From 6978e35bf56a342eccc06b3c1b10b5a6fbb2c261 Mon Sep 17 00:00:00 2001
From: David Keeler <dkeeler@mozilla.com>
Date: Wed, 11 Mar 2015 11:11:22 -0700
Subject: [PATCH] bug 1138332 - re-allow overrides for certificates signed by
 non-CA certificates r=mmc

--HG--
extra : amend_source : 92a2dcf71daa6b31be0dcae628a13b13b0fc443a
---
 security/manager/ssl/src/NSSErrorsService.cpp |   1 +
 .../ssl/src/SSLServerCertVerification.cpp     |   2 ++
 .../ssl/tests/unit/test_cert_overrides.js     |  10 ++++++++--
 .../manager/ssl/tests/unit/tlsserver/cert9.db | Bin 294912 -> 294912 bytes
 .../unit/tlsserver/cmd/BadCertServer.cpp      |   1 +
 .../tests/unit/tlsserver/generate_certs.sh    |   2 ++
 .../manager/ssl/tests/unit/tlsserver/key4.db  | Bin 491520 -> 524288 bytes
 7 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/security/manager/ssl/src/NSSErrorsService.cpp b/security/manager/ssl/src/NSSErrorsService.cpp
index a4d689d1c83a..bc90c75dcb7c 100644
--- a/security/manager/ssl/src/NSSErrorsService.cpp
+++ b/security/manager/ssl/src/NSSErrorsService.cpp
@@ -151,6 +151,7 @@ ErrorIsOverridable(PRErrorCode code)
     case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE:
     case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE:
     case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
+    case SEC_ERROR_CA_CERT_INVALID:
     case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
     case SEC_ERROR_EXPIRED_CERTIFICATE:
     case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
diff --git a/security/manager/ssl/src/SSLServerCertVerification.cpp b/security/manager/ssl/src/SSLServerCertVerification.cpp
index c074da8ee4ed..7180437b98a6 100644
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -300,6 +300,7 @@ MapOverridableErrorToProbeValue(PRErrorCode errorCode)
   switch (errorCode)
   {
     case SEC_ERROR_UNKNOWN_ISSUER:                     return  2;
+    case SEC_ERROR_CA_CERT_INVALID:                    return  3;
     case SEC_ERROR_UNTRUSTED_ISSUER:                   return  4;
     case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:         return  5;
     case SEC_ERROR_UNTRUSTED_CERT:                     return  6;
@@ -370,6 +371,7 @@ DetermineCertOverrideErrors(CERTCertificate* cert, const char* hostName,
     case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
     case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
     case SEC_ERROR_UNKNOWN_ISSUER:
+    case SEC_ERROR_CA_CERT_INVALID:
     case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
     case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE:
     case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
diff --git a/security/manager/ssl/tests/unit/test_cert_overrides.js b/security/manager/ssl/tests/unit/test_cert_overrides.js
index 859a6e7486e4..2244c6299efc 100644
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@@ -53,7 +53,7 @@ function check_telemetry() {
                     .snapshot();
   do_check_eq(histogram.counts[ 0], 0);
   do_check_eq(histogram.counts[ 2], 7); // SEC_ERROR_UNKNOWN_ISSUER
-  do_check_eq(histogram.counts[ 3], 0); // SEC_ERROR_CA_CERT_INVALID
+  do_check_eq(histogram.counts[ 3], 1); // SEC_ERROR_CA_CERT_INVALID
   do_check_eq(histogram.counts[ 4], 0); // SEC_ERROR_UNTRUSTED_ISSUER
   do_check_eq(histogram.counts[ 5], 1); // SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE
   do_check_eq(histogram.counts[ 6], 0); // SEC_ERROR_UNTRUSTED_CERT
@@ -75,7 +75,7 @@ function check_telemetry() {
   do_check_eq(keySizeHistogram.counts[0], 0);
   do_check_eq(keySizeHistogram.counts[1], 0); // 0 successful verifications of 2048-bit keys
   do_check_eq(keySizeHistogram.counts[2], 4); // 4 successful verifications of 1024-bit keys
-  do_check_eq(keySizeHistogram.counts[3], 47); // 47 verification failures
+  do_check_eq(keySizeHistogram.counts[3], 49); // 49 verification failures
 
   run_next_test();
 }
@@ -194,6 +194,12 @@ function add_simple_tests() {
     run_next_test();
   });
 
+  // Due to compatibility issues, we allow overrides for certificates issued by
+  // certificates that are not valid CAs.
