From 23793bf22a7cf9b12e5113d16b5504b50faaf4ca Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Fri, 23 Sep 2016 13:34:40 -0500 Subject: [PATCH 01/61] Debugging was hard as many "syslog(...)" statements were missing Fix for issue https://github.com/NagiosEnterprises/nrpe/issues/60 Jobst Schmalenbach added a bunch of missing syslog entries for debugging, and changed some printf()'s to syslog()'s. --- src/acl.c | 103 ++++++++++++++++++++++++++++++++++++++++++----------- src/nrpe.c | 16 ++++++++- 2 files changed, 98 insertions(+), 21 deletions(-) diff --git a/src/acl.c b/src/acl.c index fdb59d1b..4b7c6d57 100644 --- a/src/acl.c +++ b/src/acl.c @@ -46,6 +46,8 @@ #include "../include/acl.h" +extern int debug; + /* This function checks if a char argumnet from valid char range. * Valid range is: ASCII only, a number or a letter, a space, a dot, a slash, a dash, a comma. * @@ -142,18 +144,27 @@ int add_ipv4_to_acl(char *ipv4) { unsigned long ip, mask; struct ip_acl *ip_acl_curr; + if(debug == TRUE) + syslog(LOG_INFO, "add_ipv4_to_acl: checking ip-address >%s<", ipv4); + /* Check for min and max IPv4 valid length */ - if (len < 7 || len > 18) - return 0; + if (len < 7 || len > 18) { + syslog(LOG_INFO, "add_ipv4_to_acl: Error, ip-address >%s< incorrect length", ipv4); + return 0; + } /* default mask for ipv4 */ data[4] = 32; /* Basic IPv4 format check */ for (i = 0; i < len; i++) { - /* Return 0 on error state */ - if (state == -1) - return 0; + /* Return 0 on error state */ + if (state == -1) { + if(debug == TRUE) + syslog(LOG_INFO, "add_ipv4_to_acl: Error, ip-address >%s< incorrect " + "format, continue with next check ...", ipv4); + return 0; + } c = ipv4[i]; @@ -201,6 +212,7 @@ int add_ipv4_to_acl(char *ipv4) { break; default: /* Bad states */ + syslog(LOG_INFO, "add_ipv4_to_acl: Error, ip-address >%s< bad state", ipv4); return 0; } @@ -247,6 +259,10 @@ int add_ipv4_to_acl(char *ipv4) { ip_acl_prev->next = ip_acl_curr; } ip_acl_prev = ip_acl_curr; + + if(debug == TRUE) + syslog(LOG_INFO, "add_ipv4_to_acl: ip-address >%s< correct, adding.", ipv4); + return 1; } @@ -387,8 +403,12 @@ int add_domain_to_acl(char *domain) { struct dns_acl *dns_acl_curr; - if (len > 63) + if (len > 63) { + syslog(LOG_INFO, + "ADD_DOMAIN_TO_ACL: Error, did not add >%s< to acl list, too long!", + domain); return 0; + } for (i = 0; i < len; i++) { c = domain[i]; @@ -426,7 +446,10 @@ int add_domain_to_acl(char *domain) { } break; default: - /* Not valid chars */ + syslog(LOG_INFO, + "ADD_DOMAIN_TO_ACL: Error, did not add >%s< to acl list, " + "invalid chars!", domain); + /* Not valid chars */ return 0; } } @@ -448,8 +471,13 @@ int add_domain_to_acl(char *domain) { dns_acl_prev->next = dns_acl_curr; dns_acl_prev = dns_acl_curr; + if(debug == TRUE) + syslog(LOG_INFO, "ADD_DOMAIN_TO_ACL: added >%s< to acl list!", domain); return 1; default: + syslog(LOG_INFO, + "ADD_DOMAIN_TO_ACL: ERROR, did not add >%s< to acl list, " + "check allowed_host in config file!", domain); return 0; } } @@ -470,14 +498,23 @@ int is_an_allowed_host(int family, void *host) struct sockaddr_in *addr; struct sockaddr_in6 addr6; struct addrinfo *res, *ai; + struct in_addr tmp; while (ip_acl_curr != NULL) { if(ip_acl_curr->family == family) { switch(ip_acl_curr->family) { case AF_INET: + if (debug == TRUE) { + tmp.s_addr = ((struct in_addr*)host)->s_addr; + syslog(LOG_INFO, "is_an_allowed_host (AF_INET): is host >%s< " + "an allowed host >%s<\n", + inet_ntoa(tmp), inet_ntoa(ip_acl_curr->addr)); + } if((((struct in_addr *)host)->s_addr & ip_acl_curr->mask.s_addr) == ip_acl_curr->addr.s_addr) { + if (debug == TRUE) + syslog(LOG_INFO, "is_an_allowed_host (AF_INET): host is in allowed host list!"); return 1; } break; @@ -509,9 +546,20 @@ int is_an_allowed_host(int family, void *host) switch(ai->ai_family) { case AF_INET: + if(debug == TRUE) { + tmp.s_addr=((struct in_addr *)host)->s_addr; + syslog(LOG_INFO, "is_an_allowed_host (AF_INET): is host >%s< " + "an allowed host >%s<\n", + inet_ntoa(tmp), dns_acl_curr->domain); + } + addr = (struct sockaddr_in*)(ai->ai_addr); - if (addr->sin_addr.s_addr == ((struct in_addr*)host)->s_addr) + if (addr->sin_addr.s_addr == ((struct in_addr*)host)->s_addr) { + if (debug == TRUE) + syslog(LOG_INFO, "is_an_allowed_host (AF_INET): " + "host is in allowed host list!"); return 1; + } break; case AF_INET6: @@ -559,19 +607,30 @@ void parse_allowed_hosts(char *allowed_hosts) { const char *delim = ","; char *trimmed_tok; + if (debug == TRUE) + syslog(LOG_INFO, + "parse_allowed_hosts: parsing the allowed host string >%s< to add to ACL list\n", + allowed_hosts); + #ifdef HAVE_STRTOK_R tok = strtok_r(hosts, delim, &saveptr); #else + if (debug == TRUE) + syslog(LOG_INFO,"parse_allowed_hosts: using strtok, this might lead to " + "problems in the allowed_hosts string determination!\n"); tok = strtok(hosts, delim); #endif while( tok) { trimmed_tok = malloc( sizeof( char) * ( strlen( tok) + 1)); trim( tok, trimmed_tok); + if(debug == TRUE) + syslog(LOG_DEBUG, "parse_allowed_hosts: ADDING this record (%s) to ACL list!\n", trimmed_tok); if( strlen( trimmed_tok) > 0) { if (!add_ipv4_to_acl(trimmed_tok) && !add_ipv6_to_acl(trimmed_tok) && !add_domain_to_acl(trimmed_tok)) { syslog(LOG_ERR,"Can't add to ACL this record (%s). Check allowed_hosts option!\n",trimmed_tok); - } + } else if (debug == TRUE) + syslog(LOG_DEBUG,"parse_allowed_hosts: Record added to ACL list!\n"); } free( trimmed_tok); #ifdef HAVE_STRTOK_R @@ -606,17 +665,21 @@ unsigned int prefix_from_mask(struct in_addr mask) { * It shows all hosts in ACL lists */ -void show_acl_lists(void) { - struct ip_acl *ip_acl_curr = ip_acl_head; - struct dns_acl *dns_acl_curr = dns_acl_head; +void show_acl_lists(void) +{ + struct ip_acl *ip_acl_curr = ip_acl_head; + struct dns_acl *dns_acl_curr = dns_acl_head; - while (ip_acl_curr != NULL) { - printf(" IP ACL: %s/%u %u\n", inet_ntoa(ip_acl_curr->addr), prefix_from_mask(ip_acl_curr->mask), ip_acl_curr->addr.s_addr); - ip_acl_curr = ip_acl_curr->next; - } + syslog(LOG_INFO, "Showing ACL lists for both IP and DOMAIN acl's:\n" ); - while (dns_acl_curr != NULL) { - printf("DNS ACL: %s\n", dns_acl_curr->domain); - dns_acl_curr = dns_acl_curr->next; - } + while (ip_acl_curr != NULL) { + syslog(LOG_INFO, " IP ACL: %s/%u %u\n", inet_ntoa(ip_acl_curr->addr), + prefix_from_mask(ip_acl_curr->mask), ip_acl_curr->addr.s_addr); + ip_acl_curr = ip_acl_curr->next; + } + + while (dns_acl_curr != NULL) { + syslog(LOG_INFO, " DNS ACL: %s\n", dns_acl_curr->domain); + dns_acl_curr = dns_acl_curr->next; + } } diff --git a/src/nrpe.c b/src/nrpe.c index dc93d971..9ae398f1 100644 --- a/src/nrpe.c +++ b/src/nrpe.c @@ -724,6 +724,8 @@ int read_config_file(char *filename) } else if (!strcmp(varname, "allowed_hosts")) { allowed_hosts = strdup(varvalue); parse_allowed_hosts(allowed_hosts); + if (debug == TRUE) + show_acl_lists(); } else if (strstr(input_line, "command[")) { temp_buffer = strtok(varname, "["); @@ -1220,12 +1222,21 @@ void wait_for_connections(void) void setup_wait_conn(void) { struct addrinfo *ai; + char addrstr[100]; + void *ptr; add_listen_addr(&listen_addrs, address_family, (strcmp(server_address, "") == 0) ? NULL : server_address, server_port); - for (ai = listen_addrs; ai; ai = ai->ai_next) + for (ai = listen_addrs; ai; ai = ai->ai_next) { + if (debug == TRUE) { + inet_ntop (ai->ai_family, ai->ai_addr->sa_data, addrstr, 100); + ptr = &((struct sockaddr_in *) ai->ai_addr)->sin_addr; + inet_ntop (ai->ai_family, ptr, addrstr, 100); + syslog(LOG_INFO, "SETUP_WAIT_CONN FOR: IPv4 address: %s (%s)\n", addrstr, ai->ai_canonname); + } create_listener(ai); + } if (!num_listen_socks) { syslog(LOG_ERR, "Cannot bind to any address."); @@ -1372,6 +1383,9 @@ void conn_check_peer(int sock) break; } + if (debug == TRUE) + syslog(LOG_INFO, "CONN_CHECK_PEER: is this a blessed machine: %s port %d\n", + remote_host, nptr->sin_port); /* is this is a blessed machine? */ if (allowed_hosts) { From 28b4a1b98834ce5c965093a73414ebdf1136c8e4 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Fri, 23 Sep 2016 14:09:22 -0500 Subject: [PATCH 02/61] Fix help output for ssl option Fix from pull request https://github.com/NagiosEnterprises/nrpe/pull/42 --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 47760b48..11f58e72 100644 --- a/configure.ac +++ b/configure.ac @@ -296,7 +296,7 @@ AC_TRY_COMPILE([#include dnl Does user want to check for SSL? AC_ARG_ENABLE([ssl], - AS_HELP_STRING([--enable-ssl],[enables native SSL support]),[ + AS_HELP_STRING([--disable-ssl],[disables native SSL support @<:@default=check@:>@]),[ if test x$enableval = xyes; then check_for_ssl=yes else From 85f78b8f258a45c457f0132012b10069003e805c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Elan=20Ruusam=C3=A4e?= Date: Wed, 7 Sep 2016 16:27:20 +0300 Subject: [PATCH 03/61] use chown colon syntax --- README.SSL.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.SSL.md b/README.SSL.md index bb6498f8..ceb0a2ec 100644 --- a/README.SSL.md +++ b/README.SSL.md @@ -171,14 +171,14 @@ run the nrpe daemon: `db_server` and `bobs_workstation`. As root, do the following: mkdir -p -m 750 /usr/local/nagios/etc/ssl - chown root.nagios /usr/local/nagios/etc/ssl + chown root:nagios /usr/local/nagios/etc/ssl cd /usr/local/nagios/etc/ssl mkdir -m 750 ca - chown root.root ca + chown root:root ca mkdir -m 750 server_certs - chown root.nagios server_certs + chown root:nagios server_certs mkdir -m 750 client_certs - chown root.nagios client_certs + chown root:nagios client_certs ####Create Certificate Authority From cd319e373f753c0f5af21c7aea2dfdd5aa40dcf0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Elan=20Ruusam=C3=A4e?= Date: Wed, 7 Sep 2016 16:30:05 +0300 Subject: [PATCH 04/61] Update README.SSL.md --- README.SSL.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.SSL.md b/README.SSL.md index ceb0a2ec..52aa39e1 100644 --- a/README.SSL.md +++ b/README.SSL.md @@ -229,7 +229,7 @@ If you have the default `/etc/openssl.cnf`, either change it, or as root, do: mkdir demoCA/newcerts touch demoCA/index.txt echo "01" > demoCA/serial - chown -R root.root demoCA + chown -R root:root demoCA chmod 700 demoCA chmod 700 demoCA/newcerts chmod 600 demoCA/serial @@ -242,13 +242,13 @@ Now, sign the CSRs. As root, do the following: -keyfile ca/ca_key.pem -cert ca/ca_cert.pem \ -in server_certs/db_server.csr \ -out server_certs/db_server.pem - chown root.nagios server_certs/db_server.pem + chown root:nagios server_certs/db_server.pem chmod 440 server_certs/db_server.pem openssl ca -days 365 -notext -md sha256 \ -keyfile ca/ca_key.pem -cert ca/ca_cert.pem \ -in server_certs/bobs_workstation.csr \ -out server_certs/bobs_workstation.pem - chown root.nagios server_certs/bobs_workstation.pem + chown root:nagios server_certs/bobs_workstation.pem chmod 440 server_certs/bobs_workstation.pem Now, copy the `db_server.pem` and `db_server.key` files to the @@ -271,7 +271,7 @@ running the check_nrpe program. -keyfile ca/ca_key.pem -cert ca/ca_cert.pem \ -in client_certs/nag_serv.csr \ -out client_certs/nag_serv.pem - chown root.nagios client_certs/nag_serv.pem + chown root:nagios client_certs/nag_serv.pem chmod 440 client_certs/nag_serv.pem Now, copy the `nag_serv.pem`, `nag_serv.key` and `ca/ca_cert.pem` From cb5300c46c6821351fdd3596dbcabf6da0e5dc89 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Elan=20Ruusam=C3=A4e?= Date: Wed, 7 Sep 2016 16:37:00 +0300 Subject: [PATCH 05/61] Update SECURITY.md update to match NASTY_METACHARS in src/nrpe.c 5bf9b2047f8e9a8609c3b95b2e655368765e4dd1 - adds \r\n 5aed5122c89ed917f6410197bda8ed93e069ffea - removes " --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index f5986ac8..8034837d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -64,7 +64,7 @@ To help prevent some nasty things from being done by evil clients, the following metacharacters are not allowed in client command arguments: - | ` & > < ' " \ [ ] { } ; ! + | ` & > < ' \ [ ] { } ; ! \r \n Any client request which contains the above mentioned metachars is discarded. From 2c935fb2b22dde4014cbdfbb4e0ac367f71831c4 Mon Sep 17 00:00:00 2001 From: minusdavid Date: Mon, 8 Aug 2016 12:35:23 +1000 Subject: [PATCH 06/61] Update nrpe.cfg.in The wload and cload for check_load should be specified in decimal notation. The current defaults in percent notation would never work correctly in the latest versions of this plugin, and they're - unfortunately - probably the basis for a lot of people's production configuration. See https://github.com/nagios-plugins/nagios-plugins/blob/master/plugins/check_load.c#L200 for why percent notation doesn't work. I would also add "-r" to divide by the number of cores, as that provides the most user-friendly way to specify wload and cload without knowing the number of CPUs on a system and without adding explanatory notes to the nrpe.cfg file. --- sample-config/nrpe.cfg.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sample-config/nrpe.cfg.in b/sample-config/nrpe.cfg.in index 0e1cff57..19d213ed 100644 --- a/sample-config/nrpe.cfg.in +++ b/sample-config/nrpe.cfg.in @@ -285,7 +285,7 @@ connection_timeout=300 # The following examples use hardcoded command arguments... command[check_users]=@pluginsdir@/check_users -w 5 -c 10 -command[check_load]=@pluginsdir@/check_load -w 15,10,5 -c 30,25,20 +command[check_load]=@pluginsdir@/check_load -r -w .15,.10,.05 -c .30,.25,.20 command[check_hda1]=@pluginsdir@/check_disk -w 20% -c 10% -p /dev/hda1 command[check_zombie_procs]=@pluginsdir@/check_procs -w 5 -c 10 -s Z command[check_total_procs]=@pluginsdir@/check_procs -w 150 -c 200 From 743df69871a08ee1a1d286a6ef40ce2ef23b3a0f Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 26 Sep 2016 13:16:35 -0500 Subject: [PATCH 07/61] Cleaned up config.h.in These changes were suggested in a pull request by Ruben Kerkhof: https://github.com/NagiosEnterprises/nrpe/pull/41. I didn't merge the pull request because parts of it were only of benefit when useing autoheader or autoreconf, which we don't use. --- include/config.h.in | 115 ++++++++++++++++++++++++++++++++++++++------ 1 file changed, 101 insertions(+), 14 deletions(-) diff --git a/include/config.h.in b/include/config.h.in index f8fce61d..c3159354 100644 --- a/include/config.h.in +++ b/include/config.h.in @@ -28,30 +28,67 @@ #include -#define DEFAULT_SERVER_PORT @nrpe_port@ /* default port to use */ +/* Default port for NRPE daemon */ +#undef DEFAULT_SERVER_PORT -#define NRPE_LOG_FACILITY @log_facility@ +/* NRPE syslog facility */ +#undef NRPE_LOG_FACILITY +/* Enable command-line arguments */ #undef ENABLE_COMMAND_ARGUMENTS + +/* Enable bash command substitution */ #undef ENABLE_BASH_COMMAND_SUBSTITUTION + +/* type to use in place of socklen_t if not defined */ #undef socklen_t + +/* Define to 1 if you have the `getopt_long' function. */ #undef HAVE_GETOPT_LONG + +/* Have the TCP wrappers library */ #undef HAVE_LIBWRAP + +/* Define to 1 if you have the ANSI C header files. */ #undef STDC_HEADERS + +/* Define to 1 if you have the `strdup' function. */ #undef HAVE_STRDUP + +/* Define to 1 if you have the `strstr' function. */ #undef HAVE_STRSTR + +/* Define to 1 if you have the `strtoul' function. */ #undef HAVE_STRTOUL + +/* Define to 1 if you have the `strtok_r' function. */ #undef HAVE_STRTOK_R + +/* Define to 1 if you have the `initgroups' function. */ #undef HAVE_INITGROUPS + +/* Define to 1 if you have the `closesocket' function. */ #undef HAVE_CLOSESOCKET + +/* Define to 1 if you have the `sigaction' function. */ #undef HAVE_SIGACTION + +/* Set to 1 if you have rfc931_timeout */ #undef HAVE_RFC931_TIMEOUT +/* The size of `int', as computed by sizeof. */ #undef SIZEOF_INT + +/* The size of `short', as computed by sizeof. */ #undef SIZEOF_SHORT + +/* The size of `long', as computed by sizeof. */ #undef SIZEOF_LONG -/* #undef const */ +/* Define to empty if `const' does not conform to ANSI C. */ +#undef const + +/* Set to 1 to use SSL DH */ #undef USE_SSL_DH /* stupid stuff for u_int32_t */ @@ -91,71 +128,98 @@ typedef int int32_t; /***** ASPRINTF() AND FRIENDS *****/ +/* Whether vsnprintf() is available */ #undef HAVE_VSNPRINTF +/* Whether snprintf() is available */ #undef HAVE_SNPRINTF +/* Whether aprintf() is available */ #undef HAVE_ASPRINTF +/* Whether vaprintf() is available */ #undef HAVE_VASPRINTF +/* Define if system has C99 compatible vsnprintf */ #undef HAVE_C99_VSNPRINTF + +/* Whether va_copy() is available */ #undef HAVE_VA_COPY + +/* Whether __va_copy() is available */ #undef HAVE___VA_COPY -#define SOCKET_SIZE_TYPE "" -#define GETGROUPS_T "" -#define RETSIGTYPE "" +/* Socket Size Type */ +#undef SOCKET_SIZE_TYPE + +/* Define to the type of elements in the array set by `getgroups'. Usually + this is either `int' or `gid_t'. */ +#undef GETGROUPS_T + +/* Define as the return type of signal handlers (`int' or `void'). */ +#undef RETSIGTYPE + +/* Define to 1 if the system has the type `struct sockaddr_storage'. */ #undef HAVE_STRUCT_SOCKADDR_STORAGE /* Use seteuid() or setresuid() depending on the platform */ #undef SETEUID -/* Is this a Solaris 10 machine? */ +/* Set to 1 if we are on Solaris 10 */ #undef SOLARIS_10 +/* Define to 1 if you have the header file. */ #undef HAVE_GETOPT_H #ifdef HAVE_GETOPT_H #include #endif +/* Define to 1 if you have the header file. */ #undef HAVE_STRINGS_H -#undef HAVE_STRING_H #ifdef HAVE_STRINGS_H #include #endif -#ifdef HAVE_STRINGS_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_STRING_H +#ifdef HAVE_STRING_H #include #endif +/* Define to 1 if you have the header file. */ #undef HAVE_UNISTD_H #ifdef HAVE_UNISTD_H #include #endif - +/* Define to 1 if you have the header file. */ #undef HAVE_SIGNAL_H #ifdef HAVE_SIGNAL_H #include #endif +/* Define to 1 if you have the header file. */ #undef HAVE_SYSLOG_H #ifdef HAVE_SYSLOG_H #include #endif +/* Define to 1 if you have the header file. */ #undef HAVE_SYS_STAT_H #ifdef HAVE_SYS_STAT_H #include #endif +/* Define to 1 if you have the header file. */ #undef HAVE_FCNTL_H #ifdef HAVE_FCNTL_H #include #endif +/* Define to 1 if you have the header file. */ #undef HAVE_SYS_TYPES_H #ifdef HAVE_SYS_TYPES_H #include #endif +/* Define to 1 if you have the header file. */ #undef HAVE_SYS_WAIT_H #ifdef HAVE_SYS_WAIT_H #include @@ -168,14 +232,18 @@ typedef int int32_t; # define WIFEXITED(stat_val) (((stat_val) & 255) == 0) #endif +/* Define to 1 if you have the header file. */ #undef HAVE_ERRNO_H #ifdef HAVE_ERRNO_H #include #endif -/* needed for the time_t structures we use later... */ +/* Define to 1 if you can safely include both and . */ #undef TIME_WITH_SYS_TIME + +/* Define to 1 if you have the header file. */ #undef HAVE_SYS_TIME_H + #if TIME_WITH_SYS_TIME # include # include @@ -188,68 +256,81 @@ typedef int int32_t; #endif +/* Define to 1 if you have the header file. */ #undef HAVE_SYS_SOCKET_H #ifdef HAVE_SYS_SOCKET_H #include #endif -/* Define to 'int' if does not define */ -#undef socklen_t - +/* Define to 1 if you have the header file. */ #undef HAVE_SOCKET_H #ifdef HAVE_SOCKET_H #include #endif +/* Define to 1 if you have the header file. */ #undef HAVE_TCPD_H #ifdef HAVE_TCPD_H #include #endif +/* Define to 1 if you have the header file. */ #undef HAVE_NETINET_IN_H #ifdef HAVE_NETINET_IN_H #include #endif +/* Define to 1 if you have the header file. */ #undef HAVE_ARPA_INET_H #ifdef HAVE_ARPA_INET_H #include #endif +/* Define to 1 if you have the header file. */ #undef HAVE_NETDB_H #ifdef HAVE_NETDB_H #include #endif +/* Define to 1 if you have the header file. */ #undef HAVE_CTYPE_H #ifdef HAVE_CTYPE_H #include #endif +/* Define to 1 if you have the header file. */ #undef HAVE_PWD_H #ifdef HAVE_PWD_H #include #endif +/* Define to 1 if you have the header file. */ #undef HAVE_GRP_H #ifdef HAVE_GRP_H #include #endif +/* Define to 1 if you have the header file. */ #undef HAVE_DIRENT_H #ifdef HAVE_DIRENT_H #include #endif +/* Have SSL support */ #undef HAVE_SSL +/* Have the krb5.h header file */ #undef HAVE_KRB5_H #ifdef HAVE_KRB5_H #include #endif +/* Define to 1 if you have the header file. */ #undef HAVE_INTTYPES_H + +/* Define to 1 if you have the header file. */ #undef HAVE_STDINT_H + #ifdef HAVE_INTTYPES_H #include #else @@ -258,4 +339,10 @@ typedef int int32_t; #endif #endif +/* Define to 1 if you have the header file. */ +#undef HAVE_PATHS_H + +/* Define to 1 if you have the header file. */ +#undef HAVE_SYS_RESOURCE_H + #endif From 4c717462e4ac1e8756b47d37df3afebf15f6643e Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 26 Sep 2016 13:36:08 -0500 Subject: [PATCH 08/61] Updates to Changelog and THANKS files --- Changelog | 5 +++++ THANKS | 4 ++++ 2 files changed, 9 insertions(+) diff --git a/Changelog b/Changelog index c3afddfb..15e5c8f9 100644 --- a/Changelog +++ b/Changelog @@ -13,6 +13,11 @@ FIXES - /usr/lib/tmpfiles.d/ndo2db.conf should have 'd' type, not 'D' (John Frickson) - Fixes in parse_allowed_hosts() and called functions (Jobst Schmalenbach / John Frickson) - nrpe.cfg: 'debug' statement needs to be first in file (Jobst Schmalenbach / John Frickson) +- Added missing debugging syslog entries, and changed printf()'s to syslog()'s. (Jobst Schmalenbach) +- Fix help output for ssl option (configure) (Ruben Kerkhof) +- Fixes to README.SSL.md and SECURITY.md (Elan Ruusamäe) +- Changed the 'check_load' command in nrpe.cfg.in (minusdavid) +- Cleanup of config.h.in suggested by Ruben Kerkhof 3.0 - 2016-08-01 diff --git a/THANKS b/THANKS index 2eef4cbe..fd815b68 100644 --- a/THANKS +++ b/THANKS @@ -8,6 +8,7 @@ Bill Mitchell Bjoern Beutel Brian Seklecki Derrick Bennett +Elan Ruusamäe Eric Mislivec Eric Stanley Gerhard Lausser @@ -17,6 +18,7 @@ Grégory Starck James Peterson Jari Takkala Jason Cook +Jobst Schmalenbach John Maag Jon Andrews Kaspersky Lab @@ -30,8 +32,10 @@ Matthias Flacke Niels Endres Patric Wust Peter Palfrader +Philippe Kueck Rene Klootwijk Robert Peaslee +Ruben Kerkhof Ryan McGarry Ryan Ordway Sean Finney From fe006d2556c906de84321188630ab0d25c317cc1 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 26 Sep 2016 13:52:22 -0500 Subject: [PATCH 09/61] check_nrpe info logging Fix for issue https://github.com/NagiosEnterprises/nrpe/issues/64 --- Changelog | 1 + src/check_nrpe.c | 12 +++++++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/Changelog b/Changelog index 15e5c8f9..0fa0e120 100644 --- a/Changelog +++ b/Changelog @@ -18,6 +18,7 @@ FIXES - Fixes to README.SSL.md and SECURITY.md (Elan Ruusamäe) - Changed the 'check_load' command in nrpe.cfg.in (minusdavid) - Cleanup of config.h.in suggested by Ruben Kerkhof +- Minor change to logging in check_nrpe (John Frickson) 3.0 - 2016-08-01 diff --git a/src/check_nrpe.c b/src/check_nrpe.c index f5d32d22..41d92a99 100644 --- a/src/check_nrpe.c +++ b/src/check_nrpe.c @@ -46,6 +46,7 @@ int show_help = FALSE; int show_license = FALSE; int show_version = FALSE; int packet_ver = NRPE_PACKET_VERSION_3; +int force_v2_packet = 0; int payload_size = 0; #ifdef HAVE_SSL @@ -149,7 +150,7 @@ int main(int argc, char **argv) if (result == -1) { /* Failure reading from remote, so try version 2 packet */ - syslog(LOG_NOTICE, "Remote %s does not support Version 3 Packets", rem_host); + syslog(LOG_INFO, "Remote %s does not support Version 3 Packets", rem_host); packet_ver = NRPE_PACKET_VERSION_2; /* Rerun the setup */ @@ -168,8 +169,12 @@ int main(int argc, char **argv) result = read_response(); /* Get the response */ } - if (result != -1) - syslog(LOG_NOTICE, "Remote %s accepted a Version %d Packet", rem_host, packet_ver); + if (result != -1) { + if (force_v2_packet = 0 && packet_ver == NRPE_PACKET_VERSION_2) + syslog(LOG_INFO, "Remote %s accepted a Version %d Packet", rem_host, packet_ver); + else + syslog(LOG_DEBUG, "Remote %s accepted a Version %d Packet", rem_host, packet_ver); + } return result; } @@ -336,6 +341,7 @@ int process_arguments(int argc, char **argv, int from_config_file) break; } packet_ver = NRPE_PACKET_VERSION_2; + force_v2_packet = 1; break; case '4': From 23159e45ff0f09be8b9cbf1665b60d310c0f9d54 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 17 Oct 2016 15:49:49 -0500 Subject: [PATCH 10/61] Squashed 'macros/' changes from d570c9b..925d86b 925d86b Merge branch 'master' of github.com:NagiosEnterprises/autoconf-macros c5ea9fe Fix for Solaris, AIX and HP-UX 4aeb50e HPUX - set init to "unknown". Let admin do it. 009ccc5 Typo in ax_nagios_get_paths 7f1a5ca Changes to init stuff for AIX 3a89a81 Package name and the program name are not always the same a12bbc9 localstatedir was not being eval'd b7fffb0 Missed a comma 3ae63db Change to say ndo2db needs to know the NEB directory 405b9b6 Forgot to reset a switch ca39514 Having trouble getting gnutls/compat to work. Backing off for now. 03f9fde Changes for SSL portability. Also uses pgk-config if available. git-subtree-dir: macros git-subtree-split: 925d86b11bac90d2ff899df3840740d594027441 --- ax_nagios_get_distrib | 8 ++-- ax_nagios_get_files | 2 +- ax_nagios_get_init | 15 ++++-- ax_nagios_get_paths | 106 +++++++++++++++++++++++------------------- ax_nagios_get_ssl | 85 ++++++++++++++++++++------------- 5 files changed, 128 insertions(+), 88 deletions(-) diff --git a/ax_nagios_get_distrib b/ax_nagios_get_distrib index 2ea11f41..3bb26b07 100644 --- a/ax_nagios_get_distrib +++ b/ax_nagios_get_distrib @@ -96,10 +96,12 @@ AC_SUBST(dist_ver) [bsd], dist_type=`uname -s | tr ["[A-Z]" "[a-z]"]` dist_ver=`uname -r`, - [aix|hp-ux], - dist_ver=$OSTYPE, + [aix], + dist_ver="`uname -v`.`uname -r`", + [hp-ux], + dist_ver=`uname -r | cut -d'.' -f1-3`, [solaris], - dist_ver=`echo $OSTYPE | cut -d'.' -f2`, + dist_ver=`uname -r | cut -d'.' -f2`, [*], dist_ver=$OSTYPE ) diff --git a/ax_nagios_get_files b/ax_nagios_get_files index fd567350..f8c5a9b8 100644 --- a/ax_nagios_get_files +++ b/ax_nagios_get_files @@ -97,7 +97,7 @@ AS_CASE([$init_type], fi, [launchd], - src_init="mac-init.plist" + src_init="mac-init.plist", [*], src_init="unknown" diff --git a/ax_nagios_get_init b/ax_nagios_get_init index c43ef01a..5ef27f4e 100644 --- a/ax_nagios_get_init +++ b/ax_nagios_get_init @@ -119,14 +119,19 @@ AC_SUBST(init_type) elif test "$dist_type" = "slackware"; then init_type="bsd" init_type_wanted=no + elif test "$dist_type" = "aix"; then + init_type="bsd" + init_type_wanted=no + elif test "$dist_type" = "hp-ux"; then + init_type="unknown" + init_type_wanted=no fi fi PSCMD="ps -p1 -o args" - AS_CASE([$dist_type], - [aix], PSCMD="env UNIX95=1; ps -p1 -o args", - [solaris], PSCMD="env UNIX95=1; ps -p1 -o args", - [hp-ux], PSCMD="env UNIX95=1; ps -p1 -o args") + if test $dist_type = solaris; then + PSCMD="env UNIX95=1; ps -p1 -o args" + fi if test "$init_type_wanted" = yes; then pid1=`$PSCMD | grep -vi COMMAND | cut -d' ' -f1` @@ -173,7 +178,7 @@ AC_SUBST(init_type) if test "$init_type_wanted" = yes; then if test "$pid1" = "/sbin/init" -o "$pid1" = "/usr/sbin/init"; then - if `/sbin/init --version 2>/dev/null | grep "upstart" >/dev/null`; then + if `$pid1 --version 2>/dev/null | grep "upstart" >/dev/null`; then init_type="upstart" init_type_wanted=no elif test -f "/etc/rc" -a ! -L "/etc/rc"; then diff --git a/ax_nagios_get_paths b/ax_nagios_get_paths index 8a4ae378..eea97d2e 100644 --- a/ax_nagios_get_paths +++ b/ax_nagios_get_paths @@ -119,16 +119,21 @@ AS_CASE([$dist_type], [*solaris*|*hp-ux*|*aix*|*osx*], opsys=unix) -need_cgi=no -need_web=no -need_brk=no -need_plg=no -need_pipe=no -need_spl=no -need_loc=no -need_log_subdir=no -need_etc_subdir=no -need_pls_dir=no + # Does this package need to know: +need_cgi=no # where the cgi-bin directory is +need_web=no # where the website directory is +need_brk=no # where the event broker modules directory is +need_plg=no # where the plugins directory is +need_pipe=no # where the pipe directory is +need_spl=no # where the spool directory is +need_loc=no # where the locale directory is +need_log_subdir=no # where the loc sub-directory is +need_etc_subdir=no # where the etc sub-directory is +need_pls_dir=no # where the package locate state directory is + +if test x"$INIT_PROG" = x; then + INIT_PROG="$PKG_NAME" +fi AS_CASE([$PKG_NAME], [nagios], @@ -143,6 +148,7 @@ AS_CASE([$PKG_NAME], need_web=yes, [ndoutils], + need_brk=yes need_spl=yes, [nrpe], @@ -284,14 +290,14 @@ tmpfilesd=${tmpfilesd="/usr/lib/tmpfiles.d"} if test ! -d "$tmpfilesd"; then tmpfilesd="N/A" else - tmpfilesd="$tmpfilesd/$PKG_NAME.conf" + tmpfilesd="$tmpfilesd/$INIT_PROG.conf" fi subsyslockdir=${subsyslockdir="/var/lock/subsys"} if test ! -d "$subsyslockdir"; then subsyslockdir="N/A" subsyslockfile="N/A" else - subsyslockfile="$subsyslockdir/$PKG_NAME" + subsyslockfile="$subsyslockdir/$INIT_PROG" fi if test "$need_loc" = no; then localedir="N/A" @@ -372,23 +378,23 @@ elif test $opsys = "linux"; then fi privatesysconfdir=${privatesysconfdir="$pkgsysconfdir/private"} if test $need_log_subdir = yes; then - logdir=${logdir="$localstatedir/log/$PKG_NAME"} + logdir=${logdir="$localstatedir/log/$INIT_PROG"} else logdir=${logdir="$localstatedir/log"} fi - piddir=${piddir="$localstatedir/run/${PKG_NAME}"} + piddir=${piddir="$localstatedir/run/${INIT_PROG}"} if test "$need_pipe" = yes; then - pipedir=${pipedir="$localstatedir/run/${PKG_NAME}"} + pipedir=${pipedir="$localstatedir/run/${INIT_PROG}"} else pipedir="N/A" fi if test "$need_pls_dir" = yes; then - pkglocalstatedir=${pkglocalstatedir="$localstatedir/lib/$PKG_NAME"} + pkglocalstatedir=${pkglocalstatedir="$localstatedir/lib/$INIT_PROG"} else pkglocalstatedir="N/A" fi if test "$need_spl" = yes; then - spooldir=${spooldir="$localstatedir/spool/$PKG_NAME"} + spooldir=${spooldir="$localstatedir/spool/$INIT_PROG"} else spooldir="N/A" fi @@ -437,7 +443,7 @@ elif test $opsys = "unix"; then fi privatesysconfdir=${privatesysconfdir="$pkgsysconfdir/private"} if test "$need_pls_dir" = yes; then - pkglocalstatedir=${pkglocalstatedir="$localstatedir/lib/$PKG_NAME"} + pkglocalstatedir=${pkglocalstatedir="$localstatedir/lib/$INIT_PROG"} else pkglocalstatedir="N/A" fi @@ -445,7 +451,7 @@ elif test $opsys = "unix"; then localedir=${localedir="/usr/local/share/locale//LC_MESSAGES/nagios-plugins.mo"} fi if test "$need_spl" = yes; then - spooldir=${spooldir="$localstatedir/spool/$PKG_NAME"} + spooldir=${spooldir="$localstatedir/spool/$INIT_PROG"} else spooldir="N/A" fi @@ -471,14 +477,14 @@ elif test $opsys = "unix"; then logdir=${logdir="$pkglocalstatedir/log"}, [*], - piddir=${piddir="$localstatedir/run/${PKG_NAME}"} + piddir=${piddir="$localstatedir/run/${INIT_PROG}"} if test "$need_pipe" = yes; then - pipedir=${pipedir="$localstatedir/run/${PKG_NAME}"} + pipedir=${pipedir="$localstatedir/run/${INIT_PROG}"} else pipedir="N/A" fi if test $need_log_subdir = yes; then - logdir=${logdir="$localstatedir/log/$PKG_NAME"} + logdir=${logdir="$localstatedir/log/$INIT_PROG"} else logdir=${logdir="$localstatedir/log"} fi @@ -528,7 +534,7 @@ elif test $opsys = "bsd"; then fi privatesysconfdir=${privatesysconfdir="$pkgsysconfdir/private"} if test "$need_pls_dir" = yes; then - pkglocalstatedir=${pkglocalstatedir="$localstatedir/lib/$PKG_NAME"} + pkglocalstatedir=${pkglocalstatedir="$localstatedir/lib/$INIT_PROG"} else pkglocalstatedir="N/A" fi @@ -536,7 +542,7 @@ elif test $opsys = "bsd"; then localedir=${localedir="/usr/local/share/locale//LC_MESSAGES/nagios-plugins.mo"} fi if test "$need_spl" = yes; then - spooldir=${spooldir="$localstatedir/spool/$PKG_NAME"} + spooldir=${spooldir="$localstatedir/spool/$INIT_PROG"} else spooldir="N/A" fi @@ -561,14 +567,14 @@ elif test $opsys = "bsd"; then else cgibindir="N/A" fi - piddir=${piddir="$localstatedir/run/${PKG_NAME}"} + piddir=${piddir="$localstatedir/run/${INIT_PROG}"} if test "$need_pipe" = yes; then - pipedir=${pipedir="$localstatedir/run/${PKG_NAME}"} + pipedir=${pipedir="$localstatedir/run/${INIT_PROG}"} else pipedir="N/A" fi if test $need_log_subdir = yes; then - logdir=${logdir="$localstatedir/log/$PKG_NAME"} + logdir=${logdir="$localstatedir/log/$INIT_PROG"} else logdir=${logdir="$localstatedir/log"} fi @@ -604,6 +610,7 @@ eval libexecdir=$libexecdir eval brokersdir=$brokersdir eval pluginsdir=$pluginsdir eval cgibindir=$cgibindir +eval localstatedir=$localstatedir eval pkglocalstatedir=$pkglocalstatedir eval webdir=$webdir eval localedir=$localedir @@ -622,9 +629,9 @@ AS_CASE([$init_type], else initdir=${initdir="/etc/init.d"} fi - initname=${initname="$PKG_NAME"} + initname=${initname="$INIT_PROG"} initconfdir=${initconfdir="/etc/conf.d"} - initconf=${initconf="$initconfdir/$PKG_NAME"}, + initconf=${initconf="$initconfdir/$INIT_PROG"}, [systemd], if test $dist_type = "debian"; then @@ -632,27 +639,32 @@ AS_CASE([$init_type], else initdir=${initdir="/usr/lib/systemd/system"} fi - initname=${initname="$PKG_NAME.service"}, + initname=${initname="$INIT_PROG.service"}, [bsd], - initdir=${initdir="/etc/rc.d"} - initname=${initname="rc.$PKG_NAME"}, + if test $dist_type = "aix"; then + initdir=${initdir="/sbin/rc.d/init.d"} + initname=${initname="$INIT_PROG"} + else + initdir=${initdir="/etc/rc.d"} + initname=${initname="rc.$INIT_PROG"} + fi, [newbsd], initdir=${initdir="/etc/rc.d"} - initname=${initname="$PKG_NAME"}, + initname=${initname="$INIT_PROG"}, [gentoo], initdir=${initdir="/etc/init.d"} - initname=${initname="$PKG_NAME"} + initname=${initname="$INIT_PROG"} initconfdir=${initconfdir="/etc/init.d"} - initconf=${initconf="$initconfdir/$PKG_NAME"}, + initconf=${initconf="$initconfdir/$INIT_PROG"}, [openrc], initdir=${initdir="/etc/init.d"} - initname=${initname="$PKG_NAME"} + initname=${initname="$INIT_PROG"} initconfdir=${initconfdir="/etc/conf.d"} - initconf=${initconf="$initconfdir/$PKG_NAME"}, + initconf=${initconf="$initconfdir/$INIT_PROG"}, [smf*], if test $init_type = smf10; then @@ -660,21 +672,21 @@ AS_CASE([$init_type], else initdir=${initdir="/lib/svc/manifest/network/nagios"} fi - initname=${initname="$PKG_NAME.xml"} + initname=${initname="$INIT_PROG.xml"} initconfdir=unknown initconf=unknown, [upstart], initdir=${initdir="/etc/init"} - initname=${initname="$PKG_NAME.conf"} + initname=${initname="$INIT_PROG.conf"} initconfdir=${initconfdir="/etc/default"} - initconf=${initconf="$initconfdir/$PKG_NAME"}, + initconf=${initconf="$initconfdir/$INIT_PROG"}, [launchd], initdir=${initdir="/Library/LaunchDaemons"} - initname=${initname="org.nagios.$PKG_NAME.plist"}, + initname=${initname="org.nagios.$INIT_PROG.plist"}, # initconfdir=${initconfdir="/private/etc"} -# initconf=${initconf="$initconfdir/$PKG_NAME"}, +# initconf=${initconf="$initconfdir/$INIT_PROG"}, [*], @@ -691,7 +703,7 @@ AS_CASE([$inetd_type], [xinetd], inetddir=${inetddir="/etc/xinetd.d"} - inetdname=${inetdname="$PKG_NAME"}, + inetdname=${inetdname="$INIT_PROG"}, [systemd], if test $dist_type = "debian"; then @@ -699,7 +711,7 @@ AS_CASE([$inetd_type], else inetddir=${inetddir="/usr/lib/systemd/system"} fi - netdname=${inetdname="$PKG_NAME.socket"}, + netdname=${inetdname="$INIT_PROG.socket"}, [smf*], if test $init_type = smf10; then @@ -707,15 +719,15 @@ AS_CASE([$inetd_type], else inetddir=${inetddir="/lib/svc/manifest/network/nagios"} fi - inetdname=${inetdname="$PKG_NAME.xml"}, + inetdname=${inetdname="$INIT_PROG.xml"}, # [upstart], # inetddir=${inetddir="/etc/init.d"} -# inetdname=${inetdname="$PKG_NAME"}, +# inetdname=${inetdname="$INIT_PROG"}, [launchd], inetddir=${inetddir="/Library/LaunchDaemons"} - inetdname=${inetdname="org.nagios.$PKG_NAME.plist"}, + inetdname=${inetdname="org.nagios.$INIT_PROG.plist"}, [*], inetddir=${inetddir="unknown"} diff --git a/ax_nagios_get_ssl b/ax_nagios_get_ssl index 7d580fb0..eda150e3 100644 --- a/ax_nagios_get_ssl +++ b/ax_nagios_get_ssl @@ -49,25 +49,30 @@ AC_DEFUN([AX_NAGIOS_GET_SSL], # ------------------------------- SSL_TYPE=openssl +try_pkg_config=1 ssl_dir= ssl_inc_dir= ssl_lib_dir= SSL_INC_DIR= +SSL_INC_PREFIX= +SSL_HDR= SSL_LIB_DIR= AC_SUBST(HAVE_SSL) AC_SUBST(SSL_INC_DIR) +AC_SUBST(SSL_HDR) +AC_SUBST(SSL_INC_PREFIX) AC_SUBST(SSL_LIB_DIR) # gnutls/openssl.h # nss_compat_ossl/nss_compat_ossl.h -# Which type - openssl, gnutls-openssl, nss -AC_ARG_WITH([ssl-type], -dnl AS_HELP_STRING([--with-ssl-type=TYPE],[replace TYPE with gnutls or nss to use one of these instead of openssl]), - AS_HELP_STRING([--with-ssl-type=TYPE],[replace TYPE with gnutls to use that instead of openssl]), - [SSL_TYPE=$withval]) +dnl # Which type - openssl, gnutls-openssl, nss +dnl AC_ARG_WITH([ssl-type], +dnl dnl AS_HELP_STRING([--with-ssl-type=TYPE],[replace TYPE with gnutls or nss to use one of these instead of openssl]), +dnl AS_HELP_STRING([--with-ssl-type=TYPE],[replace TYPE with gnutls to use that instead of openssl]), +dnl [SSL_TYPE=$withval]) AC_ARG_WITH([ssl], AS_HELP_STRING([--with-ssl=DIR],[sets location of the SSL installation]), @@ -80,6 +85,10 @@ AC_ARG_WITH([ssl-lib], AS_HELP_STRING([--with-ssl-lib=DIR],[sets location of the SSL libraries]), [ssl_lib_dir=$withval]) +if test x$ssl_inc_dir != x -o x$ssl_lib_dir != x; then + try_pkg_config=0 +fi + AC_ARG_WITH([kerberos-inc], AS_HELP_STRING([--with-kerberos-inc=DIR], [sets location of the Kerberos include files]), @@ -90,8 +99,8 @@ if test x$SSL_TYPE = xyes; then fi -dflt_hdrs="$ssl_inc_dir $ssl_dir $ssl_dir/include $ssl_dir/include \ - /usr/local/opt/{BBB} /usr/include/{BBB} /usr/local/include{BBB} \ +dflt_hdrs="$ssl_inc_dir $ssl_dir $ssl_inc_dir/include $ssl_dir/include \ + /usr/local/opt/{BBB} /usr/include/{BBB} /usr/local/include/{BBB} \ /usr/local/{AAA} /usr/local/{BBB} /usr/lib/{AAA} /usr/lib/{BBB} \ /usr/{AAA} /usr/pkg /usr/local /usr /usr/freeware/lib/{BBB} \ /usr/sfw /usr/sfw/include /opt/{BBB}" @@ -109,17 +118,20 @@ AS_CASE([$SSL_TYPE], [yes|openssl], [ssl_hdr_dirs=`echo "$dflt_hdrs" | sed -e 's/{AAA}/ssl/g' | sed -e 's/{BBB}/openssl/g'` ssl_lib_dirs=`echo "$dflt_libs" | sed -e 's/{AAA}/ssl/g' | sed -e 's/{BBB}/openssl/g'` - ssl_hdr=ssl.h + SSL_INC_PREFIX=openssl + SSL_HDR=ssl.h ssl_lib=libssl], [gnutls], [ssl_hdr_dirs=`echo "$dflt_hdrs" | sed -e 's/{AAA}/gnutls/g' | sed -e 's/{BBB}/gnutls/g'` ssl_lib_dirs=`echo "$dflt_libs" | sed -e 's/{AAA}/gnutls/g' | sed -e 's/{BBB}/gnutls/g'` - ssl_hdr=compat.h + SSL_INC_PREFIX=gnutls + SSL_TYPE=gnutls_compat + SSL_HDR=compat.h ssl_lib=libgnutls], [nss], [ssl_hdr_dirs=`echo "$dflt_hdrs" | sed -e 's/{AAA}/nss_compat_ossl/g' | sed -e 's/{BBB}/nss_compat_ossl/g'` ssl_lib_dirs=`echo "$dflt_libs" | sed -e 's/{AAA}/nss_compat_ossl/g' | sed -e 's/{BBB}/nss_compat_ossl/g'` - ssl_hdr=nss_compat_ossl.h + SSL_HDR=nss_compat_ossl.h ssl_lib=libnss_compat], [*], echo >&6; AC_MSG_ERROR(['--with-ssl-type=$SSL_TYPE' is invalid]) ) @@ -154,48 +166,53 @@ if test x$SSL_TYPE != xNONE; then fi # First, try using pkg_config -# AC_CHECK_TOOL([PKG_CONFIG], [pkg-config]) -# if test x"$PKG_CONFIG" != x ; then -# cflags=`$PKG_CONFIG $SSL_TYPE --cflags-only-I 2>/dev/null` -# if test $? = 0; then -# CFLAGS="$CFLAGS $cflags" -# LDFLAGS="$LDFLAGS `$PKG_CONFIG $SSL_TYPE --libs-only-L 2>/dev/null`" -# LIBS="$LIBS `$PKG_CONFIG $SSL_TYPE --libs-only-l 2>/dev/null`" -# found_ssl=yes -# AC_DEFINE_UNQUOTED(HAVE_SSL,[1],[Have SSL support]) -# fi -# fi + AC_CHECK_TOOL([PKG_CONFIG], [pkg-config]) + if test x"$PKG_CONFIG" != x -a $try_pkg_config -ne 0 ; then + cflags=`$PKG_CONFIG $SSL_TYPE --cflags-only-I 2>/dev/null` + if test $? -eq 0; then + CFLAGS="$CFLAGS $cflags" + LDFLAGS="$LDFLAGS `$PKG_CONFIG $SSL_TYPE --libs-only-L 2>/dev/null`" + LIBS="$LIBS `$PKG_CONFIG $SSL_TYPE --libs-only-l 2>/dev/null`" + found_ssl=yes + AC_DEFINE_UNQUOTED(HAVE_SSL,[1],[Have SSL support]) + fi + fi if test x_$found_ssl != x_yes; then # Find the SSL Headers - AC_MSG_CHECKING(for SSL headers) for dir in $ssl_hdr_dirs; do + if test "$dir" = "/include"; then + continue + fi ssldir="$dir" - if test -f "$dir/include/openssl/$ssl_hdr"; then + if test -f "$dir/include/$SSL_INC_PREFIX/$SSL_HDR"; then found_ssl=yes - CFLAGS="$CFLAGS -I$dir/include/openssl -I$ssldir/include" - SSL_INC_DIR="$dir/include/openssl" + CFLAGS="$CFLAGS -I$dir/include/$SSL_INC_PREFIX -I$ssldir/include" + SSL_INC_DIR="$dir/include/$SSL_INC_PREFIX" break fi - if test -f "$dir/include/$ssl_hdr"; then + if test -f "$dir/include/$SSL_HDR"; then found_ssl=yes + if test "$SSL_HDR" != compat.h ; then + SSL_INC_PREFIX="" + fi CFLAGS="$CFLAGS -I$dir/include" SSL_INC_DIR="$dir/include" break fi - if test -f "$dir/$ssl_hdr"; then + if test -f "$dir/$SSL_HDR"; then found_ssl=yes + SSL_INC_PREFIX="" CFLAGS="$CFLAGS -I$dir" SSL_INC_DIR="$dir" - ssldir="$dir/.." break fi - if test -f "$dir/openssl/$ssl_hdr"; then + if test -f "$dir/$SSL_INC_PREFIX/$SSL_HDR"; then found_ssl=yes - CFLAGS="$CFLAGS -I$dir/openssl" - SSL_INC_DIR="$dir/openssl" + CFLAGS="$CFLAGS -I$dir/$SSL_INC_PREFIX" + SSL_INC_DIR="$dir/$SSL_INC_PREFIX" ssldir="$dir/.." break fi @@ -247,11 +264,15 @@ if test x$SSL_TYPE != xNONE; then fi if test x$found_ssl = xyes ; then + if test -n "$SSL_INC_PREFIX" ; then + SSL_INC_PREFIX="${SSL_INC_PREFIX}/" + fi + # try to compile and link to see if SSL is set up properly AC_MSG_CHECKING([whether compiling and linking against SSL works]) AC_LINK_IFELSE( - [AC_LANG_PROGRAM([#include ], [SSL_new(NULL)])], + [AC_LANG_PROGRAM([#include <${SSL_INC_PREFIX}${SSL_HDR}>], [SSL_new(NULL)])], [ AC_MSG_RESULT([yes]) $1 From 98e253de294c553abf2f6657b74540a7d7162202 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 17 Oct 2016 15:51:51 -0500 Subject: [PATCH 11/61] Solaris 11 detection is broken in configure Fix for issue https://github.com/NagiosEnterprises/nrpe/issues/67 Was a problem for Solaris 11 and 10. --- Changelog | 6 ++++++ configure.ac | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 0fa0e120..26ab1520 100644 --- a/Changelog +++ b/Changelog @@ -2,6 +2,12 @@ NRPE Changelog ************** +3.0.x - 2016-xx-xx +------------------ +FIXES +- Solaris 11 detection is broken in configure (John Frickson) + + 3.0.1 - 2016-09-08 ------------------ FIXES diff --git a/configure.ac b/configure.ac index 11f58e72..f5afa230 100644 --- a/configure.ac +++ b/configure.ac @@ -60,7 +60,7 @@ AC_NAGIOS_GET_INETD AC_NAGIOS_GET_PATHS AC_NAGIOS_GET_FILES -if test "$dist_type" = solaris -a "$dist_ver" != smf11; then +if test "$dist_type" = solaris -a "$dist_ver" = 10; then AC_DEFINE(SOLARIS_10,yes) fi From fa359ec83dd860794d54effe77fdcd993a251a48 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 28 Nov 2016 11:06:58 -0600 Subject: [PATCH 12/61] Update to Changelog. Some fixes showed as being in 3.0.1 but will actually be in the next release. --- Changelog | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/Changelog b/Changelog index 26ab1520..bf185a17 100644 --- a/Changelog +++ b/Changelog @@ -5,6 +5,12 @@ NRPE Changelog 3.0.x - 2016-xx-xx ------------------ FIXES +- Added missing debugging syslog entries, and changed printf()'s to syslog()'s. (Jobst Schmalenbach) +- Fix help output for ssl option (configure) (Ruben Kerkhof) +- Fixes to README.SSL.md and SECURITY.md (Elan Ruusamäe) +- Changed the 'check_load' command in nrpe.cfg.in (minusdavid) +- Cleanup of config.h.in suggested by Ruben Kerkhof +- Minor change to logging in check_nrpe (John Frickson) - Solaris 11 detection is broken in configure (John Frickson) @@ -19,12 +25,6 @@ FIXES - /usr/lib/tmpfiles.d/ndo2db.conf should have 'd' type, not 'D' (John Frickson) - Fixes in parse_allowed_hosts() and called functions (Jobst Schmalenbach / John Frickson) - nrpe.cfg: 'debug' statement needs to be first in file (Jobst Schmalenbach / John Frickson) -- Added missing debugging syslog entries, and changed printf()'s to syslog()'s. (Jobst Schmalenbach) -- Fix help output for ssl option (configure) (Ruben Kerkhof) -- Fixes to README.SSL.md and SECURITY.md (Elan Ruusamäe) -- Changed the 'check_load' command in nrpe.cfg.in (minusdavid) -- Cleanup of config.h.in suggested by Ruben Kerkhof -- Minor change to logging in check_nrpe (John Frickson) 3.0 - 2016-08-01 From 082527d4bd6946163829cf62357368b4a94d2c82 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 28 Nov 2016 11:09:19 -0600 Subject: [PATCH 13/61] A future version of Solaris will have b64_decode in string.h/libc Fix for issue #68. Removed unused function `b64_decode`. --- Changelog | 1 + include/utils.h | 1 - src/utils.c | 49 ------------------------------------------------- 3 files changed, 1 insertion(+), 50 deletions(-) diff --git a/Changelog b/Changelog index bf185a17..8b8d27d7 100644 --- a/Changelog +++ b/Changelog @@ -12,6 +12,7 @@ FIXES - Cleanup of config.h.in suggested by Ruben Kerkhof - Minor change to logging in check_nrpe (John Frickson) - Solaris 11 detection is broken in configure (John Frickson) +- Removed function `b64_decode` which wasn't being used (John Frickson) 3.0.1 - 2016-09-08 diff --git a/include/utils.h b/include/utils.h index 37bfcc89..3074eead 100644 --- a/include/utils.h +++ b/include/utils.h @@ -49,7 +49,6 @@ char* strip(char*); int sendall(int, char*, int*); int recvall(int, char*, int*, int); char *my_strsep(char**, const char*); -int b64_decode(unsigned char *encoded); void display_license(void); #endif diff --git a/src/utils.c b/src/utils.c index ff2029b0..42654442 100644 --- a/src/utils.c +++ b/src/utils.c @@ -450,55 +450,6 @@ char *my_strsep(char **stringp, const char *delim) return begin; } -int b64_decode(unsigned char *encoded) -{ - static const char *b64 = { - "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" - }; - int i, j, l, padding = 0; - unsigned char c[4], *outp = encoded; - - union { - unsigned c3; - struct { - unsigned f1:6; - unsigned f2:6; - unsigned f3:6; - unsigned f4:6; - } fields; - } enc; - - enc.c3 = 0; - l = strlen((char *)encoded); - for (i = 0; i < l; i += 4) { - for (j = 0; j < 4; ++j) { - if (encoded[i + j] == '=') { - c[j] = 0; - ++padding; - } else if (encoded[i + j] >= 'A' && encoded[i + j] <= 'Z') - c[j] = encoded[i + j] - 'A'; - else if (encoded[i + j] >= 'a' && encoded[i + j] <= 'z') - c[j] = encoded[i + j] - 'a' + 26; - else if (encoded[i + j] >= '0' && encoded[i + j] <= '9') - c[j] = encoded[i + j] - '0' + 52; - else if (encoded[i + j] == '+') - c[j] = encoded[i + j] - '+' + 62; - else - c[j] = encoded[i + j] - '/' + 63; - } - enc.fields.f1 = c[3]; - enc.fields.f2 = c[2]; - enc.fields.f3 = c[1]; - enc.fields.f4 = c[0]; - *outp++ = (enc.c3 >> 16) & 0xff; - *outp++ = (enc.c3 >> 8) & 0xff; - *outp++ = (enc.c3) & 0xff; - } - *outp = '\0'; - - return outp - encoded - padding; -} - /* show license */ void display_license(void) { From 0e596e1170fc1dce96fdcfa9fa77c77e849a9ba2 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 28 Nov 2016 13:15:51 -0600 Subject: [PATCH 14/61] check_nrpe ignores -a option when -f option is specified Fix for issue #69 --- Changelog | 1 + src/check_nrpe.c | 10 ++++++---- 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/Changelog b/Changelog index 8b8d27d7..98fd66d3 100644 --- a/Changelog +++ b/Changelog @@ -13,6 +13,7 @@ FIXES - Minor change to logging in check_nrpe (John Frickson) - Solaris 11 detection is broken in configure (John Frickson) - Removed function `b64_decode` which wasn't being used (John Frickson) +- check_nrpe ignores -a option when -f option is specified (John Frickson) 3.0.1 - 2016-09-08 diff --git a/src/check_nrpe.c b/src/check_nrpe.c index 41d92a99..9918653e 100644 --- a/src/check_nrpe.c +++ b/src/check_nrpe.c @@ -459,12 +459,14 @@ int process_arguments(int argc, char **argv, int from_config_file) } /* determine (base) command query */ - snprintf(query, sizeof(query), "%s", - (command_name == NULL) ? DEFAULT_NRPE_COMMAND : command_name); - query[sizeof(query) - 1] = '\x0'; + if (!from_config_file) { + snprintf(query, sizeof(query), "%s", + (command_name == NULL) ? DEFAULT_NRPE_COMMAND : command_name); + query[sizeof(query) - 1] = '\x0'; + } /* get the command args */ - if (argindex > 0) { + if (!from_config_file && argindex > 0) { for (c = argindex - 1; c < argc; c++) { From bf506edf83d861491cf3f74ffeef606d80db5b33 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 28 Nov 2016 13:29:03 -0600 Subject: [PATCH 15/61] Add missing LICENSE file --- Changelog | 1 + LICENSE | 339 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 340 insertions(+) create mode 100644 LICENSE diff --git a/Changelog b/Changelog index 98fd66d3..7ad90fcc 100644 --- a/Changelog +++ b/Changelog @@ -14,6 +14,7 @@ FIXES - Solaris 11 detection is broken in configure (John Frickson) - Removed function `b64_decode` which wasn't being used (John Frickson) - check_nrpe ignores -a option when -f option is specified (John Frickson) +- Added missing LICENSE file (John Frickson) 3.0.1 - 2016-09-08 diff --git a/LICENSE b/LICENSE new file mode 100644 index 00000000..d159169d --- /dev/null +++ b/LICENSE @@ -0,0 +1,339 @@ + GNU GENERAL PUBLIC LICENSE + Version 2, June 1991 + + Copyright (C) 1989, 1991 Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + Everyone is permitted to copy and distribute verbatim copies + of this license document, but changing it is not allowed. + + Preamble + + The licenses for most software are designed to take away your +freedom to share and change it. By contrast, the GNU General Public +License is intended to guarantee your freedom to share and change free +software--to make sure the software is free for all its users. This +General Public License applies to most of the Free Software +Foundation's software and to any other program whose authors commit to +using it. (Some other Free Software Foundation software is covered by +the GNU Lesser General Public License instead.) You can apply it to +your programs, too. + + When we speak of free software, we are referring to freedom, not +price. Our General Public Licenses are designed to make sure that you +have the freedom to distribute copies of free software (and charge for +this service if you wish), that you receive source code or can get it +if you want it, that you can change the software or use pieces of it +in new free programs; and that you know you can do these things. + + To protect your rights, we need to make restrictions that forbid +anyone to deny you these rights or to ask you to surrender the rights. +These restrictions translate to certain responsibilities for you if you +distribute copies of the software, or if you modify it. + + For example, if you distribute copies of such a program, whether +gratis or for a fee, you must give the recipients all the rights that +you have. You must make sure that they, too, receive or can get the +source code. And you must show them these terms so they know their +rights. + + We protect your rights with two steps: (1) copyright the software, and +(2) offer you this license which gives you legal permission to copy, +distribute and/or modify the software. + + Also, for each author's protection and ours, we want to make certain +that everyone understands that there is no warranty for this free +software. If the software is modified by someone else and passed on, we +want its recipients to know that what they have is not the original, so +that any problems introduced by others will not reflect on the original +authors' reputations. + + Finally, any free program is threatened constantly by software +patents. We wish to avoid the danger that redistributors of a free +program will individually obtain patent licenses, in effect making the +program proprietary. To prevent this, we have made it clear that any +patent must be licensed for everyone's free use or not licensed at all. + + The precise terms and conditions for copying, distribution and +modification follow. + + GNU GENERAL PUBLIC LICENSE + TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION + + 0. This License applies to any program or other work which contains +a notice placed by the copyright holder saying it may be distributed +under the terms of this General Public License. The "Program", below, +refers to any such program or work, and a "work based on the Program" +means either the Program or any derivative work under copyright law: +that is to say, a work containing the Program or a portion of it, +either verbatim or with modifications and/or translated into another +language. (Hereinafter, translation is included without limitation in +the term "modification".) Each licensee is addressed as "you". + +Activities other than copying, distribution and modification are not +covered by this License; they are outside its scope. The act of +running the Program is not restricted, and the output from the Program +is covered only if its contents constitute a work based on the +Program (independent of having been made by running the Program). +Whether that is true depends on what the Program does. + + 1. You may copy and distribute verbatim copies of the Program's +source code as you receive it, in any medium, provided that you +conspicuously and appropriately publish on each copy an appropriate +copyright notice and disclaimer of warranty; keep intact all the +notices that refer to this License and to the absence of any warranty; +and give any other recipients of the Program a copy of this License +along with the Program. + +You may charge a fee for the physical act of transferring a copy, and +you may at your option offer warranty protection in exchange for a fee. + + 2. You may modify your copy or copies of the Program or any portion +of it, thus forming a work based on the Program, and copy and +distribute such modifications or work under the terms of Section 1 +above, provided that you also meet all of these conditions: + + a) You must cause the modified files to carry prominent notices + stating that you changed the files and the date of any change. + + b) You must cause any work that you distribute or publish, that in + whole or in part contains or is derived from the Program or any + part thereof, to be licensed as a whole at no charge to all third + parties under the terms of this License. + + c) If the modified program normally reads commands interactively + when run, you must cause it, when started running for such + interactive use in the most ordinary way, to print or display an + announcement including an appropriate copyright notice and a + notice that there is no warranty (or else, saying that you provide + a warranty) and that users may redistribute the program under + these conditions, and telling the user how to view a copy of this + License. (Exception: if the Program itself is interactive but + does not normally print such an announcement, your work based on + the Program is not required to print an announcement.) + +These requirements apply to the modified work as a whole. If +identifiable sections of that work are not derived from the Program, +and can be reasonably considered independent and separate works in +themselves, then this License, and its terms, do not apply to those +sections when you distribute them as separate works. But when you +distribute the same sections as part of a whole which is a work based +on the Program, the distribution of the whole must be on the terms of +this License, whose permissions for other licensees extend to the +entire whole, and thus to each and every part regardless of who wrote it. + +Thus, it is not the intent of this section to claim rights or contest +your rights to work written entirely by you; rather, the intent is to +exercise the right to control the distribution of derivative or +collective works based on the Program. + +In addition, mere aggregation of another work not based on the Program +with the Program (or with a work based on the Program) on a volume of +a storage or distribution medium does not bring the other work under +the scope of this License. + + 3. You may copy and distribute the Program (or a work based on it, +under Section 2) in object code or executable form under the terms of +Sections 1 and 2 above provided that you also do one of the following: + + a) Accompany it with the complete corresponding machine-readable + source code, which must be distributed under the terms of Sections + 1 and 2 above on a medium customarily used for software interchange; or, + + b) Accompany it with a written offer, valid for at least three + years, to give any third party, for a charge no more than your + cost of physically performing source distribution, a complete + machine-readable copy of the corresponding source code, to be + distributed under the terms of Sections 1 and 2 above on a medium + customarily used for software interchange; or, + + c) Accompany it with the information you received as to the offer + to distribute corresponding source code. (This alternative is + allowed only for noncommercial distribution and only if you + received the program in object code or executable form with such + an offer, in accord with Subsection b above.) + +The source code for a work means the preferred form of the work for +making modifications to it. For an executable work, complete source +code means all the source code for all modules it contains, plus any +associated interface definition files, plus the scripts used to +control compilation and installation of the executable. However, as a +special exception, the source code distributed need not include +anything that is normally distributed (in either source or binary +form) with the major components (compiler, kernel, and so on) of the +operating system on which the executable runs, unless that component +itself accompanies the executable. + +If distribution of executable or object code is made by offering +access to copy from a designated place, then offering equivalent +access to copy the source code from the same place counts as +distribution of the source code, even though third parties are not +compelled to copy the source along with the object code. + + 4. You may not copy, modify, sublicense, or distribute the Program +except as expressly provided under this License. Any attempt +otherwise to copy, modify, sublicense or distribute the Program is +void, and will automatically terminate your rights under this License. +However, parties who have received copies, or rights, from you under +this License will not have their licenses terminated so long as such +parties remain in full compliance. + + 5. You are not required to accept this License, since you have not +signed it. However, nothing else grants you permission to modify or +distribute the Program or its derivative works. These actions are +prohibited by law if you do not accept this License. Therefore, by +modifying or distributing the Program (or any work based on the +Program), you indicate your acceptance of this License to do so, and +all its terms and conditions for copying, distributing or modifying +the Program or works based on it. + + 6. Each time you redistribute the Program (or any work based on the +Program), the recipient automatically receives a license from the +original licensor to copy, distribute or modify the Program subject to +these terms and conditions. You may not impose any further +restrictions on the recipients' exercise of the rights granted herein. +You are not responsible for enforcing compliance by third parties to +this License. + + 7. If, as a consequence of a court judgment or allegation of patent +infringement or for any other reason (not limited to patent issues), +conditions are imposed on you (whether by court order, agreement or +otherwise) that contradict the conditions of this License, they do not +excuse you from the conditions of this License. If you cannot +distribute so as to satisfy simultaneously your obligations under this +License and any other pertinent obligations, then as a consequence you +may not distribute the Program at all. For example, if a patent +license would not permit royalty-free redistribution of the Program by +all those who receive copies directly or indirectly through you, then +the only way you could satisfy both it and this License would be to +refrain entirely from distribution of the Program. + +If any portion of this section is held invalid or unenforceable under +any particular circumstance, the balance of the section is intended to +apply and the section as a whole is intended to apply in other +circumstances. + +It is not the purpose of this section to induce you to infringe any +patents or other property right claims or to contest validity of any +such claims; this section has the sole purpose of protecting the +integrity of the free software distribution system, which is +implemented by public license practices. Many people have made +generous contributions to the wide range of software distributed +through that system in reliance on consistent application of that +system; it is up to the author/donor to decide if he or she is willing +to distribute software through any other system and a licensee cannot +impose that choice. + +This section is intended to make thoroughly clear what is believed to +be a consequence of the rest of this License. + + 8. If the distribution and/or use of the Program is restricted in +certain countries either by patents or by copyrighted interfaces, the +original copyright holder who places the Program under this License +may add an explicit geographical distribution limitation excluding +those countries, so that distribution is permitted only in or among +countries not thus excluded. In such case, this License incorporates +the limitation as if written in the body of this License. + + 9. The Free Software Foundation may publish revised and/or new versions +of the General Public License from time to time. Such new versions will +be similar in spirit to the present version, but may differ in detail to +address new problems or concerns. + +Each version is given a distinguishing version number. If the Program +specifies a version number of this License which applies to it and "any +later version", you have the option of following the terms and conditions +either of that version or of any later version published by the Free +Software Foundation. If the Program does not specify a version number of +this License, you may choose any version ever published by the Free Software +Foundation. + + 10. If you wish to incorporate parts of the Program into other free +programs whose distribution conditions are different, write to the author +to ask for permission. For software which is copyrighted by the Free +Software Foundation, write to the Free Software Foundation; we sometimes +make exceptions for this. Our decision will be guided by the two goals +of preserving the free status of all derivatives of our free software and +of promoting the sharing and reuse of software generally. + + NO WARRANTY + + 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY +FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN +OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES +PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED +OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS +TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE +PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, +REPAIR OR CORRECTION. + + 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING +WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR +REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, +INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING +OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED +TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY +YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER +PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE +POSSIBILITY OF SUCH DAMAGES. + + END OF TERMS AND CONDITIONS + + How to Apply These Terms to Your New Programs + + If you develop a new program, and you want it to be of the greatest +possible use to the public, the best way to achieve this is to make it +free software which everyone can redistribute and change under these terms. + + To do so, attach the following notices to the program. It is safest +to attach them to the start of each source file to most effectively +convey the exclusion of warranty; and each file should have at least +the "copyright" line and a pointer to where the full notice is found. + + + Copyright (C) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License along + with this program; if not, write to the Free Software Foundation, Inc., + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +Also add information on how to contact you by electronic and paper mail. + +If the program is interactive, make it output a short notice like this +when it starts in an interactive mode: + + Gnomovision version 69, Copyright (C) year name of author + Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. + This is free software, and you are welcome to redistribute it + under certain conditions; type `show c' for details. + +The hypothetical commands `show w' and `show c' should show the appropriate +parts of the General Public License. Of course, the commands you use may +be called something other than `show w' and `show c'; they could even be +mouse-clicks or menu items--whatever suits your program. + +You should also get your employer (if you work as a programmer) or your +school, if any, to sign a "copyright disclaimer" for the program, if +necessary. Here is a sample; alter the names: + + Yoyodyne, Inc., hereby disclaims all copyright interest in the program + `Gnomovision' (which makes passes at compilers) written by James Hacker. + + , 1 April 1989 + Ty Coon, President of Vice + +This General Public License does not permit incorporating your program into +proprietary programs. If your program is a subroutine library, you may +consider it more useful to permit linking proprietary applications with the +library. If this is what you want to do, use the GNU Lesser General +Public License instead of this License. From aed42f9401278de90450959c703387cab339eb60 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 28 Nov 2016 13:44:51 -0600 Subject: [PATCH 16/61] Off-by-one BO in my_system() Fix for issue #74 Someone forgot to subtract 1 from the lenght, resulting in a possible 1-byte buffer overflow. --- Changelog | 1 + src/nrpe.c | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 7ad90fcc..5f8a1236 100644 --- a/Changelog +++ b/Changelog @@ -15,6 +15,7 @@ FIXES - Removed function `b64_decode` which wasn't being used (John Frickson) - check_nrpe ignores -a option when -f option is specified (John Frickson) - Added missing LICENSE file (John Frickson) +- Off-by-one BO in my_system() (John Frickson) 3.0.1 - 2016-09-08 diff --git a/src/nrpe.c b/src/nrpe.c index 9ae398f1..0990d0f2 100644 --- a/src/nrpe.c +++ b/src/nrpe.c @@ -2125,7 +2125,7 @@ int my_system(char *command, int timeout, int *early_timeout, char **output) break; } if (tot_bytes < output_size) /* If buffer is full, discard the rest */ - strncat(*output, buffer, output_size - tot_bytes); + strncat(*output, buffer, output_size - tot_bytes - 1); tot_bytes += bytes_read; } From 8a943934477b28c393c578e2bc1de221036f6c47 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 28 Nov 2016 15:48:51 -0600 Subject: [PATCH 17/61] Compiler Warnings using Oracle Developer Studio on Solaris Fixes for issue #75. --- configure | 153 +++++++++++++++++++++------------------ configure.ac | 2 +- include/common.h.in | 6 ++ macros/ax_nagios_get_ssl | 1 + src/acl.c | 4 - src/check_nrpe.c | 7 +- src/nrpe.c | 9 +-- src/utils.c | 3 + 8 files changed, 101 insertions(+), 84 deletions(-) diff --git a/configure b/configure index a5dc3511..c65b01e5 100755 --- a/configure +++ b/configure @@ -630,6 +630,7 @@ SSL_LIB_DIR SSL_INC_PREFIX SSL_HDR SSL_INC_DIR +SSL_TYPE HAVE_SSL EGREP GREP @@ -1388,7 +1389,7 @@ Optional Features: '--enable-install-method', so you can see the destinations before a full './configure', 'make', 'make install' process. - --enable-ssl enables native SSL support + --disable-ssl disables native SSL support [default=check] --enable-command-args allows clients to specify command arguments. *** THIS IS A SECURITY RISK! *** Read the SECURITY file before using this option! @@ -2751,10 +2752,12 @@ fi bsd) : dist_type=`uname -s | tr "A-Z" "a-z"` dist_ver=`uname -r` ;; #( - aix|hp-ux) : - dist_ver=$OSTYPE ;; #( + aix) : + dist_ver="`uname -v`.`uname -r`" ;; #( + hp-ux) : + dist_ver=`uname -r | cut -d'.' -f1-3` ;; #( solaris) : - dist_ver=`echo $OSTYPE | cut -d'.' -f2` ;; #( + dist_ver=`uname -r | cut -d'.' -f2` ;; #( *) : dist_ver=$OSTYPE ;; #( @@ -2888,20 +2891,19 @@ fi elif test "$dist_type" = "slackware"; then init_type="bsd" init_type_wanted=no + elif test "$dist_type" = "aix"; then + init_type="bsd" + init_type_wanted=no + elif test "$dist_type" = "hp-ux"; then + init_type="unknown" + init_type_wanted=no fi fi PSCMD="ps -p1 -o args" - case $dist_type in #( - aix) : - PSCMD="env UNIX95=1; ps -p1 -o args" ;; #( - solaris) : - PSCMD="env UNIX95=1; ps -p1 -o args" ;; #( - hp-ux) : - PSCMD="env UNIX95=1; ps -p1 -o args" ;; #( - *) : - ;; -esac + if test $dist_type = solaris; then + PSCMD="env UNIX95=1; ps -p1 -o args" + fi if test "$init_type_wanted" = yes; then pid1=`$PSCMD | grep -vi COMMAND | cut -d' ' -f1` @@ -2948,7 +2950,7 @@ esac if test "$init_type_wanted" = yes; then if test "$pid1" = "/sbin/init" -o "$pid1" = "/usr/sbin/init"; then - if `/sbin/init --version 2>/dev/null | grep "upstart" >/dev/null`; then + if `$pid1 --version 2>/dev/null | grep "upstart" >/dev/null`; then init_type="upstart" init_type_wanted=no elif test -f "/etc/rc" -a ! -L "/etc/rc"; then @@ -3154,16 +3156,21 @@ case $dist_type in #( esac -need_cgi=no -need_web=no -need_brk=no -need_plg=no -need_pipe=no -need_spl=no -need_loc=no -need_log_subdir=no -need_etc_subdir=no -need_pls_dir=no + # Does this package need to know: +need_cgi=no # where the cgi-bin directory is +need_web=no # where the website directory is +need_brk=no # where the event broker modules directory is +need_plg=no # where the plugins directory is +need_pipe=no # where the pipe directory is +need_spl=no # where the spool directory is +need_loc=no # where the locale directory is +need_log_subdir=no # where the loc sub-directory is +need_etc_subdir=no # where the etc sub-directory is +need_pls_dir=no # where the package locate state directory is + +if test x"$INIT_PROG" = x; then + INIT_PROG="$PKG_NAME" +fi case $PKG_NAME in #( nagios) : @@ -3177,7 +3184,8 @@ case $PKG_NAME in #( need_cgi=yes need_web=yes ;; #( ndoutils) : - need_spl=yes ;; #( + need_brk=yes + need_spl=yes ;; #( nrpe) : need_plg=yes ;; #( nsca) : @@ -3348,14 +3356,14 @@ tmpfilesd=${tmpfilesd="/usr/lib/tmpfiles.d"} if test ! -d "$tmpfilesd"; then tmpfilesd="N/A" else - tmpfilesd="$tmpfilesd/$PKG_NAME.conf" + tmpfilesd="$tmpfilesd/$INIT_PROG.conf" fi subsyslockdir=${subsyslockdir="/var/lock/subsys"} if test ! -d "$subsyslockdir"; then subsyslockdir="N/A" subsyslockfile="N/A" else - subsyslockfile="$subsyslockdir/$PKG_NAME" + subsyslockfile="$subsyslockdir/$INIT_PROG" fi if test "$need_loc" = no; then localedir="N/A" @@ -3436,23 +3444,23 @@ elif test $opsys = "linux"; then fi privatesysconfdir=${privatesysconfdir="$pkgsysconfdir/private"} if test $need_log_subdir = yes; then - logdir=${logdir="$localstatedir/log/$PKG_NAME"} + logdir=${logdir="$localstatedir/log/$INIT_PROG"} else logdir=${logdir="$localstatedir/log"} fi - piddir=${piddir="$localstatedir/run/${PKG_NAME}"} + piddir=${piddir="$localstatedir/run/${INIT_PROG}"} if test "$need_pipe" = yes; then - pipedir=${pipedir="$localstatedir/run/${PKG_NAME}"} + pipedir=${pipedir="$localstatedir/run/${INIT_PROG}"} else pipedir="N/A" fi if test "$need_pls_dir" = yes; then - pkglocalstatedir=${pkglocalstatedir="$localstatedir/lib/$PKG_NAME"} + pkglocalstatedir=${pkglocalstatedir="$localstatedir/lib/$INIT_PROG"} else pkglocalstatedir="N/A" fi if test "$need_spl" = yes; then - spooldir=${spooldir="$localstatedir/spool/$PKG_NAME"} + spooldir=${spooldir="$localstatedir/spool/$INIT_PROG"} else spooldir="N/A" fi @@ -3501,7 +3509,7 @@ elif test $opsys = "unix"; then fi privatesysconfdir=${privatesysconfdir="$pkgsysconfdir/private"} if test "$need_pls_dir" = yes; then - pkglocalstatedir=${pkglocalstatedir="$localstatedir/lib/$PKG_NAME"} + pkglocalstatedir=${pkglocalstatedir="$localstatedir/lib/$INIT_PROG"} else pkglocalstatedir="N/A" fi @@ -3509,7 +3517,7 @@ elif test $opsys = "unix"; then localedir=${localedir="/usr/local/share/locale//LC_MESSAGES/nagios-plugins.mo"} fi if test "$need_spl" = yes; then - spooldir=${spooldir="$localstatedir/spool/$PKG_NAME"} + spooldir=${spooldir="$localstatedir/spool/$INIT_PROG"} else spooldir="N/A" fi @@ -3534,14 +3542,14 @@ elif test $opsys = "unix"; then pipedir=${pipedir="$pkglocalstatedir"} logdir=${logdir="$pkglocalstatedir/log"} ;; #( *) : - piddir=${piddir="$localstatedir/run/${PKG_NAME}"} + piddir=${piddir="$localstatedir/run/${INIT_PROG}"} if test "$need_pipe" = yes; then - pipedir=${pipedir="$localstatedir/run/${PKG_NAME}"} + pipedir=${pipedir="$localstatedir/run/${INIT_PROG}"} else pipedir="N/A" fi if test $need_log_subdir = yes; then - logdir=${logdir="$localstatedir/log/$PKG_NAME"} + logdir=${logdir="$localstatedir/log/$INIT_PROG"} else logdir=${logdir="$localstatedir/log"} fi @@ -3594,7 +3602,7 @@ elif test $opsys = "bsd"; then fi privatesysconfdir=${privatesysconfdir="$pkgsysconfdir/private"} if test "$need_pls_dir" = yes; then - pkglocalstatedir=${pkglocalstatedir="$localstatedir/lib/$PKG_NAME"} + pkglocalstatedir=${pkglocalstatedir="$localstatedir/lib/$INIT_PROG"} else pkglocalstatedir="N/A" fi @@ -3602,7 +3610,7 @@ elif test $opsys = "bsd"; then localedir=${localedir="/usr/local/share/locale//LC_MESSAGES/nagios-plugins.mo"} fi if test "$need_spl" = yes; then - spooldir=${spooldir="$localstatedir/spool/$PKG_NAME"} + spooldir=${spooldir="$localstatedir/spool/$INIT_PROG"} else spooldir="N/A" fi @@ -3627,14 +3635,14 @@ elif test $opsys = "bsd"; then else cgibindir="N/A" fi - piddir=${piddir="$localstatedir/run/${PKG_NAME}"} + piddir=${piddir="$localstatedir/run/${INIT_PROG}"} if test "$need_pipe" = yes; then - pipedir=${pipedir="$localstatedir/run/${PKG_NAME}"} + pipedir=${pipedir="$localstatedir/run/${INIT_PROG}"} else pipedir="N/A" fi if test $need_log_subdir = yes; then - logdir=${logdir="$localstatedir/log/$PKG_NAME"} + logdir=${logdir="$localstatedir/log/$INIT_PROG"} else logdir=${logdir="$localstatedir/log"} fi @@ -3670,6 +3678,7 @@ eval libexecdir=$libexecdir eval brokersdir=$brokersdir eval pluginsdir=$pluginsdir eval cgibindir=$cgibindir +eval localstatedir=$localstatedir eval pkglocalstatedir=$pkglocalstatedir eval webdir=$webdir eval localedir=$localedir @@ -3687,51 +3696,56 @@ case $init_type in #( else initdir=${initdir="/etc/init.d"} fi - initname=${initname="$PKG_NAME"} + initname=${initname="$INIT_PROG"} initconfdir=${initconfdir="/etc/conf.d"} - initconf=${initconf="$initconfdir/$PKG_NAME"} ;; #( + initconf=${initconf="$initconfdir/$INIT_PROG"} ;; #( systemd) : if test $dist_type = "debian"; then initdir=${initdir="/lib/systemd/system"} else initdir=${initdir="/usr/lib/systemd/system"} fi - initname=${initname="$PKG_NAME.service"} ;; #( + initname=${initname="$INIT_PROG.service"} ;; #( bsd) : - initdir=${initdir="/etc/rc.d"} - initname=${initname="rc.$PKG_NAME"} ;; #( + if test $dist_type = "aix"; then + initdir=${initdir="/sbin/rc.d/init.d"} + initname=${initname="$INIT_PROG"} + else + initdir=${initdir="/etc/rc.d"} + initname=${initname="rc.$INIT_PROG"} + fi ;; #( newbsd) : initdir=${initdir="/etc/rc.d"} - initname=${initname="$PKG_NAME"} ;; #( + initname=${initname="$INIT_PROG"} ;; #( gentoo) : initdir=${initdir="/etc/init.d"} - initname=${initname="$PKG_NAME"} + initname=${initname="$INIT_PROG"} initconfdir=${initconfdir="/etc/init.d"} - initconf=${initconf="$initconfdir/$PKG_NAME"} ;; #( + initconf=${initconf="$initconfdir/$INIT_PROG"} ;; #( openrc) : initdir=${initdir="/etc/init.d"} - initname=${initname="$PKG_NAME"} + initname=${initname="$INIT_PROG"} initconfdir=${initconfdir="/etc/conf.d"} - initconf=${initconf="$initconfdir/$PKG_NAME"} ;; #( + initconf=${initconf="$initconfdir/$INIT_PROG"} ;; #( smf*) : if test $init_type = smf10; then initdir=${initdir="/var/svc/manifest/network/nagios"} else initdir=${initdir="/lib/svc/manifest/network/nagios"} fi - initname=${initname="$PKG_NAME.xml"} + initname=${initname="$INIT_PROG.xml"} initconfdir=unknown initconf=unknown ;; #( upstart) : initdir=${initdir="/etc/init"} - initname=${initname="$PKG_NAME.conf"} + initname=${initname="$INIT_PROG.conf"} initconfdir=${initconfdir="/etc/default"} - initconf=${initconf="$initconfdir/$PKG_NAME"} ;; #( + initconf=${initconf="$initconfdir/$INIT_PROG"} ;; #( launchd) : initdir=${initdir="/Library/LaunchDaemons"} - initname=${initname="org.nagios.$PKG_NAME.plist"} ;; #( + initname=${initname="org.nagios.$INIT_PROG.plist"} ;; #( # initconfdir=${initconfdir="/private/etc"} -# initconf=${initconf="$initconfdir/$PKG_NAME"}, +# initconf=${initconf="$initconfdir/$INIT_PROG"}, *) : @@ -3750,28 +3764,28 @@ case $inetd_type in #( inetdname=${inetdname="inetd.conf"} ;; #( xinetd) : inetddir=${inetddir="/etc/xinetd.d"} - inetdname=${inetdname="$PKG_NAME"} ;; #( + inetdname=${inetdname="$INIT_PROG"} ;; #( systemd) : if test $dist_type = "debian"; then inetddir=${inetddir="/lib/systemd/system"} else inetddir=${inetddir="/usr/lib/systemd/system"} fi - netdname=${inetdname="$PKG_NAME.socket"} ;; #( + netdname=${inetdname="$INIT_PROG.socket"} ;; #( smf*) : if test $init_type = smf10; then inetddir=${inetddir="/var/svc/manifest/network/nagios"} else inetddir=${inetddir="/lib/svc/manifest/network/nagios"} fi - inetdname=${inetdname="$PKG_NAME.xml"} ;; #( + inetdname=${inetdname="$INIT_PROG.xml"} ;; #( # [upstart], # inetddir=${inetddir="/etc/init.d"} -# inetdname=${inetdname="$PKG_NAME"}, +# inetdname=${inetdname="$INIT_PROG"}, launchd) : inetddir=${inetddir="/Library/LaunchDaemons"} - inetdname=${inetdname="org.nagios.$PKG_NAME.plist"} ;; #( + inetdname=${inetdname="org.nagios.$INIT_PROG.plist"} ;; #( *) : inetddir=${inetddir="unknown"} inetdname=${inetdname="unknown"} ;; #( @@ -3829,12 +3843,12 @@ case $init_type in #( src_init=upstart-init fi ;; #( launchd) : - src_init="mac-init.plist" - - * ;; #( + src_init="mac-init.plist" ;; #( *) : src_init="unknown" - ;; + ;; #( + *) : + ;; esac { $as_echo "$as_me:${as_lineno-$LINENO}: result: $src_init" >&5 $as_echo "$src_init" >&6; } @@ -3866,7 +3880,7 @@ $as_echo "$src_inetd" >&6; } -if test "$dist_type" = solaris -a "$dist_ver" != smf11; then +if test "$dist_type" = solaris -a "$dist_ver" = 10; then $as_echo "#define SOLARIS_10 yes" >>confdefs.h fi @@ -7266,7 +7280,7 @@ fi if test x$check_for_ssl = xyes; then # need_dh should only be set for NRPE - need_dh=yes + need_dh=no # ------------------------------- @@ -7290,6 +7304,7 @@ SSL_LIB_DIR= + # gnutls/openssl.h # nss_compat_ossl/nss_compat_ossl.h diff --git a/configure.ac b/configure.ac index f5afa230..74c0dbe5 100644 --- a/configure.ac +++ b/configure.ac @@ -307,7 +307,7 @@ AC_ARG_ENABLE([ssl], dnl Optional SSL library and include paths if test x$check_for_ssl = xyes; then # need_dh should only be set for NRPE - need_dh=yes + need_dh=no AC_NAGIOS_GET_SSL fi diff --git a/include/common.h.in b/include/common.h.in index 38d93c2b..8146bd5c 100644 --- a/include/common.h.in +++ b/include/common.h.in @@ -23,8 +23,14 @@ #include "config.h" +#define SSL_TYPE_@SSL_TYPE@ + #ifdef HAVE_SSL #include <@SSL_INC_PREFIX@@SSL_HDR@> +# ifdef SSL_TYPE_openssl +# include <@SSL_INC_PREFIX@err.h> +# include <@SSL_INC_PREFIX@rand.h> +# endif #endif #define PROGRAM_VERSION "3.0.1" diff --git a/macros/ax_nagios_get_ssl b/macros/ax_nagios_get_ssl index eda150e3..ca323335 100644 --- a/macros/ax_nagios_get_ssl +++ b/macros/ax_nagios_get_ssl @@ -59,6 +59,7 @@ SSL_HDR= SSL_LIB_DIR= AC_SUBST(HAVE_SSL) +AC_SUBST(SSL_TYPE) AC_SUBST(SSL_INC_DIR) AC_SUBST(SSL_HDR) AC_SUBST(SSL_INC_PREFIX) diff --git a/src/acl.c b/src/acl.c index 4b7c6d57..5723cc4a 100644 --- a/src/acl.c +++ b/src/acl.c @@ -78,16 +78,12 @@ int isvalidchar(int c) { switch (c) { case '.': return 4; - break; case '/': return 5; - break; case '-': return 6; - break; case ',': return 7; - break; default: return 0; } diff --git a/src/check_nrpe.c b/src/check_nrpe.c index 9918653e..9142e381 100644 --- a/src/check_nrpe.c +++ b/src/check_nrpe.c @@ -58,7 +58,7 @@ const SSL_METHOD *meth; SSL_CTX *ctx; SSL *ssl; int use_ssl = TRUE; -int ssl_opts = SSL_OP_ALL; +long ssl_opts = SSL_OP_ALL; #else int use_ssl = FALSE; #endif @@ -307,7 +307,6 @@ int process_arguments(int argc, char **argv, int from_config_file) if (from_config_file) { printf("Error: The config file should not have a command (-c) option.\n"); return ERROR; - break; } command_name = strdup(optarg); break; @@ -316,7 +315,6 @@ int process_arguments(int argc, char **argv, int from_config_file) if (from_config_file) { printf("Error: The config file should not have args (-a) arguments.\n"); return ERROR; - break; } argindex = optind; break; @@ -454,7 +452,6 @@ int process_arguments(int argc, char **argv, int from_config_file) default: return ERROR; - break; } } @@ -479,7 +476,7 @@ int process_arguments(int argc, char **argv, int from_config_file) query[sizeof(query) - 1] = '\x0'; } } - + printf("Query: |%s|\n", query); if (!from_config_file && config_file != NULL) { if ((rc = read_config_file(config_file)) != OK) return rc; diff --git a/src/nrpe.c b/src/nrpe.c index 0990d0f2..7e987fdb 100644 --- a/src/nrpe.c +++ b/src/nrpe.c @@ -237,8 +237,8 @@ void init_ssl(void) #ifdef HAVE_SSL DH *dh; char seedfile[FILENAME_MAX]; - int i, c, x; - int ssl_opts = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE, vrfy; + int i, c, x, vrfy; + long ssl_opts = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE; if (use_ssl == FALSE) { if (debug == TRUE) @@ -2167,8 +2167,8 @@ void my_connection_sighandler(int sig) /* drops privileges */ int drop_privileges(char *user, char *group, int full_drop) { - uid_t uid = -1; - gid_t gid = -1; + uid_t uid = (uid_t)-1; + gid_t gid = (gid_t)-1; struct group *grp; struct passwd *pw; @@ -2694,7 +2694,6 @@ int process_arguments(int argc, char **argv) default: return ERROR; - break; } } diff --git a/src/utils.c b/src/utils.c index 42654442..650bd7d1 100644 --- a/src/utils.c +++ b/src/utils.c @@ -31,6 +31,9 @@ #include "../include/common.h" #include "../include/utils.h" +#ifdef HAVE_PATHS_H +#include +#endif #ifndef HAVE_ASPRINTF extern int asprintf(char **ptr, const char *format, ...); From 75aec018e7043afadabe585e34bbe2ff6fcaa79c Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 28 Nov 2016 15:58:10 -0600 Subject: [PATCH 18/61] Updates to Changelog and THANKS files --- Changelog | 1 + THANKS | 1 + 2 files changed, 2 insertions(+) diff --git a/Changelog b/Changelog index 5f8a1236..fb2e436a 100644 --- a/Changelog +++ b/Changelog @@ -16,6 +16,7 @@ FIXES - check_nrpe ignores -a option when -f option is specified (John Frickson) - Added missing LICENSE file (John Frickson) - Off-by-one BO in my_system() (John Frickson) +- Got rid of some compiler warnings (Stefan Krüger / John Frickson) 3.0.1 - 2016-09-08 diff --git a/THANKS b/THANKS index fd815b68..95278f8c 100644 --- a/THANKS +++ b/THANKS @@ -40,6 +40,7 @@ Ryan McGarry Ryan Ordway Sean Finney Spenser Reinhardt +Stefan Krüger Subhendu Ghosh Thierry Bertaud Ton Voon From bbbeabfb5e1574437818a9f2dd2a7a655cc00241 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Tue, 29 Nov 2016 13:02:18 -0600 Subject: [PATCH 19/61] Getting "Unrecognized option" if parameters after `-a` contain dashes If the command ended in something like `-a --foo --bar baz`, getopt_long would complain about `--bar` but check_nrpe would pass along all the arguments anyway. The check for `-a` swallowed the `--foo`, but the `--bar` confused it because the loop check after the call to getopt_long for `if (argindex > 0)` instead of before. --- src/check_nrpe.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/check_nrpe.c b/src/check_nrpe.c index 9142e381..f3325119 100644 --- a/src/check_nrpe.c +++ b/src/check_nrpe.c @@ -225,12 +225,14 @@ int process_arguments(int argc, char **argv, int from_config_file) snprintf(optchars, MAX_INPUT_BUFFER, "H:f:b:c:a:t:p:S:L:C:K:A:d:s:P:246hlnuV"); while (1) { + if (argindex > 0) + break; #ifdef HAVE_GETOPT_LONG c = getopt_long(argc, argv, optchars, long_options, &option_index); #else c = getopt(argc, argv, optchars); #endif - if (c == -1 || c == EOF || argindex > 0) + if (c == -1 || c == EOF) break; /* process all arguments */ @@ -476,7 +478,6 @@ int process_arguments(int argc, char **argv, int from_config_file) query[sizeof(query) - 1] = '\x0'; } } - printf("Query: |%s|\n", query); if (!from_config_file && config_file != NULL) { if ((rc = read_config_file(config_file)) != OK) return rc; From 4a88099e4311c13e50a9be24b8aa67837f4e22e8 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Tue, 29 Nov 2016 16:15:17 -0600 Subject: [PATCH 20/61] Compiler Warnings using Oracle Developer Studio on Solaris More fixes for issue #75 --- src/acl.c | 1 + src/check_nrpe.c | 2 +- src/nrpe.c | 9 ++++----- src/utils.c | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/src/acl.c b/src/acl.c index 5723cc4a..f4ac2b68 100644 --- a/src/acl.c +++ b/src/acl.c @@ -29,6 +29,7 @@ */ #include "../include/config.h" +#include "../include/common.h" #include #include diff --git a/src/check_nrpe.c b/src/check_nrpe.c index f3325119..4012a8c5 100644 --- a/src/check_nrpe.c +++ b/src/check_nrpe.c @@ -58,7 +58,7 @@ const SSL_METHOD *meth; SSL_CTX *ctx; SSL *ssl; int use_ssl = TRUE; -long ssl_opts = SSL_OP_ALL; +unsigned long ssl_opts = SSL_OP_ALL; #else int use_ssl = FALSE; #endif diff --git a/src/nrpe.c b/src/nrpe.c index 7e987fdb..4cc17897 100644 --- a/src/nrpe.c +++ b/src/nrpe.c @@ -235,10 +235,10 @@ int init(void) void init_ssl(void) { #ifdef HAVE_SSL - DH *dh; - char seedfile[FILENAME_MAX]; - int i, c, x, vrfy; - long ssl_opts = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE; + DH *dh; + char seedfile[FILENAME_MAX]; + int i, c, x, vrfy; + unsigned long ssl_opts = SSL_OP_ALL | SSL_OP_SINGLE_DH_USE; if (use_ssl == FALSE) { if (debug == TRUE) @@ -2396,7 +2396,6 @@ void sighandler(int sig) void child_sighandler(int sig) { exit(0); /* terminate */ - return; /* so the compiler doesn't complain... */ } /* tests whether or not a client request is valid */ diff --git a/src/utils.c b/src/utils.c index 650bd7d1..fb56c54f 100644 --- a/src/utils.c +++ b/src/utils.c @@ -245,7 +245,7 @@ void add_listen_addr(struct addrinfo **listen_addrs, int address_family, char *a int clean_environ(const char *keep_env_vars, const char *nrpe_user) { -#ifdef HAVE_PATHS_H +#if defined(HAVE_PATHS_H) && defined(_PATH_STDPATH) static char *path = _PATH_STDPATH; #else static char *path = "/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"; From 461b3bf8aa02f7e9c197a0dfafb361d97dabff4a Mon Sep 17 00:00:00 2001 From: Bas Couwenberg Date: Sun, 4 Dec 2016 19:01:13 +0100 Subject: [PATCH 21/61] Add SOURCE_DATE_EPOCH specification support for reproducible builds. Patch by Chris Lamb via https://bugs.debian.org/834857 --- update-version | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/update-version b/update-version index aa936961..fe4d9670 100755 --- a/update-version +++ b/update-version @@ -20,11 +20,11 @@ fi # Get date (two formats) if [ -n "$2" ]; then - LONGDATE=`date -d "$2" "+%B %d, %Y"` - SHORTDATE=`date -d "$2" "+%m-%d-%Y"` + LONGDATE=$(LC_ALL=C date -u -d "$2" "+%B %d, %Y") + SHORTDATE=$(date -u -d "$2" "+%m-%d-%Y") else - LONGDATE=`date "+%B %d, %Y"` - SHORTDATE=`date "+%m-%d-%Y"` + LONGDATE=$(LC_ALL=C date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" "+%B %d, %Y") + SHORTDATE=$(date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" "+%m-%d-%Y") fi # Current version number From 2c095ab0c7ddd4c07aaf0e7be2729d5be022f38e Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 5 Dec 2016 11:27:49 -0600 Subject: [PATCH 22/61] Turned off the need_dh flag for testing and forgot to turn it back on --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 74c0dbe5..f5afa230 100644 --- a/configure.ac +++ b/configure.ac @@ -307,7 +307,7 @@ AC_ARG_ENABLE([ssl], dnl Optional SSL library and include paths if test x$check_for_ssl = xyes; then # need_dh should only be set for NRPE - need_dh=no + need_dh=yes AC_NAGIOS_GET_SSL fi From 0fa610a9e21662ffc6359fb38bb748884838734f Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 5 Dec 2016 13:53:44 -0600 Subject: [PATCH 23/61] Updates to Changelog and THANKS files --- Changelog | 1 + THANKS | 1 + 2 files changed, 2 insertions(+) diff --git a/Changelog b/Changelog index fb2e436a..13cb271d 100644 --- a/Changelog +++ b/Changelog @@ -17,6 +17,7 @@ FIXES - Added missing LICENSE file (John Frickson) - Off-by-one BO in my_system() (John Frickson) - Got rid of some compiler warnings (Stefan Krüger / John Frickson) +- Add SOURCE_DATE_EPOCH specification support for reproducible builds. (Bas Couwenberg) 3.0.1 - 2016-09-08 diff --git a/THANKS b/THANKS index 95278f8c..f60864de 100644 --- a/THANKS +++ b/THANKS @@ -4,6 +4,7 @@ Andrew Boyce-Lewis Andrew Ryder Andrew Widdersheim Bartosz Woronicz +Bas Couwenberg Bill Mitchell Bjoern Beutel Brian Seklecki From aec3eee982ef2ae19ad60f01466771d60908ced4 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 5 Dec 2016 13:59:28 -0600 Subject: [PATCH 24/61] nrpe 3.0.1 allows TLSv1 and TLSv1.1 when I configure for TLSv1.2+ Fix for issue #77 --- Changelog | 1 + src/check_nrpe.c | 19 ++++++++++++++++--- src/nrpe.c | 19 ++++++++++++++++--- 3 files changed, 33 insertions(+), 6 deletions(-) diff --git a/Changelog b/Changelog index 13cb271d..cc47915d 100644 --- a/Changelog +++ b/Changelog @@ -18,6 +18,7 @@ FIXES - Off-by-one BO in my_system() (John Frickson) - Got rid of some compiler warnings (Stefan Krüger / John Frickson) - Add SOURCE_DATE_EPOCH specification support for reproducible builds. (Bas Couwenberg) +- nrpe 3.0.1 allows TLSv1 and TLSv1.1 when I configure for TLSv1.2+ (John Frickson) 3.0.1 - 2016-09-08 diff --git a/src/check_nrpe.c b/src/check_nrpe.c index 4012a8c5..5b512349 100644 --- a/src/check_nrpe.c +++ b/src/check_nrpe.c @@ -809,10 +809,23 @@ void setup_ssl() exit(STATE_CRITICAL); } - if (sslprm.ssl_min_ver >= SSLv3) { - ssl_opts |= SSL_OP_NO_SSLv2; - if (sslprm.ssl_min_ver >= TLSv1) + switch(sslprm.ssl_min_ver) { + case SSLv2: + case SSLv2_plus: + break; + case TLSv1_2: + case TLSv1_2_plus: + ssl_opts |= SSL_OP_NO_TLSv1_1; + case TLSv1_1: + case TLSv1_1_plus: + ssl_opts |= SSL_OP_NO_TLSv1; + case TLSv1: + case TLSv1_plus: ssl_opts |= SSL_OP_NO_SSLv3; + case SSLv3: + case SSLv3_plus: + ssl_opts |= SSL_OP_NO_SSLv2; + break; } SSL_CTX_set_options(ctx, ssl_opts); diff --git a/src/nrpe.c b/src/nrpe.c index 4cc17897..e62d1f07 100644 --- a/src/nrpe.c +++ b/src/nrpe.c @@ -304,10 +304,23 @@ void init_ssl(void) exit(STATE_CRITICAL); } - if (sslprm.ssl_min_ver >= SSLv3) { - ssl_opts |= SSL_OP_NO_SSLv2; - if (sslprm.ssl_min_ver >= TLSv1) + switch(sslprm.ssl_min_ver) { + case SSLv2: + case SSLv2_plus: + break; + case TLSv1_2: + case TLSv1_2_plus: + ssl_opts |= SSL_OP_NO_TLSv1_1; + case TLSv1_1: + case TLSv1_1_plus: + ssl_opts |= SSL_OP_NO_TLSv1; + case TLSv1: + case TLSv1_plus: ssl_opts |= SSL_OP_NO_SSLv3; + case SSLv3: + case SSLv3_plus: + ssl_opts |= SSL_OP_NO_SSLv2; + break; } SSL_CTX_set_options(ctx, ssl_opts); From 08425ff922b71a108da8bd457a9c63c3a20c04c6 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 5 Dec 2016 14:18:38 -0600 Subject: [PATCH 25/61] "Remote %s accepted a Version %s Packet", please add to debug Partial fix for issue #72 I would really rather not add another command-line flag at this point, so instead I changed a little what gets logged. If check_nrpe is v3.x, it will NOT log any messages if the remote accepts a version 3 packet. If the `-2` switch (only use version 2 packet) was set, it will NOT log any messages. It will only log a message if it first tried to send a version 3 packet, failed, and sent a version 2 packet which succeeded. It will be logged with logleve `LOG_DEBUG`. It's not quite what the origianal poster wanted, but it should reduce the number of log messages. --- Changelog | 1 + src/check_nrpe.c | 8 ++------ 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/Changelog b/Changelog index cc47915d..89eb8621 100644 --- a/Changelog +++ b/Changelog @@ -19,6 +19,7 @@ FIXES - Got rid of some compiler warnings (Stefan Krüger / John Frickson) - Add SOURCE_DATE_EPOCH specification support for reproducible builds. (Bas Couwenberg) - nrpe 3.0.1 allows TLSv1 and TLSv1.1 when I configure for TLSv1.2+ (John Frickson) +- "Remote %s accepted a Version %s Packet", please add to debug (John Frickson) 3.0.1 - 2016-09-08 diff --git a/src/check_nrpe.c b/src/check_nrpe.c index 5b512349..e9df2b37 100644 --- a/src/check_nrpe.c +++ b/src/check_nrpe.c @@ -169,12 +169,8 @@ int main(int argc, char **argv) result = read_response(); /* Get the response */ } - if (result != -1) { - if (force_v2_packet = 0 && packet_ver == NRPE_PACKET_VERSION_2) - syslog(LOG_INFO, "Remote %s accepted a Version %d Packet", rem_host, packet_ver); - else - syslog(LOG_DEBUG, "Remote %s accepted a Version %d Packet", rem_host, packet_ver); - } + if (result != -1 && force_v2_packet == 0 && packet_ver == NRPE_PACKET_VERSION_2) + syslog(LOG_DEBUG, "Remote %s accepted a Version %d Packet", rem_host, packet_ver); return result; } From e4ae64e3ac8d72f26323aa781adbc84c7256c599 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Tue, 6 Dec 2016 13:10:56 -0600 Subject: [PATCH 26/61] nrpe 3.0.1 segfaults when key and/or cert are broken symlinks Fix for issue #76 This seems to be somewhat platform specific. I was unable to reproduce the problem on an openSUSE VM, but the segfault did happen on a CentOS 5 VM. The `ERR_error_string()` call seemed to be passing back an invalid char pointer whether or not the second parameter was NULL. So I put in a 120 character buffer and printed the error message from there, instead of the returned pointer. --- Changelog | 1 + src/nrpe.c | 7 +++++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 89eb8621..618fbb3f 100644 --- a/Changelog +++ b/Changelog @@ -20,6 +20,7 @@ FIXES - Add SOURCE_DATE_EPOCH specification support for reproducible builds. (Bas Couwenberg) - nrpe 3.0.1 allows TLSv1 and TLSv1.1 when I configure for TLSv1.2+ (John Frickson) - "Remote %s accepted a Version %s Packet", please add to debug (John Frickson) +- nrpe 3.0.1 segfaults when key and/or cert are broken symlinks (John Frickson) 3.0.1 - 2016-09-08 diff --git a/src/nrpe.c b/src/nrpe.c index e62d1f07..b712afe0 100644 --- a/src/nrpe.c +++ b/src/nrpe.c @@ -325,11 +325,14 @@ void init_ssl(void) SSL_CTX_set_options(ctx, ssl_opts); if (sslprm.cert_file != NULL) { + char errstr[120] = { "" }; if (!SSL_CTX_use_certificate_file(ctx, sslprm.cert_file, SSL_FILETYPE_PEM)) { SSL_CTX_free(ctx); - while ((x = ERR_get_error()) != 0) + while ((x = ERR_get_error()) != 0) { + ERR_error_string(x, errstr); syslog(LOG_ERR, "Error: could not use certificate file %s : %s", - sslprm.cert_file, ERR_error_string(x, NULL)); + sslprm.cert_file, errstr); + } exit(STATE_CRITICAL); } if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) { From 684752fd8160740e185889e9f6750a88a4a537af Mon Sep 17 00:00:00 2001 From: Bas Couwenberg Date: Thu, 8 Dec 2016 23:08:40 +0100 Subject: [PATCH 27/61] Add ::1 to allowed_hosts for IPv6 connections. --- sample-config/nrpe.cfg.