libopenssl3-3.1.4-150600.5.21.1<>,Dg! p9|E,uNũCf15Hf Ǟ*վp۪>{$0C MDGVӱkG$ }CP)76R[HCNn/zk|bf'g/-OY/Pˏ;]Cj591 fЩ7* r/zh;m .WK6av,HwwqXed h|mE6BP-ܿ =Pf%Ѹ?>i.a?}xܲG[2B˱>IK?Kd " N\`lp 4 P l   $\H 0    ( 8 (d9 d:xd>A@ABAFB"GB8HBpIBXB YB ZC4[CD\C\]C^DUbDcEodEeEfElEuFvFH wIxIyJ0<zK K0K4KLKPKTKZKClibopenssl33.1.4150600.5.21.1Secure Sockets and Transport Layer SecurityOpenSSL is a software library to be used in applications that need to secure communications over computer networks against eavesdropping or need to ascertain the identity of the party at the other end. OpenSSL contains an implementation of the SSL and TLS protocols.g! s390zp31MYSUSE Linux Enterprise 15SUSE LLC Apache-2.0https://www.suse.com/Unspecifiedhttps://www.openssl.org/linuxs390xAAـ? 'AAA큤gPgPgggggggggQgg!e7ɟc63d0db6933664ad68d34bad684ab4d6c1b17a742ae28a35f02bdc4161c7fdc3dc7354ed0beaed700e780f6a1f7207bf40d082262c5e956b204ebd827b58d79d063f5a4de8e7b241c356e2ebd69669d1e3e47d21a3eceab153b639abf80f4a2681e78fb22a304dcfd1e3ad94c01f7773ed52e8fa5eeb4651864243590d0707fa0ada116850acdd18f170f14c4788123309ef168ef09e528cfdc8469ed153788b51964871e29846acc56ad39a4b9142a928813039b9af44b3b79799a03585e056476538f80887d3276443dfe8706a7be9ec1e161aca18068afbff159071d45863a570ff59921510f05548e8e2fe753b34ea05a5335e683bcbdf9d2b2636e87c727d5450cb2d142651b8afa315b5f238efc805dad827d91ba367d8516bc9d49e7alibcrypto.so.3.1.4libssl.so.3.1.4rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootopenssl-3-3.1.4-150600.5.21.1.src.rpmlibcrypto.so.3()(64bit)libcrypto.so.3(OPENSSL_3.0.0)(64bit)libcrypto.so.3(OPENSSL_3.0.1)(64bit)libcrypto.so.3(OPENSSL_3.0.3)(64bit)libcrypto.so.3(OPENSSL_3.0.8)(64bit)libcrypto.so.3(OPENSSL_3.0.9)(64bit)libcrypto.so.3(OPENSSL_3.1.0)(64bit)libcrypto.so.3(OPENSSL_3.1.4)(64bit)libopenssl3libopenssl3(s390-64)libopenssl3-hmaclibssl.so.3()(64bit)libssl.so.3(OPENSSL_3.0.0)(64bit)@@@@@@@@@@@@@@@@@@    /sbin/ldconfig/sbin/ldconfigcrypto-policieslibc.so.6()(64bit)libc.so.6(GLIBC_2.15)(64bit)libc.so.6(GLIBC_2.16)(64bit)libc.so.6(GLIBC_2.17)(64bit)libc.so.6(GLIBC_2.2)(64bit)libc.so.6(GLIBC_2.25)(64bit)libc.so.6(GLIBC_2.3)(64bit)libc.so.6(GLIBC_2.3.4)(64bit)libc.so.6(GLIBC_2.33)(64bit)libc.so.6(GLIBC_2.34)(64bit)libc.so.6(GLIBC_2.38)(64bit)libc.so.6(GLIBC_2.4)(64bit)libcrypto.so.3()(64bit)libcrypto.so.3(OPENSSL_3.0.0)(64bit)libcrypto.so.3(OPENSSL_3.0.1)(64bit)libcrypto.so.3(OPENSSL_3.0.3)(64bit)libjitterentropy.so.3()(64bit)libz.so.1()(64bit)rpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)3.0.4-14.6.0-14.0-15.2-1openssl-33.1.4-150600.5.21.14.14.3g@f@f(@fIfIf@f@ff@fr@fffb@fafWfU@fK;@f8@e؈eee@eXeoee{@e{@e@eqeRe7e1@e1@e-%e'e @ddd!d~ddu@dtdkY@dbd*d"d!@dd@dadxc=@ck@ccccj@ccca @ca @ca @c!@b?bK@bK@b@b5b4t@b0b@a aa@a@a7T@a@`@`P@` @`B`}p`v@`/@`&m__H@_@_@_@_9_-B@_@_^@^@^@^^@^@pmonreal@suse.comangel.yankov@suse.comabergmann@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.combwiedemann@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.comotto.hollmann@suse.compsimons@suse.commwilck@suse.comgiuliano.belinassi@suse.comotto.hollmann@suse.comotto.hollmann@suse.compmonreal@suse.comotto.hollmann@suse.comotto.hollmann@suse.compmonreal@suse.comotto.hollmann@suse.comotto.hollmann@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.comotto.hollmann@suse.comguillaume.gardet@opensuse.orgotto.hollmann@suse.comotto.hollmann@suse.comotto.hollmann@suse.compmonreal@suse.comotto.hollmann@suse.comjengelh@inai.deotto.hollmann@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.comotto.hollmann@suse.comotto.hollmann@suse.compmonreal@suse.comotto.hollmann@suse.comotto.hollmann@suse.comotto.hollmann@suse.compmonreal@suse.comotto.hollmann@suse.comotto.hollmann@suse.comotto.hollmann@suse.comotto.hollmann@suse.commpluskal@suse.comotto.hollmann@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.comotto.hollmann@suse.comotto.hollmann@suse.comotto.hollmann@suse.compmonreal@suse.comotto.hollmann@suse.comotto.hollmann@suse.comotto.hollmann@suse.combrunopitrus@hotmail.compmonreal@suse.compmonreal@suse.compmonreal@suse.comjsikes@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.comdanilo.spinella@suse.comsimonf.lees@suse.comsimonf.lees@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.comjsikes@suse.comjsikes@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.compmonreal@suse.comcallumjfarmer13@gmail.comvcizek@suse.compmonrealgonzalez@suse.comvcizek@suse.comvcizek@suse.comjengelh@inai.devcizek@suse.comvcizek@suse.comvcizek@suse.com- Security fix: [bsc#1220262, CVE-2023-50782] * Implicit rejection in PKCS#1 v1.5 * Add openssl-CVE-2023-50782.patch- Security fix: [bsc#1230698, CVE-2024-41996] * Validating the order of the public keys in the Diffie-Hellman Key Agreement Protocol, when an approved safe prime is used. * Added openssl-3-CVE-2024-41996.patch- Security fix: [bsc#1229465, CVE-2024-6119] * possible denial of service in X.509 name checks * openssl-CVE-2024-6119.patch- Build with no-afalgeng [bsc#1226463]- Security fix: [bsc#1227138, CVE-2024-5535] * SSL_select_next_proto buffer overread * Add openssl-CVE-2024-5535.patch- Build with enabled sm2 and sm4 support [bsc#1222899]- Add reproducible.patch to fix bsc#1223336 aes-gcm-avx512.pl: fix non-reproducibility issue- FIPS: Deny SHA-1 signature verification in FIPS provider [bsc#1221365] * SHA-1 is not allowed anymore in FIPS 186-5 for signature verification operations. After 12/31/2030, NIST will disallow SHA-1 for all of its usages. * Add openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch- FIPS: RSA keygen PCT requirements. * Skip the rsa_keygen_pairwise_test() PCT in rsa_keygen() as the self-test requirements are covered by do_rsa_pct() for both RSA-OAEP and RSA signatures [bsc#1221760] * Enforce error state if rsa_keygen PCT is run and fails [bsc#1221753] * Add openssl-3-FIPS-PCT_rsa_keygen.patch- FIPS: Check that the fips provider is available before setting it as the default provider in FIPS mode. [bsc#1220523] * Rebase openssl-Force-FIPS.patch- FIPS: Port openssl to use jitterentropy [bsc#1220523] * Set the module in error state if the jitter RNG fails either on initialization or entropy gathering because health tests failed. * Add jitterentropy as a seeding source output also in crypto/info.c * Move the jitter entropy collector and the associated lock out of the header file to avoid redefinitions. * Add the fips_local.cnf symlink to the spec file. This simlink points to the openssl_fips.config file that is provided by the crypto-policies package. * Rebase openssl-3-jitterentropy-3.4.0.patch * Rebase openssl-FIPS-enforce-EMS-support.patch- FIPS: Block non-Approved Elliptic Curves [bsc#1221786] * Add patches - openssl-Add-changes-to-ectest-and-eccurve.patch - openssl-Remove-EC-curves.patch - openssl-Disable-explicit-ec.patch - openssl-skipped-tests-EC-curves.patch - openssl-FIPS-services-minimize.patch - FIPS: Service Level Indicator [bsc#1221365] * Add patches: - openssl-FIPS-Expose-a-FIPS-indicator.patch - openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch - openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch - openssl-FIPS-RSA-disable-shake.patch - openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch - openssl-FIPS-Add-explicit-indicator-for-key-length.patch - openssl-FIPS-limit-rsa-encrypt.patch - openssl-FIPS-enforce-EMS-support.patch - openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch - openssl-FIPS-services-minimize.patch - openssl-Add-FIPS-indicator-parameter-to-HKDF.patch - openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch - openssl-FIPS-enforce-security-checks-during-initialization.patch - TODO: incomplete - FIPS: Output the FIPS-validation name and module version which uniquely identify the FIPS validated module. [bsc#1221751] * Add openssl-FIPS-release_num_in_version_string.patch - FIPS: Add required selftests: [bsc#1221760] * Add patches - openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch - openssl-FIPS-Use-FFDHE2048-in-self-test.patch - openssl-FIPS-early-KATS.patch - openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch - openssl-FIPS-140-3-keychecks.patch - FIPS: DH: Disable FIPS 186-4 Domain Parameters [bsc#1221821] Add openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch - FIPS: Recommendation for Password-Based Key Derivation [bsc#1221827] * Add additional check required by FIPS 140-3. Minimum value for PBKDF2 password is 20 characters. * Add patches: - openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch - openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch - FIPS: Zeroization is required [bsc#1221752] * Add openssl-FIPS-140-3-zeroization.patch - FIPS: Reseed DRBG [bsc#1220690, bsc#1220693, bsc#1220696] * Enable prediction resistance for primary DRBG * Add oversampling of the noise source to comply with requirements of NIST SP 800-90C * Change CRNG buf size to align with output size of the Jitter RNG * Add openssl-FIPS-140-3-DRBG.patch - FIPS: NIST SP 800-56Brev2 [bsc#1221824] * Add patches: - openssl-FIPS-limit-rsa-encrypt.patch - openssl-FIPS-RSA-encapsulate.patch - openssl-FIPS-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch - FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4 [bsc#1221787] * Add patches: - openssl-FIPS-services-minimize.patch - openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch - openssl-Allow-disabling-of-SHA1-signatures.patch - openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch - FIPS: Port openssl to use jitterentropy [bsc#1220523] * Add openssl-3-jitterentropy-3.4.0.patch * Add build dependency on jitterentropy-devel >= 3.4.0 and libjitterentropy3 >= 3.4.0 - FIPS: NIST SP 800-56Arev3 [bsc#1221822] * Add openssl-FIPS-140-3-keychecks.patch - FIPS: Error state has to be enforced [bsc#1221753] * Add patches: - openssl-FIPS-140-3-keychecks.patch - openssl-FIPS-Enforce-error-state.patch- Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free security vulnerability. Calling the function SSL_free_buffers() potentially caused memory to be accessed that was previously freed in some situations and a malicious attacker could attempt to engineer a stituation where this occurs to facilitate a denial-of-service attack. [CVE-2024-4741, bsc#1225551]- Fix HDKF key derivation (bsc#1225291, gh#openssl/openssl#23448, gh#openssl/openssl#23456) * Add openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch * Add openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch- Enable livepatching support (bsc#1223428)- Security fix: [bsc#1224388, CVE-2024-4603] * Check DSA parameters for excessive sizes before validating * Add openssl-CVE-2024-4603.patch- Security fix: [bsc#1222548, CVE-2024-2511] * Fix unconstrained session cache growth in TLSv1.3 * Add openssl-CVE-2024-2511.patch- Build the 32bit flavor of libopenssl-3-fips-provider [bsc#1220232] * Update baselibs.conf- Add migration script to move old files (bsc#1219562) /etc/ssl/engines.d/* -> /etc/ssl/engines1.1.d.rpmsave /etc/ssl/engdef.d/* -> /etc/ssl/engdef1.1.d.rpmsave They will be later restored by openssl-1_1 package to engines1.1.d and engdef1.1.d- Security fix: [bsc#1219243, CVE-2024-0727] * Add NULL checks where ContentInfo data can be NULL * Add openssl-CVE-2024-0727.patch- Encapsulate the fips provider into a new package called libopenssl-3-fips-provider.- Added openssl-3-use-include-directive.patch so that the default /etc/ssl/openssl.cnf file will include any configuration files that other packages might place into /etc/ssl/engines3.d/ and /etc/ssl/engdef3.d/. Also create symbolic links /etc/ssl/engines.d/ and /etc/ssl/engdef.d/ to above versioned directories. - Updated spec file to create the two new necessary directores for the above patch and two symbolic links to above directories. [bsc#1194187, bsc#1207472, bsc#1218933]- Security fix: [bsc#1218810, CVE-2023-6237] * Limit the execution time of RSA public key check * Add openssl-CVE-2023-6237.patch- Rename openssl-Override-default-paths-for-the-CA-directory-tree.patch to openssl-crypto-policies-support.patch- Embed the FIPS hmac. Add openssl-FIPS-embed-hmac.patch- Load the FIPS provider and set FIPS properties implicitly. * Add openssl-Force-FIPS.patch [bsc#1217934] - Disable the fipsinstall command-line utility. * Add openssl-disable-fipsinstall.patch - Add instructions to load legacy provider in openssl.cnf. * openssl-load-legacy-provider.patch - Disable the default provider for the test suite. * openssl-Disable-default-provider-for-test-suite.patch- Security fix: [bsc#1218690, CVE-2023-6129] * POLY1305: Fix vector register clobbering on PowerPC * Add openssl-CVE-2023-6129.patch- Add patch to fix BTI enablement on aarch64: * openssl-Enable-BTI-feature-for-md5-on-aarch64.patch- Security fix: [bsc#1216922, CVE-2023-5678] * Fix excessive time spent in DH check / generation with large Q parameter value. * Applications that use the functions DH_generate_key() to generate an X9.42 DH key may experience long delays. Likewise, applications that use DH_check_pub_key(), DH_check_pub_key_ex () or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 DH parameters may experience long delays. Where the key or parameters that are being checked have been obtained from an untrusted source this may lead to a Denial of Service. * Add openssl-CVE-2023-5678.patch- Update to 3.1.4: * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() with OSSL_PARAM parameters that alter the key or IV length [bsc#1216163, CVE-2023-5363]. * Remove patch fixed upstream openssl-CVE-2023-5363.patch- Performance enhancements for cryptography from OpenSSL 3.2 [jsc#PED-5086, jsc#PED-3514] * Add patches: - openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch - openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch - openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch - openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch - openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch - openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch- FIPS: Add the FIPS_mode() compatibility macro and flag support. * Add patches: - openssl-Add-FIPS_mode-compatibility-macro.patch - openssl-Add-Kernel-FIPS-mode-flag-support.patch- Security fix: [bsc#1216163, CVE-2023-5363] * Incorrect cipher key and IV length processing * Add openssl-CVE-2023-5363.patch- As of openssl 3.1.3, the devel package installs at least 5200 manpage files and is the owner of the most files in the man3 directory (in second place after lapack-man); move these manpages off to the -doc subpackage to reduce the walltime to install just openssl-3-devel (because there is also an invocation of mandb that runs at some point).