From 81aa8c9d93b7f1c1d6081342ce6a76a9a89a2066 Mon Sep 17 00:00:00 2001 From: Samuele Pedroni Date: Thu, 21 Oct 2021 14:39:39 +0200 Subject: [PATCH] secboot: use latest secboot with tpm legacy platform and v2 fully optional (#10946) this bumps the secboot version to the one with tpm "legacy" platform key data support, this means using the ActivateVolumeWithKeyData APIs even with TPM but still using the non-JSON keys v2 sealed keys use only when strictly necessary, otherwise v1 keys are written to prepare for this we reapply the changes from #10715 that were reverted in #10930 --- go.mod | 8 +- go.sum | 20 ++- secboot/export_sb_test.go | 69 +++++---- secboot/secboot_sb_test.go | 288 +++++++++++++++++++++---------------- secboot/secboot_tpm.go | 191 ++++++++++++------------ secboot/test-data/keyfile | Bin 0 -> 131303 bytes 6 files changed, 320 insertions(+), 256 deletions(-) create mode 100644 secboot/test-data/keyfile diff --git a/go.mod b/go.mod index e3710760588..f063c63d632 100644 --- a/go.mod +++ b/go.mod @@ -3,9 +3,10 @@ module github.com/snapcore/snapd go 1.13 require ( + github.com/canonical/go-efilib v0.0.0-20210909101908-41435fa545d4 // indirect github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3 // indirect - github.com/canonical/go-tpm2 v0.0.0-20210314160024-32171bd353b1 - github.com/canonical/tcglog-parser v0.0.0-20200908165021-12a3a7bcf5a1 // indirect + github.com/canonical/go-tpm2 v0.0.0-20210827151749-f80ff5afff61 + github.com/canonical/tcglog-parser v0.0.0-20210824131805-69fa1e9f0ad2 // indirect github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7 github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 github.com/gorilla/mux v1.7.4-0.20190701202633-d83b6ffe499a @@ -17,8 +18,7 @@ require ( github.com/mvo5/libseccomp-golang v0.9.1-0.20180308152521-f4de83b52afb github.com/snapcore/bolt v1.3.2-0.20210908134111-63c8bfcf7af8 github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785 - github.com/snapcore/secboot v0.0.0-20210805184555-c9f2139ee92b - go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 // indirect + github.com/snapcore/secboot v0.0.0-20211018143212-802bb19ca263 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 diff --git a/go.sum b/go.sum index 80162bf0279..19c48ef26d4 100644 --- a/go.sum +++ b/go.sum @@ -1,9 +1,13 @@ +github.com/canonical/go-efilib v0.0.0-20210909101908-41435fa545d4 h1:rSWREoNHHbcIC1iQeKKraBlsDm7cmKg8eS+N48jMVKA= +github.com/canonical/go-efilib v0.0.0-20210909101908-41435fa545d4/go.mod h1:9Sr9kd7IhQPYqaU5nut8Ky97/CtlhHDzQncQnrULgDM= +github.com/canonical/go-sp800.108-kdf v0.0.0-20210314145419-a3359f2d21b9 h1:USzKjrfWo/ESzozv2i3OMM7XDgxrZRvaHFrKkIKRtwU= +github.com/canonical/go-sp800.108-kdf v0.0.0-20210314145419-a3359f2d21b9/go.mod h1:Zrs3YjJr+w51u0R/dyLh/oWt/EcBVdLPCVFYC4daW5s= github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3 h1:oe6fCvaEpkhyW3qAicT0TnGtyht/UrgvOwMcEgLb7Aw= github.com/canonical/go-sp800.90a-drbg v0.0.0-20210314144037-6eeb1040d6c3/go.mod h1:qdP0gaj0QtgX2RUZhnlVrceJ+Qln8aSlDyJwelLLFeM= -github.com/canonical/go-tpm2 v0.0.0-20210314160024-32171bd353b1 h1:FGWb/opVaD42utMEAkDgO9QqXiTlwESSr7VAirVtW/Q= -github.com/canonical/go-tpm2 v0.0.0-20210314160024-32171bd353b1/go.mod h1:j23KcThy5uN+suQ1HiKSpQxuR54apc2EF2P8C/FHSuE= -github.com/canonical/tcglog-parser v0.0.0-20200908165021-12a3a7bcf5a1 h1:8uxbbF6v0M9G9sadgaGYnmTlhYXN6vDTahXnKsEdz00= -github.com/canonical/tcglog-parser v0.0.0-20200908165021-12a3a7bcf5a1/go.mod h1:QoW2apR2tBl6T/4czdND/EHjL1Ia9cCmQnIj9Xe0Kt8= +github.com/canonical/go-tpm2 v0.0.0-20210827151749-f80ff5afff61 h1:DsyeCtFXqOdukmhPOunohjSlyxDHTqWSW1O4rD9N3L8= +github.com/canonical/go-tpm2 v0.0.0-20210827151749-f80ff5afff61/go.mod h1:vG41hdbBjV4+/fkubTT1ENBBqSkLwLr7mCeW9Y6kpZY= +github.com/canonical/tcglog-parser v0.0.0-20210824131805-69fa1e9f0ad2 h1:CbwVq64ruNLx/S3XA0LO6QMsw6Vc2inK+RcS6D2c4Ns= +github.com/canonical/tcglog-parser v0.0.0-20210824131805-69fa1e9f0ad2/go.mod h1:QoW2apR2tBl6T/4czdND/EHjL1Ia9cCmQnIj9Xe0Kt8= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7 h1:u9SHYsPQNyt5tgDm3YN7+9dYrpK96E5wFilTFWIDZOM= github.com/coreos/go-systemd v0.0.0-20180511133405-39ca1b05acc7/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4= github.com/frankban/quicktest v1.2.2 h1:xfmOhhoH5fGPgbEAlhLpJH9p0z/0Qizio9osmvn9IUY= @@ -38,8 +42,10 @@ github.com/snapcore/bolt v1.3.2-0.20210908134111-63c8bfcf7af8 h1:WmyDfH38e3MaMWr github.com/snapcore/bolt v1.3.2-0.20210908134111-63c8bfcf7af8/go.mod h1:Z6z3sf12AMDjT/4tbT/PmzzdACAxkWGhkuKWiVpTWLM= github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785 h1:PaunR+BhraKSLxt2awQ42zofkP+NKh/VjQ0PjIMk/y4= github.com/snapcore/go-gettext v0.0.0-20191107141714-82bbea49e785/go.mod h1:D3SsWAXK7wCCBZu+Vk5hc1EuKj/L3XN1puEMXTU4LrQ= -github.com/snapcore/secboot v0.0.0-20210805184555-c9f2139ee92b h1:r8G3o2em2zKDyMDdHthy+FARm9qEiyGtIsJIkGVBMYo= -github.com/snapcore/secboot v0.0.0-20210805184555-c9f2139ee92b/go.mod h1:72paVOkm4sJugXt+v9ItmnjXgO921D8xqsbH2OekouY= +github.com/snapcore/secboot v0.0.0-20210909111405-e3a397e2da90 h1:XCbqRVVmFztGHPWN+wdPcRahQY7moJBRd/g/zMXLJmA= +github.com/snapcore/secboot v0.0.0-20210909111405-e3a397e2da90/go.mod h1:72paVOkm4sJugXt+v9ItmnjXgO921D8xqsbH2OekouY= +github.com/snapcore/secboot v0.0.0-20211018143212-802bb19ca263 h1:cq2rG4JcNBCwHvo7iNdJL4nb8Ns7L/aOUd1EFs2toFs= +github.com/snapcore/secboot v0.0.0-20211018143212-802bb19ca263/go.mod h1:72paVOkm4sJugXt+v9ItmnjXgO921D8xqsbH2OekouY= github.com/snapcore/snapd v0.0.0-20201005140838-501d14ac146e/go.mod h1:3xrn7QDDKymcE5VO2rgWEQ5ZAUGb9htfwlXnoel6Io8= go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1 h1:A/5uWzF44DlIgdm/PQFwfMkW0JX+cIcQi/SwLAmZP5M= go.mozilla.org/pkcs7 v0.0.0-20200128120323-432b2356ecb1/go.mod h1:SNgMg+EgDFwmvSmLRTNKC5fegJjB7v23qTQ0XLGUNHk= @@ -52,6 +58,7 @@ golang.org/x/net v0.0.0-20201002202402-0a1ea396d57c/go.mod h1:iQL9McJNjoIa5mjH6n golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210324051608-47abb6519492/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365 h1:6wSTsvPddg9gc/mVEEyk9oOAoxn+bT4Z9q1zx+4RwA4= golang.org/x/sys v0.0.0-20210908233432-aa78b53d3365/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg= @@ -60,7 +67,6 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/check.v1 v1.0.0-20200902074654-038fdea0a05b/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/macaroon.v1 v1.0.0-20150121114231-ab3940c6c165 h1:85xqOSyTpSzplW7fyO9bOZpSsemJc9UKzEQR2L4k32k= diff --git a/secboot/export_sb_test.go b/secboot/export_sb_test.go index 1f7cdc51cff..1d8d8c005af 100644 --- a/secboot/export_sb_test.go +++ b/secboot/export_sb_test.go @@ -24,6 +24,8 @@ import ( "io" sb "github.com/snapcore/secboot" + sb_efi "github.com/snapcore/secboot/efi" + sb_tpm2 "github.com/snapcore/secboot/tpm2" ) var ( @@ -31,7 +33,7 @@ var ( LockTPMSealedKeys = lockTPMSealedKeys ) -func MockSbConnectToDefaultTPM(f func() (*sb.TPMConnection, error)) (restore func()) { +func MockSbConnectToDefaultTPM(f func() (*sb_tpm2.Connection, error)) (restore func()) { old := sbConnectToDefaultTPM sbConnectToDefaultTPM = f return func() { @@ -39,7 +41,7 @@ func MockSbConnectToDefaultTPM(f func() (*sb.TPMConnection, error)) (restore fun } } -func MockProvisionTPM(f func(tpm *sb.TPMConnection, mode sb.ProvisionMode, newLockoutAuth []byte) error) (restore func()) { +func MockProvisionTPM(f func(tpm *sb_tpm2.Connection, mode sb_tpm2.ProvisionMode, newLockoutAuth []byte) error) (restore func()) { old := provisionTPM provisionTPM = f return func() { @@ -47,31 +49,31 @@ func MockProvisionTPM(f func(tpm *sb.TPMConnection, mode sb.ProvisionMode, newLo } } -func MockSbAddEFISecureBootPolicyProfile(f func(profile *sb.PCRProtectionProfile, params *sb.EFISecureBootPolicyProfileParams) error) (restore func()) { - old := sbAddEFISecureBootPolicyProfile - sbAddEFISecureBootPolicyProfile = f +func MockSbEfiAddSecureBootPolicyProfile(f func(profile *sb_tpm2.PCRProtectionProfile, params *sb_efi.SecureBootPolicyProfileParams) error) (restore func()) { + old := sbefiAddSecureBootPolicyProfile + sbefiAddSecureBootPolicyProfile = f return func() { - sbAddEFISecureBootPolicyProfile = old + sbefiAddSecureBootPolicyProfile = old } } -func MockSbAddEFIBootManagerProfile(f func(profile *sb.PCRProtectionProfile, params *sb.EFIBootManagerProfileParams) error) (restore func()) { - old := sbAddEFIBootManagerProfile - sbAddEFIBootManagerProfile = f +func MockSbEfiAddBootManagerProfile(f func(profile *sb_tpm2.PCRProtectionProfile, params *sb_efi.BootManagerProfileParams) error) (restore func()) { + old := sbefiAddBootManagerProfile + sbefiAddBootManagerProfile = f return func() { - sbAddEFIBootManagerProfile = old + sbefiAddBootManagerProfile = old } } -func MockSbAddSystemdEFIStubProfile(f func(profile *sb.PCRProtectionProfile, params *sb.SystemdEFIStubProfileParams) error) (restore func()) { - old := sbAddSystemdEFIStubProfile - sbAddSystemdEFIStubProfile = f +func MockSbEfiAddSystemdStubProfile(f func(profile *sb_tpm2.PCRProtectionProfile, params *sb_efi.SystemdStubProfileParams) error) (restore func()) { + old := sbefiAddSystemdStubProfile + sbefiAddSystemdStubProfile = f return func() { - sbAddSystemdEFIStubProfile = old + sbefiAddSystemdStubProfile = old } } -func MockSbAddSnapModelProfile(f func(profile *sb.PCRProtectionProfile, params *sb.SnapModelProfileParams) error) (restore func()) { +func MockSbAddSnapModelProfile(f func(profile *sb_tpm2.PCRProtectionProfile, params *sb_tpm2.SnapModelProfileParams) error) (restore func()) { old := sbAddSnapModelProfile sbAddSnapModelProfile = f return func() { @@ -79,7 +81,7 @@ func MockSbAddSnapModelProfile(f func(profile *sb.PCRProtectionProfile, params * } } -func MockSbSealKeyToTPMMultiple(f func(tpm *sb.TPMConnection, keys []*sb.SealKeyRequest, params *sb.KeyCreationParams) (sb.TPMPolicyAuthKey, error)) (restore func()) { +func MockSbSealKeyToTPMMultiple(f func(tpm *sb_tpm2.Connection, keys []*sb_tpm2.SealKeyRequest, params *sb_tpm2.KeyCreationParams) (sb_tpm2.PolicyAuthKey, error)) (restore func()) { old := sbSealKeyToTPMMultiple sbSealKeyToTPMMultiple = f return func() { @@ -87,7 +89,7 @@ func MockSbSealKeyToTPMMultiple(f func(tpm *sb.TPMConnection, keys []*sb.SealKey } } -func MockSbUpdateKeyPCRProtectionPolicyMultiple(f func(tpm *sb.TPMConnection, keyPaths []string, authKey sb.TPMPolicyAuthKey, pcrProfile *sb.PCRProtectionProfile) error) (restore func()) { +func MockSbUpdateKeyPCRProtectionPolicyMultiple(f func(tpm *sb_tpm2.Connection, keys []*sb_tpm2.SealedKeyObject, authKey sb_tpm2.PolicyAuthKey, pcrProfile *sb_tpm2.PCRProtectionProfile) error) (restore func()) { old := sbUpdateKeyPCRProtectionPolicyMultiple sbUpdateKeyPCRProtectionPolicyMultiple = f return func() { @@ -95,7 +97,15 @@ func MockSbUpdateKeyPCRProtectionPolicyMultiple(f func(tpm *sb.TPMConnection, ke } } -func MockSbBlockPCRProtectionPolicies(f func(tpm *sb.TPMConnection, pcrs []int) error) (restore func()) { +func MockSbSealedKeyObjectRevokeOldPCRProtectionPolicies(f func(sko *sb_tpm2.SealedKeyObject, tpm *sb_tpm2.Connection, authKey sb_tpm2.PolicyAuthKey) error) (restore func()) { + old := sbSealedKeyObjectRevokeOldPCRProtectionPolicies + sbSealedKeyObjectRevokeOldPCRProtectionPolicies = f + return func() { + sbSealedKeyObjectRevokeOldPCRProtectionPolicies = old + } +} + +func MockSbBlockPCRProtectionPolicies(f func(tpm *sb_tpm2.Connection, pcrs []int) error) (restore func()) { old := sbBlockPCRProtectionPolicies sbBlockPCRProtectionPolicies = f return func() { @@ -112,15 +122,6 @@ func MockSbActivateVolumeWithRecoveryKey(f func(volumeName, sourceDevicePath str } } -func MockSbActivateVolumeWithTPMSealedKey(f func(tpm *sb.TPMConnection, volumeName, sourceDevicePath, keyPath string, - pinReader io.Reader, options *sb.ActivateVolumeOptions) (bool, error)) (restore func()) { - old := sbActivateVolumeWithTPMSealedKey - sbActivateVolumeWithTPMSealedKey = f - return func() { - sbActivateVolumeWithTPMSealedKey = old - } -} - func MockSbActivateVolumeWithKey(f func(volumeName, sourceDevicePath string, key []byte, options *sb.ActivateVolumeOptions) error) (restore func()) { old := sbActivateVolumeWithKey @@ -138,7 +139,7 @@ func MockSbActivateVolumeWithKeyData(f func(volumeName, sourceDevicePath string, } } -func MockSbMeasureSnapSystemEpochToTPM(f func(tpm *sb.TPMConnection, pcrIndex int) error) (restore func()) { +func MockSbMeasureSnapSystemEpochToTPM(f func(tpm *sb_tpm2.Connection, pcrIndex int) error) (restore func()) { old := sbMeasureSnapSystemEpochToTPM sbMeasureSnapSystemEpochToTPM = f return func() { @@ -146,7 +147,7 @@ func MockSbMeasureSnapSystemEpochToTPM(f func(tpm *sb.TPMConnection, pcrIndex in } } -func MockSbMeasureSnapModelToTPM(f func(tpm *sb.TPMConnection, pcrIndex int, model sb.SnapModel) error) (restore func()) { +func MockSbMeasureSnapModelToTPM(f func(tpm *sb_tpm2.Connection, pcrIndex int, model sb.SnapModel) error) (restore func()) { old := sbMeasureSnapModelToTPM sbMeasureSnapModelToTPM = f return func() { @@ -179,7 +180,7 @@ func MockSbAddRecoveryKeyToLUKS2Container(f func(devicePath string, key []byte, } } -func MockIsTPMEnabled(f func(tpm *sb.TPMConnection) bool) (restore func()) { +func MockIsTPMEnabled(f func(tpm *sb_tpm2.Connection) bool) (restore func()) { old := isTPMEnabled isTPMEnabled = f return func() { @@ -202,3 +203,11 @@ func MockSbDeactivateVolume(f func(volumeName string) error) (restore func()) { sbDeactivateVolume = old } } + +func MockSbReadSealedKeyObjectFromFile(f func(string) (*sb_tpm2.SealedKeyObject, error)) (restore func()) { + old := sbReadSealedKeyObjectFromFile + sbReadSealedKeyObjectFromFile = f + return func() { + sbReadSealedKeyObjectFromFile = old + } +} diff --git a/secboot/secboot_sb_test.go b/secboot/secboot_sb_test.go index 2a21d39985e..5e60b6220c5 100644 --- a/secboot/secboot_sb_test.go +++ b/secboot/secboot_sb_test.go @@ -33,7 +33,10 @@ import ( "path/filepath" "github.com/canonical/go-tpm2" + "github.com/canonical/go-tpm2/linux" sb "github.com/snapcore/secboot" + sb_efi "github.com/snapcore/secboot/efi" + sb_tpm2 "github.com/snapcore/secboot/tpm2" . "gopkg.in/check.v1" "github.com/snapcore/snapd/asserts" @@ -94,14 +97,14 @@ func (s *secbootSuite) TestCheckTPMKeySealingSupported(c *C) { // TPM was detected but it's not enabled {tpmErr: nil, tpmEnabled: false, sbData: sbEnabled, err: "TPM device is not enabled"}, // No TPM device - {tpmErr: sb.ErrNoTPM2Device, sbData: sbEnabled, err: "cannot connect to TPM device: no TPM2 device is available"}, + {tpmErr: sb_tpm2.ErrNoTPM2Device, sbData: sbEnabled, err: "cannot connect to TPM device: no TPM2 device is available"}, } { c.Logf("%d: %v %v %v %q", i, tc.tpmErr, tc.tpmEnabled, tc.sbData, tc.err) _, restore := mockSbTPMConnection(c, tc.tpmErr) defer restore() - restore = secboot.MockIsTPMEnabled(func(tpm *sb.TPMConnection) bool { + restore = secboot.MockIsTPMEnabled(func(tpm *sb_tpm2.Connection) bool { return tc.tpmEnabled }) defer restore() @@ -144,19 +147,19 @@ func (s *secbootSuite) TestMeasureSnapSystemEpochWhenPossible(c *C) { }, { // TPM device does not exist - tpmErr: sb.ErrNoTPM2Device, + tpmErr: sb_tpm2.ErrNoTPM2Device, }, } { mockTpm, restore := mockSbTPMConnection(c, tc.tpmErr) defer restore() - restore = secboot.MockIsTPMEnabled(func(tpm *sb.TPMConnection) bool { + restore = secboot.MockIsTPMEnabled(func(tpm *sb_tpm2.Connection) bool { return tc.tpmEnabled }) defer restore() calls := 0 - restore = secboot.MockSbMeasureSnapSystemEpochToTPM(func(tpm *sb.TPMConnection, pcrIndex int) error { + restore = secboot.MockSbMeasureSnapSystemEpochToTPM(func(tpm *sb_tpm2.Connection, pcrIndex int) error { calls++ c.Assert(tpm, Equals, mockTpm) c.Assert(pcrIndex, Equals, 12) @@ -202,7 +205,7 @@ func (s *secbootSuite) TestMeasureSnapModelWhenPossible(c *C) { }, { // TPM device does not exist - tpmErr: sb.ErrNoTPM2Device, + tpmErr: sb_tpm2.ErrNoTPM2Device, }, } { c.Logf("%d: tpmErr:%v tpmEnabled:%v", i, tc.tpmErr, tc.tpmEnabled) @@ -211,13 +214,13 @@ func (s *secbootSuite) TestMeasureSnapModelWhenPossible(c *C) { mockTpm, restore := mockSbTPMConnection(c, tc.tpmErr) defer restore() - restore = secboot.MockIsTPMEnabled(func(tpm *sb.TPMConnection) bool { + restore = secboot.MockIsTPMEnabled(func(tpm *sb_tpm2.Connection) bool { return tc.tpmEnabled }) defer restore() calls := 0 - restore = secboot.MockSbMeasureSnapModelToTPM(func(tpm *sb.TPMConnection, pcrIndex int, model sb.SnapModel) error { + restore = secboot.MockSbMeasureSnapModelToTPM(func(tpm *sb_tpm2.Connection, pcrIndex int, model sb.SnapModel) error { calls++ c.Assert(tpm, Equals, mockTpm) c.Assert(model, Equals, mockModel) @@ -257,7 +260,7 @@ func (s *secbootSuite) TestLockTPMSealedKeys(c *C) { }, // no TPM2 device, shouldn't return an error { - tpmErr: sb.ErrNoTPM2Device, + tpmErr: sb_tpm2.ErrNoTPM2Device, }, // tpm is not enabled but we can lock it { @@ -281,13 +284,13 @@ func (s *secbootSuite) TestLockTPMSealedKeys(c *C) { mockSbTPM, restoreConnect := mockSbTPMConnection(c, tc.tpmErr) defer restoreConnect() - restore := secboot.MockIsTPMEnabled(func(tpm *sb.TPMConnection) bool { + restore := secboot.MockIsTPMEnabled(func(tpm *sb_tpm2.Connection) bool { return tc.tpmEnabled }) defer restore() sbBlockPCRProtectionPolicesCalls := 0 - restore = secboot.MockSbBlockPCRProtectionPolicies(func(tpm *sb.TPMConnection, pcrs []int) error { + restore = secboot.MockSbBlockPCRProtectionPolicies(func(tpm *sb_tpm2.Connection, pcrs []int) error { sbBlockPCRProtectionPolicesCalls++ c.Assert(tpm, Equals, mockSbTPM) c.Assert(pcrs, DeepEquals, []int{12}) @@ -341,13 +344,12 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) { for idx, tc := range []struct { tpmErr error - keyfile string // the keyfile to be used to unseal - tpmEnabled bool // TPM storage and endorsement hierarchies disabled, only relevant if TPM available - hasEncdev bool // an encrypted device exists - rkAllow bool // allow recovery key activation - rkErr error // recovery key unlock error, only relevant if TPM not available - activated bool // the activation operation succeeded - activateErr error // the activation error + tpmEnabled bool // TPM storage and endorsement hierarchies disabled, only relevant if TPM available + hasEncdev bool // an encrypted device exists + rkAllow bool // allow recovery key activation + rkErr error // recovery key unlock error, only relevant if TPM not available + activated bool // the activation operation succeeded + activateErr error // the activation error err string skipDiskEnsureCheck bool // whether to check to ensure the mock disk contains the device label expUnlockMethod secboot.UnlockMethod @@ -359,14 +361,6 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) { activated: true, disk: mockDiskWithEncDev, expUnlockMethod: secboot.UnlockedWithSealedKey, - }, { - // happy case with tpm and encrypted device - // with an alternative keyfile - tpmEnabled: true, hasEncdev: true, - activated: true, - disk: mockDiskWithEncDev, - keyfile: "some-other-keyfile", - expUnlockMethod: secboot.UnlockedWithSealedKey, }, { // device activation fails tpmEnabled: true, hasEncdev: true, @@ -385,24 +379,9 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) { // happy case with tpm and encrypted device, activation // with recovery key tpmEnabled: true, hasEncdev: true, activated: true, - activateErr: &sb.ActivateWithTPMSealedKeyError{ - // activation error with nil recovery key error - // implies volume activated successfully using - // the recovery key, - RecoveryKeyUsageErr: nil, - }, + activateErr: sb.ErrRecoveryKeyUsed, disk: mockDiskWithEncDev, expUnlockMethod: secboot.UnlockedWithRecoveryKey, - }, { - // tpm and encrypted device, successful activation, but - // recovery key non-nil is an unexpected state - tpmEnabled: true, hasEncdev: true, activated: true, - activateErr: &sb.ActivateWithTPMSealedKeyError{ - RecoveryKeyUsageErr: fmt.Errorf("unexpected"), - }, - expUnlockMethod: secboot.UnlockStatusUnknown, - err: `internal error: volume activated with unexpected error: .* \(unexpected\)`, - disk: mockDiskWithEncDev, }, { // tpm error, no encrypted device tpmErr: errors.New("tpm error"), @@ -429,25 +408,25 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) { err: `cannot unlock encrypted device ".