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sample-config/nrpe.cfg.in b/sample-config/nrpe.cfg.in index 19d213ed..df9ab9e2 100644 --- a/sample-config/nrpe.cfg.in +++ b/sample-config/nrpe.cfg.in @@ -95,7 +95,7 @@ nrpe_group=@nrpe_group@ # # NOTE: This option is ignored if NRPE is running under either inetd or xinetd -allowed_hosts=127.0.0.1 +allowed_hosts=127.0.0.1,::1 From 9c8c52cd924bbc140022bff49c21d5ffce4fddc7 Mon Sep 17 00:00:00 2001 From: Bas Couwenberg Date: Fri, 23 Dec 2016 23:21:50 +0100 Subject: [PATCH 28/61] Fix systemd unit description. --- startup/default-service.in | 2 +- startup/default-socket-svc.in | 2 +- startup/default-socket.in | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/startup/default-service.in b/startup/default-service.in index 4f3a66ec..8e6017ae 100644 --- a/startup/default-service.in +++ b/startup/default-service.in @@ -1,5 +1,5 @@ [Unit] -Description=Nagios Remote Program Executor +Description=Nagios Remote Plugin Executor Documentation=http://www.nagios.org/documentation After=var-run.mount nss-lookup.target network.target local-fs.target time-sync.target Before=getty@tty1.service plymouth-quit.service xdm.service diff --git a/startup/default-socket-svc.in b/startup/default-socket-svc.in index 3a749c5b..7e6acac1 100644 --- a/startup/default-socket-svc.in +++ b/startup/default-socket-svc.in @@ -1,5 +1,5 @@ [Unit] -Description=Nagios Remote Program Executor +Description=Nagios Remote Plugin Executor Documentation=http://www.nagios.org/documentation After=var-run.mount nss-lookup.target network.target local-fs.target time-sync.target diff --git a/startup/default-socket.in b/startup/default-socket.in index 1dd5815d..0921fe88 100644 --- a/startup/default-socket.in +++ b/startup/default-socket.in @@ -1,5 +1,5 @@ [Unit] -Description=Nagios Remote Program Executor +Description=Nagios Remote Plugin Executor Documentation=http://www.nagios.org/documentation Before=nrpe.service Conflicts=nrpe.service From 0a9eca0f5f5e6daa35edf531f7a9853a286485a9 Mon Sep 17 00:00:00 2001 From: Bas Couwenberg Date: Sat, 24 Dec 2016 10:51:39 +0100 Subject: [PATCH 29/61] Add reload command to systemd service file. --- startup/default-service.in | 1 + 1 file changed, 1 insertion(+) diff --git a/startup/default-service.in b/startup/default-service.in index 4f3a66ec..1f3a0176 100644 --- a/startup/default-service.in +++ b/startup/default-service.in @@ -15,6 +15,7 @@ PIDFile=@piddir@/nrpe.pid RuntimeDirectory=nrpe RuntimeDirectoryMode=0755 ExecStart=@sbindir@/nrpe -c @pkgsysconfdir@/nrpe.cfg -f +ExecReload=/bin/kill -HUP $MAINPID ExecStopPost=/bin/rm -f @piddir@/nrpe.pid TimeoutStopSec=60 User=@nrpe_user@ From fec37d685d4c6d4e0cb3b45ba3e774b77e152f93 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Wed, 4 Jan 2017 13:57:30 -0600 Subject: [PATCH 30/61] Fixed a couple of typos in docs/NRPE.* files (Ludmil Meltchev) --- Changelog | 1 + docs/NRPE.odt | Bin 137452 -> 137731 bytes docs/NRPE.pdf | Bin 211290 -> 211256 bytes 3 files changed, 1 insertion(+) diff --git a/Changelog b/Changelog index 618fbb3f..9ca82f2d 100644 --- a/Changelog +++ b/Changelog @@ -21,6 +21,7 @@ FIXES - nrpe 3.0.1 allows TLSv1 and TLSv1.1 when I configure for TLSv1.2+ (John Frickson) - "Remote %s accepted a Version %s Packet", please add to debug (John Frickson) - nrpe 3.0.1 segfaults when key and/or cert are broken symlinks (John Frickson) +- Fixed a couple of typos in docs/NRPE.* files (Ludmil Meltchev) 3.0.1 - 2016-09-08 diff --git a/docs/NRPE.odt b/docs/NRPE.odt index 7cefad23b4129f4da88d9bcdafa81522dfccccd5..db9ca05e50cfd636829a33ddd4763cbf8c4a67ee 100644 GIT binary patch delta 28347 zcmZs>19T=`vo;(|Y}=eT6Wew&nb@|Cj*W>Xww;M>n-iN8+xYT4?>T3E|M#DJt-kxJ ztEzT&uU)%$@7jI(8#=Ha8c|UO{0lk=2s8)?dltEL9HJD;Kj)^F0;3L85RiWk?Bpy| zFub@xazIv5_PZD;C@35p96CBWE-o$^85u1t?YD2=czAf^5kZtNpp4(5EZgNBVGhOW;i2m z6bnHB8(9D+r9aQtST6FP93*i(lnH#)F~W@DVyv;Uym1n2DdOMKrP(v(dD0d6{A2}V z6$DxQ6-9$prDK&vqJBt*YsiObDaC&mO;nRi(2&kHRLM5e2(dAbu(JqtwhMExiuQEP zvNlL)1;qm@t+jLQ3=5phikvN~?e!~N%xfGB8a%Cw{9G&joLl^y+Cx1$BYgt{10y3N z<6~n}LjuyG!xIt`($mv(!vYH9q6#z8DznnNqWo%phIb@Jw57z>rNlR9Bz5Gb6&4m& z6%~|~mDQ9Mw-)Es)zvlE)wZ>@^~MGFCx#EEL=OQO@grFY6Ga)5Ww`?_jRRes6HT?# z)x~qaOXr$uW?So*+Z(2OI;ML&*ZMoVySqn6N9QNT)<*i5CPwGx=GOnrudJ+W4R!B~ z5AIG3@6S#gE==z)E$pwZ9Q~R7yS#9^zH+v;w!6D~zPojDa&oo5d;Ry|=Ir$L_V(%S z_Wd1r2LS>3`1r`itJeVmL8g-u75eVJa+VRDfIp<#{lE{gM>jG`up}i0ifXMWUD(E_ zZ|bQkw(~_Bd9Q#5nLiQ)v46kz>nJ3h3-~%EdTvG$Z6*~C6{kasy{C0ZgK?Azf{|6# z2g^qKdfV!1=JI+%;VNJ8%e|`?zo)J5+(kLG-h=KKKrKz1K!eHzqzy$fa;%t2tB%+~NHL2xzOho6M&Gn~VR4k~qd-5##Pa@czUZ1}b^`-LJ}L(I>~q<0XeP{*Wn;dCIi~ zLk1?v=%%AO-QB2oCM_pTbI_p5~?qhH01=8@yYU4Lisop@+uI~o!9rZQ% zjB&z>b_U}HFxCbZ7~ZMhLp%*MCc-0(=){ofnRtbXrsWzN3&*1VK7TuL)se>y@I1q& zq8M(Fm6dOpt-WV=ddg5Q`*v|4mQ}3LM2#3y`*f{b0DOy9$Xvh4c>p&WE*#k3-!BXf zF5FMr>yF0QdoK$sKe=#u>c+M#?`ZKfq>WffPdB7qvt*>V6DvO(pAvu^5!blq7l){# z_ECB^@<$om0VUJ_66J@&1SZ}MjSafnY}9^x!Sg<#_7=HV)ls`!t=D!xyZSz1rA|%$ zvAuw$2ekO`GBMb;Z!u;)WX4vxyieDo5?8>ax)djX2nvRwV6ZTKC0j~n@=l4(|pO^b&`K+$X)8eW>i~HE<%gp9m^mxyl;&;Et`B)kR1Rhu???*m=S9?R7NAM@b*t0x~$5*_t9`O=wxOGJYj9DKORnf?3#7G&zAPSPzl@|iw9rj-!;tP zRewOQx@C1a-rqk=dOyrwc-!q3$HMQP7QZ4bPCmtE-`G|7>}pxD&Rx^bU&aFMAxVr? zm3)`wEgwB1R02s)Sd$xW=l2&I4}KmOw_P3|(~F&5jjo$xu^;UpI|_;KyTFs1Kx#75 z+ww<+|HqQR>FdH9)yMotPxUG9tBS-4hih5#CcyacjUtdJ-vixJ@tgy{)7%~a-R<++ z)@LM>Pm03AHl6pX{x4DL8kS1c^)dgR+M%S6pS!2=f!(}j#q+oRux zUg)mGQOHg(DKdw4E>RcTE>S!~>i#bFpb&hbu-k`7Fb7n>+v`CSJr5Yc)6*dj*N0{6+KDRtna-E_aBtR13!}O{wcSRbEW$0t4JLM zTbl0A)_ELFO}~2CNG{+EAzk>O7B#zZ^xNTdb88hnob%byL}}o+bdOy)mFYO|cNe2a zp^HsNjW047|23@t?=fCCFg&;W{hBhWs!ayMoyUJ2!NASxhhLi&MC${7V6`M<1-&&- z%zkfCcw<9UqgXrgh^u4M`*6pQ`Owy0tva9#=dDB^aUX8ZreV-5Vplmh1Ql3mN%CVp zPdkXBgM5{CRjIb{x218tek=kcc{)me`kHM^qZGS~S7c;=eQw7DyAdZlwus_F|?aXwJ#@57PT7rQrND|i%_UyB))4I0; z7h5=;GvdHYmjmdLC$RZGjOkJ!)gVIcJs!$#8Epo=9B6CE+zr_drD^{LPl#f|c^1UN4CFf!nTgqRn8@i6%)&vqvoTXxdt@i8=P! znRs$>ro52P{P|yulg;I2;2gP6-}7ty6Ut)`0jVk3THM5_}JeyR|N{JSkpId z{ZNrI+!cGuPoOz0mcF$0S{UfpgOhzja;u=Q$6A|EihVyZ%`!waPO_WMSP zB>fH2lQ)?<#+61&oz%EDb3OyOB4>BPs)&UVM>WA$5oQkA{!T}cyvLRzI42Ww(j7am zy1Y3<>-fm4de*r*aRs*f3VGYkwoKDuRj)r4+*i_ryUaG=;g-uKtLzX}ijMd;%n6Qb zMoaDqSD|5bC|yGyt@aXS49sgIQ<^@XPy`rk?cgVV_bd*K9mL$~?02$IadXCrXt2v19 z5p`ZNmMzq$uL4Ia;x;+(zqV*yh@LPsIb=!g$C^5MVu!&{i4u9 zR;Gems0fXuC1!b$mfY8CA`UF3-M)+C>p-iog;J)BGuhH4EPZ80JY+^(#9veI67olf zkNqZ5ByCwY7@B&EzrbbAe%bc~dSU6XhRkkCS*(v$WT=bBdHdB4`c z*d-`)3)?Frq?+eq$3SZcr}rw=2k#1&n(}>97(_Cx>@U8c?g&IlLc!(v^2QZGPT^iK zXWmtC0L||3*un#1Gwv;)@WLuLG9@*~%EYZd4-$C8VXFX$&kBU%%n%-of6j5S?h``T z{p?eA*w=VK(sc8C+d4wsbNE~q#*yAgZ$+=}{N{n64y>R^k-4MD40-Le_DugbMbZ^} z1niQ3GPs47B2kbf~~&CexXz94IJ>xkC}!2*h+CE5$$LEvHr9fD+LV zgTnn%Ecsg?L;sHpR&FmrDnZz!RXt4p@kd)FCa7#F|AJX4rgT}}W)sq}60`LuE zOpm2-tD3WrRhHux+%;pCT#<{i-|(CXRTQTCwuRSPm!76`x4jSCeb-FWw^9tJVa?@a z?7hUk(_$Pt#Y4K+^(3K!Q{fpPqvom_!n9h|H{7UCr?7iD1cQ^ZR^#v5MS{b`fWiP~ z2t|(MxlHj2Om{Q=l1@$~2XFeKa+)l{aph}~UkZYYh*#xxZ&-bn5Tj8%d~W%f*Z*i? zL^DWO7?>xDO+h5~w8{%|1;?~Ye=xDM6?*kj?j~fjLRc{~B!|lf^~})FM;{#Zm7B~i zDPXVU4Sp||<{U5E+GRtdoH(LoyZr!o{$_jpC|_fu$z@!YgkNXY672fXn$h`rc>ev{-_Hc}#orze4Q7d5ITAy1 zw`qMA21~#-e*J|imE+%w`K7Y1l;b;2wq}$bA%3EQqhjW@X*l~9yzYc`nD^IOUW}?2 zl&pijWTa%^s6r|kO^lmg%}TsqkCTysv$DAMwn1#tm>kU%dw|e96}z}W3d+}W6`Tk1 z9`W^7A-#-QF7Xd5VGE^?UF&ZS$0IKLNFUR(7!f!VohdZRM%TBH)y)&!Kkm(gg+x{N z+%D0fh}@qwosS^m&owp&!+)=b=6-!ZN#+o8+Z;GLe%1g$q{QS!tAzCf{!?^Qaym1VoT6p~oE`kA;EEA-kf^XYGrNeW5EqjWJ1ZAEdmMmS zmx{*8_ODwwJ6LHfBM3+=7|y9k$%kchaDkSM$OKjw5&p^RVtiIT9g z$c!v3E+Wdp#>6BpF3c&+!NT#61@jV)@4ptw@;^YCk%dH9xP(}kg*e$cM48w)#hYS( zfUf95|97eEKSsh_OkCnDY+@qJLf<%<*hK#^+R*(^D-I2y-#~ej3mQNvz*HKO#~MJ% zfY-h8R-pB5ou^ham|yox|E7&Y29JhsnEfCBL5IezB#w0*Tt?{8UTc(m`bo@|E@GG% zll)-V4tpw!JzTSKvN$}=E*<~-Hi3ogbykiKUo=(HJ0(Hb0%{XtK~YQ z$B)IVD2})h0yGr`&6c24!G+w;h1)->w0>tyz^7Qj>zf{ZM}sU_DIJ8&S}kS@UICGj z&QGg?tLq|d!=?nS5=KVeqyjh*EHEO}>%c<=B)>o-V(%~JroW5K?@K-vOJb=7V4=QCG#gZG&ACT$*zjg8#QRs@4pp}prp>jH&TvM7pzr&7%s}di^8%oX<8E&{U zeUT^C2s*RL<3}&bF!?68c;>M&4!67V+~?qfD8mBvqjqTob+3O5dHXr=V|?CAR$`w@pia%|Fp-(U* zjT>P<4(qKhw)Yi!Qh*-|y_ZY$Wl{|qWa-p$$XTB`%rGG@xyIQW=A@;=LHVav9;sEA zjd66h)Q|QLXI}30hOo!$boM{_$bPo@{CO5%`3!G6Mv1~cK^C!Heu;nv><(4L+-Fu zya}jXWxaCg1Q0eE6Q6|BWYXobEdz@wXA9XY%wT3MahW)Ld{Bxu>wJIh9CmLOapnq? z9}p22w2V^H4MEbxoao5K&=fdH7cx+;%C(D-p#Z9!UYB78Czr;qw+M%ADSsBOI>Aqw zC$s4)kU|rDUt@Oi8`4A}cv-gc)e6%HMAaR;Qhu9WyL%;P*WgPnHG?K}?F7>#bUvYx zE<<$c#tBJD>h6_sXUhJ>Dw=LA>c_?Ix5fA`p_CyhvM-p0`fft%sF)A3l;bhKFl6En zodKf7vz9uN@?AVPeq@OE^;}6LE?7`w6qRvOO7ycC5+0La1j?3~(mj=*uk`o-DEElOU6)4`^GGU>{`s`(ZhnqR20 z#LdIwtAb`;#0LDzN%RAD1lhyiv*stl-xzNg5V*t1dB1eUJ>w(W;dx#UCFZR6(^ajo z$M#1WtPYw;92rI6)%*6SVSVbP7Q_No!fKOC)dq zdACUIp%x#vXoJR|Z=Os>TUP^Pa7LuISh9HQQ~6}V(TCI&+zu)Q2B48VfkW@77A=^Q zd~^-}p1}2>9M^a9vx;F`$;1b8+0(dZAHM%swn}Z?O7?egPB}E+J5`|RHSmYn60X6^+@0sGE6&tdL8-nGZF|Lh&ur;$w*~+S!O60aFCTG(}XZA%r zpyaq1p!KF4aL)4CjkYKvNE>(JLytgnd7Lx}y5u*#YA8Yt<)J1HoG<$ioE7clv!8Es zqPt_({I6~W=Nqur3>UjJJoOa5u;2lk?0#2+$ti{+C$uSsK;S4w(IZ`E+pn+Z9!`AE z=BRc?8IIT5)c*nUs-uI1Zx~$grTlLSphm{-pyt|NwRx<8yV-bg8;SGbn zhGX3aViKS?iTFndRk_vl48MtVI&k#jPNmJiStH7YDB!2TpNJ$##CUm~JM#lMc+k~U zo+*v7gxVMJz){ciGwe*D5N*WKHeExr<}FhO(t%pXj7yBx!&>Qs@|x!jB>T-dQVpUzGv>cO`d3F?@c~&yH9FfOTCCxi- z`JVfzp{Oq4U(XerDSPD7DjrIGs(&X1dEyA=Ucd_gV4((Tun5G4)nXldc|y<`OF5@b zGR3@$fA+Lf#u=qGpH81A@5~4mosI?O0;{lD5Vro(o}eoVyL|t-v(IAdu30e*((%FN z)KL7ed45rDcd<;;v+JnWto?@Y?t>HgooKt9ny@Rq+Cpu91nnoLog=joKRXkoAUBbm z_TO|K;KKk*EaQy#DzoRosU`-}Xy7^jQG24cSmN*x&f~2ug$g{u_X}qBSkl~aBaA3( z!ZY*~{Axdy8@R0B%+td?j$S$8;Rx~95P@F=A3bqyvd{S|g!Hox*B1|gj)nIgsO3U_ z{;RFPo_SrECO6uIkmcxCOwZgSU~s9eq_K#H6mt!+v$_t&nys2sHRE(PS!t*G9Mu}0A0F%r!L zAP{eA5L3y_vP@d)bI|XZ{3EA+;3gtdV#?8PZaC6v%Z5C|L8~1{P3ncuIR?I|KQ&WZ z4zFuGN%QbipU=+SjJu-hJt7m-H)PE&g<(F8+Cpl#hc^FeSa4T~FIpm2Xm|TlS`yrK z;ENvmlx9Aqe!*QSzG$jX>53M}znT}^wcv{`{uD<(mE(fD8hp`apVHq?X-#m~gD?8< zQ(7+1`>iHpP#x2`VWjBx-deKCGOgB?OH94yg^ufWPD^&(Ex0Gd7YBuf+M-#goOS17 zh&I3Dnz)kwt(J3gRxSRty!B?T{!p4L>+DDQWmeYWVwnGfA+X=gHrzAgLd;egUWkva zJ`V=ap-QSKaFcxbg|tGj+#wMzf7ca z{NQ)`v0``8{`)$$Zq^t4C^~5>BZC$}j>}qTN&v zCBD3?Uv+&fAw%M;+ziec(}dg@9AMHXOM>&FW7i-@x8I-p2GPICym7axA671aQACRU zhir+lpJ$K)(xnf3?kavEqC=3rjv{4*%=7DrAcXLI@bBy$dbAAYU22pY{-OQuF%C3e2^U#n|K|YMwO1{V)R%{511;!pDVS^X= z{aCfx{t2qZU%C6hNE8y|I8y_Vu+}UNUC$b0daKbObX-}uwW(30l5O9GO=RYxTzB$_ zidiz((M5050Q3tGJi^zj2;f+zLshzQ@@eW$-N`mR2ISalDa1lrd7r+FD0oDUW5D+v ziX-ZyPUYz&mUQatkrj6SQgP#>my&p0d;#@XQXV?gXcOBT0_Xlq{OWZcu1%9(kQ>NQ1r-YSPaWNTPoVa$l}%8>G=Ch7 zhgO%5!tz~hilr5EhNrn|4V2#>o@Cot3bp|LCJmkW8EH5P#_$&RZbnr{o@4-8ZKD;_ zPP%8oUjZXm<9Kgum%OPF#y;{W6bgM3b6xG2qOgVP=Tvv8ihe0OcEe~bn{<79tJn~Z zd|4IpsRxCg8nSYnAMn#j3TTO9(-$PYiGd9I!TO*;AI0nh16#tp3+i7MF+V4TrAGOg z`z6iCjBN98nHiVjBg{ofl_~U9*lBHdc{z>SHd%7N@|6Er5*RPUrWK6cw|Lou$Q8`Q z|Jp7=W?44)>K6ZNuE%@78eQ{`lFZMMn1Dn`LB9w|y~Lw%2_SI+vsmbS}u^SLXpSPdZ9%-G}=gc8|(pFx+O9L010 zF;{ldY6ssg7Cd~aiZGPqthZ2rrJ2Q{%4ekwnN0p$QYuDmaewODdgm@!hA>yM2}X6w`>?<`mB9G=lS1EB=)*=f6pP!d(M6N-I);vYM%~XM-Jd4Q zA!#u18Sus^0VICK96G1~d05+3ylzwW`};}gWUS%D2#`^%{*@~2`~;Vd5*tbsgNLm^z_By`7ZUy2BYVZN*x9Und{tp%%UW)TMC}zM zZM&W3OQ7pvzzHjVq!+@9D;>T_WGZ3EiB2JOnAb~-9l4^oW1Yq@XX@SIi1}#aT^d8& zFLC7V3sVenuc;{{t6TE7DYuge@(qetdg7e>UNBOG_+-AP3?aykguQNFy+fpTBAyLz zem6RD|FkDfr4%qN0=L@%JO=Tb0rPo0q>d+NQFStk(Z|x!>&Z~>z@14wV%cG(Y00Sf zxQG&pgRc=LRp*TjKX-y0n4L+}?_ysS|BkZ8Qbg_-rB^%(D9S)V!+M^6u|NX>i7NmB z`Tv%Cl3_+b2>~6q6;5QIO})52FKJ@yct=!EzrTVgjm4OW>_(W5YCw0w$4wS-s@1P)`rVEttZk!t^=$FXlOs%7SpP;ZMn^slNz=h zJ=8R?6Ija^7A)^ ztH)YA#jAwfhFCP#uQ`5!8Mo(qkp)*H1@dF}+D4P*GbccQ|Oz#y5w| zGLtP)`Uo?t`UK*sUZIb*0sfO)zq@eby-<^&3G99$=&HVD zEA_1UxlS!#hx!-G9es7S)Wn0&K|yx9uzS#EAkz>&M@;WIF=q&s!>yu$H^u5 zcYs=fv2r>1JF`gevzz5<*tb-iuk$bv-FiuKGgJ-DwBE%z@#H(>C4{r)V$hx5r-@tJ2zh9u#Pbe8CPNl|{ktYXIqof2j$Q>iGBB+y8n z3Zv~YT91ZDsb|5PGYt0#SFFov&b4R~PUsIS<)y^c+IlSnhaS-0J;ceJ&H!yts_xrO zn4;mF0=XL31d%P%R;tpO?wa^_W7}H1cV?*d_RddEXwB}S&^w7zF&Mp{9hU|)T_8nZ`o`%zs~XbAhiFq)q5uBurE0XP(6#lz}1KER#q$#)Aj z%SEg^%}KfZ?B~ZT<1N~u*7%2PAKjV8keYJ3C*J*{sf;E1O6dn?|KU={t<{EFEoHJg~{UjzvVCTcnN zzd>I!dv^BStzS zeR^)DWR<3b>?RdxAyJJ`?40ww=ji?({Dh&WrD$~SF3M+{Jc1l!3kG0pf5i=`39eJf zQ_nnB_|roCW_eMjcsFYLd-bObFPo~PoUiaBA}maGm!BoG!-^}_*Hi|IVn)2~Rz@i8 z7i8Ae3(!Wt&tVI}{$d-(sTPfxENdgb8aA|tQ5z6kYx!P?axdtZSkMfB7*LmjDLy}- zFgUV`uj#>1T~ssLeQtvND_W31*f zrnm3qEqbF?hLCMT7juio5eY@9LdorVu_!X0F~+QD&?IY(mv8N+5U_0P^EeF%sL{^W zF(=G`(w|)ZQW-(~DP|;XNIig8l#EfwAam*wAongR#+TTb`zpT)_Tv;9Wxl7bZ&Nnl zUcazXPctFY-b?wmg!Jk_)F=zy407`VH=%IR);JlARI~1O)Z#|8Gvw zodU%LreZUQ@dqy6XrtE4!A6_G9o7m$i$ZNy3g!x$V8AOx%Jq>K&j7tw|ID+=+;FVT zhZ}dK>Fe!6n>;fMFOypm@vl*2r7bAZi=mG%S4Oq5L}hM;9-hkD$_9_q(r58MxG_D- z&;Neo?hjm;uhG5xUiagE-ocW)G%#3q&KXe?NK6+0s~7sXqb&i7J;Y3KGrxpOEDW7e z42t2s+uFmn^vfNq#(Vv&W#GzRSt zP&98-LlpOTUiiTDOC+kuQV)I|G|x8S5tc@-p-_e0e;uGQthv!#STuUKQ1c!5xdES?U8@FdQzKM|>bjEU)X}8P+4CHILovsZBr3>)@w^yWPzZTM)wZxpVY6D=^ z8rn!_e9`F3=}#C8;tvgyX4HR|k|Tw`?$EDE;hExWB)qtkykW#(?Hg}0pU-X7K%=4u zmVK%2#I-*`s(k-^g@A&_pMNb{0R;is1pj}#|DU}j5RfLD8BjLR|LnbN%z_dp56*(3 z|BuM}AA~sv%Jn}Saq=c67<@7?2MYZkE^-c3yRBgQEVA z$+!QYpm|XC|Deu!Pzs8B1hy1D@ucI3-_I(f9|L<&M0KO{ zXT8*qw$gxK^lB{kj~@b%tQ)-T4HL&01v{CNaaKI$5CJY2SZ(NUo-~!veAXB2^cd}s zg$YyoY*}c>iABSban9czlAu=tq*-NJ2}Ku}=K`ijF78Hp{w4xCAnxW~P24XF?Vwh? zjG<00Hfe*$r5nZ2dT3mXO^Obde{)08XFBaT^F8VMs`F}*y6-89E4Ssyctf`>>{iT# zJo0Pa;m>qWtC%i-or5U6)M?{#JBw>Y)$*-fx=v{;a*fyNXHKiY4Jx<{7+4}^HJbf> z-;>3Ifo+={*xdw%hKQ-eezY3s{#+v2_Q4MsbGx{JCj2T7J&+dUAuFkisvNZ6L?RkH z0wqH8W%o)0`#0TLmQ({xTglq+)p6Vs;D1 z;u5+d!cHW_RgC;Ngsmq$Jh<+qH*ak}8cL%te-82g_Tx=Hy#!i<*7j!fXriXpaG#NJG3G&0?!e$fnpX3q(FGsKZOs;QG|8H_7SN#Dc z0G8udB^#I8y1-QCSV-j1vFyzzN^HMd;f(x{fmJO%j3Gc2LzRp-_XmLjDUUe&ZS=k^ zzI5T+jPzddgqocI_j5^-yg96OXGu-x3u>yzFJ7%I-lt-~L%Vs94?%e7AxkG^;yzf2 zZ>)*H?*4RVZoPc)Xh*N=V=nvk@BHthB;ZV|9O5o7WZw(rb1?s^dyoZJY$@WP-p1n`qYq6Y^?mp$@X^c)3nWVPlZX$5U`8s zg{QC-u}ZJzKc>0-BeE483Qo&(&U&N~4mYmsrmyihv3Lt1Z6~ttvy@yAnZj0 z#!TdsCRz0QLixm}H=oB{VbCY_JEd$d<5|LZ*|#RvyWKW87ZEI?=b62zvw ze=vwN?h3csKZdPNj&j{Y_eVqp*at<U4W2n7thNBAmPZFJG%4VjLx+$A)!uc>&MkR_lOw$Ju^Kav}f)?=0b zF$%gLwiGiQH`d}Tb!2WPGdu4Sk#>I9z~T_`R{g<0qE?#nK@CmGCY^2NhvzTsJcuAJnjdZ{e;OWxT3R~mQh{6>VzGu)Ghs=@nmh}Pj5z_r)D$*mt=bJy;%lIn^v z+_l@k!4)|Ykw5IN#a;QmyiY;8r^BfcLSJtcuMw=R)S(j&u9G1;zC8)j=fKs}ohY)dkrR%IR&* z0?2y2e;zjXN5p{&ovda;sjG`(fK^;*9L#?=W+^kqGg;OzMz|z|Njo|-CE}Ut9BdAg zAsSd(Kv{oj1W?xbvGXJ*wlPJU8j#mF@$zWtM&7##r|D(ln@SP8w@N^M!VuVk`!#$D zm-8Ul&a2L4pxs9)AeSR&SbkT`pxEj8zIJdR?Q$+4BEe z>ccw_!2XDX2WSo|>p)l7x=n9@f!gJR_Pkf5!y+#MnT;m4{(em}e)@o^2nICe!4I3k zRdYdmP9HkCM5yEOgPFQWn43+v0GS41_oi9dRO3MK9T)4O8c1AsuClajd7cg%?0>>> z7G+)3ul66?h6vWr_-&;`bj}efdPSDft$em7D~D7Y+1QjqlNTK#;VUb*`8Vop5)(_a z9{9&Jt#j^VZbl#OOM5irm!bLF%x(SIRm0zr?6}DIDsygwZ!rtY|G8*pHlNV?p+A`E zI{(JVatnno(y_w(Qt_|j2!XIyU?ps*A&g@hE zP2&4^Q8a{8eECf){ZPcVIh)@+GY8E}TxIk#M2IU|?xLSpnUh7oEy}Qv;^{SeVjD^L zc~dHz*(gelY7N9a<5vJKLnau|NN^$Sfo)$k!5jT*a=zRjODbz`!y)J0GY6$X`DRp4 zYD=b#8o9qN(G#KD?`0fg*0(2S=bhF3vM$*%zmdfkCbzzx&E{-bU{4UsejqHGdUk(d zi9%h3lnMg-YLc?m2)%W-w+1zHZw8XZJ~KW?k=EESyP7@WMG0t9}& zj;ScNSUk6t>Oiw$)#v=jgk2rT_G}&hNc)oLZ6SL!k3@~gG#8)IP+xP4;1H7;jW+Hv zz6|AvEZ|J)%HY0q+SvBi&k^-U20M-`{yI)39FPO&&o{$rBodpSY!?X-XfvltQ8cZY zF{w_=)s?v`4`X?VX|@BgYP*mc#o;lav}Jx=S-lTjZ=#j)$D{oHGcV3<({zpLS`E<% z!F7{@4x*|UXWi0OfyQ_lxx)cDhOmJ*41sIOXSFVI?aeM^E!a!wgJh(`t5f4^i^L{; z3!vcOLL{DY(OIo4eSVd?MkR5+{%}rSLr18anpU_vek(npamM>%UbHwV5Epk!LhjOa$R_vP*pdE|gixU2E?2duH6GF^~ zw|XLx2x_&Gr|P4}XZTEIoiTg?%6SndfO{R)3e$!)r^+O0R2HXB8!9#ZPLKYiq_@T) zGCF^8_LVz-ai;4zn8p$Zz%u2L*Liw)m4Jl8529_OsgrGc1JbU%Bh3imr)fQWiazUE2|!kDLo1sL%uZc<| z_r^lh@o~we2tEPMg{8QKkbM|90Jp0%K}`USsFGdYQBF_@Ash^Ub3P22Sqafw6_SVv z9V$7=zS_2;sY#6AYx`}r4Of0$+2G^OV3qAMS0W3%AT#|;hm2?y;~Ylw#?))keq_6c zAG+be3?Co%6g=_Z(?b)z!x5+cYl=;y8{3ygvxxJ(vGnvZKE01{yzWyV*{F1PC)!j^ zWys}scNElt%4?3nQxy?!+v8c{TlKT{x#J4=igRLKGg#%())t%bg`=m(uCa_!_X5%!6Ji2>=-oeID7#e+!?SAb~0NG!CJyvy-7{~|Nz zWED+KnSyrB`R!4u^?h_8hBC&PBmdknPuERQF7$*5;Y#6@DB*U~+?nyH#+$C>Hek{oM&pSIU3R#idE%{JLSLL1G>*eskX{^(3Z5gW{G!&r92@|Ej*YkLwB0-2M#n2c=_d@%|5i z5=-GdgI=VTTmNslRa~f|i|d9u7l{ni1k30WDkpRqKQ~2R2|?ZxHXmL;ZB4St*yI>x9+Ef zA-ve6sn1q?x&(vIf@h;J?)k9Per9c<_v$jwj(GZ_ zpJi=V!pPnI-A2G$SGPrQkYM`-M_X zemleD63}+s1l!{(#OoDF5t5a=;!%*Z9}tM2iw>s3j6@Qly#4wGYr|H!6;g`3LFyWKf5W33 zsnHWoknc*NJ`K!QD%47+`FQ#8sr$~{AZbXLKnQePDA}jN9MHxG2?*e-K5yoqeoJo^ z<)V>;+$`LiU7$LMyBoRmO4K8uk9Urdik*3&ZsBfyE^spT`Swm|q9&n|?Hp6CU{ChI zgRavGTUbXFoY!8p^XfJ^`LX=;aWCoU`mPX5V|Mt_f8_892&wGe7KN$^VH^@=t^) z!cRzE`fo7G|Bd}g4QvM8Yzpvvd}>$8M*fLV_89>!f9MlR{R8Ln|2Gzme3WDR6-hc1 zuxm(})-S*Lh+#u>YwE8@H>$vlwr9)aj-6siJMR0sQQBRG<6FLGV^!61FK-nyCmg6O z#_WIbOL-_7-F&VLpjN)joIQ5G0=J>T7(nV&qaolb%aJS3E9rHUDK{F#t^cZuZuMyU z)nyGjh`lm`6nXP&WeisGbdj=>_KsKKY+OFZN%Y^?hpc zwld!JoGsQQ@-;WN9R@H6J* z$KRR%n+5)xhC$u`o&juVZCqtT6!BUxQ@{=B?2^@H@cf7(xY8PECin?;M0eRGh?RAr zbhPVBnZ-)CdFOB6WmET|bNT1<>20$5D75B0`aX08I-H_n#%}hW#&r<3qXP3omn;qH z-I5(}WxfOF4(#I7>h$$XP_mkDy-* zM4>!JLQb`fj}*dnp||6<7-eS|h=Kstf9ZO@0I1}|Gl-T zicI_f(vMKuD-;0A30q~2Iur0X#ZzbF>W3yuo9tePk=g?X91kGT z3%a0#1bVkdXN$@2370F7=r0zj4CUX8@%~AR7i2dM?5Vx#z)9D#C^(5I1sDBmOjA%jS%mNFz6C4PJ6U?nkzM$p{G%D2SdJ>I}6-Zs#4=fw`()3vu!bdd7=)o z9JkYMpX+k?(@?q}B8K!-U`?gnYP^1_76->_0nJ9z@TK?(Z&AlzmSp&2fXv+4Rf5uX zgxAH>U%>5r4}#7`0=X66YOKAtJzB6Zt~9Q=M?>4m6T*`fj{?6$WGL{wwUpAePUV;A3=tn~YRqd_V&v z6gSqdnNjV=Pu?Ie2BQ)Tw{g7jx=X%m>;oIgHp^{@L+8en6}!{?L83aXi_Spln&I(O z*zEV0-bl0UH2@?PG;-`05DN_tItCAMs+G;u-hetUiAo)use-Swxt z_Eo@@P^xweXG1!^kF}Kyir-je<$@fYK`xSoIYP_kxQDf)ZI32F$?~a}`KxgQ95gn0 zq)$T--D_ber*-C!urVnYc>=;OX^|{XV`XybDpq|cG9kCM!d)%rgnu$X%vhDNEKza8 zL#=$63R~f#(tEVgvBwMa3(+*h!5M_Ts`dafX=?IrxF~P#b*{v9fhEce=xYyFb}Hr& z=>w)kIa~uq4+x4g2xnATB`z#r%t661Wn=j&U(7*W)rz~&w$O5De4^GiL^&rsBRudf zvJWLa5(X9_Amr>~{M!rzUCbk|+=Z1?NP+Hs-bJe`2nPE)Y}_)TQQ24wf5mts(E-4V z8;`+qKEvs>7E_;&)85DXcpi9Dz{-Prl*2uD7k^Vg%7uHh`A^e{1NW%&pQbSz?$OKt zcv*0dLjK3ggnQKgPqT^v_o(onW)25Lti_uSu;j`reB$>N)A78h(%QL;W%_8B~wTJm^8r6=|q6 zAsp%B=3bJEKSh`SE(}Fk%uf&dPY=F3ztQVY0|j?SMIbg(1>yJ3DIrb^7GU^Q)WPI{}PsYr9di;t!Z}A#z(W z?wD#7Oba9=srvBnm{LGUi5vbs^TpTx)?c!OX{2~!WshSUsq9`aynI(bVeg}ZCY;PZ z$J2HFu@Vo~It>Hb7mu8A{l?wm7aDk(LPF z5d;OYg#PGm>B`a!vBJk(zZLFBM9m$RH8b6&NZ)X*e8GLqi(dc?dXs!*t>egv6uo&p zI%WcEpt_a<8Fk~URCBLwSt5DidBS?~IC_EwRw6@ZypG|+&k7-;4>*XP|A0tlIiF2j zIjx>wU6@553r`FO_5lfYAqHF`RimHCyt%-=Ws681dn~LHl^*fego(pqaq6!RS{a61 z`G&*&I0^4i%j4{8y@S+7lvKuX56+=L9ChkZ|jvg-q@`SNbiX;@3Q3VZYJZx|7O7W{%fD*p$AIfit}`hRRq( zR8DIxou4L05E+7d;jf zIpjXK6pru3ocg_|bu}~mVq;Lau1a7SZXyEJz*DhJKcWdU-koRq03Mr9ELf=U!Az>J zfrIGl;qV;?m2&|Y7syJJ9Kv5S}B zi`h2GZ}`H?T5ck=&&`C}Lv6V^0+5>4b!P7UyLgbxyA8Vg>qEE3uH6~_SHZMZ&$uyE zG^?~D(8HO9_O4>o3XD@)iA=Zr1?v{i)pUyIwM`Qj zj>EWKeR9umX+}(!d@H7m2CQ!}fo&w2@WY-KyzvamIzbDwp-~RDa0&;Iznfqj@>2}|;^jTcOuBIr z#@TX97}8|u&RZ@EU*b4-Uon=Nnk&@Dt#2d-{%md-_j%%4S;bpeqzjzh9s_+dK0PRa zp6ON0sNtlP?34o$;5Kvoxn^arJubbYq{3S8tMT%gpj^%R6^x3z8NoS+B zLACTkc%C@FAIP0e=d`hi?M>(aGpN zg-tmZpZ#g^xF01kecKN;bZfa~c~S3FJo`I8e2klLMC&D+G(0DLNw(x?zbBt|G3g-K zLdlJHan9{-YxUs-dAg2wx{{*awZ%PJFLg3+&@Ji9f7+y2fUiY-Me5>v|9xT*7#>X4 ze^={B!pZ5)x)7(w#NtS;6FuXT?|Qdq#hv;Yju^tjgSXaH5l>PG8|S_@GJPa2A_}+o z_zySh1(FVvCSfk@=l+ZX7MvwOXZU+j(Ukb7Y>oE_!q3sEt{qe4hf+%GAguSN<`Rj;5YreFuT{`rd}#B zmM*M0rh4-ZZJiq=E9q~+l|9@=$~+C4@V9N7X8u#`XwZ?+Wp;L49LU8{<;==$oo+13 z0sdBKx!o;<-(282FHJABi$-hPRk^8i)@GTeMrWdJygj86t-ZP+zfjg*0@bq}40d@n zh}qMVJQsd5)4kz}L^}_j)B^&hQhn@Z`ZS5G0tfu5nNfq|U&;?G2cg}+>+4MvniaZz zrA$diV65kAu{~jO7$I?0XUeZH-(SIj#i{l>K%W}@WWo^0zE?Lm4%IC4gGFt$Fd>U; z8bkC4Nuat?N{X%3J@PZ%CD0f{e^Y1Yf8|IgU~6fC9)DU>nrgjWZE?KK@erp$S~}y@ z%>K^SBREZ1fQ31rA`MXxs$|A;zoj__5jnc{ViKvRfaas=FAagM17b5=?+7Bu1?U;!ln-<$T&zNf(n9q zf6*J-kaLv6CCDyHp_~0>tMfq@j{lPCa2K_-djsy$A5%GjRG;AHRo%7(h3na`C%=pC@`23;OB#K?kWRrB$$bq3 ztZPs@hAQe|YxcAiM$%a{_l;~7Up~HkINxg6B*`PVA?;b%-2eEtOmY4A((i~1spjfk zUI6Tzd8{waHzzl3?M;qc*;%d*`zDrE`FV>@z8BLarVW;%Sb)KVYIL*X!!tJ!&bnB0 ze||aSw%56*@PuCYavpc<(O&oE-znH{W8?Oz3`tw1kWAo3CeJJ{U2CZ71Q# zb>+NjAU*jJzJ{&Z(6pzK!~MndtM#_#ftO#4JYlfg{Km>pV{)1nbLhgiFQBRhl>7(8myhZvd&@1e=?V$@fe2elrYTzfUCNn`&f4A%v zSWV>=bRmTNNzm%~R}M0{;Gd9#otRWq%mkmLJlJvEzpN&`hD7X+UTC~$ZYCd|i$W${ z=>y$#D$ItG#XK2WT*8L)yy`NacU^(gsva_;Bus!t-4wJ+MB-1arolW3l)E>t{n*yk zgtj3;h_@FPc|;#BNeocz%ILrU4u`)LV~buS5rOUPt8)Fg<60ZhBM$6qIFZ&rcj>|4 zs2)LP$EnPR{?UcCFdkTejzne^TjL8meO$}Jy;fAv0v*{*VA=q+qfB#Tq?P4*? z&Rq>OB{I$~w*@>9zz#%5AL{n_FES#M6U29`#GXMo|3Y3;SLfHhm;-OU(v6C=w8&^C zjXLe7;*Z!~v=XM-#&E*>_PxuvjvFqYEt_!z<`Jct zCZ|p4`UFhski1qsqsquM5{)zJKvqZG{=x!okfZ&~?rna=LnJ9y(4yk0j96wmvUx3F zqf$}3Chc*yQS_VSZI@0_58=U-gS+;mS@JOGCVIwyU(F!Kr&+!_M^`3KOPEhh2o)g6x1i?%SlQlHv4(W zWyPt1$uw1`OO2c5!TTOGpJpfhnnJV+qQ^h79g&i&a?n zL{3=GY5~Tufo=s~<~wxk#tMn-eQ+Gs><#cr8A1!sXrkosyt`cI`t)TdM}+~9TA6Bg zDO|?=-HnDoeeNGMQkq2!+lzDJ%9H48R!&C`C|TP-^eudDKE3vSzJx#HsKh8$ZLps7 z(|lQGdwOJw!}!y*4eDr=|JDMc9ERRiGirDksxq0iAmO~TbLRT6g@d$8gPHE#Kfw5G_#IQC3z>xmVcQtE=@f`%-@T(J zXm`hpQw%OOsFv)G%^T@3GBb?!(fX53xe{%J`1w$_7VgiKuh;BRa2RctZh1@2S*|aO z$^hQvFY&h5#Fs*zo%`$HNjm8C{PHF|_Em$1_HU7$a>}gmcai;_={o1Q4~*ir)Kx5SPxjF-B%qX=AO@ba zVVf8~b=q%zan*zDuH_IGIb#jcqfWzPBwH!DgokY2=xODAU>%-=dH8PQw@q5_sD;eV z{zZz^82o{GgB`%V91%MepI7@sNma>{$i^}&hq8t6tR%y{Xww=AEenOCtlVrOTY9(t z3pKxm+ls1iN#6=`Z7)YJW{`&JXhz>@HLRlL+A>KlJ-u1_0z4(Z1;}Q3jKFa^ix!)5 zyN0TKc?Y);!`$jv=sP1)iYdh(e5zP{E8-D!0J)Eeln*#EizXE6Oo8|Ix3a^fxlx8x zFQc1t|IH?HB)WIU0qUOH_Ru zd7@Ivy%n$A>6wXPh)PSyY{~n=FU#Wr8RA!J*YQE)<8SE4Kof;pcME=d%|J{^gSulY zDRDx%g}8LW0shn?;@(*)4S5+MHAsySP%z%8=01>}qj19%guutBDpQsSMQ*mSELG$f zjmk!cVHxbvIT<6ee&Utps3^cgf6He8T6kBUHB0a|s{IM^eh_rPUPu<4h3wwbBpL z9})}RnXl7Itx6fa%kHgi^Z<#lJ*g-w3>2E3XL2X{;=p`%r?DBcHM1%6(k&nx!=8y} zseDf1kLpJFthu{-jyfMRS|+3~$JiZgodDFLJ+Q#MkERRxbh(kU;8ieF$K$yIr^U`O zJ$L9j8J*F$;AKfevCNNuM)paLUi-s$6N~_G#eTj#eGs|Uhs-;) znS5J%3~4@vKP9|XIG8X)&!aZBJr-zgTlK{_Cz?B8ZFRBAN};s&xVfc~)BC{Dp$H(_ z=^NZHlIiVqy@<3@Iy#E?~ z`6L_{sSYkg6Zj?{hLR$TM({x4C$a}nuI-uM>H?f@wu?clOfBk~bS=fb1gm%EgiO;@ zBVzg;e{$IuXLz=P@_#V6F}8Lq>oqgn9AD0BZA|usCB}8?J|}Zo*3CmNqvutZ3KSrkeIN8q_=FY%e=ZS;M|fV0LFq)|*9gju&ASL4XJ1PT2Ln zp(vTE`3U*9ylnL4*?2wexd9v`-y(9(YYp|_%1W^%iEh|5h=bn2`;rGClF+EA;(GaR z!KvAMlUmT3lU<5S+Hrn`L!XkP^tN6-BZ50Z^kdGuyGrvY4pkJNacL9DVI8>T zA9XC!PYMWv)iJBkWX<2L1+*t!6FVk6L2%Lbane!QP@~zS`#LQbA!A|dmV@4DD#?o_ zj~ToVWGdXFa8Xb0qVjwObzoVn( ze-+{_@Qp9rt{81q+W8md6`L+bSCzVz+M&se9waYl RaLySIOtN%2z!isULmmkPv zZW<5#9*Yn2wRKT#IZRy)sKTN;8dDBBc6f;;B9C^+z%221U5m4KsG@={|3oaN&T6V!h zD1NAOxV|dx$`M(kf>l&VQ|0o&JfB{$Mpj{Ezo+gtdUq8Hce%jpAjL8Tvn4$ayJ>9R>^tEo@c zN_*z7H3C&6^y3_()G5Dd(ga(NQ{4{fwbQwq#$F%dff~L}VA8#$sEv9o<4JGA5y|$H z%^9SYgN((iQGk>XY;N;#+{x02QPR(9E*P3&#ig?Y14p)Q-UmDGcV$HX#fd#S5B}4S zC&}Wgs<|zgo|iGizQZI~4SL%)w%Kt>oQm&wcV*u{tM5rD%Xg9s#eGf!&x*&sC~GY) z@@&n?9)eYP#tS{3_!N_bJ86?|mxe}#!0$SS(Bz?V+ za1-^QgjW^nKt!_2Z!xClJbl4J0SB%L2#jQ5w1tg#Kp<1TXSA%TGJz;hjayNcx^MwDKOh3rO+hK#in;m$(xIH*8el@BfBLC%Itx}YX zhdd_*9Dmgjs?eqz2sJJrsiXNNj~nR5U!Nw>Zfxs!XguoOYtIwaK=5IUASl5s-R%*++i@d_i;#Wev=i-V0};I)|=``67+IIheTxu}KR%LRYuz#!oc zaHO(=yW$z+g_ucHpGJWdqrpB@pl3u4i}1o=pM%?g&r30J>QOOum2+K`Zp#tlvD(~K zHZfkM8R046E|o`dXlpKdn@;Er+rIj^{2PLBDvafu3BlH&2#AJ%6u?Y0#+uOSkjah& zrlJIiulTuf26Qf{;-6m#6&{k4#I1B`=#w<{zS0!P)J0;olv5N(Q?q8lrY*3Vr{utu zvxRsON>AK0C`&TCrez>&CYo(6jfGU02GcoSXBl%<+arWWj}IEM(&>46GyS4~2s?Ug zAp9v6px3#SIT`GFF!{cN@jUEai=Dd`Knqz?k`N+^P%)$EN4vn$ZyD%(XF8mw{L3(1 z5p*zFGn9phYC;+2oX9t9HtQ>26tSn4W>F!h;bw&_tT?eaQF5X+ zBqd%kupGeMaKImn2HaogxBt zCZ7@sCyErMR7L1I#Ad$f5^uLy5;DCjmaYLivE zRDh-yfq5Z;1^!;-Cj@#=J5-a0A-;!_9nsx)&~C3bkl#_`6-TH~{cG>h7=0{gmag=} z%KMA=pJ+5xbYLErdXtF(0ndOBUsx3AoW@~?b}Whw(;@oLIlkK(Oj@Vdh|(Odgt%Eq zD`F5@#Fpa~bZW{KKM98E^N@?)O z4q3}9bg#u+x^p^hlsbKE>GhLNI@(ywd?Jo2ZNjgA1o+4UaYBsd-ap{tt)ew>pa%QM znL688=#AJEttn8TGJXk+F03*L->GZkb^gu((_t~DI1JdI??`~jHDOz|OvNxRo}yOr zqu>>~isDvlrOXp61~fcYm4h9Y;0Czb36FwcO#Fq&<}Ft0AY+sog6@~ZdEmL-&fC4x zS$hSHTb+FYAs-3Y?KxQjOecQRhkYi6G^=bk>W1A9qfBh({4aB^iaI>V(TM^p&x6>AvOa1_MUEt%VGk;9fG1_KM2t0BZ7zT~{~~_E(pP(> z50jI`-Jg=HJoBN*9n3UAhfj{nuJ6J?_Tf`E?e)X2X|y4p3}mH6CiZf_ z-Zy}3Z)4^ThH!WE~aMi?d;8HymH)dCZe$P8K##j~l#K{RXeBlM+| zB`oVApis=KpklkUIFNHn8n`+~)Na2Q*UU$jnz|wf4pX#3R&c1M@Y1vAce6O6^LD3a z%dW`HVG`x>+!B5_bw0{EcZofBDey!$!XL5CPPpF?^x(E45X^Knm%zQ4!j+x7(p;8Q zL+7vEtZtjQpnUeQ&;<2@xvaXV^gH?N;s@PlU?^WyW7L;qRB8B00n#TRju$sgB(z%8 zH>OKe>qNjFz6vu|I#J2zRv9y`)m1VrMH(`K>Ai!V1{nqZXhm6rFJtPQ3(*%#i0bfw zW4n`5&UI*usBix0DEb@fAWLSztzTiWEk&dDiFJLE+_Lkz(y8}I#zD_}z4a*6*R|v~-XI5^nooC~3J{yq{1hj+ZNIuhoZE=;vCQfURv~rHdlGIm^qlinN zbqDdx7Uizj$%UFPvzRzPCp~U@o<*zkS?8aVA!JEBb^SK##*K+~Zf}tbwx?iV!&?us z#C5_dG+>Mysi0uqr$w4P^Id{fxv{K5?tngPS&|Nrayo(He9SS#7d>_4cy=w|10b;O z#Q1v9hqe~p_jgy9$jrnQmS2B9b z8Ae8;e2naZuC5-^(W>;}&cS^ch!6enW;HD3xd6HxSsl8z%K#Qp&c(G4AhY7i{$rfZ8I7Y(0}eNR?`m5Lh+^0Eq(v0y!HlRKy&PF3F)=~e3@$`~sS|}r_N!8Y4DW=B6FB9~*kHW~--rtlH&f3~k zTqJPm-i4N`CK5g=n!U=PZot z8u?7T{KaiO3S_stxiA-9$wssMX~G}t$fh}7ueouU&zVsW$O{IioABlmRm`ROINdU_ zF=WbNnpHY!cOT^O!%ZUpX@s{8h-(j%u9r19_EwYOSqNbcAVWB@H20#6U3me%eRGL@ z7v1@e%T@j8uEZ_5H*SL1^bk8TZZaX_-5_pH_1E8nZc;ux{ZRWQ?!hr}c^pG+g8~^K zN+$aPe`6dHKw;9yxZ{}%l|_iFAXLw_@tLU`2RWVGAbmiWlQpe&g+A^?YP6}novk0; z+E1(bnU9>5^jD+(gYOFtH;f>}fQKD3dz*=%RkXq*^Bu{-oaW3*R;5S9hL__IlYiW) ziG_m-M^A|3fHiGQH|U7gtES%Oi(zQ0mX9|{;d_7@0M!VR+&*<~m93MZx1UYbx+cao z;V}y81vlrCn+o8g=w&n~*K={}5|^z?=r8IR8E60efn&4Al|M4PJ8rzi2^rm=@nRBy7?`tigY!40XU3PTykCXFOh&bd5 z*;n#r01AeB!8in2A*Ef}&3KScuFbmjlHiLk%WgcC$MdJ4%9N%>#cCu!Dd{mgX>!tl z9PinxVnb{0)Zsxcu-BRhKVMF**1fJ0XFxEw1Qr7ubOpybZ^{M+_y+}jQ&aKJQnK>z zztK(W9=N9;QrCQ=M4v2M1-?^cZw)t2KWPt$0Pf-f_|78javS2@aqu2k^839swCbUx3VD7u+wcR$Y)r=Z;Ck3 z1BiRiK~d&P*#$$`={<$=y`e@iW@8DRtaA`>T!u<3^k~hy0a9cs-CDvpjn<)r;j+sa zXo{`{NF8sR+~_wwD8?4KO@0*Ro@Nb(lwHXE^E}*bcJ0~Q<8jP}`EnPBnr!{s5%F`U zFo$OPPXzAofifjW3xjE*Iq&g0`?g1GqS#$(l0RHs7(t(?^aC}2{(-oOw6m$n5QKm* zgoAp^PltrUf%x}ET3}@?D6W6diT}No7C06QO2FVR1o0x0nNiSN#`^W!f%10zyNJCZ za~#clTs%LrT9{ebTK#w2eJxmY7r7_yzswkQxLq}oZcc>hyaQS;jfPTm2D4pCV;|& jN?HVm6F^Z@{N?@oghKw0?gcM{M+u-v;k2;->i+)&aPsu> delta 28023 zcmZs>19T=$*EJk#Vq-Fy*tTt36Wf{?9ZzgcY}+;_wkNi2eYx-Ff7kzf-+HgL`s%&U z*>$Q{S9NvO=?bWaIjw;~RFDRTKnDSV0Ref)>5+&#D zk&%^^m6MZ`r>CbcE?6M(mq2o4KYF}yI;>E7Tz^*L01mQ1UYcl5k{EWvSZ=a-UW!mr zmS`ECSaH^LS*~;iK3_S(07a1qHHlD7xe#r|I90I(b%_K`=?pc|P<^!wGcCZ^Oh4Gh zJj~AG*H60;2dfBo=R{lMcn8Z2dy_a%msD?;Y!$&A4Y5K!xm+vVVgrS8ORYRxgFt?{A(ATBH_h(}m&>G;<9_-#3?h_CY5FQ?$9vK=RAD@<%RuCIeke*tR znbsT?SRE7El^ofY65X7h*bZc;78Ddz7Uq|hmNpmV)z#HC*VVSQwe`jZ^(TZ5rbG^; z#}8-5j~Av-7H3VAWDm474s>;nH`Pv87S7g|&NfxgwAL@R)lK$vO!apD?P=}q?jHFw zG%_+WKh!rrKDs*Cy*AvxJTW>uJG-_pzp}EjIn=#9Hn=k}ygxf}Fb_=aF3s=$T{&Es zK3bkX{kwd&xwf;jbFs5|a&mIHyM2AMe{*(ne|dg;d;4^E_x}D40s`{!@sUGj>;wXW z6d)-gsN%MAmL48Y!tUOEP!mm3Znv{0>!42&A<3z#p1F2a&!V1~GK3+IMxhQv0^vW( zSjCYzDk-rQiM)M-gU4tj98s4WAX&s&Iq~&pgZJ(6#*Xsj`8r==o7uy?iy7U_n6uS0 zW0{`xhH|P^i)U_q`~@l#ps0+xIdZ{VP(s23M`@t4PzRl>tFrKfgjjRi$O# zumdL`G)vj7VcwwiqEMR^OnV-HH_k1<4%nnDNFoRTL!;iH*smV8t0(4iku?5wP(co5_Ji$~=wR2{JcV7I>@Hx;v@P?B#Azo4p&$`ny zsCjAJ^JgxYmSFU>$V7eqG_{fjGdoqtb(MP(ou_Bg53PR< zlW`~19WD}K(`UGpQ_MLE?)Q_&S}c*vuh(5sMBC#S!-T^U?_V8Msg)?~1cwv$IEft& zqwM)pM>Bat0`%A{=dZc!b({+nPThg=b`lr;>1()IYk6vEk!$1T-`FT}4tsBWIvG5- zP39h2(zu|dyMGRd)TLkf@S5%U(X^FazJ&zHB?+ zhGhStiR&|?qp72X)7j4XLs#n=H?!@O|NT$P#@m9P`_1!0#R=lZ;`&eRMccJjmoxVF zv9zwYwT2D-yJy*7ZC31dom-8SU0Z+g_8N+UYp$0t4S%%TpUi0gO(bmRdwtwLK490o zImpy}8vst^;Xf|IAG!|S*loRc-@g!e8jyM#Jk4)GuhsQU@^(3H^-9ZEy*Qc{v)4hNJfF`_)g=F=su$G8%af&-B{txG6|9mvQbzE)T z&D{KUbeW~rb)Nb9ST|ZT3be;{R$m|6Kg|!R0Vq3(c;`p_!1l4@7M)Lzj;8KQ(#zc? z=|k*LmXDQ#(;0bkGJS_v7&ex!*Tp4@>(%SQFFmmcSHA1tUQUk>{DIo5*dH~|uGFC~ zBToQtG_+Vp&2#9`y2JFtpdN;N$4g$878N7k<>u^#Q<|_nf%oh1kPhSP*PcC^*oKh?Y3({m)fVH<$84V;cfB~ zFWURej_={s@%*pyg^x)^|I!bgPP?<@E-KHR5%4Bmji;?WC-(R4TZV6LQ*S?y3?3SP ztyxLyJ>H{k=2%Hf6Qg`Q6cji`zxQ^$0#hx}Xb%}pS)NPYPw!4y-bPO^6TG*-v67R{ zJ&*L(_xNtf0eicb1G9G;>Tl0OCvG2T(U^LzAAk9q?cPgXX0*4J8}PK-e#d6$Fz&xD z zrXl(gzMM&kpiP>CHoE3Mfn#t098k+bkD9!RBk|+ZIwGxi&`mUxyhXi&Z8Q!HT0d?J z(jEEA_v!(Tv(4DtrY4%DgCQbo*VDu6Z$>K}l!w+(ssKKH+ic`Pz6 zwP&k+m&&?zZ!0^y@}KC73kb9fk~l0Rxz$nJX&)$NI5ZQd&>FWw$!qTvu8Q4D+UC%E>Q!u4Z0s4c?4}}_9y739cY8aV({s0 zhx&k3AJC<@D$8X*;Y9GF6JsQ~?!LX^d|$_UOeIRn1Pr(SssyGPD_UM!CHkMd!76_p zMJdI>g*X=w@*oYtbi(_Ac8{D z=hxUPfJ7J$EbUSOD-~itABpZztP7$ z$a+Xb&0JrlRlYu)Ulq^&ZPh`{T%xT#9!<2Z#;Z2!z&KS_uP*Dp|G)!oV@L^r;YZ+0 zH{06Lhjm9tUTjQvGn08WD|A2yIPO$_+7T)$=-qyFcFY%9>}c#kZ}S(9NPCT~uA?w^ zOMK@kcw)y1hwfZG(i--BMQneG(4L`8#j-MJmf*S>-Zn^VX+SR0UQsV2pAST5}^U35Twe13UQ&y|+ z$HZ9?UPw!|<}4w0GhGob1mVvHmd8kfMTB+sZKfd{Z-tr%J5nb$O9olz=G=hfBqvSF zAGux`X@$At4x?8WEcsenR5mm|%&i1cPZ9Nt)=eL3dmAdUkv#7irKo*_2(^Angb1gl zyyeHjp^dO{w)(Uz?WOW8dWLcPDlA12FGmRQ$y1~%5LVVB{+haYY<{OkzJmD?DcOPI zUs14Q!NuI27bI9FjpmFSqFe#?_`3kOF_+%Y2^P8XY3RnhKDz?qoJ@YHB_o3&nCF23U6_?uK$02lOF5r4s*e_7t_ZSZbM!MzYY04ysMVk5`Sk49 zG>J@B=n^Eu$QU0mG+u4uf-CKEv@$Pp7(Z+`v7E#z`N_F`w|+@ux70!l#QqAOs_~v9 zaqy{xj^7kRPOtEj(|G`Y3h#|8Jwy%P`2JdP#^L;_T4S=+F%xtQx{g^AS|Q6ZrD=Ps&=Z*uW7l_KCdmmQvmDm_MC?O%-^ zSrXxk03`v6VIuIQpFm)Ei0F?yViip{Z<9({c@BA}TVuRuFGC;>cCW)itcHGV|0KAl zlX4#_5<+}dk|DOz64^ljbhCD>ByTcGJ7}Wqj&+MX+t-F#yZ#b{yqV`QB%Y;qJ?zA< z_b~dNk~D%*2pSV#dk}h#0x|&&9nEg4@yB+l&;qyb48(|Mt}QnD^^%lgGYVD= zzV*zU$}O-Idq|b?tGUF409(Fgrp>m0PGp{nC$(RcM<7rNN^02M(9`Dw3GzTCaOoW3 zbo8x{ae3@jq*w7|lPO^xDyVI!Z)sxH!bd>Oo_MbZcH%AIB`PSdrzeO(mN_1qArJd2 zYq^k3n~qxxlq(mx#c`4hoL^MySst1a6;YTjbe{4sVPvsd^9=pvZ4D$!s?%Hnc8hqe zq{BjGK`QXQ%KmF&xL8>a&ec{HwuR!wV5t=U-)<7y$JoSk2C9l2ES3ca4Z5cEx2mcgq2qSaR#vN{zJR3t-wgV%$gU-n|K z>8i1Xe9z#0iF#+DlX!3Bv?HRU>Hhq=BX_D?*JVI~Vg!R_mifftRG{L{1!*c^6%Yp* zX@yX+mSz8~VATc9-rm*68eF_aT{enK+|z(D1ivC^Xo$a-#HX_xx^_>?-Ku|i&!zD! zm}&eQT@DH~Q-Mj|UveB3*WuRidO$Y=U1=?~rO zQK~5^nn$#z`&!=ZNocA4Ah*^^rIIkOoB|P`dXyY)j*)YxW?rtC!h!3Qm77WiZ~L>M zaC__{VfdpNi5YESbUc|R^6>+F#W%ZWDIpsMq~ydRwh9a zHbGW4R#s*fM&Twkb$?9Da5RE4fet2HHG-0Y(M2c6HG&cYUiPMI{A=&$_?i_$1oU9r z7mXYf88rMN947)h9NL#7Y3Fp2SP&)#jUm&RX5oMJVjzZUr-g!at8?67PsSQK!PT@6 z9{HMVWDKZnre}PNp~@Q(mFoZDeub7d7&SItS)vnR9DK`U6iBQz=Xnh89(!{J?4K&$WmB8~3bvOqdtQAGOlNP#BNiUk$i479Kow^?Gd`qO7m-s;Q)|Y}@)v zSS=KyqMB3JDk?~~ZEe0sb_td=STk%=dH(X_{XAA&!mlI!$m`ze6^7rR_KYaM94)xe zz-bdEW(9}dv2fO}WFjkNOX1l=nj9kjaGg8Y05A@{i68k8oYJW_eTbW*iMp~mmKRVE zHrx3GI3A6BN!o=`HGnZ&Xk${jqaXhEfe{$lKP;gA$I2sd2! z-cO!c3!HPFzTW6N6mm{e9f{u@MZ38xW1=%aUKCwkqO==xoBO(yN$gqy@N#~FMrkl2 z2sIfYo4&(r)uaps=0t<;oAqHgn=bblfIt})Dr1sjf{TBf8$FLzO1R3jdm}H<_(S!} zL>ZOarP>7Ukbs%Ol{JCsGUX2+m>U{-#ub23#-B9hW?+CBnvHkT-R~8}~q0D;TfiEa8 z=%1MYx!ehHVl9l~U*b|Zy=I5@Cc<=3=6+gIjm4OC+zRZb?W<)JK8&5E3T#{DJ(_9H(h`~nMwJ(_h?-GN>b*DMVY#H&T`T&O235gE z8|Xhm96NE7onSBF&WLKnl6k-U02V2w*m5=!tGCNJA(Wgj%uV6AZ8MLv5x9Lo)c+D2?gY#_ zduFoV^fouX+yBVwn;G*P^@*T z{QsiJm=Wyb{ko7VS4g0oNy9ep>c_|J+Ro+hz<9L5Ddezcq`Es>WU zTL>-`Bu`Obu%Kcatn=5f(ky;wX&*KCpvXH4i0oC0;qI7m!sX4BD_|y60mLAs&)y)3 z5U$Cw2UodW)L<-WT8RW&Tws`P)%-hFF~UZKBD__gs^9j@h;*D1Z4N37B4j_M zkfhk&%Zy(}!f8WK4j?kSScOe4C%3?{F%_v@8eIgX2ED8Fj#E!9V1e_C;5Wi>JB$f3 zxbpZhTiNei;lxMnQu(yYG;j0_9m3ZI)g@ZU#e7XtQF(>yDs0Fw8)j5gxN0`$3|Pj3 zGPp}fxOZ0jj|P&SoKQlt*-lZ)B^~6XzyaQP*t$HEfw*1HHDJiu^W6H+@#A0yl8E2O zg+l(XuR$QSA(W;lXkqt#Hxos&WTN!&_^ycG}@!ZpNg{m@V@XoWsBgMNxACa<%Xqo>2#QwaFuoIkFI~ z=VL{c@xE5Fa{_n6=MVSB&oGJ$oHusW(kN%wR4kXNu-(EXc~72R@8qTSSU(z@ zsJRqaeIH$BHD~qQx$s(>wk6*r(*Y_82KdFif(Bm8%v#pReCX{inMU%UnO1Xlvku{& z$whT3;K|}2c~X^~Hpu8)j&^f#jXAM6-jib(GLgFiB-wWplV}&$^@u+*?L7|%g6P*z zO)m6d1@nb2=EK{358c#boXVfmH|15%-E|jF+gQ zDB2Fg!neLt8JrbSdPNt!OL4-CMFFNxTyBO=T*d4~^4=a(V*29e-EJP=k5|6f)|_n6 zbX1Z1|Bmdk!|Qh2k(Q~+xx2*j^Lc8^(&Msm*lT%b-l*9zWIBM?G?2Exn+!Ph_iGvP*O=(vB(IBS(}CzRMXV9_rwA<;vopLI_+$ZIRHSw9qBX(-CG1Xj|AL4iOn#J7pZ`0o)senVZ}COX4Wubax2(***gZVVH$9xjY&x{i z|EPS2`sj=hEsefZMUUPXU#zD--i4J2XXi{{B*4Q4|DF*|R(U&~0en=46HT~eK2B`D zaB7GL)EK@gdR3Y(&*nLuz9P1#`8febexwvfZvT(+IeT7_0hd&59^n+yIV|D@Fi;p+C%i1ZN1jR zK&oUul>jAVT#T+R>gbkTcXl3R*+a(nhFf{114|>D<8>gk7C_8fUCAwxlW&kZ-QuX$ zH#;GtxoOKGRjI=>WT`RMX~GRTOv9*@K#%1`OyBdft3EJaR)wNxGE4N7sLo_>XU11k z2L>iU_=V5eWw0z|6YBG?HWR1ajI*zbGY9jAvac>bnRWJ6bLQaACp-LPhS^v7nS=44 z>@g9TcC*aBs?Qvp{iM5}PSfnG^31`yPj>ssY_qT0GY4-z*{SOEQdvQ@y13p2V=*_N zGk1n_Shk^njDF4w7s>mOh~lpQ{W?4IPr#SZ9~DZJlh0f=u$B(oQfIO_nqSS1s3q@J z*Pbj^oC>~9x|FH9$xohG^>=&L0FIluyPJnxF{yL?N{H~~<~_wdczL=|dBJuO9yk%W z9gN2&43@8h#mPOz!~Z%8|8=DP$MOD;gQC^_YOsWSH$lm!=I)BI-aW=_`y+1SnA@%| z!0+nYl5Atz`N#VUpvzDt`|A`+R~x_fMrt8%FY-^PA|Sv~qFp`XBfZ;DQ(LgY2dJ&s zrMA~x|E`!=$D_9^_u4P7-$->g+G92=c-tSxqt4=_K5KGa*LWJ!wCDo8 z9UL*67{SyQv1|9j)x~9tJw&oLiIU$|ZC(#GV-yV{)~&088J^eME!z}oy$dzl~= z7fU;q&0h)5uF8v2c6KOcrUQx2rgNUd#ruBO!(C%VuXKRE>@C(^JBQZalD+f{gdo>S z)G>gF=uG0#^J>&4v6=|MArwNMo9#i**>@e=g<#Jr@SuvS9iedVS@AIohPnD8AicYZ z0(S-LRHWJmuLmCGoK3RgAa}gheJrFU*O>Fsy}N~JhWsA^c!M9yC9gN)u?Oh4tPzT* z%G$3T6nUDGN(p;Xiecb;tEul$>DS)FHtvd%joKv2EMeb>XXM;cmvM+>=y= zZnAcNrJC~O|1tLX2HvH)5D$a@hpx(z7g+XK!_6kHQ#AF5E4i0ogYer1P)>^WbQ@Q;hFf$jS$uApQE z1&WdA&TffNIu|rev~@nKF4*)$*-hAe%MQqK_%MefH`_ztDYKY&USo$^&lNJhFAd(2 zYOS)I`9eFHR+`C57a$#{kxw#Ic5-d@+jheNR4yldv=(kC4@r#%6xcA(&)>XGz9j&lDpH6AY5M{!{Wb z_WSvuw8xsy^Gg-Kvk$tJ+&;iFAjLWTQ*ZH-VcZe#{OdCEw9>rR;V;_yr7pv1Rh{80 zCT9pmWechWK{4}IbhM6}z2eIx5=P% z@X}EIpTkZsC@Mua%E(}3;fT-$&lG2zBZ{OVg=A&Q0>cGw-FIYBUjU$kKC=y57L!h6 zblI2z-y@SJ)5x7mWPf?J)=!`J>`V;>-1|OSI9l-GUcHn7EMKOQ+}8mDg^igxyQM9` zy;Iwc?22y74ivNj3lrHQru}sI0G{bGlLUJIi3_;=Si0K3X)z*%of~5h?{xzO#L-|J z*QV`{Cx+6ms7AT@_vG==UEjeBgrfY#3~!@VL}(f16=|HDn<|3P$s@vZ(3Z=A-Ct7b zh3+((H0*1}10SFY($Fy5kv5(BXdoc5`5++wcLFDQc^LE?pzXTCf$X!P7u)AKLYmx| z9{BBhK>?{Bcs=JTy8)6$c==WAF35+EI8#2QA8kX0H&M+Vj=O269o_Z#FK3#GOaY6i z>qaF&xh&leo?+L~LHmjAETgN;%lyqb;D!?^8^w&0GpcP`H)9p;WZt{r&Bww5?4W zH#_}ipro{Ro?ex3yN>8Zpb@92T(L|?t?q-`Y*n_CK{jt@W!d22xgxE?|MVaoFQmd| zqA~ew!InC|_Nm|C&bnbF=fKB%pS!}2T3=a)s*T$eh@Zmub5yjLud-yHUlfwV;_+?a zq-e?hEB-C@Fne=wVBpS#aVyJ@KDTexc8=c4?nW|8q#0LOLJ?{$WEk?07lBy>R7Oop ztRO~ST+ao)lI5=v%uxR1?uL>(e{omE zoQS)qf#^ZqJfFnbUuvg{<#Q)k>h1%Ud}s=M8tEEHn=Xz+LyAJ!?Gz+!0fYKpW1i}q zXRqLlnQ_H$Zs7{Qg%Viw@nmGNL~%#GHIhj?0-9+M7OT!?jQj+h-7fC5Ce|MAARr*1 zdNXssa5nmEZcF=cx_C-!{=!o5=ix0d#Znr82S^Y3hbxGQ7@3ud(U^Rpi#VT>n8e1U z=^U>4DU(EaE=kvIJNo?hgbb)2W(72*S|w`ydq3C61tL4SJ0M))ejCHCEGM%=yp29? z2opA_m6@l*5GwKpJfQLC2Wd0C-f&jTs5HJXqA)Mks==u)aUtU&l#SJ~z~o%*FDg@0 zAPmWZ2iy!zo}L|Q6{=ei8$E{Kq>d1_Xi?MtNbp^pNp^`i9Y1m!te3pR@m4?MLqhj= zzYGkLhYxD(U01_mh9ULP{T}rRTqX%}l$*Yi^VbzfmRkrWBWw(1By8@Xm#J&niDDxy zE>>>e$Eh76>)Pp`ed_5pf=pP=*ZuX%fEAe@3m@U=mq&kQdhGg?lUk8z0Z0{3MXuJ) zd(bcF{`K8M9E@pnFa|jqojvEjL%C!EYz9~T>GSdT6RHaFO`R|7`HFg{f9XAYben!Z zZ@i(_YheS6HCl~F`&trLekMa z9(%BbDT1|LArY(_Rhh%`i3=uY$3X5q+kwb&GM^6*{^Pbr^7VV&B=yRI!YS1kKKZ}5 zztLI?DrUUf1rAFc#TB&$>c{&T_6Q?9*hCwY18^#mtG*MXWWgT!wu}Igwjxwu+dXuH zu&j*tFlDz_rF+E}%U4SZE|8W4;0iBfgGED4uzjdmynOXCC&8`aa(qOcA;83NE`?Is z(Dg#Fp5SofzD$&oq<7&^y7@1X?BF^egjl?|Wqy~^tbo}luacZC;Tb%P7H0LFA7EG^ zG7m$PZ=}7N>W{6AwhBWT?g!C0gsv%3LicQg8+(^yP!)XVDyJ>hahaCQFiRc=iHb6X z%RO-IOA-2+K5${%o8Weg3hbudLR^BQ$CUv)dxrCBtM~}UL70@@ndZlxU+vF`h3zIA zOO%*Izyd$2s+ZM;8C|`Xx8h31E#ggNtR=e!Hb|5jdA!e0c{agG6Jz+n4JblqLMFXZ z!qFp99(cEo=bNxDa4)WXO!e8oZo$`k(hGWj<=I5X><#Zgf4fWn3YeQQqIaML4AVs> zTi zhqQV7VRd1dDK09F0nGE-_8ywlcS(oSQ!Gi}oS+7)s?I!so_lpY9}~A8*GzuV{s8;u zMdEXCpMeJj0+LPf|Gr56`9|c|YT+J@Fi^TP zqj{M*=roo41CJ2Ee+_5EhtmH#WFH}1V1wJ zEDhQMrjJAfX;KJraWR`k&5FOUgGp3km|V0sjAX zh9=1wP;Suwd~fNV1^u3kg9Qc;|KGcPlRwQY{}DXSf^zkSB z{~(6>&p^9#ps4>vap(VwGX2M4IuFYBACx^0N(u}luG;1?AO~N(pvT%#GyJlLfh&Ot zJn1;(^R)`@$H3kdR$cdzt+l9Kk;SM#O)3LUuU-kjajUY{S52>=gleOT{xsm%gUGdo zU3rIf@+YfBWU?WhB-yJ4s0?e;jB(QO_o7?$#79Yxp~-2*gyu>vf>&{sYHw0KvGQ|r zc>^NqAm3JaXy|-ct-6^G2JD9`oo6+86@Q^`X^Ya0(yBygSRN9J=3n56g)&(@MylVV zEOqYJW3*ET7BTP;{Cw$!wIWe7vv}|V0{j|`k=*`f?asvH%#P#+e%p*{@-#>fF-V0x zYsS^q=bK0PRm17_H&f*SFHh=A%#w5EHvnki3gx+R$*hBKaz}@eaYI`t)pr@XI z5#8?(CJqa0jtDP)wS(~kP|K#4p`a+n{25?g3({7r-VR`@c*pvXFXV`B(zE}%*BqD$ zGE#kfS=meqCR#C-+vPO)UG*-Amye4ZQ}=Ozn!x1b^xjKL!30caSv3|Pb3=sr)$1H;41FLbXBMnQQonYVW+DH~J!PYq&_Y=y)3q-WF3viZ)Bnwo& zPmvh-fgt$yZAHaj^QV{YlDZG~x&JYHlCE7iw#{}R2E8O2+2-T(MDi1Jt&*t!V~5-k%sUq!p2k^F|e3Z^taS){uhO#oiRcn5M4UVySvqRGS6__DV=&jX*# zUa{cOVO!ZIJDJsR3tYMV&25?v94}sT+~b}bVbUHm;LwAXLSd6IH+vT~ZW zAA{LhCqlBAlCu*Ghw>C)i^L{CK|%MLvbb7Q-07w|ebxiKT+JqydqeP6+wj<}*gW zmy)2g?~tn>jBIA;qFg_ePH)Na&TnjpJlI){LC>ekCg_ zkK@IzWMuZzp2WFa9Gv;$leU`PB{dcR%%?D7DIf{aYOD%YThVnj^?kqnT{HFm$15QE zI`6!5#qHGDWMPr_53qe7%?M_#I@7yl;*Z2+C6hM{F= z6N97KJ;-R}obX+NiV4P9oA0CJhSB@T$P!V+HXwGuvK27qIwZB>*-52ro90xiW1-lE zM0N9XY>Rb<3}$&-;Ks{_W1^p-E8%y6wP!VFV_3wOtG^mS-{pi>trhrV=LJ9H1a1YR z2T|+va61`qBKLlD`a)yRWfLI0&s$9jlZ&~82P+!ECSlwNr$K5NlW+KjLXZ(~KzRVU z4?tA{`!qwO3Lb>~@3W*5S44(8H{6leqHoZ{_NO@5Ze&iwCOdksCK!SDKWAaAU7{`EvKCLY z&ZEIQtp{Dt^CRaR)>mI&DOnqJs|=otnX?&!j@m3E-zmlZ*j< zgrz9b;nf6aeS0O42w1#xFyEC=;wA+GwZ@iq4&vKHiPU|V01|Ph*wq9MvR=povZD;9 z4<8X)^B?B%l8=mS)3*W%+E4-_NK0Kp2VvU8ZGPeF+w>1N`s8XwfXy-Y_e~or0eg;< zLU;%??;^VYu(}+Ho~qxxX}=~b$#&n)A(Kn{+?$k!*ytyw6@oz&%?<15TpV(w7mo;QIGQNM-!RZy?{nfA{+* zjtAE=BEFiz@tI^*8?_hNib~4!6*~rIFn`@za9`nOOQX$$l>4C*z;?%SoAlcZjUJv+ zuySqg3R0dwSLW}Ky$MI8zC}tx6W%km3&y~b%_87G9KQa@!#`Mc|f5i`tZ1l zs27eNbyhq01A_k6)Ct2Vxr0Od^AQ`u2uY%h}zVWA#d? zUP*+z^0~r9qN@&^=-`V_DlrF%WORuKl(nmZUsH*1k5=$&#u4*A5u$^I*BNb$Ev<4V zA3QL$By>2>w13jq9lUl_`6jbo2nOFU_Vmo~m3VWb%w%dYc#DGYLzi~c2MIe0`SxO- zDfGd23&!Bn^reOmehB9E!4gO2&VWPguuFYZsu)Qa;4r_4kLe-=1n7FyQRSa4Cxy3b(QmLv0fyfZMaqM@l1gS`X+pQMD$^` z&AcOR)LWQ2Y459vF}z$=5L93n;&f`Ap+9IO#~%~m=7&Gi(rZw+dVX)T!SI*HK*W(` zkN6i3=FL+?=I2g*Y$ocvsH_h=suTs&>Uk6T@Mf)2J<)U@`+je54Q>lvo8SGwW~qC_ z+s@fpLEZ9?Nj>a|>FZ_Vhh->5u{3ifQ0}2s_Hy5h>+=_j8fFfQ%qd3rvz~X)IHm0+ zL8^0($CXg%fH&n3I6u6>nz8oShYg#*OxNm&!btZUUDObj>Wo}#rpbcoJgBarA=Px(0 zTnOHTIr!9+7o{S9B_&}iH__P@vQIcGQ>1lv_kBt%7*X^(SELp77AlUe{mr$aUT3#q zze-@)@wxktiQ;n%D1K;wibA|oEL}Xc68wsPY?RQBb7tlI74JAN-SgX-Rmmr+mX5tE((;4>-npV#e9YK?3|g46JaNb+9p$bic6Zj|4Pz;&ePXnYk$jaV`6@Ua zQD!=tWYJcd_`e``ic9c!w4lUbLAY0!^OAz;Sx?pPfx(9QM?XStsqF_hJ=wLll_CGZ z7t1v%@O-^8|f@bKI~79vHC zLP4BbeHjFA4a&Vg>1(W7)QjX1=TOLQdT`!q+c1ogvb#9xBOo}Ej6TjPR8ZL5;Y1*jH zR^NF54Fw-9mu_<+uHM>bC#xF{DTm26rL%o_$F_xyJDXP^Sf&`f<|&ywPoL8P&H`X$ za*vNW-hOqu@ip~NZa|(oYv*K&l{UFH_A({E{$Mjz5WdID=?EgiklbPK&p^o@cs)We zyX(=h7Z`_JQFjTZ`x(FQC}}t3fh0y?swVzG*mT58#Fe5&D0U=j6J%g0qN|r3+QR+j$*3 zvI>69_VmTeX(XtscskBd*uz+?_gcy5(I{+ z%nzPd-O%L54s6nH`#W>)a{^bsT{4#=L4r@uTo^^if%px(Aq>X$baoTrC5_<#b}w1Ivnu<2l6o#6nA zVUqv-9UzuS^g}<*KlomD#{&5BphKJZ>qjyAE&jZrT#v|Dv?&ceO#3FsJ9M=$W+~%q z{s@b_BZc!L)7z?l-hX>1p+%hJMqY35b{Gmpq)nbar5C_r!q|)E5c98>#>oyIb$@IOacq|FqPhRi7ywhmjS4I`7AhI$#G?+ zeADvf^1&N28%qArGK0cJON!C9~<8! z=_Wp&6!*4Yvv7Dnp{CM5kU;i-vl1$H!X9+FI=s_Qd^Cy2{ZoU=XANdz(VsBsA9x@h z|G!wxBogd;pDy&$Kf-T5&SH1}sX&!(0{Hknz4M7lKk>)Y^#7Ru+lqs_muCMC9W>F^ zrX`coHTwj}kM}1EpwJFrmx&T<$QIr2)Rh%J+lPsMl%#GoNv*pKur97!jXP+mWUJ`P zY_=85Sr9`eS|nmoKFV1*w>}D*Q0)yMb*fWkaFhZHzt!9ogD#TPiXvE53RQH=xBk^5 z|D*T&SKlo1kDl~jy_Vvqd^+r3xxuI07JjFVbl!p(FHQr47_U!StBVug{M%ZH)7+N_#KHKrL?7$O0f9a3(59Yj~PbmEl z{4DyvSpO-w^&0)z5Ccyi_Y#f{?~~C~pE1S`9X?^)Kk(K3f3w1eI?_$>U(lXBP6A#! zne{2SUsjhliH$g$#$mX(o5CDM*%zjMUwHe`{g^bF8tRkbvG^Q;LAQLC3xP_vlae!z zTASPNmRtn@2OkKIlj-FCZq<=d6a^m!u*cTha#3M=W2UY=X~z7x+OT`VI(EC9I3vL+ z!ernBzCrKjE8WKqQwm}>XMY-m4~!Hd!Q@&XWA$KnHkpISGTV6@9~Tomd7MApPiEqg z@rjS@vq(G$Nc7-kVz;B?ZdsQ=?>A}-+T}I+}dPp6VfT~7g;vft)C#@n&_ku_s{J4A^@b?s;14XZ`st;a|Ex$*9+3h@HKk2tz362XQkMQVHeJ(*rr#5XW?pwkIra+zhH=5KL4-*hk zVL)_=e%eCxwf>((#&Tp0Tt^V7^&dT77G!#|%!W{(O^F{I6<~+GX~Et1%*ZHw%$*R1 znTl3C1{mg#b_FjbW|d&WfWr2kH;H0U33LKR}4o$ZXb#Jb7>8S+1#f5=UiduABf z5bQ9x1mc4g(3GU@Q@fngG5(-~Kk);Ba2acOXhr&&svds)59hn2G|t+{t=Lwh<-P4+ z1PgFFF~+k^(~#B>r!vD02r?!7zBQ#h;}ga`UhvzKe#b}dV--wb1$xI(*Kt5gEGxkm z8ZjmmV@{+{`#}{93>I#-{&%jHwrHv8CR$ zQf6=4yh0#=9vG}@*xNz!V&YC!flX{WT~#|KB?iw+N=?le2UMQG4)!D4wy|OQq4KZxmlAU&hB@XAhf@KyS4$wCWzKqut5;TEm-j{8_YA+J#qQVBB zTN`1A)Gi=#0K|PnUgy5wfY6Y~ph!fG?e1zE=C>OJ2N}Mo@u8cKpOl!J!XqTixs~AT zpH-I3PQ@c%ep8GCg~stg^xrV#e!a$L34_V=LD=@hVdB5Q;QQlE*N)%Q<24@#5*J(o zeh8Kq?&&c8*I}4wt59y;3M{NeEuY*q+X*TE;4G^|0=W3`e=7URpgg*)+Xr{I2Pe3@ z6Wrb1-62Tu&=B0+U4jM;E(spo-5r7jmtdE7-kI;4nS1}-uIf6wSMPOp^=_-`(|etG zf3M;L$GCEt-$ws1PXpgf!@p6NH`DlU)U;fN^q;<}Z{|OJ#ox?-`f|LPfBT+MP<0gD z!kmWKu-FW&?e)RGPtEplZWj10>BP_X_AumQ3t|_#z2rW2a0Vh+ZYb8A91vhH!87z;FR2Kfu`qu?_z-rdNW}X6oY2>&FL<>zFgi60!muVurOWcmmy`ZJCNFPazZxM{ zlURH^x7a`@oIs;?9ITS)BX+GwV70H_WlUUO8jB+-bjq#S_$Z4pTE~lOD)9%J_k8dH zzODx*tAelrhRK=v9mGFnWXINRzwE09BgrY|J)G1q*b({(p2w2w1qcY&hrsQx60*QI z3gA|!8YA>M)$s7chVQGNN>4P3qaA1N2l4Umu@jL>j|114%TYLs4M>mH!B-O|oP{ww zjn)jpovb(Ni1SW08$#2=8oGA|CZ|NU871B==<9a&9>P|zUcNsAnm1;Jn5>0jihJgT znV8_Dw^uls_`aSni1}a-WvMYk%4vp3J#Lno&UdRqPvw`dJ+31@9hsbYn?_oO@u63I zXZPH@G6Y@`2_LSA{9<;SY^{*={Wvc=Sde;^`;6|J1#-@`zBd!y3>s9L0g!N4Odu2_ z(9tX;?Jw(Qc2rjwooT}_CPVKw1>cL{id`D7txse~l}m*-@T-DQuLel;^9&wU^}+i@lh~l39uQLRfRq%- zu{5_vmjp5Y18PzCYoUw8&vW1I{^Z-^AJrY_&9T-5sIOQ)TcYJ6zT1n&>9^axG-DUY z$9no*lut2Dh|&1%^Ex)%dGu~kH15{z>5%N!5HqQ@9uDfiX3sPBecoNyf97)pSrte2 zcLQh{zX_CP=NheA2$1(f2^2#nTR`$MS*&CGu?T*MZUNm*TV>IpL_b_c(@91}Q`63{ zGiQr+vWB*~_0Vu55LqqTwN_Ga=3vJB+1WZeAB5y&RYAs~x__>N5L~x`JB(vYygEm` zgSoea?PMi{8nI9JM4*-ek_orabk8PlB!GXRm-W@;c2RrNmdr8`k+;PBo@3u$Ip9QO z4Q_wJlxy>e#)!962)8a2N;HM)RnRpD0ZJ+T7ZZ4T67@6A%)HzFboK+H)}M?TgAr@o z&7rV&?>AZT0EHAIfO9pbufmiGzI-G;{gb506+jc%M+dG9_*{4otBi5qHwNDd0{F*> zTc^u?Wqu_ir#2!M8Q>Iaw2iE(9rc=6liTqmgwrcgK&y4)TB6X?0YO$QSy2@{k2~20 z8lMdK@IPKhzFu_9oc-{h!~fVe@yK#f65+Y{7$&D$Yul8Fz&p)TD ze6^cNE8L$eFhiN3f?cDxQV35p5~(f-g%?ZY!?c?LF;kY^#u1e!2CXm*d;q$I9WvSb zoF;dvKpRGVwbd!~+0>Jj;IMPuYxVTnmqO5UO=LuZ+nUY;;umGU?n*4yFYi9v4&>rQ zZW$wSj!AZVjYZ5pcr2_7{BNk;qdVNz^Ct?EE1)6VzQ}|tsYufO!@hzhX~(w`HU^z% zn_NK{`|TXuJy>&3W{#xR3&2-FUz@Td9gmG+d{k$94B;LP>ql0@|cdRpX!NH4;q_lB#@MQdN+??6P= zm{cEoca@*(W9Ufc2SU2FUAuHy&Dk-r*$cBT7DY>VuBBURbxVvis#f5 ze{r4V1V$GgljpW?>{hE~UD1^XTr|zl`VYR|DGn{BmNl)OI_>V+x0!BDzv)FetL;)y zAKLWuMS8Go+-qUKJ~eLXXPOPu7#>xTI9{U{4?%?|MHeA`+AYr^ZC%D7LE&v2A0{_~ z13@`fx)FVi`SPTnO#t){J#J3xd7Mjr$Be=!E<|55ye^jqXZB{M`j&R=txpI@mhglH zP4U{dc~<06_`W2*UTi;%9Gp&FjaP1+?;YM8?w#LEDc-GqoE1LgKRUL3W%kT#8J0WJ zjuHC=g1Vd7bSR=x5)xw0ogEIeG>?klBP{UfQ!8kR(V-JNfB||o;!?*nmB`+yNNJK$#n66` zQxR2Nab<yGxd~IM`sGUN+wyqSJBd=r^bywsI@o^BiUqUoODzv%F*-TpAw}&KanP!2!wOb6y*Q@wP zZfeGJ3lLlInq4d~?4B*!y!3rPehj7I_)TQw0;`eo2$?mQnqj5RLPiHYxR8e-AQC?i zeaKVE z1lZa3pM49`)CSK< zGsaQ|nx$2>xOMq3)%#=?&pIBM#udgOicILK_4bJcSly%Q zzuUIl*-;iIu@LL5TuEzz@1Ux|-S<}dAns=&fIZN_Y0z%7KB0i62|uWb9;1xL#SbfW z;GRf{UZm)!VV~iKwLyrJK5N;n4*p0? zgHJ8wAg3iqqC~Yvrw8YfVo_2ZFp;8i4fZ{LUx=jj4ILj_w9(5w9E`wF$yD?)l&JIb z$Nmr_veZ?2{%g6^89AnSZ; z=D^;PS{=D38R*^{h{|Xx;Nw)TBIfD-@loFK0w#3!MVjI0`*m80<^>0_#Jc>Hkt%;J zHRJW}6T-B}Ku}T^n)09?Ff$1ah2+p_RN17>8HW1~VJXCjELk~KP z`wP`Gb!_ZbSR@^-Rn2|BmccBpxN3AV77YDv8tQ#LV*33uIT)=0_?cI_>;&?>gE^+H z$zu2VC2I|2S&$m671GJN>htdLu@e|L^rH*R*_>XB}KQcX|z)I0`rK&SRt%6TCs1EV4?|ROahu&(j z(=_DwSxy2hG98$KrWtb-@*U^I9kv#-Afx<^(p!p9TvLEP}diFT?OzhslHf4+YJ3G~=`XjV~iy~bIyRX^k0&%Hyk}{I{yuDgqTI8gK7Qf=Era@Lx(Hd@kp8Mj?{@zTum~oKT z${=VvMV#eN{%1{`-#GNRnzduan3pTiBsP<2aNp{&FQl%-f)G2Z*u^>)$}IyfCk7Fd zK1>AAXeUvh1Ex_ca5a;nKpw!5Ua0f9iJte+)N*KkW}@sDQ$}qz)~+;m#ww3_v`yDLb{F4spw7$ptrY zD2FAx;lsSDn=2X#_7T=&xs^f(oCgz;?t*?AoGceKK+y3B`_a(#J4~pf)F%AtEA#?2 zGmDO+a!t{wDm3k8tAZKNhz1&!9e9zp@!UtCDK8ZM+wdP8l!9kin-68f`5r{avb`vL zs3G{-vkA-e>y_=e{09UUi^E(8=Wxws7jgX>CzLpP%3oSa^0qSHb2VROV}@3WBn0hO zW6Bk}0|PH6tTrM0>~$e6QM3&%Bh975``o2)8(h%+trnMZv0iIA3Me_~mFn;?^0h0} zK7Uro)hyGc&r#C6%v2NilfIgVY4Q#TLXRw(MzFBWAT{@BPIOsY$eu$RIH9VpVxpm6 zDw@0#z27f9kmB=W`yt%Dn9^BG+zaT9eFT%y0_=3!i>YQLd%`r(Sp^iP7|-zYn;RJu z)%;+s_%V5$6{U|829a1(g%4aZ3melvl3|H}Gj^kpMp!>q6#E1)6Vz~cPCvVisn8D@qpd0rKw#t0uDRo`D_g zmr(XQQs7nCascLCXivuaWcOavpXS>vLjGw044Kl zFOh43%b7Zjcz8dEG#Dus5nDm75YtM7iPrbfB*_aSPw3qca-xk?S!t93=dxW1Hi^ZH zChZ(T2RZpWqqjdqat%b-pxAxhsadOny2SghTJixBTQE z5UN26#i4$tNa3&u#=kp-^E*+mAJI@0!N4CQuU7ZQop0JK?ml2#-bl<%~vY^>hu_UjE!*acKJJ5HlY5!~$RSCtj zyoBgGn=;~rs-8R7;+yd)3rbgCFF#Om{4MlYbm{OCcgmsV6OftA0M#oK7{_`>C{8IC z`H2b>p1rbVp9E4@`8LtR41lV-(0aTtxzGz(pCokN0PfvuxHi?@%DHf_^WLtu4Ms?; zf>{D!D))!i#Zm94UsJ^^7%>E3G|O$3@Z>y$1gv)+i^(T4vbCFfdeKmzHBMa!KL>Iso&MrAuc#mziquQ&i&pc2EJfpPF=ybTT3Yuy@Z~nfN{&a zq@KbP_5Z_nnh|dnExkv_FE@nM5EL9ZX#H+7fd~I2%6gQN`yx2fGUAFU-#gGVRWFP| zOJTw?mFfAn!iGV8JK&HrYVm!582rSnDlGm5({pubIfno(H}0YNKJXyTI0KD)@}2W5 z3KcivYY86{R+xC>O_8)sR}qYAeQi1Rp!#N7ii}9bR|7e)v}xs+Tiq_R9dXGL{UFa+ zX(Ovkc1kZgtGZ5t4NZe|CE_iu<vxL0$|WJVefJt-m!{6kwHot z#rhdUDNBy@zB(sySD~K~hlh6{djQMWOerJ<&X4jA)gI}xpx2rOt!%z(DsW_)T z)|C{TjdvzAOMu*o%o#mlauGsj+Y>a_UHu1BN^y(B$d#uCwg@#UMg2wfF*WPO6*vVn zB^)cq)3P!>e{=pB7ku*qc`McRp<0^jcm`MIq%tLF9_hS&QX!}xH!L~~$c!c`-tYUG zIbt~vum1$Oc&?rv^|}DF__tTpf?f-in9>B-)tD>J_`vG}dLRN3r5qxTmCrn^%8_M` z8MPV7)RvGfYb7k&xXe3GyQNcNn5A3<_?jsp#T<`BdNsX_o_SolZ*|X9U018Y1+qg+ zLdqfgFSEwlO%EY811Au4wrSK7Ff0@WWg8jKB9dak-i1S1RP_Y>_3SOwaTavT+G2|? zmI`QIvp{6lmI7C=0SMn3%fpiyE!UL?5I*P5%j>Q;d72l4qQICZn~+@Yf-KC8x*JVM97|moofw8X|_&9 z_P}kVnc^u06cbFPmV;1?fZ`|C$mYD_>cmjQ{@0xc>!9%rGcxdYv8+TUL)}oocFe+N zMeB^pLWrse6BarCh+yEQ{c{xoY2kAp_A+AjXpjIH={|{iq+PJOJh|eU$$=GPoD#Js9Lz51-IUJKp2=mP*ba)@5#WES3lSzfvI)OiB zukq8O!W|F4&R!ly(nyWh)}8|j8c1`2r=XW!60C>cR1vq<81`q#q^cQTa(Jc`2GHv{j6A(CvUIhJJ*>NW@|({o`P)e@V?Qe@PU`@Q0ci=GF5S^ z3eXT8Yid=xd|e0`zB9(-JBzd-6Cm)^-b*hs7%6pj_d$uoktMPW&UcqkBIL4ab|1Ry zdHFWzJd?Z}tHChsaQ_{mrb|?o#*|~R>c`@iVbt8ul0)+DDnS62=0~nZPsU`pgQ!Q3 zGK+~mUq)|r5k}Du_jcPsYDeegmmIIknVL{mDX)K;YhicSk#M`PL7I7^^uVGZo~lN< zD0dWpSTi%&)q@u8gDqOvGu--7wTir@9a7hu0)wM_HNTi{R-1-F>v_4SVR? z?&q;sjO$J*9dKM8ACXizHd@eU)nz!5lu7;v3KgvFu+Xi=FZCqTQC&!N7T5^!J8D8~ zYN+0AkERS$f-E_PBDlxPEP#&PoNV8*53mmxeCfNlU~w`u&B3~&JJqlwtcm@i<@+%6 z=zF?TDQt3dE`9nkwjxkf(AoK8CfEM1#{cR3?BTic$c@h4uj8(TKS4>4QpUWzM(?6b zOEw&#T`j@fWj%==RODpw?9?`G?RjD->(x!pTK5gS7F7tn5)%0B6L65vCk;v|LFZ5Y8Vtydc-)i=-4nJ!NKya=tQR3wfxH?P#0QS)v06zT?t4)U^9r_qhE zl+(t{>@HcewM(u})oNhWKm5s2pL$(0k8seYNJNfu+<|8QiU_>eKN4W0mZ)#194LK> zh@FbbEI&z)1@TqD53v1Jz>I4INilrNvRbadOl+;)4-Y zn|t_60u0F&6fi-<)zQ&1N+wmw;YX6>a+@W=$-{9C4tP3h%|N*7EkSVy^0GBH+sp(m zlEQ{ji4&b`aJZt1?2o-lOL9h-B{Vh}N4#WVv<4GDQhCux6b1WEscsm=knJ zA+Ei1RO&6fsRv}@eikHKRLH2gC?dAYjMx0kxsymjOT;WS9qp`-Q7+i=*1HT5od^(p z<)G=0;A_w``Xj0{i*%0zKWL3bQ9DLp+jvO=a=DH@tH;!ga0!Yvel2yF_KxUmwO^i9 zf2w5<(=Ie;!5+taKsWx)swB(e{b*$BQm_R#`e{3`{SL6(>Zxk~{5)F_;$?j-DtMcc zmr2Dv+@AvGny$KPLYuKBp;cz4#N|8)6)^WgTZUpt2@yGe#;_Q7PZ~@gluhCFR}$wI zHZ^PCR<62GaaW2tKujAoIvk;7aba5hAVM(?Mjpl1#HM~~tC!dn5kG2#(ac1cgfQ0Uumdk|HkwcPCQU&bjc z8@)7(%R+=IOoLnB=_a=2v#sKniV80137v6lJhOn!IL#!_$FhNF8|!scAVC{!RtYXT zw&@cJ&S{~Ct@_Ju1kwxe>b=6egcl%XY-^ESpALud)Dqoxx4jUGNKT>( z{Qm9Y5LPK?BZ0;~Pnu=niLN*1$|6 zhaYeTz0S1}Ur$$+-d_(iW-=Fv=JA4>4b2-$To73D`eEp* zjua>M;m(;Wi$ejkJL=)SR!oRMZh`@Vug^F*u%f%;aFZ?(28+WvEB9LeV+E@Qog=j z`L)tHiv-*zQe}*fj9?B6C|C(%jqeDoQSsFmhp#3acrmNb7NXPQzNl=)nBs4_8nQx} zq7VB0l&zSQ+Ukz0uRqL@Hp-MKRso!TSF{Ep8Tu<=@2Ukth<4S$6pCZnTlvXme=CqM zOQ?`2Z*>PYLYD({N{}MvLw`#h?63)j#-f;5WWsLi!)+0b_O%}9h_)$hyYKN1UCa`m zEm1^=Hxbr8x#A3run)H+ES=X_;^Wn2`B(A5Ff50c+VUcESe5uy_)T*f9|AuM#H7pO zu5W8v7KpkLjj_4T8i4+V??eJY%0>kt9ID0ThqhHvUhPT*7&b9nO2}^Q5b22qSGj7@ zeM9>!)iS)ppD}4Hcgh$>JtHfS=%~!-_d(iMEN=r%!W#Thtc;&<3*^Q!M8zfs4ky%G z!`n2wT*1NCU{yW^BP0D55`c@1=Fbbuh2P8Zw<0#hqh*!GQTc6VC-y1v^wcerF0uFH z3=?F}@&cmyF!@WScIZA)@=uO=-4eom-Si4UxA%lCx)~@zAm1aWVhpy}zrZ@gC3=6wvguIjZ+{ z&0I?oDBhtd-m$$^jCYRxVaz^i1$A{*s|u~T`{kW=1)U|YV4b5XwXx!TMT4phLB#RY zw{m;FKNJ;tdTevbO}$B3*fHWjaq!trv9kc1Dst91t8$tQi7@nE(p2c4OKxRhH|-8fjVzxz3k6x_I`(`` z2Dh8^YEb9XuQ!pz63Yu&hRhP`K6Q&H)T7mfDYvtR##lF}!A8fthz$Q~*0EVsQmHUV zQ$uXp1i2Zmn8n{-&NRW45>|>fiV|1M)vQW#jThBs%FSfYOjQ6#+;{U-o+Q%xPtIqX zsXvr%Ha|Njd$`&e)U_Rir#KIYMf)Gzq%{?JA=4^(6+GhFSMaW8Xn7EP>Ks-Q_WLrd zl#!yA=_>FlLq}`MWoUK-HOoOr&|Hm{uuzy_Pifg#5b1eN4zPl>X=fo zxOycGv%YW)v%G=bz$mTdPfD&Y4RnR{k!r?P=1P{MQL5dVi(I|(K^8AvfB#j$qMYGt zq{A@CS(cqR2_qFj&W~+}cuJ)lgPQbB)}UYXK?z*nk2sb*l11N07Y(1FH(@ZNUl2WJ zbcwS8P@V)1fb5~&f@>P7EZ^H9ZK7F`v5v`7e=6! zlPK=S-*c5D4z5$lNNTB8O=?NTL~Siy21$_9E_yR+ao|h4a|cVkR`B50c&|Qc@=s(+ zz~N35LKjB!?Ku-xRt3L90<-5Y~`@P0=bd2&#lS*m(t^l^mY zIirU}`P*m`z3yW$m-X1;QDbRcsqtw1cD;bXitOUHy*^?j7Ry0am(uK53b;2U9EfmO znM{K6bwlFfXss%pjv&n#>Vjx!XyRT9uBT39oo~FKSBD52{Nd7p-<*TYL)Vd&(m*~J zvfCCnN|WGk^pPI(EvVa9@0RpIBtI&6%A<+Cia(B}l9qqy$t zljGB={2H{&+23V}e~7U$P;NFO^8mOW{)}|PL9w>i-)Cnz+|qSC(y-%|&+D_frL`1S zu<)NCrxNh%b2$tk+zqQ}Vkw4;@TqBeQm`!Cp+nf_nFfX=kW^K%`j5#ERO|+hxA)RA zoVOD&sQNw^S!zEt>U2F#_E5G(+13U33)K+|MAxjXdE)y|uE4DPZjX({Z2>f?w3&=+ z^2kH;p+w%NH9Zv)QYxs*0(*tM3O_%#s$K3$eOAbd_+RKaPiw{)!X9q(_Id$tqOFuob6Ox0`f4_H4 zjw;I1OHQnAimIRD@Kh;H&(fk_B*k@sR#0=DXtk05er5!}*^=+G`&xiQ1}-=wFklsL zUBzC|vt2h;j3CK8mqY)Z*KzJe>#+0w&)zq zD~;?7ln`Shz9!NQD1VTWf$X;w!5Qcb{mihvO|;w6)O7tcOQG5E0>Q}byuU2WQK`2* z@lKaHk{7=8j_uc#KTcho0s3f2mNH(%ip{{qrY5Dxhy9Dwg4W!6&e4aZ+a7satZd0g zd!5KPm1o!7@}$eWJ$Ns`4*%o6u4@)1D=%VmXLk`vF89?rdJm%Humu-I$AxbxMG@`t z&1%0ikg4u1x1@-D01b}^n^T|%}M1eJk{bsG`n*h-cFw^yTy22+J^8oD+0aoQAMQ_={;(_bU6!vr?>WRgaG>u;lxV32Pd&$BT@dhPBHTb zC+q)?l=kT_&QF=ddwe-j3D$os;-V7&C1CvjVrE73S5F#&K!2@V|B^)bM_cZdcuzt3 z-vYNRJ^ufTE}{jI1aVIe{I@vrzsLWVuJgYO z1|j~(F_a3Qe}{?d&8hkig> z04^jBk;(+b|0qWMcb{o>xNo`8ok|;fYyUo<$A2N|(`j&ckhK4XOirgM{}1Ae2T1?{ zpO%UT$^5@AP?9qcX~J_5IB9?IApa>OfDV4^?9)sdBN*~;rRubczmVCPv_LQ<_21mT z5Gcf1h%|&b2tw5Vye9wQ4khxo^Q~h-hX368?>Qj)_YIK88{y*|1nEBs|H|OMm%iit l2ch^KY}DKoY|WVnV**{|ELj_n`m) diff --git a/docs/NRPE.pdf b/docs/NRPE.pdf index cdbd4384918c3010937dff223c56b74643d4edb5..7284e7c5bde43c5d75fafab85341c9af1cf5d325 100644 GIT binary patch delta 82416 zcmX{6Q*eh9cm8qPFMDfGuc}cS4{+@d za0xO18HXcwxZc^iyN>>;C~sIys0;~^<~AVEC&i~FcMQsUy2kXMZ{-x;*0H3qbMsYs z60o;}wKP$cBa5V@A@{kjCNF!;AIrU1r|$QMv6EARtUh*yX&2C$ut%OvN5u$f!e$QM zMJb8c`yf~k6TrUz>eq|c$L53kCi$An`{PtP1ghr=6-(d~a2=Rx ziY&XIeQFBaf6{ODHb)U*Ob`Ue`pOF#p>m;U41MnU^?(0x^{!g={$<^|Q#1)AtExm)^IGdoK}jn`a=#m>D72k*F>0;9|f z;RLh9A?TIE`u$yc7#zURY5aL~K_$AgIY)E7<2hrjgD+=V)bhj9I9;P=vmsX?uuEa( z59Gq;yaUi?l#0>ii^=b4J;VToi9{mf(oOADs?}>_Z1w#zoJL2gX7c%9Vw7wXNcAI( zLV*cl_aYGllr0Big4jgmK$~2?46j9uBq&mmp#4Vr={SDxTy>gG{I!9o`q6yiH|?io z;}OD9^E|#8QDUMlzF07dBN?8b|aVQRWzdKcZ zP$?NHCnbs#4CJ~hNtbj%Q~#?GHvNW!#`em!gHe&8j~h|bft;RXm$?TC452(t_?ot`V0Au`?FNr%st7!c7vUkv+sv~ zL0*>WvOdQ!z`b^I7KswA+$q8`z6DtPg6fqc&j$Cufi{%*zTu2USE8@&{V{EE4JtBV zK|Z;-x&|hJXXm0&l{zy^M~9;r?L=vmQ}7%iW+)M#Ffv<)NAdu(65X9r>Rt=o)Xn%W z6NX{chCmw2SGyOF7=%gqhAd2v=vIDQT<%)iq)k{aK3o={#$dw=DTh3@Rktx(5S;LB zw396Nxt>gG2w5~1P8z<=hZAL|oc1t{4_O7oDp;;Vd7l!6k+i46blYwTUqxh0h;Qap zgm9rgtnStCm21G*WC~wd+-IS7cv!jy1yhTY)_gigcGR+2Ut+w)m0xbW3(F4GlERhD zz3-0155}-{6#|h^%#|Hhv=jHb{fbZH zKoEPkZTGcJ3dh)g(Kdkn&4I0e$*Ml%k=uA1I0)t&tVn<;8s6U^U`K22y*!