+  add_cert_override_test("end-entity-issued-by-non-CA.example.com",
+                         Ci.nsICertOverrideService.ERROR_UNTRUSTED,
+                         getXPCOMStatusFromNSS(SEC_ERROR_CA_CERT_INVALID));
+
   add_cert_override_test("inadequate-key-size-ee.example.com",
                          Ci.nsICertOverrideService.ERROR_UNTRUSTED,
                          getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE));
diff --git a/security/manager/ssl/tests/unit/tlsserver/cert9.db b/security/manager/ssl/tests/unit/tlsserver/cert9.db
index ec74aea2feb7457b07ebcf51214ccc859826e058..d39c77e9c3cbcecb7b229cbc36e9df5f56e77e88 100644
GIT binary patch
delta 1985
zcmb_d3p7+|9KVklGh}AUV?3fXv}SE(MnsQ|WQs&hC5Mu9vV_H&8S^k}2BktmbLaMA
ztw$-<5!u-`(VLagLkDSzP;4HR)Km_8FSXlt>U7$(-@V_x|L_05-~adB-}k%!E0^oZ
z<$4)YL90x&rJ&X6%>`pHA~}JOz<#o%R&qh|3pRKT&Qq~L$cLwL0il^%Ol_C|F(`Uw
z0Q%ON3Mk)NrT~IlGt`%x0fp+01Y{9mgm)Mv$-!^}?;)=pjgf<C1YRZP8<m5z@VsF$
zgc-0Kgi?lJGc5r9+ol3aA`CzPGJaL4`i4MbT^QlJBP1wbGT&X+F5D+$$j-=;<Dc=p
zk!a`~{3D-_XQcBMkIzA8!Yd)xG`1PbR15YY!20?ej)e!0CkWnZu|;eV85KEu=@LLm
zhV`IAz#l-~846W0ABvwuM?{f8oWJ-R(U|D2s3dNeR4pD6301~&NFO93qBK$DKfFAG
z(Hsp#W}*hL4HO(af#NFmj*9#Q1orfIBp4Bp5fU6=B_Io53p=DtDNPzET_#qD<AleB
znF3c?kL-p7688$20xBYhk52%i*hVC*n|MbP*dDU)E@2jNY0g(;DsSoR@ap122bF;G
zlMw`uSkBro*r+LmMsBy*=1M{>{}@%=$M$Ta04_>_J;6bQMA%CvQ?&e`I&ct&<$|;X
zzXYRLf&rDP2Vl(&eR={8*Ttn!zjo<b5GVvt-67cA7lPI&gShMc4){JEts5ieXGNd#
zm8xq)$QJ#15uI+Qa@2i;v$of|-zaq6xM!z!0$qp$*Z?Uj0RuM!9OrFYiE^2QP4h9h
zsh9@@fe%<_B|?X>PRxZN5W<(hqG)N`B)ccSq=4WgB7h6bTsF;!!ggTUvDs`V);tGC
ze<O<h`@_$vg_Q_0-p>mX0XPw)0hnJ0O2ih`a4pO?q}=?0wMOOA%vwH8xUe`qtF^=W
zLaJTx{Qe`d(crGK?0&l@PuGjq{VnM`?iChkO8d^GYD5Rg1I6d{SFJaE$uirzCLSqD
zoww+GhurbuDx;uoHGR;RXh~)0D!%u=u7(#^Sd4bI3C6VT=GG4r%l~{4ai2Z%vO+$$
z!_{=3c6ji;{m9y<b7(yo!#$6hN?nh0#k8&$%ZkJ4TNc!)YCS~Us8+SOIH*eHLpaGS
z$zNsrrrn%s7<;sy%(slt9Ev!(;mxAq+;r#=wdVD1C^0N&j;36CTF~j+7*nE1X$QJ@
zbz86ZX7Ab5s|s7usu!@PSxGB9Q)COgav4Tx#sot&vKNk&#hq(WB_)+j$$Xg6c{?y~
zcdCANZ-#n$fA4dzZQXwBvbQB&TK&xHyu*qE!i$bR&+_iLXw%+2_DJ2_#(7=G3FTBn
zaZ~cc7~B=1ab+e~(!9ONbC=UYFBMcsGQjzxfVt&;2Ax%X*2AHt(KK6~nW27g1o^?J
zGFBk*Rj{Ae5DReWj2D(~#|813Qt+|Q2uxxn7^1gQ;hErebjcH#E5ih6ilv2cz5C+;
