Bug 982754 - Allow some inadequate key usage overrides. r=cviecco, a=lsblakk
authorDavid Keeler <dkeeler@mozilla.com>
Thu, 13 Mar 2014 16:49:12 -0700
changeset 192265 4959184a7078398d0a1245322400cf4064569f7d
parent 192264 ca4c0ce099bea6d81933ac8db8302b27d64f5d1c
child 192266 2602ee663acf3cbc2b5d884b389993faf2a8baf4
push id474
push userasasaki@mozilla.com
push dateMon, 02 Jun 2014 21:01:02 +0000
treeherdermozilla-release@967f4cf1b31c [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerscviecco, lsblakk
bugs982754
milestone30.0a2
Bug 982754 - Allow some inadequate key usage overrides. r=cviecco, a=lsblakk
security/manager/ssl/src/SSLServerCertVerification.cpp
security/manager/ssl/tests/unit/test_cert_overrides.js
security/manager/ssl/tests/unit/tlsserver/cert8.db
security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
security/manager/ssl/tests/unit/tlsserver/default-ee.der
security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
security/manager/ssl/tests/unit/tlsserver/key3.db
security/manager/ssl/tests/unit/tlsserver/other-test-ca.der
security/manager/ssl/tests/unit/tlsserver/test-ca.der
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -298,16 +298,17 @@ MapCertErrorToProbeValue(PRErrorCode err
 {
   switch (errorCode)
   {
     case SEC_ERROR_UNKNOWN_ISSUER:                     return  2;
     case SEC_ERROR_CA_CERT_INVALID:                    return  3;
     case SEC_ERROR_UNTRUSTED_ISSUER:                   return  4;
     case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:         return  5;
     case SEC_ERROR_UNTRUSTED_CERT:                     return  6;
+    case SEC_ERROR_INADEQUATE_KEY_USAGE:               return  7;
     case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:  return  8;
     case SSL_ERROR_BAD_CERT_DOMAIN:                    return  9;
     case SEC_ERROR_EXPIRED_CERTIFICATE:                return 10;
   }
   NS_WARNING("Unknown certificate error code. Does MapCertErrorToProbeValue "
              "handle everything in PRErrorCodeToOverrideType?");
   return 0;
 }
@@ -561,16 +562,17 @@ PRErrorCodeToOverrideType(PRErrorCode er
 {
   switch (errorCode)
   {
     case SEC_ERROR_UNKNOWN_ISSUER:
     case SEC_ERROR_CA_CERT_INVALID:
     case SEC_ERROR_UNTRUSTED_ISSUER:
     case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
     case SEC_ERROR_UNTRUSTED_CERT:
+    case SEC_ERROR_INADEQUATE_KEY_USAGE:
     case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
       // We group all these errors as "cert not trusted"
       return nsICertOverrideService::ERROR_UNTRUSTED;
     case SSL_ERROR_BAD_CERT_DOMAIN:
       return nsICertOverrideService::ERROR_MISMATCH;
     case SEC_ERROR_EXPIRED_CERTIFICATE:
       return nsICertOverrideService::ERROR_TIME;
     default:
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@@ -35,22 +35,22 @@ function add_cert_override_test(aHost, a
 }
 
 function check_telemetry() {
   let histogram = Cc["@mozilla.org/base/telemetry;1"]
                     .getService(Ci.nsITelemetry)
                     .getHistogramById("SSL_CERT_ERROR_OVERRIDES")
                     .snapshot();
   do_check_eq(histogram.counts[ 0], 0);
-  do_check_eq(histogram.counts[ 2], 6 + 1); // SEC_ERROR_UNKNOWN_ISSUER
-  do_check_eq(histogram.counts[ 3], 0 + 1); // SEC_ERROR_CA_CERT_INVALID
+  do_check_eq(histogram.counts[ 2], 7 + 1); // SEC_ERROR_UNKNOWN_ISSUER
+  do_check_eq(histogram.counts[ 3], 0 + 2); // SEC_ERROR_CA_CERT_INVALID
   do_check_eq(histogram.counts[ 4], 0 + 4); // SEC_ERROR_UNTRUSTED_ISSUER
   do_check_eq(histogram.counts[ 5], 0 + 1); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
   do_check_eq(histogram.counts[ 6], 0 + 1); // SEC_ERROR_UNTRUSTED_CERT
-  do_check_eq(histogram.counts[ 7], 0);     // SEC_ERROR_INADEQUATE_KEY_USAGE
+  do_check_eq(histogram.counts[ 7], 0 + 1); // SEC_ERROR_INADEQUATE_KEY_USAGE
   do_check_eq(histogram.counts[ 8], 2 + 2); // SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED
   do_check_eq(histogram.counts[ 9], 4 + 4); // SSL_ERROR_BAD_CERT_DOMAIN
   do_check_eq(histogram.counts[10], 5 + 5); // SEC_ERROR_EXPIRED_CERTIFICATE
 
   run_next_test();
 }
 
 function run_test() {
@@ -109,27 +109,49 @@ function add_simple_tests(useInsanity) {
   add_cert_override_test("md5signature.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                          getXPCOMStatusFromNSS(
                             SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED));
   add_cert_override_test("mismatch.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH,
                          getXPCOMStatusFromNSS(SSL_ERROR_BAD_CERT_DOMAIN));
 
-  // Inadequate key usage is no longer overridable.
-  add_connection_test("inadequatekeyusage.example.com",
-                      getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE),
-                      null,
-                      function (securityInfo) {
-                        // bug 754369 - no SSLStatus probably means this is
-                        // a non-overridable error, which is what we're testing
-                        // (although it would be best to test this directly).
-                        securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
-                        do_check_eq(securityInfo.SSLStatus, null);
-                      });
+  // A Microsoft IIS utility generates self-signed certificates with
+  // properties similar to the one this "host" will present (see
+  // tlsserver/generate_certs.sh).
+  // One of the errors classic verification collects is that this
+  // certificate has an inadequate key usage to sign a certificate
+  // (i.e. itself). As a result, to be able to override this,
+  // SEC_ERROR_INADEQUATE_KEY_USAGE must be overridable (although,
+  // confusingly, this isn't the main error reported).
+  // insanity::pkix just says this certificate's issuer is unknown.
+  add_cert_override_test("selfsigned-inadequateEKU.example.com",
+                         Ci.nsICertOverrideService.ERROR_UNTRUSTED,
+                         getXPCOMStatusFromNSS(
+                            useInsanity ? SEC_ERROR_UNKNOWN_ISSUER
+                                        : SEC_ERROR_CA_CERT_INVALID));
+
+  // SEC_ERROR_INADEQUATE_KEY_USAGE is overridable in general for
+  // classic verification, but not for insanity::pkix verification.
+  if (useInsanity) {
+    add_connection_test("inadequatekeyusage.example.com",
+                        getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE),
+                        null,
+                        function (securityInfo) {
+                          // bug 754369 - no SSLStatus probably means this is
+                          // a non-overridable error, which is what we're testing
+                          // (although it would be best to test this directly).
+                          securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
+                          do_check_eq(securityInfo.SSLStatus, null);
+                        });
+  } else {
+    add_cert_override_test("inadequatekeyusage.example.com",
+                           Ci.nsICertOverrideService.ERROR_UNTRUSTED,
+                           getXPCOMStatusFromNSS(SEC_ERROR_INADEQUATE_KEY_USAGE));
+  }
 }
 
 function add_combo_tests(useInsanity) {
   // Note that "untrusted" here really is "unknown issuer" in the
   // insanity::pkix case.
 
   add_cert_override_test("mismatch-expired.example.com",
                          Ci.nsICertOverrideService.ERROR_MISMATCH |
index ab5dffe785a67ba80741b7979178ec92ef5a96c3..573698c3682875024e9e1514798754e06e922c8f
GIT binary patch
literal 65536
zc%1E>c{o&W|HseF*t5%)ec!?v`x+_|rN~m0eQepXWUoxJl%*^oDupCTWeFukD3v8k
zo5)@%N+J=zVI<Wg`aR$0`}}dgy5`cD^SS4~=e*zdx#wKxyg?+4RuBXsA&BS^1gYcx
z3sFN50>VEavbp~t=YFDQf6l%%yD=icHK-fHgPeQ(*C9jv8}AAL000000000000000
z00000000000000000000000000000000000000000000000000z<&;PXiRNH?X6mq
zT8Y{_)gIL<)lAg~%6ZCrl`WOU6{!__6zUXe<nrVK<#x(Z$&5)ipsUfT=)GuNv>KWo
z{R&Q(NR)7v*d-w>F(zIp9wn|KCL#7kv{p1lbib&KFt6}?p$efGAy1*z0;~dk{MYz{
z_^tRUct?0{@<j3&@u=~<;<V;`#W@WC000000000000000000000000000000z>*+C
zKt$>@|B&(!1B^vV!&pRW8VZR(A`uKQ6$!a$sCMWW6#_v_48inhT9}#yWkiHxAT`8z
zdU3DQfH|3|&@!+TT3Sk43YL~JWu}r@_!O2zi^F308vc#0R<@Wu-d0{1Ze5HYw~?on
zJ%)R>Ax&3Xag3{%qn95Xe0t&AB8VYWa1;awM<9cPp_A<umc*mvP7>lJE=RcX{O(l9
zNa_{l4jOvixI~tC{z-Gu4fSGDjnm#AC4KtqWYP@%&uAzFt*1;WW-){4KPK*opR%F!
zW00uH_111!EA34?<|JsaA(}}3W2y)v88UG)fvHz+m(HW0%<g+{I_o!DG^pEHTIE95
z!ptvyYH?3Tq7V=wJrMSXMQ}snpd;dixv`v%^TXPW@$;S;lmy1t%EjFoBVps_0!xvQ
ziILzwKT-sOND$_SdA~h}5ur>DUS94>l9JADHdf9KZk}FB3a|n!2~*BA&wxNo6Cq&;
zUNQ5GhKOipxBRqEP`FQp{6lH$2Zpl=*k?ShDNbVH*W~FRe+j!Re<y37jc{@SAEWV+
zg2GH*0Z+xZ-j*>c{3<yGs!2|1+G=kr_;2p*SKO{|L33x*JthW80s9DcnQL#hXSN3v
zI~vrePoKP<V040P4fU2<l@@x6uZ*UNBcnQJ=@Y7nM_wg2cz*OtF6)PW9Y2KA4gs-{
zp=SO{0wV;u*vfi3+PhkLd3#{QF~07O9vE9_<^_5}WvCxSH2cfV>t(miH=v1cV1bCp
zkPw7kb`_Ffx4t_>5@N$SL=5MU_&JBr{p=7HG!wiM|CUr+yc{qd++N>(q5z}O3w(lJ
z_!O2!OT%b<rRZiyPZujM8wYVCS1%85PcMw^d~cWImbc=qeCYP5QugW4+w5-EvBh=T
z`-E@s^2FU{YFu5AxtC2Q%^6wla`%SI2jVgrWjK*CZiSRoILql0hWNc}V_H|Iy0kaB
zDO@;n>xAQbSm)S2%lZ~km%9~o&7X1wr83^^Gf)vWA2sH?#;07T_MBL$H{jEucfnGs
zCFthharbBY@osT|?QoKxbqgEJie<KS!+5%S&5rLsY?EJ|k#Y;|^zh_O8l_|8_bux!
zy>8eRMh0`!Kla`ipA?ZUXKa-NMSRFI7#3VvbkmfAIU~krz(KpJv51l#qfsVuq-Txe
zWrm<B$}^<0!flw&eaULsY>&vpCN=8%R*ovOTvm1T#E9Nz{?sEfoox@%)E!nmb~Cd?