<*;7!B+ zqiCPao4+e@X&a>c{?pn&)e{>z<5At+N~+bI1gAdkGaIK~t;dT-KN_{W&%Ls<;us#Q zzp*q@9dA#n)o6sSORjPgKNav+4+kmC@)pn)j%g@He>;(KRJfoH!O zDD7S~>90ihghIzhTK*8!y^y*h74{YV0;e7oL328E0P7!c*C-3MbYw(eR5%twMnVT; zYZxY07S`lz@KR7oAc^D&KFOvXhz44~w6;$46+4Q5p27ZUzpHAJ+4>x&_ZCZnA1vIJ z$iKxML!vHHhR@d`<#XlER*Mr_Xh>eaE%yrgyvkncmiGRqzA^&}qhC5gil*`NHURJU zbJw}RPi=<(=j!6*XR_+0n1VPx23yas-^UL;`RCWC0H70QZCOpSo092v_EHUS=GPHr z_WSA0O`?gq24t(TeYK>rOdiA~$o{U(D)qwm3#o2-In^&aS$ z|3C_*qVT-&nuP&Eb7UewWm*DQXVR%Emd6N_1wn>d<47ISg1aJ4?7Dy6n|~Yr(z@r6 z`4;$SGek|9YXdgHQyQFfPu?5FJVE?hVFNaf(J3=F29~10WBG$d^x$hBtu=rnrGa8{ z7|a+&nt(ets>Tn-w>2@6?>w9a5a&^{T^FS;Qo*eW6<{WmtzbBna>$*xnEYRqlS+ z4Wy&>wwy|JpY}?O5EKCJ{P7Ldr`lZxx=oJM2LXMpE)xMHRWj)08R9(23Jl*2g7z#u z7;`X4Q@U`6lIj}E#ad6<)uN+WdBNW)`2SA%74g(mQ^K0>9m^LurC`_&a^VbNJ`%Pu z7M)I1S(4esOd2|*io`aK{3d7fHpWZN9Xj8Su>qp`ib=v88;`~Eu=kn z10~`1bngMhdw+X-Vmh}UOo%C&`ve9t>QF_A9CeN7=SBF7Ofxq$^heb*PsJTx3t7@E z{+^hojUCx%UK>EbXMevRJe+nMK)ry1CL}1~jFyy=AQ*0`Ef!0Dy{0fo=0)>v)$Sxt zHivcCV|%<$?P@UA;z_N&7VO0K>CBEjP$8}oL&Mlv&b{TLrT|{py<5J_%dh~f1PY!?&1IO<5DlTZ?3fF3+?tRJ0 z_UEcv3DHlNIVZl;nrb2(XBFo&q;JyE`X|)`sb#prCXUeSf#9X#K>rcPS;+wwT7+Oj zO&2em>NCJE*x4}5Oo%lfncZHA58_bK=;n#Ypo?}8TV-u*+#pm>AVN6^(~;byoo9Gj z@+je$voF31bjGaQAsgJ2XONcXJX2*i83Tg~BW*1FPB1=mh3C|mkdKCKc-3J_Z9^h0Yfzi8_N-QWoAnoebYc`N7 zx7C@3xI~S?JL=|LvT^I7UI@Y_azwg2QeSMit;l*MGU+7{)6B~o;sH71FeFPsNfy)J zn#eLnH;@8C)I_CGh7NGx?{5p8kA(ESIyx*Xir}bROzEsmC31gS`1s!3q41eDZ4zDO zO#yOnXN-2j9ux^C!nj(`&qmSjtYW!*YUypXZJC9Oa6}PZGz#-x{&YA=$g9K98@2)P zv4>#rr%sHhT3+sf2DpbQM#g{6l9%7;j;Lb(7-EYbfPJEr+PNO4iEf48t17mU?Rsyy z7xN%H7Obyr=*)F&m6a?lCr)Dg88O*Chy#SI=9XydK9R1{X>uo*XwL5ZZu<`C!T|~{ zvu1+KCoz^Pn(mr>vHhdhr!6AEYyA0Zy_E-I+jOj3EDI_%iI|i6ZM7!i?S41%pNuGB zj`LZ`iXaZB1{VKP_;qM!pTmSDFp_5{Wrv7*@4F;O-rA(`<>B>Pm}*(>&4UN@ivY^f zPixHDsO870KasCWsy(qD@8={xWC zX}_?bO@xd@vZ?lMt+q*Mj@N#fLZ=sPueSy)Yjd=l$fY0`@EH@xzDeSqBrO))i>C?D zte=L0uj*Lw#rzGc$}kqx1;RnPS^&nI6FOIja<~gXcjrYXmq8W^iIQ||?{SeALcU`X1cfvDyqX-N$CqD5YoCH`ecN>4U z#bXuZ?KK*r$gB9UbQ-|WQ4{()pfzz8iMN%w&l!b&7|dT_GyyYQlf|UZ1!eTvUp(pq zO}o(SkfP|6!@-LwXB|D@cWc9Uu*nYcz}YPK2%g&E!0( zk6GFz%K&qMjn{v<7a{P}y$pC<>Wy`w4wvJ*S3@q=ar3qugd?JaAyV;kCe^)-5Lc0P zi&k#!R(V_y*Ws!2FDPZiM+(!9pBaKCfT$dO6vEN6znQt`bo<lH$1+p~T+mr5&+k0yc4wbpJPAuOUF zJPEtV+vM7{d;VBDwI-+$qjGY6%b|{hYc6q$sc@<-)6yxLe{GUZ!PXsPnCQh=aCgYI zm8v#2jEYee!4O)o5vb_D1%eR`-%40UG8eKxwOD>+Ww!jZnE?9WxMxi?BSl3^wrT9G zm6{@}_3O$%+zgtVU0PGe?e;z}mwD*=@Nl4zRX+tPqzC1j8^v$C*sCFEdD zW`Ym}V`E|DNUr6>1cSbUzWN_62N(o`g#wZWCI<#a2KpTa!UF;V0RaUD1_t{79uzPn zI0Q5pD9G;y5Y+z;fQ>48;ts#&|AJQ#0s)z<@Z^pF0U@T!nX5pvd!6pS=iQ!5?2to4 zB@B>V+4Tb13fGd`>XVCI|)^wD3Vo8Q^Vs;~9b z>C3GT&7d=*Uf=0HGnAEF($W93yp#~DWCJ-HQiqSNn+@ZN7WwAz9_#DQ-rdcR!^_x! zSING@1E|Z}lq|N9+0c$b)7gFA}|76%w`1MliIrh$S&+! z{*(jcR#7Ic`-~Lga>pfo00d+0XkGoMi}bb|B=Q=j%+U|Xwf|IAWNCWx%54D?aH&;r z%`cr*0y=?De%@HYNkJ4utLCf3d}#iME>y4!&2DpGYsB*jrpX(E?0nKAUq#xr^_P@X zEz(nNH5qo*G{%2bQnrgS>&Wx~Yphxc_3+okF1hgl)}i26jO!aa5o#ZUZ43+Z2@9YQ zu9m5aX)ky8saze~Yjp_=$K+@6P5N|WdylWwOIjH;-P1)3yxg^xzIu56YJIrFK=%ep z`7qk~ay)iPvp;neT+&5C{@PxWU0*mXdP57tRrM)s9%5@xL15z&1(<$-yN!HXad$() zgRs`_)=txrnc5qzNoz!E?Bh=y3>eX<#`jWjGrB9z-iwB5rXS^fqY+1;P25S?=cvgS zt&!#*5=6HW#%uikJr)Ubvw9R@4SV73+F&tX2N|j~5ZF8tlu~P` z$dsySv5R|zK%IxwsN8>mm)KC4_RFr!>IVKT*P^CnCToe;rL=|1&k})>_)DolCY=pQ zJGD5gvAg_M&YdfgfA?J_E4%4V^#{X`vh~@5>U=70R&eWBGmd9zeBbu}MK{>aqcUc+ zsOcC1x5uD;N}Z$4Y>Q5(0zSZ1=l<@qaaI-$=gwsJZm$?e`q}!9)~^`b>P_*o zmoh$rq{-b;p-{uWK*^*KAd!D8>U}|YG(`|VJHnbCCac4EC#T7&vym3wXfFpT%iw&m0vY2I|v3*rT61`G-muEH1a2-WQQ!+Vt%{2+#;iLsS^=kc@}7j=Rq7==`+E!HD?ppqj1T-BIWQciy&FU|qi0m7t*uGiYAkq*4#JqpF}~o+ zuuf2809F41ffEVnKO6ujZgfI&ckz>rapP>Gm?l+cKoNtBI@oxlkhSy+Xg zNfQM{6jfXT3;rJ(AOt`-I4Gd?2g%(_0f9x^vRv?)6@=T(SqRYR9SUX)g1fP#58jIA z84}hop#6(dMedhV{v?t|#FR@@-Y~G}&78KDQ8op*51^CKaXrAqMI8ajIIox_?E=^a z$BjJYelq$;m($kfSEaQ$U0Ka;oZKTsHv)frY!5x#OQA8{W0OYFn?+PUw@mIvt-BGUwUEQVo(#3Z;fpdu9UZ z`C+T5CD+tz5r8f0^N54pZoJyHR#{8KOELm@ml8j1-9n${Q{mC=!KKo+$hlpk{iwbG z8#h=mf8hU6(?z=bD1q9jkDwD^kkgvjSv+`Xk{M@C6zv{ZV0Q1y3gcto5 zf)G`y$8k&MJK`GB934{NYt7`5vbfV?zDNbf8~)^OW{y2Mq=$zb`5j#igcyVj~5A*Hwp8fU-i zowL&IjYI}%hVE3=2Phg2pQ*2>j^nJRZEsh#f&z7KzKw)7Mo-%`{>o(!0$0|{wdIY& z4ORNyPipvJ)fAT$_TA&bs27@PN{H%2^Q;o`$QWEwM<`Adz?8pQB5(J zZ!Xh>d`(nfc3INRR?-0Pq~s0%y_rLt+uaZ9c$}#?(;WR0N1O#RT>lV3vtUE>+C`U zE>xe8CLyvxTHmHAvNrp*&R_NDwb#QQACdjMlR8lI>X+uY|cR7@Nex=yaQs6`Yo z{UHZT#b2Oh2VPe1&%+y|6vnre4muLLr+noFMv1|80G!`&+UhJ6e)ftlpMUD*(~+Oe z!_w;c_y>02wl1Jr3&+z$F+ z`7e;r0gEn#z~Jxy$XIeD;Qw^&e~JnG|F2|$fsp@0Ba)I4qf-H4U}D3a;QjyL5b)m| zSb(T-Ac`wy2cJ1g`D#~4Er1?Jr(Xl4vG;Oi&}FOc19^*Vd$r)ZH}u8T5@b1TX<1*a z2ZlJaNl_k0D`1WjDsn5W=CWjbw)S3Zl_zL4^`6qsf6237^EGm9b-t-@E_@>}D~fnR z@1F#IY|b&y6IZo)63AN`XMyoJpl0D*D1=}_`(DR6NM~n%tm`607-1iVL`Ij57xj}2 z^{t%}fX>)XEOo#`rgBfDZ2(0Ka+Ep*W5Vj27oCj7ov?fN!(4gtyfv=o@ zhHnQmh$V9J{;+nMlhDmCdqoFb(BWOr|nm7dFAx*gIK;oqU)ZRZ@;}O2Q^{$)_tWzP~6`t?YlNnd|$S-R=cstC1A+pe3rxPF{ zMMc3A5u3kyqV%`+*2+(&-dIEE=!9diT2SYB%bbnHjS<84!!u+GKrdy_I!0QNE1zcZ zjgocLhn#~HGnNm!5j@X6z(mIEYHipdU0z2DYZVchC%FD6i($4bBCNz%TjCa3uUR+S zDzpZK84>lQ_q-*3tJ)o=9l5xv^BQOvy-Nw`72OND8by`pq_Lia%9<-}-oTQJ6L9b|Hw9*_Qi6?;vZ$W1gKH+ySJY);*onI9gv%(b*`N76+8dD@0g&o{xfN7;! z??gN!eRuBdz=XwcMHUHU6X=!G(pnA=-!Y~!*-bZQ$0N!MFq=RbK8^Uw1a?TwJ;QNI%OA+z@&4g;Z?;%^Mv4f1VQwyugVs1!dR~ z+ZdWCIuGSWu>7(-njuzYwH_#OU7&o4^&!{U`tI9z=Lq9xnBsqI6Y2j#;D7Bb5a|D@ zr2mD0l95wjVgXXa{Qli9;Qu@=umF;xUFpa?KI&qj={qXu0nXC+Cq;gY_Lfvf18L>k z5ZUqpMWpuF6(UNv=shZSWViH8p@ni&-MY?j9dhey2)wwrYy`r|!kE)Njb`eBM*O-y zp@~5QQ+X~K;E-k*5v3*4;a+e-J^fE@m zv-iLphmSLxq)nIjE^JvIeU1D9t`fXU>KeW zrJbEsYDlecjj4jxD5T2b5TUfCH0p%oMh7Kk1a6Nkiy&emw{NE%M@4S|-gb#*Y-n3K z2fsk-#uM2RORYPNv3%|pi6HYDO}zl3S3F(D7mrnu0w~@ZpoNU)SwVU;y`gjfca_%?8oJU=gg?E(P9MCuRNNA+1eQ#CGC@5tW+b%2Y|i;} z%bAJv++<8NvRfC@-{Nu)UmtXK79zA(ExYL4^okWWZFs z5c$FMPi;w8+RV)S!hb%gDcq3yf)>!4rI2)tG=o5zX)3;vQ7aG+!UaT0^a7y?ThSI6 z46R~>8_*>TrXo`$QCx86PfW~BXV9(+lnvRQ4EPrTDWuXq7`;5IqtV|zNQ!tcCGLks zyu< zUu&EjvDhiA0QIhnQyT7)lczxvl}6cwl<)D?SkUZ6l)WsRZl^0y%BY7iH; zd_RL8xuPQl7f<#Qj?3Qy4x|l+TjI%WgkB?r%->G%`&@R3oT+;umHb1(atn% zZa`(;C%-*@?~Xo52eK(Tz%rXeNSl2rz*l#zojVCUQ zVe?Ni0bfx5h{9}ch%|@`SG@2YOUqi*Zx~-D_H%->4K)k`%WZFxAJZL90u|-V3a}pO z=@lb@fh{ap&jd`IJw6E!PiYy_q%krP&qO!wldY-QCy@~i?-5PSqFk-IV_4-4GWVj0 z{2?=M)J=8DNbwd8S!i5PZd+MlbiQRQ)l6d^AxQGT0=JjOTE4B8!Wr!K$861b1`y{FqR*N&k5*M|)=xM}LkT#B2aKfG_zeVO zEa^%on)eN04njx`!IieyCajQI7lNae&&Ndw@kOQTm>n=w`1c-PDu2s7ztSUcen!U; zPd>jwz!@mt4|hAg(z`&*$5)i&9 ziSPXUI6Ys@>zuVxbu;+o-^Qn~8ys=df5lkj`#Ia;6A8a00DQAkVov9?`eB-lxnQQ? zd~4Q{E|Ae+y02ilDA ztYNYOIN&MEdT-7{d0wwtTOKuGZ5(e~2l^TL?rap0s~DWdgcsY-KInX& zfrPas%&(c?_N6U?a|Hq+axH-=b%kL;uf6oAti|vb#?Y3yFY9;|s{jz%FRXVM4_BZnpJef zI|V2SVwi@Fj=Y!G!#>I)XoYi$Hut|gnV+(dd!qRwNtw4@X zDy#=j`a!ycCn(5jDyO~^(1AMe4G5L&D^sd)E!Qjn zxs^MXHucLlXl!JH_09vt_?V*2D8#0eA#rwsSYg^%%YSvwT@J)h!dR4_Q3g@&{E^df zpBuoF`laRPUNJZi3#ZY$9m%CIXPr2gI7cGGP>jd(sQg`WwZr6#>Shs4cNM$^RFqp= zGYYP`btD=C(GQVVa_V!Fx4Fum*&G%D7IIrBJP)nVOc*s;ZSw@;@OIdS*7A`)(ft_C zrOgd_?yFWStF+OilU9Gs*EF&wto}H2vPGy_;;g3f)4?(U4;R)~V)2oMbxZELe3-dM zKsS^8uohI6X7i1ESX;KojQ^Ra^zu(oA;Xig^pp9qlUWmA2o;+#<4fnBIbcW!&_pS* zOBjC<`B~4Zkld=r3RLZKy@d+4(38%zqvYd=TRpVZ*WXKslplC06BU zIj1o$hqOs0ja)rfsq=0gBhpQmOG0?RTF*ZVYUAwscJ@4*9$B1-vHv~@ntK8XI3I9A zZ-jf7k!`3hoo{L17m|;U0R=(FR++-cBP?J5*LHeIrZO{X1Dz$v+!NsAw5c$7jEw zgnL1P5kTJ~Ete?Z%2r1$^tH25~afUvSOMKpLT0>O%jz`2R znsWVp-kB@j9Olg*24oEYUhkKPivay4FLiEOmCwgZ0R!`%?4jZz@7yvj`G(P713;$# z_r6)~Aze>pQ_fc7or%9FAb92d>aMocLM3*Ae`g!ZOx73cChT!gA;KE`X^X!H6L#3M zX*gBj+vMY(kKV9Uq3_36$-4=|Y|l7#Q~pwHded2H@}*4y;O+JK^nfbs#=bLs9}ZL1 z=&YXY^4)ima#VAfS?X*>y#_sV+@_LkvArb*?zVjbJ9TClo7`6p*lZnLzx|uH|LWvqH-#*LeNBX}i7|*?0KJ$c*-NSu3^0UN~tc=Jzxv#DDng@Yv zgC4rEnCuKzY%Erx0GrJADc^b6DQ~g3Ot~RZaf2tei$H%d@Qi)>9wc^OSl2IXXtw+h z?mM4@RP>wZt{0e;EXmIiPR|q1xHs7`aIYR3l;VS~zzCs(D;#-WvjS^xv{imOj54FG zsK@HBtTLl!egmTqZ$vMJ)}4wThfq}RT9-)?xBOHGGttZ>Kr8Z86~ZPJ5}p-eqN4ZW z6eE`WjPFGJXiU*E3r*qHC0)Mlft=kNI3jKFh{j+EXA0$@QqZxa##m-lkVvXCd4Z&Q zg=G9Pr!J2W50j*=%x-|-7F=RrmT7JOFHU(=@2bwIgzU*r?=XU4_`O0vZTz{Jb{MPk zOvuig=MY1UG9-lcK6c)OR9L-)2g?6TAcwTAU7r8&P^ z^n%YclF>BJjayzwI!D%Uk-A3uEifAb1ZDP-eATp}DQp^#I(a^ad7ZODZDB*eb_-?n zhBn8>rpJ@#e#9ao5-3!A+!tQV#HO7~Dm7X7z1EupU{Q)B5LLmr^9G`$MZfUzDYu6s zBc4-?MtBDk1bYYfmhKP%{_1raniJ4CgN0RRwqVXz3d`Z9aN$?3Gci`*09{ziwnvkf+{B#paJDm?y=L#be@GbuA9<%)1NI5d5neKlIKeiVVRU*AyKB6UMqpE^Kp*p5g$JRLdPg)> z#dDLsVp}z0jwnRJBtbsHbJF`5aDQCsiV(>=o0fCL{b-IjDzX~>1fsoC5pgGO0)qV? z&PlcQ2?@-|$P}a#6|coKy@lnIE?1E!R6a6M0ByY=%RyBW}7)hAML;V?0vwiOCFyc@wwGpcc|3E3+;X*P9i@{uSDOMt(4&&?0Dy zSs*R8fg0j7QmQrf)|%M-D|fJ$8jB*f3(ybEAVGqZWs` z^~H}m+571~TVOPgqB&Xue^9QTVpUL$((wCrBkMvVR%1}m4wAUZhWVBV&3xdk-&`LQ zm@28cA~-{uqj)!K5H5$0Bs!dMgz!?OESU`gLJyU(BaGB4CZnE8t1@8P0P!<1Bz~+0 zk(_><)4fGzKIcJ1kJI?Ct5*QYw-lI54p{?-%|Y|U@TS5+6^9TRYp#=>ePolO{aQ3n z98U^*iq=9W7VjjSx6e}yH~rGxO240XLK z0Q~dHSWC7>2~n7ep~6@YKv4IAzn^CT7Zg0Q)48Edq>L$S5;WW>JT{|SSf@HRtB)jv>tf?5Mj=OM ztP*wFx0<_2z=tbe^4iY@x(@6{T}YrkWokdTbs96r6!SjT2TyGtKy60mbRtq~l`egz z;9LXuPuFFBtG?EY;J!rd(rLIi#j^&qm{(()8*O=;6dO4jYU}~|-FI_mo#--EYVMiz zax%bS;)C$>4_euSt(-ES#?@JHq6!{#G9R*)mcZB#OOZP~<3tJmio99GbIJKE-)6$)IKeK-Ce|3yXnyu6a64Rfu~I zMmXR^9`lc_tbeqUBPN6^VnFgAr~Mr58dP8z>sN{jxqajV@q84XMD{f<%sr@lLN;$?v! zjmze?EL3Ad%EgbWQ4+8O-NYC9*wC1*Wmm??M;JvMyap;(wO?R^4Nlrxo5p=x0=nY{1AB60o?;5?L`O8nc?6wV)m^-5idp(oL2 z?WMuwvY;6uBdx9t3Hy26o*kWB^QL6vrJH$lXl&0BVB;FeW^5~bMohedB^D8^$c#W4 zCee@3;tHMPF|_W^QPn%;!TGd+JCvBVlZ$jNGtl`& zrLi&!SmxyxGtI{SXc$fI88p7V;=uc)jLsd#QDB&#_MoTFkDILs53dui34F@?$~OW& z*k8mn4m)~$D|w}mMjTzEk37Ce3pqK#4Fap+=3ZedEvxRObiGei^U_D#&znp|_+Y1; zC!A0Pw+_Wy#T&fgR5Hk{RgF@`L-zCiS7EdZphAAtEh}Cs9(T4T%7y<`pop|!!AfnJ zYa^6j?h849+k@_eXJO8SfJN_y{UB`ben8+8H9XIG4QD;i$j|W0Qoc*Woz8&JR7Ej* zv9e6nVelKYNvkFhdHxr~4P}LbpKPv*<&aAJT=rAxDT5z>7Ff$?`Eal8w)loxknhli!p}-ky^lg~Ig1 zMD|9h^I^;149{z62Def4%w$!?$8qTm0G*7LDRWbRa79+(!9Cz^wwjZ~^Stu=fy6fL z9B>FUk#d9$LwGlC6i>-Hw`8w=y#VGaWtEy3=7);mdDW!gDHD>wKy-U2ubBq+8>L%- zp^&@Vjp~S#dnFwdF#g<&8Z=J=i8OH-N0@v*J}o4bF#fcZVt{J(A>KD|rqgQ$U;*ys z6%X8!_^z4yf}Ezq**k2?IZ4wiaxfSUJV+(=9BRjFMpiO3XA&JZMvm+~WqP9A2sr*5 zu=H^T#^O)It{G3PRQ;)F_peqJ^guHC=IkSG-TWk0LBzZr5gp$9w`fE^XAW$ZB)+JGs;kqOiM2ZSx^$}Mi`jHM%4(C3RB z0mq^aE-+Ur;Gco66h4nAS6_@8?pBnJV7V%3I9#F5q9w`OcA{b|JW?VQ97$-y>TE4eT1 z=ITs>CU!8@Ig2@)0q%~MF3LqCLQp-t95r?Kt80_kTH;+6);IU6yQfl zN31ddggN=2Nqq!~OTs3u(r zZ?DnZTqVf@Q@{SdW6_I0DF{2^U#?oBQ@?$`&Tr4*7^m_#dv@HR!O#2v_nt^dE`U$e zlltFv$`W~Zn-u3`JMQ;_k&cAjshGV#leaB1qfmSZ!mWmS@hpm^q%}q4IIjLp%sQ8j zQ=Pn*E2q}o+u2q3RwlJb1LiA?AU(P~No7-|UirpeU7Ez#%bmP- zMk=|j1(Tp$)CFJ9LR2TUhbT-D=zzh;j~@_-8o0g3&hB5|w|lzi@S)E-01pjcW)p}n zrdgQ@FAc|g)5GHK?(fsX$Ik<}SPr3P`foW}YNE1~`B#dpm3|DxAG0dTZ0K>AMW)Hf zWWK6m`edFW(P-|t{pwnksRaiW$2Ts4n?>Xc!tW{EMr)p#gEkGiQfuEGazGv-4^c&M zuzIoFrc~a35&^Yb08QGe9M6~MAqPg10)dIXjvs}|Sqcjz@r5>(*w+p#^4F+n#BaGG?u#+Ad+a+4vH+8@Q z)*ReE&pSHo8aWzxy=xg+>tmfG?orrGzevW^%Ru!oOnL>vZ-ffO?WT0gIhdN(IALq| z%-pddMrx19nC`d2`+(_F$Xn}|9yaz2uA=;i)fEfW%n&Dx0&&s=%+>B&EMtkW>Ww>8 zh#1CuWZVeK$u#NF>yVD1UbRLCR(=bo?GXNfx|u3GQlzrd*5&lD$ki}tV^nciyJ1vn zyRG273mo%2vXn7F2C=$sLw35VDY z(<#h2Pn^_DUEJvHiTam=%tl0xc{~^?^9c)3HF=UssYysSC~+$g;(w1ej_aPUtNSymP)F}ez2_kJ=3+J z=2?~Ie}TgnwE%O%JdohDEcnD?3m;kIW>e!FC&AJr2uMar&y$rP6)6-AkiDNjO;EzY zq9s1qnDOEqGZ%f-o3 zlr5H@>QX5hmpeg}O%4>LPm*s#6+U_$m#8XbjtD#h0Kk;c&>@&n2g(|4I>=~hzj+5* z*I*YED?F$1Gb@nhO|6bFl7x9G;=HSR*PgN+`0*XRV7;%~^I((D1>#2j%_6>x|UOy8vZ5QFbTOl0IBGDw=x3L36 zmfXX%$MlBESUKYaU)hC{a7I}L}})QQQ28%F6i-BVngIzu$;! zZc_m_M(*ax(3i3eZv&o=)1VPijVBTYVxWO}#u;%y1}fIvA?`Ep6`d@k-l|IRCGo1E zB;XnEMD@nVe+|~u5~`!KJi(1M2ECEGHtpY&c&IGtl!lOa3lBpx! zVV8z5m55CG8tZZ8g@@of2USf&3F_Pi4*;8~JTY!6eJnM2>VV!K%kU5Yj+avDYo~g* zHk|Ltnk1=r`gqSYE8}Qxtcy~7>0j899>uuS<5hP9ao`Gl5kNJ2 z8qy32RxSbjF~KC(^~c1w$wgh~EGy++}S92EOcho;-w zJ!C0c0I$UvKDDdsuL1B!@ETOt{Pq2)b>Hjb;H|Rif5~}uxo+gkx^o>w^!W|N%#Un7a$y3dSgrBUts;*i67}cLx2p}f$OQq z$rP$>PRMvu8a$R>rtKoSUYJL#Le+?u^NN&e+u=D{WQ#)g`=X&ma>$3P7QyXc20ixk zFB;>xaFc--?fz_9O70jo0)WhT5F(*j)e#p=36HLaoPXzC_8eBuC_5Z+p#ip(p{(6_ zCXzCyovi$Dc#v&E2yU{>0K6BCfzJ@*N~9~UdLh(uuLq|8l^B4~6?Wp`i)`;M*R-!% zcCs_%JUg}YR3w-NFkDB4WxxJ^M7?uxCt9owAPwmH$nb~3ST`xo1`ZQHhO+jic0 z&U4Q9{kyxWyQ-_JYv0$}Yi&@&JOa{3xc$*;#kkC!PF`wDr(WylC-oq&SnZaYLnDvaZ0Sorpxc$I?_QfOK54>^`yOd znbKyNPAt5-EAHJUvhmF+uR^v{cZIFF*yY8BOVa5wioQCAc}`Wvi>Bs+T4sNE+e`Uk z8K-n-m{R=uu!6lC(74jnBx+w|%k{s{E36Zu(7r_Fwk&9UZo#E$e-=IOU{X9u_&Wfn z`+dQ!S&pxn^dn)}RdMa~!`@t86FiMWfs`Uin-|Q4xuGSH-_(q3|oYK}0cA zxdTe9QAxi7!V$ZUIFAAZekt~E|HWOb#=*B2)a`-;G-u@9!n`moCykvr7M6modPO1v z!|-k5y&ooWc4hFO1@T{aUSuOPirc^hzf=hR`6Teh-TP5X%_ol&QMLnzC7~rJ5efbm-BCA z$}9mtYC_r;JkU(%g_9wMnG7yaVR%p6E%!DnOJAR@OuwFigJwKq4O09(BC9G(>h7=Q zNM+-I&`QX#J(qhzj7^#HE3;`pKSVWj&#O#!klzT5{27*=FGVDHWq&75et@ltTX=&P z{HP?n;h?KVUcV*?kpe4%cs&#+uXVbMf*KGV2QUb#7ymjnadHZ|JjavbE$U2d##qE5 zc(J$uWQww*J@))3+~G(I{?0K7^Mm)tMj0kHzauQA)_;wL!Pf>wbwIru`EaqcZ>(gvZ#Ij(&jy`}ujm}K~;uAq`< z=f1N>qn~UfON9o85ebmOwQ2VE8UvT%H?sqlNqy6i8h_u;?C^am=E@dAc-3J`9RUzCtEy^CY0e=GFI@pt~OCCQQ?_0y&a0=}as7vqB0Y)voY<`VUld z1Q0c=-lPM_eUqLbh{Z&N{w9^~>^em#y3Cn57R%2;1W$!ccw+L;{_Z}gr5xxO3q#I=DRw9sGXfR3Pw}=%ycL$cwe_*VqQ>BQ1y>aj z-;nQHo~k|~la`itcZjw`!mq`)Q_@B{2#K5g*Z~g+r*FjA5_W;lRABw=eq zMgIvnd6BTE4+<-0%pDwj(BqTs-sq&PRi&ls*?Y(x#36?QQoq$A^Ywj(J03$ryQpVh zAtR%KLa)m)K@>*n&%G?Ofr1_vC1gV^%SATLjwvbEY!=}ld#S^ZS`AaI1X`B476nVk z@Y`ZH-SR4*I4s6tnSLg)LmM~p#^(+vmnj3li!!!!EJH+B3|TVsgTz@{E39KpWZ6`x zJHK{_p*HSb>GE9EPBD?zJbcG9Chf)$N)4g_|7?oLSipw}+=#-jR&O+;KJ>ZnA6j%A z^=-bS5rH!nY$zuWhX_lgwD!I=Fc2b^7=o^1>AhO!#GtHufVQOQ@`j3~_8F;DLH!VgP*OHyoPp+miMIDjNw?YD5dkzw(<;^c_+FYX>Jr9?hBM z3LJWN{BD~m;Fi_9*T>56Q4TxAli!Ca;GV(r_;9t$y6;(Bs?i;7QWly4ju)x!7@j*I z<@jVVqT(@m_cSz2c*eEamgWG@m8#e0(i(;55z+#gcK7>Sqj8Wi2gB0&RHy3u<`eni z5pWe|KLc77DQ5zrvzJ-_Hqb$6D%=Mzzf|?MFSlefMM;6YAm`j0u1@;^&-16v!NtU) zD2<$D9V`8FogBc?0;aAMaPyeEBE-&0LbZgU^1k@_*v<;QG-+*7wu#Vn?}Wk?5wDFt*jn-9sZ(+2yJUcAwpdl^O1p0V& zsey?!+CF^b*z{5xt7RXb>MVuw>7}^Z_6|jbb;aC!z9`P)aAc~^`y6(ApmaM=iVu)f z-H;0@PiLrOy)|ImN|t!0Z4i!Frsvu+gLx}ST-7#%8+}(O1La&8{soy^h5b)T2wu57 zS1COr9!b){g$bn?7lBmrDMiCXn(h=cIi+w6g%QfZpl;Re zU$BZ%RiRUVELwF4@;>rxKSrmG> z2*OaZ2liTm2&Sw$-~$XRS1_JDnoeREMsEZG2lAc}*B_>qE)mRgVi-H9k!;c!XvOul zIveNu>>Plg#f@wioDUHx`0+zwmZcS%(mWo?pIJ4`M7Jmvx5dNTU}#^Lj|YNMlV%#I zUB^#9UD&UW+my#Ad2FK{ls&Vicp16?PS<9KI&-o2`OquzKbJIxE-Kl{kY?LPNeaP8 zeFU#zifeR;^@yqONmdqEgKY^(9!-Hr-@P-@`id{n`4rDEB%`9UjI`ak@?@M&r!)hitl!xgg7OhSA=iN@B^fiL`_d` z?uc$bk%ax!4nP0b=g7>(-t*2t3DDIKN#05O{~Q8RvdDm8L0Fhl%E^FL0lKl9-0r=& z{+aPX0VD{?=g<4aT}uwacFvvx?)1SN{6JdB0+O5pcJ-_B zhD)-elXlioCpY3FYrifRz@SU!ao8r>`Pj;x%p2hvtTEJMX&v9#)2k#wbE z(0F?nK_s5O0V8Pb<9E!#jO}eTSNG5JO2m9Z7i9ou#ikQB!?@gl2>im%_K%ZWCjlQ( zSp)R+00Fv~F_}s}mk+AU*fwW&TH-{Z{G2e2G(|3p>~(&AyX?0=01dC&9tP7nLo}C9 zuJ7Qt*7d^Jp~O2nmY(^F$D1paAwz(FB;!$mIh%Zg2D}b1$a7v2SV5DppEQ zd?2!|*x{4xd2R_eK(^P(W8Y7og?Q!3HC_7QQy5hiIS0ak>9&flUo#!vL6lfdNwmGl zl30v}Xj6U_xCX;MxMt28=wJ=f68KamS;}4}j?fW>nS^st zIvjJc@>rPWyj9j*J1+UsV%yjLz%G&liAk!7#2P><@(d z*JmDqCwYn`G$qVbQ8yU&m37B4Q_n-m)KWab+DVx)fpo($gTDbMuus%G%N#4y z_$+r8Sm{@}Q^_nm zF1y76@O8UXvc(>Hb`-E|RYU4$#-1}2#0*SAmJ_pMEtQ(N(Uz*R^YLWN$a1wJ8qcnQ zC9WOv&!k{(HO&ph^tRYsSAv{8qU?G~1q8Wh7sFWSA;LMiKcXy7C@Jx+s2;X@&V`E% zh^HaBAtof{iC$$bhdoSK9>mdX5x>k2Bn^fD#fNS(*e16}u0koyxv;M2aF^#}_(13K zEkJISs|yxWOM{(CvY>;-o#RM`ShOXx)`_zeDuRqb0+oa*g%&QU`+7O@;VRS$aE&dI z$AQ--Hx!L5csx+0HMVu^?ot+lYa-W4{=6cNNTX*Kh2uKyWbem(YpE#HOmU-{<}A+u ze!&F%l(LVgE0xV5!m=iu*3gs}@2A|qDMMWnJay*M&VDpV*Yi<3D~w~f{hAC*ttm4V z8PS;;aRkII!mbjCVaM99m%$^5Q0oxIT~W^##sWf@{X%Ubna0+)&t*(X*W!wLXjs*h zuBsQ+&P(i0L2O(DW(LXPT6uOBF6;~dwMtl*8cjNM)}qCA*tZLG3xjfbN_m8x(?}YK z-K2JBjH6*ovl((K8?&<4Uh1)IxqANxrK1#f_Y}#ifDw@xD$V;>WfX;=)G9`YOF*`UrJDF!&;eg9d>LSvuGzIFY>b&T7larj%0vZ&edt zB;;cFpw|!TaHQ!pOln(=p+L|u%nK&e(x;y1vd2SpEoT~aO z$g-$|a7ucc)=j1js5XVhE^h!u9#iIyKBK>OO*tzkm{)`-lCkSC#taNn9eRuJ6+#qU zQ4&71l}tfgOf~}7#GkA?;?^nk=_0aPukA$4$t=^j{uHIlpvf*v=&t6S25b{S*6hEX za1*=idT@klJLc%o4Kahc``jLOPBNq19N1)z{&uQ-CM{p4DB@# zu{+ckT*8`o)B@2#xZ>QAL4KK3YB-YRp=DV5R1}xgKc5Quckxr@SZgh3OiM2_#Mi-> zE~{(^7X<7}zH|-3!SuKBStyM^D)=ryUKc-CI7RF*T7g(#WlKdS1GBkWfJ5UlwL`4V zi_|D28Jo~|1ED@X=gis4XNrc^qrJ_G|C05gQF8@g+wp^3d zdE{5$DfVf!Zns-e1Yv`xQ5X_Y;a9CxBd*W6pFb(vyrK(|}Z`Jz7a{VK=`mXBg{*tru;9wtu6^qZ-o=ZK?{Wq02hHSM$VD6J#0aGe!|{H3;B zP>!F~RE!^1tn@d1GgV@SZh|tqbmUo3LT2Rg-C1wN!>az_?9ZawWfT|Cq zb2S6tbmOIDO1*pK+M0(x1rYqi%LzZka^lGt8mOANS0T)L;xugfip4EhcsaCJt3nL5 zogYcxS>P4Aa+s_W9iqRnI%zY(hb7E^Ro-jh<-R00@Zt6JMvUk&62Q3$YeKHR9QArE zzhUA=K1x9nXCHrlJ?x$E`{2jC{NVEgH~oNOj9~sB|K-N4IOc>f4)99^c(LILt=-OutkxW`gUe|;Cg%< ze~m0~1~Tojh`L2rMNo(UT*DVFzPwZ5FYdjfH|`^?@3mHr!~p54M{mf-l@kwrp(q;s znMcKL_c#q&%_Ra=Sfq}KnoGG|I@^fTa*PaIiFe-*w^ul{yTLEI0A3uPj|ThKTk^?~ zGpk{)Y?;iTukWwDr>|RJkt{73l25~Xqt0YW=8~HDvZah-)Cd@W2-Yd(T zvEl|3qB~I)ZjN=&l8V4K6KV4OgZ5mAwTsy$&&XybHY>yd5bdE65m@FmeuuUBQ|z2} zm7aGiYuw0J_4Cy>0DadC-~b%)Uw(ceP`5IXfxY4ar9D60+`u8_(D2;Zxabl0`A_pg z7qKWOk_$^)pE!Raat}{tW1g2@^{QcN>mRnJ+L1ZGq}Vse7pI8-+6k}kn>Zj_Yo3+i zwS+W6h}VJw1mQ>`@gq%|FTiD_<%v#jCHd$LYD25<{^l+Worn}zlc@j9bk|oio+or$ zpmwjS&2X2VFqHhBdR9V4%p0LW0+mTZC+a)Ir<8kJs76{XR|?9x0`+JPx=;dN=7#0C zSj#PBuyQla?0RGo3hzEa%311Pa-scO*S*?R&%J98K!0Yp+%d|)0^q7@mJMV%tD;Op zhIJ}#kinCs(1Yl#R*P*a_$Q0lT$&4}Md1FkH7Py)7Txgh7=@vV*A}ehvMpX!PPkQ3 z#OTyeu#Wky(XFYUpdDCPJIP!Vs{9-z9N%Gnz|^dA?KM1_g!nFQctHk@*i;&>dZJ-+ zu{*&6sG)=LHUcg1R$mqu_pap>Z>W9!mvH1LSSa2kJV8P$^|w%-iUm6oEz=pkv>0hi zS@z-U^n$o_P*nJrff#&8TX0Jk4hV72s7P`HZh88ZO7rwRrbFjYp1pAap+`aGDr?mwx0l!>iUzFf0Q zmp!1VMN@Lq@K=pvzI4ezEe9>T2%`R#-lel*gp>BqFCKbHJU__V4e1dMz94Yku78Fq z$ksy?#C=h|-oHA4!2`V&@tf({Nt&ypD#F=)=;`IQ*2)l24Zevx1jL|ckOS8jgFjq8 z01lL>@%+nS6Vt467YhN#%2$LrX?u6fA0h9QCZml{;FINAcSQkUfBmo_bQw;Pb`H1@ zfz3H)TG--Us*tMeHC<%|)pETkr}5x6ksyW>s@q^doGF^pvZ*Y}q9RhYsb$!_V%%T+ ze#MMt#4e)-=`cEfOv}Fo^DYI}4Ka9s0H-%x%52Zav<@ZA+_nzqps)L3pdPiq68-O^tZIZ2_1RfInObZA7GF{SsLtfYqrm ztog`K*2(>m zn69gl){84;iNd=8P7QYZz!^CRje9)qD41X5l9;ArMlPat1iPj&z|sS zcDf#h&nBt;uGZ@stgkJ)0sy&Mo0hFdAhhFb9sU$E^_AEzluTheE)Iv|6nLIdku~xP4<& zE=$EVQo`$$yZcsDRLAKtZWo3L^?tM}u6nl`zKXjf0ma$=19_7+Kye3cDdDRwPg&d^ zPZL&mV=5{rQ&x)Lb5v4;JBEpyq7Cwh#}wM!NC4<=5Lh7=j&2;dbDjUEF9!@n8wZex z`F{H|a$9r1*X>lE11@jNp#*Q8#p+^NEQN$>Ec0&ftI_c90s^gRd0th*u+8KnQ#0Ee zB$)NodYO+-ZDyHlaI-9S2OH|W7ro{E4B}#Xk@FRTi%c*TcXq^de6DA7WVy z);hDCcg?u{7rE86vnlfR_{q1kgT0L#KG}gQ{sG9?Xa2e%eXjo!COb}G7*HlA))a5f z|0v8F5;dE`NdH+4fMrhJ)k60-*~A^OkM5QfArzHVJk&QH7LcRiLDgYBb9m;L|2p-k zc(J0Q&8AAR_2u}wN%e}^c($+C&Om^`@4fKlEKgDMh}3?x!_Y&}iBJN}-m0|YPB=I4 z!$8m;vxD2o|2B=dhsKQw;!~~EDRHJ$2vD#->BtOcZ0MdaPf&*!_&dG2yW583Z`%3$ z?{Ofl>A&M`+7TLze$?+ac%sU)1 zX=KH67vyY|1GwdUgu@ZsaSuxAl@J$elpbHP@LSHz?#aJG5qj6Bn%q2>g;a2Q#J zjDU3ai)Y@g`kfZdXi4qU8dVCG6P63uN7XCF3jclu66BEo#^%8T<j3B zFB9s<6tlIAArRtWeZWON0aXe}=~+5w2?#=<)rlP)ovI*cPfhV%_}058PWk^atuW6W zi3yVtPJv_www4kW!Go9usRS&W=^|88D)g_MV2n&v1ec#A3YPk>N%}Cfv}pHXkMfGm zUExML(8Yfl7)7)EVoTJaywTs*TTeR$K22|C32yg)b)mKQms-Rnv=1i8)Gip7J4!$I+G zWJ4yF0~`upcTu@ahVnpBi@nPs8^S41WqS8^p%CJxVz;vMW5ZI?(rG+jf_S_ zhb_k@2r6*w%2sceS0Y_R#O;Bb?9+w%(JXDWhXE9b>Zf z@8f~;hZ+zq&Z|)W7g4!INc%|M`P@X65JVzx`(w>@Gy0WI-8ak+| z(|)bwp=QwKsQ}#ELE~-5TrS1=IasI}2G_{ObHTk~h%AtWm>gE&H4-svOl;8;=^sMY z^WdN2N{ujbDBrYb`(olPJrP`9Oyxr<`ZOGn;*7nTOeZXaY4l%bcCfu(+D=j6AT9_^ zd*5rd5gF}BOnxWZg6mO9oAh%B8mr;1hQ<;dTww=MZ-9QiZFrAzTL)v!9UHtj>|mtc`_|#^u+$L_KrgRN%J%;R-I71r8ye^jD|77K7 zuRZjX`)y!yQVxuL3&*{)7Ow_cwZOZhG7X`2RRH~DIqywUzHEqBNCjJ`>>j_v)mT$2 z-Ba8CIp0c&^%y_RN?CAD(x*GO$|onCln)8@xAOi*bNfk9av^1YS)wfpG#;#N7B{RX zRMXciX?7H0!)5Ys4UcJCc*`c!v1-JjIuXd{xFH7MHv#6HR`mS->2PF z0AQT=l$>!|`+2(siVZxk{MM2H-0cKpmkrAaIos3lls(>5eG=(Tw3*+iEdJpIZijj_3n-AW zH_P4eRuYTx5#zJyC?NP^?&+6H7=lCR6%W{lSW*^C7}gh_5nD6~Sb1D+H+vJ0-8~s8?(6iz9n)qF>N4)!>^e%LB`?>a&x^p&`un$j=o^^#LbwOIS zwR#43p85|72qc-Nq1`|>@eIv#OIUKatgAO3u6R?Au#)M3Yg|)LoP$+avbc8L@C{5g zL_jz?3RkhM7j=3hS^r>BK)x4~bX_Grf4-mHUU$fOyMA4l z#kW5#IdVOpv7+RyKv9&=_D`{}4ywVIfjL`52ddxz3r{SyV1XJKWxF|=KLfSov(hyC zk&c%8lV$@+-?3~{zVO>jeT7ugxCJHUTqfe|XRykDG!PZSjCmW=m!&~$4+?i_wGm}J zWE}0RS>+vTJyaYi_vq4D9wES%Eex67JyKDlq0125H6Rvmt=Vpz#3JC$_6H}0*RYM_mh?djeLZZJ?%A{AOx}$hNtL*KYYc1aT>Krj70&N=DOMc+HKWGnhIvo} zkv*Z4I}2sImUMA^Z-^0|MaI)-!l<{0V1>3hczkCO=(~^KrChns8buvfxHktkv;kcQIz65WW)rH)=8;~}HP&I4aRWgWc}26uUbJ67scDxc-JCE^ED%X@Y_W z6>yfGR1CD7*$*k+@UTjHIy%~I@zC{dFMW-CB53v%^+sFdZ#_f1l

LtxvyAXk7=3 zQ{;&vW2?9@GNlY(XIwBIbTQE6dl*uPQoR&2Fx*{-_rE|?m(rBTsiCM~tbxaXx@RcR zYxQnpPD7{FzH7I(dgV*ZrC4B6(uqNx{^t15?oQY8U}Yk5+cI~n1g6JM@uKom8U6de za_mWUg`O(O=({(l|I8Kw^-uxfaV=1!T_b<+vfHK0tEk%sYiT9(z6GcM%!i~rdj^HM z1hO4}-w5$mEj|a1?aI%?O8LT3Z?l?QU3VEbFnOS$`$iu5O@Iaef}o zf_kF3?*6l*Iu7EW;U|AI-yA5gx%VTCuHTX4_gEwqq&>>EcGeAVTmy$h3fYQe+OU$O zN`6#t50}8W%G;)0gXhQsUSkA31_Mp(Y2|MKTg&Pl5EzY}<5UCdy#S#D6ML`bOLHym zr+oWr1T-qqz(*bf!@bw|hjsx9j9{ZT1Vw#e#k>+EKH{3)XW)WKNMO|N`v67@P3e<< zAGj-mzb;j$g>mr*iB5Wm%X4{Q`@d5hvnIBc(0a9O?-^;FOiwZa+L2qP3hU4?8W=yk;4dsDhkGpV|J5_yZO8e7sWKJ@zf!H;2DJ;rNj{t8FM3)Ss8C?GF|w z!tyJrjZH>_0vZ&JN8_k`rg0*FZ*h@N&Ev{vu<(Zb^d2m%PGUTVw~yaTl9y}^BWvTF zg=SWj;~gx_QC|rFW@AbtMJvo}N}CFu@8K6p-Tn3&DyUpBWGWWo{6+4!6qM=uU%5 zT0IM8NByY`rEl3jL~{3dE*fK!eCBhG2y(rAQYSC~rNN&CsO^}ktLv*#VtN}d2Tq|y z>^KU=SIvP2Rr*rhq45s7k}3Xqj94rkuKsYo78V#DLN_tGqz0({Y3VSHJFjhF5ouTg zWC(KHhT}ad69){6=6{^4H}+Y*HECDJkhwGGvR4#88w5hVxQ>lOyCSzSa%n<7@A4bmhA zdM?!cqh=-mfBq1dRFv`-6`1@LApL!(#C{d@l8&;D+YB38wFkqK#2wksMVCc6R(4o} z?m(>s019I8IySax6e8-&{@awS94KcO?r}>OG;7|P))oq8qj>h~XjL=+5zK0%s`*rj z*U&brpXD5!ip7@^s{Z#_$AIO#jTTJsFZwLFk%nA_B$=LRQPxMh@dAB*;jjT;yn03}8@HZm|Y*|orUbH%s~J%^IjoJ?Rb zr!^ihm)DGjcbwDEVCKK6mtYp_0WEAhO~acjaXrd24~H=9MP;nBfX-eoqNvV$k$l6! z+c;k*RZUfeE=q$a@3$n0>VPwFsU(G@mxWAlbg$J960b@*2y3D#jK2)#eGg5|tCt*MTmi2rMNAP$Nf(2%E_Pi|!TH1u~ zHmNyz{=|h0+#TL4D`(lx{vgXiP+@Qq`aof2){$i6a*}qUKP}X~7E|+Xy;hVGK(|xl zPOuP$X78ZC=0|}L%zexKNUXJ!$Dv^bxY4gs2-I(DsR7zL`!_0@4-$ z1oCmh^4fbk&BPv5gfxkZGY~9~T#`2Kmyi|8iH!8L7rG10G5lv_EygXCJS)^c#OK1I zg1}3i^!X$Zxo964Jzr7yO_stYx2a5`Ovuq%P)x>V4dXn1kWU0~@oCJjgZJPG;A*BN z9!)x22+R-lDzjaw@7 zJ1=dF#uU#Jb!O%l9>e~%{29CfAPAw(b-6$?s6$pHE3CiUFUBs1NC#0(*_&*$%|(5C z54yo63rH%$eTHII;x0;y;C9oUCJ=p-bF3=3HtK4!;NZ?m%1fo49Qbi~T%%_C;mhtm z0LV|)8LYtcRr>hvkU+8H=Nlz~<%i_sHWJ)n|BUxo43x|lk0z_G;=wk?UEdSrS5>6J@ z6m%J2VSw!>J5u+D+9|Fc2WbeJgdS1vc2mT2^0EM;h@7=zu9*huzkQ(70fm%d_v2^P zcwoWC5f6uxu>=wdSI#dtQzf!{ay2q11!sIcJ#TL^FE3H+JVk~(Q$If62g7GR1RZ>V z-lw?bP_G|v-YPx$=>}On@it2#4Fr{zjdPyFHZtg7GGVYKyRbeHYj{@8xuGvXhLh1t7vN z&+7Cny5%UKFNIjpS2xexcO8B}I6P`fnWpJx*Gy2Yt1869Z5TgS{8*6~8Ct6NtN+>o z?N#NITL};1=mT=sMzTkne0Y5`dhGQzL)h82-By20Wb#X49KE6nz(W$btoO9!M<<`Vr{%CDN+Dt@dtUN#RR2mi>(=fQY z@+Yi8VH?!K?5)G=zDH7u)JlI!a#+McL<2Bpf-X*XW2b>v9QK{@KAt1I)iT;^ z+B2~3j3~%4hAxmx^RF(rQ-HMS3QN9$mX53KAAFoYIxpTGqo7m+BrcH&O#8sVfi&H5 z86GfN$PwUaoI&U6Glyek+BtMvbIHKY=T?E9bW^98%*;Sx<(@WO_`OIz@EvZe;Y`aZ z#-o;ckylrhZaFc`GI$IjEX!$~Z=D#^jnZ1Urj<(*l5WnK<{s!27=WP)b?&QGT9xYV zi6fY15K?2%dh5Tv#ayn+@p=1AW6=r_St+E(sh=9szjF|I z>J{!c^gd%^|wQ`>RdUz6? zo~OWxfKW7Zx*M|+!rON*-JTH@;b@*(5zDeRVF=_NF%f5Btr3U;ySI8xOjEhWx}4iK zZp|{3`(~8SQD}Q)LvS+WV9F6O4nNr)jO4;ffT%*SY-RO}+5kbFWymebxh9<_LUrf% zC%ftlU{zIe2L%i{dA}wT8U)Tw+{lSq8NZH~o-9C;s*>hpTDY0e9?ty98#KMIlbA-3 z3y7M6*NqM;RP3jr__x5I1K*09Kl2hx%|>55?#V;J2q&2gyuq}3MJi-$KXBZctcFU8 z`w8}X6?~OI~~jN65v@d~#GMT-am}iFJeqqDx^?M4Xv#$y5~| zYiQ=Em9*$I-k4a}*T_5s-mSoV4_Vg5L+_kUe~LZ5%bdC47c=A<8=D}$N+2H9%DZ9i zmT&8IR0`0KQIdqpYfESygx}2P>?dzJHHUSm*0#QPaOb$+WMp!JnyDaqKHSgB!amKFO0zWNVOW* zUYs)_Qsq!diATQ>H`+#*z%eVAU_V1RGpmao|C%pS9^yoaYoG$>+c%(Hi`UF4XcDTt z4wR=Sqgjp{?WBnxUWl4DQnIm%W{0h7pJ_|1REJe?ONqZ}m&1F^;%K}yLgrIvQ0s7v z@+LMoKf>NA z%e-`F>r!pWHSDgFLkNHzK17Ib;fr9_ zj=hPH1-TtKK=vfrFP@RSpO=Z75+r*4&|#fT#(&XHptEoH`me83RI6@j`t&-yQPU}_ zlY#b$Pf9HS3bzosUro>P>r^3PPfDZ0j6NYjdbdF92Mn^s>WTr(yq(#ZIeLZ;qZb#p z109&^7r`qr{JK%vpG%xxZY=aCXBPb^HRSX?ojw2$pMQTDMa-08pr2HC5O%bGQ{!JW z>FHhO?Tlqi2}0H=RgIZ`(~Xg8EDXz9Q`TGqH*whjr`dt{-M|s!@YfIA>SJ@Rj?RT{ z5hPB4mB?Gnw3^Td6h?#+FA$Ptw zU*nZ~~(ou6(Gd;1Nha!VtB^^2C4 zFQD%?8XYrKWACmxHU%7oYe3UC@El^cVG|hZkf((3Jg3_^)|WaF7e;U9@`ucDgrs6Y-u;2!bUrpu^1ma28-$uxa*0Snm7pjNDf%Ux8Ih;~ zVMf=oguat#9|Cro#R{PDXC$$sEe&RCQ+ruklxRl{)PFyg+8Wi6{yA&a2-d_~xt0Dn zp@gw@MIt}^@SvA!)M|+f!i%Lq^BE1j|g&3(NN7 zW2CGJoLzNu#rYUCgE6s~n}TM?BFvm8Gi&R5xpBUD^4iv>F-!)z?=A zFxX%2hg)RAxjg#k@^ItzVew7(sc{2X)a|f5>STe~8jA3X3PEI3c^Dd|l6>X>48xrV z?!6rci&dyA>*rZND6yEx_yKeg+4cZC!8@$dT!a@MAMdx zQ)GB6l!{kNsZyAv4GQLZM5t5SVCq-h&&*3s5*b$BT8)*G`nA+DjRfwPtr} zB5rhi?Wj&y(oLVwkcDPh0vN>5)(Wi?N1Yut8#9(bpzd4w+dg;T6}x+nb$_XGeTgZc z@T0s!7%~~w5tC)Bh+dBD*QIe|wBI{wq>V>nd~7EVA4X{~lBjf*L6g;h_Un(uACLhK zns^fNyP9*6HfkzZP0pB+KCet6`e{kV7Zxyw%ZzaBva&@kk)<=keSdu75)PTsBr{D* z8`;o=Mzy91CE&KIYe&hI0wMT|r8oGmZJnBy#;rcJX3wU|>x=u$9A~^a<4R&ri;ZsY zydA}T!{Qt%Hc<({(#Hj$5z8Tu$XjzI|L9%nNLfc6M|&-9qvcO3S%*K?%a9~+r9e@M zR^=8$6ZLpK5qD~lVy2$9dmZ_al<^PCSE_&5PF4H4MbVIpAL z_0-b+;nlc3n2-KbcCi%BjdQxLV()U2aHxMh#RZ(Anb0JFiOM`q6LFt@w==F^xrHRg{6d0I6V>_bL=OD8Mv z+A~TdW3f{{;7!RUsT4i7bY&Rf9Ysppxrt>YF@-0c(YC$xVu`rXckw$xoNHqC9WEGWAO zvI1gad4;IKU5ss&2;Ua!qZYx$)C?!SdSbC0+7^|MVcPuZ*K_au;^Qel=hB@I_roHJ zpbUVU0R@3d{gRYowCd>=OdQ+_flUUG45TweTCqJNcG(scV@|FNvFyM76K54Is19>$ zdzQkzcD^ps0F;(8tET~-5KHg?A+ix9CG)$+^-O3sPsel1X$rgRPKG0*Q(X8LYHomI z!)xcC6FV2&tX?jyfeguS%IusPY*s*&sgH{e+}k{g4GLN0fdcMp7rSE1B%-QGTRB(mUq0$xBMToY?W^pDG!PWcvOci z|MnBi7R+E0pf~pM7M;Y_t-SczC`6jS{y&q9l{qa+|KBpPY#iA?)Yxln`6JlNMGb8qb)Wky__$pns57*)jJwM? zd3yWNtt9z#esSW}jj1y%SV7$4+H6^iwc9k>g21T!QZ#Vhd3;! z77=@UtADVu&8TLJPRp7>+e5v!mi>!AOp~=gyS2_|bUj;gF?P0R7zF|W($>qTZp_j( zHgEiy#qw|Xatq9Dxnh?n#OK$OQLqhb!*m`ilWDz-KLLrdTIXqo->xXmt5^klqHv9Q zD^YcwozSh{?~}I%J3U>#kSZ3(F$n)DpP#NEoqiT&Z}&7>7MmbfsY5M3epStHyg4Cl z(T|L3yD4+DyFUHYq7mHL{K1ol>>Jruq9RBNm>^Jy-|Q`X9pw zI>YMl&5(`HQg)+_Wee0S^JCafGEc@+r88zqtRhC`D0HoszC`(fvfz(^jhK)(V=*u> ze8FVhi13SokH5OrV>C6g*-NAl5A*J6Izsu$SQM{Go!HXYu!J&sXCN1l-mZaIkQhJk zImC*R;(l;u8+iaA1X0dHEV!|#_bBS}Z^h({L?>DxQ z%ewv`bLSdIV;@a{-dZEm86FXfpzI6n<2O&dBVhDt*6#-lNb`9tv`iKbQ!!IVYOLVc z%b}R7O&H)9iO(k}AUhr=#*g2I2&#D}_n{2@`(UGn3QJZ%&)-$FM#^LEoH8XaUtroq+zCSyBxU+ia zEVPi%x6oW&^a-xx7-`T9jsTrxm4I6~LY8SEh9LnA`bH@k?o9+kD$$|+$|zXjwrzvBRb2PESJFojn}<1sAh|5D{CuHt@`GAL6&O0DbG+Q`>4}eB~3xJWopg(7D@BgvNB#rK3eT&seMuwhEd9b zJFomCgr;eyaP2>8eM;k#chdsoWs2^?WlwX!B7-D2Oz;7J8g-{y8uW=_v?0jn>J*Y(A)n|+TJm)e zaA@n$o(S@QzKHs>n}n=kg=HWDwhBw3lpzKYQ(+?#fYAlG5D9mY1=z*2jE!iIoQ)4e z+Ax9vrYL-vRhKA}A!Co53w1yuo{M6E_7$}{&AT&9NO#hc_&&d$_}g-I-rd5h_%uMv z7V0^wQjxj>*q%c2sp?B+(cMhPsQoA3)4u=G=L&Jo5ay?Ngerl|Tc)wJY(Z-KEH#E1 z0Vlf}e3R+hpMAL8}`u_p$&qG8to{ypF9G4+tfW-isTC z5K*!y?Gu7(sTr_|;c0ki0Yp{Uv&*^Fusdq)G=-2L*%f_vG`TGm z>?=y40V2@2$@=R`*NDntgKog}#7n55ht=V4`_Lg&hcmlaToUj^6qw>ntrQdd%sxLkR^ZeofbUUTg0VaEjx{l!6iKlI*M1|{Ge7dG> zBy!ev&B#mJ&eq9B1J*$4B1uV}gdg zb7!BSqar?{I3`DexpV+fwJkhp;hlZ-As%jc7h}!{l_h`q{tsj8yVN+VDP_&fiC1)?RKnzwC9# zOaa67Z>Uo!Z*46w#+vzLX#Zq;xO*R!gVE!yB%w`7W#%!l$BY6JpemFEK1P5~HZLS* z5g6u|AIc@J`qM1K=w)W$ft1e`TBoY;*FFTyIVG-=oNm z&AtWBSD=pj3xxwZ&F?M~>5Yex!L9`cXVB>%h-;mr6&sxxAV2%MSiZ;C_r4=4-zq{p z#IhK{TWhqxR*njkC_uM9?B`ArL+?1MP5CZLsT6B@?IFsRO-L)&&w|kV(rJ_CExs#71jdaYqJoDsF&@K<_4FckY5kV z{ET27&QLmiQOjbZxqqwsgMa;=>W@k@G`())7orrQ znXWE-TlcTUDDrg7jERh(OFL16+mphfLAT?;CiZwaf#aIwhleAbUbH+1aGfP$53Uvc zg#K>szBB}o)Ui&<*E8nVr+9!uLWsU#m1l51hrC>PK%l*gGU#EIZ205FTaaW(OX}q5 zh67emxE}cp*HJbETgP&Sn!pogetq4aAq@hn#S}(w60u`BpZ2? z3I`#>z=X<26}&k<=a%KX?>Ra&Wa-m zfdR?s%Ca=TndYH**NZv#oa7IN)XyY@X(X$wU#0()a8$+545|GLq6VUbC${yu2jtNg zwx3KayO`IQwfP!PtmP5|aF6e+?BkHTd;4L#}- z!2d_o^0)l2s1;@TPt^KO;+X7?5YF|#naV<%tXnev^&3spty#p5 zR+86bthX4Nq;?D3&s%I2-v5c@4K0o2kf)d@2oK0v8m5u**ZS-C=j*7?5Y=Al%~gu@ z;JbBpFb&B}VmRsqCqOn`zWs>F--32S&OrcUYPcFux;2b2GhhCk>(4agXn?^oWjx`X z#O2z6CSXJ0yisbA)3HV&z>-Va_)pzxifCi8j1w~e;0X#I>IiiCzk8`MXDC~F|AX4P z;HPALmVZ7?ULuv1tuDePbe#Pn_^V7qyQpfGdH-|%YB=hiwAhv;WsX3OPR^njjf$_5 zJrEbL?8bZOFsW$%#0+udm{nM|Yr$1HdR{%L&?bp;8!(4ef9^*&>nQscs->W}9H2e7o+B&IVC+(Sm?k z#Nin+^61Dhl_#F7qJeU|J`gU5j#fr@sOuQ9w<>H;^rl1Z)Wf5*0Ye#ObwyFn#hd|2 znrKv!mQt*Ql`HG<+F2nd(C%w?*ga3&c;?S-)G?e<~mu*x(!A zhFlOB2fsrQDQ0NqN2fz!{LHC1NoOqJ=4K04~k{BnMGI9)LtB zKiK9K&I+ey9V#L0s1#njK!j0(NFzOd=kcK(l9=NTI~k z%34pPxQw9xEk(@cSOyoYD;ZC#f$q~F(ekEDD)q$te6J>Ob>n=gZ#!FXNVg=)L1SZQ z@;oN9bCI7iy~7dN%C;^6w|EI4>a^M+0SOY%oApz0zPicNge*Cgb|z zmd)17XCLHbL8kJfd84UKwpQAKm%m>KG1*KR;Q!s0d1^M_+;r7JeGH{;6IEObF-RZf zwj4)0Ad1m(-Wp?fayRhmw(B?yky9X(SeRWisGc#xc5~le7p9^g7u5q;EKN?)cygd` z$meWwKV7_Tn3)d-<~T83*Dn_rmR4b#hH|zN?1OV;Li)sR{}^Sg<+efbqsJ{V8G&83 z-&UwYQ?p6t;T#O3!N@kFqhFoNwf+~xnG&yg5});L3tG&9&}W)B0zivnS3_O zHwXSLzkyPIQ8_lV(9#F2dRl_!)#7JBXV`!irA}yf*=J5q0onWJ_35jY4Nat?NmV?s zNG;BAV7Et;GNd71zwYfnrbsAmlo~peipUyAQkeNj+n6vMbL!1JG5N&xTgn zro`{5`h7Ef&KqcLcUcZY7;SQhE)}sHUOVvm;gGbEQq3yeFpDP>@prilx$VPXdf(P z&w0}dbN@il@}f`WK7r%xW1iQ@36(wl*GpmZMoo#40KRD4XN$v)|B5113Qg;iL3(BW zdQ7Q#DlG9Rldp1H^|OI28Nr`#L_=^_QH@hMc7uh688wyK4C0PhDvy~6FM2beAHSqL zIea9+ZU%JVdh}KyHpia5;e(dxf#Yy?zw9BQM9zJe*VDbFQCEk`?0QC_A&HLvI7;$R zo2v7cM=q8h$0sx$`hilpc8DiW>Hnhvu>E+sx;T2hm2D6@5r4}N4= z$FF;Bg(JnM+LA#zIPFxx(^Se7*z6cSeawAs?PKh3bXfZAE0YrbQYlqD@zqMUVjfs( zF5K;#`C}Z?cH~)!!kYM05OcGvHT(U!GYgV`IP44%D>~~$Wdh~%=AYu6jF&p> zEXmUpk{QhtVw3dSo<&+!3yDo;-(#XNDbH9NVwI)=ExQ(-?ADKfX?qhoPv?7TU)jzw zYejCM3;A_X6HF6yX0a7>?Fa@=MHo!)dj?yK@v&`hscq3*r%682+bb^~ZJHPy{DH7;Myq)*vL#FeG>g|D+a)jGD(I`{*ud9bGv}<@z?;K>e z&3+mN_e(rAZdfFG)`$FFx@%GgWm}d-J-qIKZD=cWwvy2f9}}IE$C=PhHNGX43IN}-bc>u6kb4; zEZW?ciV8^&T3!5hIn@Q(WQAks{z4Qu>qWf^%ZFms*5U#rOhL<=(e80}M!vmbOC1Rv zuUkm$)eGX`N5f8uGBNBr&OPW$l68K%E5(Ujhd1Lkt*I!c$=6B2&&%{#ARM&Hef-p- zBxrzg7!LuwWm^T7Tgry*w2Jigz{_g3DA(%Ygsswi&AHcCZVyE`Lozw`A941J`zEj~ z9!Gco{&G%G2l>Ph$K2mHN>N{SN=C)zk}XlD$bc0+fPaa$R{p8n!QQ%rD4kNmV3`D4 zdmW$%oo+(4AF1T0YFSJ%n4PZC#hj-|gSRA95bFmRWvXvA?=078#Fn%~kvdj~ZNpmH zl+xn!$1korPG4Ri}V3RGr;)!zsuSZETB$`*p8^_qH=rpeUj;X0s(9PRREH$Y zSO*IRIk>p&c`?~E^G?wDN~O;`MqJa6Zp8vtj-ETrNn|`jUw?0U=YXO&?UB3RziQFn z$CRUsTHG*7-lwvDSC=2KKMDt<&KxF9{~mlB40(mM!E>>+GbA>Z0GghmCj>FTQxIT2$%chc2c!~^nnU~!_`llXC>NJZ*L$F^EL1gzAsbft>8-%>#rx}_DEUgm(}l5 zHhUz7F+I`_LF-9E4tV{qTj6PNzFRK#<;dUI1pOV)IM|C_%2k((F}hVHi!1$g^hk(I z#!o8((Mw62qk_AHMrq=a+emKS6*!*&Ut5@W5CxgyM3!yYaVK~JqdnYRa<_++Wr3VT z9t9seM0?yfBeP(lA5nV1afD15XO2`_;`4dCIPVR=zWc!2r!?QWECP(12h4#WqOC~k zP>AJBDO5+pGMxe+hw9EmLNlfc=B*--lkmoMeXQ1Lom^Fvnk=d z{H-QleH@`Szwhbsg!!Bj$uFG3p)b+l9A?DqD^9VL>-#M8YD zU7Tvds8zbEibvwvZQTm|3$}YevgBc;1z~k=@_+7|DV^L@v#)6IzZ-d-XhT+6oIX!j zU+|B)cxZ?)r+cC*dZp%irS@OUdv`Zv@*+KKJx?HQr_I3UK*@L+kilAZBr|>Ek^EW1 z!j1lvO;Swb==Bxs{(f;ey8*Zp#c%9_MnT~J|E!&E4^S9zR%TZAv~qzURqY!78N8QB4mcq+hCFfc+2t1nOf_0#9|9tJ|__47DQ_s^F@jJ*#0>FyMm z^o!aPw(5>}0|24|I!B{A->HZ*@@ZkH;x%~Ll7t|G=;ypbAb6(mu2jlrS3C(5KS=@Z zl(0V>k(s4PK9CH-2}ig*L|7J&&gI>jvB}+YU|eWK6b|!bpr0fKIe;5>h&qgZhibmv zm)tBQb)1x;tePIrptile!THnM;jZ zsjZB)NiSzkawu3^Z5E+H(jE0a4xduB58{5y`ewvUk{l+^-E7bk{sE0!4c=$!TqMCz zX~U-r1UJmY!{-sgRUMt@c@`A|H0mM|sY=7AR^%BbB)3;|6l?5YvYKZRDkFD*;Wmz1CHPxDic_ zi0QE|AqG}iPtSiVFqQ^o>hfBtdj+Oj$^r$a04V`}1gQmA{K-QqqBx(I(f((hO94IL z2^}+cH?&urB)Y~4U=oh>WHwpsk%HJBO`n*QaeYAIB}R96hg6z1+ETJnsBqP#QrJZG zA0x=1@_((lF`vnfwIAd21hX0h>DI!_a}e@KYOZpk=?0$Vb;*)UZAtVs8|skTU@>O` z03rmVu`yL^JOO8gV<-knFSg8J_Eq%IXh&CK2HA7)mqlRC@ZuCIYgGvT8mpWU2HP9i z#whq#O4?U4X|+A(YrL2m`?R?>zv>GZpdVG(j6rdXL_q zp#&}7Ts1|LIq6urVj>s`v`avUidcoGnybtA96EbxU@e9@me1mORKhB)1xlHi0P@LZ z@vWdo_EoH{c*lmiZfxM@Yip!zekoQ&&8jm`>KRcB@yzNO<+hcVZ%yf?NLW zPQ_3sc%tF40xI^XzIz6_$SIe~dv`R~GZJA88lyZgd`c#O1z`Rdw4QAe4pExN(B{@) z$v-xIW};D<_nD8o2R0{iw*${b01ycWbpjz$ML#Qo;r$>QzG5 z!0~M}x@}4HhTtfZO|MD|fka%8TM;P(+w!(;1tD(HX~XjiWNj-$XXz?(Wc!A}c+Lu( zSU0cBl`GCF-Y0nMYJQwgSxvS}^b zJj+~}V2NE8E@BrOqluRhJv>9ayc^iGmW>6)UgGSEjb(3Uk~Daq?$I^Azdf+bRk^bS zlB{nwq>@LrdeNK4_<}0Q;ZM?4W!q;QJDdWf{@iyanUvX_862rIB79%@Po$Z8mA5M$ z)rVCoRQ+Ie08V5C0NT`x?@JEIYY;g#V{InPFWCPLVCr!ybxM7H1=LHW?qoex4z#j= zqg}payIm*gHwB)yS-FAs?~2R_w|H}V6&wpZZQmRo>8jvqv(wCm3|@qXEso=|8#;{! zeGppg;E`J1e49%K_lSyG_Vl;3QtaRCz1`V@{@F(zSJ(K)g#Lhc{_?xs>gl~MoSx5zhgYJo@2>L0;-);{b+4hnPe$n> zd$c_vC0Z_`>e}%n(_rn-E;$8)FJ?ww{=l-o+-YP0@BMdKgWxP0x2EpvC0G3WiWbR1 zQL#oaYsOoqk%69>DWjy zeGM#tLfh|2cmPppQb!FGn&yQhBkBy%WR-92UQ@tJu*DVLJY)O7%fNEb)m|^Z6~?oucApzg=Eu(o5gbu_>dl z{?KDS&zQ?zS13s@A-{uJEwlN6krCfN7o)!kS6&nneOj*0wg1uS)^STD6_PSc_bB)Y zUKH^;!Sba^U3fEamXda8y{AgnV{wf5cLb#E_YGlT|z3pq@Xhd%(B)qAd zu`FDasvKMp2GuM21fx5H*&;hvN98ULMSs&+A#a(g979~gypi7Jn}~pl%k;&Lp3jim zTu^g0#aBev!(zL#IU${ogMWE|FJu7ND5-7T5yiHpvZCg>7ylNBfD})Qqx6qloKAPoY$J3Bu&78vLggl_XyjJ(b5iIok zH|Ad#JlO=oH$R_H0;c#s4YuBE0p7}k!bn8H?z|wtyVG7^uTyov+pmB1Mwx)|PHdvo zzRbF?0FXbFT{lukF;wr4BJNXnR0bZ(gr=(1Jixlj{S7XB&rl{f1h32&OvrwmFr%6S z-Wnc}zOvz27GK>tA@<9i=ve}PMx$(c__RFHscbE9Wm5;&D?C(Cl5nVjr7G`98;83q zj;TTQT%~vkuHh#Nl?;SBCeX81^(1Ho8=MDpioA z∾8?|89BZ|L?UZ;+=?=y>!!Q2+KaQaGWdn#kg;Wqx^bYxCL_KWnGQ&ZQX;IvL|u zM88Zl*lDeR9}EyHS0PD?>^i&-=c~2op~lp%JiNgfd5xiljcl~~1OWhrSkTb275qKS z{ZN;wEn^T@=^POjy_s-&zlyZ#%+&Vh=^TlX5-4beUb zMtyjxBxg~R#hQd0yF%c1wlpqX@a671cgQA#O7J5)R;KGK8|FVB7oa|m_o4~q!Ycf@9T zFjMA{Fi$7Sl_4YEyKZgZjSpdYb6bebEz%mzBjkU8M_ZMrcGI|?C2JB7zxj2Mrh5NS zrc8lUHOfIuGHe{HQRv&J#Ys?7Ot6)z&NH%v!HA$L1?_zs5X8U zQ|OFO3ZCg}DK}^)uV)01kt%O`Ms0*~H?h)bFsV&BZv7UzV^hed5}_;6C+SrUWYA1c9XZ?`3oMEEAv1#z)tv|3Yh?G0LHdC^7=?;N;Ba&}u-5^<1<^~$Tr2U4 z(dua98V?CXFv?&att)6JWa#2S1UYjDxs6#1Qe;2(wwM4+u?oMh_s>Jy`ImIa3M=hw z_1Vd{riO4^XQx8D5Dh9D_Y=l$)VO9R9bWe5;8%N%XVXc7S;0V^OQ+(PV3tsUZneaF z{D?d&c9*}XcQxE7EElyaaHbE#xD%Ery6<8vX=NaAM+?pf8x|zS+s2Ytj--9Nxqa(% zYN`*&3qAsJuf8 z5ue_+wWT|QCOxvO3-c?S^0Z(vlqyjq^P+9VV(BJ1Q7V%^{pa%V)ZblvWEGN*J}~_- z-!F8XU(>F(7Vw>q8Q({*Kx_=ZK>Q{~rM3%^T8jZLw#8~xNY!@dzK4UZoj>KCR*W`> z`P1GaAsB!)RbhciFZw#UIdG?x3y>8$od#B&ozw(nVg-jtyf>Ui7iYf@1+R2N&c4 zx_1DCaC*!FSf<1-c|M5v?kp(L^Vj`dB4Kt%zYM>vs7tHWQ!t;qCzlksWXg_lQq~8W zPFIg5vj+87W&KD}cqv0toO#(P>Y8Puu5E_jC{&e*r)+fxRZ4nd!mqBi`HfhPy4$%9 zXHy#-p?dbzv@GqS5PFq3on{IG!P{O%Hm!gvi4{%jp#}3aFnY<8*daYHzlzaa5^9Wl zOWpHS{+dC^ipS)^u<|i>J-sJ%=^(K0Wh0ZKF@{#EBL}?YJ%>Xh7G;`z^+ura^1@lc zC!lrxuE5f0-*9ahmVVv6iv4MJkM^w$!Rg1i$TlWkRyRB#t$2}VS^cVD8xFMl7>txgixeq^?}Qm;JA zeRJ$C<&WdtlLTy#=J87j)}ZEvah$K}h5A9Jt_n329 z#txc|FEyj|D-K>Soi8wGo`%ogG0}kg!V%vY2~D3qSP=itQm!2g9KaW$W$pERH>z`Qs_JG)fO`*=~{&9)XO3xj(vmp!D6^I(H!I&3n=A8u0`UoIjA~JNnJ%Ji!Ykh3~%-u)&$tzbh z{H^ZVm|#e?NifbPQ}4BC4r^eLs{3Uu1U>CVp*z8?4uAJ>r-e{4T8u~WMXJ>~L2>IA z=T_y7;cgCzkCB^EjhVC(CIaBL*EgX-pTRmBPncQpg4LpIpvO;q(BrvXGiP5q#iGRj z0Zq9y5}Srf3PykaYPXBp8h_K~<%?Q?Jax0Mrl2t8c2mBi_ELAexB+0_8&%91J(IP? zLbubi!@+K^8Jb*^IVdpuxy(=oG*#|G_u*PDt2w`6JU!J`wRWBNiRz3tu4f?YoL7x4 zIHGKO*JFmvk!9~0~}@y;{Z*ZflQ>MO}7qhNDIZk|KD3-v3+Y4n>!0)0O3 z#;U(xC5w3!GlqpRQv#GgjxfFpt)w!IZ!(2f0Kp4jDbZNNGyV^WBax_6UJG^CD8XIpk|Hplt8N*7Z91~_p z!J)SSNdU=cdLwUl4gUvNeIBcok@pS!r2sgBTR#fg>Bygg<5($_ z08)v7xay2qolk@Og!p>jV|v459J@}kj`FZ!6VjKwrpRfj1Pxw@ZOcsAm59bd4m5E*pH*ETYvd{ zVLQK&P8LpUVAD{MKvC1Cqy8;obFidsME%q1#$*4bue)FWrLTqToD!r!5kR};pvD=- zLH>b@%zgxM2m0OLmT3)_P^-wsu>_i6haKa{klWO1ig)luo(%5mFZSmNkBvk(czti~ zkJe`Pep#+|eIGh{2}+s8`I#I!s!c!EPG@ym?)^F41@O8VtCT5p056`FHdI#?2P^OZ zrFnV10{j9*Jub2YCG!HGi!m*#zUq35J(ltcxy_O~GQg6NLm``ticq(!V#V#XoU*@1 z8cX(ZE7={Brbf?~rrxh?{PwDJgXHx_k4ZApil_p2P1tgu7>}ELPl4#+N zcAh|*)~ehPv>d_vet&BpD%tCoAfPzl;DN^?ANp@QZ|2@`(x2glsszE#!ATU);MGF7 zM{q~TSQ_$4~STF*pR;^bYXzLfe!>O`iF{+#zm2Ga0ls zYwR56F|D|#3~E;rIc-WQJhN^#!Qh*Z2gV&o9UPL5X!KtnuA>mX>;<2&6Mi&x7KDkzj1U#0=qXb=?Sry!vKsRx3DAFm9^m11jzzyxc_-aEFL2)<8&gdYtiiSG1^ zikhYA`IDhz05yZKK+w62t{rBB^q zr;@DuKv1`BX1))QQ=Kways|`&;p^=VO6`I;(SFr%qyt8r5bWW_#6D%fQZTzD5hw@D z*6{S{&nmR3`8yb8QCyAz+mMJUxS!tc4fS;CW~Tya=?Z@Xf=X|fgbJxn&F!(b)qV16 zI_YFmF5^4-i(E8K(;Z3@Y1AuTQk8KdCZ;sTws~|ykj?-cd<Zk!O-}O1k8&r;;|Yvl+CXGbKDWwn$y$4aiW=6P!)t4zfU-O-gy~1Dn-glOQaQ z<+vpt6o2qK(yG%)sBN_xU_Mdrd@CCflOyU4EldB2#Pkpa1N%rb|M#woayDg!M(*A0 z!Y(|k5|0K~r|<>>Oq=v+gtWPA)nEmZN8m{AAX2~@=~K%VVYin3!lQ{jb5m5@pF(~W ziajnFFZkY|ntRc6C-VG6b#GlLfnHC%OI6G`%bn>l$YfP*(uX6aXDx;e#e#UsK!AwQ zT*O}uzGqdgR!8o3oyA#M6U}-(`X@&SNt2+uc|Ak;i(47rsnX%*YiQd^(F>;8EcYLN`1!CnYg!dAWn+YS3GG?A>_69r>b`k=T!J> zru3b=@kX`oa&Qb1evb;EWysm*apbPpN^e3-s0K^`E>(0^kvU;vOP-RYeXt&u11^S6 zLw${uThaWHt3WT)N^`mYdXjlnyb;0qq=JA!w51S`!-7vjp5~ zCL(WT6~9!kD=a`pZAMBPNI~dx_<5R}u@cD~V5txv`&x13Oby-FF7Fu~kQqFHsLcfr z7cO%Em@X_7!U&f)_6F^X-{d@=z1+EzFqCS)RIF6avvSK{YcEV-`<20{3Mo zH5HHQh2MxteCUovEI3MhrrvM~+wYCocr(%t)>boqZz!66vrsGOx*!t<=WDO}cCW++ z0^21&pkMr>xoLea|6c>b7GL49I8sxNSn*lFDV)e(e3XaE$zj!P+M++g4GpDNf4VTG zG`^4%ssH^)qM*8URb7cdembJ1f%BffKpH7NafW0p1*J^nL=U8Ky&a-F#2haBPzmss z^n^&Rkl9v48=7oTl3&GF42>NS$zrEyZ48yGWFmxAs%h7p#s01#hs)ciabWk8u}WqG zoQxuL?KVAv`1Ye{y^@EHAFzTzAjRC_qFY~L@2SqbHz{5L8(kX_+MJ)y z%LV)vxO|!BaX7OzFIcg_MPc$0ijXetX5lViDFP9QhufSR)uZ%}>286)v%$tlAbbs*c`jT_gpW)>-eVr-e+|ANf{>_HM!Ow^O(O-|q`z|k0{EdxmwaCx>WaXUEIA?Ju#$ig30KxF0F1 z2yl_gGWrPH`|AS}BW3APhTf6@d2f28n>jm3lqHU`IG;hzjv_)$GAf*m2_!F;EZtJx z5PY;hsrBA;9woaf4AzktvOoG6*Mlvz@z24K`%x0&T%)kaOX>qcC;f==UJ+^MIb6tn z#Y;Sq)ff+8)S@2qtC^dSJK|v#4=e0_9me-!=xtO?8yCCVi$AEdo@cRsbt5xx3a%lA*0v5 zTVF5{$mBqGId1bat)pGdl2G!6jQZ3TzoA%eDv31oValJy;Wylk>If5zw@8K%B1 z;r@U8Qv^x z{lOAJ(~6q^rR)m>z$VhvTR`mrYGym%kJ+bNCsTgupzTEVq>)0TwAMWN`P8%|g&LS- z@If@lSo77xle8Hv=CG+5Dit;w<}0}A&HD6gE)M569qkTWlinuNt*hJa7_r~GkJ&ib zT}^h)X|Ip(Y=|x=*{2Vk-#xv%JX(gEd*YN$=qN{w`g;`-?QiXo$lg!@k}GO`t=iZt z&3jyY0Ek0Pm-$W5$OwrUG|F3SZZ;pl>3ttKdMgrc7^UA4!_-usX zXdI|PLBdW7)-$R}UvBuM=V{5}>oMqEbgG%={k!w-uXG6OZP2A19DkIx;OWgV3a<2M zm3l73PFR`^RsZWebj)8sU1`Vfzm!c^s3I}R63wM6x~l%M!1tKCTqV#`=B~3i7)0@p z9I`HAnFe8&%qh&O=^JS0jv&#G(6CTRF$wW1mU^dqm@hOaas>Qjer^hm>kg80QMNDy zq68l2rL#*1?8BJ}LOw<+kI#^0Bps0}cU2r&kD7p(}UPoOGb*sS}Df;mX*MLN-kV|3TT^ z>|>}eA0X^!SlFZ6CreLA?cn(lOM%uJ%&pu5P;%aI4pwD|BT&E8_!&>ww0aUeJ5p?FzJMhWuAI(1uU5o89U|6WFt*k^BCy%ZJHIW%ITlt#iUQ}q z^kcX@DAwYDGYDyP&jF+4>Wvp?7%wxQZLS%$-AoKN?)Qe;N_myn!l3SxVe3C7vJhT?kEEwPuUUt|c&*2(J$GHIs z=-=a%D|K1AB_F%jk(jR469OLWp|FW&jUK%<#Ca)zh><-S03`yeo}S%_Uq-;S>yg)# zZ^x^PjbV(?L@~U6H2JZ-DmKK!udrDrwbx&rjxz9jRsTav3cMz)(CCKwu_#qQCW_!^ zp`pV6hULjLXJ=t$vQ^Sy0)mNA7J?&e!C6(`n8A{62nej6Mywg19?gBo3=> z+vEb^kwQy~{%7MS>cWf>p2XyA^6a0*xaP8EzI$4JyXCwP9xD4zb-wB^1HKA^p63=1 zD!IPRJ3YO?))>j;Rz60*DXsuNY-Q-oGelHA{PMx28?DXRy}BJK{NLIBLJM9*(k+cv zH*G8hvU8~Q($o@D_MNIf>V)eA-n1`XUH-noK%)3zyY$1 zr5^p)^s=4r#ds=$qCoRLzPqKx>{r|iMN87_EIyC(Nn6L@!1^(zSo zlB!{QagD}pQ;DZRV~yy@aeH>!b@L)Xe^|5#o7cE8zhz^(e55eBRLg@#(X_kofN;#HY(>CdhGWM*rOs;eSSTNG)pm9q8i;ier zRO3A-iI@{^PARi&ItR+|p{K&JI*BylFDa#inEO((N1;ifDr=%xR!7LRkun&vWTO$I zQj`-p*;0<_+|aGH>Gp^$4>V;6j%)EV312d<9P~Q~k$P@@+Efc{ zbLz#IMfpbh#%hQcXT2G9>XcM~j7@}JMAuluSO@O5jh2<3m5!Z(owl9d*qpH~i(QLt zi#?Y;mw=VmLdX9BRY0o0*ZxcU`}RwA?`$+%u;4*B1JpVO<8%W~=Qd2)c-Myc`9kA($?kcrWG$y<;u3M(fVFpooQ~P&EPf^7)lH^ z1_93wN@x4Tz1j{xe96T&(fK*^XMeE8o0vZj0Dq1PHANa6tAc_%tfZrVTzld{Lx=UH zu*m+QNH&cZ9S$`oi86E^+y?eJbh?vyjdtQJFqWCNzhvOjfo%f`@D|`EAvP{1wtr$q z6!19gdJK^$mb2R&l;I3WvpZTg?%1)hWkeO3@Po4Tg`$+pdGU~bHfiM01=F&NMBqo^0Bj=Rv_UVBy1GxmDq3%#(K*WN@ zW{bVuv`N97jHZ|kvN6|5{hhjd>gZ0O+wKU-OxsuD!ay%bM<$a^gZ-4J@7Mz9ZbB7D2X>Cy*T89p4f^=lv5yB0+8rN{ZvZoL;E{1m4%BH&F#u2Z9LZ|ER#^1L5>z92#Ur=8hM#yF_moRp)P7$)WjgYLyUz``n;7` zd2aUb7`u>>kWMwN;fdNq*!wn~*tLB(UpJwB!i5vNnQt$H+}aE|zaNT6Gu?4gbSPeh zLfe!bd>dLF9Dm(rTOYhOL5hfo35r6ou@UC*1mFpT?3eYY+Mmzbs3)emgAawi7WPW` zD-o|mz7};TTH5V6==j`0X5-nznIAfWn9MVVqI4Y=KxSjfSJ%pi`CBHv^{#c~zWE<$ z7qRUla5cO3toBL%7JS1!+qT^U@96gU{@9Ei#kXMV7k{7PV69GDrESx0j^Z{QcF$@jA0qYWzGHAfyT~1LF5fmY>cIDUM`_es= zf4b_ncNg7xeCB7^nR9cfc7FHn-Hmwt$OW778h=}}$G&sjkk4MbWk*e<_65^_Gw6RE z@K3Q-9AK+92Wm5|r`RgO8bu;p;g?}6?2DrgfF^xF)0!=hJOck7dE_ECXkTBvsC|tM zLV8HkVpjL zO*Eb#KXiyHnc?5GebHu!sMN6RzV{Kbw|_f~JKUYg{k7``;lyq&cX#*4y1y*}c@Kto zrl16L5G*d*7-F!XCql#yi(Oq6eITME4#HZ935Ae;G=D@B*_qQH_I&3!RyMM;eVd*h}<{8Yr{QgtRsvqiTZy$5;o~Mp>U&P!`HDL0iTFOnQj#c;kbo_x5$o1?R#7;mi6-5C=Nx~hw|zDLXEa4 z*uLv@*P)(zNIQO(rr890Oh$}dWE*YE6Znl>Fjgcsl{{LqBl-`!TC{X+Y-_8aXN3Cvb|aarsOXcLEJ zl*`-nbdcsY+XS~zAe0C-!Z|_I!59EB(fPMdI=33~>S2&=B0A$9Z8mWhses@I zC zk%q+7q%ldiB{d~2O}am+E$LiRKXCgydh>rYj=~T(<9Yxhm~1K_V`{#D2G&g3b<^tA zb2g4SwBzgF-}L(Y@;5!p*Lt6HKl$JXzbJp6AG2q`fTALIUW{enL#wy!kBfUbBV*Q$ zlL`{7@h!`@J{5&}YJb+7KsU4=1eE5l2iIEK@g~A5!SPTN=0vjS%7AUBzZl%F*Mbz$ z0xZ;B3xX~J+OWS~1xCnY?d>CDbm{0_&vqY%Dsa~>s07J=?$*C`?ke-(aae}e zIFIJ?mx6kHn+NetKnZRW4Q@P+AR`ek0wL6LPJ`(f(xd`uDSuhY^UQ2$Kzp0}UDs{G z35psp+6VrT1Z&srLj_!H=wLM3*_q9*8Pqg=i6I~7G-hKBRS<`ikb_$T$KpgLv zZxh(B6NRH1cYi!`VZ$o<9>Mhl7CKD$#eN-*cGKF3a2F@LWHgC$SaTwns1LFHOs({^ z4dSQmypCOx#zfXcwnhFb@?4}a293dExG}CV;X<;MDyM>pR-$FQ~Imhwe#9xoYeIZmVes09rtYRuyD8D^zz}ML-!0! z#v`x-o<3IlaCtO%&HR`5H~3aGOPkNWl0Srk?bhoXuWRv?&n z-_GchAV%-M(-r8Zb*nE{&=6d}sIiD7jkU>GxlFD9y` z<9dlejep=c?By@n`6G~Kk5J$;(1-@231}9oM2+ZPBn9I^s6QS=hT$oAs%fgZ7?gSj*5(oH){btB}z3F*(+izDsMvC9hL&zSOFf;|(nD zX1jxo9Fkguy=a+9ki|@_XI;NRG1Plnk2PJ?pnuY^+ni>0n+wb(=5^+6W|3NzP1FnP zj3aL!`*`x0RaIcT8?>*^?{0mK$!ZVS&rFtEoM@CgqBpy&Rq#P)y9siO(>MjPOs-qR37|g@?dkQ9DG54 zov=+{a)>+f_S?YvAj&iK{rg}Y8Mq$l?uT1!sKv0%VN+x%8ii2v7(0qE@GPN%U_*4Q zb)1&ul{UDr(L~KV$%;pICxgZLJ!%!TCjw?weKUb&_OXLPrkC%`oe1mYOxDu_z ztI2A9wXjNTMXh)fx0yW1KPYSxcL_fg_sXxx@5`6u8)%I{n{hbqdc6gw-Ex61=_(>m zU2J1ADh3f`fQ(G|3wNF{U4Ik|ih-Z57|3+RsBqIUXEZ9JU6LgMrjD3)7VXrHZQ(%9X{Sjeo^LlhDjP#62i% zR1R_ngLg!wpWO%ani;a2%INV)z6hR*aPr znDDV1Ji+;ykI!;4#iMRa+WR176JCO&0NYgMORDJEbORk-XT@WLTms zG~R7$=I#;JSvH|fcq6xgY~ddk9uyyx9+KUut)^|3ooFZC&TS`8@=pp+h)+mQ%G*uP zSboMmOJ3q%6xt0xw;bYLC-3lY3yYaegk$;-#~E>4ar>vAoPYfElXmUBlmGM8NwAJq zGLOD5wvpDZd0-=>z>gM#jTrG*cdlTEBAvGrUZNiYk2y^29H`w6BNe+r!SutZfXNu_ zU@+N=#A99tALD#S;1VXkfmnU|XQl#1AO#(nm(pLk zp1)3+&d-o$Du3n5LVPE`P^wq%?y=&<>o$&uO(M zaS~4AOS<3heigTC6S#?7uyzMt=c^y3NXYTA=q7i6(P8LkMPj7nGBro4q&@s#s7*q4 zt1OEJcG+4G(GOBj9Ls%Oko{N}XEc49f?+!|fFNm*+zdybWUO$h2KmJm@0Wtuq zDqVq<=6@9>XHw29%b$65`_rCMg9(zLBB0?oTjl5hJT(Qxt{K{eR`JRUv zF+7^hsw6%puuAe_s>>QsWX$@PWw;3NmpCW9zoUX*FIYt(x&cHP!b`)!>MuyG!2d!NljOU~PPPLYGTL@r4f zBo}k#++4YiYZR7qtA(G)8@N_sll(a6FbD>bGZIA_Koa=@!XR;w%Z%DtDz9#3$*Zes?Y=8D0G)UN~k;VZeI?%x-e9^s!yZv1E;SSN+ zRf#|DKHvQm7uWsAKKDS_{X#z$YPYTpe<}1}Btt^u0TTsOi2nP9Z(er4Ft8}Z0mWiS z2Ead@>aPpAy54GWWP5uLBI@1~P%4(~{@Y)W4=V~qfQf>DzGvMT23aDI(+E!>r+@Jz zTjY_8@U9kvv&Fp3$O|H|8&E{BMNmRRdHWcr5@F&Qj_W!^&CRakrqL8mIx-!7ZU+j! zzJNQ5Dk=NUAS@sO3!F$Kmj9hxFci!*t0Zv!NutM!>q6W1&{^)`MBqplU*tF;GO zS{~pI2H*c9tpYc-&got)ocQhU?>oRv?LOPQV#P{dZ%`P;YLsNRQ*Pm&=Fu`mlt_dy z!hrp)!7f%Qj6MwqY5NLTXAnwgS{%S{K;zthz5RA~EMW5PEnL}!L9|Oq*MFvc*vG)n z6VZ=+{TMFF*O1|Q8!{NV9(8W)*J9^e(8h%Iz5STj@KDQODbyJ|z;@~oV8y_G%xQL$ z-u9-wZ$HN7Z^&2yw9eiios^n1HHpl=yiL+K0O)O!cpB6u)V*`tj^`S8-ucn*v_EQR z=6$(zNoVcT2b(u9`RHvN@_*;bKM3337(Q(2!cuQ^=%ADPPkxY=`m3DWdwx`PS9HI@ zuRQtY>Ha>MiqRlb6Z*M(D50Q<;!PiD0$hddiei9#$Pt;KXJn&bkSXd^#0dTd1!Qh! z(AbymXsEt=!UHyIEY!Y=iDZ?n22OEtPAN#~&-Is7slTEsL!}I*l7G94TOuu1mU7Fb z<;wkBFprHS2#1q6oJ(QnEdS6?=?19I%ufP6U`+EC?^(&Td*sy%X zdhU(Q&CQ!1Ue&z0SlzeuxnKS2xuyHm*f-am{Oq%n>)ynk`hVri>*3Av)l6XQJ-|H% z^oTo5)_eJ&)NJ_)bdWqD$OI!Ei;BPfVA2tce!r02J7j3)&=6m*zw?S_zdM^^*Z$mi zE>9ASvenp+gv*0u)i{h~%4tS=FF%Lf%O5MxAhYD#j3u~)D<>s47TH^yG}d4vEtc>6l#j21D496pgTbYY1$RbjsY*T21g|H$8ERH{kw}0Y?Pj;U>3Q=Veaxutx76gK4q5$zmkN>8?0_VuvPm z?A`nHbAKIsODE&Mb#%}t0LZVqQpvB^O?ly&hYBi6@xITg&1?lfC<8f1qFdc@e3)ck zWs3}Jlbmg~)n={@EiQ5R?=fMNBpex zJbz}zZTHcI%?nTA7Vi}_mS4Eoy7$>JpW-b%73qvTihPsU;9e?a>i`! z%P&6F{+r#Dn}c_-9yY#o0c_`U(2Im7x-FvKEOvtq+=9%kob`u>q+wS5zXWbV@4tax z`0u|3Awx8>VH+1M(dR;H4BHHb*@Wr9C&xEp|sq z;A)tog;TafT}&24EO8P1FbSf*qDTEqUy+j;0Q?x>i#AdROB=?GkS1{BrAn?`TFOZx zHi#}9Cg$QiaR#0#dU2(=SX_zk6&FdtJ5d;=GmIdT&20k-aR`&tLo6^~5xbyvC7v2!GG(Xn$G=|dS$BiYjDv$FNsd-j_Y*aeDO)J={Lx3 z?sLYYgtFaM0sk1ljtoE#2^=p|VjM-RLjhE9l!~rXv_W-#G&KmfHLd44pf zz}36CcwoQ#1UHDjk?#Kv{5sN*fI{6SvK6fm2~V4$^q$1=cl4(yhNrtoTz}BHcegJq z)Sl8_!C-2aI<-jNsXYZWT7QO~z=-2*^uFxz&NK{>op)aRz4p|)b-J9#K`pqG;tagR zohO9pJ)1DaK*DIxChS}FY@WGF&*mR)zU)H`hkPY+B2@QK?QTZ4_6;(-<;|%dif>E`omeJfulEJ4##-TO&7}|?Lxp*Sy=5qwMkPXh3 zExTp6VVpAAMEfx_Ilw!n0t-}2#KX@KO2iVWL@qOwDP_h+v=A@h7JrdOzFt@?E|wbQ z8hMea$<$<7#Wj^LG3J;pe^}?%lyqf z-M8IyLa=m)l06p&;U;aFKaL5zA&$kP3GSf&ENq!#`kA9-yD7%z%undW8KY^m0@1qd z2DAMM2N%|i`hRT_qa6p0R*E!+Xrs>#fe;2^Brt4U1~MdifyOamw?B?Cw6W)!3B-L02z!1hYErn_kmbPR4I=gJv`Krj z3ud~VtR-QvL&RWc5Q2jd36ia|=bzgNmn0+`cnJvxUVp@#LPTtZpIJWBr-qN0oy2vx z;iRT==%jXwHtP?Z%NG*UyZ*{8>0U`9X?;L#w9|KALWTMuE)=yWh8D*%+@d@kZ8yqX zP-wJ(ED^y%XhaIs-wr-TFF}v99#3Y^Gb)*2!Lj;de>&XhIY@{JED&Pw20ZTZM;>`x zJBSBuTz|iQqh{pzGZ&WL)v`l7cd`33?nw6^o7b#e$(3t2RM*~7v-6c_S3l-dk3RU; z9}tH#s1qcOX+CqiQTLlGzFD#-^Rb z5u9=K=uzimE)7CL_Z`~9*vs(jrT4UA_RND3S%1+ucZ89XkmY5Q)GWM&4w{~|$u>cp zYR0k&<=WUC)6~4F3y~JK)*B?@K`tKF$534@@v)t<{^Vt)tYk&L7 z7SBWCfX`XI)(JVp$?n%lv}SYLWge|iM2-)I%!Li1GMG>oeaxP<4k0C^QGWby(t7+j z_kYBR6BnL7aYAE1)NlMTLqspQ6M5SAB2YBxoi75{q2j^bK4~w@Z^iSw-O^i>>Mh}>x9!R;b-vjaD z1E%}>JJt?}Uq3W4COpAF%r1+;Y>hDwvV@zh*BOUW12Pn`J0h%bWcZ%~p_~1;v45{) zJxiAMI;_oV^T>_4xyUVEvI02r7N5Xo!G80oR0I&nPXOF}<{O`ql$4 zKGJsJ#jZ`orE_M?C@mw`wRPRp7QOZ0i`%w!9N^Y({PFUZmgOs2nohm=;(PDCcW z)3W@>8#n%VS!>hZ{#P`=_u@-`cz^HUfm1!toeA^UbDv+j2VA@VNh6Zp{)8;mxBWTf zn(a?0y1^PAaB`UE4013xKo}qo=Y|PGP3@Oc&MHptF_is#dpuVmU=1Pr1jcE;8BY*rvTqmtF zZ6=S1k4XE;&!jiV8`AH{Z>7)3=lo~Fe~Vv}zY2d7lWE8F4%#xMtrN_;V_Pxb9Ztfu zzjUY59@%QHv3o+-$J{TwuhZ+hc97Pt6*HWv1rp`6`P z^wDkB(SJtKGW*-GUyS+PKL6i|U24@LrJWFw5R!ZUcnl)N0xdG|&&e+P^RlV@F;p(J zqB{N)bcf(X2l#{NdNL6m;4;yx@cj@PD~o2tgmhdl~mJ zDud5fcsIj)mta9h_%mn;ohPQFI=T)&2vyUy_y%-Dcn|I4JJB87K6DPomvOgTYK5_T zVEy;FTVU?HFb3!llh6?{ALs&l#5JfGK1WGM(E*sVg?|h_DQ)Xu49~_li)Y|71g+uI z(M^h?-ztFbOiQ9+^&oQv)^XMd`k}{BAEUH4UU>p7mm%p|CR!S3J(ga11uJET5jU&yI``Taf!tq*MteTr#&DjJFeq+6{GJw&a8cX7e+ zN&jvy4ByaW6Mql(*awC<`JnHZgK>}hjtQLqsqdJF<9)tk0h!QCzGHwe5JmK3iWuJY z9UD<3I_*0)J08LQzx1@Ap+Q@H$2MdP`i<|{j`*NI!j70X06}R%ANr0l3U=9j#~hMf ziN0e3=Tm*hJRIlvjs?`ub+hkSL{3+o?^s5$u4dn{5r2(zJ>fexCyaD`>^rugicyii zV;c${wbFNNNAjqL$5z)YuC1I~QLhdtO;U%XrKPKL7OUBn^>y{NUeAJLHLt2PMa`N& zUoE7g>eNDSows(Ow=6}uV(KtDwaBw@!My6KxoWnj;u;gjdFOeG8`RPYPt{y+o$9Ie zs+Co0O@G6j`IV(=S@i->WtD%-G*4Asc6Igb0bc_Si@mjVmDN@1kd*YH`ssiH<<(WN zYdtVgQD0v(GBvdf&M$08sjF_NE%laH*Ut5(RC()j*)U22<)VjibwHihtIqMxuWn3A zQNIPnDeCz7i)$+C)XD`l)wT8BGPS(6dV!i%>wjJ7BgMZ5lTd>$p}=hvrFVDW%%ke0 z^@v#+{Ea`#l?wURx>PUQxw202sP(m;GVcOU?d@uH`Q@u9N`bd_L1i5ie`TFo;jQ(; zUUO?bRls^O@D6OjG>{m`Ia#f*Ry|dV)f!M3OsJky4-%^c5qQ*6AXl;D*u}O@QT5nBlby-8Hmn~CP35-?FX{h&78k9a0l0nU-^Bc-2C5@H! z71a&(K+J+l-$rzYT3wW|Y(pK4r|cxF3xB+nYlRs|T}5)h9?5ji)aqKb&I@{g(Um}| zkNwNGro_RrHB`{`iY_{~QDX%d))f<|8p<1Lt6)Pfn^;z@)>S8~bq#aoc}wf*8OmRI z^?Wck%1~)_RaqtFqi&?46v1+yIn@ijj04?@7y&&-P*q(IYN*rCQmxeVT7Z5{t$(ZV z%%88!@%p3&WPq1=`tVs@1$I%ZE~u{cUX^XNesPVr+yfh>=tT9sy1=s-yalG0RhCy$ zL-Wk92h)QCSkzNi#yHnSM;+8t3v@Ni_tYwMqcU$@<=iSp#$4T3VG^}aPbn-?M`!ry zsk?k9x}*XdFoAjIUwr}J96uestA7D`Rr43Cl>uh1Pi3~K8@AH>AUhpKkY6Iwi%4A`6We;KAMfKn@ zs;8y~+{-g(zL#Fmd54whfzqp#3QxUS;i-cay;Xf=LanaXy35ptsxlwJy?>-Cj5wXc zZ_;XA^?d5pOl?$29(6vA9^fnffi<4e+dXrEG4R8xYK5BWKW0>Ywt|2KBzotUQ=%s1 zsJT<86sgmu<`&J!D$G&yrl|#mQ;YM)<&0Bfv!=oK*kpA^UeSc9(~DFXQJ6KQXqGxP zSIwF-OP!QAWn8kFGqa#DXMfr>Won_CH@P4`F9*)$O&Oa%eO%s@@oF~An=-XX&Ci>h zR|Ja|O=VMkOXcNEql-<>DI7ZizGh|T<>wX6N>+07il)GtKwP1kr50or7Uhkdo}X2y z7ECWJm^v*7)))uNPRW~+TL`=4OwIu&V4<;73uYDOjh|4I43moBWPh?!RG2j`XL45I zq+}Hqn+hx!s%%IKPzh_OImLAHvJ*C#%y6 za>nM-1CV20Vb0hhHh&Ui50c1dWm?XS)8Pb+^KX%?%$ShFwg3jQ;NMtA8DoD6 zuuIn|np#-YL&}W2X*tPiR$<;Ws*&8nsX#8(=hR$g0ncg(*S2{EARBB;aXpsVjQTw z9MD~QgM&_gt$(+!2C`J;Lht;=DKNH{<}yY}Wffqx1wPi9_)6~N%_yfN{X(Be;QU&bcg+3SV{Q-v69k@mDKNum4B2zxZpcrCFNRJN&WU%NeRG8 zf$rM}EfsgtvfRDm}Phaft_W@14f4rN41|9dw4iB9;ddE~RKCTo!+Lft zf}Iw^Ui7~htAf##4iC)v$95bCNAqA_F=~Jjr7+gRR`aqM9>$Rht5m`78W=MN)~$qb zD$K8j-97Bu1b%5(N|xgoXyaAt@mky z@_$|rl#fKI@GA3-UkKwVJy|g4?9*eGLboE+YFGr0`9t*zJ4t{SaXHmP#$Duc1$1?Vt?vczssU+sX zh*GwmKE|&#Wj;%q&+N3e=ZsD%m1$Xk&I7H^pFuq=BUZAQ zF`s=?dN?X$lu~_F1xRCVpMSin@8pl69%end?fUn)Tt0PwmnT1!ijRX{3-d4?eR~S} z?sK_3u0~t3Pv7&|yvl1tbEQW+wJgqhSX}8{*MFw2$0Ggya(VXf`r@3IapB*ok#SYV z=Eq(oAIA3ZefbOpuKBZVY=D*NK9hf0ewoAky*hx_2A?1J?PMWbt$)0V#Jp$`lXI2N zlWX9mXD<(nsNS9#fqK_z_McI%>M0d0!mI4F&PSt{S<Ca7Y150ux{ zq^bl+E>MTx)mQ6S)b!`-UT^bz5=9R4d$32XZ${r0YnVmf4!`I6G^Xc6YE?>4RQ+d0 zs%vvK$LAyUzI<5TBY&w0D2MGc6-|L}bf2m4tq9Ek99hV&<-s`>a9kl=DTZ(3;Osc2 zmn?RLUXNwoI0KI9ic`^awwAs|A^fIm&w?{_ZIyke-zLHMDX2EeMfvO-Jv$vf3t-$dCeJL! zvrg?4#zQV#*Llfd6zH1JDH;o(1+X_AF&^kDVp5VI@l`4{)>JdN?64=M_4+bN4lWZG3Z@vj!BovT@g(zC;O#$OJTR6ZL$ z4dj>uqSHW&S(aNBQ&~3+s&m(|z_i zwTH64^7Z?Xf84i;9r{}Sz58l#9J8lNw{9)+*JZsjp%T#hY6~vYdaw1-)kdPry9!hWa|0+ZW3pC|-lL;? zDlA_4dtCqiuG0_Qm;F!b2Pu8}L6;-1e_lUGxoSU1{TKIxlyB7!>Wkz{18C~)b@)eq zyMGSq)jBN7zpbyNUeQ-l{(oO7ps&>1VfeqgDKP z(^pcypqz21t-GY4zTKs(cQ^hu z-6iE4q^kx<@ISlDq%a%163zVUyG+V|aDSIcxvb07TkHNSyG+X8?J}wVvM!VI4|JK- ze_EGGVKOL&RVOlPb!lh8^?zOONV%%c|6RQ!<%-^s`fuwUDc9^B_4a`N`Mo3MALt!@ z)4KoM-jP4DUOS^)+3``nL&qnuOY=i^e3b9i@wu{Q`)(Z{C7|Q;O?`(SqC-=E#ee#4 z)Z1xL*go`I%J+EYDwWCQc6g^U+R7MeN@4i52F~?GW8eJD8T*@M{qN&{glD+~FbR&p+Ze0gt{@TEr1wvs=!lFkd{ ziwoqxHS+mL@>w=HqmfUCkWWre6MsHwC8uHF>1pKSk5Yw?FOZK?$%h*GKqK!DA^+th ze{3bEH1eK<{NZkL@2quR#^14P|)5xnDc|{{X*MG>%8hJ@0 z2Q~7dMh@6X$EpOOLnG}kyePD5P+?0Md3du;csP`7wvmSv@}NdG zwVH)Z8fi6?7MRr1N;Yn=2pb2G4Hoji1+xDB7lrj2xqsbk;rbQ%_i&I z{7(|deHvN2CPi4Qku@pgUSRXyEVB9@qp;dZ?lF>PIMG~2R)M5eC4Z2WcJgD5tXOUr zR%m3ooh;MHQjIie#C_>Uci%1iNF#UOP3|fqONv~=k_2+6Miy&ik%csx$U=oQXr%rE zsk=aGFOWMfkQ$9tYotme^JB>E8kuL$7UoSOl^UtIo6LnTW8~$&l-e!VryIXC!H>))BLkBh!oUQQXPcRDott7!n;x!VdkytB<0X}0KL@guH7f2Ma z5LHGZ%_IUO7=NLW@Czg?n}oubP>u8}BOxHE5RC-Gq~K8E(uh+dK^k$u0Eb5Gz^gr* z*zP9QGGft)*%U08HDZF%reI>!h+-oKjmR)e)`;XJVj1D#A`ceeB5;;ygoE$gV1jJ~ zX#}_9vX%GYLH`$i(7&62Z~Te;f58&5UJ7MyWOHplIC%gJV+Sb)gz>>|AF8X9 zm2$9E%yc(j^$eYCkGo^v&B?cEXii~{FJ0eG;XXX3CdB7(?fNK_xb2$Rp7g)D)nk+_ zxu@rS4!2`}8P@A4`M&Jk=jj>0Y}(-*K1IpbsSQ)te_!L5pWD;&e0q%I?{EwK9H&uL z#cjAObw1bQm--eG&3Zky%XT+EUze1RfFI8>#G=m`QJSF*_pxrmRQJ~qt<$uM*M~zD zg}(i7uUs+Zd})5w(-N93p=s(}wP;aY9H5=*GKKckZ_qilKo^YH^^&@TUQw^0-x%+q zH>yQzf4);|%$D)Wu;aSc+^cpO^nn`dS<09lH2EEPGV(jr&&cnc7pjea18w}s74mzm3;9dL3;6{+LVgdwLjD}S z#Q5P?$nUkL@#E}-{AB@c{O~2@FVS-$e}NtffB79eit)cglfOi-g#0<)>x>_D9QkwP zI`Vtebk={3vHJtRj{G@%IqQF6cgWF$LoXaXICyaMki(~=2ag^(yF>8o><($X-63VA z2f;Zx^MH6y4>|hc=|NPR2h{O)2Jr9w2dnOx5BT$T4tSrZ2hkk6NAT_8K~m9NddO9q zI0tz4^x)BZPY({g^n1-+t~5Sq`*QJVWA^+V8FBNNre$2{fYLdE3DNc8-wYdv5n1~C z1C~%Dua^-I0TY*z_yOPuHZwK~GC4FLmv#98HkYsY0Vf7CHXt@JFqho<0l~K=QUcxu zmmV4d2?Q}THaV9o8UiwxL|6iam**M+CAaWc0uTY0h8zMgmoZubO_yLD0$hJFH#jst zJ_>Vma%Ev{3V58=ybE|#)wwXd)?Rzh{eH_m*^^{)F(DHIAq2ThAOQj)iAjJ+1#_86 zCX!