From 43713b70bc9d327adbab3969337fdaba13a2e20e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matev=C5=BE=20Jekovec?= Date: Fri, 22 Nov 2024 12:23:22 +0100 Subject: [PATCH 1/3] sapphire-contract: Change bearer token type calldata -> memory --- contracts/contracts/auth/A13e.sol | 15 ++++++++------- contracts/contracts/auth/SiweAuth.sol | 16 ++++++++++++---- 2 files changed, 20 insertions(+), 11 deletions(-) diff --git a/contracts/contracts/auth/A13e.sol b/contracts/contracts/auth/A13e.sol index 0c954326..b7426799 100644 --- a/contracts/contracts/auth/A13e.sol +++ b/contracts/contracts/auth/A13e.sol @@ -7,11 +7,12 @@ import {SignatureRSV} from "../EthereumUtils.sol"; * @title Interface for authenticatable contracts * @notice This is the interface for universal authentication mechanism (e.g. * SIWE): - * 1. The user-facing app calls login() to generate the bearer token on-chain. - * 2. Any smart contract method that requires authentication accept this token - * as an argument. Then, it passes the token to authMsgSender() to verify it - * and obtain the **authenticated** user address. This address can then serve - * as a user ID for authorization. + * 1. The user-facing app calls `login()` which generates the bearer token + * on-chain. + * 2. Any smart contract method that requires authentication takes this token + * as an argument. It passes this token to `authMsgSender()` to verify it + * and obtain the **authenticated** user address. This address can then + * serve as a user ID for authorization. */ abstract contract A13e { /// A mapping of revoked bearers. Access it directly or use the checkRevokedBearer modifier. @@ -23,7 +24,7 @@ abstract contract A13e { /** * @notice Reverts if the given bearer was revoked */ - modifier checkRevokedBearer(bytes calldata bearer) { + modifier checkRevokedBearer(bytes memory bearer) { if (_revokedBearers[keccak256(bearer)]) { revert RevokedBearer(); } @@ -43,7 +44,7 @@ abstract contract A13e { /** * @notice Validate the bearer token and return authenticated msg.sender. */ - function authMsgSender(bytes calldata bearer) + function authMsgSender(bytes memory bearer) internal view virtual diff --git a/contracts/contracts/auth/SiweAuth.sol b/contracts/contracts/auth/SiweAuth.sol index 570817dd..7b3f22ad 100644 --- a/contracts/contracts/auth/SiweAuth.sol +++ b/contracts/contracts/auth/SiweAuth.sol @@ -16,7 +16,7 @@ struct Bearer { /** * @title Base contract for SIWE-based authentication * @notice Inherit this contract, if you wish to enable SIWE-based - * authentication for your contract methods that require authenticated calls. + * authentication for your contract methods that require authentication. * The smart contract needs to be bound to a domain (passed in constructor). * * #### Example @@ -24,9 +24,10 @@ struct Bearer { * ```solidity * contract MyContract is SiweAuth { * address private _owner; + * string private _message; * * modifier onlyOwner(bytes calldata bearer) { - * if (authMsgSender(bearer) != _owner) { + * if (msg.sender != _owner && authMsgSender(bearer) != _owner) { * revert("not allowed"); * } * _; @@ -37,7 +38,11 @@ struct Bearer { * } * * function getSecretMessage(bytes calldata bearer) external view onlyOwner(bearer) returns (string memory) { - * return "Very secret message"; + * return _message; + * } + * + * function setSecretMessage(string calldata message) external onlyOwner("") { + * _message = message; * } * } * ``` @@ -144,13 +149,16 @@ contract SiweAuth is A13e { return _domain; } - function authMsgSender(bytes calldata bearer) + function authMsgSender(bytes memory bearer) internal view override checkRevokedBearer(bearer) returns (address) { + if (bearer.length == 0) { + return address(0); + } bytes memory bearerEncoded = Sapphire.decrypt( _bearerEncKey, 0, From 1dad70d2c1b884b06c66280d9c326a1455822924 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Matev=C5=BE=20Jekovec?= Date: Fri, 22 Nov 2024 12:23:57 +0100 Subject: [PATCH 2/3] docs: Add SIWE tutorial --- docs/authentication.md | 449 +++++++++++++++-------- docs/diagrams/siwe-sapphire-flow.mmd | 18 + docs/diagrams/siwe-sapphire-flow.mmd.svg | 1 + docs/images/siwe-login.png | Bin 0 -> 49208 bytes docs/quickstart.mdx | 2 +- 5 files changed, 320 insertions(+), 150 deletions(-) create mode 100644 docs/diagrams/siwe-sapphire-flow.mmd create mode 100644 docs/diagrams/siwe-sapphire-flow.mmd.svg create mode 100644 docs/images/siwe-login.png diff --git a/docs/authentication.md b/docs/authentication.md index a4f61e01..f5e86dbf 100644 --- a/docs/authentication.md +++ b/docs/authentication.md @@ -2,67 +2,79 @@ description: Authenticate users with your confidential contracts --- +import Tabs from '@theme/Tabs'; +import TabItem from '@theme/TabItem'; + # View-Call Authentication -User impersonation on Ethereum and other "Transparent EVMs" isn't a problem -because **everybody** can see **all** data however the Sapphire confidential +User impersonation on Ethereum and other "transparent EVMs" isn't a problem +because **everybody** can see **all** data. However, the Sapphire confidential EVM prevents contracts from revealing confidential information to the wrong -party (account or contract) - for this reason we cannot allow arbitrary +party (account or contract)—for this reason we cannot allow arbitrary impersonation of any `msg.sender`. -In Sapphire, there are four types of contract calls: +In Sapphire, you need to consider the following types of contract calls: - 1. Contract to contract calls (also known as *internal calls*) - 2. Unauthenticted view calls (queries using `eth_call`) - 3. Authenticated view calls (signed queries) - 4. Transactions (authenticated by signature) +1. **Contract to contract calls** (also known as *internal calls*) + + `msg.sender` is set to the address corresponding to the caller function. If + a contract calls another contract in a way which could reveal sensitive + information, the calling contract must implement access control or + authentication. -Intra-contract calls always set `msg.sender` appropriately, if a contract calls -another contract in a way which could reveal sensitive information, the calling -contract must implement access control or authentication. +2. **Unauthenticted view calls** (queries using `eth_call`) -By default all `eth_call` queries used to invoke contract functions have the -`msg.sender` parameter set to `address(0x0)`. In contrast, authenticated calls are -signed by a keypair and will have the `msg.sender` parameter correctly initialized -(more on that later). Also, when a transaction is -submitted it is signed by a keypair (thus costs gas and can make state updates) -and the `msg.sender` will be set to the signing account. + `eth_call` queries used to invoke contract functions will always have the + `msg.sender` parameter set to `address(0x0)` on Sapphire. This is regardless + of any `from` overrides passed on the client side for simulating the query. + + :::note -## Sapphire Wrapper + Calldata end-to-end encryption has nothing to do with authentication. + Although the calls may be unauthenticated they can still be encrypted, and + the other way around! -The [@oasisprotocol/sapphire-paratime][sp-npm] Ethereum provider wrapper -`sapphire.wrap` function will **automatically end-to-end encrypt calldata** when -interacting with contracts on Sapphire, this is an easy way to ensure the -calldata of your dApp transactions remain confidential - although the `from`, -`to`, and `gasprice` parameters are not encrypted. + ::: -[sp-npm]: https://www.npmjs.com/package/@oasisprotocol/sapphire-paratime +3. **Authenticated view calls** (via SIWE token) -:::tip Unauthenticated calls and Encryption + Developer authenticates the view call explicitly by deriving a message + sender from the SIWE token. This token is provided as a separate parameter + to the contract function. The derived address can then be used for + authentication in place of `msg.sender`. Otherwise, such view call behaves + the same way as the unauthenticated view calls above and built-in + `msg.sender` is `address(0x0)`. This approach is most appropriate for + frontend dApps. -Although the calls may be unauthenticated, they can still be encrypted! +4. **Authenticated view calls** (via signed queries) -::: + [EIP-712] defines a format for signing view calls with the keypair of your + Ethereum account. Sapphire will validate such signatures and automatically + set the `msg.sender` parameter in your contract to the address of the + signing account. This method is mostly appropriate for backend services, + since the frontend would require user interaction each time. + +5. **Transactions** (authenticated by signature) + + When a transaction is submitted it is signed by a keypair (thus costs gas + and can make state updates) and the `msg.sender` will be set to the address of + the signing account. + +[EIP-712]: https://eips.ethereum.org/EIPS/eip-712 -However, if the Sapphire