*/enc-dev-partuuid": cannot unlock with recovery key`, }, { // no tpm, has encrypted device, unlocked using the recovery key - tpmErr: sb.ErrNoTPM2Device, hasEncdev: true, + tpmErr: sb_tpm2.ErrNoTPM2Device, hasEncdev: true, rkAllow: true, disk: mockDiskWithEncDev, expUnlockMethod: secboot.UnlockedWithRecoveryKey, }, { // no tpm, has encrypted device, unlocking with recovery key not allowed - tpmErr: sb.ErrNoTPM2Device, hasEncdev: true, + tpmErr: sb_tpm2.ErrNoTPM2Device, hasEncdev: true, disk: mockDiskWithEncDev, err: `cannot activate encrypted device ".*/enc-dev-partuuid": activation error`, }, { // no tpm, has encrypted device, recovery key unlocking fails rkErr: errors.New("cannot unlock with recovery key"), - tpmErr: sb.ErrNoTPM2Device, hasEncdev: true, + tpmErr: sb_tpm2.ErrNoTPM2Device, hasEncdev: true, rkAllow: true, disk: mockDiskWithEncDev, err: `cannot unlock encrypted device ".*/enc-dev-partuuid": cannot unlock with recovery key`, }, { // no tpm, no encrypted device - tpmErr: sb.ErrNoTPM2Device, + tpmErr: sb_tpm2.ErrNoTPM2Device, disk: mockDiskWithUnencDev, }, { // no disks at all @@ -469,7 +448,7 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) { _, restoreConnect := mockSbTPMConnection(c, tc.tpmErr) defer restoreConnect() - restore = secboot.MockIsTPMEnabled(func(tpm *sb.TPMConnection) bool { + restore = secboot.MockIsTPMEnabled(func(tpm *sb_tpm2.Connection) bool { return tc.tpmEnabled }) defer restore() @@ -494,16 +473,19 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) { devicePath := filepath.Join("/dev/disk/by-partuuid", partuuid) - expKeyPath := tc.keyfile - if expKeyPath == "" { - expKeyPath = "vanilla-keyfile" - } + keyPath := filepath.Join("test-data", "keyfile") + kd, err := sb_tpm2.NewKeyDataFromSealedKeyObjectFile(keyPath) + c.Assert(err, IsNil) + expectedID, err := kd.UniqueID() + c.Assert(err, IsNil) - restore = secboot.MockSbActivateVolumeWithTPMSealedKey(func(tpm *sb.TPMConnection, volumeName, sourceDevicePath, - keyPath string, pinReader io.Reader, options *sb.ActivateVolumeOptions) (bool, error) { + restore = secboot.MockSbActivateVolumeWithKeyData(func(volumeName, sourceDevicePath string, keyData *sb.KeyData, options *sb.ActivateVolumeOptions) (sb.SnapModelChecker, error) { c.Assert(volumeName, Equals, "name-"+randomUUID) c.Assert(sourceDevicePath, Equals, devicePath) - c.Assert(keyPath, Equals, expKeyPath) + c.Assert(keyData, NotNil) + uID, err := keyData.UniqueID() + c.Assert(err, IsNil) + c.Check(uID, DeepEquals, expectedID) if tc.rkAllow { c.Assert(*options, DeepEquals, sb.ActivateVolumeOptions{ PassphraseTries: 1, @@ -519,9 +501,9 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) { }) } if !tc.activated && tc.activateErr == nil { - return false, errors.New("activation error") + return nil, errors.New("activation error") } - return tc.activated, tc.activateErr + return nil, tc.activateErr }) defer restore() @@ -538,7 +520,7 @@ func (s *secbootSuite) TestUnlockVolumeUsingSealedKeyIfEncrypted(c *C) { opts := &secboot.UnlockVolumeUsingSealedKeyOptions{ AllowRecoveryKey: tc.rkAllow, } - unlockRes, err := secboot.UnlockVolumeUsingSealedKeyIfEncrypted(tc.disk, defaultDevice, expKeyPath, opts) + unlockRes, err := secboot.UnlockVolumeUsingSealedKeyIfEncrypted(tc.disk, defaultDevice, keyPath, opts) if tc.err == "" { c.Assert(err, IsNil) c.Assert(unlockRes.IsEncrypted, Equals, tc.hasEncdev) @@ -582,13 +564,13 @@ func (s *secbootSuite) TestEFIImageFromBootFile(c *C) { for _, tc := range []struct { bootFile bootloader.BootFile - efiImage sb.EFIImage + efiImage sb_efi.Image err string }{ { // happy case for EFI image bootFile: bootloader.NewBootFile("", existingFile, bootloader.RoleRecovery), - efiImage: sb.FileEFIImage(existingFile), + efiImage: sb_efi.FileImage(existingFile), }, { // missing EFI image @@ -598,7 +580,7 @@ func (s *secbootSuite) TestEFIImageFromBootFile(c *C) { { // happy case for snap file bootFile: bootloader.NewBootFile(snapFile, "rel", bootloader.RoleRecovery), - efiImage: sb.SnapFileEFIImage{Container: snapf, FileName: "rel"}, + efiImage: sb_efi.SnapFileImage{Container: snapf, FileName: "rel"}, }, { // invalid snap file @@ -735,14 +717,14 @@ func (s *secbootSuite) TestSealKey(c *C) { // events for // a -> kernel - sequences1 := []*sb.EFIImageLoadEvent{ + sequences1 := []*sb_efi.ImageLoadEvent{ { - Source: sb.Firmware, - Image: sb.FileEFIImage(mockBF[0].Path), - Next: []*sb.EFIImageLoadEvent{ + Source: sb_efi.Firmware, + Image: sb_efi.FileImage(mockBF[0].Path), + Next: []*sb_efi.ImageLoadEvent{ { - Source: sb.Shim, - Image: sb.SnapFileEFIImage{ + Source: sb_efi.Shim, + Image: sb_efi.SnapFileImage{ Container: kernelSnap, FileName: "kernel.efi", }, @@ -754,14 +736,14 @@ func (s *secbootSuite) TestSealKey(c *C) { // "cdk" events for // c -> kernel OR // d -> kernel - cdk := []*sb.EFIImageLoadEvent{ + cdk := []*sb_efi.ImageLoadEvent{ { - Source: sb.Shim, - Image: sb.FileEFIImage(mockBF[2].Path), - Next: []*sb.EFIImageLoadEvent{ + Source: sb_efi.Shim, + Image: sb_efi.FileImage(mockBF[2].Path), + Next: []*sb_efi.ImageLoadEvent{ { - Source: sb.Shim, - Image: sb.SnapFileEFIImage{ + Source: sb_efi.Shim, + Image: sb_efi.SnapFileImage{ Container: kernelSnap, FileName: "kernel.efi", }, @@ -769,12 +751,12 @@ func (s *secbootSuite) TestSealKey(c *C) { }, }, { - Source: sb.Shim, - Image: sb.FileEFIImage(mockBF[3].Path), - Next: []*sb.EFIImageLoadEvent{ + Source: sb_efi.Shim, + Image: sb_efi.FileImage(mockBF[3].Path), + Next: []*sb_efi.ImageLoadEvent{ { - Source: sb.Shim, - Image: sb.SnapFileEFIImage{ + Source: sb_efi.Shim, + Image: sb_efi.SnapFileImage{ Container: kernelSnap, FileName: "kernel.efi", }, @@ -786,15 +768,15 @@ func (s *secbootSuite) TestSealKey(c *C) { // events for // a -> "cdk" // b -> "cdk" - sequences2 := []*sb.EFIImageLoadEvent{ + sequences2 := []*sb_efi.ImageLoadEvent{ { - Source: sb.Firmware, - Image: sb.FileEFIImage(mockBF[0].Path), + Source: sb_efi.Firmware, + Image: sb_efi.FileImage(mockBF[0].Path), Next: cdk, }, { - Source: sb.Firmware, - Image: sb.FileEFIImage(mockBF[1].Path), + Source: sb_efi.Firmware, + Image: sb_efi.FileImage(mockBF[1].Path), Next: cdk, }, } @@ -803,9 +785,9 @@ func (s *secbootSuite) TestSealKey(c *C) { defer restore() // mock adding EFI secure boot policy profile - var pcrProfile *sb.PCRProtectionProfile + var pcrProfile *sb_tpm2.PCRProtectionProfile addEFISbPolicyCalls := 0 - restore = secboot.MockSbAddEFISecureBootPolicyProfile(func(profile *sb.PCRProtectionProfile, params *sb.EFISecureBootPolicyProfileParams) error { + restore = secboot.MockSbEfiAddSecureBootPolicyProfile(func(profile *sb_tpm2.PCRProtectionProfile, params *sb_efi.SecureBootPolicyProfileParams) error { addEFISbPolicyCalls++ pcrProfile = profile c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256) @@ -815,7 +797,7 @@ func (s *secbootSuite) TestSealKey(c *C) { case 2: c.Assert(params.LoadSequences, DeepEquals, sequences2) default: - c.Error("AddEFISecureBootPolicyProfile shouldn't be called a third time") + c.Error("AddSecureBootPolicyProfile shouldn't be called a third time") } return tc.addEFISbPolicyErr }) @@ -823,7 +805,7 @@ func (s *secbootSuite) TestSealKey(c *C) { // mock adding EFI boot manager profile addEFIBootManagerCalls := 0 - restore = secboot.MockSbAddEFIBootManagerProfile(func(profile *sb.PCRProtectionProfile, params *sb.EFIBootManagerProfileParams) error { + restore = secboot.MockSbEfiAddBootManagerProfile(func(profile *sb_tpm2.PCRProtectionProfile, params *sb_efi.BootManagerProfileParams) error { addEFIBootManagerCalls++ c.Assert(profile, Equals, pcrProfile) c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256) @@ -833,7 +815,7 @@ func (s *secbootSuite) TestSealKey(c *C) { case 2: c.Assert(params.LoadSequences, DeepEquals, sequences2) default: - c.Error("AddEFIBootManagerProfile shouldn't be called a third time") + c.Error("AddBootManagerProfile shouldn't be called a third time") } return tc.addEFIBootManagerErr }) @@ -841,7 +823,7 @@ func (s *secbootSuite) TestSealKey(c *C) { // mock adding systemd EFI stub profile addSystemdEfiStubCalls := 0 - restore = secboot.MockSbAddSystemdEFIStubProfile(func(profile *sb.PCRProtectionProfile, params *sb.SystemdEFIStubProfileParams) error { + restore = secboot.MockSbEfiAddSystemdStubProfile(func(profile *sb_tpm2.PCRProtectionProfile, params *sb_efi.SystemdStubProfileParams) error { addSystemdEfiStubCalls++ c.Assert(profile, Equals, pcrProfile) c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256) @@ -852,7 +834,7 @@ func (s *secbootSuite) TestSealKey(c *C) { case 2: c.Assert(params.KernelCmdlines, DeepEquals, myParams.ModelParams[1].KernelCmdlines) default: - c.Error("AddSystemdEFIStubProfile shouldn't be called a third time") + c.Error("AddSystemdStubProfile shouldn't be called a third time") } return tc.addSystemdEFIStubErr }) @@ -860,7 +842,7 @@ func (s *secbootSuite) TestSealKey(c *C) { // mock adding snap model profile addSnapModelCalls := 0 - restore = secboot.MockSbAddSnapModelProfile(func(profile *sb.PCRProtectionProfile, params *sb.SnapModelProfileParams) error { + restore = secboot.MockSbAddSnapModelProfile(func(profile *sb_tpm2.PCRProtectionProfile, params *sb_tpm2.SnapModelProfileParams) error { addSnapModelCalls++ c.Assert(profile, Equals, pcrProfile) c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256) @@ -879,10 +861,10 @@ func (s *secbootSuite) TestSealKey(c *C) { // mock provisioning provisioningCalls := 0 - restore = secboot.MockProvisionTPM(func(t *sb.TPMConnection, mode sb.ProvisionMode, newLockoutAuth []byte) error { + restore = secboot.MockProvisionTPM(func(t *sb_tpm2.Connection, mode sb_tpm2.ProvisionMode, newLockoutAuth []byte) error { provisioningCalls++ c.Assert(t, Equals, tpm) - c.Assert(mode, Equals, sb.ProvisionModeFull) + c.Assert(mode, Equals, sb_tpm2.ProvisionModeFull) c.Assert(myParams.TPMLockoutAuthFile, testutil.FilePresent) return tc.provisioningErr }) @@ -890,18 +872,18 @@ func (s *secbootSuite) TestSealKey(c *C) { // mock sealing sealCalls := 0 - restore = secboot.MockSbSealKeyToTPMMultiple(func(t *sb.TPMConnection, kr []*sb.SealKeyRequest, params *sb.KeyCreationParams) (sb.TPMPolicyAuthKey, error) { + restore = secboot.MockSbSealKeyToTPMMultiple(func(t *sb_tpm2.Connection, kr []*sb_tpm2.SealKeyRequest, params *sb_tpm2.KeyCreationParams) (sb_tpm2.PolicyAuthKey, error) { sealCalls++ c.Assert(t, Equals, tpm) - c.Assert(kr, DeepEquals, []*sb.SealKeyRequest{{Key: myKey, Path: "keyfile"}, {Key: myKey2, Path: "keyfile2"}}) + c.Assert(kr, DeepEquals, []*sb_tpm2.SealKeyRequest{{Key: myKey, Path: "keyfile"}, {Key: myKey2, Path: "keyfile2"}}) c.Assert(params.AuthKey, Equals, myAuthKey) c.Assert(params.PCRPolicyCounterHandle, Equals, tpm2.Handle(42)) - return sb.TPMPolicyAuthKey{}, tc.sealErr + return sb_tpm2.PolicyAuthKey{}, tc.sealErr }) defer restore() // mock TPM enabled check - restore = secboot.MockIsTPMEnabled(func(t *sb.TPMConnection) bool { + restore = secboot.MockIsTPMEnabled(func(t *sb_tpm2.Connection) bool { return tc.tpmEnabled }) defer restore() @@ -926,18 +908,25 @@ func (s *secbootSuite) TestResealKey(c *C) { mockErr := errors.New("some error") for _, tc := range []struct { - tpmErr error - tpmEnabled bool - missingFile bool - addEFISbPolicyErr error - addEFIBootManagerErr error - addSystemdEFIStubErr error - addSnapModelErr error - provisioningErr error - resealErr error - resealCalls int - expectedErr string + tpmErr error + tpmEnabled bool + missingFile bool + addEFISbPolicyErr error + addEFIBootManagerErr error + addSystemdEFIStubErr error + addSnapModelErr error + readSealedKeyObjectErr error + provisioningErr error + resealErr error + resealCalls int + revokeErr error + revokeCalls int + expectedErr string }{ + // happy case + {tpmEnabled: true, resealCalls: 1, revokeCalls: 1, expectedErr: ""}, + + // unhappy cases {tpmErr: mockErr, expectedErr: "cannot connect to TPM: some error"}, {tpmEnabled: false, expectedErr: "TPM device is not enabled"}, {tpmEnabled: true, missingFile: true, expectedErr: "cannot build EFI image load sequences: file .*/file.efi does not exist"}, @@ -945,8 +934,9 @@ func (s *secbootSuite) TestResealKey(c *C) { {tpmEnabled: true, addEFIBootManagerErr: mockErr, expectedErr: "cannot add EFI boot manager profile: some error"}, {tpmEnabled: true, addSystemdEFIStubErr: mockErr, expectedErr: "cannot add systemd EFI stub profile: some error"}, {tpmEnabled: true, addSnapModelErr: mockErr, expectedErr: "cannot add snap model profile: some error"}, + {tpmEnabled: true, readSealedKeyObjectErr: mockErr, expectedErr: "some error"}, {tpmEnabled: true, resealErr: mockErr, resealCalls: 1, expectedErr: "some error"}, - {tpmEnabled: true, resealCalls: 1, expectedErr: ""}, + {tpmEnabled: true, revokeErr: errors.New("revoke error"), resealCalls: 1, revokeCalls: 1, expectedErr: "revoke error"}, } { mockTPMPolicyAuthKey := []byte{1, 3, 3, 7} mockTPMPolicyAuthKeyFile := filepath.Join(c.MkDir(), "policy-auth-key-file") @@ -959,6 +949,9 @@ func (s *secbootSuite) TestResealKey(c *C) { c.Assert(err, IsNil) } + tmpdir := c.MkDir() + keyFile := filepath.Join(tmpdir, "keyfile") + keyFile2 := filepath.Join(tmpdir, "keyfile2") myParams := &secboot.ResealKeysParams{ ModelParams: []*secboot.SealKeyModelParams{ { @@ -967,14 +960,28 @@ func (s *secbootSuite) TestResealKey(c *C) { Model: &asserts.Model{}, }, }, - KeyFiles: []string{"keyfile", "keyfile2"}, + KeyFiles: []string{keyFile, keyFile2}, TPMPolicyAuthKeyFile: mockTPMPolicyAuthKeyFile, } - sequences := []*sb.EFIImageLoadEvent{ + numMockSealedKeyObjects := len(myParams.KeyFiles) + mockSealedKeyObjects := make([]*sb_tpm2.SealedKeyObject, 0, numMockSealedKeyObjects) + for range myParams.KeyFiles { + // Copy of + // https://github.com/snapcore/secboot/blob/master/internal/compattest/testdata/v1/key + // To create full looking + // mockSealedKeyObjects, although {},{} would + // have been enough as well + mockSealedKeyFile := filepath.Join("test-data", "keyfile") + mockSealedKeyObject, err := sb_tpm2.ReadSealedKeyObjectFromFile(mockSealedKeyFile) + c.Assert(err, IsNil) + mockSealedKeyObjects = append(mockSealedKeyObjects, mockSealedKeyObject) + } + + sequences := []*sb_efi.ImageLoadEvent{ { - Source: sb.Firmware, - Image: sb.FileEFIImage(mockEFI.Path), + Source: sb_efi.Firmware, + Image: sb_efi.FileImage(mockEFI.Path), }, } @@ -983,15 +990,15 @@ func (s *secbootSuite) TestResealKey(c *C) { defer restore() // mock TPM enabled check - restore = secboot.MockIsTPMEnabled(func(t *sb.TPMConnection) bool { + restore = secboot.MockIsTPMEnabled(func(t *sb_tpm2.Connection) bool { return tc.tpmEnabled }) defer restore() // mock adding EFI secure boot policy profile - var pcrProfile *sb.PCRProtectionProfile + var pcrProfile *sb_tpm2.PCRProtectionProfile addEFISbPolicyCalls := 0 - restore = secboot.MockSbAddEFISecureBootPolicyProfile(func(profile *sb.PCRProtectionProfile, params *sb.EFISecureBootPolicyProfileParams) error { + restore = secboot.MockSbEfiAddSecureBootPolicyProfile(func(profile *sb_tpm2.PCRProtectionProfile, params *sb_efi.SecureBootPolicyProfileParams) error { addEFISbPolicyCalls++ pcrProfile = profile c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256) @@ -1002,7 +1009,7 @@ func (s *secbootSuite) TestResealKey(c *C) { // mock adding EFI boot manager profile addEFIBootManagerCalls := 0 - restore = secboot.MockSbAddEFIBootManagerProfile(func(profile *sb.PCRProtectionProfile, params *sb.EFIBootManagerProfileParams) error { + restore = secboot.MockSbEfiAddBootManagerProfile(func(profile *sb_tpm2.PCRProtectionProfile, params *sb_efi.BootManagerProfileParams) error { addEFIBootManagerCalls++ c.Assert(profile, Equals, pcrProfile) c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256) @@ -1013,7 +1020,7 @@ func (s *secbootSuite) TestResealKey(c *C) { // mock adding systemd EFI stub profile addSystemdEfiStubCalls := 0 - restore = secboot.MockSbAddSystemdEFIStubProfile(func(profile *sb.PCRProtectionProfile, params *sb.SystemdEFIStubProfileParams) error { + restore = secboot.MockSbEfiAddSystemdStubProfile(func(profile *sb_tpm2.PCRProtectionProfile, params *sb_efi.SystemdStubProfileParams) error { addSystemdEfiStubCalls++ c.Assert(profile, Equals, pcrProfile) c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256) @@ -1025,7 +1032,7 @@ func (s *secbootSuite) TestResealKey(c *C) { // mock adding snap model profile addSnapModelCalls := 0 - restore = secboot.MockSbAddSnapModelProfile(func(profile *sb.PCRProtectionProfile, params *sb.SnapModelProfileParams) error { + restore = secboot.MockSbAddSnapModelProfile(func(profile *sb_tpm2.PCRProtectionProfile, params *sb_tpm2.SnapModelProfileParams) error { addSnapModelCalls++ c.Assert(profile, Equals, pcrProfile) c.Assert(params.PCRAlgorithm, Equals, tpm2.HashAlgorithmSHA256) @@ -1035,17 +1042,36 @@ func (s *secbootSuite) TestResealKey(c *C) { }) defer restore() + // mock ReadSealedKeyObject + readSealedKeyObjectCalls := 0 + restore = secboot.MockSbReadSealedKeyObjectFromFile(func(keyfile string) (*sb_tpm2.SealedKeyObject, error) { + readSealedKeyObjectCalls++ + c.Assert(keyfile, Equals, myParams.KeyFiles[readSealedKeyObjectCalls-1]) + return mockSealedKeyObjects[readSealedKeyObjectCalls-1], tc.readSealedKeyObjectErr + }) + defer restore() + // mock PCR protection policy update resealCalls := 0 - restore = secboot.MockSbUpdateKeyPCRProtectionPolicyMultiple(func(t *sb.TPMConnection, keyPaths []string, authKey sb.TPMPolicyAuthKey, profile *sb.PCRProtectionProfile) error { + restore = secboot.MockSbUpdateKeyPCRProtectionPolicyMultiple(func(t *sb_tpm2.Connection, keys []*sb_tpm2.SealedKeyObject, authKey sb_tpm2.PolicyAuthKey, profile *sb_tpm2.PCRProtectionProfile) error { resealCalls++ c.Assert(t, Equals, tpm) - c.Assert(keyPaths, DeepEquals, []string{"keyfile", "keyfile2"}) - c.Assert(authKey, DeepEquals, sb.TPMPolicyAuthKey(mockTPMPolicyAuthKey)) + c.Assert(keys, DeepEquals, mockSealedKeyObjects) + c.Assert(authKey, DeepEquals, sb_tpm2.PolicyAuthKey(mockTPMPolicyAuthKey)) c.Assert(profile, Equals, pcrProfile) return tc.resealErr }) defer restore() + // mock PCR protection policy revoke + revokeCalls := 0 + restore = secboot.MockSbSealedKeyObjectRevokeOldPCRProtectionPolicies(func(sko *sb_tpm2.SealedKeyObject, t *sb_tpm2.Connection, authKey sb_tpm2.PolicyAuthKey) error { + revokeCalls++ + c.Assert(sko, Equals, mockSealedKeyObjects[0]) + c.Assert(t, Equals, tpm) + c.Assert(authKey, DeepEquals, sb_tpm2.PolicyAuthKey(mockTPMPolicyAuthKey)) + return tc.revokeErr + }) + defer restore() err = secboot.ResealKeys(myParams) if tc.expectedErr == "" { @@ -1053,10 +1079,18 @@ func (s *secbootSuite) TestResealKey(c *C) { c.Assert(addEFISbPolicyCalls, Equals, 1) c.Assert(addSystemdEfiStubCalls, Equals, 1) c.Assert(addSnapModelCalls, Equals, 1) + c.Assert(keyFile, testutil.FilePresent) + c.Assert(keyFile2, testutil.FilePresent) } else { - c.Assert(err, ErrorMatches, tc.expectedErr) + c.Assert(err, ErrorMatches, tc.expectedErr, Commentf("%v", tc)) + if revokeCalls == 0 { + // files were not written out + c.Assert(keyFile, testutil.FileAbsent) + c.Assert(keyFile2, testutil.FileAbsent) + } } c.Assert(resealCalls, Equals, tc.resealCalls) + c.Assert(revokeCalls, Equals, tc.revokeCalls) } } @@ -1091,13 +1125,13 @@ func createMockSnapFile(snapDir, snapPath, snapType string) (snap.Container, err return snapfile.Open(snapPath) } -func mockSbTPMConnection(c *C, tpmErr error) (*sb.TPMConnection, func()) { - tcti, err := tpm2.OpenTPMDevice("/dev/null") +func mockSbTPMConnection(c *C, tpmErr error) (*sb_tpm2.Connection, func()) { + tcti, err := linux.OpenDevice("/dev/null") c.Assert(err, IsNil) - tpmctx, err := tpm2.NewTPMContext(tcti) + tpmctx := tpm2.NewTPMContext(tcti) c.Assert(err, IsNil) - tpm := &sb.TPMConnection{TPMContext: tpmctx} - restore := secboot.MockSbConnectToDefaultTPM(func() (*sb.TPMConnection, error) { + tpm := &sb_tpm2.Connection{TPMContext: tpmctx} + restore := secboot.MockSbConnectToDefaultTPM(func() (*sb_tpm2.Connection, error) { if tpmErr != nil { return nil, tpmErr } diff --git a/secboot/secboot_tpm.go b/secboot/secboot_tpm.go index 815b9d45cd1..d7fc0c5feea 100644 --- a/secboot/secboot_tpm.go +++ b/secboot/secboot_tpm.go @@ -2,7 +2,7 @@ // +build !nosecboot /* - * Copyright (C) 2020 Canonical Ltd + * Copyright (C) 2021 Canonical Ltd * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License version 3 as @@ -28,6 +28,8 @@ import ( "github.com/canonical/go-tpm2" sb "github.com/snapcore/secboot" + sb_efi "github.com/snapcore/secboot/efi" + sb_tpm2 "github.com/snapcore/secboot/tpm2" "golang.org/x/xerrors" "github.com/snapcore/snapd/asserts" @@ -44,17 +46,19 @@ const ( ) var ( - sbConnectToDefaultTPM = sb.ConnectToDefaultTPM - sbMeasureSnapSystemEpochToTPM = sb.MeasureSnapSystemEpochToTPM - sbMeasureSnapModelToTPM = sb.MeasureSnapModelToTPM - sbBlockPCRProtectionPolicies = sb.BlockPCRProtectionPolicies - sbActivateVolumeWithTPMSealedKey = sb.ActivateVolumeWithTPMSealedKey - sbAddEFISecureBootPolicyProfile = sb.AddEFISecureBootPolicyProfile - sbAddEFIBootManagerProfile = sb.AddEFIBootManagerProfile - sbAddSystemdEFIStubProfile = sb.AddSystemdEFIStubProfile - sbAddSnapModelProfile = sb.AddSnapModelProfile - sbSealKeyToTPMMultiple = sb.SealKeyToTPMMultiple - sbUpdateKeyPCRProtectionPolicyMultiple = sb.UpdateKeyPCRProtectionPolicyMultiple + sbConnectToDefaultTPM = sb_tpm2.ConnectToDefaultTPM + sbMeasureSnapSystemEpochToTPM = sb_tpm2.MeasureSnapSystemEpochToTPM + sbMeasureSnapModelToTPM = sb_tpm2.MeasureSnapModelToTPM + sbBlockPCRProtectionPolicies = sb_tpm2.BlockPCRProtectionPolicies + sbefiAddSecureBootPolicyProfile = sb_efi.AddSecureBootPolicyProfile + sbefiAddBootManagerProfile = sb_efi.AddBootManagerProfile + sbefiAddSystemdStubProfile = sb_efi.AddSystemdStubProfile + sbAddSnapModelProfile = sb_tpm2.AddSnapModelProfile + sbSealKeyToTPMMultiple = sb_tpm2.SealKeyToTPMMultiple + sbUpdateKeyPCRProtectionPolicyMultiple = sb_tpm2.UpdateKeyPCRProtectionPolicyMultiple + sbSealedKeyObjectRevokeOldPCRProtectionPolicies = (*sb_tpm2.SealedKeyObject).RevokeOldPCRProtectionPolicies + sbNewKeyDataFromSealedKeyObjectFile = sb_tpm2.NewKeyDataFromSealedKeyObjectFile + sbReadSealedKeyObjectFromFile = sb_tpm2.ReadSealedKeyObjectFromFile randutilRandomKernelUUID = randutil.RandomKernelUUID @@ -65,7 +69,7 @@ var ( _ (sb.SnapModel) = ModelForSealing(nil) ) -func isTPMEnabledImpl(tpm *sb.TPMConnection) bool { +func isTPMEnabledImpl(tpm *sb_tpm2.Connection) bool { return tpm.IsEnabled() } @@ -119,15 +123,15 @@ func checkSecureBootEnabled() error { // for measurement from the initramfs. const initramfsPCR = 12 -func insecureConnectToTPM() (*sb.TPMConnection, error) { +func insecureConnectToTPM() (*sb_tpm2.Connection, error) { return sbConnectToDefaultTPM() } -func measureWhenPossible(whatHow func(tpm *sb.TPMConnection) error) error { +func measureWhenPossible(whatHow func(tpm *sb_tpm2.Connection) error) error { // the model is ready, we're good to try measuring it now tpm, err := insecureConnectToTPM() if err != nil { - if xerrors.Is(err, sb.ErrNoTPM2Device) { + if xerrors.Is(err, sb_tpm2.ErrNoTPM2Device) { return nil } return fmt.Errorf("cannot open TPM connection: %v", err) @@ -144,7 +148,7 @@ func measureWhenPossible(whatHow func(tpm *sb.TPMConnection) error) error { // MeasureSnapSystemEpochWhenPossible measures the snap system epoch only if the // TPM device is available. If there's no TPM device success is returned. func MeasureSnapSystemEpochWhenPossible() error { - measure := func(tpm *sb.TPMConnection) error { + measure := func(tpm *sb_tpm2.Connection) error { return sbMeasureSnapSystemEpochToTPM(tpm, initramfsPCR) } @@ -158,7 +162,7 @@ func MeasureSnapSystemEpochWhenPossible() error { // MeasureSnapModelWhenPossible measures the snap model only if the TPM device is // available. If there's no TPM device success is returned. func MeasureSnapModelWhenPossible(findModel func() (*asserts.Model, error)) error { - measure := func(tpm *sb.TPMConnection) error { + measure := func(tpm *sb_tpm2.Connection) error { model, err := findModel() if err != nil { return err @@ -176,7 +180,7 @@ func MeasureSnapModelWhenPossible(findModel func() (*asserts.Model, error)) erro func lockTPMSealedKeys() error { tpm, tpmErr := sbConnectToDefaultTPM() if tpmErr != nil { - if xerrors.Is(tpmErr, sb.ErrNoTPM2Device) { + if xerrors.Is(tpmErr, sb_tpm2.ErrNoTPM2Device) { logger.Noticef("cannot open TPM connection: %v", tpmErr) return nil } @@ -205,21 +209,23 @@ func unlockVolumeUsingSealedKeyTPM(name, sealedEncryptionKeyFile, sourceDevice, // intermediate certs from the manufacturer. res := UnlockResult{IsEncrypted: true, PartDevice: sourceDevice} + tpmDeviceAvailable := false // Obtain a TPM connection. - tpm, tpmErr := sbConnectToDefaultTPM() - if tpmErr != nil { - if !xerrors.Is(tpmErr, sb.ErrNoTPM2Device) { + if tpm, tpmErr := sbConnectToDefaultTPM(); tpmErr != nil { + if !xerrors.Is(tpmErr, sb_tpm2.ErrNoTPM2Device) { return res, fmt.Errorf("cannot unlock encrypted device %q: %v", name, tpmErr) } logger.Noticef("cannot open TPM connection: %v", tpmErr) } else { - defer tpm.Close() + // Also check if the TPM device is enabled. The platform firmware may disable the storage + // and endorsement hierarchies, but the device will remain visible to the operating system. + tpmDeviceAvailable = isTPMEnabled(tpm) + // later during ActivateVolumeWithKeyData secboot will + // open the TPM again, close it as it can't be opened + // multiple times and also we are done using it here + tpm.Close() } - // Also check if the TPM device is enabled. The platform firmware may disable the storage - // and endorsement hierarchies, but the device will remain visible to the operating system. - tpmDeviceAvailable := tpmErr == nil && isTPMEnabled(tpm) - // if we don't have a tpm, and we allow using a recovery key, do that // directly if !tpmDeviceAvailable && opts.AllowRecoveryKey { @@ -233,7 +239,7 @@ func unlockVolumeUsingSealedKeyTPM(name, sealedEncryptionKeyFile, sourceDevice, // otherwise we have a tpm and we should use the sealed key first, but // this method will fallback to using the recovery key if enabled - method, err := unlockEncryptedPartitionWithSealedKey(tpm, mapperName, sourceDevice, sealedEncryptionKeyFile, opts.AllowRecoveryKey) + method, err := unlockEncryptedPartitionWithSealedKey(mapperName, sourceDevice, sealedEncryptionKeyFile, opts.AllowRecoveryKey) res.UnlockMethod = method if err == nil { res.FsDevice = targetDevice @@ -241,20 +247,6 @@ func unlockVolumeUsingSealedKeyTPM(name, sealedEncryptionKeyFile, sourceDevice, return res, err } -func isActivatedWithRecoveryKey(err error) bool { - if err == nil { - return false - } - // with non-nil err, we should check for err being ActivateWithTPMSealedKeyError - // and RecoveryKeyUsageErr inside that being nil - this indicates that the - // recovery key was used to unlock it - activateErr, ok := err.(*sb.ActivateWithTPMSealedKeyError) - if !ok { - return false - } - return activateErr.RecoveryKeyUsageErr == nil -} - func activateVolOpts(allowRecoveryKey bool) *sb.ActivateVolumeOptions { options := sb.ActivateVolumeOptions{ PassphraseTries: 1, @@ -272,26 +264,23 @@ func activateVolOpts(allowRecoveryKey bool) *sb.ActivateVolumeOptions { // unlockEncryptedPartitionWithSealedKey unseals the keyfile and opens an encrypted // device. If activation with the sealed key fails, this function will attempt to // activate it with the fallback recovery key instead. -func unlockEncryptedPartitionWithSealedKey(tpm *sb.TPMConnection, name, device, keyfile string, allowRecovery bool) (UnlockMethod, error) { +func unlockEncryptedPartitionWithSealedKey(mapperName, sourceDevice, keyfile string, allowRecovery bool) (UnlockMethod, error) { + keyData, err := sbNewKeyDataFromSealedKeyObjectFile(keyfile) + if err != nil { + return NotUnlocked, fmt.Errorf("cannot read key data: %v", err) + } options := activateVolOpts(allowRecovery) - // XXX: pinfile is currently not used - activated, err := sbActivateVolumeWithTPMSealedKey(tpm, name, device, keyfile, nil, options) - - if activated { - // non nil error may indicate the volume was unlocked using the - // recovery key - if err == nil { - logger.Noticef("successfully activated encrypted device %q with TPM", device) - return UnlockedWithSealedKey, nil - } else if isActivatedWithRecoveryKey(err) { - logger.Noticef("successfully activated encrypted device %q using a fallback activation method", device) - return UnlockedWithRecoveryKey, nil - } - // no other error is possible when activation succeeded - return UnlockStatusUnknown, fmt.Errorf("internal error: volume activated with unexpected error: %v", err) + // ignoring model checker as it doesn't work with tpm "legacy" platform key data + _, err = sbActivateVolumeWithKeyData(mapperName, sourceDevice, keyData, options) + if err == sb.ErrRecoveryKeyUsed { + logger.Noticef("successfully activated encrypted device %q using a fallback activation method", sourceDevice) + return UnlockedWithRecoveryKey, nil + } + if err != nil { + return NotUnlocked, fmt.Errorf("cannot activate encrypted device %q: %v", sourceDevice, err) } - // ActivateVolumeWithTPMSealedKey should always return an error if activated == false - return NotUnlocked, fmt.Errorf("cannot activate encrypted device %q: %v", device, err) + logger.Noticef("successfully activated encrypted device %q with TPM", sourceDevice) + return UnlockedWithSealedKey, nil } // SealKeys provisions the TPM and seals the encryption keys according to the @@ -325,15 +314,15 @@ func SealKeys(keys []SealKeyRequest, params *SealKeysParams) error { } // Seal the provided keys to the TPM - creationParams := sb.KeyCreationParams{ + creationParams := sb_tpm2.KeyCreationParams{ PCRProfile: pcrProfile, PCRPolicyCounterHandle: tpm2.Handle(params.PCRPolicyCounterHandle), AuthKey: params.TPMPolicyAuthKey, } - sbKeys := make([]*sb.SealKeyRequest, 0, len(keys)) + sbKeys := make([]*sb_tpm2.SealKeyRequest, 0, len(keys)) for i := range keys { - sbKeys = append(sbKeys, &sb.SealKeyRequest{ + sbKeys = append(sbKeys, &sb_tpm2.SealKeyRequest{ Key: keys[i].Key, Path: keys[i].KeyFile, }) @@ -359,6 +348,10 @@ func ResealKeys(params *ResealKeysParams) error { if numModels < 1 { return fmt.Errorf("at least one set of model-specific parameters is required") } + numSealedKeyObjects := len(params.KeyFiles) + if numSealedKeyObjects < 1 { + return fmt.Errorf("at least one key file is required") + } tpm, err := sbConnectToDefaultTPM() if err != nil { @@ -379,15 +372,37 @@ func ResealKeys(params *ResealKeysParams) error { return fmt.Errorf("cannot read the policy auth key file: %v", err) } - return sbUpdateKeyPCRProtectionPolicyMultiple(tpm, params.KeyFiles, authKey, pcrProfile) + sealedKeyObjects := make([]*sb_tpm2.SealedKeyObject, 0, numSealedKeyObjects) + for _, keyfile := range params.KeyFiles { + sealedKeyObject, err := sbReadSealedKeyObjectFromFile(keyfile) + if err != nil { + return err + } + sealedKeyObjects = append(sealedKeyObjects, sealedKeyObject) + } + + if err := sbUpdateKeyPCRProtectionPolicyMultiple(tpm, sealedKeyObjects, authKey, pcrProfile); err != nil { + return err + } + + // write key files + for i, sko := range sealedKeyObjects { + w := sb_tpm2.NewFileSealedKeyObjectWriter(params.KeyFiles[i]) + if err := sko.WriteAtomic(w); err != nil { + return fmt.Errorf("cannot write key data file: %v", err) + } + } + + // revoke old policies via the primary key object + return sbSealedKeyObjectRevokeOldPCRProtectionPolicies(sealedKeyObjects[0], tpm, authKey) } -func buildPCRProtectionProfile(modelParams []*SealKeyModelParams) (*sb.PCRProtectionProfile, error) { +func buildPCRProtectionProfile(modelParams []*SealKeyModelParams) (*sb_tpm2.PCRProtectionProfile, error) { numModels := len(modelParams) - modelPCRProfiles := make([]*sb.PCRProtectionProfile, 0, numModels) + modelPCRProfiles := make([]*sb_tpm2.PCRProtectionProfile, 0, numModels) for _, mp := range modelParams { - modelProfile := sb.NewPCRProtectionProfile() + modelProfile := sb_tpm2.NewPCRProtectionProfile() loadSequences, err := buildLoadSequences(mp.EFILoadChains) if err != nil { @@ -395,7 +410,7 @@ func buildPCRProtectionProfile(modelParams []*SealKeyModelParams) (*sb.PCRProtec } // Add EFI secure boot policy profile - policyParams := sb.EFISecureBootPolicyProfileParams{ + policyParams := sb_efi.SecureBootPolicyProfileParams{ PCRAlgorithm: tpm2.HashAlgorithmSHA256, LoadSequences: loadSequences, // TODO:UC20: set SignatureDbUpdateKeystore to support applying forbidden @@ -404,34 +419,34 @@ func buildPCRProtectionProfile(modelParams []*SealKeyModelParams) (*sb.PCRProtec // ensure that the PCR profile is updated before/after sbkeysync executes. } - if err := sbAddEFISecureBootPolicyProfile(modelProfile, &policyParams); err != nil { + if err := sbefiAddSecureBootPolicyProfile(modelProfile, &policyParams); err != nil { return nil, fmt.Errorf("cannot add EFI secure boot policy profile: %v", err) } // Add EFI boot manager profile - bootManagerParams := sb.EFIBootManagerProfileParams{ + bootManagerParams := sb_efi.BootManagerProfileParams{ PCRAlgorithm: tpm2.HashAlgorithmSHA256, LoadSequences: loadSequences, } - if err := sbAddEFIBootManagerProfile(modelProfile, &bootManagerParams); err != nil { + if err := sbefiAddBootManagerProfile(modelProfile, &bootManagerParams); err != nil { return nil, fmt.Errorf("cannot add EFI boot manager profile: %v", err) } // Add systemd EFI stub profile if len(mp.KernelCmdlines) != 0 { - systemdStubParams := sb.SystemdEFIStubProfileParams{ + systemdStubParams := sb_efi.SystemdStubProfileParams{ PCRAlgorithm: tpm2.HashAlgorithmSHA256, PCRIndex: initramfsPCR, KernelCmdlines: mp.KernelCmdlines, } - if err := sbAddSystemdEFIStubProfile(modelProfile, &systemdStubParams); err != nil { + if err := sbefiAddSystemdStubProfile(modelProfile, &systemdStubParams); err != nil { return nil, fmt.Errorf("cannot add systemd EFI stub profile: %v", err) } } // Add snap model profile if mp.Model != nil { - snapModelParams := sb.SnapModelProfileParams{ + snapModelParams := sb_tpm2.SnapModelProfileParams{ PCRAlgorithm: tpm2.HashAlgorithmSHA256, PCRIndex: initramfsPCR, Models: []sb.SnapModel{mp.Model}, @@ -444,9 +459,9 @@ func buildPCRProtectionProfile(modelParams []*SealKeyModelParams) (*sb.PCRProtec modelPCRProfiles = append(modelPCRProfiles, modelProfile) } - var pcrProfile *sb.PCRProtectionProfile + var pcrProfile *sb_tpm2.PCRProtectionProfile if numModels > 1 { - pcrProfile = sb.NewPCRProtectionProfile().AddProfileOR(modelPCRProfiles...) + pcrProfile = sb_tpm2.NewPCRProtectionProfile().AddProfileOR(modelPCRProfiles...) } else { pcrProfile = modelPCRProfiles[0] } @@ -456,7 +471,7 @@ func buildPCRProtectionProfile(modelParams []*SealKeyModelParams) (*sb.PCRProtec return pcrProfile, nil } -func tpmProvision(tpm *sb.TPMConnection, lockoutAuthFile string) error { +func tpmProvision(tpm *sb_tpm2.Connection, lockoutAuthFile string) error { // Create and save the lockout authorization file lockoutAuth := make([]byte, 16) // crypto rand is protected against short reads @@ -471,19 +486,19 @@ func tpmProvision(tpm *sb.TPMConnection, lockoutAuthFile string) error { // TODO:UC20: ideally we should ask the firmware to clear the TPM and then reboot // if the device has previously been provisioned, see // https://godoc.org/github.com/snapcore/secboot#RequestTPMClearUsingPPI - if err := provisionTPM(tpm, sb.ProvisionModeFull, lockoutAuth); err != nil { + if err := provisionTPM(tpm, sb_tpm2.ProvisionModeFull, lockoutAuth); err != nil { logger.Noticef("TPM provisioning error: %v", err) return fmt.Errorf("cannot provision TPM: %v", err) } return nil } -func provisionTPMImpl(tpm *sb.TPMConnection, mode sb.ProvisionMode, lockoutAuth []byte) error { +func provisionTPMImpl(tpm *sb_tpm2.Connection, mode sb_tpm2.ProvisionMode, lockoutAuth []byte) error { return tpm.EnsureProvisioned(mode, lockoutAuth) } // buildLoadSequences builds EFI load image event trees from this package LoadChains -func buildLoadSequences(chains []*LoadChain) (loadseqs []*sb.EFIImageLoadEvent, err error) { +func buildLoadSequences(chains []*LoadChain) (loadseqs []*sb_efi.ImageLoadEvent, err error) { // this will build load event trees for the current // device configuration, e.g. something like: // @@ -495,7 +510,7 @@ func buildLoadSequences(chains []*LoadChain) (loadseqs []*sb.EFIImageLoadEvent, for _, chain := range chains { // root of load events has source Firmware - loadseq, err := chain.loadEvent(sb.Firmware) + loadseq, err := chain.loadEvent(sb_efi.Firmware) if err != nil { return nil, err } @@ -505,11 +520,11 @@ func buildLoadSequences(chains []*LoadChain) (loadseqs []*sb.EFIImageLoadEvent, } // loadEvent builds the corresponding load event and its tree -func (lc *LoadChain) loadEvent(source sb.EFIImageLoadEventSource) (*sb.EFIImageLoadEvent, error) { - var next []*sb.EFIImageLoadEvent +func (lc *LoadChain) loadEvent(source sb_efi.ImageLoadEventSource) (*sb_efi.ImageLoadEvent, error) { + var next []*sb_efi.ImageLoadEvent for _, nextChain := range lc.Next { // everything that is not the root has source shim - ev, err := nextChain.loadEvent(sb.Shim) + ev, err := nextChain.loadEvent(sb_efi.Shim) if err != nil { return nil, err } @@ -519,26 +534,26 @@ func (lc *LoadChain) loadEvent(source sb.EFIImageLoadEventSource) (*sb.EFIImageL if err != nil { return nil, err } - return &sb.EFIImageLoadEvent{ + return &sb_efi.ImageLoadEvent{ Source: source, Image: image, Next: next, }, nil } -func efiImageFromBootFile(b *bootloader.BootFile) (sb.EFIImage, error) { +func efiImageFromBootFile(b *bootloader.BootFile) (sb_efi.Image, error) { if b.Snap == "" { if !osutil.FileExists(b.Path) { return nil, fmt.Errorf("file %s does not exist", b.Path) } - return sb.FileEFIImage(b.Path), nil + return sb_efi.FileImage(b.Path), nil } snapf, err := snapfile.Open(b.Snap) if err != nil { return nil, err } - return sb.SnapFileEFIImage{ + return sb_efi.SnapFileImage{ Container: snapf, FileName: b.Path, }, nil diff --git a/secboot/test-data/keyfile b/secboot/test-data/keyfile new file mode 100644 index 0000000000000000000000000000000000000000..c588b55e7e95cdc0a4a7c7a05a1a006d44393199 GIT binary patch literal 131303 zcmV(zK<2+yQ%fWO00031007wl3jhKD)pWD)zRP~hoON3|pD>jhP;h5@5^EIZYHz{_ z_?<5P&$SzO0zDhb<9ma$+M`Ny9#$@eg|~qLHG*{3r=2rf0;5o$pK_MaYK4lBUwes( zT+S+t?+vzT+TWokCrl#3?^(?4ME)Z1xoTk3?BJU$RJO^zZt$^MJ{xjn?Oo7U_2Kt{ zfW=9#Kv2$MzK8V`{4TPKd4lq5sMIuuaY!H1U6PmC-E*5*)$MG_PQbbsbeBYFgj)R% zgF}RIgbOdh3+>chDWd!#Tu|L6zBruZ2T!rzs+k_EkZQGWPBV&fyWxZmuAlp!s_^Vr zU);?k(Ja3OR#XeDO>*DyMWz+#RlobjGQboM7FELq_<7$c<1SWwwWSys>4V_Rfjrp-1{hofs>5)Ek_8w|=E!`jEV69=irujxD^wjv!{ zkZYr?|MkC;8~7gNb!aM+d6*H1S|Zq8D%bRl;TWo70B4D3)VtwJ{df#aO^go>57MPS z_xjN^E&8}+^OwyC#6*xl)jt{qs1C0Ji3f0kVwz?;1A8sEJ301*s$SS{KUBEZ%4(mAaBA$;QgZ^~% z&60`!_<}eDf9Rx5uJ8SiHz>RSbGA`Pzk=HOz5a*Dj)~2>KNG7@rAsG%kZ7hO7|zYX z;pi*_rrRR0qKfMVQ6|SH_H=ye`WMO5RfiH9R_r4Ln+x~GpbyqScKBis;iWKz7WWfO zb$V2|gJ^gTSUY+`^_9M^tuWmNx(wMcjsfouR>Q{dnT{H?5S~>O&+%wXkf{^c352RGMnB$AkBR^LBFP66`8E18wNqt(bGhI^ka#YqYERN` zrR#JEzPNDyPQHGHcSc<;1s7Ah!C!;Frl|};_NZjndM~2yu@)69`}x`Z6Vuf@s4ROnd5K>y_W^5y_B-)9>D?r6N;U8c zYx@Ifs(@!#-H)(48J;0`SNL7ywUZMWUw(21Tb`=vw%SUk!TYk1A)ncSS2?BEh=*Pf zase1Z&a85fC63UE1Pm~r;udc7S+EthmV^$%oKY|VQROOTNm3__hj%SecLP2vu7)M2 zm@d@OQqk5Up{I6(L?eTvk;-xec}+#v-n^Rk`PS4tQx_`Az5K-P3bbveZ__qDu$D9W zw)G!0zyPmXWI^3ZvoG1)z*|upVf&GRE+Y}^IBmBZIckLXARtMeD)SzAWr&u)ytXUP zawqVqF4cEXX?1zsy(Dp{HRuNC`w#Q_4<+hebw|h*@I!7V=}UPNNOnrpL4*&Gt@vp8 z_<9!7$5l@&_b$3tuq-K|=IuLtfPrZ1UVQ=zn+Kwmn$XVaODZaBvf__49=YKoWkBgE#6 z4$R(?eMY})f;(>NrmL^sCs{3C(*5ze(XGHrzwAKuGkHlN4)bJs1O2aVqXvzz3m46f z+!_aP53|Je%g@zN|K%U}nR!_@d#d8nn@KULjn*svJlNLr#VjTg2Ylr~nyt+M^01$% zY-a5Sn78`nL|6t)U(w_f{!qYHi-@EwVWj||D_|UD&Z3sWwZvy@f|h_JFvH)N>~vh^ z7H;BPJyBBEd)1w(+(CkZ!%2SUK$b+f+)Ts-6?Ax~6)vo8#d6BieQj#Zc|di6K{M?B zQNK^-zF`KTT7C<)WBzt2j%$q0oc%Ng8}(RIxukKqhhX2COax4$<66cp?QuJQs#-D| zQ9K=x|Jkwc_8u-Y#wDxmfSq9%wQrk7=PuZXtJ*ZOU(9kywh*Gx?v-uYw!#EF!2oKN z4!t42Qh<^obH?VVRnS@^W8Y}xE;aFjnIs}Zu=+VI(=}TyM{+$Pqa9DCt2{I#kK(0U zjVG9;xGLc`0AyQl9i&7$Le#7JFmja%b3W_KMNLfuc#P-HjQ%* z%$-95F}Zg9F$ZpCZn5ksvQz4v1A#FYOXl+P&J=H*qvye|HY1T}9nz={qtE4Pa2QYV zoq~BU-DW|1{U&EHM>l~R>}{9WdRUyDfyDOJ+9NIRA3MNGnLfmrBmM>eu0nEvM7ABLs)rvm`J zx>IF{)Zv?f#C}iX;*Hp7N`qL?0Mk)0sJnkLa+H^9W#)8T4pJp(!72a=uUe4OG++hN#%%Wn1eSgUT< ztFlbS1oN)1`2y8$Nn2m!Tul`$t)vH51WlK22hEshK~^Kv#FzzHKUBDG;QS7iIwWV{ zz&->erCSbpdeInZFRiMq$AtMoz;f0e+&|Dq54oVBQXSyQbY^ktyFS`yviy8ww>{4Z zw>5ZBL_vR5F)_k}_`vW_G8eST%6f$1K2(eyYi+|YN>h>>U9#*?qiStMnt5R=7p%H zad!^S888z5u@~kjaQ&w(N)kWp=A@#& zB(yIye71xgdWe$y%}xlu!0SeNo7XIqfY{^Kr$fh^2PiGl5A4Cx6eY_^doKs^`a}YFV_8JlcpZXPgO1J|Jq@pn6#V|8@%7-4Qi20-9jNVYy%l{VU??0E$uEc@S zFSg1CZk-zQ{Eso&*1H)l1tONLGYbj>QLLnEnA2Ok4HnXT$i@F0f3#()?PQ*#(dm0* zaA1B+S7eQuxpaD&k3nMa1~2e!vB+b_8c*uJ?V$}HlNo%gr-5gPJ#)X;&j$m1|F)9C$8QHa-_Hd5 zqRD)t1;QwFxGOJ1I}_`+N?Js5HTUT(y7~%5XH9?xWTy7E;tCS7alRM~7^cr-0ZGaP z*8P82KXC!>ul6=qc%3PLL8{PfUoy5jS*cKr%F)>Je)_r)Dc-N%qe+%8-|1jmpwkQN zQ5KNYhZ9fkA`D!UWWW2Br2&L3PoYA(dw}EPb1p!<`Ko^EkuQCg)t4FL0e?+1VB&9@ zIWs$|f`_!LzoXBXiBEuiWOg{0of7Xjnqj$!=jNg=JyLQ2JgnAoL|PALHy)~EXsJch zlYhMwL-ZY#>z}l!csObOQqIKknCX@tNi?)K2J+<3uNbzr%!Y@OWbH_aM}Cby1h2j8 z)KCArv~@$;rv#p^j$~;X|6EeOD%ih;+LF;l-ddthrzFtHQ%im-aktwaiS>V`llUKB#80{&KYJ((-R9Q;YlAf%yGkNtG;98#PYf4mktw*p1eqr%E)cBr@X$WI|F4Ft7Chq`R}-5&(6(aQ2AcL2bxg6+%)9j@4TEgucI{%)0^Rq$MObY<=*hi*gmw_ zRrt#~QTZ^*x$O`Pp*KW5HgQ9l9=SW8^OQTT%V%zMs$9N#2lEtmgNvCxKO$^Z1 zS36P4&DnvZ?