z_oybHCe8l5j_FpHZ#&X^en)<j6;3<96${=c^bquG8N>!bw7;)J!K=}turU55o<GWG
z#wQZXD?$F+r|%9CnmvZ_;T#e<=Mb7@Ib_izi8xwpcG|^N^8V_OWjW(zV8Rx=Ci1U^
zn>og5rkRYdp4yXW;a<G%EuVkQo`mg;Myh>#q;1b0)PM3ax{cfIz@EnS#X671Pd-pG
zlOF7P6POpaFE1iD;K_xYvwZ`PI*NSvw+SZ71g2yNoy&;kJGPyvTH`3P3#GS)t0B}*
zejhTTW@4RTI6Kj2!zm-C+sOQX-x)#)%0?P?PutaHLmN!*(Tdo24>&b=eko7AGD2;X
zkrjUUk{%y9#m=Y+Ri+0aNEMZ<S6|<y*Uptp8CV~1(brTtvq`r&tShc`I<=02>yUwX
zca!=i=jzjBRE_U;9#%%?3R8GC?owPyoNZiVP}RM$a&!Iu;fzs4`<@Tf)7$r$jQ{Ek
z2&a`lID!s$<oH&%@Tfse_^2U<7J-HEzvP}5%py(@UseV3m#%#GfdtN@SfnV<2XS*g
zp!!=MNdM>qX;T<R<1CA>6!@u6+&+$84&3t}DYv7ir#Hr9Q7haXEAKe;pr1Q8&BBmT
z=OmOO+MObvJ4IQtM@5%WQSS*)=h~i)tf^|s8OlB{Uf9&??q}XHDM|y6NMrjSY>waU
zYV;wHl~oO0eO)-4{8N}<W}B9^4Qnag{#4ErpIAo4+;{4ommgHKCKa<LO}SZr==#?;
zy<hq+wCGUyF&o5FlH#r43_HPscq?$h99XvbA>c>wkK5r|RyS9RuK68%RnwE{=qHf}
zMCG<O23UTLA3M4!(~EUfm)elTvO_5^)4M@?u)lZuA_)tRsC8n!A9T90=GZ-2?}V!_
zUbC##MBW~u?zqz}duTULw`n`&h8IpJM{`=$VEPu8{KoR?oZW#hqb|A|3A>C$e|9<?
zq~u9qIb@O<S^v{`A)H?R;03B5S5dP*pd{>rg%c-1!Qj?K-19BXI6-omH9xGJ7WhC8
zXH6_p3g?5AIUlU}*$4b++!`AHMyx+LZKJCf#=`~oiQv|ifAoX|dNnMHZ-tLwcjr91
z6i1Xjx4xnuf>gI*J-N=VHGcvTfzYMv=+ii>k}h+~RB|H+-B;pLc6z?g_c2U79_nQf
zqTe83<awcKFRK!_li)r^DLyB&>hP~;@=-?oCNu&jClyZ)LN})DGl|rW3>q|AXxnG2
z97MT0K0lpBCR5Ey%yK+VS^0QY@LHB_u=k+}yd#`o2bdr42o9JH%Q`oJ|B@dX*Iu!q
zda&l`M2glq=`%ys>H24TNlk+MJL_^$+N)QeJ?itcs{g#f){Yw+jBTQr*l9y@AHrq9
zJ}0_XXa%qJ4J4!PNfO^V8SvOEvY@RiU8}BdnD%JKrt2y8UK8&k>@0%)__l3EP02@{
zV|`nGyVbC^$$NC<&}hYx19mb^`@$K27%hZT&5~q-cLp^C{a6kOLC_LgKrL5EGj4&G
zTZH_ve=}_eF0FsxDmUsGF0h$6Zg^Ov2+n4)b2cOW*=B-h{@Jw#u64F;7-u{28M_i#
zHT}tGOKoQ{gB2HE-}HXvT1@fO(;5@|{7t*G+)8{0oT>$k4r91K`J{NNyI=1Kz_6r!
zK0>0ae`<gsI*qBa*6$X_HuT^rp|%>-rTbO8lU?;;(k_0c&XcTc6=o)hZFw$LyDZ;q
zc;^yjPEl*5mwrFtl#9*eusW^Ji`R5Y{9GpL>Q=f}&GoXY@CLJoF)$C_V5?vjER!d0
zH2A^%<L<%;*JM{zxMmTT)qV<VY+d_~U27;pZ_CcHwj!-5o`PxO+tHGCmv2ll%Que>
z42BMono%1UGw893n2`4;`Esf59W#j>QqPsj96o*drTK~H-8%Qh#0El=i41+#$?fR~
zdPy1ZLSaO*xc<?Z5=HY8gRj%r*oNRs5~=sh*0_F^;rl*R2&a@K?$Q~R3NLkI<bt=r
zyOR9-+HLk&MMC&k#fRpBx$wVa`L+Th)DwXvZ8^V2TVNJ?hzw^I+;IuvGiMg!C7$P6
z@cmut$M5e_rZ6v>8|K8<F#pY$^`S9=Wc3GJ%5g>~70-!qwmv?nZ*9>OJ+>w2K^t?n
zU$)64*|00Msd`bqDi0Kkr3o^O8q}w^G@tGYy&G0=v@(<E^whCP(bolatE0rfio20j
z#*1kktJtm>L}I1bkmi!L;mT%rNrlP+t+iUtIV&=I;?9-x9cGu!Kt5*LG5TTd)Rrx5
zJv$1VDVSkKEW_M%^N%|sf^N-w#>%gmI<k$KFKY+V_C(S+_qUIhnt1qF9j2EhW4%mO
zV!t=jAy|%oIy!LL>Em6S>}fxr{t(+TG4+#mf);BV4wiGJGbCvu#za(OhCg#8T|b>^
ze6X-5epAV0zK68Z>5kfj9W9xjR2E~Wn|kyxeCI}<GnHBHuSkA!i_2#ITRAbo^H%fX
z5rdd<;t|4$=jfbxh<+9iI~q5g;OpuBw2+bdael?gXyJEpf=7}cT3bv|nTcsS*9V`;
z>xE_?;i2$2jMl$ax+d*;w=J#W!|;QMsN}NvG^ydE;#oFdQyr=woI9?&HikLcJGwY@
zEsK<2*{$6g@`W!pgeV9eHgDvTqTNQ-traPslvH_}e8i?$s_2=17Nz?Bi=$D4hlQRn
z_>{Z#>CrORwuoHgHhXt*ts9jaUQmv(J<Nv}6g#{MOFl0QES2a#uBs}T2w`3G3C9oT
z9d=JOJxegqPgUd?rmR}unbz^ZgKhIi<me9X!wCP<7}q{V3Z)gNqcbubTUg(<8ikg!
zS5)S^T=Lb^)-AIh?~4>*(ma6_@<-((AMQ9zai&Ji=aIr__<(Mgq2z(8CVJXSjI7#Q
zVk_E8gev5b<vgd78tJ%By4iTTYigR{cH6?e2H`Zbs7QW2EAvMsAb;~#^U6gG&rExW
zLEOV+PPwS%pWgpfuZydFF?|k-nI*U9O$v=SJ$&oSJosve`6}g6cUs*tgr~cL6rz3e
z)8hwyJB$xcWJhj%S!$b{@1p(8LLXtLP07f@&J&ZvSA^|*ijKQ>{&qrJc{nC%Z?T@<
z_~p2oV<S2fuGNFjNuH@mVRh`QIy(AmW8btG9J(2^=b`T|s;MEtimqw9U3h)!z}kN$
zJ^Fd+k-;RmA4mit0qWkT@QHmR<sV?v%gMd!rmnd+-}dtNw+>G2Knq9vuzY%Cy)ny<
zxVWy$I=@3YL!}mKq_Og~+S<JK{+<<<<iiseNmm8kBkCejweIyjw#j0>KHZ}!A*Lgh
zH0up3JFfJ`?JkbVRup*Ov@d`t{ooe*@U4<emF>4uCxj~w(8DScduP5e&MXyi`}()1
z<H;cC+h#MzWrACx{vg=-`H^OJe#EUt5ngjDL;NRHwhGMxGvRA!mUB>j?6_WGRWcVV
ziQe@LbWRoa5=HB9=n(~$6M95K$JuXFMk+qo$h<>Au_;UC+`00;z*F#PlA<TWyQz`8
zo*kKDh|s=LSu}Lj=+Ns2H3lz~8?jPC+dsV{A~MlRw$~4q3zi7V6;F>mw*NFukr?p_
zgAMZa+c>s8@`=9pG-}K7>u<6T{twK7i4`xj5?Yw^bv{0Iuxbuu3Jb4w7RyzxyWJ=1
z*~}(&|2D&6jEiUI+oqL}zjFA<%E)d#nO?K(FQVo;Zc(Yb3xi%|-|<5d-5Eb<{F3}8
zLzW1C)Kf;C=GNS;<)o>aCTZ@(Lmr*023@G7>W-ui34LtbYg%-5BU#(t>ap-dr4rfs
z{%W||YU0Pb&dmkF>EgGFWQL&MRLuyKU?FNTiOl>R>?gC6;GNk?@D}bNf|n;Tbn56i
zo4-9b_p4BUU%8k}TdD(I?^#jBbo8G1wxptDH5sRiI$NX9>Fzw+Z8juI+NVMKS+as8
zF8j*I^7xH#FTdvc5*L|cT=`#f^N2i@H<cw&Wwnh+KH4JEug#xuKK2RfZr}YEwZcg!
z@2<Um!b3ky=?<9-nL@^7-%4+R70LBq#Mwg)xl%Y!nLT@Tic?Uu1TRxu&k0OxKl^t^
zQ~c+tMTp~6Wg|Y=nvgMZThX@|j-a`V<B|*A%Gg@pk>y@|{i2%xZfS*m5lz*zYPXx8
zx_gh<OvpNk_rB_u$$RpN5#Ax%BZV5bYxpppd%kjjXi_WI$JMeXK3>MUrl4AEdysMJ
ztFHb8i_p=1D}yvq2A6j~RNdVh<y@UeuIixeHuK4@)4)k(cJKZEOd0M#y6X2YBfqut
zT_D8}DNY;(xCh5#0{NRcj8M&DqR6}b`9f@8d)FEbGsX&U@d<xri{i5Cs;0D7dk-Gn
z;Lf%NDG8T5v3a-L_8MyRNU-D&IN#H93hCL>z#?sCE}ylzekI)QA4i7HuycG+UFfww
z?yb_v<WxV_1N$^Obq7OvS2w_q&+ECZpj4&ZA0&2ys_t3u<;O-tHE#l{8dZa&mn#Y#
zfzO!BJ*d@*)Cr^>Pt&$e#)wu3#}2|?F$yWx-NcEfp9nnH&d#ACddTY^arFMV2PyjK
z@gN>(^ZVBGVh37RT{3x`r}U{(MYdwVq%BH4?UIn~1rF02&)J(pcJqkr;&gH!i9hHf
z9lm8>d0DPyZjiWS>bv&z;qtu8Crvn{v)0Y*)bE-gG`Zl^u#(UV$hlJ7kq|P*cz8Ox
zxkBpDfZ9#9bTv0M6E!(CUNsW6!8Ijo(%1N@xT|bd;Z%99{75-lIYil1dA%~T;-EsV
z!YKtu1qFo>`C54&*{!mCvQ)AYQoT~ya1v|<OTeR&FD28(W5mtG#l+vQZeATB>LQ93
z9TzDQNfR*;S|daz)GByJFicQakU_9eAW+~b?>642y#ICz0ssI2000000000000000
z0000000000000000N{U)@7HPuL98$q=?7yGU31rJuKf8rr-h*e3-9(=5agk$YxIYk
zh<?43`!Aba>}sjbMCLMzvmDShalb1Hd+Wzbsn2<n*K>O)UwZWB-j(gQbY7g1cKfWP
zP#ogdElF|dnvtzkrvl|!o!v57j|cR5J~^ATBlPlbwWqR;dFT4}=7f|`7d*A`DohF_
zb=v@G9hk@>_lKAmV*Jx?r9|&?9W)zBE>0|Ye5)j^e_$O^)kFN%Qo%`ZZ~`oezt&S2
z7R2&@zYj+IdrSsyaR1@!J{e}72@p}j6yHiwhy}4BL@<F1wh*Ix1BkX8<dUoOsjHM`
z1oLeh%H0^qRqIU8#~x^ym-#$u;`B6s1KSE|Wvq`&Aw$7lTgeHG`^`*$28pfbP7ECJ
zJX}H3@8INf>2{zk)a@Fsbv%A5n-o(&D%WNy<D1KqUsu~E+7G>w&+jAedk7=jwP-24
z7{_H|l=ZjlvYz_gM+4z>_;(7yUp~qTLBDMpQkc00?C)Af{cW$15G4PXwaDL&1V2^=
zh*0{<%w@6!16WYYj^p_?No6TjNCKVuKJl!E7;zJiFmB>GHaGFmFO(<IlJ3CzH9=*$
zaW9L`CwC@>I=DkpS+8XfLr0w7Z>ZvV62D1_`A$Bv7fpGLFIs#gQ>QGntj2XE$@qp9
z=OV_a^%+aU`{USRnwn&quSa~Y4D@&-`ankV{Be@f@kFV3HwB3_3eCcTjj#MS`EqeG
zz|Wm-n?x3z-_`BN|8Zn<#wzjc=5W$FktPAD=Vk|M@bk$Y*ll)5xY-0ZD`2?^1=Rd=
zSCA9o=ZWKnME27kPSL9iV03mh`KRBx5HblzQ=QGaEfeSb(1vGaYj(3zE;ZLfX_XS)
z0ab*Dy5spsF+oalRia_{?UAM<CNJ$w%`YC2w(l`-4rWLW$cpsU&JJB4S$|=(0ZCs^
zSi^aNHCb(O?L2&^hL0D$vZj|N6Oi2YFg&I-=n-A!CW5Iv2!csLcvG+~h>0Mapt4Bz
z3hFPDcz$*H(rb~6ba$a`=zp>e?SC$QXjvIBi#jK#OfSCZB2V-ipFrKbcl+~JyiKS2
zq|%{QV6;u;#C?zcVqf!VWwNC7=m;kMI*yi0M5tG-+6oo2Mj<4}J2JcdnDR`$z0{6<
zVtIdjinN*Uqm4?<p?sd>%w@rwbwd;r$8F2qM)$PT7?U|l6u#LmDJ*gOY*^g}c2P5^
zLe6X3&;Z^!uCVj$cyP|)fw{08zkIO&_>C8uHFnJ#1a=K2$f&1WY|Zd%$uBKreiyLz
z;%JbtOWM$pXVmL&L|YhM9XtAE_vd?8U7dKQw^-_~OCjH>A<Dh3^>&M5^Vqty7Z(hy
z*1U9}5jjTEU7^ZjbYDVmk6h~HONTpywgSqu3eUG}qO`J>CaFM9BT3Jo$gi^SVnri`
zLM|8+h#XoZIB5QGLLiuB#xaXzv!Irl%=2r&#Gh*jIAnn{xNwHXBH3`x2$^#R_404&
z{nZo8NrPF`63=pkNG3ea#d5!L4Wt;l0bSpCej6jR?_0kKgTX-Q0@|Vx(yPxOw;cI!