z*zKb;K}-%<3_Cv~iZ9ZH?Ee?V7iq%zKZybaumk7P;9p#h|0q7-@?(Vwqw*b>xkq&_
zuYMvNSl-pRaA0vw1J~U@-6qeD70}Ls7$>_ccWxUsK`X2u<Y;kzA_bBdj@RQeW9j>M
zHd&-MIAvwpS(iw7*Lpk$TJs4hGUWyFS7*|giWi%Q8L^26oC1q?RYi+u`<3qgwGP#F
zv<R)pck^iD^+@wqcT1egJSR`0=q=Onx)W63_4SqJ@`0+%<OZUxO+(VAW8bcMG*X2W
z9^sf;X^iM1Nko}!Eb+;7!{inqT2k${@zCDB4acsEC%-aTa3b1|F>?2&vS{JiA-VDI
z)$RwU_cpP740K%j!c?yU6ZTj(3Vo<QhuBAj7}STf6<)e|pk{~Yx2{$&sFs;!JHe&u
JqBg-f_AhJy8)N_g

delta 281
zcmZo@5Nc=;njp<6F;T{uQDS4llK;#TtFBCCXM8*L52G1V)xGTojEpsv(*qcpbhclq
zVl-f7o>=^5I(q|S_Vls_#-8bHjf^@>RXW=Z8X0qnK*~b4zxm84!NWYUq-`oYQ!G#Y
zgYwDsO7&an+v+||En(Wt+*Z=I-I0-ry%?lAaC+VkCXVfWB}`@9A`>g-F;quYYFGTP
zxLL8Gx})Z7<)7_R4NSs}%=0Q*A)2-WHD$6ubS?YA6vxgyu{35XJ9Df|`LFVaH5xVi
zHSslWl~XFK%U6|8tbb8|zKW^x<<t)5RZLY!fu3Q$0k$_{drT?wiY{h%&Vy6gS^8Pn
S?y#|gEKuj%evp&Jz6=0U3~BQK

diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
index af0ae5c6804d..38e112b0a783 100644
--- a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
+++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp
@@ -67,6 +67,7 @@ const BadCertHost sBadCertHosts[] =
   { "nsCertTypeCriticalWithExtKeyUsage.example.com", "nsCertTypeCriticalWithExtKeyUsage" },
   { "nsCertTypeCritical.example.com", "nsCertTypeCritical" },
   { "end-entity-issued-by-v1-cert.example.com", "eeIssuedByV1Cert" },
+  { "end-entity-issued-by-non-CA.example.com", "eeIssuedByNonCA" },
   { "inadequate-key-size-ee.example.com", "inadequateKeySizeEE" },
   { "badSubjectAltNames.example.com", "badSubjectAltNames" },
   { nullptr, nullptr }
diff --git a/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh b/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
index 5aa6f9334256..f294d00abd58 100755
--- a/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
+++ b/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
@@ -334,6 +334,8 @@ make_V1 v1Cert 'CN=V1 Cert' testCA
 export_cert v1Cert v1Cert.der
 make_EE eeIssuedByV1Cert 'CN=EE Issued by V1 Cert' v1Cert "localhost,*.example.com"
 
+make_EE eeIssuedByNonCA 'CN=EE Issued by non-CA' localhostAndExampleCom "localhost,*.example.com"
+