#H+)23n1#2vq+ zKZTe(q34-OIh(4LxUle)c?io3wvu^7Hxf#0V;vBoH{&&8NJ6NEM$&ODZF>4fI+zA` zqO{_|0&tdmW^g*RTtJ#xs+$!!Js|+q!t*J1hG6?m7EZjwwTpeXnw=-vW6) zJgTcLbWV_BgUyn!cc2^*%2>N+L}BpP}sGpY&+1;5t4?j>HFR4L_l ze9Bq3H(ublvV#IS!0m$9S?|M{QE1IJ;US@=dw|ICqj$bocE*r^o$(NvgKrqKH#D)n zJ>GcEYh`N`fJg+AFnTofv34Yl;dZB3al*X=l&&ORvKvRK z9gg$!XeXRXONLZ9P$$N;F(wFc{itTO+xgs6_rd$_4{}p6{0k%fQ>=wDDD6UUtt!ZG)VlyA!!rscx9g789%1f(zyI2_ zE(R3=HDNTE114}EJx3QQy*<*~DBg$~UnuYVl$jIEe#L=<~-4XZ?@0;Fo&7hUhf4EQw|k*lV*F zPyCYY;1gjSR};_2=!Mi5g0SS+hH?*o0Lg0!Dio3`iTek6ChG_Hh^0$JMXefjY1I8* zWKMyi5;dO)N(}b}+>m1gsjEDN0!bK|&dYObnxMz;Blo58pDa_XK*OYfz57$`!%!4u zuSNM`SA6tXQ}XF4t$uDe?1*0R$URnsmw^@J!@`SiHQB094Io@&uVc;eDT@ZXW0aY* z?Zej!3I|gPyh*<~p%V5$LbE+!hmU1^Rt?^M_dHUt>;jWMw)1b#uvEb4!pI{K29#=^ zDHc7dMYTfOoee3HNYNOBUNu}bvuQTLxaS&K{~JrS*dIJNf0y1s&nuvYGHYFQu<=+t z%CIT1?2+{D=CQfO$$(r%oC>Ad7v_%4@dK0EtX@&+<@ZVAMI7Na0Va30rt@Fi?TS`C zk_Xntb#^wqAv|;?2z%1@eov>H!(mQsb0NVs<6-NPd)S9G|1N|C@<9g$n07=I#4(L+ zFbksj*F%3<2ag`BF0#q;Sia4f2qOrYw9UjVgL-r|tx*Jt4rVa)Tv5kTb&jr3aq3@& zhfuo7EdJ@C;@9@{dL)it+DN4P(HnfeqxfPqqS_wOG=Fhp&hM+Lbi_D*uq2h;8nU-xgod)}M-%L#M;MbrFIC zK~Wb1o9xuJ!hN$M09<-yn`4&qU`21x3Dv9?b22fy_T~cVyzWKxnP>dx#g9<^kb7pt z4oI7}Ou5%kNb)bjCar#!2Y(Xah`g=mly2@k0n_OZ$h6-Ik?47$qqVdZ3gn3LjqSZ0 z9XQ1kvTYf^jk{1pi!-mhHFOEMb|J=2t!jn$at z2iB$-#&6C)@JDY=|M6sgch2#qY1TGUX2cc(LbLPf9f5{?@^7C1jb=vDjYL8hzQ-b7 zIL%8FJC4UJVnxXRH{J0n=1h+?%#Q@OP*3oc{?*`FiVZU-FKXVil9NYLrgy9Sx=1ze zjEb2knq?q1OBi21z-pa6o%*x4Zd#uG(AT>TmW3`c8wg z4Frk~l}~;}QkkDoDrA9Zn9n?mZs|6A?4MMS_y(5h)O-8?27>A;pUU15xz#=9T0{a- zo?R;Xnh3_S~%JSg0EkLpBH5ENp;0qn;BdUXSN$jgVtDeRERwc>E4c^!*!Qr6#Fg$EcSjo!K_t>C`>j_B1%@gns0aRfMaJbyEm+V zE)QzFQhwYIN>KbyU%_M)9~o3c1`#0KLMj+ig(UaEF#Q+DwtO?{?gsQSf_?_&FfAr? zU79+wBXm2V1l}*!4&>q78MpRG&-(FR{eyb5t|trB$uMo1kePVt0m zh^G>2x$kDWD(lm)K?{%zxnj~@f_))?EIObevtsm4tgt zB&DC?OQKn^e$ZBeZAgiVCaSq#Th`5Jr!5NQ_c(?3N`m)IRR)CQ4=?Hp-eL zCA0$@8+*cf76I0BJvyboA5X>QyEzHW-eb5Q{D!|p-WDmr810vI*YsTd_H&8bsbG_S zg9=${xOZ>YAF1u{Lf|&B(96S2xD7&%CZ-e@Mg9l}@m3gC@I+e72tCfn3+xeF$+NcX{M&H?H^cu*UcQG=c(z)dj%R zQl-}i_Puct?>p%4jSZ$j1zd`O9A?;{=j%F~w&tKX7C@SdUwLyG#Y7Gi*12_nOnU}?mQU9rl4+&L0f3^6Mn4t^y}&5 ztGi)?=nw0vrNE|z2e5y2H+9Z9XsmpfmkR9p{Vg?XJgKW!KtPIEOK@#?5G{I}vc+#qeyC`QFb@*~b<8XDe9> zwmXtK+nKPYS=a=M4vD=E0fUzwk8h;sB}T|WLOcjFx*u45Y_=*`VItP7Qi5bpO+;8; z`0g?mv83L8o_uRZSQ9h^^~P#tdWk(owJk{?3ANA)6fO&NmclUk*Z&O8RyS0hn-Xah z>`*hT6%Pc5zQ3hBKYFecIVN`YfB;4swT6u1^`X5$iH6{sZm7q1I|Jq~O-S*~8ba3n z<=~&{3p`;+ZKk3Wz%6W{>U07ayIX>Q6>qEmR>;=w{EDt2sU^ope(6|D*}%m6hty03 zwapF$N*a&-5EW&P&j7u@DYDW@X#_E^b}uB@sij^N=KEI3P76Z9MHy}hscn8y&f=U6%n;Nw@GG=gkEsx}W7<^qJ43?R><5nTO%%%L& z(zufPeo5?H4^eT<()t(FNMetD#XYa2ee>*@#QgYfyqR)M(Su%?_T`&?RtV$t5#38W zdasY)rpo9R(Gg=fZUE|~_`fHrumT`4LHU9^26EYxaS^yLiHt8y0aXv%E4XfHXlss! z`jb5%)k_L>VAl#Lq#U|o*yp-Kc>rD6 z@oLI$)1Y%L-r8KyG%mvn`4dI*nso+; zniqvycRI_`a_$Yb3W=cKbKc%MGDgUuKA24cC5!f2b+k==u6`m`n&tcM4MtX9#6`Dw zx-b)BvG_}S?5W{xk%bGqM3nKFD5R{uwexQ(e@R@sUv%-Ch2Ba8h3VPdz^E#|`GN?F z;+L5^^ee^4<(3YHBSDZ|*|uTdk~WGWux&B|{_A~?Fs~en%lR^gFwK4%j$M_cw@S?| z7kcN1vEN13ca|VHK@A2%{V#thrYoA#C#9=23U7Iln{^DhS3=y&)zdyM!~!Q&yrRhI zFy_GAm`lMHCYcQ5NBo;L22yHMED!1{Yv68FBO+iOa`+5M+@V_k_Vfx;5wC$m>+#r9 zse6p(%6j?FOvDFoyo7RsKMIKdz^A`E1UakRqe8-yw$hUcbt6w)(>7U-!S3%DT$hGy zw|NK#9w_+^gfbFWH|y9OwB@kk6!Bdje*}YAB4Yz+wOlFr?mYZyG6q5c-}Wr9&TLmx#rr`LVNzKvKNF(Q)IV8VTB$<%Cko zM%Z;@eED_%$`JiHQ!1QoD_PDP!I-J5<=q|N;Npx0BhXKF&{W~@!y3kA@;BdPH}55T zv9FV5%Es$+@T_QZpOIv{X&Q%edK@Etfjs-S%Oif+BrPszby<46UuV{m zSuR!`V>ky0elh`eHoOOcTxU}8TWz|Vtk1SJR3n9l0$~M+K|!gUo4xE1?ZJ0mqmaSD zkW>i3zXE>wY-VOHujeRLL7)wW5i!|F5fs=w8oxIFjsAcaZMgft0n5bf=&7KOEQ2A={|>|3|nPR3Q+~jCwPQIu{eYu1L?Q2D7s5) z(e(a9X$LO^QdQIURpwt}Fn52t<+!-|$0vg@@cJn15#tv}Zrrw7=8z1!v6 zqq0xL`+QiqIdB1BYT6-#IoQ9F%lr=TJ*I)WXz``G^o_*PXvc$zM4vRaMC~mQM&n`^~2m4 zEY1NJGY-qOVT9V|R51273RL#1tTyx?K+XUB$BLn1NzC)At)!qzaWSe?RR8~A!(PY# ziTgDE0pVU513hd$eKQv_AR=OoZ2X-sf;GSjm}<3VS!7&}NE#fP>w5POba`I4%0p#y zpPP0Npk|l_eAZ|OAqOoK> zGASjIc2M3m01r|>uY?9d_1?g7_p}(+=U-#&CyPqs3LPuCTRIS0_%5zzo($lqPN1ugPj8Ari<%HyWROj1@As8G+vu_tT@Aq@@;oWY>4%y@xP z%N`?n@fhQ8v_`_i!vQd{xjdS@QIuq55axnNWaBDl=cq|=ROoola?=AW#!_$T`;B9f4LQ=h8Zdo_N- zfBfnB19wJ}R{q`XU7Yy4Ce!OFH@Wbcq5nUstHUP}4Tg$Xy@Zy4xsia4{coKo^JevT zG#)abZHZ{ZS7WGID`OyPslVHwgYfPM+6MnjAet@rHx63BpLPeFQlCTHF@N`cbFW~y z9ooSKHL{J?T7Ei|0@E=Ebk0!R!5}$udg1}_Bh8wdFQ!gXAqi9e+_MP5a1P$)eTri~ z1Ndnmk?BwouBajSJDsy9f2L$Hk71>yl&y7lI?Oqhhjs?T|1pztAU<;sD||zqMXw?M zrMBYB>IexA$A`)#4D|gO`=~ZVmPLNpY zqm)Z(QjlG0Gm-eqYyELVmNSWvqDI{IIH^?SEH;~v^MDL6Yrw{xKJ2hW-KOyk`o z>!LJFO__EBihFB2l}n7|G8U7;KUX*7ke6`Udxj?JoP8&=5ZiaN?3LaP(`#=mOFZw`>oxYTfjGetZ|1zuE15tpw# zS&Bssw~37Y7CR7?{s4TxV9r&iv;bW?!7GwHrPjZaH#8BUp*vT#uxf2I3^ZSO|{ zRaya%4#}lD^fox_ycj34l<2{W|GM|OHEE!r@Ach@tY(xFiS0@s7c)U?q*@_96rz=J zx}4K^IyXZ7Z;evo1y!X@0g0T7?A<*vXk567*BXlmL;;s@|3@(5!wzwx4VJbAPb_)( zM1#gvW_|dmq}CdPsIm^BG`UB+N8B#$D|XXX+ehtSjy5!k5Ch;+KpmNoB>FRdsoN{G zcW4Zg%1n=0eOVYmR((;lF=;AE>-5;+A#{qsDFGX}K!#V$COsdqR}cBw4QkIKf&%RE z>5e;{I2{TXbRO|#!7qTAe+BTjDB`seaCY0Qh^mWTYtzUwe43eBXx*4=0AUKP^e*}a^h&xz& z@URMa9O50MW!f<)53pK>9#8-(`veJuQGy9Q$gdEWc?e(M;X%x~G|#$gdAl#)@NKBT z*cSBmw+fYbcnxYnRfmr2mU3)s8-*sb5h7+U+$ynx?5^r8EO4)8&ZIkjOzr=Yy(B|R z9y2@g&fXh)d^FZ+1+QDc5X&wnriIV!MY-viS3~!9ZgS!UU*%U+Nj|u0Z1(hC8f)LP zGWvgegH5lZO6;RxI7}X3{ot#&cz}UbA<+OzcD)VAt4A!#2!4O!X$MWSN|7;BS7b#rJ%uDt@-U5R#2P;WWPaZ1o{XtJf*q4qvHz$g@$ZV{Kt!k7uyWV? zQ+z6rZTq7q&nqPNdSwSJx3@yxG=1iuH$)g*(V!3j5o;LK7Xr42wQVHZ$dBIu`mI`L zT5Ij}qM7jzTxBz}R>q~g{|q807l6RE>>wLJku(gP47a!!LR1ha!JOuOImxPalC1EO z!l~`ors#&t7EYSBFZ;Wg^EZ+eue5Wk{&Te9&OBvqp;0J24jcY-ZKV&HX`VYbSET5v4{uM&xO0}>2VtM7@t`ZxJ2lr zvI+(@R*M!;JhG!`dn-UdP6>&c5|^R9)vZEpPlsb8j4YI_EC^&KM5}N&+K(oL`Z`Xh z(?I4Ube}x8LX5KJL_Gb&E5dG!`c<+Kt@r;H=@Up-rwPAGl_Gl zQaDI16CfEjQ}J=z`lVW*#;I0uLD_wM6p>xIAPI{@ErT*4={%O7%KyH?c)S+soU77Z zOe-FDQ_VxbAE7i=0zovqX@5F|@ZQeA=AiK@HW1hUulbN7=JGV&(9Q81l+06EP8+d) zC!ihArar%+Hp=>h1%Gwn;!p zKSX%ggm;g{NPaD7by8W$mCTO&5D-Qy>RsLWop|LlfNBr8^>zx;;{V^UQr#fcWfZC% zwLXj=l3*`o1YKrB1Qa~kcAl~!ve4n6V6TuX3Ck81PiGJ1aKH%XjyobTa&b`s_k?7A z*9`I1DOCkwjtmRcG9W*4v43$Br*K@FYO5s)18s-dd2pw){%?42&fUnMx1<~bB~y@G zu@c>Af-zi7-EAz?ZEhXXc3>{#ETwf#bEcJMZ@IG#kH4ecitq>YxdFB6SYO%k8DC@Q zJ@s9si$@m2c!YdP{l&^lV8Mec$HS*;7<=}y4aoHiR0!{W&Vbs?o`}>w)z83*d}t3O zM&nq17vS&S4HdxF>NRGfBX*jReo&L%wprL-`g>vkYE0~H_=ODMN&SzSYQB#KZRzj7?4Nd=0MKVN=iO!i$=XwP9_=wGV~dD zSg1TqvwE6nQE;vUC($O?tU2~-3i~cwFoTL8T&VVI*OxC{l^EC(XW5Q5lA7N99ap$~ zq!-dSThHrGryeUWS0nuc>YQ={MAiu6@;mo=lIGZ9wCn10DH)0#dF3o>f!73&hpe65*Yrt$yxCEvo1kLlL)ETNkxAxAZ*9e4ydbXlW6j_{mv{DdBFfw!2A(dgh$gJI0FG z#tSTp7AlRz+M5U7uR3c|?bz(?`%I)#%4pmb78whpXiEq`Qi^hn6Ky7R@VMf@@}4#9 zkasTPRSzj4M6{vO;iM72Bf4A0=Vu4 zdlnMQ0b65tH`kO#-M8gMISevR^JMz#@&1EO2S-8h|64#{a+r}69XlDK4#x&(i)gJ= zy3pmyLU#}({jqlAa5DT70Bly?I(po`lo(b&hzz)f?=X>ha|qqVDY4~>?r>4sD$RGH z=-Q%Usy&QSLA8qy{K=1|I8?hl$y>7teH6(l6ls`jyvPV4x>zNjovmt?r-`C) zut6yYA65Q896G0UM}oc2K!fz?HUANmat>(_8W%jfDN>L5+>eDf$np~=70&0Z{hH*^AL6}r8Bu=T*sHBaGl_3d<=#KgpGO`dIjlu_0|V|C#A93!zqe71W@#iJS>Uw)Nl_gTG9 zUMz2i=wGo@wnbxS#1LI*cmC62C+Elg;d2KB;CHTNf*hKf`v?BiYIphPSO`nbtL~*S z72qRA4sHQ?LbMp!C=G4{;hCYsysF?nP!mO9T_CoC?%V_C^E1cWwp$hv;Q6lqYItCIwkQuQU?d5RLZD6^g>RZ7h zp_n`~N-3`tEY1+&vSlx5aB#!-bJlFg^DR%L5)c%%pSYM%%Cfy_)#5QbmAc@6q*lOQ z#AbI;y5%r{L{q2+eVR>*inqLvGf1jI;cEp=_}w2PqW0(QpOz)eEb!i$!i^(-dO*ZF z_V!1=zmrs1=`zq7(Ew_|o5^+oo?w;;%AmNkE}_5gJ-ik;U)~u#Q@_zm^hlBOQ7Xe( zq2VJ19|rVC~;-<0GlEuv0OqbLY}{G3YMJQSL|j&QEjEKV9X}(QkrOm^Zw~CSv@i{UBZ^ zTyIAznJ|jmp{*RJ3c?@D5u{IL*S*}L9#pEv)o~+np`5r=%OYO{aNG&mUQfsR^ZN-Z^roy+{GD6qp@4*_B3G`;ZDis$|p#H4}=cFRo09Q>@~3o4Yn z#hMG+Xw95O1Su+O#dNj&0DR5OtUppJ;ZuRFaYpqD=NQGJB6%>TPa)I-YR1~8gVAox zoC&N31mAA~zlZFaAO{95&Cr*3=dF9J<^VZYPOoA#cH55hD{qRd$l{IU#iB>}c4%+M zQf$+f@GI9*MjJ=G`UzM%&=xR9d-P}@O*fSxVM9~&$PKyU`4d84e*6UE!h{r_K$o$- z;c(N!DVixz|2eQtY?B_V(Cu1R8Y!rHlQF^(IIK*D6wRhG36LyY#Z`d;tYdJCfA>)R z+(oK%#*x&+!M3a?uZ5P21y3RP`MuqcBoK+E-%2w>h>@rz#*mEl<->WPtK)^M!&S@+ z_U`n!L@yPE(f`P4VfkPVn_TsBumiz$IriIi42Paga`F!nttDm;-AuZjmyPu!YFHoS z@@lxKeuR@vD*2IT?UetYd-sI<^ZM~&1h?78i= zp7D zPs83vwOS|^ae$i-%I50gZbFE&l!qY`xBqdFue=In2S3ohVB+~}Py?%Lt*}8{z4-;*zL;B&n(q7GFm_k8 z$%(uCIx7tk+h9-nI&~`h3+8UOnsn@^+=kYo zIa_5qVSnk1gU;bOV^l}ve-+fz=?bSYbcDW6*Er*yC01id6Y24mP`foI??)Q028MTW zs`72h@=|{oE`0IpzqZ;wJD~$Hx@&6k`FTN6)lC2^=}v`)29>Qme{?}fJlTs)*phfWCYKzRQ| z#tLLD-lL_>5|*NX%d3+&GP{qj4ky|4Saw6!SB|=1Dy{DKnVX&r4`-mXxNiMHKUO)q zxX8vn!^YU30X&YGh5AxoL()}!VHQdCq&<8Ar7z@CoCCLkWT<(hLpr#{2p3m+=OAS2 z@Nb7XiNSL|z|A3&KNu0zU)<0#bQ7h)!=lfr0)^$7(3M}~BjS$xjQCdApMr1rCQAVW z_JM^;FS`H+4x;5Pa2cjCfb#fK)L*EQq9)G+VG2QxjQ*z#PSG7prg6{JjY45GYV=R4 z=e9*`&y^G}f}FS*ji*7~HK>DAP*TR$>@DZcZ*-y>sYoVL?L-G8^srwbis1kKZM04~ z+Q-0~BdDT{E&CS9zqkm@;}wvGGkVhlS(YSQv0X%?;F#;J-#wJZ9*rjUKoeR-CqZQ8*8e!{&1 zdduI;fw;AByx*?IaxA+s*en{gef`+BT8NiSCM1@<`j5RBm!00oHqsRLy7=ms|yf3~uQo zy-?`V^dK-&OABiY+td`vRy3@}@Eu%~mkGbXecW!BYzcD-wd{=fqnWf?YIx2AU167a zBSr636AwXRF3!kss1vKIAsNXSs<+w}Qf2iZ0Ar#$#lT;0ukv>fr|JI01omsfrjip> zJBz3XQvtPQ3zg-^d$x&vqB{HX1^3OL<%tM<%T%YpH!N(p>pS*=$_^ypaj5hu5LeRU z-N)fT=rV-DyR^|ze{dWt~_nOGT131UZf3yY;P|4(C{F(QJTK1y#h|lf^ zL%|J;#7kyhV)3-GZ{tl-m8IV6JWUjQtc-G|l6Ig10Y(v+ER0p%`0r&lW#F9T^x1<5 zvojIY7z~1G<9x9C5^P^7W-Eue-aABw@km?m-J~Fj7Q&{Nr$0FqT74gMJ)h{o5_XKyEQQ!(kMK=jn@$SWuUt` zcE2gnF!JYmpMuU<-vGTJb-xYhcVa&67S!?AHbVziv3H%PQ zuQaa&eLsg!pxK4}#5nAqNtGcM66b>0GYw*=mbCAPS_<0Z>1KRzSA%VJ&4pCaT`xG~rpz_Q_XcL)rr%d^n#hd7SI-$0^y4IQ+z{-I`)eRbum3~yh=&>qt z+*s0Clu(;x#-VOtmI0Y+5V77zPoD!D+Ka5Gbwx4vTvao2z&^s+7VgJC=|P{TBZ_BZ zM~pwg-($>u7T~YCq@@RERH%;fqEWk_^DL|ELCvfwZ`wzEJSIi>b!0Ws=zApb>jHK~ zAL=v+MJcAp1f$|_PaaBXsW{GKw55lXUV5H3XkRnRgxn%11YT3*;yyB|1?UlYgIQa@ss9O?^au^d z)+&o^Z$P^mL0~;2xRJ+L%PC^LB6%5ixRKgze<`&a$nG9`UpBkea2H(|TsoO=!Z>g8 z^{X8Vi*&$#IxShCp*#G>;*D#SkV$l=sR5n-G)B?}xsJnh7@z&eze4K}+21o2(<8+x zJoJk859U&M1y_U{TCS|+FJ1A+e-2V<%LWE~f#Fq2cHl5dQ+%-JOh29DEP<^rkyST2urT^#OAHG`1zCUAr``}G7+>q34C^_jkauv3wLi$MM< z2?(YyLIF71pb3zK2?mzcphvRHz(>pyH*c5D7pyOLE0h+rRi=|Ns*MS#dyD2NgWJyH+%T2_nt~5$*&x?zHc(A^ybas zGlFZbg<2@SEIZX(sF2>i;t$8@R8E_-$^iWpp;t1iN)?Q?psU`LPPcVm4=eXGc*|A` zR;SDLpv=l4i;uAjHD(?Jp~1{Hf76}1u@{u*s_MOp5>5WI*il;^f)1@H&y;kYT&gTn z3lLa!og1a*UyTN=K`_Hbg$3_L3e_v@J!za3Kln7ssCGGt@S+|BHa7-k571X0FOb{| zQ1*3|Jx-H6Np}t2oB`Y-hX^x<21DKI%_w{k)Iin6+Rn5$B}^df0Z{;yWx&G(bIJpl z#4U~xX9GTKOL5ruDEPn3gB%IcmP^gzCO8(S5be7P&URi+TL^(1G(>7gae z6#_^bQDZ5~PYJD|5!KNx@g#S<=udJiN;jVJCE=5;$X45N9ij3JL5Zg&n*2*~qCTHV zoQX4NsVF>$HelXK3UTCz7X%H?tyAu<>!tTjzLglRZ_!N(@go8!NUC!)JIcy2R zjz+{&@+gpMUfRIOnE7$&ie^G|fGO9Xz`V#1|0g`Fiq}X&@Nz7HM?l#$KJvQJ^`POK zROJ|D^NaxcuV`@mgj`F;$$@CUOPQ01LO=hRCi<6;GGDm{tL`H`m& zpOnGY>lk?4RrYAA#EP89vw6vBQ4lMg7lDk8_n{ezjVnCrk2Manv?Nn}%-}r;B@WJy z3y!VGrF&BT}Ytn#c6)LW!_LEKj&7717(`e3N{FOzUX%7CV2# zTg8aZLbn6SD_Y*<-N}xItPNwk?@LD$&ZYgp>q^m#Z;Z=H0OFs?1szYmq@!4jB@sX+ zVt@R*g0~?LyFWz1shW7>Phi>d0hx^(RJQuq(=DB53&j#=ECD>)rrXJSEA<@94~OFe zTeJ;Y=+>x;M83OxfDuxpWXT*wSf)-KQ~^1}Mj_J|>-X`W9qSy59ldEY`#>dPy(Tk; zHB`AW;g$><=mjti?i@dXVwCE-JWOBAk}f81*0vgxnN}e*WJBSu-J8Y=%a7kvo3X*9 z)3N6Y9v_v^_kJ?HJME@D6zBYUXf}^k4I5_MT!I1w2nP!~03AT$zmdzG5VKV8d*%_6 zZUoUPV>~C2w#m-I*WoX^X7yd8bQIc{gYx4-ggh}Hwkdpceg~TZG{(mI+(q?d=2%em zp02G!86649?x6sCoqI@`dUmg>m&^zp!9<3SwrnSkOd}0IRMPtZT&dpEvOa!xiYrO# z4+}Qexm^Qg5J2&Hx$4=SuO1}vI|aZ4vO`Kt6Le1Avrk%~3sU=?G=>o$y_7Xra4Ol! z#&JQVPwwlfM}2h(csrY)?%-9BmU2&m#VAkp!lZHKm8e*A6Nsk!-$NM5cL4^f_ZPj3 zu*`c8_QqQpj?&F8%!rQO?KUJLdh1@O=FI-@zO4P6jv9%qo8;BAiJWs=yUKNF9JibCf@U8eCd0brQurmA_!G4-G;$+saHhD4%D@plwE@pkC zziXR_=>1KMd5-j4b&YkV;B5z-#Ve# z&_NqtLgUvc*Y0;!*(z3;{yza?Wf#9cJYXsY(DBk1F8X1IHFc zeC8g|2Ckj>0?uiL+hSv;n;vrmOaH>2TMR28AyA38aYd5cyDCN6TItpbE2Nnt+ zm+i`fi}di-`TFgRE(HzkezKj)oOPun)g&%5B1^IqcU7&aw9 z+tW-MFKC#kpaa@os!VCFVRp{`cx|UG##Zi7QwSq47^o6HewF?Bf>{&x%h%{tzcH~b z+$S|xpKP!HsxN*NWIQd+PX-l`d?~S^ll|5H71@(`Gj&m|Jl|}6)dec`ilexq}GIrct}3oXiwTlU2+gz_oq=+VzimropoPM8 z6r)w=Saap-v(k4;IGq|X)%3zo>7OCvX$jRA?cc4-w@{pNj>(rQSj9G@JAklkSl&{< zriz&!+{UlQP~!uZO#QkC=yln@SS4mzpp>$l&v12>Hq0ly3RCbEFn*d)ZZkg(j}z=) zVe|BP{vz%<1xf~H5}HyDn_j_+8i9m_ z)=hx{&Y}^UF0nRo{o}aLB z*TYQcOZR$D0(Aw|gwGGcK#AT{E0P9Rmf~Qz%{D7c(|O!FvoV%0x_Q}r%-fcCb1EWm z4T%gna+P>Xd{v&SCqYS0UGb8P9Haw=y=1O2P&aGw|JcZL%rfe^Zw26FRJF;2hzt8n zj(xxeheMT}vkHxiuD<%AX=0>5!CW{V(R7+6VRGS`RVd!rQg-Y3h%`Hdj7gny#&aXA zsiy|)QPSkNzg%64q4&RB-cyk6aObjK#n5L9(xnD2Ce1`G8aPd0{(|D1#XfZ|MeKL| zqLV*!@2EN+Mg0nqwB4=RZ~Iol=eoMiwl}PpTrE0pk$3#o!?UI6WcWf2X(X1}e75U; zl2?L7X^jX3*WkToeWfOWmFD|WybZ<`U26W^$=Z0q$$l%9?~Mw8){KSl-l@Y_nW3>* zS8!cqhCEiSCP4%vCXGP|Tx4n%`WthkHYb)=fB0a}j=9~*g{a^634`Eb)C`G8D2ubK zwf7a7!87#+XPnF9KxG371AijR6@V<{XlQtOG({GwhE5g2&h~IfPnT z=PEF(T#qY3S-kAzwcP272$NSn6EEmY<}Id@`C;Eu68CiCxW07lPiGK_z|-ssf|HOu zW}PE9L~8t33rQz08k`^q*RKC%6bL9TMAxif+3==^@lR~WPK1qsY6uwXqlH??L@2lk zvrKdTl21lpdDH09CDq;4cAp3-r6a#WKw`LI9DfFI=}(^z|E0QQq-p=`G^L6QQoWb( zWek+9ib{#Y{>r%7_5BEJpH+I!oEoFviKSHWnNC|3+DelJX^a`u+iX9mp#Q#y)K;+W zxEe$DeR+jPmlLpKB*OV@Wp1+%wf>p0N};=7Nl730L%e8T5|r?jk#d!FFd>@~YA%6I z`J)KB>29DHxyZKQpUlRxN^c#VZ5*YrigM^yi)3ef17AfEEaYQkUeS@?li8~xg^v0-PT%tSo4lsz?jNvyh?IE*trDryF!J_H9O`M8n!Zq113W!xd zj}kEo5`rA3$?wT%Cm#ji1YaA_&hJ+oBJ9oTcQUfxOzAGX5!=QiM`-T(Vy229C+!)Q z6H&+3kB*$y&a$Z|Xbfe1ahKcL_oExGfbGDaYycOL-#A8rU*pDw&isZkTcv%^SsD>n zO|g@4k9K`Q?^e?g)xXM)MynbWJlRW?1gu=}VMQmA&Gb`Ts=4-+W&e-? zN%Ki&Lw%KKLicFj^YLO4m7>YM=jDbvu-o>6Yrn!Bs~2j_=4$&!=_^aN;k=v5CI}h@ zg(AgORZpIgD5rtvL_j=0qlFI-ZIYOwAudG+iYQnBldnnwfXO}{$xte0Ur}|(+3b0( z$oOs+^fStL3h;XJo!YiAK#h{Nvpx#6E_+HFvZj^s$4H}ijmXUN6GQ#hs&Kh-WHH6Z zPFoXpV8{6@TTI$3MrWzEu+%>ASwd0n(TArB>7RfW7YM@LzO_^iSt?;SZ1 z5f`6J1s5yqi$IJmN$4$@e!@mlA%%~25Ueg_TPH1(43U_*QNLO!zi?2`Alv+5p~EsL zqrU^DaSVyia=5)0?mf(L&eykFsPPM>7w3j}^(5G%4ky=yAvj?Ro}Uzv??0ja*oC!V z!tfLc0kF4J6A%85(v447zn-94NJnpDEQa37qI-9$d7iErXV`NcZ*bHr0ThLO@8Fe8 zP0~Xf49uXYrNZ$bLAEEaOW+sKHADOe2Y6vL6wLB-sH>dj@V-`J2C+=_I1%4P;z`ZK z;HUVn1B%NqP4xx{vXBm6x|P8bJ~Hu82+tByOJ{Ld^PvLyBmP}y&0DTeyhu%WZZkvE z?4-DFm0 z0Zq-o%Rr@a)ISdq8Tr_Yw3J21qf^&-^omrtwO#HH1~HpS?*NoS3pIqb1mg%yRttkS z^B|~9vJyZ@4gyf~z-=sv*hqp5g<5K#_Ns89PZ7L~?SZIBA*d?3;&uhA7go51))-a^ zqXClC;DW`mrmiXH6Y;}}6H&WYG{kR!1S3i;T-oHouemEz=fy^{R*)y7R;X@5NCMi; zxN`)lo_z>9+5pMCy>)7EEK}F-U0YZ|J7g3bVQp|%*>g+)D*BM5~y zu^yzL$20B6EU~sI!DF#_cMuAl=!Ar%EFq^$F*N42X9J`4Kq=YKab}P*hRE6!K0fi{ zde=RMlS!gtH{E05=xGZRn&epvM1Zu+NwS#wCbYTI~O53wlAel4ORCb?2d9^ z$!nsWMg1)tHvxZioZSabOONn_pYliQU4in`e%{hLdcT=J-=*wvBFFh%pq+&~CMG1n zX6=UVIyJ)oG1&_NJip{>37VTP^ZcMhWx^g=s7KMgoeYuIfBvTl>o3`_L|QEp#iOHq z!g>dR+t({6hKETL0250pX;8d2lJZBWd~+1HWk!sF>i#+~SLA1$b!m>^iH9C2Yir0q z@<_Tk!OK{Bz^EZt#r<;5yCX!m_<%R-I_;8C>)yx1Bqb{z+8-<|MWoVzh4edcM1EwS zj?QYUYU;(vBs6g^F~UF?K~}Lv;yzF}#0p&Vwa0u?0&F2Y-He6wZG1 z+0to{{n+kpL7g17DQUDphhO_lz&i5`j^_a))ZBKh!$+mu8IqUiA{0V=dXwrAR_eR{ z$i_2J^i@geI744-GG!_a5-#aGIB}op!l2oDzb((-&-_qyN4QA^`-Q}ML<27~~ z;qNIC)X`T4!F@8)4igLJ-gdpOZHW41p6? zCFU4#EskSNP<27b(BkYd(;*gspcWVRa}b|dWCdU5hKlYMoc*2n>#{+}uv|{)(n7bf zz4QRFWXB+wCE5$B_^5;_7*7B}#lfI1lA5=`{~((Ife$AG^t$R?9Y(gDTiKPhDHbI} zqCWQU1jx(nnu7+ethPz^fb`mnfyr65#%N@0=EY5>Pa+az5vBDS0}=#8WHcsd{5of7 z)u}@K*wwfjMo!|R?BaI3eiXHkw?fRam_O4ob!FYQ=8ML9c%8NbE6;hnHEU3fQm^=i zCQ2fmo^dM=^PhY$9M-&lL@RKO&&%ymK=D~nR&wIZAcITm!@ym|wz^+O1ou1X5GLv` z>bbOHVCR_$u2P)SIAa6B)=Dl(cNKwsyl*i#1AlWcQI@T7uaWRH2mthCw;QXH)E_C} zZe%~eB2St=?|k#fqCj{vdgqFqpHn;(VTPi0n=T;_-(2=0zzJ#PY9FlM#d46W$y9QG z0LG_+FD!=1daTX2Y=nY;m!-|wY#X`yUb$)Vzq&jI@?yMdwEGH8+02ZJp<2mSTQ{`~ z4ky9S1`@3hV()EN_kRATlZ8ztJBMd&S+@gAG=GJx^-e5!Mv$eDZ$Bj>wp^?XqgktK zTXYqP;UnJ&;0tdR6l#WDIWi16C(r;-bWQ!h}c+RBanQlV<3>Y$bh zZo2W(T%-SfL^qegnOs^CPdZ6GXXx`~!pT0BH(Nh+c7a-Xz24QtWkW}_(#?L)WiuZ} zSDCi()Mr$2owv)zivTq&m9UeeBp^sfzSyoo`;@OQDX?FuTH=J7kUabv`kL zX>xX8eX)b+%^?cP4fh7seU8A$y9|m*nvCDmRfG$FS@|pl-n5D?zp^$7pv?~uM|#}3Rgo2 zavIAnX)OH-auqN48ggF&5P3WI7{LmnqX<$g4y#P zEat~3(`oC}&N-qG7bN3Q)pyJL+pU_Ws&WG*(EF{CDOyB7D=N3`P#sm=I;kQ%u>#jo zUm9+NCoveMt!}JFr<9tg1p&9SUf=YJqu{%GhBb99NI9?yINZa3X1Gg;Ly{=)5{KG` zEwVBHJu>N6|OjHWyCE*oY#|G9&AZ=6t}J4sX+xfx&0>o zR)84O8`!^`K-*M5n={<`ll(>siTy9zCLr`x>*nEzHfns6*sTrJZin#2>7@E%D@(;W zZUjG;Hlb6f0m=lT2`w83o>b^#48>`(8*i=>b4A zK3V@h>>yIrLl31PVO=ld_%u0sfcYlEIu2)N2x_^K9?@!0F5~ai6LW4aE^S&=lF1l0 ziNQI-P4U<6B&;^NSt)kW5~PLG$3p3dn&$$R8kL`*$txapRHPFnG5!4?yLnE`^23L) zdRmx_98Knlmn`Z~i8^X>{rD=s4pk*TG!jv^6ceq292(SFSNQtj+%iwH5C7x9aqUw3 zVA)JGiWn%VKwjId^TBR)rOW57`V2DW3TN9ehkKSZD(&A!Yr9^1#@EsNlAiZI>g|%q zIAi3XMvf7pez%)$f^92-a+Mi-rHXox`k6^JjYzV%zX@anfC$$V&XmUyy_l9LNO*un zYe4AyMd|zX0abR!n|8nQyF^wPB9I`Kw1^fAsdfZ4V}9iSs|reW2DpN23Gz{Pq|1E*_YNtCC#6FlwX+|(c9x{!X+7q z2Grt|cZPPFr`SyajXcq8ti`R*A-3f#tGm)Yy9VRS@*#H%x?&#iAt=Acvs5^|vht zwM`(82;$L(S)CnO)n@zyC>8p6r?*+5l+jjBeavFP@~7gAar>0s2#|+oO>B7>`}?k` z0I+SUoE1NearO9)qmj}mMh5wJ4+afjg9|zPX>XTPgY=t?*N?A!1vb0>7Ajl9y&^Us ztUqw`qMCba{|BqzvcCBRJExd=@nYyD8Au`|^g9>B=?!ptC~VYIhfdnSIWHBQ5|>=q zjw%6C@HlwPyp_nF#C*DBDkeZaiccbmIR zv-o%I;z^rCjbgw5-Fp0H$^@m?sNZ@;l(>@b~KW&w%^r2q;7 zArBx|j-o&S&L4y;*Aw)KKeIs^-=tOjzXOCa7wtL;NRtI;wRXNu1JMAEQ8h|adfrZ3 zYy9t13=|EqF-si?g+Lz=_hdxulKx}E;oxfclhK5}O!Ost4ZaZf(+}ou-%%2e#z~-! zUW#@4RyEzSNviJuSmj!tWSsClhX~9!DE0re`d`Oh|2C@Ofuz1`S)%=KcO&b*RwrXV z8i-5kM!<&HsxMJJTOzwhdxQsn#{2dd9>S(q*#ET+n7`uhA+LQL;&q&bp=i42o-IXM zYu^340R>&^E&2VDhVPG%zg)uJpzJ_gu4!gzuc%dzIQK0o#If|s4!>ZCFZY2wZ6fPX z3_(2V>S#kMngi-2T_qvT14K)u+RnY$DTpF7Z{^iM8eOWDD0dboEZ=1bjH{=DbqgPL zmd%q6;F@`3PkR;(CesZb^y!;*`Dp|*=X*)Mu~mkUB?pXj4CJLy$I4u? zzk5^4dXQb360?yhIhM_GMvcan*4Y!zE`5A&2ayc3Zxfzh!W%uScRLo7wBulPCe!~3 zvO;8x=+34}rFfKT*EqMzrNxfMlYZpW@x}Ss^(8c1sQ+R|F#$uE4w09h$A+8Y+&iGN zs_mHx44p4HYko)d$>Q=Vz3(QgSaP^m_x;mbP1uaD?DbzgyoU_cHj(gw+IAC7*nTdG zBtQfQyJvRMb`aQ2rm&hmi@4%jFr^ltPU$wR4Ym;o(WdQ?XpxKLdgJ8D>TFo^tPH&^ zbD#~&3viq&4+lq}yY{JTinani9xc1ixqkO9J%Frek)AQ*2e6wizH}qa|5+n#@C?{2 zd;sb}(tje%iwa10^+T=`BH|Cy*2-^XIV)7pipwfIWNyTKFPV4UkfZ(Rp*@_AvZQhC zc*2j*{QmLOEwBd%*k^#P)X!_>PXLv5+$v)+RWa*HkSs&oD|+%&dXxpsKM8QSw6(D7 zlnO>JXwmknx1P_0r@&^7vHzVLxPZK{3Z8eKukps(L|R2C&~6)~r6ti;Z$9gI5^j+e zT|I9&qmnPR+1PE7dq|acPOM)^j^6v&fo?SFYn`SQLc~Ip7io~;J*n;|dtVPt>?_#o zKWdV@6|C4uKie(NjxDHH(<~Z6MRpn!DasXI1NqCqTDW7;_rDG!jZ})FZ0pjFevUib z!>!Gf2r;9{LzU0I=a2c*DzooZ9$_=VnU^ucJnscw%JBXhC`L8;lHVG5?XvhM99!5F~B%?r&Wb`ba0uJTO4I*1{L=F0orCQ7G2OcPp z6>Gd%6fsGsecnt8(|^m+XVoUFn{0e_)|jP0-HQ@8pi8z#xhDJYHRm{p50f17ZRNif zxH_g*DU3>pJyy@K*AeHME_ACkjLRS&i}>a3v>8X7%+^rl-iBgk_1rt&O*N+1;9a-> zw_@n9cE8PhsdDUW8PL|0+F$b!1`PfX7YrBR!^eZ`{?J#YQ#jV8f+e#=8U}y{LwvNo<$3-XH=0S7LYdl^ znr3dwGzOG}Y<8T!ArEprFkOD)F5_U=22l0Li2mhH@=-!3!?Ge15z+C>$k|7IPCcNE zy@WuAwfA13{oX?k%+~1WCFMQ|m0;~bv2x(_7*LkNGp*M@d`*Xd{DUyHb@R!xN?Q^k zdll>a9a9Z(ZmU-_WDo#VWA#fmhc)P3v}AHfcHj{JaYlx}mRzzq+dRf9FnF7n=+`IS zRRd>$6pY~a5!9+5p9`mp)GfB}SgmJXrp}r}=vGWsaDfS1EE?g^Xdu>z{&=68+q#@> z6n^+96=%8bbv8yI5YW;}xbvVWW>$*ZA{~qm=%^@~%X)9(A_Pw=t7e`umtp+vUXX-{ zWlXT*PN{WmPn&)~eTqBwr5zrJ4#d29!Eb&61oDw1oy4&bv~;>?K|2Ar>Qs~teugpX ztSof>VP+FQwhHgPwflBO-wm(YeM6TVJ^eM5pOvbejwqCgYG{43rK6sxbH1nGfQDt0 zd4T5Af~y>pKk@Hf$l59|dl^RQ{>kbV+bmWeI*R@UOS*3b3g3QWaH~{9bJiqUsYjkf zNQwWSffdzo-EYSiyybdv4E8m%B7-ch%qFPb|CaN?{}D3lMEk_gHdKdjl%tMo9S8I* zn%LJ=uw_@3AJwG$N}_ny4nBoadwcs=x{VSToz(Z)27ZTv7r zgrb~-6q1$0Bczn};&Vl#kRV;m#mJ^W?@WLCuC3^JXtJm(AjKM`1z-BI)6}G~{`2p4omN(az+8laNCy3`J~0 z>MPXv1>OVt1HuV*EF6T&vXQE{DySu1pIHZIkTk`+u7aJ%TP6sI78E^uff}f9Q|V+( zjtVRZHxQ)eU${pHO|T$Fch$Poz~q-DLBmIu!2I-P}lEwA%g2Kt(rBObmvG9mPE$C)>r1bQ9Tu&bsYGvm%(YH<}xJ_|^??{0e z9jnENCkN@he|5cN889>rRzgR@lC=K*%cmWpzk<%@LJ#x#1Hm!&L;B)3bvOXf&Hx6 zplK4%X#(`n0oP3mdi)?OllH$sKxlpSS}HDPel~}D@Lz>xX3cv|^|Y@E#qoGRLlX7W zP{mBI?Ex#fT(fx*U(*1ZUFp55vxpAxqPBcXHooB^dAHMM0_CBzR`S3tu6_6-9M()f^(&NBRYjP?DD=Q#}wGNx{hy)gCF=P8J z#VQI-o}v{z!x1D?YP|Ru)p>O)ZtG*s5^CRVxX$Iw!ko>jvXsXZX+>brdddUfB#wMQ z8=JuD;}Bc+I5!{GW-Uz)1U^39R$zLcI6gRa;Fz6hDhGHk5G+>~N*ahGHA9qea&)4T z_)XT8Yaic*(SYOguu!_px>QWgu!Y15*v#;uVE_P11@HnbE`2@o)4OQ-nSYE%S)H92 z29Khk5!n`5J7%0~!2gh2FH?cUgZ!QMyk(&LZXm|CwDRKc)TMBF8Q@XtUDq2qA0wrf zc5iv|!VS(oa$6FKb$9HE;px&IvEFZJ_-3r4G!2Y3X>&V%asi=%AtLdynvh|Q8be!{ z29?8p+{Xz-gK@+1&$q18@k#@6`6s@Vf_ZiGB3;nd^E%Tm8wtu=3K=xKN=#1R?7HQ7 z6C2{m%Sx+sT&={i32EinIFNX6eO&ocE>_G&vYCBpKkuk6Q&I!SVzX9S;rMiQDksNv z9t_5+6_64IQ*>)G9iIxjdGs41B1N(d1HW?pb0-4pNBRz5DA1J=|<>{9;-fZ zE(wEy$UPTCI(o3Bp1*afm1Px10cp-jj{Szrja(d<#nl1}ggjT@3VwlvE{h$o8ho^? zc?5-f`lWf%JdMGLVh)bl9FWwSnv2{$MZJV^D;Dv=NZV(TGOm4}f_C>uO)1c3MLEt1 z+K8XcNy_*`zl6Elw!^flv4Q&l*A0(5*nW2Tun(qqv)?_pCyx-%udP1s{QXRikCsXuN~MI4+D$c>HIt8FBdV|WbB?x zpb1WMN7VBNVlq9IDEX-sRI@dymNYw2IaK*QJwDAzVh|`_J-dA65>)7%mFF zWMYGMXJ&VBoFSUpmj9IO791BXHL%sNr7iP*XC{)XA_L2)9((l6jbCFnfuD!w%XW4$ zV%xt^nx^*Mx4)fSn~ZhjX9ZC;%T?b#0ZUE^9I*?Iy^H@#fmBU?B`yZF3N?&CtftPi z5l{7;nljR%V!3CIC?0J{aTh;aTn$+#t+Br~W4lQTUyQGurvp*1Vfdx;8g!oWLzLgTDd&qY<5sc?JnPH#Z z%q-b?bWtS(%*m)L&}pv=Vl`mC>HI`=sdaEgvvcnfdc(}22bC74x|s8`8M|;NgfTL6 z^wRkD{s`|%YPa}zQOnH2N$sdmj;b-WT(8=x{c3V#mh_|#PItKGTfiTM$)p4St-LtM z!w>sn7XMcVd;)s`6+g|UhZZ6spaYgVSHgPO^*}XzMOeJ-OcXT36%AD@#u}Zl+-KRC zGWXRm!ksiXJS@%g)x{mXd#}3}1LIGVl`U{j(O+|~^f9V(;=irmH2TK1(!D3$@1FZ3 z_3XS+MtxOJme?7w8*UvC6Zfm{DP+0TC4aAD$^ahKQx?_hE|Eh(nQM<+647t1*Tzlt z>HnkCJVgMyh(8Xn>_<#ytNJGwX=RT6k+;s!un&0wRF2(suRnYs!Y*)zaFr?O1v>qS zhvVR?CrAR%nG-2rRegb2Jj;FC^6RunkJh8kVe)z!ty7{Ez|Ot5J$%)QdRF*%9MJCt zE5PZ-cCHAZ!n=)utvM(6@9MBpt@7Lw|0S(C>caq3hcRW1eg2#F`cQ3>5O^82+VU&0 zKGd)Kmn=@Q6b#=E5s#LAWV;8YxM|bOFaFzx*2=%e6k-XaDVy0<3eWr^GXx%SI2356 z);NjpqQm-lvE}5g^t1elYAA~tesIw=1%2YpzW{pzPy*j20hzzkncYtaWlYfmMbxM^ zFVFJ2b(tco{EdW$tr48za`%%zN@uKP;GHfIHYk0Zw-n0k{vXlhfcms#1l9X`Agl4m zHzKR2IK=yeWg;EmEOa8mI#tStqNarLwlg_-~KTXA1Xx+_XLy@JP)&ymCBkg>X zgKFmHjkF2xGQY5A{s!!I)*6*AAhXn;9<9>*>faLF3spfpJeKw_fLQ7a6lnBeO5@TpoI>0B0hH^<_z(;QyqedNK6Z`+VITKNe zy4Td&R#TeLu)AoWRFaKXF#!