bouncycastle-tls-1.78.1-150200.3.29.1<>,3f3`p9|@|v/ճtwxUٙbn%ѳ, -5ˀCC09!f? 0J?M g>R]EK~\n#hm6|TIF^^K)NW]!Osn</vKDӪ'mW_P9|NTUQ0p-j,8 0a|8lvs_RWUѐx`tt,-(7+L;ww:#rT)uX9>>?d ( U +HNXl v    $(('80"9": 5"FGHIXYP\]^bcDdefluvwxyz,<@FCbouncycastle-tls1.78.1150200.3.29.1Bouncy Castle JSSE provider and TLS/DTLS APIThe Bouncy Castle Java APIs for TLS and DTLS, including a provider for the JSSE.f3`h01-ch2dSUSE Linux Enterprise 15SUSE LLC MIThttps://www.suse.com/Development/Libraries/Javahttps://www.bouncycastle.orglinuxnoarch >NA큤f3Rf3Uf3,f3Rf3R426dbb4e38d9a0bd0df4bdabdb7b44fae72ed0e64f9c8905c15171244bc03156edbbb10380b1271998b867a2e36b1cbee226e03d438726e1a91f80c5dde118498908feff3fc6c6bdc7a063b26c8178d4cfaafbedf090ef2409f5cbeedd953171cb1e42cedfb0b28c2e454a0f65cb3d03fd003e5ef081139a743c074718f2a3e5rootrootrootrootrootrootrootrootrootrootbouncycastle-1.78.1-150200.3.29.1.src.rpmbouncycastle-tlsmvn(org.bouncycastle:bctls-jdk15)mvn(org.bouncycastle:bctls-jdk15:pom:)mvn(org.bouncycastle:bctls-jdk15on)mvn(org.bouncycastle:bctls-jdk15on:pom:)mvn(org.bouncycastle:bctls-jdk15to18)mvn(org.bouncycastle:bctls-jdk15to18:pom:)mvn(org.bouncycastle:bctls-jdk16)mvn(org.bouncycastle:bctls-jdk16:pom:)mvn(org.bouncycastle:bctls-jdk18)mvn(org.bouncycastle:bctls-jdk18:pom:)mvn(org.bouncycastle:bctls-jdk18on)mvn(org.bouncycastle:bctls-jdk18on:pom:)osgi(bctls)@@@@    java-headlessjavapackages-filesystemmvn(org.bouncycastle:bcprov-jdk18on)mvn(org.bouncycastle:bcutil-jdk18on)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)1.78.11.78.13.0.4-14.6.0-14.0-15.2-14.14.1f/f/em@e/dC@dGcObbbDF@b4t@b3"`@`__@_ @^l@^{G]µ]@]@]@]@[P}@[d@ZYY4Y@VU@V*!@U hT!Tfstrba@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.comshvetz.anton@gmail.comfstrba@suse.comfstrba@suse.comfstrba@suse.comfstrba@suse.compmonreal@suse.comfstrba@suse.compmonreal@suse.compmonreal@suse.compmonrealgonzalez@suse.comfstrba@suse.compmonrealgonzalez@suse.compmonrealgonzalez@suse.compmonrealgonzalez@suse.compmonrealgonzalez@suse.comfstrba@suse.comtchvatal@suse.comabergmann@suse.comfstrba@suse.comfstrba@suse.comfstrba@suse.compcervinka@suse.comtchvatal@suse.comtchvatal@suse.comtchvatal@suse.comtchvatal@suse.comtchvatal@suse.com- Update to version 1.78.1 * Defects Fixed: - The new dependency of the the PGP API on the bcutil jar was missing from the module jar, the OSGi manifest, and the Maven POM. This has been fixed. - Missing exports and duplicate imports have been added/removed from the OSGi manifests. - The OSGi manifests now have the same bundle IDs as 1.77 and lock down dependencies to the equivalent variations - A check in the X.509 Extensions class preventing the parsing of empty extensions has been removed.- Update to version 1.78: [bsc#1223252, CVE-2024-30171] * Security Advisories. - CVE-2024-29857: Importing an EC certificate with specially crafted F2m parameters can cause high CPU usage during parameter evaluation. - CVE-2024-30171: Possible timing based leakage in RSA based handshakes due to exception processing eliminated. - CVE-2024-30172: Crafted signature and public key can be used to trigger an infinite loop in the Ed25519 verification code. - CVE-2024-301XX: When endpoint identification is enabled in the BCJSSE and an SSL socket is not created with an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address. This has been fixed. * Defects Fixed: - Issues with a dangling weak reference causing intermittent NullPointerExceptions in the OcspCache have been fixed. - Issues with non-constant time RSA operations in TLS handshakes. - Issue with Ed25519, Ed448 signature verification causing intermittent infinite loop have been fixed. - Issues with non-constant time ML-KEM implementation ("Kyber Slash"). - Align ML-KEM input validation with FIPS 203 IPD requirements. - Make PEM parsing more forgiving of whitespace to align with RFC 7468. - Fix CCM length checks with large nonce sizes (n=12, n=13). - EAC: Fixed the CertificateBody ASN.1 type to support an optional Certification Authority Reference in a Certificate Request. - ASN.1: ObjectIdentifier (also Relative OID) parsing has been optimized and the contents octets for both types are now limited to 4096 bytes. - BCJSSE: Fixed a missing null check on the result of PrivateKey.getEncoded(), which could cause issues for HSM RSA keys. - BCJSSE: When endpoint identification is enabled and an SSL socket is not created with an explicit hostname (as happens with HttpsURLConnection), hostname verification could be performed against a DNS-resolved IP address. - The missing module import of java.logging to the provider module has been added. - GOST ASN.1 public key alg parameters are now compliant with RFC 9215. - An off-by-one error in the encoding for EccP256CurvePoint for ITS. - PEM Parser now enforces PEM headers to start at the beginning of the line to be meaningful. * Additional Features and Functionality. - An implementation of MLS (RFC 9420 - The Messaging Layer Security Protocol) has been added as a new module. - NTRU now supports NTRU-HPS4096-1229 and NTRU-HRSS-1373. - Improvements to PGP support, including Camellia key wrapping and Curve25519, Curve448 key types (including XDH with HKDF). - Added initial support for ML-KEM in TLS. - Added XWing hybrid KEM construction (X25519 + ML-KEM-768). - Introduced initial KEMSpi support (NTRU, SNTRU Prime) for JDK 21+. - Introduced initial composite signature support for X509 Certificates. - PKCS#12 now supports PKCS12-AES256-AES128, PKCS12-AES256-AES128-GCM, PKCS12-DEF-AES256-AES128, and PKCS12-DEF-AES256-AES128-GCM. - The default type for the KeyStore.getInstance("PKCS12", "BC") can now be set using the org.bouncycastle.pkcs12.default system/security property. - The PGP SExpParser will now handle Ed25519 and Ed448 keys. - Dilithium and Kyber key encoding updated to latest Draft RFCs (draft-ietf-lamps-dilithium-certificates and draft-ietf-lamps-kyber-certificates) - Support has been added for encryption key derivation using HKDF in CMS, see draft-housley-lamps-cms-cek-hkdf-sha256. - X500Name now recognises jurisdiction{C,ST,L} DNs. - CertPathValidationContext and CertificatePoliciesValidation now include implementations of Memoable. - The Composite post-quantum signatures implementation has been updated to the latest draft draft-ounsworth-pq-composite-sigs. * Full release notes: bouncycastle.org/releasenotes.html#r1rv78 * Rebase bouncycastle-notests.patch- Update to version 1.77: * Defects Fixed: - Using an unescaped '=' in an X.500 RDN would result in the RDN being truncated silently. The issue is now detected and an exception is thrown. - asn1.eac.CertificateBody was returning certificateEffectiveDate from getCertificateExpirationDate(). This has been fixed to return certificateExpirationDate. - DTLS: Fixed retransmission in response to re-receipt of an aggregated ChangeCipherSpec. - (D)TLS: Fixed compliance for supported_groups extension. Server will no longer negotiate an EC cipher suite using a default curve when the ClientHello includes the supported_groups extension but it contains no curves in common with the server. Similarly, a DH cipher suite will not be negotiated when the ClientHello includes supported_groups, containing at least one FFDHE group, but none in common with the server. - IllegalStateException was being thrown by Ed25519/Ed448 SignatureSpi. - TLS: class annotation issues that could occur between the BC provider and the TLS API for the GCMParameterSpec class when the jars were loaded on the boot class path have been addressed. - Attempt to create an ASN.1 OID from a zero length byte array is now caught at construction time. - Attempt to create an X.509 extension block which is empty will now be blocked cause an exception. - IES implementation will now accept a null ParameterSpec if no nonce is needed. - An internal method in Arrays was failing to construct its failure message correctly on an error. - HSSKeyPublicParameters.generateLMSContext() would fail for a unit depth key. * Additional Features and Functionality: - BCJSSE: Added org.bouncycastle.jsse.client.omitSigAlgsCertExtension and org.bouncycastle.jsse.server.omitSigAlgsCertExtension boolean system properties to control (for client and server resp.) whether the signature_algorithms_cert extension should be omitted if it would be identical to signature_algorithms. Defaults to true, the historical behaviour. - The low-level HPKE API now allows the sender to specify an ephemeral key pair. - Support has been added for the delta-certificate requests in line with the current Chameleon Cert draft from the IETF. - Some accommodation has been added for historical systems to accommodate variations in the SHA-1 digest OID for CMS SignedData. - TLS: the TLS API will now try "RSAwithDigestAndMFG1" as well as the newer RSAPSS algorithm names when used with the JCA. - TLS: RSA key exchange cipher suites are now disabled by default. - Support has been added for PKCS#10 requests to allow certificates using the altSignature/altPublicKey extensions. * Notes: - Kyber and Dilithium have been updated according to the latest draft of the standard. Dilithium-AES and Kyber-AES have now been removed. Kyber now produces 256 bit secrets for all parameter sets (in line with the draft standard). - NTRU has been updated to produce 256 bit secrets in line with Kyber. - SPHINCS+ can now be used to generate certificates in line with those used by (Open Quantum Safe) OQS. - Falcon object idenitifiers are now in line with OQS as well. - PQC CMS SignedData now defaults to SHA-256 for signed attributes rather than SHAKE-256. This is also a compatibility change, but may change further again as the IETF standard for CMS is updated.- Update to version 1.76: * Defects Fixed: - Service allocation in the provider could fail due to the lack of a permission block. This has been fixed. - JceKeyFingerPrintCalculator has been generalised for different providers by using "SHA-256" for the algorithm string. - BCJSSE: Fixed a regression in 1.74 (NullPointerException) that prevents a BCJSSE server from negotiating TLSv1.1 or earlier. - DTLS: Fixed server support for client_certificate_type extension. - Cipher.unwrap() for HQC could fail due to a miscalculation of the length of the KEM packet. This has been fixed. - There was exposure to a Java 7 method in the Java 5 to Java 8 BCTLS jar which could cause issues with some TLS 1.2 cipher suites running on older JVMs. This is now fixed. * Additional Features and Functionality: - BCJSSE: Following OpenJDK, finalizers have been removed from SSLSocket subclasses. Applications should close sockets and not rely on garbage collection. - BCJSSE: Added support for boolean system property "jdk.tls.client.useCompatibilityMode" (default "true"). - DTLS: Added server support for session resumption. - JcaPKCS10CertificationRequest will now work with EC on the OpenJDK provider. - TimeStamp generation now supports the SHA3 algorithm set. - The SPHINCS+ simple parameters are now fully supported in the BCPQC provider. - Kyber, Classic McEliece, HQC, and Bike now supported by the CRMF/CMS/CMP APIs. - Builder classes have been add for PGP ASCII Armored streams allowing CRCs and versions to now be optional. - An UnknownPacket type has been added to the PGP APIs to allow for forwards compatibility with upcoming revisions to the standard. * Rebase patch bouncycastle-notests.patch - Update to version 1.75: * Defects Fixed: - Several Java 8 method calls were accidentally introduced in the Java 5 to Java 8 build. The affected classes have been refactored to remove this. - (D)TLS: renegotiation after resumption now fixed to avoid breaking connection. * Notes: - The ASN.1 core package has had some dead and retired methods cleaned up and removed.- Update to version 1.74: [bsc#1212508, CVE-2023-33201] * Defects Fixed: - AsconEngine: Fixed a buffering bug when decrypting across multiple processBytes calls (ascon128a unaffected). - Context based sanity checking on PGP signatures has been added. - The ParallelHash clone constructor was not copying all fields. - The maximimum number of blocks for CTR/SIC modes was 1 block less than it should have been. * Additional Features and Functionality: - The PGP API now supports wildcard key IDs for public key based data encryption. - LMS now supports SHA256/192, SHAKE256/192, and SHAKE256/256 (the additional SP 8000-208 parameter sets). - The PGP API now supports V5 and V6 AEAD encryption for encrypted data packets. - The PGP examples have been updated to reflect key size and algorithm changes that have occurred since they were first written (10+ years...). - (D)TLS: A new callback 'TlsPeer.notifyConnectionClosed' will be called when the connection is closed (including by failure). - BCJSSE: Improved logging of connection events and include unique IDs in connection-specific log messages. - BCJSSE: Server now logs the offered cipher suites when it fails to select one. - BCJSSE: Added support for SSLParameters namedGroups and signatureSchemes properties (can also be used via BCJSSE extension API in earlier Java versions). - DTLS: The initial handshake re-send time is now configurable by overriding 'TlsPeer.getHandshakeResendTimeMillis'. - DTLS: Added support for connection IDs per RFC 9146. - DTLS: Performance of DTLSVerifier has been improved so that it can reasonably be used for all incoming packets. - Initial support has been added for A Mechanism for Encoding Differences in Paired Certificates. - The PGP API now supports parsing, encoding, and fingerprinting of V6 EC/EdEC keys. - A thread safe verifier API has been added to the PGP API to support multi-threaded verification of certifications on keys and user IDs. - The number of keys/sub-keys in a PGPKeyRing can now be found by calling PGPKeyRing.size(). - The PQC algorithms LMS/HSS, SPHINCS+, Dilithium, Falcon, and NTRU are now supported directly by the BC provider. * Notes: - The now defunct PQC SIKE algorithm has been removed, this has also meant the removal of its resource files so the provider is now quite a bit smaller. - As a precaution, HC128 now enforces a 128 bit IV, previous behaviour for shorter IVs can be supported where required by padding the IV to the 128 bits with zero. - PGP encrypted data generation now uses integrity protection by default. Previous behaviour for encrypted data can be supported where required by calling PGPDataEncryptorBuilder.setWithIntegrityPacket(false) when data encryption is set up. - There are now additional sanity checks in place to prevent accidental mis-use of PGPSignature objects. If this change causes any issues, you might want to check what your code is up to as there is probably a bug. * Security Advisories: - CVE-2023-33201: this release fixes an issue with the X509LDAPCertStoreSpi where a specially crafted certificate subject could be used to try and extract extra information out of an LDAP server with wild-card matthing enabled. * Rebase bouncycastle-javadoc.patch * Add bouncycastle-notests.patch- Update to version 1.73: [jsc#PED-3756] * Defects Fixed: - BCJSSE: Instantiating a JSSE provider in some contexts could cause an AccessControl exception. - The EC key pair generator can generate out of range private keys when used with SM2. A specific SM2KeyPairGenerator has been added to the low-level API and is used by KeyPairGenerator.getInstance("SM2", "BC"). The SM2 signer has been updated to check for out of range keys as