z>p@cHR>fSZM_1IoHf+xe!>W^c$`F$%^dG#Zjk%@q`2Aa{Rz=-+E(~|6Ix0HrQlt30
z5uDi?rU5VGoQ<d2`g+xLM2~iS<iDiwsFC-{I&{d1_qz0TdH;UgP{x<u&p}05H<eo-
zX?Gd7KmHWIGO@$fZ<9?|TrJf;v7OFwEd{K$IT{y~sm1~xyz($PQ!H56BhHN!e${1B
zKba<wbI)8Of%Q0Y?M|Cpxs1)tV_War-J`5GidT)j?Mc-W>=u%I*NCJ=E`v0LOJ8+!
zj*dKsvHvK2xMi%>n1$5AU$S}-1T%y1E}&fyy!9<Y0%w6mB3V$&59OJ0fz<NLkU#hA
zy9;=6J;Wk8aV`j(a{=WNmsN`<J}fT@W>Ftpm`IxZpiuacm*Rk@VV0eTnh@GfZxuJm
z6K<}J>tH&GsIYfp98@-~IUez)j)_+rQu(`{t~ij>oO+!)+9WkTQnWvOUzumf*a>(2
z@v}y|#W|-<tvU<&QY^mqpk$fPxL#n&aOYbU8+iQg&<iOdu`|AzCCt~Z_8du5*SRv*
zTVqA=c087a>x+MUF=aKeyU{oK1(vQ^(lLuS{H8&yE$hUDu|OBZl4t17<8w87%|%p#
zx0k>na(<t?KC2IWZv1$hzDvz^)oHHU6MCCPytnqz8>;3FqXlHU4%=9xX)4zn2OX$s
z9yqu<W<$fPrd5*--p!pPJsj^>aHuw$2b{@p_V4Cn?_bql#=w|*{fD3)1i`?d@AnLU
znaLGFjN%>^bBdx^{=6#v<GhMf)Y2k<77a_d8II)Ek2O@(Ycd~y?0jFu)0slD<fg2+
z_@UKtvLbwjWba`?uf*h**3`7xD*?u;2L0slC+*0TOQLCXH&DT^Wz?iri-g$`<*3o;
zKSv!bVBU6vi^DI@JmT8!oq9WZG6&QoX*SY)&i&fIa%Y71unS*N=Y_)jB#vFr)F)4e
z*Zeo`9X4XyFC&RPA0sJnEH~JajYpHYl5Z%dY<-mlC(nbJh*m81_@&O(^6DvxN|F_)
z?i$2xbu>h~mF?`?=ddmHRyX%l^YK0Af-O6Cv|4det7BY(xS!PQI)*TDHO^mY{`lBM
ziiUnl?R#6^ToXrkxSLq;k(vpG)H6VD*bIjvKO_a%El8Td?e^bJmMiAdcD~&~OmJh=
z5)*vpXETM_=qMSS_D;@ek9@IAn_pVu_HyI4#W-XBpW#t<9&RqUNqD!bn~&>K!lOQ9
zrL`W6Bck?pD|_%7!Ik5`!gPNt|M5dTNQv=SY;dPfq<xdVYoN3J-KnzUPYQ<4Pt|k;
z^zaMC?2mr*Quus_h)!>CeDt{_ud#Hin<v*YW=zCVZq9K?se8g|CA8J7*4s;i30WI{
zceh4XG*&DL9$?HzT~W%(xXa0-zth;PlW=&{+yMSd;Zd4jdV``IlHD)azHjh$&@Fzd
zJVl&We&SK}oz$22!xA$h^Q{h4VpDxz)1DprAo(T4ztXQu7JCR?bwHD3J1e)UPz*Aa
zFMCXBq^6>3bn=YJ>7iS?O1cjQ*&R%--Q3E0x~fNt`j8dt7o=9$Ykv)~_MZ5rY@=8%
z^UHRWI?;jaVt*JdgwxFug)$!>^<x8&2m~#;jl~0`2&n1L0a65tkU#ct-iZrRcV>FM
z<ZK_*l0$&z{mG2`Ot44>oIeBS{7JI>yJUa$;!;w57Byha<mmcxJ9L7ax4-gz4Xtw<
z9NoyD`Muxo&4<}beJ-q{AfDD%XS?rPwbg2OTRMXICN!)XGhP+fD^Af};M`xjqp<Cj
z(vvTHRArhxyNj+UW^8%%g|5<t-dj_D%bGi59=nVKWuA}4(^!gKiPm!q*qKp}y>NnQ
z&3Q`0oh~QGb`kmf`)lna(Orsk#6CBRa*G0wVnmKjdAYxKpT^3wvc+g}zh$pgpk$CM
zl$z?OYG&86Sf{@^|MP~JEf(v2`1VDcUh}*hL2YJ-rqe!aYPEy$zzIDMFW#}6>oQN&
z*}v!gXm|cnaOLArIlDYfp>WZfLllgCAKB}MY16Gn-wg=sJg#)$;ZB^-TtX1cc$!b0
zSeW2RFm?yElu)G^|L`wmL*)D!m2V*fzsXF2xFF~c2`#AQrL)ZRk#q4Dk>4^nzB`O!
zHcXcU=P<W9hy5J>{a5#)Gol$_I(!WU{!7d{jEC3a>vkGM|300`i=x62*Gg63{5vOj
z4ws9|2Pf4(vB-EWFL^en(*NAE;r?fw#L-_Q?q0X*I6O@MvBr&}Mfvz8WpX9APahd3
z>)P9P<{}KLJ+`xuuP!SUk?Xt=sy_UFy=H$V*4?Kv#M@Q{V|c+SA^a#wdCWt;>nDz+
zbPldYu-~6L{XY<+;aN0#5#h8`)>L0O{w!l@^C6qdZ{Hv4BncJo^D3#Hr03mY`#2fZ
z(;clpxk4^uAlm*T+rGj+#Z4Qr2N+zt%0uha8#oIlwCfrn>U4(#pE9kjrK3{B9BEG#
z5D_CU<!!#Q!erMeolME~sM01<D&Me&0e9R&wwI>(Jmgf0N=##((dz8p!s$$NR%Q@R
z4!^Y*176)fRm?bzU=iv!s+bWj^KV{55_p4|?b#QL;z0f;*kgWD_!h}9W5PeAJD~n_
zHj5OWY%|ju>$lbj4xYd-zy8~Qm;nF)00000000000000000000000000000000000
f000000000000000000000000000000!1VtCRqn<g
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
@@ -35,16 +35,17 @@ const BadCertHost sBadCertHosts[] =
   { "untrusted.example.com", "localhostAndExampleCom" },
   { "untrustedissuer.example.com", "untrustedissuer" },
   { "mismatch-expired.example.com", "mismatch-expired" },
   { "mismatch-untrusted.example.com", "mismatch-untrusted" },
   { "untrusted-expired.example.com", "untrusted-expired" },
   { "md5signature-expired.example.com", "md5signature-expired" },
   { "mismatch-untrusted-expired.example.com", "mismatch-untrusted-expired" },
   { "inadequatekeyusage.example.com", "inadequatekeyusage" },
+  { "selfsigned-inadequateEKU.example.com", "selfsigned-inadequateEKU" },
   { nullptr, nullptr }
 };
 
 int32_t
 DoSNISocketConfig(PRFileDesc *aFd, const SECItem *aSrvNameArr,
                   uint32_t aSrvNameArrSize, void *aArg)
 {
   const BadCertHost *host = GetHostForSNI(aSrvNameArr, aSrvNameArrSize,
index 7e6f9654dabd2a6220f7cecccda64a707059f9cc..26982feb98235d870402b6be7f3e4f9e4ba5989b
GIT binary patch
literal 527
zc$_n6V&XPvVk}v}%*4pV#K>sC%f_kI=F#?@mywZ`mBB#BP{4qXjX9KsS(rT}wYWsV
z+0j5woY&CAz{t?p$k@oh*eFVz*94hsAY~|FAO_LH57y(Fm!g}RSCUy$Y0x+y*#<^d
z2Ij_I27|^<rp88w>zOVVQZwZx+5C1dF<gDLX&u+KPi@^660`hR)ThZD<ms_I<0&3#
zVR?DE&9Y_tpViDWn9sKD#;0sPrr2BE|Aad|HXh#gep6`c%QMG=?pj}LGE$HD`j&+y
z+-+uhV53>1UhP`l#XS@2=kssVW}Ow}Zhk&kHuzF`-^rW3{?m59TG`CR%*epFIMX2A
zKpE(ISwR*V1F0s?oc!d(oQ(Y9k|tg)z0``t+=84`z2y8{10yyLZ8l&au`@EVs2Qjj
zD8cv!jBR2WB_#z``ucFqRu%>p2Koj(AcKV&8UM2|88D!QH8U^>rXRZNHub9bX0OjT
zGZL@Vh_!c|%F$kHeeU2ht>P=vMyC%7cctbQKYVjpgrUm1<BLeoV?UFp(JOyx#d+oT
z&dJ_d`(ovhN+y;gKbylIaPAXcuBp;{Q`GCqwY35J+2^>1FDPJrU-VGwT`r%|x$Zgd
Y)jwY>i`uryljBa=vF{zzt#+CM01jffQvd(}
--- a/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
+++ b/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
@@ -140,10 +140,11 @@ make_EE untrustedissuer 'CN=Test End-ent
 
 make_EE mismatch-expired 'CN=Mismatch-Expired Test End-entity' testCA "doesntmatch.example.com" "-w -400"
 make_EE mismatch-untrusted 'CN=Mismatch-Untrusted Test End-entity' otherCA "doesntmatch.example.com"