 # Make a valid EE using testINT to test OneCRL revocation of testINT
 make_EE eeIssuedByIntermediate 'CN=EE issued by intermediate' testINT "localhost"
 export_cert eeIssuedByIntermediate test-int-ee.der
diff --git a/security/manager/ssl/tests/unit/tlsserver/key4.db b/security/manager/ssl/tests/unit/tlsserver/key4.db
index f55f815b03604479e6f66e1eb3d23f8730053186..f2736aeaf8b674f72163007f7aed6aeef5aeb23c 100644
GIT binary patch
delta 6951
zcmchbbzGDE`p1_H5Q!;+2bETk4jCa*(j5v?qq_v8g^dzKLUNQ!NrMPZa)2OV04gQj
zpp+<rfW&XO=bXpm;qiC=IIlBc+w1;Z+xv4}<Nkbie=!(F42JpcDJU%f0HBU%mIl&3
zHqSc%iw41yVL*NGsUSGc1XvjeCj~=*tjFPhh#o#+>1rKBR<j2ICxL{@RV)kxbb<t}
z2d!4oV0?qfAz%Pd^zaT@y|oXdIIK}ghJgqrIzcLglHNdS7#I$G2rv@;^ATBX7z8T$
z&kGTv{yBh~LP6((q;Kxr1o+pZKLqml=im_FNPi)E@CD$7xeCrg9V+QIkH)v;;Tp3y
zK<O!>hXNaq@uz{UO3?1RVg4+Cd$!U2qzPnopFdatN(n}<5~cv4M(?1%q7QqSKqDx_
zR0)TUg~AB;<iYaf000OjB7=iLzJb_9?~4W@8<F=#rI7ogC{ae_I8p}5EMhJqBQhzH
zg#?H+i(snvK@e9Uspyz!BNB}?uXct&3I(vcqLAZgAt3>4K_NjaGb<YrVWhB#I0(fA
zmIZk_*b$C++%Wr97Xz98PPY^Rnfy){u>=|atfPMgSY7}b{ao;?E@A;P{GE;z09`vu
zw=fepya@^kfee1q(f{o5p9KOSeMYeKj|n*0`2B+~{@3fT{!SJEUHR$l3GXgwWo;#F
zZSmK9^?ud~{r^%R2Gaex;8&e6V4dITgaK>+PAAM)>nHuN|6dGPfHZ$9_&1#}V2z`6
zvA+hS{##uDr1sYU#Rvl?@<so8z3N~3zsmw3mBY8k>V%QdN6?Ew2!GIOdNGn^C2%XS
zvKodV2?atx2EfWh8VoyqFiV&!R5}C>IQ)nH@o^Gq*tc|0Ugmg5e??#|+l#yaJC6}l
zlE?ZNzSb=-EUFvX>}J2TXXd~LheDXeI8Cdy5)P&UTkc%5Oa#xPH>V3tGz;BcLBF5M
zv!VW0PhhAV$;gHi7?(4mR_ZT{LrtR?rUqwcKEHPgRn9P70T|(x6{7so&i`OAJ1;dw
zZz^!4#Am3lm2-%E<71wD)8nRA<=~@irC!I`SiKuULK;X8c4h(uT=Fb;W+DUwjWalo
zLKG{Dg`TAjqX59e0U<a4@q^WAfhwR0M*)X<Nr(+F@G$BKPXL66qk;)|csmpczrF2_
z26nhJ(;QpXGVcYH7=135#3qbQaWvl%vJqd&-?y2qy0;=Us3!M}V`VrteB@!_R^@X2
zoh{#V($y0D2`zovZvv;Sb<sh|g?EsW_$iF&ycV6sTo>Y#0hEoBl_JSS^HmpEs)2cb
zX58z5Oh~wU1BzSRbe<60{nmgHo|0ooBy+MENln)K%t!U%?#73O!AiMe9Y3nsO~n!?
zghXfcOBG)ox3Mn25{stltB^9zid-%J?~`XJX}t@&NpG+@Z)G@_8Owf`+{lUrWl(nR
z+y;d>-sjuG-F)mdV=&-RkrXuvn2Vg_(AN}<L4B-tR2_qx>b_5*s(Mn$57?I300Mvl
zAwVQnrwDoy?KBeg7FspLhoG3ZrsM-Bgpa0xfIvtHkW?71k_jKka)j-LtCD`lsovPP
zZuO5(>BemZn-1$B$u@+BQm^rm$*p0+zJ@>D6q3E`T<ZV{R2L^@ugXz^DC#Qj>3J~Y
zFTZFk&}hrD{v(^aWSr(fp@C;uKW?>k>YYRIv~W9mJaJ?tCENGB+I-NWcPC7xYB#o-
zA(J&7c_pIfG+<9rq{a=nZ0nlyTrN|^dEeeWB9`~e@?AEHp<6YR*JXmnzwXinZ8WS!
