From a6a8b7a60a2d04a1de0a39f74e445518c21b0cac Mon Sep 17 00:00:00 2001
From: Nicola Tuveri
Date: Sat, 2 Nov 2024 17:35:45 +0000
Subject: [PATCH 1/7] [oqs-provider] Import scripts from oqs-openssl111
---
providers/oqs-provider/ca.cnf | 70 +++++++++
providers/oqs-provider/check.sh | 193 ++++++++++++++++++++++++
providers/oqs-provider/check_r3.sh | 88 +++++++++++
providers/oqs-provider/ee.cnf | 232 +++++++++++++++++++++++++++++
providers/oqs-provider/gen.sh | 147 ++++++++++++++++++
providers/oqs-provider/gen_r3.sh | 47 ++++++
providers/oqs-provider/ta.cnf | 63 ++++++++
7 files changed, 840 insertions(+)
create mode 100644 providers/oqs-provider/ca.cnf
create mode 100755 providers/oqs-provider/check.sh
create mode 100755 providers/oqs-provider/check_r3.sh
create mode 100644 providers/oqs-provider/ee.cnf
create mode 100755 providers/oqs-provider/gen.sh
create mode 100755 providers/oqs-provider/gen_r3.sh
create mode 100644 providers/oqs-provider/ta.cnf
diff --git a/providers/oqs-provider/ca.cnf b/providers/oqs-provider/ca.cnf
new file mode 100644
index 00000000..013a1178
--- /dev/null
+++ b/providers/oqs-provider/ca.cnf
@@ -0,0 +1,70 @@
+[ ca ] # The default CA section
+default_ca = CA_default # The default CA name
+
+[ CA_default ] # Default settings for the intermediate CA
+dir = /root/oqsCA/intermediateCA # Intermediate CA directory
+certs = $dir/certs # Certificates directory
+crl_dir = $dir/crl # CRL directory
+new_certs_dir = $dir/newcerts # New certificates directory
+database = $dir/index.txt # Certificate index file
+serial = $dir/serial # Serial number file
+RANDFILE = $dir/private/.rand # Random number file
+private_key = $dir/private/intermediate.key.pem # Intermediate CA private key
+certificate = $dir/certs/intermediate.cert.pem # Intermediate CA certificate
+crl = $dir/crl/intermediate.crl.pem # Intermediate CA CRL
+crlnumber = $dir/crlnumber # Intermediate CA CRL number
+crl_extensions = crl_ext # CRL extensions
+default_crl_days = 30 # Default CRL validity days
+default_md = sha256 # Default message digest
+preserve = no # Preserve existing extensions
+email_in_dn = no # Exclude email from the DN
+name_opt = ca_default # Formatting options for names
+cert_opt = ca_default # Certificate output options
+policy = policy_loose # Certificate policy
+
+[ policy_loose ] # Policy for less strict validation
+countryName = optional # Country is optional
+stateOrProvinceName = optional # State or province is optional
+localityName = optional # Locality is optional
+organizationName = optional # Organization is optional
+organizationalUnitName = optional # Organizational unit is optional
+commonName = supplied # Must provide a common name
+emailAddress = optional # Email address is optional
+
+[ req ] # Request settings
+default_bits = 2048 # Default key size
+distinguished_name = req_distinguished_name # Default DN template
+string_mask = utf8only # UTF-8 encoding
+default_md = sha256 # Default message digest
+x509_extensions = v3_intermediate_ca # Extensions for intermediate CA certificate
+
+[ req_distinguished_name ] # Template for the DN in the CSR
+countryName = CH
+stateOrProvinceName = State or Province Name
+localityName = Locality Name
+0.organizationName = Organization Name
+organizationalUnitName = Organizational Unit Name
+commonName = Common Name
+emailAddress = Email Address
+
+[ v3_intermediate_ca ] # Intermediate CA certificate extensions
+subjectKeyIdentifier = hash # Subject key identifier
+authorityKeyIdentifier = keyid:always,issuer # Authority key identifier
+basicConstraints = critical, CA:true, pathlen:0 # Basic constraints for a CA
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign # Key usage for a CA
+
+[ crl_ext ] # CRL extensions
+authorityKeyIdentifier=keyid:always # Authority key identifier
+
+[ server_cert ] # Server certificate extensions
+basicConstraints = CA:FALSE # Not a CA certificate
+nsCertType = server # Server certificate type
+keyUsage = critical, digitalSignature, keyEncipherment # Key usage for a server cert
+extendedKeyUsage = serverAuth # Extended key usage for server authentication purposes (e.g., TLS/SSL servers).
+authorityKeyIdentifier = keyid,issuer # Authority key identifier linking the certificate to the issuer's public key.
+authorityInfoAccess = OCSP;URI:http://ocsp.openquantumsafe.org
+
+[ ocsp ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = OCSPSigning
diff --git a/providers/oqs-provider/check.sh b/providers/oqs-provider/check.sh
new file mode 100755
index 00000000..4488a1d7
--- /dev/null
+++ b/providers/oqs-provider/check.sh
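Review bot: `dir = /root/oqsCA/intermediateCA` in `[ CA_default ]` of ca.cnf hard-codes root's home directory, while gen.sh in this same patch builds the tree under `~/oqsCA`, so the two only agree when the scripts run as root. Deriving the path from the environment, `dir = $ENV::HOME/oqsCA/intermediateCA`, would let the generator run as an unprivileged user. ta.cnf has the same issue with `dir = /root/oqsCA/rootCA`. A short comment above `dir` noting that gen.sh removes and recreates this directory on every run would also help.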
@@ -0,0 +1,193 @@
+#!/bin/bash
+
+#set -x
+
+function check_dir() {
+
+ # We want to check that the needed structures
+ # are all in place
+ DIR=$1
+
+ # Checks if we have the PEM version of the RootCA
+ if ! [ -f "$DIR/ta/ta.pem" ]; then
+
+ # Checks for the RootCA in DER format
+ if [ -f "$DIR/ta/ta.der" ] ; then
+
+ # Providing the PEM version of the RootCA
+ echo "Converting $DIR/ta/ta.der to $DIR/ta/ta.pem ... "
+ openssl x509 -inform DER -in "$DIR/ta/ta.der" -out "$DIR/ta/ta.pem"
+ if [ $? -gt 0 ] ; then
+ echo
+ echo "ERROR: Cannot convert $DIR/ta/ta.der into PEM format"
+ echo
+ exit 1
+ fi
+ fi
+ fi
+
+ # Checks if we have the PEM version of the
+ # Intermediate CA
+ if ! [ -f "$DIR/ca/ca.pem" ]; then
+
+ # Checks for the RootCA in DER format
+ if [ -f "$DIR/ca/ca.der" ] ; then
+ # Converts the DER into PEM
+ openssl x509 -inform DER -in "$DIR/ca/ca.der" -out "$DIR/ca/ca.pem"
+ if [ $? -gt 0 ] ; then
+ echo
+ echo "ERROR: Cannot convert $DIR/ca/ca.der into PEM format"
+ echo
+ exit 1
+ fi
+ fi
+ fi
+
+ # Checks if we have the PEM version of the
+ # EE cert
+ if ! [ -f "$DIR/ee/cert.pem" ]; then
+ # Checks for the EE cert in DER format
+ if [ -f "$DIR/ee/cert.der" ] ; then
+ # Converts the DER into PEM
+ openssl x509 -inform DER -in "$DIR/ee/cert.der" -out "$DIR/ee/cert.pem"
+ if [ $? -gt 0 ] ; then
+ echo
+ echo "ERROR: Cannot convert $DIR/ee/cert.der into PEM format"
+ echo
+ exit 1
+ fi
+ fi
+ fi
+
+}
+
+check() {
+
+ # Extracts the argument
+ DIR=$1
+ result=""
+
+ # Change directory
+ if ! [ -d "$DIR" ] ; then
+ #echo "ERROR: missing dir $DIR"
+ echo "N,N,N,N,N,N"
+ return
+ fi
+
+ # Change Directory
+ cd "$DIR"
+
+ # Baseline test whether TA cert is well formed
+ openssl x509 -in ta/ta.pem -text -noout 2>/dev/null > /dev/null
+ if [ $? -ne 0 ]; then
+ #echo "No suitable ta/ta.pem found."
+ echo "N,N,N,N,N,N"
+ return
+ fi
+ # Baseline test whether TA cert is self-signed
+ openssl verify -CAfile ta/ta.pem ta/ta.pem 2>/dev/null >/dev/null
+ if [ $? -ne 0 ]; then
+ #echo "ta/ta.pem not self-signed."
+ echo "N,N,N,N,N,N"
+ return
+ fi
+ # Checking for some parsing errors
+ openssl x509 -in ta/ta.pem -text -noout | grep error 2>/dev/null > /dev/null
+ if [ $? -ne 0 ]; then
+ #echo "No error parsing TA certificate in $1";
+ # Extracting algorithm name
+ openssl x509 -in ta/ta.pem -text -noout | grep "Public Key Algorithm" 2>&1 > /dev/null
+ if [ $? -ne 0 ]; then
+ echo "N,N,N,N,N,N"
+ return
+ fi
+ # Verifying cert chain TA->CA
+ openssl verify -CAfile ta/ta.pem ca/ca.pem 2>/dev/null >/dev/null
+ if [ $? -ne 0 ]; then
+ #echo "Error verifying $1/ca/ca.pem"
+ echo "Y,N,N,N,N,N"
+ return
+ #else
+ # echo "cert chain TA->CA verified for $1"
+ fi
+ else
+ #echo "Error parsing TA certificate in $1"
+ echo "N,N,N,N,N,N"
+ return
+ fi
+
+ # From this point on we know TA & CA are OK, so we collect specific test results
+ ee_csr="N"
+ ta_crl="N"
+ ca_crl="N"
+
+ # Now check EE
+ # First create cert chain
+ cat ca/ca.pem ta/ta.pem > ca-chain.pem
+ # then verify
+ openssl verify -CAfile ca-chain.pem ee/cert.pem 2>/dev/null > /dev/null
+ if [ $? -ne 0 ]; then
+ #echo "Error verifying $1/ee/cert.pem"
+ ee_crt="N"
+ else
+ ee_crt="Y"
+ fi
+
+ if [ -f ee/cert.csr ]; then
+ # EE CSR check
+ openssl req -verify -in ee/cert.csr 2>/dev/null > /dev/null
+ if [ $? -eq 0 ]; then
+ ee_csr="Y"
+ fi
+ fi
+
+ if [ -f crl/crl_ta.crl ]; then
+ # TA CRL check
+ openssl crl -verify -in crl/crl_ta.crl -CAfile ta/ta.pem 2>/dev/null >/dev/null
+ if [ $? -eq 0 ]; then
+ ta_crl="Y"
+ fi
+ fi
+
+ if [ -f crl/crl_ca.crl ]; then
+ # CA CRL check
+ openssl crl -verify -in crl/crl_ca.crl -CAfile ca-chain.pem 2>/dev/null >/dev/null
+ if [ $? -eq 0 ]; then
+ ca_crl="Y"
+ fi
+ fi
+
+ # TODO: How to check OCSP artifact(s)??
+
+ echo "Y,Y,${ee_crt},${ee_csr},${ta_crl},${ca_crl}"
+ cd ..
+}
+
+ if [ $# -ne 1 ]; then
+ echo "No target directory to check provided. Exiting."
+ exit -1
+ else
+ pushd $1 >/dev/null 2>/dev/null
+ fi
+ #echo "Checking in $(pwd)"
+ if [ ! -d "artifacts" ]; then
+ echo "No artifacts found. Exiting."
+ exit -1
+ fi
+ cd artifacts
+ echo "key_algorithm_oid,ta,ca,ee,csr,crl_ta,crl_ca"
+ for oid_folder in *; do
+
+ target=${oid_folder}
+
+ # Executing the Check Script
+ check_dir "${target}"
+ if [ $? -ne 0 ]; then
+ echo "${target},N,N,N,N,N,N"
+ else
+ result=$(check "${target}")
+ echo "${target},${result}"
+ fi
+
+ done
+ popd 2>/dev/null >/dev/null
diff --git a/providers/oqs-provider/check_r3.sh b/providers/oqs-provider/check_r3.sh
new file mode 100755
index 00000000..2fe12a46
--- /dev/null
+++ b/providers/oqs-provider/check_r3.sh
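Review bot: check_dir in check.sh calls `exit 1` when a DER-to-PEM conversion fails, so one bad artifact ends the whole run. The `if [ $? -ne 0 ]` branch in the main loop that prints `${target},N,N,N,N,N,N` can never be taken, because check_dir otherwise always returns 0 as far as this hunk shows. Replacing the three `exit 1` lines with `return 1` lets the loop record the failure and continue with the next OID folder. The "Converting …" and "ERROR: …" messages also go to stdout, where they mix into the CSV; sending them to stderr with `>&2` keeps the report parseable. check_cert in check_r3.sh follows the same `exit 1` pattern.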
@@ -0,0 +1,88 @@
+#!/bin/bash
+
+#set -x
+
+function check_cert() {
+
+ # We want to check that the needed structures
+ # are all in place
+ CERT=$1
+
+ # Checks if we have the PEM version of the RootCA
+ if ! [ -f "$CERT.pem" ]; then
+
+ # Checks for the RootCA in DER format
+ if [ -f "$CERT.der" ] ; then
+
+ # Providing the PEM version of the RootCA
+ # echo "Converting $CERT.der to $CERT.pem ... "
+ openssl x509 -inform DER -in "$CERT.der" -out "$CERT.pem"
+ if [ $? -gt 0 ] ; then
+ echo
+ echo "ERROR: Cannot convert $CERT.der into PEM format"
+ echo
+ exit 1
+ fi
+ fi
+ fi
+}
+
+check() {
+
+ # Extracts the argument
+ PEM=$1
+
+ # Baseline test whether TA cert is well formed
+ openssl x509 -in $PEM -text -noout 2>/dev/null > /dev/null
+ if [ $? -ne 0 ]; then
+ # echo "${PEM} not suitable."
+ echo "N"
+ return
+ fi
+ # Baseline test whether TA cert is self-signed
+ openssl verify -CAfile $PEM $PEM 2>/dev/null >/dev/null
+ if [ $? -ne 0 ]; then
+ echo "N"
+ # echo "${PEM} not self-signed."
+ return
+ fi
+ # Checking for some parsing errors
+ openssl x509 -in $PEM -text -noout | grep error 2>/dev/null > /dev/null
+ if [ $? -ne 0 ]; then
+ #echo "No error parsing TA certificate in $1";
+ # Extracting algorithm name
+ openssl x509 -in $PEM -text -noout | grep "Public Key Algorithm" 2>&1 > /dev/null
+ if [ $? -ne 0 ]; then
+ echo "N"
+ return
+ fi
+ else
+ echo "N"
+ # echo "Error parsing ${PEM}"
+ return
+ fi
+
+ echo "Y"
+ cd ..
+}
+
+ if [ $# -ne 1 ]; then
+ echo "No target directory to check provided. Exiting."
+ exit -1
+ else
+ pushd $1 >/dev/null 2>/dev/null
+ fi
+ #echo "Checking in $(pwd)"
+ if [ ! -d "artifacts" ]; then
+ echo "No artifacts found. Exiting."
+ exit -1
+ fi
+ cd artifacts
+ echo "key_algorithm_oid,test_result"
+ for oid_folder in 1*_ta.*; do
+ target=$(echo $oid_folder | sed -r "s/(.*)_ta.*/\1/g")
+ check_cert "${target}_ta"
+ result=$(check "${target}_ta.pem")
+ echo "${target},${result}"
+ done
+ popd 2>/dev/null >/dev/null
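Review bot: `check` passes `$PEM` unquoted to every `openssl` call (`openssl x509 -in $PEM …`, `openssl verify -CAfile $PEM $PEM`), and the main loop does the same with `pushd $1` and `echo $oid_folder`, so an artifact name containing whitespace or glob characters is split or expanded before openssl sees it. Because the artifacts directory is supplied by the caller, these should be quoted: `openssl x509 -in "$PEM" -text -noout` and `pushd "$1"`. The glob `1*_ta.*` matches both `<oid>_ta.der` and `<oid>_ta.pem`, so an OID that ships both formats gets two result rows. The trailing `cd ..` in `check` looks like a leftover from check.sh, since this function never changes directory.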
diff --git a/providers/oqs-provider/ee.cnf b/providers/oqs-provider/ee.cnf
new file mode 100644
index 00000000..efb0eb4b
--- /dev/null
+++ b/providers/oqs-provider/ee.cnf
@@ -0,0 +1,232 @@
+#
+# OpenSSL example configuration file.
+# See doc/man5/config.pod for more info.
+#
+# This is mostly being used for generation of certificate requests,
+# but may be used for auto loading of providers
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+DEFAULT_GROUPS = kyber768
+
+# Use this in order to automatically load providers.
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_sect
+ssl_conf = ssl_sect
+
+[ssl_sect]
+system_default = system_default_sect
+
+[system_default_sect]
+Groups = $ENV::DEFAULT_GROUPS
+
+
+# List of providers to load
+[provider_sect]
+default = default_sect
+oqsprovider = oqsprovider_sect
+
+[default_sect]
+activate = 1
+[oqsprovider_sect]
+activate = 1
+
+# activate = 1
+
+
+####################################################################
+[ ca ]
+default_ca = CA_default # The default ca section
+
+####################################################################
+[ CA_default ]
+
+dir = ./demoCA # Where everything is kept
+certs = $dir/certs # Where the issued certs are kept
+crl_dir = $dir/crl # Where the issued crl are kept
+database = $dir/index.txt # database index file.
+#unique_subject = no # Set to 'no' to allow creation of
+ # several certs with same subject.
+new_certs_dir = $dir/newcerts # default place for new certs.
+
+certificate = $dir/cacert.pem # The CA certificate
+serial = $dir/serial # The current serial number
+crlnumber = $dir/crlnumber # the current crl number
+ # must be commented out to leave a V1 CRL
+crl = $dir/crl.pem # The current CRL
+private_key = $dir/private/cakey.pem # The private key
+
+x509_extensions = usr_cert # The extensions to add to the cert
+
+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt = ca_default # Subject Name options
+cert_opt = ca_default # Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
+# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
+# so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
+# crl_extensions = crl_ext
+
+default_days = 365 # how long to certify for
+default_crl_days= 30 # how long before next CRL
+default_md = default # use public key default MD
+preserve = no # keep passed DN ordering
+
+# A few difference way of specifying how similar the request should look
+# For type CA, the listed attributes must be the same, and the optional
+# and supplied fields are just that :-)
+policy = policy_match
+
+# For the CA policy
+[ policy_match ]
+countryName = match
+stateOrProvinceName = match
+organizationName = match
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+# For the 'anything' policy
+# At this point in time, you must list all acceptable 'object'
+# types.
+[ policy_anything ]
+countryName = optional
+stateOrProvinceName = optional
+localityName = optional
+organizationName = optional
+organizationalUnitName = optional
+commonName = supplied
+emailAddress = optional
+
+####################################################################
+[ req ]
+default_bits = 2048
+default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+x509_extensions = v3_ca # The extensions to add to the self signed cert
+
+string_mask = utf8only
+
+#req_extensions = v3_req # The extensions to add to a certificate request
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_default = AU
+countryName_min = 2
+countryName_max = 2
+
+stateOrProvinceName = State or Province Name (full name)
+stateOrProvinceName_default = Some-State
+
+localityName = Locality Name (eg, city)
+
+0.organizationName = Organization Name (eg, company)
+0.organizationName_default = Internet Widgits Pty Ltd
+
+# we can do this but it is not needed normally :-)
+#1.organizationName = Second Organization Name (eg, company)
+#1.organizationName_default = World Wide Web Pty Ltd
+
+organizationalUnitName = Organizational Unit Name (eg, section)
+#organizationalUnitName_default =
+
+commonName = Common Name (e.g. server FQDN or YOUR name)
+commonName_max = 64
+
+emailAddress = Email Address
+emailAddress_max = 64
+
+# SET-ex3 = SET extension number 3
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
+
+unstructuredName = An optional company name
+
+[ usr_cert ]
+
+# These extensions are added when 'ca' signs a request.
+
+# This goes against PKIX guidelines but some CAs do it and some software
+# requires this to avoid interpreting an end user certificate as a CA.
+
+basicConstraints=CA:FALSE
+
+# This is typical in keyUsage for a client certificate.
+# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+# PKIX recommendations harmless if included in all certificates.
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid,issuer
+
+# This stuff is for subjectAltName and issuerAltname.
+# Import the email address.
+# subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move
+
+# Copy subject details
+# issuerAltName=issuer:copy
+
+# This is required for TSA certificates.
+# extendedKeyUsage = critical,timeStamping
+
+[ v3_req ]
+
+# Extensions to add to a certificate request
+
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+
+[ v3_ca ]
+
+
+# Extensions for a typical CA
+
+
+# PKIX recommendation.
+
+subjectKeyIdentifier=hash
+
+authorityKeyIdentifier=keyid:always,issuer
+
+basicConstraints = critical,CA:true,pathlen:1
+
+# Key usage: this is typical for a CA certificate. However since it will
+# prevent it being used as an test self-signed certificate it is best
+# left out by default.
+keyUsage = cRLSign, keyCertSign
+
+# Include email address in subject alt name: another PKIX recommendation
+# subjectAltName=email:copy
+# Copy issuer details
+# issuerAltName=issuer:copy
+
+# DER hex encoding of an extension: beware experts only!
+# obj=DER:02:03
+# Where 'obj' is a standard or added object
+# You can even override a supported extension:
+# basicConstraints= critical, DER:30:03:01:01:FF
+
+[ crl_ext ]
+
+# CRL extensions.
+# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
+
+# issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
diff --git a/providers/oqs-provider/gen.sh b/providers/oqs-provider/gen.sh
new file mode 100755
index 00000000..8064b253
--- /dev/null
+++ b/providers/oqs-provider/gen.sh
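Review bot: Nothing in this patch passes ee.cnf to `-config`; gen.sh and gen_r3.sh reference only ta.cnf and ca.cnf, and the EE certificate is issued from the `[ server_cert ]` section of ca.cnf. If the file is kept, its header should name what consumes it, for example a line such as `# Used by: <script or command>`, instead of the stock `# OpenSSL example configuration file.` text. Without that, the unmodified demo sections (`dir = ./demoCA`, `policy_match`) read as if they governed the generated artifacts.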
@@ -0,0 +1,147 @@ +#!/bin/bash + +set -e + +# be sure to not add wrapped pubkeys: +unset DRAFT_MASSIMO_LAMPS_PQ_SIG_CERTIFICATES_00 + +# Parameter1: Name of algorithm to create a CA hierarchy for +# Parameter2: Directory containing cnf files +do_cas() { + # clean up: + rm -rf ~/oqsCA + # Prepare persistent data structures + # For rootCA (TA) + mkdir -p ~/oqsCA/rootCA/{certs,crl,newcerts,private,csr} + echo 1000 > ~/oqsCA/rootCA/serial + echo 0100 > ~/oqsCA/rootCA/crlnumber + touch ~/oqsCA/rootCA/index.txt + + # For intermediate CA (CA) + mkdir -p ~/oqsCA/intermediateCA/{certs,crl,newcerts,private,csr} + echo 1000 > ~/oqsCA/intermediateCA/serial + echo 0100 > ~/oqsCA/intermediateCA/crlnumber + touch ~/oqsCA/intermediateCA/index.txt + + # Create TA keys and cert + openssl req -x509 -config $2/ta.cnf -new -newkey $1 -extensions v3_ca -keyout ~/oqsCA/rootCA/private/ca.key.pem -out ~/oqsCA/rootCA/certs/ca.cert.pem -nodes -subj "/CN=OQS TA" + + # Create CA keys and cert + openssl req -config $2/ca.cnf -new -newkey $1 -keyout ~/oqsCA/intermediateCA/private/intermediate.key.pem -out ~/oqsCA/intermediateCA/certs/intermediate.csr.pem -nodes -subj "/CN=OQS CA" + openssl ca -batch -config $2/ta.cnf -extensions v3_intermediate_ca -days 365 -notext -in ~/oqsCA/intermediateCA/certs/intermediate.csr.pem -out ~/oqsCA/intermediateCA/certs/intermediate.cert.pem + chmod 444 ~/oqsCA/intermediateCA/certs/intermediate.cert.pem + openssl verify -CAfile ~/oqsCA/rootCA/certs/ca.cert.pem ~/oqsCA/intermediateCA/certs/intermediate.cert.pem + + # Create cert bundle for EE cert verification + cat ~/oqsCA/intermediateCA/certs/intermediate.cert.pem ~/oqsCA/rootCA/certs/ca.cert.pem > ~/oqsCA/intermediateCA/certs/ca-chain.cert.pem + openssl verify -CAfile ~/oqsCA/intermediateCA/certs/ca-chain.cert.pem ~/oqsCA/intermediateCA/certs/intermediate.cert.pem + + # Create server keys and cert (EE) + openssl req -config $2/ca.cnf -new -newkey $1 -keyout ~/oqsCA/intermediateCA/private/ee.key.pem -out 
~/oqsCA/intermediateCA/csr/ee.csr.pem -nodes -subj "/CN=OQS EE" + openssl ca -batch -config $2/ca.cnf -extensions server_cert -days 375 -notext -in ~/oqsCA/intermediateCA/csr/ee.csr.pem -out ~/oqsCA/intermediateCA/certs/ee.cert.pem + + # Verify server cert + openssl verify -CAfile ~/oqsCA/intermediateCA/certs/ca-chain.cert.pem ~/oqsCA/intermediateCA/certs/ee.cert.pem + # Revoke cert + openssl ca -batch -config $2/ca.cnf -revoke ~/oqsCA/intermediateCA/certs/ee.cert.pem + + # Create CRLS for TA and CA + openssl ca -batch -config $2/ca.cnf -gencrl -out ~/oqsCA/intermediateCA/crl/intermediate.crl.pem + openssl ca -batch -config $2/ta.cnf -gencrl -out ~/oqsCA/rootCA/crl/root.crl.pem + + # Create OSCP keys and cert + openssl req -config $2/ca.cnf -new -newkey $1 -keyout ~/oqsCA/intermediateCA/private/ocsp.key.pem -out ~/oqsCA/intermediateCA/csr/ocsp.csr.pem -nodes -subj "/CN=ocsp.openquantumsafe.org" + openssl ca -batch -config $2/ca.cnf -extensions ocsp -days 375 -notext -in ~/oqsCA/intermediateCA/csr/ocsp.csr.pem -out ~/oqsCA/intermediateCA/certs/ocsp.cert.pem +} + +gen() { + + # Function to generate the ta/, ca/, and ee/ + # directories and X.509 key + req + cert. + # + # Additionally it also creates the crl/ and + # ocsp/ directories. 
+ ALGORITHM=$1 + BASE_DIR=$2 + ROOT_DIR=$3 + + do_cas $ALGORITHM $ROOT_DIR + # Generates the artifact directories + mkdir -p $BASE_DIR/{ta,ca,ee,crl,ocsp} + + # Extract the artifacts to the correct locations + + # TA: + cp ~/oqsCA/rootCA/certs/ca.cert.pem $BASE_DIR/ta/ta.pem + cp ~/oqsCA/rootCA/private/ca.key.pem $BASE_DIR/ta/ta_priv.pem + + # Also generate DER for private key + openssl pkcs8 -topk8 -inform PEM -outform DER -in $BASE_DIR/ta/ta_priv.pem -out $BASE_DIR/ta/ta_priv.der -nocrypt + # Also generate cert in DER + openssl x509 -in $BASE_DIR/ta/ta.pem -out $BASE_DIR/ta/ta.der -outform DER + + # CA: + cp ~/oqsCA/intermediateCA/certs/intermediate.cert.pem $BASE_DIR/ca/ca.pem + cp ~/oqsCA/intermediateCA/private/intermediate.key.pem $BASE_DIR/ca/ca_priv.pem + + # Also generate DER for private key + openssl pkcs8 -topk8 -inform PEM -outform DER -in $BASE_DIR/ca/ca_priv.pem -out $BASE_DIR/ca/ca_priv.der -nocrypt + # Also generate cert in DER + openssl x509 -in $BASE_DIR/ca/ca.pem -out $BASE_DIR/ca/ca.der -outform DER + + # EE: + cp ~/oqsCA/intermediateCA/certs/ee.cert.pem $BASE_DIR/ee/cert.pem + cp ~/oqsCA/intermediateCA/private/ee.key.pem $BASE_DIR/ee/cert_priv.pem + cp ~/oqsCA/intermediateCA/csr/ee.csr.pem $BASE_DIR/ee/cert.csr + + # Also generate DER for private key + openssl pkcs8 -topk8 -inform PEM -outform DER -in $BASE_DIR/ee/cert_priv.pem -out $BASE_DIR/ee/cert_priv.der -nocrypt + # Also generate cert in DER + openssl x509 -in $BASE_DIR/ee/cert.pem -out $BASE_DIR/ee/cert.der -outform DER + + # CRLs + openssl crl -inform PEM -in ~/oqsCA/rootCA/crl/root.crl.pem -outform DER -out $BASE_DIR/crl/crl_ta.crl + openssl crl -inform PEM -in ~/oqsCA/intermediateCA/crl/intermediate.crl.pem -outform DER -out $BASE_DIR/crl/crl_ca.crl + + # Start OCSP responder and retrieve response + openssl ocsp -port 2560 -text -index ~/oqsCA/intermediateCA/index.txt -CA ~/oqsCA/intermediateCA/certs/ca-chain.cert.pem -rkey ~/oqsCA/intermediateCA/private/ocsp.key.pem -rsigner 
~/oqsCA/intermediateCA/certs/ocsp.cert.pem -nrequest 1 & + sleep 1 + openssl ocsp -CAfile ~/oqsCA/intermediateCA/certs/ca-chain.cert.pem -url http://127.0.0.1:2560 -respout $BASE_DIR/ocsp/ocsp_cert.der -issuer ~/oqsCA/intermediateCA/certs/intermediate.cert.pem -cert ~/oqsCA/intermediateCA/certs/ee.cert.pem +} + +runandlog() { + cd oqsprovider/artifacts && gen $1 $2 ../.. >> ../../log 2>&1 && cd ../.. + echo "$1 done..." +} + + rm -rf log + + mkdir -p oqsprovider/artifacts + + # Classic/baseline test: + runandlog ed448 1.3.101.113 + + # Dilithium + runandlog dilithium2 1.3.6.1.4.1.2.267.7.4.4 + runandlog dilithium3 1.3.6.1.4.1.2.267.7.6.5 + runandlog dilithium5 1.3.6.1.4.1.2.267.7.8.7 + + # Falcon + runandlog falcon512 1.3.9999.3.6 + runandlog falcon1024 1.3.9999.3.9 + + # Sphincs+ + runandlog sphincssha2128fsimple 1.3.9999.6.4.13 + runandlog sphincssha2128ssimple 1.3.9999.6.4.16 + runandlog sphincssha2192fsimple 1.3.9999.6.5.10 + runandlog sphincssha2192ssimple 1.3.9999.6.5.12 + runandlog sphincssha2256fsimple 1.3.9999.6.6.10 + runandlog sphincssha2256ssimple 1.3.9999.6.6.12 + runandlog sphincsshake128fsimple 1.3.9999.6.7.13 + runandlog sphincsshake128ssimple 1.3.9999.6.7.16 + runandlog sphincsshake192fsimple 1.3.9999.6.8.10 + runandlog sphincsshake192ssimple 1.3.9999.6.8.12 + runandlog sphincsshake256fsimple 1.3.9999.6.9.10 + runandlog sphincsshake256ssimple 1.3.9999.6.9.12 + +echo "All data successfully generated." diff --git a/providers/oqs-provider/gen_r3.sh b/providers/oqs-provider/gen_r3.sh new file mode 100755 index 00000000..b4de81fb --- /dev/null +++ b/providers/oqs-provider/gen_r3.sh 
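Review bot: In `runandlog` of gen.sh, `gen` runs inside an `&&` list (`cd oqsprovider/artifacts && gen $1 $2 ../.. >> ../../log 2>&1 && cd ../..`), and bash ignores `set -e` for commands executed in that context, including those inside the called function. A failing `openssl` step in `do_cas` or `gen` therefore does not stop the script; when `gen` returns non-zero, `cd ../..` is skipped, "$1 done..." is still printed, later algorithms start from the wrong directory, and the run still ends with "All data successfully generated.". Running the steps as separate statements restores abort-on-error: `cd oqsprovider/artifacts`, then `gen "$1" "$2" ../.. >> ../../log 2>&1`, then `cd ../..`. Separately, the background `openssl ocsp -port 2560` responder is synchronised only by `sleep 1`, so a slow start makes the client request fail.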
@@ -0,0 +1,47 @@
+#!/bin/bash
+
+set -e
+
+# be sure to not add wrapped pubkeys:
+unset DRAFT_MASSIMO_LAMPS_PQ_SIG_CERTIFICATES_00
+
+runandlog() {
+ ALG=$1
+ OID=$2
+ DIR="./oqsprovider/artifacts"
+ openssl req -x509 -config ta.cnf -new -newkey ${ALG} -extensions v3_ca -out ${DIR}/${OID}_ta.pem -nodes -subj "/CN=OQS TA" >> log 2>&1
+ # openssl req -x509 -config ta.cnf -new -newkey ${ALG} -extensions v3_ca -keyout ${DIR}/${OID}_key.pem -out ${DIR}/${OID}_ta.pem -nodes -subj "/CN=OQS TA" >> log 2>&1
+ echo "${ALG} done..."
+}
+
+ rm -rf log
+
+ mkdir -p oqsprovider/artifacts
+
+ # Classic/baseline test:
+ runandlog ed448 1.3.101.113
+
+ # Dilithium
+ runandlog dilithium2 1.3.6.1.4.1.2.267.7.4.4
+ runandlog dilithium3 1.3.6.1.4.1.2.267.7.6.5
+ runandlog dilithium5 1.3.6.1.4.1.2.267.7.8.7
+
+ # Falcon
+ runandlog falcon512 1.3.9999.3.6
+ runandlog falcon1024 1.3.9999.3.9
+
+ # Sphincs+
+ runandlog sphincssha2128fsimple 1.3.9999.6.4.13
+ runandlog sphincssha2128ssimple 1.3.9999.6.4.16
+ runandlog sphincssha2192fsimple 1.3.9999.6.5.10
+ runandlog sphincssha2192ssimple 1.3.9999.6.5.12
+ runandlog sphincssha2256fsimple 1.3.9999.6.6.10
+ runandlog sphincssha2256ssimple 1.3.9999.6.6.12
+ runandlog sphincsshake128fsimple 1.3.9999.6.7.13
+ runandlog sphincsshake128ssimple 1.3.9999.6.7.16
+ runandlog sphincsshake192fsimple 1.3.9999.6.8.10
+ runandlog sphincsshake192ssimple 1.3.9999.6.8.12
+ runandlog sphincsshake256fsimple 1.3.9999.6.9.10
+ runandlog sphincsshake256ssimple 1.3.9999.6.9.12
+
+echo "All data successfully generated."
diff --git a/providers/oqs-provider/ta.cnf b/providers/oqs-provider/ta.cnf
new file mode 100644
index 00000000..ba3eabb0
--- /dev/null
+++ b/providers/oqs-provider/ta.cnf
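Review bot: The active `openssl req -x509 … -nodes` line in `runandlog` of gen_r3.sh has no `-keyout`, and the `[ req ]` section of ta.cnf sets no `default_keyfile`; in that situation `openssl req` writes the new unencrypted private key to standard output, as far as I know, which `>> log 2>&1` then appends to `log`. If the `_r3` artifacts are meant to ship without keys, discard the key explicitly with `-keyout /dev/null`; otherwise restore the commented-out `-keyout ${DIR}/${OID}_key.pem` variant. `${ALG}`, `${DIR}` and `${OID}` should also be double-quoted in the command.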
@@ -0,0 +1,63 @@
+[ ca ] # The default CA section
+default_ca = CA_default # The default CA name
+
+[ CA_default ] # Default settings for the CA
+dir = /root/oqsCA/rootCA # CA directory
+certs = $dir/certs # Certificates directory
+crl_dir = $dir/crl # CRL directory
+new_certs_dir = $dir/newcerts # New certificates directory
+database = $dir/index.txt # Certificate index file
+serial = $dir/serial # Serial number file
+RANDFILE = $dir/private/.rand # Random number file
+private_key = $dir/private/ca.key.pem # Root CA private key
+certificate = $dir/certs/ca.cert.pem # Root CA certificate
+crl = $dir/crl/ca.crl.pem # Root CA CRL
+crlnumber = $dir/crlnumber # Root CA CRL number
+crl_extensions = crl_ext # CRL extensions
+default_crl_days = 30 # Default CRL validity days
+default_md = sha256 # Default message digest
+preserve = no # Preserve existing extensions
+email_in_dn = no # Exclude email from the DN
+name_opt = ca_default # Formatting options for names
+cert_opt = ca_default # Certificate output options
+policy = policy_strict # Certificate policy
+unique_subject = no # Allow multiple certs with the same DN
+
+[ policy_strict ] # Policy for stricter validation
+countryName = optional # Must match the issuer's country
+stateOrProvinceName = optional # Must match the issuer's state
+organizationName = optional # Must match the issuer's organization
+organizationalUnitName = optional # Organizational unit is optional
+commonName = supplied # Must provide a common name
+emailAddress = optional # Email address is optional
+
+[ req ] # Request settings
+default_bits = 2048 # Default key size
+distinguished_name = req_distinguished_name # Default DN template
+string_mask = utf8only # UTF-8 encoding
+default_md = sha256 # Default message digest
+prompt = no # Non-interactive mode
+
+[ req_distinguished_name ] # Template for the DN in the CSR
+countryName = Country Name (2 letter code)
+stateOrProvinceName = State or Province Name (full name)
+localityName = Locality Name (city)
+0.organizationName = Organization Name (company)
+organizationalUnitName = Organizational Unit Name (section)
+commonName = Common Name (your domain)
+emailAddress = Email Address
+
+[ v3_ca ] # Root CA certificate extensions
+subjectKeyIdentifier = hash # Subject key identifier
+authorityKeyIdentifier = keyid:always,issuer # Authority key identifier
+basicConstraints = critical, CA:true, pathlen:1 # Basic constraints for a CA
+keyUsage = critical, keyCertSign, cRLSign # Key usage for a CA
+
+[ crl_ext ] # CRL extensions
+authorityKeyIdentifier = keyid:always,issuer # Authority key identifier
+
+[ v3_intermediate_ca ]
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical, CA:true, pathlen:0
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
From 03cd310095ea25077a8b17f31f901cd930815960 Mon Sep 17 00:00:00 2001
From: Nicola Tuveri
Date: Sat, 2 Nov 2024 18:47:25 +0000
Subject: [PATCH 2/7] [oqs-provider] Split the req and provider configutations
---
providers/oqs-provider/ca.cnf | 12 +++++++++
providers/oqs-provider/ee.cnf | 34 +-------------------------
providers/oqs-provider/oqsprov.cnf | 39 ++++++++++++++++++++++++++++++
providers/oqs-provider/ta.cnf | 12 +++++++++
4 files changed, 64 insertions(+), 33 deletions(-)
create mode 100644 providers/oqs-provider/oqsprov.cnf
diff --git a/providers/oqs-provider/ca.cnf b/providers/oqs-provider/ca.cnf
index 013a1178..3a6fa606 100644
--- a/providers/oqs-provider/ca.cnf
+++ b/providers/oqs-provider/ca.cnf
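Review bot: The comments in `[ policy_strict ]` of ta.cnf contradict the values: `countryName`, `stateOrProvinceName` and `organizationName` are all `optional`, yet each is annotated "Must match the issuer's …". As written the root CA policy requires nothing beyond a supplied `commonName`, the same as `policy_loose` in ca.cnf. Since gen.sh issues subjects that carry only a CN, correcting the comments is probably the right fix, e.g. `countryName = optional # Country is optional`. The comment on `preserve = no` ("Preserve existing extensions") also looks wrong; ee.cnf describes the same option as keeping the passed DN ordering.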
@@ -1,3 +1,15 @@ +# +# OpenSSL example configuration file. +# See doc/man5/config.pod for more info. +# +# This is mostly being used for generation of certificate requests, +# but may be used for auto loading of providers + +# Note that you can include other files from the main configuration +# file using the .include directive. +.include oqsprov.cnf + +#################################################################### [ ca ] # The default CA section default_ca = CA_default # The default CA name diff --git a/providers/oqs-provider/ee.cnf b/providers/oqs-provider/ee.cnf index efb0eb4b..4fe54863 100644 --- a/providers/oqs-provider/ee.cnf +++ b/providers/oqs-provider/ee.cnf @@ -7,39 +7,7 @@ # Note that you can include other files from the main configuration # file using the .include directive. -#.include filename - -# This definition stops the following lines choking if HOME isn't -# defined. -HOME = . -DEFAULT_GROUPS = kyber768 - -# Use this in order to automatically load providers. -openssl_conf = openssl_init - -[openssl_init] -providers = provider_sect -ssl_conf = ssl_sect - -[ssl_sect] -system_default = system_default_sect - -[system_default_sect] -Groups = $ENV::DEFAULT_GROUPS - - -# List of providers to load -[provider_sect] -default = default_sect -oqsprovider = oqsprovider_sect - -[default_sect] -activate = 1 -[oqsprovider_sect] -activate = 1 - -# activate = 1 - +.include oqsprov.cnf #################################################################### [ ca ] diff --git a/providers/oqs-provider/oqsprov.cnf b/providers/oqs-provider/oqsprov.cnf new file mode 100644 index 00000000..8b7f39c7 --- /dev/null +++ b/providers/oqs-provider/oqsprov.cnf 
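Review bot: `.include oqsprov.cnf` in ca.cnf is a relative path, which OpenSSL resolves against the process working directory (or against `OPENSSL_CONF_INCLUDE` when that is set), not against the directory of the including file. gen.sh runs `openssl` from `oqsprovider/artifacts` with `-config ../../ta.cnf`, so the include would presumably not be found there, and to my knowledge a missing include file is skipped without an error, which would leave oqsprovider unactivated. Setting the variable before the first `openssl` call, `export OPENSSL_CONF_INCLUDE=<directory holding oqsprov.cnf>`, makes the lookup independent of the working directory. The same `.include` line is added to ee.cnf and ta.cnf in this commit.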
@@ -0,0 +1,39 @@
+#
+# OpenSSL example configuration file.
+# See doc/man5/config.pod for more info.
+#
+# This is mostly being used for generation of certificate requests,
+# but may be used for auto loading of providers
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+#.include filename
+
+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME = .
+#DEFAULT_GROUPS = kyber768
+
+# Use this in order to automatically load providers.
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_sect
+#ssl_conf = ssl_sect
+
+#[ssl_sect]
+#system_default = system_default_sect
+#
+#[system_default_sect]
+#Groups = $ENV::DEFAULT_GROUPS
+
+
+# List of providers to load
+[provider_sect]
+default = default_sect
+oqsprovider = oqsprovider_sect
+
+[default_sect]
+activate = 1
+[oqsprovider_sect]
+activate = 1
diff --git a/providers/oqs-provider/ta.cnf b/providers/oqs-provider/ta.cnf
index ba3eabb0..cb54b110 100644
--- a/providers/oqs-provider/ta.cnf
+++ b/providers/oqs-provider/ta.cnf
@@ -1,3 +1,15 @@
+#
+# OpenSSL example configuration file.
+# See doc/man5/config.pod for more info.
+#
+# This is mostly being used for generation of certificate requests,
+# but may be used for auto loading of providers
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+.include oqsprov.cnf
+
+####################################################################
 [ ca ] # The default CA section
 default_ca = CA_default # The default CA name
From c582219503ce3b5276945cd83219c9649f375675 Mon Sep 17 00:00:00 2001
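Review bot: The header of the new `oqsprov.cnf` is copied from `ee.cnf` and still says the file is mostly used for generating certificate requests, while the only active settings here are `openssl_conf = openssl_init` and the two provider sections. A one-line header such as `# Provider activation shared by ta.cnf, ca.cnf and ee.cnf via .include` would describe it accurately. The `[ssl_sect]`/`Groups` block and `DEFAULT_GROUPS` were active in `ee.cnf` and are now left behind as commented-out lines; a comment should say why the TLS group default was dropped, or the lines should be deleted, so a reader does not assume `kyber768` is still configured.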
From: Nicola Tuveri Date: Sat, 2 Nov 2024 18:49:12 +0000 Subject: [PATCH 3/7] [oqs-provider] Use `set -eux` in scripts --- providers/oqs-provider/check.sh | 8 ++++---- providers/oqs-provider/check_r3.sh | 8 ++++---- providers/oqs-provider/gen.sh | 2 +- providers/oqs-provider/gen_r3.sh | 6 +++--- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/providers/oqs-provider/check.sh b/providers/oqs-provider/check.sh index 4488a1d7..b18acc55 100755 --- a/providers/oqs-provider/check.sh +++ b/providers/oqs-provider/check.sh @@ -1,6 +1,6 @@ #!/bin/bash -#set -x +set -eux function check_dir() { @@ -62,7 +62,7 @@ function check_dir() { } check() { - + # Extracts the argument DIR=$1 result="" @@ -77,14 +77,14 @@ check() { # Change Directory cd "$DIR" - # Baseline test whether TA cert is well formed + # Baseline test whether TA cert is well formed openssl x509 -in ta/ta.pem -text -noout 2>/dev/null > /dev/null if [ $? -ne 0 ]; then #echo "No suitable ta/ta.pem found." echo "N,N,N,N,N,N" return fi - # Baseline test whether TA cert is self-signed + # Baseline test whether TA cert is self-signed openssl verify -CAfile ta/ta.pem ta/ta.pem 2>/dev/null >/dev/null if [ $? -ne 0 ]; then #echo "ta/ta.pem not self-signed." diff --git a/providers/oqs-provider/check_r3.sh b/providers/oqs-provider/check_r3.sh index 2fe12a46..4ec8bdd8 100755 --- a/providers/oqs-provider/check_r3.sh +++ b/providers/oqs-provider/check_r3.sh @@ -1,6 +1,6 @@ #!/bin/bash -#set -x +set -eux function check_cert() { 
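Review bot: Turning on `set -e` at the top of `check.sh` conflicts with the `openssl ...` followed by `if [ $? -ne 0 ]` pattern visible in the `@@ -77,14 +77,14 @@` hunk: under errexit a failing `openssl x509` or `openssl verify` ends the shell before the `$?` test runs, so the `N,N,N,N,N,N` row may never be printed. Whether that happens depends on how `check` is invoked (bash clears `-e` inside `$(...)` unless `inherit_errexit` is set), and the call site is outside these hunks. Testing the command directly removes the doubt, e.g. `if ! openssl x509 -in ta/ta.pem -text -noout >/dev/null 2>&1; then`. The same applies to `check_r3.sh`, which gets `set -eux` in this patch and has the same `$?` checks; `check_r4.sh` later in the series uses `set -ux` only.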
@@ -28,18 +28,18 @@ function check_cert() { } check() { - + # Extracts the argument PEM=$1 - # Baseline test whether TA cert is well formed + # Baseline test whether TA cert is well formed openssl x509 -in $PEM -text -noout 2>/dev/null > /dev/null if [ $? -ne 0 ]; then # echo "${PEM} not suitable." echo "N" return fi - # Baseline test whether TA cert is self-signed + # Baseline test whether TA cert is self-signed openssl verify -CAfile $PEM $PEM 2>/dev/null >/dev/null if [ $? -ne 0 ]; then echo "N" diff --git a/providers/oqs-provider/gen.sh b/providers/oqs-provider/gen.sh index 8064b253..71119029 100755 --- a/providers/oqs-provider/gen.sh +++ b/providers/oqs-provider/gen.sh @@ -1,6 +1,6 @@ #!/bin/bash -set -e +set -eux # be sure to not add wrapped pubkeys: unset DRAFT_MASSIMO_LAMPS_PQ_SIG_CERTIFICATES_00 diff --git a/providers/oqs-provider/gen_r3.sh b/providers/oqs-provider/gen_r3.sh index b4de81fb..1dd6e4e7 100755 --- a/providers/oqs-provider/gen_r3.sh +++ b/providers/oqs-provider/gen_r3.sh @@ -1,6 +1,6 @@ #!/bin/bash -set -e +set -eux # be sure to not add wrapped pubkeys: unset DRAFT_MASSIMO_LAMPS_PQ_SIG_CERTIFICATES_00 @@ -9,8 +9,8 @@ runandlog() { ALG=$1 OID=$2 DIR="./oqsprovider/artifacts" - openssl req -x509 -config ta.cnf -new -newkey ${ALG} -extensions v3_ca -out ${DIR}/${OID}_ta.pem -nodes -subj "/CN=OQS TA" >> log 2>&1 - # openssl req -x509 -config ta.cnf -new -newkey ${ALG} -extensions v3_ca -keyout ${DIR}/${OID}_key.pem -out ${DIR}/${OID}_ta.pem -nodes -subj "/CN=OQS TA" >> log 2>&1 + openssl req -x509 -config ta.cnf -new -newkey ${ALG} -extensions v3_ca -out ${DIR}/${OID}_ta.pem -nodes -subj "/CN=OQS TA" >> log 2>&1 + # openssl req -x509 -config ta.cnf -new -newkey ${ALG} -extensions v3_ca -keyout ${DIR}/${OID}_key.pem -out ${DIR}/${OID}_ta.pem -nodes -subj "/CN=OQS TA" >> log 2>&1 echo "${ALG} done..." } From c99d6e5d23f11da5497816d83fd8576cc1b3b8a1 Mon Sep 17 00:00:00 2001 
From: Nicola Tuveri Date: Sun, 3 Nov 2024 11:38:29 +0000 Subject: [PATCH 4/7] [oqs-provider] Add `gen_r4.sh` and default to it --- providers/oqs-provider/Makefile | 2 +- providers/oqs-provider/gen.sh | 64 ++++++++++++++++--------- providers/oqs-provider/gen_r4.sh | 82 ++++++++++++++++++++++++++++++++ 3 files changed, 125 insertions(+), 23 deletions(-) create mode 100755 providers/oqs-provider/gen_r4.sh diff --git a/providers/oqs-provider/Makefile b/providers/oqs-provider/Makefile index a4f55068..d6bd65a3 100644 --- a/providers/oqs-provider/Makefile +++ b/providers/oqs-provider/Makefile @@ -11,7 +11,7 @@ PROVIDER_NAME := OQS DIRS := oqsprovider # Script for Generating the artifacts (if any) -GEN_SCRIPT := ./gen.sh +GEN_SCRIPT := ./gen_r4.sh GEN_LOGFILE := logs/generate_log.txt # Script for Verifying the artifacts (if any) diff --git a/providers/oqs-provider/gen.sh b/providers/oqs-provider/gen.sh index 71119029..3a5635d0 100755 --- a/providers/oqs-provider/gen.sh +++ b/providers/oqs-provider/gen.sh 
@@ -121,27 +121,47 @@ runandlog() { # Classic/baseline test: runandlog ed448 1.3.101.113 - # Dilithium - runandlog dilithium2 1.3.6.1.4.1.2.267.7.4.4 - runandlog dilithium3 1.3.6.1.4.1.2.267.7.6.5 - runandlog dilithium5 1.3.6.1.4.1.2.267.7.8.7 - - # Falcon - runandlog falcon512 1.3.9999.3.6 - runandlog falcon1024 1.3.9999.3.9 - - # Sphincs+ - runandlog sphincssha2128fsimple 1.3.9999.6.4.13 - runandlog sphincssha2128ssimple 1.3.9999.6.4.16 - runandlog sphincssha2192fsimple 1.3.9999.6.5.10 - runandlog sphincssha2192ssimple 1.3.9999.6.5.12 - runandlog sphincssha2256fsimple 1.3.9999.6.6.10 - runandlog sphincssha2256ssimple 1.3.9999.6.6.12 - runandlog sphincsshake128fsimple 1.3.9999.6.7.13 - runandlog sphincsshake128ssimple 1.3.9999.6.7.16 - runandlog sphincsshake192fsimple 1.3.9999.6.8.10 - runandlog sphincsshake192ssimple 1.3.9999.6.8.12 - runandlog sphincsshake256fsimple 1.3.9999.6.9.10 - runandlog sphincsshake256ssimple 1.3.9999.6.9.12 + # ML-DSA + runandlog mldsa44 2.16.840.1.101.3.4.3.17 + runandlog mldsa65 2.16.840.1.101.3.4.3.18 + runandlog mldsa87 2.16.840.1.101.3.4.3.19 + + ## Dilithium + #runandlog dilithium2 1.3.6.1.4.1.2.267.7.4.4 + #runandlog dilithium3 1.3.6.1.4.1.2.267.7.6.5 + #runandlog dilithium5 1.3.6.1.4.1.2.267.7.8.7 + + ## Falcon + #runandlog falcon512 1.3.9999.3.6 + #runandlog falcon1024 1.3.9999.3.9 + + ## Sphincs+ + #runandlog sphincssha2128fsimple 1.3.9999.6.4.13 + #runandlog sphincssha2128ssimple 1.3.9999.6.4.16 + #runandlog sphincssha2192fsimple 1.3.9999.6.5.10 + #runandlog sphincssha2192ssimple 1.3.9999.6.5.12 + #runandlog sphincssha2256fsimple 1.3.9999.6.6.10 + #runandlog sphincssha2256ssimple 1.3.9999.6.6.12 + #runandlog sphincsshake128fsimple 1.3.9999.6.7.13 + #runandlog sphincsshake128ssimple 1.3.9999.6.7.16 + #runandlog sphincsshake192fsimple 1.3.9999.6.8.10 + #runandlog sphincsshake192ssimple 1.3.9999.6.8.12 + #runandlog sphincsshake256fsimple 1.3.9999.6.9.10 + #runandlog sphincsshake256ssimple 1.3.9999.6.9.12 + + # 
draft-ietf-lamps-pq-composite-sigs + runandlog mldsa44_pss2048 2.16.840.1.114027.80.8.1.1 + runandlog mldsa44_rsa2048 2.16.840.1.114027.80.8.1.2 + runandlog mldsa44_ed25519 2.16.840.1.114027.80.8.1.3 + runandlog mldsa44_p256 2.16.840.1.114027.80.8.1.4 + runandlog mldsa44_bp256 2.16.840.1.114027.80.8.1.5 + runandlog mldsa65_pss3072 2.16.840.1.114027.80.8.1.6 + runandlog mldsa65_rsa3072 2.16.840.1.114027.80.8.1.7 + runandlog mldsa65_p256 2.16.840.1.114027.80.8.1.8 + runandlog mldsa65_bp256 2.16.840.1.114027.80.8.1.9 + runandlog mldsa65_ed25519 2.16.840.1.114027.80.8.1.10 + runandlog mldsa87_p384 2.16.840.1.114027.80.8.1.11 + runandlog mldsa87_bp384 2.16.840.1.114027.80.8.1.12 + runandlog mldsa87_ed448 2.16.840.1.114027.80.8.1.13 echo "All data successfully generated." diff --git a/providers/oqs-provider/gen_r4.sh b/providers/oqs-provider/gen_r4.sh new file mode 100755 index 00000000..57fbcf2c --- /dev/null +++ b/providers/oqs-provider/gen_r4.sh 
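Review bot: The comment `# draft-ietf-lamps-pq-composite-sigs` introduces thirteen hard-coded OIDs under `2.16.840.1.114027.80.8.1.*` without saying which revision of the draft they were taken from. Draft OID assignments are provisional and can be renumbered between revisions, so artifacts named after them become ambiguous once the draft moves on. I would pin the revision in the comment, e.g. `# draft-ietf-lamps-pq-composite-sigs-<REV> (prototype OIDs as implemented by the oqs-provider build in use)`, and do the same in `gen_r4.sh`, which repeats the list. The statement list this hunk edits starts above the hunk.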
@@ -0,0 +1,82 @@
+#!/bin/bash
+
+set -eux
+
+# be sure to not add wrapped pubkeys:
+unset DRAFT_MASSIMO_LAMPS_PQ_SIG_CERTIFICATES_00
+
+gen() {
+
+ # Function to generate the ta/, ca/, and ee/
+ # directories and X.509 key + req + cert.
+ #
+ # Additionally it also creates the crl/ and
+ # ocsp/ directories.
+ ALGORITHM="$1"
+ OID="$2"
+ DIR="$3"
+
+ NAME="${ALGORITHM}-${OID}"
+
+ openssl req -x509 -config ta.cnf -new -newkey ${ALG} -extensions v3_ca -out ${DIR}/${NAME}_ta.der -outform DER -nodes -subj "/CN=OQS TA"
+}
+
+runandlog() {
+ ALG="$1"
+ OID="$2"
+ DIR="./oqsprovider/artifacts"
+ gen "${ALG}" "${OID}" "${DIR}" >> log 2>&1
+ echo "${ALG} done..."
+}
+
+ rm -rf log
+
+ mkdir -p oqsprovider/artifacts
+
+ # Classic/baseline test:
+ runandlog ed448 1.3.101.113
+
+ # ML-DSA
+ runandlog mldsa44 2.16.840.1.101.3.4.3.17
+ runandlog mldsa65 2.16.840.1.101.3.4.3.18
+ runandlog mldsa87 2.16.840.1.101.3.4.3.19
+
+ ## Dilithium
+ #runandlog dilithium2 1.3.6.1.4.1.2.267.7.4.4
+ #runandlog dilithium3 1.3.6.1.4.1.2.267.7.6.5
+ #runandlog dilithium5 1.3.6.1.4.1.2.267.7.8.7
+
+ ## Falcon
+ #runandlog falcon512 1.3.9999.3.6
+ #runandlog falcon1024 1.3.9999.3.9
+
+ ## Sphincs+
+ #runandlog sphincssha2128fsimple 1.3.9999.6.4.13
+ #runandlog sphincssha2128ssimple 1.3.9999.6.4.16
+ #runandlog sphincssha2192fsimple 1.3.9999.6.5.10
+ #runandlog sphincssha2192ssimple 1.3.9999.6.5.12
+ #runandlog sphincssha2256fsimple 1.3.9999.6.6.10
+ #runandlog sphincssha2256ssimple 1.3.9999.6.6.12
+ #runandlog sphincsshake128fsimple 1.3.9999.6.7.13
+ #runandlog sphincsshake128ssimple 1.3.9999.6.7.16
+ #runandlog sphincsshake192fsimple 1.3.9999.6.8.10
+ #runandlog sphincsshake192ssimple 1.3.9999.6.8.12
+ #runandlog sphincsshake256fsimple 1.3.9999.6.9.10
+ #runandlog sphincsshake256ssimple 1.3.9999.6.9.12
+
+ # draft-ietf-lamps-pq-composite-sigs
+ runandlog mldsa44_pss2048 2.16.840.1.114027.80.8.1.1
+ runandlog mldsa44_rsa2048 2.16.840.1.114027.80.8.1.2
+ runandlog mldsa44_ed25519 2.16.840.1.114027.80.8.1.3
+ runandlog mldsa44_p256 2.16.840.1.114027.80.8.1.4
+ runandlog mldsa44_bp256 2.16.840.1.114027.80.8.1.5
+ runandlog mldsa65_pss3072 2.16.840.1.114027.80.8.1.6
+ runandlog mldsa65_rsa3072 2.16.840.1.114027.80.8.1.7
+ runandlog mldsa65_p256 2.16.840.1.114027.80.8.1.8
+ runandlog mldsa65_bp256 2.16.840.1.114027.80.8.1.9
+ runandlog mldsa65_ed25519 2.16.840.1.114027.80.8.1.10
+ runandlog mldsa87_p384 2.16.840.1.114027.80.8.1.11
+ runandlog mldsa87_bp384 2.16.840.1.114027.80.8.1.12
+ runandlog mldsa87_ed448 2.16.840.1.114027.80.8.1.13
+
+echo "All data successfully generated."
From c7703b6aa84fed90dc1baf2d9887128b301b2c92 Mon Sep 17 00:00:00 2001
From: Nicola Tuveri
Date: Sun, 3 Nov 2024 13:44:51 +0000
Subject: [PATCH 5/7] [oqs-provider] Add check_r4.sh and default to it
---
 providers/oqs-provider/Makefile | 6 +-
 providers/oqs-provider/check_r4.sh | 159 +++++++++++++++++++++++++++++
 2 files changed, 162 insertions(+), 3 deletions(-)
 create mode 100755 providers/oqs-provider/check_r4.sh
diff --git a/providers/oqs-provider/Makefile b/providers/oqs-provider/Makefile
index d6bd65a3..bb442515 100644
--- a/providers/oqs-provider/Makefile
+++ b/providers/oqs-provider/Makefile
@@ -15,7 +15,7 @@ GEN_SCRIPT := ./gen_r4.sh
 GEN_LOGFILE := logs/generate_log.txt
 # Script for Verifying the artifacts (if any)
-VERIFY_SCRIPT := ./check.sh
+VERIFY_SCRIPT := ./check_r4.sh
 VERIFY_LOGFILE := logs/verify_log.txt
 # Time
@@ -98,8 +98,8 @@ verify: requirements/verify
 echo "[ $(PROVIDER_NAME) ] Product: $$i" ; \
 echo "PRODUCT : $$i" >> "$(VERIFY_LOGFILE)" ; \
 echo >> "$(VERIFY_LOGFILE)" ; \
- result=`$(VERIFY_SCRIPT) "$$i" 2>&1 >> "$(VERIFY_LOGFILE)" `; \
- echo $$result >> "$(VERIFY_LOGFILE)" ; \
+ result=`$(VERIFY_SCRIPT) "$$i" 2>>"$(VERIFY_LOGFILE)" | tee -a "$(VERIFY_LOGFILE)"`; \
+ echo "$$result" >> "$(VERIFY_LOGFILE)" ; \
 echo >> "$(VERIFY_LOGFILE)"; \
 done ; \
 echo "----- END PROVIDER $(PROVIDER_NAME) -----" >> $(VERIFY_LOGFILE); \
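Review bot: `gen()` in the new `gen_r4.sh` stores its first argument in `ALGORITHM` but the `openssl req` line passes `-newkey ${ALG}`, which only works because `runandlog` sets the global `ALG` before calling it; under `set -u` any other caller aborts on an unbound variable. Use the function's own parameter and quote the expansions: `-newkey "${ALGORITHM}"` and `-out "${DIR}/${NAME}_ta.der"`. The command also uses `-nodes` with no `-keyout` while `runandlog` redirects stdout to `log`; depending on the OpenSSL version and on whether `ta.cnf` sets `default_keyfile` (not visible here), the unencrypted private key may end up in that log or in a default key file, so if the key is meant to be discarded say so with `-keyout /dev/null`. The header comment about creating `ta/`, `ca/`, `ee/`, `crl/` and `ocsp/` directories does not match what the function does and should be reduced to the single TA certificate it writes.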
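Review bot: In the `verify` recipe the script's stdout now reaches the log twice: `tee -a "$(VERIFY_LOGFILE)"` appends it, and the captured `result` is appended again by `echo "$$result" >> "$(VERIFY_LOGFILE)"`. The pipe into `tee` also replaces the script's exit status with `tee`'s, so a failing `$(VERIFY_SCRIPT)` cannot be told apart from a passing one inside the loop. Dropping `tee` keeps a single copy and the real status: `result=$$($(VERIFY_SCRIPT) "$$i" 2>>"$(VERIFY_LOGFILE)"); \`. The recipe starts and ends outside the hunk.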
diff --git a/providers/oqs-provider/check_r4.sh b/providers/oqs-provider/check_r4.sh
new file mode 100755
index 00000000..22a727dc
--- /dev/null
+++ b/providers/oqs-provider/check_r4.sh
@@ -0,0 +1,159 @@
+#!/bin/bash
+
+set -ux
+
+_check_ta_cert() {
+ local FILE="$1"
+
+ # Baseline test whether TA cert is well formed
+ openssl x509 -in "$FILE" -inform DER -text -noout >&2
+ if [ $? -ne 0 ]; then
+ echo "N"
+ echo "${FILE} not suitable." >&2
+ return
+ fi
+
+ # Print raw ASN structure
+ OPENSSL_CONF=/dev/null openssl asn1parse -inform DER -in "$FILE" -dump >&2
+
+ # Baseline test whether TA cert is self-signed
+ openssl verify -CAfile "$FILE" "$FILE" >&2
+ if [ $? -ne 0 ]; then
+ echo "N"
+ echo "${FILE} not self-signed." >&2
+ return
+ fi
+
+ # Checking for some parsing errors
+ openssl x509 -in "$FILE" -inform DER -text -noout | grep error >&2
+ if [ $? -ne 0 ]; then
+ echo "No error parsing TA certificate in $FILE" >&2
+ # Extracting algorithm name
+ openssl x509 -in "$FILE" -inform DER -text -noout | grep "Public Key Algorithm" >&2
+ if [ $? -ne 0 ]; then
+ echo "N"
+ echo " No error extracting algorithm name from $FILE" >&2
+ return
+ fi
+ else
+ echo "N"
+ echo "Error parsing ${FILE}" >&2
+ return
+ fi
+
+ echo "Y"
+}
+
+_check_ee_cert() {
+ local FILE="$1"
+ local TAFILE="$2"
+
+ # TODO: this needs to be implemented yet!
+ echo "Verifying $FILE against $TAFILE... SKIPPED" >&2
+ echo "SKIPPED"
+}
+
+check_ta_cert() {
+ local FILE="$1"
+
+ local FRNAME="$(echo "$FILE" | sed -r "s/^(.*)-(.*)_ta\.der$/\1/")"
+ local OID="$(echo "$FILE" | sed -r "s/^(.*)-(.*)_ta\.der$/\2/")"
+
+ local result=$(_check_ta_cert "${FILE}")
+ echo "${OID},${result}"
+}
+
+declare -A _EE_to_TA_map
+EE_to_TA_map() {
+ local EEOID="$1"
+ local TAOID="${_EE_to_TA_map[$OID]:-Unknown}"
+
+ local TAFILE=""
+
+ if [[ "$TAOID" == "Unknown" ]]; then
+ TAFILE="${TAOID}_ta.der"
+ else
+ TAFILE="$(ls "*-${TAOID}_ta.der" 2>/dev/null)"
+ fi
+
+ echo "$TAFILE"
+}
+
+check_ee_cert() {
+ local FILE="$1"
+
+ local FRNAME="$(echo "$FILE" | sed -r "s/^(.*)-(.*)_ee\.der$/\1/")"
+ local OID="$(echo "$FILE" | sed -r "s/^(.*)-(.*)_ee\.der$/\2/")"
+
+ local TAFILE="$(EE_to_TA_map "$OID")"
+ if [[ ! -f "$TAFILE" ]]; then
+ echo "Cannot find $TAFILE to verify $FILE" >&2
+ echo "${OID},SKIPPED"
+ return
+ fi
+
+ local result=$(_check_ee_cert "${FILE}" "${TAFILE}")
+ echo "${OID},${result}"
+}
+
+check_hybta_cert() {
+ local FILE="$1"
+
+ local COMPNAME="$(echo "$FILE" | sed -r "s/^(.*)-(.*)_with_(.*)_ta.der$/\1/")"
+ local OID1="$(echo "$FILE" | sed -r "s/^(.*)-(.*)_with_(.*)_ta.der$/")"
+ local OID2="$(echo "$FILE" | sed -r "s/^(.*)-(.*)_with_(.*)_ta.der$/")"
+
+ local result=$(_check_ta_cert "${FILE}")
+ echo "${COMPNAME}-${OID1}_with_${OID2},${result}"
+}
+
+check_r4_dir() {
+ local DIR="$1"
+
+ echo "Checking in ${DIR}/artifacts" >&2
+ pushd "$DIR" >/dev/null 2>/dev/null
+
+ if [ ! -d "artifacts" ]; then
+ echo "No artifacts found. Exiting."
+ exit -1
+ fi
+ cd artifacts
+
+ local TAs=() # self-signed cert for signature alg oids
+ local EEs=() # ex.: ML-KEM-512 - signed with ML-DSA-44
+ local hybTAs=() # ex.: catalyst_1.2.840.10045.4.3.2_with_1.3.6.1.4.1.2.267.12.4.4_ta.der
+ for i in *_ta.der; do
+ if [[ -f "$i" ]]; then
+ if [[ "$i" =~ _with_ ]]; then
+ hybTAs+=("$i")
+ else
+ TAs+=("$i")
+ fi
+ fi
+ done
+ for i in *_ee.der; do
+ if [[ -f "$i" ]]; then
+ EEs+=("$i")
+ fi
+ done
+
+ echo "key_algorithm_oid,test_result"
+ for cert in "${TAs[@]}"; do
+ check_ta_cert "$cert"
+ done
+ for cert in "${EEs[@]}"; do
+ check_ee_cert "$cert"
+ done
+ for cert in "${hybTAs[@]}"; do
+ check_hybta_cert "$cert"
+ done
+
+ popd 2>/dev/null >/dev/null
+}
+
+if [ $# -ne 1 ]; then
+ echo "No target directory to check provided. Exiting."
+ exit -1
+else
+ check_r4_dir "$1"
+fi
From f77259679c5d6010972ca8943afee4549520663f Mon Sep 17 00:00:00 2001
From: Nicola Tuveri
Date: Sun, 3 Nov 2024 14:05:10 +0000
Subject: [PATCH 6/7] [oqs-provider] Add artifacts_certs_r4.zip
---
 providers/oqs-provider/artifacts_certs_r4.zip | Bin 0 -> 94851 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 providers/oqs-provider/artifacts_certs_r4.zip
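Review bot: In `check_hybta_cert` the two `sed` expressions for `OID1` and `OID2` end at `..._ta.der$/` with no replacement part, so as shown `sed` rejects them and both variables stay empty; because the script runs without `set -e`, every hybrid row is still printed, with an empty OID pair in front of the result. They should mirror the `COMPNAME` line, ending in `_ta\.der$/\2/` for `OID1` and `_ta\.der$/\3/` for `OID2`, with the dot escaped as in `check_ta_cert`. `EE_to_TA_map` has a related slip: it stores `$1` in `EEOID` but indexes the map with `$OID`, which only resolves through the caller's `local OID`, so it should read `${_EE_to_TA_map[$EEOID]:-Unknown}`. The quoted glob in `ls "*-${TAOID}_ta.der"` is passed to `ls` literally and will not match any file.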
diff --git a/providers/oqs-provider/artifacts_certs_r4.zip b/providers/oqs-provider/artifacts_certs_r4.zip new file mode 100644 index 0000000000000000000000000000000000000000..b5ba085533c821c4fe14049d9adf5c080c0aac20 GIT binary patch literal 94851 zcma&ML$D}Z)MR;W8}Hh-ZQHhO+qP}nwr$(C)nARe{)(uM9^~+xNltdISn^W9ASeI; z01yBM_C^{fuux9=fB*m){{;i!AApH5Gc!9411%FR13d#R0|S$uvjMHKiKB`#Bmi(q zAeq_!ii+wnh8G3PrqI;yeJ@>y)Gf5pdg^3AR?e4zyKxP3gpai z=@5n`b|X@twV&AU>W!va?Uj2~apoaIO-a#XoW!X@?|`7MsqgZ2g_rTg{AzkQ} zbw|#~ohEHe=jCJDW&}@4EjwPD!0qqFYsf56y9rL0!ZuwilkPkJOB3{{5ijYQ2&=jz z^!nCPUvB9&Qd(%!knTwCZug3x{P+ixjoTcC-zo zq=TnA5C%a0e>7Ipnw=N`4*-z=Ur7IJ%*NW-$$*)ehLM(mm6n~Ep7y`m{;Q6Omid2` z$oBuEKbsUYcI?=;v4r7WLeUDOVM+$8Dw!C zS)2?>JW5pyI9VY{5@|^oV$z8GLNK5Mm_z43e1A*?ewojC42LmgRNt%+Q9()Vf3y^| zplQKTTEA_{?|2`1s)YQCe`oagK*KU9U)VaGmSH;8NQ1Arn~>Z_9?hZzJmvSbc_%7v z4ysmC4Jo0d7%UJ=g{)W)LgRFfQDgPNj(-YvsF{>1lIB|J;x5->9=xvwxShzeF;uO0 zYl6?OTizd^;%qOFSB6LLx%GLH`QmtW?V8HKeKtfOdaoF?1$_VDsxU8duA!=>3 zltBq;n__vm!X2=?EMGbH!%4wnfG2^>Bw6y%sF>b*m8-)Z{x^`kAjlu7y0k3ft1Hre zB+UcJj=@d+?6~tOTC4AveydQcj`JCZQ}4g~9~)%~DY{$-`w&^iJm<@Dzslu4Ywpv)Lx2UGrPcU1KkU*z+?CFlkJ2CejfE-tM_QKc97rd!nI^H3ie~l;{_P4EQBFjL5`U-|PoZc1~wB zQ3SJ=^Rz2Y6};UmI1#YebALkKFt?G+PS$|sMxg6wwiNcc)048^zMmSuu$((d?~E8! 
z9*UfB(DDbcw?WHxL;PB67X(WJ1bRfcxDvf0?b>6WcDKCU9R%(8bC5)sQ}c69tWD~EL6 z$jASPf8h33)-toT97fC~$T)jHnMTBW8SkJP* z&ZJ5^` z6baF5v{pB=dV=u@>WKXw_3q^dU`9#zjzmz2Gdf0%VNXH;nEb}1E8~h>^X8>O9mBT) zI%iO({S0{-EM!G52TBo7S$)dZ0sSlJt(Lll6C{h`@}J^{{8c}3c8p2(*KqM1;ANB2 z96=9j-1(q^1Mh7LAvmmC+WnP0vIv#FKRlBmyQ(p|3h@Z*!SB1N!Hfx>#5wnxkl$Xy zv|@nsK#|uxQy~E*P|Npj$!Yy&?t63c(n3M3Gysk zs8oL~L>A_a_e;HD+BEY4XgT&?5hPk=AYHJ>Fj6~xEhH<{bA;JwRcJGCYsuE>!C?is zOQUm-@^^KlNHxI&s2u1lfm(NtZaWrJ5$!{Z0enEEkM|9+__?C>btxw)^^H5zo)3bCZ#YHL{O@^uwWk$}M0v>j>?_v7t zOPBzdEL>llToDVwQ2ykwNt|1{8pLUBly?=BZxkxFMaaOuDLlA{COW`kW`sy;#O->j zTOoe6ZXxFRZs#|tn#)#*Yo~?9>9meAy`u1W42%xe5Hk0wFj(<&8At<5BEo33@4Q3D z0j*p1197m*$eHP06&VFEg+6*4+X??O@O(Qpj#C}~ov(li4C24PBQP*$_VQ0cGp|Sh z6$yBP>**gk$O*?9yb%hHe=LpPMRUXL)EhaWvKtP)GH4|Wp=&ek z1u)!+y*I!B7ol>NANuG{%wTw71FXE;+4X1YP_7IBD7`z+tcYoR?GUMPz6;aG%vfJD z4_3AWX1yiX?eSun;-!G}=;k(PKTLL)cJjPh%qab`v&zhg9UR8{;#QN#tPhK=Jy#po z>~)vbireSjx=mcP=xp%q{&FAbMPQm8bu8?izbJC?5{$9s_9>{$S+X0TmTil4ZZoOEZg;= zT$|#Lj{i+Lkcc-W`Y&^7I*ds*OqZ~PVJAUz8CeEhIOAFukPMTII)Mp~$6tW02P>=F zonlWPj)l+zw(f>;s&4x`kayNe1PMV?sWg$%;V1(2<%o-$Qjm2D4Q61F>6+RZy$&Y` z`k8im40FbIDWM=_4Y)6Kesj=U>~=II{*t&^qEaG9#DS!5&Cd}0W1CIxhU6~ER{YZB z_T*N&Xfg}is0VZjKxN*Q6qVBGbb~s0AkwD6I|Pyda*q#BwDYwjC!FBZiHb}pOCw%x ztHtD3ba3Y-Y{i%30i#K6+Qj-;oK&D-61ZI6gcu(dVYp-@KcK^HPF88}&+{bs9G2-A zOETrEw7~v1F~%s!*i2wIDWk(EXbVMA{n}oYS$GpY!|6F^u{UGm_rAMUp1xGLV2?1s z(#p*2=H0ebLTfF)QCmVZ`!{%h$xLoGoX3m?21V=ErbHzuVQee%U(VT5G<$^r)I~4EruIC>R6q6i^B(}(4ya(xN7zep^5R6F>&a;iTe>#!M940jK}h*(wM4!Y&Y*iIB{$n#W#!~y9%VA zs_h2PUUfB21yyG2UDIa?ceHzS?$WD8V_=MnO$ zUT&i>n%}rpG=Wq$LM#2w{)9H00euNemPTzi&kvEQ#Du( zleJpiThi1b*oVZv5l_jfu`%dt|0wonp!ga7XKA1(!P}aBZRMHPdNLswM=t+t8_mlM zFoTWq{tZh+Se^ljpHgmsYeY46rGtKRE$e~X5v^HKDC<6R1@}2}& zXyslU$C;owtiGw)LxwZRTvJUEY4f3N;D9y>FrT`d7&+a|7Q8)9Ur?l*<3!@87WFY{ zLg2STNpuh=cm=SiMFp=t-XjRJ#$v`gKUE*=(RtQ`!xur3iVwdq{@Rw|iT_aWIdTNQ zq~zZ@#>-6a>H0r~`m4F>lwCVf5YU@3x0Jg&unxM|qF0Uxw>!BsyE}}p-j|)UQg$q8 zunu2KCNV>|#!OskKFrRrl4nw-u>c`f@Z&KW@nA5(4wkm 
zbr>Kb2%J{m>9)rbEwUyOIhd6f?QtJK)sc1SFo>oO<+_}@t_5)qS+~5eStMVVh+T#V zCH3`}NsmZ{jLy3(a=RssD{>E};i&yzsIY)mHtaT{mxN^#5-2%aQXMytH&|X#UcqhF zo`nS#Z}XFL>_6JRdfYa6Ag96Lk)y=jVpBhj9Ww1jCa0(EBozi>Zs`7E)8zxSI9UmH z+o8P9_YhH&;}zc=J_3ZFyTTrt+E2azIq;=LVHeO4008*@3*G-a@bwJs8Ch8W$ING7 zre|cMWv8cQ|8MlO{O?OY^*>7Uzw&>O8XFZed~BFCR6^D1%_7ki%Y^($C`)Eb<(O7e zp$fEy64Pr$$(mLIR~wO;OCcMUz;uD=P0Ks1mR{byxVy2p-nTiPvu&rlIVXYw={NiW z{3>fGM*t2EsyoADUKE7#wz-AjA=OMiIRe)cm;&$x4KYh#!asJNQZRYJ^nz$Vl1MUs zDEjgKdG-Ed-eXSip6GulPzfQE0>%W4r+-o=zj429De{x?e{Si7$%`S^b+`BE5Qzjk z)LAUS>Y&Z!Z?B7~sbr_E$Ud=#pflvrbzC2aB*Y@j6Z$QT^+;|Sl?_$fhTq}`=;L5N zR;Yzr&g1oC&$<7e8($Wb{Ky#XZUJ$P6~_>(s`=|XcKFdt|0SC3pzjRqa=deA1c`mJ z>M$Fm#6W5+$g06f#t3Gld&^~`HpNmg6}St(4U|29eGlbJX2&|$%DxY zzru05YC|H#CUIW}{2n)rx3+LzuP&oUR$OzWfY`qrg)B(7u&;2yIyS!%XT0d+m*}=e1k(UsBghJ*1R-N^$`Z zU5e>+AsI02bhA36-RziC-ZisY-s7juW;rk@93d z7znN%xUSEeX;|%GF}$+GP)y|&WGVI6lDF3H;C$8Jv)+hsEsHzxKT(^OrBViT`8R65 zWFsxqWOYwaOKEGVE=^E?;+{pY@|QTT!|n~lh?cYmk>Z&??C2Z13a$6wc@JQEi)MOss_eh(n*A3Y?O~~FC`YvPMC&Y@b=5h_3 z@@%84y(OqZN*&xIFXDXX?Q--8| zyC>cJXgavg9Xv+CKa1ggI5~l)G&X+SGLV0fFe)wbZa)4@Q8Tg)etN0z(vEEAQli3x zp3Rk{df`$0sokiP11F`PzMEz(^L*}-7fdLOgd$hL@D4Xs%-he=kIZr11lGRErnpD5 z{Ay<+=-YHqokiwW`3=i;)l)o1rKf8sc6t4x)*&SFOo>%0{i4J73#oEzQ|j%yY!hFY zn&Kf{!%ytF`$SW+>v&jffg^3M*^$xd@?rFkm{>wno`?~pYE*BypPi>DUkBcoM~tYC zoYhO>j$W&Z#JQg|t}ZW|w2YO*XwAK3`VWSj0e9FAn)7Mr%*)1WFD+GPlw`bLclWU%`%5tY0JKkR{@pqB$@}M8 zEo?;zmkj>$A7z6O)vDcuRJIU>4PSWAt)+ApQnpL}ZDEoB|>V1iC$N zYuJQzhs3$Hb{DwOUQ_>BfY+^B4gdBgXhR|}L_p#Q&Pd7ro6>M~m7R>NrzM^WIj_2- zDKdEUOQ7N|%I3Py20v)O%SV*)FTq_0{--Vsx%YI?nr622%dCEhY$xE{P_W)vBSSvL z_he?f`;Q9JE*f_EqfV;#ad|(e@NqxZ!x0acMzPOW@VGr7&W}t&*7i?b$o7-o8O{cO z*2Hk*i9gDvalahAd9ab6sFa@RHo-&+w0juFYXfKsm$?a7$Rx|feC}Z1O_oj#be{^% zC-+k&0sbSQFQP1Q<|#0vE*Ip7yB`KqIimmKxAX8!Q z6kb|)ADjG=y6sj58iJ}!`ck79;_FPrxSExlPN#~rMPb?{pmGiqFkSlGXI(T6N+gKz z62@?UQfpmPyp@Ut6vp~b{#$@g^d%8KkL9s>&eBFif`UM!?y&UQ@rEG32t3lnvAp?Ai+r-6;xQ9Me9 zvrf)u9Bw(nxjoEAz(yg{-;au-KK)#ZNcqgSld2c)hA 
z_zdoQMS5gobfk7Xw5J8NlNG`L+yx0B+jre`5U(eUl)rONzs9zS9)AogC&)#+?iOo6 zxWW!yN!Pw>4xyx>Jj1$OseSij6XbtbjrdJ#Woyi?L_z(ygF?-h5ZJur;sLfUm9rv5 zC+Uv}x(=Dw5pKRbj|8lKbQ0^|S;lxJQqq|QtH0ik09rMo$9q?I1Ne(PF&n@(YJR^G zibkTMdEZ2j&GHdWIo^kNJkV1(J1@Sr+<&ZOX*a{$jwqrTQK(suXpP}o;>^lf6-wJb zt9u~=ll{M03y6Dc=6uOhS*^%**Y8uyOED5AskeZ6vW;kxH{RA`d%A4ys+f<_iVRa$ z6pGyO_|sK43PxTM3tMG!i?fW;D5GC)iffk57kQfEAkyOb><&5|im#0o#?iwSY22ZmZ9Cc4sXh+>hh%XKfOQ;Bpz)J0VdQcL(2#u{CCbLc~pn}0U zuMpAihYU``mtUfFE>{=0z%C2DSFs}DyR|@5`q&9ALuy`5kNGyX-h14=bv^;h0x%ip z6!#iVHYTh1+~>4>Lq6yROJX(BVfSrK=Fsyqn%_VF>8|>lu4G|Bu~knIj8^d(DB;Nk zW-d1mufEo+h(vF?q-WMjhtd(-BkuMF6;hr%($TTkOEvqoe+HdUOoORy2Fu{TWor>TT`Txdj>#w zBZY!+`ki4lK4v1VAPCEupN&Ost-{oJGkq4`thLVASNB`0U%(Km_n2jZN#}665wzq$ zRd3&0XQWc;GpC<+`6s<*zN!REajXi=u2I__qLrTGY}q3X2KLx7h@& zBJO!?Bf}Ef02OK(3umv~w6yJBr$0k>?1~Ec_55~**E~GrgO}WNGHb*CrjE{X6!99& z^G*>pDk>37a?8-+@AatI@hZq(WIrEd3th!ph-#udlu&GwqnAcU)==qOTOco}J69e@w}slgt8(K)-7D&{MF{=T z{)Z_2Fejt5Ot%)T%De`Rxph-Sm}bd?Q$dc+=uDNKyDC)7$_}-@^p>*Y^(uo|OAa2h z7LVKG79liQf56zaU|(@SZLHh$x*EKy8?t<}lF;ZGY}EyEjiibTB`y3zV428mSsN>w z`bEKLNMzsZNoWTBox*SlE!WL3$6v?l!|23aJ2S3RuG&du6iUs~HR||wa^{(FH!4I1C&5nC zJv0w7MVIJUE)GBT*hv&&(W0@Vd|H$4Nbj+><+o}Q94L08GWM>J!T070JZPxiWsUFx zjWluB!9ty+DmS7LW$AjW4=1;5q!Ka$#|Lqzqx?06f9kaNXRjBVF*IzN1bw59;N2^2 zegclxHe|z67CzURxPEtg;50lWY;MJb=Mx>wSw`0p)CQzS>Arof$C41|OL5RINQ=ks zNf>-75a_3MK^earVakDOQS5MC2&Ek9mke?suN16gL6isiA>RV(vYTHugo2&8)11Qblrgg=Oj(! 
zFj*k|ql4+KKNL$EOIT;}7x}U%QRh6|aSIidCSvp3LHT6q==S1YW>vVi6@bT_ZIp!U z+l@lyBDyJ}vMdmNki5Q{km9qZI$`?ji2NB|nvJFePCAyX{RD9e64Gr+M#cS_}$x0s&p`DZgg zv(`M5i^U|OQfUh=OWmz}TJ}zU5TjIbm6Ii)ks@V@YgtweK`@lT0vgUZs#vBygI{jS9)suPSRy|A7=d7)TIz z5`%eBtOlQ%INn?t9!E?r?lgQxtFv(v;wQ`UR-?9rRV_d#?hGqIK{wD4`@k- zgU49h+t616&p_WJ?=m*@!^w)x4W8K`p4mrqXn>@s&`^>?xnaoAn4xbdu^>TfmcO3RA5vfAYls<73zH=yVf?|SQt3|?*QU|s3QM20Fk1?j{?&ax>1svcnc@snU;uhaeFHwEEu0W8iERv z8XHog)Y(N0B7lehqRr1)%*E^Y@iRNp!G6}4>5=DQM!N?%G*RAf&%FU;jSm1(+&Ja& z6ZJqXDG|moLg?Y#&VvH}0wWzL2J({+_iq2Bi3idTmLw$pM`(@w&)Sfi2bhS}2$UY0 zCL$aI1PCo8JV0cCF!hf}OrvTO)=93+$xRuPW)D!#6H6!m?1Ei(GR~VoHe015yYXabxG%C~yYN5Z z9ZtmNT(Yk_+DzLrn^E|aJuTm>aygOypUidnr{6m7irz#CfFJ&&958sUxyU8$BCTd# zccW>}TGNL)oO?4KZKC`DH0W|6FV>?LG^$OmJsgrMcE@ugM(Zo1#HdadY9Cepf(p0# z3_E0Nhg{uY^?9WkFYg9~UW*WOU)jXMa5#x&nJ`%J0^PoBxP}(hb(?YZ_hI4TBKHT5 z83SXyOQO%)8tn$u#WA3H;r<0pE0?W#?DyAb=PiN3cO$kM(G*`fSEb%`Q=58{)KB)+ zjqdfR>#Kys*xwk+Q(TquBk|g|ltpPNu>jxj)O zSKor}KiaOqw3J;W!%1&7yUpJhit(&rXTE&&*biQ(;fb;#KXOL9ofg~3yL#4Hu}E*T zgq_oVx)QPRLbumvPZ*$g$W-QJN@K6PR^ui9PuSF)JVM*4vppnd9G|)EM@1;fL}*ZVpN_jB zGs#zznuUThE%Y<9>tIOy+&xx>K78p`rgWt5@0mqq(SGOfa~-{|7gpJsNtTHOl6k6X z4!Hlqfs-}Qs=Qa_BaU|Fj>6bze%#QaR?m)bu{mTvTo0vjrbvDNJL2VQ@@oOjV6A06 zKU1(V6Tq9%jI#DQu9xi7xf43Pe%fwLczwZtHQbuAn&V6ae)6drYz%5W+%-8LQ?>Bh zX;OS}th&_m`)lw`wZt<{sTw-ZVOaVfinQm+lytq{s&M&rosTc;;=dM*pe>@WS-6k?1 zsX?w@=K;#Ty3qg!`@Z5_Qq;@`=*N3Avu2#5OP;bFGoIf7?co*L0(4YqRG?5KQMOga zl8aj4D&`^tjKORBLAK8u?N0 z;1jFEeXRdt!qqTNPO*up#d~WGk^Nq}4iNsNhn`}SN|CyX?wAV}R-}}c?O{{M{A)O({ zTHc+jD?kMklSG5l<(n5He5lDyVuEsw)B zD*tnkw@o93wx6K#m-+K0J@?s+OB$B8S&tyuHTj;gZ4$X>0l|I!R2kBEc=Jt9yz6G| zN}cvHh`q7X@ZS`@2QJxf7O2{=Tvy5W4!6GDXVM;fX*^WhPt!l`Ynb|m2m=e7^ib9m z)65D6@2}lxv2rYD&Yo}rH2ra#jt~Mbh5Wh$i}Zs{2IvQdgNS}>0{{fLFY?2@=z}@C z+v@-FrBR1c9X``U%hIzFP)KI6a9eH$HHqGzrV{il~%9p%;+`0qn~4gC8I~&VG0-* zntpZN40(X58E-$v5nf-8VEy1#h9q7X6?sv8Q*HA*%;b;zU{k$6+x3QUvQ-KyM{Yd= z$J!E+Txy^0xf+6%?3P5Jy5sfuwTcZ8*^p4uYyl~A$T+U0gNW17BX{HhICKiPB*e!sd+*MwT5$_~m4mhfR8Xd|ZHlf+nddQh$BSF)Fr 
z?J{^QYQI5+?MnZ*q0|5}7ZOQl4;=J9b$);omUIy?ZOm%Ya}!QcssLg_aB!a%5`FXIs+b*X6leWW`lKLh79yqw5n zl$+n`c@znG_FYF=2A(;3KuyZn(&9s)j_u&4UOhj7yb`*_5;@`-!af^?F`dsJGA96J zx1)r!JJ!C|n@KXB)fsKI^SLNhHXi#9npA8>QwVb$b+21YO>J(QBB=EnGlmyMdQ=ae z0;qfICCPD6ck^b@v+;?!ae2hzasCKGSW0&l{2!*3@8#H>*JXDZ@S@Uy_DpVI4t0=v zuBV&?S4;XCsj7g!3?c%Uz2pxi&XAPtIb{LG)^e?3rZ5$hks2(mQ9NzwLgFbM zW#W9y;6Mk5{xazh3PUaN%)CHh}>VBnz(a z-hn*PoG>S8i=Qz|nvHfuLcY;4a!&GcYfg;mc}LC0{aG zc^isLL96o(w<#|+V3SGC>W_}2(yFx9q&A9kL5<3@)U)&=2qsAb(xZUw73;~9`?t$- zq1>|HAkt%%18_qLL0~aNrj%1@lWC&W8ydCiA_>Od8!E|J7?)A5;d6|6NHeTs7+f6H zZWnzn{tnApG+eW{5d^?j`>%VxA-46ae?W|3Dfue(!UewSIRN+EG{K;wVYZEIwjA{h zi30scNwTdM-FB!U*luB@8hl3Bx`x#u30(4yP3E9*O@q_|7%R4_{)>5l;#!qyuIo<5Z&%HBIkT4> zW0np1v(=6L&dH-;e5h&8NY#U&>2v_(@Pc>A-rd4YnMwLCFh8*aggZ@8X%<^FGPYh6 zMAnmEXE(NBItST&8@(?P^f`rkzXkGpw+tA`;r_9rBi7G*fl>mA!5#5E*gFXy6BPb( z%#(t`NOXPlIEhhp-UF=i;>k1?H!d}Z#1b9n5L=km(e0Ub<@pDOtO1)i=@GCQD=rVx z_?UJ{#x6v^gr#F~B zhC|w*uEkumNfYN)wo=wGley!;OobfGcFd~po(15uFiH|#l+|~jOBRvAw;~-5h86mT zTD4wne>Qsv>j>&D@B>nc<)<;P4S;?t7#YQ6P#QI!WzC)PMRL=i4}$rl2eH`!_6H_c z0rJYllL>`nSa7ClPIYFcrk$;N`I*B@PtVm`$L;24C{nmye|4H^vTAfIAkOI=AtWp> zae(7q~uqhUfDsxLFp6UB@TQ%_dupYx7ux&j}RSj^6-o)-+*o zT;huJTDx`N57+@L-Q<;2)jO$u!4@SA%{Z)?{fHH_;jUa_T1mOTQWjgH7a>oREk1U? zCNxT<0@boa-FzUlv_;=wxluFM`KTctZ-x2e*EfGTH_fk~l9a1X^SUnT0ykfbbPWIz zDfyZzIVe+c1X0i2a5fyH&Fk!x$zne+5S1!PAMtCqpy!S7^YP^pggV#>vuyJLJr^8? 
zkF8p|QlWX-*SSW9%yOlM0NgDew&)-By)nbI~g^SqQwl`ffEn@w4YuGs1!A`mkVj_iv5a~6wPtxYI^_Q_^Q8J7tX20jwe&n8*@ zmQ%Vaj=ABeS+Azx=!^k+3jzz63P#;F{i7RoC-_gVvP87@AvCqh8i}v%3R~=pk(UoJ z`Z}tu9wcd8E3~Y#2S>_ktd(u23vEu`p{p`c8ILhy?G?#*X}WPiLo=mbvHKBn+fVFv zC{ow`=IF2E-IASxnK66AR%Pbt3A)Ry922@@nrso2*0Z&wA4WN|ath$}ZJ3rV_3gqK zMK#IQO>BU;nno5nY62ykWGI{B!2>Z}RukyC+BHH;4q-gRtB`ZQFmysv0($45!IeThDNnllhk19p00qMeo~sKdASdp+S_(>|kQor0%{>b-V+E#iA8h=E z-^8iJh##-&xiEiP2er4+DGF0D1p7YKo#$IznTxd0Vn_!?$W=genE~lRr5VFo4uRwH zdz@IUIu3zZ2ayfN!<*=og<)LXbdj!Wo~=-4W9{%|VXiv{ND=PWM3-B^-NUH|P|aq>U@EbDU#+mApWP&4$tB6gF?D2OhL}GZN+&v zaIiv#GtB+}0UA>G(H8OlgABa?h4y~~4gcSo1M~kc&B25pIU0>bw2c|Lm>5(PQZkGl zY;nds-u40^boo40mA|-)ON@&+EZ><5Ibh-adpGXwsK@PZ+i8~P?Ux%Jq{tgC@F1&i zY-C_`pg=(zh6k|kQf#-q+lOz~d|tn=eGrUrh^!$J%t%bH%N*Gdm|uAi#g9ZA7=V_d zH#HWwsuw6cBv)EkS{;L!k{S#NG$Q>sEAl(+w+|IVci0bSG~}Se=w~J87l^eQtQ=EI zIbTvBk@}I6Ny3=@9N%s7680^bQin!;xm+VhHK^s1S=YH7RJ}|U?2XlMXap7*`VIT8 z`;^BZG3;|foY+=x=lluW|@cn@W}4uyf>2djs?y-9q}hwDqQHcwK?!5G%@lz zL14KpH`VStrL{nFrX`3}b<cOONrBtH1)YV1&@d`~Uf53z$nmH-&q84kF zxe+4m>5(zcc5nVCsIgR;)&ofktuVPXq}lcc#X8*t*lDh@l7d?)HztR%X?HM+xQ)h9 z!B(1gG4YtugPo}zlcj@d{7c5EHb*0QqDPhlv;pWpfB zSa-w`h=Ev%^=~HFtVT;R_s6%j)k54(GneQB{jEam`;Jjx$ zUM=0pQ+~DL<2h&c`3`pN+Pj;EvUaap1_b-_o1(K}Cx_dtsbbvw0s^ zoT4l%LHFvi++KGd0mRbTKZ9nIdq>8H@ZkntQFVUzyPLe6_l(0^I=-coQ$HwK3GvN< zV8ayGv#(J;)Z2|<@JThikR${w-&BL8I#cSmZQ{(()Y9^DPt+rnu7BHfE9#Nrw=m*; z)Mr@o`5sw#@};Z=fcSZd$Q}rU*a1geOnHm{2FOL53`iTMEQ4~#S5%G}a8(RUb;*3`cuY5ADT{NF236x+I{RAV7$A7Q+3 zYlnj@N(WkgjvuM zu-PCnAbC_0n=T!UyU;u?Gxd)6?{D?JJ9P;@i45(??pi&bQ<(l0(oDY0lP2n&b9$!L zh+;H^gI=5wpN@j`Wo?^;ZLIXmir0}>{;8+#T|5VT(B@|-_-rfLY2CPe7NIx8lGGXQ zsxj&Eubx}^9#9$rf_Mc|L-qJelq(aH{o<{P_(9`N1r&uloT6TBB+TsIzB`A*vu&nH>Q+2e|*fgeAw&#pcW^BGbd~^sq9vLTI`sIukZB zG$jOOa#!AMRn-pv)9l^Mb~`@C2F?$=$%~)qoPd=^=$%L)D;0rG5u_-azNE8w(=}YW zs!g7J$`(T~#i$1kL$H&g7Yj@+_W~-_KlTSBo$8d?e;?`I^Nip|K&o#&>JExjLfX#M zPeg3#S>SG<`8W!F?(=9(x6K2WhCAFsMUKUb>2MBTT!2GHtCqC|{JiwqxeC7o-kBy`%KLXr5ha(OF`(GS1X@mhS*`{$vz(V$LR)jOU@*P=Wu2!AbjaaY>e{ 
zx_$lK5My|&*m+x$-Ya)~=S707z9uuIEKX+x-9Vu(z9~&_* z?{hZebZmXfLsM;0FQ)d+ADZw8|4qQOx4O7>;brj2#>+I5zN{R)6KE^{q3SRO5d}SV zUd%y&hY%iL639c)kQ-umlt|CMSjSYh6kWR4+PU4*F5t9`N_o;pBsLB`eKz8qrLnRDhYuyr z9QZoja(`>J1@Wj3c1CI52BM<~wyEwl-;nSplbh7N*wl(mKaklQPX`73QVQR)2b@{5 zuuxq*{Sn8M6ku!2Vd!p=B(Z}@U{sYbBg$vxD)M0me|pQY%7> zg8_#>y+(!QL#Rv3@pmm5tj#eX;EiDJQ$gO(UdEh3cgpr?z=*qN2|A9uwOU^@PQ?n2 z`RJ;vWgBudme+e~d-u+xtN;r$ja#GcQ6JD-I)53$<=ZTvG%PC*bcgV5$pwc(jUHF( z%vAsI!6I)jYTH6%(L|*7lYO?LlaAWWx(FH0E{~Z-C)Ajp4-B90AF?=f22ynQE=U1a zGnCK!4a%<|jQ}4l*mVK!ZqI^a`OG9UW@4uRjd8VMCnmT6%$?fe&*ZR?-JvOvZ+Nke zCfw-6%}L-TUm$#6@P#**+ZNLBpAY)lEe>qQ#AULwDtD05x-@$xqbi_{Pzd7V>e6?v zz4w4GOcfR-_T+{gZM(>?$(VT)4G)xihu9uQAG2WGmCKLMf~1asp<(WxD#KOEcEzh^YT$bv%rGi&uvQOc8oC$9vz2(Qko5%l_P?7l-tyaHgt;0>?0@pOV`o; zSs-5KA+kWYLMp+%%6cGKU$GFd6a8Adm^`$J1Eq27K;6;)Ql#)TCp0~84$G6vY6Ni3 zOUcmOWlv5_*uw?FJ=j&?OCo32wTPsk++*yxTx!z`;I09y(sPT*D&P^T<_cZff!G(T zrUEQb@Er&y#o5-$T-|BTj7YQPj``1vnol(iSn4EcR0BzUIZF}Ns3tE?Q%jz61w3qY z<4OE!=$km}A_!&4{2hQbgVUV^4b&yq2DoBMc@82+bl#v(JrthtI=O7V2&=nG#i8$S zkP(XiJ(V?sFp=GUXf7?xb+yj&=|_bfX%D^59&RNo8fW%&#k)ypefuGB^`z3o-G?4k**ll{D;P ze^o5Va8%B}+KjZR!L-v22w7cIw)Yi0`ViVXEAv4rU@do{&9K}qzdy!6v_yGh<6@+j2r>F(^t;sqTY$#49(>b-DxK3bq5YH%x( z7?P6Vg@WI;Vwo!cQ1$Hbw8N{n$g4M-^^+iZ2kaOP);?LGJmbO6dYiHOpB15Ee{aVf z6KbJyJ*z2*T%D9c#6g-$CD|nK+*(4h>`&CUgPZ4Ndy#XJeC<}uZbu!-#Mu3oh;VhI z-j(d0wsq)>E;86!UBbl3aljh+P+dSM?EiA@ZiUx38Ln1$pH=)e_6yD}=9ugfLaVN>slZ!hsJj;nsvL zP2off+l0a7w{21o>HI8aFRnQQNMOSH3Q9wza-Sbfe%IdfySuNEw?*SlBG)SFALqLV z@QbpPi_z^1t`QuSu1G4|gJhan9>}!YrkFiZvn|>mjr!NE9qY(ZLA%vsz=_3@#w!|E z9CDLAd6XWaVfW;4IdXk7ww@to;RkYA!&b`p`O`H3#s*_-+-~*;vd?O{2&`XZff74F z01CQyo$09!d^F7kFBdP!Kc%XxOY_XmP;ijZvNRXi+M67F#J*F+1*J9SN4Ob}1qJoZ zzBtaZ5_02&G{#WP&;HoTN^C6656H34w}pEt0egQ90#h6`T$fLI^|^f50>X{NQS58f z!|LEEP_mOXWccBkubNdChdo77V;M5bq=YNlSxtJjp3!KEe1jTz3uZDdB(ksS`##YB zJMh38w_H$$2mmngZ~imz;Na}c#PF{S<3EcP{%hlc@jp?-|Im$Lt7fW#0?=rRuEABD zrms7=_^Xu&Z$7zvpiy80hjlYv6-& zM!2J|hlDRW7B}jivsIf>SJ2|Tp(m!s!CtCQ%{$k87vo=?XTNGZopVLu;|N)wh2Gn6 
zSj{v<$IfAonQJhXi1Mh#-N51 zrP&UFIplY@)5$n~eUkiEoxJyMoM^#>k3(c|FpYMDayo((s?5C38VDwuvC`Krsd&dp9@D-7lt&tgl zn2M%#?G>subLeQ^t?Wq0(0NcNrUft4b1Lt>zudgeF(wI|eiU?!ByI#=u*V zKv$mHo?Ixjv0GApi&wNDxy$avcDAp@ugZZ;==1@8bJq2inlRbUCK>KnaZ-^zi1KGq)tAZ9>mp!FdMYUZbI8OH z9uJl@)#g*V$sJScF#Z9z!0}}CRvqs&>mgQHcU?NldR`)j+wjl8(C` zh^jTk_$pWYs@LR+WXpJnW^_)J>|re*eYsPt&gVBgc^FEi$8*1fc&83Un{o;Z4XPfA zPR8nK%_>Cd7rz)P6?U>=w+Bp}qxv+SF>55TO1m87*Hak}*Q6$ew~unbpY7^pt=(@I$U zJl>%|Pd#ZQ>O_}-8u-DG-bVB<9FnPmSr&gzk}!h&$PxVsCRc6O|0RzJxLvMk=A=X6o_ z6|~~Im#-4*u*ab@0 zNm1bwCr$T(kTtu(um}}xF1hKsw7P1?D{aB7AEBwL6VJMEEc_e|7Z~&(Up5D^@p?RhWab(9-5VO z^I0=Yf-SEr2OfxWwlk7=e|NWp`81*=FMaR8LBG*5vBUHrc>JlcQyZTAFw;WnqE4-t zdcc)tlxn1nd;QhhJg->(iI2agUl0EsW&MS+GJ(1JptCusPtHOp$Tjy-{%Ya$+$_t> zhKH%xw=nVwXvnl;Qby;O4)sPn#*q8|`j`YW7Vne&j+F;zp^S{EAfo5RaIxMuGbLpo z@gQkOF}t_psO|j?WQm~^coHbtIfTOpCGh;J1tbwj0RRA>u59O2%m*w9+Rn(+;+evW z@GG?ZgV~w!4;$f@l;i*myb$*s$g_uvoDYvxXU4jf8Z?HABX`k9N3rLm5!bGFd)JM_ zR^JB1UjB|SmRdC`#T0YH6yiGir1)ap# zu$;5`e~s+jv~|)I$++;1LF9|V(^u^NFtD(oW&rgY7;=Xq!%nK_k-wGAC)eh5K;9zW zMD%hK9q1vHl%#X&bYgXzwZAc|2AfqIi2yi%PI&uL6%2C}?s`XZBY&5;C3|)Bf0FgltxfF<8+Z(LMf&Kr@-OFm*2_c=NE}3Xzz=Ql18D&mpbcaMa%K;EA zf!~^l#ddB$u*gY%Sn9)PQ}A+DX;0O`%t%IAng$|p$957a{xM7wu4RB3m3D9<34LFh zWoFA8=}=hfFl`TPI(3b#yp8dEI#i}(UR&v04=kl$aq*bp$Ovt~$a8r5c1blN+alj$ zY;aa|YrLg-b{)cb9UCAlEJ56PZV}kdX=~8Z@BuLYw47a%+Ow&X4}u8E(#XTWOl0I zO40(23%P!WMo=ZW&3dqFyJ*q`EWoD_R_jZd%gR)%Y9^!*ySjK2(N_aSG4?fH1cvIc z1t_JUW$>V!vo}hF+DIi3x;O{?SjQ7`dN)J9C+jFlf4GY`YBqF$yhpb1zf|QL^kyMK z*igBz+bU>FUJo@o7>|ed{PbI2A;f{nAB0LOO8F0)mPlXsyR5Xsw)?_GT^s2cS)w{_ zcJtdDKVw6py3AhVU6)AXwPETi=wPghjbBBmWx1e>LFcmrdtpAME(LNgqz>(yumXBB zNW9;U%go%5?fQEqlJat%&3z$9Kn_dgl3}zS|1uWz6)~sYVY^`It}4zHUK+nhu~n%I z0NFC|8Z?b#p0(Et#3L`RGzeNE%{f&A6Pukx)yG~1t}gbVDznXjUW(k=6Y$35PXk@q_RCohI6RyZx>KtzvowDc16_R% z5*T%5%3-f4h^p?tsHQBR+(>D9e95#p3H}6vVTQKTb7S-wEh;$7=_UXE_kz%N(-snuiB!J zcVj_x_tr12bOs@gm*#wbq1>b!Ou5w-rBj`uuX&w|v;`jiu<16>Z}h8rH*3(CnU0-n zJ6CF?{%lCg%wu4oDMh7htpbi`%=fPOf%Zz~7Zb4~jn6$Fy(FizSnh{{c`3%4QSa87 
zb464l9$wSl3zAcM+fyYJB@ud6IbnH0o6Dv0jT_KKWLtI_86}CcOdO(b$rTOo5t7rg z&a=I*&3}+>y;!FMn{deIz6EWn#uwfXvRABul7rszbWc5(nd^gD^T9gXue}DeGoh-CcH6|1YX-4*eJ|RzgQFW`UGlw+oe8jUR1x*ll?Q) zm&<13R`rEtQHQghq*Xf<#saVUvTbguC^t9vQET^nXts!Ge&KF!4 zeuc7I`mj_z4wf56jg#+JbKP7Alo3s@e%Y;V&J#oD^BB|@G^gi6|;%bp1v=mEPmcE$Y3Q`s(;$e4@Wn3YvK}m#$(OYrKo|I6Y zt}Sx)@RHyQT?C5Q`&PQrDXH|}L5NjGYz-R=ZI@6zm_V5Z4tsV$A#_&UKzfton*W7X@44)ISEw)b|R;F@)X--{oy1G z=3mvpR)bds(7O}r&|-U|?qKg5FKR6%iAY`jti6MlD_^u0KjXxmdL-ye1G4`$7a!_} z?4|+Ov1ZkRD%C4_HLw&6@c|#9FmKIo)~SpN#7cQ=Tf$Tw)vRkGnW^JjMkjCL+&$-Hoi$=(Mh7;Ny$v4Y z4L+G20Q}X2d`_?<`eZ^sU9}tSp4mU>e9#+b==h7bXmN7X-~v>!?AlXhl@MMKE1e|D z1y~n;O%GV3Jark0K`^a({H$O<_!TPJN7@J69@VC~x%jHw_j11DT+nSuWx9akwD2bVKazPgd%h*%f8Krr4JhldWLCv`o5iQx~@xu&XPsM62 z(XH>N+-8a$3N996jt{=nV{{n?s@|0eLV~0V6ZhCx0iU+VcuPJ-W%{3eYsDX*vm&f! zaL#)a_k{e#DI!o$+Vkdec%hPq6A~d!|Bj>)S~06}WeUGSfC(c9C48w<6qOi=O?MC8 z`ZfMo8P_AvYHqD10aX>`&OjzK9Urr%`cn)_^w? zHwMQT24*3X^p}{(O8ga26YwtlDC~r4+`ZQ4a@eV*7(c{kNaP)x4hhTxfv!l%z&&0|&mA3fsdgb^wv7kx_qr zF*!Zlb4;Yv2d1)OClfQ@;03Z%))V9!U(-j7TmMnqjAEjnUi3BdpxwX51hVQTW!qs7 zHSK>+(I-e#9l)=z5nAv-$JraI@Xt6z$b2jh9wp2PtpucU(Bg=#3F8*Jpx;?y@T4@< zf1DWlvKt1TGW-+eZEJ@KMUHtkuK9}eLZtqR-+{5B_#eWYvBEF-zPV%ZBvUU+gE%Mk}r=mKXdy_ydm=4fC}~$v6a_1I?CNPIf|{g!=BW0G;NSfq9&4cILVBvP`{5sDsXE3$PZ4vF+C*1lheS;;8D%TKCV+Ks$;KHU ztq)jRp4^BTcoTeZV7SV%)ZWOSHJ`#xvYpHKQj>rz}F znTJ>=JpdE7L*~naJZyP!I$;8NO8pK<;K{c7Z#?07;WDR0^)UUt8_!I46eV0(W$pbZ z$qgnIR+_6l&2@0)vD>9!l?8QGaiKO<7kojH;ZmMQBhME7McXe!O;I~7I`Gq)V*dAs z*Upxsw{O~x3~)(_P}piANny;v00?jp^POrPOBDB4(dBNC$=K2^bYQGWL|EAAQ98Bl zB&>=h#;%h_-fjp7 z-xfN4km|n4^AFmzo}8*7#jdRssqU-=+kTTtwCej)Z9p9$T;z|51HP60NCR%yeBj?0 zT*#n7EgOiVjg&OE-j9|kzkcMN*$>I7Fi9)HZP)^T_ZGjVFCAAb^TQOgtzYYB0~v-j zR}(Bqx3b*E?tF&fdoS>0jDPUJ`>ID)uGzyJ@nF5kMfwP(eh$FgGqsC!tLQs8u8v`D z9A#yGmId(io9;bHfB{EmSV|>28p_&XJF-~kB=2pljAvWQ69`sKkWuMvInJvLTRT#`g1JU}c=D!&)PDn6>Yk{rM*2%c4WR z?5Gx5h88d=9OW8Ynq#jY0qkXr+c+$P<$1ej=?99rf|UOY6ph}`%06`ZG))$<(zRte z3lGzA)_c0uzAvF-rrNe8v|INaFln4Xn&+PI(eHuVB=kxy454xUPh#TQMobYg=ybPF 
zih2zNnY<=NT`Lr#%idFl+_NcdrrbjYD-+G@7) zWZUcs!-N&}ik@hsV;rySYb{{~X)i~y_|59Q|Cd-;7^$hO4Ln#fpZyOq{GIR*A0Yi3 z4mK;29!*yK31b!E%oYlxr81U@>b29Lq_Iv}!{Hagj2abkz%Q*ar+J+L>-D>^fv+jx zcU9L`om?os(~`og4LA)8oZhqJhH_->)fiw5*?tqX57wQ-rCOaZp(vzs9af}zszyFV z_h`|vGu-AeJIbdX=VncV&gA~A&dr*%&H-bbXp4vm+pN!0P$%9zO%_U($6}FuJnOQ` zhIlL*$$4+_oO6R)AFrO?e0=Vp)r~iC%8bN=5~pmo0;f9~5y<%y2&rsy4j?m7bGr#M zqc`6pJ27AG?zJ|m{jmTU8)HjJ$vRDOdna^qf;LVWUl&?-e|_|~aMnQKoV;^oho>u; zlbJS(Ngy1i)2Dvwsq}#E3G=^RP?ZTI9zLbNGGyyfBWT7YZJ&d@bj(s|2Rfu=X!O?dp|0EZ~do49j{LX!wXy$BROT$zWIgSYY zTT>~{pOZ6wanK>}*IxJ$yn4A48Z7s{7I`|O}pp>J< zeb$-ZPvJ+HQ;5u#c5-XiII>LJ!*)GY4`S9H@~EL@993*pjZB!W#%Z7SBtT%rp$T9O zbAGt0n>j4~oWojkyV#O-lS;5h2tT-?{9G+?-xb6eBn@wLa+L<7&$HaD&Wi;Z1#$r7 z03Zqn!42}LpKVAs7<{1k34>bd7@;lM>f|n+E2O#Jo%|VxQ1v^J0s??w^2_nykF%qn4f4&uOBD6h30cUX!}5kH_akv=mxFS0D#soHVb9AU zaBql2RjF4ywU=AIS*tsecb^q7sHP#m|1UU9>Zh$?{Ms`N6XkEBJNB6aU@cy0a?kz! zpj+Aa{=KxNa@)A3jw*m!h5()=coy)jJ2LVx)fZAzi0LzxaTF2NA*|@MRc}TGvPX)h zr)ShP;e$(pDL)zG%iLtDz)JDq>}0{GUMo;{Az@|x7DnWKwr~ICqXpvb4}PoQwV=iv z4PE4Cvdy?3UG-LrS}6w9kQFPbkI@dXx)pBQ&0-4IuvqaoT5z=9WHXg>_Cd*>7yb~L z^m8acr!sSUffi+qvQ=9&AT^3WM>%`D{NcVk4wh6scl4$`emsQStg2*k^ZIH6j$cfZ z4R(N+1cslb)cbfXB%j?@Vkh_n(FoV zb~f!i_rj7^vn3mQ96Cl!HEF~xN8*ZAm}{c9q?hf-K`pJFf3~8i?|v9cpeF zsHeQ=096Hwo&f2Ka9i21kd^riB28t?6g9P!xIjZ7ZRgK|8bY(DJ@CNu0J}M9fr@S~)L2eRJ<_ zCCVr#UwX^#Et^wGHqEF>@q5AW#-+K(0wtmf;mTN?O+y^Bz1>7S@G2eaZ(yTc)Hncl zmi}aql=yhI9R9y$A~*3_U=bE({uYM6_r}(wcP}v@r*n2-7AJ%^$t60rdF>H?q0E0C zWLWukKpHc`4uGeca&|&uHt0BsQ9a=i`E3SVy)6Q~wpj~_MdOV-R z7KdOkZ^y>7Jm`fznese(ezPj)r$#$YCsctaGXmYTZ!(o@!UzyozJ#;s<3#&cM?~T8 zVu$njwmhAf3mw@C#P#04n`|Oza(fzh{k^q%ZdmB4N zRO8h+9R(lrHcKsavA&(EI!_C0dPLg~1M2#LVk_1*Jn!oS1ty2j?wE*K1dSUT>}TE| z{%A;R`?!`tVLq+aF6}0-z9~iU_lx@k4W|d-bmgVi-ozk{wZLxsTkeN|EiODNDyng; z!S;K9ypwCFg-8RnQTpGYZ-FH!!FR0yx644ffFzBOu~MZX1HE6ANdP|{V(m(+-r=hh z8p}QU=$|mBryYr+1^+!0;>&S~7#GE4uz!|uMi#TVr7Lm%;Ox&XYp5!RKVRj)U=@DK zxJQydo;L|V0Grk+PoVQmmZB9@^R&**IaSp}L28zK4UCx#Otm_BIe#G;oyym`2Hkef 
z$$aJ!um>;cu7SFgkTG9iLG{JjO^AKerrw2F)>4_dWJ3>};zs^a(9e51cW6ZREy|S} z)-Qv~1&u+k9Hp!m6g>?tK)T!I{CdXpYhzXt#sN_rI!PxAwGHl3p*Q4CM)PvCbc&M( zepz=ORiSaNj*6C%7caV?YnU~BT**w$2^+LVlMmVqi<{ORI@O(WWW=&&{L?DPtqZV) zYBB{3Jb%E}JPq>8W8zXfh}&t3Dw+HAD0F~^pNHf);h1U9GKO2YUiN$?eih-^p8zO<@w|}#ZX9VIF%2_T>aj1x$z{^HjbHY8<`JqMahN4a*<@zL{*zAyz zJb765SkThZi+60(8Ia1AE;}XU+Zx7*0L|CAL`@u-FPGaMf3f{um*u-tA`7F-|HQBU z0o?h75Y%gG4}9q=ALx(nBm3Ei6DrDi}2r zw&fj+W$0P%-Y0KT{O|wx<-OI&;`de2J}2TO=YwwfGnjniKI$GpiZ(wu3SFU){$~>q zU)c_d?n!xb*_FH`A1NDpYsO^36AM*_?}dzLD^kEU&re+auC=@VyI;V<0*UB}&gi$01Fw8)*Q zRvXov2-@k9yowZ}k^);RxC0YcgePS%M=53u-R^$&>mz4EJOqP$U_KF^jRBg`&EK_> zX!02Lsh-UpNaAmD@CwP@Q8g;|Y5ZlYX$a={WyN!T;`wsWA_bJK8KaGCOjaY8DsZ)d zb+ABkblufCg>h(Wj5AOnwX0G=CEo@Ol$?R-j0*jPVdtpeu+X2pAWEv!WBrHglU+fr zsjknt-G|b>a+)F}$9QY)ZD2#@=*uiDaCo^)b%aYfUksF(@3Cuvvz-QPAw9wxPHu*Z zrq6w+Mb}U%`B+q!)Se`%eKwvU1`eU)&;|8B)dBqiw(LHjPcq%tK3X zAKHJ|LFEJ{eTrkVW7gELO%-jlvhPy0@$QD~>0Rr$O7A({GIXy@h)_w^h;cSy9y%*; zmSeq{vJjt!n3FI?I}pRevqAXoBF7t~IM@SQ2tp4gQ^zn#tuYIe%kG`Mc7EGTzMlv# zKg3jp>`>)6xji|HUikkT4Jp{OZ91d=^X2@T|6^ZaWBsp?(En{;;rLG;^gktp)Kzs* z;2KT;^`Izlp{3g)1eRDQrX|dTmL%RJ(VZuNou`1E-y|gIi6m$}{QSP|^KIQ`r@!Yi zo6lV40EQ)$017i8Ln|Zzj*S&t++XC`rsGa~zo;r5A`IVjaw19*;BmpBa{-_R-~T5n_6miIHzxP~2|t5GYl?9te$TW^K30@Kkv?e#YJ4_1XLhR!y_Bj|RPb zWUL~U$LGF#MDLZtaO)asW0z1_fohPkqk!ux1TI`kS@ZGlRn#SUp8{2VeKO+vapI`=WJy zd(t~iJF+*S7QH3o`*O}VyKG@9yJ#FGW{2^*v{ZcUaUpm9CCx{nFXg2?i-~=;Ipne> zP9ex2l)6j4=O|+~C>=1dEYe?y$v4fZ=ZY-t_@X&sa_tUW(tI(}tP!P>hll5>p_pCl zuGN))B5gIh`g6HYT#CSw5{oc>B)>oW(~$ZGMWKXIX=DVZPv6f#l}u1en}+S|rMMm5 zgp_GIThcF<_}2MP3cvtlGutfN)KIkgNO-2Gx-y^JB3uUVMVj(@q4W`Rl512(XY$IM7ulgP zp*SZ5B98|5lt|Lw|AL)GlBo9A4I$U{7u=@g_~_=Vy@uo1Q!hL+)^fX_jAoM=@tXq3skcf$iZ|#b0h-& z06it66*X4k&$T}-UqvmABQXU+sg--NVRYQTHnivp7!;Hdki&R9=NjJ^VUZbM)6(@a z;(s@@s*$0MGUWIOGYz5$jb6oQI&V=V76zN=^mNb#Wlomha&l3{2GOeCnC8k_^M~<^ z3!vmK|P`S|hh1JtHj_)zMCQL?7>CiqQZ z>Ddk6%{r#e9uaJ1h!M=o3j8qdE{^*R5F}6$7af>H?t@0|0mGaRgA|WKMzz0D!XhQy z{R9{RcZG7Ezm`F3-d=%YZMPdmLSjoIgv8!*bQB6JFf-!`-U^uZ<<`AobTWiSiT+*f 
zxODU9l0p{#5|@MW0(b9k)9Tap}x0X(Ze}=&_o{@bwEeGirk3 zwGzKK$gYgU@Gg7|{6z9N*TgjLOh`%Ja(|(}Cm)FmFfavwNvETf#Ga3H9ze?48`}N= z@o!!+`|zAUfqTukcPeSNz5c{gRwpkmKHw{#RsZh_^-dZKOulhK?wX;m!w zgMfu>COM|A|KiMZGm{*KrpQ$T^!GElDdg6arhBq2ff4Fs;ZJk?GH1Q947GqO;z-pU zMHyl+7r-ZCtoEI^nVjw{mNr@J*EWtRNrgi3-$D%nUJ4_A3b(v#=anMEWJvD@|l^f2)o2>`k7DPiut-2PXt`kA`Z3}2h2`jGvlOR631Y= z=t2Pv-IrIUY~qIPA9sBbb9aC{pQw2)QM2S3uh`XrYkVLy{sJsQqEXFHYp*dNfY-^$ zsBZElX}H*H)`b2On8}-^4Of(0yU%#u6qYgSL&xzGUdkKZ3;Hu^cuW(28d~Z>Hps-f zTbbi+=s3TP>k;;)T`&?wvXdNkp;?M`dt`pb4wQ4Gu)@Xbl>s(&{1hH)GTEnM$Yq|+m2 zin@g_s3E(})TUA^`{XG^pSGrhn8#1d!NInID@g1ZgKp~%80bYlwjI=c#^w=o`s)x1 z6OVzolWQ<3H-5-!q=u(f{95pa!?XAoc8?|xDZQ`~M2{F7j#!#P{>tbX3Z~J^6*!jM zC(z-YvwCmjyy{_tMgp!HFB|aV9+pleLE?@kS1^*MmYw(zEF)S({N!jvIpoE)+=2IUIs~5e>NYRh4N)KW(?|C?}!s_@|ESnc-2KjR? z`4>Wb_?rN4?MnP?$O^?U8(~I4dK};gISB9C-1XTX-NqtYh02(_2)DiMFg~V|^+J{U8Zg^mEt93vq<_wpYxQAbqQ1Q{^aFn4`bZ6r(_XJCb%rhU zsXdz`@kO>nXN4@8{D>_`Qyymh&9)|vCb6Y(+koF~P2z3r3Zb)hIxsI%KEemonYhwZ zOT@N{_F#E2a`iYx)`Dj?<6I9T$z3QqT2?iff^7&~S;J81Sll&v*wL5CBt4Li`lkaZ zs){&2&hc2R{kuOya(j+2mJZNY5{c7!iUE!Z9#3QOBr^ihzcR&_sQDu3%nJ6~LIK1P zeF63(c~RBy9Yg#*5yWXMUv!!{Rp)!;Ak>mC^;R=J89bVaI#W$JZs7as70QdOwG2<5Q zjP@+3fx%p$dOqP16%}Pm)G@|5m5~mbdjxv(M;YP54-KcC-syq0 z3?uz^J1oqe!HW4QpGM%8YT;vZ_Sf&BdGd-gGoLJ00bps(=$ijoTCZh$LEu`gwyg?JWp-Ag8 z6;P(#3bXgSpElL&#<212H1oa=PN_|uWUwpHm??;YJ5~W0*SOK*BgF*PD>3ZK39Qv= zr*D*5>rvsvl#fFcI&W%2!M(CMV#h2Tk3~a~bzwWM6#v(;$oA6BHa9{!zHYr4cR`*A z-1O!$DRJn9kw#W#=x3fLOg9V}oPOU`xRDU%n1o92FhU;R<#F^ktY%TFmsO+lg4*>y zx6Oyg!>fBg(QI(qWj4sm{kL^G1Wzhd%#ivQYIcu?8GVgAgtr#EIIHF&@#-ai_V!(Q z!9_+8u+~NhhbIyCE1kNhM}Lp_hOu#A@*y8$FT2@3-Lvj_Ri8$a;f725ClzE3-NZ-; zx(iFXI+_${xggSnP$HH0oI!c?XH7hCG`d5a^10RW4pnCRfZs=Fof?-(%eLIg^cPTRZuzHK2b;8j>WK&<*jST}3gklkntZ4a%d`#zeW zJK`voA-46}$BO6kM!YxV(B3OOR6`q_E6`LO}hgDWg~lDM3y*S$G%d*u;U#6{Kcpi z6FTOo*EfI3UQ+-3>EjS5k&0OK+Van;>(ZLeBSs;$DwE3J^Kn}4#E0P>B2a7Xo<(+N zE@r4XoTQf3$Q8=I{G>APU4Jw6(%bXU`G67lTQmC#eHx?*G6kQ3H&LYNggs^qVN}?l 
zNX}ZajhNDR+oX2CCcs&gcv#MbcMbp#O^woxh2h2oHg+zn=sIoSpuj#eTg{_GX6^W2XBRJ!uKBw0`SVzQE!%%5rtHN7m3A6oJ8{ae{KC(%u;3h z(zP_Y_^+?gGArPcM)uI{8dQR|2AKWaFf z8{~L&-hkv=@HVF*WQ<@VvAfz7e-KY0w}$vH`ipbO4wr>B3&&utxHt182Z*2&YN6S^ zTrtqCM23`pJVm&pl9C1JS7!LmlHUvaBH z4VGJvzH{u&qD$h_!eV$2jUSNJW;G@b;@40|DWIR=NdUYxW$EW~(dI+~{PTo7h!gId zaMJK{(wSiK+b@2>$Zng(MGzlL(UmyNEXdyl12?AS|^7SYP ze~M7isUR6(Ve-YbR%XMQrcVoG&#H1X{u3?EN%*<4Gw$o z0$RbyFuJQm)jtEopilVg&EupuA@=G4e5zn_09`OZLbMLX^A)?JtH4`1>3uMz<+wSt z(w3|Iy(jiX;XFr~Jw2{D(T#7_3evhekvRKnJX`+b6Rnd{zv+`GzknX`?C8YW%Z1*v zdlCL?Jc`!0FSk-!;L-URWS&FbI(c%Yu3r)2A`oIdF;-dvqd-1_+jrpe&2rZ~Z$_1P z5HmQua2%6nJtSGn3)s zeC#H#TGGm2tG~j%j1N)34q~++5%Jc}@gwESWzV&{xSb=0+Fz}6TZ!lkUQIQNos7OSq|}G+pW|I?DL5r~WbT{k=QA2)yh4I1$>*7~j(RbTI+oB zE=fMP;}@RHM%}*I#`W2#6^=ilq7l6*FkhAnudm)yZWzRS8~g*VSYPGruD1@s{#c~L zg*v80lNQ#ZrUSH=s>nrPY}!%uV3Zr%U3k~fv>~hUa>rjIJ5tb@_M9R%ZjO&iL}okd zqGT5AsPc|dn5K0UEx@FyOKwJUDSe#emd|tmFI6TtOwtox`S41vGQ&@)eYgjcXMv5k z#(S?tJbY5wlfQyoJ1Je(2 zwK!u7kwqG^gJi8mpY@>L-JT8Ys*YRDcP|aQ5uwcu_&SyWauh}%YgLoUz9*#tzTK59 znQrGJTsPDrKOSOqP7A}*CKw#%H-Z6(U#ToN)@_fY?XPu+9wt*U)NL0K_EOasuEqTm zg%WX?&q^bk!k{{4^J^UZQoLtD3or)erh=T+QEff*%3lW2N~iO7UH?wX;Q&x%L&23V zJJH;0As_tMMPUtk7~?P|GJ%ip8a2J@y5{ z3gLwuMEv5}47V6Kc5BL2r0v66_wxMgbwf}jidkqqw_a5P)VCt2;#u`^I8uei_1-S- zv%kKQpMH6unTf+@VX2aDJ946tW*|Y6m1};~{fG*|q*Ns&MWI0Hl#Maf!Dd}s97Kit z%>h}ur^5nwq@9>fwq&xMZ^`MwfwswF0ltS-npb+v91Niv%PV+jKP7fH*%8%N9>;=$ z6-LO(!V7T;XCGz$4lus1s&j|Mqx0fg}xa7P@XCjq?ui*=Sh#To! 
zl{Ma%Cl^|twBI3@aC6fT#DmU?^#cMk-gjBRrGMMw&Uu6+`i=-(>^X4f$*3~lK|IOm zahG~*Ew&lInHS%TlU~n!Xge@Wj+N!@MHGLctqgTmZYF1oTP4oXNiUk+7T7v$!+oBT z^YNKBImj(X2*Vy9D@>}<^7lVf3V8#ke8jR9or98h55&`5MCO&1z+MQM*naetWy=XRMS@!7* zf|Jdrx@dOa;tCS0HYB=NM2S?iVh71+z|1Ny3M2O~oClB{SPV$n#@DKaSze$U1yE<) zwVk3%$6LlLEpjaBQ6&b;Ai=G^ zh!5WeiOBvUH$gdzmHbBH()RMAh|>XRZ)MBkc*kSHWf&;fov( zxIUQ9e{#!i3mZ!<$(!^_DVr3nz!M9z6~;m`h4``6+er7oui1G#rR6aFROBaS-hor7 zV4#J0NI=ILyq|TGA>9*HT+*PV^w-~8(ZORN7_G%8uYa>kIlxhKf8!^h8&1;-v%EfpQtCRny&zAE`%Pc+9fa+ zS+{6tV*oQ6u4k(V0Ps*OLcu`u@)Ac8TES*HiEWvjh8}ylPnJew-smBr<+xIw^qpla zI?Lz#L=9_&wV{{k{rZF%IQUy%^?4CW|44N zZ2z>Dql?E;PV`8_3FC-h=!dbbgD{YSmUy#BtfR~M)r1X;X*C%kgS(tsBGG#2zEJf@ zDb?@-xYYZ<7&`|ZL4ZI_j&1JPwr$(CZQHhO&yH=|wr!iYFUNPu%Uvh^C%&$(nv5T* z;y zxaNxL=exZ8*Du05;9A9;2V|GceeDy-@nM^nd@vm}9q5q!5uwHWV}Ulyw{@7^+Tnvz zF;RjvDXI4)jpgQ?eFg~oBj;Vl)PyS!J^DmD$iUcbzJ3@(v5a{`NZ8u~A&4Ksz8DIZ zFo!if9axKl)bu+`av$RQlz>~nK{F#VF4Yrm_>~pY@qYS49tD*Z_@Mm$*tKA^2 za&CVI44keynYtrs=ICFOjHdhroV6@8Yv1)X^YwPTwJby36D*B_4@~mzeEeA`Dx)z^ zi{U}Yp3wyw!(C2XO)zwmo1b&HI}^b|(>(DE{27~K)Ol&xQS$k1PD~vIlwS6R2+7C9V zJeqf0Vs-?7&Ca^t^lkap1sqwg#1%Mcr!7@k&wbV$Y*uqU6B2O0YEct6CA|;x7>^1Q zc#E+zIDubu;xx}yc%IR2e#F&Okt4VsH>)1x1#sGrm^sFbS~fGRq4+VJwwyjp$rpr3K$M?a=LlsozY2zo%|X2f&zttN0OeYER)e1A$??`SGE12FkMSW)oz zbl5$N9=24vHcF(u-JA**8*DNiFoo{rrlk)DGdw-d)7p^fAlwjY-cMb}s|=|R=;qcs zhzb%Uto=w?H*zSwC*EDwWV^Bn&uL6yIZ_9=ULJ6ZsVGT6YyGjmg%xBy8qZWgzTB56 zPhNHKixqR&)>D2NA&Kxd9@tN=-Ed<}zeaCb#N^Pz@r5|5>DN7}u^92(XAq=y*fFvSmSf!-S zs#P0a4$o9-@mwBWCz(Ndr;~2hXm=jUdgwN?56#y7iHUI1<)fBY*-W(C+|VDwS;^@{ zzgyoe=O-a|MNq*QOU@Mx*QQn^?WMf5NoEv-ii!jgSF%)~} zw_pI330G#Izs>0DhXl~Jn-r!gIUCSR)DPMWAbfMIiT+<#5(S(r>Is+YA0*$wIe25@ z_c=TrHJM`r6zXjxXa{O{7t@t-I^P&p44<=5?o~=*c)@J9$CeDC6QL#_ic2Q6IR|Zj z>Q9k7#h#DnyogugBW?~gE4@{ z<0>m@@ZF27Oc(a^p)OqT8N=f>SrIQ6JvhQ$;RP9thKezsC9S-`_KCC@JVSa6?a^>H!Y>RI(U0JVhO#UgbnWx}&SS{|ZVCq@HqgJvWU7#p4gWR@?_l9n zAN37dm%H9z!8S`}X=@zxHo^)0^{WhHmEVknlC5zdt-vy4wJv8Q?=mFEasZJgjXa@!y0a!FrX5!(qMPo=`V4x7=7 
z@vE4%ARAr}v&nt!Atr;c_bSD2sW2jCZZ^Cf0`YSnwTAd13ZEs8*<;j%0C+b@Y+3Tl755v3Y~FpshV9m|z!`M@~wTXaUi8fHXC;jqT5{ zkM9>$mfg#1NN1r1OzRyTSqA$0Az37(dcE1LSU3l?9HC`Fr=9!YG}20|C+hpna($H* zEZQDq^>}FKxEevIp;8VX9<9!oF+V`Mzl8C?N~uS&l(&Ym`NyzNmps+_{JrHO3O7r} z{7|j_;U~(3K^g2>z*!(~?R$ zsc{9H^?Ea{jGa|3dK#O1((wCZ4T}lftlrR!Vhz&_ zqwCI}z>#r0L#Zf|xmf8YyjQa6sIp0_c99zrCOrGPK716GU= zb6TpQdA+9;Eri$`QdcUHmrpqr(#8vh41XtZgLj&qdlf&?ztP>`#l*AZ!*RurPHud8 zDItHM=YQx-W0i-lu{$^O^W7`F<^x-PUV&%X5cn2TzAxv>Fl~xY<(n(!Kvn5WT)xl4 z(kU$R5EYo$v=f;V^u+P* zN4alkr*31ycI(j)R6i#8*4_b#`pN$!uNV-VXlH6`)zE) zo?|)LD~phGg`fMix+t%I{TwPfQtY0<=y~i0pmU%r4`n2*KM{=w+w(%rc$5h7Lhfo+ z8nC(r7WQv81)}H=TTQt{xDyIg4xOAcUG11y@|1x8)qo~bm zPS{rf3Nk~)vouHrIEjz4(I9EDN1%z3sCrI-D?0-2X9Jo}UfYM%xldcYgd~!!*TN&e zg?k>!qobMbJPJ9FHit3lPP)emDr8YO?B^Rxt+(!?Fj1^}00xIud#hS=mube#);bOs zK+dIlsbMXF*Gs_zNxWFA^gUf$y=#ngGGUQZY2G4%+qD3^VI?@1cZeW{sJuH+FF}$O zs=}k4ubtPvOLdJgFE@Q8%FC92d-PDm%TD*dCRbmYk)IFanboIxQcS3w&di-3Tsn0R zEI8kzce@-7%RWh9St_?o%u#i8r>XVI6; zq=gNELkOEhOL_IVuR2qyNPR=!5*=^lx$ap=K1-?5kvQmoxAD;^`c?V5d( z$r-xVx2DH7l-|4XO!#;u>ewn_=R!wW9(X73ovVBgn)H+L!X@6an%7zudSfKn2O%$V1x#&2Cb#q^4ws1S-Lva|( zNW5fXc((q{(y=tuB*T{Fpb}-lJ@PfKwJP4>Qw4!xc=-jZi0Yq_0&%8*%67AgM3Cb{ zA8C@c<)}VEwdru)SX?jgY%pI7hHX~FJ5VFPtoO--OKfm{s48lIy zagSD}NuZhZzp^qR1*U|bhfv-G%Wb$-BEyknr-1ZhRbwt0tQAEG*l=1ydq{-ia6~~O zl0(CJ$U#fINK@@6kkscxcxy~r)2os5>3(4hM_598tvsSwFXtHXcDbLPSWbpx$= z%qv9`_R$knJM?^<0gIN2eSw@aQGhfdnATifay`>|{$`&uH3|b%mGT4IlAIgN6b?dLxH@K;Y|M2Qj6ge;>8iz7;g%`bdiX@4+M>N+P_>#p{Y#KG6 zb!feu1A+WZvnLE@wqoiil1gvm055d4A}VHX#axza6M^@a8TyM?BfIe(zwUzQHk~o9 zO4nInP$`0f6yV5T%lt)Jt{FBzv%@oJORvJl+`V##E&}F6%4sD^*P2~ei=CX&XOrC@ z)1!-zk-7%*44?cWcKCDY#auZ@{?mB^orPm##}HzH6vyDA&ENmzBobqd918J4S5gy` zz{c1nn|gAJvX#G@U4}(hSE^|jZ?gjzBK#U5V}ILKs!5zGu|@%URhO@iQIF^73Z{pe zfqy_3aTB)onkaiY9Xtt-2yp}uAi0rc)&n3W+|F=O$5mJ1dFmb&t){65*c!Fi?zR2+ z3vl?`NdU)Nwc63w2=Ckvos{<+OO#dFgE$@ribqkkL(j=z)aM{%W-eM!7*!WwDj5G@ zBx78sewbomNER_fmea3)eKm$JpfW#QOZgX2oE7DMSTd9oMG1P5ev|w5toQ#KpNoy= 
z!LR?Z#EAdKXU6{-LHIX5|37Ps4D|m$`*Z4l&n*V%s1{?T+FGP)7I${0(Vo*<#M?qb zo}UyU5`(0osS9>s6(=B_bNZeh^s=AkWo5i(wB?{9iAIA$3I(A9$;T_mLlkgj^m2Ny zaiv{teOP>wY(;&nuHviX!#t9M9+i8E!7>{=L*TN_=z+|E0?`XxWNt8XCL&NGQRDL3 z+CtE=;RT})SiSWop7K5PRtI-)eDQ?=8r1sYe;SXsp&b zl!M+WT5;*1JAiMN0i$5#qCNzo)C|x9UK&!q!$)<0CQ&Z3*zQ8Ky=Mq0TZgkI!#%6C~gl!1wU<8heTFornE`@m!SVZa=Hi{%wMZ?tT=eN>? z226~oBI+5Eo*?*6kUZuJ5iQ9()b4*Wbls@?pRp>4OqjHOE15QQ838wN@P@4@&~8qv zk*to7%2vzl8;)(Y%|Aqv{_{%|AueA{81NBo!YTm1-bRzuRpPxxsp3kAtS8)s%rO>; zu9jxlWy~K4;YVgXv7^_Miy5z5syy?EdXC_)-i-;#i(by5i~gQ6Ff4oDg}BTgikGI1 zLGHk9vM?pp9BQl(6Wj3wu9pm&pUb9i!Dg>}fNd)TkGVyVVP z9a@=7gTD3*RoSoX<4u zp~Z47z_8@a9V&21yl3SH4AI`MS%t|77J zjdwNfv33s!d*PJgNckqZ-bnFVZw|9FA3^U+B#f9;jhu$7kr{a}MUP5AKl@ zKn^DC&Ut@w6-wr;h;6Kz&$5>&DwEDqR_k5hQ1?Bi_{`#%PIL$zg7>l>n&C|X?ACQR z5&jgz3#}6V($)!0A&~x)y;kLz$>jTNp4}bylf33UF9{d(l?Lc9%rUO{(BXpfk<YG{6ODiNTv<%%}wtqxo7CmVB-h5c$zm3#7x`R^1J zg8BNSU#Y7Ee+{9=B+LR$K4T}ooF<8-aCK@%2^U-=?9u&72lWgBr>OP38W9^bZnU> zHO;^#&u>ee;+|B`Yd+GFUB^%`^9G+bk3Sjj7$-iQtPT&2VnL}k7B1Zme9PQy*}YDs z9kIr5;EI-EcGx&jIq+v>%FXV3A1m&H_-c4Ztg_%7a5nvJn z*}sd%UFB41>IXGck)L(T%qsz)qV)F1hpj?zC}4>hkCeydo`ri@X3C>!jru`^)kd8_ zlq}g7#5p&dL>P!<)<>rP7Gmbz@Le?seaxMp?+sh8Nd*a#eVBXQA;VQizwfgQ6%{AD zUXdEPejr~j)nbYOL89s|_5uq9m;dq{-ySoOZ)af>POz7ywdXscWR%cqtA{ud|; z)s$)a@X)<)4cLNMY`NhY^xWt|B~h1gnEav3)R+4->m7d>_qMqr^@9e+WTIeFt&+gP zcV$r_)4Ex{Bv~C2RtXhM`#<9nOwj@+;m>3 ziz-i&LLP~6x-c<F`v*=%`@#q-NP&}Py?k-yg_)VmMlcIy~iQ@g|X}&zj_r z^mAfFSZ<>5ow!4Eb}xpW`K0rYuJ`kON>K!yr9V^=_4x35(mYWE+PiFq|kytc3FAiQ3SvCd*Szfx%mB~zkq~; z{C`MMjEx~){&ha}z`m@s_8F&6hebvmml@D-tfwqZ12D+GZl&zD z%$sW^v@#VfRasH4UoLRyWaiZRNz7&0oO4p0udcaDX@&y2VG%uUN-^ zcPx~quUWAn2iC(VZW*jk5tDw7Cf%~~OkUfTYDeI<7t`z=AaI*GH;a7>Z>NDtxbhgl zvV7dn6K(eZ(e?OGI8qVpwfTPy;a8M(->r144PvU{D@}st?|mf%OiC$h8=x0LO>~wG z-;gXfVb?B-5L%GU2rbIxW#uf=|56B)%oAy4pd&9k9Ny}MHbR1`dCpjwQ_!I_zZ6R-2gkN^? 
zy3DdpbDEkPM|W5Zb#EpUAZ3-O;0-2v+xifBvyVlOSgBd+3NfKOBg&1_MTni%nJm{* zogj`)$m!Mlf2Q0)WSO6;L_*+iGc(OBN8nPyZm))ab z7G66X8BJgxNeJI_?LFyq`y{n-qe5b1vdF2g?ZY4?jkKWhl8a!W$JR>e`sp8%PYr#K ztgxaT({~O2>ClXv870bOyww+zPuYOgh_B(olO++SNXu$Ag7M}$rw_P%K_$rbFjeK_ zBWoz-pj)esLVIf19X9wL4py)W!#=~%u4$UEJE+Gp<4^7}+?^X!?wXn9-rlpAP~7?T zwoR&1ScJa%_nI&6TUwyYdTgC4H(SAnII#{G7%gbqI}2P55}P8C&eD^b@aIqdgkGeE zEL#W^+_|NoEVF!UrE0?3O=f&qssTf(bJvjZY)$FaFcWb19!m%6E|V3fSkj-TcNu>( z<;TV5D0SP$Ff7OlrUkQ=1XW@HmIZNbewHMVxoJq zOB@x;G|QHyZDT?b&Uh=9YO>1m(ZKV7DoG3Y=bNHnaBXv!T`E=z*;c6mY>k^w70cWk zq?cpi_~-Y4CL%8pbKifFS-T~L9@I}xwHDP=?fd@pmH@q~G7@`V<2pHls1*aJSZS8p zY_+HejI`YFYt9K`9@~>{%-h4x*1ybz6A7eUTSP)enJ=x(CcuVP zQdpVinSS*NZm&+cBJw_+`NT@^8l;gL3@Pt%_ON!MM+bBQgdcf%%aAzr-2qNfwgmfs7ue#O&g2;QI9vgq zqKaDG>#O_|ftI`|ro~>TD~{mXm#n{`isQlEYD?##ju3h1(q+h;<9bpQMy8cS_o!IYh&^X}6`TH>Ru>05iej@Kd0+nAX$Abi@4<~ae_ z(X8H^u4%QW>?+w|N^uk67UzeDa_zd}cYb66S1X z>Cp8mFB2@=y{F}tK|7#{Pmy$Qc@eW?VJGbDFo;?TS>R)xJIpB`+8@TJi(n#hAo?}9 zx5-hPg-Xiy;gS9mq@dx%fCWqKwM6iuH#$9ZqMcJ##HVvnoXHC+HMG1rhT|c1B=gp{ zaP|ba-(bhg1SY+b{6#(d;?nT#6925_W8pA-j!+y6I{CU#M#&H8M-{|~$`7&UH>sz(*667mJo5ZoZ}j8aaW zRp*|GN+4UK-c?npm$&!z!ShYw5ADxG$eY};`S>vpi%&Q8*y=Gqn_h_ED1(iM@1^t% z83~!8XmxGn6U5(@e|js0*IEJFhW1vrks~l~|GID~y=WLHv1Gh|1lNZ=wc(X)1|lgW z31OA>?x!^1bc=PFZ2=V)KAyGLHwY&gfFPS;i`Hn}u(w7m*_q8bk>Q)VMF1>8ZT3Eff>iK#$_JGUPM2zY z*(#4WwJ3h-0rqH+FoDal)^Tgx_)xHFlAiaLuOc`^)Z^bd z?INU@)_>k>>u0lGLm42QNtpjJIqs0i)FJ%QHcxy|9Tow_0U4XIz5Kh?%nBFo9r+kE zpTFP(PFm?wGDEQFf1l=5`kdk;;~ADMrCt20-vf1;2D9UQykmvjE`aR%eE0cvMN@nr z>L;~lFRS^IuQp6F9cwjO>t{=?={FuiYDZy#$0wjrFfwace9=uwilvk?#=r-V5My)qr ziS?d7X3Or61enwz&qkhH{UOw!5x!Tg_FxS?D?80#GB=Of)yrGy^v7`-s!%Ya(IjwZSd&}84sL@(I8oQ~c`k3Ctt|*I16O=P=aE1Ecx|0p z--CUoH|%wg{zG>S;`+rYfqrx1k=TjYx{W2P#i|rkHg#XB7Ij5(UK14_>!V^eq3c>3_|KP4@VSSgUTJMi$9Epr<;eYxl9it8Lf1kfY&^ zep7xs>!w1{@B2t$47bkbLUD7&S(7&a-ZyMfBG~W~&Tj5({`O7sR(9^dXfp{KqsAIB z@Q6f)!R)Np*NUpvd;QOv7_HC9i-*lP0*sbbG9h&lSj7ONpMzXsubY4DA;-=I=9Kl*m`&4up|!4I56yP1Uk 
z^hp0#W-W+lcC}g^%jML}P=_G=ZmY~Bn`lvQV?8^!ig7(q;3Gwt#E4Uj*EG<%2y;GG zDB=#DV^ykl`&n2b!Ni08-Nh#yhJSy^IgXLq0$nU*X8wA-0@0_)mun1tSv7hi>&p*Q zXxfe}5vis{VTJxkVdD=KPeYT}x}6CUXsivKD7bisL(Io3)%~Ghv6brij;T0Tp*=&{ zr|qma)vsa*36!#zqi4v*s!y~XBzwL&=(7*j1C3M^7^3Z5*^wze#7?lEtJQoE0R!zC z`zMUE40<9ec_FG?U)v9Y7p_i3z#}GssFWeWZ{##uvdX_Ex| z>y8tDi+j~9ZRit;HC$V9C|n&mj-IAbcp;7{tK)+^GdL~1jLK!)hUh3KXC-TU#q}JK z$9Y3mLI{L_uAKhtox?zu;2bVwl3OFn+T$~G3=qWZ$^^fk9=mIpEO-(+piDP1ryN@S z$<}Cfh(Qs~fY>ww3^R!lhxHkn% zFbRs>jcq(SEM-Y*Z(r+EhzVA1CBqN+{}xsJ2i3fNL1o z#eYiL{3l_>e+4zCn&9Kau8!(>H2>|~v~QPolaY4IYU{|zv?z5-uZgfAEtQG=yV+*V zS*qhO`uNF1my168>$j8r_?_$S#k&XLXkZUwU-SnS)jv`a69$?O$+X!6aMMamaMp5k z3?=8J;g`pOJ0iJe)9{>Rc3IA(UkcnSxaByj1-e@Tecu{E&8VVA^p8!ZuAL5VU zN3Y`D?~&g>l?c$!u0az-6(9K?MAe{QBvP`dbp)~=s*Ej{#$<#HG76sxJ{8rvnoo$+ z56Xbm3yLx)_?!RTJ6d={u)Qy|4|~_$)b*d`yN6)YQhBv0ySz_r9Lcv<_bNLjFYm*w zUw=<6!PYh~oOaSd8zkU?&h~zd6;&2jB{d?*YwvFwr(Xb&x)g#y*-hzhu8hg-3gwHv zx0Gaw-|9Fb9#p!lm`u2MdL=Qn5P>BF@*=ON$4j8L0T`14zk>KIZYrHjms4V*AQ-pP z48#j|S0)AFX?!cXsPDHa2ee%q_66G9)sTVoarDMrO5-6N>;V_9uSwXGZBH$ZYAvRK zBobZOHQ0=9sHCvvb=?iwNmToIF2-6>(2WzQj$Z47HpOFOw8Jnf*mMGu4cv5I@MPI-!n`*c{LDPgI~!4^;FB&&2&P3oK`z?rbq?~`$ZE6I^JlPT z^$dwwH#qRoM|&t>lx&qUa}Pm5`R@?YJGjLdeHG?Ogb^nmWAhYrL@ERQP=kB@CfbrJ zjJOGZ<}KXADxche!AYl;QiUssCz+xJ$Nm;({n_>5Nb{5()b*tu`lUEN_^v) zRizgmqEpX^E8I7gTNr;{o4#+~2D)b9i-q@npL~L}+x%e9xgs=AflRyY2JLQeR{Y@a zOXMtPw_e7gA8^t{sCjzanBlO%mdiqFO-+@4v4d zUoN_!X2=KxZkyJ3aEax>{yDdI2)URk75fu1u(DcmufdB>V#cD2RDlX^)fF|R7Gs_L zDz|Pq@lake1X%|duueH2AZgh))1vS{kCxg#ki(O?W`yuZiMy7r_N@a1g0*jTZ=KYz zq|Dy*!n(X)3TBCMO`_o#0`-hoDN+liuJKm1>_|AsSnNdJa%t=RVKunc4l&$O=BKOH zHyB>W$pumbVJ{X`vIT`vOq5+Sj#xOieyX=B(^~fnI(JqXiP|PPHI#}cx<}z&#^F>_ zkjOA5dmCAJ>rX+4i3xel&Nwnut8PXBuG~M;+JdMZ5)WKIuyOmt(X2n@;|^_kgs#-p zjrD2jQwV1r0S+T7lHw(=l&^jkaRi#?!Lxa=^FLx90E+a}m(ZITENZ@%pF;UE7(%qC zK$vmnToqQ*s89wW{V>WhnR=S;Ywc|YidFPbZi!v}9iQ%L&0Pqk?Tx+)x0e^uNWv1? z{>+WItxK7beJW5kVHd1w|}gd+Fg{1W61y&g{JVI=Jgj9FbuVrAj*m(Kg? 
z5r`Z++D4wADCM27NGsgFuEF^wa{Ns?!#4M8@SA*X`z?sn)AEnLVF#wwtvP)*!}B`Y zlvPROuawFej))dTej~3O&oUpmOtCLYq1aF3c_K?M13aQR8brUyQ=wH3Jh46UnN zIJp^5bZl+zv)z5m*jwwWo1c@?OD>C!sq24fXiD2sw<<=Ry_6vwtf6Q?42L0Y7w$-~ zgC{p2?P!#p+gJL{?0nW9It`$nN^r*HAK=n0^QM)_RBBI)RfE^f$xS(sBZ5eYmO00~ zvHF|h2>&bP>xkK)N2UteVB9nB^T{$UH@M3ACFHl!d7(YhF6EGJ{(Wo}6qXr94#edv zJy3bor&;!?&81rroJg+-`Za;9#N)_#sa3sZtOHPFY**?EzLEeA^$z(gt8%o% zn448sx+P69Q!>FyoL`$|c zc@9&kR~DQnj7wuYh#pO+^F;(@zjP%$00?6m+>WD+w?3^+IJNLAs0wu1^X|hLl%2;s zJw3zcgqZYB)~#aQAud)o6Wj21H#df-ZzQ}x1xF?Oe4RtT>;oR-r7aVkOqC-KMVHhW ze{BL@I9`;m)m4_ynD15yMU+@5Og)S#yN0FOqU=+DVAE91tZD)u>WPbREjQV;m56Zf zteKNpYATxshE;rUW+$5aeZM$P;RLW5aQ?Fo#0li==&Wec$~K*;`tG;AW*=AcLgi85 zgUqcT>bFUKmaP9!_sh%wbqnxMei01^V)T>rPd!WD-;2B7i~GT+9rTWuA3*mCZ@wp0 zD6;o0V9?cxxp4}HU=&d(pjF<^R9TWWR9=*)qMp*>YaCjoFr*jLQ4GHkl`Y&m%hnS> zLoDH_eS_XcK6)05?6W}g{tP+X7U&-p9q30bE zo50P$>h4$-O1}bKU9kQpsJ3cXOl8ZNXwEo0ji1)9{AU?fMALMmiGo5ThMUlUa>f+P zChLFy;rG-~02mUVt@#{#Xupa4=bJbXh7W(Qd6{@FAE31_i{yucea#Z?Lq}m4g0sGU zXv73_2j(S}jxUv8=duE-o>7l)j{SQ^tm6QD7dO=nJ%qM3X5!>QoTYXb%z~UrMPuDB z?Y1ORJM)N)iN>tAm!Ulvky2a+6Ad&L4fU1Q+iK}>NDtqwG3S|kl&E&&cn2>{l}|S^ zqUVa)j{a7t^UE1QmN17JH4MP;rxNt4v(QQ^qxB*CJK3*-{FRu|HlL|n zGjZ58GY6Phj6QP@jp6cigCL)j%slwm%= zOXuMMSL(y|b1|n)_OjjRWJx`)dPwkMp842bfTfC6Bzu%m8D76Xo878wU?3!YLN&!u z{sUX8FBkTxr*v**kxZUR+X%MBLgh6QdH=%9)<}HP{C~sWsir~PJA)Fm z@JU$sElo<#YMe$+ukP5jI(XD!A2sgmE)X2UE(IN34Gt`ZWyB(5lj3;HZbx9`8TPgC z0oCKa>H$-GWj1?xyIamg%<{vz<$HiZ#Sj|9S0Y5q=T@1s zl*&Kkg*EG)zSLDZb&PRTmo%(_>9$BjC&{ImqQwu7v6OW~o}{ot_(i9Jj&BQROfE;4 z;Opk#`o+;tQL8nwoy%4+Vy_VEKK5VgXgT?bTIST?XDt3^(gp|kRxcl+^w|SOM4K{_ zXK%IcPaFjHGF|58=n<0_pFMo6qcNV*W)KXx%6oKcOxMbHa zl#CqN0a}Tpu=!;V6CqeDTb|6FjpBMpd2(myN}hG#wq>Y~x7SBB4o_qrC*RMVqd+&z zGkmR?Wec|6_rrUiPqA0LJ_|}}9rR?D4~nZO2XmEq9y{JwF#t@OH47U}cfhkN5cV&- zvsbtH@lN0AqqYL>Vj}76oOVaiJ%=v869xmg>hrnUx3Mcc{+tdB;&6XQ0tH$q~4`dFhGf>cQp(DvhYoIfN?h3)>th}R5dm1x? 
zVi6+Jc5CmLW+}PkW(4yN$7h*y zBgsYX7ZmkrHrrcp`cB$W3&4Zq`DA6SfoM2uGMZ)b( zD@6yl{t|m9G{6}V69oU@e|01epIVcAAsJPBrXTG)d7_;`Q)dfAkh;<$ljQr7_KSg; z=>r9=(2X-DW+sg4l?!rHNDG;8ZE$zC6l}02tMdj%2WIu&L1)JrXCrp#} zkc90+uhpvwJXr3B$I>4-JHj#~LQ8m5e7DG!{8dm74L(|6y8zaYXp~+72M48QRp`MKK6KR#1k#{w#;#J@g zfa}e3O*!Xxq@A;PB;9H)+O^Z#o5N`z2cJSYnAr?g)j*^xv?@ce@LlBg>@KXi1@rz% zkpW1RQ|pZu0a37&xVW@bd(PPnk`G)m2zIWZb`kzh1H(ypD~4qpIK|(_j1@h8Je4JY zwb4>fPX$ssz5T#aN?Jc+&a^iC5#zDz@21TrP-J$H5l!-A6i5Zk{^!H^E`Sge4U||se z->axA1s^(VcxO0j`i&$B6&!sEUuMbk6^Ay03pJ!_knCfv6Q)A`EbrCo-OW}H%H^YFy7R+Rs zM(T1JmAYcW=)JR>=$huF>C09vl`{euuy#Z=4{X70MP;q%_`7Kt!gNc9San9FB55|e z^u4tl=v1NM}aB6WY; zN@MAFa!HD3AUIO~{mZpPoP@JB(~Aab>cI?KrY7?tn;3GWd`NM`WobcrMp-RIY_(25*@S=B!6i9T*G=k}nxutbe z6y*#jfR5v)`KS+dKgwD^$CxPDPE{|hqMbR&cGg3&{`}>E-}(T!!4;M5*tC9=0^Yko zmJ)nzMG}Ybk3vIOk7vB?p5riqRe87mrBb546tM-q`r}0i4da8g7}5;j;uu+B11QwE zrrt6_k=Vo09Dr8F)hYE;1`ChP^Oqs&k!vlC&Gk^Dm#_FFg=bU$KJ9>m9xdaE-`MXl z&Ysfu7WVtWFt?`3dAIz?79*EsR1r0Lk5p7U-W#6T=&FXb(o}*@qhX)&uqo7YUciA? zZ6@#)Q?Cg6xpjeV!I+1(85LCF6xF8MZTMlL%kghXLUw`7&OI-+XZ|(^2Su*wiR##x z?fF}A&EwSMOud%(w?JG%tq%)JKYLO32sh3id-ksSBR_)V9}#zL9Z~GtfGukiil22R z>DddAgXfh$IZ%n<0i<i1CQVr%*H&fZSy|UOpAO~8C*vNmko-FNN=-OgR39$@?n(^z zp;SXA2Y|6lAe+Ib__!gOSATwz=>}%gz0N$vnC(Q>luq69Xfbf>-78SA!K~Z<^;GL> zN$@CHao_|Sep@r*p8RHT{IRSx+{PiLZq|-{$@GpCUn@313GY+PAfWz4KqNk#UvRQe z{lz^T9mY~N(KkFQC_&%lEEDZ5M2Rek_o{21|2;y-H0QV~H;5}zogj<6 z(R2V0h%PvrVmTUA9xa@c9$EAO8g;T~^x2(e!Q<{}Yoe*EtUUruTcmW~*8dCqzn5o& zf6KFh^$JVY9{_;CfA@d&)c<37c5-5(XJh=Y$7k06lW6|0>RDd_NEYe>@B=U|{FvUO(hb4KRosgu(50-1pk+N12?O+N)Zg(sI6igRML} zm>4e-Apl}RILqpHdrE3Z?udf{tBkc^bO*%|Sa3|B1x7VQxUb{9FmS&AornEzK>U-x zxH>teCTCNJVm@2(TGtmhH$E?}F9Kfp>YJa`&M(#PrZ{`Y$*)#4N-S;c9XxF?O6&&? 
z;PGW7SzGfiJ2|0ke$tYKGb&QyiIV~Q^~UtP#D2cjJ4_FKvEFii{QXKmNk<5=GQ6V6 zMR?^scdi!?lDb6IUB<5h0V(4N~Z!rQcTAVF1 z`~e$OqDo{<5%FF*{u?%&gd`mjQ5U~SuYv7w9xHmqr_9Za5Sd^vxy4m1xmQuUjq0ui zHPVfQ;_S}}ZVzDin*YZ`&FCf4-}#yo8}0;7=#`QxT|CUTxb<6PzLO0!aOOM#h(k*L|2G}jLl>(2!uE-HFzE27}` z@8(G^oD%Qyx9sL%Iw7B1n?-fg(}rmri72D^w@?Yg0DoPjBI*YLOEE|h1}acoV>m}& z3_zvcq`!w7ZlE?24d!5(C*(Re-#vK-ps1(%VHUdisa{OSj30bF4laRlT^Ty+27S#O z2I2C+_l=s~5BbuP;Ii#t&e?<9{i@SAE2uQj|>Y1EHGe!igX&Z)V1z zyXw(tP7kA?Z(5!kLTdD&;B!EHzP=$8X^t9QOBE;Kn;Go{7r_ENi3X%debACav?63( zF+!fXr27IbtKyn^Tuv@LK%w7FYbWrX`1%P9XZFNc-m4+>xSw6#f~z) z#|(tr0C#@k6}-pv0)p9)g{+Tv>~bM|F^Ucxs}Z9zt1pzicg44W*AQf7MY^&{1BM@< z!t{efq^W#4E&6*^B_v_*nx?+A@(sx>C>{Q^n}D;O4O@_XL_}u)ADQ+14N}67&$Ma~ z&JU$n&_(l>p9r7QLJ_S|ah#?H$FIv&#$VhDzJHsQ{QY&4Z@PWH*n6-w(q)HM+HUk6 z1u5Mg6!ROA`>LY+u`LV#IWw}i(^@gB3q#opI16c8Lyv>4y@xF$3ut`4c%%2Vr|7a& zv3*`~qH$C-)$gi;No6rf3_ZO}c4-}}wad_%O$iiyknM|?SZ!q24%p6^5aE|@j7 zt4+B-tW6kxcwP*_=W31;9aZqtq1^e9E8dZ z^ok3AS1UQ#CB|gY4b0n!GT4Q(p;)UIwHxM7O@jU9_Z!zJ;RH)uF|4N^ZFi3Zw5womg{^G} z*2xl;Z&Jq=#{02EYRn(XaXH*uO%=aQ4ZtdCZV=UIdhbenv}t6gh!>}ImkcayW)vDY zrIC)x4)!AWD!(5lGIzeh88yAgqxehQ!sG(m0GDG`w`WBnoL{^YRl`FH?9OR8Z#c8I^>{GzNu2t$(ZH{< zkX@8&Klg}$?-HQw=d2lUm=1`KZrB&nul=xxu{(?c?T0L3xu=pt(Md9?>d9Po%%mUx zUcbzGC_e@Q|Cw%yuX?}BqEz@(r*^NQfeCZ$qM+d)n(hC1WvBe%%TvH?SB^zy{w_~1 z5~f=~Qh{vO)B#qHEU=CVGYwIVQ-BY-0+QU#Ojrb3UO6jkNFBOWjb=~ySKQ7MM52y* zBQ)MZo zS+*pniq2}6VZL$LZ+NEH$H$w4+oO1_h#BI5Qad{{wTMIkx;BuAEWrd}A!btdJ7;kI zLlCEd*r^Ayo^Ls*eFD`u>ycY(Ckw?>%x>?|6!L7DA-H5eN`zi(9(m4X^HnG%VQ3y`g#f8z5MYBt+KE|w>iz2g%y=1~+F{sr)ff28EX7L4Rx2PEc z2Hy8Xu-P~uEx5H=-(PQG9!08;`4<)b4Hfr4+y-;fHNo>}Sfy$T^zzn5!S`S@8)|Gp zOgwtRxZs{-eOv{OM1GgT+*mRV{LXY2Ncjs5LGoR&>^l>>2L#zq5Js0UX$Zs%s>k~n zw9htjCV%Fx!L9BH-Wum^8#^>V5yQ%8{@WP=_@^Nx;g+L(MO~bBw&|l+@d@ zF;e9tbGE)u)kqU(66U=<=B|>)C6dhN=N+Qov4c|vfdbHxI8(uq&r8?1Ehx*6)h5x=>bn*S^S`= zLUVE1U#@Q92U27NzicMHtl8#e#NchftZVx~`CACin*#$cwl5F>6@ zxwd0EY>@s-0tAvfi)RFr|2<+Ne*h%z`?o$UU^Bme`_@iQYx1pNEZ0rkJ34}776ej6goe-E_md3~NB*=-XC8D76n?44%K?oJ$uta~5 
z6J&br#K4%d0^|$tXKj*6Vh^Vveqvcv!XFuwO@C)6RK<}w=71D@5cH;I!^^%Ba3QE2 zA_|Ou322@9#!Hal0t@|YX%2+f0Phu+|Tc~nN9$|x?N60MAVovOCj}L)V5*WU?U&n|V6c#+46~PfW6~Bvpct-VD*fwUz}e z@b!j6C$2~s&`}_l*H|;6h|>PTE@b``_8yaK{gWn*_-fjEQ%w@Uv!72=3ozDNxrp;w zpGuO~X{D;t(ro1|IJF;lWZN`A#7*53;n|wzZL)to`w_nN-FwP zmnaBmu$jk9d$P^tvMi1U=~|VcVuiWBAV?u^EA4zzUxy7rz7i@fX+&OlUJ>Xzv|EN{ z?Y?8?AQGE-%qsMXy=7GFM$6{Z;^l&j&~0??7P>$K31eEEwkcgp{oDf}WaX9>X$CVt zG=PXxu8lsrX|4GjIe}neZ?ZYM@tR*1J1#i|RXgfke@@nz_kSJ~FhH@&O3z3SM`MC@ z@b%$D=zk+=hHD_r9Xw!882f`;#eT;~ljs|B5aRb8l!*kttZyGal)F(1`KzOY!{ea^ z0oJo{AMNQYqivFBK=C@|r)sbC3H_mXQ&ara_lO0wBm2WTiQIOc##6YIpTzc+7n)KC zCWFk`-%X8i%(05B5VE{$W$ zoCz;UBlQrGvps87%1D*#;W@DJj@;?au~j=lEi-~AV?Oao5M!r`Nvx_|n!5*HfldrU zb!wStthn$bT3Gxh7hxycwnfh4C~>PQ^E~Cy*c&5Z$?PUSNw>&XiUv<NV?UA2P(Fm3Bt1rP*uFBzM`}v!a$Zw>cW3rD{cetJ4PvHhKz`pm z-2>iIcaL*CQ@96%-}QhrunsDg82g&8BJR$wb0##jaEgnsuwEtD5(BAAN(T3I+8pf;)-Fb0 z+qC#Eu=;~>2?4A*zd8y89U9hdhP4BF<-NNS8FkuJNQSOAgA_SIKN&gEG?ITmZ_gxB ziO?{tq#5`B8V7CL6*ud$lYD)bBiyo+{+Wxty&ytUxz88+8P>q-ofclY9R?hDd^^o$ zcV<4^u2hUuzBLOt9ZAp;Hop9RT;>Pz%)XZSylKl%x3R}6XftNPt6vEA_{*%b0L;(0 z)~p96L@7zC6qFha?y`09!+|cO@yPQ%dmf8=5A&rzPxiKjqe>=uIF>3HQL&ajxA@kH z#Zy9N#N_B59^C(H00{fkwi72)RIcR8L$3ujYz92q!zuS$K%=^CR`Da%-uVDGr&ordW*H>v>4R#Tp_)%PxYgo7@%>{scq?j&T?(o}JC z&mz(9o6iqW?P~byyGLbpu5I_&`>B1YzQ2{Fb;=WSQUj77>|WmCMd8~4#!*P6GIvsF z>sjSdm1zpL7$qOj``!%pkG`ep<}$!arIdGM%B zfy1sRP24Y_>CFMT;|+;s1^R$u(zrVw{=LweRkf9cWN435mbP?hJeJ~P?zgQvX3Kc` z>U6+-0CK*-Q{P$=%x`#%`5)zSNxc=em zj{8+4*oJuA&$GmY^Nt^BOt6{i`nvDZ%`~T&jcqaaImpGJvh$d66AmLLtc-AUyQ~3| zNzT?IWd?R!q%2Lhq`a zu&kd+`OPeU0WXxfheEOzSR$iAU-a{!mMuC0mv?q>b6hz)$BCd@b` zT&XR>)K6mA>3@G0^W7G8*(ELktVTJV-y-<6GW(gZw~%j2Xs1*`HS?QXvI({(wOVvG zjSU$dZKnzp<71hv&&K4zkD_}NhM#J5L$S)^J&4H=?_uz`60h$uGKPkM@;oI~N$VCa z4#eYDa3sr1A-4?&FC}Q4k;BlFyO+b%vaTifBD(wE{LJLK+<*3dmar;tyl zhl1u|j`oav$M}ZU6tjt8Cr%E*ID$}P7;{)}`j2d-Os|#IuVaYZ%`i@Ir0JquOgr%# zJ(w@QrpBClFllLzbjh0SIu-b(%3otN--LP;xcHlI{d)9Q0CBxfzZVYSE{uwhV zZlIW_#GWpyU91%UbZWBH9FY={zT&RM$chO0U 
z|E701benDu6otfQV2Jk=0khIn;naOqF(owN`dF>kp2(|hb81{l1d(d(0G~m7^b6#C z#qvafWfy7P-I?DqaQNbT2f_>kgLFjxxO9i23~hU-H(8+lvHm9W`rzx7U^AJxCyE(p zptL8}_{AD^2~}g<57mV4q>&?27c2I4$6|LT{cOi0BpfsKo!c3Sse*#^WVt7I`FCmC zg^KsbDZL0c)H%7PARLU`R4S= zt(kYhC~~ML$kA5+0JuSRVt(Fyet>R27LUZO&xur~(B&BoW0>4prGUp70lzbxT zi)>k+WCKj@4Mf(#?JA>Zvd61v+#hibrvglTGH1Ef4kt|FX&m^&ECwU5Y&7I}N@Wy+ z52(Ku|A^#9Y@Noy?)EqL#_4Sp%^2fDL+e~+myQyf_5HdJ3sROZvYe}?ekg2^J9|12-CY5H0%mz^hjhOVr0)TS@6 zp@S~;`%ZpO4Ib<;PLF9_yl(VQDPC{1LL}xdnsF?ytEuaP)J%Pf%_)z^YVu#^?^{KW zaGnr5p6n&AVd?^15??xM3Mk2P$-2`&uXxN9<#DG$xm-OO6x}f@WRI^I?`b15t!m!x z=pR+U=qkJN4!MAnX~7udcHO93+wjz@wfyP0Encc?l*oHysJDZO<&lxU6&Yy)L7k70 z)XTG9?A%0OIobiDBS?}Uc{RTH~x4aS{? zn6pwHH5G-dUgBn?e(wvC*tjOPmGMoM6F>GB5frs^iFrCHhQ7xpfSojUdzjoc&fgur z$}@+$Xs68IGzAP7X=%MUI7KhAxR`SbnL&EGe&nbqe(g4*mYgxD2_~*YQ5`P4cO*Sd z@5eLA`j zB~JxHT6iTDx7>hJIiRKlFkE#a2G_V$$IrJ`j34)*1UlSmb|AtP{Fq=iNT)%+=x9d& zxFix!XSt!co6U46U>P_LstONU$Vh?cJoVmJ{juSmJ{_PSQEw(Z z8bN28UgbGPdvEspbcfoY2b}o-Cf;gQEwOM1ov{@q*L^`iycGn?yA7mOMNa|m+7yr0 zK9Q6K>%Tz*9d_=&Q)OY4aO;Vrz;6J772gpm$;tM!!d6{ZdIOgEKPX7!HyL5l|Am4$ zIO_kuDG1yD9|ciEfo(APCvqw5uoUOh=q-|L=MrvDj!m>t(JLbrZjS@kKcoE@Df#@u zg?_T139va%bKO7BGTq*TBfL0->pPqj5(Fb4LZZw-lxfAKxQCkZ)1|<%xOckS8G6{y zHAoZo0{Y9%SzZ7->jw3D`zPzPCT{=g=jGK2;>E86tOFeI1NHX9 z_GwE)h;ja7O0NJJ%-*l71x5)*gRfr+_gRz(ARRUc{R0zy+D^7*pv&FE?VAq|cSu`~mZX&g=(vi2^k*?N)4b1|3 zN;^IK#e1Q71#G&H)bMZpk_e_za!Y)CPpw}(o+F%uj4&j~_2@`wzp>XrOf{Kwgtl2+ zD52)~tO%cigIXa%>Pbv|zngCgh+wmi?=a4vs#b-8=tc$a-Op9$%(4RY?Kf&^8$fn$%Ns2*HsOh0rx zG;2Pin9BMTg>VPTV2!_PG2ato-=CcATz;`$`DK4j*O}j3Wgk@G%lOUwe(C#Q={OiJ z!=TSd5Evw(({p_+MZ^y=v@? 
zf9;zPS~_PoBm{`diMH8d&_~-5b-nq+x;1}r&uUn)U;F;vr4L~Lz_RaWeT=EN!ed`( zm$tv$FnP^BOnlrZh8s6bfEj9UQF4hpuD=|cE$Rs93lru`a;$t$RGFhMwb8^Ab2))P zr>T&$A|>v_d!Vzl{1+FiRko29GEHo4Pt%cD3MPOF5{o)0)rzykE6<#nCQ4)Ue@ZH18uapb_DHH zYvKf&Fq1ahew=l3mR@NX=r8Q5dYetjY1S$9w4oYUA2U;6i4lzYW=>B$@fe^~bwlF( z=+MB_SX?d3HN@76-erZO%kIS>#k!5Af%`*HnD)?Fv&mk%u69%t_;ZB8kMhBGcwk%k zhv;%w_Gm#j?4NGnh}-1_lQ;$Q*-`Z`(W183c>3_YDg-35Lw*0V3sq{WIzc>rbVTP4 z;CvG%nMFi%^uS)t;R3U?dNsBWl7^|+aO+cT^Je_6w5j@rm~q?s$kvqU)SjSJAPRBE zG|@!5%w8So5HXtzQYFx?+{R9I;&W6c%E>0tMB(g2L3+zqEjZn-Q3lT&=XU218YMX= zA3H;RIVgWS>CUWuwWqfqLctNTh)T2y!h{Pn;;NAgLR=fL*h(D)}0^(>4rD5swr=V;+$pw$9W zX-yC)Xe4=tJQMy$cNPddf?7|o@c%rwkWrDf^*efJ!IL+c@@8SvUS%Q3GC0SfwjV5Y z`yViTf~-W5Thi4+_zJLfR#}KyVv|X5=&1~QbqS}eQVQ2d1CEyx$R*Kb%(pMcu**;l zQS*d9m!=D-NPc1Ga@l=4#DdF#_MFWV2{DnQ?t0HK&myuQd`cYcHNae6{Ra!K`O-2Y~ zn(8Z$&q%8VgtIv;`cX)J6sktDy$<@N;!pk>o-I57MYL;>oq|HBbmgEBZMJ0fky?=Gb@BLBL5Ns z$=Hs7Jnso=BF~zeKbuU^>GGKe2wOr;3_s?=?r-8^$*amNwmJ9NFSM%HbFX(Uo)ft< zZ$!ylNcr?W*Z5FnE6tg-cJnHpOuH)vh&7wXmu!4K#&Uqoj7#jzy)dNe*qpwM+%Acw zuq;Ln$@{{$A*O_Sc$W#=K~pYVUK_hyY#~`RX71XG>Zs(GF%A^;8In~&6h;6fuNd&* zR);q2J)$BuoF-H$#g`DBR+81IF?BnbGJFuNu(5eir{NNzC|s6YEtmGQbcxV0Bl!j| z8lkoT^#iL6-UFPWgLc8&;DG>2-c1aZd{ZXg7IP$+@A$R_@IHpRMi7LOy4BR+s%+Yd zqls+sjlyh~PCF(xpBxs`WU&$heSZ9KzE>e2#X_m7o3teaJp=_bLfXW(iEN4_6#$WA z{z_p)8~;qeF~*xGU-6^QX~;9^$AC<{Uo6^W#6+$0KZWfY|8s4~QsIZ&cY=7)IQ$NfoT ztsgVR&a1&4i?C4<8b}ARJl)q{_rt&CC?(?+ofx5^ZlX6H#f0YJq`Y2EzbP}Hp`}$c z!dkE`UspdeNSt0o9f8RtVPg8%XhLW?-bJq(>rtpZf?(nzG$6h)Wk|60l!O8a^9ZyC zUg1xpR62ij#{T#Qv-1C1ba!vk3Z)Kg^T1v*ukU=jrj8+6yb5wBxluWn?cGh3Bs+eR z;4bjJ5FG9cOW>d|sBc|77;$-(I4;Sha5bPS@OIeytGoHd<}$9n1N>>2#56ikT5!eu z*s*g0#ct<-o2C$e>#Z$y8xgy@sg$3O{DCh7y4hYg01Y3tnr@V(T0vbIHEKQ8{ zmzx8pmN&9n9Bv+Q=*p_Nl*+W^gKau+T4V~zYY#f&x8^N4&}%^C^gkaTAqY@s>yLrk zkHILwnCSdx!Mb&~N2>Qp1iFt`*mt(Y-{nQB_MqWRn?j$cHXvF8POcP0RE*t~_*5Po zy{Uk#f7N=7lu4;F?SPO{#|c;7nWC+AoI~!xk&bcHA2hry`P^*{n}BekgcmKXbFoHUPJvs|DTY;ar7{7XLGXvj1-|HyhT8g 
zwMKG}8hoBHm4Ce9d~}HTZReSiW7+}RwQnI=;f{Un$~X4fN{xGF2>fblT|c$&3hSzUGM!J&czVqI}g~fXkWUU&hyOyO>L6< zJ%wA4>Y3`uK8E$b#}YW&5o<-E8h&9nr+is(Cj3ymOAMvkV)kze2)XI0vFtRh!z&s> zztgXv(-l$%-htHwC2V~O25o~!^Cu&iK_yx1<7MrY!3BJMDV1bu;Pdm<>Jd$hTanZ?VWjNuh_7#Z6+;S6H3_ldpvf>8|YnH zOYhLUzpdFeN+%`rs~_y1)0>2J+!*6Bi-vqLkR6@mIi zs6{~-PCE%}jX@WIliivJMf%8=#?MOmAqiseLBOmR64!hl*N_bCGxYG`&eo$!Z$r|j zKQ$y(T}tEZA+1UW?F2AOIjK8~={OGpX_vGtBL|ZCF(jsmLDxvPt+<=wQTT3RxI1n^ z0vSBFc4{=x@qH(_^dOO^P%M$cPn*Thev8no#D_^#{`#rcd!YKw_f-mnLGmLi(@F^D{^zykc;L)*bvQbnaj-KYyL3Z0kMd@U2M!Fxj z(xB8G_rpque}R=P^aqf$8LC1Y#q#DZ^th-YI=;06BU`kP6#BGAZF2GYwg`lwY7Lj| z@h#rzqj)H?w~xEZ+HhMF@|QP=fuw6B1}#-ni3QwXr@O4G?LJ_@7W(xdcW`JBR@Af zGS*3&W^a|4QNh88@f?o22E|gNv*r@pU7CM4`fQZCmX`gn=OB++GX{xi$n=#+?)>VK z1bY7K-in-5RoJ{_#QttwthaK{DtuQc1VaXv&NJe`E<|uVG&OYWFdK#nOYzruVA?ZK zv4D)jg&5Jdr(`~faO4RzW+^7gsS1h9-{yiNn=Vg=J>=Gv@$+12Y)(R}H!|{S7yf4= zKK_3zWlYwcd0sKyWdzf=9s5C31D3_DN?t43=e!0Xxx1^iL&>61ol2334$etbP3uP8 z(q7Z7+bJ<~x*pvlX1SCuuY;bQ6$(Qfc$B(Bs&VA>Hd(U?8@9m=cgV3?n6mn8FdGiW zliyfj)&~4befWtc(Zp=ikDZO4glHamlq^*{FKd#$_ z@5oI36?=V|hn{+F{Ftp*cbh7U3%>F@fhr)o>5tTDLR9^Nv-)YC8ZR%3H&j2wX}+uS z_%4OW)?K|SQqe_Cj;@8(7={BX90q_ETc4T6{J+7v0h}wtrn*Kqz!3Ar12ZIwKjB`Pssz zc4sBmUTheI;w!G}8m<#Z6-CI&UvtAN&OJAhc%A5)86<>9nvzpxoO+M{c5808g7)xsU&In<#`-`{BWIQJ|u;UkY&S~i(?H=XJBb7m_( z| z;!@^=!z!#vh)COv@01ojIsBzZ5c8Yn?1Q_xOxGjMKflP4Zx5*3AKckN7wZUH6N$ZB4b? 
zUsqwmT)gF~?j>fyE5RD&L7^MT0S{VgI#PWdSF^yNa0YpByvIpfdvV>anzw;U(6i|( zK^FT<133O|-@xuTmiQE$ziz1$(QMd(_ZVCrqwd(GS}CWSJqkloe8!g~n>g#8An`9;?_;Qp`Z~WJd5D2si>6+2wMifbRh*ycxGItKZ&VMJ zMosk~mhHWC>%bdgJ|l-vECU=VVO|m}24Dv!O^GNWDg%k#3F{uijRPqGhl0*ke6;5k zK5I5Nz++5qC>e4QjbPC|LWLn;phfLOY1su$Qm4<=Pp7#!&fkHkSD_NVCUTboTj;yz zW5(oG8uQ&!rkcZXeoY-EZ?oWu+^45QZ(c<#)-o5!j~rm>x0RDJH4wg|^EyaA4ZK0McM>$zbyRoac6a|zAdc{GUQy;) z`7!ahwZsc91SL{ot>sWz!!fBW$YW5E;@mXsnr6##3-xy}H2_WAwkv#7^^J+`?F00= zXvJK*iF7W~a(f**Fb(c+6k1Fk0-+XwjCN%0T-Tod zEe@&Z(Ts|&v86HX>^5G#ujzNTHt)^~g&`hq+mwwWk?uRwR#3BsVua(Y$(=!;2YOkU zBU5O2HGY+kM>^_bwTK_CBd_yu$o#xew(KP&k`Of^QhihPp+quBNyK_h2>efOjHua2 zHg}r;FC?v*N}H75j3fI83l%R5gt73%*j^YLz34l_BX$KHc3w5+>(*W^?GJOW2i2@x z4vJYEQ+I(_v(!|?z~+PPj-ti^Azw7 zd63aCh;Epz4Rg^4Tx*+_+KFcynw5d(?U-whI997`1AVO<7>24eklu$XNYNbP??YSu zHHli&HZ5E~p=y=;lb?vG4fYJT61b!}zP}H+KZY?)x{X3p!&*;0p4KfWrj@#=hj04T zN1p->qS4jrfTG2WdU53X>@;l@*(A7ks`1E(>jf`Jk0mQq|9qmb@aVa+(v;usm01Mp zjSM?GNrawfMM}i3fL)Lpa&%b=dk3AOpMUcgEaEc*C9ooemEMe#WsyVr!>T9V%XO}K z7dVSRd@s-94` zlGG3Fn#6f^chUX`VnytBGpKiDK0W5YkN26Si#5e0KRXw>$o%mKvB;<-rsi2xVga1R z>JgN4K$!)Q2W=q*JQf6AIna#Xi848o=RmcJFl+Ap_L#>F=RVNBZ z;*v_SfNLsB7QIs7Hp5yhPGv@V9s2fp%IorFLf?c4AH`K+u{rV%bVYc*YqRB?jmY<3 z+w_p)=XpaFRIFJaOT=KYd9rqTb|h-?SI+1!!jN}b%N%T-ky*JIo76(lu6}{_)%Ymv zZlIDqS7%SDW9I`-GUK-d=!Sr};*7D2_m)2V?Sy@|Gd~_dm@xXIOMb5YC`Y8Ja%AP{ z+_Js>3|#=i4UQgF+M95V!`+z4A{@>5GUi~>GvOzjP#>|6q;$;V&CSH05lS9STjVO9 zkyvTW*73$6rKRBq9`&OKci;t!&tc4{weroNkxDXe%fGHoF?*P*g-Im-r?IsR%&z3Z+Zc8cCQ zWN$c>a`wW$#-0AE_(TXWhQ%O(sOis~n7uKc5&W}U6ndDlb=YoxKB!5@G@KSZb9RqZ zAZv{JfxZvnCwOTFgN(isjAW&r91O^r@d=CX5ccZ|}H@C1|v0Pmtms`2OLI?!>!ChSuVu!b&uCE<$ zs7)AdmWsO{R>~T9dl4N3^dLE(W!>1-*x9{|2~(ku2l7$%pPN!Z)_28^uD?xo$w?k- z#A+dH?FdgXC`S2lTq=JE+-ShuU`bF};3TB&chU1@akMTk`DI*a3CLr$Z+;}Af5?AY zQV^M|f9NoH!J?qa@Ojb_QzQ+;dPXalw3Hm0M6QtKkeU`rH|h$#hmpELEvt^ZD-v_d z4)(|3sNTo341eA76b>{SADzaX@%F?f=;AQdgkC^r*Oe=;?hAOw12&ae*{3WhGM;1` zsJ43{D*VsV;M3qXrgd^MsUvs#pLP-DnKDZASbdK;)fCXX)Cdb&P6n*H3O#j}8G*Sxl>SF!IA% 
zF9F&Q|1KWX1d$a+ct)rDTKXOgu}JUJ;*{5YzU$M8rgoq{QHERI%?CG2a26Woe-E#s zS4C|rvQNPqq#lS70kQIU22j1ZBv7Q-LfZo}*lrQf5;^Vh5+r!l$>EtJAkHg!5F_cj zV17FWCK}oNYS@#1Qs}ANUoP%WXo@Ir@aawvDTOP0zxFi5E`=Y^+(gnYRsN$JLG&hW zS=z&v$QN!r63{6x;1S>!OPFcmB*K5(xN(f)>(oZUQQgWC(C2~Q;KO7F%Tk)UO&vZ7 z5`IM25wHxvJtWEPB?jQJma2=YARL0fc^do*q?5VHRm$Zs>XO;|i$1Ow43SaOIVO+( zs}C96f-?z11cIZX;kk|MiVS<}R@m!A6BDEqGIU8X3B3zlO!Ru#_KL= zu>!L``OchLAV@ruujCQ7Sq^F5X{Jy9h2%k<#5y+mB#8lJnETABDq;8>#T!V60N zogpFydJdyV@FS)Ah{1)lh*j&^DQk~Wup24~-L5F)-%fk(p#wMQ#6CT;naRLZJ7s*0 zj^t?mZ=*as_{5{FM?LouOr$QkUr(Rj_ES~=&MbONrUTpLd2Hr)`2Vem>DEfqRpyb$ z(wyynCrPK3s-FS8{R_Kj39&kgH%hdU>HjiEyy9W1*m`4?Yb-A1@2KN*&O15`hOz1soQwJrFl z3%^~At~{-VMBLm1ON-AUz!a-dO9VxQIC+ix&zt1r+ux|xswNv0Q8&_)ZX*j>p74dC zeNag6ZYUNauyUt({-p6DbAP!-^G0H&=#eI2ZGk<2@phR98)CaFEVSJ?CVmabPn9Lj z4@*buT(LNuB2b5=8wH=@9RcLZc3AAo`{(KY@%it3uJQ?9eYeRS2NSXj>`-A{go9R# zL*eL$L0+V9y=ft)-Z;EIHl}ba$mAL%_3n~;QatB$pC-{(c_@am^JRfNITsjQOgDGB0bL<5@o2Zg_L zaVNyB2QL94I7|*`MukhCjgIchYUw9;EJXckU7iy}k7r8}9|8u*eci<_k^G2>sYt4C zz0j4|t3PJIZ)PE3?I?-1zOb>4f!YDSl#t5hr_J(PzzFpJ#_o6Wlvd8m3ov5kFB6xbt3 zlNOVyqk}3jgL~P7rM;!R8}u}OxJ8n7y7K;(rDAxwc@9SSs^z5qWQAwk=D1{Xl~k?g zk1n;7blb`{th%*#=C(v8j(0>8U>4|=IGR*v{ARn|jvC`>7q?LzbnUhc5-_6Iw zLHe~eg0`#eo7s=%fr(;{$y%6YT$9T1O9|uI;vi1-a)P4FRg|h@nD4G=bN$96+U{^qAp&2#(^xq!+Y;pO zoo%Er+hpu-k@ZZKR{AFcqzgG$>mrv5*x6R8lQ)@JWa5u-FMj~)6LmK<_nd{8MZWpm z3!U`f-|A`}4#p*TLkw^L&^3AuSR#{(1~^6apv=LImT%oj7cSV`3?HTVt{XyU(-91} zKAyYd1q_4iwm*(mo+v}Rmd2Q@Iw#)-4nRbG~bEUrU&tYrC(h4&(_#MhT5B&ecF z)I9#NW2{FRP(D-I7##E`E&_X)05X*ZhiiY1Lhz`zY3 z3TsAsYWQ=OFr%JT@J?5s-wobwqk#foX^IW#hvNqtg_1dX77A zDmXGG8nRh+S|lVd@fJmecH^Yx(qiPrNCpBD5*>&1H)#~UDR~+?V`6_d|2{iv-M53~ zUf$gq6GE|M#=k$wEgRJaPW(rgm=OOvt0>(c*}^Uau{*Y3^}{*1`V~1`QY-S8*&!Qq zBD#Wuh7>E9Ow5N&RUh&6-Vr-2cNP;Wm=83HCi-{sQVZKX*QWs35Mz<>E@TE#KM@YnH zU8O~Sq2<8iAxoDWK^|Fd3xu-xSwk2;$^-wgD~!5BKgCAvds}g{Q?Dk zI)Gn#z`4~{5x`Ig<^gCp)YOO%J+K!&uzP&U7-s+{MJ+E3+s2rl!<;x+o>`Z7?rgJ6 z#%YS^75~#1b9f(>IcRI-45z740_yO}7U=sln$O0->6! 
z=dGHzYtmn`kzOMlFhTH!ggo^0`6!wyA1S=T+e6BW_Z^vPa{{daULFNBex@WlcrJCB zcIj5N2q)8U^ug*wve#EFp)6-m@%tew*1KxRml&-SH0~mitd+@2M`}W`1~8W9H(P%l z)>A_VMIX^esWh?Li?W*b-5>)!uY_cOYvjO;@237CGa6~z%^vAdo{7S2Q)gA16y@ph zFO&Bvj{d)yuOwXOS5JoNrCsUV($!VX;QlbO_)|Su=ZvG|9bZXwO!FpN*Ap_q@!2PWu}Wv@z;=If1OlUf<>^F3vWe!MJkg_})`3+S_VdR}{ z2XmUqsKpc*iZx&G07N_L*OzN%$h-BI4;QsCO@f;#hO%b1uwhSf%nUt}-t66xyjE<- z3AuevdDM)MZ1T^8OCRq*HE}i(@O;3=XU0q^e_{9Nc9m0-rz<%E@hN58MTqQ@B%QZz z$rZjTcXvvVAr^~rZ@4VMH#dxm;h6Vj>&^%amh5cqymI3vK8UGANa4)MZP0s;SLM4w zB`R861D9YWaY)s}2r1};(W9kKaRb_d11$)E3u%Z=lMq&_vK_G(EXczQGWIOC>*=6#2_jK^vH+>^}Pv+!-#nNBsZbn zKY^RGxgl-{aPQjOC_wW>XeCmN&ai9Pl`5JwX_DYnsC+YD&%~2|TLRi{&D`PDC4c(z z-Qb2qK3WPrp=S6Be*jX@wvO=Wk}{oKd~b0@*(j6N>I^l%5mz7queWyT7jcmt=+P*} zbecU(BZ(C0OzZL6@=`EH^?JtqEGtH=iadf%BI7KG;kfAKYB`)lJ^Y4-`Qug3o0oiY z{oA}RHSjkq2>8jABS<;!qe#kq6 zbog_w25rw%*fk?K@G3q*2Cuz)_NXB|uJO`Y;k+Dcx*(FIBO7J?7H=U^cxn-{7pJa5 zi&XQ9Ob1B5`_E<_6RCAo+7#$~2=$)6%2?aJl#v|8l)VQ47@JHhyrHkrfvVwlS&f34?<>N*u@>(!zrDwE3!G zYh-Je)Nus>h|eJ!s;mU}?H^6uGgbcx7eHo&Hb!Je4n3~MUpRZI>k5h;{-%7z@sQu^ zgLQw1%GxRY%ws@y!Z%lXo(nVo@>fB{Xc~>dg29t3bE;KSd8hD%VNj^8mFb)0J147? 
znK7-(wE$7>E>p(A4d8x{+L+mQ6XU~Rw5wVchsE+!OI?vVK{^(I(DYCXGF)Mje>44V z^sraa*17TApmwhWonrpwaOPniCXT~C(nqG5HChmY3BvZq^{;Qn%Gzf6`?P~*?!}eF zOTQC>z{9=j(qjfeT~K@`s~D?X)+3OqD*U3GC6xmeHvufT+yTyC~uNSR7qz#i^oolriDTcI1j@iTMuQ}Q3MY?@M zmt(D(GP$k&oKPrXBoMpqHKA;Q^G3e8b_JI7AB?@jmMB`ZZ5g(0+qP}n++o|cZQHhO z+qUh9Jh$}jD`d7TtlIp5)kYtnF|t^ElA8cA=)6>@x`$ zpl${tqfb}7q1bbMJwNFECNv)I5CJrAeFhSF z9naKuWdGr9(WJI}VS~1PG-F&5FTq7PV{z&shC9+bPn>2C9j9fAqK-#A7LQ4zha#6r z__ZCltRMdsLEZDoiU$+a{!r^qE>MNF_U@I-hF^NOY+zZ+xtMf^jr8^R20KT&{uebu z;gBo>^PsP+_!g4G%@Z#|CK$ojKf=<6$iHQFA6o3v!}J2RdLL0UHI13639sVr^+eL@KnCxadMqRHnbGX~vZR;^;quJYdnKR#9+s zbPk1Ga=m#`R4q9R@<1!$B`RKcRrrt{D)U>+d-)m#PA*MBB-5LIHRl0e44~!ECqWqq z&aA*b5q?#+M{xY4Z$W@&+^XOMIFUsLb(}>H-|ZNoY8K1)l(e7^KSM<%*6OvvgB78q zBBG@nt4|sJn5j^F_fujJTPtKLf|!C-r=6?fzD4ik$TQ1L3{J8>oqyL_!YfSSFw51< zn5J}G$`Hr~6_x6Lxwn>y8e?s;H%#seXK#(B#{FkOV(UXU8#}0($pQLbsDh$E019iK3;EHI|dP<>D_@S<2p8(CE zt~@-j{nn3Mu+8rataJu>CcLcJ2y$))KpEknTGQ3S5gc`v3Nna`$u}FIb28^{aypmiYBLZbzG}z&QE?Z6==Tf zx7c@IPr%{?7FKcYH>b6e6t0pF?I84lxM_!S5HV#mSb1^Jav&Bhk2+%F@QWhoIZbMx zshb!KHed3!-enJ{x(ORIXnC2$b$}5U^kiB|tx*!u^weApn{WDGR;jZ8b|hq(YqZRW zhd|G8B)hDd+lEpiL^}3w%JaG|IPnM(gr3O9+0a=p|;&^FEtuynVE&VdGw*ZOxRi5>+!SmlaBHF>t}2e(a{4hPSWtv65X99%{U zHpxpeqbHWLyz7Vm)wp4lWtCVVBbX%Yq86x~GLBEe7n^y1pAFelRWcV{A10YcDNX;a z_o#FwXBdSbDqwJIGB$y{^+c9weu7Tla@9EYDxbG{FnwiADy;fYqe0!F{6bQP9b#3=q5(-ku!V7`>`5LsA@`Bl?;&AYzMH zV)K(E+n7ke-h&&l%9CPe<&-KfAj%P4^q+f*ShKeI@`La&K*OuH#EAW%8q_HIU*y=g zu^g&Wx!g?o4~jTcCr#5t$Cqu=0-#Y*Y1HI*jT-*0V8HDgP;uW!Rvq;#}@*0hVa%j3?evm=N(U*H-_qAlNcP=N8*s9T#{K=1*ajxoUJE znx|})w=PE3D?GkxJxP1SX)$OA3g2Pq$S!^icTel8=>#B`n)JWkl`K;qX%qZj^B(5d zQ_M8E3?cMPx>gR>-*Z2Px%vPt{D?gvQI!Y1`kp_>xT#8cRosvwKZ`NvWNq z*bHY<54R_*6yu32}BTT2d#z{OX+;X$;|hK z^gG(ulV4sBNlcH8wLLpvn4g1LB=69661Z!u72~6d8#A%GI z&B#0z0*#_pJ>W?YJSNaM{U^3xU(kHcq)|xe{OuL|KCnHAQS}7B#YJI-B3{{AcRI^S z&!`%^>n_uFrP1vCNSi=%H+&tQN-<|?{*WwH{wrZl4@tNA*&xI_gvs*U0lGTd*Xw!o zrL-09BFf^)tNSQjYT}chdBT}5OWPc-m{nR$PN}_dd##V7Kw!2Gg<b)o4E&qc;Pu{1Wt@zljy|>JZUZZL(=PEHs_pY3h+s 
zJh@MQ$h|hBM=bs;&LkwaTmyiV(^t1Hpnv_b2mtDpgjTS$@M6R6yPi-Au9wGdqxFx1 zkJdNS%z_X5RoYgV(TBqC<+vE+6VlL2|4S40QhU7iuAWjqnrEjnAt~(cMk4%5j<`5CI0VW!IJ>SF2-$z4Bw6!Duel z+nf~yX&C}H8vHWmi};0ne#&VrXQW;Yni#odZmf!1?Pyp7;}vL|+e$9Yelk%l4iJp2 z0C8dCM0&tjS}0cWp`%6`-7UNE7SPlsr;Z{IkSKmQIt)E=-%SThOw%J}um>AMYp*@_ zK{)-7u^a>B7(fi}_kVZq{m<%4R|P^e5FP*k-hYqb|4>(bBYS2Jmj8>r{$H~%j7a+-g{EYyaK#k`4kJbcqED zCfw6mK^WK|;J(A*uL+?g0ii)bWrfwErC4COc%8?4dz(PdmJfkGT>Z~aI`@zG&yU&= zL-cRWaF`*QB>3-p{SS*PxR;N9=3fM7hYgIXq~4M2H*}BB&wNTu7n3p%i)1C^9i-Z% zb<7>Y;NEs`{lc5cxrqP7ySGo8`?A;*Bbjgpb?ie#OB4V_o_1}`mJmA)YgM9VZ{q@> znp&j%kZT)2vCWq2B+`Y`5=iUL-~Pkk&e%cwCy_Fpt@5xRniuNoZ}X%hMMp!wwP7z3 zmw2iH1s5=pxlUXx)}=4#TN$rDxx!GbGxJcOJ(kP5iaY{58Sfyfg#?qqH+?)D&E-D4 zmop8{Sm}fhYjnFFPvvc=5`FnW1fTUxmRF~_hdKfb5XcQ@Hr=1e%wF{eVy8~XIrAO- z;9~-NFTib1A=~YqMV_RGR(H91ncgq#8kI9k$*e1tqGSD?>^!)(AEbP&zB7ebPProT za--Z@B@Uo|U-GUvt))PO+iZSQfrJ&mvGARRn0=u?aBx$l_D_#P|j6_8bt^ z;a0PKphc!qX9Y~+Xk!!nZdP}nNFYQF3tCHXTXv*q+eCEZg6ma0?0TPJ?rJ7kn7ub~ zQ7kZ$_Y>qhlyTUw5EwgE0qPjbPf=3!dz?UiGe3C zkZ2|s^Z0h(+Sx&+t-Ibt4q68#wWPsg^IDerH!zPrsoXzPMpH)g@QpE z)4wxSXbAiFQc_ls7nH`+N0D(BPM`entKR56S$LS*!%7wAb}8~dECGsA8Q?lL@4%Yxiy0DZMI_U0MsUpGpIJcZ)8c+`*{Nwv+GXvus$p`FIYq-jn83ytc%OoSUX?dfy-l*ykWOf@zv2xo&CUCRXjE! 
zbK0^J6KGR{QSWIF=*dvD>%`>OE>U&yc+j{$9|c}jrAt(D2*-N7E4a1}R~|6G z_$m%<=uY2x%xQyVT-q*oDMbuT+26o5$dpGt)UTu+qjH}03-M)tFV^4k(=a+4W_myP zgZWHRn*;o}1JZNpDfK+0a>n<@dGpFH#q)S@k|bKhZ0KCYkN7&@4_7ARC?b@&iS}25 zNJbr=Z(21^et)oGVe$9)99Zm;d;V7D*(-(v ziMc(^f4|Ct`gCJfnH>C`k}H<(pH|ctH5iAl*o(m}Y4a>fx(Ji&gmkKQ-{&J2syGV> zKtTTe6$OInR;QzACs=tnV1wxJ0^!p6>6+ilO@r{u>z-3D+ybr}uF7@ygVUP|u=W`B zL3$J&zY%`HqzFNgW9|8Facj1d@AGgv6b~&~JV{NQlFzmXHzduE!ygB-Zj49{tq+QD zK^)B_1lCDBNYp8WeEv-MPv}@ZANXf#tKPzd0O(q~B#`Tx0$V#g>Y^nJ8y;i!7;Ph} z>Kxo?MKz1!KkYB%3a&?tEcr48wOxo+zPC<+_ZO|)^OJzeJmL8}%- zF2B;>u=RJkqmC?dYV99xBcq!W(VE7Aw=$38- z(`Wf+VJ&x6eQ2vKLc9=m=-mT>+=dFK7j%TEZEoFU;5F4jD%_^O3!Ul>drcG8Dz)Yd`5YFi1=X6?hi*`dnj-|8vW8;#g%&IADD>dLE=E*N ztS440*f9K=hAiA3CYo@MW1mAwc(Zb@v7$F;Qil$nJYWa?657oyVh>DP$@n7WUH}*8 z12k5ix)xm8S>cAe6lNzgm8~`aAM+gjkx=BbP0MplVmUmNL3DG#T695ZdaGcBT6u9% zV%LUw3mqdMa0dE^VC>5lNy7(1JbD7px=zjq_^z)bVeer?6%;~Ljj$A0WG=o+hU9$x zS+{U$BQ*<1UOSf`Lk06}6&03(xCHq=vRtg3bXPb58}%%^^AYedRu{(`u1wmuXe{ug zd;|eP;aFlPGMk8^Bb4h+42Ok@=TLF&s-PlCKej>`1$%#LU0>Xc&1ctOql%UQ>P3UQ zLwIr*Od*-8-(7-vc^FE}IY|s}7 z63qb)7loE&iXA1D{p_ch z(Zs#cnxq&4pP~_6Fhl6K{zQ^h9pz(rMS`-+>pnHn^4@Yx+ga(Rc*7P?lV%q>g;&Ji znS$|PuWa9kbTN8hrDFPfJbchR)4nVTr!@y`c}b|S#4DJ=$5>;yh-=5vwmz=j-oVWimJrt zwCoEka);XiK@76w_e+Qf_Bl+yUE~zCLG||?1K@$F!&@RR@zk@dwBckU9z>V?>=c(` z>r-iGR=5~+t1AD;pcKy0L*7 zL=QKf zc}%7Rpwb7S!#9n%SQY!icJ4~C;Dc35kw<^PNtAc`_tKc7GUjN?WjAMtl&v{oZmj^~ zTEtngL4f*fXSgdo#0nr*CYYfco)9DXn;YS`L@FF*YyURVlSBpzBBN~)uMb5iItg=g^4PLljejXi3yX^@ZfCU`w;N!)a-fYqQuH~c z%3AEUHbulyZjeV=%}}8XKUyXB8OYE%aD~vT#Eq8>zWLhwBO+)#z3GfoywmLVSit4_ z?=x<=c#VDvJL^|@QPO#Dju8Y+!DN`+8M?!^nY(pAj1FLE5^IBv{%Q-p6C13pgRTL zrZ?F*3nm#3-f`7@0r(JieT!t~1A<4yutqtN5ws?bSRBX)<2Ex7HscMyyX<>i>PP&G zXIYmyFHZ0gExOo9NkCL?J;Y3wBpej;@ce-4D?2O>zIuh_gL$SU1|7!-NN9#Iik622i8lS%LfGF0wW@(b8rgV~|#Lg&77d+@*H>M_gZx~$%|NW>| zzNkwr*<*&ThG0Mavq&K^WUE?tOv{sjx@(C(v?EK#NJFFhz8vwH+%%nsKg$OHq#}>5 zY-#lpp?8Uwv(aK(;a1zQ%+E4Uv^JBc3*wr)IhoF zUWQKo``%KLjCl%RJ&!}ddOlx~n}46KUqumJ(69Pf*|7H-Z?3$sLPjk)Fz*tbi}EuB 
z#PQ{iDeYC+(1*MNO|mbh&)Z%9#TG$yT~75w`xsCrcoq3Hf=|BH;v<87j^HP$+f7og z4^%{Ps1zN!(FT2#0mm3Akm7gK)T{%V%AsE`uG6XeWEtVr3FHpd>}8OJ;cz_N(xP)8 z@1p|Isq?6dyD8ReQO)BuyqPR>D2{c7`1cYD9E7=65~d(hdAS?~Xlczqr5=i_Q>~6f zP}yVrE~4U!R7z|7q*yqeVG)cg3BLC1Y9d!GwBL`3KtS%5a+Ssm>%Ig0OV4lcdpt`- zk(llPs*kb;k~?;U&$HuY9pt#EkoP&-okw*Q6yH@!?#l_vs>n`TbElcgZeWDyBDc=v zo71gFRGz}G?C8?{(EC11KNh9+pEN|aha{M0-^*%8%fw?_c*9jV#q{ETS~`JXU}n_P z_$R|eU&iAXgI+gFrH^a|9b`{AS+socapFyto+(YO;ly9e0Xqkke#ZY#dEGcu z1opsd;-=VPEjB19^q**yF%vnh4yLLfAe+51QDV#(z_Kbm3M%>y1#?vm+fe`b87v;h zcQs-D3ARPYoeX0F8udUfS0hvuJ8YHyi5LdfCTVmq6Q5dwsB2Z(jis%0AOxQ>%X{yo z0Fh$8XMgBMV&qNUsfJbA)D{YYSf6M;tjb3UPYi~P;CkxQ!s5%vY-k#6|MGrB*^aFH zIdft<$9+?p4%<$yjqWhiH#5b>Xg}uCQgbP0X`=BiflH}5L5DrA{~r{o7UdMLI}WjL z*+p8j6g@eHk<98F3B*KHESCQM(wIOVF&8uy@i|_^ntk5zX3^nLE0m!@&kV>GM(wx5 zR3mFbFW~E6AwAM)2Xvcf$`DjYD!JpVPR>SsFH8*j*|PY^5>ak?H7Q#OdwD7untoM| zRPq<$wP8vbxpG4j0p`*|_c`r}jj?rr zRPQY0?@vdfl)!iIlv&PTyK~bN@W%l7bxfMLtw_2ib@S9zSPMZLtv*463t!Ja9A)6E z#X+L{j9S)~zjnN%q;hKb-)CQtr>J)tyIbc} zArAKGCl!bT1nNWe`?n^j-yLt6r(x|K_-6^;h-&z=-0sc061>>Om5M>)75-2OWE1t+x~? z1BT@W@3%x)PKGgP*eS}y4ro6k8|54BS+tVT9lN-$O6uSq)6_nv&JXzq>RtRsP<#e9 zeY1sX-cmpUm73|-WwH%;GW$Jr5sdRBqvc_)-7vKyGAfW?JzPISt=^$H)O60@KRHPu z8J3PD{)PwZ>+4>vaWr=2t`N3rN^gr4_u7UJ0B6iqWg4nE>Wf1>k%}%uFJ6BW=+;Fg z=d&e>eDPDVY;s;diIQxpcOCf;2F5Qhu#2tMgdIIn-V%WJn@cK+!C{dDjrfcMV((|D39b! 
zDpgI+;&gntbK#Z#cNi+!6AFSF{&gmmAc)Zni;6_KW%U?QAKpgu8qcGLmdxYhD99ZX ziuCl!T@+DK6srn20+tq?tfEn4irJ_bGT$*L0g0gNj8nxnFrN=@j)x@b@1NL*9E#IJ z^Jkkbxg(0SMOz{^RY&LloaR01PcJ8``2pR^UN;6Ct}gUC4u;| z?KLkWsZDxNjtfL{*cjJgL)d6UCu2eu*wyTSuflpv?x+HBx4DV%sv9fXfP;jPhYqI_ zeZ+27bST?JTHe0CMfv5I6PMjc+ReYY&`QZ0o&)tyjyg=AsYavREto?~LUglv?8&s| z1!$z`Nb$dq2AB=_&Fll_?yI?5W$FYUy?ikmDcgumVWi9hF0m%sJC_<=aJx&d+)Gye zA3Jhw(26J2a~BDk4DHJaBQJVdml5~l7+qx&Sx@PJ&f%8NSeegYcCDXJoQ{&xOxhGJ z#}sK{{khImyt~yAG)lA3R%SvRC)exlUMs~bTY2TD*UwIU_vbx&vv?N!Q#@VcPO`em zGbg%QHCc+adE#`AM;g9Ayg8xIrSIJ-t^Rnz9x11E72TpuZ>OeMsuKoEr^@4Z6Q5YA zPj|Al>rK~`@Sr!wVXEP+<0rdwmwS-x9-`50+rN*r?k@|50?~u?Eh!&wR-bPPognOF zH-xfb5+axB_;x6aTo*?GV(06Mz$UbSzpc?{upNeAfbL~p5W78H9RaYLlI8aiM~oa#>Eo+%Tb=U3_}-QXS8+4@M9_o?!3&d zO<-lEClb?WsfswV`|2o32_AI;^)-avx7qABMf>w?^wPyO-Nr+^MCW<-*qcExj=Kf1{40TeH>@V#s7`D4C*RlCr7{Z7Sxai|?$c83{_!rvsGVtEtYo3Z-l31q zFl75zxHEfKvR!7OuE;8qD&~WJ6KGWpi?dh0H2ggBJR?h#IJiC2{2O5p4@!6234=i$ z!3D2erkAbbH+ONaz$DR5hGeWZ4lD23g1qSeb^h-@d8MY5O+eyB(Q%0?!gA?HFlafh z-9bHvy{~I~0Q-u(c0CamUAD8?J-C7%6nIo20{;SlckN8-if%$xKww}-Pbm97W;&kr zfqnzoV;sVv>OM=I^-h-O@;XoqSN?Bh?n*zkce7TbW|u)Y%0vkuNWk+(8a-Qh`eIA> zdZ}c*i^QgXbn1a+t@rS_e(4REUlvZ?lZO6HtXQfpc~D`u&NktP4IX%2+AygFGHG63 zbw(N1oUmf&Va!XCb(z_@=VkTj0$zDau#<`8&CVBJcUTKW)PuaCBKW1 zQ#Z1`d2)KVmeF|`g%T-lC~tlIIuuhlPMw$)L)9uV&y2&6FPYoul97Robf)Hb_^aR! 
zHcdk4R2Y5Y1&wM>-f4|L_xI9(V!o!)xBp6r8q(K%ujfRS)kUDNuk_Nc>IWxEi}JXa z(nrV_PO>b#V3sYhLyic3Wh%xBfg|N;oqNMSCPG77NwZCA`U(mMU?R*S3ZX0gg+b2-xQdrM9;rPu%f=h!bN!b?K4((dm@ffc50CSg6s`QF-HVtGSPOA z_U#~{`~3v9*iTX$BeyyQ$B6Zz2#;gyTW+NQnESQ2aM09uc`f%TR~Sz7jLQcJC8YQE z%GzP*>%-XnxmPsKajzz~a7{U3_`Ne>d1KYCQ;`3$gT|#F?`@?dhM*EPtNVu#ipEK9 ze}d&2{b|b*xJ5e(qz*GLnw`e!|7^RsGulE!9i#rx-7lPP5QGHf-_8E2r#7 zOv>Rccx?_zHf@KTpLceylZ_%T6v}Mc5uMW^@%<>!qL+Zijf5pW<)4GG7HCm&qY~xd zn2M)^KqeWsaKH=c*62gMvQ6GMZK}N+^Y#+i+DN5+Lz-sa?msUmak-qMzL*`2);31v z!;}sfg}!8|R6ogy(BMgDeO%GbWt$&F7t3LEg4S?Qw+rOlU=IVGe9o`S!D?lyp(vn~ zAD~~!J3Pw5)73bJCSBavQ&cZ!%QQ8qf5-xKJ#xa%!+k87CGuA&9M_MguAFuf0blJp z#J#ZF&F=vKa`@ugFDvMNOThby2M5TfV{Fs5AuAI?rI1d#Sw=pEkrw zspDUS6FJQ3c(R^*3mQs*0Za)l!~}$Ap+e+@#ANKXIbhVZ@GPym4#RJ=w^|Zq$D&Td z%-^?gD)UI^6s>hn!K&@mcbbHmXRiL%-Gq?HyoJ!G>y9lkP-DSg7ynf(6GdA%7AWUGGE2kX(ix1ktWr_6hT)ENm;ZTqdFd3} z+lkg)FCchT6|2>Ab|lTU_ff?Qp?h*1Xy=M@U4|{(A{_f3gb5QaOI%`8RxiI1M%ustHd= zktcZ}552a&Ii36PyADl;sr?*ZHmT7IyjG|p7IhX!=iz4$Z6vjXSk=u2VH1~JdvUtv zyHhSKm_>Jk4a>(RN%pWR(QAk@rN8V|zrC(!q+qsUH~c$E(u(=ngCf&@VNauk))Dw7 zS(etoEuC{PJcpM9sstQDD5^aL zFAabE)uK)Y@K6ZDxN)NxM<#|XFSj&2^9G?MicGduX~ss^XWwMbLBjI&5BmS?y!{Vr zR@LS)9{(@h`#-$-f3s#&6BZVZ{}0y8{QrYB`?xAQ;{dGLSaTz9O$5sZjh+sx6^*uL z$*ixp+OQy(HEgc8&iwxThJD%JwcUDfn%xDp%ueZHV+g$h!U(QRhlK=$1`G^oLCu0L z?kGE(kHw*z366a_7n-&bvw^mBbp9@&aP5Yr#li|={1wu*WC<((z$c4|2 z3{5~DpB@7`0(ZRpqC5WJzwfCDDRlqU4b>A;q$>QmFZqF@CONUDLfj-%m4Qw>2OHo_fn$ zOH+=K65-bYIxzLBW&0g;@tUeXexDSuKzgwZqMSM1Zvkh-FFxE zRJpz1R1yJgo*dycYP1_F$@)&@< z^~yAue67zKpWq{u`PjUCd_c2_InA>(@01rWSy>#%9nsXYtfXPxOXs)uUx+;0k3KW| z5@tSZiMxlfqOd3a4QXVafO1x655l~idU<68t72Na%_+XI^ew!{ixqLwv%eTAM0xfJ zv83E#2Q_)jQu?HR1leA{dW+;s#u; z?I*!8R6Ty(uEo(lw~uO6no%_z>$pv7CjDy`zH3JbJ;R3Q622lOfczHdiEPb$3dYhW z4a4|0W8T&WOUC=}2i95nf~9l7_v85=y~4gh!M*^~5I;*CWho%cnG@!TG;DWzVo;^u zitW;*B{r1$RmCJ`kG8tLA}4s7@J>KnE*Y7jG05|9S1**{1xVSh<+O&LIVJb=%Ui(p ztux7>*PFQs{uhy~HyAP{hoSo~DNUpFPvz<#gH%ElcC*ESROHBhEVi_dnzINk!tL$J znnB}Q-vPN)s*-vtNY{%~8!Vx#0pTV-C##;UW;P`cL@d8SVu~bNbZ7Bj>or 
zV%XsnP@PxMhdA+SFj z7Z7(!O`&4s8v7}>P6t#!iY=f~WV`b_ z@lAZ4KQ?rl`CwgkVj`0A&Zi<`!|gL7c7wx(X*@<^abv#LA=V`|xnLc~1QOGeS|ol_ zGG8ROAY1dgJ6)itYfDlu->e?0Ok7l%@Xg<+O(tl66$MW;t=2~#n+uzg*dqjc_sf!| zPFFB)!ZO$5yQ6zpCI9>ZXSpOu! znM#;d*azzgB`9$Q8tLq2ds8IS6`;TIi~0_u%$sgh>jpUHbo>`Jx%VSLO*NIqo~c}s zH8^~D$cDbMuqnN5yEiy)D`SuA-*h}kYX*Qv_@E5CvWc{3 zJ9^zGaRnVhYKY)+5%_kt7O=M*iK^XX-u@loWGA^jxnpRYC6=&@i4OPXNWK0%olF$= z^@P!9aGK+tsoA{AD%F~W;?X>Zw92<9IvX5;o*mi)%GT4{UQY6$;ifk7g4bSlpXa(@ zt}z%kS7mR{$foWrkn0N9W_5>gkmg`d59Gxyg$%w}_xM^>!S$eX8l+GiuSbL6tDB+; z_6wmjk7UhHMZgN9L8!QuGF)1o}B({jyZBj&;?=vF7?U$sBmztEcDWy+4>FA! zZrus6bPzSPRe5-IOd(@1B`E0%=iflvy1L%Vw~pp=0jaano}2Ex<1&o1$xzGp-oU*6 zYa)vBS{N2jJjBu@Lv6%G4m?|nLPx8(Q+zTCoUV5<_KD*KTk-7rS zzJcStlP;E10RwAzraDUL;im`PdBw7%8vd_irLNTWCmk*#rQBY)1bk!^+V5o#*B|>R zYncx4T&D21VLPsysO&G~y^B!xdxMx^*vpYyY}AhRDL6)WZv^WgUlAsyMgD9*>U@fY z>zrQxtlXCpjo(F4-Ni1uwE%&&Q86l&dmd)fnJR<1RhSa-y;zZj`Olh9LQY1SDa7)G zAGy90g^frn7V^(P@#;ZVc-J|stv9l(J{Gn?C3QiiC`Js8s&}L21{U%D{^n50J3G0; zLr$Q)NB$8!dwnQL)tscvsEn4pxzkWA{BMiTG(8Qq^LNjb*+4W7!VKZD8N+ig@_b?u9t2Hfzqf%EHft3mO@oc@w(2J}8nV;8dW|&o>zcI2Hiz zPSU*N=@DM7Co09+83OO?HVxp1i(tfWlf_;{ATa-r&;Kb8P{;hd&t5_x*bfp63oHBq zAMS}CXPcit=Kc>uCwtfr4E=1Z4+uU|HO-`w$m1_F9M)2%0CjtD%EnK3q;j@NhKqlL zzNBQt&qF8$f#u>!u>HGB?{_ryBI+oXzU98zH0zKDT^|*AMBqKetG-u-(Bb<1aZEW- zfI}VC=q5#^0~MH>xp#R%EJ>2~OSUXi)Fv#dL~RTizV(J4f#35keTCurXEL0Nu-Y8P z_syX`Za5zoFUvXK#(J|-GfiuBl*~l4J!A8crmhHg0Atcam*-un5ba7`7M3i8k#~N0 z{K<~3m-z-3+zf0*R4VSru9vV&Gk97$hOdoI#OmjDQn^CD`O_!!>m4&##>Ua*OP(K~#Ho?SPj2Sc^E=`L@`UwAm!6{Qag00RYCya(_A%M%IJpkF$c4nY`|blR$b79U zfKI-c^G9yq4Jv%j%L>zz*5dk?`@z1@G+D_)(xezgKo_5h8+Ex9(fK zJDoDf=>emyh1mJoCy+lQr>iuJM;Z~ip(>7lPQB!uUev=C+!7Lz8RdbEXf;_{amB^) z=Tqa@=B|aB51b#?y%05{AXX&rqC8MmNT%8?e&y_A{qnyp9opqw+zm?n7+MSVzL95% z@N#K!cxo_sUsGm2Ws(_(F_)CD)^C!8nNzZP_6{z)1VkoKiD_A*ZWBQ|c>kzq{-G0y zj@?0W-8v4^wPA}{5+)PplI(5wzrz*RMcDywlCUBgg@;;7GtqE*j1J^}Y zbBmf69zNkdBeqe(fmhLEOjEx#^+dS6H4v0Qh3Q- z8QH49CeSTsN+z*H2e3D^>Bl1Z>!$hHurz91>-MhM9u}7&FM6=SU%FLvZ;32Ukd%BS 
z&o#@B0Z(q>`mPyxj*U6}ZYpgav^m^B{B->Kq%t{0eS~Ll9UTUD*Fea168?+U!ArYo z7~C>KoG%|+E(QIXr8YpA?B7Qm`F-B}{OHtlwDTb!VBQopbH3AF%5guqj9y0qmck`V zaS{FgJxtrTf4Vz}Wp+T>{R%DjE9i3eeT957ZF^Hg{e`PhljE+Ha(6mGcBMsNbm^T$ ziCSP$=5r)HW*lq6SPA)$Ui*Z03j6>lUkh=kMU#u61)cuK#ooQTd>f1)%YcB#}%<<)I#IQWOjgXN!>++ zS;o6tqBnLcX(9K-;c&1<%^mj<>j*eRF&;n}o3> z`f%DV$wEEug@~%ySS&Rd&f7tmaghwb2L(kU_}OKGG?T}>w<_7uZ#9Y06rAasd@l6w zgk#<~KY8tzq)=B7=}yV=!QtK}UEX(`SwmhN`g>0G=3t%Ek~CPROX~(yY-6D3(j4KP zecqh5S2g-w3w#HTh2fNq>mHGity)1LT2g#xB|7JwyaMuX;n)xNDDD{ z$v#EmqY%WMQz3d(D~ydZ``9Vn*e8=SywX$_mDQ)x**& z)Ot{Lt!)yXcKuhPpvSN~9ObyBpVsC!<@o6Q90HNBXv*As-deTm@JFR{NcK4);;Em3 z-ef;>=x8%=cQiKd+5O48)a@KWXM7`aC+AGE3~Aam6$np4-ylfc{E0{w+&^5nIMUb7 z!$V9`F1YHoYoJQg z;Ko)D1$YB)1VSSp?yFXNSR$|@n8K`tVo5k+!pGIE@)m=9L>+_`gB`@tAUO*}!YI_X zF26Ol5Db&iN`rn}QX~_WR}L4UnlIG+|9J?KY{oGB63Y~h5b;Y9aAt5(eLHvY2NLQj zLr{&QTL0jNBpNvNwkO%-*9DRuKhLM!zVUGL1e*BHj0}dhdYV z4!%e2G7YJ=(E)}28u=B=&I79J`Iy2=H{7CxqQ*c;`&_!tg`mYlNI0v9OR@hF^V8G6 zXB{WX_gEf#thy2FMUU=I5k6trBax;W27L5nHjt6_p#`%!HYGGti&C1GCDUnLq?wl6 zl%InH1sNrNlL|JGRg$p8U(03cYDfp)NPmGKm7$x&CosTUMajhl709(0!E7VwyBf7p zYN4xNrY%LH6TJkcT{THLm8L`QbMA(7_{eFj<-5I|EU=LFmh&;->rM=8#tJ|>Vx!Q; z&V5Pu{I2&^Dbb{>6{rv=iT1-sIm)7BDv6ZD5Pmv+7%#-0p22-kqAkAZn0;7i0l3ch zs{P+f@xEQm@JHTwr(T#`%_^B0BoXj);<321 zrP9rQwSDxVMcE@b-GF~we?7v;M3UC|-a3~Q#^}+Gp6nlDebUkcOL|tcCYG0c+x`I? 
zjQG;!<>YCPo@$#h4GL&=-OAsa)DN(N$vgriu2Pf!cTUk*qUMT|^bGr9fNR&^;Gmf^5(KrhEan&M`~MZ)v#1d|fBwkV>gK3N_-c z!adWYW~X%SXy3bSbDEjGyH3V424lV)%}VWkRq@<1OnlN&O17r7>lwZ*yT z?J{9%w4)K^JW(I?{Ou#K53l^^E4@CJb0^>y!*sF^7=tbwY@fajis~7IIavaD28b(BfrHlyu?IzSyUcjhNhN zRc#M4(iDOBV3xjel}|aB-|C+XmUX(Opn!wqxa>&5=!$@t8=zw4AqOXPXw;v#Z+w%4KB;JB!LZ5zC$FCeXuvJ#O3ZL~}4{DDF6|3a@A+ zfm;d+?5~1V7c{O-Gt{vXWVJL9Thbq0na1)MK8g-`_>CjJnSrZJz8855&;^&gPtKjs zY45sUG&~RcJT8;lVxE@N8sKBD!{ySP26BksxUZvRPH~i10TDqeC27hP=%Yc8=N`X9 zYxjs}sZ$kbh6;)yG{bJqH|Zv6m{XE9rgNn^BBPkN*-uE7vwFZ(a*M1wYyKnzdb+*E z*|~xZ+(|)C&SUv z>FzRb97CFyn`+WaQrrYW=JTrJ^Uip*xDSLk8b9XR(w3~I#selOVN8UOCF44+uD6t+Nk$~xWx4I_TI=PS$t!ch>5Iz1Mzg%rWX$U1L6V z*HdG>v*x^wR;a$DJL8@&;ve$Vx}1=PYk7(<(z~PuQ0X`-DIw@!NNnXY$@hopiK^pz z_=~K`TVJ=1QS9n?5%Fn^6zhqto;OC!7v(>_ST8#61$R$E8W+*U4t7(X^1%S3F>|w- zOBh1kul)4!g2NErYq_wMH`BC;1?J?94@;FuZlW*77f@)vaP{VWHtxKRnkzl6j~W!R zjwAw{eFXyCQ1_CzS-TNP473dSrPg4pVa*W$dVxFH_zu%gRe{zW2MOiP@zIf#O}whI zUs)1kM4{c?o|mDjH-FF~DRMMs0_U2!w0D}-hPM#kF~ObZ_(iYM|He;4h+V~xX`|OO zWZXp+L_~JRbvx-e?#n)ht_GNXHMKZ@QcsblyYBv(4f_H#BlPJBcZ$z*4OT(lEuqk< zELW{qjQ+BqyJgqTkGE{PWc4hSj2s(P<5tW<$63LxZaxMujrCx#wub9>cVfE{f8p1s zN%QF{5mvq%s&LiHWjMaj#8zUx-U7K98J;iv8uQhy*Y8ct+wY5XAlAeS~i8x!)P^pz480>oP(oInHZbJq72q=2wdjXboE`&+)W%AkwZxJz*Ru_WF#TpYZ-44JCIAxz zwPC(oD1;){*tSEK^8ST3HvK1K+ub{9Mb+X>9`3~?5K)V5q=<=Dfyx`Q51PPml@m9C zy{Z}J!_kO9+Gs5Sq+gEe=KAJ!+4ZSyG^^w|c}*m1!}YY^HL?*`=c?7@fxZ7Za~o2R zOW2l%1fDdNV+7Etla5@$R&sgI8v#$ zB7w8#wv#L+)b8;DB}x_As5Ano-2omDCN8rM?Xf!zA_{0SdpQ_1@CRPBflDcim=)1@ zSq63-{gIs#%e=2lS$mXZSj{2LPZZFvd0m_34E}O#FssZ~3-S|V2-pq&-LlPP#C;5 z@l8xW{958t9)!h1LwFW0lLm#Fq(Ej(If!5bQUjuXhhaMnSBsng~=G1P#KJR;j0pYG&%8Xrm4sX z!D^nou86~2M@;5~nk6yw_|G-(U?@#xH^M|!=7Z{Pk??1GpLSYrpZZ^KEy3CN~O;K>s2@6sxT7i+dCpc@WqGV9xf^QM-*aq*9u zWR|p#tGFLV98Xk-;s@j~>r4){|5Ja#W*p^eD2}1VvP4$F{b-Vck;hzPGP#^y%4kkAfIO#nf$i??fv+@G(F>9cpj7IoA1YEzka<} zfr`cg`686`iqz0g)6=`Av#vsHlLOqw=eK2j9Gu?c&EPTcI|3`+n1LJ}rA+-2pDy`- z1!Ket*gp!!>A|RlO~kR8@L3Td2}mP9MuGN0?XlkJem?Wvc2^4LB7g9O=o86z3BJwk 
zy#rE~bdaDO@z?A*s(~%#6}>(y4{L;O30F+^*9348S86jrKBsoO;hf7i6YP5R=cgKC zO<}9hgJ(0lg*oNX^0#bPmCC1jg-DXzXFb+M+|-EsZ%9|AxNrtW>cdek!Fa)CiQcC= zKiF??-X@kK!yc62bY*^bb4mr!?T6}31bJP1JS@=Q049lPFl1#6q>j3teXQqQoTDd~ zNk7dMI}ybnq-YP)#-N{ty&0pD7BRU(RM{oca469-W`z%Yw_UZkOoFArqYzSOqnFAr zCT-={_f65@27~f<4lGQLArWnxFhS%1jatf8;VC{0TZC>Y55JY2z} zGPOc?xJC6?kzt}4Gu!2`a#@6&LQ-fY0nKgfnhOPoR*%?#&BVB;{iW@&**!<01MIM` z`I!&B054{gOP~*l5*F7^j?-oCtOJYaUQ39z8Op2~^a0CXzeMUs5 zq--mrIhy*%cAngmCdT%%tBI0VC?%qMyBE@~bU737vWt8~Rk=@$vRS-aC2$`U*dvU2 zmTLGx#W5~S(W;cV@x{@-=&SG9Hw@2X)RzJD>v(L$!(+dnTd)~alH;>WcKa+q6n;u{ zMNDx*bBhOIe60rj-&&)ih33UQ*U{!2>fon!7j2KXJT4mkn_o%UrITx zDd9!dRW)K#g9UH%G8ClM3Bh4Gp~~p`h~M$Ujs}uTmSv(7ISiSwy=a*-pf0fXt}nm2 z^XnkkQSQyi{ODOgML}aGo3A0>Xn^9VM9U4Ql-iCxmi-*8bk`b8baY| zduEh9G_dEB5197rh#8Gaty%6LQZn5efdSsURL=a#Jvq{U#r}S&{4IKOGrYAocZUbz zveBhErl&{N>s2!v_F1SVPyaiW@ckRh44(}>o-nl#`oZTSBO{i zXG7`nzETb^O4rlYZCrw{?L_UNy{hJkHbJDtF6pyOwtw{OEN1Mq&9ZqjrWW$4bxvB5 z&Q9=E7V=(CfG3^-ad{?|kR_q3Efzdo zY7{{$6dr2lEa(T#EYd-gJ6#>so}4P_-~Cjj#_2*9UJ5HL0l!@@Iz! ze$-X{LsZDueV*9ps#v@!ArSpF;+4&nMnG75*sT7j1J^Jcj3g-Qjb6m2>Fzb2*LQfT z)BMSQ6t=FGZ^T7738;DH%if3Qol~D<0H_0GkC9U8kWME(?e(WQ-agmnrO`De6}};<*#M>U zliu|y;^pU-stroD4+B1`uk{D=K zP8>%LVQ=VK@f5c-l8#?5*Z3t`y=)FZhh zsH@Ck(K73B4jT?|V%j|LzN@;*e;5PQupm@eRPss`I0g=qnWUbfJ6}kw2X}zVUxlYB zO{fOoIkNvs*(FRB?4at3JU$^zaJXnLhQ0jWf0g7QZQOW-6o3r48yRh)`@PP`owyIs z#Ym%$4QCxy&9p-P($yBFG_R1~PJ+OdvM#Nu=>XVufvE@WX)4WxBKx(!>7BI*kcu_O zPU8NVqgxlgr<3vSt;Nb;7DSR2WE_j!QXF{y%-FL6{jj@b0%YAG?%F5VTruez=8WTp z)nU5OlEenPVl}tm6)yPXz6mC%Fnqr<~h6WbXVC zh0ecF_h7 z`6$fXJJSNW;@ZX{R>P7uD+|WU5yf~`mzg321MyIjPv`uvC|%z;gdL;ZlZ3k%f~66l7U3R{>GbTN9s? 
zG_WzyUsJB53w$C48NFGd#&pXV1$o4KxCIuGmUYiXYdT8lNFSK&!eQ(-EWfPjdtss4 z40zBhP4w9L0) z*og2ux&eN{pa!pE{jV{g4|Fa>uRa3kWCyzNLt&3#m${FYh7X!BwR6B6nCh6_V)tM7 zTAtm*dcHTYj*v@bP=k_oZ)+&i%oUx>uU#pcHbUlYriLH6$ik~_`&6u%E+QpDUb+wl z>{2Amu$KgFa{#I9vQ}EG^}Yt!7p+5DThK*Ik>4)o7`j2(-dbC&S2|qqMp)(ek!F3@ zG!=R|u5VL@I8Z|ANTm%Uhs-Ot7I&^F3e)Uw%|m{HkGJkfo(Xr6Gs z6hS423Zkl;?>b0e56cwyGu(75`YD&6GaSrAAnt~ZyS~bJR!bKFd{Jq>@1?`r=*&nt zHg;)GA4hFQ$YOYFGQTFmv5}!OWX{A&6Kh(d#@M#{o_wK4d(}gBbpxHWD+F)`SV@7%07NO7Ug!+CLS8)G7&6JK zx!(1&t_@`ZF*xRgmnCYUUN(6=v60>gdTd4RH)+SD@a6f|Bj0sK2mt{fakNGXsfE+j zdT3PZFQwT;Q1Q+M@GbqmYn#trN25{TBlo$RVh}6}IQP;0RTLyIjKcbi0aDOCV1A}C z8~kdx-@S~?2^Tz+ zVW=~5Uy;KczD~)6Hd3A85bI%SQL?B7Za!S`7|lkfPN^NL<4{9m^~gT{5RJt^F>@g+ z)6z#ex+Ay=Yv(EED+LyW#J#G)5_Leg9F8V~CvhPyObw_N)#ex~Y++eIL8^G&{agAqd1=q;>u%3T! zZ9(`lZ?<;T?Ii88niyn-%Ny=)`>e0~xi|Iz8*y@8Bk-~2_VEIlP#3?d;&3w~ z2EuZSX!(F(awnA)a0pcP+^#S}J>BfJt4~wfxpoj}xG~2HkCNJLo-iy)kbo<&`vW_} z6spnh#ICr7po%11qjPw@xgyY`3afE+;5;vTTVX_m)KX|$B@V^kL`=pyr$4)pYl{nf zr``(!e%G5n3G6DH%nELBY-rXZBwCH*qSE>CqI+VF6spj_yGsV89qPA*@YP+)|5Z2o zX16?BB~5`WMf;gZ3x!!x11K|G?_l79s9E%4>1Pfp8F*etc@CCOs|x(BPT=dPjYRNp zL5bB@m_)d^b(vAxfvMAN&5e;Pd-J@jw+-$JbQQrcmVGs-VA!Yup_C+}bY~+9!}kTt zgbXyfRd0h?qlYH9jRP11o}+nj&fSa$Tl%@=vL@@>#Jpbe>G2Pmu9B{FV$;c)#RYM$ z7DYyP;{q6iQQ2ELbyKOICyn1#fYp}bv?5d9?96OiUrD4oH)3a#Pb++h+oyuzjh@-| zBiS}+Uz(Z6Nl%JE31&k@yRZ7B$$fH3oMzN={xAfdl&S`PFn;A$7+-7 z!u2{jG6II@je^L>OnEk@Y;`*KpZiTt-W)sbyd3c&qHKE#fCwJ00&&jQ35N*vGv09? 
zL7E3!9GGaus<2ZR+6)Tco|?%S_ihTzYbfPnRz0@Ghc@I6J!<>pfccW$2dBhKAmTwu ztJpy2a%oo7+V9q0Lj(srY7;{GThSjrCD#h^wa(gok=6`tzxMbw)Rr+I3Zo;EqqafP zH-impXTSS+&?}UMc8+N#IYI97P=_Xka1q+NdgEfmbg!vZLPux#V+>Vvc9LdMmZ$Ar zgHweST^Vxr>cYBZycf(+%_An~?8<1Y4 zZnq!_ou&Be#gN&&(|Y^0(-#%1ps7t3$tW-2prx>_~xXaxDK8sPl~|cHOD%^ z9#Bq*j4_Ip7pX38+q>Y+j&<8x*8>;~?>mCRb5YaEP_me0eJ#(_{M`6>)5B@+UA;a) zwh$kK1r0Zb(*C0e73l5DH`g}PvRib$A48DvPn=i@RZ1G`WQrYya_5s1w&)E-(`U2E zXss2ri9)ZAh;w9djHxv;*3_e4y+i zvxW#?I_9?bghwaFm7PSIotTr|dE0pd0$xE%WxrrB;Z9squbp$<_3e@OgMBTT0THT4 z%kS+gLkr|ck3@a!y>UscrDBV>W+-zsFu_qmoPswB?Y7gty0p^UrZum7LWGaX*wEIY zFO6eQG9s+x_2HV&bKr{;%ggXZ9heqR9nQR60&A|~=qprkwi$m+5AyY|`nlFbbY7<7 zM*oy&!r(m`#Ev0GWZnV@WVj=!cuj-!#w4pVi#PcmX_Gf-R?VxbGJb6twN4nkIcuTU zh!H;Cx8?U_7A=IkI9)*V%MF-QZ|ICxeB<}(r-HG6FY zB7a`2xVvOt4^qMmh$W|VL)hmCoiXOB)U%Uy+y4&A3DaH#889MB`o$?0G+gwYV%!Ru`r{pT$STf z*OcHd@TVI56(u@M_l#;FL<1M#X;;sTJwLkRrHe=Y48e?TWWoxNNdYHfn%Gkcm~+%N zUBl!s;5$)&!^^a4qZF9Ij)6dpm!|A0feBpq($}{NbcXBi^pNy1)^oV}*_bE1B1nth z$1+7KirW*^xQrR`;|3nK)^?#g5pYmCtm2h|Jeb!kS0*eQC(v($eDmoYtx!_KyZqhJ z$0oe$xG7hprLcmXE{7=YGb`(bM zgI}AlL1Fn2)aMurg|TjWh%X&dmUV^|L8tAF8O z*^j!P-sYR9<=2$?)jze<9aP^EXd1WUD{l@}WDl;X24USKR2|Rzu)}_aqiD53;Bes2 zQ}ykWLZU?}d|kmkkhksYD%I%}OuKl>?#vtX)G3m(A+Wl6^D!%b>)e;eJ|TaKs3q*3 zwXq^!ecwd1>Pp+MjhOv;z4s{`9s+k~z5CoOJQJA&q5vG$IPAg4l4Eg)froG&tM$t`SStLo^;o75B@BN5kn96ogcPg|&Hhh^g(P#&oQlws8QGY1sOajDsdNx$n6+!vxc_1ZUNx0;Bt1_p$z&<-c8Ehs z5;P}AYOLp_>g4r|cqDz%5So?afmD}$?=1abgZ~zku2op!!7vySZ|tkWSDvgfrt^@XVw&^QDSf8pHzfR--9Reiv0nE>zUbno!#Q{kN49UZU# zq9~34E&S7jr2uCs3ZRWmxZ0kRGmV!AyfNsC^s-)v3`=!RuN&D3b__dzqN@qL-H_qq z#4erGQ)?p=jo?FXIOCgvkQ>w-}NBaxw>LxK%wB`lLHAU-zp&r=G>-mm8OMGTog%>N=xW2bH-~8V=AEU${3ld7NC8k@24cCm18O~)CtHs ze_c*Qr{TC4xNq`y^~sQFIQSOGs=h%|NPUW|_ zRkTcXsty-I0>Q>a;fv6u`znKR;?CHDoE#zN+bt9xzvG#zH& zAkc|oCDW&NfM(D>o|e&QJdPJf_fhq336eZ1p(oL0>8|;c2bf%)X{)&IdYugE8c(rU z*7G;&Ep%%luiPQuLi$=)}Tf@w4o~$`JrHx^(btwqa>I-C!bE{o;DIzvd$Kl#_WtOl((kIeboWJ% z)3?0?gVX&b++McDK?of~qxNf|*~n*cd8b!=FHle2AHzM6bvY(-xQIuT8dS-jx<#Ny 
z$kbY+NmgdFTkB`Y)XJsG@`7+Jt#K|zLazisr8KTFR_!b5;*mQqbF9}^d&3Zy5BEhG zuh!B1QKq-QUS61=rjQuz$o{vm`K+DmrcW~nS9#9rT?X4sowa6tmrg~$(nLp5I!i6? zzLe<2`qfOmfZ~~gb0e~>&H=3`4NZ6%%0*29`eKZW+l6%o^)Ju4Hm9!3j^)`Ssktl# zIzio;k@WGnnq0(IrQa z8=`i#(<}SVyI!c(reY<* zYiM6Fw9udkQ!_mb=z_vQRH!TiWhCo#bHaAfFfq2r-q&~PA+3=DsEB7*<`{V$Hg|NZKfO_}k2 zZ~y?gpF#TD)$2ZaR+dH%`pmyi+5XevnC-uc*nf{DEebP(3jgV!{26q=u@Vsei}g9z zn~{a}|L(PB`71Q}e_AU4_XK|lyFR~vCWrnBW%vz>Ncbnz*ocvZg@NP$#{Rahe*>Gm zjXI0}iRAqZ+TXAqjDKSPd8*9+W~w~V3wgz#D>?QVzo!Z$^cSXs10(%E?PmWg_HRfi zU{sr}=6}VaDF2DIchLXm*gxmBf2!$ktgyTd>zV_~=X3EHzblvC^dDGOmfvpZpUP$b zH&Xm#E`TEeJ1$FK>Gh?2L4y&{sH}N zI0JU}nH<6=l<_wS`6m1c{g=vRp#L|y8~b*Li2q3Tcj>N_{>lC4(*13L|3$8UY;yXR zi!2$Rdt3i!{4U+EJ%3?3I55$(G5&T_e;fMG`qxzdhK3s6NePnvSFHNVpV&|7{&Vba z8{yx;{%$1y*DYQB`XAW8VJrWyH{JhfpYT`K6dd4xZt(1E|Av{u-_!2zgEan1<)ZzQ u`uE3b{5|ULA7lNMY9;+A^>2Tg^?yM@K>v92B77dXU;qF=EIwb90RI8|`5#IE literal 0 HcmV?d00001 From abcc9dc160761534c20149866597848b41722e1e Mon Sep 17 00:00:00 2001 From: Nicola Tuveri Date: Mon, 4 Nov 2024 19:47:07 +0000 Subject: [PATCH 7/7] [CI] Run Github Actions also on Pull requests --- .github/workflows/artifact_validation.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/artifact_validation.yaml b/.github/workflows/artifact_validation.yaml index 5224dafc..a10e26e1 100644 --- a/.github/workflows/artifact_validation.yaml +++ b/.github/workflows/artifact_validation.yaml @@ -1,6 +1,7 @@ name: Artifact validation on: + pull_request: push: branches: [ '*' ]
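Review bot: The new `pull_request:` trigger under `on:` makes this workflow run against pull-request contents, including pull requests from forks, and the visible top of the file shows no workflow-level `permissions:` block. `pull_request` is the appropriate event here (unlike `pull_request_target`, fork runs get a read-only token and no repository secrets), but least privilege should be made explicit with `permissions:` / `contents: read` unless the jobs, which lie outside this hunk, already set it. Since `push` still matches `branches: [ '*' ]`, a pull request opened from a branch in this repository will presumably trigger the workflow twice; a `concurrency:` group keyed on `github.ref`, or a narrower `push` filter, would avoid the duplicate run. A short comment on the trigger, such as `# pull_request: validate contributions from forks; no secrets are available to these runs`, would record the intent for later maintainers.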