 make_EE untrusted-expired 'CN=Untrusted-Expired Test End-entity' otherCA "untrusted-expired.example.com" "-w -400"
 make_EE mismatch-untrusted-expired 'CN=Mismatch-Untrusted-Expired Test End-entity' otherCA "doesntmatch.example.com" "-w -400"
 NSS_ALLOW_WEAK_SIGNATURE_ALG=1 make_EE md5signature-expired 'CN=Test MD5Signature-Expired End-entity' testCA "md5signature-expired.example.com" "-Z MD5" "-w -400"
 
 make_EE inadequatekeyusage 'CN=Inadequate Key Usage Test End-entity' testCA "inadequatekeyusage.example.com" "--keyUsage crlSigning"
+make_EE selfsigned-inadequateEKU 'CN=Self-signed Inadequate EKU Test End-entity' unused "selfsigned-inadequateEKU.example.com" "--keyUsage keyEncipherment,dataEncipherment --extKeyUsage serverAuth" "-x"
 
 cleanup
index 6793d58fa6a354fe7a401c4fa9dd6f85d82975fb..f99e2f218956c4f7c6d119930a51903582f10e0e
GIT binary patch
literal 49152
zc%1CqWo#tfmM&;BGrP)VC^IuNvt4Gk%goHo%*@POW@ct)W@hGl`gUnFAbpyVy6>4Q
z<s)q=BY#9jO8F}G%B5I95a_x<KtLcsKwz^#KuG_32?PfO1Pt__3kd383-s>+<lprl
z$6)_j*#Gf<qLt?!(0>B?yFh{d7lQ)+U;T*y0000000000000000RMY|0P;Z`g_D3w
zfJTGXhLD2Lh5-3j&5r;|2Kog60Pq(m5HJv(A4nA)83ZgvkXX<YJTM$MFen{17}|xi
z6DP(*JoO^^TxPz9K<6XI<r@evFqj{Rk4;!14>}nv+S<U|_cGD7d@(-~q-F2~`sKcS
z5ALreT8-JKqNc1ljZpc$7)YqmOWvJF4JZAv4SJS=Mti$J-eaAVq6;IgBD*>Pw(`A<
zMVRxqHZeb6R8jXl>{yKwYM{2WtvarCq|rIUJtzvatAxqJLqmbWp0TEUXlZkoZHsvb
z*eHbj2P4&H)yxbGLbe5!qB1S-{#3#J?ov?Tnp2xy=%hn76k5L*PrK)eAW>x~(-}nk
z%FJ-ZDy&t@7llh0<RaO1YGIR3gz1q8QmLNTxKJ8RCYEBK@Uz{ON8^DFkArz5j4fhK
z<2<j)7`oR0OgtH8j_=w%=#aK<g|n?Ozh^Y>(9QL>=ufj1Oe?lQil}*40(KwzMDC*k
zT1hx%=RO1U>cYc#P_rZ>U`8`m@@zR)P>oT0g0o!Z;tGdJE#-?UqDKs1*c+)uw}SHe
zp@74rFx=wejp%mV`|{w0rQt{uQcDqjzf%kJzo-d3j&RUT&PME$$Skdua(Gy~v1Y3Z
zc*uwv>+h?1Gqe}yrmD%VtM_$(kLMY}ci7(LBkv=X4%ljqPOh1;qsJRgWsoN@$#o?N
z)Ex1*Be*&!$_AA&GCBA*9l~p-idhoZ@#J;Vc)iL4u6@nzEDXWVw$f~ah~R=mk>?WH
zJZ3aeaW?Qf>qe<@&J=g}j|6_ug~Ar5Zzb3rg;R3ieaTFM1|M(6&tAluCpXGFg&Up|
z;m4ak#1E*C(~YH>T%Lo(*%g{*ItJ*n@2^puwpM79NGPb~hTK=uX}9f=aKp}27;>#(
zz`NNQf&9Y-8hsMq+YaQQ@}e2p*HFVX@)j@3S%fynv)(Bhj%^gF7a=>=^lIb+K=|~r
zGX;$n>)wDvfhCc*4*B!A@|m*KX~lmae}K2*pb$Qf8DbFF@pS+JAIZDluQjM2U~}M`
zk$9mq5SnQWhJ57KfhrNHAQG!&vS(fbwSO8Hg7Jo5%FpPC8JBYTgW8y`Wfwy+4Pt|1
zCB<`cCKdY%U@6c!2EGAO14s=ZHUEXF>3k~+e-4+z8YG=H5cltUO!bN?`J0-j3fj$V
z{5~>i#?cdJhbqW=%iL-RZ&jYQi!&iJiK5R#HPd%V(S`@y@C{A*oG^(=EB?qzxC7f_
zSiH2ummKi?Aa)^DL-$GJY4p&mQz2}=Qdfm7x=~;RIqDWMcZR}gWUY;r={{4?rEGN2
z5ckC|Nxs9S)qA#!Uth7EKej{O>mfv_y4hn@8G-~-1*GPsZCw02(lXCm?11}?RT44g
zB3n`ArPrrrDSALlHW$%4VyMZjFz_C})$#@sb{9%B#?6{LHeNDUGA-H$A(3|qZBOup
zLrnrz0%e$(v<^-Bd~|Z77H>LYdsV9}>P_9UCc`+y7b+{4&c>x0uhvB2tJ#Rqz9OVE
zDT0wJw5@Ci$ab(nfD-AM256EVHx~FPkmqtaj&Q}1m<FNv9*r^Mm)-KOJ7_I4fS0-N
zp@w~CUc01zw@N&UhD0RP2|2tP-*NJ!mX>uDm#ibD0!bZ^y-`&GWv<wdU62<{q#<4W
ze7utkiiD6jTl_Fmx+^CBG)t(-H^I`12qi*==~Z%Cej1}SG2;X0e<t)qhe5dfLn1F$
z+-VWGw^PIe(jRcSO{M#VZLNfzxXl*3ope@%P*MfHy`1~Au6fU)K~%hW@ra%;h)gPA
z;`He9iOEf@2DIjnpzf6njcnG7rf~(_6~_Si2nKUY-4pO9lgu7wc-vLcg%6qh4RSOU
zqL=KyF0((c824PF1jcLUirstmyTx_hA32+9)zY^-CwwW679?Nxt$;|)K0*))OQ{w{
z?L0LXjE4`sliW5Wye$SnV$dONA6wB3)1aISP(97{47(F#`y20fts_hZQQYHixF|$w
z-^`4UVmc8-1Ci)kn;Y7suF(Vxn?F~ERE+DSv_!01T+Yk}iIu_(@gJPi?fGol_T3G!
za-PE>B;~TsP@{4%`bJ&5e<;vjW|6KBfmV$Tn5SCF(LwGKVeDjLfA7^$NnWqE9MJlG
zDtciVsSPu#B$Gdum}RN|e#?jCym5leL4>Em$EPb<t1VMH@DHiUaVOn1A#2sm;ogj8
z@T~2eHB8g|o0?JX%?w-(zQiSjpTTG9XzLK|Kf0I+v^mZvJ^5%%J2Kvt`UNt+5!2NU
zXL;2}ESI71z+El*2^ihkAOtFg!NNr}Co4T<Eg*uC2_e#hGk7^m*(buL6iyJYc|S-Y
zEV7NzOFHJH&pfho)1d{4Q`16@e@2cZD8-wdK&<pD(>k|4oBUKB_nS~Ho_4iTap0Nc
zpgb&?vi&?3JGD(|&1U>U=x8Ar1oIYd$EvDwXsRnXzs^^RnxT%WdI9JEQqd_58<q$#
zS8*f6(?y3<;*rQZxNQdFU{$lA)i!)D|0PyX;4)>WZYUN^*<Ya$LtT?XR7i7obojGQ
zHytJ^Tr#AXo|^`XwlzC_3OvJ_;%V{)p+gd{(7&Q1RKJ(V(V(RHVbH_kj7h`ETbqNv
zg|3iIYw|3IKmPU|T{+13g&Wb`_kNc*%B$qTL}i|DoR2c%OfNtZF5T{MQ7Idmm`PGY
z83ufkgGk#M_SNpR|4HnI*V_BS0tEBQkUj=eYV0_RYJ9vM1c3_YF{Mp)3dlkh!IR`Q
z8I$iDD{NP{XgK<P!_4&d%%th<se3_Ij`*sM{oo8A#ar-uf^NIQhgwginRw_m_V~{k
zG+ay;Ug0;YgK)Lgw|bMB`Bt}*GJ-_R`%x8aWLt=a2_TpQk)ax2rc>qAq1|BlL}@JZ
zW$1UcN8o(3Sn$&gKTSv&xo_X0wL3y}?T9ZmrPO!w9)u)lBDlqYmsNcqy+#;^$Pc6R
z3_-}cY7b`|e4(~pIyZj!{E~;8&6}Ofd{BuC59g#siie*e?Z;}(I6eKt<+T__>Fu!=
zmJSQ6Z>vt_lxzoLQn1rWj8~~J3lW}Pt=Q;!^+cS?H;%^{uawDNM2@?-<S(bEGZ*zF
z>p8xTS?XG<@(y)tg`m#YSjSBO6z7NNsTg@Fhw@wdYd2^(xIU(@5G?yMHiF`$ev&GZ
z`h(gUsxN_3B(_(T-4jBWeLBaoShPmkhL)|bUPM5|q8zqxKfb7oFbs#e0AvY6?eQib
z=KoUvZ-SG70%QGW{r~U&X957=|3CiW?qcdG@EM>l^P)eOL=}Vxnenmty7%|)(&0EN
zh~n!n5R`8V|I<*mj*BC9w%p0cjaXzU(attH^WmNX_(ouzNXRfI5la_+Qi}&Xy^jEm
zkI_49(tjSPm()jOCY+<v9iN|%dBi|^-@{Hd*j7#8s2Hz9O#Fh(;mJ;(kuVN}AOh{;
zgUxx;*D9o=9Vg43>TKw(BuyTT!s82aAR*>^RWFO(JKuf?m=jwM*mc18G5L&4hghWu
zt854Jbx#}SQ{RrdPnOedG7=u+yjoB~jku<vyd^VVbcJy2lyQoWj*zRV8#`(;G4DAt
z8X3z}l4y|jH$HOuR_nYy&hKRBW?OTZuw%;`KO*hEPw?cssT~CSQCf?yDgJQ=GjKv3
zW-2J>;c>u^dAzC8-JH5%>`X#;a!?A=d-&Oe&GTKP>WZMlWyBfk<(L~vU{)6z%7mPt
zPr-@CQsgn=^z)=BzvGerB66q%hK2YEEq5Y;<IEZDH*Vr3E=$$`CzC_$;qoQ|WY9yS
