From 948137be5923961acd6726f275d4e9bb3ddfbbfe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Thu, 10 Aug 2023 16:58:04 +0200
Subject: [PATCH 01/39] Add details on use of ciphers from other modules
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
---
 .../psa-migration/md-cipher-dispatch.md       | 50 +++++++++++++------
 1 file changed, 36 insertions(+), 14 deletions(-)

diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md
index 355f5618dd..ba76f494b6 100644
--- a/docs/architecture/psa-migration/md-cipher-dispatch.md
+++ b/docs/architecture/psa-migration/md-cipher-dispatch.md
@@ -110,23 +110,45 @@ For the purposes of this work, three domains emerge:
 
 #### Non-use-PSA modules
 
-The following modules in Mbed TLS call another module to perform cryptographic operations which, in the long term, will be provided through a PSA interface, but cannot make any PSA-related assumption:
+The following modules in Mbed TLS call another module to perform cryptographic operations which, in the long term, will be provided through a PSA interface, but cannot make any PSA-related assumption.
 
-* CCM (block cipher in ECB mode; interdependent with cipher)
-* cipher (cipher and AEAD algorithms)
-* CMAC (AES-ECB and DES-ECB, but could be extended to the other block ciphers; interdependent with cipher)
-* CTR\_DRBG (AES-ECB, but could be extended to the other block ciphers)
-* entropy (hashes via low-level)
+Hashes and HMAC (after the work on MD-light):
+
+* entropy (hashes via MD-light)
 * ECDSA (HMAC\_DRBG; `md.h` exposed through API)
-* ECJPAKE (hashes via md; `md.h` exposed through API)
-* GCM (block cipher in ECB mode; interdependent with cipher)
-* md (hashes and HMAC)
-* NIST\_KW (AES-ECB; interdependent with cipher)
+* ECJPAKE (hashes via MD-light; `md.h` exposed through API)
+* MD (hashes and HMAC)
 * HMAC\_DRBG (hashes and HMAC via `md.h`; `md.h` exposed through API)
-* PEM (AES and DES in CBC mode without padding; MD5 hash via low-level)
-* PKCS12 (cipher, generically, selected from ASN.1 or function parameters; hashes via md; `cipher.h` exposed through API)
-* PKCS5 (cipher, generically, selected from ASN.1; HMAC via `md.h`; `md.h` exposed through API)
-* RSA (hash via md for PSS and OAEP; `md.h` exposed through API)
+* PKCS12 (hashes via MD-light)
+* PKCS5 (HMAC via `md.h`; `md.h` exposed through API)
+* RSA (hash via MD-light for PSS and OAEP; `md.h` exposed through API)
+* PEM (MD5 hash via MD-light)
+
+Symmetric ciphers and AEADs (before Cipher-light work):
+
+* PEM (AES and DES in CBC mode without padding)
+       AES and DES: setkey_dec + crypt_cbc
+       (look at test data for DES)
+* PKCS12 (cipher, generically, selected from ASN.1 or function parameters; `cipher.h` exposed through API)
+       setup, setkey, set_iv, reset, update, finish (in sequence, once)
+       no documented restriction, block cipher in CBC mode in practice
+       (padding?)
+       (look at test cases)
+* PKCS5 (cipher, generically, selected from ASN.1)
+       only DES-CBC or 3DES-CBC
+       (padding?)
+       setup, setkey, crypt
+* CTR\_DRBG (AES-ECB, but could be extended to the other block ciphers)
+        setkey_enc + crypt_ecb
+* CCM (block cipher in ECB mode; interdependent with cipher)
+        info, setup, setkey, update (several times), (never finish)
+* CMAC (AES-ECB and DES-ECB, but could be extended to the other block ciphers; interdependent with cipher)
+        info, setup, setkey, update (several times), (never finish)
+* GCM (block cipher in ECB mode; interdependent with cipher)
+        info, setup, setkey, update (several times), (never finish)
+* NIST\_KW (AES-ECB; interdependent with cipher)
+        info, setup, setkey, update (several times), (never finish)
+* cipher (cipher and AEAD algorithms)
 
 ### Difficulties
 

From 36cd3f9f8ef6edbf9c7ba16a442117ddfa506748 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Fri, 11 Aug 2023 10:06:42 +0200
Subject: [PATCH 02/39] Add tentative definition of Cipher light
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
---
 .../psa-migration/md-cipher-dispatch.md       | 51 +++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md
index ba76f494b6..488cf20db9 100644
--- a/docs/architecture/psa-migration/md-cipher-dispatch.md
+++ b/docs/architecture/psa-migration/md-cipher-dispatch.md
@@ -499,3 +499,54 @@ The architecture can be extended to support `MBEDTLS_PSA_CRYPTO_CLIENT` with a l
 
 * Compile-time dependencies: instead of checking `defined(MBEDTLS_PSA_CRYPTO_C)`, check `defined(MBEDTLS_PSA_CRYPTO_C) || defined(MBEDTLS_PSA_CRYPTO_CLIENT)`.
 * Implementers of `MBEDTLS_PSA_CRYPTO_CLIENT` will need to provide `psa_can_do_hash()` (or a more general function `psa_can_do`) alongside `psa_crypto_init()`. Note that at this point, it will become a public interface, hence we won't be able to change it at a whim.
+
+### Cipher light
+
+#### Definition
+
+**Note:** this definition is tentative an may be refined when implementing and
+testing, based and what's needed by internal users of Cipher light.
+
+Cipher light will be automatically enabled in `build_info.h` by modules that
+need it. (Tentative list: PEM, PCKS12, PKCS5, CTR\_DRBG, CCM, CMAC, GCM,
+NIS\_KW, PSA Crypto.) Note: some of these modules currently depend on the
+full `CIPHER_C` (enforced by `check_config.h`); this hard dependency would be
+replace by the above auto-enablement.
+
+Cipher light includes:
+- info functions;
+- support for block ciphers in ECB mode (to be confirmed: supporting one block
+  at a time could be enough);
+- support for block ciphers in CBC mode with no padding (to be confirmed: do
+  we need a padding mode?);
+- support for both the "one-shot" and "streaming" APIs for block ciphers.
+
+This excludes:
+- the AEAD/KW API (both one-shot and streaming);
+- support for stream ciphers;
+- support for other modes of block ciphers (CTR, CFB, etc.);
+- support for (other) padding modes of CBC.
+
+The following API functions, and supporting types, are candidates for
+inclusion in the Cipher light API, with limited features as above:
+```
+mbedtls_cipher_info_from_psa
+mbedtls_cipher_info_from_type
+mbedtls_cipher_info_from_values
+
+mbedtls_cipher_info_get_block_size
+mbedtls_cipher_info_get_iv_size
+mbedtls_cipher_info_get_key_bitlen
+
+mbedtls_cipher_init
+mbedtls_cipher_setup
+mbedtls_cipher_setkey
+mbedtls_cipher_set_padding_mode
+mbedtls_cipher_crypt
+mbedtls_cipher_free
+
+mbedtls_cipher_set_iv
+mbedtls_cipher_reset
+mbedtls_cipher_update
+mbedtls_cipher_finish
+```

From 839d3580bd9eb1bba89887c515837a871c0078aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Fri, 15 Sep 2023 21:27:19 +0200
Subject: [PATCH 03/39] Update details of modules using cipher operations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
---
 .../psa-migration/md-cipher-dispatch.md       | 82 +++++++++++++------
 1 file changed, 57 insertions(+), 25 deletions(-)

diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md
index 488cf20db9..6bd0694c47 100644
--- a/docs/architecture/psa-migration/md-cipher-dispatch.md
+++ b/docs/architecture/psa-migration/md-cipher-dispatch.md
@@ -112,7 +112,7 @@ For the purposes of this work, three domains emerge:
 
 The following modules in Mbed TLS call another module to perform cryptographic operations which, in the long term, will be provided through a PSA interface, but cannot make any PSA-related assumption.
 
-Hashes and HMAC (after the work on MD-light):
+Hashes and HMAC (after the work on driver-only hashes):
 
 * entropy (hashes via MD-light)
 * ECDSA (HMAC\_DRBG; `md.h` exposed through API)
@@ -124,31 +124,63 @@ Hashes and HMAC (after the work on MD-light):
 * RSA (hash via MD-light for PSS and OAEP; `md.h` exposed through API)
 * PEM (MD5 hash via MD-light)
 
-Symmetric ciphers and AEADs (before Cipher-light work):
+Symmetric ciphers and AEADs (before work on driver-only cipher):
 
-* PEM (AES and DES in CBC mode without padding)
-       AES and DES: setkey_dec + crypt_cbc
-       (look at test data for DES)
-* PKCS12 (cipher, generically, selected from ASN.1 or function parameters; `cipher.h` exposed through API)
-       setup, setkey, set_iv, reset, update, finish (in sequence, once)
-       no documented restriction, block cipher in CBC mode in practice
-       (padding?)
-       (look at test cases)
-* PKCS5 (cipher, generically, selected from ASN.1)
-       only DES-CBC or 3DES-CBC
-       (padding?)
-       setup, setkey, crypt
-* CTR\_DRBG (AES-ECB, but could be extended to the other block ciphers)
-        setkey_enc + crypt_ecb
-* CCM (block cipher in ECB mode; interdependent with cipher)
-        info, setup, setkey, update (several times), (never finish)
-* CMAC (AES-ECB and DES-ECB, but could be extended to the other block ciphers; interdependent with cipher)
-        info, setup, setkey, update (several times), (never finish)
-* GCM (block cipher in ECB mode; interdependent with cipher)
-        info, setup, setkey, update (several times), (never finish)
-* NIST\_KW (AES-ECB; interdependent with cipher)
-        info, setup, setkey, update (several times), (never finish)
-* cipher (cipher and AEAD algorithms)
+* PEM:
+  * AES, DES or 3DES in CBC mode without padding, decrypt only (!).
+  * Currently using low-level non-generic APIs.
+  * No hard dependency, features guarded by `AES_C` resp. `DES_C`.
+  * Functions called: `setkey_dec()` + `crypt_cbc()`.
+* PKCS12:
+  * In practice: 2DES or 3DES in CBC mode with PKCS7 padding, decrypt only
+    (when called from pkparse).
+  * In principle: any cipher-mode (default padding), passed an
+    `mbedtls_cipher_type_t` as an argument, no documented restriction.
+  * Cipher, generically, selected from ASN.1 or function parameters;
+    no documented restriction but in practice TODO (inc. padding and
+    en/decrypt, look at standards and tests)
+  * Unconditional dependency on `CIPHER_C` in `check_config.h`.
+  * Note: `cipher.h` exposed through API.
+  * Functions called: `setup`, `setkey`, `set_iv`, `reset`, `update`, `finish` (in sequence, once).
+* PKCS5 (PBES2, `mbedtls_pkcs5_pbes2()`):
+  * 3DES or DES in CBC mode with PKCS7 padding, both encrypt and decrypt.
+  * Note: could also be AES in the future, see #7038.
+  * Unconditional dependency on `CIPHER_C` in `check_config.h`.
+  * Functions called: `setup`, `setkey`, `crypt`.
+* CTR\_DRBG:
+  * AES in ECB mode, encrypt only.
+  * Currently using low-level non-generic API (`aes.h`).
+  * Unconditional dependency on `AES_C` in `check_config.h`.
+  * Functions called: `setkey_enc`, `crypt_ecb`.
+* CCM:
+  * AES, Camellia or Aria in ECB mode, encrypt only.
+  * Unconditional dependency on `AES_C || CAMELLIA_C || ARIA_C` in `check_config.h`.
+  * Unconditional dependency on `CIPHER_C` in `check_config.h`.
+  * Note: also called by `cipher.c` if enabled.
+  * Functions called: `info`, `setup`, `setkey`, `update` (several times) - (never finish)
+* CMAC:
+  * AES or DES in ECB mode, encrypt only.
+  * Unconditional dependency on `AES_C || DES_C` in `check_config.h`.
+  * Unconditional dependency on `CIPHER_C` in `check_config.h`.
+  * Note: also called by `cipher.c` if enabled.
+  * Functions called: `info`, `setup`, `setkey`, `update` (several times) - (never finish)
+* GCM:
+  * AES, Camellia or Aria in ECB mode, encrypt only.
+  * Unconditional dependency on `AES_C || CAMELLIA_C || ARIA_C` in `check_config.h`.
+  * Unconditional dependency on `CIPHER_C` in `check_config.h`.
+  * Note: also called by `cipher.c` if enabled.
+  * Functions called: `info`, `setup`, `setkey`, `update` (several times) - (never finish)
+* NIST\_KW:
+  * AES in ECB mode, both encryt and decrypt.
+  * Unconditional dependency on `AES_C || DES_C` in `check_config.h`.
+  * Unconditional dependency on `CIPHER_C` in `check_config.h`.
+  * Note: also called by `cipher.c` if enabled.
+  * Note: `cipher.h` exposed through API.
+  * Functions called: `info`, `setup`, `setkey`, `update` (several times) - (never finish)
+* Cipher:
+  * potentially any cipher/AEAD in any mode and any direction
+
+Note: PSA cipher is built on Cipher, but PSA AEAD directly calls the underlying AEAD modules (GCM, CCM, ChachaPoly).
 
 ### Difficulties
 

From ca18b7747e7738788df26c06c581e9c0f7c6a92a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Tue, 10 Oct 2023 09:45:28 +0200
Subject: [PATCH 04/39] Update definition of Cipher light
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
---
 .../psa-migration/md-cipher-dispatch.md       | 45 ++++++++++---------
 1 file changed, 24 insertions(+), 21 deletions(-)

diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md
index 6bd0694c47..3feda1115f 100644
--- a/docs/architecture/psa-migration/md-cipher-dispatch.md
+++ b/docs/architecture/psa-migration/md-cipher-dispatch.md
@@ -537,48 +537,51 @@ The architecture can be extended to support `MBEDTLS_PSA_CRYPTO_CLIENT` with a l
 #### Definition
 
 **Note:** this definition is tentative an may be refined when implementing and
-testing, based and what's needed by internal users of Cipher light.
+testing, based and what's needed by internal users of Cipher light. The new
+config symbol will not be considered public so its definition may change.
 
 Cipher light will be automatically enabled in `build_info.h` by modules that
-need it. (Tentative list: PEM, PCKS12, PKCS5, CTR\_DRBG, CCM, CMAC, GCM,
-NIS\_KW, PSA Crypto.) Note: some of these modules currently depend on the
-full `CIPHER_C` (enforced by `check_config.h`); this hard dependency would be
-replace by the above auto-enablement.
+need it, namely: CTR\_DRBG, CCM, GCM. Note: CCM and GCM currently depend on
+the full `CIPHER_C` (enforced by `check_config.h`); this hard dependency would
+be replaced by the above auto-enablement.
 
 Cipher light includes:
 - info functions;
-- support for block ciphers in ECB mode (to be confirmed: supporting one block
-  at a time could be enough);
-- support for block ciphers in CBC mode with no padding (to be confirmed: do
-  we need a padding mode?);
-- support for both the "one-shot" and "streaming" APIs for block ciphers.
+- support for block ciphers in ECB mode, encrypt only (note: in Cipher, "ECB"
+  means just one block, contrary to PSA);
+- the one-shot API as well as (part of) the streaming API;
+- only AES, Aria and Camellia.
 
 This excludes:
 - the AEAD/KW API (both one-shot and streaming);
 - support for stream ciphers;
-- support for other modes of block ciphers (CTR, CFB, etc.);
-- support for (other) padding modes of CBC.
+- support for other modes of block ciphers (CBC, CTR, CFB, etc.);
+- DES and variants (3DES).
 
 The following API functions, and supporting types, are candidates for
 inclusion in the Cipher light API, with limited features as above:
 ```
-mbedtls_cipher_info_from_psa
 mbedtls_cipher_info_from_type
-mbedtls_cipher_info_from_values
-
 mbedtls_cipher_info_get_block_size
-mbedtls_cipher_info_get_iv_size
-mbedtls_cipher_info_get_key_bitlen
 
 mbedtls_cipher_init
 mbedtls_cipher_setup
 mbedtls_cipher_setkey
-mbedtls_cipher_set_padding_mode
 mbedtls_cipher_crypt
 mbedtls_cipher_free
 
-mbedtls_cipher_set_iv
-mbedtls_cipher_reset
 mbedtls_cipher_update
-mbedtls_cipher_finish
+(mbedtls_cipher_finish)
 ```
+
+Note: `mbedtls_cipher_info_get_block_size()` can be hard-coded to return 16,
+as all three supported block ciphers have the same block size (DES was
+excluded).
+
+Note: `mbedtls_cipher_finish()` is not required by any of the modules using
+Cipher light, but it might be convenient to include it anyway as it's used in
+the implementation of `mbedtls_cipher_crypt()`.
+
+#### Cipher light dual dispatch
+
+This is likely to come in the future, but has not been defined yet.

From 2daee0410e725ef5ef5beb34d80ac35bbd88ac79 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Tue, 10 Oct 2023 09:55:03 +0200
Subject: [PATCH 05/39] Update list of modules using hashes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
---
 docs/architecture/psa-migration/md-cipher-dispatch.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md
index 3feda1115f..76081deef4 100644
--- a/docs/architecture/psa-migration/md-cipher-dispatch.md
+++ b/docs/architecture/psa-migration/md-cipher-dispatch.md
@@ -118,9 +118,11 @@ Hashes and HMAC (after the work on driver-only hashes):
 * ECDSA (HMAC\_DRBG; `md.h` exposed through API)
 * ECJPAKE (hashes via MD-light; `md.h` exposed through API)
 * MD (hashes and HMAC)
+* HKDF (HMAC via `md.h`; `md.h` exposed through API)
 * HMAC\_DRBG (hashes and HMAC via `md.h`; `md.h` exposed through API)
 * PKCS12 (hashes via MD-light)
 * PKCS5 (HMAC via `md.h`; `md.h` exposed through API)
+* PKCS7 (hashes via MD)
 * RSA (hash via MD-light for PSS and OAEP; `md.h` exposed through API)
 * PEM (MD5 hash via MD-light)
 

From 301d2a29a72292d4654be1929007e33fe69334ed Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Tue, 10 Oct 2023 10:02:03 +0200
Subject: [PATCH 06/39] Update to MD light section
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mostly to reflect this has been implemented, and remove references to
temporary remains from the previous strategy (hash_info, legacy_or_psa)
which would probably be more confusing than helpful at this point.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
---
 .../psa-migration/md-cipher-dispatch.md       | 32 +------------------
 1 file changed, 1 insertion(+), 31 deletions(-)

diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md
index 76081deef4..12b486a46a 100644
--- a/docs/architecture/psa-migration/md-cipher-dispatch.md
+++ b/docs/architecture/psa-migration/md-cipher-dispatch.md
@@ -323,8 +323,6 @@ These problems are easily solvable.
 
 ### MD light
 
-https://github.com/Mbed-TLS/mbedtls/pull/6474 implements part of this specification, but it's based on Mbed TLS 3.2, so it needs to be rewritten for 3.3.
-
 #### Definition of MD light
 
 MD light is a subset of `md.h` that implements the hash calculation interface described in ”[Designing an interface for hashes](#designing-an-interface-for-hashes)”. It is activated by `MBEDTLS_MD_LIGHT` in `mbedtls_config.h`.
@@ -454,31 +452,7 @@ Note that this assumes that an operation that has been started via PSA can be co
 
 #### Error code conversion
 
-After calling a PSA function, call `mbedtls_md_error_from_psa` to convert its status code. This function is currently defined in `hash_info.c`.
-
-### Migration to MD light
-
-#### Migration of modules that used to call MD and now do the legacy-or-PSA dance
-
-Get rid of the case where `MBEDTLS_MD_C` is undefined. Enable `MBEDTLS_MD_LIGHT` in `build_info.h`.
-
-#### Migration of modules that used to call a low-level hash module and now do the legacy-or-PSA dance
-
-Switch to calling MD (light) unconditionally. Enable `MBEDTLS_MD_LIGHT` in `build_info.h`.
-
-#### Migration of modules that call a low-level hash module
-
-Switch to calling MD (light). Enable `MBEDTLS_MD_LIGHT` in `build_info.h`.
-
-#### Migration of use-PSA mixed code
-
-Instead of calling `hash_info.h` functions to obtain metadata, get it from `md.h`.
-
-Optionally, code that currently tests on `MBEDTLS_USE_PSA_CRYPTO` just to determine whether to call MD or PSA to calculate hashes can switch to just having the MD variant.
-
-#### Remove `legacy_or_psa.h`
-
-It's no longer used.
+After calling a PSA function, call `mbedtls_md_error_from_psa` to convert its status code.
 
 ### Support all legacy algorithms in PSA
 
@@ -517,10 +491,6 @@ static inline psa_algorithm_t psa_alg_of_md_info(
 
 Work in progress on this conversion is at https://github.com/gilles-peskine-arm/mbedtls/tree/hash-unify-ids-wip-1
 
-#### Get rid of the hash_info module
-
-The hash_info module is redundant with MD light. Move `mbedtls_md_error_from_psa` to `md.c`, defined only when `MBEDTLS_MD_SOME_PSA` is defined. The rest is no longer used.
-
 #### Unify HMAC with PSA
 
 PSA has its own HMAC implementation. In builds with both `MBEDTLS_MD_C` and `PSA_WANT_ALG_HMAC` not fully provided by drivers, we should have a single implementation. Replace the one in `md.h` by calls to the PSA driver interface. This will also give mixed-domain modules access to HMAC accelerated directly by a PSA driver (eliminating the need to a HMAC interface in software if all supported hashes have an accelerator that includes HMAC support).

From f1878d89741ed968b55c2a10ce5d996073bd74bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Thu, 12 Oct 2023 11:19:00 +0200
Subject: [PATCH 07/39] Update to only serve GCM and CCM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
---
 .../psa-migration/md-cipher-dispatch.md            | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md
index 12b486a46a..11c5f21fbd 100644
--- a/docs/architecture/psa-migration/md-cipher-dispatch.md
+++ b/docs/architecture/psa-migration/md-cipher-dispatch.md
@@ -513,9 +513,9 @@ testing, based and what's needed by internal users of Cipher light. The new
 config symbol will not be considered public so its definition may change.
 
 Cipher light will be automatically enabled in `build_info.h` by modules that
-need it, namely: CTR\_DRBG, CCM, GCM. Note: CCM and GCM currently depend on
-the full `CIPHER_C` (enforced by `check_config.h`); this hard dependency would
-be replaced by the above auto-enablement.
+need it, namely: CCM, GCM. Note: CCM and GCM currently depend on the full
+`CIPHER_C` (enforced by `check_config.h`); this hard dependency would be
+replaced by the above auto-enablement.
 
 Cipher light includes:
 - info functions;
@@ -533,27 +533,21 @@ This excludes:
 The following API functions, and supporting types, are candidates for
 inclusion in the Cipher light API, with limited features as above:
 ```
-mbedtls_cipher_info_from_type
+mbedtls_cipher_info_from_values
 mbedtls_cipher_info_get_block_size
 
 mbedtls_cipher_init
 mbedtls_cipher_setup
 mbedtls_cipher_setkey
-mbedtls_cipher_crypt
 mbedtls_cipher_free
 
 mbedtls_cipher_update
-(mbedtls_cipher_finish)
 ```
 
 Note: `mbedtls_cipher_info_get_block_size()` can be hard-coded to return 16,
 as all three supported block ciphers have the same block size (DES was
 excluded).
 
-Note: `mbedtls_cipher_finish()` is not required by any of the modules using
-Cipher light, but it might be convenient to include it anyway as it's used in
-the implementation of `mbedtls_cipher_crypt()`.
-
 #### Cipher light dual dispatch
 
 This is likely to come in the future, but has not been defined yet.

From 4fb1955b3184244ccd7e3c0066fb3b19457ca615 Mon Sep 17 00:00:00 2001
From: Paul Elliott <paul.elliott@arm.com>
Date: Wed, 18 Oct 2023 12:15:30 +0100
Subject: [PATCH 08/39] Remove NULL-ing of passed in SSL context in
 ssl_populate_transform()

Remove a piece of code that was meant to ensure non-usage of the ssl
context under conditions where it should not be used, as this now makes
less sense and also triggers coverity.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
---
 library/ssl_tls.c | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 827b7fbcfc..0476a9f73e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -8159,14 +8159,6 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
     psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
 #endif
 
-#if !defined(MBEDTLS_DEBUG_C) && \
-    !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
-    if (ssl->f_export_keys == NULL) {
-        ssl = NULL; /* make sure we don't use it except for these cases */
-        (void) ssl;
-    }
-#endif
-
     /*
      * Some data just needs copying into the structure
      */
@@ -8438,7 +8430,7 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
         goto end;
     }
 
-    if (ssl != NULL && ssl->f_export_keys != NULL) {
+    if (ssl->f_export_keys != NULL) {
         ssl->f_export_keys(ssl->p_export_keys,
                            MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET,
                            master, 48,

From 3bcda449c08aea258029b2542e0e86dc745172c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Thu, 26 Oct 2023 10:03:49 +0200
Subject: [PATCH 09/39] Things forgotten in the previous commit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
---
 docs/architecture/psa-migration/md-cipher-dispatch.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md
index 11c5f21fbd..ca98a51077 100644
--- a/docs/architecture/psa-migration/md-cipher-dispatch.md
+++ b/docs/architecture/psa-migration/md-cipher-dispatch.md
@@ -518,13 +518,14 @@ need it, namely: CCM, GCM. Note: CCM and GCM currently depend on the full
 replaced by the above auto-enablement.
 
 Cipher light includes:
-- info functions;
+- some info functions;
 - support for block ciphers in ECB mode, encrypt only (note: in Cipher, "ECB"
   means just one block, contrary to PSA);
-- the one-shot API as well as (part of) the streaming API;
+- part of the streaming API for unauthenticated ciphers;
 - only AES, Aria and Camellia.
 
 This excludes:
+- the one-shot API for unauthenticated ciphers;
 - the AEAD/KW API (both one-shot and streaming);
 - support for stream ciphers;
 - support for other modes of block ciphers (CBC, CTR, CFB, etc.);

From 6b3643117b404767c246f019bc0d977c2bff220a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Thu, 26 Oct 2023 11:02:17 +0200
Subject: [PATCH 10/39] Document chosen goals and priorities for 3.x
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
---
 .../psa-migration/md-cipher-dispatch.md       | 33 +++++++++++++++++--
 1 file changed, 31 insertions(+), 2 deletions(-)

diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md
index ca98a51077..d75a4dcd40 100644
--- a/docs/architecture/psa-migration/md-cipher-dispatch.md
+++ b/docs/architecture/psa-migration/md-cipher-dispatch.md
@@ -99,8 +99,8 @@ We can classify code that implements or uses cryptographic mechanisms into sever
 * Software implementations of primitive cryptographic mechanisms. These are not expected to change.
 * Software implementations of constructed cryptographic mechanisms (e.g. HMAC, CTR_DRBG, RSA (calling a hash for PSS/OAEP, and needing to know the hash length in PKCS1v1.5 sign/verify), …). These need to keep working whenever a legacy implementation of the auxiliary mechanism is available, regardless of whether a PSA implementation is also available.
 * Code implementing the PSA crypto interface. This is not expected to change, except perhaps to expose some internal functionality to overhauled glue code.
-* Code that's subject to `MBEDTLS_USE_PSA_CRYPTO`: `pk.h`, X.509, TLS (excluding TLS 1.3).
-* Code that always uses PSA for crypto: TLS 1.3, LMS.
+* Code that's subject to `MBEDTLS_USE_PSA_CRYPTO`: `pk.h`, X.509, TLS (excluding parts specific TLS 1.3).
+* Code that always uses PSA for crypto: TLS 1.3 (except things common with 1.2), LMS.
 
 For the purposes of this work, three domains emerge:
 
@@ -319,6 +319,35 @@ These problems are easily solvable.
 * We can make names and HMAC optional. The mixed-domain hash interface won't be the full `MBEDTLS_MD_C` but a subset.
 * We can optimize `md.c` without making API changes to `md.h`.
 
+### Scope reductions and priorities for 3.x
+
+This section documents things that we chose to temporarily exclude from the scope in the 3.x branch (which will eventually be in scope again after 4.0) as well as things we chose to prioritize if we don't have time to support everything.
+
+#### Don't support PK, X.509 and TLS without `MBEDTLS_USE_PSA_CRYPTO`
+
+We do not need to support driver-only hashes and ciphers in PK. X.509 and TLS without `MBEDTLS_USE_PSA_CRYPTO`. Users who want to take full advantage of drivers will need to enabled this macro.
+
+Note that this applies to TLS 1.3 as well, as some uses of hashes and all uses of ciphers there are common with TLS 1.2, hence governed by `MBEDTLS_USE_PSA_CRYPTO`, see [this macro's extended documentation](../../docs/use-psa-crypto.html).
+
+This will go away naturally in 4.0 when this macros is not longer an option (because it's always on).
+
+#### Don't support for `MBEDTLS_PSA_CRYPTO_CLIENT` without `MBEDTLS_PSA_CRYPTO_C`
+
+We generally don't really support builds with `MBEDTLS_PSA_CRYPTO_CLIENT` without `MBEDTLS_PSA_CRYPTO_C`. For example, both `MBEDTLS_USE_PSA_CRYPTO` and `MBEDTLS_SSL_PROTO_TLS1_3` require `MBEDTLS_PSA_CRYPTO_C`, while in principle they should only require `MBEDTLS_PSA_CRYPTO_CLIENT`.
+
+Considering this existing restriction which we do not plan to lift before 4.0, it is acceptable driver-only hashes and cipher support to have the same restriction in 3.x.
+
+It is however desirable for the design to keep support for `MBEDTLS_PSA_CRYPTO_CLIENT` in mind, in order to avoid making it more difficult to add in the future.
+
+#### For cipher: prioritize constrained devices and modern TLS
+
+The primary target is a configuration like TF-M's medium profile, plus TLS with only AEAD ciphersuites.
+
+This excludes things like:
+- Support for encrypted PEM, PKCS5 and PKCS12 encryption, and PKCS8 encrypted keys in PK parse. (Not widely used on highly constrained devices.)
+- Support for NIST-KW. (Same justification.)
+- Support for CBC ciphersuites in TLS. (They've been recommended against for a while now.)
+
 ## Specification
 
 ### MD light

From 4823d2c94e021994671fcb0f9208c1338253f782 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Thu, 26 Oct 2023 12:56:39 +0200
Subject: [PATCH 11/39] Extend design discussion
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
---
 .../psa-migration/md-cipher-dispatch.md       | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md
index d75a4dcd40..a4c8fccf0f 100644
--- a/docs/architecture/psa-migration/md-cipher-dispatch.md
+++ b/docs/architecture/psa-migration/md-cipher-dispatch.md
@@ -346,8 +346,39 @@ The primary target is a configuration like TF-M's medium profile, plus TLS with
 This excludes things like:
 - Support for encrypted PEM, PKCS5 and PKCS12 encryption, and PKCS8 encrypted keys in PK parse. (Not widely used on highly constrained devices.)
 - Support for NIST-KW. (Same justification.)
+- Support for CMAC. (Same justification, plus can be directly accelerated.)
 - Support for CBC ciphersuites in TLS. (They've been recommended against for a while now.)
 
+### Dual-dispatch for block cipher primitives
+
+Considering the priorities stated above, initially we want to support GCM, CCM and CTR-DRBG. All trhee of them use the block cipher primitive only in the encrypt direction. Currently, GCM and CCM use the Cipher layer in order to work with AES, Aria and Camellia (DES is excluded by the standards due to its smaller block size) and CTR-DRBG directly uses the low-level API from `aes.h`. In all cases, access to the "block cipher primitive" is done by using "ECB mode" (which for both Cipher and `aes.h` only allows a single block, contrary to PSA which implements actual ECB mode).
+
+The two AEAD modes, GCM and CCM, have very similar needs and positions in the stack, strongly suggesting using the same design for both. On the other hand, there are a number of differences between CTR-DRBG and them.
+- CTR-DRBG only uses AES (and there is no plan to extend it to other block ciphers at the moment), while GCM and CCM need to work with 3 block ciphers already.
+- CTR-DRBG holds a special position in the stack: most users don't care about it per se, they only care about getting random numbers - in fact PSA users don't even need to know what DRBG is used. In particular, no part of the stack is asking questions like "is CTR-DRBG-AES available?" - an RNG needs to be available and that's it - contrary to similar questions about AES-GCM etc. which are asked for example by TLS.
+
+So, it makes sense to use different designs for CTR-DRBG on one hand, and GCM/CCM on the other hand:
+- CTR-DRBG can just check if `AES_C` is present and "fall back" to PSA is not.
+- GCM and CCM need an common abstraction layer that allows:
+  - Using AES, Aria or Camellia in a uniform way.
+  - Dispatching to built-in or driver.
+
+The abstraction layer used by GCM and CCM may either be a new internal module, or a subset of the existing Cipher API, extended with the ability to dispatch to a PSA driver.
+
+Reasons for making this layer's API a subset of the existing Cipher API:
+- No need to design, implement and test a new module. (Will need to test the new subset though, as well as the extended behaviour.)
+- No code change in GCM and CCM - only need to update dependencies.
+- No risk for code duplication between a potential new module and Cipher: source-level, and in in particular in builds that still have `CIPHER_C` enabled. (Compiled-code duplication could be avoided by excluding the new module in such builds, though.)
+- If want to support other users of Cipher later (such as NIST-KW, CMAC, PKCS5 and PKCS12), we can just extend dual-dispatch support to other modes/operations in Cipher and keep those extra modules unchanged as well.
+
+Possible costs of re-using (a subset of) the existing Cipher API instead of defining a new one:
+- We carry over costs associated with `cipher_info_t` structures. (Currently the info structure is used for 3 things: (1) to check if the cipher is supported, (2) to check its block size, (3) because `setup()` requires it).
+- We carry over questionable implementation decisions, like dynamic allocation of context.
+
+Those costs could be avoided by refactoring (parts of) Cipher, but that would probably mean either:
+- significant differences in how the `cipher.h` API is implemented between builds with the full Cipher or only a subset;
+- or more work to apply the simplifications to all of Cipher.
+
 ## Specification
 
 ### MD light

From 303121eb1682f3e4e18f2a7d9578c21a53f17f2a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Thu, 7 Dec 2023 12:05:07 +0100
Subject: [PATCH 12/39] Fix a typo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
---
 docs/architecture/psa-migration/md-cipher-dispatch.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md
index a4c8fccf0f..f165b21e07 100644
--- a/docs/architecture/psa-migration/md-cipher-dispatch.md
+++ b/docs/architecture/psa-migration/md-cipher-dispatch.md
@@ -351,7 +351,7 @@ This excludes things like:
 
 ### Dual-dispatch for block cipher primitives
 
-Considering the priorities stated above, initially we want to support GCM, CCM and CTR-DRBG. All trhee of them use the block cipher primitive only in the encrypt direction. Currently, GCM and CCM use the Cipher layer in order to work with AES, Aria and Camellia (DES is excluded by the standards due to its smaller block size) and CTR-DRBG directly uses the low-level API from `aes.h`. In all cases, access to the "block cipher primitive" is done by using "ECB mode" (which for both Cipher and `aes.h` only allows a single block, contrary to PSA which implements actual ECB mode).
+Considering the priorities stated above, initially we want to support GCM, CCM and CTR-DRBG. All three of them use the block cipher primitive only in the encrypt direction. Currently, GCM and CCM use the Cipher layer in order to work with AES, Aria and Camellia (DES is excluded by the standards due to its smaller block size) and CTR-DRBG directly uses the low-level API from `aes.h`. In all cases, access to the "block cipher primitive" is done by using "ECB mode" (which for both Cipher and `aes.h` only allows a single block, contrary to PSA which implements actual ECB mode).
 
 The two AEAD modes, GCM and CCM, have very similar needs and positions in the stack, strongly suggesting using the same design for both. On the other hand, there are a number of differences between CTR-DRBG and them.
 - CTR-DRBG only uses AES (and there is no plan to extend it to other block ciphers at the moment), while GCM and CCM need to work with 3 block ciphers already.

From 9f06681cb4d44ea31d9200909dd075f80729d91f Mon Sep 17 00:00:00 2001
From: Ryan Everett <ryan.everett@arm.com>
Date: Thu, 7 Dec 2023 11:02:48 +0000
Subject: [PATCH 13/39] Update psa-thread-safety.md

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
---
 docs/architecture/psa-thread-safety.md | 34 ++++++++++++--------------
 1 file changed, 15 insertions(+), 19 deletions(-)

diff --git a/docs/architecture/psa-thread-safety.md b/docs/architecture/psa-thread-safety.md
index 0d03e324d5..79881a624a 100644
--- a/docs/architecture/psa-thread-safety.md
+++ b/docs/architecture/psa-thread-safety.md
@@ -281,28 +281,24 @@ Note that a thread must hold the global mutex when it reads or changes a slot's
 
 #### Slot states
 
-For concurrency purposes, a slot can be in one of three states:
+For concurrency purposes, a slot can be in one of four states:
 
-* UNUSED: no thread is currently accessing the slot. It may be occupied by a volatile key or a cached key.
-* WRITING: a thread has exclusive access to the slot. This can only happen in specific circumstances as detailed below.
-* READING: any thread may read from the slot.
+* EMPTY: no thread is currently accessing the slot, and no information is stored in the slot.
+* FILLING: one thread is currently loading or creating material to fill the slot, this thread is responsible for the next state transition.
+* FULL: the slot contains a key, and any thread is able to use the key after registering as a reader.
+* PENDING_DELETION: the key within the slot has been destroyed or marked for destruction, but at least one thread is still registered as a reader. No thread can register to read this slot. The slot must not be wiped until the last reader de-registers, wiping the slot by calling `psa_wipe_key_slot`.
 
-A high-level view of state transitions:
+To change `slot` to state `new_state`, a function must call `psa_slot_state_transition(slot, new_state)`.
 
-* `psa_get_empty_key_slot`: UNUSED → WRITING.
-* `psa_get_and_lock_key_slot_in_memory`: UNUSED or READING → READING. This function only accepts slots in the UNUSED or READING state. A slot with the correct id but in the WRITING state is considered free.
-* `psa_unlock_key_slot`: READING → UNUSED or READING.
-* `psa_finish_key_creation`: WRITING → READING.
-* `psa_fail_key_creation`: WRITING → UNUSED.
-* `psa_wipe_key_slot`: any → UNUSED. If the slot is READING or WRITING on entry, this function must wait until the writer or all readers have finished. (By the way, the WRITING state is possible if `mbedtls_psa_crypto_free` is called while a key creation is in progress.) See [“Destruction of a key in use”](#destruction-of-a-key-in-use).
+A counter field within each slot keeps track of how many readers have registered. Library functions must call `psa_register_read` before reading the key data witin a slot, and `psa_unregister_read` after they have finished operating.
 
-The current `state->lock_count` corresponds to the difference between UNUSED and READING: a slot is in use iff its lock count is nonzero, so `lock_count == 0` corresponds to UNUSED and `lock_count != 0` corresponds to READING.
+Library functions which operate on a slot will return `PSA_ERROR_BAD_STATE` if the slot is in an inappropriate state for the function at the linearization point.
 
-There is currently no indication of when a slot is in the WRITING state. This only happens between a call to `psa_start_key_creation` and a call to one of `psa_finish_key_creation` or `psa_fail_key_creation`. This new state can be conveyed by a new boolean flag, or by setting `lock_count` to `~0`.
+A state transition diagram can be found in docs/architecture/psa-thread-safety/key-slot-state-transitions.jpg. In this diagram, an arrow between two states `q1` and `q2` with label `f` indicates that if the state of a slot is `q1` immediately before `f`'s linearization point, it may be `q2` immediately after `f`'s linearization point. This means that the linearization point of a state changing call to a function must be a call to `psa_slot_state_transition`.
 
 #### Destruction of a key in use
 
-Problem: In [Key destruction long-term requirements](#key-destruction-long-term-requirements) we require that the key slot is destroyed (by `psa_wipe_key_slot`) even while it's in use (READING or WRITING).
+Problem: In [Key destruction long-term requirements](#key-destruction-long-term-requirements) we require that the key slot is destroyed (by `psa_wipe_key_slot`) even while it's in use (FILLING or with at least one reader).
 
 How do we ensure that? This needs something more sophisticated than mutexes (concurrency number >2)! Even a per-slot mutex isn't enough (we'd need a reader-writer lock).
 
