ce?1i`woNd^x;R> z2kkD-{pZet>jiuCg+)AdN1O0nI(!>3OzMN#e^U>$Y**1Ww8pvlaAe&_@ZmP>*zN37 ztwgWmJn-uH54C^VD2#U)xykr5q^ngh55%MI+D|^t5HQ!zPr-AF9NaMp&(3B|UxNJD zicA^JZ}AD)681aech-|W*4Eq55zM{LQ9W^B51BIX7@1Ou{bOY^@wgr7Ia;q=!(6(i z+VczVT`?2|*8Tob2b>Q~ag zH4fQkHSQ|nmiM7QX>A(dES#roo>y$|kruzR=+` zA5t%8@9x}(9;LfG!|*?3aJ6i9U&jYkpW|R;&QIy9@;|{-V{y>e-abC9j|^;Y@2$7= z2V|^yCq!|1--crDDJtfkqGIkTD(0S|V(uv_#=l&Qf7#S2p~2TESBxHs?PJT6z-n8S zGvO7|^se;Z@Q&U?Y+b0Zq|j)*aX$Ohr-N6N4PIt6{)q24jkfOV*kb2($NRflOkTx) zB=D4a#wQ?utUH*8hBuK<<=62nrtZz=Z}eH7lI@D2b)7x%22)OH&b_w$xAXP(`$gr# z_tpOu&V;q(6Ysz25y7iF{zm>gtql#oWA!TX82Dn;zPrCgThh6#{`$M_5^n1Z8V*O`#ldj+HsQ(O^KMwzy{5!F>a*g+P)xr0qUUjH$)lp~r&ThnC^wp^jgk=DE1MZL>$S59oXX(~rr?{eq$ zF2~&|vE?SH9BIAFozc78XseuHE4XB-9BDW9g6C+vT+oK6WQy{SAiX$1oD+AR70>c_ z{fC}~{;q3y-gw!u?I-kZe{RoyyVX8vz5DI#UGD0h<-Xudnj1;$UG6i|d*H$Rp5;DJ zInsKUd#_iyV5`5eg}5r6(W7zymG4T+f*&j9F}M)j}L#@Dy!C@wxTk?ie`H(hGdo8Z@eJNe???awJ(#**grk{e;fU-wF0J z$$oO~gPG2m0p>Hqdd`!)qmC?tJKpq8Jq5fk&^vW8zh-_jA9WthN4?6Yy3B9XfAkw| z=$lyw?F8+7$BQdTHrq}Px7clq*D7|6y#?A+gpWMkcRDbZuTyrc4dCI;{I}cw^)@GW zaseCtCjZ0;{M5q5x4 zN&W}m2{-Yqv&+>|ZUNu*TjjPMEjKiL73ud6G`ciT(HNcB^Cf!wcZZqq9A=Fjc#3bz zC#$iy*kkYQQ`P!iFz7v&^G-099MW$ZVs!l%Wp0As^d8F@Cm4&5^c#mo$I{bxeB607 z=RY}IKs(w)A3KkA%x&dpjnBoLx)qOT&g=1DbfP)#OMlvJn8(hsLHdKK_8i0Cdc&oY zbEu9t$Dfe?z)AKT)3@Gm+0Xam&GEaW-#^-d%j@V2$Ad-C&{*SqI%`8V7p)z&M@s9N zN?;+KSu#+zt6FR+=S}KfPr1B zy!W#KH%NwWM25dYJhAk$=jfwBOwjS*`;X2P;XXoN)Hi3*oMkhTE$7*O@F?1Mvu4wn zT4-PP8;vEIen*^%rXRE7(0~N>X%9BtI5T!D-M5B5$*%A*V>YngIby~fEn9$n&tM9=HcDouJb=Q?$1 z4bpt`fE$YGi)l-?V*;+X`=Yv9$&*FB!9wF!@!walMOkZ;#PBxWVG5?-`&!Bn>(ccn z#@xt%i2s@)#DbvL*9_!|&R)~kSiGF`b1eUb{9b9{1o*%9mhAn=f{FU^N+xmKq{Zgr zyeQM&`X0~s`Tq&!h;dtdV1O}a9X`A-@n;4(*E5N+MSXqCCt|B24)Xx;t3pW6=6m{^B6tGTZIBW-amV$=FEEaixcgXg`U5 z`Dwcxo>}1uHJ*E(?iK5tSn-}!Wierl-jGRmw(r_cY3l^*pw&n7)>f%M+A@cZkG zwIgQ8?wA&SkM}=2#Y6D1^6n_c>d3)m<)FD%(y^9bLG`Ia4U{Al{LsH<$v$Jh;{=ZNih4y^u|`TV`_Y2FQnHc#jLf&_BkR^+Cvi%|-$9S@aS2lk-cQ&;{$hAin5XEW zPEX+Yr1@L6zOO%Dr5?JRGRo-41QuGmwmLo4Ue;Gy=L&~fS@Y_AqK(YAY&sucr(fk5 zRy~%n$p^sRfNBrplb@jKV0wEy()?{88ssbYV{y542*itT-z1c#9`m`_H3%EuOLNebuHD`MHR<*WAox z9GaWcz>Owg{?a+!av)k(JW)2M3&|^9D85rP$l^Oi*r=CNcf@CO6v+P6Y_*{{AjOFx zFOo8MT4~}tD<+2u#S`V9+0I-vZ?nEd=~?n<(+<0z&~w}rtDl*6KZOrtct_s_54z*p zzKGc`+x`vNky6ZfwB}#f{Sm()9!);X9rV{_r$^~rF;x4UDLdWp6vd$homLzg@!@71 zS{iN22iY$BJ8@{=1_te}6znC*)rv!tzW2N-SLH9$88<26{*-9}uic~gH+jP_zDcGk zhS>5?7{q!BZ@TYVwZ3gc&V|?mxeojio^2=3iQ*=20VgEub+4}}>#-X}_e0m2eX@Na z^hNM(W1gqR%(I)jawYS3XNs>|d%i50Kh%`@mDC~m3jUAR++BeW&<`IHO-6Nq=FKrW z0Q^+A_45a#Izab4#l|0+ct5fy-gEvWHe3g`M<+JOm@_tIe>2C~7oEmBZ`aaktT9VQ zDt^bp{o$rQkjj{fTuG)r;Cjx+DRBRB+s|+>{nP!*-(XA`jO9pfH||Hv3ir#9t)HO> z)tdC58orBi;@fTTnIhLvGfq$ZSo0h-?X%+B^3kU-&z7E5%sF(jcQik1^}{K-GtGk2 zb#_10&M0`6Vk;}2vGSQZ1O5uZbH1HVYrO@$qn|+oJ>$`0&o8#*M|VF4fKyF}BZ^C1 z+(bKS4_nEcGIWLwJS`m5{Oe3S`J;x0XM7%6N8WL|>-rBz@w8_i?R$&r3=#ZShYlg9 z@SQDq${s6pJgp#9_)E$k1fNxx-WP=JIgt$zAH~c6W*lD`GoNnmeg0Q){OaT2_@>8V zaNLf~I`Y8REhGkB&WKMx`YES@qfd;@LBr%{WZZRys-pu-X2 zv*FWCq@4qQ3c+KRqx((ena{KGTy$@A+06g6#xY+qZg!|JL;T}DD^2_(Zk9Fgh4wh) z6G^$xCU%yY`_ZaHQ zT-DvyG<-GURTKFpm{p=1N#|Q>>wJQ}biPV-z7X43 zmxKy`#@J%@)>ib^aID_S-iI)HrKz{lXX&lKG4Ne5{x$?K2n_KI=1lY1qvtz^m`0Z=b`r^}dStO}ATp-y^<#DgUHN@7+mE z{y(Mn;v3vWnFY65^*E_#%$!i+64IhJegm7_@SJXW9JM)02arA@--O{XhRF6O`<$M= zeI|-GiRwZ7!H*5>lj@djiQzkRCQUkfPVD_f+E-x=u9+J>yT{0ItiDsbDtRvE`E_yd zI$KNeh}L;Tj&RxS9`>mj;qL+8V90Yx`T%2b3o>?x*GQ;hFW1~ z?LRBv8P8MkSJFB5UTevK?V2yYwcjC&Jkx^%5~_&(^PKE?Brw>YTZHd*IsH{y8fmxa zE&!L-N-3q~^kdU^t$NC-C+<8uPR>r-h`#^0y{5B=#Y4?b+yDUR?_C<@Z`V2+cJqYakF0B?J`!M0!-8|;dK^msec*h zYwhs3ATW}@RdG7)@L)IXEW}@&!CnaYRFxit7u8blYn;UdA7IXUuB}bkM(nLcUnkxN z(n1_Xx}(p5ZSW@1XeTkCUBrNX2|S}~RN0kfI~HAJnR>FdMwPBDnfDX=P)zz03)mk? zo^E|K4SiJc+bQ9@(JlSh8CrmcV4!;b!-PR}ZKX33bsk4DFith+OY*S!;%=OnMy!wM zrHQ%2T5rys;z*+XxJR(~GO{IeRyS@bhDrQ$Io|}kL6p~1^!9b_4+P%gE1$AoOKYo} zj>5U8-X2REUx%l4@WpoKx!x@p_aQEkJH?snL%>;aD}r%0x|a=SU$%*VDd7z8!dzEe zXpPA^1R6#s&!his*eHH6p&JhGv^o|a#bfU7aljL5;6Y8u$cpp3;kaUYs8Dh9QMgTE zY#Hb(vJvdgjN+zZakZvRWln~hcI0c1ptpe2NAW#T_&yALA8OLYlZt->hxcsq*B2S? z1KVhKD)YPnJe90Ejdq%lO__Q2{9seP2K`O*Gn{X-XDDAP@9o?f6r?WU_%MEp1{O@| zp4VvstDN^}xnu21u{5ByxaxMvJ4DRea1%Vo#6@Kb9x ztw+SpiB9M{=aIa3cpchwx$+2v%{ujk$3OJ74T z6^cXk)E~N1=g#*h-fMsvi!NAejR23^>>ibu8;mz5idUlZXbmy${?SwGk)s{^i0@>N zZAUvaN(^J5z+p__j(5%rfwl&7R|ELde7e=o`J$U|Te2_HPTS5pChl^p@3+!l;h*SY zC37VD^HGO~^{_!qk0UKEzD%Sa}luBSs=u=S6K0sna}h;#;0)( z^;C?B!GkM8g)c%IwTx$?+Q`4!Y_ryNRp;6EZ{}v=R@X>S6+cw7vFmiRFW<59Rb1Jb zZT~j&Ris(@G99}zNpHX0+TYxk>F-Lne=A=kGwMfmtRAlPDRw^O@lgA>nJ?MSx5-#N zNa?5A`H-<*`?r}7d2af1^NrPgNG}Fv8!mMv>{;_(!b$qgJV#cWcp5&!^I68cjb5~De3C}2=MDrekKMx?kc}8|e zWP;8pFQ;4q`=#6ePTjy)dXnVcO7<;>q%Y8Z9k|Cj?s?TuOjqeB_>bm$gRACwCphQ= z2M;0twsJ;}J1#U=e6nI#49>X<3KD=)lX^S*IaP2+Dy8MUlC1~CH4DWyA zU$VWH`LX;;!@_xI!(-^rI{G{6vG)?RmV1(XZ7#*zShmI-^3>Aya%e7#F;$|gl(SaX z_zEbS|78E!#k9Q=HTvrU30aC-w%^6`V$Qar``JoO$Z1F!7afj5BT`; zF~JviZ6s|IeU%SR{*{x7Ys4l$ZUgE1wwFFezn#Q4?o=2@{PFVz_)_Xz)Xo0zdg{pr zmh2r}?Bf|=U%>%*W`Fz$HN=9>M|O>+?@7$rJ;aPUMA!U3#h$;sk?vW(dB*CG@O4ck zcJx*9E9N$jIMHIokK!j#%xE-rRQEi2?ATGa!@DzkfVX-qv7_{(W1+)i#*Qw;uT3oR z^DXFgnQjX{dt~1z3Kc#N9O^2rdLF;pxO&%Bo&Rs?bL$t8E#;&0k@fImc(BQf;mO1p zm$so#%5UHMoA|Ul&X_P2Iky~KX+vk$TxuS_tv!C|2TCu;AK!*9qPf(!OZX<(`(_L^anS;#Sf!675x3630t^dKJ!Tb8$zVdXPxmb@GSp(z>gAPcHJ$)P*ikeU--IX7F*-SN%=j_{RR! z$G^^Ts`&xyQ@%AHvA)TF^9udl&$kT55?iOvWIf*fN1|8B+bn3g#$KPs`eddB7*WkDE0r z@!Lo8-t@3WzQVC`z4jFD0C%z?cf45{XKX2kACCI;jyKll!CSEnI)SIY zr}XmOOV8U4-wn|>@$n#hsYU!8eAu-7Se|s74S)5spfhq@Kj%xpQ#Qh=uYU*iXRx4#v3?t@Rx1exHvqxxr!a z^mx_>v9vxGxJ3EWMw>rL=4%g=?1KL{_*9YfEodBCYuwD(ExU7E{h_ha;cR;|H0wr( zlTHKdO&u=FEgdc~T!HRd%pP6?y=fG1_p`4vR%hB8Ij>%8nC~;s!bzXbi9 zcDCo5i=Mw3{Y?8_+DRvdd*arLlR8bi^&h*-j=9!a%c|TQ=5E0?$LeMOMfv8ptTM8b zTobg~d)0350?MhM`W+JO^>-yWFM2QGef4_T)d(9&FKUg60(4i`MVawjQG`{9IcyU+*6Cv_+x9X7KD?o}%}6ujeeo z*R1badx(ElQBH8wSgU!r{A-rI|Ik?JzntCcvh4hl|Lq;fQRXL>w*FUTKl={n0h8LL z!bRNyCm&vVc*~veun*8(uyv}hqu8$_+q~c?JUjHkpb0@>BU+0aTmf%dB}Dadh6~51mf`3h3vB^!Eb#t$Pibw+d_C7R=~LAAe`u z;>S^+&3DmBZUm>bfj~)-a`*coR z&}{WpewkNT3rTJ_Z@1D!hbve|3hzF+*TOsPyF1M9%75T9+4iwB!THVi5+alneYWvb zfB(u8-|OZYSHj}u@OAa~mJcKAbT6CY`IYB6@&p%AhWGU8lXAB3Tk925){%Cui@Ab# zNj@&S3|)vA_hpWhiLRHeeowX6l5bFE!An+}=;xZbp~ByimgY>ExO_jpF50tV*hYlc ztIZ|;uA7NLPIsgpKsTGS4*g8=$q{_dvhQe*hU^3yzu>T#_kFjOt?`V~Sp=MW!(NM- zjb-(#@YMwJ*tap*Xxz!abYz{u0lzh4ecS`$tM`%Li(agKDkbFEK%U!{7+u6tj8nX` zV6L^)Ci+FW%~{Za+c0uVM$fE&$(7zYg7Z)&UU7S;_+rGFVCqa}dWf@jK8UP41b$56 zTl;P4mqxU98Y-PNVR1a)Q_ozP>POFbvH7Iumr=j`eX?!d!h0?9D6Kzw4z{Qk_J1lS zyAD{-0}f7NxfDBAM!xx^Z%07_1H)4FXDVZ6ZRk7fO7(4{U&YHN zb`l@BS^G6>T*;+^jmp(i$5i&OYTOxlS=EPt<+XO5*^GT3@hrEKPch*)FT1_-BEAVu z%N814(|K2aUu?em`P*8J#^55uJX_#Y($~TJ=YuB;0>UT7JXmLBxxu+w&gC@aLp=BO zvGxn|EFo`+p6ngS))U=)A9A~7H1{L&oX$G6#7%tIEPvP7QS8rSeLBVAEoINroa^x0 zvbO4~LFYT|f$H_ESpR5!RSqsG?(lSAa}#5D$yL<3)tOuh{N@xdyQ%Ye;IajHM4UrQ zmje&MGl{+n)X{MEb=pe3`YJ#VH!C8!Wz*6rPBV>`yQ@FR1d@E5GzbpUO&*bMqJfPJG|>Cb%nBbwK~tsmR#=Ifzt!TmRm z_-d`4_nWXEXs(?F_pe(!ZzYB?x^^CLf_?}t-e*>(mZ1-h#ot;$f3o>6|ZhSLQLh(Rl1wRp?zfitNR15)A?6CB6!j&xQVv$Q8i}sZ?1*euU+8a&QAE*ru(|_ z_!`!m!sAQ9ap7?Z>((^*xoCEeWCwT>#g%6-#O{u5Bpw`bYwYylf73_4U}g6>9$yeD zd=>ipIv=^>Iio)Esl5N6`p7eYm2{(%fYra^*KWd|{VshhDTJ=zU-2gY@|2bcx1n=4 z{7bYx_JOMP+||4jyfX1zdy12UQ{edk_5%yYnd9mP8=u5mgj2#L;nazEOPQm;xwlxn zrT?u9CI2{^F8%;#BAL9U`Y(|!(k&#LT3AO{vW{N=HS6drSx1+#j?M;_LDtdj=mOF= z<{{sHxe6Hpu2sT=6l3#{glAMANyb*+gpZB+$ z!T{E>w)U6LimWT*EC)As&UT}7;=ath`Y-VDen~z1hB%*(qB(J^e)bb=$d|ON#{!9TO>2v-{?1CG&s>t zTg#xiedq$yS^IdvkAlol<39W~#B`MI07v%Gw(z8k{qbIKM0Uj}o@``Jg(u?8Ul41o zeILS?)BjEQa@tXRaUaE(8J&?WwaC*w^j$HnT2EY1fSe&NHJUCN!&;4R&hSRb8P10J z8~Hc5%IfzJm!t2Sh+pSkldjB*`2KlhoM7S32DS$yYrgKf zj`I7hcBAP}`>;8Ywk#9dCcOT(GXMSQj*k0aI837j?$9R?_*nHk{cX#?0t5C6K2^JP}S&pvc{OkO!4|rneC=e+0@nB-rdStb?@629JXW29K%^noKci4Jvoj2A0~b7jf_{CF~{H7 zM4V6tbgSoy?3jtgj@6dUNcX`w!X=F7!HxO3;z>c?KksYVpswM)lJu+uV`2!}hVPpE zQNEbAi<$2LdlS*g$ z$nzkwF8wU($vm#)+kT{@_A_N%%F@w}S!be`ZAv3FYx z)<)mb7^tI`yZy2_1Nj}!MQ(v_)i7tWb8F8_N{04+yTftc05>`F#O)3>s!XzpD=8+f z>~IQKl8=Kcip59{-v*xH&m7l+4VQCk4jAlDYNbppuAEO_WUI7rCE3K4n;psjO#Vn&~I1-#%7;Kfkz0@?8oX?MHL=M_sB zg;jMnvh4lHQQB>T&-bR?%jlma8`%40;!H|-I?pRUi;REdDD3`cX}W56WQ$3cS2Oo~Ex$%@$L{HKFrI&OMpEHCtxIWDay76CnO@V+$kxYdqJW;ik~ zVL#Z6l#}}>yhPmNflOC+)*XE>mETIX9qaLvcyz;dl66jIFhR7>0Ok>wfgE>C!RL$(1IZynuLy5!C0} zq7h|v)n_{9V1Gy zKMh7loHNd8>HP(lYF}$=cpy5sc$wb4yw_sG(z}~?#SrMd5AU)g>)pw_WRBh=XGYdN zUoo;XXCn49^sDv>#^&Gg|1_2ex5BJ>|N%$UGb%>!0X-Y`w&jQm4z%CZ^ouC=$FjGevtAEINmA9QbkdOHNtTnNxq@*+8xaL_;Np@!? zJ~q>rj_tr~kG)hnd-p}!YdVuS4EUA4cei&{=Suk4@!Bgl+qojQ=^jg{on8r*8n zZ?(tzs*d@UPEm<2p>zJ&j6Ax|B=R{G@z#w%Vf+vFAWtq$0_=~o^6`JgK;{3W`kJJD#& z7j7cQrjSRvLaZFq+E9IM!N;#W6UY18A6_nj9&GymtSxTes1N7SATlvVc&i%OqX+x zPr+zxy4+u!&V2>*;g`We{J`nRLuj+Jl5tZ<5ZHSW&qzLwoLCG4P$Vt#)}J~wpB z+2&orfkvaw8r!?#Sef|_`Pl2-bx_|cj{W|Yz5~|}`F;!a78v~#9FDvO=Kz1hl*p9D z4ws|B=#$^z9AuC-wZZ7;;`jOdcJg}~zx(j}LVm~b`+^4b$>`UQ-+dc`&;onN8b84H zx(A<O1rI zJl_k9@>w^M(X{tx#Q5{X#Y#%@`I!GIT z;QvKiFTy5MN(|$iTIN+TWl_Co1!F0*^&+>UbAoId53qLVgg@(j894XQWll_JoJ~$Y zzYjc@-|)8t$+0}%Z{lBkxEB6u#T#%wG}eNkBZGAD1@Vw9#x@k&%}R7W#i_M% zz9{`3=jQwf(>KpqrOTNQ$zRFZqcLLiNiipG?r_Sy$-_ zeh#lweEc_oM{~)s_|}&^HShw-%I4s)-@m$>@9+WH?lf;xiI<5x&GN@TwDWEvD5k4KeZgbsBe3jMCk*s-uv zUAMfb6T8l?{n!9bLq89qFS*@Dqv9Fkc@|)oOHVKw)37n58^cSNQ&zf$&OjI{-#@k` z{f;|GKk=Ih4&VNRH$i%c;%Wr9a`_@_LWS~an!kx-8nYo(sB;(Ev3FF0SE}QhL-d(C zmI9Mc(Wip8o-H1{3fSm(J7;~B!H1)<{wnt#{v>z{>$|T%Z&du}HtMMaCP8GYc=b|X zwiH~CZELaJR*<+=wIy4r%9g4uyd%hbif1mxX4Jdv{1cS@j>s|KJ z6O^5)vd~%({1Go+3V-TdcG?Nbo~N?VWDxyVe0nK*Oz*PePf+%oDhu8P(Yr-+OVPP{ zmp$bKWiwP(@*166^td$h*s{qdC_7kXM^iSFvZIZz;u-#~xvT*z1EkF$EkN4E{;qE+ zZ5C-4lZI`k_)_Agl~zdFrKDkxS$g@g?RNdZ!lmBx`zh&_mr?d|%3@PkN_=(i@$NrC z*>_cTE@g>#uVLM{wCLEfZ=ay-?^O0`$`(|AG+^(4wdqlZ5|#p;XQNg*8L{4!7HuN zvgohDxj}}3zLgM~>`pLpqk9=M_$E7~&e&-q7EbTtsb*S+>v!q=-+lT++kbQBm3eJn zEb}aGn!5Gkd9M%n_NqgDzFfQV&6mQdv(Ha&UiJJ#KiIVQy2B0UY`NmpJ4W?uy=dgO z#{FgP>91@)SU3LK_u?1c_2X+_T=MCnN#`8A_=&Q@ftRcb_Ic!~KUSm<|83iq?j0|E zsyyfZsC9+%jqP0fmGX8>7+IwJyUO2dP?_}W&Ks+8r7!1wsj|0@x-(Jb4U~!4zp42% zGiEHh{^ms)d5f0b{M{wd@7gp+}W#5HkOdy6+=daE}fjD61N<8N@rb7wp6 zncUMpjsJbW_0F!ndons{UPIMu-r0SI`x`d89-H*|ph*p*(P`UBtL=AggP*cbq@B|+ zW@ui+^w+(!Hx9}%b>98Eyf?Ist(d&~n-!BYs3Z7>_lC!lbIHejjF}aa_nulYc`Ehn zc+;EEmQ231ipgs0-9Z(T|CU%WIgWeCH-?+Aw{WH=)jzdP}7Py#EpDPbodWq1|;xZWjKbwx5vpGo>+(UsLx^ z)jh2td$GT>Z5`hp(YL&Y_80qfweQVd-L^M-)&A? z?L_{b3|?Q89$B~aN8W@@fAOB7?@E_ktLVcT@mynEwC*2LcP+6%p-tU&UwoaJHh!JH z(Qd{Q$F{+l6TSz?w*~sG-Oye3gB7f!&{Gsos=FvX&|y1#BzhO6AALdgL8G?2%*T|e zMem80IRdTsF5?2$%i&Q^JMa^7ZvQ59lYNYfb-j6}!4ya0fgouM=`%P#E>uIG^F99$ zb?*WfRhd8jpK}IuhT$^GP0<3RltJxksjaR9m?4(AYGv)kTNjYh%!DcVpV!P|HOu&1k#remBrckjgYmAdUa~bIuHmgqQv9_y7IAe!e`fGd$qM3D=>1_INFNt<4G#3@@t!hTpg+Irse58@f8G!3&nlxo{R913 z*Hh*z@K#`4RM}JaNa@et>CdX5{%rO4hq}H2Kbp`L=T-ES5&Rb&zOKBd?!nY!ewTXu z^Cfd7YtE`)_LQ@cC+D3m*5ZtNExf_Gbz=9NI*opBaawI9Zv@i~b{S%8G$lhfhqR8a zHlDAwj&m8`hSsmpe-+PO`k2DsX4a7PgE_axJz}zlH7Q+L+B{g9y`q%1g!VQ4E^E)x zE|VTxx{mveR~-0?bzQWljyfLc=NRu^ZM7M=N^CJ?v_%a8&tuz4si(Cov*Wo(tl*)l z$3C~mip~#hQ@73s!1+%zNh17&FoLPu0qAVXa(y5 z*4j-gthW8H^}sDh>SJv^E2s3GmseLGnMXY@=QJE?&WtU;bmze%e=cPmN?LPfba^em zn;2Jf=791)^1G;z-?X=%yr1y>Q_??68KCpA5%9OKM`#_5<>Y(VYRmkq^-g^pz+oC~ zR&ft=-O5v!C$?Uil;2KyM?QW2b5HpnNqOuFMGt{9w69Xm+8+}%p6`UV`I$b ztz9;eJ6XJs0(%XeLvSnW^)6d+@xv2}i&yfL@DxwLKlMc8{Z^Yfr0$(2@(yDhLhDVd zVrp6n)sB5XRZo0F`kwp1HQE;b72l8Fyj6TyuUtvrimbMUulQk%O(=?fBymUcynftc z9GPBI`j;+SD^Cc0Xm-ZeBnzJN_td`{^!W*GNm>?v;|uYJ4H;_rzE!a`(q}VrrS)aC zW2(~hPIF0Ijp$E-e(wKU(ZrUL@bN_hS5GJ!SjOX=(B)M-T3=K2LV!E^If_G}3PN z?~^IOp$qy6)VH)(ee0 z6VFpTE}r!~l{{;C;0;aiB4}!&@cu67CD8s)dbj_qbw+wt&)Ush>;FWaCf3Ml&q`Xn zXDfAMkK3$ZYdBv|8|3*jX`-Vi^Y;U+cT@fQf=T4r!Z-O_)b?o^Z&Wot~$ojC-E`Fjq&JV#aoPH^bthSU5J$z-R z2^-Bf#<`rwTa5h*Z0ehvLL)9x;Y;}5d#+5yzQCGaAw4M~;-dM`nxs#Xbk_3@Z1P3n z5w<}7@siG3UG68VizXd>k^GlRy4Xaq?JMy;>7yl`HMT;!BcUgKgru{6cCaTO8|%w>&mq!##|=J6TD?E- z$K82}$4mM>)LZSZw+edvm^ArY>V2&{Z>;A-(%+p-ANGfr*Uhxr64CLq;0^mrY~=!z z5FIWtp00TKNi@$8t)r#OHhxr&ZASm(DP-(jk7l9rRT8E7qWCioN+eF0?)8R zJFOq|b zpW_(cx{!B-04`_o~O2TNg$2-mIZ!O-+h7K)c24LpAYt`3T@;6h;2{c za_Ib%;nIxHLOn1`DM4>3xujg+(`>SpYrtBE)7NSboHj)naC%POz{x9bKb&5S8sGYI z)X8xA6KSs+X|1pE4u;cqzWptb=7-ZR()Ji>I-D87#6yC?%rT~XuvY0x0PEBhY=9;Qpmn@gf}SSX|y zvA$D&Z1vNp5ntlX-=P<=cPhN$W@L!I2YfO7Zz%iZ;Iq)L@T>YX9p5jj+ZIwDO}fZc ziBr{7Tr{Dn7~K<{rwQGs2_2{jU8t$}5uQ~%r97*7%6ObSYbJCp=5E0t9U&jS5zJ>C z_gHN!&<$iAD0-8P_Ik_I2G)ip5!Q>kd655n($N+4jlLh_Eqj0Pxs&?-iF~K;aVGdV z`m%!Ftdtbe@hJga%ic$_?ICL}IVIwa21Cd&`o{=3vozdzs&v+*R^ zjlIrE=*_9vmj9H--Z0O;?H84&h#n6<8|OF@J;{H8zuB3G%!_nhA@?S)g$F3qVdRt8 zE{WLSJqrIy|yo^3*&5-yhDoS?Hk^nR`XDTCS#u%*Owmza@|CJ&3;H z7>?e&PbnYbr>Df^kfr<1BW4z5hjPBJWm#nT5YElp)4A)N^NRcZ<>j7RSzkyS^G!pY z@=fYBlP^$r3NpNud22FVSl&!MA|t4em{;K7FmMnUtp!HnQ&9(Rm3`&8z)1E}#BLan zKi@L%!FW+O-+ECpWw#0Z*N4rRM;lUiz^CdS>a2JixsYtc{*!hjO-VA^5Wj_hjZaU!5Dn+w@hi&~K_5vQFk2!w5Y96qjOF8*l_&7SCvg^!klGBf!me;?<2=_F)!h#Hk^O1vbC@($XYJ3_M; zk?&9E1@pJ0r5lE_F9YmlUq)gS4q7MsH6csC<99OOGUq|(nRb2sAi6<6mG!l>gYSs= zhe_L)(zc{Yf9H1hH^DPn`pbMKR&a)lGcZltL(4a0s>EYZ_husJXZ(XbMfUq7U38C4 z*m=aZ6vDS9|3r6WuX6v-tQS?8OnU=svd`pfKk4;p))|(ccG;>-A50j=dc%axOs|Kr zD4fsG@UPk5KendnxuS^&Xa|^&5&LalZM9sbcFdwZbi6V9Z?xW7WeVwTuYvZe;CE6^ zJrBAs;+*h}){BhwjI4P>%Qe!QO2TTIN-R8Pp8h=jctUwXcuYK64f^)FBKEXhz-2?+ z*S7bmOMaUfZ)@gg>XO(77nFaxeRTPOlF>R}6`B4SdXV_FgR32vtHwGw^Lmj-7wBa~ z7NNVWt74D&3dX3MFwS6$&1_;X9G^GKdS^22tqr1sF}?CQvRT8DC%_-;>1S{L7`*2A zJXjP=ACU2h$~WT+|G$t-}{AK)d~WoK2sE-6?!s_IO`UFxG}9e_Am@=xCLM=W#oS5o0)%!joUs~<-D%Od14diiIwtU@HNr9C2k`zVvt3##EUcH%w8bv zpPz@#a@Xkt?)I!q?IOeQ)_=86g6_QY0vudwlzdlY3|>s;>lxeK|O)4D0c9$e0Bsk_O})AC%Hy^uPj|4(HowMCj*Q=}>ESBOszcSk}iVUn*u zILv#|FvZ@251pPy>=h$TwR6rv|DA)M(Q|qq8);`0b2q=^h^@f?J5fn!LrPI z`F0%od=F-SZ===1>_q2pv1F2j6*Ad&T)IEsb-+ZmO@x9^PJZDg; zU+R{6Ume2P8NpxuOs)7Vi+&Y{eie)F(GbrcSZmK?zv38o6k4dKnL2+$o$_1sm(6?n zx&M4Ada%FzK4>+#j%Q2ewo5&yyX)~cCM71iJt?Q zx~c=6)q(EnSTR9WiY5wt!Uib%xr@GHVP{~!uvBN*1^3NAbJR{d{_{qAMD)n)%gPeu z?1k8{x!c-msn+bNtQ9QWuV+`IJ(E=Ra0a+tN{n6umyNjk7Xkm9%*0GL5@j8Ry5~aUFP!-d?ld`zek4 z#0I9@0b)I`lQ-wH2P?MFk7aR=iblQ_(T?yf*`KbY4`I|F;8$`NlfWdvvwFv@wF868 z?lkCFc%az!tAprS_MHOsTy@e|64Q<>4<1LX=Xdlin3j9z|BU>rH)hy-#*SZ`pN>nP z4YNN=c^Us}jK7NUS26xl4c|}y7$k3whMy|;w(Gz9@mqXEB^@6@d{B(v_%Y&B(oN5@ zhaQNrD{U{kLy1ZB?{|OjWa!rZf6u=>{=e?LX#9vpw)3wR z@K5?AIB1vOb*zmPtw#3OlSo^Qd=;Fu+)ms|KmIA9MH2&i>Sx*yKU4h{^rlnQABbIy zPr*84j<@P^X$m-aO59JKY~X&*X>dO^Od)$A6yg$Hw+Udr9`Y?_9&l>lE!DUtdChqHFNld%+q;bT0o}_Pm;=Vus z2=cEUHo0%yA0BRhjPgIg{l)n9E;a5UrhiQOAFyj@&rvjTQeK{in#Y>JR&Cr|VB& zykH~tdQ0kLxA|>Ht;j-=ef9{=iyVAHWMCZkFJ^y};k2ZNxO4Cu5PuP5+Ag{8Y-&Ib zrb|pkL+;#B055n4JQ7~;j#4Y}#otFZ>9VgoAM{VY9{wNad5XLu_eB0(bC0sFP}2^Z zsDHutS2YG?-c_VmYthbS366?bHF}rGJi{Jjv^||VE2-zK>7FrP#`r{cl{>d(yt>TW zs_HtdF7w!b6CGA$SdPeieGJ4f>h3?W+8BEhebe!lJvY%`d*`>4KX=$*iX#Dw_*~sE-yt?L@rNW1n~inZ0AlHy%87HV?=zS3R-wOo-r~1lh7Ozh z%w8JeULfpb@HtP5# zvLnv(;@#jExK+dS~At~VylVg?{6B3 zpTgZZ(vL8{$=%AYZBv(qrIRPHCi3G`9r)C}Ci3G{6?F%%ZJhKc7^nIwQ%RZDl*#Vk zasj+*84>P&kUB2KX5I2W{?XvoPH0$UNHOipnamb+#R2qP-`AwyGWR)=|BZc3%AR&# zlkY0~nltq=%9`pYtiNY4-@?DA6DKRATzKaH29KIdAI^qHT|vH6@u>5FYhOI-T*0B! z@Tl{t^M8v+g?IPg;5WyXos3Vtd6Yu_)A6VSl>dL3N6B3NahY+S#wmS5GsE`YMBMZi z_(&iwy69s~+fDEY6Kksw*0g5MVD@L-+z)vf>UqtS(B8FQ;!{nisWSbD=Zcypla(i& zCjxt_*jUBZYN_e+Dji3u>-@iAGfq;*yo|m0estI0@EEZU278*YYhkA!(>Ye@cyO3n z{x$jU<}J1_v6Xxv-xG=HNZI48w}+|)f0(Zo{6WtDHD9Q7ye;3)#pemya+l0*-zPQ* z>=D(bnD$imKSW+_*)zpmOS)bLpL^K{sV1-fH*0j+b1{?myAeu92fpzqe>dcjcGM0Db=1y&NO&9lV+_^OKm4tvy+E0Lv?=uk>T2GuG2S26 z6-`~~)YXB#A^@*-)b~v^XPB^8x0HmIw{BO?7Et;tYd6{@`?HCVU>4 z1f>Pw*Bj;nr(+NHz>tl4j`b#Pk>hV25$L0L3 zIc+0yL}ZlMq{OG^0^TBD7WmUe-*4lrOX;GADq4{(az01&iebdz$XkJKzd||ez#nuz zzNJYIPpYw#rlMQOon7-d=l4{GBelz*aPIS;+Be`GmYGSR5o}j#eILZH>7Sq-=kg@!U zvu!#agO7eVw3J-0;Bw#fJ*Ll* z5o2v1^&Q2|t+W~Uq%?th;)nMzd8$k|v~Pyqe+8c?=I?6L9FBJ4H>El{s!DEXm$rmY ziLIo{bYuHE_{IHtzMF#b-PoP4NY8g&yYQmLdcNy}@?F=RPxiA^_8y9g*G?!Zer&=5 z@;2>)?xC|k(wDjX-O|YX`uozf$Dm>93$Uqa`Uk#O^yNCqw?8P~$36L^&rPp7IBmGV>k2BnzNf6-k4;8DE|q-VpnT8uGH`r}G<=vnz6kRTukpCmxDG_lZQujdGvJ zG?kxtfcv;7M%liuZL-z#B;xbhIznPQMz^($eJTMxGOQ(@*uZ}|-siWRLCWPVk9^VR zw-&x-{rpIu-*N^kmz$S#_4%zuzP)scatYMA{mZ_~@vZv4uo-=gfiqT@x4dlWyPSO6 za*A?8sWUFD?{a**i#b?v@e$h#z)^m0s12L3AAMh!+vuILPuq2=@O=$=tnw%|tOv>` zzk#2D#2A4;y^H+Zs73D*U0>)|{8M%M<=Y06$TiZt`GG^{2eI&jCuy@$m(Ajz7412^ z7QWB^t<)JPC+mg)&(_mRPF-Ia^}SY1Y*OL?HX#FKEfI?>dzkc=lpvhsoLVr=i`>bV zJjnEJT12h|^2`$&vvTH2@*pd_^B_k9d1MWt<2HG7$k+7KDBHq6gw5DMe>Lonmvpc< z&H7>F*T_lUN3XpWJf4nC^&0j@4E;T@7uFyf_n!s=cOv&p`e1$hw2v$a>ArW)D` z+JC){KICK54CLR^EB}J3CR_Sv_(<|r;Dd{U>h|=?t3B0ZYyO0DA)Aitc^3xdeX3X9 zjlXNMt>7GO=IvkTdFKS>UDqpb#&4T!$@}O-#t}X5H9>h-_sYBPi6-0DCj6LZ$(okC zaD(zL@0GXsH%+$rALA3b&Zu{6P~K&|@(%lTlTG~>V|(^Xz1~qld2@Q@-S&8sZ3Ab6 zN^T09A$>>=%KP(Pc^CW&`2GVpJZ{nJm9rgzxtQ52ueJ{OerUCA#}`HFwFc$As#o5P z6~LGCFs62+-lt=uY#-du9u;#Puw}o^-^Z8y@Gk1`Q5kOAxOBHR+2J@#Gz~8MKnZCWZtB-C#1u;%Aq}r9A!WCj`ZrW6(Ucj))1Ukayki@t zke+T*%kI={Wp~i;3rvw^m9(){RU6(?BN}ifY4}!&D?6eLEZd_*m93(UdevN(VbaRp zRbtAVinVNw5?=O+5?a=(SjwW*sD=+1+fr>n*&Awn*#)ZB@Jq$kP^`o>e4<(#QcR{Y z?kI0~30Uk_Z4DW~xCWRk0uHNHOT#sM9-L^-SiUE(BD=y)k%sYd3Chwbh-@^M5-nQbso^pQAEZ*wbz~31~ z+dZ53du7oZo;Ub=Z_!@Q4*pIieLsIcQ?$eL8GkS2-S5$m3fs0Fp5eS_@}9ywqi%=i zR^BUlKf?QB(x2s>%-=hBKg0Vo-V1q~9}Tat^JMen@vPyg;n~e|h{v2!@0psh)06FJ z@Hid2Jfkw+^o(}A<$1xe+q1;6$72Q-VWU*Wt1(`aTWljrh@-}QUWQwHw*Qi_QJL7n};59jy!{4PS5-t?KaWZTeN7Keu1zog&ntZTzhOm2*L>+Z%khVEbd zNXVe+Yibnw5>nA`=V9lrjH`N@NPBA6QvFCT%$#JM6Vylw_oCCyXL>{Z`=vK90V`C z;FU&x+mlMgn%|i#hSQJv5$5UOX~PBNy_meMPGx_bI%pLsB<9E0gPQ310pL8&` z492$mcl75;bHyRvGkMqW&ZABTV|{w)d5d?e13ZV+fgalQ)X|@njEOqHw@7d^s)0S; z208x~!k%5YS?Mr8t+|z=6%)dS8aDj@6THjt;~noQz&OL<$2;DS@b|@}Kg&CrzjyF{ zhWBT@7xF$M-faW#wt;tb;9VVfw++0j1Mlj!l*6}s%>KFdtv zu2wn52kuyrIQ;E?yLu}6g80;XIiFc|sj~S7&I5=|HqjK{#+iZHMof=*Y%9^8Z*M@) zxI|(mogCA_YF1|N!q26zm<|^qZ{&WKdx;^Ch`oLVw((Ql&tgHhlKWZegYIX!kh4b) zIg3E-1AOcB`&q=_=v&tI=kuP2&vjfM_q5z6;~_Q>XE0+7|NLmr!#C0YQGN8EKAo!n zImD!>4`a`swo;Qg=dR!7Ol%pcpLjqssDCHlC05191C`nw;=k7W@1(iUKj!p4#yp2u zx)OWI&Ns6^madFNC6?}yd-3NGe@_3H@8=wd<{xW(ud&K`f#80Pr(fdND|31|zs0{; zeqYLO@qt>W`;kR^F63|7SCKu3!71EnfG_C#Jezsyn9Hrik=e+56YnEK87ucn%bw1- zgs%0~!>8EI4Alor?41x&htkJt*N zPSMxfW3hQ)C#&c0dTbV3X{U%sVjpd1?1EpVl&Qx@pwti3EbvtJOul2h0%LqX^m~6E z^uu^VA21HYD_+eviC4_tjehTs#4G*{?bHRq_#t2{Xa94#ms;9+&kt{jT`copW}g5b z2HlS~7~cPNF21nDrJ2C}4tfk@a5W46C0AiT;4>ueYTBOPUm2j=wut*t%h;>9?^ zLlU>g3S6d|936{@$1kzQGLn^Yi8m&`SjF^F)+JfQ*vcYLt7%A@#Q$=}D+474*eLqx zOy2cG)dGoyZ)Kg6h<#9ed*sgMXph7r8_GNcsubaT5-mrF3@2OxdG$gQI9n_a(a7NDQ{Te)UKvOR24er|mL47+qgn9U`>vG~> zr**P+o`gSS>Z+%nz#ri7Fk*Db9;fV8NxUReisjCE)V&dZzME5xvsOO#PKCb+y;iH- zeNl;vo+0*2 z`iK4UlyT8T4)w$lw(PP*S$+_Ma}jnk;XlH6v7@F5ACkY_Ji;GRxo@t8G`;`C-`*)U zq)hSU6x}$4yJkZ1W$nj0yg&9Nv-`w$r5xYFv<_2fTBj)_O?(Ukd)tLWm8IV-FRUB| z56v>gTkSj=@%zu?F>oOonnvCsf2*~GX=ZhBUeRcHEZ<9aU*Xdt@x}X`6|&7y}=9FFe-y3H2?&CfdZFiP%XvACV?8$-d+7eJQH@&g<~IH^n$( zc;vp4^Gxy64BNQir}!cc*7M&=KDig9YZx)r6>~#1d7BxJ;Rhi57DGM9;D5(VLp+nN z=~^%Ma!7kphtzikY0cO{ejOF-%m4?^^W&k!b2$Lb2gcom{aPz1sN`=eaIhBbN!5Af zSa9u2c;$EC_H3E6<&MguOBDCr@n*&*XIP9r824!7=L$?dqwXtIWnFMz-cZ8Q%UmYVYd;?}{ z_=fK9{X+j1?ww}g8}_|$>|Ql|ll_K4B}zGa0o~;*NuL%$>{35{3(U6BN6s&EA4{YM zU2pR!d@UkYIohR9i^(s2YUC|>k>Q80<~*<5wb6O+xwG!ya|LrLGDdJi&K<>iHpO+V zmwgk-|DmE>ewhB?JK*`8?=mM66Zd)WK+^O%0uIyFaHkzOm}zUzWe&HD+pI=;>w!fU zu#mrVRI`^lNssW>1BWc&@Yck1J#RJN1P8%G2S-` z(!XKMrS#9uxUY_gb$-EJBhwlGTJbkgBlYoPN1z|Z_~lIVi~jL@q1CC-nBbwrUu!ds z^oUQ(C^go3dsMjdV=cUGft7o9qGO$jrtmh6-*T_cV|-tW|3r-zzU%g=Nay0HDCZv9 z`z3IYJ6sN_VP!VWS{9{6dDhaF_@k_e8bIF?Jzw(NNUY+uS32BpBe%8;RQA@;zuok& zMzwh#1zvBV1Iyp6550$g3APjOqrmGebg;+L)7^*kypdk&qD++cQQ-9!vCX8+d&Nq* z)Fb6yVEkW@_89P50~{IWVQF7r_AB6Z2w44+e(!yRyJsl#HhEv7%?K^gC;7M|=cvpbqPqAN-bhK-BrO2j|)8E_H4!;k`rf-l_-yxrl zvqltu1HJ)Z3E-S7|3~M;eSJ+8SxoE_5EsZOzVn&?Z?Ve;fYzMSmau4kX$qB zko(7%AUje`2_w%RA#1}}>%84|WLe+!wxAyh|JP+&iB?{V-$3SL9j?GOYT+#DR(F%2M95wv?RvipaWTcyo-VT(%G17KoMpFn2s` z*5#Z5E0N_zq%}jcMUin%*^|uY@9(htqoc=&{FME2sROuoL?hb*b-|m`dSp_xhdnF3 zZkYp#(<}2K^#jk7@)eU$+S>=OmNt#=BI5@m|A z@>~N>NAcK9R-Mn?p+$Iwe+&IZaK82$cw7{Zq{-f~@Z7`DAht(uIBWK+;dN0wU%;a; zfWAIQCJ2qLfkwm81+RwRMe+!33(qt2yh$FRaj8T2cR1@a;d_zLxb$%WeBTGW*z4ac zeXpU+V&?za+{NuSo;=oTOSCAxpNF7tksaI})+S|N%)Ov}1N1Ri=l`f`i$^k`e;el?