&Y)-UcPzla1nv49u^N;n~!N<6d}Nm7=l(2Q2$Hafi= z2j1@X3if}ra1uOLSnFz!f_X|ikis43Wst7DOO@xVeUe_3gbrWS{sc?iOvJ~(8?Zxf zy(&2k`&EIn0}=26dl6B@^ABR%$3jC~NkO4r3o%1_fh0JV7#6YbAAMF#@{7;Zu|h%?UwbMkF^bZ@Xz+SFD)HG==c zmeJ^gz9cnMPYyH_C|gBCB6$AI4~v9v8_(0J8+ksr80Q@5rR7`1Ez6E{Z(?AL^$z8W?8y)j(1ox^m>ulccYlGzStY?jcXZ6o7%zApAh$FC#~>cji$HD0{tss~z3PYq zZH`Oc3FUlB%N|yFD@h^vwgwcGFsM`G#My`ICyLM5_{I$N=zt5y2^&w*u3M4#hQ9}3 z4c#M`tFUxSJLHA0%EEaqawJUo_YybulewD+!Y2hL{1(0DJLoZm@gRuLEd!maL>TiB z6chB|mg)L8@_3Zlq!{E7&zp_0M{EXv|(- z6=+<)LP4}G%iHuNS^0fwCq*cyBl}Hc%Pzv5s6=>J9v&vT7`>IJZ^%K_767yU(n4n! z9G;(Y0IPwvgKJBSwe;q+j%oZoo@-nMCa-`ylBNiH{tYr@zKlis&G0jQ^x;=C4Tb)H zFI1Y^4z3Mv^O4AM(P(LN3SBskl#3V2O++q{#cw_T^D=Q0RLPp?O23~@0JTw>)xRy( z62G4HrihiAJL#jr@RRPLE?MhurT2mDsHI*Id8Z;ZC1-6_vWYHo)8`9TtXCc7B{(at z78OA!qv(V|HNiWwcnOYVs%Py&pg=%sGD}moNG96*xOGUNHciVcC*l_kR2Wo>fYq5{ z+s_#Q|5s5g+Udg0t0${dM&m9~qM(KDDbNL6It|DAM@4R--ONqU?@@kXwp z?^nXg{b-k7|I;r1sRxt_OXzd-j&7^RVF@qFHZ%Bc7>`-yF!q(0b@AY! z+?D6Y)U;z1@a#{aN7uYg1z)`iHLGJiAZ4L2=vP&IDT{Z6mj(G=g2x+BFmLN_#oQxi zuYE-Uud0Uo!B@FR#;V$!mhCs*%fHLgbqhMKF2G=?Xl#Wl;_jI3TFMlKG&@?tA|g`k zv^Q{`cuIPT`>=@elmFh@DF+Uiz|i zcSd>?bn>)QcWgv-fLIvx2O!0%G~=9(S+U2<(m~}2XM-JQiqrLy8A+f$D{tjruNI1d zeF2|ZIbKeYv`3f>P$7acEdEwXAWsbS?VVhZX0h7;RhRJ+^f+Njkvy5U%y%Mz35_ki z$Ps2qytJJUsRSe%y)?HI>wV3qkpQQIHEF}A0kKnc9Is`&R-Zpb1z3&S@y;5bkujyX zd#d`wge`^z#e@hsoBCa@S=u&UUk33h=lPn98LnNe4&;Z+;vk^9PV5U9ybY`4jGfFr zznass2g}l?-jDT!`U1jQ6%a8ZGDBh}d`Kl-Wc&xKP~Tf^hMk#tdW7?}GxL3W<^cTofq*-Z;3c}N7Vb4I%y(2j7LDlR zkT5wQl2~ZPSy=(IM{=m)3FVqH@Y4!+Vbq&q(Xh$Hnodf*TDU^PTKUEKYdlR$Vb|ck z;Re@>bv{~uJ@oaM3?##axe*L|U<^bV9?DjO2o>WsWUkF{(%Sqnya77R=CC(zblyDQ zQnFt&BqB_*$552*?W%_trI=RuZ|W%tzh+d~OJp_txo{&>w*|Q@{p~MWl7$4Kv_YNuwOG%im zJ%WoPSXgC%!}8J|AGQyVIWeH3BW!oLb(r;tEKER)dAjZs(nX`^ zd0*a?O!5=^6prNi<&R@2Lte%rKTw}&QHqv2>&9XX+bjt?P7e$3Nl_NgD|5WeJ4OK6 zbI*tQmE2-9ivIN*O6Bz=r{`ZJU7AezM#D{mr&*EV=2GBcVT`uPO`#+A4Y@^Oe=6#& zKr=j{l;|xNh||BcN!fa_Q}uS`Jt66G9(3R})g8STq<8@tWCXlCIhGC`37z-&2L`Q} zp}lsq#(CG^N6c-m{l2U7-+O9xMsSB5r0Xj)L#1fVH9djUiudx&cu?3;4?{4nTE&Iq zbbn~tS0-Ai=rZ*S-@t`cCNpVj=xAJuxB4oxom8GBe)m7cq zW!22rv!(6Tza4uz)NDCGyDP z3(78uDCH7jH9sSHm7a@Ec-07#yFeH?x0-gB6CjQ?SiQW?#DC9)zX4l16`9RKuA2n* z)=wMM0OQzzo)*RLqj~R2bN+pt_8>Oe+E3JvdF^Q^GurrwX+j=;74gr!)nkA0PCwi$ zI_C9g@=V>l4}eaPn74dMP#Ju**sg3VFRKalz=CKsw{LUC-8YUQoC$$w+}!Imi_fP$ z*z`=^^!dY0i(1LziwBOeajmM&QNqN91LFK3`N@AI&N$+jNZv#}fn*_gx!9}Hh~<*g zSMZ2f31O6-UwV=<0$w6t55YdriFmpNO`jVHhkyjfp8X{pWZwSRuWx$g%K*3TL@Z=D1mh<|G0GF}SZ41`wa=!5^6q5e6suZo78{sKw->X9KGuX= ztOlRJF&x0f)1eJh2*iNpDD{cDxv{^ztsV0fg5M}Sri%!59apJJRz%u@FgKCLa?R}B zaDMDx_Xwu%he6%uLz1p^axg{66dn*{!~FoHaw;eI%EW~zdLK;Fn6u6 zQF2=siGFcTNBLW-dsEW~#feY<4nMM9u2y!MOI^o<%%xhsh5A+<7Bpbo$xr~714 zy78%om)#xIkKz*uPvs39mf^0+t4geBE}K^LM|CvZem zOBsC-yJ|7rViLLA_2Rsl?e}VroUgC{c1+DI)Q1))+}yf2Vd)FZi`4Z}5xNVa>BvjD zPAmkzK<`2fnQt_3W0&Jb1%>dhNbj!Z^I?8!aH2+p6KvR}>d69*kAB4cRDS;v#R9}$ zEUTeQtY|85DLXdw>i)45m~D^!cnPn|Ai+D7fSpgYdlNkI>LHXSX_#WQEfN9)OD;A0 z(VR#ePKnrb#53!3g&=IGMFq1So(&;bZZx2)U0r)0rX3@h^p5JQE8pBS=RgGWuV`ozG{2T*B)*89G#*{P$_t>7GsRG81g zO!FXa`uh37S~2-db#H%G)Yt0p)S}$SbAbd$KQ3Pb!00RbTTP#UM>R>{#ocLXQBKM%HD1Az?cq`BYot$yU0^||8~xmm@-HC8z(}Xvsj}6a zCC5O|38|Yl_@lqB;W`Fd^{@>=$T%jc$wBRrtX_9WVqtsS+nWg zL))<=S9EKF6VU1j;TVXU+fc}vk?dDY0y3d%S@AV*YGHJkDa+L6SY*p@1=8{7?Vg0p zi}=R)^qJ6T8>%cbArX0B>JUj-l~!T3Ez){hT#!&Xb9_Nzc0gC2{x1A5aME6RYYfW> z?ep6F7@gEi3R0DdU+$=l0l8*1733sqc8nVLyP$@{o$})qBQ*^>p{};NNa7bel?2rU zP{w=XoR?e12q&U?Cc zziFpq1>}YFlvOlx%HUX;A5KN3>?lCd&gcSB5Kb-jfRZYX| znb}IBJl3@J1d~wRQ*%IHjwvH~ox|$?B3NtH{^$n`y`G|o&vc;>YNx7obbbjo6Nz~5 zW6#7dh|7?6l?#Dp1))03K8HMeG27!J4doQR3R3K(iU*RYp@ZGZdkkXBL&sMuPflz8 zdU*{@{@WK4Zcymh*q89s7K7O;Iy!?REJ?WJe06MfWPC~NxlsMIlM=lk;b$9BatbQt!-Y;+^ zbwJqZJRm{0aQsi(!!w`fBCh9%L8BQK?23l^h%O0RPlXV7oxUdJ%>24^$tCkhxe=5c zZOra+K_sB?Bm%JYQtxij{7lfQr|gpBZ0O8Pp5(xedfi_njvF?iv)xYN0GhR^Ppq-l^&>3%cn1-N%U z1R}E)Z#^t_4Z=k0Bg=O_i>>(JWz6;4hDnNv7WBUhCf*mzq*rH{ayinszVUlwGY;%zkiM(^uI``6J)>fJ z&g2DV5B{YPL&^~rYo;_X?!GwUsmOztm{(?RLQ=y18%x+5+`{>A6)BHxe5V{ ziaPt0CO$dJL1aqu6%8}&v6*HAJVXj0vkXJiWAEn4cJ|nzZIkb|xb)=vZny@`cD5`< zd$uQ{P9r>KvKa-P6Z4(+1dTO4(wavqBAkHeS4t~N#>2D!A?&m!MxY>q#ySx@J4i{) zpfs)wV$N?BZ|}v=^KvKWFtE->35oynV;;|CT7$V(>w{PGv&g{w+A;FDU&Jmd<8G;> z5N`$Z`1GrR1PR+85X$&|^!}vZ#RXp_iPV>QSKmcS`?LHq05T4n+*v+>p3HMKfXyah zc*!lDb_sq}2~F~QE+d|Fw;i&rY}^1TK-RyWB-pl1k+$?dZ_k6ZWH_Vh%*xcH#c#U@ z6VFIbTo+DIxNG~1Oh^JHX1FH!&zQu(z0<_Z)krn`tR(N5!g|099pXZ=2;)8(`@*8d zCPF$aJ23xg?*>yFu~fn$N(^ZJ9^u6|F|o6k_EHZ@H=VUlZ|Ytlq9!SAWaZnhgNO$dKbW%ZG_0oJ zDI1{0C!lsAH9kN=39+qah(GuzT2uP?83KO7R>p<0VhD2;Tx&O2daXag_-R77skfn$ zt;+SN0QAJ>9h-bahV{zMr?RZ&n^$n2zaP_Dscdu`&JlARBPN%sk4W9~rVG1ChF-G? z=|viw->3Ol-Q{*DWmLdPEH)T_a``Kv^Tz!Qhtg0cj`vIm179>_|Ls6{GKOPc;={^u zCT}JKU+j@FsYIleS~)z>_8}Ii>Jn+BW&X+DEZLRqRuy906D)i@qsSmWY^vYT$Nach zVyi=8drTz-n4m)_SCa}zY^L(rPn$>@9(Yoxa;Xrq zC7>jf!ugX@>ShdY^)Lkx3{HYmIxir|92mmY$WQ%oeSUv@POlTPDi-@y{0>}QkzzJ_ zSd7GXmAds+v<1RAUJOu(lmESB)oe49Y_Xxm;lrt_WET*d=})3`U|Ceor_go{RYwPc z*Zl^KogP=e@C0Y=Xf{!Yjd5Ma`u;na6W_r<2|Y|vJbXm9)lh}B{$!^2Ac1M#*#f94 zBdXN4!(NqNagt-0j+FZ?)wV`E1mE#=mCG*lzAcE|N+5unLuMEup)VMF!YHen6gweY zOqi`3-sDoN7Y>OP{ogKFlooKK!M_jK^GNZ<`XCo3HYZ+27W^zTQO9*~Q^BH67FFRn zpmSnFGw+?Y6#smO000xBVT(`3*Cyw)HF>Gqj=->{4=BXiT$UI zjWDLl)FO-g1sBW@gJ1*%V`!s;J$7AElI~7>BsJ3)rpLb~Q8iW;&$mI4V<`A6Nois$ zGPOcZhPvSXk*qWyk$_lJ&rZ17xd5F24>=n^%cb|y!iIH({uTj*NqfDZnyO5Fz*XGq z9STs9DF9|5|9{UCibt(Jpc=a5e-}IA_C-r+vF*()Ly{uk*nn~YViRVrvr{O$F|Ski z7XeRHa?3Df)0!vt>uJ!9li=Tl!9xm zdl;jyL62%FF35;MFy9cIrtyZ+Bp^eY%MZUp^FGl;LJmhFdX_$t$*OV4jAF(*?VluS z&-8ie+dM|cPsp*^`<9nA;lj&=S6hPc0`2(|Y1mtz)=1Mc-?b-{Wxn4|8!s$f#3*Upo$hHBT1m+1=Txipw|L_Z@~L?31i}- ziwaAKd>lqMO5V;si0Z<@^g1kuNa<~*<|BWVsn??9w{;&#mDMZq*6!EVrU89 z+wg5{d^JEk+-I|@@#LlTLm0dVfQ@0Y2dU&{X-rH<{r6Lj(E3RXC%|Oe3Jhib%&n_~ z#^(JRU-#X-&)zC+KAHQYNB*M@t!K_dd0Rz1G01SR&P7^^0KceL{#&&R$ngb4jT-5= zdH>bEk$FPTy?UY}MYS$uiSmH_LW@)C>W+ksIEzE@Z@eS+cng)(Wp8Tsw{u?&@5&>3sJ>@?ze=Z#yG z!ts6-g=01@jp9Yl`(PzcIU8g6Y|o>SW|@5y*Ua@5)^^zG=p`wCp_+@GX3v4(p1St^ z-gbWrpKnkVAQG7U>;@fm6pU=ib-;Xtp}&AxE?P3)Sb%=uF^2^Z*GQdM|A*fT8hs%r zONPyLeUYR?7G22RDcaBoV)w);$@mi}bH=J(#~{Fd)%njk%b8@1DTb>H|DCph^(z}0y~^9;Z@>_7H2-{AKX zu%iL;i0<}(2PP7E?ktuezQj=RO1pvFWl0p84xUATJ^q8kl;{=;JI@X5Kb~)d=iUBU zT4VcJ&8;}xxk8&x?2Y727I$+t+lu}yH? z0=g)_vlU=F)8*5?V<~30`+piCg;CHqd7J9owi7_btlrx5MS%`7tGv=>VR=iw!} zLr$19*w0}B8U-x;!xdm@j$OnE(cy`v4fgCG+<+@vXp>Kpw0@ zW1jE=Ve8lO&Q*}{(qgqw-t9{N>h#bxEm$9}6Y=6ZkOr99JcFT`f==tQmd!gdj`}Ee z?T&eMh6mMn@hu_FFDm~DH-q@kr0NY+SIxi~Qw`wb;8d;eR^^IVHMaFf$BJC!*@t99 zyv{Z{-{5gbR7Vjnwk9wIo!4i%>ko^2-(|Fj>E4!o&n4i~y-0cdp{|PS`!TPDs04ij z86^tEiJ<@!Kme?r`#pl~Tz~h~$gdW*$cUmw@OyEj&ewK()B@^`vLA2K9qEh{wA)sV zpYBD{nZ{WZ!7dWV{qBZwpc#<6jsa}AP~9#M*{Be}sfu}GUS+M9fHuE)5ZEO8AGLJH zuogOQlj}P}vRpw~VeUJG(v`$66c9J&mF~%A`f-!|d6e;qqA$?GFPX3RVF242=?dF8 zG@-!Kqj)DWuO_+Nwx}HF*LDy2wv@LW;$;mpees&R-Xu$sepA<0nHQ2G>6l)1Z{l{z zkM%!Ws4l$p6~h5a{x>hgmovHMNX*d`K^DvA@{!bc* z+m*UweCm4nS+9P@e>2)6)}-@P*Dq|Mf{y5MAc&j?5q)8hrJSZHn7tm@mXYZLu3y2F zwrG&ppNP5uQJXuc4#f!Q>?107S0}(75NHXobhg zK{b3XQ?@zXdAO&SwaS((M%7=`k1Qy$gDmcuInQPLVU5+xb??PTi2o=H6yMaY6puu* zC}Ue*PU+ftpmw^2UCIfKOvPrLIsAgf7-cE`1U?O=#eKBsKJt`>Rv%NdaGrlx!=a%v zaO9=jG1=|bxB2lKF8Wlkh8r)4mf`Tw6K1Z_YvKU#I=pm}JBb)eqJG9Vn>W<K?xixV5ovmL?9t68O!`g(X$jI9V1D$tm^a?vusa-3e{Q+R-E2IsB%x}%tYMouN zgP9CrG6&Ju5Yz2S3=B7T<3omUoCkd*yVnCtM2dj22qzghc*;YD7?c_Isn>vp2j8x% z%|=ty2cP!O{uME&7C?tV5(txgaywBX42PVTnMr?>d@}2v{~o^l0mH!{Bi^v~x@&|} zr`-_)cuL8Pmit(z0uqy5nmU9IU(Hne=#gb?o(EyuCL-!U^`k^FvH$~ ziA2GXJTBdoPV5p+?7Q|@+@B;)@^K^FeyBp5{-TG9Xa~nxo1K~1qBK-1$H8Adu5Jy9 ztd%2SheG_gCy^NgYXXn^Q}zxC=H`RA8et4&TmuXVRyAKvZgv+7vmU(eKeg2Z{(u#5 ziK0fE>}%x|t3bgk2I3l6?B@TA?F#Dh^VyqRk^X9K&t?!$8t;}1v*qEYTV`UBmLD>L zyvc;8gkHDx141vySci&HZDS|McuaoEa#}!6m?uXxk4|IZP5*%CW8k&TwxtH>`sPGAYLCzv|1%k9|X*CT~u}gooi{zn% z;W9e_6Q3F;)D!LD`EWc8zpEZFlr*}#^XPq^t4Q`#HjVVFG}!XdkMyF22NpgM-Zkh` z)z>o60~)jUc=D?3)7Bg8s`F;XN4Ld&o8@iu#n*_XYF9|yt!SopQiughgxx;(;@2($ z5Q#KnfA_))4dTL=D1ee1Bsj!RQ543@FOQoFRI)f39*tWdDh1omUPg|ge zTIXjtkg&Qev(bHNgm|F5pL0)`Wl}OesQ9A_`ieLCAcn-U#6ZJ0dTv;Xl46Amv*^W+ zzE|RgpPS7vcQSL7SB6?8K@qoRuF3hysECG_;7jeMl^i;5?pl0tRXLf_5&uI^mx~Nh zo#NU~+mJ{UTagW==Js7z}y-=05;Y}~9I zKhFPWG~^X)05a(ZMezqZ#Vn|PILU)BOI0q)$*N{&+41^)YBqZ*S#m>lR16Hy*ovLP z68k}`Uq-fZXI%a(17Z1t#+Hr}zTAlMEY_QCU#@t4b&Yx6qtvP(3bO2Qv`Q|nBa1lh z%f(_|*7-N}^^)dfgub-q5=Xs568DgrI5i+b;l@e72rdlFLMP7=wHw5R#M5}6bAB(5 zfUE5j=S{)dHd&+(GO`I&4h(jjJ@bo?LRhmQAN*SfB!5+sp*;4BsGYwE?n)|Cl7<+`*mKh^ zFLD3UZ1+*iU0L?*^)$254g~B}VMtRTXLuXfnfj(K51Z3lLL_*6kgjF4&FY6!m9z{fYk3X* zHt^2dO7E*ZxtI|CAsSgyybPaM*PXY(Di`ALz_BrseE}HXE30v$AZdP#IkucY_WW9jz#xmpp2E@u7yLs3gqLX z14Lv>E0zM))phjIFrjwxlke@bo&J*=^$v4nr@FVvjaC0Qcd`~hgmr6K2G-226}J2{ zm;2AIf#-N_!GePA|NBy1x>C*M~;{EMMffy)ue z>sSAp;+=Iv52%~Q3pZ(Fx`};8=L-ii&?m~9 zgX2ZKo|lswy6yLKn1l$xM!ZM0CKAGOD**|v^R2TN>ojQNDqN|$y)x{RO$CbPcyrAG zGo`<^=Y%YEv$aMZRfcnd9JC$PftbvY+HExN$$5(KM%R$UW9Djx#&0N=%#GaHt9eDU z!%WW0ei60?Rf2M`VC%_sH$0X3z?uq%TK#v%*6j zgVH{3R@vooy=ImEWRP%>kM+xZ{KWEk${cvz5cNIg#G;Zspf5JBhU3(_D>?oc!u6A0 zd~b4`+_JSygzIcsJdrzf5nKJ6J|{3$5Yjt6(tK)QRqYda%eu-)u?@{zPjE)H6u%SC z^Wf5U#i5qO_=)Z$?2;H|4WvDfW9VbDHR5ONT_`~;`7lg|YkSSS?g7ZtDo+L%vLW1y z4R}5(atBX68_IK8myG*7kkZgGA`1o~`F`UjcsA{jAB<6va?tY)Xjx$&iRI4u+E1*h zOyG`5YdLE@tj`yxuIzbufXR*~EsU!g#iqhln#cEYF>d4EA?l<_&XXOP9UMr**pDb?ejhRzcH0GvFns<~ z%i={A`hiE?m7{cZPDB^)F)2wk3v0JMLozsz5zl+Vj5;QZGpRQaD z&aXp;$#nn>87K&mU9%s*HxL4gzsA+U4cqxk8SIDghnDT%>;IxV;&i*hPegS)QvtUC ziu<8_q{e|XdCS;>>;3&(a>hFFISC7I7rOmJLQ86NnRgP(WHCt2b78@Ra>_US|8nKS z+rOdaf+nL?GK4oqaJJo8=*)@5u07Jvx{Ig<^niV-KOV5Y*WUbgmj7>wU_k;lE%vGi;7^jvn1_#!DP(>w@zxN#+jcrR&@j+yp# z9uRcrA27Aj4ltsI_5HJ~R#VoSA6}p`(zrh9SUkT`{lU>4nYFLB!H^9g2julfGq;b= z?d%Zf2pWfjapITAO#)4FFR$PtEg0q?$bxdoDz{9}?i7{8i69@83u8l)d)4P^0%75N z&Si0!<;eq&E%$dxO?osJ5H&R_^T`f}EuZcxWmU2 ziZO6EQx6=&R4L^cw2#&(5&*z++x;8jhC#o+XVT>lRgb@ID_kK6&A>R4|4f-%M z{QSAQ6~Fcuv%2=ShK6~<3W11xUAXv8hbLt&+G4!*pavtm%`hWA_e1q1vPRE7=)qcP zYNQ+`a7QlQ1e+vMX|yHGtXMxr#`RtQ!m`QwyA{HbWc;Pn@kxDGEXC5%n3<2-u=cRf zv1Foguo77wsRIC+Bp?=p`A*?gumK)CrzNx3jOO`P>HuE5jKX5PTFSquEx)&3RsEt+ zTu5kNHQ&4`bR_|lF~h`t5rmV7e+vpvzCM{JIO`kvQMwEcz(Iz0mgfcSa=se!mtDJo zT-{9jy1uuT1^{ml-w4@x1_IP^eqO1TN3VZk3+ZG28CZHJJWdRPi0VjPbzHwQ?{ufw z2vGJ>PUV5{%_lYiaPF9NeY_lZVjD;{NjpH9pP4;R0}sjyMq;vk^Xj+b=(w8ew#IddH(z0D>NZ6-rx z`p?-9bylVk12jWl&mTIt-8rIR)0lRKFw>&{TZ7=Cez%>!m9P*m8Uq>pYqWqZ(v*q= z9Y;Dnp64bPAq}BJ^9=!m3~b2JCYG6j=vF(tKJb1)99|;vFk#Ito=sdELon^(SDVOTbkmt1Wr7 zFV;dk28JXL5p0`=J2@VgMb8Xh!1KQK5X%6UC>W5+LP}7VbwV2L{lmAuyh#Gbsa9lt z+tfKKMb5Q~K=J8GKOqUC~tTbQzsuMNh#S zjA4}SCo5t%=dfR5z`iUzgV_9_C4-84{-(E-XF2UU$>FQWY&Th3%w$U6!D! zdYo8knWKh)#B3v*_cGFyb4 z6#U}j>51=<>)r0b*ma*p`fCOPa}W+O*M!-84U!=px`Q~iPq`)&Fw*Y`1NPN>)aTpx z6hD<48BY5BF8jP01Bz(K4)pVg-4y9Gy2CbCUg|Yj;QpdoZMD8c>_bV|U8>pJ&5LMB zBc>Al6-W`j#0iP@D9q6{hp*frUis%hQm)q<@%0Er=vo!P$zlfyr&wb`%}f=azoNEw z?$~J5*X6PPw+KQSBS;BqiWATx>NaWR60)*X)(UbJHf1i0M{y8#Sk2pH2eBD;IFBSz z>i-8VJ4{vAC9smGu?yT2H6I@3s^uFz>YZc~rLcDOm00_YN@@2O8k~Y?h|ki-0M;tU zA#|aqr^H)>$<3rQ6H^V-2$P1WE*4FYk_lwdoK=6^SAJN{8l(q(F@~DusTYLWYhG}A zy*IQOe2J9D`-hgteKAVRVazKw-)Y?QD9V9tpvqv5u5`Vc)lrloJ_iP@n6t;3QlVt< zQTwkWR<4yX@SGh%5D`Q7yHLot0{dC5Q5TrjWVgDqZQKt`~ za|L1d)37G$`jfg!7r}n|K_IscS1=i^D<;ne5a?~@}x+zu};V1 zEgW^gdH#CWeiD7^LV4gDOq7zR{x#c*bUSymI0*lW0;nZ0&^^ewrETa1?PiE)7Pd#o zTtG*VWV}JldLp}h3TZhY%qtKAknBK;W+`D`wG_TWl4T95tq{hT{m^>{L2LV}42B%c zC5CzQV8fESiKq3l4PJl{rUQqrB6%k|7G058U4958k#>c$@QO48?P^C89~DKn1*J^*?objQ1&+jxI9h-Kxna@ z5rSM^;XSMw___kKqN2mKL!$H$WoxrdYEiH^jd`zd`FN*=Z1_Pix~$(5CX=P z8Ab%A+BQcOgw6WK)aBHEVqrvOnI-c2s*CfqIc!toZ_SQ#PFmD_43uN=%C;y__B<=@ z`2hGp?s=AR@{#IeU@`cdCvX5zz zARW|RWF!gL0SAws5PQRlD38E8UV?EHB`D`HmE9Y*Sd;%oBNu3?WW`4I7|!~c`Bo8w zH!ciAgoVP^k%vMN15H{UQ}Cd&x7O?7)wmpN26YBi6S8ybe<+Gu55y0}gAR62qw zYeJVS`sB;u`PebAquEIat@jF20DGE$=6VJmJL`-?uwNQoW}7^wsCDFA*m4Q~`CWuB z3o^-SGn^>$FT`~vetZ&$w7xRyLFze_CCx`ZV*BU&@;#J%$PyE{ zH2JDsNW6oR=Kj;3h#0(AJ=^6?N<@WS!OEdR{;NL?tr{Av?}kvRC~yQ%P7P@47N15Z z2f33fQpdo#0wC{iEFan+FJij_5f`<{vT`&-az?%8tW!rgs(` zm_u7FNz3}=&(w{0sG*l!s%FQ#0yLg%Z&hT&*DoM1hqAAHAa~Jc2ybKbTu4=bPet|D7q&(JdZsV7BJ<5FhdYz&iFQO9^_H<2K>W=J$fUUVv2Q>}>V{StgY ziT@gLohCp{w`9SKZtaTVJNeDmRd_u8<8!IglJ$VJ7;%C=GknG6E0US?Y8g_fscl`^ z%CYdn7o!GQ;*~st>w%ZLq0>F_>gfPI2g#CmUmhbbe=>tV|NCm1(I++5|7b%ao|)i2 zwxj!c5_GhZq25!-eey!w4-o9K!6^7Taey2p}F>FFyBzWcG$h^thRaeOUGO3tiDddYp zR%pC^pgvr-`%qhr(1K!9LbP22e52r(?c^%c1m?ZGW-pEI42=H=bI0Ad2i4BScG`?v z_fFm_D5QkxYygHqK84O?arAng}2nAH;c%h=~fNGwHNJQAP$Sq@#;k#cd9NQgFY|I`w z{?>n16)jGP5Fq1XTCh;noIn{}EX~r$jT4jE0#7^M?(ALw{TLf@BKYU#GN*fRO|@NG z_g!S)y2tr1+!6*;5vO!(Wp0*KIl5~$x(&k6UE=3SgTSWt58|6Fsy34{Q+zvc@&f%4ec-h@ zB&!84cFaXrJL$-bImDDoHr?r;u5@vm!nk{&086}$BR#%W{`}0mTd4_DvQw2b1l3F4 z7Ez3-MsK*pXTb>T%!BE&sU}5?v$nU=#Yh-8dFd#cbfj_n zYlgigxzvj)T#USzCIY`&`57mkhNsv6<#_@45z2kA*ao&ca0m3iX@76YMVcVykNT-h z5e~m^k%%QRb7eZa2bLXg=mweC28jAMTH2zhShz5Z^lM{_zRbGb>oq_gDsz#>!Fv=~ zxxSX0u9I9EEsolTs_d@g!vO+IDs9VIuH=i;{0$B7;AqkEIZO*&aQr<{A(3j&{pp%l z-V3OWwGGmD%N#H&uZbcgnMe-evq#^Q_Eax9Zq%ymN(DMI&sYmiciR)7W&igs*LE4YF;i3mbxd&f?Z8FNQgWnY)#FTpS2&^wae}xO4so=wZQyO$?qO zJhP7ETO*kt$$Jk!r|!AR?hXsGVOUiZDnXos-%fS8_N-6RH))~6F2Q0Bblyv}nMD@@SmQv_ z)AWqxtR?w}2F?9e2#@7Ov7QTpc@!xAQIr6&ie7grBJf;P>rQh|dw8jn`iYr_Rqi6g zW*{_Wp!}`IjV1~oOTSyXx5OU}H`=sehlkT~srr;Z#K#FVPHv5cT*C|Y{Ec`t#L6Q7 z)n@dfUvz)zRee zg!owW{m|4CXD&ZDt~0L8yEv3tNQ6Oc@C^$b=lzKvO(MI|~tNe!$T)5k4P$j%uVEb|#^n zCwnb}(nE;pVKKt1CKVZ|61L*^$xP!zjdp1E{KS` zvpOolKD@xRx1Yb(k`uwxejvan%-6(n#*N+g>t|MOvM&bZ_GA4XKc(euSOmMQjK_j< zA7pU$^~#P}4_$fk(L$iZjGX(@0>{|}Dn_j8)0`ZtxcY|??_v1pVLzMDTZJ@$qOU2l z*DX;-;WVNkyFxFCMlB$n_)%U+(7LYCjE!sqD#hBbN7ELl$16?-FJKxr|NC9Lgv^9} zrwO7>7ii4H!TGQ|10l+%Bhpa1{-2EKre>#SAL80rGplfwc@s6)2hkg4|F^tclfBoZ z*JVM(wRiC!ywP{`%L{M#iG<9$DX`@3*p8=n)uO4oHUEAZ?f|Yw)s&zR#sl0k4rXZV zr+finn)})fESwjf%it0$6}dswog8md{;(K(OOZDbZHA>t&opRmo`yqy?*Md7s$8o` zgHGkC{!CFJvcig_x)biyj;UzY$WN@p@Pr;qs^THk*&IzAc50#cMz!k)CI8LH&l~X> zG|=U)gS1~`&T6~Ng@cYk6?sQoq%AX{yCwt=OQ1CM+pvrtWBMY*M&`Ibnj zIRdEN2JntO{ULj|3WR4kpa;GN>_uzczHn279fg5B3H7*?0N6E5Crj{twN=H6F;wzm z(lxl~&@*?ZEzb*x&p79nbdzwMeGW}v&kK>yI7R6tNq1RD9#pPN3F&HkV9TDdB5+@^ zdf&3U9oSG%obFNPdwmI^##`V)OKP?5hmA^5BQirU?c~>-*cPb!Yh9IrKsUkeGcYrg zjamwge!$sk9H_cDTkA2)GPM9EChsheHQ5Gr`#hl2sw6d6;N@vNA2lBLIg!_D=QvO> zfFJ5FZXY!sLKFj?01_fbq?SB%ggwdMuVJa!fm%79T{n2b{~G5w8m~UG8)V66k}2oP zxx+8YP;mbOSqdjX>RPwVFCT&mrg1th&~l0-vc1lZ?Tw+!bR;|*F}y{|HwR5uZaK8o zS49Ed=KaDc{3XT*xWYN>F1#gEVbJCU;S!Xg_@XBHZDvN9i?+;YOdB#UTOXt|YNI{4 z29XO(F1g#yB2ZZ4R2s?wdIL;*=21*P{LniXm6cmU=)%q~mLK7+_bj^2aIWEv!C!v~ zq4=EX1zTl8#XIFM!V59jj`L6f$zB8&Ucj|oFN`!loERM(^jWZ;4_jCF@^&U z-zAE|=bLU&eB#o>WrDg)xh(NpQv<4?t+xI6vh)ZV)BclPyu00 zVV1BTzO9z_u%qS3o-k8Si}rm7ERzFy%LuVJ%u}kE44g^h8Co{wUN*%oY#wryyd%r> zZbo?%`^!q`&OqVb(PG@Nv!rv1je}qnZn0RcoRS8@2)H)@)SD~sO|XERUE&ULnVd4I zFt{}Tt0V68Pl08xGTtd!#=dlEZEA zzSAc&Swl02{6-d+Z(ui>w?EFu@!50w)H?Vm^o2E&!rAZ)aa$v~^&FwW$aJ&ff2I@L zB)wOnd5lYdGH1napPB9;gCTlM%{K3FkP-@-98mht#ytrsp{?2HOw#^QzCQR7aBAzJ&fntkopZK^(`c zj%^WC7%w{VhFj_G2kdLz0^P)E`YctGMp{c}aiOPz<}_c+v6Tfg0x_(Y(!nLDjFO9I z2l8YC4qshd`U2R~mn>W2<1ra(u8Ija1^XNxxAwJrfDjI67m35o76{<1K8#dGDU>g` zXN@4e4t7@hF@2+#ll#HW`LX;_j4&2JfJAs8aoss#;IWbCi_W+VN{Ghg8V^e)}hRTQLMSYoBv6( zR9#CBHGH%r#M>Ekeyc?(z}~qn%LDAK< zTiRMGiw%R69A7G8H68u}npd{j9dzx8@j=faOa({D9r;)Dp~EfmPSkePX{Vr&-*N?m zNq@6CC{kRG33wX+mVZWTZ)4PSA(ABCaJHQFo|LUK6~c~2lP!eOr~Ox789{hq`+HH^ zl(OH}gt9^31p_9g0a7S?cuCvM)4Nx?-6E1#Yc$%cm>m}RIJi19RmCr(g6{t=Yaons6_SV-3h4ZmZj*fX_*~!%KbnGqJ zV@cYEyKCsGro<34*%V=Z|Etxb(id2KB7YzK6E1wvOnnRboK3aF|Gk?*1(E4;rWcq9!13$&D&FddZDrWk7Uufo0PKfxCRbQMY|Il_2d zmQa4JwGrAkt+=kL7t_aDJW<6<%Hjwd9!Gd>Mz+sg>P0y!$+0rsA9;NCR+ z5AS3)BQ1{#m)R{gWqWkXV7?X8f4)xgn!Dk%RM>Bh*3LmHEtLRh8vXN5cKRsR3?>0~ zU-rPyeyYFV_p(ruNLEAdDN1q_EU@f5=G2)q#J2@P(olSuCI1DXol(R3(SGwZduA+O zm?)^VYo0T!5@tj9Y@7LKGZ6B@B9vl@;uH7QHiBX0`K6MuR5-2?VFa>u7G`&Y{-~Z$ z+pnzWacoL1)*d8hb4d@IT-L&PCx4JmdQW$-Bi$gJ&S@7Y{>XQN5Wc4S<&_Phnl2Qs z1<2RVx_f2<-qDe#^#gxebk8oL?8|{T>-K@Gq889ytW^zv)Y@EXY^J!*uYc$9SBWOj znc*?=w!ytmCaE>9b@i7gffD~hHoKk>-=tdaSOl}S?KFoG6VtTy;w1LNV8^r_gpI(K z+j)MzXYjF7u>1yT=6DRfE_xluMS&+!qBk&6hSdbNym2L7c3n^ccbnlIHI9A)xr3Z% z-rY!&AsRb`LK}Dreyzh@l`ukUUsTQ^x*P`QBR;1AVPV>I5p;Ov#K1yM_)oWK8RiVi zpXGkXFa0nKawC4;s^%_-46qK8nRF9U^xareU-b!5W0>d`F-Q}~(Q8EQpP^Dmj;Q3u zv-)hr+JUkLmf_vXMRoXsno)orQx<<9?0=0K;UPwHww&&q*~l|@fEWD|B$-|Tp{$Ucs&3CS`sT;>3p@Uo{zbpX`r>qa4A46gaW^u<{`_~LiUh&m(*xD&j{c} z4KHwevbK*{Fxk&EOEP1(w=SCcd>vnQ_M5#uwo77p(5$|26It2->RthjiCpjISEN1J z02KzX0LafaC;ndFLdKlp8p7~niMq?G1U&j1uun12lR_IxHb#o$Z1p6NXy$frw#1Y3 zH+BgPl~rUTIM^SFLpzlaE+S@p4u2;1=)ONOuNO5fo#F(?q0k9d5)0w$3FGL3yW&fj zZ$Ba~I+Xmk{F}eYtK+uVv-mqypD8;pV zE0??`pi^*Nu+`&dfRH8l+zm{_!_^qU5dRlua+KS-c{$;l`smeTW&ggaxpyAftTD>f zhTVBnoU1L+3XI|ex90cNtghYzPSJ}qO?H)4w$Ht}-R|Bj5WTP&E(}@uNuGYqzx#YoI(paY!yt)tf0ur(a?fRPDB zdSXVr`R|l;Et#ZhX3N3pKG17?72P35Ndcpj+~ZnoVovJLE*hB3zhik~!sxfdQ2Os+ zjgzfH+EUaAf-@qEjhUYJIOq)VOUA5v`O-a-AFSZI7#M5dFhfDGAPY-p3d9d5+lH!j z>A+*czmq52)t23I^wAm%$;a9tpCs_gFs5f~Lg>GCEu+J*<5cPWg2d5=c3(1@W7paD zDmF;F4%OaO;$uwk8sM)Ss^rp4)pxvIA|H{j%4V}2{!s{VwzH#A9XW_s(LiRJKwu)Q zR@4qEH8b-$?arY4Kmx>Elbx8lUGFe%&~{Ny(e!I#yL-miGtH|>H4HDx%H8hAWW+ej zxtRa=Ecmo-^p)Db^s25OH~~C<`{|3LH-sYlYzAB0_`f{1M@^9YsLu+<#NC)NBq2Eb z-nIMR$d5Nl-Lo=a^Efe$lt3uGQ>>jj9du7gHC6fFZaGTfN|-kCGQ z30%zS#TdJBM@E4D0TNaa7;O};zb!WEXteEn{9@i>SdO9*mzMS9#rDXnM+a^*2byB} z$qtSmeb74@eVcp*8q}l$)}L+88^WxGUTVob6YJ(^*7(Y9dOh13U`FvteYpi9I))bd z|J`y`@!uV~SRO%U{m)A%f_ujww7HUqN~MQec}ipA+wzuWURRUI1h0igy*m34*k&SO z?kyKwHP_e_o0wCOZV)VjH`vjVCIYUdP(Qur6#Yl0833XmQmaN<5{Kh+hSvoPP%f#W zvA+MA5il>pr4f9fPIPPf47`nmNpXfbPV6k*-c=pemTz8h)ZF~!N@4uYU zWsjt`_EKaZ$#%`a-^Hel$n84PM~CKz4IWP6>!9;8U`q{(F^q zkE`b`wBK(v5&+6CE{T^D5guoK(5`#8BQ~kA3}$VTm|s=y!^juXZA8nC@%esUO#y&O z6LpX)+(0VtIh9lbvnIUvz|Ry>GCxn=y<97+968j9)iQ(x;n}4K)wClSJd>$1~i4TXLuj3M&3|%6#0dH-YF}lZIl$Cvz>KN9jtWC|4`wgVj$CYS*n8P3DMQlO>f4c&o&&Y}>~RQ}DZ?20K{lSHX$RvMWhT#jM#;i4 z*$o-)ZRWILDIoTN_T=D)Ysb2V0dCdR>EyjYoNcKoLD92mbZtWbLhWRJs>I*u@UKF+ zn|sO~t)c&AFJ}es(qIF3dNLx-PFpAGeEtKDkYod~!~&HY4$egr<09O3Y&rn{Ljw!YFl@cb(6FW2{HexHnB3YLsXScCYaXG`+hQ0yePa^Ofq+`e!g?hPR`#1In8g zmC9^w!Yv()yNa+P(IX#W6-{Z6G4}Xv4jA+vQ!?q$inT~%H*wxf>@it1lBg#%6<&7Q z=ap+Rmv?o7(U^Aqb0}3R{37gG$*)}n0&Qoq4uyB(||%)Aifjc%^rPdzL!+f zx*;ZgII(@sp6OoW1ttxOfH#Q2H`;d`td=VGGfr51;jG4i4^G3FEyVBUE3g|F4?jOL zwMM}$`L=cvQlWq|l}Oq9#|2DFeeQG>3E_J#YnLUU6n4luWK)sLkyU~W;v^zkBFdss z%F$@Uvp(JdqB)VIMQZk8-bhY^Mn93XcGxg0gtYLnh3UZt+M*-U$1jB4J?5=!U#`fg zuCAzi`KIL(b}Ea+8(h{U_Al@F?x0K@-ofvh8c z|K)}e;)SL?5qXGJ5GR8mBk8!~jCF$&g;>1T`V!xcXcJM`9Y4WlJsx?+O*S7!!%1+6 zVJw{Vgh2xtj}$?jOK{Ts$D5Uagb>xQi#yC5Ij*(HAXZZ6(A;(3;fms*a3%^_|CByR zxD`wJE=Pkx!d;4=uuB+4rNW5D=r)HLUOIQkEW9qt4X_5T+?4P7mrLb1J6tHR6qhT6 zrqB!;pWPbMA(4iIiktO#8^MUIP#msLQg#t5Np~11a7ZQ9u+3RNk+k5h5&76i4_Z@2 z^~n5Z=c{pQXZT|RWRK)1cFSnhQ7*m9b+(|iYXK-k?Wqx_I93=smr^9`$$t92uVe3> zoGKcZqpH%8Pet>6q}TkqQ?ze=pKU@IOS=8qE|}X7tzG8o0~mhexGXF_*CM$ci)X$K zP-dk@c;#_{Mqy)JI0pH3anE>i0St^F8_QvUC-{j2xrcbbtiDt zv=;#OdH8&-O4(wrWa`?sh7$kmY^)5L2?K!{LCeB=SOF|~iA!#dbio@?#Ct=+5z1^2 zR<{t{GjEex-jpZW-tX$5gU`{+Jo8cId=0OPTTk_cEegj3QOO_(edGhTO47Vrnqxh* zi_7vh1P*k6c_Biw^&ptv6<;)(WD3A{N^l147}Ux&7|{+gZwSS|bk0ZyL;P(c1%Wo5 zPE6l)N5G;d#)Hbqq7~DewDs2(x;S1Ubrg=WOn6&= z%PN45-BXrG%<@W=dfSJpK$}N5jt&}3o)ABdm49Do#a{L<4m0#)O7W{@Vry#0$nCjR zZx`GE&ZyHtcJn*B9`jh1OI(k1bIKLo8bgNPSkEdaZDz4LyR6-7bYtHtd-^|(H#ju9 zIlKdShG(yTUrw5JIlp#P_*m2u{mOaaj zQ-5t%0Z#|y(hx}-=j2n=Ms?rbxQWypgy%PW!Nd-A989#6`B_Vf+fiUf!!SGPk@`AD zbu8GT>9m_(%vTX<_SN$ORqg#dOK-!j=2@Mk%O52%;}SA-vJ28qX`9P9D)pxq5xfP_ zvjqK(ZxT`Z*W1$_U+qk~LOnuMqw2U+s*qY-`LA{_Qo<9Cu?7Usd|7)fO{xC3l$hw$ ztJ6oE)P_^gamcOR5;O1(R639tv5ipkLToeBJMGZ6DLPaTu~@7g-oP4uYi9HV4P7J% zp~5!><}vPS-Pwq_1vIYJC>^A^Q32L?5rtk~lmnagbLm$RfJ$zp)vE6BDn=-ZdTNNp zm$Tc63?jn{kfxk?pvuat(d!tqg&bL(->z2}|C4Bv7>KX3KBy9gj$k$S^4Nx6fMpg$ z+7$W*FRIVVy78iK#51WzL)gs^(vy624k_RNQD-5!;R&Hrs!CLhq;6Qd%MvIi4 zWadSW2Y4O;*VSLw?C=2H`!njYG}Fz7HX{O%A#AtNmM?OYwbW(P$dhVr+R_-h2>|UH z157P`ju3mH7s~%;Du8)G2We|COUP_&yGGNHN~&6XLxz^ED_ScUT#@+uF`GLUn%b_ zB8hsLU$rr;#augb&XY_?>;?_IHo$S$QdW%S?S(wZS3oEguij;KN%v=*Bt@BFlWI*B zwav0Zvn2c1Ap(dSm*tFRsQ06q5ff$^Zsk7;J{71H$1-XZi=Kvx_iZ700l?VJVeb%0 zxuY<0O`LAT-5>PKOv-JI5Z_X3s@f1bBn@53s+!O{l zpj6u-{9aYIU}_IL2JuUp=NBt-Di=2>L-R_lys)ehCJEM+Uzh3jdt}L{hJgeC|IgL5 zxl3nkK9<=ZETi;pK~~s_-7P9{@#MWK>P+#A?#7AhE-v62$S?y9LRGrDd98O6ydpGu zH)m4O&v_6~fPpgm2TY>Hi7mM7h#WL_LZa9S%cEm#E$PZ18G#U`Wx&fLC$tJXn1oDb z{O~a^s@-Uh!6=4AD6_aP)q?Q{#p?qek=FbNyQqa>R_E=XQB>#P>bzTO7PvKSES4B5 zU97RNb+sco=^H=I{dI)UIIg%lsd1%>f0Bd99LW(UoOAnqTySvb=$$6PxoeH>S>d`c zfHplLaxz-Ep3&bjNYJ9ToKKzF8uU|HI^W_`KY8&sUJjTUmu&7v{~U%V#&RvfDmx%E zv<4o(P6Nu`luFO$txB2h4Epvm?U(I26#_MhEMlzWRJPMW*3*Y7ZI>?2|JODOZ0e`XaTFV{HPza_XtRPr$>N4PG|{sa4axNu$Q~6lfwy}to|C!d!L4jc@U9e0VQda zBd8IIVb9CE<#L=GkbJ-_FvC-$%J#dZR&=xO(60i+J&}MK^TqK+t?G3P3%z(G?~}K_ zQ@71?#tDh~0^Acok5$WKmW~my#s?+8|-kwwCHFIh*BZ!K?%q{Ew?_H;ijS#f(} zd<_8@|1HV1Q01jbGu@~YdYoZFsf4jT#6e%SOYNm*{bDJ5G!Cocqkupn-I41p3uwXXM1 zm#3-8b$2um#OqLd>*@BHs6$xO6$7Zq0RyQu5Q0l&lD=S3Q z=y=Bwtn}TC%vkD%itNiA&S+jpS??we=8-J8(`9NE|2cPuXP%dCy8H%Ma6qR;G-qk2 zuS2o`>>V0)U4A(3fzcDTYRmr{Di3?