@@ -310,11 +306,11 @@ Solution: after some team discussion, we've decided to rely on a new threading a
 
 ##### Mutex only
 
-When calling `psa_wipe_key_slot` it is the callers responsibility to set the slot state to WRITING first. For most functions this is a clean UNUSED -> WRITING transition: psa_get_empty_key_slot, psa_get_and_lock_key_slot, psa_close_key, psa_purge_key.
+When calling `psa_wipe_key_slot` it is the callers responsibility to set the slot state to PENDING_DELETION first. For most functions this is a clean {FULL, !has_readers} -> PENDING_DELETION transition: psa_get_empty_key_slot, psa_get_and_lock_key_slot, psa_close_key, psa_purge_key.
 
 `psa_wipe_all_key_slots` is only called from `mbedtls_psa_crypto_free`, here we will need to return an error as we won't be able to free the key store if a key is in use without compromising the state of the secure side. This is acceptable as an untrusted application cannot call `mbedtls_psa_crypto_free` in a crypto service. In a service integration, `mbedtls_psa_crypto_free` on the client cuts the communication with the crypto service. Also, this is the current behaviour.
 
-`psa_destroy_key` marks the slot as deleted, deletes persistent keys and opaque keys and returns. This only works if drivers are protected by a mutex (and the persistent storage as well if needed). When the last reading operation finishes, it wipes the key slot. This will free the key ID, but the slot might be still in use. In case of volatile keys freeing up the ID while the slot is still in use does not provide any benefit and we don't need to do it.
+`psa_destroy_key` marks the slot as deleted, deletes persistent keys and opaque keys and returns. This only works if drivers are protected by a mutex (and the persistent storage as well if needed).`psa_destroy_key` transfers to PENDING_DELETION as an intermediate state, then, when the last reading operation finishes, it wipes the key slot. This will free the key ID, but the slot might be still in use. In case of volatile keys freeing up the ID while the slot is still in use does not provide any benefit and we don't need to do it.
 
 These are serious limitations, but this can be implemented with mutexes only and arguably satisfies the [Key destruction short-term requirements](#key-destruction-short-term-requirements).
 
@@ -329,9 +325,9 @@ We can't reuse the `lock_count` field to mark key slots deleted, as we still nee
 
 #### Condition variables
 
-Clean UNUSED -> WRITING transition works as before.
+Clean UNUSED -> PENDING_DELETION transition works as before.
 
-`psa_wipe_all_key_slots` and `psa_destroy_key` mark the slot as deleted and go to sleep until the slot state becomes UNUSED. When waking up, they wipe the slot, and return.
+`psa_wipe_all_key_slots` and `psa_destroy_key` mark the slot as deleted and go to sleep until the slot has no registered readers. When waking up, they wipe the slot, and return.
 
 If the slot is already marked as deleted the threads calling `psa_wipe_all_key_slots` and `psa_destroy_key` go to sleep until the deletion completes. To satisfy [Key destruction long-term requirements](#key-destruction-long-term-requirements) none of the threads may return from the call until the slot is deleted completely. This can be achieved by signalling them when the slot has already been wiped and ready for use, that is not marked for deletion anymore. To handle spurious wake-ups, these threads need to be able to tell whether the slot was already deleted. This is not trivial, because by the time the thread wakes up, theoretically the slot might be in any state. It might have been reused and maybe even marked for deletion again.
 
@@ -354,7 +350,7 @@ Alternatively, protecting operation contexts can be left as the responsibility o
 
 #### Drivers
 
-Each driver that hasn’t got the "thread_safe” property set  has a dedicated mutex.
+Each driver that hasn’t got the "thread_safe” property set has a dedicated mutex.
 
 Implementing "thread_safe” drivers depends on the condition variable protection in the key store, as we must guarantee that the core never starts the destruction of a key while there are operations in progress on it.
 

From 1e9733c6a8d2505218801dd415065fdf34a8aa7c Mon Sep 17 00:00:00 2001
From: Ryan Everett <ryan.everett@arm.com>
Date: Thu, 7 Dec 2023 11:03:14 +0000
Subject: [PATCH 14/39] Add graph

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
---
 .../key-slot-state-transitions.drawio         | 183 ++++++++++++++++++
 .../key-slot-state-transitions.jpg            | Bin 0 -> 46583 bytes
 2 files changed, 183 insertions(+)
 create mode 100644 docs/architecture/psa-thread-safety/key-slot-state-transitions.drawio
 create mode 100644 docs/architecture/psa-thread-safety/key-slot-state-transitions.jpg