~v#fYWzF>&UP5hF2^`=RUm zafdH!^%i_yBZKOZ^{wzkspqfMQ+=-0wmR8r8w?Ex(r=bC3tvUpc3u=|BmTxx`+%pO zkbdPn8|7|>2b7MDw8 zkb3IA@47s5hs9RMSrj=N`Z{O-MSdM2zv1(1oL!W&Kt1PxeD3d%Nu9T8tRqdVBSTn6 zhU#Y`V}NDgoSLj5ON-IN@uv+P>ZlEQJ7A}gHGuH67=6FIw-3a3v?cuy#LqEP_VMM8 zj#$cPajt6p_g$O2GL*ynp;OLh>M?>u|NjnHT1tm4|@gX5Q*b5>AjmWv72x{tp$1YP^MBoX`*s?Jnw4ejD0wG&EU423}tUJcXfS@ z?d1_2uA-awj6?3@(Box?cddUDT$cW@-aM>fr`Bx|nq^lWKG@;trxugNIU1j$$9S^Q z!_XtM@9_H+b^Ta5oJC9y3wzpj?yH%UtQ<}u&i5jG+^y;O&LAf?GS`bTlya*Y?<`cq z+EUJ+rfm`;y|Fd9+=qg|&rK=Rxr?F_1>Rwccy|$hZ~^_5Z*rcu_25IgT|~xmJ7f5QwjB6&ExOJXO^|p*Z0NS}z%I^{WSaDz*icHTqXiq(>P0#2WqCR6 z_%j}!3Lgnerp%($_7?C+&KVtK{@a-oX>TKIy6-46hgey?>r5}+p!kFx1QkO#YZ#kcKYUAv}oKK=0nz(*fa)U zBgytIN*kvF7i77fKWCAgxA|ebv|yeu_*WQ2KjGlrD^&0Zi;;jnaD^ZLboOVfQ=utz0W&&6k3R4h&Vu1veXXX;u2eB_Cqk3L^XC;?YvvV)@mP4wJpFn4@r3e(@R(}mB@|7ZSFG||shI~) zND6;=LdYOT?L8U&*sG9zgG5j6Qf%1Qs~vYE9~VARTx;+X`4;0Dh@V+1^qTXS#<@D) zWm;_<@XIO7kbADjNdEbHT?YT@M}D!Lj;ueCu==}SE^EA=*ce*?^9 ze|8_b>rwDu;MWYT)^kSimh00ydipDSKrx@&8z7$zGM5 zk&-h_@PdY^$o`z+id)Le)BZJKK76_fnwPjFN#M84&pgtKc<1~Am`vAde zWlIjR-Yv=}?|@qa!_*kB_*c$VEp29GCVd?%eal^Ry?YU{>|{)vxyMENd5|%F4qbTR zQ4u+}j}v+@!=r9wp9cG4wl!yz&ZFi+D+k%r5*}4=RW6h9CE=SZ{#y?NzmfI8hxC#B zefN_YwPVX7gzukhJ!Qe^k13jWbe=%u| z(90zF@&fpq)ECW|QsJ4R2f2|A+36~Gyqi5q=q$3IBer1Sl>t5(IO`_-ZW4RwP4NFo z{R@t8ABFCZzKH&%eqB%@eRSiGE`2{V_;2#N( zih)OouHT=zDT2;(ka3BMxlLr?(Q75{$hK;A3I6u}-={h^CGxAVy-=R{xYr!4hyN7QRmcnh99kx`2uabC9I7J2IZaBu*Jt<(b!r`7SE zM}0-awY-OZO{Jb{S*J}@mS*8EB0R_}JP2B=@83RFa3B0+?7$`7QZN z!T&mcKH;&iknf%+wc1OJK3-f$KCv@QL&i%V&1&p4IS;XmHH`H081)*Ltz_=WL{ZoF&j@0`CRn4VDWlws)=1r7eL`D*JI> z+5Z7HdAwyjL;Q7A!&jvac*z)jEc)6sk!#MGE8tfRtdfvHNBwbZg4cq*Wy^!~UGmNo zxdP6L?kRoDrEda1__0$}wOx0TPsWA7j)_H{1;)9Ny)l7p99@@ZP;i(4^is_|{wWO}XFr7j};E zzVJs=ekQ-}K-Uoc<2jUHu}2Kzk+q<-1N}X}%Vu4L9h}C}mCb<6K z^+8Nu^*?}qU3GT#!?$()J-Gg0{XMd;`tPOwO=nksaZvyJ($BtP?gT!%ezv*mWc`dd z%esC>Y;|2fBSw2~{S126;huB~_kZBeZl{QVE9+}g8xf?_`l_c|DGShf1@A%g7^II z#{283SMXc(ZM&{>E5yWhoFEr54$!^PtK2tJuNl7trjW8HWNt0^=l1B{Ka8hkR`8eO ze8k6^sjVLV9jnVYO}EQQJm~wCxLwuD#jX?YT)`tcgPcP+hQ83H4Qit=$hw|bTSDsr zo0ZV>v!@u3<4ohhHfH~YF`leW&Xo5t9;x4Riu$LVseaB$*opNg@Zzq&KI;#b{T8*T zqP1)Pk*WA%e}c~4f}Sn*AJGSpv9niy<)|PIz~MS%-og=vZEu_SzT8E8Blsr!^oPYp zG)66X;;AXh;f0h*8Sb|M5{qEvGQ$RVn0pLFPY%`@<_%NI=W8LzLy4tn_KaK18YaPz z4|iu+#s}vW9iz*n>V7BUV^X!sQB%$N6pLf(cqIvaowN8YBQ!U>6(9ag&Vv}fGhN#i z%77~+$et1D?l6D;7L(G^>Q&qz8u>HuwINOnZJhSLmhJua{`o5QbAROMaG7Gg+kwgU zbB(cXWUL_%6wRC^FfoO+NsN*G=NRAi0k4&OyP9tu>_6^c{qD=;ersUdlBtx-`cV8- zg$^XX!`6MKa&0*A6FKAiHRpTf4te7&ubk;6cA|;ci6+kTnmE^MB6gyQ*oh`$Cz^=YonI5E0(KU(DkTx>jG47h&+s7d<2iRGU%)yc@>{`CmH zRGqXf>yg#{mCITwn?%{<6>51W`(#3MU*gLr_T_~!et5}!at|7Kv(S$>UEBMe_I%sd z)bZe#`9}n21*QsZsI(#Hh$R+k9qo)aB{-KwIw~$@El`L}GR2=)^nN@0pi8X$n!Av zv?y$4MXX16qCeccjdNS=U1PSe-jy;N$M%#F+qT$*rHtk;Blo`DKpD9kuB9@)_Ul)T z^;-*bB|2Cz4Cb*GYaKb+-FE4fZb^@m@%CEVa;6nu^za6OnfMX4jtq56xuz)YGl*vm zmx&DqIxoJo^a)wZNo+ps0Go@5Qz7^j#XPmJ&nA3w2>uOR6cAtNx7P;NJ~`NH1(tT6 ze`oDe$ePT7jkXY5Z51|GSu;sJIoNBlOR+vX^V&!1NTTec^y^GCo`No44UK;d{dKYK zNoQ>?{>3dO1)SB0o!3LF>VAV(k3!dS7GGlPb+DFcDuGtdBF<@33FiSzI2&gwn)p|_ zTZlG{eOmEv9qiduho25-?OLGKYH*?zo)?DwKS+);a{iN7`XT-Ng+D74bB?kR2)5nBg-WllkJLdF3*6}+1 z2DKNU-y+uXLchcSuK1DAZ;GFO$!pN>kRbZycQE~uhdYj)x&C$h>FIY!5B;uEYeVDH zJI;qDd*(&_rz9?6tmgyP4)j;2-@d+27W#yyTT0SvWlp|*S>G#4)9Ev4jCDGFW>243-?@5 zea!Zjo;eFyRWwt4XoQA!`Yk!xc9Dba;voI|x9OL;(CHW3MK}FYPmXT8I7|Aajvo5$ zv0Vgo7SUHs%v0eg-~eAY?epWO;Nse%nF-*mtntJ~lY5b}Hw?Y!AbL-k5>_@BeMj)F z3|(igU)M1;8Rdg@ok^;4I1Cui=1fCC*V+CrBVTcluJgx5XV!I2zI0jjo@VJk|IXJ@#|X2V|m)r6}c}T%zoKhCJqrmAxG)*vs)LdW8Ij9wNRw z(fVD&-{ok z*P(}PE_tU17EeFU9ZA5V3pnI3ubcK7--ItsUT?tR8b2I@bw4Y*p*tnr-JtY$X3%%h zD-VDxi}+na|69-(iJ8=K=l5OfgUg*spBCH{ojP$Sx-I<))~UC@Y4j}^&-&7-OLiIg zg7Iu<_goq_IniHx>(mSVcqZ`dty2f<(;r`?92UQ~YKNm8{{K=H`m1GVdWRXiw{9l| zpBDbj4@Y81g={i-{`MV4+Az|d-eAD?+gt+k2sk*yh4Yw)`7#Ug3wcB?&kHU-p~E$T3--({ac=3qYgBEaKKulB%rWlhmc z*5@&nr1XwJK6FTZu4JATP$tD^5Je2)hiL)l> zx+J!mv7R^Y%3&RENp{$av3DZt^mUIr#bmD~eb8N9>pdx%_OukmUMjqV`i{Y0WUWt( zMb`S0X)_akm_Z)`J|o5+Looh{e@{=0?r2XgV=mIyv0C}9@*BIptZ5hWTkyqz$2R{y z*vatdk1t9;-H%1{+^lHjwMmRx`;i=mXYap*=w;D zm}jM`%J`9?%6MymZI-!U(5$op{B2RjPm^yE%J?kOvq>KrtBg+_tc*`PM;RZOtMRP4 zCYci2ve^5`p}y73aTs&mguF52im|Rbn4;RJ5+iyg<8MYzh%H5)-tov+V{0;VXJ9h> zz52R)D>0l`a98aLu|FAca}~Z{{YT?o-{8I77}6#7p7K+f0g`2VU80$ao}P-MQO^3jg*sqzt%^LVq~Nq zn>fcGmpF%WQ4*6lCsOvxepl-nG!?R6m_c>|5!R#JN_s68l;u_O+_w zqNUVW?l9u43v6$0?TQz=4#=cu_*>dLoA}p#wP(Sedb;+qdbPLO-`@XZ{NDhd%4PpU z;NX^h5d3G7_-!EuuqBtXLIoji?k24ZdihW9M-Pq{eOmlA|KH&6{#(xue?KJO zsqlCEFZ#yczmR@9{C%A||2OdW`R=|O_`9BdoeqDi$bUNgT}Ao-SMc{gjR$?!_)F~P z{|o+mDRXr;F@){iI3Q>3Pv*bTr@-HcGvIFwb^dSQ@9|p#v}fS&fuElqf4?IC>G1b` z%KyKDzo%QT$el@|3&}l6O3=DRSz%)R5>lgVEz@;Q6+J1S8}*ip!McE~7c;i7cD<`7 zj()IAnemySuYP-j%9`BpZ~af!K#z3KtKej;=PBCmQ(yJ3fgU7(Uu&Rp%JrqE{%W6E z{y1Yf-8yKs55Fw*f-|n$ngu3_X*YKFSPA_bsd|S3#AL_qv+dmPsXkO-*QjJBL8ph$tdMc3O&!Tlh<}# zB_`JT7I()iv8PzEZG)^!YDtl3hs{NqETADNhKY8}vUU?E7 zE=BA=@pHMXj0%&(lKno9h7lWv#UNS-cJD09zU z21}x_?c2yVfcyiQ|7iRmOy#B+WwYbFx`~1Vfin@bJ29i^%9^YkM@M>U-9+(Cc!2W` zsYwd=zN$6JA=pHK<@$}>KMDSKvNyRMn7j^5#yJFT#@W*67z6QJ4j)?}@ya>Zgl+Ak z3`gx;=HiAk;Fs*tWPx86?ywfRw%=fJb>mpX*5?Js0{FG!2l$nsVqI0OXlxj9IMJy_uc?pt4%*`58#;FG^AZ{OvV+! zF)no2dnO!9pl``HB)9}0HjzIV&wfWdpds8*Fd8@nU^@YSiemChADSt1E$|I|OPw{u zr9ndh+{z02CV0GoG8=g^g3`xQ*Eq@v{szumUlH{E82G6A@l?KF8uU%-3Y4NI=YZpA$frcfQvTgVq|mo+7Ah9D;PrDvORb#$BfiH{jkoYvi7zw- zn83f53J;cV!h-|fga=C=;lY-BmRETEJow*<2PFP25)VkB53-(gbJvO;{2A$|4~g+0 zJUC0|!D$EEh>^7+Mdmyj|DjmV*h=CE5F;xmp{O>Cx5P24;=91~VdjJ5G)tQ}tGed@ zps!A7R_1ww@bFCG->PRNb9^uJ{zvw?w;?M6eZ85!N?!R}#p2g2_J-U31^CM|A0o$OFJ9!`sqSJqlN=LT zJ6n25D>8JJ|Ab!b;isn;=S%AB)GSBGsHUmy_B*Gxk9K6Y5Bx7j#V>g-=BXxz=+w@_ zMk`ND!A_T@z~Z{MV1O%)zwas7>$0nH-hJG;p)I$$t}J-RHKkynE54w?6;=@DTBpVO zHkAx+Z~l?ep)P;hWhyYcLJI0#*{bIKjbnRdv!?oTOI5jRA6-_D+#{asACy* zSPOQ!h!@;;Px=Ry3r@^vym8{3Mz3P+d_x)Ry>R&em&EP4VEJCxAvKy9HT`|@bLTW3 zVz2Gk6*pAuRzo@usqx+`91WEcduAMM9KuiV_{R_YVYfPn_%%a08yxGscfy>;{fzPT z6ZbdnZr)S5R?~bk9*K2f2WP%iLwwuPcUERhm{YM)(Y)6zAE>u`_40RI#FS~fkg_|Q zcUG=Z)lR8{vyg3Nw0*Af)jRfN$4lAjxxUflNhi)8UE>p9@^GVr-ZQN7AnUGEIB6;;67eBX5)I)Wd#H(MRzn@?TSns-%ZP|q%CX}Xf= zTR_?_(ujBCyeZ%8T0&hn=GOz41n+~?J(jdN`J|Z!`z|Madj8w4cvHOhe%jux#`zwk zANSJkF>MfO^`s^E5;EVb!s%3eVqlIhc8C9*SFiT2K> z?hM+w%GBSN44m%)MtQ(!A8n0Ptlsy2Jf|_8cJi1TnZuOKJ(bDSKaT!AqYULv3zN6; zpN@)Wn|6>s$oI_g`y2Dre%@py)OUWn&G zN28e=dvinOPQ~IC-jzbXM$o<+9Jsx`uyGo{zu;|GHRqy^!p6nm`4Vt{GjA{N%L?9f zjVcHS&%(Wv3${Z~CfC>be{&tk@9(-Cx=QoY)%^VJu3Pd=u8ri`M4qt)5w6h%Z@I=n zpLXcjtSl^%+WgHy*$UaJZNE+)}Q%`Z=1y& zKB`1?zRtWz{|~8y+IFgz&ToG)r}0bR{2ug0-=U#6?-S__IxK!e9pDJ#9}L|Lbq>>E zu)C7=k(Ud3eR~-5V(4f$upGwkg?!Hi9&O3foNJXx@6)v7QNr3rDdC+44VgLv^fQY5 zQ^_l|(@K5#KGB9j59y?3^9?%jjszcWB<~_%4}Wnc7n)re(8777r4-h?(xIyi=;7DU z!xe=#SEgd}t%n{)7QXG8V;bbW33|v=<9!*>!wt~GAX5Tq^`vROjLi2dHIwF@1HM&K z=i}gN9(-gK_5BLm1;$?Dn)@y*9O$~d5dNjb@^_q%yZPFPXWn_mggK4Npr;4Zw^bgX zpZafL_6Ru6ci+R{`wm5Gdz7{xqaW*NcMW}53%#s{UVaU|tb|^K{}G4Wds*RL*Z9H# zF5>0m+)J`W5M4w%)8+4SDQlJw>Y*|eg)l#41N$^cz}>0*=nfw=6^XV zzHVxSezFi5O+4bZ2&wjPaOar z2%bmrR@>l{jWy8KZuq<4&Th_%-b(pA>XN^OXVs|v@boCE$YTy$pqm#|vu|b6)y_L; zQ~1~(@;jk<;lWpvwwR}l^i|MGBhL~w)Op|X2v>UnG*QsswSlyIm%rsYp!N5jm;a_~ zcz(F+?*);rj)JYO<^t9Ao;Jw$ZozKXv4SYd>~U?-RBtTvxehuQ%zP%p)4l;-@^{|y zH(j?Z4|jDIM7sz>%iP3zAISKq@;&I}p6>;2gS~$T#yhxY`f|p)Qi<+__jxx#dn=jO zjnLmhXea|-cq8&?p%UsH|Dzi!rYTn60?JlqY=uuJ`ktV!4Co6wgcfbiTXYz0t88Q3 znedB^TBz?T_|z?oeHQaFO?X&RhI2o1XuD$amcbvSz18pveA?UWY7D%}$~(GK=Elyv zBm?u|)H@%%FH!ozR~7F<#q2we`sX)ot-O_bg(h}TkMN|+N#9EPZNPH}vK`*(EP+o| z=D+S*mmlK#fcNXX$HR+8z>A2l?_H3;%XLq_)%E`J_gwESkAtsoccs9Sh@s)jg`X{g zpS?kzUE~>&-;cT3L3tJ4zty!}GkGs}d?<3pcLg}P5I9~Af0Dmf^7|vl-zocJK5+L#1!d< zwa`ES-YI@~Z(@D~zv-V(@OvR}&j9XIs57HU`lIy;^IL$w0rwE+CgA>Z{u{2%`Jur5 z4PY4B4fkix67H}6H{kwEFStMRZ^J$0jBpqD2H@@ug1gK|0PgF6`&QuoiSX<*z+G@R z4cObkb!3B=GeOLg$YQfE!~bopeAD2I(DAW-$OqDA=SR6d)k2*&z$!1rqU@gnU%tVMW_Xak9<80L*sY`%l( z^_9p(?^no)8Jf-a2W_x-9=vR(Hq@&qLwK9pqLir4s)=(NXKIR9$!Mq)o~i!^-w&yZ zuL+s@wqomq|9CT?ACbq?lyi}v;a)T4gn#3Y=iQn9md=+BLmzL_9_wuQ?*QlF=66UB z_ZAaXZX+ka@K`u6smdZR`tPS-3o_XAd z4rK;DUgotKovMj>v1yujpUk1E`qCYBm0XzWO^5f$-|7U`3FuWv(5o(%boh#ycJ<%D z8ee{2y6|G=S$M=H%D_$)nF4S2ZlxbH!Mh|yY1>L4p#RQcVtGM;;ROvtkhtdG6OkT;MCxyb27$m#px zM|sGB7I@p+e0v?4aVxT788RaeUF0xwf z(1rZ{M$$~@CDb9fZ&wG>#<{%1eX-;b+)iU&sui<$DtYbvos6BEvtZ6RzHcCYT+OBV z?iWga+WvJxoU66qJ=fjvsr%q*%ivi@3SwOg;5C=3(Y}KPe|OD;_vFHN=sPlek1GtF z+Tqw)DZIl0d>qh513FeVJo6oNtHabaka1Qmk92)SeHW9jYWZ$xMu7$_ZO~5VHuR=C z^e4vemGma?U-CKNOEz$F48MN@4BOy+gR}v@7Wg2sSlgQE%ct~hpI@JQiFVEEz|P;( z?#1YI^T@Z5G8$|16m*8CY2#Vi`a6BeP!!)g^y4=4G-#kv=AxB#*XPj7f{gbWPonQO z+GM@rjWvZki^18=``#tJzi$h$MsM=YM4!8E-_FX}`uxSVnbDt03Hlp^Eeb^gWLwNuu1+)1OaL4*!v9U`>2h2FQY#_iyqZVS{A(OGy1a){<0x!V>YH_1iSgad-25>=%=KJ;gT978>UdA*XR@9@ z%KQTZ-xzqK9bSn&q>Z&<=WOUg;B}OK$Qq`Sdo7RB2i6>&*O5=wJlT{%&idZ{1^P7W z#AV>$-K=?JO!{y5SvGaE7In^UZmg8{WL;;*&JmWrqY|0G+A_@Rp+0GYbzGb1)X1++ zt(ouqy?{B)Nb2EZqJPOe1@o^K^etH`mw;2F-5Qj`IRZwr?Li-n5;F} z!Va(|$WR9R{yBFJYmNA}-@?CSEpb2@>U}x=P3ADsw*?p)`C@%5z{jD;?G{kq2F3;n9%3k<@SC zc?{nJ_+1*rzjnaCxJ$?x#&_Xg-u@4|Wv|MY-{`u1xz%;Y@?Eaaxp#KW@_N@oo(0Rz zuFuDs+`r;IZ~0c&(&eh_aq_Gu?;K!!qrf;n+BJ)H$5pI5hLd&)X&3VMDE{_>@2RW@ ze@odXDO;1zeB{TVmu+=TC;e$?A&uY31);9<3*K<$GQO4Y#Zq8;5WA3^Rx(Glg`ryGUtjSxq@w2yj_!<0I+JNu1Jr7TIs@Bf%X1??Ho4{vH@)`IUYZ-I`_?e>fGs<`Kv*#%< z{7h_LSMWTs->p z`Swc2yOpc3+iucj%OLN5a3@2F2cP3~K8D=U`Pd;f79KU!dmnn3z~X-9&d4{&cN=p7 z4#R&;*zIlbu>|i*_*EsmY&N{+OK|m2^R~)i@Us>Ad`5e*UFf__?7+gyE>H|!ww1i# z1a+yp9wxjDJA50uR5vfnhR$To5zxaP0A^lbD1Vp0(+oZ)dYJGr1Gf{%6Tod~w_6Vr zJ~j?MHiYlO$2OEa=-z0$seNQ&s4KPb4cEXz#r2c?A+D+U|8PxU{V|}h4jX)e%T}nO zkI}dMk6clOTV0ky%>_U9+6uS14k8bu&?&eV&Km_>uVvk}hishPTF5W`w~B2($`KB+gy})kDnjuzjb~T1@8)L`$_&_*G%eV zEzmh5|3l`#&h-;*fLEg)=EOIUx`v_K&7)23hVw0^J@hYK?~=Z-?$-I$l8k@qdoBxf zy-Q+z+ng@~n@7QSXh!E(tYf^K-S!nDn;-Mfm$VzuyDq1V8)#Q})d3ai1b)5{mTIV9*B)Zr%a3fe3>)~7BC-E&4^#$g(1^y=V z9pGCR`1w{GYp-jtv+qIQ+>P#;tMjexz&BFoTc2}oUHDexa?!=2eA|}qBySvZ676kd zts{JDLB<}PZwYMV?|tC?yUW9<&){3z(%inI3g3!pgGY7qtp)Hz+1rAb zwJm@z%D88dPxiyI;itm4iqXS_ZygHaTl(*l_|~3N@~t#@qqHG>Y81RNm~VX!%+AEO z>d%62edgE0#!;W4hlM+jg%-{HG)n2%kNj^=R64@pQ=*GyqKi#Fg)VkJy4V<97Ypgu z#Z-8j25h(YD*V-B++xP8D%N z+iUsWYXs*gig9Z7b|(QONihXQNL`Wl`JPjuOK*3-erx^LfBpZfYpq&)pL6!vd!If0 z=HG8ypF_`n0X_TriqF6oZ~4RBjLtCUtfzqkZh;gA?L2y@Z((b`bV5a0~oZ%YOI$Z)x7VcV1yE+2} zn#8w+F?DFM%pcHV4+5LIXtD8wyJ)dYn-)t%?&8p5i6QCPPt#)6Uh8PLztUm{I44JZ zw`j3xu5N#m7V7~m)-y_reQVQV@WS9;>F~Q?+A!A-VOj>fi)gVdQ?yvNf6R*a{bN^T z_@(DBLT1)Qi*>=Y!8S}w4-EpQjY0P=+G{YncSlwxTI{c~vRBy$LzvI8HcT^v&H0Y3 z4164HwqcqX8id|#IC?br;P6;zG4V0Tw}ScT*EPQ2@^C&ncFD@5!xODFm3Kw})4F73 zqK~gVO^cDYVVVi7O7P{|w3zufX|ZJN6uM}!RBRGrVcOrO#S(wWTiP(K2eeqvze|hF zW$g3#3!Zg{7CR0t)=}cJjsVL>0?Vc`_8!tS;8QyAX%=v;47gUY{4;2@9AMVFemC^h zui0Nd_SP!+$-ChztDr^3LZ6L;K3l^cT+1H32fD5fy6!i~MAjo4IUCt!mOIPVslfXO z$0NVaL~a7yx8-8UW^B0_yh9`to&S&mhaS6tHSLt^6Z!@7;m~7Q&|`vS-GY6ASsU~J zRA<0{JM`EGbq}Iv`8Rt`vw>rdTr8Hi+#Q8y$eC?;Cb?KW`b9@B7E6zH{{cL^opI}; z$FfhuvMzeeS>L@W)3v_YzdwLw7}}oZD_gO-eHNN*6fkT!uq%Nyg|rR0H7yFWsu{~Q zjO7;Swj}hyiRg#Nkd7rap@Uq|MUz>7m$4Sl<@!9X{j8mTV=Z0196D*a;eT+&cIL_O zcVjMP`yw4gHgnUPx#8UDkYX^bqm74XYn8iq@D_J=s1A67d@@+a*q6Dwg|dt+F z(`|b8F#8@j6ge2Bmr9uz(Ho@&yV-N%Z^-j5XSD$Hvci2>KRK+Q50O6~Vs77O?y-eo z?%kw4NaI7pr~|wlYzCgCM|B1|k1E}+$MlJo+W@U5np(W2=(Goz$0{>DELyGDl^!|t zN8ps(+vx_5X-*~2I)om7hASfkjT$}#{W%u;y`DM3o+4Ne-L^jet-AH#tSCJZ90h#r z%1f3V2ONtBj=hacdmnI2veM!7cNB8zt>`OMM)bLdI)}rziU*#slyebm4{DuQO)4o&u^O^;;e`)$IQ`N z%+({vY#u^p^C$M!yX>uRqkAi2^PN4Td&|YRcKgxZO0@UZ;2-QQmFp9_^#^;)WN&r< zn|te7WX}Khd&~Vd_Eygy>@AJk-``u#n8(U&V)vGKopWRMmW90er6J3#{~F@$EP-F2 z2Cp7;_c`HX{4PaqKLxpcaN7meJ&fh_WuNlAm;V89$OiC9A$u<$`ry|qK4l;ELVokM z|25wGGi9q*e&k=gvO9D`l7BblKcu{O`KQQsdig6>zT>Z4nauorir%@G|8i^`kV%Ao z3Ey-lJk*XAebGgK;V*V&21mG3pcQt&*QErzXoV5LGHegPsTskiS?kCE!XH2@2>$^8 zLPuG*;)@FpJfjAJ_kJ$$_D<`t~IUrI)PFFA;K zAf+0I4EC7h2#48YvT+lyl0tnRcrnq0vQJ2$FXim{eD>1_@(t`8crjlwdut}}%?o^6 zN?J+U9bUtP?~tx*Fto!N&=YSWr+x!Dbr0rL_JYWMLxte;Y2f!Il(~g6J)!YrPM1h#4qSrfcc(Ns(YF2c-HLvPJGV7*r#cTe_E8_f@0(YhWe`d3$ z3s~C|xIdEnwoZw5f+ZJP6R7uW>O6FFOugWG;WrpSwH`yG`m_{spw3Y_Ix+vhrVJ zUs12UzOzCdtbgzh`k^@r0`-RGx8yF zg~z~uW$^L_d&tpoo1wcWNw;m<`zaq1$F%#Ni6wjxyr)IOaGF=J53Cz(z_Rj+L$#v|Pv#}2wj(yl=%+ECD z=UnjGNL&7$h3g>)2Nd(22@ERtOMD}NQAy0rI9GOLJp09-55`DvFOxBz zg}txFf4nQ+mceMNSQ z6j+KwIEt|y%@}V*=e-bEv-P}5)&cmeA>@Ywe{SYK2YhuI_-Z=$uH?EFx}gX-bq4V2 zOwt>9e<}6+iaB|NImt%{U5YOHXV~ang^k|TJTKl=C-x-f_w0{jz3p2d8jUqg2` z(#B6I!Ib>%_L>~byGgt|nKiiv8v|^-BEzunO~T$If%zE)&Ug>ntc>^I)1Vo%gJJNK z8Koh!nS1eOPZ%k_eB=n5kyWf`tYt$hc{VzY&^^$D&oiH^8TUcx71rm!S9d=$k@@gv z$>64X=CT0Z?CH9@tQRR)$h*^<-mBZp9+M2y(3)ZH3&4}`&0+LVkzK$M;aBKO^iVoW zFfHf-e%)FS@BHnV*nLLV3_ z-$#y+;XlZ|ccB@eNrOv}W4KnP33i1RBiArjzDKznTUYIZ2gBCGw)wE_Ic(hE*nGHG zrX#=I1;6Ond}xi^dB#j*xd~l*J-T(|*0#;ZAja6{bD>MRY(AQyQ^d#apqy+zcJYp6 z)m?n7V3FoRw6LA0Zg^Y9DaH3HwjOG47vC)!|AGAXZ5vwA{ZC^Hp*A$0&tV%e&XpOd z#fDwiSle3HYS&vNlL7Oi|9?bn|u2j~7hxtw7{(E)2Z{KesUZ?$?jPH8( z)NjlT-7Nk4`QtMpd(2C zzNqmm#<~Taf$R`p2Zu~yO}_>n!A37Qgn4?Ma{E~qXEJX)C^wWbmkr$+jJs^;p7g#} zw_bIk>wc2C*=U#NK6TYnz6?0|B=wDl9{6f`u6_O0@-OY{GH?*EBy#;E;gR^@K6H5F z88bUiUH4L+=b;BF{|59H@WwYDzB?0r_fxcU27Gu2`2H!{*$-W{k2VFH4%6OYBO~;> z^FDL>rQhb8XlE?zZ5F-_non$~g0pCcISDNRFX_69v4^(~Ez(>e=UBouu-cxZTIz>p z3q4D{_I%JzJ#|ZGnC5bak-J33(S~ID!ZDeHOMF$V2}f_|oY_2`IoAA1_9fkV4f75j z4sJJZ{GITY(J!Y|^a(W5X`ZT`@s&-9&JYlPW#kSj-9!xPEoc42dd&UXN%)>Vw59rr z6RiV`7uK%)6dL?v|3?0+R`&4MtnB5thD@^VU)ktizp@*9>q}&Px&HZF-^le{Bv_@WN-AtV;sHc#0GHG{oQhm``4d?nit~0?uU%UFk4|Wfg z&~7R3U%>ty!QL&`cYu#(=YL+;%j^~`0v28fKd=`284Fy2E-B1+MMQrIz6yQ{-d3T1 zxA{rs(ZSoW7uvDR)i<)&hzp)cJLk}j^h~R<#TZxu}kUJRXJ-;CtG^rW)qX&G4T8zb>uV9G1%znyld&WdM}uKLbR^>JYM~U59p3>a?Z}lC$wK& zdWMZt-d~_=Ow;G4-5#`i^|DXEgFWHxdP6gQ0!`o3{}6r5IaSnHiVmqByND!sYXjc8 z*NQ*+`>g2g?~6P+6WK0u0^m<(@KWwi;r=Z2@mHabpSJ8Xc<>x}14niuzn4p>V={GE z(9Rj~ehzsP-<&|2Wb*|dK>ykM z2YOPpnw{qzXyuUXgGDnx3msS^Is}^beRl@5Y@gt4`dvo9@hjq5`g-P;y2QgR$=_wm zg+&i9p)U4$C<~aXYtf~xtj7%IFvFD*&g2?>apbV*ALg5U=-DZESj$i1HquYp+8mgi=@oTHh(GgD~r$iG9zSwD)}x z^Sg!jRQ56UvuLZ~%MK{e@<&;E^@tCst9D_rzED z-`Qon`6oR1rCCERwu*-0L$CLaTynxGJIN}VH~EBpZ~NqExr?kKeB7M+i=*W(pw42a z96oQGY0s(iLaUs9scboYQJrl=;;nMpx9>&UZX1$dl}FnykG9=5#BG&F+b)l`-8O{S zRMED}@vn30GpWyMyPUQk=lj)m8*yh_3ys>go&1S0yO43;#54J_rjVb9pR>lvqdY#N zo9J^q`LCDCpME-Va2}$e_8*V2z9Dvu<-hHGr)d?W{q@^Eay#FqzU@|?Z&SR2UF5$8W}dw3QhcbL z7{C884!XPl?q>9cO$*|9UvVPbftF0;q1K%)drV*Y&2P$neZ#%BpZ-MTg}=dn`;p(g ze9P@OJb8;`Ha+n%RUGRPq{B#?syU;enzIV36YE3#ve?bqDq?&u^we@k~` z4$S1)!v+}Hp5?vz4lr}7T=*g@)@c)M?&0smdDMAtJ&DUe3=Y0Kw)|@1S6zIwyQ2dC zX2q_s>tE^a@DNX{_*7xzy2^_4r>20P&v@t2;ih+E3Uv?b#vGn>o_Ugh&1byzsE21= z?-nZtI(3c6Flt9r$NiNzoj-%}8!B%;e`JbLJBIp3B@$npck9pC_2?p=Jy5ym{C3*d z5G_~5vxYMo9$im5^`_j}2hMo+(W&OLja8fhoNV5;ZT&C%&#vO^sx5a6n7!Uyu@M-< znMEr}Qv={TonI74Iyt$qofwhCF>jcJe|D!ksiD~HU9;Bhsj;8a=YjD>z82;k8O)3OIXSXPYf>e0mf=b?oo!nNyw(V~rk zgUD=BLu&us!>5pwrE=Xj;vbI=^x$aGm{AvDBz7XOEUd?~fu~U%Bvn?Y~O)T-9t~I{Ruk*Xmz6&)1#t z_M>Yn%g-OqJ{y?i-B!##8yN51RzVpL&kWPMt?Ror9_By!9iKAi<$H|U3gAMj+5x_( zFO|TAsy$AB1#2pKww6BEaGt69rhcvE9ra1DVJfhpt8eRgcPjn!(!c-Sw_btIGyb_T zepY>Z)7*U*Fm}Ka&Z&1Z{&G?aK|!mM=#d6&L{aR-f;GSaEI_l z5-_{Gzi>ofa71pE&TzRi!NDUs17>qSV@?k7fmSXuI^F_y_oV#FMedGu#Cj1<+NV47HWixSeM$jS_{LX>odrj7{(g-{DOqca@MD( zqPIWM%&ASfJEzuT_9n)K(?@5I{ji^+6~<})H@j-9zAtPHvVYQ|?N;nCYZoT7S6ZMS zXs-%fq&=kmZK2Q8qvh0R?VGNC24ecz)kpPDeM_Wot*fB34A$2_=$Bw_GW~iGm|C9w zxAAV*{0!%;7UA8>bffkrz9AOxRwWy?i};3xoS*&wCf+5^#;i8*?o>0WrrZ?XO%5c3 zcZ!@(%GM!r7@jznSOq4HM5oyJ2F%L>AdNI3w6VxpZ*w+wf(Fz`@8wB8!AK z?fTM#18sRlN~j$i{0=yn_u*ADPs=aFKW~ATkqwi0mt@)#|0>x9{E$y){j@`)f7XRx zqjUUM{QAT7*M(m8TBXJ z{}kQAe{lUW*I$x0khYV`hwd%(e7n%|m13j%BxRqX?EjM8Hus9)Z!3`{tm58(@vMW? z=k6a`O&is;ag6i`X`Ad5Wt#|JEPCo-K7ReYcMzUgy3PCX_gP}|>hb8-<7}QCd0J$* z&9lQ>qmz~G4mQ1~`E2(O(RAwR+n3|(svn`d7K zeU}Q)?&x<@gQ>KSoHTUA=GilY@^`dtW?7H4AAXQ)bPy5o>*CwVhmMqZt&SAOR!id_ z%d;bAi6GyI+C4y1+Uwu8qYN&DXP4XoI@y*5vUhBrU2>yXo?Z97$m)`@e+W>QFTPC3b3Okmnt*1Pod z(!=xZwjN%xNy+<6=DUcp(^NO@uA}{?7}&-cX27--&Ms3NG{HAhJSp>B$h>kMAn-!5 zv_}riw?+*0S_5*8ms6>0^l!b-kNK^4pA2@XG5 z6VN=9-#y~w%DRK@5%6#$YAX2Gn905%bxdOoOt<%HMosC-xs9Bqn3o!7S8_dLz(e5pf?yivTHHq6KyO}X?@M&208ri|n416umRe$V=uO59O0)Qg$xouAQRhYQDeL#L^TVKwf_vKi7t9w~r4KQBbx1p!SnVe_) z#(Ax^9?na9rmwX&m2|(+SvAmWwQl1KA>H5B$13N3`0?JB=`y;{J;!UcJ;ga`OY*J# zBYRlM*b)ZWhteNEf_+R4_A!s*XZ9QX%+S>bPeRiUWxw2rymTpYQ$M!0K5T7|6Z2w4 zk=MF*X1+CqJ#`Oq`+Je!vp0f&^1fcT0GsI7zSAD*9efnM$O7~<4^zjlsAE045#pGH ze}mk84dZ=)*e&woxDgn>nYP7`KSuin#1t^F>9`X8v+Sr9pTRH^A_c@2xHamNyOcJZ za@|6*v*o!@HXpA{n%gMb=7jGYKin2@0`lOX6B7X6Qe^UR?C&*ptN?s#(Fv&CO!NXN z&?E({z2qj@@wg+ZL$ZJrS3;!A?-?FFG?Oxl86&y_nQt(Iy_v<{luWq;`6>G{n2zk% zgX~xS@{bMl`dVK}u+s7G^Wfh%E&6`zD~a6ul6$%S>!>T4x>{d}=iZ;W*WZrU(fUen zu0P~D+rNf>3AVPr($`vrzGtoB@)a;gKJ-1a@vHDM9|^<_NylF;1%I{hh1pgLa_}%~ zV#D%3Q?9>1{Kr1l2H>U-_?eD;JbZDc9*cq}&X?sg!S=N*_|FpSVz=_G^sJG}=q%eiF}_3v|61p)ufi zbe+L5tSR(kpy>3_DP2hjC)+LI5PVWx&#kvYnyO7i%l zGYn$erAJ!FdOJ6xKWUxl?R*XY_yTm4)#wD#We3r-gp$Ey*snk*V9O6k#@&MHXa+O2NlkGo_5NbmNEcIeQ;JOvRyc?Dsw4 zb~8Eh409+O1nD|9FgMC?;2q)HXVAN?NA|Y_eP6b_8+siVv|?XU!?w$VZ)xn(nT^Nh zK|aHxDaPCHXWR2S3w^8Z3BR)jLNmeN_)CRnaxFhB(Tj1+>w4&oXVFRRcIVphFOVBX zkWn@Uq5Ixryz2)|^-blQSa-<620%}X-yvqAy>3#1KI)T>(#4$0pB%r#p!~^YdpnY~ zqEV+9Sv7lO@42u;t3Q%KQ}kbwxnOf{~_44 zO=nvfp=O`AQ?_2s8`u}QWv0peJZ)j0$+uMg=j#W}^rc1joNc2D2oPX;}eXU_UD<$9l z40!*2qjMPfwx>h`z`Lo;D}AiTjO`aadr7{P_R6WuMf?XPdFvG~x|siD&R2Po|4010 z6E}5FrnmmX(5cKB{qn8EG*9U`{%f&~={qT>G>P;w*Y=ApfEFJHExux9lD}u1r?eOG zuWyH@Shn(QYzX^<|1$k?fA)U(GS5Oh`=tMwi;nj{d(l+Z@&(|6`&)FM5=;)SVu@0Q~uF|38#IL4UTh9MXIH zKUw-w|4?bi{=}OH151VgQ?7T#2d-r8y^;HJ=|lbhqx1&vj=Cp|4DMxd@5R!G?(Lw? z!~n6IcfYZwqf|b-_quNQ-3sW5!vkE_6LH4w_l-V*H)wY#cio z0}TJVA#OMHOkD8y@RYKrdzm$-YuVEcCof;HW5AALYycJ*J=s>&IW}gYA=rWg=dc(0 z2zt`Z-bxNLz7fT5k=Ka0O>+QO+ujP6V@9KIF@9J7~Kn<|?0JN$@cY=fIFZOu8X+~;jaPw<*9ffXd zmgbK!dxSY|YuR1*wwV+@V8fQw$T`fzD%Rju#;7Or;o*DMF}7R4bq}&1TA{19fb(vl zjOdfCe81#4*XkMc*H&nqEzmlx6T6XrmApy5yETkhg8|08b+*wt8o!ibeA5_wQw|PE z9|)vhnzN~I1D@3&6Ouny3-R{GRB zF^>F)`=nQkeJWf3-Hc4lqF zw;uoZjB^v?9iEtGGQCQi2qtQ8nx>}(L zMa!PgyJzz5;bkBD4=(HBKY(q_er#h#U~f1P`$J?>p`qC6orB%paBOGBV?!fe2{}+` z6t>a5z{|ssN0jsZ;lE%P0lX-I?i*!DznPAmUZ!o+CAky_3SbMC6*)L*uIRkrL1tM zo1Q%m?x9~D)y+F?SRt4t`8f1L$O}w>hOudiGS+_?w(>1Apsi%P&fM)m25$HBa&PB3 z(eJOqZwh!FaUmzihSa7f@b3uUz#I^FH+bx3#-24kesGyj`-1qqp<~y0JMCvTdOLLu zehj~ZEz?);L-YB)olk-zWt&Lspz!{G$7Yjx!gnhoT!Zhc{SEihf9&1D)%b3z|ImYx zX)W99fOlcVx%%pH(Ri-NY9lv%9eu%0Gx*h0%s=!YcE%fjMgP|T!2jW4p>G}{&m8)Cb^1447@Lk)DXVgwu~FF9j|ndDm=eJ=UwmE2$V6J)Hw zoo|q{8D_HYE#O42#GFM>_CLGy4xWFUd)A`;_1`A z3;kax{T3SLmj2I|){)M#^M5Gi`vSB2KUW%d4+~64$SFl0*I31WeE$ihmF9@#k*u?8 zPL{Mkh90pgajwp99WN}jS}*P)8~K;B zban;LBv%^Fm}KR8O3xr|d&xlNY@8iIuXU3D_xz7SlO2I(Yj^hz+>P#W3ov%SJ2|ir zxl=pOjzXV(g}gT%nz9gI;Mef`LUt6q1fSsDjMXlD!FCX@ljwCj&)!V|=kq+21kP^(b~^s5E?*0MRQ$F~?8=+z z<4kyc7dGYc6`8*>0lQRJ@P?IdaGemk7nzQHHtKA@&#Uo45v!MNDY7Drg3m=qYH1udt2Wk8LE+LXuzS(;mDErq#2YAEp8Q9-{7=H7yi3wbP=6`NtjxAf-%sU65%L|cpEnqH1bL=1A z$A5tF{+e_eb2*214v=1^ccIsR%DV?huTUMd{d2pHSN&HiC5F#l;*+g0Qhn?B{}=mp zFZ*MBv9~^nI#PJ=?Xwd64P$fs*R70$_xZyAXLp?MHU6UWPeSi}PhbA0yMOShTqjQR zwrRbH4cyDWf|$Sy@cUcA+Q~!D^*uTdT|a$(vVV*_J#+=@FOPG7iIEnWgFNhPcX#w! zS)p#!$GzZa{E(glk8lr}*MLwXYecrtjjWG)>`J@w{!;9{;U^=9$j@P19zgH*kz&`PO)P=dUpxui&ic@P7(ZD4Q^-JA zbCM@{pod;$kB>%|W?x6wR0ZoU*M$u(~QN7LbB zJBX2&#aJKdCAxs;=7gG`!Z&5Ql53E~1&$2xcD55cFEA{fIK{8BkF#s|j=+(=@ZEnj zI$Mc(*N%V7efe+IodwO7#q;6Rv5NUZjuV&)Ez|aj(U}A;78D zcgqLG!?PHjMU*-4mn*ERDWkZDleu5c7`BcyIu$daoITe1RFYMJUsXB&Rjp@blmC)@ zF88}zt)F^3Zvu`iXUy+_-&q7rUja?uhD^DF{rn5|)Sb+6+j&`53geNa7>i>Q$-hfJ zm3%kyUy{!ypJpY&3miHtlaxA;rKfzVyi=@qo=GA9C3(G*PW~nx`37S1dxp^r17zJJsC?zw#T z0c1qeSZ@cOinpe*-iUV|Ean^Y`KANNjKt>@@U5-jnF+|!1|j#b;AP*$ZqWiRB(X2o z;`=k2m=V%L*0X+?v+!Z~n|k8e%>chB7J%0ASk{_BzICLxbF96Vk)gU1!_*OxJbf{C z@>el0mom=JAtP5ji81JGgcmt;BUH}*5PT3m8t476ZZGQ|fy12X)Ye;dHLY01qwJqT&w7M=U(U+j;2XDOSg%xs3^|#RF#q++L_N$A1 zxAPaQ?JqM{Z6yA2@W{{Ly95Kdcj9M1v-z%$ZSWeo=a!21>KN(6C+sp=cz+}lt&ZG;JxE~ z(r=W(*Gaay_r95yXbE_bpm?R#&^UXS+Vaof-rL0cARB!