- Update to 3.1.3: * Fix POLY1305 MAC implementation corrupting XMM registers on Windows (CVE-2023-4807)- Update to 3.1.2: * Fix excessive time spent checking DH q parameter value (bsc#1213853, CVE-2023-3817). The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Fix DH_check() excessive time with over sized modulus (bsc#1213487, CVE-2023-3446). The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Do not ignore empty associated data entries with AES-SIV (bsc#1213383, CVE-2023-2975). The AES-SIV algorithm allows for authentication of multiple associated data entries along with the encryption. To authenticate empty data the application has to call EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as the output buffer and 0 as the input buffer length. The AES-SIV implementation in OpenSSL just returns success for such call instead of performing the associated data authentication operation. The empty data thus will not be authenticated. The fix changes the authentication tag value and the ciphertext for applications that use empty associated data entries with AES-SIV. To decrypt data encrypted with previous versions of OpenSSL the application has to skip calls to EVP_DecryptUpdate() for empty associated data entries. * When building with the enable-fips option and using the resulting FIPS provider, TLS 1.2 will, by default, mandate the use of an extended master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC DRBGs will not operate with truncated digests (FIPS 140-3 IG G.R). * Update openssl.keyring with the OTC members that sign releases * Remove openssl-z16-s390x.patch fixed upstream in https://github.com/openssl/openssl/pull/21284 * Remove security patches fixed upstream: - openssl-CVE-2023-2975.patch - openssl-CVE-2023-3446.patch - openssl-CVE-2023-3446-test.patch - openssl-3-CVE-2023-3817.patch- Security fix: [bsc#1213853, CVE-2023-3817] * Excessive time spent checking DH q parameter value: The function DH_check() performs various checks on DH parameters. After fixing CVE-2023-3446 it was discovered that a large q parameter value can also trigger an overly long computation during some of these checks. A correct q value, if present, cannot be larger than the modulus p parameter, thus it is unnecessary to perform these checks if q is larger than p. If DH_check() is called with such q parameter value, DH_CHECK_INVALID_Q_VALUE return flag is set and the computationally intensive checks are skipped. * Add openssl-3-CVE-2023-3817.patch- Security fix: [bsc#1213487, CVE-2023-3446] * Fix DH_check() excessive time with over sized modulus. * The function DH_check() performs various checks on DH parameters. One of those checks confirms that the modulus ("p" parameter) is not too large. Trying to use a very large modulus is slow and OpenSSL will not normally use a modulus which is over 10,000 bits in length. However the DH_check() function checks numerous aspects of the key or parameters that have been supplied. Some of those checks use the supplied modulus value even if it has already been found to be too large. A new limit has been added to DH_check of 32,768 bits. Supplying a key/parameters with a modulus over this size will simply cause DH_check() to fail. * Add openssl-CVE-2023-3446.patch openssl-CVE-2023-3446-test.patch- Security fix: [bsc#1213383, CVE-2023-2975] * AES-SIV implementation ignores empty associated data entries * Add openssl-CVE-2023-2975.patch- Improve cross-package provides/conflicts [boo#1210313] * Add Provides/Conflicts: ssl-devel * Remove explicit conflicts with other devel-libraries * Remove Provides: openssl(cli) - it's managed by meta package- Update to 3.1.1: * Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate (CVE-2023-2650, bsc#1211430) * Multiple algorithm implementation fixes for ARM BE platforms. * Added a -pedantic option to fipsinstall that adjusts the various settings to ensure strict FIPS compliance rather than backwards compatibility. * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can trigger a crash of an application using AES-XTS decryption if the memory just after the buffer being decrypted is not mapped. Thanks to Anton Romanov (Amazon) for discovering the issue. (CVE-2023-1255, bsc#1210714) * Add FIPS provider configuration option to disallow the use of truncated digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.). The option '-no_drbg_truncated_digests' can optionally be supplied to 'openssl fipsinstall'. * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that it does not enable policy checking. Thanks to David Benjamin for discovering this issue. (CVE-2023-0466, bsc#1209873) * Fixed an issue where invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. (CVE-2023-0465, bsc#1209878) * Limited the number of nodes created in a policy tree to mitigate against CVE-2023-0464. The default limit is set to 1000 nodes, which should be sufficient for most installations. If required, the limit can be adjusted by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a desired maximum number of nodes or zero to allow unlimited growth. (CVE-2023-0464, bsc#1209624) * Update openssl.keyring with key A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C (Tomas Mraz) * Rebased patches: - openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch - openssl-Add_support_for_Windows_CA_certificate_store.patch * Removed patches: - openssl-CVE-2023-0464.patch - openssl-Fix-OBJ_nid2obj-regression.patch - openssl-CVE-2023-0465.patch - openssl-CVE-2023-0466.patch - openssl-CVE-2023-1255.patch - openssl-CVE-2023-2650.patch- FIPS: Merge libopenssl3-hmac package into the library [bsc#1185116]- Security Fix: [CVE-2023-1255, bsc#1210714] * Input buffer over-read in AES-XTS implementation on 64 bit ARM * Add openssl-CVE-2023-1255.patch - Security Fix: [CVE-2023-2650, bsc#1211430] * Possible DoS translating ASN.1 object identifiers * Add openssl-CVE-2023-2650.patch- Add support for Windows CA certificate store [bsc#1209430] https://github.com/openssl/openssl/pull/18070 * Add openssl-Add_support_for_Windows_CA_certificate_store.patch- Security Fix: [CVE-2023-0465, bsc#1209878] * Invalid certificate policies in leaf certificates are silently ignored * Add openssl-CVE-2023-0465.patch - Security Fix: [CVE-2023-0466, bsc#1209873] * Certificate policy check not enabled * Add openssl-CVE-2023-0466.patch- Fix regression in the OBJ_nid2obj() function: [bsc#1209430] * Upstream https://github.com/openssl/openssl/issues/20555 * Add openssl-Fix-OBJ_nid2obj-regression.patch- Fix compiler error "initializer element is not constant" on s390 * Add openssl-z16-s390x.patch- Security Fix: [CVE-2023-0464, bsc#1209624] * Excessive Resource Usage Verifying X.509 Policy Constraints * Add openssl-CVE-2023-0464.patch- Pass over with spec-cleaner- Update to 3.1.0: * Add FIPS provider configuration option to enforce the Extended Master Secret (EMS) check during the TLS1_PRF KDF. The option '-ems-check' can optionally be supplied to 'openssl fipsinstall'. * The FIPS provider includes a few non-approved algorithms for backward compatibility purposes and the "fips=yes" property query must be used for all algorithm fetches to ensure FIPS compliance. The algorithms that are included but not approved are Triple DES ECB, Triple DES CBC and EdDSA. * Added support for KMAC in KBKDF. * RNDR and RNDRRS support in provider functions to provide random number generation for Arm CPUs (aarch64). * s_client and s_server apps now explicitly say when the TLS version does not include the renegotiation mechanism. This avoids confusion between that scenario versus when the TLS version includes secure renegotiation but the peer lacks support for it. * AES-GCM enabled with AVX512 vAES and vPCLMULQDQ. * The various OBJ_* functions have been made thread safe. * Parallel dual-prime 1536/2048-bit modular exponentiation for AVX512_IFMA capable processors. * The functions OPENSSL_LH_stats, OPENSSL_LH_node_stats, OPENSSL_LH_node_usage_stats, OPENSSL_LH_stats_bio, OPENSSL_LH_node_stats_bio and OPENSSL_LH_node_usage_stats_bio are now marked deprecated from OpenSSL 3.1 onwards and can be disabled by defining OPENSSL_NO_DEPRECATED_3_1. The macro DEFINE_LHASH_OF is now deprecated in favour of the macro DEFINE_LHASH_OF_EX, which omits the corresponding type-specific function definitions for these functions regardless of whether OPENSSL_NO_DEPRECATED_3_1 is defined. Users of DEFINE_LHASH_OF may start receiving deprecation warnings for these functions regardless of whether they are using them. It is recommended that users transition to the new macro, DEFINE_LHASH_OF_EX. * When generating safe-prime DH parameters set the recommended private key length equivalent to minimum key lengths as in RFC 7919. * Change the default salt length for PKCS#1 RSASSA-PSS signatures to the maximum size that is smaller or equal to the digest length to comply with FIPS 186-4 section 5. This is implemented by a new option OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX ("auto-digestmax") for the rsa_pss_saltlen parameter, which is now the default. Signature verification is not affected by this change and continues to work as before. * Update openssl.keyring with key 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491 (Matt Caswell)- Build AVX2 enabled hwcaps library for x86_64-v3- Update to version 3.0.8 in SLE15-SP5 [jsc#PED-544] * Fixed NULL dereference during PKCS7 data verification. A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the digest initialization will fail. There is a missing check for the return value from the initialization function which later leads to invalid usage of the digest API most likely leading to a crash. ([bsc#1207541, CVE-2023-0401]) PKCS7 data is processed by the SMIME library calls and also by the time stamp (TS) library calls. The TLS implementation in OpenSSL does not call these functions however third party applications would be affected if they call these functions to verify signatures on untrusted data. * Fixed X.400 address type confusion in X.509 GeneralName. There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service. ([bsc#1207533, CVE-2023-0286]) * Fixed NULL dereference validating DSA public key. An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the EVP_PKEY_public_check() function. This will most likely lead to an application crash. This function can be called on public keys supplied from untrusted sources which could allow an attacker to cause a denial of service attack. The TLS implementation in OpenSSL does not call this function but applications might call the function if there are additional security requirements imposed by standards such as FIPS 140-3. ([bsc#1207540, CVE-2023-0217]) * Fixed Invalid pointer dereference in d2i_PKCS7 functions. An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data with the d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. The result of the dereference is an application crash which could lead to a denial of service attack. The TLS implementation in OpenSSL does not call this function however third party applications might call these functions on untrusted data. ([bsc#1207539, CVE-2023-0216]) * Fixed Use-after-free following BIO_new_NDEF. The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL to support the SMIME, CMS and PKCS7 streaming capabilities, but may also be called directly by end user applications. The function receives a BIO from the caller, prepends a new BIO_f_asn1 filter BIO onto the front of it to form a BIO chain, and then returns the new head of the BIO chain to the caller. Under certain conditions, for example if a CMS recipient public key is invalid, the new filter BIO is freed and the function returns a NULL result indicating a failure. However, in this case, the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO then a use-after-free will occur. This will most likely result in a crash. ([bsc#1207536, CVE-2023-0215]) * Fixed Double free after calling PEM_read_bio_ex. The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload data. If the function succeeds then the "name_out", "header" and "data" arguments are populated with pointers to buffers containing the relevant decoded data. The caller is responsible for freeing those buffers. It is possible to construct a PEM file that results in 0 bytes of payload data. In this case PEM_read_bio_ex() will return a failure code but will populate the header argument with a pointer to a buffer that has already been freed. If the caller also frees this buffer then a double free will occur. This will most likely lead to a crash. The functions PEM_read_bio() and PEM_read() are simple wrappers around PEM_read_bio_ex() and therefore these functions are also directly affected. These functions are also called indirectly by a number of other OpenSSL functions including PEM_X509_INFO_read_bio_ex() and SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL internal uses of these functions are not vulnerable because the caller does not free the header argument if PEM_read_bio_ex() returns a failure code. ([bsc#1207538, CVE-2022-4450]) * Fixed Timing Oracle in RSA Decryption. A timing based side channel exists in the OpenSSL RSA Decryption implementation which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. To achieve a successful decryption an attacker would have to be able to send a very large number of trial messages for decryption. The vulnerability affects all RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. ([bsc#1207534, CVE-2022-4304]) * Fixed X.509 Name Constraints Read Buffer Overflow. A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. The read buffer overrun might result in a crash which could lead to a denial of service attack. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. ([bsc#1207535, CVE-2022-4203]) * Fixed X.509 Policy Constraints Double Locking security issue. If an X.509 certificate contains a malformed policy constraint and policy processing is enabled, then a write lock will be taken twice recursively. On some operating systems (most widely: Windows) this results in a denial of service when the affected process hangs. Policy processing being enabled on a publicly facing server is not considered to be a common setup. ([CVE-2022-3996]) * Our provider implementations of `OSSL_FUNC_KEYMGMT_EXPORT` and `OSSL_FUNC_KEYMGMT_GET_PARAMS` for EC and SM2 keys now honor `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT` as set (and default to `POINT_CONVERSION_UNCOMPRESSED`) when exporting `OSSL_PKEY_PARAM_PUB_KEY`, instead of unconditionally using `POINT_CONVERSION_COMPRESSED` as in previous 3.x releases. For symmetry, our implementation of `EVP_PKEY_ASN1_METHOD->export_to` for legacy EC and SM2 keys is also changed similarly to honor the equivalent conversion format flag as specified in the underlying `EC_KEY` object being exported to a provider, when this function is called through `EVP_PKEY_export()`. * Removed openssl-3-Fix-double-locking-problem.patch, contained in upstream. * Rebased openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch * Update openssl.keyring with key 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C (Richard Levitte)- Relax the crypto-policies requirements for the regression tests- Set OpenSSL 3.0.7 as the default openssl [bsc#1205042] * Rename openssl-1.1.0-no-html.patch to openssl-no-html-docs.patch * Rebase openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch * Package a copy of the original default config file called openssl.cnf and name it as openssl-orig.cnf and warn the user if the files differ. * Add openssl-3-devel as conflicting with libopenssl-1_1-devel * Remove patches: - fix-config-in-tests.patch - openssl-use-versioned-config.patch- Create the openssl ca-certificates directory in case the ca-certificates package is not installed. This directory is required by the nodejs regression tests. [bsc#1207484]- Update openssl.keyring: pub rsa4096 2021-07-16 [SC] [expires: 2031-07-14] A21FAB74B0088AA361152586B8EF1A6BA9DA2D5C uid Tomáš Mráz uid Tomáš Mráz uid Tomáš Mráz - Update to version 3.0.7 in SLE15-SP5 [jsc#PED-544] - Remove patches (already present in 3.0.7): * openssl-3-CVE-2022-1343.patch * openssl-CVE-2022-0778.patch * openssl-CVE-2022-0778-tests.patch * openssl-CVE-2022-1292.patch * openssl-3-Fix-EC-ASM-flag-passing.patch * openssl-update_expired_certificates.patch * openssl-3-CVE-2022-3358.patch * openssl-3-Fix-SHA-SHAKE-and-KECCAK-ASM-flag-passing.patch * openssl-3-CVE-2022-3602_2.patch * openssl-3-CVE-2022-3602_1.patch * openssl-CVE-2022-2097.patch * openssl-3-CVE-2022-1434.patch * openssl-3-CVE-2022-1473.patch * openssl-3-Fix-file-operations-in-c_rehash.patch - Enable tests: test_req test_verify_store test_ca test_ssl_old- Fix X.509 Policy Constraints Double Locking [bsc#1206374, CVE-2022-3996] * Add patch: openssl-3-Fix-double-locking-problem.patch- Compute the hmac files for FIPS 140-3 integrity checking of the openssl shared libraries using the brp-50-generate-fips-hmac script. Also computed for the 32bit package.- Temporary disable tests test_ssl_new and test_sslapi because they are failing in openSUSE_Tumbleweed- Update to 3.0.7: [bsc#1204714, CVE-2022-3602,CVE-2022-3786] * Fixed two buffer overflows in punycode decoding functions. A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. An attacker can craft a malicious email address to overflow an arbitrary number of bytes containing the `.` character (decimal 46) on the stack. This buffer overflow could result in a crash (causing a denial of service). ([CVE-2022-3786]) An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution depending on stack layout for any given platform/compiler. ([CVE-2022-3602]) * Removed all references to invalid OSSL_PKEY_PARAM_RSA names for CRT parameters in OpenSSL code. Applications should not use the names OSSL_PKEY_PARAM_RSA_FACTOR, OSSL_PKEY_PARAM_RSA_EXPONENT and OSSL_PKEY_PARAM_RSA_COEFFICIENT. Use the numbered names such as OSSL_PKEY_PARAM_RSA_FACTOR1 instead. Using these invalid names may cause algorithms to use slower methods that ignore the CRT parameters. * Fixed a regression introduced in 3.0.6 version raising errors on some stack operations. * Fixed a regression introduced in 3.0.6 version not refreshing the certificate data to be signed before signing the certificate. * Added RIPEMD160 to the default provider. * Ensured that the key share group sent or accepted for the key exchange is allowed for the protocol version.- Update to 3.0.6: [bsc#1204226, CVE-2022-3358] * OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers. * OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and EVP_CipherInit_ex2() functions (as well as other similarly named encryption and decryption initialisation functions). Instead of using the custom cipher directly it incorrectly tries to fetch an equivalent cipher from the available providers. An equivalent cipher is found based on the NID passed to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID for a given cipher. However it is possible for an application to incorrectly pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When NID_undef is used in this way the OpenSSL encryption/decryption initialisation function will match the NULL cipher as being equivalent and will fetch this from the available providers. This will succeed if the default provider has been loaded (or if a third party provider has been loaded that offers this cipher). Using the NULL cipher means that the plaintext is emitted as the ciphertext. * Applications are only affected by this issue if they call EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to an encryption/decryption initialisation function. Applications that only use SSL/TLS are not impacted by this issue. ([CVE-2022-3358]) * Fix LLVM vs Apple LLVM version numbering confusion that caused build failures on MacOS 10.11 * Fixed the linux-mips64 Configure target which was missing the SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that platform. * Fix handling of a ticket key callback that returns 0 in TLSv1.3 to not send a ticket * Correctly handle a retransmitted ClientHello in DTLS * Fixed detection of ktls support in cross-compile environment on Linux * Fixed some regressions and test failures when running the 3.0.0 FIPS provider against 3.0.x * Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to report correct results in some cases * Fix UWP builds by defining VirtualLock * For known safe primes use the minimum key length according to RFC 7919. Longer private key sizes unnecessarily raise the cycles needed to compute the shared secret without any increase of the real security. This fixes a regression from 1.1.1 where these shorter keys were generated for the known safe primes. * Added the loongarch64 target * Fixed EC ASM flag passing. Flags for ASM implementations of EC curves were only passed to the FIPS provider and not to the default or legacy provider. * Fixed reported performance degradation on aarch64. Restored the implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode") for 64bit targets only, since it is reportedly 2-17% slower and the silicon errata only affects 32bit targets. The new algorithm is still used for 32 bit targets. * Added a missing header for memcmp that caused compilation failure on some platforms- Do not make libopenssl3-32bit obsolete libopenssl1_1-32bit. They are independent libraries and can be installed simultaneously.- Update to 3.0.5: * The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. SSL/TLS servers or other servers using 2048 bit RSA private keys running on machines supporting AVX512IFMA instructions of the X86_64 architecture are affected by this issue. [bsc#1201148, CVE-2022-2274] * AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation would not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed. Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected. [bsc#1201099, CVE-2022-2097] - Rebase patches: * openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch- Update to 3.0.4: [bsc#1199166, bsc#1200550, CVE-2022-1292, CVE-2022-2068] * In addition to the c_rehash shell command injection identified in CVE-2022-1292, further bugs where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection have been fixed. When the CVE-2022-1292 was fixed it was not discovered that there are other places in the script where the file names of certificates being hashed were possibly passed to a command executed through the shell. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. * Case insensitive string comparison no longer uses locales. It has instead been directly implemented.- Update to 3.0.3: * Case insensitive string comparison is reimplemented via new locale-agnostic comparison functions OPENSSL_str[n]casecmp always using the POSIX locale for comparison. The previous implementation had problems when the Turkish locale was used. * Fixed a bug in the c_rehash script which was not properly sanitising shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool. [bsc#1199166, CVE-2022-1292] * Fixed a bug in the function 'OCSP_basic_verify' that verifies the signer certificate on an OCSP response. The bug caused the function in the case where the (non-default) flag OCSP_NOCHECKS is used to return a postivie response (meaning a successful verification) even in the case where the response signing certificate fails to verify. It is anticipated that most users of 'OCSP_basic_verify' will not use the OCSP_NOCHECKS flag. In this case the 'OCSP_basic_verify' function will return a negative value (indicating a fatal error) in the case of a certificate verification failure. The normal expected return value in this case would be 0. This issue also impacts the command line OpenSSL "ocsp" application. When verifying an ocsp response with the "-no_cert_checks" option the command line application will report that the verification is successful even though it has in fact failed. In this case the incorrect successful response will also be accompanied by error messages showing the failure and contradicting the apparently successful result. [bsc#1199167, CVE-2022-1343] * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the AAD data as the MAC key. This made the MAC key trivially predictable. An attacker could exploit this issue by performing a man-in-the-middle attack to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such that the modified data would still pass the MAC integrity check. Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 endpoint will always be rejected by the recipient and the connection will fail at that point. Many application protocols require data to be sent from the client to the server first. Therefore, in such a case, only an OpenSSL 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client. [bsc#1199168, CVE-2022-1434] * Fix a bug in the OPENSSL_LH_flush() function that breaks reuse of the memory occuppied by the removed hash table entries. This function is used when decoding certificates or keys. If a long lived process periodically decodes certificates or keys its memory usage will expand without bounds and the process might be terminated by the operating system causing a denial of service. Also traversing the empty hash table entries will take increasingly more time. Typically such long lived processes might be TLS clients or TLS servers configured to accept client certificate authentication. [bsc#1199169, CVE-2022-1473] * The functions 'OPENSSL_LH_stats' and 'OPENSSL_LH_stats_bio' now only report the 'num_items', 'num_nodes' and 'num_alloc_nodes' statistics. All other statistics are no longer supported. For compatibility, these statistics are still listed in the output but are now always reported as zero.- Added openssl-update_expired_certificates.patch * Openssl failed tests because of expired certificates. * bsc#1185637- Enable zlib compression support [bsc#1195149]- Add crypto-policies support. * Fix some tests that couldn't find the openssl3.cnf location * Rebase patch: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch- Update to 3.0.2: [bsc#1196877, CVE-2022-0778] * Security fix [CVE-2022-0778]: Infinite loop for non-prime moduli in BN_mod_sqrt() reachable when parsing certificates. * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) to the list of ciphersuites providing Perfect Forward Secrecy as required by SECLEVEL >= 3. * Made the AES constant time code for no-asm configurations optional due to the resulting 95% performance degradation. The AES constant time code can be enabled, for no assembly builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME * Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to use empty passphrase strings. * The negative return value handling of the certificate verification callback was reverted. The replacement is to set the verification retry state with the SSL_set_retry_verify() function. * Rebase openssl-use-versioned-config.patch- Keep CA_default and tsa_config1 default paths in openssl3.cnf - Rebase patches: * openssl-Override-default-paths-for-the-CA-directory-tree.patch * openssl-use-versioned-config.patch- Fix conflict with openssl and libressl- Remove /etc/pki/CA from the [jsc#SLE-17856, jsc#SLE-19044] openssl-Override-default-paths-for-the-CA-directory-tree.patch - Remove unused patches- Ship openssl-3 as binary names [jsc#SLE-17856, jsc#SLE-19044] - Use openssl3.cnf * openssl-use-versioned-config.patch * fix-config-in-tests.patch - Support crypto policies * openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch * openssl-Override-default-paths-for-the-CA-directory-tree.patch - Remove obsolets, not ready to force an upgrade yet- Update to 3.0.1: [bsc#1193740, CVE-2021-4044] * RNDR and RNDRRS support in provider functions to provide random number generation for Arm CPUs (aarch64). * s_client and s_server apps now explicitly say when the TLS version does not include the renegotiation mechanism. This avoids confusion between that scenario versus when the TLS version includes secure renegotiation but the peer lacks support for it. * The default SSL/TLS security level has been changed from 1 to 2. RSA, DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys of 160 bits and above and less than 224 bits were previously accepted by default but are now no longer allowed. By default TLS compression was already disabled in previous OpenSSL versions. At security level 2 it cannot be enabled. * The SSL_CTX_set_cipher_list family functions now accept ciphers using their IANA standard names. * The PVK key derivation function has been moved from b2i_PVK_bio_ex() into the legacy crypto provider as an EVP_KDF. Applications requiring this KDF will need to load the legacy crypto provider. * The various OBJ_* functions have been made thread safe. * CCM8 cipher suites in TLS have been downgraded to security level zero because they use a short authentication tag which lowers their strength. * Subject or issuer names in X.509 objects are now displayed as UTF-8 strings by default. * Parallel dual-prime 1536/2048-bit modular exponentiation for AVX512_IFMA capable processors.