Bug 1145679 - Reject EV status for end-entity EV certs with overly long validity periods. r=keeler
authorCykesiopka <cykesiopka.bmo@gmail.com>
Mon, 29 Jun 2015 22:19:00 +0200
changeset 250685 a2b818a26d8528a8da37b16622e06df4d0c1676f
parent 250684 40097092c52dfacd9a345b387fd25c99d3d447cf
child 250686 ade5f5dd22ea3072588d1f25c6f82693b4bec470
push id28968
push userkwierso@gmail.com
push dateTue, 30 Jun 2015 23:40:44 +0000
treeherdermozilla-central@e5ef71b73fec [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerskeeler
bugs1145679
milestone42.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1145679 - Reject EV status for end-entity EV certs with overly long validity periods. r=keeler
security/apps/AppTrustDomain.cpp
security/apps/AppTrustDomain.h
security/certverifier/CertVerifier.cpp
security/certverifier/CertVerifier.h
security/certverifier/ExtendedValidation.cpp
security/certverifier/NSSCertDBTrustDomain.cpp
security/certverifier/NSSCertDBTrustDomain.h
security/manager/locales/en-US/chrome/pipnss/nsserrors.properties
security/manager/ssl/tests/unit/psm_common_py/CertUtils.py
security/manager/ssl/tests/unit/test_ev_certs/cert9.db
security/manager/ssl/tests/unit/test_ev_certs/ev-valid-anypolicy-int.der
security/manager/ssl/tests/unit/test_ev_certs/ev-valid.der
security/manager/ssl/tests/unit/test_ev_certs/generate.py
security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid-anypolicy-int.der
security/manager/ssl/tests/unit/test_ev_certs/int-ev-valid.der
security/manager/ssl/tests/unit/test_ev_certs/int-non-ev-root.der
security/manager/ssl/tests/unit/test_ev_certs/key4.db
security/manager/ssl/tests/unit/test_ev_certs/no-ocsp-url-cert.der
security/manager/ssl/tests/unit/test_ev_certs/non-ev-root.der
security/manager/ssl/tests/unit/test_ev_certs/non-evroot-ca.der
security/manager/ssl/tests/unit/test_keysize/cert9.db
security/manager/ssl/tests/unit/test_keysize/ee_prime256v1_256-int_prime256v1_256-root_secp224r1_224.der
security/manager/ssl/tests/unit/test_keysize/ee_prime256v1_256-int_prime256v1_256-root_secp256k1_256.der
security/manager/ssl/tests/unit/test_keysize/ee_prime256v1_256-int_rsa_1016-root_prime256v1_256.der
security/manager/ssl/tests/unit/test_keysize/ee_prime256v1_256-int_secp224r1_224-root_prime256v1_256.der
security/manager/ssl/tests/unit/test_keysize/ee_rsa_1016-int_rsa_1024-root_rsa_1024.der
security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1016-root_rsa_1024.der
security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1016.der
security/manager/ssl/tests/unit/test_keysize/ee_rsa_1024-int_rsa_1024-root_rsa_1024.der
security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_prime256v1_256-root_prime256v1_256.der
security/manager/ssl/tests/unit/test_keysize/ee_secp224r1_224-int_prime256v1_256-root_rsa_2048.der
security/manager/ssl/tests/unit/test_keysize/ee_secp256k1_256-int_prime256v1_256-root_prime256v1_256.der
security/manager/ssl/tests/unit/test_keysize/ee_secp384r1_384-int_prime256v1_256-root_rsa_2048.der
security/manager/ssl/tests/unit/test_keysize/ee_secp521r1_521-int_secp384r1_384-root_prime256v1_256.der
security/manager/ssl/tests/unit/test_keysize/ev_ee_rsa_2040-ev_int_rsa_2048-evroot.der
security/manager/ssl/tests/unit/test_keysize/ev_ee_rsa_2048-ev_int_rsa_2040-evroot.der
security/manager/ssl/tests/unit/test_keysize/ev_ee_rsa_2048-ev_int_rsa_2048-ev_root_rsa_2040.der
security/manager/ssl/tests/unit/test_keysize/ev_ee_rsa_2048-ev_int_rsa_2048-evroot.der
security/manager/ssl/tests/unit/test_keysize/ev_int_rsa_2040-evroot.der
security/manager/ssl/tests/unit/test_keysize/ev_int_rsa_2048-ev_root_rsa_2040.der
security/manager/ssl/tests/unit/test_keysize/ev_int_rsa_2048-evroot.der
security/manager/ssl/tests/unit/test_keysize/ev_root_rsa_2040.der
security/manager/ssl/tests/unit/test_keysize/generate.py
security/manager/ssl/tests/unit/test_keysize/int_prime256v1_256-root_prime256v1_256.der
security/manager/ssl/tests/unit/test_keysize/int_prime256v1_256-root_rsa_2048.der
security/manager/ssl/tests/unit/test_keysize/int_prime256v1_256-root_secp224r1_224.der
security/manager/ssl/tests/unit/test_keysize/int_prime256v1_256-root_secp256k1_256.der
security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_prime256v1_256.der
security/manager/ssl/tests/unit/test_keysize/int_rsa_1016-root_rsa_1024.der
security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1016.der
security/manager/ssl/tests/unit/test_keysize/int_rsa_1024-root_rsa_1024.der
security/manager/ssl/tests/unit/test_keysize/int_secp224r1_224-root_prime256v1_256.der
security/manager/ssl/tests/unit/test_keysize/int_secp384r1_384-root_prime256v1_256.der
security/manager/ssl/tests/unit/test_keysize/key4.db
security/manager/ssl/tests/unit/test_keysize/root_prime256v1_256.der
security/manager/ssl/tests/unit/test_keysize/root_rsa_1016.der
security/manager/ssl/tests/unit/test_keysize/root_rsa_1024.der
security/manager/ssl/tests/unit/test_keysize/root_rsa_2048.der
security/manager/ssl/tests/unit/test_keysize/root_secp224r1_224.der
security/manager/ssl/tests/unit/test_keysize/root_secp256k1_256.der
security/pkix/include/pkix/Result.h
security/pkix/include/pkix/Time.h
security/pkix/include/pkix/pkixnss.h
security/pkix/include/pkix/pkixtypes.h
security/pkix/lib/pkixcheck.cpp
security/pkix/lib/pkixnss.cpp
security/pkix/test/gtest/pkixgtest.h
--- a/security/apps/AppTrustDomain.cpp
+++ b/security/apps/AppTrustDomain.cpp
@@ -297,9 +297,17 @@ AppTrustDomain::CheckECDSACurveIsAccepta
 Result
 AppTrustDomain::VerifyECDSASignedDigest(const SignedDigest& signedDigest,
                                         Input subjectPublicKeyInfo)
 {
   return VerifyECDSASignedDigestNSS(signedDigest, subjectPublicKeyInfo,
                                     mPinArg);
 }
 
+Result
+AppTrustDomain::CheckValidityIsAcceptable(Time /*notBefore*/, Time /*notAfter*/,
+                                          EndEntityOrCA /*endEntityOrCA*/,
+                                          KeyPurposeId /*keyPurpose*/)
+{
+  return Success;
+}
+
 } } // namespace mozilla::psm
--- a/security/apps/AppTrustDomain.h
+++ b/security/apps/AppTrustDomain.h
@@ -48,16 +48,20 @@ public:
                    const mozilla::pkix::SignedDigest& signedDigest,
                    mozilla::pkix::Input subjectPublicKeyInfo) override;
   virtual Result CheckECDSACurveIsAcceptable(
                    mozilla::pkix::EndEntityOrCA endEntityOrCA,
                    mozilla::pkix::NamedCurve curve) override;
   virtual Result VerifyECDSASignedDigest(
                    const mozilla::pkix::SignedDigest& signedDigest,
                    mozilla::pkix::Input subjectPublicKeyInfo) override;
+  virtual Result CheckValidityIsAcceptable(
+                   mozilla::pkix::Time notBefore, mozilla::pkix::Time notAfter,
+                   mozilla::pkix::EndEntityOrCA endEntityOrCA,
+                   mozilla::pkix::KeyPurposeId keyPurpose) override;
   virtual Result DigestBuf(mozilla::pkix::Input item,
                            mozilla::pkix::DigestAlgorithm digestAlg,
                            /*out*/ uint8_t* digestBuf,
                            size_t digestBufLen) override;
 
 private:
   /*out*/ ScopedCERTCertList& mCertChain;
   void* mPinArg; // non-owning!
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -196,17 +196,19 @@ CertVerifier::VerifyCert(CERTCertificate
   switch (usage) {
     case certificateUsageSSLClient: {
       // XXX: We don't really have a trust bit for SSL client authentication so
       // just use trustEmail as it is the closest alternative.
       NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching, mOCSPCache,
                                        pinArg, ocspGETConfig,
                                        mCertShortLifetimeInDays,
                                        pinningDisabled,
-                                       MIN_RSA_BITS_WEAK, nullptr, builtChain);
+                                       MIN_RSA_BITS_WEAK,
+                                       ValidityCheckingMode::CheckingOff,
+                                       nullptr, builtChain);
       rv = BuildCertChain(trustDomain, certDER, time,
                           EndEntityOrCA::MustBeEndEntity,
                           KeyUsage::digitalSignature,
                           KeyPurposeId::id_kp_clientAuth,
                           CertPolicyId::anyPolicy, stapledOCSPResponse);
       break;
     }
 
@@ -225,17 +227,17 @@ CertVerifier::VerifyCert(CERTCertificate
       CertPolicyId evPolicy;
       SECOidTag evPolicyOidTag;
       SECStatus srv = GetFirstEVPolicy(cert, evPolicy, evPolicyOidTag);
       if (srv == SECSuccess) {
         NSSCertDBTrustDomain
           trustDomain(trustSSL, evOCSPFetching,
                       mOCSPCache, pinArg, ocspGETConfig,
                       mCertShortLifetimeInDays, mPinningMode, MIN_RSA_BITS,
-                      hostname, builtChain);
+                      ValidityCheckingMode::CheckForEV, hostname, builtChain);
         rv = BuildCertChainForOneKeyUsage(trustDomain, certDER, time,
                                           KeyUsage::digitalSignature,// (EC)DHE
                                           KeyUsage::keyEncipherment, // RSA
                                           KeyUsage::keyAgreement,    // (EC)DH
                                           KeyPurposeId::id_kp_serverAuth,
                                           evPolicy, stapledOCSPResponse,
                                           ocspStaplingStatus);
         if (rv == Success) {
@@ -251,17 +253,19 @@ CertVerifier::VerifyCert(CERTCertificate
         rv = Result::ERROR_POLICY_VALIDATION_FAILED;
         break;
       }
 
       // Now try non-EV.
       NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching,
                                        mOCSPCache, pinArg, ocspGETConfig,
                                        mCertShortLifetimeInDays, mPinningMode,
-                                       MIN_RSA_BITS, hostname, builtChain);
+                                       MIN_RSA_BITS,
+                                       ValidityCheckingMode::CheckingOff,
+                                       hostname, builtChain);
       rv = BuildCertChainForOneKeyUsage(trustDomain, certDER, time,
                                         KeyUsage::digitalSignature, // (EC)DHE
                                         KeyUsage::keyEncipherment, // RSA
                                         KeyUsage::keyAgreement, // (EC)DH
                                         KeyPurposeId::id_kp_serverAuth,
                                         CertPolicyId::anyPolicy,
                                         stapledOCSPResponse,
                                         ocspStaplingStatus);
@@ -272,16 +276,17 @@ CertVerifier::VerifyCert(CERTCertificate
         break;
       }
 
       // If that failed, try again with a smaller minimum key size.
       NSSCertDBTrustDomain trustDomainWeak(trustSSL, defaultOCSPFetching,
                                            mOCSPCache, pinArg, ocspGETConfig,
                                            mCertShortLifetimeInDays,
                                            mPinningMode, MIN_RSA_BITS_WEAK,
+                                           ValidityCheckingMode::CheckingOff,
                                            hostname, builtChain);
       rv = BuildCertChainForOneKeyUsage(trustDomainWeak, certDER, time,
                                         KeyUsage::digitalSignature, // (EC)DHE
                                         KeyUsage::keyEncipherment, // RSA
                                         KeyUsage::keyAgreement, // (EC)DH
                                         KeyPurposeId::id_kp_serverAuth,
                                         CertPolicyId::anyPolicy,
                                         stapledOCSPResponse,
@@ -297,29 +302,31 @@ CertVerifier::VerifyCert(CERTCertificate
       break;
     }
 
     case certificateUsageSSLCA: {
       NSSCertDBTrustDomain trustDomain(trustSSL, defaultOCSPFetching,
                                        mOCSPCache, pinArg, ocspGETConfig,
                                        mCertShortLifetimeInDays,
                                        pinningDisabled, MIN_RSA_BITS_WEAK,
+                                       ValidityCheckingMode::CheckingOff,
                                        nullptr, builtChain);
       rv = BuildCertChain(trustDomain, certDER, time,
                           EndEntityOrCA::MustBeCA, KeyUsage::keyCertSign,
                           KeyPurposeId::id_kp_serverAuth,
                           CertPolicyId::anyPolicy, stapledOCSPResponse);
       break;
     }
 
     case certificateUsageEmailSigner: {
       NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching,
                                        mOCSPCache, pinArg, ocspGETConfig,
                                        mCertShortLifetimeInDays,
                                        pinningDisabled, MIN_RSA_BITS_WEAK,
+                                       ValidityCheckingMode::CheckingOff,
                                        nullptr, builtChain);
       rv = BuildCertChain(trustDomain, certDER, time,
                           EndEntityOrCA::MustBeEndEntity,
                           KeyUsage::digitalSignature,
                           KeyPurposeId::id_kp_emailProtection,
                           CertPolicyId::anyPolicy, stapledOCSPResponse);
       if (rv == Result::ERROR_INADEQUATE_KEY_USAGE) {
         rv = BuildCertChain(trustDomain, certDER, time,
@@ -334,16 +341,17 @@ CertVerifier::VerifyCert(CERTCertificate
     case certificateUsageEmailRecipient: {
       // TODO: The higher level S/MIME processing should pass in which key
       // usage it is trying to verify for, and base its algorithm choices
       // based on the result of the verification(s).
       NSSCertDBTrustDomain trustDomain(trustEmail, defaultOCSPFetching,
                                        mOCSPCache, pinArg, ocspGETConfig,
                                        mCertShortLifetimeInDays,
                                        pinningDisabled, MIN_RSA_BITS_WEAK,
+                                       ValidityCheckingMode::CheckingOff,
                                        nullptr, builtChain);
       rv = BuildCertChain(trustDomain, certDER, time,
                           EndEntityOrCA::MustBeEndEntity,
                           KeyUsage::keyEncipherment, // RSA
                           KeyPurposeId::id_kp_emailProtection,
                           CertPolicyId::anyPolicy, stapledOCSPResponse);
       if (rv == Result::ERROR_INADEQUATE_KEY_USAGE) {
         rv = BuildCertChain(trustDomain, certDER, time,
@@ -355,16 +363,17 @@ CertVerifier::VerifyCert(CERTCertificate
       break;
     }
 
     case certificateUsageObjectSigner: {
       NSSCertDBTrustDomain trustDomain(trustObjectSigning, defaultOCSPFetching,
                                        mOCSPCache, pinArg, ocspGETConfig,
                                        mCertShortLifetimeInDays,
                                        pinningDisabled, MIN_RSA_BITS_WEAK,
+                                       ValidityCheckingMode::CheckingOff,
                                        nullptr, builtChain);
       rv = BuildCertChain(trustDomain, certDER, time,
                           EndEntityOrCA::MustBeEndEntity,
                           KeyUsage::digitalSignature,
                           KeyPurposeId::id_kp_codeSigning,
                           CertPolicyId::anyPolicy, stapledOCSPResponse);
       break;
     }
@@ -385,36 +394,39 @@ CertVerifier::VerifyCert(CERTCertificate
         endEntityOrCA = EndEntityOrCA::MustBeEndEntity;
         keyUsage = KeyUsage::digitalSignature;
         eku = KeyPurposeId::id_kp_OCSPSigning;
       }
 
       NSSCertDBTrustDomain sslTrust(trustSSL, defaultOCSPFetching, mOCSPCache,
                                     pinArg, ocspGETConfig, mCertShortLifetimeInDays,
                                     pinningDisabled, MIN_RSA_BITS_WEAK,
+                                    ValidityCheckingMode::CheckingOff,
                                     nullptr, builtChain);
       rv = BuildCertChain(sslTrust, certDER, time, endEntityOrCA,
                           keyUsage, eku, CertPolicyId::anyPolicy,
                           stapledOCSPResponse);
       if (rv == Result::ERROR_UNKNOWN_ISSUER) {
         NSSCertDBTrustDomain emailTrust(trustEmail, defaultOCSPFetching,
                                         mOCSPCache, pinArg, ocspGETConfig,
                                         mCertShortLifetimeInDays,
                                         pinningDisabled, MIN_RSA_BITS_WEAK,
+                                        ValidityCheckingMode::CheckingOff,
                                         nullptr, builtChain);
         rv = BuildCertChain(emailTrust, certDER, time, endEntityOrCA,
                             keyUsage, eku, CertPolicyId::anyPolicy,
                             stapledOCSPResponse);
         if (rv == Result::ERROR_UNKNOWN_ISSUER) {
           NSSCertDBTrustDomain objectSigningTrust(trustObjectSigning,
                                                   defaultOCSPFetching, mOCSPCache,
                                                   pinArg, ocspGETConfig,
                                                   mCertShortLifetimeInDays,
                                                   pinningDisabled,
                                                   MIN_RSA_BITS_WEAK,
+                                                  ValidityCheckingMode::CheckingOff,
                                                   nullptr, builtChain);
           rv = BuildCertChain(objectSigningTrust, certDER, time,
                               endEntityOrCA, keyUsage, eku,
                               CertPolicyId::anyPolicy, stapledOCSPResponse);
         }
       }
 
       break;
--- a/security/certverifier/CertVerifier.h
+++ b/security/certverifier/CertVerifier.h
@@ -8,18 +8,16 @@
 #define mozilla_psm__CertVerifier_h
 
 #include "pkix/pkixtypes.h"
 #include "OCSPCache.h"
 #include "ScopedNSSTypes.h"
 
 namespace mozilla { namespace psm {
 
-struct ChainValidationCallbackState;
-
 // These values correspond to the CERT_CHAIN_KEY_SIZE_STATUS telemetry.
 enum class KeySizeStatus {
   NeverChecked = 0,
   LargeMinimumSucceeded = 1,
   CompatibilityRisk = 2,
   AlreadyBad = 3,
 };
 
--- a/security/certverifier/ExtendedValidation.cpp
+++ b/security/certverifier/ExtendedValidation.cpp
@@ -119,22 +119,22 @@ static struct nsMyTrustedEVInfo myTruste
     nullptr
   },
   {
     // The RSA root with an inadequate key size used for EV key size checking
     // O=ev_root_rsa_2040,CN=XPCShell Key Size Testing rsa 2040-bit (EV)
     "1.3.6.1.4.1.13769.666.666.666.1.500.9.1",
     "DEBUGtesting EV OID",
     SEC_OID_UNKNOWN,
-    { 0xA9, 0xCF, 0x93, 0x7B, 0x12, 0x9E, 0x39, 0xD2, 0x43, 0x10, 0x33,
-      0x6B, 0xC6, 0xAD, 0x86, 0xA2, 0x7A, 0x9D, 0xA4, 0x5B, 0x67, 0xB2,
-      0xB7, 0xC1, 0xDC, 0x47, 0x8E, 0xD8, 0xA9, 0x6E, 0x2D, 0x6A },
+    { 0x47, 0x8B, 0x21, 0xEE, 0x20, 0x3F, 0x2A, 0x14, 0x52, 0x70, 0xF9,
+      0x75, 0xE0, 0x67, 0x93, 0x6E, 0x70, 0x3D, 0xA8, 0x8D, 0x09, 0x95,
+      0x72, 0xF4, 0x03, 0x6F, 0x00, 0xA2, 0x33, 0x82, 0x8D, 0x46 },
     "MFExNDAyBgNVBAMMK1hQQ1NoZWxsIEtleSBTaXplIFRlc3RpbmcgcnNhIDIwNDAt"
     "Yml0IChFVikxGTAXBgNVBAoMEGV2X3Jvb3RfcnNhXzIwNDA=",
-    "ASt16w==",
+    "AhZ7jg==",
     nullptr
   },
 #endif
   {
     // OU=Security Communication EV RootCA1,O="SECOM Trust Systems CO.,LTD.",C=JP
     "1.2.392.200091.100.721.1",
     "SECOM EV OID",
     SEC_OID_UNKNOWN,
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -43,26 +43,28 @@ const char BUILTIN_ROOTS_MODULE_DEFAULT_
 NSSCertDBTrustDomain::NSSCertDBTrustDomain(SECTrustType certDBTrustType,
                                            OCSPFetching ocspFetching,
                                            OCSPCache& ocspCache,
              /*optional but shouldn't be*/ void* pinArg,
                                            CertVerifier::OcspGetConfig ocspGETConfig,
                                            uint32_t certShortLifetimeInDays,
                                            CertVerifier::PinningMode pinningMode,
                                            unsigned int minRSABits,
+                                           ValidityCheckingMode validityCheckingMode,
                               /*optional*/ const char* hostname,
                               /*optional*/ ScopedCERTCertList* builtChain)
   : mCertDBTrustType(certDBTrustType)
   , mOCSPFetching(ocspFetching)
   , mOCSPCache(ocspCache)
   , mPinArg(pinArg)
   , mOCSPGetConfig(ocspGETConfig)
   , mCertShortLifetimeInDays(certShortLifetimeInDays)
   , mPinningMode(pinningMode)
   , mMinRSABits(minRSABits)
+  , mValidityCheckingMode(validityCheckingMode)
   , mHostname(hostname)
   , mBuiltChain(builtChain)
   , mCertBlocklist(do_GetService(NS_CERTBLOCKLIST_CONTRACTID))
   , mOCSPStaplingStatus(CertVerifier::OCSP_STAPLING_NEVER_CHECKED)
 {
 }
 
 // If useRoots is true, we only use root certificates in the candidate list.
@@ -835,16 +837,54 @@ NSSCertDBTrustDomain::CheckECDSACurveIsA
 Result
 NSSCertDBTrustDomain::VerifyECDSASignedDigest(const SignedDigest& signedDigest,
                                               Input subjectPublicKeyInfo)
 {
   return VerifyECDSASignedDigestNSS(signedDigest, subjectPublicKeyInfo,
                                     mPinArg);
 }
 
+Result
+NSSCertDBTrustDomain::CheckValidityIsAcceptable(Time notBefore, Time notAfter,
+                                                EndEntityOrCA endEntityOrCA,
+                                                KeyPurposeId keyPurpose)
+{
+  if (endEntityOrCA != EndEntityOrCA::MustBeEndEntity) {
+    return Success;
+  }
+  if (keyPurpose == KeyPurposeId::id_kp_OCSPSigning) {
+    return Success;
+  }
+
+  Duration DURATION_39_MONTHS((3 * 365 + 3 * 31) * Time::ONE_DAY_IN_SECONDS);
+  Duration maxValidityDuration(UINT64_MAX);
+  Duration validityDuration(notBefore, notAfter);
+
+  switch (mValidityCheckingMode) {
+    case ValidityCheckingMode::CheckingOff:
+      return Success;
+    case ValidityCheckingMode::CheckForEV:
+      // The EV Guidelines say the maximum is 27 months, but we use a higher
+      // limit here:
+      //  a) To (hopefully) minimize compatibility breakage.
+      //  b) Because there was some talk about raising the limit to 39 months to
+      //     match the BR limit.
+      maxValidityDuration = DURATION_39_MONTHS;
+      break;
+    default:
+      PR_NOT_REACHED("We're not handling every ValidityCheckingMode type");
+  }
+
+  if (validityDuration > maxValidityDuration) {
+    return Result::ERROR_VALIDITY_TOO_LONG;
+  }
+
+  return Success;
+}
+
 namespace {
 
 static char*
 nss_addEscape(const char* string, char quote)
 {
   char* newString = 0;
   size_t escapes = 0, size = 0;
   const char* src;
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -9,16 +9,21 @@
 
 #include "CertVerifier.h"
 #include "nsICertBlocklist.h"
 #include "pkix/pkixtypes.h"
 #include "secmodt.h"
 
 namespace mozilla { namespace psm {
 
+enum class ValidityCheckingMode {
+  CheckingOff = 0,
+  CheckForEV = 1,
+};
+
 SECStatus InitializeNSS(const char* dir, bool readOnly);
 
 void DisableMD5();
 
 extern const char BUILTIN_ROOTS_MODULE_DEFAULT_NAME[];
 
 // The dir parameter is the path to the directory containing the NSS builtin
 // roots module. Usually this is the same as the path to the other NSS shared
@@ -51,16 +56,17 @@ public:
   };
 
   NSSCertDBTrustDomain(SECTrustType certDBTrustType, OCSPFetching ocspFetching,
                        OCSPCache& ocspCache, void* pinArg,
                        CertVerifier::OcspGetConfig ocspGETConfig,
                        uint32_t certShortLifetimeInDays,
                        CertVerifier::PinningMode pinningMode,
                        unsigned int minRSABits,
+                       ValidityCheckingMode validityCheckingMode,
           /*optional*/ const char* hostname = nullptr,
       /*optional out*/ ScopedCERTCertList* builtChain = nullptr);
 
   virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName,
                             IssuerChecker& checker,
                             mozilla::pkix::Time time) override;
 
   virtual Result GetCertTrust(mozilla::pkix::EndEntityOrCA endEntityOrCA,
@@ -88,16 +94,21 @@ public:
                    const mozilla::pkix::SignedDigest& signedDigest,
                    mozilla::pkix::Input subjectPublicKeyInfo) override;
 
   virtual Result DigestBuf(mozilla::pkix::Input item,
                            mozilla::pkix::DigestAlgorithm digestAlg,
                            /*out*/ uint8_t* digestBuf,
                            size_t digestBufLen) override;
 
+  virtual Result CheckValidityIsAcceptable(
+                   mozilla::pkix::Time notBefore, mozilla::pkix::Time notAfter,
+                   mozilla::pkix::EndEntityOrCA endEntityOrCA,
+                   mozilla::pkix::KeyPurposeId keyPurpose) override;
+
   virtual Result CheckRevocation(
                    mozilla::pkix::EndEntityOrCA endEntityOrCA,
                    const mozilla::pkix::CertID& certID,
                    mozilla::pkix::Time time,
                    mozilla::pkix::Duration validityDuration,
       /*optional*/ const mozilla::pkix::Input* stapledOCSPResponse,
       /*optional*/ const mozilla::pkix::Input* aiaExtension)
                    override;
@@ -127,16 +138,17 @@ private:
   const SECTrustType mCertDBTrustType;
   const OCSPFetching mOCSPFetching;
   OCSPCache& mOCSPCache; // non-owning!
   void* mPinArg; // non-owning!
   const CertVerifier::OcspGetConfig mOCSPGetConfig;
   const uint32_t mCertShortLifetimeInDays;
   CertVerifier::PinningMode mPinningMode;
   const unsigned int mMinRSABits;
+  ValidityCheckingMode mValidityCheckingMode;
   const char* mHostname; // non-owning - only used for pinning checks
   ScopedCERTCertList* mBuiltChain; // non-owning
   nsCOMPtr<nsICertBlocklist> mCertBlocklist;
   CertVerifier::OCSPStaplingStatus mOCSPStaplingStatus;
 };
 
 } } // namespace mozilla::psm
 
--- a/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties
+++ b/security/manager/locales/en-US/chrome/pipnss/nsserrors.properties
@@ -313,8 +313,9 @@ SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISAB
 MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE=The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset. Key pinning violations cannot be overridden.
 MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY=The server uses a certificate with a basic constraints extension identifying it as a certificate authority. For a properly-issued certificate, this should not be the case.
 MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE=The server presented a certificate with a key size that is too small to establish a secure connection.
 MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA=An X.509 version 1 certificate that is not a trust anchor was used to issue the server's certificate. X.509 version 1 certificates are deprecated and should not be used to sign other certificates.
 MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE=The server presented a certificate that is not yet valid.
 MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE=A certificate that is not yet valid was used to issue the server's certificate.
 MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH=The signature algorithm in the signature field of the certificate does not match the algorithm in its signatureAlgorithm field.
 MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING=The OCSP response does not include a status for the certificate being verified.
+MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG=The server presented a certificate that is valid for too long.
--- a/security/manager/ssl/tests/unit/psm_common_py/CertUtils.py
+++ b/security/manager/ssl/tests/unit/psm_common_py/CertUtils.py
@@ -14,21 +14,24 @@ aia_prefix = 'authorityInfoAccess = OCSP
 aia_suffix = '/\n'
 
 mozilla_testing_ev_policy = ('certificatePolicies = @v3_ca_ev_cp\n\n' +
                              '[ v3_ca_ev_cp ]\n' +
                              'policyIdentifier = ' +
                              '1.3.6.1.4.1.13769.666.666.666.1.500.9.1\n\n' +
                              'CPS.1 = "http://mytestdomain.local/cps"')
 
+default_validity_in_days = 10 * 365
+
 def generate_cert_generic(db_dir, dest_dir, serial_num,  key_type, name,
                           ext_text, signer_key_filename = "",
                           signer_cert_filename = "",
                           subject_string = "",
-                          key_size = '2048'):
+                          key_size = '2048',
+                          validity_in_days = default_validity_in_days):
     """
     Generate an x509 certificate with a sha256 signature
 
     Arguments:
       db_dir     -- location of the temporary params for the certificate
       dest_dir   -- location of the x509 cert
       serial_num -- serial number for the cert (must be unique for each signer
                     key)
@@ -39,16 +42,17 @@ def generate_cert_generic(db_dir, dest_d
       ext_text   -- the text for the x509 extensions to be added to the
                     certificate
       signer_key_filename -- the filename of the key from which the cert will
                     be signed if null the cert will be self signed (think CA
                     roots).
       signer_cert_filename -- the certificate that will sign the certificate
                     (used to extract signer info) it must be in DER format.
       key_size   -- public key size for RSA certs
+      validity_in_days -- the number of days the cert will be valid for
 
     output:
       key_name   -- the filename of the key file (PEM format)
       cert_name  -- the filename of the output certificate (DER format)
     """
     key_name = db_dir + "/"+ name + ".key"
     if key_type == 'rsa':
       os.system ("openssl genpkey -algorithm RSA -out " + key_name +
@@ -67,33 +71,36 @@ def generate_cert_generic(db_dir, dest_d
     extensions_filename = db_dir + "/openssl-exts"
     f = open(extensions_filename,'w')
     f.write(ext_text)
     f.close()
 
     cert_name =  dest_dir + "/"+ name + ".der"
     if not signer_key_filename:
         signer_key_filename = key_name;
-        os.system ("openssl x509 -req -sha256 -days 3650 -in " + csr_name +
+        os.system ("openssl x509 -req -sha256 -in " + csr_name +
+                   " -days " + str(validity_in_days) +
                    " -signkey " + signer_key_filename +
                    " -set_serial " + str(serial_num) +
                    " -extfile " + extensions_filename +
                    " -outform DER -out "+ cert_name)
     else:
-        os.system ("openssl x509 -req -sha256 -days 3650 -in " + csr_name +
+        os.system ("openssl x509 -req -sha256 -in " + csr_name +
                    " -CAkey " + signer_key_filename +
                    " -CA " + signer_cert_filename + " -CAform DER " +
+                   " -days " + str(validity_in_days) +
                    " -set_serial " + str(serial_num) + " -out " + cert_name +
                    " -outform DER  -extfile " + extensions_filename)
     return key_name, cert_name
 
 
 
 def generate_int_and_ee(db_dir, dest_dir, ca_key, ca_cert, name, int_ext_text,
-                        ee_ext_text, key_type = 'rsa'):
+                        ee_ext_text, key_type = 'rsa',
+                        ee_validity_in_days = default_validity_in_days):
     """
     Generate an intermediate and ee signed by the generated intermediate. The
     name of the intermediate files will be the name '.der' or '.key'. The name
     of the end entity files with be "ee-"+ name plus the appropiate prefixes.
     The serial number will be generated radomly so it is potentially possible
     to have problem (but very unlikely).
 