@dJS)(YtdZ!;GP!Xzi27N z+7oS5z?`k-TKj(laB~{5+mPLd%j_}Bj%;KOH!*()>*iQ{dd;?^YskdEdMdF(9|wl4 zfyY~5q=z>U8wTAI#2V4Lxal=)dg941kC(XvqmqL>%e<|Z5 zpSF>%?%|Wn`wa2+@%_U0QYYUOxe;1&sp;vMG9bZ!1N3E>J+pz>yYpAR=6@f4=+cxp z|7zmzwlKznCMh-%eu<3#4*bm&*GusbHU8+c!qA+N!|^@rbUv|G^;|lik;oxBXk!qv zV#V*d8+b`P{P1ev%2e<`0dp|{zih@XQkLMd(`%s_SZm>Hc^^Oji0OT>YzAv?f8teE znX&4_Y~#pLt*c?gbh2gE#C4LqdIE4rF*jQqx?2;FsSHD=(z*eeHn6MpQ>8inbT3l5(x-LAlxl0pM7Kw*JnC#~NVBqmn@QBwRt@f@ zF2Uj?U}xI`rPTLSvXw-;nXK#Q1(Ux}xt{n4W(J>SzV3l$TmwzkAK2UW2xk-_vq?f` z)16q<2C=A{>Wofw8gos4-AI9ht;3HU@UpnnSn$`@}pKFHZ&*`D)G zM7VE1v``6aE`vI3T*w%PFNXdBXCibxs(W9-dnQ5$O=Z6K=bmZXfP`6V8yH))hwP{! zV^z~p?I)e{a~OL1$X`}Guk}5{mCWv z7p!C-w6Ru}U_;OrOtsorKUYpk0k^*EUq-$w9{wHJ7qlT4JHg&M&VGv{HbEA#33{S0 zl>RS8@uP{Om&EgQo+C#=FP|Q4+6gb4`|YB*{@*TI(Ep`HYxuh}jru0w=U4P$AMJOi zEyX8D<~oh*a^m?6N8XFBBJ4Gch}m=szQt600N?%x8F1vN=Jg0NmX1fT0RwK!KeQug%jH5xk>l7n0a%A`TIgt9^!hK(^*A^F z{BCs2_yH210UVJ?+B1aQ1f6yF(0ChuJ9+~Cd#2i(b#2U&~s*S4FJuUqCo$8Ju(ZburCQPTgem_YV- ze2V;%J+p^3t2K1x*HAl736f6jERZ*A~)wvD{p+T8!v(oNv)0=wMi(t)|h7bTxzT86pmqJJch zk*(3GYMpzUiEUmMHhS6E>UG0ruRAt*J*;Q30Sb)Ew^|Z2tUIssTGH1QfGcjlD&MNc zc48g26eZA<``qc4!TphpMKN?{e$);x9^ShfF$yZ!8`a43S0T^e$iDHjf1vq;{|3Fd z0orjP`q6oXAJ!GZFI3_SdpF~@(3KmmoHV!bF>o-x98#B>KenOcf_~Zu-Gm=jneFOYHh<$7f zEb~dm%AT;#_?o~OUzv(!g3ecRA?biWK+Y}u2*nr>eHWOXZ;8eOHiq2z7)jQwa<9XK z&S7k|7p`3q@2>_ANmiVRJoMnr=x%vFl(Gv}yzY;8rTBc{tlt8+FSBI=DV!;k=I;mW zE?`a+hu~)P0XlDMF>o;7-OuNOk3Rz5C=!mN-U)`MVG;X3#q8s2eJa%w%x(p~k8*o_ z9=^{sb9{_J!#K0Iul11>tBvOd@P1gF>1%eyH&n%^_(m8>%KI`CGJ%1d|HrfIk*8dX zOryD%$BIWrWg@R??v-qr+>7T~GrZIw(g|E2O-!^l!h_59Wh1<|ZC}Ir4M(A`vpK`z z=n$i`jOQgh+gFlcg~xIq_?`lM50|*D6xLW6J=RFpSvLQ0FXdDHN1rjVB|?Y9TI|VM z%xCSCi8o;#^koh8U|ogL3H}^e#u=0uNSTq0<0!^XG7SsfA^>l36S~m(=sbbJ$Vgm~ zM&OCguF{(M8od2GTYl0%xF04>U?M^(Zt`gMje>l-#1J2Zu6VKXySPRKgMDY(;+>^Po(R@zK1$@ z!^4dMKJA8|1II=>fTi#p;ST0+{NNcry$6qB`~1tMSiZ*@&AaMkYbNEn@QLq0_sCYh9Uk*NXrYPRpAO!tK#uwje%h+D z5?Si|_-Bg-IZS!%X@Z9-E1Q`2sbe?q4o0^j8-~HixIUr|#kqa}8f`wl+L9lwhHhJc z@3wF!dZaKi+DHp=jcs`oF^$m)g)X-R1wW-u&JYY8=Noi=oc`g@GZv!1zq3EX-xL%Nk7!5r3wY_saI|H^=GKbnG%U^ikJ0;`{M_e8Iji(btL z;sj=dvg7dzL& z&l;z6#!P&(;tXnh9)Qoc^_r|@TRsK<3?FL87{tdQ@;p4^d+3$-zEW&8mv}pobqAX- zclxgNHWuB{IQHi0SSNh5?2tr9XkWhzJ@71b*AsU`e7$7b@3GIsr#{VG+|Sr5e$4xn z83P@pcLdk}#QzX`@mXNLVz7)S*5-ELk>YMP0J}7<+o4x=mQNU3Vk|KM2g7rY1zyO0 zVg_)00y0POi-p8g)tM#FL8o3qjMbs6XZdL)rNXBXZqUjxCAkb3MBb zURe3-m_z9dq|e+-pQQhs3{Lr&m|RZ~i{v%pb6o~5S%a=madsX<$M`yMe53XQxL0%h zd-_H!l#r3C_!a{qLy6a<`{JK%y(~J*eD>&3TzDwu z(Jx0*`34W)6UX;uqMN)7T2y|t;Oo$u)YLGrDZ)M`jgMf<(kK}RurxSiP`+=nW%3NHu9RsSFw+8z&?K1D6h3S)oTrm%eQ{tJs*6De#c1hEnqBH8HR5Y zJObyl`8>-E|4?FTuZ7==TejVQ1~IjN&$yofZ+H%T<{yX=O+SKvVEr24e9ou~-3tEe zMI5hBpsVi$ANB=Drhp$OQP)M(VG!r*a>{y%^K?Ei^*mtftFHJk`s>KU*UW8HY&xAk zC_VMV@EOWK%v{M{T6)|+6n_4zr7M2|IB474ux}Zcu+A*Ro;$Ly%G>!MvJ=i93EhG|*kry6n?9&} z*3~b9{g#hdJ7MuF;)mgxgA7SP`#tP90W|A4i@Ia9&;(8Jh5gsc?>{w?3R{MY6}v!lCieJafoZzp+2 z>s_*mfc~W2D)h*Em=A0ae1o{wT4{nt*ayvEjyA0u(XpA(?5)7$HPn5r^lspqD(p#? zVqfx6^bEw|%>7;H?|L0ufxSleP~&W`^)chLgYjy6JjvS3T7P{(zO@!Q&;#v9?CORt zI-iBTp226Nq#ZLc!tZ@5ZgdTdM zGQocV^_@+9*YfNZU`X5JiPld@pGBth405K?;JuOH!MCuH+KtWB&a2&iVhIO_;!`jX z-R^BXzm?|}xc6o7Ft`yM)I0c}&}i>s|I%R8Kzu?yXs_OXS|>K){N>G0#=MxT66 z9yq?EZhpE8`;~P2Tsp-z0&aqDGDFj$5oFIIS*PxI@!I5l2WN1`cxqz!i15m>H$|gG zbZ(0Dz0!Nt6O)j$NW<`RkSl1^2d@VTbd*$tV{HEwv^IC$K6>tvx(s~7_ChxO1J z{0(eby`A5nBRtW8fiF$}-7uem;s4tg%~OWpUJjT{l5HTh%P*XMH`ja}lI zM4lKey1ymeb7ELDPK)Of?h~iQE?-1G8mq-KjXbehbpNgNWZHA$wY-(Ued4v)_mjyJ zvqf=C-byz*@qy~@IhEh&o(}zpKk@bW6Q_K4>XGBC&Dv9|dv@dyXJa0*Jjz|Ye1_?+ zHSc!Uy3DxR+rLjdH}P(>Hpz5xwmp8)*i-B!KFB_Nx8;l4hClRyqd%;tnOGs;%$UsB zUBWsnWGodMB_Dr2$L~wyIFE6h$2iVo9P^Wm7vw)KpJaS*1H{1y9N>SD{~`W|`5)om z!T%`#z5Ms_FW7F>K4}>5ypefn;LYy}8nG1`F~#`#i8tad9r1>Noe_4m`;CMe&VUWz zd)_%^)z430Yg>CUwn@6r`D%e%;<#^IeL~lq;}%%rQ90)t`BPwVs-9nCKR;|H25!#O zbLSepWMENuJ;!E=_le;YxG9J0IOm!(iUSLCxyCn2&#@B>R1M@BA1Pg9R~V=q%5|o5 zjm=@8Vi?!mk@c-IYxy2@zzKo!QAX#hCr-_=0 z9;9c=^VhSzddA+=bszgZl{0tuiph76$#16Ir*?fVyPRTPJmx0PKRG6!7?Y2S$(u3x z?}<&&^{(PCy-K}J_@=6^<2+Nong2I2`Hq;p`tpL_aXaPO^-OvG`(yHZWAe>0`9H_x zzlh0y7L)%tCjVhf{{5KzyD|B}e;t!Q5|cj|lW&j7?~lm~#&y-H`FJYnuh;(>^X&7OykK0{ zJ0Hd5cgN&+#pD}e@^8iDUysS}h{^vkCjUQT@-N5a{}7Yk7L$KACSMz zCch~r|GStx3W3w#`|Fte!!h}dG5HNK`SmgRbusySWAZJ)w&Iv^Uui!x?0vJ0{6`++ z1si`s18roToW@^nqxM4H3yfW1SwmJ@@h*WIGDym8&F zN*6b-osaK1@2&4+p^46{}^0q<4Z5nLWYCNXd`$uDD)Q)A$PLC0= z=%^>=n&*eOjvcdw(J@;X9kYeeFzdCh z=38^Uka@0*&SzlkGWPy*d+#qi(`0Yc{}D>*#~7v5H$iDR{Z&f*iNU75_ZMDZI^X>h zlReFQm+G4Do~mo!E7djqDAP6HU0^!j{ZrHV?ki2_yRSB#@4i9z`R+>H=erl_KHojx zwDZ#A9ozSDHRdxdH5{e}1HIqlWxIp4k7wD*4117=>uM*8wA`thilSN=OQ zFEI8_zWXlZ3)7u%ztqLI@eNaz^6jNc`Gzv3eEUz8^6dpK``at8cJWQj!3|1h(r2Z7 z`y!=$!!1hb%dJXz?@pz}Nm$|H+j#F@rMy?8l=mJ`%6l7?^4_nM^6jf#_P1C3&c!zt zHC8;SbY^2kKq+(nw9;!(Qoen&%l`I-SGw}5=F|40uDptnE3f>2x$?f5 zF@rrB7u}OiJkxJxBoe2_{Ly}N1roaUS+!B??%HE+qt=M-FY!c*J*xfH74Nh+{8HDR zQhd>WwLR57w!muRoIm@!|AqEc`&eS949Wi&+)q>3PybvD-4oz9_+&eduIpU~Z%PKz zNu1W#equay4tuZ(I<1+wlV?GjolCvu5Z&t;7{c{=)m#@UHd?R10IrFj7Pu0e+!q<0 zw zXbj-^`quYdRyX?Ja$lj<_ISQ^I%X^N??pDWk8$gYBR7=3d<*{my05oW?RC}5S)030 z;Saew*O>DOv4dOfxRBk63)!P;7<^+&wEnKTyXrj%4G>%QExzs4A@`EEkwKviS#o#0 z6Dtzk8EmT2y>$h$(JbPDxjiF>6CbgHIG-NHY9wBwr=ss{k9pU|wsa$l*nlHO@Vt^Z zpTl`xO#H;*#QPmitY2hMqI3Rs8O19l{-a5m)&wJ~m3EST)Q+1tgFKrx;G}!Ww=;~F zi;;s$#;Ev~r@oE$J>p){%)M9nj#m19h}e3z%#wTy`8|wlY#korWB#qS;%I9hF&D3| zy#D+_9(Q1myVr;X9`DA-hwglI!R-TPFECc3YjX$Codt$`H@We;IAhj6ViT`1%$g?* zvw_&34UdyYZ;4FPyRka1(6_f2{vY(MOLi(*U#z?oI`Y5CQ(L&V(r|_E$ysjQcl!zp zLu2dL*ls;MH{W__T7eaD|NG}N+{Djvr`Hhspk|sowFdoQO_@8p1{=ManeNP*Vs}za zi94lcsyn%+h*-&yZvX!IWOsbc8%Cd+{rvyz?o)FY|9|73!yjLxnipMtYChrr5P#w_ z)f6C)eTG;GyNvX}L1GoZ>rM^KLw3H=ogF}@6Tl`gVBx!R%_T-hgDWLa<4O*c+Y6QXKODWzA%O7soYQFemdncD3@vVVx6^*EwK)!V9z&XnvEN_#*2rX z*|;@H>D%eeb^WJEOz7CAn z_2Nd9{5GAr^&E%34&*uXb?_pGzTP_7p|1nQ4v!g}?$Fm(zQbc~o#oKify*5FI(UUc zUt2$Sc+9QWJM?v+!lAFXT~wHqsq@`uh<>L3 z!#dU=`Z`eT(AQh1JM?v6mP20$^Bwwn z>tzmo9k{}wuY*5#=Yu+E{cx7_W}*TMVEJge5s+xjqc^>56)Ex$GS?iqadOy|2Ni+1L_iqVuD8@Ft7XzQ(4xblM6y7*>Sp7pXTZ_EF5<^4Y!^II|U74O(x-vfNAILN1CelH{D z_f^FFp5)Cd$@N0(|M!^Rw|(yZQOxg*AH@7_DU`e;C-4e1f)m@DnBVq2C%(562c7os zi?3h1h*;mH#QGlN#QOeQ?Zw6yS4{CIRPW9o$N%mTjiK!5;}rjUT%z&N7vQ9>vdz#x zPMl?@%(80t?l}03a$;mxz|Y&UyTONwul)$|u{~#e`e>!w<;3|WKb2>SsXdH1%8IdV z5JS1#?dBW^C&qR$Wrjy%e(PO>n8jUVar-~nXE%K=uO_B4F~ru{Fjn%%!VIxY$N_&+|ZM5qxMvF_uY~|Heo~Ew7>%_bfbrk!v;dJ>Ro|v zx%UR=bNy*Ga8j~HckjRsu0MAngOschpPv84b?cslTE(f)0X{d8-(%OM7}z<`cD>+{v_+AmzlYFuu+ zd^2^mxcgFPuFVgfs5Y$QZlm)rl-~o5^`$Gm_D`$%_SJFG^0}1nO&fi9r?34^6LunM z<3qiJox|s@gxW7wC)Dn6CED-kyP7Gxmp1nCuKLxI;k@%Y@9fL)cK*rbsr_=bhjyHI znklDm*~7bgf7H%@oNgzHc9Li(`A6+&jGXW3Y9|(6-aQGB1)LlxAcPIOy(JKmPtcE6vV1 z-0|BlitABO-|XXzj}0z64!Yu^+x%>T@tn7tG3VFtv!_-V9TnIw%;kN_!T0e0F|NFT zb*6HyN$`BEoi^5-aFlS9@Q!d(C$aL|S%;o8{`BZ@{yKL+_^RvN0pYA+;LJAGz239& z8Rc{iMG-On_0BMzLBP2R#gDi%hxPXOk{aEaiDo+XHtERVoxV9|5&RIBE9U>%%$dHg zl{MYQUifkU+Sy+Y{`_nI)Tgfg*?of_{YU*;x6$cW@h zkND=)+1HrHlApxJ)dm8+s3-Bbv(!JNH%5-@0iKHwvlmG+fJj_?%%;v=V*;dF4Ohh zKVB=^*RqBBfOD>{v-z~i;EaDod96b${p-nV9U960?tdZr0KETq<2X5fgE~tu#X5$s z^EWfntdl!|QMRp`bd<84{Qs7%TFEfSR!#cOM>$KWOLr~1Cj1UDeTn2{s5WtmoN*^Cn~BL_7xYXtJ>?d*kwXjjOS}FLb3g;MWsucBeM%0p46pYyuNM zD*61b!XDa19@&u(9~0zCE}x!l=G`ZF7x|Gd-$-k~7a$mCrZvR#?B6LDN4g4s3Z;|@ zZZxwS)?oAeIQ8NC66Bm(pPsc<&wIWMKachJWNtQH4b_x6bTKfBKB!&Alf=g$B>!fE zYkYEo^_11S(~UIW4*Efis^Cug;x*D6bf3Nk-DY|NJ~eh5D|vS(@9d!dU9|szk#65t zKU7|IuA+@p+Eg3ZR|nI%rhfZcHqg4pUp$y?KX=}1qHWs1#@X%LL;KlAhTT4LH~OB@ z;HK;~_*b>ic9Ur|9Hwpjt$ez_khYX^UUcvlwMASD)vZ{A_yqZ8;7h4*);-xa>w06n z@tlDjag*C9dCVM$|Fg@-7)6rs_3#p#K=-$EU-z&XDQPhWhiM~1Y=R(u8^Tj11I&@( z6z;9;XWa7alx5bYUdt^{*1vxq1|KanQ){x#?3$a*v>M`))DRD(27AgHY@K!XP0dtS zY5<%SNJTD+J#(P_ta#4%Nqz@k;&(Uo3%z-VR(kW={ocI8cX{)w`V}<>`_0^T@EUL4 zdh)yYPvg4%XOtr)zGPlK_u3xu=1tfA+q`+YBIhu+N(}tzY@J_L1Ja6w=li-n`Lzelzl=ev7xYm(WMj z!)JN(()7H_n>U8E?LM{5^BdLn?b{Ad@#dv--CC{oZ{OB7MD5?ct$l&o=Xs$wufil& zpy~06W(k@ZzF3%Kjh$o#hFoOz;OvbpXDzeZ$4<7kp10i6o@b4{gOB+;HD>xdy!VcD zD8=^Kh)IER!+1fqC!8nIT{bG;%$N@Rmi{?sH}Eef-$>ey4{kg8arkx&#@A!Q_i6r{@WVY=;<9eR5BEJgZ(1Lc z|AzcA($VwZ^z{o=D=y`_qInTc2*-6sxNiW1_^E`Yt z1(&u{_9*FL(m^^GhM3CeOF}jH37`|fuOKO?SiFD>K!q#G_ci>Jhd351@io&u;%3?D4V10IR|xvjrZd^Q#BCrx z2Yy^?SH7@e;BzwZ=4aBr&fU?zA{GJfJNxMaR}Z_aVzYh2v-!mJtCLUC?0oA5&W1V0 zJw1Ct_uxeza`o^XOSI!_+RvV)Pb!l{OeOhUZRUMls}H)~#=E+%#CKQM>+x4nJ0C0) z-0u-=T(-;K!}ebbaq| z&fAFg#ZJ4v>B(rH@bCG-H!h@&hg>;6eW%U^Qr+i*V>0=!iTF%@>`FTQooBLERX26{ zj&VlW9~r;F;GlEOo()<%?46*KI=K+(|ESg&du~+=e6tocGl2X`#Rgc z#xKVnHv_*q-OmK~s+^1O%%IH#zS9IxgYz54@q9Nl$Uc1ZrN8*Eiy8>2to*iQh!b9lL&g=P2qEJ)!pS0gCo3)0YWe?I89b`nQtt=J+seMMknm zX1Sbuv!eIV+m&oICxjV~i10P|IdsUKUUJGD6UHYb@)vOGA@q%h!KHui{HRvbQ}cnD zS;IKhG=NtbpPJofRt@7)gWr`MJFfz`Hv*kvkn><$hZ@8ci)`tqIlw+#p#$F~ulJoK%rXRrbIwi`d! zUR>YKJiUQWZYTMV*i*gSy@DSTfAZJtsXXqzNKCXhPp13z?kQr`?kAPczvg-e@iO+~ zclj>!@igr`OWXPQ&E>c`j|JbkU*ZRPCw`#|821I7Wutd)B{uv=M)!uL-1~+#jz5x3 z18UE_vFvUC`R-KTH#}1ec|FsaRl0tOGjH&(30+2e>dTAx@5Ynn5KBpY&vC~G)nA=I z@AMHrcdqx-?s48f#vanO;EAq}^IfXvEB0cZJKdK<{vrJFRM)Q<2lip`5ys&&^rfm- zJ6D-EXm1VQ*^~Th z_(5uJ*6@uV(I>@%ew=xEf_b}~I1^>Wnb2Ot&)D8$_!Qgz&6{aQ@8v^R@8G?|>^*&R z2l2j?Djw#3_U2LcsIJRsQ`gOu*EM>4;7o5HG{0{z_g7P|?tjZ3R4m!Ap;NyCj(psPj0Vl$#qNyYad6cM;!j9+(FG^)L$YHP2u|?*KJ8caLouw?zF>{M<5lV# zME`Xy{$dB$f;rN0KMlQ0`#$N&<&XX%>#Cl$`XFV90T2{#qWC_Gxei0eseQo{^^2I^ z#0eb`B6ftmzvbVk*a@TAr`qrMIs$ik;4A9DboFn64O=*LcC9Kc(!NOxsZ`n}zt6nrcJKGz+yDRj{r>+`W8Qh5 znP;APX6Bh^mUrG?bk23?9Pq-t18jkJLSJ%(&^Z=$&~x7cp>tmT)H!a@3%#KqTxF0? z+CbRgV_?mD;Cf@zmBFSY+N++U+v@PU`-$nX}62;JMmlWQ?oE?e**4F>BkgxGNbfkip;o_eoT@1I7%OIcS?U+5#D74kJF0G zgDCxJMV$zx54cp?%|?Q9v6R!HchhrO{Pc9#tU@ay=yeKvjJ0;$ADg$?jeV_(!^>;r$mf0M z$XPVt`4jdhzG8o(24~1pe>ATiC5LaM55>8=B-mll@tD7>`rVR!AzfsV zU8J(8p02XOrb}704K2s}`3t`$6}>|Hy4-X*3u}=+J6TrDxb~*0Jd2KFv`x`*%m?F~ z5N)a+cVz!tyLyXuMBB_ew4b)N)DP{7wk5ptnua@A(3Vv5(orVJF)!EDPL^-kS$2{w zEyzjfRhhhZ;jT%eZxo&eIOPZOu0y%M(Ybs+=JFJV zIdC0x5qOope?|F(jHpb^U9Iw|UShs$1=--vpVqmrQu;2;xfWy18GNSGdVvmLXwkM} zj$=6Z}!zG#vd+ zM*Ey;XITc``=#>8fum;wmLR;pB0+X2WyqJurQD1yOkdH2a$5No=MAS}H%`VA zz~~-d0Kzqv{bdC>Du8w9c`vz|{Fg@J#V7_pG0c=hw%q?sPz3CrX46VO0VY#4o_^tH)DV4FUfd!IT$X#>0%b`JA|~y`81QXwmu{w1pA6D{m2-1 zY!pDJ;2le!<1Ax_=g!bq$I+kEpqu#6QLoXjs=%ii;iv7zx|1!=y6r;0n#_v+6uzs@w`#hAM#Ga{rG7$&>3kc3+5Zpp-Op=-S7@B+#%@48cTt!&QvJ-(7JEUg07@z zXlQ$Tf;gueX`5nYVpT)oV7+?RjGFrw{ar;?I8m zXW#v^KVL$BrtJ$hSsm8In0EMQ`%?W&`|?E_qI0bXv@dGEO@>aUcfGaQbLD7rXp`yn zEI}P?A!;Liqw}Rs>`pk#NOdy5uFkSA?&LN4Ms@CD=v)e4jP~9JD`-b~^QxT|%6H(y?ti9kv>y%iHwnLKg0sL|J7f z&ayDzs7~^NE~5H$vm5pR;GUozfv744@B!aJR2qCL2wZOoF@S-Q&} zV?Ad%>WS+8HhY1#gAB-OXDe@iwhe{9v<+I$U8tYehe}Q)?HS4+`VPb2@8kqI zWBmg69VMUW!Ad#NgW$e{-JH>13RA{>p>jmONI%Xd@6b=v>3C23@D|*2p8`kq5B4u` zPFD%%Wfjwm_1odj0h0mQh!1(wai8he7#Gv}vsLnJ*d&kMO+ami0*=8Kl9JqGcZ%T` zRkli+4dmPz=PT$sfid_%8%VnX`u=QXYNO}*vQ_im0nf!9=Vy?2GVTL0*6)COF*gse zX5${Rxye0jaCb)kUQ(H#kE^TzI;9@Yj;)y14-Wj~QJq5d3DqmKedJsAkX?d}Nc9bD zHQf0ig54%cyVBbgW4m(NBBXhRwK=Mj>fvyY3uDXFL8q31#v)@POE+i9HZPb}@Z3;Z zPy<~`AOk9gQ;XVPKw zc4qp2o6Y+k<-j=1*u3D2v3b$f85{RGY!z$R58kadFy;{$!|7e(nBQ=;4-aU%kVR!i z?P9to1zs83U@~k9DmP;?W}kO$?d4!qHMj3sQ^w)t2akMui5ZSB&C-I=iqj0{QaTeJh( zE~&1AZIOmOS-NJLM%$+Xz;ntAixENkRT+bQm6POC?r`rvC~^PQiz zEn{;u-^-#l!gAClfjnC3lQ8v}-i+^{Kz>P(ADu%apS^%J$e50|R&1-fCEZhGyZFU0f6SO}p>`4B{ylY`cmMnM2Oj+LUMA^=R zvt+xD&z3!g-ta`fqIR7Z(zdLn|G$}g|Gm$Uzv!S}`wX3Tx5$~U)&1}Hn*)&PdC0RC zvP(mIdxbGJ*R-cBk7M+u25Spx)>7DIig~Z-`htrq(yYV&$Tz&}Y=vRY zggeIrzu?|oX5K8rT!yx9j5~E0cd)i7eg6{e`yzBFY^}p@TrHTk1Y4fbk+iMlcfna! z;JjhSVa*~PZ6-Yz?P?*FdnZ>J?I$167x6CEpKYDfV!P2czO%KBN4CO#ZR3kuVgJ;| z(MOmz{_2;tg|L5U<6%GB_$-+^+FK6fL&q(ula!&8aMWDx z_mHLk)ahcJu@&bH_<}lR`sFOyWN+NR2^m^}=Oy6v4fGe~_t&xh*LgbSxgL9@BJ?Nv z-8-t&lE8nP-ojny%-oymuC_I;AdHWE%&n=;iUR*a@QZOU4f+i2KuGUCW7ZxNQ9d8G zWt{-!iiYjD6Xl^cI5UT7t;bie%P*jO6#i@dDnh^glfC|TeTBMa+E`d8f_2ot&TD90 ze(?2&9q0#pa3JhLU!46Pz`Wz%j5Q*=y?7=?rNjwc+GIvoH=AF#eHv5 z-1jEMeQ!oYP^ZS5E#s&r$)2Gu3t<~zJV(9ppwoF6(|8zfc#sP(%^U6+lUL8;VC{mN=O-mH->xi~8czzk_&z+&CiikB_?{>4FX=E|=3##V z;{qoS-fmloUF>D)VNdHj@J+xQA`cPhKE<7v^|`P=vX0sXZk%rq_;!*6UeWeejkb8JzIRV*puJ8qPL=3#dGZOV;$xq^x8$(j~CD4 zokn~+G!1v3reS|84fD>j_bO7%a}3M8S)8(J%&oBZTc*P1mR;ov${=$%wK94~G``_j zArkV-%)WY-)nYz`@3NGIurun5Bh;S`V9Gs_Q3RorkQ`;E2i&6e8zhZ^qmNLH>A5QSwZiK>;s?9rQUSHnVk1H zi^USxJ)!GnurcwWLP z88nLr$P4dOIp*p~i|PB-{qUXuQCsI9L^j911nvXQN?(9aY0z_NIgmw89LYG*F4?~w z^o9xCL*R|Lr0@jF5C0vDO9nTf4K>X?#q6IMS(C}Z9Kayg#~iGCB0laAxb}GFahVbL ztD*3jCv)k&0*i*TV`v}e<80fU;cVM>tmJi%IsClcNb_sHm`_@qXw5hHJIR_*PNga#ggW}e87tBRKB;W) zqrUKNJ>FS6;gTD~7V&XsB}q>1(FERG&eHz7?rGw%GJ2_#*b}G|x4lG^j6CP^ll`~N zPWGqoZt#`9>AjP5tjK3c_qrPJ2UrB-UMP-I9=(gQy!9-gEAE{PqW4ka?g4rSW!qhp z*;vD;cTqkDP1sl$&6O0=|9%hUL_+p^iloJ!;H#^GjzZWLX*WDOhIMq6%~Yd(P*CRz znFx6NbR!mdXWrymA>=0ek76xamknFW9Jqzei4`?0vOfrCALleAR_H=j7|ZvC;k;uI z?p>XQbs~CRj^g#EnSG&f`hH9p?qQV&+)R?}ALdV{bMf3Y&R`Jbf&abPfu7SGee=g^ zNk_6zhV`*P4#pp?Y+dZNoPbTA>kwuxdaY9;JX8KIaJq7!^ ze=qkGl$qj#bpN@0lW6&Lh(o}S-{mxS`~&dZCXd)eq~Uw!1sU{A;i zHkw5(Mf-33iS6$4mGJ_Wo13I%vKr$C_O^M<2n zk;f7$3~&+Imm!Wf;@~@_KHiAqjX2%{JhK!Pyj|19{eWN0&`|VQ4E$o?7Yh`9UUL*I z(mXymoh*vZi7_X`aLg-FOE&;@!6?PdttaPCtwP<#56X)SG8+oJNxkJUy!NNh6t zU=4IW?ybx)!kp_Q^so);b{f*WK{;zU+7@`{$iWNGk6QH(=ALB{7%MJ9?<7HwJVCu! zAig%zQCetMb*G@0-lDD|f6+r}&_gWfAv5Tq*O<$)p@#~P9`8M6{F@$1!rlVERS#hf z2R$TAx1i^hA#3o#+=qLf13iTHOvg$qYqG*s{;ueY6lSUS_PvR_(#WVC;>BArI1Nmf3M*X=G?CtU{n`)K4^9nLS9>wTE>el zs>%LO(_6-i3h++jP`xKXe5%vT%9|a-x8OVmWKMOT+4Qh4VQM)0{i9jykG9|N;eT}M zWD^oQJtjWdW_)-|+@$Dn36Y^TW20<>$BpY0LjDaqHtIi+A@S4x13NB!%70)(r^Q4^ zg+|4P2gip;|5qjxLjH?CU;{&^#m5FCtCk|be2#2r)VZechV^bs?o3w}D9)3$igpr^<;sFoG<^m6gFw$`W2ObXjp}6?4 z8pw*^Fcm9~Nmhud@2ltksc1dDtuMI z5k`9C4Ig1z0Q^vp76DMeuLVL-0%r?6e3mV65;*uQ_$*Xs1OkZibpv3 z5HP~PBOUS=A%79_M;H!1@<$lV(;qYh{?Pv|0^sxE!vRF=hYdWf7dG$+a}kCQN1F+i z95f2kX!$IpgX0U}!vW892H=@S2|U6`Cx8z}v!xjbX-05DRz$45;7;xZ#Cqx1W95I6rM9x$ z7XdE<9$}<|10G@U$^1}T_z%rY*@1)4R0LEl01^Zwz)OHf7!E%02)CfA)~8Xq+;)f# z2cHWcctn7M4?NDwU;2OsnimLNVHeBcqk9l~(%fkzlh8e@{YJfE+iproX%EE0*u8XB6KIy$<# z`uavj5{ZdPhYlS(nwwi#SXtTF*x7aN?BL+!)U~U#vx`g5o>HlsTc19C`+9kKd-v<- z>+9#|?>~6((4oVIjT||8^q4Wh!DGjc8#iG>SXe~Fq)AaxF)?v*2?&?y?S>z*8NoIVW|z4RCtf}Ie7Wj7dsECL;hXb2p zpFfUK^j+h4VQA7A@zDJZy02XVLPJuoM#%*leY9^M9NJV_Y51sOM)2uf?7ee7-A+&p z38}V8{MvJU`|^!hmm2NIsk?TmlCA7wU7m8L`1ZRVE~b(p_jj-JF4;0{@Rx#?Qa3mM zvy8$ggvQ0&jAOiivsXhyAWHh@KO)2h(-?8o^#8|{qyZXv-&%4?O8T+ z*_A+(n3b7hru99=GfSH8TE6pZ^5?<|6|Emla}Vw8HO1Ta`rd|*yE~<&XxrcayyfB1 z?jbrB@tovNnxh`{~^&GAo@;hKwdF1Z6 z-ikdh)LCt=_|T->bo+pJw>jQr(&dXbZ+qEkSX7FNn$5@l=Ns(YLM$%cuRWN)HMjDt z{eW3Eu}6e`)A}sb%s5h5Hq-uyYS0GWpaDj^doSoDxgKWv&85o%?lkY28{Ed^#;bI@ zmvTS)M`3R1mP6gSDc`*{*4n3}?$mnSFV}g|;h<=P>|@>uMT-)L&l~sft9=7^zob=& zy`y8%O5B)b4T(?a^k2jMnH3I6U$23KBtEW#C4Hip4vY*AkBY}C zg7E_DHK#7wjdXqdZKiPYiQdP3gRd$LTl|^VxMESokv!djeT+&MA6heiYjx!Jg6{i= znVXT}j_loaEbH3AAE77bS{#@hs5|Si zp5>E4-!^-EyS1#)`}F-qU-zl^f4K6cdH9q$TSwX7cDnt|L#MCJyX6OimqkCY>oswl zQg65Z?tKRN*tPndTYdX&wln$}1!>;$b*(BfJ#FfABdJ*Q<;d==j6)0C7k>J3)NYmB zl!u)!o0}hw34D3t;=^+Z%O9(Zu~PDqRNAI|;g2}`Yo z)6tkgvEOfSrpGkOtt_;d>si(Fy?tZ7`J8rrq;4_gD*TE1^MW@nEjqD!Ku-3C`@5Y- z*}Z)qUwSm^rs3Wahxpi0e&*>5x^I2o!Q_ViT)iI^XW#6SM?I zR2N=Pd6zrH(mu%Wo}t|59frB}oc@ZRQW9poRX_J+Mfd#^hHUpt>c0K>X9M>?9A2-# z>6d3UpgbtBR=M(Wor&p}#y-y+LZ&8lO1`qO)AuI>6U_U5*q!mZOVybA@j1<=-xtgd znx`_@Z-`3R+7rF%wr}pcXFhw+`I^3BxyuLBt~&R78Y+Bd$4lG zf|nKTx7Qcl=WXBy`8>>B&Yw9ka9^*xXN;n5YCH_x7BzO`vfN|yKM9sgw|_7>^Qr56 zCH>dl!d=@sp6XN~9v}SDk)AGU!IMkiQCn|bsl*BbEZfa<(WH3fSiFAeV2Gz;nP{~R@u7*9WcL9 z65;-}{?3Ojhdp0*OBmkyvz^r%bxW^D>;t1G3kKdZx%aHy%KzZVKQt~hblhJVl5CsG zyQi)?WpeM4w{LCtP4D(zKKz}NJSCZpUQ zr}$Ya`3z}a`gD8lliHQ$2S&q`NzLD^5s#81!A3 zQoF^X=&h;Z;m_aZx~NYzm~TG4+tjp5<&B+>KRx)kV?f}y!LGOxF(a3r%dVyRpac<2~#QEsb55 zbe=;G1@*XKTmsEP82W%#Gizo%iy?m5Do>Y9luei#k}h z`_rCY)d$xtwfXvBQbWJI_d8>noF-rGxKDS8VXd;8)77DYX$seZ&WF9IF8`92b9g~5 z+`T&8Nu$cR+WiKsJXNzpW#Gq?FOSMa+}fbc9bz}}gmsswqCGDT&uxske>85^_Mr|# zH(npu{B0?3-m$e6mW~$BEB+7Rv$L~bZ_vZCr3+?-p$#m`|aKW`889P8^7OmS83kraSF!|EfMv7Qdy=~ z^2}+kvtxx`=*wO2IZqBeYOO5l|9Q_lTXmiF*=@t^L;B_IGb9sc3^tlQKPl%VXMk15$$RB& ziy}2H?dzaZoS=p z9r!Q~QZSQdT+0CX&uM-c9ch|ALk0%A_HlI&bQ?S@FdW)SGCn$1LNl=I+|}9xda1=M zY|WJdei?562Zgv$D7)WM_%9x!V?v|;oq|0E&A&6i!2U*Zkf*D)9o43UK4E(B^V!j^ zGxO{}$d%d^9yB+`@D&mY8WcVu>L)%90azhSm;F-?G}@5R*zobwX~aL_ecastC(Rb1 zKWXs?wfdBBaC|~+=s!`ILTQJGFayJ1@qHOaCGpXckl4`R_)rNm^N~!5jZTO`1&xrn zMNf)Jh;K;=MV}BE|2N=Y81CEGP2%oJ`u27A{Ie9yum!1v#?lO^1et-Ub=aU`x556_ z4D4siU_x$@p~10Cg2DY@m$~=-%k$5;giSbvN92hDQNjYKm}n6LVnjL+b7Dzsh$C?( zF2s#^5HI3O29e<;n1qrEB!WyLlSvXuA&W>lSxHutjbtm?K?+C_*-ws>ljICJM=Ho8 zQca$bT2fEmkwz>#%d?bNDl83_4oi>Kfo0EfVs&G=uzXm4tdXqItYFpzRx~StHItRZ zN@Xp>~D2_8ImS_AT}U zb~XD2yPo}#jpIZd9!JbE;FxnPIgT7Bjx)!FTx@8O}W;m9_60op5tETUg1`9tGIRCCT=sA!xQinc&a=N zo)%A!XUa3@+3@^$LwTclp}eWQIlN`OEZ$1qT3$A92QIQG;1%(X^Dgi%@~-f%@hW-u zcrSPjyhfh9oRXZXoR*xCoQa&JoQ<4|oU5FNoR?gGxj}LPawFwJ<)+Ie$)(7p%59X( zk=rU)AXh9`B6mjavRsAS9l1wx@8mwqHOe)~3FO7{M)IcePV#-^edK-R{p17Whsp=b zPm+(5pDv#+zeIkce75|4`4ah3`3v%w<*&$B$lsH%lCP70E&o}b$5-KN@QwKDg5>PZ2oqB0skofIKPyCk$;c>fM3P0<=68+@^R=y zATKZwmPQCy^$p}10UqhgWbe#K(N62)_h)r!v)>lEK9epYN$WGQi!RFuR@MoPv? zmP*!2E=s+We3b%}!j+~g%~48KTA-A!v_xsEQohnbrK3vclrAV;R;o~{RJy11OzDME zgHn@HvywnrOW8o#SlLwBM%hu>8L!C=RUWQ9S~)^_vT}lQqVfXeWy&j+*DDt)A5<<@ zE>*s!T&a9d`L%Mr@>gYf6$KR~6)lwxD&{J7DsCzsD*aV_RR*aHR~e}?K_x;ZNoA!< zj>=Y*9V!JXMJoGMN>r|?RH)ohsa2_0X;f)a;fPd3Mj~TT2a%uK()zgaca}m64jQetybHuR;0FHtyt~2+DWy`YS+{rsWqv|iYtkzhs zv0tM^YqVB~ z)>N&TT1&K6YOUAG*4nOBq*bhST?r2Ca`;&06x>Vr>I$M{OrjDPSj4)PSswfy2P#; zx~jTby2iRDy4Jcjx{kWNbo=Z2>4xh@=+4wl)Lo#vNH9K>k0J5`a1fi`j-0E`u6%R`hE0$^nLXM^yBpB=%?#1(O;{-Re!tw ze*J^`7xb(28}z^G3k>uOj15c-91Xe|^fGWY@G%%h9!n44bK>!GrVZ{z_8k|-te(|vX3j6iz?(Z zsP1UMlr{5@gc`{0xio0cC+G4WJx#9%`9x@4dtYVM+vCfT=g&g6N#9T9B+jv}v)}w7 zr(2)fYfi25t?vEghi=mPr7!BdXQ^z`v@EwD8euo4{Ne#=nA35;kCYF}TN^(|o_{OY zp|xpVLvh)u?;#!he&zdr=h?Hrt6Lyl7r^P3Kg})*{WHYO7U{~>gxK)-=`B-6x_K*- zNR#!t&~?H#@%`hvV(Wp9(7@o(IJ$z$r(5K7w~}rc(r3m;_$RC_4&6|sdreFnS~?o1 zHEoMWcRgF^F>xsg8o4DJO$hp}G?-_K!;eYB#09dApH|XsY3Pn?E01jqAc*aG8oy;X zmgdRu#_-8xN~u#qv`jR6x}DGPjb|ob9JUfkX#|o?myAVH{FRE5X_!bE7@n~yOyLX+ z&or*IH7H1R|O46H3(3yAVSqf>MX4;0SC zVaWW#-%oxhFH8c;8}rEI2iQ;k8JcZ;x8_R;bJ1<2Om#5Lt+kq|7;)|b$CoG$&ol-c zbC!eg0cWa`iNjP2jlr}u(4%RYs-Q5M62CTDz)-rNC8cpFoT1zDOtDg$8_g3x2G>G? z(rU?*NkjQUJo;m3G3B82TKH|DL3yERD9yGqwWVQVfCeSoDnSV@4weuWc7q8Y&p_cB zI0>HM0LL@MF>xpkKPDanqc|%5*0e2YBmgmKT4*E0&~J@PpOI$^%@*8W@}s=9<=c{9 z3ttpQ>9_DhpXm>{pS*!4ekcRw`DdAE8YUjaAui!d2}zbRP>PVWJOd$>kYpMgKAa>O zID#L18lS->0}c=qho(zLfCh<_@flh)PBMUSNGJJ;qcmw;21ao$&lJX_0|-Ch@t5L2 zlhQz5)KQue`V4sMGlQe_Xne#499aA$hy$1uIHXB#!7(sOE14m}Mm(I8;6f8o&sBrZD73e=Rr~hdK(A z!nNUAU~TDvXu&ajwmdWWF+5N{dV_W=jaFVLjPml6zgE6l_?J>)B})jID@kt66q(~W z87Y$CQ#kXJAP%5xIL4=Nz-Zbw7$8hqCJo^9H<$jAARbMNG&FuPK$OWg+AU%H1)jnv zj;5hMniu7REkPRi$rJ{kQlWn-Y_5cc;P6b-G5i5S(=agLXc~qWJkxwAA1!=a&fyZ1 z0bYX!W4(y(jH+JOOB8`Sa`xa#^ zeJ7|IqSMXq)$FX9n*Jw_Iu{<7cZ_?q(8bE(U40*;8xaG05pp(lsoX&>xAyX;o)^cP ztlZao!?-!!c)j);e=*w~6w%-1aE{NIsr4_0oBc32X}YC3_o2OK(aF?_z1M%8J=^Zo zv!ml#+TF}2PFv@Ef;%cLaGzD8-kmic-MxmccMsFreN@Y|=Xk5tZ(`Su`Or~%W?(U^ zSAl%6V~?2mTVhX17am(NCHva=fxnf*H^2D{QjXiKib%S|^875=e${#Zg+q%rcnmZ{U$C&|2_WqB0HNMPkO$1x@IXaqWX)qj<&&u zs2_7&)i~<>Wdp?vMw}heZAn_EYa1<6&%dsCWl^8Epsd}obe_}F!gGcVl7jds1Lv{n zJJzom{@L~M+`$%I1K96J9}h5(>^^u**Vrk-gI%;9davqe6+L>>n&X+7_sze2FgR+q zPJLGGT|4pqw}(y$g9^(HX3yC;!_8pU@|Vhi|5k=`A^qokaI$_hOjl{I=bjxiUcJ(p zcjB?$Jvb-oN2M{ z;=mkz_=WfXZyt>eMycLR?o1rosh%2AaguPniL4^GEIaH4>B0`xk~d9VM*auvJ?UH9lcg6B$!3?LU6U5#nZ%w&YRocI3?Z zuX{?ojELKY`@25B!#y-$oQ4h?vqw&u6=4=o+NWJ1qLcoD8h z|MjK-(krdJWNWP^@!WCh_NDu8$fS+~UoX#oM;?6*J-+XKK6$l!S>MpEc0@~*s zsNd4B?wB9B%2keR-t#TPyfK3)bg$ZG`l_BBTN;>_x0Xvr?;bx@DoP*&2P*}e-T(!Sv4-m1zH^6J~hs>_WJNRman*>|%_iTjh+%cnIO{+51DqH)>s zP5ns8@QfX=^sbRv=@(AfFKH%TUj!?PL>clnL8{s_P6u}`kFS{;asv`9@%kD|CWA` zO7wKwm50byLHKpc+5&QSo@Zl6hJ1 zx`mGLdNOMt`7n3?pvVs#QIBG~`J~u-&7Kd{FMdmZrhd~+T#bIkQgt$aTlvG_bOD&z$8&M+e{vxnM>rtwMqs!Q7=dVeHG#-_fjGy8q} zuN!xM)>^x4(r--q^^D7MBu_v2SsOhd_t@&r@&yk`*3FS_ z^Ztk@!