@^nF%3M1VluN7_2R|9u>+#ydLCOB- zIx?hQH9Y&^IXl=BTlZk%1|2-p^?SQR?XAa-w(dcwn5WM@t?R-uA)SA~^L}_1ds}+~ z$-4SFcpgG1o|Nih4oP`hKo#+VSlChtMVLf!>#}2Tw*1V=qAc7-o9$n^=E`%TXISjT!*keP}=W z8HjT~$T7+z;Z5`sI*;B!7lk*4`_Vr5d{g)st-(}t(o{!P4s{k#7D89hGHip-7txrKh!>*cst)b}?j^p3UF%`RMeZhUJ@)`Q&$r+w(0eKe?6(CyfI>i(4V@-sd=2^> zonb7@1qz-ZrNVzs`2xH(=ndgbZWdZku>>pzNhO*EGu`NQ^*)sed(|6-i?BM1kOR7p zs05w>FA7D=ARwIvEAyndfZlbkVnH&k}~{zX}8++`KJ+8K9e!xPYcIU z3d%r>e8s5=>P~`^1f1^FcG}H)t1%-zEj1-MF~McGSuJLh(V)|6WG*DD9HQmysf6;$ z$UF1w%$a|~GwJ70$%T@VVoavkr;sVmEV$hy%brE=Qa8IXbaF4<{OYRTw!V0I(P>Fq z_3ox% z^~^t9o_VpvT5c^bw?#-B^nWLSfo1>p&m}8w|n`58jnBz=YiD%;}B`&Z| z>(qaotW1^DI<7Ir$p*P++#QSV4Sk$bQj+&kUP(#L$8RR}R#t||#|tWdAq|ae=U(5? zv~2yzWbXC#%bGTfOy*l+bC=ve`EU^Ua1iufk9 zm#PSr8Z5&XE|gehnO%4vXa?O<3$Lgxnpb~r%(T0$*p1E@il+I}P_jvIkmR7r5!6IX+i{E}@W{oL zScSa>ToY{9KTad55-JFaNcT3jF&b%*?v|A9kQ^bPbm{2s1}W(VX%J}yq`SL*yYJ_D z-uHgs{eS-Rqn~*=*LBYMp1L-6cIjMPaZb2CQ$~k0?%ibJeGR5UJ5vi0;+f52QcNhUGlUCDYN}USP zTg8?@Rk!mQG?OilD@_)MLvAi5t9Cb)B7ZJPVD2cvIXq5$mua@>ch@s52m60~Ic56- z^~XCKe8}>mP^+vnOK$|0<-D3cwF~`v@pN6M?8{-3IPMMSH_M=~!MBNk)zfd;-+>r9 zlPvk4Es6)0wVIoVmk!KeORE6iT!QvwOgb&LB&KXYh^4E`*`K;rcmjMk?eT*ndW^)8 z42+oNZw0=xB%C%bVnmf}T956>4v6E%n$5F;9nV7OieF6lX2(z!U>X}!vrSZ5>x{E* zj)iWuO1{)-mmI-=qK)-H=9;) zvzGiMO49Apmn|6=f|sW~`5=^`;P4Sdg)W8_P8cF3tZa(VH5~GL9kb}88(JUqyq?pc zo4X}ihg$&EMHruF^xh_sc5Wf^KzKm zDaE9@lwdZiQR&<4-s_{+9!(ow$JYJf1nbPhQkyX(Z*L!0zkt`VTT!0n!l$#;vL5bE z(Rn_|clBnbbp29zX21@GFS({(GNw-B@m6OT=tX^f7mW&J(cl5BzA;Wszfi>9YxoHK z%|py3M@ds7VNwvZO0J^#o4G+tMeCGuT_^EN+2vQh%NmE*=QG6B&a)2F-C~W)WnU<5 zjtpp^hMw=Qe*_lc_j?ug_6WdmUSr53@ON8Fy*jd*fDGQH24(0@-kYPXB~kR zSEX$Wo2~UdzQQtt-FAHDaT~mST6wIJDl8)yPUt$MnxaeMSE}rgZ0*EPQ-WwfcrSq-fVZJ3B0% zR8C+?9aQcLZ%e<>`zz-_VYdt(0U(LnZFjcry>b_57 z761#d3h)WM*6VY4zsjv! zV;Oh&S=}l6dv{GejbE<4f0CfQC(VKHZEm1mV=A1L6&`M$ICe|CjhlKmw9I%J9w#Ow%RRJ9N3*o7;g-R~edT_(4CoM}}8 z33a&g#ObWhg{Jl=z|#ItHBNj*DQmPa>vsTF%wK2a__7&>*!G0vMM9i{A*VFJ&TMX- zZh0g7tQzHW&Oh2H9Z{3+EeC=F^FHg!1G&`3y@`38 z&1BwKwYa6Zj=oMId%Lwe!Jppo@QRD0;=%#WMow7x6QScmnfy_ylwk1d?)TzOzb zkT25*>nj$wI@`Rr^Z+J@3}!PxCp>AiFfQRwa?A6q{$J9AdM~`hE^HFncv-G5&m)83 z!OR1T3c4n8a#ne{a^0sTW#QcI?nH)kaMppES` zjCt=39NaVBSP|!8Yg*AZt9_E~g~$vz)2v~U)d=Hy_{il5ys$kb#Mtyq^y8<`gQ4SW z+5&$rRnW%vCD0Z1Cm$E-m^O;CUs3B)U&s9RD0WOaDs*ID(!j@34#Lm~OZ6h$d_?m+ z#`S>PSmslI(nme2%kQUaGw;(l+Z{I;;~ytQt;+tnc=f|e&h05pCBilQtHo<05qO{r zS#E5Ppzd4cHv1=Pz$dTFifHK>GR&+7bhq*f3+f_Gg2)86rY;9RJU<obcetzY&h|iqgIElbp0osvxUBEzb)US_f@C+raL2 zQ-vK4*l(N!v>Gms^21BdFZ{EfLJf7vUwEOpud+{TF6_pEh^HM6=lF)Nn)7>t6Y`v! zP|gCWPJgCZri2zQes}WK3mp>*GC~s_7xoB5k&8q(8IB*dB2`x~cWUx}DhbcAW0Y+R z4nVw1u2=MP3U1t!YC~~)DaeW~X*%qv2lV;)7X5o{Al;#n{LrKJMKg)zU&AP3tZH=p zvYZWOGK=k;u3bB;KRP2*?4<+hYNjIf4p^IBnz>${&gf2L;XAvcI1gvMJYT_WevrIp zen#@4Prp^j7dzTflQKZAfv^-l^hR-QIM21uVu;Ph@9m>0CW1e77RtKlq+Jn;1`T>q z^85jVXO6aiKp&OCz1UWo$>VmK)DO&yR3DP1YGRTlf6d5CdQzvvAwXr-_E18u{;=u@ z!%Kb27r_S)u^~HO>{h^kJ@bZ5!3}Gi$!X!ZZ|?0e?dt|n8LTqnA(Eee;5xp)jI#OV zGn8bGe0KfLwb;H+_ zX!1kj3F2WgI~GqJOO~BY-bnL6p*Tm-{yU5EGy=agp@!auV;+^MRS99k9@TgszX2}6 zO&*V*R4J;5ZlnvJn-AMF(BK$2ySST)`q6XEuYDeAY5K}`Bt##3luv(M7)=O`TQBdT zKr@zOP>YoXhfMhvdDJtNwqw?5<4nk;F8%09Z~x3TKV4R<7@Ao zxC;CUOrjnPyfz)fN_u>F67#IxMN2YWXj$sTs#!^%f7j(NyBi2X%9pd9uYe>GQuAlo z;k_J|^HYV@UKvFSW~kM&)Ve_P{jK$y%=M`%h^F3;%`aYgHXRMFS&*aN#@|#yZ4o`5F^F)@uUALgc_OUdl9%Ln=fF5-NE*&ft!ki=3v88Z5#(k6>j z9_mHg<}+qOn)OTcV-{LY#!2gQW#%Ep@|Y%ttTbJW8acjhlXanW@ex0+TlSZS$O7e0 zZU_C2DL;Wiu8j_0c*wf9Tqhq(Y}5a&8#jmC8cb-~_VxGZ0|b0`M6slxe9ECvQVc!7 zfOLlPW6HOuMn%ua`?JzMGIeT<4S!3tE9=Bm?FyIH%2}~Z4t%*o`E1RKdvfwTIDzdQ za(wQTpU#uPvuefaHeatq%jI--#xGV+cf95R`MpNnwoNBnV_nfodcRM{E@6`sD@hcZ zq_Zge@A>3Q@fqI1S8=$e5fT+uPS$O;F}f}^(`K@2X^t6_iKgAzKh`Iez6S3{`+qAT zz2rZpWDdJkbI20uAp?oEL^$6ZGA zmU}0-i(W|7eptq(Svp~U4exLf{Nq>jv!1LoA6^Zca+R9W7LdjJ(%x zC)ab=Xx#7VzM~b&=UJiV2S*hZ%7aI~ymIjo{&cGrO7L%6(QO*-FRJ{t^&QwhFRdB} zV~R>@m>J~DXno9{jw%)Et2VX>Diu<(cE!e>N_!Q-&NpGqFO|2Pcdeb>bAA}y!>E2$ zBgSaEsP|4=sz_S8^(_XVl!acLO`!|74Wkd3H^Zo0Ks=*PTJmIFl>3Q5<5l%YAdgE7 z$?ZkuMjf2lQ;TWixrxdj`<&p_TWyU7IXB6kM4sI=iH+mDM5g|#QX^c|r0=H&4%=gK zmxQ&6Y6?~FFDkaCxoH47MZ68XW<3oytaW`2IzxJ%n;GvsFo={0Jq44gUY06B<0UsS z`}~4M5`zLoE=cei5GKh?k%Jlw)Gxg?TWITH2Xt^XL7UPmp@=>Y@5lg?i$$%KP!Ucn9^=?^4`EzppWIS2J|pX~ zX1E}5mavgh?3EW^{Mr9-=kiCAle_i1#{EIMjH9l(8;y%#1_K?ho3T(&9*1?F1Xi`d zL#tM}Xz7Nf@`iME#xdKk3+2Tk`N5JwjFKgQX$#q8QG1mBUTOJZ>yWz2ZOZ7wPyuL6 zR!%bACLe;<-o9bb$_xiXQ!0x)G7+YOkG4yPp~Mjn-Kac??D>*` zE!-U&3kjL8KPZGco-wXZlH<>TKkO^j1i<(82zPjy_yQ8bcX-d(dBTT2Za;YEl$baz?=A>N- zV2StM6^%w8az%b@N~@m}HziY}%h#+vv}rrPB2(pm8yWDbNq|5e%IwAc)Zg=)jx1YC zWU&3DmQIVQIK#MMAfYaz5yrYiNWTfOfD3n)=0jmo2n&}~%U}rm^p^;IyR67Q8{Ybh za(!Vei6SodbW(Z`7}c`DdP5-Kwr*e?4f?RMFpTqe+5R5!$XuqJ@GjLjI z+HPA5YPV~wQC>VYH{}2Gt=WPC8NIZ2gWHH7b0$zYHq=BHO)~7$I!_+Pm1TsKsTAx zVB|2x(4vFjfqyHxK((Z3xqN_k|AsQ&!8}#VfNYEeAJsCv>o)`dK(DqPKY=KpZEE^pjH^R z8`L)0Eyy$(LB0_d;;oj%t`ZD)^!&Rei zJkJCT{)>a2PQpS<+aK7fFCJ{~D3YBko)86d@?J8Vt+iEQx#bT0W+6!7nRCZBkU+)`~PNk6>mIzG&nqmVHDw*0T6Jh=Y1fOWo}#`+dyXdV3w|bfLdkZj=5#Xg3t~Je`g%kLPxudk}lfQr!zjpnb9?PbMy^P(WBL9 zoIA^rf!*=Um>)tpAH3Ve?uRpAr_iL3*@#7$Jz6vo?j{;L837qqqZ;QbHvNhNtU69i z#Mzx+VSklsin^g3>=c!LSy)I`ICL-?m&YeEd` z0Kv7?oEDqpECs@H?sfh==_x8JiB-1FMJlxZ?8f@!Oz0?ibDvxXul zUzAqj+96NA}I|tb$V0PI{=G_{pe)U0&`Q-{sD)@LSK*i}|anX={swmlVAFelCO8 z3~to+x8GfMd46-kKdeOZY!B3(r2MWVp()pM^DDu?Ri2ltN8V=cJ^J~)zAZW_2gf9n zXA6gGO&03PI_dH1k&)ah*YwY+M;IW5r&NlAQ^dVQ&(8f&5@~ zwPg+UA72aK7BD>Wo$ZoyVF$*cI6T{H^QnQg=2;h+N#S#t7MZ#w-9x!XJ6YF)(|97RNliV0HVF>}@Ir(O67oV5s< z@g(EmENg$#oI?bhsRgdqhyGGO1CL4GvUFtT9uaR~TzbQIv?g5bG6q9SBhp*+qlm^P zAX>r$rFm+^l7YUxJvsEX$7V+nma(+YgQlYf%3tRk7^H+Yet5Bjg=2&D-ki=PIY%@N zjE5$A)sKH@u@xHf)oliy>hqCKHobuTPWc&A^OuT)sbB?MsB{NAzs7E++V z)7!(%`$&7DYN2WjQwP0H0ABHab!(Ex{l&G%>3n$${O9Ga{nW0*zxa20kuPNqG3kNzdtsKWBq_^(`~cW z!vn7b59Ow=&m_y`4r5OA_Hpb*4(lOtNx*CreGNhKG85J|*1;=g>*yCZhq^c;o8X!G zFK9P;kqp&`!F2PFmG=|1JAOJi+)jLlT~FeZ&SURKC2h>@&M#6Y6p5PgXOQoE$!0v^ zP{uAl_>ptIn;5j(?u~XsIVKHnb35(TfOCmn@O21X&{N3&=CgY5dh)TFML)tLw$Zr7 zgIjSpTJ=JA@%is^^>wYU+e<$q$#>?O&LXBkXvTwC3oK@5M6L);FW8oYz|XSWK|lS6 zrarvOS5YQkU(mc0@WCK@?IZn|=-2+$zQrK#qGU;YR*-p3jPkGud=5Q7J%gQiA`V`H z{mm!>&llQ{coD^&6=-{7eAB>;Spj^cK6V*pD-cY>C?6*))awzgNOTB{!v6uW`n`ca zZC<1g{!W`=T1n67YHuQyPDZ+y7k&Pgz65v}XUcS~G0rm|;6*H;m7c5Tu?=+W7QeEe zsSf9{OR(keAuinm8}6)DTk|tO`4BQpqJe@*OfW>fPm|>)AOhBZvmZNG6dk`=khkFo;|yLliW_>F_0Vj@$nms=k*#9 ztzragRHMg!TzKFNa4vycvhS+O-uW}$*^h6ArU)8uM0s(xF)!Uvnbv@gkMzW}hOHg> zHUeFbP0=;OdDqZ6KUJloI=&dQ%+A4#klXT`I(=eF;H&!k;SeN4*i@hyJ{xv1q)*|m zUPdtI`*q=AGqFfZaV}@QH{P2#)7MiE&ZRMbf0naDtB$Z(K8YYH53ziucAj)arXOz` zZYyi7Qlx05xUI^Ub>ZjM=oaeM)LE#JX*OJ6SZU#28CcOYyu4nunLyA!4`|0PA=l|7 zT9jIR-q{q-nXRZaapb)o0$)E}d2^Vtg7?++D}52x=JwdD0;9{Y?K#Vr6AoK4C*Tu- z32}fF z1;*@N`Kf25n>$KV6eDZ8ic=Wo2mOgcMj zfSyE3`W$Uo(8#J;j}y)!OA-?{Me@ghwCsxsx8@p&jiMp9r#Z zK-eAllOp3DHeVT7aFUzvn)_diz;hc)=!c$LgerJ&*Vdvd0K(rG;k9?lix)P5iMspV z$BLjWNOaGQzjz0Kccmk!sivjJ(rg=Bnkv7wVYRz+sPy)t&Y(qJ4?kjkT@jLg_!rx z0)u07(>k=Y2!7>bs`j2;IP;r36-CI1sIs)yG^#{Q@h3x)24{MW%`4zf&AKLX?{d1Z zu4kNrCDrbNTk)wIg0eJ%x0~z`1SCD?i!#KH7{~iJrqR-+@ME}gA4O&7+gcY7!M@DS zggg#{Or;EU87-8p&#l|&FnOY}fLbvHyux6g*-u3a9Pnov7FsUegx#a)TNW6^mZ6_p z#ux$9;cBBEPOoo98S}I)wQ*~?shSvw5rb6p!^VY2@Dx)WwP_qv5KBhhc=nHiVA;GpJf<>jxlp05qMnit zrsuE9L-Vhys^e^rR$FVQYU#?d-6WleQLOR}rAg&~sf3bDMCAv#;w_XJSUbr${S5X0 zbG4DJiR-|RQuJt(nLIv!m9;3(^wA~)GCB@cMTLh*p=fF8@HC-1=V>ZpilC&rIvqnH z%IxYB$`69$Q@_bun&;*gYAOzw)28u~>KbL420|)}6LgO8 zZwBDcc-DL|RVq~oNWuOFhMvFb&8JZKRiVoL76u@n)8^0Q0Xy}zQ=R$GzrMll3${T; z(@^iILP2AipW_W6d)@S;JIgkHgFIeLK|^;|U4=oFQyHpAvH~4NtyNAg^&P1pIg|8P zE0~uy7P)LJq~r)LR(()dn4gR49ZC|)-fs-QP^m2DdlaT{ts0{39MzZBqgxSSR=kBT z82a?c_q@lm5Qm%Kq=PzQYnjgEfqxKjwlxMPMS9fM$7>7pd7O;VEbq{dxk~H1K|uFF z+X-UDKYA6F&mn#)8Q+@US2?$puQ9|Ehcdl*))vX8KJs!s2zesWx=e+RI28~@y_V{R z*M3E-?X5f$M;qo4DJ-t^+3}%{eV%3)sz35;`f<<^Lni2?vdg61)9me*QS-In2Zj-i zk1Im@j{;g>`PRzQlh6TZ(s@V24i@S#h-M8K^hFuOvF07v`aTP}QTR=wjt05OzdBOQ z(2do@D8d~jKs@;DM4=kPhdIxKVlmd51Al4aMHcn|hbw6qw@B=4%a|E~V%=an=wJ6- z^+s;|^DVZj;#S=xxs=~0I`o@pA7;IPXMs-xp9F%}wG4(kI8uwAZSJ>8JoFGBGGD_J z`hF5lv!}ARXn4E2WGPZ>!)nHTdJFmG_|R<}6w8NiK*G;>y13_O$&xxW{=<0#^8=hj z8n?hN6idv-GLV!cPX;CGKRnH=GZF>)2{QT$di<1E6ItO4uz=7Mg-3?m z<5(F02>IONrVE3Sea6UkfXawmn#PEDju!{ z1YM8`xFJUn?JU+%$f@6IWmxtj=f_SYPZ^BnVu-7oL!7bXl0mxRj18~oo@%_=wzLsw ztC4PT?9BCtFfwbQntwX~1b~H{N*ijQm5Zmo0B5U0gBg7)Q;IiF#5AxhCG1(Opj&4y*!=xYch&S7t5YI^)m}$DjWA zpy8J!ogyb&;q`#4w+4%EB6!dv#Sequj zF!lkUkJBCO;mo8My_k{sLpLGtYHm+cPfjJlfEhr`@BDUt?2U5ANxpF9p2%swUk+Ub z1+WhbqDtUNz2r>5QI4O?lvW+}BgZ#%X#cHATyL7ptFg2!{IB>Ka8!QAt>XUttVHZ?oA-I z@)HqvM5_y5pM}v?A^aU@@5C68e5I}Ctu$$y;Mb2K!@Ot3feq^+nBHo{ZN59BnSCrq zB#LfKlWw(}24l>IsyPyIRb8nhjP)`5saJZCT8GyeO;~J^!*dvXGH)TIC<27gVjjF_ zA89k(Dq@D!TF&IVoMU@C8J;o0 zy8I!+B5OacG-Y|qUiKMfzv2=X5qZDz#pIg02cn?u1q5#BasAZzvM1)4k-6BPb~Ubu z#UZs$w8=MNjwG+R=vf=fNpIcJH|MuM6d61{d$gzEn_w0DrFf>zmp`avdjU_)1m`cG4opDKioB@`LnGjd<_j zYTt&IOD=BVU6jj^bAv8g`>kiLH_u#maL?hz5w8c?9)(dL|D_6)?v`_jelOMCbnzo? zc4^(ud13w6Qfd;fF}Um`$)&RBs|;*wk{1mLytSVN_9Vh= z=f&)sy9AJY?Y%qh|W+OJS#qcyPqmQaDN)XN4m5SDD^Q=Ejm!D z+mGlxhk40|d8v!&`<$59(yKb+AD%?#jUqc=y4gPCW3jZ(W7!YN2HJ)PZ`DszZ#hQP zu^Nes*Oq2{^cWPZnsa(P!4_FpRYbDGEw(e&Zd3R3wWXG1)%h6@pV20ziM|EV_qMlH zTXfaZMsQH`wDuc_RRvzcl~G30OjUyAUi2;`>KMh&6X!cA-HhfNETSLWYwD}?*F+l3 zk?NxiBB318Rnh)x-M-95H&}`)W>51W5mG#H2nnXQMzT0@Rw23Y6fUXVkKJ?JcyEumDb@OH{UMRW_*aYfu%IXF2zai7(_)UF)SGo zKlE^Y5^ecT#+mwueMFyfV1&k-nLo-cd~LQs}&h}C#8ua=@b!T zR2PA!Hwvlnu#ZxasERfs%b^L?kSLF$3HoWzKP*J_g!rkq!#3Rj@DIal=R~%Nl1ExN z@G?y)j7?Gl9|dU~Ktep`A(nwJy%Gq3_RNqQu-5PUDrv1>1pAu2QfMglvskt~0ZBfA zhz#TC0h17OuA_(($tB^T@7D+7fCJk7E9*C08G<7V(eJ!{e&Uor_8_^e-f73YO}P=i zW#36UX+lYxI<5TAsG7djU(XOPAEII*`ee{>(Ln$%#H0)wCn9GBEe4Swi$;eI27~`S zyEfWyoxwqZInO88QvNNs8P4^EI+N2ZlVwFbdI0^AtzstDqgTQ8*Jm?}agip&8z|%B zDU`Nld|QOVO(X&( zRlA0Ppp^YdtGJivKeM09El8_+q||Yo!rN%!7nOXSn~R?D{B2--XOAo7T zn|?3}aN~TaqwD(MLzwUlX}v&pgvEE&%nHM&)=EDEzLT-N(n1&~m7HF3;|ZV6ftvnA z{QQ1xx}u(MV5VWN)KwTKZS?y4)GMtOHKQ)eNamHNM(mRoOQeU-5AfV~BB6zdD|ioi zc>S_x-WW4a?zwgfR69`X{t@nEc0qZuwuE@w)a7M3;^qgtXOy1#+W4Nu1-yuBz4}kuoIYFh)r6LCQ=5(XTD5vz+FXla)Jq4l z3rc(}FCC_JNjRoo+MIz6!L_P+)XNvqS3tEXczsHM7i-nh)92SuPFb&??1p5`Eml_@ zJwGZtdY+dvC&713erfpqR<$$xRNQ>zrp;#EMIDhfr~i@#`Ga@sE_q(QM>okjKe_Z{uCB4lQ>ab<8dxJi#L6S*%ud(Q zxDlIYsQ3t>4Kx^nkrIs-A-93{62VG|_UixZ83jU?5{(Gat$?OmT~CSjm;*WMHXwuc z6hWbm#(*G@MGHstsw3ywT4d2CP!VXFXzbP9@@QzN2yaa^?dl#MG*uQ<0OD0Ka>cDD za>cu1v;;)07jgwv30f~I!oeGj9YJ1(c8jp~K`uzXK=po!cu|aoi=Zb*BS1ik(U=fA ztpDD^YzBp_^!2(lF%R%8Kk_Kq}-w-`~$bR9ye2 zaZO5GnxR-&80SfaBj(E+mz+`q37eA@bP6fg}S!U=A>tl>>tCVMd3d zfq;lwW^_9EU%UMEpt7dI{rd?A0L%&gZyEpwfN?BXPT^fiB$i;DY zEf@m*mkjv-2nN7_9AMxbMotiv6M5J4e<{cb20`xffx$2?B<6Sdxb7;0UDO8u9|{JJuoBf}nSmfxtj8gdHn7F&uD5CnP%<@LxJ1 zg+hTG$N|p(77qmjIPZ&sK<+q;1Ic#}A1LziFTU6R1e^Lydwg+7I+UHBp>HppK?J#9DnN!|KI3D zF6O)k43ZIe$A27LFwXx&FqrF}f-uf|f?+@)=%1i!Ak9PyMyhkiIwT|bu3#7^2ked| z$hBP1`+Ug!MD(zuQ^NtsHTTjG1_6TZDhuNR0`Kk33Al$Ql8^Illp*sKawp1=azRKi zk?tPyh#r3vwqMfgGIByP=GvA(Q>TK|<1yV(!ww9RC}l@P8E^WcCB@ z=I~z?0d`L?m=o|%_aK!=@_|8jEJo5GoOjX{NrT=+0SM;+b8+2q50C>nrhjik$lrzb zpJ*ZZfOq2&NdtlJSq$O4C-|?zgOu?%{{Mj=xfqIc#$Pi2$0bM_*ZmEl9H4vFK>>et zivM2wpDg<4ew;|3{0|@e@4Ek&kGbyn4gf%A{@s8>((XbHK=uOAy|o}@vHc$*|B`{^ zy4PEPa2T>8++hU5VBkAG27r*A=?*eT8kFl!d?0nXmz4kzkn5fyNZQ|q{DuF2;0J&} z9Kd@Uf+54`n#HIR4?M ze?bW0K=!{oLXfn(^#uSy2GT!-{1p=bWc)(z)8OEH&_I!Xzl#ErcCY( z23=Emu z|3vUF{E_Dyu6rB8kZ|2w3;^AO8V2CJTR)JcmGf?|0U(ba_Zuk~hQ$Al#V`o6Sl^=o z|J}j=7cCeBDdip?kBWaMk=OQEx86kHqh9SfM9t{Znr;q=3F$~Oce=U>?eg|qG zlKJj=0!jNn8W9KQ-4ig94++jLpP>JvJ0TD5_blPOcK`u$KsoQ8ijg!h7=Q@kLKlQ{f#19V z0)S9XAt4A<3@nCx>wrr{1cLk@OavhI2E>oc`~S;ArGv{ZVq++5YHVoX;ABO`F3Kr_ zJg0I%h2H=;g+zfILSW>fSM&`B@C{fL0v3hg{{77*`u2_=9@`t6;3D;b0-?CHw4!oi Gxc?6cbXIEs delta 82286 zcmX`SQ*Y*O`XkYb#>Uf0P ze1uDo1x(praUkt{(snQy8uSqc5cS7{S$Y7&xhlD?U@Gpnjqg0a^0K0tjgZiHPV_3{ zkn~5AK9wHi6k{jB>_PvVJI!=@YZPI@B>Q~aIvu-PH^`>^H!XJW>35ci1~E?+pt_&Q z08s^J07eIYWAxtd|K9Wd{B1EK4``;erdbp30ZeYB3vz@%Nn|uMPg`~;Uw_elK2v41 zTz`Ekz+>L1v+1@0!3Zzyh0V7K<^$IGayS*%cV``u>Ap?}T-YtQ?$}yxfPP)Jf*WP7 zx*PR3j|_3G7h1ax`gSJ6Ap6d6x&vs#S4ER02SvNt;RRb2hX>YJZ-ula`McWhoVXwf z0Oj*i@KU`}5H9})tQ4YGdsij!x!+|u)!QC73{dt{%Zjdw@l|T|La75lze4*=ZmNi04&+&PF#+-|{|HG^0e|Koy>pQD*9`zl%wu-h;UYD1d1mHX81r zc2bN`xd@A?42`Sa%?r*@j+tufyc@9EqAbtO|;z4dZxprEN(VP&mVHfqf)N!tzZ+{C0Oj zOY*OEY2en2qb-?>GkTW>)M`HX9l*I^so2R7_GBh{^R-D(a<7lkD>EMh=*m2^(tm*bGUrq9nA+=T^wt4BJgO_-d@lPM+)gDNXsyqb&hmyt1wd9aiVmxDB z#LE}f3&af6qrt`a;TIJta#x8$7CQhuTA+&H)5_VC>6L<;=r$_cYW+#GRo43q^>;iD z#@+S9K4quejxfj%xvV1$(b>+UfeX<_68;l*LPDg!`e^4S{!W1TI~HI23)8l%cx#WG zQJ5!8YT{n#jRQu&9WOeq&0mxm)*pfB)5X|1IK8ufr5XCCBHnN_7okOK%7ppbuQv)( zg-@I<9iM7nTyNSG7I<7Noo{u*aC5|IFB&f?-2&d8Ucq!pE%905kPyn6`r8o0oRBWx z^bTMDMJazBGtu~bvZ)xl*B{_OD07xug$JSOS_5<>IcQV>7~Dhc>SMI}?wzjt`qZcR zNYs;)K&Q*DK=ii0yyR#7_Jpk5Du1F1QGSH)CsP1yX&{4uFgk4?`i#R9@6iwHuT7vc zkkQC_A)=c8DbQs5;QfK1WCX4?8Q9>f10F~%KYx!I$p;bYUH;VxD}RAv=L4M}FuEW} zozaAS<-Q=oST`0STwb@rwE-uc(R18$@*yRBLm{Lg^g3>;Z|Xds@5ytF%U19W%#*JmTyZ^BJex6dPit>=7w`DU8g zMf0;XgInN*pu%7I$zL5I1^cBXhhNW+C&Ds7Xu0*r%~|={9Hrgr6d!l5?)3Bf>qR(X z#@E|i{*SX-gW#M-sfUZ21VD@ZZq89{>St|EkiQoo@EsAvu(`4ETi&LIO`S|uXOKXp zrn3eM+oUw_uBDl@mEW7-)~?ZdQ&4wl2Kcu}?+3zg-_`w673ZgS&s+D|CV0h#db<&3 zu$PAWu7B07<s@<9@eCG)!CbvIuX_;7^b}+~13S4$NT9yC z?~v9ePCMKE>nTk14p4|D097`J21TQ7d;g1vXf*LNffC4h6w^T#ebAYWDUWhuOzT&w z@bTwKBc)!7`R~(96*|tj?(`PIlbS zqvmb~9xhx;%2Qm7^|_&Ny?9XNx^=<6@V^7;)32Tcr zNKZ3&Ff`0iX4@w;m^f~Eb6<)Mr`24s!*~wLAl#BF;Hd6YNSE!d)7wtClw)8>gSqWtJQuXe|5zN|%*Hv)AfBspAZi}>s2OdNgw2_5bZu3`|! z`Uk`-Y8IKqDec$_Z9$7Da#a%(MH1jqydhmv3&6q+d?Z)BJCH+D9VtuL76X0|3frU4 za)}@*wt=J1yldTP0>BizF@prN10jaHpLmrrN_p4NP2VEyxWvslV z2PBzSR7zDat>Vj3kiIueAsH@GPlXVtAO=~*Ou`GaoFO zx*Sh5=Dqz*1Bt%q81uqVYO=={UbjseLCa>FCRToCpjoQg zy(j?OUm-D1e$3I#^I_2B)*KcH^wWP$0B9DxSUe%aFN{K{mNIRQGO-j#Dc2-UaEaZ7 z7#oAl@gr89E(?f@fpIs$d~!9*M&qzIp#Lfl-I9h-;aw*zkO;FlJs(zDd-l5!Aq^!; z!nc4=wA**!bAynLhgJ{|8oB{pc;NSQY5H9E{mE@oS zz=?QT4H&uOgYxpyr*yFwsvI#%GUBO=49ZP0c50cJ+hvk2s#q=r4z*RDl?Z2rc3!F< zO(yePN-h>&d{z{BoPQad=Q2=01K;`IvF)5lFSD^7NC~;lyhH@f+KCHH0Qs}2_|uS| ztho}}TPTLvGl|F?e|D4zsG=i=>zY9Znu^FB^(&(kQMzFeNg2AFXC)yg#O|)ycBVGj zx_6pNh*?@9UH{3O9z&D1iQx=%wkJ%)?5sHKLy?e2)j6_dDEL+S9TZLQZjg$9g>CNa zJo87wHFANP2Uq5BTagJV0k|WoURx_7Tm{mYo7@@Db|*2CV|&L1^vA!gZ5|=&XL{qj zv%~ph4g>H96G-AhA6Qyk_uh%V22YLe?ghT0pbgAE@za#l9ra+GW)YxA! z0o0?uPigM$?#GY=uWosm>0pJ3N`2S$w=l0;0k|zeO_zSS zL;k7lSf)QW)vCQ1bUl}jlqBrKMOIe*7dj*^3rv?KJ>7;S;-nn;s(G^N zO+?+BlzAr-_kQgM@vCc1dIo!%r#2G<&<4Hym`2N~+1>TifU1Se7H*kHR&o@Y&O9sh z8Nqk>%zLC=QH_dbg5G+ z^Tk)b&G~Zp&O7Dco1pw(dGpMi_O3j>Kp~uiflPxU56_jrOQ5QRu%Dasa>AdtDW2YM zA7f&9g;AXPDm_J@e!39N#r%@~Yv4n+UA?yh4yer{$bw&x>Uo8t|Lhqm1}6~{k%O@{ z3=10z3yhh)>Hq9uxRdKQ>5?t^9sb9+HE;57Yrt_4F-n%IBfDU6mmiun`!}1+BTc1F_7e&9D#@NXW9J~-W<_?LBpsaFXgWK= zW15N^B!pP#o%Bqar=6E>J+i)*nxMv&tpV8lfbOItwv*{`(&ubxzom*uN1G$78?Iua zrNp?Xe%YZf8eN2C65;mP{>q-Nw2^y0E%T5Jic*X%E$#)wx?nja6eP|q&N=KQR45N5Jg#b%IpS{Ho1kOGKKf034P z12Mz3@r%-(uko?(kQ9T#``?amhz}&`1e)Ms{|VHYdUDguN8QGGlqDV9&_Mh1Hw$#m zo3MN+xvl+8Em7jk`l!CI1J;qaeCv`GI+1Of~S3JM1Le^mkp1_grvfdoQEK}A9*M#Esj zBw`jKrC|GC!GOU**zCEeTsWalx5}^8ZJRuM*jpgOvmnh7I02MTTJCkg}L~>c!ic^{>^aQ zs@XMM{>A?yYXLm1H>{M~jDO@WlUn8aI9LQ>Y`JWw%WTA_5}jIZS+w<>Mymcx=^S1< zA(I+pC4U8-o&`9f&Y0XqePaCuclfgUXI)Q!U$G;KITZ=y%ge zh|^w1M>V2v2&CZFH=G(vutbjO#|O=glUlA=WVq3Ys{tl&i>*wyFO0+jez>codAT4) za#L_7>(#1P$Tp5QUP>C6y=q5K1STjE-o~&rPpbAHAKkEHUDlH(`IfZCUDfm5RcX=v zKCa*H&d@KZ@BAU#C_BCbOT-=7DLUkg@CC^U%We4j=UxQlxe812M^$gcQL&xx*ePv} z{YZ}X$N;qd#Ol1RIJ<<^M?P}4NyqsliZREhl@EUHEseL;Px9?S;2f)nFe#BSxg!6# zG%-&Yl`!zr;%ZCNhT^n>z0e8P9v+g-#m=+yI0y)=EL_yvQn@c?>9C<{Cz4?~7{rTD z)HdIw)wf5s`8hGH1G!6+zy1N$2uPl7k(^((doyl+0U{3YI7WfkFoPJWi z9qXGh2`%vjD3+QV%r)4FTEmcTDjXTu8))Mvm?e)^!-C_zPXI1;JYn-xG@xtKU&TF)$O$eF9$wxmVJ1dOGV<@vJ!miJH zlf1bEwUSc7r}^YnU3BTROiqjs(GMuDn0C^va(uMAuWAtJ?jJ|TubwV z(jjn74sUpBCQzGgI8^;Q3Pww~B>KNq^Z;|j9K2j(CW|ID9E%Y(GVZWJW1N{4^yNFo z8k8o$qyw${iG;@;aVgeki^d`QIy*enk4ik0*I$+q6b{@b- z!@T*4lT@#i>xn#M_wy5v;EtZt-(+yn)CN_s2?_hmz8weHAu!T?Ap zd#GGN^MwFo+vVD+vI!{%iUuVW zHvTV0AOt};F)5*FuT89QV!I_f)63S{s1{kCMxY>!6CPLI?rh+AckpIlwTO3EoxjxL zh0=_>W;?;GaL#aY;~Ds<4P9gLpSqKvLl>3^@UTxR93{_<&`B687MK9=_>quU&=w&2p4dUMR zdlwROo3R^e3M*sf2)HErp=~2h*rSNZB8L>?uGNiCS@AD0t=}N+>5OAVuSImrqWAzb z&Rz>Z`DPMg2_Q`MeodClLYWiEs>CH!DOmw>VOLcj=Sm}rz4(G`ZkD=-0)-&6q`6lq z{dh1lo`_X>#2QU3938*)FsKR7)Yc2{K-F}qw1&o5B_^-+I2I-B--hOV=+B`4m{Hn6 z$Fu(PF4ir{g~3d#>0FIF`@xys&fL$p`8}%{J-Pblt6g1ITLLbzadB5mdhm<+AsxR&z?sS*2Mu zn42=&^p_!&(k^R`XNejJeY(+?^vqCB^!(z@irc#YUpxzY46dBaZ3JFv)B99yd#vEb zga2bkG$7i9aeY|3?k21P!3{fEB=MYfqO zdOS^CFGv4|`~tPg_K8F&r1QdmCs{j87qxh5vHNEwofFzHPpF63G0sPQ!TOI4d zWjTba)ncW2Mu@Jd>uP<|`6azA%|lbe2OHCsBsA%F#qq7QFImBW9%dxLM4^Jw0Y?QY zbe@NhGEdYh54GEvbf~Qkc+!q9Xz9#YhAPQbN$k%Rqf3X_BEBp27$?0~;ynq&e?j$a zD#kvmC1c_Rp0z@|&uSg$i=(}oJ@|~puWby%$6A5$ivWo_y_@GZQ9s&(Z>uSa#SOJz zu<4ZO(Qm_%+lmHs3QtiPWap18fCDwF?9LhOb8MImHrhKTy1v8Ktt}ExU%TlB()@@T z_8dSfR6(qX{E$7=cztWDf+Ov_qKzEJdGOX{d6Yb9w()ybN(qogJQR#KnBCTzP)kw#=CHRYz;uR9+9{yq zn0EeetD{o$BJH9eBtqc#h?$|dz)Fm|8X951Px628q(A}&0s#RA`yY4we_a{R+ZMFh(RpSVOyZFZDzKN%O8@fyNusfdHeN_9YW z5>8BjNB5!MS$Y=t_25OV0#M{>KkSe!qV|$6P_}uOzzUE$N z3c`0mF^Q95whw@ZDasz}0`>?egW`q?hIIgx8Dddg-+$}^K1Wr8;lrJalewA-cI%x# zZ5v+LtvnphAs~R@Q87Xv&kMUa#A{qBOddz4hV(MfVs-pPku4!I%{FcW3fbC{-9wC6PD<0ibzZ@T|ks3A#(wq#S!VKq%hdv8RZuG`xZ0e-O?;* z3Kf;$2Q*A9H)w8PDiZo&`)V-Z<;f!uO#?tWkNlX|8=5EtCOdxC*>#hs7;bW(aKiv7kvH?A_JU9XM&>B7w+1KFq{jU(MwAIysdroGPs`Q52`(d60OvUUwdF z*KsWsAeSS(VHY{g77Idp@3R375z91!GS(!kPi4DtYQp?()Ts$(M8$u;)p z5WiCdvJhl^z`$Nb%8+MAEeri?5kmHBS=xZ|>WbuUf}kM(RK5!2s{5emHnQzl+UY8l z(Bd*mp&#MHFA$b3VrS4_v~IvhA|Ihxxv?GU23i9lJ>{Eh1)I4EO(-3m^t%P$b| z|I2!j(vA!xP`b}$PSz!;`Oz|hU%BO^8P%Xzw3BO#C3Ofp(kblZJD+(EX(CY4V=svm z{-Xx@|Dgs52nZ<9|6=3+QsX~pApHl8fkwc>{lovG29iZZ!G^0m`N#rwSQ-<{1MoDk z?SUr)kHml;(MO1IBb`a*u)F*bPY&_$sT1PyC29?@Evjb)0T}dQ>w2%K(zYA-n+M_b zepunKg<=#`VL+s`6gNsraTDUXdd~_UuoScqh6gB05p^#~DF8t-!Y*$2Fr6jJ3*rah64yT*~MOQ0`Wh90}vb8z=NZ`ig zt+vH%wR;+%HwCch{s1y2%W}v*%neBrj!zk!(*+ikF^abfQo8%Kk?zbw_fg?>LN8nCnPPa~yV`4{eKn9sZ_`a|f zX3`aaxfiHIa_W-`nQUHh;BH@46Im;PSTd$&0OB8C=x z01#-T=B6S`a-^lOUSX!CmJ~NsokTL`B{z*`%15fPn6bcqi*ioZGz;(=X~osPHd1jI znEM?loZNwKSPxkxFG`b9I{1{BKvD<8Uskle4%z*H%0Xx+R>&o;M)Kjcn>Qx;L!@#Oe<=t{EYhJyMVeftexnNj?|D*f-q}HH`C|Bhn^wJ`!;o6#ov&GHv zk>ze%7rnP(_lSK`1~fIlGZRGLkIM8H$Z36t(>Iu@yrf|I){(%^15~woJ}wAsu&Ko! zt`Z%f=2g-93sf#jo10QVK!RZh)|Y7PHc#rNsGhU~F8N=F=Uhs1Thwp>_7dzA_N*hN zJq=#JNgR995~P8aVlH~P03s|u{KQl87TiUUVkd`@{bXbW(k^}YZ?1n;4B zIwkHK3dV;{4eZyi?xa>8*;wY+4quYfPhbIvR_Kow=_e65!l(o1XCl#cnr8;EoF8-( zhsB&@iJn7>lnN=R?qcWuEBr>4nd)=twvGDh= zx8IF)qhb*BDOXjlfZ`=(_Ransx@14gH)EMTG;vq@jz8B; z3%Y&-;K%&iusBoztWd3|#QlKfT2Yo_qlL1ntzK4tdcPrk6!TU z{y07lEZ}NQX_-@E1nnVHuxxExLO>sY^E5zFg0$E!F6b(h6$3Z22VxdMA)iq$^sp`S zC3ZiGJCnRPOVg)A{1uT*cWk*r<=3x zzz8z~;u{QasuiR|uNxW0DntoHeKx4vGkt|pPnK$G?OS;K$gSg?i(LfC!G&mQfWX!^ zvTIW9mJ&fcOP>R>u~d7;^P4DLY5p12L~e@aj?y+&#<(EpgxN&u^Nca%)SOVF1i%Tx9l3Dy^;@6#j|P@DoN93s zt~2)4S%M4OqSCk+x2LdJn9#@V4l^f(;dg+sxs1L>PIwXGN+)S>qwql9V+k>AD(}+< zaM-!;xL0a+1-<52aF>u*Wag$xFJt-E5ygXaNcHoO*hP!kt(E+F1JCvwe6FulPZ}Zu zus_qo@&DL7+lkPL+m<=RM5(Dv!5lWqiLoBA536dLru!KTw1w#*Vc6QxZm6GLzqL}? zsq_>;dHXAKLKhz|%UyHrYPv7A$Ek+;(qWUphITlF%JH(X-lSnuGguZm6|BG6bJ)Xb z=^=cg(JhBZHEfwvjtk{q5)WmX)gI z=-E@g7a9NDAH2`eqFp}Kd7BWZyWq|I_0Fr`5a5F&D3IIl9YNz7ntj^h0mSnbfIL>_R&KO!?@fyu9YCw0Zpd-M_BEzM2vVqUSTzGsjx^ZLtcMK&cHIu|ZJ<0%wB0X%8n z>2VgYl#}f2KJ4AJ`J}$D6Yp$Q7_KPq<67iSmc(ntvC;U{sld~$OrNg^h@1!}(vaz1 zIQSfc_w$_}9L>NGqy*|?J+PtP#EP$%bUeM~r@W`%R7NBjS29YW6>a+jlAf#)ll#ab z0NBnUWYcUoMBUJr0u=Jqvj-Avc$xuEXzjsNv|^Iai1@2_M;Bi0b75~rWB z1K5Ae!IJe?14AQ-`^Y&@xqaouM46zbBDo(IPZvY4`9qGsHb}%u@T=Uq*6{nNY?=Jg zg$s1yf5k$%3c;D9L0G4ppA|r%xQG+P0v-;vwfH8R-lB`6eY5hQ$u~$Y2 zLC|6Ux1q+&&dS~_*yybYkc~g;K>qJ_nD+wq(IO+42_WuI>kdBVm;mz8JWjcWfMS6* zXZU;_syZx|N^J5W(5xAwPaHAk@AFPjx4`=GeCMP3-2?M>j3(&&`u8}cFa$7I_EK$- z6aBtR2lU1;<)#Ctz4IXyQ!;=4{{7GSJr-?DG{8vADTD|5ci*i7AmrJF73C(#k$#MQut%x(%Z0d^wJsuI{Zc z19wwedpZ8A^8uy{*l+84FKTnk`)^pv$3TH+HpHUsV6FW`!hiY0emQ#Qd&(9|7vN0# zWC$T7Dn!v=hfo^%47bq6ujGvrz&3lkql(~_UBii6QjMw?8x}%>Gk~;U)v7PxP#p?u znSz)AJRf|&m_$6y=6ii(#6kzz7*5!RF=dl;sO=3TPHPnls0x9u)YozhaP4RGd|3tZ zXbM2i*O$(ksv4sD(4iGXPh*mY%Y5kcw5}Vk_*Y}lGT_0n5U`+dKSfO0Qt>E?sUNDz zTK^M>fVapu_ix%pryrYjp>R&fK2k{Dwl^1YUFK-7i2k{w=c2%NBU2RWN*Q-gXLHQdF2ApFATVQ zOC=RQBXASN&!^vM#;PGH9_p4CqwuIkV_@joTz8}|fH}}IqpnSqGDcLi&Eem8oLY5k z?ObB8M6}tc-c(n{Rzq654RO8lj!?s27n5But!HoTAYgF^P9-_hP+JY9Ez$>gu)jdW!8*6)an<&F=Zjs(JJ)9Rw-#<7(5KQ=g9np&NLU*N0mD$N;Qy{D@ z7$*pg0D+`W7K17WEMF_+I??h29|{@WTVPH+pq*xU0{ zOKt5XQ}Q{nIYQcY(n?LWP}*W3O3X8WZb8REfKy&k0TDEeIwOp-VCV@fkl*Z13xpMv zjMnjR3Hf}&fs$wLGhPtdtoYXB3g;a5)Ut*6lK7_Og$~tmj-9C_dWOV2c1^C}hzJ-z zML8vPKi?=}F2%VWyDavW(;o@}v-SYX@cHLM^>cqbA0GEV+su#xYy}lA0x17RosG|S z02`L6I}L_1`Fn*og}^*2XXSCE(F`oPw(FB=+fq=J^s1G)QV5$Q4?eBTomBH{kirLl z&36yHY9S)$lzPB*g>dki6_+c<3yllRkTD@Njy0BnzY5<}l~cEYnh_Q2~7s{=7z{jqf z<^eTZsUfZz#FcL)diBNue3>80c#ULRqoNOxpRQYtEx!-NLLrt(g{1I3<;_}^B1hRh z2`a2QOyO#>k`j>z)*8nPNg@?{nys?fh%q0ye_3~FFCI?hi2MR`fvTFNtLkGW!0?6T zW#+I!)$>k|@siC#yB#LLrIR#?-^jhIiH9*GY=b-z;xs7}eSx?PM}TOyu?342g>8Wy zGIRe*8Cvehi3jfkWE>AbPog~8(A?Q-Gva=!TNT&~t!=$->ZG#%8xmTEWaH2(`pMGJ zTz`iRu3Ve`2%MNKhz;rtQe+DP;8CLTh(b>s(8TVIUM8`sPWx^J|Ip1{9T8?7*;6wh z`7{8FwAHecO2c^#vx%qStLk`S=x-BWp{ZYtD_S+~oovb$pC$1t7QdX|?jPwh$k7Z33x@nl81}~ald8f!wi6HaO8$W9UD0<1K(6g~N z;9s)Eluo}^HF6N2t|G~TTVr2``ox6E1*HKyGTVw2^08!? zyq-DHAy4T~cW-FC8dn!a!1Zgl)j*WgL!mfj35f7bS(XsDlA}}%E^MN9S?n^MA7tOq zVC@oGX`#cRYTbTH#F91uybcSVZ3k!`7-Q)#2(HV%x#Z)Fkm=Z-9E-X9F}0&yLsAPE z+}1dh?a{rRqiP=QWfM-?+mS)^}db(3NmXhl8Q{VF)d_wzD zKbgsifmR-uRfcl1Uqr|^jk}72#ACbeL?5CqcJ1kw2)V@ZW!DhE2t}~AV*LqSqS#2M zF7Z^EmeRwx28u7}fSs;1#=MnIG}kv?``{Ljg2uKSg_~~z(31Q!GmfrWVn)KD1T{s2 zw-TX@K%+kv$?t7r9)HZemvXNNC3CpO(2;5Oh?SX?E9Jkg9{6lL&gG52OY+T2n1iic zE$DDTC69^7HQ|Gyp2Jf1I4jKQ2%CvL?xKX(`>z%-s!7X$TsjS5L||L92i>SlV&Vu} zpVC9+Uox5ks0+i)*`ms-8DsJqg#HTWm2-{>2RK~@8;h6KEhi1HNZ9IH#w=3hYHYvK z$^vzI!BVH57IyRvybKMMYtBd802}`noS$E}@Zg2#EU%?bFF-4o<18@uCe0pJ?=_7w z$~Yi;yF_@LSQ+&2B-F=&olWdK%m+-l$qR)oH=0KS$g|dly7B6+?anp4{(*HJH0BcF zt1VXA?qo3u4Ht`~#~*DJ)=ryS(4ymDnJsZZWqm|Ju*|BZL$ zM7-yTUEd-@FpQKO)GKmzJ~$ZH;+E$3pDygU-Vt_{)d_kXe5)q?KAh$~qcp?iUoKQE zfgRHT&~$)#nB7OwII3MSZ)~&Y4*zp*pDcQA^(M!QNODHh)@DAucXHw_x7_{aX<4z_ z5U-T%C6vHSRRKZ%oAffG(i9%5_saED;qJ4&1Mu7s*9f=P-rlFt?vEuPEsl}P?m?gV zSU@MSQ)7)wO}vha?gbwg+(0UU3q>u*hd;CcI1nc|53>^&9~bW0Hf*19RRlxuyA|s} zc^dWOjvgFQ1h1NF)Q0(|4If`F4%GEB;1zL!uU~pghD`qZ&N`WZx!AW1v$dLi_k+;J zZcGz6T~@cEd0d$6wAt%eQ;j4p_jmr4G|&0OyJmZVzq$wXaPwUXSDOaZ#qXlq=j(a` z_$d_-cvf8JHk}?%Za4&d|CsC&G=cRAE$F2gua5p)dh?wpg(hD;DQML{@rnz!~^YwnVJ{tD(^mO_~V8|2359bVs2z}}UD zOzmsu0B@0|S6%V!Lre_pajlIjdER4hrE4@3`za9}+I~ zoh8t)fH;hEC2ap>IGNd`i2k&`in_wDw!k_+SAOZ{d&6oRvA^evya!2CGaWZ9zUKq! zV{OkM?W{8F0N2|4(qc^$>|;3UdPZ+YUPgL^>Sn5BR@gZvc)0W~=@gm-=rx&7T<14j z#o`iLqY><7;o;NbY=y5bJtv4A$$iCnV>h+5jl#OsT@U13qYh|nmo_MC@G(dIrx0@Q zMSVxPoWBCJ8!qrb__g%s8S_WU+?(2eUD_c!)7a8`!i1M~V1I7qFzb0}uIGPFFuL-o z!%oxL+y$S8?!B0n_SvXM!6E%&xb9*vG#Zo$@*hqHse%U;T=?d{zRnb$9Dn!j2UI=< z4`qAe|EHvemi~zV34;ru*8j5`}%gPoet;x4-e3(mc2n$ zI_qwe;@rue`#pc8+n<(+vS?DOXQNt{d_+_Lapjy7$XBY*d)p*zGBs&iTg-g*Ril$% z{ow9WH(DOsDH5{HssfylyI}}9K8rzacn#9qg8!squEMX#+|D3Z(yM(|PH+3T#KGo2 zA1^Zu@KcPE;>nWA(Mhl1WnMbq%;kN=U^}>r~>u5R0-PD}0K>SmYPc`%X#h*vKQaBY?I^j>~$4q&4>$ zToFrJOaNi8rMR7!BL}1!sFSq_;v+QmK;4C01=fqGlz$22LCULOz#abrecAPqzwqBM zBkG|6PI~0FsbaAYBOJQ%sD|-+d$M&AC^ceQ&EQ{gI)NeZQ`+R;En7lJNy3WATGS}F z`2s$|W8?E1HFFvB1HdSz_x8nuHq=TllJ!hTp1;AxLz)|mmL5TF2nx%ApM(^sTfvy! zkHk)|dZ|vdGUC}4N$1Y0Zz@&_V3F;^YJk#0oGsCN)uQ#PTLN=$CATflm8Y@mI5I2W zDLVN~bCqjFFM&VuJ37bNb)s|3s2d$q;Sg+{RBWPwBNHF_1t9N7E@_%S{iBdaEuSTM z4?#*RLImu>SY8@2DCwK~?v7LMpyIoByFh`M{v}h~?C)h0HOta3uaw*__{@+B^IY$h z&LBTnH=q+?ia`kSK&`db(9|e!5IB5R`>5wh6l*`*v97UPTU}MNr!y3o*fSKiCeeJ6 zdcDUW5-B;q0k~4-i`b5CZ0VYX-XwXNmKK*-rX2&;Vn}Lct!2M z?Ade&YtyI-aH+K+kGPbyI2Z{SL$TX-5?E265|}_tr}7OjaNEEx;T*&)^V;x$-WG8> zMcJpKAD1uDU>?lXt2Yl_FgwiNT4eT0l0zX=Ycn}y+XTd#R-^Z!CqX7 zf?D1(QF{w-AYzx!w|;X;E`O#pA)ZM9@5fg|5ADwmCl#9#yavr_!%0%>(3yCS!Sg;P zTf3r?f*^2Xr^@Og(Kx|)>3if(Q-m`+h4I=kkc`iQ6g*(b)!3t4)`;b{9HN>?Ayb(k z_r^xz0FX<)L4lIo7}7|cPZLE8yo|kOdgUq+yJBkmg#N)Ff8-?7!>^@jwvCA0`QX9X zF@bNlE7RN2e(h-YY)1O9=Y*=^Kwn~ehA31q(Ii%jFha_eVIcX>?5lRYW(ekVt$_~< z2)H4v6qHdW&(BNLFR3Q~D+^daF|!{*W70Ox25_ekeJFbi$#PLm0L=lv-`+|>=}pu$ zM4Zyx$o%%Z2<%hTeXz|*t#8^&i-I8$F)7V%)n&@3YYq5kTB>Q2jX%Y9ByGtQVU2>7 znqk2rWm+_#Xsx~$qGjDnY|SItLDrktLUjzOQKS2r2=qUbXg?!cvR>VZ%1;%SidV@8 z0u9IY-2aw zOI?g2m8e10()uh{JBQ{awcoVn7YJqM1F+xHK3Ju##6C>SP6B<(m6|hg*-=gbq0`K$ zc-et3MES&OpBY~azg*QFWvu5uxiNX>8+S1wRUt!vQy?88B#c4?FKV~T9|sS?$*czg zRk9*dSWFKzf%)y6ZucD(0pX^A-leNjrOv}Nh45nifWAcqBKjetdVvKdule0IROyy}= zLyVyZ$Of4h`;W{HNeS?Z{-8t9Hk~h%q>5h%zYE`U($H;}KP3Qn|4}c+Y8Q^6Yo(jO z*TtO|J^cFhw>|+3}8LXNEc{rhr)61Rn^S%c~`%C_G68oQH+#12lhMT z9y#)Uny{KX<%jqVdt+tSXiFe4XEFtLoQgoh+Mi~X+(5FUzRcs^jAj4p_9TaA?WBle zQ0SHOCd$M+b}?6m}c4+;qt#oH(Yl@nmufeBms|ue28<^3~pwmimak)1$o{#&SiFse; z4B%c5c!@?G`yE;`p z`|m2xhp+N1Pv!jFe~J0|1HkS40#}uITGxobN5EM9k9QBte|(|I{Xm$)N&q#(P>xu6b&DpXQb;N&YLhu+-3D9*or{>!Tk@c^! zDo@o6+DJQOe>axI?*#5flM^Op8;n;P%m=JK>ZpHW4?&)y`j4KaZZa-3^oxAy+$**E z@x++s{y=>WowRuAWaWx>wD%4QXd(j;{RvS4*W~aC4A@n#3r*p4(8x&0#drSIvXdIw z)}O{cGY$I*(AF-jD1e>y^l3*+U&Kv|q>GHn_>(8&L@uVKhg6vOsBiRa_V}l=eWIFQ zwqUy~8tzw@NiF>|M!XpMY?b)Lo!t*i!T(3oHw9?|B;9sT8`GM$ZQHhO+qS+or)}G| zZQHhO-`V}|zE)IJM%2^EgG`}p;P#4{-9TQ9TeEEh6W7&w3_anmJ2wb1F>v1ayPjh_ z@4G9#5xyiUo1%se)RC@%(db4O#;avb)3Lx*|`_F7!CZ1EPlMP1{p2&qnu6_S-&muCz15@NF~+KO13c_eXL;)?N6^>zQY zw=#(pj&utHbUfDwq0IH=f1jB9-xHV?)?^7cPcDp7W^NaD9Q8ytS<)R0ibgsbsy?FE z-z;hW>S470|9Y5Zd1Hqafmx&TE7vHrBQA+e2@+@r-Pk>Q7AydhmQd-&Wk+pC_+iZC~)i^wJC|4kWh4$#+01WZXW~jPUih~_1_%@&tBPqM0%yxkKYO{eYTv&M! zqE_|w%c31|?L8ajh7p{u?62Nb^SsZd{jGxgOS00W0d?k%QBCuyEXhf zlL}cc{_4zBsG72ReoHZ%m$R!R0K$ahV@(C4+4t}fNID$&%zyQvC%4nn2hjHM{COLh z$Zr;N(|9zcjnuf@Zx(aW_@W$BU16jLHgt|;Qv1ELg0|oYE30eZ1NSt zUf)gKQU<5*1vi?Vcs`92jr0^4Y}HMFwyqA-Ai^)THJOx#u1Y+mj0IbY^r(6)Bh#Kn zA&=^TqM`{=N;2K#jzmCI7DPDX>CIE7x(m<|F=`Nrr6v4=w)2D61+4t3lK2H@M%cPr z3KohsY*(kD^QuTsWDg6u)V?xwbw052pf~dJg?^YmsY)fZtZ|!4TQ|ezx;8~&ZIwmbWk4iIZyu_;c~WJc@(%)U2UF-0gxwBd8<&1mJkP5tP?RENk)j@0x^Jt`mAmcOOCOi)*xa*=4~PNYKS2)%aX={pH2wF zgH}_=d^I_a9x&x-n0ZQL$9M@|$b4osX$2S8s8KInwTY}G-d_K0)1q;H(0ggUs_;|+ z;sn=C;%^V8N`6i5eKJV4Iqo&Cg%p6=*8(+J961rpXdu&#{{euk=QtlwykmrJtfIex zY-9-!LgQFOT~@)f4}{E1Rb0-Ly>xOLl#d!31CWF`0tgM^uC|6*$jn$g1B9>QVUq(# zm6}LX1O@8R>!?c1WV9e$a}2AKGO#=9f~25Y#8oM^%Rq4xh_0}0P7u`Mat1-o7JCuE zKQ5~tyWW5LUB=PHiueyNACat)C^*TDi$%R+apj-pClnm^RE2~BDru(@46as}VK{7R zH8fa)0E1kAx4~2X#K+C`9R1FDM!8b_gwE7^2s6D?`xrLR;TE{;&FgiJMtZ)cCtltl zf)^=l7s=UNJdE&L@hdl2L@m7w5qHT|qm;m4 zx&!(dGV&E1)e>20IwU4p_T3{UxcSG$XBi6RrOhkz$RyWZa2=P^+Z~hG#Is1sz&yGn zbIHqqi7O^AvW7U426%KS$*^Wq+0Ck`0X!k9JKL64=UApUQYlwx0IBgu%g42f$v7BH zlaDv!yHQl4+!1hF*IORp<$10+UEWrNb&5k@Di#*E-6$f&zOW{GQsm5{5MPtzrR9Qrn9O#M3afO9My zZVwCB$DxU)SKVdXMy%p2&_wc z$LfkO(2)0SK;pPo?SfhG9L5^M;h;!%LeQ+pkX9|C%*a81nE1*X55!HEOkbixHGO0~ zJr73XB`b~Ya8uL`5X|(+yi241@34v^r_b$(y{23`a_>g2U zgswE_s2#MISMJJyRZq)FiaoZyH>&;FVu~?qCrDE_oV6;Gd{(}>knhT!s=Z3WsQ6Lt z+U-!4e<-~+hdS$m7k?}8B{j#6CpDfoYkLUJd+L}eut=<8kiyhh0q!=m0AfU~G!>6- z{Y-5B#V4Fr8RTlOVnzrL+Hx-3QN-pcf0hQQPZ0K;$m0M-Q)YY4{Kg$srs#pw%&E>Sbl(AWpU;f1y zE`#l-9yywo6K>qs%2HsngcpPHVx=MJ2P+5ChRabW`lOVg3h9M&CHms6tW&*S9PHl%DB)1Za+W67Kq>5FX@m$DS znaWmESW1PC0HEALC94cN0cC)1047Fmk`&`r0!^)>g-VsglI0WHvGGBbt?Q@D%T_Y! zYy8%gTxp0Ks%wkeb+!LeE2J(PN^)@}9jKh->#FzCBO-$d5F?HGWu zVV~~JPj;irS}$3&Tv;41GO9ZBfxM?OIiQt(>GDVZ{N*Atltei}fX!ji9$+J9xAR#+ z-~~Xsal~A@tSoqtc#YaF7E$dZ+dmsOL<4Y=9n%887+++;wK+PyY6XnyxbSeva(dOt z?4ofo;YB_Jp3c6fH37l4J%^9+QBA16P&jzn^>d%mA3st&?4?eIu33f7D%@8bDrIef z0G?)!1J@RWlN7tc{o=piOZ#1cas$(;F}5D9?W}kqi=ifE7a+&TI!SmAY@;v5m8GYe z)ZJI%>qt0W5k>}2;avb%#Bq+=P@XJw?2#frjXNg*s6uX)^ehvZxcO2d!XLBfK}j{G zR>gU4&~}zHl5KSy^2SQBmpO%{tv-j!L2o}1IU&l1O#gc}koN69 zyF^%ktelBOchepcm~;CQw*bbUbn9EA0Zaz{} zMm;Wc(2b8rIZYMZeH(NfV=^PLLiw3}ie=Kx<3 z3@vhsJCVf>mk7KI;DIc$Oys^Qo5NESFAJn|`71kA)gQr!oTr<}d&@S4A}d|sPi+bL za{2(@%L*9%>wmWSbY^ICDor}R0|MiG%lN5DQhU68U%y{+Ru(3DWOINv06+;Kx+7=* z=?ZXvu`s2?kpQa#xWsL^3|zTeVQWv z@x48Gym%;|SdAPZ=Fxh-oS(N_cPoLMUPTA?+TUOI6MYwZ*aiW7p7`|rKXiOJfbZ+w zFAUtFJ#O4B`b-b@-*?DGdl7O?Hf9`RD@z*F6%YJ!M4w3jqU8-?JMGE3=}elM!kIjr z`ZR66LL)XmZ;c|>7vrRxmq9`m^2&{kzEwn0a3&xrJ3ic=AE2A`gN>P=PI8{CPm#1S z-9#1Hx3fYz%hd0u=azwkt6M~R?v;0Qc z+aeoRvq8NFB2Y^Un~>H!Yi%jc10 z@ZVwhum*!zC2EGP6_LgOVXS4M^(`7A`o@l1;DQPSWS^&Ae+FSoYwC>$E`-qqGeceb zm!%fJ39i81mQO8As)w-r6jCkZu`D`c+J`37`7wH1^_Ji>>%Ya3?k@Gg`k7>l8oSe0 zC0DPEv1ANF1m}iRvY&|A`jkx5x;VriY~3y z<*M$;r~UE*qNkTxJ#qrV^e4_tx+T%b8&SXq7=y4mg?PxS$xY>2R&HHT) zFj;Cck+ty{*%fm7lfo@XwaQSVk7)LsP8Y)AHuqK|mka)=!Yz)f6IS4w0cz?8YIXF%!c1}EOQSuqatKyfrA*LfPhIU8loh6rxCb1k5 zJr_P?9LCV-B1OIK+BJLCzH@l29EPgzIYp7kO4OV6co%*>cPi>6nW1!CJ>B#yKp*~{ z;t^WCc1cTzxPn*Ws%IjEK3v% z3j_>FuMx8dk!!o9q-nU31R5+ppt&%@NCrt2q(@xBji6|R7eFUlyg^Z+xN65RZ}>bZ zBl%nUS?NA2UBpOPj^Z6Uy27zO<4upU#CSJ9L>=)+GD45~sFL8C}x%I0zV~83XOJIQ&mn>IA_{^2Sq)3%qRh+UPe#JZv-{sRvlliq8&3zK2<88 zS%sQXxrt=u#6*>LL^n_n(45bDHA#_a)t8jnV5f;v^I9CjYDXeFCVq&%NW6*Sb?&d- z8*4!@pK+2rPA1~sL7;NhisFFdBT%Y&0)a`C@Y`FA0>9tIMxgw z(MDT_<}i_Ts%C4Vy9w$~mnC*nF#hFgzEQXac}7B(-*Ba(b4&_#!Yw+{Xu8xNbdi`e znW-;W-AXQtEW1p@ohLkJ`E!gCS(yz$4eWT-g?v!q6*c4N0S;~3d(HYTDnz3G?bh!)dYX1oQqleY1!MP zBEGqmv!uvYyl3Dvu74!-uMKx^JDb*b*Bq=wKDAqC=mmiTU{0d?1WV8-Y}Tvh!}xKO zkhaa}BjG3&G}b?q@VbLZ1;5n_ovgCvHN%-PV#xorL?-eA9$_+B$IScW!iBzLhCMRGKU z=jX#Q9Z#$3n1gk(8QKS@=6z%wc#hR8vd{?z`l{oB$3d1)H>#^07|cudZlmD54UmMu;B2I6T_ArpdT{e8}<3L)@~lO z_PL$U$sCl9Dnp7SgsR?wvjf(V6YdW%wnD=nhpPb)#q@9AodUAA`;l7|S71g<|`-wB5RSyx-(y_QplBX}Q@DhqhDFxSyx zv8kvTo_wP^S=*MFdTP{_2@ns@65mzrXI}NgeOQV2Lp7#NE82i{5Z3y5E6zwN6p0N* zkERUrq}H5Y83vc08jLNV2w9z%8?-&gj$3u>V8|Y2pTdm^ohxugRhU_ov@bn4EBUSb zJVYdb#b1V9X!TovHr_86eOYzo7WBA?of)6ni>Q?s5X!4XZMn8v@nRr}YxrTje(|I& zjFHm)6{@Y4fqx3DZG(d2oN2AcU3xmTV)5}`KGS0GR87c!ky|wS*eom_@SJezb>vyj z^ahQ4-3G3&$ARK@xPQ)hY8hD~k+6+;^-<*lU^bP*iZBNEHmq4{su@}&XP!<1mrpuK z`ORdedxkV9)VJrUoBl0j;PE(wf4M?QtXmq&*L{wR*v?11TU;y`o})rQzB{!L=K^Yl z8`}j=0JasIX1l-M4M*UmdwS`?=EjXfpLG9B^qpro{lWc-ixGKDiC#Vj;3srZwv^ctuy|?g-if|)B9&d?%?iw zbe>b(Ai@veZPv%z$^QD3^Wqn8SB#umsC!&!K}ic>ojSD9W`U_-r?|wq2%>@DVA8>S zo{6^FVu4AOgrLy76&f7Cj8&n(C?;h$BAzC;S`K~n^ymo0H0S~xJ3L{xwV`DUv^6pE zLRM6=orNrYT==(sT&9bcg7548eqitI=oStNhd>?er_@1Sbe=e3Kuta||Mx%~)S5J8 z6TT$C;G8JVpq`9HRx@kS@#?t zR2bD)zTcgb6DjT7tgxC!(QWYbFJ8`AM9Wy#BL;{0P)%cww+}=1&MlMW(hEl z3N}5NJ+lH+7DXm=4`jyvJG$2PZ*w$cG|no3xcY75Y(Wt906VbeWac9a6y8oh2AID@ zNm;inSaLF9;Yyk+zEXC9xo~7kv=U#j%H)MbsFpGXoQ``Nz78ok@e&z0cSg?wf+VQr zxsN6bqlFVG)BL3$XB{bZc6++n`}n+uGBh+!g+jUiCCj3P26+mxkXkz--rP0BcXkM1 z)Ua_GDN8&Xv@*otO?_ADb2O2_>36>rOoiCD5o~W1y**+O7oHKDJ-Rv^$lr$)zH}J- za&`FwaQP%_&BPF6-HejGz1XevZS7q{+e$woEevI$L6Dx(W~A(ejM~BWfXLEsOr48> ze5!qdq1L&z5sGzv(&EQ;+tfNmv}hVYL^$T1LSFW5t~?K#6?)G&uRscFya$D;qoLz% zIQ<`toQB7rmxPeNh4AlXwC+tgxDL@kRRNT1L)cFzmRvGTBz5?^P*Cu5Q~lX7Z;a`# z(Hbcn)6@S*^zEQSY{klRxM8UQl}RzEjOe4_r1bNju*L@|qILzn_7%US~c)Xq(Mb54*hFj)9GwH5o4Toun377}H zs+ETBX$rdOLJ%nH#CSV(CD=GEQ~`am^Sl{6kEMZ?@TzSrXh${uOdL)JHwlt<`P#ek ze$m5qYD?*obh9v#cyW8aU646ICvu(I&&*!7@vqqiJpu9q?SZ)D2$)g!1eE$6^U3%Y zf~hPCs*C77CO2W2$W-i}mM5IeiGj?$B>$h&-Z~NyT|YY|_qoQZ;2u0S-Kz3lOd}~( z79dl21fn2fHOQfU?{RrX`gIY%zD{5M=xixw8$4pvmPlV4xJqeF2D*HJ770}SUbH5i zkZF$!918x>h6wA^9s>+#Bt3m(Yg9o0P5X5WtMyiY@~d}81K0C&(J`YD2Pvz$woTV<>beeXzTKs z%R_6J`e;|q@`bK0^L9gEu$_Weo|_fODndh?pl7kbdD;RMoJZ7l(4&JdT*~)GCrRLR zh;mrqYIGcaFMb(7n-eyVF|jJPc`~(h(P94}eGtz5G3jLUT55L!%2)_Ie?}h`YFH?K z`u^op{BqSN&rb;4U5`|=KU>-I^pU1Q5<0CO)1LE8QGysO4t}+gb0JuHMriD*^H?>+ zPNh*Qdw@46!equo*n}q>j^0x6u0KLp&I8t+I~6%lUYQvHv!AE_To1#t{MV|qkH4^) zZ6uI31AY#jR~y|?S?P_^W@IIqE~=YiD&^EW`$nt)PT^?kFF9gg^l^$>v%xtUyLFLO z{Q|3Y;6VI!v{gD1RZ9Y21-5Mv&e&7#pqIa4|9dVc&UIpSDzr<0#@uyv`qq21FwFI2 z@?O2p-E{|GoxSJeT>iGe5ajCD>O^;|Idw?j2Y1y}+v2YdOz>u6XP1KJAtTBe1}xpJ zrv$hQm|#0j^zDbaPv^Q!^Kj7v-=u&#?3?a!YuKKYfIgS~q+@NTzf6wW4O~ikIjVMR zj_lD{@a{f?#n|YWIq06ZpCRq2=PNi%INc14;rF9}6nN6EMen7?Hkaa$c5ptOo3wn} zRSWcPr*W;^WvnKTHK4#@sS=c&Q?*bVYQ4I+O|A`Z6IEi_VQcK)SS-vM@mt7a85#LB zzPahsyHc&A?p9l?u7>_J-k6RUTW3dHDy43TOk^Xj!PA^IXP47UFoQ!*9X&05Eg%&~ zr!<%VBlc>ZTizx*>r zBA*3+Wl1aFFK73Uuadlu@2!8%{%Xcot7Hfvn5nOK|KTA;Q{$O1{FmW6&eG$fT2*Z8%k6cO z;uWp&Y~TDpV4}x+<;zK4tmYBD{cVR1fZGW-f=JtXFzW%t(ECG&*B-Nj)5-Tf9kYkd ziT2C4TFYDF%&1VsW?uSA|yk`h?wPMi*us`q`m%`>2}(B=L4RQR~~k-(V1Ls5}=uT&#P zDc#fc>E7Cfy-k!`5I#MC#{xGlnF{Lg3LO^TXu!^hp8}jm4W*a~@C0I%zAhY=s7T8HaW!FLzCVBT89p#%LgGMO?Yj9m+|4ofN7i+@)G>{E9Vz1)+l1{ESIy_DZ5dM-fACg z)R=k+8^O>$ zL^!A&!38#4ZCIL7SFC@C^VKi;M3c~9DO8X(OE>q{2)Tg0O8 zdcRCD!9La11NMeN7~y;rf`6b@1j0{I4>ZLj`4wVKe7br;eAr@aomx|DwALKsFKK4w zP)sfMSf`Cszb^1{^=|>t8nV3WCiJtp!`q> zlal`6(0K);UsPH}Az6cjCqlC6S7DaqVuMsMy}U%p(P0xPK0(w{8`V{%IID6PEsxlP z&P9D9gyw}NN_+8PtWnghf`AGm9zkq*l(lhJhDKTp0R3nKJNdgqxSUP?Mi@T@GU|6; zdZ|ygIH^X%3UPd@;#d{+{Bsd8O2i32J11osZlZa+)yFC6r<3}a(8?kplX*;rAt6e(Fv!Ny+6UG{s1uziJo zi+NOkV{eK~_rD@7=hca}O_MDh7B}$;1%E*q8=+0dGVHYKpViqtVo*58*6S+k)IHv; zo_^t?pl!Fm#%jhf*c01kX4f|hU!JgI{>Qop&~2y~W-c(pFxssEKxlp0b%Pynejicc>D5Qm&8PWt-yw-VFD$R4<%L0(U2g z9uf39vs247?nzsX!S`xPjXZDVwX_JO34}9=B`6_v0q?J{aEw2u(~Q=0&k-eCorZOk z6nuzt;)#WzI}tl3nciqSpw%RHOf14VaUGZ$I9ku#pLfn7F<{{(wHy;!)`}?xw4tWb2SYsGb3sq*(~yR)^XSxT!KJn zu6lT=>k}i6gYt6qYUuXtt_<$qU=Rfd3B=lvDN%+8UJ-F!SZY*OZ7x(%rR*0@g%Y9a zHA|Qprw^$tGPix!mdmmU-)Xbt-vEk$nzmp&%6$SSw9G^`>=z-+!j2j4** z!Euglx&Lc^y4KvLi6sODJo%XJO~H$=MNaW*wzu)*Q=I?^E^!sYZx>wW112BiZB>6e z*knrV=POS2_K94lo$RiP*?C$oR1^KXLXlnOp!_ss_(t`bV{@j~i4tmcrRBIr+1pA8vB~wV{6T-zi(|X3DgXg7OVVOJISU%C zR|Vft{*iy-(_PF$(k?avRl{A}z2;PK9^0ZyakGJ%>HH{0QBR8r&^`t1hjUvL>`q;@ z*_(DB9%-NXrMMvN`S3VF`1{;5LvVKV%TFdUR?xFciDSOzk?NH>e0=r@>nXj>;ao;j zuex-~qZ-3rux=1!D@iQy2yZ$38i$9x1IWK<^xb%{+yI4SOa`&5t!K60Y_XgXc?`M# ze7Va(C;TnN)pMQ>Pzc>s-6>&ko&gmVzw{^KC}3zSRn@j_%Q`3b@9%VN*o%;+;!_%Q zB2=mhq#<^(;xIbp!9n0uEAeRvR*XF=lQ_%%TEd{2Qs4LNQ2jpP+DW-Hn69A*w-+bh z3NpJ0H*fQnHj3zF8O{!e1q@^Qy+b!Y%ISKFZ3NA2WU&iU$*iqb3!}Ywz1K4Ig=BXO zbKeT=3M^+^j|-m{jEE^(Oz9ECwq^2^`+Jq-FSAYTvyAA+Zl(5zkCK57Jl@}1PdnE< z{2zF~Rk6zc3vihK2XGjfSW^51faL&h$P~Q@yQ=@ml}mtdfO3#@00&41q)C1Ip7)iA zkKa#T6Qcj!Kppc`3x5hnLi2dPnMg_S10*Puu~jUrmS^nk+0*j!~a z9&{u_;n`PUj)Tpx%rt84GkA>!SoPXy;3RJ9%z&bD7E$4>M-dev%}D&gWjxLII7!Q9 z14MMG6(QXiVzufgaLMXQT*>NsuZBZx&tHM(PX{6v@Gx2F{P8h8IlkVZZRd}74|>&t zv}RuaS~9h~U_@7riHg+Z9)R!X-qH8nJrtBqA`|L&*cyz^KVIb}0 zEIdYIhQE*Igz`W*q_UaJ5}BApjLKP(OdJ1HC0h_56EiWMuRef9ty-T z8@ccZ&!v#0Wvo_U7iCWSgoXzG;Yv7OqK`?Q<#w3}(kC3V7bec7?s6fK^i_^C`3kUPbpOO$pxc*JzOY~%GY>f%BLrzR^aDxK6!Z_V1mD=9} z(v^nlCtBP-t@c}+1waiFQ#Bcwa?IjM*oNPlfUcC^PdMX$o!Cf@?w@&DD+oEE*; z`{?z_Lh})yJ|IjodZ`;hSuvT!!nFVjdY?5t`*G4SJJ3Qk7J#weWe*?BkAluQLPC}L zi$TW1yYmSoGS)}B@3^5XP@>o*y0SSB15J!U{iyOqSNAr68u#Z}pqSBM7PT;CEOH0c zf&&(_fKdjGy(4v+AW}O`SY2iHaP1H0A}7QH#VUKU)BbX`5f_KELu1@f?0OVxRc*1_ zoZ;fW_1T|M6~JNf4F@NT3Ppkr20C*NN(6AfGdr*3+{$>|j$(~Q=9C)S_J-9MLjjpPcfsw_faKvDFU!0 zvOlcn3&cvX6}3IOSfC>X+uVeU1bBozxJiVz_V8b$Il$^~)^+6NzGuLZk)EnM4(vo( zRwSP7F0t;E;*4cS9`uil{7(O|OZF}j#ZCOZvN^KvCI{ImxWLM^GVN}K!4b+eiFpP{ z+H3R7^uY2)hC9~irMT68VcHliiaZS4Igg-SQ)6E{wg=n*Nf7bIr=oYl(<5F4xa9(%1p-6gM3t>KvIFxhc1hyW=>O$BWq*$xdcR zdoj?hQh!~S9-F}~)W~A{WpKqg^}=}2rg6LA!olihb(mRU?XZ?Dd*GO)3~${%UMBlC zno|O;`Sw+-;&fWlw)-u1^aETG4mcQBO50W%7GVA0hX8GRtiBZuty>s7t#Q*#%AGGb zfK9bG!uLY5Tnz=gPpdS&dkiKh`~{7~HhH&vFTTH7Y8I~KfiGu)RL0UN=_(d}BN154 zSSas{P+=)3pGSsx3jAyzLnNARMihe5CgKn*yKe8mhk7ITPchF{k9W*gvL^S+MasX< z2izT`OSa2uWZpzpzIEZ6hA-O^uy-I-g+c>!H6Wh9G3uMHg`B=rsFLVXmh8m4^8hb7 zQyWHQ?1kJFJSdlg)-GqVa+rD$vDq*Ot>KtNftV`K5(9+xHXREm^X=r=1I)* znXfesT~9o;ytt$RqW+QNmhc`|aYHh;Ov8sPh~ zMWbu@iv2nf)3Wul{Zv2CAIFbIe2|9c+G7bKsyLcUx1?5sXxD5CCG??x=KAPfgTWJDEfXYw2cUU9n6_PXii{F-}Dj z2b!nD1_7Li* zhkib#saV^MWHaHUa1Sqb z{xZXc*uIkSAd3!M{c`9TOMn4ol6<-GwuEbihmF(K8yhxO7lNofc>d|pC$b%D{DFz!Ywa}4Q=AQHh(+TOOt@PtG z9z=Y#SSo^`jK9pAD8tvds#@MmZsa)1fY|4pK{G}E;#34|pz3>>W|#4**8M=k@JXtd z`IiLG3Kf-&SJ%Cp4d4x2Os{+Ztu?Q}w$9fN$8B}1YUea)eC>Bm+jUb?&s{Yux$2@d_uf_(t*v#=(`npIfBT>613EbL?v-TUo0_LC@)D>6J8 z&n-KoB?>&`&;VQoxGJ@N<{-rNrfZZI$9V$OEu-!Xx5KD${T{6E>XAmP~qo ztA|FedQ4<_(PdfR+!infdx>JiSdR#8nW0p-sOcY{f_4o&n9|^dNk&S{gwD+cbYOw` zo6Txb?&B8XR3-dsZp?D2gXcLZ@FhZ$ys2IGY_+}SO1uG?#LR<@BFElJdzArAl6zKz z3q{55;{_nnm;{2Z5-jHIrus_{%Y5NqaQFxt4X5aek{;C#q9JL|0tvc7r-9s^?UtN8 zMy>ZH^}kM@$MksB9Xj~`0vzLgB2D(l0-$S>3;Xs_FfglBQI!_(XK*SP!S%wSxZj?V zCYgSt(zP^FMV48_o-|YOWp!u%3&KKwFofDIi<5ZwW^9i{Jii76GJWNXC0b1F@b-MZ ze$0G7KIbfuA%t`;Vmi@~X-$?@t17iLsGWNo841_|W|LWAWo7 z%0MPhM;$8y^e_#Cl84uKl^uWzAXF9YO?oq7-xHCPXI+19d7mPGIbm|*<$k=nK0H)h z-$boz6a`)!1Ngq{>ejCWPu_i3+>)gqAAb%uuD2?v?|dN$=R8kJ2+iDFMU3MB)i!bd zAp*^Zz0SjJ#!mSl{@G!0*ZPF@UE2nK+FT4y*3m1k)If(xtfUYzJ?HzU96JIw1E%rq zNf~hy`Zyd9@I$%83@X>tP!NxKwIh1jU>RKtJRMg1Z5u64u**1@;|f@;NcQ5uS-RfR zzxvih3*Ef3efVHE$Fe-J7{mgYejhfx$^FPU+T=O;N2-6m%T}B&!_}_zru@+%cj=`) zTw8WBJ^Q9;AyBJ@$iT83vJno5IoW!NK0f1jVQ{GtGWn?lwmHz=sm+7wgl?_jpD#)Y zHT%`}*H6ekn}2c>tJ#qp;DGPd|4U3l^DZ3{WH!vA4WSW{&D0E2Y6K&^O4ObK?jkv< zRvb>NssV(8n#=T!BC^7JBR*JNCNwpoA=R(=ryB}J1BYYeR8pkB44qd*7>$TE1Y*7M zM0rwoxAs#%)b_&X$$YO(6OWW0HKj5~nZryBvw<4RW~ozN4|J#P6%jyqN`LRaF~- z`6GrfusYD?`4i2zfYf1Jo#;XVPj2o(sPjVPtMD4o1^T~2!CLkn!&i}XKH_P2M%}B? zgQL67rHVyD%;*i-TFJd+4DZm{tRx1U29=5go^!?s1lq+I8wdG^H{wjoGbOPp@zMkR zU*yA_Nh>lrk%pSIwz3S%kB#M@=j6p;Qsktl;V~)NwskEGfNAVZr~BWthErHZQ+Ck~CMzxVrs-v{UJlTW2<-Uz z&_)`yH#3d?0_G+pU+=LOf>0<^z*I*c>gqX0-t&;D*Z-1}np2x7V;C&9HSgrrd3A&Q z(K&fx)lRHWQ&8ljGZp#JDAUa)fZh2-Ew!Y4@VX4T#0QztA{OM^B05W_HYDBW5q;nP z9gi-DI44^ik>P76)HK#!o3Yk!+~Q)?EU-dn`4Vj%2jdI%=)> zX#dzcaCLRX*Q42@Pmm`(b;XXi3lB-Sn4M3WO0iZ&Ku33w=+wkv%U`Mb!3#@P;%UH; zdg)DlFud4_N92l%vE*dq7N!$~=UC;SWr92B`96x0(-&esNi{(IPcO#zSWo>IQlE{7 zSm~AIH30Yp?1e+W|6XJfCauKcz;_bl6phZyc9NS0jm-?#uO`+lId{^4u|~-sO@6iz zw|e;3%h4i8dtGEV$dmTJ4_S1gP8;V4rYuSWj6-@t{rClFoayf3UD*_Ga{LsI*)Ya! z7;p+?XNVtA)0IJ`IfmGLLSL8QagsJN2OVA10bYT&0sxzrUn<|mj7X+UE*K>bWm#1< z8O>#n#~F!L(~r=XMcWEvCB%C?EdMeD13=Gw|^EQ{Aoww9Y?D6c?tEKrA=q|=eScPZa zR-Q@gElSac^d`cfk`aA&f4Xz4=PrT0GKUf?#1C_i;z*_behumrp_R*fderV4KzvM6 z(n#Zek0FOJcizP!R>8-!{VLc%%K5QS(%1Rvz>WFw6)0yP_>p&e@SqCd!dGPEC!&ty zi*hF1V5u2YcNJ0mJLH!%??K<n|OnL$9EMT zD2)55I{E_C+<~s@$P!A_6@wYI_27p^SJ7eb-`_88zrmK%_nsEy%!*11_^6oH8tTU> z_;8*yq84Uqc5t%w;PGN-$3Rc^go+@gA=8B!zF{Kbo6zN?M^OYzCGwGri4ejQxGD;1 z|H!*6%*{dV0V=DN{+hXD1dQC=x~E4MThGUc1BrF$hSUHW5tgFu#f%j$RV zyE2l~%yst~yjcxKVk_`QrSo&pln+U_|BY!CwsvL*15}PQD9|45Y5x`S+sRayTH>DMRQ8BaX2%vee_d%9D<}>sV)G`L0m@@>1JFI=b21ShQWY> zaC-{CoG2{*su^FD&|yvwlGNW}FgCFGmwK8+XOx6CWbLh29AU~D0&z7a9Vv$YPUjG? zksV271FUZ(mZ)Pen-iY|ATw?xLk9;<-c?I@bkLVYUEC+o6wj&~z{E1@nW+jk8zWUV zsW~&>rpx|H{T2C#aNfk^Aa;3}%!+VEvmHT{0E_f^4_`%_rsr%!``9(9yxfdBb;EdJ zd|ljhpjpuj#ObeT3e9YNu&Eh&3ReAZGuvKwX8@Uo&$TY5aK1w{ND77OSUO2AN!sN) zwa~NU6j~rV9+yx3dxjHA4LPsY@7ZW;gJ9XUbqqEHv~4I|1O+e+GE=yhw;2Y6Bz=$$50+UD@M5d=$*OUeg0rir z5I`M*>xT-dgG}insT(%{Fc)J{(37ZBh7WiO5oN#vF@ce7Zz_i>U&hFh`i4b znz2M=L2wa09O3?FLX=gY(WcfNUn(AmD;DMlIHn&NW-kgj8H7GaLD`vU%X7iA9l*$J z0m6W72*%dwKRw$Yux+yJiN0>K{CLQMXHC_q4&L_bubW0W%nPtI#$Bn`GM=83ro=xCxPGca0c%E5ME05|L0w0!R}URz(tV4{hCZu%J2W?1x@)IA%OY z98Y*yxTETPa!togU{gd-vHl;W>IwwMT;^G6VKgzOGpc~Vzd)g3XUZ>Egi3YLR*Jl& zoxj_WoHj$arKv&|F$ht?nKsO=JeO415f4S{(-zR6~8F+lxqp|hv%DWF>FlONhn zI7$}S*TWAoE}JO=$=ohelm@BF1ML3+r9fK0Udvcrk17?~u4x6mFfFb%yLu8;D72JF zpO2(foqg$MUb?fdX3ER%$3{j~QiYnu<~+FRv!0$?Cbh~?vi1*B($WRM{DVk~@_4Vv zT5BFWRMT?X!v|vG`?wVeju%yw0nVi!{v9vj)(u6K$5pi5ALOx_&t$ZG3Up|EX2;$juCja z&9kCqFGM)R3N+4Zsn)xj_ctXlXMVNMwpT80*Q($-x2oS|5ztU2) z9qrnICs`Xy(u9-j!p-zqy3$5}_Z`l-^lbrn^VCCh;_q3$(hDnlq_e+_J-tsz{7gIU zTI8>}Uqj;#Bqa8@)@&4j&8R`Qkqr?MGGm5Y-s@URN2Dx}1&%e5wcJ$NQe?yziJ_Dq zW{3R;RGG?~>!{QP-~C771f_ zj<$AlUs}IVep$yyBjj0haJDp^Z?e30>@HkgDJfA!Q$BNmUEux+7qh{W3*)+xtzG&S zjTFGww^Yhz30&)tB>>ZZ9kZi?eFpd$xn?ZV!H7^kANBn=2TwO{6j*8i4J^zj)d6aCVt{JQ6tx5N8y-{SD}=kNij{SBH84X_H6;sp|yOkDvB0y8t0 zSzQ4`f60y`xe>kVEAl*mG+dLJfRKPnRb|+>wj1!l@X4O>#ciYe;@@`!gG+ENRZTa1 zF$SYnCCOkcFE%nIE^_(L>FXlkzg4Qm?P~e<%jwTQE&n=+ixqNTm-^pt|2SEDv5VFk zR-1K&?-ss&`(^p{r<0ZIWrwltqWshSvc?fyf21~j*#?W$w!vp_kv8x-Sfp`sxrpQu z$m!GPlLB7s;?#Q4%jdr@KflTaB>nvBU#>zPXL}Xu&{v^_5%xICt5}b}e*VMh<@4zi z61pg7Ec_$(O=wQjQ`|m4k+TL86Co1`p%k8yJI+94JIqz=;&uR4bDWLe!Cl4Ev29mz ze?OeX@9^<_oK;*TACUmIHl++dU~6a9Zkm6I1C3j+&eHaJkruT8`%8N`)FIN-p7zs7 zfj~ndjf;CXl__uQ4$wlnD$!L4AJooGYEN`U`Wt?g0_|fAUbyVvicN0Uk;bJ|~TX*r47bRvI8KX{# zmW}D!ITuO>FpM-}yntx@*TeY8Vg$lr4M>52GvZl^0O^tHzQ-=)k9Lils6`6D zg|>%8BH)kPRUw{@giQfCgdfz|4L{Wld09h9F@8tbcR$huT4Lb=ID^I^j7m53e-=N> zZ^4PFLx!nDHq1f~>P>~G8WueJkmtwb9{vI$uF4%UQo0{|m?(Fe8aG3p150P`#yV4U zYzt}l&d6D@@e@w=dl5~qIkm%F{p2IVy_C%l1%XURMPNaAoCGEDJwq0Gqt(?AiLrBD z>UGQ{-WVOVpXxA!by}TM1%}dm^+mHb}pBP`C(6WXuH^ zsY0@qn-k{Cj8VOHwy8FKhRjGH^zFDzKErz+52_7M zr#KQ062%*?m6ZW@dKuBP2I$#sZRx#0E*az5slhtHvx?dyF*|VTp^5t!AwS1H7J*pA z(rbg_7!kmrP0*~=-Qa>2e~=4k+Qi0~a@Y5R3TPWqv?9p25J-kl?{8J1-b5!YQ124x zQ5r=3)Q0O?SwhMOEZD62u>BJZmNujR`+)f57qkXY<4P%OC(Bcg_d*c06;hK>O6K_Snd-ua`uy6e~4Y0}hOpay@=p|BHHW9|EZ z6UV82cg-c)+*ebC=}78=f5y7IsA*E>VYNP$&^vHMzIv-fe`Q&_&KoUo&#FSMtD)cL zdWw%#HTd8X?Xj~_1qY;nHV0+pH8d#kdeQFvd|LHF-Olo(y&2ZXG29Kh>bD`B;!A|E z445h*oRkn+uWZzyJZ3JYSsr3@v7g$%bJ6&gEpJdV)})1{8i2g3O*UqWhe|ni_(T(X z8%wEY<+zMdf5bltd1=jke^d8_DXe3SVoHk{%*bq$c@JxpYxuH=dOBSnS9BsI)y zGYQJzlB>)gai-JD<5Qi8ba9b%0{x{mA^5({*!Opf*g_S@QcZ|q6=1INnn=f^pzm+* zZ=@;S$i+xbZ19$1tGuhu6O_;9QLIW}@LXs2z0*33fA8vA9`W?xSDb~dO|)QI;iiF) zq8=;@`5A2Vt{T`3tiVs^xJGywpeplT6q2^k>IhR_YdPcg3(!IrdpPrDNz-d@FV5gp z%xda>=)Goz>XN1u9vs?Wj^^P#i=6QWBFs(>_<7wri427K*bB-Y;+p0q22yz~0SHf2 z2SBU@e<2O))PAz#yY{?q3MaS4JIWk|#tj@t3RB>uEPEsL=%U>*>d-b-jcw}}i;R>L zmSSK%2A-{V6m$r;0JZ0w^Zp5utZIZ}l(&xNld ze=&gHq@g)DEGTe<6h^E)g|maGIz?XYN6s$%jT|Tx!ra-ML{ialL!L8rIBDBc1%J57 z4prDuOum2M$8`O3y*t6Xpz|nH`}y@fP*ph`KGwk1JsBO%mu-uPu{#_szhw0&ex{!~ z)>*Z2Yp#f7sf^*-F;=M4zTM%ecTQ-ke|{6Fbsz^Qe7vN_{L||bSOX)t8eQZdT^PED!ZzI-6j$zq+xptIelsD}i7cw{BidY|@!CH*di#D&v1{>G!9+pr zdspwdjH$Zy#C+L|q(YDSR9@SHe-VLruDt8!iSCs;?K?LjoqfGg-Nz6(g_%&7`lgz1 z!rqh#&F1i^t%-*F5$qI>U3Y#b%VwQjk#cs*_`2M=eJ7?ptL)uD$O?|+BfLs_)cB6S zx>AR0+M6Bf^zWYgZ`w^xK{x;6VtyH9i|4{VHDQ;dJ$P4CdF{9<}x zaL7LXMk;E`vRl~l6AUxpe+e&HyCCZseMDn-{;lA?N(q)23SE!@pu2|10r+(A=SHPK zln$OS<%{{5r4r~j=--ZKrdUxKtN+0;Df=e8?9GA&;hy)I5+iRdJ# zM&irw=_fJK248V-_kT$=cv|zfFQ=b>|7BaA|Gj(yYX1e%#R^-K;RO?yOK1TM0Wp_Y zXaPZgty#&ABsCDd*H`2jDQg_wEtOKLt_8tupd}876U-nX1~hZw_ld<@Zq>yIwK}^i zZNFF@@$6DZ82&kY9u)p~&_hUi`10ZK(>KFk2X%A`k{_0Tzx;l1;ExFxBz!uAi1_>E z!|?H&GNR&9^9aB(%!XX@N53-^ZN^&<1#>iit08xEgLCxOdQbl^)No!EHOykjdXpD) zx)YwY4kc~lS*MP6i6_oeApbjIzp2 zBb=0{W~LC_uIVB@6{4g=s{PIN6g*>O3KT zs+~s562eKnOfjC+WeSe|$H#RVby)<@Sb(DK+=l;ObZ4pwi0-56Tm~3Fk_Tym6Nm^$ zo;%ay#;&^)Hk|pX@SQ(_Z?E$33$Evt+OiV76!a8mjbq$6=^3OxPkA9Yv>}5UdZ{vY znZ0L_$9(fHlGDf_J%D0!v|xF$gpd+{36J<0uB^;CYhWo;AW!vesup`Vb4Dmwfm7>@ zRxy?=P1BfUmANs1NVK$=CTLaFU=-0HKUstGLhd=cx6CrWTbM`Pq!*y>q+^p0DNiRO zbjX%y%9=DoGMBl%GtZ3i4cD;v(UWWJLtjG@?L=`?XR~)uS;vVTs?8az1?K^OHYFb9 zH!Y?-w@!PQLe^sWoTpG9U`Eo=oNLVlIe3(*ZeP35`4_|iu^N`+)g^0aU^zkfHRH0& zZ4J>fUz)2{4iptO)6!9hC8IgoxP9%(M%uT6azQy18J==!LJaK-B@yeOB)qJe@3o>7 zk#zHvf3dSL>1DCZzc$Cn>A`D%jjuRDp+<;AVTr-VP2_QQ^ShDl;p&v zjJwqkyQc#Clw943MevfzP`9Z~H6pg|zU9KZ_^fCNZzxD!@ph)$$?EC#kKJPLkOsk` z*qbvGjoLMKT4h(?C6=jw)z$6Bbm?DR^re+is~xPotYlV|Kf_b{|?oy05~xU`HtQ(L!Nv7MfB_<4itTd|4Ksb_A| zv3ag?4(zZ z{s|uROxTxkL7hrq3YlB6(#UUHYcEbNz{T%-oV5phj+&R8f)O3er*8L%=#7Bm1Yo}RiW|k>oE;z77FzX>D=K?hPTHUjq+?{)i z1EsLL+6ms)`U(1Ky(@?AMp{5NdbXy~N#P^Hy04WpsY=MMZMd>DW)K}`x!3lj+sLJQ z?$Y|}=0a}FaVk7>rDSEPsVdYfSv5~pY%gm@`2<%__2}P!8tb-omAi$?Ci0v&qu}iN z5YeKr&9JFiRT8Q6Qm;8xyyw~-dft04wn_NHwBos|y{W@`Z^lAAO7tyEEy25PX+ut0 zOk%70Vo~>kqE)YY5o_OkJNh4d!RS zk5T$bu@2vK&KFTXe0y*laidYrC;1>>U;H`zSiV&$gWZ=KJUUz1O|646cV{Iz$rYLM z6-SdlSqHl>K-Md}scn$wu2;SvJ`ctZL6Z`JzRdx;R;b@P6@PrD!Ni|{oL|@c`swiQ zyH9br{yn@$w0{BAdcE$G;RO?yjBf!80x>q1nQs9_f7~_Iem{J8bFlVg2djJ_n{lMS3rUzjzJXp4 zjMXRHf0Aaj?Z`4lMFUpSw8w2}+L?|t?R=4jElI;kZ%Sju9eFTC6Kd;-3rBsLI$StT z$B3zC_5kFtj77* z=N}G_=fgV^bV6rr_@(@$bS;x5PG2FhHf@?teRms+o_5 zHMq07&eL>Ox7k_xJ3Q|55fc-=mOI`^2;W9h& zA<5G$`_gk@kO3s)tB-uBb0*o^Q^ayx{kzng*b`?2nq^Eq9 z4@~2)tuUe)5=7Ea1qK5|pIE>Yy-#fN#m+^Wn3<)sJu+6!5;{xZ3VLiH1=hd-%c(Hy z6vo#kp(6(Qz`R~;XC3vl=w08+yf>xke+z{KpMqx8L^I@6p~-~Us7p)$tl>De_JwyI zT06P+TcES!g1K5uhwNXQT+5b=`E}gLMF_>!dTOVziz9<64P+dBiTh;~8!Z962^Bo} z221gcoh_ai^W-8H`8GzcKvBsbY;O*4O0M_)q|Op&_!ydC*^y1q3$eIt-?!6Ga0kZTDQvt05X~vM3qduy6Z>5-f~e_c}7I8pq>q> zlU6S+l0;74yX&$W5%vt^Z#TT@Cvm;yl%|(bbk60H6w2(Gjc^YyR%z?>3PQ9-OP;Hi zqm&O{IVaYzY4+7Zb9<|em0F}V)+ijLf54$su#f{w z398ElE98*nuv8u>bz+^jN>+;KZZg?zxws0>d%AzphWXlF@e@&o)JsXxFHXc?WM%(o{WS2`G-40#V7phoyO5M(YWNDjO zB~?%oU{cOqH+Gl~eTTEYD=kvYTyIxE{MF#%|lk#0#_Nfl}zK5m(Ie=B@ITb;!ay_GI< zK&Hjs0B<=_FG^J>W0XBWmETep>U8cisN#(T04lq6%a^x4`)J$U#w_qEks~9ZX~}jMT-)iJ{9=)C=J*d-k@U zYG8R9!9YYW=Ng!sRg^YmvG;#PS*V(ps=fZ&;sq2L%7RVte+r&?yog2Z4IP*D)b1y>eCNu9mnqB5gPD6+3IP{C$CaL$9 z^KTh==P~z$aLF6@6iko<@yNaFOJmoY-;jTdN*mjFXqwN_w)a@=F~+Jh=q(LgcFw&+ zn2l{;vwvN6D5k&C>0V}ZW#=-b-8Uy(+Fx_8#(NaYf3=pk!$%!G>g8BZ$B!WAVckOp zzDn892jwg*#FVVpaxTV`lQXi_7xm~~*|>>M@|Su7o-MWRat}ft@_Q#DN`-D}Ek#c5 zbl<6<0>U@=E)mSf(iZkapx#rhyL^5-pgD2VQ*-!?981a77nb{^Cg7o6(^RFCr)+iN z**^RGe;eb*ZIEpRy(h!FlkU1yU`cl}F3uo8cZ>@w;M0ZIN%BFOUHDQtUsV10-N91C zt)YvhkMRZU@aOPTy68=$eC^A$hN~J_h+*U=7u}a)(j`~FMO!9T7sG4LYG@(y*dC{{ z!I@E~To6|}6S2BJUUODMGf~ENIJGgAPQFAgRys4Wx?)~)RznMs$96bz(xLD~opJ?T zbY^08LA~azh87}^U30!0J`H*t98$@15K;ipd3^q#2MJ@Ji0JtZ2+*15w~vRn-+!Ej z``^R6Anji=`T#hS;RO>7H8LPDAa7!73Nbl3H<#dd0YiVujw3e=z56Tb9Keo5tpykb zbldJAxlPhQ4na=YE|~-~m;8RXNR-O8w5JgSgQ<2E#YN;3NlE5phkp*A27~{ig&~bF zeE#k5<5$C92XhL>j&ZpE`}vPUu<aETsA9@bij1?>&>(z~s)x8E?XL zv}Y5ipI^T_++GhKNYDwA5BSH7*|=UNOU&<(*qeWr^GO8xDu`ymlG1cUA$js=Gn%If zrTXdUSwlLT=PBp2xlAe0Z+u**BUC2)$P7@mpU>gHSKUq3C6pc!=*?vo!$efvh>a}kY&rxh){|l zlP`bBP8h6VD_xkZH*8!!gF#i^q6s#$Jbt3D=yyb#y`pFEftK1Q#st&QIv^3Yyt5qR zctDzX{%B&rLCEEcfSxsrZ2jtgy#RF(28BZc0 zPh%=F^to#sxTSHpXi^C+d!%;}DHQ8F10;+yZ>6#b0+X7U3X47lIz>B!pCGhF%v^tF zp)3HJLr=ao?2}S^hpS7s1X-t7#qKhvh@kPF;Y%>n;tRRuhFpAs@afk22={rr{P!hh z0fuO7tztRoX9-$tA4!cn3p$A3VE!#a>XQT zR1_4Ptl0o_6OL)yhIh9v|6SY1ewb$&s{{?YM!q7j0AYi z!poFO5(IYdNj#~nFtMRPjX>3Mxp{`vKs)yNvCGzDOUI6(Xm3+IyJsrt@)TFuV ztz5xnUI1J5-^dxc<+7IHY95l*nflsbxq~vz9~A<~bL~rt$Nb=D(O)${zOpb_p!*K7 z5<4=&&Wi7SlEjQ~+}HZxwD0EKW1!Zk6*E_ske$t-RJHO+Aa5y}P=3Cd23r&Vzofxc z8>}`PYt@0|WBbe9FSo?CFj#*-l@?hZMV$mNX?iH!TvlYDm-bG2Ywo)1RG*|ARc>&# ztTYj2f}{t0ow~>cEnIcASDqIozckY>b&Nz2S~j~W#ngGS9FV*T8ij?3Bd=r}8SBI# z=@i|a@T8u->?RwZ6YY8C$%dc^V{N6|4uD$~?T{ZX4PE2H$<^?xcyE6JvlJW3gR=sL zzPY`LMjyl8icmy!9g4k*4}s)Y*!H2RLE8uok$bs2p;@&!xLOMyS;H%^W4j)-co!%T z7eJxyw=ETutCDN&xdf(lFY8UYq6GuGfXjBxdmz-tpTf4|lID+=8!qgbo8}V^(Ws7t zH+8xZc7kOZ47@IAq1=Bo!(Mk|;Ntxe006tElvZ6PD}CKsN4e|$jjejEW zcKi_)vM=*>dF3%zg>}#z4lTQvVD387#>F-hUFm0?FZ-e;EZ*j}HqL5t3NoZNgLTty zmuCZyWK7y)J|2aBrHsohXAgGU|@5WVKNaVO{xX`M7u+b$lAXqR+NdX3T%I z1#xoX%wdt!=fxLu+dTD8bh^CMgZU`X{#K6C$!X)>5-|qz{ZdLf6L*_@mM)uC_?}8h zIJTYBmI!b=s@=BgaXp~g+0fH*_`G0JZcm_HNz4L{I~spSZEW>aC>GG(VE)`b1n?=Y zgKRD6TQbIUa+@v{SfbT7l^Gy(V_6Z1&xEg8x}Q2b{L(pJRDJ)=A#lVk3?JpE+ztLY z{7~+~3aPs{WLn3i!;~Q7Hn@UIn6|1mzB_E%l-S)YE;+lQjmTp+I4K~ilkOLrMkVRp z1=uT|q?6$V z6PK=k0SW>*HH`8p{0H)}IEZ-#Hby!`aT@b4FOoRs$S zQ2+k+kC$mWPQ&QtVKUG4ul-zm%BFj3Slvn2!sE+Gl zq!rvrUDjnesq260Cj1+I+}4AMlk_t?fThQB58q*FHyJ-RznKGzOV4iNeSFvTSZ>oC*E54ww3=0`2I6p}8t8vbtK|3lPA<{r(!M)RT`jJ=B zGfn}KJ>(2qnGL}y(v_oV8tTx}*|fT5(qbU6VB_LE8f2#BzIe}37G}Y{&yoq;!VXvV zjK^#4xUPT2z7dJ$^U-HCLb_tfXrjn#8t9X|AJ;&)TK`*1LLi^PA@z?_yltS=Uw0V}8AE=sOGlPX}*0v6XKh#U(xv3%R1u^G)fiE;wA;2StUtDfH5RR7kAEb@j+|FRb%4Y8-;$c zFHJksgV@c_?*L!s;kRPXfBwUZ8V-7RAGFipLEz7S4Sxxq0=a@F&Y&v{i(7nphXK<(*cY9N>D;xbKba|HG9Xi4OX_Y2vjrw88 zCs_J9hEEJWNa1E`AWxzf7~py8Szl0mQ{akMSPwp|c_%Kw-`H@-7vkp%9V1^MXnPGa zEW-urAk!pRR9R~$qN5f(*oAvw2goRmyhMKzIykulH7@W^$S^Q=X$1uAT!V1%qtVd0 zr4D?8SslbVvpOKadvfW6#C*@5)zJxVz+nZE!w(k+0F{m`rh1hs1yyEyjb8)lrFLS%!A;D1D~9Cnppo2$ zHW}Uqy$BNKp}GYECd=ivYPd~)9g}|^UCAE^os;ONtMT#ErZ$msSlznAUE~Rr7C21V1=Tcd>ILE^?FtAJVRB zs5xRr891@^3Z9QGM`pabi|K##7jYJ~`vobY&3wDO&!smRDJFy;_b8ockZk-D$khTWPs zNy8%@BCDu-#6JyxrYityV3-7($7l>qaGRtTFv#-f%!?^miNy1=h}VA|&mj^#+$64O zpyjpF#!@5yc+IR$aW)gn#0~D&Y$k&UD2>w+(d%VD@a@INF$a&kk`C`Jsd}JI1t&WRu_W=`ITIEux2PcBI>V zPU|XfB$+)o2v=HPZ8MNTMa(%1vhl6&_N$R_TzVD}`JA_R^jt2p@MWbNHwCDubbS+; zWW4m8IX9{?=k_(3tSMPNvUOzF^etKYOB#63Hd99zpfd@ceNBHo!BjuNpYqW+claZU zyo{~P_iJhlwzt!GPk%|Cqn*ktZ1P;2YrB|_#kFF>hPiGN-1&mLn4ly0J`-q{6J(Ge zkW!nsJ-EU&6}DZZe?xF!u05mRwy|MQRZOm&Lk_C2E;1P*^NiV+GZXn{nh3(CBDK7e ztL60tJ{DIwTa|x}+a`PgWz~eNF2OP^VmHz@NSkWo{4F;3EVi8;Rsu_l{rlo>b(6+D z+mc;$D)sF-clupL_+fBUYQ^m%ZoUqRo_F)}_BE~JhrD}%m>#)zJK3g)h*|6yEQejX zwameYqF{962iL9j-5w>mkFS9O~4F6xdwd7=pOISqeos#F_+WVd<~QbE6iRqJOb zg+DJcFack2#MjETkWE`APEf*ks&KoiWPPJb0`Rf2kZebmt=v3{RGaVXpg8%$uBlFH z%Op+5hot)?%A`A*Rv_-$g`^r<-#2poxL=t3A51N-T4=gUiq6&S5V{mdt6M0sYUvb8 z{=X_`{3w5e2v4cnL`xe}R-ZU^GV+qfl5U8SndIkHd41sm5e?QT>p+W|W5vtR@zWe) zxRz5A%bj{gAql+jfz(|HFqY_0W5o`rcC}TP;&XhWeujgesh}A@w`y_W64|W~RIU@= z!n>Dv+JS4IN92MVR~v~A&%5z4O{@%C`$V=L?oxll(7H}om*0$YO(;AXdPp@Vk5ydS zozhnr(7xPo{6Z!gf#}g0ljN{E`>&3rBUq#*-uoTQMM?;gV=f+HB-A9(zY`^&Zicun zC1q-L%|lDGy8R-f$Oh}R1IUC#eJa}MNz>Hme)uJXRuSZWs=~VW{>IFml*)DUw9BC8 zocn)xu(0QKC9q$j+)X6NR7jb~iPq9Yh3&ug*{|oC@q=-%nDC&UTPb`Fa8Mlk5ss|_ zoP;Ag#aMwz3(V^}Aj|YoU|SvVSokUqxVRfppINCd0{UdsBlGj*of6h=v0?dUE$Yap z(v2=YSKCN8mNlBuu4M#HfqC!B@7^NTjLv`Crstk)3H{#L@|G>j?-yfLCEeG~3QxSG z5J9ahp%$r~Waeud+RdknGc7YTtvYv8AQ6-M)~<4?xJV|f{mk*-9r!X{QE!td{KHijTdDWdr?