#tbxT(BSV`+ssli?ri;MuC7H{!rfh|PuC8NG zbH5AKUN2`6a6F`tSl$j^I`UmVz6_es4V6wFVlP8oL{hrPpc&5~!4HRpqRbr`JaU}& zeu4C@W~$7v1?ge>E$c98Er|E-*G`J3&X5CsVievK;Hlo)Ez*si`?joR(f*`h z1kuN#I?OXdm~Ia;5HMD*N&F3JB)n1$i?K!St0Q{pnlN;qrl{{_V9>2YUVf~*IqQD9 zoxy^G=TU5;puf}uO09MgY2>vAy-F@8NohrFPgG!|7%qrYKoNCECEUA8Mb!YS+VDUy z`&`DNXP2d!Y3RYlp>7+5mS%5(htv;@gb~ql_^nZ58ZL|7iPQNxdYt2Npi0d@dXs+h zA@{t?9MyW%tdx~hsiNBXxT49LY>%zofBidoVZJvU&hn%;FH<(4)k^;rR2@u6n2hl6 z%WA4iofhdCowIa=a)*24TNd}fk2a03CK>OG#J&gO6ANjb)!IDKBg-F`G^Xw`I_yC&R6{lfFMj3yv_!oI)R7qpZ!{ z7E#8%uQDM@p~dD*Q;?0+;5RUHi&;HS(U8iWPyH`;IvY5}qq#}~@@PQ3%a5*{w&hER zAQ6i&5KV)j>4{^^9t@ks>+KaI5hT$KR@j)tnk=eFxA)rw$v}Z#pL-9cROXzu$Eara zlekn~ob3Vl3LsKG;u@>vq9QW$LUT7iuYytVBXWsZq+Z|cb9k44Pm>8`Jg?j{Dlwz` zb?ag(Ug~lMu}9Yl;Wu174HxbbHG7P%Ed0_FzR;YLeGClW3t2U4nF#DE)WPj(->i(K zu04D4Vv@Y-F5tfOReZBuaJ{>oFv)}e5Vexv=YJW_*n{=4&~PP*-~1d@yOPB#g5uR8 zuC6A+)y%pTD6=F#Mw@|qi4&WE4!%v%8ld;oz5~jW=GlTVH=SDT7vbT=jW%mPDruiq zu>%r~A25o_6y~w016XwoErD|*(5NgZ8}m)w%Yb^I*>$?*`h`t2dPuCWje4p5@0E@| zv6Fk0PeRQ(r8N1&$Ne1T7ALfk3`}0{GbV;()|1tx)kE?j3@HKaV6RE$0e1 zX3y4N-2QydQ0c?p7zui|m%o&}dAgBpqP-3`wXY940Vs>TNFuDHLsFk+X_qJ2)--}{ z4hkt5Fv#03bViFd$dDcQ2@)4|1cwh(*jD3#V1`JE=oTi@_heG!Hrp4mn&LUoU{yQ8V!I6M4=|F(thZe`4DoWi82g3)cjx9DL#nGKr2I1w>CiI%T6+@~ZI8GONoX9Tk}ro*-iJ7hLuKw6Z|q|;~O z+2XtpV6$|*N5Ag}93*B#)i>-ufDpuu>Yx@+O$F|A^&a~adU~176ouoMH2-qJ5L7Ip zV3MH{^6sEFHnZ}RCdcIAr1yLjj)lu+TQ6^>M~6Tw=wH#=Ci z`H+bG^LupYlR$H;s*pQu^?3h`$R8*YtByWZk8Qa53E%M4v$oCfe4&0Q90u%tqeDK} zENHt-GkD*~_6)cct-Ei=LE^Hy*22Hqav|km_9ps2PrO(WCZ}5$)AVhXJLs8}-5vb! zG|q#VMeePrQx3=NT{~LGYcbe|8x|CAA?rT45LQNZ?{c-*KWIz<_!H0X-Cbhgi(qv5 zrLsOJf1o3$9nO#OOp5-_cm4aVlEcQ9do<#uq7>>6&UFha-0LEb*hxvG2T#5og(qK; zzr|NOPZ+8Na%m?i^m`Q#^h5LpoCwXd=M%x<&2uJz`qqNsP+4`1HMQ`-3bsQ7BP`2} z;ia-rGVzIr=GEQG$5P)n47$mbh#C=@MSv5iKxqw%Y=8c+>2TCy`jfnotdU)G*f6iWZmll6Ps2T*mSr%i&5>Y@W4s!N}TD3l`@a@ z#mS|QnTNtb+J?pu2vG9XW&;^xlLw-s>l%ulW+oZeakJ};ms=fSuoZ4O2tfk`N4w#I zNKjA~uBlazPT}>ng#_L`4>sG%f4V?@NEpJ?hA+|cTUD~8dm4E~sMs-|2bm@frWGAL zCv3U91Af-QnB?6Iar-xo)PHqYEaak=Rqw+76-z5(VPHmQaopMKAc-tSEWO&=`}TPnJUDp|t^O?e$kr}-ls|iN`Eu8W z+*z9+bVj$Zu-WmayUrWiS!#6Q3q^6!bHMX#b_ip$5VVq)LVeTkI$#3%69v*#|7G^s zk_Xhu>dXxY<29`X%P{6}4Rmk+;BGrsHpXS0ka119N(nA8MJgBYq;qdmtZXvq%G=}A zK_Umvv7B!UwC8pA7v}`3rV;HH(azvJ21W*0_*Y?z_|;qzSr!Gf89?v5a|hb)N60L_ zxb}_nB3o>S_OUwKb(FiKP1rqly6r{LGkjoq%lt5xFk35435y&CXr)#bkA6KV`MmFW z%n&Xf?X_nHfjwWje{4iIaer2jS0-tbQr)GV7bcC-Or^bMJcqms8HVz2xJ`$BX>%s6 ziS#F#in?DAcYB40ulN^QQ`UheUlawb$yf!o(rrNxWMWY(qcAyG+JnOD)*E`;#x|Mv zI=NmPD>Pu(cjVM%hPxNueJV32yX1HT{@=JE=dW3caks`8Fug4VC?Xd(+S~jZszVNh zFS;5x`D1#{yCtvgiAjKRKs8o~`f7 zygeQE(!l1jbbga?&`DeQH!B?mLjq752I2n}3oIA3mTabquz!la7t%$+3Pr^e}a>25EFYM`T!Jy*Er= zcc07LVF)o3L1gv&W9Q#=sMO4$vnpeQRdF`}FRlUtgFx#WRLAxl*y2^h)TAa1e3sPv z0yc-5c4r+IUl32Vcdmq;ATF!@2iMSHQR}H533gbx`bZCfjR_w_zp1zY#CW#E0YFkz zoldDM)AdYFY6KQ{S_oq6wv5$OoDEiWYOQVE0`&jeb1dYs*=7OUfi>xx4}RU*9zuoo zoavV(n*jT709ZM|{Q~qgW+?I&7&u_;%?NcOAhT!it!FvKwG!#-*K%}}2g67+p*(u!iR}Yamu3MH95^m;db&BU# zJ;HiO7G*vk`7~!*i6<1-=tMJwmQ!LLA}YkAl1xq0GbF;FM_Zce)~Yg@psmbhe#Kb& z({=FREYNE(q?GJ@!obwH+UEErW_&HfEdro22JmVef7adO1=ci*xjnYnNnkL$!#&W$ z)X9gT9JjW#&#b1>vqXJ;8!tI*A)Usq0nD?~6md^4c(-6cYH%v|UJaGTT*8k2G4T(t zUy#N~B^ohLv6b9qscL*M&Lp37>kOCCy=%x=idkA;UuQ57-m^B?Y2k_*nS1OCKiUKd zSSBYw7ECXmmh_z5@D0vagna9OtrRCNs8^8)J<(4pnzfCnDjcv(+08k;MvgDt#x zUbcv!viH~yJ#5OO!CpYr(N`)NCZkM4;`aT2d(|%tU5NTYGY7(beBG!M#F8j71v2EW z!gy0OS?0c$Qp;oT@fOPA4)y$baJV?cO|i9kpf`$I7Xkj107kaEB zTvrg$h{Ksbz(51A-HJF7u1t%5DX@6s{|CrUUv`7nUng==x04hgRqiXjhKJGq6|rIH zPz83_#kTSDtOv~GDXv!__Q=YKATh77zaf961`ns04rjOmliv485EO>gdQTOcXs(yy zpC1s{Fq>S zoIk)%p5cdQXGZZk#i;tBsS^x#F$rX+{HlCu!S)@4(FnEW#$Qz)x0K`mD}}eSKOpiZ z>R<(Px@4J1Yx0rtu*mXh(CjYEYG=JY2b9_;$f^Id8{9N&>C+HVlXEIz!%;pCfuPl? zm;!aKCf&=7wg9}N1bM6To$ySenj<}-${ z=ya@Y1!5m+_8@G(YBp&pe)ZXbHl4>j(>^zeP-(JHUDz@ke+bQem|hqs1bx4xHcjZK zgq$Njjh~fo%o3ZI`y|a0X0xZf_#O|X!@VbER0b!u5x6WucRJ1!^w4^>e;sul2eoHE z-gw^r|L-?GAOSpJx;6-GKrhIL?085#!-0K2Yw|c+2*x>tT2E*aH}|!2T;8e#{O}H1 zt2c@as443~fU%nI^^DPz8e?Jz-gpCo+5A~LJN|*-&**&$QoxGZD@fD`_=o%Ux06BcS7%ggnWRpEi{_+C zx6-cuH!cV^yP;mC4UU|sf~Izij)&-H8JQM}0{xgSt$L*kHZZ~*9Cm)~wU#7q;MtWi zl!gV$^AtO{OMkdP#xNR{)Krj2BrhfkTq$&sHz@Q(ArI_@Z%Q5fC%D7m5gLvjbN+st0>W_f zvsQw!hIh5~$-kJ2ZCzBR5*#%E*>zQ9jV)bEu{}d}bWc~ZwM$x?7wc$TlxG*VjY5T( z>d4YS)ZCgH8jsS*4lWZMYgBG1(xTx{ zmyX>U(wfQlS9ma+oBRB02WZODB!}Q!pSc4|Z7b;R)=zBemkhPFe7byH2*l;$D}=Dc zV>Px-C!Z`m0g+Qky)TP;YlCyz>+cVpakxNo**P8(103Ly@8l=V6*>AsQ^dP>!%I+HOcHrnIDNosgS6D3I6 zL7(h{++cj!J|Kdor-4&>G-Zi~1u}g0afDR+k||+>2PRs(hKtB+P*h%Ba8cs+b!`n< z=+#RHvG0HE&GnzlmCQr8_KRfl!k>gJpca|Y8pFC~Z6V0L^vYSOBE0-b>Ag;fX`YQP z)Lr{=p%8EhkY4CXYy@L)W+1u&t?YMkv8oHlLrUox1w37^&@Y7UV&)o=k#(LznK*O; z&ky?dfS6aI3rjty^V`SlOjF(GZKyem7e=j=f8Z){AY*i|*suyCXw=X{ch}46)=7x> zEq)!(S~SN`6_P(EJ1y4#5m=?zduPu*a;FMg^4lpz%9OL*tiXG^u@y!_S~j|bC|-HR zf@UeAe*njJ0s*n4o-asQ$|g;TY;@gFgvyY_cx1}&#rb;zjo?lpxg3=41qz5Ha&QQh z?^Ujprdwd>nELw@a^P=I^a@w=ltd!FJG((G=HZ^jv<&P$BWhNWTkJ<_o{ATQef35` zZ_3f>0I3zQ3GAWhiY6w2k8kRy+N;@N*wDbn41B9LR0f`JwCtxV{$?OW=6`vz$rKz< zncfCSEhf1s{F?3nsnk+&OV_>c)mN>hBMWDhD#wa6pnp*r2zatASjkw-{B_`|kEz_z z11V?+u8GiTSVgc#F*m;&z6+ARQ7+Fnz{^Xxr{e1F%;4k7U{J4t64a+&T>FXQHi0Yc zKUV$Y4zPH~}T_ zmC9XYU};1%uInEzAa| zp;iV^MVMTP>J+>feTB#` z)1AuF;QfnYGJ384w7ZX%95=8}cQYcSOiZ1c1qy3EVBxTQt;9aZZTkfMYIF znLQAj=^(^=UH4n1l4%Dxj*ad~Y>Jj#uXnw===NE|G@fKRemPT4gvV}NHj+j|)|50SgdEsJ{GnT$WltBokP%Ft)B8CKN;kc0Zvs;{; zLt$p*F%4U#%{^|cx(K@nu3&skORBi)Csbl-#H*0hXrR;EKG0`4t<(5E{jpx_9w*sX zi-OEA0*P3r*7iHXu0L``ZNwvZpMqo#i{Ar3148j^L6~jrW0isKF7E=V?dfoUt9?e7 znx(^-Xr)G8nWHL2`&pBFX9f3EQCyga1J;CKeN=-B_0TqVYx1`RK(J>>cPhxviM!MS zl6RuavGvNixPsdzk}BMu48G3R0;b>=Ks3}IFD4alDy+7e+>K~BwlhXQbQU}j)d!+* z+n3E}&#nZs zu88iQSH|(PKD!#sc|m9)r5th=d=V+$qUj%fSynTtinxr4v=$0AAC0f6ZS9OYDcVw@ zJPms(mXuLXuuJuSdvrrLw~mZaeN17f(SKz)W}_tW2OnYh$x{%L0p{^ zsEx+9bKTxYLTBr9Go;+_?KipC5XO+@OzBU1O@xoThBXElnaDuW zKDa-~+=hj^Ss_-DcW=h9Vg2tlElIUBt+ke%Im70lA8J0-LP3(G@!J~im4;z?VDjmT zG8)r?nc!;u5YGS;7d~Ocg-;NR(Dq?RBy)12@hRvWX&%Y@VyOwQ1e+xrm9VW5-w3->*BfBiKr?nK` zz#xRtal;Ccy8sO(qsi<#5vKa(yt)X_4_c4(?oe_mf1f2L|L{SGUgG9%xDcc1o2&lZ z4lXK!UFUo;L&MjDbWyO~@b)ahEM?GTCJy*$s$` zNh;1~UGt1J>r0C}FY5jhk7pPXmtQ-=F*}`WjM4M`0tbZk)LEx#tg`{1uIs&;*$dj$VIG5uRv8C17ZR5%)u}amupT`GuY2^B*HWUnB!=hML z0RU?C((+&*b^h9XEjCOLSe>#jwnzfH*^t$J)&Q9V!4huH!Wv9_@RiT#&1Xhj?mMLR zyF7uCvpuPtFt}jUW>eob2~fgu+gHUf;T&fAKle+BR<3|Ccs`9Ye6=bn7WhfdUmFh~ zx<=@Gug0e$beD6GICsys`9TVjf}sMvL~0f7R{ku|Xp?O^00sPym6l+%j$ms;iVoH= zM|=L=kJfYuZ~1r@m@VK7Oyvn5RqsMxGRu(~lG9xsG9i@0Dp9Qr%YJ-o0^@)OyO5;C z^WtuRz^i574&MV4I~KqaFs7yyGEnTWM%p?qoC}pZ1u2=*(q6=6=mP(*kxCbleN;^} zD5rZ`W`m)!) z-eMW4q^W@AYG@_V;f#pOLa{^92bS6-z9a9X!kgYy`oSG?T%1E3|0@a($;k-d@y6!Hy zVQwKe*`s26u6Bv5iNjlMsr6#aSJ1pzTO(3*Eb`w-udL6eY1xM|jYC(mOG(l0+Egro z%F@p}OzAK`XU@}`%u)*OYEz&^$O1;4!C7G3i{!WnDKb&uI9G*_x;T@d8n)uM`8q0x zD+t`zWfoh@C2i07H&3s0wKKl_Zj5pPMD({&KQ-(Ri*<2B)8`WooN-}kf5eCatacnO zTv|_iEH-_{B`RAinya>jh1vO0+$R{Z(haaVf_OF=;X4vzXgkB$_mWS7Mqyw0MA;S| zm=N$P`U26TU!Bcq;m$~auuzq9R9P!Asm)7W(lP90c(1ESJa+~kx@c{JFvGD|tdf;# zbsTf!mc_;kwwV7LQ$DONw2k?Ku{Cu*xz(c_Zb+7QNDwNiSI7that-!CVs$I1X@}#f zNzp`-3{>~?q($YnbCXmgwqC9xS5sr3tb?Z-XbS}q2AWQV5Xb#xPz8i?e2UE$+A9=j zhWd#%C<)TY*~%F=n_JEv@36Y>^%x-#o6*3z%FG|9Y{%e&`O!2sxRX9CixL8Boe2o1 zf&_<6MeEA{Yd@VTKSL^^_7b3psL#H0oi9vsCz&%s2C&3K&j?Zn$x!B|?k4XS|$ zRFMy8niU5K`C$3}hd7_U3sIQ**;D*xX54$7RFntYYZEvKxYXgOEfDbU;^soEWDL%U zXO6gqIE>fs^|qw)`yoJnd!)VV_ODl_5Cd{&gZ0ht?XOw>Fn5%v8=puTAU=pg8b$dH zi0qG+m_VAnTyr^j$j7pzu{CitkVT2X3u;;?U2CmL|xdcM%@u{+G1ZY<#jy zqUK?&KyhS(2o6s$!S%K|w7R$lp;5%c7jHWL+DKxFm(hQ)v$`ow*}(k40&o!kJ8|>O zJtv}=lo1Y!_Rjv%1~j(vCE5#?22y?gLGmAkxU*vQ*%kC-1Fk@-MWcHsE=gH|1)Qpz z_-3O#Fp}82;%=~sT!LIzv0N5_oXof>))A;8NO&Sm;iANj#|J^)k>8%;z@qSr3DgTP z*Nwp*n>0w%EH;-aq+elTyxYm)txD|YmI7i~B)@AFulE^z8w4EzapM{M>fqtz_7kr= z74v}D47z5^YQ0Wh?ib}Gzt7@qIq+#zCNo;!7SPi(uTOx=gWw&NKvTITEF=2)QajYV z?6@GZ(gWf(9>JB5;sMrVX>V%i|0#ek%fw^fs{!e9w5PRFQin?*|<68yG>jmYec)3ONu zp5F24)%FF5P{3_~~hQ%eeO8kuQgAvBaS*XPITc5MyKD6l$DO1xN z`Mf^R?iY@GYYx*zWa5JL;o`4N1@bgj(x$ur^eL^YONiN?Go9N9Q} zP&9gYHF|DaZeP=n!52plD@~^3puUNO$+(HEzRHdkFg%PMnT!=0Ow`5sJm-d574!s@ zt9vG1LW6{l_$R!LF0eqW@0}CAU*1vv>iN1XQ^3N_2M-$Ex+$aV z)CAHqW%vXxVJQFU-&4{d8cGIZ>0v*g3>d2kUzj+;TR-o(khOwy?6|1@-dUILUX71nNLWH5Cj3{&d zO*m_;fwM!O;ScAtx8`>Y^*_>+u1(sPQ&pP6w%P(LG2j=&KZTnVo55K97u@%thxkWR zJdUQ;(1H6sx4-BwEyxb_%P^}?yq4nY+9f%s-+E&v!FdQr`no{nbWu0PSVwIPg^;28N^DRBnOp28OPU*?PNMDA* zBHV7u)C(KW54U%n%dM^JI}zkh=q|e&!|SPB4Pe9m)&9L8EZs6s41dAckx=HRo)=xu zKgO*Wta|Pj?eQ`JUFw?+p@N6uC%;;Df3l{KHIBX3i{ZWCawN?w;tt_H^D6u7HK8~j z*xOO%SY_)qE5pIH$LY3PiH$J$9YM=J4WJSaH*-NP`=RnLC!LFVBT<6+<8`p~v?|I* zS4uMmkN)mNfgV&vu}4b1PTVqd>0rV84rLJHM$K5D}>`Y>@sDiBrH!hDE%t!SBS(IQC*u$*} zNb>b>_UC22+E{fjN26xSkGB1a=JaaN8jt^jQ~~NdWpT^cq_JKUtG99CH2ypiSu54_ zp^AM3QUmlLDYrxZrv|OJhB%Tsul|<@DQEbGA-x05l2L(c?oF6SN#)pK3%cgOLev;MwIMDJOdPOJjb?sjw2%g4fr|czuw1Xd8z8&c)W>OQD{*F9}J>KE(%0%jh0LnD zFn4NSf%Tq=)d>? z-~BW-9`T(!sugr;!1uIeQ1y78%y~e*$3ZleeUwt?(rT1h3^uD@z9^iRn2)>X)3O!9YJnDx5ezaMR@3l_~_6Nzy3=bIgAIdU@M$LU+xMn{tV!xY*vQ7}~ zuxSixZ8fD#$ewthpf}cEsE59@3=p~&ihh4AaMSVm!fG6J2Nxhs*=tEn@V0b^HHz@U zxZypDfRJQ5^ZL9FsqWZB)tDsaqF`v-RJmuha{Lpb;R~XH=S5VQ3ScEz#@ZOx&o-Ib z-RB_g=3Rv@P(C%vgm?(a9yFOVRwpAR;RoLTLO7o_Oy?*cIZdlnejHPFGIZJ2^wPj- zpL6jO_EUyrx57cA?%Kk*ICpF+*c8TkGgnt%MD&yumd@L%@(&U`m_c&YS0a7GdD&Ke z(foCC8JF{h#xDxg_T}yGXONq6kd(V&VeEA>9I>`mNtm)t%|G~v{dORM7MXw2DcD5v zDc2Xjq%8hSX4>D=H!)XPK2nW*Oj{rA8^P>GG{+i;6IWRe-w=N(%$zN8V_auk>TBP9 zcGrc1MqkJMq~f0K2=vCch%df!eOhMz)1=5^ZhrB8X~3RCC+Za8lLG1b_tvE~yzc;? z*fidH9+Old`FG|FKH*oz9WHLyqPn=bzUYo?uxo%*Kku7+xjd`!4eO>HJ=zlEkJrZc zjV?>%nebr+V$&$~_;CgaI9^F~n8^%EUiT&Ge5l4nka%jUWAY}_VTDsW$0znF^pTdM`x@e7~Wv);OnP3rj4jnNWEV##k}6d4w+8?ZVuF*iJ&oafGMh;Np zI`8<8BIK-`#Fsb;6M{nMS!_w7)GvXOf3HkmBSl>|>W@SP1zT+S&AeclnZ&8hV5b*B z(rDB{4C5>fD~O&FKA`A7R-9r7RDMgSgPsqU5$-;`IUpUo5=YxEZCmhR zv*B7pGQ*eb6AZA10or%2+E5pE0x~11@GivXp@IL4B>zlP>9!I@r1^WmSY*dW47V=? zk#Hg$54rb04JMc1zAh1L@3do-6>@tAsYLh~Ku}jktV%TbfKl@c7%wR6L|I?2^$=rNYXTXemhNv8X3%;HX>KO zZJ1tR%cbT@XL|F(bzR)eqKbiY($P^ow6<+Em-A01-=+1*?33=?n zN0^@;y2-I`u<+zBW2*s}mi7|C*B4l0|HxM}lpIWDpkTEOP=PMqgF8n*-?!+>bjj~Y zXqSzuiK5SyCC)txuJt5Fsmk!9^74~!uUp#E6~>6GX#gC9zD30Gd%<>`lnT!@DP7>> ztXP!t`!Mg&tUYn21e|EH@sQ;Le=#%84=RJ0!W3P{2YN`5vvw7X^IR75M!`LU6tEcW zxHK75rOu!Y1s5^Jok%uWYY+-NjA`M!DP#+##;JXeN@Nfp7R!#Y5?(`lwIzhz7$XrB z7z}LElq-C?yLF2#uAcT|0M6~^J|gXk=9@=FRY(<5BpyDW5Gn54{EQ!h3O|O#09m`g zZg>{X@UwB2Fk+ybeGbBU?$x9Yrl`DMlI}k#7rmH}T$0IUFhY{S@fiqWcRnmco|Dzs zg~Gq1Pt(=dIeQrGbE+8rZ*s(4$D}W8J>~;_%hEYAli-&2q|d`haYPWequpMeLhXbX zL~wb}wNAahgfyAp+>jnNF@;R)`bPjy`8=yu;*fS(JJu25Cu2_qIM4WHM?mZNLL%X4 zZ&)Zfefl(MeTRcUwzInE*XFDTVusCg}M?z2%O|}d}-)U+@t2h@)~6t9MkHr z^!J^PQQLk;ONy8vQHuwE@Wtww&Mu4?IE5Ms|A``%aB#OV_J5Tgv)k=-upGA@O0&{J zbwur3`f8;XMB0D75F5>ZctD8%)vvHHVMAWAh-I>_g(1a0DMBA5bIA)NbPBaRg zj3rkCx5g~pp|}=0jjT-e0D_(PmoJJRM2*)r7B*Re{LV{9JBVJSJZC`NV6YuYXd&-}`2o>R>&Ds)=t{U}YGW@x z*hR6bGB=noz^24(=eCW~x_`Tr42^4^C=O*a&mhQp=9(VOAmeWp$0;>^gt!rpWDA4{WKAePk-AlQ!sJr7oQqcnJ_QAn+S}P z@2ybfp6BYIyPd% zod)BcMxf+Pbe+&A4$|&h2Zelsmc*;#SOfY=yW{CerlOnrjI<-Lfcu&(lWi($Mz8V7 zELX$lbMA%{ji6_Cx8?wWsR1!@T%f>3UE)SEM_W?jq3>6NXUl-Buam0u6E(E%(waDYs8nIzPe zaqyS2k)X!>SFb+dHRPfuWm@|Clkq_3UKw><7(d~1dT%%0x|CRWgpin}BW!m)N4O4U>CAHWO^sq3!=?~u3aLq(9HpPG zjA`SlahYq;~k2omUoRmRSAvnF=zB1 zp5Oxz|F!a?f&IQ(L~bZEljC`9eFsKgW=1TtuuTGmyH&dUdRnH4RALetWA^V(U!&0lT^pxzb$%nn_+xi2n&aFGQabO4-%>Us|Na} z&t(6rx+Wy~OifMkd!%1`R2@O;#MK`6W3hi>(i)F@=~2^;di1!2_{gXgy^~|mRy)O6 z0GYFh)wWKELvG2IH%;%u1Tx7ZIEv~As|O{O z@5uYl&|m`esahLixYXlOU*IcJgbwC5qoh1llXoZ6%5lAtCn(#Z0o|%PbqIX$Pk;Xe zX%d06FNiA-7M_9fEOlW56mXuxs1TcWQun=`UfyKmFAW@oFIvFbHUzm4y<&>4!)#7}<`p zN-;N|@*2jw1}S{dvuM{_``q#=uCMcytc@eXm78u|~>w=v&8<;|m$?iGu2H0AV?DrO@OcGD9s?IS0cxu`cRZ$1^8 zIBL5=?XVS^Q}=8clchg@mu#uV{k-e9;@NNF~dM5yhh4%+{8htPH!@yN5W*`Xb0vn#y+Qj8v>A)1y%;_BQ%>##8JVm z5S{?g%|*9h#Pp~I!dScQK_DHQ84wWd$8cz?T<_ItF$H9_x1Xi`fu^8Z(KNu+pQ zmW7D)JLFI-NZG3Ly0j`B9g{A}-4zh7T`(o+!Rq66e08K2!yM7|hf%Rka@J44rG8T)w?1Fv3y zbt-t-{E-q8o6ThasoyuDo5$G^^U8sN`u;qgXv=qQaW%!{#O}lPA|`-2#`uE26p)*)`R-?P0+?*;aa&%KWPaqvo#&cqfF!nax2M?6+}4Z_(;hSsoxjXW|vP!EFE zhGzFfLtBLjtHdI=^GZdJU(#J4Ko}|>xb?q?aMO5j6izosyMB}O`A4P*N?S?6!k9~G z1Eu#UGouM68{9E_;J8%1hjHlZ&zUXBlxod)53sZgubGLScY6&_CvPGRAv`_{Z!qhb z@ihNyDtf1UT;{f|E88rPcY$n*|LRM}ZVwnKmrrP%G*sX405c&vc-pj1;@s{5b3525 zjg;M{*`2{!b@9bs%GR*pX=&xpaRNHvOchQrs?rML;mI8^Y80HO1Te%tBM)6APsu+T zd|GX*#-M>BWB%y~v zd~H|zyJzsoS4KH@!bVtKstdzp zGK!Jl;A?l3;oUnowd6R0T4b)| zVLAnROMGxJ76UpiLr?DQR?lvFa2m|u__O^eieLxB+ngW3Uup~lU~tU5_R971NPsFm zC?+CUXj!8b7<{V7`ps|cZO4=(!@}4w$Ek`8_73o$)7cEfILdagxT2+!W|s^rc&2&` zSEF3Bzy zNcIK^V5x)f4{Oczf%0{L>qB8AvJ-&T=F`Y9J?tifrROc~*`u3-@6We&R&k-69-4IS ztL`V1%fUroyYLyb91|ixVJf>VmYgPLx>Il?DJH?Lh7!B@ofPzgrX} zXt64L!I_FDt8pFVLwHyLe8VO0eQUz4{eYFv#|-@%dsSYq03VkRQEWm0ss%5fC1IYH z%s=^K#=ggqyC?B;Ph>29)0kBHYgpjht>?iSB#}Bn-$D1@H2SExcuaMBwWsed;_Pbr zk;IlaO6st_?~G6oHdl8+K@zAS>%Iu&L1StF^%ibJEj`YY(IL zxm=GJ&7$&4(n1z+gELMMr&YS-xV)Kswmn)$>H#e_83!S$Q%aCM?)Bux1Ni*+jSILy zlr|h}VOH|8H|7M0aSvKZSqaSq>1!^7wqrDzECtlZfKc`pGX`ml*qjKnHXBiXDXDOD z;&ZP8BV~C^%5I~kY+5=5-(qY2S8aPWI0Hm{H1;k8Fi3vrZQs2!RT?IP(Kw}M%Xl2xlf2^N)&oW2`Tbn)1<;AZ+fCp z=EO!D8b7fAWqpc-V2&IV-y&eg`a8mH!jQbjD*7@o-qINPE`q1Yh(q{y8r#G|7rwe@ z&r<(q&n#}OUws((YVHi2|ZhJ9n`19YzY_=tF@_2=+)suAR z(PMn6>1zT>!Xs<~64}ng;~V-1iq^>l8IyxbQQzLRP<3-vgm1I0A4VNJ)-?%v&gAKr z0O+n6>y5@7vh5{DAGUuC)-RqA_S3mvnCHN^fB)8VqjQ#idtZ3_BAf}l+^%SvdEw1& ze5&2?WdmMVh+4|DHRBS7HEFRHZ8jYX)oaNo@BkD_7Uh#t=_p>J;7$3WIghZyr&~n6 zk!oW!r+%uoh|jaie&iEFkK$^ow4^UQ8hfA{@Zt7Zx^4RXkC_Her??9ZVerDNKN2tG zWwzNU@ZG$~eYIFOaFp@SK|}qJVM%5HkxW4Q%V&K~lDZw&=oY{a^<*~i5wu`+&lNA9 zq8Kphg`SH4Ea)R?(>$;W!=e%G>hxniW(Rk`UYRvlojeJfN<2cX7@5+5y}E-J9BX?9bwlXX1T1Qtnv9GXYWDJsD@0;1f* z+&b{!PU~tPg1;av-(D@cE)Aww41jNo533+JjLSB@N5z495A*ScayW7j^3@PIs*PeEl(Aj)r4f>dT=VX!DBf|8AMbqv9J9NQkj$z%T33K z3eO|J=IkUQoiNP59@jH?Sg-@_TSfCMG$-wdpPMU3#annDV!!NNy2;S!yxkJXbk}2b z625^Jc>h`7*0COrl(34Y0kJ+gHn5l4ssX~2?Uy?5b zV3zNnDysnIs{{x+!kcBQX><}75j8}~7~~L3hl8cq1Me|<`bE$d9jRBaem?&?!s={; zR(1lsL+bd!Nl7xKthdAI#<#3QM{LoN_!jx|xiF}rba$_!&WutAR>XT9#I8PDMRR{{yd@;r~X(kg{ppOwgMBX&8VZPTttReEYhhNcI>Pf!3c=5BMEMv=jfc)U*R6Ei$; zINp>HoMD_TrZIT~dujv~tqVy-Ev&P49)c||R$)JMczFs{<=V%zh|vSahaDd;AlJ*c z{^okeB@I;QuvcHwfSNmt?chC)-tBtj>?z)iAD1P_Or+KrH*4o zFrVc9@wOCJeS!yPj#V=C~g4nip zI2CT?H^{QifTzF&#K@;SqngQ4#LbDTMCYxQUcU-ug33$jZ(B)o{Wcs6g^}b^s_AWX zSgYpWA)XZ~xq{?KUq6hVtCe7Vd5WEHJHhJCulxo-XZ~Fj&RI_#UASpUl+qXAw{e)H zT0VDX@?~#owu0-119ZzdaB|^|7_X5>7rd^~&plJ^-7-tz*iy~aUpfRGhN-|LJjz7d zc?q@SEn)RW(qk&YXw%a14XgK{G<;`{e{iqaG;X%{Yx5a=OzH;d2?Tc-x%qWj7Dr>v zN9ZI08iZ8$=$R!Swj0(!vn;FoD~BWl%tzb1+j@+=VvI2I5y`6I}myZS9blA<~*|>9`lAX9~|JZgEx|X$0(1`rQwvaNK}C1rNaFZ`P}XO`;{z%8&MN) zL2t7_%$dT}g;i-Q__{^!KW1r6(isF(hx&P~d$bBUUoU!$odY|H1l^kg|ych!w(R2)Y(aGq8b*+q|%wk5i*~Gk}s0)qWT#snHZVZfGl%trFFl zTGfOM{o%2=-b4?03R}_C1j?YHaGbVf{5M8h_&uu4-g3k92I#CA#v8BTF{iWKuT^?hg>V-H$qb_!${6U^&HFla zxQtUq$2vX$oBD!qoB%p|&>!v~?V>X5^w55>O2bly91rA;C*>!8gJnZC0XeF-GmN>5 zwnBu=y?wm7DLj2?2iq0cNt>KYgKpik7R{;O@B=0|8)}=-ul}&CG}f_U22I#GC01gV zO0=xnQ-=?kZl!thZ#~JzUxuM&Y<y0`E{=&2WK~-GsW* z-W_0@q*IMZ{aXKi2~d>6@^3Z9uQ{rHoXh8oER;q*iQfSp+@EH#=mOkE!ED?`*6Nxu z`QFC}D2yW+PX02CO&&j#iOyB3mH_-0Id0GDk{$m&{q~tyBBR+&`>(U+z2vld)?C8y z_|eCkW8<^CBNVmFY{h2c1?I>#6msuQOW=Avd7i5|aWB{V<`F^_fcUq=85WozreG#?y-QoDw3vMXPw8yZXt1_gN|86Qx4pAhx0FBj0G@BFI;N#=EAV4BH(R%&~F zk528GvNL`sqPsyF9+V&7=m5~o%t3<#sv)XIh$z;fbm3i{YBssxZ3FSH4$>!WWZho> z1pHSDqEgp}cn!N);TZ;>EMxqm-n>MqBvuh^V|kj;BYdkmHH7(-ZSdJ-$Nas5vGlHB;`l@N3GD? zk+jyOfm^fYHcF+gIe24lHVz~&^0}4KcJF7S*kbX59*+FE+#kQaQUqLsQC3;e+%w2} zLz0}rWbZQFEmm6;{_9*QeQ6xR*S8~c!^U7xB+R!Q5T}su`q<)?c5x(MT%4oS;FB;R zTyhr1!V8)!K^JT3SEiQl$TxhztQ)I)0FwY@!vBhD44@ykw0D^J+Xq*~EnT?QBgxkU zeBb|6Pd@t<=cLL8@lYS=MkzI4!@a0YG|=7I5x$P2rq7A&qMqL)5cA48|*3`Ohd6ebO=*gxsl zsrTxnK>O>bb@!A-gl7WKqv>RP=B-4C<=P#YeQIGM3d=c(gZkJGAyt#bUwThZj{ZL^ zaCQ_961<*d^6-M~#v57vGPL`O=lFH0$2S4_WYjt_A{+9Nu)PjtwpaM~Css>R=1Fg$(M z+5-QKU+a9^Cn2N;fC)bu^#p(8v+r`nqWZ1x>d}9}rnuo55O6t-5V=a2vi6grN=ZB% z5=~C5#*rZV-W@}9tpyK9&u}(cRS<=A?*%6Hc4&|*#Y8+}Jj(;f;l%jiLhjyPMSQjD zswJ7YcqwGWi`ZRGhT&6zU{e^UhV9fhSbiFI5!JAhYyRmVS5=|svB+1rHP)^i_td31 zqY&bVv}Pb_k%93yS1i}~K2|(AHfC8Fd4kB}&c0E%50*wjX<5~8ru(EF?c1KIS7#aDG4 zR9CnKAobAO6J5iAjm>@OLSe9{O=}Or{rv{{+6ozBmv;pJ3->)XJA60J+(5$F&WT~> z?8E(8M>0K|i}E_(gGFyk*hSwd5dz_rHuB*P`(UchIj|kik$ZPc55y}Ej+hIDK;bo8 z=_Byq1x)2%93K6!Y+N7=?r=cC5kR9o&UU=k1ZMCsrKRtVhqw_xPJI$pwcbk0Mz@ZWo^Q)X=Ma}r_RjvJ)_2H=IXH-f*eqvBN=(lgz$bbfgmoS01JR8bG ze7dT?h7$jxQYC^0?_Y;nkFy=i(yl!-uIOZy^-mQ&G@_M&8s=&PD9b&7E}*5UDuw|` z3sv`IoAi1c;@kH*2jroLLS>&4WplB=v!BT5rwlc@3zYBH2d%J*9CPFT@EGOe!*}5nsqyK_Cj#+F9Bl z0Nzs56|}`W{~Lrjor|P_JR2EW841pAuYqNhpaB8W$1O9P|B4-^c3>a@~+o$0hVvC^P{r0p@#N z(}>|!+dx7N1uQYA9aaGb5tH3MJ>;Zfsozc*obtdfYMiITB5;Y1pHtNLlb2YVZTcPJ zU4i@3dDWvoMrupo%_&il(kAZKb$}ueWN;-eun($q;Wp2XUG?>#mLmD61&9TE(*NS3 zm}ZYoz?7&qc9<$cZRV4(kYV_m00~39NQl?bk0%V79d8HS3kCypJ6U5NXQDb>8L9WC z?(y#2Go`tBfkCHHx+$|?e7m0x#bmXHW5YkxUs-eQyUH7z7)gC(FpImF>ztD8NsxCj zUR*-M@lpv+3WRHi3^t50;~q<_=)C5tFspD3Vha-6P#^TEZ+u>24naEDn3z>BX$DMqh58s75Za@p zK&kjevY^X}28nrX_GwX}v@zsuGfhsg2@zngH>Ci(vtBYikK)5ETO749Sl+nd$W8csv1 zg?V*VR~j_?sN6bHDKpt<;MCO9i;6P&-_2VA2lcBXUKs#uOz}TE&}$-kU`}%wcMXf) zgNPHQ>KF0;X7clLYJ%+KTk4fDrG{Y&P-FLMU829-vKd9>`(+qHS`EDG5AfkNyL2)} zRWyV;im8H0Y!5RCQO#7tYo)ytui-lKhx$0?szd14fle^mntVn6^h3{h=;+4t{9e!} zl`-bMAV)|4FldRX)+X(^UaK2@br&A~iL)&g<^aP)V}!4cKM$u=-m5Nt=-%fJN8P5R zXbg$@KvPQlkK=$ZYw6!QqSV^?X&f()Y_Rk)K#-Gpc4$lIDk3?p>E^~Ah^NO};tBD# zcrFTuS<@Q+x3q!Xr;l8o0xIb0fKvCumayA;MB!!n?UMv>@{>2X^TAuy7w(G;xPnyF z>BX_of`4#ykFixtMaW6rOrdUq6LRtxzfS@*`MF1j)6TCOh@k;E{jP!nAO zGGPSH?LlRMPD%E{N|(t6L@g`#>JL43;CQK(H^`L-mOC=6F7r6`U0!m|pH<><6yl_6 zK9f7H#5mplpulLHb{x+QItI>xQA=I29n-HZo3GI=SE-Ed=E|wCA{Idz^rcm&=$eU4 zWgE{TajKQ{496oFr2NN`UZ489Aminy%OxUV3kCiHsNF7>=FQBv*U2hu|$K4 z@ro=$i86P<5VdUDQYgaMTQHlRZ})K>m20MuEKGda2pSw+;nX86tG);NNo}I4*HHOC ztiC56Ad#DXZ;xW+nbbaNGBc*cn#70*7_?dn5vbMnow?*L}dsX5-Y=zb& zuk6DewDs|6e5UX6!>_T`8de)!bzIP5bA|&FjXLMNkxFEB6vl`u%ZqmEr>)r0rCBT) zaMj=ER-{TQ`@#o~@)w!vQ>lbTg(sKWngo%0V-Qkf&w%N+A8Jme;z`1&3uyyp z_pJdjw`#_x+GGV3j~BBcom1<0O>&Z$q1>@w%iyZQy3>JW|LR@auTV1tBCBDH{%%mp z)PmDE{GZM>f_qaH%D-Wjxp7NLWa#V z(D_-9$rz|Klp;@mEsg;^&?L8@tB@k1qUgtAP|uKT?bfzRDpcjUbSoN&_=&IKFezXE z08g{)Td9O#>qYIMsU6dvYt%wEt>(y^NHBlxk!jop1pc7CbHm^39|o*W%Qe$3A?7dW z5rV$3Q_S;6n)yQrRp!~ox!v2AmA+%*ODFp?v_A9He|>quoPmsdi$T8>P)9rt+>P!o z2)G8pc-`xH0w5+WY7Nx_6-j_?`&{l;ZC|E%x)+65oeHPec6A|Y9!_7uhd0)MPyI)# z4WJH9(8vpL_MZ@8FnasamW;`LahXwhdtO+5BYnP7y)^Q2j}IUA75^Kzp&KZbHk#on z&FVNl!C51_r$p?rz8~JUXr(oM$aqpXG84gS3Hk-9P(psQS2S_(*4k7XRwDlvOe+-@ zg#VB_*z&-EHP_eoCeU~|&-XCo!bg(y!>YgBq%v*Q0$JF|FkGrmRBG-5EE9ZmKL(&? zihhkX2up#h;}`FHh2@&LV|+;csLTFIDq5Alp|>>+pStFjQ2Vw$J}MhfXK=lVfW@o@ zyI&L~XdUs~Fa>xR%8^N1e;aD6sPuu5D{i?-{p@sgKF;G-&#}oOkpG7$3ldSznTQ@~ zd!^Ek@bd7)pFnh94VFBQnAB(p{QJ0Hva`(A#u!&{JD?4MmoHDrTg8);Rd^xO2J-{= z25q3?7^s3GXi1pQK`W>gHL!(Qv`3p+;`jLeU{{F_8-mw~4{B?Za8iu6fcmbvi?7Pt zsm5(Cy1{y1DE`mj>NSuRGX#)12s}=TKxm7ZByKA-VEFEf39gLs^=n=>i*-Ni{2Z= z#_3i~C5q%OL+4!OhBtEz3!Yx&Yf&rZC_EmJ0DVf|1nup+j1NE#Dl++-GPbT;j98Ko zIwAC}u%jqJmu*Gfw%V~~@<{L9fM2F1k`j@_9UP>E&iT)RT<1xHsdbEgP0^^<=hu0K zN?oZZ!^%1--&Cv=dcX)aa?8z3`il#o(8c0RE8BUPU?{m;hdIUE@tC{dxG2DuqX>(Z;`p|4XJU) zTCF^N;tZ|30jC(d?-6^L(olXLiwm26H0yCqIC?Ne76?XyeDL}Ko0moU?zMQ*ZW0Wy zK9N?Zu?2`ODHgCn26bUxXV1Qf@F9+TWL@j19*e})L^|BizpNg>;usH%>iImm&_}R! zPc@pZQ2|P<8eDs{M?Q#pFc;D&G?$lTU7&o)=~YcB*jRnCXl7BPWj--NZj5QU#}$bQ z^YC~!b?2BqZQj{@>=r}P{{uyDQ~W>lek7bCKdfmBJ3+X9cksXpET)r`SgFi46}Ut{ zVv@sy5#@GRVGM2?fMc^z>Ej~X(<|WoEEX$|!7rZ;Y|vs|E#^NM&m5Fd61Y{NW`%z_ z*AvYjOE3yoKYA)Xsw<&1%X+Y%0LPp`(u9WifH+X$?NXLx8B3ku*yWT}n087f0X4!>K_p(RnuBL;HDHS{TDh<5 z`37YXo;%q)s%R)AwL&yPq5O-P%e0Fn(`g)fNdHMFz%+?KB*?TdUX%7G&h4?nKLj3u zTNGix77;j--aQ$PgtU*4H4ODFa+=hFS+JQ*rD`lILNAs$?GU!2a-&`=6ALW-A^$>= zP-@Sl=hAH){6%$$TerUT-&1bthU}8vudjCUf>rXfERfs41o-}cZCElR9vF@xzIF~1p0Nw>@ zVB=GdyX~?xzyIs7PR`T#X}9YnZdV0>SII00JP^Q!LG&PW_hj%%RkSEyg13AVB&EnotNAkLw0d2>lIW#) zTT_tRscQ2ST#?auM~YCs-f(KV;w#RXuTCt30bSIUFZZco$#<+!9Jdx^d=zL@F!A59 zgh!U1^iZ=ST*UNu)~5B7P6JmJdjIn@@1T6cmb%2X00*z>7Vgdk5doMO9thtLC(c_1 zT=F7k6q~;UW ze8W{XFfm+aV}%Wb46HfXgM!D&QNg2X8>qj(5+|pgVOK}Z%H)KSJDB|3Hl+SSv|*#&}L-z1N|9N3M0Dcmyx+=ctjnyIgt?XkD`_VEF+_qfbqK^?(YbV+#be zQ3gGi!TRWJ1a;FnDy3@w?&GX*=F$qLvLxDF_is8wt*aMUR2pPD{agL}4^3 z1z+|^4^ePT6V`YIbu8-3k@u{?B+3Y1;GQ|DmplNYt7JEF8{`-}|5GDr$iV$m0?CaP zQXBH2$*7cXFNOLTdiL5GQb<~Fbb=LV9^>{p6Kak%jaOuhCjW|`v0De0r zS8KySfN{9o?0pq|61N`?%Y7@AGR3x!+8zZmMNw?gSzue-rB3$<<#rNAm@tA+jvYEuUn)NQVqVFd#LjG_p2syvc_YJ^JdOv!;abmZ# zz%{l8HMI2Sxk52>HfE}<_QD`64H1pn|B|zt=UXiw24<^$la5fXRhBKxz)=W_1wkG$ zy~-dW6PfdmN}|FVRTxnqh%wMyOJ3{W3e zqZ{ItX$K{dHN18PYAXISZ*3k)wvp&26@7+kBB$oXAuu5P|EwcIa^ujqo&4D0Yws0b zhLd1zp~^j>J{WfyuAeky2ssQ^MHgxLdiEM=HzVRZ5Ml6 zPZuVcX3|X?_ZnEn9LRodzAK?oe^C~F2-g|+B$hZ0o{Ix~<6<;1hnlN0@ucNHYCVQo z-u#<^yW6(TA0+>+IH+oM0XF_@g9pysV~`R>(S)}laNt=@206OHNM}M+ByH>j0-4`M z3s_-1=*wpI-(It07~-Ao5+tTnoTrhV9ZfO%lC#9W8h^H(5_`_7VARMT zE3_Ay@QfF79{8~dH!oL@5Il+>;(2jIsr9?c!wPu=i6qw5goSd+wX6&gyZCwH_2E`r zhWnL~^}M|YmltQZUCiS4o^&0k%P|K4O7sqPki z8QyeX!_YwKJE$skG4c5{u~i^dtLL@8Ml-a8oD!v2nwQ(dZo9dZI13_6aXMrl%q$iq z>9{w6W@|0aYw_XfqPh$b2NBnT!