well.. - The attached signature type byte was still present in Falcon signatures as well as the detached signature byte. - There was an off-by-one error in engineGetOutputSize() for ECIES. - The method for invoking read() internally in BCPGInputStream could result in inconsistent behaviour if the class was extended. - Fixed a rounding issue with FF1 Format Preserving Encryption algorithm for certain radices. - Fixed RFC3394WrapEngine handling of 64 bit keys. - Internal buffer for blake2sp was too small and could result in an ArrayIndexOutOfBoundsException. - JCA PSS Signatures using SHAKE128 and SHAKE256 now support encoding of algorithm parameters. - PKCS10CertificationRequest now checks for empty extension parameters. - Parsing errors in the processing of PGP Armored Data now throw an explicit exception ArmoredInputException. - PGP AEAD streams could occassionally be truncated. - The ESTService class now supports processing of chunked HTTP data. - A constructed ASN.1 OCTET STRING with a single member would sometimes be re-encoded as a definite-length OCTET STRING. The encoding has been adjusted to preserve the BER status of the object. - PKIXCertPathReviewer could fail if the trust anchor was also included in the certificate store being used for path analysis. - UTF-8 parsing of an array range ignored the provided length. - IPAddress has been written to provide stricter checking and avoid the use of Integer.parseInt(). - A Java 7 class snuck into the Java 5 to Java 8 build. * Additional Features and Functionality: - The Rainbow NIST Post Quantum Round-3 Candidate has been added to the low-level API and the BCPQC provider (level 3 and level 5 parameter sets only). - The GeMSS NIST Post Quantum Round-3 Candidate has been added to the low-level API. - The org.bouncycastle.rsa.max_mr_tests property check has been added to allow capping of MR tests done on RSA moduli. - Significant performance improvements in PQC algorithms, especially BIKE, CMCE, Frodo, HQC, Picnic. - EdDSA verification now conforms to the recommendations of Taming the many EdDSAs, in particular cofactored verification. As a side benefit, Pornin's basis reduction is now used for EdDSA verification, giving a significant performance boost. - Major performance improvements for Anomalous Binary (Koblitz) Curves. - The lightweight Cryptography finalists Ascon, ISAP, Elephant, PhotonBeetle, Sparkle, and Xoodyak have been added to the light-weight cryptography API. - BLAKE2bp and BLAKE2sp have been added to the light-weight cryptography API. - Support has been added for X.509, Section 9.8, hybrid certificates and CRLs using alternate public keys and alternate signatures. - The property "org.bouncycastle.emulate.oracle" has been added to signal the provider should return algorithm names on some algorithms in the same manner as the Oracle JCE provider. - An extra replaceSigners method has been added to CMSSignedData which allows for specifying the digest algorithm IDs to be used in the new CMSSignedData object. - Parsing and re-encoding of ASN.1 PEM data has been further optimized to prevent unecessary conversions between basic encoding, definite length, and DER. - Support has been added for KEM ciphers in CMS in accordance with draft-ietf-lamps-cms-kemri - Support has been added for certEncr in CRMF to allow issuing of certificates for KEM public keys. - Further speedups have been made to CRC24. - GCMParameterSpec constructor caching has been added to improve performance for JVMs that have the class available. - The PGPEncrytedDataGenerator now supports injecting the session key to be used for PGP PBE encrypted data. - The CRMF CertificateRequestMessageBuilder now supports optional attributes. - Improvements to the s calculation in JPAKE. - A general purpose PQCOtherInfoGenerator has been added which supports all Kyber and NTRU. - An implementation of HPKE (RFC 9180 - Hybrid Public Key Encryption) has been added to the light-weight cryptography API. * Security Advisories: - The PQC implementations have now been subject to formal review for secret leakage and side channels, there were issues in BIKE, Falcon, Frodo, HQC which have now been fixed. Some weak positives also showed up in Rainbow, Picnic, SIKE, and GeMSS - for now this last set has been ignored as the algorithms will either be updated if they reappear in the Signature Round, or deleted, as is already the case for SIKE (it is now in the legacy package). Details on the group responsible for the testing can be found in the CONTRIBUTORS file. - For at least some ECIES variants (e.g. when using CBC) there is an issue with potential malleability of a nonce (implying silent malleability of the plaintext) that must be sent alongside the ciphertext but is outside the IES integrity check. For this reason the automatic generation of nonces with IED is now disabled and they have to be passed in using an IESParameterSpec. The current advice is to agree on a nonce between parties and then rely on the use of the ephemeral key component to allow the nonce (rather the so called nonce) usage to be extended.- Update to version 1.72: * Defects Fixed: - There were parameter errors in XMSS^MT OIDs for XMSSMT_SHA2_40/4_256 and XMSSMT_SHA2_60/3_256. These have been fixed. - There was an error in Merkle tree construction for the Evidence Records (ERS) implementation which could result in invalid roots been timestamped. ERS now produces an ArchiveTimeStamp for each data object/group with an associated reduced hash tree. The reduced hash tree is now calculated as a simple path to the root of the tree for each record. - OpenPGP will now ignore signatures marked as non-exportable on encoding. - A tagging calculation error in GCMSIV which could result in incorrect tags has been fixed. - Issues around Java 17 which could result in failing tests have been addressed. * Additional Features and Functionality: - BCJSSE: TLS 1.3 is now enabled by default where no explicit protocols are supplied (e.g. "TLS" or "Default" SSLContext algorithms, or SSLContext.getDefault() method). - BCJSSE: Rewrite SSLEngine implementation to improve compatibility with SunJSSE. - BCJSSE: Support export of keying material via extension API. - (D)TLS: Add support for 'tls-exporter' channel binding per RFC 9266. - (D)TLS (low-level API): By default, only (D)TLS 1.2 and TLS 1.3 are offered now. Earlier versions are still supported if explicitly enabled. Users may need to check they are offering suitable cipher suites for TLS 1.3. - (D)TLS (low-level API): Add support for raw public keys per RFC 7250. - CryptoServicesRegistrar now has a setServicesConstraints() method on it which can be used to selectively turn off algorithms. - The NIST PQC Alternate Candidate, Picnic, has been added to the low level API and the BCPQC provider. - SPHINCS+ has been upgraded to the latest submission, SPHINCS+ 3.1 and support for Haraka has been added. - Evidence records now support timestamp renewal and hash renewal. - The SIKE Alternative Candidate NIST Post Quantum Algorithm has been added to the low-level PQC API. - The NTRU Round 3 Finalist Candidate NIST Post Quantum Algorithm has been added to the low-level API and the BCPQC provider. - The Falcon Finalist NIST Post Quantum Algorithm has been added to the low-level API and the BCPQC provider. - The CRYSTALS-Kyber Finalist NIST Post Quantum Algorithm has been added to the low-level API and the BCPQC provider. - Argon2 Support has been added to the OpenPGP API. - XDH IES has now been added to the BC provider. - The OpenPGP API now supports AEAD encryption and decryption. - The NTRU Prime Alternative Candidate NIST Post Quantum Algorithms have been added to the low-level API and the BCPQC provider. - The CRYSTALS-Dilithium Finalist NIST Post Quantum Algorithm has been added to the low-level API and the BCPQC provider. - The BIKE NIST Post Quantum Alternative/Round-4 Candidate has been added to the low-level API and the BCPQC provider. - The HQC NIST Post Quantum Alternative/Round-4 Candidate has been added to the low-level API and the BCPQC provider. - Grain128AEAD has been added to the lightweight API. - A fast version of CRC24 has been added for use with the PGP API. - Some additional methods and fields have been exposed in the PGPOnePassSignature class to (hopefully) make it easier to deal with nested signatures. - CMP support classes have been updated to reflect the latest editions to the the draft RFC "Lightweight Certificate Management Protocol (CMP) Profile". - Support has been added to the PKCS#12 implementation for the Oracle trusted certificate attribute. - Performance of our BZIP2 classes has been improved. * Notes: - Keep in mind the PQC algorithms are still under development and we are still at least a year and a half away from published standards. This means the algorithms may still change so by all means experiment, but do not use the PQC algoritms for anything long term. - The legacy "Rainbow" and "McEliece" implementations have been removed from the BCPQC provider. The underlying classes are still present if required. Other legacy algorithm implementations can be found under the org.bouncycastle.pqc.legacy package. * Security Notes: - The PQC SIKE algorithm is provided for research purposes only. It should now be regarded as broken. The SIKE implementation will be withdrawn in BC 1.73. * Rebase bouncycastle-javadoc.patch- Version update to 1.71 * Defects Fixed - In line with GPG the PGP API now attempts to preserve comments containing non-ascii UTF8 characters. - An accidental partial dependency on Java 1.7 has been removed from the TLS API. - JcaPKIXIdentityBuilder would fail to process File objects correctly. This is now fixed. - Some byte[] parameters to the CMP API were not being defensively cloned to prevent accidental changes. Extra defensive cloning has been added. - CMS primitives would sometimes convert ASN.1 definite-length encodings into indefinite-length encodings. The primitives will now try and preserve the original encoding where possible. - CMSSignedData.getAttributeCertificates() now properly restricts the tag values checked to just 1 (the obsolete v1 tag) and 2 (for the more current v2 certificates). - BCJSSE now tries to validate a custom KeyManager selection in order to catch errors around a key manager ignoring key type early. - Compressed streams in PGP ending with zero length partial packets could cause failure on parsing the OpenPGP API. This has been fixed. - The fallback mode for JceAsymmetricKeyWrapper/Unwrapper would lose track of any algorithm parameters generated in the initial attempt. The algorithm parameters are now propagated. - An accidental regression introduced by a fix for another issue in PKIXCertPathReviewer around use of the AuthorityKeyIdentifier extension and it failing to match a certificate uniquely when the serial number field is missing has been fixed. - An error was found in the creation of TLS 1.3 Export Keying Material which could cause compatibility issues. This has been fixed. * Additional Features and Functionality - Support has been added for OpenPGP regular expression signature packets. - Support has been added for OpenPGP PolicyURI signature packets. - A utility method has been added to PGPSecretKeyRing to allow for inserting or replacing a PGPPublicKey. - The NIST PQC Finalist, Classic McEliece has been added to the low level API and the BCPQC provider. - The NIST PQC Alternate Candidate, SPHINCS+ has been added to the BCPQC provider. - The NIST PQC Alternate Candidate, FrodoKEM has been added to the low level API and the BCPQC provider. - The NIST PQC Finalist, SABER has been added to the low level API and the BCPQC provider. - KMAC128, KMAC256 has been added to the BC provider (empty customization string). - TupleHash128, TupleHash256 has been added to the BC provider (empty customization string). - ParallelHash128, ParallelHash256 has been added to the BC provider (empty customization string, block size 1024 bits). - Two new properties: "org.bouncycastle.rsa.max_size" (default 15360) and "org.bouncycastle.ec.fp_max_size" (default 1042) have been added to cap the maximum size of RSA and EC keys. - RSA modulus are now checked to be provably composite using the enhanced MR probable prime test. - Imported EC Fp basis values are now validated against the MR prime number test before use. The certainty level of the prime test can be determined by "org.bouncycastle.ec.fp_certainty" (default 100). - The BC entropy thread now has a specific name: "BC-ENTROPY-GATHERER". - Utility methods have been added for joining/merging PGP public keys and signatures. - Blake3-256 has been added to the BC provider. - DTLS: optimisation to delayed handshake hash. - Further additions to the ETSI 102 941 support in the ETSI/ITS package: certification request, signed message generation and verification now supported. - CMSSignedDataGenerator now supports the direct generation of definite-length data. - The NetscapeCertType class now has a hasUsages() method on it for querying usage settings on its bit string. - Support for additional input has been added for deterministic (EC)DSA. - The OpenPGP API provides better support for subkey generation. - BCJSSE: Added boolean system properties "org.bouncycastle.jsse.client.dh.disableDefaultSuites" and "org.bouncycastle.jsse.server.dh.disableDefaultSuites". Default "false". Set to "true" to disable inclusion of DH cipher suites in the default cipher suites for client/server respectively. * Notes - The deprecated QTESLA implementation has been removed from the BCPQC provider. - The submission update to SPHINCS+ has been added. This changes the generation of signatures - particularly deterministic ones. - Version update to 1.70 * Defects Fixed - Blake 3 output limit is enforced. - The PKCS12 KeyStore was relying on default precedence for its key Cipher implementation so was sometimes failing if used from the keytool. The KeyStore class now makes sure it uses the correct Cipher implementation. - Fixed bzip2 compression for empty contents (GH #993). - ASN.1: More robust handling of high tag numbers and definite-length forms. - BCJSSE: Fix a concurrent modification issue in session contexts (GH#968). - BCJSSE: Don't log sensitive system property values (GH#976). - BCJSSE: Fixed a priority issue amongst imperfect-match credentials in KeyManager classes. - The IES AlgorithmParameters object has been re-written to properly support all the variations of IESParameterSpec. - getOutputSize() for ECIES has been corrected to avoid occassional underestimates. - The lack of close() in the ASN.1 Dump command line utility was triggering false positives in some code analysis tools. A close() call has been added. - PGPPublicKey.getBitStrength() now properly recognises EdDSA keys. * Additional Features and Functionality - Missing PGP CRC checksums can now be optionally ignored using setDetectMissingCRC() (default false) on ArmoredInputStream. - PGPSecretKey.copyWithNewPassword() now has a variant which uses USAGE_SHA1 for key protection if a PGPDigestCalculator is passed in. - PGP ASCII armored data now skips "\t", "\v", and "\f". - PKCS12 files with duplicate localKeyId attributes on certificates will now have the incorrect attributes filtered out, rather than the duplicate causing an exception. - PGPObjectFactory will now ignore packets representing unrecognised signature versions