+7e>E;AeNof$m-pYlyuH7Cj{}{J zcO(2!b5K@}Nh5~O7*UEA!kGthX`uN$@ko9-!60FA7d0S%YgY^y^t?8ze5@5f1cV-V8AIDo;M6yfst5+$|y_2xdoIrq6Fy* z{h08>f79=vW_6WMUqKT1b5nQqhF`*R3h~wq&%uiixH+q!Renk9#b5M!Q6mONuxG^e;O?64Xgv}y3*e}8FE|<>DX#SEqz7N zub`3mJbX?UePzX?d2bqCLQteZ(vWnCrbzHciUEi#(vbq7hs(f4jj7l(Y`rgI6{}5Tj-! z@2gP5rco$3>l@*nejCELHZ0%@V9RNaO1_mrbfD*1KgA?c`)Qp?ml=Sz!QUxakT2mZ z@A6=QkUZ(B+ybx+2hWB7Bd zbPSsB|LVTr&tATet>h@^6s$;@Z^@&zuCaDwc<>_E2&YHv#A;{%7Ot2*7Ng;|%j&fP zv*PQx()hP{tT$C1k2a)^py=U4qSjrP;3_AX5-dy!6(5dkQF6q^lel(F@;bgqfBSCw zG^0gZOy#vtld+3qmtdbGA7wd|vx+oXfp+5f;&U*Fp=aMCVSNEtEQ5cQjtW>!7pz9_ z`;yX-6+hxj<%M;gtc0}LwRyF^g!csCCkUBv-6`p2lE5otz)j1%_O!;*KR1VNJLFnM z;c6lJ1B}NpJcgA%KC5WyDp$jdf9moWJ+*DG2v)G+_@Rz>a*VYmcD#Cj=bgM;mR!AT zwB#Ed&6VW4qPMz0eZ!1dsmbV-CmNhJ6|6o-Nkp|Op|D-Zn5*llfAl;0RqK9i>#+WV z{SMiBVZB`is%uxQc%>LBOSFq7)%GZk$*5jSXF-OO)RhsO#>>u;@F@YUmT}H0Rta#d zeCG55i2`N|I;$Ff10ay(jJmr$c(eZrMl##Vaa=hPuVg9$#IC@Iv{ZR*FbM!Oq`7F zMxw7pi<>eE{k${9eXt}mvtSdr{|fh6Cc23$h1cUWaK~MCxG<~oITsEV?(B16XWJs~ zTbumrY?D`f2E-4gaKQKn;nfw-6~$;L58?_-*PuztDZ}pue-AUZt@3_=JKF52I%lG^ zsyHT?%PC0;5;k_a=4mrP#(&0ua%#we?%j!!IFbdZ|*^6A#dlZXQ~#v|)T zZzIGsQi(o0e-D}VPJ9RR-)QjxGGpht>FRu=#lJ#Yd^8|;R(hNo+u++y&zGXccAQcw z71UT;CZl-f1Tca}NjNv;lNR^*C7sELXDpa!a*NeiV#oK~XuT(@`iP3jaf(l&e`KtzsZ_*^<3yG-#a{l{+{X4Y zYP7AQ;s>%>QUYYNtMR%tM47tJ+ z_cg9f1_Cg14sY$wSLYM}NRr!gMH2KWTN1Ue8p*e6soULt(~X1K3>f;;=3yPDbGx_` zt3RiOe}6Dn=A!}oIbl^?J!K$=s6x$}E2^MZOyR(Svf*}t1pIWJ2k@u~Ik2wETFC)c z#|wmcBk1x5632uOaoglusnWaI2P>1twre-5wo$uey0|er=~$N;d-Q|fO|@us$jMY> zs*Z+!gY|BB;@oU1Y;EQqNdme|%|batguk3m+#A-5ko+husPx5~j#UC+3S-UmqWiuH2Jk(UTQA>BGXHs=)F+eVyo ziEMspR7w^SvZr-Ph33ky+S-*HcTJ62g~7UCW}fdinJ_i2nMk2SBGuX*JBV@ooL@F_ ze|D$16oVaCM$q=@CEAmpe978@llCi9E6jIP6p`gdOkA7@PLxj!-+~!!yr|y@rJIVP z1LvLj2;AHU#x}1`G+ZU_(YvBH4>%ehfC#tqK>8gq&+{2^)YQCZRoe1tM^Us$Yd7D6 zV#4>{yOP(C>?vq$4Por(O+EJw8lwlRf6d0KhOo&0K){p(_m#n+CZQu&NmFB#02}W0 zCm3c!Cg-O<$a+TK8e{ely|+}#umq{Kk1GJ^PSKSBpB{b&a_PJ}xFVGQ{qO@6QiC^G zF?kKv(;k3Y{y~Sw<9bwZp$Pd=sJOoS-KQ|z|2yCy{{z^E#c2v8>H>n7k-PzJe^piX|K4Yx*FE=r;exymFA+r`5EZq&pr9xsA);0mSGWkKKs;o_rds(JiA zpFh`o?>^`3$69Nz$9JuBt_^jK9%MpG5J9f8dG6Zii=V3qf1!5}!j7`}4eE$~m9Ihj zPw>_%YG=<|upq4*Ap*zf$=P!kRUCeJ+%AOpH3+3ouk^UfI~VLpM`+k-xIVNJPR!G) zC4`2D!*N{YyoQC(g@u&Bu?yxKHMgeB9o_ZZ`v_&;1=ri=xfj-c&fUi&G=lb5tKIWF zjW5?tgyT^Ne~tREwx+(}CbaYtLJKI3YHgjTw&EOr5{_X$p%Ttvc+o!-G(~#M5nd1_ z*`OFrW{cHkcLW4FgM#~ogocGjL`JF6F|l#+{SyWx4jhy;I5{Qty0r8m8AFE+&m1vw z)b%%vc4cLc8Jm+kZhYQ^iTRTX(Eq(ZoPpZWQFy(Ie|DoScqbfH!09{SOdGcktw4=% z=5>4&ui^&7xt-`7dKY>&qoZUukMIPP4rdWMDRAgKE=JG89GN%}XG$WE_yYcUzKCz< z&+y04FutBY#+UN-IGsEuln6WFok`x{9Owv&LhbkiRF4jj&q+Et$dBbM=mT<$>_(r! zDzM+Mf5uw09W4f00&xv$;udp7aOSXZ3~h#24O~Blx8iq!x&wGQI)NS}JU1R~#V3HT zqv)?_IVt9vKrhp|3ZVZm%ykULZ$|Yz5>8+RY1|+<2h_t_v)E?@87!P&uXCsgRxU={ z#da}JiiK6E#CGD>ai_QewV`*(E#waJ9$vx6fAYKd@o23s0aA+A!rYtb7_kB`0^aFs zF`b=Tz?b6P=ySeQngw&eK{j$QlJA zf7FW53z8`Cgu^IFwe98N^UC+SZk(>ZH6wa((q)ILO;Y!w!oB82YWt;2h12;kVa8q| zd@qTY_wwtyYe|e>Q z)v`+UKHGhaj)sLRA(MB+s(3r!r4QVt#OybjrpcOLId z4X{Vs1-6+G&yCt+QmXswdvo3HA`M6mz*OCJjfu&W_xs4LX`sAZ4RV#kl7J$y^> zdi$DCDa4FY18t$UuFf<%;py|8=R0j@|9Up{d23iy7>8$KXEKgek==%((}oUne_DDD zf`o*MGs`X^?HsmYwCqg9oIl^AJ+0k|SK=uv|18WpaoerhVeJpvN$v2hx4k=lJl=+9 z<4U}39HPA4ap_~e5%j}|g3$z5fY{+c9j122ntld{^+w`w=JW%S&U;C+olSMcjt*Ij z7K=?%liXxzQksm5O-<$|OOv(9f7WDQ>}U%)7h(r$V?<|QP@H*(mUmQJi<|w?GGeg${eNB8Rvf|aQF_O#~?8vIvjS50mi`|N> zX1mFZ=$FN;7!{MD+@_;YaDj2P@X zCn7->4a6Lz1e!c$*Nc z1R4WPp_Wi<0*b?NoXV?0qCCJ5uf!SSObOI$=QY+Wt=(Bl4o_{ue3+)xSf~!=je=JqjQu|_gp=F_U6}r!`!nne;%Dl?5%KDI@#n@unY}stxZrpBq z((9T!hgOnU|RsSP%uzXr5+6n3MLbx@{+dv47BRNih$&B^1Q=-^yTh-eCeKw zGC^Rv{VFWFNDO4YWsu7vzRW+14srsPd6X;Lx<=`1b#jA{PCq1+r+@nnSVWlF5blKc>vgRY=|ks;8+9}shI3+JNWYUyY6avs-q+OxyD!D zAjGePt+4KJSBOQBt>g)0#|PzR#V8xV;mbCM zg|0j55d2Ha1UpRWJU8n2cmZClt(aK<(n}{E zYi<^{YOk&BZd+BbdE0Nf(zW;oUHA5CUvY~?2Qs5!E`O`|AlhUxONcl`6rfmarzY+V zpe{h6E@0wbD{E8Na5@dV0QCo;Bv|B}fsWwV{#?co$1ra3%4N$}w6(Tu+$1_a)owU* zMjQFb7x>LTeSi;j!g}EQ$r;d<5H#8qhF0QxdCN-ky-J6j?+9+ELCIl8;{$UbD4q5N zC7X8stbgq<;8cy)Fk9G?uytW=VS+a}`SgPYrxg|YS5sMj~)AX(4gIMarg#MBL^N4%jB>f(r`i%;+yXU^c)*t{QtPTeG& zpki}5vq>AzwFyfl)Mk*Q#BhS5u#tLRCRt1++j*#q>K0Wo2=Cxy!IeI5C03rBIV{>P zWW=Y_o!0OK?IG-W8&BxkzMHQf-#-4riQUY$mqKi9hM3iCj zUlVVNF@%Ri285I7D5iu!)oDi7>8{hZvo@a=213q;k8#JyG5)A%}UQNS>{D<>F8%OTD{X;Bh=RVT9wX?Vohvh#^M*4J(TLk*3eWiUl zZKn3+7oTeX&6t{ncSP#G@_z{E)@rb2BT9BT#TK4xK}+Qp{%J+P28o0t-b7==@k58G z!Z0kIx-ZHM-kB@hN+V07O4ZWn+Q{0dTD3NMN#v5KCF+vse*SxNJst+3h`NdX z8AFDqNBgUK5cl#2Pk$|~d8nhkee}V5pE}xo5pzG=RJy;|^YTsqdyY%5SUju#oA#L2h*#rVAHY&gZP#k;toCQfP#m}K zI)T^k>~5Me6+eXM;cEQQ_}t&$R;v9{`;GQn?U(UPS9>vD%nN7}hh>z@+w{N48| zmry8_3bn#HL4VYN9e_G9@Nb=TYz@Td!ywxPbjCHxY~n1&DN&JtL?mTOR8(ZPVvLO9 zoe;ZM@qsIytNPK{9S@2*AW|_#g-NI=OtwgJU`);c3iFP4o~F2tMNbyY|3ZT~-3jJQ zEq?|tDzVQQG5b&gSc_|3xDsv*HzgaAlq6%4X{2GKGJn!I(qvST3faH_Wq@&DKuTbW zb70Vb$N^D_YGQO;!b)YOaiwXc*+IGII8hOe#6--*Laf9_LP#hHBjJ36At5DkbmDD^ zO^Hhq*Cnrhj|c8qbriCm;ONFDstsNADRhpt#tT7i}5%(5fx_V`E>=$e3~C#KL%MT+6bp zPcc8D=f5|>-q73<5T7r%Tw`g+n+VG)$3cFX6Tv(+1IeAf#B#r$S5kBg5K}iTaNr1N z!#-~ajF89L+ebWm*U?Mp($Tw~?LG_{<*r?jRezHG+^v7>+*R(zW3ddcv2M-jODlE% zHV6EhfZ|;y>fCr7PDUVJq~4jP1fV*GRH;x}LYDA6Qyc2g-sXPab(?U4A`p!Bfqf*x z9CpAvK{97IBB8~y#(8d1MO4o6YT@xL|5avci%lnR(IW^odT3M5XbrC+XVU>h{8~< zD-JoaVWoVp;CuoL9VYx@zYa&cX-#;Tlark?n#eh` z(H8ORh;tFbXfzs+=0-b5hY3kiikt!}T7QFTa1B@EtO+xKA^|LoW_r_GE`gXNG4+!8 zrmlUaV=v4(Jge;2w`=FM!#J_)BP_LZJMP`wVc~AQ>E**ihU^)bgok4VEPagj{-I6J z@7YRuItOa~Iv>k&ws6SVmh(H&a>&^TkNWlGY!splg9MExX&{()-_C8U|qLHrfUJt!S!3P7|P2iscjRoMT zbDdQ7nR?C%YT$FzHO^P4n+~x1X@7w?l;AzoO+Veg2 zY-G-+P^qL*p*WZU+VwcW^mt!s0LyE=xkY?5`%c7o!+D&6qqGmTqgpoJhWFuCtx_x0 z+(OF51-Ku$>LeVzQ`@91(SD+}GF_xG`=lQxZgHR%9TSIG(@BWaMt?DJmp>-12)t0cS9?=?Lu7^xB+H7io$@ z^Oc)@9`sPKo}pZ|B!5Q}l%J00=5UK4g<8oi;ns88IhihGAO?uyP8>=?`TnRsP9%xE zDrcY!Jc5kiQ{`Ngi}OexpDTm ziYw3xyo#*iR|zY{R@90&ahu75{DZ=dBRjtFenCos$w8h6{EsU#hlToh;~Vq1dyLBOH_0w z=nbMXWh(+lL=c}*HW?LztQY-_5;FTLoOYV!Ip{|K{V?i+q>{xG_nM%CnVz=w%J&^6 zU+}PL!Pl;O>VH`wZBmI}61X5PNQhA~lsqm^$W>g*&D_nxRHaa<=BkAXWfAPgBB4oW z<{si66gDacxr4$lxx?gFLWIB>h{ziSMK&7X%jD!jNDv(XkK%DGmq4QV zcp*lNk>ce9L!1(Aj5TGFq5M!e)0Aq-<;Ig--oP2!zWleAD? zWN0!hR^}V;HZ^ni3TrK!&?dZ*+d#JP4+{^94@wWou9Q~OHp@=56L06XlPCEng(t)( zq$lO=rhjKFKj)q$FYzx5?S@}i4soxOclfu3MNB8cF#U&PjX1WX{nJlQe)>tf_TI_= z`RXKSM=O~_-xu3RYu6mmk&$3Wi$F(=c#JDoutULYOOC_$f!Uq+e zS3-HG(qFlrzfPITPm`uA70P^kCqG|mQ10iKDG%}6_)XFS$~t8yeu967-yuD&v?<{V z;RUb(V<>S7PD7|Mk@Oeh4Fip;c?8ZR!-OHyP(!9M)tpCig&e~Kqsu&lS}Qk$OcP4P z8GllVTw<7EEHu}c7vd)K!+4|gB;GFVHUG-|f%%d-1!QmFVhtGnfm!n9+UDkaUx&Z{XzGuxLq61P2hsGJMda>4kkrFjE_M#x%!I^Lq97LBP6G(IYK4v zVFyEO60%!mSuC{6*23_95PD)+?CXN)$A79SqaZC~bxa!ZT>+_ag>kiU>*Ctr^^3R< z;x5G*AOf(=%;}%4U6HmW=Df1(nU_228rSaZs9SLV&W?`Jdl%jLBw2OW{J(relekB> z&?JuA`q;z2c$_73vuE9<=k!}3X4XS&7yw8y894)#m4>L5YCxOQ+-BGyhPSC3Vt?0* zYn+cK289P85*QNRU$upkz$k;5NFhQ{v9Dre&~K9*r(rCZp(hBgr#o$*p6xAWV3(mh z(jDbi%cFTTlVuuww11}I#Z;FSgvjXik88iyKD+hsoZ`3Uy?nT1$DaKyTOWUL%FA{2 zM`nDAO+O{^QHR#O|5bea>(`~Vu7AC!W#@w0`o(empI6o2?7QnpU%tErqOpPwx)NnO z1Q*FJLWI#H5Uq~M;5f-aw8`72{dAlM-QH(2(X{P0o>Sx? zE`duF2FWE{1vgu+=N1UdxK+YW0iw3%#@c9Wk8`=vLe-$`GSbL4CO93MLK4(cTAR7qn25*_H^;=kzL!`*(a z`*4RC*j0r;?mplB6c^k5KE(WT;CDM<4i1^oQda~v6Eh;joQ;T4Y6IB3)PPM23KwPG z#OmBe-SNXln&?Iz*URe^lYbruEBD>*;*S8=N2oOqG@^lMJeq;3&;oQHl7jFch@peX zP+Wi~ns z-fVG1dwUO>>)zv+Dwgm5+h36v=L*Fj+W?^NSyzTZmI%aS!V`$cJjoV$gSmVYXuM8bvP2J9;hcCjpH z)M;p>?ki-KK}ex#VgsL$NpS!5_S@YtkWX}P;mR)zqE$jVH?8SD20khQ{lr_3;Uc{S z8Lqb=gOT&mz>WP{?0gH_7{9)^9upH5Vi_!j1jY=oojL?K*S{Wfn%(fXy=m`TkFog* zGFAZGGxtX&rhg<(P9!rgFO&3jUV51%jymM=_3zxaIbSYW+*$YZ z!RF12KYAMn|E21W!uB_Y4P7$7%o7zd=;Z#Be@adHbx!WRKdHVes^8#Oo_zCkf3Hl% zD3GZM{lYbbP{2pAvKR0HCd76{F+eQmh)mEkvQaR|6n`-*VmN<;0x~xFx(jzZZ(8E!y-wzH99Pn-B$%Sz^cFA7{rcf7VlRukN52qz1_feGBzeIW600| zKX<{cUbkb%x^+8uXgijzN0$x{JH#cv7 zcxChE5_R8_=YIX`=a%eKW8PeQ^0UuQu6+}`8(~nkPL|(N;_ol$rAlM1@+3=6nFRM#&LO)V3e)K zet#rP9we*Ap(ImIHPYt-a@cbLW8`UMhJ2f`6qj-pq?9ieX30&)CB|orVQjaYnBJYi z(RYwJ-TB<}U3YWOcYFBKU0v^O*hS)LJ*5lc%Ndr_ZgdT}Jdcx+Op_6r=5f!6oCGU| zBbQ{b9Y5W5+VQQ~+CHRERU9R7fm{Zc%73K_kcn|F&Lz0y8@U^W8)Xl754VA{1wrB# zrO>o(7#>bs%4}Ro7Lr#Oce?yz2mOriJ6 z024S-2r6>f!*Wru9ApjTWtjviVty#SCq*))u_*%tM8hWq9A`RA;t=9h8HdBham`SUyy;ue3#kwn>3) zwpC`X4J|dVk+w$$hhv3=BgH00+JCyRKPt2N-MO|g?Kw{Cs4QTfXW&dbq+>I7kH&Wc zsgGZySnPcg(%qIcJ?R3D(~fIj-uimwO|RVk^xJPgedD9W^d`;&R;zaQzyC-3i>e;I zE_MHwE&Jp8v%1>_kn!h0zl0{ZETUdibpfp|L1x;(YCvhJm}U4cfjYT>X@AfkpxZud z_zYJ7GDIO8wsBDseHNqEu+3nYNhqx#T#^5>`|Q!~vp~Ux6T%=WFZv8>C9Ef+GFLxA zw=q!8Yyo6N1p2fC5+z&LJ6;>Q!i1>sfDVb#AtA{}hhsX2MG`7x3gd;@WG~t)N?uEe z#nHRSE8QQxi?!}_;Y7)WrGJzXUrdBEVDF1ukrJ2(=4hgpEm5b41~8+H)F@Jia>J$Z+&HOgZK|GM$zYFFJ*K4SbzO*uqzOSQaVEk zBH7$F*ewoWl5&VS(<_7pxhf~`?*3-CaN=+Cbe_ScxNq1qBr{y$f(@JGCq&$gHd(}j z3KswZH3+iVYRnI$*#j%;c%QYh^gL_D9`iWlV8WnK0Zhxm3ga$kp|j0N!!WZXT?usS zO6R_zmXxCX2Fz;DOMhY@HKDb-J-zrO*!mk}H}^T?Q9{`+tAOtTfFc7pLjuRklo&@b ztB3#<9HpY`6fKCIA4QeZWlimQ4yeuW3xm{S+qh;o7YFQjpWp`3H_~m^fnP@&5>SZC zM7E;kBH?NAmEK1<{*L|>#jtcIi48dS?)Ifc+Edyq7}V`jr+*f~2Wn3NjnLbl>kW^i-3+lARmsX}XUcL`0x z5~Y=E5h5gH;C}$Y@FIX)1XjU={YwU9;1$J$ERgl{PC3M6v#5Nupo*%b%CUwxCElo7 zRLdxC1j*pjAxh91z-U_gLAiJW=i+k&myiv{mMyzvmtm|j$wccv(>cH>ra}v3XT;6V z5=zBVsZ=gElq==N1!z8A%q=7f_y%E-xJX(c*UAe`O@F2)%Sx`9+zZ*+3d4QIwU$l% zHp?@Xn|*aWR?35%Z0tLD1kU`JejL+QY1$jwYZ_RZgFj2(fNyLU&au4%UBop^7l*kN zd=D5IRYLwMO4zAe9d?<0_bb;4ZGyqfXOI$M0bhKZWwI9)WVH zEVItGVk>8*;1n>_d{m3pAcKTuNP`S~5Dwu=@PBl!&;$s8TZrd#cab`NfwWL=#`khd zOb>DokybufPeSQVk!TXj9n{Wp@!H}~xXj<)+kM-;Cj?7(2-$OC5N^_z`uv!%8~j)t z8t)3|&)k+Nx}P~xwwt1Df%);h*kBa(Rv=oJ-C(vq;ow4>QNK-Ml;fb$O3^`@HtK8| zxPLHkBmQpdGGHLl3)GJZyM2C)A%s0I?b%zF&>#P;k5BXYwTA`_s4S!Yjn&n?`B#NY zH1i@-Od#%4K-lw3P?N&Vgoq0kZxE?%r%v3PT{ztp$VwmvJ9rEhB*8ftks#SRd;Yls z;gW=811}-Lz>Anuh={H5H^Zy?RPpiBlYh7#H=fi~4xQ9)(PsRSb9!B3de=AH;_ekB zf?|5Aqn+OSASz(`*bvmB7+M@laf|YFl-($E0U=QWvV;c-A>ql8GduWbJ#9SBYD$?s z&y{3?2FK`+{pk>;rx73R59*`w20ZrhM;>`xJBSBuT)%#!X5{!Y7na=BvO_y}v48tB z?nw9h&8yd};3~8mYU=K&-TBJ1s~!tfk3RU;9}$N$s1YzbHJ}WaRYJ@8r5t!vdeafW zRu_foz9Kn`+U&8>cOX(BqiQTPl9}=BW~80O5}a}L=+VH(oEo@&MOYdnV z>^TJ^vZArBa3d!n%gZLIS$GK@G=Dv7lWl@H*^Ffq%C)h(oToD#y?G6LVAN%_*0=?AnF*903OQc7p|QY6w1^M%tB-!8OM(kZX$P+5a@fBbFtVesO?{O1=2L3q03(#KMw?_L^8 zKeSu2;J-}#a+j0s@`8E*fYJi=hM!Q@_&{s&R&Mc`uqSO zNPmn2oJya}7d&8q-!%y7j<|kF*_lv1?OF*{o^P%F4-gZCy9DMQuI! z;czfu*mIv>x&~ak-hWCxl3s3wDAl*zns&`{D~5H~;=AP?h)3Pa>^ zTrT9cQ@PpPd~SiToZg+0H*yclXE-Os3c(CcCLPPTB1U=G`U?g{ic zXORxLu> z2_6aZ_ue0mfv1?KMfm@m?6RMiP3DiG3ZWI%^PiwQgg|tFKZvd;6VL%J6TJ$@cL)x2 zfW)F<+-h(=QD`q;f$o6s?Lsj65Z+6d28I~c9z)6sPP<4awFf>PjkE3_}b_b#Ce9f36w_ZyT# z_MkUl&3~;ty3{Fsj>dB7=nZ}|j9-Lo!g3h57+o*ijgAodOO4D+?}0!&={0FHtT`Ii zd>);IP*M)^i$T@s6>P(Q<&wD)?f~~!G6Y_8Njo{shx04>Ekd|(tMImPL0l)kBdO92 z(phr-Z%#Q4H z?7w!TIqq?s4hRpJ6|g_xRN#QXTLbS5T<5HIKInWc$QATp(0>PK2R8)o3qI8^zu%ui z8bVq_o?^Q_84W=K(zVux9-`X8JGmhEroY<@#W(cm#DhKhfx%Bc=xuY*?{RON!1e5ZQUgBpwlNBF+P!TK$<73Co51-LZ<~j9j<+qKe$Jb{Z4m`J>%DCm#W}^|6<;Vzc+lGQhu7B{h?MNQ^@R*v~MRirPD;v}SWr=E9YHGSV zYmu5=)llD1=W)+VQuC_IlGUuabJZf+t6nYg)O+gYd&-lQD~1lGLyO(>=gq09o~>rP zE3YwdtY?n9q){!abXU*z)T{0~k6Kl&);7+XTUDl(*UWQQRr~r(aaY%8*VNqZcYo;D zEb-LUSJhOjY02qB^wWMFDr%}>)dpaqvZ0}NL`q6IoS)yATwl{zSLUgxshjOduJ$zK zvTl?H%0&<3>VSHWN1f%FTeBcBS^W+aC#&P;E~>4pSF7gL*3>n4%GHXxnt5tgooBw6 z6yF+5LXEnF{FhOb-qnFKx2luYBY$RP@VEXcS8m96-b?kem86Qs;Rn*9udR z`pP7~HInF>DK&L!y$ALIdVf~|sb2OkTbdFF)7DZ!Hz>O3*g^{`L9wnFK)0cyv91~x z^ss^DHEMlLl3L$5YmTR^fu5oKRn*J{Wupw0)l`>PQ9kNNC`vI*=blwF-@`c2wTKbW zqXgA84X_RM`dPXwwY?gkUsLNV-E-$Evpim@0U2N=?mm3hRD)jBsekio>O5CvTWwfW z>#1_FTuT}DvUUt!*AQw`kJ}as@b;DO>(PqsektXTk&?2)>a@J#@sp<(tI(q;tDty>IyqO(Dwv^8%qtk1q~=U7EXtWOMVVZr=1nTh&&z>x zc?Dzgr;g1l7=Nc`!?=RU#cF=uq`YF7w0JTb>YXYtX9}HcQclsB@o<=xotK|iJR?cT z%_}Z|If1w$HA^kbDk{z!Gc`Y}NG+UNR5*D`4$LtYrY*=T$Ss0Zawg>f6EM-3$%QkD z^2UuXPJ%(ja570LF3K94GbyWRVv-7zO$L^WRMsUKsDFex)SMDJc*^*!{CqV#uXsvv zQBKw*+LuaaT*2f?IZE#2sRd)Rit{EHsM$HdN>+A$j!qk}GA2JOZ&H#vHfvJWILeN1 z5!y{>r&k;b9WXAZAg3rRKS`ZZm@_7iHb9PfMLA=NSx=BXNFtw+J7#jhl$;xzpcftOWpHdxRz6HPg^~d$lsb^6HX|3)AK!wLugW>AuSQEk$SQd*qx_9dh*ncz}C+V)2xew58h(x;UEuZfJ4_HrK zNll$nL!HTjs(NPW5CZ4b=rK>Nch7~zU=+0?)(d>4doB#C?;*2~K`FjqSX);GLl)Fk zHGnfw-HmXzuIf&27_Re%DaL`?%K=@b*E#6)*Lmt|Axc%v_sm_C41McpEMt^ZRRdO= z=YM6LiLb0-gbyk-sI%GR>3@qI z{yv~-@bz~w(4Zv4SMs-3u2L3M-CmVa1s-H!a&2X8ir0-@RyjjsPz|a@i%=b^LbFjN zYCtL)fXYxJe5avQc%?&Y7W7b2HuPyg_3*Ak9^^*zP!gQYL)Fkf8CqFrF1%D!)H7E- zJMzG{2gb~Y&vNLge1}zs_N-bAD}T+0wdj8_Rt>!=9c~!&kF7WsT617r32KBMWzg5n zX7jKSZpM)cvsA-pE%ccM^HxDW6~@=V>TY)J@_DAPS?YnJ8hG7)jjLBbTf!);hk0w* zs%b!HIvUca_tj^pU?X&18@xL~d2ay9N1zmVm3#ZohyKaXuLi#BfEy1RTYty+PKG%= zFecY;HlG}PdvWEC(`!_=9=1OokWvj=0Db9h{5UeEGmV2Qi=a;>8(9U{Y8l-PY(J?4 z>evXX0d&^+mr3PvK6-Viv5yX2iyQi|(A9X?_sk6~f2m!m%?cX)176B^vXCF&F0a1d zy*yXJ6@|4L*cqy2^O&q}hktW5umgXO7Rp&6n{OVQtylZ27)_Pzn#ar6Y_>|Zch{4= z`>yYnzM8IMx;`f{x@y?&SF`c8UJKJ#sDW7aak)N~v3^t! z_1S$h(B3-jx-NT|z3RFb0n>p>=5-ppl9|WO`E%ssp{|cs>eMze87BGd4sFk4`>F4>;^#r? zVRX_p_(OKUG3%2fA764f71Wd*JVjdL?kBC#Z)04PI-g@6*?3E4>o)_W}OnRDZ^^n^CSX-`rQ%bZO|Z z#QiP%S;L~7>fQT!?7P>0e3!jwV3CMMPPdn%{zxhS?mhE9>c708no$*lhIT*mp(@keA2mRz!^HX z%8u#LMCe}tbJ4LmXgXUX2WFcBlud>44jz?$Fw~TQ534LR{*1m zneEVVlop-RVmRNsYG11I*or>NCc#k=%s<|HHGd1{&SUdY`jZ$wqU{1Nox0?T*z8nB zbY?o|7@#Ph9nrH>;kyv}O=0rPVm#~A7BC)i;kwRC4x>Qd37w)b@LdRN(;nl1u3{zy zx>B*XXA;{-%FkFfo~}BP_0lPu?A>MB?wuvsD@&aYD*uw6m8UTN^Wmj3{)^#EG25Fg zn1A0luTOWzu^A}c3X{fE#$Ohb!(_HXHtR>FNadN|qj5!kyE2B!i|!kxd@Nfji%De4 zRXOp^=D#~v(+;I)g>j6(944uJ)_V%bF$enR^_!YWbtz3K+sZ3+Gn8SKy zvAv$sV)!vw1>#d#C z^vUz+%5E0>lX}+j#iHK1bX@6XXo0R)e-&w7J3=W}WQMgY-s`I@VC@DkGNJr6di&Dz zcV3na`|3Ye?tyyMJ@D~zHRRwg|9?8R-?iRcs)|XN;>l$1ymiQzm-WhoNRZy>1VNw2VbtUzRx{~t$>q>rgrGMTE!~e~? zlF}!_{`=}m%2l$p|Ae}da@D$0FGv5Hx{~rO^@4v*T}eUzXkDrIuG5cMSL(I5zICN* zMc->zm-PHxM-u;O)g=Y>tu9@?y78~6E-Bw4UDZ#5|JhY0h3VLpXy#vEWm5iwt4zve zRi@rt_g`6MQvPn0N&S~qnSYdjpvt8F)2d7glR*j0I)PEEOFIj$|LbZ;%2oIL-&H$O zuBaWU|F+tZa?RRNZw=_5UprF%f!fix&HK--9r--#wIj-v6(8k$RDAraG(Tp=NBKb& zpDS~=?^p3r{3<@*R(JR@Dl`pO%JAZ}IR?bjUGQ+R6 zaIP;J`}Swf*l(8g-^c$1-Gr|4*Ul|*UAm}|3xVWs@#LE{@^vfutA+eUBj+{pzwzWN z3;CZ`axR{Hd0&?BrAE%Sl0UbS&I{y=3*^5w^7#nzSvEPNkx$deC#Rg6yrYq$k>u?(azrC*RtC43kvZtIpZ6QxR8819lPM+ND5T1-D zyB*{SAo__5WS2&MrjeZ*+2J7DHS+jl7UA(U@|cA@T29)aOIs`1rjf0Wn1rnwdBjAv zJRBlyDJKtawtoo^hmg%S@{mFv)X1h*v#?1ct!B~!gIZe2#tjx>;{dY3LLRt4)~|a} zSg(FRYzO*1Gtg#*_OsvSxL%utp=RlgWL+=6zXY)xAbxRUo<7 zNSfh9b2(WFl3E#0R@lis8d<)~E-cr`GCNtSktG^w(tn8S(ogQbTlk4a?!KGcRZbQc zJB7vZ&lZ6=B8&GF>6lfPNU|mpmqtcww}nHm{BEKnGJfeagJ6NUwnp??`hVW^E{7|D=Gl5Qqx*BOO0ja+9W zsVPPw)l5>1BzdqwNVbu|29lIU1`UiC29=Y6i4I|4JV|tr0SWQKfGm;_Px{9jh5l9& zZzORViPcDql|%!d(GH@Plc)wmS}{7V{S0PHi9&Q+j04d`|+Uv3xDX}O~AMQMf^WsfUsYa;RO?y zjQar!1T{G~IG39H0pS5Rmw^ca6PJ(~0Std#l*^8rKoCXudhd|=P0!Z*&Aw~L*|*_VAL5vv+pZbn{q`8@ zn4aRL?UFpCOHgPe7;UoJ_>$3`_yS#R$v<_dYvJV$UrJ>1Yk^Gu5f`^K>h*@LViV0A%B5B;{50@zW!F@=LhaW{sNBT>tFgA5;_RhMd(m~ zL+Bvz5jrT=OZ*JMU)%xy;%CTM=@76_;tr@+Iuz)sz6X}w0ezGX3V+oPRvU8<_^Iy$ zeoyHTY>uBJcq<%27HlpZ3d=d}0B5CxVjtA^0c)vSn>!t8e9->o;?u_6^Y_X~>&Gxm z*M(hBc2D4jXuJ6D4(o3{X4&5#ne-#Cli>vum*V~b-~=)`Gzyo>{{c1uHkbYX0V)PD zFd#NFHkB;`!MDn%0)Zcw%mxAp1UN7=F_+l}0y3A3#{!C%kOu-Kw>`)LdI6Wk2m&yd z=*a@AmqG~wT(`DD0ueBmJv{;m12Qr_xGdBulZe(v_Y6=Q5F*29nasnrp zPq_h+mrtYuC$|N<0g?fiKc)gPm&dyS%9m}Y0$#TucLG){mrch42n8`QGch%nS;qo1 zm$st`JNKUD zfByS_a?WTp+!H_sv;`65Yw2nVxre5U2%*ymVOz`ks91iaau+=R4zAl;Lv3AW{?_*v zLc|YacC~f(wZ6Q1&qweMSKhttfhK=r=Pyza^4<>p)7qgSP3l&|`}6Rg+1?f1uqN(` z4&DJCI?x$xX?pn?^fW?+bo_y?rVXK}kVX)Hnw$ggVs}$lAW>Ia1MdqFO1nN3j6|=X ztPzB2>3A^|4urn@&z1=g@}XL;no$sG{#2;RTgiqt)pRMw8iMwb>m`S6qBT zVp4KSYMSUy&&c#-W#{BxmzO`Oz*{)EXv);$X(iK3XIwvX*6caHvbpohE9Ng)Sh;9_ zan+LQ8ub6&AD)6U@L{|g9YdV*xs0pPO=u%|6MC}YN`Om)ZsH9%1D$~$dDKm)mro$i zL*Ep%6E#Dh1Q+dXjzQuL@I1g9$VK?xjt-JDWE<=Gi0kLhaQ%n_VH|+>ZRjw179B!+ z(evmC`V@Ph^+oK#lhH%i3s66TkzRa%9_w%^Y9?n;9bkI^9Yj9^aUKLYMtCHgM=zp_ z=yh~iI4|r)2jG5Q_z11TJP?_pI<9i4Gk~%nx{8)z8{A(&f8zY)Ch`DYh)$?lx%;^n z`9}8H2s18oH*p)e`_V@Hi=d7Iw=Y zz*~b}7tV9D&_;?SV9`&?(JUD0Mz5(4s7%s(0oiK@C0~~FItXpo=X1_ z-wi9oU)<=Plz+{uXi_LB;0sJNIpV5nj^d?kH1wV{pf-K}Nm!N3WQ_PT!U>dw($FGbVRD?hji3Yp zr#iK5cC+4UOiN8kPD+fAbJ=ZHi`ir}=(HM{3yCU+XgPN}u5>c;&OA4NbLP-YdLJyh zR8&-m$rSq(GR2tzmz!kRGw4<9W*3G=?!}v5S^c}F7p^QiBT1{@UVR3x*D$~6O>A3@ zoo5ySO49f6dg*%?q&F`}yKoP^E@00Eyngtn(wo#j)B)z(KnK#%K3{gc&8+3sC?!dy zb{g76vNLH^>mZ@RT)`i;I4krxF~C8|Y@s1_HQ-5>`GXaq#H@4;Ws|-^FH6t1MhYH&cz>d-K>4q+V_gR z8O}OeE&t<^ibbWox^D)94&|z9JZ|8qIJ{SY#qGU0r^KtxKx)OjWE#y_q^?gs$-_$VzUk z#;AvxG>8w#t!om)NfmTk%#FVqmrR5IoSl1fG?cc2S$4gbNCbs07YZ=2EqAELoV6V+ zV=sJk|BbHXTKtLSG2~-|Xud@Lri_=`%T}HaG7(o?*?gGx@DLpxT{1$Jq)`pyezV+a zxedx#%7+cb{b(s-ZwH~dZu?&Q=AroIVP+z?XH*UV%^z92!*EGmUi}pYmegYbS&U1j zCAhzt;ES>mL&tliLF8PL$!v!wP%@dBc`=q8A`-`)g>SmIZxtgVDxtXDgDOjoR zm*G^ldR3O18clkhWL}5qTWQoua)*aUU(8;+xDpc|ga^?Isl=d8QJg|sB3Jw<*3VMc zFj8=VZ4Z;>J;jQ-VkPP4u@9*0m9E-H8{`vIE7F_tVyi@ixODYDYw44VwgD}64#3cW z3(r-|CyuGlRO&x<4R#E2+@v&zZW#J6CI(|T1Vu%BdQwl!6rFN$8)LN9$i9USuF|%* zlC2zCAXe7FZwm;!($OF3ii+sT8sGo%=g;UWP#16n?0qD`IcCF29nThsTdXdgPAiye znxKyO)@Y5{W!e}1S_i#4X@J}al>EW-6@IeHyAsN{=!p715rnjYU#-7`ny}ft-Kp7R z_YAIIcxLSQtSts*WFN^KgSHobq{{{s_9uzN?aoHK$gojqmYk(PjLd?a%6 z1e%Fr2y5H$X~L5qq@q%TAnwku)M!3F@j9mQXQ0cXBR;lVQJ-DN=ff@~3zKVkSGo70 zRAj2G+dY0{eRPpOE^wlrKc+x&{NeTlL4$yNd}%*4ZposkcAD}H?{wy`v14l2Ora?^ zb5|Ol_df4WivAQ~^NT@p%AORLsK$VWpFzz+qHmX#NZ z`v!RbI2{FLU^Zr;G&Z+632`1jG{=QeGj+z)k~#6Hp>Y=Rx}y9HWnXUQ^E;Z9cpGZ+ zsmQ%d`Qd8w_zcAq^k?*Z548ol)gSr=9)fkp$e-g5C#9V!XFW2SwJpzGj31T=G719$ zBp%){R115tV9RqCn&t#I2b?emd-IC8s(W3f+?ao`ssc}=(*x?BQPpoXt`X<7SNHC3 z=Nv3ivDxjloLX6K7fS@u_%hHRX6}lXYXp#vFDYQfGt_n$PM28hE}g{8KwNb?9cBpG zA0Q&4+~tfUXdDoZ)xN_MlaKu-ktb>Iq1CEQa3{)}-aOsyf?HTx8tP;TOwDx$q#1ro z+j#DsZ(Hny{0@9N^2F+7n+QRKI1xJe{HJ#}(yf$cYFzs}y2%H7X-|!VNsC_`RjR5~ z{$Hr{W{IW;MEk~<+SW)h^ERJ1>3Ai1#9#l(@PA-ja)=G6n|Nfp1oF#@4gvpr=a;J&%0dom13&ZF# z6Ta|BG&|wTM{&M*-od!ypNrG(yHTHW?@p(&rkcA^zX&c8h~_-YJ;0#yY9FcJv-hcEKDy{L6)eW$oode@v2gW zQA9`3f6J`8=B)va`-U=65pcZ9`slt&jrNbHGwDV@P0@1(b3}|^|6w>1;b_pt?K5Ss zDtu{V%d-Gw@0I(q@Of{bpd0N`ZFr%vyJ6^nBK4+`zJoViI9Fg7SJPIW%eJi!MNfLG z9MG`2QFPAMay0kb!>um;y!=LROdu*qWOmjsKl0jsZ!ABzH>dUbAqPNBi+||VGNY** zegqB__BkJD^pWdVY#USL&U=`}X%N_M;k@%?*eAP|{x`|;+(B4n|8pt``G=R!c+`2q z1ro(8P5$UtT`pEh217#;yoc9k0X4vqHs;Wxb?wnbL!&T3@SlaiNRt4$BxEXnR%JrO?> z&b3+9{yp~wOM|9Y;~$=hRV|5BeeuKiVOp6)$B*etkSXgbyzrSB%4uqm$uKUCE{{&n zO=aIEGmHsR#B2lWMW#)bB&95+cckQ&#>?~SQ+vvt^QLkNvtC^Q-HTsBzwlh2!s!5# z5ovHMKEo)HAhlhUW$=<~w!y9|uW}u}!?{km75%!4m8Sl(%f+;t9nE}+BLQQMZK5Rl zIHZLtNBXE*#bEmM(mJ0bY>(MXg$d4Oq^-j|G#V1JVt(=KlzfP9Yc~sH!FLN6@09z) zQ?qv8n2(EVS|NXc(S3*bUt@V@n>EKWn|hmK8jF#=5dKTFCtY2ydo8KTs1BMrQMcW5 zPzx(|-hbuc|M`*e5>21wDo)?~lXJ##jWh9zHUXAe2!?hHlOB6XgA2Vn$C;MzfVuiMLW_)3 zL6nwrl>C@Jg9=x8=KH-R6%4-<9O?A+s8vd<3QE%xFA#XGr)&!O5_jIW@Zj$VrGnmoKLCQbeBI|qZ3=K`!|95ZZAhQ<;X7n*Guc& zX})5yuC;9{N`v_j4-4}Rhn=)mYpG}k>NKNDwHF?3VmJ*MM5gD~ zCg>wJ_bx4KP*qsT*c%y^gfQGg=s=-gb8L&-LR5+`0FNeFLH|$(JbnHejH8uR&Jx|@ z08JXS0&EmZ4%sK6c^9O(tR^&l-NO7yY*%jsnHZELIm;ukK$Z=V1MtU9DJvSbynZ29 zF?ksAO`I-dvR$3{CdSU&uKr-?r2eWx4!6WntmLDN*zpjBFNyHtls%REpkar^TWo)4 z9s0n}-1^vB=FA+&8p@^rm@wroz$ANCI8ej zH2K(AzLle>+Y6((U*S!rbbj&%`cKTGx|cjv%4{1sJ`r1?DOhIgs}t(8dk1)%%A1Ot z53D_o=OTZmY_HxlpDm4QRGk_9=4Gtc!f|y4q~sRoU*!6xX-688ueN_Rk)%bF^!H5k zT0SX?8;K6=iQDBz$4+zb{aSaPCm~w8_M5YV%x^td1`~&Lo?;v!`KZ-T295bsoIqL# zoNepuY2D+YLOAV&s%azwXMjPo2$W`dzZO$>(_Q^lFurTUQbme*e{8fwFqvNF#rGm| zAeB|9bud(M{744clU!Sz3*TSXx-@!qdZhP;ez(q^*ZhkHackrScYh?I*uzw@tDuWW z2f@PSwX(9Q$!~AJZJ4?U6bBHRkrEGQ&z0D?1r7O31LOhKZ4m@)xnXOST&bdK(eIc{y>@>kFj&;1?*(dSm zt!s*Mc{#x`RZ>i)1nX@8RRutyJ^sWW#D?*G=oAIHC1VTkpK46r#Zz#0GG zab(i`?TIQ`kD2`7?vECY_QG#jxe+L~pzIGlze#s`T;V6zYe83 z)7CsX)i!97t(I*wBw5Im`F6I%&rAU@E?qW8S>mg_z89BAF(~k(ZPIS-^Q5a5k@kiL z3+2^*XrM+cdgn|7qLbI2HsA>P&T+IdQC~g$in_OIY6YF^$`a^t$qNRVM3}_AWc!W_ zD<`kmK?v^5{;uM{_$3qCE4e`QQZBVP4JwiZywr$ke7hH=Pv!enuBGDxJxLY-(cetE zx!5_3a>NU>t=?U5pGro{F4QWl7vC{xUSfjTu^;cRHokaIX7_CS3(iAYTkszX$%J1k zpv3KQmGa`M>FN?(Y4kuNidp)18BU2NrT6KEar?ngyHmlZN*{sPQ&zW_)DHg&csHYi&yn+x0T{80|?5Fx4O2apBT zWYuZaM%D8{b$1Fg^~9HvKPJ>Q@Z;Z4#ROQ8Fkdhd8R!Vqx-WJt72>zfGB6QkU)9)eO1`u?s4?(y+)r*4qR$n!?Y$h-KGZ zqJ~|}1w9ArNUf7IXH&Nw9i1MnI$?VBbMzl(gM^g+%!wpEro*+liH= z?qaCI)MIvn&5%||4Az=j;#EkfTYBK*O}9%#@y>lW6_qPo zExdY}HE?$HWq?P^`m;2^VQ*~k>ZM$%ynKf<2DpNiOP)u$7q3%b5K_3qp;o*+t3^>v zxfxW$<70icmqYBj$H{p)R2=UXfAJ}P>gy0^Z|-xdk(-95L*L_%aiVVX{);Qyu?Y1L z8^ba35<#z#Rf?&Z*9-zXjuDv(BgYm=b)V#nG@L9fEjr@7=Cxdb0587sy2AvSwo@F| zJi2Ll*ZtguEzHq#?hM6%8dl5EEvAU2RoU8?Hm~wg>)Ezhx0K1}^+TTXSD`Cu&$;W%-rW zRV){S!2Yt3<)68>%e4$e>CMR2i|S)4<*vrr+1(T`*VhwAsWuO&&de4eqv^pRZwg&& z#&V}WST|u>UWIQiR0?A~7U29GuQg7`I&538R zJeNf!)+_$JIr8JIR+a_`WZO!dYe623CjsOd{I25*tr`A)_yGtcW13R-V{vLF!rsIHB> zQrkDUT`L_QZssdx*DmGe^?~dr?i0Z{7Oe<{-^)q#!j!1pgE*Y892&$wndm!1i*mA+ zWR)}xPs=(&GuqTI@oya6PaHOto0d+0bs{@3?<-P9qG|wCn?3^OQNBxWut+<6x{}UV z<4QgrzKX84$HV_XJR;Q_q!^+TLTmH|;Z-3MlbKsH0xaihO7|Twj-5>7%B=jOrDkXL^M83LSMfMzSoBHNQq4=L?BC=~wiAhgZ zUwsJAbz|tb+?&xSoE83F4|@q*tYt^a1F@pGEfX!*yTfIKwdyZ##@87yqO~Pc@DvHedulni46763snc3}#?HYxY>e(6eAGsfp_6 z{IWj!uKuy`;kKHk5#@Nz_ptHRr@>QS_$=1gFVI)3$zCtJ2+$_%CC=X)CT{JD*B@H` zLsX}lk_AASR-V6rd{=JaB?{tZ&-p#WpNi>7R|g&n8JspTUGCz<@AzUlI94;iOzAOT z+;@8L<;}_Q@$3WW5~Fy(MS^I8{$|4b!p{Us=*e#=aQ*dlMl;kqVcf}@|K|9VF6uNZ zs%OMTIhr8u(W`1f?OsZ6P0_9_HZtR9Kk;Nw*NA|OsCg!AUyrDL!V?rG-v%uHatemh zD5WP1Qf?Ga)+&fDY;>wc!}+qwXEq#UqMNRqh9ceuIEBvAq|y^%bO>CKZK`hC0jpL0 zi_D7VM{D=aybFlNZ{$C$Ug3z1WUQv6{YZ*%jH+hdD?UU%e9-ps<8pdq$M8T7Mb7hD z3TjlKoW`JvauXvKa~#lXH6(86C9N!cpAKhE)V4Af;`6u8m}jBlq4bQ=5%jb-Gfpvu zo%W@eGRShxc0&%kcTmD7MXtCk_Wjoc8?#29*9P*u+-XVUf9Z|Mi*7yJcJiR@0nz5@ zQOh#C;hp(P` z%SaIeNSt|l(U5(L7{=&_J+e){cNA=jOVs+kps7l@zi+R)69R#r0oVJE{{D2 zPQYX*q=O9n86-|LSymZ6?>dp7`uRr{uWo5APzv_GtL2<>CoD!;(cX zuVPw-a*&3h-T+(!20)JQ5+VU+)({()s#^J;>w4)T3eEX@_R zS8O*9e`3w|Kf66+ynNPp(cX4Q;nx;oS~`1`GCgfOM`}J(!*LPa@*23>ehn9niG|i5 zbzn2TJe_B<)f)Ty$;cy<;&|cxF*%Tdb|&#iXO~L>B=nmz5;nG^Foypzh3U#h$G&5D zrshup+e6etEanN*bvjvvHo@uz>Y0AS;KwrrIXNm%m?LJsm(#8Ay?f$kqpymmWvDOQ z*uAVKn=8DaigkVcefqQ6NQ>33F~Io!yJ+j#SKXBLx|58{>lrGa`v~fJuf<*9;yM3u z#+y^3&qu@lum5mk2GhmquYd7Fqc|nwE&9F6?BdO{w{Nm$K0TpA|3_f<*K?@H<0Nm< zdnQUOh>yXUlLCCoR64`mL&Egf5?3{*8|pM^W<=Lb8;)bZHC>fUeYJtPmUf3?3HQXO z*HPS*@WQPLf@XKQ)XOKd91mwJ0mKp4@L)RMdi4vo-= zTXq^B#UX)E(y21T@@9;5S+i+#xFKky)LQNB;gORJ*ViY+@!ThRo0WC0RLgDs5`9(wJ529;M=Sr^hRW zyKSp(V9ni=hmqGkOf#O*%MB2v6*>O3evWI0_1f~0S$aNZAru`=YDew;8Pt`=#MCFe z=7uyw-!o6`KQ{%LbSd@&>z#!0p$BgSo&a+*aZfgrrfCCn zqg&-AHA2pmD|q46<v?CZiMJ6g zej|*V(;{AfewE3HGHw6{UxBrSwC5M}#2ItVJ6&%Er$3@oAOd=AFC9hk<>kAP@KWGc%CK!Zi3N-+LZ}C|MQQ85=8=C6w?H zS)q?|#u1DUQVMWp{lT81YkdP8pD=MRFBmW^kE>o;_qGm~fURQd`FRpky2na$>1Qc_ zJ^LNo7`qiKs7gucz;h5o`tp5#EW$)+{%xzwc|XxEEpH1LDhXG^7A#j3eyQy@s@@zU8PDtepNtZvKp&IIxk57 zB^VX+(yJu#8VLOTD-mKJbIi~!an45fVz}A0O4zFdR|$ue@gtk?2PG-a#xL?CYAuWJ zdgYYdU1O92i|c`#C3M@Lpg0lamtwM#88LN*tBDRLb$pE};kfKdk5fZy$6F6R&GKHqH}F`CK>qUjk5GDhb>26%#Nqm^2m^=S zYUd5U?=Sg`r4@(5#-|r`yfc+`-tg|$Up2h0$fXptl$W_!`6sfHGW+lN{-iTqdKz6>FSH6HoEGXT8V69nv!vSr9N4LB@q4UnPq;@cnIryG0C zT(`*J*S^S~DMlW$R7g!Q8pmRk7fFFU-B`C3@sPP>36{0qK&hkF5nZO;_nkwy=>)TDge| zMg~Ca;z`fKcix7qJRkb4$C*lJ;X*0-zhYE+Ze}m0GXQ_MRepssy&!?h8?j+=u2I2B zg2zg27nb#6cy{nCCSgL~asXB7$whlhdJtYC27Qm_s4Ks3nM^aNjMC-_Z8Y|-)Rj4H z&7Z7LkQLV)uW#5Aidw7HLLuX^BX8SGNCc4SkK)0$B_ZR0@v)nz3F~p^o~KRBU{F2EMNLykdD2z5xj|ap9AnYi!Ey{LoLOBzuO|- zI@@yD@~5dbi_TL%iuqc$`;}qrS|c%grqIBUDUc&@hQRKAZ4VZ57p?TD*rLj!g~JFC zv_7x>VLc2g2e-a%7_OQ+WZP!h=AeC@VsR0@i~qUzSKUu5U_5%WetvA{zJ1fWwWF<@ z=#sbgqV?lfk3rrD6A95M0T!jh4F4UAa{LtOGcjW|%KMfdsR#HbCz!C$lEfKm6g<`z z5g&!|?;-xMk8sAlXLyl5RdA19H67Xqyt~d6-bTI7AE;Kg>ct8nEDxwF;8FDGDR|+Q zaX82v{!3~#DU-TUGwwCR&?x>uweQkzr?}S?$wdZb!o|wjK8c4V68-05TqB+sei|OI z=_-OPkMzY@?YOR7~%va?x?06ivB zoO0q*eCgizU(gmGRkjogvGCx!Vy|NfT^W31yY3ur6n~w`L3)pkN`Z%tUbc74(0MYa z9A%7zB&Ex|zMpZ!60e-Xzw{d^2$tSbE0di?t#60CB%DgJGar8cUFvQ)`G$fotnr3N zPC89llNQI#OReM5unYddGhune1?gqirE;_tu#e3WSrDOAX_Dmv)h5#wiyABCJ zN#57*zzxNMen?~trPHwEop)vS=iKUECGh6%`%lB4r)Yyq2AYOW)VW?OQ9=P_Ir)HxV&+3RT@wa3S1d0MiO21>0Cw&Jh(BHps$fd8|2BFU zmUiNOyzG!s`mnc5ERJ09^5zQIE27}>c?=UMHhBvw3;mqY1csddTqd<)CD(l-?}v*< zHN52JHg5y)jLa2x_AIxuxtuYt=u7FYh^ZAi*gkoqp&`C-31DH`8lS<#V5%^G0lKbJc+E+n1Ckp+uRQ} zSA`cYOl)+SH<&cE@{BBT@oF$I8LsaiFZP$3m+N-!Y-w6?^?5`Dalq5Z7K zyRS~O6j$DF8I2V^trVhz&((DXogy@PGjtiaYU)B^WZI1Ev8*lus+vB&RNyTRIyv@s z@G$M{NX{i>2`k_#wyjq#N#adV|H;l%R>Ctv#icR%RekbXDAdJhHD}$sS`>3h!jvN4qLPCAwgk1wAzhquQzx!sPFmYRs&!46n(Bum zRP!V)U5#%q5Ox;ofOeYJ=bAF)aZzZm;?Tcu4Q!pcRLFJ5;4z`03>6nPSC%=pcLaKW zm_!LbGm_NP_UMkOYV1BE@1$XBcy1zzha&IGtihcfyG@m#t{&{fMY~12#W|2LS{WyV zUu2c=g5hx~53f~0Ng?IB1`3C%Q!%H>tZ$r$x@o-pVfSIxL%f_i8#-@7RO;|8ecjD9nqmAL>!m{#uLk|A7`tPJnQ2`XzxJ;P@ z*F(l1z=y?tFY)rT^2!X!<5%NzRs38T#lEX3DSP^09}@`(>!PPvNzwN!RRt znMTdtunuTD1VXAfQM8oCPRF(K3@B)I(6ZR4?7I6*+4|{ z(qRO$awb0=%zOTUl3L2?qjEQzG5aj4s%Iy?vOR~9DnMKlC}gYr#8C@Z`!UsU7 zLdYAo6iJJFVz|&QKO1SZ{)cJ?_(Wv4Cq{rPGJ5ttf8EK`=aLR0j@X2 zrPj|IQ3P%DFJ1ZMh$}HgsGh%mErA)8|9wB9RUZN$KxiAE{kXO=z7dt7JEp_ZwApWr zLiZI`cNXFFA+@bUpea0s(P)%q08he~CZL7LJzF#7iBc%?=!!x1&bMV0CRSgZ>na@d zKq`R@{^BxU>fJir@CSD^_(9lm$7k7~@g$7Rmtq$YpeCJH&tsot;859Y`l+K?Q|<;I zMwwxoG@%e+WaTQT} zff<$%TJ=$DV8o@eU^5B_fgQ;jhoFq18~e*NcI3O-@&tPj)H9<6(lX^^jo=VZYO%(a zDLk;1IVMeqg6;$B;qM_nuK89g)pi5HP|(MK_SoLAZ^m+VQT5Fd78twy+#Mhm|kWHhF3th@%E-e#5A* zOz11n=-FADW+#1dsrL$P-HTe?2PSsKWn_HLjy%0PbJ;i=enq1gYm>i~tTi!cEha$p zlcAfzNJWddnckqi7G=84eXdl?8AsHS)yild3KBGK+A(cv{b4knR7ds0?P)u>tp?cK zc9F{aReUM1yK9*J$nmULfGc8o-W_pW{@wa%KcQ4W@`tHz?hrH5wCo01tt2ps(R+(O zI`wrNDzVGisr~vXL6;f(ItEJW)ka*(4@EycU-Oj`hDd*Eql>3MtziN%F#5jj``j!|Il*^RP6WTUYd+UG}y-X zPo+AWk$S&InBgak`7M;|C%JV5uQVa<70vYY9g8)HLg0m zHla>ctwCK)BQQgXkzE9&PATaY21_|8(_^$ zegoz-!HwfM@mO|;J-V`#YCMuQ)$6R;`SMbG*t+s zE|K$Gn=j)l{d?$_sPxv#Xu2EqXXw?RN%Jj}}Qx03TDpcJ;U z%-3H@fc$zaS!{ScVuZlNuE{rix6y1?t9U1W^%Sas9zL?#Vxc5He9#M7)Pk{G*f(g< zAYX&5J%q20OM^GG1vA@HI zwM0z3Sy0H7m9cOZow?~7y>GH_6fW3ns5hpY;tn%y=+=CsmLw7k$br#n`#Jdxiijqv0J7+@fVZ?FTUolM>Cz5}lm} zRrg5*UpkQ>7FfmRTLJOY%BMcw-YX?`?|!zHD|~PD-QjvbETY9KT$3QI^^_s1PfYLO ziNQm$m_B{lv#cP3uGkA!$MUDYqWc(vkFmL*+&pqTu?@1X3*Bk?!m{HU^_km5)2gVV z_`Uatxa<5`YK1C`+b^w$vuAV-PWY|MM3EK76h9W1_x7W9>rw)MUECE{z8^4g+t@x0 z-@4lO$ivyFKArZP2{pL*S|7&leT@xAaWE!nz{HwWd3wIok7fRSfvuTTn>X6Li~VUB zYg3sxj=YH;Dz1c`IT>zG?60!*cecUKE@h;R=@0aDPlt&jM;k(%&rfTu`f1#?kLWh{ z!`)?t1}#ovVW*ZyK&*yVAv7L?yNfrPGMHaJ$AZivuFq1eVN-}`@lmjMuY?9=G%eeY zceHvY0ioP7FvEtY2^7(}q!tC=@ChkZ%Gq4t_3s){9VJVp>f5C(ALmH3Ovzt9`HiBz z#HLQF%^fWj?`k-PQdkokpxOVn*yQ?=in1*gCoI}gD2YmG08lV_PLgEvu-Yv7oi=Hb zN3;G13zl!&{bAz*hCL`8X=PM$%d(r4K8@)LCkGEFmI7i(A%syWlu9A_J^0{1(L%c7Q*)~Pm>Slgs03M+MJ{y~4iIbZdsZP?m5+L|Z+R_g zbwt7KoUGH&K8C5j?crwCdWP0*fneNYatIB^Z)?DMU;Pd&Aord=AMa0bm&VhQ1eSKs zc&*HDDo+RVDBgOIf!k9oFu`c|jXA*^LvNYmH-?^K?!LH^mgH#roM0wTv;5K(G(Y`pKci=Qs5oTC7VuG)x9-bBA=uabjx z&ydpN;(T`blL{3X{lfIMH}=b&h>PV>-tIaNYbC>e-mB4}MNywYo4%37Y2u_xk8gGI zjpIN6d{xjU=}l)ic{m%LDU9;QcbQ(utu+B3GT-gt0`0PACI6np} zwst%wkk>a$QJfEuPhEH7dt+gnHL5()%Om0Z&p#3GI{f4 zBR|(*q4F4?0Con>SM)h40Wedt4Jwe}+g=YE=jZ2E_vtQpH>$G@Y95_UbzTeUas6i8 zE6V;^^!Ut>>>TqXz^DD0)r6$^Lr?hz`sAim=OQ|1ZM(6{w*nh9E7O*wT)&hMg#*P?+!xnLBRZv zLC{14E_65=43_wT3;huQf--^rUQD)3c>nqU0z)ClF1~+a$WA!~Ke9pZpBM<)XUBhg zEEo#o6SyVECjfyVZTj!AP#6?xGV%icqZo{UfCO$S2Js_D!*31dhw}5?Rt$xKptqGE z<)F96BIWr0Ya#&B2Ba-;(0?mI8Ux|u`)};890GD1LlScfLyqOY!zv8H&v)BEI0OU+ zZdr&N429mhAqXkR_dj&~hb<5s3WnWc0XY`-Hxm9{|8XZ$PT-af5F8Hw8(V)bmj4w* z4i>oMCpcUH3`?ASjLwR|2Lgi=F?i4)0!Y9Aw+=7@*>ZW??E*;tZhKPz3W46jkYoAo zkcE_k-?<;0kN;o1AU*c~Z06&??KzMDobS#&1Q2)Rkcwg8+r%K{?sym(3I7$AeTHnZ8d@)gt(;yITrD^+x74DzY_r=qX>N4a|jstZ-)O<4w;4^G^jwLFE2U^ zItU?<2!^7Q0sN3V3?c-;0=J?FjLcZborvM*yG`I6zPNDLVt|4jlC;|0lDQ72(o0}E@emz483zdm|95Hrk5m6*0)P4Wr>Bu1 z?Diay?b@K*r5TAq?kIr>+$|zVjPF*IfFS} z2Z!ITN`EndyK;BJ6U-;T2fyV6BnH6lP>2lUJ1jtvDRe8Gz)&y*e9KKp3=X=3Asuxq zFOV^ZjK#k$M$Z3#6YVc}XPJf~v-I}tpvcPd4+{Uq7L*?XzpVs@%(L5aNbJ8V#$W!y zFh1yiFQNa!5VsQp4C9CVPr?3&(Qqj2&g_ub?fd~F9Vc*`emIN|fZe7Qd0GkRHiiHp zi^hLv1Q?0kEwe>;P&fu1erMS+d+d6K=S`jtN$7!fLyumVEnhMJyH&Kd-H?D1fc)EAMl^(M<76VXN=$j z-Ju^Dmv@Xo+{qFMlDXTlg~VITHL(&S|0TFkNfk1Dk7_un;AL|z1|FIk)-Tq$z_jg_8|9^Wn=70Z<00F`I zZ>Ja%g9<~fK0cj9O3IdT90K=uAASnqx2m}m*NFdqdhaoqpaF8gT@c*v}lO7)L zQ#)fxb5mn0Cl?zgUP%~O8pJ0F10m!32?8Pc1S*Y?ggt>tBG*4S^7eTDdY6Zxqq94S Vqp2Al(jGVrjQ8-Nl#(>w{|BYlGphgq From 30644011eb0f50d284f4f085157fcbe6f54b0310 Mon Sep 17 00:00:00 2001 From: Sven Nierlein Date: Thu, 2 Mar 2017 13:35:43 +0100 Subject: [PATCH 31/61] fix file not found error when updating version The "update-version" trys to update the nrpe.spec file which does not exist at the early build phase because it is created from the nrpe.spec.in file. So replace the version in that file instead. --- update-version | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/update-version b/update-version index aa936961..24e5e0f3 100755 --- a/update-version +++ b/update-version @@ -73,8 +73,8 @@ perl -i -p -e "s/PKG_REL_DATE=.*\"/PKG_REL_DATE=\"$SHORTDATE\"/;" configure.ac autoconf # Update RPM spec file with version number -perl -i -p -e "s/%define version .*/%define version $1/;" nrpe.spec -perl -i -p -e "if( /\%define _docdir/) { s/$CURRENTVERSION/$1/; }" nrpe.spec +perl -i -p -e "s/%define version .*/%define version $1/;" nrpe.spec.in +perl -i -p -e "if( /\%define _docdir/) { s/$CURRENTVERSION/$1/; }" nrpe.spec.in # Update this file with version number and last date perl -i -p -e "s/^CURRENTVERSION=.*/CURRENTVERSION=$newversion/;" update-version From c029d67d6641107b3279667c5ee67bfd460649bf Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Fri, 3 Mar 2017 10:13:54 -0600 Subject: [PATCH 32/61] Changed release date to ISO format (yyyy-mm-dd) --- Changelog | 1 + update-version | 6 +++--- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/Changelog b/Changelog index 9ca82f2d..c02965ac 100644 --- a/Changelog +++ b/Changelog @@ -22,6 +22,7 @@ FIXES - "Remote %s accepted a Version %s Packet", please add to debug (John Frickson) - nrpe 3.0.1 segfaults when key and/or cert are broken symlinks (John Frickson) - Fixed a couple of typos in docs/NRPE.* files (Ludmil Meltchev) +- Changed release date to ISO format (yyyy-mm-dd) (John Frickson) 3.0.1 - 2016-09-08 diff --git a/update-version b/update-version index fe4d9670..5a0aa0a3 100755 --- a/update-version +++ b/update-version @@ -21,17 +21,17 @@ fi # Get date (two formats) if [ -n "$2" ]; then LONGDATE=$(LC_ALL=C date -u -d "$2" "+%B %d, %Y") - SHORTDATE=$(date -u -d "$2" "+%m-%d-%Y") + SHORTDATE=$(date -u -d "$2" "+%Y-%m-%d") else LONGDATE=$(LC_ALL=C date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" "+%B %d, %Y") - SHORTDATE=$(date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" "+%m-%d-%Y") + SHORTDATE=$(date -u -d "@${SOURCE_DATE_EPOCH:-$(date +%s)}" "+%Y-%m-%d") fi # Current version number CURRENTVERSION=3.0.1 # Last date -LASTDATE=09-08-2016 +LASTDATE=2016-09-08 if [ "x$1" = "x" ] then From e34d58763e0dcf3096095ef0df8bb498d5cb9401 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Wed, 22 Mar 2017 05:03:25 +0000 Subject: [PATCH 33/61] spelling: added --- src/snprintf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/snprintf.c b/src/snprintf.c index ea33e85c..b9f30058 100644 --- a/src/snprintf.c +++ b/src/snprintf.c @@ -77,7 +77,7 @@ * Fix incorrect zpadlen handling in fmtfp. * Thanks to Ollie Oldham for spotting it. * few mods to make it easier to compile the tests. - * addedd the "Ollie" test to the floating point ones. + * added the "Ollie" test to the floating point ones. * * Martin Pool (mbp@samba.org) April 2003 * Remove NO_CONFIG_H so that the test case can be built within a source From d761ef9d578faf57905c817613d3ec3f295d1f7a Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Wed, 22 Mar 2017 05:03:36 +0000 Subject: [PATCH 34/61] spelling: allowing --- sample-config/nrpe.cfg.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sample-config/nrpe.cfg.in b/sample-config/nrpe.cfg.in index 19d213ed..f2e87cc8 100644 --- a/sample-config/nrpe.cfg.in +++ b/sample-config/nrpe.cfg.in @@ -141,7 +141,7 @@ allow_bash_command_substitution=0 # *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! *** # Usage scenario: # Execute restricted commmands using sudo. For this to work, you need to add -# the nagios user to your /etc/sudoers. An example entry for alllowing +# the nagios user to your /etc/sudoers. An example entry for allowing # execution of the plugins from might be: # # nagios ALL=(ALL) NOPASSWD: /usr/lib/nagios/plugins/ From 35275b70ba63245d6747946d059625b330460e02 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Wed, 22 Mar 2017 05:04:22 +0000 Subject: [PATCH 35/61] spelling: argument --- src/acl.c | 2 +- src/nrpe.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/acl.c b/src/acl.c index f4ac2b68..4bcb83e2 100644 --- a/src/acl.c +++ b/src/acl.c @@ -49,7 +49,7 @@ extern int debug; -/* This function checks if a char argumnet from valid char range. +/* This function checks if a char argument from valid char range. * Valid range is: ASCII only, a number or a letter, a space, a dot, a slash, a dash, a comma. * * Returns: diff --git a/src/nrpe.c b/src/nrpe.c index b712afe0..22470edb 100644 --- a/src/nrpe.c +++ b/src/nrpe.c @@ -1271,7 +1271,7 @@ void setup_wait_conn(void) "Warning: Daemon is configured to accept command arguments with bash command substitutions!"); else syslog(LOG_NOTICE, - "Warning: Daemon is configured to accept command arguments with bash command substitutions, but is not configured to accept command argements from clients. Enable command arguments if you wish to allow command arguments with bash command substitutions."); + "Warning: Daemon is configured to accept command arguments with bash command substitutions, but is not configured to accept command arguments from clients. Enable command arguments if you wish to allow command arguments with bash command substitutions."); } # endif #endif From afa210f66cb3565fefde3edceba187df3705a46c Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Wed, 22 Mar 2017 05:05:27 +0000 Subject: [PATCH 36/61] spelling: commands --- sample-config/nrpe.cfg.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sample-config/nrpe.cfg.in b/sample-config/nrpe.cfg.in index f2e87cc8..5d9f6bb4 100644 --- a/sample-config/nrpe.cfg.in +++ b/sample-config/nrpe.cfg.in @@ -140,7 +140,7 @@ allow_bash_command_substitution=0 # # *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! *** # Usage scenario: -# Execute restricted commmands using sudo. For this to work, you need to add +# Execute restricted commands using sudo. For this to work, you need to add # the nagios user to your /etc/sudoers. An example entry for allowing # execution of the plugins from might be: # From c5cc254248d2d77b5d14158128401688ffbd82ff Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Wed, 22 Mar 2017 05:06:22 +0000 Subject: [PATCH 37/61] spelling: connecting --- sample-config/nrpe.cfg.in | 2 +- src/acl.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/sample-config/nrpe.cfg.in b/sample-config/nrpe.cfg.in index 5d9f6bb4..f2e87cc8 100644 --- a/sample-config/nrpe.cfg.in +++ b/sample-config/nrpe.cfg.in @@ -140,7 +140,7 @@ allow_bash_command_substitution=0 # # *** THIS EXAMPLE MAY POSE A POTENTIAL SECURITY RISK, SO USE WITH CAUTION! *** # Usage scenario: -# Execute restricted commands using sudo. For this to work, you need to add +# Execute restricted commmands using sudo. For this to work, you need to add # the nagios user to your /etc/sudoers. An example entry for allowing # execution of the plugins from might be: # diff --git a/src/acl.c b/src/acl.c index 4bcb83e2..22144898 100644 --- a/src/acl.c +++ b/src/acl.c @@ -479,7 +479,7 @@ int add_domain_to_acl(char *domain) { } } -/* Checks connectiong host in ACL +/* Checks connection host in ACL * * Returns: * 1 - on success From 32de4d98e8e5575cf9523d791dcd7fd2da48539b Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Wed, 22 Mar 2017 05:06:50 +0000 Subject: [PATCH 38/61] spelling: convert --- src/acl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/acl.c b/src/acl.c index 22144898..36f808ca 100644 --- a/src/acl.c +++ b/src/acl.c @@ -228,7 +228,7 @@ int add_ipv4_to_acl(char *ipv4) { return 0; } - /* Conver ip and mask to unsigned long */ + /* Convert ip and mask to unsigned long */ ip = htonl((data[0] << 24) + (data[1] << 16) + (data[2] << 8) + data[3]); mask = htonl(-1 << (32 - data[4])); From 998f29fa9a963a511111481ea974fba854d87c85 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Wed, 22 Mar 2017 05:07:18 +0000 Subject: [PATCH 39/61] spelling: derivatives --- macros/README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/macros/README.md b/macros/README.md index 078eb3c6..c13ad833 100644 --- a/macros/README.md +++ b/macros/README.md @@ -34,8 +34,8 @@ used in subsequent macros. > Output Variables : dist_type, dist_ver This macro detects the distribution type. For Linux, this would be rh -(for Red Hat and derivitives), suse (OpenSUSE, SLES, derivitives), gentoo -(Gentoo and derivitives), debian (Debian and derivitives), and so on. +(for Red Hat and derivatives), suse (OpenSUSE, SLES, derivatives), gentoo +(Gentoo and derivatives), debian (Debian and derivatives), and so on. For BSD, this would be openbsd, netbsd, freebsd, dragonfly, etc. It can also be aix, solaris, osx, and so on for Unix operating systems. From 38f43d18065ed4db2d41494a3563237fed773557 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Wed, 22 Mar 2017 05:08:48 +0000 Subject: [PATCH 40/61] spelling: handlers --- src/check_nrpe.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/check_nrpe.c b/src/check_nrpe.c index e9df2b37..db43a3f1 100644 --- a/src/check_nrpe.c +++ b/src/check_nrpe.c @@ -98,7 +98,7 @@ void set_timeout_state (char *state); int parse_timeout_string (char *timeout_str); void usage(int result); void setup_ssl(); -void set_sig_hadlers(); +void set_sig_handlers(); int connect_to_remote(); int send_request(); int read_response(); @@ -135,7 +135,7 @@ int main(int argc, char **argv) generate_crc32_table(); /* generate the CRC 32 table */ setup_ssl(); /* Do all the SSL/TLS set up */ - set_sig_hadlers(); /* initialize alarm signal handling */ + set_sig_handlers(); /* initialize alarm signal handling */ result = connect_to_remote(); /* Make the connection */ if (result != STATE_OK) { alarm(0); @@ -155,7 +155,7 @@ int main(int argc, char **argv) /* Rerun the setup */ setup_ssl(); - set_sig_hadlers(); + set_sig_handlers(); result = connect_to_remote(); /* Connect */ if (result != STATE_OK) { alarm(0); @@ -870,7 +870,7 @@ void setup_ssl() #endif } -void set_sig_hadlers() +void set_sig_handlers() { #ifdef HAVE_SIGACTION struct sigaction sig_action; @@ -1110,7 +1110,7 @@ int read_response() int rc, result; alarm(0); - set_sig_hadlers(); + set_sig_handlers(); #ifdef HAVE_SSL rc = read_packet(sd, ssl, &v2_receive_packet, &v3_receive_packet); From 89a26f1f4dfe1968879914b8e2c40b1fedcdc834 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Wed, 22 Mar 2017 05:09:37 +0000 Subject: [PATCH 41/61] spelling: justify --- src/snprintf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/snprintf.c b/src/snprintf.c index b9f30058..3a5d672c 100644 --- a/src/snprintf.c +++ b/src/snprintf.c @@ -847,7 +847,7 @@ static void fmtint(char *buffer, size_t *currlen, size_t maxlen, spadlen = 0; } if (flags & DP_F_MINUS) - spadlen = -spadlen; /* Left Justifty */ + spadlen = -spadlen; /* Left Justify */ #ifdef DEBUG_SNPRINTF printf("zpad: %d, spad: %d, min: %d, max: %d, place: %d\n", @@ -1055,7 +1055,7 @@ static void fmtfp (char *buffer, size_t *currlen, size_t maxlen, if (padlen < 0) padlen = 0; if (flags & DP_F_MINUS) - padlen = -padlen; /* Left Justifty */ + padlen = -padlen; /* Left Justify */ if ((flags & DP_F_ZERO) && (padlen > 0)) { if (signvalue) { From 6ba3658dcf0a35316e92eb869f6ae90f37ace593 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Wed, 22 Mar 2017 05:10:35 +0000 Subject: [PATCH 42/61] spelling: messages --- nrpe.spec.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nrpe.spec.in b/nrpe.spec.in index 2f0d1569..23a10f91 100644 --- a/nrpe.spec.in +++ b/nrpe.spec.in @@ -32,7 +32,7 @@ # rpm -ba|--rebuild --define 'nsport 5666' %{?port:%define nsport %{port}} -# Macro that print mesages to syslog at package (un)install time +# Macro that print messages to syslog at package (un)install time %define nnmmsg logger -t %{name}/rpm Summary: Host/service/network monitoring agent for Nagios From d75dfc1111b80c757f610e335321186fe6149a3f Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Wed, 22 Mar 2017 05:12:04 +0000 Subject: [PATCH 43/61] spelling: pointers --- include/acl.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/acl.h b/include/acl.h index 06d9e5a0..94fb93cc 100644 --- a/include/acl.h +++ b/include/acl.h @@ -53,7 +53,7 @@ struct dns_acl { struct dns_acl *next; }; -/* Poiters to head ACL structs */ +/* Pointers to head ACL structs */ static struct ip_acl *ip_acl_head, *ip_acl_prev; static struct dns_acl *dns_acl_head, *dns_acl_prev; From 353344f1cc0671595a0fcebf3337e1368ee7b505 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Wed, 22 Mar 2017 05:12:25 +0000 Subject: [PATCH 44/61] spelling: privileged --- sample-config/nrpe.cfg.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sample-config/nrpe.cfg.in b/sample-config/nrpe.cfg.in index f2e87cc8..b53eb73a 100644 --- a/sample-config/nrpe.cfg.in +++ b/sample-config/nrpe.cfg.in @@ -38,7 +38,7 @@ pid_file=@piddir@/nrpe.pid # PORT NUMBER # Port number we should wait for connections on. -# NOTE: This must be a non-priviledged port (i.e. > 1024). +# NOTE: This must be a non-privileged port (i.e. > 1024). # NOTE: This option is ignored if NRPE is running under either inetd or xinetd server_port=@nrpe_port@ From 4078c01890e07cb69f5ca87dd65b90e7731e8856 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Wed, 22 Mar 2017 05:12:44 +0000 Subject: [PATCH 45/61] spelling: propagate --- macros/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/macros/README.md b/macros/README.md index c13ad833..cc3f886a 100644 --- a/macros/README.md +++ b/macros/README.md @@ -94,7 +94,7 @@ on a simple program to make sure a compile and link will work correctly. ## Usage This repo is intended to be used as a git subtree, so changes will -automatically propogate, and still be reasonably easy to use. +automatically propagate, and still be reasonably easy to use. * First, Create, checkout, clone, or branch your project. If you do an `ls -AF` it might look something like this: From 53d1f3fad308b9f0d970fb66401d32b3eecec5c0 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Wed, 22 Mar 2017 05:13:44 +0000 Subject: [PATCH 46/61] spelling: separate --- src/check_nrpe.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/src/check_nrpe.c b/src/check_nrpe.c index db43a3f1..37a0f48e 100644 --- a/src/check_nrpe.c +++ b/src/check_nrpe.c @@ -596,22 +596,22 @@ void set_timeout_state (char *state) { int parse_timeout_string (char *timeout_str) { - char *seperated_str; + char *separated_str; char *timeout_val = NULL; char *timeout_sta = NULL; if (strstr(timeout_str, ":") == NULL) timeout_val = timeout_str; else if (strncmp(timeout_str, ":", 1) == 0) { - seperated_str = strtok(timeout_str, ":"); - if (seperated_str != NULL) - timeout_sta = seperated_str; + separated_str = strtok(timeout_str, ":"); + if (separated_str != NULL) + timeout_sta = separated_str; } else { - seperated_str = strtok(timeout_str, ":"); - timeout_val = seperated_str; - seperated_str = strtok(NULL, ":"); - if (seperated_str != NULL) { - timeout_sta = seperated_str; + separated_str = strtok(timeout_str, ":"); + timeout_val = separated_str; + separated_str = strtok(NULL, ":"); + if (separated_str != NULL) { + timeout_sta = separated_str; } } From fd60cd1e27967f14e5a5835416e4fbb19448242b Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Wed, 22 Mar 2017 05:15:01 +0000 Subject: [PATCH 47/61] spelling: substitution --- SECURITY.md | 2 +- sample-config/nrpe.cfg.in | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 8034837d..1181846d 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -46,7 +46,7 @@ do two things: #### ENABLING BASH COMMAND SUBSTITUTION #### -To enable support for arguments containing bash command substitions, +To enable support for arguments containing bash command substitutions, you must do two things: 1. Enable arguments as described above diff --git a/sample-config/nrpe.cfg.in b/sample-config/nrpe.cfg.in index b53eb73a..ab670e9c 100644 --- a/sample-config/nrpe.cfg.in +++ b/sample-config/nrpe.cfg.in @@ -115,7 +115,7 @@ dont_blame_nrpe=0 -# BASH COMMAND SUBTITUTION +# BASH COMMAND SUBSTITUTION # This option determines whether or not the NRPE daemon will allow clients # to specify arguments that contain bash command substitutions of the form # $(...). This option only works if the daemon was configured with both From 34f22056ccdaf05bab651ca9b193154b0060ba09 Mon Sep 17 00:00:00 2001 From: Josh Soref Date: Wed, 22 Mar 2017 05:14:49 +0000 Subject: [PATCH 48/61] spelling: subtree --- macros/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/macros/README.md b/macros/README.md index cc3f886a..0cfd8769 100644 --- a/macros/README.md +++ b/macros/README.md @@ -129,7 +129,7 @@ master. * To get the latest version of `autoconf-macros` into your parent project: - git subtgree pull --squash --prefix=macros autoconf-macros master + git subtree pull --squash --prefix=macros autoconf-macros master From fbcb03f4866f974a7d10d136b9f13a2140e6bcec Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Fri, 31 Mar 2017 09:23:19 -0500 Subject: [PATCH 49/61] Updates to files Changelog and THANKS --- Changelog | 6 +++++- THANKS | 2 ++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index c02965ac..a41aec68 100644 --- a/Changelog +++ b/Changelog @@ -2,7 +2,7 @@ NRPE Changelog ************** -3.0.x - 2016-xx-xx +3.0.x - 201x-xx-xx ------------------ FIXES - Added missing debugging syslog entries, and changed printf()'s to syslog()'s. (Jobst Schmalenbach) @@ -23,6 +23,10 @@ FIXES - nrpe 3.0.1 segfaults when key and/or cert are broken symlinks (John Frickson) - Fixed a couple of typos in docs/NRPE.* files (Ludmil Meltchev) - Changed release date to ISO format (yyyy-mm-dd) (John Frickson) +- Fix systemd unit description (Bas Couwenberg) +- Add reload command to systemd service file (Bas Couwenberg) +- fix file not found error when updating version (Sven Nierlein) +- Spelling fixes (Josh Soref) 3.0.1 - 2016-09-08 diff --git a/THANKS b/THANKS index f60864de..f282b40f 100644 --- a/THANKS +++ b/THANKS @@ -22,6 +22,7 @@ Jason Cook Jobst Schmalenbach John Maag Jon Andrews +Josh Soref Kaspersky Lab Kevin Pendleton Konstantin Malov @@ -43,6 +44,7 @@ Sean Finney Spenser Reinhardt Stefan Krüger Subhendu Ghosh +Sven Nierlein Thierry Bertaud Ton Voon Vadim Antipov From 04cef56c472a3e6c81e7eafa094e3f9f1f125ec5 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Fri, 31 Mar 2017 10:22:48 -0500 Subject: [PATCH 50/61] Added option to nrpe.cfg.in that can override hard-coded NASTY_METACHARS Fix for issue #70 --- Changelog | 5 ++++- sample-config/nrpe.cfg.in | 7 +++++++ src/nrpe.c | 9 ++++++++- 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index a41aec68..c7cff84f 100644 --- a/Changelog +++ b/Changelog @@ -2,8 +2,11 @@ NRPE Changelog ************** -3.0.x - 201x-xx-xx +3.x.x - 201x-xx-xx ------------------ +ENHANCEMENTS +- Added option to nrpe.cfg.in that can override hard-coded NASTY_METACHARS (John Frickson) + FIXES - Added missing debugging syslog entries, and changed printf()'s to syslog()'s. (Jobst Schmalenbach) - Fix help output for ssl option (configure) (Ruben Kerkhof) diff --git a/sample-config/nrpe.cfg.in b/sample-config/nrpe.cfg.in index ab670e9c..da323f6f 100644 --- a/sample-config/nrpe.cfg.in +++ b/sample-config/nrpe.cfg.in @@ -246,6 +246,13 @@ connection_timeout=300 +# NASTY METACHARACTERS +# This option allows you to override the list of characters that cannot +# be passed to the NRPE daemon. + +# nasty_metachars="|`&><'\\[]{};\r\n" + + # INCLUDE CONFIG FILE # This directive allows you to include definitions from an external config file. diff --git a/src/nrpe.c b/src/nrpe.c index 22470edb..d1adf6a7 100644 --- a/src/nrpe.c +++ b/src/nrpe.c @@ -106,6 +106,7 @@ int debug = FALSE; int use_src = FALSE; /* Define parameter for SRC option */ int no_forking = FALSE; int listen_queue_size = DEFAULT_LISTEN_QUEUE_SIZE; +char *nasty_metachars = NULL; /* SSL/TLS parameters */ typedef enum _SSL_VER { @@ -184,6 +185,9 @@ int main(int argc, char **argv) return STATE_CRITICAL; } + if (!nasty_metachars) + nasty_metachars = strdup(NASTY_METACHARS); + /* initialize macros */ for (x = 0; x < MAX_COMMAND_ARGUMENTS; x++) macro_argv[x] = NULL; @@ -890,6 +894,9 @@ int read_config_file(char *filename) } else if (!strcmp(varname, "keep_env_vars")) keep_env_vars = strdup(varvalue); + else if (!strcmp(varname, "nasty_metachars")) + nasty_metachars = strdup(varvalue); + else { syslog(LOG_WARNING, "Unknown option specified in config file '%s' - Line %d\n", filename, line); @@ -2543,7 +2550,7 @@ int contains_nasty_metachars(char *str) if (str == NULL) return FALSE; - result = strcspn(str, NASTY_METACHARS); + result = strcspn(str, nasty_metachars); if (result != strlen(str)) return TRUE; From 25f49109ecad8acbc88de1077d3ba32e18b66814 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Fri, 31 Mar 2017 11:30:35 -0500 Subject: [PATCH 51/61] While processing 'include_dir' statement, sort the files Fix for issue #97. Thanks to Philippe Kueck for the patch! --- configure | 4 ++-- configure.ac | 2 +- include/config.h.in | 3 +++ src/nrpe.c | 32 +++++++++++++++++++++++++++++--- 4 files changed, 35 insertions(+), 6 deletions(-) diff --git a/configure b/configure index c65b01e5..fbe07d66 100755 --- a/configure +++ b/configure @@ -7154,7 +7154,7 @@ rm -f core conftest.err conftest.