zzy7j6H2p;7LRvmcgKeI{<L4P`L-I4)xu2&(`BEiD*ELioBx22vtFxpyb$X>3G`b*)
z#7_7`v#Vhla|Cg;K2X(`ey`$-xIp<6WgK&ybq9=N!%IG&?rc;&Wy9*ULJ{Z@Xf&OB
z!60j-kpPwAyDqX1Pt>0sjw(1(>2*(2kT`$opv&4dwfDC)FX6PeB!onV{3h@h^zh#|
z5Y6X`RIoEsSI3qk1Oe`!wC0Tbc}!RD=8x$)u`QHj2c&gp@I<`ASL+R4bsh??Ad6K{
z_xcilS|veuxv1rA%pA~{eV5HWp~X#@nSCcL*e=hw%_#IW#13)Hc#ef*y*&?RsWb{!
zy-GCda?**(g*(4<GZsEbk^5OS^jia-Xtab5v@MzHSyiiZJ955zc|$FUx9?y%kCIkc
z?vD}|?>oM8E_?Z-GrVt>NKST$4nAg+cvm*U!>N4n3za6-c6nR(w7`US)HyqTT#LV+
zHN9dzQ>CcR_nFt}IDJOhv7yWRd#q+2Y#GnS?;%#RDD9ZS*21fvo)mAWsd2l?3%@7M
zGC81;?3i}{3el)?_UrBX!qm?i%8vY}rF>+IJGE_zMz3#cHI@(X*csV07~k1@sdOFR
z!bZx=b$drwAd>U|#Lu$%Eh0wM=C0G?y=cE#b}FAlk@lC_FNb|Z<M5V@+Ih43g8D^W
zg?<d<_k3?<T6V7tQ>#n5@YuynH%W3^+?1wJtH*M&`F3&N+1#10O+Iys`n^Ej0{D>#
z2_mzlxyOcEGO105?`ictqEYFNcy>OzZ$TdIPxvQgYw{3D=QfB&J2n#AA5})%OS(Yc
z?m=)bR?pIty24He+RjctUQ+(Pc)V!)xcGe}5~}bKauJ|>1uX-xJCEs=9C$Os`Tk`{
z@?D(?O7!uC4f*1@K6!2E6j|ztr4HXdv#kVH?IFQyBlYHsMKf&A$b@saNS|ig;isu3
z74u5xTIYwY)2&uB5ZBaT_wA*c5|0y&Qp((Sa;g<kt08Gtvh^Mdq4&EQLNv;@{5nJX
zdA)VU-J;#=`3u%$P@~SZwZ}Q!t+WMai*upD$Lsv#$5Kh#adyvI6h(OUzk_N|8VS`m
zWy0tMLK%yvA2p<{vW`V(_dey+_fx0`szg^}TwN{S9qYL2pmxC2vf5tJil#j9WADEy
zCWfvKYzHEw3O_vZcA;v`LQ$DmV&k@%Qy<c^0s#OZ@V^wozh*G{e;mTUW-#x69>Q@H
z$p3G3JG=<^b#*)H+x5?@TUG&itM;1Ds?zMh#Z{@!UL9qlSgsr)0n<qZ5Np|7V}!&0
zAJ_(t>H8!K4`606R?$~M@!p8kh(YGqUa^FDA&v@v&-M>$=+&`YNK{I*-?=BzoJpJJ
z8?4?TX<}w2kxkeAcnvFW*SyA3h%(zZ<jSjzdw#f?t3Bs0R;5OL>^NMJT%*q-PviXa
z_qf%j_*=bDey-k7RM92fh25s)hxrN&>|1mQUw`K+^g+lP6YZ^Gz;*u)d6SH|W#ghY
zKkDs2BucLvvdZoby-6voUB}SB=ul2)`Zy?X^(48>vSanOS#S*7fX`LRY`Y6?b|<^-
z#viu4N$U*vt(zSKTD;^;;QwiLJAtknqE?n%@WgjMfqj#M*vx`8D3uP+2g369<W!rK
z;~f^JAT>2t2BS4^TuHl_PEef<TY=`<JjNoql(dgR;8Vz(9G{^r*<x}2^tQS_86>+C
zYPH(7YvViC{FHxwq((1wHP%-slxA2s?~^0<)BN|k3DRbYE{t%`%cKF>XqIya6ILtB
zQY?Nu$6#|WTLB?D0r9rtzNH_1?7sxL4rA0u%2Tq^&0)=TxBO{~PewByC@m#pBCG{_