     Arguments:
@@ -108,33 +115,41 @@ def generate_int_and_ee(db_dir, dest_dir
                     of the output intermediate. The ee will have the name
                     prefixed with "ee-"
       int_ext_text  -- the text for the x509 extensions to be added to the
                     intermediate certificate
       ee_ext_text  -- the text for the x509 extensions to be added to the
                     end entity certificate
       key_type   -- the type of key generated: potential values: 'rsa' or any
 	                of the curves found by 'openssl ecparam -list_curves'
+      ee_validity_in_days -- the number of days the end-entity cert will be
+                             valid for
 
     output:
       int_key   -- the filename of the intermeidate key file (PEM format)
       int_cert  -- the filename of the intermediate certificate (DER format)
       ee_key    -- the filename of the end entity key file (PEM format)
       ee_cert   -- the filename of the end entity certficate (DER format)
 
     """
     [int_key, int_cert] = generate_cert_generic(db_dir, dest_dir,
                                                 random.randint(100,40000000),
                                                 key_type, "int-" + name,
                                                 int_ext_text,
                                                 ca_key, ca_cert)
-    [ee_key, ee_cert] = generate_cert_generic(db_dir, dest_dir,
-                                              random.randint(100,40000000),
-                                              key_type,  name,
-                                              ee_ext_text, int_key, int_cert)
+    [ee_key, ee_cert] = generate_cert_generic(
+        db_dir,
+        dest_dir,
+        random.randint(100,40000000),
+        key_type,
+        name,
+        ee_ext_text,
+        int_key,
+        int_cert,
+        validity_in_days = ee_validity_in_days)
 
     return int_key, int_cert, ee_key, ee_cert
 
 def generate_pkcs12(db_dir, dest_dir, der_cert_filename, key_pem_filename,
                     prefix):
     """
     Generate a pkcs12 file for a given certificate  name (in der format) and
     a key filename (key in pem format). The output file will have an empty
index dc8fb133be5680418b914af8fa3e9a52365b8f95..0108fde051e297db79d63cb5249eb822d4729137
GIT binary patch
literal 25600
zc%1Eg2S5|q^Z#x(1VZmsAfQw!8%ihw(v{vV6s1cCAyh#rQbk0uASz7}P!SYC>4J&{
zK}5ld1yN8$L2QWVKf6Ie5B2VUci%gI=RhX2Z(iHoH#492-fnEHOufk-1kb==e-|=A
z5x@c<2xt=s000P3K77D5(NI3v8OI>-V-f&lAK{RKAT)s-<EUT1=okH>f1a=)Vw<#3
zFLJ;OO+c@qQRpc&0QFIme$g-bML#ofGgBBB1BG$YQy4p*!kB3(j1dXt3>YMl6<Q5I
zZ=vVVBd8a;3bjEkPz_W86+^kuHYgoRfTAcFe$g-bMSq^?AS|f#U~NAuD%?G1!h#CD
zcPg1tp=01a6DnNvdCxc{OfaBAbIK`tRA_jbk4J^N=Z18sP;s`378T06X>h1;z}SHX
z6-vy<v8b>|4iBM1POSxo7Q*5wf;kg_0C{5o`Tuj2tO(Nb2n&N5%48Q;KaYTr5X(?k
zKX13s0!Gi;K*!dAV5_5RYC!m$Opx?;Cs<k=ndw+BCzu#4C)k-AS=kv7EX)ad7UqVg
zMtZgc9bF4+TN#22O!*Kg9|g)s5s}dZB!!41sUnA}$e}8Fh-6V!LYOkbNC;Cwm@2~5
z5axm~R|-=@tAeQ<tr1p0Ikg=nlq;j0gmM*>tD;;D<t`|9MY$W=F>3dy{X=C1s*KjG
zfYz*l)~tZmtbo?6fYz*l)~tw@QbbEBqNNnkQi^CP5~?MkS`w-yp;{7Ei`Gd(>r_E=
zs!}<61<^BAfT=Q4Rsrp;5=<clw98W>dacpiifC>{G`A8=%}vcnO;JR-63UfPj<l_W
zwyK1-s)XJbWwfj^T2>jRrXXeAJd_oc6qSk7qQbN|BZJbks5~u_rbU%$QT4M(nl46~
zE=HOzMw%{0`c#ZG-5t_&cSzISAx(FOG~FH2bazP8-62hPha##?i!Rfm>$K=LExJ#O
z9@C=dXAvC;RMB<1JFZA~+?8EmcUSa^tHLNvUtf}%6dL~lEdY}P_5&|~1YjlD3YGxH
zKnmbaNp6KKF?rx);LYqdPk{76n4icCbK@X8EX2s-9YB^12n>+*2$KyC3?#E+Apm3%
zg0w-Hm&grsQgbm;b08UH-CUTFJWSuu!}xtQ!+gjdgvE$+VG*jDAL$3B4`D8T-tMw4
z0g*w06i*W=OG&0jn#0G*W8<AcIIft;0OOG|I1Y@R&8Gu8MvR`$r^aX*nal!11IRAk
z0fZ&q9^s!_p=abb3ykvi^K&7{5)76Q+&x@FR}sh_A!GujuplgeWMW|CwDE8Y4fZBS
z5)1-Xc?WoS1bYXpBFe+E)Sikjv(&Tk^6>LRs<5RLrf3P0l;(m%L&)KQ!DO#UDN22G
zf{+#n^ANdU4r)2ZnP*7*T`dkdW164sjIl_sp`WeSm^e8~hw(p8hmrVCgJ}VvG^hd6
zhp-g!7yY82h_rDy9v)$Exp#oOM}(WNi?{n{Xo;UfoJQvQ2FnPj4uO?3peKUzq_k+z
z8tl*-{9If;{66QP`=SO^_jL`5Qu<gNkAN`fgq9Bpb@lOZBY)08`$Y{?+TZqqC`H8J
zcnpL=fLhCHKX0<fN|#V_AbPy=bMBSI&myD);duByow|2ONT^5fXC=)S?NXIrH>*md
z#(xY40GVK1APB<&iD5i3s+jwjL`)TA3F$$Cm@>?A4E#^u<zMtaqdAZU2y+uTVRmXH
zVVDW%Xd!m62(V}Q5%Oc6%E*L-@gKoA3CJ3RMTo+%AXUx%4d^yiC;kt>JvtG{5QGJY
zd@v6+FKa-cY@l06kZfqMpRAilFqxJQB7ramkqu^{=AiowoTl2N`7XS|PUV7-GyUn}
zKXv_20Dw+H-q35P8%l>1p@WbBv=n*<J%ZYy^^gU$2%7&-56WNki~h&N0*QjNxjqg^
z8vK^GoBC#CgT%oveH=fe3jV;YAzt!3o{STc0e|DX7@;}fZ~PT2G!LBBMNNHU@DMMa
z+BItY-w8kuFq4=z%u&ovitP_V7oa0hHna}%gfN(X$P7~Yr*FnD`i~JWqy(n9$(`jr
zA3d*(PGIH6qERv*+m;AcL?N=T#ET(duG3tn_=uB-pFs;qW9wPIrC>%Bz5F{eF5AZJ
zyv#aRo_RgDDT{voJSsN%mX-lgr2D42G7`XZ+iVp@1DYeYe2`5xqDK^WY?$Be6}c1;
zp5bVBIgdMs?6Zm=|1AX_qPS8gf_FdEX!a1#Z^&Tr@J7KTJqs<OXj*vwz9#W{Zeh%=
zZO>vohdr}TVsVI~Qr&gYRWT#CW#SHjvSIggELNs)(0ogQMHE@axtDpF7)!VLUN2@Y
z-`=ljMRSFUOL!n9{A^m}Qct4+I35&*nQ(aNq{T^Zm_QJu0ibx01)!wUW8y&&s4_}*
z+yk&~WGfiYOD=tIx#*VDyQiZmH<vcKb9il%=?|9q$eO9zOvap7mtLgVAn7x_@b(qA
zOZHNn;b6mc-fJ!n<I29>SI#N=97xBnCZ*v{wd=doXj$o+^XS*f9k}XqP_={4OJuun
z@@ivlH}8e`usL_ld<(>$bewIJU{c)_k>__e;xJKvSn~9WNGVmf;zH@g+4Q7+%)#A}
z=WE37zCD{olArY2QQRDAx?;!qRi~cx@*hqsyx5_X26~@hmMpx+$iJO2P;sSf{;pl_
z3+<a~jRp^t#yxiKi%DM0&}-MbmFFF=WnP_~>7}@RYHK%?u%{_Cyom5<PJI|+aa4*1
z1AzdzR~Obs!J;4s2!6!Uz!2pNW=0ZNkOVA*0h3THE69xH#&WiD(dnzQ^eH6sn8+#k
z-MO?xovUQ#Rc1i1G6)1a6`Kv;54_>NhR?8nflcrv(50Q#Yqf50QIOVJXhagrAfQnE
zT%C3KIdSg~MG<$nmBjY0*q`j>O?G=M&L0ok-f%FU*BGzA`ewQ`K2H=H4xA&>meR8)
z;zXyKh|-loQMnBx%R3#cSdY#PJ5?u3U^>|>=gK7`pmA!iH($pakqPnT(p@@iwaz8O
ztZoM*3Kv|jexP4)U$`XTk$mss^Fv{Wc2sXkJ;=tTS<gJ_qyNHK?ahhH=~s%z(`w8}
zmP5jFbekNjyLW0%X07olx^z<JywQcn#%|!S$(YXMeiuLblE->QTWz((Op@1=>q`1|
zr0*y@-ko&dg|c?uT9uJa0mxYVd5|-P26Oj#`^}%H!?T$`h^+r%fKUK@Kw<wYiuc8Y
zV>y|b+0g@M{y$cl`48phq!3z4Nru9az0VFCJsS|9z@VS!)=iBykkWN)%Ew{q+Zx#I
z`ux`6@gdT(i3L{{xo7Q3lJdEC-n2_aY;XIATdDH6%%yAV(%HdC<ZAN*nIwSo%gY__
z{9|PI$FBF6glsWWz9`O(3OC_+EE^n;8PBJ<NX#b-`qCBtJa+{a;$b2x5{U{5L`9ec
zE7<ceDIkaN)ZxGVOei;oo@)OE0LGlc{*AOj6dQqz-g!V~5HfmsXXv#4=D}NHJ`SLR
zcjjb@GKA&ec!--igt6f1b^Ctq5v&X=6Jc0|2rDR4MlewoR{ebV%|)+SfFgyM66B$2
z$3Bxd*_9}_0=XH?6fOIDM&PR~%zyS??U6$sZNs3B9Z8^k%^L71gy<;$|8*=&L9*0m
z_`ihsr}Tqg(Q5E8T@e8e(^qZGxUp$pdGS`u))4!qR{KU49(u>k%lt2nmU6R<du|Jy
zqsf{l&TFz$Rl~B=n`_?D@*L5g?Qd3H2llCto;qF3{xZG&^?viR9;{O7y*on#?n2PY
zTtB10c`O;eR^BIs^)-^;HLcFkja_^|s+HsIz=M-cb%OlL4xNvq1;W=ulb5X>G{<8$
zJ)Y;^`OKyqFB@LG;WVvmRWW!ywdM?u0ElxIYLw2<UTvEDw&k&f-u`z-57wkQzI?w<
z)<El{%12+C?sxs!nC9NlMfQG{tsvhX)j1}G;VR`DwolTWe0NQCUb)qp(X4=~j;mXT
z1Ps?WwdRabA%5Hl95?)1kk5dEd=%m1U;`Z8d>lwaLkogfHCP2!{&Wn3Nm5>9a*(>b
ze0X@coJWL<e~_PtoLiv3x+;a_XIhdxtcuhrj3vSp>&>5^FO?)QRn{%o@3&>q^(2ol
zIf@cCMM@H|2CyEigJY+(jRl8{68VuoFoBE*;rX!Cr#@joZo#Q~{UZ@~;vVQv@jY^W
zfo?8-@@_#Pv&~41ls}$o+8AfL=Y679zoRirOH_In-}~D%&NO3b57Np^>hq)Xa93^@
z=ocLpsi+Uq_Bm0;1l!+wRF`_}r6z2L-+$!Z(nE{5^y>p^B0DxTS|3mD;fZ*1XT0ga
z>nuVpcmBJ~iB;xhabtZpeT<j5CDfP7#4q-Knm&BsVOV~mmc7LB3InSkbE9O|xSgvv
zB@C6BkKL&o!mGG)w^u~?fY((V7D8L<R06NvIO{)Wvsa>h)Y+ZPqFZI1jr0mt^Ct#V
z<B#4enOv}9jc5ch#(#mz^+6pk9$;TH+qJ=u+($l6ybrmOcE)y<$6lOG-=4Mx;+l(d
zG<cbDVUlUu$&+0~PGQ74ejaZ=6^y>+vu9g1K=D5W22<icc#rb+i~e>>aiK+HqzsUO
z0XVg0;u*ug9M7<(SmMyu<^UPMSFMr$^43@q<Z1q?_<z9I0r)EZ&pP0z<Ntp>(0z{o
zzqyuW-RLWO$fWHP+=Id>)3z0#Fz?G_B41<PZz9DnAtvcdh)J@ab?5bm>yV|pKG>Uw
z2keY?kKpN*(6+oAw|be#*5#_63$>WW3x*h0RbO2p4fK`7bw}mB*t()}|JLQDGSc+g
zxf;8eC!*J-Z{8^7_>jZ%2-#U}Zu7%h`@MoSeew;4qs8@&kKT!#y*7{ly{TOlv+)l5
z#g2((m3*yR%6)K+7P}64c5%o`w>W*cD;Zm0XLMKns#ih#_QSYjyaVwD<i0V<f%_r5
zt*~I1&xL$PyF`qY;8LC!`|Df09ctb_O!iqdDI(D|gl`A^);(oatBf&yIERPXer;>h
zHB#!frMI^@rCduX+seKhf1)VN?zB=cty0YS^y<(yfmmDXhqB$r^>{ye^TNU!%2Obv
z9ge#|3H{SBL>X3ui8Ek`*!N(_Gz3whLJ%01gJtri^CgqSzXw4)JY<pd{|N%&5{`pC
zI3Ed~F@JY`dDJT9n3A>UGTxe0><Vd>e|gaJ=$4vfhG+vUB)an$^U%5@mh)d^71zJr
z{!CctL-1l(mQm#e#!So%e#ZvujvblgUwl#ipie|?^!9-)wYH@P?%-D3PB)z|vx+9Z
zRLbOpD0^<9kF$2(>#z@A{G(yG^CuoX74pyuyZXWqo^N!;>uqIFmG4*%3*$#$P$^b*
zb#15pnzKf7{9dx7@3q7I`p?koD|O%7ClJ(VYV%b3rC@>@p;mHYmp!9<X>abcV6%03
zdacZ2$>)^l%wkABJ*|;k`9f>9I%r?TyF|C|8aY~#)PGytRI1T^BAHbPKM^$i!B!Tr
z$8Xx!lqJq)L9=Zt{GJzfQTwkrTSc}1ueTd1ejuFU2Ubq`0Sv!p=wIdszW0pA5B)*i
zMTQElZMgyRiTkP)aXp;-Q~c6`;&N8d%e_*|zLA=H&}7lNWd|#B9=c=aIW;h>)DJzR
z_$umJ0w&Q<r&>}i(oiI%R-_FujpmMw41UOZoVNGFWpR2BE8(&o{)eR>Jsuw(lTY6r
zyf?rlb7$@0Kmw$);%3uOt*d@+%S#I#y_m!go7MK1%Hh1`S~PAw$B=VtOsJ5@Ds(QR
z7pY^1L@mv*E#Y2$V|Rv<pc9bcl1+aHQ}63}B5^_2hDoDsZ{`lKX1a8OSX<Yb?|5jZ
zNbxe<Qnk2!d$(e_Ty<0f!rBi)TIbR-=7-Eb^en<b`hscCQA+`v*Y!&ui<(M?9Pq!X
z7CPk*TH&};u=)&tK(S|7`m;a4Bni##59Hlk<h;oKe*a=ekc+h!Y2n+l`%>rW_c1E3
z%IdE#zo5L<;Mn`Zb*b5h<qa1<s6PCD;U<kc3kT!)H`G?#YzgFH-&Jul?3LuX1fx@D
znspn4^GwTGxK=&5*o?WoqKNh3n3{8S!@~LIO9E{|7WQwfxFvi?;!?W8-N%s;JA@v;
zGSgMsI(JR^=EW+P8G6$lyA9WdIo@O!HXhGi8lz+Bd@po((xmd~VMsfsZG78Uq2`rJ
zzwJ*Z^)f3JTHO0KyVvj^)U_>9-;sGWccM^h`v-|o!!52iXfwN)$SJz7Y%7w@OkFCp
zWwDW0la~WO$dKwlN7Q6|`7!6HdE*(4kyE2K4W~7#GIIB2XFtZB^N9F?BS1~@dnPp7
z_T!X8C>Yf8J9lKu{z{dRmeRT=!M9xI%h~z|F|HbTn}#~M<A+anmAwxwP3RFDJ7eD3
z7r$Vij!eg3E*nlDddZ0*l~z#)??oSVuji^2L~vrBUy9i*1WJnAj+pI({NG&VnEOa|
zs59NHf)-zgkxbvTc!T>#H_}e01x2q_m<7GAZc$@uy?NzL#M|u4o*Wm|)Ge<WTd(Ds
zaEw=v59ZDWu8cC_g!NmVU57Q@=ro4<=1uY$+Q&xob}R*%*Y7Jo^Ok?vRr-d#N3lX}
zTS{BYI^)Ym`L#keF2K)A<<ZpzlL>1UuPNg^!OnMkr!noylL~v^E+LKq^HQKb(RD^b
zHL7a_)JA{*jNfL4X)S^&gMCJ*Rr$R${x2Wv_%ri=EvnI}z?86$!%{@xPn+3}E-A%5
zx2{d_^quE)?KyJq!Kn{qIKc71X=cR-Z+%Tl)<@gb2)6Gp5|dw8uyv4gIPJa#f$vte
zY9<rSgBAXY)*X%&r3-p5U7YhiMewA@fhu|0-M%MnBZFk6^=oxRm-Jt**RFL;S9!5l
z*J~T7-$52R{8IitU6c0fhH~?fmM5u)>lbUr3XW(`^fRQ9*`5&?nwA+EmOAfeyX3OL
zp|JSjkzQv{yDLr>_^?AUYHCOKI}h<DId>cBjuM85V#Ny*jjz+m_^~!}x*cm8!^*Zj
zqtWKAlRY38ahT_jWS<a0nU5~5|B}-#W1MyckzM#z?FDe({Ut7gm%v52C0%cPwNW$s
znP&U~&qjXdqmZ*bnJ~5g7Y<;gDC~bn3G(=VYNFWiG#~hCqB!f7nVu;A*Zm_pQQTlk
zhwj5@1DhGY-iNXOoA+Vro*M$c*@yXZaKrIf4GKD)_i2WTn8p8*T^W@xp|Xno@3i+H
zf@TV_A*|uR*O%&dHt?f<{`isZANFx<^^>L+&Hg=cJkNLRl8n;gedxwvw=VV2nP{cd
z<ATu<eJossbC*52vth}F>d`7sg|JKal^V`V#u;cbjUCd`m1nYg&|()Wd1veTW46^6
zBBqS7O=W7rQUd(<)0cIQlN*z4dClJ84mVvht<MXs<><*~NwJIX@!?%0;OwQ-&>+Oy
zA${a|-m?I^qbA~7tv<?Eb4{vUX~##Rl6nkjR)Z?38ponGL@v`_Hj$C;^dvaI49r^+
z`|<R(yv0g)pW>Q=B^9r?bX7Lpz1JL`n0D-Xea{Cw$m5Kq?G+)sM1x_f_in+9#HgN>
z5$x5R*iFgR$G3NTrT0aqFZ8Tb&VAyam@tJ+ZozTaVT&2)g95YRg)`8H;_sR0e~mo;
zy=Y(NV7k+&S;~@le8qTDV~G=8ijRf-!Tz9Ik)j-_&1}5wj)QVdm5Y+$WH{C`%e6<#
zonPSc$%%Bp0`f6-R@JWdm*BiYV;-($A;3syX)<U=z+8Un&v;l~pV>k5%8k_YBx24E
z$+?p@_l}Fq6}e$dAPYyuo=sF(_j>q*PEFu#H3!>^rOc5%nfRj1U4xCa{!b5@c66Dz
zo9wJT$JHx#zi7Q}Q&1%K!6H7vqEyH2BI5GpEjDzo?ffOTdD{;b8DcE`j|y%{l&{((
z^`2Hd`02@5I<mz6Orgr``|nCz?K{VO;5RCUvhrk;IyxZ%0~T$QHD%SI_lRe!#)>xV
zj#z`3<?pmY3>N65Sn!W+ZMJ6_(fAKSRsiMy7yY7N^k*q`9zBX|Re=m!fYW{^OtSu)
zVN!F-Dd3A``>$gyln=*aQl=mh&`HV6LH+#?O91)*D=1l(0X=<jV1qQksXY_CYyZus
zf6)i|Z9#O^a>k1nlrwIlpovQAS%cu$Q0JR(rG15NRKG+ws`lS0`6Ezs%zNlLqxqA@
zfk*oni-_gk34pQ&Zc1=t^IaY%dXL6Nlle@B($uT63=#(fBVHeJ4-#ZOo)jIQy0u(I
zf4<WDkKRSr{`_gz%Qd&)YkhSGMw&})&w27Ry@=%>xVP3Os*ttt<Bk+InUCwPCc#n9
zmmYV0@o>>l8|iSFW7@)%M}<o_ALI8qZ}KtpoU8Jt_hK){AKjmiU6fN$3C=g05ZDlI
zsO|f%`FX4c=l)Aw#zS??6Z@C3!Tn8h1ry_?w<HR3rZh?OWN7x?hT78~TU533m0v1o
zeVVlS_?(?y*2mc9?qxf3f1yBJrBRDNou+!BSMlwx@zn$G+gx}SsN?7hw$a_Ef*JxW
z^n>M=S%85aHfnFdWI9we`liNcXX>*<a5)il@X(;k;qkn7zCq9KNK*V{&AowDA;H>g
zjf1DS!*@&2U%1^6_NJq1(FM86o7)%k9a|!9z%jvJsc?I+(k1h(Qs%COVL>G~W9^S`
z^x2#>Y8&W7x2Nv>sh8It6-2qv+WGD5s8_qV@@lb?^Rwg22z~UINWQB9-t29K3q9``
z;L6EjDi&rZZ_VM@R^XOu%#g_uF0AJG+-VKwssq8>_v4vr(i*`hulHBS*0e3HzQCqv
zmPo3}Yd=K1_9A9zsh#bbuuZ{BBktSpS?w#cp;^2QJ9)-Hpkq0ZcvG~!($!$!i>5O{
z1LIL8D$?~CL^Wije|zL1<NKS+*<Ny>?*9Y503-p10{_>3^DmW&8Ffa|K!zj58O`*?
z`hT-C>b+A5e4et-cvB2{k(wt#p6Q=j{pc9D4}7)yG3&UPUj6v5J1cbcBW?*}*ylT@
z{hRytefm=mtY7qbKmEY^_YD8H4~M@vR9K}|tgfAvIe4ruWu#^BNZBsKoV6zARcRXW
zCp>Sx8RCdVT8fAEQKDq}r==6?`s4q<K~n9@AgN~my;sD47$zUQeR3#0h)wJT3j-Lx
zuinOueVLDY(DOpKlS6{SK>MNKmJn_0z=8$+>M=%b=C->DT~3|EWbN>EtkFzPxP~<6
zd97_s^j_&l3^Z*Y^VL7)f&%K_agX=E?N8a1OE<SUD!=MO^u=MK)_R>+FY@p%=hUk9
zurFM`-!Zd<cyq}5Rq0q$?VLB=*zHp4;!YAwwVUo0Sf=AoV@lNztR=@k+u0kE(@=Ke
z=DlS-u+?0;q=6NQN4(Z0m0ahuxw+XYwrqqm=YW0nx}v4}dktSFh$|@dne_KgF5C+-
zDy-u--TTDKo}8sosw1sgV5PmVUD2%k`X2G7XX<9JFU9DBT)B|Z)ZBjzjvM(wpj<p-
zWk3T~hgD~+49NUwUt-2B`By)T7(6H2@#gXvw~Y2+oW7DzhAwPi%jpqI*UL9rmo=ci
zsq76_V2NhmD5ki(-l?)8B<%>y!MAI5ZDIxOIi-h6eWgc*Vh@#c`Pz`>9aICt6pUDF
zcQUfI9pCYx<Y~^aZnN?U^$||vj4MHA<}DfX=2RG63p2vi@NF9;gyKeT2Rp@2a1Gq+
zdH$mMzSzs~_xVqT8JdOcdxrcxm)zFbHd4v9bxo&=(dn{x1M3Bc^Aopk4sb8bl6f8w
zO20!$nXdCJtdwyC-x!%P9-8K?9I_^NQeDdGw$u{cU9Ic$9M($`gcDkIs?xKxc+8tO
z?eN*KPS7`Xk=s_?<e2%R6L>w=U=_qvzvBU@hWj0Ro9*35>iR!;4}Jdck9oCU^fOS3
zGb;);M1c%efK#7)hDzfvhd_J@@+|)pu(^BA1o#Tr%sSwwfz5wCynOrlzXxmkff+OD
zsb~$YrJw{)DoTJD_11n3622Gee*_c0@pCgjgb3$f_yc+zwe0I^E^!=+JbD{nyW4rs
z0Q)-!kr$J^bJ<mfIdZETaulO*m$R;s&P45q?q+m2qbGS=aLtaC-5+4EyVRPOTdHbE
zEM^h!vpBBZMJ1go#dE})mqgGfL_T}Q^Wo(3aMSXKUUQ<nI#2Hnl(36_m7h)fzF)JV
zQQxv|Y1Ss^I&T~1cN@*gyxVUzYPc+BQzn)M>mKJPOCBj^lBkK`{+NC_;Qg+^c?^P@
z!vgIt0q2e1bH)zr)?;fmw5&av)8!w%GGeiTnKeUvp{SI$;Fb}Z=C^vuna6`dPqW^{
zW$jnUwLW2dLGbzL@RRJj^$jb07O%*rlTbUgJ%M-QHsTaS=!E0iVf`5(KouszN;5!!
z<o7_p7XaYjyC<-gMC4KU0IV&Z`)Iq5NQ4eM;hx{c!_Jmfnd(MY=G{G_ZPT}vA?4Zm
zY=6=6fio$c^f$6w+9wm@`E}pX8XS>&#Syq+hgFJGp2Xmj>vpa&yb1E$Z0}k}b5+HL
z@1*8vN#ab_Zd>Vg1Xm9^J&l7>@2+o~vsAK08f$A}Bh(XoiY%t*Q*-z2&dj1WJYz(w
z2u9~u#XS#?Riy?pXD1~Sa_%HI<d}`#4EC2f)jBv>p22ZK+qUZ5t^*+%Yh7&eH!++f
zdtH;MP&<f`a$C{BoelK1(eHDD^3H`j?HSl6((BdbU@%c&Ip|SuXVX4vX`^+qV@a{#
hNXP@Ak}fscoO3<;6FlEDGOAI2!;)tEDFwv%{~s(@Vg&#I
index 9e4dca46fb2f3f13d07bd56ea29da265d7f2809d..08cbf8c2b3b241f26ac8d05317b53c023b70e292
GIT binary patch
literal 932
zc$_n6VqRd-#MH5XnTe5!iG|_9-c<&?Y@Awc9&O)w85y}*84Oenl?@cxm_u2Zd89J)
zN_11pbjuQRGE;OD^C}DSb25`Fb%DYLa^k#(rUs^l1_tJa21e#lK(2*>1)OW3Xee(W
z3o%9vhY?MTO30QovNA9?G4eA2#krW87#SHp7rxqm$o9$HM)CL4XKPg1Njyy!4z2H8
zbF{{!bGvL!#Up;vMamJc?sbQq+V*j4no-&LhbDVZYBajq@_t@p=cLaY`1nw0gT}on
zEn7mi`78SHH0)n%DX%Fl^{^-6!q1X@Z6OlAzu4C8zwWbVe(5gZYcu#eLYuB-Nw`ZV
zWH|2KD<^SIYvcR*@A5)7d8^qS%QC$(&wE=E`_B(mZP(mb3mMHjZMIZ(S4KEQ{O;?C
zeN~j_%Q!!*;s25A^F2)NzhT>7q+xvH(521$?>{(L-rBY0#-3~cLYY&K283Le<5b`4
z)|oj+_KacGwT=%gS7tTzw{P1%?P^BPqskupw9TgTUgfqnGchwVFfMMqZP0kbz@Lpn
zn~jl`m7S51#o55oz#hgoU~DtaC@Cqh($_C9FV{=0NX#wBN!3fv&$Y4u0)6aZuWw)u
zj2l^b76Su41Dyq03pCo)pr#}j<zO)-RTm@<#0EYfjS4KT20&-92>~6!!uZ;=RSE<d
zn@czu4YUn3VUA;B6qAJ-n_F3uT3nKnpPQJOr<aqToS37ZTu_Xb_?SV_uCux)_M>k{
zSQF=lpKbeA#By|G`RlKKQgFLcNx1W%pv2jj7kc|QySE#(8#Dw=PP%57A|-wC!0#Rg
zf95Q&1Ph04x#}X9S^diG{H1v~0=!@NDllDqlgqPC--Rz)>GI9ao;Jf-(>0X;20z%Y
zsH}L?OQA%*s^NI6QT?~KI~;fB-?5AiIkS?l^4bK>r57)~*taY9&1#=>m%LNFXYM*7
zdRO(~(w30@1(ht1-6dt0cE(IoRMTI7D4640Xs*W8%%~Sj-IxM$H_1+F)!*8$`G;Mt
z=*@u!juQ1{6XZ6}c=&5YQq+adSq9(D-E{R!ymxcRNxSkpcvr98R{Fs3_}0%$yXRC?
F0{~^tVN(DA
index e1eb2cd9a1e7377a82bf31d0b63bff1769d994d3..b17b79a4b35430a9c439252b52d50f9d5a441bce
GIT binary patch
literal 890
zc$_n6VlFdiVv1Y9%*4pV#KQPxi=qK98>d#AN85K^Mn-N{1_N<JQ3GK%=1>-99-hp+
z65Z4?-Lk}-%oGDTab81H15-l-19L+IBeN(V*TTR8&NUD=6g1$6XykxvYGPDEwt$h9
zfw_s1p8+V&#ni;e$gpzuzbL=*yqPsA72<c*9Rlt*7DgyeiL^+wx8wb}@HKb(wkvU3
z43AbcUagw{X-eGYWm6(o>S%E}%(I!z_q(RPXJW5r%v0gCjU@?|$_JnBidrnY^O62u
zw~x#B?0fc0@%Z)U&CK6-rPub}6FPJ5cf@ANW0TfrvF-Dpy(aCFu&&mj*njsm8Wx6n
z-nY7vvGDA)b!_dN(S|pfQ+nH?#hwa<$je^JI<+7sw3R7PHeCGEvOR|~qj&yz+MbpE
zS5f`aYtFNbIrVP@EH~HsJe3jWi>f=e|GHV{)bKl#Vmq#Pteqk>hjYi$vd|+YMeHWE
zCwsP)o|bM133{q~b-S~~|4a!3c^gwEW=00a#f@hT8c!KGvT<m$F|x9<GcvN68W<ZG
z!uSS^ZK@e1B?VUc`sL;2dZ`tOxdl0?ddc~@Ru({@4-0L519M>b%gVDD80Z=3EYMn@
z(WVB~mt2&CMPI5eNF0a_d_Wo%SX>R9fzA*DTFb)t+Ot&(1R0x4I2jGJ4K!iSVPX`M
zg&Lb%S&~{@l9HdBn3<=Slb@WJqn}(*jFzOBK@lw~-)N93@=W%q->(~yRq3X+E9y@4
z{qWu}yZD&?m(^*TChctJu5o2yR+_nm?{)pg0PRncm+$#8?VY^bzaoz${*R{CUc7wV
zIa^-r-m>wpl*bwU)mat0YNkD(Y<W6-)jhVjJ3T(yI_a!UD>c1$C<)D5l$GEx|6AF=
z45^Q0Y$ta-dn1=>S9ax-n}N3H<%}Pj3$|u|p2g4eKbz5{!J=^2g{bP|o_bOlx*z{I
zl;=D-%H?8m^}!P9f_*;0Z?wM1Hd`v}()c|)iYH~|-FfedeCy{sALCPPKVib*TWgke
s?O3Jg0=eob(GFKQ6Kl@S{;+97+mkzLKAQVdezyzAasDoN`!7Tn02j(pg8%>k
--- a/security/manager/ssl/tests/unit/test_ev_certs/generate.py
+++ b/security/manager/ssl/tests/unit/test_ev_certs/generate.py
@@ -21,16 +21,17 @@ endentity_crl = ("crlDistributionPoints 
                  "URI:http://crl.example.com:8888/ee-crl.crl\n")
 
 anypolicy_policy = ("certificatePolicies = @v3_ca_ev_cp\n\n" +
                     "[ v3_ca_ev_cp ]\n" +
                     "policyIdentifier = " +
                     "2.5.29.32.0\n\n" +
                     "CPS.1 = \"http://mytestdomain.local/cps\"")
 
+validity_days = 3 * 365 + 3 * 31 # 39 months
 
 def import_untrusted_cert(certfile, nickname):
     os.system('certutil -A -d sql:%s -n %s -i %s -t ",,"' %
               (srcdir, nickname, certfile))
 
 def generate_certs():
     ca_cert = 'evroot.der'
     ca_key = 'evroot.key'
@@ -48,51 +49,54 @@ def generate_certs():
 
     [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
                                              srcdir,
                                              ca_key,
                                              ca_cert,
                                              prefix,
                                              int_ext_text,
                                              ee_ext_text,
-                                             key_type)
+                                             key_type,
+                                             ee_validity_in_days = validity_days)
     pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
                                          "int-" + prefix)
     CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
                                      'int-' + prefix, ',,')
     import_untrusted_cert(ee_cert, prefix)
 
     # now we generate an end entity cert with an AIA with no OCSP URL
     no_ocsp_url_ext_aia = ("authorityInfoAccess =" +
                            "caIssuers;URI:http://www.example.com/ca.html\n");
     [no_ocsp_key, no_ocsp_cert] =  CertUtils.generate_cert_generic(db,
                                       srcdir,
                                       random.randint(100, 40000000),
                                       key_type,
                                       'no-ocsp-url-cert',
                                       no_ocsp_url_ext_aia + endentity_crl +
                                       CertUtils.mozilla_testing_ev_policy,
-                                      int_key, int_cert);
+                                      int_key, int_cert,
+                                      validity_in_days = validity_days);
     import_untrusted_cert(no_ocsp_cert, 'no-ocsp-url-cert');
 
     # add an ev cert whose intermediate has a anypolicy oid
     prefix = "ev-valid-anypolicy-int"
     ee_ext_text = (CertUtils.aia_prefix + prefix + CertUtils.aia_suffix +
                    endentity_crl + CertUtils.mozilla_testing_ev_policy)
     int_ext_text = (CA_extensions + CertUtils.aia_prefix + "int-" + prefix +
                     CertUtils.aia_suffix + intermediate_crl + anypolicy_policy)
 
     [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
                                              srcdir,
                                              ca_key,
                                              ca_cert,
                                              prefix,
                                              int_ext_text,
                                              ee_ext_text,
-                                             key_type)
+                                             key_type,
+                                             ee_validity_in_days = validity_days)
     pk12file = CertUtils.generate_pkcs12(db, db, int_cert, int_key,
                                          "int-" + prefix)
     CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
                                      'int-' + prefix, ',,')
     import_untrusted_cert(ee_cert, prefix)
 