$ac_objext \ fi -for ac_func in strdup strstr strtoul strtok_r initgroups closesocket sigaction +for ac_func in strdup strstr strtoul strtok_r initgroups closesocket sigaction scandir do : as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" @@ -7280,7 +7280,7 @@ fi if test x$check_for_ssl = xyes; then # need_dh should only be set for NRPE - need_dh=no + need_dh=yes # ------------------------------- diff --git a/configure.ac b/configure.ac index f5afa230..8ebfcd63 100644 --- a/configure.ac +++ b/configure.ac @@ -243,7 +243,7 @@ AC_CHECK_LIB(wrap,main,[ AC_TRY_LINK([#include ],[int a = rfc931_timeout;],AC_DEFINE(HAVE_RFC931_TIMEOUT)) ]) -AC_CHECK_FUNCS(strdup strstr strtoul strtok_r initgroups closesocket sigaction) +AC_CHECK_FUNCS(strdup strstr strtoul strtok_r initgroups closesocket sigaction scandir) dnl socklen_t check - from curl AC_CHECK_TYPE([socklen_t], ,[ diff --git a/include/config.h.in b/include/config.h.in index c3159354..c1cd0e75 100644 --- a/include/config.h.in +++ b/include/config.h.in @@ -73,6 +73,9 @@ /* Define to 1 if you have the `sigaction' function. */ #undef HAVE_SIGACTION +/* Define to 1 if you have the `scandir' function. */ +#undef HAVE_SCANDIR + /* Set to 1 if you have rfc931_timeout */ #undef HAVE_RFC931_TIMEOUT diff --git a/src/nrpe.c b/src/nrpe.c index d1adf6a7..7497aa6c 100644 --- a/src/nrpe.c +++ b/src/nrpe.c @@ -912,12 +912,28 @@ int read_config_file(char *filename) int read_config_dir(char *dirname) { struct dirent *dirfile; +#ifdef HAVE_SCANDIR + struct dirent **dirfiles; + int x, i, n; +#else + DIR *dirp; + int x; +#endif struct stat buf; char config_file[MAX_FILENAME_LENGTH]; - DIR *dirp; int result = OK; - int x; +#ifdef HAVE_SCANDIR + /* read and sort the directory contents */ + n = scandir(dirname, &dirfiles, 0, alphasort); + if (n < 0) { + syslog(LOG_ERR, "Could not open config directory '%s' for reading.\n", dirname); + return ERROR; + } + + for (i = 0; i < n; i++) { + dirfile = dirfiles[i]; +#else /* open the directory for reading */ dirp = opendir(dirname); if (dirp == NULL) { @@ -925,8 +941,10 @@ int read_config_dir(char *dirname) return ERROR; } - /* process all files in the directory... */ while ((dirfile = readdir(dirp)) != NULL) { +#endif + + /* process all files in the directory... */ /* create the full path to the config file or subdirectory */ snprintf(config_file, sizeof(config_file) - 1, "%s/%s", dirname, dirfile->d_name); @@ -962,10 +980,18 @@ int read_config_dir(char *dirname) /* break out if we encountered an error */ if (result == ERROR) break; + } } +#ifdef HAVE_SCANDIR + for (i = 0; i < n; i++) + free(dirfiles[i]); + free(dirfiles); +#else closedir(dirp); +#endif + return result; } From b8ee0362614a1ca49d8269165ba2140f2c903dd0 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Fri, 31 Mar 2017 14:29:52 -0500 Subject: [PATCH 52/61] Allow NRPE logging directly rather than requiring use of syslog Fix for issue #65 In the 'nrpe.cfg' file, there is now an option 'log-file='. When this option is set, everything that would normally get logged to syslog will now be written to the specified file. Similarly, 'check_nrpe' has the long command line option '--log-file' or the short option '-g'. This option can also be specified in the config file given in the '--config-file' ('-f') parameter. --- Changelog | 3 + include/utils.h | 3 + sample-config/nrpe.cfg.in | 8 ++ src/acl.c | 57 ++++---- src/check_nrpe.c | 115 ++++++++------- src/nrpe.c | 295 ++++++++++++++++++++------------------ src/utils.c | 93 +++++++++++- 7 files changed, 349 insertions(+), 225 deletions(-) diff --git a/Changelog b/Changelog index c7cff84f..9084be80 100644 --- a/Changelog +++ b/Changelog @@ -6,6 +6,9 @@ NRPE Changelog ------------------ ENHANCEMENTS - Added option to nrpe.cfg.in that can override hard-coded NASTY_METACHARS (John Frickson) +- While processing 'include_dir' statement, sort the files (Philippe Kueck / John Frickson) +- nrpe can now write to a log file using 'log_file=' in nrpe.cfg (John Frickson) +- check_nrpe can now write to a log file using '--log_file=' or '-g' options (John Frickson) FIXES - Added missing debugging syslog entries, and changed printf()'s to syslog()'s. (Jobst Schmalenbach) diff --git a/include/utils.h b/include/utils.h index 3074eead..53643664 100644 --- a/include/utils.h +++ b/include/utils.h @@ -49,6 +49,9 @@ char* strip(char*); int sendall(int, char*, int*); int recvall(int, char*, int*, int); char *my_strsep(char**, const char*); +void open_log_file(); +void logit(int priority, const char *format, ...); +void close_log_file(); void display_license(void); #endif diff --git a/sample-config/nrpe.cfg.in b/sample-config/nrpe.cfg.in index fb1ba9d2..71047e48 100644 --- a/sample-config/nrpe.cfg.in +++ b/sample-config/nrpe.cfg.in @@ -18,6 +18,14 @@ log_facility=@log_facility@ +# LOG FILE +# If a log file is specified in this option, nrpe will write to +# that file instead of using syslog. + +#log_file=@logdir@/nrpe.log + + + # DEBUGGING OPTION # This option determines whether or not debugging messages are logged to the # syslog facility. diff --git a/src/acl.c b/src/acl.c index 36f808ca..c5e09b9d 100644 --- a/src/acl.c +++ b/src/acl.c @@ -42,7 +42,6 @@ #include #include #include -#include #include #include "../include/acl.h" @@ -142,11 +141,11 @@ int add_ipv4_to_acl(char *ipv4) { struct ip_acl *ip_acl_curr; if(debug == TRUE) - syslog(LOG_INFO, "add_ipv4_to_acl: checking ip-address >%s<", ipv4); + logit(LOG_INFO, "add_ipv4_to_acl: checking ip-address >%s<", ipv4); /* Check for min and max IPv4 valid length */ if (len < 7 || len > 18) { - syslog(LOG_INFO, "add_ipv4_to_acl: Error, ip-address >%s< incorrect length", ipv4); + logit(LOG_INFO, "add_ipv4_to_acl: Error, ip-address >%s< incorrect length", ipv4); return 0; } @@ -158,7 +157,7 @@ int add_ipv4_to_acl(char *ipv4) { /* Return 0 on error state */ if (state == -1) { if(debug == TRUE) - syslog(LOG_INFO, "add_ipv4_to_acl: Error, ip-address >%s< incorrect " + logit(LOG_INFO, "add_ipv4_to_acl: Error, ip-address >%s< incorrect " "format, continue with next check ...", ipv4); return 0; } @@ -209,7 +208,7 @@ int add_ipv4_to_acl(char *ipv4) { break; default: /* Bad states */ - syslog(LOG_INFO, "add_ipv4_to_acl: Error, ip-address >%s< bad state", ipv4); + logit(LOG_INFO, "add_ipv4_to_acl: Error, ip-address >%s< bad state", ipv4); return 0; } @@ -218,13 +217,13 @@ int add_ipv4_to_acl(char *ipv4) { */ for (i=0; i < 4; i++) { if (data[i] < 0 || data[i] > 255) { - syslog(LOG_ERR,"Invalid IPv4 address/network format(%s) in allowed_hosts option\n",ipv4); + logit(LOG_ERR,"Invalid IPv4 address/network format(%s) in allowed_hosts option\n",ipv4); return 0; } } if (data[4] < 0 || data[4] > 32) { - syslog(LOG_ERR,"Invalid IPv4 network mask format(%s) in allowed_hosts option\n",ipv4); + logit(LOG_ERR,"Invalid IPv4 network mask format(%s) in allowed_hosts option\n",ipv4); return 0; } @@ -234,13 +233,13 @@ int add_ipv4_to_acl(char *ipv4) { /* Wrong network address */ if ( (ip & mask) != ip) { - syslog(LOG_ERR,"IP address and mask do not match in %s\n",ipv4); + logit(LOG_ERR,"IP address and mask do not match in %s\n",ipv4); return 0; } /* Add addr to ip_acl list */ if ( (ip_acl_curr = malloc(sizeof(*ip_acl_curr))) == NULL) { - syslog(LOG_ERR,"Can't allocate memory for ACL, malloc error\n"); + logit(LOG_ERR,"Can't allocate memory for ACL, malloc error\n"); return 0; } @@ -258,7 +257,7 @@ int add_ipv4_to_acl(char *ipv4) { ip_acl_prev = ip_acl_curr; if(debug == TRUE) - syslog(LOG_INFO, "add_ipv4_to_acl: ip-address >%s< correct, adding.", ipv4); + logit(LOG_INFO, "add_ipv4_to_acl: ip-address >%s< correct, adding.", ipv4); return 1; } @@ -284,7 +283,7 @@ int add_ipv6_to_acl(char *ipv6) { messages if needed */ ipv6tmp = strdup(ipv6); if(NULL == ipv6tmp) { - syslog(LOG_ERR, "Memory allocation failed for copy of address: %s\n", + logit(LOG_ERR, "Memory allocation failed for copy of address: %s\n", ipv6); return 0; } @@ -340,7 +339,7 @@ int add_ipv6_to_acl(char *ipv6) { /* Add address to ip_acl list */ ip_acl_curr = malloc(sizeof(*ip_acl_curr)); if(NULL == ip_acl_curr) { - syslog(LOG_ERR, "Memory allocation failed for ACL: %s\n", ipv6); + logit(LOG_ERR, "Memory allocation failed for ACL: %s\n", ipv6); return 0; } @@ -401,7 +400,7 @@ int add_domain_to_acl(char *domain) { struct dns_acl *dns_acl_curr; if (len > 63) { - syslog(LOG_INFO, + logit(LOG_INFO, "ADD_DOMAIN_TO_ACL: Error, did not add >%s< to acl list, too long!", domain); return 0; @@ -443,7 +442,7 @@ int add_domain_to_acl(char *domain) { } break; default: - syslog(LOG_INFO, + logit(LOG_INFO, "ADD_DOMAIN_TO_ACL: Error, did not add >%s< to acl list, " "invalid chars!", domain); /* Not valid chars */ @@ -456,7 +455,7 @@ int add_domain_to_acl(char *domain) { case 1: case 4: case 5: /* Add name to domain ACL list */ if ( (dns_acl_curr = malloc(sizeof(*dns_acl_curr))) == NULL) { - syslog(LOG_ERR,"Can't allocate memory for ACL, malloc error\n"); + logit(LOG_ERR,"Can't allocate memory for ACL, malloc error\n"); return 0; } strcpy(dns_acl_curr->domain, domain); @@ -469,10 +468,10 @@ int add_domain_to_acl(char *domain) { dns_acl_prev = dns_acl_curr; if(debug == TRUE) - syslog(LOG_INFO, "ADD_DOMAIN_TO_ACL: added >%s< to acl list!", domain); + logit(LOG_INFO, "ADD_DOMAIN_TO_ACL: added >%s< to acl list!", domain); return 1; default: - syslog(LOG_INFO, + logit(LOG_INFO, "ADD_DOMAIN_TO_ACL: ERROR, did not add >%s< to acl list, " "check allowed_host in config file!", domain); return 0; @@ -503,7 +502,7 @@ int is_an_allowed_host(int family, void *host) case AF_INET: if (debug == TRUE) { tmp.s_addr = ((struct in_addr*)host)->s_addr; - syslog(LOG_INFO, "is_an_allowed_host (AF_INET): is host >%s< " + logit(LOG_INFO, "is_an_allowed_host (AF_INET): is host >%s< " "an allowed host >%s<\n", inet_ntoa(tmp), inet_ntoa(ip_acl_curr->addr)); } @@ -511,7 +510,7 @@ int is_an_allowed_host(int family, void *host) ip_acl_curr->mask.s_addr) == ip_acl_curr->addr.s_addr) { if (debug == TRUE) - syslog(LOG_INFO, "is_an_allowed_host (AF_INET): host is in allowed host list!"); + logit(LOG_INFO, "is_an_allowed_host (AF_INET): host is in allowed host list!"); return 1; } break; @@ -545,7 +544,7 @@ int is_an_allowed_host(int family, void *host) case AF_INET: if(debug == TRUE) { tmp.s_addr=((struct in_addr *)host)->s_addr; - syslog(LOG_INFO, "is_an_allowed_host (AF_INET): is host >%s< " + logit(LOG_INFO, "is_an_allowed_host (AF_INET): is host >%s< " "an allowed host >%s<\n", inet_ntoa(tmp), dns_acl_curr->domain); } @@ -553,7 +552,7 @@ int is_an_allowed_host(int family, void *host) addr = (struct sockaddr_in*)(ai->ai_addr); if (addr->sin_addr.s_addr == ((struct in_addr*)host)->s_addr) { if (debug == TRUE) - syslog(LOG_INFO, "is_an_allowed_host (AF_INET): " + logit(LOG_INFO, "is_an_allowed_host (AF_INET): " "host is in allowed host list!"); return 1; } @@ -605,7 +604,7 @@ void parse_allowed_hosts(char *allowed_hosts) { char *trimmed_tok; if (debug == TRUE) - syslog(LOG_INFO, + logit(LOG_INFO, "parse_allowed_hosts: parsing the allowed host string >%s< to add to ACL list\n", allowed_hosts); @@ -613,7 +612,7 @@ void parse_allowed_hosts(char *allowed_hosts) { tok = strtok_r(hosts, delim, &saveptr); #else if (debug == TRUE) - syslog(LOG_INFO,"parse_allowed_hosts: using strtok, this might lead to " + logit(LOG_INFO,"parse_allowed_hosts: using strtok, this might lead to " "problems in the allowed_hosts string determination!\n"); tok = strtok(hosts, delim); #endif @@ -621,13 +620,13 @@ void parse_allowed_hosts(char *allowed_hosts) { trimmed_tok = malloc( sizeof( char) * ( strlen( tok) + 1)); trim( tok, trimmed_tok); if(debug == TRUE) - syslog(LOG_DEBUG, "parse_allowed_hosts: ADDING this record (%s) to ACL list!\n", trimmed_tok); + logit(LOG_DEBUG, "parse_allowed_hosts: ADDING this record (%s) to ACL list!\n", trimmed_tok); if( strlen( trimmed_tok) > 0) { if (!add_ipv4_to_acl(trimmed_tok) && !add_ipv6_to_acl(trimmed_tok) && !add_domain_to_acl(trimmed_tok)) { - syslog(LOG_ERR,"Can't add to ACL this record (%s). Check allowed_hosts option!\n",trimmed_tok); + logit(LOG_ERR,"Can't add to ACL this record (%s). Check allowed_hosts option!\n",trimmed_tok); } else if (debug == TRUE) - syslog(LOG_DEBUG,"parse_allowed_hosts: Record added to ACL list!\n"); + logit(LOG_DEBUG,"parse_allowed_hosts: Record added to ACL list!\n"); } free( trimmed_tok); #ifdef HAVE_STRTOK_R @@ -667,16 +666,16 @@ void show_acl_lists(void) struct ip_acl *ip_acl_curr = ip_acl_head; struct dns_acl *dns_acl_curr = dns_acl_head; - syslog(LOG_INFO, "Showing ACL lists for both IP and DOMAIN acl's:\n" ); + logit(LOG_INFO, "Showing ACL lists for both IP and DOMAIN acl's:\n" ); while (ip_acl_curr != NULL) { - syslog(LOG_INFO, " IP ACL: %s/%u %u\n", inet_ntoa(ip_acl_curr->addr), + logit(LOG_INFO, " IP ACL: %s/%u %u\n", inet_ntoa(ip_acl_curr->addr), prefix_from_mask(ip_acl_curr->mask), ip_acl_curr->addr.s_addr); ip_acl_curr = ip_acl_curr->next; } while (dns_acl_curr != NULL) { - syslog(LOG_INFO, " DNS ACL: %s\n", dns_acl_curr->domain); + logit(LOG_INFO, " DNS ACL: %s\n", dns_acl_curr->domain); dns_acl_curr = dns_acl_curr->next; } } diff --git a/src/check_nrpe.c b/src/check_nrpe.c index 37a0f48e..ed92c3ef 100644 --- a/src/check_nrpe.c +++ b/src/check_nrpe.c @@ -48,6 +48,7 @@ int show_version = FALSE; int packet_ver = NRPE_PACKET_VERSION_3; int force_v2_packet = 0; int payload_size = 0; +extern char *log_file; #ifdef HAVE_SSL # if (defined(__sun) && defined(SOLARIS_10)) || defined(_AIX) || defined(__hpux) @@ -115,6 +116,8 @@ int main(int argc, char **argv) result = process_arguments(argc, argv, 0); + open_log_file(); + if (result != OK || show_help == TRUE || show_license == TRUE || show_version == TRUE) usage(result); /* usage() will call exit() */ @@ -150,7 +153,7 @@ int main(int argc, char **argv) if (result == -1) { /* Failure reading from remote, so try version 2 packet */ - syslog(LOG_INFO, "Remote %s does not support Version 3 Packets", rem_host); + logit(LOG_INFO, "Remote %s does not support Version 3 Packets", rem_host); packet_ver = NRPE_PACKET_VERSION_2; /* Rerun the setup */ @@ -159,19 +162,23 @@ int main(int argc, char **argv) result = connect_to_remote(); /* Connect */ if (result != STATE_OK) { alarm(0); + close_log_file(); /* close the log file */ return result; } result = send_request(); /* Send the request */ - if (result != STATE_OK) + if (result != STATE_OK) { + close_log_file(); /* close the log file */ return result; + } result = read_response(); /* Get the response */ } if (result != -1 && force_v2_packet == 0 && packet_ver == NRPE_PACKET_VERSION_2) - syslog(LOG_DEBUG, "Remote %s accepted a Version %d Packet", rem_host, packet_ver); + logit(LOG_DEBUG, "Remote %s accepted a Version %d Packet", rem_host, packet_ver); + close_log_file(); /* close the log file */ return result; } @@ -207,6 +214,7 @@ int process_arguments(int argc, char **argv, int from_config_file) {"timeout", required_argument, 0, 't'}, {"port", required_argument, 0, 'p'}, {"payload-size", required_argument, 0, 'P'}, + {"log-file", required_argument, 0, 'g'}, {"help", no_argument, 0, 'h'}, {"license", no_argument, 0, 'l'}, {0, 0, 0, 0} @@ -218,7 +226,7 @@ int process_arguments(int argc, char **argv, int from_config_file) return ERROR; optind = 0; - snprintf(optchars, MAX_INPUT_BUFFER, "H:f:b:c:a:t:p:S:L:C:K:A:d:s:P:246hlnuV"); + snprintf(optchars, MAX_INPUT_BUFFER, "H:f:b:c:a:t:p:S:L:C:K:A:d:s:P:g:246hlnuV"); while (1) { if (argindex > 0) @@ -261,7 +269,7 @@ int process_arguments(int argc, char **argv, int from_config_file) case 't': if (from_config_file && socket_timeout != -1) { - syslog(LOG_WARNING, "WARNING: Command-line socket timeout overrides " + logit(LOG_WARNING, "WARNING: Command-line socket timeout overrides " "the config file option."); break; } @@ -272,7 +280,7 @@ int process_arguments(int argc, char **argv, int from_config_file) case 'p': if (from_config_file && server_port != 0) { - syslog(LOG_WARNING, "WARNING: Command-line server port overrides " + logit(LOG_WARNING, "WARNING: Command-line server port overrides " "the config file option."); break; } @@ -283,7 +291,7 @@ int process_arguments(int argc, char **argv, int from_config_file) case 'P': if (from_config_file && payload_size > 0) { - syslog(LOG_WARNING, "WARNING: Command-line payload-size (-P) overrides " + logit(LOG_WARNING, "WARNING: Command-line payload-size (-P) overrides " "the config file option."); break; } @@ -294,7 +302,7 @@ int process_arguments(int argc, char **argv, int from_config_file) case 'H': if (from_config_file && server_name != NULL) { - syslog(LOG_WARNING, "WARNING: Command-line server name overrides " + logit(LOG_WARNING, "WARNING: Command-line server name overrides " "the config file option."); break; } @@ -323,7 +331,7 @@ int process_arguments(int argc, char **argv, int from_config_file) case 'u': if (from_config_file && timeout_return_code != -1) { - syslog(LOG_WARNING, "WARNING: Command-line unknown-timeout (-u) " + logit(LOG_WARNING, "WARNING: Command-line unknown-timeout (-u) " "overrides the config file option."); break; } @@ -332,7 +340,7 @@ int process_arguments(int argc, char **argv, int from_config_file) case '2': if (from_config_file && packet_ver != NRPE_PACKET_VERSION_3) { - syslog(LOG_WARNING, "WARNING: Command-line v2-packets-only (-2) " + logit(LOG_WARNING, "WARNING: Command-line v2-packets-only (-2) " "overrides the config file option."); break; } @@ -342,7 +350,7 @@ int process_arguments(int argc, char **argv, int from_config_file) case '4': if (from_config_file && address_family != AF_UNSPEC) { - syslog(LOG_WARNING, "WARNING: Command-line ipv4 (-4) " + logit(LOG_WARNING, "WARNING: Command-line ipv4 (-4) " "or ipv6 (-6) overrides the config file option."); break; } @@ -351,7 +359,7 @@ int process_arguments(int argc, char **argv, int from_config_file) case '6': if (from_config_file && address_family != AF_UNSPEC) { - syslog(LOG_WARNING, "WARNING: Command-line ipv4 (-4) " + logit(LOG_WARNING, "WARNING: Command-line ipv4 (-4) " "or ipv6 (-6) overrides the config file option."); break; } @@ -360,7 +368,7 @@ int process_arguments(int argc, char **argv, int from_config_file) case 'd': if (from_config_file && sslprm.allowDH != -1) { - syslog(LOG_WARNING, "WARNING: Command-line use-adh (-d) " + logit(LOG_WARNING, "WARNING: Command-line use-adh (-d) " "overrides the config file option."); break; } @@ -371,7 +379,7 @@ int process_arguments(int argc, char **argv, int from_config_file) case 'A': if (from_config_file && sslprm.cacert_file != NULL) { - syslog(LOG_WARNING, "WARNING: Command-line ca-cert-file (-A) " + logit(LOG_WARNING, "WARNING: Command-line ca-cert-file (-A) " "overrides the config file option."); break; } @@ -380,7 +388,7 @@ int process_arguments(int argc, char **argv, int from_config_file) case 'C': if (from_config_file && sslprm.cert_file != NULL) { - syslog(LOG_WARNING, "WARNING: Command-line client-cert (-C) " + logit(LOG_WARNING, "WARNING: Command-line client-cert (-C) " "overrides the config file option."); break; } @@ -390,7 +398,7 @@ int process_arguments(int argc, char **argv, int from_config_file) case 'K': if (from_config_file && sslprm.privatekey_file != NULL) { - syslog(LOG_WARNING, "WARNING: Command-line key-file (-K) " + logit(LOG_WARNING, "WARNING: Command-line key-file (-K) " "overrides the config file option."); break; } @@ -400,7 +408,7 @@ int process_arguments(int argc, char **argv, int from_config_file) case 'S': if (from_config_file && sslprm.ssl_min_ver != SSL_Ver_Invalid) { - syslog(LOG_WARNING, "WARNING: Command-line ssl-version (-S) " + logit(LOG_WARNING, "WARNING: Command-line ssl-version (-S) " "overrides the config file option."); break; } @@ -430,7 +438,7 @@ int process_arguments(int argc, char **argv, int from_config_file) case 'L': if (from_config_file && sslprm.cipher_list[0] != '\0') { - syslog(LOG_WARNING, "WARNING: Command-line cipher-list (-L) " + logit(LOG_WARNING, "WARNING: Command-line cipher-list (-L) " "overrides the config file option."); break; } @@ -440,7 +448,7 @@ int process_arguments(int argc, char **argv, int from_config_file) case 's': if (from_config_file && have_log_opts == TRUE) { - syslog(LOG_WARNING, "WARNING: Command-line ssl-logging (-s) " + logit(LOG_WARNING, "WARNING: Command-line ssl-logging (-s) " "overrides the config file option."); break; } @@ -448,6 +456,15 @@ int process_arguments(int argc, char **argv, int from_config_file) have_log_opts = TRUE; break; + case 'g': + if (from_config_file && log_file != NULL) { + logit(LOG_WARNING, "WARNING: Command-line log-file (-g) " + "overrides the config file option."); + break; + } + log_file = strdup(optarg); + break; + default: return ERROR; } @@ -509,28 +526,28 @@ int read_config_file(char *fname) size_t sz; if (stat(fname, &st)) { - syslog(LOG_ERR, "Error: Could not stat config file %s", fname); + logit(LOG_ERR, "Error: Could not stat config file %s", fname); return ERROR; } if ((f = fopen(fname, "r")) == NULL) { - syslog(LOG_ERR, "Error: Could not open config file %s", fname); + logit(LOG_ERR, "Error: Could not open config file %s", fname); return ERROR; } if ((buf = (char*)calloc(1, st.st_size + 2)) == NULL) { fclose(f); - syslog(LOG_ERR, "Error: read_config_file fail to allocate memory"); + logit(LOG_ERR, "Error: read_config_file fail to allocate memory"); return ERROR; } if ((sz = fread(buf, 1, st.st_size, f)) != st.st_size) { fclose(f); free(buf); - syslog(LOG_ERR, "Error: Failed to completely read config file %s", fname); + logit(LOG_ERR, "Error: Failed to completely read config file %s", fname); return ERROR; } if ((argv = calloc(50, sizeof(char*))) == NULL) { fclose(f); free(buf); - syslog(LOG_ERR, "Error: read_config_file fail to allocate memory"); + logit(LOG_ERR, "Error: read_config_file fail to allocate memory"); return ERROR; } @@ -552,7 +569,7 @@ int read_config_file(char *fname) if (argc == 50) { free(buf); free(argv); - syslog(LOG_ERR, "Error: too many parameters in config file %s", fname); + logit(LOG_ERR, "Error: too many parameters in config file %s", fname); return ERROR; } @@ -724,19 +741,19 @@ void setup_ssl() if (sslprm.log_opts & SSL_LogStartup) { char *val; - syslog(LOG_INFO, "SSL Certificate File: %s", + logit(LOG_INFO, "SSL Certificate File: %s", sslprm.cert_file ? sslprm.cert_file : "None"); - syslog(LOG_INFO, "SSL Private Key File: %s", + logit(LOG_INFO, "SSL Private Key File: %s", sslprm.privatekey_file ? sslprm.privatekey_file : "None"); - syslog(LOG_INFO, "SSL CA Certificate File: %s", + logit(LOG_INFO, "SSL CA Certificate File: %s", sslprm.cacert_file ? sslprm.cacert_file : "None"); if (sslprm.allowDH < 2) - syslog(LOG_INFO, "SSL Cipher List: %s", sslprm.cipher_list); + logit(LOG_INFO, "SSL Cipher List: %s", sslprm.cipher_list); else - syslog(LOG_INFO, "SSL Cipher List: ADH"); - syslog(LOG_INFO, "SSL Allow ADH: %s", + logit(LOG_INFO, "SSL Cipher List: ADH"); + logit(LOG_INFO, "SSL Allow ADH: %s", sslprm.allowDH == 0 ? "No" : (sslprm.allowDH == 1 ? "Allow" : "Require")); - syslog(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts); + logit(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts); switch (sslprm.ssl_min_ver) { case SSLv2: val = "SSLv2"; @@ -772,7 +789,7 @@ void setup_ssl() val = "INVALID VALUE!"; break; } - syslog(LOG_INFO, "SSL Version: %s", val); + logit(LOG_INFO, "SSL Version: %s", val); } /* initialize SSL */ @@ -853,7 +870,7 @@ void setup_ssl() if (strlen(sslprm.cipher_list) < sizeof(sslprm.cipher_list) - 6) { strcat(sslprm.cipher_list, ":!ADH"); if (sslprm.log_opts & SSL_LogStartup) - syslog(LOG_INFO, "New SSL Cipher List: %s", sslprm.cipher_list); + logit(LOG_INFO, "New SSL Cipher List: %s", sslprm.cipher_list); } } else { /* use anonymous DH ciphers */ @@ -916,7 +933,7 @@ int connect_to_remote() strncpy(rem_host, "Unknown", sizeof(rem_host)); rem_host[MAX_HOST_ADDRESS_LENGTH - 1] = '\0'; if ((sslprm.log_opts & SSL_LogIpAddr) != 0) - syslog(LOG_DEBUG, "Connected to %s", rem_host); + logit(LOG_DEBUG, "Connected to %s", rem_host); #ifdef HAVE_SSL if (use_ssl == FALSE) @@ -937,16 +954,16 @@ int connect_to_remote() int x, nerrs = 0; rc = 0; while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) { - syslog(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s", + logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s", rem_host, ERR_reason_error_string(x)); ++nerrs; } if (nerrs == 0) - syslog(LOG_ERR, "Error: Could not complete SSL handshake with %s: rc=%d SSL-error=%d", + logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: rc=%d SSL-error=%d", rem_host, rc, ssl_err); } else - syslog(LOG_ERR, "Error: Could not complete SSL handshake with %s: rc=%d SSL-error=%d", + logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: rc=%d SSL-error=%d", rem_host, rc, ssl_err); if (ssl_err == 5) { @@ -976,7 +993,7 @@ int connect_to_remote() } else { if (sslprm.log_opts & SSL_LogVersion) - syslog(LOG_NOTICE, "Remote %s - SSL Version: %s", rem_host, SSL_get_version(ssl)); + logit(LOG_NOTICE, "Remote %s - SSL Version: %s", rem_host, SSL_get_version(ssl)); if (sslprm.log_opts & SSL_LogCipher) { # if (defined(__sun) && defined(SOLARIS_10)) || defined(_AIX) || defined(__hpux) @@ -984,7 +1001,7 @@ int connect_to_remote() # else const SSL_CIPHER *c = SSL_get_current_cipher(ssl); # endif - syslog(LOG_NOTICE, "Remote %s - %s, Cipher is %s", rem_host, + logit(LOG_NOTICE, "Remote %s - %s, Cipher is %s", rem_host, SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c)); } @@ -994,16 +1011,16 @@ int connect_to_remote() if (peer) { if (sslprm.log_opts & SSL_LogIfClientCert) - syslog(LOG_NOTICE, "SSL %s has %s certificate", + logit(LOG_NOTICE, "SSL %s has %s certificate", rem_host, peer->valid ? "a valid" : "an invalid"); if (sslprm.log_opts & SSL_LogCertDetails) { - syslog(LOG_NOTICE, "SSL %s Cert Name: %s", rem_host, peer->name); + logit(LOG_NOTICE, "SSL %s Cert Name: %s", rem_host, peer->name); X509_NAME_oneline(X509_get_issuer_name(peer), buffer, sizeof(buffer)); - syslog(LOG_NOTICE, "SSL %s Cert Issuer: %s", rem_host, buffer); + logit(LOG_NOTICE, "SSL %s Cert Issuer: %s", rem_host, buffer); } } else - syslog(LOG_NOTICE, "SSL Did not get certificate from %s", rem_host); + logit(LOG_NOTICE, "SSL Did not get certificate from %s", rem_host); } } @@ -1255,7 +1272,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk } else buffer_size = pkt_size - common_size; if ((*v2_pkt = calloc(1, pkt_size)) == NULL) { - syslog(LOG_ERR, "Error: Could not allocate memory for packet"); + logit(LOG_ERR, "Error: Could not allocate memory for packet"); return -1; } memcpy(*v2_pkt, &packet, common_size); @@ -1281,7 +1298,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk buffer_size = ntohl(buffer_size); pkt_size += buffer_size; if ((*v3_pkt = calloc(1, pkt_size)) == NULL) { - syslog(LOG_ERR, "Error: Could not allocate memory for packet"); + logit(LOG_ERR, "Error: Could not allocate memory for packet"); return -1; } @@ -1344,7 +1361,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk } else buffer_size = pkt_size - common_size; if ((*v2_pkt = calloc(1, pkt_size)) == NULL) { - syslog(LOG_ERR, "Error: Could not allocate memory for packet"); + logit(LOG_ERR, "Error: Could not allocate memory for packet"); return -1; } memcpy(*v2_pkt, &packet, common_size); @@ -1376,7 +1393,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet ** v2_pkt, v3_packet ** v3_pk buffer_size = ntohl(buffer_size); pkt_size += buffer_size; if ((*v3_pkt = calloc(1, pkt_size)) == NULL) { - syslog(LOG_ERR, "Error: Could not allocate memory for packet"); + logit(LOG_ERR, "Error: Could not allocate memory for packet"); return -1; } @@ -1446,7 +1463,7 @@ int verify_callback(int preverify_ok, X509_STORE_CTX * ctx) if (!preverify_ok && sslprm.client_certs >= Ask_For_Cert && (sslprm.log_opts & SSL_LogCertDetails)) { - syslog(LOG_ERR, "SSL Client has an invalid certificate: %s (issuer=%s) err=%d:%s", + logit(LOG_ERR, "SSL Client has an invalid certificate: %s (issuer=%s) err=%d:%s", name, issuer, err, X509_verify_cert_error_string(err)); } diff --git a/src/nrpe.c b/src/nrpe.c index 7497aa6c..08911819 100644 --- a/src/nrpe.c +++ b/src/nrpe.c @@ -107,6 +107,7 @@ int use_src = FALSE; /* Define parameter for SRC option */ int no_forking = FALSE; int listen_queue_size = DEFAULT_LISTEN_QUEUE_SIZE; char *nasty_metachars = NULL; +extern char *log_file; /* SSL/TLS parameters */ typedef enum _SSL_VER { @@ -181,10 +182,12 @@ int main(int argc, char **argv) result = read_config_file(config_file); /* exit if there are errors... */ if (result == ERROR) { - syslog(LOG_ERR, "Config file '%s' contained errors, aborting...", config_file); + logit(LOG_ERR, "Config file '%s' contained errors, aborting...", config_file); return STATE_CRITICAL; } + open_log_file(); + if (!nasty_metachars) nasty_metachars = strdup(NASTY_METACHARS); @@ -246,7 +249,7 @@ void init_ssl(void) if (use_ssl == FALSE) { if (debug == TRUE) - syslog(LOG_INFO, "INFO: SSL/TLS NOT initialized. Network encryption DISABLED."); + logit(LOG_INFO, "INFO: SSL/TLS NOT initialized. Network encryption DISABLED."); return; } @@ -271,7 +274,7 @@ void init_ssl(void) RAND_write_file(seedfile); if (RAND_status() == 0) { - syslog(LOG_ERR, + logit(LOG_ERR, "Warning: SSL/TLS uses a weak random seed which is highly discouraged"); srand(time(NULL)); for (i = 0; i < 500 && RAND_status() == 0; i++) { @@ -303,7 +306,7 @@ void init_ssl(void) ctx = SSL_CTX_new(meth); if (ctx == NULL) { - syslog(LOG_ERR, "Error: could not create SSL context"); + logit(LOG_ERR, "Error: could not create SSL context"); SSL_CTX_free(ctx); exit(STATE_CRITICAL); } @@ -334,14 +337,14 @@ void init_ssl(void) SSL_CTX_free(ctx); while ((x = ERR_get_error()) != 0) { ERR_error_string(x, errstr); - syslog(LOG_ERR, "Error: could not use certificate file %s : %s", + logit(LOG_ERR, "Error: could not use certificate file %s : %s", sslprm.cert_file, errstr); } exit(STATE_CRITICAL); } if (!SSL_CTX_use_PrivateKey_file(ctx, sslprm.privatekey_file, SSL_FILETYPE_PEM)) { SSL_CTX_free(ctx); - syslog(LOG_ERR, "Error: could not use private key file '%s'", + logit(LOG_ERR, "Error: could not use private key file '%s'", sslprm.privatekey_file); exit(STATE_CRITICAL); } @@ -354,7 +357,7 @@ void init_ssl(void) SSL_CTX_set_verify(ctx, vrfy, verify_callback); if (!SSL_CTX_load_verify_locations(ctx, sslprm.cacert_file, NULL)) { SSL_CTX_free(ctx); - syslog(LOG_ERR, "Error: could not use CA certificate '%s'", sslprm.cacert_file); + logit(LOG_ERR, "Error: could not use CA certificate '%s'", sslprm.cacert_file); exit(STATE_CRITICAL); } } @@ -375,12 +378,12 @@ void init_ssl(void) if (SSL_CTX_set_cipher_list(ctx, sslprm.cipher_list) == 0) { SSL_CTX_free(ctx); - syslog(LOG_ERR, "Error: Could not set SSL/TLS cipher list"); + logit(LOG_ERR, "Error: Could not set SSL/TLS cipher list"); exit(STATE_CRITICAL); } if (debug == TRUE) - syslog(LOG_INFO, "INFO: SSL/TLS initialized. All network traffic will be encrypted."); + logit(LOG_INFO, "INFO: SSL/TLS initialized. All network traffic will be encrypted."); #endif } @@ -389,21 +392,21 @@ void log_ssl_startup(void) #ifdef HAVE_SSL char *vers; - syslog(LOG_INFO, "SSL Certificate File: %s", sslprm.cert_file ? sslprm.cert_file : "None"); - syslog(LOG_INFO, "SSL Private Key File: %s", + logit(LOG_INFO, "SSL Certificate File: %s", sslprm.cert_file ? sslprm.cert_file : "None"); + logit(LOG_INFO, "SSL Private Key File: %s", sslprm.privatekey_file ? sslprm.privatekey_file : "None"); - syslog(LOG_INFO, "SSL CA Certificate File: %s", + logit(LOG_INFO, "SSL CA Certificate File: %s", sslprm.cacert_file ? sslprm.cacert_file : "None"); if (sslprm.allowDH < 2) - syslog(LOG_INFO, "SSL Cipher List: %s", sslprm.cipher_list); + logit(LOG_INFO, "SSL Cipher List: %s", sslprm.cipher_list); else - syslog(LOG_INFO, "SSL Cipher List: ADH"); - syslog(LOG_INFO, "SSL Allow ADH: %s", + logit(LOG_INFO, "SSL Cipher List: ADH"); + logit(LOG_INFO, "SSL Allow ADH: %s", sslprm.allowDH == 0 ? "No" : (sslprm.allowDH == 1 ? "Allow" : "Require")); - syslog(LOG_INFO, "SSL Client Certs: %s", + logit(LOG_INFO, "SSL Client Certs: %s", sslprm.client_certs == 0 ? "Don't Ask" : (sslprm.client_certs == 1 ? "Accept" : "Require")); - syslog(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts); + logit(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts); switch (sslprm.ssl_min_ver) { case SSLv2: vers = "SSLv2"; @@ -439,7 +442,7 @@ void log_ssl_startup(void) vers = "INVALID VALUE!"; break; } - syslog(LOG_INFO, "SSL Version: %s", vers); + logit(LOG_INFO, "SSL Version: %s", vers); #endif } @@ -537,7 +540,7 @@ void run_daemon(void) if (pid != 0) { if (pid == -1) { - syslog(LOG_ERR, "fork() failed with error %d, bailing out...", errno); + logit(LOG_ERR, "fork() failed with error %d, bailing out...", errno); exit(STATE_CRITICAL); } @@ -587,7 +590,7 @@ void set_stdio_sigs(void) signal(SIGHUP, sighandler); #endif /* HAVE_SIGACTION */ - syslog(LOG_NOTICE, "Starting up daemon"); /* log info to syslog facility */ + logit(LOG_NOTICE, "Starting up daemon"); /* log info */ if (write_pid_file() == ERROR) /* write pid file */ exit(STATE_CRITICAL); @@ -606,14 +609,17 @@ void cleanup(void) result = read_config_file(config_file); /* read the config file */ if (result == ERROR) { /* exit if there are errors... */ - syslog(LOG_ERR, "Config file '%s' contained errors, bailing out...", config_file); + logit(LOG_ERR, "Config file '%s' contained errors, bailing out...", config_file); exit(STATE_CRITICAL); } + open_log_file(); return; } remove_pid_file(); /* remove pid file */ - syslog(LOG_NOTICE, "Daemon shutdown\n"); + logit(LOG_NOTICE, "Daemon shutdown\n"); + + close_log_file(); /* close the log file */ } #ifdef HAVE_SSL @@ -637,7 +643,7 @@ int verify_callback(int preverify_ok, X509_STORE_CTX * ctx) X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), issuer, 256); if (!preverify_ok && (sslprm.log_opts & SSL_LogCertDetails)) { - syslog(LOG_ERR, "SSL Client has an invalid certificate: %s (issuer=%s) err=%d:%s", + logit(LOG_ERR, "SSL Client has an invalid certificate: %s (issuer=%s) err=%d:%s", name, issuer, err, X509_verify_cert_error_string(err)); } @@ -664,7 +670,7 @@ int read_config_file(char *filename) /* exit if we couldn't open the config file */ if (fp == NULL) { - syslog(LOG_ERR, "Unable to open config file '%s' for reading\n", filename); + logit(LOG_ERR, "Unable to open config file '%s' for reading\n", filename); return ERROR; } @@ -692,7 +698,7 @@ int read_config_file(char *filename) /* get the variable name */ varname = strtok(input_line, "="); if (varname == NULL) { - syslog(LOG_ERR, "No variable name specified in config file '%s' - Line %d\n", + logit(LOG_ERR, "No variable name specified in config file '%s' - Line %d\n", filename, line); return ERROR; } @@ -700,7 +706,7 @@ int read_config_file(char *filename) /* get the variable value */ varvalue = strtok(NULL, "\n"); if (varvalue == NULL) { - syslog(LOG_ERR, "No variable value specified in config file '%s' - Line %d\n", + logit(LOG_ERR, "No variable value specified in config file '%s' - Line %d\n", filename, line); return ERROR; @@ -716,19 +722,19 @@ int read_config_file(char *filename) /* process the config directory... */ if (read_config_dir(config_file) == ERROR) - syslog(LOG_ERR, "Continuing with errors..."); + logit(LOG_ERR, "Continuing with errors..."); } else if (!strcmp(varname, "include") || !strcmp(varname, "include_file")) { /* allow users to specify individual config files to include */ /* process the config file... */ if (read_config_file(varvalue) == ERROR) - syslog(LOG_ERR, "Continuing with errors..."); + logit(LOG_ERR, "Continuing with errors..."); } else if (!strcmp(varname, "server_port")) { server_port = atoi(varvalue); if (server_port < 1024) { - syslog(LOG_ERR, + logit(LOG_ERR, "Invalid port number specified in config file '%s' - Line %d\n", filename, line); return ERROR; @@ -751,7 +757,7 @@ int read_config_file(char *filename) temp_buffer = strtok(varname, "["); temp_buffer = strtok(NULL, "]"); if (temp_buffer == NULL) { - syslog(LOG_ERR, "Invalid command specified in config file '%s' - Line %d\n", + logit(LOG_ERR, "Invalid command specified in config file '%s' - Line %d\n", filename, line); return ERROR; } @@ -779,7 +785,7 @@ int read_config_file(char *filename) else if (!strcmp(varname, "command_timeout")) { command_timeout = atoi(varvalue); if (command_timeout < 1) { - syslog(LOG_ERR, + logit(LOG_ERR, "Invalid command_timeout specified in config file '%s' - Line %d\n", filename, line); return ERROR; @@ -787,7 +793,7 @@ int read_config_file(char *filename) } else if (!strcmp(varname, "connection_timeout")) { connection_timeout = atoi(varvalue); if (connection_timeout < 1) { - syslog(LOG_ERR, + logit(LOG_ERR, "Invalid connection_timeout specified in config file '%s' - Line %d\n", filename, line); return ERROR; @@ -796,7 +802,7 @@ int read_config_file(char *filename) } else if (!strcmp(varname, "ssl_shutdown_timeout")) { ssl_shutdown_timeout = atoi(varvalue); if (ssl_shutdown_timeout < 1) { - syslog(LOG_ERR, + logit(LOG_ERR, "Invalid ssl_shutdown_timeout specified in config file '%s' - Line %d\n", filename, line); return ERROR; @@ -811,7 +817,7 @@ int read_config_file(char *filename) else if (!strcmp(varname, "listen_queue_size")) { listen_queue_size = atoi(varvalue); if (listen_queue_size == 0) { - syslog(LOG_ERR, + logit(LOG_ERR, "Invalid listen queue size specified in config file '%s' - Line %d\n", filename, line); return ERROR; @@ -839,7 +845,7 @@ int read_config_file(char *filename) else if (!strcmp(varvalue, "TLSv1.2+")) sslprm.ssl_min_ver = TLSv1_2_plus; else { - syslog(LOG_ERR, "Invalid ssl version specified in config file '%s' - Line %d", + logit(LOG_ERR, "Invalid ssl version specified in config file '%s' - Line %d", filename, line); return ERROR; } @@ -847,7 +853,7 @@ int read_config_file(char *filename) } else if (!strcmp(varname, "ssl_use_adh")) { sslprm.allowDH = atoi(varvalue); if (sslprm.allowDH < 0 || sslprm.allowDH > 2) { - syslog(LOG_ERR, + logit(LOG_ERR, "Invalid use adh value specified in config file '%s' - Line %d", filename, line); return ERROR; @@ -872,7 +878,7 @@ int read_config_file(char *filename) else if (!strcmp(varname, "ssl_client_certs")) { sslprm.client_certs = atoi(varvalue); if ((int)sslprm.client_certs < 0 || sslprm.client_certs > Require_Cert) { - syslog(LOG_ERR, + logit(LOG_ERR, "Invalid client certs value specified in config file '%s' - Line %d", filename, line); return ERROR; @@ -887,7 +893,7 @@ int read_config_file(char *filename) closelog(); openlog("nrpe", LOG_PID, log_facility); } else - syslog(LOG_WARNING, + logit(LOG_WARNING, "Invalid log_facility specified in config file '%s' - Line %d\n", filename, line); @@ -897,8 +903,11 @@ int read_config_file(char *filename) else if (!strcmp(varname, "nasty_metachars")) nasty_metachars = strdup(varvalue); + else if (!strcmp(varname, "log_file")) + log_file = strdup(varvalue); + else { - syslog(LOG_WARNING, "Unknown option specified in config file '%s' - Line %d\n", + logit(LOG_WARNING, "Unknown option specified in config file '%s' - Line %d\n", filename, line); continue; } @@ -927,7 +936,7 @@ int read_config_dir(char *dirname) /* read and sort the directory contents */ n = scandir(dirname, &dirfiles, 0, alphasort); if (n < 0) { - syslog(LOG_ERR, "Could not open config directory '%s' for reading.\n", dirname); + logit(LOG_ERR, "Could not open config directory '%s' for reading.\n", dirname); return ERROR; } @@ -937,7 +946,7 @@ int read_config_dir(char *dirname) /* open the directory for reading */ dirp = opendir(dirname); if (dirp == NULL) { - syslog(LOG_ERR, "Could not open config directory '%s' for reading.\n", dirname); + logit(LOG_ERR, "Could not open config directory '%s' for reading.\n", dirname); return ERROR; } @@ -1076,7 +1085,7 @@ int add_command(char *command_name, char *command_line) command_list = new_command; if (debug == TRUE) - syslog(LOG_DEBUG, "Added command[%s]=%s\n", command_name, command_line); + logit(LOG_DEBUG, "Added command[%s]=%s\n", command_name, command_line); return OK; } @@ -1105,13 +1114,13 @@ void create_listener(struct addrinfo *ai) return; if (num_listen_socks >= MAX_LISTEN_SOCKS) { - syslog(LOG_ERR, "Too many listen sockets. Enlarge MAX_LISTEN_SOCKS"); + logit(LOG_ERR, "Too many listen sockets. Enlarge MAX_LISTEN_SOCKS"); exit(1); } if ((ret = getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop), strport, sizeof(strport), NI_NUMERICHOST | NI_NUMERICSERV)) != 0) { - syslog(LOG_ERR, "getnameinfo failed: %.100s", gai_strerror(ret)); + logit(LOG_ERR, "getnameinfo failed: %.100s", gai_strerror(ret)); return; } @@ -1119,7 +1128,7 @@ void create_listener(struct addrinfo *ai) listen_sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol); if (listen_sock < 0) { /* kernel may not support ipv6 */ - syslog(LOG_ERR, "socket: %.100s", strerror(errno)); + logit(LOG_ERR, "socket: %.100s", strerror(errno)); return; } @@ -1128,7 +1137,7 @@ void create_listener(struct addrinfo *ai) /* set the reuse address flag so we don't get errors when restarting */ if (setsockopt(listen_sock, SOL_SOCKET, SO_REUSEADDR, &flag, sizeof(flag)) < 0) { - syslog(LOG_ERR, "setsockopt SO_REUSEADDR: %s", strerror(errno)); + logit(LOG_ERR, "setsockopt SO_REUSEADDR: %s", strerror(errno)); return; } #ifdef IPV6_V6ONLY @@ -1142,7 +1151,7 @@ void create_listener(struct addrinfo *ai) /* Bind the socket to the desired port. */ if (bind(listen_sock, ai->ai_addr, ai->ai_addrlen) < 0) { - syslog(LOG_ERR, "Bind to port %s on %s failed: %.200s.", + logit(LOG_ERR, "Bind to port %s on %s failed: %.200s.", strport, ntop, strerror(errno)); close(listen_sock); return; @@ -1152,11 +1161,11 @@ void create_listener(struct addrinfo *ai) /* Start listening on the port. */ if (listen(listen_sock, listen_queue_size) < 0) { - syslog(LOG_ERR, "listen on [%s]:%s: %.100s", ntop, strport, strerror(errno)); + logit(LOG_ERR, "listen on [%s]:%s: %.100s", ntop, strport, strerror(errno)); exit(1); } - syslog(LOG_INFO, "Server listening on %s port %s.", ntop, strport); + logit(LOG_INFO, "Server listening on %s port %s.", ntop, strport); } /* Close all listening sockets */ @@ -1248,9 +1257,9 @@ void wait_for_connections(void) /* handle the client connection */ handle_connection(new_sd); - /* log info to syslog facility */ + /* log info */ if (debug == TRUE) - syslog(LOG_DEBUG, "Connection from %s closed.", remote_host); + logit(LOG_DEBUG, "Connection from %s closed.", remote_host); /* close socket prior to exiting */ close(new_sd); @@ -1282,37 +1291,37 @@ void setup_wait_conn(void) inet_ntop (ai->ai_family, ai->ai_addr->sa_data, addrstr, 100); ptr = &((struct sockaddr_in *) ai->ai_addr)->sin_addr; inet_ntop (ai->ai_family, ptr, addrstr, 100); - syslog(LOG_INFO, "SETUP_WAIT_CONN FOR: IPv4 address: %s (%s)\n", addrstr, ai->ai_canonname); + logit(LOG_INFO, "SETUP_WAIT_CONN FOR: IPv4 address: %s (%s)\n", addrstr, ai->ai_canonname); } create_listener(ai); } if (!num_listen_socks) { - syslog(LOG_ERR, "Cannot bind to any address."); + logit(LOG_ERR, "Cannot bind to any address."); exit(1); } /* log warning about command arguments */ #ifdef ENABLE_COMMAND_ARGUMENTS if (allow_arguments == TRUE) - syslog(LOG_NOTICE, + logit(LOG_NOTICE, "Warning: Daemon is configured to accept command arguments from clients!"); # ifdef ENABLE_BASH_COMMAND_SUBSTITUTION if (TRUE == allow_bash_cmd_subst) { if (TRUE == allow_arguments) - syslog(LOG_NOTICE, + logit(LOG_NOTICE, "Warning: Daemon is configured to accept command arguments with bash command substitutions!"); else - syslog(LOG_NOTICE, + logit(LOG_NOTICE, "Warning: Daemon is configured to accept command arguments with bash command substitutions, but is not configured to accept command arguments from clients. Enable command arguments if you wish to allow command arguments with bash command substitutions."); } # endif #endif - syslog(LOG_INFO, "Listening for connections on port %d", server_port); + logit(LOG_INFO, "Listening for connections on port %d", server_port); if (allowed_hosts) - syslog(LOG_INFO, "Allowing connections from: %s\n", allowed_hosts); + logit(LOG_INFO, "Allowing connections from: %s\n", allowed_hosts); } int wait_conn_fork(int sock) @@ -1332,7 +1341,7 @@ int wait_conn_fork(int sock) } if (pid < 0) { - syslog(LOG_ERR, "fork() failed with error %d, bailing out...", errno); + logit(LOG_ERR, "fork() failed with error %d, bailing out...", errno); exit(STATE_CRITICAL); } @@ -1340,7 +1349,7 @@ int wait_conn_fork(int sock) pid = fork(); if (pid < 0) { - syslog(LOG_ERR, "fork() failed with error %d, bailing out...", errno); + logit(LOG_ERR, "fork() failed with error %d, bailing out...", errno); exit(STATE_CRITICAL); } @@ -1352,8 +1361,8 @@ int wait_conn_fork(int sock) /* hey, there was an error... */ if (sock < 0) { - /* log error to syslog facility */ - syslog(LOG_ERR, "Network server accept failure (%d: %s)", + /* log error */ + logit(LOG_ERR, "Network server accept failure (%d: %s)", errno, strerror(errno)); exit(STATE_OK); } @@ -1400,8 +1409,8 @@ void conn_check_peer(int sock) rc = getpeername(sock, (struct sockaddr *)&addr, &addrlen); if (rc < 0) { - /* log error to syslog facility */ - syslog(LOG_ERR, "Error: Network server getpeername() failure (%d: %s)", + /* log error */ + logit(LOG_ERR, "Error: Network server getpeername() failure (%d: %s)", errno, strerror(errno)); /* close socket prior to exiting */ @@ -1433,7 +1442,7 @@ void conn_check_peer(int sock) } if (debug == TRUE) - syslog(LOG_INFO, "CONN_CHECK_PEER: is this a blessed machine: %s port %d\n", + logit(LOG_INFO, "CONN_CHECK_PEER: is this a blessed machine: %s port %d\n", remote_host, nptr->sin_port); /* is this is a blessed machine? */ @@ -1445,17 +1454,17 @@ void conn_check_peer(int sock) #endif case AF_INET: - /* log info to syslog facility */ + /* log info */ if (debug == TRUE || (sslprm.log_opts & SSL_LogIpAddr)) - syslog(LOG_DEBUG, "Connection from %s port %d", remote_host, nptr->sin_port); + logit(LOG_DEBUG, "Connection from %s port %d", remote_host, nptr->sin_port); if (!is_an_allowed_host(AF_INET, (void *)&(nptr->sin_addr))) { - /* log error to syslog facility */ - syslog(LOG_ERR, "Host %s is not allowed to talk to us!", remote_host); + /* log error */ + logit(LOG_ERR, "Host %s is not allowed to talk to us!", remote_host); - /* log info to syslog facility */ + /* log info */ if (debug == TRUE) - syslog(LOG_DEBUG, "Connection from %s closed.", remote_host); + logit(LOG_DEBUG, "Connection from %s closed.", remote_host); /* close socket prior to exiting */ close(sock); @@ -1463,37 +1472,37 @@ void conn_check_peer(int sock) } else { - /* log info to syslog facility */ + /* log info */ if (debug == TRUE) { - syslog(LOG_DEBUG, "Host address is in allowed_hosts"); + logit(LOG_DEBUG, "Host address is in allowed_hosts"); } } break; case AF_INET6: - /* log info to syslog facility */ + /* log info */ strcpy(remote_host, ipstr); if (debug == TRUE || (sslprm.log_opts & SSL_LogIpAddr)) { - syslog(LOG_DEBUG, "Connection from %s port %d", ipstr, nptr6->sin6_port); + logit(LOG_DEBUG, "Connection from %s port %d", ipstr, nptr6->sin6_port); } if (!is_an_allowed_host(AF_INET6, (void *)&(nptr6->sin6_addr))) { - /* log error to syslog facility */ - syslog(LOG_ERR, "Host %s is not allowed to talk to us!", ipstr); + /* log error */ + logit(LOG_ERR, "Host %s is not allowed to talk to us!", ipstr); - /* log info to syslog facility */ + /* log info */ if (debug == TRUE) - syslog(LOG_DEBUG, "Connection from %s closed.", ipstr); + logit(LOG_DEBUG, "Connection from %s closed.", ipstr); /* close socket prior to exiting */ close(sock); exit(STATE_OK); } else { - /* log info to syslog facility */ + /* log info */ if (debug == TRUE) - syslog(LOG_DEBUG, "Host address is in allowed_hosts"); + logit(LOG_DEBUG, "Host address is in allowed_hosts"); } break; } @@ -1505,10 +1514,10 @@ void conn_check_peer(int sock) fromhost(&req); if (!hosts_access(&req)) { - syslog(LOG_DEBUG, "Connection refused by TCP wrapper"); + logit(LOG_DEBUG, "Connection refused by TCP wrapper"); refuse(&req); /* refuse the connection */ /* should not be reached */ - syslog(LOG_ERR, "libwrap refuse() returns!"); + logit(LOG_ERR, "libwrap refuse() returns!"); close(sock); exit(STATE_CRITICAL); } @@ -1542,7 +1551,7 @@ void handle_connection(int sock) #ifdef HAVE_SSL if (use_ssl == TRUE) { if ((ssl = SSL_new(ctx)) == NULL) { - syslog(LOG_ERR, "Error: Could not create SSL connection structure."); + logit(LOG_ERR, "Error: Could not create SSL connection structure."); # ifdef DEBUG errfp = fopen("/tmp/err.log", "a"); ERR_print_errors_fp(errfp); @@ -1567,15 +1576,15 @@ void handle_connection(int sock) /* recv() error or client disconnect */ if (rc <= 0) { - /* log error to syslog facility */ - syslog(LOG_ERR, "Could not read request from client %s, bailing out...", remote_host); + /* log error */ + logit(LOG_ERR, "Could not read request from client %s, bailing out...", remote_host); if (v3_receive_packet) free(v3_receive_packet); #ifdef HAVE_SSL if (ssl) { complete_SSL_shutdown(ssl); SSL_free(ssl); - syslog(LOG_INFO, "INFO: SSL Socket Shutdown.