#b=o^4Rg_xBUM`z5XAg2Y-ApsblCWVqG7UeoMTHXl=XKZ>woJvHL!;|G^Oz zWK7}1b`LJ4lKhF?r#*8rCTFu2H(hbfA=WCjw%Q{cf6IU9!@Pn4Ub>{mv!osU@7^Ty zU*)edU;BboFAwSwP#Q}5X6-Rj2>wQPd#5Q3KKqX3U#z$!);&YgPHF3nTuTl9|Nhml zj9oe;ej4E}sczKSH=nFi3fQq+?mn^KdCYy{stRHwHh+~IYe^ccITM}pj^VY6r)jqn z@8ghPwYbBW>%XPn^sQ6fP|r-V+^(H#x#dpseNcdV&fTS?a;#$$88(*~kC!b~pT2}F zd40!4f3peMuel=IIDI#Hd3Wk5#e27ZOaCp|QCKRQLNcD8TYr6LEivUp=vo_xlVgLc zl4{$9ki4;@`<}_}OL)!;wO_j~Aqy?fjNi4?i1;1rkag_))8Eq9+}UH;qrkbOJA3A= zRJ^Pn%JPZV>JdiXy}!HVYO^}|s@+?=i*sjk!^3&ND|at)MR#7Z?Z}g)#7uY3jdF$G z(m(xC$)w%ROp^OLMC#n&PqGvh7wGi5NbLRpu=JIalFUWEnQt|J5Uu?mM{KcXkv~j6 zw=Ws0OX`)TOgZvJ?zi-dXU+LMFUFfpTlc1`eEt#AvGk6r;mMw4m#&I(t;&6}Jmu^5 zO(9oEe51`4q2nlW&_kM5`)wWR^Ihxasi>8|r9bi5Nza>dZe;AX3+b0VGD#`-V&mTgK2)2{U(4aN3R z^Fz=5mcCs0*Y@Q ziy@l3hYcBjMofnN7{8If^7r=Dat|DmtXCnOM(?rjG8He^>aXm+q1_5nqU!Z1=4c5C zQ?+tgb#^a_Q?lIQ5hx&X3zXB|3yz4qY`xs$i_dEtUT4;l0GSJ zYLA>F$enF7mIU0A5|>G%8k+@aq-#_5=qSf^M1Q?+;Jdity8 zD_-}LDDZwuf7QCgUHZPSiSYD_g3oV8k@fWr&fZI>k}>;BU8eEk$=R9%!LvL%6Wq-{ zboIo2S4D$vf#~ zaA&GSFVXz!`RPcBQ9kWH@?CZ=ub>+m$h;nwtE)6<0-#6_ISJ~kphvEPYVDS4Ul ziXGkhWxEV@y7YY7SdA>jl(^`Kk+CH!ItZQ|cR!Uoc0$elWu@y*W`x9aeNef5)re2+ zD~xX}s0@A?H+k!pxG6QE=~D;sljoWA+;^B~=>A1?tlqe<+7H!lP1%K3mPU*8O?qS& zj$Cq>wY2O^+60%Y2ksve8}-{0HB9ij#`M`)N5vit&NhL+Y{SS1vt$mRk-~DRE z?#(w%zxP;wEoJAK^~Ktw*9Gqj!k1`utGZ4+I;_hJFU!z_hh8rTe4|dp3YVMfcI`D) z*%%;;S8kZRjmopY0PmKMat3eKJ^m@rV;ef0^4 z{OP6dhfJJz?Tf*@bh$UV^aFU-+AD~^5?o82K304IVC>KJC$%g zQ8-UmIlDTs>(pCHk=wm4Z8D6H z(PUZIh~qw!ng-NwDE&5QTYjb4r?2Nnh&LSja(?BCSbgE~u?^12r-RLR-UxZbndiER z)V|8N_*HO{H+03Yt1GXbI+0rUV3iBMc)h!H#uCf$c~ypQI{7-3u8+6P=sl!*gi>Me z?VhH3UI7+yqN310HuOE&PdCutV7Pg&HNJ-;Mn=D=nirVuT0i^PqMXCYt8NfAEBktF zqkt(P>-;=i+4IdLZ)1x(?lfF;^?Y6Gj%lTxR2< z)b0T(p_e|!!kKm+9i3fQxlA4=WxO1FF2yZr?`cU~eROyPB z<0O@5_BY0izx*va+&+5Wch&NpO(VmD*38=N|3rC?Rmt$lRVsZ#XF8@Q96R>tbL`9P zoAI-GmVLD1GG|Oqy%9d8S4~N{QF%n-g4nscz6h3>x_2JD%X8(1lc%a5227Ro(W#HV z6MS?*shM?QeUCZXdE*|%-n@1sTWQbW$s;*Xrn^zXRE8lK8 z)~#|vuG9Jx7v?`@UB7&@O=gz&@_Wgso$i_iD;j47St@=-u5vQ|_`#w+*=m z4SW8P$vJlY-3xogd;Q04xxdPDjlG7lvA)TY#ZzNy%x2WYR1FCaer~W)VZ$EFt`|zZ z6W6Q>_v0PYx%ok`>+}?pbeF7Nx}gUj8+_ocu0FRysjES$-D01Wsa+Ix-;X3NgTgLs zI+qYN_Ljonjc0p%BxsfGy?6an^WCUR+8e#KjxJVes+ra&FKfY=1<$SWH;8vkk=@Jb zxlc9UsXX)gaDUmmB;ovb^OhO2^-{$J-yXiSY`4QbLumPG+RiO!hJSnSCuNW5TJ90N z{nfRMLqAIPeJ(gX|IWRGn;JCK z7v{~0T)m|D~ux@rN7QkeqHRND~ojI;^sfV-h$o@A))V0;lyWXoFqOhI39mOf4+GY6CE8X2@8&sL`BC-#)jg& zDm|u)mkPpXgpTVZ@efAiSeh(K5`w!d!lM#GB~!!W!z4%;+eXC-5yImnF|pAhp>c7* z<9)BOkOsAoZu-qWg0vdua^nQPX>wq0C$f*gZm5^>^5Mq1TWgyj0>G& zlhDe2>)}qx&`?Q8a1`b9Cnw=iEjfn-$APUdhWnN`cW_S$&Ei)=q=gVY;L02W{udm$ zl8lcGo)9M)9}C(22Y>i(if+i`}y`6*2j%<{7W>{OI7uUp7vR`rvpQ+FCQ?} zoIKX^tHNTFCo3&8KDV#1-`g|gbjRa9egP4aJ=I5O-JT~D8qZz-#^&18qJeK$pUN6} zFM=J}zxZaEch>n`gB$#&)}2m0(k0A(`@N;-#w3~PjkxXJu5-lg*gc(IcDEd(rnh@~yyE!l8Q&LFm8`aS`ap7` ztH+5cy>ix%k~BA;^K$ODd+i@R=Z+d?io2#uH610jZ#8DPRvP)gd{oe{MCl?oW6#Rm z@(xYc$9hbCBYx)@yXlVg^T2IqH;vePcFSj>rq-?qecM?f{FE1NuLh5?;wy~lyF--a zHfTV#W?Vq|`xPgS72(Zs8!N->E>?x>joIagRtEasG486`WzV`U`Kvt=K6h$LFdC-0 z;gfpp(yieeH_rbtO3zvKW5Bqnr@s%%TRbg0Az#uxXR1>>_R_&=6ZFSC?s>=E>6-bQ zA(6K0vije-cZQ>za7pD<@cziL*=KXlr3GoJj_p?;Z@0Q&k#&uoLHe+{)g0Z3N4@5}$EGKKpOEKq;Km5i@M`JkFSeOQWBb+J z(}@tA+4{DmS>@D?^%n;F7Jsek_qMv<^1Cxwr?O9?h-c3@Tc43OwsBcAkG<;monQluk z8)X|l(ERT6>m}~ZzK@2URNd-#SZh%~)(OSc4g;@rHau~3rsMvJ9WTA?w{(H`g!GDM zzTJa7hjX*K-I~>?qw7#vv-?FmE2UEz;Rk9hYW4d?Et7uC?Kw9*{8)D4sHDtkT3aW% zTF1WbHTm1>eIZYM@ATy~k~-U%V!u1W>t6=mXmp$RW#_QcnI8u(TbTG@|2~WKTm4Ob z?5@>pcir{%!uK&3``4YEy!y04&k@$E^1n5yrC0PEz>DVA4ez0x6L)OmS{vTi!AsT{ zDxFp=wKZvecGa?SfaT_0hdR&elip*}TTz!y6HiYllYN(4b@j;IYXJdErW${k+s!GX za`ljD=X+cn^XdLD&!Sl?%)5;XJ({Sys$-L$ar`-RjTeHSq&N;v+IVSjPYRti3m9gXT2vyzl4zeg2>E<6)n@_FB(+o@YI`^{jQ) z&N+B{qw9~U_$5`G|NFznteulTWLeEq|5bBiQAETaX8rEWoIQzghZaPT3$q zC3>WanM3BSP4J8lPYlzuEWD#4(<9X*Q@vINhw<-W$;MG>!96l3;e5AA^Xv(&+p6`| zYwLEuwm$VSWFAY1v*Y|<;Qf$-E8(l3b<*4OYc`7TjmztixkSN#=&ZHgzl1;G^OQa~ zabs||Ou|W@s?Q`^@=#8FR1NalUCXJ!ia}0S)F- z&o@>3YkeK^y}jH%?_`1wd`dI0F|qU=^u?uzCsH}evbreu^sG1fa6h*v@Mny+;efK#D-ufx?d zxM${RoQFyHl>ld=iz(0bxL3bx@u$938mMm-f4kByRk><$Sf`X#sLy~?9lrDaapo_< z&qsf4VcVdu4Vw(iBH|2M0iUs*-%lK3V#%?%(sLcky5d|~DrXZ&=ED;OTuJ`h;+phA zc;fev%_@vpsPa5adEQ@n-axVoyZ1}&cY!Z)6|7+xt`GNHQv6GBvhbWSPsfzbA0(cG ze&;IvEmZnjq4cK%-s_ZS>y>BkE6>QDS18Xam1kcn&#ZV>hwrEG`2ioIi+Ga<9oPul zm()2jlW6G%{@L-aqVBj(3Vt)OKd!TZlkNu2{H$PGLm{&yKLTLfjZa}pd4F7qe+2U# z@TYbC*7X)D?N%u5QgYeW^-9_MO4(=NQKeG$rBX(GJB9B*;8O=5MzlnB?w?6~BpM>| zA^F=F>@HgZoAPVzC+T{=x4k?U^3L_#kB#w$JxDRI236nhrt6mm6cihb6%$Mz%;E_- zlkolFPQi&djLT9PyeV-hY=Jk*mY^)oo7H@YG7)&Hc9bddE#Mjk9dCtPm|ns!I+ZoCY#z7-{&Z@I{@F~t~Vv4-Bt!UO~JY2G**|yg5uWv zY}RYQB^#>pQI*%$^+Q|L)6Lq~Y!?^e8I6$$f3Qxew_YhDepM)Cl}Z`$tPbB#;X^o* zA4-GV5?yx4aMxcUpPw4+Kh#;^PxSU5)}^v!I?JBUBfm0Ma9(>{=e&_7I)~@kZ(g6- zeQ(du%94%W=N!z#`QEkPWv`eqsIugnY~$)OJF7W|cWs+;jH}Ifhx6yz`qen|xo}I) z=c~WK`M)QDTMfSBJ%_~sI8Qnp@E*o{tjoHvnx|2giFP z4X%Vc^;d;=WK(~5Z+9`_y%IRJ#`_rsXTs&kl9sp=4un79&>9}$Pk3?sbs;ye-EJzQ z_5|ndbXYm=gcIRIZHXSd!yWX*I9E0{m8rB)pJkz};S|meuGjhABDlm)Di6r{A=0}=WVZ{Hz}UN{NUoLM3S2i?~t3u488NmIUdfsHlEHN!FFeOw^(OH?>J}g zs3FeNbGq+UWeM|*!jG6x;|aSpUleLmvY9g_Tfj$$kBE;R9}j#y@$quTF?5tdVH`F57c;8@%J9A3kI7 zS*i2goQZ3huFdvWajn()ZGR8f8#>GOhU}`I(GEJ z5|XnryoWst_q96T?XTc^190BOH4ydua=g&avON;l34oJ`>l|I1;+eRjpUum0rGB>J zD)+Nn>1Vgn&u-MWY|qNsz53B{3rj#_@eSbn3ho1e&%3w|MnC;>45)9}J_gr0z#|ja zmFVYHT!F{t_i&Z*s8;Z(COo#!#Jkp4g5Kr0K9;($1pF&Tz0F&3FXL-e>KT=K&~=@q zcq{Y<&o?JRZ)7-ol;?ZsIq2E5dVKoA5{yML@Bx2Kgb(;@!gJ!U3G`cvv+zE6;{PkS z693=DmH59r$GjS2$a%XJ-(}wJCEgalo3oem?!6pug?IZ_W2`w}uzJ52d?_ZHGhr7n z{zQ-CM{l<6EZ$e}Fk~b$m-Y?kQ^+iP{k?Ifc&@NW1((Y&2x zb+G8Yy$b-5u`?+i7?1jgECz;*9l%k7Au1Mz$AZUT~hv-VNEryWSylG7P*^2=aAR-)3{0 zpFc19D3{d)2yM3a`}vEa`HNZ2{do8IsERn}G{{ZQZj~h&ke7FId{%GC*}uBxc1;n% zeoU}zr}wiH{CR@!_Awt0aT2W86*${DjG@kNfJ3jS$`ZnX`lo&g7lK2$;Ab3#2bm1( zDkC_t9L{Qt!}_9!ohn{hoCqJnLB)x1Ab2WHSH{{oPJ|E1CE@ga(-%b~m%yu-WO7Zm zbv4N%*}rR#D?CnqF zf+1%lr@@djlG9+w8OiBatJ_1qF5^0g%js9E$8$OTYBlUC*X_iduM}DTN|E)i6j}dj zHQ`C}PPU5V95P<~5qOjMkli_YXe{1^t1Bg)C7mICNqi^{dguo|v}_+ebO`jYMceHU zwqx6dLWYSi#1G;H$*QWC|F7yK=_1iN3pObpcuT-L0ps@|;tJBqUu%b2>*X%!(OVDN z8y|-pp7df3nL5wyufm>LN6Yriv$NevHqC%{ov1d=)K|7?q~G564{-`Qp%AiCOkR6Y_aU7V z@X=0mBFkAw{d7bOMSYM@Kb6+qF{M>s>8<)20NB)5G+>{^yV5@KvNsZ3f=RZ6Y({4P zCB+nTyxRZe;wiy#&HU`;*1^#-NJn)=$Zvu((pY7?P5^x z1n|8;5)l=eG>liKbAv<^&OFZ0)_ehimBd)}IgbH2Rfvb`6F20EC8u(T399*sT6@74> zqcd%GWgmsTF>ik!?=>sad2hdn`&u1jIp-*k8T#NlE_%j{+u>R!z0fI8mW zy>oWp2K(o;y$`O}bqs!=Y#iPVEDC$6PwJ2Q`sr3v znX4Ap$2F?%QPPh>b91d_NICyUlr-Nu{ z%*ehu7Q84@XxWDPhtcPC)cXpwWQZPnU3j07mL4rF`!)VrD;xBEoOj&K&KR#Lo$OAU zi=}subxwjGA3GLtz}PtFqmR=(a)^`Q(fDe|oZA1tINsW^4u-!Xd6e#h%^oYH=l*AbBCVNMSw~xorFfwqO`+0py1A&8=()w+|#cnA5he!#jC?#Alk$ z_u?(Q_spSdbL(T+@pp87w+Np#utQ@JL+#gDZYi=>_$Xqe35!{wsW)??-7W7Z!O4Ih zwS5BfNNP*)Pod6~5V;n(wrA|j zNKfy?(Q($y*?RgOHY%xezr?iU*ilJwZ8QBkM*?bDD?n>^Hz z`JTa}uixpezNrSW@4C8B->rTgeIs!{$4~70LEQk~_XF{~b7*D~)d>{)Ms^;MN%iK0 zihYw%PIders7d_Y0|yfWUZ_cY?1h7gD?3NyxY~i4Wt|5l-sn8I`F{BWhZDbi;7DTO z3x^XAzHlVb?*+fi$k`UaLw`?NGn1xqo*>UYAd`V74EgA^;BI}tH+XRzCjrM(bz!~@ zeqPNuUP1pq1mbyT5s)MSl9e2hsPJfq34z3-CjoKt1On)hi0sgNI!*sm{NP-;TO&cknO{_{9M~ zKf4ZihT_u&pMII4`oK&}^7EtGCcg-IjKuc^{F($F+C2j^;~q9-w$(3~NjX;l=Vk>&z<~RXoi38Uq{m&V~@ngj>YMQbf%@OUz2gV;uC`gM-VTy*+sqHy|qUkiBEmh&l+ zk8Rt!E52QzCwMPoW+-^k7P`bxM&s5F_cd|tu$FRvW&rd(;GLE_Y*Fk%)I0VBvI&u< z&_uEexu?(gMt1IsKF=hsKi%*z^-271=6frf!O$OKPM*(?dgmm!MfanO=k|g3=%!LI=Rw05%*xF>;* z9iW3@-C_Od9}-6cRvgxDsn0O1KWO<${ZQYeGsIWwQ{^r7P52OxssA*Lfy(PNlo39J z8{xDA@75!^=J+GVCb`T-UWn>b9ShdB{-=3-hwT1~zM*w&N%!izT;FZWR(?PPQn)peRJETr7?_Fv3B`zPCN?VgCW1>zl`UG+n6J~ZIfq&PjRd1CbD*=dG~kVD7d9WB15h!*vmzn;Edp+uQFmFV=W4b8Q zcAdYe z^N&`df$&_3y0xZ1;oe|giMm*qJAQ9^jGUebyu+~44cM zcjC=^)8x%*+5(vOrpJfV^Jl=kkEQ&RG4ka!T?Wj1)6<62^F3fj=BE6UG4kUyMVkKE z7+E+y1Ab0Dh`ErYr74Y>CG9w+F+WKjD=VihEqk#Qzs8re z%g(cIWL}b%&W+4R(#qpTW|d@_)N^__X1`>uVg^Y&hE>d0(#j>??Jdc&>A~r)%3fkU z$BdG8EYGnvl2%5~F})bx$Kv%56yie>7f%_W*Y=k3tr%@M=f|^5IhuKcyV4B za`LTspEr0BAgOw26D-nTu^rmUx@Z$T!5ahTgDq#N74IYkAN(a%A0@$x`T?jT>!c)j zfiFhR11V>jHAC+FTQ9lrM zWc@4}_I7y?#0$(9(v} z>-XYvYotzWL2snai281NBXz!@#gEe)`C_4Uj!xf#Ud)YA-%T&pi9oM~(>v$IA}i^K zmR`~iExn{4H*{7`uc{kbdPz65^pbAW>O@Yjsu$YvCB4wnOL|cTdrr1j)d}tRl1^yp zC7oCayG}M()d%hPl0InZC4C4KJvqIk3#0>DdPxVg^pXzTfQ={rqRPLPURnO#@=Wqy z3;8EMqsqUQURnO#<4f{i2Kgs?Rr%M_E6cxod`bS1L*w+4{I6O4T2l6zt+PoFv~EqCbDUy52VZFx5%cEKHSiGbNWdiUe^Ug6vGdb zUXV_MS0=J+q!*;q+~2|1l3pO+#rZ&b(LwZ&2on8Gq#vZ)kP#EvHqsB$ZSK$EcS%3W zpdZ8!(vL=6V8ku>XwnnXamb2^>>KF`={U6``$l?#wF=G`(vxGl_7TT*?MAbnE#LcT`J7t$*& zU%0OkJvd)TuT;K}ztQrA^h?VZ?r#t~k-m_AseBJ ze=1){|FnD|{nPS=^zR1z5b=fdPvr~gpO!DAe_Fnf{vk)s`9k`q@`dzI%NNo=Eni6g z%AkKFFQk7eUr7J7d?EeQ@`dydYyX@tq<>#Muqx?^g!0)ce@G9t{2@Km@`v;g>x!H| zs=sQ~#0#>&a>om#e>dQ-h%c(Y(%M(qU%Blo=^fS~IX_f?Rj!E_WPjzhucU8f&^O|P z>aSkc#0#>&a@$wZvz5>@k_**eY3-`)uiSQ(^ea%*b9z;OrKMN)S8jSquWrC!5xuIv z($XvYD>uEQPqok|(hJpJY3Y^ym78ADqcZ3b(X09^Exoe8a??xtvl9A4^s4?!ORwy& z-1L&(1d2vZuj;R~^veFqO)u#S);Kx6YP_bUSN2nGdPz@ep(jMI8n0>TmE$!xy`&#l zU*Yts@tT%iIbL(qOM0;qdO`H6@tT%iIbL(qOZtF4K%8DRUenSm$7^nSN&c}PhSRIc zzm{HE{@wJF{9|tor&pDKExoe*yXhtQ$6g*zFUh~&-)_^=tBs9TLhgx9&)`^_N~1Ow z!uhY|G#@R4Jd%v9grAUO9fR3FnPGk|V1CZZb&H$Iu3)d(HS9CHfjwr8SeN{fuS-6B z^KN_h@0KrUU8e58-_?fsg<)?b!@f@;*Y1OSZ_V;>dqTHR?C(ZCAkTpP%lP;&c`LCB z*LK)z8?agPF8hx=3(Ffm}s+lglb!zX^$&ub#pvGY1_ zCBB5RZ~Ez*>qP_3CX~J0&!f3s6kzQ}Su;GpfQiwq;raPbi~>F_;PHB`;GtgfUEn?1 z8eS;XYXvVfVB({#@#FPc;fH$9+y&m;*6@JeGp*qPzqty2oOis=+licKc&3(xC+&o7#w{j9%uEK~dW>f?^DYCpA=Pr9@pypAVQ z`QFnxP8Gi5)`-dOv+DYrNM-n-)34R?{S?7yZv*&|HrAWlHW5q$H z`N)w)>Z}n(@Ueb-SJ>l_G#_#88qsQ^cw!Ca+%-`(C<``!1-N;D*FCT@ zoa%lb^qO@7%FjJ;M6zHW@Q^srGyy&>QWqSNjk%~_-`&#F=GCZUF=zEWAz`njd5$jF zRI3ZZ)n94=+zG&o@I?-80@eE>h+=iCx%z=xsR8p0t9ZX@FycwVb*$JCFsr3_b1~{z z%wu{U$DB*XmF(3TJhw#GpiIWK3NW!>IGpOf7bNG^oDUq9YA_G^Nf&LR`5fW;kQfBG zdnB9rb>!MC=E$DMV7p~pSLy zi{ok)I{>CjGGT5)@xGjbeKa1E5Q0Jj!+5npL9Kh+!E zu^72Yt2yDp<5HFwWGd1Y9`IMwaf@pYct?DOC;X^hyxlr0W6(L9s*N;2rzcfYg+^TCyxsz2p@zRe3D{%szu!%IoD8^6JfT zmF4wwY39A;6>wE~MUJzDyjHZ3S09e6EUy)k{a*449Z==<0ASw7WO@Cj4J%h=c2f(P z_2u}=GFv6}xQEP=-l{T-{3(~&b0RBO<@V(ka@&UEEX(a~$?G0+OM0uyErTwE8SFNa z+j=inuF7tD3)y8HXIXZurTTlwt_3_+Wj744ziDGHC;2^ZX63334{ssE0>@jH;XTrx zd&qDkV5>452iWICdpXJQ1@Kyx-L#r)BX>xW&oISq2S{1t z4@ov#oRr5XkJ8bs>Ovkf;k(702OQ3u?d6v+UaAe>8@$9yHhkL9#a6Q8)43k#(f1K4 zV|W#(o9oDwBT_*$*>ag~Y2;2R!{=e#lV1Bvh2u|1l5L2zkx?!t$gJwiMrOu$i+Lk( zxPUSJ7UQYf`b)ttTglcthUQtx-jC$^;(@+vrGnwRIo({BrqoJXqRHmVbZ3m*B^CHQ zqWFN0($?|Er3~9psfx+@996HXFb3473OHQEn183yEuT*LR`Lh$41LK;KA|tyCr|W! zSlTkYn$yj7ZOUQkKs5OUneKv-pGjMM;uSv;B-M;RCKcF*N#_{D_y%Ik_hpU#_3gCON`7Pi&?Q##9c{SId7E1H3N;=>( zT=6Fzq=xZFr7gCHC4(SfeA{Ep6`vwdzSv?m2tMX-G2V3={T$V4nU#FYcSB#cl7Fe= zI%z=PC#1{6U7T*NuTxG)EQ)-LO!tA2yQRxMlHzj$CCj)Y(gE8el1$9y9k!I~_Xe)t zCiHzw3X9*z>E?b5`W+YL)^C=uM+);!aO?ND!x9T0E@cR`hUnJs42%KkcLs2%!+2v4 zZL@xF==2A!-?77%as6J*_1lcTk4kaz`#Ig*zd^s#qTKo&mf(`&yhpnAd)y%@EL@Tb z1X`DL>vsXhfb_cnIGnUUn0TfgHH z_DX5qiEjNKcS4E_A0cfKXr0ro-&-&Sq~BYB!)c87*Bbpk+v!!V-;0M8aQz;}_1g!1 z*GhTupL4oZ{oWYm*6*~0eNvwHD7Su(J1(V#CrAebdF@oy?*kYE(r=voVm^cM*7{D5 z;9RcXZw>nc*KgTh`l9c{(#H4-PPeMxRZ(vJ&P&)YZS=Og^?TegDKC7abXlOaShs#( z#u$)(Uj`0mG2UAL+9P-&*YD4Uy~6cd_Ni^q_aUh&zLL|e>i4-Qw|;L-I3QJd$GY`< z+)-&`cp{EqFt*Td{4SX5H)9^=uQA?Q|NBVrBCg-x411O9x9oEn`aU6@i{HWNR`uHu z?bh$AgwLgO-f?dI9)Cot3Lhnf!ES5yJB(4T$YKry4&b8CI8*r3C%@U-M1{RaOl9S z&ws2a+jyev{Np=*H@LylF#fGYF)I#F4Bot|)a$75_~N#oycF4OXO8!ybASKI?4P&( zBlm63uU5}(SY25;b@kaLk9=~u>W#`a`__ARo7ww(pVGX!(pS#+o;aT0_-xXc->#Zb z6mrQ@{IVh}S-=Ajm9%=O%G&XsT>8X!Q z)1K|SXUD>qde2_5zW&nt0_JQv@y?Bn;MKJX46ER`Nj9OYW`_?4M`)4yBv>fD)W8|V4YtIjj%b{E`g`egaV z>7(De@n+*EKg`RjqCHv20ni(H<@3k>n^}O?^ZH+Vuja29&OvzdN|T?OubPECmYTDo zd==%X+9GE)0Ot^7;h7)uGH->4Po%R6LhXJNV@LZ<+?DDzk=jKfKl54hGYg(sCVri& zpD4H6l=w~aGr8T8R1c-y+lenXKa<#@A|6T|X8NZinXJXguR&k(rR?=PCL2N}5?C-yfv11HBhy9D#xj`PJ?&AFYD zgD=}}B0h2P+>Up}alZ$T79qFe@Ju=C!rWmQ<_*h`+i_s7P>NW>9EJNIYYk;dJzXoN&j;{bW5AcxNDWSUGKX9Z7xgE#3iAP+R7c9e^U>R~d zfE!$jI00~XyPlqN0(C5otoA2di2og!2Q5QPfUCc&0dNufI|$#6fJ^nhc%ZfjxgAIK z#99~P{bh*tmm#;qafSZ}%xYKsoa3ltag1qy+=bi@#}&C9TsyifOKVUj<5~rn^jmPM z``!bGi?BxPa85kzLM*=war`pmb~vu^?SQ+-Wt(#hbu5m^_Qzbv?QmS-$8imEMFKA3 zb&l&fz@>W2A2?Km+>T?}#6vE`=*tkFgJ)hGSNLqebh%7(j-rmmVQGKVh1?Fu74bK& z9b97o6LC1_tHGz@IC48BRCm^cCyKD{?Z`+u;X?eq46!$OX5hHO9|P`Q*TvaKP{-nE zXm`Yg96!euz8BX(R~FzR#^$)%0GH~Ge(-n^ayyQMl;bYM)yoi5FGFsJ;|f0unEPD& zX4j&Q#Zl9))`i>-#}z&m*Y>VLz(nlKag_iQxt$WK+wZ|+MOZU;^hr79!kl;+=EKX7 z+u^v94Ejm?U0Y@!MjeY|YrDfPY zUh)bZQ04UiU?R7}@jH;XSTB_mJU8z*c2A4zLjyHj)e@Hf&Voc&UC@5y^3QLS+%j zaw(Txox@K$=CXzDa*=K0a=q!8OIk|uY~k{3xK`=1bsDP3cRSaZHx9cD9b#R`?Knu* zRT)Qa2j49Ydn0l?jjFtt>OU(Y`#d~hM-ka*2bXaXeIIp6VV|LI#a?eZ>dIJ3 zcG|*q)OKx$OX@UCvD*QztTzt1Y#riU$n7}DhO4@O+z!559LVi}pY}%Nb{bV1zE@vW zL^ga{!p76)=W;J3XIxt&JU)?d=^E+Sj+NZ3_G_I@PS7Z3DZ>naG_&FSX4 zw5is$WhvQwneL2hyIcjG9#MQiN7vRjj=M5C40R#5;~;;a>J@T3_-=6^x8p!=rxCfG zX5I4fs4gOZ@J_;KMdTCua((hd--lgW!m2slT-P=ob{$wsenFOKM~}r zdE=O?pu;d1ayuB`K#aNKD=-FJ?|=hxJB`TgH0xhqk3B`?H})q~6_M{~!*$LJeIIfi z2;0Ny=K8qlkn8eN@*gtYTdq~P4s;r>_>&H`#O@hO5YzFQo~ z?KqIzX+&v!DMy{@$2M7MsgIpK;69N|K4r-gnax5M=t zxg7^`JB`TgH0$?SkI%V&FCMv%>-R9O-#+NO)|D6fIj39I?~VCx{Z6~O&y^QE%B|mP zj=RzV6I{scw9s$lcDQ~cx8p!=r%~%WJ@ge^zuy|UpX;~mFMZMXVb{jc3Qo7G-&Of; z{m#3(-?cH=?$+-$$6R@VBVEYtw9s$lcDQ~cx8p!=r%~%)d*~~zt82n^?T#h1FovzShs$!IqKRNnCL=or-gpgnQx@u$n7|g+iBGL-$(R2 zxPE^#@^h}=vd?Ac`-JOU=nhV|s^5mCZvC#h`nl^|aGYDe-#Fr`3LND^Zl{HQBe%o# z8@U|^`Dm?wPS@|``t6la!S!4A$pZR5?lOe!0Ar^}zik5CS0|5KN{ zQXc2N2S;9_T+YWQmM)}x&Y-gRE0oje@P)@;D6g}6REKvdw-dN<#&OE;#OcI0DaZ54 z%vr-I&r|UJ*+k0qoZi-SnDRX{m(Krzaz0!C)b2sb`$V_h-JNnjD|<}+obo?kN)7)- zIiNG$M-8GpP}$)E2jzmETJz3xln;7F*K0iGgchIOlu3D^LqEp;jdDX}V=ap*KeYMe zl&AIcNOg#EaRaz$r-FMmS$q8+c6{DyKy-QPA9QQm0gBC(EgN3$}0O_V?S z>Ao)?rW{g_Jw2YFJkqxjyCzUB>Es80e1q~y|44h+K{=(8_n&)+@=D+Q`P)Y*xAb82 zB7e#+O%@vxD90r9i~E@JOogxA{DN{#{XR+dqx`o&jHQZA|_e)TEJN2N{J^BLu&_AZM(LwTt=XVRXd z+|-*NzF$lEsh{4z{Cmn#rQX+m2<53}Z~lHg<*F_Xo*YE^s_@QfT`6aE{%?!^L3yiy z=d0eQ+*Pl!v(HfeYR#k`7Y_Wkr^{!;?eb;Nxod_@Lw%a~`v#bBdpX>=R zeez!qCHVNQ+4Xd%A%BVc?cPrgeU=dM;!{7Zu`L*X=~nFnn`iD#X+Q1}si4Eq>6AaC zf5@RlNA~}}$)Ww)T-)912|AH^czWrLCbNOgRn~r|XKJ}xkLsx3>6yp`otNIj(`+!B z)RURDWoo%vrmah5_%EWl7n+;tU}xrGYNI#$iUuE@m$%?)W=5S^@8j79`<_K_4_`0l zWAf5t4b9-8YvXP76mtcGPa97UUu<188AUIBu9vxur%5juQNi2SM`W`iCakJ|e}`dS zm!#!&+g)sAc4SUJAz|UZ+wc9fHFrPT{kNIzXMFj^yb|4KFML`Wz@~kavT^R&&u>Nd zimh4R`4!gn^sRtHf%jiN*4L+U-;D>^Z%6Na_0;OEL$5{nXTET9BeR_{+4C<>mAWq4 zT%ERl2kVw)t}1%r^#1!+ef;S8zfNQ+$!7iIquT@xOSE*3l>*pP9;x3fKC@(HL*dog z?VoFlV?X{=tf;HvahjfAyX?n{C+o&B=X_UQJS>4y$p{zrgM zV5E)3ZTr)T$z8tCANt|F>ks!xWlxXaziHLV%8b%S`~TLv=?eSeP>(;Y_~GIAu5X*H zPsNL1D@&X9Z+g_b|8K{y%DD3MO7_UvH-8^g{&V9eohH0>#_q)y-(Pn1xgD{c-w5A) zVd_^Y?C|K9LR_PYUr*Q*yku;x$fTeC^7glnTdEgDy*RUb(J@xLC&U#j9$qqf)awbw zFO99A|J5juKSgeM+5dykX^j*2v$v1ESUuD7m!BT*z9_2bTZs+u@A>4IXNMiQef<18 zYd>`S<-0fDEiYUgvM?umq+wOWESCD0THEloO@{PO{t*`Y+6{K;h{e<$LJF%%37JpTCf68;6-?+MYM{M}-a40!`d_4N8*)yJ* zJ83Tc%s6(~SnZCtkyA6C3XPvMxzEXjaeZ*!ujahz^Ed-49%rMD_`1ojU(U&dQ^Apmb$aia3w1)` z1|3Tb#qW^mx2yijZ}_JPLSZ*impBP^nJD6%>wcL};huh58;AR$IraqT4bJ%Nj&pGJ ziS!%U$+&01T{ANppI<@s3?6KZfPNVIc?$i|@4kniuc7!(=Yi6h+3YrfZe4<36OU>7N;hcd=oS9vXPbi(kiQlc#bCuq` zf0ya4>=c<;;o&{=Jg)V)65UI6MoxRF&cNvp?`>^<8*iG&3Po@xymQAAoEJ<)Q9uSAjmw+KwreS>3B}OGj!_Z<{#i_d1wUg z2H;M-oB`a4pSDinoTno|1MxKh<;2?z^h5kDz?FC`>CBwZBXr)J*HR}N=XVC$6VDBe zZl3ScnVR`tk9Nd+qEV%d#y|kRTKO^^mE~{mS51B-gL5H+^YF=5mO)lO{snn$=FeUYf2!{;!^Ed$7;lwVINOTzOVY@3gu*xCmp9~-cxHoK65sN9 zJn1*RMcx8bK()|5l;&=^@z95yVN5-@6*&HexKLWYvwy(YI(29 zIE}%yd&+nh$an-FmjYaWjf~gdkjIMTo5t!qWShoKm2VoiaOfPvy9flK<@lK@oBU>- z(~a7@Q?av<>uDIHXK@ZnukB5K;~?u#;1dscQ}NO22H6jF{J+DvGn{=wXPhr!Y^4{j z5g#}CA+A7vl11Bbj)DiqOaP2D=-Ck58=x=r4v2b@CEIasj~!>jG3=!uh4yw2w(S{Q ze`)^K&cjG+hJ}7%Tcw^#Kz;Wzu@_Q5X z5na8in*8E$E)dy~x!_+Mej`9_hjTcKS+()1 z@1v`Le(TVG<;}zgIw8W?-2MQ@!|o zp4}@`^^b2ant2vwm9Pn6Xcr26d(xTG8eh!u4UXh~ zk#v~s9N9Q+9X)uPCa`Ed`T&0lkv~pch)-91^3V^L55Nyp^m`$EY#v}DicRb)l79v7 zP&W?uao}N^rfiW?_NG#{1NT(-Eba*|)nAPEG%h5AhDugwfKMk`RB=@0xxVM8Gi=!& zV{s;sW%&2}eHTdv&)hGElAPnc6ZJhSr{8V7eyP1}M(|joHx79hycZ=YJX;uR5azGI z=ga#5^OxW)g4}+JcRfIUaZbgj{G5sg#5||zY<|e@hqs$v6E!}>i_T5QSZzmnD9-VY zjAISyc&A0KCWg?;mkN{Uy>Q>BGcFDMbjEivpUzPGpm$5e{M__fj4t~J=tDBWAA);& zcf>c)2epskct&u2*PTpQtUM13?wk2dr*{)W*8z`3tbyL&L1*577gIU?(!k2;7w)T^ z-kR=T!e^15ZEMB}=it8#yq*V*F*^GXwC|qmhbM5$Mj7G8@xmE>ReEOGO?z*HgA=EM zhnIo#clfB~mr?EsoJ*B?l$>0q~x}OMJb^h?!PoL=Txj4%EsijGO3n9Bq z@94OhA~>%}vm!vz{y+pDPa0pLHQ z!@82#KB8TYz39VsY|s&bMG1giCk7y%X;%u|R#M+3x^@mT`ZogRg^=7NDeP#FO)!~^ z4IzVcfJx8ObqwwNBd(4b0y^SAPptFy{9QapLipkg+z1t~^dG$jh6{#)@q*vLbRlqH zz7RUFLPE%X~`=;UQ39FHKDAB4E1iE1e|=d z2@$Lp8Qy0_{S&;ugYI;bz40XCqhpW(!?)Qh(nUk5LCASO-NYJ4fW|tp1FxGZvTZlf ze>q^)iGii3#P%3x`B^pgH5gB+<9j0LF|7CVF+L@aF};5y)zjYiypEOI(VqHF2jAy; zvc_~zR*rcY=wyw5#itxNX=&+V0RO;4m4Aou-jgr*c-<-Y=f$vy@L*<%L5v*%_%_Ib zVe7)6N5l36VGOgbi+>ElyQa1op$jJHNBbPnN<0k*-6=x*41<9+&cM5J<^tEbI##wp z&!PzLn~-^7fxV~>aVz0YW5Y0~P1og?8%4v27!Q`U8SQeh7w@!aj8Ji%3;O1P=K2@y zMN6lp54s>mM-X3ZLc55i)4~T$!?|@SXp21o$?524xCbkgkdHJEpEd}G??&4^aIP%c z1AYUQCm`ky1zmU36M8R&iklth6u0K#u8wXV;_Tmu%iy8PE8`PHpPi z%l#5BsNW`>7k_)c#s*^VJK4T#B8vz^oi6wgjtYMw1^~Zw=tDl_j@}VN>*J)ixfmy^ za~-B#C?6;gYe=h3*HRp8WPP5)CJ%Q`Qvoq+cnH5dgpn98c#BL*Ok?r0*$8!u);IIuVit^ zO~Tu*8#J&Uzo!TR-^0N7de{_vZ@|h?vU73D&2aFU>V^vT!K8EW6Xk>}$`bsAuH~(BD+pF}q^pL-CC0O@$pyMOjEF8;qc(aVqL8#r;*`=3k>=XOV-u1Fvpo zHxEg7ua1g?jDlARPFF?$z42kWN#sB3!Q%^7R+v0Bd{9USyjv4;o(_Aw^5^)Xxp;pS z-j`RiOm}nOMbw#&eL4k*MMy7tLuc!N^Le!QHnN&NkmXF^_NrhUF?0CLL0i!7fM9gM z4s-kTxd$68&^tweFZzri`vd(cZ;cz1?O?f42<#tY(`PLNF5Di1Pvl>qGb_jzm|!a} zqHhUfNVbyVB)Y#OnoCCn*axBC2FKs$eXtOHX8hdr*AT!;4R9Q%wzud1&3O&+3Lg`Z z71DT+oRf_}f6ehi9sCr{o+j-&$Td{5X;WxU95sIcjJbri*!?u<5X34!g?1QJHd@aht zagT#glB7P~9Y@3(#w_@Qkd@yH{&S(%7zb?j^kIwJN|EM{CVy5QVU*z!tn>)L@o~ec zx7`UR9%W{KdpW_91hZK}pB#?G4JSMta01+LN_uMG3GieK*9~zymqmF$Ql|9v)^NY{K^x&|<)|i0*Ef z`CVD^2(&lYKsR`j@_V%JqG@kHdz+>`o<;Q0v=3|5{#&#U)wG9Q3y(zmE$IJmEUUUb zXdw9ya}{sKI)j;g@dIL(3k>DZo$|-XHsHO!+Hp(Ay*h3Z;fQgo?gTtEV-$~j?HE-D z-`NK7T5^PDJW4vEjb=Q;ao^kz@e<>aAA~lVF)-kscpi>%FoUODK03%ehz~P&G@xAw z#-KV7GOFQwJnpr8CqAfrH-M%P@I4%5T3(m5LmLgR!*SoD4S1a&fHoTbrsG}XcjNCm zyl1?K?AGu(gF?z#RxH+;N%f5tmX zx1jE)f^WtQl#v~COwAaS0s6VV*$}6SKBaFWzWme!y61=S$KGfwU`6biGl*<`%2t;3 z4%$V)PNr;OS+Ez$FJi1y%JA-Gd{3DwWW@saIhZS`c-13LeFk;tKBFD8EI?fC4LV?R zEe6=jUQ^Qtk!~{++g1R*CmqLoPm{gja|)pMf55X(Nq@ar@<`C05$V%0gY-TU(B_??=bocJa#|Zp3pv<^qVbatbV@HPIeF$i1);|My5UtT4FL_K&(7$++1N1@ss>eC$n`wLo!^Yuz zysFR8k%PeL6~wtJ%yi@;v@q-ScghLDj7NDXV5R^jejkxcaIyhs8F-gM^rOrKo=D(b zg2ID*#JJSrC+<^EJ@g`t5#}2ueE3Zq#yHL8)Iw<-@ zEJ3)!#ziCf&*KW@0V33VPcG)m&mva%6P~3bZU`9(c>-T^b#ffI4ly^)tx{2k;601@ zz}Y3vwy9mLt+cb5;BAB&7g-<|+Sq~S3VFa;)is*`nOfB$nz|uIr#|Sp3R}*X-5Kksu?EFo z6bs6823lh@w7?bf?mKV=ZOyo%A1>#rjBD}M;sm}DPA%#JSL7w#agPCU4`Q5hs}R^W z93QgTr=Uwj(*n$)nLc*{>6F?Rm4$;h47NyHu8rj|PuoU09HP-ALLU%AAzxAMEmRD) zp$`Z01a@QW3+Kh9$W^ecZ()nq;`-g&Yl9$YQQYnex~x60O_Y-$pW_3(Wgb&5(jD(z z@sjfeQK%DwIRn|lOQ3tN;A5IAn9N1U$wA&5M|iR*?*KN4@G{{$rhTwu(ygXwqLb!}M6)bwZho8=P0eybbQ>z8G&x*%J?isAz`H&F zBWELQ+RYRlbWeo+fjtyiVf;@M55n$lYav_hpc5V3Izf6nA9zsSRn3dqF~6d`s1?_8 zTq`_f`?L=CHz4=FgPjT&D+cF#+#DDW{Ldp#NwzW^bE-PzEkRor`R0>YQ@(&4Ry=Z9 zM|Fn1VV2j6Pb0TUa``Cwq$}xrs+nygI0U0be?Q%sXPeyBjr&U2!F=FHdDm2or>eU| z)5CyIFex`ma0kl-POqt8Iob%GyF!*Tl zr38~~_95gH4nq!9ACvD}ar_zdL$Ik#9Y+JR4>rJG!JqT7h=x6(=ag3SHcH zc&dR#8}#eME>b@u4 zd&|$$@w`K;d(1ujakeUNpO5F{Yqa+??>6|$&r9%}berx=DEEeYdM}nC5V8c_sK&h^ zAivlM-gXfT7+!sYkL*avcg-ch1T0J&qNy2{e|!W(@0rKaC0T@898n z0MP~h(|E)KXU;$Ho9@$bPriZpN%#4kaKDBxcjE_xyh0Y_e39{gFkb{% z|7yMnyViMJM`N7}+SJ?;gPapzv^gUx`)4^L2W$iJlH@_#*8X!-^isf^rpYf|fF082 zk=8*DekqTXE3)Wx=&KDd$X88;eBLd$)GgAjgZIiUy>(y9da14KwQQH}jJN)!+>$c3 z|4MF2ALYhN#=-4hzlPj@gAc~azeyAk<9j-Pn(2l0L<4N65jNBWUu(wPLnyq7cb+$j z9;MesJ?0)_#5KhI6g#EpS>%ttXYlHHC zoWCN)^29WQWleF&PhytI7cR z#Cy6ze!_eoSIG63;gD_Ptdl<&!YYc5xmSOHzh72@ceK)aHqlBn$KYMh8JOdq)OEPn z1=kj1g1qWbjEg$Ip!pTetJZ-(f<8CtjIw?!pd9|D5CM;W2;e!8M>weqyf_?JEj(J| z?xx9g-U&~Rom6-mXdFNTjUUa^?>0uMh>vNE{