diff --git a/docs/architecture/psa-thread-safety/key-slot-state-transitions.drawio b/docs/architecture/psa-thread-safety/key-slot-state-transitions.drawio
new file mode 100644
index 0000000000..5da2a7fcc9
--- /dev/null
+++ b/docs/architecture/psa-thread-safety/key-slot-state-transitions.drawio
@@ -0,0 +1,183 @@
+<mxfile host="app.diagrams.net" modified="2023-12-07T10:07:36.568Z" agent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0" etag="WX9wRn5Pyc0ByqdG18_k" version="22.1.5" type="device">
+  <diagram name="Page-1" id="FGZeniR9zYej3VAosmPW">
+    <mxGraphModel dx="1185" dy="603" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
+      <root>
+        <mxCell id="0" />
+        <mxCell id="1" parent="0" />
+        <mxCell id="Xme0HpS_r-Lskl_YgTMW-13" value="" style="curved=1;endArrow=classic;html=1;rounded=0;entryX=0.988;entryY=0.663;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" target="Z1zLfVIJwQ9nnBBYjpjK-5" edge="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="300" y="550" as="sourcePoint" />
+            <mxPoint x="370" y="570" as="targetPoint" />
+            <Array as="points">
+              <mxPoint x="301" y="577" />
+              <mxPoint x="331" y="605" />
+              <mxPoint x="360" y="570" />
+            </Array>
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Xme0HpS_r-Lskl_YgTMW-14" value="&lt;div&gt;unregister_read&lt;/div&gt;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Xme0HpS_r-Lskl_YgTMW-13" vertex="1" connectable="0">
+          <mxGeometry x="-0.3881" y="2" relative="1" as="geometry">
+            <mxPoint x="32" y="-30" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-25" value="unregister_read" style="endArrow=classic;html=1;rounded=0;exitX=0;exitY=1;exitDx=0;exitDy=0;entryX=0;entryY=0;entryDx=0;entryDy=0;" parent="1" source="Z1zLfVIJwQ9nnBBYjpjK-4" target="Z1zLfVIJwQ9nnBBYjpjK-3" edge="1">
+          <mxGeometry x="0.6542" y="-2" width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="414" y="440" as="sourcePoint" />
+            <mxPoint x="414" y="600" as="targetPoint" />
+            <mxPoint as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-42" value="" style="endArrow=none;html=1;rounded=0;" parent="1" edge="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="520" y="640" as="sourcePoint" />
+            <mxPoint x="520" y="280" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-11" value="" style="endArrow=classic;html=1;rounded=0;entryX=1;entryY=1;entryDx=0;entryDy=0;exitX=1;exitY=0;exitDx=0;exitDy=0;" parent="1" source="Z1zLfVIJwQ9nnBBYjpjK-3" target="Z1zLfVIJwQ9nnBBYjpjK-4" edge="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="400" y="560" as="sourcePoint" />
+            <mxPoint x="399.9999999999998" y="430" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-12" value="&lt;div&gt;register_read&lt;br&gt;&lt;/div&gt;&lt;div&gt;psa_get_and_lock_key_slot_in_memory&lt;/div&gt;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Z1zLfVIJwQ9nnBBYjpjK-11" vertex="1" connectable="0">
+          <mxGeometry x="0.2079" y="-2" relative="1" as="geometry">
+            <mxPoint y="-11" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-1" value="&lt;div&gt;EMPTY&lt;br&gt;&lt;/div&gt;" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;" parent="1" vertex="1">
+          <mxGeometry x="120" y="600" width="80" height="80" as="geometry" />
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-19" value="" style="endArrow=classic;html=1;rounded=0;exitX=0;exitY=1;exitDx=0;exitDy=0;entryX=0;entryY=0;entryDx=0;entryDy=0;" parent="1" source="Z1zLfVIJwQ9nnBBYjpjK-2" target="Z1zLfVIJwQ9nnBBYjpjK-1" edge="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="120" y="430" as="sourcePoint" />
+            <mxPoint x="120" y="560" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-20" value="psa_fail_key_creation" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Z1zLfVIJwQ9nnBBYjpjK-19" vertex="1" connectable="0">
+          <mxGeometry x="0.2079" y="-2" relative="1" as="geometry">
+            <mxPoint x="2" y="21" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-2" value="FILLING" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;" parent="1" vertex="1">
+          <mxGeometry x="120" y="360" width="80" height="80" as="geometry" />
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-3" value="&lt;div&gt;FULL&lt;/div&gt;&lt;div&gt;!has_readers&lt;br&gt;&lt;/div&gt;" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;" parent="1" vertex="1">
+          <mxGeometry x="400" y="600" width="80" height="80" as="geometry" />
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-4" value="&lt;div&gt;FULL&lt;/div&gt;&lt;div&gt;has_readers&lt;br&gt;&lt;/div&gt;" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;" parent="1" vertex="1">
+          <mxGeometry x="400" y="360" width="80" height="80" as="geometry" />
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-5" value="&lt;div&gt;PENDING&lt;/div&gt;&lt;div&gt;DELETION&lt;br&gt;&lt;/div&gt;" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;" parent="1" vertex="1">
+          <mxGeometry x="260" y="480" width="80" height="80" as="geometry" />
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-7" value="" style="endArrow=classic;html=1;rounded=0;exitX=1;exitY=0;exitDx=0;exitDy=0;" parent="1" source="Z1zLfVIJwQ9nnBBYjpjK-1" edge="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="190" y="600" as="sourcePoint" />
+            <mxPoint x="188" y="425" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-8" value="psa_get_empty_key_slot" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Z1zLfVIJwQ9nnBBYjpjK-7" vertex="1" connectable="0">
+          <mxGeometry x="0.2079" y="-2" relative="1" as="geometry">
+            <mxPoint y="-24" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-9" value="" style="endArrow=classic;html=1;rounded=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" parent="1" target="Z1zLfVIJwQ9nnBBYjpjK-2" edge="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="160" y="280" as="sourcePoint" />
+            <mxPoint x="160" y="310.28" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-14" value="" style="endArrow=classic;html=1;rounded=0;exitX=1;exitY=0;exitDx=0;exitDy=0;" parent="1" edge="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="200.00427124746216" y="399.6557287525381" as="sourcePoint" />
+            <mxPoint x="400" y="400" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-18" value="psa_finish_key_creation" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Z1zLfVIJwQ9nnBBYjpjK-14" vertex="1" connectable="0">
+          <mxGeometry x="-0.0497" y="-3" relative="1" as="geometry">
+            <mxPoint x="8" y="-5" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-15" value="" style="curved=1;endArrow=classic;html=1;rounded=0;entryX=1;entryY=1;entryDx=0;entryDy=0;exitX=0;exitY=1;exitDx=0;exitDy=0;" parent="1" source="Z1zLfVIJwQ9nnBBYjpjK-3" target="Z1zLfVIJwQ9nnBBYjpjK-3" edge="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="416" y="670" as="sourcePoint" />
+            <mxPoint x="472" y="670" as="targetPoint" />
+            <Array as="points">
+              <mxPoint x="414" y="702" />
+              <mxPoint x="444" y="730" />
+              <mxPoint x="474" y="702" />
+            </Array>
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-16" value="&lt;div&gt;unregister_read&lt;/div&gt;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Z1zLfVIJwQ9nnBBYjpjK-15" vertex="1" connectable="0">
+          <mxGeometry x="-0.3881" y="2" relative="1" as="geometry">
+            <mxPoint x="16" y="1" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-26" value="" style="endArrow=classic;html=1;rounded=0;entryX=1;entryY=0;entryDx=0;entryDy=0;exitX=0;exitY=1;exitDx=0;exitDy=0;" parent="1" source="Z1zLfVIJwQ9nnBBYjpjK-4" target="Z1zLfVIJwQ9nnBBYjpjK-5" edge="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="280" y="460" as="sourcePoint" />
+            <mxPoint x="330" y="410" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-27" value="psa_destroy_key" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Z1zLfVIJwQ9nnBBYjpjK-26" vertex="1" connectable="0">
+          <mxGeometry x="0.4866" y="-1" relative="1" as="geometry">
+            <mxPoint x="11" y="-5" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-28" value="&lt;div&gt;unregister_read&lt;/div&gt;" style="endArrow=classic;html=1;rounded=0;exitX=0;exitY=1;exitDx=0;exitDy=0;entryX=1;entryY=0;entryDx=0;entryDy=0;" parent="1" source="Z1zLfVIJwQ9nnBBYjpjK-5" target="Z1zLfVIJwQ9nnBBYjpjK-1" edge="1">
+          <mxGeometry x="0.2766" y="1" width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="360" y="560" as="sourcePoint" />
+            <mxPoint x="410" y="510" as="targetPoint" />
+            <mxPoint as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-33" value="" style="endArrow=classic;html=1;rounded=0;exitX=0;exitY=0.5;exitDx=0;exitDy=0;entryX=1;entryY=0.5;entryDx=0;entryDy=0;" parent="1" source="Z1zLfVIJwQ9nnBBYjpjK-3" target="Z1zLfVIJwQ9nnBBYjpjK-1" edge="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="272" y="550" as="sourcePoint" />
+            <mxPoint x="180" y="600" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-34" value="&lt;div&gt;psa_destroy_key&lt;/div&gt;&lt;div&gt;psa_purge_key&lt;/div&gt;&lt;div&gt;psa_close_key&lt;br&gt;&lt;/div&gt;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Z1zLfVIJwQ9nnBBYjpjK-33" vertex="1" connectable="0">
+          <mxGeometry x="0.4866" y="-1" relative="1" as="geometry">
+            <mxPoint x="14" y="1" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-41" value="" style="endArrow=none;html=1;rounded=0;" parent="1" edge="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="160" y="280" as="sourcePoint" />
+            <mxPoint x="520" y="280" as="targetPoint" />
+            <Array as="points" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-44" value="psa_get_empty_key_slot" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Z1zLfVIJwQ9nnBBYjpjK-41" vertex="1" connectable="0">
+          <mxGeometry x="-0.6916" relative="1" as="geometry">
+            <mxPoint x="25" as="offset" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-43" value="" style="endArrow=none;html=1;rounded=0;" parent="1" edge="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="480" y="640" as="sourcePoint" />
+            <mxPoint x="520" y="640" as="targetPoint" />
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-45" value="" style="curved=1;endArrow=classic;html=1;rounded=0;entryX=1;entryY=0;entryDx=0;entryDy=0;exitX=0;exitY=0;exitDx=0;exitDy=0;" parent="1" source="Z1zLfVIJwQ9nnBBYjpjK-4" target="Z1zLfVIJwQ9nnBBYjpjK-4" edge="1">
+          <mxGeometry width="50" height="50" relative="1" as="geometry">
+            <mxPoint x="409" y="372" as="sourcePoint" />
+            <mxPoint x="465" y="372" as="targetPoint" />
+            <Array as="points">
+              <mxPoint x="411" y="338" />
+              <mxPoint x="441" y="310" />
+              <mxPoint x="471" y="338" />
+            </Array>
+          </mxGeometry>
+        </mxCell>
+        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-46" value="&lt;div&gt;register_read&lt;/div&gt;&lt;div&gt;psa_get_and_lock_key_slot_in_memory&lt;/div&gt;&lt;div&gt;psa_close_key&lt;/div&gt;&lt;div&gt;psa_purge_key&lt;br&gt;&lt;/div&gt;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Z1zLfVIJwQ9nnBBYjpjK-45" vertex="1" connectable="0">
+          <mxGeometry x="-0.3881" y="2" relative="1" as="geometry">
+            <mxPoint x="21" y="-8" as="offset" />
+          </mxGeometry>
+        </mxCell>
+      </root>
+    </mxGraphModel>
+  </diagram>
+</mxfile>
diff --git a/docs/architecture/psa-thread-safety/key-slot-state-transitions.jpg b/docs/architecture/psa-thread-safety/key-slot-state-transitions.jpg
new file mode 100644
index 0000000000000000000000000000000000000000..ebfadcb4963d39f59cc3f21d30a21a62ce1676c0
GIT binary patch
literal 46583
zcmeFZ2UL^mwl4fZC{jc3BubYmU8D-qM5HKPKm?=-5d{g-dj|o5B}nfAA~p101VlPW
zs0o5}5~M_FH|~AbI(zMN_8n`V@sB&kKkj`qNXXan&9}_?%xBK|U3|G%254?;Xlnoj
z1OPyQe*qVBfEoZI{MCNFgYb=rgy>hhL_$JLLUxIqoa_=A8961GlAMB?f{cucmWmoo
zLqkhLPDw{kM?;VQpXS#^2!5RjBD#b>k%oed0>Aa&Y!@8>?InV4f=v(sEkH<10HP(h
z=mDVk`y?j#TLb>15fFlih)GB<k&#p252&L72=Tv7NCYA#CL+Qg?T6nF5YZCTT@k-Y
zLT_M0%H_@=5tNvFiCeX*lhJSt!z20VSuhzn6Eh1d8!sQfz*RvhX&Kq;ayQg&scUFz
zY2Utg-^kd+)Xd!0&i=83qm%P<56>4~aPOBPp<&?>kx|h}$*)sV(|&uCo|j)xSX5k6
z`mVaBwyqx0(Ad<~-P7CG|8Zb&d}4BHdgjY45`|v*y1MplePa{5|NY?b=ot6o=P$Vk
z0MOsX!oUAruz!*Z-w6bSMEEWx{UsLxp%?xSL`y_`MVy50rU9vqJ3W^~&?N@d#N4V*
zGHyvj4CA9`W8_RcQYc>RFVX%c*<TYZ_<tnXAA<d-Tu6WtM1UVW5G|k#oZZVI3?v5x
zfdBkZsD>dckE{?W%h^YXI17%dDossn{99I24w{=8!Bl|kIa~jc=>?FViZi+Z!csFY
zfc_G~@S2kcr^E<EkS{%!R23KTZo$gJv@;JUZ$5Fze(b$wYHQ2Vpr81oS|eQ3UR|^~
zl4F!e88ekdaU(So^%WBk!*12w&|2R-){-IaT|D3-Z1DMg(XvQ4Sc#v)afb5a<}%~u
zQIfOD{%oodtQ9oW%O5i1ai+1aQ}RSiwD;Z3mq*wiNk81lhDUXCqX#iOdWh8*gS)_n
zLcq$7GU`0T*2}Zd*}QJIB7iBa$SK{q$F1^xrdf~so2=_;WE}Bk3k<?fw9$bIA?9Zd
z=U|+dPVJ=Uu(IXEYNDq$tQ^MHhupdwq1T?(ht{@D-SD0GhWyMV^jxZ(CK2ik9Kgbs
z=qvrXwz3pHq;=Prn&M2XVs20Dv6)&*UxMn@HPOW-i4&a_Kb>d(3U5#NbRYQU&+R`I
zK<>|sJ5++=()T@E;+|xkqeMmM<cXVJ^%KBXGx;-k>|)@B0tJ#gL~KB=`-zF8`(~QC
zeRh|1q}RFSVzYyjJIuvq)w(UgWBPc9)~8Oe<m2r(w|x4^8qaS7HAUxB5Xxz3ZxN3r
zQe2ZOo1)3x(UD01Vdo~Vqp-8O*50>J>5goPm?1l=)hA}WMvot?1zv^A9~F%sf(cD=
z34K{q)3tu)-*3g3A|~=Jyzl1NwV%*gAX73!ZaerGA-4nl-b1_}=0GB_8GY#q-Pxg8
z;@G1^#)7mq&e1(jd5>n}Yf`VeKIf^F7rZxld+qwJ0BA&dZw`tQjmmd=d7vE-U|+f5
zOtYS>=~+Cd`EKsZYn`%>JWWmEl7s_XeX<e*SJtFFu6!g_LuDg1QA@EFxAmxs%HW<0
zntD|e076~X-O4G%AR4Q7oon7A%1aVJEvLxPkt|bZqXT*>C{UVV7QI<l5KRpT*%#Ba
z>Q6@VwH5Zu4X!46bBA9u3tSS83~9CtR8crzIeHb}-BUehjngx>kk6!7Zyc{psZ*cY
ztrI#qnX_^Ien;d8J;tJhg)HoQhh4f%*yKNz#S+tJ?v`1(QGv3ix&Z85B)5?5k$dIk
z_inXUwbj&~NO#wD-nH5x`6~L}0U=%^B&Sau^53l--~tG*I!jevUu|OyK-m`uU^f9}
zRC$1X!cRF^m^IGKY3cN3AQ<NYowYrWw?LVkGnso`0FWHe|GV1%zxz#5R&Ubd%v!I0
zsy1WGXO8`gAsV^1Xq0pn?MWFQUl49=c<J(T@TD9I20))cg&6p6KfF!0@d}u)3IjVI
zxBw#B4;F}lmlc5bx4w}Gw#uFzikoA#agSXEb!B^++^Tq2Tk_<Vb)0;Mv2L0gPgP&N
zFJxzVc=K}LGxM44wB;q5^_q3__IO{1=dgFWUe7DN5lpbNI_Yl0?{_Mm7?Rx=%+qnK
z-{%s1_kp|tXe8Z6<-@)D$gtq9^D8sFljU{8YCXp3mc7FTOk!TXH8Clv_BB2cac!fk
zUbS&7_e}>c3#thF>R=Lj6C%x}Q(D->!VfI(-I~mqIw(8Qqx&?``5f|<mrYl0MfFjt
zJumu=*5iAu3ymt*e5p>vl)_LtLY8W1{-}clnme8b6^rX^p*D3aVuw1JH!BL#O)1WI
zbsCM_u2^`tdD)BaAp!ZVfJ^X*&Ma;$q;=Uv$JNN!I)JIP#C#LkSQ|dQCa)!;X7R)L
zStFRS)*_^lAX$)PEr*=$l&={}8r6=vK6$EMfwRzWby41l6Y54bY1_UNDTqBf_o%ku
z*?c-@Js=Ld!=0v24CvWoWV>F_&FNC-mnFN%MmgwCs0SlgS1cDoPTHcl6QOy_GT(=R
zr&$DNDHXo570#~Z@P4c8?lE|>&h)`Bm1vHOPU^(L7KM*aOyxY;tpVv*$xogM-?7ER
z7;zQm{_Pc4aC94+I_DDdR2qYJIn$W-nX8x?ACmiItZ_Y8Yq<9AmACTET6T3ImtQ>y
z^z;|SEXDcr;!I3&J}b%;>oVrdQNj-6hwO3kJ<oNXGq!v*K=LGYa4WGai}zOm_DkoV
ztvJpXTCn_KzE0?NGG}I!G=%#=zOEzFs8s>iPXR+8Zv)$gBqZ59jn*559)VADfm|PO
zvVKLU_6@j7#>~*2Je<Z{*CI52#keumWjKCZv3EOx{Yj#Zl-A1UXVrH;Ewy|BWEC_~
z37o#S#+SO=cxiBklTCM<5+Zz6+}uKP(K6v{9XEyVP>^UFjfNa+cLE%J*(U<N3gc2=
z%4_3XdW>ads?7bOf09+Cy2xkvsqUVM+UW5Q7)x3|06|k9?thHERdP+`2Kdq`Ip$l4
zuX+KlMi0x>{=Cd-tDIskqttbw&TFzL*d?NokOo91@=)M1tzalQ$w+FTBHup&pg+T*
z|MCqq*lxG?LpmWO;7IRO@d7AX7XVE;{sVye=QH*zXXVdzZI_qMk}m*oz(x}}aA^J~
z$o0=>{39Iu3;Pr<fTNd~`sQU=pf!~OBRT_G<zfZJ_{SA)$}Bo-f3>`6&+x3jm4e&V
z!zP9It^^s!C~3~WRw)bwtJc+Cr|JEj?I--_kPBeKgMnbP_J5;<{#(t2-$?qg?JBMq
zo2-lJecvwDtHa5Dce?E|uIyIh)S=uHk0C{-{=1W&>^}0IjY)lLQr_w<&g1hMsFpf)
zfxX5+@k3ZbHnWJ-u*6DFJL3}%FwG@j9*+v4yW{9<@FI$ngXsMo!=qWZcrIUBnn>0A
zHKoQkRj5N&9AXrN(9KkQ${gk!O&(c-(_<bYqFsIRb4M^1=NF%s9MTzOKR$}Tb^+LC
zirPN?e!GU%<SD7LSg&=oKj~;Y3OeR5xq&pQYpYrDE|~IF^LAlKV=G|W-XM9a>NEqf
z**D`m;c?>Z$#ehOlt%<W@A%SApI^r1n_=4uSF-7%+N<jd#zkslEKFBwYkR}q?n^Xl
zAn0T>6mpnt_FaiVgpMF)^aT*>f7S6^220!?Sf^bG;lz3Sp<P7Cg#_%+r>AV4k`|et
z#fhc%2wY_~7N(~pSzd<REI#$d#kiv6H$1K5oA`>0ES;Nl!z!aZESf1oY~6*KlNWBf
z`?(h*H;$@y5Fw6mhjf|bK~INtI^eoqq%zdkWu-FEN@n8J9{XZRHAM-s`P9t3+sW};
zZ+ZmsP)GhFOAEoL#7<Y|+ZN@Nah_{Up@M;+1Bt)5I{xit@%tnvtS>IzXcEovD&M*h
zRu`UaLzE_KVj@wlKi3s)_BHWKn7R>BDi1)w7bsU25DO)9JD|7#7?Gz2m{=rVn({2H
zPT;Wlaa~<T!orY%U*u^*N~A(Gkp3N=-OYJp>sHmI5;x8Y`K{+&LSDB_m0Ln-*(;j4
ztG=JeE>pevtPXgL-?$Yg{JtcTLQ=c~@Z=dK<#fdsFR!k}_@OQIVw9+|wZ?l~{Q@AZ
z&ePL*ns%}HA1PrSoARPfiY2`~3aZVHX{SEiW9wh0qVIj_dS0m%!yI{8$D*OoY}@Wt
z-Vm#?e7K1mh(+-EFyI15^h3xoB<W2f@uxO<aG0L=Eefx)O`6%RaT+a^{p!+31lK>q
zr3miAqM=kGheJ?GJuH2<_|}cAkq;XqWpgnZ6`Pz2B{6$`gM;0UazwP9Ih2REVa(dM
z{-bQlg9Q4GpY`qX3!2YeiWfWOH%16y_D$-3m?Q}X#;+k03<Q;EFxv)%ZRS)SwWA@Q
zpxiSfD>Gf4V=c%Rj?{^8(tc?4;#LO@n8yLc13dkiIkLUFVw8qn{T6>JU*eR`+52vB
z^C|p89G~1yA)UopDfe6Rmc);PA0HbI&Ry!H2&7Kd!*ydW0K*y4T9*Kt*-Nh5wK40S
zGR+~|vSp<@?u>aBpP+Q|t!070H(whaIu&3V+aBvNLI8gTqu-*j)ODfit*GIxF4Hnc
zqp#Bhe#$2(H1uAlmVjSofk<N`y2zx~-Fz*v$~t4)=t=ttL-?sV(mdnq54(B^bp@Y7
z!%O0HTHHBO1Qn>c5zxARf6<1Oh)#C>=Cchf#e%=i54*N_87Gm%;*_ON_ro>BuMS2o
zM8}HfQ0dXav%CGl<Bw-fEzq2jw<bie->f!e-REvX?viZqT+z@5>_$n&W&7I0>(jF;
zoJ!%vx)TRGQ1$V;jk@OMEqLvKh$q>56yoaBaaW$Y*v8MyV90pSs~jeegkRI+0$}U?
z+x&3LEt_|&f`=2;HAfp|^=Xp}SEbmt&^3N!>AaWa2-54Zk{<QF>f_{Exp>nS_T1Im
zn|Eh;p@qicrYlR58P9hfV<f}Z>M~*=P4Jo)Q5!S1IHU#Uq?Ehd&g6(Zt0>=bRrqOn
zYGTkU5qRgxSQU8(ZHmIa0AY4y8=tQ%CcMlg2ZunDhS%!eJsCO?NzE_2>8fyUE74yq
z$06xv_w*X|?GKz(!2PrpXcvou9BC{+u5=l9z+RSYPx9{PYDrD%vct9V-XqCa=xYuP
zJco44n%SQL4l}kS?Xjjm<t^NV(PloW^el7ackJ=Eac6IMl&741y>Id5a}^3NEDWU^
zo>;JTyhQKI4=dc-eKZcUpRPz+()V3?LdQIJb%aILkr0IoTc)j)4NHiZA}B8}b3=L^
zy;gRn`@pN;+w6}fxNOT$5-9DlV4*YpFlkF`vI3SHjds!IsefaCKZ}*^YCf+v!T2o?
z`_1xl>PuXKBBTETIzx<3_yY#Yec3O7>HyT<ne0s!NZG$a+5c$ZAf6|h8_4j=69r#`
zagPl4n7OSb;;k1))6-a~q!FPnpGw)dg3aDU0t87~gn<hA#%I}WS6vWZ{(>#zzO)Wy
zYObgqS-pwc;ph6*QIE!lH<+V*7#n<Cf?@Rq{<pB@2DMM@=-gB&6By2i10d3wgmapf
z0bR`1RP1-_y)25y4cuI%$#$psm{QGJ;zAQIKNi=B<$Y~YmH0aF<x;PrmliG=gXn{T
z%SC)`UA)oOVCNh64f|2L+HA5}NUcueRF;X$2=+{Z>%?htIbiAuCHhls+yL6o0j>Tm
zq}*3oDZ3Q@Y`6aob9!G8NiJ_(e4(qLU)lDkRd1aq%L1>(v)o**{@+SIsVK^#+Plv5
zmi=pr;o--3Yb^O(snK2MGn#%DMp?*n*V|~^Zz26s-~0O3RK`DIPX{llQ_})c=X@Iw
zAza<_T+7oNA~5PG-oZ_pEg8g5%6&5QmpJ0N+1k$gWU~F>)CUqFf&}3J`V@3>4L;Ky
z0M5g#Rk@>5r_g#4M@vqKhV)xWVqiVzaq-7trp%^1jx$6g$;5#}`oxu_z7TACH;f(*
zHO2BGBGxc_-6eH%@;*C)LR&l5_Y(|L%<Pho^0uqj1&j161zzy!4#X9Ja&Z02kI(WB
zwqRhmm;Pj}R>ihwnfy?Nrh0pIl63pHTY2I#eOHVS_vdnxr$26fyZ(`cajBy{8rdG5
zjLzIi3l^3>liBOuH-o<zGH7%a+*Oni(NLUtkYNNbfbD45%@GAlI=M-l-6wo)T@#QX
z+!A1qEg44XfN9p<ovM*eHw+qed4fFO$>h_kaLH#@)LrIkyksxQUH@@fGp<7sgl?$D
zO)Tr|g{K2prfi?Gk;lfHd#Y0&>u4>vyew5w^Z85Jc6wFSN`5&scO5~W>hxx<`(;vJ
zioVIe0Bl@t1cV8Dwo|Rw&-n9Ac|1cZ9;8mF9!q>F`tdljYjlA2V}nYPROuBP6}EP&
zbLQe8f4tq9H-6a!hjzYHj5YWBFt%qsJX2U3KDg;)6d>WW5<fUNb}MF$a3)R8>)}`6
zMLWaJd!=iROfO}FrD9U2JTmVtnM7{AK=wy;dHbaKwPFx_S36(P{<dapEzTyvQXTk|
zNx3GWw?eE(i32;a*+w@loj_@^4r7e{d}NH6KtgHy1+_31t_e@fzfvdj@U%>C_X!-6
z1M6+9zG7I}PFFW5BRpJ3XpVhY)*!|pLKD%_lr*@%XVx@n%<jk)lx|_ioIvwp|07NA
z>~|X#C>GJtl(0jV=gejj0?}cHFktyY`>n<gspRhb%nU*Vy&iIt&1>Kt{Q7PsSc`#R
zdUhi<o67$RE~Do-)k}HSpSNawr(EQ~53+xVmN6JiSgU9eu8OPfq33@U8bAd+v!?Z@
zd*JKXh|Ov(oSUVvrp4*q#Z0|(dFeM*Fd));*86GE?zsxfts!C4%bcGwmGm7!6#dFI
zda<6?kuUpu6lpztzI&E!-kaSp#HHOE<35qzP02^LR6j7yP5xw7TN>b5m!!2zZDx@}
zJR~;zVoPTtJi#6uK~-3vyKLra6uV6~qnbpLqU^UeaQrBFkcuZ_?Z;cYIzWF)*+Dr<
z#<g-D4u{Jc2GE<sn>88`Q*LhD;e8V(Q$?-uXvJ5`=_p=8$4haRiQ)njNqAa{(HDv(
z?XC=NQ>-4d%`nF*9<|%N$C+EOUw!|ce{y?go38VHm%x___eXgqBCF+hd*2d%0gj>J
zSrjp-Z-KR9#D%lX$vQP!@7=!Gyx-LuR_qR_6RzNi+g%I1;ruWBpZ_t6{ImZB8u1r8
z)xtu9Ji#RE5L%39cBE$jn~TKy(b(c<|6K%Pf7{J%(TvxW&ox)%fsHM{FrJ&-32<(1
zE?c7P=I^eZsF3zXcAbB}KTTEFB8zoS-k33dQS%!mGrhWWv(l_RLV_pJ+h#UefMh91
z+0nbj2J2=Wo{Tf^qA<&uD*7;4E*;(`a+d8$Nypn^%5*8S<?w0ZgF8cYsW;gv^+~O<
zLTKuW<&zOAoLAR5d;N@p8oK#MdF_eIuzI<OzM88@PxbJPUP-Rd$Px<rq}>p}%^vv9
z4owK4(Ts;F@F{RI_O(`6ZKRst4JmO>w6Jh`CX*tv^DWy4#?U+En+CkoGJ6A%7e)u_
z7MxF+u+`V0TtJvZk0BAy<=V!UDbIlFyd_RmABq?YZAy~GO)Y!GqmL76+y#j&Ng7XU
z35qd3M+uYu!nkxQMSsSvpT;3&W((FEY?G;Ji+5i2atTs|r;iJ8c^jR6?2&wM)#yp}
zTS8zDDZdhX0f59>pcS7HUTj9&O-WW?<}AuGk~uR5n0}CF*Yw274u}gzMt}O|$Q396
zMOyTXV5wms(^JTlG>fpbye`OKvYaH>oro>=Xmrrb-U3>aaUF@4^8T7G2h5+})RzT3
z+ey!5ZeoMYEOanivlgc7KV7HudD3noC+;`WNg-_oZoYAy;+Bxn{P`8|>>w@rSLXlE
zblU$I4E*^r9HhO<q2?yNu9}@QY*S}bt(9S(-gS>sy-b+W=p;?&=fqN;!+4%`47!2b
zj0ea~^4Wl*00(G@P3?$Smti+knhSBdMd!Okb=Y%C$<`hnFY-a|mN}`UL8`8gUIW|?
zqCJ5!OUvM31-S|fIHKc)!)+{e){OP+_r;}6+36SV3o={3<=31TY9wks?UO<VO+nqh
z8Uj+D0pV$o8}-pc=<s}-cbc|O5$R8Ua>zFEuBP<$#}&kHviGHs#cQfnB@6BrUx~~i
zk2r$kl+vG=TV{vxOrQ}y+OCBYb@D^<F=iqa$VKL0xV@Q;4aESv)RV$#O=^qhb_7-D
zpR-9HHcg0D`10~LZCsn}q^f1h{A!#mQr_od``oQM(k)9)JJHG`F@$b*M2f&c2PcVw
zk#5Rnap622NRlh&3#!yab4Av29UK@YglA~y%%unWpCsKVljvM6lPG;Sr;<augtJ=o
zY36i5?^dDw)P=vgh+L}(t*4Eu)SOM{r(3w4%o-ZZtJ;zZ*d?kk*1~4Lqx2#?b!E-R
z6qG%Qr{h!6W4zO1MfKkwBA76G(#@Y9Wx-KKagP(t^-BV;BO8ErOadydvTKQYlg$gc
z1M}4NGM`jXFJGK9^GgycI~hpV=CoN{Wgtu}5#6bmp8quah+yvj==_4poR6iy9l|?8
z>3sR6r+0MeU?jM33=$4;y`{&O&)N4jwfc4{>8FQzX2EF?eFuocpd%;_(^q<;vY{kZ
z)rx(bjHS22l8vEmRHT$NS5?(DSc5?V!K%FDqIo_CuEoc)+EV#XlXwJ|In%Z)JXdhO
z*60e^Ua}S2ym`l$BD-&WZ&KHB@#2!O(nJ<<`eYO<+jj2?#Isu&R7f5X=pDsP9!lcL
z1@-d@+*=W46yfCigA+aC;gYXgTx(KwNv7NJdL$~8-P;$y_nEj_0&uv3Ha2gj$BF~v
z5L?^MK7b}`@pLM2o-wXxPAKRvl!<JE{d`n8+mcXk?;H37{QU{wmID^R4v+LC5T6o+
z!x(X8=&x2+pu{UPPgZND>h$X8aOFq@GF$)4Y!JO`gL(tSC9W0FXP#GJ^O}h^$)OX?
zA*Fou5;L-^jdua&KoV3klCO=z+Fdefl8q@U`ZiCt&xX;B1wp8Qm#`iFJa~H#l)BvG
z0w5@1`+~I&|5pEI+iF+dTFj*GMMDyU;0VX<3huZ;ncN|P0RSquWgJi|eQ@J$raM|J
zDht{^alkmSQ&czR>1y-d_kP-pj*rK<ny2d%*G&I@VdxW*p@A1hru7m4*bXPl-y`&k
z6uO2PiS!&c{HBU?b@#G$d3HR)<y^B_3CX1!q@WwNcgCs&?Yk>^qe?(azcVO*wtav8
z29m#zg+|oMx8CSBpQ+tZ`exd20?DMB8dvB2dZP0~zl_Gt@7-|Sv!?|scxR>TNE3hb
z`wPIqI&_h_Zl-plE(08)#M;<Ak>8}zgb3HYafKu47WIL#;GAh7^+bGlpkn%8B#8du
zzOJ?<77moDRcaSo)EB~FyagtYui0zy*g0`iO$tdFB;BBk_8|vW&$;0<hM1zl<v4at
zJU`LS3{U4|KI4*k`az^(c%fUs_<?MqgXs7(g3GVEg9%2r7FjSe(XRP5SmlV?VXI5o
z!|_5VTD!DRA~*8oz^7Uxt-$@!7SJ+`VzI3dl}+lHu0EN_0&$_ZR56>+LsyU&8~ZN1
z<E1{yA@Im$krZPRUHL>>nI5NhYg$aIRAG)H=1fT_N(6d&H!4#*cJ==1(`TfGfYZ_!
z)6LX-PRPvH%rDXe9;K75&}j-n$g4kG2|AD>NX+w9#xRFh2Gq95EysawH-E7`QBTdF
zq;pj?c_wiEI){%wiC(m?%R5{E+B&F3AoVD&5MJu3<GtzulM`JI;tw(iAttxg$?PcQ
zcV3R=2=r)@jW~c(cPb(x4s@s_*vsC)9O6IEUNLjybshiI2~h6#)QEpgPSOP&_5Z{5
zC1u2@^)*%YR0f|D;NsrTA#aw#%esCVBfJ^&Bsw{cWfF(E`pQ3bg5&@u+gQ7-S_0(1
zR%^b^C(k$9K}yoTAgppXl<w35BN|iL6=E=IKiQ(@;5>~i7wqGB!^2J#@+s`McsdjA
zL=}j`1whn|`PP{olntVzx`(a|D#YR^yQuL6U|AQ_V{ABYF1Tx<!$)@Ia$m-LDXSS@
ziZ@aKwEOXEyyLWKrX>f7@x50a2bYf-fX#n_9RFc@{WE30-_FS}sq6?1dnpzDN%&xo
zc57X-t3@1X7T%}aTzdTi2+}8ghwm&7y-20&zD$_63E*gdF&w`}l4RY4K9;z!@!klL
zLI@}Lt0N(&(8{-tikGY9waRfyph-8z)1v5!o)^!r`}-S~U6EVHZaadS;<eV|?4zc}
zI_&M`D8Z^=cNOX!urRJ8ww<=^(t}(p1$S=>!VbDPRI43E{&cVy^nt$)c$xV}gzv8t
z@DgUW;j-yYOxIToKW{%}pw{L&U?5n7VyaGUumV!bL{EfGH0*!)I+bhKPw;<Z{eXzS
zm5Q_F9~NP3CM=SB{3AG!|5S1$^zgt*Noeckw;rd}hvVvK_8gD%3qWvVRQN@PcmFWG
z9N_ktTZ&+A-HI5a7q)T@=hBIUB(us#n{Hq_B)38hh5@|_xL(&H55mWq7VdI;>T>d4
zzmEgQ`jY-~hzbYK1yEDmox#f2it|m+?jBZkQdsds2~~d3u#@A>nxJwJ=SlMY!a+a4
znnQ8{blt-$qoNaVruCpcC5Y<Wsd~<rA6}{AftP&dfKPT-xrMd!&qIzpbU)=l;__W?
zC`Z<o>H2j4tjH=Za;7QlE!=s#CB;m8ZE%1i@^;g!n?!W@80zbPFMI(ps2CzYpHyN=
zU!9^GK^;f3$X_Fm;ma@B<5yIk;#b}tC2Ie_rIVoy{!`HUgx<;s<=Xb((<?b}{+qb4
zf(2*eHbI<|SK&emTl&(5SNfx_Jywt3$aYul?F3B)SbKtAfe!S#tT8D8T_Ocgj?8Pg
z$XQiS>+RaaC%ucEYmr2;BdZbf%<lXwcxL<$U6tZLu(a<2#m|H7Y@E*ppgW3Rod2CV
zB3NZI;P1Zx#7x>%E&$4@<Bg-xRbPXU{e?R>q{F@AB~uz$5^HExmLcW%+^uV*H&rNp
zr}rREmFqVWy3RCC`WFeu*P6#gS6$j^anHsmq{{EwwO7Y_G;WUH%0J^yQuaIl0BRqr
zixcWGS4@bM;?!8upOBV!tQ3B~^A*h4Lni?Ls=*;q{o!&vo@^BTU5bCfIsVyOfH1=F
zmhC7EJC)X(sWTh^GIL7axMB3hw;K)T$+{XhIdp2QzN|*aQNBz@{Ya1pI99=@&IR5e
z2mXj2VqlR0gbJLfy{L5P4t*XRdh+PFYusw#fs@R+4IH_lI=?il5@9>PL!8A`JS_i4
z=JWH*r1k5_z7(_wq`!xaIv<AT^)qWtQcYg$lSZS-7!;myQ?r_x(r6OVsxbc!F#f7n
zuF#FH9f!|Zk1LUW(Gz~U^{T!UZI;K;pQpwpG)JHPdQqMt;2szm{pusDilXSHEA`>>
zE{=u*dHRWc(ToNv9RM`|ssprtA0~Wv5v;Z`QDBD9eoNiu)o`Ca!YwPz<`Y7B_8tM)
zw*HZc!^s0@?@wv)AKXUzV8j1RV*6(k@Vg{`SPAeoT!mDY%*;VT&=LI*$BnNd@8GG9
z5#sBwK1Lt)d|Q=`?^>GdKFTYQAkhcw1YdH^jYlFGq6J>_xaWo4*S`jU0)ZVBx_=yS
zZ&+CHsRS<D3$rDh1;GY3&9vOe0OI?w<m@L5iYc?_Gi+JUc^8$mrtX6#Oa9|d{&LqM
zmInj6)X`w*seVKFO+G~BaPF7ptaP`eeRGYn{&`u|b9;r5qu`sJ_*m`zKPfx!fE{Mg
zm(v@{H03)*8TvTy0MZ!OP=$fjIXC9W9764+L7k5uNVHxD4dj6D#%rzqVY-MQp^$@r
z!{93XoA*dM)W(MkL+e}s2@rXV<#8W0#-IJenEm*}@$yslWr4aFBl_8bB&lP5&DQ-d
zAA8W+`o!N@)&k`z^dj4&FMv?lmGgYQrg2LgyU}EY)YWt(jjL^hYIS2Q4UKT9o>W2_
zRpytI9Dv~Ykq<5eA9Cez&XPc2?^YgtIjGzQS0&W+Leq{i={~Q)8uDLk6ea%nEc@^w
z0N`~`haM9yq%VtXN;-hv8TzCdflY`$C@I)aQmn6kxwBJI3s)hSr4;8w%gW4G32R@5
zB;Y6Q|2G|t2jO=wfMipg>;+(V0dz0@bPEntH2$wB8#L5zzy6#5h%$JuAXv+O%0tNY
zkw@BIR3-C{1k>^}tH=C7(}9W_fl3B5B8Pg6{-YNFokyllXFKcZz2c3U^$+ICp>0>R
z^GuzhL_%Sg;Utyz4XM0CJcjgJSptOc7EAP(Hl;XXU!w|6IVIUR4)gk4N%bQF%=aDZ
z$AT6lVzqdTVDrOwY0=h8ieNK6ysE5tM=b~ECvDL?zJ{T$^yZDs3~Qd}%P-EmZToqA
zv-(Cj_hotDsV)FV^etGUmC9DYkq~-JLQjQPw-*dQK7^)DCNE~5F?^7P2GF`8AHC>I
zRc_|`D)U^0HB0a;_Z0SSi&@X1Y#wJ~7NI`YB97J(m(3szKh(*ly=mhEuWGZk<&Y(D
zw70*K@5mXXst&w#3y;C%uPjBhP!aF-I!v4zz`UIp`y&-@lGGJCr-@ro<V$Iwk94*)
z<7^WznbI+d#Wn0N1}X*TP-Zi&zk;WArO!l&=6}C3<#Cd6mHuQ%_(`b$l@d^Q8|C>_
z0FfO|dD%=s9V>aecFLmL+@=lD@Z$TU2AQfKk$AhbNcGCEGlzQUoGt$degWjw<s_6>
zoHGCc-S^KwUjPRtzDi0p*_dC6e8oqe_ygKeorjGVz?MG21weK0<VL{QBh2W}g#=6v
zwFw%!V}K$%*x|l|yNU&Onj<1TU48D1YqfecgilkHy+*i%$IEd$AjkW|7Mr6e5}Tg_
zUk_nOAGCk$@zL?d@?ky3bGHnJc6Fwph{^DZ9(PoEYu^9N?a9ukXIhY_2p5JAA7if*
z1$w>&_qVe;TXWRz5m!4R+8Cw}<6vsFS#x(9!cE<zCSMJlr${Y7_>e?qn`m2SI@Ulh
zXZ;rR?ktZVYwoB-Uxlf}i(VC9xT455_|wSjc*yw}<a--4Okad%5T_d4HN4grsF0wI
z`+;?v(V5yifVW7VMWMi8GkAnSf`0VR-6P!mmU&%SC&QlSNx52anNZUph_m^{D;mPF
zvz!)hR5cs#=<=wr=Mt?<jUOEG^6iJ4%u$u)`E>8*Gh(ja(Wk5VA=y!0!J=gwrvfbD
zl(As62ZZ;-xPorUMtXL{sqPAlbHkYHR)ed?sOjeM4w+9xN+O!JYqVUIcYlnln?@#(
zY7gntzbJ}xcUlJ1!X;Iv71Vqc44$()n%nok{`oGB)Hv~>?<+QO9{1ZfDK%fS8fD(6
zq2>Z3_0XS-(ehH5qA*l89!>P%+&I<lBV>;Bon7BWT8z~DRH*YHRBD149#f>IYay>~
zE&%d-!R;(9W?0FdrnCrYUHLnR08+DoVtDQjDpB(Y(~?fh!2WhSW}se{-NJ`u&s8g+
zwSjP?w=zmeW>mr2VR?ku8A3Pq)tbsV>uU34ivh=o<LK-Fj5Uy@Ft!Jbl+~77<TARq
zs@)t2R-RT;K6OeQSEg{ZVsCYY^&zb2$5Iz3c1Q$vcKDinA|#j0`=5TU@^+$0f-n}$
z&#M9wEhZ=TPYuRet`y^vsOY<|S#P9syqt+VC<xtD={f$6?A!7tMk0~@*XrKn_oNxR
z&1ad3CoMCGoy+>(!9dF1IkUBu6>n7+RicMP<UcbT*H1g9*C#u<xzRk3dZxxa$ENWp
zH&yCkY{uIUq<9~ZB4I^$Bo>X+we?yKpUJ`cwn18FJ|}ui^UXWj-Z!KBXt`(hy1HvD
zBlw!yE_*#dwM2YA-A=sg%bjoOtAlIAryg`e1hV?b>U0Ia^)Man!6Yx+My|fnD(Q&O
zpWm_ndU%=L8Z(8D`0kx?ICP62Vl5Lc0M1`4u>0r%KBYYYXM;~^ca8XCqXm9rBJP1w
zo7lt!fZGA!vYlc$LH>^RNQhV?&KAqJHqvP&SU1Tt!POL_Z>f26vcQa7XwI3ogdOVi
za9og&_35rI;Ip^gN)Mj>hB`ZVrA^uNKFqcJZqgZ68huuzI!~?hsRwgol(Ym7ayb@*
zmUX$ivqZ3ZvE^<s$Z>Ctxvme#`yv74;=)5c0b(M;cVzPxS-)}UlQN?BW=B-8R+VU-
zFA82OBBXb)?<dfH%-Su8_#qS66_MGu1E67$0<AiIUCW2m`>b+nfe<A^?IPTeDb_2v
zO$<KMWw13qtK(DP^x~&N>K#|ty!u!%WI5j(f@lUJ;gCj_9I_UAjOua6jj7(XAZ%Jc
z=vL$Oq2dcYYF+C1BNCUb#`oV6KAix~`=?t`teQw!f}n<=Xy6bJzCirFO*{}@Oi>+b
zsO0pcr=`-`;H~rhA@(cKNM~TJjc{}3#&O3;g!#_qM+93!=s`@Qv2`0n=lYwFr*Z>w
z%lf2Ve@B6&f7KuGhHbZH+v5n9;~08*baOUha+<XK?R}VCG)RLMLC8SG+kxT-m1J-q
z^_jYMdZ+Y&<WhLN7VqS@@0Kk`;a3<mUBr#L1fT+}eRuVw2nOL9%iyjhruhYH=O(36
z;+>^P`d$eur}XpuqWL%j4{R~nxQp3JlJbEx&1;QI8rp_ENdy|lN3J-V673?(2lMc6
zJ5B1X!<p}Mp*>I<O<$33i9D(NO*&&zB~}6-%{YU1*i~|<d;)^4sVde^bQ}?BvV2>&
zTYWNyt@hWv-K0i|-&X4gm+wnFw5#GB5o>unN|bg15c@N3wq3<C$4M&_Z5+Qu#CX6D
zIG>qyE4&PgW}0IdO<q-!rEPeR&b|LuFpxl}8ww~f;502JTC@w{{`-Cwnqp@ee(zjl
zktw~=3VQVFL}~Z5#%>vEknnIRH@#TB9|%^<p%jC-RN<^U&bhEsxzSE+x(nZlH*e|J
zy!AP)B}l;NbnnA;miq&Jg``|L(q+S?DijmrZ~x}XtqKO6w7veFIwBbIRl~WX+M|$0
z@e$}|`=*KQIw3#p9lK~bn?`ZETZRSEgJbntHu36!npo#vXtKHEG`+6~CNy=CLl`L~
zk~_z8Fh1NE*YvuF=L6AppVlzIyVs>0A<I@c67|HFHD@D>yP<(Odu}>i`pqQWSE0*q
zb$ImN;424qAKvARc&@@E+(Ik3pspNwYW5DE&hDkXvs34ysL)H?b<Odc9v@PM?ke=^
zLZ2RMC%`n(;ZG91xI3;);;2o0)?~KO)8uhQ^s+W@3fC*w?z{noU52kD>8d1_Q9!95
zrV<ri>|;~vY)!2o=H*p5KjLlcu9N`dNk!0qdYo?hTdu(Vonh|k<(j0PB>a6;Dlq2^
zIKJ92HbzPhxAqRN7VgBwAu^qwKixf+RA19ruf9Eg+wM_8W8%QTBS*rvjOEhHldhg3
z0lhcUq99#riqV_(Fa3pg$)z5{&Dk9nc=iiY6~a%F8v2J-C}U98T{vk=Ny`vadszNt
zt+nKd3|7j=T`}#q-F<Hfq6NseBn^43ffxKqj)dVMn0hFs(~Y>)h!sWu8H4G%D9_e=
zrn7d(X*1Np3R;l)E=JpUmPsCG)ozxNMPUNPrLGZ5T=cY%UL>Y-WwN%xqD%~@Emfhk
zvi&S54oieksW_h|TL~5b>6qXGmX&E7kJ}(Kr}R0_=EnKYU}C~BsV|QajSW2FsagxS
zo0ACUZ^{AqDiaqd8Gc@d%d^zsiyy4$CzJ0~-*8P@bgZACuuu)7YPmVO9a$=9@U-E2
zp8#P`0F^(dy7X#~6@WqOlxRxHCW)p1E|F_m<3_J`h9b0Vj7hJAYEi4k0y??B$kwp!
zgEQrBrAwnyF_wHzZo-$VCTtM#<7SMhno$NSac?ZAqL*LwK#K5LM8jft#-3amKXAP<
z-8H!IqTAJ#yqCe{Ey_Rzu*(V#6#1Kb2j}l>|B}6I-ML4%c&esLZOsJ#e!n%tunlV+
zdD>j|ttkbmnR=P=5kfxm+%eIbDtK6h-uJ3r^?ARs`PFExjGLIawcw2_LqcErMe;!%
zdjvZw5Q`jNReYXKC2BXhU`v_d{d=y-HrDm@%+Qz|q#oa!Qe96Md(PI^&R6IP;-0fz
zZt_B+%)VZ2&?k}!U^-WHX8Ji2ywhTW29>V+-|*wpip^rRX3{IBqNC_$xUG3~zeZEx
zho?UK01N5MBo(DhoFcjxJJK~m4sUR2pVNJ}Au~hg41IV)*7Pa|d<C(HrZbh%mj~dK
z8dQMq@d`LPfUR7t&f8;&$@%!&W;TOG$4kGg6x)IVq<!#g-B`M88yUrdeD9Hm<iKi>
z#QCna%q~#qiOoQtm!c|UyDtDt8ZNlIN9H>&%gdE%sXKY;!N$)gqdjS|$Mm0mdX|KJ
zGu`D5m5N^x;3D4yu8*+$THvCvup>XLSIp^6tl(VttBp2hOonz&x6KpR!^e2^E&rxC
zu|OkJZOD^{=2AhN(N4zG<X3<qe|I~Zzr>a@6L(6QevDcMTC{k1dP1~d6g8pL?L0#p
zb%ifrN2ZmFxC!~u*6~enAM=v}P)ZEiYX|VBJe9!4_4l?K?w|CuQD*o4+!*uNA#yhE
zFrQ^9jQ)(Z)!w#UlAJGp!Y^?<>mC<loQhK6l&^~eX_wGQ<cEcrIjvJ!zS`to3RS*X
z^EV;oPjvWD9}TrxJBI=FzpN(zVyZR743qB=dg_OzK!rw*<v9mn(l%@ohIq3|K7Zd?
zdAHQ-Yf8DS!+L#D05rM&2g&iPv~Pa|$^5t-WhsWb<v2cqWj78{NtM3dmmS_PY1VLE
zud4Iu8wKW6>CX@B{`t)R!kPSIr66cfiPgev9U_fOz$EL}n$)G~D+zuGe+UtZp)&nA
zLs1*cVXf)c>fMnl;ohQ8>K?ERCUmaXE!y-aAB73e-97*4;(hSNF7}HZv^vF}dtk71
z|9o%oIyz9?0Y{5b+Pa;r+K7{0cB-9?rQ&^?#aZLX(ZQj5=dofzAI~d3&7sz+*mMBl
zzO1NgN9$-!d#aYRF~+6tQnWGs(s0fkPbb;NYCqm)Am|WwAI1Ch6iKH_7*~9O3`{}f
zJ<dgY+T+Y1w5i<Wr)y1r=}6duVvnjgLz1{U&o<~Xo&f+D-?!2G3bjpmSVE3b#bKht
z3Nq)9<6K1Jo?tdA&bI8X*3);a0vjrfMYyXN=am!X9VnRsv)GYt&8#VG)YW1;b=S1T
z;IZ;TKJzo9r_^g7zmAfW2Y_3MnPaliL{^tZ>3ivVkG!U5bVIFcO({OiyM8BMCW!me
zkwb1i(xn%s#65P9K#hw)rG*~q3UzNr6__rr*H6rCY`$YuZ*dEIL|~-yh2$4o_Ur<v
zW$S$p*Sn3=p;TYRMZN1p{oslXWWGyKJjwd^5q^uY(we#4@bPa^j=zzRe;roM^!m{o
zeP|wQ6T<1~q+S3Pm>6x&-q)9gW%Bdqr2^dQ<4n?C3mc5kJ={x0UOzXu@(>><FkeeR
z`_b!R`6CWlq^ZP=>Y|SZcNe;Q-HD<ha<maf_LoD}9SINr2zUUogE=)c04vWCp7C3v
z7RU1U9tW@&$607HCFJ8o8qbb?Tay!&riK%4I!+9AbOtYy5u9!4|1;C|k7=5J=30MI
ziQlXl4|I*Y_B3#nC`D0=Ggy}hj~A0Zw-hoy;px~}6H?mBO20}|K|7?)!g1xtt*}5+
zSguRDa@2vYa!(d?^5LXZtMRnZoKUmZ@60c!(d%GvZVtudAA}pBq+swTy!A-_qEDLU
zd%eFWn|a~XElb*!!(1t0x&GTR()PEn4U=-q6s7rkVjvO<I1lM@p$ci~?@Z!f9vKD#
zlzDOVZX5ZjC4_O*S2>^*u53A8>1$9rJDZzs$!63PF1IW4P~S=`b5~)&M#aM2o7=EA
zu|qLiZN@{7e*MV*GG?*T{@upQP#wj>o!5VhnSAs}Bs0FZNiFdE;LwgJFn!SW^ptwq
zP0q@bq(NSiV^_tG&)=3J_~D72J14(_YNtE@at^^gFUHkdv<EQ_Dk!2$w+ktp$`tmm
zW}yoE%%}NjG*<mjwVyG*;U^08&+q4W+E;ZeIx<l3T`Vyu2lOF_^mpn10&z}E<z+Rd
zAeO&?i|9#j%}OgWz2(r<(){L8I7`2=*CWD&3cweIYL7nW!f5tpWGZXmTq@>HrLZJ#
zywLXb>8#4N+p}(ubYgH)XIW2-_ge=)PWQ0x+r7ROYc2;Uy&64Spzryqm>sDgTQ=+5
zWR*)d;^bq0W0<(-jsz!<s?qD8A<;nV-<=bp=Oe`Bbe5L79M`(SwRsYQ-wCh^YcB(G
z!+>wqN&+$l<<%n=w@7)Gv3uzAn}YnxkoIm~YpkFeT3|xy0R{Ip8{4P0Z<y2#MPr{t
z-nzr~5d6+I{<^Jcp872nMk5WvpizP^`k;T8D#q*l3bpgQ**AY>HkSo#^y}qNQNd8^
zQ}Ja!=#el8AMDardPwbY{T_wo`p?*2gj5=n(j&pae)-~{yp(;}+MxRYxiY4%B>*Mm
zc+T(3F>S>CupOC2BT{Lu)pB~S%4Jo$Oc%V+@fp-6sX~4M)RA^j=v{NMX7KPM&hv{;
z$NKS3H7-{m`+Oh^B?R_oB>@gO<NdbSfNt~J5AClp>&GF6ua%X>(p=ZX6(D#T9dv4k
zWsYna3JALZNKXwaw4jfyT}JUy{IQuehbFz+YWL&3`ZPHreD)-D2<mR@iuR*+911P(
z_wstdcN@%N8b@jqk7g{{ii21QWB(~a$>6#>;Wa}*u96l9>aaZu!&rxE275raMJzh9
zuH%*1o%7*{?KGH7F>2;bVT9WNMU`-GkgzsCU!Y<iiwz=7WCyL47p2O@6=w81)erv5
z!39t%cBDs<y<=>4PS3@=%;ja7!ppl6MenrzN}6n+##yE?GC$i()zHePEL^xr5_ru+
zEaK(2$io;t4qxlW`nJjKLgpKHgPgdv3mucd&0M=ivR-QE{&og6(8hSqaaKTJ6T0v5
z6MU9@hG!@4-tYq)T>{8O%RMcYn0y7Wl5oujlbpq^2)Oy4=Hz3M#)5{b@3h9oatjJn
z43&wk1>`w^0iNWjSh)bm@-?yY%WKu8?8N7jm>}1e<LckO?bFg7>H)8rc1fOcV$%VW
zvl1o1+&jb^m!H2bLci@X6SE;&F+%J%E&1hWM}<OcN9{zBBvl?7bIvwZ7<O75q1nRr
zI`_v9-)5M2)G~(D8Gx?vN4BW1S)7XDl+kg{DkpR&RzatVMe*&DisOET$qB8DwT&OS
zxzhm;D7ohzn+_xXkpf`axvjBY{tR&VLBrR&F)oFNdhBw3D({t78~3BSBWZ(Q5$u!p
z!@fZF&<;BWHY*j+S5gtSD^SLPcU$R9g*FePNFyfhxLhgj`H;qE8O3KA(qq<PgIJp<
z_(@SzlncppfmA5aF9{2X+6QxU=m{9KCXzjRXTd|*6V#_?4%Ga8g%ha!<<vmZ6z6{$
zmzNcP7&wAeD|`?<xe$jh-F^g)4LCrdkpE5<pu$#<GVP(CgLyNCze~tM@t$Q(0RR1|
zN^WndOyWpVW@1*|-VUN`HBnQT`-4YYTv{FM5E2|LA1<gfY`N<uolWOF7-BSY2*mmL
z)bMiis+i`gem1<+)sr#*ZrAHEu;mCEtONhJ;YWHta9(i%6mu&5Ddw<W$#ww@^qq=b
z03X27$_FAc|FrurmN+Vu>EpYhcr;);dvoch`^5S`mQI2Nv0|s0cu0Rjb83sf2Qc_w
zgns|9wttulMo&dO-7$}?3R|;Dk#b>S8=si6vQlG#hfxF$i3^cNMnIA_K#;5gaXQ*#
zIdwW)j1etEfeDnUN=scVZ7uJjC*67DYN!>y*P}XZX+kf3dkVgVIgaoUBU`V};>1iR
zyA(O4UR|9-&S}tHpW%5+FrTEYsLk{CSDMY}uSrr8Ffg&Me57{>JG;Jd@Q>w^q$%*3
z^SiRBfU`hf{KCt1s{QlczaH;4k2uX#3i(@92%k7J5ug31iWP5@sP?bx=bQmwqE^6X
zVwl5Ub>RP7MD+J=w1Zdnyu#_-$~Mo?nmSZt)k4>dm)kWrW|=%JiH^LMQw4lnwN=s4