 
     [bad_ca_key, bad_ca_cert] = CertUtils.generate_cert_generic( db,
@@ -113,16 +117,17 @@ def generate_certs():
                     CertUtils.mozilla_testing_ev_policy)
     [int_key, int_cert, ee_key, ee_cert] = CertUtils.generate_int_and_ee(db,
                                       srcdir,
                                       bad_ca_key,
                                       bad_ca_cert,
                                       prefix,
                                       int_ext_text,
                                       ee_ext_text,
-                                      key_type)
+                                      key_type,
+                                      ee_validity_in_days = validity_days)
     pk12file =  CertUtils.generate_pkcs12(db, db, int_cert, int_key,
                                           "int-" + prefix)
     CertUtils.import_cert_and_pkcs12(srcdir, int_cert, pk12file,
                                      'int-' + prefix, ',,')
     import_untrusted_cert(ee_cert, prefix)
 
 generate_certs()
index ac761fb1eccf7d0c239bc5ba466ade1bb853abb9..0439e890e5923ff509771bba169ab8391dbc00c1
GIT binary patch
literal 1088
zc$_n6VzDu3Vpdte%*4pV#KI{3?t=j@8>d#AN85K^Mn-N{27|`shTI06Y|No7Y{E>T
z!7vU750kT_p_qXPh{Mjq>ziMiSCW{Srx2EzT5hOppa>G@;*s*rugc8HNmS5Pa1B#P
zNlhwES13s>E>Qq#mNk$DDdOf42~JHeEy^sZRB+8p&&*3rEy~PGH`F)K1xYjWs6_-g
z2WO<_<baF_0cr-yDrf+$D=IB6DbFt|$*9x>nr9#<&TD9DU}|V!U~Xt&WF7_NS{PWs
zxdy5*XEF0gW#*OWrk3fJCFW$N=qBb>7Ubt-CRgeLg$<e*m5{@Lk(GhDiIJZHD9**y
z#K_37@P%E@iH(z%Z8raKXyxwxvOh%qA_bqkU`n##4Boq2Z~M9fm)8C%UD<q1_484`
zV~?7wmpJO2dofRtO}Zv*$5QiSO3|6_|DA5kvs_pq!u0-p?L;|74YiODzDt;Mzh4nn
zerECdLXYnTcFx^Q8a@3U-6{W*&1S}0Fa2iDC!29)k|po4TbI9A{FreuP56wZRls$x
zpgPgtF-=xYMPf4;E`Q`@lXp4v?uLPFGKbCUM=F0M-J%+5B+i91^0h2kfAoh`#1*c+
zi#M^zou0Jv*xCzCYd=ca757?ms&tAwIWe{?RC`pf71<#qd1s~<d;9^T#XrIfKQpLw
zFh5eN_mtadQ7vuxk%^g+fpKx;2ZP492K>O_loe)V{LjK_zzn1exIqH^EG)qE#AXo8
z#-Yu|$jZvj$jIVu;A-Fu;~OxxnP-%g6j<r&mzS68rB)>77UZPrCFkc_Spb1P?%2^c
zumIU0&thl*Odkuh7ihMrLrqF9%E2_LC_f)$lpavhzz(ESfyLaw)WDdH1;}JD&^FM7
zxrvEUOcrWVZY3y*rsU@W)3aVqesW@tesV!ETE<`orG@F2G>zxpzW!VM(Mge{Ya1Ut
zKK!r5ATMUs5kBL`KeD}7wA6&|ls&s_sj9yH!YMCA-gZ6oSCG8D&0+#C>*Kgw<Dhdf
z8&+E1J%2{#PlxP*)Ky#c+2>>*2&pX4)pFV8s1)|(;vR=xF+Jv=7CU83Wpp`LqPXsh
z{zH!a4&U~!_xo_@Rp+`r9<~j#9~^!^;qEFCe5b&@Kf=>(Wx_JS^NHQji<Up#csC&}
z^m42}XW5!sOUq5m5?)KRC0zA%`l#^QP<6R=tJe(<og9IEBFS6!e`e7={f^Z^Vz=%p
wy^3|>Ycw9oDVR!fbUisAJKKxRVS}NN{MTKl7?(T@OMG#j(S6>EOW(5{0OSgR{r~^~
index 7b7890065c9be0273f6e0c68e98d735c3de7c9d1..07c4a8c645b1f23f26128a5c9f1bc2c5b43b1fa6
GIT binary patch
literal 1074
zc$_n6V$m~bVisG#%*4pV#KL%_eu)7u8>d#AN85K^Mn-N{27|`shTI06Y|No7Y{E>T
z!7vU750kT_p_qXPh{Mjq>ziMiSCW{Srx2EzT5hOppa>G@;*s*rugc8HNmS5Pa1B#P
zNlhwES13s>E>Qq#mNk$DDdOf42~JHeEy^sZRB+8p&&*3rEy~PGH`F)K1xYjWs6_-g
z2WO<_<baF_0cr-yDrf+$D=IB6DbFt|$*9x>nr9#<&TD9DU}|V!U~Xt&WEutJS{PWs
zxd!5fq6WecBY86ON_11pbjuQRGE)qi7?qHH&B)5Y+{DPw02Jq9YGPz$IP6mNmEA_1
z_p&0xI<Bp~eK-4;tY1DQ;8=0g{$o-5_{F(mCPw6*`M6Sy|7Y6Nd>LDT`Dzm0Gc9Za
zE@X<TY+64{>DsjK={FdbSbaQvWVz6np0nSU`K`UiVzTnVz1PoE<e1~<<#^_+@b_g0
zX6}%8v1$Lczi^gQgU2e(W5Pe4KRyt<TUN?6`ohZ^>GBrlzZZj|ZGYDGzf{S+@Gf{g
zr*8T3?j!8FTbDE5=-hc!T$+(BL2jQ`pF^R~ydQ^N`a3WCwQ2Rv&X_NM>UCZ1{+s{L
zX1)6B$qc50cT3%)asrMqO3t;A@m^GJzP@|fU)BS^u3M<A53K$;IdAK^D^p%eyH&>?
zoAsHAnUR5UapMPr#<vFizyOpLW@P-&!fL<_qzt%00{kp2z!b!0;L66K&Bn;e%Ff8h
zVrgJ*U<%_KFt%xCl#~=$>Fbx5m+PfgB<2?6r0ON-=UQ0+fj)A4=o?so%#>#_GytZ7
z1=<TV+ti_YlZ$dN^%mvlgEZ>_B@KK)Iu%%44V(=e*@S?0voOB)Y?T5*#^w@EMgwgF
zO_-aQ7{z3v=H^y{5@kw$E-(e_<>V(P=IAFE6r*JYW>8x2H2r^ge{ZAD+&`^$Ph!0I
z4^{PClKgXrHG%bW*W<3W-g_3*%xAlNXQ9i|b&4DI6gXt<Sj%e=b^F=w&MjYT4MI7W
zZF~^E#$D89Pu|YTbKU!bwzppsuXuIu=l)gSCM(PnTkvbb?{vSljh`O{KjJwrrfwCk
z)8vu)rswUdr)3LT?V{ATZ*UDP@bhdJXq;Kt-~4*5-{*U~Uvru#iJje0k;Qn!JldXl
z(r)wo>o<?*%1q2?jjB36lTT@iZi1)tB8vsTUvxHYda&ZJbzHSlg<);3wfT(~jv3+%
yOAZQNfAL>z<Nx1(iZ6E^4M|U3%ohA;?&-aT)n{aEB>33MG`bwx|6Vc_kp}?8zlT!*
index 0ccb651174fae6bee84ffcbdd185f48f43fa416b..3c6897987537f745237819d9c4818722e6cc8e9d
GIT binary patch
literal 936
zc$_n6VqRj<#MHBZnTe5!iG?v}&vpY|HcqWJkGAi;jEvl@3<eU0Vg@2?%%LpIJiK}N
zdAg}(Mfv$9y2*(Ka^k#(rUs^l1_tJa21b@qK(2*>1)OUjWhh}F2GPl%nOC9<(X9*8
zZqUT2glrKbD+6;ABR>OBoQtW6k&)r?k5_AY3ItU@@pCgaE!h*CEEJKIQt*CJ@`2Z~
z@(gF!6dfvd2+Ch*{lu!)^R!>c9ED4<7Yy4S%IgJccw^c2b|t7BJI%|L(X-LjHsqz`
zo;RY*d3%0|{e1G{Nk{)Y4&{SY3%35NIrG-guEp`|r}><TCoH$l6|#?97BgXm;jPy}
zUsrzKzf0!(RhDU*R%)^8yu11zEDY%3Ji@fnYE@lH)4Q2>i)Za!yW`e_h-(Ic${cOa
z<61Xn)VHm;AsKvYVqnAC4<fTxMQy8J8t$^#?OU^&k;x<PCwKqaFJ|U3s+aOv{3<Z2
zWU|dlM=jfhfe!X(jeXbOn5(w`ot5vm^R-TlqVt$NnV1<F7#BBwHfa1{zz+;VSz$)T
z|17Kq%s|S38zjKb!UBvmHUkef4sA9@R#tXKMiv_bD+3D{-+-}AC!?gKz)D}gyu4g5
zwIVUMASYEXIX~CR0toccqC_946KJeFi=lzOf$jqB1)6Q@Q0>V@IhfkPsUWpX4=8Ei
z1JbF$;%eY*;K(Kfw4R0WwP&jo2r@R8a55Tb8)(9u#l$Ek3pF>lvLv;*BqcvLF*8pu
zCqFqcM?bls7%c%ZgOWp$%#4^@k+sQvXN%ZeOtSi%3|vD*QX4q#N`Blu`MFj9+V3pV
zVYZJxGA+NlCwB9O;;xMb!jiKKceQR{KVkCJ<k8Aaat&)%T*?kE(T}#sD>L#G*fo<!
z@bvcS|5m)2wdJbs`rlR`M7;Vg7x?-e>Qj-~;Ca2wlWnKu)E5e+Y#;9w#WwvGeg5Fu
z`%l{*s(vZ|v*6WR?t^ks*IwtOh23$S`eC!+l<EuSo=4XHdfp=Yc0ud3iFqlDChNS<
zE9IIlXUcKmxPeLEM$Ube9Y0IE5=@J$=l!+P47{Tm<}~|Q%lzmT4F&n;V~$&UCfkYo
c9qgZ;)m<-}-RYh@#i_kk`{Qp;XMrMf0CG28YXATM
index 8575c1423d86ab5adf7a22180e2361c43152584a..cd1801a1084c49c03c177c55ae3e232d6665d853
GIT binary patch
literal 31744
zc%1Eg2Urxz*7gK)&N&PjL0}ki&PWyo1j$*DC>bOTB0&U1kc{M{AX!laB!dVjBA^5n
z$skBnknl6Z`myV>;NI_lzJ2b!ywiQ=RG+HqcdEN;PK9o*b85D3RuF3^7Y8#p2p<3i
z00aW0ArJrnK)bio@9h+OJ8*AD+uKn92LJ+&2Q7eW5)Bm*8T=g)M%({7!3j?A&jSUB
zsGBI@c|?E){2jawUfK_w-~=c5j{_y*51bUdCx}3Mf)I$cCsDzD0Pr{PB6t!!vZtQl
z1Sj}61_l@f$p5}w1r@1uPklf^Dz)?JV5D+SMIVF?M#1Dy<Ho=RARPHK0L1pcK&T)P
zot%LI7$xLpW^Qlg=<2HJV(Ve%_B#zEcV0n8TLGdiBdewWIXDhsx3z?5o>x|vIe!tN
zs&EmaqoI6GM*(tH10r`;Ls3mxP8%X4d-lBcX^0tgZ|B|HVS76tLPs7z9N|SA5=I1t
z5kX;O5D`U~A0Y$~LJ%Q@5JDIsL=eIZA<XxL2r?_^zC`8-g(2nsdH9i104W8LQV1!9
zkx~RH&5+U@DJ_u1_UY~OL+Y@79hox>nKKNTGYpwC44E?wnKKNTGaoV)A2JmmG8G>(
z6(2H{Akr#`v<f1vf=H|2z7?6LATm!OWK7|Gi7Y|nFNHz(bwpYik}W@U4=^O<-&AB-
zBV+R+WAh<n^F#Mz??>D}!iSXnNGX7nh;#EJ&&rQHD?jqO2q4o6Akzv!_m3dbT38A2
z@$(7r9;mPb^>-2Y4^)8zRq#L+I#7lGM-@CsCU}rc@F1DsK{CM~$pjDR2p-T8JfI_Z
zKu7R^j^F_u!2>#i2XyvSkptE2Ks7&5Ee=%61J&w4wf-L!c_Zwr<_C1l5p*mC%%GO$
z$PyQZB5_c@f+DB(|No}};4Sc1@G|)Go_c~4oZvqUC}02(6(LX%0*nwKFc^S|3#tU5
zgGd435O57x60`-X29biU{nKnu@Q=bC9i5z(76|7=I&%(IZf5dkZe~BevHsx5{W$t7
zZrphVO*I)gh0_pQH!BC;{V&)l9t<>cIa(mV*3r_+%k_%=-cb`XcQ+?w*yKn4CcHm1
z>^+7kvS?`J<P1OqWF!kaGh538j}r4Yg32253VINv5kcekE+@jfJ0*>Z%tIHMhrOA(
zmHj~!j6dXoH2x_MzEg@QXynukK$Csy?&g=REZh#Fp#LF{-^_<F;XTC%LL)!J@K;4}
z5Z#3LKnKf#(a0%(6oIX)tGkuUffe-+=iaye>D0o!`~Ux-Rsa|VngX?g(ZHJj^v!pI
z6Z~C3!16#S6)y#p3=OP<0>;6&b#&u$baLdf^5AlDa&kkZ14{#;6ue|mlKlv{`$mL~
z%fbwW6RZz}vhXrN8TQRoi1d4DJ<RNFExF7by`7!xZ7saH_6~z-!ID5IIWH-cct0-A
z@8g2t+$ce&m{52=FE$ht5dn=Dq@(pCfPn*&llj2{9S2w4$=%V-%+?Wd!Pd(2$LX<f
zsMMW&Z0+sMAY2fI3lK{ybN5RSH!D{+$X;SvC^aGyHV%oFm4&;Dt(!MQ!SRx<qm`A5
zt>YzL9w^s7Eml2EIV~G2dwWC{+IxxjtPu9S)4902x_LUexY>B0+RJa>|IYw`*TECu
zR&WNm@}ItzCpf_get;Ov0sOf!BLuSo|JZ&ZnztjGECMj|AIu<3Fa_p*>izm33;+j%
zr@=koH1NZJ`WK(z1pi&20P_PGatds)9hr=njDozLJy-yX39baAA`Bx`2~n@K{gPf0
zF!A68ld0j$XE38645M0jo7oIKj-FA5I<L~nlHD#}q5>lf6{6;6`dE}L^jHm?xI8{4
zpEU_129bmLF=JKkzM{azDZFDhn2%QyKQ3_&^)+Jt9~C@>ph5Lx{(nDsf)kwJKL>bp
zdx8wHn2(rfPvGM02^=)UDgYpO1QCI5|LX)NIKh7kXz9Q*Kv&yKCKgsMZYF&E78ZhL
z))po|CLYNU^Z#f7YXCSMv<cDymIAT&0{`CuXGBAl2_gdgj);hvxf#E;$&Z;zC_E5q
zh=$1#q7?EK7l?`nJqwjN2;xBbQ6N>QWi^)fR{T;Q5@3W5(h*(pxvp&Cgz_xchb6&R
z9zzZU1cHDNC>9#Velif|?{yT&lEX{!%`^_p0czHwM~}pKO7k8(pqqhRE}7PdHSyPs
zhBKlbNm9W47f5cDXpB^CXOt!s+T)B1E(*y_%K9;i8B<rkESG;iSde@iNtw(N2407>
zW$y>gq_Wzd`nhPkzM&AtFSWhVRo91vOTrmZjxI_5Um!{PO;B_L6|>@n8#a2Vrk8|^
z_lJRnRoL?DA~5XYlF#mOBn{8XFu7SsjR-C3yGZW7PFEr7+R=}_O5e(66(F=>4}mj+
zk1k2GUm!_+p(CZ9zNVI9r!iZ9t98>ASI|_l_$~QbKnaPwpXU5=B%z@}CU)vuB4kU_
zO!sL|k3`sQ+c$T)4?JG3dq+2M6BW(~I+COy^cP6JKGWBR(RA@;Qo2{OXdh$@Z-$}L
z|F*ci$@^>CK2I0Dk0S|bJL4jH`#a<F^X-@oYr7cjD33I00BZ*1F-|dr??u^6fT*<m
za13WNS65Fb7t0yK@ND{Utn<5gX{X;#JRx7hl6wdhhq9w#|HcXj6$pk>qLAEHh!os4
z`8X7wdABL%Zjon@!8YR7Lm^PcPkaS#=_Q=J!sDdcaGhnp{xbu>2B3!^BA_FnV=wTh
z+Kcn2lCp$ZK}AgV*Au{Czfe+;p=$B0mggdGZJ2!K%b(gzUqNLTg`^VWV5oCmzjem+
zxRT;pK${+2l+dH9AQxGcmn(WToyy0x&gqI#k$BZs-Z~l1h<!B4U%8xVp+=ET8BDQH
z^WHQ#4|+XK=^O#Q%R#YjP(vx+#V)#h9LX=CN&I2V-{a?F=c)Mgbe`E^qlt84KHP#t
zj&qlHL}S4juu!FbBWY*l{ez?M-zmtPf#*v~lTXH3Fz)$?$S8F)i+s89iaC}-qqd4|
z-5m1zIF6;H;^ygFi_e!A!&P}M&rW5&E{_LmUVN4OV0|;E<y;J$0rN<Xzfz8Cw_?O!
zu#%uvpS^yOAG>inov^={|I%7?O_shmx^bq?vDHGdcLii9kQz7|-3yi#dRP=ZL&h5t
z@-@au1pjljhC7@Q<LCxP<QGU1t%P8qRXu*G)5q9X)LX%NKQR$|tVSKxev&Ku6lrzp
zaU}1D=@GE^P6a~OR0u$&hBd1XJ6T`NDBR>FqH8hMfmOp9(T^r6{3}iM8VJno&AX%F
zbiQhYC`f3hY*TYhlgKx=N21vf_uaMQNcx6ZEEMte-o1{K+Ds`@cB{SIQ_L*4?6XE!
z+4rF^af(0Ge?p+c;q{;H=O1EWWhG?A`*&`M4nB`iP(av-(cNY?)N0IkQz>@&)+3p`
z<K|BYf~^)3kNY9jv`M--o{VkKf<>&$lXBZE;_RRjBY|g*H05=sSmd|h475Mpwn&c9
zzf-k_<RKbO=)xtsZH5r~%1z3NYn^lt*M@tx3%bi>!pc*Q<LEkf+R)2BKl0L2_($}F
zcOEumuOFRDw&P;Yg9%Dyq|?9|XpZFgE9DqVZ$45tJb9*i0KHx{J^;JGw&qiM0I%D2
zBkKZN2Qk-i98<*k^uOLF=zNqr3YFqFmf}+^zCZaW5p9xy>GQz-vRF7H^`9>GAAH7N
zsag|{vsF%MeyQpgwDV!9HI>ULQ_$8sUGWirv$*mWbW`LwlHi+m?%5p^4lpG-@o==)
zb>FATICD1VlVnr}3K~PWhTx1;N0a=Os)eQnNCBA|36HL&&M%%Tldu(I<EUECMg`CN
z-pf+$b~=t^i>i<H7_D$+Ln|FY3O-77qz6?ZtxU7{AgqWV3ob<uXQVum<S#kB9RgUh
zGvP#MW-C{n85-;YZ-SgZURqdo(Qt396;qrdJB}pYL<n11Mv<Q-Kcw+HGfwIA)ZXaQ
zC##&8Z>9x$$|!C3syD%59(ynj0DxE@yr+VJ!2P)b#PNThna#sSJAnuQasm2#Ta|LS
zVH$uSk}z{4J+$!CtK1=@&H1IUce?eK#5U2V$6ZeE65JAQa07LSa-5N<WxxDcYWTH9
zkNznVPhjmJ#ekW?hJf9h*X?|l@7=__B6tI>sY~AMvE(^f4RZM!?t6Wg?+bTR+Aze^
zhh9-3v#^!I^q_gKZkNe2+uc^jhASNHm2Usu>jAI)XZB`e?^D7S`B@xFiCBU;crI_e
zJ07#V|JD{O$g^#ekl*00W}MJ*scCkE>cNey7v20ffVS0m>{$aiRPi`Yd?s8ODJhmx
z`t?tgr|%WQXH3WZLY1&bbVlOHHz_pJYjo6l;5j1x5d}my_-mKFtQx{6T+f!DLInbV
z&>*1TA<knL{V0rv?2E5)oc#ikP6l>SeGm!4c?<$#m}+@VeEi<#J=#8(bZhW!$i%t$
zG@;5c+-&ua<=-s%E<fcr&+o;Hy+`(`aON~YH{Lq4Jh`{*_q5ZP_|z}r+3!7Vqp9j5
z#VQNC1DJFePDs+z@6CfK$ijNsW)=f5hUdmUWw?y>1Bhi62?(IVgZi%vjm1a5%;|h7
zVV2se)uzt%2Bq{nT`p@OHRua>bQjsUZXyyCa$`FkwA|loYSEUtiw%$8Ny?87^GX`Y
zX!6yi!3=72@}blQb64DHPA8P#DPX-usSYKPOJI{Fkn>$;bw5{kXRB*;qv)<_Av-q4
zrT#Tu!3m?d)`c89pZYm5#Vf+X@eX*VS36Z%)BFND)Sirh2%BY~@Tx-!?z(O2kTk7N
zL8YuM>fF_NOC}ztONfGlhXsNOpXm$lc+zY7B*+@^+I!AWXSL*i%v#4H%vyvyykhYB
z=o+SdE!vbuAxG9#mf6y|ij#pUCD7nj2z2O@n-UHSH5jkDM0wNV>vo}U(CyCP=4`UU
zrSA1jYjkvjan9QH>iTzQGz$#Wyx=TC%cBb1k7>ihUg|v>^(qOXB=;T2xAd8KvH9dr
zyb*O8$-N*-(O)T@DskS`9)51%OnX^8(ZD`;5o1ZhR+6Br6Ll>f&ea>}KIfAsZnXAC
z3@V@nvxtm{*|Yl>>NBB=un)it5+E*fo)BDi{SUDa&U}3zuhI^5Wr>XO6yEd=r2+{G
zxbt`WrcRYqG`;fRy0aM##sJQDKGQiy%L129)q0~(aH<j1)e97VsK3JL>Ro9NcCD%G
zZrn9x0)sY@*u%@5lc+#2_qCS?le1gWrF?H6(t4_tecsD8ERtar+;8CydE-Wai6tj7
zTZP~#cCOqZ-0GorS?AV(o2kaW@ky8%jpvh_?{YLXs`V$9OEDH-BbgZY1`l`zKW=)3
z`xOOG3*v!QRQw_(=ZWm2#*OSZu;@j4<2KeQI-}R$5<-WI#%<D)LMGKq{knX(){P7o
z_z7&QCQudn{cV~zp+(b&^DeP%&(pJ`0qyctl|ep>1vFF|U)bl(yqLp;uO~dEt=+p8
zG&K3-OBrpRc<={ozescqH&~B<v0UE}pZ~6)<~8RLP9gr-n4&dQ$ZB@d%$+r<@)Gvb
zw_H7AW?8Ur*47%su%kTt*_*kZ5O?#Ua3yOv$jyJ8C6#@5>H?!q2PJ%nywoq_Hse#h
z7fU+fz4nbL94lEArt7@xNt!wh<cIUFBEc#NzmrYrWIQ%zRLX3sSf;eT&%3-J!Tq{g
zDn3WLmr01h<YqqWXOxTY6<kt<6svR_Kk+fW_2g2RF_waE*KsUNv`=%hq0y^L+#UF|
zLbuXc<itG6LE$m1lrN<Bszvwi`46w+f;+J6;&Gd|YU6dEI(q6dIJ5C*WTsYlq84dQ
z2=}9@P?{OF4oRfUh0yiYl!NN}S{vvhjcfuD_cZXoy><W9kvZh^Kj7Pdz3l`iIKe-T
zTSCA96cRi<ik}T6L8kn8fV~eM9sqzxM6~Ck6I}-c`TqF)77Y(!$NR;T;qO2HrvgB1
z|2sr;g8UJ@|1^9+BKiNF_Md?4uG~}62OzsEzhCQwu>R$8&BK;T{JxLSB=53@E>4d7
zngQ?tt12?;ZFEjaew=2jtA2f}ejPqJmSK#Z!;7UtGW-qeJ5Dqb1nI04s!77)nlEih
znafL(8T;eEUK#}Ch%PlX=M$~o>{`#$DDFq$FZ?h%H)Tl&Ho0rB?8J;8Wp~cDnqFQ!
zbhG|SvTUHzy;H5k-=;o2GpeDb5-@l<<4f%s4Bmcq-aul*FM5XA;pKu>2_~0kenc}m
zS5-c6F#K@~IW-W?l&+2=O8Sc0-EWOEXXWxX%kMu9H(cEc;8Kv>7235!eX}{92x=H{
zKcjE2*$Sjg6Q)tk@)RnGh~GwiwmBfoTypN}QmkWDcVFBbwc=Hy*5sAH?jzKClYQlP
zdr8yPdr|z^`gN4&lU7;3^$}9eVtkkhG<~vgHK+Eg(r1gS9FL3MfR@V{S0<b+PstO(
z?nX<je@Sos`mAFK>kTSL_*&+TOH3P|p6F^?z$DV+u&s4p)Ki>}I=zUWYiDb)fSrMZ
zGuG(iJ3jDj%Y1I&0)~ZA_zsJvNt3uW>%A*cx!ZnKsAZf^!5^X)N1e~3_qL}Rm8CV9
zGoMbWZ^}g(YSmWq`fS|uBJo>h?^fvJSACe6J)vvfxiBgtoud3HY&`?I4f&pc%bN}6
zsRRzXwH7NZ<&t3>tuMs%Duhe!h%gJgOodpmT$yq=(Uo7&{4gnEz8g7vZXJzQsbPa$
zLpL3&_GPR|mM*F#E4gQ2p*u*_{W5<hr~13Y{U;5BTDIoLdUTg418o$WNZxn%V~_0n
zPc_M?cbPF(6y8J1v7F*=oKcy<2$7?USiiZc7BV|>@sbpX#THnN?nL47x>4pq6ytiE
zzwevE>dGS4@VHJiKx|)-(CzhI`MY|?LEG^$B{v;i>vJZ<00N7`Wo+Cr`uDjLJ|=W?
zYJ<s^XW2jQ_DBpN>gN9VA1eTC2&x7V104a+_X2+coPp@4fh%)MD+>|pzcaX2P#;j1
zw(5E{{XTVDaH|8rr+Vg{NzChFvb%K~icZS>$Bksnb);dFT>0PxI^TbR{l>R5$@sVw
z>4EBeXo{%V0ddM@a0bF7IsVGv8o}a=N^vooF9Toj1as#;>Uw?4Dk3V{R9SOL>gs-y
zbo)4tY(aG0W6*H;<u+7QW&GGz=$F;h?1~3-rDk|XRaBE^;fw@74+)u>@tX;l|DA#a
zc!$xU<7%MV>f+l(Ut`i;8`rIf7}$O2OQ+}*(4cqhkkDI<;>r6DL1|bx5--neqOVD@
zt=X1EeiZAm_vbEM9g&4I;vY@&S4#3qfZ~JMv1h6^lxMp}_-mNE!=qC-bE2VbHcJ<F
z2O-PHksOPpcDzVKx?y0He@ec`zmTS{c?7KOwBx5e%Or^(9uH^0`{`;UIhy^Qf~1p)
z9O)(X90~Kxh!Z{AfL+DD<wcT5JZtL79~qHo>T?{&*1{dwxZ%6$FAkrKmjd}NhP634
zywqqiIsLg0CL^-F3unMRlH;$GqY>%-t)3f3(_6GE1Bv=pQohYE&1YJky*4ewY%E6C
z`f?mc>+A#%qbA~czQ|=GmT{M6Q%QABVX`c^q^8m&R;LH@-<R1Z!&kPwGubpXmbZuB
zT#Pr?LhogK>*4KJMoUui=+vF11g)eyaa0~4D(TS6`|X!Du9V_z{RN}ipp+J>Pdgt7
zs+gLbJa12uX0Cp_&e=BkafQyCD~9yE49|zGi{QJ1VM`CkLuW`$%vP1d6e)P)u*?IT
zJ;=2!p1aL8->mf!-HdfxVhiMlNNYZpNC-nidvWEFkW+jG1IG2yS0G)kLf30bUQ4Hn
zGeqC$gsp)GuS0cLpIjWa3q73oJ(q`_F@+R<{+g>Rtyqs_oAffK_IU%YQhm5douC<$
z?@Ae-|4MR<Cp+J7(_ok*O9OKxMvX#|CknH@ShBv<z6j%tGL7G5G{e?gK{4E}t$-q|
zOtqId<aNeFG4Y#CZ@<!l2ZvgWc_nT<8RCC8IyGy+%l)-5?D7^4rk{{mldA>uw6<#a
zgGb{rC9m~V1DA*VxZJORz%R7lj>p|tJe>FZV{y6M#)6SC(t<t|E({Vq(1z(gZ-cJw
zIF;U#5bpU(y5h&Fvwqo+Olqzv(^bz=wJfK9F}uML$L4>!DJz&q`wnXF6gMI2iovM#
zS!m%~sh)={hL)2ZS5A$yQ)J$IAowoE{~9@)V$?&eAWk#+O|x*zotZ$=8ud*frOg3e
z4PQZYu86#M^QwHSxbT)aj=p$;h({_~hJ8GalGVkB^QIZmFn>V7SM}n}_$Z4}lEIBF
zRos2v#S*YQRgZGv&LA8Ni?WPoLtVQ$i_Y5AIEkSdW_3DhRCdfcLv_14Gv=b&>|ycv
z3}->$Jjm@VymQ57qjQ^TZnwA-hSoYHD6(5<Xk=%-Um3p)ofn1~hA@dR^2aF<nuMrl
zbz#CJN{B*i#n>ekGz>TwA^u-tozU4*#ssj@PB(FG5s^(zAjb**+daH}|DPLx*p5f^
z88Fhvm;Tv6qW^#7<JZoo1ODXW|M77LMBHC|nCq}L)W7%tGp8l(+skg}RS11)EUc-g
z{YI*Bk#Kw(WG;@WRa?XT=)tqz;w|^WYyB)MEgG$3L1H;Fr@N=`5~5N2UZ~C$YGpLA
zJ+mu2cvmFTiv+aT;}=5*WM|d>qMieG_}WLzG$}my@}_zzI%W-s{bsaMgypV<V3Lto
z?z#{jtxex;5!}{yufKYIOMGQb{6a)jb3o<1Kk0YFAkiQfvP8h^C0sOm`NoAosDuTE
z_}m!tHl?C|pf5$YE)Xv`r=;Z@m0llKZFV^dUFYq>*5a2z#Y<F@u90Gx%;Ds+vcOQt
zRi&%NB-KQe!$~UWCeL8m-!Aa30GPwTV~hdHbdQCvQj0A8wg0d3hJ(8D>Y{CaV@_|W
zdh$1m>rOxX|3Gu!&)cn@qNb<$7Po`FW3@ydfxXIcPYGeDE8f}+y<Z$B^VXze-Z>C+
z*vE6J;ycEq4BFF3DiIE}(+=J4l_Ghs?PcCK6J88u`TQ!aOqpA&MpqTh*=o@A?JQWE
zoe(H+$MtRX1^>pHV9b@}w^!h*ffoXoc{sD7u!~KP%2)|=H-P7A=SEYw4Dc<yTJXyr
zqXB86uXpK>eo{prP<+e!>66jfK=(4kh&yH>vvvJq33yGLf)a78+mD@5KA@zXPr{?p
z=;Dfsb$HoZ2i)11CyA3aGo?v<SoyJ!;;VH1votMLwED#Jpv%(&9NIGa)3SgEQ^qhf
zeIpvzdb<v_b3`G+XBjMejSp`ZJEWI~NGCDvtkHFoRzNU&S0Y^U{dSQrYU;%YHZ{R*
z5y9c2PBq>F9Y0DuxjGfIQ{rW*U*y7etk+7rXl_WpmS)8A`-GM$g?;Dg19*|a+*r3e
zsx`;8;tU?ZaEi6F8S&-0kPFv+*q=l;V*xLczfjxqv#BtTUBO-ck{U|2PN^e#0ezvV
zJa(_1knj8dj6df8?E!6jfj<DwNOAOB>#r<}lj6l$#ib*TbRM=49X02!MPVMPGumam
zop019RiFQ=;y5>Ez1$H*7zRaEfjpmYdep6S8JieQOf$hoE6|wIgMv%|&PaarT<fna
zixc9U;bl>cT<VZ_xaAZm((21JBh@J4&Fv8#8fR_)@$PXXpUYHQybZWXU--#8UQlEy
z!gTBXLm#epy^zWRXSX288k~{r=#u=EWpQ2(c==7&qOPe3g?Y8s4&LQt*E7U6C2B2f
z0Z=`h7->I_<W;r_uuRBPx|-4XE-@M1F+O>0Q<{Y2*`V?)x?VRkayTRDktBa<SzM|J
znpvZ7EK5oNN7Sj9@|<gl>#LK}O>8WQb77VN80p86Tyf&S=5bbzhs;HRafbk%l}>0<
zT`>vCepNy2#cq7~a7L1!Ng_IXW`Aq7$CC1yI>JpoFilE^w6%WJT%B_lY;)e$-%g#A
zr_4|I`*9?3eVsi5?~LZHEM?v!XUELGK_Ex=S|y#@gc`i4B}In~XCywF<gb)u(T4On
zOBmz&k_;hV<hZ^yUjC`IqNFn-&$5R|ot4(Cjw4A*n!jc`8axCGb#{{lHH0kS`>{==
z-U0SM<^5Dy-OPcg;TGeMB{FRqQy08l;)wAdYWY#-C`Hi=9^QU^rS8(XZO}y3eW4_E
zh>+)W&^QkLe*2|#|1oj8sZ#aE6k(L6q>AR*R@c~TWR3n|(Kkz^30s{b6wC-R7Oi;o
ztS384Y0kE1Cq>5RHfx<Wr)1eAc={wH+-uEFs}Mt=tUA|#uEb;M<B<9nyqFO_`4yo=
ziv|9WZz*D}Uqy>c%QFafv?!qq=W~|6PwqGt7>r5v6{GN&bhBvRO4>}ldpK{aWUD%~
z{*H<mIhB<Z;Jf~KAK~_W-Wt_Rk)3vv8g<{eTIzZ_)j#*U-gC9~clE|lF6C?*iC>Zi
z)H}v%IyGURo_w5#t{`NzLwX}z+q~6*jezHVWp^wWZOwBXFLYq5g1)>&{ypOhB6>Dq
zqpZ=+k6nr5n$U}E)ZTQ=-K61-*|j2GuY&PiQQ5x5PW&~M?aIK==Y;dPRcy38dT;a&
z=Pfb9)u!I`j{J!ZlqIw#H6@$(OX)uE=}w_gqOCEWM{QJ>BM0#Y#GWZT$qs$)O`r!!
ze88i-Kc!f1QY1HW|5~rjlBlzFs9?Uatw6_x^~#TpZ88OVrDRwUPq*&{r=O{}6%%U}
zAS{kFCyl%mqG|aY`@JzbiRvBg0<IyE_okcOmUT)C%?}?XFqG!$SCrllCju*OjEGbP
zS43<rthgM``?*@8)sm%&#Im}~*S^MV7>6y?YM(c`U$!w(f}&U3o!EluWK6!t*Ymey
zmX;GbALyNWQhK8kt>EHIceI28W|<vV;oObT`HA(*(Px*1ftTN>WI3-UafZXpA7K@q
zQlCpYm!QbZsxzu=KIS8`Is0gWGPCF{bf{OxUHsuCxf{l*oIWvwT^)SyD-~Z1z{XyF
z_%Itt%c~HAMJlDJL67wR|Jyyhf7Ka3!3j?A?~ncdzY+kk{cjM>g@POz_|xP8iS+-`
z$Uyhh2LN(p;191xK$!pf#V?0FT>bn0f2Hl*B96vv-PB~B5(CTKQAcp>)H^mZlnk?(
z>$XdQzHXGNb2mh*Vim4W(R!^HSvu1aJPPp*3XdxhlIP^#+O^F+??829utefE<`X;F
zsV@zM+U?fl^~-@&Qy=`be6k3#b`!z~Pwxiwg+P54bsw28Pn?<S6ns!@ctgshoW3xo
zlIn7Y>aKgcxj^(5%j(ADM^2P8$(a>EPWA895uS?DcAE{0f#M{2J-sS(HF)3i^a!Ej
z^-Q$agE($qrzHui=OB-g7#jw6-JCgF)k;~?li4~S67z^A$>w||AyYPC%SS0{c!hGK
z1BQfXmQDU}@5Ys>txhv?F;O(E%sUt#|GNKQonpKAV8K0(@r6<YMPJ!uv{IkeZ~g!8
zeJ&Nx@4JYeo=Op#oM4xJGf-6Z>Q>tF`fWlXe-1tW8_~Bg?mbP@s5#wC7S-@rV>;p;
z%$C5*1Nsq_B@^yBkKSQWM}D2!Pf*+PCe(L_=Hk%Pv3d{&`P`<;dOdD#XxA`$)O3|D
zImL!C&k}&lFRaykkz8D0<gV5YSW^?w%38=b{M&P1+y%po@Q>{8Mu{aC-sL1yn!yqc
zH>RB|zn3W71`OWg*3hN&rwoYQ$d*G{UUQ-`@VdX~Nms|d`DqxRzLey)1FduDx4Etz
zP|!Nvi@f>f;EusU<`k)jm_G7CZFcF~I}yFFq_@>ANB|i;_ukqJq?Yv44kmeI(xcBB
z=Gk3J#k4)#FOo?l^wf2ZmgQ>at=h?KPYiG0oZR<|%sglC-+IREDEhZzejE<2j1LHT
z{;ey|HL8{7D|7uS0jg6}UF(yL)~#=bsKwvwLu-i3vF8m_v(KH+$`%BECAOS?)tlXh
z?|P<~`y+c+rli*FlV-wdFXIQYs}3%YipU)Y(n422Nwvi<GiMmyyxT@R`b&+d|EPct
zMF0O0a{jO5U#*1yFyM?#KlipQtu2K4|JKx6+V*z}%6F1l7ZM-CmFFbnq=co0zmTqJ
z_CYS8whWRVJ4d;tEv?$3VIab6X6Y?d(;NlZ9Z`P0wSzg&k|`p)^Ue^?$apl#U+EHV
zv%B^tGhFGZA)crcX3L;f!zc`e(ov9bFY3%ay65%vIFgN^I;YSIkNa<@$rgAnRn#w!
zr}%GkbZ-mYT-9hx7s!V*F#I%ah2;46rq&#<Tt8oOkq}~?^dRQKoz_l;b#u-((-8Zr
z?ktLMj;Z4~)_)h(DtgVgLd4EvFt$p4Rq%z}boJB7-U?0uJCpmR7;py2ksN=e9H-^v
zHEr!ixI?y!)8$y&WinjvH4ut4)IW8PkN4pA-ahtWF9ONfQnc?vVU3}ZeaR{nge3#4
zpPqMns`hm!UAU&p31_4~`mvc`DaigvHo=?qYHvDKn&Y~?)661wEL%yY@1rF?q;kwu
z0zNyA<i+#|;kOF$^pAL`o@r8eU`7P3EL!^3qH0C4oy)?OjYL!(?)DLd01Q7244?tq
zoo7V1fwlT!&)ENB{E`6RR@XYrC%`=LSc?~@5R-BYPhr3Pa)!O;v&GmYx%Ay9fhk-Y
zpi?Wt7ThnhTBXK7ImSevF#wyoURocaMqO%5Dds_1y?sG!;j>?qq~2L2lsf+`c$b1X
z8hY*xxAV_FV5Q`lpP?B?;~4y$Tc7J_7FH$P+JM@g<5E3#A@Ot}dcXT>*hn@imqHgX
zAR)9RVnFeswgeZgRzJ?@*}}tlJLem`3CmtnMgiNCC~F$B-r2_R*ykN9bLRXtqc=}K
zIB%^BJi)aL`Kp#)2{8`KBVlEjdsZ`bxuTavLuoEt3^YXAYw4aMo|)od$>CF_gjX~C
zyg^u-jU^e2vnLi_(b_vGD5J>Ea#cyX{p_uWT4(r1%S3V?zAZAyo_MeE2%-jiFA;c#
zjQ$DP^68fmLM)W=dA8OAWw|1^GTCaRuO7~OnaTGSx-AU@L!+ePCX^xP6w64#KJPNM