wrapper has been attached to a signer then subsequent -view calls via `eth_call` will request that the user sign them (e.g. a -MetaMask popup), these are called **signed queries** meaning `msg.sender` will be -set to the signing account and can be used for authentication or to implement -access control. This may add friction to the end-user experience and can result -in frequent pop-ups requesting they sign queries which wouldn't normally require -any interaction on Transparent EVMs. +## How Sapphire Executes Contract Calls -Let's see how Sapphire interprets different contract calls. Suppose the -following solidity code: +Let's see how Sapphire executes contract calls for each call variant presented +above. Consider the following Solidity code: ```solidity contract Example { - address owner; + address _owner; constructor () { - owner = msg.sender; + _owner = msg.sender; } - function isOwner () public view returns (bool) { - return msg.sender == owner; + function isOwner() public view returns (bool) { + return msg.sender == _owner; } } ``` @@ -70,140 +82,279 @@ contract Example { In the sample above, assuming we're calling from the same contract or account which created the contract, calling `isOwner` will return: - * `false`, for `eth_call` - * `false`, with `sapphire.wrap` but without an attached signer - * `true`, with `sapphire.wrap` and an attached signer - * `true`, if called via the contract which created it -* `true`, if called via transaction +1. `true`, if called via the contract which created it +2. `false`, for unauthenticated `eth_call` +3. `false`, since the contract has no SIWE implementation +4. `true`, for signed view call using the wrapped client ([Go][wrapped-go], + [Python][wrapped-py]) with signer attached +5. `true`, if called via transaction + +Now that we've covered basics, let's look more closely at the *authenticated +view calls*. These are crucial for building confidential smart contracts on +Sapphire. + +## Authenticated view calls + +Consider this slightly extended version of the contract above. Only the owner is +allowed to store and retrieve secret message: + +```solidity +contract MessageBox { + address private _owner; + string private _message; + + modifier onlyOwner() { + if (msg.sender != _owner) { + revert("not allowed"); + } + _; + } + constructor() { + _owner = msg.sender; + } -## Caching Signed Queries + function getSecretMessage() external view onlyOwner returns (string memory) { + return _message; + } -When using signed queries the blockchain will be queried each time, however -the Sapphire wrapper will cache signatures for signed queries with the same -parameters to avoid asking the user to sign the same thing multiple times. + function setSecretMessage(string calldata message) external onlyOwner { + _message = message; + } +} +``` -Behind the scenes the signed queries use a "leash" to specify validity conditions -so the query can only be performed within a block and account `nonce` range. -These parameters are visible in the EIP-712 popup signed by the user. Queries -with the same parameters will use the same leash. +### via SIWE token -## Daily Sign-In with EIP-712 +SIWE stands for "Sign-In with Ethereum" and is formally defined in [EIP-4361]. +The initial use case for SIWE involved using your Ethereum account as a form of +authentication for off-chain services (providing an alternative to user names +and passwords). The MetaMask wallet quickly adopted the standard and it became a +de-facto login mechanism in the Web3 world. An informative pop-up for logging +into a SIWE-enabled website looks like this: -One strategy which can be used to reduce the number of transaction signing -prompts when a user interacts with contracts via a dApp is to use -[EIP-712][eip-712] to "sign-in" once per day (or per-session), in combination -with using two wrapped providers: +![MetaMask Log-In confirmation](images/siwe-login.png) -[eip-712]: https://eips.ethereum.org/EIPS/eip-712 +After a user agrees by signing the SIWE login message above, the signature is +verified by the website backend or by a 3rd party [single sign-on] service. This +is done only once per session—during login. A successful login generates a token +that is used for the remainder of the session. - 1. Provider to perform encrypted but unauthenticated view calls - 2. Another provider to perform encrypted and authenticated transactions (or view calls) - - The user will be prompted to sign each action. +In contrast to transparent EVM chains, **Sapphire simplifies dApp design, +improves trust, and increases the usability of SIWE messages through extending +message parsing and verification to on-chain computation**. This feature (unique +to Sapphire) removes the need to develop and maintain separate dApp backend +services just for SIWE authentication. Let's take a look at an example +authentication flow: -The two-provider pattern, in conjunction with a daily EIP-712 sign-in prompt -ensures all transactions are end-to-end encrypted and the contract can -authenticate users in view calls without frequent annoying popups. +![SIWE authentication flow on Sapphire](diagrams/siwe-sapphire-flow.mmd.svg) -The code sample below uses an `authenticated` modifier to verify the sign-in: +Consider the `MessageBox` contract from [above](#authenticated-view-calls), and +let's extend it with SIWE: ```solidity -// SPDX-License-Identifier: UNLICENSED -pragma solidity ^0.8.0; +contract MessageBox is SiweAuth { + address private _owner; + string private _message; -struct SignatureRSV { - bytes32 r; - bytes32 s; - uint256 v; + modifier onlyOwner(bytes memory token) { + if (msg.sender != _owner && authMsgSender(token) != _owner) { + revert("not allowed"); + } + _; + } + + constructor(string memory domain) SiweAuth(domain) { + _owner = msg.sender; + } + + function getSecretMessage(bytes calldata token) external view onlyOwner(token) returns (string memory) { + return _message; + } + + function setSecretMessage(string calldata message) external onlyOwner(bytes("")) { + _message = message; + } } +``` -contract SignInExample { - bytes32 public constant EIP712_DOMAIN_TYPEHASH = keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"); - string public constant SIGNIN_TYPE = "SignIn(address user,uint32 time)"; - bytes32 public constant SIGNIN_TYPEHASH = keccak256(bytes(SIGNIN_TYPE)); - bytes32 public immutable DOMAIN_SEPARATOR; +We made the following changes: - constructor () { - DOMAIN_SEPARATOR = keccak256(abi.encode( - EIP712_DOMAIN_TYPEHASH, - keccak256("SignInExample.SignIn"), - keccak256("1"), - block.chainid, - address(this) - )); - } +1. In the constructor, we need to define the domain name where the dApp frontend + will be deployed. This domain is included inside the SIWE log-in message + and is verified by the user-facing wallet to make sure they are accessing the + contract from a legitimate domain. +2. The `onlyOwner` modifier is extended with an optional `bytes memory token` + parameter and is considered in the case of invalid `msg.sender` value. The + same modifier is used for authenticating both SIWE queries and the + transactions. +3. `getSecretMessage` was extended with the `bytes memory token` session token. - struct SignIn { - address user; - uint32 time; - SignatureRSV rsv; - } +On the client side, the code running inside a browser needs to make sure that +the session token for making authenticated calls is valid. If not, the browser +requests a wallet to sign a log-in message and fetch a fresh session token. + +```typescript +import {SiweMessage} from 'siwe'; + +let token = ''; + +async function getSecretMessage(): Promise { + const messageBox = await hre.ethers.getContractAt('MessageBox', '0x5FbDB2315678afecb367f032d93F642f64180aa3'); + + if (token == '') { // Stored in browser session. + const domain = await messageBox.domain(); + const siweMsg = new SiweMessage({ + domain, + address: addr, // User's selected account address. + uri: `http://${domain}`, + version: "1", + chainId: 0x5afe, // Sapphire Testnet + }).toMessage(); + const sig = Signature.from((await window.ethereum.getSigner(addr)).signMessage(siweMsg)); + token = await messageBox.login(siweMsg, sig); + } + + return messageBox.getSecretMessage(token); +} +``` - modifier authenticated(SignIn calldata auth) - { - // Must be signed within 24 hours ago. - require( auth.time > (block.timestamp - (60*60*24)) ); +:::info Example: Starter project - // Validate EIP-712 sign-in authentication. - bytes32 authdataDigest = keccak256(abi.encodePacked( - "\x19\x01", - DOMAIN_SEPARATOR, - keccak256(abi.encode( - SIGNIN_TYPEHASH, - auth.user, - auth.time - )) - )); +To see a running example of the TypeScript SIWE code including the Hardhat +tests, Node.js and the browser, check out the official Oasis [demo-starter] +project. - address recovered_address = ecrecover( - authdataDigest, uint8(auth.rsv.v), auth.rsv.r, auth.rsv.s); +::: - require( auth.user == recovered_address, "Invalid Sign-In" ); +:::tip Sapphire TypeScript wrapper? - _; +While the [Sapphire TypeScript wrapper][sp-npm] offers a convenient end-to-end +encryption for the contract calls out of the box, it is not mandatory for SIWE. + +::: + +[demo-starter]: https://github.com/oasisprotocol/demo-starter/tree/matevz/sapphire-paratime-2.0 +[EIP-4361]: https://eips.ethereum.org/EIPS/eip-4361 +[single sign-on]: https://en.wikipedia.org/wiki/Single_sign-on +[sp-npm]: https://www.npmjs.com/package/@oasisprotocol/sapphire-paratime + +### via signed queries + +The [EIP-712] proposal defines a method to show data to the user in a structured +fashion so they can verify it and sign it. On the frontend, apps signing a view +call would require user interaction each time—sometimes even multiple times per +page—which is bad UX that frustrates users. Backend services on the other hand +can have direct access to an Ethereum wallet without needing user interaction. +This is possible because these services do not access unspecified websites, and +only execute trusted code. + +The Sapphire wrappers for [Go][sp-go] and [Python][sp-py] will make sure to +**automatically sign any view calls** you make to a contract running on Sapphire +using the proposed [EIP-712] method. Suppose we want to store the private key of +an account used to sign the view calls inside a `PRIVATE_KEY` environment +variable. The following snippets demonstrate how to trigger signed queries +without any changes to the original `MessageBox` contract from +[above](#authenticated-view-calls). + + + + Wrap the existing Ethereum client by calling the + [`WrapClient()`][wrapped-go] helper and provide the signing logic. Then, + all subsequent view calls will be signed. For example: + +```go +import ( + "context" + "crypto/ecdsa" + + "github.com/ethereum/go-ethereum/accounts/abi/bind" + "github.com/ethereum/go-ethereum/common" + "github.com/ethereum/go-ethereum/crypto" + "github.com/ethereum/go-ethereum/ethclient" + + sapphire "github.com/oasisprotocol/sapphire-paratime/clients/go" + + messageBox "demo-starter/contracts/message-box" +) + +func GetC10lMessage() (string, error) { + client, err = ethclient.Dial("https://testnet.sapphire.oasis.io") + if err != nil { + return "", err + } + + sk, err = crypto.HexToECDSA(os.Getenv("PRIVATE_KEY")) + addr := crypto.PubkeyToAddress(*sk.Public().(*ecdsa.PublicKey)) + + wrappedClient, err := sapphire.WrapClient(c.Client, func(digest [32]byte) ([]byte, error) { + return crypto.Sign(digest[:], sk) + }) + if err != nil { + return "", fmt.Errorf("unable to wrap backend: %v", err) } - function authenticatedViewCall( - SignIn calldata auth, - ... args - ) - external view - authenticated(auth) - returns (bytes memory output) - { - // Use `auth.user` instead of `msg.sender`! + mb, err := messageBox.NewMessageBox(common.HexToAddress("0x5FbDB2315678afecb367f032d93F642f64180aa3"), wrappedClient) + if err != nil { + return "", fmt.Errorf("Unable to get instance of contract: %v", err) + } + + msg, err := mb.GetSecretMessage(&bind.CallOpts{From: addr}) // Don't forget to pass callOpts! + if err != nil { + return "", fmt.Errorf("failed to retrieve message: %v", err) } + + return msg, nil } ``` -With the above contract code deployed, let's look at the frontend dApp and how -it can request the user to sign-in using EIP-712. You may wish to add additional -parameters which are authenticated such as the domain name. The following code -example uses Ethers: - -```typescript -const time = new Date().getTime(); -const user = await eth.signer.getAddress(); - -// Ask user to "Sign-In" every 24 hours. -const signature = await eth.signer.signTypedData({ - name: "SignInExample.SignIn", - version: "1", - chainId: import.meta.env.CHAINID, - verifyingContract: await contract.getAddress() -}, { - SignIn: [ - { name: 'user', type: "address" }, - { name: 'time', type: 'uint32' }, - ] -}, { - user, - time: time -}); -const rsv = ethers.Signature.from(signature); -const auth = {user, time, rsv}; -// The `auth` variable can then be cached. - -// Then in the future, authenticated view calls can be performed by -// passing auth without further user interaction authenticated data. -await contract.authenticatedViewCall(auth, ...args); + :::info Example: Oasis starter in Go + + To see a running example of the Go code including the end-to-end encryption + and signed queries check out the official [Oasis starter project for Go]. + + ::: + + + Wrap the existing Web3 client by calling the + [`wrap()`][wrapped-py] helper and provide the signing logic. Then, + all subsequent view calls will be signed. For example: + +```python +from web3 import Web3 +from web3.middleware import construct_sign_and_send_raw_middleware +from eth_account.signers.local import LocalAccount +from eth_account import Account + +from sapphirepy import sapphire + +def get_c10l_message(address: str, network_name: Optional[str] = "sapphire-localnet") -> str: + w3 = Web3(Web3.HTTPProvider(sapphire.NETWORKS[network_name])) + account: LocalAccount = Account.from_key(os.environ.get("PRIVATE_KEY")) + w3.middleware_onion.add(construct_sign_and_send_raw_middleware(account)) + w3 = sapphire.wrap(w3) + + compiled_contract = json.load("MessageBox_compiled.json") + contract_data = compiled_contract["contracts"]["MessageBox.sol"]["MessageBox"] + message_box = w3.eth.contract(address=address, abi=contract_data["abi"]) + + return message_box.functions.message().call() ``` + + :::info Example: Oasis starter in Python + + To see a running example of the Python code including the end-to-end + encryption and signed queries, check out the official [Oasis starter project + for Python]. + + ::: + + + +[sp-go]: https://github.com/oasisprotocol/sapphire-paratime/tree/main/clients/go +[sp-py]: https://github.com/oasisprotocol/sapphire-paratime/tree/main/clients/py + +[wrapped-go]: https://pkg.go.dev/github.com/oasisprotocol/sapphire-paratime/clients/go#WrapClient +[wrapped-py]: https://github.com/oasisprotocol/sapphire-paratime/blob/main/clients/py/sapphirepy/sapphire.py#L268 + +[Oasis starter project for Go]: https://github.com/oasisprotocol/demo-starter-go +[Oasis starter project for Python]: https://github.com/oasisprotocol/demo-starter-py diff --git a/docs/diagrams/siwe-sapphire-flow.mmd b/docs/diagrams/siwe-sapphire-flow.mmd new file mode 100644 index 00000000..99ed1b7b --- /dev/null +++ b/docs/diagrams/siwe-sapphire-flow.mmd @@ -0,0 +1,18 @@ +sequenceDiagram + autonumber + participant C as Client browser + participant M as Client wallet
(e.g. MetaMask) + participant SC as Smart Contract
is SiweAuth + + C->>C: Visit website, obtain
smart contract address + C->>C: Generate Log-in SIWE
message siweMsg + C->>M: Request to sign siweMsg + M-->>C: Signature sig + C->>SC: Login(siweMsg, sig) + SC->>SC: Parse and verify
siweMsg, sig + SC-->>C: SIWE session token + C->>C: Store token to
local store + C->>SC: GetSecretMessage(token) + SC->>SC: Verify token,
extract message sender + SC->>SC: Authorize user,
execute the call + SC-->>C: Secret message diff --git a/docs/diagrams/siwe-sapphire-flow.mmd.svg b/docs/diagrams/siwe-sapphire-flow.mmd.svg new file mode 100644 index 00000000..7b63ef6e --- /dev/null +++ b/docs/diagrams/siwe-sapphire-flow.mmd.svg @@ -0,0 +1 @@ +Smart Contractis SiweAuthClient wallet(e.g. MetaMask)Client browserSmart Contractis SiweAuthClient wallet(e.g. MetaMask)Client browserVisit website, obtainsmart contract address1Generate Log-in SIWEmessage siweMsg2Request to sign siweMsg3Signature sig4Login(siweMsg, sig)5Parse and verifysiweMsg, sig6SIWE session token7Store token tolocal store8GetSecretMessage(token)9Verify token,extract message sender10Authorize user,execute the call11Secret message12 \ No newline at end of file diff --git a/docs/images/siwe-login.png b/docs/images/siwe-login.png new file mode 100644 index 0000000000000000000000000000000000000000..c8d5f4f9eb515114a065a1179843223eb8279348 GIT binary patch literal 49208 zcmce;Ra_iR`0oh`5+FcucXxM(;O;KL-Q9z`ySuwP1RLDl2X}YfdH272w|9Hax#-Vy z*V9!~@^p38w|`aP3UcD`u-LF*U|{f)62Fzez`)JHz`hOtfC7b>{eZaKOL_!6bhRskrN%Z@M|7E)EReTvl6Bkexl%e9} zJnIeijvm?vPXV7le@gw**jnkaRx+c7jx5P#}bUK^zf&)A|MRPcqye9b{J` z&Vv;Cm6i0v9Au&(`(JG;cF5YPN>Em6M?(`aRAR;wLji;8Mj)_bh=73JJvaeg!wUTh zDqUB;8L4c3aKp+{fE&x()%TH?cgkea z8{c55F10SA8thc)kUKmx1|6u8r*|-oUCw4V0&)7GxSHEM^WYBFN_|+n=Dnzw;$OWc zxCGU7!(TqzfsQX81Wu^pEtmT<4=Sv_e-`X+eyV;Dm|Z1K6bF-}<@8zt@uWyrgZX^DeQ^QFN*)`b@=6@HPwR191zAW|g_dNj<*Xm0l3> zO}hK7Xeq-8I3>|#w$@qh(YxYy3pNXkieKV|T0kUTL08*9@Vco1~s zm68yW+Bz;Np#0kXjU*9k?50S)&z$!@dM2sjbBh!bR{1V?N(h*dFx6nMg0f|v9UxPy zVpu+vomEaYVukR=^Id4iI3T45h1Aa5r4E_ql=~h39?Y}b|GU&6Z}xCTX!xtOEhegRA40y(^h0c$@<1aKK;{VB98oddvkA%u|#X84QGb?JQ%Gre!&@rLmtmk z@RnK>ueOS1MM9n}-@y&A=#XmOIhfz;WAU|E$*cbxk~P0jGML|rdu_4^n`~o4*Kw^gZ7$G>js}zFUP80x|}=lnqT+i zVWw?