- Update to 3.0.0 * The full list of changes since version 1.1.1 can be found in: https://github.com/openssl/openssl/blob/master/CHANGES.md#openssl-30 * OpenSSL 3.0 wiki: https://wiki.openssl.org/index.php/OpenSSL_3.0 * The Migration guide: https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod- Update to 3.0.0 Beta 2 * The ERR_GET_FUNC() function was removed. With the loss of meaningful function codes, this function can only cause problems for calling applications. * While a callback function set via 'SSL_CTX_set_cert_verify_callback()' is not allowed to return a value > 1, this is no more taken as failure. * Deprecated the obsolete X9.31 RSA key generation related functions BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and BN_X931_generate_prime_ex(). - Remove openssl-ppc64-fix-build.patch fixed upstream- Update to 3.0.0 Beta 1 * Add a configurable flag to output date formats as ISO 8601. Does not change the default date format. * Version of MSVC earlier than 1300 could get link warnings, which could be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 was set. Support for this flag has been removed. * Rework and make DEBUG macros consistent. Remove unused - DCONF_DEBUG, -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing category and use it for printing reference counts. Rename - DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG. Fix BN_DEBUG_RAND so it compiles and, when set, force DEBUG_RAND to be set also. Rename engine_debug_ref to be ENGINE_REF_PRINT also for consistency. * The public definitions of conf_method_st and conf_st have been deprecated. They will be made opaque in a future release. * Many functions in the EVP_ namespace that are getters of values from implementations or contexts were renamed to include get or get0 in their names. Old names are provided as macro aliases for compatibility and are not deprecated. * PKCS#5 PBKDF1 key derivation has been moved from PKCS5_PBE_keyivgen() into the legacy crypto provider as an EVP_KDF. Applications requiring this KDF will need to load the legacy crypto provider. This includes these PBE algorithms which use this KDF: - NID_pbeWithMD2AndDES_CBC - NID_pbeWithMD5AndDES_CBC - NID_pbeWithSHA1AndRC2_CBC - NID_pbeWithMD2AndRC2_CBC - NID_pbeWithMD5AndRC2_CBC - NID_pbeWithSHA1AndDES_CBC * Deprecated obsolete BIO_set_callback(), BIO_get_callback(), and BIO_debug_callback() functions. - Fix build on ppc and ppc64 * Add openssl-ppc64-fix-build.patch * See https://github.com/openssl/openssl/issues/15923- Update to 3.0.0 Alpha 17 * Added migration guide to man7 * Implemented support for fully "pluggable" TLSv1.3 groups * Added convenience functions for generating asymmetric key pairs. * Added a proper HTTP client supporting GET with optional redirection, POST, arbitrary request and response content types, TLS, persistent connections, connections via HTTP(s) proxies, connections and exchange via user-defined BIOs (allowing implicit connections), and timeout checks.- Update to 3.0.0. Alpha 16 * Mark pop/clear error stack in der2key_decode_p8- Update to 3.0.0 Alpha 15 * The default manual page suffix ($MANSUFFIX) has been changed to "ossl" * Added support for Kernel TLS (KTLS). In order to use KTLS, support for it must be compiled in using the "enable-ktls" compile time option. It must also be enabled at run time using the SSL_OP_ENABLE_KTLS option. * The error return values from some control calls (ctrl) have changed. One significant change is that controls which used to return -2 for invalid inputs, now return -1 indicating a generic error condition instead. * Removed EVP_PKEY_set_alias_type(). * All of these low level RSA functions have been deprecated without replacement: RSA_blinding_off, RSA_blinding_on, RSA_clear_flags, RSA_get_version, RSAPrivateKey_dup, RSAPublicKey_dup, RSA_set_flags, RSA_setup_blinding and RSA_test_flags. * All of these RSA flags have been deprecated without replacement: RSA_FLAG_BLINDING, RSA_FLAG_CACHE_PRIVATE, RSA_FLAG_CACHE_PUBLIC, RSA_FLAG_EXT_PKEY, RSA_FLAG_NO_BLINDING, RSA_FLAG_THREAD_SAFE and RSA_METHOD_FLAG_NO_CHECK. * These low level DH functions have been deprecated without replacement: DH_clear_flags, DH_get_1024_160, DH_get_2048_224, DH_get_2048_256, DH_set_flags and DH_test_flags. The DH_FLAG_CACHE_MONT_P flag has been deprecated without replacement. The DH_FLAG_TYPE_DH and DH_FLAG_TYPE_DHX have been deprecated. Use EVP_PKEY_is_a() to determine the type of a key. There is no replacement for setting these flags. * These low level DSA functions have been deprecated without replacement: DSA_clear_flags, DSA_dup_DH, DSAparams_dup, DSA_set_flags and DSA_test_flags. * The DSA_FLAG_CACHE_MONT_P flag has been deprecated without replacement. * Reworked the treatment of EC EVP_PKEYs with the SM2 curve to automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC. This is a breaking change from previous OpenSSL versions. Unlike in previous OpenSSL versions, this means that applications must not call 'EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)' to get SM2 computations. The 'EVP_PKEY_set_alias_type' function has now been removed. * Parameter and key generation is also reworked to make it possible to generate EVP_PKEY_SM2 parameters and keys. Applications must now generate SM2 keys directly and must not create an EVP_PKEY_EC key first.- Update to 3.0.0 Alpha 14 * A public key check is now performed during EVP_PKEY_derive_set_peer(). Previously DH was internally doing this during EVP_PKEY_derive(). * The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT, EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT, EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations are deprecated. They are not invoked by the OpenSSL library anymore and are replaced by direct checks of the key operation against the key type when the operation is initialized. * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for more key types including RSA, DSA, ED25519, X25519, ED448 and X448. Previously (in 1.1.1) they would return -2. For key types that do not have parameters then EVP_PKEY_param_check() will always return 1. * The output from numerous "printing" functions such as X509_signature_print(), X509_print_ex(), X509_CRL_print_ex(), and other similar functions has been amended such that there may be cosmetic differences between the output observed in 1.1.1 and 3.0. This also applies to the "-text" output from the x509 and crl applications. * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035) for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations. As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present. Correct the semantics of checking the validation chain in case ESSCertID{,v2} contains more than one certificate identifier: This means that all certificates referenced there MUST be part of the validation chain. * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA capable processors. * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM parameter (RFC 5084) for the Cryptographic Message Syntax (CMS). Its purpose is to support encryption and decryption of a digital envelope that is both authenticated and encrypted using AES GCM mode.- Update to 3.0.0 Alpha 13 * A public key check is now performed during EVP_PKEY_derive_set_peer(). Previously DH was internally doing this during EVP_PKEY_derive(). To disable this check use EVP_PKEY_derive_set_peer_ex(dh, peer, 0). This may mean that an error can occur in EVP_PKEY_derive_set_peer() rather than during EVP_PKEY_derive(). * The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT, EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT, EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations are deprecated. They are not invoked by the OpenSSL library anymore and are replaced by direct checks of the key operation against the key type when the operation is initialized. * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for more key types including RSA, DSA, ED25519, X25519, ED448 and X448. Previously (in 1.1.1) they would return -2. For key types that do not have parameters then EVP_PKEY_param_check() will always return 1. * The output from numerous "printing" functions such as X509_signature_print(), X509_print_ex(), X509_CRL_print_ex(), and other similar functions has been amended such that there may be cosmetic differences between the output observed in 1.1.1 and 3.0. This also applies to the "-text" output from the x509 and crl applications. * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035) for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations. As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present. Correct the semantics of checking the validation chain in case ESSCertID{,v2} contains more than one certificate identifier: This means that all certificates referenced there MUST be part of the validation chain. * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA capable processors. * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM parameter (RFC 5084) for the Cryptographic Message Syntax (CMS). Its purpose is to support encryption and decryption of a digital envelope that is both authenticated and encrypted using AES GCM mode.- Update to 3.0.0 Alpha 12 * The SRP APIs have been deprecated. The old APIs do not work via providers, and there is no EVP interface to them. Unfortunately there is no replacement for these APIs at this time. * Add a compile time option to prevent the caching of provider fetched algorithms. This is enabled by including the no-cached-fetch option at configuration time. * Combining the Configure options no-ec and no-dh no longer disables TLSv1.3. Typically if OpenSSL has no EC or DH algorithms then it cannot support connections with TLSv1.3. However OpenSSL now supports "pluggable" groups through providers. * The undocumented function X509_certificate_type() has been deprecated; applications can use X509_get0_pubkey() and X509_get0_signature() to get the same information. * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range() functions. They are identical to BN_rand() and BN_rand_range() respectively. * The default key generation method for the regular 2-prime RSA keys was changed to the FIPS 186-4 B.3.6 method (Generation of Probable Primes with Conditions Based on Auxiliary Probable Primes). This method is slower than the original method. * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() functions. They are replaced with the BN_check_prime() function that avoids possible misuse and always uses at least 64 rounds of the Miller-Rabin primality test. * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn() as they are not useful with non-deprecated functions.- Update to 3.0.0 Alpha 11 * Deprecated the obsolete X9.31 RSA key generation related functions BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), and BN_X931_generate_prime_ex(). * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_*(). These were used to collect all necessary data to form a HTTP request, and to perform the HTTP transfer with that request. With OpenSSL 3.0, the type is OSSL_HTTP_REQ_CTX, and the deprecated functions are replaced with OSSL_HTTP_REQ_CTX_*(). * Validation of SM2 keys has been separated from the validation of regular EC keys, allowing to improve the SM2 validation process to reject loaded private keys that are not conforming to the SM2 ISO standard. In particular, a private scalar 'k' outside the range '1 <= k < n-1' is now correctly rejected. * Behavior of the 'pkey' app is changed, when using the '-check' or '-pubcheck' switches: a validation failure triggers an early exit, returning a failure exit status to the parent process. * Changed behavior of SSL_CTX_set_ciphersuites() and SSL_set_ciphersuites() to ignore unknown ciphers. * All of the low level EC_KEY functions have been deprecated. * Functions that read and write EC_KEY objects and that assign or obtain EC_KEY objects from an EVP_PKEY are also deprecated. * Added the '-copy_extensions' option to the 'x509' command for use with '-req' and '-x509toreq'. When given with the 'copy' or 'copyall' argument, all extensions in the request are copied to the certificate or vice versa. * Added the '-copy_extensions' option to the 'req' command for use with '-x509'. When given with the 'copy' or 'copyall' argument, all extensions in the certification request are copied to the certificate. * The 'x509', 'req', and 'ca' commands now make sure that X.509v3 certificates they generate are by default RFC 5280 compliant in the following sense: There is a subjectKeyIdentifier extension with a hash value of the public key and for not self-signed certs there is an authorityKeyIdentifier extension with a keyIdentifier field or issuer information identifying the signing key. This is done unless some configuration overrides the new default behavior, such as 'subjectKeyIdentifier = none' and 'authorityKeyIdentifier = none'.- Update to 3.0.0 Alpha 10 (CVE-2020-1971) * See full changelog: www.openssl.org/news/changelog.html * Fixed NULL pointer deref in the GENERAL_NAME_cmp function This function could crash if both GENERAL_NAMEs contain an EDIPARTYNAME. If an attacker can control both items being compared then this could lead to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) * The -cipher-commands and -digest-commands options of the command line utility list has been deprecated. Instead use the -cipher-algorithms and -digest-algorithms options. * Additionally functions that read and write DH objects such as d2i_DHparams, i2d_DHparams, PEM_read_DHparam, PEM_write_DHparams and other similar functions have also been deprecated. Applications should instead use the OSSL_DECODER and OSSL_ENCODER APIs to read and write DH files.