From 47c37349ad9753dd4f1cf972212fe44e43b39891 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Micha=C5=82=20Kr=C3=B3l?= Date: Fri, 9 Mar 2018 15:42:28 +0100 Subject: [PATCH] initial commit --- .cproject | 216 ++++++ .project | 28 + .settings/language.settings.xml | 73 ++ Makefile | 274 +++++++ README.txt | 32 + isv_app/isv_app.cpp | 719 ++++++++++++++++++ isv_app/sample_messages.h | 543 ++++++++++++++ isv_enclave/isv_enclave.config.xml | 12 + isv_enclave/isv_enclave.cpp | 397 ++++++++++ isv_enclave/isv_enclave.edl | 53 ++ isv_enclave/isv_enclave.lds | 10 + isv_enclave/isv_enclave_private.pem | 39 + sample_libcrypto/libsample_libcrypto.so | Bin 0 -> 764816 bytes sample_libcrypto/sample_libcrypto.h | 240 ++++++ service_provider/ecp.cpp | 257 +++++++ service_provider/ecp.h | 114 +++ service_provider/ias_ra.cpp | 254 +++++++ service_provider/ias_ra.h | 209 ++++++ service_provider/network_ra.cpp | 134 ++++ service_provider/network_ra.h | 95 +++ service_provider/remote_attestation_result.h | 105 +++ service_provider/service_provider.cpp | 738 +++++++++++++++++++ service_provider/service_provider.h | 161 ++++ 23 files changed, 4703 insertions(+) create mode 100644 .cproject create mode 100644 .project create mode 100644 .settings/language.settings.xml create mode 100644 Makefile create mode 100644 README.txt create mode 100644 isv_app/isv_app.cpp create mode 100644 isv_app/sample_messages.h create mode 100644 isv_enclave/isv_enclave.config.xml create mode 100644 isv_enclave/isv_enclave.cpp create mode 100644 isv_enclave/isv_enclave.edl create mode 100644 isv_enclave/isv_enclave.lds create mode 100644 isv_enclave/isv_enclave_private.pem create mode 100755 sample_libcrypto/libsample_libcrypto.so create mode 100644 sample_libcrypto/sample_libcrypto.h create mode 100644 service_provider/ecp.cpp create mode 100644 service_provider/ecp.h create mode 100644 service_provider/ias_ra.cpp create mode 100644 service_provider/ias_ra.h create mode 100644 service_provider/network_ra.cpp create mode 100644 service_provider/network_ra.h create mode 100644 
service_provider/remote_attestation_result.h create mode 100644 service_provider/service_provider.cpp create mode 100644 service_provider/service_provider.h diff --git a/.cproject b/.cproject new file mode 100644 index 0000000..28718eb --- /dev/null +++ b/.cproject @@ -0,0 +1,216 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/.project b/.project new file mode 100644 index 0000000..3cc71f6 --- /dev/null +++ b/.project @@ -0,0 +1,28 @@ + + + RemoteAttestation + + + + + + org.eclipse.cdt.managedbuilder.core.genmakebuilder + clean,full,incremental, + + + + + org.eclipse.cdt.managedbuilder.core.ScannerConfigBuilder + full,incremental, + + + + + + org.eclipse.cdt.core.cnature + org.eclipse.cdt.managedbuilder.core.managedBuildNature + org.eclipse.cdt.managedbuilder.core.ScannerConfigNature + org.eclipse.cdt.core.ccnature + com.intel.sgx.sgxnature + + diff --git a/.settings/language.settings.xml b/.settings/language.settings.xml new file mode 100644 index 0000000..bb1f922 --- /dev/null +++ b/.settings/language.settings.xml @@ -0,0 +1,73 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..89e6d18 --- /dev/null +++ b/Makefile 
@@ -0,0 +1,274 @@ +# +# Copyright (C) 2011-2018 Intel Corporation. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# * Neither the name of Intel Corporation nor the names of its +# contributors may be used to endorse or promote products derived +# from this software without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+# +# + +######## SGX SDK Settings ######## + +SGX_SDK ?= /opt/intel/sgxsdk +SGX_MODE ?= HW +SGX_ARCH ?= x64 +SGX_DEBUG ?= 1 + +ifeq ($(shell getconf LONG_BIT), 32) + SGX_ARCH := x86 +else ifeq ($(findstring -m32, $(CXXFLAGS)), -m32) + SGX_ARCH := x86 +endif + +ifeq ($(SGX_ARCH), x86) + SGX_COMMON_CFLAGS := -m32 + SGX_LIBRARY_PATH := $(SGX_SDK)/lib + SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x86/sgx_sign + SGX_EDGER8R := $(SGX_SDK)/bin/x86/sgx_edger8r +else + SGX_COMMON_CFLAGS := -m64 + SGX_LIBRARY_PATH := $(SGX_SDK)/lib64 + SGX_ENCLAVE_SIGNER := $(SGX_SDK)/bin/x64/sgx_sign + SGX_EDGER8R := $(SGX_SDK)/bin/x64/sgx_edger8r +endif + +ifeq ($(SGX_DEBUG), 1) +ifeq ($(SGX_PRERELEASE), 1) +$(error Cannot set SGX_DEBUG and SGX_PRERELEASE at the same time!!) +endif +endif + +ifeq ($(SGX_DEBUG), 1) + SGX_COMMON_CFLAGS += -O0 -g +else + SGX_COMMON_CFLAGS += -O2 +endif + +ifeq ($(SUPPLIED_KEY_DERIVATION), 1) + SGX_COMMON_CFLAGS += -DSUPPLIED_KEY_DERIVATION +endif +######## App Settings ######## + +ifneq ($(SGX_MODE), HW) + Urts_Library_Name := sgx_urts_sim +else + Urts_Library_Name := sgx_urts +endif + +App_Cpp_Files := isv_app/isv_app.cpp +App_Include_Paths := -Iservice_provider -I$(SGX_SDK)/include + +App_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes $(App_Include_Paths) + +# Three configuration modes - Debug, prerelease, release +# Debug - Macro DEBUG enabled. +# Prerelease - Macro NDEBUG and EDEBUG enabled. +# Release - Macro NDEBUG enabled. +ifeq ($(SGX_DEBUG), 1) + App_C_Flags += -DDEBUG -UNDEBUG -UEDEBUG +else ifeq ($(SGX_PRERELEASE), 1) + App_C_Flags += -DNDEBUG -DEDEBUG -UDEBUG +else + App_C_Flags += -DNDEBUG -UEDEBUG -UDEBUG +endif + +App_Cpp_Flags := $(App_C_Flags) -std=c++11 +App_Link_Flags := $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -l$(Urts_Library_Name) -L. 
-lsgx_ukey_exchange -lpthread -lservice_provider -Wl,-rpath=$(CURDIR)/sample_libcrypto -Wl,-rpath=$(CURDIR) + +ifneq ($(SGX_MODE), HW) + App_Link_Flags += -lsgx_uae_service_sim +else + App_Link_Flags += -lsgx_uae_service +endif + +App_Cpp_Objects := $(App_Cpp_Files:.cpp=.o) + +App_Name := app + +######## Service Provider Settings ######## + +ServiceProvider_Cpp_Files := service_provider/ecp.cpp service_provider/network_ra.cpp service_provider/service_provider.cpp service_provider/ias_ra.cpp +ServiceProvider_Include_Paths := -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/libcxx -Isample_libcrypto + +ServiceProvider_C_Flags := $(SGX_COMMON_CFLAGS) -fPIC -Wno-attributes -I$(SGX_SDK)/include -Isample_libcrypto +ServiceProvider_Cpp_Flags := $(ServiceProvider_C_Flags) -std=c++11 +ServiceProvider_Link_Flags := -shared $(SGX_COMMON_CFLAGS) -L$(SGX_LIBRARY_PATH) -lsample_libcrypto -Lsample_libcrypto + +ServiceProvider_Cpp_Objects := $(ServiceProvider_Cpp_Files:.cpp=.o) + +######## Enclave Settings ######## + +ifneq ($(SGX_MODE), HW) + Trts_Library_Name := sgx_trts_sim + Service_Library_Name := sgx_tservice_sim +else + Trts_Library_Name := sgx_trts + Service_Library_Name := sgx_tservice +endif +Crypto_Library_Name := sgx_tcrypto + +Enclave_Cpp_Files := isv_enclave/isv_enclave.cpp +Enclave_Include_Paths := -I$(SGX_SDK)/include -I$(SGX_SDK)/include/tlibc -I$(SGX_SDK)/include/libcxx + +CC_BELOW_4_9 := $(shell expr "`$(CC) -dumpversion`" \< "4.9") +ifeq ($(CC_BELOW_4_9), 1) + Enclave_C_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -ffunction-sections -fdata-sections -fstack-protector +else + Enclave_C_Flags := $(SGX_COMMON_CFLAGS) -nostdinc -fvisibility=hidden -fpie -ffunction-sections -fdata-sections -fstack-protector-strong +endif +Enclave_C_Flags += $(Enclave_Include_Paths) +Enclave_Cpp_Flags := $(Enclave_C_Flags) -std=c++11 -nostdinc++ + +# To generate a proper enclave, it is recommended to follow below guideline to link the trusted 
libraries: +# 1. Link sgx_trts with the `--whole-archive' and `--no-whole-archive' options, +# so that the whole content of trts is included in the enclave. +# 2. For other libraries, you just need to pull the required symbols. +# Use `--start-group' and `--end-group' to link these libraries. +# Do NOT move the libraries linked with `--start-group' and `--end-group' within `--whole-archive' and `--no-whole-archive' options. +# Otherwise, you may get some undesirable errors. +Enclave_Link_Flags := $(SGX_COMMON_CFLAGS) -Wl,--no-undefined -nostdlib -nodefaultlibs -nostartfiles -L$(SGX_LIBRARY_PATH) \ + -Wl,--whole-archive -l$(Trts_Library_Name) -Wl,--no-whole-archive \ + -Wl,--start-group -lsgx_tstdc -lsgx_tcxx -lsgx_tkey_exchange -l$(Crypto_Library_Name) -l$(Service_Library_Name) -Wl,--end-group \ + -Wl,-Bstatic -Wl,-Bsymbolic -Wl,--no-undefined \ + -Wl,-pie,-eenclave_entry -Wl,--export-dynamic \ + -Wl,--defsym,__ImageBase=0 -Wl,--gc-sections \ + -Wl,--version-script=isv_enclave/isv_enclave.lds + +Enclave_Cpp_Objects := $(Enclave_Cpp_Files:.cpp=.o) + +Enclave_Name := isv_enclave.so +Signed_Enclave_Name := isv_enclave.signed.so +Enclave_Config_File := isv_enclave/isv_enclave.config.xml + +ifeq ($(SGX_MODE), HW) +ifeq ($(SGX_DEBUG), 1) + Build_Mode = HW_DEBUG +else ifeq ($(SGX_PRERELEASE), 1) + Build_Mode = HW_PRERELEASE +else + Build_Mode = HW_RELEASE +endif +else +ifeq ($(SGX_DEBUG), 1) + Build_Mode = SIM_DEBUG +else ifeq ($(SGX_PRERELEASE), 1) + Build_Mode = SIM_PRERELEASE +else + Build_Mode = SIM_RELEASE +endif +endif + + +.PHONY: all run + +ifeq ($(Build_Mode), HW_RELEASE) +all: .config_$(Build_Mode)_$(SGX_ARCH) libservice_provider.so $(App_Name) $(Enclave_Name) + @echo "The project has been built in release hardware mode." + @echo "Please sign the $(Enclave_Name) first with your signing key before you run the $(App_Name) to launch and access the enclave." 
+ @echo "To sign the enclave use the command:" + @echo " $(SGX_ENCLAVE_SIGNER) sign -key -enclave $(Enclave_Name) -out <$(Signed_Enclave_Name)> -config $(Enclave_Config_File)" + @echo "You can also sign the enclave using an external signing tool." + @echo "To build the project in simulation mode set SGX_MODE=SIM. To build the project in prerelease mode set SGX_PRERELEASE=1 and SGX_MODE=HW." +else +all: .config_$(Build_Mode)_$(SGX_ARCH) libservice_provider.so $(App_Name) $(Signed_Enclave_Name) +ifeq ($(Build_Mode), HW_DEBUG) + @echo "The project has been built in debug hardware mode." +else ifeq ($(Build_Mode), SIM_DEBUG) + @echo "The project has been built in debug simulation mode." +else ifeq ($(Build_Mode), HW_PRERELEASE) + @echo "The project has been built in pre-release hardware mode." +else ifeq ($(Build_Mode), SIM_PRERELEASE) + @echo "The project has been built in pre-release simulation mode." +else + @echo "The project has been built in release simulation mode." +endif +endif + +run: all +ifneq ($(Build_Mode), HW_RELEASE) + @$(CURDIR)/$(App_Name) + @echo "RUN => $(App_Name) [$(SGX_MODE)|$(SGX_ARCH), OK]" +endif + +.config_$(Build_Mode)_$(SGX_ARCH): + @rm -f .config_* $(App_Name) $(App_Name) $(Enclave_Name) $(Signed_Enclave_Name) $(App_Cpp_Objects) isv_app/isv_enclave_u.* $(Enclave_Cpp_Objects) isv_enclave/isv_enclave_t.* libservice_provider.* $(ServiceProvider_Cpp_Objects) + @touch .config_$(Build_Mode)_$(SGX_ARCH) + + +######## App Objects ######## + +isv_app/isv_enclave_u.c: $(SGX_EDGER8R) isv_enclave/isv_enclave.edl + @cd isv_app && $(SGX_EDGER8R) --untrusted ../isv_enclave/isv_enclave.edl --search-path ../isv_enclave --search-path $(SGX_SDK)/include + @echo "GEN => $@" + +isv_app/isv_enclave_u.o: isv_app/isv_enclave_u.c + @$(CC) $(App_C_Flags) -c $< -o $@ + @echo "CC <= $<" + +isv_app/%.o: isv_app/%.cpp + @$(CXX) $(App_Cpp_Flags) -c $< -o $@ + @echo "CXX <= $<" + +$(App_Name): isv_app/isv_enclave_u.o $(App_Cpp_Objects) + @$(CXX) $^ -o $@ 
$(App_Link_Flags) + @echo "LINK => $@" + +######## Service Provider Objects ######## + + +service_provider/%.o: service_provider/%.cpp + @$(CXX) $(ServiceProvider_Cpp_Flags) -c $< -o $@ + @echo "CXX <= $<" + +libservice_provider.so: $(ServiceProvider_Cpp_Objects) + @$(CXX) $^ -o $@ $(ServiceProvider_Link_Flags) + @echo "LINK => $@" + +######## Enclave Objects ######## + +isv_enclave/isv_enclave_t.c: $(SGX_EDGER8R) isv_enclave/isv_enclave.edl + @cd isv_enclave && $(SGX_EDGER8R) --trusted ../isv_enclave/isv_enclave.edl --search-path ../isv_enclave --search-path $(SGX_SDK)/include + @echo "GEN => $@" + +isv_enclave/isv_enclave_t.o: isv_enclave/isv_enclave_t.c + @$(CC) $(Enclave_C_Flags) -c $< -o $@ + @echo "CC <= $<" + +isv_enclave/%.o: isv_enclave/%.cpp + @$(CXX) $(Enclave_Cpp_Flags) -c $< -o $@ + @echo "CXX <= $<" + +$(Enclave_Name): isv_enclave/isv_enclave_t.o $(Enclave_Cpp_Objects) + @$(CXX) $^ -o $@ $(Enclave_Link_Flags) + @echo "LINK => $@" + +$(Signed_Enclave_Name): $(Enclave_Name) + @$(SGX_ENCLAVE_SIGNER) sign -key isv_enclave/isv_enclave_private.pem -enclave $(Enclave_Name) -out $@ -config $(Enclave_Config_File) + @echo "SIGN => $@" + +.PHONY: clean + +clean: + @rm -f .config_* $(App_Name) $(App_Name) $(Enclave_Name) $(Signed_Enclave_Name) $(App_Cpp_Objects) isv_app/isv_enclave_u.* $(Enclave_Cpp_Objects) isv_enclave/isv_enclave_t.* libservice_provider.* $(ServiceProvider_Cpp_Objects) diff --git a/README.txt b/README.txt new file mode 100644 index 0000000..e3709b2 --- /dev/null +++ b/README.txt 
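Review bot: The `$(Signed_Enclave_Name)` rule near the end of the Makefile signs every build other than HW_RELEASE, including HW_PRERELEASE, with `isv_enclave/isv_enclave_private.pem`, a private key that this same commit adds to the repository. Anyone with the repository can therefore sign an enclave that carries the same signer identity (MRSIGNER), so a verifier cannot rely on that identity for these builds. I would take the key path from a variable, `Enclave_Signing_Key ?= isv_enclave/isv_enclave_private.pem` with `-key $(Enclave_Signing_Key)` in the rule, and put above it a comment such as `# Test key only: it is public, so MRSIGNER from builds signed with it must not be trusted.` Separately, `ServiceProvider_Link_Flags` links `-lsample_libcrypto` from `sample_libcrypto/libsample_libcrypto.so`, which the diffstat shows is committed as a binary, so the service provider's crypto cannot be reviewed or rebuilt from this tree; a comment recording its origin and a checksum would help. `SGX_DEBUG ?= 1` makes a plain `make` the debug configuration (`-DDEBUG`, `-O0 -g`), which deserves a comment next to the variable saying that this default is not meant for protecting secrets.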
@@ -0,0 +1,32 @@ +# airtnt + +---------------------------- +Purpose of RemoteAttestation +---------------------------- +The project demonstrates: +- How an application enclave can attest to a remote party +- How an application enclave and the remote party can establish a secure session + +------------------------------------ +How to Build/Execute the Sample Code +------------------------------------ +1. Install Intel(R) Software Guard Extensions (Intel(R) SGX) SDK for Linux* OS +2. Make sure your environment is set: + $ source ${sgx-sdk-install-path}/environment +3. Build the project with the prepared Makefile: + a. Hardware Mode, Debug build: + $ make + b. Hardware Mode, Pre-release build: + $ make SGX_PRERELEASE=1 SGX_DEBUG=0 + c. Hardware Mode, Release build: + $ make SGX_DEBUG=0 + d. Simulation Mode, Debug build: + $ make SGX_MODE=SIM + e. Simulation Mode, Pre-release build: + $ make SGX_MODE=SIM SGX_PRERELEASE=1 SGX_DEBUG=0 + f. Simulation Mode, Release build: + $ make SGX_MODE=SIM SGX_DEBUG=0 +4. Execute the binary directly: + $ ./app +5. Remember to "make clean" before switching build mode +6. Add libcrypto to the path before runnig: `export LD_LIBRARY_PATH=`pwd`/sample_libcrypto` diff --git a/isv_app/isv_app.cpp b/isv_app/isv_app.cpp new file mode 100644 index 0000000..74ec080 --- /dev/null +++ b/isv_app/isv_app.cpp 
@@ -0,0 +1,719 @@ +/* + * Copyright (C) 2011-2018 Intel Corporation. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +// This sample is confined to the communication between a SGX client platform +// and an ISV Application Server. + + + +#include +#include +#include +// Needed for definition of remote attestation messages. +#include "remote_attestation_result.h" + +#include "isv_enclave_u.h" + +// Needed to call untrusted key exchange library APIs, i.e. sgx_ra_proc_msg2. 
+#include "sgx_ukey_exchange.h" + +// Needed to get service provider's information, in your real project, you will +// need to talk to real server. +#include "network_ra.h" + +// Needed to create enclave and do ecall. +#include "sgx_urts.h" + +// Needed to query extended epid group id. +#include "sgx_uae_service.h" + +#include "service_provider.h" + +#ifndef SAFE_FREE +#define SAFE_FREE(ptr) {if (NULL != (ptr)) {free(ptr); (ptr) = NULL;}} +#endif + +// In addition to generating and sending messages, this application +// can use pre-generated messages to verify the generation of +// messages and the information flow. +#include "sample_messages.h" + + +#define ENCLAVE_PATH "isv_enclave.signed.so" + +uint8_t* msg1_samples[] = { msg1_sample1, msg1_sample2 }; +uint8_t* msg2_samples[] = { msg2_sample1, msg2_sample2 }; +uint8_t* msg3_samples[] = { msg3_sample1, msg3_sample2 }; +uint8_t* attestation_msg_samples[] = + { attestation_msg_sample1, attestation_msg_sample2}; + +// Some utility functions to output some of the data structures passed between +// the ISV app and the remote attestation service provider. 
+void PRINT_BYTE_ARRAY( + FILE *file, void *mem, uint32_t len) +{ + if(!mem || !len) + { + fprintf(file, "\n( null )\n"); + return; + } + uint8_t *array = (uint8_t *)mem; + fprintf(file, "%u bytes:\n{\n", len); + uint32_t i = 0; + for(i = 0; i < len - 1; i++) + { + fprintf(file, "0x%x, ", array[i]); + if(i % 8 == 7) fprintf(file, "\n"); + } + fprintf(file, "0x%x ", array[i]); + fprintf(file, "\n}\n"); +} + + +void PRINT_ATTESTATION_SERVICE_RESPONSE( + FILE *file, + ra_samp_response_header_t *response) +{ + if(!response) + { + fprintf(file, "\t\n( null )\n"); + return; + } + + fprintf(file, "RESPONSE TYPE: 0x%x\n", response->type); + fprintf(file, "RESPONSE STATUS: 0x%x 0x%x\n", response->status[0], + response->status[1]); + fprintf(file, "RESPONSE BODY SIZE: %u\n", response->size); + + if(response->type == TYPE_RA_MSG2) + { + sgx_ra_msg2_t* p_msg2_body = (sgx_ra_msg2_t*)(response->body); + + fprintf(file, "MSG2 gb - "); + PRINT_BYTE_ARRAY(file, &(p_msg2_body->g_b), sizeof(p_msg2_body->g_b)); + + fprintf(file, "MSG2 spid - "); + PRINT_BYTE_ARRAY(file, &(p_msg2_body->spid), sizeof(p_msg2_body->spid)); + + fprintf(file, "MSG2 quote_type : %hx\n", p_msg2_body->quote_type); + + fprintf(file, "MSG2 kdf_id : %hx\n", p_msg2_body->kdf_id); + + fprintf(file, "MSG2 sign_gb_ga - "); + PRINT_BYTE_ARRAY(file, &(p_msg2_body->sign_gb_ga), + sizeof(p_msg2_body->sign_gb_ga)); + + fprintf(file, "MSG2 mac - "); + PRINT_BYTE_ARRAY(file, &(p_msg2_body->mac), sizeof(p_msg2_body->mac)); + + fprintf(file, "MSG2 sig_rl - "); + PRINT_BYTE_ARRAY(file, &(p_msg2_body->sig_rl), + p_msg2_body->sig_rl_size); + } + else if(response->type == TYPE_RA_ATT_RESULT) + { + sample_ra_att_result_msg_t *p_att_result = + (sample_ra_att_result_msg_t *)(response->body); + fprintf(file, "ATTESTATION RESULT MSG platform_info_blob - "); + PRINT_BYTE_ARRAY(file, &(p_att_result->platform_info_blob), + sizeof(p_att_result->platform_info_blob)); + + fprintf(file, "ATTESTATION RESULT MSG mac - "); + 
PRINT_BYTE_ARRAY(file, &(p_att_result->mac), sizeof(p_att_result->mac)); + + fprintf(file, "ATTESTATION RESULT MSG secret.payload_tag - %u bytes\n", + p_att_result->secret.payload_size); + + fprintf(file, "ATTESTATION RESULT MSG secret.payload - "); + PRINT_BYTE_ARRAY(file, p_att_result->secret.payload, + p_att_result->secret.payload_size); + } + else + { + fprintf(file, "\nERROR in printing out the response. " + "Response of type not supported %d\n", response->type); + } +} + +// This sample code doesn't have any recovery/retry mechanisms for the remote +// attestation. Since the enclave can be lost due S3 transitions, apps +// susceptible to S3 transitions should have logic to restart attestation in +// these scenarios. +#define _T(x) x +int main(int argc, char* argv[]) +{ + int ret = 0; + ra_samp_request_header_t *p_msg0_full = NULL; + ra_samp_response_header_t *p_msg0_resp_full = NULL; + ra_samp_request_header_t *p_msg1_full = NULL; + ra_samp_response_header_t *p_msg2_full = NULL; + sgx_ra_msg3_t *p_msg3 = NULL; + ra_samp_response_header_t* p_att_result_msg_full = NULL; + sgx_enclave_id_t enclave_id = 0; + int enclave_lost_retry_time = 1; + int busy_retry_time = 4; + sgx_ra_context_t context = INT_MAX; + sgx_status_t status = SGX_SUCCESS; + ra_samp_request_header_t* p_msg3_full = NULL; + + int32_t verify_index = -1; + int32_t verification_samples = sizeof(msg1_samples)/sizeof(msg1_samples[0]); + + FILE* OUTPUT = stdout; + +#define VERIFICATION_INDEX_IS_VALID() (verify_index > 0 && \ + verify_index <= verification_samples) +#define GET_VERIFICATION_ARRAY_INDEX() (verify_index-1) + + if(argc > 1) + { + + verify_index = atoi(argv[1]); + + if( VERIFICATION_INDEX_IS_VALID()) + { + fprintf(OUTPUT, "\nVerifying precomputed attestation messages " + "using precomputed values# %d\n", verify_index); + } + else + { + fprintf(OUTPUT, "\nValid invocations are:\n"); + fprintf(OUTPUT, "\n\tisv_app\n"); + fprintf(OUTPUT, "\n\tisv_app \n"); + fprintf(OUTPUT, "\nValid indices are 
[1 - %d]\n", + verification_samples); + fprintf(OUTPUT, "\nUsing a verification index uses precomputed " + "messages to assist debugging the remote attestation " + "service provider.\n"); + return -1; + } + } + + // Preparation for remote attestation by configuring extended epid group id. + { + uint32_t extended_epid_group_id = 0; + ret = sgx_get_extended_epid_group_id(&extended_epid_group_id); + if (SGX_SUCCESS != ret) + { + ret = -1; + fprintf(OUTPUT, "\nError, call sgx_get_extended_epid_group_id fail [%s].", + __FUNCTION__); + return ret; + } + fprintf(OUTPUT, "\nCall sgx_get_extended_epid_group_id success."); + + p_msg0_full = (ra_samp_request_header_t*) + malloc(sizeof(ra_samp_request_header_t) + +sizeof(uint32_t)); + if (NULL == p_msg0_full) + { + ret = -1; + goto CLEANUP; + } + p_msg0_full->type = TYPE_RA_MSG0; + p_msg0_full->size = sizeof(uint32_t); + + *(uint32_t*)((uint8_t*)p_msg0_full + sizeof(ra_samp_request_header_t)) = extended_epid_group_id; + { + + fprintf(OUTPUT, "\nMSG0 body generated -\n"); + + PRINT_BYTE_ARRAY(OUTPUT, p_msg0_full->body, p_msg0_full->size); + + } + // The ISV application sends msg0 to the SP. + // The ISV decides whether to support this extended epid group id. + fprintf(OUTPUT, "\nSending msg0 to remote attestation service provider.\n"); + + ret = ra_network_send_receive("http://SampleServiceProvider.intel.com/", + p_msg0_full, + &p_msg0_resp_full); + if (ret != 0) + { + fprintf(OUTPUT, "\nError, ra_network_send_receive for msg0 failed " + "[%s].", __FUNCTION__); + goto CLEANUP; + } + fprintf(OUTPUT, "\nSent MSG0 to remote attestation service.\n"); + } + // Remote attestation will be initiated the ISV server challenges the ISV + // app or if the ISV app detects it doesn't have the credentials + // (shared secret) from a previous attestation required for secure + // communication with the server. + { + // ISV application creates the ISV enclave. 
+ int launch_token_update = 0; + sgx_launch_token_t launch_token = {0}; + memset(&launch_token, 0, sizeof(sgx_launch_token_t)); + do + { + ret = sgx_create_enclave(_T(ENCLAVE_PATH), + SGX_DEBUG_FLAG, + &launch_token, + &launch_token_update, + &enclave_id, NULL); + if(SGX_SUCCESS != ret) + { + ret = -1; + fprintf(OUTPUT, "\nError, call sgx_create_enclave fail [%s].", + __FUNCTION__); + goto CLEANUP; + } + fprintf(OUTPUT, "\nCall sgx_create_enclave success."); + + ret = enclave_init_ra(enclave_id, + &status, + false, + &context); + //Ideally, this check would be around the full attestation flow. + } while (SGX_ERROR_ENCLAVE_LOST == ret && enclave_lost_retry_time--); + + if(SGX_SUCCESS != ret || status) + { + ret = -1; + fprintf(OUTPUT, "\nError, call enclave_init_ra fail [%s].", + __FUNCTION__); + goto CLEANUP; + } + fprintf(OUTPUT, "\nCall enclave_init_ra success."); + + // isv application call uke sgx_ra_get_msg1 + p_msg1_full = (ra_samp_request_header_t*) + malloc(sizeof(ra_samp_request_header_t) + + sizeof(sgx_ra_msg1_t)); + if(NULL == p_msg1_full) + { + ret = -1; + goto CLEANUP; + } + p_msg1_full->type = TYPE_RA_MSG1; + p_msg1_full->size = sizeof(sgx_ra_msg1_t); + do + { + ret = sgx_ra_get_msg1(context, enclave_id, sgx_ra_get_ga, + (sgx_ra_msg1_t*)((uint8_t*)p_msg1_full + + sizeof(ra_samp_request_header_t))); + sleep(3); // Wait 3s between retries + } while (SGX_ERROR_BUSY == ret && busy_retry_time--); + if(SGX_SUCCESS != ret) + { + ret = -1; + fprintf(OUTPUT, "\nError, call sgx_ra_get_msg1 fail [%s].", + __FUNCTION__); + goto CLEANUP; + } + else + { + fprintf(OUTPUT, "\nCall sgx_ra_get_msg1 success.\n"); + + fprintf(OUTPUT, "\nMSG1 body generated -\n"); + + PRINT_BYTE_ARRAY(OUTPUT, p_msg1_full->body, p_msg1_full->size); + + } + + if(VERIFICATION_INDEX_IS_VALID()) + { + + memcpy_s(p_msg1_full->body, p_msg1_full->size, + msg1_samples[GET_VERIFICATION_ARRAY_INDEX()], + p_msg1_full->size); + + fprintf(OUTPUT, "\nInstead of using the recently generated MSG1, " + "we 
will use the following precomputed MSG1 -\n"); + + PRINT_BYTE_ARRAY(OUTPUT, p_msg1_full->body, p_msg1_full->size); + } + + + // The ISV application sends msg1 to the SP to get msg2, + // msg2 needs to be freed when no longer needed. + // The ISV decides whether to use linkable or unlinkable signatures. + fprintf(OUTPUT, "\nSending msg1 to remote attestation service provider." + "Expecting msg2 back.\n"); + + + ret = ra_network_send_receive("http://SampleServiceProvider.intel.com/", + p_msg1_full, + &p_msg2_full); + + if(ret != 0 || !p_msg2_full) + { + fprintf(OUTPUT, "\nError, ra_network_send_receive for msg1 failed " + "[%s].", __FUNCTION__); + if(VERIFICATION_INDEX_IS_VALID()) + { + fprintf(OUTPUT, "\nBecause we are in verification mode we will " + "ignore this error.\n"); + fprintf(OUTPUT, "\nInstead, we will pretend we received the " + "following MSG2 - \n"); + + SAFE_FREE(p_msg2_full); + ra_samp_response_header_t* precomputed_msg2 = + (ra_samp_response_header_t*)msg2_samples[ + GET_VERIFICATION_ARRAY_INDEX()]; + const size_t msg2_full_size = sizeof(ra_samp_response_header_t) + + precomputed_msg2->size; + p_msg2_full = + (ra_samp_response_header_t*)malloc(msg2_full_size); + if(NULL == p_msg2_full) + { + ret = -1; + goto CLEANUP; + } + memcpy_s(p_msg2_full, msg2_full_size, precomputed_msg2, + msg2_full_size); + + PRINT_BYTE_ARRAY(OUTPUT, p_msg2_full, + sizeof(ra_samp_response_header_t) + + p_msg2_full->size); + } + else + { + goto CLEANUP; + } + } + else + { + // Successfully sent msg1 and received a msg2 back. + // Time now to check msg2. + if(TYPE_RA_MSG2 != p_msg2_full->type) + { + + fprintf(OUTPUT, "\nError, didn't get MSG2 in response to MSG1. " + "[%s].", __FUNCTION__); + + if(VERIFICATION_INDEX_IS_VALID()) + { + fprintf(OUTPUT, "\nBecause we are in verification mode we " + "will ignore this error."); + } + else + { + goto CLEANUP; + } + } + + fprintf(OUTPUT, "\nSent MSG1 to remote attestation service " + "provider. 
Received the following MSG2:\n"); + PRINT_BYTE_ARRAY(OUTPUT, p_msg2_full, + sizeof(ra_samp_response_header_t) + + p_msg2_full->size); + + fprintf(OUTPUT, "\nA more descriptive representation of MSG2:\n"); + PRINT_ATTESTATION_SERVICE_RESPONSE(OUTPUT, p_msg2_full); + + if( VERIFICATION_INDEX_IS_VALID() ) + { + // The response should match the precomputed MSG2: + ra_samp_response_header_t* precomputed_msg2 = + (ra_samp_response_header_t *) + msg2_samples[GET_VERIFICATION_ARRAY_INDEX()]; + if(MSG2_BODY_SIZE != + sizeof(ra_samp_response_header_t) + p_msg2_full->size || + memcmp( precomputed_msg2, p_msg2_full, + sizeof(ra_samp_response_header_t) + p_msg2_full->size)) + { + fprintf(OUTPUT, "\nVerification ERROR. Our precomputed " + "value for MSG2 does NOT match.\n"); + fprintf(OUTPUT, "\nPrecomputed value for MSG2:\n"); + PRINT_BYTE_ARRAY(OUTPUT, precomputed_msg2, + sizeof(ra_samp_response_header_t) + + precomputed_msg2->size); + fprintf(OUTPUT, "\nA more descriptive representation " + "of precomputed value for MSG2:\n"); + PRINT_ATTESTATION_SERVICE_RESPONSE(OUTPUT, + precomputed_msg2); + } + else + { + fprintf(OUTPUT, "\nVerification COMPLETE. Remote " + "attestation service provider generated a " + "matching MSG2.\n"); + } + } + + } + + sgx_ra_msg2_t* p_msg2_body = (sgx_ra_msg2_t*)((uint8_t*)p_msg2_full + + sizeof(ra_samp_response_header_t)); + + + uint32_t msg3_size = 0; + if( VERIFICATION_INDEX_IS_VALID()) + { + // We cannot generate a valid MSG3 using the precomputed messages + // we have been using. We will use the precomputed msg3 instead. + msg3_size = MSG3_BODY_SIZE; + p_msg3 = (sgx_ra_msg3_t*)malloc(msg3_size); + if(NULL == p_msg3) + { + ret = -1; + goto CLEANUP; + } + memcpy_s(p_msg3, msg3_size, + msg3_samples[GET_VERIFICATION_ARRAY_INDEX()], msg3_size); + fprintf(OUTPUT, "\nBecause MSG1 was a precomputed value, the MSG3 " + "we use will also be. 
PRECOMPUTED MSG3 - \n"); + } + else + { + busy_retry_time = 2; + // The ISV app now calls uKE sgx_ra_proc_msg2, + // The ISV app is responsible for freeing the returned p_msg3!! + do + { + ret = sgx_ra_proc_msg2(context, + enclave_id, + sgx_ra_proc_msg2_trusted, + sgx_ra_get_msg3_trusted, + p_msg2_body, + p_msg2_full->size, + &p_msg3, + &msg3_size); + } while (SGX_ERROR_BUSY == ret && busy_retry_time--); + if(!p_msg3) + { + fprintf(OUTPUT, "\nError, call sgx_ra_proc_msg2 fail. " + "p_msg3 = 0x%p [%s].", p_msg3, __FUNCTION__); + ret = -1; + goto CLEANUP; + } + if(SGX_SUCCESS != (sgx_status_t)ret) + { + fprintf(OUTPUT, "\nError, call sgx_ra_proc_msg2 fail. " + "ret = 0x%08x [%s].", ret, __FUNCTION__); + ret = -1; + goto CLEANUP; + } + else + { + fprintf(OUTPUT, "\nCall sgx_ra_proc_msg2 success.\n"); + fprintf(OUTPUT, "\nMSG3 - \n"); + } + } + + PRINT_BYTE_ARRAY(OUTPUT, p_msg3, msg3_size); + + p_msg3_full = (ra_samp_request_header_t*)malloc( + sizeof(ra_samp_request_header_t) + msg3_size); + if(NULL == p_msg3_full) + { + ret = -1; + goto CLEANUP; + } + p_msg3_full->type = TYPE_RA_MSG3; + p_msg3_full->size = msg3_size; + if(memcpy_s(p_msg3_full->body, msg3_size, p_msg3, msg3_size)) + { + fprintf(OUTPUT,"\nError: INTERNAL ERROR - memcpy failed in [%s].", + __FUNCTION__); + ret = -1; + goto CLEANUP; + } + + // The ISV application sends msg3 to the SP to get the attestation + // result message, attestation result message needs to be freed when + // no longer needed. The ISV service provider decides whether to use + // linkable or unlinkable signatures. The format of the attestation + // result is up to the service provider. This format is used for + // demonstration. Note that the attestation result message makes use + // of both the MK for the MAC and the SK for the secret. These keys are + // established from the SIGMA secure channel binding. 
+ ret = ra_network_send_receive("http://SampleServiceProvider.intel.com/", + p_msg3_full, + &p_att_result_msg_full); + if(ret || !p_att_result_msg_full) + { + ret = -1; + fprintf(OUTPUT, "\nError, sending msg3 failed [%s].", __FUNCTION__); + goto CLEANUP; + } + + + sample_ra_att_result_msg_t * p_att_result_msg_body = + (sample_ra_att_result_msg_t *)((uint8_t*)p_att_result_msg_full + + sizeof(ra_samp_response_header_t)); + if(TYPE_RA_ATT_RESULT != p_att_result_msg_full->type) + { + ret = -1; + fprintf(OUTPUT, "\nError. Sent MSG3 successfully, but the message " + "received was NOT of type att_msg_result. Type = " + "%d. [%s].", p_att_result_msg_full->type, + __FUNCTION__); + goto CLEANUP; + } + else + { + fprintf(OUTPUT, "\nSent MSG3 successfully. Received an attestation " + "result message back\n."); + if( VERIFICATION_INDEX_IS_VALID() ) + { + if(ATTESTATION_MSG_BODY_SIZE != p_att_result_msg_full->size || + memcmp(p_att_result_msg_full->body, + attestation_msg_samples[GET_VERIFICATION_ARRAY_INDEX()], + p_att_result_msg_full->size) ) + { + fprintf(OUTPUT, "\nSent MSG3 successfully. Received an " + "attestation result message back that did " + "NOT match the expected value.\n"); + fprintf(OUTPUT, "\nEXPECTED ATTESTATION RESULT -"); + PRINT_BYTE_ARRAY(OUTPUT, + attestation_msg_samples[GET_VERIFICATION_ARRAY_INDEX()], + ATTESTATION_MSG_BODY_SIZE); + } + } + } + + fprintf(OUTPUT, "\nATTESTATION RESULT RECEIVED - "); + PRINT_BYTE_ARRAY(OUTPUT, p_att_result_msg_full->body, + p_att_result_msg_full->size); + + + if( VERIFICATION_INDEX_IS_VALID() ) + { + fprintf(OUTPUT, "\nBecause we used precomputed values for the " + "messages, the attestation result message will " + "not pass further verification tests, so we will " + "skip them.\n"); + goto CLEANUP; + } + + // Check the MAC using MK on the attestation result message. + // The format of the attestation result message is ISV specific. + // This is a simple form for demonstration. 
In a real product, + // the ISV may want to communicate more information. + ret = verify_att_result_mac(enclave_id, + &status, + context, + (uint8_t*)&p_att_result_msg_body->platform_info_blob, + sizeof(ias_platform_info_blob_t), + (uint8_t*)&p_att_result_msg_body->mac, + sizeof(sgx_mac_t)); + if((SGX_SUCCESS != ret) || + (SGX_SUCCESS != status)) + { + ret = -1; + fprintf(OUTPUT, "\nError: INTEGRITY FAILED - attestation result " + "message MK based cmac failed in [%s].", + __FUNCTION__); + goto CLEANUP; + } + + bool attestation_passed = true; + // Check the attestation result for pass or fail. + // Whether attestation passes or fails is a decision made by the ISV Server. + // When the ISV server decides to trust the enclave, then it will return success. + // When the ISV server decided to not trust the enclave, then it will return failure. + if(0 != p_att_result_msg_full->status[0] + || 0 != p_att_result_msg_full->status[1]) + { + fprintf(OUTPUT, "\nError, attestation result message MK based cmac " + "failed in [%s].", __FUNCTION__); + attestation_passed = false; + } + + // The attestation result message should contain a field for the Platform + // Info Blob (PIB). The PIB is returned by attestation server in the attestation report. + // It is not returned in all cases, but when it is, the ISV app + // should pass it to the blob analysis API called sgx_report_attestation_status() + // along with the trust decision from the ISV server. + // The ISV application will take action based on the update_info. + // returned in update_info by the API. + // This call is stubbed out for the sample. + // + // sgx_update_info_bit_t update_info; + // ret = sgx_report_attestation_status( + // &p_att_result_msg_body->platform_info_blob, + // attestation_passed ? 
0 : 1, &update_info);
+
+ // Get the shared secret sent by the server using SK (if attestation
+ // passed)
+ if(attestation_passed)
+ {
+ ret = put_secret_data(enclave_id,
+ &status,
+ context,
+ p_att_result_msg_body->secret.payload,
+ p_att_result_msg_body->secret.payload_size,
+ p_att_result_msg_body->secret.payload_tag);
+ if((SGX_SUCCESS != ret) || (SGX_SUCCESS != status))
+ {
+ fprintf(OUTPUT, "\nError, attestation result message secret "
+ "using SK based AESGCM failed in [%s]. ret = "
+ "0x%0x. status = 0x%0x", __FUNCTION__, ret,
+ status);
+ goto CLEANUP;
+ }
+ }
+ fprintf(OUTPUT, "\nSecret successfully received from server.");
+ fprintf(OUTPUT, "\nRemote attestation success!");
+ }
+
+CLEANUP:
+ // Clean-up
+ // Need to close the RA key state.
+ if(INT_MAX != context)
+ {
+ int ret_save = ret;
+ ret = enclave_ra_close(enclave_id, &status, context);
+ if(SGX_SUCCESS != ret || status)
+ {
+ ret = -1;
+ fprintf(OUTPUT, "\nError, call enclave_ra_close fail [%s].",
+ __FUNCTION__);
+ }
+ else
+ {
+ // enclave_ra_close was successful, let's restore the value that
+ // led us to this point in the code.
+ ret = ret_save;
+ }
+ fprintf(OUTPUT, "\nCall enclave_ra_close success.");
+ }
+
+ sgx_destroy_enclave(enclave_id);
+
+
+ ra_free_network_response_buffer(p_msg0_resp_full);
+ ra_free_network_response_buffer(p_msg2_full);
+ ra_free_network_response_buffer(p_att_result_msg_full);
+
+ // p_msg3 is malloc'd by the untrusted KE library. App needs to free.
+ SAFE_FREE(p_msg3);
+ SAFE_FREE(p_msg3_full);
+ SAFE_FREE(p_msg1_full);
+ SAFE_FREE(p_msg0_full);
+ printf("\nEnter a character before exit ...\n");
+ getchar();
+ return ret;
+}
+
diff --git a/isv_app/sample_messages.h b/isv_app/sample_messages.h
new file mode 100644
index 0000000..e2a80f6
--- /dev/null
+++ b/isv_app/sample_messages.h
@@ -0,0 +1,543 @@
+/*
+ * Copyright (C) 2011-2018 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+
+//This file contains samples of messages sent between the sample ISV application
+//and the sample service provider. It is intended to be used so that authors
+//of other service providers can verify that the messages generated by their
+//remote attestation service matches.
+ +#include + +#define MSG1_BODY_SIZE 68 + +uint8_t msg1_sample1[MSG1_BODY_SIZE] = +{ + 0xe8, 0xcf, 0xf, 0x97, 0x8a, 0xf4, 0x24, 0x8a, + 0xf5, 0x5b, 0x56, 0xf0, 0xac, 0x7f, 0x78, 0x39, + 0x71, 0x10, 0xb8, 0xdc, 0x88, 0xd, 0x50, 0xf0, + 0x39, 0x85, 0x37, 0xfe, 0xad, 0x1f, 0xc7, 0x59, + 0xc7, 0x23, 0x81, 0xfd, 0x4a, 0x2, 0x48, 0xdf, + 0xd3, 0x74, 0xda, 0x45, 0x48, 0x62, 0xc8, 0xb6, + 0x73, 0x43, 0x26, 0x42, 0x8f, 0x1f, 0x89, 0x17, + 0xe7, 0xa9, 0x2a, 0xf5, 0x27, 0xb3, 0xcc, 0x4d, + 0x3, 0x1, 0x0, 0x0 +}; + +uint8_t msg1_sample2[MSG1_BODY_SIZE] = +{ + 0xa8, 0x56, 0x72, 0xc1, 0x14, 0x41, 0xa, 0x2f, + 0xdc, 0xb0, 0xa8, 0xa1, 0x3a, 0x51, 0x40, 0xf9, + 0x12, 0x9f, 0x11, 0x86, 0xe9, 0x1a, 0xf1, 0x16, + 0xbc, 0xd4, 0x6, 0x2f, 0x47, 0x2c, 0xc3, 0x37, + 0x8e, 0x65, 0x7, 0x29, 0x85, 0xb0, 0x8, 0x61, + 0x6b, 0x6d, 0xc7, 0x22, 0x7d, 0x22, 0x61, 0x7f, + 0x40, 0x43, 0x40, 0x5a, 0x7a, 0xf4, 0x94, 0x0, + 0x60, 0x36, 0xf6, 0xa4, 0x22, 0x22, 0x41, 0x82, + 0x3, 0x1, 0x0, 0x0 +}; + +#define MSG2_BODY_SIZE 176 + +uint8_t msg2_sample1[MSG2_BODY_SIZE] = +{ + 0x2, 0x0, 0x0, 0xa8, 0x0, 0x0, 0x0, 0x0, + 0x6a, 0x83, 0xdc, 0x84, 0xd4, 0x4c, 0x8a, 0xbb, + 0x5e, 0x42, 0xaf, 0xee, 0x8d, 0xe9, 0xf4, 0x57, + 0x71, 0xfd, 0x73, 0x66, 0xd7, 0xfa, 0xad, 0xfa, + 0xf2, 0x17, 0x14, 0xdd, 0x5a, 0xb9, 0x9e, 0x97, + 0x79, 0xa7, 0x38, 0x72, 0xf2, 0xb8, 0xd6, 0xbe, + 0x18, 0x91, 0x7f, 0xf7, 0xb5, 0xd3, 0xe5, 0x64, + 0x9b, 0x12, 0x18, 0xaf, 0x39, 0x29, 0x6c, 0x24, + 0x19, 0x38, 0x29, 0xb, 0xc6, 0xac, 0xc, 0x62, + 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x20, + 0x58, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x1, 0x0, 0x1, 0x0, 0x6a, 0x83, 0xdc, 0x84, + 0xd4, 0x4c, 0x8a, 0xbb, 0x5e, 0x42, 0xaf, 0xee, + 0x8d, 0xe9, 0xf4, 0x57, 0x71, 0xfd, 0x73, 0x66, + 0xd7, 0xfa, 0xad, 0xfa, 0xf2, 0x17, 0x14, 0xdd, + 0x5a, 0xb9, 0x9e, 0x97, 0x6, 0x10, 0x58, 0x61, + 0xa5, 0xbf, 0x7d, 0x2e, 0xab, 0xcc, 0x1a, 0x3e, + 0x4f, 0x44, 0x15, 0xe7, 0x91, 0xca, 0x64, 0x2b, + 0x42, 0xb7, 0x53, 0xd9, 0x71, 0x37, 0xf1, 0x9b, + 0x31, 0xb5, 0xa5, 
0x6b, 0xf8, 0xfa, 0x64, 0xfe, + 0x7a, 0x9e, 0xdc, 0xf4, 0xf0, 0x59, 0xbd, 0x78, + 0x27, 0xc2, 0x55, 0xb9, 0x0, 0x0, 0x0, 0x0 +}; + +uint8_t msg2_sample2[MSG2_BODY_SIZE] = +{ + 0x2, 0x0, 0x0, 0xa8, 0x0, 0x0, 0x0, 0x0, + 0x6a, 0x83, 0xdc, 0x84, 0xd4, 0x4c, 0x8a, 0xbb, + 0x5e, 0x42, 0xaf, 0xee, 0x8d, 0xe9, 0xf4, 0x57, + 0x71, 0xfd, 0x73, 0x66, 0xd7, 0xfa, 0xad, 0xfa, + 0xf2, 0x17, 0x14, 0xdd, 0x5a, 0xb9, 0x9e, 0x97, + 0x79, 0xa7, 0x38, 0x72, 0xf2, 0xb8, 0xd6, 0xbe, + 0x18, 0x91, 0x7f, 0xf7, 0xb5, 0xd3, 0xe5, 0x64, + 0x9b, 0x12, 0x18, 0xaf, 0x39, 0x29, 0x6c, 0x24, + 0x19, 0x38, 0x29, 0xb, 0xc6, 0xac, 0xc, 0x62, + 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x20, + 0x58, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x1, 0x0, 0x1, 0x0, 0x6a, 0x83, 0xdc, 0x84, + 0xd4, 0x4c, 0x8a, 0xbb, 0x5e, 0x42, 0xaf, 0xee, + 0x8d, 0xe9, 0xf4, 0x57, 0x71, 0xfd, 0x73, 0x66, + 0xd7, 0xfa, 0xad, 0xfa, 0xf2, 0x17, 0x14, 0xdd, + 0x5a, 0xb9, 0x9e, 0x97, 0x75, 0x39, 0x23, 0x1b, + 0xc2, 0x5a, 0xd4, 0xfa, 0x41, 0xe9, 0xd4, 0x42, + 0x72, 0x8a, 0x75, 0x4b, 0x48, 0x5a, 0xfb, 0xc0, + 0x90, 0x42, 0xef, 0x9c, 0xed, 0xcb, 0xc1, 0x45, + 0x2d, 0xfe, 0x86, 0xbc, 0xee, 0x3, 0xa8, 0x97, + 0x68, 0xf0, 0xb4, 0xf, 0xa, 0x5b, 0x5f, 0xc1, + 0xe4, 0xf9, 0xa9, 0xa6, 0x0, 0x0, 0x0, 0x0 +}; + +#define MSG3_BODY_SIZE 1452 + +uint8_t msg3_sample1[MSG3_BODY_SIZE] = +{ + 0x57, 0x19, 0x8, 0xa1, 0x3b, 0xd0, 0x37, 0xa8, + 0x4a, 0x32, 0xf1, 0x31, 0xc1, 0x14, 0xff, 0xdf, + 0xe8, 0xcf, 0xf, 0x97, 0x8a, 0xf4, 0x24, 0x8a, + 0xf5, 0x5b, 0x56, 0xf0, 0xac, 0x7f, 0x78, 0x39, + 0x71, 0x10, 0xb8, 0xdc, 0x88, 0xd, 0x50, 0xf0, + 0x39, 0x85, 0x37, 0xfe, 0xad, 0x1f, 0xc7, 0x59, + 0xc7, 0x23, 0x81, 0xfd, 0x4a, 0x2, 0x48, 0xdf, + 0xd3, 0x74, 0xda, 0x45, 0x48, 0x62, 0xc8, 0xb6, + 0x73, 0x43, 0x26, 0x42, 0x8f, 0x1f, 0x89, 0x17, + 0xe7, 0xa9, 0x2a, 0xf5, 0x27, 0xb3, 0xcc, 0x4d, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 
0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x2, 0x0, 0x1, 0x0, 0x3, 0x1, 0x0, 0x0, + 0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x20, + 0x58, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x2, 0x2, 0xff, 0xff, 0xff, 0x1, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0xe2, 0x55, 0x5d, 0xc6, 0xe6, 0x69, 0x53, 0xc0, + 0x8d, 0x52, 0x5b, 0xc0, 0x2a, 0x2c, 0x5c, 0x2f, + 0xc, 0x8c, 0xfe, 0x5b, 0x1, 0xae, 0x89, 0xff, + 0x2, 0x2f, 0x97, 0xea, 0x9b, 0x45, 0xb6, 0x2e, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x60, 0x27, 0x7a, 0xd2, 0xfd, 0xfc, 0x57, 0xe9, + 0x80, 0xe8, 0x76, 0xe7, 0xf8, 0x78, 0xac, 0x19, + 0x9, 0x88, 0xe, 0xa5, 0x38, 0x7, 0x95, 0xa7, + 0xe8, 0xea, 0x98, 0xb1, 0x57, 0x84, 0x1f, 0x85, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x2a, 0xe, 0x9, 0x4c, 0xe2, 0xd9, 0x44, 0x73, + 0x36, 0x42, 0xfa, 0xe0, 0x44, 0x5b, 0x7b, 0x1f, + 0xc2, 0x85, 0x16, 0xca, 0xf1, 0xc5, 0xcd, 0xd2, + 0xf, 0xe4, 0xdf, 0xf, 0x31, 0xca, 0x36, 0x28, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0xa8, 0x2, 0x0, 0x0, 0x68, 0xe3, 0x1d, 0x2, + 0xd1, 0x6, 0x2a, 0x16, 0xab, 0x1c, 0xfd, 0x43, + 0x5c, 0x1f, 0x34, 0x5, 0x15, 0xc4, 0x84, 0xdd, + 0xee, 0x73, 0x79, 0xe7, 0x2e, 0xc8, 0x95, 0x77, + 0x6b, 0xca, 0xff, 0xb9, 0xf4, 0xf8, 0x5a, 0x42, + 0x9d, 0x32, 0x73, 0x62, 0xab, 0x49, 0x8, 0xa4, + 0xc3, 0x5c, 0x5a, 0x66, 0x38, 0x76, 0xcd, 0x58, + 0x5b, 0x85, 0xbf, 0xf0, 0x52, 0x12, 0xd2, 0xc8, + 0xd, 0xf8, 0x6d, 0x91, 0xb8, 0xcf, 0x3f, 0x1d, + 0xe0, 0x1d, 0x63, 
0xb2, 0x58, 0xa7, 0xbc, 0x8, + 0x97, 0xbb, 0xcc, 0x19, 0x31, 0xdb, 0x47, 0xf3, + 0x8e, 0x54, 0x7d, 0x36, 0x6e, 0x6, 0xd3, 0x20, + 0xca, 0x5e, 0x8a, 0x5, 0x30, 0x50, 0x56, 0xe9, + 0x91, 0x9, 0x35, 0x13, 0x69, 0xd, 0x24, 0x71, + 0x55, 0xca, 0xe8, 0xef, 0x4d, 0x1c, 0xe6, 0x1f, + 0x51, 0xeb, 0x12, 0x32, 0x97, 0xa2, 0xbb, 0x1e, + 0xf2, 0x26, 0xc5, 0xe9, 0x3f, 0xda, 0x79, 0xc3, + 0x89, 0x28, 0x9, 0x6c, 0x59, 0x9e, 0x2d, 0x60, + 0x5f, 0x35, 0x33, 0x76, 0xfe, 0xf5, 0xba, 0x73, + 0xc5, 0xb6, 0x44, 0x9d, 0xb9, 0x3a, 0x90, 0x8, + 0x5e, 0xba, 0x33, 0x3d, 0xe5, 0xff, 0xc0, 0x5b, + 0xbb, 0x7b, 0xbc, 0x39, 0x52, 0x6f, 0x54, 0x8b, + 0xb5, 0x44, 0xf7, 0x75, 0xc5, 0x28, 0xa7, 0x51, + 0xd, 0x69, 0x2b, 0x3a, 0xfd, 0xc0, 0x7c, 0x6f, + 0xf, 0xcf, 0x76, 0x32, 0xea, 0x38, 0xd2, 0x8d, + 0xbe, 0x9c, 0xef, 0x3b, 0x56, 0xdc, 0x8e, 0x29, + 0x40, 0x87, 0x4, 0xe6, 0x15, 0xa1, 0x12, 0x9f, + 0x21, 0x12, 0xe8, 0xd8, 0x5, 0x26, 0x22, 0x23, + 0x12, 0x57, 0xd1, 0xb6, 0x3, 0x59, 0xfa, 0xa6, + 0xfe, 0x24, 0xe1, 0x84, 0xfb, 0x63, 0xf3, 0x3d, + 0xf1, 0xe2, 0x70, 0x2c, 0x94, 0xf1, 0xa4, 0xdc, + 0x70, 0x31, 0xda, 0x9e, 0xb9, 0xf7, 0xc6, 0xba, + 0xd3, 0x4e, 0x5c, 0x63, 0xf1, 0x78, 0xcc, 0x38, + 0xc2, 0x1a, 0xd6, 0x2, 0x34, 0x23, 0x1a, 0x4b, + 0x1, 0x4e, 0xf4, 0xe6, 0xe, 0x6b, 0xfa, 0x27, + 0x8d, 0xe3, 0x67, 0x5d, 0xec, 0x79, 0x13, 0x66, + 0x46, 0xbb, 0xd0, 0x8e, 0xc8, 0x21, 0x6f, 0x37, + 0x5c, 0x5e, 0x5d, 0xed, 0x8e, 0x2d, 0x8d, 0x94, + 0x68, 0x1, 0x0, 0x0, 0x84, 0xd5, 0x35, 0x93, + 0x3a, 0xb1, 0x19, 0x8e, 0xb6, 0xb0, 0x5f, 0x4f, + 0x66, 0x8a, 0xb3, 0xe0, 0x12, 0xbb, 0x7, 0xe0, + 0xa3, 0x6b, 0x54, 0xd5, 0xf6, 0xc8, 0x2, 0xdd, + 0x33, 0x78, 0x3c, 0x4f, 0xdc, 0xa3, 0x3e, 0x5c, + 0x99, 0xb8, 0x2f, 0x3f, 0xdf, 0xf0, 0xf0, 0x63, + 0x24, 0x6f, 0xc2, 0x17, 0xeb, 0x45, 0xd5, 0x79, + 0xaa, 0xb5, 0x46, 0x4b, 0x77, 0x6d, 0x3d, 0xbf, + 0xe8, 0xca, 0xaf, 0x4d, 0xb5, 0x5d, 0xee, 0x9e, + 0xf5, 0x73, 0x8d, 0x1, 0xff, 0x84, 0x1e, 0xc9, + 0x78, 0x2e, 0xde, 0x3, 0x97, 0x36, 0x1c, 0x47, + 0xc, 0x46, 0x5, 0xfc, 0x8b, 0xf5, 0xd5, 
0x13, + 0xa3, 0x8, 0xd4, 0x29, 0x83, 0xfb, 0x4b, 0x3e, + 0xf1, 0x3d, 0xe8, 0x54, 0x28, 0x2f, 0x3d, 0x9c, + 0x8b, 0x91, 0xcc, 0xf0, 0x45, 0x40, 0x3, 0xb, + 0xaa, 0x41, 0x38, 0x2f, 0xad, 0xc3, 0x1d, 0x61, + 0x15, 0x20, 0x9, 0xea, 0xfd, 0xdb, 0xf9, 0x17, + 0x84, 0x19, 0xae, 0xf3, 0x4b, 0x4d, 0x8e, 0xa2, + 0x3e, 0x9c, 0xb3, 0x70, 0x4d, 0x38, 0x1, 0x5, + 0xb7, 0xc, 0xb2, 0xf6, 0x84, 0xbe, 0xbc, 0xd5, + 0xd1, 0x8a, 0x22, 0xfc, 0x82, 0xb4, 0x3b, 0x96, + 0x8f, 0xc0, 0x49, 0xaa, 0xf0, 0x52, 0x25, 0xda, + 0x39, 0xc2, 0x4c, 0xbc, 0xe2, 0x47, 0xe3, 0xc, + 0x59, 0xad, 0x40, 0x42, 0x17, 0x30, 0x4d, 0x1c, + 0x34, 0xd3, 0xdb, 0xa7, 0xc5, 0x9c, 0xef, 0x83, + 0xd, 0xb8, 0x9a, 0xa9, 0x29, 0x1b, 0x11, 0x32, + 0x74, 0x53, 0x17, 0x34, 0xd6, 0xa2, 0x14, 0x6, + 0x8b, 0xae, 0x8c, 0xb4, 0xcb, 0x20, 0xec, 0xb3, + 0x2f, 0xe, 0xf3, 0x8f, 0xc3, 0x84, 0xe3, 0xb8, + 0x46, 0x51, 0xea, 0xa6, 0x1c, 0x27, 0x31, 0x1e, + 0x69, 0xb, 0xc7, 0x47, 0xad, 0x7d, 0xde, 0x3f, + 0x13, 0x2b, 0x5e, 0x2a, 0x24, 0x37, 0x85, 0xa4, + 0x8d, 0x45, 0x39, 0xeb, 0x95, 0x47, 0xb8, 0x57, + 0x5d, 0x88, 0xeb, 0x56, 0xb0, 0xa8, 0x58, 0xd, + 0x9e, 0x1b, 0x80, 0x3a, 0x74, 0x86, 0x3a, 0x58, + 0xfc, 0xa6, 0xa, 0xc5, 0x66, 0x5f, 0xc7, 0xa9, + 0xd5, 0xc, 0x37, 0xd1, 0x23, 0xff, 0xfd, 0x1d, + 0x38, 0x1c, 0x98, 0xd1, 0xa9, 0x24, 0x3b, 0x23, + 0xa2, 0x1a, 0xee, 0x8, 0x31, 0x4f, 0xd5, 0xaa, + 0x1d, 0x67, 0xe7, 0x77, 0x5c, 0x46, 0xcc, 0xb, + 0x18, 0xf6, 0xdd, 0x86, 0xf4, 0xcc, 0xb4, 0xd5, + 0xcd, 0xe6, 0xae, 0xb3, 0xf0, 0x24, 0x15, 0x71, + 0xb3, 0x65, 0xff, 0xfa, 0xe5, 0x1a, 0x6d, 0xc3, + 0x6f, 0x43, 0x73, 0xe0, 0xe8, 0xa9, 0x6f, 0x68, + 0xf8, 0x4, 0xf2, 0x73, 0x1, 0x36, 0xeb, 0x83, + 0xa5, 0xf2, 0x6e, 0x4e, 0x36, 0xa5, 0x63, 0xab, + 0x7d, 0xa1, 0xd2, 0x24, 0x17, 0xb7, 0x3b, 0x96, + 0x4b, 0xbe, 0x4c, 0xcb +}; + + +uint8_t msg3_sample2[MSG3_BODY_SIZE] = +{ + 0x4f, 0x85, 0xd3, 0x93, 0xc, 0x44, 0x9c, 0xdd, + 0x3e, 0x81, 0xbd, 0xb6, 0xa2, 0x44, 0x16, 0x5f, + 0xa8, 0x56, 0x72, 0xc1, 0x14, 0x41, 0xa, 0x2f, + 0xdc, 0xb0, 0xa8, 0xa1, 0x3a, 0x51, 
0x40, 0xf9, + 0x12, 0x9f, 0x11, 0x86, 0xe9, 0x1a, 0xf1, 0x16, + 0xbc, 0xd4, 0x6, 0x2f, 0x47, 0x2c, 0xc3, 0x37, + 0x8e, 0x65, 0x7, 0x29, 0x85, 0xb0, 0x8, 0x61, + 0x6b, 0x6d, 0xc7, 0x22, 0x7d, 0x22, 0x61, 0x7f, + 0x40, 0x43, 0x40, 0x5a, 0x7a, 0xf4, 0x94, 0x0, + 0x60, 0x36, 0xf6, 0xa4, 0x22, 0x22, 0x41, 0x82, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x2, 0x0, 0x1, 0x0, 0x3, 0x1, 0x0, 0x0, + 0x1, 0x0, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x20, + 0x58, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x2, 0x2, 0xff, 0xff, 0xff, 0x1, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x7, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0xe2, 0x55, 0x5d, 0xc6, 0xe6, 0x69, 0x53, 0xc0, + 0x8d, 0x52, 0x5b, 0xc0, 0x2a, 0x2c, 0x5c, 0x2f, + 0xc, 0x8c, 0xfe, 0x5b, 0x1, 0xae, 0x89, 0xff, + 0x2, 0x2f, 0x97, 0xea, 0x9b, 0x45, 0xb6, 0x2e, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x60, 0x27, 0x7a, 0xd2, 0xfd, 0xfc, 0x57, 0xe9, + 0x80, 0xe8, 0x76, 0xe7, 0xf8, 0x78, 0xac, 0x19, + 0x9, 0x88, 0xe, 0xa5, 0x38, 0x7, 0x95, 0xa7, + 0xe8, 0xea, 0x98, 0xb1, 0x57, 0x84, 0x1f, 0x85, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0xdd, 0xda, 0x3e, 0x6b, 0x72, 0xa2, 0xd7, 0x31, + 0x31, 0x32, 0xbd, 0xf3, 0xf4, 0xc0, 0xe3, 0xaa, + 0x16, 0x19, 0x72, 0x47, 0x92, 0xe7, 0x8f, 0xf8, + 0x40, 0x2b, 0xa7, 0xc0, 0xb9, 0x77, 0xb1, 0x1c, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 
0x0, 0x0, 0x0, 0x0, 0x0, + 0xa8, 0x2, 0x0, 0x0, 0x2e, 0x23, 0x7d, 0xe8, + 0x5d, 0xcd, 0x6d, 0x88, 0x6f, 0xad, 0xd3, 0x4c, + 0x7e, 0xed, 0xff, 0xa2, 0xea, 0x1c, 0xd5, 0xc8, + 0x54, 0xbb, 0x93, 0xc8, 0x1b, 0xbe, 0xbe, 0x51, + 0x6b, 0x8d, 0xb7, 0x90, 0x7f, 0x87, 0x9f, 0x9b, + 0x66, 0x4f, 0xeb, 0xf4, 0x34, 0xbb, 0x90, 0x5d, + 0xc5, 0x20, 0x7b, 0xd2, 0x5a, 0x92, 0x42, 0x80, + 0x2f, 0x3f, 0xc2, 0x64, 0x7e, 0x77, 0xa, 0x49, + 0xdb, 0xde, 0x77, 0x88, 0xd7, 0xce, 0xdb, 0x2e, + 0x44, 0x50, 0x26, 0xd8, 0x7a, 0xe, 0x1c, 0x7f, + 0x63, 0x36, 0x62, 0xa8, 0xa7, 0x2e, 0x60, 0x56, + 0xf4, 0xbc, 0xb5, 0xca, 0xc3, 0x81, 0x9e, 0x84, + 0xb8, 0xc, 0xef, 0x7a, 0x18, 0x4a, 0x5b, 0x3, + 0x0, 0xe3, 0x8c, 0x3f, 0x2e, 0xf9, 0x9a, 0xf7, + 0x72, 0xe1, 0xa0, 0x5e, 0x6a, 0x4c, 0x68, 0xea, + 0x67, 0xfc, 0xe8, 0x21, 0x27, 0x90, 0xae, 0xbf, + 0x51, 0xa4, 0xc9, 0xae, 0x3d, 0x3b, 0x5c, 0x53, + 0x7e, 0x25, 0xa4, 0x6f, 0x78, 0x99, 0x35, 0x2e, + 0x48, 0x50, 0xf9, 0xf0, 0x63, 0x90, 0x19, 0x6a, + 0xc, 0x3d, 0x48, 0x2a, 0x5f, 0x6f, 0xb, 0xd7, + 0x26, 0x64, 0xb5, 0xe0, 0x60, 0x36, 0x69, 0x40, + 0x9c, 0x21, 0x29, 0xe0, 0xca, 0xae, 0xd1, 0x7a, + 0x4, 0xb8, 0x8d, 0x96, 0x74, 0xa3, 0x7, 0xa4, + 0x41, 0x9e, 0xf7, 0x9, 0xbe, 0x8f, 0xe8, 0x65, + 0xd9, 0x26, 0x16, 0xa1, 0xef, 0x1b, 0xf4, 0xb7, + 0xd5, 0xfe, 0xd6, 0x7d, 0xa6, 0x6c, 0x50, 0x8c, + 0x90, 0x34, 0x1f, 0x17, 0x8c, 0x14, 0x38, 0x6d, + 0xd7, 0x83, 0x1a, 0x1e, 0xcf, 0xf5, 0xb, 0xdb, + 0x26, 0x8f, 0x23, 0xf9, 0x4f, 0x41, 0x73, 0xac, + 0x9d, 0xfa, 0x77, 0x3, 0x6a, 0x32, 0xbb, 0x37, + 0x93, 0x47, 0x38, 0x93, 0x39, 0xd2, 0x51, 0x46, + 0xaf, 0xfd, 0x71, 0xda, 0x89, 0xc7, 0x44, 0xb0, + 0xf3, 0x95, 0x74, 0x3b, 0xbc, 0x7d, 0x86, 0xc1, + 0x6e, 0x49, 0xd8, 0x52, 0xc, 0xc1, 0x88, 0x72, + 0x5, 0x5c, 0x92, 0x12, 0x22, 0x95, 0xc5, 0x12, + 0xf5, 0xfa, 0x11, 0x8d, 0x50, 0x42, 0x33, 0x4, + 0x41, 0x17, 0x90, 0xc8, 0xb3, 0x1d, 0x2e, 0xe5, + 0x13, 0xf5, 0xd6, 0xb1, 0xc5, 0xd4, 0x6d, 0xe1, + 0x68, 0x1, 0x0, 0x0, 0xc4, 0x15, 0xbf, 0x91, + 0xf1, 0xad, 0xb1, 0x9f, 0x9b, 0x6b, 0x8d, 
0xa2, + 0xdf, 0x7d, 0x6, 0xf8, 0xba, 0x73, 0xb7, 0xb, + 0x72, 0xcc, 0x34, 0x4d, 0x52, 0x3b, 0x76, 0xfd, + 0x8e, 0x3a, 0x67, 0xcc, 0x36, 0xb, 0xa9, 0xc2, + 0x90, 0x37, 0x77, 0x75, 0x90, 0xb8, 0x97, 0x44, + 0xed, 0xb4, 0x61, 0xe8, 0x11, 0xe9, 0x2, 0x50, + 0xde, 0x98, 0x99, 0x3e, 0xf6, 0x5c, 0x71, 0x92, + 0x49, 0xcb, 0x0, 0x72, 0xe0, 0x55, 0xa9, 0x6e, + 0xc7, 0x2, 0xf4, 0x2b, 0x3c, 0xe3, 0x42, 0x7e, + 0x8b, 0xf, 0x26, 0xd9, 0x42, 0x21, 0xd5, 0x74, + 0xe3, 0x35, 0xb3, 0xb8, 0xfe, 0x25, 0x1d, 0x47, + 0x5b, 0x35, 0x8d, 0xfd, 0x18, 0x77, 0x29, 0xd9, + 0x69, 0x2b, 0x67, 0x54, 0x8c, 0xf5, 0xd7, 0x84, + 0x36, 0xf3, 0x96, 0xca, 0xb9, 0x42, 0xad, 0xd6, + 0xba, 0x8d, 0x2f, 0xfc, 0x21, 0xfe, 0xa7, 0xea, + 0x59, 0x94, 0xfe, 0x95, 0x1f, 0x1e, 0xb9, 0xca, + 0x5e, 0x4d, 0xf1, 0x2, 0x68, 0x91, 0xf7, 0xa1, + 0xea, 0x11, 0x90, 0x95, 0x1c, 0xf7, 0x85, 0xd4, + 0x70, 0xf9, 0x49, 0xae, 0x5e, 0xa5, 0x62, 0x3d, + 0x35, 0xc5, 0xdf, 0xc1, 0x7f, 0xc7, 0x39, 0x5a, + 0x3b, 0x89, 0x8c, 0x80, 0x71, 0xe7, 0xbc, 0xbf, + 0x4e, 0x72, 0x6d, 0xd7, 0xe0, 0xa2, 0xb0, 0x7d, + 0xca, 0x89, 0x22, 0x6, 0xb2, 0xb4, 0x3c, 0xa2, + 0xed, 0x51, 0xf, 0xa2, 0xf7, 0xc9, 0x89, 0xf0, + 0x27, 0x2f, 0xf6, 0x41, 0x4e, 0xa, 0x2b, 0x67, + 0x49, 0x44, 0x8e, 0x40, 0xc6, 0xb8, 0xad, 0xb8, + 0x40, 0xb, 0xba, 0x73, 0x2e, 0x1d, 0x4, 0xc9, + 0x28, 0x62, 0x6b, 0x3d, 0xe6, 0x5f, 0x1c, 0xdd, + 0xae, 0x27, 0x6d, 0x3c, 0x2d, 0xf6, 0x42, 0x3b, + 0x91, 0x1, 0x37, 0x47, 0x76, 0x5, 0xbc, 0x7, + 0x8c, 0x6, 0x81, 0x77, 0x70, 0x9d, 0x8a, 0x75, + 0x34, 0x1, 0x68, 0x1a, 0x38, 0x13, 0x11, 0x74, + 0xf2, 0x70, 0x4f, 0x9b, 0x86, 0x15, 0xc6, 0xbc, + 0x6b, 0x1a, 0x56, 0x3f, 0x4f, 0xfa, 0xd4, 0x17, + 0x97, 0xbb, 0x4b, 0x91, 0x3b, 0x54, 0xf7, 0x8e, + 0x53, 0xf5, 0x2, 0x21, 0x3b, 0x66, 0xf9, 0xe5, + 0x79, 0xff, 0xeb, 0x5c, 0x66, 0x1b, 0x34, 0xf4, + 0x41, 0xd1, 0x9a, 0xdb, 0x1f, 0x3e, 0xe3, 0x8a, + 0x90, 0x98, 0x9e, 0x73, 0xb9, 0xa8, 0x20, 0xfe, + 0xe7, 0xe3, 0x9f, 0x83, 0xd3, 0x95, 0x5f, 0xa, + 0x40, 0x53, 0x6a, 0xd3, 0x72, 0x32, 0xde, 0xf1, + 0xf, 0x98, 
0x2b, 0x7d, 0x6e, 0x76, 0xbd, 0x31, + 0x84, 0x99, 0x1c, 0xdc, 0xac, 0x78, 0x44, 0xbf, + 0x29, 0xdd, 0x2e, 0xe3, 0x39, 0x9d, 0x38, 0x83, + 0xa, 0x3e, 0x83, 0xb6, 0x74, 0x44, 0x4d, 0x78, + 0x55, 0xb2, 0xe0, 0x74, 0x25, 0x61, 0x67, 0xc0, + 0xe8, 0x1e, 0x5e, 0xd8 +}; + +#define ATTESTATION_MSG_BODY_SIZE 145 + +uint8_t attestation_msg_sample1[ATTESTATION_MSG_BODY_SIZE] = +{ + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x97, 0x9e, 0xb9, 0x5a, 0xdd, 0x14, 0x17, + 0xf2, 0xfa, 0xad, 0xfa, 0xd7, 0x66, 0x73, 0xfd, + 0x71, 0x57, 0xf4, 0xe9, 0x8d, 0xee, 0xaf, 0x42, + 0x5e, 0xbb, 0x8a, 0x4c, 0xd4, 0x84, 0xdc, 0x83, + 0x6a, 0x8, 0x70, 0xd, 0xf2, 0x42, 0x8b, 0x2b, + 0xee, 0x42, 0xb0, 0x85, 0xe5, 0xbf, 0x99, 0xc5, + 0x22, 0xf8, 0x37, 0xf7, 0xee, 0xb6, 0x2c, 0xd5, + 0x8c, 0x37, 0xa2, 0xd2, 0x51, 0xed, 0x45, 0xf9, + 0x65, 0xf2, 0x25, 0x8a, 0xf9, 0x9, 0x2d, 0xdb, + 0xdc, 0x4a, 0x73, 0xbd, 0x15, 0x49, 0x2, 0x10, + 0xd, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x54, 0x1c, 0xdd, 0x52, 0x93, 0xd8, 0xd4, + 0x28, 0x9d, 0x24, 0x7d, 0x4b, 0xe5, 0xcc, 0xe8, + 0xc0 +}; + +uint8_t attestation_msg_sample2[ATTESTATION_MSG_BODY_SIZE] = +{ + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, + 0x0, 0x97, 0x9e, 0xb9, 0x5a, 0xdd, 0x14, 0x17, + 0xf2, 0xfa, 0xad, 0xfa, 0xd7, 0x66, 0x73, 0xfd, + 0x71, 0x57, 0xf4, 0xe9, 0x8d, 0xee, 0xaf, 0x42, + 0x5e, 0xbb, 0x8a, 0x4c, 0xd4, 0x84, 0xdc, 0x83, + 0x6a, 0x8, 0x70, 0xd, 0xf2, 0x42, 0x8b, 0x2b, + 0xee, 0x42, 0xb0, 0x85, 0xe5, 0xbf, 0x99, 0xc5, + 0x22, 0xf8, 0x37, 0xf7, 0xee, 0xb6, 0x2c, 0xd5, + 0x8c, 0x37, 0xa2, 0xd2, 0x51, 0xed, 0x45, 0xf9, + 0x65, 0x82, 0x12, 0xa8, 0x53, 0x84, 0x65, 0x62, + 0x33, 0xc0, 0x6, 0x86, 0x9f, 0x82, 0xbb, 0x6d, + 0xd6, 0x8, 0x0, 0x0, 0x0, 0x0, 0x0, 
0x0,
+ 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
+ 0x0, 0xb1, 0x60, 0x31, 0x45, 0xd1, 0xa9, 0x23,
+ 0x7b, 0x85, 0x3f, 0x8, 0x3f, 0x48, 0x6d, 0x2d,
+ 0xad
+};
diff --git a/isv_enclave/isv_enclave.config.xml b/isv_enclave/isv_enclave.config.xml
new file mode 100644
index 0000000..5e7af47
--- /dev/null
+++ b/isv_enclave/isv_enclave.config.xml
@@ -0,0 +1,12 @@
+
+ 0
+ 0
+ 0x40000
+ 0x100000
+ 1
+ 1
+
+ 0
+ 0
+ 0xFFFFFFFF
+
diff --git a/isv_enclave/isv_enclave.cpp b/isv_enclave/isv_enclave.cpp
new file mode 100644
index 0000000..be9423a
--- /dev/null
+++ b/isv_enclave/isv_enclave.cpp
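Review bot: The sample vectors (`msg1_sample1` through `attestation_msg_sample2`) are defined in this header as mutable objects with external linkage, and the header has no include guard, so including `sample_messages.h` from a second translation unit would fail at link time with duplicate definitions. I would wrap the file in `#ifndef SAMPLE_MESSAGES_H` / `#define SAMPLE_MESSAGES_H` / `#endif` and declare each array as `static const uint8_t msg1_sample1[MSG1_BODY_SIZE] = ...`. Making them `const` also keeps the reference values from being modified at run time before isv_app.cpp compares received messages against them with `memcmp`. The casts at those use sites (for example `(ra_samp_response_header_t *)msg2_samples[...]`) would then need to become pointer-to-const; they are in isv_app.cpp, outside this hunk.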
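Review bot: The seventh value in this config, `0`, appears to be the `DisableDebug` setting, which would leave the enclave launchable in debug mode; the element names are missing from this view, so that is inferred from the order the SGX SDK sample configuration uses. A debug enclave gives no confidentiality against the host, so the secret that isv_enclave.cpp keeps in `g_secret` after attestation would not be protected. If that reading is right, set the value to `1` for anything other than a development build and add a comment next to it saying `0` is for development only. The first two values (by position `ProdID` and `ISVSVN`, both `0`) are also worth choosing deliberately if the service provider is meant to check them in the quote.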
@@ -0,0 +1,397 @@
+/*
+ * Copyright (C) 2011-2018 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+
+#include
+#include "isv_enclave_t.h"
+#include "sgx_tkey_exchange.h"
+#include "sgx_tcrypto.h"
+#include "string.h"
+
+// This is the public EC key of the SP. The corresponding private EC key is
+// used by the SP to sign data used in the remote attestation SIGMA protocol
+// to sign channel binding data in MSG2. A successful verification of the
+// signature confirms the identity of the SP to the ISV app in remote
+// attestation secure channel binding. The public EC key should be hardcoded in
+// the enclave or delivered in a trustworthy manner. The use of a spoofed public
+// EC key in the remote attestation with secure channel binding session may lead
+// to a security compromise. Every different SP the enlcave communicates to
+// must have a unique SP public key. Delivery of the SP public key is
+// determined by the ISV. The TKE SIGMA protocl expects an Elliptical Curve key
+// based on NIST P-256
+static const sgx_ec256_public_t g_sp_pub_key = {
+ {
+ 0x72, 0x12, 0x8a, 0x7a, 0x17, 0x52, 0x6e, 0xbf,
+ 0x85, 0xd0, 0x3a, 0x62, 0x37, 0x30, 0xae, 0xad,
+ 0x3e, 0x3d, 0xaa, 0xee, 0x9c, 0x60, 0x73, 0x1d,
+ 0xb0, 0x5b, 0xe8, 0x62, 0x1c, 0x4b, 0xeb, 0x38
+ },
+ {
+ 0xd4, 0x81, 0x40, 0xd9, 0x50, 0xe2, 0x57, 0x7b,
+ 0x26, 0xee, 0xb7, 0x41, 0xe7, 0xc6, 0x14, 0xe2,
+ 0x24, 0xb7, 0xbd, 0xc9, 0x03, 0xf2, 0x9a, 0x28,
+ 0xa8, 0x3c, 0xc8, 0x10, 0x11, 0x14, 0x5e, 0x06
+ }
+
+};
+
+// Used to store the secret passed by the SP in the sample code. The
+// size is forced to be 8 bytes. Expected value is
+// 0x01,0x02,0x03,0x04,0x0x5,0x0x6,0x0x7
+uint8_t g_secret[8] = {0};
+
+
+#ifdef SUPPLIED_KEY_DERIVATION
+
+#pragma message ("Supplied key derivation function is used.")
+
+typedef struct _hash_buffer_t
+{
+ uint8_t counter[4];
+ sgx_ec256_dh_shared_t shared_secret;
+ uint8_t algorithm_id[4];
+} hash_buffer_t;
+
+const char ID_U[] = "SGXRAENCLAVE";
+const char ID_V[] = "SGXRASERVER";
+
+// Derive two keys from shared key and key id.
+bool derive_key( + const sgx_ec256_dh_shared_t *p_shared_key, + uint8_t key_id, + sgx_ec_key_128bit_t *first_derived_key, + sgx_ec_key_128bit_t *second_derived_key) +{ + sgx_status_t sgx_ret = SGX_SUCCESS; + hash_buffer_t hash_buffer; + sgx_sha_state_handle_t sha_context; + sgx_sha256_hash_t key_material; + + memset(&hash_buffer, 0, sizeof(hash_buffer_t)); + /* counter in big endian */ + hash_buffer.counter[3] = key_id; + + /*convert from little endian to big endian */ + for (size_t i = 0; i < sizeof(sgx_ec256_dh_shared_t); i++) + { + hash_buffer.shared_secret.s[i] = p_shared_key->s[sizeof(p_shared_key->s)-1 - i]; + } + + sgx_ret = sgx_sha256_init(&sha_context); + if (sgx_ret != SGX_SUCCESS) + { + return false; + } + sgx_ret = sgx_sha256_update((uint8_t*)&hash_buffer, sizeof(hash_buffer_t), sha_context); + if (sgx_ret != SGX_SUCCESS) + { + sgx_sha256_close(sha_context); + return false; + } + sgx_ret = sgx_sha256_update((uint8_t*)&ID_U, sizeof(ID_U), sha_context); + if (sgx_ret != SGX_SUCCESS) + { + sgx_sha256_close(sha_context); + return false; + } + sgx_ret = sgx_sha256_update((uint8_t*)&ID_V, sizeof(ID_V), sha_context); + if (sgx_ret != SGX_SUCCESS) + { + sgx_sha256_close(sha_context); + return false; + } + sgx_ret = sgx_sha256_get_hash(sha_context, &key_material); + if (sgx_ret != SGX_SUCCESS) + { + sgx_sha256_close(sha_context); + return false; + } + sgx_ret = sgx_sha256_close(sha_context); + + assert(sizeof(sgx_ec_key_128bit_t)* 2 == sizeof(sgx_sha256_hash_t)); + memcpy(first_derived_key, &key_material, sizeof(sgx_ec_key_128bit_t)); + memcpy(second_derived_key, (uint8_t*)&key_material + sizeof(sgx_ec_key_128bit_t), sizeof(sgx_ec_key_128bit_t)); + + // memset here can be optimized away by compiler, so please use memset_s on + // windows for production code and similar functions on other OSes. 
+ memset(&key_material, 0, sizeof(sgx_sha256_hash_t));
+
+ return true;
+}
+
+//isv defined key derivation function id
+#define ISV_KDF_ID 2
+
+typedef enum _derive_key_type_t
+{
+ DERIVE_KEY_SMK_SK = 0,
+ DERIVE_KEY_MK_VK,
+} derive_key_type_t;
+
+sgx_status_t key_derivation(const sgx_ec256_dh_shared_t* shared_key,
+ uint16_t kdf_id,
+ sgx_ec_key_128bit_t* smk_key,
+ sgx_ec_key_128bit_t* sk_key,
+ sgx_ec_key_128bit_t* mk_key,
+ sgx_ec_key_128bit_t* vk_key)
+{
+ bool derive_ret = false;
+
+ if (NULL == shared_key)
+ {
+ return SGX_ERROR_INVALID_PARAMETER;
+ }
+
+ if (ISV_KDF_ID != kdf_id)
+ {
+ //fprintf(stderr, "\nError, key derivation id mismatch in [%s].", __FUNCTION__);
+ return SGX_ERROR_KDF_MISMATCH;
+ }
+
+ derive_ret = derive_key(shared_key, DERIVE_KEY_SMK_SK,
+ smk_key, sk_key);
+ if (derive_ret != true)
+ {
+ //fprintf(stderr, "\nError, derive key fail in [%s].", __FUNCTION__);
+ return SGX_ERROR_UNEXPECTED;
+ }
+
+ derive_ret = derive_key(shared_key, DERIVE_KEY_MK_VK,
+ mk_key, vk_key);
+ if (derive_ret != true)
+ {
+ //fprintf(stderr, "\nError, derive key fail in [%s].", __FUNCTION__);
+ return SGX_ERROR_UNEXPECTED;
+ }
+ return SGX_SUCCESS;
+}
+#else
+#pragma message ("Default key derivation function is used.")
+#endif
+
+// This ecall is a wrapper of sgx_ra_init to create the trusted
+// KE exchange key context needed for the remote attestation
+// SIGMA API's. Input pointers aren't checked since the trusted stubs
+// copy them into EPC memory.
+//
+// @param b_pse Indicates whether the ISV app is using the
+// platform services.
+// @param p_context Pointer to the location where the returned
+// key context is to be copied.
+//
+// @return Any error return from the create PSE session if b_pse
+// is true.
+// @return Any error returned from the trusted key exchange API
+// for creating a key context.
+
+sgx_status_t enclave_init_ra(
+ int b_pse,
+ sgx_ra_context_t *p_context)
+{
+ // isv enclave call to trusted key exchange library.
+ sgx_status_t ret;
+ if(b_pse)
+ {
+ int busy_retry_times = 2;
+ do{
+ ret = sgx_create_pse_session();
+ }while (ret == SGX_ERROR_BUSY && busy_retry_times--);
+ if (ret != SGX_SUCCESS)
+ return ret;
+ }
+#ifdef SUPPLIED_KEY_DERIVATION
+ ret = sgx_ra_init_ex(&g_sp_pub_key, b_pse, key_derivation, p_context);
+#else
+ ret = sgx_ra_init(&g_sp_pub_key, b_pse, p_context);
+#endif
+ if(b_pse)
+ {
+ sgx_close_pse_session();
+ return ret;
+ }
+ return ret;
+}
+
+
+// Closes the tKE key context used during the SIGMA key
+// exchange.
+//
+// @param context The trusted KE library key context.
+//
+// @return Return value from the key context close API
+
+sgx_status_t SGXAPI enclave_ra_close(
+ sgx_ra_context_t context)
+{
+ sgx_status_t ret;
+ ret = sgx_ra_close(context);
+ return ret;
+}
+
+
+// Verify the mac sent in att_result_msg from the SP using the
+// MK key. Input pointers aren't checked since the trusted stubs
+// copy them into EPC memory.
+//
+//
+// @param context The trusted KE library key context.
+// @param p_message Pointer to the message used to produce MAC
+// @param message_size Size in bytes of the message.
+// @param p_mac Pointer to the MAC to compare to.
+// @param mac_size Size in bytes of the MAC
+//
+// @return SGX_ERROR_INVALID_PARAMETER - MAC size is incorrect.
+// @return Any error produced by tKE API to get SK key.
+// @return Any error produced by the AESCMAC function.
+// @return SGX_ERROR_MAC_MISMATCH - MAC compare fails.
+
+sgx_status_t verify_att_result_mac(sgx_ra_context_t context,
+ uint8_t* p_message,
+ size_t message_size,
+ uint8_t* p_mac,
+ size_t mac_size)
+{
+ sgx_status_t ret;
+ sgx_ec_key_128bit_t mk_key;
+
+ if(mac_size != sizeof(sgx_mac_t))
+ {
+ ret = SGX_ERROR_INVALID_PARAMETER;
+ return ret;
+ }
+ if(message_size > UINT32_MAX)
+ {
+ ret = SGX_ERROR_INVALID_PARAMETER;
+ return ret;
+ }
+
+ do {
+ uint8_t mac[SGX_CMAC_MAC_SIZE] = {0};
+
+ ret = sgx_ra_get_keys(context, SGX_RA_KEY_MK, &mk_key);
+ if(SGX_SUCCESS != ret)
+ {
+ break;
+ }
+ ret = sgx_rijndael128_cmac_msg(&mk_key,
+ p_message,
+ (uint32_t)message_size,
+ &mac);
+ if(SGX_SUCCESS != ret)
+ {
+ break;
+ }
+ if(0 == consttime_memequal(p_mac, mac, sizeof(mac)))
+ {
+ ret = SGX_ERROR_MAC_MISMATCH;
+ break;
+ }
+
+ }
+ while(0);
+
+ return ret;
+}
+
+
+// Generate a secret information for the SP encrypted with SK.
+// Input pointers aren't checked since the trusted stubs copy
+// them into EPC memory.
+//
+// @param context The trusted KE library key context.
+// @param p_secret Message containing the secret.
+// @param secret_size Size in bytes of the secret message.
+// @param p_gcm_mac The pointer the the AESGCM MAC for the
+// message.
+//
+// @return SGX_ERROR_INVALID_PARAMETER - secret size if
+// incorrect.
+// @return Any error produced by tKE API to get SK key.
+// @return Any error produced by the AESGCM function.
+// @return SGX_ERROR_UNEXPECTED - the secret doesn't match the
+// expected value.
+ +sgx_status_t put_secret_data( + sgx_ra_context_t context, + uint8_t *p_secret, + uint32_t secret_size, + uint8_t *p_gcm_mac) +{ + sgx_status_t ret = SGX_SUCCESS; + sgx_ec_key_128bit_t sk_key; + + do { + if(secret_size != 8) + { + ret = SGX_ERROR_INVALID_PARAMETER; + break; + } + + ret = sgx_ra_get_keys(context, SGX_RA_KEY_SK, &sk_key); + if(SGX_SUCCESS != ret) + { + break; + } + + uint8_t aes_gcm_iv[12] = {0}; + ret = sgx_rijndael128GCM_decrypt(&sk_key, + p_secret, + secret_size, + &g_secret[0], + &aes_gcm_iv[0], + 12, + NULL, + 0, + (const sgx_aes_gcm_128bit_tag_t *) + (p_gcm_mac)); + + uint32_t i; + bool secret_match = true; + for(i=0;ipe!mYXdUD$C)B$BbzBWrq1? zv3M+nmUR4{WSPilhbLlEUoNg2#lZN}VsWxCMX^7#6hjn$LK; zVP?9}!#rK+VV*Aj>^7?sf7&@4iw#fu*=fd$PnSs-e-bVIEBQFMoZdtABUxB{)?_l+ z5`V_i-HLQnzyIn#he`NNGrytQ#bIU;f11@{b;|+|D}LtAUubDReC>!ouCM;#bHDdj zfBVkSSL|GP`O}mI#Zynl+y7teCAMqqSuw&S{EWxXjQM3JPyhU>CBsf#`&!F+%TH%~ z9GmpPzkT__KOQ?@`O6VMdZMxKnc-G<^^AN1c6pyLLKsTcyM`a1`qUp55& z&ryNF_*1r&vBMa zOXxZdJODcS*Nz{;qj@Z73G#>K3X{*;865bC1_J)Qf*+!{nDj3*)MELEiF>AV;412P z{0rlU=p9r+{QIuSXPL>rVJ64t@rR|##5+v>J&FI{@~y=(4Ux-Ph^ zBDi#^WvN;kSh{>g#frP{Sr=SUQ5q;(z2?3ZrOUpvdIgUgJZ5S6`ejR3-gDow)%QHO z!gBAj)vMQ(TUJ)AKq6vY{=KE;tG>5%<+6KL16WZ}ao?JypjZ~XXU%<!;e($pKrT4D8J07>9ygdK5 z%h%i&T(Lfp%#12uy=L8tq2el5EDNq!`n?qoEM2?oo(jvoEAA~{`+&f^e9gUUD?znx z)v}5e%a<-+1@eB98#3UtqX_aq8pLX~TmBeQr)6TEvxaOtXL>sARc zD>M~n-HM=P^*!Gyzi!={>%Kv6W{VL!#00y!OB4Uq=If82*z+ zq2D(4dl>Y}VE;+qSS`;$X5xD8iN}8g^=Px~GO?_C?io$I{%(dVue=8ecbMf6!t^gb zFU0kE-c*kFn)5~+?>6Txdo`aI;`r9LxPUqYyzCIivxmT)0&W?`XS2G6cR#z&qYfXBA#6;GT~;zJ3TiB;bw1d5hEyfj0=a^Us`rqkzZxJTnBoQ^4cx z-zwno_HQ2o?-1~KyBR~^-2xtOe~W1+#N{E*$36s}BjEA&&lB)?`xg#@djve*ZpsjN ziGau3zf8d6d{zyCM>h_X|I)j;{jyWQ+gEYCRlv*Yc=~n$53bvThfH%(I6IG6YH<*0#1l)5g=Tj))A(M|sz@sJ~MZlf&IiC^%x7@_b zvsl2pO+IA;9#S};RRV6gne$mI;Le*l{dxh9mU28K;&VBlIsq>+`7{W4$mH{+fLj)D zK8*q%GWk3s;ALhzZxwK-m-E>s;9E^TQ33am!H9o51>ABw=hG_S9VVZ40gv9r`E-bQ z5$9tFxZ@U1-!0(L`#9b!;Ei#EY12SC_n3U_0^YcW^Kl4x*(zS1Yyn?u@^K2d=P;iL 
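Review bot: In put_secret_data the status of sgx_rijndael128GCM_decrypt is not tested before the code moves on to the comparison loop over g_secret, so a failed tag check is not handled at the point where it occurs; add `if(SGX_SUCCESS != ret) { break; }` directly after the call, as is already done after sgx_ra_get_keys. The function body is cut off on this page after the start of that loop, so whether ret is overwritten further down cannot be seen here. The all-zero `aes_gcm_iv` is only safe if SK decrypts exactly one message per attestation session; a comment stating that constraint (or a per-message nonce supplied with the ciphertext) would keep later changes from reusing the key/IV pair. In derive_key, hash_buffer still holds the byte-swapped DH shared secret on return and key_material is wiped with a plain memset that the adjacent comment says may be optimized away; mk_key and sk_key in verify_att_result_mac and put_secret_data are likewise left on the stack, so all of these should be cleared with `memset_s` before returning.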
za|FEc95?LpMBL<4DBv9pygVKekMQy+0^Vx!DG_i>2QSZJ0WUkx%Tp%c77x#Nm4JJG z$nmuT-tkYoJnIEK&*T#l@Wv-NpE?2eY~g$w1iZ}T^Q3@xmyJ7o*| z*DK&1A&y%f87Ti{5At@l3wVji$06WlAMo;I3wY=Pua{HAO+GmS-tiIVlPBPoOPo)k zfNwSVcm%xh4CkW=c+^~Imk4-=$!D>EM@>Fu0`AP_cHk-jcg*JPxmLiV7kPQs3%F$p z=MxfekIAP_z%8G1J`DoiVb<$O0bgtKX%z5A8}Hv|1l(hmXRClWntZkic=Uc=->86h zn0j@mfVY}_S_Rx<>eY4uFI&sY*&*PTBA%}y;Lh)Jyj#F6_j5kI0-k5`v4jW8zvW)e z$1dQZm7I@Lz&jo`*AW8V_!Q@pC*U0>UMS$99h}}H;Lh)H{)&Kme!=NWM0`8P7Ylgk zR~#=B@MsIiR|$B?EazGg|0Smn33#-Hm$Od9H*>r}z{_6c_>&_3CgKO^8B zf93dA0S{>$-zMN4KjU~*z{~b=e5Zh0%zRq~yrZ4dcL;b{4==wV;El&QeYb#je9Gy2 z1>AXx(_3l=%4f#`j@w224CmtzaWmg+5jP!JP603bjPuVC@Tf_jC*U3XIlV`~omNv1 z3wY@394`^@sE^}|1>AEj$IApfYVuhn;$t}dS^*Eu=J@6_)Y;2Rdc*mz@wEMZx`{! z9PbeE296s7?lH^RE#h$pXzf6`^~~X3bi06e+{$r>fLn%hJX^p+X8Suud_1Sm5%97x z9M2Q*Xd1^01>BRvagTso92{2!yhGx6iGX{294`~_=pT7|t`hLZ7dgIG#P8sI)(g0^ zl;a@*kG{tF)Css}8^;?2-11wFKPlj$Rh)mLfO~$$>7Nns#=RWhD&WyqIUW`8j^Fe7 zbfN$GaSF74VQ*uMPn(`zkNLA>g5O zj&}=q;~`$JUIF(U<+$Ys1LZdQCdcgp?sRef4gv3Qay(nWqh@)W0v_t*{Bs1{W7aEA zz@vZT^d154xQFMf2zc3ij+Y2{#|(}y7Vzi^&c95+L$f&jDglq)&GEGY-k8Vn^&)PT zCnVsOQ#{`~0r#Bcc!Pj<6mb5H0$x_d@n;0wGL`#pw+eWf$$y)GJA<50RK&AQf3ko_ zYdL+ZfOph!yj{R8eY{>B0v-x+dPBgSn>pSs;2l5UxW)8abFLPP=XV^pi}=5A+#%qN zf8uzyi0|OIQ^1{Xa6CuAL;u0?JOOX~Cyo~ixaU2Ndj!19tgj;Ajg6eXM8qHGc-(&< zZ-=tP23^iB_^IN;HymBDc~U!&k^t^O*~J)x0-mNfbTSMkAQcWxFX=a zCSD@oj{A5!EEez_6K@po-bzz`1pK0jZxwJy6{p`O;CUt<6>!TMPQO#YJtp2N;3X!X zb^(uzA1Dt|vtAAXx2)ym%pL-FiunDUK4%C#PryU#IK4-}EhZmj z2z;%8hs^ML0k1Q|jRL;a3_l~_+syD*bH9>SCtO2vzsI&DoUdFs-jRg!8gbl6!bfq4 z{kEI?M6_z*D|#MTXVTLyI$zOnydeqamLA8SOv1URm*b5|INy=y_%lg(T-Q^K68_Y# zM25e;=o*Vs8x0QYYgNLp+nX$X*FOTN@9G--mZo^{M&VVIq_d+B|E_+J!c^4GRu-G~jx`x(62qbRg=XzvhLKYFbtOFO=Z%3iJ%WHCCeU8?;9q2bqa?z~H0BHz`N)E?#4t}Nrx zOMQK4J5_rFZExIq1?5|LwO?Cd>Dp}8 z%dZ_ZdOrs@vnZWwQ8j6bB_2jRik)fv9W)WVXic5-K@pFBxd(yHnfPVw1;xq+rMB<3 z;B4i_Q(9})RWBD)HMG-8Wc1Suud!&&eQm~1K&EAD?RTPO(Vo)}`Xj?PB2v+IYt3?B zE03|fJON3&+8S;{dpZU*p?!K3nFMdAMz$&11y*@9Hi@9c@T1L@a>Uf0-7s3wPEFsd 
zXon5zF9pT7qmg-MR8B+lIuLhf=edilGr9Z;R3nJ$&L-mwXjpks9Q0IDkDA4~Td6%8 z{ElB=;)bW$>H9CVR?~!JIOQzI{azjfSTs8hWAI7xYqh3&$~jX z6>8_g!y?rLp)t?|+S{u3ru4*irFK_9YmuISi2g%nWggjDdtCbGSk2DhG$j&r<)9~K zuo`-`s8oB5l80X}fsALUWni%spcX^Z}>uQuqb>%3*O9&)OnPKbP@+7r((kfs$Nbs}8vMDaQ*9Jl zV-71itD;})@oVRewTNOxn!cAPP$H>z6}1^P9}O!Bg`?+R&h_>Arbj!k66#>Kf`Nvm zVl;q^>xy6F&D5W!yvf?zOymX`Txa8ho68mY-M(F_-A656+ox)mq#D|bqOOKIIHPKR zdl^DvF}9DPib=K4QY3oW_A+&;QH-pa>THo}=*$2b1LL$O-n+)jESan|2WL>-ZHd18 zidl=@7%_7AQcv&>{O%3T$8RmDusplwG@#wQ+6hHFY5W^wq%{SX4CHeFJxQ(c2>6fy zjHVuq#>Y2vqp=>s0Le7xgUSFYf#k7~m@ko^*=0wKMx3BzUAd({$LR-24p*9ajzOMX zKR3RHhpGP;-u4pB?L(-wc*_STCbTVCF~&O*<@6G@b8xay+SbZtytHg4XDx5MgK2^d ztsO5>Cj|dSlNRIjSH`I_ThUHHk*8UVpD=l>Ojoqr>3h3=K`ptMQnye-3(K-gH&y^* z@;=o3z;sUVrUAu{*T%SE|{OCntHrIUa5qWRP7>b4h2OdQvuVj*OeE4DWn$w zljv!@6qlzQt$I*mxw=_2(#YL{c2#v9Yh zoeLQcbG}CNk$OSMZW7o^HVs+-MJQmtyD zg+Ox>XaS*^tqNIF`?XHLcG~#&1gk8T$P29x<>T?|t6ffN!aVeqlg0)HCtAm^ouuyc z07y)jY?3jSGC8C|?S|%jk(rO$$Ju-sf0n79T_4wBR#>lf;4h?hw}?~fB%=1lrfuPGRsM37MC}v_Ud>cF>ee~ zNa+WQ%;xgY#IpA@6!Y$Q`t;q#T0&k5`2WgfL_W#)hd5a5!o1+k0E-CIFqacJA}Ya!xB%jjQW+V@eV$JGV3}EiP>nuKw?6kIdCL8 zAHIJQ{UJ5a_&wI`#{E|NH>sX49w7Ak!qVuW>yIV0ttFGo_}0WTF-d z6GHwq_Pz_VLfo3}GiML7e{0Xm8jRv$cwH%-j8gs3le7LfVI&j|)|5j|Aqg!+FG{=x zO5!hz<1c0LmsRuvS~l@WQ@yUW($pGP2%up@hf<5dirR%RA3Y05JkTe3hR=K}G~DK! 
z$Cz%uDaO~#w-RHr`L@`&3~zF{uQzz@hCA`Z=+aQZ4HAv6zTjj&x+XLr>U{O-{uVaJ z*Jjp~Nki;*YQjygQ;R3fUg(c--`UubojK`x$*w?l0&6K|3@G=cq9CwLgY?@zU#qLGSbnCAXe+s#x= zfwPg3XI$Q&iZni@@*q`1f2z$UJc*ChU&D1}7LI9rnxy5|V4e3Fcb)(P<|>eCZl_f7 zA^UIfG{JmxzCOyw?2V9PQs769L!QZ`Pw17-A0lLQ0>>o#2qb`N>cJ$7LF?B(F_yyf z#fpI;OEJW6KSivJ=T-RxRYsu^z8wYQ#38~;P{C*8kW_n**~W_jKiLm|lVD7-i)s9q zs9HPe6NNG>G-B~gq}p7N`N7ns#OLG^(gkI(1SspH@SvH^l?KWI!`-DXPLEx{#CuQ) zUvO4s$gi>CPQ6D9q%v03lYZ@zaq3gpiF~EEpZ9hjwKXdpGFxS4_F#WzPk@OUpN-@C zWnhNie@uz2cCF&MkY0-*7qsH^y(|kV{Zq)LQ#Jdg-+sr6I%z_MqlugXU&2zDbYH?7 zWxT=qh@0+Tp~7Ot6<=tyRz3)G4^F3ke*@WjS;hn^1k?N6es5vB`ijY!Lc~Qs}2A=zlN>eQ^qXT7rJfAoLSc=-ZTd`z#uSzAH_v z@6QwTw+ur6ati(Z3Hq-MLLW(?mlO2TAoO>p(2q^f_uP^y54kDyN9M-sdw3A~3l_1y z&n4(v2BCi=g?>|l{@GM|xfCnj+i$yF)mmY-W2cB2`)4ut__Y=#d{k0;4$~u`y9(t^ zGhIb;ps3Qx97Js(lJz<8&)Oz~+LycASFkrwz6-=vSH~xGbNw3+ z%FVWXiyGdZ=6CO{I8E!71VIQTv3w?NwB;)(o9b?>IPG`8v2G&s>m{Y1j`T64f1~0w zt0{6+_0qz;qGs=x^Fng{5|>l154yfA=PhyN`Re_yulVXqU03-K;iA~9<-DM4x-ZY~ z%J=1!x(a-tn?c0aQ?jp8imy?M97-{jQd~nRzCkH&pcI9a;zmkw6Q#(d6w@fhwUpvI zO7V3{;ieQbDa9;GaWkd3Mb(!SdSnozXkOQJ8L=#QJ#opWppRm|LHr6RIER8a5N8y! z)HRoaD1p}{Q&6Gcjg--B3aS*miLxxB;5-VV7)xAU3KmmvCcXLTZ5F)+=nX|Hb`EUsa#= zrJ}m5>(p>FM6kQ!WY==9*3AxG$BZcjdu3~LTW@W&>ZT#esb`L(l9lg5L9akTr+VxC zSES9U^G{84w^kg{{o~SfxzFqFuF3>a{gNyCX4fs5ip`OeQ5h?5r~r$lAo`gsZG;Cg zG5&o8yE>DW!tfAJdhkZNI=IXM#4Cfs>?{0vM6@^7mkDpB$1a>ifl@81*N$1 z3rE64N->F2Or{iHq7+kx90{GLP~vTH&Gu_9tjD1pF5EX_qg^TQ>7-plNQU(2DX>wroxs%GX2spTA=~dh zB|S=BNk7gTzWk1-V*z69Z>LwiIY?tpM_PY8Du!oA(EdmwJz(&oQ_NZXDv)pNl5 zF2tK2Y%e1T55%#;I6(<9_ZG_qrO~~(T2yh;0NxKq`Ixx5d`JD{` z7UC86JL@ht<$HF$Ex*n-iVu%>D!Qp{y6)A^^IgZ-u_*;n>$`2|p}|E7=IbA?ZnL0h zf%0g)q;u;_^U{2ErS>$GrNgUxEorju>2vp1jRsXwy*IB4lnS@uIbdJG##{NqR}QyN^TAx9QLH+G^Q<>_-hzDU64n~r(c7g=cc zO)quXeUZB|ebbk?GUdK^!cA#d=R4d>T!q!IL?&TZn4I&_t`7KWvjbL~h(O75+x>Xt z_#-HZRI>&WsiLxZkm@bpCh@!gwR?hzW^>gTlCScEYVJFV`@n{Yq@o_(%f#|Dxhis7 z0ZWfXfhgsl;p_o~a}IdGQ_Dt>b}S*B$03}@6g>c0IwfuXGKjQe1-l@W`?zfGW3qX? 
zY66>wXV=f1?x~xZh8}=^eY4`^Jl%gi42T#L&@VTfhJ1Rjr)k_f92$QIxE`xGMjEyT zWx@Oo`Am(6gmMkrFuOi8zb+xyx!ue3l6u;uCKm6%~MxBJk7nk;;_DYWSYLP&wZe3G^pl)s?Q6mJ~?fvtssh( zzUQtx<)vg-ajR+oQn0u4Stu<$=0R;SsZ{h^I~4svhZ2#YY!_ixpNmO-5$5zon9>(u zMqh*peG%sKMVQVPVK!fc$$Tm1@T;Cn> z7KCLQ&_1QPOAUV{y+~J5s6Fq|`vSfCY7FS}MJ={zq`!+=ywg}w7wEyOJ)adpe6IEw zk4=Oy?!e|~?R`jEtS`CR0VRN{1tJUJ=RbssW~%yvJh`u}sJ?WXL(w0Sq!%RXF0b@L z(U>|Z)@h%kXUg8X;xRJbf!;P6zt&~W)hFHRt-Euy9P6^<+|5Dhh2o64`pk9Sx`#65 z*h#yrXD+BK&fsZ^M$HD3y5do0aHRCYEJkU%-pSY#cA=#jOelSBIyPHG{@Nkp$~pglvg@!O0iyg zwbQT9ll<;IRha>8r$4tvg|gi!sqS-CqoDcx);%h%4qmv$+UKczP(syN)1lSodh6!( zw;FG-Z?OhrEl91#TkJvBV$ur_Wyt!>jo^}DazV4roQv=%Gd$8Gz0hZ3BTWn~$7t+k z7){5*>1KFDQkoGaHr%8cZidl(ERD?!Ta(gQO>CG+Gt3O530ayngryfI>NA#l>hfcq z={@_yN6>iwXRC=p&`I8747Blo8a)!T$qa1m;q*{n8+nfHN`%7g*s+Tl zPFcftP)ydgW2thP)*d@%$I4;?`Gb$iF(VrT(&0svLq<%@z`NfyR*9WNx`SR&jzipd zS?iUxb6CDyE^FsCBX-Q8b$RltT@yht8G{#G4D9NmM8u9bp=4K}WPmZWy-1lwnPe09 zD~Rot2u%X~B~RXJ*A%8VX2~#8W_gP0{j+8l)i0TavEv#GeKN~mRKI$bx2Qfi%U4ui zJ!{TfkjwnJxA}9yWC7)t<-wY8JQaTe zmFaRS6AD&J1%qV`Xd;lwR5&jc4jcWLwRPxkIs8dClwSGSl?_;*cx?{0fN_!msJfdg zy8Q0b>$16io?Y*q;V7!JeU&dzPFI{rk%!7cHqRvsLMlxbb17h6NG3Bb?PF_nlGU(W7h=urL!1&5mwZCcm*dZ`Xe;6v)V(%rOeWHdx!GJnMj|KX)8S zvZoP{!w+M?OfA-{XOv+S&7e^P@qBO;4ICREIGDN2kz;caVV*BPTCg{zg}k)(41uR5 z_sOANTSZr~9-L7^HZd8ak$3l@!216ht36m%>epPZ!K=^p>s;M6PR0s4Q2tR-{mhwi{>&M2-OOni zpEJ|s{OTELa$WVbG@pB4#oPXf%T=UTk4y9Fi~3~u-YT5$>YGzvdP|=-zw`!JeWhRT ztKCa2(Miq>ni-|d8*F4GpClKYs-0KiD`W17K6t;*`}L)cfV&Ak3=lyf`3erg`{lLb zn8pVZe?vQB2B^v(q#AsD&aH<(CLd0xI#;fWWr5#)7~>Zu_3M*vP4vn*+Iw>Nqwe6< zYNR%VGNQMz`|8y`fLE!nRW1L!oco@dwlLdoJ+D}gVWig3)h$?`IpHXTNi@1d+H#5n z`vMc}CKBu>tWv5n6wOd_w`0{!g8gn_E%_ZQsQz9S$24`rl!rwTLS;aY4UIQzkyD z+9&6&PGkKcTlbUT%GzB{HpgZs8C%=1q{7*|*9Tzaw-+$z!_EcFmv^vpDx$^t<0fqA zrOY2}+Q5FlE3W0)WRlVqp8v-D(fPx;drl}|+>%VL2$UP|r~di(c17DKYj4sC?2DMu zrJA{rJU*TGd^~VE$4u^ZcMh_8RJFq@X<|6+@R+a9aAW-^w~QbQ*f@3AW|^=5&P@|A zTrzZg{TN$g8jD8Ld5&OavIUQgcE?y7F91%f)Ldr6WPB~%3WINnevOGz)#j{KwfXB+ 
z?GGgIs`dg6a-$e!1+RRh&%0;^@#u5xaqVf`6pN&}D8=AO=jl(oY0jthFD7O+;=`Kt zFqW-Q%vMzo}%ys@(~WW(Z^4m!WfTh^SYprh}>8OA7()`xiTrsk>vJg{!@Hy z0ZR(!%4O{>Rr|Yk#@LSX;#A<*z?7Qmym9M?448nnV`rPro5H%Jvj?Q{fM8!S&n(XC zyrF34RP7X2+Qr9= zZL=l-$JUynlDOg;(@CCSx!z~VFDjAiM#%LGVT6>rV1(SB=BxJ&^W}S8!+dpfhWY9j zT78JI`s!}C`s(kp`SS5)kgx9BHl!XdgKW55H)l8kBPcKe0dVuBQy?9IbOh`aup?kc zU?c@bA}|txQ4|=3z$gSVD3F0b1_GHBfb(KbCIX`=FdBi;2#le?7zD;3AW=X+um`+&OUW;XR$Xf^lG&6)vjBvCsblz6+DWnYk(8v$T?j&p018FDAzp$@0 zyd%xM8s5xDmb3Fx=$n`~)dg{ZUd9 zAj?zrsuF*s!~sJ&+y{H_1StURKtSIT1qFlfWO%^-WWfC?$sf5_RqNm5A_e*Txay96m;`E`-+i3qk4WJ}&4>K$ zSKy3!c!G+EX~_{lt0$8DWxDA1oP+=dES;~T*w~bE$@#ZK1Q+7n?@G%LKm;)pVTW;; zHy?6XhaW^(z4-x%Abzk%WAo-Ogb3mX+cd+y`F9QX)!hXVEOm{@UkC}r58l)B7eWB> zgLixWLdYL}@IEqsA;b?qcpsI&5YmSqyl3Pugz(`9@0s}vA$$12`{?|I5Iy|heN6sB zNFILhF6A$T;4OsUy$-?K;mF_hh3g;4A1#0~LvZq9{S!LJHSn#-(hKv) zP*;q=+wB=}hRqp;U-L&QT8)cD4HD!eqS5$;v8TO>=eN`G>pn_RH5|V-*pLEhLVDp# zBx7FaMF;If*b#R-c_rsqiRCc-s**5e)VM-mOm=tYkMZKgAaZ)^o_9S)fx2J1wwPeH zx9)c?@){5r!Bf`$Mz8f|yuGf*wb_i;@T_~nMH5}!)2<)j;X&d@+4Ff6{C(+DX&vFmLc!^2r2#6<*xOyb8v)Cl&yPWox@{CuphUJc{{$`nu{@fF4_;bg@V^#O5s(`AU3FLMXP%UHGGhd&U9dN%%gnI(H@VEAXFyQX2 z$_;2I1G(o2sGb6OoxqI%RICke8^?C;KqHt8y!AKx@@GQ3-sr9WHr8@?VJUYA>y4?ZEB8 zM*<%Sd?fHuz()Ze1v~?I2Jj5vnZPrFX96D$d^GUUz{da|1AGi{3Ah9tw)N9_)UNPH zP%|9z=k};@CsTV}s9H#y@VTE6P^|{^SBNlR5(Z4dF#!-x3*=s4jdc|@lumSLwI9(l z-e!+eptA%Dz+3;X^zO_5DSOmCMGtTN3uz4eGkerMM-OlPtHT)h3VYPONDm~pGVrJD zQTG%*kle<=KeI>ObMye^a8Ah{bx+X)JV!9_751omkshE-=alSG_Y^(A)6T#@vq#-? z^Z?~ZPRSm1PtgNBM=|gf_NaT29-z$NlD*IZScyuX3ewYhrtknB5cHX6rL(d}5V0dB=x#whoJ3vc*nJL_{-8#J>WJT^g>> zzu0yTIr<{DI&Wk~L>dcyO23=|tZ{Ho$*1jxuQZqs7au%+a8>xUwz$3#_0Q~Pn;S+e z_WRxYD^4Q?={~EAWTxt~jM`I!{T~T^UbQ)NH$n zou4yf;NK6w-tE_y4@2AIGmNK)@$;Q}lguoG4NO*&kGLm2Oq^BoqKwj&{nsy=htOAeOVC1VeKWh$NGNg%HP zLF3WE0oi?MLmRCUu&o3h`tVbCvH~2tjTYQI*Ayv`YG1_s!+b9ZF&KpC2@u8iD-v{k zeQ`S+yM8)r20^YvtFX@yH{wOrc0m}@nOp5hI?iT}oIh8cE!EzMI64|vjA!^#+J+hN zt{T{}W@vV}`i~bal~TAFUw$E4O(k$d1H@2<*X3B4m7Ff$&xsI~aCC83L~WIk(DDQ}V8y${b! 
zsi8OF9}J)p4ze6tY#|gJqJ*0*B1=YQ`rvAGU#LFp(}E-IsCH#0t5NtS3+#thpH?~& z$1mh>H*Le$m3{Q21FrNW7a2Y2pctMhc~ko&vTvYIJErM#`)2i_JE}%7E=_PS!$+Q` zwBa=1+%zTDVa0;K_v-~wZ35@p|9uPe8$a8y2VN7b@v!$3e9(_QsqlyC?3nC_>9aS@ zbW_(?E~Jl1(q~7!Zkv{ly`kW=dF7>U`#b|hw?1K@xt-;~iLQ7YA zi;s;qY)A!1GFnx$x#Iqv_*q`2cM)L6r$hh24lCT*rWf@JNpo_5*V6z)j(=C;$8 zC0xq8swVZHuT)#S+nv;5Bp9kYR&j!?#Qu2Ff8O0r{>bAGeja3Z3ACa;fMdT0{q95S za#92#L~M&&ya$~0!Z%kAk$xms#d%a>J779@TDvQlc{YYxJO{w5#k98+eU4pmw@RCT z21IM^*>By6p`IHn*oEN$k*Z4QUwkULCkI4eL{Y{QFB7Ngu4FGbU@#Uhibkg?A>8b-sd}=7vI{0QfRo+4eyv#v ze*)S=^uRzE!3M(L`5^`9MmnUB&JHQCh?k-6U{^^sPhhH;6Db{msqlQ7R8xiETzBcL z%ney=yko){kWIut*?}LNg1pg!3ypSTHGm0P)or^rOiyXM0SZ6~ukW=~j)!Xi0@jPn zHo_T+9FJltfx$My5h(uvYm&)m8Z4m}M1r#%B<C{`FX=o3<`nK8eXxgB@COm+k!{w929@853sx|`Rf!|gEH(Y3co4_eZ2R^Ppo zb{)@R3YrX$m$$puuX#`RT6Yy-jfDIQ&Mwe1F+XOxXu0Sx?t@|L#fk~)Bg^#+(#+&6m3qJ{RnVuru0zZD#5wF7KxKk(t{UXfvDn`PNv)Nq=Of z%co%pW;+l+=8FBY0exyZ*g{k@+WFi~YcJbd7=b9wF5&zuwui)c9DkC+lp1Pge#EwW zfo6M)_O5{A{PuS-x$+wF*>zX{?0RELK`b~3W$xb{oEOPFP^@Jhnir`)U@z9H57~X# zwmUReUotYyrx&s56h~kW&X0Hx^e)i6hk9|!ZI%sfZYk1&v+UvO$ru{7bm9{8p;S|d z7ukJU(szNvU%u0?b*MOD9PWkc8jrXIx()7c?Dc&pp^L_xZGr})zGN$A?U1712Mx1B z+T00D+tG8-`ab5Y+^&Lyv~q?H8&C6x+G3-#_~>@n2<}4_C%O7f=pWX!-Sper?cfh5 zf8=o$cBbMz#ciz1Db^>wmC`&Od_!;R;{11jzk&Y6T{@8g7)Te>HlCQPEuUpi*-fJp?=EP-g5#a{!Z1+7H=`+E1<>_(W>*wP zN@qEWG_*JUvMVi+SX?0X7p4Q0a3QE4!iLgpU`}o(4_q)+_YaVD{9Ucek!a~OXt2uD5pQlL ztQGh6>Tlq-i3w06xsDcZF1xirX#qP_X$(w_T!--?-Zexanu!=QD4N*yUf4M@zYwAq z)1u(B2}KR?U&Exqp=|I{UL@{l9jwPLDX~wS%2j)?jJTw-vo{p;k`n~{B#w8xzqX|^ z9p{mh*inb_5+%hyd?WlWp?0A51d7Rsp*Enl1d3^vp~HX<(@WA6>7}E$NJZP5wt2uQ zVfK-ArfL`P?NLFLP3pgbo`O#a2Pli9h*!1m(P_@=41>6K zBCe37J!V#Ac}5p9$U%|7!$~xs2F#p~g9MfM$N^?7&B=IvCx9Z0j}fN2Xb(|&mS=RZ zjE*3Z=kWn@%OjQ_QWhu=7&;lv$A0T^ss=?K1tZ4(BWg4>%*qBv^9j`>sj14diMkze z%QN;=Evij&i!nw~mQO6vV%rlf)pe|mX@k*l2c$2*f z5^6FY`x?>>XfY2M)BOiB&7;CqXZ)7(GTYAV;orqu@An`ZAaBpc>Hc*<)1leQh*N{v&dW0%Pc+>>QPZ)ke@OY5El2q*&v+u< zaQ`ee+>hf8_am|4Rxw_6l%1AnwR&nb#xg>g#G4E~N_0A!4FnFJ>0@lHa=F_~bwXu{ 
zY70p0C?0~O7_^7hGKL|R-=;*fJrZxWFy%C$*=muL$zu&@pgg&DdlY=3!IotF011%6 zNx!v==>p6Gsgn>gIdmPiVe4G@0v%iPQsfNwVrS5!`Y_;tsM3aA^$u72MIBu2|bQxl4+C&fqBKc>+7QrN0UzU5VW0*#v(wIm~fu z$S5VU7LN*eC)eX#&x2Urd9wZ5Y@BIOoPKQ{jy06z__c51bFRg>4(eNZ{zw@{CTGI10NMgAAcSGx`yi50p9J7s+x?B-s- zKKhgNYb>v2!i5C7Iru9X%=FRDz@NPsA-{h09qcjrTkJ9ZPCUS72_C-4$j)DapV2dg zS0`SPRj9~!QIWN%NQL9ov6N+GJ(kE1X1_KHIiYH((rjKOefYKxSTIq_2S*H5%HMs$O8HaJcP^$< zzOnHOO9=;He<|rgOQ9_{<9Jz8Dc@(oL@EEkf{9XYWWhu!TZa!-$}u2BTRw|N=O5wu zFm~YPDnrZOpSMOtw$sO!5{x}}sbRG}lM1L^L_|;`!*m4lm{+6?*w%qx{16pn(Wz;{S zFS6J~%e~KniI)2YNyp#wp5 zdeVUxOfRJ_CswXGY_FAlwk&JA6hwQBt59m@B`IN3*0xft-1!@s3G9t*v;OnB*uteV zY}ot_At`n{{N>&CI?hD-IY9X&d&hAqB8)P^=Uva>>5u%*wUxrW znAqvXOQ9EzO)9(-$#b-a3d5hLZGdT8142vO;VlI5nb}{lKL-C#3!FNA@c$G=fEeB# zaKFZm4)^BvdbNj?K=~zn?UuITD?;)Hq<o$9vMIQD@_j6=czV9Ojc-ic$1 z{)CH~1TLaT@p|J`;7X(j32$3P<`GOI>se!GI1ML{rP?j1JF7OT3W~+Xf}?a+sCbn> z^3Y-*Dj$g44gWkUct1q_6Q5=j>(d~l(_C_74MqXHi1@T9a=)UYDdAUCBPtsS4rAp> zt3|dRhwJrPcuwDx-CdIYA&TYAeP1o#$9I2rKyMerg=&5RkL|j#Jv(UPlWPA1QS2jg z8DCH6^Wa8plQ#b|z@GPIYZrDjz^C9i+sxWqm2`V;2&v;86YrlEn?Wdcu(7>$EY-hC zSC6#Pi8gO5`;5=q>g1t3d<22*t$h{m`P~P|ziJ!IzdFzK-}3FP1LR-DWd!ILbQf(Y z;0R%-G51Q^tH5CUsuHom6Yr%`@=?e4N5;qy8`>Zts*PRf6efS@6dYMwW2f)NX`C2; z_&Cu)W&foPatzu*c4No!)DHRpIV5+`Bq-h?I*1MdrF77z5U0U92nz{b*M#-&O{)L@ zx&EOIAeWu`=QsG{-~YY-8Q3r32WfP_4ikdE{RVI7Lk#0}ImS&{e6-a7Gy<&11NDhYU+P=4e=P8jNhR_rJ!}W>~XYfxD0e>Vykr<%s|7ZQ*^`H0u8^~{n z{@;qIl>Yw-!2g%_|AhZu|0j=0bXOgEgilGcZP>PlBm6@yn;|dhoPZeGquz@R83^WDV>p1$EjV?fM8Jl&Uuwz_>YS4d)n3O!rX1&ANn%(T zC8gAvg&1PE3Fp=5xgVFX(uB%{g7~p{S@Q1a90M21;0hpwat^eAFnjF8hAd`AI_)!s zMiFg~PoNjA4Mzpw6~LK%JgjY-ZX&OMRJ$Eg$2Lj2*$cLSj?xQ#4bx4eD)S}mSLxiE z8M2;Jt=*e$;hRB^fI6}u(;NAwKXzn>{&1>W_y%KJ#`A!y9)k{4>L`ZKMiNM->Bt1nExFrgidzPwg<;@ zztF2xd9O78t*&coqh$Ut1s(!7d|_RBij1FAz29F{fj@)Mj6J5a8*vNIF0b}h&mojV zmb|C1GpCOOkIuXCi|v6yK$CMH?CW;+HNDS3<0t3RCP#oqyWX&IIaOr4=LU%`Jsn(X*=OYwr zGdoeCSKn*d_X(X(!bu4D0~P7nOE`;Ec#ERfIHsUsWOe}Rzp@QW=TG}@2*Zb9Ju)>g z_AJ-g=mf(h8I6qZ`f(J6KJQOopu27m+B~`MX!Bb}yUY4rQ)K;KCo04?z+Gs0w(ITU 
zd*Cj<2ky$_poc$7_@j(J*3zTKMN+`uNJsLw#>5+~k#IE5MY@FUb1Os`pX1{50eqQY z$KgDe-*|B;1i;~)1<7)|R~h;_fy_%lNI ztP0m*;L>a3XhRxK4?KNCHrkrLsQfV9UrwJm^&DKFKXF48Mc^3zLK!Y9m_%eC&!i`g zf(M{hJgiMgub2%RuznW6$FADp06>QtK8h9x=cDNX>jgykwe|oilbz&QRjo}dV!sNF z>r7Ivs`U*PaX^J0%VB5OP`XL%+o=!IRqMWh70eE)C)>!-yCyKBtV8w|ORAGs$j1G3f+f3(;wVeSJV=bkjMsgTrW6eRSm%|qb^la^MtJp^YM{Ii+W=O-^z3;|0=KB;?5p!t)IDB4dYFbJo-~meU;d+wdsvb+$lx6{cs8oDvWQVUL zQiOBE^X&z@BHx3Knq$Lxmn~~xB&m@qENY4z;m>h1-FavW+;3Pl0Sj>Ku*}nK^l_|3 z&23lQO&hNAyPKs)-vJF|nkaIc=joFe1)`r`z=D(y5~V?f95aTaYm zU#6EMLS}M|TM_JTL)v^R5DlhDtDJkjU>CGc&tWTecA`~N1rspQzJbUjjH*d=cns&0 zc2=D9X}Itr6Jw6wV23}>wMR%hVEqh*zQz`%-~K4g4QooHPI@efvP&16aoW@0?7;8R zW+#3xY0iTc4u?XlVn^4_;Qc>Hubso;Wz_nSf1p`0oBDJ2gf6624#$^PUAN#GuVK|^ z@TCGG@VUXIf`h7_*{hc0WBPTIJW&Lm<{G>6F#MQzv4J<6T2MOO9bHb2tUPH zQ(B%-kYt>poYXc?o7Bqh4#EAZFjlR5x|VAOb12ars0Xb(hPVP1<3P`x$WEv4QX?}V z=`-KL`N^H|?fBoa<52n$MC;WP({Re!ZB$993(k|{y8m;q(l7POkqx*MHHOoCdNVI) z0G=`>7qZ?5xw#A8E>)iv#ifi;dvwZo3_ImZdun`>>H70_o(-$ySuf%73c-`le;SJiFN z6e$X!%yd4kn>}&F3#7Q;lMatP3}2IqU0z2dV2}7P*a9@z?!sX6*>G}q%cE?tJq*v_ zy$*H_jbw0>)6rpEtjqxFd3@Qa+et%T$DPe+_zo9{xAULAIv!O>&T}S@LEc9vf|Y z=(m3l^PQFMVZO5^dtevD?0)1H?fUj$>>+sn7xC9ldG-1D#%jOx$SLa1^0WTj=9%Uw z#CJQrY!qTQ{wyDbitayyF9dNtf~|*|Y2f&ykA!IaO<&0eEhxDwF(!{u+=>cz_b1L&J0LR`Sa^dXweu!Geh(5!HMNJX#noA<9K=p;&Fv5 zU2%ddT-&SQj*ZTXtlj~qdu*Pzx&>qKUW~zW?l&cUC&^&>aW#UE#d7hr0qO3&gz1_1 zqr7AX(dPoA>2m?Pa*7oXt|Fx8!h9Pz z9-nf46(Z6`L$Zwx&o(wZ+b}%0BiDTu9ng4Ecnm8g>BW@x!T4_S7pFx;Lx?*0{#e3HX0Jpuh8xPvE`ogR~F$ z_j3L%xclcE?$@R}N=~#CF^6$WksVEIF(!OJjjV{E0(S!$c#yBtMp{*xMUKqJ!ZL>Q z{2OvqC~qh(C`vXwc~@}%bS6%Bkb4?*8;_Ie0WBH4lV?Tk`~sG<2r*le_9K3cungU) zl1IT^pvTIF{jutBdpZN3xm&S{9ZC?DLuGlS=vhaPT!he7S<1 zBlz!T)z}}*QNtT>pvAi#1#xJ%(mopd%LPsNn@8-W^W)D+$3YI__AR?-W-(e((f`V9 zcKS41YsTL{gV~CGOXG*X!B8{f*tZ zo%S)$Q8pgqU%o<4t@yHy+1yxw=OEtLI3VgYC4r)#HFyr&pM_1nxZg{fdP+&Gzk(Z1 zaM~PR4)RhKlBNINWh7Iz3*f|Ko#mECUvbZK5m}U~@@!(`Lm@S7l(sIEA0~{6{-+OY(5fw5f!+ud< zzsQ=$hL9aD)h(YvC<3%=2U^Gq_CW%XTd{`+-&D94i-$6b*INB<#8i#sgG*p9_};D5cGpAvS+6`)=anD~S-fq$=9o 
zh%yx|w)|xJ9_B9uX)(GUEq6C60NW79@4VKXq-1aMYqVR6)h!O()2%ODVI|yuJm`?_~{^zJ|8pn(4X zw}lR|FXKuNaFgf|`#^5V0j9eBuq9$$-yXm=rI42YA%7fB^y#<4{@E@)LY_N(@e|06 zh0do{LS1#;$?TuA_%IMSEJ2qY*JxszD%P{!prAu3-?>1a^hQdtAoxl4nQbqt|31uN z!~FOg4)A+t(zj6bry;`sj#0_DLq4cc9SiiV-DucdTt8xchXwE?xKcGqiR%lcXJ>NK>@KcLeQ#i>#S;;2s9LiFAN=C}7%wI;4Cj8kVi+ z{JGE`bSLTN@%`GNZNiY+;RQs+wZm*^hp4pq7X)chrX9AEcIbe1XonP$cEJ5mU#K18 z^8Me@4?F+w(GN*%Q#$Z}t{-APe7uvSAEJTWok{uuUJB@kofrd5=o0#&iGrqn7<6L% zPxJ%KZs>cui z))(rB35ZVB4;G;RC-uYq|5g3aHCK&n#OV|A0w4Y^?t`Gol?6$MIgK~&p-pDQGBPY9 zUIIWwOkd{_QI7FzU~v!Taq?hB=E4wB@BNp=YMJK}Z-Q#&cfh>NM4p^T9c{pzL~#~&HLR3*O*QE_!+8YA-w8p;^C zR#Z3tJNo7Sw?Ftd_sRRq%s%@6jQ!z@_^^e$iQw_=)`uTNrhAdxnckI9pNmRWfE7^o!Newy-ieGn1+ z+jE~@%-0~x2*NdPxQs6MjpQ{5`NqD%hkfeuBe8xU`y!ytfcK5u*Sq8EkAv~`$Nquq z4^$|zfC*6@Ve752?IVj1rxahn;rX@F<6Q-i?rvlFOLY9w3_a(j!;K*B@=35bl$q1<1El+`dl+Mk`%KfLVhtKn`L7f!YXcOYVeSHotmKj5F_ z>yP`83V#ZN*%!yAm=`KoTXDG{wz#U;`U4$-Wzc~2$E4i>4ck=_EIqJIy%Xz?-4%!U z`h(puP>l6QtZFOK6#)ro&kkehulw6=ce{3b*=~2c-R)(!KYOt|Ngy`_a;X?V zZeGt2K`w;^5b}S2zt1_7xg>aN|Lu0;>m`}2E^l^6Wd@p6Z&3LkOWNQSPz0mz|okCtP-iQ}(u>^Mmz8o;$qw$KJ5 zi<4rB>&tPDgc4CKl7L?hi+_-sx?K>Q!xVR`Bxws(kZ3TqxQvUV!15SA zdj`VRo|#r`H-7$^CGpzEP@vtHJc&gm7s&pB1jp0IDPE5?WD2JG_N9I4?P_xYq;oZ` zF}lKHf?;?mp-=}3F-r5r6F1TLvg3RVWh+^1Vu7(0i`jzQ6SsQl_7|n@nBQB$`hD5u za?;oECtN02W-f~QQOM>ZaR{st0}I|>s$(sE)j6VRHM0jqWU_bMV)l+N=R{D^NTg7O zs-?}h=0b|tFeQCs*uO7&p}s$P)^&BwSNrwx};)ua@xUYe=AdC zQT_ZVL<6{e3VH|mR{htKk%9%XS&T@;bg{iaHjO!|(KYu1Hjm|KzFB(99O1l!iP6)Yu4d3Qkr*5g#)JVfQ`UC!! 
zgR?E~0U=D|dfERv81!_c@8UMrmAp!3{T6gMd_JDt7d(nFEV$VAc%p0*uJjFXqisUJ z-nxNdky8B%%S(+2$aLhRP2>arj<>?~?DU9dN3#2|7ae4(Pd&%p zDK?l%i?A+6d`|Xe^!MD&=pc*WLfB{FxAk=3a}4>rCb#oYxSAG^&udQj zTiT^L&Gstzg?#=N;SX$7-mFIT9EKVVnHC8X0V3c55&un(ui+wInmwL%dG+V|Z`eOd z?*|CtYOgMSlY6b4W*+k9#7T8{qa)|+Ri}_g3DA({Fmf(=3o9v&1u9g|dtxY=q*raF zh#&qVsEUwt62COOhs%td_eA~c=zMdLIA>2W9Ir%5W!L%(>{>f{d~(J7T25q(c`qt~ zqOe7hN5p)Sytwh|hCLfZ&c_=$&&=NrKhZkTZJK{GY#oi!`PIp32Qu=FV$2>>84HSG znk9ehx}*6$oD!C^Nf72b6jgFk?-N_9!|dBO8qc41(QMK8;;P6GWOGoV~%(m z`w1Ay7PX(U#rvsv?N0im(C4>GhNCN<#(v6?@8-I`8AIE9 zZdmy~B>0>IVN&1;L08D?6?&I(2A~VgoWe~0RJtP5KB1)d9HuDzOVx>zmTIeHU3H?S zh54^$T`_PU@^^U8A%}+~R*^Kjy&~OMie7y5Z3uXq*iTOlh;&D5Q(??Z$7P!<-M?X& z#*<}8x1hv_peD~!u22)g^5V%L;>G|J>LJkCBHc3nRKO2LYc~mW;!pC#Z|$sBZZ>E< z*7!NiY#Lv}&g_LxkgTJi7_5x_z<1aRo?`4!SHJ@eMY@^9F6U|0HMs z7W_N(`8d$Xv#WUm;i{0#EWXuy=q%Y$EVegTvh}#m9Q=v{g;&U#AL*G^bLKmGMmHsk z?Z4FnF(DrsPeTi>aXuu{RdIC3BT?#y-e zx$;w9j=ra6Az85dYup?Arnpr<&-3*X`u@0meNNRg+&biG0teuV$&_&~zn_yqUBRJg zj#Zm^;dtU^Y;k;&K_1Nl1LuMs;ry7K62ij=xhM#)F@}b`9H|q>>E2k#)8#BmE2B6> z@_PFAwN+03D$v5w#FWm6HKh~%(McookF!4Yo>L{Mt3t_{tWVn)zf-Se>6r+14zPt~ zh2XB$)oC01Di2ML5&@FY->5xI5H)eoXDswnOJC{ZBVR_=!7ibaR8eArwlbawV0y|!QUwWyzNb1T86a_0-&**DI)+F-mtN)dHC7krz`rMx`- zB=4y2bzrr;7Xr+Cy}<7X~tx=zN95za)Km+ct@& zjgr8cvK^7LU~)w%``e;wKld&Q!fGE!W>GE~7i1xZ~itfyP7opPUq>P)qt;AX^cQjza5*^HK-tdPEnY|BJ3K7#ML zd~r#{FQ$X|p&z<@sNC0ZuXA0wT%Z@TAo`3HQc)>fu9Ym(WSePxpFk&G{%bpc^FHXMtf|~)6zIVx)qlA zWtBa9qn8o(L-rSItNo2X;YEmA8!wOHM&B3L^MitUQXr|>imkC=q~@Eka!X$4h?>Is z*taYYv|0XOtsHBVw$$U+)GdpA7R}=6ESr!$pX=d3EhIF%bVCyd=Po3MahdB zxPDjqzd(d$>0jb|{_LlxiSHTG&)M_)S+AUKe*YfIOwoDFqhHtGnfd+h**Ww3ui~ef z-^XxLV4BXcqL%Ud2(~{C=Na@6MIYT#z@vm+HHi`Q6L!toi+E^DLR)JM^bJ zzmGLX?n|71(?4`zPI(*78=1<%m!7njrgbEOFBMu5 z`v+&pJeRXr6_J>$SNT@|B!e&YE|vb52}vZ=KJuVBbnvAw>7j!!-Kqx;zVs>QLI+>^ zq;m+ql&uv2rdKP#G_KgX@k2hxKNNiFQzPR`e^iJsef)Lsr7UF7W~HM0N5+><+YG&W zHojE&)0sn9?BPrs#g~raOR?Fq@ui{D<4Z3e7GLW7pMx(2#Kr7BVPxfS6eHUOpW{j_ zfS1%dDTU6MR;czCIhhdAK#pN$MJeY_A}nm8T2^plcO;WWx2qu<$|e8c)7 
z3kaI=zc}~@*+qJ*`17o43yi!`eCZz^zI5#A@uerBmdsi+I{5RKDIFOK^1H{MzbSmF zKtGsRC)vx0`&Wmn90{~zynQFJ{(92DNLcRQNQrn>wNx&eU|&O#<6S*p4HBf^g*qs_ z)EYvU+Ny0TQA!2q(od_Rd2{H}_p7!U30*4N5019EZDe%m%tCbO$4`eY{YbvH8QPzF zGx}u|U;4+6FAWvqOC#C%(tY4zP7~U)iPMFu^xmyW=)VyPPhvGi-N$Gi&YnlWO=-X575yCwSY)RK$=GcU#c!Z;+ITd z%f}RQni@W^<+5B|@Mh#c%Mci~FC728+E>Hi%l~J_uVjNvr!xG+UCdC=;LBeGFgh~G zv~^gJ>5oneGG*2t2A4N9KmA_tr|dVYc`@#jVmYvQ*Nt8=IL@1vu`Xm&`jGuvz+A$1 zu!BF{ONn}WWuF>rW0Ji@Z*rid;v~0k*Am5_MsPfm6z?O@wiV&nF<#Tm9-?dlG!o#> zMJarm1MnyNR(-{Vs_IVoal7{u=7|#=phg?VuD=D2BiGW|zylPj8fV)z3#v+xuY**T zjbw3;2Q9)oc{{*W8KkPHy^v?CgI2xLpj9h@p1Szd>cqs|)z-v4)rqCMN5rQZ_?^O2 zs}rH!0#BW7@i!ZudMX1?Wf+_epBm1Sr4Sp}RL%K@j(5`Fvn;8Y0! ziX?^wr=G*93^Zbqt9 z`F83*JwSC|-#izf`l16O4K}Y$A;aPz_}P zR5u{h090ey0M*+@0I0@?1E@|N8K62YqkFU&e_!}i0RpY+R(L9#jRNy@xCjt+fv2jV zgHCN$K^G!|+fcy*Arf@zbQSd1MWCl+U^bqxA%bx*|I`ZuRR2}(t z0IH6Bugd^bk?)ZzU&RQ2`}Lm|pt?`+=LGlwP<`6LkPeAA0M#9c_v-*u3-RX$pL&JL z_g-JaxA+LB?h){*S@I3PJ1q5rPrZ}dhR3G@Kc6@}J~g(!$N{LX&j3`3&v+vMRgrEN zpt?`rI9IyA#&8@Cp!zW71pw8%C=6RW1fVKIPywpxXzfM;sE*ImmcJK#s+dl|Q$gw2 zzq}IL#WMI*g@b)x3b45*Vcgh{PtLNXKodRYoCGQ?GnRIaA&3V^sFZfr0mL}V+^Ui_WL-dcC-p`!@c%T;UDhKR}`Wyy52#NJ~@OUy%rWFL6d%vO>%=G z9Vc{3?dfCett;$7b}H1My;u#}wT}H-GGxEjU&Lmxz3#sX-qnH2%BKkQ>wRO+%-^ca z8@sX%nzjF~%sRhe(=*0Aph(hHQzVW_2>BjiCW%16=aOG4AKyX^a*+JXi;x%vU$WTI zJj@cD5Dgp?KE5rG7P-+4QU6wl{BpDJk!@T9&#PP^e0(NWRLL(>vU1<9iPk4z_mSVU zFjUkhHliY`g2^hV+I(vyEQ{R5XdRL;i;3v)QM73MQo*+y{TxqBfoNok((^g|mqbUF zWWqv;U1}@1H8eE;$oxTki5P~&m++^C_!9oiZ&d!vR;brvt;&DdD%5N9TXpJi_%EsZ zZQKt99jtU?`1F-WROO}O{!WJhb9>(>-I;+nBxcd)VZh|O8l$zsMA|y!f8h1A`7d|Y z?Zcibm+&1TaT>mEDwaFtwt|)r{>!cKUlQfhjD1J`4MHs;km$ReB+`m40~rJZW{ZX< z43j@P!+%MjC>`P5454{Dc*`2-_YD6f^m~^OodEsb0j1xoPQ)68es8uFYXvtOHep9_ z$vo#Yg7}&J1XBr@j0Zz4nw-)o`PH%m6Z$YoRPS4GU_J;{Vykb>Gn9p_R!A^6qw@X7 zgai{d_3eu%7JRl2fE7GX;s-YAU+`T*k693(z{b%|;opO|Nd8s+y`2mKp~u`+x103g z3nvnr&{*&cGd`(*z|=3mx&h(GggyN%URAg+U3yI1;SN70=w>0vT&)7Bq!126=DC!- z9z&*K?ze|w$lNFrX&5s9(JK-;3`6FloG_lWVA3#TE}~>uhRjPc;}6u?C_g4Fkbk`V 
zn0HmU1etSW2ns=_U^-leOxXj96f$I1QLOqSiy`wPlnuv_`8x91Xyk_&$G6Il`L~RI z*hk+OKPH?lT$6W_-{~z>{HxU`U`nGiGCs`R&YqdQ;9XSi_%yk3_Lu}w&(CX zl^=I`Do0T4&LZ?J@K=T%{>tH>`*!&;6C`3#{>qo(uYAXS@KwGWw@J;?g9%i@rV zK5~e@B>e(cME&b$Cd-@%TA0szIm4tTaq>UKB}@e*Tkt`#e*V!WNP53TnQjb)bYrN^ zw`MIR#3=`@Eg^r?WPrGih1m$V>terb4CQt9?Q7$SX(!11a1v8oCh${r`|(ItSl!X& zw4R6)ACLdBGyg{Sn8?Nj-ox^5?6AZ)E~q&y@yiS5A6Blz(2*jJmdB20>|@OljcuNP zgxKa5jG9Bj|6Evkc6^%D^>*sVU?46J_K_6KW|Ifu9cfn1 z!}|43{|o=~ag5;QUeYGFLco5k?v-G2n%Vwo$~HioXC-Ua=a0d)gehU%O=~jzhQcq> z8uSdn|J*iYes(*^^nlx_83z#j&(kh!Xd?O@Vs$Sa6*|cPt2u#pvF2oPpcDS*X%}LE zUT6%^Hpc*+-;4p;3WR+Z_jjyP7?r$YYoy_2-|9h< z?6tB^AxdvKr<5Z;XdREkxEYlsdtZ=Mjn&h?E9f~vxB(3QA^)yu?TI+7D3=$!KJthD zZlgNnkRV^-w;4`e_^2wS}FEz#{T3w;m-+|Vr$MVPFzDA z-5g}I(wn%ZSU5TsB8^cA9K}7L%t8GK7&nP{k{06_bTcY^F@Hxia8Ov;pYc7?BiC44 zxFX{3cbSDa?OP-EdHBk9wd2RrX7~ak4KMkivADoxu{eifC9w!4Zx%Wa-!4|#ecIB&?Dv`QL_QMAJRDS{Pb?`&(ztKy%I1=5V4qp{?~L(%^A z?7A1#-^hBY;3nr@{UhVIgMVT~A0wOuA0wL`y7t>FYd?tD;je&~oweU)%>G8q{!Ml5 zeOGD4l|^syepzKD7mk6ve&tEtQY|Vhd3lxON;Jqq?gcwH>)kX+q z{)73-5yEy56|N8xPcK5)<$Gik*N`#?A&mJOT_NPOZ_R&Z3E_8f0)eL|j}H5FDcP?} z8C8bsuE?m{Fnp{khkq$Wr0ud=!v5YoK|H$n;>`Nbk-xN&zy0DrPR&kEY;px~Uc7b$ z`b#qoMSc$PPwbG&-yxO1Ln?mi zn1TFl!Vl%jUnFq@@<+Uy$e+asLjDkKK>E4r`yNgi4kGJ7Mg(u9P(*NN&~pe8e2E!w zOSJZoh~O~#`)$i#i^$&rmA{U>#&zWHkdZ&hPjaB{Rr?)LS;n;nS;cw-_j?!Jqp}z! z-T;}KQ5v|RxZbBL*PpY}81z+l_I+%1cR_Y!_fZ%OckbYhRDr@8c$q+V7+G`>6dsYQK-#@3@CY?e|gpJY{XX-P|C{Xh-2IJz z|JTv|jqLr6qx0PTjnH5HHupE)|9^7#H-a~4{;py81;+kM4!=OWNnA+<`~pY6XZmf3 zU*J0d8O0fXf&c3qI{X5U=%K?e@PHmT`~r757drd`H#vu+`~rCkIQQ_)#P^KG_qlF$ zouF2TpF;i1!^HRe5$CTOV-Y|A1aOwkFAxU})?C zzz6jb*c3DT0#7(48vn2S0^ik=-xj~XJYG{m@?3s_2*;!R0(8qLzd%m>@hHE*Q2wh? 
zet{7ZV2#V5bXLgvV3c2g#C0G%NBISod*2Fw!6?7LD8GQ{k(~TjS^NU8k!dA|U!YG4 zFlLlrVCQelf!b08Xl-&%8h(KkXS4VPu9b_2_ywlt9!@rgV!RoCft6WL76O5~p=0G2 z_#DSs`~rvd(N6xWVF&>h#z*28c;L@+`2`xM4e<+{H)8~Tfsk|4o8cF@_q#Me?&jVf zEWg05iwfQ~k6++(?<%;$-89QgQI*;J0$KTc-oHk7Jx9pj({`x@O|p9lzyB}w_Yl87 zVBD=K_pji0CYbZ6 z{j}bz`FlF_r_1mE%L7s=+zuv*&<{Aw;rD;`z4EQCL;U`JeNC6&|Gn-@E5E-_UOFd# z&rMprp?uhDzsh-)Fl0#b_gt-KU4H*AIqT%_xt!nsBl!JYehMNq4K@FfsP&rt$R%D{ z6-IujMVeyP!MHUb(S^a!8c=ll_MX8(6QAMUulw&4+#v`hlKm}9$Kd6{-~TuKp4_e& zX@V$19Txe**G3^Ao{J>q<;0S+*1Nyn&m&gnOY` z6LWBXL+Sy8NnmaPHarM6yf7|pX#Z64;q`(KukRf2Jv!wApxG-c_}AdXcRM)o69y;l zTb&eLPKZ`CaaTpDyv9wu#**yU2$u$~FL;el@ETJJ#Fy95=iepIze}F~kEQbbwfsBm z^A}w}g67pdWBRp#K0V7gqa{T6N5JB@Q>iTe}?jgmrqGfRDrS{r<(Jp^m(R0jU~;3XPzOD! zVF^fXUmGHSpM*}Vlbu@#Glc$(!L?sY2;rS5uru~ zL5e}pB>W>?3ui*?l^=lYwlwi)ol<{N{J8{* zNdk_^-Nh((N~SNXDdcaH zuYlbyu~WStwQKj z3U9=KBgu23wT)srQ^}D0GX9^@_~#ypVtdArOZL!N3u>Mb!ChX{qcLsI7;4ELx~_?? z>qLGD?RM*1C4J=Tgq--Yw_d*tLCuYfd`pa@jBJ0`aPmzGKf1>e^0Eyo7?e28YkbKWfly%Os%6iD$*I7KvTG~UPVtd^#>PAH|LCX~v^IQfr}aU`jb>9bPeOY`J=yhNBv zqN*`3ixlHs=RmB+a(mX(S*YOx4fFRK{!bgc(Dfl zO^PHGwmt0MnlT5Qkn~A;3MKDwE&K+Dqt>(o#y&VG@v(#elx&Fh8(7i&c{Z{U-EBdtif6A0!hM9=wJV zn3I2x>yp{GEn=bJvJ$5^P;Mm2>WC*lO^0mvt+|K7ptW6s(>G{n`c_Fuxm~y+uE_iD zO#30AGUJ%18<4cZgj8B zxJ5!TRj-n_FG4g8f1uIg4vXOOm@0FJOmKOP>U8B4MA6T8ReNJyW8clc+xo3^GCYQs zSb2bVg}W=_Kayb>oEB*~1@~;wI?M^fFc?jiK$Lod)r;+Xtmuzye!*RJ`=%#j@0Gt=53@1{-$4RyFQF;kIdZJ7@R>G1S^I z)Y@2|w--mP`ZkweFnQM{W0K*)z`$Z3-w{v5(gRjHZpCcmcA1b11~&VWefpY^#E|FG zkFP<-(E)~3G&wO9vC=uR+e^91u5b%3#8x}yTeFTb>lD<2n}k~Mpim1Q6>7l?Bdwv0 z)NKS*2n6>V0tt716mxwCRuuoL0lx!f&2O}{5D4z9+r^@B;T#$~Rq*vIwAxm$bRF{V ztS|dmfQmbcDgL;9=}t4nlZ->B`13gqC+0H6OKRu6i|#AP;+z-SKAp*ZTEUaE#&=GB zXWygpt-h5{@~_GB?D{WG8vjLonc8xB?t(YuQ_wi~^nzE3c&Dw4(znSkiNH^9hndxs zb@9st$yXgD`n@}S3aVDa!+If!RVnC_IC^o)ZckSdM=yU*9UmP0$(YIe(uagk>}Wax zpO~q5I<=dMr}8VPHcxs^zx>o!2=f!)xjps%*YPe5-+(Llj4b~t`K!yxUmYPCbSWgQ z5i+L~+dCGUz>qy+=HM~dPcn}#rCawMuS3%?Hlw!$iIa) 
zeD%+GuG-KIOGt@+o#HJZ6F&H?3>I1L;dR?)uiPp(s;e@$NYzhsG*oq~TZf9my^Q|j_D?9|UVc9(q{H9g&_SSX=7r;l zo6Cc;qE*h7AbD-fkyQoXj!=_5D1BvhU{e@?8is`qjgY6yu`4R0iK_hNz8pmbC}H%)+oWk;hRCPFKA(of;v@t3HqIB@ zr|>P9X0s1-nQR0JSM*+cb>@gVitWXw4(^fmvs<}Msv-S&gr{=qIxf!e#(LP z_vWNLUTLNMoOL%<&;#W;PS}3?srl5ETU;PLE97gPNnptTiwF7F(ELS3)5%ab`BX0y zLmmp_Rku0@NrvKhwot0xiC6I&FAT_!EkMFx&Bh+7Ds4E4J#riwhf79ybv8yUVbxVd z9`*M+6vr*TN49WH%u2}>{uU^X^$N8|e#sf^k(10L&{-p~hYGWk*UB)+)$DfY;S_8;r#HrCIYAJySE20mNT8FAMSk=o4#4Vb0B)jpB+ z#{8Qd z+oQYhYMg7zd*8u{V8e5;8)HHYL~HjNp3X|Q|MTsS9b$i!NS5(9%lU?{nX2X9VF^Bk z-x!vuv7M|v;8(-{1?!Y&GxmqA+-=7GSpSCXk7-!>(>7sXw6UU&ZOYgmOR+y@3-D0|VAEg!)vr{n29HGsph8Nx6*+?T;|!`S!<0Df`{oAO1ICe<+>!L#$-X4n@2e zZ-RL65w@Gug)j8QkEpOo%0Y*{_&k~40w+b-no-XP+j?502y-+NXb}>tSACD95vhnZ z9DDI*5jMkKTrN)@j=gx$J0xs|y?7rb!?G8@H_Ly=VsMnd_>Y>u_->cJxJ|~O&=-?U z%4IL^ma;Lkv$~{5U5I35>r;>Bt1eS^iOs8}(lr{oGTy|M5HEFUHQy<1gOQ zrB+0J1Pe(wfW=?h$cqINvq_8G*l=vjvIzo8L27AJzeCkfIbU%Wu9uw(oe!)fQL^0 z#5R`7pPG&1<545hKL^j`9zUTOn=cEU@&q z%&*>2{vkoAG#P}-<>l^z8$WUk$ZA|bDn3d>R#UKlTgcPRwiiCtvxEL_U{B&+{-AJo z6c-Fp%ox_+IP6*9XX6iXid7Vw^&$S>KvG5#X2S5&M5!TDF4vN>yJ_Xp*Oz%_@8NCjPeiV@DF|C z7h*YN^ADZ(M8>)>{6nw(KXVBP=xxR(*-ME;0gacvJ*kps zM^?cK3}?;KMm7*j**#Qv`v6+bzBv+Hpmie(&SXIv2R>ZuuLqtDoaD2t--Dn zVQ{Ti#uGC&%qf(tC}Qh6Ui(6IV&d*Rw*xEDO;%_i9vm{>I7z(r#Wyd;JE>JUGuyd?IQ@jCd&=k># z?MwU8+XdB?2m{%R0Mx7WD!wGl0f8aJYxo}9#1e6oe~9(F;Il&O<&RmWFNm!-AtJh3 zUr@7NSL-#pXkRdYy$KRAYj;UvulYqgVu^|QnNQu3`gZHb=m7jix3>9KzK3xpz%BoC z!4(6##j&q%UbNvg-QswWGbBR;*!Lo_Bm|p!NqoOiR>1D7WMJVdWUx3#>K|&9T^nzT z@k9Q##=1U|5{~i@jq(pQTq3xcgtsDI+Y|M#%ZV{9;*`XMOAyZ}|B%riqx?ey_)0%6 z+AxE^4nZ%Z@#QI^#@82BTP5p=cU;c|ShG$7%$fhZM3~1U!aPU_YOlCzFhK~c1RBD5E*dw zkLI8bb!7Iyi9g-2FaQ8-U0&U?&7K>d#{Nd%1^8kB{qI%s75kU}jtBxfHy)e0<@Wcb z0P|@Q=97KtkIjMFQp6-Y=A1PALq(j;;vc#|tJ(#KyIA5E&d5DH`~!Iqx#eB{q3L?w zJXs*`R}LLxNbR-X$8i?_&`;!kpn*rv8dG1b{6k`}Y1>E0iEJPCI{ZU9#S&_8j7?g( z;b(Ftl6=<{N6w}u(kOE-dFqU!zKe#bZk=!xnDEP_{!P;ER3J|hpPPenOR%t4L5$~ zDh@L7GauD6PW()To^j%5F4BY7i=VmgKV-mU;%A=w*P%m=pZPxDBLmQhpW%?u3nzZ& 
zzqojq_?b(oQiC!yer7Ef4F$QZH1%uz%u#3TA~JpQ6XTuXH55N%o`pmW#m_WnZjtDi zkL6VT0eKs#BP)L9o#t^8{~-g{%i;f$_!(^)6F>8qDuJx{nSXJ6#9pZSB@;ix3GINL zCVob*lb9S6KO<+e;%D^YjN*!#LpOfL91X?KaO^6Dyg(U|t2I|p^;?La$>m=O9#d&=d$)MG&1vVGlI#I+-u~~LQzS<| zCcx-OvYsu1Z|@|yuVLN1toWn?^~3sVNdM4+zlliP9{<97Lq#~oQdE9pQbNSEyL92H^>PuYhz;KlRY`LCw`Oof? zvkw2+iy|c&{zD&b88zctxX~9AjO-}WFsvz?90zIWcp1$f0Tyih;r8ig|{oAzauGQVXP;)l$TI+Hj_>7tglT+4)zNfPAhcbSyyPmOggt24q zpJt}3*|HMG{`>@Rr>{VlboB7*ruNYQ;PY6s?*hej3+_Qz4~1o2NO4w%;26~>T@_N*yoqOZM?faXByZ7A-no-TNy*T@)>V0Xs{$7|Y?C-U3vo#1kitz0P&za)Dlqefb$Fq@vO@d}}IUHj4o(9AC&Vb~&dE z`HIGZRYI@JuAc8p=TRQw*^}Vd4*NS`L?09OHww93Z7KrB;S({o$;Zd|kn)1Dm*Z(# z3#kb z_w`*h;thGPvsUKBg8R)^Hhhm~XDY%MKEL4cx38U*@HWq~yf8fr{-LSv)wBR0L%i=K zhqY#MDrB|60~Yi&Dh=3_?6xVI0lYCN_X^K-8BI~Pi39_i!GFx(R7~oGx}6Mj0Y6S3 zr0FLu6lOB%-Ew`g*+TJGEd+luXvSN6Y4!>BgwN1xbWHLA#AEPG8JFXOjjvu@l??f= zZX7r(lzebd!j~LaB*4lm2Dv_T?nY>;i=e8kFaBEp$)MHJcXs8`BO%{U4}^UGafCrm z?RSLyM?%(tkae(ezyp$`(Hq8Ar0|fA5goerPxBn#fov zaB}GjGX8EcFRRhS=8feevfnyUR@JjNavAZ9paY|xXYBM1((TByR{NYIrfIvYX>d?J z!n%VdVry?n*47>{nRE-3INV}K$sdq+S^yf6hN(sMyVCy!V@{TT)$IRWKR4oRbRL)7 zC85NpiYE^yrhCKIwZ(~<(4Gaof=c}o(jQNJo}u{Z(uQN`fOktlpigMex=>rhKxtMI zXtd#iT6S3+a;HZQA?jo};EJe!{Y;0jT&S_v^l}E;vt#IkpT0vb+8b$j&bPX|{`{j& z!ezBi0W(I-^+ftxRlIMC)^_G~Z$`fY8Cu{yEdRz13w~%p&0)b0Etr3J z5`UJ5jugqC*b&7R)f`c5(flJ|i(25j1~^_%k#cnyAf=68`Xh7BS{N%>jn5T zLGE@6emB&q94w(u{tospg_C@4apD@# z?{kpNN^jztVo6%E5NV7GFe@?F;u-UIL<0wfmGBwgBRz7B zwS_Ap{(czljR2D^W{qt4hOcbbv_j))GxqEw4KMkiskorO#kAo${P`7^fsnu1BopXo z$CqRR(7yP|j3Bhzi0F1FnZRWQA6PUyF=g*;Ys#xpjFVU(&G5}K^z0!hj4blFSlTRhjM>z7Vb}oZw&8^(%wk!fJk6dUAycJQE{dE zZ{NcG_r1HKEB;_YTyHP0Y|l~52K zL_sHIV_#-=Hu@oyCEf!OEEU^5SpqtxJqP+Z;LSik+oH)O^h>L6&GQtJ`aqzc9g_zY z`Pmh%?TBO3y+7~ejsC)jI3~lvsP}oxNC7VamvSD4&h&_xd` zfYS>Fkajl$IAv?W{M)ATCu;y#{-$_j80X~gm?HAWz2>_e^|O|cj+Tg3k|lqd-;4Ym zDIUMTY{qeZ{*Eb*{2fL95R$Tk$loE6zk~2=w~72sG4dD22Iqsb1#k-j z*fo%tf&6U>9LUIDByj`s$9hEM&te22e~30DExGFZ9!{zH4q68?B6uT(B7!@Eo zOU!^M*^z7J*P`B?9h 
z+tZJp;Ll*X2wuyAR|^fv7yOm)d457sbKW%>`E6KUJf_|=In^xRE++n>!{Rbov`_Lm z>hbfc81gG{>wCTW8A`=kL8P{>#G39U-YxcOn3`Ca6+%=Vv<_johdr9(1}i@7$3$(CbY|n-7jpy*`>I{q+pN!rv9D0?Bk;>c z#eR$hS{6>st20~vslUMjQ_Eg z+5S!WAFt$wEdS$W*@qFk%sF)YkC(%utLXig?7t+Ep}_z6A{kuYvj5R;lMc# z847Q}|M&xLE$}~1<>pcUBQB~@|Kl6-KYs5TnPL6_{Ewms|Nr$r?nCvxUH{|ftBmaD z`yVg(l~w$yO-NJ!G5m|1x z>wy=)vG}zcmW@YKR${Qr&cy2LSa(TUBHyZi5j!EV450rW@tnwl(LVq4TE@jBp4n#a z`nm^KeHHn)C02>FIH3S@D;rMr-sP2jvso=H`?I{S&O2PI{;--x$xoRYxc}U`_XHtY z;Kt=VK!XK|quOTA{aZdWu}q&Uv0T@197%X98kVr_#1%mK>LudpxEOa@_CD{^6PvRdQ<9qBPez=cvEXLeFInVb!`ZC5Ro>DPEop#!p?%~KZ z&QM3)_80QW1Q4+scijH?h%e+_KDF-}`QVQhyoIq(a-N^lKeVXx{m1Q}{$KfiW@LR_ z+ux1!{odtorhSL%pG*DuV{zr}?k8$5GfeFT6zQnePv4{EB(R!i&(&+)_nR={`_VtE z8TRS5{GZ@)HjgZ)A3m)7XOFMB)K3$Z z$`%WeSAU^Zhg|`S4+)re`Gmedm8$<_xcBj>y1&k}{b97SU4Ze`;%Z(CGT1S>YBc z<0AK6`40PT_r57iZ`YUF?=`Pcn)e#-=T65F!c0FQYa^1NQM--QhIz#WI>43xocWu@ z$%bg+4(8@ET9vKHg=|F7Sx8AV~w%M7TiGq)iDRO8USJ^IaQBigB z){O*zK351vU}-Xx2_~Anj#V(5nBSLDVWsUdl(eMS>yFfR#UUAz^*w{@*Y4nwWVHqB zU-3^rtB&bsjeq)C20$9g@3j>8QWN>N{jHnk=upN78$|eflLBvVJL*m z>`l|4R_qs<@`5C#U#38lasR6lWd0*ICR!oep7sZQhv#?Y;A)dIM z%{M?PjC8u7Iyv#Rn02c>>aL2?FdZVjByCT8ok$8axY8q0dPKT|G9VQ8-RlcFp^t}T zcY;_@BX`2bIO_l#te#9KjFZygJ7FZppQGRYK>8(_z-(q&xQiKeaQ{lKkH-* zQMXk8jZsmZEFmPOBWJt*uPIkAr}cC!c^ga~zxJ(JL0SJcPbXx}Y}g|gpmX*u9-D16SWicZ!?sS?AEv(qUsudu za@(<2v&*+i_P=6@>x$XMh+>sPb;kdn@>&rBcBdCxbG$hHmZ5qhrP0Kv^22p!v#B`S zDwDlU_Q%^KK6g$@EYKnGxs}A{X78U|?Rq@YfYt{QtJGI?7?9^5@^3;~eFaCScpEQ6wzp4C|+h_J=>ra^A z-^Bd(5cAtYM~})T9Lz=snBIOP`jaQ!#eApJ+nq*#R+;H-miCG}y{Y~zw;%hJbi_+D zl4XC2jS&t!=S#jqM}+;qjslxg_4(2nMMblcr0j_fm*QP=_?Z;%Ve8pwl5Up$;Wa;! 
z;{NSn&o%*6g#A4*;0x2->K7Kj&isaa^@@rRe0e@B@hdstV z?4f@IKh*8mhf#T9x7LggMCQL9sXxa)q{WQq0dj~W4L6Gzl*M*1ucXxe zNM1>~{ocHiN%pyUB~$HVYfjI<@}fYohv#3(IhD)5^8EMM$#^sTE5?7>+}sZx3V5BYc4=P$Zoaw>1In$7LJ zMJ!HYwp;GJ!`>kl0>+&b*qwTyF5&TZGY7h`G3WkM51ZYleu4#wAZd|-FjTc<{s2pR zjmnFg1?2nabjboj>UQLj0o^bFqILqMu>k2w7MI6rQ!#5BcEEaR_=q3vg@v^21A5wr zGL=V&At0E~4S-YhIxg|8d5&`qa_=c{bTL8!@}M98MX`h2n+;+Jq|vu2Vb{bu6!LH4 zwN;IYLTi(4`47dc3YLxlrt>;scB0~$YOA70oF}UPV+lgTnMQeA2>$@`HBoO-eNDW! zOS~BQ_X~b#i{ejv1VyyPM2Dg30P}4z!C@#oFnwDl$yM`vF#DTOx!vUNzIlW?v-h9h zM*XPwVDj2AEb>jMMKmcLA|ED6zM*w3*+5Pj(0-fD{)9YV zl8^&I)#!kxx_#kf*#*osQLsx5-!&C$bFqTys7{t`a9-cYTP!iQDQ=B*@I|S*SAph) zJzeR$xe;Imvy1?Y3{2YNLX1A;t2~x z%sOaCC^6dgM~FFY#tKRB!yXWvLSS-dU@t=JY~63DoWF%c3zf61I7DHT1{FGgDaDZh z2GZhkhB4qj7d#*Ha}9%I*$4Erui-bUwkee1?r(Adgfe~8Dnr{mhW2#ySX|mlQBbXfj5;U;EjTxF9}3yTNOU|9TjlMP;o}mbKCHoKFOAm18f_DG5?E2|3-WuTgk z*XNt(sMn`AX0^%qvKq08&p+D85POs}y6ELha*kM}zBLOe3t8R$TRk0E!~U*FZ3o^T zgqm%IobFtk>;HMH^4+oU237#Qd6hf(!7TX(Ki2mlLGYT55DDHXw;z}#0?O2;;?15X z46F976b2Lb1MI!V3(9+Sv>34gbuT(E4zxEcIKvCgIv}VHm$0w8tM6m<&oT`DO4m@L z9f?;UNGdSD3;X0-RO4IuW&UMTgMHfW<)Gxd!;pygZ-pH{>;Vxgncq^xm_vp zy;JnMx0j!>oyI=sRr_G4u@8FHKGr#ua-aLzj`qBLZ47*I%qnR%{>x_cL$haF-`!#b$ke}gobeWfJe`hm z05GtEI^FSCl^pBfi_t-2cVbHPf-l}lfX)0~^h1Z}hq2&`=btksoSX%|xKZ%M=#u)K z0Q|Slvg&&Q_%B8`YzXZ1CC_Apki$3XKj;8I&lGQlw@tti4bS^lZ$~LKqZAq_*KpdP zwJo0fG#zr-x8@!SgVy2x?Lp6W=ADp#yLd6S%NqHL{111JnV;2vL9a4DZ!4VtPaj_+ zTQ2x7b}p=zw{$DbG?C`-%lJpQPUe5M#FSXlm;m;tXNY`}erss{r^L+v_aT~5!Uszy zcLU=HC9c!yA1_7Ny1~18(D&E_2&d>#0e3VEV&8kEfJT0Iq!up zM9j7M9@#BIj5e+9kNQ)QygiyMgJ}E&wxXS7zigA~y_XS4c-*eKebbXQ?-hfA;o@ufs;O6R)Vo$u zkdZ$8+ljH;W+HT1{0`eZPxsww4LnI-7D;&Ac2BDY=6+(hc21UE!pKL(V2EKQPV8i8 zb`?jh`p)7&Z`~eFC-1ssOfoze7+CD%JDAba1J>TS6|<4s=*4f!0@hDcYlb*^on4$CjR zXoKlr?03t4#4ialXiwK3)F6WQ9VXU5A`rHxKXgP(4oD!vkH_G8yBc4RoH%uSaPTK% zChtoh!U;$GK>|RusdzfIn}<#1m$72f_k!LtOSSZE0_0;qzx?IbaXl3@n<|JEv=W8} zb3+%b1d4%s;NEniTU>#a?)Y&1e^|P)L^TVGxvZkDRfkE?`V@botfZ!E^zr{uUHWOv zuRk}@$L~>H`m7i`?RZL9KuPzYOMmS|A3yJViC&=__uDz+L?7S( 
z4!LMsjug~VW|q~-FW?~A=v#9wB|&Rr(0V51-z%0mnl#wIBjicPR}U`!KtUs{ke8`W zOj%cLO+imfe10qQcXvGL{dKfIrRL9{M~6{=dZVj<#C~{9tccia;{RPx^P2d77tDWc z5`UI^PsqQq6Y3hSIiarM`6qAw1nT=hx-vcjlHeSxJ_ow#cq^apn}Yy7dC zC;f#4AP1cQWQY=OeTvLaZPnJT8&I;JBJ)#Q2tzozn^#p;J+m~*qDS|8uEEx4WVT1G zRAJ!W6|xX8t2?VX4x|LfmT%2FrPTVhM#!vFSDZx1?2gy26I98iIsT#S{g+|!C1M}- z>i!N!GY28eW&Oh-X_kB&Vjr=8F7KGvwj!p~pW>_7pOE+%)~85msS4}d(vbx9uQG!A zc_XN$DyTaO1@&o1Q2Tt3yrP0?4&xSmEL{P`&v|n|CQ21;C-7f;loaRdCEz#Ov7qrWeeiKQ6;R1fGmL=V zwb2OZUAY3fi%jc1RipeX&7hz9e)0NYx2q5X^D&`5KZKBy-c7Z$mjeG zMn30n%$Y!klg|NUcEkyEJ0}a}Q#Qi>P~|f*W4v|E_~2)=!iV>zpTKGtGya8iHP*WM z^&(s62y)*y`6qo0%$EGUR>OruvcNRmDE71FU-*p$Ny!VoRX^j~dg1QGK!NX0#`OOW@<8V4vG@dxKHC!~ODm=&91)`S=2JJi6o`RpLq{7+- z=wsr9STc6r1f0HS3*xVzb?|d%%Tc6%8`MN+a)x7TQE}AM74x*m#ooWZ6jO)Cv+CV_ zcHGkzvw%<^qE^#U_u+tk%je>&$->dW z6*0@s`5rs?@IyKp7F{LZd+~7JJ9|cS`l4}|QuPyJ7QO@-3Qltj&{}f3{(OD&8}-$L zH_;fc+TFd{7~uY@ZfRHoV(w2(Q`qnMXD?Y(D0bS$_}yZO25F%fu)^SA7emCYOK^i4 z*q(ClzmNNOnxW%fl<~i2Hym^^)+ZGTQlE2ETkbM={Uth-Yu`;b|4xFn$_Pf4q+@CcahQ(z`d{9Obs{@+a!q zs@*WB{yfu2jzC5e*WaQ@!t38(x_jB_R?n z%~iA2P%rFv8Cky7tF_s<>;u}yuSFYPK$xDDKQYhCnO6F9ArV;R;Tj3qqaPyuJM@od ze`Ww8kEZn_R!>&@MLgRc4rmLHO;nXM?mjCRm=Sqs{1do4fRH&r*!j)cwpqu~#G@*4 zAUP(;HtYm@j5MfwSZp7FhBwS zJqQ4LA)fCDhUO#E_OzFrBp@Z{Jp1N@of(ZMZQ*J><~i3t1WLK#l{-|+J)~$E|f)qb%;(Eu%~uqe|QB^LovZENQQLc(6f(fTHwnJ}|wMe`X}+Ur3AN&R1Hpo6|!Ydv)umTZ34KHz??)0aX!#7MtMvnazdyqj@)@7FLPpvc{pqTy5b+HGIMWm zut%>z{Yl{8um0+kMxL5U^yt-7Aozle3#124*dAX1of!O>gu-iV!`jUJ3Kz~z=jYCCoJjO1WG{97z(HVoEvT%#%PA+j#!o5-5bZ7VW zdMQ<|HAQv!n;AB&(vg$JAB^x=SEW0qkHHVHKHbLiSzZY~xYz8j#S&w=dWDqBBFWpV zOC>UH%ZiCq+xmw!lJIB2&w(FcAxcqSSwJ>=qw|OT{gl*W_Al|zN%vLC9{W^*2Tzh6 zcvX+~^e4{{mWT2&%M5+2@Vl0;&BP~3`gn;?B87aPc7<@9aw`ZL?JH8i<2?pAXZnj+ zYWk~^{tC8EH-Sum=4sQi#vqh7(Zv0T=REG05Dn9PF}ld~DOWN_KywRXIAZ^7ExpDM z-lx*j83J%2n*y9F4+O8Rf) z{I_wo0QNY#%z;IqlsTu$V3I7A=vLq6I*lYGal55IbkGHdPVRT zp~MoxPY`}1en7!R0)etlmA6Hc!`LuozvOp2ttumdk#cE2|mJnDu?Z z8Y~<3Qft$ZWQl!aev)<$(S%cn(e?pE(HE@9q^Bi#pmm#7jS9#i#3-x 
z-zFd>=8=2`*V~7!|Kd#j7r$Qp?|jqshrd|iG4+SPc&jI?{$TRX!NA7F@6p#kC;Y{j z2kkJ_j(sKBM@kfu1^_T-+2n%mSs?=BbQUD#eJHSZ5NwD7BlvH>+!VCFP`vD7@xO7t z!<=vA{ISgWNbxcNta|={IWGY&1h?!DS__M@CFjG)#yG&LooB2=C{)LR1H&N`?P0H{ zCuB8FPEBw1{;j-CC>a(1k1(&D&j5fE@RDHT^Jfy=IVogq>faK=#Hi$GY6uM%k*FAQ zK@y;QSH<`s@tB+`k3;f`<|_?an}rR(81M;P@*!*eX}>>crLAwJQY~-i+ z;XUkKt^oHuD>*F|N}T=BISuJC4ebYjcm;cGiGsN-R1smrH{=l-av^$a4JU6LBgIoC z-XFN}d$@FW*Kt15{u(-=DzWrGU$cETd5ZdbgPwgJCWN48N5J;2c@X)8JsLbJCI+7) z?B%E|K16uCvC|;3C(L3be!HyogR%mEmT!qA{t}GSpL6f@a+YJp*PXZz5&JBa-ccHp z*l>y3X5AI{|0b#wck7s&A;x?uZvB7ky?cCA)w%GWFarrpU`HD?Dwa`48XMG+V2w=B z>|{?e12cdEmR7XbAoUz+r6J%g0x@7`XR?vn_C4)edrt4C=d|baoSq(zwYAM~Nw`=b zsK~_&pu&V8HysDXP{aua=ftbl-7*xJgT;Mf7|1?&4T>OEJzt{?OS@e`u^a5^?nev7)WmYrxg41wEi^3YLAC&SQFTkSz;CxG+z!EW9oh`S8LvfkZzha=9RE1 zTtn!U_k~{B$Qc5qBJA3-bfvN4H#@=>v08nHwB}!s>o*T01ou0RgEd7W?k_$ct~t&z zbLnV-f8H;GVYUB+eJ2N}PqwNJZL7V#5p_wnx2Z|FPx#NQTY_ntCMKp*&9C^b9vT8P0H5H69B9{jp-BnFu5Ru8(j33cG!^hpFc8 z$Y?%If1;cynxi%Q%9|z@mq%`+S4LB)nC7K};vZF17p=;KZ^zQ%6l*ey6Oo)gXLWY2 zj_<3@{QZvqP%QPG9WN_$v=!2Syu#b)*X)G=y1-XYqW?AK8CQGPx-5`TU5?rPy{?{4 zE~igwYg?2|>y?Anto(#;*HfU?O>~sz%w6dBFKaW*7H|>=@kHJ5wj9x6!bzv14s67q zd_f97%?>mioxx`%it>C2uuw#N;m75HMGI%H^T(BmbTAt>WL-iNlxwAt#TWkHHlMF-K0G9jsrE$ zN&ez(di1G>Dy@P`bzcuoSqgP61pg@PMoCaxjkN>YRCm7CJVf4sV>M+RbOKOWum;F} z#Q1EHs1&R$$fA$XvH4*D^$^iC7GJ)mx@p!8MOBe+=h@HfAR9-}N)tG~E8X%B-$8)nn@l^@hWVtVCABVSW;N!#k4D8xBg!a8c*5 z+wa;NcHs|ZuJZ)6%CNd>dFSl`~DzDi?@^8-VBWPQ{(DrSVyLPucN~|D#j>n7kOQA*Wq&wRd7}~z~LdCeR0bCkSYs?Z0j&}-`VL&@pfPE(yNymqUkK9JX} zlZL6Y?*qw_7w$Wxr- z$a+~s4L#~?GB?WB+RXl@IOo?x^>Wr~K0!v^aJAe1fZL!MV{bK=6+ug0KjhJzEO78p zSgUQ7(a<&UvfxF6Ejedcqvtml;rRxc+4LIY8s~Mp!q{p#5QtvJS`VH5`*M z9>c1WKu=YoO3wM{G<4voL`9@|;>}bkJ|$<*r+G0)wxFU0USh*EH%+zbM>FZC8~2|G zqFG)8*sq{eYX4LAad)U)ZXy(KD~GESwMXD~E-q6wsgv63`&Ue+jHZdDMx@T^wHe4Q zwZ}Rg^ngjOXf>SP70Rv%nT_LR?z)9RA_@?JnjUoAS-78}k5jBrfj3yZIbiARv-{cH zTa;=-3!8fjn|n*hTEwbF%e_Z!?k&36s}8NLI;H)^CpdUB9bz!y&gkocHF~Q7_80D} 
zu)+t~-#N;yF;$GrvWoXC^K9xTdsU>+?)l@NCQ>s?iy3<#+8pS(>po<7Ur9?%BB1d!xVgl#;YJEd#tI z&NIwE8whR$gSmE?T}Je$9)o*{)rL(KH3BO29-A{2@t3(~fR~&f*q>!mfS~_>f6m;WC4!(kOI!WVvgGBS6)!HVgd6Q{Ja|InG+lNG zKd9@OoP3`Wof%Q4N4qDPsTOZr|UsCw;)OMUvIR5T+qIcD?n0=fB@{MYn zKizR3+x(y}-JYT;GTIrm@Q*vq^!dHd{;d2nbD|~0XF{E1p99^d&#&Tw$}fBFVs5mR zxAUu{*nl5%oJ!xhcWL=U4NCvHe3szWr>X*Lh~jwTwv^+IOwLLMw4SOUe&rnk{C8kt#hX8< zJ=%$hL28w-b3c;#966xY7*#7NtGcPc=Z_Q+YAz`sRPiVM=DH+pa%8M1FQlzgAx_34 zS~k+Fu+kcTl}=qu*D9LoCTEpL_>sG8xr4ng{x2C)rB!zo7VP&VuxZEYtmbr8)2urZ zMuZB2;@>ok2228||5Lr-W$`vTGO;k{nj8hgaGDLZXw5!ek z5TnToIl9^HF;Bhjt-8_D42pW@UeWTw*w1m+DE>eIbftJW4p`xZ+G_D`tWK`0a}+FW zUpgv)!&$M9ZG+BPc2&sNqdg-6V$?8%gn-P$0{dCv7zS$yu_0%RdT9==NoWnRq7@}E zVLP;-aD#a$(cG}#YyLci%(jw!5}2+RmV>%t&?iL6$NHD5YI6FFh|?wZvjLIcPO-+6 zrjX*b3)ZObUn<`}*G7JAgM9yt=Y*8g8lPkgfJsG@^UjDk6!Oe z7}-l63Yib)qUmmal_Oifl|9hlPV^`<3dyl%g1DzjbQJSckj<*sz<)Nz?B8Ijw`ts7 zo?0IW`BAW_yB)H5vLKJ8!xX9^%HnBdve-SZ?`}ZkDE5 zf-9NN^s2b9{%AK~zOI_qzHvnGhUnlqL5e{{-awktLTt?zwVw84Dpk{ppNbr1jvfnJ zvto0?)|hocYa$9OccIK%z~lNHGW9tj^9x>iNO;dS9UUkE#JiBwK8~PVcL&U`qq=fe zIi(Qh+%*GO(^lUvUEo-yH9w~A4)=?xh#HL@Q;~4n7WS6n9bg7|P_ZhcV$j@~4yg#f zTly*dKN{_G>A4Fgn{hwRH^a_K+D-7?030VvDy|2z2jwkWL9 zDgYOuS@Qya)^(6d= zf&8w&etcE|oh@k3cnRZM*MEF%*|Vli4~wus*f{Hfw9Y^B)3FPN6sVx%6gW$+!?-G3 zHBj_Pzf-U2M}HNf-5#iERVd^x_!)}83UCuL&-YQnt!Sv9oF$#mR^{?g4*o|uN1x7t zp}CzK&db>q(OHw7!S-XKFw^{VGGTWv8z@Rgqw5>zkRQG(C6tTDgb2YqLV~%#TJ6UW zY7gexErnl+G&#AjuM^)XHKEB)1bp@HtvbDIzImdL5t+T!-~gk~_;DYv_Lt3ss-9dJ z9rLVij)_c@M$sR87N=|>Hpm^dyT!y)EIdyvCHmLqDXMV&v**nE$T^izx>_Oy&8jl% zCg=Vhq?YyXLjq9_#d1tfO?Mgzr23B(9tJNVO>bi%1!G6uVeQwOLfWre_&XRBX@tm@ z65;Fiz{3tZ_J5WWs8C+1T!rDT?3o;E=3eWY@W1 z2kC82wUUK&S}kHQLU$|CS*!!LmG0Qq-h-^T3?56y947f!1vdW*?`3t9A;_G&aBn0x z#_PG53h$TTUBIu5RrUss=i71-aBZ~e0GTTF>Z{m^1ybGi`=g;#h&#%5Lw9y{S6iOX zm0)-;&x=wsg%^4>U-6M=5=fwEzM3uEH?+vfHMhK#~aF+A9Cv^d-1@q9wzR@w*aly!RLohBaU1dibXn7Vy)uv}};ZS4fe5?U$$8=caG_dI~<(`YKPaFQl`}=BmXY 
zp)pP`y{+VQ#t_!@`M#makYN+sWgy(ty@IiGYwg?V1+ZTRzyesvQM-3eoe|R_!8D(NLz$0<=})hZ!4yarUzpNj27A;e;$BwkS?5e#t(pM?HWZ?p%MkS|V6s(l~a@dgw7oQJ7 z*DB92Z_%fqwQwj79i3=9Wm3tq7p5qyjUnqkv~Xab8x5MFS%zaBJ>6r| z%R4|;!i>ZDKj!yp;Uq6?C+lS$*&OtZ1NDQ%^;f5&i#u)qj-9su|4t+V8==pSi2nKO z=r23sQ|WC6c&&kS*dgr;_lA<^02{(&2&HWi~H zX!=RB(UFlWtpv^4@L^!321;H=;F+hiUzQAKZi>X>W_|o~TJJ#QzJi)r*uEm@6O17m z;1Bb9IADwNl`fB{&Bk2~yqrT1E9AInn_HtNhjOyi^Z52J49RM%R3EXeQuPEw)RcOT zy_Jalm5d)pL+O!Yi`94V0S2EO^`rUm&aWm%J>lY_An_rN*%!J?Qtc~ooBLh&JH|t~I``sx3 zoYal?)@OcS$tIS!Xk)MBR@z@-U+iRZ{sM!1U#U9y_bs>a-`wO(7Jb}IN-HV+m;SyS z)bVW=t;bTTej}PpS-De>VPy z;OvY4PQTb^@G1DQN8R~Qa?}$bl`aZDf90re8ZM(=K}S>H>A&%P4tz1$)A;`bJzbgm z7k;0IpUC_^+3D|d^UVMG?=$r)$x)yB-~aR9XLZhi@AH3O-@&`p46uI*RAj6}woJ8u z9j(4N{@%eedwqZU@lU+IFWNsiUpD^vr@K=9ldOyM&j?(+e?>g|oz#sldn~hmlKpY` z=VJS7x_8Ai*?)ciPNqY>?)Z$p@MFI!lfIdy467B1(Vx7N;)A2Nd5R8+|LF6)S@y3N zq@?Ba5R41%8Sa1NzIX@XE$>s8*$*}@z1hy)2>aGse=TBnrw2~HUsNAB)NmVCK7BoI zZfCnYCkpBa2%%^xAsy`sjTp!cs4Z|2X~B?>6$Z?wILwrDHu4wsCtcJ4IP1(~6yQ*& zjYAQ0ZFoo!e*Az_(O1fU3J1^VVy_XMI*WL`bE6N>2#NFL@uLD=ZyC|6g2k@|9VbGL zH;rh`M4SNQ=yeX`G|a1lv9s=Ir4vJ#f{@O6GH- zrDUFzBqwZnF5xoW@?-^zKjih%#YR}V`EWtNv5kUA$fe+$Ve`+Foe(NMVz*PMULyqw zYIJYGh32yC<~~dJqEpA%g+ml6wEMOP(bBa6$1dp^YE;D=gN}~^j!neN3OkO59DBmW z_<_E6jB2kKe=xg4#eWVtVDucpD`UvIJU5T-H?O|?mpWlA>c7Kwy(r)tLRT8-#nDM>lbsiiK9V1QhNBgk@jEyV zhJD9y&uqqn#bU1NeQH$L_tDau!o@f|==IiLZ?7~?(dnheeR{2NpIU6{RF+(9HbD}= z&#cg!XvZZNTQIrU!fLVE=NbaxiIjl7K69xdbl$MY)>T~}Uz{yl!%CUc)Yz5&8~%$p z;NXS#9BP(zcfk@{?oyJEFDN%fItprIOA@i(p$JbraqA$~mUQyYSohFqfhQKfvcjr! 
z-&xWU>vc39>UQk1@@kQ+-lm&RW!Vj=Bd&cr;PnC@cs5BN>^LVK{S0`VL#l~X^wr&^7)q!5Q^Y}WqN2u$p(xKVZD=W1NYYwUT zwq0VB1BLioP_Lilo>e-W;-$BsHZKbL;2fFT>9L8CkS_fBav`gNy2 z`ZvU5c>w#MZl|{TU05WDT-2HtqgWBa2)`7jDHiImu`@oz8Ut5L)~%Oux_nWz{Nwe6 zb1^sCxpL;Ta~F^sdq0;?9-ZYWbj5|4Riu~PjNOmZDEUY)!9aK7_l%Mw=B)2I{Uz@i z=ECpg8s_}(ZG$go#lE1&U(KZ;fgLrs3h z$Mf{);|%)?1xx|{Ex#~^;pb|r#i3W~vr1rSh#J`6wox?hD*AtAH4mvh2=c(X^)^mi z_V9o3Lwoot+nvsShHS-!ex6 zSgR%C8y0#?M}=@0hd83RBjDS(>?(->^2~moh473f*+8FiS=6{!of?@y##m>%8r}3}SPt1IdqMO$E1RYnhB-b#CeBwy zJ&h#y=&|?nt4eWo|=axBPid@c!J-wil+6vvn3 zfm?rZbxu~tn}QC`XRD0AlMG8`3{e@+NQO^kI8??G$q+;P#`8{u3U1RGQ2wmtmvTF#%^utwd!Peudu-N zxdHR&eYTs&z8QY@KqrxtOJ@WKu1R3Ld~IbmO$2LToNVdZi>7_hsvF}K`*ZP(k=n-^ z&$6NZiNisl;q2ETwzOuEk%%>YpZvky&=y8zjv0W#82UgQsY*sF-~fHMrssEjT@xKXQjsH zq{eMhqf~0#E;S}ejbf=WUTWMZHExm`H%kql)F_i0lcmNTQsYj-7MGUm6!z*oP}xb&hiB1Zj#(hkvpHkvP3@UBp5gbBYk^G;ES}1gS1}3TcuNW_lGMwB zHAa*3%BqO-vw_4qB8k_Y$SAO8WA7u*D>nRS*>dL%jFR@Z)gBcag~rDfjArRg1)r{r z6x1^u`I=N(r-J%w%%_5Oo>v=50?w7F^S z6^V+-+#3>#kxK`_CL4Q>w`_<#u^f*;OnSeSj+?H#pn&zpLzn|$UeR$gDX~s|4gVgj zNaaidS4x{ZenN&?6atL->E&>VK*6N~1)mZqD3GV4KXy4>CN(aX8ii8h3aN4B$1Vq) zZG}8zq{h`!_wMD$5DE!&}rY1W_+}Z<5%%z-FOrZ)h^}vbS=oKp+~UtQl5p6JZH=~n$s`6g_8YbwW-!&uL-ToN<$;p7LcFKLxcvu@4T*18;< zBQ6N8p!Mh|ZS5T#>Zd7oQ7;Ngj~kI;LPe2xUR%5D9I1AhB;*6c>QHh>($!?YIwjXw>M3kL-sZs>FwO;scfVz)qY}iBl~{a!&7Eaqt_J-dVSf#q0h}?#iYRt_ZCP zE#zA-+}gH4@maA@UVcT8v&u7=026Qo`2lf)IBKmH%Q0>3RgQg;FKWpWPT~no}n-2sTm@}rCVd>M!x7uwlcyR^JL_UBS>j$_erzE zRmSk-<6M=>O{Q{GD(6DsVJc%-^6^lW8k$TwRmypxutQ}yl8=X|)R1HWKFrbqYZGj9URq=D5kczqjwWNuR$kY=I;7y5y)8gvcz&ph=uj4`s|GdQ>7g zWYXO#Eh8q;r4lk=5~o!nIbPBqsk982#D^*&qb2cyO2}ZfwM$PW2iww-b9&E;1As{A z)|&?|%ameP#%dja2(tRqSN8g!gPOmtyqzlr|D{k_VO-9OwPDv=a+zw4xvjw`%UfIZ z01FylUs`hs#k7@okW~K9%Sj^HVtKFpmh3k%0+hzkjc*|qmac{W3`^VL6?^+RJjLVD z@?4DWI}Y#((N@=o3LvW>D&MoeA;~ge6FdnD z2{a_^U9eLURBqhQF1Rke3yMkHx{y`QE=5#Bq17Y`W(!g2+Sv!?qI3*#cYA?myR38eGqYZkvI33A`-aRxY>&ALflMCrfq)W8L@+ikBg(lMHU1;tnAi%!j^(XEq*5 z#(5ER;F;!CPL(#x31Oyqw}3M!oKiQQ@x+;65vp*hk)}mkHes4f>QS_FkKZD`{g3&h 
z(_wzL_-_eww)uRn|CZStlD?D|ojF(drKSE`?#p9~*Au(+1RlNH@C!QMf>qpxU+woXQX{2{_kz{On2exrgV<#fsQrBr zLi&z~UFLr6nVm9G=0UO%R+Ftg+ajfFFoh9_TtXvhhxZ9cr z-1KP8l@u~hm24Ku>@@|ETop*7+I^8}!anmFBjU^sBw~2~z6gAd6Zjkk`-}ISQt)ZB zw*d2sro3w-c|%h0Ddv|)Z1xtwxtaH01UflDtYEZR*2LkwS#h_7q_WF?|du#qU%rEB;!~F7LC*Mlxm(S@>Q4E%sQbEluy0c>q^p3fuq^0rT zerBrUt0d7)y%Ji5f#6ld&OVK2?cSNerkRtxGp97o^m%7aZJJr;of&GHIoUfi+%)qJ@62gN zQ{^p2)6@w@)65d1>E4M=Gw(FKmAc`bT48u+RvO-Wxg@E7p=E$nMfjsLDs$KI1ib}W z)?KcSrC{-l@ujeMMz$czV;rWF@=u9CGCK@OV4e-()J1&#ziNIIe;WLT*4t+|c-YR) z??OC9#$}LJhKaBAGf6e^xgGyCGVL}%6xmit=aQGf_J>mThqTO-<9MKC17=Dh??j}I zb?I9mm#}$WNWv63C>CM$%Fi4c<@N@F(zKYUEE~q@Cx6*ZBDX{>aYI_uLRn>rIFt1QQj|U^csSAvJS?d zTn>3SxuUXZ?&QkKrn<@Unrr0YR9@ufJbEqfzpk7kH0J*Gll|3Hsj8+*HJi!gKsEJ( z(##ZTCM3;-rI~5fO$#Sar>$aa&DFSMJmU-+{EWP!NQQL-S)V0mJoh)sD{eBp3q4RI zVw(PQ;E2=J3FZH000L8Bw(-m(hSR;_N1O-TY@o`^O=rk=YVqYM{=PBMT^VtXQwPXX zqJN(OCrj>77$XBf1{S+Kg+ww+#;-VVo>SlHPIF+LcTy`bqt3vRzw68lBWCv>{#G4p z2zNpU;89_1azJY+yIqz--7wXm^(8GOJLTkL8n@$oan|i&sAx4EaHAvw$OZZh&7@nz^P{~Y--p!FqqCjn4np`f zb`Q~3Z4ly1ENK3fs%lC9j2rO<+58`p6ZJ2eVy(Po4WCzha5tWz&iB=~eu{-wf_?Zc z^MKtIm*?O->9@DY;tZ(;hx;IGwxA4fBE*)>Y9lAalJie!ky_r8of%-#YfRFXf%#(FA`(O(OrJutN7=5mDBy`8Gd2vwW-bj%&_G{!!>(5r}9H2)TJ&?qk&== zXm2e8MqgiA5(t{zqOK^u0|yW%Dh&jJEn)s!!OPlkEo0k#U0hxCmN(UnO_WclyBy|7-JQhc zSmI`+Hm$ALmP6Q%f(>U|E)^D%BxEp(ROwQD)izj2LaKCO((VrV-qxCT2=Uw{Hu+~7 z506z>v1d2SJSF&)z{p#T2l}EZZ|sD;%PS&zcLow|go5V#*&n{lcH<%Zqff)P%)3mO zNO|H!1R|xY_OP@S@{REEcV9-0Vb#Fc5yOXsCE;j85^Lp_@a%TdRc)6N! 
z-Eqoad@!7SUt!R(FO1_)bBUXcPg~gnMEcD`f+y?7v4I0LhItAmo}y*Hvx07efBnUW zg4weR30@R(oRO8dQcNrS_@0431!*&KhPJv%LGC#Pxf=v>HzXmqJ3xF8UrQQtcPRfN zEosQ*`Ffsfs~hBHHstQM%V?{=s^)EfQUfTCKNiTs4NB~Ji}-IZ7_KK`_@wqXjk&UF z!k9~|BV#7{o9eF2u9|>>Yjvb_vgUDeo%(guG8xNAi5Z1hcri_Na_RfNz8PG{(qzVyAf*-qO;9^*-J4 zsv@kf#Swc#oPAU^<=tU;^St7gCY#-r$JKXL)OscS`Me``kTFGfoH1Ktf+MO2#J}GMGHJ~u+5&C z8{$k(U=!J!YiS2m$2t6F@3MK=`6t;V82TqthW?o@BH)kQnP^M#N4$ABloI}k7qfm} zkK&Kq3DOBLgp-OvQr$G)necn(XC>t2M)qR2q8>BBC20nknSGIkgFnzw$&q3~&rt0H zi6Nv;V&)==Gz0?zKT(x#hM3i{T}&qjhscY-ZwB05;7<((f1J;DrO#(*+Q{*YZ3V7} z;_7z**I|>e1n+V@dqXbMt?}b7(1VxoeAT|XOBC=DQGtZkJdUd#^*bB8v+GJB5|<3+ zu2Y@b3j3ehq+|;5l=fe4#2#FvtrEYE;)hzrHyla=|Jivb)^pcO8QWJh%V z4{6mM+2Z9OzvD+to8Aa@smiE4W_g@YmUSG+UWeMebR=gxkd+KHSLjPF0VpEn@|sg& z*xYKEn}e}Vw;_hkxCz)DJAy9RUVszHu6+iJ=W-N_b>zp6=lZ>~OO2)i57*oMUjHP& z_dcY9vylsikqAC@hu<5%Q%tPjCyf4Ic{y3~N>Wp;x^d;vd*%Y~<67u7Bx+^i+v9%7 ztq`bmSO`=__oc92$96KMzZo<626J2umwi!2XY23UJRO_kh{q!Xnw0%pZQs>RY}?*3lQ<1dV*T*LRtSGlZQ6IUezwT^ z*~zhTQUakSKXgGyU~SHJ%VBTjeezke{V>_O_2NC|-V_pe!ljnRxOp}bP~QytQcuiI zVgcxye2ALjy#U?U12wO({>RN*_9Z0ZHkVYEzhkR%^Kom&IzT?zXZ@E}+3UYFyK2Dt z_w7k8|N2sve|=U$-m07T!3oNk_azTq>^#};^DNOXa-JO6V4A&?u^i(6u=70b5;NZ) zPvL-!;=tKWBa(BOL^EnKZ8WnZjb+kc^)=AUz~;@)e-Oq|avK;7e_#{y3Tz}|2f)cy z=fDT}w)W0A{^)?65!8B7@nFz=TY{I_;c&GnR+&%e`nDX|WhMA@Ufuz z?<>d+n+*{z@kcs`Nvod|Tuk*9K2`k-Wvcq!2ZqwhWEYp9Sx)r;)&EVZ2hA6xIPd4Yl7i(tZ}d2X~a6u4G~}^#|Q_By{D#0cU`G zMl${Vl;oB(@m4%T2h5ZBlq9A=AlmptdLFVW;e0Nhp_npP@_NOq3t8W9k%wsdmVz85 zU_tCGto=?{`+NKo1XaS>-zQqIs5c`&7Z!dlt5}%(ST86mhC<@tCOP`O8C_HOMT|)< z4Izs`MBvyck#8Xxo+=QdlbIK?$*VWQz7Llc*m(hKR^bfAB|nq@)MdnqS<1;s+OQum zj{4EakRS2OhnPA;#L1&N{>)(XCV$q1${9Lh;HKHx`h;1YY&~*Mw!g_g#6Q9C4Dm;* zhWMMp4*!G@VW1+@2n99U>8F^}AGycrZ@O=&f5KePP=Dn9p)@s2r_L}vQblY297*Jm z$RUv{iChx7B!)|3IEmpTMo3}=i4i1Rl5ml5k;s!o9*H~>BPB7C#7GjOBr%G_C=!|^ zG!mNV<(6aXfncRIf5OfI9*$%gSM(ZL+L95y>jH^QE6zA={}g9fWaa~Qxoqd!+8LuL7#PXV3>QChM(|TUoS#La(f=6Q{)>iC zAX{5o%2N%M4`KT*>S&NxFgiC92T#2rLzHB`5n1SYRPvTe9x)(1p2%F!^2jXDG9wc5 
zJcUzG50dh^o+prFcu*;*^E@VXmPnmCBU0~KjBim-EoHx6PHItVF4B}W`)VprH#abl zd3wXUW3#eWJmu0Gk7nzQFYiZ0r8k~))`$4b)vQ(YRquMk4w0lcZg6d=xT5Plzxl3i zqKkXpiNfkth9k~pD0U4vvwc70nD2Q=xTl^)FvFJ{*JpKB_H7~OleVz(deN$6Mlq#n z?@6@q4Q3eT0ki@VvBNp-9q3!0c0o8L$T=b`wAjI%_Twb>>8>+W1Dpg^l*$2|@HPhD z(aX(g9yuYfh!*I_fMD%TJ%$Iw_D*m~!0*~k33M(X@njb(hm?^v_$J^SaXjOdx9FG< z#oo#BySC`7MV>^lUjHgg{edssQV+5jP zhos5@svJ=@+V%FM0O=gVbx_K>%`;M@Ts7Lkzzo-RNV-6KCpiX4uh8{2v!By`MBs?Y zIjp;0Yv?+_w>ypPS~fNs9){)CH3JQ21}yMZPJaXGeiGlx)zyB4dZ-b5<}`Lcq&+qm+iW#B z>xdgf4(?XjgplF(SXTs+3a4}4pM1K8Mz^1k#_Vwel zmA22N9UFODva->1r+-3Ofj=_IX!=UFf5L+Zw7;BfG%W{7KLw6{VhH)*=m$a3Uv`iW zihc?V{e+WzF!X~U=r0c?e;E10$R9?24*5Cc=a8REelGdB8pH@?GTTk)KC?9{D55A4&d5@<)+Biu_UJYvgO>YtyWsPLNp*!^dI@4uy+PU@EDm zV8hb8!e*--^DV#LAGThy3m#4u>{11>uspZ4C|rC_P1IN>>RBl!ll2|@=85Ic$xX)$ z=q{t_ALZUZ;b-a+`LSG#rvDP9RR4tkRF}waC^^(FsV!D-JE7Ki2ol7e%MPQBAclj-ny{}|=(BD`pSAX(&$@&@OJyhNvvWe9 zNgg3FilEOBXZ0xh?6A;h7aovn(`Umr#2!B$R`i*cq|czK{Lp6*QPZH$LPDQS&(@ok z4bdmmdxq!{a6nTPYu^z1tQz`k8jBy5Y(G?ozv&)U|16=;K0nmobU({~u7~yiCFnEA zGU`B|Rns(N842jKYUne_G7`{d)zD{UC;RO^_*AnT#QFI1u0xmQg>_#Sic=oO4}i;Y)Ak` z+YNH+?BC@2l>TV{CPUW9FPx><{O4QiN!HMS3AP=$Kwx*qH@8MmT zG(`N-iRQ+0mp~=L=U*c{dFSn-Ss!fZanpy|_c^){dMLU6{E;pGA?yc$ zDI?cwWG+_pqXDZ#tl zVzUk^LD=wUp5FG2iL^y=j#3^Etnm0Z-pfWUZA1Q_1Xag--cYB`ahy1}-7ja%(VyW$ zH80hqM9{3}IQ99$j;BbMKdY4(kOQyXg8|=7TZKm!0zELA{vU3T zl5axCq*xdI3#U3e82vFDlMZ|e2hGjOq+)>PJz&O!@)5)sntl@dO=+fUtJGkkj z#U^G`Xxo>_fi_an2Moe*wrOTef7G)E8`baN z-j;lSbp9G#1keADQ{oW3Do3poQnuP!NaSQ|Ht~{AEgcOpkC(pTP{2p3qqBZ-uG*aS z%X6x8e#cJTw^Oqor8A+Ly$D@Y2jsks=1RS1zid?an4Ld7zuFp)Ozr*Y*2L$lEYID3 zHj+eToAIyRRL!c2)(y||J5B=vPmP^M0w<7Vf6wDz3+tZ83+3_qe&2ibzgC?T?YOvT z$L+5$jp4b>+mbxRjME!Svse!mX8mv+(c@ZA`J9xiu(RbVEONODGlMJAgQWBM6HFp=H>_G5v(tXx4TtIxDGh{#e2dvTXB#xz`eIkf8(Ehhg&95+2HJ` zJ#O3Jq~QTgQc#|CE$=l29!g1ro+l}5Q^AT8?d zz*xp{$>~^*w(6H;h&ruXTp_^IwsdCzn~P>qGB8hc?Qv`(B-#N-F^YLD5=nQU4N&zAvi)3 zR039Yb|ALj0b8j1X7jQ>5mK{0j{ZXCM{LxTo7fwN3d(8GR(jM8aon!rCTJ4B^PLyATU7q&l+Mf^zM?+WT>-^*f8*k5AGRfT1*ptoH 
z7_^+5mtB{E2#L?w_!!~C3ldv^z;0f#{Fr*rX%36{njWU8K!UZM2}WmKRX9CbH(mva zf0(H^H`(H9k@&YbY~kT#B2FF~>p0ooTWLAjSXu9#!n0qGqf((08oZ6 zSfg?~+X=sdpKa`%H>uz&!KiT+Oef<+H;lzo-6e_XR^FYC%_XOW>w?I;dmlcU~#FiMMHlw=Tu z1r)(+t=`xIMu|K8W{Yr3u}=xGWHxKfRXj)XL=i)U3~=bho0w7|orpP=o3(Ue$Q;kE z%zeh^L(DfVI)2@Bb9}4PKW}6Gf%cIlj#ozexeL}P{quE-3Tj0in>WU4JA=FyAH!n5 z4y$_$j>y^lV&r0f^^k6!R8nEE9~!=fW1HUI1BzUV-}{wRk*#foTx|S?d_~EJ@NZtW zZmL<`xl_eQw@!Qet@`1F)v0DDQxR5RD;j6I!=};O&Gs^0$*b{0Fdp!(zY2I? zbuHh8?L=GokRV&Ud01O`7oStNTUptr+$0R{c6s^GdO)(iV0+Dlv7gvgHf{gt*<>{qwfp&N13)sBwweBpG$;_ z#ba1%t*ObP{wA3%bVnq5#RLaP#+CfIlf zQ@@(3oj;ozoi#pR?d6pwA4q<318sn4R#s=kMhUXVuUaahY?7Y6GjLss$jiu1O-Voa z!EP7rWIQx&M=LpCeuPlD?uigO7vNT9I{S_wOP@lDvqf1lry^?joMsNbp6kX>shQ== zrBl9qmdB3n_$aWhwD}eBEsE5`RoS5F^bq4ysW;EHDUx(T z$dXh-wqfNT?=@8N(RdT$B+5Lf;9^h9joI0!pABWjs+(Vi=xAQZbZ2JpFVJA(?oAldQ&^9}-}pvkwH z6HRYuRU7?|9nMGRHt?cd2AzmiudCeL#+KZ4E{7vK*9m?}=eDGBhcvbf31}}KzSEkK ztyQjD|3W#frMoF#pJ>>aIHRL~CRb~o4;g0S&wF#Mdq^_y#MQ`m*I`wHrZfoD33k<< zX+qC5ATdtod%AH&Cl0e9y!#<2MJ5Dl-bVebv26w1-ubR>JpZ_Q2!K%M$-G_?*jg=gB|?t#WQHB@h0W_Ej1wCh4sDA^$w*O(qXT>g8tB&JLGs@6?@Mf&qCL`nGOFhZ8^pU;y=z};*5nm3Ui(|jcfFCC_cw!%_vuH!nR-iJp;~#n?@Y;8tat5@H?^y$ zJNcdOdWF)NGsPrHu~(_C%Dkq^?@G@X;*`{!y-r#BV9!*MD!qx{de>%EXN$D6^TT;UHd7l?Glkp40W;N_o~gFJGgYdZd_msy zJN1qi`JM0j{l#bM52=}YNtOTOU^DfnzB5&>TKqSD>s|k@>ikAt_a7fKQ~#Noso!SK z)Y{Zc{a4?a3P^*$Q1AIC^@e{|Z~NuNX6jd|nfjMOX6j$lGxh7fGc`js`9pcrkJLMU z%nW(*mtJps20D=Z@ue#s?PtG*M0wEX6gs2nR-5Rrv5%P zQ~%I+rshe5Yt(zbsowCMdfT@yHdEhD&D3`WnW_Jko~gg@>aXTLSJi%2;V406ps7VFYX!gct_FS=x}KJw#=$2_9<8+J zsou3p6@SM57KiasPQ-`F)$Tr`Pr(#R z0Kx_7hNO$K?V#l3H+NW%V@2LQgj0gzY{cSM3!7jad01I)*0CsUlx;YOR-|o~b@%pwZMx3TjDS3`(;KBo-bit#c zOW2nV$XwN5k_bDtlPe*sDI7G5AyA>myKC3P4m;4sw+bc^zxe@05-gjIHLtzX9#=;> zEDx|axY4HXv6sRcLvYZjkOP&E18jWLV5PJU2|6|#zP8%8s;v+vrU{1FzI22X*VbMJ z&o^kg5-mbvrMLPtcTc7@MPKW)@U3WmkkljEFT1*FvwMFy_!+NxbNfM{3v8yy_XvTw@aF4 z-r(Yo4)6FW?Zy8NE}RS}HIRoG$lo#$@j_gi|Hn(@mC6|y8m(kziLN9;8MS7Vhy}Wbs$M%x7aiN#PK6x(- 
z2k+&Z03CCAT3xQs!8{GPEL4}#H*leslekDPg|z~JZymupR14D@?V{SBhDv9wp`YSj zq&C-onwyuTyRYx-1A2z)V>maCx&f)GcNp2#(;)NJaYZetWFlsz$e?*IJ5kY_bRQ> zjm+%JhVOvQ|J93M4q&+?E|#0ogvlcE8y>g2Vg7cJ3K5PSyFVz}OHQvt{DnL{OC0fG zcMs2KXW05OOy3P!^9GeK&RiVDTS|69mW$2b!0_fP1cH*(YOu}uiX@fzYv&;RU(qjk z1)D!O>+Q8C1HMg*$4s>fwxvJ?qd8$2u$j8*=3ftGgE`pd~OvpTK;E)aOzWs$o z!ciE%zKAJe@&A+ z)&*=+_Cve+htM0L==bGe3coz|iJ=Q50}fQswSfpUOy3~*r7&J}&BdVWYs~|pOO|I} z=qiR1yZ~Jup$jwc%W(1rgRYZ|(RLQ~{{j5+lNSbsFSa%$sPT=m05kDR^4VsV;C~Ch z^u;LvM1%>pH}eXoS&`fL1e^J-C4>PGF}?@~YPtgicC;2HkXQAn?b}zYc5k9Rl4I}Q z6?yfq1fqA_qN$`nipIZ76MC|Q~Q zcRH5y5TTlwOCWGVBZMubV-hJA$D;THJncBFR6}W2gk~#$PpacbeX~}XDwSMp$37>k zWl4)*=8i{rLhJv8pzT8I^`yxBHVml?nO`BLywN6gW=gYOpubt@na4Vw#V=#VrqGXm zOW9>egbP$=&Ila|U4)&a*bj~d)RmJE2>@WL_NDc496K5&31>!ICB}nnrP|6v+yolS zJPdW8EO@00C>2DP0v#T-AVQ8Eq5+Xqga|oWLr@WV!z2-%X{#1dOOICM#r6*~qEkY; zFQzpIR7))lrMzqgbPGwea{Sg8#_F-NL-iLRrxWsqKL?_&WUPF+|uzA>~O`u)$#A{X8)cp+2YY5!}*mUS&yd?B( zTK*cui3Da1W{+V`MQYsx=6q9tL#Q)+s`)CMbtPg1`*X?34T3tN6S0VTJrJ!Z4@8^f z!z5+|)XAWTQvi`TRUDdNO;;#d3Bfr9V(jkxI!zg5{!zxJP21I}47RbzTq)l*1>16d zKz{-y2_FH$AHBOa7(k6})#>F&N_LvNh(3bazi|qwrF9w2bUe(Dk{|-eeP5l@Sm~Sh zqP)2CMb(MU{{S2T;7Le*M@vJSfbf)zw{N8Z-D7{fbI7>HQ+jg?!c$IeLR&y&z9XLj9c1oUD;7Ja0acm~B#p8y^R$<4cu(=Ie z=K?9zX9~lPlj<321BYqnZMlRc%opk|oBF8L1syS!hXT++R;5tVIY9@ZwKj+4?5SRx zR&z?dkZItpVMk0}7&h0b&nBIdFSs}C*e1i7C;bgE6i?W(L-l17IvNxZRgIh=%g;*- zff~-xA>kJj-eW-5gy+nI$1XfTcf_+u;S#0~);PV71x@?g5;Cmc$XY`7GueR#dA3gK z36@VjBZ!*l8sg?rP?e)4&~Ksw4m5$9JwK#;0QHRvdZ&un-R$`V4|FShXRK#vtmDc6 zy&DgoSSY2&gLhU~p&NKI%%0#o@s%IM$nD>#qLx?~P;^^)K>{#%HXO|El8r?CABeLu zB0a#zzcWzNPOSkbI4EZ?`BHPjOz1;lMkHIJv@WP7{`@Zd-@P3K!R5!-r0)ykE7SMx z_+#n&qWD7YIg4=Mt0TVm{plxj;&-R-=f$hI7eGfV%=1vZ@VRU-@^PuMDBd|gJ1f<| zWAUq1L3w*HY8&;%kKnq(F7R8Ae3*F8YibDvqrX)jBmPh67JjS765oBHzz?NDgaUtb zb4N3|(ykimZ~kSd&2Y)U6e&!Vk)0$H`o)JY#0*0465exeVl{!2Y$Q~WLPCXoFtz~( zl1MC*o&r0pH>|I+9i1nN*hF;Gj>qS}&Y-L%XnaXzu{w{_FuUT@$&`3Fe6sjY7(@xE zgNV_yJbCen(8-d-EQ^gKemzMVm!bvn!nG=)h8&MFOmkhR#_0*w%=I{BeGwOap(iiI 
zLgH+mR~UA5OtB`~A|3R7T^kNQ(6z?~OrqWan_)*MF;k{k&S%1oV_4k=9j(?v!1MgD zP))t3An0fV_N@A^f`<~QfCvblMb*9Z&VaQte=HM2Y$+6I*hc!!M{1t?<}FwQ2kr5b zpShs#k(_pjKYJ@1Y=7W0ye?!2yQerw(Hob$At(;R;8mYy52Q#i`e<%+8XiO$eYDD{ zZV4-0(jp#Xj|e72ArRKa(tKRU;-iS1fbT8Q_5)e$2^DX{)O;flgg2v}W!Dk(MSCVl z86F34j8=Shnw6J&tTo@vlg1u&Q@#vezOhHsn&)vtJ4$=l6n;-11>(s(>!U!dTaV}Z zw&Ng!Y;!y6ti?TG;;y$r#VFMwr7C~|Dp-$_qSF5j)U+kZGkboN{@ynE4Q;~>9y{As z`3-G#qjH-oDz|T%-G+sU3_5*J3-QcH3l+Bo#Zg=HKf&=JEzSuW-@(HqUd&$!Sb4p~ z$~&lGdaZhRY2 zy!M1)?sl|wK5TC9CsOQDBE`uWm4$w}peGuN<}nj_>oGiTm4n`TR7Bfq-WO^McR>z-oPZS6+a)r0ey-H?jbA5~{JW7dQQDc@hIXnq9Xge)gg#U2<& z$0cQZT19o3cx`+a2%8;bLov0wW5*n*=vmWY8KIl`JF;QvcDJPvma!XFZ1q&q;IE+DP;BnqF4$1wZ5Q&Z7TKM?&(<$>i*h@xQh zOZjj~At`lpS}q=|Ou)P{7tY=45o!St3N?CfzKYKEtOD;3mR`nDDu|e(cq`*QFWm}@ zGAod;J@c@Xk;jD0#BwGt^;m1ZOTe2bSIz&xYl(t^X1u%~9|58qp9$Vi@T?Db`z;;8 zatmui^39f#&Hmz;&i<*?S(SGAK(?tNBmHx2y!SpgP6OndscjJc*ISj?0sSO6QKAxZ0Kn57p0n!M{ley!>~gTjBM zV9}a=;>k|IKP_CSWcPaz_@}tQ{~q13sq=5mwtfqsTP=XH)TooSIbZN9TTgm3@Xt)- zZ3F(d3jA+N!9PBWl!#s6zby&>o2NwQZUz45ZUg?80sb*?jP)})q=B=GyTdTAnE}|P z2LxEGF<|Qi(7#toWUw>-L|%%W0byf(9bkzYsyy?5Fr$t&I?+ZOB}!UTON~{!P)i-E8JWOLG7~_p zqM~&hi}nhJfT-MLM0@sRly=+QUbfxp+S+b+d)eQ1TYH@(NG>QOLAgb_Y4wajO`wth zmHa->bIzG-g0-vN?lylA=6&CD-t(UKywCeQ?{oP+$S?G{v0*;4!)$H;t^^=Gt`*i36o__`To>j_w3t&WtV7>KDOEome|NULc(1Gg zkw|x-lqE-5ZE;xRJ_HUA?uf)Hu^;0og+-!%4rlFN*}YrseLx-$BwQfY3hVA8`~ygd z+30q0>0D1!kW?%{UKD~3`5b=QK*{xroHj!Ehx3V{@9nbA9qhL}|6!RQ6x%pX0@uBt zFq1{+pkF7~p+g_cPnX>9>Yqc#E|9Jrq_4K=@>T_+PHz0#IN^?sGXP8hbXxeM_3f_` z+$9=!*cu1b74Owek)_YnLx8KaU-kb#S*$4pMR_XQP~-LXvzTh@8hX;wemX9; zW@^WEAhK_lem@|{Cz+dCYI#=`*zpC~{nv^AvPci91y<3DE5iuM&hc*ZRv@~<3*IY+P0@ zDTu{Xcamc3@3jq34HYH_p&RxFuZGx$kt3ttfEfTb{yKhF<6=xg!vd~}0$U$7L4wlE zh7wOGnGMej*Rxgkge%!C?Vu5;cg1;{;jo@-w7ET8*+NcX4H}V*JWV2C(hrRGrc?A6 zoc0EO(UX|3jGmMM>oRKH9XWmle1PP!7f{D;#DFVXV6TKV6t+tKr;Bnvc}}s`oYGut zOli^hkQU+($nt83PuU9vb;trwxBQKCtFpw?BN~!OPdS-^ykU~)JPWPix*a4N)#{gJ zdDJIDl`QN-uveIulmo^FVXu=9hU+&+*}aIsYjM86pzwJ5!KCmEiqn|l%g=~=Z1%d{ 
z7yE|YW0aklJGm=o{mwE=w$Cz3M81spw>R{I$`&k4^xX=dB`I@qf*zj(4*XYchzi>r z@hNtGgj%zNi708QH5;3WPibuN5(xu-nWrEQ7NEk8ZbPK1CzP;DqLc_yiL?v>)map+ z@2VEzawkJ&2Z>g80&omhk?^1Ifte0h>7oQzd5F@8T;(1bM&c@+zNYy!2>{#3Tm|#> zo8uqdi!OzKbdAhE$j{U_UJ^CHI;|^6yTNagNujOwT8lWu+k4Rw;f>}jXrmWCjNIup z=XmtjHIlC5fqkswh|+X+kBq3dU-tpDx#>wiGk|A4*z_v`xK&-!1_`adA+e?$ECasKtb)e;bfW+qaJ z6d}i}=99Dx2t3HxlMiZ?5{bIw(@)8p2wNs6MVSo2g-g@Nol`CIH zO}aPASiJK(L}Sz`A$SeDX2#19LUG{?#sfrYC4>ezY;1rAI)nx~p@BMRU~@Hy81duf zQ!5RG%{qq$p7s_L)WtpBHVtf~6g9{*lq*^NkcM0uScqh`k+@Wvf&j`14eYcfs{?#e z6*v=1F3i~!vgW6@&9hBb+Gz5Xd`u6*uLxM{8wLpeS`UR6gkUwdIKF$}}L=EJk zr8#G<5D8Kb>1WVld94U%t$=wAX_BKJ656gIMKA6_QPfZ%8^Rr{#bf03fby)sW1>Z` z_RVVVn}BO-(~CtM!t4rcG@L91Cz~x?4NgV`^pJctb1q!$Fv<|L*{D5Qg^TSE z8;NLTD~J2nbQ1mTE6xL=*ms|RHPRe0wzJoBm~@-%Bqa0$7dxVZI1Cp%#ILZijtExH zi_e2*ECTg9TcCbgt^&C#whn=MUtu7QJQ^f*Z4>SRXxh8vzzA2?10(*@$goSsi(XGMBvd)T^w4(iiORkbBkwg-ny@H_S*+Y-VMf`gk`l{na z$i5xyZoZhHr_n?Dwk!s=7OEq@vaCb>KZyTB7Om!d_$ly{32}O5g0oTz_bUbGGBCxj zwBsvhnMJL2Mp0sxc}uIe&bTGv5R2;@?k0=8@m%1W_A(#sOc`snTQ| zpp}q#L~MzNXC;dA2-)QH`D@`{9Wsx^KZG|zISWpH#y)4sAd4w5|vIFS%c?g80qtArnQ`!-GH^E|q(1+*`x2XOQA*coY;bzqzz8fg7i2pfX z>}z(H?p--s;9A0lU#Kyr?G6vG<8slT>?X(At%T;PWG6Amy@eYU+%-1`q&`3HQGE0S ze3E%6X@k2Z(4Nd|^CB(or4@wQ@lZ$2Ft{@iM^Dh`nq_hpsx$Bl48Yn#_5C8<$<81& zUAZxA-sETw#l4tUg>#E^ce9iXuu@)}KpbkxV4M9d15^+0inWzDzlyinP*l+(5bWMh zJt<(E90;fmw@x1B`B8KQ8S%yNA357`z9%=q&?xkgkjU*Q3Igb(d(li8k~@#khw29u zUP9zMuys^%av0AXrI4?G!DV46426XmRKU|=VT(Ck4lMo*ybS(zBZs~joGjsAIVa0$ z@UBbT2c~$JO`kGlD6BZ&DgT-a8TeL<#eTR0FUXwpW#fs;7yFJ=^oRT-9R#fxL{IS00Z#adWQhMbFoAS|lHho$>q$QId#MAf-8uFD zkTRDpI>>(=$us%SXeKGto}uJZuTga{`2^k*NG9B1s};UUnJb6UPlzhw5&2)DRi9T? 
z#K*O|H+cyv33f$=2zd^zLvQkUYPc%-g6-2`@}ERugTgVC469zFCs~dPf(0W-QijJ; zNxq5_!+y*EqRoEuf0L_Jut+}7U;-)tCb#nw1&tLid1DPk*8Y&8-;g{};KOPh_F+*Y zql5^WS9;AWz^Iw6KLbV;HWrmBj$?U;CDg`jaO4V>6$1ZJkt=!#>5Wuk2QPYB7I)ac zLA20=zWXqGX$X`cF0g@?xy^7NT5P%E1(AMYB3C@eFM3j0(&)`r)FtGqw4yE$ueHUB z?@>>9y=S`&!z8_FdMAU?{j-Np%KnM%Uw=hM9ebgp{xyLAF;kPvVV5V{&{*ZKJRq)&#RCwdSn9y?{^!|QEMN3gSFcW`9s zkbjdLeOrC^&EguBrJKW*8$jJuS(;{F(}!rW*Zip>CF`0$nO`DyV|y{!LLEe(SCF$@ zL>~-_WbQ$iPhHU1ibBY?D3WU@Uq6rhoQPso6A%=^7s|6QHnYCl_59mzpMN*#`F8{7 z-)674EMs59yr|N1pMGNO3+Qr0dY;1wus1l;b5Epxfb;7Rx_vP&+WbM~=k84TU`s<^ z+@rv7B0hiB?h@UP-sj%ta2dgeDQd?mBJ#gj5c-XF%!?!;>{h>cS=|TS)txImJMsbP zk>sFlPD_N1X{{V<6P$h{tq5GQzAuR{BNx&vm7N*XFbv!b4sq}e9vL!gT;X87j#7jJ zan7>MivNjx$J!=;y9fvWE~Wgn{UFupwS6cG5>uFf(xyA8cZCCYZEp?N9~PT1@J~Uw zsD1v(THk!X5!bg^Zdu=(WPKmf^}XMn$gK5!2>pk7RjHg5uLk`P6Dh{UEBS%M5MY_( zkoADL@G(i^W_v|(Y?w8^K-YM)2*#M@NiaUZYwO0%ky_SxyYD^`f3+E{XM(-TZT2;N zke1jmg7FMw$=EQvdXOKs$IS#If$F^Yd-&{6q>?jkq8x;r_(HE3pw6I5H2RhOxD^fV zEF2Uw%LMnuocVFI8ut1S{Hc0e?{)g_<(sLy*8)$ouJ2}heJ6B%Cs^NLSU?ib8Uyhe z|plp9f!qnT++N}2o{n0epEXH;dl{96Ylp>`4^VJ`4D%2R`&0mtnZ=| zSaPEDjY%RFIdY|Lw1<^i-x1T(h6kkRcfar4EneQisHeNQhioV_Ulr zONWvtrKH4#2*kFOIGbv6TaP>_x0x!^v+^rg{s~sAFE!>PN+dHk{nWkmTwf z=jtC*&h?MN@P(UEmYu#D62Ubap`_FtaGESCm>`T&72THT|yeT36tAWjCRkE2*%q zyjyLQA<<`J75*13z8aF;rhBb3^kRatUP(Sk@6LVJW!mM76uHgnr-VPSQ`&1kP9J?{ z>N@LWxkv_Q>meja+xoEmEN<)rt4l`fwVtC+FVU{QlGXM7ZXZ0&j`DuVT0|W;VpBYd zO5VDKqCFk=zQ};X=C!4AFyN#nS$2?2uIyUlyx^v%rjZ> z3=_5JaG+unH$|F<`wuV0^#OJ5t-WYE`dwBXR!Pbh?3 zKZ!@Q;Lz7UYT=FOYd}{l%N5rOp)b2Azm>keq)V9DvgxZ{KS_$d?A4x2U*F0if`0oJ zm%jAF*`&QBb)EGYe&*8GpneM>%rt#XPu(J<`<1M&@0XI$XeND8mq}j~|GMexVHUJY zUk7!9)AV&8Z4Q0)(v+sJIMZgAl)hGIkq=|j*DSd$O`@|~o9$>o zqZQE$eQUOzX*0B`*7d7}tbzo^z^kTOwNA0zE>5Eu#+^{xE_T``*~N0FIMFVi<`g+P z;_Z#o$Cu=&XOiNMrCJ&=+0#L=72zC(i|<2VXk5J+>qfRTiI-lvX#&iWb>aP zZAg@j-&3*VUD5jO*mEM4o(eSRj%qrw;sU4L7ZV^{t_hiBH>$)j0;8RKm9I%$Wa$$@ zeH^dOFC_KhGwj}hv`kCtd#Q9K^_GSZ_cl_{TBTawy46+q+~M0iPh0@ zD}pNd5>?KhnlWGS&rJWo5@xD|>6y1tG~8mpO^AQ2_y^*`V5d%PUvd_skx#7CSYt-I 
zhH4G|Fi)~2mPT-&HLJk2Zui9{uN*u(3J|b37HN3(EHEKhKA;$QDyZRTTTM+Ek2*1A zWLYsPXvnZ)pn8hL=c1=3)9Ohy1&tP3gM~c^x2y@=<?fIJw5tn=!qR` zbb1mCs!dNDPj~6*34YlzaT)aVBP#Rg>FZREOi$-#uaCEteokQ&f64R%Et9*{rlLO+ z{gh|YPpK||Z2CEfPhU3u?4xEx`q@CkDD?AVn%*w@`Q)+ar*CE$Z4i#NjTIBEUAGHA zznjgNlB~N@>$5of*hTS*;7aRytq~jv=c00JCRMf-_CZ)23N=wSgcv^2wJ zZ`DeURVbYBB4yW!7;?R`x1TFHq8Wj`mB6}kdE14urJ=O6Y9j>?hg@qd!P{R%(IzhwISGxN7Jl_L|>IT;MD3ibA zh4?1r!v)-g*B1((6n_((^6nwLzm`nSm>~4OxVK^-B#tIWI>eW+VGqqXK>V@7;iOFF zR;C|6o4KvQ+cKMi?xto$3c8+#Q7GtgnntG}zP}2Gw*2=e(9is1^0!cif8Rvw^-s%r zRymo?Hy~vR|{Ar0p6l^zWp^r3to;SQ7qB z43et3oBnS=W7xCggJR;8Z45tE^`GvoGb?&$85P?|T+{2FWqfuUVP7o`yTyST6S1tY z>5{zxF5MgEUi`EPQRcTjlN0n@ zJiU}-gUAWU3nDp4035$H0!|QE#L6rpgGRu`Wn1%OqXG;J@6$--c6|7r=2fxI;(H)A zxBHkhT#yO8#)Z4R&hb5<+1Df%T6IC*g~?eX;CAxE^Pv0if!ii%Xq2Aewi~+pD{k- zcATA_Z+q2#MOePrubye>n;tKFzW{&vU-HGo;z17_X`P$wb?dwd{s(1A;ymSrV;W=IZ&xwC;)c-s2 zzbUi*Z}?b_{|zfh@5&wjEYs6nXMg}V+#=4DtpCj{fBbK7Y!=@AOD41+P}pMYc5?0( z|C=)0ds+S1v32!FQ>!1>i@mh6xr%r1bUYNg+_gVT*8Z%VwJ*C}?%KbR#T1Q~IBWkJ zO5o#Ut$jar>9tR$NO4dgocBEH$xSS4{~0)kF8}Ak_0NcdLZ*K<{`W1qxWxZvB>x0i z|DCpf!UpkA*tY0md+po%2%Eo4KeXY$cpB_j_^zNylv=Oy-IU zw5AbnmC1=GS)DWs`;-_quT@67dhffua|0F9JPB^9SNtNk;`^xzhCnYEf0o$8(4on} zcz#y7+`7gdk{u~fY~894T~d7TgmI0t!kC+X!ED-y&$8OnDz_TTpY`weqE4pe zF}VSV(#O6C2&n>EAGHRy6c+ToEB`)gsdJO7K5wf+Szb`kR^`=Ra$&0oo+XC#sI{k) zN8~kPV}5s^I4kxfA9+c<8%0!z?Hx*ff)b6vSM0{NmoppJNQqniiR@R^MvLB}E{va* z3L2*G%V~Hg6?FF%b=vGnmdgLBXKm@%#-HP!DL4D&|5W24d^x4I7W!9 zG1kwK%HHJr#T4HvHumQ*ruQZf{9XGqRsz(}{EJdDhTVVs_{V;D4Etl47*#aG(42sV-nlSomf_(5V{*Fr zBke0^yhO&uM5Ak8xvzbs;fsA`Us5j2w67e#Ez7>r=M)|L$}<#G_LWUen`2)|I7P?4 z@)M^xW?#`SKW1MUv#)SkAG5EF*;hEU{7Lr7G5gA&LO*}JedY4&MHbDnuS9N;DzT)v z_LWPuCdp3m~X8MCh( z+xh0N&%ScwRk`++&s?2maB5$87t-`^vAiF5A9>&hJgxSI)Z9 z?bp>2ok-1?ePztPLVV|#ePztPGG<>Hv#)~9PegWRa^gwW zztWtxuPmcI%f3?SG^gw^r4yd72)}h ziP1ytD<`gV>?>K-Vqb}V#<8zR3-*?`se-jsdiag6TyrjuOzil8^-ecf#PO5kIX!Ty?%@md(O&8c)N){U20 zie%<1{-q2|EOt=}Aqm~^zwW!2SVSuCAnxNv8^pX;FwBGIHQ4p1+gJlDW{1F611|zB 
z&XHft83vFMk@}4_X0W5b)(E!u6Y7g!&hpcw2KR_y`;gHOw9m4w0drB2fBo`ln25n= zqT47qu=CeSd|napc^x?VgsOpgAR@25pHUN^w|~W{QquUmpnvDG%|Mdk?i3|fWue!& z-SI}4>&3Z901|pvToxu8lFuvXfX?^=#7qF7$Z)pE0K5AG@hV2xy8Lvhk`Zsr!$=5*{9!?9)0;-7U=Xc!~<5&W|x5u-8J>)2SY z(=fmrF{!@FO7YsIV?(h#KHkuk*Uu zV3IS)W@_7S-22IrOkfkCOi}U*#($-m5~2j-8&4`;%WKyEi`r&1;7;vU>mjFxX>@8H zbZQ7?a%z@4HCWV~n$I{jQ&Tn9X^q5fMT|orni5%Jr_CUbaFulfGi|?$w&DxtHd|HN zv>(U|e7d<4t!Aq25yy6!5k~1wxwCTY_s_RK-m_0IBS;M(e&S2R#uH)VX=smNKFMO% z&vz9A>b+0el-No+VBX{Q1|E1;6cwS-DsJg;k7X50*L~t|2NOYK=8!d+Pg;%lT}bOmw2UwN z%-z7FUrq|}n!Kg$Diivz~$j|IADUxWkQu*y&{@!%GF9w*AURNp? z=*5Jm4a?lqQ8B(3mZ+) zWKe;^w%BewyoSQ{ZQ|lWUR6@60ESbM^7KmW`&s)D__XW6r)6qv{}=fX+()Q{>tBTb zUZ*bFD3#N`whBXKZNsRsum z-b8(jrpTb_5&uy!vD0yd7&72P2MyZU&@jmCb8?Qf#z4w=4BRg&2823#uKSO zdO|!{I{dZ4BhmVULE!6g7P5C{V|~!~qXWUp1J$5l8T$jxhYE4I@Zm04R$aJ}qK9#; zTU|L=5&~xVyse?at1E7{etepQh*p=g01CL*_l2MHBVtUeAaT=dsg$>#oBB?xqzb3k z-W8Vy46!qG1Z(^wXVfKSTYk7=krP`LWS2(vQA{6E`i{!;S$!5cj7+6xQ$yuX9(T1PWG|v z2vmf_-MEu5vlGRkWH$~aiRAaGp*QO^9DGN-OX1haFW0y|IgY&`%YQD5f0UAVD`aHi zH{6J$h6pTa{D#lW6o(53rQs$mIPv9kD5T=cgIaLn%Rj7zH;ONxbGgh)D!%;T%e0t^ zFW*ly0+<_LKD|ncZhZM-y*LlQ;iz5hM3m2_WJfJaNca`0{!6Vbsq3r_auE}piQlkQ zADtav{x7Lpq_fvPn%VV>Qj$JofQUSD#b)X<;>*`j{OgV{U#$~p<2PKR)5jj-;5W>d zkDy2!mY*i%2M535a_e!CQYL%H^niZB0(KE#bLFLWB+`0~G})jhx= zYvtlM{3kxJIn_!>`SM3>A7qq~pXl|h{6sJN?#;?i6iuZkszyi_2mF07H9=cUB_|?S zuHcQ56LJ29U(coGB|p*U5UT$N@)KRmV>LSCB6lexg|-sXOW1Gx8HnrTT5jPxPQ{(3&JC$Y65w z6A=;(@6XIn^pVR%E^7F&bdsIEGT%K$t4kDA>t{E~O|jd+_XR zVHr2<4;ul0c`^6nz=gv`a@S21I;<>dv99~W~pU}!{}FDEM&5MleR zznv`C+Ddb-y;6(Ziels?>k&HYo1hBy<$yaA$Y2e)ed`71ak<7=BpEB32*$Ed$I_<1 zZ{atKT2=qcORcZC&pK-To&MxRLU7^^>z}k!N(5~%h&V-Os3?%=v&`;O$H{XKTR%Wx zQEi5nzNsY!t)OSG(skdt_B+{Q{%F>i7jU(%9ae@!hfL5`I+6*q=4fBoEtVHszvFkn z{2ch!pZ7GD{DO}+9DAK4Lr?z_65&wTHzyDD`ZR5NOfL1!+Q20hz+S&g*mVlu`i@H* zE>K+SS<@lKeV1A0O#szt9Ei`tPsjXbQoNfRA*cUYO~>f9XeLrHBGY zF_0>qV!2%`qnPsF_c?8j|9*i}bo}=Rcq!><%zs~3#+d*9nE(Em|Gsa{7(Noxc zOXT8Ar8t{DoLy?woar6Nyw4L zM-rZ&_TQiR<U{sW 
zk3N*^A6HxM81E!;(Pdh2{Np}IA>|)ep#{e%{4OoLk$>C=&lXZm`Nv%`UW+OJxE`8$ zLDxU7mFBd6+!=ato`2lVv!styek1JxTbZUL+G{_K{!6X@N?m9DfSL9T zm00Q)@qYVCR@e7SDaSu<5p@~-LX3ju{XqQ5@8)OG@Qqrv2kykdI*d$Bm~c z?H~7Ks-*sLztN&tKQ+J6kM!H6{Nui@y`=o(zNimz{o~~O$#Qc2;}+5CZjd>SaNaqO8|2y*!dry;t;8_0Qw<7;A{*jMe^GEncj&goq z{>9w$yIGuZeqW&l=lp&8(+tT?{%e9x(`F)OlBlrAX=rp?L_sO&# zUQS+bgfDQ_DYkcR8ebsb)THqRE_P~g1$NK`&T(qe_yQ+8HMoa6*BmO6p5?tp!WX#v zSFWpb9=^cM+B7o0!1HI>y1zG%FOVDG_lKY>V;&}& zJ00RD$yMJd#4pS>BZv51Op9h_{RG)uG{o;_evB64_fbhhGq^nvYc40Ay3h^rJD+M} z6RO+FL$Mc69NblSNaEayI)6Lk`@a8I5#JZ7a0C2)BN}HXz)!-1V}}4KcuivZ;+}1k zNI>(dl=36|x~Lu@!tXJvM~Uz|L-lWOOMKt6=;Qwf;`{!Y$7+1vx8(Vw#P{7rTgLKE z#rJ(e>W#m&_`Y?2Rq=h_k?6gg_`W^VrQ`c{$Q3#9eZQq{g!sPiQT?{W_YKSTJZgO3 z9@(n1;`^>UAwyz}P>^6h5%Qe)zB^y{uyIe9@V*m#@m{uoRCwPB5wn)O%7@tnyu402 zx^En%@JP{p^7xE|N}17p>uDN2y6^mv?PqUwe4m=wUTK?dXPBApWrNq)zLMi4j_>)# z85)d5@FTH(H=lq=0<4A?wiY`yZpC}UB2$u`FOkNd3B{HIuXOToM<|vU;-ZzW1O$3V zLISV1pT$&LXVR0F?2y0{wc|Q3$)cp+4=4ZzJ8a$*R3Y=^_h087HJ3r8yfHK+=Q*Z4~g&_BQ%{E)UY! zI^V3WzDw5hteBMZ1?H~}N$3I?U!d-E4f*cxA!Ds?bqjxoJJr7+ zc*T}Ze#U?i1x<|{jplXyt|qrzukV2Zu8D$z7BxRcNZb){lkR82qyBEm?Y1ETFivGR z3KD^=LAY#@+-{w|`$#=SZa13S!<8+db-B&HCJ`{{2dIdfPSIaJU(*fzqNfnK-HjfS zyPtNjg@kyQQS0u=@hiXy+U9GzfI4;~23*+^+kN8Twm@NPh)j_e<;{E6BCa*3G}jta zTEIt&2!2td9^wzm8n-V)*}K5gEq^23<)ZoZ^r-%~r#uvE@rFsM_AFdIK6_lyzr(ls zWqH+l^82x{4~d41EV7gX1_>9RJ39GbxPEgqPP)DLv=-<4uWP<*fv5lR!z(?5A+Yj7 z{{0R6X2duzMuE8{kkL?#ded{I#GaZ3i`Jo5n|PZvYHvTd*+EcWcnt zPV({O1SPgW;fC%*NYfw5xt(oJ@?#48Qli!@VIoReYR$%GZ>`bT;w4?$9%+{Rtnn+z z@3w78aj3o}U~~}_-aHgFA}vGJX0!r}y`bJ2cYCeL1#V2t5#f#IENG)wvzX5CnsYq*>lzPx zgaW7t!eG?A#!mjZ&?O5NR|Jf`%7GduITpC;stzb8vfM zduYwUC1<7Hzt)_#z1EnvL)XtvS^qit4Q2fg==vY9*Z+Q9|NB}0>skK?Wc_c5-#*U2 z-nV+cOeDE}E1QuuSpLl?X&L;)*lt!olpttWtp1L$(MF!b&iQK}KfJ&*2obFG9FX-N z_767fi=biv?r|K~ORhhM20A1$B6QH1MW0c#1pKj*=FqTQ+t42{T7#0`(^$_=(EQ4T z$C$l>!v5}~y!A)(mVZ^jbQ^z+QIp}YgZ!Q>-gzD5_ngIOk_?}v zfx%Y$SQ zcE2Xf%dtri;$ICx%qXt**LfRH4=B$HXast-Z&rKXv}%Icr??MIxjzr{$`_X9BTx 
zs6+Ol4nevM`n!EizoMa9(sWi=!j*TEu6J8?VGA;BR({K!b08jqfpz;0bV>^z4!Rq!It#hQ8`}5wdRwyPGeD ztA+HCzAcM^t%d43p}G#n&*ehD9o2>HeV+;%TS!p)$^>Vn6z*3F&ShZp*TSGkP$~~F zi(2c9BL2Un)mvxWlJL?U{Hurzr9sJ18iIp$ONP<}FAT_F>rkCBF9CY|VyL${$XMfh z8EdHip#Anx?rgLhY}Js*Q7E^D63Lmvu{{%5dGZOH?N9iAQG%p3T4aKZ#;+$$=>cEU zsnTQ|ptZVCk}elkS8it|!ri0DCa2F|3;zN(kB)f>f9DAKdF7L_b+nM5cXPu)#J_XV z<@O21o=5Ia(>MEf-@DbHP7XMljC9$d3@%n|eU73nQNLz$v0{gX3C?8LW8O|G?mEw! zgT4p!1Zb{60T(Ea9fd3mC5xdYXNKx`hK<9~$}Y&_SslB-Q^=ytci$(uhUSRT9ID(D ziI=#|z9tZ{3t~r+?auYc4~U|SAM_JOw5v9H$QCR!+G5Y>Apt`ggx$A56fZ#(HD3RK zuW2vU#(?MuJ8fpRQD*U&`ycBIrc>6Y`~mqcR1acrFhjn(2maQj^wDM0$5y3}ts1L*g82&5-k|4cYOr5&+%6D*eJX#VOg zn!gtzsD=E!nabs=JJ}h8rYkpwHFdRcw)w0fUKP$Qob6^Q8Ev81 zixbuiBb2n+-!ee;;I3F(dGo7euO70qS0mWHpL!C#5AF&S9*(^Tw&~W%!;;(zj&^p& z`Mb>{XFKFGpk0SXp^rou{uM=hhd#O&&6FXza{+y*e5d)3MZSB#_?81vb2wx!QVO~L zpv%J0hYL>&Qvpwhg)QcEIk5OMc~C4lC(CK@u1nkprg+!AGHji)6h4dZ{<)BWZ*_>j ziqn#FzHB^E`C{L3lM^Fq0I1Xp@(+7@%1w5Wq*j+ja=rW#sF>umRNdc53R^IV9wI+2 zUg9DC-C z7Olb)gL1=0Zg_zk4ko`znJb6UPauCKACdo!E;t7qY$*A0t?o@;f=Ys25qd$GA(3rw z@_1^vD*1wdA9W;6{sVcHvGJ&|>NR?j<)|Q7Fmfby+`C^ziDAFxf6->Y`M=3kDp(|+ zXD|U30F&GKiGs#DrSXk55Lx?!>wle%Z?k>?mD;iJvB$qje4E9KR7>LG+q^J`m6PWg z&J(SOUYLn*bNzmgp5q;Sn_8#n;M+{2n8LTY*lBa{ZOWaZgKu-1Qyjy$StXQf@8550 z{QsmgL^fi}-4-#6DmWvB>f2e~wegZ}!Cm&wiWj8>@tl3d`YHsKY z#EXv8!&9pb;{2!Lb2vQa&lUeKCjHU~Q2%CCQNZ8sivv?HvSXBRFj4GjNYtznk;yzA zA;VKa4Sc7Xny}HLf<%@SQ9(n76p@L~aS}~IqlMOBVGo-kI|_=0o`|hgI9nVd?C%f% z5J0@t`6&XnxQ#()@9%nkYL)Yoz+Vp#qr9k0hUc<_4F03>%Mtu11(~`$VAgN|33=sM zas|f`DLLW)Q{aqY^9t0bo{Fd>WdIV{8;Bi32zwOH5iz<#eow^`u&}ptK8aL%DtMwJ zY9&@&;I#WQ2!Rb%)z zD(Aed{B0~h?O1-=kr>=qep_%>tsHgZG?sp-$Qu8rZ_h!TAa-{$`Y zzRfu}y?_U=Cr%PhSxcRp-0+VyzK!;hr{`8r%A?kvOL;_I;~2h8 zh5_WF!(uk+NxmvRo*l_A^B?C4^qFEenIo0G$@h!nXDdc$Of6)XOdiIZBAOzsT_GX> zK2oswqMyrma5a`GMe`~u`2dPGS8iN|ffyNAu z;ctxLZ?L?_@Hg=E8VJP>;{@|>vv&UM-28LuQtM>S-qbJ<@*iGA4rb4QyHVgj?fS3LhW{Gb zslV`~cmH)0z-K|E;f5-RH6w{Lb?g{mua`WGvvRMw=0*IjL zRUaJ(QDr?n_$aR*vB>Sry!wlmG5^sCr;d~79=7^6N>6gTl%CZRgVy|a3m8*&{<~ji 
zz0{AmTF-z^{=0wHRyvXiv%aW(+4=7t?`9nT8}i?coj<0K{BeryKRtH-7(0KAoj=CT zA7kf_vGd2+`9n?||0~ZQ-sZ9M2ca?GXgo=*cb+k&O6R`Z@)*yYwO;C zZRu#G958S48uQ38MN}XmvSIVyiXYR3fHT}Ios>qLK)YIVnRh6}rMQISifsM1|L8E5 z!HLZ;o=`bt;MrqEA0$Gq)eaH@)?w+oPyFp*B52GUvL+`yL^VY!LIU@&Gz3US$e6hs zc%sV#%|plI$94A1_|;wthffF^*Y;b5TyI}$%uHCX{We`{w_bEgm?USGT4(VpdSZCR zx@dwNFIIR87N4p@KZt32t+V8nF*x0zhkcqhbQ&p1_k|f6w$awaIVo6!&`9x&8-K61toyZ?*`I1L7e-#5cA% z--BP&7IYIq`NDz1w%BfBS7XznKOECV;eARdCm z-xGTuAoiXyOEx^N>!593(3x^l221kA~KTSJ9cSKMstzXy9c~Nyk1YG0_7*gN{OE5U zVtl)O%@(>RJOu)U>zju>XqC-7rkb;=*0uNtOJ;(ia$ZSAsPNiJ)`<+%B@j;LE@A!n z&f|65#;xp*p?lWJK6XRk$H!u zz(=}E;g4cd3mUg4$FY-U$Jc#KupO@n8LzQNTA!bmWB&y}V$A*vz)Fo7+|plb1iSkK z@hV^_T9=CU@vDYw+JYT675MkBI8{ojzznjn_5{qC$oQYZB`_m=Bi;!AGwc0F$p7;Zn_vzJbAj}|RxP7d<)!BT(Sn=*N8jUd z`?3lxxcPsy@P_!ozmZ)dmH(&Z7g|i^|GDy)3_+#|)hH=r{zZ$gDr)Lp>nnP3K7R18 zr4Kj%&q6NBzz*y44m>71%?f_2s`Gh@f8F@Odzk@Y67n(6{FQtecr55W<`S>9o;DXhn7QXufEX;Y zUQ};N;Rj!4_W_U5{67!MZE5`ARoV+H2CPEh_)c?+uLz`Gy;E}WgAc$=T?aA5PIO90-N^SJ;Z+>@zV4k$71{Frp)%T`rngGI|5TkmFH^q1 zW(8mOjpX|ea$l}|e-1Z}$@l-~dGC{(Uk%&cQiD zzAvt|&n17NeE-1@LSJuMzW-zK+yDMYx$@gRPEA^VTj12B<+mH1nzZ~@>(r#>w~uJe zX!6^5Txds;-wL#8Wch7fSozJHliwzC%n1?9U(Q)4ga)V7T7I$3CT;*LMdScwQAj9nb#i>-hBuE3?dqJHj@YT|y% zf=Uou3MWD0YEw8Kx$@=j%bV=tL@IKJJ*toBs6%^Xx^-$!In z#2r?-=Z8_p2Yt|;J-)&3$oMGpguT|M(oaC+gF_Y*;J*0Dz6Z}^3X>P{he!DyID;QK zXR568ZPxRB_rHLg?pxi@UuT|nB{x&BBLLDLV#e2%fSEHH(6;ZTUO8_-o|TvM1?8nL z&Kt!lPG}tLKtvnq`?%t>%=+LXE}V_N|1lr;zP=C1{CZ3%e5We6ICjy_OZA)6wzh=+nXXiLr$yAK;IEpT+#ho0(v`E^GY0`)A1I zt7r2!^?fE&$o)RwMKz*>)B#OB#(>_E?{n?HWPYCxr5>e#5thTB@_hy$wr8~5T@=iD z{V|{N?!Jp<6`Z{`YyL9n-|b52pZ=Lb`)sw}@}|3<0e#h_$;-2HV&5gw@w?q`c8vZ9 zopjEe|LEU=d)zK+2{T%XdaBx-0o3CRPtXW><+lNTv5@QnE&==HH+b?yNDUw4;RY^wt>5+R;z$5dCD)`04S+@#Eq% zaMDaHDFFscx(FBpQS<8kLx8vR51D}?0=$=BO*g1!BIcZ8@DKqqtzwy>e<_1ZdqE-% z#OI)c4DL|%3y8@TQc&%SzkS)$eP`gMBe;G}e08+cI`+3K~g$c6SE>QLKWt>S>r!R;mM_urN&TrT@@=FWJd?hJBK$o!bs+Q?NQbGbLR zk_%5s?b;vKs~E-r4U0DE{ z2HryY`ml4KvV@NnTQlup6z2@%$K2_tUpWd+%s3%(R<#-?^6>0xK6C#0F1BxO*mx>r 
zUUyr>{5Y&{f%mrsVE+m>yf-LdBXCl%Pal1xcO$9iftp@1NQB zedy%B_5EepR0WNtUMEn|+WL@eN$X_=lWtK+Tk4t$fdRM;A;gz z^Yci_i&zs^u@~OJHh{TAmVsB60XHD{1BFpxefwYRug`9$+d#i;1Kf(hX?aeTuRl^t z%@Xt<6%8PV?gMiSyuY@R9N2?+Bj>(rXN5Y0TMQ>I7>d`#1wtACklNZg}&7e zU2WU};@V7)>Y=bmd`= zjVb+Mp8oL%eOdZP^!wLb6#`8@LXIwT4nvybo!mpJg`gHhWa;re@S1!=gbKKl15$lA zH4z)6x&=7#NM$d^9@zzeuHLZXys&^&U&}S&`WDz|SU{@F+-6_XN9D`M4r8s336yqB zK&n^q%LOJkddcvRflYp+Tr~(vUMqOKecpZgU5c;2S@3s3PRo$L@t6O2c-f}fVZ=f*-Mi_@2&S{JL?~{>^TF zg>?MpE*6$#v#D*vsypDbQA@VEO_|z|iW9z`*eNOOqOHLEa8zKQ> zoV28iP`qqII9>vHb{2bBTW5MU*BPE3#gBzQkrSn`yYDuP+ksy)i3OOrLGUYVQQP*^ zoVx}8rUZCupj5#PWFE@8BIYfdiSN0k%S-6eURs0kd4f(o9pSM{0C;F#ZJyy7KuF)Q}h8-TVi9 zcmO{G96buFjh1M}zEi zlY9a^_Rg@;8?D^trVR=EHw*A|tM9(g>Qe8F7%id7%`EjN^_eW0rYloR{ih<@=u-a= ze$i7n_8idDIZORPxhiw1U&T`I@ipB+y(YvV|3qx>iGWiVf>qr6M)^geWZ)5#;1>@IeuK%7;Wv88AWQRuGe-| zTUR7LWpl>*->vwdnd{$kx~~6jcm4N7xr>#w+5K+L_Pn;%EbFRa-MaY6Ed0V2S^quG z`hQ8+e^2*eIXmUtE$d(4*|A7FINZdyfy^E;z-R~UocK0({a?lU?{U`uHUOx%2>^93 z>wk{su4{4EKkvRdET(NuT6K}Uf7}Bax5NNVq%`9CKaqx!);}ow`$Wt!HotZ2zeU$S zNi^=2C0LNP{sn*BoP`KmSNf-|{~mY!7pc&#TYbj*?@{3O4Xl5+IdlE@Kw0+s-y}3P z%KHB|xhix0J6rvish6!jk+apmL4KY5^*;js`Wvi&@Yi$q|8BlG9;ky5x9mOz}Wy7)8zrFwWxa*(9A|63)M=Y_w+lcGGNA~|N@YnxR*1tNSrPlwcvI&l~|4Uk; zQPw}fLVwovFAgL##7FA}+=}MGae9&sxKRRL@h<*LgI7F-?}RjdOk6K}k|I;F=LoXJ z-l62rC`sc~ao6lfK8qBVzVqvpP_iU%M_?mY5!b=f02xmttEiEdYeB%sZaH5e#uLep z0#F_h+}6}RMbzZ1iLCuQa5bJOoS%)~hm6;)AHK_0=Sw0iM1S(*?DO3#I>iVnP)PfL zM2bpEq&%{Z!29gqRUYz#1tf1-6wVG4&NyF@CiOTld~40fj{X|Zr11X<5BocppDr~+ zQiJfzAb*BYpON7o`zTe}gLMq;hOzDuJG{n?^eQq4&?)ApfNE-yfy_`Eu_0 zze>)3oT^p-Gt2~Koc}Z1zW?d}=J{XrKlV9aQP}eoK&*#1Q~*`E3LriCm&y~1!OZ!2i(p;OBJg-J7Xiy@_vUSr$@zeL&$pgi}t6_(($0<5Z&Ji zB*4kh{x~g>Tk^C&x%B^g_)S{-BTz~s(!aVIq;u?K(*J*O&nViT-0A$2zW*Pk|5N)v6@Az0lMDvO!oxGxMUeECXT*S+nb@d6&)TCjR5(A`PM?6DCT!UhDyjLL}kxJ#Y@kk_bby(<6MBDGdAjMOAPp zY#dNkfk$+ilF&_51?zqH2>>O{5hD?*T+dO-ZT2oVG)iL!sC(2c*vxX*pmVkp!fOmgpiX zNLGldDWs22gokvI z-)-I&FX^Dj?^bd-8nnwD4O+Wu5O{{GLD)GIt?v{q1FF7wg7E|@TbN=y<@L8u*2Ih( 
zDWN@3ux+C?|4ZM=Wf@;Oh!7gT7Hbwtp_}ZcU?I9S$xO<524!&~v}Sn8nfCcJEB_+z zpNAjPOymt8s}1wpkmO%Pe^3*jhI!2X4B&^f$vmd=mtkmB))c|W7&1Hvn0Nw+cu^`+ zrC83w=J5q^5f}!Q=mF0V@>kY<;na) zcm4nPMNg6@IF%&$AE|Sb1P93yTrF9GS5rxfTp4O5I%CbM$g$E+6?~ri(kb$+fTzNs3^^p7jvmj_Kf7DFyz9(PmQMNlXC4-f2_dag-tks!ftT zcavf9w1dqgd;T3PVQ_n_xx6_^h+KO(KHH|fC$+w?ourDu>DG5mPDtvw2{~_oeYu&3 z+Vn$y*gX2X2l|uDNpwp79zNNkGV(bSofg6v|&$Z@5%d* zFA%ybhVIVf=&7bFoAA6=|9%LsB)9hPjSl6FY+sKp`$G=>ErDOk9nW69bpmNaF##cK$nhVIZ znIh`FkhB3h;f$3+sirJ6K~5>+K;8xL7jYCv)L`)C~Hr zF-tmF)f-*=Mx?%7cFNTLCzdHve)BidW9#Qh=7@fN3;egmOR{s}zs*4?yjl`~|6Z0F z6IPiZHx(3aBhZm?v_+mTN=o>VFbN{Fg!!)3{9W6XzwSWe4}aa>&^IGq#Maq^Ma36; z*y+(Ms~`b#E1|#;d78gMm7AgOZj~RfPgNV;!NT_BXSpjy;%)*Wo5qofGu|&9e_3ai zbk;Ewq}%O;!Csw;zbqn16Z$4g1v>g|OG+4-d_tZ?{G}#}+%m+fDMw9Jm=GB#{xhB) zsBBI#THJ~<$b1QW$Hg}yN` zqkWP?$s}R75$41?{WN%yE3YjB^v9#%a) zB(JB()1W9Nqo4$0AUQjn2VS@U1wHP0Ef`O%LR7RYsSafo#E zvc-f7VInM#gfG60&0b^ZW;T`7KY=xFXi(Gh}{E!68EKT!XL!G$ydR_X9|Q^ zfPA)I?pOH?`=;^+St+ger00!oSw3f42>N)?a6l} zK{vNpPio7{jpxhalSWQjQvXxx-KwNqT5LT`RXzh^Z%h8pPB40_CKyGT-YdC3&!Z%b z(^avbNWMriQ6w?dv=1e}BN;|}lFP9Hpsbhh)%vdFY%vTZk`@tLR8Ah|TPA-+fzO(J zmJ=&&G5*tiPP3R^ZdYC_r(o$tWbxz$_9^%{IR&S>e%g&g4guO8yDN3Zy|P&2)p>sG z(gL!Hw~liDZ9Ks~^}46v#%KFp$@x665WbIknR0d}A9kq7Sm-epdP8zPtGy6!okVw30M<^3-?nSepeLN4j^Zq$m@-O$d*!R2kebfZmui8O-`c;1> zvVy+qPx%!#MtIdPi!hLOSIB(TJEdvVR~_Me{WiQ`X{dg7>QmyJW4|AG8fuc3-M}_S zC*&8Iu*nym5@x?gT^5&H$hmKeuW2py0i&BF;)NZOU>B$dP6Hhx(H{HzvHz$wCp5es z#Yg`46Jf=JFe378v*1&9F3Q5U zo1ec;WY%J9+1(NWqj4_9)&ecGh4DZpY=x*@;zY1q;0jc{MwJ;!HQb zMR!A7rw?0?EfVj1f`|@>O`d$g$emu?=a)`%8POln|8?3wzT3oy?6qnsiMEW0`!)CR zI{Mm-W3TlS1gj+Jfmw7+!y$Q3qHgC}hi=uYocm3#s)jG{()bx>y!AzWm&yR&m%Tq6 zV|)_jE6;tb!HG^F>HLzLtqVqe0FfC6`&9Bv{NXvi2kzzv_#v6|>$_hviu+c7p1-O1 zi>oNuYhfW`j~=;nWqd+Qya+FfqolnY4p}Gb+wwJ}LWFMX(0qA+yC^>Kf}Ha^>g;K< zW19JHJybc%L{x(IBVQ*%Ngk=+mo8eY+Qo9N@>Gzd7TX}U!1TJg&<;Q19LL7*Ok>vj z5g+j`cm1e;zHPHydb@Nvjfe1r!&b6!)F)if_hI=)C@S7e|E2WLGT~c=OoF*jqUf%m zd$U&10-l__U8~^!_99{d{rr=e3#f*RMqEH2uwVcDEdG%D{u%V+uAe&>${fqn96^Ld 
zRGsz6t*rSGA9-ot44IF~c`UAKwD}p~`G*#WA$d8Xv8)k>VYS`D8ihtY)&7~D#xs8* zYW4uxF9N<`m+C7gC;Dy=fQQ4{`>dp3LI3RkxVP~%ZPeuBzF8Z%C;+(2l)S;MVus!E zf%$}7`0P-~fAzMZJ1%RuXn4b#-j&J89nN!%PC4ifjq?S&aRd#LX*g@6)MvRv+U&?K z#)iI>ALB^+_o*OKg$#}?>a}ph8bbJDC+5KMqP0&1u?|%VL8QS>gR~#(re<3tDId>GE4l84w104D@L(^aT71J-#&ucx}gSB5ni$|7>rgPq%-a zVc)E-z7JwJsm!Dwb)5v`1XQH1A>aL{`_`%2DR0h4HQtJ}MNcBC2bz zxjX&bQS3FB^4Q$(WXo?^_8Z^*D^8W?f1bZt&v)%OB_cTHPM6Eza%NFBnDVIkx!bI- zLQzhR_HxVA0wBM%S}Q2%iOntweM+&^HJ3;rA@)hsIEjFHJBP$2>Q+*1UdQhl_zt74 zImEY!;xQ-jO}4s5^si_xRR06Y(WxQFE0g^gK9vIo;YV`5?p{=l>TruYlgOuCj2rnB{cCqaf8YDWDk%J3 zqIZpEYy8J$>9K8dj3qdWqiLyiB6aqrbg`NdIl*!)l5jvy!9nvToa<+JtBsG_@qnUH z&~qGoK5AYIkqn{J{02l4@t2^}4A=L|+D4~|gWzjA7}04;qc7ITWn3T`FaL&J{@^&Hro6 zqD|08r=H)C-&KEEl-6H9eiZWHPo%qi1nTH+*oF2|%@ZxY)$e4$oR~wE{dW3{y(eiI z`iZFWa`({?W@?o5^2%MxtXcTYkV=dDxzY>Y`K9)YLqb4@FmhqPINY!g^`^+xVvUXc zvwT~A^8jp;0N_bq8T5@-vISJQW~Kl2LO;#uH~T(A04MbG(gfXHHGY%1`G|am)DTw5 zK=FPf!3N8oiE5XLsxgV&tTl+?^zRq?DY_&cgnkyH+gvZfn+cJTm=u&W*e;Bq(9pF- z;ri}sR(ssX6rul&RAQ9A0~$I^(A`!sTd-tpBSsgcsDVXc4^H?U;)LIfp#ow3$20^u z;KiD8!cP`r01a_~kKo$h^c9+LV5Buz$mx9#G(?vZpQpTU+waqqn+RN zqdWA)`7g}*ua0G$Nnd(D=Rew@uSt?r)*&xBA&4&PXE!)B#-Tz@iK_phvfBJOK8!Qq z@2$Qym+_twXDf_GW(VO3kw_IFfuD;A74*$o-}g5nuw4LiwRcLD580^d{FsV-_g}zF z_*S3AUswKzQv{9mgF9{Us~_KhHBX-)_Y2ZOKM?h>jzYNKANZ9|)Vrun5w*kpHc&Sb_j|uP9jV3Z%7q_ajJ=^}6$pF8>HS{nF162FtcG%XowEgjafd6e%{`V?FRsOfZ z=6zQlk9ZNEg4yNJ#lEImN@1fvU-4E+L$)?5#rukBQr^cqi8UFz#oss~G9z?bBJudrs3{L~dsZ+q zrUcR2r>%KcvNQXdHdAfvmvDm~4Yw)WB4)hu970*^#Fg0j2_(LvKAV52|4f(0*L2zT zyRB-!+p6|EBEanUnk&ZzcD9+$ySsAOzh9hVdI(^^IY!NPTM4hZmhhT>EURa*@*zGL%D)b{a{+y+eCYaT2>;SJZJ`fw#uoAzygHMADSZ@Md#S88 zXTiUgz`q6--x4sd;XHqnbDY06?`--Z4vD!aD{E!S%*bZW?-4nlevGB>TV2iHtn;CB zK5aZv#g)F}CMOtH{z;L_Q4WiGKu)e57#`MTk-SfS2~SP_q2I0B&o8mC+$`pogGsNN zUv`34{lZZ4@%_~GB)^IEgbfRo?*C`+T;QXwuEd{V1{ftciN+cXO3;&1q-yZwgb zQnEzTyTIXA*lOCvBUZH0{KEoq@4AZ^-B`=p^6vB_#D7>PCJ%@O}09MpQnxE=wrMFuNdukwu&by&FPj|g~}=IXBhbWg2Y%1Y){C*Pz#axA4ueE 
z7wA2CVqDjs4W`$=Q`S|^Us2(Tn9ejZF_^k?qRA#i^aHG~?BJErzBcz@|IYp=Ec>6Z z-v5M^b|8#)pbGme?3dV(<9&;IV595#vrI(n?0tEgnemwZF9rzS&5eFcCMp`w`z5mO z>ItFLo$9C^qpO{2{$H*9D=qs-;%9q94!i6mm{%+QS=T8W969&JTO@VIq>y8~MS#rP z;eeS@#rd&pfRDS`^4V*Y5|)`d?qf`|F(+f}H>ODU#hgXrXFD!(2fJ{-?_yxrzMoIYv-x)H?VhjS#7w`J*2x-SWqwOMB#xHGKMX_`_B44D28f zD)}*)Kbjw~_W#OSMF^=dx?%zyh;96}8H;?#kN$uUvf03`jg7|?F;#jlGiqAdm7LX) zJvTaw53zmw-7Hp0bB*Dl*F+m9%M{C#a*h0XF%_M%S?jt=NsJ85gv--oO!yK{x_qZ~s)Xb&Y+*TfnVmO?9P8#c33EXE-+M%$mnZ>6SG&@S%sL z>rFoO$eP)D>GH4((E5|V_WC7WX0m)0|C!6zry<{!avY}RyC-?-vV2V;u?yeaPGS#y z^XbWVXB1I%$alZuFzPSmkDux~KcRd#i&7ZSGU;(ewB{18eT}>RG&(_&^^P!FfOjH0L!jcJRM0#0@?jg0)0;UQ_>r}EpD_BBHj1SL=et(+?5^35e=%N@Totut zfB;8R65bKJka|AL7J{ag4X=R>Z!toCJSOk(=Fy^D@74a~$`1Pz>4bSkKue3BoEU>t zrxZu0S*-zk_pN=Qd7`v-bC<=flJSYpe@eff5P!B)`?>M<=g_|1#TGkcGSSNYZPa5R zuorSHm&tzCZE`pkoZuj`g4evmf%GQ_+zZL&HXDSOnuoZ54^b;L6?*Iq?)tM52!V6( zxwnhaa~D|QogBqq2PXxGH%>B#@0%2y*~s-nGxs?;)DZqkCC_x>FHcUpHh(|pLr>~8 z$?9p8Fg1~o(b`^bG(i1g}UvQ~*cYmK78?9h#A+XLnr@wbTG5yt8L0;C@{ z^pe9>@egDtmztmQs3WGSl~ev@&+t*5P^NIySJ8&1wwl zrYTC~$o^jGZ?`D@?G_y$Y%?zl{hKZS3-q^Mye&g_qQK<{a}XV3+4toU5=a!d*#O2n z3S2SI7bUI|?6fAAZTKqAn&Y-I){@=n{89NoZcNhevZo#z)9>p2{c5RRRozkPA{li2 z9~<$ii0gN~W~0|0R{MKX;%y1ZDvgzWd;M9+^wv1KG=4hv_k?j4Ol3p_WpY7Q1m0ge zdyn4WPmv&E_qP)fjs-x;x=PzXB(aSWNo*tg`;DB`age!P+2H$OGf`3G5s_&I>RyQ+ zdMT6}2xaWzjRTQXdF#$Rw;A$HI1u4PHW0cGoo|h6*+%(wKj_@Eki|YATiE1Z)1dlV_qZ zYCgLk{({GXW7uRsw#qyPL+o*i(Z-vj_UL*c#BCj#JGTyFb zFR4SPwK8|)?L;w#53+rSaN4jq=?G#hV(!9Ueo>HpBK~q?vJ$!r|E4vr=Q9N*=#TO+ zL=*p}(~685)OmRZ{I&1AB0JR3foc1orJVt#>gvS!UHNOL(w}YD{!hEa|H&}`uEikT zRUz^fEs6$CRozkPA{lqwg4Zy8tcsm~GZ}c$pNV`WF2)U_9#H%hb1}X-0ZSe-sRIj(N~M0W3yEYQlbX%5#&sSu7!LM2?qTD<~mwM5dDVA-62F#3EP?I zT~^*~F~hVfaYk<=RR>>Jf=Y4JKTeD_?{QW9o7diGyM(xmm&vMM)2vh=#Z~T5p36| zZNxlc0Sl0XF7L!__?Kpp22^c_@W8dC?!QbRaV01qmTTeyW9e>R z!B9=Vl2auSWC#GZudS)XI_z4^!4~V9VmS@{6jG#sici+i)Nn?QyqJ_X2|`}wjrqCh 
z-#FY7g?>jkvH7HEU11?6L05D9CKSqE01qU>*|bOBUfUh&4KXyYxFu!IE5W8W4)8>yxDT(7|ks`k1tkg4$*Fg6JWQoKM@gHi&VldJN_s`xsCfihZm%a70AL}nR~vP)LL93Vtr(OKgQ-u;krX1i1U zy!Pml4o(Os7VC7p84R;2U>gm&F1CSz*toz(%;?O@2L(^&ttt<_63eqeHHJ5wY~D=x1VvB z->$IsqzvE?zj<6?$s#BFagEf;bG~RSZkRJbHKUBtvCV3Y-mYLMbJj`Fm6Yb|m?7yK zcO?Ad3Wc@v?UN+{2H$y2Y3^5NN9)9utGWh-JN=k6>WT2{Tb=JV%(dzs=T?H%0E(+J zN=+gh%9v_s4g2=;BGs3N6$Pv$2LqpwgQ1pjmZ6*T1?ev=-?hJL@P`Djv4E8b4H9p_ zZ*K!z@;Nr}mR&x`Xo>z^ojRhv0`vEW)O_-HY7sdf9rW405-TY=ECPX{h zC#Ny?v3itSzXbV-SY`k4Im+(QqZ`ZANq*Dw3p|KZ!8+A#74EQyZfCm|FBZHlZg*8) zt$661ui_xouuFdY_IKmN|5XFSq{=f2$tM$t->|8uPPPFk`oi&4o3=so_s}_XQUVX5@?=y+r?L9}x*mk?tiW`hiEk zrs>y%)+?rxEu6!H+QTBAa+;5vYBse`=InlSPV}`}H7IE-CU}U;CkC2`*luenPLx zkIVboa(>|GcEewqvzY1 z^vcGo*)F~Y`0QKCZ&g(PdqZ`cD@epvyA)NnLOMOyA9kt_avxP`TKi;YL6vGwAwoSR zpxW-i9E%AO@|EL+t)ZtDirP6y}J0+oJ^=qj!;N|^VY~d;L+$S-#Cw8rtUf?ht%t?ct*6aQ_vtO zcsfCF2sLF_2-H;ZP^XN)?=~atGqLTPz+@d;l21%xD5axC?!G`u$5;rjmA)2= zGKN4T0iVk6)Sj9IhzJtP-Y;gD7 z-ho_pU$XaPlL&@&Oc3aZanRWP;9tNlp+9=d)52|XYOK&-W!e^uR(k_ALS5#7n0_Z7 zzi<^6O>MZFaKD8jAf;I9pfFX77yY?VZJf*sAv1T~7!~O-z;z{lAvuOglbqZ*A>##o z(Fqw+NYA1=O>y3!4{}wkWD%SZUGoJM_yRu_jMXe!yH{v!vcOOnz450Yf-|7*zs^io zp+gFVxbC%x>)sCH5*y?^53Cyt9TIeC;xZrSQRoVv@N(PPDWj0VW#v%KdKQ% z|CEdwqM|SOCy^7}W-;o6VjUVYyFe>VW+^gbzLp${KCmFe4TR|o+Az@MVPe94vxEI0b>XoZNu9yU;NA((ZX28Dpd=&skn!j;{B z%XTSRA_7gLZ`v*bV5fMo$PURBao)UL_;+Zv_eeCr3Zc0E(p_6hB z-S=0~eMel&jvxs2p!mKqiFy+D7wG4zfd~5G_~U}~-UDEgeOF4||eiy-1vTi-eRS4`|yRuVN+i3mApv(N*HLd(r7N}oZfcw&KOs+x{s`%L0b z*nD&(KE<0)uJe)2_4k`zQ>M%`)86z&46)tXs(Cz*u^m7XbP4ps&dczGCJu3jPxtki zX9;YoRD`IU%uSK~O|7eu{zC3{cb(&RLMGzvafn~|vUqH0)J5*_zP`ewg(mT-xt1d* zH^5OD0gSWV<~wqcStk2kx%7`MAW|JAEaXW?#gFW_jJUU?b z38B&cplcYWGK;t^FlwtDilZe~CyC^!ZQZ)IwZVqK|!q4_Iwyd{6 zst-RoaKwO?-IP(&9o@##WdFoo0WsQ-R#_s+67Zb}FKozCl`E$&ct0dKnSW!`Byf*g z*xX#DZ8o?~X9%eF*u(DnHcrFmCVTKM_bwgE{f-3SZ}5Yh_Uds%a2j>c8w0 z*Y91DW7qY2mrS=O)b9>G)?Tzujz<9hBJUEv9eKI~qs^&_Z|WZ8CcI2--NbIF6he*j zcg4JBt-nSE_7VDPDdaZ4;aq?diJE`rt* 
zm9*$Lc0aX$8dnaFaT*LaKITSncIL#;U||)uSO$b4dj<*X|3sRv=xtX>?8{`6i|@R0 z0%bDgOwzGN)+}^35>WP^B*`S6*U1mt_$VgC=71%ldI#fb_Mm^h^97`N*HL zoHmg{W-M3!pUT0^S5znGr)NqB3!Jg?tRHQ!A!e`*4D@pSN4qy|uG$*9g`VsQeSs(Fn1w7>QtqOjw$k1d$`Hi|f{^45%ew=uUwrKeMdHa18 z=Ky|(=$bFt55dhn{ZtKJ2yc8+;3)X_lIV2;C$G%><1)! z&BJoYx`)6_2MEmcfp6L#84cy%NBi&V_E#F+#b2t$KAjLy;@^jTy02(g=~ccES7s)_ zzg?HF;UoUdV$pIHjS?V0&E(8593R+q?8cj7#jMqD#&RzA;O0y$9F`8gc*zhST8*V; z7u$-L+{`0$OJm4?sf}A@iGDD5Alb$&os!c2?U?_G+i zfk#!*ef<~xS@n-uI`{@v|Cps^HzdRFR)HrkR`7dnXkXHwy;oe*Qo~C86P8|&c>uqr z1Nb#HG|iQzcvI7QT!uKKt05 zhpsyNjq6f;;r)I6p}uL;`l1TC++ruK16nl`;ps>E`hwlk3TVIZ%D;IHeX`~J{vJD<9aXe28|_{j8!axU__ z`~>w%twTrr($~o1Hrw6Wi9Fmg1Zl?J?yhh5GJh19qjIp19Hs2HPPvzkx@63fH%Apq zN0*jeVv`rOSTpbKK;_{Hm5CMCxOV(nafGCR|C07GOO}lich$TTA{jkTa~|>CZ_9Qq z8vzQ;RTDz<2BuUrHZlogF5}CKPrMcfGQXBMz93oz&!}P_GrG*eNAN5vEmB3hmaqz1 zKc1zd3O!589K~t^teV}@%z8jL4t0Bw@5TXlWY=q&LGHuXzZ%8IkpmQtv~c+Hpq4@hk{V6MAR62pD4Y&-~`Og|@=k2Hr-@&sC*^ z?g;q>B<|8GPFd-3qT>?fN!9ERptsz9WyOAOv_s?yN3+ch;W|uls>9*T@^{-)+Ed)& zYG?UA9@@iIneOuak~U0U2b}f{*l2{`&Grx2MsV7kLJpHS>VW8s(C>+oDXZ~&ObhKq zm+O=)Tf-36m$7fakm+>2B$Kugs?2$alDLOu^6$|`{tRorudgIrZogms4$P9@+S1M0 zwd+dX$&NhymCx77pY@UbU-^84{5cjGdsAW57734-{Z3{iJZ$z!XCypu_B;ITJNsm2 z#66<<013@?wXZdRz=qSc>zeB#)4o)=nKECQy@@in%|1cyVY5$=`zy_>YHw;d5(z&( zdy_Nbe!TeroP8f zWeoI~4A^MCqKXZ8KlppLhC)JZ9%}IO=;fZy;P-MQlC#&`KqCE5|0IXmjc3g-)}RR-L5R^<7fMt#~!_D3fT@TfBD*(TWwOY__{=q1*gRn!Zl{B$RcYU%OjBWf%?fY8_KxU9i0EDyXbTv=*3VfknMK) z#p}`a(hNmSvh-9*8!;=CMz+&kx>y{Wf5kG^b7QV7K$RIObPQ82X88Kqhq0b3{mk<5 zOQ+nBJ8sDmH}Rie;Of$>gld0Z-cviH4FV<_sTwt)MYJypu)hk^}f~}a(Ki=w(V>u zPSfFkV>R-XpVkZ5&*dfbEQ`v!Lqw&~%0;a;EMVleG5_U_g%wQ^rUTXosKqOi&_gsD`~E0#X@X}t!}A2TB}={dfeUX zS}ALrH8dZ$!qvtGQLk`^G)<`0ZNSC>@5h#^W|kxc;hQ-EpR7~@o~%>?o5%cRjsPZ? 
zUX{(FHyOOB-ek&y^k%SpHrqZi+?rx7SZGew{3eG}8Vae_H*E|04w!f!+>M2Oqu6^N zjLjcv{S(+_{mYc~&sP+g-Q+LYUz#awHfE_tzI%ydu!@1QfA&$C>x(IpxWdg@5L?}3 z_U^j6CFgf7t^l0adU9c9=G>*v@yjD!^UJFC?-!k8&vmfrb`~Ac|88U*6Kg_I0yAkg zG`%JXav`a*|6ASk48PH5Db;O{4#n2fuB~;O|JTj&TY=(hT*}>SXfQf#Lku2Rb$8zs z*SM|0QQt(}bTxC}oc^kb`)bUm9CiI={fZtP*q4pweKl(BzptiS`w2{WwwNCnW}7mM z_=8Ne<)d@-^7kNbh(61{&#$ZUHvY=mRrx9p{%Id*)wMS`CC9-$tYV|GMoR1o1G^wa8J}FCAqsUNWkv zcxjm(1x;BIF*Ekh-s_^eWg+Vo-%`) zw(^cpYJY<1;ByzQb7LTcSR0xW#-QlVTs%Cmp13ccfL~m0c4r!1Kr0RNN$v}o*B>*b zXEFmJHyPd8I^&&aL+&%kI9crht`-QCGuBM~gtqz{>Zx+kKe%5DhQen6D`lg-5m~!rQNn@=0e@C6C{$A;T3ZS)hc8gZ=6vy@#Of8=G z?`48Rf!!+i2eid6fLJ8On9xqE@&xdb8|*lr5m&N*U{=;g>2hy8SmOw!N{&FP^byEh zQWMV6iSTHI7SKeUYuT6iWY+P~W3O|on0jq+kRc}^r{)e#>csL1b)K*VKMpD@yTC8! z9|;{eE*;UNG(bMuorl=Qls@!4SYj|)21cj=#uPpcXqx&DFkovKoT zRB6EN@6V9(D?9Lmeo>FlDjB-asA4+zzV4hH5Bo#oyXl+6IPRfuZdsSjrG;5UyY*f5VNpEn{!df{3ux1EXRc>uqs`eSbR9y{?dLC*;0 zmS=6g`WCmaL@kNP_6xca3o5;TJjapZ2jt)mp!PL##@XzjcAgzCrSZ?cv!E)8rmW+I zO2&?AtNP#_d`ED~h|G}D&S>qFqllC-Mg9?v`IoD7No>=Jz%_3jHmQ%9$2$(E>?_sX zfyGJ9=<&z$hniC_MWfwb9UT0!+Z?=v8^%UpJ?MYg;WhnB9ULR=P{&m6cCKzkXdqTE zg@W^5K4;Eba!$Rd1DJ8bCL*(c>^wz2^z+c5l40}ZgQmt<%?=4o}BLfi>CSKLs4 z8fE|J4uIoZ3r!yaZfk3Ol;ecC0pAH+Q)}-ZkMmQV?(Jq1*c+IGKp%(L4q?ns6t`O z1qfmrghc{qLnKl#b{$?pw6`JWg+x%e!_@spp7pIkv;XsZLFcowd;Bmof`)u#XiUXJgSi&W{{i>`A-IW;$mfL1+^GmC$gL^%=M`2sbgim$ zRKyV?3kQmPP4gU06PB({vHvXvo4O3L!cW%7kAXpVYP~lujq4=&_^-#;}Xe#C~X%^wa&riK=I}- zT)_GXW?(Tre?k9i1>4ALp7lgN*k+xt%lUMpbby&_CSU73>r?|ux=p;-XazAf#RsKR z+R|>)lpZ`OpSXG@m6bDr`Xd;OG+m0SAtvZ1*4|bBU2zmK6zOmc(T+mG_KV>(X%XPd+2cyNlJB_nNPa4BNFJ`?@u1wju zVmwEj5+*0E_hVKuqBZGa8qSj#9Ttn#H5RMnlO1fX*sf+H5MRUHd_fK*Rbw61=o)P3 z8Je?u%W?a`KDv#L>Q&8d`*yC}y@*%|p|_#)fW1ACcQ%lBo*SHz&2vEnPwXs)@kEDm zGAD!v7chBnQhay_x}%JkrP4<%HH2PYnT?qe8lliwtZ>>~%MO#wB+$CYetc5MQJ}hj zty11fbx01r>L9GReN3zHnrxqnKIm%SBdUwN2G=VZSg&FqQ&)Obz`jRJ_%iPZ4Q^PT zY#*ddjV(-pTv5y2M;LB}X@y^~%H@SeJmzWvi}6xsfgUkjRHGzg^T=~x78~Q{Wg`?xqBJ%` z3%IG6dazhL-4-aC_fgwZm$;svDuQVH1_a23hgaaUEc~8S6a!cS{KWS!6NB?kwM{CT 
zcT$!A2!Yktz8=@Y9?P#_N8C-du}ybUYnxEcAN+boP*#8e6q z#e{~0{^Q$hn44uPGuxDDjuCte25vEevy|CpG;0ADuL8jpl4!oC^Mo!h9N9M|di&FT zQY=H{y0K1}Aq7X{nE8!vQOoyV!ps(-XRAM0lBOsyes*XSU|s_=`-!5$t#xV9wJ2C= zZqRR~I z8yf|0PdAEE)#>k?RLCSZ=D!=g=!3KEAU_d)z(*#*#I+~zB?wG3O@n?J5DVZ6(CF`; z0_gNkNvrl-;On#ZbtghTj z9N}kBCNRQtKD$Ct9_zRz$D$Sw;KK@ZwQ|Q+xb3O_vj=n8?!v>J=^>X)(H7t{e{yybOqu?APIl5ycC&xx| z(ABCTo)ArTz&ueRTbhxzn0HKDSuo%P{TM>T(wb?-06SPC!zc z$@z-;7`XCU6QI|rDr4~nSG&N~;0|0F7|{#kM!$=TOA=8ftj~J=q<+_ZLA&ZF(Xfz} z1|zWT{Vgiol;|>HLc%w7PW^`+^pM*j){}*6UgoCy%|;zVEr0$c*!|DF(U-^O`E35Y zp>m*?qr5f{sSqqtCFNubw<3S?ry1vBCOpJ5VpJF*L=+-ZnY z;AexS`NZa&;t7tOid%Q^vB?ud!!Pj!vwV5)`0cwnCHDlUjq>O1^aSs^*JnTOF|)XB z)fYaS&FvJpi)Hxj+vVJy%^w1D9tP#?&c5vM+go%V3<$OdClm&7+{AXweA}P559b?R z4f|;_I>lI;%4j4tVBh64j|Rt%4&?2p6w!5pcNLRJwp1>+v$Ca;5(wp_^D`-wlj6(! zkhTN%-N8~18Pg2=dY$pH3=#tbHwoqZoj>mg*@1~9Pw+83?!TO2RhOx&W3w&Q-3WL* z@jcV}j`z@Dza7K3?S8Y$msiUX;xz^#knCGY_1RC7b#TCbRB{LMs)J**73ApXj`;Gn z1oGD8FTPe^tJDZ7kfA5gKvydIHeA63ZQjtcU%9 z&~;b&=Nqy4Q$8nEh5TyLM9=b%VwKS4)5#RwP?9`<%GX}ypPuHIp0^4Q>8-*8Y0*XP z4!xDsFeGjz56w_>Y1a?KH(7J(G*kiXt#i<;h`q~B^^7$`#hLv1pV1#`=H94N#SuDx z-c@SqK_P>1Aajm6mdS%D$1v~8ZAQr>+fsYSlp~^pOgSPs%%TN}2KY2n&U5UAi=nTv zf7y&P_Mpr-o#ijp-6Z+BhzU1w{naSB{LNvE*MpBHuD|l78~H17{Uzi{SNa)5EqeWx z&t2)~^i{plkCZ`v-a@A6%a141k9_TwemcpYs;=bzQ)goTt@fr%dk;R6*niztl71tB zK2@Zy@}pv`$Bx@isKRbk9hEt9h~$?GWDyI~qPxy18olzjx?SS7a6b|;5k(*^o(_>_ zcK79l4SiCq^wBxEf`s18`61OtCuTTOeiN@rB0+{Sa*XmH%SSQMFv=e;mfz^&8R+Ih zH!T?4H)Vz7Pa2gD`xWMw$h|(fT(bN5iJ*)sx(jWohNI1oF+)j}dVNbM-!VT46Fel0 zMF2_|OI{Rb8C*oKKh+S#U8f6g8S}1#x5y^U#nZB!MKr+61URfxbscUiZl0>wWG$UP z3g0Q|e3s&|kU!^XBREp?*)#CnbJ<4d_c=?b$R9*CKQ`ANoJ35R3HkoevYb~*4g}dY z-9_x|`$+zBac99#A(^&iG`kZ5gbK8Fd}>?>`1i&xLO_T8phZ1mm#UJ6gfl#UxQ>W?VNVs#_ow_=%p7(EcZ?qV!7?kE91n%!WPpHS@coYBYm9d zOdo5%-YtDl{%@W>I@F9kQb&ds5oMGWb;N1ol|5Z(L&*UmAELlJ={C>dOi^|xXKo7z zC>8L1YWs-sEVh3`!sqd%$jFJVYigGujS_7A_HbL@aP-PCp|b4T3#!8B?c8H$-x^At zjcWL2w>dvWSD>`d`mxI-Ao2@}Io9}_*p4OZY+)E1&N?d82%2YZ_j_2(ABlMIp+rDP 
z^O?000Rg4vR=+tKB|~@H+_A2=<_%+lCp2s{{~*x{mUwQ%mZ~;T^xnJ!VyQ_?0_qZv zY)lsA5D5p&P7K!<6;feM^se3AAh0+kVSd(;2hG{OYcKL`!}gH&Hp=fpf>3^ixj$GP5`nbn8C zWm&e`(@(67xSx4qUF7v=vi({8ZINq7W>3lLXN$c4B)3$$#2$J5tNdQ(h+I1;duG<94xOnlh4172ioTI+)3eL6KGRp{yNF8e zwM`BU>uzld3gTFI=uEq)(fERl4o9) zgEpkh<$WXJ`LmDX12|{)iL}VI?rcxipnkRUo0}r9+jw@;fm;ClD(aLDrqY&lEX}c8 z1Djz1m)TF6IG`aK++REpKg6f-^5#?c0*?HsHh|Bed%;3SImc9-T%U10|6`7BeABAE zMO#WA=rYK~vH5XKXz<_501&!@0Z>S{t6}KF=w>p&yv)n8c?O(fd_4nN$uT?&&pNL; zsvNgZYM=dkh|}R(e1KZK!I4bFxi|L3h3Xl{?;KKb@JXjP`1MqrZXK?dK5G|gsqatO zjhI}RCwpH}-^qcj94&~Kac-ymg~x39t*li>=%yzrBzx5+w1RFklJMmozC<@ka`>nd z!t@NlpZ9tRD&Q^nkQF{B7p_cm7pz3w%`DjHDPZe4>N}?AI}UTocQ`nl`5jJJY8*f# zP-GfKQ**NCEe`4%{jwkkS;!q`5&EG;XI{hDPF%mjmC~?*DJsc}%CUm_M_aWwZ%+`4SDX;pER!l%m_;k1I zUg{;iT6!9eI>Y-j2UNQYIKHoQcnTV&uYR$;;W9wh)XZI-=CP?)k;GeAv0K?`G(&tMfQ^thHi%sFFM6a_S5aGSe^K>;6* z6;6d1p@L^p!4!zOGXn%=x`X!(20{2JWl|`H8H27B3rz@mz!8Clt}thzeu$ zi(bYek1t-Q(X*yfqo?CbAzz}ulH_V32AQJcC{m>h#KBq6nwXk3#Rc02fDcCX2%z0s)Ir9a_IJ4{pC&p|qq>eE? zFQknzr@W9c#`M3CImVp&0$r|h(#L%19(8956BPT4-~`vQ&nDs2M=bVmV;?b}ML8^n zgkDgku5gx%IDJJs#E=~e;3{97(Wcj&5;05JGZf+pi$U7@Ww=e%Qxe-)pB8VlS zaho<`e}QM8j#2NY3GL{>ajxIx#lrq++zl{J#6KD;tmBUMz4r4s;pMd!5FMI$%vE!* znX!D_(hQepNyd=a{k};v&2sTCbTCmdHD%Isd?!}UZYGk3tKvC8nz4M$($SX`FByHc zvL7J63HIy9E&Fw>kJ>HU!(Q#zZ*Q+-sT{vF!-*k%=J=&ko!GBW&9q^yEcWZSW4~T3 zmWN`$K7Og+*-r49%y!osYq*Cr^ayiQ-kOTjX|83LrF=f(fbci zu)o(_>2;H_fb zjB6vIOxDc)b?t(Z5rG_RB|?3#V^ZRE*aN)sd(~V?p0*0EOy%4Hm-V@uAnz2;$Rjq! 
z=iBnv|LyGB+LrdnnA=iLMyhX0*}@vrP=lX(!-2@yf#c4XM-Dtb?nHU*VjS4lHSZGN z_KnWkbuFiAPc}Ep`d06ZRDUI9Hw#`#wfxy6E91%9^3vVT$n*1;kA5@a{#wHak!rPE z&Ph2JseXLj@sQV2c`av zY2r!0k+n3jfe&b)0RsEl?0UZ6G`l`i8XNxakuh`V$C#T^-lkU{=~ihlXOZq!_199i z06Y~x-q6s|zcuBxeVdQh&S^edd#I&>tSqZEw?-D(jgkFxmJj~NTC;S!v-ViaChBdF zMfto2=*RPyXZ$JRzNz7Cr1~~IDR;MQin!;4!2|Qhttuyoz_|D6+nnYqsdWP)K)Ci~ z%W5&lCtJx0scBUtY@_nXj|VPKeMu5n)1~nr-?ZHE0syV1*(x|{Vd}T#ujkv@c-krhA~01mg!@mX*pK7kCU@L~2A-CQ z^GwNA?~mfQX)X+K`C(RY$Y?Kzf>;Xt3R>B6O&0=I>vUx3vn3fnh=lKxXa-^T>`iHr z{r9CbM;>;kKs!STe^C2=%j(F(LsJeA0Bq#3+S7Ek+P6IQ=e4I>s%oDpS;N00we>B> zB4eHzSrvJHb z=a2Gt_`gNm7tL&qxChPrC=zzAe0NFh4v_Xf4V`W|DVO|=`T@Siu*)vj^JAE6{YCp+ z71L#IoVE#bq}K&!c5Z*~duXWiJmcHTJ;6&o*qyuH+Q|hwuqS?6#c(LBD6F~46CC`i zr{H@lG zmkdlDaPdXX{{8wo?D)^oruwf_DPCgfiRC5F2d)oOAN0fj`ZW8Ln9ea%Q;Z4x6hoHw=3~{kHI-WECHqCh})He_EROw|$1|R!=i} znv#9;w2G&e26<{sw{jfi&9z(V|A;>=2l%&+>^u0^G{fU6In9?3fTQ%}7iPF!rLDJ+ zVK+}Ld&$vk6;rTDIVn#$SLr)_c~K8^q~k%dyiJyRfIK3Q?hr_i@Q(&9NcYQAeH_w# z0;%Na2GVz^YA64W2&88&98$_DNU2sssvZQ=_=9BG@_}n%fBsEM5wve32N=>Mu~W)2@=~61P>i5mJxFKb50a%ufjk-Oxf%2-))(m! 
zWp#fF)W;GG@i$prRX@<@XQc4umx<|J#Y(PiYpMR*=(ACAB+a$BNU;bE_C>fnx%bPL z$4)dw&nQYkBlx|XAFAJFIm`J4Kf^L92_A%32k?(!EKC8b3mrN9!8$8Eo zT7^j>aEw^4e^AOS&$DQftr?x@EG}1`u>_Zn*@Y-{;pGOC+P!U z)9LJ-NZ+bBQPMA8tkb9DNHu#&e~=7?DOWwN)29->yP~d`!<=GQWglcu!Te1RsgJXc z!>J`v${nZkw|c7OqfDJ-*~cFyEJ;3+u72K6Q5jt=Cn5U7Qu4zYu7+X5q$;){hi0)JU}sAZjeI-n~ckqO?yQ|UXl#7C8tKTPwpP6)D?Qd>??!>yi83eC+5 z%~DfKvr0}x^9eF{M)M!J&xULY&B9@VW|;s_Xf*E>{E%LHLeQ)p1kI}Dt$>_}=F4YG zT`HHVhQ>-aC7>BjD%~V#PJC#2M?*^QyP)|RsV|1+20@TQa|0#RK$M&X@=u0lH3ACF zf*cFY`ca`d_6Ua6GK_ezP_Yb?2=ve7Q_NpQ{6}~y;Y3n6AoO1{aR8QG{!B;%MbU{g zpb*s(<%ux@S?_^PsMul(SIa5&2&KBnWUav`o#07H3rsaop{oRXg`22YmaS8_^CwPJ zGMrT2N)AR&6)W9C1yZhs^1_9B4OS0={rH1qfpLT}f%JWdNik;2`*BG3DezVc4QNP} zv>=j?k`_8cDsl})V+?S?kc!YEkbb;eBQgz;%Itz9LAODSh12~C(v2OEDhW(@qZ>$> ztVOpWCe~>J~M#x(tHOzt=V-O2zB|v;YLA*T)Vnn{~ zAZ7(9`G9{i{Xq2>3^C;t#3D&5nNd9m#PJ8o0+q{J1zl%zkn5_HNNw>|ie_aQ7V-D| zz#kyglQC5iVhiBF`&A;VUbib9s|M>^{F5wbjEP#%tQCv}o;B+dOZExNlEvBr6R~Wa z#|HuE6c3gR0Hc2sqM*zfMnyEu_3|IJ5UVh#1ep@#m!3r-dYnp+K>@PRLi)=}e3l#L zcu9{LMkNZDjM9b3S1VK%|Go0nH3{<7qqGmjjL6r&ij=14XOXckH}tc}SyzqL&mwCL z)A|1v<*i{}ZUTgGrzgo$v(jYYQ`C z2@(NQk1Q>0jgYsFDM3J1%$8#+d5xC0)ZS0#C@?>(T1svd8R^$j6@mbZGcv14&aM&> zt3K3%z!90KNH6_RCO-8bf`Dpye}W)D@rGev*D%Mb5wU@-lSm6n-V*s@i%dd^4=qYE zJSMAr7eQc<)E5&3nk9=81a`}8cuf9$1mvGg5Ks*%K|qjW2?F|22?DW4=4^SCNqN>* zLDqWU-b%`?o)ZeqEeg%=3YuF~aw3`qnVr!*5g$sjDKxWuDKv}Nc}k=CjG&qH(o=$F z^&n_gEuT;r)MBlm`KCTnm&&E8A+2<40-8ns+A3&Hd|-7~kamaW|Kw)NIGWGK(Y#kM z+#-Jj@=u25kE9lbWm#EL04#P_e^8Mf^vK!G28M`sXh4 z7L>?JEA*_mK(^4gdPE?AF)XHV5sq9Q86mw&Gc>ols-58J41d(N4U!bHFWDmf1)9?1 zxAW&jhnk>Tz^o$&T%(Gi4y7#Rq&(%6(5vd#(ymIes2w7A&3Z>c8Wu?3k;=kxNY^Rw z6pv^~R|}*fQ*;9erB}6oFK-AdU&yfzv91R7f85 z#c;Y_L3&)MRYST;AhpOn8K)v^LE|M`1=8~u4k_gnq(ayVQuQDJ#vdfh`~0K-Ez~?~ zTL;A3IzzlcLEM%EG5VhFaEnk_B4fNwQ~d?wmU0SWs?`vy2Z1>LAX!fHPbhuf$I4ru z!n|iS6hV%*|S=NFe;Qe#ut?yy* z(@EY6>Vyt?YsP0gbl1fxcOk3x#~YBK9y44EYE~TQzoFa12OQ-Gsm0SGUh0O|Nh9qL8l862S2>S&smPEB`wq?jnc zTqQO1;jGZ-W?m4WO3%m(vuWve7m$VBuK#jyTF$u1%w77Cd_Ba&4*9xzhP%M}YGqdm 
zGh9zpkxeP`zAU2uT>+CVl91pkwMXOmI>{hi{~u!fA7cFPAV%4$Yvum}4lS5H`-@Sx zKF^bb-H}zC>h_tRVc4qt!G8YB`fz`yF{rBPSFq^9?2gpnM5q6T>oWba%mu+1_%iv2HE$3GI|WGeses|6i?+#3)c(GkN!Eet6GB-^BKB)S}LTa z!sJ%SgH_a1h0>DPPx>S}8fX3c?8eA2fj-uAcD;s^`we(a1#DH#7sd5W{-9$$#%$}c zXq&Pgv(>5V89&Dw|7HF)5X+P`(7@C+45woQ##S5X-jogWZ|VjN-+hh)eVYGd3?dRn zqrGgL@pDKcrR;NtZM9ILBDOxA=xw#}bFh$7mZb^08ltXCv$9)6%b}6nV8PUG(f3_n z(jKMmdoYB}h1!Xf8T2eYhyVY@Mn#it;R#H&Y-59-B`V1$N!(x*MqReaXRh_%vbywI z!fTYJ*0I*4q}25j2o!E2x$XzG*Bdb)2up68GtnK)9LY_`p6{M({Xh!!#a`OpD z(|AcyFV2dvQ(lhC7YD{?@=_%)eJa9zQYhoQ69nDH$W2D;2R<``*Yeol%q49;d_}YsfNyBsoGXmhLjm(WU-)qL*x;0< zZT^c+7`JSki;?G1o7=V<@5j>hfbB641x6kVj3mZpOP_fosJU+nCH=PJM#ZKS(kI;D zxje-;XsfSvkFTQEDcR=lz+|ycSr&Ngo6>s7V>?b(@5obQC98YTR<1Mgnk~!)KrrN&t4g5deR&ElilXBnazF*qs z-bVD9Lh9X-pdwk}2t}%pe~ryASJihSN6WtjgSKElpKTTM7ZU^Vi$`xG-j!GnrZ9U* zWG6`Rz~`B%N(VDbFh5-4tJsKTxx)p^I}bQY`!pYsoVT1WOFM9hd{^HnHRpt|ZhUG{ z4{{VtdpCTt_O^e5_LBAsiStFK=N5vb-Y2r-%Y+q3sW`(`4H90p;*8z(;*a22SLHA0 z__H^}fi{BujMkyzYpZ;0$2-AdW&%^=L*VBUTqAfjZkLmosZW0u+$7c?(KtJ* zaR&W7017njRi6~mB+ykNJc+nZtS7PlT3tWUN`(&bd(q?JH%s#UB2NUz7j{1`F|ss9 zuJ??rHb%bh9=TCJ$G+%a_#ZP{T&lJ;;xx0h(Wt9or=DWmz^$UV(FYxbbxZfPs`b-V z`9oMTF!CUt@hS5kRu%YK_sd*vi}=l)y;y4Rar)BVQHiH~HvDyF?uF4jd(xQRRcgD> z#?@kFdm&NJo=ji*HkEqNXRG5@)4d?ivnSh^PDHyJN9pUd)5rCqY^hz95-#-F841l@ zZv@9BHC94fRLpE)JebdM<9FmxyNt&yVz+bv>E`!>lDY%;=Pb z+>97zR4&wE$T*k>iJiya*Lol@l0m7p#!mVqLz$RTv5of0#wcOet_D+vO$}~hQpFaX z4|1rphIfm~$8aYmRdDa4)CYw`tN|BXC;~`Ks@RIqU*m99+=ES(riCg|*i>FC%A}>E z)JVm_7h=%RU$21I@10>6;?SU%I2GhNp)=q@EgJ5pG}t;pL#;$&$Osyu2Ed0w(vL7G zOtGvF$c#z&t%&wbH6&q#16yx(&NLV z$Eb7v6yK>1+GSwU<71`x($~}I*kMm!dVIk2XvK%f!w@CF9v=+*^$K$J?lvgbx(swvTKnqjqX+o$VP`=x!c zt(okXq>UMAfsqYtAbjbYfeGDNAboWpT|tvh#90AOYejT+URL_dZ8HBT_^uC#kXqsl zq^}o#56D!rFw?J~&DPMOA{0dTfRaRbMYq~J%xb?wA3F9s6P0{vwC+>l6~2lxF>RLB zk2LhG%vRhMsa89cNknZVZ0T9&?gr8i2GZFl)KgH6r=SP9kN(@DzVxtkS?zKWdSg36 z`F6yYt{PA~74_}G>{z*@usT%8)=$cmPuiz^gJqB~uKT>}6P-dK!yB`l&!Va_e7v zL;w<;C5(zS%I~ohLd0wcWwaI+>(MfL8?ElgBltw_UpOXyGn#;9+5i3(#)y9Bs#+5_ 
z#f+(s;BFmbCqg+0NF3{={PB8LN=BdUJuAOYq7+YLb2Uy##E@x4guPrD;)=}{4P+}J z4?vi2B-1eiLhP9zEgE2Mw0IM@=|ujlSNyrETmIDF)^y9C`rF%jDNdpW{cXJ#lNreb zia_(l%!_@coKqlSstI!8WDt~1f@e?yzI987q_qctUG{d;& ztJb=ufiwo69C`-%v&qTE-9C_ws%HjtV>P9TsfYO+dim>57&2KXX^k12*+@|Yt3iNs z$<`V9LeRo6HdY<<$icb70lB``!+8`0;KLs-$;(^z)03sl}X4ST$1jS)n7_g z`O@pjlpEkoLOw}a*q1IZ6l@6C+Ku#vK)SV3`xI-j5D^&#D3B{;7o`|XO=2>A3aQFk zwJM&aN;isZF@Cb{)1-SlmIoGAo$Fq2K`5A~GTJ=w=-HNFJ?1=DD(F5#apbl;uO5+iyg zttnBI1w({8hCIsDm@Kwv;Vmv{(hM1o1k!6nh6$vLw$g>stmfjPF+#c3l#(+8ww*e&q%-`|_n7b`$9TG6eckGx{x8)J+vdzn09UK>M6LYDpRL;q_Yu@HRcM`FHUq$Bs4lHZ zVm8p03;^}Z#z5;Y;yGdnOdbZIHd|~Yl$zN(aaX$Jj*+N>L}errI`sdF{!a}^dM#74 z=#H34(o`qqbV2Q=*z7WD=>J3?gbt8IwI7yUu!VB_Q|z=E7&bgg*&0XtpNsCWh3>y~ zd@F*qKLU0jN;dCGsTRkMn3B1ceO)~3Rp>jJQQ}D=_Go-@F;|&8hTRSVhcXXUh7~NsFT5 zk#u7pmjz38wT~ke;mDuWyM0_jF3~V#^==>6O>WUiWL=njT+gKuo$L*s4B)wO<%{EcgC`SsE*qEsv)FW(1Xrt=kVOO70@Mzi)DzfOOuc9BuqNey)#Z?L(O&gNa zqMwVrLO=Aq`p)|wxK6>NX+v^a^mB>O52PCYm%6u_6gZkxC8I??8H#)$jjFGteQs-S z;4l<5cV&3`^ac)HuP#6QqwT$bBcvK$b$0W+y}<)%R2^QoZ)k7uFcdXg``=vC8$7U1 z^@{`F`LH*5Al2}(jQhR4!2@Yj^=&%v^WNZrm228wZ#mZ+Jg`pnjy@%i^ac;48eZzZ zG1MD8GG1eDIRjh7rXQgTHTO6a?a-;3@>5T~sDM%QB}Abno&nw%;av08*B)1pDB=>5 zP_s^&nsq>LIJNLl0+$PUsww9RMKeOeo+E$!Nsllv&^15buxCP#FbFmtn(#ZAAU63W z!2rpHXZ`+9e^jVY)SU!_jLXUe|CHMk4A6efnd^Uaq(=~hKo;k>Z0QjMm@wS;swIvd zK@d{CW#g6|J%KQh@vJ%Yorc3b!XQl3Ht)wndV~SW3V-eHUq*U@fnHX5uDJm!7iwtT z~$v z+zs!?uFdrZM>L%29#W?>qG%QsyWg&CuhF%OO?<#y<FMCp_I^a3vvte&7YH1FGlnz@phZ;($_N6($xh@GTIckj;SE@HvTpdxX;*^RP z4`7^}_nCmX!=HuuuLgRf-@F3Ycc371Ha!Zy682z8@T>Dv&SO4NKV-`t>)yw~cj4Vj ztQAuL3u&AfV9Y6FL}adbul=0bbskGO`Hmwkp?G4g+{k3rs*b=_tuqs94Vc^gc~=L_ zeg3Q&Tu6MxpY;SyDmvKiH-~`IeWH8d7lXZ$w5EYBQImB&kG9UY*u`N&tjngbgBdDjKZCP)BEIN{IYeiU=9k;U<@CWuB<91ubi zgdhZg?GdJgt}$!z3(IW!kVv30eMe~ChDNP{ZiN^yl;$;5w!Xtqnj(Y*H|na<$)*@X z*BGr~CNSo)ef;=?se1#iH#Ue7kBu?3Y64gLgEPjo$-wW+6kI_TGiovJNPLNMhQgKIIVj7VqAPT^aYI#nq)|7D& zp0lc@PC!@3$_lDSD2};x94ej@i{H;Us-luvRB4x$Sm29VO`hwRr~%)Gam#Wt5%UZT zRuDzjRe4P8lb2pW74h}UA^Y_39+I$?El12S09?h2~K4$6MNx!lF%R# 
z#W_||Cf(Xzm|~WtO&s(g3UaX*=45C{65N(fAFv?|fjYsAv=hwQib^Ol!Hg7udDHN! z5f(B6M6F8RqQ)Elipw5hI52`zB>RZc_cPvoT#NHDUNrD3X2O)eqY@2Ia0u5` z_{}T1c$8XZP|3s80ll-5`OR-o0gCUexfGwxM7AA|FwF4Q$ARG?VB=P4fg@)xjSB>2 zdu4*#CD8Hvo&ZAXRDotXz>x_nEa1|aNRQ>>;+6FZzF%~}2V^pBQX5a-pq{6saw?VQ z`>E{_Db8nk{st94CH2bp%%<<-;ki6MA^s0P^vVzLnP%k&A#_+-2pxvtturSJp<~!A z96=7@2uWb#gwPd7ScG0eGUtf$gP~*==XFG`d^v8KQUQ< z%JlpRNw|TnN+P$3{oMb|@5*EAW9E10&Z1|?ROnd}pgPD@txOh~>QgIqc(qlLX$fRX z3;;!@JWD))IGHZ$Ak+Au{FUkTW2fFvnLa;eN)>0dc-Pg#|Ij1CNlfPLDsNb1_8`=b!d^-g$}cazI<0;t7sV z#--^3_v->ARkWqd&;H-+y$yU+<&{64VFnl^a)U-qHEO8CiXGI%V2e!DTyh8Qz#YIE z6fG*r7= zS|MVe;5W|^);l#n4xf$sARdcfRxmi8`30T&l(X>c( z58yzy;xC=WTq&?^y! z1`H^_;m4661qlk$v}ia45E@2xp~DL;Jdg(-ei&Q~H}2>DI}G*P7<>%#dzyX_V?Wbt zIe~F600Di5sImBJU`If`p~W2hg*FVU$H<&P&U;8DV#EM1v;zx4!H5APlEqXk1U+Vs z#|7B;sg@9mGx>@sS(t$tMb76b1_;fRn3jc^+6^s8{vvq=QnHwug_xQ;0t68&9@o$o zW$_dNd%Tvn@Vw9{Sc|Tr9$KJ@D=figu(GSHYLp(B@1zLji%D*YU1OW+m zt#3gN{|H2Wyd3%QV&uoh$d7gA4|xSuk(cr3BK|Do&s_e@;m-_w?zSKX)i_YF5`DiV z*01XIEBH7yx^rcDI*Pw32l%svKlkwG5&A?xHe^zZZ_3pAn{qCH7V_sJ{#?eNE9i5* z+0mWrsq5T@hc{Z1{%%V8^CbNhCH>u+^w*N~cYD%bIO#9x^_Hbce|wVt7A5^%oAh@m z>2Gn;-Cq5(k6_VXt!Ks z9Vgi?o-{svY#?pY#EZvYG&bEb&OTv`&6?D`MW0UkyDaJNsieQ;@tBeHSD5s7N7A2~ z^p|$=MdNLjNfYg3$4KcD##z%G>Z86NH6Q-;C2Q{g)z{BIM#?i0JepZ2$#{{7Xi%4_b< z`}T<*{bsKPw{MIcH{LekqKWp4CrRlsyiZ?`d!ioW0BuB)rMG_`avi=A>izK}2sTOA zsVqnI%*T%d@4GMlZ|y_xVHN+THX8Qcv}idxGNyta>Ok1aF{Q1u>U>_!H@OE13O%;3v# z#&()d7q{?_(#tx`1auG)?&k@>u5L3^(K%d1Gedw+p);>;G;`>xo3yc4#^wAWp-x&{ z&MOIZ_VE)3;=DRCUgABk$K|{jt0Rj3iG|)8UJrv~^?Y+s5{^AC65qi{ z#fYa`Bt{TBhGY36BNfNy4Oio+xQi#XhJCmiKabU59J`ha4uNBHxL_QP-D)N!vfMPh^_0Yp)HYOT25CUvyCV)x!qQ?VNB zhpX|za5e6X)uO{P)SEza(*IaguoP zl$`XJBwox&5-$ormGoDW^p`gFBFQ#klGT3knDLN-CZ^rA@bktGYTmo;ii#z#eE0PB zwBRpS7JqBs^*{dNmEC7^I=HV^@F%}n05WqOc<7R{i|6Zg>^k+X3!l;S5FjUPQx3Moc^6l@J&3F5#u3S z5;I~omM3P!YWNc~Vl_UQm=UYtNz91V*dxZB?gvWj)%a))TnT5c=a3{zY0X5*$J=bC zurl^`E;%zThy=(Hr56{N37b(AiKuVl1C~fU+$dVc1KqHI>u<6}0_GjLQZ$$4q$nat 
z&mZNSAy%^2d5Mcdhu@hAj1F7P2Mk8()&FWf42cfkjBAI{;Rj~Iu;}m&vp@rYqWiX0QA){Bfy0_oz2 z=7r&E+&NqgQ$C0=tJpivCa=g^34#kkS!sjEU9eEQEm(P6#Yvy3gHQpe(ywjf)Zk&b zyPWc@-%Cke>DTFbp5R_6o(@BUdrB3_D49M<4eo_@iIV%(^>3LCWL~ZY-^$V^G^+Hk zrS>~dJavEk|9|c2{7U@)H-CTC^YQ<81pjt({C~PLm+sD`J9OzTU7_DZ?BYVLbp98oI z43})CJ7m30)|=gMft^w#2W!XTm)p`A3|ymFGac}CmGv68-Ymn>7Mb#t&G_ZEbOeLQ zFLv16mKIsxjEgK}G(fefK#gMQlFbruzHD>rn`OOSh9fSQsKGDA(joIZiXG{SrG@)e zgHLb*^bPlJp>J?RaqBg*Uh789Dg1u?QqZ{?etCvMy^Hjodsh?J`(j7txw@Zq&hBTU z`xvsBY5g?j4fr`w;1G9!M4@tvflGuc2T;X&&z);a=)L1yy`Ofj-cLvGxo@~m1sAlS zYcr^8<&NCwl+bk0yA!4)SHMKq{>_q(*-;rARl3IlS5_PWQPNtCZ@M#yE`V8iD*a)p zY{#|uAmu_2-3f!LWv$oXC-*5<8%PJJ+$Ly(hyf_?*0&H&1?zCOrOvI>%V>9b7~Ghy`YPST zU8Q`*asbnWnTe1L5Ijgj`ll!mC``Ag2q6AE2A(K(8tuHzgmHPB;YpZIL?r9mG0N1Y zY^hW5&Zst`lrF7|0-GaV8^-twieh|h1vTM4y9gO}(?n1g8OEIo`6|+E07zgE-k-^@ z1Bk8EmfNz$tz(qwVkNqXkk$;oP2&{$McE-5UN8pq*wP}PYmY*Q<%70;0=na4Fo0P+ zpqtSxyegZ9!>!i=Sp{g@6&>0Py0V$)u_GR|Tmc&1N43EOct8RKSS?Kfrg4_E$qsmO zFoMMFaFh*C4gfFHI~X3>vPEHd=td-fv#j76lYw zOdkplNG^)b1yBbKGY0VB5LYv&zm&M(;YR9jtsTR_w9Fu(yEBHIZrlvE1>6ahKv6-_ zGP)cA6J5p(%jQ6%&$84LB;aR8!J?@x7;0+4^QhG*3T21^NtsuAF?9imK-WlN<%pk3 z+mKU<;+v=r-9%Ly5Zz9lK=ixC9BcGDfNm2F#AYyks2N1Jsa144hsm5Ve~5Xc7h|f4 zcg~W6b{Yoe2#m6r$;=^V@-VLQJlqHLXc%@D%if6MM*|uKVx!B{YxEz8JrvF2n%KA= zn+TmUjm)e0_Sjic038NGGYhMgCtv|@2V-#KJPTgw7-~BCQaR@B_0fsM0^2N4zye!~ zH5Qell)57dLOq587>;GW*-a&zAu6CG-ZFj2nKk*m82t#YhiKZcmQMh~Lj#+spTxD8 zNNIh5Kt4-qAR5gj#Du^wq0K#|7VMEh0`?Cz)gW%-K(rLp37EpE0}>_M?NONOXpm+S zmL`G^Pz#2fbzZBY7{!DjSa{N?#3-3o97v?Iqg*UP5X%rqkvTL{ z;0kTAO4JIN-VY(l+M__#0;a5?5h8migdjr+6H+ddJ`)m1KXp_hNRhBY&`^P*lHmue zjv=vvFVBlE74MG_@rwptGi^wW07VUf5z*CyfQnGm`yfTaDneMnBo$r8XAFf5V8uzx z$Pf#7(lUZ^VHzUdMvHdAkW(L9MZ}z##4{ALPh3XQnQEe|wQZ>RPF+TZWb_HE2+cCn zNrcg-4>h^5RYY{#l%F8BB`w-X%Lp20!iX?@(8Ewun!Jpp^7{BygeH;6AUcWJLro&x zHlB+880jQAj70wEGJ;uToR7>Rq>~{Ck51q8A*Rn{ z*-=SE5GBnI1Rt}{=-!MW=0|Xml-WR4pk!>h1xlulew3@ynoP1FGgGUiOV+tIc%fMD zwZpqfv0^(7rys?-FhilsDfkTGA)F!f<7!(tp%sdIf5@LIdB2_*-w65FSQyj^(^ 
zF6e_g#1$~7Ai(X^e_7v=+&)^~iVoq^Z8_kE`xcIL>pMmJyOP`ACFj*Ed3)q3{Fzs8 zRsp@F%UlU>ph|HN;Fa#YdUOeRjG6-%R=y8{TQJ8>h#!@19$_ojOaf9CBIRcKOZ zi+l=`@#O=H?=ys;1|mSc1hUQD}~!-N;`?1AEGm_Y?QL>0`tT?{o|kThyM zmG$Tm4Y;L8u^gA7=MkeOCNb^>Jj4JZ$aomUREjDf&vY@;ctOg<1K54sqkUj6xS~n6 z1jQTzag!z<2{ea!EkH#2q&`s@=kx9kJ}ftYGUj@B}TV zG%KUT0tyyPn0ehtK`blY2BDPx8QP3LT?EC?j>%Z#_t6j1nc>HZ&`Zcaf&A@ON*<5o zL-b>!__3mI5egkcp@B2_j~kr_29U7-#rJKMbaS($5EP3m4x;}1v|oChN*<$<0rYgm zNfaNzE@S|^s{yQuD+ZsTEPT-B5lzt=`9$F;-6t+5A06GV*mDj93!ekQP7#6~|DXs4 zRUs71=YwEJsN``f*%U>v*MUUPEDvCP7YNqG2)2z7jMsbgX_SSQc& z!PvyZQrL=77M8f_`Y2i0$59IVjW}m9x&e!6TRu`Q_Hh)%ej`pFjml#2Yvo7D$Ucs; z*l%8hN7$%17LQ^dDI@zhietYK2P;PzSv;0~l#J|SDUk(68CjAU;Ui^aA4`d>C5B_8 z3jY5C3jU9!M7Ae}WTS>~wjq6_jO=46ksXQQ*eE0Ws2Q1MyyYPq$MS|hjs^ZW7P!e+ z;3i}FyKM5yQGJN849}eJzR8|B@wXszd=WZJLq0lmmWIyM+#LxRv{+sL-V2y%cG3B! zV;%j}x4<=LY7;zf@I8(^3Se=B-yNP7WYFX5c!X~}p6|(_XK3@+!ifsc59ZP{l&@=- zI&$$m2c}3-U2zmreW-#X^%qfn==me{mr;GFWh3=hXcVLg!Eg|9NP|ldqE_Z0$|eFf zeKi-i8qL(KPo`rdagM4Qs1O*y9J?WLzH)VwbI zl$WYT_C+4cZiGVOOCxKjUbco4Jd3ov%_tf8q&B5lo6@G`1?g!l*9*!^%z6l_O1CjB zb*w-PEQC<%8An$$A*C28Xv%_*woBE#Mm4XUp2ySkr_5)V{8hM^AedH%s@oizb(I}4 zfE|b*iXh@$R2&d=%XbS1x&gu4+LQxYUMG6eEgH*NVQh2^d=C`$b=NB21O0AJz0@CJe{rd$hcMlspL- zPHR(Yw7jGABw#oyKWNq?7!Wu(+Yt`}5)kzDJRry*2$q--p!Z+MqOj+P*4m`$n@tFs z<+}s~O@N?Xn*!u%LQk3m1WodNq9<>9EqgS?uhtKk5cJ54wY*~}c@PjB*QWGqd0~1I z5QOCi%z6X?B9+14C>{i)z%%T8V8|jEmYFc1{}1FKIJE;I@o)_%<1{b{I4xiZ0ERf6 z7BEC{8dtsUj?oZk0W_rL9YC+&0Ss|8Bw&cr5boZE8!y3t^MEm0KnexkKaY9HAs8Mp zVL<;EPt)MxH7$nKfB{%7U>F1paab*2h+=h@*MexO5h?-ravAAq<|-%4-B~k!)g--^xqBEiWXyd4H$se z0)~TtAr7wv3{kx9@X|e(5jp}4pd&4h_;C|ph@&F`LzIp>2!=v}VOl&4NC85e4-7L^ zE4TsiRqDC*$wJLq=_rh$H9)u!OM^-v-5lwzcu2RRhdG$7s}!+`#;QfYBeV`vQ+ zF2v%nh+vo*4+B!*>3%*is02fX2?P57*dkgS7RAsSFkFbmVF|%d7!Lzdiji_2^RS3u z$TDF-|G%(=mWL%Vv<3_pVtH6bFsSh`Af*^7=K;eKf+5F*0sVhq87&XXF8K2B2*I!@ z9tNZoBjr3`SVk~RGhsmg7e7MF!y^}bd00U(EQyB!DaA-R4;UUH7;;S*(0}g=S{_zh z@a17O!LTeI2BZ`t^uU7)JW;;b&yQ9_bs1muLq)^7jzmf04l$>D!2J{g}ZR={pI7Orj%y 
zGg0*_gE7MQ6R!mrijlsh_*El=G17MxKO-aC$lqAJ)WKkk^u5LR_b?bEeS7h(5Q8z& zcNhlQZAShkqpFX=7~%VjG`d@GWSb~{WoH;h{5~Ut!5G>oq_43# zpAlj(M*KeG2!k==_ZfW*#t7eMq~Rj_3vSQQtiQ7JdoT3fK(qcVgI|21rFqTzQWn4X zLQCM9_4_&e;tMS^Yu0Z~;}>6ODOa-^x%}b_EthK6s+s)a3oS{){jrc=e4&Lu(6P!d zzR=A&>6qaMdY*Kc|O z4-d!>iSX^8t9|$;>DmoQq9{M+k9$6?mZ~Tku@4r4;U#%J}UrZOz`Swa`Zzp}NFSxC8<>%*@ zk9+knPNvr82l8?0_u+u9+-6ht;@fZ^UGZ%h^pS-moJC!$+=dgV_{2F=eB$&eK9|+L zimUMkYa_>B?_P{M<+42b_T{)6Z|XF_p&$3?18V*zI!Kh^tvV=ec-x8#@$~mRzIP-~ z@0;{B-*|Lt+WIHcs6SHGWyr7UE}!hJIw@`V96w0a*W=sow)y%j<+u9!#;h8PUp-Db z<&=TOm#Z%EHmPbV3ciZV2PvR_)&rl5%u225cdwADZXv1Bzu4}rYLhnfqkA4-fBLFV z{TcTi3ysRDx#4dkd%p3?RGKtS@jaQ7R{lv%A5@LYdZyTLuy=-o zz_JgvP)F>le};n^_XOXvYWf?B-imwua`gV-0bJm4TBlo#PANL>uWONmJy~)vY!4pD z3WjliMaZt?J}^^xHrt`(dS~JHZH2i{x^fp6nB8i~Qf5O6W7+D4$w5*wWy(q4#NOgF6FXX$|fi`U<~;k0Hh` zjL{it?EH&!XuSRlwPXNQ(k26ijLOTF$++B6aWyNFx7k|~bXPU4DOYf%*l*EJTJXTN z`AxF5wY9&htwMb4dh$F#nh7KH4o_> zGO4K2f}v~k+pM*%eN};qTT}aQyTn(6{s-nho1Qx-H+}rvXNz+!b8?HvTU;&Ff8`SN zzi`miLET5G^4vjpZu!hX)#A<2AIM3Wja3ij2U1Wt3ENk>n0C)uEb~=8l^{Zo?C&2; zeQk&dI;lx>&;%_2`ww1YOVf0lL(y?od$2{JBiowa=7`|e-{W@M)TWJ|A0&-ilt0G! z$2}hX4Ou_w(a(6R2Bi&`V3yofC(AGKR=p!_AY{gqRDA$5;?>W3eD8vX?4+;xM)u9? zU4nxc$n7n%p%a5rRVg0)cjq(|*=QCCkAH}7eLK*&cc*G7m*)EFGGx~wS@IrIOSV)U zTvMtaFsB?SJZRm{7(6?v>rq5rht|>*!*-{y!JPjb%zql@KZoW&&Eo3k`M(qMzi7~P zfaf3Rn?vZEHi)iSx9fKc?0pwash0V6&AL}{o>24?zITt5Pgng#K;C`&0ZhZqxxn3< zP27F>YQkN$g;HNj|dP=sgS*GYm{zzam^2*lwA+ZGVip;F-`hq(a%=OGJ&m4-Hyn3U@ zw`aVkw}ZZl))&~R?5aO`^+O)i_4MwdFQnhZ>A&|sdWXHpui5Rcu--V=zx<|j$y=wm z_DI!F102O)d52B)m*0^w-@o)Gd=%R==DI5Fw(_;E@ROJ7A&-6}Kd6WGEvmjFKSXEG z_1&tDojNEjBlOZuxSbV0(1HUmSn~0796+NgQ1_#0QFS`qz&Js zH@e5txIPvLN{(fs{af)RlP&? 
z?U87ttjPQEc&Tb9jSdlvUZV$9<8iy{IwV!sAfdNIwr&CjD9%0k0dL7WYE@Ikl~Mks zHrQ%W2upClqPl`*he?!@t}Vnuw~o>wEZLe#VrtIdPnM^ebFpIEJ+9Zw_GqqmS58lX zOQD65>(6Vjy-n?Se48vNTXwieFQ(Cr68{B>^Zn(M zGt`oP+0{}$S9*Rums6}+3(-v0qWS*H=@|?C+Vm_4-(MO>v$-jwDo}n&QG+s_SC1lH znT}EK8T;z97$X5rRoj{Z4U%AFs1g?j^GWlU4*);QPxXCuV%cq~uK{>DxHhaoVtn;@ zw5hmO1qT;qPvhzQT{45bJ<1@fFdhD-CVyP$FTY*z$0FBKyKU8Q z{87_;WBjq|hM~EU$0*nuFvZH zJqG&pKK$|azZQRFM&W4y%G1l0+wJsWOJTmg)0W>+5iTydJHmHIP%nuECF9^m)fju* zom10rwb=%0Ai~z7{8Qj3)^6;S&dR>JYas%v1{OIvcy_Eu|C6F04lTLvG%bGi{5I@5 zWMj^t^z)!v640z*$Pjzh+(W{srWZK8`hHp8#CRWhpGUs}O?ZrZK{Rh+-S46=k5PU_ zhDZOZJ+u=|t0kx|6MxnFHRma}YhPuP<}Yv%6Np~SmeBh+{(d)g-PdrfemsZ(LBQc?Dm0P0-Bc9q^F`)WzVo#Rh`T5~qd z_G?eu=IH5P^8~}V%rJbd2Wh(YHJgfOJi1+7Wesx;?JA4gkO#qXrLR@u)!}cvZ%6J< z>WJW9L%l!#)!dhJy}#lrZ%LDmeiuJ?Ms>E%){CD%qXrM;=&k6j-k3ZqCIYQPchjIg zDb@${Q^9>1>-VOmLBLQ3eoI^GS1DIgYI+;+J-BL|FJKSuxAW5xda?!g+xRI!Ph*1n z#~6z&oUjhHYG2JkHRyNZ`1AVrI*_Js$6ae+0U88iFG+8wH6#7dJi`_yhHzcdAZ_&c zo-pMnk1r_XCz%Rno6{-et4W|N7O*I9Es0*zhQGTUTPpoM`45B^P|rMflF;ld&}An$IeTBB6`FbLgw z3Ojm>+`C(`p2e;mqDV!)>i<2zD``~X=o6u=>Qz0nf#frftELRM!Z!hot)AYXgx8jT zI?|z(CIlHAn=Ku&?KoZpF%I%g4LbEkSx?V3ky;y%&z4G4^1ZIplJ7?}Q0Bm;G+r2? z?*;z!frWZ{zsHA7r0aCq;czMH$$D7+9fl6%3UbQF9phW%)>9a-ichQl4JOFzke@c! 
z$i75o1w{7(f5EN=dO^nmf8{Rw0==@s?sm17?V4*Wy#$0fAA}gLxXfG99qH5pzqYGy zp{{lHxoP^>W(=bcjG)uK&mR?7O=$c#K?KSST0}-U^UsGyt zH+t%}?vzQm!-I7vUWUDV#X02Lc7g+A3;5qim7iy0eLF@KPsyG8rpV6M)x!vemu7t`c?&yhuVn*!u+*&3Be~Wm(2_KDqTrtM1e)?4UGsIVp_)3B=Rxg1+&u_4GiS|wSB2Zx}y(OFG88e#a z8=1|X2HNOAyle63#}^oxTc{50fe3g_N1QRYjyo6|WUP)Lv+?tcf?8Goy(55P8Z@0t z6ur_hO+mp&6rJL9VQ0D;>ABDoQ-CWC5m5B+IS5o$uXYe~q^NQaZ**G^Dn{jvNZqX( zuQ=$~w4&pR+EXgVfr@D+K8OD8lMv2I8h>mlN0361CpXxhMGb-JrhhoKu?HMmS z`=E`5egxa13h)Nau{wf|n4cit3M30){}vGVjZLd#wOHSd%fRmdeJX(r@s%UKutyBw zbq!^2V#!}QjkIdfR--ru1+T4-+Q-fU`_F;0!}%v!D3YFYfpZe1V39N}-V!K5zv*}e zKQ+S!9rb=^Kh10oCN@jM+`UY#VD4VTw}PqvF}`IT1%K#RhoAaS9UJkb>U9c!zJQ+| z{eNHRVJhD}v|s$va!5p5~}je4n|7whot7hP2FP5lEmqUBE7 zu;wCEED6VxlJoMmEVN@Ud6SfLYf(s zzkxqn1t3AJk4*wUDH10YQJ}vd{@cVHw@L8dCc%H3z@LJcm~F&=Pp?EUQPhcGeGET= z|EH+^==zr5gl^WrZ0rg|Aq5Oa zMI8SKI(qd#MKN+q1S2(n)BtDp0P=Ml{vCtn@pdQ((#MD1c?0+dO%FtntBADh`hngq zaJ`w1SyaA$)tF{mW4y zTRojg1@tYDW;joE_8?EHrU#F25c1ZuC@|zA{y4paC|8)|t8VnRQ|+x|`RdN3ib;~_dctt3CS+ZERqlAqWD^(83553&Vnp8wI- zzIpni?R~1gP4x=|RuFns?{w>-&_&=HSPa&0>OcqMbmL%0;Ua9Ci;PEa#ZBCY1B?WU zpO#c`gB3)VtBH!1B_jqjxsve?O>4;^kM*#}8OCU1*&=nOV=N&~cR9qgHmT}zJc)@_ z^bS~w>NHA)X@g|4E|SjN&UWkpF}1W_-JUcqQQBRHHplAGijKg)kUp^U$CznY3xrseuo6N4P~g<`0Zb3CJ)!s7#k!MC>kc?e+`1zO z|I1g$mL1K7<>1M&wCMZ~B49?yo+pVl%l|}#sG0HPm7rhg z>2%7{cdD2+N|mZl11c~DQ0NkvBs@A0KUvJa6B!W-#j5xvQ0Nw^`Ua#bxUF3ext+BT zJS?&^#Dd2`+6_%jni}Tc3;fe-7wFT2B!76t{-=9^Ve9tv2F{;8+j$k>{SVDi3VkN$ z6CX0^6UM{x~5 z?s0|I+@QKd0m=6nDh^qK(8^mA6TEp`P<$C~Ks1y5Fu?yLVy+&zDKF?od|2hO!#mRSGzwH3#H^%>Y z{|fjLr}z+0@oh1AF|tjXYeeUFp+EC=%y08T|I*iKew$O~_XO=Enst#AYDpTuj1iVpea_32Cq>HDQ~A#{R1Sr z^_^r6t8?d{WQ$k`8YKG7FW0y2IDW46p)0<1H)r-h!`5|u5pS+>OL!@}h>Q@9*| z1q+unCg?YW_7k+oG?o7{f_LT&M&v@+FuRDC@Jh1`zf_m#b_Ep1SZ)N55^Ihlk|+5- zO(ji+5?g(8kSZA0X8JYM>hlX^q%tmA?6CR}!D zVV0;_5%wI@&nNJ&;w@m+nN46|TVe~;&V&VOCv$#K5Rt)k!#douUZTK*H8R!9g@Io?}P`4>bnEmqUXc-CG=3tTv9}q}Gx9BUbU?7(qv^{XM>MD; zLMc-a)gMFudndN~q&+U_hF3`k?AVWX*kL*Iv>&9GzJrcTd=FwoN0!=tKo2j}AMLaw 
z*)#D^^Y!A+3^$ZUzoiXG2bPXKnx9_j$195r?M{ngJPx&SeZ|#kNss_42zdSF0aQOs zP4Dwg9PsJ|LDe~ch*qOS&{7(N5KQLUnFagL|#2YwMb+#A}|uh>@a8)v*`e z1#6V*>{WyNsDM;`h=|X*TV)eSBWVHHu?QQs0O{2OLa+XFWXL>n3j3doQC+*F>hB;` z-vw2pvk$fpXKy|`8g3s`Ix8nzDjc!V&ES{NdJxAfc>@wQuFq$EArV>}hdyd}_IANM#RcNf6xdB3C& zlHRPhK@9g?lw!S^@eriUZmF8qN=4rZZ!hOz%~}u7g?w~(Mv$cQ9=L2&T%Xi&v;WYa z@%~r^(@|Z!P5oKP&PZw69}m#}c!2lE1H3;T!2Y-ay4}-&?*R+F|EYf`EFsCPTZMa! zwR_zu%PL!bQ;(PMrt+i)fe_pE-d(^ysIE&6`t}Z}))Vjo%OCU@GmZ+cqlB%m&~Nbj z@it8Csj_3(p{~3W{x?Fyh-NhFPE1N?q_g)rD>Qq-nL&`iR88L>`ZRv$H?ivx)*ofF z-UxH~v^eDn6`ITyq^cV(0SAXiwzOdeCJnAX4*ETf=H2hMdmz8t{Yz}F2W?W-AUf_} z1jD+Tq59`!xbCr+OH5?HMSlmSg)KcYym(wG;6t#B%r9xs!6H;wc?(?3W|fs zuV%2SZS9`?Hoc{{12R2~y0ml}G*o_fh6g+}gSznmy0JRG8}1C(;*@U8LN{g%)eV|; z(lS5Dn4I5(F<4BFSYW1yFgYHO z@a5i;7FBPZXV|u5NYaQ?!g=934K~E5NgBoSOC_8&^Ne&Zfo!SzW#kZf_kp}$15bk$ zOStcqUrerh|A8dIIgKSSdDcqRFCfLO*Xj+5vjhE%*dsfLj<3^n2VAxy^Xv6Hu-Z6| z3HF8kiRO1W^Z*=ig6dD0f8OsYNp%n?jMN9`EVZ2?D(k18+9@J)4O%b6THLgY!{4Uu;+FhZ~)^_^f!?1 z+dqKQ0!DhLR?+~IU{?%&Toq;uQuphzbsgh@h3cSe%y6kC4N%`nzJC_&g6Bd9osN15 zEQaJ$e|kXE)1fFg?duR~tjBx42yFlY;>S6RiQ5>OspkM(Mik-+|z z+!3*(GWDZF_oK2y7WH|5}jjLm_#cCiT(s6 zs`}*&um3?D^-&xqo!)?C&4r6+DzZR_xG*O|sj5?h^D$`kdd`;MX-W;CBFcH3wF&h4 zb{xH4lTK7^y4wnRorolpURBU52>jGUqSv5aqc|J$vGdpq|A9`owGp0C6*I{u2OX~i zCv28Odzy%W8zJMJ@#xb}3-PDF>@c_`9Z3KYH*o({!`5d~@*+=35Ml;35~E+>{~I8} zwYGMUg7ya6V6}EkR%!7YY>6#y$DEZeeIu7jEp5lt)nMsv0sTH0YcGi`V(SOd*I(E^ zp`alP`X(D1R9{|a>rnI!l^CYSB=XE=Ci3(q##4Gf(|1iAeP`Ylq3?ec?UFJ)160xs zLT^mKZ?8Wa^qn0?-!(XN6aFIVVa8xxfrAQ9CZ@}DQJKNxZsKw5e9t_8X3Km%vwfbw zvc*21%queNjk{rgF%-ynD#$xnkqN<_fzfNwr(mB~S874x3qay+va3}xXhp|Bc>D`u zB)$puPUy5-z3g9{aE1tx^&L+~~Nc^f8e}w&#>^Q^I_qpu%HDzxyjf0X} zlaQCtFqOV@K+-VC4}>f)of#xr2l5Z#X1~zUADkJK{S`LZ@3y(>rK$?pPr?1{#O`Q3 z+^z-o^2x%>?>B?^Q>2AWJwFbvYbPbo>S1rTm$XH*N6Mr&mL(k%E(BlDML!CxA|U+8E+ z6Uhf?`$N=+3jo}{EHXIkQ-XhVdz|g^x_;VO1bXgJSwPTX;_deB8Gu?3mSpS9ksi+6A)mHQh-fOBy?ew8s0wMU~44)LE9$}x|?!7g!JDn ztoUvb`tKH@|89Z)y9S!~_OdrMSNBQ}^)dy~3duej$Dg_(A6yG%B5i^oB6Njb`xh1w 
zu*S29@LzZoBEnZ$M8Ha)-vmlk{CBgA;Qt4^TffH!8^CjGL91TunKb|W4BsGR_=_k3 zEE>eyiz_j)uAU&kXeeE^Yp(OU8l|WAfkYw0qlCu^cd2YHfo!Szb>!UA?Hk0H-)tk= zrK2E8tom|f2yB2{Yj^cY)i$K)XTi8(D$8%ero4Bj^)LxxpNI?v|bV_~xDDS+eJn938fejFLt*PZsiTLzIutyze@!|RkFIT!(Zk&wB!pC*eJbM-#WR9> zE(RPlKS|MV2mwAa0wlWc z#3^iXOaT)8o2dk?GfXlSLC#f%HV{uP*Y)Rms72RGxyOc6@%plfbB+TaXMPbp^ZpFqDe%n8nP>J?T&|Vi zQs)Da-4vE#tcAogcS=tm!-!*tgc2TS-8@s^p{2E&5c!q>?_z%q7e=}p+4q)&(;|~j z)?khLH>5H6iZL6KPNP)45h=3XNN#e@8rn#~HIpJKZBU!GM>NO}cuJDDr-|~xagq|W8RvPyixO{vceXYvF^u&?v8?5FS7S;-941ffhHSMSV{;3c!m4tRSIdv#5~lx6Tt<7%s^A6^upNrY&cqAq7*3m z{l%vt{uH0JQ+xrO-;RYCXe8Mu00l}dWS@qG`qDb^(7Pb}G`RXD<1KU*It&kK=A12% z{;(E*7m_}(5?#aziTzNR##H2Mk;N)5RB`Uc ziZiVL5#$q=f8g5(`|k&qe>5Bkfd6y<%4yWg6gn+T@_)wuU&C$)GR-}9{~U-ki$I%& zHvb&ni>w4Sdi<+1RR29$-VV>hFNq1zW98NVmv4|BfU6khs}t7RB>Ww zMawpwl`uCW$)|g;4PD@$abSTy1IHHXu>Qh-N8Lr3Ks6 zr_Q1?Bqh_dH>NQ{6n`y_aE^ZO43e( zd7^TH00a7)0py+$M}NHk_%hU#%sXMH1Rh(Dv<`qprkcvq680aN@JG(vhW*E8?8%pI zgXL&zWdFfFqGf}ym4XD@=J|`;K!Wg0Eq((eSO_uZC>S*R-w@~UFM=2YjVo!iGq9_` zPWTwEMNSZ7`fSlHNF&>+$+rA960vonEy(8lLEeP4dP+8v@7UiYfiC!$$MnAz?7c5_ z|3N34g3PKR`4Y#5$je{g(E;%2AkkkV&L0?=$CBP)>Mu4Ex<%!0(q52l0FIe5v`RMp zUb{XQ0u8(^NguF+X%Od4RR2OjgtY#t2<{??5QnpbZ2&|_2OB|ztu6qi{cU9WgS#X7XEXiHp#4A7Uv&RJ zgXk~Wk_h@s$N9VTIQnDz0QUa@(=>n;5EQ6b19B^@xq*u0{r?Pe|9?{RXM#vFVIW?5 zjOgzu_WzAUe>1TE2mQH?*>F}6CIXWHcYpv}`}}i3e_LHgqV%WwaU9qQohH#Ag);#C zfwZ?GCP)JN{tB{~earfhC<)$&L?Xdmvh^59a35B{9iEb7?7kV9_2^DB?L*UFJ<;D0 zroYW8%@@-8$NqIt zHOcit^nV9(z4`M#n2%YM@A)M&^whtlAGlhU;~`bw}bXL)dV z9G){c+s#I1obSGwjLcHiUa%c9XWB!4439_OBp%lASg{Gz9(tT}*y?EyE$19)IjGLP z{9tp)tUIat4d7!Pw{P{LwDP+>;CQNjC^Y#Sw3#Dw%pp>})NG7B`ZFD&&*GWm5-2D>6cFL@V~ph%{XitwK#-7A-+f)G=|xaA($?r7P)OD{gVMd!Ia2(Iy^FQg)cX~B{6(oL-2SD!kV2keY-;)*kE+EA-&0FXu z9vFlM(7TXt53S)mnvu|@ltoho&)ox|FFY4{LL2tbJ$Mvt()fkuq8c^^z=M6*QHEyH zBPs1F09IG%2CloCF{3MVmB^&mqp6J0MC8g1b8@K1*r&%wxt;FP{F^%%3 zb<{+Jeh}kjn@8V)Gkpla6`J!0IKAonHNxZ?O+V_@p>x?}kHpjq*U#b*hoD2Ow=n3d zboymL^*^y9Jbw-?euWYFGtxfC2Tb(;m>%c8Z?9-uMS?zUuILkjKAr9Ukp3Sp>a>hR{XdRA 
z6EW_L`hSf2e~kKn2o>DO_5TP~3FA=2|6?+qNBuuW{Xd{JIxqi`QU8xo|Bs#PSVV~U ze{99$sQ-shZwiT?<@Ztlk5T^*VZgxomJ8|samSNliHBB*{XcHP^QiyFU)}%X6X(z_ zrD({Y*fP~*3HmEFq9pq>Mb4TDEpw<6ZNqQoO4gR04E^jDR==r9N0;v5Qc~4_UnSJg zGefqYl2!$wuSml@Gj!rV#UspY^tg{7SuZ^^)X5L5ik=yI-7J_Z3chAOW<}g_?}UNg z3l|mg=+23q&{6H=m0JiqoXlpp69zq4-s(tcNZz_Qunj#f7m$2;C{9h;Q4$eaxRBOF98rBLwwdAWN8p-0(Iauhr^*rX)S+*4y3A%>Y0g3{b3%2%k_fi~LzAXb#L8 zP|~N&q2TZEX4!^Ej2h@IjK-}IN5OkN!RPqkAF_RNYBuhI z+PX%1>RK3J;Lh!J1|u%MpY!0x6gmSGKswB34!dylrHFv^h=|zmb;%yafq5NGHTSQL z;inKJIDg;D_IJ4S!TuMJd_N(45JQJ^c9`;oM&@P=Y?H7*=$dU5{h<``^zfIwl zs5QI^@Ky?AAtoZx{=OCVzs>0RRbbKx>W2Lv&07%mtDl`J|=klDn+g;Mc!DzXKhB2E@=^ns5q{97fY zDte9F+lA1&@NnZmiq1A1TOfDUPZ2<=C<-} zCFucX4mHFaOlP+MF^AjF!5pIYi4Vdb;CUWF%fBXnh-)@w0zW)|2)g0^7RMjp|JE4C zA5JlUz^TgsBVCj~)Y7BLABJ&oSVyxx9DfiFa={3HKi{}p%1t6I}WFt`S`|yXemqt)EoPN{R9*6(jdGUvy zx#D~wR>9oR9V<;6Ha!s!%L)0*Xh(@hQ4HsjoP7!ye%8jgnxDdc`;G>t+Exss$1BEX0g!dxds6!{zG zHp7V`_87PM0*;Xn!)@jvE5dC|QRFj}G@K}Mb27Jy$&Vj|zl_Qs;><#V{}K8BeQe|p z#qXw*NGy6Br?rwq4{uELIEWMH@55TQB0E*|conI`vzD8O7Cj>Sn~y;LAoq_5FPKlf z0LKPRUhrm=7tBxQ1q+gRfmk)+wZ=k+$qSMsk1LrM3@3S<0dF@Yj}pW$ABGpG$cpd+ zQ}Vc#l7^E!aJ(aaTk=8ZKTZ%Bl`l*g_TwdADC~wL=znHJw1B5lWb5%R4#Eri&vc~j zJQ|RjO8&n<>hR=`1vxYM)JHsj9ftn1QAfykboAjo_8*U(w|r3qSs{xhh|umYnHDa% zOo@~mkzz_00^-BhG6NNgMtV$7rZMegpio657Xe2(3r-Ex)v3 zPJ~Lm8809SH`fcdG3Z$ozXvA}X4?@a#jVe?L6#*)xH6QIb!@-UI|M&Pj3oK@zyxSx z3NsXIr`&oPA&n|-@%rb%8Lklb3p&y`{OLQ0q=%?i)Aug)SMISd)GPOrBXikq1pzb_ zV>yLDRUCt^MhcVkj>kV6aln*4eTbrs2$_4}gFY`E7j-JGCPc}AzJ&@f8sL~WIlu+b z1MEQqh&Iqv*%R(Y5gaRrOJAJK=Eei$HXI6Oqe+oJ~`8@{FY8PVIukl-x5G`*of~Z z(GfA3aLFTL0+Xt!PN<5uB17i$hqB>@7k;Bu{W~P#-VlXC<8G(jAnq~f?Q&aNY5VOQ zk_gsu*Zc*W5yPxG>c8&R57I4!2>llJm=Uya{s~Hl=|hqc*$ue;T@RfvF$1eJDL-V>YI>QF`hV%yHVh&bQ=sxE>9M zNDuZb@%YZ*5UE>#m$fG8n8|l>790nfZ0)#0f;40)M8g9Y;SVIA1;M3pivjQl{^7y0 z9w==-MUg=fG~M?@jI!A@wJ91@qWaYZh#$T{w}nLf&iCkiX&7f4!jGYvqBo)^(fyxn z7009y-!wKCcopamcke;*CP39022KsHdelZrq=L=-|XWSByrAhJ0k zs-bpL4JkMzj>D!hof2;bQPTlg{}(beL=fYX;$OhQ9j}qTDfyU&7wLT36bJ9Th#=#2 
zbxGATk%$X5_?U(`q(LXe5lKBzacxvN!@~&waCSZw`bnH$PL3Z#n#bYKXHZCI=zrQJ z-xcUHj-hT!nk~?Foc^aB_sbljlMjMpwc#fY+&Z!-46_-{iGw-aCkP#()oPj0Nm2X- zlh99t&}TEDJDAYh5g8kV&gY_3XFB4K28qxSWXX3`l+fEfPTWNj7t<*XS&@)!myAU> z^mkL~{1jk{r}GY}dLNPyw4Ui4p-90g%wRFiMChLsgs#LmJubzmS*RCmBHqULZ-Blv z%>6>6AQYu-zI`_i z5^|834(X{Yn7*L^<{&Xl-uLlA50LkE=xB+r#mM`0Z^=$fNvcvnbZl7qt}W}qrCc{K zeIJl~{{|q;wn5*oixznT))9P(^nHNN&xG98VED_(!?}JDBTCSZdByT)Xey%eFYec! zKt~7ZSff^#hO3e`Azn!x7Qo_76d(%gpA8YBG`b{O26cDP`UgmDQ1Ul|z#B>T`+6Ty zx2GgP(ZP&^cy%&$Q=mn!kqPQmJuXGJT+vfSJMruE5 z-{_gl@|AvoV?c!7Tn5<)Zs|f}19$djN`P>aOHS(#eqKBXNvA9HUuGse-z)5)Lgae< zYv7a)pZ5OH*B_#$qHgL>B|feckMtt)o6iXSZQPs5CH}LqX9#KsLbLIV*1=WaWPTu& zPxbw)GER=OlrN;??&QQM#$Lsl%~1Pm11O%HOh*wqe*!;d6j<- z9{Znx!JaEp>xF)3R*JaNHx%+cpACg}ZpF7L(S(PS87D(6m!pe`Ib^DA3O})LaFBil z!p|R|L+fo}{XOyh`H;wI3U9~RcTuJphu*17-JiwxYZN<|j>)uz@4{&p`u-Hoyo+=3 z*V3W)rtqn=un$6Hgy3unv{$k~yU~Hbkw|# zCKF2};V$79*+1{58(>c$aAWAXGpG4D%>v>ySP_25gGJ%iC^nahV~rjcZd%@riNHBr zL@w|`<+nnp{T{b_OCUhXI1mCtS@RhWPNrxuL8iPkf&bvpS3TDBfH*%LtURoiJf5z) z>Yuzq#W`lgA2sh+qI@J*()nNDpBJL*(C@uA@?N2T{=n_~-8l$v1e@u8)wuPuKe47U z+Jzi%4h(rt$>XbhlY%!RUIa$_H1-!B441ydZXz7rWleYEVqWNkg?I{&d*?Lbx|5$u z%>Ily_!A$`fTsWn+#>AdB_ydMa`1-bm_#%Or7C^P)|1yr?%&}42<5Dm!P&J0U zD1+l4_hSxm){xF!Zb7J2Ea9w4LC92&=c3{4?$bL^M$-dS!dZ_HKU{+2xzL^k@m$VA zOs|CK?a_~=?pI4lOy^TRki6`4Z^B(j(IMjDewltgJ>I+9dX^UMVdLk(e%Pq#*=)Zx zqGg%y*D8&KbTMPO1o#XlU0tH_)g{Gzb;(k3bqR^) zh`)rkKSX`~lrh%=sGs61r%MJk=QcBTOIy#K6oH+@?#;M044V}ZyQR-lasY942I9{b zp!@OhTXs_XmUQf|+PpXz>-!F|yb^?fP45#G6Nm@r#}U5;r;xK-g#8ck10m{Kw;_H@ zh|l&@_M$Z{6ieDwPlucjOHYSEQmP)J5>ATJ zDN2A0tG5xc1$Y~hMQ_G++$ru8gSHs4mDwqH^g*QH7%(<~&SN09edBv~S&x&9a&;Vj z!OXV>B%ZxZ2oOyaKe}z6p>0R}Xc0l_A)K8}p|Gg^l=O3m5KLd%7U2`IC5N7tZpr0c z;WqlDFa!9aI0N`Xpn-^N1NnHU=9TFF5amBq`v|mPEP(y9Q^fy3*dNVVkN6*uj@x=} zWB&+HVGYs+6{-f}S$j)1gPMA2nCSd=jQ%|E=^*+;99z&|i{$%0<27z9MlDe#fdDyv zQXKu^{sW@Ft%(285sUwE(v*CMjQ^4TX&)j7k%I+>8Jr*C2ed6jfZOaiD89!?|1{!% zd>Ybk;UI)xivNN8Z|bn44dM!%2GHPR*w&uH?Lh{`9!G>F99+cVXRJ2FyW1$uNXHpe 
zM9|tJ!IOzY>i!PN9G(OtgXm|ft4FH-5z_RY-VQ5n1{;sKx&gZ27@^OSuUw1np4Ksj zC#=tif0Dev#rC$9&cw9x`IuHdAJdBc69w69FWaLcM2>F~_mcQx!syccVEyml_fV86 z*G}wj_YxTyI9%y}!XEnm)8tnLN2&rx=qEJ<2W5SM9bB^fbK+HWr1c&&#aoARxQs#ApTkXi?P^IUHGLz= zL?EB!=z&JY54pny&omM9`?D z(TSI@M&moB4vv^#>_tCR{H4+OPS@tQnTpFH`Fp`7i0sUQ(`bCBBqTKXJM*t-eCN^l zP7x=Gb;Q?6KKTpcGmXY~qQS%ZlIUML8sCYA1>>?#e6f5r8s8~d>{Muo%=HoU_ZP%x z8jbH{jvqyDA{#Vq%tqroB_kTs-!Y=aSbV4dSWR1+|6j&;T8;Ql9uCAxj-o4Y{hI7s zW5?y%1<;BhR#E5>wB8i%=`uXa{s*Ce{z?XJ5YNR{RWocmX&^oRs+aMFTL{MX(E*%g zbiV{#P2la!-lw5Y{jh(K>?6Vb+~?+B0%SER0V>C1-j)mUajP~J{{4C>ae*n z_h$xfd*^y#Dvy^R3r%aL=stt6>KM2!6jp&pLW{G>w83|sCBw zbe7@DOVr~ALRqK`b#yK+Y`zRTb@~aF*9+JJ^LYyuhlsK&(p4v!FX%wglT%~ql5d4s zE{h7}Z~<`_IZPXl3|x|22+cM*=jEhszNaE9&LgT2$5Y^4C_R5M(iMQ4i#sZCbO=Ub zi`yBb;8P_5Qa9rw$8sD50U%kCfr_qqV%*HfjkuL&+d}A{DL9lS;)~;&dYH^{Zl=}K zTMOUIwDLT0jEY>3lA7CiOy>J{$%~5a(BK<(dV1~{wnB1!)<4(aGrqon()VM$JK7Kw z`%6<^|M157ep~H)-9~p~!u|;TOPCyx6hM$`YAx~u@UtK%3v-t;BYte)I1zt8FNPv> zE8@#;gZ&kUaLB!a?nf7{6&U*5m86+wLlt)nSM;{@Eu;Wk>`$d1z_3pXJ(C5+0w%_I z0^~6`mhdu14j#U;$WWv^gMH%^;~$`v3BWZXfWD@|vFQdXuT0z`_Xg7t9|;JNM% z)mjV;?hFkgSeD#?x6^A-QF^8hKajA55;PFMUC+iDv!w!8mL*LN?N1Qh?BE&~?#WHb zGwBZ_y&^`p-e17hhe*qc>ulvagn!FKXZbXr=rI8i-)nznQTqY)Ivk&X`QBrFBjiD^ znU=ZPw@fk(hwf^?l^*~?e*{AWW76t49SPYc>!A`smC#R`*fbcQO{yK$H#4n#clcM( zm=Itl0mST2s_(res(xBEe(%_b(edirygKe-7h$nagz{Gs0~2|~!|b6cNhuj2DJdl@ zbha$9R&J;#DFx>rk)ruG@LNrll97qnX{Q7u?Ls`kNH&kiA>vBYkRSSELKcEYo+3pc z4cN5Mb@e<*OX3D8WeOD_AMBsv4$^bMpVV)_pOgallTrZx<08Ncnjco>b}mawYF@i$&yNAK^8yWeZ{{=PswevshBG28z7@!N9lAeX0T{IY*P5Anc-1u$sEc0}W8QdlBHnOLV-rq+t7Dn&ygYWn`?*AK&-!>Y* z?d%K|5#YVGl^w}uUKzsS*>3E86ei_E?$_DJ`Olp&kcgXaArwa8`* z65lU!8J^(V2Q*E%U*w;;PUL=(BR6stxChetkhkz8juIUTRYc2$zDz%%vB#2xdg6YO zd&Rp@F?PR5QM3v*_N|1bzlJAn10AFbN~pw2@jCqG`$d-H(LANNjkL`l-}^O!ECA1Gw^n#t28Xj?RX2iOSK<>0{@INM5+#4 zozuv=BjjQ8baN8QlqGMd**iY~j}c4fksi z_XPxueku43ttuM8MXo19i@9ID7}L-^{)so^Dx$7X0XK@-pbj4k-H1oCt24QsGxrg! 
z4d|zNEbGg7FVig_(t3cOh;9ko=TW=o8kFS@Q+qoj`6zuLbTgiKqS0;2{Uhfh3k@6y zO{QGLX`=qVME&4PX1`)9&-^V6MuR@O19m&xxN$r9XH#yToy=Lkp`y~lW)zuu1PzwWPK|KE^e|F;Zf|6lS!?f<9{Z~u>fg#G_sksGo9|5wcZ53@kCD3)OV$HBhyvj2C%YD8ws1p7ZKkJ|s?PB3c!KR^3_A29m=g#G^nI&wkn|3AYu z*B{#ck6sUH|9_+Z{Otcf`CqaB-%SiG!Tz6=0{eGT3hdvXO{@j`e^LtU-$;oVxJkgp zdGUDr|NU5=BiTvz?>iH+67Ao<%Xt(&kp26d>(5vI_~F-||9CQa{psjGo$7y9d)EhC zf4+eVaqEvS{!tB;n~&!DQ}v_h`qTBs5bICfr5|Gbv0uiG$FD!zfz#)+{%pxax#acd z1ymkge@54z^YuToANxPD{;WNGq1T@+MMTUW&i}0G(9r8o-sIE&AA9ctUsZJ_{u2li zD|(ZH8miT_jcqiv2DM`}&X_AV=3KZJs34&7`WK6IN(loInO1=|+Io7qm0xE%?X=T6 zzqa$AKBr?lGdguT&4Xts7(gHpd5B_9h!DgYA{6rbuC>oO_ZbL+_LY3#o^$ruXYaMw zT6^ua*Is+=K8-)ue)lZKpN#V*KXtqp|Fq=!}m7MBV%?xlfv3zVRik zOXimc_12$XYN3hwC66id%YQOuCgztHDVXxPSY1wj*@el>FINC`>im+F1kBHoJ7s>U zZ@u~DQ}WiGUseI+AK&~k)4unur_F$#uBSdn~5B@72eEZ%gedF5qiuH|a-@9BN z&Sc*!u!SRh``*VPrS~ZIy`!L1)F1EsVC7WksP?^&k~xcg?|&cHWY?mX@A8VV?+rBN z7m9J|AN+hyOm5Tcdpiuvkuzc6o9%xheDt5n3E)CahyTh`x_$5ONTWHPeeY2o|2*t_ z-+-*>r9wC7BVQE6B1?r?R#Ayn=(B6UbVcX81MXG&Ait; zKX|=TX0LJv=LegYzJ2dUygiM5Z^gG%IKMUfUVnTViEq{)pQb-P&HD4YKG`3irawMS ze|(xh#rQNQZ+8_)mXu!8`;_=JOK;`1iBEH3miROm{u#ulxeyzk)Afi(xl4^t6I?EH zjPnworfZp~TWC;je41BymIbgsjQBK(_=}hP$V^B4_=|!a>(4j-;;Flczo;DYy)T{5 z_={iois%24VSl&?jKAge$#Iz8&vk$DmmWyB4?jb+$c+8T->o=H`|v_ONU{&lPJXnU zN$#U-AO6Ju@$JLEXvkt8u9CfmZ*_grk#oRO*C+pTZ{O_0KjG61`|uJz?za#3+lTvV zA9mXQK?V6{h&Y%`%wFQGk+!Nqt=3~bi#h*^qYtk3{NJLn;@3zyYT~yXlk;bbi|u-% zH8xm3pqK%*_l9R@9uNB{oR{{5+ubp$);-=B)I*Sv6# zL zwM7ZC-s|}o#6Mq0o$mQR&6)av#1C)L_~9)ket3(CAKpUz@J51_Z(aC8q@rz6SfI?< z$)V@Rw@Ue8)j!%6cH-1x45c^@>~enj*Qz3T`&0jo$Nv4P{rgk<_otrM_1_6+aXv{0 z6HsvnV*}7}=c)(H5Rcal4qiu{OL*?zpL)Lcr!K)5ep>5NhFm4ET-yHBiFdQV)bci| z{#HVfmWMfU>q^STiuE4#Z0~ZSKUCXT>fvO+ak^HTb%mc_fjB0{Xu0#f4~SJo0&42x zSKY@F^Y{gQY%E238E?t$UF7uiqmXsUiGR7fX4b&v}qz+&b>l^K-gFc0K75e>AUdABV@{05zNg zj)|yi&0a^G)D0P6CHPSR8k@sq1zlH|Y2RC|J{N9SHJi@ZirLu1Nq(|vMq9mtT;Uup$dj# zl|zFZxf?&M(AUeUef}ZeA)+#xL%xaWnaQWu@H#1`?NoF$OpXCkdq3s-I%!Z|HZ*ho 
z%PwGW^*7gkq@*(V)5x-YIN!Sjn`-7!p{gGyoiEGzMhFLbeW^PR-fzezA2@$i|qYVX~@%wlg^ z2H6wiQ!oAhO1@bxih5t?AD`~CelZ$dfn(CqAe>))%$UFOG*FeKTs+CwF35y(@wt;?dZ$%WWiLa{I> z58sg&3+GkYV{*}DA6p;zGK=&G52oKhcVm69q2ubHoYjrdrZPV?XlHQqi7MtVH$-D& zIC;HtKqy{3K#m5P{qp$O$bIAOkuQ#qJ-mDaY@?z9( zg(nV3!I9G3VvGe#uaTF5x?-|fvD{)Zg-e?d;hIUT2`et-Rn-mk6vyJsZ$x#pcZcf^ z1gbc%bXf4%YTzOO+a_KFe<@fC#;Z8xWL;pzvm|j^cgS|CO1H^ua6hxbT~&iNi+Wv} zwG%Aod*++BHAn5+HpubH?)l}1EDrJ*7r(7Nd~B_H08J0i#^^9IYc~@ApU~<=H>ruN z&X+zDX_8CLq}4_8G^t50HPcp?$X;g?`<)(ien71zL!smWOhol8H*Jm1-Y6qfMyFXWfO+yk z>|+gRY0Gl!;h%v~8r6Z(=DO(YL(z&?19jgcuUoW~X$nlppK-C=_HlNu6XtLu^2_dO3kP8k@8cei^md8+onjAw77#ZuStx?Vw-WsU89GF>#Sd~UC`gW52XDjCm9hNhhjKtc) zE$77-7lLNb9Hh>C_n3~(N$E{=$Z$*y#h-9Hx*V5&2dR;YV(sW#Ble4QbmOj9I<#0k z`snC5+0|V^Hq+6!hD%pL`h-v40A7htpDe<@doWXr{?9`ZXg@xFo8$LyBx5p9`4pm@ zrx9=!g&Dy4s~O6lLLw0|Seq<{BT_@hGhb1uKiUKfl9>EEq^&tIE>8ZrSwjUz-w@ z0L!I)sr~z);NPhl)X@GZ-i7Se8`n$sHY@G!DeE^2DSZ7m6wkd7(ac0?d@Qnhz<7J; zs`0T&s~G?%t;)mv%lMajVJIHCknu0r0~(}v)6!g&>~(bTb=_m_$gjJlcZX-!i+5=J z5LKu5?tg?Gqw(SN?#(H^`*WnbegNyE@gV&T9-K#FmAzYfx3Hjg@b>WRjnT)}FD^>! 
ze`D9?HVPhu|3o%soUbnZyIK2pv+3W>rhhlnzZ>!*73&wiz`S8mMV7uT`a!CH0rQKF z0@bhVgBrZT`JXX#K?#_l7Msb1&W|Jk^{GrYwf~i69#ogYUEs^^%Rr`uKWSDkA&=u?^W1pYPnE?@i6GjDXGkrlu6+N%ap(h>?j z@P|DDgbw12GIBwa@km8Z1m ztL3=#_3dx6Uq==%P@FAv)msKU_#RbgSGxM^(1iY4dpW^GocpI|z$&^aM-7??D94@e z{0~K@wlj@)g}+k#_otrbe6g(;P+UAYzF0$AO1|^cw3I^UTWKj}PAn~j^-of~0Aj*n zY4OG0)0}vn7GJDqee$c+_+lT}ug&jUe6jxX=hIljm(NJ9{`2Q&qb?6^8XKRqI(>$@ zk}x0*mVH|z{gZ<`Ip2|!VFz`0%w^ctJqrwf{pZj3?*A64*s<^htK#?~S>J3(V?uZQ z>z47g|NMDxM&@g;%LOm}=g;3n|GO!v|FOQfq2p8b8e>UoI4rIQgN|%I^;p;9zsz8; z{`2P>r2nm3gk#e1qZ#O_6#cVV_{_JTNW^W~8^&^P5QQbzo|0!*W8lXMFOEkG(4E7w zif6^fn?=5(%v!99=EavqX19dx^_YWnmKZ5*Mqgg~0jpwj;0v3`6UH5Bc1xtRf%QMl z!Rx?^|KLs44eQm4|Nk?cWj}bBKooe9h`p%Z*o)#a-ixcWa>p1r=PMVH1Mb+0&Mn_p+-i8kXQWAvj~X) zW${+BV%5yKj$^6%k;p24tH4m*D)2SZLUx1wTqIu2K7p3NipNL^+AU%qSf|E;2KQj| zp2hD=BjL*A`MXu|T&8^h^FX(pZ`rNqTXq-eJ@%!w)YZLkU!# zb_7=Zy(H{7wsX*PG_~~28;PvdBO>&27r#mSAFPT^S=)C++H^$QcSPHFg!ZkW_+tzA ziSBp0_JO}t{m)uEKpNF_V^2qu%*fkLNjy>`jQxJ20(v>wQs=i4UlONYOWa_cJ3gVF zy~B0fNIPjmoNw9QJb$k9!ZFMeCfsDc^PE1cRgW3_Aa+qq5aHO2Jm)X!B^-yu2gH~n zFPvghTq|t7uuI+22`nMK1Vr*RzTslM*!%h^jw`ChH+MYa<>>rS#pt}++-28vjADFS zdX?zEY8ac;&^@kVQhoPB7cIOTV|Wj5m%Sox=5i_->sN=RH((=?GcJxhcJ@-Q@2HSc zOME0Le)>{=p_Wf?!-svp^Ddrbbu5>KnlI2E+O2Txck-!NJ-d7ay@{P^s#8c*Ztbo5 z{lTNsXw(ImH=pHui&D<6E@08`&Y!eC#uS4 zxmlS~e&CA_kQVrS4Zj|q_q0#sNg2XBxxJZc=s-6K(uA8Rp0-7Gob6)$U267QTISF1(CDYt0p|1v%Y;=D38bDzG z#K#ry1FS^}#u?dhi(v2?VH}stDeZ%Qa3pv6$Hc)@%iqnfN|6%J5&(}oR_`@j*KxDd z@Bv?c>QnhUI+Q>rbn1R*9giLdNykla(554B(BEhh?7SFz6rJf!XUG2}Gtdvnl$C)# zY?}YUWcip5UvmHP_@^9r#AIsvuJG(E=l+x`|Dv}lZ|%5K@Nr{?1nLd{+3J7hpqM^! 
zu+!FxV0h)(6WYYws*38|+ROBO7~&)31OuTK@4%M735vsaI5tltRds%_VrE`##u+ie z$J&d3$4J$IkU2mmO;Vt{t7~rat;_Fi`ienX++Uj&0KG({VJAtt;Y@p9vz%3QWAPFbCcj& z?C*m#>gIC-X-Q{cEhzBi?@PaoEdy=06{|bpNJ*%;iB&6H3B&f$G4b103k;D`ye%q@ zFTF-y2I>aucW^t-S*53N$Iwh<2&_1WsCHe3nlF~g#?eeKji-2F=9a{Z~xCIwxz-6OxUsey~^X5cbykM3WH zn*9sei}m3<$MS>ro1yp=X2DglO{q1e`oWgPzm%DQL#>bEoTm zJg9qf5Aj28F-weI|E+e{pILMo7aQI@&K|yLT#T&=<7_r5geul9+#@;M<>$}zRIK$^ zpR0(25_`C%dyM_?_U?G@717z7WtBeO2Ef761{!Fh2R?#-50m2UQM)Nz_YyPPHksKr znVIb@UIw+thp>#tr?6nehMO^xdaRAftWIl7QH0vShlD>VN@FzEr&_7d-G8t*Q$NFB z0R@y_(LnVgOPxHa4r-x;vOd)y_PN`(r^$zUG|1|v2-V@0>mPu zIaY@taRGNnV{?#uMiP9J9xVZBR0@26hj7Jfi!Zap-tc-PKHOLnN_Vo3F0p7f1-{Tj zKabkY2dK- z`3?RldqW}y@J~r=cGCD9j@`B%0p|J-;vYcQXNL{lzEQjVtmy0=8DA&KZ|$GrKTs1< z|ACrG>OW93t-r?eaU@@H8tjv7tuPujV#qbi;&{oi7LN!^pCR7B;Q z<|8w%xx>%OXl!@`J|p$QpX6WIDUO|k)^>aIM@0*k5 z2TS2s1lfD7dc`$7){-j3PpWee__M13o zb&s>)cr>~KcoLLes$yjD$}653+;C8{htoe`%mU9y)Nxje|!noJ^X_7e+#{X zE&KHUpgkjxRa+GRY3rAw5|=w+)Fo91%;T;4NZ8hD^o1=^qzsOQq2i({=2@}_0nAvj zMYtQIvs<>VUK^?L1C<*1xS`Q!(;r?>Y(%)Sn6Wuoe~{5x_A8Wb8W+D(^#?Mz`hzi6 z{$#KSkJmFr`rq@yh;#xPAUrT~eom4Ym+W0tr5k8OVk0Co_Qf~2O2lpHN`#OR{b2|C z!*=%WVZYoW{>Q36;M_DE{bBenPmoMx{E;CxjS$HCn%u4O8`)|+UbY%nm#t;Y+H<$_ z6WK0P_etAj>OO5d!$Kpbi7g9Pi|oi&q}zQ=KRk!>ardi=--GVZ6!^SMh!}!p?<1}+ zviI?JUw0r~G%O=O#>9tj!i?;@sleGaxjU81cZvMKeM{uWaDRW}cTLHH8dSkeX1k;c z*yX%I4;|hVwuig+P5g^QZVcMoPV5#)R*$-;8<@-x?QdYZ$@f#Ljt{>us17b$#>KAO zGS0qoJNm;G(I2*({f&~tjc+kp_c!9;f=(_DF1yCXLaoS<(4Owm@!Z>^vv-BCKgD-S z-KC9UPggt6By8RADz<=Tt8Rb5-t33DxRp1qd&{~o&TDW;V8t~gV$TuNRcQl5;En94 zt6$8tJ4JH30u=wX2El_F-)Vok{5ZY;nwX@}AGRziK{)TpsG@QJ<*WZ1T*dk+{44rH zVaR3{<|+`^RmyC!Cub>Mo^tH1IG`lryWtfxPzgIdxx#Y*Vs}$)D343(j+R-Xh zobT_G38d_L8ZELqN=+iF<3qbua1idSST{R|V^vmE9bhr}L`#CPk1_Z78{`G%Blf2j z7jlEE3y!|dSBIVIVb!A~IA{m@;O$afkc8=-D_ItJoZ;Ek=PoMi;VH@4_4h0$a4uXEfMea-9pG^9YRB9bbC1! 
z)v{j;*`M`EbLhvIO7I1~RMkj*-!6_$dCpeepbyr5(4{J-E)Rd7ia6{9 z@yp4;%5p(?w)ySUu+2Cwr*O#p)?$9^yfDFwAHc}?igWQ_D`?4HDR}HS|E0MCk6m$< zNSr(8%E-p&jAG7xFPYJf<7!EBBJQKc2e6#K zEz#J$+6|1_JzhprduODAHxf}`U8EHA1R_-|>_imUDw~GU;x$8{u88cqXOx@_p_)lH z`LJmiEqowv-9^9mzgIF&lZXQ8lcOQL@bC}k$jh{?kw22|$b+sou(+E#b`Y%$|!Qjyu&>>SFMxk&t8Gk%Unf{251 zX|p$e&SduK?F}}&m9#sXQ54mN5tKNd!?$FBl_Da{{5)lRZB_kzptnDGy-yEFgpEJ*N_4CH|ukaZvks)uep`BIyEd+)LZhn*f35zEwtZGR; z1AJ)b?+!AypuaQzqQ76+$oMPz`?N;J-_5GOznk&*-F|#2;tMeTin&SnRfpj5c4#N+ ze5)jv6TvhTvxZioxw-KL*w|T_4{ptbeg#o2Xk?2F5yTfr=h{z8&rXZ5?xtbS``_O2Us`!FLPy(+Dx27j!NY?clt%Ux9-0oRaTe)17HA+2U($$bvOD5I=2QGFgo{u5xvTa1BD*eeXV`B9cEKO!oZQ{_j9z!#^HAJ<4+j12h^AoceoKLT~K4474h zsC^(+esoMT%Vn&N5pF;jr_wq09ke1h3_+!zUheGG^x9%K&3;Wjb=I5Q+L02u%bcf3 zH~U^bgH9tsk~C^{EQmTIwgJ=`aa1w^lHRQ%Dx4pUO+kqf*&Q$XV4NFyL zQo5GuA7>+iCbzkajw{OUJVvGHspZBf-mrj;_!WNpz`ZMGGhRy6$= zuQNr{Ka<+4Xe!I5+9b~(-)a3u;wO1>BZScaxuF3JjM%us6&sP*#B{MSKTT}3xMIU7 zHLlo5(`;_lSx|49&6SB+(3t#Q#m4o#^2CN~PrOo+dev-#rxhD%-SlkaN56g}W`PtT z{AZ@$gkocT`4RP08;oq;)F{qMxlwJdB>qAA%&3O9nd0LfQhOC2qq3~6r`Vr+nIB2a zgyjgh0ezSs1?oOe#y;yeQ^i9XCk|hasdO&?#tCuoK*zvl=BYDI4ylPp3}N!2)A5g* z7vts5#7k!zsbUgi$k&1^ow{}6v=S<=tXq;R@eS;?lAVf=JCAQP{w!r~yo3^GvYWXi zGxL3#S~#VU7X!S{jR^> zuX4R0%3^4@aImRl>v?fuj8Fuzs0sP-X+Pw{p}?1yk}YU=2%0L$zb$9S$jzK5hV-p9|o(@FG~D}Ps(~aZK}z;@sK&> zrP>_wvYEk0HioNjqMeIx7{gRh733-zwd{3PMQ*Wx(;6uqTFesWZqUHWd&AO^LNhGa z7=r6YkXKB?WW&I&S*%jtk}t4ABJ|+gPpNqmNCw?{E)pZsPP}_1E0UjGxF^UCT|cwp&P_^Yfyxdm_Nb3yGvXHK+M}F z>(9N}e`NhkS}x1PegKGrqvIn@0Emu2-S@##a@k|zeu*L3A09e1AQ1qfVhk}C+ zs+S*uOR=>l1%RmE+zt8IAr2b|E#|DGCS5gj&+F{~9Ogki@K^7AK zVI&J^1PBEY>=3VCJVL>NWu>WOV)I(qBhC+~s*24d2*m1OMMofhkZz8p4-d3_KL|t~ zi!jkR`_LoyMhiA%C8EF!O7bc(9}ExLjvokOhZ_iDH%+QLz|zdN8xK*tET~;(?3-(I z+l7yW|H8t5XSaTqi2qOlxZyaYNafFr_5JpDlhI6rUsq){YN9_RI(k*?9?o)-ZchA% zgKjqug9gjSwbcgogl!-Q#0=@Ww&Qj44OZz$>E>#xhqqI@`3-(I-!LXV(qxftPQJj3 zOL2^Q#7Jm41Gs-_J8f0S`^+uNZxA z!nYzlKEzGLhcMlLx|;S~mP;$?9QvmpAA(76_QKDt|7-ae`Az>PK7`-@n=6-}OazF) 
z%>PD}y)n6u`u(2>5q@udRQS}xn}>!h{l979L1vw%|F@rI|8HM-SOY{fy8XZP#zPqa zB8dOuql?f-p$`wB@8~!_bj^5Mf<(k7t&so`tMlkkdo%|TB0lU#h@k&tkxcY|i4iex z9fRdM>Hl7sh=VjXz5na}~1&zXvXM`+vJ1DnhzXmA&T}{r@oRsUqNw@a)49 zD&kU^#-4M0h>fy--m&O*x9_JBN%rSCLN+5`I*1R!(&;0GXqq_36{-&EeEkXaNKdGf zVXSV2&gV!LRj*RjQZdHic|6ZeR7F!%P>BgT#Z4^HN3ux)c}^wC>Zj`lkT~*7@ndG> zt@{ir>ANj^hpJajccYswOSkrRIk#dpS?fM)6xY4361K~Ej*RYFF3ZEaoF}v9`hm$M zUm1V|ntbPHL~qd0`zY96i=1yI5?P4Q73(7BaS{b?X7KDtIPR2FO|Wj6K;sqw{*F6A z1^Xe5STQ{LMTz?&%=nUT+$&;JP&bHTv2l+y6>#vYz-fBv4Hhbt*Oz?B9ZJj-@n2{$ z{tJz)Ss%y$$^IDbPpteJs;)|2Dkji}EF!NP3*qWg-pJzhmiCKZ_Li|n6PE(_w)W{7 zucEE}(pSuzE$!=xTw#{Fdx%RRc}B1-F4xUOun3xhexS?aTiQR*@_6NcYT5t5!uXAc z+85}-vX!jHmgB9kg-=DHU|x}zBY`P?<7{|O25^2%3n(3tb!};d9EWiG2Qu=e;cDgC z?ce$y8c_QFt(Byu?%!HU${+UrtsT;%z5QEBd$)ci>1^jRjwC;mr?mZB-zF_(|5jWQ z{($yx$;Pc_L}mMaJS^s{4Bj1_9Gqgs2fu#w0}$m{m3=a7pBfVz?$FjeJm?5%v*ek9 z1K98TA#omg@FMa~`PYHGxf3^`Zq}>ox(90NQ#kZVDj8ns`2ZsPSjdz_Aw|KN!5P8n z?bs3+;gb5F-9`4B5#t0SwBi>>`7n%}XxKkExHdSK+yi2{tas+VcH{c69nRxFtlv-~ z`wzD8(wg0E)%D~DR;=M6!nQdadZeUdyI7FTXP=xEs5%;nPtMov1^<^!_R(Xz2DRX( zB^OJ=LwB9dKlsis4bQpr@!=Pm{nzZTV_p6NFQ(}G=d3(>N8m{A1*)E3!lt@>3m>44 zj;j*(d+~ouf6vCgMehE+JH9k@;2n<-#s5;)k9REWY_ja;jy?YO!6}@K@wr!zNL%eU z?`K%OrbO@G(D*&pjjP1JWP*iXlx06!yieZYGUdE{;$)A>5hq+~{6C6U^2Xlm{CFoK zUcNBVe6VK3hZkF)`<}iRw`}Wk_ZL^njWg;uCwnvq4l#eex_uyYOBwvk{1%C_%CagV zjolCBEwotH?pgL~*xup8uXQ2Kz3QA37oRevCVd~Sh^*~?=y|-Y^!tuxi&%>jEP_oH zNLWgJC~cwBSy*<=tERU8IPAf!Azsl)S9c@0Yquc6 zE7&ND7$c?N2{dKPShWK+V26fkj7h_<8uI|6At-ZVhz| z;N6RIw~o8cHo4nZ;O2Ohr@(G0|0F-1FY$jP*?024eNHG)^CoXz2aZK={MDRbV9~K# z$grEc&b{R5a6ePnPJ;;A5bRpd@cbk1k zUld3sM;1uwgEhPOe^4Mj-gij(P9ddO1F7B!r2dU$c^)}Eg#Y8kZ)!>r{kLglmOlU( zqV#(m#h8anXxBbz+-7MU)a<0Ww}$o$8I&Lm(zq>>wo@7>Il$Ykf#-z`LhDW%r4+?O z4tAh%-Ml#}WcY1@49^Q080Kogm|>A!@-3Vo-}4JH`y9;?tUL_(e}NCmU*L=K7x<+7g`{u7JsTdBa(7FX z-I8UuWZ4ZfqAleE%>BipBz=(o^W|o-=t)a4pRWNmovWk|l7GP9uM#kk1g6FOZq#lm z=@&m@(s4&5T{f#sAp_j_36nmlSc=(8`b;vE4|s3Xq)$V;t6N)%MpqelbRcF@!Td)n 
z_2q&i^xPVU?~c&;TSJZVQba3RUgQUXCdmg2^zzyO%^2u>1EzmPzWnW+K-)EgrKn(_ zt&6wP;STd+AAJ(hE+03`SEMgGB7IbEkgcZXHBcUbA;rt*ZG-=tNqAB*NBFE|ux4tP zV%EsB^zh`H&eaA|nCMmEr`^I&i0n|H?Y*Cr@~Q%DhpC}+19zPVq-{Ip#})esd*nX9 zzThX}`4Ndw+7Dy4+ zHIRd@15QQn=_5}0P9aq-NBV=_2u}SQ$s*kdeN4271@uM_VqvW$h+k5OThky$CCmmf zBS6jT{1@>9*Y_D>zEg-r(^Q>OZvhDw4r0A75nCNk<}9qAY~7~lL?GN3^d9njnni~*i8ON}o8(jY??V+);#VQUZe zQ4+Ne)?5Te|0q;Lkr`H((E}!(r5N5O^sm3%Xwt=E zSeK!H)$7Xz&m$pg&=3$sGSo12LjO9Xih+!vorg5J+2~(7R}`5AB^ETwmo1_*Jtjq= z7%*6)!-^&ys1Y^mw?;8ID1wXhMZXn6s5hb*XwCbR6azkQyXF=Hvsa9$5lpQ_drV(3l6Fj`O3_I9O8HzUFyp zFVHMHayvgq6J~@)0dp-m=r#J;qE`8q@8o;FQzcl-H`=eJxZDnt2NrBoNE-ywZBkf+ z59vk)Py2|0biF_-Iz|>q(LriZ>1srwrUUdDQod72DOS{VE#E+@DFUfvK|K?;1E=)@ zsjxig^KiOJAw448Y9L)Fkh<)ij#JUS;PIO60_mx~L&|pwsW7%esy70le_ORZi;`F)G~QvjzR$SjJB65H4a9mQ5c@Zh`D zeXIJ{y!JHx>pqi^qJPc#h_{xuaw59x5UlTEn>Hj!fYgD~OEQLpgTRHWS*aeYc10(hjYeaqf&*{Rf+WV=oae0wpV_2JK z^?rPwdwh|U)CLN^X13I<_;KQ{Qo+ zFY9nE+C(^oO}M*H+JvLgv`x@2w>dH_(hRdqYK8}B1)!u1IJhK6{*IPMkC%+(~%r-EE-_~0{01E?ZuP_Xbe-d^oH@nNU zEHbULj#lvVd?iJZbXdwneQrQfk0kIzth&a$K8nKU{UdR&vjlJuGc z3kus?!W@Ho%lbth#D}kTsKz%Mu=WChKykCGgj$SSR&W|_Aq3CJdGKSwSmCHG6!(qa z9eZ8A8+?Zydh&O&@U*O5o`=UmPo!0DUlO$6ZLO`>lIzlo9aTTt&i#f0_}@j;jjKxK zsP#XP75N7*XxNuu*O1S{0DZ{gL^gRiB5!i*8gk{KULFS4H4K!8sB44q1PZ$odN}>n~EX zzJGLV+T*{A*n~2b*dfttH^`NUDZ{@pR*-Iu+F~7hop9t~d)w&PyvMu4;t;651>yIt zeeiPY*ny~hINb0`(dgKuFLg&QJZjz2vUq5??$w-N&hCi4Z_y^e4%r8yqYgz!bphnS zhd)fog9q?sBTXDxWs6ZFn6-iHV>Liqt@Vrs#u9&zqYU{HY>L(@RI{oHVO3v0pJ8msNw{-9wI3? 
zHEQn--c=R5&ddFAH#Z55X}PZp-YfOLSNvD$H4Qo0xKO!P`h{{UouDZvLdcj5j!cXm z`2Wk&ZtQ|^&N}27f?_*DVu$4&q&cDk>^O)VvTiw5oBz@!@?PIj%7geNYS&JD&iJMEUwdx#x1L@72@I^1!85)L>4(I+ z(26h4lSV{G08Vwc)zkdoev8H>8;p}+m)k5K2Szt|U%%L7#R^vKKhbqnB!@wIE0PCI zvo)za_x)wOusF&lOa4{+pY58T7tKMOZyONKfuLOMc8h3msU=tQoHc7wbt|23;%@+W z2=VcSyvT$vTOq6V|GaBPel&*&a$A9+T`zKAcHdy={qy{^Ch(lugkC<^W;qq6Jq%GY z;7%z?ZmiHJ1OI)kVb%U0br_HpNwvI2My(k?s%aaN?zwKSM|GQl?ilR9$8M=2Ey1#I~anMUO(yVu;J)CwT zV$PBECLj4v=|g8B$d{gC{+v%4{Db@P;C>3K*v!g^{eb1>c>Cd9wf~!4^Gl*RuNuC5 z!N>y+6+gdxnT;mBRP7@N6gel7QOHpp34Fe2@L2>ti~LWV4F;d!a=fUu;Buw~J|{%% znyKXa{or%e{=e&*Q5Ma4!|?qf!}oiBUpVds96{nA7Jj^bbZ0W%Z%KX_X_%k{CQwoB z$!};s9@j=i zx(_II*w-N<#mMV#8*bvEJoidq4WzTnBOMbxPpKP6FKwg&2GS0I`9?}=a(-)@D7iQ8I9-uGO%%wjph}g@P zBz@q-1jN|KD$^7xp8KXqWz$LeD*Lm^rCw;r9;?{o%1CUP0y-j+!@ea^hpTz6>-r@6 z?OM~1_R2+ozXyGDosqweTto}}B>EUSsOV$NOC;Zqy6!lqd_5@4H=}WPC(t zk$i0?-#5GNL7p>aNxA8$1_=0z5f$%p`dr#Ef z7PWuPQ6UkDTjzo}m#@H1A=m-DDS$T<@E&l%YZLH-_eOJ^Xu)gIg5zOGkP71x10%HM zh=t7@6|%*HlhRzh*GPZ#i*Kr*xA<;=&r5uGgOjpAyfTHv%% zv(_Z=&v*HOU5Jx{6SK5nN7Tk-vN{rbpeVfwH<%`XZKH^$fPdd~kQps_FZP1BB&^mc^no=A+Rejg#DxTx~RQ5YVV5LFGcNFqxKt7_A?6Vh8WD{8O-Gy%oQ5U6&cKx7|fM< zm~(zc401tVHbzKbD#ffX41pYi1t0PTG3Nws#|9s3kas+Q4|t*X!R!ppmxe;bO6NOL zu<}KvX&nq9d;voUU%(K;7chkI1q>m4u|QfEt6mZ=V01C;L16%Pw-old&gBqO3Kv;? zIu0@N|BLlxhf54Ye9bV#lfn=Y`(O9z<)@Bbo|a9Gj0oLan%;{eko?8n>vWu!0YZCzDx;A-KG~9@NRlNaP7;V3E6=FQk`W8=Q)*Q943_ zh>*T^1d%zg%82?29Y2%;jAe6(89B#eiI$OR3foac&d)3~GV*~U=^oM#j4*kq%&^O{ z@_T2@G_7u^yw9rZ$O}An9r#I-9?aiH)rZ;NdQ00Q_lHNdMMkypYg7V$J0^gE;KT_` zdKl(cef-%j++nyFHb|p&+xqDed+MCB3(%yU)7WSer z+`qRdV$a))1gYJN&hYSF8As@jqSs))Ur)26quQdQUN$QR(NP%Oac@46Q~MV(kZ?D! 
zcBBmK+zqOIzYHqe<<{!Z!rkCnEYLM2++9$ctHTWOL5hR}C2T}lpzb~z#NP9~z@y*5 z!^Db@+?&*B^3iAwI^s;EH?=R8JP=az2m&4^#1Lotup`(<1#M^5Pr|ogP#^rXs4KB~ zj*k|tTX5!V7PZHKvz8`Hvk&GiLTzo#tNoBctH9_F*Pzi;7tLpw>d(}RHV9FbR064x z6X?#+oe~gUpAEu=V>IFhJZ8nN4j0hLX41Wg)G{+aT!2ZKZc#w|`k9O~7z$^WgbQ|a zDGL{1KAB1P+AB<{aCH2m!Td`eqbPv6J2VymocJ)P7i6A$O-gJZd)W}_*VNNoI|{>p zZHfF`EkBpZ&&Be?x=%vUOV%JvhwpW46oJ+;TB}IY7SFN}=|>VW2ksSqBLWSKFXN*y z5b~uiUuU09u(MD3_~08wMM>_Ou=$P@Hb-h4^|(XGeZI*x<&SA-AGtzRSww8}pnPe;&njE(22ee&rAxr8szhI-V zj`zXpaKR?B6iTg2DL_pcy`d*s&=oC!*UmSRVw35)YnUdKySQWET2={IB?f<%uaTTB z{*>w^KGhAUyhUUx$|!5K!Lc$6s1FlW#Kp1lmro_InU>Wnfyt;4@32oLf|fu6p;D2B zjt3PAo-@WOlBja6Rj`39MUrKHiIqc8m)@D!rIPf)w}GKgM=OH!%(P7ZDcEM&H4_Z^ zruyVtc~0~bVlFNNtHQvbLuJ|dC8pAVDzZ{Y`;kv$2xTbNXENt72#KsD2GlX>;cAlz z=b+GJlb}W-LCo{s-`u{Y+()!7RB7O$(K-pXa<D)0oX8z6>y?GoL{cE30G*kKXvrV-+L2eV+T1V7NTPaNstL;dG3a4xYkr zlS|GimMupxZAEXedSAsIMcAaNrh8+>B@y_E)hH3m0tVQAH(>s2kgO)Ul06#x<38XPB3!j2GmUO6TW+ac^u@#nUX-xQjYu zC{$!8E$Tofq%0~?(xQ&(?u^U+qK*_U_QKfdEHP&cY=LZIh8=H7Dh*5C?C~_@ zPs3H3h|ENt^d0E}sVHRCWE7Y11X@|P&`A5a5^ z8aa!cdy^lc`oIE=*IS$pQqtQ$u`Js6*$oQ5%7#}^VE}`l&sxFrv1AqEVq+^6M zY(5Rk7#wIr26AR)L(T(=94UkRuBa3&8fljh@O+$!u$l>qSwW_U*~w&7>?MRW7<_1| zV0H%YjO|4+3s$Sa>i7jTZ%M>{a=98!pL|>{BEtsBik2tCy3C?10ugR+PkM-$1z4ZE z`!3LCL85vpOA}~L1@&got1XFNkMBx)IHV7qMRa}`w;EcFcWE`nXIjPr7q#FyV{iw3 z8T12F8T6Z*jeatD1+#_++`-)tKXuTizzmvFU?xo;P@2v+Jm5mj$4cNZ3n6X~n#{+U zbgp5BW9Y17trDG#X@e|;e`uDxo5MR}Gg5|t8LDB1@i4>JmO~hLLYRT2$dz0y`^m4% zMOeczE4zjp+L9kOB|W&TVZ0=e?B1Ano`#9u_~!&5r1Q_^tx5g;7v{nA_n#y`{IfoE zB0<~f_|+~WjrTjfDj{B{SFZBifj~Pn%U~`@m%&_MJ%hOxWMi%=zHm@w(d+CKn5rcj zZcSx4D#>6tD#>KHnZ6KFptN;{TcyB+Mo57fOh|#5O!$B@;e5&~WsomLw(DCO`Zl z`Qaz}VB7`;4bK0tXm50$aA3fVsxt#}|7a-~ZAP)fY0iZCe%57I$Ld4`D#5q9~>E*4ZJPM!BIN!`t{?lNQ@&Pin8%#uP=JqSAwIR zQoL$1@UvC<4Z8MgI}9{utL+E@K>lg9oiBRYPJ$F>zWq(Sp3>=Y^A@E?zryfGq%a5* zEPx4?^hse*ht5pti~NmsB={jQ1UsP?Gax#j;=PV#%gU*(k}hjyA5cXg`U7gy+Mqb+6C3*FvVz^7noBIv2Bo{5|eE4HjaClD`sj@tyYYxKoe4`-xn1uh(x>-@;|e 
z;Oj2u^5=NzX)oeBab|bE7f|5(>dog6GAO<7+WXwv&(W{%F6Z7&>A?T^e7XAJOY*t3 z%T-myo#e5h;PxI|07tbspWr+sPv2s?lKbExS56sxC;Y{}xSfoyzt{vp?Oo1JzEyNc z0it$!Y%4EUY)os-BG#!I^L!UV4ooS&tEc5&+1GsrqkQ{(oW+1=0_=Y#mrDcL?Y%>G z&Sd)euhSd$V`&(%cAKF38Zhp(otx9nhrN3uI90)N!)nL%|CPgmb zsZ{McxZvwjjdzHw%@lH5WE@3`xW!XRmS;-1Wm!{PAj-I99cQg{uBqxFn!+}?U=sNB zLGj}fC&EK)NFRJPHdT))hzBn*qNdyx>D`xJ+{Wchmweo_>{Iv7B#6-k{2wQQVkb+4 z^BHB*dqG>$2?IRMBpEAR{Elv!QplG00QvH)W2|AVvqoTZ9zupZVuR%@+sAwNr7oT% zy*-$-Y(L>v1x#Uo*j>87$B}r+U0@OGCJni@Rce3fmnD*IR)nTY1^GbcO8~&WN9E?d@y% zeb_GimhgQp^=I3%7Pj~JJn(knI~zW-!PCnYI)(ABRgE28NU8$oE=Cv29&)b_y6U@$ z_cxgLR&02&`_0GlocC&Cb)NrKBLBc_`DG6QVi8f7C?((FWFtw}v(v)81SB|(|MSEIg6gYPHii!}JYW>VAO`N&}K5???h1m9&vo%#XO>%+sbeOBk9aaZY_M|G1Flc6Njv;!q>K1u^D;c z5qQ(%fiMDpUc8z{;7!kp{Rn&yTFGTf=6p8FnnEEpRyZ)ap8q@f-^~B5{O1fh0?pu< zk2x-kIWBD1n5}zR+pk+BJe)c0vL@$0wWU05OnLfM%F|ORPv7Oq#YmaKh>Hfnh>Hfn zh>Hfnhy_L_7>rEdb}BmuP@S;m^$9t#871Kn?BZ1%Xi0b?G;~UGl|P*&PP+){-Kno5h+g>r97Qvx|YCoXUfxyJh>PwHyCu$CKz2_Fsq@{_Kz$!*6B;zATDUtsR_F-xMl>FtLXydfD7w z@fsL?su$db?PX@iAiIsT^+<15sA{r4FV0NC&&N`pMyEV|H09|-DNiF(o-RsxI>}n8 zi}Ol@a~IKqa~IKqa~IKqa~IKqa~ILVwR6Gw0)z7f+%93?3kp9bgR|jf7yYpr<>3)~ zg$gt1{t6Ie0E8(SEN$5rSoREN>f_jwG`W!M3KQ9ZV#*RIwTl0{`M-((J1qOoBJ#6e zXOS z5G*J=fdngD1S5hCCb>*GWF^Gg+~gGgkCf_ebk)slr&(B_C=``$qD9p1jtm0f$zVFy{fDrK>`6krvi*sd_Ze1UF48jK9(HOlg&J3H#UENX z)3TeawT%~I5^%oqbLzX6Wyns%{b7sKOx-uu<__mSd1>U$S>b=FFzpdL#vf4Ji(FBrG-S}h4662#3}Z2588T$8B5EIr+HVRKBE#r_DU@jWnNNv) zvk|ROHln!%5zjitVJ$VCFfA@&-X(;2^C^!o0`&w#7#J^lZpB{isK_lnSHvzNp=f z7j)Diq2-Mb`YB#EogICb zvMO@^$G`6X%%pD_^es17>EoG zoTgr?`-%_;2WP_u-K-57HYm>;@})N}hz!H=CxsI>{nYRCuz+v^EFhc!3kWB`0>TNf zfGF(9CQ;boU8aCW%hg>AvNJ?{+EPO3^d9s_zD;I~ZkI6v!Wa*K-(!p=Fvb$Y81hCK z<4In6jG@-er188Dvy)i{Z#3atW+%){n4#R|ydO>QURPj(HL>xyqxE^58=^OzQEzr0 ze^vS69NT4PUCvn1eyKF6WfTlQ2wT7peVxb29H=+$knjk?1%fiq^D&$>cpv(xjq&*z?5?eu)^3%M`kzL5JO?wQ3-FXFz0duFrKOSmuN zo>}emGVaT{FXx_aJfku^0?wad88h1iV`iIb%xts7%odw5S1d`f84JYt5u35ZoqeBq z@?FKuc{)?OD6@#Wr=EHCU4^bQonbJFM7(=RBvv&b5{nXj;qLrMY&tPaK0$b_PZO`> 
z!Lmr~5n#u<3QA(Kw;r2bnmJ2DwFs*0C}_I7km?OeVq$@uQcnJ~$$yog4Rl38)7|Aw zFSF(^e=p+#A%DYNpM+Z1Cm|QDL;fCR)Rn(tv@7|0{u|q&{d@QNynDTg?zi@qcd2eqG(I3RhxKA_GN zo^eXNDpYX7j6EA_N6QakJ~q^r$`8?FHq;K2AMLkBq~;ruT4+YvA~VvKn31;3n8p~I zjcIJ^^z%>ly2VO%2@x}f13S)=CO9Mfg)FDI(PYH2MCfzIkV1k&!JHsVw_M8Z$1Hk; zH&R#}sgO_9rkvVw{0^*zWr^=}1HZWhO_8`xm+^bSxkZaXZ9S`yRKmA`x&kDUy4cuT zBM4-uJ4!=QaRVBNM8(b38i1Wd;h+w=znXj4=vBEN#yz}rNbcde8W@W0t}O$UkHmX} zAVy(h7{h&qhue(7MWAl3z1~dR8C-dIznS0(^v$)G8pR(s79I$EBQX;tWFtzU5i0T9 z;Mm?o$=AP~Rg^T4+>~^_%j_-T*{!{W{jzS^6ysLJtxWFPX>8U2fos$=uZ) z9~AgvAxIqQXdQX&wURZFw(8?A5i`eCS^63R8D9~~%147KY%lJm zJgHQ|-n5%Nw{JZrdsvTG$WQi1kR|tQJ}lXMH254?eOq07EqKY+eji@J2#bvc?%v+F z4tO^247^!D@>_09??vi%X3yUT{P6s2#%USZ@Y73?;H(JxV%0ES_#L++@hZeT<#yGc zmX47LAF)xptWl^TyDYoKy0DdVkcK=s#JP}3R>u%W>?<8|-gMF#L&=(qxliH$UYQ@C zuw}!5(ex>RA3I5^2Wz*QzxZ}a&{ zRIzIR)~>5wj|9rQaHbvdy2VYaIY&vxG=xv``AHf1=g5Z}%*gP1l>3G`Qi7x9IPO_W z>0edno$)ghoavqj`~n^VFvmO`-J{8 z6>Si&=Ut?0ElD&vkMt0L4j4aTrO*qhJd54zJW{9+m7PDD^`Wx!N5wu=R+PaqMQ@R1 z&Qw{G(}w>i{KJ@I)-SzvJeP;wR{jy_I*eDea@2v;KCfq5WuPLPT$X}T#i^vEijz!K z^r8B={(Pdc*7)&>nL*RR*(K@wUp~Osw?*pm(+p^#P!FwpaB5pm(;P^#P!Fw&(Q$ptAH% zR$cZsih?r%{iDRSmz}+S_4}UM_4nWY{@dSw|3v#Q`t$GGQqwPA`sGW% zeCd}j=Vw9i?Debi3`=$SJ8G#ugZy(&uqgw3btU#{3qPX?toKgEzi1X)_~zo&yFm8g zB-yN;4dh3xS7tP;@(-t3Y(kL8%`rLEMSX=vs5$#2Z81<1=B%#klX+d;~~Qo$S@N!JOCMLmPG8Qm*Z&3 zIpPv$*bv33kdPZ1GNYl=8OKf;BB)H(_!*pG?(b5F+MQARm8iWtYCj*fH$)|r2M(FB zAmH{O?6`SH#>0Btn*L1w0e9UIY>(aEa;Y# z1j9Jrl#mo2e1~25g6#Q_eRL@h{w8YgiQ3zu_OGLMlR0+4fcT675%AJN8Yp;e0$%Xm zXpX}XbkTz2;mk337O&Fco^>FHMGj4?DL!_=6L(v|vZn-W0W0n}GPKP56!m#!Wba zC=osI@0$)XqXjQU3l4HtV5H!rwjgY`h3!{U+YxJ1`j@1)!)zzW*r1fro*xl7m#Xo1 zTvP6Rn+MQZ4q7WgD*|gKJ>`L^^p05wtGO_=;cHGKQi?plhPfKHVaVo$2Ff^G?%XQ{ za!R3iL2||c0dzQCkc-7xW?Uu^wv)?LLUwYQMYv8ba|zWc2cX^MLo!^!>Rcd2!pG(J zhD`^^wuvQTYxrRT75}?-->*HRmnZA>@~`Xk^3xW*Jl)DA2?@@95`x0-KkT?WZTodE zaazwh4N^2{&p*0_8UnjvcBJEE-CV4w8)7h*XE2vHQH>2De8KKu z;R_f-_yUFyzJMWwFJK7a3m8K9Vu7?SR=tGqtsZ+&7=ZnY6lTsalEOvOosL6{)c<0= 
zvcMCDA--l9;z?l$&cE2Fm!CR%dHRT6e$~yT>0&kk$Y0#OK7#AN{9W8?u2Ce3{C#@2 zxyIcP)PL!2%lx!^J;_KSf8RQ8u2EL9I0K8^($*+yE$CP$?&?vF*5A(2q%3rZUyg~F_YTmvj+ZmK9& z-Zn$a=BWAhe}IDeRt}xNviK}F@AbB~23`Q(oZ7$8O?7RRzc-F-Ajb_WI?{YEa}#z*c=YBZcmqb2-Uku#Cr z)V^5qm|e350S~j&)UIXgV*(Yloh{mgf<7<=v^;HgUplgFP|+gXuUK*3C&4fbIKm?` zDjdvP#Qq94v3|&)RbcdoYtZPccKTT#LWFM+qAIBbQXwbMouNA=AY4X|&VX>?7(rc$ zMpV1n1f|G3>#ed1N5?-J%)jI@iUOF+fuxN&!if)q`twth65GdKHbnY0v0-wQ?3&cA zlk5m?X6GtD7t2rX=>jICDSoIuMc&xROrpGly`eNFOwe z1Pl<))A3Olh&|$U`EaRKC!2+R%Et%a$bga3HDU7|DQu3^IO=hSkpD~^qJ3VNQ@XYx zQQvk6i_q9@^=zyS%g=4{bG`h$Uw$r?ADT9AFAUW#*L>MO%N5my4F&V|qPx5**Am$? z%e74Q%W^Fb7jT##p&FIF`?yQkbUo>If<4(PJlGcoabZbqnSvXMIo$~e!yJLWS!MHLmPtN;dBdmKkq?Ag+3=-Tk4c8~tJV)luEwAgZ zKw*I3j8%Qnpf4I^_p3f{(dR8>gk#-Cgwe7uaZ+rW*FWTL_kQW4!5FiNx0esmdU;+pUM6&}C_9 zg7trY*$-r9&g*lYxAUCmJab0Mtd4-lKm$*3&=>~ru`>RaOf6fyAEF}5`A&QzOF2qd zXZ<6GeZQM$2x?%1Y@k7*clQ1(M^gpMsKDqm;zrL1tyxfgkDrYaLcu>Xm>3bq zXt>O;!4dH;ReFNIpwPllgLj_^6Z)skSy`TQips9xWrM8jX<|z@5ag7kYL1c52^tCC z`x#pI1K-e=__R2N&+%Q!GAe=Z+&FwoMtew?hlKnV!8gMpv=IL~UVjk}SYi;*(aVG6 zW6{fAz1GO4lOkH1mpw;7lbPFX6;>M~VN{N*`N-;_vypc#TG5{wk50*9%6`DJuJTJ=@(Ke05=WWIkpQ)ps zjG{rr%Q96uo$DyBLGV#ZIu)4<7s|5NJDGNQvbmPUO+ zwddOysW6ko%qEnTXJ=V?FtIV8u)-<4FqR%sq;MHG&M2QDvr$)mre0uRgW2f0jy=<4 zwgAJ=;9N-=r7WWq1((HfxBMW957)@uv{xL9zJf2NCd%hj87a zLC$mbQQ0NDY%MF>#QfhHM?3)+XAix5r38XWPb!z5RIpnrKUNGTmRieDUQ4QMq2#mfBKMs%VTUxK68|C-Pt?8x+*mu7A3KhN zP?#|7WQ>CMBavcfDSKH8_P3Cd!cq>h6om65h0iF*Sqf$pr0^M~m8IbIGo*0AJWgukqwW}+0<(Nbs*bi|uAHo}|L z8;Lf{8-YCI*c}c(CknQ#xE;lseH01=&GJU{D$z!G70jr|&oAeVaP+oli<30gNFi(( zG{Q;73&3bc3a`TPAJmNY3|8f-3@WgO7vOknCriDIeZNK~*MTpet#t80y5Q|QnOok5 zWg+$zd-?b;{E#>;mcGe|9(1-(EFYTrQ_tAH-xGFE{lqk18lTaq>I2VPv!9QQ(g(Vb@vlR1Y^TM-HnA?i;7x2OhP}nemvzC|f z!pl&YPvP@d@WLxlI8I~bt>lGQqA=H4^VjmiYf*SD_%S!C-nMRp4q>_MPEz?{)N5I7E9mvs~LS0?ipjRCYO2zQHf=yOH7?`3E*k~ZfNX$!-N1f=y>q~2KYNO z023=laK;<#PEzzzZ1X1IB~cI@UkU zy>!I@AO77H(Wm4?UY+=kvoYO)joC$=H`~C*FX?5r(jC~CT@teKt0-W!se-@4p|k1~T&Cy_GQ}?HyafiC`mJ7O 
zE8Rh+*d?J%y^aF9Oa&iAq(rrgf9o3tk^i>w;alvXEfw;g3g(A_ zNMB)Ls}0D2QTFw9ElC`geWNzuVr$d}T*P$IhR{u4(W^FCYSaeCMq*V8bE zc(aN0!=pz1pjU}DV$>MCkwhA!5K1}HFE7BI3cQL@hk%Y;$t)u!vz!;;c;gNOrevUC z@}OX5LBafBBM1mRLkb2VY0UUne)1xo2Gq@fp^$x^*#)1-Q23PUhF2%`!h5GXXe)M6 z=dCbkt6IIxR=R_>VwZ&4su2asf`38uVZ46Id);84H1h{;{O>Y8_}N2S8kAKUgea=0 zW*HR~mq_k=<%-Ivy0}I$sxGckj9P~au2FTZ>{WHmH>xgUvzOC|q*QoEx@LmT$mbm; zQf5ny%1nnXs+sggqRkrB8*es|dVAEU-t;QbMvMxNH&KsveuSDN{U|HHc?lOu`N^wv88FTU zjI;mWYD=zcNjq|7OLtJV?4r(FX;8K;dYP?s2W87H36*US1;{iE&U{zXxA^W1i&>>t zkix;@-y2NAM~x2;7#}?Bp)CU{7ym1BgC8N7oKDlm4h3X17j}#ULvc2oiwod|Sq85n z?3<_HJtt=e0`;|+{ec|`J*438u_M7bjI=1{FuDVWu}eQ3(!4sUU0$8;P@P@+;Rxi_ zUyW3!J5*M|r5`INUcD+(o$gSbUHW0l@am0`>U4+d?9vb6U4+d?4r(FYmn`Bz06j+gKV=)LfP&_0e#sQ{3hP^AZdh9>syAw4*H-*-=E$_m0WCb zvHe25Em}eb$0TSk4`1AXwA&%=DUkM5NIMKL{*CH>>`(d88MFlLPvx=wDMN=rdLJzw z{u}XW50pn=aW5$9E7L2wbwS`kf$3Wpd2H)K2QfH20etiEO+Qos9t>|I>aczOT+uW@ zXlJ7uPChs7L@1z z_be!hO;&b$zCls$oFu(?TH51{2Dc(gUNql_H%Bq6>nj(x%P4fF{#{$L0lHx zg(x%pI<;%|ZvNb;U-$55sg7T>_ws9%_A+P+*qDBuP(Sp`#xzAg+i`wf@Sb+nUiR$7 zt6}t8fj4~VSB2Nw>6g;Uug_`MG=vw>&!)Y!DrqmRc4{xHrt$2^H$(BpCwpV`okn~< zQpc0_f)0J^5=)MIgYW-e`p~4d`k+^LF8?~|+YsCSzD>F!LEps>YQ2BT_e$>#-q8d2 zUtg(LP4O<%rpk>>LE&|#ElI%b!X-9`l3r1u8trPWh5ytI0k@uk&GCrw1Bd*$BGZlGfdB;PuR9j^l_-4851 zD-;gF|9qgUa2~K#i0?W>T7kBq_&P+Pd<}q`=)l13qTzrs{+c|q>h80QB~4t zcm?pTFNGlm%^O;fuVu1eRYUFx^M+&6rg8$4*!?V2o6hdrfl9;aQf$4ceTj;1aK+{` zw`^Zuo+`U+c{+gzp}W7wyL0T2nfNb7MIh^E|2^BIl-Ms(kPjfp#)hwBwZ`=D3E=J7 zKBdH-98Ntp>ezhS(BoC=k06LWsXS)Pry>x1X8jXH2nqV$`6c`?q4+O*Xb}A!;h{+S zKE52l`S0HH($@3PM5FLgTT%f-ABdom6^Q2lBhQ!AWQSH~jxBgIOU$!HYDLQrN>rZC zq=4FkDvP#a4<6vDcC-?$U&<1p|Dq*r!T(HH{|8!qW7(A8CZ3uSfsF?T&QnvhUZee;xy0~mENu%OVu|tisN|`3W7(A8?|3Q{eiS3AEWR5U zh3=20rUkd~vS~46j~hQL5{F+8uNOz3FZ0wmc*gV8ICzHh)Hry~(ToBQfDy`!;1Qmh zVSqA<@kRH|99j60ZEyjit>1OCqDz_agYIy zdi0*e&cIQSg$_0B_53$>)LAz%Gt+v6E%XG12Hizc4BbT%4BbU+h>uqi3m(FSu!0L= zgs_1{ES41H8_*BS31VoLlM#t$O^FhukSoqYM7E0c7 zERpj4lJBXirIJ!6RhACJ5>6>q=d-8CNogApJbSMPA5acE<8%RN4Y>$kgtOP#!zDA)(9o+ 
z{9vOLVn2-_{J0msX%$bHT8%K*5Mlo9S)DKhH8!b;FqA`t`71Jw7WT)JkHehD7@n@2 zd~|-lCw(9n@q1+?7o>_b+7OvE4Mt?bSU--mG@RAR)T1Yl67(piJ<3I$O8CUK-Z~fU z;B;V7lNpeR6h$gm6ltU=3<}MP$=xMP$=v8zLJ<`fdXyHA z67nc#JW7|5YWOI+-hoEBZ9t<&IgpGf2a=JB&)_OPn^b%p0r`B>$fDaltYA`gUqsz zN8b`UNAil#ekeDb95)-9ob2DuLnQ6TcoF99Z_+!0P z$4K~gjqoFh@ON*}3BMAAU&#qiIYjsc$kZkLW73}^hz;e+&999w_N0F{N7tuXdNJFV zlsItkaoC{ql+Fg(36Bu&jSJ-K5QrDU3I7$Hhrt5G319)@1h4>c0$6}J0W3fUJ9HBn z>?_D%?}H)u!FRnMA|1~dof=~Z#291O>x{7$jDdITNh44WF~--BsWS%iZf=jRPx`Ss zS;p~(A$*$E305Xpq1+q1^+(un(xyUStq}_cZMMFGYeU#gm$jRN&z)ra@F~ZoDTkRq zL}TdGFfud@ejv60KlFDUM{6K5xygbf1AyiSQWwM>?3gof5TOiuRH6kmt(*gA_b4SJvv?_VpcE|aW!aGK}+c3EAF zGjYF;sr&~$$ay5}fS$pbk*8|C8` z|1Lrs(B%P|?$0iJM~fAB2Pf6jFB$SfzhW(RzzVB_ew#7t($4|wihd1ROu;Ky?a*&C zR;BC;rzrhifdiI)PVE5dN3`qrwQGZRofPEdUeT_TaOgk%G|^|5$owEFdoeX)dt97- z-|Tz)p$+auYY%){W1)4$y}{8i4?YV;zy*|c(l>l(LI1?7&%G$X$Wx0i}Cs(EAiq%(8Muo)DHNbdzR=O8zyHjVd{Y9{i+bcV*>J zwB;UuK=OU@(U-&Fe0ANWPT71(BNo0@fyjh@Q0yh}1yO8v>(G0HFT?2mY_Y!jI}}h* z{B1f{))uh`S+Im|97;ISnJG>%V|ZurH2Q;MV|Ny((;u8hytDW^`orXwt5iEzsVRJ> zP31Ff8lP!1xN8hkGk1+GSbXKl?p?#kPDc*U7{uZ^NPzlF69gN4iMCVJ#~bN{>~Jlo z&t;FOCKM9p2wD9*d3X^Wm5g)4^YM33F<2Joh5sY|T5$+3ofCco{thXIGW_JH4`U9p z!W_ei!0ZfQcIvOJ;GAD}vahV*EMHk!cO;v6Cz+R$4jmo^jl@D|l)dmX5_L1#(dM`T z8gQ~XZpN{L&2e)BJJ%dHBiJ4bZuqI@zQH%V#L!qvXw(C6bXHRDa*qm9J2->7&_-t~ z8QU!wN4{;xCVad4u0sg%_U3o%fN8cm~@&+=`W$%4->LB5S~CsgIKu_Y*Ehc%NDn%zs= z1OSd`9)&|=4*Cv+!~N}=K@#oXt%N0|LsIrj1$9h3x4PNa z7cN?bt+(+z$me9pim>@2I{kK@tO~FK+`@0_7*&p+zmpxvu~UzX3Q34Ev*4Rm6iWxL zlhg4zje}r5MA!+_0@zv%by@H(D4J2{qf~;X7;(8Y@voD`hj)FlS{yKvemk7qkfQl1 z8i4Ycd4QDxY1e=Rykx7Fx=9bsFaV4tO@F(O@*j^<+sj@oipG$A-rC^^BK4921VJ?L z|2leU2rD#BNkWuN3p$Q0!VpoE7A-omaG!?zG9b<#8U@DDDNTq|A4Ti^qj*o`Q3?-` z5IsCuw(QK^ZVInc{)QKvOSq_0kQVVEIp_;exzJ{!KUbeQR=ELbR z0~CpE1q7m&4q`6H{$6CX`nYt6H5l|(By|nkCPkoY&(;tILoF&~9e6L;)-URJtJIo0 zJxv}n6~34?@Wm8?VMv$bQ*tz7wq1!>CJJ~)54RJ{D?Ul7->Rk8fCW?W7%VuT7fbQK(ykTPn6{e0?q~$xmn|2@ zIq}IYajsl&%&87_s0{aZ}m6|63Up%{!e+y)(1MIldG{Me|-NbTHXvE(7O?n@SI^Om&Fn8mEFb 
zN}c1;UX5t3r$Y6D%iOHyCyAQ^AMAc3AeyV43fgFPjz@c?qPdO=RbS&W*Qxn-!1Nno z-MKztN(M}K?AV&uCrl}T>AL9|ul5PkSiofdm+6=Kgees;HNLp;ix^!Ww95ue&rf^$=Y7I7 z1u%`b{lVQQOkfrN!?)dXp25Ufg}6%Rr!kD5K$f!H-{<-nOq^AysLoF}x`>~Eg3>t; zEcpip6K54Fs`Jye#82Sfz%MKR7-ArC?xm7CJ0&r80;l*F+wa=nCrF@5*?q~*L4AS* z43utq@28D@fkfOJsOsALexERbQ~dAkIy$~jm_U`X{X@T8)+bDmsM4(?_I=nVOyJ(Y zspJP-eZmAz@ed9if2~iLAmwG9FSmWvCrps2(xyR$kM;=@xHs?}`3_&7FcIyhPQD0X z(bW^N3D-?y882aIWt+~g+R6Z83`ab|71Q-Dosn*R=-=&S4;LMAzKJ_ybrk z`$71QX&ewL1H?vD%?&Q%5YWH$7hm}PuQ(`F2D&7oX+|*~0Vf6~zw|vYKFwTI2Fw=G zG{YH}V9@@ug%5tcFL;3dvVVRn>4m=F0UwmE|FBJ)A`-&`jttZ--n^wRcxcj^Rq|?K zU+{noWi9Vb?CuL5FhptcH1o@S;Rl=<_~|HHeqZoFM*Po|+}F_;JQD%W-Dke?MqluN zF-reZf8dV3-~o#UzPtC?*52W9nuj{gFon!8h0IHn$am{TM62*ZBX*}~y|C!Pvgq<) zyA$u|!E{Q7>68M~Y3xiNT!%wv`jQ@y%(eI$#B*3G1cIsRe5;n`_9eL`bCr^3<>@xP zET!3aS`wwn=Ej-6NfK*j((`C)rIMFK`B=?LzPr!*Z-po0OVTiZ@mxurgwNg%mD1s^ zq!loBJ*Q(EFV6K3N^d}lDwU!^{G_e5-EROr2KWPd}|}Rcv0)3GJp?&npEct zALTfo|L94)mKQQ_XcvA^EBtd^T9qWciS<#ZX&q~_cMw|tldMj3E5n}whYOtDSZ-ui z%lNo2eOV9aqE82502GjePXn22WOFI`h-GsPztqzO$LPb`iqF%*=}h@l75Q{QKD994 z4z~f|_y3Kfs4_rKs>{MZF(C?pPHY@c$Bt;89e|ISor@LT zddwlPLaGyAxb~ROfFm4Eb;Bf&xr;1pL>*74B8KQBhL9)JgSd)!U>jyT6Uh4?3r+uB{eE}$vi2=GvOna)B;E;Ny!@vY#e)&VMEOu zOZ1;igY7|oHdt@~4How)(sk3Z(!zMF(ZEl615#zc)*p13? 
z&0}d0u!wsff(ES4a(JNC!8{&w9gqujHv_Fe^>H8{Xg(<`r-1uxkNF(%J_Q2wWs=6Z zH-kI;(u7(K`LnD*tJ{}636e;uB#b~XmY3#QNHEq|JeiYX7UVH`=nP-dLi(udgjy!P zoFwqyO{hZ7L$bM@C3CXON|qn%OP&@U}?3y)9<2zq#!1Z1#5<`@53< zZqfihw26k&6Qn3`(Yx*DxZj;|KX=@3THNpMxLz}XXwqQ6Y2@$`L$4W}WFBH0Hpps;18?@1;(pi1{ho>Y#p7dA+%Gro_tm(c z6!$ZYxMrx;JaV{g@E{>+*bs}!AwBN>#m=@bU0d?N|9tmSlj)(-m;bPD&5a8t|FG+% z@6K7K$9MkXf0|0Jec(&qz0~G)NT!$9>^nK@hm*S&`0l*%4-b`^h7TTjjaje`O&T<8 z#1Nas^xN4jFWK93SNc=8*Dl+bVVb&mNA|b>+FdaI{r~ge=p+Abdbs@OuQ#u|<-W`x zoNHC?@|Xu%OoN9EwGO*xxNXEpAt@>sNt@tx{TAK^7htV^Q&6z16tCw;GT4R^z&8jR5)?>}Ah|Re-h_Nyctu+WXSnLOr7`GQyXhd#~1JC zEkn*r(K@{7PqYLSrGzMV2`~JZL){CH?dW3c8p~s=cw#KaY~zW#C`5TIi)ZxYu^GM9 zIE`>T0NJyKt+yJ#iPm5|HjWicz+=-{K?9H7ttBuXle7oMV`H?3ggiFV&<^9Vo3(^q zdF*YxfkrEe=k5M)AZH}j01H8%BD?RseE)Ig#iBU#q9uO*jx#UD#hDi$#F-cO$C(%3 zh%+yQPitS;Q*$?FEc5?%_Dd^U+H1Gl(^GdG?Q<9>1G#-uoNBlnKDUuoRW zH2509I&7rHHe%3F*hIrkcg}jq_j2jU$v3W9@P{9E?K1`bd-dFZdGGdDAG_(`NB88v z5N{7eHomkQ*aUxqDuYcRKwR#j^E`SNn=n_fq}HNh^Glu>D>fB8v8NDd^IcCR#pk!k z)E^bJJ9tw)Ylyw|5#&0ZYG8(M!%`)n+XOwQ&z-ClgKGP;mcUfoF6{x}6yE%j_K;Au zeb3MiQ*A%f5_(l_-_;8AP;G0q45+rko4eRUoMrW|Jn?Oej_@8u)*G=IQCnyvl_=#Jbl?-#jjR*W!$@WN?UEWu3o zS2hJ2*x^@N0%M0awFe-h@aFGo4++^}v!NZv4&T!fdS!=av;sZY;V~_PvBOFB5XTN% zd16n*|5t2AlvJ+Rj3{v*kIjhIu*7CWYupi=5v>v6Q*lqIf{_f+C>_Ve<2r?GH0n3p>Kg)d2(RgSxM=XZVSW3APIl84v_+FIOXMn zd(%-$@(6!S%5(>g!tvDx5Ap?xC!=K2NGWg>-YrVLC~Z2XHIRIR6gZY5537>sUv0b- z#q@7aKl6a`|4&<+o-qD@`>$hOF#g{kc(}&+-!jN-8aiaKb@(;IY{JM9N%8Xw_rKDa z6LP_s@pEc~%zFke3ACq5UlKN7A3^bW&Xjj-)GGlTlupX{s+5 zAL~wXR6M;Q$ssEBqO#M4ou2WfF5#7fgK_IJHwmx!Z*f|Z9oW(ll~R|oQ_QSq+2Z&b zx-~ZnuT-PNT!+6YyDKY{Ly!zM?I4(bew9AiR zB1TYN>NZ_04~X592)bfNMwBSyInLvVl0ic{o++HMRa{to#9AJ3x3yPXXe+I##`W~- z?xczfMd!^G)kXWqRa|J@ft%BVDoz*G-4Y!(r*=FgCt=uVXb1kEMyo{33mdGC^0LW7 zi26Egt*C2jy9{Eoftd2Z(`^Bi4Fa4?1kO2gMP1Q80;d8u8aU{t0{=thfjQk^8T5s} zm*I*jz-f7zD6|kfhpZJ%ZSOfPRtN*eQqNhOSey9QrR)NBLA_IhUFHgx5+tbnsL=wb zK1yO4PV)(1oA_U2ePY(?TLAHg=8C4G27We6D5B!h&aj)bE8xLY_vV|v?KakTA_6D>0t!k{3L 
z=r@^ngCW(iW?bf7E+vF6Dp9@>BkJNKa+!mKLZ}4*X|B~qbJkpOv}iAlrVKawXy!Un z7~*OG4Z0YMh6!yIB=meJ`<%)N^ihWYP33`yB16g0hJwDRG9;G|-;aSjB$V6A1CO=U zVGJZ`q@oa+g(nA%RHXL#7)0|fCmX|#icp(QDZ&oXl9T~Z<0oRA8B`G}s>fX`+HpG4 zA|nK?C-y??$24HA4h>dNnjwX7&dFSU{4t@-2DQ~zg;tr|v9SQuNvM>VtQ8d~t~Ci* z_2Fq`3_K0&mIpE+ZRO(At<^N_?8t}+_$dhqi7FA~+F9!f2uVU;YO9#sRtW_k84cRB zqDErMm7}y@gEj%N0B$?Lom^DQ!1V)KV(=)*k`j`Pbg9#k$|RO^waeUtZlpE>wu(So zHw~K!Hsear49uKBJ{hA0+B!9Gd(sP>&@reYP;`JeA&f@BzJQg$1>nTK2}nkoRfkn) z+n#iTO7YvEK+h4uQkfDe6Nh1L-3v)~A)*4kfqkj{o+8LJFN2y94Kv?PaTsR4GMfB` zHAltp{2!H3nm#+O0SvEhKldm*i+y0!6ydg3A~m*)nNTBq@xA_Qd< zPsWZN!vw=8AU0R}oP{{Ub6p&Vkf^B65q8+1ypKcM_Z&AyNivX-{F>5d<8g8}jY9^P zU2xZjgGlMqc-|pCu=N}}4HGhvfDgE)kCh2XTs%TFW+*?tP^hp$bvFY;kc|Y4kerwi zbd|4-rw=B;fX)sgy-x!=i1DN(W`wc5FaoLj3?}1TZXn}55u!1JLG2TYAVKj1$2cKC z2{-`*it7J9nE(Sa%mnBrEg>h61SRAIni6P05eZ^CDl6n2jb=iV1!8wDKMIUrz9pgpBgwJbV*5|%A<2b5)+WftP5i(@vIx28xm=6KpQhP z5LuZ(=t>-7kbs(eYT(f722W2-9-SM|Dr0|Lixbx;AYRjWdqB7v#~tkD_4N%ojFN$J`dz#3-)ne%akV6bQs z5Da~hA=_h`CAz?L(O?FM;LZeeVbz&*#Th}U4layNqr`;?2%y#Pfq09c2$no6LQ^dB zZ3uaCTCj#iB#_fG%kIQ`V>~eJ0|chsKySL>}k{B@1Z$7OXfb;_zL=KKJGHNVl^)E z!ox&fXt;JA1WQ`X+?9!`{}BFU!Y-i-q=_$D0bM2jm$QYws5G$N#7uS_tX%Bn0A!zt!kI8-01=!QS`~oOIlC`VUWc=jgMv9+bM z;A;FK0#JpDQ1^PW5lL$>IsM#d4W`3F-3I_+!)Ks1F7(M4m*80DfP4m8<6@tT@k|7i ztFASUcCRN}gm{CAX@7a+>T3@bA1j%QhHM;s_j<4&G zTxG2RTO)VC*0`LlQF#u0!Hk~IKx_1EYse8$uDaHMtucGR)_^PgGPcHR^ddc3J)eQr z=-bw~ONZntYYo^M%LZ%>SblxZCf~)n^mAfs&=Q%0a@Dm4Y>kxzwgzd9zHN=wIC}T< zVQXB#@stdbtE@FHbiYAwcnp{umoqmO;M~y9iMeqIN9BHIu8lY7y`KS#0_ok9#c^Ikf{lG%X7<17n+XZ?upsurE^Rn+^tzg zLExuxSF*CaR5V?X`~I?H#nTPL*h>Ji1)D_$bA-2WBICQ|$Gh53-B@0*3gIfU5|lIF zEe|~15MaqxIkUaur>hSPk;k`C1{EDy@w?Rr?m>pzT-4=xwS zx8a*FemS$2Zky#yo-u^#UFXTHlgC#fjp}`o)fh`@yl@j5M6h`Z8%WdA_Hh;hX!f`dSa)~v}!IYIw zR?{YD0-Q@MaR{rK?Lo?Tz|V>|=`dDlqp6}M2_&>$v8uss*HAhUD0K_F0OURm?t;e< z$to)VY+rd`RYNsP2FNWyX)RD%OBp&!Yk|@hx4FV?J_XdY1EnEZImfbfl(x$_hMl97 zXAnwjfznEOe5agwj_O5FTB#KVN>8C#UQgMjfd+7P%9ck6rL{Urc^=?v)KLn=@Wcp8 
z8{Ot|xA`QshND1Ra2^e7n1c!K(NPL;PO-!YO1tIpfS(nQptM^XO(!);Affe&#~R$J z8cN3krJ{h-MK#_6mp+70W?3NyLa=y49qR)i*8-(=Kq;ukxsABA4k)d4n?a~npyo7C zitib4Ce~33u5Qm=1AJ9FN`V-j7(prcsnl&gL9GF$`(>~_(U`S57~G?y6yO|Ui4l~ZWKzkBM^MU0 z1DONwpCAnFMe7w0HMlc0lqLbCPYZMuD`z2~bRnYIAq`+4#OgQjmH@IJD6I!dK{Z~K zP+AX^`rYP$+Z+OF&H$ymbbi-S3a)P9sL{BaP+AX^9%nMTkLpEGdR!|El!nkOuLq{m zQ2I~c(50({Dgen@2q>L{ml(Yi8UHTzV+CN>|5Ti>!jG*)~x^zxM>*r0E0wmIHZj9dOm{E%jiOf&H`BeRr)e4V)eT^DRl_RQkf)f* z6T#}`SN#!7RcVRxD(Te$V^zZ{*0&#f;U6(p73OY^>eT^zRm18h(W_B=)r3#c4A`p? zC)E|QSM5=(4%n+#%wA26Vs*e?y<+xiMii?9_UaY0S97CS9k5qFr5_+_ug;EQmGtU> zy?RCL)n!qv4%n-oQm;ns)s<1Kl3pFKSFeb@x-p7X(yIeo{~A_5i60=c^{;G?Vs*e? zy<+z2OHr&2*sGsXuSNm@l;1|NI$*C}F?-b?#p-~)dd2M3+9*~B?A1@HR}KEvC{_pT z)laEcqxNch6srUF>ZjDJ2LCF)2G0GfdQcSw20#?_C{&83G6tpMk;kJN!>4!@svZ(J zBoced_9(QlQyy_jQFkonOplGyeeUQdXpAk5M3rg*rBsPF?2TJW(fCoyML)1IDQc7l zj4Jl%*tF;-*)kDhgGZV_qt6y&bZ8_n)ELKvkT`_m>9Khjn-&DBkBwrMc<3jEziDIR z0iSx*8~SNv!MHqsBp!Kqrxw|%jSV=DZtQq6^(`H3Y~9F3_$H6sR8pg3<8hcb$~d6tHT2VI40~i0pnyj$)=?W9aE{?|+5(4q zXrneZ#E4QrBadZNa-(C@f*Ajo$lII-Wp;FI|GVVP-JmRsj_rS!yon9U%IMhsSIL`f z9xCIl6WKi9E}NI8$mT~=WpiPgYDx(F}SQku6s z?lly{M=|cyzlsq}n^!6`HDL>CWwRrgJI7cJAP+Tl7Dsw9VxA!QDG|@%eG{sCso;>7H zPP)DCApLE+pz1`HUg1)mW?Np4b7GS4!XAukns?nzR+F&#b-GvQ-emJ$Gz*)n@g#cJ znJMRcxOc0v*)DoJ%}-t-e6ERz~LyVcbT*WzsJ9OUk>F_nj8~JJ0vw7}ONEvfr(o0VKlauUd#k^}^=6 z+0A)j^F-W8O1I>FZ>ZF9m@b>9e3jAaMn)^3Amu^*OUIIOa&ehQsWZ?G^cltIQzt8D zCGT;xa*!@lH%-Z6>3?#nk9^fOO_fL4oH<98DpBy1Pgk8;NzNRSz)zZz(mB5(v(C zsyj^O7z@9I?p!(LC3a82J2MsMyCyMQ9#WC`IuWNQD%=I-XkXa;-zc)-W(H%s0mdCx zN0`A`+G@qU8PG-{owEk#%0?gslw$y8A_&s};diW#&3@tex!}R+%DOBo!RI6RydRlM zZo!9%HTp~5wVkFXM~LCKB(J}dayOiut~`xtlfqR%&xT_zi23us#8}-0Rg(9DRoHeA54gKa*tQ>cFy|$2%Q#4k{nequmN${q z(dhN327(r)RPq&BrJUWuwqLMh(c<^ESe)tpEWf9~FKww`lZ;`wE1ea{Mx$ZBlv7&N zR&lA#PlBa^Ssp0a;M|8UOResl+M;$jC$M^~A%CV`-yQZNuc+;HlG>??Gs{MQtXY1% z^w$#;td!^to5jCT=T5=Z8Tvj>taU-ue=K@iKFX>GkfB20f{9?y7Bu)Ga(6!$yaQlb zCV2NiReQEn3!5jg8;D{$ZW0S#azyYJMD9uhg5eOk^UoAt?( 
zoY4B~l%QJyBP$_g7ep;9C@ZD1(h=p|ecv)jSx%^AbcA)M?Cxl??Bb%;wi@#W%?zZ6 zojLE8jFbvaxfSaNIA>xbk|IK77^YNEkrNU&(}cERbSxMoO$-!Wm<#|}R~v+>SAY%! zAWf29L-pHpmZSGk4_>^i4C#JvRCSo+NfMG|q~7yUc%~a)PTdbf1y$32vt)&TvDgn zB=uTJxv?zEk79cJm>Qp72$kWzI7E1!^p}*=z2;hcm5jbQ7HAnHr|XlPj~F;H&Xsl0X{i_MF1n!P9*hGi?op}E^I6A0 z*NEY=>1xuma(eZ2C26ZW5K5h@%FkNGKxmvhy?Ux5Z?#HD#G@;xxu`17Cyz0^d}0_D zjj(kcdJg?_pK#n4*Rh7*E7AWNz+bIYPgUnW|B;klH&vPY!beizM5WX%7s7M0ehBz(@~Qt99FsoXKCO)JCvuhyQ300;U|X#-nV)EHuls`Pgbwr%AWl6 zG|1~8#GW?#W}8vF?DbSsBQp22k2al50im4u`WabCyTC?nfLS=-_&DRst z9AP{I855rW9)Lm?xNr>a+yy(NoG0z8lVx?WUG^ohIZ{qP?8(_#atq}M&wfa-VzLRe zSmbn%UCyZzwzVM5Q*hYr?ZQ;82q@s~$`iIdi#thmK}uW3DWwpHQRhoBU9UiLN3*vy zHE_Zr!p8H7Ryn6p*fyJ`i&}G>z)?IJ`xUX>FVp`ii4blbCf;yAb65~)oYQMYk=i4SlU3wV@_lE{Pu*~u$eZEjxLJHSN-iuHYlSd)TdlBsXW!yPc zK3v%S#n*ZN>ez^iCSgl5%fi=voH!K1C&3c06Sjq+v!OM_jz*Uy0F&9`O0V)11YB9w zFag)3%If2ewadZZ&Rx_97(76--=^aYBIa1jxjhDBark8X6M*tWr~abTa!%>$v62ev zYX}Da`FZm&|4WP7v+A?_B(t{yI*eDwfQVYq@=oOsj#qI@lzj_NB!{w3}Z};cC z!T=L|Hqzy&_H#+q08=?&P7t1;aw46L6Rbp_L7+wEC~;l`aA=;x3i_zdjiiBPbvg|G zV#l&szN9ZXl_jq`m3dVJ;@=*jr7~~EsdBW*j8T)Q-c*fC-QgYX2$%MQMTzt)T)sz! 
zhtW!kQ|X%Fn^fb<`AG1Q0p=+4(V5N%iEM6rQCT9wj9E#%g(Qu?h80NS3_aV2jmg3U@GaR^iU0yyy15Hx33>af;Zn z17iVm%tnTY>40Vd=zf=S*5jKAb#hwRb~mz=c4Rs&?ND5z_dSc4z5^@{N9P*m-{CEOElv55ZfvuZbssVV=5U^` zm{tP$SP3+(8Nmw5=Q?L8@`s)9ZJ15qtpy~^XU;-Ka1Y&a19Skn(%@NZq`5sf@4;}m zH90=@r5)X2tW`IalffKuOfZ+AE9-pdMl4dXnq>OrJ+h!fZSbH(Dev?Z4~P1o$rQR{ zBL=L^E)t}7WjtSy%(-&91>c`hP%bzvTh7brXWU`f)kNo?SxNl6A^tDn4r53nA={$j z!3h_m67cvI0{3TyZEKMP8h12`%-V9MHI>+oMc{YMnB-41oDp(x%&Dr zD*r_N)1WSwe|`Re{nkY7z_)TP?3R5DWnGtgTk`ZgUH zji)pKH&VMwGsJZg5eY(lC(*IyJv0miFuBGO{vsFbWCsdj0_zSw_ApHwm2NN2hR9jx zShjvJ75}3y&`J}-zYE^s=N}}|@P;9YWFkP~z(7jSlU@#wh9hPDO^{9D*|#W5Y4N02 zuvB3ixhc5y&`2`xy$I>sk2_Q)n~aPHNS~ie-~S*3Hi8JRpa{1hzC`Hp&EOWq4=D>@ z;Uf#8jENr^5sjXLGI*@l+{Vx_OP%!AETwoC*$*CQ;6(CgZ6NW3m(UF}*#k2f@>d#> zzoc@=LIvtG0|D{}l8Ari@)yJkqS|Gt6ze(x^_qn8mpn{F*9G;n)Uge-ltueYaG*6n z{)+cO{;G-~e{+XH{-$C9(Mj@$g3boWpL1U)R6(KIw1%fPzHBE`Fh+@JKm!}c{QOt zz)`*k8L)uK_$8AUU)J>a?gL^53wa%JIrx=?pVEhvXOtlvrF-OA0Fjp$G3|5@t9 z{j-#b4eoHMCucAGub9q^{7L%H+H6#RO+~F9tVP-S&S>dJn41fp_BcyT-Z@K2=IXVI z)^{Sr*+?EItV@kN39PIZRRgt&u0CfVZ(&YH@bb@L%~CLJpr2++F=Z48d-VIrL?1| zm%wb2>ahpw=3){WoiOVLf3Gu<-kno9h)p!;_iQKZo!sd@ISY{XI?-GZd}Oz|3l7T# z+ZYUPOOuq|ED;vSd-5!8lX<%^;cUho>9pa{m|F_*AcBZW88;%Dgl&shQWIYYaaQ4L zAtqCI(rP7QZbpPamoKbe$i{(s(&cL|m5$CoWLRKJl?)4fj$F>!N%IdYvytjy{;8oW zTVCy?`3Ei$@+Vay(TSDgOSpnPiR&>%>r;@vxW+=57C|mr1X&RY!;H~l2b{M%_-a@E zR*I~yhf60$YNP&BkP#bfH=8sPf};}NlIValw*q-CJ|rTphG@M z{Z8jMxMP>q(6k}gt*4TkrgUvrs=CuBGL4g|STWGCf^B3kgw#?XB zbVAB$))lA+rQ>kF5d+fs$D>-CJPIsOSn{X^`|=4asJJgW(2D8JFItY&bwRmLNdW5d z?RmZ=?0LdKs)i=sJxiGjYgb*g8wzyME^ObH(flTx%%X2$*qPHs3KT1v#VPr!b0^Jl zyEoKWXs}HeULd~S_BbA7-%^_! 
z!U>?suqoq)%?#v-kVD9*2qASUhh<+06yqLY+g-?VDSMFXvK)c44;r`&+yeHKwwzzH z5FQ@5I397d$02#UQeA%Q*^Wn=ZRJ0Et;5-Dmxs6HD~}wpF@Nmgq82D``0099)Z3}( zE}VPDhQEu>*eg!$JzDYZ*((6Pf0VnKx*8if5 ztpDPR=>KrOvM7xHvAJ}i2v+w8Gt}Y}ouQutH}pkJ%``eimg{ui zYD#XCat;X3lJ}4msB>e|3n<*{%;3|5^2xopl#5jobs%5?f9?dT@xz=}W#ArU6@i z)a5H<55T;wv*jy~AFyG&<*3sqUkl|tC!Eu~CK-)DJ;Rx{V}?3+cjpXc?jBm!2+t1% z<|7dt5k9D2sMrs%Rwv z8v-OmaF=YU0VJRW9znkfi;Rowy?s|h@XvHB%)-zm;+KbLm z^v69Cf(@{p1B=2^EBTTS^g!B1YEY{W`>K>4weXO3Oi`LA11rvO=n>2!P#am;?0X-! zdN?!@37ChzLY|DB(Rt{4HV^qj{{(d?DLYBmBkU>byku#{SOLY6&{Smg043r6BYA1v z3LLStiJ`oO&^qW{(OY7}zF<4_n5=|@j)%L#WXYG|SyY$U;26Z$tq*$C>2^2VD8EG$ zvHd2G9e$y3J%J^jDgD<4~ z;fFf>_-uD)aBmARL5@v{(j_$)4#~V0>@a_gCLWr0pa*PtxH!bA%x@3AjPkswlIIWp zi{Ys%xK(?CJ0dS7_@{@uu$hB@9|U)Qt&0X~H9ZO24NCyB8-kN*$k4OP7+CP=t~7gm zYt1E#-0r46v}{}Af`v*$(Dk{5N?6~B;Q;|hFX-X&d3h#|790* zb;2u>b9miOl>*v()TVc&#EhlcFXS#Lr6uzP5&O1fu_!iNIWnMG9n3W@qw9dmNg z7A@Sl!VBMJIj}$wOy@`wEtM>|s?%LiNp@+rOlw30CpvnXkDG~Abo{~UgMFG@2KgZK z6zh9HN(+n>zJI~i_cd&NuX(|-e@jEP3*KL#8S;g*^4LXy6&@!5%eTWmMI@6o!1njB zKNBiKB`4ZXb1Jog;5aR6!cvNn)OErKGl_ski|eSdT=+i?_URr#x*O){9x_jN!#wpD zVSUfcQ!xyf(pKNd>{Aj6bg=+dY86?jHJwT`x&9WQ=~OaOpZz~zNgAosw-ziN#`_;_ zVxa9N3}z+DU~{5)DAK!!_?#)>f9vR?m6Px3Fcw?wgga5$;S_#z)|q}5o6#=ij2O6J z5xvI*cw5HOestgh;`OS_pGogXmXvz;7Y<0+)>#&u{c~`Cr7M-1KwaTE+E=2uno6f* zHYL)i7ew^rMoOaHtdg&YN@W~o^~Z=9Nq~KA@IUXPc$-R?>g(QRt&zh)X%BP)z7`=6 z97`gbAzF3>IuQuvSD(sOXW?A>oQ~u?rC$0%vO}`W&j|j4(4z^6tensV>$hMzf?J_T zRoJqm$70>Wu!mbT$5~0a6g<6%tIXd)>SXnw>=g0fQ8(Z^+b-p_3Y!a9 zh6`~(Gi{=}(x$A!CD-awXWJAJQCSGrDan@Ah4!rT9_T*?hj+&yxnTE9Fj70>LwB|# zL`uvlT|bIaIw_?S`v*B^)*W!FVv?BSU!McCVqQ?)cFC6%*dE^D#HJd!!RZ^j(&f7^ zJfqTC&6voQQ(7{To;r!nuAIho*!jjry*e|cH{iZXz`50xb_k2cCh)5c@)T6fP@TIu zfTAy#L3k}CaR{+%i_X?H=pZhL0a53q2;ar%hmQrn>Pl6nr9$`q37i65diOtLH6C0z z6WpTCv@^@~b;@yjH`q)F(@{j5GRI2sZP;!-Lf6o?2fK6z*ocxQJ-!k#=zCaL^EpK8 z1cx*cOVPqpqCmyd9;_&_jipB|hn}5&G0gQ>&-fqj$!vuE(7c&}y=u-N+1XV+DmRuiQWbge(Pr2v}$;PT`NL_6YJ*?mG5Z#vcl` zyfpr}OnXe_k8`v~o9Nw;Y7#bQVIK3S`8HBiUu+XX*VA9QK9x;F 
zb@W%RONFx^`x|vdhY<0Bs4qmt3D2Cv;K1B+x*sm`LBh5%=o-)1bfCVVqPyJ%HCPrR zmT-sLmmFBWz5J)&F0>xTU+!faB*V+rI@Onifbe>3C1_zv6cseq;qi?vb3>>#1+|e- zIZI92o3A9*G5;OnlbuSPr7H9-exm}gyvPMJ6)u=YGV|++Tra$ol}*dg{lQ#10aCb z@ub&CUEo{35Sx#DKBES*L z`{URx-76O~XVt@_Li?pLs)L~k{*PM16ZXd`fT@Rl&*D4$Jieoh_Sc$Lj|H37>21M& zZ>0Kce+}y=2m~w*m>+!zgpg1mw)IaS$lC{rNhA<6A_5V-Ru_nOao3wblv1e#0`W_v zClZJ+5R>Wy*VOUVm5&ra@^_REhy|H|+@*2V<-=~2k1>qQvGQ^ID5HFg$5TT2Fd?HC z`FPj<8OTRLU-HrFa;qC)M8MDu`ge4N-D(N!9XydoJtcUm0uvj1RL)Sr;M+(*85l`g z8GEoANm!)O6qLcHpgfpKl1-V(CLgkw7TA<&eD1L_QKPjYb`LPe^SNhJ|3vM9-bL+e z5m9>!@lJg1sm5JzqV{ttl|a;a&{zrE*Bi%KOBiho6VBB8kY^UoQw1Pu0>6_9*N`S^*}{m7XTOZIG~?tmF2Uq;!*HX7*zuH5LfWqBRYDq& z)vJWu-a|t8_&$MrJksaXKDN1IoqVIs$-I z!z)NsGx!apXe+D_Y3H8LbZ-$G!G)6Qp?OjjvAn|aMRi-T?s6$JtZ-*gG*1zViONo5 zoYryT8=xax4HOt{X%g$Y$ZLQl*_temI>XM_pHAOIFp#I<6atxovy@38MDGRRzFHTu ziP&9jfp-8L^f;OKt}r50VBMc`t5fYR1tp!q&U^)bM0G|ILaUu**gu0QnF{FZ|8M{% zvLA4eiyI}@oeC}G3&#{%b$PegB--o5zP^d1a zr55qTYwqa5yb=FTzB(xYv<8^}vI6Uag3=iO5nDfo*!nTV*N-8#ehgv#SYh+z1d9&2 z5a8qchFQ$15S}5=46Xdq5pvOm1>}DNW<0x;BiJD5c4eLN6m-x$Hj^z;oQMzJg!N;P ztsfEmRx!wv^FdK7Ug`P@HWNHKU4r*Nc#AW9Nm`|tHPZHc)p{Xcv39ckzOEuT>pESQ z($;S>OdO=Q$vBq*6WR-9Uyd0cy*6FxZ#INMF!=(yKn(RLa8J7%b2aj!25~1D&;~OuUgCgOix?!R1=2F*oy1 z$L|j@mjHXSh{b2p`%BNo$j-UT0_3BsYrXCe>&=PyQO{#x96)LFWmKt^=mif-P9 z!Py>l4igk^+HR(loSHQ^xXG)s%aeWrZa&Rtva93^9=sXx>@t)=wv1@>^lI5RQP0L6 zC34UXMCFHr*&Sr%2e|7^R*I=qR8~Zv2TlPBIYPQqK{$k8Oy7mG6zKK#og^u#akxbM z@uX6td?1c62EV{xq4fm)l~42{ABa70`W}OW<&f~q2cQLJLof)q0rIhvF-$dk)#fhrXPWfKmqzxqy1Ha1c{ z$VY(J_ahJc(^$%3x-Lm^t52l_-~7Kc6CYuVLpM!~w0ZIxOJvh?YH$$_v@p)qX~FMM zHfCI#8`G^Vn1cdtdcG97>9RiY{HMpCE|>e?R6)PSMA99rIvk9oES zN3mzj`hXvHLhz@ojn($^L(IkZy2)qsXUuyhw)rlpYwf|@yAgxdGo50nx4eze9m>)? 
z+1J1RKG_Frft~JP)t%kpRv@Tni}`vryqo1nCA?PVS|Rhe*r@NGK4rWg3Rn0RHv%om zhxh-n_ZvZicc4^7z=ooN{SXVF(p2vMduDHs{Eo4num{qwSV?C#9$?(EDnzj^kVr+`bs z$26^l)P#InyGV+LDI$kv*UU+Vfj(r_Sf3%jrIq%#4zPaSVmIcO&pWX{JKWT>e#py&kMVqg%IwMfs^of44I?xjga z8A`zIoS?vpC8DcPohrE9N~TDakm~%7WyZm6NT@phJL}o~7sZYUD1Ahl?ZGB2BLrQslN_#^}uA1(X%+YFlE>smD zs9DOM&ndgPYeystODQZD3$sGD)}3W#av|im4_AVFHstMkhMOub4gI`x0-paB)^7%o z7om5Y5-W^Ys_P+P%Pp1IivKX9d(gAA94ahRUS`Lg*fC6iUvsL3R@zrb*~%m%`Z-qG zIyhAZS$;rJ|WeH8wqZqxcGtmLz>+N%FpeolO9&=c{} zJM8Omt`(LhC1ky%>LFr>Qb(+z(?{|P(2xw;Aox`Gw_&y~Q<1{CJ)rMPD2d&HQ;l9B zoh}nTLh}^fnqarJOolSZ=HPb5`2&>Ugly<`B1e%6rg<#B#uT~WnaAJ&_hI^K%BaHD zFP)KRq_QRnnQui3qK%LYMK3VSxv&AxPPWJ;JsEKJwg4B~umbyYXj({##CSH8eLs@_ zg6Z;D2kaJ$V(70t2H%ee4G$jjK5U3Xyzu!L#eY6>FkN?s^%b$ld-36eb65*tjs$xQ zL!0aPUdZP{L?3wiW9yGm?E8`QYrq~y)B2;RE`1!)$IMnjA84`auM+B||NLLmOJ#qj zm(rg2V-%)u79u91wx~<&ynG6zs=Q8KEh_|3)%8 zB=htr$PZvUvGhK^YGkU>HqaAML29DxLn|Ljka>3_@rggkdju~&SO1_Mw3QM2w#l^Tx_4g)|VUh;04~w@5S-hYPJ*nrH!tPaYClhS+0?TL~=Zk~)AX%9Y`*m`| z;+%;!cAqQ`kX5@-|3H8CIyD4aUx)t{Q~Ahc=+8nyT0`2-vogtx5lk?sMj|!453VmX zeo`M2okC7XIw|0!M2_0iC-m$X60`?!!n`ApOqZ>qY47}s$=0Vk^!0Nr#34zjjHfb` z`GE|zAPJ+4+1}9iPj4ts;0*0xjx(7OE>%pG59sm5tpFv6gTs*}g`Xv3eXwGXgckKzGL%C;0~~uQR@X zA1l-t%)5!3NBa0#hL0e8JUL^hyhbW~&vQ~!*_TvO>Lh&W&^M4+_y!_LMNVooeJ^FD z?)ZdD@^Qs8817`H`r#DUr>gMb1ORsh*UOtpjz9uF%ho}m8l4GqD&DXVo+gU@j56X+ z$PNa&*X(-<)&d!Fz_C=--%8a@G6qIl_CnG4|dfotV)x2uN6eu@a_fC zT>?Cs!kZE%)tl70GWZ(+O2fm~IFvy)2fs?r*Wh(P$QB3l${%@v>1QOUR^*Ar!H;o7 zzEO#al`y+AwpCG6sRCOSNl0(t3EZaaK{^z6h!Kg=OYWk{_VzRM3(uh7PufH<{sjJy zfHZ~1KOr;eF9Dw)@c5ieC@oJ0K9k#!MDQmN-wlKK?z(sh>Fl%lIUZ(kfafZx49>}W z8FZtV`0g%d$5?qtr)wAjm?s!Mr!({X%><5iKBLtUt4YkXS@BGl=#kS7Vrjh+zJ}xD$J{gM9?FgNZxw ziy-rdN63|ic#{Rh0O&>~5IDonOCp$)2gIBt1DyK;oYS$s5E9BNn!q{Vl0hSiHwfGf zrVzExz!^YkJDuVCPVu}h+>+U5N8lW?nI+g|Co3WxG;d%RnCBVNjkgP&gmjp%XD3T6 zU}~gRJO_J{EQ9To3$V z`k|aI0(t0v)c{`gi57KwS$U}XSt+{-G@l0Qm8*tB>s6wsd2){dzL01h`tiv$FYDcG 
zaBkN~TpcD}=EZ0p*&4E?3F$;ibQmbtc=s5fbkKZ7lHfC%FOMTRdt_A{L@*0;g-U3C-^SXq{`c_YCXp-vB)bre|f5`)t*Xg;=ei4Kj(Z*_-_s9 z8=FyH-g0L}yJu_AI=@r)=MlPZY3n+>xE zp3Z1oL)jZ9F+uDMH0<;>->oc+Keo7j-L!i(uC#8YJ-<*Bsi z=>z@^IG@08a{TMhbFgT6Ju?~ITh=59Fxd1nE^c=Qgz6oCz6%P;s`4g-BZ0DW7R2FZcr5i5RRl#^9(;Zh_Rde?W2 zTqTN-^Y$CWA*I7ZRczXLWe#&-gY_4futhMvRyUIu*S~*=HN)>HnW{~cOxY&VQ{^26 z`u2{rf;Q+QwuAf6#XZ^iK8k&0}{jJ$BQ=PXTtH zptGX%y#dKZ=o>cO0Z1pC?!TYD{{X*+a1W)8PS0oOaj}~Vn58ve^HR);N zHpI$L%%r1CHYfIqOKS`3gjObv4EsV-23`;k`P+gxxS*xgX7Q3$_^XQ!N?82RH9;8% zvW3GYX=spoPL+u64tR6D)rL27<%1-o6iOnwxjnc(@NXLC0U{pcMPl$pI74DG@o>7- zAnXX>8JF0d($uND!1sY0?8S3~YQ?jh)Ur5cZ;?6!vO}iqnd*xp+~F#?KILu3XM$_g zrEbGHl5c^f)U%%~c{j0`y3}M;iApEHR*y;_Cei*NvH*dXd)Ni&w6B};CLpiyl5*8l zo3j|A-~xLBET*De`@&1+C-G8JjVA^j-br{N7C!TPh@`5)0GaOmT)L<)2SsDD1L+P; zi$Y^UPuTh$Zyy3%izqU`h&0%TPzqUJL<;sH64h*LxA29XFz_G-!fi37sD0PypuBDk z`&_aQ;mAG&4)Y?}7a6Qd7FDD(Hvdauw|3oA)f1mwo_2-oL!gYw8?PiS>Y}#|k;D2# zUq9YHBo5WNMHP%s=j}tn7Lt9)Evg~ukHbDBY{3oHOse4s)DVy_Sg;g%`$CPe2C^eE z(ZUP#2(foBWZ=SHpqF6aLNAaYQT23CdN|-4=`{5WEJXUo!a}57jbfO8{y8$mg8Sq= zfcMK`zW5DU^(cp0>DSeGdGbh@kG#PLjTKu-7@69$2^onb;KcuPZM;O zm1+hg>@zUJsSjah#B}ko!Y6U-`{&0u6pZ4@#WaoY1ZY8umxSVPapPMYvTx1iy|Ezfa@^70AKtFU;OC#UD)$mm_Gl59$##E z*Vcv2W*CeWZAcO@*l4|fF$foIv|j8aoX_co6I%Xak_a2EE6cm2Z{%!DeUL3!flzrx zOizREhD7O6U>DCk0b-eP%a&!$eG>999s3$?@3~7sq49vmqh7zX`EnY@OVk{e+ z0$kYJ3fbad5>WHX8>1?)Bk&3%aD+RNJV%*ekmz(lsvyx3tYDfVjjd~{3#?$s3H~3g z??b<-x3Wzrz8{!>OSum(w-I`aI0sQY;~(OA{vm2H{k{-xeF#s;2>;fw=3gob#C&>Rny zCp72cJcvntfT{wgU=rgA4B<^;_CU`PQYo7Kx7zw%%dL-CNaLqGS#{) zkV@J7tMaG#*&QK&iZgtl6p}wdzLy5yNza(({?3iGxc7`Lg??kDb=`oaP=-YxFg9c= zFN}>OrpMUBO4U!qjs}ZJ`|l;_m}Ur1)nHzHJwq54ATBwaVmoI*+IpFKAD=Y(VIilB zC_75#91Rx(Lbf=#HFB8v`fKQ)GV%319N<1A;#X!F3;Bm4LlE+Z^g#!TgFTQ0`LSz~ zb1ajFSRn93mVXVy`}bCLy38{=%N4nhSPEr0jgVBEmPyd;W{xd=UaP#c;mgqkw zWTv@WxOfS#zymiEm;geb|jDaXzfS+}Aq565MY@sJ+%iBLgzXm!7&=ti34K#h! 
zn%8yNDvd>Yd_LZ~`1KhJ@V z5REa=2V>wmymyF0EUBy67?6R#;m5#D2!RT8^J8&Vtmg4SWSEYD8IW2az{j`9f@=um zN-f}Llgz^4{|u5@2&~oq%}hX{Q2RiCDUm2m(C;ep{fLi!5x&LL5MYOs|J97yQe*vN zj1R^w3H~|K8j);M^$pWMM*M;GG)TzQh3Ow#X|2B}ne1Sw!g`7T_dzlUaR3rn>Lz31 z9yT7d)LmJ^<}3+Yq4p4aMW%Ja8snm(4qV)+G5e^n^zB9K-{R%X(Gub%_S955T9;g$ z4CdAY&U?Uw=bC$nr5bX`5pjpLhemmtS{f+#Vhu6v1>e%+)}+4m%hOHkK+39C*>rq~){zaBIF!^gb*GKI-6Qy{;*1o`Dd($CdM zu)f43Jg-42SPhanr}GjXW}xJw)=PMva6a+yXcmUmW6Y8PL|06{^N7hW;VJPF>^mRL zO7jS@hU}ad@Q|NQ+_B)YLKD~;j5=6l+LL`MlkY&54Sy%3e|XC^3gcH#DHfS*1e;D^ zh4c@t!(b>1J;ZTg@ZT~{Z3S@=<}YjLA4*C8kYh3)NHAfp3N1zNFz9}JBczXN4zK$i zD-L;tx?)iAZx0bqU&yxr)fgV+7_}G9$OB6ee~?X(VZ3Ar4Q_a*2R1^kM_J0Z$n~%Q z4?tdApjC=xYWPb{@UQH<2J=@GwIlq?(b9DB@*P-|lH<+mw7&Xac2|CdgKtM%UogJm z-zBXcQ)ZwA5~fVJV6D+CW}}^oQ+^hE&(C5u`YDY3TtFFrCY15}h{(SkTS0>1njErD z7B)f2hD8pEfgZq}kf(DThQ)nWcQ_Nmu!s;ZBjZkFL)6K{`@D)f?2g63Bp_1cLkv_$ zL~TPDiHb9I&c)YDA2~r$Hqq-KR#}=@o^jDgY2Kd-;sR3AC_M;#Yx<}m!U#zI>7jSLLyL4 zpL?>9Hj!X^jph5djOCx#nS8$<0#3=@9*Y$l`CAHCnP55AUpqa6d_M(#%2Ax;`zes` zPf%v)ZOH;kMR*dyC+piXbX&w zI7XwiK0^Fm6Nq#4%CfWB2pPUgn8F~zAdOlX5-_J@3Y&wk%Zxdbi>PXuNRB#T?rJMM zP>+kkDK(ive@nc4D29P}35UN-kIO`U=V~>~r#6ka)m;Z#* z5vh`;b~2>3#u2!N)E&_Igd~aM6+wB0R7*-rNWBLgQ83$vRl|e4&gg7-C52e38g@zz zym&!Ubp!gLkV9Qz;;UF(z%NT~!ZAotKpTCI3>o@LUuB zQX%6%=U-~}dbFVG&-<6^j`Ac3mc5u_2QCpY<=5j;H>o{YzQ@9sZ?yQu9D!OOD$hzYzROtr6$x{(^t0epN6C|5g7| zg8pz}{q$cd|DJyOp0x$~>08(_R1!;(^h4s_7vfB$U<%QCM8WS|@wToFUZp8G{UD&;N z{q)N?{{KQh-Dv(T(N8MTPb$$*D$!43^5+u$q!Rt468$6+$&~0Pk#6b#Px?uFf{1r4 z(NFq2^plMEL%n>)ME}ICbbfqg=W{z-}c3D)Y)&!ItLqOW5ZoGPb#o48u2cVBFixQA}<{OQR|X@ zQDb&ZiG1g8knen)X(Zoy!%p<_okut^lJ8t+c_s3l68TPve22+*N_}O-8Cz+OP7*ld z68TPve5b^|h}XrwKVD#t_4Y-<6H4SeCGwpT`Og0p`OZflqgl*G`wFKe@|_a-PKkXH zobmJaMR#F>z%NngP;2&CK;vZV{kM|D^Cj!hr^szxj z{X>r#Lb8It!#{L2+(|I3f`8~T?8g5U{-F!jpN!+nJiE&lT|N_EMmtPTu!z5Mj~y4- z?+qkon9R{w%$N)4wa>)OHPWF49g-Y}G zd$@IB`@Qo*K6@!K&IB?e`@J7oF0z>YUIwd}-hQt?k@o)w@nwqgw|~xlerY06m^kP! 
z+0S2GZfZa8+30ij^R7ewHT!uBlrONKe?Pe3EK>Vif5zL-*TAdj?dMyZD8_z%J_3vV zo%Zul_Uw7a_VaD)fw2C_ets>kGqs=pQya>;NgeI{ ztvP4x=-6su!-90N!d73-jta2CZ~&ttM>6qOVj)4WY!28L0 zNTNdRpwYrNI9%XK;1LTUyTq&4vK%;rkiwsblf)tdVK1f5IWnIJ@}b;bj`%o3;mq98 z;3?e1F^B#X{`11&KM$@2;6EJxm6=sJLR2`~>HV{lf0%!q{rt09fIDhyX~?{;h=XPc zh>>XC)Wl>t18p|ZBgC%^((_A)NbPhRvp;zHWJyEj!*?q03=Gi}rQ$OqI!m-i(`+Xn%v+}ho*&$7!6q(~5dn(TO z`S&VL3(da^_n}N_Rrt|MYTv#&y{^RCfUt7S^|M>jds_K7y{%!8|cg(-bsdRuQvK%`#do}d6BGG;uA4!AU)Dr^U-lm_zlVo-CcnQSD=NPa=t&=0e~0|OE$$?I z*g<~ZnBDllLVjNye==02yh`z>+anG&3mX4HTQ!Uc6lya|j(qL19blCdmxdM&G=fa+ z%TWHiFtHk>b#NcrUYjQ&iY5UdJ5AG{I`F6Wa4JJMVwQJJp9gCbx>Bt_b>dHt=uhE> zeSxC`g1)SS2Xw?MLmVO8U83p*=j|Lt3Z{UR?93hR+Yt|23Q?d8(aI>AswV{@Qc`p? z78v^^B#?4t9Oou-^snyea|iz1<<25Uc+l2+u2wHxF-ad=6H1+!G*Q1Du4Gvk<1<;Q4m>5L)@)A$SeF+BznNHZj{tH4w5oN55DVR z5l`OxTfjXq{1L0#I0_;yy#S1tKO#O@tXwIIX8zF;-%REcP0fJ|Y;l3R+2#D{qEP&i zhw{-G)XY0pL3FcZiUb+b4c^@&#Y<|j7fkSUzAIzyt6QN~%;j^UTxIQu7!90HBqXZ6 zLu}*aH151Ytm92;WpcWP#Xk#W{@)SwK@I=!nptU*5bIJbcte<2u^R&%&%k>)l86rX z6ve@(I_?{Q9Jt-LhF@xHK7IrI+rbyTMRe*cBJNwrC#jSn_a9@f*|>Uz_3!BZLWB0UqEZ{cE5$)WxhBd#U7c2-1Ws9Pt_Cp$;kgT@>u*oxOA5~I{eOfYV-N=wEJHf zPhbDuc%ldj{CJA3ER3fsIHJ*5XgnQ4Vv+H*35mszr#gk{<3BonDxensm&Xr=4MGU= zqv(HV{5TkoA3H_>g~v~pjp_J#iIif;PYg0XGky*u>pwMq#{b^N1_%nh~TS%B9FrtO)+S(MT~q z`O&yqER4nw9P!r|8jsVETx2{BLt^pc@qcrEJBK)G|Ch(-|M2|gq3U6c;mM}98-}Tk z4^%``TM9y`6`tB|A*I-%c^ny^8Je4r_4%P$S72Q9^Z(yHzj?9qLvU1Ng6oLHA_J-+5{n;DwT&h?cksu5BY()_bpe04 z5wX|))8l6sBgB7^Kb($>5cLUMp<#aWu+T{2a}fQ>-_@vr%)tF2^0iNtTxH4~O28dH zL^cAT{8{F(mGR_e&pN;GVXGTz0WPN@Fq5m0k$n$^y#`y95 z-T93(itpv5?c9+h@oXmJXE|+JyMhUh;(%%IB7tVQf(fpbHXLcRfXh#n109_xEN?${ zB|hzFer!dZWTWlO(xjL!SzB9VY0J{`0}G>A_s=5z?Dn1lGF;-wcUsvO;! 
zEfMEwhasE@ojY(!7+v7j+MY-eJ|g1~qKBVrDb5mof;f4qyzE%mBZ-w1Vcu0T1U-_7 zz%0?n`iV3I$M4Pag1e9%J{?~#FeLW zWS)KPD)4o zm?RHp3WbGl;5$-_NY9`o|E9v%ivFdI)>q^z$2*>AR?=Q_OQP>zllX*WA8-dDo2JX} zIIu7miS$>Vi1-uGsubq}#`;_36s)9r;=K@p*G2Yk}%FXG3g z{!I|S$v(B0(q1dmT}E+=-;^ey_=IQ(3V(wLoji@9B_#2=5NG(eD`X#nM^%>SLOGu# zeEFdz?D45S?hYb+k4uDPA)dZ(?JM^T@vdx+cGjVtDTq^&RGEY?+dK4SOVrf^L7ZX` zwk{-|#j8SmQjI4I;zYB4ePTgFtYa{|@G)yow57z!j`L~ z(1VD|hmo*^QfMT|d_qCNo(Sco55_5@k-(zak3tz_vtXQv?q`3Q)xa$VvFnk;NB65h zFR#cGi-XJI=yPM?xv0=skYFsZ;C|PT4v7OsuyYIxWd^ASjRXgik%0Jkh3TI&rT;)i z|M>e^`d7wCLH-_Y*M<1B2;!wdZ-e~ZQ4LIv5=bHxk3jxUJbhkJm`z!TeWalOhWNCP z8T~(|_Iz+74M4gKf1^TC}OzZEZ62u_1mXSg z0mT4TViC&Ac1*5D7_bogvWN_baCv&__cTzyTO{I_*(182H%0gB4%tqeK>J=q`(7rr zPjCjIR3X|Q31adLvDMT5V4TU7*9+0U8`27B{|+f2QcTj|21u7EFA?qE!_2|R|FO*H z9w{Fh$7h7fTqvU+y?$Yl_?txk(K3YwdW|u&GB~%y*)4h6=Wzt!FN`1LA%0mUrV90q z9n-DSj%-B}Z8rPjl&OZWfMzn5#wK4U?Sj^YXW~}crpTu0l44j}X}yupqIU{&=l+&_ zHgsq5Scy%h2}(l(CR^NPh>i9Zk_1&TeEVv{3!OV?Pq1?+Qjw=d8*NXV%2fU~S*6YW zyeNG98JhE1s8&uj5Bl|6KOx^VnN#L#J!vfkIj89YE~IK_Id-^&^46~Zq)V$_^g6Ab z{vt_4PY3FY2zL>NF?Lq$E=Ah8Bb{n?ec5=>F0qqY4smyYDmjd^_43o^>moWuAJ+XS&he zkeQ2EZgfkVEJ`(cRtjRaQO3zklZ@q*;QA`nDVO$9saJC-(i%k##yp*qx&o(k-Ds#j z04hirs}I1|0x6X92I1Rq-FMgl)o>kM26Z_d!p${7kTzu)Zi`TF7|5x42J5(njDM*Jc1?+YslUO$)RxAE#Zw#YYIdUcFSP_GM*gK{v%C`j zQYHSSO8iSP|58hu(wuDYAMWZT$ec_3OX2&l#D92+|8S_|jBHGU#K?cRbwkoQDT!YX zJ%^I`^=`3ZMM?bn|K0fYuv|3EVu)Xl(-Qwu(h~pSCGqP8|5C$YQl%HHkQfN@>yc36 zU+SOfUux>cKbAlgT0ao{H^6(tHJS33O!;1>{HSeI9V*AnX*Z{Ym^;H$nFDoCE6Hfd zD9K2PcWNWgJRL9p<$`qLr4b~E@fl)G>LzB&o+4#WD=sKOyy_68LmI~^^01KbJ#uk` zMTBqZNC_G9!@5CHSVYiZ5n(RUvhOG~4w_U8R>+jdQMR6z8MEGyNME5pNmfy9MtTTm1W_bBb`>J$qIr=ay&kerTT@ zJQD2_flOSVGdIjtmv&2e+cit^9D_iYb^rpq)JORwyNh$hx@gKrG;r!sBtX9YFZAyg zL;r3nrhgX|-@g<7H~RMhHHb<7QnwP#o~1lSujlw9(CZ00GU;Dh*DI!fmm~Rqvwyh= zGqfnF%u_dCGwSA_shg8byZHd?W}emzl20T4LBgUYav_#)z3M?xAzz}*_E3JpK(I3F zrLxt^l!NWGc2&*H;EaEQyyiPLoY<8>|rNW=0Ir}D@iOhgDDI3fF8KzGVgj= zNy(Nf^Yu4z;GrcIMPR{i^n95zmkhl#In5(WE~LV%5%nO}w+!zAREUsFL}}7+$#9KQ 
ziELy_nH7FESS)d(MeZZW9zaA@X&3mk{Ez9r+8~fv8W=3sRQShIV%lFFuNL$pWRkkm+H2{x*Uf!T({f&_~ew)Y4?<&oHADNCr+bN8s^a;62f~ciK_-T!+mTnJ!+C2Es0OnMbTaE zqFfIPi7rOkK!Ynp63F@+#7LAmD6dFyQ04|c4?ta@c7x}-UmDvXI~sT{p^H&3%^MLO zh+7P{y!1$to#4?Ro}OD;;u?zQ>Y~Lb{LA3U4KiKB!}P>BKr&DXb?nj@lIC+NaoG+w0mCs);yoe^E*Nel!aU%1A{P;cbyhR3$#oQh8b6j09)KL;ImHLFg}!Tq4Vj)U z3378$vaAxcwxthjWR((FVv^iko@^zn6iTUfvPyIxPZzb^d|)!lgi)%4tWq3Hjgp&t zC!-8|ij%Aoo)RXS{ZpZv(|t*ce)(xsOT2Uy{(jw$J@GF*4sR|umnJ*tn;>nko?gaR+_AowjfJl`sls_&;wzq^uH`G9-dW8~7K@>~EH^{nbxB^*EeZ_C?Bip|fWoIM% z7Q3>2^aJ7Q*C_G~8T^ylM?Ypy!?kabk!E;S`{yH#fyn%s)1&}bvlLlwh-{ocMZ`P(HhYl(Vj8A)xw%PI$ez4 z5Zru5)DiqiAX3Z4?ZnYm_*?OIy026`-SQaG9uA`DPXewe?JEJPs8Ki(^+G4b#8YJ| z;vgE?J!}m5DaeQZm2m-a`zu6^Jsb>$v{cB!w9r#3)XGpOoeH($3r)|bI(`x%DOue9 z>I1{Wac}hT^e`&xt}pw6%H~s9jEbv|jmx4-reC76ef4EOQrQnw7Q^J~OXISjgz1;5 z>==F7PgM3JmBpC3`rf!Khl+vVtoZX)4qQ`E{7=+6aC<@VKT+|(!v)3v zL|X@{3yS}V<_?T2DE_&+>svc8rJ(5N>aB0=K+;F!8&FS*pq>0E`h&?u7&vYCffEHv zpOFBXXXIWn8r0QMeA^162_s_h5MX-YvBdb8Li4LFW~PGq6+Gm>FvZRmX4t~}LQ^7} zaZ2V}mjYJfcjsGu2N=O$0T2p^2>LK=fV7hN7_(Bze9ZGndfw&lo{#C<(x88BIv*Dv z{cG0zyYus|lKB}tg?`2;nVp==54w8Zk){e)waFBWq?E417l*09f%JOaRdS>G|H(PeC zIH)&Dfgxx=(qO_LhC9LR-oZ6NTLxEOz#{_m396RbcOoQ_m_bOYt9^(ha<17-s?5{8 zup`R}PI*hBc~c#Nl~NKV)P|wB`rJIE(^ZnIDkC(H%5iW$fIH${ z0-u|~N|6hE1lg7uS3VOJ4%C@Jlr^V2y}5(_%{gVyboLl8tyI}FM|&47iB@i=c~qV~ zi*8_pBzk1|JbEhF9_YaaJ~VT{eH)s&Q?(;K%jYUSl@Twgh+AJMgWBtFuhidGLARAU zI>MKxB=DIPN--&qBru+*xYO{$>mrrVPi3wwFv<*dN0Pajr`RLc6Dq!e(VzoXN`$05 zPvr+$V2l}Ff-bZ|(g*l4=BShdOR~Ye@=!5WBePN{RmzMiBUHr9oGx@nlA#i2B1#IN zN=P)XEVDJ#etwlaf?oMqdjw_qm64&U0qCF)c=Lc+EvYvI(qvsQ1cC-RmM9=S6q#ki zS_t(wG(!$YZbWf8S}iao9bGIdA0Y|Mu|dy9SSE7ys4%K1&0)(Ia%E>V($dPvRh>`b zz*E@?9mtO&!}x){QQ@(pz40^);_{{RlmZu|QiIZR)q%K`tD1wWQ>+3=H4ty{W!W=1 zW#=}?HzXPavF>J^%Cbf=S%&!+`MEtI6IEK4L$L@;EBvMR5#(osBSel=CoZIoqqb#P zI;aqb3t%IrtTZfajbtEj#fFAHoN;@hAOyM9xe&_(D07j>GJ>u)(;mYgPK7f2F)>52 zU0YEEiiDQ}TmS-mBvq!MNo*wE!h`kiAQ>`XFbA4}#w%0h~`3 z$+MK{oHE`e$t6L&Q&~niTBP){QVy|(05U?&ntOo$K)jQ4QFGa$pkOoc_i-b_Of!fS 
zKa*ir>T?;Q&t=%mu^?|jnlzh$59Z<@iat+6wd1d5!$7>VGg1O(iHYz6#5*-FYAfRu zDdwmsBSrB}7c~YT29*9Hc0Hd6v?wOgrnp3R(?p;j06H+2{?4i95+yc|Q)*n)iif4) zhh>f>dp7Feq89Ij8;u2(PJz74P;940TT`J%^@I}oc9tn~#5-Y%#+GGL#1f^uh*L&# z8m$Q4A?VbKKeggdF+eD@JkB5`cemzG@kz|e%K1}Ut|2*}Mm{G|_O(Gr%Cd#_Lt-mF zLEkn=Xs=J;+XV^kLIP_OBuIq>)*eXc%kGJX*q|kGK2SKf;?IZT0#J{hNKn9DNMOW) z1V=*x5d{*Q3<;*hfXrt4PIrka+U@aJIe^EUHlJ(rG`?4GmriJOP=uLyCr)h9Hg+Sz z#4cEpao{v5_-P%uvT>kvx)c5c=1%h)KV?q!z`U=fjhD?42Y%=|e%hQlW%ON#K?5I% z;)C{%82?;EXh2;+ixTc?4%$K*c*%}s-vR0>bGdpMT=p$8Xr-d{GP$zRRPs)5*~1@Ys6UxUm#DvU=&VvN>>}Q~3EpId&r#wJ#@Lq`|rjr%7$Y1wPaP z8M(k*+RdqecChBkCisE!)aC*pa4reB=5nM3N~bSorP)p_4Q1~qi%^@5L5uROAgiaA zb;$9niggQFV2bWXtiG3x;4t$PYLmhVfiLaQCxoi7#QDfYXx!05X#Ka`e(}Llim&a> z{A{wj*;A^Y(DYp3CAx^!U^AMSyv2CBM9Bgl>p=N(Wg@qi#=Dqm~Lf(k&IQKI1fS%w*YN#BtCoM^l~2bRUES@@QpOKhXs8m{JaY8m?Bf!59 zS`q(3P)b{XYZ9k~uRbm)LJ~nNl9@PYHvTdOM-Eddj&um-(S1*~rgU(RD14Vv&BPvw zgztgrWvC(jYJd#UC|KDHe56|>&N=Hs7bw{U3I5G}*Pt+?SC`k%FUCNYr?1*V%k4cNg_a)|0 zSG7#lo^0ds;bPXR3>TP3yE!%yrRj;MlLK3oNiBy%p-4KQ4@J_=jEbb2r9P*cXGeg& z0q_{EH8V@a*9XhMEhqzLxG7FjnF39A1THYjz)33U)Z$j|#u=k2L&0Y_P(}s)t-9hQ zZ7Pa0R1#9_QtA+-GE@*!!Tg)0Ns!9$K}e-OOmjvmk*8l}{e3NP!kEi6q0-bGEQMO4 zK|JRc?N{!MD-!Y9Ee++$=gO4rP1#Hk4_J^(Rz%^&ZT%Yhd<=~~{dVcL>brl{c3)Z^GF0#?R z*k-0H^smqfW$8Dec;V8>Hc2pVA?yA{T<28bI@3M188s_4ICTYek^_G3_yyos3qN|N zDflJgw;w-G{K#y$C4QsuBSjn^{KD}gwW=@hn}i?vs5y$?Li|9GW^eGjjGyUNv22C% z_LXZ^t6Zyk?e>msnze1-p|NAz79E>*ZQwG4n>cilWc+|B!)NswJ7BQ~H^tkp$M}AW z2QKO{cKF=hU!|;xJN$a%{j(pJME{bhiug70*pn@{&Zqux>6iSK(TCm!u1P$l-4=iR zad7m`{3T(B-tYMseCe0>f!B_`UY~I0`Q|%GZfC!_+4{tch$cIxMmZeteO!0-kXO}~ zcsvfKX2F<jYZuQ8h^c|Pi`?1Bh9xp0x7?M#VXjqQzs@W0kE-sAi zcx?L3=6k=q=dklv|EXC&Egtjf$hf&F7pH!m_I>|hcQ=n17_W5ier36=PsIH$mItr5 zv-(-ntnR664J#jgTGM4oT9r=9Tr21AvdtU)==tn?kM3^{d-i*`yYJ{v`$o(ORZjXQ zX6ct-#eKVA!kuk%J0HAR$8~pN)q3ZyS+zVKYGJwZVe9gWmmO+s_~2N5ZB|Qv&s!n$ zq)E#rjlQyZ++fX`K3_fB;XdZgzW(3job;ac{#aEOe z<+MDrzU!Jd%{p#B6d-%qoT_*p~&vi^tFUN(d?oIsT+l;N7++>2T+P^O)Z}_3Sq{XJ&Uj~2oV9N4km%rJx;)?&;oo@$iKae+c|AmKMCk|`7oqzFT 
z*&9#Ri;}ZKs)Xh&trL}SwsX$C-&(zm-P`!JdVABSU-vxH$*<43cD{r5H=XGHOTBJB zK{oP9D{76J`D5w6^VU@;C%!XIRQksBYPG{=+1bXr_9bdy5X)qa0f04SKoh zr1_(7&y-7F@oV+`!0q-oE-0GcJ-Mn;K844)IPK2EeQH{nPri%Dl}>=y2>Q)$M5HZ2Bh?bvwKdZ$h@RiiJY0Smf` zQ)l%q^=M4rs=8^z?A}Rz-7fc<-ZplqU%l&t7dA_5x5N7D4tvaJIv=ezrQw-c6U0I7 z2b%|fF|x`J_1$Z4YuUSJ>bUx{l&_kM_^_zWpv>7_7hmmLapt9wmOjb7?55u8S>?9N zz34mb<25l2!tY&f8gu(iRqeBf_D^5EEt8r4siN+~?)k^o?VWLYFyy$xYtx>P9zXm@6#%dW0Pq6IHrUC$b0RTe)0Nwxq2>_rM0H6T?zzG2G1puH606+`?5CH&c001fj z0Ac_DY5>4}0KhE(z;gh=O8`Iy03Z(l@GSsf0{|ch0I&)Ga1j7-3;?hf0I(APkOctv z1OP|@0Hgr`?g9Yf0RUG301*Iyg8+b^0RX1}07n4;O8@{$0Kj(ufFA(>Jpcfn0D!&# zfDr(INdSN^0RRgC0CNEVbpQZW0RUD201E&>YXCq80DvO^pd|nx1OTuM0I(SVum%9I z0|2lO0B{lja1H=)69Di401yTMhy(!S0st}r0B-;QPXGX&0RU|Q0L}ma2LM1N06^h>0DzGI0CxaDZva4j06-G}KpOx+R{%go0DvU`zzzUV1pp8Y z0MGyc?g0R90|1@@0A2wA(g6S;008R%02=`SO923@0RR^O0LK9UdjJ4G0RU+HR{#Li z1OQYA0JH%BbN~Rf001-q089h`j0XVB0st%q0C)oc`T+oX004Re0O9}u_W=OW0DuSp zz!LyKDgYoK0Pq$7a0&o$900Hr0B{HZ5DWka1OTiD0Bi;ToCN@!008U&02}}StOfuq z0RVgt0N4NkxDEh#004*r09*n9JO=>0004Xf0Hgx|CIbL`0RS@r01E&BqX7W@0RSEV z01g0P0RX570H^@~umu3L0|0ac05k^xH~;{q0szJU0OkS!z6Jmc0{{#J0CWcc^Z@`^ z0syQ40CfQXl>q=Q0Dw*a0A~O|BLKj80Kj1Yz-|D*J^+9c0I(DQ@GSsf8vx)Y03Z{R#05A;z-~#~g0|3ki01O8J z3;_VR0{}b$0CxcZw*dfZ0KioMz-s`&V*tQA06;DP;5PukMF7Aa0Km@xfMoyx6#!rh z0AMWupd0|83;@6e08kqM&;&cE001ulKsNwDSpa|t08j-0PzM0e8351<0MHl!&=df01ORXj z0I(kb@CyJS2mr7G0PrIKU>yM94glZ=03Zwi5DNf!1pr6^0AvFI@&EuQ0RU$J0KWnN zwgUhZ0Dx5hfQ0GI>-SO@@^0RR{P z02l=TkO2Us001!npcDY0DgeL^0N@4yXbS+S2LNaW0I&uCm;(T+0RU*|pz#m(zarRwd$9kN!Tz@g``;Gqza!ZHreObP zfc;+t_J0c4|FK~IIk5jd!2S;e`#&7)e+tV`Z{;vl69|-o}4eb9HVE-F~{ci&H-vaD^1+f2h!TwhQ``;Vv zzX#a=Az=T9f&HHi_J1MR|LI`=zXbdLE7<>^!2TZr`+pJa|My`3H-r6Gg8g3(_WwTE z|Lb7?HDLd*f&G69_CF2me=gYnY_R{HVE?;={qG0%e>B+tIbi?40sH?I*#8M&|2u>I zcLn=j5A1(Su>Y1||I35@uL1VII@o`Iu>bSG{!aq?KMw4FAF%)KVE_Ar{r3j@UmEPc z71;lpVE=8w{&xZU-wN!1eX#${!2YiX`@aF~|4Oj`OTqph1pB`o?Ei0I|IdN_e+Kqn z3-&(`?EgEk{|~_a$ASG11^a&m?7sx;zZcm5kzoG^fc>8j_J1ze|M6h|CxiWW0sG$- 
z?0<8x{|&(Ymj(M@2JC-Tu>ZBd{_g<$e+caVd9eRS!TxUq`~L&j{~)mcDzN|YVE>cB z{$BbGD{(k`bzX|OBcVPdQf&E_r_J1eX{{vwEFM$0&4EFy8*#9SB z|FgjU=YaiB0Q-Lr?0+oSe>K?uufhKNf&KRd`#%xve>brIaKOgM>4Y2=r!Tv{r{SOEGzXk07I`y`(Fy|zYW;`I$;0Xfc@_X_TLHYeX6({+|W= ze;n-pk6{1Tg8f&3{SSfgHq>HisUBslN=J)=E&Eio5hqmm&U$cJJFC0pwv-=b?@;?u z-CcEjYdO_?VRxX$w92ijWL7$6<6pJCZCZYR;m*cS8Z~M#vHm`Xm-SjSo#FgjlXp&So6l=@rp3pWU1kK# z>^568D}3$>|6YF9b7B{*S=@i2?SfnLH_RLUwf#2_rfi=&cDm!VXOs6#nl!Q5SFgt& z_L=o%n=x7APmTN9x6_1tPAx0dTiR=xS7e`Za=GWK9&tS@dkmDWmn6E^?B?Bl+rX4T z^@ofb{L27s|E7JX^gB2_eMIYFenU@;%<=9xYQg9W56x0SA1!^{L?`n<7u zo$&IzSA(^7sdv-1ycqS#;p3zHT{_=9rw=c359CaH+bT0N{aA+oyY}z%vd?8Ly5pX> zm2Q$b%Z@3bs`uX<0ZebW8Q4n`g-_pAKCs@-wF zRNgi4=k?nYchvmJd*`;}DaY!c7qx-%I~$y7{k826?r+w$@8lbGJ>F!rY1Vl~^6W3lTs-1- zUfsXiH{ULL*{?&5!4J!3tXiu)cIs`_qZ>!ey1VnWd(esP^){`myUBjlm#4dY-|u(o zPFcR^pN6_DT9muF+oT}PQO@fW;qPsIedB-h|L(#H_t058m(A$(#g}D%?P`9y?`8K! z??!E$_4bP6n&tzNHQ~9 zVRByIc}6AWgV)tMh|c6}8*gT|Aw4vA(B$W%hHvaJiz|z_pOY=F*kz~MarvRATlPRk z`sMfo$xi-;`$r!< z)@hHI`>8i%veUkw_Vz)~b}d%C?{W24Gqc`t4wgF>47+_Q@ld&B2zQNN5LyiY7xwCH_3=8)@&b(E<6TXTI*}shqU-MB|^1S1CQq(d+^q zuo%Ct`aO098{TDc!5M$#kvIPGuQzT4{+M%Myz1-o13zB)!G6idm@21LVH1^KjqBkw z`~9kk$Jh62{o(T0?fNwkRgSthY~gnkT?RS*(qKsaInmb-HqMQFS3q!dH2Z)~XZo%) zib*@O!s7jKPhXL&@sRzhv|%5vw|RJMYOK^{YmMwywKBZwE~?bANt?s>`nTwMV|RYD z4Y?KaW~Qvqba|Yae<*+Qjva69_AGl|hXn8Xjh?N4KhyU#oSW85xK`+A)BGc+duU!h zIF&DJTdD#fGtmJSk@a?*+#eIQ#su`vlTnKr#W0)khP}O;fi}g>?(2d>+G1D zJNxEU$H}iM+4#)68>#!=xkecmr-Wliq9)t6&3UjjDZ=XCY?K`-&HZDXN!Y1^aa4z%(l^4=zFO=&&CZTbcPO)xT zhX-6aT)Ou7bIUgP4?3TA^!c|P_a%N2K74)XhD47JJKk+~O=}*w&|+?;`!1iS&(7ua z?AGjIW_OzbF^$wORYovUpVFX)x_eAVW~HS-^Jd+hZ`>tCpr@P0+! 
z%lIAj$BSt%yayed_7kNUZ$epW2jQ6V|LD3mOYoVKO5U5(~Bk0)EM+VJFgmq)u>x*R=O&VN?>Q3E?pX)@^I$jnlM+BY4zBt?=v zY{TZ=sH^zMPUmaC%V~0N-MWh#wvC+LtkL>j530AF-Q@C>Ni|-+{Cf9c?zajxhbA{~_b$-W zC&Kt$jgPCex_&UJd6Vl)%5A9pVf;PoA9u}sJu35QkE`iCMF?#{tDv+AV}sW6Xsgh- zeEgIF&9iE*+sLlpW^%o8`+dNJh3g52g$>?Bb;A9O=`b7V!gJ|bVZ$1?j@A)rGoCl$ z&s1m0C!5hdg$*uIb;5!u=>`fLT&j}h4%_Hi!Ui9#I$EQo4Xfsc4enfZG>y_mbr7~x z91wp=8$7HUw&ys4aw*%WZo>8y2eg(;8`K008cdPiZqg9Ah;VjH~48n)Xws-jP)cNeysI3SHr z+ThIAuwBPdRX*8_+Ch&a$Y3CWPSZVeSfQ{b8ja+D?7<;cl6SrgA>j==X{qx>+Q5o8EtEi z?)cv8=lCVheqG$ZV!ygmx;O_n*BM<7&!?#BG+Ekz3Ekl)1T} zZPO;3##X;Sqt$TpVQV`KtC*emvSn45@@n0LMy?YoRUJBUd9P!ucCXGISD}S<(k`#O z3$?l9J$HHztP$C+bMUPj_msXHAI@H~Mc4Y^$-LUver!3^_U6_JdpvJ^^Of^daW~~9 z(d_Au=SH@zJ!wzS)~-9&-CFzWv&xm4WjlZTuAWQ%&~fs}pGFV*vEPva(#%G^l|I?Bhmr=bg9^^Oj!mRuw4+3_V zzPH&gW3xu{)#fM5dR}-FzEvZ>vcuYOdb8B#`8+TAz%`9znV(4>iNP`Q(h+t;hr;^Wk2o>eNeA24usx$$SqP4aIM z6&e`SY}UFR+KW4T`_|kuL)AO5 zr{1OZ=~l|(Cu*Y$(`R^4I|cvtqz|>#qhq?8)Lzq--(*so9a&$^joR&t$`K8z?Y?XD z)ir9rgkBljs0|-C^lDG-c>HFtirRAgmIHICJ?E5i9!71dc=F3MYS$YdBwVZjZT+O;n+w$5p{w_FrZ#W5yWF?b?$ei8q)^+>m{zeI zwg1PK2|cI}8bvkorha(U^wMzZi{zu9ct;B!bteX{4bxt*wAo*jJEllsQ(izT+y zKjSPirOP8{`Bs|y25Q-9g@e{+la%x3TSLDX+e9cB)pzB?6vwl(!% zWL&~2>cav1CH<%$H>RyhroP<6ZGK4o=`%d)GWBW9O37pD*V&JK=2GAObn3TT)W08p zdoz;ycudRc-Kn2v?N8r9ef_e-xSG`8PIY`5P@kusU-E$Zz3Tk%->C1M2h4g*{lDeQ zMlWK!G>$G4s;(DtYFT`pw3Ms27T$d^FMitV#a;{FpP62L*1ieprGMEFx%2WupK=E) zvI>Ps+PO3t&_Zh&6Z0OYIi@; ztxL>>8<*ux7mfe8rOD!9FY|77+&?{LboHSWHe0k3*JzDKC|Gvkk#0>#o9m*P0 ztdr$_)Lq?g_^3wvB2J`^v}t*3fUUGt;Ikcxksq!cg1@3!gp_U@gtW8c`e#AJ>^-meB18kKkcYw)o00~0oh+Bj+S^mE7WbNMvqeJ-EU=@)<>@eca?3p;2)LKzUh0Q`!} zr!@Mx<5%4Ck^H-xJ94Rh0r(Yne|Mxi;1_^jarqnPFB!fg?as7&=W4CKr5PKIVvJWU zg+1|*BK(Lq6y|2Cqrl6VH}IIC+<)~={=G9B{0FwSNq?9SMsp#}gER-y{6}*i&3iQG z3G*Gzbu`b>97ppT&22QV(VS*_&p*f1M&1%+~Hhg=3 zw_8V>JZ`ykK)l&2hmS`_Op3YCp_hEwYYDmANTb8$$j;@t?l2R zJ8`$3jqYv2RqHA*NBt6k)YgY7leaiO1sPaiEtvi;Jm3H(F zy?$Wq+V7vte;(OxYRJt#d#4P3_hS6l2d&P`YuLj6mt*1D`+jwMpI5D%(dD==XOUI$ 
z%P)qUUZ$zN?P1P_N?+Ys_1)$=%Tr?qIVA`0P*%A3tlLD%#^&O~1J7176Iodc#3tU*Lg2mIXe3&5{L|FA^=utfi`ME|fv|FA^=utfi`ME|fv|FA^= zutfi`ME|fv|FA^=utfi`ME~%w>mNeMP_q5^wt$Iz%d{cPYgxE0#iH={=~iIB2K(*Uo9)Wdy~IA?=PX@& zEF8Q4lBFAmy&C%!*r)H!(%ry5^b zbXx4qF5r3y&bEhT>H10(-Spwr(f{d=BNZbtGg?shF+X zL&9cpwoZ+`1NMp7kHOv!3&3i-Y~4Is2(F2I+Skg~*vUOYoyvMw3-3IKp zV}BTX_ob+(BkmiNts6u8o!B?TbAQHl*t=uz)ClLNP|wCVKbx(~!G8NCJl6^3v7do` z3id0ocaOz&v`@pn37+>lTQ{*O%3;5U_HS_g|6}iL;G?LnzdzXx5MGR{B1T1>A}Y2B z;YG!YI)MN|0av7o7R`ht5EPO%2?B~b3Ib|?s8mtWZk1M4)Sy^VQCCGp3zD|@NELP4 z+LpFxqf!hI*ynfWo}26pb9MtwHvU_NPdGc@Idks0?=SNPseSWZ%=!_IfBRi53Td>j zk7b{Mj6fQYQONOP|G4^C2-48&W8$H03o;AR=v5zE3K==0 zKBi|QoWAw35=b4=f;0x!$D%@>iSYV?=Yivm2?pd+Nb6D@hcw3_96VUQr)gaVF%I^|1`xcW4yW#|E7ZS&VQY!;|V`VaUie@N*EtyB2;z z8j#sSme`|4wBAS005AkF)smxF!CJRz4t57Kz39-jh$T!#1z0f!t9X+2yYTOi~k zNEb-$N%%7qb|HH~TF-*#LOzdl8HV#;g1tQW4Y>_6x)$~>0)G|h1!=8=f1_a^aweql zF5-JJ_-|lmEcWr;U~?RfZ^HSI(f|E^fZ)!5J26*Kd(-x2#J z^dNOe>&RU(tpLYQ-W6L~i2XBm#a0wSFMC(4S26S;4M=_9u2=-p7`-c2HyQen870t% z)FH!@cEy6%;JlJuu^LEi3iO1$2IpUk^U8L`7EFbHInJ8~{Tp`0wn0W`?}~*=p?4FG zLmH6lA-x!vmnhU;J=Vh!Y-utJnU3L z|1HFO2K3hLiiIJKPj|&?XF>1tU9s#N;LqRT-;D?day(@8pSxmFNNp#=nGO9tNXMI@ zzZdp}+z0!R;k4bcl3U;xqy-s;Tnedo*d2>nkQuvU*|*~O;k#oskb1Y>vFh7k4{`;h zrb7=h@`K&6UUP7MuidfGT;S7p#}+_F&fXoXy&W8K8>BvHcTAfHdG7957G&7i9ScK7 za2NHUJFq_${@jK5OoLs>C}dU@^ve(~WE8RvQo9b}EEM^Ga2G*VAUq*&-W}8LhP_*M z$HohJD>!8I_T8~9kj6Zm4{1VX+=K8I;`}8zZwbC5eIN88Lqg&sOyQ*n=aJp9HIU)u z@aF;efzLiimq8!09x@8q>tP(n$Erh+=2J)~NNpwbAR~~y9sz$E{y^%_AblY%$n|3X zS=fP$LJs;l{HsCyA@xED~x@}AY|lu*n!ku!2T~_??voG>T6&Z(tHW| z`6%=tYaq>+;g8sd3_OPOUWFc{{`&5ixg7pO)WEyK}LSPCuTklJ1^~tjbDND*6xXwJORDe_QbND#Q71(r=SO!4QaixCl(U>kkyb; z$Q6+0TL?#R$Ss0@yeC$-66Z(v#DY)b__upv;b#y|3>?z%HN-;C!X9J|WEgTiqM*3AvPXTFKmddcmey6 z+aSY}8e%2C#(5|4_2wBz;tA&hKHpI*|@M}84fiz|`#I%>-*A38vjLvC@ zMIp`G8)C-G;E>}XwYy*+GV*XkY|vWBmmyz;e5E0_0MdLH{z8T!vtEOIuOXHVsc(Yc zklJSrvAoxzw-+*kaAWWTG6Go*8P)d2RtV|a8`~z1`}fAO-hgbkH#QzJ{Pe!q0>~(2 
z4W$0ezStJX$g|*YLJ!}JTC)!OFF?KxJ;++f@UQp90`FiSG8}1AbVaUiyvDl!^&^sj-vpz&TPQ!hm{||Qi z;eN!Aus2t(uQY=;r8Mzkc z{}JIpW8?zy;H)F9PNU?R5 zLQA`0td=%2kam2R4jI*Hni!7S_h+oH##}+@WCn(3W?guA=NTE6cENGy{%}Cg9s-N= zbH$IlcQ)QbD|QFrZvy_dfM>#c@3 zoXjj}49U#6sI#U+9nGh<@}8Zsiy^h#%)lJqq)wR`!#j_||GAwttrsw=g0=-ZcL|*w zp##&tD>`Kcax*i=2-QGNW=2luEF4BMXoK&?d`IXCwQ?A`u(R!dI{d4_vEky_#hHOi zGVvBW{Ok_C4g4A(cHrG&;r}B4kW77H`jE_CRqb*zv*)$X$s9DNLvCiscU`BX+_y6}3)0h8Zk(;4|F|?yV;6N6@m>uZ#{D~Eui&?c_dFj`Z;pRt zX0~rkr_3x6M0=P_$0&3+L${K2Wg3;Jq_KTVNBpvv?u?!6hmu!3<9(}6^KJI@EvK`{ z^B`<>eQ0Ow3raJ}bL24PIa12+N9-J#KCJU7oLhx+)?*GlA)WD~DZNKzM$`P|-ib66 z#ltQiTVZbt=E$NcaHNyr8`+pnC1IIQ4(Z5=!N4e zar{bg{F2N-NoL07>bNLhc{siu$4?Z;M`i{tvd`4CW!NpkvAPvIV|qL6AbqPuIa(;n z(IQz75HH{G%wBIHl|I0sjnLVEssKEvU6pU4e^GkkqyB&R6Q1ph?0;DJiESPJ(vjYw zr?Hkm{@HnEm-EGq{>^JIGOpZLmEpT{ga5{~%AAik4bfW?>9rKIfj-a9vcvkJgi~pNN;yKqrNT{^>vP@uk$+OWExjy4uX5xh(a$! z!IkjFoc8lN$fRG~&cD{zY~A6!CY+M(WhK%%vKoHcME~nyrbr^~B%Q_NZqsVl4~5WqUmusgFW~mfIA+fOp_;3G{U6Ssk$B zsxPj5%*_n?Z*8B*kzjm6jBEu>-+e7%bOWMVh4`*`74fD%BEFq)#T(^!W};vn<=1C4 zU-ivqt0pe#MTpM?WaxOTA)5Hzn2-ClE0yj>LNtBDMAJ8~eU;si7+xB}Cbq%&TZeFh z2*(nAj$NA2AI`%#!}JwZbz0c*(nT40i#zz&rEM6tao7jLHciOPg2jMc;zYlb-VsYR z5%@`cmYweV`H7Kx)SzR!@l_*)^~!1)ceMA zP2vSyeFcxHW0Mn$r{c z=^XBzov_Y3bd&ih+P9tol)rDB<5j^2gAa0X(I1ZkH^2@2=HgYf|EODN+iM0(=zKGI zdB-@&e^|#vDdQLk$+e0d!am-QZBY53{#i6T>Hd?`MAy(Xp#c-qnW6C%evZQ5;3E+K z2Gq;ulrzkmf6x1=b%Bj4*xLqs;uf>u5P~7 zi<_^C*lV-#x9mu)1L4}N(VY2E(En}1S(>AEj^dpWfn%GCzwSq&|HidoBYvFa-7caW zUcuYM(fBsk|EGlQh(osuek_L{ffI18wmIX7nlyi(c8Of6akT&Any)I7#U6hR6qUaR zu8j*on@F!w;2Gd;nO?%R&G;{JveQ4ox8uL{E-uDt=|`jg1J_Q#jv6<5=ktNqyEO+; z?+&1b_*Sk+?@gEd06hPucgqySV-2P5z-+c*L;Fwc3*{ z2LEE2O_uMj$6)PzoU{Ch_P#gxHt?1RN2L2~*c)WFPP&M4y%qMy7yNIQYtbHU#lr0P zo7%QL8Vo;*jz#-@3;e)ucllJ~cWyj13Uy{VogYDe$erIfE-*{^`tBM?`}-#BhnhQ1 zbX)BiXtoCl){tCQ6O2<`n!Z(h@N!(S<2YOct44mb!MH-y`^w`n{=66Wcr~xRJ)rTe z-Tw*u%be|(-T#5-xw!Bry*t(~z+1zg2G}nW_Hhr}|6>0-Tf`sZir^b|=&sDIO_xJtV?d9M> 
za05DO6Z&hxXL{&w2DiYYaqH0{{k9AH+rJ;_C;Xq?1LNPXo$(Uw#df_debXYtU#^k(XD(o+SeVyuq*L7js zP2h1?4K9YudukAqM2D~1|ELV!UQgXF;@1QD>a35B{O~PHnBusVpz#8!O7gh;x^e%b z6#i<+slBj%g7B^Q@Z+z~itE-ZnoNk)Ru`t}`s~PrM}1Qh9xh0D)WbA<7UiPn>9{}e zOqRPrQG@=#8|P3;V&Is3&w?GGRLzPV>!9)Ut&g%e$yR z3GQ-o>6SNN*B?%J(~Z;crOmgS=pwjXl6vF+)j!04y^$Y{>+((4Vg27U_KTwEXrev% z0{XRh7ReOlPL#3BsygH?%*b2RF>i6Fyg8kR;|_+N6Q&@$+ahh8}OIB-N}jo<%9!ZKOokI#mQiOS?btKQUnt0L~$cHnRB z8JJ%isQ<~!nJB%tB?`nju-W8qwr*=I#TD?O+vUFx>eo<@@(*t0qI`(-psgqB?n>|y zJR=y!{eem9qqr|{XTov0<9cAi)y40T=6F6qDV@YPd2?S}zZi{l@;4)$LjDd3N576) ziU0BD>n7|?999$F+2GJjm`?|(nc$`;B%kO%diKNp4?(0Sev5KPhFNQ1$|SHBz_6|J^N$)(@gs!y~aUbAKTdGgFDZTKhCR*J1A{u1aLmo+~g>!2Tkz9zVIKMbOaVcYEe2yUEIe&KYH-kV`hJPRMeZ;W@1vZ{7@ z3)|-{>M&w)#w>fBo4e_9G1@ZZcr*Ph)F0^E=_k&?HWh!}!MFSres#u8C@Ldh@#RvX88iismWIraN{IqXRvTyHRh= zA?jyU`@Y|EFaO!|Io(m-i_l5dARI#sT3fjt@l~cQzx+q}QWn;Pl!Y`YWg($3$bNtB z`4}HwN9E9_7{{R8ECbIfN4XK}KdoGD{JYzwEaItay;2vF?}N5VK3QOTLToT_ePc$` zy5byP)AOYmU)U>)qFn8Oo&i03+~3;e>Ulg*&^DuuR_qm1SFUbutJIUlO51_*(sL-T zpNn#pf^o3#&Xh&iKR9(o(_fgnuu|7orY@v{l$8o9_iM%cZ#d?EGcivQ>ng3>PR>qQ z1bw-w3u;5kf^xOU_VY_yN67qh_H!4-&)?;$NZe%HUN`Yw6Tjq9Bj)FM@oOn-B#B#0 zi3s9#Y8y4?~Jq?Wy)pjI4Q11nt{ipY@woh52 zBW`o?mpc;c@3&(7ioT+?>xusq*Q5hMimeKDbOZd@b{p!e!;fh#k*cNcAxz7x#rTG| zj$Qw0Y4L??fhe86v2RthPH1MlS(zQ$ILHYXVg51~*L6kviTU+HpKn!F`pp}BqpQ*v zwOicYH-3Y79mQ2x78RGi7y5=J|J4N-ic8o_vKGP=n2JrRsY5YrEjCa2PuLHMI zu-@du%4d9XwBjJt_tTUG<^L*mYlgmADT|i7(?FT2#9!Ajnr7S;e|@Lvey7Ig>003GRpjf$@b8=JVU(;a+J71qD$zATUT zMTFXK7_rfReB(VwxZg%7%XFN8^Xu=$`HlCl;JVZtab0#^dTYHeLiD$r5w7(h>brPP zN-K}s{10|?7S~~}YbbWd-ZH&~NY@ScTOHIieL3~FYTc51Uf1-OCA??Bal?!+#NS}y zx|KZPtq2aI*YGywb(Xo8p#1$3^(_VS%jwSCYQ^T+-#v9#9`M87@vQsn;=&g-6{9xnr510EJlN^95SZ5>ipG7uYW3C1O}$Km;vRTv-P zeH^VFztWV&&fhb2OC7Fq-IvlK*^HUfJ(q>3TVyPkbHq(b0c8=FRps z>-{HIaWmrmX4dxo2L2J$T^`^K2T2W&kZIP^X6@$&dXC5ZeLdzC;`&{({x<0Eobaa8 zVEkRU$)Cp(?c;KUUyW}G==iO++4!**d?|Qa_$B65gRj8-$sfS4W8q9Ix6e~jS0_I1 
zma?!ePFYC)MXs9Oif!fP&RE$+R+QtZKgIKx_?Crk6ZxOr|APlz+`j$^K3?!cSa|4#Xufa0{_DwMAVlozosWUn{vKX3Q%N^82GQ9NKJmz?Y;?iS*<;<)$hsH1j4 z9gP2bUybKa_R;zh(+?zikHAzqUu({I9M6OPF2Tep7dF7-(wGc&dG9C3Z1r~v8P1?fxm zGQm6)_v9YHd*uF@aAm`YA8CnxW;^^S$wWHix7tL#PM?VM2R8&fzvP49_5*nU#fvvI|E{_1pR zJ?n!0YAX0P!4J(V<@2wTus+w{nNFg7ECJUBv`zUKg`m4m#{Bv*{(cz)%4d^_&YI^IFfQx2`;$;WsOw*TCJ9d9t|-PUWc zzC7yS$2HxrmFFKC*BorV{O^ow#JFPAG>oqcTW4G$#t$oDzgO|0@dMU^?D50eQe2-e zb&emzd}}kf0p6DLEsqoPYFNfA^4sx7;GKKQJ`a1lF zZw0r;{KX#smSg;TbIXi>XT#MZ*bCj#Hsg6QANvB~XW!;*Cj@T*ALQbqoOZ21`vHEa zoE~hyPw)S$MEcHaxpK4;_O`)ZxC1heS*L28mzn-)E%{!^tq8LBbhKZK@J(&;{+U+3 z-sk^!>YhhKZ0!ED%k_Bw#=XvZG7!glf>(n_I$}qq`y#ns;@^?+7Vc^jFZEDgKEij8 z7Ws3bIsxZpJ&f~Er{sA}_rLjj>%a~CR-53n!Ly!2`zWrv&?d&OOTe`kb~W#NFTtz$t7Pu)SDo1WH)4tVv%24a z@#{;7&k^vamCMC-DXRtaDv?Wj`0b8iPt}J=PoX9f#H~ zmnppOW;MPzn44(B0@5BG%W{m&;i1H$U8ow-bUhip*_YhCG z1^1^RT$93W&U=U}p}PdO)31B|J*6 z>5V^k0>bTLVf^GZqH1TdaJOk83g)w=b!Bh+VBkb!G zulV<5;klAI_V-zny#E;QABJ()N5>mqkIcXScr|?3j_?=!8U3m=U7N1^iMMM$(R6!E z)9b2C^+M{nmjrtp^-W56^3@5CdYFdKB43u@iu=R9h@VF_jiY_j)C=Do!)V_%o_JV1 zg=KjkcKU4?p9uS%0b04A_ub&Eq^;N-_Mj)Y05(Kl{tg5-@CaC zgW>UCQadQVkUUzw$S!YjM&6u`Bj$DT-LWCh{-(EhZ}SK|d(|67cr(s3ze0JY>-+Zm z3F)~j|JROrr~Mtz^xM%t)S+EU$H`6ogWcXXeQ&~FgJ%G}zG9L+r}2f#a-KB~_Ou<; z?&GJ}#CU%ycpkVe0Bz#^NOQr1;D%#8S!t!CJEK+v)=!yT=-GTONAFVH-|Mq&Hy0}ko zJM{9Pr?taLt=-Sxp0afCzn8j)vxlcFR;gP$5br>ZA5hrkO7vIVtFS(mwtK(#unz<` z+U;)cd)SXo_*#C)^FRq7s{I~mCjO?bNWccvw+Rbze|o3gF-wdqTDiXYJEm@)?VsRt zmY7!T+3|Um__EoGA>oTHDGDidRXcSdx$?;#?@p-3^}jB=<@$%H6xhW0yb|0}9Q7jZ zJrDc67e5#J%b{Nb{Rn=$$LIF@D8$_0=UyuwLA4%Yzt3Si?DRU!+m0|%?f#@yP<<6z z`rZ3(O5?5Ap}+n=m8Vtwi}F{L6)Y4fMl8 z-=04u_OBB9dVupU#?d{cy%#6OV_UqHVW`ca|ZG{1{q_X+uGycTCd zYTd^!KfUk8^|K=m-tVb6e;dv>g&#@$7U{YS`dLRdFI`1EH$Z;@^rQHFu<;b@WL=ja ze~v=GFV@N6r+nY~*!cM<^Zawt_pSTW&`t5L`L@j-)XPHb_`~lN@Y_P)>luG6koqr9 z{62q??p=STY0;ybm+m6Ha-kpW);j5RR4b*Ih-U-*-U7c({BBNp?0p~Ze>kRj=_2e; zfc{MAH^;t6$13QrfW9H}?|{l((#PZd?PPZ}+X`H=*R{67uQkV^J_z7w_YUs661|tA 
z{er!Su;==x(BCALCk0`zAdkNod~oyK%&rT5%_+Bs$8Hxd1w_#6BH>QCoA^143a zH!3r0c&3hzQvNhEdnCOFO6V0quP%vRSLjtiFQdyISzoX(wt;AamxBkvjdXyfd~~f( z=41|<*Fg+p?r8oE0sRs_K<{et9?0x9O4MI{ z!hXl{7NyVpAntoRupmaJ2S*mA=YH_hrXa}Q2FN83gs!U{%+1X94aF-p$85s4e&Z)oLKjp9}Pz$KXhT-M1D;dc2s=7%`0soX#t&y8|HS$;(k1@>0((B}*V3vwEX?qgVld&$w|`!YpZ*f@aaBG3rUIyosaey9 z@J1osH^6@00N6iL+E4JDJ*L5>iK1XS(!6iN2FjtEa0Sz$>F@b{{yz99Bw_bQF@DV5 z6AO#`0$k8Ab%LtLypEi`Fo^9 z`>`G2uOCbG-xVKKFS+-Zi2C09F?qg@-)a-(E*HEOb`O<1<^#x%a_?KkXDjBUNZ2LI zaebj^PfR-jJ4`+`-sf+nP2ug?ADU}FuY+7aTHMaR=J@6-U)+3E-!Gc4oA}y+XeXEa z67jdFziEnp(|VOy$G9@hYr)EXkB^9L+) zh;J$7ymQ>IVE@jRX*a6i;&Rxl`5DrK`i+F`dQFhaVkG5%Zi{i(+d z@Mp`fTc+NL_>FoB^OG09AMq38m96k+=33``MwEvg;1+mWmIqNUX0OEc!PnqN8`KNY z4>lnD`bg{agTnrVr(yrS*6GJZ{;q}ntlv2ESCqre;5zvCqQ69cRP+qKk5YT6KWd5o zr~&!A`dQT9KmKoyk4K64*C76TTc+I>_R?30`{!C_ygC^6#=)M|u|ZxJV8(}u=9x?A zd`j+q=W-z$4pzaF9V;$_&(4Oi;Cw(nfS%c&-?>3_yO>K zGqk=5?-sKhgLeck>ccwtQ*&ZN%siW=K0-R%8A1f(H3~ zjyMOKD9=5?vyFzv`|0DqgJLgWev+1{t0zmu7f|d)OFYiK*k|AGQ-t&Da*#j5Ag+@o zx}QXZw*>n7kObjfX`q ze?Z=;Gi2is?^}wth*vxv)U9kDpR`Qf0}j4zDQjNr@;DCv&s~fATifqzye=3&P7xRS z+WAM~y5Ou0zLixSd}B8FYjH1^`w?JhEyQbQ7N^@*aZLtwVJqy`ciwmCJx+%m{Ck{4 zJJRztGI!R>J;#+UKqLjUWH&soY5p+3hR5H`NwM^Iq{e{*4{`UvC` ze!JVvWY^{9qCHzj=UZ7gzp*`Qo%_sE_&$i?srwE~>Yl{AI%UmE>fUi7img~j81)AF z@6+}*`?^q~?^}rZ{xaAb)C=_@`8W&L=?-As{*TRHx3}y6o2dV%JL|uww}Zj!!43RA z(0VJRz-#8cP z;gjXZ9ycuZV{GuBzsKKx|JB>5f9Iip3&4IW_bZ3KPxv3c0sMdD`-Ea#yZT+szb`s8 zu08HQ7}tvawP8KlkBi&3e--We-1o5lcFCc3UA)&@w7W~*$NK4&huYnPFW;$q?$`f6 z((a1!YVVC0-2hG3*VRa;TgiD(8c`A0~%C_5-jfe81*?-#^}pa^AHT{#fWMyL zp$)h`-JJW>Ly2!U3B^AyUhKoe@;s6LEP*`(_H+?0&d!5B+4#8qqp%4mL6V;*{Zb;_f$$LrLl{$m2GQEIi zK|jQ!L}Gi6_PfYkZOdu$$6>T@j_GLs5=$gvtGn@swmjbcANOCAJdR{N9q;Zs{_lM; ze4Q8PQ+SlyT9C3?ylP);2F*3ZEjMEO2kDDfqKHl0aws-2H4t0q7U_?gqRf=o9%qZ6 zDwoBpfy8D~{1jh70jqed(QP$N#=0rI6D4kp@1B^954or9qx}-Hhr5yO_^RW0-Jrey zV>-Tz_Qxv)vfom|x=E&s+g^LBkKIU~O7bj{!%4c&8#h^|$d(c*%>~kaWwA;r=NVl{ zuaR0#f6Vjb5p$@N;ej#-tBD(zNNy325ZA|$#UD%kI^tFy@$)6u&zJj=aU@4b9wcrN 
z*DjXaB5qQ+damR(#El7L|1!y=%KlYkf2ibv3uwPo%J4Ok8^ptQDL^?akvv4)_*@o* z@Ge=h!^ET2(oXa)sb5Q6qsh9tn`(j~^$fg|R&3FGq<*$x?`q*CQW}dSH;G3-qXJkj z?Nk%ji0j`;9#Q&#CjGsV*AdtMD7i^?^c>CJqL!5A4Kmyyaq~}7-`XSXSW5p3$+dlw z*ANf?Tk=RiHW*Rj5#oB5NS>z+m3sONDYfe)&nB)-liZp_`lO~r^d{LNh98h5O47nTabnZ2mB)?8b&K0U;Q6>SDqiKlG1#QB(8~zO(%U5W&2Q!L2<=DzAot}__~)1TX7!aaGE7S24BA&b zlk|qr@qm=kUDBQzBR}e$_Ko|bo;FKL^I|&x2I4nMY0Z{0GMywf;E`&%Z>aOgj`H6a zE*t*nCDZ}5lhPu8tfS?=nJHx?O-iGelv+T_=;6eN5vKqm)RBi@l757*kjM3LQbt}U z|JF#UJtd_@9hUJ+I`4N+hsbb|M?(zVbghMe3Vl==_0n{#R1ZI*;}zOBv24N&4E?WPhiW(E;+fvTt5b`=?X? zPI`K!(p$smtN8-P^|28{hyGaa^^=LyODm`AXZPvfC;N;+)9t+hefpm+ zNqkt`Z@hj}Tkm!Z%6?pMQS+qubNx7?=0{GR-Z+nP@^+es;U*&IJVqS%W47rv-|}lmH_lI;cJLsuYd$3H z9HZ4z`E%;4S#J{+#U@?*I@UzwFENkzd8DV9?+YGwrSlJnyVq&X22azP{87bpxXt%Z zA2GZY_SL!%cI|Bz{!i2PPv@oJUj9D~F6j{U`;>w9m{9JIaaOL4{T9!w?;7X;Y=Bs2z6T_@TcCr~eYJRKioP*&+B0G7E z9W@_Tc7C12j>*_j^Jit}OmwS>{F%wvQS)tOXLS-g)r=iAKUa1Jpi@ia&kDwln$Igc ztCHA>Fm}}ZU)ebW(}qO;Y+>xE^#Wz*$s~5_7&~fxLD>=0gGByh+`4~zCCal}k5G0V zOJYZ7?5On%Wv2%^%0&JQV(h5(4rS*TN$dm}JB{ljWavaR6p8#PVeDvz@sbTCiuJ4dTM|Mi=&w9pA#O2T3N$f-!J8Jz%rB5an zdK0BjJ!41DQ5K}UBZ-~BZQk`ltxqXyUC^N>@~0PL$8!0zAc-A=v7^?%lt1Z*CH7}L zV<+nJ=awXPLW~`?zNY-CPhw{QW2bRFjto^|fRZSk!;BrZey9BTR}wpG7&~gcPuZDt zcw&EQ89R;ZgJkH_BzCqjcGP;J^5-htc$6r8v^n18xpDoG3~grYv=sjvW52ceE+*Uq z)-I89Q8EGNSleU4vAcFh0K4rl+r zl}}{Snd23V{(-6yMF*ZzbT9BZlh4riye=R2)!|3K$WoPM(TRJ1_myL&#h-Njpb-o)8&?fKNNP(HztbhsrgjY zl@6SKTXAk)qvl7(d}le~^#8B$Wb>M^E54lm_ls%@dQ&2ct9O{K7pSG-pb#=7Zaq_{vtdi&i~V++FG3 zx@bX$-!siyf7TRlUQ_JNb%vkMgsT^N+lfx}<~@qMc}LTm8xy>FJ114PKN^kw@ z%e}e9@DRgIh6fpLxOlSiV1=B1Ce#1zbf>;7NnNxD86IW$-3$*h{8WaUmEQiWW%!j0 z&tUj#72fveGJGt<|IGNG?b1({{=H^-`*SqIk79Tl!#O*@pXnX$KN8k#qyGe>e+Q$l-|20?<}PnuyU?50RD1Iv z<4+CKE=3t`Ebz8p$8gORuVm%+>t){dUuL-Wu($pyMnA;x;S9GP^0vQ~;Wse67sEe$ z(A)lUhL~A zWy(+RSKj`I8E!uAtzWako7X<+eQ?|A!ZHj^jImz^7(_LJ#vr1vB`hf;WcpW&v9C$oS3XHI`qyA*Ws zWOhzc?`?EA+6C{gaK2xuweMHt>~r_^wG{t{eOGyZdkD-?#e!Tk3wi@7sN1ZRJmE-%rKa=kDiG_X|audB0Fg-H*Z9 
zN!I>Hf9dhUAgoJ=8UCkVdF#LTs5jSs?#<0dy!j#~TyvSXzRvK84}0s6e88JqKlA1q z!!wz1t$V%g)Kq)(FvF`EZZSN>aMQ(;mWL;tekRk;dDf|~#vz>;9%OhL!z0gl+rN+D zwNHEN_h$6pXY^+>ybr^7tn?1|O@?2}#5e5HPnQ0VJm($mT@1g2;WHS{*%`^`7cl&I zh7Vx)6o!AZ$~(S)Vff<=-^lR4GyG154`Fy2!?PLQli~YnyyLr#;mAsel^1{VR$aX&t~{^hWi=*HB;}}G5UXH^gm?y4;VWyF#7K^{O1gRfZ_8FkXO3& zleIJ9=e^6}eGIo4{s62s`!|*d1KA7P{8Ga$d zFJbsq44-_2xBsOK@6GV95BIinMZlZi!sz#A_=ZexJ43$pZlC8f{B(w&#PHqUc-#M& z;aOjM>(|zK^Ya-yH#7RDGW@!KdE0-R;bR%zo8cKuxZi%|9qs~#XE40xOK&^je|q!4 zKfHO}HgBHI@bKTf^$mvC{ncAPo8iWvz4f&}dh_7t4FAlV2R`-Y*;~E2^@%q({@~3+ zAA0k^@4b2Ox86KZ>&=Z#-aPVwH@6rbVt66L$8Pkte@Lb zj(50^G5lnP2j2F!qpf53Ti!hTO>Z80!<$DU-dtz6^_sVSkl_J_*S+d(r++1~f z#qex~4`R5%@H~bG8UFa=-u`c5_>)XJy!$I}J0CFoLxyi<_@5d64~Bou@VyN0!0=3l zZ}_EmeD7ZF&37^UB!+Kz%-haXh6lpl`gIR8{2^~1c+i_0OTBsZecrroi8l}3>&>Hg zdvmMWn+F#&e33T~FZAXb!$Vb!KEuOzdFz`D&t`al;h{Ud?MLtM<|f1I7I^DdGu&W! zfZ=uXz3u;v;h!`7Wrjb<@GZA{hg;3?ee=Ba&u8>==6dV@jNv^P-Z018&K5@hEk=Jl z!?)b#ZQo*e(DK#~-|WrJo4mO-+nYyk^yVRk>kKz$c-yJH&YNdXWB3$r9xe9ffkJOy zYkKp#tG#*k1aEFIyaU5O{;9W}@OWxXt4SMTG82&uNAHCSy z&XWv(j^Qse{7r_x&+y+d{1S$r%J41>KYxsOe1|Z6IKwYw_!x$dW%y+b50Cct^F~I0 z5u<+^!@nKnZT~gK{w7BMc7~tAaE;+*7kT^Bj?rJkl;>>5P9DRDF!o=$(A%G986IPJ zHN$_%@XaH=!+o0J(-=FIjQ)=p{%xLjxD^aHM|kT8hckSbH@9-Vd1RP0(+i&ZlMHn8| zz4a}I2Ttt?GNejCG&V$#8M=_gD7Q(bnF=~un(ojzAG{6dBw%kU!@ zevXSL^K*Q}+t1?|-ihIU7f%-MlW%y3JB8s_F#K4Ck7f7~E}qQK*>8FK*`MJ(82*Ph zz3m*&=>OKGpUlrU7(2gb_+MN+nSFDexBpWaKGVgM*&n~&+kWs}Z*DL=o8dac0}R&~ zUiXf-KT(F)GCacY8ir>xTxWQI;Tps1-e%&(aFgLtSH8=kK^M){n z=W5Hcy?KP;dl;@W_Urn3+aJx?dEKR-EM689?#~B!hifqU*)EJ@L-gZ7e+nZ-I`qwhNn&Bp6|5b+faPegE3Y_EZf8TSxc`f5-#Kn_^yNt1a*ZJPz z8ZP}anfG7}2T#+E(W2BZtGA$BNqh@&HR_mT^KM$i#jj`VTMXyod!Ss6yS}@~I~}$& zd^f|R4F8DX8yWsO!&fo6 zX82PK|2f0&W%zuC-^lRM3_p+I0~!7!hPPw*u94p9`6a{u$nXyt{vN|0Wq38iEr#F0 z@GBX95yLNF_yC5V#_;1A{#BlLIzPtnAj2z0c-!g0@Dmsw8}4oAcMN}Gn74iv!!sEE zcCORT-AsG_5W}Bg_^aUJJE!BXmG-k}T(_Qh$i;t8e1VI9Mm+4|e|b@3SS zZ7$yFXz8am)#>Na#IsynC!X!%KO&yz;%5;zT|9^QOcx(TyxPStC%(eP3yDWuyo~r3 
z7r&8sor}*Wo-xgt4)+q*UHs?72f6rD#DgyWBJmOze~Y-~;+u#sb@5M#*SPrKh_83? zZ;3};JVw0U#XEPCt)ml0dhq zraeXWmz7BS-HE?Q`bJN(Lj%os!Nq&~YxgfuK`~C7U{S@&H zpC|Q{|Nnx1n$}GV-{G8}*4sQ&vnEMDQT^?$-7)n2*@4o*2=SxAg`d$qPCvVoex!r+ zQ%5?A?Z@ZJa$-%C_VXmxvPob6qf9rIp1EY-aIIrsMLgvCzETC*u_npyrA%Y#M9`Y`dRMGn%k=CfqSnok);huOyVCaJ3o;ADE<%P=1>`K z#LhoW+fCehKpN1=&XIOU&_&aK>J0Z}aM51`=zC{M{|s=E?^>BO5GFh4k{#o5XF6O; z`eupr(~v?dCLX>*>PIuBq1nogYn`?VT==6+k@>4rxJ${7u|yhH{3+tmO{92&l&=#H z50UXz)i?C+5Js-2lZJaV1nVbY(g?97lLO8g<>#+6cEr*K~+9v&&v$0GgT5I66l z{3Ulk0T=mV7Rh|cCH=nb{h-Vxp%ayg90M)M(h)3R)=^v(c>0IK` zE!5DGeh^%=8|DsYIh;WJP1iWTgzV^N%J@bo_?gQ7N0dIqtBD)E$Uc>;jm3lX6p=LUyz@GGh(O zwws8DsU6lS-`_n$+K-&?w7*#Cza|w`zxkLQZl*Sf#^E~ozl!wDSDfL#O*|Tq9vYNw zTa^8-&8{a8Yi%y2|YY;`P@!>(MpDwd*9eDE+6~_Pc2tXuXb-Q~T2? z(x2cENmRbihQ9DKd<~^Dop3kVUp`sdM|WdykC47TM<#$y{MW=I|E2_>d|9t}wd596 z@2zBCr+la6)c!$yhbtX+f{XgAxxN?B;Y68kk?GP;)y@aNh5mF`eK`?a#5el1jIU0^ z>%nBFCzS_fXC&zx_euX%`#)LnF)~6r#y4V{0WQL=o33h**w?gqq#x-k?L>~0{1M{O zfwJ7Hay2DK`Wb-~o64^>WZ!VTN98r*wf}bZJMWYI@ZD5#W$@Zo;>IGG4q3yi8{@r)>fk{sdg#6ZtdoT331AL3WH^%5+fmrJXMA1Uov@^DyFdX-!a(B3Jn@S9XTW{8jBzHF3?KhR`%kxBu6)$B0M1a)$dV@#rm*BQo~( zJ8%)N)h>TNQ~LjwdKT#yoFdaFY)G!^(Kn=T45N05^gHyB`sN8T0mAY$?HF(oZlp}s zQ!=Oh>@2CDeZJHFDbN@BsC`HF8y# z+KJHNuay2`DktRUKH|pxGT(KwbL7b~eT<7Gu!#SVxHVMTH>vy|HAw1L=SagU-v>co zPI>}am*ws#OWUvt*q2g#0EOz9wn_Be6l2AMDh z#p?~?+W8VhNdF_UU+XGYe<5zVz7sKk);Ba)I{cgT!*iT|`g+QA)2Kf+D8Ahluk_nQ zC*GI1K90bjb%Hep|`1X3G|E5$lWH8#D#3Qd!!6C7X?3B>>Gn?!` z0WR{lr)!?_JlWB&rSzw9&Toi^-%%No!_^!Ehzu5Ca%%=Cu$$n zv{OhqcFvn>!^}a| z?P{I#bJExL%7hG4ar{Qvr+zs~ajg>Nj5{ed~Cq z{zl@)gVIm4y$tvZ#dFhbpzMdKzGvr1J=N~*fWAnFiLP~q^wXq2rpuoIxag1ci)FlY zX-+$txVcdRm2T$|kFITJAF$+U+9kvzG%r?miok_Gn(Kbo8hG@$G(1{dY0(lzgU zi1f9~WV%Ht+-HcJ56JSV)@R-U7vY{Xj512>V*6C-(>juAQ%(Dl^v!!I;fcqZE@xxCpoUTc@2&iAP-TTN_1o ztl7?TXcCWHBGbW;$)wF99;I}SP`Gyx57Yfo5$Tq;OxYPv1=e0i(6kzGkv?mSJK7f1 zc>7h-*S5%T)jHL0iJL=ZfV!-H+F!x#^5%LT>N{{@f4QsN`f*uGq?<|UW{{n(;KEMC 
zb>H2oq;FX=LQ4O~#PuI_6ekL!_BMgIaf#g5rO+zCg+ChklS}+z#K*1|u5qK2PFSjDSb6B>m&o%1TNxriEEtjG3iHK{d$;3@{osRff#5Ee<8pKBtkL;rIM&-vOZjl|Oe*^LGXBoBy)h{mr7x6V* z>o8%`*XTN*3nX)ZWr~_$1=d%nh?YK`lbFGF9%E8BHF_sM~hZ=rt5?uKycIttgAAnjOG{y!ofDU=RI$j`qL zkM5EUl11&(Zg3Ib(BaPV_G5O!>%9>3$xgId>X{VZheJ~Z|QnLko5m%^Gq#B`K9{DugH!;>;DGnXW+V$h*u}qIOGI%y(vegr_vut zJd!5;QS;C|aFNc@iLzhICHvz@UprkUfYn(Zm_j^y3E3h2If{QQ^H;Td4-pSjewkEG zYQROfmTUcUE$Lg?RKLjnCgKLoD|OcvHNM)6@rKY3p`8|+veTRFXw<%$_EAk6tn5=c*NKk<7v;fRK>aV3 z|9qQgYCT=$|5~yWK1t?_vVWuE>5@mOxGyBG_m#jRzKrZgT>aMyWrqx_@*e>g=}_w$ zmu?{a=sn~Q`Tx1%Kc@_*ap1RP=b{lbjuK|Eb?7I{gYGI1M}cd&e}0?m`dSw0=eov| zr`WukX1V&ce&F`Fi`M-NVHR5+@#s+Lk8V>${0d_{bxE8GTfQSYi; z>6X!7rjPlZw6Er0r-F-gFkR0(3?lvLE7WcWJZQ)3%U)_Jhv! z{EOnQ@1gG`J7ziMmrM?=(*T*C#>tXfboh91k^b9U_3kvKPwPTD`SWAq;Y|`KKAP-g zxvqo!6kNntcfC)$nDl$P^8KT8q@T5hIIpQ(T}RfX$DSvBov!0scIcY+261zcv||weP;pwfQT^$^h#RL#KO>~y1>+o1-%Zzj zM>_GyzhnV1shk+Z^;~I3^^ZTH@lrbF7Zr1@K-sUC38Tu}bkc92@qAbE=O)q*Q@p|y z?jqvaUKy@V1WFHjQmbIZqRt38*$@JnGQPXXDi-C+R>>x4JRI+DHW+Z*RBK?^}=+u z|C7Om|Dn##@njkCeAoS5v&l||YyEry>3`ztcYa1Z*uiQ4VcSkOZK|ssdxG>M)z0*M z16-81$Q_bfGJ4u3;zocnoch5(6W1P=`L5<=dx+~o+eJ3-rj@wjdpWpWk0^f)sjkf=I|E(ia4xv;$8gP4 z?jbvoangWA$-Tn1(^a$R`BpNots*;NzcXK6B0ko&-n*Xcnf|sm7BuuF!=VwjYqbwbEHm`jCEfsIz{ZPux0M z>Z|edWn|}7SGg@xcIZCFupO$VRT4L8o~0A70vGYMDkwsf?@Ng1y85FqxSfyBJN>RROJsm*y7fNsDBbU*#^+mzN1mkig#6qEF2enXtNaA$x@YtYsUM|w z@?>zKA6V|pmwu$LkD~e_)Ub^t9zIv5f5fJmb_KXdpB0o2S;UJ;-=z7JPJAZmXS@2} z`J`_QllBc+9JTwwg`elR^6^=+vzgWjRsXV<_&OI~Pj(E~d#>j9kp5S?>idVJZ{6d} z$G?Ny?n{aB{ILF>{w@l(M?IWZ&7@_aVwNAIHa zmqHs&`o_^t{UYM}m6Wk$|9Y~cO_Lx(e$FMXyVmz!LVqR7NnMWAKbq_;A${`_33STe zCn(&A>wR1=6E|J&U#eAhMmWpW7o=ae(dqvlr5|#Zw~pruKe}j3T=nZ1;->4qf>Xdn zyrRF5382epXoJ8-In-%AB#-!Tr9WTRqbQ|YWe-Xp*Lr?Gtb++VwKSfwt08Qake$dW zl!0Vtrs7ppZYkV*h+DM&1Eco#IC1@JX@{zx_6l*0=CdZ*Ig{2=YhCLVZ>exEmv$_2 z>k}33FQtJ9RlI+Ji+C+{)zb#jH|ct)3is&2GJPV?NykGTL!Dx4peeE1suENA0QhcTaimxE9UoE*xp9t9x zyWR^_OT4RVJobswcfG&jE3$9xkrl|I{LMf<+3hpUFH9M{rh|)g7(7|VD~os^($~MH 
z@%rFAo9=M80_+6RNm$wx|``XkkU{S92S+qJIsqHjq*OzVnje%Ar< z7x9WrmkF=<@!)A#WeMHlye`&{^bObj10#utX?~=O=ws`2th8_9xY$(td9}UYMZ3Y3 z4i#i4aw^qFd73s~*{5;1M(ypR#El-5;Z%N}Q=IN&(aFyH;G$mCxaNbuC4F-@l@qe_ z7vfegsxLH**g-rxT9!AH?EC3@g!W_dhnnwWh(~Xd`f7dYOmI=2HP`)z7Z9&2J8w|2%NJzK?UJ=Qz@@rS*+o(wsIKT=-)yar!e8T-eWZ zjo;>ye$@4zmL;}+H*G!DUlogIz=c2N^_2cJZp=mlD0p;;W^XE98%RH_#-H-A_E+NO zdD3!}_)g;12+4KIhW0tqe#E{GtZBnZ{|Cg4(`kM|`7#vTu3xTx=L&F<4l7;r%}Hb@ zO!pJ&WPcWM>n!O{g!moG{w&D}Yxfa1T>LSzW72rQq7z;qu3sZTl;XRN>{P$%wEt{U6LDnxMuDwkruF*PxN%}L0TXg+b@%h9Jx<4>N`VSEg(>Ou#r-(=CIWH4SYhsHK zkGw7&i5@BWt{fR(6H;ude0~Uh5ns(m{)=5~e*qWeq`@_w`G)Lkdu91o@y$Sew(A95 zk2Y*8n%2Xv=Xf5f$eE7=NZ+7#M(K|x9;W9h!f2AkRs=5mu_|RbHz=LU6?e58hoM0b z`dz5L>$Vk5yE$9>Y1#2^N(YO=wVrjBhX)nUlLo?+OjdVkCx~`YY$`o#pnoLNGlca^ zv3=o_^7l5EzvKV^3+bEodV{7-pk(@v(LWmHUynCHzx#oUa1D$v#CD<-+Ay2bPMjzp zeGTa$wpXOkW;6QL%08~!i0x#*l+S?c@~7kfR~b9CWG8}gy4dJ)g7# z+AtBX{kNlSj(*1;&uZF*r1C@J7Oq!|O+B_WoVdJxi1jIXSer;ZN_MU!J_}r@-|^yJ z@E-9%{Vpu8tf-tmX;Pm;JOfZ(Jb6k*WpR0a<+S|5sb!_b6^QhC9&;{2lN z)27YBDRF!G(5!T*RuqT;@~2LjSXe$QR9V)iFci}AuN>8HK*i*l`BOrn{L8-hTbNrK5XdF;Lwud!fS(NXr)u0?jraR#ibV&&k7byDQ~0TE88;e zZPUSsbZ@irW+!)B)in`w+krNV{-wp0ZCTzCeA|_G1b%5{QJd8BOG^sMi;FHTE-Wvu z%*|^X7p6=u&Al`ykO5 zl@q7-zcvm{n}TVkyEM}XIS&pP)O03(I}e`OzhC2-`0YH1g^b37_^l3x z#E9BHKykA{nM@r*SdT$>R8$hLhO~7hQU&^rqKX2CQbi$_ene0usPOiY!jP!@!Sb@g z;nPd)L(|GiD<_v>xur45L(>Y7p7KQT`<(ubzmZx^zt23Y@i)?fewR;~hSf4vRuHr- zAQc6ZilH&4pmNIf#r=n3ovf^4N@el5@`BQeNoD2Jz{^Ve3^;ROpKScI(+(#hiWRoo zW3hlWZsJsJWa;&zr_3B$HZ@=DO+Ck1df+V5J$Wz#2Z%sKFlT6mp`j(yORq&Ou>+l0 zT3%dHHod&CSS94d(&+>G7nDz_ERiv^_nQhccGbbM8Ks4x>63~JDzSW40d0Wcw3ky} zd|AQNDMj%t{`csDifc8jX^E7>nf4->%M=|#lA;=m8d@-MYNMB;np9L4*-oRpgph&x zGy7|eKL<4Z9N6^p%%-1bHT^uh>F1!PpXW6F%xU^Lr0M6-rk}Y@KZiB_9NzS^Uv}K@ zesRC!T<#a=bH6yJ`^9aXF`7d@Uc0ghvg3&lbfHfN~*|}(bK2eLu)$_6xZ^8`IBb~ zg~E_%$?}Jmm0n+5UOBcnghGS`V!LK&)KKP+tguhcsT^4<){!e`*=A5JVWwPI5$mF( zQKd)Xpf(MI+5B@9wp&^`x)k>00N~QRoPMYTqE#4qnT+^Z*>OI>-Qs-sUEWVxJ6pv? 
ztoG&<70I~3oCuiOa>+#Pr1iP6BQF$D7wffSMvAa=iYrDGPRl`Gly4W~{ue1H(G{RB z+F=cvd3JtC)_=F+>r2SsX7e9Xh@I`v2eBwZlkql;I8t z$Z&=P$pwH&Sb4|i)0*h^Ztu>EcK23$YauM5_H0jkXYHMt_B?!Zwt*8u0wEDQAS8i^ z03nf)BH@ULfP@Hy2rdBR2=jgaqw24oIm-bn+1=A!RsZ`@e^u8B>Ol=CnSd}P+ar^t z5bp#}@IEqVBNB)UKE9bb-L?NKv>47v_He>j0SrmXYcW`)oSM#5pEX zA^7@HgQY4&9q^XH3)EYDlkjE86Uj`uagdPnLu(1;gu9z`m~$s1b23lbOMPa(80vq) zu!z;EWj$}YrhcM9k;XA{=-O?f>EKG&mc7F`1%QD%8|VRI$yqxx&*}rvn>#=E zliO;#vzA;ZM5*DC{Pfd)$_ z7HV2p340PekV7@W^`45BoJ?fgg$|7HMuLGdNL@8;O-3R(FgOZo7*=goRKUdnCTwv4 zuCQ<_Pa*=WGLFPDP(j@k#Bc;RmoC$RJo-5 zhJdPDsn!i6pAlXE*Oieyj7Hubuj8YC>hImP$*Kyy+^N;NbL zu8ut$z?|cdcCCb@QB!8uN1nO|hyJ*5=x+`8m6oNw$+Vi!LmT+u&kHMf~ z_F&i>`lzh38L-&7qn*MGgyQgXCp;{8X3mOeAY&p2_trPf&{YaS{^fICl?Y8iX$ z-JAk|$QXJ|CoI#F_04L`ofw?SL8rPnSv;Q|jwD}!vuGvbg|i4ePvR2%NmdcL4Oa3y zR6%joA>gwUwIT5b!&7ND(ncHXk*4ORtK;P|Bp-%Z9t(YZ{6byPQ1HORgG){WUL#d* zrD{lm>(Qe#PZ2rLb{%kZxkE(F)FgJxq=2E4yMah0nb>oSFdR9w>thad1WHYHU9`rj z<@u~MV(}d|zkAp%uO`FmZ(mKtWr~Pp#+CGviW@~pXgy6hEInn#bf7f!J=;@ zHhp2-6_$p`Z9<$()};`AH_;I``=sgR-g=ND%_CHK$~m9Ax5BdkAcaG^a;64JYwk^z z<^)U7LaOv|+G1+u`b~jsb5XrO=sK5twe#7dG7*TG(WVGJd^iar@R)7@21hAu7SEdQ z5K}}`UeZYSxap$I;zW`pjzdAyin)#7j8wW-tU;s6JTA$hlawH+O?73-16lxI5K6sYg)t1fGySH!rN7 zy%P`OUflQ^LzcM+0v-<+^?bBkG?5|~0YZ$=7Zo(BK8vN!W2p=#7?mHBy1f&9ENJUv zAw$J1;vda9~hDEVEdsGsY=P|Wtyd#dU3qcx+PE|tuVRJ>{0`Ca)4>aARDIO zB9@ZnF8LBk%+3Zw#BhQ9)BqV5bh>KKK0OpfRA6(-+%OW%El(S$(VK=ZXt^epL5Wu5 zZ-S0d3#44wGL0ZN4;P7_*vh(?L0zY#YpLKor;%HS#p&*tNQZb@{756sQ$%fQ8%?F6*(Z{!(m)m44?f_Qn zEHM@rW@o0u9HHm4(K`4*ucujij!_^iuq67Zm1?GnW}c}+bf#a9a$&9kkDic$N2oc7 z|KSL3rUHTwsApuo@EJdtdB{EU8phjHmhA-!Q&4GZXiy$d1hrq4t_Xm#qHS-o%5^RI zvn;_>gm+BPV{z}+no@A0-= z`$HaDVctqkfuBMVG`(kyfX)ayDdwIcBQ4J`6?6iPn*^NfoP1HIrg3K7!Ofgqy)_*T z+iR>DM{IkbT{sYCp?fBLXRqx2*7Qdv->DQvg$s@e$!kg_ZD^W7lDn}w>C_gU1cyp3 z3Dbze7kN(|Jx_{7NAPfB`33yU0Bbe??DBKHpv;Mg&036N)-QmrCMVLlW9L+}X5Q?E zOZG}zmV_|`L zIiFplCU0_@bG^kFMUUd@8MFX+ZO;hUzED~jQ)DJ3-_$FaD|__J)u^T(=g4IbvxVUS z)Q4_A`Nmj6l-IVRq7_9^HlIDaUsabRjqlHA6P<+g8!3QHimWBkaWu0@GPS@lx4u|3 
z8j6RLpcs@XtxCC$*Y(8$iMucUxp(SuNKlcusaYRqURHeuDM^)l#m-P8Lwf_^P12H$ zf<0cQp^CXFv4WVlE!P4(l*;p4Kw~l56>ET%3~Rt4T(Pv;tnQedbA1Ml*>H=FXy8>N z>;eESk_!q_fw!2kms!ep+kFhMm4IdJ0)^d^GPkvW7#5*{p_Mmc!51SmT~D9L1jQFJ zlVFQAd>}*2maB!?pQsw_4`ohSDw8UwwoW?%;625dwz?7lowUJ70o?5GjH%n|CC(d@ zo3*6-DU4dMMiI7oEFLI}x2q81pmmS186XLT(`XyXGm3tpI&FlIz`)_hm_#<+3j0Pt z0@1Q;#)>Reeej)={o}*C#>qiitO8D49}_l+cYyL}a^MBcR5p+dS~m}vM!UR~;Z{B` z0zN5`{M73l7Q)m;7`rzZW<_hm&4=)WH3$j5Imb;VDJ)Y7esS$TQ_3~)3`6@YC9-|IjLNTnLrun_NOBjX@y7?KxViQA&E*a zW)^E>?$f{wuT)SaE}?N9_Jv%n@G&Cx;NiPOWsTG;VEDo(`5|s5`+MM0%z7C5j4)Fx z#2KH6n>2F3wU+eI!9!T=(fDC~=%-Q!2%zK|ovu5&5J8En+Pbd9iI#E#Y~47NhY=f{ z^RYO(X`W=6s_!x}QBBM`la`!BhG}=b3dl66Tyk@C%ZX%+bwDx&P%$q&aODg6I-ZKr zZKft+$`ynGz|iYpyE@4-0hp+=Z%QbLf&ti;X@wzXebY{uZS^;6YP(r%wcAXVI={E} zjSMCbnz_qJimibkvf%SE}!m6Z9CbHo}kt1VcF*+0>g!X0T?$;uv(B17}^ccQ33WBPuP%p=uHK z$ZRDNFjJ0+<#onU`VDSc0IK4-;a0*Ti>qz<0R*kX-$)AJmTyZ_l6xgNQw%){jrKBb z+Cz%c^#+d;9iC(1nU_FBv+Mc+wszfn)i&0>dT_>K7BD(%Wuf01OE`1Hd*KqalN|am z(UH17KfYUT(W9eE?!_ctJgXlZJ-oAjR6o3b|Ixkk`h5S+(Y@MLoh^&tWh0aifrHki zW2M$`EA}oq``i|=@aNn9(A*-qdOB;mfq;ammz^I}L~tynbIuI_C=^TA6Zw`LOa(2Y zhB=d?6pX-DN0Gsb+ZE+VnY}@dnWZ=mue%ue6pbN6=4B_HI6 zI~GAfGM*Il(jvENs4uQzd~^z>1-`~ZYOEMH>3-h+Q}~$e8{aqpg}3Pk`IL&^^KedP zGsAY>dNzfU{D17r8HBH80N;F^%dEh#~j z?ZU$@c)A1RXtFJIAz$;=qcOfCz$qJTd;9i-qr*FQ>%q=o2RnB3FpajsXA?C)pTOxG z?R-9+)jYz2A0(9R>%;ToI-drD(804n&bf`y#{xt_;Ci-bF&gHy&D(V|e!G5icy*me z!yMLO3&JxPiBzDlW3y5pmKztSDt*{(h+VIss_yVbGyq*rpm|a*!De#|&~#7o0NgyU z;0(Ph?hUs`_{u_xu~2QS*`UZLhEZXM0+^7;2uRo?aL%P=)RFRCXC6g&zdadOI{ zO;nZ`(NSQoJFbMse%?yK;ks_tL#|@sGm7_mlB{+XPxw6quFJVz$9^}RE!&;T=}HeA z`39!a@=KuYjGj!W&!@bNXB^x6pBjRG{fFU$Ci2(&S@9UCPXhkmv}5M{YR4D(v4{zd z!+Q<={~P+-Khs_L^|nB*sy_bqxEkSx?|i&p8hpS0?uNGP^Uvv@TK_xRta`)FQSDRS^ zUmaiTmhkuIKkoH^!}|NR`dWET=nWspu0QMdw|`gO|9$zgx5_FG!Q&!{zsv8b_4jLK z=TLc{+kRu$pW|Bew{uPXeA6GH;9X{3mAL%6x zaU2! 
+ +typedef enum sample_status_t +{ + SAMPLE_SUCCESS = 0, + + SAMPLE_ERROR_UNEXPECTED , // Unexpected error + SAMPLE_ERROR_INVALID_PARAMETER , // The parameter is incorrect + SAMPLE_ERROR_OUT_OF_MEMORY , // Not enough memory is available to complete this operation + +} sample_status_t; + +#define SAMPLE_SHA256_HASH_SIZE 32 +#define SAMPLE_ECP256_KEY_SIZE 32 +#define SAMPLE_NISTP_ECP256_KEY_SIZE (SAMPLE_ECP256_KEY_SIZE/sizeof(uint32_t)) +#define SAMPLE_AESGCM_IV_SIZE 12 +#define SAMPLE_AESGCM_KEY_SIZE 16 +#define SAMPLE_AESGCM_MAC_SIZE 16 +#define SAMPLE_CMAC_KEY_SIZE 16 +#define SAMPLE_CMAC_MAC_SIZE 16 +#define SAMPLE_AESCTR_KEY_SIZE 16 + +typedef struct sample_ec256_dh_shared_t +{ + uint8_t s[SAMPLE_ECP256_KEY_SIZE]; +} sample_ec256_dh_shared_t; + +typedef struct sample_ec256_private_t +{ + uint8_t r[SAMPLE_ECP256_KEY_SIZE]; +} sample_ec256_private_t; + +typedef struct sample_ec256_public_t +{ + uint8_t gx[SAMPLE_ECP256_KEY_SIZE]; + uint8_t gy[SAMPLE_ECP256_KEY_SIZE]; +} sample_ec256_public_t; + +typedef struct sample_ec256_signature_t +{ + uint32_t x[SAMPLE_NISTP_ECP256_KEY_SIZE]; + uint32_t y[SAMPLE_NISTP_ECP256_KEY_SIZE]; +} sample_ec256_signature_t; + +typedef void* sample_sha_state_handle_t; +typedef void* sample_cmac_state_handle_t; +typedef void* sample_ecc_state_handle_t; + +typedef uint8_t sample_sha256_hash_t[SAMPLE_SHA256_HASH_SIZE]; + +typedef uint8_t sample_aes_gcm_128bit_key_t[SAMPLE_AESGCM_KEY_SIZE]; +typedef uint8_t sample_aes_gcm_128bit_tag_t[SAMPLE_AESGCM_MAC_SIZE]; +typedef uint8_t sample_cmac_128bit_key_t[SAMPLE_CMAC_KEY_SIZE]; +typedef uint8_t sample_cmac_128bit_tag_t[SAMPLE_CMAC_MAC_SIZE]; +typedef uint8_t sample_aes_ctr_128bit_key_t[SAMPLE_AESCTR_KEY_SIZE]; + +#ifdef __cplusplus + #define EXTERN_C extern "C" +#else + #define EXTERN_C +#endif + + #define SAMPLE_LIBCRYPTO_API EXTERN_C + +/* Rijndael AES-GCM +* Parameters: +* Return: sample_status_t - SAMPLE_SUCCESS on success, error code otherwise. 
+* Inputs: sample_aes_gcm_128bit_key_t *p_key - Pointer to key used in encryption/decryption operation +* uint8_t *p_src - Pointer to input stream to be encrypted/decrypted +* uint32_t src_len - Length of input stream to be encrypted/decrypted +* uint8_t *p_iv - Pointer to initialization vector to use +* uint32_t iv_len - Length of initialization vector +* uint8_t *p_aad - Pointer to input stream of additional authentication data +* uint32_t aad_len - Length of additional authentication data stream +* sample_aes_gcm_128bit_tag_t *p_in_mac - Pointer to expected MAC in decryption process +* Output: uint8_t *p_dst - Pointer to cipher text. Size of buffer should be >= src_len. +* sample_aes_gcm_128bit_tag_t *p_out_mac - Pointer to MAC generated from encryption process +* NOTE: Wrapper is responsible for confirming decryption tag matches encryption tag */ +SAMPLE_LIBCRYPTO_API sample_status_t sample_rijndael128GCM_encrypt(const sample_aes_gcm_128bit_key_t *p_key, const uint8_t *p_src, uint32_t src_len, + uint8_t *p_dst, const uint8_t *p_iv, uint32_t iv_len, const uint8_t *p_aad, uint32_t aad_len, + sample_aes_gcm_128bit_tag_t *p_out_mac); + +/* Message Authentication - Rijndael 128 CMAC +* Parameters: +* Return: sample_status_t - SAMPLE_SUCCESS on success, error code otherwise. +* Inputs: sample_cmac_128bit_key_t *p_key - Pointer to key used in encryption/decryption operation +* uint8_t *p_src - Pointer to input stream to be MAC +* uint32_t src_len - Length of input stream to be MAC +* Output: sample_cmac_gcm_128bit_tag_t *p_mac - Pointer to resultant MAC */ +SAMPLE_LIBCRYPTO_API sample_status_t sample_rijndael128_cmac_msg(const sample_cmac_128bit_key_t *p_key, const uint8_t *p_src, + uint32_t src_len, sample_cmac_128bit_tag_t *p_mac); + + + +/* +* Elliptic Curve Crytpography - Based on GF(p), 256 bit +*/ +/* Allocates and initializes ecc context +* Parameters: +* Return: sample_status_t - SAMPLE_SUCCESS or failure as defined SAMPLE_Error.h. 
+* Output: sample_ecc_state_handle_t ecc_handle - Handle to ECC crypto system */ +SAMPLE_LIBCRYPTO_API sample_status_t sample_ecc256_open_context(sample_ecc_state_handle_t* ecc_handle); + +/* Cleans up ecc context +* Parameters: +* Return: sample_status_t - SAMPLE_SUCCESS or failure as defined SAMPLE_Error.h. +* Output: sample_ecc_state_handle_t ecc_handle - Handle to ECC crypto system */ +SAMPLE_LIBCRYPTO_API sample_status_t sample_ecc256_close_context(sample_ecc_state_handle_t ecc_handle); + +/* Populates private/public key pair - caller code allocates memory +* Parameters: +* Return: sample_status_t - SAMPLE_SUCCESS on success, error code otherwise. +* Inputs: sample_ecc_state_handle_t ecc_handle - Handle to ECC crypto system +* Outputs: sample_ec256_private_t *p_private - Pointer to the private key +* sample_ec256_public_t *p_public - Pointer to the public key */ +SAMPLE_LIBCRYPTO_API sample_status_t sample_ecc256_create_key_pair(sample_ec256_private_t *p_private, + sample_ec256_public_t *p_public, + sample_ecc_state_handle_t ecc_handle); + +/* Computes DH shared key based on private B key (local) and remote public Ga Key +* Parameters: +* Return: sample_status_t - SAMPLE_SUCCESS on success, error code otherwise. 
+* Inputs: sample_ecc_state_handle_t ecc_handle - Handle to ECC crypto system +* sample_ec256_private_t *p_private_b - Pointer to the local private key - LITTLE ENDIAN +* sample_ec256_public_t *p_public_ga - Pointer to the remote public key - LITTLE ENDIAN +* Output: sample_ec256_dh_shared_t *p_shared_key - Pointer to the shared DH key - LITTLE ENDIAN +x-coordinate of (privKeyB - pubKeyA) */ +SAMPLE_LIBCRYPTO_API sample_status_t sample_ecc256_compute_shared_dhkey(sample_ec256_private_t *p_private_b, + sample_ec256_public_t *p_public_ga, + sample_ec256_dh_shared_t *p_shared_key, + sample_ecc_state_handle_t ecc_handle); + + +/* Computes signature for data based on private key +* +* A message digest is a fixed size number derived from the original message with +* an applied hash function over the binary code of the message. (SHA256 in this case) +* The signer's private key and the message digest are used to create a signature. +* +* A digital signature over a message consists of a pair of large numbers, 256-bits each, +* which the given function computes. +* +* The scheme used for computing a digital signature is of the ECDSA scheme, +* an elliptic curve of the DSA scheme. +* +* The keys can be generated and set up by the function: sgx_ecc256_create_key_pair. +* +* The elliptic curve domain parameters must be created by function: +* sample_ecc256_open_context +* +* Return: If context, private key, signature or data pointer is NULL, +* SAMPLE_ERROR_INVALID_PARAMETER is returned. +* If the signature creation process fails then SAMPLE_ERROR_UNEXPECTED is returned. +* +* Parameters: +* Return: sample_status_t - SAMPLE_SUCCESS, success, error code otherwise. 
+* Inputs: sample_ecc_state_handle_t ecc_handle - Handle to the ECC crypto system +* sample_ec256_private_t *p_private - Pointer to the private key - LITTLE ENDIAN +* uint8_t *p_data - Pointer to the data to be signed +* uint32_t data_size - Size of the data to be signed +* Output: ec256_signature_t *p_signature - Pointer to the signature - LITTLE ENDIAN */ +SAMPLE_LIBCRYPTO_API sample_status_t sample_ecdsa_sign(const uint8_t *p_data, + uint32_t data_size, + sample_ec256_private_t *p_private, + sample_ec256_signature_t *p_signature, + sample_ecc_state_handle_t ecc_handle); + +/* Allocates and initializes sha256 state +* Parameters: +* Return: sample_status_t - SAMPLE_SUCCESS on success, error code otherwise. +* Output: sample_sha_state_handle_t sha_handle - Handle to the SHA256 state */ +SAMPLE_LIBCRYPTO_API sample_status_t sample_sha256_init(sample_sha_state_handle_t* p_sha_handle); + +/* Updates sha256 has calculation based on the input message +* Parameters: +* Return: sample_status_t - SAMPLE_SUCCESS or failure. +* Input: sample_sha_state_handle_t sha_handle - Handle to the SHA256 state +* uint8_t *p_src - Pointer to the input stream to be hashed +* uint32_t src_len - Length of the input stream to be hashed */ +SAMPLE_LIBCRYPTO_API sample_status_t sample_sha256_update(const uint8_t *p_src, uint32_t src_len, sample_sha_state_handle_t sha_handle); + +/* Returns Hash calculation +* Parameters: +* Return: sample_status_t - SAMPLE_SUCCESS on success, error code otherwise. +* Input: sample_sha_state_handle_t sha_handle - Handle to the SHA256 state +* Output: sample_sha256_hash_t *p_hash - Resultant hash from operation */ +SAMPLE_LIBCRYPTO_API sample_status_t sample_sha256_get_hash(sample_sha_state_handle_t sha_handle, sample_sha256_hash_t *p_hash); + +/* Cleans up sha state +* Parameters: +* Return: sample_status_t - SAMPLE_SUCCESS on success, error code otherwise. 
+* Input: sample_sha_state_handle_t sha_handle - Handle to the SHA256 state */ +SAMPLE_LIBCRYPTO_API sample_status_t sample_sha256_close(sample_sha_state_handle_t sha_handle); + +#endif diff --git a/service_provider/ecp.cpp b/service_provider/ecp.cpp new file mode 100644 index 0000000..75c9d1e --- /dev/null +++ b/service_provider/ecp.cpp 
@@ -0,0 +1,257 @@ +/* + * Copyright (C) 2011-2018 Intel Corporation. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ * + */ + + + +#include +#include +#include "ecp.h" + +#include "sample_libcrypto.h" + + +#define MAC_KEY_SIZE 16 + +errno_t memcpy_s( + void *dest, + size_t numberOfElements, + const void *src, + size_t count) +{ + if(numberOfElementss[sizeof(p_shared_key->s) - 1 - i]; + } + + sample_ret = sample_sha256_init(&sha_context); + if (sample_ret != SAMPLE_SUCCESS) + { + return false; + } + sample_ret = sample_sha256_update((uint8_t*)&hash_buffer, sizeof(hash_buffer_t), sha_context); + if (sample_ret != SAMPLE_SUCCESS) + { + sample_sha256_close(sha_context); + return false; + } + sample_ret = sample_sha256_update((uint8_t*)ID_U, sizeof(ID_U), sha_context); + if (sample_ret != SAMPLE_SUCCESS) + { + sample_sha256_close(sha_context); + return false; + } + sample_ret = sample_sha256_update((uint8_t*)ID_V, sizeof(ID_V), sha_context); + if (sample_ret != SAMPLE_SUCCESS) + { + sample_sha256_close(sha_context); + return false; + } + sample_ret = sample_sha256_get_hash(sha_context, &key_material); + if (sample_ret != SAMPLE_SUCCESS) + { + sample_sha256_close(sha_context); + return false; + } + sample_ret = sample_sha256_close(sha_context); + + static_assert(sizeof(sample_ec_key_128bit_t)* 2 == sizeof(sample_sha256_hash_t), "structure size mismatch."); + memcpy_s(first_derived_key, sizeof(sample_ec_key_128bit_t), &key_material, sizeof(sample_ec_key_128bit_t)); + memcpy_s(second_derived_key, sizeof(sample_ec_key_128bit_t), (uint8_t*)&key_material + sizeof(sample_ec_key_128bit_t), sizeof(sample_ec_key_128bit_t)); + + // memset here can be optimized away by compiler, so please use memset_s on + // windows for production code and similar functions on other OSes. 
+ memset(&key_material, 0, sizeof(sample_sha256_hash_t)); + + return true; +} + +#else + +#pragma message ("Default key derivation function is used.") + +#define EC_DERIVATION_BUFFER_SIZE(label_length) ((label_length) +4) + +const char str_SMK[] = "SMK"; +const char str_SK[] = "SK"; +const char str_MK[] = "MK"; +const char str_VK[] = "VK"; + +// Derive key from shared key and key id. +// key id should be sample_derive_key_type_t. +bool derive_key( + const sample_ec_dh_shared_t *p_shared_key, + uint8_t key_id, + sample_ec_key_128bit_t* derived_key) +{ + sample_status_t sample_ret = SAMPLE_SUCCESS; + uint8_t cmac_key[MAC_KEY_SIZE]; + sample_ec_key_128bit_t key_derive_key; + + memset(&cmac_key, 0, MAC_KEY_SIZE); + + sample_ret = sample_rijndael128_cmac_msg( + (sample_cmac_128bit_key_t *)&cmac_key, + (uint8_t*)p_shared_key, + sizeof(sample_ec_dh_shared_t), + (sample_cmac_128bit_tag_t *)&key_derive_key); + if (sample_ret != SAMPLE_SUCCESS) + { + // memset here can be optimized away by compiler, so please use memset_s on + // windows for production code and similar functions on other OSes. + memset(&key_derive_key, 0, sizeof(key_derive_key)); + return false; + } + + const char *label = NULL; + uint32_t label_length = 0; + switch (key_id) + { + case SAMPLE_DERIVE_KEY_SMK: + label = str_SMK; + label_length = sizeof(str_SMK) -1; + break; + case SAMPLE_DERIVE_KEY_SK: + label = str_SK; + label_length = sizeof(str_SK) -1; + break; + case SAMPLE_DERIVE_KEY_MK: + label = str_MK; + label_length = sizeof(str_MK) -1; + break; + case SAMPLE_DERIVE_KEY_VK: + label = str_VK; + label_length = sizeof(str_VK) -1; + break; + default: + // memset here can be optimized away by compiler, so please use memset_s on + // windows for production code and similar functions on other OSes. 
+ memset(&key_derive_key, 0, sizeof(key_derive_key)); + return false; + break; + } + /* derivation_buffer = counter(0x01) || label || 0x00 || output_key_len(0x0080) */ + uint32_t derivation_buffer_length = EC_DERIVATION_BUFFER_SIZE(label_length); + uint8_t *p_derivation_buffer = (uint8_t *)malloc(derivation_buffer_length); + if (p_derivation_buffer == NULL) + { + // memset here can be optimized away by compiler, so please use memset_s on + // windows for production code and similar functions on other OSes. + memset(&key_derive_key, 0, sizeof(key_derive_key)); + return false; + } + memset(p_derivation_buffer, 0, derivation_buffer_length); + + /*counter = 0x01 */ + p_derivation_buffer[0] = 0x01; + /*label*/ + memcpy_s(&p_derivation_buffer[1], derivation_buffer_length - 1, label, label_length); + /*output_key_len=0x0080*/ + uint16_t *key_len = (uint16_t *)(&(p_derivation_buffer[derivation_buffer_length - 2])); + *key_len = 0x0080; + + + sample_ret = sample_rijndael128_cmac_msg( + (sample_cmac_128bit_key_t *)&key_derive_key, + p_derivation_buffer, + derivation_buffer_length, + (sample_cmac_128bit_tag_t *)derived_key); + free(p_derivation_buffer); + // memset here can be optimized away by compiler, so please use memset_s on + // windows for production code and similar functions on other OSes. + memset(&key_derive_key, 0, sizeof(key_derive_key)); + if (sample_ret != SAMPLE_SUCCESS) + { + return false; + } + return true; +} +#endif diff --git a/service_provider/ecp.h b/service_provider/ecp.h new file mode 100644 index 0000000..7dee605 --- /dev/null +++ b/service_provider/ecp.h 
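Review bot: In the default `derive_key`, the output-length field is stored through `(uint16_t *)(&(p_derivation_buffer[derivation_buffer_length - 2]))`, which is a misaligned store for the seven-byte buffer built for the label `SMK` and makes the derived key depend on host byte order. Writing the two bytes explicitly, `p_derivation_buffer[derivation_buffer_length - 2] = 0x80;` and `p_derivation_buffer[derivation_buffer_length - 1] = 0x00;`, keeps the layout a little-endian host produces today and removes the cast. The wipes of `key_derive_key` and `key_material` use plain `memset`, which the in-code comments already admit may be optimised away; a wipe the compiler cannot elide (for example `explicit_bzero` where the platform provides it) should replace them before this leaves sample status. The return value of `memcpy_s` is also ignored at every call site visible in both variants, so a rejected copy would leave key material or the label unset without any error being reported.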
@@ -0,0 +1,114 @@
+/*
+ * Copyright (C) 2011-2018 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#ifndef _ECP_H
+#define _ECP_H
+
+#include
+#include
+
+#include "remote_attestation_result.h"
+
+#ifndef SAMPLE_FEBITSIZE
+ #define SAMPLE_FEBITSIZE 256
+#endif
+
+#define SAMPLE_ECP_KEY_SIZE (SAMPLE_FEBITSIZE/8)
+
+typedef struct sample_ec_priv_t
+{
+ uint8_t r[SAMPLE_ECP_KEY_SIZE];
+} sample_ec_priv_t;
+
+typedef struct sample_ec_dh_shared_t
+{
+ uint8_t s[SAMPLE_ECP_KEY_SIZE];
+}sample_ec_dh_shared_t;
+
+typedef uint8_t sample_ec_key_128bit_t[16];
+
+#define SAMPLE_EC_MAC_SIZE 16
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+
+#ifndef _ERRNO_T_DEFINED
+#define _ERRNO_T_DEFINED
+typedef int errno_t;
+#endif
+errno_t memcpy_s(void *dest, size_t numberOfElements, const void *src,
+ size_t count);
+
+
+#ifdef SUPPLIED_KEY_DERIVATION
+
+typedef enum _sample_derive_key_type_t
+{
+ SAMPLE_DERIVE_KEY_SMK_SK = 0,
+ SAMPLE_DERIVE_KEY_MK_VK,
+} sample_derive_key_type_t;
+
+bool derive_key(
+ const sample_ec_dh_shared_t *p_shared_key,
+ uint8_t key_id,
+ sample_ec_key_128bit_t *first_derived_key,
+ sample_ec_key_128bit_t *second_derived_key);
+
+#else
+
+typedef enum _sample_derive_key_type_t
+{
+ SAMPLE_DERIVE_KEY_SMK = 0,
+ SAMPLE_DERIVE_KEY_SK,
+ SAMPLE_DERIVE_KEY_MK,
+ SAMPLE_DERIVE_KEY_VK,
+} sample_derive_key_type_t;
+
+bool derive_key(
+ const sample_ec_dh_shared_t *p_shared_key,
+ uint8_t key_id,
+ sample_ec_key_128bit_t *derived_key);
+
+#endif
+
+bool verify_cmac128(
+ sample_ec_key_128bit_t mac_key,
+ const uint8_t *p_data_buf,
+ uint32_t buf_size,
+ const uint8_t *p_mac_buf);
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
diff --git a/service_provider/ias_ra.cpp b/service_provider/ias_ra.cpp
new file mode 100644
index 0000000..1c9311a
--- /dev/null
+++ b/service_provider/ias_ra.cpp
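Review bot: The two `derive_key` prototypes selected by `SUPPLIED_KEY_DERIVATION` share one unmangled symbol inside the `extern "C"` block, so a caller compiled without the macro links cleanly against an `ecp.cpp` built with it (or the reverse) and passes the wrong number of key buffers. The meaning of `key_id` 0 changes as well: it is `SAMPLE_DERIVE_KEY_SMK_SK` in one build and `SAMPLE_DERIVE_KEY_SMK` in the other. Either give the two variants distinct names or state the constraint at the `#ifdef`, e.g. `/* SUPPLIED_KEY_DERIVATION must be set identically for every translation unit that includes ecp.h. */`. As a smaller point, the include guard `_ECP_H` and the enum tag `_sample_derive_key_type_t` start with an underscore and sit in the namespace reserved for the implementation.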
@@ -0,0 +1,254 @@
+/*
+ * Copyright (C) 2011-2018 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+
+
+#include "service_provider.h"
+#include "sample_libcrypto.h"
+#include "ecp.h"
+#include
+#include
+#include
+#include
+#include
+#include "ias_ra.h"
+
+//This whole file is used as simulation of the interfaces to be
+// delivered an attestation server.
+
+
+#define UNUSED(expr) do { (void)(expr); } while (0)
+
+#if !defined(SWAP_ENDIAN_DW)
+ #define SWAP_ENDIAN_DW(dw) ((((dw) & 0x000000ff) << 24) \
+ | (((dw) & 0x0000ff00) << 8) \
+ | (((dw) & 0x00ff0000) >> 8) \
+ | (((dw) & 0xff000000) >> 24))
+#endif
+#if !defined(SWAP_ENDIAN_32B)
+ #define SWAP_ENDIAN_32B(ptr) \
+{\
+ unsigned int temp = 0; \
+ temp = SWAP_ENDIAN_DW(((unsigned int*)(ptr))[0]); \
+ ((unsigned int*)(ptr))[0] = SWAP_ENDIAN_DW(((unsigned int*)(ptr))[7]); \
+ ((unsigned int*)(ptr))[7] = temp; \
+ temp = SWAP_ENDIAN_DW(((unsigned int*)(ptr))[1]); \
+ ((unsigned int*)(ptr))[1] = SWAP_ENDIAN_DW(((unsigned int*)(ptr))[6]); \
+ ((unsigned int*)(ptr))[6] = temp; \
+ temp = SWAP_ENDIAN_DW(((unsigned int*)(ptr))[2]); \
+ ((unsigned int*)(ptr))[2] = SWAP_ENDIAN_DW(((unsigned int*)(ptr))[5]); \
+ ((unsigned int*)(ptr))[5] = temp; \
+ temp = SWAP_ENDIAN_DW(((unsigned int*)(ptr))[3]); \
+ ((unsigned int*)(ptr))[3] = SWAP_ENDIAN_DW(((unsigned int*)(ptr))[4]); \
+ ((unsigned int*)(ptr))[4] = temp; \
+}
+#endif
+
+// This is the ECDSA NIST P-256 private key used to sign platform_info_blob.
+// This private
+// key and the public key in SDK untrusted KElibrary should be a temporary key
+// pair. For production parts an attestation server will sign the platform_info_blob with the
+// production private key and the SDK untrusted KE library will have the public
+// key for verifcation.
+
+static const sample_ec256_private_t g_rk_priv_key =
+{{
+ 0x63,0x2c,0xd4,0x02,0x7a,0xdc,0x56,0xa5,
+ 0x59,0x6c,0x44,0x3e,0x43,0xca,0x4e,0x0b,
+ 0x58,0xcd,0x78,0xcb,0x3c,0x7e,0xd5,0xb9,
+ 0xf2,0x91,0x5b,0x39,0x0d,0xb3,0xb5,0xfb
+}};
+
+static sample_spid_t g_sim_spid = {"Service X"};
+
+
+// Simulates the attestation server function for verifying the quote produce by
+// the ISV enclave. It doesn't decrypt or verify the quote in
+// the simulation. Just produces the attestaion verification
+// report with the platform info blob.
+//
+// @param p_isv_quote Pointer to the quote generated by the ISV
+// enclave.
+// @param pse_manifest Pointer to the PSE manifest if used.
+// @param p_attestation_verification_report Pointer the outputed
+// verification report.
+//
+// @return int
+
+int ias_verify_attestation_evidence(
+ sample_quote_t *p_isv_quote,
+ uint8_t* pse_manifest,
+ ias_att_report_t* p_attestation_verification_report)
+{
+ int ret = 0;
+ sample_ecc_state_handle_t ecc_state = NULL;
+
+ //unused parameters
+ UNUSED(pse_manifest);
+
+ if((NULL == p_isv_quote) ||
+ (NULL == p_attestation_verification_report))
+ {
+ return -1;
+ }
+ //Decrypt the Quote signature and verify.
+
+ p_attestation_verification_report->id = 0x12345678;
+ p_attestation_verification_report->status = IAS_QUOTE_OK;
+ p_attestation_verification_report->revocation_reason =
+ IAS_REVOC_REASON_NONE;
+ p_attestation_verification_report->info_blob.sample_epid_group_status =
+ 0 << IAS_EPID_GROUP_STATUS_REVOKED_BIT_POS
+ | 0 << IAS_EPID_GROUP_STATUS_REKEY_AVAILABLE_BIT_POS;
+ p_attestation_verification_report->info_blob.sample_tcb_evaluation_status =
+ 0 << IAS_TCB_EVAL_STATUS_CPUSVN_OUT_OF_DATE_BIT_POS
+ | 0 << IAS_TCB_EVAL_STATUS_ISVSVN_OUT_OF_DATE_BIT_POS;
+ p_attestation_verification_report->info_blob.pse_evaluation_status =
+ 0 << IAS_PSE_EVAL_STATUS_ISVSVN_OUT_OF_DATE_BIT_POS
+ | 0 << IAS_PSE_EVAL_STATUS_EPID_GROUP_REVOKED_BIT_POS
+ | 0 << IAS_PSE_EVAL_STATUS_PSDASVN_OUT_OF_DATE_BIT_POS
+ | 0 << IAS_PSE_EVAL_STATUS_SIGRL_OUT_OF_DATE_BIT_POS
+ | 0 << IAS_PSE_EVAL_STATUS_PRIVRL_OUT_OF_DATE_BIT_POS;
+ memset(p_attestation_verification_report->
+ info_blob.latest_equivalent_tcb_psvn, 0, PSVN_SIZE);
+ memset(p_attestation_verification_report->info_blob.latest_pse_isvsvn,
+ 0, ISVSVN_SIZE);
+ memset(p_attestation_verification_report->info_blob.latest_psda_svn,
+ 0, PSDA_SVN_SIZE);
+ memset(p_attestation_verification_report->info_blob.performance_rekey_gid,
+ 0, GID_SIZE);
+
+ // @TODO: Product signing algorithm still TBD. May be RSA2048 signing.
+ // Generate the Service providers ECCDH key pair.
+ do {
+ ret = sample_ecc256_open_context(&ecc_state);
+ if (SAMPLE_SUCCESS != ret) {
+ fprintf(stderr, "\nError, cannot get ECC cotext in [%s].",
+ __FUNCTION__);
+ ret = -1;
+ break;
+ }
+ // Sign
+ ret = sample_ecdsa_sign(
+ (uint8_t *)&p_attestation_verification_report->
+ info_blob.sample_epid_group_status,
+ sizeof(ias_platform_info_blob_t) - sizeof(sample_ec_sign256_t),
+ (sample_ec256_private_t *)&g_rk_priv_key,
+ (sample_ec256_signature_t *)&p_attestation_verification_report->
+ info_blob.signature,
+ ecc_state);
+ if (SAMPLE_SUCCESS != ret) {
+ fprintf(stderr, "\nError, sign ga_gb fail in [%s].", __FUNCTION__);
+ ret = SP_INTERNAL_ERROR;
+ break;
+ }
+ SWAP_ENDIAN_32B(p_attestation_verification_report->
+ info_blob.signature.x);
+ SWAP_ENDIAN_32B(p_attestation_verification_report->
+ info_blob.signature.y);
+
+ }while (0);
+ if (ecc_state) {
+ sample_ecc256_close_context(ecc_state);
+ }
+ p_attestation_verification_report->pse_status = IAS_PSE_OK;
+
+ // For now, don't simulate the policy reports.
+ p_attestation_verification_report->policy_report_size = 0;
+ return(ret);
+}
+
+
+// Simulates retrieving the SIGRL for upon the SP request.
+//
+// @param gid Group ID for the EPID key.
+// @param p_sig_rl_size Pointer to the output value of the full
+// SIGRL size in bytes. (including the
+// signature).
+// @param p_sig_rl Pointer to the output of the SIGRL.
+//
+// @return int
+
+int ias_get_sigrl(
+ const sample_epid_group_id_t gid,
+ uint32_t *p_sig_rl_size,
+ uint8_t **p_sig_rl)
+{
+ int ret = 0;
+
+ UNUSED(gid);
+
+ do {
+
+ if (NULL == p_sig_rl || NULL == p_sig_rl_size) {
+ ret = -1;
+ break;
+ }
+ *p_sig_rl_size = 0;
+ *p_sig_rl = NULL;
+ // we should try to get sig_rl from an attestation server
+ break;
+ }while (0);
+
+ return(ret);
+}
+
+
+// Used to simulate the enrollment function of an attestation server. It only
+// gives back the SPID right now. In production, the enrollment
+// occurs out of context from an attestation attempt and only
+// occurs once.
+//
+//
+// @param sp_credentials
+// @param p_spid
+// @param p_authentication_token
+//
+// @return int
+
+int ias_enroll(
+ int sp_credentials,
+ sample_spid_t *p_spid,
+ int *p_authentication_token)
+{
+ UNUSED(sp_credentials);
+ UNUSED(p_authentication_token);
+
+ if (NULL != p_spid) {
+ memcpy_s(p_spid, sizeof(sample_spid_t), &g_sim_spid,
+ sizeof(sample_spid_t));
+ } else {
+ return(1);
+ }
+ return(0);
+}
+
+
diff --git a/service_provider/ias_ra.h b/service_provider/ias_ra.h
new file mode 100644
index 0000000..cd4e4ee
--- /dev/null
+++ b/service_provider/ias_ra.h
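Review bot: `ias_verify_attestation_evidence` sets `status = IAS_QUOTE_OK` and `pse_status = IAS_PSE_OK` for any non-NULL `p_isv_quote` without reading the quote, and signs the report with `g_rk_priv_key`, a private key committed in this file. The file comment calls this a simulation, but nothing in the code stops it from being linked into a real service provider, where every quote would then be accepted. I would gate the file on a simulation-only build macro (name to be chosen by the project) with an `#error` when it is absent, and add a comment on the key such as `// TEST KEY ONLY: published in source; a verifier must never trust signatures made with it.` Separately, the function returns `-1` on the context failure and `SP_INTERNAL_ERROR` on the signing failure, so callers cannot compare the result against a single error convention, and the `"sign ga_gb fail"` message does not describe the platform info blob that is actually being signed.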
@@ -0,0 +1,209 @@
+/*
+ * Copyright (C) 2011-2018 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * + */ + + + +#ifndef _IAS_RA_H +#define _IAS_RA_H + +#include "ecp.h" + +typedef enum { + IAS_QUOTE_OK, + IAS_QUOTE_SIGNATURE_INVALID, + IAS_QUOTE_GROUP_REVOKED, + IAS_QUOTE_SIGNATURE_REVOKED, + IAS_QUOTE_KEY_REVOKED, + IAS_QUOTE_SIGRL_VERSION_MISMATCH, + IAS_QUOTE_GROUP_OUT_OF_DATE, +} ias_quote_status_t; + +// These status should align with the definition in IAS API spec(rev 0.6) +typedef enum { + IAS_PSE_OK, + IAS_PSE_DESC_TYPE_NOT_SUPPORTED, + IAS_PSE_ISVSVN_OUT_OF_DATE, + IAS_PSE_MISCSELECT_INVALID, + IAS_PSE_ATTRIBUTES_INVALID, + IAS_PSE_MRSIGNER_INVALID, + IAS_PS_HW_GID_REVOKED, + IAS_PS_HW_PRIVKEY_RLVER_MISMATCH, + IAS_PS_HW_SIG_RLVER_MISMATCH, + IAS_PS_HW_CA_ID_INVALID, + IAS_PS_HW_SEC_INFO_INVALID, + IAS_PS_HW_PSDA_SVN_OUT_OF_DATE, +} ias_pse_status_t; + +// Revocation Reasons from RFC5280 +typedef enum { + IAS_REVOC_REASON_NONE, + IAS_REVOC_REASON_KEY_COMPROMISE, + IAS_REVOC_REASON_CA_COMPROMISED, + IAS_REVOC_REASON_SUPERCEDED, + IAS_REVOC_REASON_CESSATION_OF_OPERATION, + IAS_REVOC_REASON_CERTIFICATE_HOLD, + IAS_REVOC_REASON_PRIVILEGE_WITHDRAWN, + IAS_REVOC_REASON_AA_COMPROMISE, +} ias_revoc_reason_t; + +// These status should align with the definition in IAS API spec(rev 0.6) +#define IAS_EPID_GROUP_STATUS_REVOKED_BIT_POS 0x00 +#define IAS_EPID_GROUP_STATUS_REKEY_AVAILABLE_BIT_POS 0x01 + +#define IAS_TCB_EVAL_STATUS_CPUSVN_OUT_OF_DATE_BIT_POS 0x00 +#define IAS_TCB_EVAL_STATUS_ISVSVN_OUT_OF_DATE_BIT_POS 0x01 + +#define IAS_PSE_EVAL_STATUS_ISVSVN_OUT_OF_DATE_BIT_POS 0x00 +#define IAS_PSE_EVAL_STATUS_EPID_GROUP_REVOKED_BIT_POS 0x01 +#define IAS_PSE_EVAL_STATUS_PSDASVN_OUT_OF_DATE_BIT_POS 0x02 +#define IAS_PSE_EVAL_STATUS_SIGRL_OUT_OF_DATE_BIT_POS 0x03 +#define IAS_PSE_EVAL_STATUS_PRIVRL_OUT_OF_DATE_BIT_POS 0x04 + +// These status should align with the definition in IAS API spec(rev 0.6) +#define ISVSVN_SIZE 2 +#define PSDA_SVN_SIZE 4 +#define GID_SIZE 4 +#define PSVN_SIZE 18 + +#define SAMPLE_HASH_SIZE 32 // SHA256 +#define SAMPLE_MAC_SIZE 16 // Message 
Authentication Code + // - 16 bytes + +#define SAMPLE_REPORT_DATA_SIZE 64 + +typedef uint8_t sample_measurement_t[SAMPLE_HASH_SIZE]; +typedef uint8_t sample_mac_t[SAMPLE_MAC_SIZE]; +typedef uint8_t sample_report_data_t[SAMPLE_REPORT_DATA_SIZE]; +typedef uint16_t sample_prod_id_t; + +#define SAMPLE_CPUSVN_SIZE 16 + +typedef uint8_t sample_cpu_svn_t[SAMPLE_CPUSVN_SIZE]; +typedef uint16_t sample_isv_svn_t; + +typedef struct sample_attributes_t +{ + uint64_t flags; + uint64_t xfrm; +} sample_attributes_t; + +typedef struct sample_report_body_t { + sample_cpu_svn_t cpu_svn; // ( 0) Security Version of the CPU + uint8_t reserved1[32]; // ( 16) + sample_attributes_t attributes; // ( 48) Any special Capabilities + // the Enclave possess + sample_measurement_t mr_enclave; // ( 64) The value of the enclave's + // ENCLAVE measurement + uint8_t reserved2[32]; // ( 96) + sample_measurement_t mr_signer; // (128) The value of the enclave's + // SIGNER measurement + uint8_t reserved3[32]; // (160) + sample_measurement_t mr_reserved1; // (192) + sample_measurement_t mr_reserved2; // (224) + sample_prod_id_t isv_prod_id; // (256) Product ID of the Enclave + sample_isv_svn_t isv_svn; // (258) Security Version of the + // Enclave + uint8_t reserved4[60]; // (260) + sample_report_data_t report_data; // (320) Data provided by the user +} sample_report_body_t; + +#pragma pack(push, 1) + + +// This is a context data structure used in SP side +// @TODO: Modify at production to use the values specified by the Production +// IAS API +typedef struct _ias_att_report_t +{ + uint32_t id; + ias_quote_status_t status; + uint32_t revocation_reason; + ias_platform_info_blob_t info_blob; + ias_pse_status_t pse_status; + uint32_t policy_report_size; + + uint8_t policy_report[];// IAS_Q: Why does it specify a + // list of reports? 
+ + +} ias_att_report_t; + +typedef uint8_t sample_epid_group_id_t[4]; + +typedef struct sample_spid_t +{ + uint8_t id[16]; +} sample_spid_t; + +typedef struct sample_basename_t +{ + uint8_t name[32]; +} sample_basename_t; + + +typedef struct sample_quote_nonce_t +{ + uint8_t rand[16]; +} sample_quote_nonce_t; + +#define SAMPLE_QUOTE_UNLINKABLE_SIGNATURE 0 +#define SAMPLE_QUOTE_LINKABLE_SIGNATURE 1 + +typedef struct sample_quote_t { + uint16_t version; // 0 + uint16_t sign_type; // 2 + sample_epid_group_id_t epid_group_id; // 4 + sample_isv_svn_t qe_svn; // 8 + uint8_t reserved[6]; // 10 + sample_basename_t basename; // 16 + sample_report_body_t report_body; // 48 + uint32_t signature_len; // 432 + uint8_t signature[]; // 436 +} sample_quote_t; + +#pragma pack(pop) + +#ifdef __cplusplus +extern "C" { +#endif + +int ias_enroll(int sp_credentials, sample_spid_t* spid, + int* authentication_token); +int ias_get_sigrl(const sample_epid_group_id_t gid, uint32_t* p_sig_rl_size, + uint8_t** p_sig_rl); +int ias_verify_attestation_evidence(sample_quote_t* p_isv_quote, + uint8_t* pse_manifest, + ias_att_report_t* attestation_verification_report); +#ifdef __cplusplus +} +#endif + +#endif diff --git a/service_provider/network_ra.cpp b/service_provider/network_ra.cpp new file mode 100644 index 0000000..7c69344 --- /dev/null +++ b/service_provider/network_ra.cpp 
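Review bot: The byte offsets of `sample_report_body_t` and `sample_quote_t` are stated only in comments, and `sample_report_body_t` is declared before `#pragma pack(push, 1)`, so its layout rests on natural alignment rather than on anything the compiler checks. These structures are overlaid on message bytes (the quote in message 3 is cast to `sample_quote_t *` in service_provider.cpp), so a layout drift would silently shift `report_data` and `signature_len`. I would pin the layout after `#pragma pack(pop)` with `static_assert(sizeof(sample_report_body_t) == 384, "report body layout");` and `static_assert(offsetof(sample_quote_t, signature_len) == 432, "quote layout");` (`_Static_assert` if the header is also built as C). `ias_att_report_t` also places two enum members in a packed struct; their width is implementation-defined, and `uint32_t` fields would make the size fixed.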
@@ -0,0 +1,134 @@
+/*
+ * Copyright (C) 2011-2018 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+
+
+#include
+#include
+#include
+#include "network_ra.h"
+#include "service_provider.h"
+
+
+// Used to send requests to the service provider sample. It
+// simulates network communication between the ISV app and the
+// ISV service provider. This would be modified in a real
+// product to use the proper IP communication.
+// +// @param server_url String name of the server URL +// @param p_req Pointer to the message to be sent. +// @param p_resp Pointer to a pointer of the response message. + +// @return int + +int ra_network_send_receive(const char *server_url, + const ra_samp_request_header_t *p_req, + ra_samp_response_header_t **p_resp) +{ + int ret = 0; + ra_samp_response_header_t* p_resp_msg; + + if((NULL == server_url) || + (NULL == p_req) || + (NULL == p_resp)) + { + return -1; + } + + switch(p_req->type) + { + + case TYPE_RA_MSG0: + ret = sp_ra_proc_msg0_req((const sample_ra_msg0_t*)((uint8_t*)p_req + + sizeof(ra_samp_request_header_t)), + p_req->size); + if (0 != ret) + { + fprintf(stderr, "\nError, call sp_ra_proc_msg1_req fail [%s].", + __FUNCTION__); + } + break; + + case TYPE_RA_MSG1: + ret = sp_ra_proc_msg1_req((const sample_ra_msg1_t*)((uint8_t*)p_req + + sizeof(ra_samp_request_header_t)), + p_req->size, + &p_resp_msg); + if(0 != ret) + { + fprintf(stderr, "\nError, call sp_ra_proc_msg1_req fail [%s].", + __FUNCTION__); + } + else + { + *p_resp = p_resp_msg; + } + break; + + case TYPE_RA_MSG3: + ret =sp_ra_proc_msg3_req((const sample_ra_msg3_t*)((uint8_t*)p_req + + sizeof(ra_samp_request_header_t)), + p_req->size, + &p_resp_msg); + if(0 != ret) + { + fprintf(stderr, "\nError, call sp_ra_proc_msg3_req fail [%s].", + __FUNCTION__); + } + else + { + *p_resp = p_resp_msg; + } + break; + + default: + ret = -1; + fprintf(stderr, "\nError, unknown ra message type. Type = %d [%s].", + p_req->type, __FUNCTION__); + break; + } + + return ret; +} + +// Used to free the response messages. In the sample code, the +// response messages are allocated by the SP code. +// +// +// @param resp Pointer to the response buffer to be freed. + +void ra_free_network_response_buffer(ra_samp_response_header_t *resp) +{ + if(resp!=NULL) + { + free(resp); + } +} diff --git a/service_provider/network_ra.h b/service_provider/network_ra.h new file mode 100644 index 0000000..dc4c6d5 --- /dev/null 
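Review bot: `ra_network_send_receive` leaves `*p_resp` untouched on the `TYPE_RA_MSG0` path, on every failure path and in the `default` case, and `p_resp_msg` itself is declared without an initialiser. A caller that passes the address of an uninitialised pointer and later hands it to `ra_free_network_response_buffer` would free an indeterminate value. Setting `*p_resp = NULL;` right after the argument check and declaring `ra_samp_response_header_t *p_resp_msg = NULL;` gives the function a defined output on all paths. The `TYPE_RA_MSG0` branch also logs `sp_ra_proc_msg1_req` although it calls `sp_ra_proc_msg0_req`; the message should read `"\nError, call sp_ra_proc_msg0_req fail [%s]."`.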
+++ b/service_provider/network_ra.h 
@@ -0,0 +1,95 @@
+/*
+ * Copyright (C) 2011-2018 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+
+
+#ifndef _NETWORK_RA_H
+#define _NETWORK_RA_H
+
+
+/* Enum for all possible message types between the ISV app and
+ * the ISV SP. Requests and responses in the remote attestation
+ * sample.
+ */ +typedef enum _ra_msg_type_t +{ + TYPE_RA_MSG0, + TYPE_RA_MSG1, + TYPE_RA_MSG2, + TYPE_RA_MSG3, + TYPE_RA_ATT_RESULT, +}ra_msg_type_t; + +/* Enum for all possible message types between the SP and IAS. + * Network communication is not simulated in the remote + * attestation sample. Currently these aren't used. + */ +typedef enum _ias_msg_type_t +{ + TYPE_IAS_ENROLL, + TYPE_IAS_GET_SIGRL, + TYPE_IAS_SIGRL, + TYPE_IAS_ATT_EVIDENCE, + TYPE_IAS_ATT_RESULT, +}ias_msg_type_t; + +#pragma pack(1) +typedef struct _ra_samp_request_header_t{ + uint8_t type; /* set to one of ra_msg_type_t*/ + uint32_t size; /*size of request body*/ + uint8_t align[3]; + uint8_t body[]; +}ra_samp_request_header_t; + +typedef struct _ra_samp_response_header_t{ + uint8_t type; /* set to one of ra_msg_type_t*/ + uint8_t status[2]; + uint32_t size; /*size of the response body*/ + uint8_t align[1]; + uint8_t body[]; +}ra_samp_response_header_t; + +#pragma pack() + +#ifdef __cplusplus +extern "C" { +#endif + +int ra_network_send_receive(const char *server_url, + const ra_samp_request_header_t *req, + ra_samp_response_header_t **p_resp); +void ra_free_network_response_buffer(ra_samp_response_header_t *resp); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/service_provider/remote_attestation_result.h b/service_provider/remote_attestation_result.h new file mode 100644 index 0000000..2883a66 --- /dev/null +++ b/service_provider/remote_attestation_result.h 
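Review bot: The `size` field in both `ra_samp_request_header_t` and `ra_samp_response_header_t` is a length declared by the sender, and the header does not say who checks it against the number of bytes actually received. In this sample `ra_network_send_receive` forwards `p_req->size` to the `sp_ra_proc_msg*_req` handlers unchanged, which is only sound while both ends live in one process. I would document the contract on the field, for example `uint32_t size; /* body length in bytes as declared by the sender; the receiver must check it against the bytes received before reading body[] */`. No `#include` appears in this hunk although the header uses `uint8_t` and `uint32_t`, so it seems to compile only when an includer has pulled in `<stdint.h>` first.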
@@ -0,0 +1,105 @@
+/*
+ * Copyright (C) 2011-2018 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * + */ + +#ifndef _REMOTE_ATTESTATION_RESULT_H_ +#define _REMOTE_ATTESTATION_RESULT_H_ + +#include + +#ifdef __cplusplus +extern "C" { +#endif + +#define SAMPLE_MAC_SIZE 16 /* Message Authentication Code*/ + /* - 16 bytes*/ +typedef uint8_t sample_mac_t[SAMPLE_MAC_SIZE]; + +#ifndef SAMPLE_FEBITSIZE + #define SAMPLE_FEBITSIZE 256 +#endif + +#define SAMPLE_NISTP256_KEY_SIZE (SAMPLE_FEBITSIZE/ 8 /sizeof(uint32_t)) + +typedef struct sample_ec_sign256_t +{ + uint32_t x[SAMPLE_NISTP256_KEY_SIZE]; + uint32_t y[SAMPLE_NISTP256_KEY_SIZE]; +} sample_ec_sign256_t; + +#pragma pack(push,1) + +#define SAMPLE_SP_TAG_SIZE 16 + +typedef struct sp_aes_gcm_data_t { + uint32_t payload_size; /* 0: Size of the payload which is*/ + /* encrypted*/ + uint8_t reserved[12]; /* 4: Reserved bits*/ + uint8_t payload_tag[SAMPLE_SP_TAG_SIZE]; + /* 16: AES-GMAC of the plain text,*/ + /* payload, and the sizes*/ + uint8_t payload[]; /* 32: Ciphertext of the payload*/ + /* followed by the plain text*/ +} sp_aes_gcm_data_t; + + +#define ISVSVN_SIZE 2 +#define PSDA_SVN_SIZE 4 +#define GID_SIZE 4 +#define PSVN_SIZE 18 + +/* @TODO: Modify at production to use the values specified by an Production*/ +/* attestation server API*/ +typedef struct ias_platform_info_blob_t +{ + uint8_t sample_epid_group_status; + uint16_t sample_tcb_evaluation_status; + uint16_t pse_evaluation_status; + uint8_t latest_equivalent_tcb_psvn[PSVN_SIZE]; + uint8_t latest_pse_isvsvn[ISVSVN_SIZE]; + uint8_t latest_psda_svn[PSDA_SVN_SIZE]; + uint8_t performance_rekey_gid[GID_SIZE]; + sample_ec_sign256_t signature; +} ias_platform_info_blob_t; + + +typedef struct sample_ra_att_result_msg_t { + ias_platform_info_blob_t platform_info_blob; + sample_mac_t mac; /* mac_smk(attestation_status)*/ + sp_aes_gcm_data_t secret; +} sample_ra_att_result_msg_t; + +#pragma pack(pop) + +#ifdef __cplusplus +} +#endif + +#endif 
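Review bot: `sp_aes_gcm_data_t` ends in the flexible array `payload[]` and is embedded as the last member of `sample_ra_att_result_msg_t`, so `sizeof(sample_ra_att_result_msg_t)` never includes the payload and every producer and consumer has to account for `payload_size` by hand. Nesting a structure with a flexible array member inside another structure is also a compiler extension rather than ISO C, which matters for a header that is wrapped in `extern "C"` for C use. The field comment should carry the contract, for example `uint32_t payload_size; /* 0: payload length in bytes; not covered by sizeof, must be checked against the received message length before payload[] is read */`. The comment on `payload_tag` speaks of the plain text, the payload and the sizes while `payload` is described as ciphertext followed by plain text, so it would help to state exactly which bytes the tag authenticates.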
diff --git a/service_provider/service_provider.cpp b/service_provider/service_provider.cpp
new file mode 100644
index 0000000..3e38880
--- /dev/null
+++ b/service_provider/service_provider.cpp
@@ -0,0 +1,738 @@ +/* + * Copyright (C) 2011-2018 Intel Corporation. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * * Neither the name of Intel Corporation nor the names of its + * contributors may be used to endorse or promote products derived + * from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + + + +#include "service_provider.h" + +#include "sample_libcrypto.h" + +#include "ecp.h" + +#include +#include +#include +#include +#include +#include "ias_ra.h" + +#ifndef SAFE_FREE +#define SAFE_FREE(ptr) {if (NULL != (ptr)) {free(ptr); (ptr) = NULL;}} +#endif + +// This is supported extended epid group of SP. 
SP can support more than one +// extended epid group with different extended epid group id and credentials. +static const sample_extended_epid_group g_extended_epid_groups[] = { + { + 0, + ias_enroll, + ias_get_sigrl, + ias_verify_attestation_evidence + } +}; + +// This is the private EC key of SP, the corresponding public EC key is +// hard coded in isv_enclave. It is based on NIST P-256 curve. +static const sample_ec256_private_t g_sp_priv_key = { + { + 0x90, 0xe7, 0x6c, 0xbb, 0x2d, 0x52, 0xa1, 0xce, + 0x3b, 0x66, 0xde, 0x11, 0x43, 0x9c, 0x87, 0xec, + 0x1f, 0x86, 0x6a, 0x3b, 0x65, 0xb6, 0xae, 0xea, + 0xad, 0x57, 0x34, 0x53, 0xd1, 0x03, 0x8c, 0x01 + } +}; + +// This is the public EC key of SP, this key is hard coded in isv_enclave. +// It is based on NIST P-256 curve. Not used in the SP code. +static const sample_ec_pub_t g_sp_pub_key = { + { + 0x72, 0x12, 0x8a, 0x7a, 0x17, 0x52, 0x6e, 0xbf, + 0x85, 0xd0, 0x3a, 0x62, 0x37, 0x30, 0xae, 0xad, + 0x3e, 0x3d, 0xaa, 0xee, 0x9c, 0x60, 0x73, 0x1d, + 0xb0, 0x5b, 0xe8, 0x62, 0x1c, 0x4b, 0xeb, 0x38 + }, + { + 0xd4, 0x81, 0x40, 0xd9, 0x50, 0xe2, 0x57, 0x7b, + 0x26, 0xee, 0xb7, 0x41, 0xe7, 0xc6, 0x14, 0xe2, + 0x24, 0xb7, 0xbd, 0xc9, 0x03, 0xf2, 0x9a, 0x28, + 0xa8, 0x3c, 0xc8, 0x10, 0x11, 0x14, 0x5e, 0x06 + } +}; + +// This is a context data structure used on SP side +typedef struct _sp_db_item_t +{ + sample_ec_pub_t g_a; + sample_ec_pub_t g_b; + sample_ec_key_128bit_t vk_key;// Shared secret key for the REPORT_DATA + sample_ec_key_128bit_t mk_key;// Shared secret key for generating MAC's + sample_ec_key_128bit_t sk_key;// Shared secret key for encryption + sample_ec_key_128bit_t smk_key;// Used only for SIGMA protocol + sample_ec_priv_t b; + sample_ps_sec_prop_desc_t ps_sec_prop; +}sp_db_item_t; +static sp_db_item_t g_sp_db; + +static const sample_extended_epid_group* g_sp_extended_epid_group_id= NULL; +static bool g_is_sp_registered = false; +static int g_sp_credentials = 0; +static int g_authentication_token = 0; + +uint8_t 
g_secret[8] = {0,1,2,3,4,5,6,7}; + +sample_spid_t g_spid; + + +// Verify message 0 then configure extended epid group. +int sp_ra_proc_msg0_req(const sample_ra_msg0_t *p_msg0, + uint32_t msg0_size) +{ + int ret = -1; + + if (!p_msg0 || + (msg0_size != sizeof(sample_ra_msg0_t))) + { + return -1; + } + uint32_t extended_epid_group_id = p_msg0->extended_epid_group_id; + + // Check to see if we have registered with the attestation server yet? + if (!g_is_sp_registered || + (g_sp_extended_epid_group_id != NULL && g_sp_extended_epid_group_id->extended_epid_group_id != extended_epid_group_id)) + { + // Check to see if the extended_epid_group_id is supported? + ret = SP_UNSUPPORTED_EXTENDED_EPID_GROUP; + for (size_t i = 0; i < sizeof(g_extended_epid_groups) / sizeof(sample_extended_epid_group); i++) + { + if (g_extended_epid_groups[i].extended_epid_group_id == extended_epid_group_id) + { + g_sp_extended_epid_group_id = &(g_extended_epid_groups[i]); + // In the product, the SP will establish a mutually + // authenticated SSL channel. During the enrollment process, the ISV + // registers it exchanges TLS certs with attestation server and obtains an SPID and + // Report Key from the attestation server. + // For a product attestation server, enrollment is an offline process. See the 'on-boarding' + // documentation to get the information required. The enrollment process is + // simulated by a call in this sample. + ret = g_sp_extended_epid_group_id->enroll(g_sp_credentials, &g_spid, + &g_authentication_token); + if (0 != ret) + { + ret = SP_IAS_FAILED; + break; + } + + g_is_sp_registered = true; + ret = SP_OK; + break; + } + } + } + else + { + ret = SP_OK; + } + + return ret; +} + +// Verify message 1 then generate and return message 2 to isv. 
+int sp_ra_proc_msg1_req(const sample_ra_msg1_t *p_msg1, + uint32_t msg1_size, + ra_samp_response_header_t **pp_msg2) +{ + int ret = 0; + ra_samp_response_header_t* p_msg2_full = NULL; + sample_ra_msg2_t *p_msg2 = NULL; + sample_ecc_state_handle_t ecc_state = NULL; + sample_status_t sample_ret = SAMPLE_SUCCESS; + bool derive_ret = false; + + if(!p_msg1 || + !pp_msg2 || + (msg1_size != sizeof(sample_ra_msg1_t))) + { + return -1; + } + + // Check to see if we have registered? + if (!g_is_sp_registered) + { + return SP_UNSUPPORTED_EXTENDED_EPID_GROUP; + } + + do + { + // Get the sig_rl from attestation server using GID. + // GID is Base-16 encoded of EPID GID in little-endian format. + // In the product, the SP and attesation server uses an established channel for + // communication. + uint8_t* sig_rl; + uint32_t sig_rl_size = 0; + + // The product interface uses a REST based message to get the SigRL. + + ret = g_sp_extended_epid_group_id->get_sigrl(p_msg1->gid, &sig_rl_size, &sig_rl); + if(0 != ret) + { + fprintf(stderr, "\nError, ias_get_sigrl [%s].", __FUNCTION__); + ret = SP_IAS_FAILED; + break; + } + + // Need to save the client's public ECCDH key to local storage + if (memcpy_s(&g_sp_db.g_a, sizeof(g_sp_db.g_a), &p_msg1->g_a, + sizeof(p_msg1->g_a))) + { + fprintf(stderr, "\nError, cannot do memcpy in [%s].", __FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } + + // Generate the Service providers ECCDH key pair. 
+ sample_ret = sample_ecc256_open_context(&ecc_state); + if(SAMPLE_SUCCESS != sample_ret) + { + fprintf(stderr, "\nError, cannot get ECC context in [%s].", + __FUNCTION__); + ret = -1; + break; + } + sample_ec256_public_t pub_key = {{0},{0}}; + sample_ec256_private_t priv_key = {{0}}; + sample_ret = sample_ecc256_create_key_pair(&priv_key, &pub_key, + ecc_state); + if(SAMPLE_SUCCESS != sample_ret) + { + fprintf(stderr, "\nError, cannot generate key pair in [%s].", + __FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } + + // Need to save the SP ECCDH key pair to local storage. + if(memcpy_s(&g_sp_db.b, sizeof(g_sp_db.b), &priv_key,sizeof(priv_key)) + || memcpy_s(&g_sp_db.g_b, sizeof(g_sp_db.g_b), + &pub_key,sizeof(pub_key))) + { + fprintf(stderr, "\nError, cannot do memcpy in [%s].", __FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } + + // Generate the client/SP shared secret + sample_ec_dh_shared_t dh_key = {{0}}; + sample_ret = sample_ecc256_compute_shared_dhkey(&priv_key, + (sample_ec256_public_t *)&p_msg1->g_a, + (sample_ec256_dh_shared_t *)&dh_key, + ecc_state); + if(SAMPLE_SUCCESS != sample_ret) + { + fprintf(stderr, "\nError, compute share key fail in [%s].", + __FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } + +#ifdef SUPPLIED_KEY_DERIVATION + + // smk is only needed for msg2 generation. + derive_ret = derive_key(&dh_key, SAMPLE_DERIVE_KEY_SMK_SK, + &g_sp_db.smk_key, &g_sp_db.sk_key); + if(derive_ret != true) + { + fprintf(stderr, "\nError, derive key fail in [%s].", __FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } + + // The rest of the keys are the shared secrets for future communication. + derive_ret = derive_key(&dh_key, SAMPLE_DERIVE_KEY_MK_VK, + &g_sp_db.mk_key, &g_sp_db.vk_key); + if(derive_ret != true) + { + fprintf(stderr, "\nError, derive key fail in [%s].", __FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } +#else + // smk is only needed for msg2 generation. 
+ derive_ret = derive_key(&dh_key, SAMPLE_DERIVE_KEY_SMK, + &g_sp_db.smk_key); + if(derive_ret != true) + { + fprintf(stderr, "\nError, derive key fail in [%s].", __FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } + + // The rest of the keys are the shared secrets for future communication. + derive_ret = derive_key(&dh_key, SAMPLE_DERIVE_KEY_MK, + &g_sp_db.mk_key); + if(derive_ret != true) + { + fprintf(stderr, "\nError, derive key fail in [%s].", __FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } + + derive_ret = derive_key(&dh_key, SAMPLE_DERIVE_KEY_SK, + &g_sp_db.sk_key); + if(derive_ret != true) + { + fprintf(stderr, "\nError, derive key fail in [%s].", __FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } + + derive_ret = derive_key(&dh_key, SAMPLE_DERIVE_KEY_VK, + &g_sp_db.vk_key); + if(derive_ret != true) + { + fprintf(stderr, "\nError, derive key fail in [%s].", __FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } +#endif + + uint32_t msg2_size = sizeof(sample_ra_msg2_t) + sig_rl_size; + p_msg2_full = (ra_samp_response_header_t*)malloc(msg2_size + + sizeof(ra_samp_response_header_t)); + if(!p_msg2_full) + { + fprintf(stderr, "\nError, out of memory in [%s].", __FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } + memset(p_msg2_full, 0, msg2_size + sizeof(ra_samp_response_header_t)); + p_msg2_full->type = TYPE_RA_MSG2; + p_msg2_full->size = msg2_size; + // The simulated message2 always passes. This would need to be set + // accordingly in a real service provider implementation. 
+ p_msg2_full->status[0] = 0; + p_msg2_full->status[1] = 0; + p_msg2 = (sample_ra_msg2_t *)p_msg2_full->body; + + // Assemble MSG2 + if(memcpy_s(&p_msg2->g_b, sizeof(p_msg2->g_b), &g_sp_db.g_b, + sizeof(g_sp_db.g_b)) || + memcpy_s(&p_msg2->spid, sizeof(sample_spid_t), + &g_spid, sizeof(g_spid))) + { + fprintf(stderr,"\nError, memcpy failed in [%s].", __FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } + + // The service provider is responsible for selecting the proper EPID + // signature type and to understand the implications of the choice! + p_msg2->quote_type = SAMPLE_QUOTE_LINKABLE_SIGNATURE; + +#ifdef SUPPLIED_KEY_DERIVATION +//isv defined key derivation function id +#define ISV_KDF_ID 2 + p_msg2->kdf_id = ISV_KDF_ID; +#else + p_msg2->kdf_id = SAMPLE_AES_CMAC_KDF_ID; +#endif + // Create gb_ga + sample_ec_pub_t gb_ga[2]; + if(memcpy_s(&gb_ga[0], sizeof(gb_ga[0]), &g_sp_db.g_b, + sizeof(g_sp_db.g_b)) + || memcpy_s(&gb_ga[1], sizeof(gb_ga[1]), &g_sp_db.g_a, + sizeof(g_sp_db.g_a))) + { + fprintf(stderr,"\nError, memcpy failed in [%s].", __FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } + + // Sign gb_ga + sample_ret = sample_ecdsa_sign((uint8_t *)&gb_ga, sizeof(gb_ga), + (sample_ec256_private_t *)&g_sp_priv_key, + (sample_ec256_signature_t *)&p_msg2->sign_gb_ga, + ecc_state); + if(SAMPLE_SUCCESS != sample_ret) + { + fprintf(stderr, "\nError, sign ga_gb fail in [%s].", __FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } + + // Generate the CMACsmk for gb||SPID||TYPE||KDF_ID||Sigsp(gb,ga) + uint8_t mac[SAMPLE_EC_MAC_SIZE] = {0}; + uint32_t cmac_size = offsetof(sample_ra_msg2_t, mac); + sample_ret = sample_rijndael128_cmac_msg(&g_sp_db.smk_key, + (uint8_t *)&p_msg2->g_b, cmac_size, &mac); + if(SAMPLE_SUCCESS != sample_ret) + { + fprintf(stderr, "\nError, cmac fail in [%s].", __FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } + if(memcpy_s(&p_msg2->mac, sizeof(p_msg2->mac), mac, sizeof(mac))) + { + fprintf(stderr,"\nError, memcpy failed in [%s].", 
__FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } + + if(memcpy_s(&p_msg2->sig_rl[0], sig_rl_size, sig_rl, sig_rl_size)) + { + fprintf(stderr,"\nError, memcpy failed in [%s].", __FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } + p_msg2->sig_rl_size = sig_rl_size; + + }while(0); + + if(ret) + { + *pp_msg2 = NULL; + SAFE_FREE(p_msg2_full); + } + else + { + // Freed by the network simulator in ra_free_network_response_buffer + *pp_msg2 = p_msg2_full; + } + + if(ecc_state) + { + sample_ecc256_close_context(ecc_state); + } + + return ret; +} + +// Process remote attestation message 3 +int sp_ra_proc_msg3_req(const sample_ra_msg3_t *p_msg3, + uint32_t msg3_size, + ra_samp_response_header_t **pp_att_result_msg) +{ + int ret = 0; + sample_status_t sample_ret = SAMPLE_SUCCESS; + const uint8_t *p_msg3_cmaced = NULL; + sample_quote_t *p_quote = NULL; + sample_sha_state_handle_t sha_handle = NULL; + sample_report_data_t report_data = {0}; + sample_ra_att_result_msg_t *p_att_result_msg = NULL; + ra_samp_response_header_t* p_att_result_msg_full = NULL; + uint32_t i; + + if((!p_msg3) || + (msg3_size < sizeof(sample_ra_msg3_t)) || + (!pp_att_result_msg)) + { + return SP_INTERNAL_ERROR; + } + + // Check to see if we have registered? + if (!g_is_sp_registered) + { + return SP_UNSUPPORTED_EXTENDED_EPID_GROUP; + } + do + { + // Compare g_a in message 3 with local g_a. + ret = memcmp(&g_sp_db.g_a, &p_msg3->g_a, sizeof(sample_ec_pub_t)); + if(ret) + { + fprintf(stderr, "\nError, g_a is not same [%s].", __FUNCTION__); + ret = SP_PROTOCOL_ERROR; + break; + } + //Make sure that msg3_size is bigger than sample_mac_t. 
+ uint32_t mac_size = msg3_size - sizeof(sample_mac_t); + p_msg3_cmaced = reinterpret_cast(p_msg3); + p_msg3_cmaced += sizeof(sample_mac_t); + + // Verify the message mac using SMK + sample_cmac_128bit_tag_t mac = {0}; + sample_ret = sample_rijndael128_cmac_msg(&g_sp_db.smk_key, + p_msg3_cmaced, + mac_size, + &mac); + if(SAMPLE_SUCCESS != sample_ret) + { + fprintf(stderr, "\nError, cmac fail in [%s].", __FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } + // In real implementation, should use a time safe version of memcmp here, + // in order to avoid side channel attack. + ret = memcmp(&p_msg3->mac, mac, sizeof(mac)); + if(ret) + { + fprintf(stderr, "\nError, verify cmac fail [%s].", __FUNCTION__); + ret = SP_INTEGRITY_FAILED; + break; + } + + if(memcpy_s(&g_sp_db.ps_sec_prop, sizeof(g_sp_db.ps_sec_prop), + &p_msg3->ps_sec_prop, sizeof(p_msg3->ps_sec_prop))) + { + fprintf(stderr,"\nError, memcpy failed in [%s].", __FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } + + p_quote = (sample_quote_t *)p_msg3->quote; + + // Check the quote version if needed. Only check the Quote.version field if the enclave + // identity fields have changed or the size of the quote has changed. The version may + // change without affecting the legacy fields or size of the quote structure. + //if(p_quote->version < ACCEPTED_QUOTE_VERSION) + //{ + // fprintf(stderr,"\nError, quote version is too old.", __FUNCTION__); + // ret = SP_QUOTE_VERSION_ERROR; + // break; + //} + + // Verify the report_data in the Quote matches the expected value. + // The first 32 bytes of report_data are SHA256 HASH of {ga|gb|vk}. + // The second 32 bytes of report_data are set to zero. 
+ sample_ret = sample_sha256_init(&sha_handle);
+ if(sample_ret != SAMPLE_SUCCESS)
+ {
+ fprintf(stderr,"\nError, init hash failed in [%s].", __FUNCTION__);
+ ret = SP_INTERNAL_ERROR;
+ break;
+ }
+ sample_ret = sample_sha256_update((uint8_t *)&(g_sp_db.g_a),
+ sizeof(g_sp_db.g_a), sha_handle);
+ if(sample_ret != SAMPLE_SUCCESS)
+ {
+ fprintf(stderr,"\nError, udpate hash failed in [%s].",
+ __FUNCTION__);
+ ret = SP_INTERNAL_ERROR;
+ break;
+ }
+ sample_ret = sample_sha256_update((uint8_t *)&(g_sp_db.g_b),
+ sizeof(g_sp_db.g_b), sha_handle);
+ if(sample_ret != SAMPLE_SUCCESS)
+ {
+ fprintf(stderr,"\nError, udpate hash failed in [%s].",
+ __FUNCTION__);
+ ret = SP_INTERNAL_ERROR;
+ break;
+ }
+ sample_ret = sample_sha256_update((uint8_t *)&(g_sp_db.vk_key),
+ sizeof(g_sp_db.vk_key), sha_handle);
+ if(sample_ret != SAMPLE_SUCCESS)
+ {
+ fprintf(stderr,"\nError, udpate hash failed in [%s].",
+ __FUNCTION__);
+ ret = SP_INTERNAL_ERROR;
+ break;
+ }
+ sample_ret = sample_sha256_get_hash(sha_handle,
+ (sample_sha256_hash_t *)&report_data);
+ if(sample_ret != SAMPLE_SUCCESS)
+ {
+ fprintf(stderr,"\nError, Get hash failed in [%s].", __FUNCTION__);
+ ret = SP_INTERNAL_ERROR;
+ break;
+ }
+ ret = memcmp((uint8_t *)&report_data,
+ (uint8_t *)&(p_quote->report_body.report_data),
+ sizeof(report_data));
+ if(ret)
+ {
+ fprintf(stderr, "\nError, verify hash fail [%s].", __FUNCTION__);
+ ret = SP_INTEGRITY_FAILED;
+ break;
+ }
+
+ // Verify Enclave policy (an attestation server may provide an API for this if we
+ // registered an Enclave policy)
+
+ // Verify quote with attestation server.
+ // In the product, an attestation server could use a REST message and JSON formatting to request
+ // attestation Quote verification. The sample only simulates this interface.
+ ias_att_report_t attestation_report = {0}; + ret = g_sp_extended_epid_group_id->verify_attestation_evidence(p_quote, NULL, + &attestation_report); + if(0 != ret) + { + ret = SP_IAS_FAILED; + break; + } + FILE* OUTPUT = stdout; + fprintf(OUTPUT, "\n\n\tAttestation Report:"); + fprintf(OUTPUT, "\n\tid: 0x%0x.", attestation_report.id); + fprintf(OUTPUT, "\n\tstatus: %d.", attestation_report.status); + fprintf(OUTPUT, "\n\trevocation_reason: %u.", + attestation_report.revocation_reason); + // attestation_report.info_blob; + fprintf(OUTPUT, "\n\tpse_status: %d.", attestation_report.pse_status); + // Note: This sample always assumes the PIB is sent by attestation server. In the product + // implementation, the attestation server could only send the PIB for certain attestation + // report statuses. A product SP implementation needs to handle cases + // where the PIB is zero length. + + // Respond the client with the results of the attestation. + uint32_t att_result_msg_size = sizeof(sample_ra_att_result_msg_t); + p_att_result_msg_full = + (ra_samp_response_header_t*)malloc(att_result_msg_size + + sizeof(ra_samp_response_header_t) + sizeof(g_secret)); + if(!p_att_result_msg_full) + { + fprintf(stderr, "\nError, out of memory in [%s].", __FUNCTION__); + ret = SP_INTERNAL_ERROR; + break; + } + memset(p_att_result_msg_full, 0, att_result_msg_size + + sizeof(ra_samp_response_header_t) + sizeof(g_secret)); + p_att_result_msg_full->type = TYPE_RA_ATT_RESULT; + p_att_result_msg_full->size = att_result_msg_size; + if(IAS_QUOTE_OK != attestation_report.status) + { + p_att_result_msg_full->status[0] = 0xFF; + } + if(IAS_PSE_OK != attestation_report.pse_status) + { + p_att_result_msg_full->status[1] = 0xFF; + } + + p_att_result_msg = + (sample_ra_att_result_msg_t *)p_att_result_msg_full->body; + + // In a product implementation of attestation server, the HTTP response header itself could have + // an RK based signature that the service provider needs to check here. 
+ + // The platform_info_blob signature will be verified by the client + // when sent. No need to have the Service Provider to check it. The SP + // should pass it down to the application for further analysis. + + fprintf(OUTPUT, "\n\n\tEnclave Report:"); + fprintf(OUTPUT, "\n\tSignature Type: 0x%x", p_quote->sign_type); + fprintf(OUTPUT, "\n\tSignature Basename: "); + for(i=0; ibasename.name) && p_quote->basename.name[i]; + i++) + { + fprintf(OUTPUT, "%c", p_quote->basename.name[i]); + } +#ifdef __x86_64__ + fprintf(OUTPUT, "\n\tattributes.flags: 0x%0lx", + p_quote->report_body.attributes.flags); + fprintf(OUTPUT, "\n\tattributes.xfrm: 0x%0lx", + p_quote->report_body.attributes.xfrm); +#else + fprintf(OUTPUT, "\n\tattributes.flags: 0x%0llx", + p_quote->report_body.attributes.flags); + fprintf(OUTPUT, "\n\tattributes.xfrm: 0x%0llx", + p_quote->report_body.attributes.xfrm); +#endif + fprintf(OUTPUT, "\n\tmr_enclave: "); + for(i=0;ireport_body.mr_enclave[i]); + + //fprintf(stderr, "%02x",p_quote->report_body.mr_enclave.m[i]); + + } + fprintf(OUTPUT, "\n\tmr_signer: "); + for(i=0;ireport_body.mr_signer[i]); + + //fprintf(stderr, "%02x",p_quote->report_body.mr_signer.m[i]); + + } + fprintf(OUTPUT, "\n\tisv_prod_id: 0x%0x", + p_quote->report_body.isv_prod_id); + fprintf(OUTPUT, "\n\tisv_svn: 0x%0x",p_quote->report_body.isv_svn); + fprintf(OUTPUT, "\n"); + + // A product service provider needs to verify that its enclave properties + // match what is expected. The SP needs to check these values before + // trusting the enclave. For the sample, we always pass the policy check. + // Attestation server only verifies the quote structure and signature. It does not + // check the identity of the enclave. + bool isv_policy_passed = true; + + // Assemble Attestation Result Message + // Note, this is a structure copy. We don't copy the policy reports + // right now. + p_att_result_msg->platform_info_blob = attestation_report.info_blob; + + // Generate mac based on the mk key. 
+ mac_size = sizeof(ias_platform_info_blob_t);
+ sample_ret = sample_rijndael128_cmac_msg(&g_sp_db.mk_key,
+ (const uint8_t*)&p_att_result_msg->platform_info_blob,
+ mac_size,
+ &p_att_result_msg->mac);
+ if(SAMPLE_SUCCESS != sample_ret)
+ {
+ fprintf(stderr, "\nError, cmac fail in [%s].", __FUNCTION__);
+ ret = SP_INTERNAL_ERROR;
+ break;
+ }
+
+ // Generate shared secret and encrypt it with SK, if attestation passed.
+ uint8_t aes_gcm_iv[SAMPLE_SP_IV_SIZE] = {0};
+ p_att_result_msg->secret.payload_size = 8;
+ if((IAS_QUOTE_OK == attestation_report.status) &&
+ (IAS_PSE_OK == attestation_report.pse_status) &&
+ (isv_policy_passed == true))
+ {
+ ret = sample_rijndael128GCM_encrypt(&g_sp_db.sk_key,
+ &g_secret[0],
+ p_att_result_msg->secret.payload_size,
+ p_att_result_msg->secret.payload,
+ &aes_gcm_iv[0],
+ SAMPLE_SP_IV_SIZE,
+ NULL,
+ 0,
+ &p_att_result_msg->secret.payload_tag);
+ }
+ }while(0);
+
+ if(ret)
+ {
+ *pp_att_result_msg = NULL;
+ SAFE_FREE(p_att_result_msg_full);
+ }
+ else
+ {
+ // Freed by the network simulator in ra_free_network_response_buffer
+ *pp_att_result_msg = p_att_result_msg_full;
+ }
+ return ret;
+}
+
+
+
+
diff --git a/service_provider/service_provider.h b/service_provider/service_provider.h
new file mode 100644
index 0000000..e6847d5
--- /dev/null
+++ b/service_provider/service_provider.h
@@ -0,0 +1,161 @@
+/*
+ * Copyright (C) 2011-2018 Intel Corporation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in
+ * the documentation and/or other materials provided with the
+ * distribution.
+ * * Neither the name of Intel Corporation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+
+
+#ifndef _SERVICE_PROVIDER_H
+#define _SERVICE_PROVIDER_H
+
+#include "remote_attestation_result.h"
+#include "ias_ra.h"
+#include "network_ra.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum {
+ SP_OK,
+ SP_UNSUPPORTED_EXTENDED_EPID_GROUP,
+ SP_INTEGRITY_FAILED,
+ SP_QUOTE_VERIFICATION_FAILED,
+ SP_IAS_FAILED,
+ SP_INTERNAL_ERROR,
+ SP_PROTOCOL_ERROR,
+ SP_QUOTE_VERSION_ERROR,
+} sp_ra_msg_status_t;
+
+#pragma pack(push,1)
+
+#define SAMPLE_SP_TAG_SIZE 16
+#define SAMPLE_SP_IV_SIZE 12
+
+typedef struct sample_ec_pub_t
+{
+ uint8_t gx[SAMPLE_ECP_KEY_SIZE];
+ uint8_t gy[SAMPLE_ECP_KEY_SIZE];
+} sample_ec_pub_t;
+
+/*fixed length to align with internal structure*/
+typedef struct sample_ps_sec_prop_desc_t
+{
+ uint8_t sample_ps_sec_prop_desc[256];
+} sample_ps_sec_prop_desc_t;
+
+#pragma pack(pop)
+
+typedef uint32_t sample_ra_context_t;
+
+typedef uint8_t sample_key_128bit_t[16];
+
+typedef sample_key_128bit_t sample_ra_key_128_t;
+
+typedef struct sample_ra_msg0_t
+{
+ uint32_t extended_epid_group_id;
+} sample_ra_msg0_t;
+
+
+typedef struct sample_ra_msg1_t
+{
+ sample_ec_pub_t g_a; /* the Endian-ness of Ga is
+ Little-Endian*/
+ sample_epid_group_id_t gid; /* the Endian-ness of GID is
+ Little-Endian*/
+} sample_ra_msg1_t;
+
+/*Key Derivation Function ID : 0x0001 AES-CMAC Entropy Extraction and Key Expansion*/
+const uint16_t SAMPLE_AES_CMAC_KDF_ID = 0x0001;
+
+typedef struct sample_ra_msg2_t
+{
+ sample_ec_pub_t g_b; /* the Endian-ness of Gb is
+ Little-Endian*/
+ sample_spid_t spid; /* In little endian*/
+ uint16_t quote_type; /* unlinkable Quote(0) or linkable Quote(0) in little endian*/
+ uint16_t kdf_id; /* key derivation function id in little endian.
+ 0x0001 for AES-CMAC Entropy Extraction and Key Derivation */
+ sample_ec_sign256_t sign_gb_ga; /* In little endian*/
+ sample_mac_t mac; /* mac_smk(g_b||spid||quote_type||
+ sign_gb_ga)*/
+ uint32_t sig_rl_size;
+ uint8_t sig_rl[];
+} sample_ra_msg2_t;
+
+typedef struct sample_ra_msg3_t
+{
+ sample_mac_t mac; /* mac_smk(g_a||ps_sec_prop||quote)*/
+ sample_ec_pub_t g_a; /* the Endian-ness of Ga is*/
+ /* Little-Endian*/
+ sample_ps_sec_prop_desc_t ps_sec_prop;
+ uint8_t quote[];
+} sample_ra_msg3_t;
+
+int sp_ra_proc_msg0_req(const sample_ra_msg0_t *p_msg0,
+ uint32_t msg0_size);
+
+int sp_ra_proc_msg1_req(const sample_ra_msg1_t *p_msg1,
+ uint32_t msg1_size,
+ ra_samp_response_header_t **pp_msg2);
+
+int sp_ra_proc_msg3_req(const sample_ra_msg3_t *p_msg3,
+ uint32_t msg3_size,
+ ra_samp_response_header_t **pp_att_result_msg);
+
+int sp_ra_free_msg2(
+ sample_ra_msg2_t *p_msg2);
+
+
+
+typedef int (*sample_enroll)(int sp_credentials, sample_spid_t* spid,
+ int* authentication_token);
+
+typedef int(*sample_get_sigrl)(const sample_epid_group_id_t gid, uint32_t* p_sig_rl_size,
+ uint8_t** p_sig_rl);
+
+typedef int(*sample_verify_attestation_evidence)(sample_quote_t* p_isv_quote,
+ uint8_t* pse_manifest,
+ ias_att_report_t* attestation_verification_report);
+
+
+typedef struct sample_extended_epid_group
+{
+ uint32_t extended_epid_group_id;
+ sample_enroll enroll;
+ sample_get_sigrl get_sigrl;
+ sample_verify_attestation_evidence verify_attestation_evidence;
+} sample_extended_epid_group;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
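Review bot: The `sp_ra_proc_msg3_req` declaration and `sample_ra_msg3_t` do not say what `msg3_size` has to cover, although `quote[]` is a flexible array member and that argument is the only bound on it. The implementation in service_provider.cpp in this same patch rejects only `msg3_size < sizeof(sample_ra_msg3_t)` and then reads `p_quote->report_body` through a cast of `p_msg3->quote`, so a message carrying just the fixed fields appears to pass the check. I would state the contract on the prototype, for example `/* msg3_size: total byte length of *p_msg3 including quote[]; must cover the fixed fields plus every quote field the SP reads */`, and have the implementation enforce that bound before the quote is dereferenced. The layout of `sample_quote_t` is not visible here, so the exact minimum has to be taken from its definition.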