&ijXS#M#~dwb=@g3L@19ApTP|(otcI&+w8{D+$RnAh}nCO$&&R&iPp1+*O{Y6 z>nc@6rCKwdZNOXq>FHWw#N*A@nmLytYh)R$7*RJ5gLaHDDTw57r>tOOs<;H-9)FpQ ze9vA zl}S5r(7jGvx+x@Z)jwmD*ujV|b?zeTM8Y0!8aLrh&%BOSy?Xwnh*TrGc-|&88Y-(C ziM)Eu_p#tp8s_iu^5emuT*%`86=}^ul59ET@5ZA%#Bz5btIok_x}r%eLq383;Qo}j zweY0a;EaI^Jncu4iLRB2r|INWtYBz_N;)`iSe@8F2KNmASxkwybqTmT*lY;(i!t7f zq5pGxwcc*HoZr%^)U$bZf2D*k4^tKY_G0r&>?$U8T)(GR{Qc_DMwW|%EA~MF*z?re zWDg;*NhzsNwC9#6C9)hI?7<(X_h(F)(j(fm z7S=AN$c1+gAwKPDolFynOy_+9tH;J;FARy8elilQ+-=)>Izg;e`2MP*V_X9~kGOE9 z6rYg^&m*5L3dMkyL>$6B3i;WH#}SB6cEbp#mL*>Ej7!k1hVs=(hXaFgh0N-kk0`p~ zdr(?EuBq(+#*j3(jTe&26TGjjScKsfQisc}NhU%y207$NHWyR1HCDvcTE_D1)seD9 zLV<5~cuciI^G)hoXzQnJIY-Z4;2JCk{qT;9ercM_;OE6g8JB-}_qaiqZ}>h~sAvuS zu+w*aB9BL6e!QkMr3dY~k6`wNp9+a>UI>Zu=ttcIP|AxaO4D?EnO7h$@Tg80J7_cX ze)+&bUDgcWdZQtspvzx5RxgJ&h}{YK!?^vW1I59WZsZqpaI_ux@<#!$Pj12mhp*>3 z#_XM$^L?DsSKlk0yEdsuyIF?0RSq!oI#2LYRz@S)Nx^dP+hL2~jz5`~@Z}0JDyt`{ z!N^mYE!5;hB4%T7a5c636ZqtpGQoP&C{^FM9G&=E;Yk2T@@9?e((jDz?4On>%S*DmmCj{OX6R(el~f1MuK@6% zH3lZPedCm@vT?6P;=2uYzYM3u*TCLlWl6lp=RlbkQ}*$3?|;%{PPX|+>iJO4picP` z&J4!9B*-j;8EHY?b~95mUV>LO`5s5~rrZ-Yx1w~$lk*X8{5L-T2&6VshiiE}SyrQC zvC8<;f&g=#IBsrUQn_zuMM{ZTV$yynFR%>-5LUDFH>UVO!hfxl zds8de;hmh&L%G?*A6=F3j zcK=qu&o>}n=knl4?v3`3r_j?#!29o<&30ad*`d^9+00)#RkymYDL68HY&Tmu2R#3j zJSaSided*v^iM^WRD$Z!Q+VUX_(WyhWj8v~!l8J;rgjAIvg_LQgpg0mzCdc#h~AO{^Vio>ibEnse>62|44bZm)tqD0;} zRQ*^X@$^WB<-Eg6C0f8~UMc>SBFZBFY5q~RZAST^7^ayE_@CC!aQg_v+Y+;<&QP*> z+5Z@JCrL!|NaLC(XRaJcb&i}kYWdSS@wvy}gsm4j;dIR{)nY3j2yb;cNpey?TR|nN z3nr!19Fa?Wq{RFJ+V{hLYJx0tAD40oR2U3Yk~d;` zx7{tU4xV7L#|ixuJYjFy^}V<7ZS1Pn?J&vfi@D7th5|ZH1vxM7W1%eQ-=zK9HY}xO z#DcYGDYj;c12nuIQA}=<{;Gbe&lp~NHMDrUPb>7o*Vc>aKP(GpcTW!>-QQL>IBu2g zK06Gf_|1O~RwF*^BUW$U?1yCiYV(OCku{+^4&Jq3e8Rb%&DF`J^IC=$muXU8?yiJn zbG*4gW5-7kILrcE!}hKqw#OlF`m0H{tVx(2(wr*S?WU&6;G;{HGzleEUr9sy2D zDHj`Qn&FW@7p;)p9r>(kuoS_(c41Pidy-bAS^#x^tL((@R&)8wIL=hQiEv1oq52wa zJx*jiiIKBq$_!hUCqoC3@y2+hd4m@w=hrZ_0=ZG}b;F@3Ij149sW{1JNe8zf%~_Jk z;K5CIXBs|p2?s+k=bGKw_ALIT(3PkGD7(AnENvk{tLVL2XA{!a_Zb@ z)skjPRi{|6XYw_zUSh{-AnmFv%iVbwTh901kCEr>o9BaO{M!rghh_6wDJoKOvu#-z zIYGrZ6RgfnvDa#nbKXJ)ZrZrMcUzoO##429Xn+=_fFic{-a=1B<`Krm_+i;c8GvP`8-@JP@<2*IFu z@i^8}v8ATPpLDN{fHOt_KsC908rS)30BD!66so|T-wDt3&`Eo#o64PnG>rsI;|oL^ z+7&7maqi3WhC-Jy?awgC5%Ho7?S*g@0&mF{o@EVih(P(yDz~J(~&s za#i81w+DMaKlXQisfW56-?vWR{n<7q|Kg2eYrs#Im0oT6z`Ty)NZ6Nsdde|-Y$7;m z{T;2>l3%+J<7V}e?>cS7x4-`Vw6;Q`G6m=PWd2E0aSv@6!P?&o;SCQsT9=(Z-dQ^- zny_%}9idz*;`h2VQg^PPc`XFUtTXo@2w>b%#K`ggl z#M5DI!*o=nJHARIw36${Kpb|m4q=Q z<>?63=CPYn{Xl0VCp%Q-0uU*6Epxg&1OC}p^&2uBs#!YZG*+}X{clw7gl!RlFRvTZ zyTZF)Z!?Cjq%2dm$;)WGUP3Tg_}+Bsbl!LG9olH^Ky+i=>>bSF|B~#o0#8V^CJiF>jxZ^ zYLMks$zHrY0HdJCV@)b~v^kv1C!-z3_t3q&W1&_7RlYf0J9WCw?n{zbCTGEVJ`UrQ zXTXQ^lL~5#%_Akw9~T))P&-KsPZf2tSObJR)OYA(j8GyKw_bN>pk$f;ZfLB78{KDD zekX_-zboca9~~S`b628GS4~;q{wAfCC);_*N_%kjKV(AtulCH}7I%OomlUVwMf?C( zU&A?UajK97jJ427n;K`NS8;FojKG+K8i-@~1%D#|^P)oRutZFlPNld}Q3Z^~ih;`} z;XGcr)KyuWXi)zMxUN;)@$ZRh-79)qncD=7nb1}fV$b{ulsw%X0FofU@r4bEaD1`m z7?XIJ=w3lxo=Wh?Sd_nLyHi8v7X(nhw9jV-gV##%9UM%C8m}DNPN_++$h<2|mU_}9 zwuIE>c7TN|P^@!`tE`g{J-!6_`|?)P+a>L!@5<0Zi1x9m!x&fq;^%XrnB30-`0=ll^? zIG-Qwp|Jta)};bEok3SmnHf69;}q`B)O{Rdv{Nd<+!yJNZ*+Fvi$pAHpEjO|_C^l7(TW87UB+19%yT3?CU z`AeDiCZv2fo#89>b@fgbzlaGvc zx&1QZ<4{}^%@yud=?)D0^?)ycltF6ELTw^#D&CQs`=Knb7F%JCv)zzfIVKq}Q_th# zgD)Pz|IG`cvL~}|c!B$#;DI^Wu{`Bs0ogaJDavy1HE%;_IH|r-5#H$u~R5{=||&J78lfRO5Ncg=-tF$-fMa7ne_Qm1i&9?$?iD z$oY#E&6YSaabLsH5z{u@sp=}E*~YDs@RpS&ot^O&yLzZ%@c zzI!Y>zTKg-xDB`*PWz;exjj-p(pYD4WiMjIfM1N>E$R;$9pRSHhjlYpvn_5O&vkQ$ z!$IBba=c0OC_gXrs_DH)*V{^`v0uovbRL=X)Tn{u3+nzTqejzo@|}Q%Z`#_-MQbESrb$7V=1?As4$k2CLFevNCNwFWUV(` zGt#VU!S^X+YV-#P{A__Gs8K`?7}9>alai|h`e(AXn#dXgF6;p2Z{}Rq=#?pQe-v~P z6CUOMyk3@`*4GHf7~5874xDPklIcDFUCcyh+SL@8IKsFE#7MMEY7UA<3RH{J8lH_2 z9IMFyhsU-xak8_#R-*$aK0Y8$Y+YWCr(LYmKC#i*Zmd6SJRU<&sl%5 ze}uG7bxHb+wQN7{RbhRl#zR{aU$oH!qqw6=KtXYsos!beruX)Otr8J&8rw}BSKz)$QnGPobdG&?iPZ>RjeJ3_@oWOpP-j56J~av4@(eZ>C)8x$EL$@)@Ov>tlXZ)s68=&E>lGiS!E1Xi0o$KSx>G^c}n@U=T2! zy(oCtGn+3M&&=Yo`+a-$J69b?K?sga&t~vkB$Lza5bE*J#Hkl4@fuY@B0{<^2JQfx zt=OCC`{hFfi|05M@~&aHbX{H<&0L;`Xhbk-se>lnxGgzyYFYqYYeO5vt}<$oVY7u^ zBWJPAw8GGy{1n+>BIQ6gycoIbfO(IG>vv7ns0x$&BJF?ckoVD0jRq%R8{Z;#{`8KL z!ROr$u1g1xwf+!wMozWOF*uS_uhEednN7*p2!l&bku8~@Yv zJG|#&frmrg%2J+~uyzslWF|)mV@`$|B{+Otu`gM~Rde=_UP++CGx@b!E*MD$eB+%`A6LFrr!s4CHra?&Y5yb%~Yw;8-WMfbR-X)?bIBE#KQ% z4fYSyyKprUE(7(97k41Dw7F9LR{9d>EscXn;IFkH{{1(BAmNkUHX|h}z6iP_k;DGu zT?sb9_E82dIr?A8Ze&_+J~6hsxrN%x>?*x)J0dt{tyiQw~@7`xOQ$Ni}=}!7TE;bW&`oqkI&zz>dDh%t@h>Q6Q%&$jCQSUVb4^7PF%QZ-e z_Wm~F(Pfog0}G@2jPIc*-m^<2cdj9?*j=~1J-jG{L?@N=XN}WXOU*hdP%@ysAZO^_@UEqm7XDE^7$ zABzyR;=-~c;bOu9z3>W@u)2Qct599V7Nto@GC8=q`gQPsaT`simTX4)Jhxr3xKk^h zuX)6jh2a=eT8=e){zZ4exidV{YBM6)U89?TrkJ~X!8qZd`FpDCc|BE^T3+64Z?TNu ze?k2XyKDUU%1e1xRrp{rF1FVrm=QkCA<4lG!FaC6{T&<8@NrHbQ(^rMsl`s+vYROc zX3y8S|LJOGgyjzJydHYRn<;H7um?Cjlsm5iU2^X`SX{eaWIngJWChBsKi+eRUETO%Kt;pvK(CinF>p7oJ;d=0*w((Mr~LEztC z?6!{VaFO1_kw!kuwPtTq8ZF%zeiD5%ul1{Xgy(1hectIhH3EmKGxsHgN(V2<(Ag4Q z$P)RL@v>CCKgwy*EYMSiPIeN2L-63vRP-Fovtof4>vMjkpUuz4_n9g^UNh8ARtL*b zIv9Z^I{L#uYhnRb&0sG7uNGi)VXRO_(hz{C&-j!fY~G6GJ0qzi<0vO zXy}mEegD*$>ZpA+)G^xWkBJ}^ri@Lq1FXNIt-nfm@W_qn zf5^V@%e)YWrPm@D>jk9{FIp<=`J{h0ol&inSrwL_^}-*wYm}B?1V&3Kj$%8wWk_D# zN*Luc@M4Tbii>{?0J9{wcfJq%Ekw=SE7Rt7CRBzfbUEr8T2gnjg&^S#?DUI$zMqk< z5r4k$yp&K&O)D0l*TQxKIPXI(}@n`p_M9PWhCFUDVYG=raY*SYA` z_gB%0G!Se|+@u&MwbiB?o>Y}u7MlReDt!7MjDB)oD=VCyq`4kF1o;-$IWPivB45U1ShApTc7Tby4Iy#_*h>1ME%s(c@_pkQ4 zAet%pl;6FY_nc#gx$eghzyEqUPly%5-|q$g?>ks+sk7dx!u<%-TUlXKi1l$6Wj9BMA| z#$7Wl9w`#jJKQanPWQ7VHE^kw&5iY(s|yoe2+y|W!w%F=zKp_t*){T^6#Hwp@zGE|@ z&TE!$ASc;xdHs(M(A^M4M)G}iFfXtptGJ|KGK`Sg^h zp%gCN0=zs6+;aHub2K?AN#`5z;IwX*N=*qxDW2EIVcNBh%1BO*Q1v3%@3Egkq&@+i zK)zxuQc&OL6Wajtdgc3TjJ6nwHioshrW@2|@o(>4o3_o%3b|#ot>+PyVQ3JzFn_d^ z?t-&NiXi;a-}_GheFlVB`Ugg*kvc(2nQMr!{}U>h|4&)XAxMxCGyk6=hk_6vn+BxN zDf*2O3d&R>GWdUbouc1@Z~=szR7n5jSWXI}>3@|edJh7`T{WtWjWL-rCNyZ(s@QQ{ zJMlDA@XXMHgbS6*6)G3a*|2qVnvPv+Fn@aLG-&}egDC_z>b_taG^$BUixM(2VyZ?k z?>(Kl)pc}r>}M?%D;LXD686R+@@GaG0yb>{hRud88jR@^#+cD%q-gl~w(cIDVRgO% zzXb)r#S+7V294)fn6Gc|`{oDmy5){IGYNT_K;cOXtRS_J0}JN$!wvHKF$&?gR|4ba zwXkS;!U6NaWdM%89RolU;@=4=DOqA%T98mJMc*_=wc35ur}A&XFOh@<<*=A&z%n2b zOh6xCC}i(he*;5GN{)iM6WW?uYE*xX8Rq{9{aXxR$ea#?aElQd-mg4q&WwbH7b$A51` z370w%QTA=uYy8UboUM0AlR=LNhKh{yl^Im>k+BsU4zox9Tnza3K6|3mhK04KL5hkD ziYsL7Ol#RJ71VfLi-Ecmt5r?R%)L}EK?y;e2dAmz2uq%*dCvv+g(VvBohf~Sl&q8! z9R`y0TgNZWYW4!7Js1RJIx}D|8Rtmu@rrwuTBcFF0vIT&qP2HG+pg5J{M?!I^Q$`& zPVNrq5B+}}3mdYgk1%2niBk6asrlzJV2P24C63lhxc>&lk`y*%?&05xNrVIn3@rmP zLCpgg?I%G7*Zo1OMstFNwY!Dg@0U~CiUB&;s8RzE1Chcyb5H~JlT^BR`EV&Puq)A8 z>{#k;D#P!Ntcyy=o38Ro#bhzYl9zuW7r1(dgPK<_2Os1+5tlu}gf*nJ5b8CezmRbi zjwzroT+{BAskdV#iP*`HaGpBb`u&CQqi_#`D9_;>_vz z`&d;~^3!8aHM~gC!xJqvMA3S~iMqHuhqVEg;|I_)herX2DB08sJ7UgUIN#1KM;~X` zD+w+N+yuvWKKUg*tp`Oe`;afPu93m!X0r0t^}PF)!0EI$_Suatm)%t7EDH90OVZ%8 z>!;qOiM{uDSF!$|voRx9-x4GfSU3HE?5-`&ym zSPN+(J7B!7Qbb(-HDxD6tPJ4ts?orzHh;S zaz_!f#$s6<3~2#X-@)rNs@y%>c;tMI!^4^P03~%sZodWuR`=s)$X~D(Qfb9Fi z-I2lPezi)R9@>|HeN|wI+L%!{WjE(`l{*pEOjKB4eCGRJYr9nWHpj{A2bIYy^{ay2 z$@EiRMnE-TIV7e)E>C#y@Q>i~}+#!!-khzak^N0uIP)pXdpbKP`2%d*w5Wu>8cikV7dK2cHvgwL&|<%w6b z<|~a0+^lz0G_==(Ol>n-Dz!D8DxtD*-V&Di`)s9%__ezm6=;jd$rB7+t0rw+Q6$5u zFt5HMJjOgUHxtdWQF(^+nB!Gag->N z%YLZRvncu!bkn=AF#Y0(lg;dGaES~*q{DAm7p?!*<3dePB_LI#DTJXD%TLff+Q=XJ zY}?0x+we{1@W97X%8g*6@d$7?PK9G1^S74%w{8WFk$4M+-Pjwea~4)!6ck zaV`z66IN-zY(RyPqVdSiu6B%>SI;m_v@o;wP8!U1bKD8slReQW6!rIfHtjpHTsf5| z#lMF8V<`gZ4bOzj^CkA+LU*Vc{a9y?MiQsK z848{JF>`vOB!mk)8tUp;e#9e#tAQ>*&(<=X{%@h)56E(ALT%Ok1OAbOk`QdbCsLN^ z&y^$)57TpJiOOwiyMqB$qG_~Qi!a30 z5^J36zP#8MzECv>|Iz%b=qzcL(WYG^CdXzVK?ob*V22<|6H{cMRqR@{nz)TL%kbo0 z^SsVOY3=6ja>Pax-Xxv@+4FRSHzsao`FzU%@!;Aee#SkeU@?n~}Y-Mqubde@ZIL*#C` zYCc?r+;l6C0(os%&?nkxo-f*;q;&`Yw z4~G*iQK>H$FgL|V76wtYSczynxRnWmrshyADBJOX8Ifr^w^4~(W_*=p^$mg{t5vb5 zD}*MMfQ8Mad8g9#%SGFyVmnBcj3)o>kzJJh+oU5O_ev75JyUF?X|A41`g zWLqhMGQ6mCiu;dKB#A{&WPQ4jj>PpazqE+=dmNMf6eBjbyL$C&#;FNh5>$g+E~d4U z6E#^JIPJOxA}l&>6Sf;)XL1(ZFPiL7k-y&|*=OWqLis`crg}j?PS(~(fDl*t3=Vq_s0Npme`Eo0(bkmoU zq4Oy6B(D|*-z%9?5%7WzWU_pJ=X2WH*{5u&>J}VAkfkj6R_ExjXKHxbTwE`2o19>O z_XMB=LIIzA(xP#IiV~mT&lcW4?gKM{@lO}#s7BxFEtt!^ub(FM=mFb=yFE|Nac2!< z;@K*MClRv+(+a*h+$pu4o=)e>?beag%ziZlHo%F9a+xjEsqT3@SS+gYm4#CsS7ZMV z^0O4&{%RBTjMvS|wuG)oyKStg4QWleLrKpr-i0DGdkC>VxtTAuV>eI4`?+d`R0}u* z&c|hY$4GE~xed1`W_mhZ21d_jl3h0?I0QeX_NRhha(~JeSUBN91r9b*m8(=#4Q=Y~ z?trsgtYJKY>B6`na-4I}JJQcebj*H}z~tRf7}5di$UqJMyt{}~X2gGsq&j0rFjuWB z)ioPGe>r!x`Mr+q$*6B|c|xVIaB5TdeR^mkGMk*-D)j!sa-(;ix`54}l zWkJ)DXETF!IJMGOe*DwAg|+4?8*pFEj@?=v*g6(EY-5#Jf1_@C)h(2vJB;cTgO=F) z=eP)Oa7VgOZBcUbn#T!YlXQ{VD28t+0L!ZVKJ0A+dPy?ebo^N{YTNO9;aZ}hNhGj( zrGAYFaNxatJBNI1b8sE7IWLVAnC zS^l;{uCW5k`rU<}hkhtNBW18TQ2OQUhf0MO^LQ5Gv|)1rT52rSEH5hDC8Lsr=jIkJjbUTGg+EwIK#`D8bv+A# zxaC3fH#XEmDXj3*RvBq-pKA>_XOiQ}MtI(yuos~!xW^Q_<0@;6L1fFwb0sngZx%N0 zx?(=4&Z+nI^Br@d0d~61%-u}Ft>Rd4bcB$KD;m`X8y%7`C)+AUxoOj$*~`?JxW#r~ zDVhG>Z)V3*)*BaZhPzKh#Yy8?e7x6@Q9vD9WyGQm83?{CD?r7Dntbvvxyg>Ginf3y)?vdR6aBXMHGpK%X=3m zp85o}hD?TPXS3!1JS~t2x2V&@T;BGD3k}|CZOpU|&#L&%#rh-POa2AqSl(sqUZN|0oO9xpl9-GCW zg&1<8?CyK<7n1~kH)WI>U@+tveg@B2ccP&M3e^s*R~iU?>8t;!-0ht-m_bR6JLYT` zB!xMoyDzn=#5`S$*d4F!UTI>xzFhp9$&r5iVu*XToH27khP-PM5Qug-ao713jsM*R zVbV#maPp5x!c2!pqH;7T#>WMUDl?2ER7USw+*oVpWc7{MH}0GF_V5azXmsV`79S|3CGu|wl6l253@xR=A+j*D}S=iq_I%K^bFVwid9WLhI+cQUr zy??;g`+g~|`lLy_!LSuMLjB1KXak!Wl!&)&-rz1&_-)F3}$XKP&QWT}n1 z-d|z<^bqKk$yPuPN({BJdWm13PV_oGQlq<~qHrC*cy+{c<47>7(K!PD29e&>$pCxl zh^VkQ0)>K{h>*Z_CA@vQBqU@UvuJ;OQNe^uKEH-#3Syum%>@6ho&Pg)79Q=_RGRUl zf1aM5A3RV`zl>u1>+H86MgfT8AR{L-W#9vC9RsdGGCUa&%!xz^43>d#CYrNkgMfSn zp_?NO(jQ-zin9)&%lyTN_|9NSkooTM_IIh%ftpH`Q9R*04T#?el{%rR!}CKC=Me