z#drLmS0y5R0=?&P<t)wDD1kJ>FNdygKRs=SB!UDs>Jb%}gyOopji2B7ij}*5jIHs5
z3;I+&^&yMYs-NPjNh*#V`wt2je8MYWgWYq0=2_9Xva1heeYCR7Aj%8hhWXj!#B26G
zzJG3o?oiNb)I$>5Z}W@VLB~I?sVMAiTyqI}Y4Ej14XXy1Yyw$c;$X7>oZ_AQab-&g
z;h;Rdlg>@G#gX()yh{(~sV|PH>tfy}t`p@}h*oZ3`jH_4L3o9^+d38vtJ)oOOw5Ls
z)(9?f-<@^L`i3S(#wkP{S15hnxW?k~u8J<u9-5S!BJV8FvfN3q$c-D81eII^s3cWn
zAb@uJ3B5<nsi|g&g)TL7v-danBeWR}b&F*<UbSm~FB7dyL*=ESeR~yDa>??1V>@3n
zB!9N!9j)`xBvX!}TP{DFrx09vGnNJr%3ZQr!lyo*D=N)UrK8xi0HY()lNpJ;XcQRh
zT?RQi6iD)WBE|uWmc*=Q;oivU&Xl;$G@t%&-AbUQVC|}h1)KbTNR8%l!7`bOO>b{3
z$I6ppev<twOz_{-;7KhaYe^JC^Qy`!^Sox?lb*!$yf<^o+i94Xpbh{2ae}mGUjFP$
zkTd0bs@%PjPO2!|(hDEo4vFSh`rTEw0oOS$`)l9qPamha3lM)yhQ)>B5~LfQBUW<D
zw9=n_p-N6!c;C?pE7`M(4@g?-uCAN$`cvSn4zcv}DYu~Bo%1WnH<B~4R8MMV(wLXf
z$F%{V@@*f*4L0LqO$vi+Z$y7(N1$>f|67tLhC7(rvr_9FQS3j~UfZ&Luw<!Qf6Q#{
zOhJl~O+p~I8{{0v18Ig%J7srssI7iueZLil7<q$tl${jTWVfaj!(D3x27<3~&rgP~
zWkW~lFFAXP|CwLv3gf4$KBeIpo#?1I6Ym{io$1e<l$y(+{)<EJ-0}?<;rcQgcwj~`
z`|F?^cw?+%w05$T_;I3`Usr#;CUTcV#q(XW{$zOaSxXWt?mdqn4IA{L=~xzXB(;Mw
z1-!Y9_P4um2tisu@Gzd+g1fA>Gd<GK1q{~r=glj{FO85{1l1+)lIEGtFqJ=yoR4X-
zzX#aW!f7IMpQg!jz!g0m&57{^`6M@RVZ>?Nx_xi|^~*--U;Ig{hSy9l?dvxV#R7jD
z15$n)t>}(?ih1Mm?6&0~;0B6%d+0jb6Nko|f|^Yb@GAI~^;DAtzFqUt*C)_==yBDd
z`U9r!vHyl9lnBM?JPnq&f{7_=54pM;R)~)bv|6rbOBZSh#x%ixLCnyFL>KrYS9{5G
zWzg(6@|M`azARaxPA8BbCd@DDR1<9hieWViE`wKyQ`9P(TE|vvbdvfMsHMO1Saw*{
zXhWr8B6=NX4AQuq*ti+*3cF&iET>U<<zW?^$SPvBoD|~Ct|$)w*vbRusvW3JyhH&V
z)8*XtP5#n@u^y@M9<p|AX(9ZkdpxD^7kefAYz^<nv}$#*A0L!G6F3Chk^hL8VK@KM
z^*O^LyX1u>>M;CP@6KdKB+(u)ZYjUI`*ysA^5^>D0j~r_%+?)I72E90&t*aSfV68#
zl*#IUNDZ9Ok((<Lm@6OTD(SuVujkdmij}{qVPRY*2{~vu+H|<5M5zelRl28am0QAp
zzp*?bD+sIL!x(8VW}}Ve6eWGlskn@Qxs!u4|8*_|bo3g&nDic+Pz(A>AQf!6(O=f7
zr+PD$;W*)a*mabxJ1SVOr0PV~YbN1#YwWQI=i#g*{-Qs*D5uO8$!2{0NVqJ15s8pn
zCX|hGKPzbTy2$6GRajyn*1?uylc1FJ1#kIev;QaNJ!yh$7rCxC8@1|@o$j^%dVSNV
ztuM&<GHJsn_5Nx)Tcd1Pmm-g+W`p^nx`Z*lmYdjwm2vJtcF<nAP!BpX%<T}%6NtGj
zIU-6THgW3SLZ=ut)tPc60HN~ya1NQPtId0&saC(02qi{?X%BSTH|$1EUhsNw#@y8*
zR5Sn^h=8A}4rL>waR($;q6a0Qa5QDu=8>;0nwL8zdl0+zb?BQ|Q8NARW=T4h!u+=c
z@0n4gacY6fElmyU3_*m$H;>TAj0r#TzEAPQMN&oPO*}`9HJG$Q4z(S}KDbOvRn7#{
z6tFh|n$VzP8tg-D__acsvV8BC)SkQ#Ep1iK0lF}7d&b4Od1e!*Ad5uCAs;h^W=y_~
zOTi`F9d1*?5{F}ORS-@o$4ha9d>o+TxM|YpAnR&f<&|lU(8X#J@>ytX2a#rfwe>Q{
z`Q8J9CbEE5Pf-3il3i8;7cz&B?^QOZtE;-aC2iOGYAJH3xS?C0=KF%SaNcRRG>d=Q
zcz}G^BHhM~1GgQHJ*O$rnP}<8gXiV=V1z1p<7Z;Bb><Om_Bgg?1~+KZ;;E+~(e%!6
zb##yCc`FFXF&0;Swi5^}l#6;=S0sNT&Y7fLfKoqmayOI6nOgvr5?wD82wZiBfZ)r;
zDYDDVX}>I4jFH=0z|gjIGE-9rQpGcq6DmSo(~&qNr!FjJ<c!w1D|5>qLDM~mMWk0z
z<RG_$`kpZHGEk8R8-bPcqSUQ{`qyJBwB!A7jn@usGS`$*+b=xhr9~7+e6IXBLemU&
zytO23+$n3QOZlO-%J-ffGV~9r8Axl&S<OxD&9VH%gE&{II^@2?`J0-ZPSFZ9Bb++?
zvV3_?4BHY&5?GgO8wh#=cWANohV$C*;n|p)udQQ)1&f*5%<C<afmB%$Jj*@xJ3eRv
zSQO&G=}PBh=TzX52eP&i2IEH~UMO`5kiR30oQBw;2^_XWjSl0F-LR>3Ao|XqMf!G;
zmN-~MCb;0)7I(#Dk`I3ySDtC$u>a!N@?b(veI-t-a#&D0H>K#`EDMOXB?2K`i2vq3
z2lZ3^&dhwkHnvlS%(o0x3#I8bu9Ao`>C})$0`-vDV6^(2`vI*1WZ;H=N98=!36%Ey
z-t~rcW<k@iXqf;c?A_TkFb>VjN*@NsI0l%2(PsrizRALk-kp<SQxz(oX~<hEE!IMx
zz9Z6BA49Z16<lqV2n;l|%RsI9Cl@@gC80TT1CNd}*W#md%j|lZg#`i5z;#7RiDk5d
zoRDkn+ZBGzL`syBQQl>m!M0l9;QaB*{<{)L#GHMFmBH`nbPC2uxn+L&bzsb(7(To@
z?MWHsY;y?%F^q}#0D0thJAv1#w+Jn1ej@#&b^?V9S<9v6oK5QL0h8X#r7f}mg_`Bc
zS<?tqL-ms;$9Bs>3qmBZZ&-W3iI!Z4Jc_KIB@f&dT@HPIe`E#AAY~x)w+3BB6C<=(
zRSuP9^LC7|6?~ZzCcYwMy=3*9#;I=G#T#r))p>po=WoegaGm@knQ&t->Xll2ns<v~
z|25;SQ1JoM_R9<8Ek%M)o5lM{A)nQ)J_g2S1{8A^;nzn(EH|ZJC@EC(y@NjSVJ}#4
z;LBwapW58id@cj=)$i{oB^6R9Y1@p645s*WK>DIUtQf|tp_e{lEgZyc$|X<96g8pq
z{(lmq2x*_q8_E!YkGv$_D=5f9n_9W(>iW|N!n&wgeN(2EbqY>cY4gha+=^Cjk5+NP
zqh4u-+jO_WZc*-rtYH>7ld3qOIjkS<P~Rsv*EK7F<p=Flv7o6sTFF^<%7XZAuZ4t<
z3jJ)H`vM#dxC|A`%o0OlAiAO_2;0)a(|0bZfN{n?vp@dbja2{u000000000000000
zfd6(N|Fi$!4L1t+@4gZM0000000000004mhxBj93U(}*_xr1vgJv2V+hRV0Fc3dM)
z`?vpZDzC8YH&x}u0q)U$tq<&OLrohw-c`k6gAzpf@=(t+n0vGGo0!4j?m38FvG<hM
zcuN46G4qrTjfLv+QdyAN_`cWr50!;w^A6^>82Z8%28srOD&5W2x5b+g$!|AlnT`~2
z#v;mJNHhgl0T(V21*0t(Ptsedor9QaOc5sJc(2)NPq!6ZgPB8o8z`an`ST8eO&q72
z+JcP~7psga*ABJ@sm<0)55FdN<<=N{B9g}x6^Q17I!d5H3IoWDWo+4AkNrpER4yM<
zM{sBU#7|mK>BHR$BNRxd+6z@#*?A#wBABF>AV%gpqDE@mD%h&3oNA=$b%xl7V;g4%
z!(3omWX)r9V+PSVxm3fa%KfrJ;sGtuz4T}*Td@J{U@-qYUm(nnKO5<g3lr7~P#1xg
z^*Z<zkfmZUq?8I9!WMyx_e6v}TQ?`(=8{DZ``QotsVP<tgdu>7T}XlgnqrA-kW37Y
zMqNm(4s61GR7u-YPc+WG)mi3~4&g0jEe7>U*bD1D4o$Ihvq~T`0q$=^j{_u6S79eI
zx5*#8tvV>|&1S@8xn?HjfD~PjO7E%Uoo<FDFDS|MaKWkb<zJr4%UEgN`A3?I5C5n$
z#AI9MO}nJ+djN*vA8jRF+cwwhq^i%-{@JblKXhB+J6@m^2w7_(y#&sK1rVr6sN$zm
z?vZO*Rg!P^p{dwaKw>>qp83@+b|}t>$n3adnkIa=86l&pgZ^3Sse2$@kHR7d#qqet
z@O>nwMMZqZt6M_a-|3^IIv`{a^4Vwy`ZV)Wt638;8zf;ZQ*O}QGV9l}`kX+V26bo~
z(au5OC%^d=kA<_H7&k70Ma=m-Ms0f}${Ni<e>6z{ctQNaP_E6gP1dn#7Ca|(8?sGQ
zMOWfJv}H8N^OsxRj#|gJ_OYE2YL=LN$sFg<V7%Nt^{5W^st&DmUoI=pJ3O1+YIN~l
zCrM`VNG~8QDu^PCRmB+Oj{(^QmEpmg4l-i(0tp>@6I2Yr0ee>bRKn;1se=G|K-@vp