- Update to 3.0.0 Alpha 9 * See also https://www.openssl.org/news/changelog.html * Deprecated all the libcrypto and libssl error string loading functions. Calling these functions is not necessary since OpenSSL 1.1.0, as OpenSSL now loads error strings automatically. * The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been deprecated. These are used to set the Diffie-Hellman (DH) parameters that are to be used by servers requiring ephemeral DH keys. Instead applications should consider using the built-in DH parameters that are available by calling SSL_CTX_set_dh_auto() or SSL_set_dh_auto(). * The -crypt option to the passwd command line tool has been removed. * The -C option to the x509, dhparam, dsaparam, and ecparam commands has been removed. * Added several checks to X509_verify_cert() according to requirements in RFC 5280 in case 'X509_V_FLAG_X509_STRICT' is set (which may be done by using the CLI option '-x509_strict'): - The basicConstraints of CA certificates must be marked critical. - CA certificates must explicitly include the keyUsage extension. - If a pathlenConstraint is given the key usage keyCertSign must be allowed. - The issuer name of any certificate must not be empty. - The subject name of CA certs, certs with keyUsage crlSign, and certs without subjectAlternativeName must not be empty. - If a subjectAlternativeName extension is given it must not be empty. - The signatureAlgorithm field and the cert signature must be consistent. - Any given authorityKeyIdentifier and any given subjectKeyIdentifier must not be marked critical. - The authorityKeyIdentifier must be given for X.509v3 certs unless they are self-signed. - The subjectKeyIdentifier must be given for all X.509v3 CA certs. * Certificate verification using X509_verify_cert() meanwhile rejects EC keys with explicit curve parameters (specifiedCurve) as required by RFC 5480.- Update to 3.0.0 Alpha 8 * Add support for AES Key Wrap inverse ciphers to the EVP layer. The algorithms are: "AES-128-WRAP-INV", "AES-192-WRAP-INV", "AES-256-WRAP-INV", "AES-128-WRAP-PAD-INV", "AES-192-WRAP-PAD-INV" and "AES-256-WRAP-PAD-INV". The inverse ciphers use AES decryption for wrapping, and AES encryption for unwrapping. * Deprecated EVP_PKEY_set1_tls_encodedpoint() and EVP_PKEY_get1_tls_encodedpoint(). These functions were previously used by libssl to set or get an encoded public key in/from an EVP_PKEY object. With OpenSSL 3.0 these are replaced by the more generic functions EVP_PKEY_set1_encoded_public_key() and EVP_PKEY_get1_encoded_public_key(). The old versions have been converted to deprecated macros that just call the new functions. * The security callback, which can be customised by application code, supports the security operation SSL_SECOP_TMP_DH. This is defined to take an EVP_PKEY in the "other" parameter. In most places this is what is passed. All these places occur server side. However there was one client side call of this security operation and it passed a DH object instead. This is incorrect according to the definition of SSL_SECOP_TMP_DH, and is inconsistent with all of the other locations. Therefore this client side call has been changed to pass an EVP_PKEY instead. * Added new option for 'openssl list', '-providers', which will display the list of loaded providers, their names, version and status. It optionally displays their gettable parameters. * Deprecated pthread fork support methods. These were unused so no replacement is required. OPENSSL_fork_prepare(), OPENSSL_fork_parent() and OPENSSL_fork_child(). - Remove openssl-AES_XTS.patch fixed upstream- Fix build on ppc* architectures * Fix tests failing: 30-test_acvp.t and 30-test_evp.t * https://github.com/openssl/openssl/pull/13133 - Add openssl-AES_XTS.patch for ppc64, ppc64le and aarch64- Re-enable test 81-test_cmp_cli.t fixed upstream- Update to 3.0.0 Alpha 7 * Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public interface. Their functionality remains unchanged. * Deprecated EVP_PKEY_set_alias_type(). This function was previously needed as a workaround to recognise SM2 keys. With OpenSSL 3.0, this key type is internally recognised so the workaround is no longer needed. * Deprecated EVP_PKEY_CTX_set_rsa_keygen_pubexp() & introduced EVP_PKEY_CTX_set1_rsa_keygen_pubexp(), which is now preferred. * Changed all "STACK" functions to be macros instead of inline functions. Macro parameters are still checked for type safety at compile time via helper inline functions. * Remove the RAND_DRBG API: The RAND_DRBG API did not fit well into the new provider concept as implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the RAND_DRBG API is a mixture of 'front end' and 'back end' API calls and some of its API calls are rather low-level. This holds in particular for the callback mechanism (RAND_DRBG_set_callbacks()). Adding a compatibility layer to continue supporting the RAND_DRBG API as a legacy API for a regular deprecation period turned out to come at the price of complicating the new provider API unnecessarily. Since the RAND_DRBG API exists only since version 1.1.1, it was decided by the OMC to drop it entirely. * Added the options '-crl_lastupdate' and '-crl_nextupdate' to 'openssl ca', allowing the 'lastUpdate' and 'nextUpdate' fields in the generated CRL to be set explicitly. * 'PKCS12_parse' now maintains the order of the parsed certificates when outputting them via '*ca' (rather than reversing it). - Update openssl-DEFAULT_SUSE_cipher.patch- Removed 0001-Fix-typo-for-SSL_get_peer_certificate.patch: contained in upstream. - Update to 3.0.0 Alpha 6 * Added util/check-format.pl for checking adherence to the coding guidelines. * Allow SSL_set1_host() and SSL_add1_host() to take IP literal addresses as well as actual hostnames. * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently ignore TLS protocol version bounds when configuring DTLS-based contexts, and conversely, silently ignore DTLS protocol version bounds when configuring TLS-based contexts. The commands can be repeated to set bounds of both types. The same applies with the corresponding "min_protocol" and "max_protocol" command-line switches, in case some application uses both TLS and DTLS. SSL_CTX instances that are created for a fixed protocol version (e.g. TLSv1_server_method()) also silently ignore version bounds. Previously attempts to apply bounds to these protocol versions would result in an error. Now only the "version-flexible" SSL_CTX instances are subject to limits in configuration files in command-line options.- Fix linking when the deprecated SSL_get_per_certificate() is in use * https://github.com/openssl/openssl/pull/12468 * add 0001-Fix-typo-for-SSL_get_peer_certificate.patch- Update to 3.0.0 Alpha 5 * Deprecated the 'ENGINE' API. Engines should be replaced with providers going forward. * Reworked the recorded ERR codes to make better space for system errors. To distinguish them, the macro 'ERR_SYSTEM_ERROR()' indicates if the given code is a system error (true) or an OpenSSL error (false). * Reworked the test perl framework to better allow parallel testing. * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported. * 'Configure' has been changed to figure out the configuration target if none is given on the command line. Consequently, the 'config' script is now only a mere wrapper. All documentation is changed to only mention 'Configure'. * Added a library context that applications as well as other libraries can use to form a separate context within which libcrypto operations are performed. - There are two ways this can be used: 1) Directly, by passing a library context to functions that take such an argument, such as 'EVP_CIPHER_fetch' and similar algorithm fetching functions. 2) Indirectly, by creating a new library context and then assigning it as the new default, with 'OPENSSL_CTX_set0_default'. - All public OpenSSL functions that take an 'OPENSSL_CTX' pointer, apart from the functions directly related to 'OPENSSL_CTX', accept NULL to indicate that the default library context should be used. - Library code that changes the default library context using 'OPENSSL_CTX_set0_default' should take care to restore it with a second call before returning to the caller. * The security strength of SHA1 and MD5 based signatures in TLS has been reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer working at the default security level of 1 and instead requires security level 0. The security level can be changed either using the cipher string with @SECLEVEL, or calling SSL_CTX_set_security_level(). * The SSL option SSL_OP_CLEANSE_PLAINTEXT is introduced. If that option is set, openssl cleanses (zeroize) plaintext bytes from internal buffers after delivering them to the application. Note, the application is still responsible for cleansing other copies (e.g.: data received by SSL_read(3)). - Update openssl-ppc64-config.patch- Update to 3.0.0 Alpha 4 * general improvements to the built-in providers, the providers API and the internal plumbing and the provider-aware mechanisms for libssl * general improvements and fixes in the CLI apps * support for Automated Cryptographic Validation Protocol (ACVP) tests * fully pluggable TLS key exchange capability from providers * finalization of the Certificate Management Protocol (CMP) contribution, adding an impressive amount of tests for the new features * default to the newer SP800-56B compliant algorithm for RSA keygen * provider-rand: PRNG functionality backed by providers * refactored naming scheme for dispatched functions (#12222) * fixes for various issues * extended and improved test coverage * additions and improvements to the documentations - Fix license: Apache-2.0 - temporarily disable broken 81-test_cmp_cli.t test * https://github.com/openssl/openssl/issues/12324- Update to 3.0.0 Alpha 3 * general improvements to the built-in providers, the providers API and the internal plumbing and the provider-aware mechanisms for libssl; * general improvements and fixes in the CLI apps; * cleanup of the EC API: EC_METHOD became an internal-only concept, and functions using or returning EC_METHOD arguments have been deprecated; EC_POINT_make_affine() and EC_POINTs_make_affine() have been deprecated in favor of automatic internal handling of conversions when needed; EC_GROUP_precompute_mult(), EC_GROUP_have_precompute_mult(), and EC_KEY_precompute_mult() have been deprecated, as such precomputation data is now rarely used; EC_POINTs_mul() has been deprecated, as for cryptographic applications EC_POINT_mul() is enough. * the CMS API got support for CAdES-BES signature verification; * introduction of a new SSL_OP_IGNORE_UNEXPECTED_EOF option; * improvements to the RSA OAEP support; * FFDH support in the speed app; * CI: added external testing through the GOST engine; * fixes for various issues; * extended and improved test coverage; * additions and improvements to the documentations.- Use find -exec +. Replace 'pwd' by simply $PWD. - Drop Obsoletes on libopenssl1*. libopenssl3 has a new SONAME and does not conflict with anything previously.- Obsolete openssl 1.1 - Update baselibs.conf - Set man page permissions to 644- Update to 3.0.0 Alpha 2 * general improvements to the built-in providers, the providers API and the internal plumbing; * the removal of legacy API functions related to FIPS mode, replaced by new provider-based mechanisms; * the addition of a new cmp app for RFC 4210; * extended and improved test coverage; * improvements to the documentations; * fixes for various issues. - drop obsolete version.patch- Initial packaging 3.0.0 Alpha 1 * Major Release OpenSSL 3.0 is a major release and consequently any application that currently uses an older version of OpenSSL will at the very least need to be recompiled in order to work with the new version. It is the intention that the large majority of applications will work unchanged with OpenSSL 3.0 if those applications previously worked with OpenSSL 1.1.1. However this is not guaranteed and some changes may be required in some cases. * Providers and FIPS support Providers collect together and make available algorithm implementations. With OpenSSL 3.0 it is possible to specify, either programmatically or via a config file, which providers you want to use for any given application * Low Level APIs Use of the low level APIs have been deprecated. * Legacy Algorithms Some cryptographic algorithms that were available via the EVP APIs are now considered legacy and their use is strongly discouraged. These legacy EVP algorithms are still available in OpenSSL 3.0 but not by default. If you want to use them then you must load the legacy provider. * Engines and "METHOD" APIs The ENGINE API and any function that creates or modifies custom "METHODS" are being deprecated in OpenSSL 3.0 Authors and maintainers of external engines are strongly encouraged to refactor their code transforming engines into providers using the new Provider API and avoiding deprecated methods. * Versioning Scheme The OpenSSL versioning scheme has changed with the 3.0 release. The new versioning scheme has this format: MAJOR.MINOR.PATCH The patch level is indicated by the third number instead of a letter at the end of the release version number. A change in the second (MINOR) number indicates that new features may have been added. OpenSSL versions with the same major number are API and ABI compatible. If the major number changes then API and ABI compatibility is not guaranteed. * Other major new features Implementation of the Certificate Management Protocol (CMP, RFC 4210) also covering CRMF (RFC 4211) and HTTP transfer (RFC 6712). A proper HTTP(S) client in libcrypto supporting GET and POST, redirection, plain and ASN.1-encoded contents, proxies, and timeouts EVP_KDF APIs have been introduced for working with Key Derivation Functions EVP_MAC APIs have been introduced for working with MACs Support for Linux Kernel TLS/sbin/ldconfig/sbin/ldconfiglibopenssl-1_0_0-hmaclibopenssl1_1_0libopenssl1_1_0-hmaclibopenssl3-hmacs390zp31 1729700106 3.1.4-150600.5.21.13.1.4-150600.5.21.13.1.4-150600.5.21.13.1.4-150600.5.21.1.libcrypto.so.3.hmac.libssl.so.3.hmacengines-3capi.soloader_attic.sopadlock.solibcrypto.so.3libcrypto.so.3.1.4libssl.so.3libssl.so.3.1.4ossl-moduleslegacy.solibopenssl3LICENSE.txt/usr/lib64//usr/lib64/engines-3//usr/lib64/ossl-modules//usr/share/licenses//usr/share/licenses/libopenssl3/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:36141/SUSE_SLE-15-SP6_Update/1a4c085df5e38b2492d1dbf273362104-openssl-3.SUSE_SLE-15-SP6_Updatedrpmxz5s390x-suse-linuxASCII textdirectoryELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=38e0aaa55cc9dfd19bddfa2e0060ef20105dc91f, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=b064b5146624a9e1000a20abeb29389f6a14e1af, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=1efc7779dd495d0d2e0609f1335f1509d020e07a, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=70fd77534bc43fe47cd7e29807aa60df527a8537, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=5b3110ed9b20a78d5812e01f19fdbd66be0c82dd, strippedELF 64-bit MSB shared object, IBM S/390, version 1 (SYSV), dynamically linked, BuildID[sha1]=5ccb63a22fbb670fad0f3d9cc962234ad5eeab83, stripped (4 RRRR R RRRRRRRPPPPPPPPPPPPPPRRR R RR R RRR RRRRP P R R RR RRRRRRRR RRR RRR7V6u,d$uca-certificates-mozillautf-80827a07f8fa2bac667a8c5f7812e7943488431d1de5a4ed08c3726cfd969b439?p7zXZ !t/]"k%AK4"c&H&4RP4 @n~ ِ;Z2XRh,-T9/Lə7♤E 4灈 Yf1OxP>2= O gqth&wKbVx Kq` +,CtfqB"T3'#T@^ѱ9e7ϙC1νq{FdfBo>K%+ d@pTrOl=PR p8,Qh^餭*q;,B{y[?Y NNI@coIjnK4Q[59K8AԳp2kxw:̮bQ]7ίwxЌKpM/!!W K7<*XQ~mͼƾ }CT eoOeZbI@v>dɚ 6iR0K?