in the input stream. - The X.509 extension generator will now accumulate some duplicate X.509 extensions into a single extension where it is possible to do so. - Removed support for maxXofLen in Kangaroo digest. - Ignore marker packets in PGP Public and Secret key ring collection. - An implementation of LEA has been added to the low-level API. - Access, recovery, and direct use for PGP session keys has been added to the OpenPGP API for processing encrypted data. - A PGPCanonicalizedDataGenerator has been added which converts input into canonicalized literal data for text and UTF-8 mode. - A getUserKeyingMaterial() method has been added to the KeyAgreeRecipientInformation class. - ASN.1: Tagged objects (and parsers) now support all tag classes. Special code for ApplicationSpecific has been deprecated and re-implemented in terms of TaggedObject. - ASN.1: Improved support for nested tagging. - ASN.1: Added support for GraphicString, ObjectDescriptor, RelativeOID. - ASN.1: Added support for constructed BitString encodings, including efficient parsing for large values. - TLS: Added support for external PSK handshakes. - TLS: Check policy restrictions on key size when determining cipher suite support. - A performance issue in KeccakDigest due to left over debug code has been identified and dealt with. - BKS key stores can now be used for collecting protected keys (note: any attempt to store such a store will cause an exception). - A method for recovering user keying material has been added to KeyAgreeRecipientInformation. - Support has been added to the CMS API for SHA-3 based PLAIN-ECDSA. - The low level BcDefaultDigestProvider now supports the SHAKE family of algorithms and the SM3 alogirthm. - PGPKeyRingGenerator now supports creation of key-rings with direct-key identified keys. - The PQC NIST candidate, signature algorithm SPHINCS+ has been added to the low-level API. - ArmoredInputStream now explicitly checks for a '\n' if in crLF mode. - Direct support for NotationDataOccurances, Exportable, Revocable, IntendedRecipientFingerPrints, and AEAD algorithm preferences has been added to PGPSignatureSubpacketVector. - Further support has been added for keys described using S-Expressions in GPG 2.2.X. - Support for OpenPGP Session Keys from the (draft) Stateless OpenPGP CLI has been added. - Additional checks have been added for PGP marker packets in the parsing of PGP objects. - A CMSSignedData.addDigestAlgorithm() has been added to allow for adding additional digest algorithm identifiers to CMS SignedData structures when required. - Support has been added to CMS for the LMS/HSS signature algorithm. - The system property "org.bouncycastle.jsse.client.assumeOriginalHostName" (default false) has been added for dealing with SNI problems related to the host name not being propagate by the JVM. - The JcePKCSPBEOutputEncryptorBuilder now supports SCRYPT with ciphers that do not have algorithm parameters (e.g. AESKWP). - Support is now added for certificates using ETSI TS 103 097, "Intelligent Transport Systems (ITS)" in the bcpkix package. * Notes. - While this release should maintain source code compatibility, developers making use of some parts of the ASN.1 library will find that some classes need recompiling. Apologies for the inconvenience. - Version update to 1.69 * Defects Fixed - Lightweight and JCA conversion of Ed25519 keys in the PGP API could drop the leading byte as it was zero. This has been fixed. - Marker packets appearing at the start of PGP public key rings could cause parsing failure. This has been fixed. - ESTService could fail for some valid Content-Type headers. This has been fixed. - Originator key algorithm parameters were being passed as NULL in key agreement recipients. The parameters now reflect the value of the parameters in the key's SubjectPublicKeyInfo. - ContentType on encapsulated data was not been passed through correctly for authenticated and enveloped data. This has been fixed. - NTRUEncryptionParameters and NTRUEncryptionKeyGenerationParameters were not correctly cloning the contained message digest. This has been fixed. - CertificateFactory.generateCertificates()/generateCRLs() would throw an exception if extra data was found at the end of a PEM file even if valid objects had been found. Extra data is now ignored providing at least one object found. - Internal class PKIXCRLUtil could throw a NullPointerException for CRLs with an absent nextUpdate field. This has been fixed. - PGP ArmoredInputStream now fails earlier on malformed headers. - The McElieceKobaraImaiCipher was randomly throwing "Bad Padding: invalid ciphertext" exception while decrypting due to leading zeroes been missed during processing of the cipher text. This has been fixed. - Ed25519 keys being passed in via OpenSSH key spec are now validated in the KeyFactory. - Blowfish keys are now range checked on cipher construction. - In some cases PGPSecretKeyRing was failing to search its extraPubKeys list when searching for public keys. - The BasicConstraintsValidation class in the BC cert path validation tools has improved conformance to RFC 5280. - AlgorithmIdentifiers involving message digests now attempt to follow the latest conventions for the parameters field (basically DER NULL appears less). - Fix various conversions and interoperability for XDH and EdDSA between BC and SunEC providers. - TLS: Prevent attempts to use KeyUpdate mechanism in versions before TLS 1.3. * Additional Features and Functionality - GCM-SIV has been added to the lightweight API and the provider. - Blake3 has been added to the lightweight API. - The OpenSSL PEMParser can now be extended to add specialised parsers. - Base32 encoding has now been added, the default alphabet is from RFC 4648. - The KangarooTwelve message digest has been added to the lightweight API. - An implementation of the two FPE algorithms, FF1 and FF3-1 in SP 800-38G has been added to the lightweight API and the JCE provider. - An implementation of ParallelHash has been added to the lightweight API. - An implementation of TupleHash has been added to the lightweight API. - RSA-PSS now supports the use of SHAKE128 and SHAKE256 as the mask generation function and digest. - ECDSA now supports the use of SHAKE128 and SHAKE256. - PGPPBEEncryptedData will now reset the stream if the initial checksum fails so another password can be tried. - Iterators on public and secret key ring collections in PGP now reflect the original order of the public/secret key rings they contain. - KeyAgreeRecipientInformation now has a getOriginator() method for retrieving the underlying orginator information. - PGPSignature now has a getDigestPrefix() method for people wanting exposure to the signature finger print details. - The old BKS-V1 format keystore is now disabled by default. If you need to use BKS-V1 for legacy reasons, it can be re-enabled by adding: org.bouncycastle.bks.enable_v1=true to the java.security file. We would be interested in hearing from anyone that needs to do this. - PLAIN-ECDSA now supports the SHA3 digests. - Some highlevel support for RFC 4998 ERS has been added for ArchiveTimeStamp and EvidenceRecord. The new classes are in the org.bouncycastle.tsp.ers package. - ECIES has now also support SHA256, SHA384, and SHA512. - digestAlgorithms filed in CMS SignedData now includes counter signature digest algorithms where possible. - A new property "org.bouncycastle.jsse.config" has been added which can be used to configure the BCJSSE provider when it is created using the no-args constructor. - In line with changes in OpenSSL 1.1.0, OpenSSLPBEParametersGenerator can now be configured with a digest. - PGPKeyRingGenerator now includes a method for adding a subkey with a primary key binding signature. - Support for ASN.1 PRIVATE tags has been added. - Performance enhancements to Nokeon, AES, GCM, and SICBlockCipher. - Support for ecoding/decoding McElieceCCA2 keys has been added to the PQC API - BCJSSE: Added support for jdk.tls.maxCertificateChainLength system property (default is 10). - BCJSSE: Added support for jdk.tls.maxHandshakeMessageSize system property (default is 32768). - BCJSSE: Added support for jdk.tls.client.enableCAExtension (default is 'false'). - BCJSSE: Added support for jdk.tls.client.cipherSuites system property. - BCJSSE: Added support for jdk.tls.server.cipherSuites system property. - BCJSSE: Extended ALPN support via standard JSSE API to JDK 8 versions after u251/u252. - BCJSSE: Key managers now support EC credentials for use with TLS 1.3 ECDSA signature schemes (including brainpool). - TLS: Add TLS 1.3 support for brainpool curves per RFC 8734. * Notes - There is a small API change in the PKIX package to the DigestAlgorithmIdentifierFinder interface as a find() method that takes an ASN1ObjectIdentifier has been added to it. For people wishing to extend their own implementations, see DefaultDigestAlgorithmIdentifierFinder for a sample implementation. - A version of the bcmail API supporting Jakarta Mail has now been added (see bcjmail jar). - Some work has been done on moving out code that does not need to be in the provider jar. This has reduced the size of the provider jar and should also make it easier for developers to patch the classes involved as they no longer need to be signed. bcpkix and bctls are both dependent on the new bcutil jar. - Add build dependencies on mvn(jakarta.activation:jakarta.activation-api) and mvn(jakarta.mail:jakarta.mail-api) - Remove unneeded script bouncycastle_getpoms.sh from sources- Build against the standalone JavaEE modules unconditionally- Build with source/target levels 8- Add glassfish-activation-api dependency so that we can build with JDK that does not contain the JavaEE modules- Directory core/docs does not exist- Add bouncycastle_getpoms.sh to get pom files from Maven repos- Version update to 1.68 * Defects Fixed: - Some BigIntegers utility methods would fail for BigInteger.ZERO. This has been fixed. - PGPUtil.isKeyRing() was not detecting secret sub-keys in its input. This has been fixed. - The ASN.1 class, ArchiveTimeStamp was insisting on a value for the optional reducedHashTree field. This has been fixed. - BCJSSE: Lock against multiple writers - a possible synchronization issue has been removed. * Additional Features and Functionality - BCJSSE: Added support for system property com.sun.net.ssl.requireCloseNotify. Note that we are using a default value of 'true'. - BCJSSE: 'TLSv1.3' is now a supported protocol for both client and server. For this release it is only enabled by default for the 'TLSv1.3' SSLContext, but can be explicitly enabled using 'setEnabledProtocols' on an SSLSocket or SSLEngine, or via SSLParameters. - BCJSSE: Session resumption is now also supported for servers in TLS 1.2 and earlier. For this release it is disabled by default, and can be enabled by setting the boolean system property org.bouncycastle.jsse.server.enableSessionResumption to 'true'. - The provider RSA-PSS signature names that follow the JCA naming convention. - FIPS mode for the BCJSSE now enforces namedCurves for any presented certificates. - PGPSignatureSubpacketGenerator now supports editing of a pre-existing sub-packet list.- Version update to 1.67 [bsc#1180215, CVE-2020-28052] * CVE-2020-28052: OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password * Defects Fixed: - BCJSSE: SunJSSE compatibility fix - override of getChannel() removed and 'urgent data' behaviour should now conform to what the SunJSSE expects - Nested BER data could sometimes cause issues in octet strings - Certificates/CRLs with short signatures could cause an exception in toString() in the BC X509 Certificate implmentation - In line with latest changes in the JVM, SignatureSpis which don't require parameters now return null on engineGetParameters() - The RSA KeyFactory now always preferentially produces RSAPrivateCrtKey where it can on requests for a KeySpec based on an RSAPrivateKey - CMSTypedStream$FullReaderStream now handles zero length reads correctly - Unecessary padding was added on KMAC when the key string was block aligned - Zero length data would cause an unexpected exception from RFC5649WrapEngine - OpenBSDBcrypt was failing to handle some valid prefixes * Additional Features and Functionality - Performance improvement of Argon2 and Noekeon - A setSessionKeyObfuscation() method has been added to PublicKeyKeyEncryptionMethodGenerator to allow turning off of session key obfuscation (default is on, method primarily to get around early version GPG issues with AES-128 keys) - Implemented 'safegcd' constant-time modular inversion (as well as a variable-time variant). It has replaced Fermat inversion in all our EC code, and BigInteger.modInverse in several other places, particularly signers. This improves side-channel protection, and also gives a significant performance boost - Performance of custom binary ECC curves and Edwards Curves has been improved - BCJSSE: New boolean system property 'org.bouncycastle.jsse.keyManager.checkEKU' allows to disable ExtendedKeyUsage restrictions when selecting credentials (although the peer may still complain) - Initial support has been added for "Composite Keys and Signatures For Use In Internet PKI" using the test OID. Please note there will be further refinements to this as the draft is standardised - The BC EdDSA signature API now supports keys implementing all methods on the EdECKey and XECKey interfaces directly - Work has begun on classes to support the ETSI TS 103 097, Intelligent Transport Systems (ITS) in the bcpkix package - Further optimization work has been done on GCM - A NewHope based processor, similar to the one for Key Agreement has been added for trying to "quantum hard" KEM algorithms - PGP clear signed signatures now support SHA-224 - Treating absent vs NULL as equivalent can now be configured by a system property. By default this is not enabled - Mode name checks in Cipher strings should now make sure an improper mode name always results in a NoSuchAlgorithmException - In line with changes in OpenSSL, the OpenSSLPBKDF now uses UTF8 encoding- Version update to 1.66 [bsc#1186328, CVE-2020-15522] * Defects Fixed: - EdDSA verifiers now reset correctly after rejecting overly long signatures. - BCJSSE: SSLSession.getPeerCertificateChain could throw NullPointerException. - qTESLA-I verifier would reject some valid signatures. - qTESLA verifiers now reject overly long signatures. - PGP regression caused failure to preserve existing version header when headers were reset. - PKIXNameConstraintValidator had a bad cast preventing use of multiple OtherName constraints. - Serialisation of the non-CRT RSA Private Key could cause a NullPointerException. - An extra 4 bytes was included in the start of HSS public key encodings. - CMS with Ed448 using a direct signature was using id-shake256-len rather than id-shake256. - Use of GCMParameterSpec could cause an AccessControlException under some circumstances. - DTLS: Fixed high-latency HelloVerifyRequest handshakes. - An encoding bug for rightEncoded() in KMAC has been fixed. - For a few values the cSHAKE implementation would add unnecessary pad bytes where the N and S strings produced encoded data that was block aligned. - There were a few circumstances where Argon2BytesGenerator might hit an unexpected null. These have been removed. * Additional Features and Functionality - The qTESLA signature algorithm has been updated to v2.8 (20191108). - BCJSSE: Client-side OCSP stapling now supports status_request_v2 extension. - Support has been added for "ocsp.enable", "ocsp.responderURL" and PKIXRevocationChecker for users of Java 8 and later. - Support has been added for "org.bouncycastle.x509.enableCRLDP" to the PKIX validator. - BCJSSE: Now supports system property 'jsse.enableFFDHE' - BCJSSE: Now supports system properties 'jdk.tls.client.SignatureSchemes' and 'jdk.tls.server.SignatureSchemes'. - Multi-release support has been added for Java 11 XECKeys. - Multi-release support has been added for Java 15 EdECKeys. - The MiscPEMGenerator will now output general PrivateKeyInfo structures. - A new property "org.bouncycastle.pkcs8.v1_info_only" has been added to make the provider only produce version 1 PKCS8 PrivateKeyInfo structures. - The PKIX CertPathBuilder will now take the target certificate from the target constraints if a specific certificate is given to the selector. - BCJSSE: A range of ARIA and CAMELLIA cipher suites added to supported list. - BCJSSE: Now supports the PSS signature schemes from RFC 8446 (TLS 1.2 onwards). - Performance of the Base64 encoder has been improved. - The PGPPublicKey class will now include direct key signatures when checking for key expiry times. * NOTES: - The qTESLA update breaks compatibility with previous versions. Private keys now include a hash of the public key at the end, and signatures are no longer interoperable with previous versions.