zS`YdSa5s18-U;Y8kE@J6mlSzh>Lg+5q(qNUa?39I7|SO2{sGqKMLCF6uu8Slw?H)8
z@fB#|KfH+lVv@i{|EW+F%KF;(-P`eXecK>(!Wo5b&Y$=G#ef))Lv6Uy(H77v501)4
zX88A_PFg9ptu(xT9Ls$7ZhO2dbC&J4P%K}Q7)wL_{#QT^q};=Hlz?)j(8tO~img<Q
zAC#HFU~YDwKR%4pk$?L<Feke!Pzo;s^}Tx-v7>}uD7CNl`Q$!+6-bHLs-G|?W-IS}
z-`M}r_INMN;mBWRN4{l#^#v+W=Frkdb9Avw(fnNg@st={*C(X_zo&zrs$#vau$(gx
z<f^bfhiBYEV5N&gidyH&txX>|zc^a7$UGX=rhL|R>dJ0~rVYL+zfS<XA}IZ(iwM$C
z0rZakl9;s&^b(cTS<UUK9ov>_e7H(khFO1b?g7bz;Om$14<kudo2d<;Gp#SoUF!FC
zPBW3w7547PTJ#FG`_`nx5a~BLN)q;`c>xt(@E>1dl=`g>OlO$@SUDNO5xwWM_zI=*
zFApqq3VKV1iH8@yBB<#4hKk>PqST^&Z05D{HHX68e{_lNy;K-xy#;gD9)A~cbXE8<
zCi6!__}n(sS+0sX%i`MgGh923x5JB_3!o_n?0^$nX&#BX04|+!V(Im(gU9!JUh-xY
zx)V3=Ma$VonN3mOy-(*pu)={)Li_Fze*ri_qi^V)a<?<E9%y?=H)0EWE5pm}(x<WE
ziB3Lry?&B+#y%CI&3MixACZtN!&RJt&6$<r9gs`Wg5%H1P+xhbR!EJF1Lb<^vti!4
z-pt{iEURRaO5tQ(=<HZMMWNG`l)_s|_pShg)wnIJtpQe~uN75E4>vKanvn`1n42{p
zD6)#t(aF>^Xs>H((BJRB+8H(wm&mdmMRt!}G7$fC4u9O2MBd$qVw|#3n#oLy9!im0
z-GcqMJ;Mt?Gx)5xXYVMLL?~jy^itQ=NGpqMi3c<tkQ$60I@#BL^iU77A>_PB-#lp!
zrh1^sE{u4QsLrM<6<Wo5qTi@a4$RVJc|9dq%esskSOH%;AAeaKoLAfEM{1a?8CAzV
z{@u)6%T;uh$rvjfZM?bOW%K}jZLk^9tjQkuJd5tE)L&9B*XjHQ77=_ZSB$ed))_z5
z^L$n_C!ETr-aD!PS+%!Bk7tPC`H!^?bdU`4QxW51%N(fcDIfN3^GZSlQZx4SrY-U7
zrcLb<<eWNt-=h!d8a~pm<mtcpy~+K411#y!r~v?L(*FlchmtZb8?$AKo#{`A+(5O5
zw<FuG$SgAHf_np;>k`gsy~kFQEMkYah9UY_F8~c~Hp{FBfudA^F#;!owZ02cK#coS
z&kd2ZGHk(-t*fsQ=E>S+okGIT=N@#Q<ucEj@4Rv*BML0I)?E8cM+Fjhq7Y*p?9Yh>
zhqdw4XDq`-Pt}wPbG~f83{P=vf0%lS%rvJqc_37{>)}`qIZG1Togc9TtIEvpPsP#M
zaqhff;R)y+m?^e6=nzb~W!#imp6v9}@_qheSjBSez)=+aH7i|il>};@0O^$6UcjXO
zEJeY`9R-CtBJouNLpuTYFfZDR7M7fue_ozA)qOXAqqQK{CiKB4wLTtgSb+wDhYLpe
zIR~nzyRsKC17S(-G6%=ENTV{%EkMO)rU6c~<w(oUgrRt-;8j+&9-L)~*5ERoxC&GT
zu6AUBec(^gg4xYowx*fm-I)o&*BVpl-5=8}`rs-(XOXF~%^Pd*CJ+&Adld6VX+olz
zTeCq_Mbclw|MScu2&cB<=hd}HR6WK?->)Nel-x}gquyB8C_^LKH)s*15U!>Fi0?=J
z)p<uyRW**ROdE~Q3f!;;c3R|6e#*TNj`mti{!oz?M%R_`s~7UE3&*fq#`&1TTP<Gq
z#}D4`GX%Q%f8NN&IbQ%h{t{T(7%2e-ZdBP&HX)8)KlSJJ9lP=AHJ##pyJrk59!z#u
zFXK((F6TOc+gi?aSV@cV2%yIUVWyPIjW#ySc|lWnwo9q`kVC~?*uhX_ZA=$Sb@y}5
zims$<Iq!ai<~n`_Rz(6FTuw$f;K@DK3<o2$PA{zrm7`#FOEmMFO`L66NX~6$A>!8~
z9Ik#`b7~5=AEg>0qIQU?KC0%u0^d4&>#M^Qh1my3DYKng<~n5w;esEvr|gLt&OWY1
z1k1ZT4!v!J56WG6j(`d+v{wLj@S0BKQk;^~dOO4aV(&epn(WrK(I8#A^o~^NN*6*A
zq=`sTsRAlBVCW?X5(McT1O%iB2-16vAiZ~_1OyU_R7nsaK)~;L*IsMA>)m^wZ|^hC
zch1;9&JP9ye&xxW&z$#t-B&>nqFhw3ZGTcpxwgAsGH<ngJUao916&U6%xyo{H9tx=
z_|_xT^ggnuw8ayo02Kn5EX9ubTWk)+n6>>Jz8DQmQBDL}b)P~SI8<LW8WRS#NS&6o
zQJyxK6P@E*$R3jftGv0$L6Ayz!-;m<nX@`)FS$g~9kkZHoVAPPrY3W2sXfQjd9ULc
z76-3B>uNm>xEEZONb}&|Zf8PyE3AA3SR8VZk9MPlv}#tVc67AGFRLix$JFwud2Nt3
z#~vZ3A#fxi3gLMdEu@XL3byxpFHB-hGqe=IeGjw;w7mwTuy*<Mt{}0=hQfq{#%ws_
zfVIb9T>R}ks!Y&oAU8%Hl^$9tt9);|OHp&PqTJef&NQ=PHrsWsPP@c<)DO^V&`PVb
z`KrB1s(HkbluY2N8nQylJHd;2Z$pk?$>e9YfyU@tk<3^W^~s$MGmVDa_h_bEi=7}c
zSY>ykG8+fJo8O@LU)-cyav_$lpM6|_$Q{c$>n58R9>+dnlH_Bu9lizl3#>%Us(`Rn
z(Fb@BR8=UF4KjBt-G=qsHemMRk}g20FDASmCD7!Q^O#v;fS>BTD4F>hEp?F!C7wH>
z`x;D8HH?eehI-grvT%wd%vmgF-Ikt3&fnny>1ZqlcvKpkX%6Tdno|IL8u^IJx#Gpe
z1*E}625E*H(KY{SO?K!Izb9y`fWR`5U^AEpfrGA|e3i9faBAhs%7>Mi)(7Y!^ok*A
zp^qMmfZP;ya{aAJ)e;r)WvM*RgN2;{4kQnzDXd<S1Si^ib`arRaivd*?0TKv?fa#{
z1pE~qZlW>~$s=Tg{5kp{$RduWd(>XMBT}p)P{YGV95LsYnH^T9?<at0x3AON=!xuO
zx@xQBS#*cvry2{_bsQsR#R4-Ii4X-QiNoDYIX9I8wFO^4bAiZJQMg{~_7HljR~~)H
zceCeRQe$gMCg@=8KOh;T;vTCus_5*9p7DMCj^~(*<*;K(J|+BlmOo-e+K)YGyvcPs
zdtsoDjMVgR?bln-;HI7ve{*`!Kw{eq_5ENe_fm49dCE*sbiYx<jLhOIi<ME!fOpqW
z;4N#`D^lU?1@4^GG$LPaf@x_O2>L&U7UIr(gGg|LdAR7?N5fQX=X-h_#A#<#nozs=
zryH-;m_TYsuT41hZO{*80B0f2qwJuArQgNm<T8D#TE0k|4cHZzx(#j$T>7@u>*D%O
z&0t(+Qqbddo0xit8c7jQmJJ08VI=V)Ku4WJg>$_4bWsc}Z+gVhKE-~!cFJ*8?V>hK
z*2WKL7UJ`wpPY2;dxv1f*8hyd4jwysI8$&@B=d?%S$)I%6i@T%+ptq@b-3=-W$!hU
z`}-25Kk_37D8B#%s+acvtl$VXg9K-O@n3uhB+V1d_iVK~3B^D3@Uatk<_4~@+KORF
z;PS2G9ldFMM?}E=R`dElEAqb==6@8o27P}}!?=lbAw`33{^hucN2XB8?la?l!Ga)q
z_653cbbQ7`Y!GV&!&XwCr54a8cc%?g5KpdZf4gE<7u%!P_qMpMy%iWVzO9$7KQ}6L
z`PpRY6ZbBMAxTaQhIF+()K9P&f|*uto+<L+Z%r$3mOLnY_MWMwc}3dR%T~f8CH`Zu
z(wph}qu@n>xYn+heY}Rnn7$i?@mR?(<Dof{iA%5uR6=-VWm6Or1~RGb#~!TaoefH5
zr|kBu2Iu(aQNnR1a9S|4>Y@r0Ua!5Sj-~~ngx<C>t`p8Nq3FKMa9s{tZw3fKcNHf{
zRzibr%;RDnyOF_Cv|2I6F{sy-{1d-eZ5?wMuUnv}%;x)jKmwjyeuB83PxRIIK!8*M
zs6-q4LxV^!Cpu^@Nq3U86|e$D8^;Zb{K=zs?GIzfp5H}nG&dVaLeBH@6=<44FJ+5g
z2kK(wb~pppI6qiGZVuFKFH?lC>qFUvhx9%v2BxRPlF-J@PO9>a!`9w|UjDTvC;qqf
z<)&H=8qB%bh=XGeG~5VXq(|*B$Njpkb(6AGOsw8j^!`Q_qxd=Inh~Q#y5dE#lW~?t
z0!DybN*WcY%6ZTqV?(N)cc&8fLz3f(jV@ZKy-~hj^Rn~3CX_#*cStM#xlN`(y~N{L
z4Y4dI!jG8rFK})%+<CXWMO9ac>oa{(z3GO43+v6UAG4y5CZ@(VS@`2M+uoeMPO6~v
zV@h5hZn0K3B+SIj?R8*D$PmON6|3-Tke}NsoS3l;M~RdYCt7V(TbYn5@*1mMyg&Nq
z6V~npCYJ>1;dk1x!8Ad*JI_{ELR9F|4X~rYYz85TrgAa;+8|o@s$@~y!=EEFuKUaW
z^}vA-tbA9cd?lDEVnNj0Xyz`8gJ?c<L@a_Ot@TX~pCYBA+^6Clrex*KTo*C%PYa7f
zmv%<1Q>@~PBS!4mA^HOdkOy1w-uE?g1S<p;Ao=Djbu%>JlM8dr_RE=8;?ce+v9#Gl
zi+2^ghxNlc<^`>(vBEz5_d5&Ni{IWL^gej4%IKEW-4t{acgLp`Rsq&qwR#q4<Wpt_
zZdJ)DrV_K6Z}Z<Y;kDFTKs1N;UVpFKJbXAoiu`jZ@K2cH@5}mMzy-yZ4+2pA7g5##
z+A=jt@)xA#Z*T2w8ZO-O_wM9B>YHzGEOMjq>h@M5UD~2-{Y>L3KYTfg>Q(Fl<~=QR
z3T$#75nXX3gk2r(ocy-3WYu1Q=Cn$-vbAVd6Z)Lw)u1+bn6E#=7xrL=XiaQvgkT0h
zGye7|NoZp6jQOx#T`Nh;=tlwmX*+$#3;41!iXtL`UPQsW^(RS5ohJ5Aheiqs*Xhs6
z@Wi+*0QW>T?O%sh;mZ2YKExRVBO8;3>0f_{#wcV9eY@miHO}7^y&2f22Wxxi+B$&F
zDLR9wFe}|FS0O=UnDF;6WUQDLpkmO#ZNbB5Hm$GM9Xv_zB*XHkO8+=9sUHHyj#fe_
zgHYE%XaywmV*%97&(==dd%)N-<6~P}_$=dHUqiURqT?oqBdY=tVem|cb1vETjWo81
zkU(?N$c~1Ola83Z51o=vTL4zWha%*b<vojKn4M-cgiCFmw@$P)80wr`PZREK6Pc;n
zJ!;x*&0Cl9q&1{#+_)tgN#WR<wzR~r$B-hvh%a!_NtC&Fs^vb^sis831zXg`1)wtU
zM&+G;9t>WK7I&ad(I?ENrqcaxZf>;CORaT_;$@eH@|wklq|`{0cHxaS-3e4Z$II7&
zYqh?@LD}R)_Z7Qg*8Tcsb8+!~$CgArS@fb5@A6{F;w?wX^9GNfhNPyLfHiM!7M~6}
z07rE4BS#IhzY;vr`npg+Ub1MtpzT>vtz)MVMM@n57+bD`$lImx{+N|c3bS9T47dQR
z)@hSj%f-d>Th3|6hFWS4zAZVDvZwqSptR=<Xz4yR>6PPDj89XPo41u|caXqz{V<jF
zZ_u5r9%hr{wFl=u+3%ZD?#hig^6g>np$&wF1$<p;4krjzIPl&xLA-c9x2rUSyIfq;
z>|KqQe2te2O;Hk+#sT5+!jHPaB{j9e7mHyTI;USf2|!I)?zQ`HDzF!{(1l5GO(#n&
z`IN6dc<_~1iAsUJJp@W^Wtd@yctlVwFO|HLH$iNGgNR>Mmx+;#Se8Oy?fgz&zM2c;
z2_M)osc>;4?it&2)vSrt@OMHb`+hrq7ZU#b5y%whbFKwZk;7$G;U&)*rgn}^(Ut)^
z(EIfB5K{e`7R&5Ag6@;j2C#|Juw@;>;U3Rs&^O!$HdG%cT;Rkdf+Z>XxQ%2SYvGKq
z3J7F}e$H=fPR*7}3>=-vGYTKuBj%3=t>bOZZ39IyRF_#FVSVE!QxdNA!}`xJ*;~qa
z({<}xlBSq*<XUJ%xy9%EU(~gVY<%^UB3Q&pugQml{mRX@6eV&?D>g>c^8I}{uv#4p
zAIDDij5WL(#uhAmvJE9xgGO%+Amu^a43|<)+*kQ0#bx!`O}@Gz?#N8cn{W3m*uCw^
zS|_M<2$zEvi?Y=uozBOF22-m`A{F)ASOAsZH5i{I@EpavQg;d=FFAo9q@AK%Qh=A2
zyF_smK|J)aEt2Kd%C%By5`Mw}6mwt6rG(2ee}eWzu>tiq1|r|8QaQ>ss)alrQhMti
zqQRS8OBk-X8v8R5#EunO3(CcG_sGj-wr78GHksHyds4FiNh24SnUhDBzYM$@|FiV{
zu#CTYD4{swVhFU;&W$@BMw6ua!%1RFolYzq^5xP?Ajr%v32}+%op!dA$#=h$@sa4V
z>O31a1Supi1x;B<hJkJ2t0>I(J|rU3x6D3Y?^Us-c|(~qbK0PC{Z+dbZGoQXtRW&T
zo`Hck0KEvIeeQ;5!@Oro#)XJm^qJH*w|^C{w5th!#l<2iA+{;4Eija^;41bb#l9HH
zaVn;s_^6s><6vK@Py?NgsZ7Vz^=I~smw&^(?AsYy{$gpfBR7#1^)zauP5sstU7lpM
zB-+@v6BHR?!9^*U(9flKm(3v*?Xpk3W-$3nT-!8yma%d2!_2@rPn&6m{gU4mG|R@}
zO!%u(FE!?)T%=MbGQ`4WhmEP@!xl0;zjQmTwXcW~;afXiEYQ7_kmitN3eBE0u_JgR
zrp>}nh`@9JUX;QB0*!{ra2ofCTlY~MHGDQJXnt)U_e5JH;<}Z_vta%!G(r_1=$}*6
z|Kf%zyL{k>>bQu?kpOO(&sYEb4RaNlR$yDOJ!jGQ$&axj^{u3b7r3H<H;SRIjeY_|
zE`$sQpRdkl`Bz#l<885=<rBMHa%QgL;+4-ABvK1X0g!tEx>HO!Jw&7Os;A&bsYvk4
z$Nwx?0b4*utZ8R!LbNxFtR$r#XHzu(wr6JJYtL2N{aY8ieyTtF(9!~k&t3ONn(a+M
zY?nmX_zWy*CsI332DTYJXWF3mnsT?%#SaXYs=^GihihBsr$#t~mjBkWuBzO|E6=nG
z2P(UfKrCL@q`h)e|D3!bcuSXoDYKzyW}iLm#Xa5-{S20sCIwa=!gpWc4m32oiVyOO
zcU0-X_R7mGuauA5;L_WNjn#Hd;VZ)}P05oLa{O`=g+WiqCieu)m=l|c%~kCU$RRI#
zg7`5Vk$7#W$Fo<(yG*SCR>)I&!1Y2C3d-EnGk49D3nz~Inmt46ch_958aQ2IPzh1F
zba>7Hl*<Yg&h|l4QGI)DTWC+Zq`>EmiV@SBI&bEKV{6sRD>X{1jVFg%v_KnRx^o#9
z6BGHDCs9FsE@uXDRlnl&jML304xrz&c|J!^30Gw5?#;3?_J)<esi?Q)WYD6$F+lpv
z9`$gQhGm)iinAQDvaD+RxWcE<rJeWiy@oxTWyO-6rM`zKqf@fBpJ?;-^D$jeA1?G9
zJRj&1FlvD2+&GD-@}Xi{>y}T1!Hq(8l;Y&9decW+Yp<!V51iiI6T1@O2oec))y0r@
zHf08~xi*wIpOp(&E#sos_Knq5=Dd7tJ?s_l@kME;O<LXa%`;}_ScUSiUb5gMOYkzY
zwpi0Jyar%|`dFWrhFUA<#_aRP=sEqcktBWx<UqR5bFCBNdHJ!u$L<7<JsqS4xME-A
zT#u5&<S+IBf$ADXu4-2zVo7M#vsRO|S*f~SFGs?U8bU*UqJ+^Ppar8`%)k2^v?!-a
zi?Fvx4@y=^{y;n?n$<9Fbtw_w-;DcO5mz1C>*(;>n0WEnX(;unS+JhtxiZeS3mK~-
zhIw;Vn8RB=1I)Ie-w`vIIo4@t{i(Qw1RJYefIn|tlixDuNKIKdu_=hzXP?@Q%O!_%
zLPcmhh^?B5xuSBr(f8$PTjrSyY~+50oAUc0JCUZ_p2Z@4surNpDY(NZVRyelLU#u(
z!lP)>9BBzjmpg8Kb5-)_+%n3czCKffAk~;L17#YvminP<kpCS?Ff$6!#R5$lUUe1^
zU)xotSIh0OR+=;3-wUsDPfJUq?XA5rYwJ2<RVdFa@j<{yU_FmMZj8XMZ-wGlN36y3
zZENNBtZq4sSQ3j2m9e-Ml{$I)wSF(+Ur}$?oZot|Ch0;eGoW8sV*sly4TJVqwp~HD
zuzumcOdRgcc%QfVOYk+kQhHFGJi{I-K*io)xS(SmdQU)onD;w~(5Bnws&<#T0Q}9F
z_rryyc?i-LqL@|+tq^}!)5wGYKS-;)KlWT_GPHdqk(NMAhoBTMU=Ybxi_7g#<P<dy
z*XP$HNh-Z4CDB)U7-9T6qo^_NH3UVrdWF)z(?sd*6*!IAj^e!)SPaUlJrr%l+-J(y
zlZ#}w=5<<2{T?m*(DiA3Di<MxhhqEB?C*`_AhS!_?Uxn%<B<*DTkF5ds?u&R-)L*9
z|7^a$hNx?bCM$?TGB`vQl9@45nl+NKFc2hm)WIXfsvO$^{Xl%6eZFqVFwDpH<8mjx
zv-=ZgKZ}Hg4KH%o)a|MtJ#K`WB8BCYZ+@zA66bcVP|okBDdJ6$`OVXKJvh1~wJ70P
zTU&i5^6s-b6+_*n5~7<=3u{=32$Smpc$ebYvtp+-YeDRNHre*vLP%@QyC%71ttPI_
zI}P%7otq>q1o((II(eeufT^%NT5=C-kM0ORQ|+Qs(3FoDk0Pll{kFp#+hnvT`}5mU
z_tjonb1+tHwosbK%+d4y8|YIS$o3Zi!}upp@4uS1n&RJo?}ne#2U`6G6}{yA_X9&N
z%X78jW1ulRq6xdapWKfnwP~C<Fru-NHP&m}2%^5GXK9|#k3C<NPWwZ2NPw+M2ol5F
zyD{S}Ycb66mjYI}+^$RhnEROAu%ixwUO4K!NYOgiJ#l%5d*S=wifqrat@06+jqxdH
zv6;|I8<&DMpbgZ=Hl|kL?Qz3}fI%y+OP{y<KBl94;Fq|d(&O-Nsr;YW1jfiA-2MT<
zk9CBecII96%dJ=K<)*a6yVPMHG?0a<qD0&xGHVyQI_wZr`*yz5g;s6+K6fqO#e_?V
zEQJq5+7VVvuH%NWlKs}IjT0)jU98zvSVOg}gbZSIri!NvGuQ4%qmb)*PID3!qVFTW
z$A&2w-ynQF+u^hlb18>WDML$M!G$k&o1XOtU$X96sO#EN&9J%VSGvgi&c*uWLkeyc
z>W1?}^#>c?)qs|<2K(mdVS<m&XRqEcy$mZ34ZPQS5dI_N-5y>a@@dQ0NUS#OC-~i>
zVQROq5kEcuyA3kXUj1(n9j+hM-`hb6lkZbymp!0|cj=5fdI3%mY<ez)p0kIeEI_n^
zl5CUq2-Q0Yp;W}@{-6!^VC5gd;5L*ept;8Kq2;^ZhU@Hw?RUf+P4utRIp;uH9<9QM
z_Z!yBZ}Ti&3Bu&j82!0j{uqe<k6;1V;NP!wyPebH0fI}Bg}{H<msV>mnSkeUIL`4o
zMh9!|WGy($*uSJ(0F_(NUHhcBptcTYwgCNN18w33R+afWGmB$nUrB5pnj>rhZiAbR
zcz2nYAGd8|{UXy>BB69gx^5<=j4^jL5XU1M0v~<AkB(;!%!ge;(}b^L1uFy_{6Cs4
zZh2W!r0Yx$u~*1JLQ<m?q&U1{4GGrV7P3%t3771+CR9YEgly<XT!(4voKR~BTH!#<
zO~}1Z&-}_Wx%aPIEJa2tTFgQSY#v`^0p>#A0!*fYByhh$YIWGVOlioz^rGQnZQ?1*
zMe$m+V_iUr-rZoPXz$yDRv&{UomJ~1y4w~i;|iQD?90y_!;T`$%ZuW88X6|tHa^$r
zglhHJZ`uW>ynRej9nwPp);O2Ji(yTBKD(iP+dh7KvJ6Y<YEq${m07#V#5|jVpyD5A
zvFcibmeWN&?p$EILVj0-fGO)-Y1_yphixuU4=dUqB%0ni*Wo(xY}SW`O;i{h#dDjs
zleJm!wpHM8s92~FwY=Oajd>o8L`PJ42W0=MQ(lT|-Kw&=L*lEh7Y!7IY&nVmg=0ut
zc@a<qvHb<`{I8CsD*Ssl;Icah;Q**yecI`-9FdEZj`dj;s^6dmRm{m{R^DH@0>Bpj
zr?C2e&u3wR502nv0j;7&Z^zlg5C5KN0tnCL4XW{QoK=O4F=OjASUWF*bi*`T?8g_d
zADfpSr_uyTM}O|=^$t4t-a|lAb`);`!YClfF$XB$0?a*wH|@-m;9FI&oY_roT5~7g
znuW@uLMoCSNO5a4ZJAKIZ<><5yBYZPoeLBZA@}i9oDo+NMzvE#7QRrtI`+m6=kKP7
zYtwE2DSH~*YRKi)f04?>|L*or_*54A%4SM4sot7X&?MlivQ!<qSN-HPm&*Imp`$|l
z6XYUQrTdET77WZ4Q3Uc;0bOL{>3E$p9TPh2Y=W0LrX_h}g!A|n-y!T?bvi~{iF{T6
z)Ga*xbKWP9h6O{~oe+^jcaeE{4HwguLx}kiQ@V4hjA`9rMh2x5H}s-EBHD<iwDJon
z7CjX9)!3MpIdJ9`L1QYSxZ$<3=4ZIF=RSTNSk`8~CzB1h;*4jtje)1tr=DWBG@OI^
zBl*}lbo@Z}+nN0_K^(A%HRitDYv4~s&Szh9BLe-Nv%ITcu<T~juynpvrD;~_DiHo$
zb>r<WpNE?oxAEn8$KjnIcKCdL0eqX`5kZD`E>gArGK07KI-muIe=!|8gp*xP%s_qP
zvki`I{r0E+5Pki*BS3jHA~UM%+eh5zLT62v@4e6dm4QV#gmC!{5@N@6Tz*lx@f$Qz
z{}+PRe^;mfpO7#A%4O;8IP~JCg6|n)9WUQ*{e=tk2lD10u}|eD5D_AF$%|an_wd5(
znlxd};^{KjkRa@e2#DN4PI~!<p;S-Uff`qohg%UW^j`Ap4!geI{h5jpPi@}vi6@=B
ztDi_kwuapA4Dg&8lFF~H0Hh&u6^@2!yfV%b#Z4)D6!ds<vR==HPZ92eFSP2OUpFLi
z1XPcXHVY?R7UhZuVL`-!%99PE_DR<f)A(EVZeZuF$!7CwJYS@wg*!LQLOW$Z-$ai+
zE^@qY9DJBmA;c?9Pd}`GrE&@ll(eO7ZSX9gxW{z8UCM}DYbd!Oo)`pyNv?Kuu7o3F
zk^S8rZ!W1Y4HqLMNS6v`^@f^E9X*m;bzRZDej?e0Ya%qxAY?-4GF{BQ+KK0w%J@u&
z3=hU{smb#_JdHWG!2=ud%56ro2HECn*IR(`6oX_CGhSvU(2_KvfhHn|wH2$}xWWg}
znVJG{jj>cs#Ngg9AWB&fWEkZ}sqa#5u8$g((1X)Sx7SdZ_dPUn2;;GJZ|>>o=J3cq
z9pbG5mf^|t(K!`w*W$gYa_C-pdA?qNiwi7GAwP;igqJs%@v$0+AQ*HdSj85210imq
zIV8Bba%a_Rf!e_E2M^TgRUaqu(j_ZYjo0S4;-QV;3*MiSf-`n;Stl>v$YHDqL9evP
z_;}XY{<QJ{&aM9u+jHg66HuS4?mhfte>%<lD_8B0{VAt2^~kA6)7$-VYWN+}65e2N
zHws+*g)O`POSWModNR+YgKVHTVNr(ha7K&5CwWYl>Dvr_<Y-|83AB`8N9JFsdw^SF
zF1<6x(hRSRv6@KeZI_UAv*#I9^of?D_@-MkafhR<PJs%XhD`>Kej(hfLY^NJs@6Zq
z$JBK#Ga_myz(T7uG&{$)ljf6dgfGZ!$yJR_rfW&v<k{2iCbgF#_yO>ri^K4&DDDso
zrleIqG?`2ZetrzFP*1j5+Bz|kPx2~0fVcAGus*-h!DHu%U<3U^{`3C$pR*h*z-m0k
z+FT|~{)H|1w<@1-;8J>LHt2e514bwW`f=ux4>F})3Nbbx-jH~Go$`}kfJehD8Rz}T
z=k|Wh8X|?B1lQH56FPJ0tWO?u5n$Klkn(XAD2V=t<VK)*51vaSj*{w5v)WGK7f7``
zA2<a0{bR)l25@U=xeOHfzBjw5<1FHFX@Oj79&&)Vcfy$P{yLVbmB~iR@03}jz^j%o
zn2Q*rIrdulBpQ(2YnS4xEY13g0wYas6eM^=Pc2a2_r<1rmg<U)0cK?>YMeeGf7kdG
z%<DkUuV6WAg(G;RFSH7ReS_rtT5;EXg@?!Xq*}JH^s}CZH-0_wud0v#0_pmHK)vK*
zE)JSoCTPa|gw>g0;IZD~Tu^`o`()bn7rWlm%<Ru8yi1XHO{oV4tPBp`+#60e9w=YE
zauTTu0b)J?i>#ZlgNHc(HR75?t3d@){YOn9-;8o>z2`!v9zWwfb)h^2XW5aJ+a}&1
zEuVL8Y^_XyRzhC?fL4ho|5$NCP8F2ce|hmVQTvI{cLsu0Mdp3zMG|IL9XsC3eZ|Fu
zydtBrD052mMuqpThVMidXVGWDP5nG3OSsg-xaE5!k9jx~!rCQwfMAL?w^hdI(WCF7
zy#_KLNAoiTrX{^gu0K}sDigL+e?Fp~Ch|t?DeV^;+#q&N4=0OGAYXumt+LrfKAYh)
zOQl%;wxTsV2yt;P`f8zT?b&7-|E5-?&X82N>T(uNe54xLWWo78Lb5W@ps27_GRy5E
zO8|wCLvPnNr|hdj#5VZ!J5@#;u6}$1O#B{Ww0jOH12sO+K=C)`n0;HJjk)e;!H>^n
zJ{~ST>Axno-#bgrll0o~%93VCPqiWC0VDp|H2BsU!D^cg87{X+zHv4!GraUnyzt@2
zREQTiu~TMeN-UmpHFx8+fO~ZtBOy_+d*;D@0%omyR?ZKZ9)Y-XWhcEgJ0~;!;dZ0e
zsrNP_W?{`Gt9g1j-Z(1U-k+i>EnZ5Eq#$VK67)*1s~U19(cxc&n^L}g1hqGwWw%Uk
zkJN>-X@j@Du0I_ppX{3K8;!6NIaj+4)LxfgrJRxCIW_29(jDKXv$T}Lar-=T%R2(!
zzHa>bwO{YiE02u5E59KB+(1mLbnKA!ULQdP{M;00JP9s?N3_eg&xpSOMy!?(8XM|<
z9!1s<7DWHtC;nj~XD_Wablv}c^p}2wAxUne8?=EN$%nEou)mSEyxV1cBa;~vH!!ue
zSDfQdWJp^1C-O@S5_+Hy@_*4Tjg{~HWTS`E3q;z4Yq0#lLpS<)a_h7U`+4lLKf4w_
zbS-9QT0Ni(_PwOW*hGLy3*zXz<w%xEQY(eh%yR-_+QR!zzh|mX>5D#fP1bTyU<Cv1
z4h=EPvA<ROSSZ?i+Q&7yqUV}6IPHX~uH?F7Q;wkd(^L()1zUTc!A{mZ>g)SK02Zqx
z<5z=A&(~rQ`24F2(z-`Ra#LvW*m4&9R7X5=y*}QFVEkMY#;*I558D@qJ|NYj--GXW
zP=Bjv-W_NQ<8OG@IcOfQFeW7hQr*`-m%Urd+O7h-A{f<Uz>#ykL6>pNy@(=wd}ztG
z<|vN{4kX2;u4FL3Nr()zaZlKYL@1%o7uOxWUs{&K9q)9W=4cwaOAic?zJm=PXJN}P
zxwCq2I!WQ!yWDB$z;jdm)SoH`T6ve)x7O;H8ygR@bWLt^SqAsBM%|%NV-KRj<*sr^
z&>0k)2TJ2Y0xipSnO@p2DVAAU?Y^w&IZkJmtJ8Ns(dT|UNVHRGe>Zpo+-%61$Fv8B
zCcHk$Y_Iz$SL8!!p;=k%$2phbqR_4nPV(dpAz$8LdDck&A!d~D)&YwQ!Am!!qrU#j
zmAhZT*U@g2R%Xs0$IWWLde2J;9>&L%0Es@Ii)Ny-({3-d`x^XcBzcYn+1mt7y(DR4
z?ml2#z~7v4nEItkFI&3vGU3>}tave-_YhUJUmU%uGycOi$!6G#xBq*=4d1)&!~o*8
z-++nfLFykD6`Jk(Nn2!J-`^9@?AzHn=Dc?)$`0W(lX#+ieu}1I7-bk>p=VKGAo!tQ
z#v;R4>CEOcnh`&}?}gN{h2(d+I?WeIF>{1A46VEOc&TyGR0J*Akl|&Ew-t+{WGVu5
zBOXukVC5FKWpILxlbd4K5isj5T^_iE@%1qK_hgISdWY+TpMXvZvI4@n^_ebT!#>EU
zaH?KF?#RcKE{j(;Hb?g@Ej<Cdm-p@QL~*8>zP5Gm;A=E>Ct9IumjTFvv?_wT*3<}$
zL=`GVU%uPIq=k}ghE8Cw!zE{*aFcu^VOaD<vqq!lQ`DDL5RDlCeEh%IiK@VHF6UzK
zr!Z-)X&|zMqStfh%p}I=quE7-QM7`$u0)}(gg|Z5Q(e}K0yV16w<13@4Pyt?1l;CV
zP$;dWKvOjAz}3=7{-j1Cn|)dQ$hYQ+WLjeg`}0A2(25JkHOBzAr9B<eye(gDIs{+A
z_A<kij5y8X>G}Y(7vcxMxao8mzl|92XeK+Mr|}JmVMK3EJs;e>K^Qs*w*?@*v*pZ8
zV_049%Rn1ULITx;<0*5QI;7b2NG`Z>Y*K2_>$)I4OCpi^-ROKL!jcBu9p+HH9&-Yi
zcY5b+557n?>5NQ9F1GG?EsT3^<Tv;(RTY1sB?ghE+&*;&9b5|(Zo)NqF#HBFA!Lg+
zIpcFnAZf>~LFFeN`cy|wDRmj*A7J0^>eeLHQrz0RK}fHK^UBAG_NO7`60jP5%xCLq
z4`FX%L1)JbFMKRZo<)!8?S9H{SY}<;$yhTzjE%LYWg?m&&IS4!3Lpqb167%UqM_Kb
z=9-aoXlb31byG5HZVYEFO7V7ATX9G&3}<Py>@&MgXW84&e}j1cA&PiBw&CZRzT1;o
zFkhLqB@h(#xhmWzEZ~*N&@4o-DH>ALV4mV)pzw_#YG`Q4DjWpTO9*CTgCI3KB7lsv
zD(W3YzMU2OuSW|NL38WQrmB#(CO1WL-dpu$blh#r?f30&@+1?amRt@8QGdqD<N1#-
zZ({A=j+Q{!3X`-wT;#KSJ{BQ-4|T!EhffrQU07hqhwM!La#3c3Y7{Q#;xLh+LFhi>
zA^L4gLwJ|C6wbg|XqqY&$bzZUIFE}psuGAjE#rZGF{RXF0!>VHII5CBlAI}#%N_m!
z<q(U$^iL~K#>sOqJ6_u2qr>}AhI;Rk40+3)^KRTH2)>#*mPHbWJx9qUIUmZ%snB9&
z%c0kaqYE<?Lv%ongzo`COD9n4|6M%t9M{%o&4v+-KKl)dZqTf)Gu3%Who~Kwey>e=
zvyV-8)9bL%s7$Gb;89962&Iam!>abF9(6>&^q2y(;TLhYq7khj@Bq^!vx0o?!}W{=
zcEtBwSUeAnarBM6sO#af@d`5{ys;uBt02In@$Wi2!lB<FrvzLo&apcO{AekV75$CR
zB=P5=#h~hZ<@#?>u*LF|4m>G<JHI7B16A2x*6PYNxeDkf*!Mp8g5rA>zGzNCr7YQo
zYDM&jEcta+ho9ydmHgg6t?#gN+#tJ0OFd_dQ$}S!>`%mNG`G*p8HHR98<{1W^^oXU
zS`IsP5>r5hU)_4vrj&Y9jp!z+Wa;IYg(c3h=aPLI$Oxhsl{B6DrN=4Xjf~r=Oet30
zW#z~Vk!gO)e;%%Dck>gkIG_^k!bt9Ys~rBcV=a!WSmQMLZqxR4+9(97YG#^x#py)x
zd0KPy)QqUV-*oHgP4&mgf=eSD%_NPv=VCZM{n3k)=s@jH&QxWKyYhY~6i<__W#rPC
z!i7JC%qm#%H?=j#Ytu!&Q&4eO*D@r=aCfPazzR@5B1*R5^mqt5fy&tk=Vpn)x5mxf
zYdi)dBF=K;9M6}f8%8|Hx$Ipc?u+VN4awvDx`x;KN_nP#5(bv%%JOSnb^)Y%x3izR
zrDog8Dd~mrhe^g_+kn70S;@WAyne0(uCO&Y^A?}}gc$f13~9ATr&958A?>E7`zDi}
zh<)x!+9oS$E)OM;m;8MBau81A!|D0+QO6u!TQ=^pplnB8@lL=k7injYCz=5q@#4Kb
zk-I*E@<XF6S8Hl{kZOt@5gjCZ2*N*10htZfav5Q{k7s1c#OW$!TlRB@>+1b;7&Jr3
z!Zn`gr9U;VrMRZ$L^x6MKciRcQ$6&AQ+Di`V@)sPrv3%BB#gl}^}GvID(OaXQ#l>N
z()*aJqxQWm{oknH&|_qlPoXuLotJ7lV3C&VH%o?)rm2bIv{4nkmGwDbTxeNUB*La<
zioC}`iIZ2J#Yv2Z|5PoW%RyY`Gv_hcS}Y;rPXzxK-X3Ko)Nf5Ui)XC5Yd`ICp}2M*
zac8Dm2Fkv+;sOBTm!!Dj$5?}ID`AAb;vm|JMK>Q80ZPDSn%9JE1cSr;VuvDd1xYN|
zSgsK)|65f_kg&!XwAhtHHwQNI=k0eZ*lv<PY`bariQ)d9E|?$;oC*4_as?Ljz02mx
zB?r#rP%i!zd)G^?ToL)luoq}`nu$+&)Ia_K#EEPpKW3C$HY_KVAXn5<MxCb?@7I19
zrL16>OfC%G=2evXWuo;Eh&`oNx}>wLc(^8*i<Rg$p8h^n4wf&$y|jyeKK-iV0Qx={
zBpP-u6TR@Xv-;K?i1XVY#})A_4a4fG7ZN^JCdbQTLu1U%EiKKdw$Us}dP;3IfM)`K
zvO9=>f@pG(W3s$Pu~mVxy!iU-tvf$%5X=A)O#lu~iNo3a20i6wfNxnq|8?;2-}hwp
zH^~QpM1#CP5bCcTM{C6s|7u{%1wnrndfW^E|Cj^wrfG?d={<xh+DxKyipl9|vbjw6
zHKo@L=J*ylK>fwe+L=eA_ixKfI3B2n26%tDmaQ1=?l$%~Y9;lWopzD0GT#p?nr^sB
z8iX5uIP@&Pb!)W#?grvmyNQRBG$fE1)d7M`o56x6@w*FgvjuRk>zO}|T0|Jey`%%D
z2GmP8;u#+ssedR9rjGu{68#M_r4j#1iWfPE20mxXz79eX%M{=uZf(41GHmlWetF1u
zuur1Etb%-Zv(qk`JT(&ZOXT066L8boCl%3}$;+z?#A$2&>DCX5xrYKPu8?TYZ1^Y}
ztvT)e42_b^=eL#lTOUuF6=*x_Gfw3Um}BVKx}inm*!8huRcNw$J@&F~i@~F8^&9wM
zm&g7Nu~xcHzHfk$#Q=dkh$iPKj&BVP81j1cy^I_0wWKoD!UUz3I9YftJJXWPELzT5
z+ogT8gpPbz5Hmu%uMIiXHs1oIbZe5-cq^-$J3nE$XsWdA64-eUdHFl>U!T=sG6R*8
zs&z~hRw`)r!Ulo22aPYPod|z~fz+r?`&;LF#VNXZ7yGPl;Zh|dU*K<{(l8f&nG*H;
zP0Va>CckAr5H&9h5k^Y#f~|BGkL45ZFFSzb1MkT9DXW@HyUs46eU7SKF8PwD^%@c$
zHid5(L>=h2Q8deU<!%K%nEyqlU#2$6lCAO_bo;YSmntJ(MOK+z<Ex4w4z8^q(C2p(
zKxZLr$DhDw^~gFsd){{vt0M*wegpQQgXebAr}HTuc{GJV)LUFKp?w{6vg4e)D!hp1
z1e2QSqfS4uiS2!78D-((wAnfTHzbI26LWc}hX~2}dGM`v`K?@rUkNNv^e{gSu|)Lq
zfvR(r^-lYhMWF^MJ=a&607a6?Z5Db#zQngr&1w@7Ab*lvnqG0$F26}CFLZlL-VR%3
z3RE~t8_SgLQ{39=FR--W5>sIf%kF*uAgzz(ZWyH}86FSv$`NS7^`i|!TN@+R+9YF{
z<sHAg97{zF$dqwD=5LuxJH8aNDYTC*Iqq0!x3mT)wr0eic$x*j8qL?{R}{=;C>hvx
zxmH`<X-sQJH$OqV1N#3!l}s3it6Edm{u0DmJ$p1z!JqscumYJ}KR2$?3^_Mxs7no>
zeWDPL8cKF&5xyRN2ZY^!xYpkr=he@a{w9z>C}cI}J}{hUhq(TtpvbCzs0|h7ixe}x
zg+CC?muhpQsL^@y$plnTayezgR9T;G+QY?;S$-{0x1+)_>0PGvx-i?d!9|oJR}RA8
z8X{=cKFuo@P#_IXtjb`TvIFS?HBxTu{)bU}m6X*L8kbgyI5gDHsAcB(n}v0E;W&}?
zBaej@9dSF`+dusbZUy&;B)bxU9Q)7J@rHWhmPQj|-VZ%IN_)LvQ@uW)8XBrGV{rj|
z8pRhif;Xe8Sgk6W$X;vT95_^}Cep=zU%QD7YAS|FyyENGM&~k^FK$t$UD5GASH)@V
z{UW8S=)K5m{t2FV95`V19Q{P@t`5Pr4Vj8~;C)=`8oQN}=@de~0Fu^DIT@%~((QJm
zBQv0EH`|!1@#N-%34euYbgG$u1hpxD_5i_Gygn8ld!)($qv>j=Rs<WMKbvfh9qt-8
zrmb3bQoTJ9C;-e(m)5&z?St8Wj@?uPD|K}=sP=K1c9Wx5=x`d{NWomR)fG<L?!zZ!
z>&deLF}r$}F4~O^?ai(2jxN1cUF`SohX~P~W+f8ZblKE1_jUl$u-2eAFg<N7?bn8L
z%g>e%r#3C+BJPI|8HkzpzZ_*ar1&);FIfZKd|ntAO|T7E+H*(B+Av;@b5n!$D{V#t
zN}Su-su3+MnH!Z{=KNvi?}nCI_%GJxDnKux|EQ%MaiQI3^3g|10LBiBc>tWQ_h<H(
zXMZ4#4u|PurQUlgC~NbT0Iso;T{+jk;u%XV1Lbj1C0XGa_yj6gh#$zsBg}zmn*PLx
zY?9pPyzay4q^D5$JmDlTKA@Cjf%WTPtTQ+-3+tAiSdECw?5j)?rN4}uG_h}LicR`F
zR8Yeoc2_%Tflu29)Qj_9y>K*WoeA_>%XpgAo5M3NVcV2A2rWWh7o<}87D=3}JTfi}
z8WkNBoO#G$1oA!lJ9tkJRf^;8wD{5V3=Q?_ViPPVhumeSQa><=cF9twUVWbWwjKt?
z7XpE&&<WDqWmvIQ%-WBX)slmn4@)>zqpt#uhbfz_(Z^#lDM9kF{8N;K^*;uQg4IY(
zt6-*Gmm=Y!a3E7sZ<hCUOi%i;$CB6!Epo%vV2>q3!Xrs4m{-?ql`SflX1i6hzLwRR
zokC}S@_jG`qZ)w%$gvWXNA-`J=>L?e{6C$`5Jq81`)NX!>61`cgI)j&+?vwzZFT12
zsc#bTUyVq#&Bw=qG>QTPag0?@8qy-L#a~{=b#=U*w1CBrIns;|J+>19b1BDx{EYrX
zF>)oRDc>naaLU!2n{Mk^u`=Uj&g0S4U#$j2+ZS_johBUKz})3R2595032>n($?$eI
zoH=S#k<(9mP9QpfokcutiY4=l!Ihq*)xz_<Wdg&XQ7(;VzQMlNV5DDaw@xm((mO3E
zwk--hdS5+9z7SmA=8NNvvrllHqu}t!qoihJ)V>M=lyC{E)GGAOFKxmv+2*(8#Xp%Z
zE=jybsZv2^+3!j*nr5d3_&=LQsoy&8+>m0niyKK6b0yd=Kyi1!a_c@;bc<<c#Hnoc
zK@SA$GP~Guyoh+D0#OYABuP^8je;n9JJVZzp;v)T<!6C21$e|!aOTK%4w%g&{YRD*
zzdldye`kg}5?P++Pn_nMIgqz0X>iyI28(}#De2SQ#_T3gEh{%PM0HG+@0-ADEi)+P
zPSb>Jgej-?)thZ@9j|!|5WO@Ay&Uvs%CE$QocE;5C2X4Mms*$|)Og0mPt-GE871N$
zM+t4L1wT*|?Z@PzUg%Zw+fW6H#Gt*}0BdMVf>O@jI<Lc^-=Ix?{ONj%8e{HiRcDJ#
zUH%{@y)*7(LyxJ$$d=qkLa<R}LHh9F@qx|^Z=)0gh>VbdU}ihhA?w5T@!5lf;zctv
zq*nFfqUGHhP0FWFMR<c52qp-kK@ER)*^aQ7?pE#?8Osi8T+01W!)dpa;hbfkp=Ki5
zR~jS)p_GhI$#{aD2!m}X@GhA9UED;tI$dl~H2cX*w;20Oid~=aZ&vph5{L5a2xQv^
z+~w~rWrElrT@=Z_WlCG70<;Mxu3VS9R*2cag0Ky!F>-E{b!8SU-E}m0mEiO0O8D$0
z`;0wSHBxr>H;4iEag&dzb*!+aOoJTSw~S;-wQY=0I5qN9>5)Q|=Wh|#{@HW@<>LPZ
zZ3rEB2iv{c^ky9v_z(;4RFp}|uFQ;x6c-=Lfn8r`*@E+_(Qeyts}Q@)iQDJnAsDU#
z_o@vUlN`RfjP9R@spjP4qzSfaoHL%<GA?2dD&q-7g$JI#qz#A$0V5;RIQaTn5c6-)
zJZUfY8B^B3bHmun{tXhW!MI%x0`E!3(Kq6Mt>*t_49T5gEpbt$3aQ{bo-%l?hgs{Y
zSi>3bcAYsi4l7LC=(ILBA*_ro-EMaLs1P4XCVm&}hmm7^O4Hom17``mM@7>qO2Igp
z5oE)*gU#?BJnefSzLsR)&N6r{E&AK*ha7c*ooe)#tlzs{p2_4g{`%~NmN~43@M5VZ
z6yfkx?=2=JeZ<;k)cat0X}V0%{t>_}6Y9dg3zS{mr_qhg?iKUKJ!SpXbz?JFXci%a
za=T{v8R!UQi<}d6Pu4!y#e2JzxZla6z6M{IMvca%SmRan4N#l;GC3ZtnAEv>J}Hjm
zaY%UGyJTIJ7u4kIu@i)FlrSKr@72bOSrV*q(_DvM@=m-6Y#V0zLZrMO>>wp+IE8e*
z-FdDkxM>JzZgP7%2yuRB)$ZS*7}Fr$+7`^mTp(|FSMrnjNE7X-Q_RP~c0qL${UH^r
z!XNwu?<Ytl&lQ5c=G?p}Z)bwEc65)DKA3D+SZ_|~v3RplRExndUn{5UXMc7ekwYA<
zR`B8;M}0h*8IW%QqzB?vCcwll-mSJ)%R7p1V^lts?MSm8{1X21CD~tx^$Uv6u%@qB
zXG-R3FyY6)Y{9>n9{z&_^v{3Nj8riP&E?k5CY?isz7zq@v?f@*un+2$w59!fNL8WL
z6U$|ZPvTAQY)(wlHg&Izs43ytuU3;T*`ifrRRl;PR#U^Gw?;Z7<9uKvt#<e|IVS8t
z?Fyw`l%A&RmrwEL?N9T_0oL(Pl=3S!gXpv67A%{;nM@Kae2Y`HW2n`eg7f3D$IrWC
zYU~-2qafci=GTGrDA<S!8^$-Hu<rpnO)>B$<r#{>OO1ZlnjX^>CB6*gqOnai=<uIo
zmlygK<!2OlCP>Lu_qH*ceY#aa+=9hGy`Bj`l(2iddvqDpx{meT<|DfNxpJgLhgwbq
z9hkRx1Kjh1OD6GPY(hk0Bfuzhl2ftTh<$p6>-dW_D{~11D$lWckxlP)gP6+8d=jsT
zT|seuMqQYUKb)4Op~9u1r;f*bGASb8Z5P?a-xaXZ;RzuJ#!c1#5Qzam;eR(qnRMJJ
zkQe85eiv_CbCKr*r?40=fSf(t%2b}NtHBB+rH}qByuatdc^<3wNxH0#e!bZor1A!^
zVq_uA`;*g3^Y%B$d3=Ge3r=6r(S#VM??-)^yN1i^&f&=BO*<C;7y|iGVN{UlzqtQA
zStsdE?lY0Q#V5g>274RloI%4j#2=^I1@N?(Nte%h`Zl$@1s1KX%xMolv{sX7P>5Fc
zQPSs-?W=L$`SSt)34{I}4gF7kaVu+LVo>Az^w@j-$H8Cm;w~z2#oGoSoK7B$_4lM{
z*~pJ2N!OJ7{kV0daIA8~AQ@!`I-><1?J0FgFw;M}Zm><CD&=*IP{Ll&ZJeau=hhg#
zc>JykXYHVQ@?MXtTg7$4OBJ|#JoW}x5IOf}RRrkQD7)DdLbG5V7kXy~`in~XVPo{+
z(2r#`?2|jZ5%G7Qb&HB#AzKZ(ab@El^{2n-fA3f%eHUnwX~6Dsrv2rdd?TLIlj$p1
zPe$Y2k&c~az;my|to~<iJI~IIj9Ce9kQQ|k$xZYF-np6#_pT{Ss+Zni0TFxw`R0-T
z>w5@p>go()4K!%O`J@@pz`j_yEOY7yYum!Ys4k+phJZ{!mpFsl$p_s0&Hz#5(H|!?
z$4m#k3VSEI7XwTZXu-1FQQ7#0NgI=3o4QjMiAh(R5usu4K<IfnjXD)bgSj^$EM*%x
zRz=g(adq$+YL0G~S+9JN#rwMufh&i~ye?1dZH@_&<=1F#8eE-r1K{k@Fsf=kRrTm|
z!*Q->I@8Y*{%gtCMY?%nLuUY}3~YtXLXC&Y?$VGu2MJAYVyW|AJ+tMCaSI@{sX~6&
zvCXJh=#C6k5W|5TK|o^0MQ*QZxMEmkL%=gEch`yBCHwQtk%?WVADJ#!?l6mS)4ngG
zR8a&h5&Gc?xum8xQ($l|U7)g9=4PCKmARGnr^SZyMw6+2j%0F;eLn99mH}Sjc)0Hj
zK{0dh%A21n3lKxR0p@LbYiixHxurzI3;UKPtHq)?`HcyGw=_ew`6Y}Kp=Wnb5Z6~%
z-ukIu`-+GD<sW8jqbUlLmZ#M3dX*UKMnzYfatn8M0zRt^RZ&3<n3brNZZ4h<{hPgo
zat-1a>owhujICpd&o+G7%@8rMu>s$sK>>I}oFh{W0KOSS=CJ6S>d<AY_cjE0csOuQ
z(vEUnO#XoI88uU;8{Xy(mKXa4l{9Q=udSY`aCMa#OhX>ua4-!p&y-2EO}#U8D_&<w
z^y$8jYb-ga>CfWlA1@UUUB>t^r4M<Tgi-18w~crb)?jdLly+138Y`Xk{CoUI?7ZdK
zyP%mz;c7z!+wOO$>TfMtswZh)dlN5XSQ<?N0=a`YORn7eR~C;rrrIXlhW^JTr+rHI
z@=a!olZb~;>E@TOYrvmJ)V8T2*B*}9we=6Ol?J~|{lER5q~Tc&a5{)PYrt%TnRbAG
z_Sb2>60_H|{*<+z&R5uZ_?FE`abnPfjsow0U?WOid{_<Oj?hLkX4g+UbJIw!VxiR$
z8Q?Z(7nT8}D`l?h&jcF0mUvr+U>iUzYyN>)@`O%=E(dc0UteIiKPDF~6niO*H)yJ#
zJQ7#xZq4mcrPwv7u$IB@T$lN*s@?n>bT?MrHk(Vwnoj6_h~Q70S1RB#OSAVK+oXY6
zKU2wlwfaqk;_l??^wGQzd1V3Jf|bmOc$GwXVe_;tPl5>dQ3ua@KX2~);FmO=S^9db
zxnYultZTagyJhEbUXNz;(>1HV{(2WH-(>tGEO~8jL8@$+S58-q(Pm?%M(wth->PFg
z-n{b3ctHXUyi2wm$U@NvB=yHRc_+TDUprE%5K@a24o#;|_{BGdri97vYTdf54ZaDM
zKIg}kX<+PH8T+D8mf0HG6Efp8+w%0VHk)@g+Ago$JnaSEQ3=<%(DzjHU*7MK`>tl|
zPJx`;o5Q;Fa4{=tRh8l_j@Jw^2hm5OlgiTx{LbmVrnF3HN_Wp~X=<hPM0@F*G7u3@
z{Xjk{!Z=m{=IKMOr_rERa9UtZpfG|>?HZ<;hktsCG&ZZ6&wKq$nBNobc!SzrJ;q02
z9&dLgcMp{(-*s?xr=1_GpB_2nd=|5<!V!$~Jv|UZ+<L}evu!echeKb?EN<hie{|es
zQuyN+B_MbYfC#-T?yF*l<TBtnKj{~*0Gb=_`9v4Frdc|@vR;3x5jdnNjqxWmgAOeP
zwPj62xNP#)27CH(*Zzcfz(U|$+mHa%mTAuk)@J+VY)h$gm0-DpST*DxF~a!6Hyz5P
zC<~K#d2)KsJg)I`FwCIWnh9rGG>RoFfQ|PM|2m*oEP3KAuN|1=uCsXc)Ll|&J<MO(
ziEs*-r2JDn0+jWC{Pq8bI{lwW&-y<f>g0Fv(bdQQQV_^Y*#DS-C4EvoV>@Sun8dT9
z!zX@JTHJt+c!Imm2F>}z`XO1k=7(w=LOpJDfcJ53Oc0gJOJ2M>CMV)UFPhU4Ks2%P
z(fnU4CA@#NPKy_({cvmiRz6I`obpYJa=dOBM8ppWor8q%I)J-0E@jOv^5}pCR^)yA
zXcVw&Z*@&C8+MrJhE~BHpA5bj7JDx2Dj0Hb(mCzz#yrB{5UlKln(MM*fyMML^E6@w
zQ?V{x+%y8ydvPB#ssisLn!nn8P1X$@M77n-6z8zRg}+(|wj%c!PHi1@NDMkxBDf^6
zG<yXoRdyKQ{Se2F<|-=Kw&sgIu)xNbl~~%?eEDclr_VXslT`G%?<D%Mrcs1xr&ECl
z!B%b^zydPDT67!XPSL`$%5vSk+YEp=#rj;>hiRE%&msO~8C$xRoQGnuYy8^l+PR7A
zgbQ2$`{)vYgO-bVxbhlK7(@l**2{G1V8LD5T-}!X=HyGwr>7SshW1QPf6>N!oByU}
zvZm@w*)b==tpw_zIqtfOxrq9<D*DTb6|xty8Re@fM)i%@v23v1i2y;G!n#z*PE|9>
zmjTeKBLhJJ01(;&{E^AwKoLOtH~io?Xl;g|Z7nxu83?Zqei6iH+3kmZC2G<#E$&@|
z`bjnIOjTmQz!XO)6T@DBz$Tt|?L!xOK^~?y4Su074#d50BN)*rw6H|g-j5@0!QuT`
zW2AW9Na3sE;byqR@$B9BuiumJzGcwr{6c#7H;5}xmb5p9`;Ffv*W8P$UzVTt>UYnR
zoYUq~x}8sq#XS6hI((itUS04enXY>Npa>bsci>oyvT*DAc6Hox25?6-f2IAXezJVe
z``w3ts2`O!!(pUZ{7!(KWSzoeKx}#qblXbuI2q$mL|t3w#Kl|Pf%%bAy3^X8?L)-v
zRHqp5Vcd05&<SZQ5I0d!|Dv2lg)EP(QWauDRayKA!sZtOw*2&D-q}}?UldCGA?D)V
zPS^6Ks2ODw8IWq9E4y&46~Zd7a4H|{mASHChso*&T$IXo*{nZ1D*trh^3C!+W@_>^
z+D@M`w*to~Pw^#zA22Cc=svk(A{`n`<K8&C=VL&liPmS@R4P+y6KJo0N7!igzskGL
zsHVDYduRrwNs-<=(ky|1KtQAkBB&oN2#C@`42ZNKB>|*_D#f5Ef&zjfA`n2SVkjyK
z(v<)qK?Fe{5ydDF-}%b@%JshS-o5wzcw^k38Rz8Woa}Y>-fOP8<}8AhMi|H^lB)rX
z*v0PvIyeQ)S-C+DWb=f{ivp6}P{lO|!q9ZjyywH(4X5tR)}~1H)Kiw{m!avBv!`<2
zIy<rrGtaC)V0z8+?FmHiN_IcX_0Z?R2&qe~+-@E5A5O4vKAsx|(;vpW>UUeL?JAOR
z#YNsYz^tX$Q?akHRKFNIdd0;K;wGgQ8?>Z9CKvc|{p$^v>q{NMSFSbAOO2aY0_QvE
zW2SYzThdKWYBsfqt1J^U$fjQQhgwjNP@7%_Qf9P4_&NI*m$4s040I=RW%bE@I#1cr
zL9ZL`V15SV{vTZqtf`_8vHB?j;d0uuv1bl8jQR4P?{V+mIC7D0sJ&mdXyF%YMgCwj
zx@rz}K$Kb0;|zmkN7LR^tF~pioDe|=2R%^BXHQ^r;#|=lIKr>ak;aJpFkgbHabc)@
zkTqfu5^rP1kqmfx*|dAFZ&lMJ!iRpJ_;>L)xNqSnrd{oJ^Il&w6Odz59**(7hiU2b
z5^F_K)jz*KTi!MVZHbk&Q`K)Abhi>)b{0N@>)ydGdT=tsk#l-GQz3drCXlvf2KLFs
z-#WQ;;YN#EifW2=G>6{j$??$Mcd<B+uW{jB8KuioxW|)b-M>fzvE|XGgam|`ClK_x
zkvN|N_lrY)6|qsinU}J=^Z-m`XZFOvdKflwnhPr&_X^7oUG{F(yDekhztP<&c#?c_
zi(sm+ajcv-S98VL8A#xkmsRJe15H<I!2=6(?Ypp4-wG^a5iq6R!}?}_GYn4hV!DBv
zmKSg!gIVs)8CI4%)rBRB0A-71f40f$U3Uc?u?S2jQ16NW0&KmNY?QjPePmW21yXWD
zEz5P2gZe2fT;XzZ5%BXi)l9bHAMEnyI_kc~7R*2rpeICf^b>FEfc7X~FMsf;7MF!!
zz~&FImOLASrDu1V3hP2Mt-JT4j!iFEVLxoNDRmu4&ItjoI{C_?^BG2(oF}V<4BnfG
z+ywQ>M$w9O9m5T=-U`E?O*DMQHV;)U=1G~Dnd?xIK@~Y~q}{vrxGqmbpeNq|Nv8fa
ziHv|omTY$Cj4J{J*?B`^+m{r3`e&C#8H6?1Ubps81(nIXwkyJBvgu~xtetd_OUy-$
z)$EKD9%hkB0~%}JxRRr4bn|xb?q1EgN(RDDJG23^JL%aetq^LpX(vkrJg*Gt_*Im^
zLiNqvKHT$O;>t${<vcSf5w@h+ml38sOt~&k)%?BoN{3t8Pqo>kiH2rl2{?H4sHry=
zhn0+jFoj8`!ZAG3k}R<MS<OD(bJ%ubvGFBWSxEdmSJ%ymOG3V363XgOwofT3(3Un~
z(u8L^w%TJ!OkdOy@v?F%NqE{O6-=p4@w7eFBAZF50Xu-f5&<}KmcH~8vvj6UmltHD
z6`rLt(=A33D;lkjO0ouyCCp8$s?WaU5mcA3B>*taR}iI|xMv_CQwNW|g@VHwMMJ1@
zu>!av0eR1dHJM8@IIV5$5a^8`(!`v}vI8|(peHqXujAanNDF)g#fn=pAf!0OanP!Q
zxD|mFc0<;CAbJD7thw8x)eA$BDt$eSleWc1PtWjev|VAxDT8<BkY>7zxXg2?jX2l}
z<G)6eF>*s&+cG%or%3Ba3tU(3>wCWO0B$3HmiJy+8c<pV-k``Rw51QqOqz|B+6p8)
z)sKHhxnEO=sy<Xnw3<_+1P=Cg?Y*nlY(98*+58qx8`C$VTvg%)BefmHv>r6YhkXZx
z$sV3wDlG^PcVy$Ypi}woNAS%Puh~@+!p~@xRPwd}`(wm5_Vkr9jgHigz!fnCRt!b`
zrmc!Q3u1#&1(yN~^T*fRjqAy|WaVo-A(DsoC|u=rfBp(m{!F*aFJf5iNt`t6rSfAn
zxbnmOU*#g>NInN+TbFgBW+N{ER4r3qFZKoJ<|CdW3|;&uo+6<E+k~E#C#Yk}k%-tb
zLWq}0E(Cwya|o&ZRx25nTB(t5ULtHwSF~o<%s7Y#A}$sZia|!N?FeD$JK#7{_Hg90
zw(aM9;{uJjd*%jt{TjqelC#{G?wvA#)c(rt`4bKf0$prtN0X>q)`+cCq8Hcui1S<Z
zhllSG<y0P>`WE{kqW=JYv0u;#TR+CVE6#u!4N9aCF<(pQ(-jOX=#Km@?OTjMpjO)S
zk#RnG2jbTys8PI|MVu?o96@D)g9k*9W#IbP?1NrmzES5#S#o4%v1JDX-H5NSYT7qV
z;ygdm9XPNK3QfhB7ra!$vqO|2oE#LaznAz@yV|Q5>vCq57h_v#H8a>FR{x_6_UQ0(
zgOt$N*jkw|{Q67exrlxlzl-u3igz5JcH;~v*<QkMHKt~dEOf+Jt)}k1CpQzRmOgCd
zt}Y!Ynb3zxt$V)UajMI<zw&u+pU3?~%sGCIxV<r_hw^@+Cs)%tM0nCc$3JTqo0i-G
z63kPcu(FQI)}Nl{vCBIny^nMjv3-T<Q6IF{SPj_ImuTbN#i<vP<H2@4&;Xc<w4Bd~
z8?Dj1ou^+K5q7Q5^;CV{+2GU4f>Te|t~mO*%Ot@g09oXWX(mPN6D3K~z96AN^IEhQ
zPmDnW<D?7WjAe@bh|c|>)y~|l2E$o`5!<?J?>7x00lhxBxh8O7`Ac@3VW6xyV?6Z(
zOI{^u6Rw{~l7y#Km6M73bIYCq%N5NT-P#*kdA)*HGt_qMAQ)A0ykg00+Bdf_IchKi
zC&$A*KxHSA#(m35yF19nbr*)6ukxD&%(BPwM8N1SNgIIz1&_tMQUSmR_;yU3!}b_)
zx<Ha&W@(-kz2|a8-QH&>_{stf&R`>la7MrTQU4k5`&<54PqiA@&fK7hk+ut#T8w-L
zsJcTWIf9+Zv7&i$uTw`F^MS-~E<tzx0=u%!6%%z{VxKg7JxLubFQ(~NZ;RIo49PU*
z3#qI>cdqzM0(BooR||C=G`9Kmn^BZyVcNh>roarWOHPt$OGls(V#%NR4mn(ZT>mvv
z&}={|>MVE69ytw&i8{yp6l%6O14=gW8zvPKcM)2sRVF7a@y7lUP_mNpxajym)NN~w
zw$#yN*NN$VOH?ZEJ7BYCKi*Rx5HUWn;fQJO@!}2~!wS|A2W1M9bsG3gU2BJ-BO~aQ
z8jHwrT^_A3!fe~-{Tp+|709i9in$^ji@F&sWd<yfCCqH<hV#{Kcs7+I#bC~RV~Z-b
z7H=xFmVYfHe`(a!ZVGt&3i6_T5A#~J`y`oJO6}-A#PIw=ijY++uo*S2D><j;v3ueW
z|AulF&#Lyb81pm|{Djb=Jz!U}8NrAv3a&&jQR@k{W38H~YUG21vql9&)v}D+wavNn
zN0T?e+)JyrZ&zvd0qA7CG5pjejS{ZJ*?}I=6?9r6nbh-5AJ4bdlti%~)MF+kt)_an
zW{I{v+~ACG*}s2V)bN(<vQpFD;Cv!>KM-BKd|0K+3ou4%mp^=1q_yi-YI~;={sd18
zB<Se2kZvGmi$=)?4aF3QgP%L_l41!BD7(zq7;E^=kYIn5?;UbmZS63+JkOzdZ6<dN
zOYFIq9(ukyAM+e)%l4kd%S>ThJI?GV+uY4C83{S5SJadluGwP8*H~(k+leM0%`C@z
zxNo@hhwD_qa%80-syKM^4<H5@iyTkmWZxfv7t_82sT7Fbmg@A!C-%o;yu8s-LVcX;
zh56Z953QsQ+nY;`dG}NHss3!GH3YfXs?M%X@6Y9QS-o4bA%fLjTA`eWd#a*WufoBy
z3`l)^Jj~+W6d&>?Q0$nNGgSs)m&Nwu6f<I`rxET}*r{5avl+fsR_gS;fe3)u)EWeR
zFUSE{zHo^+x%Z;v*T{B>p-+9$&Jl(>XL85P#6em~#+R1>YT<?;ap)~!<9J)%$x;85
z4|R)$N#(bu+8&(l3wp`9mqV!Dh)Z+y^_LRf7Hk6Onu0bqjGkHY0{d!H%tq$LT$+En
zu<P!d$rs#;hZVNhPVVG?$4OTQ9x?aQFRUF#v#(OE6a9xJmvtwe+wT}HfoVwg<cU8=
zuZcn}1TvBw*&egwv;yUJ#EAuxtR*W*!91P<0ye%w@WE2@v#slMO`=VcDbI{>hDW3`
zUU5x1JdT5meTsD;O$;PLHMcYoS0)#oVTiDO<mnf-dCG%zmvitIU#|#%%syx)8_Kvw
zYL~8KM&FEqfP1PBVJ&jfftQ#OCNTS^tchv9{qv7TY%;|Ht=DaWTuQj+EPu8pd%f@@
zGWFX8^YhsDw`(pGRwqqoGQ6H#IN9`#auH#(qE%vrY><(qmTrU-16x~fp3cJLL1G#Q
zdq3iN0Dg-3I20?qP>97Fn^tyKA}>_mb7^#mSdrCCRd!@N%{Wk{!6|phOzaOxjML8v
zEdBz|)E<DU2h5OcJY2VhIb|F;VL*(P>qHN%5_|VP3#kl!EOx@`hUYe3QM!%5sx9s}
zTl(h=uVko~Bop-$Jv((7F>g1ftz6fd<P-4X($jLcNDbacoFBQNY*l7_VM0nuLLBV;
z+aYwN95d;6SLquEhk|d8po2GUKRza34vMkAbF%B`-Zg8j4;h9F&jUEh!GM>5+8OI|
z6!0kKt4NmuRtBKO)(W>G&Tv`t@d44yO3OQL6lT`poBg9L44u+&!KX^^(vWYY5;twn
zowJsg1m3H2h#jFvrhwJ~C|RA_`hpEFPdiM_{oBn1zkm{61w3blv--$0CGOcBEoC{3
zN3Spas>%2RT)0GQ$KQSJu|V0isaD>Ht!7%5Wzn8<`dvFVxFTuV<Ze~f_gqwc9=|8D
z4=s&Vzw`hsd25GSGvN3NW*+HVhGcTV-HGmK-^d^;?O}qYfOIP9Zr!DWpTM>#-0vf9
z<?HB{3h?GegYEXKDdM1T%tlA%a8Gq<y7l0u=p<|7NT_syWQs9cI21WIbE-3#6UX{g
z`8!AT_v`%Kdd2Y~_+GeNVqp>`)!4LRIuO2NB*>?Alz7bmfyz{jk_u}g<me!5JkpI{
z$!k9<wCPkC#F=pXAK7Wm<$B6xFN_`dDYt?I13bL$yRd|kR{0(+t+N|MS&IS7=BHKO
z0-s%Hv&6^LbB^ugayo`92?HWTfW<$RJN|w=et1-lC*cFTJY)EnZQj&aF|+oORw)|T
z%)rpwD!Pt_P8hF`J0n9wP&*PnS}FzdXg!eEZh4Wbr`&7+AqHGn!P8=82SAeI=!XUm
zT}Qk>v8}GiFM*~i!4DSBp2r^S20VYAeAx}>6UMgd+`pYA?tMr(*QV1+gqNU92c+NO
z;7-hzjpLhpM&lGP98~KxJ)=GWAjan5BVwYPrBma0hPkoD$p>M><xxVq#v1OKT^c(f
zmmkCLWf@R2Pvdt90!~iiJ0NBdZ!`XXG|~TMqFAf`k2JnAf&cNY{9TOy<?s39n80pk
zcIN(B>=T)gPM%o!BkF@UER7F*3v#JL<d6TU{$X&>t%umtWZf)N;ZGDW9T09sMGK_J
zx6$Vl!(Q&U={iB~jIJybntY~}_Uv8Mm&5>WtI^|KvjM<{Cbj0`XDmBL%!(fIXjc1B
zcO=5(0g?53<e2l~qMovqpC;+4aA3jWTqNwp;S&DBe|EV3$JhK%!)#o$o~lvK^dj9b
z3_oowM_ZP1%1_MJnYN4f4^<5r)V@C-x+s#hzYzFr`};(~(PxTm%GFJ5PI__lSak!M
z|Lx9m*vKjb+>`;zq8#}Byg&WS4>QfbdW_=+Gi7E;E;WvgA%|;F(?HR*cdy!A?m3@s
zY%fbc$SK$&4+2>`50>y!5<T~~GUGvcup64A-mZG?RVpdY@fX||9rO6!n$mev-#IY(
zfQYc)vRt+~Eb)?EO-f<hMYq-|RQI&_gG{IMCuRHw->w)4D&LFEr(Xbdfc{Zt{MS7B
z-}@BR5g*ou>IB2d7)d2OXvOlQa;<4as!M%-2@~&vr@Y>*EL8Mo2I17Sf>nFB<JjK+
zQ66uH4>dT5Y`QQ*Z{5FqenLM{|0b<vV^xLKucMIofj}r{t$aa!_2(Ji;?2w2$M*gg
z8pZ#D!t$@2!Uk@oMcQFYacm<j1vhecY3im1wMHOtecQ6vzR5+gFYEoe-aT{Q0n3Z>
z9u=XDc0K@G*CG}aYuggA8jta)L}1L(T2q)chrxR^P>na$=ap}}d(?du7?-b`b9Z77
zUV<xLp#K%nOzG{&z5q*?I@Ad6Q1lF-cCn)KZejW$HCW~-byP7KRc)o8c$y2Z{Lz2I
z;^~Z*AvdrGt`s*UC#*ofQGd4-gD_D-47SFcg)*Jj$xgLse$CX8wh@=zcE&lHhIns`
z9jCKj7mocq&|RF36*+qruC_2XaXYc38+D6WXv#a)c}DL=?j&+OTLZJ|{V>4(N$MOW
zSnJ$j9#!k>JClJ)dT*~+CJfYlDWT6%E)r2S{0K~%?sm_qM3g^tT(R4qu%e`M%a=3P
z$NeBmNqie)zayk#697r>?FySR^z1HE85s#Z-Cf}F|GH_Yx;#zFbp?GZ-}0(*PEovH
zpAWxTC;1W1xVHx@1K;<)u)q2?)64vouJNjDMLaQp@U#!=gTzh<L>d;ZPiXAhMYXZW
z@x3Z=<*?u-{@^Z3gG+a;*pqW8%Ii3Z#AB~M&5yKNmiMxaz@F$CrK^{TIePNAt6V|Y
zK5s`)-ZEo+J$rg`M#=^3-ECLK<k74XR6P7GKoN!zhJ!Obd)@NE4eg@`z0cgy$fbE1
z^%WX=zP6SB=n_a2Xv+j*^?rnV|Gl^6Z?O-`#=>a9$;JG}$jUcMvU{0WYFos2z~MNd
z0CD3o*T~pnlp-w0P9Ba+18PHNf;p$&6dhRY{H8p1+wRQ~AtasXyULrq+<3XiZ~qY=
z(~rY1V&6=j2VOcnmgO94Xw&U#9!Ln2+VVOiKJ=NVNM9o8Y&47Je0&i5*rr54AA~LZ
zvD^zc6c_?sZ7>oj&F40HrsXgZ?daOcH3AE|wWxmu@wGtvZB$NI!TH1Dkmpl7_J#u#
zx_!lC5IPS;%%_D3a4|!S4~NUWHa=2t0J;-oiz)$RuPWVZYx2^DyO$Em^ApStn82vn
zBo8U~dWKF8{R>I|Kzp%IA^OHmbQ!rjG&mqtP<!^W<35W@_KTeA9KdPZo>t#r>S{`}
zO!eDhq19F%>XLZ%r#4gjVKj8E(HyWrSKo|2tn4q(Wpn14!H)C^oE#O)``!~q_xPNh
z-7bObt5|Z;4AIMKK%u}+5cMqiCPY$m*Mo8rn2C;NZa67EbAE9Q7qEzhu!K;Ku81X5
zo){%8e}T^gIwSIc3b6_m@Z6~+b>GgMT`IOZA_-RN>@Q4t<0Q$<oETpSiNf1U<Kz}|
zvR9o71}r{~Y)=TL!jBE`^x6XN|H!QVnbqu{S!Ss1sxkZM)*01uU5Izd+nUPU2DXat
zxt)A@<_<z<s9Uk6$)`v#mFtp$^W&$WuEAF%Etu@GUh=A4{^d+2j5hiWx!v%hwaVqP
zdd}|E%_dC7qpgvc)q%dxB?3b=@u13!vC>x3txbovVdYU{5A5k9h0|4$`ZuG5o*re+
d5U5ktw6nb3f))mHy6iZU!2foQ=lK5SzW`I|))@c*