z7FGL6bU_0dChzk@GO3oxvRdS0a6_ePZZ&Wpg|JGqz*ntjaa&Cs3kA}CR1@7>+}25z
zA64T&!!Nu;nT{EFz_P+t&Zaz#d2fkoR?8K0^=7(sQBSSNyUsL9I(LC)>xT4eTw2Hc
z311CjbUcZhnO3Xpx?#44Xtx;m-or(#82%X@BUvZ=cP|Sdzm21WwD0Pn*BN{E%LrC1
z2IGy!l%umlxX5_x;7-^SZ!1)NrycNm;A)Y`a*Vk!@<!vCb31V=RQ*=Z$eotzj=eGI
ztvCboi{~4A_S6fps2nkZZ(P2ygV#4>BSqNQNRw=NMQ5JXa_XuHzxKKtiPc^jnTUO|
zo1@aZKrPQjG%9E%C%^b~p>q@!-vPIH0KF%1iGpYpZ2o}$>qg|m*T=9uQD4rGMMg}c
zuN0eqw-SU(T75+A_3)tZ?nSjhwE?HJF^)O|+~2a58U|WYG(rbiCK{J($y{YeWEnm;
ze)$~Yks3OhgrRsrsVp152*1#cxpJ3Q7GNDrH^C-&iw}#FtFsH^-1XIT$w6f@@&>-U
z<gsDJ%+8@F75_>?HJfNOz_dkHW2Oa_tT!Z;mB#IaGM+~gjn={kxz2-^3*Kc^59HI#
zms$%_$F(eb#um?M6fu}ktrpo?wTk$LG|DZJNXa93Icey)i=YWYxfb0H71`-YiY8$n
zK9YVZsrukq`gt`5wKK(>>U&&v)R5yA0%@KJ!M}3kq;F=UNzz+>kW(o#3wN_suexlT
z9uK2-TpQtmhH89SZ^|>f*fvfyTJR<=;!8rb`WbQ%K3jO+Wmmd0ooEz3ijaw+uoY~r
z%VK3%*XHn~5#P>~G8A5-ggMY4uby`?eC7IF4sjC?d}gpWHM6~!e2t=XXfPb%CLJ?w
zkP$NB)EPnJ1c*h%HB6_@IV)Fs^B)T?eyg*ggz98GmkBRR)WAGpyFHZKvvmH2^?BRr
zGiTk&yazencAiug{|>%EV_j%58f)?>hiJ4h5N{FbzZN0DZB{z_Oz8@=eRqy%ba1T5
z2<4AZy|yWm`SqISaKME9t9>VuiuKz5!AW(?MroesB456E)Rhm3l~V~RL$qfeaCAMP
zzU_KP##hxd9l9EEZaWHJ(x~#PcyU`U@=>36&9*5jh;q}?f}>r7J5`MA)Aj+H`QGjB
zmut#t=C^L&+}49L-M$PYZ$8d@;TfWlOm<V>{{h>vAIsZ+DTRLxVf6nvg?|lU-v2y>
zZ_9`rE^k5AjR7z@h`@2eI(E{N9Dp_odJ;q#Xn(Wi=IH=$|2O_ze&N28z7jr3-mBiq
zUO6{*Z|Hkgc#;#Y0Eayof?2~*P}x5(aQ|h;2K)9ggol~BtwL&2KO4YOi_5YQTX2Z#
zT+wE8<xLt&qJ?Z$)VBV({FLwv0~=fRxxH3NGY<`m30dyI7k_Me&7kaFKA`zg!7YJ6
zG5s4#Rx^PzAruP%y!eCBu}@OUYc$HptZ42`S%HPa#XFDi!rv2Xe^A5?<JLCp6m;^q
zDHphzR-xl8#+r(2WX;R(9XeZ|2a%HyC?-czu-OSDyv*)pDEo{3*y-7n#W)E#GGa&}
zWV^I&8s_3^m0@@ds7h=_e#NKlc7kGmgo2btd5s=k%OjYiTb(O>fBe~3z_|P)0>t=8
zh!wWEiqHxu($`d0!h4Q>q;;hd>_1iZ?O;;r!{SIockpTT#sQH(2L>~-M_FD>`#hA&
z@gUY!c;nQEeI8TRcbEL`3))7~(-J5~e?!TFL3x-<Pe0GSAL{Exm*DN~-WyQ!!lI<j
z9Vc^FFFX*C6GvuG9N4!us?RdeHaWvunLt_)-pITHLw=?bV?-v!@TQb2Du6&SJd%QC