zMJ$J-gmZ+}hjxVCfu)2-hNgu6cjp-Z00000007|M?jH&a(5FauNV2%IRot+J`@Nq;
zsmWlNe+!I_Be}|W8Vj|uNue-#d7W)FhM2m4I1{W**d7vFFV_t)PY?rzT|?K%X4c;`
z!EbQJ9};>?l^ZZ>-b|{-b+O&7{mF!uy%-F;5+!jjUf0RnuxETFeEp@e&V9+lCo1Xh
zK2}4wbR8vH9NQ{rNU4T;{g6SWtU8q5;G(ySx=6Cq?+-4tYyWbs0KKpWYd@|!!fWET
z!F76`Sl8_#=O$j;V{RL+^&*EWiCsm?T1fEhe<>u$JGnr8ms{ti^sGTh&!rcLDqS)M
zBz-~$)sk0~d=UCjgA(_-`*SDJZ)p$fKH2jHTTBCnN3K79E9n?Y?N0RM<Fj9%F{FAy
z37()cSO8+j8XKNN_$JG9ai(+76bZ#K6@w4kH`ST1)^9}0;B#of=Jlbg2)?C1#ARLL
z*HN%5it!ipw#Zn4ykDyQfUg)g62U7!Xui%e0>YU1gQKRPbW-|``W>ISnSVocil}(}
zT)E5#mZbf!pMGoQ*9-&KK8W87OCsCMb8v@%iGn+^D(}CB%O-tSsSP=|x%;{oNVjMv
z^#b2dX;D%zEh}wzP*BAV`UV^bf#7^=O17sL>CQ{XThjW+*$ynj6X@63brlyE2(v|n
zHzQkNM#JgO8|$2-Xy!N~b~)5EFTbpA6w=^{VB9krWy6B}IGqZI<oh}TM?n0&$lWy#
z+>n02Sec6&?53e1Tj*pS8XErrZQ+O>vz`F5!jX4ktc$6{K|En7kgEmnx}P^nBmgJ)
z{bqra1nF)bv06LaU*A^luo1)(Xiw7>m?-|KgDrf{ZWg|jIn>C`s;Y1C$u{RTk3dy~
zfadwVc9^^yH^0Z}cfKhR^-Z`7!$Uz56Xsf<VatL~*%%DOawBwZHmpNIta_b>?H@II
z`3vE)ZJ%460QHj3-Gj*U4ytqNMMC<2eM_9LpdK7+y}0H{F)y<Ap9Jwe7&BD$g-+j@
zax6f)EQi}IZ@@d4IO&q%;$ayWLa?%1P!pU4q8F($EH~$@*~)Ue(@d}FBx1dOPc2Yb
z4)-F@KU9)16r6g=bCGF3Dibyla!&HDfpZ+VKLlR*GH|!h&-=dEta|@LYL1Bf!9Zo{
z*cM^G&EWtS<JG{Smi|r6S;GTs*kkiK1(}jH0llHxX@%|6kb$4Fbn{WZG*Q4Cn1fZ8
zXW0FKo8FoQH{(IpkqMcT4kxy~Vh-!64IHP^BRgm);*!I!+Qrl9@VM8v%SVZqj5Ay%
z|1i5{&?~Clv2sVRM?2F{T;=Bt-U4#qJ5kR}MZ6v5?YMH*?XlUWM2gdaSFqu_Fgx>A
zvgh@wx4`k{tcwJat^BNc^UN~0badwNOMyAm5Y+rs5yA;50kxKtmEtX07q2d{T0EVY
zS`sqH`4HDj`}hvKu*6RP(reEI^|EC_^HyZEC&rynD=T<kbA01<nBuTR>C-2|m-Ka}
z$X5ua-3Fi+wjK@mTs0n<?VKtB&&8KJXWupx*f-8q?R~hguK}G|r`kqro=h;qcapWR
zP$-a)T{3H{piHVfg6SkJy36_}c&nfuvCz1mB#hSIk?~NQ;c&||72VeLb!05OrzTcB
zmH!;d)4>rWheYwKKQK2)z8;bhk7o&-@*ESP6vRlKvvh&}_<7r(J6}vU4xj(LL@ASb
zgOzyO;eUsm?_pAQlwkGE9hja7;m?w32#1$k=v_SZ6WM8Sa%wnH@28){b-;yE`tOj5
z!8$u*`+MMdHtaX|b|dLo`oPE$_Sm;+#|pJrM*dd6fgEblmpi=dlF?jYDgT9wk0KK5
zxJw$}8s%1Sm9@_n90m?vq<xOlmv#617fEiTFi_@BcvsWjEge-cXbQ32xU*dhL7p-a
zgH3|NEN0I31_;OSrX&&<o=aN84lrHX)9NJ``k-hiaMrCUiuVM|K*x1bx$bu@{K0}=
zG2<m>)a41t*9xL2=Y5`h*|Ah)vO5bz0=Q%<!MUc$fLwu|6H9pqPwMYl-sv<?w#koJ
z%q^LtciZ`5U(Uo9?rfUVn3MU1L8MfNt14$;Id=3vzV&yMK{}}N!JhGb$H&cZXPoEO
z`bj>{;1*Kk85rYu2`Mh-@0nMRFy?DFlXc;R|18<sxdbzb3e!6f3KH45RX7%)F)&Mr
z8cT*Sh#eT?7PjZ;VdquN?Oh~k=W$Y(zh-P<t*2{2ZLe$L0QP@8{~rXM0R11&{{!a#
z0Ra5p{lm@Ymq{2dC5}_6pxL&NVKT9VegG}s-<!`Ot<l1QqC0G3TA^`r*T4*6?&%CR
z)Jn08Zch9&GlIknF1_j#<wAIdGQIMUw52}W1Iy9tcgkMB!FzYKlUxZwLXUar`f0Iw
z@ax`oW-_d-LOeH2-U#w*cfFB`tzNf}*ulzh2bQA4^hpuJKL6jYIhXhQ$tj50b1j?q
zlVtKILqg~Sv1Ut5O+Ow+Hyh??&g<3b!Q|M?e#Hd7RE3*6heHz9xou}sn<{`;3LjsF
z5*t{5x{J@Lm8hAIY2bgjJmQNFwwPk=c4#}qDlFih*PK^tQ$4yef|?Yv#lo`^(MU={
zJE>=wBJch*`9)~g1c^dMi57UY2~4C*<d4_!J{!Q-gdQUaBnNJ}lOsgklj-@RNBgE1
zJgM%Mt)U(^D00ZbSc<4)+z^|4yjqnMC-zuc(zq{}FB*Cez4x+zqig|4k$)m`UuSJ~
z|68AaZm2_McK7D9ca}I?CZ7VRvm$n3tn*GHSon_Gue8D9x<8v-CZGhf4}PB+y?lfh
z-{!JBI9g6*Z<?HDm*a=3f}n3na(;m}>Z^~d=6F}dRo3?8)Uw-_pxsLuyXYau5MLaH
zC~obA@`H>H>!EMqv%q$sVRziIt2fR~B}((D&6{Rtrz0-0kT2f!*?2=*A5}-yj&2GW
zpFOp)+=eX*uSSGip;b)UJ64f-45gP2Xl!1RvE^`ya{CZZ?YtdJ2w_jHUKhhwbq4@v
z#eH9d@S#Uc%NcQ7dUXR!ngAnKi^6nHQ;Fql?tM4F*uQYdrPSU{vTWg|+H&>%L-!fi
zc*A^M8CxS>64quMYUg8;_zD$pjlLNFtINS8+4o7?h@BhepbH$wY4#MZAt37YtuQ%9
zqU~~(RVJu3oB+lyj9#v(l_zIy&j5*iBE%m!GPNTihv7Dcx>)}s!(?#0C`nQv8Z*i<
zsyRpii@~*{+nk@ZVM8>4jU-Ha29E(r0e(*;f;A<juLt^GznP(NRjwG0&%5F=@-mEc
z8P&PV`cMW5b98~c318!)Lcki{`X5q5^`qatgjGt(inz03XX_iDWOV(--_#hYmT$_t
z?hkn<Ba}<gf};*BQ0}(`U^q66SlFXEC1{b>N<jpd8(h@raB(P6)cAjGvMb@6Oi}(R
ztz-JOxkKbAx+u$C?yJ4ZX>`@YsJgUh#5SiC7>mBwXw#on=^#<kBD;~{1|oDG!G!tS
z>@e=^k$QhK60Gd!E9S2JhCJ>ZwP5!pZ;(s8rOz=A`9iY@8fl;B!>fBAG{0s1q&h^Y
zG#Z2ks$$bI+fe^U&ZbNdtk0gVz=E|jEWU)aoR_V@Kt*{`blIYf!8RZKFHw>wpBo*U
zKm>{>HM79qsmZP83M};!ELZQ!T9Brru8M1*zODjo7z4e~<EY0f;im1i3FK3a8$wSj
zvl>l7xLsVrGxNseavzH%l_uLrS7<6_s+7+K+Fm9^yIPy_mpoU`<L?b%-0Hb?x<z=T
z5`3JZa1t6ayd*MeHPsMEOi-FOp|loO9N=qWM9y%)x@e^V<~Jd`&vg@RS+_cya!sXW
zF-b&&x}Bj9Qj<d%Npucuqc|p&`lFKzaYSa;JWoB*Nu~w(R(9ph!O7U%FAX##yyMf(
zXV0r*eP2#ur}m<5Ioe2awv<{^e5;N*q4l@O92@u5kDRadJuips5=uv_Sxhevoz>n`
zAYkA>ix({fc2<rU7r{eyQf1-Va;q&vA<C)sD1Bw9>lGDZDSlA+x5_G_!seGS&3}3b
zvOOz2(zU_v>r=KrZA+bNHAbCIHIrAX&{#asayv8VBFZZfgJ(IW5L~t36^=!@At4Mw
z@#Um6KY5C{HK;@RnjU5iLYeE1srguY#|7k1XAF=$h(X$7i`zC0X?s~%m2&8eyf6$D
z9mu^GLCBk!jQk2)G8JO`mWqcBA=6esUq0Yh1+#b?6wZc~CId#Agwq2T!9FgIsm8`W
zSIkvZ)OF~QMVAfHxO{7l0HU=T{)rkYR@2vbRjU+uGCm}~!8zl{K&tw10S2Zbl4>mH
z%i>GpSxKEA5$m0e*hmSUCNIi5rSL;x);VfqB~mu2?X=V%(8&aJG69{;|F50Qe@G2_
zm44xqhs!>cAyN-LG{535Po~!2)D&LD{!qBfE0xgeA9x*yD7fJlHqj>h$>h@J_$AOi
zka`|GTcAzqc6MWO>>Tt*6k#I92;-B3s}0lYQQ!e)Zq#z%tn<)QpBF8pJrE>s*u3qd
z7gh(I`}B}+VkPk-)>ofEX%515z0?nh%rRg5iV}D)c!0do$4vJM;qk`(S@2V`(lXRA
znIS+xk@nf^WGg@V%&+)d&7{8@1knR;BoIk*`4)ErYq9ie81knD>a!o-BI?9DHTX*Z
zeAigu$58dq%Y7jnJGL{~XA*f@V`|Yp;~y!}paFl8lPY>KzqqE$8e|DG+ST@xXBil0
z8xozCp@0cRwW015gscb2j3O5@Rr@YiP-~4oPkyw(jM#qIeFEOIcE+sfD)$5DSt5)m
zI_Y$sdd!6Ep65hH39cVGM5qXf`vJT?HJLwEJ(iNMf`uSV0*J`_S*IqpP4)k@csJA?