z{+7o~C1zWSyqOa%8j7NM(Y9iDwhHQp3`G5(fj>!6^~c3R1hGn!69m4pn>Vo<rTZwZ
zJa%e*zS40afvu>$K5LftiX?iB{EoVqBzqyNTOi-%p3d>vEO6GMm_FU9^LlB_cXuM9
zXJ-l7?t3mt8+?a&EHu7t^KO!!9-3U5uTTtXeHz+*IPY{&21hZM-*Uj_U2E!Qj;|cg
z*A4c0KfOWb8ZntVSm7fk9GzpNTZAv`Lc*g%?ZJ?y8mEp0@;97xNybszb|IRdWa#sv
z3IFbvb9MZw$jSyuyJso&og|W~xvA_+M4TvCMi<fQR<tg>G)PCuyEkmmetUT}T9>E{
zhf$L!kVe?uCweB(%z`F{26ncSeD%&v*v8y_Vh(}`x1CR_lMj&n|NnLmZ{Poy2Oze8
z716w?NZ+61X9J1+|B>(iz8$fA@wZvQ-@Pgg5#gx!LLT<krQiGipT5l&-E<~oS;of(
z2IV}}vLMpCZ0Wq1W$|o|mLAYm<kILWecmZkY+Te&xl=<s71C?;k~dV^Gl0Ms*9fil
zhADGvCoY!F%`ycE?HS6a^Q2(Mr<-IO<KM=^qVHlbHTYyy?fAa<%qtlzv$mX$Y1S@M
zl}03WG0*T;0q?uH^J|4G^-pNNzCnpUCCX~VhWjM?L#F0U%w|xb=skb8poOFn*W}vb
z>USUX`l08TFhZt`ub0^bgcJ-?YQ2j&7g+p-B>A5H!+=~}`E14YYpgK-G1c*rZK-T9
z4lIC5EqnHyzFVw#p$vya<~eDpE<W{=!8F$T1yS|&9zR(i>0Pk$U;F=e0t{=emAtYD
zV~y&EzYvI+XfS2`&HsP<?M>WzW_nFh;c#j#rEg>Kig<$J={p2@9aR_aeC|n8SzT`l
zt&5G9o7wj0=*yJ(%t*FOb_GoS`U^WQ=O}}TGBr1f)(#F8p}8n;uwQ3<ZcEX?<DQ~#
zAJj&7cf=GDbp^z+`v&yfFsLzx>BWUj3pu?lBd#Xa*l#}-C_r^&>$?1W{1r%gr!nmU
zL<~KG<+~#(C(3gT3A<(m>yOd><^`t3dA3ir*zlQjai3mbcwc&cD)n~qjA--S*3ucJ
z;8NhTyybUylM3f!-zU&G>!7#WN7`IUl^htYFRs5CJz#7Y9j_td1=t}Y%5Hl?YF6`Y
zmZa7^DJ-1}FT9&Y8inU;o3>g)e#`LT?c$trRVYtdvtsPM4#G6t9)tQ_+pzt1(IQ55
z<0G7#x0*__`vIiZelCpmO97GW0({K+?)iWcL2vn8CkN~hry1qI%wjvrOU6%E!5aRn
zdiAOG@V;lAz2-w|O05Yb72e+)FRew0vHCfDV2v_ja!XoBY<*kjWokEH`>?zs)$je+
zm!)-%Wp$f-m4hDf{yzc`69B{n;sI%Z96&cg_d(A=Ghhrb8(0x+1r7#hgB!sg|JCYw
zf`5BpgK05;yny1Tx5@nUJUjZ4W)X}d&1T>u&E}{_nFXPsqs->~C`XzF(0(@m@zoL7
zN19<cKbe18E{T7n8AkAv`KL)j;v>y4k|SU6BTRLqS%ex<|A~OZ0FW?97vurD1F8hQ
z27U()gO<SrU~aG)_%b*QoCj_OkAbNE=^OC`e-A%h`k#hFn2t0<8EL^%z`q;<U^w!&
zGN(AoEC?k%%52V0exzA|@@MlO-$g-pq!~v4$KUnSyG<~Uvcj<bX#Ht5FYZxR7~UVP
zKdntCJjx0q`lI!ymqySWWrfimbseD)#C_7Q><o0hk%g)^V=1mWo5$OdV$(LnP<y!l
z(#=#k5p?@(brhBz-KV*Fuk@lDb^HDcjxdy|CAR6!!@T8~;xmI)yF2V?WSXWfO?j$$
zekPP!r47>`UpFl<w=Nq>#WJ7*1Bgf-e>WYEj(QrlRHcUr4KYokkWpq!op;hxbWUsi
z#6-(9?w)h@af-`#e#mrN)$JW~04H8fxxx7l9poJ%Yx+|&H1aZ0%u$*!n^o>dDx+Sr
zHk_%|pu>3+7n1GRY3-KnIMk`3wBQiY(1a!I^LDpS3|*ZyhrU-(B116(ww}wSsF_kq
zC#QF{xjop^<L{spLA)tKT=O2x{Sfw+xTfK0;N-4o4b$pt7W{8sweVZ2#BT&V*=-ZL
zEqA6Kpnka$H*9db9aG|KjWORRDvoQRn65QN*!M;1>>FxiCly#tpL1Yy)oh&+#M#RB
z!>expn#i>v<s*`LIPcS3Q=F&H_=-<AfE}2{<O?`uDt_bLDRkCgWS2x%SWkIOW(=E;
zpRzKtOw<%#MMTO*F`BCLHN`CL5*TuCFqbf_oRddj#0p#F$?1=Sut}17bDN>Y(84Fn
z-I>+5?@>7hM~<D!+1h60PGM4?zpU02uf6%W`}qsn<m_QRO!y9|N+1De?DIAY+2k>k
z?y0F;IvsA4VPiA5XBBqRxen*e{~imUGsl~<1@!9CL|lL^S%!blK5s8o3&-JM%0%TY
zW8t`EKFRuvnZ)TtqWHZ+8C?z-6sJb%-RQYK478m|KK%(t!S##8e3-1o4O_Gd0r}^z
z?gOUeq~>s2s%AdGGu=}@QADJjdj-^HLggA5Mtvq3(#hcB{4UPN*}C@icd`iK+0iP{
kVypye@hr3J*=>Io{4dU{Rk;_07_tjok^TSw_8#8<1FWk99smFU
index 0321f454cfea58906a2bfbb387a59f1c5d275a25..6769d4dfb979e5cf1ec461195ec142745549f48b
GIT binary patch
literal 891
zc$_n6VlFpmVv1kD%*4pV#KI(HTWY||#;Mij(e|B}k&&B~!9d(l)IgYxIh2K&hbJ?y
zL^riew=6LyGsQqooY&CQz|_#dz}(Ql$SexTwJ@-Na}A^oB@M(O8U^z5b@P*p3v^41
za&(hZi%JZd7?qGMVq|4tZerwT0E%-lH8C<W>^{T2L3HZ8JpI-sTaDSSi7e~L=_+WP
z700Fb)pEwo&Uvf7-RmP(Z=Urug+(QHFL%64=^Ep&Ro9!DT5}w?X;@aeDHiWiJk8)!
zBUV{i^i*Iw``v#R)wogv<=0NnU8nWz<<GaD^?T+NEzV1vFmu<sd<ACnxLf;Q?@Dr+
zcj$}1qjPQRzloM}ee~Eel>PTjIl(>a_Gh_8;(?{gJQ-%^rmOE_eH)_iV9&m*eI~N8
z41I|+xb89S$xhqRYJI8uujkb7%5MvK&+jnYwfn+?m^CvMmq)OLTQ)9PJcUIx$<ZRO
z?Cff0yAxe~+Qr&y-c>|vo$|T1DL^{-+n(^3N<JFJt8#BymNGFjGB7S~JZ8{%*uaX7
zLz|6}m6e^5kwwoy$3P3lH(+X$%P1)+u+rBrFE7_itw_u*$Vt^p&d=3PPSndN$;~k^
z2S$LbJd1$=P~!rv1sZK?Pz}jNImjBUEPy~iHB}cR4#WmNAdLzvt_IEqj%-3e`&bxX
zd$vk}AY*e0C!>M3fhNoyOpIc(P-Al|OHzwVQu1>XGxPLv@{<#D^pgvU(b5z%D2C^;
zL@6GUoHXbBg(H7z&A+bQb0hMUX`SnqKa1)+XROnA^LV^%-5>jYn|t;z8l}2-ZMbzP
zUtDPRhFfJ{HBK~p9zJ@|X<yNNpY{Br>5tDGWV#c#RN(1n%Y<!v?X~^F@`H=*pY(3H
zEq_n_e2>xnmz5RM<z9aEbuyWvT)lpxhxtYByFD>i-RjC>ZVAbI{hSwG>ll#mp!Dru
z@6B)4F+0?r{yFvYBHPQGbEdue>pWqz(V>(_6H|6dt#%4oVKsfim3hAx*-iVWUg|a}
z=_dPxt6_S^De<S5>Q3kkmz(6_nXx}3T8fdoGn&KDmgmd=S)2U!9kuyz_+#+iBQ{(6
O<}H~q<0adP)CvGs^j9SS
index 63b495bf6c9e75de1a8ad2d446d0a9c97a29652e..4922e0bf491d539039c6b8b16267531e61b9c3f7
GIT binary patch
literal 898
zc$_n6Vy-i2VoF=U%*4pV#LVMdXTZzGsnzDu_MMlJk(-slK*~_UK#Yw!l!cjxKQpgH
zH!nX=H?>T+C_lf%Ku(<3(A2=x(7?dl(7?zt3dprEuz+(7#0*6Ygdlpkk@Yn(Dj{3L
z$jZRn#K_M86z5`UVq|1E`6-vdS$LOF{m%2kYbrP0;oLPRVeWIGU(t%6{z@ndnZFgD
zw{7n%<0`g`ldqc{t(snQl_&bBv&J3S>ggSG{uwY{T^S@Hrn&XCYOTA(yGGGDOIKVl
zUoN9|Fsy>Bx$@mR@qY&*%YD{A&5)_exNu}~zItfQ*99}!|2(nXu+Jr6clhM~gx#6J
ze7}1AN+hP;-e;5OA!us2vdC$>REfsM<-F=UE5!cyT+I73J70xc*7mLR*~Gk)UVlUy
zp3iX>Jmwa#YtyVtxi#?>9<IJY+)ay=G#z9oePBKK!?}IJ_JYzQ0=L*EFEg4Kw8QI^
z?E8;zU(L9`XK!4VN8Ah!b<4xknk9Ot8Zt36GB7S~ykO9H*1(00Lz|6}m6e^5k;THm
z%)kW3H(+ej$S5f(u+rBrFE7_itw_u*$Vt^p&d;^700Moa0M|D#2gZV|Jd1&Wo`KE+
ztpyrwYEZ4oMLC#SQ&V+8;y`TR1JbC#;%eY*;K(Kfw3&tRwP&jo2r@R8a55Tb8)(8@
z#Kb5j3pF;kvLv;*BqcvLF*8puCqFqcM?bls7%govgW|f*%uw9uA4A=8<!95f6e}Es
z6dvT9S(gy7b%K@WWtICI9fBWC;qG{Maz?Jw`sYVGE^ytPap>&d<|ZkpU+k_MHNOhy
zcTW%Oh@G$g;?<4Nq*{q)eKEmb$3D)pP<?x^bC#V3n|IyR_~eajdzfS2G%|PIZ#gX!
zu5n0<CB!>e?po2|5>@A{o%estoUrt}_-Dhw3Z8_o%db7%vb8gxZ$?|Y!mNAkduRE6
zyj7H|bNJYc7wh|kcQ}M>Ju!P#abI0x@PdBs10@;Pbv9V8X3|WK+bcGM;qGa!C9%x&
xPn5^beLhw3ZpNi(*WU{RUZm~`4L<uZAlUBAxv=H3ABrC{Z06{!@e^s$1^`|@RRsV5
index e3f5c054e69f38b9f3a7f78400d75841659a2708..a1b7487c32289fc73d53a77e852d1681e62c822f
GIT binary patch
literal 719
zc$_n6VmfWm#JG6@GZP~d6C<MmFB_*;n@8JsUPeZ4Rt5tJLoovpHs(+kW**+W{5;*%
zvZDO_65ZrP137VCLsJ7&LjwbILjxm=C?MCuzyi+2qqB)o3E3J(RtDxKMt%mMI2ThB
zBO}9>%-8RE{9f&Q{%o0tqUyYRdCZfa-%=N2S&;a$HS=RbO^KxU>n^LUlU-Y%%T|0_
zlTsinu)VFOsdLJDa~ExsKmRkA2IWe1-B@osiE~%B)AJ7pSB9KO6W{--LF)N~y5Oos
z0*n4n?-11aUw@^|pz3}2_M}fw-Cv(JTemi*%RYXS{K|=2q_R$W|1Uj}WZM5n^~=v^
z54Bm`XD!^!sO|e(y1U%XA^X?C_YF28%g$f&dcB+P_p%5<gD3lyWm}uHCbi0nbnMp>
z@3Vb$hxu&JOaHCMB-fu`c<fEv#O*ROGlI4VDlZm1`p{mwakJ;4Tn<~SMH$QQT>4q~
z{Lkq`ace6!u7y)M9x^dAGB7SyFpx9g2Zo=lFeBrC7FGjhAZ5S}65wZH0mc>^T2wKE
zg3g(xYVpFqJ<MA_e&6Xiv-8~=gY|}t(Wy2Zv&7S`pWN#ly0NY4@6HF$(~FB71oyo-
zELJ{8o$J({y=C9eZFN7TxB1pI>qlF{)LeysOKmo~^I~)2gySX?X4{t)thm(>wY@iM
z;^dDZ`B@xucb`1`<@&RQRf+7OIWy1gu{;xhWw}YhyX_GQkGRg8Wfw9?%$T~!KJA_>
z+xik!bAR6hw`GK<E==z9;+`N}E^it0KDL_aO0+^|_Wz^X%&KKyeOtDzVdv@aZKni{
zeOt|T&Of`x@cO6P*WsZd)n)xf;S~>~<`!n_bRSeZ&GPrCtMs`@hSpn3XE!IgF8Q?o
RXu<QJRV&Q3_VgKA0sv^rEWZE%
index 841806c987c943409889ce7cd161295274a51c40..b7aefed976938cfe4abcd08e4069b98fa0118ff7
GIT binary patch
literal 33792
zc%1EB2_RHm`@hSOu`h*4MiR<$XNED7okC=ZvSl9`2{G16maM4=l_>2>D{Yn*BH7-w
z(<+q8lBlHpKldW#)#t7EQ(yl)xz9Z3KIfc!=A84K-*e7AbDD2%OlQyt?mm7?of!l&
zfCE4f&>|2308nIJ68#s*yjYkQ4j3d57?~6S`4(0*Aqc-i!>oNDV>Cu%^y>)+qPB^L
zub}|~{0{DcyWn>CG28^-gX{ZlkI@*7(eFi*_?b+Em&pXVnQQ_llL@dh86O*y@vt%(
z7YgN^5PDMpUI4(oa3|ctwEF9CHGCc}fRDo2@HRLNPK2Z2P<R>a0Xs6IjnNp5(TKzb
z<3LKr#9IQGkdB|jj|uTwTlg>`c2+enCWHy+@L<A<Ne$eX;JvGs3llu85l&3-@G$1U
z1P9w-c1*C><iKNsd9N26CYZi58HWkF8+Nl|g0_Dq3nr+f9>QUQa`+7x6Q*}Cpm8t`
zPmy^U#RZ^_yb*x@{X2>!gX4t6#ldyT3}+WFnzz5dS%8Zd-Sx8o>00P(Tj~=mwRMd3
z37>BhWaw@LGYdl#Z3`R1TzwmY)jUIUD}93LJc6$2yxGQvx|RfO9a9TSIf667yok(;
z#JtF;jNL%*5YbyyG)P5*R4j-_p(>$F8D$idsi2ICGF6m0qs)cLRI#j(K91#xkTBl&
z93_k^W1NC<6^v6cu8MJIjJsgm6)RX@@%qY#$)r9R%bA4bOu}*|VL6kqoJm;DBrIn#
zmWqs}B4eq@SSm7>ih^k=n3jTRDVUbhr^WK5V0o%wF{ynVt3m9Wl8`<bO-sT`tAsF#
zgcZ48#OfN0O~zuAvDivTU+lh!eRs$hSHie5#?fahVNX@Uo~neki!zp08B42-^xZ+z
zy3&-%N@Qi?phy}NzlfkTC@K$%ltEEtP^5kqDTB!<gUKj^$tZ)#C<DnTgT<i?7Kbue
z9LivED1*hJ3>JqnSRBe=ahRg&py)g(x(tf0gQDA@NE;O0KZ{sL=o4KAi{pY8$4%K8
zadW|HoQhyHSicliSqQa%*cdfn;l7VC8ly4#K@y5kz(qRYk%(*}2ZCpXt#GUYkk$Nw
z02?Qyt4$O{#-o98oLnY80p1K}x;J3~ofbrtL?qDr?3^MdKB06kFK2>0L4N_kjph=t
zn82X<GYHJYVu&ajiGy?ee41;3ADt0G(Dz<U_omVO=-!KoiikX_hB>EMo9WK?pm}+r
zSy(a?GqnU6=HvVV{24($ehiNgS!RAH{<A>m0XP9Z1M9&!rZ`4p^c#^DE31%@IA}xn
zcB2KmE^(&2eReJJ{T`>`JUxAD0;WUV$}e0`)XS6AV8L>*!gBC(cA<HFj=}a-4w!Ce
z4rEz99IKG1IJgK)?;qgeNpod<jxp}59Qw6?F9lJS2(b$3i-SO4F3Y^=44R{J0K*3h
zJARJsNc=3q+Ayoo#DT9)_xBH=`F&QheD&Nu<<Q4ciT(J$4z0+^eIH{qMq~8LNNg!C
z!X8B2iOgA5ACk}bjO24^A%yw#P}*la_w#oqkPs!RybGN{kkMZtOH@GQ`g{l}TA(A1
z=E#iUh{a$A>E4WiFv1M``S>t+vGqS_H4Jk@iO^YC6y5<nhZn-v;MH&s{0y#!)8Q4c
zDJ%dzflflJe|6=I(f>yp2lIn_09yfBcmeoTuSJIRT55l<<?m0y_qP<^?C1R{ctl_-
zID8azp&SPTAXk4>PBQHIpEJk8XwuJFarCEUp9&j;BSpsdM`jxj%Yj3c<NB4XBYwq!
zN@3|wf&2Sc9Ebw<M}hFLFuw0rpZ(7Spv%yFXeQI@mq5>;8_+3e8*Blq!cX8@_$0g)
ziiW&k0zB?l_mnaE-yvaG3FJJ>TUV%ZCqFI8FOq%L#ndS)jH3m<rQk;ur`jS~Oj#_b
zx8qDFJXF#wgBEFK@O?|ciz?JgPwYLBeUDgX5pwGBwHj*$-b7WNZz;Gj3r4kwi_`|$
zazz&^uC1D8pS{yY=Rq&$w-g+x;@;BgQx!Sk&0W22p~o3kxjS0MNwR-Sfkzb@Yt`3C
z-Q6v}=dLb~8?g3y(gf9cY~NChLls=9=`3mLvux{q%Zw!?_@}Y?RyMPKOTmKG%Qh)r
zzt*J_A}*)W5A*7qb*vOUfcusLMinVW+pY+6aqdrBQlHIzWaC41bCzq65UhkBPJy=M
z;A#L82~I({Sn<<i3}Rk$fgs2Nz>y#iz`V~6MS>u3!Z6-`E5N&!Z^xUg*!|5{_S{+Y
zw!JIv_QG>+0v_w-9{S0B;!UEKFrdnr)90w4k@4)%ynD^H)>d|W5O}6uxX#(`jq;Kk
z*DA=KIf?jXlmyn&zx137G|YA83F#Fn<XrbWK)p24Lt>+N>@p)kSGp!Xa8iTGk{wd5
zmoA=_=Ay0-&hlyqK1|f>kSTKrk)^t3@0@P1nVqtm+wVq5Wr0*f@5K~~;s=jS*(CwS
z4x1_$m$u#$Ih?Sw=8{qZNYCe%*;&UavXRq=>?prIBg0M8_FSRilbrn#Po0`p#u{+k
zv$~fm^j6p`tH{c@He$DG*qVL(2})<WgJ~u4kNi#ZWLY2>1i)Q7h!(=bbhE?+K=2ce
z1%a6#2se6z2fcxVAut9JL&MxSLEQNA32b^)o+eVP&|C$Q*ZtZBGbil(vX(ipS_T2X
zMcF1DjXt;BmQS4hP;I{72jHq!%02T{Pv-b)gu%~ca2%qf?9Q3IHWkz8ANK^`7gUnk
z<*+x_gU)b$I!z=JvAktxH1%wx-m=??)A3nT;0~Wj64h}xw+825R+Uh?_GF5}n&&o`
z?aX=eBm+x}<Oy8GB?>MR<V0tc?xIh;^jhNGG@I#HwfPF2_I2>O9ths4R)4ZtZ%3o}
zKJOOAdj^$lfd@C8+z@|&Z-V-1?hl@N-A1af^RFac+w&%&z=UGfCa%D?-u~o`boCD@
z%RTqh7Ryx{Ry{Rx1v}=x(EhO3*^7POQ{6qOmKsuXV^=eZ_BCxv+;r&FjhLKnWv#3*
zmFMfd(Z2ZmteinCP{XOeZvQ?79?tx+J$(DcbEdX#b*x&n16P%Qj;;AHD62h%yXf#M
zA9GO?L0z^PCQEis4stv+Rlz^Xz*ZFGTF!VAyXU6Sf|}>~wWV?*9(BnF%R+g}j~l7m
zMFZKP`RmUZzBLUyaGmWm5$<5Om0oa#Yl^AojncD~AI;QxKRw>n==tn+v&pl(yPDuB
zZoV#(3M@YDiNuz7_vYt6;k%mq?6ftv#7bH7n7hd{<u|+U;(fNcHrw0goK^gV$02?j
zmq;o%Up@qE|1|Xz<FVt}x+U#Y)zi&t0gun+rQu%QJDh(^eDPH7(&-z6#J1kL8lU_u
z<B0arB(oO_o-SZ#|J2MnNpFHux6azrc)nu?3Jdy7I-(efIP-U-=D>^^vuIYtl$C7;
zE6Bn!4g_(!h&G}*5JtclvIm3VJ5y0HC@4sQ7VNy#*Ndj$>a%nvl}U=jdt-`-F`7F8
zr;jjmW94V&g#+6RqeakvU=#xnA~O)#foDLVpjiJimWH4`#LZ_ZvpXqx`M5fJDZ2Xl
z4>zK?WzO-Ray)mh3-pZe!tCC2XTP0kJ9F6P7G&qFU3@mw^XXBZLb7PY%A-bB8g@yf
z%P*5(zdLDp7=9~PI7Lv{JV7jjuU%r&_N{!gJ^(s5ICRUU9V^J|2}eQ~DXARd*njAx
zSn<RiQtel)^inhTs%L7?hl`)gJ$vlUuKcI*Vd8m~IKruSr1<idkV!LiUZ3veaqil#
z%Rfi=>E0J>B8`^zJ}#;-2M$+;6uab3Qr4^WIIt!7#V2R(xDBG$??-&l6fv5=HY<Ev
z;cmy?ooh)Pmt!0|%qL531BE5aw4F;!lW!ikE%m~y^0m5l8O$#4E{b>@bV1v~?f%7+
zqDE22Oz_GFf3pz<2kuV~M;89z)L$Hf9A=RPhwpF0ISe4W{tp2}0BmNme?n1;P!MiB
zH#h%K#dv-tfEz$(QQS-||7uQPNEGh=>qiOQw}6%w1ejA8^ak@|*fEVssE+yfr@Jf6
zkqrP7`N0sh#e{(*3NSv>N#u(<jdW5PvEKhxo5{S4Vtz0iq^}PmkvKji5_+?pIiNxV
z2>SKF_50W>GFga=NG1|VBqAB1AS7EME)p6<`h)-L--OvP?0xn>8vuKm?1w2z5%;SG
z1(no8z>q;<*nw_vP^bv|vmG96P*}4P#s&o{kj#q?3c_F1X@tfo4+_fRH-P>@VK|^-
z4iXwjBs{Hekmv)&-+GKtMwE#NqC!NJ(J_KZMW~;HqlWe)PUS1Ym~Fs;w#PqvW$=$P
zZZPi3P%I&pOROqiRVW;Uj}KQ6;SY=Z(8g#PXDYaL?o$oU%hG3DWQjSI$u}FGe^k3S
zE--udHC8FQu+S5{uHuZ;)&mb~9=|!L%_slpSwdK5^oFz+zn0h!d0iQ|YXr?->)2%Z
z)Ky$0jMqs@oX{=&T-|l*WGC5@ji&06HMc5lNjIfw4i$#P!nB&;Sro2ogyl_J$$6G9
z<H1(T_tyDA7p`(M=5z@f2ifkc32*W{6?mds>pos^cA<6~yX33MPm9FLs}IQPvENL0
zrmI|WA@5V=z6o3jrL=eujjdA@!_+%pZ#vDGG;b}Qa}qD0(H(BEpN0Jxi)}FN*5w|W
z8oqx*k&8qeMjXDFGFTvH$h<G63_2rB8Afi3pD=?cb&yy63$EYbn}tUX&3fH1qjPHO
zH1p24>)o7uqmpoSiRmlM&c$v{(+>80wW^(ix;SIE<I4q>jl!&%$1-t-d?drRM~fWp
zH>S1gY%!-<bn@9~=9YRjSUitx#Z{LZ5j+$x6j<G<ub32F!E#(^`WC`^?>d=%*VYL{
zKGQ1LFQ=O-cATd`f`ZEmE%lfUP2F~1PEg~#ygJ><!75O^rz=&iI~P2>YQ@S~!clEg
z)9ad53E2ffWR=_IagEftXH#t`6Hcn1oOk>wbvxG^{|fu(#M7G7RyJyFZ?Zdne%x-P
zPBXIbiim&aHLFmyc8yG<O(NP?FKb#7%zD-_P76^K4`KE(S~d#dfb+A}NBdphz|)3X
zV(j<-s{m*Pll|5drO5iLd=T9YyMZA-$gq_?=!5*}V<hH-B!sYFKF9)Ky*DsELgOnR
z#D0{05N-cVV893YC!hy+Fy}2d`dt#tY=^icqXy(7c@RH5d<<0Ke@uW3CYXo_^_7%&
z=-Wyr_DlTTC*VeX0zA_v0DvoQ7Zy!Z8-MYMrrNUV1F!amuV`^q!(HX8`ylY*Ax`?j
z8Mi{g7RkD&3fwGV<&PDkwt#t`%Ad`R%dNTc`i*Sk!D_#$HJNG8waeu4%8$XT`P-h(
znkezmjiI*PA+XzPR$laSiTVz0a<rk13ejU>ifFB4(t}d|ID=|%9nC?HMNO2YN5|Qh
z-mz7GjigmdS-{RqHQH$p)%WdtNG>T{ch0qW!BLOag!Grv4LvRd?$sM91`P5=M>E9_
z6&>^bYUo<|VpHbkOpDfIYmcW)RXV~(I4z%RV}@H8pXl-Wb$yq@0rzIlIvrP@WmV=y
z@4>Q5ep~pvtb-IzcE{#_Xy%yksNW?hL?TX&u*PWkg~OnZs3EFfI1KV5I1FDk$*B7V
z=)SR4AF}qIXv>{&mL)1?Dy!U8AkU0<agAkn>+Db|(->npd^ofrRw$@M#j1Cj)y7MD
z&mMVPjWLCz!&k;y%{q5|Cr$Rfx6gFZq?;Q8SBdOaG!ipnIi9uRVy9q73Cq@bE{q9P
zbPX%6$~`YPmZe14S%tg!PG6s7w|z||i%FuFh8v4ja-`wZ%Wu{|9fh~tT*Xb~9Tq%x
z2~53FezACtp=Lg3Yr%XThxo=L%K#f|%h^60Cnn>~X=2$gZ#=N<4&VAlg-37Vey^a&
z9_=vqm}9}M;?W%+GJ&EKzB%tQ%=T+1MCng9_LNgRwti_ZtCSdHOYZJTfrRTfjp%oe
z1z2oAO$Ram9^?B*wgllI!R6~lA>-j*O7`JD(|d=CnQV-r6xjZm6T$vpcOuMty?`N3
z#IP+k=tTVCgKD1-p*#-rA>@Gdvza~w=_?<CG|E1N=_?apz=s%uhwv??yKuhWUBC=_
zh`aFLx9=g20{Lr4fo%J?M>5Nf{zMocjI>i}#3_G1B=2^pvn({__F;GNO6sxrhTLOL
z1^1y#FEST3aGaBDD9|`vT$G}qbHrErMXYNTc}H9411TVI?zN>1$>djxRPDQ@PSZP6
zFB;C%l8{YbvnSFpu<2%*nlcO2oZY+Zo?~$+L#j6yu0AgDBFPLi2<*J%bcmO<LUS&@
z{&;(pv8vM3*EXM=3|N<@*#?x3*EMgRn0~%BaLUq+kLMUIk7_(3v_#bV=xdRMIk<DO
z^cd+(htjoA<}^GnQZQUQaZ~s#^`u#cR!veLPZwKp{r1z<WVY2t_onG7s&yBow|WRV
zilo-0m0N7xeriL^R_UF>R_=C4j^!SCoAaB~iX@MG@O{;f?^Q^|#S!q`<_ml`LFNwP
zJrm#6zwaI5PsjVx_tR8Wl!y?U%0~No8S^zFj%C4n1NV3qJ3pu@?i8$Wwrm1~V6fSm
zYfU3>Wl6BtM<Lwpw|>MNU`Kk`h3)|R*?X0r;G)C8yJy=cUTQPio_kNM)c0u{duLSL
zopW2*Hg!^W&DdC)K)&dA?HvECg5-icu`_#~*>}vJx!@d5I>fXAX$h{eN7m`eEj4?3
z+R@79>47#v#3fdn#3OJ;eqDz9F|pN}sbO$ix=>YQ4D!*;J^+6uuFjv4UOiuLb8pk_
zo>wxDJu6vwJ`!{dI5H@>j1Z?5Nv8{^?(@#w{gK~ZFZSr2!_~Id+dz{;@lf5C&V#LQ
zW`v)2s*-+lEDevE%IM&|MD{Vn`3JptSwy-o;}NZRxNS`R^Z&m9Xcd$F?i8iS{;QS%
z9BhMuA?Q79eGj7dpFU>x!FM1YgKuLXiS2LjZ86I5ZLf(ge-HZ_;%{*NmI>$018|Po
z>(7RBrLW;!$@brm7|bt^nZXa>J#R9#*0>`rG1Q@3#NuI(o5s#7lhW_Meo&V45Fl1H
z*aqs;S~s_w&aCmia7+45inPP&ZI^W<a=89#_lwS!Anus48JO{=_8s|1r~BsQXSLl5
zYP{zKoT}=>7Yn`+SWIwFSyo>Ntz3~c;i{Tb!AcX}^XuH-gQAM%mp3Rlb`oBjQLR(g
zv2Z=&*`gHb+^nHzZ-24pU1#TxMK256YDyT1HGlEFUTWuzlX)V~IL)&+)<NikHQ&D3
z#Vo0O>x{b=Ij$;~+q314)vfJXXNYsc+OIU(yI<xrsa3z4W#4{$n(k)1<v9nTX9BD*
z(ieN`zML(hzR*3eQL#=UH^)9paXu-%AMcBhh<wE33q-d^Y!T}(5Z(A+E%E<kfCmBX
z9<9A|XX9r?TC7%ZE%x)>=h9|y@D0AuU>@6}b2m!6h%A!l0*hx&Q@^bdc`LN|%Hhd%
z$@;9sb}3Eo1CzGCU3cE4`iaRU&(#NtH!I66;GI0v^C}<TeImX+w<+hQmD7qV4FMT1
zcy$^}LS#;)8>rD!60-8T)@8&kt6#^${~o#Hu|8I@Fmw67^>g;A%PHsXpI7a<>d-~n
zo%jf;HyH{$%2KOXC6Cqakja2?3LE)L&2)B^Cs6G>IrRQIpC&4QI%?e6*DQN?uTHQ!
z>2V_B#;qF1h4#0F1W9hPg3{(*hdfqZm=IMW8Ir}#_VA#^dg`S|Fb`kn+vmwHB@XYy
zcU{=K2{neF0K^b1xw8=Q{lVu@5lY{4zPAGnxAD0j|C0bnhspj2C`ys@S3$U^H3AHQ
z@L{X$3kd(ihrzy`1Y`~j!aac`8772V2!2tg5x%1g;T|67nHB$J6@Mtg;n<mo-ra}j
zm^}^w^wA#%h5)?s*8s0<JL)3@v*yP4+5Z|CN(0vXi-!1b(3%z816xwKfBKe`6_Xl(
zVSGVka7&6h(+iXu*pjkd<kkO|Eh&_*`yJ&wx1=B=zsVY`#1Y;S-DNhxL}n{QdT?PN
zfHlq68y5coeP2Hq&m=6Bk{sF(ym!@Jny)(_{EgbPe;Xx;mix;K$aLwvbNEdg#rmDv
zwK;AnTVrHBA5<D&Rgv2D*T*~YimXWs!-~+~|M7qs0QiYHufapykN_kMi9u7q3`iOZ
zhi<`Ca67!|`x;=3{wsw3luf_^7oh=;+Ph_b^cfJ!a42I%85_#jQO1cf9+dG}<044l
zC`@w4jaJ6^AE>zR7|M7@w_R8~a1j>ZPw+uFQ2U3$4glH)cEF~;y33Ezs8WO?F4777
zeUOdocPlXbyA>GomD(vcjARqF0@9=SGAA1^C-=}Kw3bCmBt4SWDe2C%n8ndU-om-T
zb^h*@oF*=D(b*ZEt2P@&cSe`#`{?rMuUto2eL-TOG!)Aa%dvR=K0joKuPZ{B@b<l&
zf4EHc;pO%v6&_+r1ZlZ>RV%kOEw?vi@X0+7-yQDg>VC|JMp-R;?f$1N(Ty?s@~)Rp
z7~E&M<e1)^yza?rezUkZ<Y_Q#{h2eaY2Y#?go2wK`)PM}!g{UlmxrrM&7aoXbKly2
zP_a-<rNAxfmQ>Wr_4h);<~h!md*YMmzKu8k$j$PyxoOH;4Jus=BO>G$KNEPj$Sla=
zY@DZ^Q?G`thI>L?yYo-~{U7r4cJFd`s&*Vu$rdoq%g%*P@zZTzD7C+`D(8$a(dzE~
zv^6AevgOSJ+bKdX=9xC0t*p2xxT@goxo9?C|HajQu+M@M?fO#>>a%);Ajy`3ZAWEF
zvaQ)e3{SD#-?b`TySgf8zoGAZx!4;o<#RRTVk=|h71iQcw~MNGCC94>JeWZ1(RS*o
zO^H>xo>)FP@1rRGu2#*I_Y#@eOO&?AaO^8yS=cGD%j?n2(7Dp<;m)|bCn9l#?iefI
z#`GA0+^$CT^2)P5+ASH!$VVx*Z0#fmN$$$Gd_h$o-;-9ys_oQg<D&ES5cb#+Z)8YE
zfc)MK-WEl<^G~urlD!qz^8Chz0NNsRw0HkL#@Iiv94((^xbqVF*Z*n&$dt)`b4m#2
z9oSFm_0#v0#?Gn+MqY^;oC?G3U+gD^Bx#I)wV(8RX5n8?|5d)8{;T}>ep2Sw7mZTj
z`BnR;!h~~xA<MVJ_V~f&+q-`@@L{XBXia_RnPDTo9lUB#K_e`*)4c54Wc^~!n$nNc
zn>UmM*g4)YlwT#HsAODH_b%v;`$M(1SKiqbnulfyUEJfWLA01q5%}2LN7U~~ufNbl
zT-h1?i5|JShv{c5+!I>fA2m>Qs1OT1;~4%b!$`%`T#NWPLvbeF>me!Py!1hVlu!aC
zt2MJnVMBY1>s$LHcfELdD<ie>;$HMJlNWbS3-cS@f3LALzc{XuMw;pV>`<P*dYgg5
zLheTXqR@voCcc~!MIWD)pM16YJcZ0yG*zLB5wNCu1?YY1@gx7x+BdDjZ3Y3Cd!$@L
zT`xsP)89uiw6*uHE4s)=o*Z&dLnb<^NG^J#TuSHS@PaEdM*jyuKh1>zfVd?V4{t5(
zO427dEuk#iB?@oRH4$-?<(?{Yp(?Z9AvqeM2Fl3W`^O*GyQ-nRatqn+{MkE`q0Kw;
zk5zqgRB6Abu%z3zHEa8OI;THJl(qM!iXE@JC+SWhx!%dRZX4ZnBkb8E86v(Z47d}t
z0J7Y=mp>*#l%AjSe1iApnO1sUgvi76?(_#iI{Wxvme_a;t=sw$v~HY!@@fRj3dcDa
ztgMoRodPSX%3A799%(yxH@-@71=}k6spY3b&C^exm{l1QR=iqf*4|9QJKrZshwkIo
zTp_KPZn9$DLmF4_)stXV>?FDC4Z@d8;Pwan`4(qi%#VHfx-xM#&*R4_&dY)eQ2Q9Q
zp}2qG|4C>44R^v)KmJz(&^(~}UyQ#03zQJd|LfpC9X|*7JN$p^0K0zpzdiu}3p_J^
z(a%Y!U&BB3JK-Ps3jW2T6#0JD+uL}pEx^#<fe+W=2jTxuhbavI(e*!8hzo$YAbw~G
zR0Yez8~#NzjM48**x`Ajw$wkmEArf<yCM(&tQC3u51jvtjOY`5^CVT&{yCv305l!i
z4D-Upa0PrBu7@AMPvGZpFH<o_e>e@C&ihl&rT+W^EC?6j3;z5)avZ<g|KBliqVK@r
zzXQhx51cJLa3Jx(p~eH}AP=0NjJEK1ju|6v<M^wkE>SwAKJ_`3T49l7K1I@KMu4uO
zaBp&*zlLj3@oBZAvGobwEDKB&-L;h0FDVNkHy;sL!3x#*M9BYjA?vQt!E(qJln{Tt
ze3I9-1<CCTNsHd9@Pb7N=a<%WuX+=yQGCJro`YfFBOil|OX<~Whb&ZA_$|G%mMzn*
zyv*$}PFni#hrMhix5aPoD<CzMtbM+x=7S#j#lxQBxYz4sYVfR&nhxa&j^{Idpn9fh
zi!ME@j=}MP$44Y6q9Lf-T_-WoR_a_iK7D%f+_r~TE6=f!b)}(6v)US5WzJaLB}`3S
z()KuD|G}eIHf&tj*to0I@90gnuBA0S*TT+!a?GS@{`aT<-)f1U@CIRbSlC?Kk1RGy
zjPX9#lghRA^fy*CiC<aW=p-OBJJ&3)phu=*@rlH1wngJS_wL^QBA+ajo0r(Wagz+4
zks5!-m|pEx%B5=9l6NbMt9#jf!zj+g<7ZQOBFe1!i)Nd`ZF=+ln!7LDHdHb@E~#L`
z;n3m!$;r{qL!Zm)Iy7Er2Cg-?xNVsQF{GZyj<rfE|4CPXyyL~kH4S$itM<H`?r?oN
zTX5RN-5X;+Zgf_zC2G`jSnYXbS+@fYS#?CYS2g2Z>XfG2EOuTgC(pGUy;!HJEA92*
zZnJ$r)rWk=d43?*OZU#arl4Bu7YBFLZr+)6t6|lm3)92)cN=mU71?#*lkHIZ7{&8H
zu$kXa!usLPWX9(IAY_WJ|Bula{acDs5cpN={}~f+0Yer5hVAi#3jlvOPJLegAEPlE
Iqd$}W4_ZE4MF0Q*
index 03679bac975c8463616da76e676cfc8fffedfcf1..ab85059359ffac31b43bd6d6cf8cc3c632039214
GIT binary patch
literal 469
zc$_n6V!UY3#8|d~nTe5!iG}gTK^p@uHV&;ek8`#x%uEL9hNcF_Y|No7%se^~0nWi0
zsW~|c-l>%e!I@R53L&Y*C7F5Y3I#=(xv55`W@Uy7KvFj;v&2x(KnJ9ai$^sxuOuF!
zAReTkC_ld>zBo0xz{tp?2q<J^Vjw5Z3$)7A(7?dl(7@C(3dprEuz+(7D#>+-gMl5y
zA?B&6=<XoSX^{rPZ0z6=VPb>^4KpJ<vl9c0p786WzcqKJyUT9i^f($4?R{6_W#Zp>
z-HFYY)=WH<(P0|!MX6ij<=v#WikrXbh)yw3{qQ+kFZk<@$;t6DTW0qn2Q{-NgMk~9
zB16yW8l~$;Z%uq5v+KaY3G!S9u}miz7H<CEpz%mbuZy(?sAR|DC0BAdic=mos?}x$
YFWz~&()v)NR-Me$u-zHc1okWf08Ubu<p2Nx
index 8942a06abe9319f189ea2aeca5dff91087e66c0d..c5ebf5d4613edfc80748a7ec8ecbc677b5c31ef9
GIT binary patch
literal 466
zc$_n6VmxQi#8|q3nTe5!iCJLYG6OC)4y`tibG9tZOa|$OrUu4r%%LpIJUS5p&cPX}
zIXMd6sg(-BnN_I@A*sbBnR)371x1;;sYa$|WrhksQa35H#8A&b2c(UQM>R9ABp#t4
z9;BcsKffftI5oKd$jJr^8OVwA0<AJNG%zqXG%&S{0&*=3EZ|&&N^%|IU|<Jvh<R!%
zx;uz-TBLz68#_2em>8i!!_3Ie?8LyLyZq!^^KENgo=501admVR&y_lsHMw5*cJ&>O
z<1c=G$a|8_wQKGramCf)CqwUUy*J}(^`Zy9mJ{0c%*adle^q2Ua!@n7GZ?rqDMZ%j
z_e_1X=-DS$fwLU;Ulji2<mqvmvE5mgtMp$iZE+!!LQKX@zSnE@x5$>v2ua;{%csQQ