zY=H1GmFmxXJQCpCacG1Ei~-NStdf6`91C{syw<-PA(=0O)e(lWNYKSj**1yneF7gZ
z({h{AtEqJS(DXUX{rg3g7VY7JQ(p;;YezDyu)({B^HNyeYkOLoXujcK_Bo~>wXwS@
zwrMKZKW`#SzLj%Fm)Oa`@r6ClmvNn6?%kf8cXHw4WyAI92YCu3;|;SHO1u0C6oVrv
z*w2iFO%ygmV+o!z<P+GYN7XmY9f$6d9T@XwyO!>Yw~Am7pYahP>1KY+PG_dSFoYXX
zGhMq;_Bz#5(rQ){0BL+0ljV?e*oywq5Lq_@q&gI$*I7tf@^t~0dOD1@4=B1Tcb-M}
z6JTNN-dV;D@*fbf+1f-)wRuvgJ4+XHA#c;(>BI?(75}FpK7GCn#RZAOgx#R4|GFDQ
z++oE&ZiMhMcMNyr;%i*rIShZ&IQ@)W_<0PF{6U6MMruXz`tV9qA(63(?X#wKW%raA
zQTrqumQ58gyu<FP4Uqg}PvjBn<hTuiapg$H6f>cZ6E71<$e7ClH$x*Q%EEbSPhe15
zre6h0=A6R<6{&>`e=sCaO|>)bCz0;k43&<TIgD9`i(Y#zzrUN>7Rk%4wp4P7Ff6@a
zhV|!0Au(9ilbnr(ByU6;KS|Hy$3N~D@H8^nKd^Ao!eaw1x;8tA6k(o;-Ocp5Sx4yx
zlvBl5!A<9Q6N5)6>Y5$2VvUuSFM*=_H<Ta25>`OL>-OL#a-k39lC~N}&MLP#lr2%Q
zh}0qbKwW-9_y<Ki+BIGJdqPZb(poFv%e}6!f{gt*jis@G4YJI%%k%1V1d7g)6s$!U
zAy^)h+EX}=&R)5`exC4!mRY~&a#v>+r_A$Rqj$XP<~7^IR=94>imDa!F~rBt172v0
zW&kqG`r*mXW2#Img=-lffCv!nBOw;VU~#3lRBG4y+D}nJb*7!U=lS0IHzmHF9yZ!?
zUqwq&T6c+*uig4BCu~O~=!doPfP4=3_Aa57X85)9F%Zn$lBu3Pfui*{lpn!zY0k^G
zXJ-wz_^1T85Sjzdy9`|owvd8ZoP9o!A@mqQq);uptDkySdhv1ZN6JqEGEYmjIF41;
zuXFht<DAI1Go%R=&A*{AH4sjE66+SJ6$1tGi3=Jhs2Ia!W}Gj~Q?Tm39A3L`Pi5d<
zN&Hx{F#SDQ{Om0(TFsb@+bY`QTEi{tTc#9MBP>IS3Bq{<ipG%?tn32eTzOGNXX7P2
zoI#UXelEsCKgL1##Y7fs&%;3cSu5n--BBV$J<!#!Ilb3=@=-G0xb9Y+^kgbMN8ktP
zo(_X{FH-h%1c>_4kjK=7lf|Ra{vDDkphe#(-hZvF${{+hoQ*CKImdBR?NN(kB$@~j
zqvdCC{HVLrZl*X>?8UTh=A*zjhf=FGJ(m9vZkS$2fT$e}VX-Gb%(^sVLq;>Q7)mr}
z_v^FP4UH%<F=iygsd@d%dri87KOoE`$@#M^&@puG`tz$~<>4&`JD~oRE^RFzOS<~<
I^#=z32kX_`wg3PC

delta 267
zcmZo@P-tk7n;^}~&A`CGKT*M+k$YpplK;%6bt+TY8N;?FGH$G$tk58~U8Rok0V7cO
z$8`1v#_Y|44Q+MXfBa+Q0f|LUWoH5jJ+Iv!S;w>*n~;!c)fI*sqdK)Z`<h=h4D~N+
zb+$?|cT@q*HrsxsirIjbhpGMx&<zZH^}p)BfDEe_;BICI3UD>La4|42d6@s%%Fgng
zX}c0LOCIC)87wR-3^pq?ykMH{V9LTfJ*tI`zg@zD1&CR<OIWbIac4fr^k+MJ16wmA
p(6l1P?SGosIBMA#t8E#oZGj@j)y$m^rqdm#v(|0jSIzFk0s!PkT5bRU