zIbwv2*XP!}ORHRg-#qK(Qe)Rvld*XBP`rqP_9hz>zE-r9t;(Xv*H>lN2X$JRM!tOZ
zFKPm}Gsn!z-WSf)?(yZIbw+S<$`6w(m4h;qtZp<1vn)+xz3Q7)!lx+-iOEp$caiiA
zR43a^<Lm7z(>62m3XiQZV;WX~hC90o%WTq(L5X>Gn}?!=wlaWxDv8QDAR!V~e^kDi
zE4P3!&>hnA*?E&eBtclfO0t?qXiAssWp|a>dIxELvW-OdrM61zoR3?n@_qGa%P9v4
zw_fxa@E!#PH+!yLm08%|h4tnXU57DajR6Z$bsSr|YqV~1cd=WO$j153`OfMfwVD@d
zH^vpaZ@dfJB*}UAYGb0Kw5~#mT3CuZ3jT&F?(XgJkL6|<h|pLVbU(3$9l(egp;ky~
zOyy-VtC08=RV1mIx2JJM0eQ#|`Apjj5noz!*OeencR(a8)MCjLi&ytiSq)~#Db<k(
zU%Y-#J1a|mBu12261NOGd^ol-N|us2EYOx_Cl}1o4`m6(R`7m^=12^iI`vA86Qqcj
zj+>>idYpwzLecX7od5stuCxFE0002~_xBHbvIIrb<^8xG8lv!V=BAA~kOk-Np1*st
z+Q|ANC%h>x6}`L(nrd|{;7m_p{0dY8MieLU#%|JL7I7AYYlBk6E^i>9P`v_c|4U&@
z&u7+^bG19D5bO_KD_KRv>(?Z*mkP60fkr5{+uzD#uO2gWS|@o9Kp=uCceF4vnqdqZ
z6eJzLwBl9#HdRI@z3f+(!VqhTEd9uq)pBCjcw)$$yKEi&8l2V|qUakS;|v6?=7$@M
z341AMhxCQAFO^I|$j`OwUZeP-4e*ien+494jN{3o6$B#>Mjg@p5JqMgcTKBxUxH(P
zJKEU!m5li&^>5jY{_YJVn1?Y6?er@)fpsbJ`O)orW{UcaqiJT%wBB7OV|U94-zJ+I
z{4AkQN@8qDl!598b=i1|T=jZK4d?_S2znLluBm+OhZ!`Pk5x|=I{7QGeKQcB{33pJ
zT$5LRE8Q>y2<+~_cA1T=NwWWQimRL7wcXe;+SU-8i@SoLwtnrIGx6Yawh}SHYF`~4
zeI_pl*2TCn<_+Iz0F0!3pl8@lzX+Gjb<k_HQ%=RrR1Opg38=s)SR>~qdz|7~g#L)$
z3D8;GkrwTu5DiD2U^Er<_e)W(hzb`A{v7O&m~_^36E-(%@eSP_QcAj#d_Abfo1z?C
z?U#bv@mK$oPPX1r{1CtQkb<`r)HD*zVT2jG63Lxl+DNOgA1YRTuj`w^0;35J9laq~
z)hBLkWx;c7<-w4XVV&PqZD9NNwPFhk6`A(`tiY(_8${Kqm%lwD^p~R$ZFX?Or^E<{
z*6P96YcJ-gL+z6*k46l^qcfRIF<gLqo(E3qm6DxQPJtVn$UYf9r%aZKtD4wJLQCE$
z0%rzi<A=2<r*C7YblWj>j+A%EBs5kKM4dW&NLF8XSHqs?!#{9s@zyITaHWme9W}dX
ze{n*k<VS^K5KaDAr~(5$UKC^NWmXD+NZKmgbH%7ucXZ&5eZaa-`h=V(ywm3z3aleY
z!tC&smJDD|elh5>ezaW}Qid|6X*gA-C8O!d3!W6kq0j*8WpPlrI{Syz(E4CLB|)(q
zH6=TIwIhJAsUs~;|4ogj`S!^gA#`IgoI8b4{n};JByY+h`C^TUd02GX!O+|k(x;GE
zhhQO!iQlATxziS^1f272Cl!vtppUN}cspWo@zgQ)&?CW=QV~n+Od07jI2?Wgi9%@i
zw+$dHVp=v#T$U4BQAdQZZeq~wN3IW#$ICoyEh$N+_>+sLAC=BWiNEHgqjYU3zfnvx
z>k2a;yv~0*v}c24+h1%+ROo6NoF&ptU2Ye|L>s4H!u{k)Qi&$J{<xnKWBLW!O#6pb
za|Ut!kC9dv*%GGuKBOvicWMthP}n3KL)VOVmOIUqgkAnEhf(6hYM6jRtz(~gQ&c)}
zN8uS^iLv?_?i4kU-jDBkF-?PGOM1WkQ0i`fYth|2Pe0+gZKYaB2^*V)4}LSUJe2Gc
zk&1u8fs6?!PNsH^_deL%RbOC(zRykGS)n_b#+UF>Zv=L!#xqfwsVYGPmu{rRf_%q*
z!XxuzcpVrn4eWZ>rnyOL(B%RDp(~=&jA76<j8UgW01WZOow2jEsEyVI;#e8^s7FNr
zPmgcg%H`19A9+-AyC&_XJ?6oJ>t}|kC2(&vpAKR^B9mZ*G-k_1X+FuO-D0YBRyh{c
z6I@WX%Cnn_o??F7raOmS)zY4OC(A|8KaEU~){GQ1qi1trInH=)dO5SpoLsMgAkzY)
zXDLqb>*p{ArUHM`U3)^5@<Z^z4SVMBnN?kc;?qOSb>=B7R!HzY9Zf=aR*1W_)3hh<
zZbq>1eySyU(1oINT<7j?U}eb(@#|H4XG0<E@2<4{^f0H@-tCm!nStXVabgN{g+QQy
z4;9B4FOP*b64O=Dd@FrE^`-t4L63Tq#dLqc1cG7_vEiq#t-$dk{K_01MRbWwpmd78
zbn41axE5P3NpyCZWr7`neR1pzUd{qe=Zy{hQAux1wRZ|cx_d^yqjBj3b1S7A4{U5+
z`oT7`Qs{?ZlEQTnJ$>v}WbX{zv<Iw5N*hg?64pyzJxEGD$n?&sz_yRmgV)2d1qm2e
zO!)*j$bU!;&hp&YvDmW3$(>M#RHgKACC`f9-_-aQL@&?Rr)1PEiTWU&ommK<RobMp
zf-1V_(%3W1L7v>29AJkriR0d4`+R#q>{hm4H;d2;;q<Ugu@hG)q%`-ryJwC`R<cW5
zBX`mNsU1c-mBk;$y{#GV)5vGLQ8u7$4=ZvTTh^t)Fczdx2kCFGLL*g7RVz*3Q9s%<
zAgvJ<Owku_2kLR?=TnD6(vP9rip1kc<p-o0#hmq19Jcd!k;PUpXOu*n7ZTGN;cc<-
z$n3AroD>1D71cAu&!3X=--ciqqW6b6$n>i`)(5D6Unn?&!h4hmic!W9KK`i_cKPkB
zO>y|`P$I6eqSkd;OR^H>qeu5%^*AC`5T`Q_NH_4!$O9vuw<|`egY&cWKFrz40{tZ*
zsC@pOiuHUry7ZX;US06l!Hgj}P@$l4+si%9g(R$aK=(7FT6Y^YU#?GGVjcmAh_?A)
zh4%_5&5vr+B+93Z2X4uyf!Rer=5R$heaB(Uj7PiON02FdqpIl$Ibo66=lCU=oj?l=
zV&oUAj){bc17O^64cZ0fT$*w$*7j^1)L%uw*>jbj$!Dhsg+HPTr~1Q#g!u5iKhU4X
zLP^ju7PN0FY;eu{VrWHW=z$57NNS7KI$Rm$8F~-79rORVNv+F&j~S_`J6|RCrr?rn
zKb|PXEocr!<Y!s9WPlsB$?j5+-^L6m-}td;y#b#>d+`UqffHKTE8@-9KgOfK{TQSC
zTCj7|_dd}RtfUStZ+P5-zaJ7)9O+qo_Bj2AbL49Hi+@G)0nYd<y8Na&Vx|_ls~``@
z_mK+dm1bC2hG2uzPvGD9x0d3;MZV0sNg@<aXMcju;J~$fNU`#l(wcCTW!!Q&ZZ0V`
zQa7vLNnhqB&RsAskFPLm;bLr%Bs+lZZP*xqH>FpS{9U$`!`@0G#J5`wQtK?mR(0fn
zjl|&4v2X~Y%LyC(4p->on@V~T*SkUtQ=FP*WM2Nn55?X~yjcxiu0gEwGWbat4{U86
zjmDiW$Om>t+fKM>!GB(n^zMEcX#whg00000fd6{`uqV^{ifXTA^Koe#Xx5e;jn7KO
zF~0x1CyVquq!-Z?xt`Fu<|tF{dq=V*&J21I2t_m-nRx+G>kJ^&;tVu~s9cXW$-&9c
znL5uFvor8pkQF4|175h8@xm^n?0|JU77Z2$3*0>d;-jUSr#*D9X^FNN0Y<tzdlMOQ
z;Zfa`ARqS*9+3i{4}5VfgyT(#aH03EFsx%@9mYWZ;9zSh&idS_PyUWduzQmMr6-=G
z)gakUuh$dSG<Pvkf}g{s<`5U2yzqic=2mq*JRI_Jy=AyMYa;iB1SEx8qa{Ww(KKCy
z{pTAr#zh_T{a{zBL&_3Mn0sh7!B9#Yp8@H7{a`rFw+plgS_0fO-j*tq)PA2d-0WWP
z^C}0F>IOp=jFVQLg^8z!oNgMp=%u~(Sc5EuzQh90wnJ8Ory2tVsb8re#t@E=I<BFP
zzALluU>FZF_Nn)>?UTyvC*{?B?Mn+rI^?DsXd?}Xs<>FrmC>}>oGj8w27cf__O-IU
zt`F|bmB)3t@>%ZTu$%iv1=ATrD|6U4r7xF=7@1wfSvWHTo=bpj=ddVTIk3opTI@}=
zGr>}z;gYuG3n@cXP+{S7n#Yr}BqRNKv=l0>thG7wm(Gnp7FZcl=#=og7h^In71!HU
z95df9gyVL9c9%E^p~+1OQsUGFXnF=X0soS-0vfDf`RQ+OwWmELKKA&e)9l0R^Fur-
z_OXO1S);Jkt&g&taE?X)`arM3TfIPd&ScfYkRA`3dU@Sy|CyBXhkqHmxK71ycCd&!
zI5l!-{g^9tkhc(f!|icy_w(P&8v-H)zG@^QGoyUwBxC)A&DQG5D)MzXWQ&7yJ|@b)
zyiT_QbDMl+6;|&H@YE+NAIYWE5qe|#->$as12V9i3c!KFEv`ie2$mD1I57L`Ko02P
zVhN+D?+Yb5f;xt*&>&t!VT(ea5aiHXLyqFVN6*bM&9{X<_j%ZzQj9avmLx&6z9cgw
zShLaOzz8?giyym5x!~cV(yf{Gs6^D4XziI2-Q7zUe4|#?rb`hdpCe{i)A0YNN#-kO
z*O|<~7q@reaiZHQnzi&jZ1#UsL&~r_3Iwr)DwXuFUHCU86sTxKT#eik{@V3L^L6cg
z{kcmcm#~d-<JUhZd&E0Hea}8OU<+mQ^L!s%ukK(>R<ISmN1IiDj9jCB;Ajz~@(cdp
zSg<yIJ*;mGd7ajB=ODy6AgH-)X&vBW%6VEL0%p~L;-}xX9m_r(r`qo93G*4hi+>R-
zka|EKZ}ruC+bSK8*ghmAQ_~T1j!h{P;1e$w3)uSk1kH9YM^K5;4&{tr{a!xvHV#3-
zQ@W;Wgq4u63_9v=l-tE@YVQ0%R@B*C76_K0XsC_b_-BdFC&y_{ZndsuY~2?V9Q^X@
zIb8#@?HK6XRf$<eAeJ_d5MkQ2{4Vme9P)Z?yVke80v3dxqGt^5OMGK9F0nWJiRgHp
z=d+XxxWr-=RpNX2sV6~!-2pNNdH_FJ%|ki2<EtM;L2JQN*Y^2QMwq;};06?{>)EKN
z6MwT;(%PlT_<<t=AqH=A^Zn5Jc<#@T^S6Z$RG>C2vn?tSH*LCuEA%z6=|<<likk9+
z6())CCzn&x4s8wh_KzqK+(!6U-VX<19iKm{tbc|(`nae-Gu-sI^gH{;E4VAz1=t3s
zSqhFN7p7qv`+Z`*!N2GxU$aV|-92L+J?j}1QAtI?!~qvhzUKbu@B&j2bYg%}D|Qi~
zXYzFF7v4xOW|z(4#QLHE%Uam^k*4E76;^E~m$A1yHG@jrfoSb3DRvQ<0N+$+_943z
zPcT859w>b{>UWddG(ANzmdBdBy_eeLY`?hQs@!<4F3>+DxA&8YmopeV3;Ld)+z25w
z0Mv2c<XK&s0;qe4YSh2rv&#`)mOOI;%tHJo=*wZ+c)%TF$cz4_IA_s69t^?Jx?}tV
z7_Zz7R^5A%C@F9sgytpA&v(Z;!gx;3%EQ8V__HHvx&Er;b7;$bpNKTtJ8E{DtYnK^
z;=nf{swl<bDPOlUQvki-Ee=k)+$4Q+8C#e1m&T~013w1HXvnZRe{qx_WeVLHdL3vD
zM|r_8E`gk;vc}Foq~^Ecm$R!aEqB6j@Wwz8*D8w(N8;bqFpSJJ5~6E=lgvbq%;RfQ
zEMhz4)1%wTuAZ?|$0Fomf391#82$VnX#B{FKW=aS-fM|B>fixSAcpxxGmZZVnp%|F
zMKCL2*=>~7!r1b2Du-uL87jub0p$u3HeT9ZQ?8N10S<R4w7V62=O)rFM>&RtuH5ci
z;Owf5r98Bz5}P@mw<BFBDq%y8U?(=Fmm2wpHS)pG1`kFWV>1GKM?Nb^x7&`a;yg*s
z`<#6-{;-t2T6^^!hfcqZE~W_o5o6?SfSZpcxID<lXLzZ{37CmWnOpBrT@SnG*20uD
z96}$$@+J|K!#Enb`Y!vb(<M8|F9^zMxKS1#>LRIE!N$)mspcGmllKU@B8+Q+KjyF+
zzL(N9zzd+HcljU2Lwd3l?Z?t%;10^nQb?SgXq;GnN(vEyw@M5tr@dPp-GZ!?Xu2mM
z!a_DqUQRkkZ%bKstYS6z+p&AN9KJ4UfuwDdlFhgqd}nEA-0A%|e44%Cd5}-=x-nM9
zLHz`C4@Ng|o*2cED)TE+gh7Z}e0m&`F9IgGuCXF9tT>3zaCugRi;Xz9(+6|AoHU4y
zz$9*B=+t$aDJrUZL;J&|w{Y}ai=<G?zHrzo>b9CMo#{IiYJVQfwcv4oE_nMSWOpr;
z;3FksqabyhqJHx=MJbf3YB`NFyCZcUJkHS^*zy>C)UdWd!1&GS^`816vq8q!Uer<j
zL4fiRx`z>rl${nkvqD(W_|Bq*b4QUb=n*uAzK|{jx{<vAg>D{M7Mayp<-BuL>}kq(
zLmq!P<{ECQj0x^~Br@0#9R@znRE09Yf?c0#isOqo_Z@1<<r@e4&3+2i%e=U;83r#S
zM9R?nqfnO-eIkpa8|N6mNRg<iHT0_MwYMXop%X$;@K${Sl7WP(%Q-I<@9@HwFX0=%
z?o7dP^A!6hav837t6IbQF~{<&EjQDg{a#}Ydx7liD{`MDileZcEKmQFotCl()7n!4
z;%~~DC>d*a&4MYvvNQ~y5;#Ro%giS&FlPv$7sO}8Q^ZC@7DOL7D>xs(96$g700000
z00000fd3}{bwf4CCSb$7zZbBM9fWb(;E7q(?ib^AeoQ%pmV*yxNz~2I+Slk8ebw4=
zz~iC^CTo^Y=goQnUsE1ZzJ7J*)RgVdeKFtSc&`>OqqB0Q%lC!CFMao1b<OAA4A12a
zfQ4?ZFe3U64Q0gw-#NH@3+_r@Folz3LnhDV%}oILLoYw(&U9&by}v#{6yXTC$Fzbm
zk)S4<ljujUu?!>?7jjxVSWZtZlRy*Vam8Rikmr|dJEaA)<gd9eG29xN?d6CT4|vP1
z)o)fR)v!H_+Blb>Z_7NJo-6m?i}!+nGj{dZz$2w8e(!n?L`D?qo13|E>|fB)1GVA-
z4X@M>=(>u<E^<FKLK0av`IcgWBml>Ak6e~tjx78RG=2j=pyk(&bm6`^CH9ibszLnR
zJwnFP?8b;zRYJ`j(4+2tOV%i5)Ai>J@3<vC{q|!jeO~FBCS#7{(?ciq=dEfIIb%}t
zHJV=Rg17m!m`t|OX_aO7fZei^IzRK=1!;MdDAF;+{OB_^6l_G0+MH(#?r>B}N(b}B
zP8CF}>FHuL*~&r{{Xl87Dt)K0G~r>a3RIEhBUz_e8p+<!9CKe1&8@-w9u4qZy%|o|
z5Ef3p%3W}^SSq_^-&%pdcZb6@)C}j~<RE!;DY$TX)eutSi0=W*iUpkHTHB;Oz7on?