EcIENXGc<@lg@SO-FFc&s+SpXg2vXi;!#xyG?T}OU$!Gm~5B(2Nfglek z5X5V49&U!0wRIfGID3PNj6rq5c>DnI{1TDx{6&Z~Bj1-T^Z`OLAh@=30;KQYhbRSM z9tlZV5-u_{jzDmI0*3l%esJQvTo5vma+IPjFFzTHh!Uz5FLfGP9D)S3ShH3%^-*ae ztZ;su31sJH%#bChZ#G~~A7#V_xgam^1_;vq;^6lLkvkq3P$FU>NQI+OLxw|^jelC# z;}5dz78rg63l%Hnt5wcgvbMFE&z|WpVcrubWe5E~iwdC_LCX^VH-OCle`NGtSxl05 zFzHjbOurO~&dYCnIMWrNnH3jYNh3B>DEi%!e?I!jmq#*Vmot{|M+~W`;-LJ2WP&nR zuLZv!{rcFavU<2oeV)S;8EF+Zyteaha;g^cA^m2~>KJeq&*LFB(|EW6_9|v?g}H?- z=V@#9WMnqdqj6LHoZZycGNFW+fL42?ufZ~u3sPuAYL8Rs89JSw(QQOf%&t3_Y}|G( z3v;M=Kv9RgEBvK*srYN9{%6HiBrFZnZ1{-VQIceAIFT%rJOw|x5^`bqCe9k3CpiwKg2%C(lolGS~%8M+o_U4)k2@pxW zlbh1P1AHm6R4x1rUFWbSH`^TD(Fs#q@lm5P}MRbeuxe~&^;y;#~!@_arLPCeR%v|>mU_C+G*Sg*+Q{#}49@%2Q??@}w zj4@QnR_N6Wes7EUdy8%2FYYKoZR^pQh#J_!pAU_$Tak*2M!#G$@reSX{oMCH6Wnb zTEIIe6NX$RM<__uM)2&&>&EfS(fz>QotPr`&rp>n?TUTeog$XGcZ6cQ1ICtl;?(os zc}}D6GYU2%j_40G!Psy(p{#~8*d(xo9?pN(a_lTl9N*xpp)qgHwI?D+c{_L33|YNO z`Q5(4^|ilIEKe9+j#cAw;t5%Y1pMoTNIqjbYESi=E$$$Q;d>oETTf?k!mo7unp|9A zMHK-nu3#^5y7KK>>cZrHvlw>uNViD6JDpNcZu$DA=A%Hh{stHOe|ybo!(zE%8lYMQ zQlU;)Z-nQ zpVKz=@}gdK>yD;0B0Il<673}~m#B`BEwVk%x?wa~J87xm(u<0{>om1b(Jg-_OM~ikLl{ixm{?$ zYy#7xL$xBSIlv_y&X+M+*lXtEjSw6x{4b3yt1<2?xBD$7rr>md^D}$%UeAAqCqIZZ zZbsM++(N0y?Sz_;n6T^zIt1iz@Z!Sziu)L6p|~wCcrsGbpnGGtqYn}ylSIK^-dHqqiy+&YWfA7Fa1DnFmu0iT2S?NY6ne6D{@%j+vzPgY4I;XMs zu{ABj^3&wF%I^nL(T8#6Aat(5LlL<3`bx-EiI3bsmpoQuMZR?!cWNRNRk#R3FZ=za zLS#aWqRvKRl%{m-uY}v`eH2RWtZuE@UN;dbEnTyRA_5H;rjy$Z)EA61*WkNH9$QLG z81A;eB5re0b4te}7u#VKkhu=Rzv~M%_V~SL`k_nTc+y@s4PykD!Koc6*c%>9DPB=M z#(E^A>q`tSYVNI-U;$|cQ910Ga~`c}h?*hwCrOitvqL?~N` zS4~fjG@GD2UkJ}hO3!*JycIflFBT)WSEImi^(54WL>WoPfiI#?)s*)-w$1*aKB;y3 zbQB(w9BkPA(eky1)EXy3oAtpF+|es<;49r1{W<Rf{C^9NEyU_v&3$cO47 zs7jgO(rBP(WZ$a@jh4@g(P)a$J0VnZ(Q>i4KpJE1!;yV{)sntOA-q zXy*I84|r>of5u3%Gza5u2;>c}He-f-3n0_(TV26a+ZqIFlT6OlBm!jUY3}v<^U`Q5 zf*PUSh~n1gjkS_JX05|b22umw3~Y-p0kfB7D{Cbt=i?^3Eom-jGX;jzMOTXF726iF zWlFt9WRK6SK^u~?@YI#gFZ_=P@&=!~lcd?U-CuoSTmo}UezzesPzu#;G3Xy^zwTuU z-zgZk4BrmtM++SxeQvZ^DN#quyZszt{j(OTw304p=nWPAxw{Fx(c_e>fK+(4up82A zQNR(@jwgPRO@ApBoAuy|7Xkta&#DW&`r)uZmyAdYvhs~ls?ImfcXiS{eQvy%p|e>l zXFg9K{HdW2?PnigE$u4K?>U)Zsq^$9TF#Yhrp3k_Keo+|vFJg-XeFRgQMqeQcVJE7 z^+GHu-67@w;_fSgARqF$_mAp0aCEv^wu z;n_1?fiac}ScB~`bn8z@E6Fn$wSzZHraKQpPydPo;5xjdZhtJ#JEDFlJSJ7K=H5sQ z+wQd!g;UL}l;A8xx(LMTDI*`}Qrc~bX@h3-HILX^`Cu7a?h4}ITl&M6&6L-9EW6$= z%f1UM{fFZyY3%L_!I?ldK)rcKt&WG-n0j|8(N%$tN*Y+Pzlf?!*TN+|eTw8DrZOa_Udwqa;z1 zmo-LF5B5y&n}?m?>kjC@DQ`~X4=yh3Uz`Evr;f5w*jgWgX!VNC#){y?n5@7psYhQ5 z03Oohz3g{&Sm5o!uT0;sjdkySa62B zGu0*`d@+)lI;GzFY*+|y@+@3S3p@;crbiq#drQ@x8MlZp^FzE))Na=t&Na+6pRa@x z!KLFC8#c|W|9m$1>2(Xdu|jLoSHrfr_?PDLSfTy z2xrUKpAIt^Z5Zn%t?>52T2gJS>9gnYFqEhUtuP)`dEmQFRBbw53x8M zO{MlxtdH`n?d?EzrRs>6Cu`D)#q>us(28Hj=LMLsUj!HmRS}4MNwe+X-RW_!D2d&S zg(_lWvRENh8{<2rP$)-oBlx8SflXIqGbW36q7sL<9h|~v=6Y~?42$xltVWu}Dbrqx z(&9{=@uHn08D1JcVkE73<@!*e)_?OJO}=9OeG|b-1iL6dTZvef;c+)Q8E86DEkI+o zQh|bw?`Qh{zA1itWKKOzk>`YO&7oN%_xojM4r^?MkZk)_4^@H#JEV@*4=7&*SHyX} z8Rz4LJ@-v;BJ04|;p8os;(}nPk@irvH4KbXv-B}Pd=juhNkS$K)jpcrRb<1c3^D)r z-TxNb)27pPoGr6J);XwYsrS|Uo1UVyu=dK}T~#B)dizd{E8K}qT0jHe40lmxuNCBs zwTKRerlhb4$;Dun6!r%hU~F-eUo4Z;_eq9xaGM>S9@)thfsioOKzlkO^XEBV;pvI? zSSMC=>7cFsrN`je_)})48bjE_Vy+rf6;&X?nXy!t9yK>^VCXU2O4fEljy<((LH;Hp z7#becVnOUX!Gkc#J>AX`caT$B@LSHv=>6WQ@%5%0-qoiKseSNV0sjpmp^?ONT%Nv8 zVT60I$FfUN`N*CA%~B%Tq-9zdf(a&>Yacio+euXVVAFWGUea)-L~ge8b-`*Av1uw( zN$ielN)CXRm>y*OGcXI**6hYL{*DlE?9j*ozmD&?3L4#_ykcVuF;7}vJyJuaph=}hcfj}oujB7I z)HGIk`Y>QFe8e$zI;T&=CGFfJZO1CPb|svp&ZN$8luxr6*FR8$Xk^i1(j8vtxpZhU zecTcU2iJoydDw4lHo4XXSFADsDbKzzTULwnzHF>OmRIliee5vn&h?bRu7*u|fmZK2 zXdRE&J^VE$RF(Z8U(U?ioXuLO=-^{dCNn_!tmBBo6J3dw#^^Xm>&^28vIo(ihXIj< zYA#Q!DzpC1mIW7CL!o_E@q@fJz^tp%Xma@Un;2)GC7!laVzP>RjR}Uy^tcgUMRwzjr1xZ6Q@Qx z-VCPEg0-@u&=<%I^u%af`oZff0W`NJJa%KJJFHx2Po&@q&{I=rCZot2b7HTKz!8dfU;hm!;I^^;-1ivy}dMKGP0-6tlXp5Z@H^p zG{rx~dpA!oS>EQnEb?a1#VXFL+}Lm`WuEF2PIL;()pO&s)XOF{?}hDHb}L-XUvJju zo}D8~OL69KE%*Rwig!vKREmlnWlnNk%h=^OvsUs-O1qwphf4_NMnJxX_O7gx&j*u} zlhe@BQqp2~-l`mB{01FqmwM&%Q-COqHsgKPVz;z;d1-0TR@dC{J5Jet$4H5hr-#z! zOUFFn!?!ZXTc^4Fk5}f5@=TUuSyQ$+$J7V~lZew?$oP8z-x5+;sd>Gd^**Ng>B;`Q z04M8+-@^#Er?<#k6E&Q&gLOtROnM8ND9Pke`3T)tF<@Iw>`h zOj6<*eJW{ilTq*{Sm3|MZ#VXb^le{Jmbb_ z9;KjtF4hZJ!sESE0!fm;%3oU^o#b$t_Hx&0ba-EoVEr02dlE3{Wxfb3D&{eNEy?`n z3km9FI+iVQ+sTZY>4lwIoo%gKGB@&8&4m+|r&$L)%%uXiZ6zDhWMw9B%j}t1Ip=Kh z%4B*mLB}f?PO1-j&%VTXoAfxJRDfr@YZk_cuW&`G%tl--d>j2SLa$3tMnX4gCCQUS z*uZk55rw1H8@edGwXwa%foi3(#sj3k%@rCc3$%nzj$MXBmH2PZN>-LAbo6zfx(iDk zqkf*j9F7ijlI~p92fN7B9SOs7w2_t#X=5%1JXDw87`^r-L>H=mTCS?xrPxIJ02gh~ zp7f%uu*JF?LhrI%{$MEzHhG9|iZ2#3yFqvpa!qXSe+A)Hj#t#NrgZfC5~~1U+HizB zd~(MnFzPHt2&e;v#)5cWWUV)}1j&AAJsf||wRHRXvJ)d@wkDEX?4Je%CcB;S?^^t~ldvA>F z;5wM9bHRfmYag28TR&p5U=owTGk!d)Tms@qWDO66vTRDRMkiT5o{LvqmY{Gnf1rV* zvf92qSz|af8owt2maJICD(KX+f&wS2jl}3lyIl;p(kAtez z7|-Vol!uu9tT%27qf9Mlvo9R@_rOz}7zS!h4>|zTgGb3Gk+X7gsan?HHCH-fJd<+& zDs|zmm$?}xr!8>o|45prd8pbPKb8~w!r39|@3(MFMZwza;<9C3C066uL)-*KFv0qZ zKzkyWs=%eqRbIa;ee3F4QW)Kge|>F8t?u24R4l6Mw2tr_(>zPS?#ojN;O=-z->E2P0n}_ z?QM@01#dT}jJUq9qj|Q|R4t%Dps>S`CbHvR& zQ7^9Y^pUAf08RO1=3Xv1%Exm?0#O6@gOdBmezhR*)K@kw1`e41oYzB*w|4z^KcZpc zi7v7_8QiCR6_5}^#d58@W$ z7|_kSeX2UM%c=}o5o32Y;-}*-ZqD;-9MW$gT+N+K?$|s_PBIG>3KerNHx7s%m$)8H zqVm^^+Xw^CP#B{+Xa2UXM;w|B_Jl+ajMnxthPU8nxSHhr=E`@C51? zgcWjS-?{Q!JB(3p5HRJW#=5`Nv!Zl24(b-drFTCKdzSF6q=exIFk5=#?b%`Hq(p$i;h} zD!v7#bn}i|xc6Sio?yQu?w^h#;6sF?{f1Yv(6GD{MPVe^LqmYeUmB}8Yu=UZPkdE; z)rIkmvU+wMHQI1m9xM^`ji9a!CPToS8L?gkW}XqO0GUPPYduT!l<5EH&3<`i-$B9c z`V5inN*3GadjU|c+XzOBHF&)#Rv=EZJ<_{g(FaN28yu2%)hB?(`tguBqMz9v_AC!3 zbOMGH`1U0U5}umBm0K|q!WWH{u8$-mI?Q$$Yti1gss3pi#2h;Z{JQs##}aFwfV9}B zUF1=G&}t6L(L0X!A8~p7neT~(|s}vsr!bBjs3Mpb@XlSx*pXlfNSF1K@Ltr)dtB27wt!X#|1H-OuxL;iv)1agn zy9ZxbNHKdkWqo1B5W=8WP5f>Sbnzg04Bm0y3EDx?8=WAraJeji}3Nah^E23db)vhB@`5?VxNg+^rDbkJYGW4 zxxAx@Sy@@V?Zr$2BN@i+zRTy`DG1uk=QJf$NG3fU&BRx+8mFH569O`X%^yE0V^vpI z9IVVnSAd;{%c1VVxI54sH4&3T)XGPk^>{bSlIQM$UWnmjzDyta)VNf}E!p_sej;asXHQUQ^?cn#4mRCF7k&s;csFOk*_ zZxs7lfrUDFg-@?pS2Dh1d>GM2U0U`q9JtZOgTaC9^tBvbyq!;TCw*16kyy)3C=cX& zrp#f-Ut#UG>Xa2JRS-TG_>kAKX_RIy*GlzuIxT?%sl4}B4;KB^fPFK~i|eI#Gb>ev zTy5B}3~Zr133LjT4n8i}t|2Jj338u6Stv-B5Pg}pR7F#Ul(i{zE==>LmE z(67F|a}hC)y29{CeQvB9K|;NUOe*HQc1{yZt2WChjEsU4Y!!va{>ysL-+Y#$Q5W66 zLxC$93%l1}7|O17*_e06O&?cOzfUl<)`lcFPATX?Nr*c%j72%c`e_(MG!(P4mfU)o zlT*F0>KTWoSmKz1b`=)%tVT0F=deE za2nER3i>cG&IjWkfZN9Ye-Ci?hGMmeEvhp0_6Jbk9A9yoatXf3b@v3CKZi}N%qBI3 zyQNeR1xztM(?l(H$87xwI#V0H$fi07FYd)RFKsF=+2~zg!3lQb+g56gaRrS}-6nIk z^Zu03_oGGfJjDZhfEd-y>iWe|);Kud=JbNzZz1sI1-I>VtGaOP+6^0q(484!mb#k@t`8 z(|#=6;g(?@Xr6im5umRSvJPH&;@2NHBMiBf8T>5R!`M?{3hyS_P2#R{1upP^@$RV3 ze%r`NuqTnkKT3hEk{IsA7I?qxpQd|de#DCY_dz(v)r(I0i&oLY1v0Yr| zd^S*DtO{#tB1AuFFzC*w(exZ4ewKo+!NbM=eU#&fX8npi@7)&p>HK)%>I`keVL3cUv8E><85c&{~V|b=WC7YK-4NxYvNw; zVK8OmqCL5;P>D+)&MH6RVR|y#6k0otG#)?L9|P6iH=D}!HT%+qKi**h&cenoh8H1q zuirO1LcRdKe}9l3%N7O)EAL-Tl^&14G`+(`tK+w{S<%)w(-mouYHOiPRgv!>8Qvfn zX-myD{0zvtVWlH|i)RzS#kKeLRzk^(J)qc?8DlQH-|5%d9P9_LDB0E_xEzT*W;BPk zAZyHXNI8jEN@GTkt@gy)mq^Nck1k7@siHt1nU~BYWw3GHl!9!s2C(5>Mrwu$9cq_EJfE*SR4(8 z(jp4599FJUMzwsNfEC3V+2!z$eihmd?ANA-{QI@JM`ieO)g^QzWo`+G=6mM9Oci zb3_P}k@Y#AC^-ZCOZ7>1UIOediR) z708ZuWOk09!n`eMKFGJD4#Xyh(c2yfbmq+DqGp(ZS6Vu=uHBbwwPUgg-3Mrm&Eq}T zLTZFoe_i@ht!wX2#rJMXg!~6%@K!ssNU{+5libnszMTEIM(OHY%(z4t+EH&M1->>T zJ6fX>cX{~qe1ibL3xqzKj`K)zx?0U*1NniVLhT1t42n?cpdy)5in%9)P8yHoeFIF} z;X|#UCi1WiwB89bz>@K7{5B8ewjlsZwqqo)*i>=gt21UDd`s(2dGhzrhzSSI{q2@6 zoBNXR1j)go;RCBb4C&x!F!6((*_e7mji9U@>vmuV-O#H!Tt(O#5a5cuP39TGuCmh3 z?q6&n64IgsR+K$^1qVnh6l3G~n3TTV`9-m)e~p*U6Ns;ep!jNu%*2V_10$Cg1)7nB zSePYShX6(y`n*!BJB&ohPOjVDy{A{!Qb0Efb$f7=(}WLpopdiEV*f(aHPlgE%YRp{Y#0v*Z>Hxl8_6^5${J7f(b_->$atD}EP5bykZ#gAf-Jh&34x_l{!)+nwQySvo|mvgaR*6NT!3&EVN zEU4@Yh$dS|(sx6R?j_Xk?oJUB3st!w}F&fE8b{;D9C!A;7)iFL;Ma6e{j{< z@l7p$uu7OaCnsm^$sQ^g^>*v>T*^gQvv3w;Qh3_PRZMhmKTlYj*IXOUC$|Z##r~mz zi1 z|LO$@-|;c9YyL{kiO&fkH=m!$y?c=P+w*TL=&Vf*8Bu}h*=hrJTH#19ucO)lTLcYk zn>>G!?xk*YuISZPj+$6+U#OfTJNt?Wr$p_rQb;ma(pY#Lxmp)+THvtenp|I-T3bE^ zA9n}6x~U(`?UmZZCPgjcA-%i&C4(Jp%S`(`lpxWTfzHkArC0H8GL+UFG2E+baF-mA zCqwUjjGXCIR8N~kh#s!`=V=lKBRxu-BD$;HFVHVZu8$uc7N3`Zr|kvYg*Ge=wMj>2x+|Z(((7(E`QZcwBcP`ch#+9pr9w=q(oD zjJ;5jJurhINT^=6b2kiT-x}6j+L_>-m)Lc@ z{Tm&EcagKrNkHAs-|e}E-`>N_kF5vjrjJK+&jDS6=fGqTzmc7At&!JGo^ZH9=fMaw2#`YG9= zI)~gpUZ1^YzpHC*N@?k+{G7ZnI!uwf9Z_|00}Q%-4aW2s>8_U8qgBZ2(W27LQvZrr zH4<=%CtK`D!h1&WdmIm`=GwUu8+NwF!ooc5T_n%5q7$yPGf93`Y`T1#@r^qpq}9U@ z;H+;8gC+CnCWBpM<Ard)jB~JXgeC+eFu8)9K z|AC^XX)85W3s;RQdux%X9bWPwpbs2u?WV2O2f zn!`8^5cd~#x_N#cTX}AkUsXrI63~nc7psM+M0~495;Top8z2fm!XW{t`Tsx~>1kiJ z>+kNkU?Gc3SyDqohaQ9nBJDKj8ySUWRM5~)L@li>CDVD)hLx61$$Tf$ zCVBJ|0ySXggHBZ+gnuMpqD(pa3(4{Ks(rs6Y{SI!gP}A0^}eQqGB`MZjEYLNO&x&r z3trJcUq3W5oJr?yER!pnP*iwlXU9+*bO}g}iAhEvDx8YRS9geTl)R*hcYZ$p&*~%h zO@SaDq1^SF$^F7d=J)UTHkJUSpYT*vqnLJS*Y;2#HHLf!