literal 0
HcmV?d00001


From 204c8524422e3a2c9010b01f9427d3b8d1daf35d Mon Sep 17 00:00:00 2001
From: Ryan Everett <ryan.everett@arm.com>
Date: Thu, 7 Dec 2023 11:03:43 +0000
Subject: [PATCH 15/39] Move psa-thread-safety.md

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
---
 docs/architecture/{ => psa-thread-safety}/psa-thread-safety.md | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename docs/architecture/{ => psa-thread-safety}/psa-thread-safety.md (100%)

diff --git a/docs/architecture/psa-thread-safety.md b/docs/architecture/psa-thread-safety/psa-thread-safety.md
similarity index 100%
rename from docs/architecture/psa-thread-safety.md
rename to docs/architecture/psa-thread-safety/psa-thread-safety.md

From b8c4254f449e263cac03c282f9a9b0124c54151c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Thu, 7 Dec 2023 12:12:39 +0100
Subject: [PATCH 16/39] Update cipher light -> block cipher definition
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
---
 .../psa-migration/md-cipher-dispatch.md       | 58 +++++++------------
 1 file changed, 21 insertions(+), 37 deletions(-)

diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md
index f165b21e07..bc92d00b37 100644
--- a/docs/architecture/psa-migration/md-cipher-dispatch.md
+++ b/docs/architecture/psa-migration/md-cipher-dispatch.md
@@ -379,6 +379,8 @@ Those costs could be avoided by refactoring (parts of) Cipher, but that would pr
 - significant differences in how the `cipher.h` API is implemented between builds with the full Cipher or only a subset;
 - or more work to apply the simplifications to all of Cipher.
 
+Prototyping both approaches showed better code size savings and cleaner code with a new internal module.
+
 ## Specification
 
 ### MD light
@@ -564,50 +566,32 @@ The architecture can be extended to support `MBEDTLS_PSA_CRYPTO_CLIENT` with a l
 * Compile-time dependencies: instead of checking `defined(MBEDTLS_PSA_CRYPTO_C)`, check `defined(MBEDTLS_PSA_CRYPTO_C) || defined(MBEDTLS_PSA_CRYPTO_CLIENT)`.
 * Implementers of `MBEDTLS_PSA_CRYPTO_CLIENT` will need to provide `psa_can_do_hash()` (or a more general function `psa_can_do`) alongside `psa_crypto_init()`. Note that at this point, it will become a public interface, hence we won't be able to change it at a whim.
 
-### Cipher light
+### Internal "block cipher" abstraction (Cipher light)
 
 #### Definition
 
-**Note:** this definition is tentative an may be refined when implementing and
-testing, based and what's needed by internal users of Cipher light. The new
-config symbol will not be considered public so its definition may change.
+The new module is automatically enabled in `build_info.h` by modules that need
+it, namely: CCM, GCM, only when `CIPHER_C` is not available. Note: CCM and GCM
+currently depend on the full `CIPHER_C` (enforced by `check_config.h`); this
+hard dependency would be replaced by the above auto-enablement.
 
-Cipher light will be automatically enabled in `build_info.h` by modules that
-need it, namely: CCM, GCM. Note: CCM and GCM currently depend on the full
-`CIPHER_C` (enforced by `check_config.h`); this hard dependency would be
-replaced by the above auto-enablement.
-
-Cipher light includes:
-- some info functions;
-- support for block ciphers in ECB mode, encrypt only (note: in Cipher, "ECB"
-  means just one block, contrary to PSA);
-- part of the streaming API for unauthenticated ciphers;
-- only AES, Aria and Camellia.
-
-This excludes:
-- the one-shot API for unauthenticated ciphers;
-- the AEAD/KW API (both one-shot and streaming);
-- support for stream ciphers;
-- support for other modes of block ciphers (CBC, CTR, CFB, etc.);
-- DES and variants (3DES).
-
-The following API functions, and supporting types, are candidates for
-inclusion in the Cipher light API, with limited features as above:
+The following API functions are offered:
 ```
-mbedtls_cipher_info_from_values
-mbedtls_cipher_info_get_block_size
-
-mbedtls_cipher_init
-mbedtls_cipher_setup
-mbedtls_cipher_setkey
-mbedtls_cipher_free
-
-mbedtls_cipher_update
+void mbedtls_block_cipher_init(mbedtls_block_cipher_context_t *ctx);
+void mbedtls_block_cipher_free(mbedtls_block_cipher_context_t *ctx);
+int mbedtls_block_cipher_setup(mbedtls_block_cipher_context_t *ctx,
+                               mbedtls_cipher_id_t cipher_id);
+int mbedtls_block_cipher_setkey(mbedtls_block_cipher_context_t *ctx,
+                                const unsigned char *key,
+                                unsigned key_bitlen);
+int mbedtls_block_cipher_encrypt(mbedtls_block_cipher_context_t *ctx,
+                                 const unsigned char input[16],
+                                 unsigned char output[16]);
 ```
 
-Note: `mbedtls_cipher_info_get_block_size()` can be hard-coded to return 16,
-as all three supported block ciphers have the same block size (DES was
-excluded).
+The only supported ciphers are AES, ARIA and Camellia. They are identified by
+an `mbedtls_cipher_id_t` in the `setup()` function, because that's how they're
+identifed by callers (GCM/CCM).
 
 #### Cipher light dual dispatch
 

From 177a45f556f9a44f35c37a34926eefd45260def8 Mon Sep 17 00:00:00 2001
From: Ryan Everett <ryan.everett@arm.com>
Date: Thu, 7 Dec 2023 11:24:30 +0000
Subject: [PATCH 17/39] Small clarifications in documentation

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
---
 docs/architecture/psa-thread-safety/psa-thread-safety.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/architecture/psa-thread-safety/psa-thread-safety.md b/docs/architecture/psa-thread-safety/psa-thread-safety.md
index 79881a624a..97273f3872 100644
--- a/docs/architecture/psa-thread-safety/psa-thread-safety.md
+++ b/docs/architecture/psa-thread-safety/psa-thread-safety.md
@@ -294,7 +294,7 @@ A counter field within each slot keeps track of how many readers have registered
 
 Library functions which operate on a slot will return `PSA_ERROR_BAD_STATE` if the slot is in an inappropriate state for the function at the linearization point.
 
-A state transition diagram can be found in docs/architecture/psa-thread-safety/key-slot-state-transitions.jpg. In this diagram, an arrow between two states `q1` and `q2` with label `f` indicates that if the state of a slot is `q1` immediately before `f`'s linearization point, it may be `q2` immediately after `f`'s linearization point. This means that the linearization point of a state changing call to a function must be a call to `psa_slot_state_transition`.
+A state transition diagram can be found in docs/architecture/psa-thread-safety/key-slot-state-transitions.jpg. In this diagram, an arrow between two states `q1` and `q2` with label `f` indicates that if the state of a slot is `q1` immediately before `f`'s linearization point, it may be `q2` immediately after `f`'s linearization point. The linearization point of a state changing call to a function must be a call to `psa_slot_state_transition`.
 
 #### Destruction of a key in use
 
@@ -310,7 +310,7 @@ When calling `psa_wipe_key_slot` it is the callers responsibility to set the slo
 
 `psa_wipe_all_key_slots` is only called from `mbedtls_psa_crypto_free`, here we will need to return an error as we won't be able to free the key store if a key is in use without compromising the state of the secure side. This is acceptable as an untrusted application cannot call `mbedtls_psa_crypto_free` in a crypto service. In a service integration, `mbedtls_psa_crypto_free` on the client cuts the communication with the crypto service. Also, this is the current behaviour.
 
-`psa_destroy_key` marks the slot as deleted, deletes persistent keys and opaque keys and returns. This only works if drivers are protected by a mutex (and the persistent storage as well if needed).`psa_destroy_key` transfers to PENDING_DELETION as an intermediate state, then, when the last reading operation finishes, it wipes the key slot. This will free the key ID, but the slot might be still in use. In case of volatile keys freeing up the ID while the slot is still in use does not provide any benefit and we don't need to do it.
+`psa_destroy_key` registers as a reader, marks the slot as deleted, deletes persistent keys and opaque keys and unregisters before returning. This will free the key ID, but the slot might be still in use. This only works if drivers are protected by a mutex (and the persistent storage as well if needed). `psa_destroy_key` transfers to PENDING_DELETION as an intermediate state. The last reading operation will wipe the key slot upon unregistering.  In case of volatile keys freeing up the ID while the slot is still in use does not provide any benefit and we don't need to do it.
 
 These are serious limitations, but this can be implemented with mutexes only and arguably satisfies the [Key destruction short-term requirements](#key-destruction-short-term-requirements).
 

From 4dde0b293cd84dd0eff77a1d6d5f9387a55f8a46 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
 <manuel.pegourie-gonnard@arm.com>
Date: Thu, 14 Dec 2023 12:09:38 +0100
Subject: [PATCH 18/39] md-cipher-dispatch: editorial improvements
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix a typo, add a reference.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
---
 docs/architecture/psa-migration/md-cipher-dispatch.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md
index bc92d00b37..430b0caec9 100644
--- a/docs/architecture/psa-migration/md-cipher-dispatch.md
+++ b/docs/architecture/psa-migration/md-cipher-dispatch.md
@@ -358,7 +358,7 @@ The two AEAD modes, GCM and CCM, have very similar needs and positions in the st
 - CTR-DRBG holds a special position in the stack: most users don't care about it per se, they only care about getting random numbers - in fact PSA users don't even need to know what DRBG is used. In particular, no part of the stack is asking questions like "is CTR-DRBG-AES available?" - an RNG needs to be available and that's it - contrary to similar questions about AES-GCM etc. which are asked for example by TLS.
 
 So, it makes sense to use different designs for CTR-DRBG on one hand, and GCM/CCM on the other hand:
-- CTR-DRBG can just check if `AES_C` is present and "fall back" to PSA is not.
+- CTR-DRBG can just check if `AES_C` is present and "fall back" to PSA if not.
 - GCM and CCM need an common abstraction layer that allows:
   - Using AES, Aria or Camellia in a uniform way.
   - Dispatching to built-in or driver.
@@ -379,7 +379,7 @@ Those costs could be avoided by refactoring (parts of) Cipher, but that would pr
 - significant differences in how the `cipher.h` API is implemented between builds with the full Cipher or only a subset;
 - or more work to apply the simplifications to all of Cipher.
 
-Prototyping both approaches showed better code size savings and cleaner code with a new internal module.
+Prototyping both approaches showed better code size savings and cleaner code with a new internal module (see section "Internal "block cipher" abstraction (Cipher light)" below).
 
 ## Specification
 

From b461b8731c5549c5fb5e20f4c7f80ab8e40973bd Mon Sep 17 00:00:00 2001
From: Ryan Everett <ryan.everett@arm.com>
Date: Thu, 14 Dec 2023 14:40:36 +0000
Subject: [PATCH 19/39] Change how the state transition diagram is stored

Store the source of the diagram as a url instead of an xml file.
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
---
 .../key-slot-state-transitions.drawio         | 183 ------------------
 .../psa-thread-safety/psa-thread-safety.md    |   6 +
 2 files changed, 6 insertions(+), 183 deletions(-)
 delete mode 100644 docs/architecture/psa-thread-safety/key-slot-state-transitions.drawio

diff --git a/docs/architecture/psa-thread-safety/key-slot-state-transitions.drawio b/docs/architecture/psa-thread-safety/key-slot-state-transitions.drawio
deleted file mode 100644
index 5da2a7fcc9..0000000000
--- a/docs/architecture/psa-thread-safety/key-slot-state-transitions.drawio
+++ /dev/null
@@ -1,183 +0,0 @@
-<mxfile host="app.diagrams.net" modified="2023-12-07T10:07:36.568Z" agent="Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0" etag="WX9wRn5Pyc0ByqdG18_k" version="22.1.5" type="device">
-  <diagram name="Page-1" id="FGZeniR9zYej3VAosmPW">
-    <mxGraphModel dx="1185" dy="603" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="827" pageHeight="1169" math="0" shadow="0">
-      <root>
-        <mxCell id="0" />
-        <mxCell id="1" parent="0" />
-        <mxCell id="Xme0HpS_r-Lskl_YgTMW-13" value="" style="curved=1;endArrow=classic;html=1;rounded=0;entryX=0.988;entryY=0.663;entryDx=0;entryDy=0;entryPerimeter=0;" parent="1" target="Z1zLfVIJwQ9nnBBYjpjK-5" edge="1">
-          <mxGeometry width="50" height="50" relative="1" as="geometry">
-            <mxPoint x="300" y="550" as="sourcePoint" />
-            <mxPoint x="370" y="570" as="targetPoint" />
-            <Array as="points">
-              <mxPoint x="301" y="577" />
-              <mxPoint x="331" y="605" />
-              <mxPoint x="360" y="570" />
-            </Array>
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Xme0HpS_r-Lskl_YgTMW-14" value="&lt;div&gt;unregister_read&lt;/div&gt;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Xme0HpS_r-Lskl_YgTMW-13" vertex="1" connectable="0">
-          <mxGeometry x="-0.3881" y="2" relative="1" as="geometry">
-            <mxPoint x="32" y="-30" as="offset" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-25" value="unregister_read" style="endArrow=classic;html=1;rounded=0;exitX=0;exitY=1;exitDx=0;exitDy=0;entryX=0;entryY=0;entryDx=0;entryDy=0;" parent="1" source="Z1zLfVIJwQ9nnBBYjpjK-4" target="Z1zLfVIJwQ9nnBBYjpjK-3" edge="1">
-          <mxGeometry x="0.6542" y="-2" width="50" height="50" relative="1" as="geometry">
-            <mxPoint x="414" y="440" as="sourcePoint" />
-            <mxPoint x="414" y="600" as="targetPoint" />
-            <mxPoint as="offset" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-42" value="" style="endArrow=none;html=1;rounded=0;" parent="1" edge="1">
-          <mxGeometry width="50" height="50" relative="1" as="geometry">
-            <mxPoint x="520" y="640" as="sourcePoint" />
-            <mxPoint x="520" y="280" as="targetPoint" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-11" value="" style="endArrow=classic;html=1;rounded=0;entryX=1;entryY=1;entryDx=0;entryDy=0;exitX=1;exitY=0;exitDx=0;exitDy=0;" parent="1" source="Z1zLfVIJwQ9nnBBYjpjK-3" target="Z1zLfVIJwQ9nnBBYjpjK-4" edge="1">
-          <mxGeometry width="50" height="50" relative="1" as="geometry">
-            <mxPoint x="400" y="560" as="sourcePoint" />
-            <mxPoint x="399.9999999999998" y="430" as="targetPoint" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-12" value="&lt;div&gt;register_read&lt;br&gt;&lt;/div&gt;&lt;div&gt;psa_get_and_lock_key_slot_in_memory&lt;/div&gt;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Z1zLfVIJwQ9nnBBYjpjK-11" vertex="1" connectable="0">
-          <mxGeometry x="0.2079" y="-2" relative="1" as="geometry">
-            <mxPoint y="-11" as="offset" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-1" value="&lt;div&gt;EMPTY&lt;br&gt;&lt;/div&gt;" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;" parent="1" vertex="1">
-          <mxGeometry x="120" y="600" width="80" height="80" as="geometry" />
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-19" value="" style="endArrow=classic;html=1;rounded=0;exitX=0;exitY=1;exitDx=0;exitDy=0;entryX=0;entryY=0;entryDx=0;entryDy=0;" parent="1" source="Z1zLfVIJwQ9nnBBYjpjK-2" target="Z1zLfVIJwQ9nnBBYjpjK-1" edge="1">
-          <mxGeometry width="50" height="50" relative="1" as="geometry">
-            <mxPoint x="120" y="430" as="sourcePoint" />
-            <mxPoint x="120" y="560" as="targetPoint" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-20" value="psa_fail_key_creation" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Z1zLfVIJwQ9nnBBYjpjK-19" vertex="1" connectable="0">
-          <mxGeometry x="0.2079" y="-2" relative="1" as="geometry">
-            <mxPoint x="2" y="21" as="offset" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-2" value="FILLING" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;" parent="1" vertex="1">
-          <mxGeometry x="120" y="360" width="80" height="80" as="geometry" />
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-3" value="&lt;div&gt;FULL&lt;/div&gt;&lt;div&gt;!has_readers&lt;br&gt;&lt;/div&gt;" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;" parent="1" vertex="1">
-          <mxGeometry x="400" y="600" width="80" height="80" as="geometry" />
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-4" value="&lt;div&gt;FULL&lt;/div&gt;&lt;div&gt;has_readers&lt;br&gt;&lt;/div&gt;" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;" parent="1" vertex="1">
-          <mxGeometry x="400" y="360" width="80" height="80" as="geometry" />
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-5" value="&lt;div&gt;PENDING&lt;/div&gt;&lt;div&gt;DELETION&lt;br&gt;&lt;/div&gt;" style="ellipse;whiteSpace=wrap;html=1;aspect=fixed;" parent="1" vertex="1">
-          <mxGeometry x="260" y="480" width="80" height="80" as="geometry" />
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-7" value="" style="endArrow=classic;html=1;rounded=0;exitX=1;exitY=0;exitDx=0;exitDy=0;" parent="1" source="Z1zLfVIJwQ9nnBBYjpjK-1" edge="1">
-          <mxGeometry width="50" height="50" relative="1" as="geometry">
-            <mxPoint x="190" y="600" as="sourcePoint" />
-            <mxPoint x="188" y="425" as="targetPoint" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-8" value="psa_get_empty_key_slot" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Z1zLfVIJwQ9nnBBYjpjK-7" vertex="1" connectable="0">
-          <mxGeometry x="0.2079" y="-2" relative="1" as="geometry">
-            <mxPoint y="-24" as="offset" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-9" value="" style="endArrow=classic;html=1;rounded=0;entryX=0.5;entryY=0;entryDx=0;entryDy=0;" parent="1" target="Z1zLfVIJwQ9nnBBYjpjK-2" edge="1">
-          <mxGeometry width="50" height="50" relative="1" as="geometry">
-            <mxPoint x="160" y="280" as="sourcePoint" />
-            <mxPoint x="160" y="310.28" as="targetPoint" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-14" value="" style="endArrow=classic;html=1;rounded=0;exitX=1;exitY=0;exitDx=0;exitDy=0;" parent="1" edge="1">
-          <mxGeometry width="50" height="50" relative="1" as="geometry">
-            <mxPoint x="200.00427124746216" y="399.6557287525381" as="sourcePoint" />
-            <mxPoint x="400" y="400" as="targetPoint" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-18" value="psa_finish_key_creation" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Z1zLfVIJwQ9nnBBYjpjK-14" vertex="1" connectable="0">
-          <mxGeometry x="-0.0497" y="-3" relative="1" as="geometry">
-            <mxPoint x="8" y="-5" as="offset" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-15" value="" style="curved=1;endArrow=classic;html=1;rounded=0;entryX=1;entryY=1;entryDx=0;entryDy=0;exitX=0;exitY=1;exitDx=0;exitDy=0;" parent="1" source="Z1zLfVIJwQ9nnBBYjpjK-3" target="Z1zLfVIJwQ9nnBBYjpjK-3" edge="1">
-          <mxGeometry width="50" height="50" relative="1" as="geometry">
-            <mxPoint x="416" y="670" as="sourcePoint" />
-            <mxPoint x="472" y="670" as="targetPoint" />
-            <Array as="points">
-              <mxPoint x="414" y="702" />
-              <mxPoint x="444" y="730" />
-              <mxPoint x="474" y="702" />
-            </Array>
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-16" value="&lt;div&gt;unregister_read&lt;/div&gt;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Z1zLfVIJwQ9nnBBYjpjK-15" vertex="1" connectable="0">
-          <mxGeometry x="-0.3881" y="2" relative="1" as="geometry">
-            <mxPoint x="16" y="1" as="offset" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-26" value="" style="endArrow=classic;html=1;rounded=0;entryX=1;entryY=0;entryDx=0;entryDy=0;exitX=0;exitY=1;exitDx=0;exitDy=0;" parent="1" source="Z1zLfVIJwQ9nnBBYjpjK-4" target="Z1zLfVIJwQ9nnBBYjpjK-5" edge="1">
-          <mxGeometry width="50" height="50" relative="1" as="geometry">
-            <mxPoint x="280" y="460" as="sourcePoint" />
-            <mxPoint x="330" y="410" as="targetPoint" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-27" value="psa_destroy_key" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Z1zLfVIJwQ9nnBBYjpjK-26" vertex="1" connectable="0">
-          <mxGeometry x="0.4866" y="-1" relative="1" as="geometry">
-            <mxPoint x="11" y="-5" as="offset" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-28" value="&lt;div&gt;unregister_read&lt;/div&gt;" style="endArrow=classic;html=1;rounded=0;exitX=0;exitY=1;exitDx=0;exitDy=0;entryX=1;entryY=0;entryDx=0;entryDy=0;" parent="1" source="Z1zLfVIJwQ9nnBBYjpjK-5" target="Z1zLfVIJwQ9nnBBYjpjK-1" edge="1">
-          <mxGeometry x="0.2766" y="1" width="50" height="50" relative="1" as="geometry">
-            <mxPoint x="360" y="560" as="sourcePoint" />
-            <mxPoint x="410" y="510" as="targetPoint" />
-            <mxPoint as="offset" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-33" value="" style="endArrow=classic;html=1;rounded=0;exitX=0;exitY=0.5;exitDx=0;exitDy=0;entryX=1;entryY=0.5;entryDx=0;entryDy=0;" parent="1" source="Z1zLfVIJwQ9nnBBYjpjK-3" target="Z1zLfVIJwQ9nnBBYjpjK-1" edge="1">
-          <mxGeometry width="50" height="50" relative="1" as="geometry">
-            <mxPoint x="272" y="550" as="sourcePoint" />
-            <mxPoint x="180" y="600" as="targetPoint" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-34" value="&lt;div&gt;psa_destroy_key&lt;/div&gt;&lt;div&gt;psa_purge_key&lt;/div&gt;&lt;div&gt;psa_close_key&lt;br&gt;&lt;/div&gt;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Z1zLfVIJwQ9nnBBYjpjK-33" vertex="1" connectable="0">
-          <mxGeometry x="0.4866" y="-1" relative="1" as="geometry">
-            <mxPoint x="14" y="1" as="offset" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-41" value="" style="endArrow=none;html=1;rounded=0;" parent="1" edge="1">
-          <mxGeometry width="50" height="50" relative="1" as="geometry">
-            <mxPoint x="160" y="280" as="sourcePoint" />
-            <mxPoint x="520" y="280" as="targetPoint" />
-            <Array as="points" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-44" value="psa_get_empty_key_slot" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Z1zLfVIJwQ9nnBBYjpjK-41" vertex="1" connectable="0">
-          <mxGeometry x="-0.6916" relative="1" as="geometry">
-            <mxPoint x="25" as="offset" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-43" value="" style="endArrow=none;html=1;rounded=0;" parent="1" edge="1">
-          <mxGeometry width="50" height="50" relative="1" as="geometry">
-            <mxPoint x="480" y="640" as="sourcePoint" />
-            <mxPoint x="520" y="640" as="targetPoint" />
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-45" value="" style="curved=1;endArrow=classic;html=1;rounded=0;entryX=1;entryY=0;entryDx=0;entryDy=0;exitX=0;exitY=0;exitDx=0;exitDy=0;" parent="1" source="Z1zLfVIJwQ9nnBBYjpjK-4" target="Z1zLfVIJwQ9nnBBYjpjK-4" edge="1">
-          <mxGeometry width="50" height="50" relative="1" as="geometry">
-            <mxPoint x="409" y="372" as="sourcePoint" />
-            <mxPoint x="465" y="372" as="targetPoint" />
-            <Array as="points">
-              <mxPoint x="411" y="338" />
-              <mxPoint x="441" y="310" />
-              <mxPoint x="471" y="338" />
-            </Array>
-          </mxGeometry>
-        </mxCell>
-        <mxCell id="Z1zLfVIJwQ9nnBBYjpjK-46" value="&lt;div&gt;register_read&lt;/div&gt;&lt;div&gt;psa_get_and_lock_key_slot_in_memory&lt;/div&gt;&lt;div&gt;psa_close_key&lt;/div&gt;&lt;div&gt;psa_purge_key&lt;br&gt;&lt;/div&gt;" style="edgeLabel;html=1;align=center;verticalAlign=middle;resizable=0;points=[];" parent="Z1zLfVIJwQ9nnBBYjpjK-45" vertex="1" connectable="0">
-          <mxGeometry x="-0.3881" y="2" relative="1" as="geometry">
-            <mxPoint x="21" y="-8" as="offset" />
-          </mxGeometry>
-        </mxCell>
-      </root>
-    </mxGraphModel>
-  </diagram>
-</mxfile>
diff --git a/docs/architecture/psa-thread-safety/psa-thread-safety.md b/docs/architecture/psa-thread-safety/psa-thread-safety.md
index 97273f3872..d8256b5c5a 100644
--- a/docs/architecture/psa-thread-safety/psa-thread-safety.md
+++ b/docs/architecture/psa-thread-safety/psa-thread-safety.md
@@ -296,6 +296,12 @@ Library functions which operate on a slot will return `PSA_ERROR_BAD_STATE` if t
 
 A state transition diagram can be found in docs/architecture/psa-thread-safety/key-slot-state-transitions.jpg. In this diagram, an arrow between two states `q1` and `q2` with label `f` indicates that if the state of a slot is `q1` immediately before `f`'s linearization point, it may be `q2` immediately after `f`'s linearization point. The linearization point of a state changing call to a function must be a call to `psa_slot_state_transition`.
 