ݖَJ4Q7N]X]o0 %vwHs-j2h%]l&Vy} 7~;5 ݃-݋, jh8\JkgDN#jh!T<)xATw_u 'D"npI/U)2xQ6]9['(j"s, k~ 6Dܙu4:[6WЫ\jOa&֛lt| uSJZ:;]f* §U mBn4deYmclBPuצ R-ĝTE6mS ƍaKI@%{XkuI_v|K;tcc#~N|@.*J=J3/ۘB*%ܶ ܢCbc?v:u@^4[J mZm[nv?#+_Li1{nHblއ1})+S"} כ;9 Oos ;<%FI۰W²| UMRwCm_K"(3?ݿc+dV{~^!HDxu%TۃWH~nq*{Vp=)ʁ/Dl^`$cǖr_ʶ Oi<w?d\1n㘶 Kd?/ʭHgC:A ͳ݈'7lzjk_N_-k2|ʒWZ-Wg;&Y3NBq5iF><'#p7PLvэ7YFvёd8Cye &(D&\L:{k}UkÆA{/y>X5skB rpoI ʊMᰜ&l3C]D-4ZT/RtA!_{^}6W}ϕlQa81Wtǧ #2J?Vvێ?.r K^k{ pq%n%b)YcK|ۛ2V=p>OWW@ WJJ%M/9r )F8}V`r!^)sN{8RN=#*#ǫ4Nx8tpYO4Fz_bX mӎ]>CUl|_9A p(} 3gn)I_9PV4Ӭd>@7?ɰnk: $'K6[x=N ~+EWQcBęG?\+KCKEGɬW)q3-u ߛ+!.T8|7S)Ņ`lZEX&xy_Ld/L(؟[X.DEư̳qG2VӤODwC:ik^13 j@X.Lz(C=A@< :d A,&027fÞl0Psx5vca)oFXA,&ɞAKz-υlڿC'i;"Ϸ=A/ d V`LO K6N ު2YYׂ@h.rD21D)+UmM\/pDdGjˣ{FػWoZx"Ph=şG˯,ŦCgk=k'.h pIԗdz y9tlN H DXy1CF2̪yYz'Lsڧ~LfՙX `\xJA:ye"1klEm:ڹMp(*J~Ao8jg_X@ZzuH|S|2 e9Ft?h* t<[sߌvMQ,}IƝB4 dE.YT9 9epєЎ>'pp% X)F93*a2  c,G$5 05Lp`#ե]>8̣9l'k#P5MweGg$6gj+>FѴlZȻ 1z8^2 Z΢E/8|Լ+ pAWr+Fj5ځ :HVZ'Nn%6b9k,^Okϙ 4B3SL F(}(*>6UHl VNT5Mƈ faS&YAP)8Ŷ=e~d /΃.QjLlzs(Jq,ޭ|j/mLێJ=F\2<͎!DFx;YVLΏuBQ3)< =R]*rCJ݌>s҈+ T# ,߷kRZv)mf6B*{>`B &|z/ډ<[^9k.ip%yMۉsTZ.;XM|#Ӷ^*z&B}2HĨ yDCDh8t+*\5d /k2f5YQ:,u7ˆw!thaC\ )O1Zfح(\Rts"cVJ+ >TW6"ˉKfw%4!ʼn;>>b$kSc)hv^OE+wfllGz fKYa'ϨQ>9ZUNwZM)~ Yv,MhdĄ/3 ŅAJ/cʚ[ )rŚ))*b8 0!k͇PTk jiJq b|8]DRY%*"Gyn-I$*O8Η= )Pn ]C]Zj 6:b{coWj.Eٌ>qc"Y¼z1*8 /@b_Ff_}yT(E+=loGGƭڢd7 %wƔ5̈!f}ٝWN炚R`m?aHA"X .r/՘'\J6GDjr+ +hM]Q*RHCľIA!Ћt~~F*@")yZZ&EBW=}ꌈu<\cAyS|@P@U`P4gq?1Wԫ ?żM7`~V.|@$^+-&x _\ĢJޏƌs2+/O -rrUM96[ ^Kl@Z'gN7G\]XM;iN*B@ך@ bD@2>PqL5.*nd8Wf iR:N|7?TuL~0rАpilz]4"[Wos_ B|ܚ @ +U:CWg8l Ka7ݙvjTw+y8~&?03Eˀr\ c#nM=@{|pTjq-om l ,#E.5K,( !w͇zj6ߐ҂ڋE9ʥҙJOG/%AT8JmRe59a2Ȍϧ5^oe5/)QnN?<U^|9X xh(Z-Rn14+ުeYY[g.留^>iAIgEıvI|vc \^C1w/c.CR^Xs@Q܁A9wRU±jmQ3l#k7)@x4^ȟ4&b}tdipabPwOzi>d]Ƨ2wYNDz&ڽO>!9R逸7CZQf-oh#}E|d DrQ [svCS9XO1,p@j?,'lLmeȈm k}M3kz.o WkA]P:uE]jH59Y,2NgI#j _cXA{?㒢U:\~&QlfyWSyZlKb&#Սk^7ņkR!\JjrtGbgv2MP.Zuͭ\@朜LA{Xy%"nW?28fȀōW`֜U>hr2#9' t0D]ޏim~s}^MDP@ Fj#hP~٪W6 $FKϺ< hnBt`B[GL#Lt{.IAdD%ЌhգCgL=_5F;T)~,ĚcVˍ<2.FXg59>$ >#ԋA{,nJ X.Z+Ut>v2 Y'_0\!13A&ap ::q*tWI,]S zߗ;Ng坺g8tb sJ ,ʤ$ /#.ΘxA]ǔ[ĤkSmU"CBu?kwlF9M H%.Q7A#}Xv+ Iݰp?YBbP;!~(eb" '{Z<ݡ1]&.I~7/E:I&RK\öb@@'$tH"Ө,bc!ig<`p1g=. qM a#周]p\ͅCƟdxM`\߲ZOӗ-+})~0<%4#UI͛/|5q6ӥ=QOru9?: ʒddEoTRٮjh{0k('/1"wx-V߶aradeyX ŏ!&|Gm.X[z}1tE,K=ր! rE. 3^IBĹd_6bXTu:}w?))hJ3ƭ4 ;c`oѻB,OLɿKWrq93p0s|ԋ똼y#'4cj!XgD̼SD$,|9fS7kj`9mKP+|W.]ps"Mro` S.1~U)񄶓Whl%t>> Qy5srSsh%Z8T[ilE\i+MrLpW8'#}j0黻w>d& SzE,CԸ^l5/hm@76Ny~+G¯Q+`O D%g-lHE@-Z.ȚY4e,2aɺ5ۤҫP0n!1Kx|UH<9@h^5JhiD8:P:_iM(yob'w *F^4A[ӕT6ey}% b'[Ǽ  YOfa艘.;@j 3?qfbvyHpd|C@qib|88=vLg![wՎE,OӢ=#*nM`sA2ȘĎѕbc"o[Š) no8,PK yS"ۧ&K5uO D:.Jv)Q8>!V_ŕN {flU' L8пkWY O:Q܄VlK⽯beYCE LJAѯ* JKdvHw:" 0Bz>kr6(KX&`Y^_Z)9Y晪93}d} AqɃftKDB:RHnonJWߨ ނʹʡni VD0a) Cmc@N˺⬪*] ]j|L ի*cܾ6ږ`A>/[%/P+?qu š'/4݅lbvKF$n_Jr]5&Ωj)z=ɭֹPz^6maȇ(oOXxB֏ _Ě.U]"=YͯVWG,HntQSK NͷF;KCb8dB4zo;e v}Ӹafw^%d1jXI6 ~& VZ9$]@;88Mϋzu ]z/jـZϣZ* ԲI C͸Nc6D[S̩#L]ZфvWIԭhf@2;EyDOAz>dAZ}FL_Y3yˠ2ꃘ4w\xՓp F4)L", gBaff2;#7:WcS{%?no;8аy;^lA~e@3@6n(GuINaEa_W=$ӒZ_&9E0](8TEf64t6ە] {`} )a@&w+0@w/ rX ,w dU86b\b>5ͤNԓ-b :;4La|K`إz4X?d5 Ӻ_`H D5:PN׹jgDz`6ay}x+gړ:(* 3L{$4oWnV rtӗ+i] o} qB TaU|j,svqȤUZӐCʝ` mR:z>`R4#$q@z$7ɓw͐&'Je9^?<͌"RH[D٩U&lølrY/L6}ӏ|h-R(r  OW~z 5]f\~ccQi+YpԳA6F]4XsΚ1l7'=cAVA0Y{%TT&_#lb'yB#yGYLƣ܃b <٪s8' gz[UUhҪdK׆ybhVk'QGLK;Ȃ;Z*z 3omMY"Fv@Ėn[2TT%)(c;"#D6-~wy@E]%{g+0 NHۋP*{QpIj~zKWnӡK_F+7"bLWUc-$P,IgKڀ+;_iprEUa+˚!Hz(b\2TX[Ha ?8P:I:08.$i\lep!-"W\@4[۝Dt0 T a 9JL"E=MPm4uza8+Ňu5UQRky_n;rJ$.ڷ훘CSsCL5Wh 1q-bO /G#*Q;#3&n$6xJwq)5"$S = ՘ʚ(0@Sh8ZS&5? y`#H|Х!W=[?I#|j%uI3$D?\XA/wzet ~D7",82bdH90$QQ %SU`Br16;gak < Av~<@,*2ravwɔ,4rќ{j0c صEfAC.R`6~o}06D2͖|noAs.7Η]ËZD ljx8P{\fg>{winOU2C 9o^:дg~T Uէ(ddcl"ְ ']2_Y,gu9*-4nMN]ƻy9p{zA륎u[3Wc3>(詇#nՆn@ 327a $̻6:m}d3h/$3'ZGÎXCRSlt~Ij|Zl~lh♩c݁< =sHy#~ZeU/.!n0 k Yj1 "#XE@<)w'_zMZGGZKW^!z<= diDv4(4K(_#uݯ*υ+|{_uGmUZ<qVu !i$9v 9Kl>n?R?rOe~͎.oBd~#.QT*:#Y@dٓ,QDz zHwdU)*$iu>q,vA8`uSHzL#&uQLE)$7[M!W_ޜPFa,>uЄ[7:a$K/o93j[R3כcVV 1O!hH o;ݳdk 8gmDsy4ښc pyQo imh vq'}7duM,`_Kq;acO IB>7}Ȉ{m= )&}KqߦOTw*|U"^:8C+!4㩖8u&<^(|ra-T` Akn,@gPտIP֘0Eٞ!G [ vtRdcY^G/VH4f !r('i:;RVq"ղg\%`)L [RE[9ޘOK"G rΡ"'rsFUJ7E;th[#f'|s !hd& WFc0d{дd%ãl^9;ה|D#UyUOc]Z!ٛځ^E^1+y JIHl\x 1›%,YYX':MAC&Y8U'7X^)5=uЂTU|^oY9SpsS~y[֬Wnԗ< 2R5' -gzśpqb#m= vAs7NXfU5~ aM5#7hhGܥSLق5Y9.݊7u|eO,?Iw}9*[жO4?"}B(Bu8U;j]b{eg2[GĤ8}u;RJ#ECt,|зO/ĔdCcE_En(Zha2r{ҟŬ>;Tg7'ZLlwke&H0RymOp bĒ{ڭ]3T y@G U:w} EN'&%CK/츧!<\y"WT#sm^֥RZ)aL|1Tnw Wr|)Wxд}\ɼ–(Jrӏ-$PC ճ%T=7wKoj"1$ @<:RF~ۺHCVZZ`򯆄Ay $CՕZFP=5!;x˱>>~ؽ}qɿhzf 2tj5n=)\3NM.3MZ?8Z 4?1cYyUT)I BVC"BhKΩvFvn6I,|`=e#@#[Qch^ڃ`5$=ReJ}_SyM;ΠNqbbc;fu$W,3@n4STZX=*zY_O2׽N+v:' f|/5uO:b?/Cĺ;9 B0 *av\za= żEcC.Kό-uLi@ұw<9$XL ? !+(T^7Z;aG X :X%MJsaA1\5oW8dכm>G,2lT4Jg|=2_Õ 7ce *#&;DN+>I>85 Hak`F:弡X^~",.sZ9p 3)-<{ 5?H:[7U3LfV8Ҫ4~Bfv?I$$ug_e5Vݪ>/X$-䰿_Bk} hK%uGO4"8Cp KVYϜ}~{ _aF{!<b<|}5W8oPa3>UVb,[ ^ vD07;mSUR /3抪pvKP@AwNky)ψ'4#)dqX/ z +BD~SCO# 8C4 P@HNT!m: TTIZEUQh`"M^/fa뭧wM_1 &7q3 ?tѲ\Jz&$ZY?=FF1+x!JӷͬjaL~$E YpDrK2>1^gyꨧm?>n"! =B! "ri܄Z $)sq*= ?\^I1 HFFNE&ĕ(/{Ht!_>@ʌz w&6B)) ÅAgtZZ a89O'tˀ2+3dY& U_*NkYY^i5 Ⳬo}ݘxpTuϲR  ڝ ,&f * Xh_[7ݻ*1v2pIpw办A0N%DUzYXçvf +fujs+K?x)]<\ 쩔\.X|~ D٭Qkb^,#`wB(T̨x]Dm87JLG/1xfhGJ-}KS'/-&8-XX¾9]X:6x+7C"N6H䭁!VE JLnӧnmN zV 5̡~UA6EMBIҸβ<,i;5Z˛m_z1}L |f΢ Jq mWU(l){rP[}цR Ei|;Ɍuw*02Td$B :^b @W!J(ĶbAŵr!0k ~r͙s"'LrsK\òVA|<+4U= (k>5dՎY_0@"?mӛY,7%i۵O! P J |x%lҒBQy XWQNWP(pr#wn3Lϭa9n!!9]d(I?CG*8AI7P!%uփUUQ==_gz|o.i=]J/]!fMsuNpt:Ir6|G$gӵ'ix0 \«ZAr֏ד8x)ݻ$̨!qn)bNҫ`"&Jߦ8k!]-;l}YT'Da/=35v:0&ޙ.dltdA,NVƬ—BZ2+BL~y2]"]Bkt5h#YFffΣш.l,֤ȑ X7Aʹ}xo|JHmw LNs&G0z%lcio|8PpLK?W\n|Ҡig q ʙvX -hiO 58_L&@T׎@q4ð2|`׊nu@fI&(`b\Ajn/s Ou; - (=ĩ^'<-(P&wldyr@A !ߊ"IU\%gDQno|@a)R]pQtNq?4N=ˀ Ob!,Az,Sc\:B.C26KXC IQj'+ έ7Yml.mR:c6InfD OA^]މd0*Y@Ht8ӅwV[@RdMvt Dd6/P5VG4b;U_~qL >*|vCu;&!JC>A FC bO`qɗ2 \kM2Xj^^ ć!SZ/~4gRNmv}fqÌk:hϯ=p=1F:% /|0섰#%7Z+`uRYa)3|"AwIϯgya@'48ԓ1-Qaۃ$s=wL{l=3,H |FRoYH<'AE=Ül8`[Y=uP\#A-`d*\]D=*fR Fyo!66X.1"A1ZgX1|&āҦ qȥٷS㺿"-Fᚕ03itTg943,tAc7'()<2SLc꾅బҁ3nv$ > ǵR8gł2eo_[?*UTcmǕ&74{޹Doy$x,5j|S;Dmca @Fо@~ˠ>! bs^Դ%=I+6dtX>OcZBǀˉExԥH==PdvO6n6q*Tw)T\;+̸Y @n,RhNJӃQ9# Yo|AWz|iyڙ%'N 췧RL6U$]Fm0kχu##N=vloTQp[ ~NTsGF'id-4u{\B#-lZV_Ղ10 ŮK[IX+T^]ۣ97^Ro|d= 3cg;Xr|bHNDQt]RUlSjInPiqa`ۖp_RqEsfy)9J+MGQSS%BKm-Dvp$/hcP T{*"mKA6z$ p@u6X}EE5})7҃ [Ib+XK7\P<5m f?+FLn>@ 6 ?Z7W 3vשc74O<KxǺWjÌ-YiI|+#ASmAJ^5{h3*0$dVyxCuJI 7H\v/Ұ݌ {$__Pֈq6at8l]ȧ?6MnBq )y1Δ;M 5k [s+ ަiw3^-d'L ΉAVd kEm/I#z*ePx`ġU[Xjh !i\. Bĺ)E7WByq-ADܭpV6M|6{Uu~6EԄ4~D&ݙG\bJO;̀EQ7k}`: C2 %Qyf3F,iMК=M!M|/sҶuto ssfGjU10^ ěRzmދ$_JOrEj_nlK?ZCQ0;i$0BlG ~ L&O2MxBDDNmdY8ͩKNc܄n_ޔiڽLS>Lcqګ̕0H1˗"p`+_EccFpp-uf+MQ$4Dd _Nu8] b}GUqYnYnJ.c\і쁫P6/BJ& H`hF?%8-/ysU>ONm3W2@K-2wP2x,r[voj[ `&wFw)O<&'[4Ncq H)ݢ_i<~kE7#qiMqgv%? d\FYTN͇ӮKFǕ=y׳-TVkG-Ky.-0ZB($ɤ}we[%Ac5٤ O6s}/`FjeN$Gl*ɺCNHH^nR&$cL5F]VOΠG~J @ VhU U2ϱ=A|U<Xs]XT1(1kgEu 2 <9%h_3GI\A"ˠ&(Z(҉2L.]vyTYdh MT0ѬߩE35oydJWCgLƳ/y7x}Nvϲ X>x+4,h;14 cVDzP%bFxG^7YIBW[,"~v_vOQ]i'_4'X x lN*sN8-҅@Y]&#< _T=&$3 ʏ)l2sxnۘp Ñ$"5uP"wKbƹSsgO- /DхEYo<3H*F`_D(!0hyd& 2y[TU%tQC1xOh'*KSbc b=Ѷ1S 775R8! K{ܞ#*lzچUf"YD,V_d3-eBU!{ɭ6_s9,N6w)]i!o@2^a5 @Ư/5DvÐ?¸c clB_n>r)ؾy~0ڻȹcr|V+)B(MY I@e5?v"tsRri.BƆ)QOP"l7bx4g!\gk5 ED+,{`3&+7^a_S;ҴȧY(@odfģsfѤÚ8gI.{ ;UHsE}+4"gMfԹ=1ʥⷈfdװ=ȼ90jz"Tiσ#Ge jj]ycLisݴqO@D!CP{q3)WiKw"~e52[FG }y[u=olvry}RF>bb?R6yg3-i$]i.Ld2=jN#BIa5Fh6:jC 46b.4jqn *6,hѠ(knFxIĢ@ڡJm~( 0n'@Җ\/j((ILC/FcM7*nC42ecbr,۳)ײϷ9q2xeoiCжau2{/铛 8BȊʋ'zvAt pOx$yF(>1x0GJD TCq@ pEP="O\@6ǺwW]eWb".ꔛñ+102lԠd@9W砧`=FU6vO)ݩ]gR}lLpKt[Ș +7Uw,` 'ϛ,ڍ/I+ZeJH7 dednWF&;XW"Dꔓ6#URj6,^Ol& xe)h;.TI:O ~iwMe)XNJfND "jEn3w:z4ɝDĹRLeϐl"br7QݸB΍oOOyVA$3] #2 탊m~ْβJ (`e ~ ȳk*d}AfM|^~DqA# js]1KǶ>7i+,D v742,H?ƮQ\͙~SE5ׇ:ZRc5*O,T6JiF`58ZS N8~m Tl5|fU2-M`Yre 5\h_=[Xx/C Kϧ}X+`㍯&ɸ5D$$?紟3W- է/\2U$|,Ovh Mo1{v{*+wx=UB_I4`;KZaX3o<M':!Smg4bƸƒyAD zXZg"(OG:/+lYTԁ"#gf*b֘ɺS[n{wbđ7U9<Ңˀ{ 8%A?D7P&g7KamYP1I i-=ṭſcO^`o.x(?ˇBT*u3]$kǚ6/ԩ! [+eHC~ȿHH8:2cAL`YqyxVJna-g=g3kd02Z gm3MM/FiX, E^Is$vfz7lRٺCN aN.i\xQ =w67ۈ|BYΪ9Өʌ\dc_cC|Uz UB۸-]N!SrVЧw+ys^3K$@GOK¹7NEj GMud,)ZP:& A.Z2OyhulZ_lK-, 8-$oMƜH|E,W쥴'-8zfxR` Τ 4QrGa--Ig-E?thLW| }`l{N5g#aD1I~bEU<|TeT?j|ZijrIR19(vUߺ9>b榅i3=ݲ>FV LaJHݼ3);McqZ^җBz!n#ScCP)sؾ2(`gc(ZmF$$;JhAO$F^8z̤v^ZAY1[u]27zi•ՃNf㙵_>Z a6Ay1p*y2eշaoyv',i&\EzPќ-3f.tS (M1M^Q•Pyօ|"(_pmԘI,m Sǥ`2rtK:GA:>8; e1~t[y e3JFZ~,E[%(tFqf7\ +H*|JӭōlvO)=Vem{xڨ] iI$y?QW|i@WsEUIgY 96ٰy+q¦@{[sVꫦJGQPԗkKNA!Q$*%PŜ-Ň~-r^P&<G_Y"5e@n(z^Q!T 9FMB%)cyK5ݸ ]+JW1'θ84mQ S/A5OT8eGo3opA}v%8m 2s?,ras6cS$ZY뎾O#mGCnО6U~0;&&zbOT_dlrs:$\\ r4JN@E+HMkDl"8<%D3|D 'G%}1"u)gJFJ].aZt5M"4j4`HWV-q-M*Y(n(uL#w l嘗]T݆g(IXi.)\owvȗ /g"tw{"|#Susmtu+r" ~3$&"^OIm4PJ#;y}VAQd.%taxZ^ RN;y' |_$3M$8|;DZ9M2i׆g_ʯ(`yZ;6@%sמ΂+\C:ghY?ر,W`A_zR>qm%Ihϴ-6:|0/g exfk=+k&Y_8xR}1YgaKF!v[F`srvtf&f1<SҶ6ΚBU6xpC ᬌ{4<[6ʹ9%n .}E? 0^tClG4ꎉ;/ZZb*yR K+d#:/aCbwr-Uٖ2հJ` WWIr zp]U#S\`R"yl/NۈF9 vݶmѥO#/@u@6%dA6#0\|0w3FOcyQ]ؤ4?rJb,idCcip=k4֐;4NFhG^ENv,2"!!-I,}w3RXsa>Ϗ34#zxynX)H""3 =5,>I\fkx_n%]XX ;6"aO75.Ùc)=ᚗy"c}b sTCO.[@iQ˥!HQo02T<&T(HަYh`!ou;zP^ZprmUvv;]I.35 fdj|g3Q֒u$ W$8h 7 EZh KYJ$[D QfUW?/ߧ9ݩ%q p@¥5|kv6KmTe%rs?_BR x6f;Dq׹O[9PYtuU9 9ͮt<C:ü^z?=&p/kH`g05`l{fcВe@ZJ|t 55vkKvMn_*Pk.+:4%߸!1a^ÉAV^9^crSQPXrUSC@B M`*E)y q3SPK& VܜXQu4=u"Lh-$@QR\Cט,9f>Y} G9ݬM5ݗī -\GJ 4U42`xcmBD,L%H=Jk C[4\y |S7)X442R#/F[yfMV'MN $(XmSJLvs1Jɻ.DMl3?}_@3ӍaɯQFY$=;"w`Ĺ-iE< N`,A6sr U3`WӃ/.M3 V|q8')`І(H ^{h(Q CJH8FQmT9d ) ?8t/WX܇>ٖKF_XT44LiF=ikRAբ=auzC4R\d zyf~cxIi0W?O_?Ib{S<5Bi$x6/TChk'tO9@&ٌv0oGYvfJ7Im K}h+Fݱl&4G(.ǀv5tM"hH61UR$̮moqE}R˳:\d:G [UIxlBU>A?{uoIՄ`a-#R_hap胮>(@gƳs>;y,|Ԝ7W80QRnLU-5BukWhkw/ 4=/XI a;P ]yϴtV;HHKj  wʄD:g<ڸ81Ib]^fp_45eOj\e㒂V_`e69=K<r&vUm~L)z\&"G5ڷ I \4Co/4j Bj+x8zߟ疴=bbFj%֤`ʸ*WyLK,nj"ۛ/Zs&eAifxYh=9`4m_w=pS4-M Q|Tbٹݗo@P,JK-%(6RX4 z<2Dp4lΗG5Ά,zcLҜ@Zw}$̛+GXz3#'i R!vn7̑4~CM<.6R$\ז?PQTwX43 ⲧdRc&ly*qeSPf_Avx'|iwa oco߾ #*}=^LCp:LJ"WіА[*܂!w9Muwc$qL,فWqȒOw==tY4q.6,>Wi,>WGaw$+V15a|Q_n 3sr8 vl 0qts jY A~/Eڑ0[Ҿ =EWǒ{oU+t1VAwrA,C֙*sU=!/[Z js3cڝNCmobAek<( HͿ cC[jelҚ̘3#bzR i#RZ $nLh9g ϻ߸m^{+^<*X"T0QSs2 (~6)ve,7og xqJ mDPb<)(guTi+rΣM{]ΗbopA#9"?SZN*K~P"!0!yp4X ("W4y7}gGsH &׎bn =-`2z1&ROEdH9AE ʕ,| VK?D;3lp<'陿RY-\?\>>3*ŀ.Ht"Ei%LUȨI/kDQ 0xaϴP۬cB$׹ǤmKԙ <1/NQ 0[(nhwpGE$7$Q:6)z4kSةzFb&'lT2B]Kpf'.sp@ij:[dA@b EM-C=A 3?w]qvXY2b)e}~* K:Z*5I*+gZhl Rf</䧄]yV$O I+ 2 40Hcs\"F=! V+D²*PG|]t$v*)3$nD*w-N*[ ʏ>+swK 0 ]byӓ]6kS?\k/|-o,>"=*t=l'wD4'VFx/}qG;x[|NI$fۂqޮ6{;z .cgD p`KrdӍ ]CAcUM4j~7Kna!pgMw}6t]HSLJ7`DE-X0Z9RpG:H"S, HSZyaǜ zd& ]+ f fhMM{%m/?O~B#G7 zGr0Jx`9! -mpQA;c Q.Uᡨ26Ou4ID'_~#faߟ LTdXϪ`ƲB@U*ʐMk#< $W B )v=Jg&a`PF5'yWڼ1M6j.:!:pt jVc_#-kUYbo֏ đv-Z5/b6^j~glkHtG#_SF |3;&CwYQV ^ :e!$W\O TBt9C/>Ȇ%Վ$S珼@z/xeW]49%C(4cs!Wʏ=3II =s(QWl/^e:EKTzŲm*|G7g?Zp>Zw6˓]U=Pij`Ao"i}>iv@ 5"MR+ Q޸XgJ1fh\-tgwyd.U `V*W0@(kyPCtw^1%IۑHi9͵K 2sjkKXeZwK)zowq,*L|ܱҨ0J?UVU;H_D6-19!uԟ=uiT?bh.HŲb)KP/x1Ӥ SM_Ѷ%}{)V1ׂQD3~M^p><)0h !m"tNȳ| >U"l;G W,܆z33ISM<5_Y+tmcG.驵rqQ3E8"?ׇd?i=wM,m@I̦aDW~N̡h0iO?CD-I:r;w,fm85|2Ȍ`m~b( =3I $kI߽Q,ߖjO#/Y| RK>|)_]VZJ„7j<9 ~?([NKXcicE%L0'<9U-fOTIa) TM¸t7 [UEfo+r^Ҩ_/'3AT~yW!E%i܏ڼ'[4l9s)x B6 gnE:*ٔsAhX%kE@lH8mIWIp GM$8"^,~BU녁6TK[ t*BWUfaSNT4tS@"\TCp#i/Pq/k >m˰C1U8Ee=blS\C9a3U *7LٝOJ7*.jaZ020^ˁĪ/^R'"ztp&Z90q1%~'P {B'b%[v *ȯԎ@bEAoP/EZ&Tzmru[Q.'́JwW),~,? %'`E :e9DUHgO>z0z?U.!^i}]M灞*EsY^V`{R >Dk:-txAp_R\}ߏR5?/Ѽc":S|W ܘ:D }ay9ӛSwG>>D 5E/K8 7,}]Ԯ$Ta fk_G7)e-]|wJ` n@L[Ҵ2Co%{-{bN>֤B:S@K#,'{6L1)a#D[XE]JZHPZŚ2xĚ9T+%TjRy ]tPZV7kϟcٛ;\/Jzq8l ocS() W,`7dao3iQ)AWȞ2 ޹lٯj:oZ+>_.@Vϼ9 msvc9Oi^/pJXz zM]57]ERW okC˜6cBa06}i٧P V{q%T4]?F,O~K鯓QY5#Z/{,6*HMdojmd#=1t  Iow [&3] 텝kp|&I҈o|uC9 léKN̄\?ylaFLdl4BQQiEq.iE0pR:a%LO$D`z1FRPS6eWDW R~42ƦlBVrNbdYb+Gv [~67ĒWy,^A3HT 8A< 9f\]!"S3eě\`EqpNPɤ0Nm8sz/ǵhE wyW !`{V:X>8ȉkpԇ=LɄ}sm^Ho~֋2Y?FəX}dc2qRuNj??2}g9շ~,E];<^K[e8c&rRZQx@t:]g2y՘qd.}HUc2vh.126g9Ms{+;ѼԀ6pJ,g+'QE_< RBEI4+g1魯/>Nn[.MŢ @WOL4Ru,7a͔,=pOZN#|MRa ! )`P]#p<ЋkJAi&H๽pYP? -"O?,WBjTHA3ZB@#&e5pǩTze-d,IO )n{W r[ln_Je[Lg(™:V[EC,Vfxs@P'8V$\#=uЉxFkyr^ޜQYRc/p [@ovbb݀XS4pb6*\ESETOr(odӳ͎mxJV]}xZG\ń9[)_&iCiܶS#w.Z}y_`꿥ڙtGaKar;~{ɇI-鉭Poz +pV&e< SQW}sr̀c<E17Q`֯v*"()vU{j%3 S _I]b?9p=Aw&OG?@tlX{uK/][p*x`T+B@5O4w, ˄H13}Ş^KO"}7XlN82z&-I/N!w^_E Tmep>c*y,*(J%uPŒ<ޛExg4Cz6yNcdLl P7 qz= /~a z$nr=o]YWq(uHbf=}Lk*>Ry{MRK,VfC$8rPWgE:?Va2\-F"r_+(]#gƽ}`O=0/V²έM&zwV 8FGW5< !PdoAi9 Îg'_{>e? xfYb/u|%=Ľ7x'vf"_yf@n* i!dۗ 1&t]~CDkY_iY#[uph̤ԟ+P 1!}E+8dl/\ſԙ q A}F!AZ?eXuO~)> D-+lM"H(V\'}u4Zu@{՝mRX#1)7 {k gYRKރ髟nX WO%B~L8jA W*b!vۢcL"1Oz0Qlgjw+ V_+K-oĶ`#X,` +N-t!X] (gVTmenCSkcڃT^wrzx[(5͉*8FwӇ Ҫ83{¤[pQ{tE @frXf^>{ W뛔wc5??QnV^d@C5NҴw!4*n6ߡS]ȣ@Z!Cz@T>")גּ"s+ 2?f65"f)R>hz- XcdɜD&2gBtAi鍸 _mL!N.xl(xF;u&nٽ}S__f@gw%B8huqgM/я4/c;%5/'`딸 qիI LF^Y׍]w p8A4 LE~p(<@-.'N_n^ Oj5gxd;$f:>~G[]`ԛnǂiFV6Q]M&9zbQ.O'31c/,c3w`W4B^_o2,U/sX㹵$Q*';#gDo|)|ڱ]@93յO{"'Ll ?dr d( Ì0]C <},AxG/)3Tyatϙo Lhhv>KT-2YܳE&K}h+oYå'2Fe)u!Vc7@,e^."lEBAخ<;U]Ť+)LƝNѦm`/f<xĄD7>0G,X'FD8@b ._2080XsotR Q X[@!EIUޡ ML?|}նa0DpI)VjN? YXUȁf3 [-pxba5srWjm5'^UZjNneQI:)+r?)BpĈp$:N!T)P1~OOqfvې|ூ97ys]⦵ffEr&Kfrt@8%܂l.6";t4 +";,)N*}hbsq{O ^cO v?kX'dVUT8TB!K]_W)4$&N)^vᴬ- *j _%9 4Utd%$pw/fx}= gW%=h+, !ӂѽ4}w?cƚqk5tuqp$fylZ,PD.зpMn `EJ++dP:,"6ǩገn9F>[;rh H JRg٥~N^"5dV7W[Po6fP4}0~pS{;`: n!+)_C¬ ,fjGIx+H&5`B WLCeZ'HCRw!X58 <[ p;a#zzȰM#J`6U?ɳ;2l ?H۳ք d^ 4H)̃pMF;K 45<|konuV^QַIm\E'&s>Ss7_d6)HD ?!):]O5pL=CaC۵t%2=h/oSuLP:C= ӝs6]HqS j}˧ F M`zc ~OIlcoŪRd9E"쒮#MW43jT&ٿ;T/vodlj(ҌꫯK}wBVa 鑉Q2ʞ&kD3~t*g %1<&.z . 'aLlF_磍 ~}m cW5l>''v۝cboڑV5Y `NS0 WMV{FO1{p*}iC(FRn<_/E|M8?%}W'9yߍjԓƳCw:- Y:]g渺y~Ody'אKk@ !L跐ܟy1A+wJm}!re>iߡ)}8xm.l^z:܅A<yl?7Ov,;~w1 :NþB#Jpa>}P5w}9tW> 886V49kƣ&|?v`+$ce?{f}(4[.\>FGvl@T̞7Uue2CnSt Z" &[sD".NK]UŧÔ |o&:O6)աgHBSX_ŔO-lu|[-ZBZ[.͓d smBqǷ EmXi=d F_(_ c%ql@evsd ]ˮNˇC󝜶t(Ah=G'+$ aejX _LLǨI75EʃFhhl%ez \4L Adݮ@xZ4r;_V+N9xBuEUEr愫\̨CV<0nd$hw[{&.S$Dl,%ns;jHE.㮢e'~3oj|7yhjo||S˽5}BJ2w<=+$=< AP^T$@M(la%ѮM6Bɓ款̡̑ӻUYDh@݉, yMmg$O$/Z&o@%4#A) uh? Ej$Lܡ iZK`(M\)ڃAJ,{ƈ'xvwYt,}ee4*Ϗ/RѭTì^Ś^{0P?