{Y#twUdj4J-LrcpbDu)K z5ud3NXB-2Eox2gdKmv;1QsoO+VfM4b)kCgu$)0yX2gR;Vuyum|7TpFYfqW*;fc6X*V~fruY(KMsEf>@DW)9Ns^_R6>o8YGq5zkI z_8IUBx(@_{LI=_+1Ucemu2S?4l{4M*4{{tm5;M z9|v+qHR4(e7$KQ`Dpcr5qs=5X0_w(|Owmp+Q#U0uMqGeweDJR!$o8K^nz5SSbM#VE zc5JMkh=dmK_3kcO+BLjc0>cmcSZ^?rtb^iA)sh>t9t!;$p53C4|ITm079uo@CuKF# z+sVnpe7t~nIvw1@rKj^nnOOk!*Ia^o8!%^84srsKa0+6OnRVrp9{`Dr?!T!@_ZICx zchqQuSLJe@Ogh!8eX35H`E0GREh$zHp$1t;CD(?r;qY2Q-AQjb-NF{l0;1c#wotKT zn`=Xx5Cu3sSQ~Z%R}o7>&9kXg>cJgLC4e3URgD%s4<^iJ~Hjqp~vBfD5beAo+JTJm!`zo zbpoFCQHZ6E`UmI+<~iGhgYENwre9G3qnSw*$&U7Hadk$p5^BHD2MBfgs}{>WAMV1meTCjx>8I*&YOZ{MFCDKYk+S#9y<4+6W zW=PAtFGH1ULr5rX(wkdo!(yEw<;5Ry-bvHxDzvIFS1bc0g(;<7_mmR{l!1v(Odg4zb4p{^(8M~RqMryg zezsz~K4=x|Cn*}XH>c}New(Tj`51Fn?xksrx|HsqR4P#}LO?HL&RxvcT9bhmNeDrO z#a=4~jaxZUsE|M}ZNQmm-$fp_O8fq5!g|S8DNvAl4_&Mfji58RoA!WyME~i8A&@fP zDe(}`TM`|0BN^@Xv}h{Tr_N%^uFG(!@0YwQMBhv4Dxif;UIt`n21~UCL0UW8e2`3W2K4#v13_!?}v7EOZUh zDaIly>8{P*4Xsmbr9MhCKu}z{X3^Ap6Hhva=bwt*Q&d*xAB1#>y#apqANpv2HIjd} zP|r%MVO4!htQnvmO}Em!fw9DDb$vutO0$`B7M3LcO!Y_IFgVJxzDsFHAtpnpb9YiX zV}mc4+}rK{Qn>0(zt?fRR`G#;ikP`|*2DMIYL3MB_!&fls3gUf#MJ!BotrA9JKK|& zzRndcGuTkh{+!PdRQ`a@-62c4y=u(3tNqpZ@->av{a|W!5nNx52@57Otwx(>(`|I0Yp4NiNt;7Zc0Q)>y8wW+8ga zPN)gjd2iV5q&nwS+ACP5Sy$*!_|~?sHVP}~rpXhY>wlDDrF!zFK72ge)Ytapc|Z-q zA^!3h(0>rcZD}?qf(n1od&_P`bFA&2DIxbI{2VLY&oe#J-|0Ou!n;2kU3#>T>mNqx z06?dDJwV{Y8ZGP?s9ly7J&O0Rn$Y515E{*94YlOa39V`a0VCSc8EH@im5t<_Tx)jj zTQRdSdw@)&9TLzUIVD%k=Ql@EU)9fJi@nPCHB_b!lW%poVeiH+4itGlDc~XM{c^c0xXfQT48R~5(Qqp5c-K99NiVe9rQ*eS?MzbLuhUhVLssE8 z3dAe(d6O@Ih7$`O4(De=FU67tqY2UN7;Nm`9K2etWBagc^%G)VY?3zzk3V*1ApB-M zQ89Zm+NO(-hBN3ekum8CbTVB6Zx?IXPG>pV_ zQZZ<%9izM@*e0hFyu1bL!!^8zzNJ z!|}>YV#B7#a4qU%2x~v8oj!I}^m>#AVIfiVgE-f~{jkt%e zsRrsRk);V6JEvW!u_x+JS2Czy?Kv0wN83>D`BwY@k6Fn}w0xY3`n?yZ5A^Y%roUpW zmU<6@qA#tprTjA&a>Pyy&JFPRtx7$-(wL03MK^!UJak@pXImi@HdeDv)(=spuegj6 zsDo*;M;{ST3-5aj9*dYuk0g&J#<6SY5HDrl(}OBuUi{9J*;|MgEO>ua+qt%vKI(SP z#Iy366`5uZ%)S_khq}>_I~l`8QYz(Z-hZ4?zY!3A2hrfkh&TPwj8ZTW+A#3#}pzV+|A$BYN%v$xuakAhqG-v$n?W4A`CQ&Q%BlH21$ zxVa~>fPewLUF(en15tf~0F)AY(%>@bK|1{TZ$AZl8Q2fH*ID~!y!VGa8BuUCB;o_9 zIMT}*-@v2HL&)T722TbYL_*jm!v79>b4j_oIwY#5ZK`J!xA7oDYSorLe!Qq8~aR)emO)p1MuN=5lNV{bx!E!h?)Zx^|DJC zf+0zJ`%v{bgQ?(3SJbH8P^Z0r&%i^?pF|-Q9|r4sU(4Z!%Li|nzUl0(y^~*LbV-H$ zlX!jA_Ts0qWEn zXc)u_kBR8_Yf86gaQG!%IP=|jkBM?u=)AH8bM zW6ZmGZy_*$vwvOr!rCziJXF@VBQZcKzJ&he|k>*Om&^6&vzT~rb2k%KiJ9tJl@;4BdxI*tXCGini^9oSut zBWblk4Vym>#*bx?d5W!IP?vSdHCTa%z3v6qcF=}XA%LYfE0K3Er5YKl-`|O9^FgS_ z2SVFw6)?T>cYiafnvXP!cvRVLK{pWC#`>h{i{lmVpM=7&p)PP~{tC;6aJms`7G9er8IGcJ3??${%|C`_sRZL~G!+sCbV zGhMIopB3c?Ym0W89rlk$TYbREDTQ(#Bt+aP1%e1grkH@|lTR=yf6Y+Y`tL%imw~??)r5f2&Dj?R%W^o0y!mgx$2U+tQ0~hU5my} z{e-xk=sq-j1eu5Yj>Ep38KlH_?U>EarLib2cQp=M#8YPkz2~!ft-`)>2$#Dm>W_54H;J%Wr1)9KdjmP{3w!+~LwL4m1X^p2I#kH~9Y`zVe zz_ynvcZ+n4zdUQSyt*h_!|Yb+sMw9@O1Dt%|9wzZjXW5;slujr;XbVzhO0;V>CVjJ z2U$(K81=9r`TXJXrL+LkitDK;D*isxfnY7w@jZ#5(UZz)?yl(1xX{GK`e+H1lOm{h zZ5bb?U|o|EfE3Q>mIRDyQ>YOadege7J5>DAnm$0WUFu)INte5&=nN)gPN=^(xXsMf z6$=JLM4>x3nOvr~^yJe$;&QF?bOI1s?+yWzYN!xCYK!@|9vuw{)W2UVE{`XF5_%G; zJC%p#0HU9WA|Ur*b+E~+b+^Y#0$H5_r-f_FKP3$LskAKlD; ztcJoBU-oolNG7-FB5sSMF`1A2C^ck7Tfod7kA_X*twtU|p{urdH%18D&vlx#rOuee zyc}B?_S@N$&Etfyv7?pAdolXMRS}4^oKq~0+V;8fzoBWif6z4eZ+=*!0Aulgr0D+} zY4$U_@4-W;&WG|z$$I$70P=PK6v0Gig!#$#T*4>G9=aE?q|^86kOaYWLA5=`Jz9Y8 z8nk@*TpAt7@Ys?_ML{8rh%xqG{R;o1oay(R0#ltge(PB|C;OpfyzoO*xn$L* zV|_+PMpc>mKMe*&qMNqt$ov8(dj19ze(@EWNy=KBGyS9R9nZ#~>fv(NXzr&UPESmV z5ElDB*kdFNt2G3L`bc8)AC2@6dvG$R@`Fd2-DHM#R)T|5UQC{iuU-a@<6P|V6yX`q zJDB{33h9*lH+n`PBxef{2o))VAC6Sd9iPHpCx_AD`kg_bS4*1xPh$P;^3%cR`y$L8 zK2O-=31*Kr_#FEMo@zgvj+D`BuPm0lK1^{Jp&ZJ^Pd#JBXT93z+_1m{V#fsbZ|7>8|Cxi zy%xT!{ihZw4>H+Q8PHLRbF5a@@~|eLk$D4dPdh4dF~um+#S1Gbf~hq8=Z%YswN#S4 zq$*bpe!-}sN&iMZ^x1z#cl?9R!EeQg$}@dKuvM9SHAkn~%-^qu$~>$#2-q{a1S8BE zKY*$`@+DAw?>7V+%81Law|E~>Un2y{Uz!;{l++pAhWs6>1ioJzgA5vX;zDoI6Lmp} z^V+&)j0~F^W+6uiK&Lqi$1)$BhV{6w{FCQ&Dqqw~U#4nz^|8wspsLWGa#5~la~Pdc zv&)L`5ox+S1^W-%{d|wN9J<{9UiWOBh28)9y7VqKk22an@<5gD5D8AiS zD6Ajz&tyl4b`PGob*kIuM~h5TwY7Oba|+;)JFgQNJ5u~c#UIHzkzdJ^?6u)xfek`M z&vx5}>IaJ5a{+ick&HS+ZD*!x>~9y6}R z!#SiG8{#majJYSN^8CFaG~&Ke^tn2 z-PtKB1!B^Nmo2U6B{Alz$e}?%px-~UN%s~cQ1hTg)0!xmyPE9?ihj>w06o)^a<<9a zQ4>BXdA*B|&$3I#LE`(M{pA!l?-@ffT~Pbz*5+kw1%NB+b85VI>n4Il0evxp96xI-*bP8xK+&%`37jm{@JK&dweH`4j`GM=A?V$ zJv@`Y=m0P>y`E)o)zz7(L>6skQ@j!UA_jTV$Or-d%(sdzeWxQ`-W1nA9Pb-DNqB)2 ziHkA)e@-=9a3kdprIw@Ol9x#7+`iD5`~ipZaQ71IsK{Glts$myo*&=>GWxzc*_=&u zy?P1&y3K>U>j}94U-TAf?LO4MiF(R-@MVs~&uN?~_A47pX%0_(TQUJ81jU_>u-7A1 zaYTM&&bH4nzifGv-$lfreM_JTp0q#q;C?B0C08lp06JdC1mipd1W(nhd%*6V)fufq zi8no&qVJ(tYbO4rg+)T$B%DG9eY%X+K1&)zHTQpHBu!(V4IgMDRUMq0&KEGzQ1LvG z=Fp~LN}pitJ$borSjt_b4E_y7s$$KMz^?YxJA9`DG%DJT>VxQr3N>Qf1_nqFHMWEN z?}knP6BJ8@HMQ4=V*t%q+j*6`p6i+`M-JruJ7&&tRG7(yD}bb*Np`c$Mb;Usfsr@c@q04%*T(! zLq7?>oyQfi*;x$1xiObU73t7$cbv}ZyKhRK?$X<8A!iZcEsmGy}vW^Sh*3KuzrZ@&PP9&s?bOr42vLNK6r4P zN$;>#8UZzbim_gbE?OcHtGmgOJ8O?Hza=A@r*OEA5$5fWfat5P{=wRIP{l`F;`MKYK@l7#&gRmt)(exI9ilbLN2W!H7D8IWAN;r&+8WKS?<;+VD7r3nj~- z+?|~@V<%7&bSJrVE(G)5g-}X`d%_8Z%zWf>5+np!(JOb~vm4nyQo0xi?1|72L%#cYG1*0sJ(G$mA^SrXg>XD}u?j_L{ehm;r zC*?b4btpEZQ+d7hV8Ua~vG#+}ulUsnlqz1j{Tlp$Ewm_0>16ztbU*YCzQb=xXq zN6Ij-^?|ryQ~4sUv@}@bcNK>%_{cpKak$BMvwCYD9uyQR(4c}Va)tsWpy?&^u}f-M zVSpw)OLArcS@E*Y*I|=OTyM9>#GCfOUob4qd(v=jFX5~U!yj71PSJFDsw!x{ zXcE2KFOx@AcQd+R(>c32Lxjto9O}S(IEnA_*AGVQyJhm_Ct}j5^9ZpQ4L*>E!v;A! z7UZc(nHVf=!DbHJ3u}ahE(jSCRD2xKT!4(7am~vb$W0=H-uB?djtdU{18vJ+12sz; zPL0~uL((!MkS^Y!nE&N2|Ls+#|FgTqfj%;Ph$s~~wwreaPLsq^mx&vHE^)@wo(@fA zL@$6gZrN{Q@Qe|>VP7ER_5H_h#(T*|kVavql=;6>9y3Y?MH!wu#u+92L;KgGPr0dh z;J$8SG{(_Ejvcs^8~F#P2u9bKTFRy_+!cBhn9rHtBkNT13gvTD2>h^Lagl3%;Wz%| zj(vcCE0!z4X;_6f*&YsdKQ5fgqsCbcH*WAC*IABM2YUZ)HX4GKe&o=D;q9Hwxw1Vu+5p-;G?<)Tc{pH^1P#L)zu@48)o1*Te-NS1(CF@FNNY*M z@WL3&@n)*sef4NLK?@Chcc}{{bR|ZpF}-tlczgK~b37v-2sAo)Jp8+U=gE7l4*wdC zoANa6!Wvk>%m@WEQhj}Vw%fPWzkQu*mS?#U!`C~0dOW7L#(YFe7HVW@H<0bz@QBur zY?~<(v!}EP+Ba~YvhNXz1xI&`=lkpwRSe+kvf@nXQEdfnJ1*Q&zt8lENcAjfgQGW{I7p_TlobZQ)2{$>$t<`7>~I`!Hae^WkfOPF?jp4lhN@jQa8I z)dX93vK$u`r&Rm)6>Wv_jYo#tkUKt z1<86_0_+en_8a}kfY$WgMJ_fWcV2m7rLL04&-lr-&Y@Hzg+1C#Fi`21j09O^PnK-C zpE|u^1{F>w_RgI(Ic&HMi=va|v(qLwzEX>}`JbrdYn3IE#?F24|5eU)xBfQ_5GXaV z2Aqg>bsS-T4@Onbtz$V1%4Nm+yNu2~GYAw%TZ&89FtYxrPFRMt3Ib4Sq69F!CsrR-nS| zma~+b9IhHqZHdqNT02!theW-Yx-%to?@Vs3#vAjN1~Jdvj%SU$lDlmsV6l9HmgqPM*og^xy;~Hn=F=zw9Uy3O z79;bx@1eMz4mY z!XXO+K1+rm+*kO21jxiaT?nIcSo{?h)V`pLnCZ z=D<~!)Sec|RQ~D=d?F&xtT!CkZvN8?F6Z7_FVEnktow4|lZ#11vb4?}{B756{`Ii~ zq)@vUYMY0Yj=h5@^G08*`m(efguf^vP`I6agQ9S+ zjOXvtqYgU(S2R_t3$AfZo%yyq;`7qKYuC3@3z*`J18zL!%xX4xB@nGCYp3(4wL8wG zMv|T(Z@%lj66ex}LK5OwsEEuDM_ddP9D^-jwJMEQhMD-mO&@UG=WrPnNB0=`N$$N8 z;DuV!CIn7_6-fYxyIva)w{T*T2V7*X(%=)V_^ziqEHzXnuzF^ z&@q}HMoZKc%!n1AC5e{+8yn4(aAJX73nG3i@Hb?~%*3Q#io=)l!0Z+u1ius7@+Y`{ z+!hC-q{d@}%la+2mj|%=3AQlt_HX~mP8=_QkLSL6F{=*kuXD6#cf~h@{eFKatgzz2 zx&R{nf#z_|s({5e^KbR$FG?VxX}L~yn+$L8@yXy5=k`Q9k^{1%8Yu*U*IAL<(x;@fBKlTNAGW3;?I2~6zRfq z%yN7ZyJU|$Fr0(U_FSJt(JhdDHE~^d{*!3=q`9Q^#8JKS%Kt~zH{+Y@iT>xN0#~K6 zUB#h43A{mJv$Jk|Le=fp)4-gVh(9M>(&O0~YsooQQz91%2`u_o3Sct0m`#cBWnchm z4YmB|24gHC{&QQyqx-En2dVw%K`a}t7v-VmuL(^yh6?Sk-17uO_gSk?FHvoYHuFiL zbp%hQ)=O`sVTB-ifKwYqR=WozfSB~eC{-*8w=@~5_m=y6F=>!ww|F*;|D}5>G)VlO zD6%k7pTp@mU>9l5@j<3JA39@C8-SK7gImO zoag;~ZXAX0{n^rN?bcJT0rEN^=Ea^2WZOuL7CS8X9hFGAMb28A8km?BuHHAx6G+cv zM&Y0p^uHJUJ(WzY1{%H^2)>&@`FeHq@u^f_4(1YjbZ+saP0pv}sR)r>+}HWE@zVt5 zp^@qdL1-@Dch2aiN`^2YTX7H*$+cftvjxvHMN*ib3@8)1Wq(pWmI2Nswt9CmA!CgR z`4Bjt_tMU@+-X4+K=o4`XguSUf9$rC)eAS>sytD{z#@t4B*>F4(0$R9XQ<*s&sk)d zXKeGz_jzYtl&~!eMZa4F7izrq%D0(~-0wX|2z$zSdu0rK}cUmGll{3k3$ z9y`7=v?X>iTT`(xpCvXuJ-<-aQ2$ln%uV+9>Sjj#^)}c z{49!P6N;IP=rE;MY6ZgU`5}2$sB_*cK4*&KWYcc2ndlc2fFwMfk1|Ndxs$#2$@{J4 zFg_u&PgHeCcxC8;q8X8t~UhVxrK8s%F* zE`-a;?&#{m{3_TR;NMj5Sc4Fgp*9GST9cp@5NzwMY`%Y}Z=FJiCMD9n>emf4|g)GI%LS$ZsrA^^_{UMI;4wIC(vqDQy?e1;?1=0+)R4=Oc(Hx z+`fiSb-(;I+*7!I>kXoS=H>G~9UtNMTK=9^Xi{6>JZ7Ld{Br~1#ZgrCcOb`aB-sG( z1hs|>LJ9sxrpDoJ-uph-R*)tzoMCgc(ZlPpOKj$QUVLi-*UhXmwNONVRWlnByGK&^ zH!qlZ-bn`>Hxjj!Q^7JpzXat4QEo`II#;CC?qj;CRqPnT=YCli%u*b*r{IYC^dl?` zEzhR5@zXe|O*(hL1dosbMAbZnZF01P?HOiY?EcT}%p6h2D}v&m%Nf@oQfAM+_t87I z%4b6*1M3W+w;Y$h@$PWUl51)|PSy&`e#ZIk(mSkZ3ao$+0V$wtJ&)3Js?ua3QQStl zTD$}sHoGf94O6l!r*~y3y<@Qrx9;WO`Y1T&bCE4PmZA>-($b0vYI&Ipz;Vhjj)iuQ z2?vtF5c7b4NI}3wg?xWYC9@?h2A$H$tV6G@@)7Ah^c~ji>S-DaWkEQ6@mJ`@-;dxU zDgp__U2|t@Gr#%3Kor+3*Or!6gKyk}Gh4W1#2B7^PEi{8 z8P{`{BfUkS6q==7`O(5jm7L~J_G(=tM+j!+bGLG5t;Y`ZyS-U=36C~|oJ^q-s6LJa zph1RRnSo+Q9@92CtJp zZd(zyx4Oe;$o)(%l795s=NP^Pf31wIlD^TZK16?eI;yYX)+|L)fq(iV53fK>!s09C zIVn#xTAAR8!r0T)+ul&)5Ef${yS-8=aJNnzqnd;%_pdDB)%o=cAJ=;?&P8|M%a~k4 z8hf&OD-yS9#NO^GU|iEVy&bJ5Q>!tRk@Ttb*W{h>&x+3?K}J$7{<%aDEiOMo*)y%4A6&)qm>oVO_!P8U_UP^&Bsmz+?|1kLAl)=QrFHQHj#Amo# zf761)f92m+x0sJvRNn6W7zjbbHAW{Mv3;chlRb#(AGhjm z%wjSnx?#iYM3RmA;a~YTMr%0Wz^K-{x2$gd(9vPyZq0Z+&D3F3;r!q&en_^^eORGK zB)Mp6YAZDeTHHw!8-X-igwOat4K*>@|GIz88+0@^l}fh{CB8gg&}(rSD%f;J>L+!* zxhkVfO2tI!+emWK$L5>>r_ZV65wPo42S={h4@wzA219P^Zj(z{1UhK2n_=~B3|O~5 zN~Nq0=Uv^=s&v7ECIyvggFRv(LG)A|33WOmo%c@@Y0g8J{W+rU2eddLCMSrNT)7y~ zPqre8>7CoM1EU-kOQsC;lj0?aXr&ek%p~$dRQ6ljN?6_dooSDfs9&K*!ff*`qUQylaK!4o zqMC1lhq5w`(rePzQxlW{-djztTfGnfT|=Nbb_`rY1cH#?Xe}l65ATk?unVsKw`a5D zN+I#Wz%U zh+{+dxd(w!6fhL686LI-`*Y5)idkIp`^fn4S3`TH!