- Version update to 1.65 * Defects Fixed: - DLExternal would encode using DER encoding for tagged SETs. - ChaCha20Poly1305 could fail for large (>~2GB) files. - ChaCha20Poly1305 could fail for small updates when used via the provider. - Properties.getPropertyValue could ignore system property when other local overrides set. - The entropy gathering thread was not running in daemon mode, meaning there could be a delay in an application shutting down due to it. - A recent change in Java 11 could cause an exception with the BC Provider's implementation of PSS. - BCJSSE: TrustManager now tolerates having no trusted certificates. - BCJSSE: Choice of credentials and signing algorithm now respect the peer's signature_algorithms extension properly. - BCJSSE: KeyManager for KeyStoreBuilderParameters no longer leaks memory. * Additional Features and Functionality: - LMS and HSS (RFC 8554) support has been added to the low level library and the PQC provider. - SipHash128 support has been added to the low level library and the JCE provider. - BCJSSE: BC API now supports explicitly specifying the session to resume. - BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode). - BCJSSE: Added support for extended_master_secret system properties: jdk.tls.allowLegacyMasterSecret, jdk.tls.allowLegacyResumption, jdk.tls.useExtendedMasterSecret . - BCJSSE: Ed25519, Ed448 are now supported when TLS 1.2 or higher is negotiated (except in FIPS mode). - BCJSSE: KeyManager and TrustManager now check algorithm constraints for keys and certificate chains. - BCJSSE: KeyManager selection of server credentials now prefers matching SNI hostname (if any). - BCJSSE: KeyManager may now fallback to imperfect credentials (expired, SNI mismatch). - BCJSSE: Client-side OCSP stapling support (beta version: via status_request extension only, provides jdk.tls.client.enableStatusRequestExtension, and requires CertPathBuilder support). - TLS: DSA in JcaTlsCrypto now falls back to stream signing to work around NoneWithDSA limitations in default provider.- Added patch: * bouncycastle-osgi.patch + Add OSGi manifests to the distributed jars so that they can be used from eclipse- Fix arch dependent macros in noarch package [bsc#1109539]- Update pom files with those from Maven repository.- Version update to 1.64 [bsc#1153385, CVE-2019-17359] [bsc#1096291, CVE-2018-1000180][bsc#1100694, CVE-2018-1000613] * Security Advisory: - CVE-2019-17359: A change to the ASN.1 parser in 1.63 introduced a regression that can cause an OutOfMemoryError to occur on parsing ASN.1 data. * Defects Fixed: - OpenSSH: Fixed padding in generated Ed25519 private keys. - GOST3410-2012-512 now uses the GOST3411-2012-256 as its KDF digest. - Validation of headers in PemReader now looks for tailing dashes in header. - Some compatibility issues around the signature encryption algorithm field in CMS SignedData and the GOST algorithms have been addressed. * Additional Features and Functionality: - PKCS12 key stores containing only certificates can now be created without the need to provide passwords. - BCJSSE: Initial support for AlgorithmConstraints; protocol versions and cipher suites. - BCJSSE: Initial support for 'jdk.tls.disabledAlgorithms'; protocol versions and cipher suites. - BCJSSE: Add SecurityManager check to access session context. - BCJSSE: Improved SunJSSE compatibility of the NULL_SESSION. - BCJSSE: SSLContext algorithms updated for SunJSSE compatibility (default enabled protocols). - The digest functions Haraka-256 and Haraka-512 have been added to the provider and the light-weight API - XMSS/XMSS^MT key management now allows for allocating subsets of the private key space using the extraKeyShard() method. Use of StateAwareSignature is now deprecated. - Support for Java 11's NamedParameterSpec class has been added (using reflection) to the EC and EdEC KeyPairGenerator implementations.- Version update to 1.63 * Defects Fixed: - The ASN.1 parser would throw a large object exception for some objects which could be safely parsed. - GOST3412-2015 CTR mode was unusable at the JCE level. - The DSTU MACs were failing to reset fully on doFinal(). - The DSTU MACs would throw an exception if the key was a multiple of the size as the MAC's underlying buffer size. - EdEC and QTESLA were not previously usable with the post Java 9 module structure. - ECNR was not correctly bounds checking the input and could produce invalid signatures. - ASN.1: Enforce no leading zeroes in OID branches (longer than 1 character). - TLS: Fix X448 support in JcaTlsCrypto. - Fixed field reduction for secp128r1 custom curve. - Fixed unsigned multiplications in X448 field squaring. - Some issues over subset Name Constraint validation in the CertPath analyser - TimeStampResponse.getEncoded() could throw an exception if the TimeStampToken was null. - Unnecessary memory usage in the ARGON2 implementation has been removed. - Param-Z in the GOST-28147 algorithm was not resolving correctly. - It is now possible to specify different S-Box parameters for the GOST 28147-89 MAC. * Additional Features and Functionality: - QTESLA is now updated with the round 2 changes. Note: the security catergories, and in some cases key generation and signatures, have changed. The round 1 version is now moved to org.bouncycastle.pqc.crypto.qteslarnd1, this package will be deleted in 1.64. Please keep in mind that QTESLA may continue to evolve. - Support has been added for generating Ed25519/Ed448 signed certificates. - A method for recovering the message/digest value from an ECNR signature has been added. - Support for the ZUC-128 and ZUC-256 ciphers and MACs has been added to the provider and the lightweight API. - Support has been added for ChaCha20-Poly1305 AEAD mode from RFC 7539. - Improved performance for multiple ECDSA verifications using same public key. - Support for PBKDF2withHmacSM3 has been added to the BC provider. - The S/MIME API has been fixed to avoid unnecessary delays due to DNS resolution of a hosts name in internal MimeMessage preparation. - The valid path for EST services has been updated to cope with the characters used in the Aruba clearpass EST implementation. - Version update to 1.62 * Defects Fixed: - DTLS: Fixed infinite loop on IO exceptions. - DTLS: Retransmission timers now properly apply to flights monolithically. - BCJSSE: setEnabledCipherSuites ignores unsupported cipher suites. - BCJSSE: SSLSocket implementations store passed-in 'host' before connecting. - BCJSSE: Handle SSLEngine closure prior to handshake. - BCJSSE: Provider now configurable using security config under Java 11 and later. - EdDSA verifiers now reject overly long signatures. - XMSS/XMSS^MT OIDs now using the values defined in RFC 8391. - XMSS/XMSS^MT keys now encoded with OID at start. - An error causing valid paths to be rejected due to DN based name constraints has been fixed in the CertPath API. - Name constraint resolution now includes special handling of serial numbers. - Cipher implementations now handle ByteBuffer usage where the ByteBuffer has no backing array. - CertificateFactory now enforces presence of PEM headers when required. - A performance issue with RSA key pair generation that was introduced in 1.61 has been mostly eliminated. * Additional Features and Functionality: - Builders for X509 certificates and CRLs now support replace and remove extension methods. - DTLS: Added server-side support for HelloVerifyRequest. - DTLS: Added support for an overall handshake timeout. - DTLS: Added support for the heartbeat extension (RFC 6520). - DTLS: Improve record seq. behaviour in HelloVerifyRequest scenarios. - TLS: BasicTlsPSKIdentity now reusable (returns cloned array from getPSK). - BCJSSE: Improved ALPN support, including selectors from Java 9. - Lightweight RSADigestSigner now support use of NullDigest. - SM2Engine now supports C1C3C2 mode. - SHA256withSM2 now added to provider. - BCJSSE: Added support for ALPN selectors (including in BC extension API for earlier JDKs). - BCJSSE: Support 'SSL' algorithm for SSLContext (alias for 'TLS'). - The BLAKE2xs XOF has been added to the lightweight API. - Utility classes added to support journaling of SecureRandom and algorithms to allow persistance and later resumption. - PGP SexprParser now handles some unprotected key types. - NONEwithRSA support added to lightweight RSADigestSigner. - Support for the Ethereum flavor of IES has been added to the lightweight API. - Version update to 1.61 * Defects Fixed: - Use of EC named curves could be lost if keys were constructed. via a key factory and algorithm parameters. - RFC3211WrapEngine would not properly handle messages longer than 127 bytes. - The JCE implementations for RFC3211 would not return null AlgorithmParameters. - TLS: Don't check CCS status for hello_request. - TLS: Tolerate unrecognized hash algorithms. - TLS: Tolerate unrecognized SNI types. - Incompatibility issue in ECIES-KEM encryption in cofactor fixed. - Issue with XMSS/XMSSMT private key loading which could result in invalid signatures fixed. - StateAwareSignature.isSigningCapable() now returns false when the key has reached it's maximum number of signatures. - The McEliece KeyPairGenerator was failing to initialize the underlying class if a SecureRandom was explicitly passed. - The McEliece cipher would sometimes report the wrong value on a call to Cipher.getOutputSize(int). - CSHAKEDigest.leftEncode() was using the wrong endianness for multi byte values. - Some ciphers, such as CAST6, were missing AlgorithmParameters implementations. - An issue with the default "m" parameter for 1024 bit Diffie-Hellman keys which could result in an exception on key pair generation has been fixed. - The SPHINCS256 implementation is now more tolerant of parameters wrapped with a SecureRandom and will not throw an exception if it receives one. - A regression in PGPUtil.writeFileToLiteralData() which could cause corrupted literal data has been fixed. - Several parsing issues related to the processing of CMP PKIPublicationInfo. - The ECGOST curves for id-tc26-gost-3410-12-256-paramSetA and id-tc26-gost-3410-12-512-paramSetC had incorrect co-factors. * Additional Features and Functionality: - The qTESLA signature algorithm has been added to PQC light-weight API and the PQC provider. - The password hashing function, Argon2 has been added to the lightweight API. - BCJSSE: Added support for endpoint ID validation (HTTPS, LDAP, LDAPS). - BCJSSE: Added support for 'useCipherSuitesOrder' parameter. - BCJSSE: Added support for ALPN. - BCJSSE: Various changes for improved compatibility with SunJSSE. - BCJSSE: Provide default extended key/trust managers. - TLS: Added support for TLS 1.2 features from RFC 8446. - TLS: Removed support for EC point compression. - TLS: Removed support for record compression. - TLS: Updated to RFC 7627 from draft-ietf-tls-session-hash-04. - TLS: Improved certificate sig. alg. checks. - TLS: Finalised support for RFC 8442 cipher suites. - Support has been added to the main Provider for the Ed25519 and Ed448 signature algorithms. - Support has been added to the main Provider for the X25519 and X448 key agreement algorithms. - Utility classes have been added for handling OpenSSH keys. - Support for processing messages built using GPG and Curve25519 has been added to the OpenPGP API. - The provider now recognises the standard SM3 OID. - A new API for directly parsing and creating S/MIME documents has been added to the PKIX API. - SM2 in public key cipher mode has been added to the provider API. - The BCFKSLoadStoreParameter has been extended to allow the use of certificates and digital signatures for verifying the integrity of BCFKS key stores.- Package also the bcpkix bcpg bcmail bctls artifacts in separate sub-packages - Revert to building with source/target 6, since it is still possible - Added patch: * bouncycastle-javadoc.patch + fix javadoc build- Version update to 1.60 bsc#1100694: * CVE-2018-1000613 Use of Externally-ControlledInput to Select Classes or Code * CVE-2018-1000180: issue around primality tests for RSA key pair generation if done using only the low-level API [bsc#1096291] * Release notes: http://www.bouncycastle.org/releasenotes.html- Version update to 1.59: * CVE-2017-13098: Fix against Bleichenbacher oracle when not using the lightweight APIs (boo#1072697). * CVE-2016-1000338: Fix DSA ASN.1 validation during encoding of signature on verification (boo#1095722). * CVE-2016-1000339: Fix AESEngine key information leak via lookup table accesses (boo#1095853). * CVE-2016-1000340: Fix carry propagation bugs in the implementation of squaring for several raw math classes (boo#1095854). * CVE-2016-1000341: Fix DSA signature generation vulnerability to timing attack (boo#1095852). * CVE-2016-1000342: Fix ECDSA ASN.1 validation during encoding of signature on verification (boo#1095850). * CVE-2016-1000343: Fix week default settings for private DSA key pair generation (boo#1095849). * CVE-2016-1000344: Remove DHIES from the provider to disable the unsafe usage of ECB mode (boo#1096026). * CVE-2016-1000345: Fix DHIES/ECIES CBC mode padding oracle attack (boo#1096025). * CVE-2016-1000346: Fix other party DH public key validation (boo#1096024). * CVE-2016-1000352: Remove ECIES from the provider to disable the unsafe usage of ECB mode (boo#1096022). * Release notes: http://www.bouncycastle.org/releasenotes.html - Removed patch: * ambiguous-reseed.patch- Build with source and target 8 to prepare for a possible removal of 1.6 compatibility- Version update to 1.58 - Added patch: * ambiguous-reseed.patch + Upstream fix for an ambiguous overload- Set java source and target to 1.6 to allow building with jdk9- New build dependency: javapackages-local - Fixed requires - Spec file cleaned- Version update to 1.54: * No obvious changelog to be found * Fixes bnc#967521 CVE-2015-7575- Version update to 1.53 (latest upstream) * No obvious changelog * Fixes bnc#951727 CVE-2015-7940- Fix build with new javapackages-tools- Disable tests on obs as they hang- Version bump to 1.50 to match Fedora - Cleanup with spec-cleanerh01-ch2d 17146525121.78.1-150200.3.29.11.78.11.78.11.78.11.78.11.78.11.78.11.78.11.78.11.78.11.78.11.78.11.78.11.78.1bctls.jarbouncycastle-tlsLICENSE.htmlbouncycastle-bctls.xmlbctls.pom/usr/share/java//usr/share/licenses//usr/share/licenses/bouncycastle-tls//usr/share/maven-metadata//usr/share/maven-poms/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:33611/SUSE_SLE-15-SP2_Update/299882afda0c8705d93615a05834f152-bouncycastle.SUSE_SLE-15-SP2_Updatedrpmxz5noarch-suse-linuxgzip ERROR: Stdin has more than one entry--rest ignored (Zip archive data, at least v1.0 to extract Java archive data (JAR))directoryHTML document, ASCII textASCII textXML 1.0 document textP P PPPPP P PPPPP RRRRq' o~pYutf-8acc202c759014133cfdcd0d27e4c31cb450404c649f99a5981eb22164113db64? 