>ItYvN60`Pp>㹗YK2Tte4)Pb4C823$1,PpE*kx,"~RJUOKiR,]06~>9Je`/|/x!fˀyIm[̜~CD9e'ޖ'Qr!ZDeQĢF_d$ w dY%-\O085LwxR#\y@8я>|3j҇6+Y(C':F"+V{+p5gȮ h`f0Tu}E"0lЗI7iJ^MHh~z$rOy"tDk1_*\f·}ט<W 7Iui[`[So o>>tK߻~؁7ϧ)<ńpbVO :AB~Nh$/SiJ綜e%۸ IUn=2d8+IXJW5l:R+6?6y-ƑIDQNmn!V4X>Qx88MV2N߆Xx :֬_$aܤ#kV},]ke.oW^nB; $4Y88;zv\&'|Xsxu}^чoz=W=1,iE:9 ߙg-x5OM̐q[mZJ ȝPDnY#d#*AvA3ow תjoVâ_F=Wx+@q { :UZO+I:oly_aD1(WOlh3j4g+0#"-a]O⼥Ĵov۽R᩷ DK({5O may!K# 3a1ޛ{[itt*50|]ze3"U3* +klrE2y܏伛ɒb 'Jr( ^wf\تB0>֨Juj3eK?䡆jt+wD8iR0 “SWTgtrl,osna)8!;F?n1 q8AډbN@oI/uKNDJ/lX ȡ.9~*-{3[&P~+8_Z{hB?!_ouⳝV٣PB)z0}Ql- 1R!b^݀5ŢViVVp$ϘiXiҳdxyx]05ׯxuGN2D?SMXĠ5HzAtL(|<6:(mLۣˠvM‘̹tgd(F[=놊 `x# V#)# FfhS8XBJ9]Z/~}S exX;<,Ă]*rV2m3C'Kq{W3(9(;V?8G`df*k}PF6zOg0Ǒ-|' 0 S&7кxmG2O/@[9:O #wal;՝3㡔qbw-ηy~/|ciD̦0k% |jHhϪngklT|ݓ-DǘP?? pD*P,(6xDYm )C@v(Ť>6~z} vxN!@({-26x9k)9k syrȹP%&_N{TI`R) %.+|#x6<`s O;&Hdk]lvmS!|֤+YJWlKi%7kQg)+ w@/p%>wjwguP,5P.?=adžSPŷyxjya;̥3;Mf$X@چ$\'+6 G͂g1Xy+АG&dǣfmgB"rpcL9,SL|evǮ`dot )A̘Vդ@ᓙF-`ٚ|Mԃyu\\[_;ZtQ`o:㴉C(N4>F\_o*y]e6KR"=̿QSs`qjެwd\H*ʤ\HV$9rGYۻN72A/oOY.2AXRGTb^TaG-2}R}Ijc^1=i 䲵czZ%SҐv1a}T ˦cY/DʭEoUSȫH Z&[,TQT&T'QʷiE]pJOf%Uc|zǍK\H&VHZUKR/+^֕7y `gmc].7$P xv:D}"LLQFcGz!zX8̇@9ْ`7!UYSxI uqK,y%\)m}R w(Q2_fFYfI7ɗY[x͡Mr,+ 7lK%c_fRXC= K=Mu>>,{U_k'Uحjfy$XXy"__٧䴅 M#i rQ"8c6Z e<Ϳ2jRԨzN/3xcHtxU ɕ3f^< rx\{^ O?߫d9&> $w=utUK}02[3S#@hEfQ ,#2!T[)Bz<җRa|VQ{$ [lFWK "+Fim/LJ;{,rZ"Y>pC^e5 C{z\#|(#wS"ʒOviQlMnZ;P MS([|A)z[>кAR0="ҕ%vygt>L21(꒶4>:QWOᑱT0F*lǷMKcMelmmE]=M߾*WC~|GEN7G+k 4Yh+ OmB-]Fgh`QށZ+2=_$AI3uD+8踖ΧHĘz`B;qZ(ͅ\4WFG|H3@ГնQX`B3 ZCa[%c­BKBBZ |]O#=j) j9bnl3% A:?'Xȡ4[ U7Ny9JG .Y{5s> ?ml( S)x2W~(e[Kэ5@B Ν2xv*δ S  $zJƐNm<ϷaYr>Vw. l`BGẑoBvL/B\=]u?2ќIRN૮ RzmUތZC_+ ."__7wG;i`a! .*\䷂юA[t\9ߗm'#Jpwډ5bT)CuczV 5)xp L5pr;#пse#i6BpMu7e04W]d one&T&"8앷kg% +XF(+6"늃޾b95LKA\QB(YzOd>d Z\'X@v޺*4=L.Lj,];aOKڈ&g9,v?4`C+`P? `8NH{"kv;j2KtDJUDQCy&D٢&'1[zen.m^vxѤD,<0ɐ.%*3=9.E9؎ĚRU 0_qaSC³%:cdźA.b-u> aY|4Z;g_Hr^?ŅJ[qߎP4 _D$p{-E hG׶J)RvehU IJ+ ؔDWdETH1d]a^ CyrNcFWi2r+4q8S}/6opq]mkIJM6ay s9k*JloR7/'G@S= 9fZ0TTtxv$^WpuVSotJއjD8^q/e"VCpIbqغ4Zo_Q{E]@C!*7]ʿ!5;G,V,,KdG=睤^H 6Zx* 4ʫiq;KyGGݜj['u]i)d5LgP[kZ>|>`Pg/4!!pBGiL6"u~ N7'9{ MJ2=Jdn(B(@m['"2 [8&c1ͷ+%ՎD:(_9+7O (Z ^ٝF+ԈbJ9xQ SK Q#eZULF0בH MF` !,13/v̽0,69v+i[F"Jh԰nmڦ(#vr(.9eu{В+[!kzD5Feu lYɚA4)[,j}v!MNڴnrYdB5,U.k򅛥;G;i@JC w<Nr \<9 s2*yTuKd#~P0 nM,(&Hɚi\$]( 7Dip]S'nlHDs'n<熆wRDǺ) ٨uDM1o$%Seߪب`y-BZHyܕӫ&X( "؎h/qJeY5Mjfڂ춚~{ӬYXG?h/ӵ[j qRFrΖ}ĐE1^Tz?g> NEPW K~ybBh6έa=[J)a3VL[DmFwAwJ ldjc4 Av6BMj֎R>WDQ8{9`Y&=L Q8B-C8)~.m@]:FN~Qqyhy^z].s5`z@ G|]vczekj ^^1QlzeQPvFv~#} +8UUP<VjA+(=K'?R2ʄ rW3h'r)$&9~WֹF,%6Dhw EfcӦV]5N]^Q-{$ =g~bڔ8R!u`1,hwnS 3ʌp3XXhoڄDùKu惢/'#s(D'?=XWl9*`Y`9?FZM%k" ,P}^-T/UF@ZkigqO5jn[۽={FX_ jL .PPy?< pd&;=@EG׌} )MZ8S68*O֚DXYiwYiϺA $2vwgma 2~ e8ASe= >[h"H ufC7Li*(5wWa_sQ49`N 装i%"J'y^{^Qk:1n;@wAy ϡDNl\Q=ĈCsdi.ANӀ_eY|DzC>Mvj{zX'W 8 N_{Ƶ eH*Z r/sة]|XuΑؐlɽJdrPc$飊4;J\6H&]%W&(zeq!sʯe$ ©d3"ʽB˿<􆍴irHMfu%3,v![4-ZlgHݒ,k׷7̕i/VbeT1VN"'>´:Q&B~쫛+9 ~ [X(+9 `iLJ;:~^0X[7s@y0ⷢUzb|& i\r8C].p 05#(;R7Җ`>Yh_*[D`2ؾBB70ʱ#̧l˸E[K͊Y]n; u5a>dTtw(!004TI=;5Y2*K+t޽mDLZ7 \-`')tFYۧV]71j=ec*1LtCiW͡ 82O1"CAviJq┘Ao7uM3Ƽ6g4U:CN %߃۪4N85MxLujɐo}jaO0-pr-D9ez~3UrE^291nwsvSxsu>N:~q Nn"۟kG\+FMm5[xfv7ת4fVo~O62.2 ıy}}e@И}!_UÆJJCOZKP^j4;x _DynҶ_?=qAVE^M<d76̝w4v'$$C(3D7:Dq_F5 {jWn᏶@+ي-ƫY}A>gow`6{-|c|W if@:sۻI(zMיU9υ̙/sSƊȳJiܢ;UZI HNoZ8oT70K+ V`aYtWJ|44졐[99޵7^*Va$WqT@zPHy :jیU7;&?H,}X\o`voXc͟?q ?⸔ 4զ1ÊԸ˵DN(qgSb0 >~/ NcIRVϩ͜OêhwE?,@+#|fA_*cb`1̦{;eE;b!Y"績6^y"|'l͡QkiR("< NWh,M`O׬3pЮG}q;~TF6]/ O@n.㳞WM2!ǝ92,0r ֢,Uyr8B3G0e.4O@i2%ߒ ،)pb&ZϿݺtXI4R81헩JСŐrXl*F%Tn(v"-Ȉ5L 7JAY^Q^Q@j QG,:`FzHn|Yj}ȭy A2lDڼ նXA=`:W>="p@&#!KŚ5IIx/w>0KʲQA )b&N*Lg{bcALZrᬽF7~?@eWRwnM Se3׋/@&DcZ+佝<3>,P8b}+D`jDB%?a*IwANMq} gߺ_Aۄo6 Fեrq1-u'$rN{, pw+tUrVmU8T-|'=R 6r2Di(Q}:‘mbt%rBR(2r[Ԟ_! #j ;CY2_}5;}G *H .j,=cE2irUm%;ujoQAڨo ?it]9ViG }$CA2?` 3! ppB`kp-R1UU~[I*E<lQ; }r 1[3+qn{\n)˰0a*ntSZ2s࿔ii5JM"P ̚Љ[Ri{eJH ,KٖDl>siTrR:%1#r7&~ZۑX"癫G<>na CDa4FʽO|X^ɞ̱C"c+Kwy5/&"BEJu|>PmCAqtRqOm-KԸP,,IB>'Pm;BḾvY pOdr;y^d3ft!Cxl0E7((ӊC`ح`n Kzi|L_nE C@vN{('ӿ:Nd3柳E,Kw&Z:ݷGJkm5ĬI E] ˒3<>=Nvb^`D+ Pa73,ЈÌsA[V|ǰN@$տ0n>>+Em՘4{2Vŧ~ +k7~4>N„7n?,Hy4xrUIλ@yB'Ͻ^a6|n_ٙY~7Ia8rrPH$h|&33UBUe yȗ%^!-m +`/gh- QW $˚}d]q?2`ajmj\Ai9(bY>Ȩ3Leû QMy:%_&R!Ȟ=LjyRQtWk&c:5Ra}dL]*T yEU*qb)- [M3'k"ܣ!IZeLf_#·`z02ps3Zc*:P%W[ǒ"FV%Xv;Z8d>rZbL C>I'73ՕTMa+e&h}We$kIb&0vpiK5d;`mdMQl!~I{}WChcOb]Ibn\#$۝M~FRFF]q1S8Nwۑ'6'@Ht,wo{X4X ;MVfZ|;v,n";gKyк枍mC8 2ͩ,ztTVbu:8clն /$E4Cp%&Ubj9_`Jcn51^&U|p$BԮy;E T»@2x%{٬԰3) iaKohl)BfF >'"huQLa͝K¯:e6p8N?qR7b7{i\E^r8S3!,BJexAiYֳUր}hנ [p6RkI|)mܨ容9QW9 3MsX,P)Q on8X;y%?ZƨL\`i=MΌAPw;u9kpѽve>݄?Tlxuv9|_ ( N6#-fijxd6Bc6s ׏$W,yj=++n ]CY-iB[iSbL ДC|c)\7c.D9,~Ax3?NMIigЮE[Ua g&-L\ ߈M_jQ&K7`r336)>ݐ-3c{ab+4?%'[z&ոKC(<쓻7EeQL KxDvيkf}^ቿ S?TRYΟnm{BLO"/cc$iO3є B|fY$%uYgT.ޑ,Ré&wT-rpK߄|Tvܶp =cN9@^ \ÇC{(ϟp;Kt}woUT1UYcO4TU%L2䤸ٜ߷hfbz~Oh%+q;SN B"\Ht4dA P[iNl.i0TU6ǸXG(8ƼyVܟr/gMtgX{*44JK>%ʸU..oL}bEH 'T  a` 3ajݿ(3ӴBғS;Ͷ5Kj\ s#_]xTtk;AضQW(kNqR":4K`ny/: p&C(3ab6c84]K-[4PT0OOEb;s7˝+OALvA۰ 8+ЬD~WGM8}Wv%,`;4oo uU,J"F:ԩӜ k_L0&HYb:99aQvN` =VCu$RuP';Ki/V=$" vxW(N*2d2L<>:zJmف/=V6yOr6F`ڍ2Ouw|r*y8}a@)WRO͸8f$u[ucAՃ0Wߡ hNb_O+N+\&Jq^/8EcAP7ԱMXn?7 xGl w%5ߠ#E0֡։(BؤX 7sEW C˳spP'{&YS'A@MDzb_TYmgXfʶ C\X&%A!HVt ה[OO Luv V@dJX=lSmZVp\b>V7X#-)$G4q@Euc\}+jʙ+gIf n`x/к%Ijl%yٴDP$"ҧ2T^Uލq`E&t3,rZIhcXw'yF1%W`KX{NVb@Zdhm`?? V o5ى9*֪Psgί`޿eB622 -,U6.8;w"V?+C32SY~Sgq ·.`5?+ TdxlꉩF""*u8zʱF hŏW^z%V/px{ 4U`Olt޻ΗTgY ;hK$bejE9;[QJ 9, HT<@)QM=r6:G>4v b{_KAYAu@Qx}o)X@E V>3<#8aZ*785-:%^:DKmyeXX8ı@]ڪs5yn8zߦ[T+U 9^8j7!ʷ7듢|9dŜg$z_gte"!#4"*+vKrE#WqsK_';Vhz~}׳&@0wP4 78}Ѽ g [ ȻV;[MqZѶah9GS˝gƉ/D7z;:fe/(\5N*܏H;m6RGdsxYkn͟k0o p.ݧl7sʹ׏ L>stǭ90o-?Au4KVy.\,n( 6uW ^4Ÿ:<>YkK92if^q]CS5BZT!H[UDg1qP։s宥rݥf-:V^B?M7ջ.o1kv=ޏ.yGNj4hתܾ0GeٷkL /?E{wgl66O+?_w5Aۯo7~^ط}[+A>6<_negev{ynni*<- ৫BbtCP_<<-+ǧuXὺY?ڽ}] YƈiW䥟^D 4Zv`$]mϮ/|fU̽kwZ 4p`%rF.PN5=$d`v1x8t ?t 4aPAr8U9q"ܝ+\M[o婆+" ne5^CH Z7Th g&BPB>aF&5T +ކ`5m}fUz~VgnqWpQ۰iӯa3_lm7n3ޏjv*?5{їч 3moO*@1Ѱ+r0<ux[2gꚿNFm8'OĊNF='A-Vz.ra]Gn ʹšq9$3|naфE2nJZ6QS[R:x&Ie.4s7fߨ Al#(; WѰ4yNb 7BeI2FjWU0"략øb;ͿN"_jh<-fP  U, RC^I@AX߇]r:yKvyw2맩&R[}zQa Qǃ.^L78v>eߒ9{b!ShXzUb+ ۗD@ VObޫe \/0~KEk~ɹ]883P>D; EzMn pnees:5@ޯgˑG5+r;mlynyN&qA=sEM1ʨ!Ҍ!01' Z_[R`Z[B(gz+%KXnα^ C' <0pc5mBJ$ޤ{'x8e}LS< JcPϤ.j3AC$oT@45cJ1,(c1v+yޑ?8@rLpM|!G5ѭb}7@ kQ3mq:m_rNWošpXPuQ}<.<#Nv }[b[u[.B4E-ҏ oZ/^ dEA~U,AA>BLGv?-G:eu^?gזmM_F-R(%=Z4X}!0` dXuNq =ouKT m:]T/ *~ kbخ5NjT( vu` ɴ+ 0Ko|N?h MܖwY`<hhx0 2^gL =:GlpbFv38+a[YOgAM(H\m̾˞PL qզLb#|cUjӮ ?U u~k@'k96u1}8= 36d4qf?)Y z)i`%~> @ JFi{9qrAb3e֝-tnƣ)'o^SlƳe[Q5Wyx*~1 rp9[ѕ+Nl ta gfxX-C %_=Y[K3xfhugY?IADI[A&Nb}#vjYw|OBo;%Ͼ=-^[h'}Gb+ĐX55vڵrL0pY Q4 _6)z#EJ鬢 >'Teb >Mt[xjo :yi@@G5 5uV?@!zH }Vka2fOl޺FFJ댻{-}/7>;% Š ? ]HmjC>Ѿ!SvIK]<G"kҦ "+=^‹Ƒ+{g̀֠= C/_0{O P"`Em5cae*aDS jRѩfNɈٯξֺ?F,zſKLA+rnn5;Z*j+Zd6 x4⾮وuT>=95{8]kJϔCPBP1#WC:G{%?*3>W_ +5 C+Vs{y0cw_~F@d!i"Ho*@"2MI4&TTϣ? ʂ9QEz:5m)~h{MBTh$?wwovY c^ ^v+u`;X=D!k dEO*SϟJ=M @@eE(X"Z VhA{zkʑr 6hqSŐ:t/.ԆBj܍$ ڠi,R=9nr׈uZ-XHy~&_Μ~=NvB7KFbꓔ [נru1SR>"Ɉ4)A؅V'T_oLۮMQAT|guۣN~O>a~=|@YBATJ/mz[\eOdj}I ꝶ,#^RX_S@@`6NlPB ͪo} z 0UW,r}-&|CxOMnq0ͦl@&x43X՗ ;R 2&\ִ}oR߯?Gwr/9n_ͬt:4|%u 5 Aq[2$6 g]T $ʭD]ax=PEDV*Zs)ā,\ywO+ps&4B v3QRKAHPndX~[) PFsٯ'mʂG.qgÖwU];ƪ( R&VUWۘϪyHU)>,3}qz纮?yeǔRP ^ @*h]mQw2G~ZQ2ň/.#מxܻ󍈱4%l`irX((*hۨZIթ\ma Q Ica fm˺!,6,1AjqB;tR$$$o Dc9tZH0"dvIN.Qhi$(%BNCW/ ұ"&m aڂTT06-2b!*uEGϺHji!C-TUh<ފy "!BPNhJ"U 9ѳ yRk &˃Ie$܍FWxpҐXE+ -SIæ&Ji68Xt!RhhHBtH:02i1V!Q6lʫ (cuj$d"T6̘ łmtA4F36Q 1Ʃ&밵$E.HbDOMehU4I5 1B BV.Arq!Zj7w-r5LDB0ubEi ;yuE{{]ziΆ(IJ.ۃmHUjcMex¨eqV6$LIZ!%DCBJ )â(O|Z,rbs`12^H#2`F( "U6ilk`;UsQ,uJ}v-qlJ7IRJ EZc@TN{^)._~_/h}Տqt"'ԥ5 +tA@لhŅ$n]Wwmd#:qF܇];#~~-%Bs|G(!C0@̀fkaǘ 8O1^j1$0&LDa"L!ɲp1훻fI`#@Ȁ0rczoKɟyDAK.F 2 `u6'~<#9})îC $k&">H%1˒r'xG~7cq'Tt >P`@Ѝ~aTV[ݾx A(C<6@=| JSzu5Zȡ'Uh[Xh_Ri%/ޣuFH"j\8 ~x^Xak[͇=\OOsKI,4@W>v)Ջ#$))>okI7V @W˔ulLU~ZGS\Zfv{FUGIv}_߄ch6űcDI#"&k?{ncfMH(sa OEgh5+}@^$'i$=GJ08lq6c1}96dye-ZƑ6gGN+D8 s\l$# |Mwt$ť$Da@JPWet/샮ʾZNTߞsq=޲rl^}ÂZ "9T4 Rh(S*)x!Ihl9=20f JLeYnq~^>+| =65%U(DD QD┨A"WcsHf V9P XJP{i( KckF-Kd `$Qb*`JP(RZ  o7c%v exKt6%bgx[eKЂhՃ #^mZFGaցs8sGfV0"_e[3b͔fAUF PFׯ.jFP]ֈVebd;#_pѴaA=QgJ?eqǘJ):)#'N2Ӎ.V|\|' ]_czt~~O%t̛&S>Et}Džw:S겱R]|X63K3S8}lS:) XAҪǜsɓZo] ̟⨠Zl9~xwL{W g$|)UܨUkCtV]3aH`_rbEPdYq֘!{3~֩!t]>pnVIe_W9v25P6e2l͟dЎa/$p'WjY {hW9ܭmOM?h{wTA7oag0rQڨ]lB%f]?YjmQ\Uύ#:3ɳb«*V&4k@f1Q,Pn%Tt%KVUϫw߮e<|l- S/5ĦgM \qċӿ[3{#l!4^:.Ym!KpglJ !_US kQL\rf:;hQiiH.9OH5u=<=#2Y46}j6QTdEEbƣY %m&+fz_77f0kgW˷:z))JR)B98j DM&l`icmZlKys?fq&!1CLM c9 @$ W!5P+OG!(Cn4՛![HuοXEb΢s jVPJ B-FXFF 2XTTQAs RD0=&.!  CA+(|;@=SP y P Pǫ娆Y i ѭ^~Y>oҽRAQm%EFĚJ5$- bhByu{z{JȞ$~7>fAd "Qx7ZD'`e%w':цu\q8JOBd6-!_Khy]A4ZD _l[7ŻU9#Յ6`E?DUSn,)VRwӑ#AVeJv4 (JbᄵmW5X[Axj;,.q0Kyp okܭ i?05 TLYn1bIoɍڂ]z8CZBVv[Ou}˻&lFYvE-eeOu`1~>7Q8˱TEZ4?]r??vퟫY$KA@@A)?*ύfqbgޠq"B~Wa&=< ?5皽]vK9nmV]<o:{o9t!"% "2 @ۆn@PT~utŃzZ.|QF5P$vm__p:ˤeYȾs`|""Noo9`K+/+"Z { `+ehL g3qc8*"m4tfBn.A-?Q+I*˳ 1-į}߯[JɨsmP>?r@q.NFĭ>Yx$J NjϨKƐʞEBXH.@y^8>+\wzߗ뾼g55MFW0[V0ۣܣ{!hՈߣ22rk%QhMc(3 o,⠕W03Ī90ǁ=71m|^SWA(=[BehT[`,XŌFѬQa"ca4 "bDZhV(#d(jXaRm2mbbhQ+F4F X-QDEɊ(ZKAmbأbLF*4Q$IFj,Xj(TiZ#FcPTZlX6"5Ԛ4mlZ65U$[bjQF6MEm,VZ5H"ōV4lkFTZ((ƍ[bE UbDUQZ4ZFQ!a6#e)0XTl(,جkIZL&" DBPD,X$bQQŌc&FLUQhbYTE zo^;޴92BE%$6!a;8cO8ns"1`-Aؤ1X-IԊrö쿭qDPҕWIe_1Sٔ \[*PЌ#dTfRzq!{F8 kjhkDSƱKduu`[no{>'|Ar _$zA $6} @hl&ˢ3 \z쫿gڱqcna;l0@#g`hZjگKY;FP"B _Da-Sr#[mGDw>}ݺ ;-i9|_F" A )xTZ:OqJ% T?{K{i AE+PȄ +D@3HC|ޏ7vr1=v@̂YXm͙(\ Bg~a~g+{_POV + YOL{D;)HPŶ筌q_;/& Z6FRhx`[I!2et^7*QD^Ki]^ LEIԕd5QDIɢ mAhZ JIl[ZƣhXcTc3h2_2E$BB^C糣z R&fwݯ)'6AثN\(*9SnycO! H'a)hh=_K5BP"J;:x.0KR[_"^@kpgsNga{3e|Qf_5DTXT̈330@ zfz|{}C k>u/˭Ⱦkwwɪ~7I@A)/|FgWDsʎP%W= /E@@ !5ji/1mLhW劣F>nn_DMa*,QXҊhh֐Dll("dآ*6ŬTIɱQbi65PF(6F EF#FRZV64 Q$Xشbh"A6,a*,hđFFcFجZ6*Q&TEIDPY"6#К6,jj1QF1ɱblhɣH 6آ(LKA-D_-οBҨ Qm[mcD+t6{A%DDfhp,N5xcu[lxޝ >90 iXPԱˤJFCJB TT{l}׼˷_N!h")*K?*J\ {8@HDa@j?㟏5Ʒ9K5ц SEmT-TQb:"wT_1RgƗ5MǶFYni7x1'N{󻻮g҈`d#3! dDDɀ4, eK+ QE,vX&~3]>Ǘ6z85ɲR$[xj71cn˕`#ܹ<_wFkc*xN9UiHJ 9!@r5Ժj>>Ssr%8^=vr<] q,'Ik ]V hCM:k%TSDMTrUA=P?U X"T0Dc@$tүE0V*I"9|뛇0wo ޅw׀y.Kwwy ǓǃK]|^^5[oͮmnZXXfA::rd͢-%IowW BRvd ˣZ9]NBϙT5hvHf**|uiWjUeP@An嬚*4x [pH o6)>!+oy?" 2bJ䩇a>Ϗ1ӷ+iQ:OTcb ׶ rءtYjy03ԮV)"_VfKrN0kճج[ ѦYϘ'4$qUd:;ikӄP(r$/ʮ'su2eʤ0_Q„ ]T{<:Z"?LG "(bQ(AW{ b0e*~tL-}]YAn]_X]A}7p: `0*"̭3V0V*ERA* ))f??[ orܥ{qoHsH;t msj-\_e?"'t̂`E_9nQE4Q5(`-~tvMM)ס0lb(}hԛFlhѱ0CX`M5FJ;g|1bh*(ƱDA }/F5B(2)"H3[{}=N7sJHW"zl@I W1sQtrSw\A&XSJѹ٬ )A$  ^ym\hgq8^;'3l^tg~x>' ~ D+ƹ@&T3Gj>5OW^(PPs `cZ\ ԂT}~;/r3v8vv4'lҊ#1 ة@@=?S|y-`1=LQO[X_K|vSSZ !# $1h#ccL*0TDZ̬E,hRS61b4lHhTP$j6C1#FEclFb[$!PF5D0m#&i P,U!RPm4F1Ei(CcFMQlbEll5THcPZ,j 5cXDF$6%fRbRTbɍ?Nm RTh5TI5&(4mhD!F\ԛ5ţE!hh&7{^K?o QJ^&M4U#hY&ùT_/߮\`F3?0?G?=/+HT5C/`|ߑѶ4OoGzHj(2X_R4&+clAdK& Bhj1&H#@&рDmѣV,cF E64DQb ѱɱIi",1QQB&mE (4&([Ƅ@Qci4Pl-!Hj42f(Pl4XHR2XbBIDF4j5ٷ}g9|Ց  %Q[&e{TK @"1e=Cwy6Zb+3[;]&'7MQ>d0@0,xѡƚJ z!?Dfsr&TU0J/YQ㻐wܿx _ڶlb:YY-e(A/:%rhd)(I2**!i((fBo?S=?++ALTM-*"G ^ܸQTymⓎ;r^:+5=v"^H(khU#Ȓ¤ƅHI1.;xcǮj=J=9%ss^z{uty.^<'of-Iۦa3MS 6$(y瞚Dy)lhԛ$&,S?8Nb~^@sr9@QE4%b TV+cZfFLm fqި3uQPK03%QF-bRbCcE!!KCh߳4z\ukI1O1č[m(GPd̓hT FDQX  y$SJHSr7lӉQKIM6j9gVDQE1w݂7xn'2%Aik$4yAU]9/4hƵs4%Q)\kAHTʥؕT4LpZ]ID:CR$u4xv4 FQf X'v}e/~J >6_Xe![QPU .Ihcm6ѩ`El}^llQOtI %dcآwu è,*TC z "&g\^7][ÖW9F˟0A*ג20'ѻ RIk-s׽6ڽO_D>SK;C߃f2)#BML`$T%" DOkbr'Gq|<=NjDK 8R2:Qz+vc e #I DZ'x Y~J̡oH2Oߒ}!{9L!R[;'=.u}Q"b$"A Uڞb!I %+o\eM( !&R@RףlUkMs/n>7SOժ]8oE uT j pe`j4*Taq p;ˏq~ף옘$ޮ/|=H={zS" 4J W"(x{:UR: c3\[\6!j͔UW__ÙgJ9rA|I2 $+!K[^+SR\墬?qK0Rżm V7_7˛ UNC `Fs]3EhD J3њ @ $cq#2?k9uo?H1=7p5ѷU%)A~ODT,J4I ETSgvm5cm1[ycn)WGqVb4Vؖ] ¦0,<, N[Y?}Wޞ}LBch;~Ubj˴idIu"W,88tf*ahćhaZR7$5Xk4vsp`K-ѪVޮ44^.d9J ػ.cvR[umFm'Od)[)ldN\AmffuEeWHm2śj2*H©0gzxt2jKփR1Y47Zdm-C7 A!@At5GFwJ~g{ϗ/3 HC[;m}E% b,cآ(~=h!R9'{Zsƀ?_.50j=&TXdF+~+g>D< (dF ѯ1g!t8$nݾAXn&h#2A_eοj4Gw"s\|I|'c|Nq/a **Dҍr2Vj*H4ym|,kd@#ؠb~*̞uʺ络j&E"UP@HUJ{4dqp8rl03 "(Uroթelq#;Sqs*c>jU+$S6hGNXje40'k_K?ϖY14@!SRBPׯ~,jԇt}70beIxُ1uГ "ª(ó(kR8 4KɞFGwj۾wooEu` h%whYƫmetdߣ\hav}'^S9py:vR=S ЫuU`K" 7o'u4|-@ +ƿK4=;)v[+NvOR~;Li .^(6#JWqA`|/ś˛=sq,%0`@)0u{D`ztQ`{]{>"as/SwU^&$VST|5~s /KIEJX˧iumnW+!D}:DP?8]xwU -Oxg~};gkfddЅ^tئ5ԕWtWi`7r2ҐVIVHȐ${W,wҽlݫC)u?kMY^I!Ыg*jG#r:7']ˉ IH R_#5'"S'5e,~bwzQ-iOplSD: b{#$!!HI_nքz[9Ouy̙F~VoՁH 3g*IЏM4'5Iog#I4X\6~GM?}4u}97ݍ/灕wumnƶ\n\9S?8^_j.gs)GK2;d4Jü)fbaB 99u۬!k8 "4b"#f5$N7wrl<3=wL@0`$qD-X@+.y'{)\-(sqi{>=Q*7yيt4~P1e diJ]mmkpkEKRֆԤ ?~>OSo~l=\8k?W_CuFI##"OGZCWއxf7.Ҩ{jZ];+7 9Dy@JrnE'+QxnnXepj~x=kx@}цT]fA>\`ϪwX0I<2 4H2Yr2?~? 4X^bX F|njFs}quڿtp=^י?{W_c{wuBA$d(BۍsF1C[c)"vn (d M>O+}S3B0%Ea M")$)Kwt*Do E ;.͵3j:O`(J)\MU# D6MI%a"=G}gaZV ’,4{l`6YOa?ms_n?~u@R  6Ij0B@an1AJL{-"ooɧz'_ܟV]}K;+oÎG݄ccbBk =ip񸰪*) >UDHK BJs}1*3<7+n!K5P$VQ׎gJ@&>^CZ1 Vkt'Q;9y U~W9 c W5x.wCS_RHJS |M:{%>e˛s,ocoӝQ$%I2KT2ގˣW㪾)ɮk)AS!i.0A1 C!i2nTDFdwLjA(lz:3T̈aVJzn?G_̂e~xܹ+QG}HO2Og7So&^$^{AӜE \iWaU4yhh_:1vտ*h0!*fx`S2MEUAWT*Y>fI0(>̥*B!P+Y_u?=_͂g@mR-Ш/72de e^t^|U+XǽXK=w>?[(}S#= EI*b5lmMXŭEՠFVVh),mEQX 0C6$!&a1dL1(Ai !!FI0(XL ` bURSFf:-#ؐPN|x闷Y_t?zq>]6C^|o3/lqI3T ZUV6x/A펒Gov |~1$hH$B 0M&,"2,T]zYwׯe]41! <ʳȣdbMPu:F_'ސyjfMbD*r6\~6aVO6UY発0lc#+hq#w<_Ex;d\^$5w{P7i=~ mh*J9gI'd0JJ3F`a+4%A]:m.' r&`lJM*/!q0Q4o%;863?YN]+f(ĂvC %vȪ;bbk LD[`kpHUXexuMg@مfn>OfJG-!!PYc7/Nru4SAi 7P*+M RE/eoW7U## EBQaǼn'z{Ogp{n2z. 5 TmmZ%d}i)=圧 OYTU5Tg$\BiJJc&֌J4 AU~"bI]kd^"|Ӛe9O+xQxO?^?xu dJ.6 W*tFvop-;~T*,Lh4&DmDFH,&R}e #h"!E:v<*~?wO?acAI:~O}'JBH$$y1'D^Tl|\_IOk0w9d٥x/vvcvcv` 5vHh>p5vd6*Ia^*YHQp0@̊<;1"ӆ%Ņ9?=m_{[SS$1VJ*HL$X6^diSUIBF^\r>Ox63?k< L )2''zRUPIQ UA.nR?+rOb?)3 "qRv_fMsy{bu:N;^G+( z?Otu]ОbC$G"d?sϵvYPUԼB^?JҠ~JŤ0+Ke!?ߥ|No(ؔr_-Y>%[.gVĄp Bjd4IRV#QN۞nDw;DE,^y"4RC|O德޿Om g7;{6 hd#"*- hѢ ch5jRlj6!+6[>2"JM654mO/%f+DDZl[6c!i !T.i"-&IIsZMk %bS6؍F͒-ř&*6iMQk;i55LmѫM LԚ6QAEk&4lHai`o7 *Mc,%Fe#3YŖ dI2ZibUZDl0ʡ(bW}lŧ_l^emth:8kf4yo!Fs-L1 ef5MwQI#m *$"xH^yu({HDHIA=/uM B1! ?뙈I __ս~kuJ#!S /&. [>D `pE0]dQMzr]Yb4&F M,MBڐ+\DZ~i*U!=o.=K@W#9f`q%)%B͑$A"R@*cDPl/ ]yT;-?q6 CPc2:mWֲt'$ ,$Tf4*dgMgg{m]E]fg OlOfDx-mOuG12 30:ui5@Θ~}Wd[֘~H6Uu8hS4,a]O6 qx&eSjsuz)|o#}Xg$%D ʙאg.k ReͬIąj 7.-Y;}?5< gC:׎e :O& oE? $)F&3Hg{/i??0Z8BI"! (EI J̐H0 QHQ+I! MaĖ#) &$e,2YRkH$H60"2be&̖(TF6D,J,A2ll fM#41)E15 e&ّZ*f43h)XLͲE!)mHL*e())+$)f(ȚZ)&Y6Q͔h,)آQ6LPBm*ZdŀSE64h4 4% Œh0% #d V™(YP̨De)ILĕlHR҆1m %2RDM$4%4ɲLЍR[1i2Qli S,d,% flE6b ͘iMFɰڈ(Lm$e%clR$RRDfKP&JM-4CA-CH%IblZffb"ҐM1f1465b`X(Q$&)X0F` ) iDT12u} f:;rL33#8%lΘ2-}sˍRoӿrcAhHJH'}L;m {xɡ'*dczVˆ/6C~%喾陵GeRh׍:̱ %.-K^TnFyoü_/')c!&:N櫩'dj{ :B=4[[7-@"Ki<3 Qv_H- uͺ!#-AfHBPdhMӎJ#K1<;Wl\o~ #6Y#m& 3k&6@>7VE!nDddfrU3ADu1t kVLP|BA>,^Bo ;$j&p6OKewgYQеt7ΙmeFaXhLj_\Ņ_+Xۅ4Tuz+uy]v]? }R ^pO?eYC}ʧV[b,Zje\E!Dce#F[Y-H0O!(0֋ڿ~zedz^G%&ެ@/tYpT{L rm3pp*׷te?z= ﳮrr^WB| ,a{ɦM3c^1vRd$ܻ\L$ͼ BbGoKccwgNΗti0#ĸtLuiV0&o%ۍ1sIM11j5/kKؾSTWW؞!''~BVHcu4(jk }0FE~wu0/I+$[0ipcOӅW O9ϙ/m~fj~^du%Bdmbwwv}ӡ2JJTj$d1)-uYPFF* ,t!MP7jMI PFRmA";b,՝y6F; :c>,0f;D۞6̩wԞF}< `PD4n{g|}~+ž*U>@JXֱwrʽH@(h$ Wg|n.=l^|ٕC~"hZ?Ǘ^0f8s6|>{Ӿ۳9ȓ9U@V_(˅EndEđP.v"7I%$zƌVW>:??÷~[[[sk*NOUa]L4f:[ y IΌ"w?g=DO<rac5D #+¬"DȆbeqLmxF:}ds.x+%TRzj( @aA-0U_'{zg?K׼uԴjvNmTOw_|G)/+Yy[>/2}Ќh$ ".7[^ː%>_ϥb">3ٶH"qc%0O*,ʨ`6T ($( Ey>_2i2\$?c,#=c(:ʈE{k`QSTU+B!TB D,-;xY;v,Ϲl M@;MLOVq@]1׽ý`Ë9!P?Ds?_:+Qz'GQMh>""=t{{Mt"Tz)oo~regCH0ԑӫSf,35x_nn`v4 Ij/ن]SN8t;; 6GS?,{v:E%i;O) O-lXuRBUW}gl1zxbhueoᵉDљ rљb&@g}o~wyw- aF4QLc 65PED Ef0(e9笱AE6)ȶkJLY"bP`ŌUEPʤ-6hh$X&+2E) YdQ)Rb2#3,,KRPm2Y$I))/>qz/MtqvsGD$aDZɍh,SCTJH2ɨœHEPb66 fF5Ib["Ų1S`JM'oD,*? tURV O-0Y4vq;yx?'y:&ƍ5ڤTR^r[]t*fF e]b9&ܧ^a,B~+kl$=eVI!