(>NnPM@z8=1cu021BcQnUepPa5YXOlCF zV#MfNBwQmW#x#I4wblCunaUTryy;9jM~lg4$@t3%Akz_w%zhJ`4N$Dp(tRpb^d#K; z_^qjn4O|kD0Sd~a58=pdH@6QQHSXd(C)df+o-btP>+-Q4q=cLvv3{z_61se=<6g^< zGnz;&-erNJi`F&fo$9dRDxlnW9DJ*2Z(PtmC}u8h4T9RF!F z5D+B1g$pzKFaZrPJh~D8%e@XwJW>;dLllbX6XwJB(Ik2aJ75a-K(b)ZwY~Csv6Xpk z{gc#rQeO~_;+oMV8yD+Jb6iNSJ)zD%(VU`x;FddhfpuB27_G3rQRLM%m+OlUQbQ(b z4WeBh&UEVVT8myvH+AdhdlWD>P&OiByJw#SKz2(&=Q% zN6YqlC5v8lQm@J8on%JuQgj2lwjgSA3~2{U$vgP+q2KgT&kXjR6M5eLfjySatN zm&bzbNF3+b5H#-3w@eC=*WX~5{=cZfXzxD3+pCqSUHLxGmr?z>8wc{|HDb3+B>83_ z_Ba=y+XCSM(bTg>cTaLCmZ;ZC>S#{!*555BmwP2q+v^si?lBGh&v!I-C0=n z!y8WX&}J*z zjzsgeW8aW;i8^pslMGz#FX=Ks+%L6mllW-&HCazekpkoNn_ zLu-8@WtaK?=j{B+Rw0^{YQ_fOlS3;Qcv&h&yxA+IpqvcEw9;zM(9qTih zMw9ctJ0fUM3=b&& z_6tV<0)n?n`=o^%1z@2_xh^wx9#4owzr(7efo=UcOW0n0Xsn$o%MaPBH|!_6#>aE| z1OC&t(tO;g-kk-X8M$zTVhtDZd%A>Rmxq`6W%)vK+Q(yksfKSyhi}<}J&fV#@V4|s znbq>bYD#%bH~6R1^PP-gM`I8z344JR7D-1(Ie69UGd)xPW{u*P*DS}Zlbs`71d@y6 zxeo*0ReN*PIXoM3S-N8ymDRE7(WIu9$g!?(on1@kc=xMx2z%eub@5aNYu!=JFXrv+Ka}SJ6+H#m$-Pc zO8H=PJs3r6Z1E>o>pEh0Wd+b;xogJQpOzh?=p+M~q3=suJ5S1Gs=8E47@OzGSBLWj zpCYxM3~l%34Xb&v%#~7(rB}h*XBk(1vVuaAjn&GMogaO6d;Txg-*`K8kZewij(zL& z#fS7YB;AW`#u^rz_Q+NHz6qB1DW<4ii{9Y$wn4$f6V)9uPavIOR}H+6k3ixn8XU-G_lR2&*_ zmM{3(SIpFhR`BA5M276{=vR0ht)}(O9cQcMpiWD;nn@t2)vbPWeRw~{pI^pfR2?9$ zPz!&uyt6cw!JC>=p5W)L$f*&E2hus{@u`&!m4~gANb|C(aMY~H$O~m8USABi)3GxZ z<<0oVT5ZpWzd7yn@W*@-DorNVo$uAAN~$#uzAh7#vz2dV9?v^bQ>^i_TFXn6k`)pv zVqKDup*2O;c%f=gB}S4go#;u1gf|5=5A57)19@3mBg)sDW4-o(1M1>fp;1QE`lBL&!2_h9V)?LL!FEa>%^J7gW2PEG4xAz_eBb(tC9x~U&MF2MsDAp zX`YP+euZ@xxYzIBYPn>?7p$T1+iLTBb}#?xsi8a78>v}ThF_J>JJo55Xvf;jO&<%w zVuxisxUoDa<2OOHMUdu=`at1KhW)6bu(Qh<_@gxT^^Rbm<6X@`49$4?^sDL|AUXCe znihWT@crzw*1^1JuO~Jl?&Lcz}z6=g8RM2leKMCoN^-?Q-e0g2wT#_w&Ib zMhV;c&UD~k#H<~~vVeMA-J!kruxYk=A?6!b^(mdWr!)JbKMUe6m$?`56SuxCl!vD@ zyDwCXYxI9U9ynfG9T03Qnu;|4<5EviFZ@>`i?QgH|9OO9lz^|YYNLyJT>csFr%-L< z)^|M;rEEk29+W(RhvUJJEZoSxl2-{AGSA6ga@=MOjOdeW9}zF|Vb%qTc+E99eJkwd zx_kLc8~hUy)A5LUv&p@dQ8HcQ%mv-#|IE2hv=00ok|~1+Eva+m-IuQ>z6)w&N#A`E zx)LpsX(`;#>@k2!SOzcfhK$$@8W<``dp~yf>j!_;`x7n1Y~8fWAM08EzGno;8?!7GFCA7@B_LkWTxj8Hv06?j zx=A>(*2(zT77H`5nKhZiq2O!)QjE?a774Hu`cbx551VlWwsV8`o-L7u3=-6Bi`t3U zNqjeO=b!C!BHiV%rS{+|c=>)6;!WjoGdAzx#^2jCkdWr_gMhJEG0&T}eXf<-ar3RNP>gB|NJN`hqLyQm4p{qA`2vBMueicL- zTQy8M@ip@*vc8Ny?O;u1+Gg1FUrNzGZMy=kY^b`{ONErocYiU4k~OoX(r(Z3eECX? z`SIXj6AcJ?>At0Min2xPX{{~2)V%w_P3gOZbb51qb9W}wo| zRf`WaJhZCOh;U7qy@!BZayC;>w>7>ZDwfSGxBaQfC74mHoQi!5N)sR#Kh)o>KeQtn zbfKRT^;dXRf^5KlHg8ajj+(26HL76cPvKb|T|5be?8MS4|Gw6P`4+;G4@9TtP$WR| zoYA<$Q~L@GkL9qiAoncBefJM7V>;0*F38@zh+x|M|{p?j^th7H#q%--`SPoC)eAR zbqymG@E~1iXmS=kz0t6Vl;Vs4b$&mRa@=buvUf{(UT7{izTuntb33X!v6JTg4PFkxsQH;vg-w1CyMI#0cC>5* zeP!k_teX^@Ks8(T=aVYCWbuRfsioo|^V=821L~;@w9xzxE?YV!@*z;ovJE&XyK><8 zYQ}xX;=H=ghY}JvT1rH;Kw4dKReh?K5uNFB=l8bFgwUTN@{RA3ZS(SiZJ}5==;0j9 zx%LOJD0EO+Dk@!k+#wPl8v&&K&LG+%R<8_!`kVI@TJ7={(<@mcDpJBP906%+WMsx_8&MtE;`d|lXEL&ah^V-fc0NcC`T6)D z=?;h-T}P~v3}bF9iT~p?EBomFhuf@F{9gcvqx&5nrem!Cg(mura*Fd`G*VLJ|1J9& zh#{MQ!c1ig9`R5$f;$hoOI$q{c`H7?tdtA1qqM}X^!!JT3$FvPzDJ+}CdAn+&&Lm^ zBWgd_Ep2Vr-MLqyrap7`BXFjY+eIKYL^6oShcWa7ZKR(n?FTL8(D4UP7BV6)5#SUN z)1`5sRCpsM%(w#uhQgsG+EQA&%_7t{r z0FeWbO;dsHJ+7ZJ?MsBhcN*?c5LYh`rbpb_!No7$I0V}cgxN+fmP{g>>67>NpbtPQ z)>@>D(U$$<5;m%|Oa4fH2=b%GrUV%u}f)a;!<{0PxPuoBpFXu+FH}M zYQX7x{YC>o*gz9H=0JbT$|K&i5%mGft=`yqiWPJ0{8HH)#LSo*Lp3mRvW=(<%I%g}H1HnXgKxe$P~DUQG!+SGJ4z0GEMU;gZ}d$7!Ip zFK6@z9+o)h`Z7NW7PN%95P_px1OGOMK9Pm*$Sbfeh2*)q1{5WjyG(k4PQmur^g}Bdas4 zY5tq+6rkfzD<6!e>mgmm%K}+@eWz)onr>Ul&!i)B6HQT*$bzbD3>f-fWMM(3YQ>s& ztR`~#fAcC7wzPY7djTD_8?G{7?cOZN71RWahRUY&R0=l8fI@Qbq+#b|Ix!4T03I}f zT9AGl4fN3Ke2w{w5J(21YPi~xu|R}Os2-d31pe=)76nr)-&?gsH7DjTDV{5ldeg~G z)e#PdA5FSe_oq^mlNc(3JxGnU)WPkx?_z`0+Ulk&^WkFZS>Ngzu*p;)<&KqDzUdW0 zz07}2t>_;>W|i)_Gq$=)g$t8alAAf?Qq@WnC;cJt6sUuVscz0n-^S2x)2P>=2F*)F zx|b11GEZ*`pcE_iQLVv*^o*3M$IE!8IX|A;g>ew5`K1CSbL~Ti9Iq4#`I8hn*kkB+_rO_FcA-N6b%AEl z#T`};lTy?LtSk%g^xZf~O&ao{F3!1fjScY_SR))fSp)?)^%{l#rVgI-MiQ5_FIgnv zYBA`HYD_cl81W`yEEtY&*Zjy1`_O|tM3!8)t05bQwg>wX@DMA%z~IP-;bkdk`s;>R zY(qY)1`y2}*s zv6aX#gc%v%>A+Ae1-fB8z26@G{L=XMU*+tlwEdG{0orbSqXI?Gh?FV(A+2JPf8O_I z6t*4T0NCB=VCJlRP~>VqcE!KsIC>>&?G>D}n9OC@-^pWkmpf&w?4IQG*DuV>8UxUF zuU@aAke}L4d_|Y7UpTBi4vUgO;iu;u(DjLyC@f-?a7zz5;wN~ZB9XxPZabo1);PwP z5%kHIgFQLFHIp$)|C97<-5om4?YZ1ZnqcN9o6=wHykVV~%UQP5pNhlzeCoj@`rYiX(DY93*NhV6Om0CEHG!q6CPpJNF!t`{>tDBjHIT8hZ~JxHZi{3-{lFPYAu8yzgyp<% zu+dCqE;lP^srt)yaDE+Tt0%~eu5c3}Y%||_Jysge-hw_}(^TESY!fC(m#+VgXtZ?H zZ%!;D3$U}ZBW@LyQ*u8xTXeio$JMXw9949$e3`d6n=T@@PD?mS$og~md97aS;S*`P zLG1ovqX{A`!Zd}XL|iHBA99XN>8_ziJie#bM6?SpVxM^mAvfyDy2onMFR9DUhn$`# zYR0ZpPO9G!3NJctGTC7U9jK-rGve+Clq%PxM z#I0f%m8^=!WCz5i6Em#|qKd7mHS_GnCtR!?6e$;DNL8pF*Cq3$oeK|9;_07}c+3}d zWq;qlg*DUXx?Fg<1E{T|5luInx#6~^AfYtQsgyaocGX-&BEiz&J0*;sTmZT9p$BTR z&9!o4_XY54t0hMHRo4S6-zAkQN(0DGCV@OGTp&rcgMv)n-0zL2Mzr-5zX!NvSeZ6O z5xn-em+``7M_*IaDlfBVm{g#Jn0O{)<9R&0trU2ZrzWCVc|6QPu<7TKc^%}t2@7n7(L1%QY$rdj z*_m=Wv8_oBk`zROyrGZUg^3}I_^Nk&TQ+(= zfXfgWo1R){Es_tGpm#FiKqbVNjot{+q9i&uZ)K8Iu-XR!J~zaIpMb@7E=1J;n;ClY zuM*-?Qiw`kI2%$zC_|YIcQ8MIeB8(?$_%1H`UABM%d~7?&0qo^#xEn`8$8s_pkV^> z@KDE>Y^r@$D=0|jMnr?&0$!7IqQvPBxXAOe9~xbPH?S)G_vNDPvr5-uDelGVhM^0W=sxIt}}+g-Ww0Bf8z9JreysmKxv?6 zL-S%sOY_$+n}0uGgLiE`Ys9K+YQ$#1jVIj) zO68R{Mw%cPGzf=qFl+?4^Pj2{qfBm!%6*DtW5@T4S;2Br8Xf6x%;kIaWh7pOE;`a( z#=|LLy=C;s`Wp37yfa}mH=5iZ@b+FAsXpaHQtCVaM5J>IQi^K6x}VRV8?oCx41iK! zcQbLAOGgvy{c6&dmpa)*|{+F{kUbMsyL~ms@e~heKXhaTD2vh1YCOh~@ z&9<_~H1uJF4^@lZ()jQI>jGz*0t0FhwoidA=K2GnEH|2hoa*$0X1+hh>{5p{X0uRa zai;}N8Z}LKqy2Hs8OC69`|!J$l8=5fWwId%_psEM{0s_^K{|FQ9H#7gzhNbq)HBov zX6v*9L1i&qK?InE(E>k_C6G#k)`1wWwPz%pE9M1;XFwMP{sFo%fM9G4K@L)>;(g=C zA-}iWxSVE~lY(=xHDV zc`px}f3#^G8>;01JhNq3nr{ZvGzF^=d55mW*+HPL5m{KQj^ShRFFU$g`Awa)rM4?F zBJ^)8O;*HI>g-PUYr1BcV`H@i{Gmu)I0b%S{NX8zaZoAKm{qghFQNMoAnUky3x zoAmyD*s<61dTXl-q>O?To%ah)cgW4unZ(Yd$gukOpHBed{n!I_P}FbV~jWH@!U5sOwqWI&=xz z{-Q8MK%*hZMRLGax3l=;l`@lUqU6_pckZ8~c2w(>k%{{ocZR5t+VcM(NW0v=(8_lqe!N3$76K0YNiITAit;^9UIm`O}~-Lb`qg&|jx$K#&^r%5qOA1d=@ZwRc0@ z!qTqa-27KwuzQwCK?RNvdt+vj9P~Q>(8$Q=zwsn6uh#p)fJZ9Pr@gXbA=tLAhLSzccuwV{|| zn|#)CF?TpKftBdskpFN@96@65z*Sz2rlz=|hWCp4s2zYothk{nF{`&4Pf+MGM3XW1 zj+f}nH|iHf2^;xhc0(mLxHVeGJ0607AXu%xyz_wFi)h?ZC9&6Tfd>mKzczyi0;C$X zF7PUGr=ceAIpyrMLxNI7Qrp@7LGX+@tGhWAJafp8R$HvhvnsB8n~`OOsr_tIhla-E z)t?=qgtjWNl;(UV#Ig_ri>>s5*pV~-wB{Xj*?V|^I>MD0q-3!lqNHlR>E{?5yI98_ zJO7utAa261)$t=pZwT_1CRyMHQ#RJpDSWA+**uLw#faTTr{yCz-^FD&y z$zh13aB~W4gQ0Xy(0!8gk48_@ua;M9h+af0894dAdxYvlD^dwZVUz-~Glkrq0-1UA zaXS!%^3|4~A>)hV=5QmmN+`#QCs=73iNKn_;)(}%A`-8)&zB2JN5n4w7v>J5_I({DnkCdwM-fSx3)Wizl1mQJrV~RWRvOz{hr+(>; zUf>`)73*^-<+R5;?EB)z`Yk(Jh#{`upiJ4U*0(0~+QbD-i|A^x@WE76?CP~YxT5*h znigw^C^IoLjp?XHy@N^kB1X~0SQ>tX%H(h8{pt+lqKu}zJ4Um?Ul@KUc&7?3>Zhjh zQ9C*c_L87NoaA++hKW8!)aI^$k+|Dv1yR%~0E zDnIYi4;1J3$mq+64m`c)RUgArb;-IoW}=oJ>=?yvM|xkN$~<-hA4`+Kz25oipWs`N zk*#Du`L{-dALjg+7846J%8dyBJn$0(?Q3KJ6&X4vjJy~H4P1J-)GtJKw7 Date: Tue, 7 Jan 2025 17:34:21 +0100 Subject: [PATCH 3/3] sapphire-contracts/Siwe: Rename bearer -> authToken --- contracts/contracts/auth/A13e.sol | 42 +++++++++---------- contracts/contracts/auth/SiweAuth.sol | 40 +++++++++--------- .../contracts/tests/auth/SiweAuthTests.sol | 12 +++--- contracts/test/auth.ts | 28 ++++++------- 4 files changed, 61 insertions(+), 61 deletions(-) diff --git a/contracts/contracts/auth/A13e.sol b/contracts/contracts/auth/A13e.sol index b7426799..671eadd2 100644 --- a/contracts/contracts/auth/A13e.sol +++ b/contracts/contracts/auth/A13e.sol @@ -7,33 +7,33 @@ import {SignatureRSV} from "../EthereumUtils.sol"; * @title Interface for authenticatable contracts * @notice This is the interface for universal authentication mechanism (e.g. * SIWE): - * 1. The user-facing app calls `login()` which generates the bearer token - * on-chain. - * 2. Any smart contract method that requires authentication takes this token - * as an argument. It passes this token to `authMsgSender()` to verify it - * and obtain the **authenticated** user address. This address can then - * serve as a user ID for authorization. + * 1. The user-facing app calls `login()` which generates the authentication + * token on-chain. + * 2. Any smart contract method that requires authentication can take this token + * as an argument. Passing this token to `authMsgSender()` to verifies it + * and returns the **authenticated** user address. This verified address can + * then serve as a user ID for authorization. */ abstract contract A13e { - /// A mapping of revoked bearers. Access it directly or use the checkRevokedBearer modifier. - mapping(bytes32 => bool) internal _revokedBearers; + /// A mapping of revoked authentication tokens. Access it directly or use the checkRevokedAuthToken modifier. + mapping(bytes32 => bool) internal _revokedAuthTokens; - /// The bearer token was revoked - error RevokedBearer(); + /// The authentication token was revoked + error RevokedAuthToken(); /** - * @notice Reverts if the given bearer was revoked + * @notice Reverts if the given token was revoked */ - modifier