^%@WM#646oYqFj==L0jnKT%I4~^S$?Ux zXng%s7O%w~333V;Vt%%|fdQ0{AAERhYpbQ#d}Ae3X^d?NC~~Tr-G9Uo*Zax6)OwVz zSj@5^EUbH>4~T8aU^9r5f6*!a4FFXKET+QcRL?VzRF`qOAfT^D`GW~}JLxX_p|Vus zku)S$A2t5%85kD0bA9d(0;tlj%HD$@RIfW6=WY>!>ikkj`F|V@aSBd17U*P&zUzr# zjP1FP&C;TNL=lQ5ZkB-_Bd*IOFlb|HCMSKxwW69Y}*};r+ViJOO zX~^X3Zj1(J+q= zj;dKhT#e-g^{3iJfT$~80ZoDJsE=A+QqlX$rV#vgY;nw1SZ+^`a3mz|Cix(uK6-Hb zwgN89vf0|54H3hcwfyFBp#)RIx@rB-yl`d`p`}BLDm1G_iA*ND9X0rCkTRJQ7aMtj z=*FN2r})Kn7M)dvFjM(T#jD4C8R2Sy8u_> z8@AoIFc6G9on7agH}(%c$gv#|0lb)zR|G`d*DW--1`6Y5`HM^rWykVfahg@pfaJh* zQ0XJ^41vrtAW9Kof$PIgN1CER+>l?H7#SU!Qh))IdIM5;p>+#t^-?uix!U)CjP}JY zck+Y+OO~Uzh12;HO}!?F#28+#58k5ynm13t*SsEu7~h|yn%$ZUZ}%p3K09nFc8B>< zqS*h4djq9`8U`rm?0wOLzOjT2`OWO5XNe-r&LodT0Op;8t12i?tbkyRgN|>eT;K81 zfOC&wpij^l*$()^=e*?>o)~>QSpGSuR&w_$Y$#W zKp;9XOuPeZOZVv2NB=L@c#6jdH$?@~hrH<45Wc-sOnqTk{m2a!BsM62y$Epi7l^Ri z@M~QJ#*Em?i}0+|3bQmdb40DyRxlv@0XlJhXNNVZ9GcAIVWeTy_Wh{A!;U9D zFz|G)f~5+qG`jGr7e6~vbNmC3oue&MSUST@Wmj}yiO8$TQ@GUAheuhn8f_PR!?ZH_ z3j`t5ylCZ(JdzYs-1=~Id@$9M&V}hA=L%*$f_B_NbC58kJZirH)NS5{@}6126VeX+ zz_UpR*RlE)2?@b}+>QH5uxE|%%lU#JFkpYStm4Q#4!}c+&J*YUWr$^Ek7z#C_O!09O8X4EHn~g|nugH2bviQA z+Wuekr_+;5o~o=T6DHD%6$Fg_ApqMF9%UFJb3Zc4zce+ZQH+J19)&sm_)&f#$<8dL zD}I-y^XPpZJ8h(h0kNXM@qB1)6&kjVlLFoMZW05dmAxplNE7*_lapyNb2p)4Hf9TI zrAG9xAuvW*q$j|u(`qU#!u<%3t{8I8R*8jk7n1Vo)NyvX$A;XgJ%H8&K- zpyHAXe%$h^wK0HB`39XeSE(I^VO4VaK1%bK?yt`yP1wb!g!u;C$9Y&yewsf=pwr}#VY zdO2ay4S+)@E0G>syyc?+7wEh4tpQW#qP{B_noO@-rGa%KVLKkP8X-^U)oX_wx~)jW5*gug}Q`43rPcBl5A4sh2h3DRLe@BI|bY^T+P zGmM0r;Z}A8y6Nj-S1h%_Y%E5CcPuOvLhfal4ns=gp`WjS85k^U-TbBNY`=HFE#I-` zr>m$~^4Brk7`{gDWoL?FQ?H*1R6FW`!XT3e3)PptR6dtlh$*O<8oCra@oeSbNJ%b3 z#4Lr6MZ4J$P4$J)U*#iq-W6#S@XDqnTaW8A$v;*>Y#u7wH1cIswa25V>nT7dLPMxr zMq$_#2jLzp2Y(A@@BlGD&c7>Dwm9IYvfjy&yBR=shx1s{7d|nxDJw?SwRcTXmS{xt zU2x!8nm@XdnnEy;epae{$32Q(a8NK$Znf1h<^=vSa;vJWJ>kI(Qr&Ax$pFj6(-#tE z58Xw;uGuG2k%a)3$+A?;o&UT3LTru#kHF^yv{%T|_{#>(X!d`7^4cCDhHG}PkSGf` z{#FOoAhIa& zR{wh1o>D|l#b{+GAHC(G#c1}Sh7`%U6hpw77mYagHc92XC1zu8E3Alh!5 zU7!U*?S83_yTc+4{kVZ#pycEXU0>EB|K_tqf6{>NkhQAFEU9Y~#k570qr1y=s^$Re zH*jrzIlHEXH1c_}Y7}?#SY}U9jz*k~ZGkc9Hzegn=x!ax4qk{p?y6^&Mt!K;xs|WT z^WjqxzC;z~;z5Cre?IVFQLKrlw0WFPC%W!g1hhnP=U_NZO6@NYPoaQi4Y3f_v= zcuFUvc@tXR7YAnfvf$8I_WkUL7h-KlOv7)Jias7h`cqwY2ig(KnhP|9CpnRNP5`d+ zo^wp4mA@Ju*H}LUxy92~Q^U&djxOv8!2`VhiyD}kI)z<%X%L;{wrtdDGo&NUyebH> z8=vIeOCxT767@W~RJr9&vb#BvzxYWy`o2P7v@gJwrM`O$)urOI+IM)l$J1)LAEHUi zslV-?_;}`x-T${h8?>hi{O`F>BAmGlq0WdOnUz}ZlhOv8w%nZ|Y{UUR#Q*d!fu9ev zF3%{5e&26^Ot*nAs5R0huOzs20#tgUQw%zkNF~*qDI-k?pX-?jg3gbk+Pa-d|F;9D za6Gf(FXt)L53QxUd){4}R?pYe=m{45oQ)hPs}4f_mR=ow+BcOTuLKb2aQCOE14%J0 zF(9|7f(Hq{M6jmGywo%=FY(f4u5{paMHWbya(-oiANo1{+n6qE-zTHJVY*a59YWZ; zT`K?U-_?*w%n{MD?$NGvBPqm$yBsGSZ1=L26meNKR07_MT(s_A3~IRAqZzn`F}+94 z{ghrp$O<&FKB+gLI>GaX*fnH+hI+0B?fU5O(9#7${ATR|;d(7@N@%tt<*M{+aSRum zL)tvWhK|*lB5}{0iU%vtS^_l=qjlONb%?G)=YGm;o<%}%MZpsx!5<4<=Lkqx(ij>A zJqf#RWo^Q0@p+BYii~q)w03LB)p|R3f_{#wcPUbB7rxn|&Qm)ozm^wU*sXps+A>)P z-_JG$C8L#8n7Ya4ISJ@Bn~%?LQu?!PsS$&^pX9qECdX{Ns55Z%LMi#_GJOZq(u>|m z>dTGwx<3umETyz&e~RHn>4=TaO!N6q8Z7J9@e2y0f*+-2=&A*i;}Lz9f9z5!?G-Ki zP1TKb=BtKtAyxYQvb9)d?cKlR>5v(@C(9<~LCmD4&?f~?w~aQo_{?_>)NQsk2@4y5 z+H2dyH@|rfdzf3I9ai{($oJZ!HQlxtxRYC@))u9pt1%nYF&-D}Vas~94$m4o3ttv? z7)cfyQGMqaUDYSn8687{)Xa&YIwf+`0%W=Ttc_&N2_!ZP68H5_AjxH2G}ekct(5d! z^GuZ#PW;&9`a=M^1(b{}6V#(DSBYT-nY(~HwdGns{gsbNr#>R1R_^BO{(~MiaAs~q zB5+Un}1f$N35-9)NGov59P`DL|M4gbh|?c!A-ldcbqGf6^+5UDx6 z{j-z`zRktlFFay^McvJuIMmAmtn|p-{FFY}t-`a3YlwT?5$2C}Fh;mHYNtxM)zXA$ z?BMFeH8wn0KVug#8P{;1u);|fEKG?~N-?7W4gF|tr)mEVkBjUGn>ooGkX}j1$UugT z^zVtlyK^Mwnk|`Nh&rvh@HYZzCC}AgJ#yn`QH4i@``QJ`?9Z+fM|KHVnY>n5tHts3 z@hM3JJ@V|wvE3_knSYfq7xp7`3u_$TrjRx35CWJmE$mM)Q?^SI!B3P_|261?-PMp} z<_fDV$Xuz;;Lg@l&NpMpUmSlK0VP1p#T_B6*3Y9+zl`m78LaLzkI;@e$Cq_`fySNH zw8`8#!^;zdC%2doUvhZ;k7*SEP819|()i&9mR=~$V^H(CkG#S(lfy8JZ1wdsb6Bf_ zpvj&`u98GVOGmis3~9qaslP*}gbCmI!1I`1_b^i8&i?WZ^?{w1z~W&3+Z6uq_){EB zPX3O3|ATq6)=lW%dJ^AO_AuCV$?)Y&AX48|SsgJqy2orp#^Y%YoJ%^$PQKZ<8h`VS zp{$)Nv}{pC`b=r3grnsqgeMkoI&iQN;4eOqA7=!NNZO^^m&GFC@6cw2A=xXj%#0%B z5$zo_G(%I6y3jJQJ&~?rG<0&vF|IVzd6LvDw%1eZz3piHJUu_EwH~j{LoJ!r1s{LM zw9h)^leNSIm}H;(?vk!*GF}&3zyj_1n02sEJQ$NXzzv4m8N~%BNlD{9YiL$9RUXSs zsx%~-OZpQ7Nzsn;ztQ@-Ewv)W8;5cr?ow!$90X0^^16Rz{v)|dUk4~M%Fu^Ndz_8% z<%KBN@?A*L?UHWA zip8)Kz(CF?#ba4ccBW(&5<}p!?X7Bpml{s>-)}iewk#n8?DnKSh)2bM@hYH~0@p61 zXI8ywWiQ@#qg+q`c1kBjC^Q|jif^Yd7{b98#iJm4R*v|=c-*uRd5sHobX!`XC-+zQ zNCvckb#uva)PPzoq?6R2CH}U*>9G38WqfJ0cR+c{U_4=HgH8})*C?AfXuXwX%NfbxK-p3a&U^aq*!EdYsp`|I3sh4ZdmF5PmC0J~11t^-=;F*9p@jZc|bd*kE z17|%V?u5|gic3Hrm&#D$f4Pe>*2gQ<5O>2 z)x^q}A)nIWw_e04-5sn9cEt~8G%~LrWE=yZzq6JAXV5oVbWVaUGLAd2AA1Jy2HmU; zPep0Ja5^`zcef9mwJQDc7AH5WB7%@WXH-repm?HInWS$WL2R8?1@5%3W8>YzBN;vj z1b1u##ejg-Ufzv&kjS_hLRA?7cQG0wjg%uLd4$1yjCrGKQgds~gtkxduGjh$ly}wN z_K1%dxQDa)m<~`#KKmN|nJGQuZ^+f;=7>D9DE`94mHcJ+RLkP#^lYWBb>fbY)Fj`Z zkGW01qwjE%dq^lI3S;|JMiKoof74gymae?DP-wJ0IIx?w;c{O{eYeGC80A^XABv+-G&+g{JIE|C=)Z?dfWuM<0L4pO&=8E=up5f#9w z__zt{JST*zKfnTEB%P!<9U@uZ>MdTvL6!}*+b{VdZTRw^9BvcJcTNETZV988Kk1(9 z`yPyc`OCKlp%X+G*;;qS^0Q-xdBbbnQ}hQWZ~N7gU%Za)IBvdo(X1BM&q&|1UArBg$Zh4*kkA^iflpH#Cf*$knbYwA*yF0HkGGOm>!9*(yuT z^Znc=fsBD5YL=67)55sDkvM#|T=%S1Z46?XT> zoK#~34jWjeTUO+-FnHO?v~B*czqu$eF|Dd?U9h%~dFZr#aEqgBMgw@J5X5E8As)!t z?&&E6^F|irfS7opaiIE&7mT1dtl)Ru2k;J-(A&@ zaMkJ_$I_;qofDz9@HBvzIBuP2S8Pon`tN-;xkpZ`b6WZXf$4@LT?H%eI4%<-6#!6V zzn&3C?k=r+j4fsPDwwmlR$(NYMpynSwMnvJD5%he^#ATQ)3?3@#) z59<+3+$(0$j`IV5CX~_}1-d=f>8p3IN)xkY~FpA`>I3F?mORTZMK!^>c)W)U!WGltM*!&FhfK7AF0)GhT=RAmwJov=%IAnG# zi6yVBLJFAGs4jITV<-usH)t(sU#C)4_~Ql%c2Nfu7r#`yQ&Lsilzl}8{lxq-sypJk zZgQMN8(mk+*{Z4H>K6UuDa$TSqVC`|kLIQNgjn zql0*CIXPkApZQ7hpqL;o5%)tPkx{i>KK%3J9VI45=dl7KR4XN@1==KTiKq4{V(2+} zRf1BoOL$g8})b?4ayX8-qcfN3q#FlnI6_O=HLIwWorEz}0(C!i=!F zah{AE){k|~xsgkC7VpSnIv1>1&VMPi>B&w)8S)5G0>T>eTz4#u_eNGoD^U{!L6wry z&@xa3qHGJgX*&CXN$vE!gxqd+&?T57Ps^tY(qbtq70p{7 zrt3Yl2w_K$VN$5}$9XPYq*e3`&^!!%=H8Mbc^gRqRLh(MTp_Qc-M2_5QDlBWmHY@3 z{ESkXzaAm5LBFE&S}^G8V+?L)8d3WWiig=k%DL3ceyR(WTVsmnQ6@atw?KuFBzL70 zj7c4!^vb$~7vD}Zsw{2dtQ~UAucY%+{79BY+<5Tv-xAeWIRY7SlAPotF3&5W zdkGMY!yqx_5d|%r_Qns9HXe})du5?bU+2Adwk|m<-76C@w$1>bfwroctkd8B+-CWH z(4#O3^hpipoytK~Q&l&Pj{I^iy({?#Id8B<%xPVg77M$T^grXMCq|_BHbHYmcFATJ zkrQ&9`JgrZ8mg>8pGM~_4kA!})6n6&;YRjQgK9EB{u2xXDG2_U+EI7t_cW;b;cJL& zwo%BCI(zgUEOIF-9pgf`rIV11A?i!=+dXE)|uRY=SjSLtVsi_ ztJS(+`?!LEQU{*fA1c**;<+;N?PX`R+gB?><|x!enx4W+M23i1g3Ob2a1r^(8I zJPptjAe{083sjkP91_)c+rG+>9#2|X;l>Ym9{H9J!C?~H*UL-@xfMMjC9C)daBT6W zK%7b6#rB{3JuUCYAae^x6sD*DhszDCDZDg>idfp4|1td)t+Kzd5OSyi*K@v?G_B8Z z8DRNlM|SloJALE?O5*@D{)i>XGAO8R@tH-EMECg>fIO2R@WD=eLB*o5aRvh>Y1IJ2 z=^g2sOLZPxA6+ z!}NLVHdhzWpYvl9C3^z;IA<)v5kt_j#?}uVrcS9Bwup!rFAX{}uXy){s=-cVc!}C@ zP7ay|*IVjAM-@^FYnYkS#H@IlbC^X~KqbW?!sR0B6D=L1lK|#kB}a4Zb7C(kaku0q>+wRPmZuR_XYC^}`t4*oy|suc0O#V|R{xU3 zc0IqZ&Iz>0-Q$v%5_i_IB$x%$qz9WDgPuagfXIAy4gXT7Q}(#(S6jmKgrE7$wvb*=Hu>?99Wh(9Td&6ercFoEbY2ng1JJ0%C>bVv20fTK`{ z6q&|WrsM2#^P8nvbB2HrBxdw}Rnm@0?jCME9xo9zkC0$m3<948^eiR_{0J(U5xGe$ z+tE$ssnr1lFo_Gx-5z=i`Cs_8_t36sCW(z(p6m^{{yb;{Qv}HcOup-VQoDe!lB|tRJ`FH z_Ak=z^9|lNdD`&+y%fZ`{8+ahkI$CWqLXBCFlp)W;LEIpJnAvBU<%7Ym2+H&+k2726^W4aY~qi|(mE~t!a0qa)2bF7i=xH3BT7P$kSDw0(8$3xJ6 zz|hLFW~ACMXRHqzA;}-frAoJIXXaFD2`N1ug`lP$L@X#L!H0%QRxm*8s*TK0L$w?q zA7oO95v3faER+q)dZ?OZh9X>#0S>PSS+)(7P0Yt?DXkP>d^41E3E?0!q5??{B z89ZL`I~N(X^cB(-N%EmSHCoN}Dh#95IcRUru`ViHK56rqjn&Ma_;z<#}vA;ownByr<0z22u1XgEPt3G|CL7*b##JPKXtW?bTg z>J^uhY*6D*bid8bQ@4?+N0$>SPJ5?rW)`F=qNEUaN{U6_noE7zp!JXH@eHXTXc{#o;H1l_M{5my6pz1h&;HNnH3vUGsu zam5docuGMdB4W6Zv$@awizKF3=Z`*0131%*6YcV7BHHN0@C><|T~hNg zu5;xe@-5gHC$o|yz=__i;R~Wi?qOBO?wDtJ3389M4(yCu$JxkhKs{$n;Rc$k%)n0F zZ-p?s8#RBO@3rY{SxLZY#oiyDSm;pi)DM*^nN5;a3IA%mO6z@H#~vL3=hH7tmadHu zJIE7O4f;Tb%fLe0pzfc9ewIE+eAPNw6;SCGNiPRqyP*oq7BmQ6ZO6X}sbjhfEsNDK zWneUAj4)^un!x_6OGsV#=~N?r=p8j8Y`ha*kg&F_U%oL#9{l^w5XW074^Fhdnr`3< zfU@b>WDfuw3wyNYsi9Qi97hZ$6~&UcUU%*sf@-a?Y|+;)T9ihlwFdG-cE`sxwr)?e z!h+hST&N6yc5zCNAt61JE@&!rvdUim?Sh8UEE5}X>ar=X_~trOCmCv21l#!MDtzc} zgz@>)9pz1(5XK$^t^U7C59i*l(6lEKfm;R66@W$>&yAAMj}A26{-t6UvSr|vDDsrJ zj|WWCf2<8`M&L8y5sKhu0edM#C@q&_Xl`Ks%4uoVhX2Y@PYmjn zciopva)i6)^3~pKbDmWNf|8aYoB75JqfFyp3*C#M>J&kj0LywfMgt_)SF#jpF0gIQ zu%$+k;qQQACI0`#hteR_zvvP%H7-oUrNhK*3Tn7f$_&V8_#VrA$c_8_N4fxrp@0SdonUVLY?|0RcD+#8*!YNUufOO9dy zx#1zff&P(IACh(KH5`eK@oLLUv5eZ|g*QeZOls7>SB@S24{krW4p6U>w<}YUT64ev z)Em=t*R=!hnG_2#+xXU3Rb54NmNRU0se?8l+IwK*KO3{;xv1QHiT#Eyv6*ZW_t%H7 zevFkJCPB}&INRn6YUJWVPms7;N#W_ECgfrMUJy|vl|iDUicgqOtiKpwFQ3XEEDsCCE6-_ zTAbQ%X0NQ`X2htU>Pta`c^dMt;FR1tHVYdiMbt`Qn_C&v>(z^3KZ!E=M_jH(D@9;T z+P3c{@oR=CzcD)E5@#S_3>gXu7uzgL^A!?s<)2K_hs4JNo0HQ*p$J4#XDOxizDh*7 zf*6~zlE=HYZ`70dG~T#Z6f-CyfXzv(v|yz!ikix)@aJqW@BJor77jF^ilyU50q}46 zC_}bcP)Q))J|=GVGPG<;pDOGjta988FgAnniaw>HYRZ*p1+aoVd3!3M1!En|D<@c= z&Xuhhd_X~o)N$(%qxK4Z?D)CvCbq`qaH21AJ|dA35fJy?W!;iHzKBqnIR5jn7Lu}H?1Uq0v{oIKJse) z;BtQu&aCWWxjU%8dRy*tpR5}#dhz0Pax-k>60t^{b}JCy@@+K^1l?ZgjeDxl28tLE zsykDmNd^u2g$nokyVP)s24Hx6uWIW_X=6;lLRPGQ7dBX>DOOoL7M zQ~RJ+>7-j}%SDY>U#Z4N;5J3;Oh(n1qhPj>r8k18Q|!`Zio+6TFeO7SejZBGQ@BlL zWIe#ie!HdE`*7d!QgW^0!&_gtG~6gmg%$oiLH6gi^to-;(~b%J8c+Rq;JLVA-^b(y z4-rZLr{9fwVDrd273|Gtpmj;1Suoh{4$Wu~&F+kjpV;0O;W!&@``dz$>4Zun3l0V_ zUOW+<(ek-OrSj@XS!GKIT1v?3DhV(-LFW|dDsk7NW{3Z!#?zBXc=}}C$h!w%$_y8z zAM|_voiq^TH+bw|jY=m2Ua_|6Q&h|>Q{-6tk}DPF1R_!Qr889Fby#`#_Id&-qG=$7 zbWm!|nz_BeU*j=+1uq4K?YV9-M`WHEDDE2<)>wp zuK?7~6*j||>%Y?O~Nn=2KmWRG~$k^6n z3!8=yp{94N&iMZ-8A=|9neY3~M+(^pEu+gs#TN8V_JK)1uLm&?D{F+ixV?97!;LYK z@~#LWK3Yc{v)mf1>nbf$Bwk@dyOgoYURJyg!y@E5qk;R$ud|IFG-R{nS^;;fN)qs| zu4NcjKFjynDoX9`qPs$$We?qDF4|zSuI8|)sze~9-@h2YIajh5m2vX(5_n-p{JIA{ zO*4~PnGXQN`9`=JKaas2sp00-nH=200-rR6Q-4pDZp~yOG4_S>^sYl0JzGYjbKh)s<@-aXVIMo9plI#esQHq&59 z8Mtek9*A9*faOgP`pUBfV+_RKSOw|5D_9z4`nJZPG+>SALfBi=E>f<7h`rcutJQ6A zr}kUHC!sd6Lh2@28!)H@!!9kI)w5o{mnuraJMfdJ#C4W!%iGb!KicnF_vzOBe#~`t zwz4JOc;G`L$Bm<#bzYFaXxVcqI5PzGy_-@5I~%KKc?C0-;DF}@d4o)-p?)a?H(+53 zv)RcC`T;fkaqHRWqhy;@f{bP4BXn_t*ym!WcQ84??D*7je-)olVhK(~iIz^4u}<6P zgQW<~K!}jL=5<;-`vj~>z9q>?6|=*GNS~tKHpO3=>(e-FtnoHQ+#T;fbtnreO%O-9 zxAYT)Y{!ef8mkG8qFx4*%?!Dyr%ZPLbLDpp4U)27TVRIu+2cZ#=Va&|EfT)BzRjmiu~LDZZN->9flY5F4Yvj{1nawo?U1 zTRvcUL2oH*&kUOf7o6rGnLsV_ds3PtQ33te`w;%N-6zw+%d+)kgPJb>(sef!dTeF7 zW4X_?8D@8}QMo@IC#=h{M3H3@ZSIih-+y0SR5Frwj!Y;4FXlc8N$j88Br=6Lnog<0_Ul#&Qv>ZN-|ArQ8eQy2U?~r^! zd+NOYAK&&vgnH{f5G?D=4HRV-7^dO$nb{4cABCwh&fIj5S8*#{Q7{$XXlcazX1p3o zVWbcic~9KYLomP_tmY3-bkd6aRPQN~?JLT#iNOiIp+O<>96Jx1wug`POi(oGwJgD} z(@^1q+o6M5Aw`%L8JFOY9C9yQS)ZrDYd4>y9;7O|2eCyhXdm<>x(K*`aqptw_)=|` zfZ|I9utl^5qZ~^MOn_a*V3EgydNt;IEaVtoqAsR0r07=mT6e-Y)HzqEpG2v+mIC_( zQvk7~vm-u*so~>>#%Pj$T~1;i&R+FRA$#B99pJ0 zI;EWpApD%jx1o+-P$5`efqH=7X$go5NWXjrkuSMOz+#2*mAr-^5=u+uZn9jcBf`tg zM`p(!G8?5xsE)^%D|7doBLX4NY;!%6+E#uz2B#aF3#ch^TXAnsldA&cP`^Gb%#SWL zjpRxY7K+qXM};YrMMXhkpQogYd3|>d)(xC>u=y%$oEktYxtpWFs%dMSBLhg6RWkE(|3rzI6M4-Iur#bNuw)h~P>ZT8eqw>J@WN zDIs~SWsMgPe+*GwSbF31PJw(57^ROWw)sc*LQ9?%+shp!44!w|yRln&8q|n`XzbKN zkD0`7dz@s@4zv=3feA!IiSiwKsA&YE;j1m$zWsN;eyo9X1KjFhsHU22ReAYK$jC4@ z#arCKwoP?uuB=*zR!|-#m}}Y@OnMg!PIf^3-T!ybN*)39L#W_GJ{OV1V1F5CBo^fr z85&XklmcDXsX|A~QPo(`297td>xC2zLh36$bNe|#4#P1Zhqz<83~uH{muIRAv8l8H zzxi&iy@TPu-gjor_;Th?sMd{Tgc#eMquLONOes~S?BvRXd4nYsN&ZJrgH%i~j^UuW z9DM&0h`i|YtDX|d@aEzSz>B_9QqEION>(1{A%>wD!m2o*Vq3=0)f66;-H=;%W?!K+ zq|5pLzYkW{!^IY`cMxgJXw=}5Ln(WM6X9k{#MM{>s%Gc+^y3(gh!l?rrJ{A<<)BR2 z>JBeR0I!H#$5zXMz3z4PS2u$wtZc}_`J%Ibx#j@Ah|UR%;tA68(a=<-A_G7IX2}-H zEThNsTI`iQ$5umDIvCq~7OfoMhD`D`+ z>^Dj3K5UqdUPe6dw>lfhpRJFkYxwMhC$q2|WLrK+a!zBZ)_I@g@{%h9&E&sxc@05` zVl7_wl@Z!@GgCns6L$UK&z$xf5T)!wf1))Q8A3YU!N4j&`cyX>x`)$w@FY#F zrQwp^*!Z5?YVHOc7BdAg*j~u_P_f5PtoGpaG^8F`Cde%Ad@oOgteki4?ER(K6$2dR zGx|Q=K%{xo4LQ0x!~gl$S$l%fUAaS>SQtwi@vKAa#kIEVgBQtrWv-UwLjYVR zXV+1(#*&%#ql1Y-Ny)dbeko44kNod`NpJB*)4+^A+9jkQ7qN;k$)`uK^S0&KENwAx zq`ug;Sudi|AKh@P2Q5!#*^Puqj9K(xWeWczugFD@Q0@y*PKUCo4dcjD+Pvsz;jjDDE+cQpSW@lOSelblry*lf=nR%jV(Kz08)Lw} zCSHkbWzt;ZbE4tXQ%z;O9(S;&YcxrO;jRMHT)wTSoh`u48K0}<|9HT7VijRJXy!J8-O!zyJefks;NTouBDzO4K^)m~1uA{w$rGXu?(Q42gr^ zSp)-USrd<}ANah>lB%v}%r8&HV{l7eBkZHMG=B-aN4x8n>CFhHzb5f^EBLv8{_t6< zTy5aJ$yiCH-M6O>My|g`<3qM!a{#i>zD)Ym0%!fxM zO3plLQRXP0+?2ZNw_(Ew0F7l{h4|{B5*Rp%m}2K=jK9@YW&&&c2owrCH)ub*aiWVc z;`r;de%0(j_nvt&?tv_g0{`w@#a7>wwy8MsJsGKO?iqH##aHt_i69}wYfExa8C>#< zECa-^{yj~)U?e(kescSM36N6js*f$w(lb~frUwVRK?^zDY(-JvZudT=h%&4ecU3`Z zhNa)Bq=d8XCo(Qf-COuh!l0k9QSsKFGeyfQRy!4638RHapiXC8I9seVjWm+kB<1bD zoH{ueu|Wa;%(X!m@z_`op9UHqiNCR_|;5NSs(0$T~Lj!}|VY;6@kMT3r9~`~6*w^;p)$+>x#2@9s z-M--LVHsYU@g_+zYW!@cFl&=>iYW6fk@b8X1MolANl~HeqnKCXp%%=0Da)i&HhKmd zFIiXF8h1M75XvFz%0d?f6sv>2xEspEq!loKRb;%N4MWt!ha>D9^kS1)OXy5YdQ$Q? z=gN|$*j|Oj+Op5e!!zT$7+3MAINqkE*v#TZOs?yqIwMoHe*Y^*;|$3VF6Gn_=5*b$ z$7z0p1s}L9_yT*J#5jirnbZIzUyQ0^Y(BZQhA?jFdkOkY)P`qFj*)8|zRC+flzXsE zrp3hxNns_m&p*B8;3V5Spu>&)I#)pQA%6i3Yt$1h1-JZ&7Nm+>P41~>-Wa2yfiSZ| z2(ovbjzoe*9Fx8;%uTXcwJlVD8+kD*7? z;rGy$$7Q_EY=$=|`S81IJt#^JkhwFeCjOOlsB^q(qEd&~dmeq%=bZVI-8+N@K8dCT z6UTO?0heg(l_v;RR!=5?@yN9$a;(KXD1aINQRV{Uf=%ds4Z$-g*2X8+bGNIrZC?oS z!lcEDr9(VBg!w<7vHwNbYbCiSv)ceJIfaqQT9eYc5LlFSiZ!a1K(d1wls?e2jZGW7Zm{}Npn)3jQ68| zAH3Q}&m1?7jMyeBZ!$QTh#3KNhnstENyc3&N0LxeLg$NQLaN(TW|PeSyz4G~2$ zpO{SmSxoTK3zFWqjLQ7lbv5Gzk5;XH3q1rDTEtj{j2TuI%#X}2OGD=-U(p(QQ+v!V z{*{N-(yTLMfhp-O0YqpIEbl_mtx3j@R%si*a7ll%UPgdbU1u){`72*oRkbOYZgG1_ zzL|nNlr#Wzba=(v4Pnl!i8CZexCwlWx|>?v0WnTk#)Hj$=maJpc!q$!zJ)r|U$#F#h{$Mzn+`pJzlw6xD7F@u*n{QkR~vWo{iv_EA?QHMRP>nP~GyzK8T|! zCmRn=%Kdo{dgx|SnVzNlQeTxKgw6;HOxr59`g{rMdw(;2TdWb`9^gJY1Pif z$Z_>4z;f$y_Yfnbh01Pw*$pI^r3%YuMts12s)YwVSDA`T^?fl^#FIUXb+io&EcY{> zIUhxvxgtT$)-43i&HQw>{)I+K8`$=0e)oYCW|$Cj5@8SeRN>|lPEmRvzM!x*yRBD4 z{tJ7z$?@jKR@1PR35zWzAWot*3>$R|Hg>x6SUu6^>`|}Y1F-qHF+}|MN<$dJy1BB< z(@!Fpo2DB#eLgxrn=ez{c821>9RCy78!1*8D8_Ns7ZBRd1LPSnx$Oi4QJzd!OoiU{ z6V4s*cCMW0(n>!t6G8LsV>~#y?RuJBw6Db}99cay`2bSJ9;OEKmGk?LTWGw6D+60n=5?J9op)0BP;^iEs2t6N>q!8t&lUF%>7= ziHIk%_(z7tbc=yo@<4B#3aSZA)b3#?hfne80@I_IaHH38k$CS8KYInAhu^Q~;+R0Sj(4BO5eBk*V4~2mwG@rD4amaBrQueyA@+_s4JV<*{rb(y6R5WM zrTdg02zpn#as}bOQ|OW8uS?YZhZ%kBLbuuqjlD@JFpia0bQWCO2?bW&;CI_*oS)P(eCR{gF_t96TcJ97RF&h7WO<=? zxQXd|-e(2ce5P(Pj-%>9(|kt-$JrqhL(_B8iBR4V;-Z~Lx3vL4OQIGFJ5XsJs{S60 zpy?K-{Y;D5IPz<1#h-{IgKZ{MP6v>2Y!pECF$^_BeXazX6+3})rwV}jc$0>!OCiu1 zuaeFr?aFLR9jlg(xZ8lVpLE^GYe#fM5UfkMIHB=LEGPg=jfPwTG0Jc2i9Mm(F)1bh z*GP1v-&MUTy9}Ome$^zLWel=x8Fh;JJdH_2v6RG_?%;f*UxCCM!$`S#ryd?{o^_~0 z@Pcw;eoey=b^G%*j~iv0nsw-K6@u8r2?@1BSZ_QBxZ=c6kJoZrWw1$@&7#!IHbqE4UQu&ru1{R=S)r!~W{}{cUz1N8`P7QR{wb-FJe*a8hOIKGsj#{7p_Rc-Z}{(kY5gY7?z4v zjm_b98;epLJ?Oa`sj>kpsR%tcB&7f|iqPw7xPw7440!nIqiXZr#amWtGAck$$@UF2FUszle;)(osDf+U zQfX9$R?3)AqiO*D*$p^QVE`?p7JUTm^ur(P>Bb0UW^xbXaPa!MLcPFxCsU_T4?Hnv zpFJCDVk%cOsX7rh6O|wuGa`Wr`g)e-=*3=FOnVa)a*r?GJPcG&rv$xEFJW$lm-T1Z zZzMn#P~Y0rz~!m2#FG~SzrDy$lm;zg?kQn)i<3Y|94TcV3gR&^+nPg-q4ZY=3I%&( z0lE(E>sgUq_M^TOO(RgEoGh-i+7L#YG8S`$`(Tp7h4Y=g2^1-l0+>0(d zd0DZmt)L?|dS>`G;5ERw6GYEOSjg-$>@k>K-EOqkmnub`u{kaEXrdatp-gevpZ-}@ zZ&c|kw_kw5z&x4?D*Qu_no8&26J{ThujS}g`}n3aM_G^#iuUpo_4tgijx+C{8%`zr z?ZOEm3V*(Z?sC*RJ*~s!|N3g04SyEH>+w7Q_OK5ojJSWrLp)Q|eymLPt4D(Tu)2u} z@cmu)WH-HI*^Cb^Drb7g63c6m< z-v);OHHn2c96md(`z44yjAC$1d~~|nz3#;kcfsFA+Tlv-|Q2bqJ^)xOzU=EbR*BYXxS*+fphy`PUGfm8&TvO zY?@MofCw;ksed|p!Pq-DSl0E`<)rsfjM(2)SeSEZr4?g6jH6YEDWh3i&PG4876-&z zGVM=S#JaPZ0b<;HZAQg~Z3lb+P(;irmFe;-k2~jm16FzA0r^%xm_26H=QB19dp?g% zEX<^`jl@KQdQ*%GM5}ZQNzAHaU>7wUi$3eJjTCy?O2j$sJrZ9euOS+$okAB_*|i|S zu8JWU1|p=cwpJNEW4!tJkfy|Hd1gV++TYF9W`=X0qo_WHYjETPDpp#j9_3#+IZkz{ z_wPqM9hE%2L-N>3R*<~tp#wr8opT&l%PmPmtXFo*Vx#1nHbX=A3O7_fgRbWk8`p!e zqP`+9DQ8Jz(GudWv0tAd(8z)Gor#6u^P!G6Do+>kg(24i8!8y}&Lcnn{5ND5VXl%5 z(bnYlr8{7siubVqMclCR;!?-P3e$l4{9a2=p4bxAoC&l6gbSGk`mZaqd2^^2V;ZR7 z?OV}oA>blUSo@D$<=FxZ0%NDk>o`|dGIP=5+cdd>PjH#&-1;l=GXQ>i%H3^y??zx6 zv#61K*ef^Cru$rt<>aaGcQB==nd7}`({TpMW};(jED@jg3C{~%z(l$BsF}CKjtmrZqbp^$gzHS~ZXLHhV1FqZ1BPtrFP6`|vNdG; ztDv=>vntRMG8U~(QerM08+42^L3i!7*-RMcAOC`wJVbE}w%&7eN~lhhY3S>S*=9@2 z>o+COKsMT6ySr*03>abyog0_@{iJV1<%%PeR$hscV9~#6IrJ~d8ULDANb5J_Fn?$@x*8T$gT$!atVq>28R71ZR~=Qb6z!eO*d=^B zS{##%OhTC#TVI_(%WR+E%EOPZJo+GTIu2Yl0G9f+i*B!5?YmOv>!i;TV#6;6d)8;cdHVvihogL9}z*qMT$(@98I$+F)|MwLc789e+!AV8-PSM-3v8x zOj9Hbi2+i=5EHbDOV*J#NVPHmANrRvYabFMJ!0Wn6&?cr|+eEkB@E^eZ+>R-h%ee&YdH1t3FErc=~QdPy(}AxGW8M$D?c1RW!Or#M8DcX|7U1(ds%Fb+%%^yK| zoomL6k7n}XU=0x@x>PPS=IRkz0t{=@68hA&{QG^9yA}D6gz{c&$YTTlo~nrAU8@^Y zJ48{H{ng~WYr|f91975af`J`;bb!~*C>&lm^(~KFHe5Cbf-W@3cPDYs*Se71bcSOz zc={E%DfGQC6rFtTlrlQVj%En?bokV=ebhE;2g*U{$)eaKYA>o$wLNpuCXvjc_XqSE zqYw|p{!fXMi6j5mCI2?2-G!%BHVt4ybIbJnH5Zq^k~vYg_E)KTt@HJZ0G=tL>RM8( zrg9i&(T2Ya_cEZTS7`BqS+98_b6kPQ%9BHUml1|S%vw0PF%AyAOK&Bm*FT7Q$IMhu z?uz9go&9D2 zEC3oOjE|+3-?PgE(NB+hCjkw?+#emHEv+~D%W_L7V@(0zdQdo`eQ+`^u?+)xVNm79 z1rkd1%<5BxDdS6z*vRt)ehHt zFzkJDs8J+R&!4!5EUC|`4-)T)u9gRNZ;lBps7&$$C8{z^CNzmka?s5vzWcZ%^;rvz zcHY?(`YC#TxYYxYxxhHhe;oQ%PBOiod=ys8qe9ym-8DyGU%+VEHvqp{+2RK9czLfh zcp&(%bBX&e1IfJMvI$}7bVnFd^{+)dyT98DZm){)gN0* znnoD!T2*`Xd!UH9X>jCqQlYd|11g9fe zGSKZ}Qlk)H-5b3|8UPphHRd98I`ct}3HSRpjCKu_pJECb8d!+Uon_8tO7f?J*9V|- z$=ES%v@U9R+NOlw#n3z>U(rKE)Dgch=*veSGKf#oO@#k_e7-jaq9GNm9av(Zx`?|3 z4}{U?o~i;|A!)fW7NCe$UbQW8$Ni{+6f9*m8w=C?sSUdZM#5~3qs9s~|4XR16QZ#G zOY}OFdp13%b~=Hgsj0f9rSXUW z@RSMy+XAh)(e`%jCtb^bUTTY zq}eIl!^@f8Y5fe(G3(~e4}kklkkLS1)9A!{tr((SC^wOP7W1N0+h}5kkEpLPB62x@ zC`*IYduS_-X;7!?ySca49)SzIP^Bj8>2;UGju+lPoF_CxYdb&g1ujE$N^`PI(;t|p zw??vyq~$s*bW2&UO$*Rv-dAbQ5zQ;Dnc6tCBuVDN#%>&b_&44P*^AuViA-GkscB;h zhPv>vUTKM7SobS6Pg!D=5+Ix~heg2a<%P>#y|$dI$OVkL&}oj+JTzt|*Yzqu|1GcoIVSN4 ztYU^W`MTVJ7?6lF6O-$I04I?tMN!o2U?8G(kImx3)uO!O^kFbU`Z;`y71OHtjk63? z`UCf9xn~F4he| zBiamvI)#0~+@h+p4tw*^nt^lO7S;Y27Yia;of)eQ3ix((*5YU5O3T1`mjKqi@>FnR zb!w{pC}%Uagf!L3qil!PKYXi5%xUd4O^GqK`ISIn6bPmhUv~X$n{UTYe0~RM8KQ0j zw)TmuN{27LM;Oe3f+nTlbAVm?hR7JAvg%gcQA(e66uf_P{%D_}P6t+uQe6NM*y$8dvBv=~bSWxK6I( z%e^;M0h>xmMH#f;o$Nyvs6u+MYw~uT^@D&2!=yPtRe7rvuYd~%QFC{2IsFm2^bL)# za#?9|AMw?O8sOCI&cq`6vxHbG9V{{yplh_2kFNYc^r^E-AXV(%Hc6z+5JOJ67F_3w zFFx(j#)ak3nqi0mJ3qLJ0D?)ZgQ&3ow=2y=&bc+nDLymlc2iY`j+OKqB5@ZwBrtWt zP(ibEyHclq?2rquA2ac9@%K)7-#`mP2BsZ@KI#51s$NKA{T5Y~%n9}P-nq6MV`|p=6pjNU*@@eLuia98jEmxDq$n z6AidXc#<#{0sb*qg?GRU>~krP(5_5At(#t_!);u6XTl^L0DI|g5NyPz%l-G_iHIEu z_4+D&{E2`pc&<{9VOk5G&0sU`y&dyP*{`bw2WMgPFqlV-Ec#|AuRg#lHc>#0w}KZD zZc7PhalZjE(6eHy#U-AF=8G{!d;&Zzh?;r#|Hkw4c{*@ zZJO~?KZ?#1wB)OXkOCpu-ws93Fzo*k@Yxhd33m%Yvj~tWB`ZPUAZln`W2;58bm}9XwZg zsD$3_E=os=FS9@Nc&|5jx(|!zhlRtnEOb%2$f5#`Q^6oGN?el4h3&x;aN|yCyx7YD z1KoJRRhu0`l&02qjJ%!~=^F4+Nvz4m5LI+a_$uMG8V$g?sEV6v6Djz26%9=4ceN@bB5>SUzmN zuhw8VB?buY_|qa^B*8hPAdK&x(w54^3V{r_JrppL{rRw4M_CUvXZINWtV+u)f3QZo zDbjbKJF?LkZ6a})jYhPrE&IX-yiHC$C_W#r@wFW?XgU0AbjEwH4 zzKjLJUuM;i4w>kK&+vt;=@p;qIy5yt9#wJdPD6Y2xjF!9h_}aO0MlO>_iP9XplGrE zX(ObNfM=UkkD$XOAa?pFfri@iB*T?4EXL4Y*7C^qmC8ZEj4(4o>An0)-ZLa+-M=dC zM?JEH65ji+ZU!gcBz|cHp`fr?1w1sB$E9rs!u8ccgpZ_3-guU-J?Jzs!cZ<)DiG&w zbeO3=!P;KNxoQf&&T08fXa$Ni$e zr=Wq;w}XcNI7l3t(XyhngYSF78quBN$mpLYQ197qKVP4cN8b03hn!+Ha~A74K=rco z_bGd;BM?KjIf>sRWQ5dQx{(ZsY$?2Y^~eW`qnJ`5f}~vuorqz50g;M77G#P)fsh_Z zAV8}^p0kIm%`H^v^w`eFYFrM}guMd(M&&*a*g_;Oh3!MmAua%dJHiTZG!%Cc4!ma~ z;+J}0?H-77ROdqWKZCxWHLqBQ)ujsqh+Uki(fmH?v|T&CWXk3?6^5UFhTl%Vly^3- zh<)8y6gq3Zk#EUm<4DYcQoVG-Qz?D9%w9nTr4{2q4DC9beJV9at0>5G!wy+Ln}9h7?@RY#QGp9M`oeFX~1Kt{;BNW9LE7* zpU%n?M_8M+vK{`#44)v)%M(um_AhK3FLTn}qfI;(p)`Atip(?h9nCWJOn}qVcRvRi z2EEjWXR`>G(|nhsyd^t|-~SKlA;b{^Hw+@gVzpJMX3QEpH}RBkQ@6g`q*a2fkc>cA zc$_2K^=i1jBY&{A|8h&TICqTVpA&%=Ri_&84LgPQ0&FZiZyK&6n(1X^Xyx*1@5> z*y}Wtw9gr_k$*`Vm1jY=IXoPM*3v6L2o^&o`vo7lRP!g6>oYD;oLT&$VAAewtPU$_ z88iLMbsPy_&}jbB57w+?&W-Y!1wpz+U;A>~0#3v@JiyeKH5a#?iIC6w1^gJ&$=x*73tmTCQw6#c>-FFEIMl^F9m8KnNV zE%0@URHy)gsCsKqtyW!4B#O#J-Hh}QnMz_Uw)Kn0cml?7QaHKcRcQRZd*#SHJ=Q{q z`L(ay%7^;gv$<-QO&^r6FxmkGf5nj=A280|V#I{0_@MQ=uA{yUd@q2Q2RKXuRqCz0 z!GDYeC+$RSMaM|7%5@!&h#V#`VbQA!oO<7Db7v_R{H)7>EvMj`X|d4hxH;K2UNd`p z_cQfed+W|C*uR0RP!?6KAL8ul7!4$bc#odYkLFY@f_M%u!A@0)H~~Q8f=uL_o&j3b zhkG;EMK@kvF}Vt!ohPYZP=E;KNYU9=k{V>`L6|`)1{~LfZ8c;5_O3&hwN#dw1#SE{ zCH*rTQOdjV**hE<6zwq4&dnCRfGzHy8O-Hcc=E@=!yMLx{CdIvydgJm zbTRjAJ04L95A%;*pxrgY(v0^-@^lkdJAnq_h-1JcKK{7uJn<({sw6OE+dce%*m>M> zzL2m9xs@$J90+o0$&j@w>oQmGE9{o^Jt5CK8Ct%Qu&8yr6>&ut`EzRJqp*o^xdj6h zJVrF~<|Kr|_Xs`cg_~ACLYB2Cjk-g2Puz#)VQ5s?htR1xL)24tb-0R8FW%6*A@{wv z`FAhUsq!5>pe(ZS{mscMZW^mbfJIcN)Nsc*h6dFVoX$Qx80=3uo}~3^0so;*vKTsS z?1)}U;Qr7#h?S(Dnp}$kf>4k>e1EQBqyc1t`TbeMjtHHyH6cz51N3`W!{F|+V zTuiN6EA6YN>p4~~+%;;{3xSS_-;8|~*6o?1x7^BlOV0kvE#6zBA6T809I`A=I0B6Q zU1vOb{=JwFP#CF`phiri&4#gS^0Ph(;qm`I%js6>l_i(Cqf@Z-=n6MVyq6-to1u#Q zcg#_O54P;V4|`^;t6`eJ?2b_JAnKvngm)lGRZcSK<2u_Vo?Y-vt&PQbpYk@ncD+jj zAGyA8tDUu&)&U=7%DuJBIY%B$R6Xv>5DYpbSwEYNsT*c{P7| zm))z6AJd4@O5vXu^C7L{M82sX|DkzrZk23dMrb@By=|VN$xK-E^lb=?k6+bO((PKZ zd1fE06R? zFT{vykQuAU8fRYtK?X5xA}+%uAC13bwwE|BQc)p0zU!wx)^RnjoE=eV47fC|Sdp;4 zTDo2An766VwZ?!s*)^}5^TR8~yFd?4FK-23Tsm(d6Fz zh@+<9k3Pr=<4A_g)G|wl>Z;i?pc=Z} z(KUjLkrX*w*YZkk)8hknu0sgP=a%=2(z$iY;`i7D_q$BLX#$^P^Qu7o_L!D&I=x;e z>{VEi380t&B)QcUKdX7p$EbfqbgDB2vYd)B<=Qe^)vs75l5~qz1mO8-gNp>?L;D)M zhpymH20Ax98uV&n#{YgHCWB6XhqJ$O&n?NDZC1B5y9%<4DSco5bj(v4mQ0Z5_CU)0 zYTTHAJ9uQgioBHqDLk2IWVy>qBN?CwUgA@5yHmMg8_A;X&6rDc>>ozIyJ8AAg#{NL zcKhOY5j}ICiP%v`u2ZcmDd1%J>9ljorpehYVKG-H@nplbBk~ z;mgR;Bv%7+{7!7!n~d9F5#fBtt>W^5y7yCr>HQo82-4jesj>K{$W*N7`if<^ouM8p z`axxnIQM)>Tr4ken^m)OGRC~zg}~9ozeteZ{)&M-44*2RVz5~8Nfkm^YZJ)$BqcQr z$Td>(H+R*;6e`r?oe1;w(^HYejWRJu?