7zXZ !t/w]"k%'+ woBܸ4/hI/1v? pJqUWlV`S<04{ 6[$do9/`9wOr ewx;\W*JyT1qq׹=Jpo4vjJ{6h!pXJd̲r5> Oi[BҀ1F^Q dvAit^H,-͊vWS 8+*{ :1cM(E?hIۂmZhqD8iйNM `=;BVhp#Ql1(ݐtuF%Kp⺑ ʆ9Uؓd˳!CbB)M.4 ~kdOmo qwwne[qTVjͼ )O~4SW,9$Oֻ/~JRDAe酬=`r<~^  Q.aķ%+"w C8 VQx |zHSO}V1AI}g IH9J+wl\(]l+=جE0.t|3{6^~q_JJtQ}pwdqyش=?r_&dZ}Z†Њ"'f*YJeTYwW6Rxc,$=Pyq-y~SSj׮T{3H&|RIkը8 ̀kJG۳fJk抑*'0Ub⊃DI&e^7 ,l׏ /D.ͤ+TR5 F~=,ὧ:/L6UajUtȊY%_O m\7*}>}f}E׫Ys֧}vɩ<ٿ|+Y|ɢ?'-viRߋ*rGz 1~c6y=K鯓a53t(!jJ[!AXe fz12פj,E| !SB (hwB\½SoHbUT$?;SV;R*HY.J%K ;g]tWaZ8(΃|6k uݸl^jC>քtL; -Y?Z}]>qF>Zܸ@KZfNFWџ{5fm-O̾ _֡>^Wn*rPom}FrCU8qiT- +2F0^q Wdೇ)Õv eV@oCrs1%<.N4ϣQ0PhrO3oܽ19P$''2rž1WRPܐvnOhFW'u07ha[1@cU#%^$hz&6K w?$˴F|>hyǖFF:U6K/s]S%|#Dӆ@ iŚm3,>@B Ge^^5ՙA8%T!3EDTB=j|gN/@ED& _Yڊ _:s+NK457kU6 V0k_r9;{'_K~D<Ӻ-PPۈz2JZj1PHp}ƍP_0~LJO$*c,ATO#1Kp0s:/t#>jUDRxM{HYůs-O˖*HIc8mZ?өFDM8anpU(/ śSl2΂D3 v @raZ Ah#1]5⎨: US{Yw9J&wF_5<!d Ǟ/9Z&ٛ:ovc}+J!TӞ0` LV߂T.=jx5 Z,9kuJHaqC@5Y(!u%&~/3 _[EF2t|WW⿥SX#fER`zr+ʡHoc4Z%WkVpzI1d3%8C z(rˊST+VCL( 3 juFLUÉ0'8##y IPmgx(u'2oq ϣm(fS!rUtwA"o5ZA>8b0]f:v[ιDNq݌s6t6(_{`/@=rn_͒#r֛UL!Gȕ 99W+(y %X:`H >E:Ayh@v|  3b&U8`%Ҙ^ ϝ+ caQ_#G7O.  F\׋%Ts>'<S*>)v/z3&;3݌z;;#XyPɸ*c6:C;U쒠+;aUѷ'OʫH}h$KaF$^.Y+OQ8'jzf6D)E*s0g>ON3.X%]#SoΜ7#WAšW IBgAe$-:B=Zu~S?[4 :n]T=G"TÍOpONH:>(}w)}2=}"$ߘ%9ZNZ5ܢ1_=~~Fխ-xdEoigmyLY\ݫ >4ڕmٚ(# "-&E6M|lE{s_F,S'4={K|yV0chL)nFd囧q8-7?/7$g훍,KiNuJ#"vcW\ ck'#-ԛ%h}e7;z ueditv6֬Z*hؿjn9Spi'(^7SRX@TKa5j\E LJxS974T=Xot|LDM%e䃆c<1F,çZڎԻ+_@#W`Ϳb8$W+ʑo,%BͻE8@gג~G@ Ѥ-5<5ϊk% q$ƞUf2v݅H {P4w,>x_R~#sոSA**,bW] 9k~`hێ9$M\su+c|asŗLJJ|2$w86}}vZ(^XbetY.㓗tj~n͙Qx6x+`rӡAΠ#L] \I(Hn8-__|k[cb\ZOo&\bJ]!둰lr=6ņn{h :0m[d\Ӯ1D@-= :̾4̃£b=5q e/S64Z7YC9%C9*X#Oq3zC^*t3waqy>3"\$bm<.x(zV ŬtP*=hAy1NjZz /Ymt*IR!DRĦ@:S rM3\VɠdfM.b.C ҊaJ,9\W 2Rmw|9m8R| y)F{e,4J<ׂ=9HtJ`ӂ# F,,V!i;4#)՘IjrOÔo(k*hT$NszU,;r5UjURVK].:a0l`.14[-yɧl~^oM jdakg'aiFO:Jl^ު2(i&h"36bpa1 @ &#r.{|桽FMbIMhϧ9-=}XnS|(e8{py4AtPP潪mKjy֌3`r%۲ Ή-|'61.Xq|ؼDG`<>IBKbƩݽvīR P[lՂP5k ue wZ _LMjul-kЗ# ό7}Gܔ­M- N crүb(gQt܌n"¸u`p)kQ=>*h~xrU['Rm&.LIp&xK;u4p?[<%xS@l51zuJ|o1Cѳ=Q `!:Č\nTr\J3Ai'uFhv76])1%|ibj}|L>sbڠߺ*{Ήn,\E,hO^NG"}-&]%MyW=,EڢM-{Ck5f85=j~`=|#bUA(zzzꢍpwƛ`-&pzP7kfI'o od^' t`Oج'eH8>[ m,"Z(⹴3G)D+x8I].BKt`KC׆;bh0]Y1[P9荏;qƒqo:~[R%!2M@ƝQ\a > ʋ؂S9}E7Q_Qy {Nv1}1ܠ5\M  ࠎ83}nҀGk m$ũ Xw0S'rOܺ+/Fbe햂&Ĩkâ[p6.VhŌh߅} {Lx\ `B6I uT>鱦;)ƩB\42kG+.{Swn,"[uqz&nD&SwCF(Xl hMH'=N6Y@ H c⇃5c[ ջEb!QbnP_64a%ml J|r͆zlv&MmB|mj7 =4uaF=Qv,D_SIxC&˺XJ˥jU̝g}o2vOVsnGY:SxzI1!g,&r_1 *msOBpb)_S`";۝Uc蹶-Oզ5VmQ40 >A8cE6lβxtm jHYA24nԩ$^v=q1#6HsC$Y>@纏dAݻ]W=Oy!)n/#2`CH@?3B; 9rщAЌ <櫗)V뇀!b')=?*٨c. H Tc;OԔFAPs;x\^Pzy<75`3k&%AZ̉g?R2,?.a Az;fU~D9Ոw^0g@V$ {Kp& Uυ_)TDy@lV^MGq-՝6-av ( w=w.0[}s.+&?c@G涘B,' f>׺`/=z }B>ЖMp.׸R-D=2AհXFeSDPP@!S 4]&@w;!fÂ8D&;VLQX< J,$ d pY :G$cxvΫj&42\W@z.~L$!6"~ݔ,YOkcygVmOb[1v7M_Đ`E*.TbC׊*vrzNцo52cUM}MueO|tD1k@UaAKh!b"8{3YvhMgh\cdk3,ce\_4lZ'`LZl:1˂/ech";|~yaȯ V$+/M$7L$JHȊX23wdLMʝɼy-۬w+o5+lUo ys_C mv2+4؜ZD-qɕjPɾNfQ*T4t0De8oO$2:}<Շ8xxuǮnkY[5b^/)//)~!+o+>#=PI{]$4:x;!Icp* T ͳ}Q۸1Υ ':m1?w;AD d2kҔ-4 &a}'o}z.$.:J{]B,;Y3BE#ݺ _\1J42mm`-kl ;/DYr53뒸lU2q'>^N\wI H!!!/!3tɀ}l.ګN;Ԛ=`Ѱ,^=jq3秫N>W0|%R)];c҉};UYe = }OsnFj,nc q_9Gj6Do1Cj)hϮd#fߟq,W?vL]zG}EoBw/=PZJ{T;䨨IKt8T2=*IC@ռ@؉bZvXΒ52VYД%r'Rѯ8\ڽfz2!A`Nb=gش㛸~S®V]Bw(sV5%`M.7(i>%bX6 EbipLIE3cSU̠oś\U06AoGDBNiu΋f٭z^7KZSٕH"/* 6ıwwANVeМέ0H= ]3"kF!RU7/Mnڔ9uORlϰ!?[ '.Z 2θXIK WY79oci E:[ӛR ym[R@LޅYY0yq# 3'n៟T?~T|ps6;(lw\: R;6_cД 4"Y-q$|b9KBpCU+ɽ>Dj p"MBԦG Į}oO}h6mV*:~sD+~~[IN5ɏQ:KR'ٶ˲zX?󲣖%?V|{EC #.ud 4YwTL+y2 n*7QDjApuPsW#Ь$HhTUAa_y"ic bu""He/ԿGeQk PvƄn{oYԺn,V YΦ ɷ5Hkn%z_ ¶2;/bWic <T}b ,L^S:fCf3IǗ`;gxs.=%M|G镀{?eE.@8~G"ra OMYܵuZqR ߫GFV=.8//X/E+}P-1FvL@0-TLB7/wxT~y~EDžsԒ,`NmC>r  WdMa?J`pO\_՘C⤰^:5KO ^sazU7KjT9yѤu̶wfhJك܋3C,HIT1Xec 0QS5at KDt~1؊.-WLB*-xVm(^H#lK,H58l*U]͑DAN4)cKN͇Fq6X 6>8ĘjA1G! ;I1kZ(<8 l)wOz+ħ `qȑ,@P3m:oEX+PzEȠglST\2@R0M0[2 (mwq\Ge& xbddV,c4Xìñ>*5s\\VP(LkƖ`ۤ`wrg Q+M-1)OlokB](LRZI#G"ItݢO-;s/Fq0T͂TOn6ѓN?J&^b;߭bxpX:7B)V<6Wq} uтep !r0%F&!V/6gRzJ`KUfz[$J2H6j'7RD9lDŽ »摅PJ S.%W-M^RS..:m0TEO8 b Рf8 /8`ZsõisJa ƃtெ:aG`J95 ṯYW[j01qZFf){`ۈɁ I.1FruJ}-eOtғKsآ܌s?THAPVt Ayf.ZX+u?$ĪꞶoSM3-0N9EeFѮ'gNP$z!gɻ&ʊ*AW7 |5Xx鋉L| > hQJ UΈϏ=?_OUyjO.dM9J46GK r~. #}*Z01m#QɧDgfXV*ſZ޼#2FE +@e!<\i@Bc1&yDVl Pu1MQ&=pw%dv$duNV蔆GS>iTEz'i^S_!cW!۱wdt7fpDb(_p\5}7G v6A /gx'~(Yr]YP93NQ+qtPKmj6͕BuP?*Jt9sSE%G=m,kl6'GCĂ!q. OKY'*2[V_/eN/2F2F&Wa@ svߝ;uFUߜ=P@%hZ`0nQu 3ax27ZL^Բ3Y;"]>!L.t)ۢ5m W>o =%f 1 >U>&)w,ga5Sq&Dā>O;O?ϢN : a3C`]uR7?cҬF2q#NL?b);pc$3z-%um羏M7(H +T_bk5} inehyLs Bt_"ضL ~Aa꘣}hC1Mzh8uY"nm'=?a5.8rܩ5poS5M3,sLR?,_o(Efcu*Y PT?r3?Qt.2YOs)_\}_rARy̵GRI-S0)Yw,8Y0[/ I7Wc)"j"'+B1h[.-0BݽNƩf|T899KgS1./O7:h*'r cdԕ XLR,}z(׈7]y< ^{@/Emܩ#^QD$_rΫ͊*bL"horYYsSi1mWAf@_Nl 7a%/l U* Klm  a'vnue}B8ٽ&Ff wtҊ!Hg*#z0-fnlH!j,|Kp6}ТՖxMX/ ($WAΜoq.]W3k*ۄg;bn#k;{#?p {1*gȼbxV>@~V94pL;ۍ BnzZt.@O xAF>x[U:j`bo+•!氩*%v"Nv2u+FL'L( TyF{s33}Vр.DH&a/bS/EUx5#F[bhճLh#cV!Ca2Iɖ:ڰZ@^nb܁~zZ}|wf!ҍ]s,T^A m8OWm19ӽ ^"**sn5L.N;y0`g6EěT1%}Q>ZfLa!+KL;eu]LC2Ao9޿Z"7VG`;A].!';۝܈E900ԃG* d7ƀVUfٱgQ<EWsU$N08'UIm(NNM oD% EQPZu;#uAScAJ>}T?^7Jmb!#`r'$?aOzšm624#k؉ZyPFT<`^P)Wm;JOdw*VRfaTG!rʏk 呥* {ΫU7=1Lc(oʃx&p4_X|܍.;Q*,Kе$7,C޴2]e#I9 .+yGq`V>{{Qs]¡f|0=f0#:TFKDΚIt+uO}GF}ĎWwF/%alBΝKB\5Iөr|e #j)]ug(x "&wV0[15̺k[$0=kj'9~g5Ef'Z%b.:!CBcNфNeG,$E}5:] s*RV>s"O5 & ȹ+>̀^RAPo7a^^8ӏgޏ3ׄZ#DVWndtZǴ>vREJ)~FM&?Hܧw73DZDuP ̔. Uu,A^Idw761 klRy/ͬa~`|=W^΁# zӶa7+(y߾]օK߉!Wfq̰1r(Y7E͢*RbLԛz{YM d:Qwgn|{7dF{KSGKCabp+7b [05`1|4;H^X:x!d5??vPrY jN!`2sD>-g:l=`Do=1OvL I @( /jxMgQvH&+#mzj"Epki?-r4ck퓊 ,L³#QsM q\bfd'B5Gq$5kHˤD 7pw].RW5o(#pc*ЫS$<-dE&ߒ܇M.H?h;JLnb-=ka#F_T~QΛ+Ӫz]$YsT2-|M#r[+GrTT,8I+=zKm*<(cKyqqP4/sA5= 7:`G ٰZ> TbnܶgKBś%))}r: rKh#F8p~ªԨK]*Vp߯ [RWAuߞHt[Dl'_,a*&؈!AG["805mi.bq6w^o#W5|jmfQūn onN{z#@y#*_DEoMuv^&Fp 2HxtX"Elk[`l*HIݶC3¾IpE|6;s5 M=Z!ᖪO_@^jJ6K騼UyLչ*G,OoHkn7%&mk3QcNTրQRWIE5e֣434UW<}W|#TgLf%9u'_gBEuAia 5/bm8fj"0: K3ܮ6>u }09hckMh';&U]rP=c~`->r)I1Gd+x R+^|ZZi`'m o1+t9_l9ueh\OBiv"x貺Bhu<$pRY(6,ڝujC<HgC`e8.`.P&L99z| b+2 =$ۋfpx=[,&'\Gqv dv~dفyt@ y H%Dg[*8D]*{HT0CL5j4O|-TC5 ϡvΏgyo1U&P/u,K*cF-Tڑ?/ntڮ8kSSh]L4ݵ@[,5A0CU j J0)7^Bv(D*U ӰY0k! +~[g;af&Aoa؊e؊ҰX )C6O݋Du\i~;QG*efccsYog³J`HaA ;F ;<}Us괛G3ڻXo_ }|.[` IQ(ĺ׵vvDOyqH&a@S΢;v i2AڻbfޡDAճ#`A opKDϓwrZ 姫psQM)wNXGͦym>Sm˜o(\ehGT4Q hSh9k+qcs/!f'r`Pa|p!=(EThLA <)wFM1.Wirޔ'p72&cx%2X6R4氒T#jy6z~{&RKݚnRGI C<*t$;m_Ď{g0?x&:(*A@}^4+~ozZ?1(&@EVA!: ҫF trIAZ_[e2T~ !hPk0kiԽJ5+Jd10I35{";']OϾZUQęo5[ kxk+8D:)̐(}s//on ! TX mOȯ3k=9/ֻrzh޸,yI<}&z"jXp@̪6KYzF"jT"=?pSyw4Ѳ1`2icТz$Iسӹ,[݀>?4@UK88wM&~ȅ[Nf@R1BrK[x 'OnH0|4mo1 7fJcԭهDuSn6Οi5F/fq>0DY_,%ׯv<Ŝ`^h%Wfr l ;WJY>< i: 8Rs "/f0dtJ4@Y F͐Xåg)A |cn-&.QiԊR7GRʑޙ dJ?hX|*p@jz@\N͇S\;G@;}}HEԧ.PI&g'`ۆ; y@V!t D`em܃Vo_Q&)D)f<-*vsh}|e}MTr-Bc)jV̟ `cB ;d]3;.҆#[R 8a [@R0Lg8v#zà('[,%1hhZ9шɳo&zKoRk̕ ;Nw/lxyK\(،w/c=g#r<5uJ:}{/qsyiJϣpZTFe{YC'/8ӽǑz)}#k\~r5 \4`!~f|.o_w`F`&򭭓aճd詯OitH<2'wd#+"ݔf3w=c_Aqvb6y EoR"B6=PVBI\k9v9]"]IƠ(6IM.DwLWȃlDCOe+Ṭ8DXv r"ԨS>Q/%J2$ eE6A8$–6|7JiH M[p={Q4D`5][/0T;;:4aPOJ:>+"fQLC${9:+}[}x9!179%m|fmpBo?vDq:Def|ZT5_Ʋ"sݖ !BORc>PF0ښЯ{ͬ dP$VER'4Su_GJ[N ,ibRGG8#{H{fLWnvEzc }gx^\*c({V~!d XI'䇝#O3xf0tEWP Wz錆 mg`n|eܞL,biMa'VM?_|&Ieh1^^OPw@nv΃bW|N2 <;5mW*sk˼E}Y] UKAoͧ6d]aܯs `L۬f L(-˾eB8R1'uL7nt6UlI8?Ux4ҥ:XHW5o5x0pNmt @@3V֏L0KQ4$x̅s TBK.x>ȹ?';մ:N w$.59~Z986q]NgtczannA(FauC˦hfq\ `0mbko_eRV73N'(I`g)81͚(`j$K}wiUIY OuyնĈtS.m9wAuŒji J(mטya-—)zٜCc @e]HJ[7Vnyb yk1ŸBнgb{Q?Rgr_ UwQa;\YQ3Jt6h: y웮`e6-Htԟg6] "Qb Dþ/n֫d?pf?<{8hZ.\ء.Tp%+yd6Wj~]Y4 !q X3[7A>}Y]fxqC=;bUH:U|=.>LR,&;F[[ƍЀ2nd>uWhQ !ۙ:WFY ).[;{zlG$sfIڲ^뭦.ߪJإI>&âjٰN:uANUOn@..Wd?[?Ot8is迤Y>pTCS`DEם 6D#}y ZVO~W!񅩤^= UP1]<WGz(Jbh9*7sQC>-]p#eJD5W!Dȵ{ED:%!<ٚ=%wZ 1eh>(!n' G|yS)QsP8rAr kc"-1)⥱֒?'Q.Br`KS5.c~~8TpB GwH0&=^ ~]ЃF;-~@02^W~m*j:y097e\ATe>]6AyˉFh0Q:7áoV._|ֱOvlp:I1'D}Q]ޡ'^8O>~GKTSG1 j`+2R>PO\E3ڠ"Ő|+kؠY/:h}gNN)pKxԣ9KvBԛe@Y&4ς K_Ua/`u O*bQmnݜԮ@Xk;V_,[J9﮳1uU㔹u2@ OAsIwnaVt]6nbbAdVyfS@ K$^UXBB15WPK )ܦك5 QAZb 9M,!) ]VD8LJe%C?{PR4@,?ٗqkiJ]B%9ҳT~?9&Y錏6U]6FP4KID .Yt+0 eGIOzbWjDt B V΍F7@XI_'1Y-ʄDRAܴ"^ѭ;At9jri{xdka``d(14T{U&ezkuY |U,}ba/=ܰBs:ƛs ˄졗8C1uCl' n {%zE1&qذvF:ͤspKXјmD-[=?3Y+j(%g|™Bh癤9tl,ߏEy"˴r(Pg^*)b) _T%xeC0B5$YX)<X'|:džqZ[f;[(HH׀ J!{4tNdMh" zr|p7|? H$B-p^}G||O{@p?@?B&Y3x|Z~rֆ;ح4={K z}59?!c@`jCW3qlXy}7Tm~L7kpM"zTk]qzY([ǟ, ^{Mpd|ܨ{3&CB=IJ~%yF3׃3d|xtp.ԕ3,SF.Mu OMmGAzq*WgV"1w!1^qHc߷qx aOU\[>W,G)mӒƨMyE=?,=U6XdY >Qݑr=VX6']$Ə\1끈e>(jzzS`D} izE(6} fib3MgwZcܼh q}=ꁻ1ՅGN4l#م2 d3yj(KiNn_Jc6|u͝hHѤ+y^ѭnyly抟l+Ō̔f$X6&J@oü^I*[OpZm)i88HWG~܏f(mv%’.=.Ŀf.{y>Yc8 hx]?[km-vK9ACTewEk˾;cc:L5dQ VZA|!B@Դ=?5Ġ.6JZq!^i7UaT54Gh8Ǟe b7n`&m|+_}WƬ4`ROwIhbc-.Њ 8/q `O^1 '#bFxRjʙJfQ΂Sщg&L#%МIi|T4Rҕgings_m%|A}e>Vg̃DT)7EEv[:}H|边4pR/0 Eƒ#tP<v% =֖nh{Z<#|ie[kEo!2TXtZ[ڡhrqҾc+Rfske)vQx_ 6; 1ȑԧDl|L:`='KP|F:,fϾV]& $or-xTy7pzw]guI׹p)/;1PaxdL2f#*G#C3DxLAa}~U(H۟Q 4[| A!%#bGpI؃%1EP:J\HRSN)\ʄy8$'\d)n6e^'.,{}v̈זpB_Wcx %L&z,ٓZ k=9fom1}H&1}e3fY\XaU|C@2fFDRL$Ӝaߘlr.2fxްI\8OP01@c֧o8F.q?j{Fف{g ^q"sƲɭҴ5}vmɡ q(RjĔ24 aѣ{(#TӘt8XQj<jR}iI*-"ېℛ凪xdB"0ׄ-jmͽ^Ff)Tb7ٗ@t$!NtFַ1o`HY?3-yqi('m.\7CPe;E9B4$†;@_#9 (s:H-h6uBRN فk:&&}Y?}q0A p֭i61&VAk$~ap#n>DbW @x\Fjm蓟ElNѯA|,XdN8{[uEEG:1cjlhi IDŽ/u3`ڠ(!Emg" b?z ͌=0*kZij=j2[=y%9C9U>.u {zHCOm .xRC8Ծ^ Bg7*zdm]ȿ\|,kNꡇe2!XW4*3GϿ[Kq*E + b]E e;^^=Jb7NJX_E؛.``Cu >OS&b36<ņcp?IV|,%GE9\nW+~R!wPMo=B7KVry0;;bv:f ڊ @^e2Df9u}zH< 9CͤpWu- ̧E t×R@JѡVzFS.l@`6j\(Ӯ i36kgOAJCL%,MXh%AvT3T};BcGy/;1糬2a)P^AUck׉(Ǹ3HV!H.YyY}A|_ˬ yBX<9 cB)P"yn+y=R-p <@>jvfe $%m@K;jk] C`g| //2M=V./5t~$>SHO 26dO0x7~Ƈ2Il>y .:ڪc8E(!7|:}iRkj# IPCQg$=2ø>n௪HxI74*5\GGa׼qh#<ַGw RI6Uk#OD~| wr3aIX_@ϮcwFUWU (Yaw[H4iCf*:;Fm̡?NDKO矠0(X8~G-?"]"FR ~:G[(ZxK5q.b\tڄ+J?Eff|']?kݩuȈ"pO#UePV3:TW퐾i e5a9dRՐǻ| °]F;`Cd:f0-q @SNKueV[6c :(,|{U¿&c[ ?= !H0s+KV3Lhn=Nq/*"0leX^9]JsqI1wˀ4KO: {~]XJiLzc5zsL$Qډ~YWg죡-k|8/.w#+HڦLzs70M[ oXXVEoG[-MU@ɜsFilk=VUz-7Lp.e Xr~!taBIM5T3(yQY@IJQ+\rw8)Pӣ >8˪Zp7 &rk$&Kn٦.*Z7&ȍr ^!ݘ>#fy9l_ϗ:i+pIj9ɻ9>(5H NMNŝaFlT{h 0wwuZFh_q1pT/it0f\柱>m0 Wُ:Y-(]o|)>)$~bA?̘y0$y#aؓrR)=IԚLƠ$$d_5tpB =JT.ĤF*pܔjj3FDm& ]nLD *.O0eič[1;K QY{&M mn(Ew0!qXg†p҈}Ocym;ީmJ^iL'41@| b?,jtѱ:ޕv\5kqxo\K7IK8.pr)m0;3WYqڙ;Ǐo;6a#-ޝ]Ai  Z8]'SUR* Yߑ6:PEG3y\gAÔ?&$88нRرce 2=O4~ک.S DI-"@崞OYkc N'1)$5$RM]VQ7Z%P՛lL`[ŗEq+Vp|[c;(Y ʅ W?!ۜE`omU;?bX*&kW&eE2zg}_$wAY0;H3Qzf |}ߋ1^닶2_NsNb |\J$G!GK)17cQY!JL&ezeԴHGYD:U'Sѻy{*ns=!naF4ȳUǖ/?#B!0$Z(]l_K}3LuQ W\~ C͋RlRڼ^4/ \ox{k?_1`w}sj$op'pxQט X]x(0Q3B2&jХ u/Ҙ .ŲVqQkdx2Ìfc9kqNˢ[ \gcZaP J~A 4$Nr<(t khΘԺªxqY0NĻJ o7TESAtt)u)LT+uHaj-r)-zd8}rl3g,h iܦbqÅd̈́}w ٴ<]_0_G $(Բ0 ]N= ~7= UN}.5 a 'R]K=$0f=o2s} +/Ӗdh;N<O|ioۿA2! w!9Wʳt.YdS?A,ڠ*xO *+cUQv^X@ k,(qK5ԯ {ݢ`Op֭ 6\oH!SSjnڋ4@kh= bR0kK !+ |Y'Elc BMXy~ 3NГMjID}J_.' e8ݩ¤&B o#*:F!Ea[؋Y^-Xn&A/T9e`xcXX3DܩyAQקa霑0#s'*G:2`U|!{f4ktg7wB'1OH8"3>x"{ڒ 5BYhv{OuQg^6: p j$;0py渁ZO1vǶ졥ܞCZ{*BW ɢ¦1 \p L-?^qRh{kzi#oE +J׎7OOdhW _.a&PE[0]8Qzߪ)F=uaUR YY'Ȑߺ݅[5:RjJF_/|ċs٢v#i;eApRf]Hfm_WbSwj+' LpWQ BZl |;|`qe¤8xus3xZjIlTtQ=xC+ݰ!0Jta*goNHmuof".#3}VÐ?tCćiI9tC{iYuSHr6gL,E/+h9> FU:ҟdȗ琩"XG!yC5R^{iFyf~0vj|?+f,8OyǓ޹p2k01D: `|4_+ Ȑ.G5x# " pXyu+SLAtjSA(A3A"E)  m=ĢOXSxox(3CE`G^k& $RYW^`H2?UYg<"gznzHn9ݝ l*q%o\݇gvD.8"*s/%[bl2X2̭)i8IA]93ve1G{ܑx?#xtd-蚄p^`HL<*Kq ElkeBV9;7ٳƑ3 ]և7Kx56j(S)=ҶE%scdnsM=2L?]V_ŘV[:J >{;8Y'"vljFv#HRx:bAɂO{xwOeM׮';U@iF\{52Sw0 aL1(~K"ж Jw>_ߎv;S}1z_fZyBppqt3pKU,jbGm3諅krX15*HH E:06ҀY82 !Cn LDJtRnn7s@sehx~tM=~X(640 uopKrvuli6hJ ŧPZ ڶ8ać?\uiz L(*G@#A}w+K)%! +R| e3LtCˏ,+02⚉SKSFtZ˟A|e1 A?$CR63~txN#(P4*F}8Ǻn FyTOUNZK?Wnl\#+L.Ӗfښh]~DILw=Z=Ge2-BxvY#Wxߓæ "FWĔOtX.q3~&铞7Z1FALF-oĔ˧/t-:1-d}k,÷Xu`T^$hl6&]4ċ]k> ;HwqBU W;؛过٥?}U`$V)ؘ%IקèEmŀcU8_p›&L>TdipۼPfpV\֝up "JI!B@H8!IV2ANa者|? GZZֻ|$VkNWșmhOkwX3b:ڌ<;n5JVЗ T‘NPݲo,A$WSżXH@OKWw[s&َZu+L-6GET^2sbesN:dM5=a5^ HكvENKwisQYt-&{ÎYu2{76sm&L}qvEW~f&{k+ݵW ޾KjVZU4 %ɡ"<_Ǟ;Xa}uF!6d$Z L4g O-%q;z~?&7׳1ce) p j AlT 9Vހs ?vU0P!tPGoB,>3z:sTKu{ aoIbwx>@13W0p%e'Pnsϰeū\,cԉqm*ܫh0=o$,N2 *F5W~ ¤oh^%3JH@ zZ)ץ,k 55<:Dj({l Oe/g[z t `n`P)2E5PorV_8<}&] i| m#Vpouxx! ʕ^Eհ%vEBfǂ:RuW !5NVȸLNh@>_I q׃Du'$-~JiV&ʬ  ?=E*~ +LjVg@ ޹}J˙BV=BDvhI>c'N ׎v* vUE}ڃ `4)O:ĉa+LM ܀A)TF/DzOTjL?"F= xІRk+S l?S3fDꎦ\bT:RyޥlDscI 79"4H$_Җ ݦ_;bw,)RءdуbCa/JlC _4OSaYb5H TO4' :3F/@''Ɛ%p©sE,Ze"^Xm6uINk@J>AIцۘƀ0e5I?FW; =g>Ӿ!+S$S{o?p m\<:Ctm3ђy/\EHFs7#"%H: 8R`"\6\6?hy 78rXA(ô-]pSA*B'n v Ij uх Cl8D]Aȍ4NִM& :H$|gwӹѢY:r |+թN1lRGYou4Qܺ}T~ J0,(j.T駘A'YnT 4)Zюj g5REaiZIɦB? ?&T$!iPg -lԋ*vr͵u8e;:@#GҦv[g)˥l:QlRl(LNS9C|w( SsUIe)l47,ʪCg; T!T(kcz"$o~ȲƐXRM9=bk{~bgV(S e@"Wk,[xkDX*K^anI]Q93@'yLނH82ZyA1ٚuIP}֐q 0Xr٩ݚE<;GlBDw[S)U|fZ8a~Ed@YЃt+aǺ{m~Z]mwH& ȮG]]Kc0g?N T6`(%>\g%tݳ"v3nhg^ Aw6,e1]Յ(1ЌPc7ӋQWւu`Md3uZv5BcM's^ oj"!rіpi N A$~ߚA]|1ϋ0GUS˥6Ba>;*k޷{icCs&^ט!Rm+W,7y!W4kvlJdRO"<*cUoδ٫YgPJ5A *z!05}$?%-ʼni Hn7E(AHPҡr#!B.~=Z&J%nW%iRʴm>WO2D|+kv- *@:<1m'oT[8kxxŌll 5gћiD6p3L 8<f|<+Ӥd$D+f|e:oAp1S2J BZ3`RUt}f evg(A >[N'(h-Dbǰj 3L)X *I]Hu`rbH Y#]kĔ,~ z@ Dxgo4Eorcwi:+1-s13f˘! V2a},z GpYS&k9`BB$Y.+NBBEԴ FiW8Adzſ}EtQi*P] 9A-8pn^%=s'2Ic̃k?Ҙ5wHL^ٰ!C&majXr5^',ZpqwǟTPa||/ nմQe.}r^4f"R\V.<==YGSAH}a:s+&*\v_ -ߟ0zBWf$)aObTk2zgU̅푗?v^L@{ ԇZ# *x3jSuĠXU_!wtD Mb'h? L$}@E(ԵF߲%WѝץSPV@BY%kOnf>8;Ul _׾*+-'4bUԕ2^꧜Bkg]ǀ'ߞ? 󓱹y#Z@Yѹso8IÔi=<)o AYU~WomNp0sv:U pt]eB{ӟD7SD9L]QdNuQU|e10|[" TQٺ`n2Y@D^K|ʈdRof\p1OpC@s]VNRn|SՂ58^h`(T4nqf3Us ^=, 90#2y#/64H?&sj~|5oAwhx-~&w*/Nj˜dGx֣e/l6X2TE~en(6ڑ[&!,֌C ,Z#* ݊+9#t.ۅo3Ґ]De|BДA` NYZWA7Y5Qo3 W4Z*wvsOy#IT|IɹU0'6X>X9CΛ&|EX0G1 lS޻#.ݰj,O:佅k7Pn>ȦQ 7% E. ]A b1;.bG}^wrjIFʱU,W]\֙Y;:cQ9fI+!Y/B#.uygCW Cflq!K8_&wүVH pbPaE[I4N]G\?lp̏ڏ([ \78SD7'MuUw~"p4R31I4xd'a zÉcxfBwk?ŔRԦ.ݿwQ+ 龥vSS'c01i8 ġ΁m$̻`OM̉HgΤ/ xp $TH޹0RnmkPB=Ք#r\u?<;&qKTϡɫ~9iJ< .b^?cm-np@f};VaFZiD,^6nseq"Β0m4`5Ro^pV8Snq~/ EA}16b-YĠ;:%LyLR\FdCk610etU27X+iX5ӕ;k%wؤcL'Hq!u;aݰ`~f9(LmD wۢϰŋT ؎bzygZ;Ƚۅ74BGچь[+4N!sQe .>k K+L++J#sEu5%7-!{97ó~}1r:d}<0 S5ֳpˡXQcݘ7EjͺQ C4-asZ$t[]xu=@668D~&,D?5z~f4^a ICRX +[h  /# kb_\Q W qt8A;Ch]mڄ؏6}y"Z7D^s Una~[x&R8~J̰5=A>eP M`-OSkBI_s1W=߽b32B@oH[%sgG1z`yw<>dHduL_/e37\6 Z|< Hq{3\e/┸Y"zK J?.aBQYzfߴ8>a;~]g㧓fsLW̙mv677$iڼB]G Hi&of22}7)9AΚjE:ɣ@D.+cbNasE; |O|Gm#&Tk{1[͗k?^YL^qP Y-C/0Ϭܗ5bz98M&'5;-`2DȩLOQnܝXI"r΄~5Cn1L.VzB%c3I Ձdeo4j!uMy~ɼRaû4GE@iDS&,E4|?ʔ""썪+np.ݕ<%7rJ08I_X{tߌ?AVHAAHPgY|LGgJS*X unIbo;':7R̯*8i,&I""'rDw7eɔ)y2c&QbJ8녹^cK^ײ\@7U*@LwѻwPro#'[!%7 9Jܷ8JBï1u2Mb9HBۙDL-5',vld~}f歖Oa$6 ]GR E sfl[2O}"⇑qa{2"곛0nT$N34]A?[(WL,*m!g[Y`-)]yvkj!A8{92[,A:*7M[{{.Y斎h Eށ`,~T8c҈v p >~H$g=,k%ulmSj"~>jujz*V?%@x*Љy. ׭?>)k\M]3,3}kĀ_UprH3xA NaAtQGY-CX9cȰZ`@&:bV"J Mov-qaaD*lȜ(z8aZn0JqD!8NB&}N~ۿRU[yuJ-;c 2fm[6츧M5a {;dr> 6SŬ!r++\`:S rO#ҹr⟖I w4/޶UW ,眿@?(խMKrȯ*'xR̅W࠘#Yn͙>|Xo'O-Ӆ@S~Ү hkK~"%+dR7ebdSg^6cNˠ]|r-{&m2p7Vİo0g$ϵPhOW:[u🰺k&*Ҽ >Lwx?Q奌1/o7i^oIn5zBrS+}=@ bn~;d?N7ųNYd4(ST@i!jTr%zCqfXRLEIu1j5.d`(c|>7Zs8uyVN)d~HvS~  ЗL- w0 %hJ2 ̰]3v,ňОXAԽG5Rw.ȗ}{:w8zPj zZUhmd<؀,!A0EFuq{@:UJ,؋?Uo!yу>VLJB+C>SI_]&$ñ5мi~BCRRB,Ir I,grH40&N&@EYLٙҹXq@sh)N֔À*k@ゲ {>It u z(j5K90sT߳U%8 mM:6"\ p?'rvAdʇЎdU hXHd̓\8o69(a/3=wW4*pJ%Wg%zu\ &f ]h˲M"3N6%y8ac>".P.sۖS&6ȣD>Ǜgdsc_S?kaaZth =.jِD'0D>`K pa8o1iz|m_k *Rq|"{48R w4EjeDXa?@?X%1]+ K?+~fMEF{ eM}9e9Vv9MP=~JFD{-eI*,T&Î([2 (@z !1Vtk;`{ȑ,Z?gYV iXfk`m {c]_D@ҧFswD2HɎ]Аc |4"ci L` +񔧭<x`h[?'zґ#}a^z\Pf)0D/qOvWcw"*07Y'>J:`#X0Lm[ x&e7SMDBڡjrgITuAPXh3c\2WZN|iN_$+?c)H!W[)n5ӏ %#CTՃ~z$f=w2="aAhaʫ? n6Csh[ӄK74o[!626rv p|N&V00}3"T7.SÎC+hnX`_ZʆfcSɖAePwZ4(K`aDc@5$ewhϾn|$&]TwՊYy|w[ Qey\kq;ݚ,E !Rxz<1ّ37/4.H$‘sWf'BD18aЃ -:/쌍TG] 9dp-vS $8c^qj~W&⢧޲m'oԽpѲ<%hmM%R)l6&;y1w,8 /7m `ҴgEs7c|f3kҏәEYHkWYJ<kZ 1-͆ε ]eD942^tb"Ayna(ebR!M3Ws 2$2{i`OHX&^d:cS$7#83`:ᝑٶo#*J$=O֊wܷzq1$IL&oDTC{5xBP 4%"u}j+75XD|Pg*P^ ˰p(9lȋ#&%{G.