checkRevokedBearer(bytes memory bearer) { - if (_revokedBearers[keccak256(bearer)]) { - revert RevokedBearer(); + modifier checkRevokedAuthToken(bytes memory token) { + if (_revokedAuthTokens[keccak256(token)]) { + revert RevokedAuthToken(); } _; } /** * @notice Verify the login message and its signature and generate the - * bearer token. + * token. */ function login(string calldata message, SignatureRSV calldata sig) external @@ -42,20 +42,20 @@ abstract contract A13e { returns (bytes memory); /** - * @notice Validate the bearer token and return authenticated msg.sender. + * @notice Validate the token and return authenticated msg.sender. */ - function authMsgSender(bytes memory bearer) + function authMsgSender(bytes memory token) internal view virtual returns (address); /** - * @notice Revoke the bearer token with the corresponding hash. - * e.g. In case when the bearer token is leaked or for extra-secure apps on + * @notice Revoke the authentication token with the corresponding hash. + * e.g. In case when the token is leaked or for extra-secure apps on * every logout. */ - function revokeBearer(bytes32 bearer) internal { - _revokedBearers[bearer] = true; + function revokeAuthToken(bytes32 token) internal { + _revokedAuthTokens[token] = true; } } diff --git a/contracts/contracts/auth/SiweAuth.sol b/contracts/contracts/auth/SiweAuth.sol index 7b3f22ad..cfe1a02b 100644 --- a/contracts/contracts/auth/SiweAuth.sol +++ b/contracts/contracts/auth/SiweAuth.sol @@ -7,7 +7,7 @@ import {SignatureRSV, A13e} from "./A13e.sol"; import {ParsedSiweMessage, SiweParser} from "../SiweParser.sol"; import {Sapphire} from "../Sapphire.sol"; -struct Bearer { +struct AuthToken { string domain; // [ scheme "://" ] domain. address userAddr; uint256 validUntil; // in Unix timestamp. @@ -15,8 +15,8 @@ struct Bearer { /** * @title Base contract for SIWE-based authentication - * @notice Inherit this contract, if you wish to enable SIWE-based - * authentication for your contract methods that require authentication. + * @notice Inherit this contract if you wish to enable SIWE-based + * authentication in your contract functions that require authentication. * The smart contract needs to be bound to a domain (passed in constructor). * * #### Example @@ -26,8 +26,8 @@ struct Bearer { * address private _owner; * string private _message; * - * modifier onlyOwner(bytes calldata bearer) { - * if (msg.sender != _owner && authMsgSender(bearer) != _owner) { + * modifier onlyOwner(bytes calldata token) { + * if (msg.sender != _owner && authMsgSender(token) != _owner) { * revert("not allowed"); * } * _; @@ -37,7 +37,7 @@ struct Bearer { * _owner = msg.sender; * } * - * function getSecretMessage(bytes calldata bearer) external view onlyOwner(bearer) returns (string memory) { + * function getSecretMessage(bytes calldata token) external view onlyOwner(token) returns (string memory) { * return _message; * } * @@ -50,9 +50,9 @@ struct Bearer { contract SiweAuth is A13e { /// Domain which the dApp is associated with string private _domain; - /// Encryption key which the bearer tokens are encrypted with - bytes32 private _bearerEncKey; - /// Default bearer token validity, if no expiration-time provided + /// Encryption key which the authentication tokens are encrypted with + bytes32 private _authTokenEncKey; + /// Default authentication token validity, if no expiration-time provided uint256 private constant DEFAULT_VALIDITY = 24 hours; /// Chain ID in the SIWE message does not match the actual chain ID @@ -63,7 +63,7 @@ contract SiweAuth is A13e { error AddressMismatch(); /// The Not before value in the SIWE message is still in the future error NotBeforeInFuture(); - /// The bearer token validity or the Expires value in the SIWE message is in the past + /// The authentication token validity or the Expires value in the SIWE message is in the past error Expired(); /** @@ -71,7 +71,7 @@ contract SiweAuth is A13e { * runs on the specified domain. */ constructor(string memory inDomain) { - _bearerEncKey = bytes32(Sapphire.randomBytes(32, "")); + _authTokenEncKey = bytes32(Sapphire.randomBytes(32, "")); _domain = inDomain; } @@ -81,7 +81,7 @@ contract SiweAuth is A13e { override returns (bytes memory) { - Bearer memory b; + AuthToken memory b; // Derive the user's address from the signature. bytes memory eip191msg = abi.encodePacked( @@ -134,7 +134,7 @@ contract SiweAuth is A13e { } bytes memory encB = Sapphire.encrypt( - _bearerEncKey, + _authTokenEncKey, 0, abi.encode(b), "" @@ -149,23 +149,23 @@ contract SiweAuth is A13e { return _domain; } - function authMsgSender(bytes memory bearer) + function authMsgSender(bytes memory token) internal view override - checkRevokedBearer(bearer) + checkRevokedAuthToken(token) returns (address) { - if (bearer.length == 0) { + if (token.length == 0) { return address(0); } - bytes memory bearerEncoded = Sapphire.decrypt( - _bearerEncKey, + bytes memory authTokenEncoded = Sapphire.decrypt( + _authTokenEncKey, 0, - bearer, + token, "" ); - Bearer memory b = abi.decode(bearerEncoded, (Bearer)); + AuthToken memory b = abi.decode(authTokenEncoded, (AuthToken)); if (keccak256(bytes(b.domain)) != keccak256(bytes(_domain))) { revert DomainMismatch(); diff --git a/contracts/contracts/tests/auth/SiweAuthTests.sol b/contracts/contracts/tests/auth/SiweAuthTests.sol index b71035c4..ca54acc4 100644 --- a/contracts/contracts/tests/auth/SiweAuthTests.sol +++ b/contracts/contracts/tests/auth/SiweAuthTests.sol @@ -11,12 +11,12 @@ contract SiweAuthTests is SiweAuth { _owner = msg.sender; } - function testVerySecretMessage(bytes calldata bearer) + function testVerySecretMessage(bytes calldata token) external view returns (string memory) { - if (authMsgSender(bearer) != _owner) { + if (authMsgSender(token) != _owner) { revert("not allowed"); } return "Very secret message"; @@ -30,16 +30,16 @@ contract SiweAuthTests is SiweAuth { return this.login(message, sig); } - function testAuthMsgSender(bytes calldata bearer) + function testAuthMsgSender(bytes calldata token) external view returns (address) { - return authMsgSender(bearer); + return authMsgSender(token); } - function testRevokeBearer(bytes32 bearer) external { - return revokeBearer(bearer); + function testRevokeAuthToken(bytes32 token) external { + return revokeAuthToken(token); } function doNothing() external { // solhint-disable-line diff --git a/contracts/test/auth.ts b/contracts/test/auth.ts index 9d8f0e91..7460ea50 100644 --- a/contracts/test/auth.ts +++ b/contracts/test/auth.ts @@ -123,11 +123,11 @@ describe('Auth', function () { accounts.path + '/0', ); const siweStr = await siweMsg('localhost', 0); - const bearer = await siweAuthTests.testLogin( + const token = await siweAuthTests.testLogin( siweStr, await erc191sign(siweStr, account), ); - expect(await siweAuthTests.testVerySecretMessage(bearer)).to.be.equal( + expect(await siweAuthTests.testVerySecretMessage(token)).to.be.equal( 'Very secret message', ); @@ -137,26 +137,26 @@ describe('Auth', function () { accounts.path + '/1', ); const siweStr2 = await siweMsg('localhost', 1); - const bearer2 = await siweAuthTests.testLogin( + const token2 = await siweAuthTests.testLogin( siweStr2, await erc191sign(siweStr2, acc2), ); - await expect(siweAuthTests.testVerySecretMessage(bearer2)).to.be.reverted; + await expect(siweAuthTests.testVerySecretMessage(token2)).to.be.reverted; - // Same user, hijacked bearer from another contract/domain. + // Same user, hijacked token from another contract/domain. const siweAuthTests2 = await deploy('localhost2'); const siweStr3 = await siweMsg('localhost2', 0); - const bearer3 = await siweAuthTests2.testLogin( + const token3 = await siweAuthTests2.testLogin( siweStr3, await erc191sign(siweStr3, account), ); - await expect(siweAuthTests.testVerySecretMessage(bearer3)).to.be.reverted; + await expect(siweAuthTests.testVerySecretMessage(token3)).to.be.reverted; - // Expired bearer + // Expired token // on-chain block timestamps are integers representing seconds const expiration = new Date(Date.now() + 1000); const siweStr4 = await siweMsg('localhost', 0, expiration); - const bearer4 = await siweAuthTests.testLogin( + const token4 = await siweAuthTests.testLogin( siweStr4, await erc191sign(siweStr4, account), ); @@ -169,14 +169,14 @@ describe('Auth', function () { } }); }); - await expect(siweAuthTests.testVerySecretMessage(bearer4)).to.be.reverted; + await expect(siweAuthTests.testVerySecretMessage(token4)).to.be.reverted; - // Revoke bearer. - const bearer5 = await siweAuthTests.testLogin( + // Revoke token. + const token5 = await siweAuthTests.testLogin( siweStr, await erc191sign(siweStr, account), ); - await siweAuthTests.testRevokeBearer(ethers.keccak256(bearer5)); - await expect(siweAuthTests.testVerySecretMessage(bearer5)).to.be.reverted; + await siweAuthTests.testRevokeAuthToken(ethers.keccak256(token5)); + await expect(siweAuthTests.testVerySecretMessage(token5)).to.be.reverted; }); });