|Wq2Bxk|E2d|60ksPCdYwfd~$QE7W8w$xZ zlH-(&=`aVW%4o0KM`fJ{{RZ?uDq8*YEB8y(FIj7WYnZN2H86XL+L{Q0ry)&Jc zrq##66k$RpbwM|EvEJlMz2-{TUJ|T*R56d%H;6?5IAk(1tI>p&X$L_k{1r5VPJpCP zSvT>AZA6hVM!;LGFjTDs>LPJZ{jNWaE&-!Ey4>PEmb86Q(mAL2mtTFjfRTib1NgT6 zn-FGhA&Zjy#mjfTg0}otskT%(7zNrxmC?P8S36>WwRaC|q@q3SbfUFc>UmdlT2b_$ zWSqNVvkZulNFlv64N!$V#*WG(CWY=DaXR{SjIipgb$um2L0o1*W;|c8KLhSr)$LL$ zTWK~;7M|eC`^$~$j$DG^oMLE1BNs^>c}n*H=5YPhYiohO40+HD~MMX?j1f_%!XWZ3qyBTt1h-ywi=etLv7x?tV4RE zY~yfUN-D^Rb&_B22+0ma+HOS2D(MgMP6KY2U>oKDH4}6%L)_>moKvDRy2RL%J-QSz z)ApetqcbiKbmX@1)smwcZ9F|zGjpTyeCXhKt65P+W6YAO;x-Xbg!P-qQHqw03b5xc z-(AJkLi#V9436clY-V19l`*bVIZIj{7rhNitj`Mh3q&r+GSNa5Sp&lXC{6qUeDqcKSDqp z`WdH^?#pRbZa{)lpQl}i<2a~(D;q6V(Bi#asFn3Pc2;N(w?0?N8nMPv*kx^e|3^GZ z(2dFL%Lz{y%#g?Eue_V(r@V-g9MWCm=7<}vYk6Gr6-=bpTk=Uoghhos8Ad%)#bakF^Rt(6jh{^9CjHle1Yh{z9i^~DIeWal>rix>P_A(#N-a0S(t#WuQ z+U*Z3g!J&WWnWCO%f2xX$p;%}q2%HEKgj^b|Jo z7-$rG;@G4d4$x)*10)s*Qo#o&Mi3ITS>A|(QGH1%Kn8`G|K_fnNw>SXqw`EJ3YZaS zyaX0{A90KXf8wM)(z{w<;=a^di&f)GwugwHkP8}t*SxfB8IM<6kVlx`nW|WGKte>0 zO_G4!Stg&g=_Xyj<6{UTK~_gKDI@S?{-IBEml2M@ERQia$h1xtB(wNuqsrZ9+Er2` zHMiJJpj5tvU7@ZreHehn2Fq&kN=ei5JM9e6E4+JY zOghPy+s|JiQ(K1Au-{;miD|<=MBL-*Ic|NQdDk}<5MH4zrz;c8u}9tW&-jv%TT!6k zM_Fp-%su^l1ze4)Ow6z;V#}l-0(mWj(2k|roZacg-;ZN#Hix_(E6#W9L1V#j0Mo2Y zsV`w*?+I>+YS!9G7#RL)12@hU@B(#;o--^MR#Iwun)sR`Jz%C0zt{d1+6BwwkrDRw z(*wOz<`FQpXfbuq2Du)Zu=1d-mZYnWA1muD4Ul=2n}UwPF=(eNSh*G(pY%}P=^=9M zvLGlq&-K{(Vd^w~=d-2Qno76JRxHj=8R1@z&-@z$PjLCwHN&j9l$2r8p-)oM{Svm7D&9@G{SkiX!;7IGz8G(;iCk$ zfZD4+%f$ZKT62xtNFX2~5;lv|gPa&-q7qzDzx-mJQR0>oZ|7d$pq}6mPo-qW$OKZ> z9*`6W{CmiJ#ao`*{FnRlac4=`4wh}ZxD=)aY=VpAGHgVTuu9v4f*J=wWJqryUKP*) zaIH+r^?FBE6G`~kdq8l{N+vhy@h6SH{tZy3poiDDU`nHp65LfC*Q;cuXH6j(HM_ncX2& z_4)bX-Uz3Jg7<1pIh^JJM^u{+=Z8eOl*7gTsuwqv}cLW+DrODQdmI_i4U)Re{0BF*t`*y^A7 z-YiO?7yTtN<3Owi>whU*Oz2i}_pNKh>w!>nenw^KCVN_b-GvS+LIYeHQA@m_64pXe zF@>-FKE{-=3koti%^(M-Xh^G5ms2fD?UEk?WFUMRkT_czFF$-MBi+pZZ5nG5jY@&m;oZ4Jk3h>BLEW|{eYmsb*J7gW`qvE_r1I-aD*T3 zyIEq`je+b>}r<4xD$qV z^NB0~Qe;Md8ti%y>KrdS_wW&7m=q^?rMF96Cmtgn>BQ@;A1sw?{Ne~Aa`0OGJjgsa z#DD#s11;zlIle75vRau3nia1IrSS(HtPVF9SR~JD1^F#tw8Mb?*cY;YLMWIWiDUol zf*@WCu0hp)ZxQl8p&du>LZ!H1*j#BStTn(sP3a-243G0{FX*Ma2h{G`@{bC3xwk{( z$djAJSlG}EsK|6}ao01O;<$#}!GZ4Ue?!ZfJ6VM9GlR&->K6AM184ziJ{{ZRe6?ah zUdV#Wca~0O`bv~EoW()5}i@vik z1<>EF+bE?NeDj2jGBsmYvSy_0W2Izm&jx zvtWvw1TR8`&U!9Xk`Q(A*)1D}7KyLwgj1X3ee!MbQi9~Awa#=l-CfR?^9B`%^5@Ip zkNCPMp0_?9by;YE@O{IIJ3^H$b5M_j2(fSeOeh!~stanah1lzTvd$3{0f_{gg3(7L zuM<{P_kQ@bU8jMYk<|#z`-%ONixx6?nE*7y?cAb$$CTu5g90ix92Yj~dQmRAKSCn- z3Xn_rKcR0ANYc7E%c(Ov86{SaKk9Mqg&9VtQ|#whoJjZb&HY zq0f`Ce=ftT?uA})i1$@-r_7Xra^dzx;n3S_a8(bIU2ovgAD#w5AC(WiSEn%slkEcggj~Wy_F~aV44VN8n6`4IY#q4=LZt^Bcx7VhNMJyyt+Q+#HeKK{DuHyE$0<){)vO6sX(u1HjkGX72;gSh+*S8 z4$nrSDwB=wl0c|udPdPIBPv3F< zKRRW`EgEkyh@0^r#)MI-2b4`VKqIwu&JN-YF{Qy{cN2zI8sgERsWKpw{oZ(M-k~Qc z5hUE65g^y2K{pFh%YKQ@0WF$bGi*m>rc~t#w@s!zIxSq#x;6J=5Q74lBZ^U9e=D6v z8R@)}SFU-fH_qN-@u_@1h-M)GL7-N-6a4Pjg1$QY5_Pfpxes7*j7jAC{H~hl4d508 zW~AVXS>=_MU)*^KVv0qFbLLSt_E&m9ux`8Y=XeR!>?*h-w5O|U0rEWzaRx{BPW^Cd zkTh4U+ncPEQXo#Q4cnSL#<8;rjzel?GX~P1-;e3Kf)URmVjU*x8GiJKp26IkvUXF| zdacPRZ9Y3C|DZ-o!QmoEi9|e4t2)4=LKI~E8A=6p`5W-3w!fhrZ$@bjr_MMJx)l`B zr7!nI{3ZAQwDlW8BdafBwuAp6@PUSz3Gv^PNYIYz|MCfgsqaKzH6;G9lZT4TowQ3~ z*~oB+#gtIprI`vpmNe5az(I>K&4fvmWCbS_sJD1I{waWY(~A;aWQZ z`UoQH07DJ|V;_OgwfqMoiWZQ$1^_}3dPa@TMMWgf3i`j<_{`P5iNJ-Mj!0q4K+Eh* zPoon2tq}I&p^9G5B|*pE%X?O(^9#AY-SfO>vkp)Cya8LZOgAGuIp*L!Us!DYy!5 zZlCiSKf!98nBqRhkky2U$2bYp_TOGGI;CEx{UT0 zTrCe-=YO<)7jX;G_-4qbMqXQ%BK}Id&7q8VWJtDY9Ko5o?dX*j*Y9B3B*w3Yua?3X zti`Vu|BMyeq`CdD&@g`i7@RH%$C;skQ;c&O9kl=npBgf1Fj-?>?psb|K_??8sT9jS zo5iaNaku_a1MOALb|=C$HUjCMT_;9Zt+6=d%QOLC`=c?9(glMiU$Aq~JxW)TS-Q$~ z;TGY0>w-JB`vD=Gqj4g>-@~eRxW8(?`W3-IK%0hko=AIrX}aczx3RiQV2}-4R4~x( zH?ZhLzXrxfS}V-WlpN88x0IZJDuZfd9z&FkEst+Gd)*7m`DCu0Ia_lsF?_PYR#(Zt zy*ij$E%Yv91g~pwc68zvoY|mJG20E;)IXM_Q@|VH2K2T$*Q(uVD7Im>ge1-ZSGa09 z9)v5A>)*|x8lTL+-pyMga2W*qJVMo*@O0~iNP6-uVVc({DRoq4f}S!|E;2! zRn0G5u0#gdMT2aGMa}0oH zm&(t`D<9%Y(^1iDB>)=>aM#vsKRn>?k$FfrdmWbn^ZILbd&B9nSzNUNEDEh07NV8Zc-|IVb_g3^Vm%x?%_z_@;dx0pisqF}j%}c^pTN)>7{v!=~6D{ArxyU$kj-yocp*kl53to^1a40Bize z+hN{;f}-PGPom9IE=kNh5xEc#hz&w&4Y+frN0K~Qa_7D6*?;Cg==!%|L!{j-W?Nfz5{g4R1e zx9$9tG5UGqxco+*{`mXYD3bKp*c zZw@!5fd$vNAgCSDij>h~%B@3ft?)sTv}Gz&FR5 zyiW3XOvj!e>0g$4(BN|TKYgxyY{yy!qPnQ-Iz6|Ey#^{gNZ1+MLwz@Xkt%dj7vjzJ zGi2+@9C!m)p8;nscQTfF$YA0Qw8Nb29o z49AzuL84mOIHO2Ob{-sukQ-nHZk2L&FZ}Df11oU=5-CHE&yC*UP|IEb8((2wq}lmV zy5m@&$(2)bP)IitAw9-UYs$qindX87qv7^OIw&Bw#2eMK!cfsxv{$C?|J-?R_Xoe4 zSFs@c;NbJIW3OGRq0X1TJ2%SW0`b8Gevz$7oMf%~%IGUB60bA5#VnMJ`|Fsu#@Di;6`v+ai8mtxEryFQ6@s zSh4HlooIas*jLf973i4UArqRUg=sCg=e^NyjBK}2daCs0S>w6Q$V?d;O5w^AkhB%q z8Kexq)IA@-A{r{_?(cH{D>fZ*B&$g~WKTn8z_KK;a(Tb@pHa1RSdn!W0Ld)yVS$yg zAC}cPrf|*)AxxItN;b@@Aes7ZHG!w#FHNM53^?RzBf&-kWrkI#4*@^)QL$Zy(b+{Ol2^p!}f$c9hm%O_dIOekhn@OU}|x*U((l40+j89uve} zKfR;5=sGC*HW;n`E3X zFqcF+%6n#;eff^ae_QPYS>bPU;tXtSu+E2L|BJ$vl`?#ftV$_y>=gk*R^wNs7bH>; z;$iK7bcAf5Ogr17FJ5h*xAoL>c9G9@G|-w^p*;-p8tgJbka?Y9K=B+gtPqKnOvDn~<#T~j(4R&LaqtD{GF2 zFI6rnNq;y(yKkv!Atdz(A*m^a9_+$XeA>7!teRJgEkN~>+*W^kVs>t{)`)NbL=2*s zc~rdON+9uOFt%Tkk&;V%H3bf4w1L3Py$Tsx5)9~UxD?z!noenvOoU|fGG^Yn<9TU0 zy`%3@yE2zwHE*3KLOkI}wizG5ry_ovs1Jg%Bo`V&+U^v+jjF4sw0glnF908FWqNUO zmkoo%c3+pASCgIxTgsi`Bq3s@xv^JR?b>r?_D0Jwxgot3XOd!qYhme>lb!CL=f=}> zjOhSBwlvp*^V|GvS@{au4}<1+uFoGs&wU_Uz)|Ns6Zuk6^OO%zdm-Ig*O2k|x8!-~ z-hM(3>tMSVY!?k^9!`d)Po|Cs(fphC$i#VHHghsXT^~IJ?v3|D^`Ra6+w%RMav`xw z&28s4$9D!`=Tqms}O=C{eC}8rJHYG1)gJWYM3{dnQ^#5I4yZBoY~$2||LzrB<|St_wM zCUzTq9^4aeEdC;vFp~rNJ7yC0xJLMFO|pdMmAeIuNJJ0_o^cD3mIHRtF;M_A{uw>f zCBa{gatA7h?3iiI5L0^*&{^iMqwTI?HycQKFCl~o1xJgyNElOUXW_@MdbtQ>%`2Hl zm_0lR%BM!)RxCQjSDNRqL5hfyl+I#f_O)kFQ|pG1*MoSr7LXVO#@;$D+QF%Zn|OeG zt)l`8ny+JsUr|tv+d_I6O$8Db0w8uztT)c=oNZdsl$1Z@h|;V6R*y|e7}MYtGL>_U zL9vr7E4TSnZEgnU;WHewu#F%T-4keS2322)0VQfVZC;5v{dSvP}s0m0Ja*tigVpLpkMR1r-eB-Q@M4V@Qr0@qnNK|Ep*(4or!CF}>??4Pw zYz+1qT07>-(OW!c8X|QQxPT`A3JGXOl7dXnHM$m~vhxm)Esboyi{LjWzlkL9 zCj?Ws2O(SO8tGe5+@rVA;}TH@@-gIIJ+D|mM-_>C z>Pe{yCg5FPew0&iD9g7mePpRDn<0g_tShh2QC}+qG>OLlc_pf}VGeuQIcOQZW>7<4 zo2(h^uy%&4Vok#0*@&y#8RvYqxp-Uyyi>6SroJlo_(w#oEMweq696p18{&7Tgvn-> z*#CN`3+}XCZoHPYRd}SaKzH70xX~KQJBj#cx9=E^T&8#daSMN0aE&}Mmo1W z^f?@0p&4E2%NsFPsl4Q4@Pq7~4G5ROY0`=@8Q&p^;<5Gb6wsOSQ-p--6S36UTo^3e zz+YG(3pQ#wAgh&%yV>oQEQ#bG;Lca%rH&;8$g zSF1#KVs%<(5}Yl{q;$!-P_RlW?qBmuew~g__xVC%P-xxtZ6pQ{lahRkfA4qM~(<&&~3G+GvqFnl(RXe0;!Yw_cyZ&a;yPFP!@|mL4Q){tll1Jg!1$D5b3v z#;x{U3B&5J!$z<}R%s5IaV%3S-1V&}?%+RjD^IwSAa>*DrqfPfsxEGzs;c&&FgqNm zm{_uqBue+?g%MyU9uvO&mTIZDZ98SCxsGOB?Nn(zdbK(++_!g}%6$8J5U^kJ&R7TX zreu%|u@|YsCXxaf!Pssr7f=~b_@1$bj<6y}9`|6i92Wkcfv_GG`!aMbV$v}YN7^lL zG5^KqiJ?IJUwFY8T+4E$ixUo6u(LFk(FuL_PFi2&z-E~xmMN&_F%1!;eB36@wjd52 z!D1oh1}oVBNeykFhFbWw^IB~eQ{e+Tq>j39l$}|CIH|7O_nwH>CTI^Ho>4*(|9H@B z>hSI`9f^h{E4zLL6o@KfZ1BQg=$f|nB^?s|!-jED#eY6#S8u^NeVX^vjMVtsZY%G2U zNzQQX#oJCQr#|)6YOQ0Y^1iJ^)Cg)8m|~KR>O$6bKL3N$5yIp5&U0CtkgVZRKx_iHRg|<_dk?ml9iMha7Fg+Oh0ruPThY$CYv~ra zF6TvXNF#W_Z>mT08S@p9e`0O!WH1$`@=M%p(b%u~YbMhPhuk2Qq=H(AXu$2-#6z+z z)lEp<1Mh%=5|widv&CC{-aIZogmMSQ^0UHN;J%MOlBV=-KF`Bpm1g0XaMhF>owIpdcNGM?^to?fN5x>u& zs1e)o3?2=`&O?R6$b&1Or2R2mjAA#zC$br;fHwYhoscQ%)2iI^gQ)TC9RS=gHp!H+ zM8?n6w{md{4d-u4AyqD^L-{?lO6XDs9HNqdXgf#`Q)af=v$J2+x5Yn73_;{q05JlS z%<>hdiU?s0+q-G6403*a;gNgd@srS_*KbVcr!tu*{1lGe$j4Y?Tfyv;$Fv0P_IJD= z6p7Z(zV4kiwj%Pbyb^a;gk9*Aa(K#{bHY!yXpQ(p@*Ti-YGZWvh}20yI=qmUm=%`; z4knbGD*{IX4RjY}AY3pqmq-bQ5oCS53h(~!u21^O?VS&%iLMf-RC2#L)fT+Uv2(UG zXg4Fw?BwfA)QJzKlNF!CDFnlnL}c?VpX3twC6AxlGU`!fA2I7I=2@`d@g6C;jmt89 z6x&v{;`}_H`Hu!&dq7Z3j@C|B?tB_Tgab@2ku)1j*7yr0%izi48 z{@@m3_kX&>nI5A7Gu&smUO*3FOL|0Lw6#H@iN$H*|%Z@msT(p(D4ZT{q}j z?UH!xpGmoBg_o@C;~wf%OfOe)A$xF(%oBU$iUeGikmtB1uZWgGuUVraMTDAvptSH_ z?BJ$bX$`gT?9wfTEy|Jv`9wSPlEKh0o}=0O5Sicr_rVTbxi`PaJJRjV|2=Z(&|zg$ z0Lsk}4$xT`=Qj6g#zZRX&!+)yH(hx4lcwC8ovh*aS(MfPN>2PQ)1&Yo~IT2bh}TyVye; z7rUw&>!SY<-)XVHIc-R*u(sriJ@7m2LflRPN(W7`XD{bX-}PmY1tXmg5ZR|sM7WOl z2xoQva=MEaIVrDmQ=<_xgDu<{ex^Y3dn&lsa2TtDtPq2Q?uB^+CKcKG{B^bNK(I02 zRW~?R$w{`P4u6=W4&J|KDUQfat#uNU0Nx37n}~{R)q<&|`~ltL;c(Wxqorg$=mb+; z)$E+tU@--vCW0SrpH>+Bh6$u01v>p-(s?s?2mzlzV8F0bcI_r7j5Pt?{OrC5YeP>l zD|H8$+9-|oFyY)FJ-h-+J{(<_B37Vz!HeFKyA-wW)aolO@VAsU(d7a*ji}MRlBagH zv^E9rm?K$db$L};k5XG4>IuPrh{l8`P_5VmZXc5^RaWeWt|*?}jrP_2^jb6&V#`O0 znh7FDuRPdTH3a#5K|ZVTMDbzXOCHVNlOAF+kGnp1bf$Y-S7AMs9ew}Lr0x#lGq^D% z6O>}G{WnM~BFB|wBdmHSQgOW*!onS6bGZ`lg{yN{XvFC6#|a;T^KwJVaLaxnE{jJW zbnN(_Z?xAKo*$9@l=2yD6LPP&=h2K@2xmOq!p*~3*<|AD>1NwVJG?(4$~kZhUTzGz zCNMsr>mMQxqW2$DIYL`y)~=|<{(ULFgd;BriArZ(ans=83SpxoX##IAG^)(UU+Qn+ z!;tD?|>P~_1?qw_H+gZ!8k1ss32$J@jHC8?`+4qTpA79gN1 zM&q!u!aUFDJ1>3ZpS&+yl)FHPgImMd0VfRyNlfk3ta}owVm)2Pmjb^d9Q0dZk4wNW)b@7eiIq6sPy zuDnxWPdHBTy<>y!Pu<1f9PV(aunxf%l|n9LkRPB7U5vJ@tARynz^Q$Tmy%6&49tqF zwg@RXvAcPQthPWG=JoY(%_Q00;;JdY{$(UEXR&j4TPZ5t+18E!OIV#g` zN>R5?d0lYy7#G8=q`482MDwGS#VJiE`ey1}>8xc;vloBk3 zRPMTS`jRNgzYljjRWfp|r5bt>n8awpkg;EKX(I5lI}39+JCM(`Q;Q9TU+khk1}_)x zScN&UAq)lnE&+Be+j?=pMoo|$oa&-yc>WDIu!XKjzECO3n(boWh&Zm>ppjOy1^{(Q z!d3oN2KC7SW@Jc_v6&xY*X3@pLI;nH(`|4yKKbU9h1m?3i@k50^R zw09wwRvUZZy^x=~F#rxMP;%*fzbj*MU`x*GnzMr_gee`l7|{I$k1J*ykSUL~_*QGk z9}JAJCzYn&gfh{ehe`6$^7m;xif@eeH|Dq1Vf_t+^z=CmY2jxc71I>5$O;0tNX(U5 z_66;k9 z%UgaH^dF#krN&d^KcbrZeR@+5iP84o5V_oL%l}u{Chi1Kwzi zm(>E16HK(eF!?pH0Hz936&V;meNu=0B!DdG)OWDZJnr91eB~UAYcSk=dkU7pHXSQ& zm8_Z@%idSLK;Cm2%&C+G1?s`BOep9{ai>`k+XJLbq#PVUu{~E;LZOHWnACYT1W3zr z$uAfnCX1VQHde>Yd$s+i;ksKLpxLK`^>^5;67d@L2G~){uzw8CB}VWdJUOfH3f4EW zbSSTsFxL`aMqVAznev&v4y;eeso}Wh(Ua2PUTgcZQ9yQ^s`HHyM}@w?DE%3}dMj|V zZ3-xHh?6xzvgCEey-7lXhKwx%d4x&xmp>T*7*IeM%e^XeJ3 zmQLImT%;VZHg>z+5FKvyvf6A;zKcLfSm)>Pv%XD$bQprIxtV%G{4__`Wf2Jvh{$Bk zQA?L|@sWrgE;T3CejD&mic&gJL^hmJ_a#1{G4@5I)=cc!W5CRNp&`yjpxTm9mz6h; zovW_rU9sob0HITgW=r;^eIj3c)2wRc#58b~xF(?Fi8LmUq`gUpNE)16#%pSOs-W4& z9XQag*GlK&JT5E(TpU@EWAkEQXFt<^GZ$U7=5i^JcB0BxXMz<-bb(O1_ktQC-LBtt z5k#I}S>-FM9#AkSVuXi-Yaul`N;QQG82xYJkG8lKpXj60@Idw?jdsuwjk)10D1eiX zU5N(4(RZ$ua%F-;0e8*viXyvzjXDCuAjEzeLzp^j*00)wigW|@o>zhM_rX2rm~xTV zJG83Ay2`3pCt{}jEf95UAKg_(VAu)B|4wI=VkD{y2uOGaQ|qVeZ^DA32K@OLk8H^G z$EvChsNwf2R=lcWi)XjK8eacGqOJL1(^o3$7k)=IMFO;v9|O)Y=_AEDKXV>C*YCOGA_6$P4gco(`J{icO zUPlrmqr4vSba!dsp73D7nBcXkH+tv^*16wC4F<@huyqI@qCTG~!Gr{X==&p@w z!9#)BbJzM6l}%%(klr3yAUyf}H}u?*d&qLISK@KBHZ=*fb}e=8+v`JaV< zi}s4k47!BFq^aoDZ*Ovl{P69kWN18w&?cOhG=KJ)vOU^4(3ljW0M;E0l9q1MRM0>@ zyYx8-f;1^i@}M}FoQuIcA24Cw>Snndh%h$Qeu@JM3$s@pF*a|XW;x~&O6ws?T(P$X ztb%Ape!dh+ev=ZzlD@%%m~k2zWQ^VXoaYa8>STEHRB4GR5pO*0&9`Ta9YRy$$D_%% zYu!!q{{4idqhNBxWJ(_M}_Ef$8o50%p4L%Iuh1=NoWMqU)V{lWO}&oezt+I_WeHbM3p7=IF`(* z2fha7 z%f|=+{)k(o+~N33ibC?yXwwhItFz45PAOfCwRXoA&&R}SB;keijp<8c1O`%#NNXd<5;=iD%5MolefwkP1Im)ymeP zm-3R~!v_KUa~l+A-iQVJZ~L&F{aCTB4$x78p;F;1>|>$I;c~JZ&5lS4+%zVv^Nktq z=w56W`I-vk?vyW%u0xYcc3Aeci}69QHgvaO?s~*0D@7o{6eh(>L9_Eb;|w89PJVE! z0}5;G91yp&8iFHYL7I8mFofVt$9aVeUH8=?+@<$f-x%Z0{W-{iusvt;0tbw+5jZxD zggovCN3jg`Z!DyrP^+kNcs?JfV+xB^m{&`m<9z&Rxvo1e^RO}a*f$s?c7HooH%|dr ztF&*TJ1DVe-shmS6o1(IrnlClwOWtUbsdsA&{>xOiaYGCDUK;{z^6XS+^5Zx+0q`b zKF<#a@h}E;2P!0@I}(ZYyExg8JxyhU$=RwVUqWXjK@w4uc1@I&MP}uUXbs3T7x8v{ z6CvF>7m7fCGX82WkNcWNMDYnU`JkkQVb~vF${^8Pi;b#aSNQ7H8l7?C)$?L=Nm)VQ zcs2WNW|CSjw{|_Ou2{XmU0Ohoo7H|SMp~hQFT!vr}bp*G$K()nJ8u2s~u#Ey8PcQSH;!jLh~4d@vxmi-w7;_r2j zoZ>GZj=VvFoKGPjY<-;Lu0bi@8hRVc9m=P`de}mtM(~P6DEcX!;`?!o3KG}`14A1= z!lIDAE%rHN@?Fmd{#-G~ztXha1MQ#I|0dnQk!R}yEVe1hH~Wm~RJV_GkCt;CNTD{M zwmiH1((ya^%TVN2Vqp}1!lVgY21qpv%IG~HtH8b+3MQ^`m|x`<`lvlnmzHcIYmj@A z6XZijh=hRuiWA`!fmVyDQ{-s9G^GQD+)=+pduVL zrqKLc5ei;W#rj_YcLM%(#~uq*XfvCar6C~0=jK)lBGLVVT?rHtUow%!|EZ17usJSi zk%G{?%!i)CROl0tCThW`-ezHkB_FC)VXggFd_DsS?p*;`E9LQq(-Bmina`vGaYCC} z(*$(cyX{7fqXOLf1vhjx^-F>rb|dWI)@)yemq=OTw~gfqRnEGEkPY`a%YT6OFp`xi zpPsXuDH$4TG)H%LJ%ZJINCnd5=ft*98s1{Q^PRQjzTC7V|8La3t{Yf${BqQm69Mr>u89kr|NDHc^s88`AYNOj{u=7!KGhM**qr&n(N=JMF$k*#soh5sm9kqeaj_)g z9@V^}Jd3`oLg6zEw|q-PLxbd`JQE-rybK7l3UroI69R_(Q8=en*H#%#Y|*eESx3>_ zaH$e;T6ye9PTK}WtFqWi(vX(iI;X2yOdGd`u4|1BPN-I+B!X+R@lff}VZW!J^()}S z))?FgeyZNi_-$*=TI~u&8k1=+=!l!65dXRp%C`FneBo?4k2tWsWwGjalo%S%qBo$_ z^;Ed?C7FO=EV7a=mCRV@#9T(wnz}Q72xu47sslTGGXH#-#b~tA*X7VP4tuTW-5|UR zBzb{Q9A+M-5vFZBbh?G{B}!Zkj5Ym1#?%u>fPt)2Ei8w*`3M}^0tGOHsq6sV1)`9k z0nc=854!E1v1h=lU0p;4Q{f1@Ai*$7`T6_Y;1 zFZR8nP9-EOH;PPGUXan?&61nQv&K|=u{c(=4(^&e>RrJec2PptTR;-)ENK8AU2mA+ z85)pa9n=$z(^vdhF76V9zl;Vq_>}cK&U5ht2I^tAWk4-Il4yKNXDJie2OYqyeC#r#W5iiis zA=h@v2-$D1!m6Ou+knkUqhI|fIl?5c++MP#F(speknD#t*K75&fBr{F=)es5eL$Zk zJ>gCR9Qn59p$!5F@Y*&oxc74&MwJ>TPM#@xf+Oy-hRlzkxrHT_sx6I=b;wbjFm2q#vN;0XzGQ5w*nz@?6GAsoyHN|)0izraXJNp%>%FSh>EwYbxPZlqrY5vYVA{^oq7H{0&#SD&g zGiwA#gLZXG+{y$}QhF+T8B7k~vj+1}w)O^C<1L-1FJRb3ue!)iK<14BN3GgiLmtpl zzh?sF*nUO`XV~UeciX&$k+zK?DETiqdzC5jum8YQrg`D`GDS5M)Fr$8(U^ID@ZE)B zl|A zKw4_|a4wVjjwdQPq;hGh%$9x9j1Dk*ti#Vsm@d?68d8&aY_j=4mkMCCJ+-b2zX%~P z40a7kz{NjZwu&ih^be3ZvdG0g4&W10D42Ssqk*zm^m-D&bFQ;IB4`!xdCsqueA&1z z5`Pphe-HXO-kztwr>v@oEmJ(?IzxBOTN_-xD@X#{12J_=?jjk+jdqRR$C zYmKEGhxrpp3p3}389#8w+Zd;s#L(|q}nD4lox1IP==lQF>`k(P8$^JH`M zv(>l;j8PIFsnq?pRBEv?r?b8o2}#`2v8fsd4jzCH>ab zA&9a+ax7kP0MrkUf~ZBPEQn$xN3Guh_Il}A)byzk8`Q2A;o%qVvmn#A{SsmWQ%s2x z5x{=@UttoI3aV`K!0H(MN`hd+@BxRbFW1KN%F%|}z^iz<^*9)VM+Kt~!%n(9 z*7Y}q@#I}&R-ZV!!#|OVDoFR>=q5mw#}?-CIrPVawfgY~&#_;;gh68@P7BN72Wk?C z%U}qSdX&5QJrAK@`*Hd?m6hPEhOp*kIYR#X00Xp5<#iBJnnblI9MtFp`C36?-Tv1V zlYu&3#$52&OEOp8ERof}N{932xrb_NmmTfW;@C}VAnYY7w!>}W@pT!(5+>2a1=e_MOTo| z+1etyO`};YMpgLLNf```2#DQcn)SRvmgu|2G;VUwtKBNS)d0BvsH+UAYs{dC?zK;O z-X-&3h6KDL9`tV8OkZh34QXDg^?m$dmo@Ov(RI4HvI!)wG4A5b_*{?pkiZ`kc zo>inL!ALLHkH@+r#s?M%w1zI4s-s0Nu>oDg!V1d)NN}vhYt9w%8LUxaHs_T9a%@ak z;|-s41~empz3tK#MTr(1Il?t z>a|A-f1GSFZ=a2jks(c`n07AFgO`Q@sQEG{>XF=Tc5_Vx##e0y?oB!|N<@z5nlLCGPC4gQTY zC<~GFo2@nlmO-$vCXONEp*fZ@SO>s2IKW_1<#D}BGZ@5T&E=#Ws{v)=i&Ni_PCt?hz*^-q%MRZ!A`YHQO zvL0ly>7hN-@q`}FC+d@UB750aH;%Pv)Y4-|pfhM8WDpXSu%5LeJY=BWHlDzH1Ln5u zxHiDn)2vs=tTe?FzOy9=dVE`Pdzeq;C1}B9zi@5jZR(L9()fgN z;4%1CfK3EoI5=L7tgcZG;kUqL%%Zg7Av0=865!;8r$w410u4_AoB-9iVA+X|w)|5FG?>+&vSlQW;QPUlFK;C)@!_n!+t-a`?OawfS z$^M~qPSg8TlLMOM0@cRvqb-3~sB;g?ocL-$a^!(Yhqg1m_LC#zh8e~;b=0@V?tI(b zqN~aW&nwFkP#hrWF|tv;aGu^HANf^z+b1PhHH!2XTY)J*t#{T{d5nB}R|CqEO(ZU0 zi-L$fxrik_|+5&4iNU91{j}{02bGj$5v3vO9uI&C4;h<<( zoD4NEm;Mhc9R2G=X3b@PY~?zTK#@!XS^2Bx$^;8&{)RG-w#)-dE9ESce^FDA6KqIi zf2f!$h%^r{IeUS0TA8hwaLCF62WvDXgk>>Ft+XV_w1F^NM9)L1n{W%KOL=Q=ONnMr z0UyPO8EvyMgi*5l>wC3`l4M@^T3;e&5c!)iBLp41_f)WFBfVumJ4&lx%gF_Y;nbTW z`^Gq1k6zteG}J7TDK9sg9itA*H?PJvAA=qMJP;m2Y6xIkBT>Lo+k@I`y3>VitLMdd z*BXZFW?=0Ot$i~<>Z0*cLP9^78YYhR{Bs$Mk359@5CKV)JiEw}7A=g4QU$_UcgP)H zgnbMw)(wVJOS|K1I^&;|d^Hk3n-<@Jz4SjSySC8-$OTIJ(hd_^#1Y|c06yI!3ztJ! zgCyjUt_#=;l=(e@`5|x_v?C~GsJ@E89CP$eT}0mUg_#Oe&N2R&CjDEfZY>**={c+E zS=fP239Y^93y@QUz1fHw@Mk6F{h=vL#f$vpi7$&O#1qmv6ebuaOb0r=Z=CMxc~1Z% zu7idLT3EK7IiNOZ+Ssx3G<8Q`^uLt5)`yX@11Pd2X{ez4XcpPs&P9*K10ZH zc(7yZ84Yaz1q<60Z}VOCs5aa;p;peG}bYrhi9gUsXzja?waB_mOw5O*u35bK~Q+nt+aXdN;$|J z3j0@-dbX#D)rrn!o!XJ;`D;1p>wfnU$58V>Oganj!o<$0QG?5l=m9J$`-3`+xKUIHOFSX16n0qT|RQ+5%IlaRoKo%7Y+E zP`!NYYUbo`9>VX)M!~#y;3x?kOe7_LP%4$$MO)XpWYEvF$B-Q)Yy4NN11bGbn)q;>{;~ zh5I!t23{;?b(+-DU8Y8uS6ea^*H=CTOJ9B|GW*ExH);`;E*cR{9Y7}3lbn~rRyQLh1aYJ%)X?U^XHkDj6^mw#Wq zKvR6gdm}}5)`=7G4PS}ugIX(hK7z$n+JRk*u}!=I2L{0S_vT-!Oy_Zca$;Xl)tz+* zdRo8BKIIRAJR~Lly}-3smB1aG3@f^)6~5% zi@==#Pb|&@MEG?tMhNOoyo!1=;;4fL$c`gBWJaAHo>j6PZ%G$=!&O{X!zc)hjw;NX z3Ioj`l9cg5K}`!d=k^<}hJ()_Np2-hddP(l=>~vMr&y4fu zD(4Hq#s*foiO3=Pf*fEW4jSJE+eKHJIft?*rc+K3Fd5wiV+( zX6I!aOodl?31^IGYgcD+t2Vyk;<(rb!Sc+tQZ#v%6Prvkv*vlX;VCWrh{p z`OV-Jh&{!4qPl5T2dq`50j3c;rMqnB5~UkhJ3%&t1J#aFKtN{9f&qf>WIP)RXB*)4 z0)3m2fuUBaXFg~udB^9DsO9yMMI5hun(Ll z?GLcoqdkdmpOO7Jac3M8(ZX|YyPfA(Lxpyw`W^@UDaCq=4XwVv>Z`}oJ$PM(76<;` z#8Wp=u@#@2kP30g1-;VVm$H~{bg<4zloDLXUWhYuR+7#z*%OeBwEki~($6A08__hG z0i>d*eE|qM=xs)uu#Gfw!W0+ z*y1hyc==5*R|L{e#W`#^rs3^Oze&SLd2P})S=2Q}>YjuDiJYXh!N%ZE=b1-2#T)*n z`P;G6yT@uMDM^w>`}K_@3FS!^Z!jbsnM2xcBA*q^=+GUAULHPsnpH@}@GVx-hGuxQ zf3YWmw;Ha%_kLDrbOwK{{ye=bLHntY%4nzgNornSbp92gAHb~Xe&Ajv7HV!#9Mjfu z^Qv!tx$a8@MHU^3uo}1gf!?Jq!ZjB*ra?ARN1(XQ(nZL=pLp7k!kX;Te!(B7N!0LM zFUWA->dWjfuArV2QdJs5#>~f(O`>Ypp}^S4N7mbWJ&dse8P+P-o8u^hrp(t;iA$Jj z_CSZHz5u>T_P4YnbePA1O~P^2meXlh4BT84UeW&26XhI%wcrPJG@0GIju3hsNcIswo?IJY!?$waQa)FO%qo>4N zf1=YT0@Y}5Jmno`yNUOF6Z~(E%&P+h6I`j(?l@nPqgps^Wna7`@l8)KX@lSXP2uS3W+0zFH53N!n3dwu4 z^K3aIt_+wIhPWHpLh%P;h4gsG6@UL#U_eoZUH96W47QBZ;+sjtG*JeRUBUG2=MbKJ z-bMqmhp6~zh~F3e$a^keMWT5 zJoB5Z?#tow5JYh~hw3w^X1i>EpL)GxSo~*bg3#T;&;zWyYks%nfMEWKg)+NNKHI3E zhU{XgWu4Ahv2Jj57_c$r^@yxb9Smb*;|`gXlv0PwV6ppA5^^|)vd zY!;~B><$W;ru(99sF|^APkP_k*Jv;&rONVO?k$1=oj`d_uK4+C{7~hj2#`89`a=Xr zq%~Q>s;PpAog-Jwj5t=@viqS~@QgrT{ntj&g1dQ62;ha4=7(tX+XwH^i z$;7Sph|3jeW^N|VTlX{UgU8OSyAG6_j2lAMN;6gL7rjK<4~a6x&xV6)tt8U5Iw4#l zE(60gas6&NSwux(mm|a5g_7IB2{h6 zQyWG8I=NP=q=17@7H>B!6|ERo%R&=#yVN|RdUfSp6Zi2b|}gqi+Z zQ5A#hxSG+1go}d<(}NKJZjz_cPJ46q>I{@~zW14~ZFb%DKfL2&4C0gQ@R2-0mx83O zK{pnYl2REz^ACjq>~@J}d{%8{w{T?1$`a~}t9~7bsJB!PjDx~{!V8dC25y0WUDey# zM<8baBy1rFnj<$SHL`s6^{d@Qh=CdE1Bwvlv_rkm#m$C)7uH5cnH`EsuNv^}p>_Tptv;*6Qc?7Amx~N#hwKT{2N!qoiHonS$c*e|?4v{Gp_jusoo#*g5;qT!ciUIB=V~A~uwJ zvzo^Z;@^$^6mf9Y|EZvhpcN0%oWWi9bmQjhkE3CPnM)pff+*$@%;br1Ap0TcNfR0z zJrfUgA{i#`0P+%>=TE*(3SGtnPkib{AL}t-eY+~5q)a_=sAre@;fJaW^llxiP1|By zvaX!-rml!S=WleEVnn8kHrs2%;O5mz^A;4Jfu6+JB)%fnmNAF0A^sD9fh+%7r`ZfmEBag&2w1boa;QiPWKecdQ3T1 zCA5}ObRXivDgF~|TbW4&o2R_h=>rTpv~H{$gfMYp)r6x;HkyYTCu&ZV5Of3l0jH3s=*lXxwCmq!q}i*N%SIbf!R%3dmy{+}AtgE1cBS61 z@g|fSA$I{gY*jE&qe(C9Ncf;Xs6^foL6qew!9;FR$ZIZ@Wpq zNVuDJlU7$`3=?RDR%2JmU_~c>zvsi#!2p}j&E5pLM__e)e4&d>%?!?(If2P0Xp^pn zX%ffoiRTwBX_15NeFTQcMETC{3X#&UOe*x^WBL@LJ(OAAhyT#270+H*BlOw29gD3C z*@~5?%{jsTSq-c6aNBzuj!d93Rx*%MAi6G&vT?HLjf<(>KDw0ASu!A~SSlNh6wZNl z$0Uk6*D9G}Sx!!tNK6fhORM;T$rw^{&-@-yIHH@a8{C~Bz{y)U*?~$6IkNL8(Slqa>{R0$baatSg%0c zBun&c;Qqr4|LmJA86+czsh5uI?(!NWL3+CS592O3otLb1l$l?@4yJ>49{-DJQ{bYz>UpNr=Uovb>Lb- z$7?@n(5B70{0tJzO66|fiJQ49_z0^q2GO%dR}{{@@lGOVc9we_N+5$VdFu8+`Z0<* zyj(?IWX3B1`zj4RPLXI9+Dsg4Sln*qHO6triT^RlfcGHK3~#H5JLIg|InEPot+?j$ z<$(S`_0kz0EG6*f1K=cWD5nX%$quT?Z%0asf%ZkNfXSh$W2HVNGEr8vb50F=9}k6! zME2Ayf36a^DOn8w!8#YDrLH$}65X}|ffu!*iz*lw#y5u&Jf?dFsB3*sAx02CAb0zK zGRFxE`?OfC2gizph}-0E9Atr^|9#sp$n5a~Us#!U|5 zoBTU3MV7tatN@-X3JDgSq-R}k=K8C1wGSK(j=aN)JY(!mo6xg~7<-g?U>Y>@slAK{ zW()<03Bk+puoI{ipg#xLP^68E0bQ;H<=&FdgYl%BWn)30P1*~FdaEW@rb*niL@m3W z|N37UBf-{$j~KW~wOe+UCnnv9vAa%xLnkY2*q*R=!ggftHe_e1)IfVz1ivqr6^1?q zGt}WVO15sj(wL4S|67l7PP}NhtMJ8;q@`?4$`Q99r7Y7}bz-0-J9ufm2d*i-G2i%J z9qTB-(qPfp$JVIK+W&+%SLPN(iqi8@e= zwM2{JSBt{IVD+odLH??a-XM+Dfzaa%LTnM(>g=y?SB_Y0t9qUe#-H$)bEVHVwyEW~6Oc3aXdIwIj`3GyRDR9zkdLIlk!ZI);$XP|9dp$K~#fsCZsn?JJ_} zM9JC!EFH*%jTc24yGV8*UxS^tYbphKP$U}sPVyf`MtL<>2)Sfi5C6ezZY@C+(`Fx% ziDKwZ)6d&&n9$Q-#eZ6Z{_-|cho}oL_aE*i_(E)u=>EaV>SJ0gqxJTC5aqHiGshKx z2f04Y))vP;Z{|Pi?(~>Pper83j~=Vt@T z&7ZY})tUas^~A!1__wV|h9|h$g%e;PYDF18r~fjc&JO%wS2uOrGBj@ugM!?=Mg9nCdinz{0cDE0 z&)$jHRvk3HV;N3B0DDJl#Ir%0ZqmQdat=Yv!1B^gctm6o59VNxRmD+4Io(R?p_!~J z3RN0y-P2GY-^hOJHRc92t256A1UAQ?SN`*|2erq91ME+Q>dk95p^Qtah7j5go>F7g@zc>T-l3N2;il zUr*>kM+wB6f)sXAmbdI36oAtFrq3A2D5>ExQjt#sj;uXXqhXmGu7K+Ru!~W@ETDmx zh&r)FrAL)uQJtix9L3xf9ROG8H#=p|-LLYa8>X1Nbr6&>Ln$6hGiZ{()M2sqJb=5% z#LEXui3Xp>Z?mT5)&d|;t;8Q27euC}=)JL=eE`gi@x#AWix?}WX*LuzHz3d0KOYFA zOC#a_OxLa#2RQ>jR=A_9FMMkmOjR^;&GSh&G@Dnt9(Pj@Z z3dVj$!MSoXaRE9`)Ca^(ohi$TwloNlrs1d?HxJ@p032x1*|$wWqXjd&lTUd<@^J4i zbbSj^c`PN7b$1O6mN8-_k+zh%!48j(VZK|nvKMZ2xu@+j85MvLPgBgo+($2GZgSd=u<8nguBLKn^F^|mj= z=b^A&BT3uY37@sTTR&NQkSBr!xDZ|BGxW;ofYr_)!DbhF4Ri{>CQlXg{Mr`j_RpuV z{?6{bR}$ZcDpr_uV~GlaS&VWyA@qE>Az_qP&s8-(@1KrZu#)W^!8f(RZy@vP@XwX0 z0yx%M11Hzujj3Inc-W*z6^J;16RwB=vR-Q!)a^L=3!Oixzn!PH&q#qGAiLgu*^Aev z?%s$&q%M3OUU+SX%Zmr~6?6RpG?hnrBGusswWf+#g)rrTY6goJM&aR{(3q`6(&4sx zD=vJ2`v?rBFiGg>f#oC@^^fXoDI)+3mAk%THLv)4NqCg$Jk{$T)u7n00{Uh!u}{~s z)@fSqA@}qESiJwkr5v6dish^gKG4n(K}sX2@}VsXbUmVEz}p}r+RZ!&a`JOF_D{sc62Eo4&XPdS_mGKSR|8~_ z>`J}}6B*+KSc?^o^`ehpB#!?);8(xW`z630Cdn!q1U?#Df)oYoyyH~`X?DOP_-XF) zq5i~lJR}9T=XoXy}=~*wPf4$RC!?$43)+pGTQ9 zVz;j}TW|uWEatCQhAQ6QmuV{8R{HLb^J~By@DM$EoTkYtla1(A9X9YWFri+LiU1q- zdf)L%jevOk)uQpTuX&#L_0OKx1iaR{X5x#I&`z4flX}G2a}HSxJ*%_54^$2iYI{o= zWh+(#Fk{8UT*v}>j2<4q_SeUwgu=`wN!eR#4J8DKD<MM^HFK#?xU6GlgEw`s=iJglniV%q-@_-l|glheCm7 zr}n95dKYz-r<~o}V&->(rHOiUqAIXk5QCe_e2+Clu@`jTvMcUqT%)LN9f!l(yLr8n zmDMXe9(f?YLxW$i%aPGv1N~a5n{~|to?`+x@nQk^Q}{$)PDgTeEN`VUWmCGzr;MH5 z7s%+Yaftv?a8}QaUhe-EM{aMj435@U;D=*O?8}Di@y}sHu(12fQI>tStQZs{(R>*P zmW)fN)-%<2S`TWtt}Aq1Kg1%JXRyW2b`}R`;5!7)L>Va*n~C2#WAA_WuSD_9Q$f^Ry`i%MXk>nX81YIOmf0dxsXg7p@A0I!xcV5bAF+Zxyn?na`x0b@&5%|YS-C| zFDB>J3Z>L}yS_f$9y}!(r&7zzL%m6!QRZGU$KlK659tLrw1~8#`m?QPhqfiR6}9_(O-iZ@p2qwqLu+HIACaMIZNOUPvo2Zr+|}cuVu@0-k1n!YmqvK zh^^0~yLMgrD*~({d`Q8XTcQp9Mqr|9Xy+khWG>4BUa$R zkLD4a@O%V*ps}#2cQ++!%5WQ>m2MOXyBh*?gbH?zip;;l(z6%NnSR8bGzd~Fz)bMa-Nfv*S|Ip!I*U#@~5r>)K#)T>Mw+2T@Y8Z z0K0G!1nQ<;#f5);%M{LD(r&m5&YDtBeK(dhC0F>x0c{_&iCjfD2MrjHY!&hkGF+p1 zt51NV!K~DxfnCIrH{ci<6VNp~F1H4(C