Jtx_izucpP%#E>(-aTMD4kVT!Hj@^oy`KX)K{fd1IW(V>&JUr{~Zk3?gKn~-#%6cv7zXU$hs|xozjDCbZH{gPvzFfAqIG#UOph2pYx&?!d zAl57&#Lfo2!&_dmpC?KGxy64$>R~Q!Fy;1*;{_#SxJGb1pQJ4FCog;q|NG@xeKO;6SiPzGFj0+Tg%F4%8t=Wpy0M=}>uelhB^+{!?KzA?=<2 zp$7Cm;6?Zi^x0~9NpRg>B>F5KctLc>8AWmgEVZTa?WLzVozL!k*53J?z^rvH$`7S# zVs`eY{DLB2H@=p9CO;C_1d|g4km$D8-?8&4?AI$1dU9{~d{JbM-%%>Xn94bL*i2$bA~zjFs|wKSlpP&e%K~@jE2ijJY%1 zxMSIQ1kmYxJD{>NBfzvYzL8`URjl}7*Lw*B+9{CtjWCVq@pxX&0UyRmBf=7^gCZmF z#M6HS%ROY>N+TEf3J#=)|Iw2<8%kTM+2&N*?#bj%ZSCC71YC7;s5egU+GqYmyF!Y<{! zn=z^5V3=rIuam#K;Z*`=SG5)?O+mbQY$BrVGZ3fIb_9BSKywUz9Ztm!Fw7YK5043! zHk=JC`d}5!z<(($E@KSKsnOPzju!h1fv>4Hh+m+-WBdFr!9N|2|DpI-_^J)@74R30 z7IRfdXZFQk~T;GAWmO6BfqC>Gy1luoX`74wL6smK0O$#9bpdc-fSexSIDE$*1m=T*# zIxeW+X5QzMJh|_HeQ{s{0Bb6`+fjtIh(o*>@-WY{Qw^oV~ z*Wku_SV+*S3ss8YO!zpjF^CW#dX+B#Pokl1l-&A+=y*L859=6{9(gevf0ghE9|G?B zPp5NM+@6Y1gUN3Kj|cGC2k_mc%KZVIk+c=+*-qDPpg^f;EN{tz_w`;HaalfBoNarGiWSUx7 z$#%p=lHGe2P#>5oj8;I9?A{im6$EhyhUVvkK>2znah+7X; zI9Q>_&>jFLh5I3o+B*lz%0|E@eie=|@Lrm1e(>}g4r=d0mr!Z2J{2}#;@6 z`1f8B>5QXEH&1m3)JpvfzZw1s(->mWO1+C@U=lZ;$Fc76uF7v=C{}tk(}QzUDw5ws zin(1q{ktrbdICw)`Hqs6&f}+mT!Hl8-~(rf&an)u%H>p*dqrv+0)#rPwYBINQq!P| z*!MS}=)E|x;u#SP7FLS4I=tN#*4O&rgN!Fx;_I!u*W;3CWE{m$((lm_zm3m`*a5o^r2%h?qixQeKu-xu=k}d=J6KF!vOaQ`jWJ5#M3( z4dPK@VQK>geHp@1upQ2I?q7AI93uK%p+6Ngs$UmrVGWfwuehAQF?T*vLM9;VpCKup z#9M-9>2oh9e2;7rZb{01_JE8KFHbC8zF6>@bP*4n+X%%DfYZ)moYp-+&;_wc$6mfy zusZeu4goRMfrJMLzFxk`ntTn)2#O+Qs=_ir7q0#nh5ZzME!``&96)jcB6{$=2Iw`c z+Q6nnn3nrEP5OhfxDgetwm+U{9P?M~|CL&2yg@@+5&gL&K9xQj3gG{5e^WGTsU7I+|D)fC88e`? z1oj8DO%eptZ~=e>x)p~`7h`}uK$+5SyByIfLiql1-@1S2!}m{cqy2YRY2Y-x|JZM+ zv^vsc6geS{@WHF1{!u*ot@ihO*TsR$fSOOCnG0$M{@3O&jLBP#O?YPHd_=%_2$2B& z=L?TP`9r8RrFnp<$_+PJvSHscAJE-uR8T<)eh14%rb!NmN3xkM_(z2hWJovg2M5<~ zxLU`e7~P58k%jG03B|ODIWNkOe?WdM^J93)8d9pDo9Jjm2lY@O`dq6WIwyaO^13U* z$}aA=3tIxGAW|6MLHP@${6p@f_DrIo9S9g_7aoh0iw?N7eAC}p-ua;NoUe6#m>4rz zR!Y2+{C=6Go;#6cP3XBz{aK~{^vIv4h1P_odHAmb|25&iI{X*Me^u55>V7czVvlO} zU(@MnpgQp-@`-!$0B<7%X*jpU6;)FLhf;m+xB-uQE|$tq3!2I-MrQD)duFj5c$%Pr zDsXcUVp*EoCpigySQ*^IJjma5LWNu2?-eTCiP#Mm%9Gd@+yL2lZA{3!=p&q=RUOXq z0m3L92~}NOyx(B_FC1n8VihxnJ}HqZ)PQ?XKapLgw&?AdWgTW`PaIr}{n;^LhsLm2 zx=%Z=XrH!0>^+T?OiiOA2!zW1ZHLK=lOy81Ut#-0FpLl1SUDZj99Gde}ET8AcSf6y>~ z+D@RZE%P~GM_-7+;*;Vm|}FXFbB#Q2inQ2}G7m&PFvjfMLhUpG0z>BMW?if79h z6`+JKd0_rf+0=wd?ig;f(n9V2D@3F$8u*F8@{vDO^K0>S(pk>8=mGq37B!P9QEfoa zPdb^;*YV)`5wEMVEV&t~QVUiVyiGu|x73hP@%83qKWoeWM85E#S3U*+@Yg+&(Qgs- z6i!tb^U|2OF_ApSkv!Ep%#RW1;1s+KvS|4R&P_0byv(EYxtXx@ER<>6gH3Q1V!yj5 z$jmTq-8IDf3V_0ispee7!$|5aHIAB?eHVbyugc&TbJBtHX^Bh3ISDevb4KPQ#yOc7 znG=9b*bx4%FZdZHhlL_!p3!4Z5x32T>>r-t3+MQ9mFY z+wm8~+Ovy5zDfjSMi9f(*ilok+ViL3km!D5NS&yZ9;h(5xXeRN#oN++qbSBM7T>|D z@#$>b4jVr`T28{jU_m49yFhXg3ttizz99G+K{+79RZU~A`8>Yt-YX1DW@JS>mJe>l zmR12Gge~2QRlBJ&I9(Yl&(?tSl0c* zkoh2fBfpR4l<#nUB* zLIG?&Mz(&60nF2mj6YB>r}#ULZEf(v8*7}?J-XugTf3D!70e?d4wJYNXR`I*>Mi2Y<8OrY*& zV1x^(xN>r$?Tv!lxax)rx3Pc80~yG&{7AuuL7$w81^cZCMHKP3xblQl{EcI4!eF>j z$V{sVww?N#C!{zYl@;p;&-*_MGaL@4=ipFbT-ma7@UkJ43)0hh*(s-(Dym^#vJ2S= zHMq|khE4-&%haoD#x2=g)MsuDkXn?&-l=#60HA=pu*F#b0;N4jU#uGgxIbGTs$d>KBp0PT*h<3SrOh7yd2+tau!z$?xGECrsc)Y66=ufi&PX zVc#?5NK-=qYm;~>%J~OljOg01=z;>L;`-2%hl+a4Lo1Kq{rxagQc(LCsTsn2JqP=( zsh(d)_#)>g%U>ZUg(X!VnfOl%z>Lle1XhE{w6X3%NeAH_LmMqrK3>yCD5L^BgZkWq z68_2BJ7pHy10Cnu@t3QLL}e*ard@65RcL^O7`c~hrq*Nt1g^&W*o2~O>{ajJSLY7tO20P3KouVEAo0A1 zPrAtd8K8h`=q-`gP@cS=BxPPGk^Pu*>xJ?#Cy}`bWr+_#M)F{KHJ9{p?T_=PN=QYu zD=D`#qZGb~9xS}_B)mJcp+7$+_z5?o06}!O!NU|lPLawk@OG=~>)PH2dtCQynJ=y5 zhRjlruedymN9|ohzh}&j@;}JSc}3ru8O7iJq6H=S#ozv-g(dmL-~OVmlKkRt|DGPq zSg>DlGB*`}`}eFU$uIu)@8Mo5TEF<)zvo*e`NiM12UcptC}u-eWBbL!%KXQ7 zpaN7REVipqXzgaH53lmT@7+puBZJhx3DW+47C=*ANw`K!S%U39HhyT*go41@mG)|o z%k#YxMIJ1{gR930{k9?INF7fi<7kjBn5Lox1p7-RJ3E`}IUcxe@|0hl2!UH!#xEEa zTr6M+fLY)mm)10q-E{ywH6(M~nrV-v3+VH$*9YfY-BW6CEn|L*bq)5nNNlyP@0)L3Go2sSN?rno|6k0y@kRVffNvG< zWsc*$Gs3!w=N)iC_FmXkzZG@R9a~imhxq-^NP`(VgukS!H+~d0LE!T80L)%8hAw-cr9qaeFAU*h<(7Z z1#tWsaJ)@8-WE8L$K&Ul(p&OOWWB>4-jp7!6dxnaw;25v0B@82f}xq3?xx~#6t}{d z$*B9d)O|w3n)?r)jy{B#l!Ig59P_XWfDQ2UG;~*TVo9zI)>pfMM$8AISKf|aZH+Iu zEsp=NJQ93}v-7dG@)xW$5A*XU@nWWAxG(oigA2*%fyx?A0#Y6C;c`=$VHW1E%1q(Q zm6a3~0zzsj6s2K7Se61AA#mKyXp2!a*|i(@pYUE9;Z3`%%$;;|WmV<&`mNLETL1cB zw(^tZ>%H~mtFYz770;7fvM1u2iSsuYAq)^A4y~@Er+4( zHdR{Fc@t{ob9lqb!J2h4iCF#CkXM+?(vwy-t*B!afL$(N-;Ej}&URRLPnnQiw!NvR zaQU^5H(7TN&L1edvAS^s*ab@${`R?M#OUb67(GtIDPRX$vy{OyJVlRXC026ybsm3@mFtTg3{yuH-s)j!oE{}3HjTiVply@<>IWiK$$iO>?&FSA zdjLlCNRVSJx!Cmcg3eRVzS3 zeDTo(Y_bB=l-F0`?Sk<64*;oWD|pR0(~O8ILN;hoQ;xT5vO8N|0!hwYW1*7WOUJvs zd8#@rxkhFe1kOt{Rl^?sNM?Od`0=(JF$O|j(>6bG|Qa{ zXG$EE)oG1}CvSMkMqnW!oxlL~r^w+{G&+4o5GJ-x6P+FeDo4Ooe7hz13I6#3{sXwb zNS`*cVh3^q0Aduf0Y}IW03)E_T;L=pg9mM8%TR})@>M8jt|Xv8XlS=0T-!7ivR|J8 z@RSQ7K?38b=vVqYzfRhX9+~U?g~G3f2L`7oKzw2#0+K$4Q7|dA4-Xa`E2X;-LFU&7 zzlZE`LG=B*H!udUf8(L`>@GOXOIq*G;*MS=A-IJq`9$_GDiW?nY z)^ZcH|2koFrNDCN|C8;@Y!Mo6F=c;FpR|2{hwyY1kJpy*ektbGMF$*@4%nD6Xg%SG zF-7F;r9&>7pMQ3L0Y2cmEc%eRG6Ns``UaiD5=W%L>LW``e>QQIttzD-0I5O1|qN-=f?*zHHBUzJmL1-Ya!*_j6n1(h@Y2)^#gsXhPJ4tvm8q%9NJr&G=yy zAnt&FiSPQp!RE%e^^LyrJ}8;F?;}afFu8Bz7jDpHTjBpXdeLOR&&gKy7+IU0wjOOG zkZj>ovAl~Y)8HTi4hMUIUVXJnh-h(v0-wLLxPH+KiRq>3?=@)d&3E$5Y zV#r>Out2eE&xWd<%~a_6r~7rGAi z3ZuIx!OjyUiOTgnYjQF|ov^lI4#D$9WQ5hR-+(*|NM%0(#p{b*+}|6+SmC)t|4@)~ z18)TH%{B}5?PvQ(h=)M_GHhk5A`P5WG8WoyM2nFFddURNM)M}b&g8wCe8cPTUqYXD zFZC-aD#L96Sw#jM^$+o0aoYXgv>+0u|A^!N4h|wV?*q#ck%(N2PQ_ZNq|G;0vS22! zr|-J)#lq@KGw59IhnV&j)B$@5kTSnyOh1N+C^(sln=v(sxw=o5&=khrXP@ZYS}`4M zVm(P7AF7GNL=Z<*;l;Zum<8*V~W0wAmz&|JxhFFNgGyG+=|?3xbg5YYgIDgC#@^JSRwRmc2EV$^FDp$xAAa$r zvGD76MPIKMeT~KZgeCdrcaEVP6-5XwtJ#aZWo?SP%Rfvhyb=wpf4Gu-5#Ym>BzmY4J^d^5hs%X+ToRr|JPX7`f^^^=p%alVMTNyJWEUCpKyW5YTHQ5t+UbT+=9a9b|}}@NfMCfQw+%SNyG5B z8RKO$8n=6C;}Kl%Bc{q7CO`1`7}oqYq;)0mSUZ1PIC)&J>OHJSN+aD&1nfG}&0m6@ zxNg>fyj(!0nO{KG0WYG>LmnCYnn*4Z^A998Y^0+FbQot#S%--6! zetQhAb#zjPR7+$Q#q7+%0s&bQw(@^}Kx$!{*dBcKF#LytW-mO=0nb@nLXCe=+C=+PmPSw0${g5PxQs-n7$^`-h7?RCqd z)c$tz;5F3f1qjK8Fb`n$$0odWv{IM3#^`Bg`5YwLy}!l3L$1Km9&Yz;z`uetd*CLT z=!MoEfOtdzwjEgT3nF?>d**ZT_ROLNDWC9fk^@>y8v^Ms3QTQWE7R#2YFed>6_f{@ zgaRuV-zU@@aZOSq!TL;KSL}5;Wy#sO%}g;C-V%+E{xqghf;s{J^POGxz{(GJA12U>80G z2cZq9x8kfAq)7T!w9FTj;n?-Ef|G5M-QXFOU~?$?sR)YT4lLLhj!_w=5USz^yT;GE6Q;It+2EYyl*TZs8VcJU}@#Nuj@2_FP68z6HsZ6W zZvt&ATo&x?r8U?*VnPrxN|&;|4SN%vZ>cHpbJ*S6{vQO{B}4lGJA&x}L2ec`=*o%C zpK+2@<;ES>P25T1hDUs`=}@>DfmJ5XY0q+Ap*I6d8R1yn$trcW~xnQOX;XILTC z?C`MF-&FX$i1G?F#Y-hRPYl#R)i(qMm)3OPc1SqIEM~}!2&KzDJvGb~5_oD{`$+B* zq-uO7{O<~O6+fJekzi>_XeGPw1Y6jM?iE*vENwb(aVM$A5poo;pBeGY!W!@v9T0?$ zR$nJAtjS#oN_+p=m5vJ+@)_xn&|vRkMSr7+9wMqqs3su5TQ0%cfF=}>(I{e{?14A@0e*-SD zE~kOX+xlN7RF3}(aIq)?%BI>oV?fIkjdSv_8JH)bybcQI@T zu}FoJE;*iqj8ZJo4KAzb5}Ank_J{80Y~HyE>B07eZAFuybm~v6x_xmW&N3Jrw(jr* z$m6^Z3r*pLzK*)SFkKZP8ps6waPjefA%z5#kR8MfV#xm(qfW>;1X6 z$b*MBg6u{~0YTTK*u{#-tw)t`-WAxX7uhTYmk^tkPQJq>p~aBp&&Q`>fKgGz+A(W| zy!RyIPfcUVU^ZI)Kjl6ub;qLvc5f6M8=rPBqbB6G@04(NO&|w8SoyFn0@nN3dA`D!`EeNh(qlRr zEo!;Y?*EW-A%fy+GQ)eYv|xg+Ez@-?gSy1-``2BJx~A4L9nP@qfv~os3kp1=fwTP(nGjT3c!-{b&5V`$I?4+wp^)%8 zDIBI{m!o0;C$y6UZbrIS*T2e2=5{MxFtiNeO?@(Ya3P4Mc7MAxhUez&w& zi$i}|?jkXy(Yg$gxEcTf>W4jgq!%{;9RqQu7_ zQOWr9+D&xc!|BnO7raC?B`ZajMzo33Y8;E?IY~7z%;|G=EL+NU*I9C1YuGe`9dL0pu z=Kjntr4|$3+%xzt?wux{6pyCp7~pkvp%R}eHse%E`&!EIHAq$#I9buH_<~1U_KKR> zQ2By2Vw8W}Iybi*y3QbF%+}vnMf?)*Ve*4J#_Q6&mNouHw2qijFNJ)@(WxA@ zAZ@7B0zce0&mwh>=(H;;VN~+53{`W}^ zr1;m=iJKRVuv^&P=Ks;#xYzdYhyY+X4*)=jd&hqklE+%XLrMc^<15L@28!Funh+ay zya6Uhw>U!@%A`s)ugaYcred@waIBdcO6Z0Gl(Knx4Jt_t^6O)U*m9?n%GH>tekA-m zWK7Z0R*IuHH4JEg$yvYsENA^L1aIk&IY$K{6^gccuC?rAy8SU|KR;G~kowyF2O^ze z8icuj4>?#GnioWNjjnaW$-4G_(WY>Vf7qtn%Y;W_NPS@masI@FDMY~SDLa?Kf7#)h zK%CCMO3yMsh&26PZVsu|f3DqsH`jrma-<4xITgbx5>Ywy55Rl#=nx+Gk$6amkD-W_ zhXOcYg093TClAFlPgeS2l)i5q{;|DjHRIh$xqF$waWTQN(x5`cWt|LUCJuM$(zDgH z4+rI{!Im%aX{;U;q#v`>_{_CCdZtxhg8Qb>$zn+6B@1^yd2JIud3lRF0A<~w!9!Xs z&_`Jhe}HQO4@sdAkH#nBb~YlmOC~Z71P~L)qT%&Bj%>+J0i2t#4Ai8lGYY|s1QL~a zRP4Ry06bupc$vW9>%lZZN*pJc zIZ9(@3NbTLrVprLNPUHxJZ`ySN{iBfF5EJwx8IPg{2!wR#-jUxJZbd0o63^=;i)0V zTh>(Oo*L|+UNqakD?wd$?~7nJGBa(616srip=9Azrf#Ts?RdThf6i4;w;P@!CqeoO zpm1eFW@iuW>ssmSHT0GL+R)r3lAA-W_$;9Vto1dQAa%zkt#44S>+}lPHg^0}r_Vt; zZu-MR^*Uu+hjOy=b4cX6`H0jAEIBJ_zk&cUM^h|%8IlxXQmdgQ5IjWRmQ)gy=_An_ zDr!7MBr5FOs?FiD9^H4=UC44WGZBXV<+Zn9oU-9GA<@|5*CTb|6nv@}g0yTGv9T%C z0$9Ei<;8-mfNb2j;)|7=$H)y4|AyqeImQdJ=ltLZ( z3k5iL2TDg5XwiAI|9kZYjsHYAi>L&Tzf)+N<)bXVx~oeKFa2)-7O5qw9rQ%)|Bv&g z*Gd~Y-KS_TYA87iDJ33!N__?ka>lGr9*{q^zAu{M9s{U&uy`2d%0bXYjWQ{xa(omi zKSBkML`1Y8Dy}8*#2hs0zXO*gKo3fDYbpgfVN{q(Mz;&(En-h?M?n$7;!jcXosm6E zSYBVh4C-fO(;4PF8QI!|{udcJbbFs~(L&`IQGh5qZKOZRO?`kbT7PrN_ftjR{-Rjq zxN;Tl+ZOqwl=`P2zdBmpe-qlmLmC||`aF4Nht0=XV4j9|Ld$E|bjeV#hs}4 z#RxrAaF2tFLb5sEpoung@4FFj+Px3QfbH+&r{2P_{xWkefSO}kGF_Eu!ab!$>j?GR zsN%qhu8@qEtOQS*d=^dSXW`b!&&vTC)RuF_g5n+`UW%!Ql4q%;nzH1S7Qd?|f3m+I zuJha%hk2JrLHZb)-NBy45fPMDa@9uY&HoFvs}Nr^*RhIJBk^7i&07VI+k#{Sj_Xr@ zxIg=Q!pJ!TJ=;;0|HCDaIp(#d5Xp)+yk12=6)DgG~{PqH+Q4vtQ^9dOeM{3IgC zOc9N6z+(dc2WJADG8Pbg-MfzzT$a>9>IRzQ{B$z+-NrvCqFL^M#{~WldEeq6DkBP5 z7m`;GN%ne}lpQ&f_5J3B!iRFdl0-QwF;c!6Np|o4C?+T}63xd(Q$-{(D@d&ynR;&v zDp?b}KJ|yQfUn!s9}Ws%J@Tg+3%hw9{=>pt1-Q#_aptbq;kvQA@U-sb-EGZ4R zbSO8G?8^(=MLG313)>CltG_EEt&05Vuw`~2-Qu|UQ7s$q)sDFmROijY7Ras~4JVNI=&6o%@s}sr(skVYsO1l1 zo5M~h<2{Z9o~Y0cB|Bu*Y+MC2K^&I4HUvPK+{TD3JJw;=&^LC0JP^e)`Vu;>@5_A? zjSwD~I={j;rJ(VM@@Zd_@=KAa_0H)!|-}2;>NlW_v@lx!S|vLoS_fh z;OAsNLrmdUwV&Zwi1{ixB%}ymLks=X3k?yH@>*z`Y1qy+AOK= z7t{ywI&%R|w0U@cgqS%~tgISBah(l(ObzvV!{verR~WV%H@fvOzE1D%!5T`R0ozXg zbfFJgolhAMavp)^g@6k)8_;jQde~%Oe7NpBj*R~Uq!4O=vI%!KaJA?S(>p~)k)k?kl#4o7`#U|uuEx%+?++2OoPIK&=snLU{1d^cHX7v$dV|BAyl zX2KyhLhbWk><&U!X|1H|pzeDte&&9}@4*=j74Apyr>P=<>=z+QeZu(zPH+MIA&9>ZO7_BbK3(uthtwO0_ zS%V@k2tJ}?cMrMYbdA7@q_HlKLvw+pv}%~Pr=ab`K-$n(K;h`-3UTFYjXRkRdZ&d} zVfQfG7u$6ypgD}AsAPAG9#(8f*U95^YrrJOr2prvn31WCJE4o2MOYj|Y9VZT?Scwo4PO4J_CcZDSc+ zAHPE>-j?}Z&29J#ZlS8e{vZ72E>>--9V7?8$s)CT=r(}!jsAQEk27?zSs?U4>56); zN<;hLI2uIw`rj{rg{rPT(04NT*Q{ny@G|WKjRu&)|1tMA{zdMQV6ZnpO(9;HFJd;Znc+hAU6p( zPN470`3lufhEsr~r3999`6ICm4@ZDw#RO|mnLb${F>ps<3dgE1ffT`p6?lE_aZaYP z<^d3E8IHeW?%}E;bmZcSBZUcyr|Zxy8RI+9UaGt%+;O_B*fQy6zI@;|w1-!Zh+Alg zprLPyN|$l!TA()wEO_EZUH2!&{TB*~HH3EeL}o2ZODUXdS6usD(cTc!_$XsvC-W>S z#=xUVoLT8av&IIS8e{I(g#VRZG-wZeT!_@!mETp|;UtuBYKfr@@a15Or}uEV(py$+?<1 z%q8VoW>6QmG9OJ0kaLK>hCp$2Sbxi$YAIhjkFWRzMj&`{$8)R@+@~Mille&v#jKs7Za7)nq{s`g z6AR`A7RMO5`PDUDZT|f=J*Ytbxvy z`#(+-9?0+KZ`rxUPPa~Re~w7taWYhOehl#y&`QXgL2-D%%pPp5i@QCzpd1I(cBXyu zW4Yxo(64>W`sIJ&Um$K=0xoB05V~{e`J_fuRQ}#@de9sCs0luzW!wX97;6uv1pO6w z`UZV8nS$6WBs%}Sh8v0mczT4D^kI!TjZZb5LECNFpxmHzfHed#?kus#m4vf}Op zu!!;ABa=nw<Jl-RCsTDqiIpv@M;SAh2W`ZE8M8X(j?ZmJ8g{Jd zr|=iM%W)_>1q-%?ULdo$aPB8noJ+=Y8)EpCt<%z$7|f7S0*@m1Fz(lp$D&_GWje}2}6;ZE)c|T z^9O|}Uj?_baTq;=>_BmYss@?*Rgfy8YylYV1@Q!LYAI6MGI%TmwxusgE_T6;o!Nxl zJZOQNAlBR;&Dh>q@SZ26uq**`RM`pXM6M8=#ijp*l-zM>iKUYVLt2Kdq<@aOxqhi* zLSV4*pCd&vyLour9B7{>J0a}AV7o8{;WP&xIZxt=_ec{un_ISd3V#GQ48sXJ`~_pX za`#D?@rHz10Kj_Sr;G zg1W~xl!$2ToH1POz$2Iud?gflWXv;lz%G3k%M&l=kwCBU?Sf383= zM2}<}<0LULFd9inQw%WetAGET9(B1n~U@E=Gjt})57UWQdFC#DO71^CqqRSrg2lC$zm$=R3KH6TTNd2VP7 zAO$24yTg=mCq>0Bh`Xg`VNa~Wlx_FV$dA^uQQx$*R>4D3!;3E%aUMg-Oluq;70E*|XD8uTd9ub^94~W^$h6jA5gdmj!sa-B`^`0w zT7EO+L34G!K_#M&C3WytIL;JDs6sr*43cXLOqN>EZNYgEQ_?>V9;Vyh!&FzJb|r3W z4>VU3jSxCxY13dZj%1y{bqwEnzzO)d($7cm#&lhodt|~p8~XaLWRp5C(6j+~8*{rk z9YKPX;s!@rf-Mnd5U^=0)uYnNY1lmvX^mycg%}s6AJSDFrA;3r(?1_-gQ96>51?Ma z*`|OnkHJ@4cI3yxI%wQ4rvf(L#`X$969p28FhT;)Rx5S40p&0S$_>?J zI3o1AYGGadG4gU$(B<|j%%Rn|hzj(;5X7*9|0h^%xX9Psu&Jp5uZ0dq9Le-$cZwF= zw1u$a(h@F&1oMbJq3aX&i|~9x#JGYDPbxiX`c#oOBjO`0W1m*U0=_Q;s4a7^ka0lM6!Bxx>Kz9`z3xeAUqdkyqf>MSI}?FW8D5ertk z|JmAhf2rW=W(tV&8dlg1xx-Ob)=OaD#h9h(?{I4Tw-Ruh)~g*xsMBtR;EAsGcA#;A zbe-^LfG7013j(VaKF&pJkTcNtkQ#^(z2RW#GsRK}Zldj9Ogojb$g~0(bZx)gb3t`a zK9(4mAv{j4PRvZOKM(j>KBxERq|>s9zF7Jlo^Rq!-mUH=6>c6ZS$j_t5bPVz6*|B| z($)Yv6Vg-qPwkocnEmG?h<6{8vCw-TM6ZN>f)@nZL1A&RDdc+td29MdfFT-?ymzYH zQI5B#GC7UQ^9~{_gG&0Co0WD4af*S#~%>}VGJq?^jvcmp*ur+U6&K8iGl{^73zstMvB zM#m$P z^F9t50=3n^s6szWY_Wgm!>|HN)stjF`ur7>JwE7>F~ZWXCXZIvOkB#+Hy}D8OAmnt zu9luMWtEWQ1453xo1$OZ!hScw$aV5$uh|7FhyhIUtA@>^r+}HHxlb?&+GLiShcr_- zM;3(nV*HONM#MrYo`*ZiQ3A3A!a;G>;OW_DkWbjl8W1Qju!r%Rdo<&ZpyabSFjon} zlo_2bD!Au6oljxym=&ZK5BwVSAU|mF2&`Z)dhv)2SYAU?jyb{~Gc!u)t0(}EdheWY z1>vpSs}&M;LU#O>lxj3i2bO8ul+H{M<2o$yeWVGw4|El8C1gUirKq)_f@(bvMQr++ zAV5_ph@<5m9V^ z>3qal|H3E}*Qb0lmceusDf2e%(aTlsSLulkirGW)TNP=0deJzu;Vw?1E(99na|FwEw@n6-Z01zO!X!VDV|2m}o_`ceYYbs>>@ekF$ zk}p{Qz>|q+&BdgDb7h|z4M3StnTAsR*?5_WCp?iVu+uz^gn=dpYe2>83?wbyLq!Z* zfl@?H^f6Sm|B>~qms|_*%kQS@2!G{wyyW|X@=N2D)|S+d#4m*wgC72dc*G^=C7_2> zga{=>q|>-4=F(F{O$@L(NyMABX(jx*vHVC-6HbC5VYfx100-waCGVG@{S%|@pWz}} zaoGHUN_t9njPx{o;~|seP$T3Hev0_YGI25o{4U~uJWsSGz9d2^8_RC&e#lt0CD_2lM5O{7LOj+W0W0yqX`r}$i;g0QBxxmfC3ZgV4D_=m z&Qr3LN2)8e9ve{BK0}?94BGw!LH>Ap8|}|kU6*2up}AG#Q`f^7ia4nenF~^Gis6=$ zY=`h%Nj&>`L`e9JZMD5ZCu}@w`YbeQ1X32;BMfkYY&@E91nxY(qWrLn?luMLCG`!h zK$CBrM;&@+daDY2W?Rm4ZJFcD1_EKuoX#DqI3fpO&yGcU0AwcEIAK`N;(`@Jv=SeB zZxNCI>?e3?PwP8K`iTE_dax@lYT(%dKQ7cYzHvP+7U7j71~QLwL?}FF{@C9B5CW|qd^k`m=+wRUtnYcxd*1y>z;b(|e!hopf4-!q zMcF($?z}VL&c@>`bP{6m++6%W%>4{Y1@5NN9sd{Brpvl|!32!(0nR83gLepKxlKK- zqGvswzb@`0r=+*%INnhukJ|7nOWSJu(Sy5dEo*_zp?*=mjI>?E#G{tBt^5&9t-3ee zibnsk#k$(i2d{6=k-=_D?Mo~H^f28&3%l7TEj@Hh%pkzOuEOrc#zjvH$ zX4uv!0T)Ar0|S1N3v#R;FONdV?{Z_%wJG*G-cXx?&J{Da`D3P;73Kqu+|XG-#dYh+ zQ1C@aY|!Zxv-aABJ>u)Xms9FDlO@0`c-aFKyXDntngTamYaYjpGY@^7Z?pIfYLML*OvaI5Fc3U9RsRQ7^sx>!1XgYmlsXm{pPWbVF$qd)DC;~!0cX4`$wFv z^L}yit@&b9;B@kPPXb2+0AmU*j4>S@l}^~WN&NZ6=uU#7gl1*jit+5j@7j27R*-IPNe9W*6X}LS{sy*L`N%1|>gA*C_s07vR39Iquu_tOD_K3?-A86i(wdO--@z>#K!0k+toE14YDKcwY zt$Z*P32W{62}K{H!G*pB_R*3zj0UAIdL%5uFwIVL#O%22}Y#zLYMKkcKq0{Zn{_ME9Obh-#OYi1}JON8Kd5H zNg&)@`}iVzivIC32>9r94Vh=toMfJjZe*T!P#@iwQ@&UgpHKfZ?u?OGQoK~hIu3R( zmR}f!qu`(_U)kDJ+SLJ4IbaRem80xMZ~Rtw?Gg+NNj|P@6&ZAgSMBX7wS22Sxq^oN zt}z$`&D5@9^4D0|d3MIB__67h1%`uYg8rM$@DK{s$`$m^l~k2?S_AQH9WE15mD;Iz zyX1k6VS8J8vR3o*WZ=*JwUmChC@kO+@-mQ3>CGhZbeQAK9iq4w=r|a;dqU|w1*L2C z^T%{z^FQI)AD6#BDO?PwvYfQ1VzZP>{%@Xrn9 z`D@(-u0?qgFl{ZT?y1lsL%0PpMp%E=Pa+=`cwa#_B%N&K%uqNK;k;llPxn@);SvhzilbB7@-f87t6gIkcYGEn^w{FWp{ckl>e@~i2H(CLKwXi?$Cm${mmG z;dtyK%$9r1MJ?-l@?@iU_;}rf#x%gB8@x`~;O*)4a{To4*s&WU`0qO}P@MtYs*F!? zE1TLW{sSjMIspvxa1rrcp(A9pq#qPbDaGAFmoC#t(6<7L%DU)21x0l*F^@4|n10-J0B`6YJj~wEKcI&Soa-C>+w0`tTs{di zw}oq;#SbVRVw?2kAg`YaySPsMr5(Q0HdJ8f%m26adH>t`wbyOG+J=1!n-G^|Cj8j> z^83gnkYhRQn+$&#i)Ja_1xqJdR@sfcQJ8hZ^!G%!U8-iqb;X|9&(i(k{nbf+g42b! zOQkBrwSVmSz3%p2uf4DV-obu^4}^>1E1{Y`<_wrB2Ycl@Ag&Ei?i<1|^swuu`DOsI zd?@2M6*vp2QvFynCQDc#i<#QDN3evai(&eE_nlat;bKe2=7th3 zADz2?F;lS9Qk9sIO*u<81k?$~E!e>1@UbE+rq{U+SWuZ-Ph*+P9|E&paH5ZTfQ@;X zXU6F5*O--l;PRtj*{i$jyGUf)B5-susJVhzvrF1HDfX?&95Tz!yCY*C9+}cyYF=+r zhwDGS{E|#}Yk^nY^FoCR0GoZvqmxQxyj#KA5uOa%UyVbdO*}XzXZ$-XzX&Gx-pbpk zS3ILUIx*_+VOZr+V()dKoQvlq7Pb zDBSNjR@KZiRo#(=)l#zPGL80V2`=?yl(M z=bL{XKVRNFq5MK~bn?A;R!l0tFySg1u_mWCt!gcAZnr0rWwj9;L~cQ5Q{LR=+B=+f zu2*7#eC2(u(M>z)?UA~^r~eDQjBa{g^SZ}cr`})H?K6r8U#dmf8_cFH!ibpR=zW^e zABa9t^cV=A1gG(6tL9_Xc%0`jmS0`Tuf?qC0RSl*_LoH9VQ0y@=mKv=M~;?$RXZ$) z=h=~K9@Wa(pz{^5(EBiCld44hiy51Ei?Af`XD*o~(H<>LaqWIOTW(Q(IbsopOA6O- zCCRj6l(J<%U0=2_w4 z@QyZ3uLI&SX92U)?67KM`MLKO*Bzsg6mLC7cvt*4`%E}_fQyCxP@swN zklg|_O!DHi)ut=yO>bOF^1dkVO$TL+uDon3rt>S_bjL(381S5yz|k@<3Odt(&Imo| zCZcxOmh$UDoyvYQ>e~=-|I83i zxzbDXtN+C?*9M$}_YASRYNFRS;g)B-rbKQ-2a->18p6`7^L;dMpf$A8VrM_&%CO=GpUABf>nT}%moFwwVghKsU;S4Go~#e^-1Z>9K*=2rva~8+UP(Op z*#Q=|+ry9;?O%f{wf!8v`usL-yyUlu%AYhOUkMR()^24?`I%)*32QxE+U(5gv_)*y zOqQv*G9WwK&Uk(TB|XYgDCH4#jCL!(MDV$Eg%AtU0~St~Q#c&AJXy4yJ8jwE zArXbc?;XuA<6LL_sgo}}!`1~IsrSEo-TZ$;dyan(eYnYjS;S0{MC@2E?bvHPxQ+8; z`Hd4#u`7k%g=_1>r93}v`Nm23XnxerL6Ly2kRoi=!IHj6twvB8q`MHe%rG`g?s`PN z>n$hK0TYU0M^&IkX4BoG;Ib8eu$m99OJIxPiG<@QCA8?S5&uwx6!)JOJ zr-2+fkR>;CV?deO+#QvW=W>c5o(_1WTy}e>{?{j3kg*)ei$@E;JlY+_3KUu(=h+a_ z%9Tb=6NGciLl9>jL>zbEYmHgS#J+B0;N%aWEBb8J5AsTw zvo82?AP4+ydZ#04FFQ%jffi}|apL4>B>@|x^rDoUk|D!NIW52CSx=H8q{5b8@c689CJyd(AOD1Q{7MFvXByMZ4M}jc740_MoS8X-#>F2-@C@-g zIq~96+!C!7AyJk)kK`^csJ@rCg`l7o6fSWAZ5vTOAvobGT7-JO@T6=ylDQsrG# znQH>YdT&f$>-OL7N(qq{#xS$$zvR76|Fl1XYyYME|r|34()!+E$us8hB{MO2PhbG(s+5 z#uwKbXXkD$F3FP?Zr!8py-R*C6qU=U0_&V7bZ>L1sg_H4k-@pMTsOai41{hPRx?K@ zxuN;M&L(u5=4<3KE5mtyyCL4Zj-Op*M2Oru(5`U3=?Ru{D5Q$86@CVcO(FNZgeu*9 zeQbEAEl4uQC-?w3W@t1@7(6Vn&XmNFPfrZ0CHgjknke4c(^i~gO}U_x{$a?7Exe@o zELQx050#!aT4lLYUfNfSMSU!EH9ZVSse-G0)akT+-o#S+z#JRX|LHwI^cF_0ero+1W zx2`y|E4t|y4nUQrk?uv!?Zs~Kk`RT_+~A4Lc$TmJVf9#+Fs*I$NFuevczPT-iUQTC zj3n$&ZoY}GpTgUd2KPIJtx$KH6Z+xq=%%;!^#5vw^MU6iJ$|HnF`XYsr;45=J>n>e zkWH(9QeDSvpl4gE_wd8o6{Ah)93;L=b2tM3PNuQdPos6D`y! z&Xl&@iIaxSI$#R0;Q@gQop(o9e+WUbHcM$f)7EO=&TTrOozhLlp4eiMs{P#nKiRFK zVSSVUYL1cXg>jz4oep8W43S+FinhZX@Jza_-!+mK8oG7^4K;5NeM{Phyxl&q)y8zi z{?#v1AW(m1<|b9WUj1*)#TT~+xtfj^iV|O5h)>{vOoZ{``Ss(>4}N^c!W7oRzj4M3 zK8`!!6?PLq(mX@G%K(LD61Cji587b&I*NZn8KY5)GN+EMkD*uX`;J~2Bb*Kiefr!^ zT~h6cbHi8gvr%3@_0ENK=r9%t$PQxyLRVKqMm<-=N35I>o{VGUx`=HH5{0CBE3|z< zAntT-*>mmYXh4w*FYOz6!$ zB`_wARcd}N-^qbn{8+CRpOqizzlOpevCPGubRwA=)!3lS@1;-~lr7wR0whdn%=7JU6k3d%c z!a-P}#YWJ5sGdm7Y368#2%nUlMOI;7t#f_p$ndZrzT+zlA;}mZ!YqYE$H=Wc{F58{ zcmCRNYkSBUDob$_isXZWvjjx>xwfBQY2mBA4|Ht)!n%BhNj#~AVE@P|U_>4aY!IJ! zDCi&G0}nM%$CI?B@%pZBlN$A*(pziAZI?l1g5rp6%vuyGd*^4})!Y0S`)d^m-U9z!qL6LUpg~YXYm)s~tcZ)c8sprc{h#q~W9OdC{CcG}G@?Lz zYU+xh8HZ+*!l{1}3^S=du7646a%|EvbBo)3~XJ60oA~f@FOeEZQf98;mh*C6~`@PaWoS+7fEkQW?j_88c@I!Z(gr>m>;(o6DLkzdL}U&m*0 zrIya{zIK0}l6lm}E6c6LkC!bc_39zgroLT)$2N-v@rOYa3<~~`;y11Y?u4xE9+XDm z6b`Chr+Uq9D1U9I=StY(`#O!=cn2>j6UgKz+{#yuM>%h&t$ss3CUXGvv0^Nzf@fVC z1H-RV7n)WUFzr>mwyt3W+{rOy3 zS-z21ZWF9o{|$BKVN{j&ke#A;?)%`W?VkPxHq|e-`&_wlQTVYq{J13iSQ>t;@IP+r zOWLj6_LcCvdNsdjHF?1;fcmZfY9CP+KC*KGtvRlh@^cfH?e8f-s+pG2IX5I`wblWJ zEp@1#a<_A_q-Atx8m7Wct5mGYr}%3Pr&{Shiae0eJItYA+=WnMG+x}qrC#mApM2$S zZ{$HV4Z@SMhB{i}0rzRR_yN=Ml9$lmZ)JW&CXJnlzNkBXK~iH9J0J3TZ!ONsSCTg5 zgijUj8+IV{Up95=C?S!+Q=yHF{pXK4e#vBYf0Y z>AXdD)k?HfT4S=8bv5K8Ybb9c++KOdFTi>S5yi<8AJqBt_FhL2A^IhDXu7l_q_OQj z;pjy4=I+{qYyw-TLDomir`$Eh+eud`F>=pYd1}mfE_l`BG3h#8t&qDR^;+BUh(xbA zgRcoVd`Mm*$~>*$K^(Ck0O_*MHu;JJ$tGcAlf-@a>uh~&Gt?)Jga+P11ML(Ww}GzK z&;lgwx%&GDsQa#M+B21*^j6c8+Cl5KNn*iF&Ufb!XDL-)9^>C|@zOv>wb2KjMmbrx z_7w`~!}s`5XQzw$zs)OfjYfb1>Jn)k|+u?f7j5hI5aB&ze&s!Q!OokQpf0d>H!KKX3L)7x1ME!*Hqx;HO zpzc%iTWfF0myaTm{RQ@Uc7q8jDu0bqR111wY)~B|C`R0!A=aZNh7MjcbJMS^bU%)H zl0g)2)CURbPjVXU6o$o62cD*BeGL9UYHi?37?$dP^2LFze^**Zq1bnFC#d*Pnpw&S zyS3n%r|PfN+~C~5pn^x#FkK7*t-R%{hir{uq>wF=q&smy5o^r-%or%!R_|ULuu<4k zG@zUDk|zGUu8FAsTD2c(@l-W*pDQfCNU-cHf1wS`l9Q5oDmi*3f9g5f*VstFP|uFJ?soZv0SHZw zrs%W>pgC$S5LPJ++!)Gt&mmvIFibiBj@j?V)KMHE`;t}@yX*M1G38&Szei9-+E7L& zwv;$!Fvkwg)ivGq#0e|);M_wRUkB=v&9`&vLZuNRVgD#Dr}!qdnF7>18Yoe^4lvTD zdD|(c31E5X&UV1%K*HlG5C!+3dog(Nv5sNL&JDxs9%+duN)EZSH@>n}Z19z21c&FG z-&WXkLMv@F)&7hlsjj)wHv`}F(4Biy0>LxKKe?d``D@(-QMLL$p`>Rd!%NHpLNulQ zMWgKVtIO+Z00z~#kLtdBA4gw3W_=iVi*!tu)2mB&fAD5^5_IlL>fBX3kxpmbBa`wI zeL^zRXH9~Mp6)96^3z66oH-%-EPJYZQ#Sqng=QXqj{s{vIx)gHiuKQ#9n6@~{5NUL6r= zgr>DKGE-k`bL}LpkNo#|cUHb~M5V3#SeyJdy~cvqA2p4JT>QGwpq$W_>)Vx$w-S1q zraoETi-v-Gyx8u`{T8O?A~3;_ui;jV=;}_9DBU-tdwTm$=_C~vZySGZ*IhiR#p4qS&w2){fP@%vTutIN}`nfXC3 zsxnQ6VGCR47)Y`b#)-;@O~GWzMuoqI-z1E;%M&pEZ5W^9zb!u{ranV~ml86`)U+0P zya(SL%ZnKBVQ4maq82^Z&O?qk)5WSrTH9*c9G zBSxr)`R|7z&RJjypzqiW2tT_n{*L3~P0#FpI{bW<=MlhhPR&7Zv+GR#Ae>|T;M{Al z>Z3LJMp#AXz_RLt1)N7A9D{Q&q(HCB`GjL~#zLkmGMQImQ0wmz9n;Zr+K8fj_`aU6ByOZN*K zbCIPi1#byec}WJQIm{T(D*TCX#h7dl=A#@xXyY4P$W=(A&#rG`*W&yI2i<*-+&yRV zs)f_;cD?J4x}U^5p|lI_O%qkBKDCqZA5(F7BZrSJ>hP7)FL2Ybh{E*f)58>ZnW#ya z>x{we+2MC_xAF<2@pnOA2x)ZvHI$bT2$PkkpD?w!y^H?csy}`kBo^$b|7;DWa{4?o zpg((8Q!C#2d&WO2zsQJDfwVT?qA{26mq){@KU??Yr1E3U-OVqQ@8ZY7Ob#=w<8`E~yV zJ^V#}-Ant114ZtPiC0jFf`Rj(vQ=aEzJ#yGLSTrYrfD;)Dl*CPnpTREb3R3P`& zkJEkm`3cd$%1O>iW1z?n>2teW9FW!o;xbx&FD2y#u5Z)fLhh6(V68$$Quz@8x}`h}yCcW6&*eMU z;ZX-bt4Qx8cHWX7?12y8*p9paDGq8|QMTaACDqR+>$XmFdES;n`REx(*5#l^<j9_5Kc}ca(p+HZRzd;Psm)WU80enL?