ÛϷM+Ws50@sVǖ5?ZhqM5(,ݿ>:!MbL1oE qTPdi x#nYZL-i:u'.7yY4;sV:CF$_&OCEGCj<騺Ja0@ik(:hø$C/ؓ}ޣUD(fNĕI껀Wb;Qд !/U2'A!$DkTkO~sP[28%ç6[kWǶzD,騏M2UL5aF^j%Q@ 8j>h2!s<H.Я^.&NoogIp&O-DY*̞[M; `',\fmH?ƈrh ^۶7TRD==8錰2Fq-d)r+Sh4&b55ж\F iy-a&M;T&?HVsZ.XXSLb# p!%t_2SuD!NV DO{ESi#uSzMGNuR ЙTv]ߊKqм tEkq'rr+xEiVHV O7 ^*Dju+c!E4l>"do8 NYE)|s`jl2Ɍ8jN&"+f +){"EdЊ1IYN9xxHPBʘȭ>nI!wZn,,C׽Fh̜NK=kl\>~yTłilr#;P.a m ~$ZᡔNI_rYDE 6[vn^Jn^n(9lq;oA)T҉o‰p%˱"kn晢~%$Iރ0[$Qg_ pmk9>0*jmVKŠM)I#G0i6B~h i48q5Vݐ9JH mme_]o%znsv|[Pv8I ]a`ЕWr8 D6|ؠ)Qmˢ@$<$^XezFKK(ƯH6c߮?~5 NAy0] rń]IeiӢ42r7%:%F$6:LPR nr+RK"An SMW .ǬyӪ_x$ AzxY; x"p×k7c ?PwF:lݮWx PsLN qq_; 4Dp :ݑ>)2ʫ܎'I\0B . `k=őӥ*s 1_Zx[IIIM ̢Y8QͦaKb] ̎کo\ޣF[bF:IŃM޿';DM饜WKU%D1Q*aƑSOrw AJIg. +s:i=ҪTlL"y񧵮@I5k*9SM?GڲCFNTTWݮlÖ\C@-C:݆p=g_#krӟ~бML/- @k:7# \/$u>̴nf+g<8+b8?ݘc-FP1кoɻ}DVe]r?C ҷI]LG{Ӱ| V:)yokBsiYkga-ڹ*ɤ"'Ht2EjlU/m W}Q9Cj|Ƽ9i1Oϱ_NOvb'{H.~k a"%:T6Ui6/ZQQgflb֥Iܡ/L؄_YT Yo 8`4!o.N~;ޅC:J%N'L_|WJfR LWT]$@' )+&icRa>ket9\OK#6ѶkZlBȃ>8؎\_N4[ߜt lH}a#򳺀?4@gPo1/1h+z.v]9vsY V02IԁChtQ4Q6:zDJia5MJ!Y]^呂D3aр5~}Ʉ)ք?D Ksl1 h* ױ>W͗`qmɜBݹj5WPf[6s13Gh/?pk&-v"~*tΜ2R/dKԀ}EiEh_ٜ^մn>؏/ -atg4lgDcUq6L#N/yYMM~Sk8o9_`U_z%^e>:w&ApǾ!3եx0:^a7xH Gb/ 3b&%.I)HT%cx Q@^OpHw'/Syy%Cr|L-dḻAUn!~+G3 l;(| (K?2b5ƻ[y-|2r]˥p+Գΐ< rXcRq 0 ɇUA.jJT`9! o-C:QۊXBRr޹>-H5.1EQrph|X`$ҕÊ\QTLMJn+]=(CHm\Y Hn `"=:rydfJx=4s6]ZfMSlGiT%%I&d7`SvޞiGQ)]:V ||) {1.ʳ?':>ȝiG9'%woyxfaYKꄜZ+N@[d-T{_Xt 52 Y4Ҧiil 1#`<n;a4 xDI>d QL2bh6Z i m6E!y 'g:LM5饗6Tr+mIdZW]>y_f)F7|Ϗ6!՟6LU8*{nS/^J^zw5r[׾5`cBoDJyaisQQB#YaS[Z0>_2wK d?R6nPnacn/xYe&-v U#@ŸP~&lٝڣ^֒ Ƥ~ԺmBt؊ԹJv6ti%-spig`RK @8e,>ǺcϷ(̻wjڡA:QSw6i=p#EtrY'=97k'yPHNXG'Һ|Q,͚' H3T~CpK- 0m+)=V}]::\<H)KO]]8b1md NItޘt0:V#sf0qFA"crj僯bɟ0Οp[#'zJX.:UaDx`MW~?dC/hIr\<,ƔBd;]&1eZ}N.Jj8&gWŽq9/SotKh)R?TM8,omyDTiF s^ m`гV/ov@Ȭk$x&.ꥎ_Qڳn?=|r4ƪB/Z&GoГT֨4η9?fc@@~BVHjkVh;}{k2̴?>CZDG`~G[q5`ecj3,DӆO'r'{GSJ? #pqBes ]^\|OI-jD]"ܦxZzst sd^ cg^9]6s2DGdI44I!bq60T !5OrG@ls'Us S]"7h;M&AvY/LKo+ezG7B~mv!|ke%CV}-o8qe/`AIhb.k2ah>[;L0\m,q?n9!*2Z4C}^׏$czƤV:MBܱo\M+ec2{{o,F4I|ĞOK`64eq>sNpر1QG*g+2 rZ҈;㚈Qگ NrINw: /KU$V-l&w~^#BD|̀?(jZݷuh6T^*NHREܧƼdwdJ !]aI8ꊕ@}[(%5|Gsi<ߘ#E4,-k7L(/]pdiꍏWnD'NF2 [/f|=B2<{2l*& nAO2׭ ;*I)x#^3w̃/elM|?hCYYfr '_V-S낹 i<= B{L>s]-fܚަDX(NnV<LJFz =yTcQ BuTF!$Y?sTXm3FLTVgeo1뷹Q`Eæ-6VOǽvg{-LÜ+Uԑl ` 8L&c(`?Fhf; zo۫v;Wʀn>n&0ÇegyIpc0ˬ8DPE)O]@ ` S0=ƻ?_}% .̊ow D6_6syrѿt]%4A%A[k}ԫزtU[v99bf4d?7XJ@1>fY ,)džEt˗FLr~C71$g"XaԐ RN>TֳH-"(c;LOC,d`x){۶û~SvRӨ,,yMd0qʌ>MP3<}!M]]lʰ;НqQCܪ<\w`=Q  Q=ZuLK[Lݳ%4kQ@<0.ȟ: 'ѶSI>SNmGEVdCCwV{ D ˜P:p6wa a*5 zז@k@%j:Q.g6\o'p&|Mj;x_ l RХϰwO@AuZvۂ9 2jVI]@Oo۳/5il&!RQh.a3rv8} 'V]&"$F,t(~_x=ᜐs1%8QG!+w"2b[}OU-oAf尦RDb22lNJUnhH泎QϸxȝŤoa8 E9w$~ X^ur_>DMwșrG%MVRFnU">'ڵLr M,_[`=糩,܌۞׽W޶R[-ie ގ$/X8Jmz,M QR,5r.+)rޯHUyWO;onf)-okV$ ȐWEkaa\*WXBp}ᏰW{ai{?GBmb*/S;u /G5-f A'Pњ- ض"dy_&*. 50ԈZvU_vb, i08~uPblazis'ͥN's5W-➲3fl{OȎgDNi/tsėY+ṃ ~١I݊ Oߠ]A9U\BusTڴDDP_|/,A3ր[ Pe( g<ڄ"(zߊR-F/pp.쑐FٌV^cY)]m@P|BxEI2žgu% @a5$1sP|EQTf0{U;O`CS`ad;2|O!xQ.!>3X|?JHCKFqA%C<O}(5;+O`飼~q+ֽZ_rb@8ز#s .921^~p'.b֠."Z) աLh5DkFIa@1@ m=Ԇ ҕx:4]Si3ԋh'TM{(@ ՒJMѥ08rlA!pt|Ԅm f܅m β|"",Wx]¾saB?N$Y6Sa$Q 2;fP@S.zgq ِmC6QF!ӄXƦX]"JJ|JҌ!u400FN7jnefcQ}bO1.}bg ;2.8WP 'ϤN*.tQY%BUx f i]*U^ⅼ#\/H%Tl 1 wybc>w >OD2Zr2Rb=*j\lBS vjOW,3>r:q<:\1A#hdb'o 2e),sl&;x+U ou[k\|-_\p;Bt68?G?Υ 8^䚋o⛝}º]˼G 2|ee2y-G} h-=]j-)1zB>i!#CUInCifMZvצJr"t?\PEVz"Z]O3:J\y#AiJޭ͞nC Yt>ϵL'Zs)5g1w>bOL JBaYQ߶2h4! 7B*7]QiLG>'1u&ufzN[.2V z~R ZBJtd=ե`O7"X,,[# 5­d]@ϳW#9"(jilB۵ CX".aW5-,&X _ I)tQ}R'l]8'ZhI뛙-sP@8¿'1GX^Bm=q(%8: ])tv%X݄t,;M4,ņ[[\c4(G@ý!zҊhsAIK 6m.Mfweb /K3(B-^&c AYIfd#!MeC\Jf +L)vuG NO+'-^V롼._ J\_H zH})f%jg(.VD.VȬ3eh8i0s7) g/))?g@廫ΏrnZ2TYFVw;,>EWx3P4i5?&6Lr`|)+]~zzx/Ŋ:b^aRy5v?' z# kxi>+`[xPi>6bۮ%GڤhQi1wFs2H /Q hȱ=oF۔bLCTNlV-mF qe>~ 8d\&m^ٌeΰ(JJ)ZqH8vb̋)& %m!,l" p֗A(B{.s52ZR1==K:/E{BN-PSb]ϡCX0*J/n\cJ2:fĄ׼! cd3X.ֵGͲ].5_SjrZn( mXٴ̇"%$й@lR' 祵`SHaH O.pNw]U"& 1D#t݋A:A}!I!羀Eդ0},C!dIU5:U)Da<1Vڒhu_8#:253`(cZb)SaB<=Iت^_XA-b,}^̨GEGlbIUx V+*S]ޖ&Q*AmbG|Q1& _ST6Y7W$T6T;]خdߋ*&(*SJ@,_dQϏjVGcg%-jHЍ忛Z w'.&O?ƵعYV',STo8[ ULp`t]8Dr.2U*LET-TgbSUx%,\#SKjv[7vh^"mg LK#$mT&MJ2S!\3 󬉡0U G$BQYewUQLI/FU*;Gb ۘJ^u pKqb*&0b:LF?'ln|6K4M`N/Dc4֨{w QbUTjUԈ)*뢉nK,}NDfk?"La 6bU0]3T1SRlq:)ﱢAE-&pO:ZTT "b8Th'KU@,ľ-H$-^FGy|U l&׽]o"v.c^,VEPU,0ZպuvmFU,gi:|;ܭys{ly{".툡TEhVEXkصXTEREhSj2&R[@a#Fk:NܹU٪8f|NϳUxZWtГFIE*|[(/!tWs#]֌ u{Ds-\~2z4'W_*8>]Ao[lSDHa!zTx!vb8lljM|};7:8_\ ٝHKT[\' 41Hs{X!8+hqjEPvqG/@cÇT(uO":]fPIh&W;ێU\)I*W3`x^_"y@%5= q">H Aqne&q"nƈl)+[)Wx&#`"^q;|Kj rzZGn,[(W[Wx8 ="sX$vIax,pErfs>-/K9SvWjT#6%oȃrJ|4t?FVceɾuE+J1adom4w01W`c'mפ?5Ŏ1W@GF 㰗6Oi?,n IXI&OŚoS$=7fih0uk LlO w&Bb9s@nm<+e,>d5d=z㬔Q’λ5VG7m'%- Z[[@c˒躾0#W),n象e/oh|uI^C;|5eIt1べXjje)'sp~oB69:\hM-)OGDJ4ojZ:0$FG%%k3+[CbKZv`ѯ$63MR:e-vR?ZJKPLe#Qg5Egn Ghld*˗&8aW@ 5gR=dYПU]P$X܈_Sܜ4W `W#'߂qϸo?t SG~\Ο>> ?# 0dàg9;Y+A=C+ANye =Kd5K P plTYj;́ "A$@'#m,ӠCFC0dXD )ib.`i`LYf8y0 Qa%>!Hqo a/BsIP\(TjY)9 )BA;c(;*Cql| B/.Fm] 8 F0\XډK7y6dH-9=0j< %xi^'9_hPz ss#|B _p^昴MiyYCY!2}dD6DVˍ4i&c;,j6ԠJXj*C0%kpil4 c;J*7pPrB !ƠU }0.I{`Q(k< iLh9(T/WAu~ ^ulJLe*ti 2B*ħ ZLP<kۋ}0&}'^$\* -/\ޏ.0 `t8'p8qOA7<s~6I64Xd(B5ٜUnX$8^UXwS8F*T}bj ٫f5#Pby}p`A6t % /Z̭Č&Sl-la%oSZTD5DuaLT*~FuSEK 9}O #oWi1q٨iQG)QfS8J_{~"eDkBC/JMdi}Դuw֗I[ol(Ƽxn㿫÷.rpCc|oCі>8ajEZWLIq9BfiT9^ a>% ϚkΚgHs8Ϡ,0by>g V臦%T$$Dz&5lh[dO3T< ZȊ,N-688޳Šð2AA!,K2C,HDwFKL [Xս0*,}yG\^qΩO̊Ua(sd2 vĈ|Fԯ-sl5֭K)Vؚ0Cakc*%!(⦚bS*sG9 YKrWg><3@)A*MUOC63)inK4k3%Lq&%\d` >Qc)0= SΞ='e l=fL, 6 l&v>q9'ӹh =l#:.ً=3F^Foax8r|1 Nb(aK˭1.eƞGyP~ cKX6n9ʁ8#f09apVą\ GL| ob q`6?DKz''W8]x6s1d~N?azKYz'ҠǢuo}r`iU͔j+ȏC`lQKA,Q.+&RRR>f 'a}l /D-]gYXL.3R3ˎvdQu,-0`:'.` XGaGvb_^a1+QQQnzˎ).<qO\Q|' -LhN8@*LJ<pχEjzny΂ey 'X-TR[nrhYCk cPq,LYubHAźsIHk,=Q{`DŘ].9d 9 såDŽ +9^>XC1hM6H4iH n83YX˚ y OڒQ#Ix%)Pǧ>bKMz Pbk.!V{ɪfɐSB<~1QsyH0C ^KnK erCPM-_ Tބ"l& .Q S}F{KT>}M?\k%0"v^Af5J0.KɯoHDC2aGO7*Il/g$F yk`_zhp/l<mSWh5SƯ/P1v59 cgYhva I7c7 3ϯ̗B%ފ>Mʢ7!ha EP/2~),WJ TTbd]Ͼ Zvj,ez]'Wۖ7uG&7:,8TKZHEWH#[lID;l`UFBؘҊҊҙpw;Neփ 9^=PʿiljX/:S?cU]R+W-`kkj>AEM1 ^9FO{{HV0͠XCS}=0bfmP%Z=eF DaC9?qXȟD# 砍}'p.)lC7.࿀}%E < Fbv0MmXcj!}C68Ep3A).od}gcWmlvR|PqMrG1}ց*xғ؏FUPJ}'~Mcr8YYYx etX%xٿn߉^ȑ^1ɺ{8ٸ Gzr3*j3Yq^PX=qr߳<GޕrAu6$ΝعbheS[7$#~,?KO PZxA?F~lM0#DOcC{`"Z&Z[0 ]>fX X~w Oa?O_)8\/GdBpBȆ /xU"Ql(fn1U6MfX\gi*_+mb2dٗc5[h 4|2'v>eݯbPZ6>}= -~lcM9xQ xa}L6<*!̎ fUC>#8?0Ya4cN D,*}VX߯GZ:cƴF?W,dbwZ8џx0OY?=y0?_9/3_R#OTvEz1fE7dm00J쀱b@EńOzD"`ISNL0)fʥXRt~eV-rq~Mw/#˿!oKűbxv֨9 Ϡߙ%Ⱦ0w"Fˠ\\ŕ0K\5" [h~j)Ajid(ϳe1q)K1/[}3|2+ǧRhc x6-e?LGm'~kɟdϱ<OO /km ,|Agxlx?<<5<ytȇ?j]0Id-(g<P [ְ&C=ހc `.4b7 iArsޞVH &,?KM&  =KXJ KXD $313RnԪ պuiVuj[kmkZ޼y3y'𖻜{g/|ؓ0Mi|~HMo[O`|Ul-Rg]Ad7ѽϦNƻ<0o꽓.h\8?_a =_=p*oq.˥t. \WWWr_˯rC*E|^of7 =4nz&Ao>t:E`&b\H=v%K}T{~"D!=#Qj$6CtVih#8Ɵȿgͳty.?H?/L^y%#DŽOR j{ _ktZz`~T.l濧!ޥߣ6u?$LR_'O}J? :?_ ~-#X'[HHA &4HHu &p4S DG v!.2p D&eE6ȡCbT2-F=-F!.b4C&S<5qz[]TEԺ8{E[0nQl)&!5d*S2^e]feAp=21Þtb>.*0F15nQ"X5YOHTL=<"M4i|XE՚Xくp-=#4>gY}#肳DfdNBM5^M4țbKgPV@QlumnTBnAϦNz %]n-vPNMt[x.8?_!\@OEnqG\".ſ-.廂P*-׸ŵN3KOc0~o+h+k mn)ǻs1V,]Vbڳkj+Vկ`lĕqs|o#_RTgf55^`Kշ_jhC21qr ƮMΕĉ$f_j_g@qQ:py![*[Kl bKtf`6F~%DDP?XkZںpv@0D:?"!dOs[(7B@Q6FJ х@YbDqmXeu´PWfh<5;{N0B_ .W/VAq~F+H DM~ԼuN`"䟤8yP+@tJ8!8llNՖrmNV= B$b!NdqN0rh4"5kk hEL/Bn@ PhpUliv\ k %_QC:7h:$,lErD#8&#XhkQB7Q`u\75vڻU]:1a4ZbExJc$j#5-fcDjCqT5#IGl{ȫX[TiF0 ::H6߸uu Cc=Jk7j{l4FlBkڮ]( kk+ѫd [!Ѧ !Jj{϶zOQf_T)nHb::LiV-'0%R;b m LeVeYg|\G 5upkk|mhVa!565R -VtEQsoj c8~xmaiN9PMTC6rTQڢkcQmYJ Hnk΀4q,D*0(fk b~ZZV̴Hv5kb7JT.DZ$)7s xsWn+O(4Zsѡ1F9VHoYh |Ps\ ʧkMyʠ8{<0uG% )_'ڗ']P!w"ĔnwxUmp*q&@ <{X瞋FH{B]ڀ ږ8觞L-JqRè8lgh.]-=+}t]R|ܭ{uq_gm]A.uqݬIl.aG$=`uc(Xh{/R9 QnF0 ^]<*W ۮ>]͏ON=~Duxv_[F|;C_a4N xJ/ԥ`l6+ץ)tIMnK{LiTl:7O ɦSA,2]f2Sf2d.a.su9q#'>QMj:勺La]^]?b0&y()'T9ɏS{i('|]ýQg$d!Л-]5Y)e:CԞ$'rS]NӉ3t9Sl]9fi$B[]<]Η PB-7oƨ닶{?, G .+d%&9<.PdA$ 9,Q%iF$y1jDۍ<!XKe=]d#:w+Jpć.e:׸u9(lFpsg].W ISHYjXb6j2ʋ<)nU5ځ \m*ӾLx.OkL𶤉 u^舄QT&K AC$8Knd0޲}yQݵQ~ t铛pLͺl~]n[t6Y@%[Uhe]Ov'2(C q6ۥNv&èdD]ICe7y.rIKźx[)rSo{ 2Ƕ^ }< f68JG]^KtiP^X^Kuy\WW1rά.&Uy.ףɓ7$_CNH.oKx[}a2y#y#!/::M ٣ݼZߔ|_` >Jx}~66 $b< *w֢H`;3zF7(坈1DoҫwbAГݎvH cCީ˻ }[^O~G"2 Vts%Og̦ǧ9'57]+c~.=|(.,6]WMpR*nllzErde&?9NN:V Z9|#9%?91msWb %11 | 8@vyT3IMK,hu21_`<}T9Ş_m#/ D w_+JQ:z=;Ȑ, gjʸrF644*ߡ΄pz]dɺ(_mfR,5klZYX&|Ҁ_35U*8@Tr%IӾ:GȒoD5r$w52#<_KK,-fUGegu:1'U@qy;z :'Vx\zDoũo=+r_xh~t8)YPZbOM3 ]uPtR~Urr ݶ N)ɕBV,[DEBxoR8n B!'y`7J/3'Ʉ*VX԰y+0Ni~ Wu2ijp1c39mnt':NI%?~TipC?%|>Qe|jq,4A?T.cP\cod 3U'I@sLƗ7cSTkwW`͸x31:լ,qS }}O@iOTT>Pٲ; R }nS|倘hQ9lZ^c}=p%Ւ7ϖ;$i 8SFm$8E}k3S1 WjDZ 4?FfR/ú}C>Tmwd˾;^T\ː,Yqn;h74M?o8Q&m]U?1_UԗNu]jp sIDbH8S;e TwK $D}~m2kYC~=Emz_rf/+>4NDwsV_Q2n?bf_y$TԆ:V:#qȧY5tɤIOmUl.M/PRmbD:BӌOE0V+ P?>4k`6˦3?#U>R٬\x7۳y>,_WJub^j.%uc} Gx ^#/eTr[? qVR>}R_ yy.*;Cn3dgI?('Ro>YN ָҋs\h9p5sTV5r>H+sR)-דzr=0$WAkAu'}g/ `H?UffV/dc]z/S/ a  _ai0}PL̒^ aIS:k 9#߂x] .Xip,ȁX1 ca3(0AC-t@=tj;9Xz.b.2.JWp <OB; ˌPwx!RR;P/8}zi084lgOSƬ- C0vZEbph˂jNBzPsv64a?}]aa8A/; ȓBvR@BP\YR L*,aRD}RpNp 1́#E :f|L=vn"_5TR(%R n402t蜟9S;Ysyfb3'|֓[=@{~YK{C'> &T 6@ ),]%?+%8>fYP_/ʜMOEOB9M'L7(}}/[STR,J`$V][@u-)ΑTsd(}jjr5JH뻈!p3r_QPP̄@5Z3Ti*AV(v!;.b+μ$av AvNTs8E ]9Lؕ3 i+Ujs1˘f>HXO-C_@ 3h;T e(`sτ5nGa(S|-1JDwJ/TAM˳zue2׾j 4OE1؃l*摈yIn4a7Y<;B.߱6X[2Ŝ8qy&7 1œD#F~7,.4oT/440 k˥K{aYg# B\N+#A H"X 9G{rJ2%`0#5*O`3a Mlb |`7j58 PnA!QE`PVփGk2A^r$P/Icdh>4JAކn7\o2q6qnk23eU/F:8B-ݡPN \FRy*aV -Hn ]&$=p nA&o359LGkBn/!X_ϨG#D,d/ :צ<Be8%f탖W)qT"WLeA:=ňv=Zhk7ݣ)SB ) wؽ8ș! _ V[0lȑ_=Rk%MQfF5}?-#P/2P_j* 3,q ݜZǾ8ݒFc٣vǥ874ˑn(v.zde$TÆ޾ϝC|u+öpb}&sߊiXs *tr0F} Dnmth[A\"ztX .w庞й@xmnJI+W~kEk\6%euyJVobWC6Mex䓫*gG=^%^i;kp5{CQiZ1zdq/_y=<!4Pm$1ľǾ WОAhFgϚTSJs{^؃Q~=q2<7e ƖxapL .nť?B@VgH` ,ܧa2IWQ!{a<g' g]3ȏC9eW?Kڙu#B9&ϵPmP-1{ἃ;߈"pAy C%{ ]&czB\\ ņSQa\-7.Ks]A~B[r+$_#p%Cp|6:>_5ݝk;ƹ;׍ߒs`4r$\PgA _|!,数W2%F|9lMp1_  xoW&x] [c sY6|bKѵE T'h4xzZ WWL.OLAjX;Ela򰇕DYcVTbnd_[̩13X#adcs ZA / V!V*a)oq &{ XbF_,j>EJ0?R0_ w.WmH(/8T4bcF' #3>T 76pcL(F&:>{`$M岰 lJB~TVUm̔߅Y&͑ond[a* f` ǣ[;D3"X.w4j*؟p*?:taƩ9^1M"jҐ`LM__ <_̀ '7흢MM{d#Ŋ>Q=0&W[&6KAJ%ٺco){n6u}--K &qL-:͇!HC}$߃Ÿ \+p^/6ؾc-;\zu>0WQt!-7q 57ws?Gpl)T>K_]B:8Epdd^|U2 Ez?;s^JLR}Ƚ酽1 LT߂am㿂70EgL!bS}Z< ֜7m`'>&g^=}CSd]C6Uja:^UD æ,O+wBDh( eXLp4\?C!SKh  {Y3fl9fa 4 en>3wsm¸\~q6Ш_@ !L)P+ܶ"s)PŎb0 ]j9Du "T=oSTK3# %=SA/bf>t <Ȁ P(d 3-R%ֈ"Kfkt.T|wv2MG*2҆Wjm2v3Zպ_FΣ(QLB-94 `PO?Pe܎; CqpQd,F!MEp!Ig>org d'*AʜcP.rxzƆ 14ܨ3x&2lSdG 3/yyyJ?a 0DAY:$ lDDj%R#0*ycc(f fn¢Ce{VGk\/0R6l^? }A(Pg4)ڠ8x/LZ /Ya>=?,,IxrmW5AE|daƈ D\ZR䦫'z@삻pnxX )q<+xUcb%|8Җi* k-k|$9( ,F<HmK2ӎV6>ړ'mGsoBhL +%׋za"$]eT*F`!}n(͕ 쁱hEߤ׷3Q)D<+{r]{ ʵ\~]F_ smE+wC "YmX(PNjb}S S|Y)/(R4 8.`:6,/ :+Qq; *do0527y*q eΉ"M,>V?wZi# ¢^xoyh,m)$Ca 9"r,+Ų.Ep,|AS9R҂[Zz>OWyښؘry3eeX!A_ɳr>>@+qu/0ӕ: ꦧ0x>2Dwz O] sSça`ge5OϱP騂v;v =01 c/ P)I ei/.MaXqsY̕[;4$纱?zrSҹX!:i"/e1=o zā#C!(O#WÎ,eƲO")r& a,r.HVRY d !kY.bdzlrdp\ 75p<>ygr#!}ͨ?ZKXƦv6]vlV+lvly.C!y!=hq),31qC3PӤb䑳,BL1<9W`8p30sއ_*^SxZp ?[;"#ʿ=̐} >$"_2O4(ࣣŪB&^c`*ǧ2>,h&Ϗ!dD{Ll%S*L\EOTrMW 2D(%d {+I>/SZgH$d(qK1ō^^+ P;\!jZ!aHF31Dr')jL5׉DQdždk0 20E^v-&r7y3l@mV蒷Ny;\(kxB~^+~&A#yel<$[ fA=v1/ϲ]9vI:0 s$Q JI{,I$GKɏ v O[J~RExYɏpy[ɏےg6 Ҿ(ϔr#> aՉbifJ%B>Xaf|%M&I+=l5l̻]ZM$JfP[ \*G) /U\`|7q߱ieZVymTIJa"A! BR FN#lz2#e&vlѦ_Xb?M^a6sIA2/Ihqor-(Kt;en+E?d3Ӣ6$v33_XbHБѐ1yItLaQxICNò; wf-jH0 yw+f1mۮl0:=W&あQI/yQpŝ=b`-ۡ,.tKb"h|'1okpiҙ3g|ߞ}0L=0*Th #cBaJ܉箂{ +ahѭaҢb-}G,.hˮ0,T1\.VvDcԴ@̺i#DmC YuJ[ЭU]CIͅDj:;e5kqmvpv<kaq5kZIe71tLдc\Q6\GO)C** ootTC- 8IN>ˮnEB͂eAG/T[qi}xՂč0]0wLx~k^"dȲSj[?&c ؆9n:y)J|:BO#\9G(PqV ʜ2r-Kt Vqyz(kJ-BJ|=^/& hWLA߫z :G h #DhKO$0I*N!Vb7,$R+J% kiJ(mP~[6Ke6Fk8iӪ3t|nf$/63y9=gϗ`_ \U5̨)ͪ=çRW)Tʸ,*\opMǨV#K`kc[pڱ-9uٮ Ld5-Wfd`Vh7m'L虆e|n(C*/Jt!{ S"<~ 7܍ZCrR`߬{%tnh}{dA%Ay+j5 ޷rQ^Y@oZ˶9e‹]rMǫ׬Wְ0aH.i 5] i(e p%ゆ-|+< /}kZ{ `L@H'0zf+Ifuᮌ~ؔsA[Qh/uH'alZ"᭳2 !hہ3l[|Kl>Xۈ!L{gu __5k}YD". Jɦ]1LYBM27 "7 stBU oq#Fj9.d+FLj~z'+HrO!^RCYSL)VǙ\'PGGt}8 .\zqB'>~~&6~es!i"!%8"cݸq1YI&`d5A]!$FZAvEA/%CjL6(ֹ::O^ClR^y\w8{J$?PK bX"5org/bouncycastle/jsse/provider/ReflectionUtil$6.classTQOAC XjiEE 4)J(׵l9ݵhh>b1춑*%{73qd2*\c &4qhaRM 4L1*̆iئS5Ci 6+1,ds0Ctѭpޢpv{f撜k yn}ޢm>dF٭;֮e͍im &9:ag)WwRѰiSlWM{޲/E 1u*#=V̝V>%Qu̠~([uOƪ'ʼJfܺge!#$}BZPv}Tᶎiу:zч~I0q_;՝@l_Jl!1'Yğ5a{OO-R AkHVq~h,fBovM}.;Fi%H"! I$u:M"E3sd*ˍ#7H =@k'UW1D<.|DDyyC :_A{?@ׇÝBJf1%M2:iL/+iQ*v0}aY.)>4qtj4GqYe1+Jfpdp PK bX% 23org/bouncycastle/jsse/provider/ReflectionUtil.classVmSU~.ydޡj[hBPh+KP*EKan6(ju~3δ2v8:8'ze dA0콹{@}!8hf5؈nhcŅ͚PgR7bfjtHV.5crF-y-5OE\ҳ浌[0ȳ930WT^5r)˱M9o{JޤmK7r=[3 1#{a uA]ϰ+mꢛZX h\c4[á 3RɘM9C;MDiciA(V1c92 ~PCՋEm*E^ju($cc]2kGwwO"d-t [ųNEO_ml{rR̰AT "7-bZލvfbw?OdI5_$6Zrd.h6U(CM{1uPsf~c^ZrYJ+]tjh}=i7K#@|Tlihe:?[`UPĒweUfEc= +eXT x~жmkвU:+F$1CmPp nCUp*f<?cȍ.f Nh 5:V͢ ob~6<}ben/2P-3Bɚ-}j9>u8A4ȉdb`~- F(8-qKZ *=x}We# \5,cdTN:Ҥzwr'9Uc| VEWTZ48:wQw 9\Zh7ZЪE[EEQٺt.M[]mWWΚ Kw?s}Ó:DDj'ϋċunvR'Nz[TˤX.Ed]V\pRtr'we3Y:5g9R>W uY@pdzfo[ , =:=._MN'ρlA)B::WJ+/9RX-EH:dN/rVXZ80_*eR|IG#R\J:osUNj櫝1xf>!ӟ֧tIq𧥾I'_ϟudeo|A߮'Xqd#o6)nKRwJK-w t,WG=2U)kRbYi>~P}H&0n LFK0n"L9:?di PXTԺɳSj/T~';Yѷ+PF`t'ik3fa2ubrlڤ;T61<kx&'v\Ѽk֖u-KZټNh7v6\ռ}qƮu4Ťl,Pv}/D_&h7k;=AO/nm7ʠ'7wxž;/ E4ankmE ݽ4LǢ}P辠g} Mmu#;}&yA&Q1GtxށFggkkDY yCUXx1P1r(MnS^?kۼ`_'Lg |Un}VGw6[*@Atu# \x=75kX%ˌ R^c4DU^a !Y}[ ȻnLVc^<%)g:V~Y0,(<h< uŠ傴&8 :0խ3vWL~=a1_\$b9ӢaG Pj^>]0Qmon%D|I z}։9juS.4<{ N31f* ~i1qOm ?e0 ?g ~NO& zif )煪B;l?7KſK  NMTh m#ɜY z^MΕp'w,ro0M=1f?:2M~5=v|1FW5(4Ƅi"bCj6|&Q,ɵLz~/KxnKMMHnh-ˠ&X>JېueE}@wCsjjJ >o'37qٙF^{(򴥉CZi.*S 5D t}>d>4Bm1}n6Amݎkc msKQ$E1 "%xC )RD~t\WDTC;M+3xumMCZe0vR28vb&X.SȒ"3Le=~䡅iډ~hi0A^1I<(gx̌u-$SA6$O]GWwa2KǛcg8 9'拢`H$&9)a6 " oYW˯"iӦ15c&PN t4!7ı`,6?/f"y\ CG^=uXWl`#f-=b{1P1tH~ݝq=L,Tj_-3?Z*s:9]+[ڗF}O~|Ly_~iWT[l=R)]ZMT*wLΩ8إysjY#J2YOƨŔbpH}8hIYU_psۿA}8|Qlğ'icɸr>VzYBMΠK6S b-w' cƍI{8/,}#cQ6}>v\W/qq Zέ/!w.]j@ `y'8zzA|K}9"C[Qk[ZbnS>1d,t֑3] DZznM,dtK;s;s 'wפ>A=R8EGL#;WP9 [e'Vs-C/~N&~ڴruG׊u+[ZZV5wDW`W"ԣV PG:A3A1R!]FDyT$RUt51} m>'DSiktZZK>'п!_?ܓ.۠q!T5ƵPշ%D㏨zdYȺöz[ms[kȾ- Liy؝v\NNnÝO#F? (*,%[:es9T gp>Zʣ]t6!Mp1}Kz@1~O;T%=O%ӃBΧ/ 0=l:G(UKTߢZ1( G]MWwA0G,ZJ=-J7w'%/wiNeM:=e} T=gM:C^;kdc<l,xD:{􃸥ުƁ+m)7@zkMAԶTm핤l@rҹh+i,W2:=W=8??Og2~-xlXZZ+"}+y&V> _hLd~:UmO=Fe)CgRQ>Ϧ*Y@ytTAi/Wi: cEe2br%Sؒ'O߼M`w'ޤc쵀e`oWոXho2̕?nE7XJXY@#G1?c(p.2 JY4 U.>@5mOejrRMBVv[wQOjA?WP1:%:qr\ xs=5p75:7 D+|ZAZ˽/P͂ QF M(CA"e-0Q T'scLRH\>Lcp֫)o戫􏸴"]J0bs%:Z_Hf=FmEn߻4;uv@X֕? 1AenJ$DdVHRbTI|9M+?J*iŜM|-3+i3! ;u@/"MQM\§bE}IG\r` !b2yKeX{2qn@֣_ތK UlEpA| ;z-u̫s7SY1@BHDp٭uz fyF];]Y۩P띻Qm:HsT5lwXXAj^]-}>cցEqS&Fb [h4þx'4wEn=0{a_C~ ~b~qԴ ޢ d1&nD Ғ I^TlH.UN0뀣Y,bg:bO";bb;<Wl fSN# ģ+XMLh.Ba9J鬑S>GTwU Йm\yjǂ88$1U\lS42:#xp0ITN,NN(- X!uC;pWܶCub.eI6> lpY]+GR+t[A{? \QЁ@O觕iK++ 83짮\mԸp+t8e.k͡p8.U5R3Dg'pS?K~*R ?u/n~E~~:~nW!~?ҷ4#abYşXVЦC40,JʪY ~&TɚҺLh}:9Jt/<,Z&9$[iqȁy"Ƣ'ݩzy%L2-*,bVEr-H.Ar;G !RJxw@܊Dl  Q=Tu@kA\,uveIneQ#EnW4.0i!&V94$>FWWJ^ qEl$E r\ x'&ucRJqqukաqKψrϭm,=l=4rQOh4 *mKWa-aF]fd,E[1L$)Fҵb;QRhS41τc5^=^;uq.ںǒZxZ j]HK:R<;i+½.F J+кʪt^e~T.~Vl>v:Y:fS6ҚKnkHTɌUKZo,%ŪZygˮ|΃ȷ'I]i g'6fQ̈pPl؛8 ޑ8|O&|)ōo7?m8x&|)|pfŸc ?'k6>7 ؖrmz3^Eq~&=&P3I "f_`*$pkx,wP~[PmIC76Nί4r|&1g9KL٪=e(蔱ƜP®6L_C?@Tl\mc }S^e e@)GFv"Xa-PKZ򰤩<,YԺt/0S$Z 鴓4tsMG3Zd !;M~EˁES~):@};(W%h1X<"nG")Vx۩uvD#-)6ڵXڔ0bq:Z7sxnyP>:pjEP٘)Il@xH?(t ~OվJNeMIڛ*B熴l?62/~w.5< 8x/30U *(짋i]z?HTdESIٵ` e̍$mb ÈԗgQcSetHostSocketFactory.classU[WTC ^.-32PhCQ@`#_|V&$ηo9S&Uъ)*" TT#Y))W)J#Y5Xc^g*>R5T|K_kF`Aw@{f]߲֓Y\2÷5W2e@~55q\r)]C|L{5{gctw(#׆yO>~Z͙l_#wig2Vޜ+l.lSZ]K~W=> =Nk2͜<&ƬUB?*p3v-fy\1m3Pؘ۱#5Qp]3'ӴJ#՚_^7 _%@%Zqwk?oYXd,-')XY>kXB>,7V lbuѰX%s?>(l5@6!լrh,a#]jHL[:0, ;(Q4t+7.) oGC(5"`MC+,Lt_u 52ĉeP<Z=z1F,7NOJc8aC޷\0' ME4@3I=5cII=Lf /@ y0>PEX؍8 q0Τf:߬* UZeW'cHBR9ӷOo?FA)я[Eu\ќ긇yuhX+:z@Œe (<)˖-<a4c=vM B 1uq1OMn2(6g8w\Vy{Uڴ|GΣEE݃\T--"ڹɦ*+~ Үa`{{*$Amo͡In" 3lI}x%6M$sw7vdHr;Cv!t-G"[ۼċ ނr+ I$x3lvmoU|/;үCf0"AqFŪs@ 2[U <]:``ẁ0`v .V@4 b1dOrȊasJ[4׷v ٦.vnfTS'5_h2C.AKOvNjM3O/8à Eh%|c]i4';DQC,C62bİLH3?`C$(w(IFRyIyʫqf2U(U$^9B%຀ c*I==Ě XH;Zi{"Z2e4 VhiRVJ[jNRk?i?:Ԋ|,{E粟@": Z- V^BU*Bu{0rp<,Uig.]q|):,]a8_c)|ڶrP,)z\=}mI/J &[i^t (&IX4Kւg&y!\^pH!ILR/s;.QX[n.K({O1DER cnt:]flQwrAfjSL$M ia*wK$p_/MnsIۆ̹sHGmZϒq OZo-Pg%^Ǒ A2%]0zWGTt={fPy!bWdXk,DfB!q|7A1b朤1kth,^i=,JY|Jg)Ɨ>l+,6eX '_VtsfbvxdnyEA'gG_h}_@1N+"S>$! ܄Gn}|g}M e=B?t2NG7C/h"߸u# WF&WaxHsD^/ 0I`@SQG$bR+#%/=B70ځ v.o m#p'S2'C~ #$7D2cx |0LJ,@@Od~ (]" tQ%,W}}; 76ѷϢ@+QqَH00б|ѿ%NA!t^rBhcA9Uq[KPdWe2UR?K5):.V{ʠ o;|2$bcU:ؤe#%WkoE)e _td}|0>/x_„U1hB@–* 8KZ[Z!TUTP,ԥZnv_kZ ޼lw}{yӗA&ᅸI?7{-lQa3M+7InڸË g /B^AH`A!n+uWsMnZn[\ͷp]nn&nnnn6n^> 3?.nqs7cx%qs<,܅}=PLJ\CW`&>̠ɂ{=͏Ћq/'y)^i{f?,ƧuIC>\?3,|? "/q2_a׸௸kn~c~?Ob:÷<Wn7x[A%7`x;Gp1~>0C'_?Otqon>瓏M?