+#### Generating the state transition diagram from source
+
+To generate the state transition diagram in https://app.diagrams.net/, open the following url:
+
+https://viewer.diagrams.net/?tags=%7B%7D&highlight=FFFFFF&edit=_blank&layers=1&nav=1&title=key-slot-state-transitions#R5Vxbd5s4EP4t%2B%2BDH5iAJcXms4ySbrdtNT7qX9MWHgGyrxcABHNv59SsM2EhgDBhs3PVL0CANoBl9fDMaMkC3i%2FWDb3jzz65F7AGUrPUAjQYQAqBh9ieSbGKJIqFYMPOplXTaC57pO0mEUiJdUosEXMfQde2QerzQdB2HmCEnM3zfXfHdpq7NX9UzZiQneDYNOy%2F9h1rhPJZqUN3Lfyd0Nk%2BvDBQ9PrMw0s7JkwRzw3JXGRG6G6Bb33XD%2BGixviV2NHnpvMTj7g%2Bc3d2YT5ywyoDv4H08%2Ffvxj9VX3XGGw5cf3o9PHxJjvBn2MnngAVRspm9o0Td2OIsO7%2F8aj1Mx0585U9B5bgQTnxgW8YP07Ksv9he1bOcn3KSTzm6c2Zc1hqs5DcmzZ5jRmRVzsegK4cJmLcAOjcCLjT6la2LtVGUnJZmnN%2BKHZJ0RJZP0QNwFCf0N65KclbXEYDuPTdqrjP0T0Txj%2BlRmJB4322neG4UdJHapYSMACowkzphjfYy8nbVM2wgCavIT5btLx4pmaCSxFpscf%2FNvcmrbeMk2Rutsv9Emba1puBvEjl8y8v2QqJGOOGiNwF36Jjnul6Hhz0hY0k%2BO%2BxGLW8V522Zshwtsl8p8YhshfePXfpFBkys8uZQ92UHXwYrgE%2FFzJ6Oya1VUpOo3euancWplJKiNpymnduttu0k4wQFhzgGXjk9mNAiJv13seX9kBhkbr%2BxlwK9Xm86cyEeZQxCfCaJlSRnafkxOLKhlRTqGPgnou%2FG61Re5khc93PZx8XCAR4XOVb56RADYvTOSq3CwXAQM0g2UVJ2zxAd4mt%2BkaoAwxJ1OA9KNLasA%2Ft3np28v14nevQNvvXXwTmBYysAwKIXhHdxLWbiXjsB9c%2FCGFcEb9Au8ec%2FJgWxl7D7yDugYrFO6mXE4LzAmU4Pak59kMzEZXofUdfoM2ema6SNkJ5ohp1Qc3x1%2B51%2FF94%2Fj8eOXh17DMFIuDMNyldderTjnt18u0Lm4kXAVIz3dfRlt3b2inUZ347tvj39%2BuU4b9Y7PqF3RmepRZbPotTmdSdNOx%2BgM7BWdgRJ7%2BWkyVAGLJmWs8G9BLCs3KsAq1FTMGkhQX5XrAEUgTfJ5yY5WyHXYFSdk4YWbLeEJbDfsMdlJF1Qfuc5OjXwuegOKXtTt48sNbhIwxaMuGjL1K98VYYwkpRijMDjg0QBEWawUZJAmqc1QRpYElGG%2BjgSX7DoFVow0U%2BrQYH41cVW6uE7Gmg%2FM7rKu8mCDWvEpRSvUegboKaKfgi3Npf%2B2RZaYbZwv51492dMcg6rm3FGvMEhWMecwitowb4MVQZHIoQ9ADPMBY5PplizPwzes82imSlL5fUGhPzjSX9bK9LOD%2BI6bLp7RUDYBfTA9%2B50sH%2Bkz%2Fvi0rha6CVsGFQO4lNEZjjWxXfNnhtTV0GDabkCiobVGeUtm8uyo%2BtFjf9A%2FtVEb6A%2BQxntZO1k1nr5CfC7sR0X74K3QzixwVwxrMzyz2zy9XBHw%2B5WnhyrkvATjhoAPDuVWzsQpUVGsUwhDFglC392cDl%2FNoPKKQW%2B3sFsIr2VN4eObdGGc6NA7ZN5wINg96smXYLzH4Kw%2BcB4EwJ4AFiN8mVwb0gBnbaSCorO12ausZtJ9CtDrXKQjZouQVn7P4l2iI8wWl%2BrvhtnmCyaup%2FZFbo3ysXgfC47bEvh1kVosNGT7OxeXxrfWCB7sFV4iIeDFTSsxkCrkDStG9G153HXtTpQumlZiRl3YhGqLPqV5zS5ThoWzc5barsqbFTwMdbhZUTVRiHsNKwpoCitChZfSXTluMSMprvDigsTeAkprpV0RoECekbQVj%2FH7Gl2UdhXb9Ux1%2FsehoQkMNYcTXBFO%2BhXVwQNp%2BdpwAgWWonRXMFrsdrDA7XKJoVzQUyOhtKIeyWXtryOpVL5Q26jZ2H0h1y6IAXQhEMuT3pwlz55TOohNfcESIXHSeA8TbbNAGpahrMs6RBoS9XL1GrAS0NRNA7GnyV4F6PxNqBK6UaG0%2B6HyJwJ6qTIA6ijDze%2Bso%2BxSPoToZXqpfK3%2Fz9JLT3S5Hk%2FhRNNmX9%2B%2B338yHccr%2FLCqHfLGFaE1%2BkizM%2BpWtTS2X2VrSKgnw2JeqDLc4iOZqvaoW6HPVWJuEQOzXcOaeMQPIlxxwi0ZY%2Ffk1q%2Bj2Gp6XVI7pM4JakoLOq6DGpaiQAuIiGVQGIie6Pxnq6mAl6wJqu9Cv9g3mFVT%2F1WL%2Bfa74OmW%2Brk2T%2Fnkbu4Lg8pFxIKiqtUee0WnLBnW3P%2Bnj7j7%2Fv%2BloLv%2FAA%3D%3D
+
 #### Destruction of a key in use
 
 Problem: In [Key destruction long-term requirements](#key-destruction-long-term-requirements) we require that the key slot is destroyed (by `psa_wipe_key_slot`) even while it's in use (FILLING or with at least one reader).

From 3b9de382084bb7a8b5f8735457844b0048e51748 Mon Sep 17 00:00:00 2001
From: Wenxing Hou <wenxing.hou@intel.com>
Date: Thu, 14 Dec 2023 16:22:01 +0800
Subject: [PATCH 20/39] Make clienthello comment clear

Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
---
 library/ssl_tls12_server.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 923b093af9..96b65f8b0e 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -1128,11 +1128,11 @@ read_record_header:
     msg_len -= mbedtls_ssl_hs_hdr_len(ssl);
 
     /*
-     * ClientHello layer:
+     * ClientHello layout:
      *     0  .   1   protocol version
      *     2  .  33   random bytes (starting with 4 bytes of Unix time)
-     *    34  .  35   session id length (1 byte)
-     *    35  . 34+x  session id
+     *    34  .  34   session id length (1 byte)
+     *    35  . 34+x  session id, where x = session id length from byte 34
      *   35+x . 35+x  DTLS only: cookie length (1 byte)
      *   36+x .  ..   DTLS only: cookie
      *    ..  .  ..   ciphersuite list length (2 bytes)

From 3eb4274a57cbfc514e9dcb36bf92fc231dcf9e1e Mon Sep 17 00:00:00 2001
From: Ryan Everett <ryan.everett@arm.com>
Date: Thu, 14 Dec 2023 14:47:03 +0000
Subject: [PATCH 21/39] Fix transitions in diagram

Move the finish_key_creation transition
Neaten the diagram
Add transitions for the key loading functions in psa_get_and_lock_key_slot
Add psa_wipe_key_slot transition
Change file to be a png

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
---
 .../key-slot-state-transitions.jpg              | Bin 46583 -> 0 bytes
 .../key-slot-state-transitions.png              | Bin 0 -> 70492 bytes
 .../psa-thread-safety/psa-thread-safety.md      |   2 +-
 3 files changed, 1 insertion(+), 1 deletion(-)
 delete mode 100644 docs/architecture/psa-thread-safety/key-slot-state-transitions.jpg
 create mode 100644 docs/architecture/psa-thread-safety/key-slot-state-transitions.png