\n"); + logit(LOG_INFO, "INFO: SSL Socket Shutdown.\n"); } #endif return; @@ -1584,7 +1593,7 @@ void handle_connection(int sock) /* make sure the request is valid */ if (validate_request(&receive_packet, v3_receive_packet) == ERROR) { /* log an error */ - syslog(LOG_ERR, "Client request from %s was invalid, bailing out...", remote_host); + logit(LOG_ERR, "Client request from %s was invalid, bailing out...", remote_host); /* free memory */ free(command_name); @@ -1606,17 +1615,17 @@ void handle_connection(int sock) return; } - /* log info to syslog facility */ + /* log info */ if (debug == TRUE) - syslog(LOG_DEBUG, "Host %s is asking for command '%s' to be run...", + logit(LOG_DEBUG, "Host %s is asking for command '%s' to be run...", remote_host, command_name); /* if this is the version check command, just spew it out */ if (!strcmp(command_name, NRPE_HELLO_COMMAND)) { snprintf(buffer, sizeof(buffer), "NRPE v%s", PROGRAM_VERSION); buffer[sizeof(buffer) - 1] = '\x0'; - if (debug == TRUE) /* log info to syslog facility */ - syslog(LOG_DEBUG, "Response to %s: %s", remote_host, buffer); + if (debug == TRUE) /* log info */ + logit(LOG_DEBUG, "Response to %s: %s", remote_host, buffer); if (v3_receive_packet) send_buff = strdup(buffer); else { @@ -1632,8 +1641,8 @@ void handle_connection(int sock) if (temp_command == NULL) { snprintf(buffer, sizeof(buffer), "NRPE: Command '%s' not defined", command_name); buffer[sizeof(buffer) - 1] = '\x0'; - if (debug == TRUE) /* log error to syslog facility */ - syslog(LOG_DEBUG, "%s", buffer); + if (debug == TRUE) /* log error */ + logit(LOG_DEBUG, "%s", buffer); if (v3_receive_packet) send_buff = strdup(buffer); else { @@ -1653,15 +1662,15 @@ void handle_connection(int sock) raw_command[sizeof(raw_command) - 1] = '\x0'; process_macros(raw_command, processed_command, sizeof(processed_command)); - if (debug == TRUE) /* log info to syslog facility */ - syslog(LOG_DEBUG, "Running command: %s", processed_command); + if (debug == TRUE) /* log info */ + logit(LOG_DEBUG, "Running command: %s", processed_command); /* run the command */ strcpy(buffer, ""); result = my_system(processed_command, command_timeout, &early_timeout, &send_buff); if (debug == TRUE) /* log debug info */ - syslog(LOG_DEBUG, "Command completed with return code %d and output: %s", + logit(LOG_DEBUG, "Command completed with return code %d and output: %s", result, send_buff); /* see if the command timed out */ @@ -1676,8 +1685,8 @@ void handle_connection(int sock) /* check return code bounds */ if ((result < 0) || (result > 3)) { - /* log error to syslog facility */ - syslog(LOG_ERR, "Bad return code for [%s]: %d", send_buff, result); + /* log error */ + logit(LOG_ERR, "Bad return code for [%s]: %d", send_buff, result); result = STATE_UNKNOWN; } } @@ -1756,9 +1765,9 @@ void handle_connection(int sock) if (v3_send_packet) free(v3_send_packet); - /* log info to syslog facility */ + /* log info */ if (debug == TRUE) - syslog(LOG_DEBUG, "Return Code: %d, Output: %s", result, send_buff); + logit(LOG_DEBUG, "Return Code: %d, Output: %s", result, send_buff); free(send_buff); @@ -1771,9 +1780,9 @@ void init_handle_conn(void) struct sigaction sig_action; #endif - /* log info to syslog facility */ + /* log info */ if (debug == TRUE) - syslog(LOG_DEBUG, "Handling the connection..."); + logit(LOG_DEBUG, "Handling the connection..."); /* set connection handler */ #ifdef HAVE_SIGACTION @@ -1813,16 +1822,16 @@ int handle_conn_ssl(int sock, void *ssl_ptr) int nerrs = 0; rc = 0; while ((x = ERR_get_error_line_data(NULL, NULL, NULL, NULL)) != 0) { - syslog(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s", + logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %s", remote_host, ERR_reason_error_string(x)); ++nerrs; } if (nerrs == 0) - syslog(LOG_ERR, "Error: Could not complete SSL handshake with %s: %d", + logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %d", remote_host, SSL_get_error(ssl, rc)); } else - syslog(LOG_ERR, "Error: Could not complete SSL handshake with %s: %d", + logit(LOG_ERR, "Error: Could not complete SSL handshake with %s: %d", remote_host, SSL_get_error(ssl, rc)); # ifdef DEBUG errfp = fopen("/tmp/err.log", "a"); @@ -1834,11 +1843,11 @@ int handle_conn_ssl(int sock, void *ssl_ptr) /* successful handshake */ if (sslprm.log_opts & SSL_LogVersion) - syslog(LOG_NOTICE, "Remote %s - SSL Version: %s", + logit(LOG_NOTICE, "Remote %s - SSL Version: %s", remote_host, SSL_get_version(ssl)); if (sslprm.log_opts & SSL_LogCipher) { c = SSL_get_current_cipher(ssl); - syslog(LOG_NOTICE, "Remote %s - %s, Cipher is %s", remote_host, + logit(LOG_NOTICE, "Remote %s - %s, Cipher is %s", remote_host, SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c)); } @@ -1849,21 +1858,21 @@ int handle_conn_ssl(int sock, void *ssl_ptr) if (peer) { if (sslprm.log_opts & SSL_LogIfClientCert) - syslog(LOG_NOTICE, "SSL Client %s has %svalid certificate", + logit(LOG_NOTICE, "SSL Client %s has %svalid certificate", remote_host, peer->valid ? "a " : "an in"); if (sslprm.log_opts & SSL_LogCertDetails) { - syslog(LOG_NOTICE, "SSL Client %s Cert Name: %s", + logit(LOG_NOTICE, "SSL Client %s Cert Name: %s", remote_host, peer->name); X509_NAME_oneline(X509_get_issuer_name(peer), buffer, sizeof(buffer)); - syslog(LOG_NOTICE, "SSL Client %s Cert Issuer: %s", + logit(LOG_NOTICE, "SSL Client %s Cert Issuer: %s", remote_host, buffer); } } else if (sslprm.client_certs == 0) - syslog(LOG_NOTICE, "SSL Not asking for client certification"); + logit(LOG_NOTICE, "SSL Not asking for client certification"); else - syslog(LOG_NOTICE, "SSL Client %s did not present a certificate", + logit(LOG_NOTICE, "SSL Client %s did not present a certificate", remote_host); } #endif @@ -1888,7 +1897,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet * v2_pkt, v3_packet ** v3_pkt packet_ver = ntohs(v2_pkt->packet_version); if (packet_ver != NRPE_PACKET_VERSION_2 && packet_ver != NRPE_PACKET_VERSION_3) { - syslog(LOG_ERR, "Error: Request packet version was invalid!"); + logit(LOG_ERR, "Error: Request packet version was invalid!"); return -1; } @@ -1916,7 +1925,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet * v2_pkt, v3_packet ** v3_pkt buffer_size = ntohl(buffer_size); pkt_size += buffer_size; if ((*v3_pkt = calloc(1, pkt_size)) == NULL) { - syslog(LOG_ERR, "Error: Could not allocate memory for packet"); + logit(LOG_ERR, "Error: Could not allocate memory for packet"); return -1; } @@ -1950,7 +1959,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet * v2_pkt, v3_packet ** v3_pkt packet_ver = ntohs(v2_pkt->packet_version); if (packet_ver != NRPE_PACKET_VERSION_2 && packet_ver != NRPE_PACKET_VERSION_3) { - syslog(LOG_ERR, "Error: Request packet version was invalid!"); + logit(LOG_ERR, "Error: Request packet version was invalid!"); return -1; } @@ -1983,7 +1992,7 @@ int read_packet(int sock, void *ssl_ptr, v2_packet * v2_pkt, v3_packet ** v3_pkt buffer_size = ntohl(buffer_size); pkt_size += buffer_size; if ((*v3_pkt = calloc(1, pkt_size)) == NULL) { - syslog(LOG_ERR, "Error: Could not allocate memory for packet"); + logit(LOG_ERR, "Error: Could not allocate memory for packet"); return -1; } @@ -2209,7 +2218,7 @@ void my_system_sighandler(int sig) /* handle errors where connection takes too long */ void my_connection_sighandler(int sig) { - syslog(LOG_ERR, "Connection has taken too long to establish. Exiting..."); + logit(LOG_ERR, "Connection has taken too long to establish. Exiting..."); exit(STATE_CRITICAL); } @@ -2230,7 +2239,7 @@ int drop_privileges(char *user, char *group, int full_drop) if (grp != NULL) gid = (gid_t) (grp->gr_gid); else - syslog(LOG_ERR, "Warning: Could not get group entry for '%s'", group); + logit(LOG_ERR, "Warning: Could not get group entry for '%s'", group); endgrent(); } else @@ -2240,7 +2249,7 @@ int drop_privileges(char *user, char *group, int full_drop) /* set effective group ID if other than current EGID */ if (gid != getegid()) { if (setgid(gid) == -1) - syslog(LOG_ERR, "Warning: Could not set effective GID=%d", (int)gid); + logit(LOG_ERR, "Warning: Could not set effective GID=%d", (int)gid); } } @@ -2254,7 +2263,7 @@ int drop_privileges(char *user, char *group, int full_drop) if (pw != NULL) uid = (uid_t) (pw->pw_uid); else - syslog(LOG_ERR, "Warning: Could not get passwd entry for '%s'", user); + logit(LOG_ERR, "Warning: Could not get passwd entry for '%s'", user); endpwent(); } else @@ -2267,10 +2276,10 @@ int drop_privileges(char *user, char *group, int full_drop) /* initialize supplementary groups */ if (initgroups(user, gid) == -1) { if (errno == EPERM) - syslog(LOG_ERR, + logit(LOG_ERR, "Warning: Unable to change supplementary groups using initgroups()"); else { - syslog(LOG_ERR, + logit(LOG_ERR, "Warning: Possibly root user failed dropping privileges with initgroups()"); return ERROR; } @@ -2279,9 +2288,9 @@ int drop_privileges(char *user, char *group, int full_drop) if (full_drop) { if (setuid(uid) == -1) - syslog(LOG_ERR, "Warning: Could not set UID=%d", (int)uid); + logit(LOG_ERR, "Warning: Could not set UID=%d", (int)uid); } else if (SETEUID(uid) == -1) - syslog(LOG_ERR, "Warning: Could not set effective UID=%d", (int)uid); + logit(LOG_ERR, "Warning: Could not set effective UID=%d", (int)uid); } } @@ -2316,7 +2325,7 @@ int write_pid_file(void) else { /* previous process is still running */ - syslog(LOG_ERR, + logit(LOG_ERR, "There's already an NRPE server running (PID %lu). Bailing out...", (unsigned long)pid); return ERROR; @@ -2331,7 +2340,7 @@ int write_pid_file(void) close(fd); wrote_pid_file = TRUE; } else { - syslog(LOG_ERR, "Cannot write to pidfile '%s' - check your privileges.", pid_file); + logit(LOG_ERR, "Cannot write to pidfile '%s' - check your privileges.", pid_file); return ERROR; } @@ -2348,7 +2357,7 @@ int remove_pid_file(void) SETEUID(0); /* get root back so we can delete the pid file */ if (unlink(pid_file) == -1) { - syslog(LOG_ERR, "Cannot remove pidfile '%s' - check your privileges.", pid_file); + logit(LOG_ERR, "Cannot remove pidfile '%s' - check your privileges.", pid_file); return ERROR; } @@ -2359,7 +2368,7 @@ int remove_pid_file(void) void my_disconnect_sighandler(int sig) { - syslog(LOG_ERR, "SSL_shutdown() has taken too long to complete. Exiting now.."); + logit(LOG_ERR, "SSL_shutdown() has taken too long to complete. Exiting now.."); exit(STATE_CRITICAL); } @@ -2398,7 +2407,7 @@ int check_privileges(void) gid_t gid = getegid(); if (uid == 0 || gid == 0) { - syslog(LOG_ERR, "Error: NRPE daemon cannot be run as user/group root!"); + logit(LOG_ERR, "Error: NRPE daemon cannot be run as user/group root!"); exit(STATE_CRITICAL); } @@ -2426,7 +2435,7 @@ void sighandler(int sig) /* we received a SIGHUP, so restart... */ if (sig == SIGHUP) { sigrestart = TRUE; - syslog(LOG_NOTICE, "Caught SIGHUP - restarting...\n"); + logit(LOG_NOTICE, "Caught SIGHUP - restarting...\n"); } /* else begin shutting down... */ @@ -2435,7 +2444,7 @@ void sighandler(int sig) if (sigshutdown == TRUE) exit(STATE_CRITICAL); sigshutdown = TRUE; - syslog(LOG_NOTICE, "Caught SIG%s - shutting down...\n", sigs[sig]); + logit(LOG_NOTICE, "Caught SIG%s - shutting down...\n", sigs[sig]); } return; @@ -2472,13 +2481,13 @@ int validate_request(v2_packet * v2pkt, v3_packet * v3pkt) } if (packet_crc32 != calculated_crc32) { - syslog(LOG_ERR, "Error: Request packet had invalid CRC32."); + logit(LOG_ERR, "Error: Request packet had invalid CRC32."); return ERROR; } /* make sure this is the right type of packet */ if (ntohs(v2pkt->packet_type) != QUERY_PACKET) { - syslog(LOG_ERR, "Error: Request packet type was invalid!"); + logit(LOG_ERR, "Error: Request packet type was invalid!"); return ERROR; } @@ -2494,7 +2503,7 @@ int validate_request(v2_packet * v2pkt, v3_packet * v3pkt) /* client must send some kind of request */ if (buff[0] == '\0') { - syslog(LOG_ERR, "Error: Request contained no query!"); + logit(LOG_ERR, "Error: Request contained no query!"); return ERROR; } @@ -2504,7 +2513,7 @@ int validate_request(v2_packet * v2pkt, v3_packet * v3pkt) else rc = contains_nasty_metachars(v2pkt->buffer); if (rc == TRUE) { - syslog(LOG_ERR, "Error: Request contained illegal metachars!"); + logit(LOG_ERR, "Error: Request contained illegal metachars!"); return ERROR; } @@ -2512,12 +2521,12 @@ int validate_request(v2_packet * v2pkt, v3_packet * v3pkt) if (strchr(v2pkt->buffer, '!')) { #ifdef ENABLE_COMMAND_ARGUMENTS if (allow_arguments == FALSE) { - syslog(LOG_ERR, + logit(LOG_ERR, "Error: Request contained command arguments, but argument option is not enabled!"); return ERROR; } #else - syslog(LOG_ERR, "Error: Request contained command arguments!"); + logit(LOG_ERR, "Error: Request contained command arguments!"); return ERROR; #endif } @@ -2530,7 +2539,7 @@ int validate_request(v2_packet * v2pkt, v3_packet * v3pkt) #endif command_name = strdup(ptr); if (command_name == NULL) { - syslog(LOG_ERR, "Error: Memory allocation failed"); + logit(LOG_ERR, "Error: Memory allocation failed"); return ERROR; } #ifdef ENABLE_COMMAND_ARGUMENTS @@ -2543,20 +2552,20 @@ int validate_request(v2_packet * v2pkt, v3_packet * v3pkt) break; macro_argv[x] = strdup(ptr); if (macro_argv[x] == NULL) { - syslog(LOG_ERR, "Error: Memory allocation failed"); + logit(LOG_ERR, "Error: Memory allocation failed"); return ERROR; } if (!strcmp(macro_argv[x], "")) { - syslog(LOG_ERR, "Error: Request contained an empty command argument"); + logit(LOG_ERR, "Error: Request contained an empty command argument"); return ERROR; } if (strstr(macro_argv[x], "$(")) { # ifndef ENABLE_BASH_COMMAND_SUBSTITUTION - syslog(LOG_ERR, "Error: Request contained a bash command substitution!"); + logit(LOG_ERR, "Error: Request contained a bash command substitution!"); return ERROR; # else if (FALSE == allow_bash_cmd_subst) { - syslog(LOG_ERR, + logit(LOG_ERR, "Error: Request contained a bash command substitution, but they are disallowed!"); return ERROR; } diff --git a/src/utils.c b/src/utils.c index fb56c54f..7a21b7a3 100644 --- a/src/utils.c +++ b/src/utils.c @@ -38,6 +38,9 @@ #ifndef HAVE_ASPRINTF extern int asprintf(char **ptr, const char *format, ...); #endif +#ifndef HAVE_VASPRINTF +extern int vasprintf(char **ptr, const char *format, va_list ap); +#endif #ifndef NI_MAXSERV # define NI_MAXSERV 32 @@ -51,6 +54,9 @@ extern char **environ; static unsigned long crc32_table[256]; +char *log_file = NULL; +FILE *log_fp = NULL; + static int my_create_socket(struct addrinfo *ai, const char *bind_address); @@ -234,7 +240,7 @@ void add_listen_addr(struct addrinfo **listen_addrs, int address_family, char *a hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0; snprintf(strport, sizeof strport, "%d", port); if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0) { - syslog(LOG_ERR, "bad addr or host: %s (%s)\n", addr ? addr : "", + logit(LOG_ERR, "bad addr or host: %s (%s)\n", addr ? addr : "", gai_strerror(gaierr)); exit(1); } @@ -260,7 +266,7 @@ int clean_environ(const char *keep_env_vars, const char *nrpe_user) else asprintf(&keep, "NRPE_MULTILINESUPPORT,NRPE_PROGRAMVERSION"); if (keep == NULL) { - syslog(LOG_ERR, "Could not sanitize the environment. Aborting!"); + logit(LOG_ERR, "Could not sanitize the environment. Aborting!"); return ERROR; } @@ -272,7 +278,7 @@ int clean_environ(const char *keep_env_vars, const char *nrpe_user) } if ((kept = calloc(keepcnt + 1, sizeof(char *))) == NULL) { - syslog(LOG_ERR, "Could not sanitize the environment. Aborting!"); + logit(LOG_ERR, "Could not sanitize the environment. Aborting!"); return ERROR; } for (i = 0, var = my_strsep(&keep, ","); var != NULL; var = my_strsep(&keep, ",")) @@ -286,7 +292,7 @@ int clean_environ(const char *keep_env_vars, const char *nrpe_user) free(keep); free(kept); free(var); - syslog(LOG_ERR, "Could not sanitize the environment. Aborting!"); + logit(LOG_ERR, "Could not sanitize the environment. Aborting!"); return ERROR; } if (len >= var_sz) { @@ -453,6 +459,85 @@ char *my_strsep(char **stringp, const char *delim) return begin; } +void open_log_file() +{ + int fh; + struct stat st; + + close_log_file(); + + if (!log_file) + return; + + if ((fh = open(log_file, O_RDWR|O_APPEND|O_CREAT|O_NOFOLLOW, S_IRUSR|S_IWUSR|S_IRGRP|S_IROTH)) == -1) { + printf("Warning: Cannot open log file '%s' for writing\n", log_file); + logit(LOG_WARNING, "Warning: Cannot open log file '%s' for writing", log_file); + return; + } + log_fp = fdopen(fh, "a+"); + if(log_fp == NULL) { + printf("Warning: Cannot open log file '%s' for writing\n", log_file); + logit(LOG_WARNING, "Warning: Cannot open log file '%s' for writing", log_file); + return; + } + + if ((fstat(fh, &st)) == -1) { + log_fp = NULL; + close(fh); + printf("Warning: Cannot fstat log file '%s'\n", log_file); + logit(LOG_WARNING, "Warning: Cannot fstat log file '%s'", log_file); + return; + } + if (st.st_nlink != 1 || (st.st_mode & S_IFMT) != S_IFREG) { + log_fp = NULL; + close(fh); + printf("Warning: log file '%s' has an invalid mode\n", log_file); + logit(LOG_WARNING, "Warning: log file '%s' has an invalid mode", log_file); + return; + } + + (void)fcntl(fileno(log_fp), F_SETFD, FD_CLOEXEC); +} + +void logit(int priority, const char *format, ...) +{ + time_t log_time = 0L; + va_list ap; + char *buffer = NULL; + + if (!format || !*format) + return; + + va_start(ap, format); + if(vasprintf(&buffer, format, ap) > 0) { + if (log_fp) { + time(&log_time); + /* strip any newlines from the end of the buffer */ + strip(buffer); + + /* write the buffer to the log file */ + fprintf(log_fp, "[%llu] %s\n", (unsigned long long)log_time, buffer); + fflush(log_fp); + + } else + syslog(priority, buffer); + + free(buffer); + } + va_end(ap); +} + +void close_log_file() +{ + if(!log_fp) + return; + + fflush(log_fp); + fclose(log_fp); + log_fp = NULL; + return; +} + /* show license */ void display_license(void) { From 3a23c33accfd781e9948e0bb1026eeb3138d1b71 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Fri, 31 Mar 2017 14:33:53 -0500 Subject: [PATCH 53/61] Typo in the Changelog --- Changelog | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Changelog b/Changelog index 9084be80..02de9662 100644 --- a/Changelog +++ b/Changelog @@ -8,7 +8,7 @@ ENHANCEMENTS - Added option to nrpe.cfg.in that can override hard-coded NASTY_METACHARS (John Frickson) - While processing 'include_dir' statement, sort the files (Philippe Kueck / John Frickson) - nrpe can now write to a log file using 'log_file=' in nrpe.cfg (John Frickson) -- check_nrpe can now write to a log file using '--log_file=' or '-g' options (John Frickson) +- check_nrpe can now write to a log file using '--log-file=' or '-g' options (John Frickson) FIXES - Added missing debugging syslog entries, and changed printf()'s to syslog()'s. (Jobst Schmalenbach) From aa182283756b5b687c6b2c8e117e7f965e57ee15 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Fri, 31 Mar 2017 15:17:46 -0500 Subject: [PATCH 54/61] Return UNKNOWN when check_nrpe cannot communicate with nrpe and -u set Fix for issue #85 --- Changelog | 1 + src/check_nrpe.c | 4 ++-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 02de9662..af097a12 100644 --- a/Changelog +++ b/Changelog @@ -33,6 +33,7 @@ FIXES - Add reload command to systemd service file (Bas Couwenberg) - fix file not found error when updating version (Sven Nierlein) - Spelling fixes (Josh Soref) +- Return UNKNOWN when check_nrpe cannot communicate with nrpe and -u set (John Frickson) 3.0.1 - 2016-09-08 diff --git a/src/check_nrpe.c b/src/check_nrpe.c index ed92c3ef..c165076a 100644 --- a/src/check_nrpe.c +++ b/src/check_nrpe.c @@ -674,7 +674,7 @@ void usage(int result) printf(" -6 = bind to ipv6 only\n"); printf(" -n = Do no use SSL\n"); printf - (" -u = (DEPRECATED) Make timeouts return UNKNOWN instead of CRITICAL\n"); + (" -u = Make connection problems return UNKNOWN instead of CRITICAL\n"); printf(" -V = Show version\n"); printf(" -l = Show license\n"); printf(" = Anonymous Diffie Hellman use:\n"); @@ -917,7 +917,7 @@ int connect_to_remote() /* try to connect to the host at the given port number */ if ((sd = my_connect(server_name, &hostaddr, server_port, address_family, bind_address)) < 0) - exit(STATE_CRITICAL); + exit(timeout_return_code); result = STATE_OK; addrlen = sizeof(addr); From 76558a424ff7035875a16c670a6a2d65b8007a26 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Fri, 31 Mar 2017 15:30:03 -0500 Subject: [PATCH 55/61] xinetd.d parameter causes many messages in log file Fix for issue #88 --- Changelog | 1 + startup/default-xinetd.in | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/Changelog b/Changelog index af097a12..d81568e8 100644 --- a/Changelog +++ b/Changelog @@ -34,6 +34,7 @@ FIXES - fix file not found error when updating version (Sven Nierlein) - Spelling fixes (Josh Soref) - Return UNKNOWN when check_nrpe cannot communicate with nrpe and -u set (John Frickson) +- xinetd.d parameter causes many messages in log file (John Frickson) 3.0.1 - 2016-09-08 diff --git a/startup/default-xinetd.in b/startup/default-xinetd.in index eb8248cb..3b5e87fb 100644 --- a/startup/default-xinetd.in +++ b/startup/default-xinetd.in @@ -11,5 +11,5 @@ service nrpe server = @sbindir@/nrpe server_args = -c @pkgsysconfdir@/nrpe.cfg --inetd only_from = 127.0.0.1 - log_on_failure += USERID + log_on_success = } From 2a6486eafbdc2c688ca46713cce93a3e6fe568ca Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 3 Apr 2017 13:20:43 -0500 Subject: [PATCH 56/61] Fixes for openssl 1.1.x Probable fix for issue #93 --- Changelog | 1 + THANKS | 1 + sample-config/nrpe.cfg.in | 1 + src/check_nrpe.c | 130 +++++++++++++++++++++++++++----------- src/nrpe.c | 110 +++++++++++++++++++++++--------- 5 files changed, 174 insertions(+), 69 deletions(-) diff --git a/Changelog b/Changelog index d81568e8..61d472f9 100644 --- a/Changelog +++ b/Changelog @@ -35,6 +35,7 @@ FIXES - Spelling fixes (Josh Soref) - Return UNKNOWN when check_nrpe cannot communicate with nrpe and -u set (John Frickson) - xinetd.d parameter causes many messages in log file (John Frickson) +- Fixes for openssl 1.1.x (Stephen Smoogen / John Frickson) 3.0.1 - 2016-09-08 diff --git a/THANKS b/THANKS index f282b40f..3d8df0e5 100644 --- a/THANKS +++ b/THANKS @@ -43,6 +43,7 @@ Ryan Ordway Sean Finney Spenser Reinhardt Stefan Krüger +Stephen Smoogen Subhendu Ghosh Sven Nierlein Thierry Bertaud diff --git a/sample-config/nrpe.cfg.in b/sample-config/nrpe.cfg.in index 71047e48..2313cbf4 100644 --- a/sample-config/nrpe.cfg.in +++ b/sample-config/nrpe.cfg.in @@ -205,6 +205,7 @@ connection_timeout=300 # TLSv1.2+ (use TLSv1.2 or above) # If an "or above" version is used, the best will be negotiated. So if both # ends are able to do TLSv1.2 and use specify SSLv2, you will get TLSv1.2. +# If you are using openssl 1.1.0 or above, the SSLv2 options are not available. #ssl_version=SSLv2+ diff --git a/src/check_nrpe.c b/src/check_nrpe.c index c165076a..2fe9d4f6 100644 --- a/src/check_nrpe.c +++ b/src/check_nrpe.c @@ -83,7 +83,7 @@ struct _SSL_PARMS { char *cacert_file; char *privatekey_file; char cipher_list[MAX_FILENAME_LENGTH]; - SslVer ssl_min_ver; + SslVer ssl_proto_ver; int allowDH; ClntCerts client_certs; SslLogging log_opts; @@ -131,8 +131,8 @@ int main(int argc, char **argv) timeout_return_code = STATE_CRITICAL; if (sslprm.cipher_list[0] == '\0') strncpy(sslprm.cipher_list, "ALL:!MD5:@STRENGTH", MAX_FILENAME_LENGTH - 1); - if (sslprm.ssl_min_ver == SSL_Ver_Invalid) - sslprm.ssl_min_ver = TLSv1_plus; + if (sslprm.ssl_proto_ver == SSL_Ver_Invalid) + sslprm.ssl_proto_ver = TLSv1_plus; if (sslprm.allowDH == -1) sslprm.allowDH = TRUE; @@ -407,31 +407,34 @@ int process_arguments(int argc, char **argv, int from_config_file) break; case 'S': - if (from_config_file && sslprm.ssl_min_ver != SSL_Ver_Invalid) { + if (from_config_file && sslprm.ssl_proto_ver != SSL_Ver_Invalid) { logit(LOG_WARNING, "WARNING: Command-line ssl-version (-S) " "overrides the config file option."); break; } - if (!strcmp(optarg, "SSLv2")) - sslprm.ssl_min_ver = SSLv2; - else if (!strcmp(optarg, "SSLv2+")) - sslprm.ssl_min_ver = SSLv2_plus; - else if (!strcmp(optarg, "SSLv3")) - sslprm.ssl_min_ver = SSLv3; - else if (!strcmp(optarg, "SSLv3+")) - sslprm.ssl_min_ver = SSLv3_plus; - else if (!strcmp(optarg, "TLSv1")) - sslprm.ssl_min_ver = TLSv1; - else if (!strcmp(optarg, "TLSv1+")) - sslprm.ssl_min_ver = TLSv1_plus; + + if (!strcmp(optarg, "TLSv1.2")) + sslprm.ssl_proto_ver = TLSv1_2; + else if (!strcmp(optarg, "TLSv1.2+")) + sslprm.ssl_proto_ver = TLSv1_2_plus; else if (!strcmp(optarg, "TLSv1.1")) - sslprm.ssl_min_ver = TLSv1_1; + sslprm.ssl_proto_ver = TLSv1_1; else if (!strcmp(optarg, "TLSv1.1+")) - sslprm.ssl_min_ver = TLSv1_1_plus; - else if (!strcmp(optarg, "TLSv1.2")) - sslprm.ssl_min_ver = TLSv1_2; - else if (!strcmp(optarg, "TLSv1.2+")) - sslprm.ssl_min_ver = TLSv1_2_plus; + sslprm.ssl_proto_ver = TLSv1_1_plus; + else if (!strcmp(optarg, "TLSv1")) + sslprm.ssl_proto_ver = TLSv1; + else if (!strcmp(optarg, "TLSv1+")) + sslprm.ssl_proto_ver = TLSv1_plus; + else if (!strcmp(optarg, "SSLv3")) + sslprm.ssl_proto_ver = SSLv3; + else if (!strcmp(optarg, "SSLv3+")) + sslprm.ssl_proto_ver = SSLv3_plus; +#if OPENSSL_VERSION_NUMBER < 0x10100000 + else if (!strcmp(optarg, "SSLv2")) + sslprm.ssl_proto_ver = SSLv2; + else if (!strcmp(optarg, "SSLv2+")) + sslprm.ssl_proto_ver = SSLv2_plus; +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ else return ERROR; break; @@ -684,10 +687,14 @@ void usage(int result) printf(" 2 = Force Anonymous Diffie Hellman\n"); printf(" = Specify non-default payload size for NSClient++\n"); printf - (" = The SSL/TLS version to use. Can be any one of: SSLv2 (only),\n"); - printf(" SSLv2+ (or above), SSLv3 (only), SSLv3+ (or above),\n"); - printf(" TLSv1 (only), TLSv1+ (or above DEFAULT), TLSv1.1 (only),\n"); - printf(" TLSv1.1+ (or above), TLSv1.2 (only), TLSv1.2+ (or above)\n"); + (" = The SSL/TLS version to use. Can be any one of:\n"); +#if OPENSSL_VERSION_NUMBER < 0x10100000 + printf(" SSLv2 (only), SSLv2+ (or above),\n"); +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ + printf(" SSLv3 (only), SSLv3+ (or above),\n"); + printf(" TLSv1 (only), TLSv1+ (or above DEFAULT),\n"); + printf(" TLSv1.1 (only), TLSv1.1+ (or above),\n"); + printf(" TLSv1.2 (only), TLSv1.2+ (or above)\n"); printf(" = The list of SSL ciphers to use (currently defaults\n"); printf (" to \"ALL:!MD5:@STRENGTH\". WILL change in a future release.)\n"); @@ -754,7 +761,8 @@ void setup_ssl() logit(LOG_INFO, "SSL Allow ADH: %s", sslprm.allowDH == 0 ? "No" : (sslprm.allowDH == 1 ? "Allow" : "Require")); logit(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts); - switch (sslprm.ssl_min_ver) { + + switch (sslprm.ssl_proto_ver) { case SSLv2: val = "SSLv2"; break; @@ -796,33 +804,75 @@ void setup_ssl() if (use_ssl == TRUE) { SSL_load_error_strings(); SSL_library_init(); + +#if OPENSSL_VERSION_NUMBER >= 0x10100000 + + meth = TLS_method(); + +#else /* OPENSSL_VERSION_NUMBER >= 0x10100000 */ + meth = SSLv23_client_method(); # ifndef OPENSSL_NO_SSL2 - if (sslprm.ssl_min_ver == SSLv2) + if (sslprm.ssl_proto_ver == SSLv2) meth = SSLv2_client_method(); # endif # ifndef OPENSSL_NO_SSL3 - if (sslprm.ssl_min_ver == SSLv3) + if (sslprm.ssl_proto_ver == SSLv3) meth = SSLv3_client_method(); # endif - if (sslprm.ssl_min_ver == TLSv1) + if (sslprm.ssl_proto_ver == TLSv1) meth = TLSv1_client_method(); # ifdef SSL_TXT_TLSV1_1 - if (sslprm.ssl_min_ver == TLSv1_1) + if (sslprm.ssl_proto_ver == TLSv1_1) meth = TLSv1_1_client_method(); # ifdef SSL_TXT_TLSV1_2 - if (sslprm.ssl_min_ver == TLSv1_2) + if (sslprm.ssl_proto_ver == TLSv1_2) meth = TLSv1_2_client_method(); -# endif -# endif +# endif /* ifdef SSL_TXT_TLSV1_2 */ +# endif /* ifdef SSL_TXT_TLSV1_1 */ + +#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000 */ if ((ctx = SSL_CTX_new(meth)) == NULL) { printf("CHECK_NRPE: Error - could not create SSL context.\n"); exit(STATE_CRITICAL); } - switch(sslprm.ssl_min_ver) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000 + + SSL_CTX_set_max_proto_version(ctx, 0); + + switch(sslprm.ssl_proto_ver) { + + case TLSv1_2: + SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION); + case TLSv1_2_plus: + SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); + break; + + case TLSv1_1: + SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION); + case TLSv1_1_plus: + SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); + break; + + case TLSv1: + SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION); + case TLSv1_plus: + SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); + break; + + case SSLv3: + SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION); + case SSLv3_plus: + SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); + break; + } + +#else /* OPENSSL_VERSION_NUMBER >= 0x10100000 */ + + switch(sslprm.ssl_proto_ver) { case SSLv2: case SSLv2_plus: break; @@ -840,6 +890,9 @@ void setup_ssl() ssl_opts |= SSL_OP_NO_SSLv2; break; } + +#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000 */ + SSL_CTX_set_options(ctx, ssl_opts); if (sslprm.cert_file != NULL && sslprm.privatekey_file != NULL) { @@ -1012,9 +1065,10 @@ int connect_to_remote() if (peer) { if (sslprm.log_opts & SSL_LogIfClientCert) logit(LOG_NOTICE, "SSL %s has %s certificate", - rem_host, peer->valid ? "a valid" : "an invalid"); + rem_host, SSL_get_verify_result(ssl) ? "a valid" : "an invalid"); if (sslprm.log_opts & SSL_LogCertDetails) { - logit(LOG_NOTICE, "SSL %s Cert Name: %s", rem_host, peer->name); + X509_NAME_oneline(X509_get_subject_name(peer), buffer, sizeof(buffer)); + logit(LOG_NOTICE, "SSL %s Cert Name: %s", rem_host, buffer); X509_NAME_oneline(X509_get_issuer_name(peer), buffer, sizeof(buffer)); logit(LOG_NOTICE, "SSL %s Cert Issuer: %s", rem_host, buffer); } @@ -1459,7 +1513,7 @@ int verify_callback(int preverify_ok, X509_STORE_CTX * ctx) ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); X509_NAME_oneline(X509_get_subject_name(err_cert), name, 256); - X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), issuer, 256); + X509_NAME_oneline(X509_get_issuer_name(err_cert), issuer, 256); if (!preverify_ok && sslprm.client_certs >= Ask_For_Cert && (sslprm.log_opts & SSL_LogCertDetails)) { diff --git a/src/nrpe.c b/src/nrpe.c index 08911819..3c25f684 100644 --- a/src/nrpe.c +++ b/src/nrpe.c @@ -130,7 +130,7 @@ struct _SSL_PARMS { char *cacert_file; char *privatekey_file; char cipher_list[MAX_FILENAME_LENGTH]; - SslVer ssl_min_ver; + SslVer ssl_proto_ver; int allowDH; ClntCerts client_certs; SslLogging log_opts; @@ -285,24 +285,33 @@ void init_ssl(void) } } } + +#if OPENSSL_VERSION_NUMBER >= 0x10100000 + + meth = TLS_method(); + +#else /* OPENSSL_VERSION_NUMBER >= 0x10100000 */ + # ifndef OPENSSL_NO_SSL2 - if (sslprm.ssl_min_ver == SSLv2) + if (sslprm.ssl_proto_ver == SSLv2) meth = SSLv2_server_method(); # endif # ifndef OPENSSL_NO_SSL3 - if (sslprm.ssl_min_ver == SSLv3) + if (sslprm.ssl_proto_ver == SSLv3) meth = SSLv3_server_method(); # endif - if (sslprm.ssl_min_ver == TLSv1) + if (sslprm.ssl_proto_ver == TLSv1) meth = TLSv1_server_method(); # ifdef SSL_TXT_TLSV1_1 - if (sslprm.ssl_min_ver == TLSv1_1) + if (sslprm.ssl_proto_ver == TLSv1_1) meth = TLSv1_1_server_method(); # ifdef SSL_TXT_TLSV1_2 - if (sslprm.ssl_min_ver == TLSv1_2) + if (sslprm.ssl_proto_ver == TLSv1_2) meth = TLSv1_2_server_method(); -# endif -# endif +# endif /* ifdef SSL_TXT_TLSV1_2 */ +# endif /* SSL_TXT_TLSV1_1 */ + +#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000 */ ctx = SSL_CTX_new(meth); if (ctx == NULL) { @@ -311,7 +320,40 @@ void init_ssl(void) exit(STATE_CRITICAL); } - switch(sslprm.ssl_min_ver) { +#if OPENSSL_VERSION_NUMBER >= 0x10100000 + + SSL_CTX_set_max_proto_version(ctx, 0); + + switch(sslprm.ssl_proto_ver) { + + case TLSv1_2: + SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION); + case TLSv1_2_plus: + SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION); + break; + + case TLSv1_1: + SSL_CTX_set_max_proto_version(ctx, TLS1_1_VERSION); + case TLSv1_1_plus: + SSL_CTX_set_min_proto_version(ctx, TLS1_1_VERSION); + break; + + case TLSv1: + SSL_CTX_set_max_proto_version(ctx, TLS1_VERSION); + case TLSv1_plus: + SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION); + break; + + case SSLv3: + SSL_CTX_set_max_proto_version(ctx, SSL3_VERSION); + case SSLv3_plus: + SSL_CTX_set_min_proto_version(ctx, SSL3_VERSION); + break; + } + +#else /* OPENSSL_VERSION_NUMBER >= 0x10100000 */ + + switch(sslprm.ssl_proto_ver) { case SSLv2: case SSLv2_plus: break; @@ -329,6 +371,9 @@ void init_ssl(void) ssl_opts |= SSL_OP_NO_SSLv2; break; } + +#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000 */ + SSL_CTX_set_options(ctx, ssl_opts); if (sslprm.cert_file != NULL) { @@ -407,7 +452,7 @@ void log_ssl_startup(void) sslprm.client_certs == 0 ? "Don't Ask" : (sslprm.client_certs == 1 ? "Accept" : "Require")); logit(LOG_INFO, "SSL Log Options: 0x%02x", sslprm.log_opts); - switch (sslprm.ssl_min_ver) { + switch (sslprm.ssl_proto_ver) { case SSLv2: vers = "SSLv2"; break; @@ -640,7 +685,7 @@ int verify_callback(int preverify_ok, X509_STORE_CTX * ctx) ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx()); X509_NAME_oneline(X509_get_subject_name(err_cert), name, 256); - X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), issuer, 256); + X509_NAME_oneline(X509_get_issuer_name(err_cert), issuer, 256); if (!preverify_ok && (sslprm.log_opts & SSL_LogCertDetails)) { logit(LOG_ERR, "SSL Client has an invalid certificate: %s (issuer=%s) err=%d:%s", @@ -824,26 +869,28 @@ int read_config_file(char *filename) } } else if (!strcmp(varname, "ssl_version")) { - if (!strcmp(varvalue, "SSLv2")) - sslprm.ssl_min_ver = SSLv2; - else if (!strcmp(varvalue, "SSLv2+")) - sslprm.ssl_min_ver = SSLv2_plus; - else if (!strcmp(varvalue, "SSLv3")) - sslprm.ssl_min_ver = SSLv3; - else if (!strcmp(varvalue, "SSLv3+")) - sslprm.ssl_min_ver = SSLv3_plus; - else if (!strcmp(varvalue, "TLSv1")) - sslprm.ssl_min_ver = TLSv1; - else if (!strcmp(varvalue, "TLSv1+")) - sslprm.ssl_min_ver = TLSv1_plus; + if (!strcmp(varvalue, "TLSv1.2")) + sslprm.ssl_proto_ver = TLSv1_2; + else if (!strcmp(varvalue, "TLSv1.2+")) + sslprm.ssl_proto_ver = TLSv1_2_plus; else if (!strcmp(varvalue, "TLSv1.1")) - sslprm.ssl_min_ver = TLSv1_1; + sslprm.ssl_proto_ver = TLSv1_1; else if (!strcmp(varvalue, "TLSv1.1+")) - sslprm.ssl_min_ver = TLSv1_1_plus; - else if (!strcmp(varvalue, "TLSv1.2")) - sslprm.ssl_min_ver = TLSv1_2; - else if (!strcmp(varvalue, "TLSv1.2+")) - sslprm.ssl_min_ver = TLSv1_2_plus; + sslprm.ssl_proto_ver = TLSv1_1_plus; + else if (!strcmp(varvalue, "TLSv1")) + sslprm.ssl_proto_ver = TLSv1; + else if (!strcmp(varvalue, "TLSv1+")) + sslprm.ssl_proto_ver = TLSv1_plus; + else if (!strcmp(varvalue, "SSLv3")) + sslprm.ssl_proto_ver = SSLv3; + else if (!strcmp(varvalue, "SSLv3+")) + sslprm.ssl_proto_ver = SSLv3_plus; +#if OPENSSL_VERSION_NUMBER < 0x10100000 + else if (!strcmp(varvalue, "SSLv2")) + sslprm.ssl_proto_ver = SSLv2; + else if (!strcmp(varvalue, "SSLv2+")) + sslprm.ssl_proto_ver = SSLv2_plus; +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */ else { logit(LOG_ERR, "Invalid ssl version specified in config file '%s' - Line %d", filename, line); @@ -1859,10 +1906,11 @@ int handle_conn_ssl(int sock, void *ssl_ptr) if (peer) { if (sslprm.log_opts & SSL_LogIfClientCert) logit(LOG_NOTICE, "SSL Client %s has %svalid certificate", - remote_host, peer->valid ? "a " : "an in"); + remote_host, SSL_get_verify_result(ssl) ? "a " : "an in"); if (sslprm.log_opts & SSL_LogCertDetails) { + X509_NAME_oneline(X509_get_subject_name(peer), buffer, sizeof(buffer)); logit(LOG_NOTICE, "SSL Client %s Cert Name: %s", - remote_host, peer->name); + remote_host, buffer); X509_NAME_oneline(X509_get_issuer_name(peer), buffer, sizeof(buffer)); logit(LOG_NOTICE, "SSL Client %s Cert Issuer: %s", remote_host, buffer); From acda648d6c7818b626d3a1f9b8de2e2064b8c303 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 3 Apr 2017 14:48:12 -0500 Subject: [PATCH 57/61] PATH and other environment variables not set with numeric nrpe_user Fix for issue #96 --- Changelog | 1 + src/utils.c | 19 +++++++++++++------ 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/Changelog b/Changelog index 61d472f9..16997c89 100644 --- a/Changelog +++ b/Changelog @@ -36,6 +36,7 @@ FIXES - Return UNKNOWN when check_nrpe cannot communicate with nrpe and -u set (John Frickson) - xinetd.d parameter causes many messages in log file (John Frickson) - Fixes for openssl 1.1.x (Stephen Smoogen / John Frickson) +- PATH and other environment variables not set with numeric nrpe_user (John Frickson) 3.0.1 - 2016-09-08 diff --git a/src/utils.c b/src/utils.c index 7a21b7a3..50cce29f 100644 --- a/src/utils.c +++ b/src/utils.c @@ -318,17 +318,24 @@ int clean_environ(const char *keep_env_vars, const char *nrpe_user) free(keep); free(kept); - pw = (struct passwd *)getpwnam(nrpe_user); - if (pw == NULL) - return OK; - setenv("PATH", path, 1); setenv("IFS", " \t\n", 1); - setenv("HOME", pw->pw_dir, 0); - setenv("SHELL", pw->pw_shell, 0); setenv("LOGNAME", nrpe_user, 0); setenv("USER", nrpe_user, 0); + pw = (struct passwd *)getpwnam(nrpe_user); + if (pw == NULL) { + char *end = NULL; + uid_t uid = strtol(nrpe_user, &end, 10); + if (uid > 0) + pw = (struct passwd *)getpwuid(uid); + if (pw == NULL || *end != '\0') + return OK; + } + + setenv("HOME", pw->pw_dir, 0); + setenv("SHELL", pw->pw_shell, 0); + return OK; } From f94112bb61c6b60045ed6efb9263c08b8cb0f070 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 3 Apr 2017 14:51:11 -0500 Subject: [PATCH 58/61] Adjustment to echo'd message at the end of a `make all` Fix for issue #100 --- Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in index 4fb42f38..9d915136 100644 --- a/Makefile.in +++ b/Makefile.in @@ -70,7 +70,7 @@ all: echo "";\ echo "You can now continue with the installation or upgrade process.";\ echo "";\ - echo "Read the PDF documentation (NRPE.pdf) for information on the next";\ + echo "Read the PDF documentation (docs/NRPE.pdf) for information on the next";\ echo "steps you should take to complete the installation or upgrade.";\ echo "" From a9374448d481f9f8b9ae65965a24ef1d7c7ba534 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Mon, 3 Apr 2017 17:02:33 -0500 Subject: [PATCH 59/61] Fixed some rpmbuild errors Fix for issue #94 Thanks to bvandi for the patch I modified slightly --- Changelog | 1 + Makefile.in | 4 +++- nrpe.spec.in | 3 ++- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/Changelog b/Changelog index 16997c89..893659b2 100644 --- a/Changelog +++ b/Changelog @@ -37,6 +37,7 @@ FIXES - xinetd.d parameter causes many messages in log file (John Frickson) - Fixes for openssl 1.1.x (Stephen Smoogen / John Frickson) - PATH and other environment variables not set with numeric nrpe_user (John Frickson) +- rpmbuild -ta nrpe-3.0.1.tar.gz failed File not found: /etc/init.d/nrpe (bvandi / John Frickson) 3.0.1 - 2016-09-08 diff --git a/Makefile.in b/Makefile.in index 9d915136..6c6ac947 100644 --- a/Makefile.in +++ b/Makefile.in @@ -126,7 +126,9 @@ install-init: launchctl load $(INIT_DIR)/$(INIT_FILE); \ else\ if test -f /sbin/chkconfig ; then \ - /sbin/chkconfig nrpe on;\ + case "$(DESTDIR)" in */rpmbuild/*) break;; \ + *)/sbin/chkconfig nrpe on;; \ + esac; \ else\ echo "Make sure to enable the nrpe daemon";\ fi;\ diff --git a/nrpe.spec.in b/nrpe.spec.in index 23a10f91..321bc232 100644 --- a/nrpe.spec.in +++ b/nrpe.spec.in @@ -9,6 +9,7 @@ %endif %if %{islinux} %define _init_dir @initdir@ + %define _init_tyhpe @init_type@ %define _exec_prefix %{_prefix}/sbin %define _bindir %{_prefix}/sbin %define _sbindir %{_prefix}/lib/nagios/cgi @@ -127,7 +128,7 @@ fi export PATH=$PATH:/usr/sbin CFLAGS="$RPM_OPT_FLAGS" CXXFLAGS="$RPM_OPT_FLAGS" \ MAKE=%{_make} ./configure \ - --with-init-dir=/etc/init.d \ + --with-init-type=%{_init_type} \ --with-nrpe-port=%{nsport} \ --with-nrpe-user=%{nsusr} \ --with-nrpe-group=%{nsgrp} \ From 2ede1844d7e7bec8a7e702406a1d0b5606161d46 Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Thu, 6 Apr 2017 12:29:56 -0500 Subject: [PATCH 60/61] Update version to 3.1.0-rc1 --- configure | 26 +++++++++++++------------- configure.ac | 6 +++--- include/common.h.in | 6 +++--- nrpe.spec.in | 2 +- src/check_nrpe.c | 2 +- update-version | 4 ++-- 6 files changed, 23 insertions(+), 23 deletions(-) diff --git a/configure b/configure index fbe07d66..0d999390 100755 --- a/configure +++ b/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for nrpe 3.0.1. +# Generated by GNU Autoconf 2.69 for nrpe 3.1.0-rc1. # # Report bugs to . # @@ -580,8 +580,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='nrpe' PACKAGE_TARNAME='nrpe' -PACKAGE_VERSION='3.0.1' -PACKAGE_STRING='nrpe 3.0.1' +PACKAGE_VERSION='3.1.0-rc1' +PACKAGE_STRING='nrpe 3.1.0-rc1' PACKAGE_BUGREPORT='nagios-users@lists.sourceforge.net' PACKAGE_URL='https://www.nagios.org/downloads/nagios-core-addons/' @@ -1319,7 +1319,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures nrpe 3.0.1 to adapt to many kinds of systems. +\`configure' configures nrpe 3.1.0-rc1 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1369,7 +1369,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of nrpe 3.0.1:";; + short | recursive ) echo "Configuration of nrpe 3.1.0-rc1:";; esac cat <<\_ACEOF @@ -1514,7 +1514,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -nrpe configure 3.0.1 +nrpe configure 3.1.0-rc1 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -2120,7 +2120,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by nrpe $as_me 3.0.1, which was +It was created by nrpe $as_me 3.1.0-rc1, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2485,9 +2485,9 @@ ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var. PKG_NAME=nrpe -PKG_VERSION="3.0.1" +PKG_VERSION="3.1.0-rc1" PKG_HOME_URL="http://www.nagios.org/" -PKG_REL_DATE="09-08-2016" +PKG_REL_DATE="2017-04-06" RPM_RELEASE=1 LANG=C @@ -4346,7 +4346,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by nrpe $as_me 3.0.1, which was +This file was extended by nrpe $as_me 3.1.0-rc1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -4400,7 +4400,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -nrpe config.status 3.0.1 +nrpe config.status 3.1.0-rc1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" @@ -8272,7 +8272,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by nrpe $as_me 3.0.1, which was +This file was extended by nrpe $as_me 3.1.0-rc1, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -8335,7 +8335,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -nrpe config.status 3.0.1 +nrpe config.status 3.1.0-rc1 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/configure.ac b/configure.ac index 8ebfcd63..f25cf6ca 100644 --- a/configure.ac +++ b/configure.ac @@ -5,15 +5,15 @@ define([AC_CACHE_LOAD],) define([AC_CACHE_SAVE],) m4_include([build-aux/custom_help.m4]) -AC_INIT([nrpe],[3.0.1],[nagios-users@lists.sourceforge.net],[nrpe],[https://www.nagios.org/downloads/nagios-core-addons/]) +AC_INIT([nrpe],[3.1.0-rc1],[nagios-users@lists.sourceforge.net],[nrpe],[https://www.nagios.org/downloads/nagios-core-addons/]) AC_CONFIG_SRCDIR([src/nrpe.c]) AC_CONFIG_AUX_DIR([build-aux]) AC_PREFIX_DEFAULT(/usr/local/nagios) PKG_NAME=nrpe -PKG_VERSION="3.0.1" +PKG_VERSION="3.1.0-rc1" PKG_HOME_URL="http://www.nagios.org/" -PKG_REL_DATE="09-08-2016" +PKG_REL_DATE="2017-04-06" RPM_RELEASE=1 LANG=C diff --git a/include/common.h.in b/include/common.h.in index 8146bd5c..b36fb8a9 100644 --- a/include/common.h.in +++ b/include/common.h.in @@ -2,7 +2,7 @@ * * COMMON.H - NRPE Common Include File * Copyright (c) 1999-2007 Ethan Galstad (nagios@nagios.org) - * Last Modified: 09-08-2016 + * Last Modified: 2017-04-06 * * License: * @@ -33,8 +33,8 @@ # endif #endif -#define PROGRAM_VERSION "3.0.1" -#define MODIFICATION_DATE "09-08-2016" +#define PROGRAM_VERSION "3.1.0-rc1" +#define MODIFICATION_DATE "2017-04-06" #define OK 0 #define ERROR -1 diff --git a/nrpe.spec.in b/nrpe.spec.in index 321bc232..3d066feb 100644 --- a/nrpe.spec.in +++ b/nrpe.spec.in @@ -22,7 +22,7 @@ %define _sysconfdir /etc/nagios %define name @PACKAGE_NAME@ -%define version @PACKAGE_VERSION@ +%define version 3.1.0-rc1 %define release @RPM_RELEASE@ %define nsusr @nrpe_user@ %define nsgrp @nrpe_group@ diff --git a/src/check_nrpe.c b/src/check_nrpe.c index 2fe9d4f6..ecd042e4 100644 --- a/src/check_nrpe.c +++ b/src/check_nrpe.c @@ -4,7 +4,7 @@ * Copyright (c) 1999-2008 Ethan Galstad (nagios@nagios.org) * License: GPL * - * Last Modified: 09-08-2016 + * Last Modified: 2017-04-06 * * Command line: CHECK_NRPE -H [-p port] [-c command] [-to to_sec] * diff --git a/update-version b/update-version index 6ac19c45..5a7c0396 100755 --- a/update-version +++ b/update-version @@ -28,10 +28,10 @@ else fi # Current version number -CURRENTVERSION=3.0.1 +CURRENTVERSION=3.1.0-rc1 # Last date -LASTDATE=2016-09-08 +LASTDATE=2017-04-06 if [ "x$1" = "x" ] then From 4512d4ae1039cd0128eae0447a95fb1bb11e290e Mon Sep 17 00:00:00 2001 From: "John C. Frickson" Date: Thu, 6 Apr 2017 13:12:12 -0500 Subject: [PATCH 61/61] Squashed 'macros/' changes from 925d86b..15ae464 15ae464 fix build error when there is more than one xinetd running b857c47 Merge branch 'master' of github.com:NagiosEnterprises/autoconf-macros d191bd3 Export SSL_TYPE variable e4f9f67 Compiler Warnings using Oracle Developer Studio on Solaris git-subtree-dir: macros git-subtree-split: 15ae464aaadf4894ac4792cf749b3cb05f12f48a --- ax_nagios_get_inetd | 2 +- ax_nagios_get_ssl | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/ax_nagios_get_inetd b/ax_nagios_get_inetd index 94ce32bc..610b892b 100644 --- a/ax_nagios_get_inetd +++ b/ax_nagios_get_inetd @@ -115,7 +115,7 @@ AC_SUBST(inetd_type) inetd_type=`UNIX95= ps -A -o comm | grep inetd | head -1`, [*], - inetd_type=[`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND`]) + inetd_type=[`ps -C "inetd,xinetd" -o fname | grep -vi COMMAND | head -1`]) fi if test x"$inetd_type" = x; then diff --git a/ax_nagios_get_ssl b/ax_nagios_get_ssl index eda150e3..ca323335 100644 --- a/ax_nagios_get_ssl +++ b/ax_nagios_get_ssl @@ -59,6 +59,7 @@ SSL_HDR= SSL_LIB_DIR= AC_SUBST(HAVE_SSL) +AC_SUBST(SSL_TYPE) AC_SUBST(SSL_INC_DIR) AC_SUBST(SSL_HDR) AC_SUBST(SSL_INC_PREFIX)