_# zQ@pPHC?ncj+Qo{5@+6@aYd$j?(EW1y)B4sB!9rZwKEI;=zu>*Qz%j^mx})`< zcq@@0@Ht?Q+D=)EC33YJm4khk_l`@xazNf_g;N@i=hhjtg?Q;4?m)5&cMCuMIl0 z_>W;<>e%GYgsruG48lP~>_mvBTvWcoRvZ?=IbQ)}nMgHp z){Zpi~+TJ44IbFccx9+1>v_^w}OUVV5i`(FCQD13=E30M(6fEA$_L*l-I^~R%4VwT^ zKZbwOI~b|7E{@fo(Nj18dOMdIpN?ZL#$15#HP|AFJSkpM%7}?&nTQ4!YqY>SWd><2^mB zv1uZ8@F7m@>Qg{iIes2J!$2Di=*+1K8T1aJbS6H1{?ni7)7AcyHC4l5uD+-H`8-}v z%jagmoP`O)y%)d`{h^_k{?#Lyd-{U!yY%MTF8|h?j8Zqz;cRI|`yVPDBP3afkfwjT zbni4=RA3+-v!SNnR=r0zvc(VACWbY%7JX4|Uk2Yq8(dy}ch*^vu7!7{&(y974Wpfb z{B&_sD$16@mag*f%WS)8wRH$z{c48&`CPqzzVZ20%0G(VQ99R{fCmJ2;D%P*Qcro1 zZS;D|d`xt@JK+JeLocOlMsOq@^PV$;QX>`$xk#D1mUMnOjc2B%gpvyJ$}TP_CEoS+ z1BUrS;s>}A(RGf7H$G&ByV@06%25n8nT?nvFj*0#4({&A_5IkWN79#gAQKeQBSQ>y zWwCKFnfd@@ju@M|SJA+?X&>Taa`jp|sC^+FGVuxa!LC5A8_3NJi4*ssmz)_5B#Dw;Z|et=0SNrPE=gz<{7MzQVC#w75X3kG!=i?7xcUl7~Nmgd`8$ zGLVR;+{5>reZQT*)=eM- zVS@#!Eu+p()O10A7=Ego(vn{II&>1DH$ zGM$=223d0}_cb`dej;E_MI+{vG4|JbNjFEselGYcebPH4qW-;EdXr`|r{P<92LuKW z)kJCs03@V)#Lrx$z^BsU>PFrN`k3)ImnbMwmV`fWKbGX2%!?0b`yGkv*$ch#qdgwq zwX&CG4-=cI9}qMBo2rg14}Y~NN>Kb_J((zd)^0$B9{BG!G<+X$^SG7CHEp?USDT8; zoZTiW;B~YPykL6`1F&HZzw43b6dLfzgQKd;-{Ehh9uMCClaI6TK5ra&=irp&*KdfU z?bokTe!dy_itzxxL7oC?#|Ln7R8%wIjQW2>3)=zdSF7K%F1ncdN(1M&8^HCCIVAb! zqLWmOS6@PnJ5C3BS*p0=A8m=#JsS1*Q!bDJBa+MQh4ezn-sV2)QK#QzhldGe$1CD` z4}H1MnSi`-<|`l%C4|Eg54-AKDMc8wZc>d{|5Y(Jy@Lnyw@LPg4BOZMUyNHGI@3bT z6F@)D0bQDxEX<1+WXIot!hcyie_Tq`83q+*GKOLeGRoZ0+mdpFbH4^&jzw7K)J>po zLa=;?I1+h-*tOQw;WSmNB>au&k#iSV^WW`!vYZGoCgtZ^qigV2&to#W@owDPchba?K$FTo{95}@_KSs-b30@XGm6E#IQ z@4W8OwrF#RBp{+^-#d`^*}ZIx-}!D7mE=HURLsc)9)}HL_WE(_H@f+x3D)G;X40ar zh4eY8+Va|~PJZoGTVH$ConCv@X|KKNuCK6avN;swoY^7K!25_;L;P5Cw{~5!Z4;i| zu?_WA4pfj^M%kkC#`uY_Umvv%?4o$=^vdj7W7DhORteX3?N7pwy#G-(KM?m7gbK$q zQpYU^PP`h79QA~_x*~1HGClbQ>MQZ&2(BWGkx`%)VY9u@HrqkGk8aw7ZKl08e}XpL z#4$}(b^G3!x3bM99fBfs*E^aXsoRaPIyrXaB?{1LNl(te$wP4>dA&I!m&59}9mn=bx0I zT#Nn!NzpRAM3KdV4_sv$$f^R`^`xTSwL8C5T)j#AbAAu4Zs)rL*oJ0mcvaf%ZqD}Vo=J8+4;5JU% zUmgGTUylDew%4{d!?AoLuX01390+dZ-0)2xlsexb>=?d44Z#UyEtF`gz3G-#{nK^}=8&e^)LSG&5$3rWfrka>qPQMia-4C{P56VWj|KcyUZg2F_c4u2eX`7AKIC@Rj=Srf`g+0s17{e2{>3?I&LY~%>7BJ<5h|?{3x1t zi=nCX@e~BpFyK#!6Zh-2l5k&leika|C*z!X2P~NN3#F!5^6MZ}YD=Qk6d%m|(twfQ z`rrmvInh$0O5+AFvY-w8gZi(RW2HjK4ZY03t5@)+;p-Rd>qJ54>@c^ym>5QIl@u)L z<&6l8WU1K0fo8F{$d~ zwBo$s%g2#SP{iGC(e^G|QU90dEQn4>*dlq~;MHw#k@81lly}VGIk7lI*A~?V-Y!oB zsmyTB%{sB#lCtB8fCgTQGX1w!&=u9{D?c5`LE3@dcxkIQpR(OU%i5mGr&Trmo?K02 z)%hH?tPMBbfrXUV&Uo+E@ax9w1;vcOcoE8=Ff66xVEE&Yr}TNh@+kWPG04$DZs;@2 zOvzUar7~Yd(Q-qVhk2vad@Ena;E!wM)1g>6FgQPLT*#X^_>WNt0KIzsaYp}J2^r-I zI(A($5xbSo2@dJ2jIK6|KTu!KUIxfS{eRA6?AU)IeK(mgFMu^DZ)!!&klFq~v9c7* z{jERNtO|Q}_Lx_t3z%<^)6oI#XW?4nAMAa|4CP&VP5AW#K!5Y;YCoe&0NvoD!|hSRtAG1cnb) zs-bdWKCeZehbs?5x=*q*!#jVmU8-3;9)7G>@qx9yQUbuIb~-tGdhvkD5rKgP=1<5& zz%olXU_2;ER#!kKSEUMw+56Jz6nh*h`j^tBeuxq*KO{JPr^J7j;RUU*nIX-lPm$!* z5+0NmFF*uGrx^8%(J7E{#Z>F5GHJJ z>6okl(Qlpljk1;^>ULF9IAuWzJ)B35A39k*RHr?A0K%=<R2pr9S62^8gNMI zd~!pd3g5B9VIJ*aYOfTBq)xP^+29U+vRRiJdUG^F(OnMw@o#Gx*D!-$hM&sE-*qX2 zwDRX>SgLOxnk2y)2&na6P6P+IY0cSR7-UAfPE!XwkzCHS2*eyI^@eQOw(AJ2(}aszdy7 zkQG3y_^$4_s_Tc(Glt6SrClCYDOtW)T@Niudac{fcWN$|{9iGX! z2ahBkW22Od!br)NCo}$yVf>7#H|gdyS{orM%4z?MWl9paWiz8fu@EHz6FIV94TRjL0U&#ON7FG!gg;d>k-) z!n!)Lq0~F(K`^j@rA;E*Tmy5}8*m!$I%3&0B-uSsGPB|NcF$P22 zemXdGRQqQ@Bv1}~TW&E+7+m%|#Mi8s1vYD_C&xE>EWBU|$obT!(6y`?H%u~}QLXzphxnJVg z^Wt@=A%EnrQX~E)DK@aSYUIV%-Tm9ZNY z7pn#F7QgZizWujSjiK#4c4(Tc2s0ATA_WYdu6)mPniN`p)r^@<#kZsYy59jP8aSNA zuKt8&XYSJzR)LlRx8TBLZwzCt9Xob9%lVia`cf!TKOMhy?(&lu%PKhiL_Ph^$>m*2 zmsd)^PYZiYq;pwGI5#fs#x5$leVYGjWct@&Nc>N7^A={zbLCV}C-=Dx^%%9SicbcUU60fJwHM!KLAXYOtE!Pn zA1J;pb3aem7i4`S-_B*B^U_hZk6L&HV)*E(Gx?fd@|^qVCFYYHZ4@I%8epW$2zW_0Imu3W^TL455rTu?7a!zCX-`QxuFNc)W+m)$kI29a8P(dKK@A< zL)5>Cy4HsinnGkXq~;rZ5xvBqxSF31Uf^F~&q#C+x0=U>pRo2KGgmnI0U0kf^d*E` z?)72cbZ%JoP1jv5pPaYJky2lB`P+8bap`V$^H>=wWu5JO7QL93uT0IC*X50A@7U~l zcX!@rzRwx&d${if<|~uYX|pn^wdSMlYFN9R&i1XvLwoR6m}$X$Vcz-zS13K>aiW@; z00B4paN%(uKqr3*yP>jr4uY`)1G{Dl#9Y3P>mbRc&yqc@4%a_Jo!n3&W_AoW+;5(3 z5A&pJ4}e$-^=&sO&A#DGeS?bkB7+jj2IlC3&j})0J!kZhB)>!EJJS8Ik^$9y9~4yr z18E_?d=9wIP4V%WAQiq}@hQ{0<0!)d(_e!;-1uy3mah5Q#^((E<)BCYG1knp84T}} zxxtGkz$Vn*V0LR!6@ zXtZM(R$!6y${W}l1f$MrVkke3N48A%=a3QE>#rp6%8jdjjWhzqERXYgM4XTroK0-9 zC8hYl2Q{L~Wo>=O!X942g9Hb2v$i5OxIfivo!Z9;?Hx844;S@6#klYM$Mmf!T%-Or zbne;Wn!cz&)GrxFVm@h}jr;bjpFT-*EiDxDoulZLJd+M={I=&S=5n0*P8;|2zzv#; zy5~j^Oev-Ix>0Hr2WWtxg%yg416bu`VH^F&_-H%GYwJ|uOq4+JkpRh}=G0oxE+{bK)#yhf{llHIjQ68~kl@W8&k(_)GCN>)N{(Rm@%oLb5C zpA6pI{7RkGlhlcuv`BD?6fNmW+Pr3234*Ff9tUJ7ds;ldg$Q!kl)#+p47GkzGey4= zDKvy8L|6B~v1YpC>J43xfg_!Em9+c)pXZm{%*}7f?;*`&p7Wg=K=%R8mt1;ZXoANT z7cZ#+58TH5tG7CwZcA0~AQ3ZhO~oxUshm)ceA9pP)%BT01PU_VKQ*swkA{W$`U$UVr8D@9O!>D$16!JYa;AmCWT zq3nq3cf-u9&uQ51uwau02}CSiZb&|!Hn!@6R%-4(t(v1DX(IYE<@V~Y(^f(gWozO~ zp^1EDk6yEzzN{9VG3>++E%O092Zb4#%akNvI%@sF0@*q^tjE)579w#>DVHDHm${>2uaiy;B7>r zfL8{obdENW>N%;RBdo=ztcP#$xB3a~;(C~^v9Gu5>z|DMnzOI#`D+shaIfCUn}&w2 zwxUXwUpuAYlhRA%hGdbc9og{7b^mJ$jIolraVy2N_5Erg6OfE;;tYI_G9_D1IKfFV zcfKfCzzI(m2j?E6x87IEBU^B$U7DEs$q!Kv%x;_LyBTuzZhTxCzB&kfm$UNI|lX*5CB=h|G z>=7Pznf8qGWS;;3-M{ho$}fUYZkY)UJc$p_(+P7fF~eIqygtf5mN!fwCY}^0pdx36 z|0n7m4wx;L9aTfx5{@K9 zP7-d}@uPrku>q~+;R*11gs6_x{>0%+!nG1n*y2~u4=rCQiJkK#BnT>QR~thV#2Rij z`aJk(qK)URq?vI0_n3bK48^w}^F{tCt;Kpqn4PXn2<<6Ox3#KpO=r)md*3)9Ri0_u z>=$WHtSoV|J)F$h7NHO=fY`a%qIygq9nwA!C?frPSeg@u)6r;Y##WGEhxw}Z7Uah; zJ`V>ag7@uWGg^MCo|5BTn)hE3FH>Jhg8j{S@dk-SEX&tL#Os+)Prqt^-B_K4-PdaCl^!laHhAHv-jU-Gq>X-io99-JquX*9P{UCN($Iq!;BL^)H z4Jv2-#%xTDW#fs~#<#3EOfHvXwh|gFjTXf95MHA%kcY9Q*qXD&H61Z{WbJF#~K6D|O|^ zLp84I{8dW&Jn^aR-cZ}hHXPGAI>`+!1paO{eBIC?Eeta|&m07WB81Rs+UI4sgY-zf zu%5myQnCy3_WZ~q=n|z5QL~=DwmJGb%?AWXfL4h9th7ZzX{Ml5XKm)@pr|aIXSBi1 zLA#z^GczF*tV_ESm0eC;a=;ZAn_sK&NtoadA_ywSkDcS)(28k=c(W&g-j9}>~fX z+O(p}Xl3EeEix5I5U6hHanvbG(~Hm=^V4BGOq8 zw)9*^0R=0cQHdN+Y3IMKjWQ(8J9pF^l&{5~{S0%m9qr<9wkzk_)TD!Xi$Xck;u z;OiUwm=6%){4swMP&Z3;IGiVjt&>E8~f_Cv9A`5eRa;5SJ8luRnb;Xw8yu|YzH_7K8}c4 zTjD3z?&*ItaJpXi`qxgqrqaji^<4kj9e#SP)CXgHfpc`18@dM|IpDjQZI{G0(C#a( zg}Xuvui8zfRtf$V_54aco^LS`*-vu(#aJe=$?cL3TN&fJbpr;pKi-R z8B)S&?h1i=dcx_8Q_d02%qi!mC*q<|>0t*KT_lwvD8}_l%Z$OL6M}HzNE8a4lmb|O zI^Rz{xp_DcM)i>;myX;xMWEXZm>rf4*+E}k*$Q6lH)9odY?xe=jx!GatL2qkWxd_+ zTvolE@3_gqJv@Ls6VTuZG6YH2TVA=}_G^|`A|Z5YkgJc-FjgO`dsbJ!o$FS~Jc;;7tR2P8`uDxY9k++mKhuvnksvV>Ig(36c>;6otv zWGQRw*esm->^hbpwN_H6-4u!$dcVm^JK<*kSP7KJTnpul%J z>X+7&GHcQ@VVt#(S*h9u4ZUcq=Y|GCFSYKDhipUx7Yn=@nSd0s2JNDO{h{JCCtT#? zMXj}+fx0&*&<3Q7oWGtq`_0TaG%V@A;)iat+(n?SrMsKG0TsuU4Rbt7Re*AZ;1! z-myKt(LUe!ypSv=+@Vz5Qx_Apk_g<0sT~DpVK{X8{GT#f;9q6|*3~3`c+1=Q6gso+ z!2(Qx>FqN1j+h*W>w?6iYnksw0?I2*O=H>s zUQ!jA6j%quXkep%nE_Qa@Q8nz0Z26Pf`6Hrb~Laj5bLa4RP*&R4ELz#T0fo?o&X`6r79;C|HZ^tY8xeRy+z$)Di$wr)CKOL)qe zlGx_UaYy=$?3?TcaPgbwzP8jkhqxeuKrO)HlMs3d|87&}tk$*6Di8=r*BuL4j*#C@ zB<1BKuFPngr#Z;GaNoK50ZO_GS8>hD&*OS?0|4|*(s2$@0FA<1Yj<*@_TKw_`=iaW8feQQCjH$TB zDymVNLIIY4ft2m;3g7q@7*3rIs@0$W83MW157UwU06dQ*w8ar^<1K%Da5Gq-=L2ha>k&y1y(u z8$eQmbK%E$CIi?; zx0ll@2_naQRp480=;QpgellZ8SEoTgz5-6lRO6_gf=CTaTof;g4Q~&6CT(DCLDmaS zsNlSZ+0YqW&|UeEL^W_X!;r3qW!Mx7Yto9zQ*M%Q7Wtw2vqK31S2^XC5)M!5UGhl6 z)3Q_-nZb?r(o+lR-f>&u95Y;&4dgLvI%%&EUu<_%2Wb)|i>X+mtKY$iUPCMQjN)=n zb8E!CZts=F1IgXgxvA5RTY4q#btQ2-MAxxDbxE>1IQJzpEbPT+kij96j0#)WZY##M zSfuiz>~&sW%3_2tGFy&=nw{*QDx;jm4fO0)UTJNgRNonLYfHYY-+WR3OAHKKSVmD` z9f)Rf87-^T7|i}#z6k8)VbtMrJ=E0@{Fr0e?g0_nINjkp*gK;=lLaE`e-~r6koNqN zUj(3AUpk^;1w`{ejv&%7BF_$xF5mfy{W}H2^2?#mb0iPDh3zCG;EWm3)jP9%)yFi- zup@p|&mhP?VpXdDk(R12B1zR1=^I<*8eZjwZVE+ei+xA+O~_Nnnn*HSgzq1+`WwP` zkFOR!0+uFnN^p~6IS1!%q;z8Wa$hi^nK|Q`5+aEzKcOznzEW|6V~5?6o&gRhu?< zOFO?h9`Jr7xRqya8=!t6e!92wp5+G>29Mk=fB$a^m6oUC=V!OBc!D^EQ_O#u=&R0q zmOY$;qn9 z+d7PYWZUC^zPIxS8voH9`TKucs7!klrYaTaR+~1^BM?ckG`O2jz zKhIuTdJ=YPYqB}g+Q@r8{^b&Q>}$7bgz?KV&J4Blo0N8r`qXyI#Pe`5`(1+X(QV)d z){E!kXJ*d^zFWBx$ME9?3S{9M^~=?`0Y`q+0*?5LX6zFKz9fP0kv@;QQ;sdVQ?PRl zP^=iWO^n)3YKz)VZI9Z{o)hiH21X{2^NXXl`3s}nx)$D7h?I)r@*h)@gvg<@x6Im>tLEco{LdXzGSicpJIf$%9O!;bH_u_j>69{ zJ38oh{`9iEoFG~ge2_)b>#vRfb3SI>osYQN51dLh)Ly^rzUt3uT&YT@m!R53NoMBQ&Vl`T zsvgK6^YgQ&^lDQR`l-?C?)u=Ckov4rbpmf}KZXR13m3#2bGpRn!T9&x@iXOLM}&Za zzDLg}of1FXZK=6zRRni|<}f%iSrhY>*|H&oi&rg*x&H`#6yNN$rB*>~XFi@?JCOq; z{$MmDw;_pWZx_e=QW-b4f90~^U57qu}so1O(K)J>R!GOvOyBBO^d}IV()6lQfr>xk<ne5Y6}Fgw z!YzlHNt64{!dnI7Z<)?pgMytj>0#pZi*}r3_2*X5|W72=-Q?`IpJ{R;-)pbKN3wCKLM||FrPz zg{Pq~vEq{*E0y}d2xHE#K|9dYL|EZ9Pv}u$J-_4!xDy(|S!XrbDq1-{!AIqZVe_E3 z8QCIxdb|O=ANV@IR7SXCo6)r4=Fj%qZ2l{5geo2`*VEs|Uilm>vSNnID_Zt0oresn z#znHgtvk>SER-K5;ccrOIE0r+dVRNEh64|*RK-rK$SpP;MQI&$>_5aFIO%q+m+@XR zGY4C8e%kuTGL?>_CYK%@ z>afyR5K=av9hxs+p#aW*;Afcx?%xvqdOvWrR+-h8%Fn$s8tCVum5RQDvk`Fy$f&P2f@Vu;$NDIS zjDPmR%C5H^!3N`!xAOCoqHEp_f{WYn(O^raU6*gZfAmrA{6eZZ4taO&)p^ph6IYu*uIf}%DLd_*!VY9 z#Se5r{F|yAuJXEZqw>kt>!SY6QU3~iLmUVDw9+(tLUg@SCz1@Qd1K%6heiEjNv-+5 zRiiwf$zxUgmiD!5K)Ld&)~4d_5V^!B!3)(~+hiX`Gar7$I15Y8Y_}G3N1f3g{i)J7 z=}I;!Wl?nN1e$Je(Ab~lW%b9J9HAz?l?xf>3hu0f9lPT_ytQ(->98>%ZRQ6G;=UEl z5O^s@Vbmt@Q>suR|B-P<(`sV4_SPH0&Kj~d{*@;n3jJS|>pS+a!je6?MQjZ(JMUVV z&wmbHuQ2ODBZR>PqtsD**KNB|qSk9esr9I0>1~7r&7QbwPpboX(j_TQvFX?L*Ojo2 z(DLr)?iP?Uvgh&0JZP&kN`}k{My}Fc8c@M>^0`QmmC@a97u^z;TUJq6um$#asn{c3367_s!-+D7@_pZ6(?=yq1Z5IzV)7`BGoN&d_WU&i~<+fW^vC)4tLCz4{?Ao18-6c@}4nxC&k6qt`-Dsrn>7xvQO zN!aD}j&hPC<>Y{#L2O;SBnr$=iKCnj zTpgvd3oE;^ysAFzbbFo+m1y)kzOVz3_p=_n0YQlHSdQ~GZ6*Sv#4~&wi6VG(%ZEg) zAQWtj?^nOYKm$KgD6i5bhq_eEU)Vp zo|Ya)i@REZbWwP3&MfKsR$76~z^SYJB)0{St>#|LUP;_9{0zqMwhaUOQybVbVPF z*m_Siyws)FE|Og2ALMbnz~yGt(V+_}3Y7y29OUHnaL%Q+H6&_B{cAw30wFjETGqg= zEtytSKo?MjZ=#l=2YvhLSX7h+J2#|VQ(bTS=%^9m0m@W$y$_vEO8S!$V0CL@$rPHOnKZ9f zHIi@8LuekQ$-YX7)JCaEzWHz?GEG-no2#)qZkBA`*wWfmU7T*43Rs=>w}@ zk`nn?*NnT!yZSNSb!?v4S_g_Slj;J#n*OKJ-s(^@qwm>Ev&=m2NMB^Aohkq7>O20) z-&gqR6IN&CgYoiJZ)7eU@4+p=P-`XcUT41QXkaakfXd-SWS38`DuIi=3+yYIYV^uX z3SI%IeAS%!L80Qj`@g7C^)#ZytK3kTzqZJ=WeKfo@MpX4M~v+$$N3w5y=G+a@gNeKR0Oi`kl!u$do;=EGBoKWOFVQ#AS zg0HaqFkSAmLEd))|z)N+VfJDfB8d)9&N z`5o1%g#KOw;Y+;JlH|z`?1*%}l_tLq+vry4ZB9@$aKkIC#RcWf-cQQzjO*NI^?P;>nXp7O_jerD5S#4{*HXFMKH-%or2HvWr7g)(7P8Xv;R=ieMbi)SJMJ+OrFw~vU z#y7+_Wx&?I8P?GaP5ghoxt8-PJwIf*?NP=TanONYgxikYHS4yt??9xH>%d#;!2~{& zfnY)Wl!sJK411PWmp&pl*wcb8zXi*+xi&=oe*h*>`b1xl;YYM!$*!kuugoVSt?vRv zyZ$d}HQ|=DPu=MfUXjAY>szDlA47Z61~Y9eq7B=QkDFwG1khp-gGoZ<4a#4H1|}5x zcKm&+N%Fu*BkMx)lByhZa}!hIeX8Ob8;_g9iU zI{xWclNtCt?s+JuqIsmkPR(YwGs;mBD!FErUmPvY8k|2$RK?{p6;aXBm0$M=;-($F zd71Q;#(MP3Hf*C8x=nh%e3FB&6H1~}+!6)nr(M1Xi_z%cHM`O>qdYuSHraM^ZqK5> zRcn14sPxJk{ZSlmstua7jw`HL13N~mS1{fLUhaZY_NyrQ;J-TA)2+dR!OQ36D(BA& zYx3-RaY@m@LGtPI>y#Tgp}Dzqk&U=8_!rj#0!NBEHrqRZzlaxZMm%td2;47k?l_a8 zzK{qR4y)@cG8(t!`gY~)AU`Ic$noNYHLF|1_Z5$^R&W}Qe_Q<=x)TcaW!f%%kr!RH z&kyx!9Z;-5n|g5{jia_FA^2Ui zC0I=eJDzuWy-Vi3iifnfs9$;`C?<8FQr@pY2>w--OKz_|c&Ll#bPKL6Og%B*An+}} zLPu^Q#JIKwuU*ZGl%GH1^8KCedr9wLQ@*)6`sh#_E!IN*n`4x4s(9!z*K;bBzBDA{ ztNpe4PS-v=)T)w$L%^-6_Nk$E{;6I?s|ISjnI0`)h|1@3pCC`fBE*ta=*iJ8L(j*lYeSu5x9;^fiyFV2p;(2Uy5;u{@8o z8t3za(Ygc|v=a5t<&8XAXqWrGJ+7DMwG`jvd`&`Ggz#TfTPYk2E(4Q!sE)u?1*La@ zh_a8N3y7}Qj`O@qZC?rSNcB1`LP1O(gW@%1x(x5cD+kQ<{~mLew$P+p-^tC%Q4H+< zCD5Nxo_BL^*_rk_9;i)SYyRK&EPpFXO8MW%n`U42?WPq~31gRP8j3T4;lu;~7ixKe z{vepRjYgQ)$mG80v%}jwve)V;?HW9PwEW`KWyhOWo;&i)2}$(xP+RP9G7j$Y*SiWD zOjWq*R)7&tad4Sxmd&oSQ-7C%(G~lYM_X40kCo`cAp{0OwWy{)R*Q9SvjsEsBT6Lwhp!zK@jt!wUnctE5&i zH}v=XwMJ|rI=PF4~Q;H>rLP{>sVYZXs;Dq{^9+8)Z3e=GRuMo1mZ z@SW?g+OKw2I#;!C4cWJq$5~nf)`gSUaV~?)Jx5Vl(H=~>0DoV@@$#lQp&Ztzzo>oN zJ9Qe*k@#oU$p?!T=!yX@fO;@~CKvx9ho7aGCOkCvyBt;$3tq}Sc_)iP^9H<{i8-#y zWvv(HpQ}MGkb|TfB4AnCunHfU<}jvR7~_0-81(U2o7z41^e*i+Gd|H}bnONRlz6GD zeWMv(%8DV|Rxbzn@0=4>%V@y4R5LF?8bNE$Q`0xt94#1tX}dSsju7;~n4#suLiuw_ zn#6d&rd0X&8Eg4BSAOCTIn2nA^SvP|&ToMq?KV4oDa7Z(uwB$%exx}!byKcaV5I}$Ohu&~+!SNxHi!tDl>Q+g zQL`M7sy`ralA1fG0S`?NZP>V*i=S|UZM|aG75yJ7xbAQj=MeRh0Rk!yj`Qr;s=*fJ zfNmwz@PdYJwPUS>@wkgJN==6;NI=z9sllT$h)KthRrjO51&CM1LcFRJH)G?QP8E&9 zqu@nCYroQ5nsD}ds_zc#>K2S2?QWj&!)G^;7W4m0_VeJ}r>6?Cdwq?5tcoK{G`ceU ziU$6Xxu#FwuX}o??rDFfm6q(Od%CFZ>4v%|p-Da)S;2hpWVPMpW|IA#iI+?|>pzTBKhnreOKHP!mqYpON>Rn)3mEnr5`B=sN!obNLVW-b*6Z|K1x6v(Ej<^*DOt!1H>M|6Z3Tg4f?-*w6M-rMfZ)Dws;^dL}u=oeZ_pEuW ztKIv%uX#Z~i*4~e>z-^WKi1qaJhHAi>bWb!4_SPgaWj6Q&;fbktH=hY?Yez`X2vw9 zC}kJHT4CUJgz$b#sKf97Bnbf0%Sdt8P)Z)3gn6ai*=Psc&bXS;6ENhj z*V=e9?e@3pP2Z}nrYrsu1?3GMp2>VG^XD;a_(MN`x@xmT4I}gCO(;&R%!kVZTy^Mx zzGmF=Eh?YiVR;Ps^B4J2!5)@vZ&$uE)#2hKk|?-xb>oY|cN*$ybp^8Z>%Lof+1cxp z@5F98odAox6LV}Xa(vI9SwF!p_T$Mce@n5IwLKv}p?C^A8F@_{a|5evtbMdss{^pO@-(lnQ*XoA2u&dY> zI{!-1C8AJwAs)Y>zjGS_H?pb?d3WZY?C18#{QQy_W!E7nw z2;zC;_43wndI?xJA%&-hYtn%|(*ZXW3vok@S4z3oTfF=4@%NvnMnpI|wuScwG>F3 zEX7)i^EeFhT_uv)J$#2WVOb^LioJR3DPuSwLLn^nkm9?U8X>)np7i+6vJiO9Fpxj8v1Ux-hT$|UMPry2eb@gNsZ zuAa^Bw3_!BvC!4&e90-5Xur&5B(uP%No5sLBAN0qf)~F`4de53a@zGSndh35h^|x@ zM3~4riK(u~YoFALRE(Gji1EO;DV!dB7%)eY@x%t*-dFuwbw0)}pW|(A=v@9<*VSvb zQ))#hRlC6Qa{#u(-E`(;rZYewDe7=@9td7iCYcRgNBuGP!njX;q3JLm%Q>PnHwzut zk#2pXuk!yPt4x4Cna`xT!9EvQ1#qh!%{$Uitz8{QPZmEj4V-`?P7z6xJZy2hkDkTR&35m8m z0TS4`9&(B58gL_}FP`TD2g=VKc==9-xi-9Ho#*2w8Hk|SeCYiq6@!y493@}uT=*kf+k{~m@dx!>SZ-$dP${PhF;DOAc`u9~~4StG<|E3Ym4JTRP#ZrEtg!Pf=2C7(qzcJApPDGl|VG^x4v ztue^>Ve3uTX4TfFG|=>w&in|HpJJIxN42pNYo1T0T4&mrwu>vrzWV5x z_0}1i8#;^`+Hw>sZ(4wg%%#I3@qwS7L)dYy+N({=ZJInv8>VSDZMaYq*_ijdZmK<= zIX~r!makl%7-Wh&Vf1o3dJgs-U-AddRHNR(!FqGFG2>rrnFxZB#_t#rURWuNWzIzb zRpaf=GlU%fY3l1j{7ZsMC*xDJ%jG-eqkq7k;e9Gx9-UAu@fTatZS?CZAALyFe;-dr zzsKqMavLW%^;~!K48?l)m#OADtxQk15BmP-rcEQ=^PAhFe%<0gJnL06nq@qrR_U>7 zFV)iGoNqZxq;>Qmr4!VA?z;VE^n=hlrLE7*7Vm0`ZdyOm-P7D&yquoSaZUF>RN7K~ zkltvIt2GzI|GgmowOmq|c9?GTDUnvo%aQF!wfr<@+WLj|i98Y@vVHuj`c+DY0~=mb z`8>4!_o3Ld7QGnhUeMfLs^vCzbJJy*%rRC=UQTAtbm%vDUUOKYUsbemh0)>?06j={Stx@kjhr27OR%p2h7THl0tgSU;CvS8t+Dc45TdXnprh@CQho%mP0d5a^H@^vIp^S_J1PS39?1UJe?c zW?t2m4GaHD+b7wRwI4G0rC@vlZx9#8Wd zs(8}i(W~q7car0DqeQ#w<+)sd1eFehZ>s*8iaTmNh80V0KB@ixTi3u)#SkI|6h+T1@Y|AtHX4eYT_%>1-}s8{M>gw5uO@-XH*BdGG3b z`8~zzbtjD~!ue)i4xVve-wQh}Yacx0@A_Vtbou12zKvh4wGEzeCr{Be!<697=JXR81CO(e2ReZV$Fmf zH@sy1ln*w3(LAp@9!OkQl60`Fq4?y38HhN=!MV4QIVbV=2|~0uTRYJGd48Iu1@jk4 zhBMuK_$==UJ0SGW-gNm-Tto$Kb_dICvQZxdnUV5b><*&XJ+;MIYr)CdpM!X8pyzH+ zk;~|@f?|`h_;F(-Kp=4rn)sTO9yUi2ILse1Lz=#~Hpx;3f$5H0w|u`+KlM|9HB`DQ z?nlV`?7$rl-68Md1azW*pO6IUaUW5TH>VfkCu(~c{i+WcS^jRfbhd6%1%yj4zeS^^ z2b2N4wLEWf={p*x=5Yw`8Rn2uNKw^owZKsM+{B4;kn>UUlBod7t6KIBVMV{sTZE9Q z_;i)gO3USP90GUgO%R>uS_2cIaAd_?7SD16#PFl5(gt_=HATFb!f1|>E1??-Wzjwy z8!R2vEnz1jtTk1Jy9c3 zqxq=k2l?{z6PE4KcicNld-SbtKCHA0hk~f=%hG`^?H$aKN&($mEyG-T{KUbh^XVez z?4IwA@0;;(%biE>v#dIJ{C!97wCpi5S6()$?}bB)Kka+rJ;fjPy>Nc<2OYz`og0_$ zrB7{rFC13dxp(m7=Gx6pv61dSsMgyoBO4j>en?QeB6LylwqyQhx5PiUHPF)TI>eDT zD#^@zS8b>Lh63I3^Eq<_To6AUzSipf&u8|=-^T@=cok*+r)f+5^vR#am&m&b>vKf7wqi;w)lb(}93jMV4c3KN>`B(o~1}6P0dI8-z zou73Z_X=}i&m3CfL~-3eFhu}oe{?!7C4(xPPf6;3+1)v_gip|lR=mZgng2F$?1{JZ zYNDrGvYV+)LbL_ge=`?vtmzN5m{W1a3Y<6&dY$MO5=?~HXpXcX;PoU9bXk@IgVK8=OC~%?V=o(g-%FzSJ zQOo<0yqVaQ2@sy1S-GR5=Hd$vM2+JH<;OCYL~tz+UBiiRkFJ%7uIa&o_b@0l7H!+5 zZdOAl$;LM~pl|1-Cp)15-Z+a^T+v*Oc#&!L2aJ8_Q7Scwhu|DJSFhSGiAw)S{Zbwp ztH<{bNK;GN_AyARkIQz0veBsVR-Jd}d33$^jbG(B8;P6l<6lT)bveKG^GOXu?@oul zQ5iYmI~k3Qi_3BH3YS4`6juH7Z=4iy`GAGQr)A@{@(Nx=2c23dD~`HDSYMn%0!XXd z-_3tZUwHWal6;%a5cx`!A8y^U7pXNbmL!KWWqxU*Z>;Oj#PP|a+9l9S@Vfoo{finw z2!%Ki3G}aD-s?p!X`p|->;Kj3nO^DnX_^Q8H~tvUz)c?v+%&c*aMNYS1#UX8+oSAF zVxq>HsATq4E!V+1RT3Dvv1VpVFF3yi=jhbpP1cm%C!IKoF$!s1dS-&^3vT**zD^# z5Djj6qWkGUAepj&gIoRM(XX&WQ(p9j9O=9h=P}erD{^Cy@Z<8*9kc&mVB{M$pU=qq zB(giE2x!F|mN(2S8n(t6`6>VHOX1(O?`6m>sqc^3%xh)!2LjR+0*|mS z>B91iFDG&8m>PfTcEJ?H@^h8F3Y{?Z%=0mw8ehHNqj%=V&dFl49f?qs8Zf=@>v*0a2N&iiwdga&dQ>7vrj)4R+o=Bt@iBqSKuV@2el6V-X#@i^o1*G{)A5i07>}F8Phj&zGTW63_^Z>1j2(yvum0Y zpujET*m$kL$Ap7d%(=9ps1;5G1olQtYKCOB3HftI`0%?ISeYS>Llq-eUh_uFXR`!T zmX!G)@{L&-ojoAn?Eehzx^z))X~B`rM)1_kmuzw7H3eHB1Kj-5`!L_Cf{o&wVfMm9 zv;PMoyMMN9#PZpj%Nj0uysY7Jl>fko5&9x%)(8BfUmnvi?(s1VUz2cH0AZ0eIr}p;Cp6y#r-bp|5}B;? zD>Gh5!4v8|Vf3uTM}Af%=2$1X=OSEB)NMT=NBQfXK2^Osqi%v!o_04s!^epSu>|aD{6dIvBeu1*S#o1g`|8mcz&H-3W_dt@htmjMk zjX=2Swx+AFfVl(h(@?(JX?@?U5%rDED;u50$DP)b=6vd$A+xVK=QI9AkAv3U8^;a0 ze_>A0Yo#>JmqKy0ejpl~-D44e+;#UaI0r7dzlHNoWwb7ep3rc;eK_S`>Y_ zCuI7|w#oG(6jSrnx>enq(-`QPX3ZGRFt7g~o+UfGir3Lp;un+#KP~lmUc<@5c-ng3 zYV@=(HT1Vwrz2PTZ=8k-z(uP5g;&FY1Noz=FBBZ)gZT4yD3|&xg^?4*4Hy@sCb6%zM1y zGK3vs*k0(9e{|X&k&;}`{!Q~gkrw-T{Q-O+P&xR?IbSI++RtwVfROAoFzzk{2^Jw| z`*8LH{Sj-8LzN>}pue2y&Y%CG4+E9^1A*CDvShEd07q7X!N2GvG=aL^r3yXff3ZmE zmz4mqDBp_N=nkLj2}8~75hz#x_t_&}n7xH%xGGZylp}>gG|YOuVHyGnD{Bz8$3OZ_ z*1|)mNp+`IZ9ke|V8=?#5jf2|m~o3_VKf0o9> zzr%ITS*R+cKjHC)DhxQR!W{xutMXN~J)(K`!!31KtCSCpqp@r7*%p^*_>CQWgv^gl z0(FU=fyQm!TK*q08IZYLMO|z6SvU?Lvnj2hFUo+F)k#IkdECb!zli6$K?!RWC~IC2Xda)jr)0lZfEfzvAI2TfGEs@4 z3!wvCA$Q987yboae9aK3U&U)!01M^pDmL!D`|`*!n9K5zb=`hgI2zC?Fu}owC01R5 zL(d0z^CG$=tu$lM)4zKk9Jo0cr+#X*A)>xVS^ehbuR_8YS`;vCQ}!VYWV6c`pQ8=` zyTK>-%P+K;wWZGWAL8==OI-f1l;!_;F8?QrZvAh0!zHr(Z}}piW0CA=)W4|qOXWL# zsvQh#<+{?KM2prSf#z`tmk&FdxoyFGaRZAufXeIH%=78+h&^FPetSY3_Jroy<>;@U zY`AQ-bMSq$TIzQ@n>RYk9!FQ1^{>j2tLDInnjSLyIXusvy$a9EXD`Q>?=X**Gj=pW zK2tNQvZ1P|<$>}mV8`YDuhh4yQ_NYgW+-Rp{m`QI^ZK!pK!gu~MFZrHF$5`f(6+(6 z6EyQZF=ttoSIjCIwgaOAmOURr4WkihY2mq;I@oW&^L;o1b?M&zTUz0&-|3vw1K-K+ zV1=k&s@6RHc^(SO9W4F1=D{&T$%ZU=q9BIq^hf4PWWj^QP8mEs>z^s>^+a~bb0_FV z-_-xC(KnTyRW$mh%CnC9B3#`9bzdy$-ZD3^_>2AdP4JavBX`c8(sES*-_Wms>G4F4 z$MxGAH+3)CSs(AUmYq2;^2ym}peg)liicODZP^~{8!mhN;T7UJe%3P$m;LPFUyG-B zP9wyeGNm!zbIR!YPoKr~j%(>Prv94#aGt0JQ(5nvXy*8trFa&xJ9eRDIsZ`6ZT>Ng zJ8#|a$CaM@4_=957>qCcUR3Cc@#a#xXD5Hhb@LS+-=ll+``+KP*9rdKec(L~-s9nY zAG{|_zIMjMtG;2K`Pm_p=FXmMeaki2%6uN;bN+er&wRW8u?+5i%(werSN-Jm)(^|h zx-jMM1vjkZzW3t~mK7gN06y%*`TY3flJ%YZjsE6D{QudZ)|AjJ>)H{Yzx?x``?NLs zE91vqc>WgyRbRCx&9%;%IAg}FkR6&a`Kqh0p8lE8tSi5ez2C9C?tss~a0#lVQW;7E z`gM`Vj12qA8K;tsFG##XBI=D0) zJRKOeOXc#lz_0^KvZjL+O$V2zgA`52{GN{dej53;kl)g>qL%{0R;gN88W{G1%K00C zVY^i>_XURSS2d&QAXU@BrRgAF)AcyC%D?DN%p_PRtQ-D1h>fOS$w_hf6n`4uBcMf! z+065ov7P5PvZ3cMm6q1)-PqFI(9)2DIX!+K#P%$WTv`1!_)(BBWQ6VVx*axtLl;`zGC|q<>bsZXyU6b4!`AcXYj}Bk87;|W@If5Q zgy@r{4?rSI2Bn2emJD@v4pv{MVB&T%e#fY2*y@|gPCZn9XjM&fdBdMeZ$d$F?egl% z#dEN*xhjD>k++pEzG^3Klg78RAK#5Rk&RLBmGb!q9FY2NEJ43SKSZsEinkm%bf`^# z9R7QRB6ie6@(y<|m5k+d&Whzx_NbPzs(hdx*i&(lIwV~=Bwaa;O4QVx+(qd%7P_n@{(u2D@n3 zljq)4)&t72vgXx_hSPSttnAqV9qS?JM-^_kYus*C>|1J4O&0Y+`$A`;@LbcsV*X~V z!Mj(?KZqBQ{vXio^7*fqW6YXThPMC7e&`V#BT=Hc3fRjVzEjFEt+HXjWr(e87&25OevgRnL3yts@C6Axo8C82h*DzAboQJOuDZr^I!cN1yuimsuqM~=v7QOO z$j3&cx(RqJN(h3b#wS3q@7TEB*zFCrsoKpBC}iLhTdr zQmB2og-TO=oR4Qf17yPk5GNUzc1dqW65E*Z*ZE-e=sL>gUL_~FMpiQ8GAvO=1q=c!y$j1hjXC)tiYEdz1moxx7y`ANG zn~$w5l&Yg_p_F1sq0+g9daXV2P_Yp{v`aqms)e(KQfe)QLI-y1*{ekAHTbm#WG$_F zE5Mq)6=+Sc!B91WIo^qUOlqX-0A0_)HEkCk2jLApiO2M%AP=Fgr?VldSHf4lkrJe% zr=_E(rK6|O(Sb@pYdkqLfDcy~@Kq@)9(tZ>NKH{^CQ;zDwM>l~8hRa%>95jt06f!K z`PFa0RgJ=>i63d;2NDh>_^jB8h9gWMF^s!-p_^;z`@xD*mHDSp*QT|iMPG+wdV<2A zK{(11@K;kMs|gtZqBMahO(04Gh#(B?3-e-b8bifDp!E&f_TbBzrerWU?@oJli$3AiQUa2VW=lbe#53Dy}z zyo@3wU*O~L@3S2!4p$An)R3OXf|=<@2{o)hvp(;>7LEoRq22)?arOD$7jQ z>h4A^IfuCVBUQuJpmNbK(I~oiVh^`@I9PRI3#nRFt9p779*Se};71Fh5;+rLBK|Pi z1a#=|oPEGQozv>=bU|sGmmz=dA<*th`h_&DG)TTS^;D&Q;a8XyX5P~3;LiVr%)c}< zOGBFZ+u7*!vF0$D0rRP4U8=uA^8a3_CaWSdO$-m6{bi|!q24yUUbi90xi*@=Jt~DJ zI&iA^K~5F>S2cV^O%*?sf2z1d)(@}WL?x};l8EoWCN`<|(t*ExexImT)Utr@gJ{SwsV!Fp?k|Kj5avw#0Q$!x3$QcxQZ33*X z`S1W`Q+m*iI}n$`Kz%wGt(3Nb?= z<|Q;fi0~lEzDY8s8Dg3tQZRuKWrwZ}GVxC`@meUQjpy~H!PvRAm!6H3Et%G}oRCeO z>$mu*bTs~Ga!YLK1mA1%;pr9eza)3WmR{sb#s{Xi#DAKM#v5ks>>W?dTHQb1&=RGz zGvfo&JL2C@u81$1wX1i04;E7KMJ+4bqF!~2dLtuh(X5?4DC#88i>R|Rq8euH>OoN_ zA(a)#d1)ygKnE1{8!QSY3BmY~^qTnZl6zxIt9<+7gVO8c_a+a;mX7fqLJF@Uvulvq zH+#o-%v!_Dt}&TSBD3p}+1&+e%#mtH*W>$%6n6wOda%D1%RNSJ{sKSh>SCK0v z3RSM_301Dzc0gK*LfLhOQFhdx)EnwBh}vUyq6#gP`#DshZsI}db*MsJp99ldk=gag ztf?my&SdrtWHyS-8dX61xkbH!D$I!5i_9ufsB&FTsB)88B??-lRRLPX`O_?