diff --git a/docs/architecture/psa-thread-safety/key-slot-state-transitions.jpg b/docs/architecture/psa-thread-safety/key-slot-state-transitions.jpg
deleted file mode 100644
index ebfadcb4963d39f59cc3f21d30a21a62ce1676c0..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 46583
zcmeFZ2UL^mwl4fZC{jc3BubYmU8D-qM5HKPKm?=-5d{g-dj|o5B}nfAA~p101VlPW
zs0o5}5~M_FH|~AbI(zMN_8n`V@sB&kKkj`qNXXan&9}_?%xBK|U3|G%254?;Xlnoj
z1OPyQe*qVBfEoZI{MCNFgYb=rgy>hhL_$JLLUxIqoa_=A8961GlAMB?f{cucmWmoo
zLqkhLPDw{kM?;VQpXS#^2!5RjBD#b>k%oed0>Aa&Y!@8>?InV4f=v(sEkH<10HP(h
z=mDVk`y?j#TLb>15fFlih)GB<k&#p252&L72=Tv7NCYA#CL+Qg?T6nF5YZCTT@k-Y
zLT_M0%H_@=5tNvFiCeX*lhJSt!z20VSuhzn6Eh1d8!sQfz*RvhX&Kq;ayQg&scUFz
zY2Utg-^kd+)Xd!0&i=83qm%P<56>4~aPOBPp<&?>kx|h}$*)sV(|&uCo|j)xSX5k6
z`mVaBwyqx0(Ad<~-P7CG|8Zb&d}4BHdgjY45`|v*y1MplePa{5|NY?b=ot6o=P$Vk
z0MOsX!oUAruz!*Z-w6bSMEEWx{UsLxp%?xSL`y_`MVy50rU9vqJ3W^~&?N@d#N4V*
zGHyvj4CA9`W8_RcQYc>RFVX%c*<TYZ_<tnXAA<d-Tu6WtM1UVW5G|k#oZZVI3?v5x
zfdBkZsD>dckE{?W%h^YXI17%dDossn{99I24w{=8!Bl|kIa~jc=>?FViZi+Z!csFY
zfc_G~@S2kcr^E<EkS{%!R23KTZo$gJv@;JUZ$5Fze(b$wYHQ2Vpr81oS|eQ3UR|^~
zl4F!e88ekdaU(So^%WBk!*12w&|2R-){-IaT|D3-Z1DMg(XvQ4Sc#v)afb5a<}%~u
zQIfOD{%oodtQ9oW%O5i1ai+1aQ}RSiwD;Z3mq*wiNk81lhDUXCqX#iOdWh8*gS)_n
zLcq$7GU`0T*2}Zd*}QJIB7iBa$SK{q$F1^xrdf~so2=_;WE}Bk3k<?fw9$bIA?9Zd
z=U|+dPVJ=Uu(IXEYNDq$tQ^MHhupdwq1T?(ht{@D-SD0GhWyMV^jxZ(CK2ik9Kgbs
z=qvrXwz3pHq;=Prn&M2XVs20Dv6)&*UxMn@HPOW-i4&a_Kb>d(3U5#NbRYQU&+R`I
zK<>|sJ5++=()T@E;+|xkqeMmM<cXVJ^%KBXGx;-k>|)@B0tJ#gL~KB=`-zF8`(~QC
zeRh|1q}RFSVzYyjJIuvq)w(UgWBPc9)~8Oe<m2r(w|x4^8qaS7HAUxB5Xxz3ZxN3r
zQe2ZOo1)3x(UD01Vdo~Vqp-8O*50>J>5goPm?1l=)hA}WMvot?1zv^A9~F%sf(cD=
z34K{q)3tu)-*3g3A|~=Jyzl1NwV%*gAX73!ZaerGA-4nl-b1_}=0GB_8GY#q-Pxg8
z;@G1^#)7mq&e1(jd5>n}Yf`VeKIf^F7rZxld+qwJ0BA&dZw`tQjmmd=d7vE-U|+f5
zOtYS>=~+Cd`EKsZYn`%>JWWmEl7s_XeX<e*SJtFFu6!g_LuDg1QA@EFxAmxs%HW<0
zntD|e076~X-O4G%AR4Q7oon7A%1aVJEvLxPkt|bZqXT*>C{UVV7QI<l5KRpT*%#Ba
z>Q6@VwH5Zu4X!46bBA9u3tSS83~9CtR8crzIeHb}-BUehjngx>kk6!7Zyc{psZ*cY
ztrI#qnX_^Ien;d8J;tJhg)HoQhh4f%*yKNz#S+tJ?v`1(QGv3ix&Z85B)5?5k$dIk
z_inXUwbj&~NO#wD-nH5x`6~L}0U=%^B&Sau^53l--~tG*I!jevUu|OyK-m`uU^f9}
zRC$1X!cRF^m^IGKY3cN3AQ<NYowYrWw?LVkGnso`0FWHe|GV1%zxz#5R&Ubd%v!I0
zsy1WGXO8`gAsV^1Xq0pn?MWFQUl49=c<J(T@TD9I20))cg&6p6KfF!0@d}u)3IjVI
zxBw#B4;F}lmlc5bx4w}Gw#uFzikoA#agSXEb!B^++^Tq2Tk_<Vb)0;Mv2L0gPgP&N
zFJxzVc=K}LGxM44wB;q5^_q3__IO{1=dgFWUe7DN5lpbNI_Yl0?{_Mm7?Rx=%+qnK
z-{%s1_kp|tXe8Z6<-@)D$gtq9^D8sFljU{8YCXp3mc7FTOk!TXH8Clv_BB2cac!fk
zUbS&7_e}>c3#thF>R=Lj6C%x}Q(D->!VfI(-I~mqIw(8Qqx&?``5f|<mrYl0MfFjt
zJumu=*5iAu3ymt*e5p>vl)_LtLY8W1{-}clnme8b6^rX^p*D3aVuw1JH!BL#O)1WI
zbsCM_u2^`tdD)BaAp!ZVfJ^X*&Ma;$q;=Uv$JNN!I)JIP#C#LkSQ|dQCa)!;X7R)L
zStFRS)*_^lAX$)PEr*=$l&={}8r6=vK6$EMfwRzWby41l6Y54bY1_UNDTqBf_o%ku
z*?c-@Js=Ld!=0v24CvWoWV>F_&FNC-mnFN%MmgwCs0SlgS1cDoPTHcl6QOy_GT(=R
zr&$DNDHXo570#~Z@P4c8?lE|>&h)`Bm1vHOPU^(L7KM*aOyxY;tpVv*$xogM-?7ER
z7;zQm{_Pc4aC94+I_DDdR2qYJIn$W-nX8x?ACmiItZ_Y8Yq<9AmACTET6T3ImtQ>y
z^z;|SEXDcr;!I3&J}b%;>oVrdQNj-6hwO3kJ<oNXGq!v*K=LGYa4WGai}zOm_DkoV
ztvJpXTCn_KzE0?NGG}I!G=%#=zOEzFs8s>iPXR+8Zv)$gBqZ59jn*559)VADfm|PO
zvVKLU_6@j7#>~*2Je<Z{*CI52#keumWjKCZv3EOx{Yj#Zl-A1UXVrH;Ewy|BWEC_~
z37o#S#+SO=cxiBklTCM<5+Zz6+}uKP(K6v{9XEyVP>^UFjfNa+cLE%J*(U<N3gc2=
z%4_3XdW>ads?7bOf09+Cy2xkvsqUVM+UW5Q7)x3|06|k9?thHERdP+`2Kdq`Ip$l4
zuX+KlMi0x>{=Cd-tDIskqttbw&TFzL*d?NokOo91@=)M1tzalQ$w+FTBHup&pg+T*
z|MCqq*lxG?LpmWO;7IRO@d7AX7XVE;{sVye=QH*zXXVdzZI_qMk}m*oz(x}}aA^J~
z$o0=>{39Iu3;Pr<fTNd~`sQU=pf!~OBRT_G<zfZJ_{SA)$}Bo-f3>`6&+x3jm4e&V
z!zP9It^^s!C~3~WRw)bwtJc+Cr|JEj?I--_kPBeKgMnbP_J5;<{#(t2-$?qg?JBMq
zo2-lJecvwDtHa5Dce?E|uIyIh)S=uHk0C{-{=1W&>^}0IjY)lLQr_w<&g1hMsFpf)
zfxX5+@k3ZbHnWJ-u*6DFJL3}%FwG@j9*+v4yW{9<@FI$ngXsMo!=qWZcrIUBnn>0A
zHKoQkRj5N&9AXrN(9KkQ${gk!O&(c-(_<bYqFsIRb4M^1=NF%s9MTzOKR$}Tb^+LC
zirPN?e!GU%<SD7LSg&=oKj~;Y3OeR5xq&pQYpYrDE|~IF^LAlKV=G|W-XM9a>NEqf
z**D`m;c?>Z$#ehOlt%<W@A%SApI^r1n_=4uSF-7%+N<jd#zkslEKFBwYkR}q?n^Xl
zAn0T>6mpnt_FaiVgpMF)^aT*>f7S6^220!?Sf^bG;lz3Sp<P7Cg#_%+r>AV4k`|et
z#fhc%2wY_~7N(~pSzd<REI#$d#kiv6H$1K5oA`>0ES;Nl!z!aZESf1oY~6*KlNWBf
z`?(h*H;$@y5Fw6mhjf|bK~INtI^eoqq%zdkWu-FEN@n8J9{XZRHAM-s`P9t3+sW};
zZ+ZmsP)GhFOAEoL#7<Y|+ZN@Nah_{Up@M;+1Bt)5I{xit@%tnvtS>IzXcEovD&M*h
zRu`UaLzE_KVj@wlKi3s)_BHWKn7R>BDi1)w7bsU25DO)9JD|7#7?Gz2m{=rVn({2H
zPT;Wlaa~<T!orY%U*u^*N~A(Gkp3N=-OYJp>sHmI5;x8Y`K{+&LSDB_m0Ln-*(;j4
ztG=JeE>pevtPXgL-?$Yg{JtcTLQ=c~@Z=dK<#fdsFR!k}_@OQIVw9+|wZ?l~{Q@AZ
z&ePL*ns%}HA1PrSoARPfiY2`~3aZVHX{SEiW9wh0qVIj_dS0m%!yI{8$D*OoY}@Wt
z-Vm#?e7K1mh(+-EFyI15^h3xoB<W2f@uxO<aG0L=Eefx)O`6%RaT+a^{p!+31lK>q
zr3miAqM=kGheJ?GJuH2<_|}cAkq;XqWpgnZ6`Pz2B{6$`gM;0UazwP9Ih2REVa(dM
z{-bQlg9Q4GpY`qX3!2YeiWfWOH%16y_D$-3m?Q}X#;+k03<Q;EFxv)%ZRS)SwWA@Q
zpxiSfD>Gf4V=c%Rj?{^8(tc?4;#LO@n8yLc13dkiIkLUFVw8qn{T6>JU*eR`+52vB
z^C|p89G~1yA)UopDfe6Rmc);PA0HbI&Ry!H2&7Kd!*ydW0K*y4T9*Kt*-Nh5wK40S
zGR+~|vSp<@?u>aBpP+Q|t!070H(whaIu&3V+aBvNLI8gTqu-*j)ODfit*GIxF4Hnc
zqp#Bhe#$2(H1uAlmVjSofk<N`y2zx~-Fz*v$~t4)=t=ttL-?sV(mdnq54(B^bp@Y7
z!%O0HTHHBO1Qn>c5zxARf6<1Oh)#C>=Cchf#e%=i54*N_87Gm%;*_ON_ro>BuMS2o
zM8}HfQ0dXav%CGl<Bw-fEzq2jw<bie->f!e-REvX?viZqT+z@5>_$n&W&7I0>(jF;
zoJ!%vx)TRGQ1$V;jk@OMEqLvKh$q>56yoaBaaW$Y*v8MyV90pSs~jeegkRI+0$}U?
z+x&3LEt_|&f`=2;HAfp|^=Xp}SEbmt&^3N!>AaWa2-54Zk{<QF>f_{Exp>nS_T1Im
zn|Eh;p@qicrYlR58P9hfV<f}Z>M~*=P4Jo)Q5!S1IHU#Uq?Ehd&g6(Zt0>=bRrqOn
zYGTkU5qRgxSQU8(ZHmIa0AY4y8=tQ%CcMlg2ZunDhS%!eJsCO?NzE_2>8fyUE74yq
z$06xv_w*X|?GKz(!2PrpXcvou9BC{+u5=l9z+RSYPx9{PYDrD%vct9V-XqCa=xYuP
zJco44n%SQL4l}kS?Xjjm<t^NV(PloW^el7ackJ=Eac6IMl&741y>Id5a}^3NEDWU^
zo>;JTyhQKI4=dc-eKZcUpRPz+()V3?LdQIJb%aILkr0IoTc)j)4NHiZA}B8}b3=L^
zy;gRn`@pN;+w6}fxNOT$5-9DlV4*YpFlkF`vI3SHjds!IsefaCKZ}*^YCf+v!T2o?
z`_1xl>PuXKBBTETIzx<3_yY#Yec3O7>HyT<ne0s!NZG$a+5c$ZAf6|h8_4j=69r#`
zagPl4n7OSb;;k1))6-a~q!FPnpGw)dg3aDU0t87~gn<hA#%I}WS6vWZ{(>#zzO)Wy
zYObgqS-pwc;ph6*QIE!lH<+V*7#n<Cf?@Rq{<pB@2DMM@=-gB&6By2i10d3wgmapf
z0bR`1RP1-_y)25y4cuI%$#$psm{QGJ;zAQIKNi=B<$Y~YmH0aF<x;PrmliG=gXn{T
z%SC)`UA)oOVCNh64f|2L+HA5}NUcueRF;X$2=+{Z>%?htIbiAuCHhls+yL6o0j>Tm
zq}*3oDZ3Q@Y`6aob9!G8NiJ_(e4(qLU)lDkRd1aq%L1>(v)o**{@+SIsVK^#+Plv5
zmi=pr;o--3Yb^O(snK2MGn#%DMp?*n*V|~^Zz26s-~0O3RK`DIPX{llQ_})c=X@Iw
zAza<_T+7oNA~5PG-oZ_pEg8g5%6&5QmpJ0N+1k$gWU~F>)CUqFf&}3J`V@3>4L;Ky
z0M5g#Rk@>5r_g#4M@vqKhV)xWVqiVzaq-7trp%^1jx$6g$;5#}`oxu_z7TACH;f(*
zHO2BGBGxc_-6eH%@;*C)LR&l5_Y(|L%<Pho^0uqj1&j161zzy!4#X9Ja&Z02kI(WB
zwqRhmm;Pj}R>ihwnfy?Nrh0pIl63pHTY2I#eOHVS_vdnxr$26fyZ(`cajBy{8rdG5
zjLzIi3l^3>liBOuH-o<zGH7%a+*Oni(NLUtkYNNbfbD45%@GAlI=M-l-6wo)T@#QX
z+!A1qEg44XfN9p<ovM*eHw+qed4fFO$>h_kaLH#@)LrIkyksxQUH@@fGp<7sgl?$D
zO)Tr|g{K2prfi?Gk;lfHd#Y0&>u4>vyew5w^Z85Jc6wFSN`5&scO5~W>hxx<`(;vJ
zioVIe0Bl@t1cV8Dwo|Rw&-n9Ac|1cZ9;8mF9!q>F`tdljYjlA2V}nYPROuBP6}EP&
zbLQe8f4tq9H-6a!hjzYHj5YWBFt%qsJX2U3KDg;)6d>WW5<fUNb}MF$a3)R8>)}`6
zMLWaJd!=iROfO}FrD9U2JTmVtnM7{AK=wy;dHbaKwPFx_S36(P{<dapEzTyvQXTk|
zNx3GWw?eE(i32;a*+w@loj_@^4r7e{d}NH6KtgHy1+_31t_e@fzfvdj@U%>C_X!-6
z1M6+9zG7I}PFFW5BRpJ3XpVhY)*!|pLKD%_lr*@%XVx@n%<jk)lx|_ioIvwp|07NA
z>~|X#C>GJtl(0jV=gejj0?}cHFktyY`>n<gspRhb%nU*Vy&iIt&1>Kt{Q7PsSc`#R
zdUhi<o67$RE~Do-)k}HSpSNawr(EQ~53+xVmN6JiSgU9eu8OPfq33@U8bAd+v!?Z@
zd*JKXh|Ov(oSUVvrp4*q#Z0|(dFeM*Fd));*86GE?zsxfts!C4%bcGwmGm7!6#dFI
zda<6?kuUpu6lpztzI&E!-kaSp#HHOE<35qzP02^LR6j7yP5xw7TN>b5m!!2zZDx@}
zJR~;zVoPTtJi#6uK~-3vyKLra6uV6~qnbpLqU^UeaQrBFkcuZ_?Z;cYIzWF)*+Dr<
z#<g-D4u{Jc2GE<sn>88`Q*LhD;e8V(Q$?-uXvJ5`=_p=8$4haRiQ)njNqAa{(HDv(
z?XC=NQ>-4d%`nF*9<|%N$C+EOUw!|ce{y?go38VHm%x___eXgqBCF+hd*2d%0gj>J
zSrjp-Z-KR9#D%lX$vQP!@7=!Gyx-LuR_qR_6RzNi+g%I1;ruWBpZ_t6{ImZB8u1r8
z)xtu9Ji#RE5L%39cBE$jn~TKy(b(c<|6K%Pf7{J%(TvxW&ox)%fsHM{FrJ&-32<(1
zE?c7P=I^eZsF3zXcAbB}KTTEFB8zoS-k33dQS%!mGrhWWv(l_RLV_pJ+h#UefMh91
z+0nbj2J2=Wo{Tf^qA<&uD*7;4E*;(`a+d8$Nypn^%5*8S<?w0ZgF8cYsW;gv^+~O<
zLTKuW<&zOAoLAR5d;N@p8oK#MdF_eIuzI<OzM88@PxbJPUP-Rd$Px<rq}>p}%^vv9
z4owK4(Ts;F@F{RI_O(`6ZKRst4JmO>w6Jh`CX*tv^DWy4#?U+En+CkoGJ6A%7e)u_
z7MxF+u+`V0TtJvZk0BAy<=V!UDbIlFyd_RmABq?YZAy~GO)Y!GqmL76+y#j&Ng7XU
z35qd3M+uYu!nkxQMSsSvpT;3&W((FEY?G;Ji+5i2atTs|r;iJ8c^jR6?2&wM)#yp}
zTS8zDDZdhX0f59>pcS7HUTj9&O-WW?<}AuGk~uR5n0}CF*Yw274u}gzMt}O|$Q396
zMOyTXV5wms(^JTlG>fpbye`OKvYaH>oro>=Xmrrb-U3>aaUF@4^8T7G2h5+})RzT3
z+ey!5ZeoMYEOanivlgc7KV7HudD3noC+;`WNg-_oZoYAy;+Bxn{P`8|>>w@rSLXlE
zblU$I4E*^r9HhO<q2?yNu9}@QY*S}bt(9S(-gS>sy-b+W=p;?&=fqN;!+4%`47!2b
zj0ea~^4Wl*00(G@P3?$Smti+knhSBdMd!Okb=Y%C$<`hnFY-a|mN}`UL8`8gUIW|?
zqCJ5!OUvM31-S|fIHKc)!)+{e){OP+_r;}6+36SV3o={3<=31TY9wks?UO<VO+nqh
z8Uj+D0pV$o8}-pc=<s}-cbc|O5$R8Ua>zFEuBP<$#}&kHviGHs#cQfnB@6BrUx~~i
zk2r$kl+vG=TV{vxOrQ}y+OCBYb@D^<F=iqa$VKL0xV@Q;4aESv)RV$#O=^qhb_7-D
zpR-9HHcg0D`10~LZCsn}q^f1h{A!#mQr_od``oQM(k)9)JJHG`F@$b*M2f&c2PcVw
zk#5Rnap622NRlh&3#!yab4Av29UK@YglA~y%%unWpCsKVljvM6lPG;Sr;<augtJ=o
zY36i5?^dDw)P=vgh+L}(t*4Eu)SOM{r(3w4%o-ZZtJ;zZ*d?kk*1~4Lqx2#?b!E-R
z6qG%Qr{h!6W4zO1MfKkwBA76G(#@Y9Wx-KKagP(t^-BV;BO8ErOadydvTKQYlg$gc
z1M}4NGM`jXFJGK9^GgycI~hpV=CoN{Wgtu}5#6bmp8quah+yvj==_4poR6iy9l|?8
z>3sR6r+0MeU?jM33=$4;y`{&O&)N4jwfc4{>8FQzX2EF?eFuocpd%;_(^q<;vY{kZ
z)rx(bjHS22l8vEmRHT$NS5?(DSc5?V!K%FDqIo_CuEoc)+EV#XlXwJ|In%Z)JXdhO
z*60e^Ua}S2ym`l$BD-&WZ&KHB@#2!O(nJ<<`eYO<+jj2?#Isu&R7f5X=pDsP9!lcL
z1@-d@+*=W46yfCigA+aC;gYXgTx(KwNv7NJdL$~8-P;$y_nEj_0&uv3Ha2gj$BF~v
z5L?^MK7b}`@pLM2o-wXxPAKRvl!<JE{d`n8+mcXk?;H37{QU{wmID^R4v+LC5T6o+
z!x(X8=&x2+pu{UPPgZND>h$X8aOFq@GF$)4Y!JO`gL(tSC9W0FXP#GJ^O}h^$)OX?
zA*Fou5;L-^jdua&KoV3klCO=z+Fdefl8q@U`ZiCt&xX;B1wp8Qm#`iFJa~H#l)BvG
z0w5@1`+~I&|5pEI+iF+dTFj*GMMDyU;0VX<3huZ;ncN|P0RSquWgJi|eQ@J$raM|J
zDht{^alkmSQ&czR>1y-d_kP-pj*rK<ny2d%*G&I@VdxW*p@A1hru7m4*bXPl-y`&k
z6uO2PiS!&c{HBU?b@#G$d3HR)<y^B_3CX1!q@WwNcgCs&?Yk>^qe?(azcVO*wtav8
z29m#zg+|oMx8CSBpQ+tZ`exd20?DMB8dvB2dZP0~zl_Gt@7-|Sv!?|scxR>TNE3hb
z`wPIqI&_h_Zl-plE(08)#M;<Ak>8}zgb3HYafKu47WIL#;GAh7^+bGlpkn%8B#8du
zzOJ?<77moDRcaSo)EB~FyagtYui0zy*g0`iO$tdFB;BBk_8|vW&$;0<hM1zl<v4at
zJU`LS3{U4|KI4*k`az^(c%fUs_<?MqgXs7(g3GVEg9%2r7FjSe(XRP5SmlV?VXI5o
z!|_5VTD!DRA~*8oz^7Uxt-$@!7SJ+`VzI3dl}+lHu0EN_0&$_ZR56>+LsyU&8~ZN1
z<E1{yA@Im$krZPRUHL>>nI5NhYg$aIRAG)H=1fT_N(6d&H!4#*cJ==1(`TfGfYZ_!
z)6LX-PRPvH%rDXe9;K75&}j-n$g4kG2|AD>NX+w9#xRFh2Gq95EysawH-E7`QBTdF
zq;pj?c_wiEI){%wiC(m?%R5{E+B&F3AoVD&5MJu3<GtzulM`JI;tw(iAttxg$?PcQ
zcV3R=2=r)@jW~c(cPb(x4s@s_*vsC)9O6IEUNLjybshiI2~h6#)QEpgPSOP&_5Z{5
zC1u2@^)*%YR0f|D;NsrTA#aw#%esCVBfJ^&Bsw{cWfF(E`pQ3bg5&@u+gQ7-S_0(1
zR%^b^C(k$9K}yoTAgppXl<w35BN|iL6=E=IKiQ(@;5>~i7wqGB!^2J#@+s`McsdjA
zL=}j`1whn|`PP{olntVzx`(a|D#YR^yQuL6U|AQ_V{ABYF1Tx<!$)@Ia$m-LDXSS@
ziZ@aKwEOXEyyLWKrX>f7@x50a2bYf-fX#n_9RFc@{WE30-_FS}sq6?1dnpzDN%&xo
zc57X-t3@1X7T%}aTzdTi2+}8ghwm&7y-20&zD$_63E*gdF&w`}l4RY4K9;z!@!klL
zLI@}Lt0N(&(8{-tikGY9waRfyph-8z)1v5!o)^!r`}-S~U6EVHZaadS;<eV|?4zc}
zI_&M`D8Z^=cNOX!urRJ8ww<=^(t}(p1$S=>!VbDPRI43E{&cVy^nt$)c$xV}gzv8t
z@DgUW;j-yYOxIToKW{%}pw{L&U?5n7VyaGUumV!bL{EfGH0*!)I+bhKPw;<Z{eXzS
zm5Q_F9~NP3CM=SB{3AG!|5S1$^zgt*Noeckw;rd}hvVvK_8gD%3qWvVRQN@PcmFWG
z9N_ktTZ&+A-HI5a7q)T@=hBIUB(us#n{Hq_B)38hh5@|_xL(&H55mWq7VdI;>T>d4
zzmEgQ`jY-~hzbYK1yEDmox#f2it|m+?jBZkQdsds2~~d3u#@A>nxJwJ=SlMY!a+a4
znnQ8{blt-$qoNaVruCpcC5Y<Wsd~<rA6}{AftP&dfKPT-xrMd!&qIzpbU)=l;__W?
zC`Z<o>H2j4tjH=Za;7QlE!=s#CB;m8ZE%1i@^;g!n?!W@80zbPFMI(ps2CzYpHyN=
zU!9^GK^;f3$X_Fm;ma@B<5yIk;#b}tC2Ie_rIVoy{!`HUgx<;s<=Xb((<?b}{+qb4
zf(2*eHbI<|SK&emTl&(5SNfx_Jywt3$aYul?F3B)SbKtAfe!S#tT8D8T_Ocgj?8Pg
z$XQiS>+RaaC%ucEYmr2;BdZbf%<lXwcxL<$U6tZLu(a<2#m|H7Y@E*ppgW3Rod2CV
zB3NZI;P1Zx#7x>%E&$4@<Bg-xRbPXU{e?R>q{F@AB~uz$5^HExmLcW%+^uV*H&rNp
zr}rREmFqVWy3RCC`WFeu*P6#gS6$j^anHsmq{{EwwO7Y_G;WUH%0J^yQuaIl0BRqr
zixcWGS4@bM;?!8upOBV!tQ3B~^A*h4Lni?Ls=*;q{o!&vo@^BTU5bCfIsVyOfH1=F
zmhC7EJC)X(sWTh^GIL7axMB3hw;K)T$+{XhIdp2QzN|*aQNBz@{Ya1pI99=@&IR5e
z2mXj2VqlR0gbJLfy{L5P4t*XRdh+PFYusw#fs@R+4IH_lI=?il5@9>PL!8A`JS_i4
z=JWH*r1k5_z7(_wq`!xaIv<AT^)qWtQcYg$lSZS-7!;myQ?r_x(r6OVsxbc!F#f7n
zuF#FH9f!|Zk1LUW(Gz~U^{T!UZI;K;pQpwpG)JHPdQqMt;2szm{pusDilXSHEA`>>
zE{=u*dHRWc(ToNv9RM`|ssprtA0~Wv5v;Z`QDBD9eoNiu)o`Ca!YwPz<`Y7B_8tM)
zw*HZc!^s0@?@wv)AKXUzV8j1RV*6(k@Vg{`SPAeoT!mDY%*;VT&=LI*$BnNd@8GG9
z5#sBwK1Lt)d|Q=`?^>GdKFTYQAkhcw1YdH^jYlFGq6J>_xaWo4*S`jU0)ZVBx_=yS
zZ&+CHsRS<D3$rDh1;GY3&9vOe0OI?w<m@L5iYc?_Gi+JUc^8$mrtX6#Oa9|d{&LqM
zmInj6)X`w*seVKFO+G~BaPF7ptaP`eeRGYn{&`u|b9;r5qu`sJ_*m`zKPfx!fE{Mg
zm(v@{H03)*8TvTy0MZ!OP=$fjIXC9W9764+L7k5uNVHxD4dj6D#%rzqVY-MQp^$@r
z!{93XoA*dM)W(MkL+e}s2@rXV<#8W0#-IJenEm*}@$yslWr4aFBl_8bB&lP5&DQ-d
zAA8W+`o!N@)&k`z^dj4&FMv?lmGgYQrg2LgyU}EY)YWt(jjL^hYIS2Q4UKT9o>W2_
zRpytI9Dv~Ykq<5eA9Cez&XPc2?^YgtIjGzQS0&W+Leq{i={~Q)8uDLk6ea%nEc@^w
z0N`~`haM9yq%VtXN;-hv8TzCdflY`$C@I)aQmn6kxwBJI3s)hSr4;8w%gW4G32R@5
zB;Y6Q|2G|t2jO=wfMipg>;+(V0dz0@bPEntH2$wB8#L5zzy6#5h%$JuAXv+O%0tNY
zkw@BIR3-C{1k>^}tH=C7(}9W_fl3B5B8Pg6{-YNFokyllXFKcZz2c3U^$+ICp>0>R
z^GuzhL_%Sg;Utyz4XM0CJcjgJSptOc7EAP(Hl;XXU!w|6IVIUR4)gk4N%bQF%=aDZ
z$AT6lVzqdTVDrOwY0=h8ieNK6ysE5tM=b~ECvDL?zJ{T$^yZDs3~Qd}%P-EmZToqA
zv-(Cj_hotDsV)FV^etGUmC9DYkq~-JLQjQPw-*dQK7^)DCNE~5F?^7P2GF`8AHC>I
zRc_|`D)U^0HB0a;_Z0SSi&@X1Y#wJ~7NI`YB97J(m(3szKh(*ly=mhEuWGZk<&Y(D
zw70*K@5mXXst&w#3y;C%uPjBhP!aF-I!v4zz`UIp`y&-@lGGJCr-@ro<V$Iwk94*)
z<7^WznbI+d#Wn0N1}X*TP-Zi&zk;WArO!l&=6}C3<#Cd6mHuQ%_(`b$l@d^Q8|C>_
z0FfO|dD%=s9V>aecFLmL+@=lD@Z$TU2AQfKk$AhbNcGCEGlzQUoGt$degWjw<s_6>
zoHGCc-S^KwUjPRtzDi0p*_dC6e8oqe_ygKeorjGVz?MG21weK0<VL{QBh2W}g#=6v
zwFw%!V}K$%*x|l|yNU&Onj<1TU48D1YqfecgilkHy+*i%$IEd$AjkW|7Mr6e5}Tg_
zUk_nOAGCk$@zL?d@?ky3bGHnJc6Fwph{^DZ9(PoEYu^9N?a9ukXIhY_2p5JAA7if*
z1$w>&_qVe;TXWRz5m!4R+8Cw}<6vsFS#x(9!cE<zCSMJlr${Y7_>e?qn`m2SI@Ulh
zXZ;rR?ktZVYwoB-Uxlf}i(VC9xT455_|wSjc*yw}<a--4Okad%5T_d4HN4grsF0wI
z`+;?v(V5yifVW7VMWMi8GkAnSf`0VR-6P!mmU&%SC&QlSNx52anNZUph_m^{D;mPF
zvz!)hR5cs#=<=wr=Mt?<jUOEG^6iJ4%u$u)`E>8*Gh(ja(Wk5VA=y!0!J=gwrvfbD
zl(As62ZZ;-xPorUMtXL{sqPAlbHkYHR)ed?sOjeM4w+9xN+O!JYqVUIcYlnln?@#(
zY7gntzbJ}xcUlJ1!X;Iv71Vqc44$()n%nok{`oGB)Hv~>?<+QO9{1ZfDK%fS8fD(6
zq2>Z3_0XS-(ehH5qA*l89!>P%+&I<lBV>;Bon7BWT8z~DRH*YHRBD149#f>IYay>~
zE&%d-!R;(9W?0FdrnCrYUHLnR08+DoVtDQjDpB(Y(~?fh!2WhSW}se{-NJ`u&s8g+
zwSjP?w=zmeW>mr2VR?ku8A3Pq)tbsV>uU34ivh=o<LK-Fj5Uy@Ft!Jbl+~77<TARq
zs@)t2R-RT;K6OeQSEg{ZVsCYY^&zb2$5Iz3c1Q$vcKDinA|#j0`=5TU@^+$0f-n}$
z&#M9wEhZ=TPYuRet`y^vsOY<|S#P9syqt+VC<xtD={f$6?A!7tMk0~@*XrKn_oNxR
z&1ad3CoMCGoy+>(!9dF1IkUBu6>n7+RicMP<UcbT*H1g9*C#u<xzRk3dZxxa$ENWp
zH&yCkY{uIUq<9~ZB4I^$Bo>X+we?yKpUJ`cwn18FJ|}ui^UXWj-Z!KBXt`(hy1HvD
zBlw!yE_*#dwM2YA-A=sg%bjoOtAlIAryg`e1hV?b>U0Ia^)Man!6Yx+My|fnD(Q&O
zpWm_ndU%=L8Z(8D`0kx?ICP62Vl5Lc0M1`4u>0r%KBYYYXM;~^ca8XCqXm9rBJP1w
zo7lt!fZGA!vYlc$LH>^RNQhV?&KAqJHqvP&SU1Tt!POL_Z>f26vcQa7XwI3ogdOVi
za9og&_35rI;Ip^gN)Mj>hB`ZVrA^uNKFqcJZqgZ68huuzI!~?hsRwgol(Ym7ayb@*
zmUX$ivqZ3ZvE^<s$Z>Ctxvme#`yv74;=)5c0b(M;cVzPxS-)}UlQN?BW=B-8R+VU-
zFA82OBBXb)?<dfH%-Su8_#qS66_MGu1E67$0<AiIUCW2m`>b+nfe<A^?IPTeDb_2v
zO$<KMWw13qtK(DP^x~&N>K#|ty!u!%WI5j(f@lUJ;gCj_9I_UAjOua6jj7(XAZ%Jc
z=vL$Oq2dcYYF+C1BNCUb#`oV6KAix~`=?t`teQw!f}n<=Xy6bJzCirFO*{}@Oi>+b
zsO0pcr=`-`;H~rhA@(cKNM~TJjc{}3#&O3;g!#_qM+93!=s`@Qv2`0n=lYwFr*Z>w
z%lf2Ve@B6&f7KuGhHbZH+v5n9;~08*baOUha+<XK?R}VCG)RLMLC8SG+kxT-m1J-q
z^_jYMdZ+Y&<WhLN7VqS@@0Kk`;a3<mUBr#L1fT+}eRuVw2nOL9%iyjhruhYH=O(36
z;+>^P`d$eur}XpuqWL%j4{R~nxQp3JlJbEx&1;QI8rp_ENdy|lN3J-V673?(2lMc6
zJ5B1X!<p}Mp*>I<O<$33i9D(NO*&&zB~}6-%{YU1*i~|<d;)^4sVde^bQ}?BvV2>&
zTYWNyt@hWv-K0i|-&X4gm+wnFw5#GB5o>unN|bg15c@N3wq3<C$4M&_Z5+Qu#CX6D
zIG>qyE4&PgW}0IdO<q-!rEPeR&b|LuFpxl}8ww~f;502JTC@w{{`-Cwnqp@ee(zjl
zktw~=3VQVFL}~Z5#%>vEknnIRH@#TB9|%^<p%jC-RN<^U&bhEsxzSE+x(nZlH*e|J
zy!AP)B}l;NbnnA;miq&Jg``|L(q+S?DijmrZ~x}XtqKO6w7veFIwBbIRl~WX+M|$0
z@e$}|`=*KQIw3#p9lK~bn?`ZETZRSEgJbntHu36!npo#vXtKHEG`+6~CNy=CLl`L~
zk~_z8Fh1NE*YvuF=L6AppVlzIyVs>0A<I@c67|HFHD@D>yP<(Odu}>i`pqQWSE0*q
zb$ImN;424qAKvARc&@@E+(Ik3pspNwYW5DE&hDkXvs34ysL)H?b<Odc9v@PM?ke=^
zLZ2RMC%`n(;ZG91xI3;);;2o0)?~KO)8uhQ^s+W@3fC*w?z{noU52kD>8d1_Q9!95
zrV<ri>|;~vY)!2o=H*p5KjLlcu9N`dNk!0qdYo?hTdu(Vonh|k<(j0PB>a6;Dlq2^
zIKJ92HbzPhxAqRN7VgBwAu^qwKixf+RA19ruf9Eg+wM_8W8%QTBS*rvjOEhHldhg3
z0lhcUq99#riqV_(Fa3pg$)z5{&Dk9nc=iiY6~a%F8v2J-C}U98T{vk=Ny`vadszNt
zt+nKd3|7j=T`}#q-F<Hfq6NseBn^43ffxKqj)dVMn0hFs(~Y>)h!sWu8H4G%D9_e=
zrn7d(X*1Np3R;l)E=JpUmPsCG)ozxNMPUNPrLGZ5T=cY%UL>Y-WwN%xqD%~@Emfhk
zvi&S54oieksW_h|TL~5b>6qXGmX&E7kJ}(Kr}R0_=EnKYU}C~BsV|QajSW2FsagxS
zo0ACUZ^{AqDiaqd8Gc@d%d^zsiyy4$CzJ0~-*8P@bgZACuuu)7YPmVO9a$=9@U-E2
zp8#P`0F^(dy7X#~6@WqOlxRxHCW)p1E|F_m<3_J`h9b0Vj7hJAYEi4k0y??B$kwp!
zgEQrBrAwnyF_wHzZo-$VCTtM#<7SMhno$NSac?ZAqL*LwK#K5LM8jft#-3amKXAP<
z-8H!IqTAJ#yqCe{Ey_Rzu*(V#6#1Kb2j}l>|B}6I-ML4%c&esLZOsJ#e!n%tunlV+
zdD>j|ttkbmnR=P=5kfxm+%eIbDtK6h-uJ3r^?ARs`PFExjGLIawcw2_LqcErMe;!%
zdjvZw5Q`jNReYXKC2BXhU`v_d{d=y-HrDm@%+Qz|q#oa!Qe96Md(PI^&R6IP;-0fz
zZt_B+%)VZ2&?k}!U^-WHX8Ji2ywhTW29>V+-|*wpip^rRX3{IBqNC_$xUG3~zeZEx
zho?UK01N5MBo(DhoFcjxJJK~m4sUR2pVNJ}Au~hg41IV)*7Pa|d<C(HrZbh%mj~dK
z8dQMq@d`LPfUR7t&f8;&$@%!&W;TOG$4kGg6x)IVq<!#g-B`M88yUrdeD9Hm<iKi>
z#QCna%q~#qiOoQtm!c|UyDtDt8ZNlIN9H>&%gdE%sXKY;!N$)gqdjS|$Mm0mdX|KJ
zGu`D5m5N^x;3D4yu8*+$THvCvup>XLSIp^6tl(VttBp2hOonz&x6KpR!^e2^E&rxC
zu|OkJZOD^{=2AhN(N4zG<X3<qe|I~Zzr>a@6L(6QevDcMTC{k1dP1~d6g8pL?L0#p
zb%ifrN2ZmFxC!~u*6~enAM=v}P)ZEiYX|VBJe9!4_4l?K?w|CuQD*o4+!*uNA#yhE
zFrQ^9jQ)(Z)!w#UlAJGp!Y^?<>mC<loQhK6l&^~eX_wGQ<cEcrIjvJ!zS`to3RS*X
z^EV;oPjvWD9}TrxJBI=FzpN(zVyZR743qB=dg_OzK!rw*<v9mn(l%@ohIq3|K7Zd?
zdAHQ-Yf8DS!+L#D05rM&2g&iPv~Pa|$^5t-WhsWb<v2cqWj78{NtM3dmmS_PY1VLE
zud4Iu8wKW6>CX@B{`t)R!kPSIr66cfiPgev9U_fOz$EL}n$)G~D+zuGe+UtZp)&nA
zLs1*cVXf)c>fMnl;ohQ8>K?ERCUmaXE!y-aAB73e-97*4;(hSNF7}HZv^vF}dtk71
z|9o%oIyz9?0Y{5b+Pa;r+K7{0cB-9?rQ&^?#aZLX(ZQj5=dofzAI~d3&7sz+*mMBl
zzO1NgN9$-!d#aYRF~+6tQnWGs(s0fkPbb;NYCqm)Am|WwAI1Ch6iKH_7*~9O3`{}f
zJ<dgY+T+Y1w5i<Wr)y1r=}6duVvnjgLz1{U&o<~Xo&f+D-?!2G3bjpmSVE3b#bKht
z3Nq)9<6K1Jo?tdA&bI8X*3);a0vjrfMYyXN=am!X9VnRsv)GYt&8#VG)YW1;b=S1T
z;IZ;TKJzo9r_^g7zmAfW2Y_3MnPaliL{^tZ>3ivVkG!U5bVIFcO({OiyM8BMCW!me
zkwb1i(xn%s#65P9K#hw)rG*~q3UzNr6__rr*H6rCY`$YuZ*dEIL|~-yh2$4o_Ur<v
zW$S$p*Sn3=p;TYRMZN1p{oslXWWGyKJjwd^5q^uY(we#4@bPa^j=zzRe;roM^!m{o
zeP|wQ6T<1~q+S3Pm>6x&-q)9gW%Bdqr2^dQ<4n?C3mc5kJ={x0UOzXu@(>><FkeeR
z`_b!R`6CWlq^ZP=>Y|SZcNe;Q-HD<ha<maf_LoD}9SINr2zUUogE=)c04vWCp7C3v
z7RU1U9tW@&$607HCFJ8o8qbb?Tay!&riK%4I!+9AbOtYy5u9!4|1;C|k7=5J=30MI
ziQlXl4|I*Y_B3#nC`D0=Ggy}hj~A0Zw-hoy;px~}6H?mBO20}|K|7?)!g1xtt*}5+
zSguRDa@2vYa!(d?^5LXZtMRnZoKUmZ@60c!(d%GvZVtudAA}pBq+swTy!A-_qEDLU
zd%eFWn|a~XElb*!!(1t0x&GTR()PEn4U=-q6s7rkVjvO<I1lM@p$ci~?@Z!f9vKD#
zlzDOVZX5ZjC4_O*S2>^*u53A8>1$9rJDZzs$!63PF1IW4P~S=`b5~)&M#aM2o7=EA
zu|qLiZN@{7e*MV*GG?*T{@upQP#wj>o!5VhnSAs}Bs0FZNiFdE;LwgJFn!SW^ptwq
zP0q@bq(NSiV^_tG&)=3J_~D72J14(_YNtE@at^^gFUHkdv<EQ_Dk!2$w+ktp$`tmm
zW}yoE%%}NjG*<mjwVyG*;U^08&+q4W+E;ZeIx<l3T`Vyu2lOF_^mpn10&z}E<z+Rd
zAeO&?i|9#j%}OgWz2(r<(){L8I7`2=*CWD&3cweIYL7nW!f5tpWGZXmTq@>HrLZJ#
zywLXb>8#4N+p}(ubYgH)XIW2-_ge=)PWQ0x+r7ROYc2;Uy&64Spzryqm>sDgTQ=+5
zWR*)d;^bq0W0<(-jsz!<s?qD8A<;nV-<=bp=Oe`Bbe5L79M`(SwRsYQ-wCh^YcB(G
z!+>wqN&+$l<<%n=w@7)Gv3uzAn}YnxkoIm~YpkFeT3|xy0R{Ip8{4P0Z<y2#MPr{t
z-nzr~5d6+I{<^Jcp872nMk5WvpizP^`k;T8D#q*l3bpgQ**AY>HkSo#^y}qNQNd8^
zQ}Ja!=#el8AMDardPwbY{T_wo`p?*2gj5=n(j&pae)-~{yp(;}+MxRYxiY4%B>*Mm
zc+T(3F>S>CupOC2BT{Lu)pB~S%4Jo$Oc%V+@fp-6sX~4M)RA^j=v{NMX7KPM&hv{;
z$NKS3H7-{m`+Oh^B?R_oB>@gO<NdbSfNt~J5AClp>&GF6ua%X>(p=ZX6(D#T9dv4k
zWsYna3JALZNKXwaw4jfyT}JUy{IQuehbFz+YWL&3`ZPHreD)-D2<mR@iuR*+911P(
z_wstdcN@%N8b@jqk7g{{ii21QWB(~a$>6#>;Wa}*u96l9>aaZu!&rxE275raMJzh9
zuH%*1o%7*{?KGH7F>2;bVT9WNMU`-GkgzsCU!Y<iiwz=7WCyL47p2O@6=w81)erv5
z!39t%cBDs<y<=>4PS3@=%;ja7!ppl6MenrzN}6n+##yE?GC$i()zHePEL^xr5_ru+
zEaK(2$io;t4qxlW`nJjKLgpKHgPgdv3mucd&0M=ivR-QE{&og6(8hSqaaKTJ6T0v5
z6MU9@hG!@4-tYq)T>{8O%RMcYn0y7Wl5oujlbpq^2)Oy4=Hz3M#)5{b@3h9oatjJn
z43&wk1>`w^0iNWjSh)bm@-?yY%WKu8?8N7jm>}1e<LckO?bFg7>H)8rc1fOcV$%VW
zvl1o1+&jb^m!H2bLci@X6SE;&F+%J%E&1hWM}<OcN9{zBBvl?7bIvwZ7<O75q1nRr
zI`_v9-)5M2)G~(D8Gx?vN4BW1S)7XDl+kg{DkpR&RzatVMe*&DisOET$qB8DwT&OS
zxzhm;D7ohzn+_xXkpf`axvjBY{tR&VLBrR&F)oFNdhBw3D({t78~3BSBWZ(Q5$u!p
z!@fZF&<;BWHY*j+S5gtSD^SLPcU$R9g*FePNFyfhxLhgj`H;qE8O3KA(qq<PgIJp<
z_(@SzlncppfmA5aF9{2X+6QxU=m{9KCXzjRXTd|*6V#_?4%Ga8g%ha!<<vmZ6z6{$
zmzNcP7&wAeD|`?<xe$jh-F^g)4LCrdkpE5<pu$#<GVP(CgLyNCze~tM@t$Q(0RR1|
zN^WndOyWpVW@1*|-VUN`HBnQT`-4YYTv{FM5E2|LA1<gfY`N<uolWOF7-BSY2*mmL
z)bMiis+i`gem1<+)sr#*ZrAHEu;mCEtONhJ;YWHta9(i%6mu&5Ddw<W$#ww@^qq=b
z03X27$_FAc|FrurmN+Vu>EpYhcr;);dvoch`^5S`mQI2Nv0|s0cu0Rjb83sf2Qc_w
zgns|9wttulMo&dO-7$}?3R|;Dk#b>S8=si6vQlG#hfxF$i3^cNMnIA_K#;5gaXQ*#
zIdwW)j1etEfeDnUN=scVZ7uJjC*67DYN!>y*P}XZX+kf3dkVgVIgaoUBU`V};>1iR
zyA(O4UR|9-&S}tHpW%5+FrTEYsLk{CSDMY}uSrr8Ffg&Me57{>JG;Jd@Q>w^q$%*3
z^SiRBfU`hf{KCt1s{QlczaH;4k2uX#3i(@92%k7J5ug31iWP5@sP?bx=bQmwqE^6X
zVwl5Ub>RP7MD+J=w1Zdnyu#_-$~Mo?nmSZt)k4>dm)kWrW|=%JiH^LMQw4lnwN=s4
zS`YdSa5s18-U;Y8kE@J6mlSzh>Lg+5q(qNUa?39I7|SO2{sGqKMLCF6uu8Slw?H)8
z@fB#|KfH+lVv@i{|EW+F%KF;(-P`eXecK>(!Wo5b&Y$=G#ef))Lv6Uy(H77v501)4
zX88A_PFg9ptu(xT9Ls$7ZhO2dbC&J4P%K}Q7)wL_{#QT^q};=Hlz?)j(8tO~img<Q
zAC#HFU~YDwKR%4pk$?L<Feke!Pzo;s^}Tx-v7>}uD7CNl`Q$!+6-bHLs-G|?W-IS}
z-`M}r_INMN;mBWRN4{l#^#v+W=Frkdb9Avw(fnNg@st={*C(X_zo&zrs$#vau$(gx
z<f^bfhiBYEV5N&gidyH&txX>|zc^a7$UGX=rhL|R>dJ0~rVYL+zfS<XA}IZ(iwM$C
z0rZakl9;s&^b(cTS<UUK9ov>_e7H(khFO1b?g7bz;Om$14<kudo2d<;Gp#SoUF!FC
zPBW3w7547PTJ#FG`_`nx5a~BLN)q;`c>xt(@E>1dl=`g>OlO$@SUDNO5xwWM_zI=*
zFApqq3VKV1iH8@yBB<#4hKk>PqST^&Z05D{HHX68e{_lNy;K-xy#;gD9)A~cbXE8<
zCi6!__}n(sS+0sX%i`MgGh923x5JB_3!o_n?0^$nX&#BX04|+!V(Im(gU9!JUh-xY
zx)V3=Ma$VonN3mOy-(*pu)={)Li_Fze*ri_qi^V)a<?<E9%y?=H)0EWE5pm}(x<WE
ziB3Lry?&B+#y%CI&3MixACZtN!&RJt&6$<r9gs`Wg5%H1P+xhbR!EJF1Lb<^vti!4
z-pt{iEURRaO5tQ(=<HZMMWNG`l)_s|_pShg)wnIJtpQe~uN75E4>vKanvn`1n42{p
zD6)#t(aF>^Xs>H((BJRB+8H(wm&mdmMRt!}G7$fC4u9O2MBd$qVw|#3n#oLy9!im0
z-GcqMJ;Mt?Gx)5xXYVMLL?~jy^itQ=NGpqMi3c<tkQ$60I@#BL^iU77A>_PB-#lp!
zrh1^sE{u4QsLrM<6<Wo5qTi@a4$RVJc|9dq%esskSOH%;AAeaKoLAfEM{1a?8CAzV
z{@u)6%T;uh$rvjfZM?bOW%K}jZLk^9tjQkuJd5tE)L&9B*XjHQ77=_ZSB$ed))_z5
z^L$n_C!ETr-aD!PS+%!Bk7tPC`H!^?bdU`4QxW51%N(fcDIfN3^GZSlQZx4SrY-U7
zrcLb<<eWNt-=h!d8a~pm<mtcpy~+K411#y!r~v?L(*FlchmtZb8?$AKo#{`A+(5O5
zw<FuG$SgAHf_np;>k`gsy~kFQEMkYah9UY_F8~c~Hp{FBfudA^F#;!owZ02cK#coS
z&kd2ZGHk(-t*fsQ=E>S+okGIT=N@#Q<ucEj@4Rv*BML0I)?E8cM+Fjhq7Y*p?9Yh>
zhqdw4XDq`-Pt}wPbG~f83{P=vf0%lS%rvJqc_37{>)}`qIZG1Togc9TtIEvpPsP#M
zaqhff;R)y+m?^e6=nzb~W!#imp6v9}@_qheSjBSez)=+aH7i|il>};@0O^$6UcjXO
zEJeY`9R-CtBJouNLpuTYFfZDR7M7fue_ozA)qOXAqqQK{CiKB4wLTtgSb+wDhYLpe
zIR~nzyRsKC17S(-G6%=ENTV{%EkMO)rU6c~<w(oUgrRt-;8j+&9-L)~*5ERoxC&GT
zu6AUBec(^gg4xYowx*fm-I)o&*BVpl-5=8}`rs-(XOXF~%^Pd*CJ+&Adld6VX+olz
zTeCq_Mbclw|MScu2&cB<=hd}HR6WK?->)Nel-x}gquyB8C_^LKH)s*15U!>Fi0?=J
z)p<uyRW**ROdE~Q3f!;;c3R|6e#*TNj`mti{!oz?M%R_`s~7UE3&*fq#`&1TTP<Gq
z#}D4`GX%Q%f8NN&IbQ%h{t{T(7%2e-ZdBP&HX)8)KlSJJ9lP=AHJ##pyJrk59!z#u
zFXK((F6TOc+gi?aSV@cV2%yIUVWyPIjW#ySc|lWnwo9q`kVC~?*uhX_ZA=$Sb@y}5
zims$<Iq!ai<~n`_Rz(6FTuw$f;K@DK3<o2$PA{zrm7`#FOEmMFO`L66NX~6$A>!8~
z9Ik#`b7~5=AEg>0qIQU?KC0%u0^d4&>#M^Qh1my3DYKng<~n5w;esEvr|gLt&OWY1
z1k1ZT4!v!J56WG6j(`d+v{wLj@S0BKQk;^~dOO4aV(&epn(WrK(I8#A^o~^NN*6*A
zq=`sTsRAlBVCW?X5(McT1O%iB2-16vAiZ~_1OyU_R7nsaK)~;L*IsMA>)m^wZ|^hC
zch1;9&JP9ye&xxW&z$#t-B&>nqFhw3ZGTcpxwgAsGH<ngJUao916&U6%xyo{H9tx=
z_|_xT^ggnuw8ayo02Kn5EX9ubTWk)+n6>>Jz8DQmQBDL}b)P~SI8<LW8WRS#NS&6o
zQJyxK6P@E*$R3jftGv0$L6Ayz!-;m<nX@`)FS$g~9kkZHoVAPPrY3W2sXfQjd9ULc
z76-3B>uNm>xEEZONb}&|Zf8PyE3AA3SR8VZk9MPlv}#tVc67AGFRLix$JFwud2Nt3
z#~vZ3A#fxi3gLMdEu@XL3byxpFHB-hGqe=IeGjw;w7mwTuy*<Mt{}0=hQfq{#%ws_
zfVIb9T>R}ks!Y&oAU8%Hl^$9tt9);|OHp&PqTJef&NQ=PHrsWsPP@c<)DO^V&`PVb