zG|^IOxbd-g_{HCLO<|>olwbT!vgsMFI!O@<(5KuETuiH$qdyRFE+BegJrovC=QUP^
zP?AeZ5@oAO1blf<EKAB_e^I{=r#{4Ux8KuWd9Y)-150@w)Od=sM|Q_Ua>`*V`czKg
zHV@alL9{K3@Rz-%yx*`j-2H^{u~#fMvg0MCH<I~=53!7oCoV{bOcNP=LHPq-f3e&y
zq180Gb~=M-cLmm`d_JQMAxb49A%fy4#H+(T;3>^U?j=vjoErB_U3aH}FkR<kACwt0
z*QyMoz=rT!oJZ2|)dm9?Wv)wM3uaU8es~U_M9tH|kS-`1Fat9=N(I!X1kPnUTV%K+
z?6Xg-0nq<BLREJ<#LPmqz7An`fjn86!8W?~_RiLJ2Gsf{hWh59%7%9Krq)(~{yzW!
z006*$J;2lqz|;)D)C|DX48YV3z|@R?<J62}a%{Qt#vjyX+b*}G=QJYZdp+KNQ=?-9
zlG~R?E5?(WZyx)mHER*hBedv7lDH!q018``o!=wTzZos8ngKmQ80rObA|I1!+g$1U
z$)H03qg|il@tn};m0LdHOAz4U6Rhm#(!YEzyxXM)k2gWM9snYg%6C7=#Vt_y+F&0R
zq#T-xMd;6238%|T2Apu6Rn!b;Yf%%tjl=2}37Kfe1>I7S*Syw+c=8J;N0Pp&<OD@h
zAq$bgXKP_Rv}0E)vX#a6N~*VNm~5>P79)rD@PD*-r~gba0075FBsV!C3W;(vOTv_E
zm>fAGwGa=>O{SPRp3pIkhA>x-jFn@wXT}_1lp{A;QO=m=Y83PEym?+f@1M_S-~ZzG
z>Zj{2@*;_+ayR%>AGA#79;wYooh%Rf!IWckQIww@e2PFBj5KEle$}*HxdyHejlA%7
zRm!DB53KJXdf%v=!mFU9|2ZbvZu?w{d3N{!3-Gl;z1gkaAZN%xh$g9!>nnlEO>js$
zEtU98Br1_{908@iy~{eUNBN0TmCpjwQ92jgG`r7iKycbchszRA-ZT?285>l-Y*Fdw
z68Dz52s+V+*LBLtSWwRu?V<XqnvOH;CZfNjQC7FUeY`=AR&zF>&bvS?%Vt@mbFa+u
zSXZJYQ_}m^ZYwg#7UJSnN&WeSuBuXo%e$$)U`1U+cW3Ti@5cOfpz_`n5%7{F0Ji1(
zPGUta(e>)9<>9cUq*7JVDpd&w(sDs2s;9Wzpiohn@~<#e`+2T(Mm%=1qU{v+q!xF+
zIU#~4L<M1DQ(HGtn(xlWX`uc>`Y+q~`l*UQAG3P|+uoaFORJ!#gN_RZMNT{@#xw@$
z4enyv+v~h|-|PXl<AN0DhHSF*l+jLEen{s<>|tJh&ke&NqQGQ#xkpG~8Z&d>XXVMJ
z4p7)iom@MtBFEiS;61V_x>puHiifTw{W{Bd?N3EkABNPv`%S<u&CHpa-IVG;Xt86B
zy&7A(X`?SE0wR^{l4idQ0kuQAu(j=B(XM6-+A<BR!5<)j$qSA{GWs`fU&PxFO6tzU
zW**Zk_rKfUO^UM2{9#m>R}dqc7;iRfx0ZTFb4Yix(jiPx2rQO>(!dFSq%YP@x~=yx
zkhEbiN}u!p<KW=n;Nalk;Nal+|M`#p_oDY#r^L+5?awV)DqWu4I(;iL`QQHEDfEay
zH@o|1eJ@4f96(IvDoS(0$TVAqd*A?V%o7m+31oMrT!O~gC5(5K)vgjx2iB{=*p{Ew
ztV?<X$9HtWdY<!??CPuOk2j21eU%eHB$8i>kXLLfd*Vo^02u<Z1xKsE;&H%}GS?9+
z3joXVnFK3f$((^-QB;6Ku9o%-T8qiZSRj#kF?&aOtk8r>s8KArgUC8a|Gj>`V#M*>
zg1^XKM_q|+d@*EM$Z0n=0T)J1sDbl#<cL0XPNCX+;`sZsG|QUU9Y>U_mJxrRZyoiZ
zEm;UKivv(%yOUe^g>OjwQ%?d-R~)@BDckypJ4<%7h7V*drsxgVnDKf)-Wtv*5<!E~
zG16$^crkm?STp!gck3gCJ4O%s3#4GL2x`J(#c7n1xHS{ml=-GA+I#BRelMk5<LUc9
zpnk}UTte1ixec`X(MtjHj+g2lDmYQs^Q6^S*6_;~ve*!OS~0(82Ih5P{<J60-=;-g
zZH+!vbW?R)2U>9}h$%qTV4OmQ06zss-NqwJR$X~@j8qndhJ$7US{PETpf_nXu}+hk
zJk3Wxreac!x-=h(*SY&;9V4e8NQCV<zCLyYOo(AIVl#iwmdmiB5MG5?0yYe|?a+<~
z@UMLt58Zz}7S{wb@TG599K>JUT`QUu@IBf~vo^;7zo=VY$gr)Tq9ZzwbT@Wt#hHCR
z*z4S*#(Y3WGF$q{@IzI4Xr&8sdkH^BFt)e#p6WO$cEzgpT@b>Q_(ujmU@8XO$8@->
zq~lN8Br24jAc__Gqu@*{*36h4tjTjZ{BXetHAwoYuhQ$I6z;Mm262=T-c)}Maupj6
zA8>j$n{%Q?p!5`gtQA8vj2_%=5~)D&4=P3)*NiYe5Ix$V(<S<0zl{tVlVj#}1Zv1`
ze!y8np;BlN2tT=cO=&yWeTK`Sp?#)6?iZr^!Q$&=ipbk3-zZXU9AB6<0FubY^Tz_D
fCDLPGw&!DDp=&o;d5t-g$#%-4@2eI(w1IyBXUd@=
index 357c00a748f8ba04d5aeaac0242179b20e8d2ff4..5ee98aff22e6b7000888c8b7d660f6d8a7a77841
GIT binary patch
literal 452
zc$_n6Vmx5b#HhJ|nTe5!iIrjAgk{MFylk9WZ60mkc^Mg5Ss4r@48;sY*qB3En1y-$
zOEOZ66iQNyOB9?P4dldm4NVM;42_M9jSP&9qQrSkkhyqtHqJ-3g^`tkxv`hQps|yw
zv612GvFewF+(*SGoYW1Tv2CWkN!A*#fWBqkF^e8Yzt>`a=E(j-{}9{cl^Z|rpW<oo
zRK?Y0XRgUa`OSaVu4gH-_Srj?cln(!`j`AQpL?iGT`}nf^NDAt@1D|_G53Vi?pZ~F
z?N&!PaycxP{COr)s>(g{{4ZUZwh;N*a`U2Zy_hGbrnQranUR5UG0^1(LO{363NteP
zXW=kl15!+kjA((w40Nx`3O-HN$+o7QA5+3P#1s;Ru7-RuRM;_j=GOeZ(%0T{tX=c+
z?lF}UyAGvq<3D=qSpL4RkDqoY|2ECiefr|D$@&{#MGYdgo)|IzOuO*$=h_vAU$gvi
zn^c~caD2)XlceKYj%i2KhRu2L==s$6wr_PJwXV!T8?w*ZW<TxCIX0csHp2q|TqmnQ
index 080be8ed53e6bf1cd3f248c9d67e083275088c01..533c0b5ce9e364512ed1037c1b46ee4674daa736
GIT binary patch
literal 440
zc$_n6V%%cT#3;LfnTe5!iIrjAgk{MFylk9WZ60mkc^Mg5Ss4t33<V7M*qB3En1$Ix
zQj1FzoE;71#CZ)(42%qojf{;9jE$nic}<YHSoJi{M>d&}m4Ugjm%*U1lc}+hVg11$
zt0q0W_sGsMTJ%t<?(Zt=_#JzX9lgBZT6&S9cjLo57mW0Bk4##BAipfc@rj<q=GQqV
z-LhJq_+OAPj*c^5?t5Ou;9k{a4#OpBnP-k|EpeIr#%k`&IhB$Pb&e0c-?b^}Trjx4
z!Y`kj$5x=eR(lrjxm!;+Tn~MJ{8jbQi?+4KOw5c7jElt#L=1$0u9g*MWc<&<VZa8Y
zm>3z+0)!dpUN6-jsT-a!>rCgH%3gGHLBOAWtwS1<-WiniTg*;+%sPGk4b|HoD_8Tf
zoK>pooN#*Cnc0DcKWh~kd_P=Uq1|vzYF+sC^;TaG+n64D9e$_RVZl1}lvT1(dv42I
tX~|a9jFrnO_%fwA*SN#KZvWo332SS0_2<03xA@ck^&94f%Nj3t1^`m;rilOm