}{B++& zJ)l<%Poq~1NuyT`N{>&(0;4AFiUo#DItbUaM!2Ru7Yp>6{!cur_aSWh%Xm~Tji=H@ z@jYquo*ilQo~>#2o=MNft0x_dr=~T=cYv*N2-${IzZg$Ve>tA2UK+b%_}Eq}wt4v2 z6~khq`;1*_@wsML?218ScO!hz*!6Ia8oLheQDdXSP`l?)L4kaz*Xu<=D^bw{)99uH z(&(ne>1(4XL3tw9IB?S1SfF?kvOI9wR=B3M#sbyTx5XN(t5+k8Ss7UU8v3pkUztDsZKi|u%Ea$bgKUicH> z0X)qMUt;4C&hYd>Iy;gVTk);Q%TUN1p0gnR5~g!G)5-D-N}duQo;(jYmmF)yo03yp z>6{Ab=ac7)w{)KZ@`cZgP`u&+cy?SPV^l^x``K-f8e@OBU3WA0`mf*Yd z{2+fn5SDr2$H{`b1=!FH4{>6w^7lFBk6x+@Ua0&Fkw0Gd+SU5;=C4mu(t)1eVNr6| z^NaldRWg+h|9~R=3r|w{x8YHmhu@)Yc${A3pD*N}^~(?Hj&%OFChw9I;>pK?OzEAM z2O@qZBGci=Dbl}?=TxY_c&YZ0^3hBE#S8iaux;kf^t)ZYLCL!$#o@{CMws%EFE85n zXOhIc@GVSY_9&D+3WsW2eh>RNz3e;8L5i!g_Gi`cx3BTqU=4o6HqR}4*2iaaUp`+d z;q#TE_$$c`@t3YX*fajh)$4o4o0HGSpG~&JHcu@Zh#K~l#9L=uD zF(og_k$;A!DcLqiyR2;=(XOG}`f8WGt%r7v+l>!$*VG)hdl_p8X6U-jVfB*(vA{4) z%UVOdDhIz@QP)xuKfq!n8)HA8TlVQwi}*VER3BfZr}pLRbElS|g5JO)sH6&aT%6u= zg-Z+b>}s3(H^P++A8Pbp%Go#mQu0;hETUvrB1nMg)GUjyxVoul{MoBhJ>%n(&wzJT z%Ng-q$oSk)ua1+?j34YhXixtF{#qwWId%ry|BNC&Q9wLDA$oC^6psW!23}L5G9^xx zYjLVvi!;M8F1C4Q*(lK(xcn=6iU2Dsz{(1+vH~n6U{~^=Ow|^qp;@M(S*D>`rlFZs zhvrSy&I+)z0_>~+J1133QXQ9N8kc1nmt`6!OtHq9sCwj8y3jSjELSkg70hx4O{|ZgU0u z18{~{-=YVcfWIEGyXPjme_-1`5AvAf(vr%N&(^%o9*vH3AmoROR6I7|gX&3BmoJa< z=mgGJ;k(3bMX{wbeJ{o~O>J5oZ=JOh=yG*ycjW6SI1YLoyOJv@uqI|icA57)7z8rO zb(+$7mK#x|JO@IT1K?Pw@MUo1mMj+NmE4Qs@q`452lEt*H!-JpFI~OMLh+uCZJOyD zB-H{B0;FVs&S$Y0oZ9pP0Cu-Uq>XKwsObp1uOwfVlxrd`xgCjQ5p??@x4rQ92?%%} z5ag9MxzE;&ZV1WgQ_QI#yR-^&8rw8}1GvLqa#v=7ES9VO3uGDEbr!qpEaSS)66`w5 zj4rd>>_ACOQ+1tt3AkNcuPE)y+onxy)0-obTo`-wNc4T^vwr+3MV%WOf=HOP=FV8L z1jFF^r}0Q*fjT(d6bqb&g*!*a!O3UirzKyCpClRv9ho$2!;09X!5f~9O*(DEOR-5O zQF%gNu^6$E5o;LnG9xx2;!8u@k9cC*xF{?gnUQG87- zP!kK(!~!*Kiq8dB%ne^$g2!bR9#e*z`44``mw3u!NEMCSx>waNt!Uiz1?+c!0X2Sh z9Jd-lCI?9iK|^T7~kuH|+AdB>tYj-*OxExeb52@OJ=G zmtndvIKCn|EZ&$L86TM}ieDF+h+cfbhSy_DD>l3pTN>E#cI@1d8-TFs7$ebN^F;1S zKg~$=%si3J>E{`VKA0!+mGlNiqPOLVL8D(Q9cGFS$@!)WntmNog3e(2Xi*HA zPvE1J?L{@;4@?Mr-90|J^y#AV`mHz$L20m!N3-fR3hFfqD)qkjt`?2O{eWC!&VNG^oS#&$C)8^>U!Z&v%D)nS z&*5(a{nIm3KKL!n)E+XYx9lTCNMtg(?@w-s^xW9+;rw1v0hjiUbo>zd)v8y28PP zE>R%UVBI=kLU$>U=``JxU_w_akm)4d?$?DLVJjBQ*H`Na`1Al&XuCZUQRy_XotxOs zO>E~TwsRBPxry!E#CC344yEx!X)Y;&)?98uZLS;&y$RXuzT?<^gY3RDa2g7|=LGx# zh7S;i4*-VoxXQ+3&Nw{g1=*u#_!o_lLqu-Xm3}=<6xcK|bQP1L4Hf9uc%on9iGGbI z`Zb>D*Lb2|oIlUud;^E`Ekc9(>68Yw*C`F^wo@9^e5W*MmriNWYMs$URGW56rdqsHGU@{o z#UL~ZgAgjSiIv&J%4}j~Hf@1I{}1)K1k)_otp_JB8H$M(4BjUtucQutfht^r2h82q zg)bh82khk6g{O>zeg!dZ1Y17c$Q3Ba?OR2zcKkXiWEbMo<@P5M|n1&I9o76O-#f#SCl;u3qwWO1|OeK!}3s3wxtBU z=IKI|4?Yd2uR9IxtE~*XaQY}Q6Y9YEZ?Os5~!|M4Z zS|(qIqZM{aXjp4VrZQBVNMT*_LFtm4=lWNRS!!7c1V)kLPe?a~<4UY;IAMf~iB8y-y_PO4SI~9o!ukaL7Y3tTQ5|(zSQO*f+zG;(7i^w|^I_;??e{;^U7m(rC%4mV zkxHd1bge6Zqf2Ve6uPFuJx-pOp20nX&m}Tk(4l5TQ=67hzo1he0(O7UOaajD zOQEY3iEXvpaI)G#9M*`&UhW42drHt%}Y_aUPD?zN!eXb3T<~-Nd>!}6jbAI zlF~+@F4p0Xl;#~)f}*QkZL}Xf2n|2X5=PlMx}4zZ+ypyS$0n-d%?YM8H+;OiLtuZq z6}GQ;-rqJzf0G_4)xka)Wj5)M{BD}rq_P0JvKWUJA{rZd%047^p>5q^8#-rp_X=DB z(Vn5GwNOJ*%YO|;Ii{}bLU%7=gTRu|#teqINC$D!qV4cSJK&RcZ-+0T_}-CWYLLe; zrLJ*5vlAfW_j7P0eG#@-M2!YPPMuSJZFj&L=ip zqwT1^GGfs>?J;7-8s~<)9ljCkP98)#Oe0n-FgMfSd@6CF=D|JJ`;2K{~EEN zO+HoxM$Tj2h*hxBOTkEi<$+Nxib^QB{GeBGQ@H$ul7B>vaLR^Wm=$gz7Chziy;isk zh~dbH2C;W;iQ6ESI1a}33dG=$>Sc%mF<9$ZA?V$H%oeiNI#}Tih>5-AaO`u}Vk`W= z_PHE;Ar>#4S<8Z0+H^)!fSI5R#(+o!8c;x@N{2elTeL7~O8+{QmQd2(UE87iuJnwZ zFrPg!dwz)qXsdfh!P~cA{MUZiu}u;y{En2M>&6$cpW2;E?V5o`q{0HxQC@}S2y}7G zWxd9rW6XYdEJMbF0vR6r7fhA!y>0Ua931}Vt3pK%4q^K5gKX&-N8zigecWl5}Y z{QAv!q<6*|E7JR8fk1j4&nV$rpp(+ueNzfQr`_E!OQt7RD0Nc0TSZ|ym8GUhoynrAp(dKxa7}EuCN`Wtr-g=VLc@hW zjz667Y2_IooY>;l<`f%`t8gGZt9~83^m$9~{a#*wH_v@wUcdMLFs~oQ$@vGXUd}%p z$;tWW^`l$)vChi;!JqpthnshP=LUc{CxFcE01@U25WkB;`LhAqp9wI26Oi%ifUI8y zxcm~}_A?;IkAPhNA+P@s4mwv2TVFM7O9g&&%fIM*5K+0fZ{_0g#TAV$Csr)ywT-x5 zaSSf1SzfVk6Mjezzd0xVeVeQN54>Gb^h8D97ZD(L^@5=2iSoKNpk5i26nL@PW>6k-aMX zXy&lJRk-Z8sIkibi#K{!G;Zx#>3?W0syS7DXa&yb)Vx+zw7shD?xS7=z2A1xSIrG^ zfeUb$&ZgD80UyGZ*KJMUhbAiP$5`d{6HZ?&gU%oe(Zl)hFYH!EJK{kH#rEH@=VW|! zgj=oNz&wYS%bm6xH(LZs_?&3*a*DTcfx%>6WDy=?^Eo+Kv3x1-vBCuxF$5%eiN*-u zpdAo^n;Z~^n;;SpiQ6ggxh)>g<1(rwZ*Fmu-<6lV2gz|M70J)`Z|M$!XZxc)<+TN} zazuPPuZVV2{B&M&Pl~;BQtV!FXr+HqKWGY)E`CZb>q?_C{OgM^qcqeBsv$hNq^dr; zZMqnR4*FQf3#Q^+6RY(H>Vhw+zz`}>ZvBu8N_hQ8Xf^)cLXzUZO;S@c9=uG98aDfunqRBUZcU;X4^L zW*nZO;^AcDeL=k0hnFGgN~iW~C;Xd@P3_AL66^aq|%G5~18DGJ&|B2!YIZ zD4q$##Y+g}jfwkxX*+5WvMY>f)ztx#wCcc`!x zDr|>@wdtFgmMq>Zw}Q2&QC%HGknwk>fzk-=SMiZkInk&mU5dS3z^i7 zO+gaOL$bVLEXixJ;J_oz%b-9PzJ_$XRSD1V3^3ls5d!bWI6#p5u84L##w8G>JcU2r zW(NlzDG0g6A&EcyfabxMz6^lK$H_yfQT2XowTcMcmC%mIcESOP_{cWNyUXA}d27c( z+>KGv_`|=_OyL_744_yt>2KUK-?q1Kq;0+#7bMCr6<^j*W;Ibz`fvOcF8no9oEtxd z8BlrMLEC@hW^iDTEiT&4HV$P*WfWVQBt7U7#vsMXLEH;jUjGtw0~6TqLg;zj`X7H@ zzpo#E3`}8h+6xCQO3X-2Y{vv_`kTnQ8Fv#XUdI!#fqBV2)1i(hUm9)x@VrY_^GWCSGXo>LA&MT&eOD zQd6k$^hxXUSv^A(;FXSB=E?NQ zc{9!BMcy*5!c|>tgbvH-86qq2s|*Y7#wQ&a=2kX`g$6y`0Ow5x(Ic)*|F`$2Xx5xV%&Ka@>CFPws|- zy2+nvQB{&l&J=NRt&rziUgY%h`?QDxd-?dhQi61fq682&8KKf)sEL# z!geN1Ign2SRUS*#$t-QgQgwp%snNiveQGp#lS$>ZRS6(s+@W`G;S!4 zyi*`IzAn~MG;ko@e`V5@>&V+6^2l~LGea2PsB)n%!$SXLCU+6vVyo zi0Vvr-q?~~*}SUL@o4j;mf}?eJ&Na1ojL7rcvZ(U=434*sBO0rjn(oBSE9EztCD*; zyh`L5gV^*F#&y*m!`5n}Q@83I6s}WtI~-n}QhCmrwnV46!ZHKrf*KgB^fK_+S_8@$ zKUJ-T2M*nYHu9(Q8m;=PxV%Hx{#S&r?a;MRMdS`$Y@Gj8qZQS4@;D5UQ8h%Wm%8S$ z?qJER)3Hv%)zP6-Fq2(|p|uC^F~gb(Rv6iQ2+5W3u@>9}9(qy?QmY^c#JKQm_9^(; zJ&c)GA1nfrS*O4n^#*51j@ zV>afxf$>%KeXHun_Y7Q)A7sY0B>y{MH`*{%-1;x7zuJkD%};n<$KP9O6O^-=C;3>d zw?pCN4^O0r4BaT0h##MTZ}>;)%gl&Cl*+$Fx{}FdCoG*==)RqoTn{+yZ;`sEDqqtg za+fQ5v}rp}>6MpU4>j%EY24$>t4*qm1+H#>ke6H!E$vNDa;Jf_wTJ@OjDzx$dup}g zQT#Y9qQF}H(*{)~x#XT&^^D)1QG1CNQDCj&q8U-NTyjsXdd6$n>i%*HjM%eCte1D6 zb?QA}wR*pXIQ;5Kni~sgZU^8;r|?L!7mPYtCyF0+Szr7=^yF-hSE15ig@-l$U)X6O znpSrEU}e9{#GbB!^(g?W-vDc;^Uu!be%V=2m**k=5SuI1jPk*S!C^akIO{X?CWBsR z9?GG&!-M7>$1dsU{6@v%@gvHMGG{n&oTKeAj_b>_dmJ}hdx|pLed6VO$2c^^p#)sH z3Bnn?QuxLqt>c3~L6aVI0i@8!-v~+%8m)Z-eS?P6hj{?a?wKPYbmu#9U~rJ6<3JQD ze&Qvvr#Is7-8gQ526}JK7f4}VT6Z)H1EbmzJsgmCm6dOKnAcjLXW5)>_0=yP&5An0 zTl||}IGTldS6bb>4q~f&#s_LgAzS=1j=cYEsiJ{*u9bJ*b;U3uBuYG_UzE4qZ81Qsfxlnty@aYGkbQ z-FMeMIX27R#sGOE#o_&{C48fg-5Ajh*?mWPQTRP8ndOZY^2*5a^4zC@gIQW!FaEJCOli)`BP?q)& zuVqKm?C%GfL1m_7H2rQ3DwW+nRN3!xnW(&H<4dQr9~pqYwg%PqE{~?2PqSDl|3T;1 zKK5)!mD=T*q~0~h5xm1YLHVAkoM_bXt2-(@NZ!@Mc*pwSMuQK3yjISzxnQBw-r9L5 zI{dW?GsS~-w`@NkZ8z|v&&WIPsC&GM%RB0BUnP8PN8M*tglE(RT-R_?k0*wq(C4Wf zyE!18Mem#v`uEWVaa*$03uHk-GXpS6YQxsfHgdnHA4X(BW_Iq}m4Z|W&n#oAc z@iBK~ZGIU?%{Y=X3h#nWyqS?)@pN|JZN8jz!?@0S+cAXm47VApZ@G}?-*8TC(R%;F z^Lgq`k(q)0#*ctW9e%qIGXRX{#oeD~D`!V_RJ=a?b}3`fUXz2zl4@gobMN{sdJ35= z+=%x1yyPBpPuqhR?iBmw6+t6f-Y*+sEAwU0lcJhjn=c!>A4~NuP;wB4AOX60X=+Ql z_?Z>*&V_*H>w77kdQf7sI;9K_uXDEdBzv|#ZP!XNgsC}S3w@$)d{)mmmMX!cbR{a| zP()0166if0pRH_sQp)Ke_ozTyrE^Yp zwcFh;%1iF4YfpDWitf7ptQJvVU2lFuWiXfAQ`aiR%whP<82usBv3{gXt$k`JE#FDM zud9gM9)}So?}E1N0gyZ={gyY{96I!Yzh(>PqB$V!jxz`Cbl#kk9~`6AVZSp}9q6^( zY1*gybwB!C{hDq$?02jvoZ7a_8CA|;9TYyQBx3odAC1;B5ALlz(TG#_A7wDoC2;ax$CHJ&$$B?pd zsj9pJTX#uba!>1eAjQ+V)mlVubG6&Lr{pE~w601qbF44}VrRmr;koF_aIwr7uIldI}RSe!(H8Nd`ui5u~xncIGLsdnos=?{1dQjGbqlh28Cf74{oZVpR zIJ|+>E9#O(HO&?EJduPL@xE2rFzTC+V>Q;enK-=u`cwIxY|FtZRsMM?JkI`Ly69Lr z$)RhdV)4wORf_{7D(m?>Dc$`Gm7-_1Wsj=Ha37e5WSS>qrxl+B_{-~`@-J+pt~bm+ zA&*AXp~0Kc2%8_xZG>a6{{Q1n(me2Y4ggr}@vsbf<7sfbj=#JoX=c(A6nYi?DLv>_ zGQy|M)vQxu^jGi*e%tII=NbVV#pPLGaj?s~Bp;TS+%uqeJY73MizskFfBbLx#(&R% z-tlzpCt5^-1A0|na?gOSQZxfP>MLgw{7EgMz-iL@M^qVe$vw5&@iggSEuz3$otl^2 zQ>z_Mlg4Th1=i}mhgBJK$vw5|nI`3&q`89v@Ilvi)qB7V>irtRGAC)4p#!MnG_SEw zj9Q};1;P3OdxRl;5k|IfjcjaoLo+oWw;yuf!SNH^AC4dCNrj5{{1v~uxwQ7u)A%Fy zff7C^TKKj1LFXW0V`jYJBAhRQheN6VhWd}P>W!Z|-<(5ui@1`_LJSvS64@^sm zk(sgUj*D+yKX4pGqedp+hhQd*jrNNz8#p%6kC%d6!b%*rqOx266Ds?C{e)xT7^}J0$9FbH1;nz54*rXQuA!~z4;`}lZ+kF8LjM`>Tj`!5MZ zoq<2%wX#P_6EiCz>Z561f>-^6dcH&YMG7hibtR`?pb`Z_`vhA#;W9-vBry%%}Uix zE+55L5AirIHKBz4@kg=Nj<1@v7v3uTw#=jWmNdS0)}G$DYY7)Dk$)QkwFYZRq2if; z&R@>1?nS!mrQ^a^cDwKd9HIUC2`BQjZ`-QqptvV>P~)tL9+{dri8TSQu8EUa6Y%Of zK;OsZC8iEkD{LNvOG{#-2l?0cjEye#AL<>$RaScuGQ__IA$@RarNc(rd=V})iH#o4 zpK=~O0Owg0p2QTk2+p|m>!d&BulM}*sN1k0Rm#?1SKF`)>cvLHiS4hSppI-eR1D23 zT&9{8Ae(9~KK_qgDYEpN4%)lZE|sl^4%gCgMB580O^R`DH4`P?<4*sjQ2}zJ!!68rzJN28>;Sl<<_4WEk6% z{H_Js_}b*}ZN7&mzZ>KmDM@@fe2c`V!w*ROyzniIKg!j|i45m137NY@QK*5K$4K=t z^Qq(w5x$#}zl`!dDtSYKZ&sgr-zf3v@UJ9(9`0^IIInEM1cFz#@P&CC!vH!+5xqq#8+i`^pH?H+9bvJHdBA9@b{|>61oq%9w@eo7wd<@Wi zZv?Gou5Ni{Cw>#&zwl-R9b4aS<;-9I{M!QO$lvl3dgreil+>7(lg2nNYkPC#9$rFk z8o6_1xxWHC#O8CkMW^Tq^Uv)?~@xQaE;}#Xl1v4 zmHqx#&&k`JC3ZA0snMpZqdb7w=?-AlNq2PS45PLnNq(xgU1nM_q2islsM)n6A_l%IMDy+z5< zw459+5Y_^UGSW-vEsB{7${;VR2&^1pllu6EpCYVW25@4J>eBOej3B#n2-n`n0=o$J z_Q16E1`EQvI zh0VDq?LAac-iy{ei=7!$jWxf*JMUEEVaBwXYH)OHXN){0z9)&_e_flzZyOI!o)^Rj zaw`7td$H*-ei(UP`21i;Ad!1_fj(2+d^yf5b9DG5bJGrTq-0g9m#2V{d88ef{!0Xv zoU<6cmmvmA@RkWz4yO1xvH?@d>l%+g_HczuVWY(3f9cW9_LR89OXyW%;7Ue`yXSPq zJ@+z=0y^Vwy@cM*h%{uDEx3{cD&G^<0?bI|UP3RZTkVeJ=sBrXlZbJ)> z9)IlPC>C=!-vi9ayO^87n7jykF=O%|Y`g27Q?S;#*uv;D2W!UU#Rg$7A;MlmguMg^ z+b%w<)e_b)f`VAXM2Uu2!zB35u9j|zDE|XdzOjZ$;N1yw3vOa5K=@Q=TAT01Hz-8z z8F!&)jVcNVaf`V;LcWBz|*o4<5qg^33 z%Jxh~&;3kgHK!`y!?{XF*54yoMeW<1x?pVrh-Iuzd5o80Z8Bh5fPwPbyG+%O<2Bo2 ztnI)YcjT8cP+RLgs{ePQqCXf&{vLAO=`WdH9c_BkI`Cr&7tLt$vc96hB0|Z(Ef~R zGlCj(D9xVl-1zx!*&jO^sX2~fHFa3l#!g0RhpK`5;rPOLtD-0etyv$#rl2KOVeA%S zqtL=eA^f2j2Ci5vP#cQ1yvP%2_<^A(XPv?;9^$P@{-S2)PKVg$+Og5TjED8Fc`Y_a z!Ol%YZW+FgKUttXNm;8gtPffDLry$vLmT)ox2ohU4dw_%0rSftUPABuGG}R!Gf)12 zuof^+UU6q9^W^rIIKLOx0?IMjOXw{}&OAA%9AENguRRk`k(aQ;`M&IwUkNK98fGaH zT#4THD*7V!cSog{avHLdE9}j&z<_j8G*9--Pevkb_RM2fTr{>(OzN+Qk$r_2*_&lA z{rzYLsF&qmFiteG#d6&sa#Zc-mEA7JX6a>m_&tiV$PPOvrj@Uti>*R$UB&(cM`$|& zUTFR$8qaiG|AKok7O?XkE43SMO`ZY}Ih6+jdGZw?GP1FV0CGF`#XAI$AABDa1Jc89 z;X8XGLG2TuBFs?(vGU|Q!SX>c7IcDT)$JZaZ@+9GU;Zep1>nn6FQKqw|T0dyk4UP>Pnp``WY-0z{%oyUuqd}5061EHo}MegYN<9L4W33@BDdtH2kuaZhE$Bfjx?B{~inM zSxes2tR9io3p78odN~3M-CJ&XPpjaatTkibeNVG`L|O}&o@uSaTx-fK@W-&oqEiiw zG~k_g1$P5u@~+^fGbZl}?kkLGvw~BHRAN`)*a|Rg3=ganuOIaUX=}r^zABu)d`X%D zvj?1Aq5bnzSSl~K2!00y_B@A0ih0Zh*3%%Yrw=(qTO1RK@I8;GUD7a};_+9B!2uD* z5MWznrs_EkQk;A&ig+&25`4pyDhoE4QZ3A0AyMuYg*-8x;{AZc!<5SS*cB7T?$5JR zP83{@T`-$7;Q1}`!e^c0JLn)G{|(;|bT#KXMgNMH_m7{>iw$- z`5UCjdQT142=s(BY;WPj29aCIKH~)O_(1Q!VGTZ@VT^d*>aSuz?!RH$han$k-5)MS zV;qiIH$le3GwY)97csLmqK>DSe-DiR?#=IMR*wj39AS*Vzy3X~f_H-PiJRWjtR9ip zIszE)?pvuF-_t61C$06_cCuPtmn;F$;SLL5^ID)-_InEX{cZr*x*Jf)!vU~UndIRC z7;?m;N=sZ{aJuV#5wp|@rgg9d5c_vI^Ip3se>uB)*ed^7?O2{u+LhfdffeWS|I;Vl zKd~@>t>>@BWAMcLB{=YYxjye6F5tZT2kW|0U{RY6dsio)ko?~~?~cpK77aNl6+Lj# ze7y564Zg*gyi0=%7?XEta28|QEDg-&jtfFNXtX20E9yp)_cUQ{$owDP(ZWLP-8#aq z&aPv*!z1keTQ=eh`~OMp(z6pDu{X!|ukW2*6yEr{``G@2s4K1mzgLT1nw>`B_~jvn z7@MXx-W{#_mGw)UGAhArgkEWPeuXS4hl0~Y>eJI>kFJth(u1Giab8}oTY;|3y|GKL z!8`A?&t^=UX=o*dMav##dzngg>6 zY_vak3B8SmG%}6Wn~OLB#59)70*Ldut%gGa6_AsEg?t8M@XuqY|-4KivT+GR1I|z3;5m+U-@-euvGy^>LK*b6x*NOKPs#ROweX~3B41voY{TO1Z}*q7BH(W@e+C`XzkCc_uwA2g6itGUP5nO z<;<#cCbQoY)&lCP+)L=KtM(_eLxi<}y4rH3XV&YjtDMQK91AmtUhBb%g7ultH|Dc* z`Ft8ot$N%;6b^M=8R9@#x$94SQ{lDq> zzg16n{NMZD-@DHVeqYgX-MSYa-=k+QuV00GsvyVf^Bp?W{+}vTmci>+G1;Pb<~NjH zy4>(=dWTN!_`i$F>$e6jtf)_v*KJ9Z&wt%_BBqk?DOW}PX1a#rjBouGy3`mr@ObW? zr9;Q#@4T>Me;IAYl&%)%)Qn-(wV?#htz?Md#2xCY7S_ z1l$?n_J>43_fkl%EVb~wu+#?CH%fzeE-ZDJ``Yk#N+Zf~dudcTeo~sCBOSUSDy2^K zE{!*(ZZCBhT9aBDuW8)`X$wnzEF;KHlwzcq$Xd`v6x~YD;R8L;N&SFshM}|Lt3Vf3 zbZbEOrqJ11-jjwd7>|Q4q3B))-2tHslCC!F1W8vLzA1`#tZ{fMidaWlxHi1RVawKr z?@ZtwYaE1ZBhp4Q#~Ozy%7}OdrB)#3CLebG<9k#@kZ!bRRK4%BaL-4qaX>0Y5e_f? zU<0f7!!}Nu#~O=MPcSkfo<52a2qQ7L*f)Gr5FR5xN_Q%xD=;;4=W+2=3hlIK=3B>s z<~yYhOT1_1uA+Etsxe;M$`2oPHEQZI)b*a3dlY%ZMZN;$%|b4`1=Uq=@iHuSCH1~9fp@0rZJggn!mYB63kX@_&ytZa+%^rxIssh_<+104&t3DZd5$FxE6konK4pa2Od-01l{S-SPPHy zuEpby)l3_Jc)IFqzqAzq{{Bw&erTt9KUS^*(IFiGk-s{E_Z>qC2>`^K1RBD)KLg6` zP^bpQ1l<5dsTH(jgp3*#1*SD91}Q*;B5@{zTbA_xa3rWfG3o+EOM{}LK{4S1McW06 z5f>=>fP)#~!FLXd2`PD}pg2N`(K#qCF?5}P;xae<mOV}!yrKKe)q zd<^o z3mNirM}wk7C+GnxipSQlNYCFR1{WoYz(X-Vw^0B(?vH3_RMEghhW;t29eyK&belIu7@= zBOyzJs6;u(9*Ro26UY}G_uB?XCA$&&SZ*H?6pp_K4V0>qiVs*SKFfe9eTyB9rV^E) zCmlN1BA#*$e(P$Dr+N*3kFD`kufhMQ*WiECYw!hvhQL$32ESFW!GFXxIFlG{sZ=Qz zvrNf#!eFXxFg4=FR39P8U}}&aOf{vH1g9+8Sq4*s22-PMOtlQAItEh{ZcMe^m>O|o zs?SV1C9}bIj;RTjp>s?va8jDT0YguhiU;eW&>yuhn1@EW0b1Ft@!Dxmkapn=z@8(uAMhv|Ah@;#KV(ZjV1q5EB241Zkcy)5%HIW0awi{j}23~y{NAC~jz-!dN zt7YKT$${5I4!qhq@EUQ$s}G3u?>=P>8hDN7z^i58)iLmz$bnZo2VNsN@ahAQW~Qt` z1Fum7uT~DcItE@7243wPc#Y)1s}C3|%YNzQK{vcck5PEF47@ry@R~62Y8!Zs z0M$%cgE{aTb;GL#5W=o{wAAN&1RV#P?5|YRZz`{Q-GXXTJ#UH<3{#;c4pA=^y3;1c zr6vZ0@zm6B2IG4sK4>v!&(w$IT|LoB&|f|ECV5YuxFkZ3$y4u?chjUN;!V?@iLagX zVtnnijX04wX%imPw&Nq1NxSiwb`Y&IeG4Adug4l|rtiU{Iu#34Pk#cB>Stns$tvtlIxUj{duuvH6xyq@w7fc!c>U+ilLiGf%g&$WBUb_ zmPH&1pL(CXp=&ndp=c9*Bq^D@`kS2 zjEAnt8@lEr-45iHZ|GW7-c#?CckR2NYmcy2vikOjC0?U)kJ$8PwC<6h#AX#wVzY`T zv025V_plTXmE=}D@n#iIyjjJg*QI#k%_^RFvx*0A8^x1cdlip_P&^xtn|w;)mPEDU zIp6@iMIu`9W`6pwXD#gjJ_FF`**PTogY@obf0*~p;cMYZBNR3Ly{L`pvO zK6yj&f?Dz94aKua2gQ>&6fdC_Pu}m2;vola#S?E<@#u9ap2TJqPhzu*C$U+@qxY~B z4~2Fso_Mp0C*G{$v4*@LhLp?eVipHSj7}liwnK}f&=WdtbD$t}{Me?>HP%kNB8cbI zZ{b-p@lTe-)=d4oI0DrZ>khC+1IQdEkr_B2krXpy z=Oahw?Dr)Ne%7KQpjY5ip3h5K| zgF-3?8a8Sal8z&;kd{%%gmx&)7!@+e7NkNtMj@4h`8EnEjz;F2#Es0iIGAtcnEGQn zu*rMmXK{}>(qv{P_eey%8Gwt@>rzOG%_<~Uh%SYs*QJp39uC0CGBi7-i%2S2g%odA zAtlkwl+MRxs!Jion^j0ITRmtP6aij^Bp(`Zv@J;E(|UMY)F`B56f$BIQaRADL8Fl3 zph8+kA(aCSn=lGV#}QXZ+bE<@kPQeK)s7!K)F>)s#3-b4FyBTY#X*I%ME#(U%E5da zg{0$MQb=jCtU`)6tB~}%6jEZd3dzO0OCjlXDI~pzrH~>vi;&{YDx`R`3JGr;9YYvL zTq;u$AAfM9B5Okx5~juhgkNBzaYFN>I(B@J-g;H*wV}HO^bqnrA5j$azZR`S$PX=q z#H-dOz!1L22O~v%%-U@Tzz#`qY6nAqLt{pK)Y=4MBy33L*@ z19S(oVuGX_0x`plm{D2`7=(_3-_8nl$S??khZw=bjo?vQFgS&QNnwd>avV{duYgl! z6lv-dM(Gs5DGaI%QN^$w3@XQ9(1J&~1t%2UX3(jOg3cwz2SW~W{5qmtxv^B}R#jW@ zum$Eveai6%TenGlLWeveV;yL|C-{L@n(t_uA6f(ngw#iL$lbOM`CioBk`B{s(~>ka zbvQWNkBqYt3lWfJ)P7`Wmu!6X-n6rRq*aw;)z z4m_w{*cTeBQo6U)q}W@=q;zkoPO-O)O6lG*ImO;GJf(Zfgp}?rLsHUP(3}ZKhvE-R zy{7U{hvc6QQ9wFG0pS2)>pfIJaaha`yH-#&$X0OffS5gynTp?wDjAsC8vote?ehN1 z+7@{~3Ke4by$BzW+JX2MdH)6B^xq4ApVS_Nzb@~4@h--95kuCli~j{O2c??gkAj!) zIB5A^1scAGuU(C}=J=4*TEs!)@m>WQzDKQn5@Bd29Isx5IKIcMjl$g=AC-#Zy`Q?f zfZYX-)&&kr_0!g!sO{E2+N$ouf0WQvYPpd36m8frg>Ggi!kVD<<_NjJ-`a}CY5g0U z5e(tKF%;3MCxyn+?3$}KbgNI|t6Oi4lD$tWez#eqC*Ic!s zA6XJVx%Ed0vKP1FXIpB+H`9YDeClO9T7MMOT$;ExbdN3Z6I$=_Nj4{>Hsd0N)_WXH zsN>O7W$;EF{UKqxwWG)WM|_+GA?kY(-DT%nI^>5@)2(eCa(BXX>!1$#wNJ)=K(>Pr zs9QqxDvJEH?dS=Hwh!4p7>l6@okBKk%}}bsA=@UyVL^6KaTX5Qj$-H(vLlMFJ;;u# zXb)s3RH%Y%pV-jRwlWQ4+eUPo)Z1(mggg?}A>Rw?R+^vCAwP6tF8n54kG06@H>e17yM@Nq@P(V z=a{ws8Tjq6c*Jj;r84-zb40j--$8O4{AQby?r#ju;y00q z!I}&B9Tj$9vqN@+-!|C;Oh(uZe*08T!1x23r>G4R_b@j&dT za%lXvHKC68%(C04q-WmURzp2A@wN(E8_JoRx7FXavvsdVqc%PBcifhg(!;}`RAzX< zGV2$mJbaV`DhT~;Dfi6tgNiWOjP4jzL`;x$1%iqQcF54x;X#s$D9(b02T3Zb7&;mr zL~ugUetB~06uubNBXY>Fm86JRW5y2)d$#UoT&>&lAfN@bx zBfgV_p`(FE@@FZ!JOhv9&sNddfk&8vDs+pGIPjq1a@Gp@hM}C* zL)$*@Sx>a>^PUw(+dl7Ib4Xjgvr#NQu=N+E(rM_Bx*{9|Ra5`lk79A2be1ljYF$|B zuv8eu;;UN!Tq+Hp3jbM!Vib#$#K&&V5406i=sTqehU{s@H{s;QC>D>m{-abBBo+RL zgvux;G?rr5T&d9Qr9N`)XvL@9bYK*Vk77=!U;N^np|T1Q8e6ezu2kqJr53riw&MG9 zIxvcX3(|!Ps}P9_DlSc&3jLzgCUFxQ)F-NoRfzZ;MX2LhH6(;;V}O@+3mj?y#P}Lf z19E6V&_r>BM}>YzX~&*cz3`HOlAKuM#N``eBm<#g!x_F=&kaJd4wUpb+>0!SSv9h3 zBg-H{A zoY{Haf}oKVHL`+kS$e(*{X)Ge{X%t0eQ8eUm&uo7WF?F&$1O`Hk5qTd$g+$q%?bSi z=f0Qb_N$oR7{yRoF@Gs-sm*t9$JMR#n^n+uV_v1P6$T>EDbPS-te^QhJ~iLw%8hv9 zoUEb(marrYOTw^3kcvbF4NJtZ*b?r8MO{Ss@MCM@>19XTxP1E}ybdprnS&H&EvxVz`2aD`>bZ!<8^xmf?yTF2`^=hRZfw+-i~X z+J-A(xFUutVz`2a%Q9R+!{y`jMw-cRMGco@xNO7a7%t0jB@9=>a77GP&~QZzmrSLY z7I#KeV|~Olmf>;?SJZF?ObPhRZfwKJ*LKUZy)l4VPoMqJ}GIxGckE8Louk ziWshh;c^U@ZMba1rHAV>hGy4gj$+qbT$csO&UKkZ4zn(!N34qy6;WK8nCmi!TwIsgLTJ`yQAMcZ z*~cyRP4@AG>aE`?wN=PJN_`kl5OsTLQ1xFBtB{|RIw}OjDg^qXLO`rSep?zGi&k!qcYLTMTW#*V~LPpw|aU*OgxHkm0cKJEAxX$M2|O=oG&bimpBU_I*rp?7?qK zg=+I3J#5_QlA=b|4|xMA-9)W4B^RH52PM-TDaV)YWgrRxyC zZH5rPeXLC4caR~(Z;K(sZ-*hoZ<`^+?+8PP-$8~P7JiF1id~JF6T6yfo&OB{mcAo) zHI~ZYx3rbm)fj5<+sFPx{8mh~t1(3EYNRvxEo~}xHH2pI+fwYBOYCao61y552EQFu z(MU$vu{)&fYKk3TPhzpF(IIvk7g+WH`LBLUDFstWXS{j}?lp-LZn!z|OadWUO%5 zZrQm$^e91CBD_V|Ce)*dqS3Q|>XDC%K){PC8t;05dSsD?5SUOj-W3A%$R-UzF*D}) zn0l>QGf<&wnK!I74eT!$A}0T5tb35I5{~sB5ae3h!IhP#3M$8V?@|SgyMt<-)XuaYOqHx zqFE8}7!eU8B4|V?PKdCK2*>0ikrjcfnvIC45#bmSiW4GiBO+o%2xPH3Yp}-j$=ntt zN*EClBSLXPM9_$c8WDnKO2jWpEhEAwb%qv+8WD;UA{-+kVMN&M*Gj~1OKl^Z_}(tNNUA zGmDf=oPy;Ot2zt29u0HqEVKqV%&M~>70SvS<6#!jnI3g&RcGPQS-5l-(jbPrqqDH< zEPTu&3US()C>)~ISvYkTZk>fR0E6=`0+~A}rIlI|gT_`9mkT z3<>Eh2*ZpL?dTa;EaC>j!mYD#GKb%@KFRdkzqVsa- zya?Y_kbb#x^YZAtTskk0&P!{FD7<`;0jP88yzDwJcWz!jotInZ<uwl zdAW369-Wug68Pel_iyjRSb{Mc=r1PAkrf`{Ne<`%CT6%aVje3Olq4>)D?9XJ9eDss49Hv>)bl?Es3Q+R zNdOtppq@Mcb>#u5BM(3cfXoe0&))&m^|t_Z=>T=faA1Y^XoP=*GS8t**u+I{bt!43 zA~4WCDZvUa1OwF0m3f6%1P0nEC0OB^_>TkBr8A^_!TL|vA zBG7MX#r>96+;1Vc--dXyLdme!L@&MFrrq915n@J0o47s0CoETD#O75)rc8vu8IbAC;|hmE@7aB;DJ^I z2AT;0C|4GM3c&-d2n;lc|2#mMJDbiPjhI1dd)8;3g9!ns^nd{>1ovAJ=(n_DfJ!R{ zs1V$5MWEjx{wn~5F(#|J{t*Zmb9pdIjLBSPs3#9bU3oC-$b(VhLH{3_p{_g_b>zV) zF(z}Fp`JV#b>+dRBM(Li!263C>iJuYdi)rb5#h1ch#91|T^MUc0Hf*>###s-YeitJ znGlR}Wx=QrJl2Z9ScCY_W0biIMm1sve=AnaEhYq`(gVh*5ZrG?px@GpF)FPXqe5`M z6@h+(_%C79od=`NJQ%g-!Kg0}M%{TZ>db>t`~MiD?mQTE=E0~v4@P}?FzU{OQD+{E z+W!utzQ4t&4^`z`V-`ZEnvLG2lHG*u>yv#&#_JpJM=$ov^@%y=+ z6m~olIxmD>CwR(92|t$*E}d}eghwZQI>8fD@zDu~PB?YKr4w$Q@aTk3CrCPnj@fm> zp%bd#xa87H+&baW37<|7FGl=;cAa2Vpq@)7Tsq;_36DAh7y5b~!5qe~wsD>(y zd`qPfhbQ9KqA|A`hdYtL#qMFaq5xq?09AKr;lv%o7B$S__!n^pm&zlC>}J63=*?&F z7^-NCSSCPR!kH>Fh);gdPq;7**9Bi4$7fcSHiRm^b3vvPhc8XXa zl0yp!4kdgmj2Tb`ibEKR0%O69<|jm5e+>`MMiH$87*btz0tKp@3=A$qe4j_uFIqct zn($R!h}I=#BXPFOEvlad#}kR$BRbBW0>5aTQZB+*bs<`hl(A@uQJ71#h@?p`S-cLZ z&*GK2;}e+eg^D_kC z%p3#q=KclCTR4ck<(kNwXN<^O5!xK$^IA?-0(mO}@>T@o&4kDsgp#*rEdbvni!95V z7uSHiovNH;cgnKhkfl}^K~-6QMKK@-$vmMfIO^xeH%CYnzFn#=AErPJuDe7|dO#hp zVnA?_%b+ay7=<6-J}H+Gkyfla9H_yHVoEsk43@X*CCl5R-38%J^fw@H<`|H-L~wJd z5A8Wc-f~Uk&ALS7tq90l5s&8J2D__iab zYVa8!P^_v|8LPf9E@OEUjtenQsA>f60`hiBxr~Ua%c@$d3so&aK9;7#uG&LYmqUBM zyxmeRBckfEszwbZZwGh=%UktQ)U^sAvbyFc^6L}k7?3yjFBsp#LF6shMBcpmh`bd6 zc`E|)Rs`g&2*^YckT(+|ZxAdS=TTn^ltq90l5s@0Yh7Ic-E#UDn@HCip}c`IUdxJwa`w;~{KCPdys;EUxc5s9IuY)|r%)tc;YcSr1ZD`==UG4)#B3NJ;fZ)^~9mZ&XdByDzq_@&FuHi#?ap zHqp|FIi)5=w?n#nM|A%?hLn{4f1*=qx!nJ_AtlWlaffSP_J&>K z+7}b5c)<&kg*9gypA-CD{1e^p9=_Hdo9RhO>383jvNaP=(C?H9 z(to5Lo?(e^jqTbU(>C=mQwTlArse=l_>6yS>h9e!-SA@^G0{v#$qA3tJvi#Ihglyn zfx-`HC1mDLQi$x*h8c>Brqq@kTe}?jwG*?@&sVH*`MdcEqM< z;R9~JrVNEeNo*0m8%-7uH;nd%)aHiKUQ5xShVODNCOREIu+%*Jj%o=D4nn5LkGW-A zZ%7WO7=@Ea1GlUsw``k!Bjqx_87H?a0MSKw!(QS$jY=-dBlbMgImsKH3=2rTn945{ z%K)QcRQct0mUecZ_hB|;M5m18J0?YsMVf0wWu)xPDJ?OqC)Y_!ig0qu0JAf|nkR;} z?io^|vJQafafbg<;4QNMF_d{jrZTTcZ|FGY^=ed= zW8eiVhat9sPi^wEM!}X~0&V*pH6n{&ZHP)el##Ai zz^J;*l`ad=E_S1^dHi6Pz0t+E>lmjS$g>;k$svHwQlB4WN4NCTDXH1%DVZ?(>c9I_i4}g+Nm-d<<~VK^7Wh_l{{O1E)qkrNad%=uXB#<(-9jo4Cjl( z`QAxk;hYABlSj$H@QO+d&Ci#jl0poeGQ1p`{<<>^1%THzPS@mQr$puKf!2DQ5}max zWev2~hP>Kq6th5I2O|w=F9$=bZDNR<`Ls<6or6^AQC+9TX5pKX(OEm8%}xPb(fyA= zv3aAbGCNG zFHnK@ccUoe@lZ6_;0+tdRWPdYK@Go@(sYJ(_FdIbS7E!jVX8N*9#;W&iU&39CZ*{& z<;#_FLrsId&lg4|FI@g_#LUHN31pz? zFM8}LeqwYvKhl66b1FR+{W3F+NU~JnR4tOSUSgGGu0Cy*l=adZmcq55q_=VxE_SPO z2_0OZ_8;9~L^&C0{3eYe`W-hShqav55!OcouaB~30%%w>18bZT0PC@oOne15A{AOW z7D&X3hm{cPAF8H4PD#r~b9_BDWexM;WfVXTEVx)xfw6mhC0oG8tKG2=(dB4w=xf|{ zjMVeobu5#|4gqi>138D)ZU?ZPeGQ8i>}^qGSYYRH%UEw{QErJby@q_CWnFHG1s1T* z{!=y76}9~716GAN z&k)YF;>xnxJo9(1gfHY~-oww?kC(Zd(`UPfMVQlPww?P1t%&)^zn|P2>XFr56BfW4 zZ|F8o@u;68WpxKEW&mGOntlol8Uk6_Sq!>+T$q#G5Lyh6Y}3}*?13mv^M(%Ms{lsx zAVv$NH2o?}zjLacKpKmB3b(uL4UOg+08nU9yB<=Sj!Be#Pqovv=2UK%>J7DU4QS0Y zJ zGfo4D5zi~bH!?9~7+;D^3hmD+!`H2;$wV#yd^;cos&bBFP0mTl0NAi5Glsobl=B*U zH>Hs`>Jm5d8+&dBF!ncv`6~7|R$&>~-(Z`Vh2;{=g{_AW&py9U<79X!8>}Vp5#>+>#?lDSel_Hu`~zPQJD&|`Hjp>Wqa=` zR3Scz3Of$CC5ux$>oKIP6+MSiwtBt+!18eW?@M0qXiR2niNh|^gqO=qJc`?_i<8yHNZC;iYc z(rfvUt6&e zMRS^geYz|TFjRL!r~j&1l(H|zN_mF2t2d$+ zKOi2o2tOdy@TEg330QwP#~WZUoXz$gCQ0@Y##s-pkFA6lftmOOhez}=OoiUeF~u8k zS*6iikp?&lfB#-w8j3>3Y^uo(GQ1J1RT?@rsNqS@?dYA3xe6#tLtP_3`Tz}6y%7Vr zAvE&qK@GoQ z9=3XUg2+tye{=Cbfo>PG57va3dqB6Cc`4Ax8EjNUVS?~}`|kUAv;=QR5=#V+8p9HS zLWUn`gEw@hl%`(df@%3|BSg9pk5EQ5m1@+k`2dt!