T#7)^<6Ejld7JZ-Isqzy5DE67_
index 78abf110f2ef35b4a4f852d79472c8a2b50e4350..de4ed3320e1c4706fe8cb8302b8b56c29ad19c4c
GIT binary patch
literal 515
zc$_n6V*GE=#F)8&nTe5!iG{H#q{4ugjZ>@5qwPB{BO^B}gF%d;zJV?qb0`Zlk6J{4
zb8tp#PL6_iYNbMOW>u;}NNRCOW?s5NQE{Szp@E^9Zc=86p{9X4NCOv-LS|k`JWwhg
zELD`BUlLzXl$o1qWNKDs7!M>3<ivRmO$|&94Ghc;4NNVgfLsd$3pm%H1So3^v0VqZ
z?Fd5^fF#%r)&`akHyEX+qFJg-&{dHJ!ffooKsaa1#K^`0W-v3dGdnS`^qZ9grX2gP
zU>myGqEFo{Wv>^b>q^ra@y&a9O1ur@++RhnImD1HtiyGGLUQzyU2H!BgYDDSuKSXb
z^eA?+nynIA=rT7pFnE8Fxw1D)e(8sYJ`*!S4@rLZjj3&Amf!8!B{<_v^2AA-X6&fh
z7R}xE=@0j_cTLrnj0&+|m=`>KP`Uc-EaBVnZEM{FTaGHSZt95=E7;2Zu=LC7U1~et
w@4fTyU+}7zmiim7?|S#W-?co)Mqtr{$P*J^CHAiJ>3*TG|3UjArGF=t0fRTQxc~qF
index f516851210dc4a13a2f26610418db4e04fb2bcc7..12de0969ec91bd2a2a537da8264e2dbd315be783
GIT binary patch
literal 459
zc$_n6Vmxlp#8|R`nTe5!iP<pbiUAiJhgO@%Ia?NHCWACX69XeQ=1>-99_@$#=irRg
zoE!!3)Jlcm%&Js{kksOm%)E4k;?(2<BO{X{Lj@qIo0M5%sAr%9(#6H2nweJ;50{Sz
z$rt74m&6woW#*<DnVOXW#Z1i%<ivRmO$|&94Ghc;4NNVgfLsd$3pm%H5-4j7afc3W
zcOVQ^0Fq#bI2hPL9AciDie{-UaZZag5N2Zs2M7}*G-Q|=*_oXfSi~y=IOd<6UpBd8
zzCGIy&xm;$v8wBvTxxnBmwbKk;ga;9khLKxD*}{N{{DB-Ref9#9L3GB;coKl50h_i
z<p26~3vx&^J2Dv9G08H#o#Z9Y67|^U4~ucgc9uiapC&L(Ih&L|@l(cw`9SIaZ<}}j
d;r{na_3_WQA+aW3EBw;G?Vg;YuY1Ll1pp!DmZ$&#
index 7a7de11151e19bf03aca7b56dc615e7a68d4f4fd..16681f8a598d35c726f4f9e72225529abee19915
GIT binary patch
literal 562
zc$_n6V$w5cVw}E!nTe5!iG_*DT*H8ujZ>@5qwPB{BO^B}gF%>~zJV?qb0`Zlk6J{4
zb8tp#PL6_iYNbMOW>u;}NNRCOW?s5NQE{Szp@ET!Zc=86p|XJ@NCOv-RAydDJWwhg
zELD`BkKh@|iSrto8kiay7?>LZsVE@V!oUK~HAo`CUPCjmy-*EYJZh<_P>X;vc-+u9
z581bjtPISJJq!ko9ZZc43^!-L?>+da;q#X{3a%%^gk3Lcui$)=l)P%|3iV0%@7%b$
zXwR$l$A0|t=l&s@Br0_(DsaLNvD>Xu74zoaK5Mk6DZ%yGoX49#ME*4BSDGB`#$Neg
z&K!NcHLBlstvzI<D_Nd#K<?$N$g5=^X74<6u4!7&jmrtMcDEfl^7+TH6%X|vFJ)q8
zWMD*#3+Bc~hM3~JaTRABzsZ<v)yk~7z4^oSEWxL3Z(>d__SB19ZvNWped{0J-xodh
zcqw!k&aqEiu9mX9`TTJPH^ocs`6`*&c9Ra*`sVJ<eLL@{*r{!u+x0#MoULp$eRm{e
t)^ma5l5d|1xqsKTKmVI^+k)MfHe6lazO?OZ_C1@E4h*v+?afwO0s!1a*w6p~
index 318be79df350fd727354097e5846e9508e755edb..869b3ca8d67a0d6fb93b0f16075a87514b6d8d13
GIT binary patch
literal 562
zc$_n6V$w5cVw|ynnTe5!iG}f-_6Y-CHcqWJkGAi;jEvl@3<hC_`Ubje%%LpIJZcdE
z&cPX}IXMd6sg(-BnN_I@A*sbBnR)37Ma78<h6aXax=EQOhROztAPrnRQki)r@j$6~
zuvAfgK8$B%Vjw5ZYiMd<YG`0!ZV05JfLsd$3pm#xi3EF%Ou+U+HE{8$rKZ9y(#7M3
z#`(y;Wn^VwZtP_+XzXNaY-HGRzDr=)0<FLKY#+jAN0?oI)2ehL<<fSMId`)~U-<mw
zZt;k*KGmrB$1P``pxk$R-t_*w-)5UwvP`_1YNJbZ`Hz*%mYKgMS^j|PHRYSPvsVhP
z*_<J=@O!TW)8x0)YW4+OpKxe}&#H^HvL@`R0RfFi9377~&IsmSA7d3Ld)V}#ClfOx
z10z~wFgG?Z%-??Q@vWtr`%{#C*KQWxdre`=!eEo4XS?q+`*sR$t>4Vh)Kk)Ncgw-a
z$<LfFu3J3mPUT^ip8<7k$})3|R^FcdUNqJq`{HC<<Gjey&bM~In#_L9=05&<R>yvq
r_l#^?a$=O$y<EEDwC?j(%i8$qwth9{7w444ygpD;rGN8n{iOc@JJrna
index dd0d891762e6d95ff54d8be4d52452cb4c90c94b..db7dd02afa9282e4458c87fcda23ed72f73863e0
GIT binary patch
literal 563
zc$_n6V$wHgVw|ynnTe5!iG|6lfZ2eTjZ>@5qwPB{BO^B}gF%>~zJV?qb0`Zlk6J{4
zb8tp#PL6_iYNbMOW>u;}NNRCOW?s5NQE{Szp@ET!Zc=86p|XJ@NCOv-RAydDJWwhg
zELD`B591k{8OVwA8k!oI8X6dw8v>~)AlJgc0?su^BHdo71}+}8)KrAEc-+u9AKABz
ztPISJy$lA8olK354Eq`my!2>mmw6a`^+;{7O}oJ5*(-abjn=EN_q^Jau;3DBqLmcu
z@2MFFCTyOvT*QGdT46y+^x^PyolIZp--k3d9Nf?nDYv$e=fuIc%OaOrg$eMgT0f~v
z>|HQz&Pw6)-NtQva#d@?rq1;V(VQG->rs0&v|3SigR;wmWMfm2GMREFW<~}^w8&rv
zx=Z7U=P}uB^{okk!tO7Y{{8TIk8I_afCuug<rY5Npqn#;Z@ZS$M4dGqGg2p?xc_VZ
zW!_GCiQ4PzN1vVjvf#am^cS}&`X>#RoQT(2US+%?K*D~0t;Pw9Z_7L{m8Q6KK4dLi
m<UI5JmTnfma=mLOx-Zr#+LTP5UeWr2<6EfzlT#n3^#cGm_{dEF
index 9fa9c4f0c3e577608fd18d2c8eb874b6ced94f20..506c14088d3183ee26e201e4fece6c393fd13935
GIT binary patch
literal 563
zc$_n6V$wHgVw|ynnTe5!iG{JGFxY^XjZ>@5qwPB{BO^B}gF%>~zJV?qb0`Zlk6J{4
zb8tp#PL6_iYNbMOW>u;}NNRCOW?s5NQE{Szp@ET!Zc=86p|XJ@NCOv-RAydDJWwhg
zELD`BkKh@|iSrto8kiay7?>LZsVE@V!oUK~HAo`eUZ@5x9<|g|gtd6w&^RC2w~VX|
z%#FPa292Fejg1VuPcL08anGsx)w7j)x4RaYey#F#Ke_CB?54(thBHhz`<7pQ+Wr5}
z<^xZE9XGDZ7nHp$>Q;T(HC=S_Q<kfX^M1_uQ{cMq)bXnmIn0IKcdt5LdwHjM+tUb(
zsrDQpe^#G(&Ho`!tL5LWFZ@gNViO<Bdc3*mF<&L%ujxlg<(GxWu4U9SF*7nSqD2NX
z&|UVdIXdF+WZBr{S6B6(IWITWR4waGQH{`N&R5&IQxrm8Z0hRvKT?wN!ei<Fb85v6
zt0O+f-ZZ&zh9~ClgGdWe|9RpJ2U$+^wWssygfH{hezhwz{IuST=0;~nn?v$b5|W-Q
k=h&D0q~7FAZmES><+oz?r)N){PKxDyJuP|j(c7$S07LlC@c;k-
index 6a26ba4cba1012bccb66f4e4d3ab569fecbd4c24..5981cb4b5ef3d6ee3518d8b450f39afdadaecb7e
GIT binary patch
literal 457
zc$_n6VmxZl#F)K+nTe5!iG@k#cE14^8;4e#$2nUTW+sCSLsJ7|Hs(+kW*(i00O#P0
z)SMgz@6<|#;LNI2g^<+ZlFYnxg@U5Y+*Bh|vob>kAgP;_Sz@SfpbOH*#iN#)R}zm<
z5D!vNl%J0-W*{fd3$)AB(7?dl(7@C(3dprEuz+(7Dhy2wj36%2#_f{g)Z_vqBa<Sa
zLySzo4skHBgE+)IH8mbC9S@Qw(q(=I0&MKy5Mg3uW7TeCVNhhYVqjU^e)oe;jL6*T
zXa5=ITWl(H`I_>Y<E{%Mm&LD`%huUt2C_jGuiWI-5B<~Jz2z^5sNrS*?rljA9wUb@
zvj>BLE0aQThDVm5g2eW@SLf%e)~hXe^hhN}c#7k7r}(RXmYsbl%%sThU-Cop;q8&K
e_b%2?=VdpL7JZgJ*<kaEKPOUymblJRxeNf>vymwP
index 77191698e7a22c13a23a49ea53360657b665e83a..b32cbebec511a945583db568d5193d855f4b0917
GIT binary patch
literal 445
zc$_n6V%%xa#2CMTnTe5!iG}e!Uxon}8;4e#$2nUTW+sCqLsJ7|Hs(+kW*(i00O#P0
z)SMgz@6<|#;LNI2g^<+ZlFYnxg@U5Y+*Bh|vob>kAgP;_Sz@SZpbpZ;#iNj!R}zm<
z5D!vNl%HP`UsRkJZ)9L%VIU{Y3$(@5(7?dl(7@C(3dprEuz+(7iVRH*j392%#_fjU
z)Z_vqBa<Sa6O2s2POvhtfH=W0H8mbC9S@Qw=q5h{0XBAUC@?Xyv1&K6FeoxxF|Y^~
z`Pi@;RUG&jR8XxIY?+p~P{}FIBm4Be-OqRY?@65e_-hUaw^YN$3dfzlou9R9D@V_(
z3@QlKLJm`A4+aBQCWXkWmsaWT+BwVioWsA1J%64Aa&8yVo9M8-ewxO?36`RcOo|Mj
leJ;to|7-1kt7y?h@eJn2M_V6uo(b(=pSU3Jp5qSI<p7}ejuZd@
index eb530b5a366529fee13839b3b9a086b16774027c..48fb614aa91b87bdec1126f3de1f3d97720e85e2
GIT binary patch
literal 464
zc$_n6VmxEe#8|X|nTe5!i8*%i1p_WN4y`tibG9tZOa>W-rUu4r%%LpIJUS5p&cPX}
zIXMd6sg(-BnN_I@A*sbBnR)371x1;;sYa$|WrhksQa35H#8BTr7o?4gM=dk2Bp#t4
z9;BcsKObGpKu(+&XqTy>fq}W9fvIH_kZWOJ0p}W27@8OuL0qDZ+a<-R$pt{uvJnn(
zFtCF-#5^@M9xe@b29YicGZ0{72Zsm~BO9xBBMSo;vl9c0qM79`+t>*@F0*w~+x<=&
zNj?%Zi4k_^k-2p}t!(Y}`dJl;(`qh1vrxF`8lktxCi!lV-LuYQnTQoxucmC_`Q(Wl
z&deSR2Chts3=`-6wo-ebn7r&h)2Wzd>+DOv_8(hqbz$CN-zjaoB%jS=QV_4OteCzt
fK7^^rY}JE}6~Wu@&)wQ^%1WZ&uW!S{&z*As0ce%C
index 2187fd1c14b3d65c0a486d1668dc5506e8338387..87c06737c0a3affe002e1927430f4e20cbe05fa3
GIT binary patch
literal 486
zc$_n6Vti!K#Mr)onTe5!iG}f&(k}xpHV&;ek8`#x%uEJJhNcF_Y|No7%se^~0nWi0
zsW~|c-l>%e!I@R53L&Y*C7F5Y3I#=(xv55`W@Uy7KvFj;v&2x-Kpmuwi$@_duOuF!
zAReTkC_ld>zNk1c-pIhj!az=(7if#Ap@D(9p@FGo6p(9SU;*bE6d9Tr7(v{ijoS^y
zsmTS#7A8f83P2L<1S<mzh!YG`Q{&;%@gQk}ZYnbnU}Fb|0uv(}t9By`gA#KR1B-Y_
z`Ni4;!4ls;24`O2bQ0wVy}QW6B_({)lD3=q_jZXEUAlFDy|T$PmRGw^n7hV?Pd>GH
zqP_dYUxiVJ+3ZFCiYrDZo6dRClD=x<()*X69nC9w{eSnt&iosV&M%mF?lrDL4tr)#
z1_L)HMTYz4Da)_2ugKd}_4H{G+XJVrgXur+Z_Nuhdod|7leKvwP{|!Bj`x2Kv&p>5
cKbgjRH6&u8*Bs%dJul92^r<a&eWy?i0M#O<h5!Hn
index ba8bd47c62599ce80e8b350ed09a98cb12281620..b2e2d2528b21591d8c35f8b2ecd9ab06ba58d517
GIT binary patch
literal 565
zc$_n6Vlp&nV%)ZXnTe5!iG@i?{HOsJ8;4e#$2nUTW+sC)LlXldHs(+kW*+T`0O#P0
z)SMgz@6<|#;LNI2g^<+ZlFYnxh2qrY0%Hr4B0~irshgBpVyI`J1JcFCqnepl5)YS;
z2gw)Z=a<A66lLb78kw4v8O8%i137VCLsJ7&LjwbILjzOGC?MCuzyi)SC@0z-rbdQ9
zcK}JSJM0Z?A?`3sO^t_3$AhGab6DeS0|7R6aCk5=vaxD6vM?w!H?}dbFrM+uy{I1Q
zEpPa)<$X4r&{w`S{<kx7427gNhGpzm_@E&8^-;*T@1lw;vjX<sQ=F2xT;1}xV(e^z
zg<C|!zE5_j6J<QIZJLa1a(J}wIbT2bPokQO7<o!|Zr|bi`9^g^s-d+~VZo{C=ZxQ8
zn$*4f+3X(=eH@B^cv&Btw`l9b`*SVc<?sH0997Jj3<haTh79|;F8%C%+AMXxS!v;=
zmRZw+(qz<H;u=3K)`*^*ZLP9t{SL+Zdu#1&elVu56Iy>h9H`~tnG@62JnLE$>F#H1
qJXzJ+e2Vaew5wK@D|UyohTe{SUp$L@*TDxX1y0ZCoWgRX=>`BHXU6mZ
index b42eeaa59f4af41dd45b087a778adc8157312997..2d186fa9f48f51aba0e69adb8419bebee037d577
GIT binary patch
literal 1008
zc$_n6Vt!-L#B^l=GZP~d6AM#V)@%b_HcqWJkGAi;jEvl@3<lwbCI&`q%%LpIJlYWf
z&cPX}IXMd6sg(-BnN_I@A*sbBnR)37Ma78<Mg}Gpx=EQO3L36qnuhWQvLIbtJYuP3
z@tJug@jxZ<U?r(#Mfv$926E!OhNcFlh6V=ah6bh<Q9!PRfd!mvkVcBd1_+Dw40IqC
zs{$=fO@-NOpo_yDO^k}jer9B4U~XdMV*rYCGBq(WFr0mMy+?iWjVT{2EKUSX2vkz`
z(k^w@m-sR9da+&d?gM+QH?-gA%3}@l)lYLU?aw|^YW#S;a19&NnfylGvq$IO5npqR
zDT+~1{(H4d&gHO)Z^DgYf0+v~?(RC2d*)O9&nCMAM<edWd6qrR_n3Wd=4tD-L6$W|
zxfgpm=A;}ulJcBIU47l(WgG`@$=_PB)9BH`-VaO9{B<$@{N&q#j_-XMXE@oOK3cm;
zOhnNCf#u#uvz#;MUoYYQ%bzb*-gv+KbedC7Pn7EZW1KU!CVIbqa_QuL4r6C^CK;R8
z_megDhTc(7nUekbdFjeE8!k?o7XI+z;=@H7u33M~J@f5y-J$>Sb5iY@m>C%u7dLJ+
zXk2Fy$Ht+}#>mRb&dA6TWDsEB2jd$swmD^#loVL$>z9|8>!nsC<`(3n>LusrT3G;r
zK2b5DZ{P!rI9UZ2R|97QM>Zj#(JYLwJzJ$fkg>UhlhHuiKoe#q6Qh_c)XLn-5@2db
z$<Iy9%+t%sPfpCyPcA4%OUS@TWn@@VSLYq|k2TVyL?r*pgkz2_uG3CDlE2vUFhN+u
zZDYWuo!>O>r*G}K9JQN0YuS<opLZCGZ`{=LX4-U(%#tacdwnubryS<B^nAAI=6v2y
zh4(z0d3v_&o5J6CBtmGnn?Lhwm*AqupN`)0Gzr+Etmn%e_crZ+LVR?FD{tr(CJ}LM
zmRB1Oye<qfth~V=&2~z4$BU1py79-KpSgc0{?yXnT5(sjI4Y(dUox%z-?T*2^M-ae
zxI>qI4Y|IMxw3w}=?}}<zo#fYy2TouGkM$oXB&=Rw{%v|d2r`(OzEk=JM{gE7<s>>
mz2Eex{CvdcH4D$rSTy10{rcFWT6HTwdGdPgj(*EIF&Y3Gg@(ug
index 230084e78585461db09f3600e65c3454b3456faa..db78b2d2c9203638239cde4485bf8596dd0de5db
GIT binary patch
literal 1008
zc$_n6Vt!-L#B_B5GZP~d6AP1aYKZ|a8>d#AN85K^Mn-N{27_=z69XeQ=1>-99_@$#
z=irRgoE!!3)Jlcm%&Js{kksOm%)E4kqT)maBLfoy-K5MC1r66QO+$GDS&%L+9<kK2
z_{_YLc%YJau#(iWqWt_4137VCLsJ7&LjwbILjzOuC?MCuzyi)SNF&8!3xvgb209Rn
zRe=_#ro!yC(8b}7CPpP>KQpp2FgG#sGXTZ8n3@<F87_I8NL2`rw!cvDDB`nw_u+q9
zk0%{0jgG(Vsar3lZ{l<C`tS1FX-}+Qf6ZHd!hWrd`0=HQc7{QsC(51&=1Ui?|4}S1
z$#P^b=hkmJ*PqPX8<f`d?9T=d%eWJ=ReR$bzRvbC&kA%fd_G&>iZkblQR5-?HNumt
z6wKzon)6L>(wk?=zhc(k$q^7Z+2qJ6pObmS_w$`S5<*`0{@CU2IMDGh)yOLC-P%pA
zwy!<(!ucKw?XG%qRq~5cbEe4r9TP8|K4fNG604$js-(30bPZ$P_UBKFtIq#?CGpy$
z^ujmQ<f`Ozt*x1VnoArVm-X#F&S5N9dDl*(wRyKr>olFo@6#K0Uesn{W@KPo+_=%8
zah*XN8;3R<BP%OABO^<YL4biDjBmi$=9E!VQedU8UtV6Wms*jSTac5gmz<w#WdQ{G
zL`8+Zfe$d|WEEIk4V(=e*@S>bvoOB)Y?T5*#^w@EMgwgFO_-HTjAF7-D|0JLfXN{x
zKQ}QmPcJ7wIWb2+xu6&=B?DuXfuSQi=*i9Sj}u%K60*$-7fUnGa`u&q*W^>tIC^T%
zjkt-e1{P%+x-rF_TU;*LIo8fHjy|;Swj9%pg*!H%`X6up=B{4$r>Ix+7yQZODdujD
z$eVs*;rCB6&Pqnfw`X68YJGII?wyQ=A?KqyhTG*~Od)fZ3AHs!XYN?_K{RiMRj5mj
zLesj;Pct8sJFO7<axgMayl?J5#)yYn+b%V-*2KHdW@A%USR`C~>d3R}+t$BcbEor^
zeho)`=Jx76Re>}2Y_&PrR(GI9!)DnWh2I4)Cak^3*?rNdM$5Ox?@21}k4xJaPqoYF
jT)8iC;UM#y2SPi7_I(a+|MLB0j~oB<=aUl)D|P|^<a2(h
index cb4a38934fba2cf2a4dc5aa5caa6c2034157ada7..d378814c8682d191f99edf220957f2e08f18707a
GIT binary patch
literal 1038
zc$_n6V&O7qV*0dznTe5!iCKBkE(2aRPOUbNw(q=*jNGgY28o6y21abmp)AZi+7SWH
z!5OJJISSsXl?uU`RjCRgsl_FkdFcv8#fb_=1|}A|Ntq=I8m?iQhMETIAYEKM3aMrB
znRzAgKqc{DB|v^rem-2lz(7u%*U;3!)X>1d+|a<(Gz!SIFtC7g4GPF~f`x$@#0mO9
zD^pWZT!7z2O^iy&;lRksz}&>h&j1wXVrpV!WY{4v(c-+%+o?TOai64uo_tHOTXa!o
z=DqI^j;wmZV0h|&RGDk)s~K<nt<K~fy{UeCvU=Q}c^8}%SMi>GQ`EX#(Qu*m3<m9=
z=YJcof1fsE;=A*o^sEIA2`8Mo(U30oSvXxGZF1p_T}-t#^F=RNC+w{C6*$zF_J>hg
z|Ja2|dhzcSz6V%DOzC6geab(}q$%;Sol8v2@o&H1zh4;pW!LL72TOX+oE7|@8=c6a
z@j|y`5C5|EIPs$qf-Bq(uuc)|^Z6JXUw=$z>8#tKHy1eUHFU3gbMaA3+66)1^R}1f
z$Gq91<~$?1des`HcfxF+XQpR4e{qwt4Noh3sDE8?<EohX`oTssnV1<F7#BD0HfY>o
zkio{G&Bn;e%Ff8h5@Qf$5CP*GFt+(*l#~=$>Fbx5m+PfgB<2?6r0ON-=UQ0+0jZIq
zZ{P!rO<4sNR|97QM>Zj#B`l1uJzJ$fkg>UhlhHuiKoe#;6Qh_c)biZQ5?~TZ$<Iy9
z%+t%sPfpCyPcA4%OXtj>Xm$MNu*}<yQ@bgsMKAe4QNfC&*B)zra_;i*<9NFN>fw)u
ztjhb#4%n#K-m+`DS#{vzI=Sl;UD*uZsM_bPmYMsj?@-d|7ry7RT2>#JVX6}*AZL|z
zNl@^fA?KTok5*j^O{lqezjXFz0jGxtD>b&x^svsH+%<pG$G+Jeg*W<Gh5i`a&ggH~
z-!-RtMZfzBTOHGlEB#Jq)vrCCdb_hx_2+E8g-52GVpHCHexb%}W){6^LWcvK79Z=f
zh<VTLa`w<vY27`|?EAj6E?d&l6}l~BYva|MXX3+SZi$N-rD%$&2j;BJs68s$d{DV^
gJ|D-EH9`Fr=bke23%>vLVPew3xIYbxk1m@I0ET0S;s5{u
index c388c49d6bb0e729d834307107be7dcfe77cff8b..013d5c34c0b97b684357969a6d04a2ae01700922
GIT binary patch
literal 1009
zc$_n6Vt#AT#B_B5GZP~d6AQy3H(LW<HcqWJkGAi;jEvl@3<lwbCI&`q%%LpIJlYWf
z&cPX}IXMd6sg(-BnN_I@A*sbBnR)37Ma78<Mg}Gpx=EQO3L36qnuhWQvLIbtJYuP3
z@tJug@jxZ<U?r(#Mfv$926E!OhNcFlh6V=ah6biaQ9!PRfd!mvkVdA(dImZWi&cRZ
zr=}v?i`5-Xj7rFUW@KexZerwT0E%-lH8C<W-1qr7TmPWZF~$00^}8g>IXfHlq=f1^
z{=P1G#_lgR*ZZX%&jt0pNt%YMPENdb|HD7)yX<Almt1C3&6E&-!Rf58J>}KvCug4j
zT;nLH`}AE`-JI4*Q=b(*YyZ3H<Lp~!!~(xNMb6K^e&V=-h|`1~(N7W|Y?D>w5;PA^
z^S5m}bMs`B(KYqdxD%d+yQZG0urcGktWf=EuJNXjFP)69LjFYTC_j3Muf+YMm`{1s
ziZcz5inf<+{p4_uQ_O9b<7+PEuW~PU%N{$uTGNH=+RVgE^NUHwD=hi0F<h)NdzNA7
z6ERu8&i4KH>3d3K{CYWgWCR%OJ~eo(WaZk-8dZ^c^TM}OYfdI+Mh3>kjT;Rb*BQjI
zacHwKva+%>GO`321Q__i_y&w^P8lU71y=g{<>lpisTGO21v#mD$@#ff7C@j+R8;62
z_yA*0R)NLUz}di&O$cZ-3*&3gRw)o<Y%bwsG|)ECgjvbNC?*TFGPkk>m>g2_a}zW3
z^m6i(6La*F3yRTFGBYSL569_Ro@Kr<sbD^*!CIT|_qE@vyiyB%|EoVGp`dvJ%k`d_
zH39qEXH0dh$og9UhT9^2_LBH7VIdDC*ye1W!{RAu<oWt(Y}~zvQ{Onv3QP@pFBoaR
z@o>)lpbt&2SWX}FQpnIhx-<0ljT17hCs?<LYt2&V&%3U%;&PvG(>sTqD|MWw$Zp}^
zsc6PBzv^&?8<WbsdpcrvhjeW-6XHV4<iCBKqVs7Z<GT8qS{sSx*D5owKekj@zO&re
z{8nJcLyL}gDv@TQ+ibV_ZFy<2fcIzdiI@+Dd+gO}A37{}6uspT`x1le_D#DkN)^w!
e99m`l#%_++bScM67wkh60>1T?>=8H9Ukd>1=XQ7i
index d6fbb6bf64dd45ddd0749bc7b15f694b96a3b524..d377ad9aa0877ba4a292667a55b7c4ade77b288a
GIT binary patch
literal 1089
zc$_n6VzD)7Vpd(i%*4pV#KPDw_0@ovjZ>@5qwPB{BO^B}gF)kRLv903Hs(+kHesgF
zU>JvkhsoK|P|QFC#9`;*_02EMD@n}EQwYmUEjLs)Py~r{@ksgRS7qkpBr51CxP~dD
zq$ZW7E0m-bmnZ-=%Nj_76mj#21g9pK7G;)HD!AsQXXd4*7G>t88|oYAf~1*w)FJ|$
zgELZdazI9e05t<;6*Pd>6_pm3l;;<fWK?Pb%`=b_=QT7nFf}wVFgG+XHH!jrEetH+
zT!U~!69XfNk=k%0y;Ca{f-|d9;RY8KCn^{jm>B3LWtJ#txQ1yO${WZ+JR_D`7N40{
z5)V`o4_1;|R+OJ#V$j5>h#YE+tPIRejC>40aZaWtMh1pEZ_KWGY4$jj&TJN(Bj;0X
z{4G_{p|DAD!c%ppgP-OE*>Ha|p2agMIe5wBRgZY(rQK#{)z9#1ecyV-HQ$-vwYJZ!
z<)~t~I#YXz?5dy-e|A(ZEJ!v`5dHN>r?^35`MT<ugC{a%O%&91{7%)*dsH3cUm~dU
zp<ziwd~(|6{8Y0R&CB=x&uV?x=Bk@~VXMbI)^qVQA5ZLi(IOPk(P8kig6+oMy~$G<
z3r!5nSmfIOFInEz@9^o%y3>aPU!J*}HuudM{av!=J5!o(sy5g5->t0ki+9s`k>8Ux
zPhiLTYsZdwPc?P8Z~ig7u~8@eo$&A2fbzI~9a+%{KkTCH(z>p{Nn~PXWMEv}c)*}>
zuK_<WBxQve8UM4e8ZZMX18$H2KMM;m0kRqRvvFv%F|x9<GcvL`8#o%+!}tb_ZN?cT
zB?VUc`sL;2dZ`tOxdl0?ddc~@Ru({@k3C}a4SYbRE3mj408L{P0-D9b_}a5o3IrLO
zOE?(~v<)<2b}%uD$wKYOtpugfl>A&^g4WB)PfpCyPcA4%%Nf8pW@O-dZ~1n$`Ep^O
zP0KejZ5PUn`fT#%Yv?haMqh_dKmO0H+$0xrZD*8{_-8-=hx<;RI4)Md^Vj}X4uRtI
z(?!hrVO!t0s;qHk%cwM%7$Ww1gT}$-5nPp?+ga}|uAk|6`qZkGo&~`=?N`6(ZnW=c
zKiQ_MZ{5MRK-%`>#7=YJ2coIp9235spWJSKrRSL3rhn3$cO1?r{ZX8=JlkZJ2KR~s
zwY%OcF3x#+t;$=ypZR^qovlqQ3ZL3S3m(pF6W;joq3yAg`|=&1&E9Oh!7Pg7jZvI3
z-^pKs<){ArF=}bIUgXNbn<?;3VQIAC)!FKej6!+$^MZD74Bp1|RP$!XvkzA%m8Ql9
F0sse~go^+G
index 943a0f459bd66f0b7439de8e0f4b76fd248bee14..2a95bad9bd212d9daef723ec4b01d79db84ff90f
GIT binary patch
literal 1022
zc$_n6V*X{&#PoOpGZP~d6AP2#^34XkY@Awc9&O)w85y}*84LmqO$?0Km_u2Zd9)(}
zoP#q`b8-~CQ!5pMGpkY+LQ;!MGV{_Eii#5zj0{W+bdxem6f|7JGz}#U#6h~acmz_*
z;*0Y0OX7iQ;z4Q*<ivRmO$|&94Ghc;4NOg<fLsd$3pm#xkrXQ}5LRj$s6(t&09u)u
z2e;8e7sClnj7rEJWn^VwZerwT0E%-lH8C<W>|oMOS^NG-)#O|2(&SHCZ0@|jadX1X
zdrap(&xyUyy<hqMPP;t^c2CxGT3?|4xjp%m@xs^dAE+{vd0);gQJ(l!-@@^Z(R=^f
zD#tzj927NYb}w!6EPHhAh_xvz)8pko3h%}rs47wYv61=o7RApK0vJ8Y-k(cYD_~S(
z@6CB*%bQa^mL@O1NB&RnV9T8vReD&&Iq<RM%tNorlyav%clWApez;ydTRLyUcd77I
zEc-Px+tla89qxVMe*eR6J<ndr=?ylv6KvMj%h-x!%GO-D^|Hm7qs8m4nv1^mr`<DO
zWr)Q~O*u35SkT-B+b6ZnRbM0#nig%aDrBi{<e?c;cPp>|Tkw^MnUR5UapNh2#^VP3
zz(AE1W@P-&!fL<_qzt%00{kp2z(m7l5Xr`&&Bn;e%Ff8h;%ne-;0fa!Ft*udl#~=$
z>Fbx5m+PfgB<2?6r0ON-=UQ0+fj*%)(l_t{*`vVXYT#_($R-3dm4)%OXR8zlGB%fR
zG8$+bXu@n`Vic2w+Ll{c0!$()`MHUid3rhd$%#4o$pyt|=^7Z_3=D_=s9Bnu7&38~
zPm8&s5!fvif23kr+0v{7i4RU4crSJ$G2{`0I5Xqp2;T080w)hv<opw7x%I2aa23PC
znRQ1$mBzR&Gkw9*TE}>2-y6wuue}y*yeoUS;N@$s_s!RD@1Mmn{k_Fv?P-U*jE@&x
z-Y;acbK=fTvU``li+LMt6}F#6z0&`_!Ly1pF$R6kI=KNa_r!-rzFhrUq46ABWY2o$
z6FaWYPTMToVn3yh`SnckQ%!9K{{mu4IWKlxFD{vRI@o2#k4Lw@ebsoLb&{3;pMtXo
z_iQtk*_8>;loO6_zbD|m<eyNCOZ$e~>rO{S%wzOj+sSl&*84TDerh)yN;swdbMsVA
E0Dc60e*gdg
index 72eef2f6d9bb845bd5a2892fa2478692976052ca..eb7851c69b7ce3223801d3736afc1376a4ad1a71
GIT binary patch
literal 1090
zc$_n6VzD!5Vpdzg%*4pV#KO38W`hAQ8>d#AN85K^Mn-N{27|`shTI06Y|No7Y{E>T
z!7vU750kT_p_qXPh{Mjq>ziMiSCW{Srx2EzT5hOppa>G@;*s*rugc8HNmS5Pa1B#P
zNlhwES13s>E>Qq#mNk$DDdOf42~JHeEy^sZRB+8p&&*3rEy~PGH`F)K1xYjWs6_-g
z2WO<_<baF_0cr-yDrf+$D=IB6DbFt|$*9x>nr9#<&TD9DU}|V!U~Xt&Y7_<JS{PWs
zxd!2eCI&_jBemg1dZ$(@1ZP&I!VNAePE;^5FtN~0$}CaPa1GNmlsAxtct$L>EIu=@
zBp#?F9;_s_tSCRf#Gr{$2|3glSs9p{82K51;#^EkjEoE?>Q>6HQh7Bu{#5KjmQy?S
zb39(hsOhN0w|m{!{6J}6F=q~K-|R(l<?(A(^opB3qNEvlt4n^iFTLg!cILy5^M`e$
zGOkZtbEHb(*cLC_=vId1RXh6kdj9gSTYZINk0JA0t|;}ei@ZwySyvD5JNYlbR^b2h
z#SgRI-Foc%Zqprm#_fE9AC1hJ<<(v&&iZ{fc*hIDOB>(qiQrSL)eLOAGto+SM%rS5
zcQei}&x_n2+IjSOWzn>3Wz)wO)-o*kukyd-dHlZX*>5Z?_dK>PeZGIwRF*Gy*X`IW
zpRU4pSZi9j?A)7|Iw!uHz20%dgn-XsFT=RF{y%1uaS=87<kY)|Q*iU@T|1eW85tNC
zHy$u(+-txO3`$vHM#ldvtOm?L%77arz|X=0Oo40${%joDY>cd|?2L>o&IXPK_AtHy
zW1DeCNlAf~zJ7Umxn62TVs1fBs$Oz_u9XE4=wpu=eFGnm=?W~a20+u;gn(wTFuwL|
zl>$M=<`Pau18oCMm>o=vVzN*>aw|cJG$lV5n4<M^@{<#D^pgvU(Xs|JC~i~cxECvJ
z*|;o;>7ByofV&?Oixy2?w2H%f=kis(>HDg(UT)yuWh~uTyTL2eE_#B|g)bAo|K1j|
zj`^3)E+sLEz%JR@f^QUM7R(j2`ODyRmD~B4di)9Feuec_u_oqgxmT{;CVN0~q3WB9
zp)OPAEVG^C7|eX&h4;SAKNs(K*;yyQDTGB~`){MpW6vsOw4J{1`N5y~ae=dtyYtIs
zpSzp9a(_JEeIk%y-O0)WNgHKMUCw8$o>lSre<EMUB<U;n8voi$c?I{*Z<x1hN&JsR
zy++&@+Tz~^$|=udlu$n6n0WZ`#A{ok4(D)M3cgDI=;3zk)9%LS<wqTZQtln!ChgU{
J*_YFF4FIiyh_L_w
index 18d9f67651c8b3b12c2928efed17eb0f78d27ee1..44ee0a182d028c8e95cbd16babe07bb835656467
GIT binary patch
literal 989
zc$_n6V!mn6#B^u@GZP~d6AP1Ab)Nw*8>d#AN85K^Mn-N{27^FD69XeQ=1>-99_@$#
z=irRgoE!!3)Jlcm%&Js{kksOm%)E4kqT)maBLfoy-K5MC1r66QO+!foagZ)99)Z-d
z_@ey$l6at+c#s+cIdNV?Qv*{&0|RqI15@KDAlJgc0?ws{l}(I_$R1;4WngY%<YNGe
zb22qCGB8|BIU1{GEpq&Yy>;Q~)nAu2)I3YJX1OGI{jc!nCoJkm_onO;d!~H-r5+z^
z-LdET&9fLc{Xh23yJO>-i{F20K3sFUNaf6&sUIAV=xjQ+nYl&i^-CK`#V08x)(hgw
zKIPbKYOPkh@z&9})icuEFe7}j^!fM+4-N};c${YJOO113wU%c6=9E~F`F5^rw{qy@
zBc+SZopGG{#CFAsC&mYN_3cl79JV3jRoBcf>i54TDe$#SGxI1hJ{}*S|M$dOzq9v0
z)_$HoXU3eMSDSmcOja>j&!MnKcVlD#OL%8b#`o_xKI*Mbdz^LMDVe|URN(GEj7QED
z%@X<;QLeY`Q~Qp;kGVykGBGnUFfMM~Wze|YfFBr!vcimv|5;cKn1Pf5H%Ne=g$0;K
z*bF?`IJDUqSy|Z`8Ch%%tPLz-d;`Wd-Heiw0xNy}^73-M)QZI1f}B*n<osMK3n0)(
zj}m<YACS2UEUpI5299h(KvP&4UwgJnfgodZ2`8h0wt*(hbS6eIS*Yo`l_kIwkdmL9
zn3<=Slb@WJqn}(*jFxPfL6OSHT>p3evaPQ-itb}=Zc|~?xx}z3Kp_20$fs9sRjU4N
zK02HYOq1Hh%MY4|{!j~@cFyJ9(~L`P{>-fnwe6uc`>!lY)%=r}uO&U<+N832sU`Ye
zvR<rP=GPp5FZT8z>s-I2646tccA>l{mwuUcWO8G4XhTwgR{w<P1>GlEeS323QdmPL
zHhHRC_}R_$cGu06WO-lRxUlC*WmB#mJAT03(|!lftDV98ah(s>7cxXfgt+B%Z<XT=
zOqE^!<?4fwPYrW_n)ACzuFNTK`sP@d*0#Cgm3-^lzjGLNZ!K8$dv?G|$F62qIiD;Y
d{muQkKiE`dOJ;3cB2%Vt<(gOKoz0~|lK@n7Y~%m{
--- a/security/manager/ssl/tests/unit/test_keysize/generate.py
+++ b/security/manager/ssl/tests/unit/test_keysize/generate.py
@@ -92,17 +92,18 @@ def generate_and_maybe_import_cert(key_t
         srcdir,
         random.randint(100, 40000000),
         key_type,
         cert_name,
         base_ext_text + ev_ext_text,
         signer_key_filename,
         signer_cert_filename,
         subject_string,
-        key_size)
+        key_size,
+        3 * 365 + 3 * 31) # 39 months
     generated_certs.append([cert_name, key_filename, cert_filename])
 