Ǹ%.VZ/zB$zއV ;NtF(\V]xٜgͩ^zѼX]onM+B]u];w٬yuՋ@ ,!YuòYj6U/^@kd$ˆxbp{8ԚE&'cbU֒ZK$@:%yPskK%m`2vߧ0I Enṳ:-s)6LCts$ޖ{H(\ Q"ڑv̦ @s#KVyn,a#?8V]5v7):YŢE I#-X5?ŗ)$])[3f\CL$Zƚh-Lqcjό6Gg!\8vd %7 `kX=-Ԇ<*tɲdF&HN}ZIlahe Z8F[ns[j^ހh4hCFGՂm\ZKb]s9ڬizH8:J/=#xbeFc$G_Uw3)ͷ1Z}IKTIȁA6l5̲3_YIRIP$3 a2B|˒}D%+B!Uߥ״3N<B:;.U/1!yR4S aԓ'KL,OFU(K/Lh+#9ΉŬuc-8'q?ڵ¬0ldTf%"O3d IZ췪"UNFlAI{|}cgRzǽB W.Ed:ׂD#YmɍF:]' 2]e6Tm6U:I\-r*695c3ROa%Ias*˯jl&Ynkc긭4=#*&HƝ8`9ἓ Ja0 Q~4~v:]4ޓ1> 9k~>'IzSa/=gsy@=S=g=~RnΠ^=b?Cz>kgz 8Wl(k W1@{?{DGXq~kXԞW@6kMzK.{?K͸Mds|u6l65SWLw~E2(vP~b_$ƍ0&@LrN;N+Vf@#1$alj./,᷊M2ޠ.:c znEtxvsr(:u; y:7y(榄Rnr3dFr3*(h  `\p>( j`<O@?۟r" >h$}鄩in6Ak !667a4_L N"<Az̃ķ+W5poA'7@K7Mp3w'J-CWUP=wO,dz*]"Vw(І)޼1&ðN80i ل`†)#c΢5,i>5 ܙr+̰>#6Szɝ0qe O?*~GQ8"$fŽ/BaPVIoX]{X]6XUGtI/@8C4*)K 3Qs&xtMp={<[ B֕.ӭf^O%urM4rvsȹO+f P5P8]؍&\؝QW Alb=N>¥ѧc3zO wy DPm6=E(0f"O4|٧rT5JdsjI6D̞ISr%Nh' $?? /$T+-K.Ua *@9k|> (gCZB(J4Tq=j'&RdzFa<[`PY!tJ=Xb"|-Ҳ9zz41qfy~9Z~`U@h!JB} I8P԰XDa|d9qAPv#~d*ve̹ݰpԊ(ꪭ`*aHNQ:@~)x]}_KHը(aX;[M+8׌NïGv{`gnXu=Bsuc=*4GH+|^G!7Jgj]"+h[bSUq7MC1aWh{<(QI,B T, 3p2TX*0NlZpę p8Ja_BrKu(p fR,z+pęx.Xެ7!%Q[ܹXJI0R/N*a3XBRF=[ިglyS,yp/ݸGR{/?OGs\Uc8&>(Q 9,=伜,oӇY]ň]DcC" 6#Y.Ici~Ađg`>G*fC8(e6tJ,C< /#DBF5/3An˿MAx߳W%]]F,uPڨ;8V +w}|qCс!lDJZZiC)דoN{0'^q]/h x }mtiL h!J6+ŷ6\Zɭ AICr"]Zj!&A >J1YdJAfS)%[TsȎ "7:IӝO6Ɠ^*tLdb]{uE\ZJ9)x\/ԂnQObDo0)X1p !> bxt1f0SL94aL8W$f ,JTn5pXwEpX !I~,V3b<'΃b='}E>3G- m8L\X!*q5q=7fq[0!npb;,vw=!Gx%߉.؏ox??#e<*^> T^o%-JElmqE+xP|,vÎIIM.+ޒY@ò@|*MqTEX#cr+d ʘ$[y*/Ty&#ϐߗr<7_>&^P>)}r|^+_/j@%weX\OPxҙ_r3I ):$ht6+Jif|AJ`…5^UN^ nJ^SP7BQ/MDiByBTsu@UQ򘼃s 7O7yOȃXC+Ε }pP6A ($m.U6 >9o|`(L4(ux {~Lr}8'3u%DHŴ-ޡ!w!yr$zOY'Xʦ Ρ (8rxB&hzC+ sEtND,-,s'yn842; e^'[j{xS<p`CsK41k7#\ IʺApCDQ{lF6F_$vqܲ n+ 'ʉ{dZ!/GKęWDQ .uhTl4L\ B]=nϳ77xRA,y^Y#&15 t 9͘eWUUItYNK*JwaŁ,Ә{2;a9fN7xyx'7?./4t'X"==ᡉlc\F127+YIOqU(vSzndUKT<ٗNzKIMA{䟡X0Uga< G e3ҡw_~3(F~ oiinGN4ͣ$J; fSf@iBx'CP 5q L1v*^Z\GP0ޕ)VRއv!B顕՞ nOy^l= BMS0Y}seO`94Zn ]>G (,EʹMdZZj@)X)IE! Hnveuu]oU>QUArW˶}ڌ1m#%Fay 5K 4[1 #8o|&$ѯwG{ba;f._޾22B+AuXBKBP箩+,H`,ꋮ]X `G`1z'a_xwiGhuîe.R'-<# iųꪶXbM솣/i\2kAQqͫ|=ʐ/+3sZZmjlP͘ cbVVi``8ݱ,m- A"#~_h/X A99]Q,b@%htwb&aɏ( v~N}'pBsq![yXEuaP:,F.ٸhTU+k;c튟ms i>j4ȓ#wXl.'J]PQ`۵ _gg d(V,%T3EWP6HQAKqOtp.Gk8\+Wj8JëCk8ܩ_G5p7pFkOoiwhT=i>L |>W?_?_ዀ/%j25|QJW_Mj:5| f |o]wj/wj.ฆެ{}[4x |~Pہwh9N ? ~L~\O?%k.hÁEk0"FF n흴n; 3t|ʗh|%Q\l$IkV(% ӧ9}ҌئQ.YTAOEOGRDCƐ=HHP .ClBrhxcLbz^njDz9yS>^>g60 SMީj2= Er _S/ݣUKt3c̄v5k{th'aлOA_ Z@fMMK-$`=1'|H0awӻo}Wa-] !toZ?,n*j4ifbfrY=qO+q,sX0&\ijd~MMR1EvT IT G &kMfC V<4MsSD%#nQ;1g3ej<1O ' 7f'l}0gx3ueߩ-jbX=.r"WPvGajiC4͟42ZcXӥC eEfӒë́GHDOh~< Ib(5ke1 @,Ғ,wY"7Y"mS)&ZqAAU 49T/ڥUTozK딌 _pą3.D\EA\ ¸(%qQbD\Qq1:.f6&JRKƁE)XˎDD2Qg+)e!z%I(b&롷zLu1;v;bgзLMyFJKR[ʢOQt\#(G2>ʶ!3H-|/,ɝ>O d|Oe-zOĘ.tvrl+mbvi4ۄJpDsq:sc' q2Q4wF*#;5}Nze#G.m+MdQBJ|l*vg`hr'zOv\(Ƚ\kgur Ls"mȚ35=WvTY|N{eS}nosydzs/S>~S6 .0|.i~rFn:fT50~?HY 2퇤&e@az ,fOP;LNFcوqeo]:>,Knr;5Ұi0L}ɡbjzusZ&0VIwj/ձ45d՚xj Tݖ&jmVQmKu޶ 1f6.zbMLbx8xh*D 0D,/G7ZG#Qb1h#ZNJlj%1e{eq3ceɰa >g>Cn-vidl4I_\)^ *I6ud#< ~(q6z7;7|~8^;>v}lFBwʈB(\f3[u%,8Q.t 틼%{G1u& (/^$|bgTX_5"F%Q24 'b!ROwZsBp2W>g:z\;? iw& 4ɛL&{M% R6]!Ref7iEP)((VPPXť.uK]hs̝Siwvιwfy#ܨl9\"9JmsdK=I~Dc')H~N $$ɯI~Cr$#=HNO$& $%yo$'9MH/3$&OH^"yŀ JE$eFIQjL(3ʌL 0 rѰp];mg[PHZz2bFN۞0 4jXQ[$b6L9kⱤc{#4c3򒝖;=±YW,Wlcq1`~w҉%ӉXrhn{Dv>w",vk@ Y\|%:Qw%s4ZϱHٟq~?3"$DXFvȀrԵ[RJIeB>K4rےwgU"!7k`D$ztz"Qm~uʈxhgYT܎s^20wB5*9 fC8XJ5QLufa6tXiώtE;qf3uk@Kd:%Gd Yuv ILyu<ôf,~rSB8yXOFN&y Wawugyi_`8_q5m" r5㙊!ḘEzDk7['(&w-t$! XCqA#ZMϪq[Շ|  k74KHI$ńAKI\Fd;$;h~W\IrC&D0L!Iv.T%Ic旂&8$.x&o9yUК&K#y 6a z7Qse}N0)\ (bH;1ߢVwI e*ۡnPTKYt(۫feD~ebLH;nU2e)]˕ݡW*{7F3F@Ҏ(k+$m\=*PI~ ,ie1M=jVv/k$E}#a h+:EmŇ&TTm!TIIB$5$$u$$ $$M$$H&L!JCN#N2d&5̢l*!K2d>I I+IB*-"YLN,!YJꖓxE= P+PUZ&TY4`!k΃F &ty3n$ S0ئb@M`1?< 85]0fh[n6,{`ha ўeӘf xG?+8'б'aG0OcY]13.,-E9{yX**e1HjYbHCT*bm ɔA:fl;s|Rk1{0_>y<9|=ovM0ڄvVS):8> 27 \#,V.QKuaᷱk.},|3<ײ;׳;Yx·|fo0JoguN~/Vm:| n>ӯH \TRE ?|.߉QTS a6 8ʎ W1 Wq( :|1p@wIt A~?:|caOpp,I,) daOp7,ܤSX3,ܬ3YAX! X,{}|߳̽%bΝr9gN<W/|(L9rI>'\- Dg/d"(%^ll]+q;'=ԭ'Ź 7E?/.1 rRCbz +8+F}b?/n^(9w@]nz ;kzp88["+yx1MdL'yb2Oaʍri t:7}gr2_ܭ_<:r99yMsHŹ9Y1\6}9ُQx΍&U*en9ƋHMҨRNĭr`Ұn_xn?_'z$9_0v6Cy\;+X:-gy2F99sL*n0'7,87VqHnwW-2c2@9bQnX F#G _T^Y6SX1ÍC:e7k%#񡆥HeS1E *WN\Q4^DԶfSu0Z4gk F ;oה Ccdj|} 7-h[TRIiՁڹHBո4Dv@Yz&^ӎ , 745V6F1™MmfE)Bqj"P]l:SS^6=`KԦp-IkpSÔ@&4 hV7:;7 -^9=Dյ` o5ݖ9%X[[?;Yg43Ƥ kVs@%"ƕ@]1vM @NT@$"u,>qEc0Ѹ45jO D62#A\Lmt! SKo-cgDpWu}Pu8&^@@ EC*#ɑh|=%` S#PYXR_kKx Iha0"?5XK0ILm/{BAZӁō6y9W.RbPM\DeMaPG4sckiQkfUNu˥vš%D0I@4Z|Dj3-?+,? beEYɶI\jYi[6}/&5, i.]61]I/l̀VCF/ʃXn\!<-ee[%"h=6EW VT^F44Pw.&$nyBƶ}\u,PqRUqhC2Vn =n\3#nB˂m4$w T=jם`p'U+ҩ>$ĉYۖAqRijbz[YN q[.Zߋ %spy&9 L<2h\ȵՋ^Q^ymydI[xL<Ի:&{QwHrzt=Ȋ5ڕ 4T^i3ގq˨)eܔ\)O0$SWqSi<]a31gl\~!'5&ڍJ2LwLy$)T[gP^dʋq)/!ȯqLyؑJy)0q5j֔My\gMYÔhM^"ouLyÔwʻLyl{-^S'Yn3e *7v$>$P>dʇ#H<*3r I)L|֔zS>/MeS*_3 S)2ۜ)L[0&CGcS~BCOS~.0+S~ͯ0Y{|ޔ?pGĹ9 /'7)sMv1r/*S /r+4PPQVI,RTrTYc*o&&Lim5Ug!ɭ Mՙ;_U dJUd3aQb*jnz&~ORzަC5U?ItOtWjdR5T~-5J %vaj/S W{SFj_.ޏbs2+ऌqҭǎ$RPc1U9ƛxH597+&Qc<2d} ɂPj*N#33LS͢cJUe9j[n#dwHPԐN#w0E7=)D(S'Iދ#)Tmui--d󧚖נZl%jB8ձLeTuL0'\֠3UreML._#9FmSV%~e % _LE OJf zsd>OT8sSwnuNgq&ER\~=:_]` E.RR2uPW*y[]mk4յj5YFZP֪Lu=4uZg7U7 TPM܉L*WFT[6SHܡ4]nSm{Sݫ3VYV?L!~TA&7VS=dM*0$<1/&MZ@=#|B3S=J =1ճ9S=;~yT/MO.yK^5kuSx?4[mS5{}SCJ @T#>a|˲T/L%B}67[S}(|ύP?OaV"O(3nUGLgK#dޭGEyf|(SLQBl]c^l!`' R!vI?K}݋7 m Nݗb_=]x֮>}zݧ Twݤy4n]\ ;TʳW/#|Tq1/G): K:=3w(:lHTI6TbRC΄ԌؖyM|4ZR+ve0sh ϶lmb"86Nf)N|WplM]'dHRěHG šiaVXSKaCC\^sEY:[qiBQ}0>8wJzS˥1l\8ZgɬgE%2]>hpN~w{XL䍉bAf3Qa>:- -)]rTl.#!LHS9ZuMu\4k$4:Ko[iVЭ; MJ+g>ɳ%$1b!P~ix|J]@V71uXa޴Oug} ژe6.TAFDU",Ͱgdjj2$ ND>N Ҁ]6YàCԇm%5t{ںA65Z{8m-hb9E&򴻵vZeZ&E2݄'NU5oyU9:xqwo:|u[ێ_ #IT4tǼ]OX~X|ѸMN1h-,~欭:6[(:7PrZЮ,f6drK+2_Em&hOKNjQyzәͫ"]P S]ZmPC4)`o'[wO8&qeLtdua7{4q03zF9RpmEP<ЎMbp8.v؇4vޚK\ʧ͚ε.Kn`A44r J#/)V2:o I:}&qL&FHUX9pA]24r`#Ps`Y T&_i Bn:Z O/O!R2=PM#FH,)tD, ZWȍ Q`'l\t, Vp-`v8 ۮIA9"[Aʝ̸ӻO0z#aQEBGO2zԺ[S (vN--iM1kA2g\IDgPFkIOc?O:5I!Èɉ̳ZP>gnHO::wLFY1{Zʪsf͚9j℅Z|ފԡćΏ;gmEv $㥼 ׬&d]} U03'FE@`_!?nP(؟~BPtb:e"s?U; Х`GivìCK+SFd' (1O8?LNK`ve9yNGV&G s**˘S)EDhy: tW^tan0jS /2+6!8rrJ,вҠ}'*Yxd=}HڃN JB:M˓/sOj(cΔvtC  DgH-;čTjAǑg]ur`w)t#I` =k]JM؅涻hy۶3Ѣжl!Y)ftγfOhօZUFZnЦOi(KئhcIi'&1dYZ Zأ^c90 4=Tv<%lz&~\Yd>Ӟ8iď1ߞ|Ƈ*'%3it,ᕖk/jJ]ȇ#qM+b.}Eo-+cKtӮg:O_#ujo:*αUO)a-lҧK:7둠2L~EۑbcNv|fTvvn9ZicwQYOi݌c4;ºFb׎2Wdr.@Ѿ~:Mq v]Sa1NF{-9 +c{rNP7-16qwG$lkiwߦvo1ۃ Œ67T 񞭃oxew%&,nJ*o%HТΊZjOD+Z.v/BmXV)Gl'GZwF? jE7%8B HFQ~^)}Nm/_6LM3)KPupR($,&Sgy%}#^ev[X96T`Zb=P$C |&J5>O{O0g%`o)94=GQy4.g@tEv @zoVHN''{jnnJb@  +tnXCOіCnwMxE4^WmR iz㱸gXGwAÇ< 9!k^'6>S\= raC! !NB!V$/ ;4C.5!pL)T`?L*=J*a6́pN^|:k"5en(g~RQq8/gؼL,NKbKK qX:C+͆}f յ ySJ4i ǏV@Q@;JC4D&FQM (؈M6LPޝw/s$FیE㩅hn1+˟ z>lc:}h3z}ʔO kx->ř`o>ʟC<`m0dsO"Y= t3HrςAp6Ml Ap>L KpqVp%@<,<O"2x2B>xMɐOxz'ęxE©ڦOv'UfP:̅>bUWuܺWWYgx\C1G ]Z`D˲{ڑ}P j0slU \:p]G0GqVHy-.F_Fg&SlB' ZIl̓m>V8:lrv>[a8},Z$d-Pe,r2M ӡ0a+>LY~!)"lbRs@'9}qSfcnY/8&.eGlnNƔj-oP')Xٗ Gr^@ƖiaxS=VX(` Sӈ)D4rV5f!j[L 7srxa- KuJC[ضe[VӷNa.[8?%,#fm W,O4vF񫡇/k;WT V ZDr%:mJnqj-NOiSiVv3&gYlkxUpIJV8Zn󨟯p_֙pT["/g+\g*] L#|Z}?>2](-դ֒\G&%7^Z-0np wC5lc>8DiJx6s-o.ëG|C/np8o8EG W`!ibaO {~Wp0M83G /':h1P3Wx9b'xd1^!ƫhFVjN7 q 7țqo[v )ǻ x|V6Bw(<W <o/p9|^x.z`*By3%x)tf@,.S ,d|"( Od\0Vޥ-& x ^KHy)Iyx#sXilڢģ&.› J.( gˇcF}x08oAm-#5n tSK섥 * n( yA*хM"Q'M#ugθ]P طN'.r͏lϙVQ4D`lpqy/y+#;2<:2-p_ l-s3Z5I^*N=meYfh!g@k ܿlі~ IJ= FknrĬvŌx`SXms ;YFyPGX0jz. ?ҩkwZ >{u*AG>g}΋>F^MSʼ~v.͎=K,M`9^hzmGSӠIU t‹@/Vb m;$i$R,$lfxM$y5cWH[QE٫)j-U ݋[Mk5yްbE.Vv5y Uuqj5{|QfYmG˨A&b֪8w,y]}ݓڸ>ks/qc'f |<(vyzM< C9x|fPB߄]8''v\51܁V ƯI""!7bÅ,yhE) CrxBOų j^WJ>V6su/dS)gTx[c6V*35-7N#?ˆVaN(&?jhmdL 50\⼁S⷇’%ȎkIӻ4FnHSߡFwB;oD{~<2{wxWO;Mۀ.sl1X&NYD"suOSO*~wd w$Xn3F48`~*i,Ii k?]K~/% =~4nkq m6xmkGo5Go7Ӣ0~rV?Jc lB>񻹌 T3| NH|EW )!>y/t%U z9@Sۯc$m| lrEM\ ˓y | O3ky.*=",c˱'q ('"JʍX'oFďw"7G( 'q4>/ŗs|ߗ,?o["-4!I"[Zܾ/9s/ Jr<%E^R@)xܞbl%xF lM߰Z)߮nF" kj8ZCwQqw^sı{chۊy- ~*i,I+NV~ϱJ-VKmV/Rkw\'7ySՎ߂ ]V-e-zYǨ[8'YEEh;~~oXm.q%*y}O⫹0~Uc4N꽋~w/[_\OQJ#?_/6} 5#5ނ̍eYј ]eYG6d` ݊YÃV 4ן|V4ї9Q?bis/KՌy,'4X~b]? މC}ǎE 9Svt.aIp%n"Tv`1EWW 'KZV \ǮLv5`V-xh7@jßE{MKi닏xVbh j%O۴.kV'fw%B`c+{ [X25ɿ:A~e[3`4K92{z8hMdsxE*8a m2^H aUǫxaxkY[ԾxSc~u >U9>(S UCj~fwj&R T*EpSGj:ZEb3UHVU+*,TDPt$S%jV$6S E%Tg9uxI](Q ._+(JRHC ԍ UXus]r,yO^Zj]=*Sԓ |Bsu|K,?To_;PlU;T>W7jVMWߩYG5_NR;*ņTk C7r]Fj1cO=kR/F_}hկH1FFQft7`c145Ìl֨2ƑiQ*|#`\l,24jkXjl0N26Nn `R?_& d,|I׃P'!x?:pq-oP8oR`zs<sa(]2n̵0z>vw]pG,P8D߶],wѧ7P}uƽw=砎rN:6@4={mS1P9>BW83hgO76cj_d?ۍ0jhS[i}z6d ])W@q%4Ycuw0en|$L=|ߞL}amuڍǛ _~[;lZ”,]Ƚo_͸PGBgP%#g i}dm$NBnBt 0q$iB&5~SHX? I~?4'Q|BQ%Lǡ;T;84n,-k6}xGxOxށ8clܳao1I-wPB(Q?`-.fܿW/aqW|`5p1 b[w'F FbG?O8dqt--xӕ!$]2>%_@;eAqy' DKF,3Ҙu|z$4.7m iG\lY&>!aL*;xk _%`ˀQ.7E+^ʁJWw@Ajl C, Wi0o;{{v2};چf U9~a=!.n]=鐲ql| l F Gfg޿&|uqM6eS߿mF(LKߌvԸX}$xfہMRġ@E>#Nȉ?Tmr8uR@gwOB{]?򶉐3lמoMiϪM*N^D뾐UJ1~4^05s\c` hp+\4xX UCa5r͇{] u CRVpnsإY:HKWIl3l ڊ,o.#a3Mf\6Rw'(Q:iyV1HA RDi \#Z0\BPJ$ PqI6dy^'v9驜b`;ٻwz*{7ok3M{OxnBso(M)zcS8NDS>Ŕ 3sMć0o ?1PS1T H(:&YXdc0Ps\ 0ǠBC-RzuƊ1Vbj1V:$I2QĔ`$GuViLWy,5`<0A-0 =~#{Xd/K:YbJթ0"0m:f`l&fal679jbP0`0F b4a4cp 0hUS cUS=T= ck08k1hà baJ4uI~Ba@T;.| AGbɈFMrà7bIS7S=Jr4k.zY)1kǩcx"'ap2q N9 gb; RρbyzInU/@)6,^ 8@S/r Wv\eʦzuxz s-TWok? |S'j͈*|ŔQo`Y z;qu'B\w"E܃wcp/J>]1x?cH<ԧti>lgu91"/a2o⛷0;~c께=ao ǀM#c]DW?ts|BRWկ|WWw?}P?"&$C5B&4cYfZ6 $\iZ) ДҊ0 =X%^%g+ZV6*um@@Fe1h76^ sNPi5u6$6N̒7jY&ĽICŦMƴ)6T6 S~tkҊ1c1jc9;1cj*y+ Օ֨i 5mPQiKiK5tjJC5hZ)h5m>ib*)mڤT; Qm-vM Zc-bҎ`4NZ7`p$E0 A/ڽ)KyIی,}( ~c080;c`+>5#S>OO0s|BӾ4<,k,Ckb"U{1gڞ,4U]t ~A+2 T WנtcLM= cP `AXAgcl-`$c9 %JSR.G`0 t>Vc!TkzWMq>A'b^6'#)>}0/fOӧA Y>[9ak<,݀%nAM,@57 jL[h*O4})vMƗެ2Lnq_"1*7 M?XW*Ŀa/}f1brM?B7zwݺ~$t=AjF[zВkXӺV )ɓW߰uMKkfi->"107ꜰ ] H鼆uCK6̳ B|WX8%[WXemA 0YZYt4i@ye4`5C^7% udMK7YPײfoX;"ӎyYe[Y Pw(6[ R՘APwpIo`l+>D9>ȰȺ kým[XgpB3:3sH%sH_ *O駂 Dk'Ե,]wc{;#y-z#v ÑPl} dPXC*( d@Q d緥9^ 5u "@, s!Uc||+0/팵#`;+ % J: _Ӷ>ضay;/*Jj[b Md̆mX*k1Fd9j&Mq?M~iBQvIU d .3bs?#>3bt?#N%miY,U=zh,96kmA /=]v@ocp`$ fH6ʬPSm<:) YKPxXOo 4U0)`FZU깴Hk{;\GG4EC m-m-^ity>- eU-)bT<D mug:'.ݺH$I#cF)>[ZC@Z>-vuI-$MMp[Ò˦@W;y/k4;ov{ G*Hm ZØ궳rg5xcT4\>4Rȩ=qmXo}(c3!|1tE85SIwp]@=;7-4Q Ʌj vcyϪkO\DaQ4E-=0Lxδ>m()lzU-#01;ԅ]%ejB[,Ks .HX2,sydi2 E<ڃM3i BƖR{+Vg>ǑaqKzрu'ܓܠ@dJYF[VKGԩ]L-дPCG:\&4(@7Y\hRSػÝ X )@,I%و}耜 ATmA/&arK;-T2&(u4ѶPhq`mt J9駚B@p7*1hm| H^L:ȱ;02 ̭kYm lYڱ UT:8'5th^Bt;"ahg":TFwp= #tݠKcZZhCml-uSϗKi7Q, pɋ=(m6/UK]sKK͍ؾ^ +~qdO D4"nf7'$3<^`MƁafM?ͷۊȑ\ŀŚDalnY47FoĿjRf%V PH̴^tX  D:*Ls,mMTc-%x jO0gx ŎlҞޝ;ː&hլǵ|f Qi5$E/ XfPA&$_n ˰\,`|_ͫZ0)ޕLčL::1ܝNSFyA?Ixd%Xz(_J*+Q־ .c'=x]2ݫ84Ԅޘ Co]ەg)Jly|Q~t#+4S~]'e7ʐ!?mCmA rxYHh @.ڒn |{ŚaekQӟ5 tϟe˔h ) 嗆 L2%DBLv׫(,:yOscCB@A)Ěa{'~pq7_$Q+UjT!amh@[܀1uq=nx`뾨i4*qҎ6P.=_h`ę_g~ #{?Дxn P9 rm ?ਟU8Ļ,"/O/r|үć0]cu\ 1M'|[00햾]܉NKߍ{;5>K1x'nX1  )ĿUG8(LuIa=`yK|c/`E0xW П֟WX_XQV|߄@ķ1< {W|K_,A ߇Ge}XkA%>O >0cI$a Z& ]u Ⱥ.jcy06^1-U Vvvv8-VjIoHoZRdX4i%͔h%D-#j KLXކ@0nJ4] xxcI"I-dhzU-˖/ߖRZeIiWq/05,tXGf韋i:%mJkKX8Kt%'oZVDK_K1KN@dtt%퀶$ΖL6vZ`1P${~{{t⍮*6+-xyVeme,\Y5ک*kX`Y a|;ܽ+lZZdikePwel}9ƹJ Zܶi![b0ftVRZ(Qb 2 ô''5BKzȲīk4KeXlPe #TkyFfXFQdQ1XF1*@H2J ђߒneFeTC-c x4?!NTD9*7~%웙4ce2F[Fya2b VX֖A~)h%]c5P;QzWz2soFQ20[y11ѨIoȠv~~Ԍɖ\`W5Qi,28)1OCAAkg 4d];";ߒsXp ,|RJ3f[4lUؽ(xh{#(g=\Q`Xt Vcy & ?ZF233Ho)Th 1 /Q"Xc2ckBbHP'!njU&镖XjƁL?,P5$brK_ZQRj~E]kq"dvqe j8cffk-# A+^+ =7"o]RY;~rM%oIyxJcɫC-Z 8B=Xgt|Pп?KY4e ޏ!4%6z,HN ^MēH|̒^~؈8cjlBP5ce%2~emɋ&Kn%_Y]| cAEPM;aޕ:,9o58\ $H%`8k>hǃ %_*_f?reƆxxђ/DsZoP;%I i*CDk82NўҾB2NQ8 >T Ќ0΀Σmg*-9K~I~ْ_8 pɗԌ"A1-|<08߸[ƅ6˸ȀqR˸̸2ؕێ0 k,Z:˸޸2hh7-q2m햱Ӹ20eiww[=n˸׸ϒߖь-y% hbLh ^=[7"A`G K c_h4H[o-;l*0 &Ynz6j{Ledr&e-eśL2USL2 `J2ЖPP825se \YoC4a;bϳ|^SZKNF3 ,% 3 ?ܸ-l)'+XiTb[ NY1cf%r| g[ҝ3䙖\1s(lsfJ|iͽ,sox4G`0Q>ffjX2axAm=h5,s"Xf92'S@$ʑ~Yst.2@2f1>My2 d=3Zmj\W60UB/ uLEe0gZUՖ9˜% ][u@L %2[Kk}Ygszʡe*o0[l6U~\V[a?2,9K@YA_ZAi5Y< [,NfN5;4Tye(Zu29w~PmЃ*7WE*}eh.l\n.3Sf+,]IOuTvL5.-&F5 ݽ iK*o(U޳̃6@z06'|~2u}riO1'O+{ Q*^$wʔ)3a>S'M2qfUoR_Zn^KmˡW-U˹LH?Vuҫ~Oay/x)2^agu}$}~g{7Q.y] cӕ 7BMXN/asWDK;o;cH)}z4jkV)Az]ǟrxh.a;Hʾ9xS§h1~rwEc4&w[2 A]2~8!e괤&癊kN}(phӄy ̖u8 pj/TM5/oW C7-7S6}ojI޼߄{!@^b 44ZIiBrCkܵT[G@ۄz*FkqA/JJ")ڔTJo!KXfnG2hhܖFfrz:n.$JJ"bKN$'R>|.h4r{Mౡ}ԩ ;)^%~g{9؄e36i\d¦n\. )Nbä&MheTJ!4M3α"p;z%ߠRRYCJNhT$'KJdnFl**z}6}"@X5:0KBnJ 9ؖvk$;2ٵ,8A#=o+-X yP=zOWRDBi:}_ Gy5P+=Մqrk:fVeZu׶ 0ګ=gJi _)'~z%C5:;CQ* e~pBY6]mC'2gmspU~߁١Vܱם<+GCGbQӂ6ŔD'cttmFWZ-sO0u?>ziN ¼< ~unF*P8=;wCVG mهDk"y˕ɔ flΧeWɸWRղcv\Gh=vNt ZB9yeϿ_ڶ>氟zIf K4p-ȴUّ`WxcЙR8!5moYL^ t9mAyu|RrCP̝3/Cw FѯJKGTqiФQݔ9)A2okE(a¥ f}BVLJBX֜uӝ4Te`kEE]wZmG gᩞ xk*z@g R@K\9(({.d$ď(}@iag6/^==[֜C=Ƶ`@b\\6`T2Yه};Zv4v2h?8^zBb8#]/CL6ʢĮt55_Ǵ\YǴe\Xo\^volI'~Gk -S}b$(_9DB9_W5Yb{ }M Nx ~[JL0يfޖ+Z='2tNtӦ)StJ U{S=tf8J'bԩz Xrݤ]ݗd_tH7X"䄢tڦ=nWˋyi%Wˑ]q4.9O-Ir2Fp1U[2PTp괳* E쳫CD^]R]Iz+sfW+Ekw$_C5 o#E~9gOץ~fH//y^<8a"T ;lIUfJZBO`+]<&]0vN;=)rGjuN;7~;#ZC03aNBsKSWKSbuKM/e_SZvjt(:8n˧gڃvۗG:Iό9(M"ă;B_:xKo-0To qЁ؂[mHs?Tߪ_ 0W7?=s=aiL12̴ڃڷ-F ljB!f{-+%[u+v*{x ׊Ax<|0 7fH@GR}oYnPew& 7 cwf'05t#.YVOw"1 eHOfEw}Qb+ "#: ʵ(<,gGU)xP瑢\`Ee!*kˇy=ǔ^A4Z"K7:a r+D̞#P IO<t r="ob@ _pD*_KJhlLCcv4E"EOqH4 rI|ds2!HQF .Y"2 PU5^r ]dMK2.0bZ,IV$%]CD9(TO""`"{?+!I;^D!b':B'zqKL"qFPC$BđB>b[ BH-08=$[8%AAġ{!E@78ul|x G/HrM..r:\\GM@\4rvCG GC5!±.J%L}0Ι*Erm8{J"{ #)Vx")NrX`,uX,uXLx8fhnOA t;vJ"Atb gBL2T8~yWC? ooxa=|ݦX޽~vTMf q"L-4I @ׂNCw2O!D'С:S!1 (h/j¦Na?a:0 YRPJPbf_ W0 Cs{=`h Y$1jGzKԧ|J$8s#I#WG {w$$DD,Yջ zyYK{i-N܋@"- ܃Pq%!"!dxa^2e ÀV)#,oYlLE{?_J,6,/Y(FYt,z@Ed ؔ,O/ KN:b~/uLPֶ>lA&HTAwOhR(Į}S3>7d,B0M7+|1c%[%.ۜ.KӔ"|;\")ՠ6-*[%roooo'{w$Ļ>d,%Mo9]2n:(Z"! 5FUL/MT,& ޿KT_h)zy>\>\>LRꨦ\5e3;z}dK\C,y#+dZ1C`!Imlc5:Ho&)reCyeX$_*q(s7u37?c* 㘛,Wni9Jt >* Lϡھpɕ*LNtix 9EO̙C4rvhuƦHA1BJbґʏDT$A㾬Fs< rT]IB%iD:q0`TH`43hU UH4<@:Ֆh(Yh H e,Qh>;gCcS8<0C$H O"?58gb[n}qg[q!T xƂ8ƥB RD>WӴɹś*eq 67wq z3<0hj&M"Cd4LjscLc4(9χsDz|++muzG;ȺΑuZ/#'`VE[a=>@4p+s7X˥'է92 blêITpeN]n#F~6s@j^q^URB#CWץ 'R ؚ>r슋"RQzy<+ m\ /%e/~%*] v.(Mh $q^W 1wzfHVp?wK)3q|3@utUH{iI-p&a%ջg_F V'47(M$t2K8%wpUz>\eSgb>-əQ<9dЋ-{гf5mLnL@G+Ϻ clCvϡ,&ӱqH!+ʮ$zyE1^ļ ļ53&>VJɒp*d~Oџ-ww}ExxD`D1 Dx/dDodROÖR( ?f@NV{fM4n'5cY]BFd#$[,[NRVVFUwk/0,\CQRJiԒi<#IFr>QbE )ViyGFCAF@FAF@F{HFۓd4$EF+,O`Cu|83&~*oBt_!9MrӽCw<d?d? ')wzr_)l .r;oI~$\n&^Nq 5 Đg}3IO)#-B\q)&{ɻq:@E+Xb6MKTӳi 48 jj$lФAYJClL522C8W #W%OH}VD^IO.r@`f6\qa^\"׌-Rv#ѿkFl,+4g%?y2L~)P > I'AB =6rHK- ppz.MW N̚t?tu;{6ZtK6ɲym:dIKgx R:?N!40x6RNUB';kJH6T5A?[:2gΣDezt9Ncݽ'II&~ X{0nY2Q0o 2]r67np$yJH})R!PF:T|󕯒JD*T!;ZNY%T_Hwϔ/TOItէ.:$QC4e< jI2ZRLsZ