#`'Su`=p)MڨT8~MAB@5, LRKlĮR0Čԧ=y_[s&3@`Ă@$}_)ՕqmU?vU51$$~_]6;Z^_qV3FFldg;v ePCh39q/U |7? ]'OW>B>Oψ5FB@1m\Oעsv6X<~Kkp0n 1Z' .@db<&$j$$AS!>/sq+;;PBj+yDLT MKϑ`"H/8}S|VOHp;gyl<\91426bj$FdD!RPe&JL#eQc6"6,d a2jdmF0aQ$ƈ"F&,IEب) ƨA^+- ,7Uf$A2'.I$!O9{^.}/{mF;MS,K-&,-7N%/B >'>WYY$m($a$ !HC }s]LoFǫD̄r,r$/U&bs|_-gk𣻟3O?pϣA_h%6ޖ)s[e+!q0` Pi?߭tEݖ74ǂIR?#tx^u~ߦs%/givC J MnPD+&:Brhȡ flV\'G}xT ~f\FIa'o'k%={eTK2c#6X;)+*iˆq߻/I+?1oaDДQEskx1wB 0 `0rwv+RPw{9O:V,:S#ʲyKHVY7K?/>D~:j#30TFco !%[ 5ꀔ\uRT?ʺZV?ۗȳDUGϋ{ޣAi%>h?j,3JA DP2T4ȮJ ,kWKT+(G€s9/}TowVcv)PAdBS戕ZU x]+esd f ELEߍFB@'a !#233fd@8c;аrSro5p$! ;m_:x>e{i@Q I %JHnI/?}~f2 ҧ柜89dfê1]ƨ,M~7ΧZ{WUq$ˆ#>_>'=ᰐ}akB R!>*kӑEjW%Nma.-Ô)+B~]Ť:nhʎx7h\. 6C%4raM=mN&[?e|պIɿK78C04* DIdRx߼gw}\ Dua>-8IRME.1%UZ9h6 ah*2A'γBB7:&F U_#+ud%TKwAji0U+斍 "KHMTTR*Z2z/:V@[ G(*9VlBBL{A0R:duWW*®raqF9}A0jT5GEUhHZ֛?kk+UXަn"2JXUh9ierE2T+(P@eE&aE,G˅:hs0A8*ಃi;n$wG7;ò]].n)(Vs @xyP]8d\7%BcY -v#T7:y*64|oZ2:"[lt0yRUanWUܯnwN:f[13a쓢hAh|clU33'#c#5a08Ť!˖؜])mܺ3ǃRy;B&IWt2Qۃ F[đH: r^ĢxAHU\Uq˪A8XwrvĄ7v3-Y[׹hуT82xeL-J:l`PLKIbP@3*$M!rZB0ᖆ8h愤IHi)P>/,y(%oq D3ƎqOTaV!%K~2mͩ(܆qwqSD+s"UnFRAc;6V"̻g"UI$ DrW$ܦ(`gD[ ͛UQr7r"(Uθ">HW"-TYIǹ՛ԵFS0B:$5;gNmdiTh \IVQ9lk]M b"nEoߴ"8-oI a[.]K^Io[֪l޷ja[,ۮijټoDGJ7eʒ7 ]wzsU-*6!:#:lްET(߬F,]\+9|IgA]y5[n/cT5UؕZSJ4JY}BZ7kĸᅨg]D.@.jzõcڡd1[yy߁o>or`AC(BQ"lҊ"01")(aF"(6, 3i"j`)V &Osx ~_@DSeHi),4kMZI21Lس"M,a*-H &Ib6ib65Dj Ţ-45IJ FXfՔ͵jRٱdSAX#&$ Q )(`D̤6R)4FDٛ(FFCX ) $YHD;~رDz)O]"C` t"얦9߮DkD~钁tu&!]md˻-B:o ?L@c.?_wk;y\:sJ8Cav<(^ߔw3'|_aq#lK? 0`(9$|yB\T?ADwmrȥ.kO* B}U %J BEffH1_sNV鋯{q|<}{<8lt: 2}Db `BUV{_a023#0FY?)Ŕv;))_A~zÛ}{p_o<&ffS%x,OurwD0$!^O,xKWOTl-!jV$LJ5~Ae=:QCmywxjĉNiwbObsu׬0FbLoHH203#23·|8ņ`Ǿ3Lw�r#"F{,$Wa ?O髍aOW켟Mxm\u_4?>赻G(ä/ ኻqMAk3XЊs*UBH?ᗙG_v=݇|w*)p2NLQ6Xb6om+#3 yS|%NN뮟j<`5hQUP(a B 솆z4hsv>=_Ѭ<ފ ⼰56:*d;THE$*8#yuz1Raۓ{_ "~_~s l/(I1eFd+ϺwڭL,pO`@3!/6?`DQ44ȀT&&`89/gd{=(Ca9ZJ+k)"1!9=qۆ/S9?|K/m?{}&֐UÌe$33DfC$O~=Nw_ Xh bY oW_/e/T #ēgTH\u5m2}u)z+Ŭhb6Ѷ6V#QX-cbhZZ)(C7| aeXHMB6J0j$ء+-6 hEb[+tmNưX(Ǝw5/j& ,EZ"2EB$mTD!Jfmi6d661IDFJLRLɱ4ѱ3l %f4JH3$EE$Xbmf*e DI$&UXDmōF^(" X!QRbD^ws]{ujF)-(hؒFJBW G 8IaUPQ/s?/߳xic/_۰ѫP0 M'~hCg$hjKi}."nVa}s٤bm]Wִ=2&&Af.\1T꤬L1"K\?yaV~nO='!Oϰs_K3=;P`R֖!S5jzIsвB| tmH4F$%^<& ޒw}[̦a0`Ȍ!~N+$JZTIxǧtybVqxU]E#pyЉcl3y(jюYKX$o0xC1.o,>v*\o QۮtoUtUzMUOJv\K;GtvgFciwA2#0 ?WzZ&h1D$2] @]>7@71Ky' EWW2C$*hCh҇a=Q}nB@?uh|xt422 ":`4j0fiRS#9 wտ5t~W11 Fmd DEb:#"-dzt4\Vm]o/1$&"߁hwgxg?QPʬx\gz:-͎V01ƦQg:ݛޏg =/2lL323"#C30$1 Py?nhH6Wјzޔq7&QBQ4 &̝%)Aҏ2֔^j.b駵 Y)m ƅzUMQ^Y񃱆~"-Q0hE ꒵dZKS٫coT!ZȽ_'gv,YFf Sb?;В$Y#O3c{lX{iLnud$bH3RVlȀ~0 |߿nwE3W y-#Ew h|o}QeZn00FBi ܧJ)ªf )г!&f VUFIC8g۶|\>wA]󿲟ӊ, NR]f̀3z_=fe#l\hmrWԺXڙC 12Zba?6KY N.BcҹN Ov/0pWD{e2I\&-!C"$% 20IWBЬc="]XͰ:#w~4FAn8?wk&5&`%ճ}Z0dd$I jh/<y!|0B5?99i,S'/#9}G~bP!$egi%  QGj3aiPH%$hrb1Zw},,lh5uK(BA%YPf_lؠZ&B:|ZJ6-D! EPN1zJhs?=eSZ0l(*N|Z345F-?=W4ew}&/^l,VAPc4Z Ovfe*+E3;^ʫQLCTlmڣNj[hmV"X衬cSF7;T _Iߧj4וSy6׊ǴMLF{yzm~2r~/DH/j.#`IUE~dS=oW,5$g|u>W˦CC't#~CL*Ԅ40CL[rHUԽVYeV 0`pUu/fL 4}Q]{f0[=5i-s0_5qp bPeʪ P| ]N UK!I8/:.o13 ms2X X^}{{D @{sBIF!6o}_}_|8vww)j}g)R{B`4ƚ';^Lڦ&J]׮ī9( pҞ!lA{kUHPAUE%D|_.z8($n C+xAy VydӄWG7'%5O5y<߇]A<?C矾"s4im[{#J4%qT+^fss0 -8URGDPO/GoTrmD#jsivu腩H!zBfqC_Wl9-n}G?ł ;׳n:_{[wqyx%aںsw[owgSWY:Q2JtLƓC" }c_'p̤EQLjyP@#LĻ٤G녇su_KO/:VRŧu[2%T`H?n/JEg x~_gX9Qq>}Guų0f$F灕;XL xb^\Iֳk&L0SbTX60$#CozLFH~&F-^f^f?J^DX$B!B hM4 \3+֯ ffIex))[09kv3=&?=BAPAa18KX30 *`̴G]J ɏ) &BL7Ȕ @᠞&Ɩ5T3:Tq[ LLV?ℼE*+zR32T~݁P3ZjVA-j@63i~JqM6Θl]f؃MrC-[C|rL7RCgx$z{oy3{BE#Q ")Oy|~ZIE(1֕@Dyyv/xg9;na~+T涾lIQT@D`bNN%=Ⱦg;54fA?ilj2*}fic145^y;X!㜗|NKWk?۰: ϕXY!=sCSŶND@3"aCA{!a%]|uW}hsӿ?7R”~lg\d%SUAI!dkKqj-97edK۞c|J;Q.<Q:$Y)?\o)iX.~CՒlbZQP%Y5W߫~W?lctcG} %|pXE{z{$\pLīh+w>;RTR礳}gp~ff_22*0y -G{JĜz/w88 쎙ĩoV?C}6H^|yx!Oslu]_Z&9mɤ,!JPh$ BDP`0=3 =Z Eyq+63eRVb؈ᆵ_R*) Tɭ3[뿅C{PCr"圉.4_UzFOX8=+v6Ϳ'$xJD_GQ PU5T/R񻥘]Z=Uқ MRCv5mtklcYߘ#R?o|mGro;Ⱦc׺oU髹>2o|_a1iHz-kV -L:]5E_ΫP3TRM;d*' $aU*ݘŷZ؃;~Jo) Nw|WcF^]DSЫQGk YcH]>Tg9> 7Zo6=xg4^?vj>.dcl65.2G.-PT\?_菰1d!DV DL"+iU !t ؠ+jid7t\}g .;M-`(Jh,'CohBb̨ &lXѶ#^;㹝dd߳ u蝅%q3 d`5ξGz#25,UQ5c!cF`4(J5F-6"V ZDF`s0!aj#b"i8B"e/Tț1\u/4,6e8t>@~7/7~W1uѸj]5g޷X_*Xq@dddIQmFɴZ*^ i\$!'4H^';_+n*ށϤ*U hb]|=uD)d%TTNOG=ޞJ}<#XؤѣXQQQZ5g疽$ǩs׫ eǯ?kL : lAƿ3]lE@q/1!G;* DLu+T6ŶO,Ui RT *cPX*db#XɊ-hѪli1PU`mQIdEEttNص((b8Hd#QEE`fcFcP[h5Ih*6HNVa(K/Z*ȶf1^׹FXD &H{|b[WW^0}x)@Ţuvh:,0P)M%#GQ#bսkln.+ V۰XHH%|(i1!j((JdBxDtX^Y 늣*e:tC1T'{yh(@BllS 98'm4=in(~ OhH!(Ew<~zi*H5 [L_iKnrsarvB JQ\y\smr{eֻ*8yIJPR73p@#ss3%$EBNziTAU^?+^m*Cl $RGJor?cayJ@??~ICIT~Pko~<[TB  $ S2`V!"ȊQƽmwI5M!E]k ήP%;vy6񶝧<ٙ9]J"[:B^ٖqIU%@ vk)*^2%zvx ssHPR3w5ͧCxug7, !ZȎ 1ȥ A_՜LwqcM C;Y]5Te ?45{[GpJ(h$ QI-mrP.\iʣ/Ŕb6ʴAFS5 @+%H{2 K%`rX;6y 8M$ @јEsz,5v]8r:}_mUx z#EcXi&4Pۑeܷ!`wcd]_pfPT;PV7]bAp3` .8{S|o=w0H?C*AU4yxu}bb7V~nxg#x3ae|(mB ##oIpEt0FfX rfBX1QnJRac6^W-~^2Y2V0}{ezn(YKO@~dF?3%L?s%EN&p菤~l篍6'ZGrVnɭk#7'lBHT?C~a3Q#-j$Z:=dBeZ(!*Y`V!HXvyʗvq `S*,RQL;3x#Kto8?x4qCc(mu381On^%n×= 1G>5uz6z)f*9Y sxwߣn[Tڌh>GQj{ˎ,3Q^A3U#Cr՝DZ,gVv ªE_m#P.dZ as;T-@HJmI;EUGf #n9q :gײbLEjs%em ܼ}aɛ\GllX8k=+~eI8V_㺾+H9 XbrC5"|V'[Z'! 6v<"|c׋- q1PFrs8Y\CfeUJdH{G#w+sMfX'j 38"4Jwv=[PQ[cW*׶ĭb( _>x3?E_Wu'_{, p!?eӪ)ZkU ~ӑC[sOJog}ܸc^F 3%}.qS>K9fOV4-g+q|^5C=K9%H`#um@$6w;y,t tiͩC]s 0o>5F~c.i`#Wqp6rqGo'f9gg>J< !]k:|qeи]x(z> !_).軫]I%14i"d IvV6ڧW~꿡qŎngnk9o'W*3(~y,ޅabpM ɗPkfSl_^6}K1ԏ:ݖb]vFfJ`9=NEl6@)ׅo1휾S;bWyx.fVfQ !iZE.qx׽cϧ-rxjmu;ԹG? ;{r}/H3xw/b>=R-5]l(nWg8% \`Ֆ]˺6TV*Djmq W)yU+hb9sdXfh-~Ǜz=>FiۨwX+v>ߧ,䀀Hwsm6͎ݟ{u+}%Y+̹(5军,~ZỹřSKa %@\SXт1͗ٗ,['-=ֻ?7fdi5?;UH:ʥ]$1{7z/J;ҰoeAyk]^⺻:Bv+jSexҫ:L{Xɦsh=\l"S?S\ ImբTN=cv#fz|9|'\=~yFi9ͣn`'sQn7yz_kF̒з"qgzx)gNCX6:kH;1I&fr׌P=t>};Fwd]Ce~y&CVTcoV^S!\y7&2_sn:esC|Fκ.}o41'fGe+eTv}k.qHktDcCQƾ̦(-^z2wwYV?sYZ\y:S du!:a$Bi`nyh{KugP$L*@;,=KsJ)Sh4@U,,#mW%6!26mz}g.uEK?v!ӐHHpYf`yS[`<^EOwhN&6D(cX|=$FhܹLBJH N{L`XܷEgk\Ec?UfgTzw4˼є&~;$h #1Hm%_,= Y ^)!uN;mӝ䩚V7%QRtRJ=dP@y* j EaU+RT +n!/-lXoP=lњ]S;.az a 7o!bk"u+y}VD1 NV'Wf*6[ETEV5@BEzsv59xj^Oa ]?/B@$FD JPAMu~ytgʦKpsKvQ{}+Fܺd!{e qW}2|J?C(ͣ3L*m>/O؏?`,+:v^e X ec{=G;xa^†>)& 66MEi6TkdѬmPTV*5TcEbX+FV-5Z5bŶ55DmcQX6ѶPY-QhK`Rhmj-ccjZ,m,hLcM[E PRP?EMkڪH1!/fk-U Wӗ>r</_ -)CK@PRFFC2TɢP1SIո}` !V!$II?csMSfVҕjmBemzt|ٟ9m4Rh>p@(ut!34\D˜J*-;<]XW ta?D` ! [aY~S,դi6caM˃[mJчI W;~mT2`EĶ|N:w9?:%Wd!ACX$ڧy 7&U kNs!o-#w+w9I>:jmI~ĵܢ*/`kР7h ~s~α Y-Y߇{Ҽ=n{"aEJؽYVg!Ӓ,[g-Hp$LK+ וl$͵HI?2}oFwˁlq &;ծ/s]f֬,E݁P 0Dq9I5`.5MEP C~~UOB}_s?Z3"tݣsc8f@] 0qa˂5MTC[zyxFΟﺙ\USa%*G~E?hR@*d]||^INe h"´_a&% B4 PЭP@DI,?ɠkt29O g):\pf? 9;I/ G? xFq-f1>,pBI.+Fla:V%}hcC`_7W@t "SduR}$h*UL}3aUJ,- ) Q5: Glre^mf *aZ{62 8ׅղ]"Z޸0kG'3YźJ.9a8 FVMhdh\(sX PI -d[8{di%1[es ys# d@c!W,n9x#;뮩bɄU0cd&R0]' 14BLdƖaIA[ NpV;oCul AeoMBIY%#gL%=k> uBitjg1s]K i-mkY勚*mFu/cj܃-`j duB f˩b,(~x2#DU̪h~j?e \47+zF!1}tRZ蹆,;2SK`$'U}+Ń29 oƒt kQگdb )*\*u6loKe1jU=*]t27L'=src͵0-PDo@n68dJHӆT7p{#eZDt{Q3[6)@AU*Zy+"AaPPDWaEM]U4hہ765"*Jt5\qcm&iz~-Vm J" 6қHY&2P⦸TF մEk+[R9f)P^"ʎaTZDh2Ao1_Iz&<9VU68aRdfIK 8}624lmm˯}t﮾^GUD;!TD ETPZQB(U@)((RIUI*QBQ@?S_' ɵMbtoձͭ^̊䴢/zi{nhjS;cƖ&a' sz,Em6V|#aDPee2(s^m|Bg.-`AR^"yTJл+mT1UHֈ#tTOWAЃ {}8~sS:*}~C.Jtt5kXB_z*IH3QR 6ly13g&%kns>,^-4W]/:6VtV>0F0cXS\-"Xs51&(Sj} X[V&Z+7J 4`Bĩ838F5kUD(m,K[[ZYE`9> #U|Q]%P [\唶/5G+)K%q0s ږ:0sB]Jam5ZUkclV(U6Meq Z>R@ Et"AVR/~nx?7,idn.OA9}hW/`*-I+oeMVʧhz2jp=UʦI}slY1Y\lB +M\8-,33/y95#'A&W]dcqr6IB%{ؿ&"bB" BPXKTZ)kC/siZJY=쵊ZD4 1lpQVL-t\B k(d]E5EhE@!/e1>" ? wa}t |;8m2;"7ꞁQ ȇ~"xZ?{qC.P蠿 `uqL "7S,тy߃@{PKslJO{6^ճeu*=d7[z5֞. ِRLB`tI~]xPPB=/1n7Tiߨ7[ajq!dd'_xy-k;h&&L7_~_0r~i>hx()L5fVuNaR( ZRaC"XvO hV|%z Uk,l s 糮ĿE%!6E0 O1PG(_:CAٛ!vC9/'PϻD4 rgrt&0E)ῼBYиNPX)ܓLd/>O/^hT` ۍXαPb wW?,;UF^Կǹ}_lsC m2J]Ų.㉴T݊W1lt }u0*acXnɠ7UyD{1[r孭}HT}@wc zٴ ~RIB^ qfN$0z-zK) ޘ |!ZuL$QfowdHhoU7Bg=8ߐ|1tpoEu3wku7}VX+v]R2蚋<'P g`gFD_FpzAr>Klr:|bRMRXB۝{Ywo$νBB`r J mkH[.sUm'[Hu{K@V0N[^~"]8a(0ӌ0 |`/.x%Iʂ m0eq&p/ҿb`զΧXI/.WRPFiv+VJ/!b;0bBOM2f&iQG oڷxR#1ek%O*N0WQj`<џD,2:>!TS[z /v>iZˏE$rY M6SFaZɴwn̠Qs딺;h9F|MfL Ӿ{Zʙi%0M0Rn.~RG w$u{+IOּ6B6__Y ɿ+H4tˇh ՚f=oZ U7| JjmHG$׹2I$:`X`|Lagk;'D1@o? (JV[+N!bnVӜ6Fv^ 2 h3}T"`.ړBݍ""bڲk`]ݷY)Xҩ-6I|vpnkpB\5JlԞ7},fWTj2~bMҡ$:^ Gf, G!GlRYM08]yڡݪjhb\@{i_Ⱥ{LO[٦ yʱzme&ʟn"?eR,R$i#Rg񀌑曆EF&x>_VOi5dSܴce}/+u . >}`.,)hX'ϿtEC#a%!pPvU3b>/ر]oi:8n1y=j.e{|h[]=Cqg+7Ey@`2sil?k[F"YeG0n8U#8Q. y‘9^M%0)ډ ,c cߍ"NJ/Ҡ#Z+:_x$I?7cEOf(deRf9UldC8ئH̓Q[ Wh? - ?\, _b]<.~K `ɏɯ+*2V4TtF##S!\&kŹYh9Tj?[WC yd|'"jc0]qvΔF~"SDAoi@ɇOkŎKP$6w{Z|wGs ̻sbm`aJ D,]z:tbLb%R4=,U8[4Q nb޷X3Ӹ>0g+٘{FYc5p&*57b_muwn wY.uqYmkCxœ])ڐkn|\6vd.y9y7Ә⡤1[##Z]Y`5tB<(FlZ>K%k![v`UmS :,20.5d.|q9-k6"g\3ŶfC.,4LgϯjsɌyw]}?y${E<(iEf\֧֎==VQf*?p.9Q??(b[ >H fy2On я[]㥢2enϋc"t* JĠJp.X(tq)qn ?e9:Is_\W\BFP5lhI\F.^ @3_Ռ4$I$#jNa[) Χ_B?قqPA?$g"2 !gFoʑl =,B %|4NaXk-#HOGbd$D"(2\LiJOwlc|O-޼BA/5n-oeCaR٢z^6ECTn_ij;{DEk 0)<Eg; Ҭ%y4179trSMb:ƫn'Omc4nVi'IqhJhIǞ. M{P)J wFץ72#JA{68pRLDKIけ|& ∌$o0gG(96b̈סأ2$xJnqfGGhB L -v8[,/T|%:Hq0([[ZnsRY! .2.c>ݨ!ˋڞx44j^~o*0LܫJ#:d\;C3In[Z;*A| { Kbq09…ƭqUpup9-9ϵ5-ՑN}rͰ,;de!RΖ5ҍ,l]rT +! I] 0ѫa l14"qLcNس'y$4@C*[ؗ =mP2SӀJ ycL͊3u-7?B=+M 60f'ldQEJU#nӤ 'R@XPqn1/`I"C~o+P6tIxmS"gXlQkӅ$ljjuKPz_=lҎ7nÚg@CA~A -i9%a $ۉ~PȪ6rU턖JՎ?_8;tGre *Ed_-6큎ߛq3PyLޣ-4I0]10Ip%c\p寅Dhm7rs 5b %5l2&)ATTQ.TW,T@ݖz??Ew^j6S*~E=s _dgi:S'Q)!.ɑθonPdlN*gaOU(Y4y hdD1ŃP`දe}[PJ`yR/@c]6F$)afp/*qmop>􂛂3lb0n'JNWpq Mc*w~*/ow/HKXu˰DKDkF mRgEY]Ǜ;7L;jϓxSК} =~]Hw3,K>Iϐ|(M;;srQS( /|) V]v^n/{qϸrL&qvc84yH:f-|R)+\ N\BgT\ʢ"9Қhs=\_.["݆Jl&$=i_Q>/`̓N4ڴ"=ʏ?@u;&.p\6 ,?> ~+tQ9hǯ@H͓=r%X ﯮKBp5NZ@(=G,-sC4hlz+45W 8k[av[ұĔsu+ʲ^4Be / WL,`GCmgN 4+0an i;B163`o j%peF ĿG8YB{D^5OCvl%$G\Bndzv^<wN16iɞ{NފDgcxsě3<\JSږ~aė{JDτQ$hHUt؟B/~[F0vդphE|fg6 6{(r9|G2Qb'p}'Z*7t>enCLEX\.62H ZÜDX:7tMw iZO1OB-uz)HL1y%4ٲz[b%=ã@{j"(N(nsTw n:ć)#Bix CwM` eg]L'Ay¯ZqXE7B<ԋ]/7ddvL snnlMcՉ p`Wea1\'/$iӑ^bc ^;坷kX>Ԯ8۝MA^]1meң/Pi)?N#"xruA,,yIX9#3 /-I%ÔHeY1sƅ1TNK7 ²qk=cIMl>p^(O8./9*7BGM6YDuM& |qbAV ^]c*|}&rƑ H U-yî#&3X b<'P=(g0 bߝ;[S{Ϋu@:B˟8^Zj'/3gD_R L+o{nE, 5Ag͢ 3񇹆g N^S)4ĸBIJǘ\5īm3Vihvi d}5|*m5hBt548}S0[ٺ(ܼΞ0f$ؽ| 8ܯ\̢{X{.3(7/o uXD"̽ڌ m%-tV'ÖTmmۥi z̜#}̕0 lq$6+:)bx.SGf>Vo02ҁn#2aA Aߘ9H 0],jF;g+CGo& zVt 3F-fBe'+HmrI͍;S'ӞPGkJU-߆R'Xliz$tr|%) 1z]Y$k@F=,~|<ɩZ1y r6$'_x:ϫPύ*8]Vܡ%'V`I!i9(#̓ﰡQ[ #DC-AanB0#p+n/gKl~L jô{Svr(fBѮT_`plrW1?vKa ri=@6@"ruD(zEp)i7)܍︿ [WPz#Ƒ̺>OC3obj&>` Pkp8 N{f90&|@ p.g#5ZCL:/O%S=/̏>'} xGkUN\~`ӣf<: M3B=*7SD~& Y1M: !+C% K pP SNt0.vlߛUFfkCQzv|ǡǹ9f/i=f%m&ŕ(CX*Z |=W з(EOb3fWJ<Ix'D(2 nj%Z5s\LQb b܅3|Teqm02ZLNt4 BMEXzz'?7ci{㏔"GKd YHDZ!wĈQ|~`c8T=6 lΥ0eG(fGMknC9]ٚf"c;4 2u3 -Z6.B_WkF6Iv@C,ZζSt?fm3`s/xPmw~"u٭hpw@̗RrU0-X=RTGZ (ײKÒMmp* .JQtC9Ep2Gmj<^2m:H(#YTj15%h !,$k \]|O_0 e|(8.&{Bխz@q[2BA,eޖ:g,@*إ(9iw!"ZlNU]4E YKX&ZV/9(ԍ'_ /&uĽ'/黋=e-L( AIk'DRd)TnhJfz"t?2E4cf?juKeɲx3Xf9?jCѷ='hs + S"X˕%,z涞 im (sZ23R|£C=E@ph%T|$ypB0__f7 Ym@ G*fu*L ռtq8c}5 YV$z`2|5<|l8`ȱcG@,7 iQ@!9:л WPʫIfSO1z *hRHZ4 7!_/B\40-6  ;I<>E47-`PcqEoN@rVZRP @8Ӕ☫E8Wm3E;ȯOe蛈XDbyAUNy3~MzZcyEկF{GnWޟu5d qg> Pʐ(u䂥pg16*mDY)t\h*Slh+S|dqM!1$ y)_%I%ûִ`FY~|q\X_7EϮiҍI|G Vrq%!2dnrPylqtJt(Uc>+ξ_RtAUQ1n#@>õG}%gP0mi:14R3Cs<}Py!}mFA g-t_*kьTOn3 i!D\*:}O1۬T" M= -Yڀ͆QJ }!@gJ  X~Wf:PRÁqZ 蓏c: `O)T{dAsY3Z_%jqnid)$m\`G:Hɻٸo<@ ~u% ]b_L1vpO2/ cW.#6CplƐA qZ.2s둟H|bKm'0fQ2IuDʔMbj;+4( /^x z9ؔH{Z'_aqs/`YC;"Z$^^ھ=M!Ú"'ƴ!l1cϫʚzS[Q$-szjU_L1jy8oIeN]ȪWx{oqp7")+3c^Ff|Tae إnu#jLxwQkj^ݦML=e2] +,ژ8|(tp :.\BvnlfSN'KfHe-_8sdz&: }pX@$*g*R2k!Q qi 4#$Mƣ9Z;Hr%coOCgG&yg#7b-i%a|'חDɆqe/dWSePF9u>:LO z:U}^2.jRPSKӣ%GlX¯w` 5Q辁̵H>B팥H49+dy;ͫCQ`~(nqS>W% .VK,2P?9оaf(:aH4; Kj}D4AgH Qz !w6Pe~K mz:Ġ,|!)dr݄kR 1q8c޿ Nh〆/? O*~{Ew=1U")?c8%6ġ!vꔲTC-:&$7}C:  Jhze:;0]u13?9׃/>U:h}*68 .8cϒ? Rj?"aoiԘ߿WjEzdLHClX$#Z;8,HBIo3Zeg|]~ ;~_,~$Қ|9׿jvYTL20i9% 7#QʹI?!UV( #,;̜? ք!+հVj)ԍ7dX% [*pM;<_,]164 ܂zMa]bE>IaT=tT;OpdQFaTPf1_4h2h6lYxJinCW̆έSd]_6B/+}y[j_:A9Rs ?oFJ#> B a.R˔u0oԺ$0Wr ySy&LvСSߝL@"phI8Ĝ!+$ p6Pz r.'ɉuZss R:pAcqH3΍!{vx_}ӑ}`Ýq򄈌`DVKZZ_MG#QɃ$FNx?T!N~b b.W!噕,"OcY?jt߬ym _RAJ`t?o(qlBli|+꟢_HLbRnF?7;‰&i;Df\ڌqF*]hhD?v[rD8o+ O5zY&^kVh@Eߧ,`W yh]5"vpm#yǀR@A{C`<ܚv+zU(HG= t#Ui+^@m0IŊ,lXǢ- ,F>2s|:%wO;x,夋!.p꿶[Icۯ+M\L#GZOЎ~{? *yOF9Q2lK׻OUZ cwۘ ߋz|F""H%lA,ŝK26|*AJr&`'B]QnۊhcDeþE,K!.ycnGVҋ>,S.E--KG!hv23!*u*t683N K%bt$lQqh~!?g>=T!j^*0Ntܵ_in$Ul]w++ &MAX]/ّ1\zEb`? :BA{O3u1+1Tt|3ޱ O'Cͦ&QK#] ^hia_ \8"etqxUx/sIa\H~R pBX#*Z%NS nOaŢ] C7 5wF ]:ѡF(2FK"_\7]tf+(Bo 9^&oyrRԾ;,1An…~nn| \T'ΒMndqD'o?} n9'{m?ETaVf9݅+'^.NP&HM Tyta 8b 6FJw~_BS,*XG/!q XApv_Z-+HgJks#& bQH ׃+BfJ${6XbLY}UɲX U7kN\(!oHTG{>_|Oe^XbD~IMUoU"t-CMGd0fn%.R$Kji >gEU=aS7@¯xa*Bq vp&%t( 0~svSO'Ja`q c׮+'ġ^콛 &ԝw85XD{Y&Ǧ & wb ͷقEAGbP-[!aIXg.cOV1{Qa٦@*V\s͹)9?*uZ[$|8U}(Z^ #FM!.l. `pF{fC]SF:/\$qͬMkhN 2'˫ko8wS_ޓ5-`Z'H <QG'HpbWV~z ϱi}QP'm(bV=ҨC0\PC$=Pd庨Ƌs4+κf28ʒ uFw!я/e }T#ӥW!gG#)t<'9?lmp5OkryJj̒Ojg0MZ=hJP9wm..AZ%:sۣh`n;74tb߮KI r /QT=Q_w0y.TM Vm~aZzwe^=` *6~\&G8olCls6yY4D m=F'p={L P({UwD#?\R=hi^vvg&^`P y8_p\M/Uf1O4nuD ANN&`,:[@'! q.` 诘4IVi&Ϗ{Z!<ţ3/Tzh|Oл|$i*\bPۨS88x 6a;ݽ"f2Ay hOra$A&x҅968ȅ]a~|!5ՌZHl̈E`XpWì.3ՙMݼ0W/>;Ibw}?R?a,n6X ÆDI2fˆA[Շi#6}Df)(<] ,Y~<$GuҁJF┢^Ԫ]fSpz” ԥ]5m,bB? Ϋ&y+$WdzPqW&{rGbv ^2NQPVvò|xǏ\<ݜ<V8-Qv3\U6S>QgZѰWu#,?\=C\x:X#!wy8ceZ'3=jR*Qp{D $=4=1v r*[,1~* 2?)bťn@ i-TBKc& #sc;AòiY]`=&s|WZ쫃pl#ᣥ1cE߁ UG,Ȍ s/}JGzyshE>kDf|&;`^0wxY3~^j@I2Ъu^9m%w*!RAꏔ^FjM)VS1췸oҦ~#te@0)_) A _ 3v=%wՍښ25f ̺"B TD3hOvCc)Y_q[Xe5No;&^A`qOqڎ;Vep/I_zGsI=<{zCD_vd/aǷ(wzҕL2Tdzs 15VCh}#ҷ zQ4JO9 * mG.NtE 6~݊ ON%E{ξjdvgΓf1 D|jM~|Qiuo~?5*[rv\ōDOLCp ^FۢG,a>$g28<) UH'% +{%4meo6X~H@ß߱! jܬkʰ%uV 5[j\~i,+̤zRP?j>((҂r`'5qHNT4S' lkdkVMά8?!DF7?WƓp>^ Oe; [Pb0/ʧM~b!_@H/x$8J;~"moXA@M>Bi' &0'}1j; @ \et. ۻV6dپR+MeO#$P>mΤc2B  )'WN gjqeU)8 ^TރvIt0zEd☙SGaX krhJ <&e(q7̲;ܼuSҰڟ ?/MM6ᓓKfXlׁz0ԦJ4k5~^/g}>c~['McxڞjHkp!cxvz`ذMPmkRtef[E3c y}䯼(lwR,'\ڄ=/"(T]cNLnyL{S#~?@&k·3Jf=xO$D𨕴䪫F\bCqWڳ 'C| 5l֒M'd|_$(#_a`l[O-!xˏ%q['%ט%{J4ߐ_^=/:to4o.s}]R#ݤwmzy? ,X 8 veu"]}:kb )5%IQC7O)EҒS(SU^Z̅|!!6A}=QiɎ;'En X7Br=mr#٢I\r^}{9DBB ?aW]Dn7;^T(feMw"!s.$%|{GQ*;kW'nuNS^ :llm2/C/0pV޽5YU8^ -dF}L3mW3FQKZ4 ]|oVo_#˥ 6*%~U'/7#UV$C MgqNrp*n.U>Jk)f1/Q gqߟȼ{JzD/5h<_c~Р`*FwIuE^b_RsSR+L!x 3 'G' JD-X%hC+tcÀ)cCYZsR¨4GO$ұ] ͕vI`0Cqo\N-T w\#Tg2g6: 0}:u,%+NK\N&`k7_ىJ9J∉IB`6p(`VҶb }b65DzܒY]L2lՄzbJɠȚWL8' 9LzW@X.vo2AYZc޳"˄>AHk(s6MP5^ÊiTYi{k5ZZ2[0{?N|%\98"+f gMs9Y"6b"FxW#~u1 uCf"39\)΄.cRws n%@J9zȗ'a%mKiii zBHtufJa{UR/Z#_1hsm] Z)Qdb^<Øx9z߭T IǙ\8p=DZ/~b]@`BHKY6<н*Nsҕ!R !*pRY,ZkkTב+ j6u=L8xA* XH+$uN2\jtn2y1LrbzfQ6;ҡ ~4.&cU @t}(cZRD;xE]Y`IhB{}nB q A¥={ʴH UMԄ4U1j&[nL$G4x͸\KxJdSƴ=/eUjݖ֤aon}6M 7+"]‡XiBDmzyF}}aTL狨B!E d }ttoxpȒ}JTG^J2UIHIrFfxL5\g<:|lx?!WU!NOPvuS|KٓPn>QgAD@;LPͮYN ܑ21+R[jݽ0sߪӫ2q0(J/a\rkwmPD !c6PKٓW7&Ӝc+)r4c&݁?݆u:z q=݂)bJ)N VG,Ī;$Nvݜ$""=j3"JkXM'+҄ V7r]R1 FsZvh'#DN묤/H;2Sn/C?Q)Zt<\;w7J9_?=}GGoĵNU$EMzIv8U%9 1`&4ueT=SmGA 6VI:Mr,ZP RiBiGaīe8ruQu“0T,fa+M0C ]׵lE6oΪi="ku%BsIxlBOr#%!Rh 0\߫JNծ遒ʦZC , ٞۗ LOkS!]Nזa%NdH _·/G2p8 oUiY/M鸠)[2KnSZHFԡg4 " t Od_0*y7l₱V>jQZ1DգȀZ]G{.w?)_wcQ| ]jŕ_N&{&p[W®kG&K7g|֟Y %/[k7=Ol?o L5b5vkϢQ:Rf7.0/<ؾZd,/ѺGj`("/fbB|4Jy!Mbo=J q ^(0h&_{μ׽6e4ݚr4R[rB4U#H5_wq/)8' Odyi$' ='k?KošT뿯D]ڦbۿ91uzaV.`i_'Pf:*uG8=+!ݶ# K9Aл )ǵrj3y}]&1ӧeTyjh)_qW+-AVswL5V_ L=!d#9)_H(>]e^vq Wfa?{iâ "@q?o93 A:$GtScSH#ZܬJ'cEŸ9Dz #4Lդ6a"?>kw5XD-|iĻϰ6Ψa<Uѽ!mcP'>n0|oobEĚuz%mlS(d 'E1i}Pl_sDj!{i 86)=ȥ2O"Q0j"  $Q͈ YZ