     if generate_ev:
         # The dest_dir argument of generate_pkcs12() is also set to db_dir as
         # the .p12 files do not need to be kept once they have been imported.
         pkcs12_filename = CertUtils.generate_pkcs12(db_dir, db_dir,
                                                     cert_filename, key_filename,
                                                     cert_name)
index 70bfcec594ecf2731f9c3ce3a69d48a81c9c8248..383bf1964b7bdf202841fc7cc9025615a8cddb14
GIT binary patch
literal 466
zc$_n6VmxQi#8|R`nTe5!i8<;hrvVomhgO@%Ia?NHCWBBzQv+i*=1>-99-W8)=irRg
zoE!!3)Jlcm%&Js{kksOm%)E4kf}+gaR3lTfGD8I*shgBpVkl!E1=7aFBV3f9UlNZ{
z5f3B{<ivS_2Adih7?>Lxm|8{wxfTW%aIQfHxz_3%=t8Vj%gjT!RTrB}A`OJu*umaq
zVubpenUS5@iGhXNQ0(_Ij|ca}{MBOhSU0Ub;%}nH{BFPagPGB#Z*G2`_t$coNMMwq
z{)TVcX8eAWWm{V69^S%pJpB0oZ0X;^lS&pV7|0p$16?C4%*gnkh1Gx=NEvX01o&Bi
zVav#d9Ma4l3<j=DiVTe&(Yj0RoE^B=&$>28_}nC$Fsbv^cji8Aa1Y)sV|-~MlY+C|
k$1K&9qj3U<*p#M=zpQQfxM#0@PwBi+#kt?I4>`*M0JYSPJOBUy
index 45c9434e86e8e157fb1d2f886736ab4cae427adc..886d59144c29983be9cf69c9d2ca5775d68fdd31
GIT binary patch
literal 641
zc$_n6VyZQ0VoY7Y%*4pV#9Y9<&VZMVQ>)FR?K>|cBR4C9fv2Iqfi4?!C<`->T10?z
za7JoQj)He;r9yCKRjNWrYH>+sUb;e2aiW5efr*7~Qf7&vn1KjL0~Zf(QGR|&JWwtk
zBxfKe&TD9DU}|V!U~Xt&Y8eIOS{PWsxdur<S!0M*I=HPWD9X%DH8M3TGgJVQU<)-3
z)FBosWagE`BNW7g6rj2x(m<Gv9q7MvwoHs{9AE}BBRjJb14}TYRQ2wL^QUJ1<x^g`
z>4<RP|E+0@i&$SRUmYqM?&(~;ZFQNE#jn_m{F`zbndfVl*Kg&kI{#2(@|iDOi<NRx
z&M#IlkTc*1x<gi&k?}tZs{u2RGT;UY@UyT0!<P*$XqlTB85u6O<eB#7t?qs*Ev&u!
zd64<_TV5O1=T7?aM)8Ey#hI$d?ri!HvAyQu_x`zJI$2FWkN0UD*vf7`q1<d)k=+Cl
zpA-G1mv?^poHFxJ+KSt6C3LSGyT!Oa(tVbE|J&v_37e|k`xk4KF=b8HpLr@@_>^Ye
z+m7ZJvhvd&n6AxGp2QL<$A9?PYt_Hru59g+Ebou};H|X!bL8FBS<*p^|C}yWlL`;m
zX)^W5ft1W#DI0F>xAwQw>RTtc<vBl4T=Z|QKy|sbUlUt!*W7RHYLj*5-siX?sMZ$k
zT^aFciT<bivYh<WzE=NQGHcP*_o-Gv!j=nnYtPa7P@2l)FfC#K9?=P_gEM~Y0RX65
B>R12(
index dd2ccdd990109e27cea4a936b4c2f544859041fe..c3b4716e68e89ec28f4cdc88f369fd6643609fa5
GIT binary patch
literal 455
zc$_n6Vmxfn#8|X|nTe5!iG|7V#Tx@IHV&;ek8`#x%uEKsh9(9^Y|No7%sko=0nWi0
zsW~|c-l>%e!I@R53L&Y*C7F5Y3dO0(1x7|DMTQDMQa35H#8BEm5~PcZN2n-2za$>6
zARb5>$cghBni`lI8W@-x8kkx}0l5|i7I3aXI#AXaVyO;pOACrJb5o5>&B}nbnwo)a
z)icn6*s7YDR}zm<5D!v-#UYUf!ffndzcMjGJ<ZI>&g{g%A~F4Ysh8F>t^>!{M>lPH
z(sj=+f!U|tgEfjb?5vxp@>HJhEL~2K*PCvKFJg6Gwz0cR=Y%&`**%`Sn;)Nkvb*v7
zVg&;^1Ad@mWQ7?S|Ff_fFas$AZjb;!3ou|A*^q;o*`C3`hDk;zy)a^yjqZ8gp0%-m
z<R^Py4&-*`f2=RMzwOf$CK=URkC-p`{Lzq)s8*|bvx(cbKE7kaqhP(RImQ(Lj{k^U
index b17a3e6fb2118bf9147b13d93e08b180a2708f27..74d2bc5c224dd599eb19bf6ac2965a42906473eb
GIT binary patch
literal 464
zc$_n6VmxEe#8|X|nTe5!iG^`daEbvJ8;4e#$2nUTW+sDRLlXldHs(+kW*+T`0O#P0
z)SMgz@6<|#;LNI2g^<+ZlFYnxh2qrY0wYtiY(oVgshgBpVkm7O3DU*IBUF^1UlI>j
z5Dz2`<ivRmO$|&94Ghc;4NNVgfLsd$3pm#x9VlxIu~Y}Qr3FQqxv4<o$`H2d8R$T4
zRn5#RiAN{^*{X}hA&~~cZ0umaGBH9u&CJNo?8Lyr75Lop@t-^gZizJ~_x`AR@$c7S
z$$+}!pF-^BAH9FJWQW=IZ0}FZOZoKcw7uW!->{#{FsnMdkH7yXPgU>fXRAdQD;UTb
z@B<wqE6m9FpM}+c8Aus$g9P|lfC0<Mh8)by9t;MqOo|N8wr$YuiaDV1%y#9n=oPaV
zEhH1HE1rtpPiUTTto#_?5hjHSmSFY94DQ!)ObxF6vR62C=B=2#!LO08^yiCyw}u;k
E0ZAE;fdBvi
index 2a0c0d2506290024bdedf63daef428fe7039bdf7..7cb9357dddc73452085a18fe08a0ac0373ebbdb1
GIT binary patch
literal 526
zc$_n6V&XDrVqCv~nTe5!iG^{xRjdIQ8;4e#$2nUTW+sDBLsJ7|Hs(+kW*(i00O#P0
z)SMgz@6<|#;LNI2g^<+ZlFYnxg@U5Y+*Bh|vob>kAgP;_Sz;(-AO+IK#UoslpI;J>
zP!SI#4dldmfd-oz8W@-x8kkx}0l5|i7I3aXjG?}PF2q_j+}0KqCn^{k7(y)6G*E|F
zsF0ag5)YJ$2TNhIy>XraFB>P&k8R(185tQ_8JHV;7z`Ram>L@x);!KXXT8Q&Zo;dE
zXY)50FL?Xwtn9w%MQyecyB?;lN`7)U^Y&l;P)RX+xm>-cTQ05k{u#MeWQJEK=a0tY
z9=9dVymDA?kaB;C^ZI-LHZQz4|L44r**ipnQmr#SXW4l$S*LO<rX~M0IA8c9#$luK
zbKA%H!s~gYd-im5pX_b0Vu@yAW@KPotY9E#zz_6|tS}?ve->5)W*}w24HDpI0mcd=
z8*&^mdomcfF)1>9a~4<n>zsb1c*C0mro|d}Og31byv0$LyW(&5j?Uvu-+)SfT>twm
h&EdUzL14>)nysIVwr$>UDePa>UoWNCDXuX_r2x9vvh@G}
index 818eb1173cd06195d0413510255658d0f9d221f5..df26670e2463bcbf5299e678af909984e9604b4c
GIT binary patch
literal 571
zc$_n6Vlp>qVqCC*nTe5!iG|^>LYx6F8>d#AN85K^Mn-N{1_Mt+eFI%K=1>-99<_)7
z=irRgoE!!3)Jlcm%&Js{kksOm%)E4kqT)maLjxld-K5MCLoovpkOnRu-lF{cl6at8
zJV?$!PMp`!)WFoxz`)!PNJRm;76uk@u0a?HRvDUstx`5ngjgk&nFq58D1~Zo<2+<f
zF|sl+H})_XG<GmGHZa_>+x6M0H;LP&@2o+9&TpxPQ~3`)JRg=<Bu@0Iek*tXx#!mN
zyOjAhPN+NK%XBKpf9l!13&x7V9^ov0ze2A}Iq7J3ZT78Wg4r7n{WhMkN$PdO=kmWz
zTQ@4)(@6AJ5Ovct(B`w-d+_@A^(7b2YC3m4SlM(d;Qyz2bF@A^dX~dInTeT^fpM{d
zft&$9&>ynGjEw(TSPhtglmRzLfS-j07&UBYk;2^A$l&+MCnvMdy~(uK@93$Ji8~y-
zUcS=3Z#?hJ@1JVEYfn7Xe`#=SYuw@q?JesI^0;Fxw@drWxqJ*s&P@HHzjeC!#BZN2
zUUsY&HPGv1y%QN1@nyntpNERF>`lx`LjPk8F0)3vs}%g>(K!BM0mqWhaqpyeu1uKp
R;@N#=rK{pSk5;+H008Qx%QOH0
index 8ab24e0c332633cb84522328312808be932e72e8..98e7d9d329a3e470cecb2e3c5e684e9900c3294a
GIT binary patch
literal 570
zc$_n6Vlp#mVqCC*nTe5!i8(UUz<`&HQ>)FR?K>|cBR4C9fv2Iqfi4?!C<`->T10?z
za7JoQj)He;r9yCKRjNWrYH>+sUb;e2aiW5ufuWghQf7&vn1KjL0~Zf(QGR|&JWwtk
zBxfKe&TD9DU}|V!U~UMcqJUfr0}D9UAdCd7j7-2*DH|w4tdh#igV_X>LbbPXKC-76
zSs9ocdl?KGJDD0A87^0Ej`#07{D_BLWeWd+&5ps}qIp)TPwv>Xn9EqH;hlJSvkl7{
zbDzmoBEQz1e3YzOlA_PYY<F5#aq=M(*RyIDcAsCZ=9a4x%KTo-@Z-Ov#viSU0hgw4
zEBim^Ro=s=28@d)y*59*^s$MRsnY4NT(4Tb>Xi1nq>i7)q6+zXOMj*^F*7nSE><v*
zGvEh$L{^xQ@jnZz0W**?;06isv#<c8h7B!Nm>U}y44-wbKi4n$?Q+#**Cj?Xe=e|A
zPEb0lb6o9A&&-*ZK7KWGZMZ4+YNNx+&E{?*kIVgzPp`J$qIEep=diY&ilRV?@@MS~
z>9d+9MVapfHk;i0Te0|t-TO_w7q=$68hlZVs?P3LJ}5r%@lnfUu9HrW=M>y~weoN3
PP3h;1O9FQX-A)1kmAS>%
index 18e3c22538de7ade813e4c22e56252ffcdd93e17..b45a3a6ad207cf02f1903a015b12185d78e1409c
GIT binary patch
literal 572
zc$_n6VzMx3VqCa@nTe5!iG@k0Nz;IrjZ>@5qwPB{BO^B}gMp`^zJV?qb0`Zlk6J{4
zb8tp#PL6_iYNbMOW>u;}NNRCOW?s5NQE{Szp@ET!Zc=86p_qXPNCOuSZ&7}JNjy+4
z9wcWVC(dhVYG7(;U|?<tq@sXa3j+%{*C32^tCS5CAy!Fc<{@m-MYXqaKC-76Ss9oc
zdl?KGJDD0A8MZ7vx6@fKPhXMeozYK|uxpH07~M_H4H*)owlA>waw}uWeM$Elt)YS^
zmL603tYO#L_}wFF#=PV?Gv3HOl{s{9Ug-6<$H~9f6)|46y&ZaT@)8qq%R<f-74MjN
zPCZ}x%Fy#do_~8*fWhvEi8jds71zwdzlXO79dr7dl5$%8{<iPSnV1<F7#AxT$Qkeh
zJt8a2$oQXy)qojD8E}IH_*qzhal?idE6hNbFVP9^u~nBipM0t3Kxy<_?b#Xs^|cG@
z-1ym?t^{SaS6+Y9==-l$ooCO=mzLLii}fN!KE3Gezs%%zXWP^FA78yO-lUrAx=+X`
z^^Ll#p}bDsT9@O~et65Cd~`cAXZF570R@L`Tvb(ntUX%v|B0+_xZFkeQ%82~iW3dH
Lba;aO^aE!B2a3tq
index 49a70c40e5b532803376c821bd3ac64a7b26fbed..a97924ceba6f318c9487479cb60069670e692eaf
GIT binary patch
literal 453
zc$_n6VmxTj#F(*wnTe5!iG|^8p@#t%8;4e#$2nUTW+sDBLsJ7|Hs(+kW*(i00O#P0
z)SMgz@6<|#;LNI2g^<+ZlFYnxg@U5Y+*Bh|vob>kAgP;_Sz;(-AO+IK#UoslpI;J>
zP!SI#4dldmfd-oz8W@-x8kkx}0l5|i7I3aXnxTn-5yV<;+}0MSCKnhPnG^wSH8KI)
zs%M}Bu~juQuOuEW9}kkp<_<pt0XBB9XPFq;ShX8j7!;YU7+BVLZqwK!!fYUL>Atax
zulcnkBb&ofY6%SmGAC9Y|FO_#-Qul<OJ8?9<>{0>s(y8IRE5LsM;fonr!H17kTc*1
zx<FQ#k?}tZs{u2RGT;UY@UsAelaUQMaGBj13|yELie=(X{1e!l^t`zC+WkU@yE-D<
zvx;n|>%4cK@2FZ)ca=#&lySfMZYBZMC918CTAOP18D(Y`Rb^c0Z#kwa`$}Wk7XXpJ
BhZFz+
index 0864d5e59910af561228c84727a7b04a9f56c620..7291d038bc268c69b9d3103e3746f17ec5a98d33
GIT binary patch
literal 493
zc$_n6Vti@P#Mr-pnTe5!iP`J>asw_l4y`tibG9tZOa`HbrUu4r%%LpIJUS5p&cPX}
zIXMd6sg(-BnN_I@A*sbBnR)371x1;;sYa$|WrhksQa35H#8AdS3Z#vTN4O|Iza$=^
zA|6N@$cgg;4K_72FfcbXFtv;VaxDxj;9P?=LlXldh_%|dtu0PXE-<z*DKb<5l3-i)
z40Is2s%GYu#KYy|LGsw#QDz{(#t!x@6C)d|b|VXe5_1v*%g1#mwjAA5yHh&v=)J7x
z=dC90sXKj2YQL_=E(^8?bCxQ_l)mvez4SEa`j6|s9)DzCb^Z21G2LAgYUd@C?Y&yn
zyF(-9-RILeTdq1WPrrEGdV^bVR)vdO^x3y6bFOA=+8n{KSiwNffFI~mSz$)T|17Kq
z%s|S38zjKb0t|LWHsnZP_Fyn@Wm05Va`0I@la}-OpG$unSG&2eeK{+OyFjn}suTVO
u%&WFuXJb+bJs|y|Y>&>aLze%ytXypKY5L8XIxlh-|K0H~)kkyrx{ClnS*V);
index 6575e38eb97e7a4688f5b99577cb0f766c1befdf..a5b5f6d2c75f83d584c590a56a4b3f36efe97cd8
GIT binary patch
literal 52224
zc%1Bg1wd6>+V%;$q(k!1AbDu%R63OI?vMuQP*NHJMM?xgLPSAA8c9Jw8WHJKT0!84
z!@c8NhAZCr?w$E(h6m1j*52=0Yd`1Rd#$~CT~n5`bT*|hvv;&Lbf(|{zyW|jfCvQz
z007`Q{BRt8=ng-?!w<sY2M+KZK)~7H0Wi-Xz#n-A?;af^9DkkT9OwA=0}gnUHj%)C
zM+davUGNro6}$wV1%CvO9iKeMInMDP2}Yztfq{4^D2`s;Bu7b|=;#HG2R;;-phIy1
zh;k^A!NmaZ7w{+W%wekU1Gj_g!7mR_o#Pzm`2P$@U^pQ6J)%Kmm?Kmq842d_A$*Jo
zb69DxBETGaT5j+#hw>L|IG95`HVX`M@Wej>A%fwMxfz$8&;dsU`73~<|NjGSa|00x
zAQ0dk9%n-%8&f+cCnZNqS3~E&bAiNFBt@@FQd}1mlar+Qex8Ef(u6`uMOt1|MUz5S
zQj<beL0VZ=l0s2|LR?WnN={n*I)$j1qRMq93PZNT5BuQ<didcua>Gs>onb#Z#d~zf
zdvwSPJ3R8j%XuWYjs*9S;5ib!M}qH27#<0uL%|1&itSj!Vq}BD<neVlVUi0bxnYtA
zCV63!4<-#^(g-GvVZ@H<9rJ^^p~r4m%ura&P*}`RSj<pZ%ura&P*}_yuuvSZP#myO
z9I#Lvuu$AEEjLWd4byVNwA{y9Se)FjIC)?`d5<N`g0No-Wjl5sg@wY{a<Ux)3Zwjs
z6J~3eZw{Dm4w!FFwqxJN9*@s(z$7P3a>3-$wK-u|<%C_86Lw#?U}3pnVY%3j&m4s{
zHs#{r<ltie?u34K{+$QT?@q4oPVVncp6^cHzd5<T2jl)8jQe{q?(f04e+|a{oeuYR
zI^5ssaDS)6{hbc?cRJkP>2QCibLiyz?lk=FH2Ur|{_ZsS?lk@GH2a$q_8=TPjlR<{
zI-+C3Wyoe?1hY6V8w}s=%gx7d{QmC)fWLva!E4}U@Emv&{2n}Xc<LPIILCh=;J^SN
z@{vF~5{O3v;Yh$A3AiHxJ`x}>7=VlpDg_{d@BrXj;7YI%=o_dUga-=zcmINO{99pz
zh)6(63iQ7OE6mxNIvYwDIvf7_jq;m<+^=VUrWmIpsU#;VF3Ch;>1=Ate*6VxU`0Y8
z5GMr!EbUB8-JNdO9G=xTbaA$a9qa!Zzdrk~F4RMYaAF7u1OyPEHq4W;wV|cS_Yx)Y
zF9f9(BqTK`V9FyJe_!N0D%~-Nz{BEDhs9xIXk=>h-3!uh;(#gtAr1}(DL4cIVhB+G
zn7WIRm8r4wcQ1&)iQ^abDNNWII6w#lS0KM<g74n-*}uEN;$Q><qF+s5>Ez^M>iAs?
z|C?(cYyaWWyzC4|tpGsqouj+Xe*ATgbDZPf1~ywbe;pv38T(<a3IVJN2S&T3p(K9I
z!qmowLe|uS;+mzWDaCbDCud7La|%Z%LkcJxCoi*+r85P+q#6S|3mel>C=@grQ&)Xc
zQ~g69`Y<1dhn9BEzaFz49y{9GJ0ro$|DZkqs1LM%n4>%e(}Uf>BjEest$(*6&T)=^
z4h&#5;BTIOwi8c3?=Me3@;~_e-E?vh%nLkSg~$Q6`f((%<0G$s3yMGumII#U2_6^B
z1Uz{X?o7(R{y6YIQvOv1LIx8eA3Klh{}cc)1^5Nn8mt0N1<!%Iz<l7KfA?KH$2tD}
zAOv#)(OzK=RPc<HCqz32p!mLyr}UBwMm|!ME&9(W!mIEOhbZDraSAtrbcOFB9Vz%5
zo<Dk?GsfPi;!!r++o8dN8Nr8mq+m0miDhVJHR6R^Y&X@($<!44@CD&WF=pFd){^Hp
zx%$P#v(#DjX~qm975tGxC{i$-X7nL*_Ne#;6F}tWXgodzxFZF6d@_83pn%q(L!%r7
zf=!F$&^if*v3fw`;J9Fm=ieP~S%@jAwCqis4<Z0_BFD)*cuR<m_Bg?MFbAV3aY|4b
zzW1n85D`3f^ix^?*8hLh`#<|{HvBoxagP5pE-@YoQtCs2&UPr!2oD85_MyN=I}}(5
z$Mt_$`lmVmI>$NA@!tY!GO#Gn$<kck*woQkpM#s*)R4p2O#j!8N5-T6e*^%{Vd@98
z0_{LJpfa%bKSbgW!GRYJzy=(}V{Phj7!8*xmmv?2{&9aI6w2oB$EJgT%y{eSt!;E5
zJO-O0o9OpLG&W8+3VJHNYWn+ZeUvk7%2c0TWAeDL#^3G?oYPmCd3B@d`3DdX2m(^D
zp&%d~2LmDhy&H}qukj*PZTvld7KEnijjVz-;XHh*gG%xOh@CI5wY{2_KP4`_=r0_9
z`K>ULyuXrU`w5ci+KKc*@L}sYP~Pqb+%0rSRWn)a?JDDGG1N?W&5s_OMKa~G!@C<2
z5j9Z&AkI?>-B4%uN*8>WISpYdgQpi7gZTX^@qSG5XDm5<Bdpi}wB?p~ooM&=T`Tk2
z?FtoiKkGdwU$mqlj4__GNEVR@nz%kQl7FL2VYK{4(LA~+I9-f;Jfqk`_R-xP!+ZV^
z{1bPZ+mMSFYW7DA*`6`*R*t#&c7SF)PhEUmb(n*I(OBN}ayPN1J~sQs=Vx*BQ(7R3
z<_Yw8bm<=IW$9H;mW0+93S7&VV<yphna2k+{UHQD<oGjov`&9R<7PE?-($$d*8o&n
zma48>-E7FxtN*yI@<E-x|5+Syz9>hBUWl)J`CP6*x;;mv{)>r%ifqC&TTk%FGqz|f
ze@eoWH~WYr2iqSpq@S>n`?I&MU#@Uom{f}EkK7dMzJt4yS#CYtNkz`+?{XH&a<{tZ
zTvT^6<9x;!<+}v<n5OGj>AVHjM6H6bD;S%Sj?+IC0IUsq0m1^>0A3#+oJ{>}Cv44U
z#Lj2(hZ0s{cs<b-^{*fU_{*-F0p3qUizcSwc3s&Dr$3@iSX{e$*3Zaopx&=ERkHg!
zy9pt%Ci-d}i|*Ahwau6-&)d<5-rMa@$@&kr{!LED_cIS|;)Gmt&a*j%z$Tw{f7^Bc
zXWa?g9&6qJ3Jc8-?otM4ksO)lZH<ScqjP1etlMaW(|c)BinXJ!S2ML{7rAFVvE@(6
z@?(;`KS2^jr`nMCqO@AjRWSyF>~uac=+}jhP}dKL`TXW;Du|<Jk*vcpOll6k809d^
zQtA?li?*H8+b}KcFN+~$xW7v__0^w}`G+KpxPF49+w>c|WjJ@p$OwTK-$1ZIM8F+}
z*SKn4%*X-#*NXMuokh~pQTI+VX)m+hw3Ba@;ZWdgPD0g#yQBLm_iryXci>O>Q!@S7
zl14v4GQ*tHaY~3Ao|89{+61S%!@cp7pjppe=3p!86Qqo!xU)!#&5TlbY$2pAK(OuK
z-4#{jeT_D7lR5mkJY^|wl5QNAKjoz#Taxo9NcNd1wW11g#3!UcgfG*`sg-H!)rahU
zR_|D(G5@B<1U!o*-9gwES$5R4`dWAo#dXhp$;(_p)f^vkW%e{wAJ1~y!^Z!CV*!W%
ze-Xgxe^t!qILCh<qHGX-;czi9cuy*D{e?I&0Ed4V7ytkUHg*sS06WMb!0Xq)U%X))
z=`nutV)TD~`aj1x&hhhz<^jUeKjBFQZh*mW(?1#jI~eePOaCl?Rr&|#{kid-;~f7R
zh;jw}<oo|mNdGv;^?yqMI1RK5QU{g*(GL&)3iv}1PP8I$@bGaO8vl`2gw|(s64o^=
z5uSNhD+#1qFt&7RqBpet9h2U%GLQmGlFzCPT|>&-msd6@^TEgrN4q}Kd#B>yZj<b*
zyi3zA+EV<3SNtjAPuAF=hNdPwoPVTQspz6Ct<%exq33iMce|yXRF(Q~6skM9h|D+J
zBK0_S0L~&AP!}Lga`|n3LzQK_KZYax-52jkC)t6#jnIfMmp^yS`BTFEnB>n`(*7xJ
zBpcP6Ah?LdYc$VCfK;1FU;Isd*1t}bK+442?wmzZeaE!kj!U-eiceLpyt*?FDOvPW
zrA1!|D%G}C#Pbmke+c-*-G*`G_#=j_XqPaq*>a)iMv0n2_~dw-u`5qM(a1)nI&M#k
zHCDOqERK}L`Xw)@N{FQuJ{{0wvA}EF->rLIip{f<)%l6k{o1HM1oT6WKVwG>%MOBZ
zeUh=6P|m@{wM(t(LDB5uOj0VTdW6XX&nk`2;>d@aT9D+s0}Z_MO)`K2`gVJDv443H
z;5AhL!jDos7DFEhPs-_!<Y4IJ<Yw<^Qays*^2A+9gYJ0*SRtl~+iA^?f=z&p9s%_i
zR%q}*FdGpZZlHeHKnU{fx#-&9p?8X3@r!OWNgQ&4!z>M%kU&r8L?zZZuuaXa6aKaR
zAFKl^17QR00BuK|0VmTgCECeHj+28AYWRm9Ia-Al3Ho|e+BE8Xi~R-Xz)6Yd@b_Yy
zx)z3oPoKouK+iIj;4)q-svzkzDQ)zkiH}#?{kX2n?UqEgjQ8+@N$3y>{2{0(ZYPZ6
zAA02a0c&68>RFkX1i>w<^}Ehu385OUDSq16ciwhB5Mx(6v;99HG+)k*W=*9eZ6>8*
zn8u0`7)i^*@+qKn0s8@YhJ`-_<%b-9#*SPWn`O3vc1vySl`lIhgfAJ|j2b-Ur0pZ>
zl~tGx)8#&kqep)wJazK2rcRC(hIc)j;d*j6LOH*|wd~~AiFYaUoBSz}Pu^@;PHpl>
z3~2&Qdiq7dHHd^(h+*NQ)IJ&S^Rme&JPR*Z-EUX13!|S!vR^w%eqZ_B-Yv24%FP!p
z3Nuz)E?AlQ`%r{E4}4KMW`9bgACvqUOX{^@UQ&MeLG^JoBV6-dg9MUD`m2V*misqH
z(7si@TFpI+WV*I?Ys99Y7`e*Vji&-HGHj=lysk!u7z?!|M^*}8vHL?1fB4G#8AB$C
zjUv!ciQ(mlu$1&!_K~6RBsvsw1mY+liBu`38PuM|acfE~L}@iguqQSNt6lVsyM0fJ
z0@t@2gMCKZ`~}AAF^8!e_q5mbVc`OBG*S4_2?qYoFv25$Z0i5yKxJ|^(&K^3_@_sH
z+9)RA5dhf$t;7EopU32R)C;NlZMqq7ZRIsclZ8MAQA&);!cBW+VtIUVq)YPFnPhJI
z1=K7~fmgMNf#^4#zuwO7mr?8ZT;A2dbkSlU=1HR`W^<{Gpms1I$Fn@DT6#y(C%+G=
ziXFU+qD80n7M)Vj>RrRD)_o;G%!Api39FUiN%@tMQDI;i2G%N+2TV>o2T9o-yH-Aj
z)$??vN&^Gp&7gd1H0CmMl35n!N>W#joo0<{Xw$5RW1=+`*JO7AApL;)z<E~x)qwR9
zFJILpzsqb*Ndnx)SYi1ya&u~o2F64;($t}z(3q8bMWV&gO6zL#YA7fNlL#adc${lu
zkyXf8&+;o?0s%m_03i1%dH<e+I3ND_gM<*ZeYqgsmO^oI2IZr?KLChSV0y1_gvN*f
z9gyr{q|SU#yabOok>#1wYjs24$t3vK#0P{S-XDc=qB9RTV@tf1<P_%t%n%Z>#5@C4
zZ_M%aH*2BI!<EmA*;kwuEEZxlqNnFCQ*MqAw?C}npI$NxtCPLhyss+ELE=S}Kf`Y@
z603(zoQZKO@_m6>en*rVVQ|xaL?@6>8dBIphqGI^OO)_9OS^xc!CMsTMOA_~>X3&{
z$Y)hcmDi06^+moPueGDb-MXb(CeqVI4rg*b9=gIwW=g~-QLfGHPz&Xwt?iY#Q5ctD
z)W1(E|859eSt;q@*s0Km1+H@4=Lj+^-oy14a80X$TD@mb(R92=1+){?aF$$oR>bE2
z{1n4k+BZ}W)~9$nd-;;+J@yo$@u)C4GMs<Njmo^cnP}d5JUu}Y$sf$If~Kp(ntDG%
zE*8Djniu3qz5V<m!(}&XC+lf<=^%G0st@kf%Sr91&NJ6L8Q$o4)XH}e1tz5|`Yz6~
zqS|AyhGVq{2BaDrd8$Q~wL3EfS||rPBJhT5CF?HZ(5(3*jY?*|CMeqCJ-~g997s2!
z&s<~|==Uln+~#!NC~6PBJk2o;d&exUpK*!L@G`Gs`Z4dEUN4n<$t4ZrF9+UPQpX^m
z<7UuNbIp~%es_x+GY?{uEO3;D<(!L)mT*4Ltlmte4{3-XQDpG2Li4l8q8Ym+%Y!gO
z%ilwUvGq-c)E4f&a{?J0wxVwh`f6<A^H1<WP_RYdIH4t#$FsDm3&CrIkB!N~jG6}$
z@=8|OpOH>|P^6gBjY4$)QfRevI`^@v_jVs-<0B&*pHNY3WFQQa88aPo=VTp<yIwIu
zM<GkxD84XX$Faw1mXM5rGWL$<j^)A?k^WuVF3jmy*<XiWj2hq<6=iD^-yaogO{|X}
zK&6hm%pIBhp<W;=G*Oy}TZUv+B6o!}X3kbHHQk0zEH-_IS6KHcXIZ+uAMuxc!kPh=
z0jrqyJ=7u{Vj{F}yAv%!CRKSW9K@E}>|&?$p27?>GFY(Z6AqQ1v&NfmabA8%c+49`
zQwc-Y^)hjc9G;sEef%aig~f*|LLq|D)hYw}2*#X8Wwx_fc}9Z@F>YKgHqvD!ZR$}K
zsIP}}>v4HBEB*9?ak=FjJP|)T%JFI=Z0GTEQx-3ky6Pdt5620K`p6`N2lI}0nzEtT
zhS8PZD4b`0gy!_lncczXfO#c@3ZCONk*GDP;$#^0>AVZ2@Wq=7P>5KS(KcA+blOoj
zze*kRZc*Q;3;v*yW4)0675!$tL0wW;a`^jJTz-S%;z&CbGe&#>t2F9T#6g?Dw?JAr
zNT=-7F8YABR#W!gyQEi&jxkzn#_1?8cCLwN4{c~tyJa@A)%Qqzpy789=)27btRcNG
zNCibQ8!E@KE<oBTuS_D<K|_B*l#Wg+(Yb$}fjecZaP5s-w9L`6a=`!f-2E@9f}e&z
zt^E)Duj71<bNu%r8W#*}|5H1u!1dSp)7$?D{#O6jKCJ)a9M=C^Ppkh!uzxuI?`JAo
z2Ry|RzU?bb#(~%LN{S;Hr%VZ+o77&*jL7hzKujq<v!!IsDk0#RrDlyow{d6PML8r+
z9aJ16X*Y?Y2dt?)lfxVSlvw{Tw2s}3m-`RZwnSvDu5p*Lij$QTVylzb`Mr8&a7AD$
zR!E2uGP<s|hI1B4SIq>JVorM}rrZG>MJ@5C=6k(?9Rg}AB-zS>0KZEw{V6ejO!8+e
zNxEeu=~TiuPNkCS3<lzgza5-(yw=M^U7is0*zCQ>;8`T2NYi{CzolS=H>9*g=Ayjh
z4ndtJwQS%i^!nl$*z+LMA9CU3-9F-I^hXS7My<Q`&P9Q2rfB-3T+qlzqSD=WSc~>H
zMxECppYT4ra2Cf!;VOVQU<_q24TED_n_eiuahj-#NU&6})xd&y%tOr|g7HI+KV!!{
zGCJaq*X$TyUlCCjde)&nHF#z2J{W|D;3iRXuPTfFERGSI>6dwia4fXG={<P;F-R%u
z;kT=b!w?FGr=RDzZAJb4Dbau2YW6dRbXB!my5fq|esCej6+gbW49fG8O2bn@n53+;
zv^ehN`dK6sJ1%AVbPQ<vw6Voy1b{F3e-f)Gvc8-SoUFeS4$#y;Ox^#`(Rc({{a-vb
z3-D|G|Lh5eN5TH;dCR|E>$J&Ff8RPVF1LD*wGP@0@oo04Aap|x^<%k+?Gv)M=sbg{
zh@UDuFND@jS8c?=p4S@FKmK{2e+<zz=V31bjU^$$9I`m;rTB&XsgBvNPeiepr&q#!
z?gz&v%s9^6-YZ$XH{5}*ye+1gW<SvKngUlWIs$Kv@Ux&XHJJfJU8163K*vz47POzv
zRIf#vy&|E*U4R?Cm*VEfRF0DC8==63>)$lW-I{tZoUg3n%eiUgcKCgCEOULnCh{H`
zU#dcM5rt}#Y`&7Txjmmj0;NCM(30n^5l1c`MnB-KC-;m6yPQTGtB>HP?YmXZBnpwp
zXe5{bp*6p&kKs|C!E3pj4s~yt@+1F#>%g6~RAt-F)wWH<WEBti&xJYqSkb?<4%}5m
zWY=|?VbLfb;DXvAu?kdv_O>7_w~>vUO)fXYU%e~i?CsV){WR2>e(p1Zx7*OlwQSbh
zygF!%Nd$ctVw9j|!o_Y60m6}<W~ltC!p$5E48;7nu6IFBs?YBT^G{^M_kbc09u&7D
z1WDhmze?lNi#zSde2K<ux^D_R!M9$(51JamvYE!()4#ep8nG<u%yIcWkEItbZqZ{b
z$!pd!@%`g@56K+IcC!$-6hj_unelyoQM)|lqfY355EoBM)=D=hVE@EvWBxT)Opg#{
z(|b3bPq*=LukBxIL<mVWmTgW|LJjtbdtNBdIfs4mrNBd>Dhk!8$FGM*Y$)P5K1{f`
zqlbGUHl1E`>aeHWmQskZbyG6cuy;tkxYI{|<GAKj$a}$vU@C*c<i2D5#1`UZ!OE2_
zee!AxoEMgtFrA1-=R~ktQ6d|cdGl`=$L|3<*GRYJNoaC+w<#XLXY-T<@6l1;yl7qK
zxz&a8?Lq6FGdt60a7km^7Anz4u`Ftr9R4A%8hY+xO~qM;KDo7Zsi=IAB1L+yUXMw4
zL}L(*QTv0iM=$h-SWo9II;@&hR@Phe=7p7w1iObLQfwFVG4CWky@jJhYgV$8r0l=I
z$TT>OlSa#7a4-)nSiSOu8*F^R|2|x3qjD<Qi>22|uM)0@i1bt$>F(`9m$P~rx3%5N
z<ib8{0H3pr8PjZgZ>+3KmW8G5wAC3p?^~113t;PgRMCBp_W&LEY8^huS3$S?c3!@n
zd{)`>%3!5<sEfBPeOnbAc0pS<t<mY+X$o%PkcH65>jfVeCu%h18Ai@B9&;CCygP=?
zjQ$XBE`tRlD^=dJcyqeB@$#hn1%q5~WGr--n_6!WKl-@Rbdptj62NOdsbQmk<?!GO
z*g%JvhV*VAk18t?Kv?h#UXfJ<(2Ny+IoKD6+@setNghwu;E^nHix!7@+Hy7uX16$|
zz}pqBYKSEoK8cA>I)yjx9K-CJW>JqR?Ms%7r}Hjv_i5LCgS{YLJZ0I3C=*3NFsX3N
z+ua>K3_JAm^+nfJ0)OcSYf|$31TW|ikdEd3l}m0<3-fsd6>ZAe^H^St8O4{1AO<dk
z5p=^{((2!zrwzY0O#3cQy0g%&V;gnkRf<Zg9m=NkwqnGJ@g7`SN$kOwaxYuq^m!EE
z1<62fK@#WX>m8dOn`kOjRB_v1Ux^eV&J;I~g<vLf-bXr}caTDrB00mm@K5GaMS*md
z40VWgzqBL;Kd%)}KQQiWP<44}DDTWA{VGU=y$(nJW2L#~kYLq3bj*aNaHdnr{DVCi
z<DSvTmF9@NjEx-8*=$g=06iIJx<i$l%M%y4Y<{$h67qf=ew#GRQL{3b9hYY0@8QPB
zo2arw_0sllD=64c)JPP*5WPG7#yjb<Dx+gN`_0hz1N(E`Nj*C}fw0zr|MlGcCkyvK
zgMZcdKXA%l8~-`Z@!x?c12|aypXsCm*B|<)kN>@R_#r+`aTqz^Xz5_UujT*WtU_|+
zgH8F56!qD@7xjtQ2#$;Tm?xt>ZLNd9FV(*_Y0{<T$9+8~%zvXjfAf)_*NibgTo2a3
z9?tp{99>hjNd^84)xbOp2E0%6ENfs2u;ie5MK<JV$J_0%3=>b<9jQC+CwvxdWGZQX
z1`fhroEIR1Oqn?Ir|Y?{*$9*b--HY<i*f`@Yx1yLsK*g^=|_KPzz(_E4!mQkCjrk-
z48J92=wP{=Dj80t8rSHO`KCiOVM;JJcZ#E~;!ch6q*}4XLRj(!-T0Of1x8RJ_f=<(
z*ZNAVdo9Zfo#U(C>v!)b-B($77Filc%~^y*QN{dJQwdHzG{RzgdvKK{-)z!qK+O2U
zjW*@VZ@|Vkjw#ry8g48v)^3;YO`_sW9~bIbPI+&4&5(8%c0b@<qgyo141DPN;<CEM
zaiJcdQn=+ff;qpx^_s>AE_MUrd5{PtA#tQ!#)gjHnuNRM9vP-^ufo=JY?hhYy6<z;
zl-L>}+U(^nIm5ayU|{UBGEG}XZasN^V0jc_shHocTz~KbzwW4e)4<i6qp7*O^&5@h
zE0iOtbi9r^w_6`!ylFGMu}W6^q0VEb$8DA`3UjHLQg+DGV+|#J`K5r_Zlss-dVyD(
z9S+zt<Vi%9MOevB{e}<L4wpuB*9PELyTF~`Y}|ymE6&{Oci))?_!3sW%fC8lb|Ll^
zr{%RW!4DDy52irnS*7#rWp*V9(&@q1V{@!;HqU5DGwe~^aq}$D%baWBpOKQxBL`#<
zTD&{GpmRrUn&<9l(xpNB1yot;(Z}+;-IK=!omaG@en_`(b~UQN+s>H-Sng9aJRO|X
z6CmMeKqGAtG|FnKKt>f{txn&>o?u;i(aM!^+e$@WO%t1;9$9W9Ya{QrI2M-*Ih#!7
z%^gvSnwz0lXcsL=2F4o(0MX(Ka&Yvmt3;_95U(x7eTQaf>_tj1UMXmy)KjEgHu^z^
z$B3&OOnOEjYpT<ES44LAKCBYxDRd8&s^+*A5iurLf6RNB6Y@mKP!`nUio&%0x^jd!
zH_-85$$g$%p;vmHpC<$=C%hJbR)-h5M+su$XI0j^)ucLptNAD;JA2>C57KM&EDd&l
zg%q|&na%eFu1O$<C>JNOh;IzAGuS3*QKr<LC(wfKx+d>0RVi+{tWSh_Clf2>9g$QD
zR<+NryvXInuWtbJVzCd5W!q2ZzNDEV)Ta3L<z1q>rmOHb)4p76wELw3B{|W<cafBQ
z*HX|O-=p#_&k$P6tG+A78>#5<U0B{awlb4NPq0dd;@<%4iaxXT+BHH*LpYeTH|G;C
zk9uHu=IQi5@?8vw6^~&`gu`UEhU2=GX#Efk<MNVL1`i(;OHI^-mpRy-^Dza1yG}D2
zUm{wF#M6w6eJJiVE}g;14UUpSg(2oIHBaXqE`+OwjR!&?%E(>G0?NJM)qn6yS0Bq#
zK6<nL&=)-rJ%8@H%oDBqx0h3zYQ*uO7FCZnvJcibvyf8YOtfsOG;=EGEY_@>ymZEb
zwrQ`t#Erf1&3l5ux&kCsp+?Q2IJ?>ViU^QerMRkT|4jLMMz@EYdKiW4eE^U!RNB}-
z`6)aL6$_D?G-vXDAUQF{#;g$SV<>*=u7|w~61LRuRGwC|@TCl)ahqNbtBui!p5{>v
z%N+CG*=)Jy`w)aedTW|q?)roNpxWm5rJrhKYQ#OLQmE~QkUiSGNd^;SijY>y>-8Lj
z1SXi_rZo_i2FpP)Pa<5bUuB^oy}?OUqb(Qbox()DPsOhLT3ScB8<eTZm++0Hy7m?J
zd;U1g@XAzG4pgsC`nd1Aar7iwKo%15xnb=w0f8AskVW}VwXnkc|9GbUhsy_lF8<u|
zKe+VIh~*sT_}@h|3Oua*FLzRb>#y>s_y3U{rGI!pD*(3o2R7)%DXV|{XTYD5=*O!q
z{7i2P6I_9}Sj=DwcD_(d4doS^dV31Nh(xlazzF@0aq|y3XZ5x~3U5p?bCDxs-TpYd
zQ`AhM@5*fxmouw2#HkWzjC4oE9|AeiZN+2C&TGi`N4l*ZwdzJg^}8j?yrUeUI;Er3
z?QZ%dVWZc5o!Un|BSX*ZTH6UPU3r=z7IyGzV^ksFy}Jr<qAhI->&me1QXss0Es;Nj
z@`oIM#*Q4!7rETkK6JxP$FqK(i|VzD#jf7MZbK>64@NTbT5&pyV@?=@aLvf#jI4iQ
z{nBb?o`yMGoc@Y(&BRIs@~p<-m_H@e$(s!$Y4}GB8UH59Pi`R<xWItTln|JbG@kJ>
z((>Y)+@wq4TkLt8XOfI;48QK)QIi}<L8`E1<Vtw8tF$srR{FBk3=>9XX9bf#CH0R<
z{){EVz7RXqMf8{PH7alOgD0d!*sHeWUQnPmn8=oL&|fz{izE`cM63_IZEZbm{ha))
ziETfW3eCMTiec#Ewf%;Vkj}%DLw;Ivg7yFDX}JM@XZ-Ie?E!}WWY-@98{Khx0L59C
zIc<@|zi%HX2Qixzd}{QJ8!j{>Z{>X!I{x&T!OQocH|zIx$5Csj#$O6m)mFx_h!r`|
zt=~3o<H%V2^nnK8D%)%8Ock@q$}2hw{iHZT{aRW<1j3LUo*f|V`mw)}p9>x|ne*kw