8OGi:@w 8[m/=ef&+7{a)v ˷TUs'8R02i ܿ=.n(`U>3XCe}A&*_i7K } ~ɡp6j&gvl1AkBaf]Q'#ɡ|) xP/7cs'Y M@dLܶOkk/>8q:}Lx mNUYd:qj`Ҡ'u;gӴ e [K =A@H: lMp$nm%9vZALu)P+IQ^f2nᎥ6ҡw$cC58W(i ]б@8 t<: Nץ =!= 3f{f\<$wBZ{ϑrgКˑ 8& ShAt: 89kFi^CzNҝ뙘4 zS/Z>]&uj]>bޕ*8"}N{BdMoפo4?~K#:a,-oZA&^_3F͸>-7͉sn}f}䭸餇'n&90cN2ZEj;nWo @U}L2Y%5o_+F>kJ߁FYGE3t4n.B+%t)< hݎ#LI'+h^;~ǫ/ȯRL d2" iLCpH`9e*BMv.o,Op= M5;ɿ@0>tf,܉|@wM&?H4j}gɃtJtPGis:& :T@c%I+ARM6qwu9Kْ1[ ӔmDZ:].E> U25XǕ%Z|%z +oO7JtV-M;nb'<@ͧnS-~-(H΃&=*f65Z >69 JfM8KEA r|(SAK0G!Pb˳aȅ\+Є710Њ}9tٻ|1!k?_MW@g|=]WonAFWqq2x+$d) XBQ#mK2lFzilH#LgktF]dKJZhF_ZgHیAv>ڮoZHh&\l#eZiuZKEZZ+M2dtTzhȤu7mNHp:|)9gYk%(+)~Ecm<%YqN:] 1<T`v9ϟuEZ"(hmG|ɣ2M8F p8l3e̡ED|L>B':[^.+J bLf+|tLGc҈ERSpd̴Fa,ø a,èUjJz7Ae@``*"%4P c!+A-ZGP A:*vLƣu~žn{ `H YU~%d\~ }k*6nAOAOAoy-wҲ^zæ4ʅode&QEGtv_89)fuŎ͜(3xP2YUcOH*4ʠ]naV3afNȐΐa,I[~w߸ -ڸ6;dN?j(+Ԩк˂_L0:*NkXɘD1^sWmLr B V D M6)x=v]1dYh=J{QkTtN!TtݤH~kRw҂-6:AJҦV)n^0* Q#Fu*3r^G'+W;{0[mBy:gBȳ!_.32]fd|ȗ@ȗAB^JWAbK /| k!/|!F!*ȫ!:7Azȷ@!vwŽnnee2;cc@L5~, ~,0~,QcGQ<GQ<L ?3hF i,"ߡ7=nH)#V՜p.E׉ |jc=x=x=x=x}{{g_KWzyfo\Sy}awaa~<ϸys?y% W<syM{Mr%?i}?ȊJ^'L\T~IGq?GVCk 8׭ wOEMtn(g?-;N bemJtU%!J1#䂌 dAFSG4) {,em*q6A|)CQ>XT4YԾN)=[(huJ͔*\*͚nNI6iL)Xo+#DX{y')Ok(M0UIdX11}Q&kvRǩX>̐RYMҫRr`5ޕV#YVtx:(jNJQҜJ  hx󑌽hV+zml=ǜ5[F`G,J+}tVdC)_O']qZJ!uiS{qM8.p/_4)A/r09mjSؼ ؼr+hy%hy54)Z<%"ERC<sɫ+D|>]Mڠ3(Mcʤ)mՄSV~–dZ#3a~]6p<[]JwV$;P^P')C췇VSK0z<\?g;eѪ_PE{7]䣜x΋TXϩWF!׋fʓuJ& 7"VW*s-zeK}+K{@9鈙^xֲ <$Rq5$|4XI:6[H#۩ʼ27t^gnvAk=|5Tm>FOTk:I:ha^1kazǴ,24ˡ;ZŎg&S{.,h6[ :>HWS.͕]mv4w%.H{&ߢGjiɟv36":^t B J[NޓV-4 ܖHv\?(=v&CЮK[3bɎbO@A L1;+]_-{XbٵhTV]qW*.MHyKl9JlŖ]F%% 1m̓w]]{pv9i8+"8s8pvpf˪j˴\rĘ:J#)}y=xΨpfZ8gg7]qS✸C&+UC=%2/e1kv^AAVǬ?{+bsb~A}/=5eM19?tyB*]/H Ԃzr^sB u\b/us8lVi ?E\+NH8~EY'ɤps"4|[(D.j7jtFMb߿`&FAqe'始:dQ2BKMhM']M(l^.zؚ9Kפ^/\ͳ O*:pa])trԆf;[ƧړäH~EbO$5 R[CwNj(up%O2]PL93є2I)*qWIr=Q=LZa AG8OnT1ũ雝⹱qf.¿(Y:(/H=傧M>7dlyۓH>o'.T䭠6.޾۟yYޡ4;f{G<(ZM+gt=j$l3F\vy2izNGh=]U Gdi{d ]Z=)Yz؏,w'elV|ALn>)5bcv,7 yXXqy/iͲ)tSzec$sΟJw:3҇$bWw,W,`,~>)9v{;;M~Oy-L.4g*$U4[^H^Κs)YbjὄypӅ !J2beo{u?;bkc51;ʗf MrYfbJ Ļ}2"d_C_9~1oB;@գD`K[xWqf߽ƹأvv739AMl Y{y)z)4,2'h*[x.1Ldmξ}ԍ9ҍy:1'w)<F4+v`lKbm ;;15YX 8dߠ|8qԧCC⹋9yq|+d\ \\ \\ zY܊p~#ߎw8Tƻ77ėL1}m+mCy'!Ր ? #E|C|"}ٮ$Z\?u^O!]f>>|yɖlsՒ-'ZEDK9j6Y-&睌b嗌J׌f#[ȸq݃&{q=ב_3u?q=a\z כzכ<{XZ[[6b\/r)2 '!,}`O,;@ΐ"^Lw3Ge?X؏;6ٷc};r?!< ȃ!<0!y䑐GA l&[Nw,屐A>xBy"I'CK _ y _ncw,;"WB ՐC^Ⱥ}&PKZ _z7@r+ jk Mo-oFȷAߝ]|M7CY'E߲yH-KydQ^& KoYCޅw=!?A~r ?YE߲oYC5GZx ~[}f;Q}5~[7kƟSc5x?5I?߼_짜fax0KIffGfY5{sڛrsFCr3\l̹ѬhSm˩5ɘrSr0yל93sv_995PWsﳈ?%)bdUefoEߌqgk+،[3~?uJF]9_ъ*7h]noBNHdp .,8(V- J.& s9ӈ lQ6q$0mɅ{\X3A%w=pO_{>@'N.,>_"?pb?YVxn [on }nn&=&|w3߽܊ۀ |w;{jǃ5#Gqcǁ'x`"Èi?p/X% %.Q5nl Ԁ:PpaqɅ@/Ppa "K.,0 (f8Ppa[ 3\y| op5ηb@K2`;? L4ϵvs\g3$X dg23Թ%e@N$8ز L~Fra3#Qh`5x&ul|g,pup#!<r1D<  <8x.pp"tDUySӀӁ33 ِ/ ?A$y@4d K exrW@^y+!_jȋ!/{^ \x=UkhDU :$Qx {  N>ITED|7{ o(/2(/2(/2(/2(/2(/2(/2(/2(/2(/2(/2(/2(/2(/2(/2(/2(/2(/$QGQ<GQ<>?} ~ZbWX9];$kmP,̯6thQZ k;,".EJmH xpp.pb|[ۀہ;;ww>|X| 0i` Ys/9)7Z(%@PK_3N/)g/l=.8coS_1ާ=ﮅj+жI6OVśW^qO}?Rc7m'hq_"V*:g@,6a,~/u_~O9K1B Wi"k>rN9'?$c]1ٕ9T\UA>-?Hb_)>F-(slS0ߞÞciB6M0S#s c}ILؒ_ "{n)F&U,db=]Kf;SS N.+́J^7Sߓ^TC}#lvvH|8 N3$k] F!se]]ׄ.rS.ZKn 'h9y h(Z? >&?Uw*_"3WUSZ 0"wEqy!q;(OG7ʱGlsGE S?I?RXS ϠY4?F/*\GiR9/+*~ZR-^`v}%8**ȠҞ hne00-f J 2M L!ʙ0l.as/Q.SAЁnSH_go;@sϷWj)1Wwf2AgI:Ȗ\ӿ4*jP-%Կ:o 4пFo;hn/o'QsLSK>YjLZImu\Cѫz3d *ӞGvXԛRKWELs*ڑ6E )1 _RMW#f#wۿs.n\?̱nGgLj/ B!Jk"KbEy\=E}WX;R{켕7\1_L`)+(\̺b[SUI^|R*p[i*<O9cyӾŒ17S5dJōBW"VoNbj]S8>sS?H#?ùYy΍/|nU?{]'j-5gr9UjNVko`c}LRM}ϴ 0c2U']=Ӽ/" io _ƒ.ֲ0-'iYil{b8+Xsn(K}ǜ$.>"/Fi;v_!N!Mr c3X2`/drz |b>iLV>w701mPg$Yd1⬾E[(/YTV){r(6QaZ\Ԛo9e?pqsc~J')`7P_En.D}AA1mĵwb"~~Qr4me#g$T[S߶[[xO7ֱxN3~(-W)Tc& $z&-(QB>ԛg[OKnf'~)Z4qmpz&7'@´*48=P%=hCR^$C? gv @':誸ݕ@҂e.[-Я-(ݳFG D?B-?w G>y}0]ԠAɬ:{&=8g] 6h>lɅeC(70a:0ҁ3{` 1X=Goe-H*Wrx7bWPhTsFvWT΀9rQES^&&ϞeN2̔j|; mbZFUa9& .Lr؃{j<{{9]_],r ;Uٳwݪ77gޢP{sCO޲Uܲ50uxSL8]D.{ҮT ,u-XF2 ,XK_2+Q>,UzBT:SElimrՆ<#P~ i#v[۽(9J8& .~ƿ Pp({wR;v6M*y~]Br&XWdiC&zI%DΛWr6+J97q:鸝qc5LJi_1ˁAV?jC)͵//gN 9.Dvډ }y&]x| ŭWFҵ:r>QRyC-Qcߒ?:o8z+qiYžXυWg }}@o#?w8r @(iREi79Z`0*U<ڧP0Blx"ڽT<(k5G؏?qLa @ÂA2 ;m]C&FI [.>м{FoY9]M}Ղ.)O4Y 8')T.;f7Ĵoehs]q{w*gpG2wTݹi+=qCQ[i*J#?)qmupUDrDMy$[r"7nr;c^&sEsuF54"$I_EcP'# [NФfA/ RY0:}3 Fid0Ng hRf[`+ZlMWkiZ@낝~栵 VLˆ\վ͡2X0fiC=i\ä4A;4/ӬlN-ڏ"9;`tvRZGhe a>*T;Q'hr^,HR9thUWwemB5B.LlNXQCKgIt+ɵl&CJ,R/DFVFq4~ Pnl0L `CɆRɆҟd %C(J݂éW IiL&ϦD8;8 N%Y>xE-8 ΗƲ4Xr]usDFy014 &ҞnMdm"{u &m"t]&UwKIJL\# 41yqfY&G7tBԸ&`ꕃ*UHƌrH#X?Nj%jصʑg'.*lSut?<]d~v:W.T,DѴ<Ⱦ'AUl K ŵlQ?>\ξb%j0. 8|mH-Pi)p v!uM ZEcpns\YmkDު[$ڪ|ڠ*<2AGj!QqNhwM¯Q{vvyDE4+ o99mtTʅrjb9 /9Wԑ-ͬ8+mN|4"~F%/9]N]_1a'ɿ74>-M ~ir. HKB\ &!3C{ByxGC'r+FjHT yt\nh^7q*1;OP'kżx^\lLzk|S^I>KEϒMXoEC-Y56JJuriNGDKB-*F~r@QPhr;vH%k7m"=W3}ktZK+{*oOLw彆FPrB)/ԉTAe>vx;P*̋zKgxn5ޑdADm=2]dS(4"|\b[ٽdEuGa"Ezf]\#W ksŁ{崁+bX~$*dlSjkM6<  M07g'mBT$shSp(i+i+i6+i+ii ӓ~W)=dvYcsZ$SM茳phKxEufKZ@83\AC(ǝBz n鑃Yne &)0FXQH|hA 8bN.#wzN+Y4zቺ:JuuE]}I|Oӟ^ǟ?}+zzcO<ͧw6t#Y┸=F 僆OBwCDн6ݨZVb~Ww9͇Ch]C]nЇM?a=z?Wл-Fc&+6^S6iHՓ/tÎD.=.WT=rD7|FD .g$S'W2ypVQ=Ir8?EG8 J]8o7^7@i:v%h)K9#hB-D>:|b}O|!Tr:FUQkQTrɁ5LnzvqLҮTH,k̆PZ;9}NC* }L%?sWc9W>p1mŀ)Tu5\Cb,cRvI|RqqP. Xfug:*Roj5U\RmSD'Q }; NRE;NPIvU.)0h }Xǚt{YAwPEzOVDשn_я G}>Q_"E03q-_Ҧ&a/sΣHGV}DȮjQ}hh؟S†Q{N.O^&Zi*&P>>|_;^IW *dZTɾ4KTfΨ芺]\.bQ&R9 ފj]-W2 jUDO'SqS4\@"jnEmGKp[. $M in- wδ&\AӦpOpoz ZdB\9zAhH 3C{Eǩjζm֧ސM&O,6$r$wG6]}i2]46tpc\K=. 2 Oᙴ><۱;6N v:A:tR:;t-Y'DDcqK2n(%лBUUG8;_L%_F-—SqxH zz0nֺ~ax4ջ@,ϹmјL֧ 'q!DWᘪ:vZrKi,Sen\W۸98[^돳I:>Hg8>Ύ8u.LB4q/{[j{fzD+' C.ш~b9qvz%Oթ&mg޴-͈!ڴ=ihMr>YO[w5W*rJw#{b8Gz;U$qw{HW;֫y|rqo%f/n.7f5Xaq7wSYFXT|S{@UUk3G@thʞhQ[ڄ|}Kl֯pM5* ok ~Mwtvm:'sҊ'tWS.JF~q_Ym?c[䅿{k>c6Un-its>CJo3]wLYl|lo5-%_"~YDsiyDc̓W6>!kM,8N }v)մB"xezbVJ&8oK pVa6/]6+Nz)k)YL8>^|R (2(J^Be-W}o{ '-_HGt+|I^m&윩i%/숤{sRлZ_R|?W-VPH.#*7s$L"QHs:+RH"-ij5͈ТHVEҝ2'-H{2hԝ:}C+@u -RB8.yn `D<{Hϕ *s.# z2-~W64KH [ݬdݡdݩdJOUrD6:.HWʏTPHjHoJFQ 48rAEFUѴ$r&],+L-hTΞr5kҕJWJE Z"BE3Z>KKQ'k@NujOAv2"(7rNۀY#Yreed]a5I+Ddq"uBDF˱)bD5 Bh(>kj I1wS =7u~S{&#r ˨(ZFK!׽HHi%*jD_ B)3YGߌ⯷TH4Tp!OU~,wѼr\_,wW[kMmDe('rۍ`[y{#1'WU_,CO)͹Dv:UTwWۨT79q*#_Y^/ז4}kӯkG㵁$sbV`~A]S?rӮRbO>r~#>[idk kz)j Zj.ɕ7IWSjzZ$k{XXna*ޯvfo^^KcT %G~q{ ;q{#NxOihL@Fc#49/& wt]t(5 fx=ZhYɔU]ܰԵsWO'H Q#=[Huw-)UԈ!)p("3NBC EN7/R8HMEQDs(ͣQ#ٻYdW$(ooE”ٴPjFVǥlTy9fCvECdDÔR(ڌCT@ETm(=ٕv68"ErF!ޠoDWs5fgTC<X({4qN6bjZAMrPS~m *F->p:{aaaaaU޿ξ~AԡaCnӳόqB>fb15O3gCA'(rGGs8Qs1͏xc9]0s4Uleb+ڑFKyy\+O09s)] ?'2<'G"&=LPҒ2)#yU)s̘ϕ?u;Ϋ$[HlM%i,b" JLL{e53.(;k&~* W! qD8dԕAd[WR(GяRJ7)m땲&eht2Y۴s뗔ţ_Q*5Ύ~c;8Ua"ƺn*+csrpY]߇b$(btCz{*n Mߎމ\Cp\}p>ғbc kΰc ?29I-68\y;Nߡ[sYwQ>p&F<4jI^~iw۽n2}E;{[犎6ɢΕZ:bb\WG*dPGҶse7RԪ:uLD3(3)˥wOo'BZ6 ]_{h𒉐+v|͵V.iG[rD~kwXr09SڙTp"em+>ZgԳYYMErl[ #qb#zs'Z}|BCY'9PB4&f oOոܯBm/bƮ]S*ԓ`lI&> {d,2#bV'WzL5"^FIǸڋU=|gNqS'WxŢ qжWj×E 0?$ nPxXu=֕Xc=X=8֋ݗbCl tVl8Mc#jŪheL'6vxQ3Luԟ&HMf!j.;vuzL]H:~~CV4.Oi\F}pSZ$VuS&O25]IMIC?h|.QQ֟וog])aW8Uvx< !yzuy)nH`֫ Droql+Ir6ˍ:<"_<7G4tin܊HV'&WTTeIL6 ƵzJ]_v-m-cѶ +Vul-FP%7vm&go&0]_4LZf=Wsh&g.|cG7*-ϵzZ>z:}_Rs> DzTVnzslZ >ZEW<ޥtڈL%GET1N: BCgMTpP Cȶ:⁎9DFykA\z` .J ,*Eb .jR\vsaW. dKvZuZ,)!ZVÐ#ۙsXkcq'YA=yb{).Iq ENIHW& GI’Zꏔ=()fcXRWUVP^]%DPDIc73 9ݞ ɾcC㞱3xw_xKC\<.6){^ޱWدkiѼ؛t9_:=+7YIm79Cx|kO[jO_*aP쎋l-Y64Q1Po"yAKG6Ut'夺b.lƽ@ږbt8`&`;ZeMml0CZ>fsO\jms6' .a Tv58Ys=} k)[5b9Eu굢E %6ǀޢ&nb) c_s\T$1N&m 1ͤP4v8_e}c99o& ]HA:FA_$\sŵ#|{V{sJCG$4S)L *i桊f^, 2؎`;B "4!ha[AyծCmC']rPpV|^PzAG͘Q`VBX;۹ZWIWRTUG5Q/cb]DE(^ꭴvugė%]`e6[5(dz0c5g9߹I ^z>%Ug)8%ʝcr 9#F]8q@-x:UKM)&Q+_͸6㎨4HŦtl:A<26F= ] 8m;BE$9YҷüSi]mDDzXJvIV69Fe3r철|ث\Uf6XݳK ƕ&QU\5r)SUܱH_ԤXEp=u9ʉ(5G9c%NwP򦫽+b/q&\CHǧLL `|)vDÈH^rIc%@7U`E7#t9R+1WJa]tؙRyG-Wȱqr,sG^[(sJ1_$ !Z\U(%L dmsU~nfeb BЀ5Mӆ@Ծb@/mɮڈ/ _uF#3Gn$4)ig2={^sodŜ dtBo8d$# .K"aI Rb* eqM<^B+bx[ 4ܐq2n]q'}| VMB!%5N.v.1kk8넞DFKh g֓M2Ӹkxku2-[ߠ%^b8lQgwN)箭k2r=]tϸ|FX+ Y3K\.~p1Hҿhjںx 0\es|M- 򂫫;ڝ˪@5 9wgwk8: t16ir] huk]9 F:cu$\,8;er *fBYNO7V5 nL bd8 6%7-ћR%"l55Ө^k39mm/袶#mmuCUtjb0B.4 Si;W̓Mm T,GšZ(n8ÅaB# Y ;GF E^=/:BUƐPZT ndpPn" )ZIu+(T`C ^; ^İ LJP6%| >>S9)_2/R6C]4nN=Sg壛RC=.n@*tgRTwKwR[EP-2nU ]PqCulPm"A&W(f§kVmHo4w*mM;]3dx7zlNcM@&)oS͗B3<#ĺ[J4lUDTD7X${nɧ]e+Xt}" /}pEGfj ̨uFhzC7}}|{*#p* :=CU {?>?bXA=ej_Ѫ~{LJ(O< O RRaJh9Ii")İq&}a!]=$FS*c1o%HV&y@%$%(csE? JEJZxPh?eh2lOy{:Nř.*KX'q_Cq_qxB,H= !*ACa9_Xa،i Sx0 cd9řo%y8A؎s˲_q#M$C$Y2`)G[ m)G[ PڒpYJK[(-=}PzC/nfG4|yggg̼3oqXlVq53;jgx9x^~GE?k_Ž~?Es8 C\s1ňQ8ASq~ pT 5Xx1]x0UB7^A߫rJë.U}?uxxT 07jnUŏj?58 oSwI :N?KŻ5Ox`s\a N3p7sۭ}p7sͬv3jgs?p q0c(*{1 _'4.*~_ OqiAor-`?~[wU24R@|WGk)?gk_kuoUs?p/U|IO*Y[<_Tÿw n*Nn5U|EãᑈϏP\>omb\oC-9k@މ`́dwOZfoHe=6"oGjGBQ7 kch/2: {|hh#]b(pLw ɵ:{a: {c^eW;6e!T',b;X`oGU)I b8*FtN=6:L@|K8%?5%gQx1$=5EH3+aEdn%Ar v!4C׬3< vL[gWG8702F A ! 2)#{x;*Bɗ5aiv}p)gWTE,tj)N't"#˒$UkLmڃayt\z&'-|cA=fK*P-okB8cPP9:m}=㟂Tַu |?J铬 3$nj1\&*-Imݦw`+L}ށpk9ks60E4BuXFc@nLGh~4YLjxǥeLn`01JJI&ACDXvf9 d%gYu}ߟhw&$K@2{cyZֲSRJܘXP Err^MSCeƀ^h!udgb$}bY&eMmt}Ul;w3c xXOIDm:āpڔwۮ$c1Dw%Pj%Nإ'C`m{`;x%2d#>2 7e yx9y-Md^1" MÐ֪ee^]"*# 4/kBi7x1e%,>V|s PF~47Ws m2s½pYB4?"-ؒ,mGq&5XlΚlw?y) -ol R_JY,;/T 'V' N࢒\cĥ̉.\F QXʛ*ķ*18DuYR\&+{/o, ٞ71U<"N0_UlNŮ8N%GQL5&T|u:~Tc;'T +AUf:Bev*EgR8RR)XfW5r2ǩ)UT)NxR RGd#;_IUET]mI,(V&i:EטdGTߐY z{4i4(4oDFxV7-(QHvE@W@h7诲*Rp;"giĦUO"˳]2V8=Nb9+=R^s B)3Ve*{ëa:2ucUy4:q D.q5šcf2ϕNllT&Lde֐Wj̚Ik̴ (*s0c&R7S1o)3@srMSOTfPD < [)CMFڊƐ -vx}f]6^iȜUթēՉUUڜJ1q :)vNe10IJ"7NKȮ銔$Y)Ӓ> 4lZ_IDc/f"*N \۽մ|/d]^Mъ>#睙R&/>wIQ5?75ﴚc>Ȝ to /|H /](7A O=6L'];cT>;A1Jb|-"{Υ-v{#c;$ ͷ1GbiĿfaM<,EP3H+봓^> ז' E"Qv8vCawz*2{ex8c'˳]>a#!\^;5Ar#!(& ,w1o=uHgKq'7NCcN;iҰDx~J_\w -䦄4*O^sca 5cK)wOҦ= *K;Q1:[>R0N3=̓'qrv,4|zbCUDߗ%ICV5/=κN p̔igӭ`,zrL=7lzr*Z:I'6[{89Ǐ\8"r?Vȕ푃ɮ`8b[hsTxT~Ḇ8jgVTGWLw6HNU٤'Oäꝰl>ڡZ;T~F5{/JlӳQ4ȇ K G~^x@@=掃]08\f ]`ݐg Nzoɉk?ID!zCN&gaWxpG:&r,Buj /́ ba<%QGU{j_8j4l·0 8gs8)06/=ҟ0޾ Yu䵖S8q]T1^GsF%p>W@H_x$-Ÿ.Ts@VK"Yk Y ߡ\zLPp8]eP$!HzPR׹`f{ \e1w84;dO=㰼I !_o;( RE/ \DӀbX?%7ډ M+zhk#pwBc iR7Gdҽ~maEs,+y-&$ioIOFBiZ Z"*Quׄ*/atUV LηMT ;R0$A0T& ㄜbZh$t,9GmrkB%]S 3`%vqhGd#%~eupDc; kݞֺ_$ %(?Xf)T@bܦ(' 5-XMW][A9ta] XVJfOIq8m\oCQ蠆Nnzo8lz׻MSam7-`V=ɭR^zk_Љm*9o(Y77ʉk9&8דo^Ow2L×fFݲnMtҵqvJ q8M  ЗJx8J^"ÖAmL=3!SnbG^b.y_+ G88sZYFDYRR!x`R +pW)M&m2vghwcK2M{b$lZPIسUSs)4|cПΫ-otfpŴ\ 8jao=|ѝm0]JCRܟ% R!9;m }sIyēEQ^aO+Kf([\f z V&[3f5Q(aw唩eq%їrί3T*1X@_h[fhnhўBh3YH|+iPNXF"\Lk%TMq).:^Hoxa_$['7bL\؟q-u8sۅj~5?OJ (e]O]9U}H)UVi9t@;\DPLn.P~6%byZ'9\1skAYK-/}]Hfr5NޓWߺ\llQ7oRnBq+UhuRpGh wfz@xh[5ͱϳݓN>f[Iv5m$G zKF,΁=.[ yf{[̙6)oul7_dL΅Rk/aP|9 fpGGIأ!Q+\52p\1m%x4)jW:TC/  -g. *:uA LC6Zm׷1J#úad%7(u>}3˜bYb.}@fkd*]d`LtAB.,dhScWW?#WSrǘW=Z4}h=a OrzZE;'fwDSH% 5FDqo&+P@im\e&׭?4. Wnҭ.UmR4o@fTR8ì)s[L2%VZ·]; ~^! oǼWrѱùWh l7ڴ\K}ɑ49-3yo4J7;ipxL 2&\}Jo,P\ȫ"j36s'ɋqJw< ^Ժ{NVҸ} |/Lu\b-f"aqҧ:/ ep8!48vHCXvr XUbE) ]ϲ af LPuN'x,VRa0$%g]::[k:o2=톽,Eq4,Uq6#1hC*܉2b"/ee8F~;27\@u»aQHZs9 7ր/u}yoTHN2p!W# ǗiZʃkiU3.'2_.@#rO wK%[Z75xl3.1bpV-`"j?7i[(eam?חtbol1l ~젘8O،/ ߬Hi} V1bSe[wܔ/Y>Ax)]9! q./+,bjǀ`C;qd} *Zu_ޡ-ܶ< If5ʖ!6W& , ]n%P.;zY }*Dsa5v};lКϾeb΂du?{B4XTn`&4( =|n¹xG( jVH%Xݸ{S}a븖j ^@q젠5~ /һxʋزY#R t[GfGWc<z> '׻3sOFr3ʨ9{'ABdy {B2<.*yd&œt`1l`4}K 귁Œ jIL*&4 5_I(<[PGf DJh+1S~M1fk,CVU Ko/MgV> rVx(%0ټ/v*:hlKE3P^ ECk XEts<#`B4JcܷP.Lb\yM>[n>hCbȯLfʺL4FYɐA֨QBF;Vpc&hB8VX(Mh}ťNt^@pA)6\y9"L+}z&U퓠Fbo6- kSr /|uF8qɇ'd0p%.Vz˂Eg , .Zǟ}K>r/aㆤ)VJE] AtD+L<-WDV-P3mE-scPim/ Tشu&n_H}l2Zfz<|vt=k)ӵ#B.O(mބz ))QS ⃤%lÏif㢳 Xz#n|<:$f\ݎp'0uQNA1Nƞk":GVQ'Oő?ÿDϼ;?TQ|/*I<>\~7 Vk]nyiV݆2,xA3GK_;GF<xlQ8tQ>_z-vYCqTg. ':`zb;#5 ubxF2lSFuNĽ^_u fQ6Q4 ';!H,c||~D_դ2%0Y]Gi#Qڸkni *Qrx%% :S>H>\fU_.^$Ty'R1#]*3/T?#{8 p p\s0z S kAB(&țPd9դq@6;}MkLVq hU09O}~E=>(l2Oe'$`de+be]EχdmY ;[ i;QIsܦ{%EIt*V7ydɬвT;s="*4dԨFDZ_?Q_pb 4;rvqnsE T nQLqEt1kGj39T*a6`N䔠:on?'4鼕՘0⾖"}dY΃Q#E…-L|ddyrWle-\mbj #t^'&=ܬ(qpj:kRnHoc~vSh\x}m]:ڷ}h?cJf/ f**Î1F84Lߺ&/GEV=8mrs3,36w?nz 6]H'4oD_YokeI/.qdyq6wM6C@q%8.C}ҒO-tn뤫cPAD1wm%w0wՑipL#0/ :w(Rծt/jW|A֙/`|ϭϴŋA !hƎ,cʟO>9l;J,L!ؐ?U,dZoxp|biyKp:+60Tyx  N(8k5$dղ4 ?m ǧȤ 榯]^9TxCV~+)j8mZ"hHsQd"}Wg3znm]"Z9UCkϘB'&nˆOju')Zas /hgd]&2-) PU8{KNr 2T˒iG,)t(b=C>SދΈ2: lmX`㩏m!wD+DGNTJJ ,nvo}V޶|Z7'y">_M.Q1MWևc︇ԗ҆C@_cQbq>(Q-nKhlV|;v<'-\;j.AI <>>۰̶?g/*Oq*OoC G2IE͑ėQGϹt82>[OU?ΉuMt! B%~8!M[Acfs($?AcυV0?V YtoWc!#g7 8-xF(^، |ncg= N?<̡y?S2ZleaU$Gz%:Qwtb  ڲmo0?@ˇhiWGXQVR V"1dVm:čwi5Fs~C 5.H]pDG ˹g.nTh^,pǟȐTl$CD;2p28}( ^_tf[CdMhîMB8ˊfbP?~C|nP$.I>4 F q rXn0߲u3}艫N7C+ ݀z*:_M_g0m&G]7S3R7Uy(K+RZgX>>ȉ.8Nm[oqZy 08Pz󬿆dfOͰC:nWZ}R5f ӹYKlJmx3~ذln,3[S4u{}ifKşȱ n8;}9JD!o XXTbAA%d(uISJiDDcq8L<Πʥ&<*~8$SƍCRAgZ!k~4$\3n4C ae͞^|kb&1^;~wʉ*_^'R3y3+K̏-?+_dR^L\^?4jk6B{Y{\D1~HTDlk2(SnT+xgxxliM4~{"#O)m8<.fL XFIx[~BיSo &"96<-@R孇[:Q6b)<ʣ1Ec:D없H!_v]9N6/_4C,?.pr>_D>U*Yј~5e:G]԰z!u@B~Rf>y"艛%80qHO"-6؆it#F|İ 7 ;/U9X+[)Y=AyZ}+#qA*x/ώ EPQ.̦K诜3k`$j$1ؚrL('L/yPq򚹇uV9hB ǐ |%Q~~*̓ ʜ0ؐK~CCOD:,b16yKdw@1-tZ!|:п/{z4ǜen{י 9nܜH;3͋}p.5af̣ӊOFD~z-+U`*xoz)vEf䔩Q/pS'DfdTvzŻY%UӬ~rT~ܞ(@T=mS?gv+>cߙ,;9-Q5Aj~Te˷ZGzV9Fpx'@{HhO5jX+xjy* qujzd(uvh\i~1HE!}h}]sO<럷Qrȯ[tr%p:(8Q>s>B A3oj11TB0EL2ؔxD:ֹ+cn9gEnѫ6n2jy@2٢Adzcr|So.O-E!3_ |=-9Wxp Ov%FoqiXX3r wEnpZޔDYTM™8d7EgX!$bXY\Yd,w\H hZG&;"vdb|B–RiA3}:76\x@sr"QnB' l㳶t\MQ, КjFhcgFN9`LhFR-F]/  Brw[1Q')NMrR@THcUY'JXhRAFtbcoi:pN G|9! uNV *M[Ø@-xesk&.~ +Tf⪗ qg4{^.z,ᾎŨ-a¸];?ɦ(zVLu4jkD)ТB˞7[#fRV|0.7R %Ht9dLdPg<]rIf^otj χ6تY NL?xiD]NIT.m6A=ajR/=cR0b  Z\jZu 8{0-aY[Zmα ?/ZW fIglPi@ܜ`q]&ʤgN8N>Ɔp};WVBS6lS0EGhHo&Zz8XC8io->"g<L3>@ V߆DZefZK, nPyӢi5t_V'3I`A=z`;@ pl-/gε(E:{d~(W(m#΄R0R# zXhی7އ? zr!wP%>zϵ*$ J;CP4A7cQ>̜ *wmīݣ`fOAUZB&;QLXG?AMJw>=V814iMŝ" 3ww S Oґ Ɖ?@K]U YOqpu*dWD4kE -WSuASq-cmb~eC$宱ѽr!X%} Z_Ztf;KS>b+{=4*Z]iK??ĶSnpׯ4Hj `ta٫RGsXKI]6zt%9.;ͫr.eȘ7r?O'ABQQnф%a[whդZm[.ZW$pu p! F KDq~U㩉1Z$PꊂA`QSְWEdcR}KpDyY4 팿0l?jIZ?)ہg0mpZ}G,Fmi24zLwk!WʶGT; ŐIQXdsWdBT%@U{bG/RgyjcoutB;oDXʂvk"P=eIqTJc$ZNToqGii o!G) +qd․e-,@O O+˾:%L&k7cwd-ĩG8Nc" ( ً;ΫO:8s$r:oN:Quߺ9\Cc NY^ǘJkMN722 %^d@`_e3 #th= \UQ8{చlUV:*~/nĕpeǗTS4$a>whɢ kFRT2ͱbzNn0\(oV.#BU"١КֽD> YZ֖Ë^ .oV`VG1 WEp2=6*@ǮmX(zvO{"' v\>o!_ }YFW"k68Ƈj: Ї\ze!o V  G@ps%u@o;ߵn!S?(m4ld({p 1j>lѢt /j{0@ɣN>BQ0)ḏ -NCnX ԸJ_`n- @:o'fDᾹIآ6O947||63IJ.醴13Bبx^[ .{}|]MvvX {SYLpJK}4JE aɉAP{Ŵ V{`KDe„R^CJ =O)>mDapՑCw`nKNE^s:0@_达H1MnȔ[_WASq88+JjNu(K JXT@NT42\Eu[qJ^7j(ɵ]mI~$kiAz8s ߔ=ŁH}:PjY+tɀKLmOr^?6N5_ jDNu#|Tk]C;K3C%KΎ>Y6 >%kσ9 ީn#5/g5~'*O2P :s\Ei: MRLȌ|@mx*ߎr|-Uqڞ36]mB<̂dnX2ڠ>: R4lFl$8egzE/{G)U):j o;;ײ8Wp+3FXF#ϹF;05RuSX\(Tmf3:ܔ>weoJI dҼ1*hp&3l&wrE"g&__"JeމOiSUoB)tk/"4N٢| VVOr(;8p0)&wd'aJ,3e {)fs^qK QlFW"N Ko=J=!g 4ӭ3;_`*E$n()X%J+{AC\p 0|etp*{gUs?0]UB] AJU]sRs1{`lVRWj}j{omrzԱ Vŗ/d>~ȀGu/.0~"ߝ]ٙ7<ށ=O^@Kt]7T-pOMҴ v涡qT.Vo0ם/Ό7-Z" b\QTE&C};Ke(syj,_( ·jsn{Dj/ެiM {?T<]+z`ph5]\*1˸$w,y ;ܬ]ujA vC0h~Q뇩Z -PR\yqA+7y=}2bsh('dF}lEOlyI`ɞk(SG@Õ+,l?$\4UMM/X4{d5 czT*Q Ê2x pƍK/gJ?ROńA%M9 )cx>&7ek󳂛ޙ~:_ K$'Aݝb%{e7=kMM>DAc} vm)!K;c^|~K-E-h.,8^2z->~TNr@do{ SiY΂`DOJQJ(00i Jܲ o O1AZ &mAxs:au|c4[7vw67 qQ"@+$P].=+' ֺql Ɩe/nEg\U_ox}pϳ2ǭ"F{8 #Pzk aab߀O\ ufsiڿ.>ʍΫ{.qY|A9 r"`ZF՜ٛ1Ճ_<ӦO^HgթBwVrɎq.hNxAatP8*3 O1f_ ؗ"rEt() 's,d*YcJ~y,y,/{_ݠtoI 8YDkN/n8#z&fJdŤ0sqsl «? }OGaP|?bi6Q'4'x\8'( M7P(_ύ2>/]C)c{O`s0ˢQ4εW>!75afEx74jCAlJ@<ܑފfk3Xtt7\^f mJ-ݷk frLKiw+"y#}"@3Z 8:p9p:\r./rh{60(:^꠫+&хm0 ʉ TAP:iK)-9ќ'M+gUwN\J|)K<ɛ` loccی u%ԛDPJ]^:MZw\f!LX ,մ"/ >sh.T#kqWOnI9-\YPW{AVfmxpwU5N},m{]7?D_W<)Pj`Hư?cɐ:X3җi/ZY+klFkݍ;%P1 ^Чz(nH0m9^t?97z01zBEmMCkӗPH_-'OQzh_sV [0ZunO79N5B?sbe%|$|޴VIB.UD G+[ ΨZZ}=p%Fs~-ي9FcB3rto?LZhN#,e&wr!@Tq wDYTnsדT $+0 ;E%]HBI_R6K r,}?F 5#S$_2@J4ĸn<5с=d9A_5̶L wlUBʀk=6zB31k]9'B ,a)ή;\r]傘h!Ǔ2)KQm0ؙXz +N?AMb{JSI8o=|\HK" 5 f{y`9촚SFq#pRm)3cYg*ImA3K|uiCWI =;_qrzon4xĆ =ݨ,()wqz Iۘ A<=Oڢ y x64_*/4%j0p+Fv<ibjSZT!}W5|9ߣ)DԉqsX>4^o 9`- nPY=3C[{ɄX^:%lUO.*5IiU[@5Fyu F$5+?=T|ݸ&MSsxnYMbUxAXJ/-]"a_,OKԸkLUʗu>J.2E:޿Ⱦ]vI$2Y C8& |1trW41 q>ێEpQ%gXJui'xʩtkvpF~KFr]ukB✦ 3 / Lt#I{Ųs9"zfDt;uH6jongBBќz.Tң^z@ 5U 7ZKsOڐyJsحݠ`Yk8ŔA ^ؠ:]FtR9 p k7,i&&#K{!E !qy~og(n=n$ 4tf@rC1`:Z>ȼj { fgގy -qMRH7xޑQfw>Z`٣mcrKn/J_#M2R_av%]S?w.#'"[4i]!ӲA(/n_٨b+V6֕NÏ_(YY|b"ST5<6DilN R]9῱ ǜN2馇_C4$2ƨЮ*ÃEglC9\ÇON0N`h&c=¦E똩 4vO9B;n 6|9dHg:d%5 a7:]F"K8ݔV@,9WK?Z<{ ^(/K^yTU/%|6.عQVTc.oV4>dh _Qy7d҄!$=7(.N]vhDj˦E 7t膮ŮtBp|HL"]2FրTG:qu2Qz YhۘN  iwI bsЌ|6mYYJ%K2ΚǺV!0]eH<!_ep۽{g'uk" Ʈ.-8o Hji$<1A~e麲Z73m=uf}-ސ%cpSĒlpc={ǖFTB&M V/Rњ@/M@_C5c2 yΕ N5Uoe5FΊb&2PƶT3EU(e+٦&PeFD-2s yܟBWy%OU5Tx_}4~7E$qᚳ$3]AyH^|2?0Kߟ~)rm(&r}Yb9*uσAbx&H;nx{}޴77?gh<|!"JJ.w$hG UF%mMW dVyIelԤEbZzbA̳FوɏL|>++@čYjwYJPt*c83G KC?~vsdfh*Szc:Sч&g]}Qgi:i]_OozޤI 7Z.}/UGo.18uyoh ~- Qt!ҸuF5^CPfq)8]=x͘LlZȐk1ۂκ7zrbOl?H)8]-ґ~&©e>Pzͭʲr#HHrn7]k0` oIB\**.D 'U <)[:5!D9n GEj H͇GWx^ /[5 Llrxu9SUkNZdEidy SJ)ZN[('$!XHN$G{گF@Q~L'LC'$PiMJ'f$L^2_gv7uڭLȪ(p:-3WnyݛM+zoFޟՇ3>[Q߂ >&>'hC`NAܔײ4bY$f )~xsюNVV,18df1G5I*KX-3epx)VK 52g{RtKNHWR=K'nᩰYlD)y0T/ްc+!2QXL:LkKGx7\hO{i1Osa;z!˓EbN5ym[p؎p ~o;S75{k7_*$VH|n0!w9JUNlque!;/v D#zRju11J&dOTCE}[L$WMXle>Eͦ\Lŋ4cy!g$8Vm< M@=8kha4%wi =S&-$? l E? N](R5i{mT'sNfv񍊼^,)U:mܳ9+ے=l,}B7'[g7{qg +lU2'$/q "§XOټbʲ4a$N[/ex{Nd{v$zJtb`dY/Zȇn7/,Cdg$K&d(ݵ`d?B*qፌPsuƿM\g=6dh/(!% !2QEJnc?&÷gLEv{udYRʅ=aXچV6b%L .Ju3 \3M!PF%PXL;W';;^;sxb L,?-: ^1nt(.^lc#m>[]b%o]Jj W}*4 >ɺp!H Э[ JOzG^,"fT9f :4B" Fr|LkVnLE 1جIn&jE囬8KoC_5 V:UÛ2pBUӁ~ >ff QnOVIa l ɖu^Ҥ'+;=~%JS 缹tĔ|E%qߌc,Qb N#Zj@x󰰗-U};xG8j/- rh2t'XЇaz( ehM_!-}&lYw;bXOk6ERoRM-ϯ␆9 G(/?jZfȡ$#%PpNtr%R ٽS~NI<30c<{VI$/LrXm_5WUbpndvr%+*IAW/k*T s"W|z'ƟKKmJiiC'.(DžJ($i."ݳ[:er F|Z-t6(YŦ!҆o &ȫ%t{!:R^v,{a%`.ahԠuwԂ 5r^G: nc`0#$+oUk\ :$LcF}n֎yҔ O6'`7`-"O=ӸWmf mnF@2mo>X:d|^z{+`۵{O iM"nZ'A0Б.w9J[zݏkY ֆ7(2ޟdY ׁ+hH.R |5| [a hzk_JW(йj#ݧL<0ur.?@Wdeb7vuջu7F6brʲ&[am4g IM \X[`8RU7\hz~6n3A@ \G\RXMK XZrJǥ?J!+]d&9^oHD`@(An9P\h98V(3r@9vY$jXubH_az؁ kԐ\@VQ8[%OĚTRj|%uϘ/.E+4 ;>5>}ힵfBLg(>y75 K=hÿan{@ BּL巄zvAi<\Ak-ҍ3q>zj7H-r#㟭OJ$-\{A/9(.~ ?jurqFZՖk1zmF$P"]c=a9St$P0.(0#C;u慄^ݫ\q,cN'sa'0#|ZfP)0oItWĶkڭD~)2KvH>}jCv9n!e (N>&)U_qtkIeO?2*!8g1͒7ZXzg1ϡ\`NJMy鞩U^T|u!ea6-~Э.P6@ϬV2JmI9gxQXvX =ϙ堬Lbp'+Eb681`{)tp(JPC:O`4_Ӑ 9E@92( uQœEkS!Mj=4X "Ow9e uG4WZ4*vBc *1kyšc&#v` F{^k )w׻E_"M:4đ^ *k鶶ђC׹]L|*NjuL/JT&ݯNӠ2k'"@6(&6@K2kvv[x4r1"kH!1Pn"lы ?eq7gxecdTHy__:Y9lDFRR-5e^_쫅 E6gvf$S,|eCBx]NsSIãfƔe4Qtґ}A"pxǛfkFo"7q0{xa{G(FsZO1(%I(yU| s_Ɗ.%X])'k]xU^9&oY6.9ք`jG8 u鴷 u®$S'!W/(ݖ`kV#Mm!d5zem G3o( YSGb6˲c7OuRۨ``?lՠD' Cqcu|Nߓ la"Xk:7UCg[t˳OzW)x*nL][{:5NR겪mjhⱖ5s+R /\&T7|bvpjA`2D*'  ėw0'| u. YZ