|GUBeDQ znQI_giv(L5w<=(Djf$*#5a9!Cm?8F~j2pjS*d^s$!>Q_G^UVcX;RFoa%?L83OWUjsf{{|8mP07-J41V!0+xcOD=KawtOcE=kZ-l>ifpz|$!L)&vvc zbO*s;f>XV)P(ZR%Q9O`AL28e`h8uD~E6CgK4^lf2;#Jag3&ryG1O=%{9UBFhef}V| z(;uXE`GeFxe~_9GoDIm^;SW;V{XuHCKS<3ygXOJy$#_=vS>F5%0eLgWfV{bX!SWUk zB5%1S^5!`s@>T@otq24;6ajfF0`gV_1i^&J8-$X#M+KfCZ+oaJ1FN7QwM&)ri1>rl zKCLc7rT!4K(;uXE1qG=+{u*w7klOAKQak)1XtzH|?FkA}lLVw0-#&kk+UXBcGtXdo zt6s9aRehE>KSMy?%rPKu?q9IHg@edju8F)^$%woa0U;>@@>T@otq90l5s)_%B5x2% z-Y$QT+UE~a69;|+n%WagVbc__M$C> zVtwK&hx_~WiN{~V?GIAhQA1PK+}EHWp6aFOYk!d15fr3mjsbad|AOT$97Nu7P2|n% zkH}jQkhdZrZ$+Tnih#To0eLea@&=*g?RZ`&px3P^*5Bn(%`b044s}t(Cr>H*Ta~f? z4(F@9^!bDm{apd=1Nu8cuVGhpS$|8J=x@~3^mj$M59{wrXz!P|OUh+LR9)8JQYQKv zJcH$}ddc#3N`2Aa{6zlskvRtB?Lc3G}AA|P)?K;DYL(hqF8@dMm4{@J^mVQ$N{Zbf1?Jshflu>Q!H<{P@=zIM0>xy2{~;< zq!kCLol?f~c17}4(H256zNsqO`{nI;Nv~m7bs=xJl(D>h+}9v{t6qx!);L0c;~4_- zW{v@QbN_bcUy8#Nti zU?)!8?bO7G%}y{vDBwFz*&V9f1Ii&PUM2B|id%`}8_W!5dt+gy2N1~wW>FYeGBbg3 zVM5$RfdC?gnfK!G6KNqH_6hl2L3ql5X^J1H;s_7?r?9r!oeDP*sv>llp~ny<5XlbH ze-}e!e`h;>xHaCeL!81QUxt*o#R%_o^I9HqE+#Vl2>g_=_F!8D0zH!B-A!?Bn&u6g ztkQ@sK`b_KZik8{VzBb_U`bdJ{E&gzDe`D%a6rVT8FRo+xm*y30m7ke`Zf8Y78L-8 z4E(AY$9^OOFHv7^I4Zfbop+;rf8H;Pm4*R%L*-}t7$_L1Mym2O2akvfUt_cnc0wzR zb_%DtMq8r5jJ*wspF4^IjA zfA_21B*KWWHN)>R;AiKD<+zU`g5o|KWcw`s9r%Q7?9R#M#SsCpdW_0EsKtH6_sOnM z2`}~z4llAd^e^E>_z1gYo`Isd$Jey*BKs;&Cg3T1dqZ3B(_*kHaQCq_hQED{H)4pC zrk}u8cD01BLEOL&6VJm~WEbUU%mAk;LbxhM_cHPU2DPL#{QxkB(PF&8<#<7;VU9BxNb@ofuMy>mUwe=aez% z(o|p(E&v8?oJQq}!|)=Er56s_yvE-GY2uBVg*2c7UCQ_i-PR6_+9rkkz^PhyMJwx} z9ev^D<7iMGEtwfSu}y`U9*A-AGe<*oE(Rb6VwgbFzX`hVPd zawrBW@G6k3#}l!pViM#I#iX%0$V>CT3&kMxB2q;J#m7Q~Guy$Pi%HNzF)3OorY1{Z zt2cTzr+Cz{NLf$HDYMX%oYO)vZ`tM3k}eyw(E>7j9m9`Hd;(1_@v8l6TNH2bM!&_E zfs(30Oh*gTsPz4!d|jIIJ)>A~jxC1;%mOj_63hZR;3o2cel=hgT3iM&QOcJCH0Xq` zeBWjcsov;gDvewj#NjdLcBlXiP|9%ULzBXRGf=*n+z`rF1PSb4=RB0J2oz{Iqw)(` zuoy^x@I2J{CMp75?K#bbF7_L`c_JZHQ=hLPR8x~v#=2Y6x8=D2Sbr8NhiV>4s3s)~ zzrl<(A4@3o?O$UxYoryi@jO~VzVAftVSJYlVv}}8!i2Z zzTy7w#&I@|)!>s94EGdl6x{s0e4I@YxsS8`gIJAh$~jg8eXF0x{a3-7zdetOUnq`+ z7hTS>>F04d^e847f-GW+0smrxZP0@?2^_3Jps+EE0)fIUDvh4SA_3kJdc<*#D^iLx zyE%Q{8X_AK_NIe4#TdNCS96kag#&uxXJmp1*A%pV>)cBPh@tgBELFfPQXl|4NchD=`6(-N#HqbeDh+KH#CZkh{Qd-w zrr6KIpir?WnSi@mf(1^^*JBn?HpPQjbmJT%^_btVYCKA@^XWct&=vb==Frv~lF2Eo z>Z3>lk5^te=>7x`;^y+XQgFQ7ddVCAM zb5dwBr@7$8E*u|&JuNY`3txi=>m5!R?6O?Ii|`s30PL?Kg&81+;P=4VWhJP45&n7z z{)DvhMjhZ*e#P!%yf00Rc+ea?v9Y|xshsKKDT=YuWI=hwxF07E2~6G5JzEj~U35510)iehr>P6U`N zmw-_16g(f8+VKxOSbY3L>`WLhVqanch+Vk`N?nfi@tYfLZ}j2E$6@5FoZ>;ZBW3j` zrV6kKg>pu*s=VXXCFfv=Zx?RlHTYdTq7r0U1iUcTxByPlsRU2!=|b<|F3xbXt*G_w98IU5qH zhD+52_DCQ%67$F|-C)PKOY0DpO;PWe+Kc2qe+^d5fD-SXQ9}iOm}hRscszHJz2d6! zNX$s?Jyfd}rDt|Pwic!5&Ouq{iqboF$FKn8!v8i(?-bOrWJRTlWCb^V$=Vq>O7^NQ zgzHje*z>v>6(U^Xu@>Rl5go@8qQ9jt7SiU*P--+p=f{53rClniDEYOrkKQIOa?OVcA1gV`4p zrMLT|^rY%S-Y$QX-tCXllSJM*%3}|T(mVZ8dWSzs@9{_JnP;%PRWDiIsy@q`pCKS` z<`|GS_b*u9!a?LM*F@etXGGqL0CPn^-im;{6#)z?0wy36!BKjjKT7WiRWgKQAt*}k zR^_}|_DAVS;_WPNyFUi+@<-|2K~Z|2zlKLz$*Z6KD817krT6%w^uC}dz1<(BCsh~t zcKM_9%rjWts+TNpRiEX}&k&F|a}3Cv`xh*4;UMysYa(w}G9qt9K;DXgycGd?D+2OX z1mw*`aFpKdkJ6JCd55MBLp49Xo&G4j!yl#h_@neb)YX)=KT7WmiqgCNQF@oE%gS1d zpF>&OxxHu$p%~xpa=5==pZNSWJpL%X12r^d&3z5hC#sjCul-SaeujX&nPWiS+`nLX z3kQ+6ToZY-Wh3%d1mvv<$XgMRw;~{KML^z61V`ze&kL$qe=CaZr}C)gm$w}`O@FHz ztiM$m>+f*B%KC&Nq#pE%y#m??^tY6Y{#JEae`|H2zfo7o+fh-qhyJdF_I`Q0rCdft z)n)yS8k+tF&tQ3z^iuS<)EE8DPvl=8nPWiSPV^;M-oioTE!RZe7E}^>D+2OX1mvv< z$XgMRi6S6xCW52%_7~(SSz9QI^><}d^UK@kui=rW6#b1Fn*OfBl<04vM1OPK+b?fB za@vTfx~#vYjExa@BwuA|(o2db^mkB{-YMl=!=dUz-X1CAC_RB^u)I|-MSn|u(cgH6 zfV`PwK;GQHV0jA%rN8-_$lD4+}AA|P)?K;DXgyqOSr3&F3FV@t6(hV9Ly z(D|GOwiIjvkpT^&5-l#igh1&KPP3s9$%qRG()Zv3Y;ihsx-};)WdmOPU>7aiS8!VW z&5M}#rG+;t18HD8PuwBAu2+(;B5+ZJuS(oZxfmo$3hN!-D>*AKuYJJtvYhL~o?j^3 zy2)!F2qT-ojo*$Vp3od6RYdM6DQ|c9JxshFu7#@D_r$JTeg*tz*(ee4iD-a&4fB*7 zi&vp4xTDaLM4aO=eP!l=VAW2QMh*+&a6n4& zVkU2%*!TpIjeQ0fa0VNb{aj;Ma%acxMkDKZ4JkuUc5cNXgY{gVmAugn^z8m^WSs|w zl+2SG*D;nbRI}98?L0_)^$B0yUX+In13Fk;UFgKf@l~+RJh`whkE8x(ddTk$z#kyF zfiyQrPy@=9Z*w^@`XEtJJ; z&KKtQlA^6cH5My3BiWb}X?sieI(^_|>-$9;=6Eg?c$Njkn|o zZAtKz-`Rv`2~7}D<@YfpwECAs-U}Z3{zFC1B zkLnZV56C_Yf^0s93`XjLy1Kl*2H8v8c6m=3F>mNDb#?Y84YG)&XP%tBmxob***&ab zeeef9YH=FC2S+s>4A_jsi0AkcVqqmXWxzT#9c$tO0QONmqzQhmwJB(dj6-VKE_Dd^o$JUc5`tkx0;Luc46n(Nh2 zyom${r@WGc_nMgaw{b9W!L;TlOY=rwS82poNLjf)nGF1f-IG$pVfhS{1L_n6zqGkU zz3a|SprTv_v8WX)4Rr=FSTCho99A~S>Rll)&{gZM&{S(5t}!fm;T=Y+u3Z<(atyS}^8u}`fRKQKbuwNsQZK8v)7CLs(RLqe z=4l=tF^p%Zx;nlniyl`!e098?6^D9h9tfFUhkKnAF_F^%LfBK}WVA*nhJ3)65Y6h& zDWg^H4)xlW3xL+4GrBs1X;A;_@HV5IB*NzFSu}taX0A|mO)a;7^Jyz2fS}l z-l&wsux?xlp{@i@c_O%Y8p1S==K@TG#++Wx352@D)_{cpmv-J**J)|vjXHufptxO1 zaYtuGfm3Qy*zcT*eIYA}7#P~?cbcW)jrfE)!Pxj%IO<7b^jN`_9F4AdOwFLi|mn zi){;-8#XpK!#ioj~dshMZ^S+zJQK6c^3oW~xSakmDp05?yFNSNPD5=?_*+a%ni&d`7qS4AYg6(eMszY4|U_^ z+{_dFiuLbo2FZt^I0no{DTlJy{N!^FY-mCQYay{H4vFFHSVw+(L~8#~Y3ORC44i$F z`Cv|tl**SbwzCN=yE-=me~0$ji^p6eD_O28MF}%@`wFhhp;W2Mw$UHeQ4c37r*M5> zrg6}HK9^E0K<4H-qE7gNfy@yE$i8C+2v)z&RWXT8K@8eTsTLq}t10q_>H$v?UZeUm z1H8RjfU9DS+KGJNNlQqn79ex;8l@fZMHjR+>M5>*HA=Vk)fy$%KBmY$W{)YNTl;GJ zD%L(=lgd|zC65QJ8 z9&P0)#s!!n1vrhyn-Bao4gSoT?o`3YG=k4axTS?RY7WxCy5ZsZ(Ka!3XI1dQe)%V) z>Li}Fn&CX>evCgGQDW|kR|SSgYi0-S)lAq$!K=c~AP>VY3SJctRB$ zQEruEnp;KASLSl7Kmfde;M}EH{ikq3Q$GQ$xmAKbr@`+-1fRg z|3Qt}Y!YLxENA1F=Z=`UF}<;lq~W~8X}&miaK8}pNjPq`p4hw{^^ z{6)Q-!_8d&P?eX^%N;0ZlZ`ERHrd!B$CR1PmNt9?8CXsqz&g1krq#A8xXWd4Xgh8V z)2c91#xX3n-ri6r=U`f$Wj?%fkb`SJHs1K$8gSo<+YL*Wi)_`vG8uYuwrneSnj|xO zw&jT1u#=J-EBl@=rFcWnsWf^P(!iasa85oHlIujrZN)+6AP$=txg|WU^EidJXcNR? z3Fl(?aI1c#gC`+>0}q|hm#poT(R8Ud^etwAC96mfi$r0;=k-|A_;}6Q!Tu{@p{-d7 z+!AY+zE4tX7Vnc7#0}Nejry)gO+(%lF)YietIPF0&?VUeEtfqIBwkiLAx@SYTeigG ziaw@upZOD_qxz`NN%2K~BB{lw;94oFma2i8vWQ7d(I03cI6=+%T1}}jia%B)cY~CL zaLN7geL+%c0$C zlvY75pu%4LUJmVE30eiYfC^6iUQW4}H>|!^K`x+ze;}ONEuPgXX!2iZXLRuMI<;G5 zRZ`C@7r?YqzMWRgeqd;1{(=yG3!W!e2z~(Qfg3MI{Ga)RkDFv7kKKEskmx z_(J@|-7y^#c6I+0KWjQ9eq!VBYH<@ghCAXWz8@YJKe20gt9VfD<0lRbcg9Z~5#BRy za+$cvALNUl+`VZ04PabTKpFFBk9In~pP^(h2iN~5v{H58GUxsvVHo0!Ik9Ou` z`t4?uYv^=~W|NEQ^sCJ#7trZfnolcelJn%r7wN_)N8%=TrMT*z z+$EpJRrlt}@5_@vmM8xtPyRukd`3{dd7k?Ol8c)d777IL{r(o#zhZ&T|KH z=eYy9^W1^ldG0{&Ja<6P$GrJzOvj*n{6t^e6HnYkb9ns3@NmAkpnY5fVM534xK`lt zy^W znUn_p3DHRCP5EMsDz$4_hnBju)X!dT_!mZc#s8cBUkUtQ3H+ZffqeV6-0N{Af3JGW_m3U7w#Viw z4`=1{zxP4?yRU?Gu6w`b(xYRptVwQDxOLh08&sLn(=z|Ptuc>Qo%yKj&~l@SmpkKYA8g;f;Nk(V7@|RF%}6aP}pR(8S<(tOclGK9f1bW8LKZ`j!Xf4YWV4#` z8}k(mDQGKP$Y9EEp(5sdR$~Eck;3^4nkZi(V~EXQE?_BO%xAV)4VEGW^A|Q13ZZJ% zYrI@D>Xllx>mk^e?WlEri4GgoEW2ivMw#+s^}sy$J`k z35THhsI-*h=ZhY4XjVC`^RB~R2 z`{TcBSv)be_tgBON7mRn&5{1`#^D9;d{*xHj_h}KR2MAr^NCpch40Y zw7+bS=(D}>*(OQ0w<`V~Hh;^kMy7{P{ruq5+YPQ-ccoU{+r7-G zeAjNAceT0o=h&6~S4TDPRr&L0j`e#xwAsMd7ar+kF16(5PG8IiMOy!IAbk2at-kuB zZ=Ja#>W(YF>HA@ijjy~D(ROzA$b_spzfGF4*7EBMMSHye)4t<$$|(`sbixjKU_TY3PKC(+=XAO z_^g$_C^hZz(o`a6p{)x#-L}z}@vdc`jk8hMV{=>$_)R<9U0-3=d@Bu0t30?>D-*SG znLLdTo9M%#j-RItu+o#>DPQz<=++<);{Wb%T)ipx_slfYpAox8_xqJ-V|;^x1@9Bp zh+i^pW(^Cy9=-T@<_Mw&(;cTQb%+)XI9amNPedcG{86z|10&UZW~cAi%LW=f?S;%^ zEzQ((<*@OVVg?$TIS<*(w#%Fc$d}^T;so%fqTxy^V4{J{YwNE( zzsW+UH$2ty&PpTASkV3L4x6pidD#4=->ooGa=zOgzFTFYZ!F&3EAE@g^6C-WiXSc1 z>PGQ*zA@OS+U#5LE7n=)Qrmv}iiTOKXs`Tx7g)^H(y(Hxa~M{f6+d3+`jw5k9ecdw zT3G`fSlP1HrY$yV+5Gk&Z&$TY(W#kp9Mvtfwe6tx(^na3;^`wH4QE>EvsdFcf85AS zQ(C=Sz4tFB+Ow$trk-7lG{4H-USk$nXkq@xpZwU`M1?KOmu#PArDtb<@maIVX3GAu z$upN{ny7u58bz<;NX_K|Bfa{j zJ1u<(QTdptV&6V7;wQZBPrWtBMD`C#9PT*FNI#uyx@6ZF1O0ycmCIdUFwz_JX4x?_ z4Ak+HAz$9jG}4A|8(dxfrh&$dsXY3w*F>{tH~gt&7W7E%1>Y}tV5Og?^ZR%S7+25Pt9{j&?Y8>n|pZw*f;Gwph@*XFm%SZK+Vk;8vL zbnE38t~SmZOEjrZ!sQmB2KscsOJfsWHB-q;&+P6x*+l(bzhUfA!%Q2hIcwGIN#xp< zS~bn?#E(?2O_pzVuW%sSH1NL`vgvuQv(8=deRjrg&Zfl9=@aHe)c z1MT~0#O-#>W$iG{Y?9=!d@O(X5P zxpd2*Iwm^t=eVS&o7iaH)dEy!F43^eu0!L;S}6LR%nK!7F;Ggw6^C9x>~GV}el4mN zv{C)8k3T6<$wq_UnQLk=h^R-8RqH!%x6rAm*e$y{6YcygZT8sVCc5_I`;*N=tyKHy zw~>oV8tKb*FIf-&NYwt%%l#H)8!7GlH*MB_M>P9V>F&$FFwiG$kG*NlveJo|PRB}* zu~F+ig9Z*BV4_dEg_ro{GoqfWmsQ5_Q|q`bAKk^gXlyO;T+1d_vgIFO>9E~OXVx5b zWY0CypO?+^&i`(q4$mF<=@#NV1zvdg?NAlw z%iqgP@$(}?s`fWiU0(}(lXE6|f2h6wb@aRWZ;wCU{Rr#Q+L7;V8)TvUR}PH}U2LW& z)#@0p!`WBt(dT_OHnZWCmSt1s(JpJY!m(Yw)w=m6)<7S+$nnV zF;Q%b@ZDb=Gt#!EJDwdr!%B7Xt*$w)8c|F`Q`c9V26}q*D{oAJJg!IAzS4=ru<=NuuoYdG{xHT!@0B0)(3N4PR)u22wmq_v_i?c){nO1fapIQO=WZ~N z(;B~G`0F;>wD#cLA<%<`?w(v{tzo2up1;$8TP7+ssLa@=SVxktot-e?MH5|rcJ}c# zCCqfUaMh1m;XT%gk6!FG;)IPho*en*rM6ffzD(^>Zi-icZ?#zNo!Fz(vnb3`|8ocJkch>@q?l|GI8dcuOO zSck7yJ<`0WnKt#x@3potQ24ql6Bm>-kay9?CsyG;_RpL%*2A9Ke>?8&cd${b{A&19 zowggP-P(3NO2FQ#c5VE;Gp`va+qJIS{u>6mpH*O8m%Xr8dX04tTmn0(%$(axp*OB< zf4%-%*dH%`RN|YO9nEy}$^4N&Ot(aqeOdmNa6>`4Ztz3VPiCX$f*Z%Rch5lSI;->MuiEhtG zuN#RlWRtpuQlFn&kXsF{A5Z=D-AOB8&LC(f#x`0 zOKeuxM$5LJ`}j4dg?{K-a>R+F!1qhNs^`PH729fGtoJ)36{@*&o`dMzdm% zzMf^FJE8kspWsc~q#8HtA1z^{9{Z0RZQvkklhR^*RHTVs`0?&k^F0HVpI@@xDeRgH zj$C|s_!TReKC1TSz^xXlJoIX4IoPqAs{Oe6$G6N>p+@P+39z%;ohUP{#nWa=wwC{P z!(f%Tx#5c6A8U~eoLP^r~v11&glepH#R zHtKgjJ~iW}f!6J8*QTMzNG%Q>ZezPebp6rOqtl#LN`F$Mc#qZ=>iF5XO=I>L=th^X zJ0D9l(8wik3?Ed=M&+s&nS7zNmCQGHT>ABqg=TCnvv+q&XU*bOfiThcttMvHb|*?nQAkq+ma{i6xwzxdDdS<_(WnYY}_ zK3K*;5g9qtuJ1IFrB2g%P-kcm2dUAott4-q<@{NYzCZ&+znO8o7rcVQQg*lq9N zve1jOGy64#9qI5a{Bth zXBwJli+xg$E(moun$&u|?TUp;9R7UibFi;1C0rxUh7xTkI<3$A`a~riGoMeYN%YpG zI@RwPj8v-BukTL_Gttwpmw5gChX(qh!KqDy=9uWaq@q_O~3II^k?|TD}I@6qN_uT?|rn(LdL3{BDO$ZxB7T) zyFV9O>D3Xw6Ui?a=(#d48o!4gTi>C>otf1PRBF#lRim~V=;Ip`<`02=@MGMKl22iu zaizPh#uqOeX?fMUtv@~k@6@vw=GJX!rQYjL9xjaaciPkoQ9bKfsNdXj6ThmC{Y(Er zU(~H?p#8hwxK1Hhx2yJf>Q|GMCir}VcSf6NUe_n3KVNO2J+79IV*6NWQO=LIY9GM5 z>h0UVtIa@rLk8ZsThvCs*4wnF$5STiS@iWbuhxcM$*K0m@sTz<;*KfT2>Ypsots+Z zOdy(kC#FlIVz5^#L_YIdGpw`UE=wK;C)T-9AI?}i+Dfg@JxtmDypcYgT5@saHdx0e zwixe?vCzxUj(y~cw9@RXig!L}Ky>Zp&%dniw$bg&`O9znz)ZE9B__R5m1w+W(VELx z_l=qFE!_Jo^zYu%T?Zm~*QiaaB3C<`X?lsz_S%~nsZ;!{#GB}USx-q{n~F9Xc70LW z#^+&&zvX>U8vBPS1q*$?403Ju?4^_ouxn!$_io(~`tQrDE3!?!3{3G4DGeR+6uceF|z7V*+*{WU1$YBQh za>w@G4PY-7-Zr3iSOXh9EbwgVgQX_wygFoAyYW`4aC6e|LC~XHU7i1khCG*jzHmyz zAyzv0<&fny;fraren`I`LSTm%e(~&L=+EPQpYz0iYNHNCBSME`9mqNSM){rxZFKLC z)jgdDEp%Yuu*dUkCi=c>!EUoLU*@)0uzFRpnGUXB|Az6liGIi$fBKyz1{$%Ww=M21 zE3J5HCAqMl9hg7gzMEf}$+NY~gee~xsamThuN_`zqR3(Q*KT^AXidcR53OsAG%WU1 zkC^;s8q>=;>6b99K{mYoQ4Gtnao>Cd$8TS>(i2D^-83biU{L z=?BkGYsPG{(zf`tv{fINsPyU@?^ax5qF+We_V$O}pS*mdCFP-siZ)End~1ajc3pBi z&to$^(_+k*g`h{W#`c}`Vk0B<{CY+GKZl#CN2Lmbr(=CNRMge-*J~C!|MZO!C1G!6 zZ`cq!?~H+N&JAzbqr8QRS145>>mkvcDdsr?rr`uk=!upU7Mke7@ccQeUNh0lbt6oV z>zV1^#_2gf&o|Q3uZ_KwxSXi-uKvZ|?P#S17q5CtVxMz=)_^esVl9-`>cO&G-7M7X z=cxl**DpmS=)*c(xef`p{gRon7bzE<&@wSDgbg13@nUZGu<>8kNCcR>$f~zm) zTlppgzI5Q_byW6s013tmM0pE2ld+;y|>)H7gkrOu?>B_~Q@0`H%JbGB7!@U|N zDzx+C8=+X2SF8y?JE6CMey!a7dFveL^S4WHNjF&Nk@fm>r(2n+;lQ=eeSRAA^{0_j zc5Ss%m+vnu|Nc1U*P4sxUmr`fs>|mU*Zg9pL2c~IzWTvLhkGBHUhx{%^ZH-!?;mZX zKUVf!wegOHV!QlwBH}#8v+OB%_@@SXrfBDZK0mEhWBDWL5(i)Rp0)|OwO1_ovVT0 z+IB4rX&)KLJ-$)CG|bnT2b?`hjWtu^%WrgR*T_bOO|Nw63H@5V(Ss&$VjV41I&MY% z4kjvTuF(6%SFu0eTr%#{Vn(|E=BD$dvHu=<*6BL|e?_6NlZCfJPcEM~w$r>)@FT77 zP{6XP;3&a=3zWUVg#owI8{Udjfl4*Niu3?d*?vc%oCIN>ky_sx-HBODptPqx;*6^n{%>HT9#km8f?ueOL$J zZdh)_Zo{}1aen${hJl)X9@?-X z>=#eL459ozQ+$E2K2|#h@rJC zv?!mmUAq=0`ZDL2Gmj&U^p&q((eFE$DXns3!`J6oDE*Vodusx3`Csd>t$rONosS>$ z;hY@!kqU+E@*RV}tzY+^v+tW|Zk-=SwO>h8de4jvKmP{3-PrQ}^z~M%H~psqM{AnM zdwBGQgRm1{nO3*0?>7sre^SQ$9sED^#CFfL3wkH^Oh|hZ=2N#BBmbOgrW?(^`)whf z@4`0)#!b9I)T{5R*5AU89yeuu$&>Z4e|dZ4)t9bX>3s8&Px^mtpdxz)bm?*t{-yOp zragO-Xx%G2uHQaIlv<$c#OGESXm;5@){g0Hp^%J{_ufh})2NCAzgaZhK#vMHY1ycX zl^!3@^6Y_qS|on>%$^@v>7DUKUwF6=^U~t;UabZHREhd2uS0+CJhM5W@NV$yxOTy# zy;eHA@j}Orm=6aww7TTGh<(QQh8`L42UMU%$rp~B>5W&XOn5xqMmr|i=Kh3n4Si~U zQr0ujo2}|KeXhQd;=(S5^|%Uu%~ws^W>qlJnQuDpY+e}q`)NNvs*Yo_VL!Z4XFlw! z9}m>8^ha9@U3Hdz)FTak#hh=xvNeVMS7pIVCCb4cS?Xb2sh^2Hu3!H2nb*x!t$ofX zZ(Xy}hM2y+-!YphbX3iICwH5vZ|P}s9>ZUEq1)mHB_F`g7P~g{Y%IphQ5B#0_cI3;OpdUZ0eY^Kl7HT?b<=O0+2I@2ZTCMu~ zjFk0JN~LESnP}+g$!D8k{djK2Fvp7Tv46gkKKIcwEA1(N>4y!lqfVyX{k2sY;CoPu z8iS*4^hwNTZ^liqP^TCF_&OW@uJpF~+HJ-@C~i&hQN_yI=;qs>n!np)p`YhZ_~bqK zizilpZTevBGmmbyEdKUaGrdrDwB^ZnCVJ^i{Yvjg2o$^~Jw=7Nc zZoM%NhCqMk8*qH$#|A4|H7@0iH(F>%%`Z#b+6n#jc;37B2Scwld)(><_I2TnUtU%s1@=^Y zyV;*&pd+HnZ)q{sKo@RhH;RRwbnMwDD=V&n{y#h*F1wtOV!DLZZD}`B*CpK?F_^a> z9nPp%sJ@x(%RcBk3b+XWu}_DUm^U+L$L~#mz5nG-N40As&2-h)ZT)%J+4Gv7%ery` z`u3VT`J*Y2=YpjjyMJP&Ga<7=e}-Q9?76S%c7}gGY3y&O<_x#c*fj_Gq``mI{?o^w zkLzimg^8vUy@12p{XbmM0e04sZ37ZNK-}o9UN1KM6Z2tg%@L13=!^ZtD>v&5nFBjD z`S53DVV7*VwB?gQYhl-&-MFTM*+!e)ovUqaiGAT$gAU9oV5XM`6?p!_6!;}}TqruM zoRzw6Kk8cjnT@`y^8NH?UIX=SH1{1R=4<w?C07#K zmF;h&d7FQ~)uxb@p6b1J#7@|&mJdFgKC2h(@UY_hehN2GLKXY@Ke5htpFcJHL-9@Z16hlg4Ut+?=1Sl zO2d~WHYr)xNVR{TxM&OXdY{>Kx3;ZirH!la&Mt+0)h65UjV}Vv_me)1&Nmi**h7&` zE5UEqX2gKjwFU!k`Hog@fPK)aSJvz~SKLS^x28HSE`uGD^YC%Yo$z~YiF@wAX`-)7 zfB(U8qnX;cOH6ri$VPRJ?tCW#@r+)js-L(D|L@almY9M3gSyQ`z&lV%RsAFSKoiSl7+H<+%%v!{K?;C z`sV%udo8ZcD|@nh!12MjOWXd$x?JRJ(IOYjbltw{$M+G3I`aOFmXFczB~d?z&VYSd z^Wb}xeta46tp(nnzT0o5tgXL}s@=jyXNpWpDc%VBFZ|thE6SRva>lt+S7+gz>r$Fd0OL(X8P=o z*LScn_D^#wS6}}+{F@yg-mi=U77Zu-9>36u^A!8P+VBDN>CpqX7d4&?y_&P|n`7`t z?doy9M#&6<|L=vQUHMGZ>e%mb_Znbb{OYStO|h&^xX|zaq3F89v0lUQ`|UDHlI&5U zD4CU{kO-k78fK-4jEYDZnGr%pLS-f*%8H1rP{}AGQX&*G8d5s<`RiO=r||uL@B2LW zdLAQ#=$G$Bjw;*%&sJ5=-y@R!hZ?d zw)f<%01BbTI7|+##=Rfj$iJtXNtW8DuG+7|AP-A}l0D!TzO$cy^6Wc>>|ojaxg8EX zxs}6i$``&}$DeH$X;kv7ui*t`KO&Lq;TtjmUhW{Tf6oNxqF!cbtp$a6H}9i~ETNIB zq6OzRve5{w|1Af1GL00N7EV||$1c4n$seu_e`>xc`yF)Kk9XFaKPaaV#n=e972t_I zC8yYIlqh7y_t)n?+fqq}ipZYtICt8T`(p*aQOW84;5p;1tHs-JDWraR&Nhpflqp2Yl78f4{31gut`D8;q9g(TTYH;M;Qay&J3LzPq76 znn@V?7r>tjDff8BpT{KJo!ypRyU+(2Y95^UzBGZ7e}D4mL}cX(`ld|`V(Y}h3@sldevw*;F?PJ{)VvL*dQcf=lkqvnM^w?3|)N z!&puyg?#!z|1c^zM6q24CDccrfG?>f$Tw zvX`s#C`9ju0)Matl{m4Rs=g^>k~1BRJZs-m$#^>3$4dAyUp=^k#>3&;Kd&jidxS=+ z0_DRp`k|+muYPd=c;uJ=?x*};8KhIbC@vHD+Pv<>bj)TJp{hR54gtRJU9&oE$xT8m zFIKze!3VP19oVn(4?0HOS48_7HIT?Ox ziYg@rxW1`L#j3Q1kV6JHv*j#kWHx@({HYd&O!_E=vZMa~JZCYrtOs>s;VFNv5rdr0 z|2%#c#+=`rh2aM(mFy|nUO^p0eN_%AbPJ)8zR|7wuC9Yo#(SG@6YlR~rOi8!<9z0? zQr#Qd&miwVjtPq4b6hz4Pxl~v_1`QV+q0jkq>9VD4S+wg>O7Wq<6f`rsi?h!=d;WHiT!Rr=W8LUw*p@Y3HwB@dM^XXNk$=ih%<6$>3O zDbYe;1AeZJnt|+MiRjCHuJ@`A(8xUxtFiMKCfsm2CDqfGMW&S=?O$F5JxWrj)k}dw z?lfAfzEy(%xAXelo&n@@QVaF>VGrU;>8HBh5lm7%;;a;FMkm_Jk&bd#2>B7R(cxAX zc+J3bgDuEM>?)oL>*<7^cKTHI8~9rW8z+o(pTYli2un)9*V(-yPHZtRg}gAhxrx`5 z5FO{-pq#ICQb^tgl6o2$`@{KRJ9vkai0<3X@Hg+h>RD&c3*PcW-r+Lzi%WX;Cl4V1 zvTCT{=PZLo5=<-Bd_exB((8wS_Dwp8+q&L$1@a1<90w;)CW3#xa+%y>z#tzlI<;P& zVv$vD;t^-`;TKT^626{ zS!ch&K~)KU!|2s}bm*(2JD)Y`U1E~+W*3ag9T+5X^~Ixd(eMf1uICoGk37NPUZ;$H zLf%TtH@-Gy5b+Vg0@IW5bsuCygHZ@PsnAJaE?K| z-@li&eI5Z%3B7A5jd}rGJ~VeN%ZEiIx?b1UL+?%Bkl`KtoIbswUX=LG;v56#{oKVrl{c(Kj@ld%WPwdUf~R7(E96IZyxN zJJjPr#@AT05-NFqx~DF^ibg~>r`R?^54-7H;W>wXP%Ap2T)h)|$u$2Bp*zqaA6wMy z0q*W0k5=}?QpxR@ppsGCv-%n77Jc;7pf735YDJmkscd!PYxKnddTD(xcuI8egX}6# z)Mw4kRA1;>o|e)L3&;^{xGdeVPn=FhEzlF7d5&QI!~NOihC34*={?ZhArspUc5(!Etw>HZz+EdbmDc#ZEb^aPWB`^A5zI- zk*eG2(G#e{l&*BPT@}E??5gK8XX#{j#S(Tw2_{()BW#oe-Shk9!OwRHp4&#g&}+WX z>mQdaUuO&)ANb7U)jJx=&av#H`ZCFm7u>FfYIIV!b#Ck={0@1xgH5^C(8H(eJFS4v zbH3KB@DXB>Px~Y@zV1bCz;4*uT?Jo%I@&Y~^_EvmpB%YEUw)6$?jY#$l_L$F z$g^l1m)2a7X$-x=MUl>uf-ev}cQAsTN?J&-P2*-7 znP_!0YsJ?S7+Q5*9XZrB8(vmA1fqY?HfH%MQpn?(EMKneNJJ}MS}$@Gb@^NGgSeGU z^8JlM(#CBpQt55{I^rIa%x>X(9t|E$mbx=5`3lfHq`$#!`Eu^fo&tlePf{`UP!f=Ohv9ZS#}^7{C4D< z?dTy1vo$-RW~!^<*h@Nl_JJkrUv1E6;LX1^@Wx{QLN)uS{~= zI=w<2{evTXo-G^ob1nCs3ISi_U2~NzpQ4XFtUfR`w1!FI6wWyR&p%#HGAIeT46G6H=i=8>iOC*Thik(nTQ@T~IpJ`aJ{#kX4}?*y(lIOV-y zjprwP^k&E;^s~`+#tvC8;DZN!+)2j>d3fQ)H98-YT-1)g95q8Dxqd4v?RK$9?7;qg z{1@=NYGsq^z#}%;dZv7X{uQ)gdex^iCJA%&SB=PnZ*#xF%2O4*(JEyNH4=QwEx2Op z5b7p}#*!O!;HtcZ*0zHZR=;5!-d(2-08YCo}% z!+WEz$`1Z~CjUz=8|rmZ)Z@Mm^p_i^MNy+&EaKR(O-Ei3xj*?~`8XPj^i|LA6vsWe z9h-V2=^ULft@M9ud*bKZcQ~g`0{&ZjvWKE6>R<1c=^oU9Le=DI$9CwttKPb3;oRh9 z^SP)6A_vo0W3c@m@WThziZt}0FN(_F2g|6Wj(Jz=EpS5GikFSp!9$j;V`CXzr4WtH zT|s(n@N-^v{M+qLC&?-PQL${uoviem=>+arQq65&yPi%Sm)1(GbCwbI{fw8<^vRRo%c=>C(b9oe2&x-^xb0J3x-D*QAztyqOT+PzlptC zEgR}j#v#-0J>yg|x7O_;C+eG0^!mRQEmTs|MccF&x^hSXr|63>Omc47CH*hpFXl$? z?QA+(B=oiOO3x}n*nSwTJlTx*^MPGu4);<`#ye?W1R;KlGTNS@&Z#LzXlV$-H@R|F z|9t_AT>buw#kYz{hQhY`MFUTrIS~FVp$EFHw#k8R5kh2@EhG|xm_#DA@ZrET@Pg3# z)KhhYcoa^leErKH%&CU&Y|qhmBW7 z>Svtip0l;H@ORbybf>bM=tL@j&3+9F_}cT^=+-Rgfb}+7(S4}DU3>EmGbsd1=u*bl zAV*|p&1{1|VCSXcA`_3i{apJ&mD?;*Wca!wIEG5hIK|$tfzKScb9B$#TPi8}>QYUh zFMsQrp)uf(yqr27!4F8(RbPG4z4d_^sq91BB@b45ee!qNA$X4CxQz@HR@v;7=lS|P z*?g}9lLYS{44OO#|0VXRR`+W<5tDhVvPYId4kmeS+6}$Ww>8Y-)I4~@!9}`*q40V0 zz2XgGY2=;8xkF>i>EuYnyWn^13{v*t;bCp)Lpp1}N-g|Ce=+*jJNyRkMM3b-RT_Zp?7vP9-Mf`B+)j)2Nm$X|E|%|GVOzY+W2@88D^3F zd>6Nvt5L~a#qU!VDbRbq)lJO}BloiP$KLcb8o9)MRPh&Z!)(Fjd==b}oJ-TP3L$td zcT%@(MxFb~zbb0iF!VBQl`eVI!zq$_z0He|`g0#ir7i0CrsAm);LXIXD&38IG?LIR zoU<;4Npc+;9tJ{hIkbCv^DE>*<`yDqq~Xu(J)|I%zL-Jy7ye1pEa=3r-|^-revf4+`r94P`UVLq8C^4%`Ob-u((}W|{J{@i&3{_+8}-~!eX)Br`tPz( z1?s;e$X#>SarPmv!S%wb>iQz!rKBAc-F4uR$~upieg|$D=)WlC4qaxTX|>C8%+pAI zxuFa{V4KW7@iWlfMx{FZ~Qsnj5uN|Jl8 ztmIe(y*x`~@*?<HRanD5~b`1vVl8S3$RVY$DO#j`mF@& zT`jNMvu*I{`38jN>NKdtZAI~VpG{QqKG@)C;xi_BGW0eq7CwW*iqK=Tz+rN78J5N1 zOZOc6)z_`WJn62JvPbB^TYt7|vm6;D%4xwN>21882DWG3!R;Kp2q^L?kAwmFR(XEc89jn$qjb;kqGqrs4F(p=~;B5FTFWG3Op=9 zYhkV265y9pMonIlRI;;Bvu1*yMV4$|#d9nh{*P6G6_pP@$bzfCLpX3)_s`v0(9eA} zJr+)&ugmwnsNE|F|N3A0A}uLG`jmR}E+gk-vE}9SSMV`Kj-=lxU&|yF!|y&-fOk5x zC)YaJK&Kf#8elO8J@Zi1&F%1W=L~MUrQZauTVXn}9_K1xjl{>pFIi-;!??h*4g5U& zX6wvd8j1Kq=d_1E_0(1W^$YX^joh1Bp72+Vc8hB#0T+imteCdvVv>9=RWr#ic)r=s z)juN_wl;T(*$)o}*{qVJIIYDb>m6fDbex!^^?>Mt0?z5NqZXE$=9mX6d#98KUH4Y* z3IY3zbi$!-;WU7{Q?UJ4_o`a>nYPzA?*dVG?x$z;MuwyAwOMJHWD^Y044v!s@L zvDN3|=QoL3ln7qQuUF2~(Tn%kJEgk_{OnuPiS)X4G;;Hck%7dA#M z;l74*l9zjYwwXfAY|KW_8Y7o`q%md|e&2Ep_kgxqZjS9EFsFN1iqJO%nWZB~-(^5Uiaq!E@mLd1@%UnCm z4|-GS;(x-|G->38f4#*aQQY%4R_DwvAYUYz!(Dy=_w(%4!wt~?t(7!8J&WPDsu!31 zLEbUhs?vXR1CvNIBJv~l!RIWGIoEQWNe0jHxnDsY^?dmrkdOFH}M#dN|GB_4lB3b=guWN6P#%!&Lwmw5Rsojj+i+~11l z?)7Pz!vOm6dG?ssl>x}-HmHxZ@Ulv0o_R;O27d$Y6LzMh^b` zMf1?E`!u30r*fzx0q5YFTJr+F&YNFqW2N2jTUP9gTXKy?PN@qlzXKjL{Z6^q#f(B+ zV}JU;NI@Rchh0d!7r7QCziiE|;9HF?x1x2yN3X^5PTj^_nNq=9BixJo z-v9OFEask`G;`68BDWd%@%$`sU8AGI*QjymLTNNN<2Ovw8KUCeF3BV>4{mY}fG@i9 zjgs!p81UeGmRhMD(3_k;hq|<~$cKh!#X9Kg-QDS_?(Uf5lT8)g0UqjbHdV!U9J!2b zdj`CZQpxMjI+@qTkY~D~cqSjbAT{ECZWZbvD~#(>6#UwyeVL9ccVezmczxuGPUy2= z4yI@o0nb&ceL3nzC7;<>K6)EPB_Hm-KiTve`L%>;8{fNBa_OjRilH3x%}MW0wejG7 zI^PkrhmVl!^ldF4bmKq&zOlx2;fK|{{TPm5@k`dRU-j_K&MpqT>-=LOJpAN{NU+`=SH zt8)88>XDsvE%nn;smQrXasjU3sw^^*1f% z;(Yu|IuTsE?65!b!lqF@7p|>kkpqhv6&dKeZhR7Z=QK*$OXR2bG2f6CvqVTXM^uQfX;c-uH1a$7UsZ%SDK%IZWvSN zV0eL-P9`E>{<6inHA|=y-~w*^b1S1Uik<;+lwb81wX&s5dV1m9R=yqN@b)!_Wv#!#Gq)70mI&kX)p7e7|DSX0Uy&en7=GVe(u)Tr>MUY-eL9wZ z7mb)0=3Uo7E;Bx4{4X2uu6OU6~+TIDic}7=nH+b*GOJlcM|4@l^TZ#jB z9F-I@q$#d<=w$T)gNEo{=tP>th}#b586K7 zFGz4|j%|gW{BJglpdO0E^}0qG(};QfwjVsJ;Pb3goh<_ndYCpLKc)+RjQ8O3^WXys zmMYesxYs6k4m9dP$BW5i8LRuyNK)~%<1p&EaZ=t1P3Wa%#v_-$d}0uxl?SiRLU*{w zh>cJHuSl#F4!DeS##$|WCGIQo9kSE^j?GYsO5R76Ec7kO@{qCbl62DO=JPpP4*ZwD zOI-zgcX^PXk?eBJrR=-ZACI5!&9z|j{siFcFGoyD;n%%ihzmR3hW`0L_YK&(q(WZ_`ZPJ3N++&I1LC+X3E8`Ay+mU<<{_0; zxtQP$iefW*-m5X6V*F4*Qxdw%nk^R7S6Sq+ZqkN_6I8M{e&hKy=;y1eRQ+|{GKucn zPTnr)Hwl}npOYl`56QdbBfz_hK5}^n!Z$y|bB}jK74zQu_uG&2V~+KqyBOL5*|6wk z8Lu~ulx+_*+ZY1hRkSrXrHw^ad@ee4>NDnjvu$E!`=MWZ#3p}0U){D#=x7T!ja+2) z4Cn5`eHcxel!+q5y<(@5H+-FD%Z%b#^o^IQXUiXaVG&)17~>TD279rOpT>WHzhq9a zW#fFZbrl|wfDZcCX-4el5Fw|ZTEA*3qY+8Znbm{f6E*Ia*ZbMhNxaB#;-6U>k=XG2 z3k&`Ec87V9Rta)6;%0@$YcT)9oopD1_uGAxOS-U?Q`efk3&aueYE-1fg<3y4ucO8(6>zMH0tuk_j^7~L%%4@^jfA6z$Dx9WH?r8 zVBTS4)s+XxtE!AC{XGI7^}A*Co+uiXY%?7A=c5asJ^$-PQwa)rbhef)D2GD+Wd&Va z^^`%*Yt>Y7qi?v$-94Lu_v+GkVx7$|;KFeFrr&=E@qbvZ=n9_TZkm2qQy=<3V4{)J z7@gel7@070M(&$a+T%F~@(cG|ByJgb4=ZNob# z@P(daMGSEe!s)w?CuReM#I=0c`FH~Q;ICNYz5wWnZOQ_Q?LNnx&6j@;6Uq06CGaok5e88Ui!c%mFD4CwHWVDnP>GJaCyOrgmgJM;3G-)Q5h}x zfS0a!wR^G1TCoGw2j(%aGG{8x4?SYv;uTktxo}=}Hf(sZ2Dv2F&%RGDGDx%N88