zn0~FNGtHN$;Pz6;dbASos_UmW1_hW<FJW2a!P2ERIX=$$ZOsFNs|dCUS}qN^;>wdm
z$@L4al(vbpS7dGmP81PX6WbMUUsTV7t6{LbMR#AXA#(1@_~%L%=}4lxegcBg0tLP#
zg1DBXUVX#!K^#ayGGnw7to&=0$qN?v`WNFn5}H*~)5~ISrP5^*s+wuD<z3Ha)~ruT
zsH7^|bJ+a-UcVGK2W{Nhiz6yBsm{U{oLnDsuiX2k*DtE&2FAsLmFw0Q$W%PJ?_QaT
zPH<X~jhf%3&bSJnNS~|vR&S7WqEFpNo@8h)-cFo|@!O?07uU4wo;Srto7VYjpa{;{
zq`h!d2dM}cXHGHH#H5L>4Y!#pQhr{Kvs)cNPslOM=5lyM)keK!<;^z{TDUKe!p6HS
zBNa&Qo#&c{Lb#3`L967+B=V}Z4c$Zf-nGxTXm-1432%A>Xc|^Kv!05~YIqU~rpNR5
zsia@K0uoDC)NrcMuCaE6pNWV;o}YG)5&<>)YCm$!*~fmy?#l3St}Ozowv0!Ku%X2&
z79ufw7a`tg+f6m*!dNDGi0QkgEUel(8D0zhd=6!JnVW{pbP)ta38z=0`f+opOB)^q
z*UHVJw5_x}0h9$s9#^8m(e!S1bY5TM37l`f?W5HPo)!`!rW4tsdXl)hxQ&*XJ{FRV
zOl@w#%Z<Gm#zxdfBA8b0kY;eZ>w_w~O?U9lQ-b7?6||L%@)B_2b8h;HVRH>M3r$hV
zAbyt8SNrbvqc05&+R+jdJY10Z61usw!3VBhJS#1xPppOb;EVld+`0SO_~UYczf);7
z2>Eb3_f`&^>CPC2qt|d2-lo?v?}(lJgB|xigjwFpTf7=aDL1!#_z7Z?o_8q~3+}GO
z!~^GaIq2S<&=Rd&XKSsuPnrsI6gz-l>*q9*HmxGAA=H!IP>8i#N{ZtuR=@2t_i;?h
zDE8?l9Yk>oEp1_|ba|D3XglA3%ey#~FnQ5FOW58bIZ<O7o(Sv7WxqsEx=o@3y&Tu#
zh^w?~;iq#SrOv~hQyljtM$6dXdHas+V;i*hn0xj}gnN_#QJffl`Q(TE8y)IO<bg_S
zruvTTo!f%)%<GG&f;Sp@Zt#7HoXRf_a#Xb>AiDTmKpXi<-ey;og!)>wa1->ILJrMD
zccgUl*K$MZ<c$~g4w`r=-3vBJYZu$BeN)$Jar8%093rZ2%Fz%6mDAPY4>)*5<I@Lh
zkK#y0NY|5^D23;q&RbDi#nbMZhf{d!<$9f1?CXu07>mcer&O5zXu4uS#A7pLL)Y{0
zl6dbwqQ~W@<N0u>5^KlXEMgwy9uHMgS=LJ~dKb84l*cmNtnhW9eD?Mg^r0`>MYo5x
zE#E(eYqGMSc%l)T=!Mz-0kl2yup5<Z{NbZmoQ%X+?vw!!Uw5b+L^Pf?_>ReqoXo8^
zFW*b_ZMu+PE7u=H82PRxjjf!{8yylke<QIkokJWQK`c%ae1~n-@R)Z6RCY23P%n$Y
zC>IUs&&jsQ>1SKR8hh*Th`RSB#Pwn(3JIT~)r;%2+ad9`=I!PQv1N`g3T)C0scx&t
zThZQZ#f|BUT3ZFWbj6YS-K9-cpyW^I>A3CU1}*M=#Xu?bb#KRW4M_+kpz7VHbRIJ_
zAaIWF{X-?Ia6u6NkR(2B>q31&gi(?%tfAn4J$L_0ip~GW`aihg&!uyYbNr7ZnjQgG
z|F=4+!1Z_d)9e3~M*{W|Fc-H7`0VG<?a&4%Px{d%06%nA==dez*8ifPQI0QCP@&yt
zX@#t1VmkcENX(?+?XO{WFO`C!&OHqpW$qk`W}!G&mmf|waf!$!w(+@4GP0`;`8_9a
z`tr(L>7KXKTjzE^;{(L)MHdP<W&$|#PS=HA@l>3Rr5Qeq?&%9OkL$&4o?H`Cvr}Xk
zl67~VGWL<a&Dx15V4s=?49*h$w0io>3(s^ftv-Sjp|(@_Qjn7C7A{=ur(@p!qey#0
z&Pp~AHO&&1=%q3|5n*c4BG2xZYSGS0On3}YZ_L~T(A>Yh5lw!Y*r$X;X452`kFy&w
zcj?0xa=gZ;uV3qt^+!~^jmnjA<)pKnyo}pKl2o8=);V7$KtpP1J3!pK%LSBz+?@xq
zeR$I0U#zZ=#UYx@MWqf^ehORUt((hxx<-D#^K{-wHTfU4bg<PLTSsc<1iNHiFrssg
zd6RsiRbJv|{Ni@e?!%bhsNc67;qGvhUK`#nROX02#1DL0;(X|F3jR;`Ck^l6mRCrH
zC(C@mBQ2&Aa#*hsY?plTu}R0^f$z0+^U*8RJ*#>%1B;|h+<uwOKFP~*lR@U)8SXo6
zW;ZBYWjXf;b=yp}1Y~vK5Xh(d?edt%RUd7+W@g!o3qI{Woj1L%R8xnirdKR~KQ1lt
zwl{;kC*Lve7+}Ej0{q3u-I%N<t6tkA)%&c{F7`LqiRSPo`=)owWeK~Z(#Y?NV9&eU
z9l4!mEYwr*jNj%CDJFLMw@4mk$0{Dv_nqGB&+nMzt9HKZe|)!kCk1uBDD~06D?WaM
zL9X1jEI37)fXU^GLZ$^dXpF@YWp}x<U&AxsvbnFAL%ihM9l8BI@;tD@!gJ|Rom2p3
zBv!`PwA+s--)4{K?kuf_46E0e;8;X4O*t|hU`F%SIfGg+GhPv_rng!a9_=;m(qh1M
z16B_b4j5{G<+6U)+rnX$7lC|(I}D+rQ^N42kg}KpfkY)sUY}Jy?;9cuNFw>|8#4ID
zmcq!cB;)ed88i!TUcaJ4=Z$htvl(|UWS3Z`Z`AW(;5E+4WW1V$!u=4#@tsHOOPcX7
zuj9B`_bl$_)Vav%-EB2*SQxul7?#=bhBFLkS&l)UIe>OC5zU@MpE>>BJriNAnhNQ;
zyvP3Y1|Pj|Uqu~L9g8Q}Ayi7MRF&)Uf5_((o{JsES-s|NS{FL)q*%fL{|7Rhlk0uL
z0IUC7X|Mu*Zv5{l%>fSoWOD#78~1T@0P7#T>S=o`{HApPGlsWIZaE>sQ*Z5}%G8#L
zQ07~b<oDYj8uO+A>}}&(u9Bt;NlS{CJM5Z<=tkn`^r{|oi$U_xJC_`Tb0F*)my!UN
zzIN?$6n!#FidpGeW8ufF$1!Ld^fSj_$1$fci@Pyc0rK`r!|UNUc<C*VS%1gu8<3c_
zxjU9c{}aWw60b)59eDKV3n`odhLb`PIy$enc0YZ}(A}t5?5J~&=;*}Sw$(O-qn~4T
zuDbB(wjM!~23D?AEqpxI9l2FqecxuL?35AJp>&aI_A5S1Z$Ijobz{kQ3HGGvES1uV
zCu!fzdjeX)L0C^Vw-Vowx+th_<~qST0C}3Hlg4@tn*95%0}z6&dp-!CF1Wi(d`lb^
zu6iLSS@28i0JDV@Cl9rpMqAH1Hm~{}qP`tOAvYEPh3#zXYufh!4qnAY`-6=bF<LNw
z%Z(@02>dCx2iZ~sFxYJz?EKQyCNNx3>N{o4mwiPqetLPq6*<}iD?u&(-6E}5ICDzR
zViD*S>-BQ>%LodcK#S7(>Q5Z8dbG6(on;%+O{jyq5^B74OwY%Ycf`In#H!pKN;lZ@
z=292H!0g(TFl3FdWUZsuC?tyPUW7+bSOiad;}3~on5@@1ItJPhB8l5~!xa=X#~0Nh
zQw5s}9z40^iN{ld5}C{RaQdE&%4$C9V*yHss!F|<^qZO=KJ?M_xl<4qK7%|`Q6udN
zQ;}P{D(neuDlHN~;gL5uJu@t>{fdBgS0q8)gUm#dLb>TWm~!GcGb9K$*2uVEMs_9i
zt*N4o66ah69wYl}bnW@a-f2Ox0DRk<yZ0>8P=<3;h99Pz#tvUwMuansZi*A%S&~6a
zjC`2OSFx2aRq$5dPrh&JLjZrXicV-JX{dK~8F=)?Wx^{Y3^`hpjVRK?X?{Mk#0aS3
zszz+>QJ*)~rqD`sCZFk8iQ4aCmp~t$&im3l`@!=4Zl?fPA*1_(`t~=CXH|~D$J{SC
z?8^qMT-aO#*E1v@5Elasq5|G)P#8sYJb0LltzI6%Er%#5Jg;-Johmg=;()DKdbY7X
zacAC4!L2HMVSFd5{1fr6eZ;V1X327X*p`IzJ;@~M_KTnUH*fd=K%*su#M^jH>^$Ev
zuY7>_7<R#;MDnLpxp0-&nY}m(bNdQ=BtKn^8ERR|>D(7RG)1~U*HO3f^e7qAfiM>O
z;wXQy`N&;DU3UE3&+v*XsdufJC35`UD>i=}c0^g)4BXg=6^2})Oq9I6TX|_EsBRaI
zN~+xavzvRkM&2b{I|1)S{b=Mcr8N`J;cR7Qc=pLbAIZ<J`a7lLtb!ZTkv%xOcItf?
zgBc?b-;BnMg~(G;sZJFV@wb?3^DVv0ccF;CFZB$(hOd&(qIx>-T%FyqFRq&8c^2Cd
zLdx}bqMUA29rF$txcT6c7DSCe9_Z-a>U{H|LXfOtq#;4#qzxvz6q<sxd2Jv?v{L$p
zmlEOuaQ~~wWNpwaVcxCbwSe76O+MWzOk{T9)-sOlmi%zmS^jyC=<@k{qKk%;BV3}i
zmek5>t>x|S@;?5?nE;>+($`b%(8ACxMOzJEjh1<<I$rAPSc=<Y^ch+Hbl!=f^_%P(
zPD;Yr^0bLH`=i(h8MMc|wcGX9Q4`#dC9$|uV(hg@cBCbdY%Y+KhX4xHP~J;&C-Agv
zbPxKz7=L6pHRc&WFeJ4#S@InBTR%}UHT^sDfhbarRZH?)iU$%av6}e04K}rq7y(36
z$b2!TT0MiiU{`J9;uoi$(u%c7ZeoWQBdwtoMD#bf1HWb}n(NK^m_F^<6Uq~dqd#sP
z_#e;R|G*3X?|}lY2V4MA0YFqBR*(Y778C)>2epCb!AM{_uoT!790bk+Pk<->$>`7V
zpAS?pDe|uiP@ULK;>5yZa6eQ-;ZLYftk{F}Lp2ong!;q^RA@g`L(xyDPfWYS{Gl3(
zbyEG?oh5L8sD|R5+=Jt{y8saWPz@#e;SL_WEP&tX!TSY249&-SwErIopb!A02l0cn
zKpwykz&fBA@Cu+4PzXu_y#V!r*1(ux7O))H3LFA{1a1U>1d##{fLXv`APQjVU-S%~
z{$pVK5Pa{L=J=tS4N3|Y2L9eA22l1NY1!C*XhtKZ6KY;QPBy;p{k-%)RI}0j_R=uz
z_g_W(BP|=viKtKXFrVE1<wP$z)o<fI(a}%&BP|=`M<(HBWB8HUi1X49)m+TKz4VEN
z`9MF?Lczb)o>*oQ;YV61;%~JlR%b)`krs;jTkVMn$rwM<LNA=q{&spj_K&nsoZo6s
zY}SJRBQ2ERFPQ%WF8b4=I>$Nw*AR_@{FCc{{0Z}apno3kbDZNG|AAmQ?IdjepAX?<
zz$xSZ*#7DDKiSS+|MS<#PuoKI?_2Xnm$=`_Fhq#BBnM*MCzHF$v1JMoxe)+~o~9G4
zTf46!fV#zzf);Ch?O|NrM|5&xse4wwNixBof*U36#V<&D-{B5wf~eDhZab6aseJxc
z?vdeO%tnE?^Nq>Lk3OgHrcPap1t}*59g{+v_k)i&brhYkm_GYG^wT#sduDIS9mLT4
z{vaiI;+7<{arg79@8RF*Cr`%QnG3>J3JGDGcSjhkt~O2p-r!{8h9kRu@GvJVN@Q)L
zu)RTfzGKWRb?FIf1u4%<lfWUGK<}tA4<7}6DW*C52(t&6<wgC?jj{<`BI7)(>i+&r
z<|{b6x=L<(uR^S}4Za9z37LfrEE)d(T)-#^71Jc?7re=t-#&NQQS7`DeYf_@T)^Dh
zFCp>3M29$~*{8(F1GmxoOb{*<<QE07NIfTP#K2uA#IW_WN-sh1zW+78J{0=W9g~v)
z*j$oVKll6!&N9?LoT7I2`tYq4cVTf&8Jyc=)4rFxfn{YJbc45cn<ddlw5x`6;=s3-
zUm{JGyoVPN4sCmcE+d^WD2{MLTx3`|RQ+kKokTZexS)W&NcMh343Si1RM10}<qGd;
z?{|gb=42%@cR8M|6*sbKG6(X#ef;26`@pN=cacvD;9O?965$$!gymG|-qB9o$P}<d
zw^K(hpw<DkmbR<fPxorvGjX=FM-D>tH8gJv+|+50bTZPdAELI`q{xz~n*Rzy#yh=%
zGy7(nTx$oqRD*NL&{Zr8liu>?{o@AC)_nIE-8HZ5-sjTDAIQEw+?dwAS=wY1X;3!2
zdZ%|6$KsZiKtF@rx_M;Ac$33Rh1eS`F)n)Q4Z(dNZo-5NOik~bj)dxpeqC#*hGXOm
zGgt7O_6nI~h}CE%;+hBF3@+cC(&^wyCBD&I)Sshk-ur|uKK=2cV#|eRog!cS-n{^k
zJ(%UNx;uS3?`o4TwqosFI8o2jU6ukbzO*UUqd4Y$*Fyaobfzp}JS+R!Gd)yj!)?pq
z2T^`~ci_|B6PO@fS$r?$**B+OSTe3~l!h_zF^O4i6@6+~?@ke1&mu}{7GO7#x8;Nz
z)3&iTfA~D-mLS_?6{EXRyxk{iMxK{12GSOVY=uK#vI}`?C=Ixi*^4bDr`HteXpFQh
zq{M7Hs*bcv=YRtpeM+s(PUqg(h^6sF=T^VDo*aW^(1j4B38~~`?sPj^a3pW?*<7E_
z*WaSQHX24&yzMafd20H(&y(qEH_T+<Dc=kjl~;$Dr~1?AR1Ki88!}V2H<VDf?$fIW
z2O5PCuF-<f12nMSlR>TA_}+`zWs$!s2lPNz*XeK_8N$C|k=X-Z745&zv5Ax~v-L|8
ztf}U$<rT+Toy)%*C_G}s_S%~_=EjrLdGn_RwcuFCUVp2ADd8^_!Q!f#<#NnB-dCeQ
zhwa{;(C2VmMB_Z$qGF8QbPizPSEzwf5FHbfVp}b1Vh0DO2~E+bo<O`OgIv*d4;<sO
zUOCoPNvVk24#EfEVd%%_ka(5vsJ)LyTv~vq!9oz?!)FNJNslKYV&@{V5>orb)W8h?
z{@Du)-!3_+8(sIF)){kB(7x&V*rdaEr<LTLVB_h$>4uWTYDI3mDt~dMN3f~!YFxpM
zUxxUtVs^X8G;@`q;V@=j*l-wJyqcN5ZQJ!&mG7=&R9x`8-f6??YlJ%0BbOdD@b?tz
ziS=S!-WFdRv!Gv_C=N)p7fRNs=ds{=t7`UnGVKa>`i{7B{Lt2hochZu9T!Oq{|oyM
z#9XZ`YiapNHL^$gGeasZbLbjeG+sCxGF$j?Q6VoXZBM+Ny$5T={~yoP|8?*Dzu|oS
z&vTsP|0hJ_BK_;u|71E||C9P?|Bv!t*8ikF>B*mx@yENZ8vevYCP>{iNitDCPhvUY
zjmY7cL6P9Ow;Rq>=xepWdY2@jva=>K-AJz%NU2}V#=jYTqrzi<;s(`Q;7b<QDxJQK
z{p<FfH~lFYen^u0XQqUSzBQ|d6!fY-J>Y&{?XuYz#$PT!KWP8x+gy*a+4SbbStOHk
zeF<|vRAhaVUiXyt+O+PU2-CJlDB<cGt3voPX+r5wNq>^$iLQd5*`!2pqki7FQz2*x
z>RE!Su8Kg6rf&Wwi!~WJm`=*f#q%tZQ(-C^gq29jIZrQLv+N^Lm5M5K$9xcee^hsu
zFP*%Az@L)t$0UEol4A;xJI^_G>*g$LRx_kH5{BQn1Ts3Z#{}VE`LRZm;-5tl+w&gs
zSoZbN)gCGgwKvu*3cfK(q&K7@m=zo#Qu6u*{t(&|vlLHsoBRYvwVVCwbR!J#eL555
zFG(Nw>bzvtlF+!mLp&MH=0gP%I*a4pi+jZvFVm28=4FQONBAOSTMS4dEp+3Rn9J6g
z`Ys~+Luh`;@n`I)qQ}9gNb(+Xr(RxK-m(Vo+W;-*)J@#vd8GJxK{<ngGdIp2o)xWr
z1N;&+JfZg-v#PAbO83IxN2Q_0o_v<Z==H(F<js6q#sC}t7b<cztl+Hie{BE4^*?{T
zR@tKej3T@W?{J7B-V~>BBS=^H-ru(l^jvK*rBK%v?soX7v3@1IVV`j_w$4Rce?*$u
z_aZB&T;0H~+lbi||Kg@yPK$7X0Kw~QLm_q*ycXA4WqV@BqAyMaL~xDO$j`T!2Bwm$
zRm{R>z7=2P(`zC1tk(D2yeGqBr7Xfedyn-pvdt9Kzn<<1PMjwNciO`JEtc4&8RH$D
zqEQ=6%+>%=WO5tJM)~#8Dne|T_uqtU%WFd>Ore*}Rtica1sAWfsAEiES9(spBif)0
zw8Tv-kLhWz=jL$MrDkb!b_s9y0@{_$PCI#aeO(}2yz0`uMPuw~{3bZq@>`&@sOY0R
zm9LRF$UMe`=z{|*nSv9U;y#)Cy?lG=_s9C(^JC$7Ol*UmKFu`l?4ZHX64hk%%UD0z
zvYQfF?=P*V6yf4O-7`_UJ*(d^Z4{cClGj^36TLiJ>-ye6y|m>*o|*_S=yPUN)gIsD
z?pY>|oEtAmh^QaZb$=MmyrW%LP%w@YT5Eo<zg+dTUjnD^;tO+6xgA9;Ts4(h-{o)S
z&AZO4clPA`Bhw41S|^`<{DQ{*mfiT}LU>uKl;tOSgeys5ZY}*YR>rKPlx|UK!SKj|
zJM*Cix0pHWU)$zCmx1OBEn+B;dD#_(SvJb_zCAF1ibeaO&;l>W(C|gr{L`!VJ_)hc
zRjM4Q_utpft9zWquGl5pnQBYs@QDjJW6?5<tr?P?ol$EyzyI)FIZsV2bMWPgC?=Uu
z6fX=hvg?D!r&pmI8$(=5?H~zB+*}f|)`PvOc6=PiRj4lkSVPKM7>UY@8VjfzN-R%D
z^R3cWYWy4?t&6B!eol<hgh(tO3|DgPu?w8jNbpsJR%!0&dtNu+fY<jqKF+8@M62II
zv)hQ0fgk*IwIA+|FLmhn>Q{gqyguj=mfTr?D)>0Ym1l1?8i2)pfsQMYc7TH@r(Tcf
zB9r+dQ@d$`RGC3uO~}meRJFOTHH0>AC8JT_{Z#E+7?NfVU_w3SeJO)*=P1!uhZYuG
z?c3>*S~rQi(tP;>ISNFV>wabWytq){a|L>uIur<|FG7gM=P=1fw<d?a_M~nJdvF_R
z%IUM&IUxtfwI_3yTx2K}lMY~!DC^>o4lBl83m-YKAkz)j*eY$*GtI;)wV2g(3yQjI
zwLzK#zu&@OsW8hkHvXZK{7K;(S@xvB`=@gc?gSLkG+Sln7V<9o=5cKF#ch@SGDv<E
z5j~h>Tlj_V61ZDVmD@#2pPa$abTG#k$AhGapd*9x8+A8s1B!35U`*v5%_@?>cCN`a
z)U0>Lxn-ceOeBk_?3t)%a57=hnB;Iu&DBjxm2$ZHb_SAO11p1b*#kAq${6nC4?gsZ
zWC{bj?ut{}w!jxggzc1n(4n~4n{Y*Q9p!4oYgDY$c}Go%P3%0Q1GYWjJhY9Y4_<x+
z$}w-Ur7->1#m(;9%RUS>x;5z9$(}}6C2BJ}w%v)w<=%+6lZce9S#gk<w=zcR3desP
z^zLI9oZhx?bfo?4Rz9hWoGJOLNW0q}d)ZUYyo~VGnC}p6hOC0sq|&YG&MUQPZ97-4
zm!>>=8y~v=HD7+|n;!mc%Q+*jerP*RF9+AcOneHLa)tdO!Rfp|5-i<pp?aP^2PRe@
zs~8O|Z+NMA%=-XdA-eS=avJYz`g{lb0fE(9tN;ka9KDtt;{gqWWRH9JwA3D973za`
zh9Nt5#;^*^QdkE`p!VJeWY!^g{W9Wek2l1H!f3q^G_chYk>zB<REF87S7n6ezVvwj
z0Noc2#;qr_VtL_w1z31IYfby&oB}=O@Fu-x&}EIrzv0D6Sbj>ISm=Q@6a25|?mt<$
z|4Bf8_x;bf?DXsV|8FmN{~UHyHsqssH3AMu_1dooNN6B&QFeSb+@k|TG<11;7dvM|
zOFIfROH(&?DmKXR+x?=vy{Dy(jUfdyg`^sViK&r`Ife6Kp@8BrFew}Hktb9%+-s)B
zE{>MY9u$&x=9YG*rjCbY26k39=Hqe&?cd53hf(}mqM$##oTH1Avzxu6vxNu4VSI5i
z58e`@qdiWr9?ZcgN}Li@hVT9RBEtXr43Xb2BE06k#RFVNdar3)BwmvL*yPQMRsAnT
z1YK!W?CsW#H<3wF44uz4CE1jVJOvzWgKyyQi@tTVh)zcfo<-1~=vpO71!X7;7<bae
zSzR$_M^Who`RJmC;AlPuq*O?(_*OvHU6nJl@DdfY&?{dM+tzeL-a2!M2S3rnqj*k3
z=)M{9Dc5nUPPhHJuW^dM2L_cd8QWyIGUQs_C(9QvU9B+ZL(ujw4bt5w`w|qHQZ7a0
ztrS}irIMk2UB|;%+`AxA>!dhSP<oBKc}`<AHXO@}{u02Y;^Fd#$qZHY_tNXhz8Vpa
z?uX4VvP;++UsltLD{m}fiVWtP=+5zUwEyrp6h}@O{Md&^WkAVj>gv;etm}G`p>XX>
zty>j}9=y)Fr)QrzR7?&E@3kV0m6&J~ttMFor%_Xnv(E=v*R|nX(RaP`forXlf#7t{
zbUSTZSEw=sPkOnW@FCaK&bM$32o6nU2e#*A1-6%Vh-36iIRX&}JqDM#*Kg})P$S>%
z+3>rRe2qe&TUm^M;_RD&n0r&NFuR_m-L&hKc0}bML+BkZ$!o!e?qOleL&l4}j@=4{
zI-HQc_qb6;gJa9=9G3q$r2eS>4+dfXvj69wo3WhZKN0?v94D*)C&pR+M74GKnZ@Vv
z<ZF9cBv{`})abMy6l`ZVqZpto*a|SFa?&!NRc*D7p=_-djBw^!#4RFPf<&X5?tGo}
z?8%$`+=<)meXqrz68dA3KU24kVw!%?MuMT)Z6GSA{0%o~09l-G@p`QMJ;NL+pQ~-3
z&LY`K&9N<hF_>6&4w-J{m87l=T2OXZg1rUWb+J)zgR4#c5cU)G{}W?Qe`dE=DW*2`
zek+4gZ$6f$^2cdKrDmHOiT%AnCJteWruBMfada~Nk{xv*?L-54BE>RqZnE8hp2(Yv
zD{v_yJ5fFQ)B4f)U--j>55fjngWA9hfAu=x=lK5}8gTwl;9sz~Gn^irzYy>*8!v+R
zPelI*wxb1E!1=2H{{?GY!P~<5>j3{)I~v=W?PzSjvyTq)QThjitN<V@&>&dp-~H^J
z<G&aG#B=@6?+*obgY$O){_E$UBlxqx1sEXz=hTu9Zw$w2cMCTD?;g=n|G>%i|KH0?
zj)MKG@-4Jim;)6&BjpLvjsYmXuj47b<bwaca^E>K5J49=82_1<w?!pdnUYH8l8ZPi
z;g^^JCn4j?+A99y+k;_t@M`j`W+Gfs){QP4lSMdQ2%rvof9B4nv{8a5%^)oxgnauZ
ziA}Fs%#u1(cZUZPSQ%Dt+p*^RH9)AgNn=b;+I8Cg>b*C~?feBQd|r;WZzGZJn>06?
z%)-&p74AJksv9OB&V32}SQq&@yJJs+V|{9?He~w_eFrka^v8k{d|WKW4}8@hQ^YOP
z2Aom%F4$jm^B;F>HxrA9(4whnMowmokzJhXX{|xx5T^r?2rP~p(^spGQc%ZRFV4C=
zep384Hc@?IBCEl%xSxO3wqvW;r~W|yzNzr<j}A<D9p+@Tv6gCgpaa?evRh4}`i1_N
z(SZxpy!;LcU-qTwFXXl-cea#=D;I3m8NZ8jhTi0iUErqa>TaCUr?Ab2m(%tRPywi5
zB2BFSzda3i;y$)UvhdSBlW4u)htp)%a0Len-uoc#@3F7#D$93{Oc}O!*&8QZl7A8X
z(lO9)hxDOm?<-}dXRCjx+L5@_q&Z*Y;+99p*J*C$@35&>IX7F}X+^PKxKQ7MKThod
zKG|<(mYMPG*Sk`D=tsfUY?<Avq09mvuTR~r7ER2N;0yiQci`@Y{kJz){XWS5-#FGx
zR&QTbf~{oie)D>PWIMGFYdDNd|IKUo)^lmO--qM-X2&iMX|-bU;fR)#Sf?)Vz(FQ?
zYR&2JH(!E`f)#Nbj`nlq&)R!m?@Y3>+<&1XZS}V=>^+b^{q<e>H{=xrW`5k)J$c4=
zox|S`@GDIfPE|Y2baCyz=!~o$=D%9pH!Pl<_fgR^{Fon<X&Kw)x?=O|7op-wF+7`R
zF@_!Km=tEv9Qo;Vo|cLJ0tH6v#k=NS;bh}=@nhZfm}&0^gBw{D;gY6Y(+Xa^Zc1ee
zInHwZy}!M8a_h{LY0Q(u<~;vgro?a;ySwdJ>f2u}VbU#M=a}}WjP+ruRp0^WIW3nr
zu<z9t4`3H$G_nF^+WQkzJ1p%key;K|7JR;~FhnO>^7<_~27QSPd5P5PtBZBLc5B^c
zlj*XvHk^6#<Xq9GJAbWuVsG1|7O~}O#Fe#bs;6GrRR)~?wpn!hBd_@PkG>?P1g?3-
zpeq_UaiUVbNKV+{p0X6SykbV9ua`Ui%iLTvy+dryGkrGQKa$wp{x$K+SA&M*r716O
z?aBCd`kZZ0nmokq!oENCUHh*7ak~F$<-S)sGpwD?tnL!fHZ<DaJY~zIZ_hl!c1q8P
z2$xIEjz7fpQ|F%S^Q`03qUN?-`k*-NVdveb|1&*Km0VRcy0%+U({*0j=Oqo|@6?!=
zP46(1$}P_idUyMwLrs9jzXK74+Lo0&eG}(Nru;Ok5i4%JU193Txk!J}X(OFLh49tb
z-EDT`m`sSz$+vG_^-h`|KPjzU$Y=}1-CHM{eRL9Rdb&=3uDW{mpD7Ny4Jmt@^KS4K
z{irYe+qIx&<&xa%ycZ{&=lR*zSoL<3`j^&BXHk#$>ke<>x0gK|lX`fkzSj9CuNchS
z+tV3ccpmIqwZbQ7i$XzD)y3dlRhkxx8Rh%DOm#a>l{oD9;K#P%TF3mRslPIhn@3)K
zo>*AJ`=KW|ev4=jc6SF>Db3p-zy5;R5uFuoM;M+5$Q{&#xcj}RfkXK86uyhgT7<%l
zAJ4fnrQ*yI$G7&C?{BB-EXnzJU2FHjx9ZaWSP$l|3*PiNui)M_MgOw7meCXWyX!w#
z_c&Fwd3n#7+0U|sH6k@O;{4m4{3o9})tF}JR^ELPxSEk;{?YxplP9q)uX%b_L_z$7
n>eY)+7#3s-t(IFOUNp~9o4xwZ+W_aazre%(BfL<jNvjM1w1A_i
index f6a7548e72c15618a90168aa93757299c065f3e9..119aeba343dfdb8f7050bbec8a798edc1c1d565d
GIT binary patch
literal 449
zc$_n6V%%%c#F(^znTe5!iG?YYd9MK%8;4e#$2nUTW+sDBLsJ7|Hs(+kW*(i00O#P0
z)SMgz@6<|#;LNI2g^<+ZlFYnxg@U5Y+*Bh|vob>kAgP;_Sz;(-AO+IK#UoslpI;J>
zP!SI#4dldmfd-oz8W@-x8kkx}0l5|i7H}@Dtc^4fW@88YjfoNJNoGcNW+w)g`~$O>
zd_NuWx9&}QbD@>U-P)!<;srf7BptlgT>ZLYH)G1$K<fiStPz=k>ld~cY6s`7V4Uvc
zy6{bjv-a}+wTEjLD;UTb@B^)u6=r1o&%$cJ45SRWK?3|Nz<^|ALk?DEPX+@wCPjud
zX3ziq__^Xzdf08n*&AvcwartvHcyw|VZ4YtY3eVQGe9L*PKAj11ia)~lUd~Fa9ov5
Vc+bc4pUOj?X{Wb)Y`!#;3jidFist|T
index a3af113da56ba307230c2428faa3dfdf67da3a41..849534ae5b9d403480614de875294afa911f2d21
GIT binary patch
literal 557
zc$_n6V$w8dVw}8ynTe5!iG{KL*);=RHcqWJkGAi;jEvl@3<jQt`Ubje%%LpIJZcdE
z&cPX}IXMd6sg(-BnN_I@A*sbBnR)37Ma78<h6aXax=EQOhGGUHAPrnRyhZu>CGkMH
zc#xcdoH(zcse!4Xfq}Upkct9wEetH+Txwd?I1kw$jI0dIjXewojU7yl4GhO;et1yh
z`GY%9H!Nk5*oRwdjw+ZvS-m38cBb9eg$=tR6`mBU?@Dr3nRNQ;ieh$U2N&CW8Wq3)
zMg1~Z8Gk;QS7cShr9_T*ZBG{1Jl*$Gzc%q~+#=uF?m7dXf`#3@jAv*5JXjLt`L~QA
z@J{>AymWyBO4a)hl!!Rg$ZlXc7^zaq#LURRxLCnJ&VV22bXj3W#{Vp=2FyUpfEy&h
z&%y$X4K}oRU<Nuos^s<3-x{BIC9_|b&*)un>3#T2OEdTDx1J?x9g~l4Sa|Jr@ZD6s
z#qm?>oLu*C_60rZvk=j(2%9YB;*l@0*}^SJY<>!(oJ9En{T{P(run-bGxfg^nb{ka
ue&FTXJ)z&)mi)PT^8UHw8uQM55v(wAwVQY3effo+a^tBh&x+<9<p%&+2E=jz
index 5848b6a09e4569e0683406fe91d9def2a6dce379..6171f774326c1aaef657f58d8bae118fda626419
GIT binary patch
literal 559
zc$_n6V$wEfVw|#onTe5!iG@*Ea)JRb8>d#AN85K^Mn-N{1_Mt+eFI%K=1>-99<_)7
z=irRgoE!!3)Jlcm%&Js{kksOm%)E4kqT)maLjxld-K5MCLoovpkOnRu-lF{cl6at8
zJV?$!PMp`!)WFoxz`)!PNJRm;76uk@E;X%coR91eMpg#q#$E=4#!jZjMurc8cUHgm
zj4OWo^SpvT<Gy6;Cqm4>BIn8M)p>b_r}57;{i?8ut1Nc4Rq<Bbd?;cT$9BeE;|_CH
zazMRXt8df3iQ2E1EPBdwY*k);bis@BtGm1V_uP$?cJI=*@(szhH2b=KbKI4bmSqV$
zuluik^H<QDrT(9iM4Xyjr{FK^HQgpNnV1<F7#AxT$Qkeh-7YK4$oQXy)qojD8E}IH
z_*qzh(ZPlm5zIiB8^km={Eg8Hcq*CiRV67D=lxCN;A*=Q%n~_AcD&W;c+e0Q``%;1
zB*TYqvxK_pGLJSGUd?)N;)A~Fv5E(8H-G%7G@H5O`_hR2bNE<)efR!oa)>#r<53LD
vqfH6LCy%NwmM(h`rCMO{c8O15--SEcY?I&YENFjYCEmJm?*46UkCWH{WFEyx
index c7bec96eb9077e820483406c3fe2595715aff026..ca11060a7ce00e05cb0de044af0c9e2a9c098ef5
GIT binary patch
literal 820
zc$_n6Vm2^nVv<<E%*4pV#KN#3?YaRk8>d#AN85K^Mn-N{1_Mt+eFI%K=1>-99<_)7
z=irRgoE!!3)Jlcm%&Js{kksOm%)E4kqT)maBLfo)-K5MCLoovpkOnRu-lF{cl6at8
zJV?$!PMp`!)WFoxz`)$lz|=Ad$h9!AfODy7RTHBUvPT$M8JL?G`5A!XTue=jj12G6
z3(EJZD)K0s&3LXnB`V|dum0mIQ(l~TBv)Lzl-Izb&t@N=OH=ReMQSEO+?_vHdE_L0
zJ@A21zSZXLW7+I2=VrEW)SNOCoV@BzLCNEj4}aywnqFSX#Wsg|eZmLk%T2P(e?`BZ
zczd$IbnA(JQ>~J9mlnPA+TdWVwuY6faraFbfm!;R!uO}Rf2~X^>uj=V;@VWStxYSL
z@xB|I<${Jqx|Q#Yw!Bd=-QoVQ@1TCmvW4lDKa<uLNShUGc1XU_?B^dKz*Lx=#MvKy
zdzNqL!kq~#yGpI^Czn}Hi+j83y#1bFo8a%epWI?^VfNszDiSZNG<e<+xh!3J{j8v_
zzr1mCCj4b$W@KPotY9E#zz+;RSz$)T|17Kq%s|S38zjKb!U9YZY-ovr85DFD>0y!C
z@?mNVcT~12=6NTJ#ux^C`_%Q~GLLHPv1L7Jc6qTGd|aI^nO{<+C6oiLOBCljda_n#
zXztv(<JzC>l7K&@Gk-G5t68k*sr0zZx~9DGe%sy~UrLs9eRfh0vPn%&-I-Ln!snJ#
zjm4&KuL3r|ouj}zDdbq5U!epu!>)YckaDXR+&3Q0cvt1P@87ajY@cVp<NxMzUaGdO
zE9GaX%Rj?}n|c?gUa4K==e+0YF^l9f_2;~nFT|HyyqIV6=~UO!nO05rg<}_8U1lXP
z$7P}P-GwKeoBby;94=n?D^i%(kn`ZTFDG|T)MJZdtKt$mmGx33>{?39V$Dar_xB$S
IYt_080O!9q<p2Nx
index 36ac715740a72ffacd29772fc858711b969e4e33..ac9a453a88d8aa1037e0eac152fb98cc757d7139
GIT binary patch
literal 426
zc$_n6Vq9j>#2CDQnTe5!iG?vG=d%G98;4e#$2nUTW+sDRLlXldHs(+kW*+T`0O#P0
z)SMgz@6<|#;LNI2g^<+ZlFYnxh2qrY0wW`nB0~irshgBpVkm7O3DU*IBUF^1UlI>j
z5Dz2`<ivRmO$|&94Ghc;4NNVgfLsd$3pkfHmiie8u(5;v#l*<Qs@=%KpvY{+!16Rw
zy<p!P6{l^VZyfFub>3!Wu=u3>y~Kt4UiCY#6pXm+#H-A==6m(@m4{!}J$TJ!Ir-<_
z_Qfs_v=%EE$Qkeht&<gIWc<&<YQPMn47fo8{4BtbV`M`PM`lL`13M;JhNBZcvoa_d
zTh%OjVd=;}!~X8flh4*)t>d<?DXIiYKhIw2X3)oS<4x*@R>eKrl{8D&hBS#De_3!#
Gq67e(Uw}dY
index 8581249a4b3e099a0d6de961ff29c256a87dce5d..e11cf3e39631432139489bc6a23b588c6db8995f
GIT binary patch
literal 442
zc$_n6V%%oX#2CGRnTe5!iG|T>hqeJ18;4e#$2nUTW+sDRLlXldHs(+kW*+T`0O#P0
z)SMgz@6<|#;LNI2g^<+ZlFYnxh2qrY0wYtiY(oVgshgBpVkm7O3DU*IBUF^1UlI>j
z5Dz2`<ivRmO$|&94Ghc;4NNVgfLsd$3pkfHmWCM!u(5;v#l*<Qs@=%Kz{Tvuz>-=&
zHTpnQoZsWy3-$iAoZz>UFMrSMb#E!lldq>{YNSSLck3NFD|A=g-}cbn?cY~MJoxC%
zqoJeLl&5NEoO;MbX|aNVoB==3T3KO6#{Vp=2FyUpfEy&h&jJiVMmFT|WcFk*aAQ(r
z=sLvotns<oxn=9rUT)``pwoXx>PlBb7hi4hnl;Z$S>A(`ybf;?`7Kwux@PU;MMwWf
VeB>)KU4Jg7s5-VxNqWQ0#{gFqhp+$u
--- a/security/pkix/include/pkix/Result.h
+++ b/security/pkix/include/pkix/Result.h
@@ -178,16 +178,18 @@ static const unsigned int FATAL_ERROR_FL
     MOZILLA_PKIX_MAP(ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE, 46, \
                      MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE) \
     MOZILLA_PKIX_MAP(ERROR_UNSUPPORTED_EC_POINT_FORM, 47, \
                      SEC_ERROR_UNSUPPORTED_EC_POINT_FORM) \
     MOZILLA_PKIX_MAP(ERROR_SIGNATURE_ALGORITHM_MISMATCH, 48, \
                      MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH) \
     MOZILLA_PKIX_MAP(ERROR_OCSP_RESPONSE_FOR_CERT_MISSING, 49, \
                      MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING) \
+    MOZILLA_PKIX_MAP(ERROR_VALIDITY_TOO_LONG, 50, \
+                     MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG) \
     MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_ARGS, FATAL_ERROR_FLAG | 1, \
                      SEC_ERROR_INVALID_ARGS) \
     MOZILLA_PKIX_MAP(FATAL_ERROR_INVALID_STATE, FATAL_ERROR_FLAG | 2, \
                      PR_INVALID_STATE_ERROR) \
     MOZILLA_PKIX_MAP(FATAL_ERROR_LIBRARY_FAILURE, FATAL_ERROR_FLAG | 3, \
                      SEC_ERROR_LIBRARY_FAILURE) \
     MOZILLA_PKIX_MAP(FATAL_ERROR_NO_MEMORY, FATAL_ERROR_FLAG | 4, \
                      SEC_ERROR_NO_MEMORY) \
--- a/security/pkix/include/pkix/Time.h
+++ b/security/pkix/include/pkix/Time.h
@@ -36,17 +36,17 @@ namespace mozilla { namespace pkix {
 // Time with a range from the first second of year 0 (AD) through at least the
 // last second of year 9999, which is the range of legal times in X.509 and
 // OCSP. This type has second-level precision. The time zone is always UTC.
 //
 // Pass by value, not by reference.
 class Time final
 {
 public:
-  // Construct an uninitilized instance.
+  // Construct an uninitialized instance.
   //
   // This will fail to compile because there is no default constructor:
   //    Time x;
   //
   // This will succeed, leaving the time uninitialized:
   //    Time x(Time::uninitialized);
   enum Uninitialized { uninitialized };
   explicit Time(Uninitialized) { }
@@ -132,16 +132,20 @@ public:
   {
   }
 
   explicit Duration(uint64_t durationInSeconds)
     : durationInSeconds(durationInSeconds)
   {
   }
 
+  bool operator>(const Duration& other) const
+  {
+    return durationInSeconds > other.durationInSeconds;
+  }
   bool operator<(const Duration& other) const
   {
     return durationInSeconds < other.durationInSeconds;
   }
 
 private:
   uint64_t durationInSeconds;
 };
--- a/security/pkix/include/pkix/pkixnss.h
+++ b/security/pkix/include/pkix/pkixnss.h
@@ -78,16 +78,17 @@ enum ErrorCode
   MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY = ERROR_BASE + 1,
   MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE = ERROR_BASE + 2,
   MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA = ERROR_BASE + 3,
   MOZILLA_PKIX_ERROR_NO_RFC822NAME_MATCH = ERROR_BASE + 4,
   MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE = ERROR_BASE + 5,
   MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE = ERROR_BASE + 6,
   MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH = ERROR_BASE + 7,
   MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING = ERROR_BASE + 8,
+  MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG = ERROR_BASE + 9,
 };
 
 void RegisterErrorTable();
 
 inline SECItem UnsafeMapInputToSECItem(Input input)
 {
   SECItem result = {
     siBuffer,
--- a/security/pkix/include/pkix/pkixtypes.h
+++ b/security/pkix/include/pkix/pkixtypes.h
@@ -312,16 +312,25 @@ public:
   //
   // CheckECDSACurveIsAcceptable will be called before calling this function,
   // so it is not necessary to repeat that check here. However,
   // VerifyECDSASignedDigest *is* responsible for doing the mathematical
   // verification of the public key validity as specified in NIST SP 800-56A.
   virtual Result VerifyECDSASignedDigest(const SignedDigest& signedDigest,
                                          Input subjectPublicKeyInfo) = 0;
 
+  // Check that the validity duration is acceptable.
+  //
+  // Return Success if the validity duration is acceptable,
+  // Result::ERROR_VALIDITY_TOO_LONG if the validity duration is not acceptable,
+  // or another error code if another error occurred.
+  virtual Result CheckValidityIsAcceptable(Time notBefore, Time notAfter,
+                                           EndEntityOrCA endEntityOrCA,
+                                           KeyPurposeId keyPurpose) = 0;
+
   // Compute a digest of the data in item using the given digest algorithm.
   //
   // item contains the data to hash.
   // digestBuf points to a buffer to where the digest will be written.
   // digestBufLen will be the size of the digest output (20 for SHA-1,
   // 32 for SHA-256, etc.).
   //
   // TODO: Taking the output buffer as (uint8_t*, size_t) is counter to our
--- a/security/pkix/lib/pkixcheck.cpp
+++ b/security/pkix/lib/pkixcheck.cpp
@@ -943,17 +943,25 @@ CheckIssuerIndependentProperties(TrustDo
   //           TrustDomain's CheckRevocation method may parse it and process it
   //           on its own.
 
   // 4.2.1.14. Inhibit anyPolicy is implicitly supported; see the documentation
   //           about policy enforcement in pkix.h.
 
   // IMPORTANT: This check must come after the other checks in order for error
   // ranking to work correctly.
-  rv = CheckValidity(cert.GetValidity(), time);
+  Time notBefore(Time::uninitialized);
+  Time notAfter(Time::uninitialized);
+  rv = CheckValidity(cert.GetValidity(), time, &notBefore, &notAfter);
+  if (rv != Success) {
+    return rv;
+  }
+
+  rv = trustDomain.CheckValidityIsAcceptable(notBefore, notAfter, endEntityOrCA,
+                                             requiredEKUIfPresent);
   if (rv != Success) {
     return rv;
   }
 
   return Success;
 }
 
 } } // namespace mozilla::pkix
--- a/security/pkix/lib/pkixnss.cpp
+++ b/security/pkix/lib/pkixnss.cpp
@@ -195,16 +195,18 @@ RegisterErrorTable()
       "A certificate that is not yet valid was used to issue the server's "
       "certificate." },
     { "MOZILLA_PKIX_ERROR_SIGNATURE_ALGORITHM_MISMATCH",
       "The signature algorithm in the signature field of the certificate does "
       "not match the algorithm in its signatureAlgorithm field." },
     { "MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING",
       "The OCSP response does not include a status for the certificate being "
       "verified." },
+    { "MOZILLA_PKIX_ERROR_VALIDITY_TOO_LONG",
+      "The server presented a certificate that is valid for too long." },
   };
   // Note that these error strings are not localizable.
   // When these strings change, update the localization information too.
 
   static const PRErrorTable ErrorTable = {
     ErrorTableText,
     "pkixerrors",
     ERROR_BASE,
--- a/security/pkix/test/gtest/pkixgtest.h
+++ b/security/pkix/test/gtest/pkixgtest.h
@@ -155,16 +155,24 @@ public:
   }
 
   Result VerifyRSAPKCS1SignedDigest(const SignedDigest&, Input) override
   {
     ADD_FAILURE();
     return NotReached("VerifyRSAPKCS1SignedDigest should not be called",
                       Result::FATAL_ERROR_LIBRARY_FAILURE);
   }
+
+  Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA, KeyPurposeId)
+                                   override
+  {
+    ADD_FAILURE();
+    return NotReached("CheckValidityIsAcceptable should not be called",
+                      Result::FATAL_ERROR_LIBRARY_FAILURE);
+  }
 };
 
 class DefaultCryptoTrustDomain : public EverythingFailsByDefaultTrustDomain
 {
   Result DigestBuf(Input item, DigestAlgorithm digestAlg,
                    /*out*/ uint8_t* digestBuf, size_t digestBufLen) override
   {
     return TestDigestBuf(item, digestAlg, digestBuf, digestBufLen);
@@ -192,13 +200,19 @@ class DefaultCryptoTrustDomain : public 
     return Success;
   }
 
   Result VerifyRSAPKCS1SignedDigest(const SignedDigest& signedDigest,
                                     Input subjectPublicKeyInfo) override
   {
     return TestVerifyRSAPKCS1SignedDigest(signedDigest, subjectPublicKeyInfo);
   }
+
+  Result CheckValidityIsAcceptable(Time, Time, EndEntityOrCA, KeyPurposeId)
+                                   override
+  {
+    return Success;
+  }
 };
 
 } } } // namespace mozilla::pkix::test
 
 #endif // mozilla_pkix_pkixgtest_h