z`KrB1s(HkbluY2N8nQylJHd;2Z$pk?$>e9YfyU@tk<3^W^~s$MGmVDa_h_bEi=7}c
zSY>ykG8+fJo8O@LU)-cyav_$lpM6|_$Q{c$>n58R9>+dnlH_Bu9lizl3#>%Us(`Rn
z(Fb@BR8=UF4KjBt-G=qsHemMRk}g20FDASmCD7!Q^O#v;fS>BTD4F>hEp?F!C7wH>
z`x;D8HH?eehI-grvT%wd%vmgF-Ikt3&fnny>1ZqlcvKpkX%6Tdno|IL8u^IJx#Gpe
z1*E}625E*H(KY{SO?K!Izb9y`fWR`5U^AEpfrGA|e3i9faBAhs%7>Mi)(7Y!^ok*A
zp^qMmfZP;ya{aAJ)e;r)WvM*RgN2;{4kQnzDXd<S1Si^ib`arRaivd*?0TKv?fa#{
z1pE~qZlW>~$s=Tg{5kp{$RduWd(>XMBT}p)P{YGV95LsYnH^T9?<at0x3AON=!xuO
zx@xQBS#*cvry2{_bsQsR#R4-Ii4X-QiNoDYIX9I8wFO^4bAiZJQMg{~_7HljR~~)H
zceCeRQe$gMCg@=8KOh;T;vTCus_5*9p7DMCj^~(*<*;K(J|+BlmOo-e+K)YGyvcPs
zdtsoDjMVgR?bln-;HI7ve{*`!Kw{eq_5ENe_fm49dCE*sbiYx<jLhOIi<ME!fOpqW
z;4N#`D^lU?1@4^GG$LPaf@x_O2>L&U7UIr(gGg|LdAR7?N5fQX=X-h_#A#<#nozs=
zryH-;m_TYsuT41hZO{*80B0f2qwJuArQgNm<T8D#TE0k|4cHZzx(#j$T>7@u>*D%O
z&0t(+Qqbddo0xit8c7jQmJJ08VI=V)Ku4WJg>$_4bWsc}Z+gVhKE-~!cFJ*8?V>hK
z*2WKL7UJ`wpPY2;dxv1f*8hyd4jwysI8$&@B=d?%S$)I%6i@T%+ptq@b-3=-W$!hU
z`}-25Kk_37D8B#%s+acvtl$VXg9K-O@n3uhB+V1d_iVK~3B^D3@Uatk<_4~@+KORF
z;PS2G9ldFMM?}E=R`dElEAqb==6@8o27P}}!?=lbAw`33{^hucN2XB8?la?l!Ga)q
z_653cbbQ7`Y!GV&!&XwCr54a8cc%?g5KpdZf4gE<7u%!P_qMpMy%iWVzO9$7KQ}6L
z`PpRY6ZbBMAxTaQhIF+()K9P&f|*uto+<L+Z%r$3mOLnY_MWMwc}3dR%T~f8CH`Zu
z(wph}qu@n>xYn+heY}Rnn7$i?@mR?(<Dof{iA%5uR6=-VWm6Or1~RGb#~!TaoefH5
zr|kBu2Iu(aQNnR1a9S|4>Y@r0Ua!5Sj-~~ngx<C>t`p8Nq3FKMa9s{tZw3fKcNHf{
zRzibr%;RDnyOF_Cv|2I6F{sy-{1d-eZ5?wMuUnv}%;x)jKmwjyeuB83PxRIIK!8*M
zs6-q4LxV^!Cpu^@Nq3U86|e$D8^;Zb{K=zs?GIzfp5H}nG&dVaLeBH@6=<44FJ+5g
z2kK(wb~pppI6qiGZVuFKFH?lC>qFUvhx9%v2BxRPlF-J@PO9>a!`9w|UjDTvC;qqf
z<)&H=8qB%bh=XGeG~5VXq(|*B$Njpkb(6AGOsw8j^!`Q_qxd=Inh~Q#y5dE#lW~?t
z0!DybN*WcY%6ZTqV?(N)cc&8fLz3f(jV@ZKy-~hj^Rn~3CX_#*cStM#xlN`(y~N{L
z4Y4dI!jG8rFK})%+<CXWMO9ac>oa{(z3GO43+v6UAG4y5CZ@(VS@`2M+uoeMPO6~v
zV@h5hZn0K3B+SIj?R8*D$PmON6|3-Tke}NsoS3l;M~RdYCt7V(TbYn5@*1mMyg&Nq
z6V~npCYJ>1;dk1x!8Ad*JI_{ELR9F|4X~rYYz85TrgAa;+8|o@s$@~y!=EEFuKUaW
z^}vA-tbA9cd?lDEVnNj0Xyz`8gJ?c<L@a_Ot@TX~pCYBA+^6Clrex*KTo*C%PYa7f
zmv%<1Q>@~PBS!4mA^HOdkOy1w-uE?g1S<p;Ao=Djbu%>JlM8dr_RE=8;?ce+v9#Gl
zi+2^ghxNlc<^`>(vBEz5_d5&Ni{IWL^gej4%IKEW-4t{acgLp`Rsq&qwR#q4<Wpt_
zZdJ)DrV_K6Z}Z<Y;kDFTKs1N;UVpFKJbXAoiu`jZ@K2cH@5}mMzy-yZ4+2pA7g5##
z+A=jt@)xA#Z*T2w8ZO-O_wM9B>YHzGEOMjq>h@M5UD~2-{Y>L3KYTfg>Q(Fl<~=QR
z3T$#75nXX3gk2r(ocy-3WYu1Q=Cn$-vbAVd6Z)Lw)u1+bn6E#=7xrL=XiaQvgkT0h
zGye7|NoZp6jQOx#T`Nh;=tlwmX*+$#3;41!iXtL`UPQsW^(RS5ohJ5Aheiqs*Xhs6
z@Wi+*0QW>T?O%sh;mZ2YKExRVBO8;3>0f_{#wcV9eY@miHO}7^y&2f22Wxxi+B$&F
zDLR9wFe}|FS0O=UnDF;6WUQDLpkmO#ZNbB5Hm$GM9Xv_zB*XHkO8+=9sUHHyj#fe_
zgHYE%XaywmV*%97&(==dd%)N-<6~P}_$=dHUqiURqT?oqBdY=tVem|cb1vETjWo81
zkU(?N$c~1Ola83Z51o=vTL4zWha%*b<vojKn4M-cgiCFmw@$P)80wr`PZREK6Pc;n
zJ!;x*&0Cl9q&1{#+_)tgN#WR<wzR~r$B-hvh%a!_NtC&Fs^vb^sis831zXg`1)wtU
zM&+G;9t>WK7I&ad(I?ENrqcaxZf>;CORaT_;$@eH@|wklq|`{0cHxaS-3e4Z$II7&
zYqh?@LD}R)_Z7Qg*8Tcsb8+!~$CgArS@fb5@A6{F;w?wX^9GNfhNPyLfHiM!7M~6}
z07rE4BS#IhzY;vr`npg+Ub1MtpzT>vtz)MVMM@n57+bD`$lImx{+N|c3bS9T47dQR
z)@hSj%f-d>Th3|6hFWS4zAZVDvZwqSptR=<Xz4yR>6PPDj89XPo41u|caXqz{V<jF
zZ_u5r9%hr{wFl=u+3%ZD?#hig^6g>np$&wF1$<p;4krjzIPl&xLA-c9x2rUSyIfq;
z>|KqQe2te2O;Hk+#sT5+!jHPaB{j9e7mHyTI;USf2|!I)?zQ`HDzF!{(1l5GO(#n&
z`IN6dc<_~1iAsUJJp@W^Wtd@yctlVwFO|HLH$iNGgNR>Mmx+;#Se8Oy?fgz&zM2c;
z2_M)osc>;4?it&2)vSrt@OMHb`+hrq7ZU#b5y%whbFKwZk;7$G;U&)*rgn}^(Ut)^
z(EIfB5K{e`7R&5Ag6@;j2C#|Juw@;>;U3Rs&^O!$HdG%cT;Rkdf+Z>XxQ%2SYvGKq
z3J7F}e$H=fPR*7}3>=-vGYTKuBj%3=t>bOZZ39IyRF_#FVSVE!QxdNA!}`xJ*;~qa
z({<}xlBSq*<XUJ%xy9%EU(~gVY<%^UB3Q&pugQml{mRX@6eV&?D>g>c^8I}{uv#4p
zAIDDij5WL(#uhAmvJE9xgGO%+Amu^a43|<)+*kQ0#bx!`O}@Gz?#N8cn{W3m*uCw^
zS|_M<2$zEvi?Y=uozBOF22-m`A{F)ASOAsZH5i{I@EpavQg;d=FFAo9q@AK%Qh=A2
zyF_smK|J)aEt2Kd%C%By5`Mw}6mwt6rG(2ee}eWzu>tiq1|r|8QaQ>ss)alrQhMti
zqQRS8OBk-X8v8R5#EunO3(CcG_sGj-wr78GHksHyds4FiNh24SnUhDBzYM$@|FiV{
zu#CTYD4{swVhFU;&W$@BMw6ua!%1RFolYzq^5xP?Ajr%v32}+%op!dA$#=h$@sa4V
z>O31a1Supi1x;B<hJkJ2t0>I(J|rU3x6D3Y?^Us-c|(~qbK0PC{Z+dbZGoQXtRW&T
zo`Hck0KEvIeeQ;5!@Oro#)XJm^qJH*w|^C{w5th!#l<2iA+{;4Eija^;41bb#l9HH
zaVn;s_^6s><6vK@Py?NgsZ7Vz^=I~smw&^(?AsYy{$gpfBR7#1^)zauP5sstU7lpM
zB-+@v6BHR?!9^*U(9flKm(3v*?Xpk3W-$3nT-!8yma%d2!_2@rPn&6m{gU4mG|R@}
zO!%u(FE!?)T%=MbGQ`4WhmEP@!xl0;zjQmTwXcW~;afXiEYQ7_kmitN3eBE0u_JgR
zrp>}nh`@9JUX;QB0*!{ra2ofCTlY~MHGDQJXnt)U_e5JH;<}Z_vta%!G(r_1=$}*6
z|Kf%zyL{k>>bQu?kpOO(&sYEb4RaNlR$yDOJ!jGQ$&axj^{u3b7r3H<H;SRIjeY_|
zE`$sQpRdkl`Bz#l<885=<rBMHa%QgL;+4-ABvK1X0g!tEx>HO!Jw&7Os;A&bsYvk4
z$Nwx?0b4*utZ8R!LbNxFtR$r#XHzu(wr6JJYtL2N{aY8ieyTtF(9!~k&t3ONn(a+M
zY?nmX_zWy*CsI332DTYJXWF3mnsT?%#SaXYs=^GihihBsr$#t~mjBkWuBzO|E6=nG
z2P(UfKrCL@q`h)e|D3!bcuSXoDYKzyW}iLm#Xa5-{S20sCIwa=!gpWc4m32oiVyOO
zcU0-X_R7mGuauA5;L_WNjn#Hd;VZ)}P05oLa{O`=g+WiqCieu)m=l|c%~kCU$RRI#
zg7`5Vk$7#W$Fo<(yG*SCR>)I&!1Y2C3d-EnGk49D3nz~Inmt46ch_958aQ2IPzh1F
zba>7Hl*<Yg&h|l4QGI)DTWC+Zq`>EmiV@SBI&bEKV{6sRD>X{1jVFg%v_KnRx^o#9
z6BGHDCs9FsE@uXDRlnl&jML304xrz&c|J!^30Gw5?#;3?_J)<esi?Q)WYD6$F+lpv
z9`$gQhGm)iinAQDvaD+RxWcE<rJeWiy@oxTWyO-6rM`zKqf@fBpJ?;-^D$jeA1?G9
zJRj&1FlvD2+&GD-@}Xi{>y}T1!Hq(8l;Y&9decW+Yp<!V51iiI6T1@O2oec))y0r@
zHf08~xi*wIpOp(&E#sos_Knq5=Dd7tJ?s_l@kME;O<LXa%`;}_ScUSiUb5gMOYkzY
zwpi0Jyar%|`dFWrhFUA<#_aRP=sEqcktBWx<UqR5bFCBNdHJ!u$L<7<JsqS4xME-A
zT#u5&<S+IBf$ADXu4-2zVo7M#vsRO|S*f~SFGs?U8bU*UqJ+^Ppar8`%)k2^v?!-a
zi?Fvx4@y=^{y;n?n$<9Fbtw_w-;DcO5mz1C>*(;>n0WEnX(;unS+JhtxiZeS3mK~-
zhIw;Vn8RB=1I)Ie-w`vIIo4@t{i(Qw1RJYefIn|tlixDuNKIKdu_=hzXP?@Q%O!_%
zLPcmhh^?B5xuSBr(f8$PTjrSyY~+50oAUc0JCUZ_p2Z@4surNpDY(NZVRyelLU#u(
z!lP)>9BBzjmpg8Kb5-)_+%n3czCKffAk~;L17#YvminP<kpCS?Ff$6!#R5$lUUe1^
zU)xotSIh0OR+=;3-wUsDPfJUq?XA5rYwJ2<RVdFa@j<{yU_FmMZj8XMZ-wGlN36y3
zZENNBtZq4sSQ3j2m9e-Ml{$I)wSF(+Ur}$?oZot|Ch0;eGoW8sV*sly4TJVqwp~HD
zuzumcOdRgcc%QfVOYk+kQhHFGJi{I-K*io)xS(SmdQU)onD;w~(5Bnws&<#T0Q}9F
z_rryyc?i-LqL@|+tq^}!)5wGYKS-;)KlWT_GPHdqk(NMAhoBTMU=Ybxi_7g#<P<dy
z*XP$HNh-Z4CDB)U7-9T6qo^_NH3UVrdWF)z(?sd*6*!IAj^e!)SPaUlJrr%l+-J(y
zlZ#}w=5<<2{T?m*(DiA3Di<MxhhqEB?C*`_AhS!_?Uxn%<B<*DTkF5ds?u&R-)L*9
z|7^a$hNx?bCM$?TGB`vQl9@45nl+NKFc2hm)WIXfsvO$^{Xl%6eZFqVFwDpH<8mjx
zv-=ZgKZ}Hg4KH%o)a|MtJ#K`WB8BCYZ+@zA66bcVP|okBDdJ6$`OVXKJvh1~wJ70P
zTU&i5^6s-b6+_*n5~7<=3u{=32$Smpc$ebYvtp+-YeDRNHre*vLP%@QyC%71ttPI_
zI}P%7otq>q1o((II(eeufT^%NT5=C-kM0ORQ|+Qs(3FoDk0Pll{kFp#+hnvT`}5mU
z_tjonb1+tHwosbK%+d4y8|YIS$o3Zi!}upp@4uS1n&RJo?}ne#2U`6G6}{yA_X9&N
z%X78jW1ulRq6xdapWKfnwP~C<Fru-NHP&m}2%^5GXK9|#k3C<NPWwZ2NPw+M2ol5F
zyD{S}Ycb66mjYI}+^$RhnEROAu%ixwUO4K!NYOgiJ#l%5d*S=wifqrat@06+jqxdH
zv6;|I8<&DMpbgZ=Hl|kL?Qz3}fI%y+OP{y<KBl94;Fq|d(&O-Nsr;YW1jfiA-2MT<
zk9CBecII96%dJ=K<)*a6yVPMHG?0a<qD0&xGHVyQI_wZr`*yz5g;s6+K6fqO#e_?V
zEQJq5+7VVvuH%NWlKs}IjT0)jU98zvSVOg}gbZSIri!NvGuQ4%qmb)*PID3!qVFTW
z$A&2w-ynQF+u^hlb18>WDML$M!G$k&o1XOtU$X96sO#EN&9J%VSGvgi&c*uWLkeyc
z>W1?}^#>c?)qs|<2K(mdVS<m&XRqEcy$mZ34ZPQS5dI_N-5y>a@@dQ0NUS#OC-~i>
zVQROq5kEcuyA3kXUj1(n9j+hM-`hb6lkZbymp!0|cj=5fdI3%mY<ez)p0kIeEI_n^
zl5CUq2-Q0Yp;W}@{-6!^VC5gd;5L*ept;8Kq2;^ZhU@Hw?RUf+P4utRIp;uH9<9QM
z_Z!yBZ}Ti&3Bu&j82!0j{uqe<k6;1V;NP!wyPebH0fI}Bg}{H<msV>mnSkeUIL`4o
zMh9!|WGy($*uSJ(0F_(NUHhcBptcTYwgCNN18w33R+afWGmB$nUrB5pnj>rhZiAbR
zcz2nYAGd8|{UXy>BB69gx^5<=j4^jL5XU1M0v~<AkB(;!%!ge;(}b^L1uFy_{6Cs4
zZh2W!r0Yx$u~*1JLQ<m?q&U1{4GGrV7P3%t3771+CR9YEgly<XT!(4voKR~BTH!#<
zO~}1Z&-}_Wx%aPIEJa2tTFgQSY#v`^0p>#A0!*fYByhh$YIWGVOlioz^rGQnZQ?1*
zMe$m+V_iUr-rZoPXz$yDRv&{UomJ~1y4w~i;|iQD?90y_!;T`$%ZuW88X6|tHa^$r
zglhHJZ`uW>ynRej9nwPp);O2Ji(yTBKD(iP+dh7KvJ6Y<YEq${m07#V#5|jVpyD5A
zvFcibmeWN&?p$EILVj0-fGO)-Y1_yphixuU4=dUqB%0ni*Wo(xY}SW`O;i{h#dDjs
zleJm!wpHM8s92~FwY=Oajd>o8L`PJ42W0=MQ(lT|-Kw&=L*lEh7Y!7IY&nVmg=0ut
zc@a<qvHb<`{I8CsD*Ssl;Icah;Q**yecI`-9FdEZj`dj;s^6dmRm{m{R^DH@0>Bpj
zr?C2e&u3wR502nv0j;7&Z^zlg5C5KN0tnCL4XW{QoK=O4F=OjASUWF*bi*`T?8g_d
zADfpSr_uyTM}O|=^$t4t-a|lAb`);`!YClfF$XB$0?a*wH|@-m;9FI&oY_roT5~7g
znuW@uLMoCSNO5a4ZJAKIZ<><5yBYZPoeLBZA@}i9oDo+NMzvE#7QRrtI`+m6=kKP7
zYtwE2DSH~*YRKi)f04?>|L*or_*54A%4SM4sot7X&?MlivQ!<qSN-HPm&*Imp`$|l
z6XYUQrTdET77WZ4Q3Uc;0bOL{>3E$p9TPh2Y=W0LrX_h}g!A|n-y!T?bvi~{iF{T6
z)Ga*xbKWP9h6O{~oe+^jcaeE{4HwguLx}kiQ@V4hjA`9rMh2x5H}s-EBHD<iwDJon
z7CjX9)!3MpIdJ9`L1QYSxZ$<3=4ZIF=RSTNSk`8~CzB1h;*4jtje)1tr=DWBG@OI^
zBl*}lbo@Z}+nN0_K^(A%HRitDYv4~s&Szh9BLe-Nv%ITcu<T~juynpvrD;~_DiHo$
zb>r<WpNE?oxAEn8$KjnIcKCdL0eqX`5kZD`E>gArGK07KI-muIe=!|8gp*xP%s_qP
zvki`I{r0E+5Pki*BS3jHA~UM%+eh5zLT62v@4e6dm4QV#gmC!{5@N@6Tz*lx@f$Qz
z{}+PRe^;mfpO7#A%4O;8IP~JCg6|n)9WUQ*{e=tk2lD10u}|eD5D_AF$%|an_wd5(
znlxd};^{KjkRa@e2#DN4PI~!<p;S-Uff`qohg%UW^j`Ap4!geI{h5jpPi@}vi6@=B
ztDi_kwuapA4Dg&8lFF~H0Hh&u6^@2!yfV%b#Z4)D6!ds<vR==HPZ92eFSP2OUpFLi
z1XPcXHVY?R7UhZuVL`-!%99PE_DR<f)A(EVZeZuF$!7CwJYS@wg*!LQLOW$Z-$ai+
zE^@qY9DJBmA;c?9Pd}`GrE&@ll(eO7ZSX9gxW{z8UCM}DYbd!Oo)`pyNv?Kuu7o3F
zk^S8rZ!W1Y4HqLMNS6v`^@f^E9X*m;bzRZDej?e0Ya%qxAY?-4GF{BQ+KK0w%J@u&
z3=hU{smb#_JdHWG!2=ud%56ro2HECn*IR(`6oX_CGhSvU(2_KvfhHn|wH2$}xWWg}
znVJG{jj>cs#Ngg9AWB&fWEkZ}sqa#5u8$g((1X)Sx7SdZ_dPUn2;;GJZ|>>o=J3cq
z9pbG5mf^|t(K!`w*W$gYa_C-pdA?qNiwi7GAwP;igqJs%@v$0+AQ*HdSj85210imq
zIV8Bba%a_Rf!e_E2M^TgRUaqu(j_ZYjo0S4;-QV;3*MiSf-`n;Stl>v$YHDqL9evP
z_;}XY{<QJ{&aM9u+jHg66HuS4?mhfte>%<lD_8B0{VAt2^~kA6)7$-VYWN+}65e2N
zHws+*g)O`POSWModNR+YgKVHTVNr(ha7K&5CwWYl>Dvr_<Y-|83AB`8N9JFsdw^SF
zF1<6x(hRSRv6@KeZI_UAv*#I9^of?D_@-MkafhR<PJs%XhD`>Kej(hfLY^NJs@6Zq
z$JBK#Ga_myz(T7uG&{$)ljf6dgfGZ!$yJR_rfW&v<k{2iCbgF#_yO>ri^K4&DDDso
zrleIqG?`2ZetrzFP*1j5+Bz|kPx2~0fVcAGus*-h!DHu%U<3U^{`3C$pR*h*z-m0k
z+FT|~{)H|1w<@1-;8J>LHt2e514bwW`f=ux4>F})3Nbbx-jH~Go$`}kfJehD8Rz}T
z=k|Wh8X|?B1lQH56FPJ0tWO?u5n$Klkn(XAD2V=t<VK)*51vaSj*{w5v)WGK7f7``
zA2<a0{bR)l25@U=xeOHfzBjw5<1FHFX@Oj79&&)Vcfy$P{yLVbmB~iR@03}jz^j%o
zn2Q*rIrdulBpQ(2YnS4xEY13g0wYas6eM^=Pc2a2_r<1rmg<U)0cK?>YMeeGf7kdG
z%<DkUuV6WAg(G;RFSH7ReS_rtT5;EXg@?!Xq*}JH^s}CZH-0_wud0v#0_pmHK)vK*
zE)JSoCTPa|gw>g0;IZD~Tu^`o`()bn7rWlm%<Ru8yi1XHO{oV4tPBp`+#60e9w=YE
zauTTu0b)J?i>#ZlgNHc(HR75?t3d@){YOn9-;8o>z2`!v9zWwfb)h^2XW5aJ+a}&1
zEuVL8Y^_XyRzhC?fL4ho|5$NCP8F2ce|hmVQTvI{cLsu0Mdp3zMG|IL9XsC3eZ|Fu
zydtBrD052mMuqpThVMidXVGWDP5nG3OSsg-xaE5!k9jx~!rCQwfMAL?w^hdI(WCF7
zy#_KLNAoiTrX{^gu0K}sDigL+e?Fp~Ch|t?DeV^;+#q&N4=0OGAYXumt+LrfKAYh)
zOQl%;wxTsV2yt;P`f8zT?b&7-|E5-?&X82N>T(uNe54xLWWo78Lb5W@ps27_GRy5E
zO8|wCLvPnNr|hdj#5VZ!J5@#;u6}$1O#B{Ww0jOH12sO+K=C)`n0;HJjk)e;!H>^n
zJ{~ST>Axno-#bgrll0o~%93VCPqiWC0VDp|H2BsU!D^cg87{X+zHv4!GraUnyzt@2
zREQTiu~TMeN-UmpHFx8+fO~ZtBOy_+d*;D@0%omyR?ZKZ9)Y-XWhcEgJ0~;!;dZ0e
zsrNP_W?{`Gt9g1j-Z(1U-k+i>EnZ5Eq#$VK67)*1s~U19(cxc&n^L}g1hqGwWw%Uk
zkJN>-X@j@Du0I_ppX{3K8;!6NIaj+4)LxfgrJRxCIW_29(jDKXv$T}Lar-=T%R2(!
zzHa>bwO{YiE02u5E59KB+(1mLbnKA!ULQdP{M;00JP9s?N3_eg&xpSOMy!?(8XM|<
z9!1s<7DWHtC;nj~XD_Wablv}c^p}2wAxUne8?=EN$%nEou)mSEyxV1cBa;~vH!!ue
zSDfQdWJp^1C-O@S5_+Hy@_*4Tjg{~HWTS`E3q;z4Yq0#lLpS<)a_h7U`+4lLKf4w_
zbS-9QT0Ni(_PwOW*hGLy3*zXz<w%xEQY(eh%yR-_+QR!zzh|mX>5D#fP1bTyU<Cv1
z4h=EPvA<ROSSZ?i+Q&7yqUV}6IPHX~uH?F7Q;wkd(^L()1zUTc!A{mZ>g)SK02Zqx
z<5z=A&(~rQ`24F2(z-`Ra#LvW*m4&9R7X5=y*}QFVEkMY#;*I558D@qJ|NYj--GXW
zP=Bjv-W_NQ<8OG@IcOfQFeW7hQr*`-m%Urd+O7h-A{f<Uz>#ykL6>pNy@(=wd}ztG
z<|vN{4kX2;u4FL3Nr()zaZlKYL@1%o7uOxWUs{&K9q)9W=4cwaOAic?zJm=PXJN}P
zxwCq2I!WQ!yWDB$z;jdm)SoH`T6ve)x7O;H8ygR@bWLt^SqAsBM%|%NV-KRj<*sr^
z&>0k)2TJ2Y0xipSnO@p2DVAAU?Y^w&IZkJmtJ8Ns(dT|UNVHRGe>Zpo+-%61$Fv8B
zCcHk$Y_Iz$SL8!!p;=k%$2phbqR_4nPV(dpAz$8LdDck&A!d~D)&YwQ!Am!!qrU#j
zmAhZT*U@g2R%Xs0$IWWLde2J;9>&L%0Es@Ii)Ny-({3-d`x^XcBzcYn+1mt7y(DR4
z?ml2#z~7v4nEItkFI&3vGU3>}tave-_YhUJUmU%uGycOi$!6G#xBq*=4d1)&!~o*8
z-++nfLFykD6`Jk(Nn2!J-`^9@?AzHn=Dc?)$`0W(lX#+ieu}1I7-bk>p=VKGAo!tQ
z#v;R4>CEOcnh`&}?}gN{h2(d+I?WeIF>{1A46VEOc&TyGR0J*Akl|&Ew-t+{WGVu5
zBOXukVC5FKWpILxlbd4K5isj5T^_iE@%1qK_hgISdWY+TpMXvZvI4@n^_ebT!#>EU
zaH?KF?#RcKE{j(;Hb?g@Ej<Cdm-p@QL~*8>zP5Gm;A=E>Ct9IumjTFvv?_wT*3<}$
zL=`GVU%uPIq=k}ghE8Cw!zE{*aFcu^VOaD<vqq!lQ`DDL5RDlCeEh%IiK@VHF6UzK
zr!Z-)X&|zMqStfh%p}I=quE7-QM7`$u0)}(gg|Z5Q(e}K0yV16w<13@4Pyt?1l;CV
zP$;dWKvOjAz}3=7{-j1Cn|)dQ$hYQ+WLjeg`}0A2(25JkHOBzAr9B<eye(gDIs{+A
z_A<kij5y8X>G}Y(7vcxMxao8mzl|92XeK+Mr|}JmVMK3EJs;e>K^Qs*w*?@*v*pZ8
zV_049%Rn1ULITx;<0*5QI;7b2NG`Z>Y*K2_>$)I4OCpi^-ROKL!jcBu9p+HH9&-Yi
zcY5b+557n?>5NQ9F1GG?EsT3^<Tv;(RTY1sB?ghE+&*;&9b5|(Zo)NqF#HBFA!Lg+
zIpcFnAZf>~LFFeN`cy|wDRmj*A7J0^>eeLHQrz0RK}fHK^UBAG_NO7`60jP5%xCLq
z4`FX%L1)JbFMKRZo<)!8?S9H{SY}<;$yhTzjE%LYWg?m&&IS4!3Lpqb167%UqM_Kb
z=9-aoXlb31byG5HZVYEFO7V7ATX9G&3}<Py>@&MgXW84&e}j1cA&PiBw&CZRzT1;o
zFkhLqB@h(#xhmWzEZ~*N&@4o-DH>ALV4mV)pzw_#YG`Q4DjWpTO9*CTgCI3KB7lsv
zD(W3YzMU2OuSW|NL38WQrmB#(CO1WL-dpu$blh#r?f30&@+1?amRt@8QGdqD<N1#-
zZ({A=j+Q{!3X`-wT;#KSJ{BQ-4|T!EhffrQU07hqhwM!La#3c3Y7{Q#;xLh+LFhi>
zA^L4gLwJ|C6wbg|XqqY&$bzZUIFE}psuGAjE#rZGF{RXF0!>VHII5CBlAI}#%N_m!
z<q(U$^iL~K#>sOqJ6_u2qr>}AhI;Rk40+3)^KRTH2)>#*mPHbWJx9qUIUmZ%snB9&
z%c0kaqYE<?Lv%ongzo`COD9n4|6M%t9M{%o&4v+-KKl)dZqTf)Gu3%Who~Kwey>e=
zvyV-8)9bL%s7$Gb;89962&Iam!>abF9(6>&^q2y(;TLhYq7khj@Bq^!vx0o?!}W{=
zcEtBwSUeAnarBM6sO#af@d`5{ys;uBt02In@$Wi2!lB<FrvzLo&apcO{AekV75$CR
zB=P5=#h~hZ<@#?>u*LF|4m>G<JHI7B16A2x*6PYNxeDkf*!Mp8g5rA>zGzNCr7YQo
zYDM&jEcta+ho9ydmHgg6t?#gN+#tJ0OFd_dQ$}S!>`%mNG`G*p8HHR98<{1W^^oXU
zS`IsP5>r5hU)_4vrj&Y9jp!z+Wa;IYg(c3h=aPLI$Oxhsl{B6DrN=4Xjf~r=Oet30
zW#z~Vk!gO)e;%%Dck>gkIG_^k!bt9Ys~rBcV=a!WSmQMLZqxR4+9(97YG#^x#py)x
zd0KPy)QqUV-*oHgP4&mgf=eSD%_NPv=VCZM{n3k)=s@jH&QxWKyYhY~6i<__W#rPC
z!i7JC%qm#%H?=j#Ytu!&Q&4eO*D@r=aCfPazzR@5B1*R5^mqt5fy&tk=Vpn)x5mxf
zYdi)dBF=K;9M6}f8%8|Hx$Ipc?u+VN4awvDx`x;KN_nP#5(bv%%JOSnb^)Y%x3izR
zrDog8Dd~mrhe^g_+kn70S;@WAyne0(uCO&Y^A?}}gc$f13~9ATr&958A?>E7`zDi}
zh<)x!+9oS$E)OM;m;8MBau81A!|D0+QO6u!TQ=^pplnB8@lL=k7injYCz=5q@#4Kb
zk-I*E@<XF6S8Hl{kZOt@5gjCZ2*N*10htZfav5Q{k7s1c#OW$!TlRB@>+1b;7&Jr3
z!Zn`gr9U;VrMRZ$L^x6MKciRcQ$6&AQ+Di`V@)sPrv3%BB#gl}^}GvID(OaXQ#l>N
z()*aJqxQWm{oknH&|_qlPoXuLotJ7lV3C&VH%o?)rm2bIv{4nkmGwDbTxeNUB*La<
zioC}`iIZ2J#Yv2Z|5PoW%RyY`Gv_hcS}Y;rPXzxK-X3Ko)Nf5Ui)XC5Yd`ICp}2M*
zac8Dm2Fkv+;sOBTm!!Dj$5?}ID`AAb;vm|JMK>Q80ZPDSn%9JE1cSr;VuvDd1xYN|
zSgsK)|65f_kg&!XwAhtHHwQNI=k0eZ*lv<PY`bariQ)d9E|?$;oC*4_as?Ljz02mx
zB?r#rP%i!zd)G^?ToL)luoq}`nu$+&)Ia_K#EEPpKW3C$HY_KVAXn5<MxCb?@7I19
zrL16>OfC%G=2evXWuo;Eh&`oNx}>wLc(^8*i<Rg$p8h^n4wf&$y|jyeKK-iV0Qx={
zBpP-u6TR@Xv-;K?i1XVY#})A_4a4fG7ZN^JCdbQTLu1U%EiKKdw$Us}dP;3IfM)`K
zvO9=>f@pG(W3s$Pu~mVxy!iU-tvf$%5X=A)O#lu~iNo3a20i6wfNxnq|8?;2-}hwp
zH^~QpM1#CP5bCcTM{C6s|7u{%1wnrndfW^E|Cj^wrfG?d={<xh+DxKyipl9|vbjw6
zHKo@L=J*ylK>fwe+L=eA_ixKfI3B2n26%tDmaQ1=?l$%~Y9;lWopzD0GT#p?nr^sB
z8iX5uIP@&Pb!)W#?grvmyNQRBG$fE1)d7M`o56x6@w*FgvjuRk>zO}|T0|Jey`%%D
z2GmP8;u#+ssedR9rjGu{68#M_r4j#1iWfPE20mxXz79eX%M{=uZf(41GHmlWetF1u
zuur1Etb%-Zv(qk`JT(&ZOXT066L8boCl%3}$;+z?#A$2&>DCX5xrYKPu8?TYZ1^Y}
ztvT)e42_b^=eL#lTOUuF6=*x_Gfw3Um}BVKx}inm*!8huRcNw$J@&F~i@~F8^&9wM
zm&g7Nu~xcHzHfk$#Q=dkh$iPKj&BVP81j1cy^I_0wWKoD!UUz3I9YftJJXWPELzT5
z+ogT8gpPbz5Hmu%uMIiXHs1oIbZe5-cq^-$J3nE$XsWdA64-eUdHFl>U!T=sG6R*8
zs&z~hRw`)r!Ulo22aPYPod|z~fz+r?`&;LF#VNXZ7yGPl;Zh|dU*K<{(l8f&nG*H;
zP0Va>CckAr5H&9h5k^Y#f~|BGkL45ZFFSzb1MkT9DXW@HyUs46eU7SKF8PwD^%@c$
zHid5(L>=h2Q8deU<!%K%nEyqlU#2$6lCAO_bo;YSmntJ(MOK+z<Ex4w4z8^q(C2p(
zKxZLr$DhDw^~gFsd){{vt0M*wegpQQgXebAr}HTuc{GJV)LUFKp?w{6vg4e)D!hp1
z1e2QSqfS4uiS2!78D-((wAnfTHzbI26LWc}hX~2}dGM`v`K?@rUkNNv^e{gSu|)Lq
zfvR(r^-lYhMWF^MJ=a&607a6?Z5Db#zQngr&1w@7Ab*lvnqG0$F26}CFLZlL-VR%3
z3RE~t8_SgLQ{39=FR--W5>sIf%kF*uAgzz(ZWyH}86FSv$`NS7^`i|!TN@+R+9YF{
z<sHAg97{zF$dqwD=5LuxJH8aNDYTC*Iqq0!x3mT)wr0eic$x*j8qL?{R}{=;C>hvx
zxmH`<X-sQJH$OqV1N#3!l}s3it6Edm{u0DmJ$p1z!JqscumYJ}KR2$?3^_Mxs7no>
zeWDPL8cKF&5xyRN2ZY^!xYpkr=he@a{w9z>C}cI}J}{hUhq(TtpvbCzs0|h7ixe}x
zg+CC?muhpQsL^@y$plnTayezgR9T;G+QY?;S$-{0x1+)_>0PGvx-i?d!9|oJR}RA8
z8X{=cKFuo@P#_IXtjb`TvIFS?HBxTu{)bU}m6X*L8kbgyI5gDHsAcB(n}v0E;W&}?
zBaej@9dSF`+dusbZUy&;B)bxU9Q)7J@rHWhmPQj|-VZ%IN_)LvQ@uW)8XBrGV{rj|
z8pRhif;Xe8Sgk6W$X;vT95_^}Cep=zU%QD7YAS|FyyENGM&~k^FK$t$UD5GASH)@V
z{UW8S=)K5m{t2FV95`V19Q{P@t`5Pr4Vj8~;C)=`8oQN}=@de~0Fu^DIT@%~((QJm
zBQv0EH`|!1@#N-%34euYbgG$u1hpxD_5i_Gygn8ld!)($qv>j=Rs<WMKbvfh9qt-8
zrmb3bQoTJ9C;-e(m)5&z?St8Wj@?uPD|K}=sP=K1c9Wx5=x`d{NWomR)fG<L?!zZ!
z>&deLF}r$}F4~O^?ai(2jxN1cUF`SohX~P~W+f8ZblKE1_jUl$u-2eAFg<N7?bn8L
z%g>e%r#3C+BJPI|8HkzpzZ_*ar1&);FIfZKd|ntAO|T7E+H*(B+Av;@b5n!$D{V#t
zN}Su-su3+MnH!Z{=KNvi?}nCI_%GJxDnKux|EQ%MaiQI3^3g|10LBiBc>tWQ_h<H(
zXMZ4#4u|PurQUlgC~NbT0Iso;T{+jk;u%XV1Lbj1C0XGa_yj6gh#$zsBg}zmn*PLx
zY?9pPyzay4q^D5$JmDlTKA@Cjf%WTPtTQ+-3+tAiSdECw?5j)?rN4}uG_h}LicR`F
zR8Yeoc2_%Tflu29)Qj_9y>K*WoeA_>%XpgAo5M3NVcV2A2rWWh7o<}87D=3}JTfi}
z8WkNBoO#G$1oA!lJ9tkJRf^;8wD{5V3=Q?_ViPPVhumeSQa><=cF9twUVWbWwjKt?
z7XpE&&<WDqWmvIQ%-WBX)slmn4@)>zqpt#uhbfz_(Z^#lDM9kF{8N;K^*;uQg4IY(
zt6-*Gmm=Y!a3E7sZ<hCUOi%i;$CB6!Epo%vV2>q3!Xrs4m{-?ql`SflX1i6hzLwRR
zokC}S@_jG`qZ)w%$gvWXNA-`J=>L?e{6C$`5Jq81`)NX!>61`cgI)j&+?vwzZFT12
zsc#bTUyVq#&Bw=qG>QTPag0?@8qy-L#a~{=b#=U*w1CBrIns;|J+>19b1BDx{EYrX
zF>)oRDc>naaLU!2n{Mk^u`=Uj&g0S4U#$j2+ZS_johBUKz})3R2595032>n($?$eI
zoH=S#k<(9mP9QpfokcutiY4=l!Ihq*)xz_<Wdg&XQ7(;VzQMlNV5DDaw@xm((mO3E
zwk--hdS5+9z7SmA=8NNvvrllHqu}t!qoihJ)V>M=lyC{E)GGAOFKxmv+2*(8#Xp%Z
zE=jybsZv2^+3!j*nr5d3_&=LQsoy&8+>m0niyKK6b0yd=Kyi1!a_c@;bc<<c#Hnoc
zK@SA$GP~Guyoh+D0#OYABuP^8je;n9JJVZzp;v)T<!6C21$e|!aOTK%4w%g&{YRD*
zzdldye`kg}5?P++Pn_nMIgqz0X>iyI28(}#De2SQ#_T3gEh{%PM0HG+@0-ADEi)+P
zPSb>Jgej-?)thZ@9j|!|5WO@Ay&Uvs%CE$QocE;5C2X4Mms*$|)Og0mPt-GE871N$
zM+t4L1wT*|?Z@PzUg%Zw+fW6H#Gt*}0BdMVf>O@jI<Lc^-=Ix?{ONj%8e{HiRcDJ#
zUH%{@y)*7(LyxJ$$d=qkLa<R}LHh9F@qx|^Z=)0gh>VbdU}ihhA?w5T@!5lf;zctv
zq*nFfqUGHhP0FWFMR<c52qp-kK@ER)*^aQ7?pE#?8Osi8T+01W!)dpa;hbfkp=Ki5
zR~jS)p_GhI$#{aD2!m}X@GhA9UED;tI$dl~H2cX*w;20Oid~=aZ&vph5{L5a2xQv^
z+~w~rWrElrT@=Z_WlCG70<;Mxu3VS9R*2cag0Ky!F>-E{b!8SU-E}m0mEiO0O8D$0
z`;0wSHBxr>H;4iEag&dzb*!+aOoJTSw~S;-wQY=0I5qN9>5)Q|=Wh|#{@HW@<>LPZ
zZ3rEB2iv{c^ky9v_z(;4RFp}|uFQ;x6c-=Lfn8r`*@E+_(Qeyts}Q@)iQDJnAsDU#
z_o@vUlN`RfjP9R@spjP4qzSfaoHL%<GA?2dD&q-7g$JI#qz#A$0V5;RIQaTn5c6-)
zJZUfY8B^B3bHmun{tXhW!MI%x0`E!3(Kq6Mt>*t_49T5gEpbt$3aQ{bo-%l?hgs{Y
zSi>3bcAYsi4l7LC=(ILBA*_ro-EMaLs1P4XCVm&}hmm7^O4Hom17``mM@7>qO2Igp
z5oE)*gU#?BJnefSzLsR)&N6r{E&AK*ha7c*ooe)#tlzs{p2_4g{`%~NmN~43@M5VZ
z6yfkx?=2=JeZ<;k)cat0X}V0%{t>_}6Y9dg3zS{mr_qhg?iKUKJ!SpXbz?JFXci%a
za=T{v8R!UQi<}d6Pu4!y#e2JzxZla6z6M{IMvca%SmRan4N#l;GC3ZtnAEv>J}Hjm
zaY%UGyJTIJ7u4kIu@i)FlrSKr@72bOSrV*q(_DvM@=m-6Y#V0zLZrMO>>wp+IE8e*
z-FdDkxM>JzZgP7%2yuRB)$ZS*7}Fr$+7`^mTp(|FSMrnjNE7X-Q_RP~c0qL${UH^r
z!XNwu?<Ytl&lQ5c=G?p}Z)bwEc65)DKA3D+SZ_|~v3RplRExndUn{5UXMc7ekwYA<
zR`B8;M}0h*8IW%QqzB?vCcwll-mSJ)%R7p1V^lts?MSm8{1X21CD~tx^$Uv6u%@qB
zXG-R3FyY6)Y{9>n9{z&_^v{3Nj8riP&E?k5CY?isz7zq@v?f@*un+2$w59!fNL8WL
z6U$|ZPvTAQY)(wlHg&Izs43ytuU3;T*`ifrRRl;PR#U^Gw?;Z7<9uKvt#<e|IVS8t
z?Fyw`l%A&RmrwEL?N9T_0oL(Pl=3S!gXpv67A%{;nM@Kae2Y`HW2n`eg7f3D$IrWC
zYU~-2qafci=GTGrDA<S!8^$-Hu<rpnO)>B$<r#{>OO1ZlnjX^>CB6*gqOnai=<uIo
zmlygK<!2OlCP>Lu_qH*ceY#aa+=9hGy`Bj`l(2iddvqDpx{meT<|DfNxpJgLhgwbq
z9hkRx1Kjh1OD6GPY(hk0Bfuzhl2ftTh<$p6>-dW_D{~11D$lWckxlP)gP6+8d=jsT
zT|seuMqQYUKb)4Op~9u1r;f*bGASb8Z5P?a-xaXZ;RzuJ#!c1#5Qzam;eR(qnRMJJ
zkQe85eiv_CbCKr*r?40=fSf(t%2b}NtHBB+rH}qByuatdc^<3wNxH0#e!bZor1A!^
zVq_uA`;*g3^Y%B$d3=Ge3r=6r(S#VM??-)^yN1i^&f&=BO*<C;7y|iGVN{UlzqtQA
zStsdE?lY0Q#V5g>274RloI%4j#2=^I1@N?(Nte%h`Zl$@1s1KX%xMolv{sX7P>5Fc
zQPSs-?W=L$`SSt)34{I}4gF7kaVu+LVo>Az^w@j-$H8Cm;w~z2#oGoSoK7B$_4lM{
z*~pJ2N!OJ7{kV0daIA8~AQ@!`I-><1?J0FgFw;M}Zm><CD&=*IP{Ll&ZJeau=hhg#
zc>JykXYHVQ@?MXtTg7$4OBJ|#JoW}x5IOf}RRrkQD7)DdLbG5V7kXy~`in~XVPo{+
z(2r#`?2|jZ5%G7Qb&HB#AzKZ(ab@El^{2n-fA3f%eHUnwX~6Dsrv2rdd?TLIlj$p1
zPe$Y2k&c~az;my|to~<iJI~IIj9Ce9kQQ|k$xZYF-np6#_pT{Ss+Zni0TFxw`R0-T
z>w5@p>go()4K!%O`J@@pz`j_yEOY7yYum!Ys4k+phJZ{!mpFsl$p_s0&Hz#5(H|!?
z$4m#k3VSEI7XwTZXu-1FQQ7#0NgI=3o4QjMiAh(R5usu4K<IfnjXD)bgSj^$EM*%x
zRz=g(adq$+YL0G~S+9JN#rwMufh&i~ye?1dZH@_&<=1F#8eE-r1K{k@Fsf=kRrTm|
z!*Q->I@8Y*{%gtCMY?%nLuUY}3~YtXLXC&Y?$VGu2MJAYVyW|AJ+tMCaSI@{sX~6&
zvCXJh=#C6k5W|5TK|o^0MQ*QZxMEmkL%=gEch`yBCHwQtk%?WVADJ#!?l6mS)4ngG
zR8a&h5&Gc?xum8xQ($l|U7)g9=4PCKmARGnr^SZyMw6+2j%0F;eLn99mH}Sjc)0Hj
zK{0dh%A21n3lKxR0p@LbYiixHxurzI3;UKPtHq)?`HcyGw=_ew`6Y}Kp=Wnb5Z6~%
z-ukIu`-+GD<sW8jqbUlLmZ#M3dX*UKMnzYfatn8M0zRt^RZ&3<n3brNZZ4h<{hPgo
zat-1a>owhujICpd&o+G7%@8rMu>s$sK>>I}oFh{W0KOSS=CJ6S>d<AY_cjE0csOuQ
z(vEUnO#XoI88uU;8{Xy(mKXa4l{9Q=udSY`aCMa#OhX>ua4-!p&y-2EO}#U8D_&<w
z^y$8jYb-ga>CfWlA1@UUUB>t^r4M<Tgi-18w~crb)?jdLly+138Y`Xk{CoUI?7ZdK
zyP%mz;c7z!+wOO$>TfMtswZh)dlN5XSQ<?N0=a`YORn7eR~C;rrrIXlhW^JTr+rHI
z@=a!olZb~;>E@TOYrvmJ)V8T2*B*}9we=6Ol?J~|{lER5q~Tc&a5{)PYrt%TnRbAG
z_Sb2>60_H|{*<+z&R5uZ_?FE`abnPfjsow0U?WOid{_<Oj?hLkX4g+UbJIw!VxiR$
z8Q?Z(7nT8}D`l?h&jcF0mUvr+U>iUzYyN>)@`O%=E(dc0UteIiKPDF~6niO*H)yJ#
zJQ7#xZq4mcrPwv7u$IB@T$lN*s@?n>bT?MrHk(Vwnoj6_h~Q70S1RB#OSAVK+oXY6
zKU2wlwfaqk;_l??^wGQzd1V3Jf|bmOc$GwXVe_;tPl5>dQ3ua@KX2~);FmO=S^9db
zxnYultZTagyJhEbUXNz;(>1HV{(2WH-(>tGEO~8jL8@$+S58-q(Pm?%M(wth->PFg
z-n{b3ctHXUyi2wm$U@NvB=yHRc_+TDUprE%5K@a24o#;|_{BGdri97vYTdf54ZaDM
zKIg}kX<+PH8T+D8mf0HG6Efp8+w%0VHk)@g+Ago$JnaSEQ3=<%(DzjHU*7MK`>tl|
zPJx`;o5Q;Fa4{=tRh8l_j@Jw^2hm5OlgiTx{LbmVrnF3HN_Wp~X=<hPM0@F*G7u3@
z{Xjk{!Z=m{=IKMOr_rERa9UtZpfG|>?HZ<;hktsCG&ZZ6&wKq$nBNobc!SzrJ;q02
z9&dLgcMp{(-*s?xr=1_GpB_2nd=|5<!V!$~Jv|UZ+<L}evu!echeKb?EN<hie{|es
zQuyN+B_MbYfC#-T?yF*l<TBtnKj{~*0Gb=_`9v4Frdc|@vR;3x5jdnNjqxWmgAOeP
zwPj62xNP#)27CH(*Zzcfz(U|$+mHa%mTAuk)@J+VY)h$gm0-DpST*DxF~a!6Hyz5P
zC<~K#d2)KsJg)I`FwCIWnh9rGG>RoFfQ|PM|2m*oEP3KAuN|1=uCsXc)Ll|&J<MO(
ziEs*-r2JDn0+jWC{Pq8bI{lwW&-y<f>g0Fv(bdQQQV_^Y*#DS-C4EvoV>@Sun8dT9
z!zX@JTHJt+c!Imm2F>}z`XO1k=7(w=LOpJDfcJ53Oc0gJOJ2M>CMV)UFPhU4Ks2%P
z(fnU4CA@#NPKy_({cvmiRz6I`obpYJa=dOBM8ppWor8q%I)J-0E@jOv^5}pCR^)yA
zXcVw&Z*@&C8+MrJhE~BHpA5bj7JDx2Dj0Hb(mCzz#yrB{5UlKln(MM*fyMML^E6@w
zQ?V{x+%y8ydvPB#ssisLn!nn8P1X$@M77n-6z8zRg}+(|wj%c!PHi1@NDMkxBDf^6
zG<yXoRdyKQ{Se2F<|-=Kw&sgIu)xNbl~~%?eEDclr_VXslT`G%?<D%Mrcs1xr&ECl
z!B%b^zydPDT67!XPSL`$%5vSk+YEp=#rj;>hiRE%&msO~8C$xRoQGnuYy8^l+PR7A
zgbQ2$`{)vYgO-bVxbhlK7(@l**2{G1V8LD5T-}!X=HyGwr>7SshW1QPf6>N!oByU}
zvZm@w*)b==tpw_zIqtfOxrq9<D*DTb6|xty8Re@fM)i%@v23v1i2y;G!n#z*PE|9>
zmjTeKBLhJJ01(;&{E^AwKoLOtH~io?Xl;g|Z7nxu83?Zqei6iH+3kmZC2G<#E$&@|
z`bjnIOjTmQz!XO)6T@DBz$Tt|?L!xOK^~?y4Su074#d50BN)*rw6H|g-j5@0!QuT`
zW2AW9Na3sE;byqR@$B9BuiumJzGcwr{6c#7H;5}xmb5p9`;Ffv*W8P$UzVTt>UYnR
zoYUq~x}8sq#XS6hI((itUS04enXY>Npa>bsci>oyvT*DAc6Hox25?6-f2IAXezJVe
z``w3ts2`O!!(pUZ{7!(KWSzoeKx}#qblXbuI2q$mL|t3w#Kl|Pf%%bAy3^X8?L)-v
zRHqp5Vcd05&<SZQ5I0d!|Dv2lg)EP(QWauDRayKA!sZtOw*2&D-q}}?UldCGA?D)V
zPS^6Ks2ODw8IWq9E4y&46~Zd7a4H|{mASHChso*&T$IXo*{nZ1D*trh^3C!+W@_>^
z+D@M`w*to~Pw^#zA22Cc=svk(A{`n`<K8&C=VL&liPmS@R4P+y6KJo0N7!igzskGL
zsHVDYduRrwNs-<=(ky|1KtQAkBB&oN2#C@`42ZNKB>|*_D#f5Ef&zjfA`n2SVkjyK
z(v<)qK?Fe{5ydDF-}%b@%JshS-o5wzcw^k38Rz8Woa}Y>-fOP8<}8AhMi|H^lB)rX
z*v0PvIyeQ)S-C+DWb=f{ivp6}P{lO|!q9ZjyywH(4X5tR)}~1H)Kiw{m!avBv!`<2
zIy<rrGtaC)V0z8+?FmHiN_IcX_0Z?R2&qe~+-@E5A5O4vKAsx|(;vpW>UUeL?JAOR
z#YNsYz^tX$Q?akHRKFNIdd0;K;wGgQ8?>Z9CKvc|{p$^v>q{NMSFSbAOO2aY0_QvE
zW2SYzThdKWYBsfqt1J^U$fjQQhgwjNP@7%_Qf9P4_&NI*m$4s040I=RW%bE@I#1cr
zL9ZL`V15SV{vTZqtf`_8vHB?j;d0uuv1bl8jQR4P?{V+mIC7D0sJ&mdXyF%YMgCwj
zx@rz}K$Kb0;|zmkN7LR^tF~pioDe|=2R%^BXHQ^r;#|=lIKr>ak;aJpFkgbHabc)@
zkTqfu5^rP1kqmfx*|dAFZ&lMJ!iRpJ_;>L)xNqSnrd{oJ^Il&w6Odz59**(7hiU2b
z5^F_K)jz*KTi!MVZHbk&Q`K)Abhi>)b{0N@>)ydGdT=tsk#l-GQz3drCXlvf2KLFs
z-#WQ;;YN#EifW2=G>6{j$??$Mcd<B+uW{jB8KuioxW|)b-M>fzvE|XGgam|`ClK_x
zkvN|N_lrY)6|qsinU}J=^Z-m`XZFOvdKflwnhPr&_X^7oUG{F(yDekhztP<&c#?c_
zi(sm+ajcv-S98VL8A#xkmsRJe15H<I!2=6(?Ypp4-wG^a5iq6R!}?}_GYn4hV!DBv
zmKSg!gIVs)8CI4%)rBRB0A-71f40f$U3Uc?u?S2jQ16NW0&KmNY?QjPePmW21yXWD
zEz5P2gZe2fT;XzZ5%BXi)l9bHAMEnyI_kc~7R*2rpeICf^b>FEfc7X~FMsf;7MF!!
zz~&FImOLASrDu1V3hP2Mt-JT4j!iFEVLxoNDRmu4&ItjoI{C_?^BG2(oF}V<4BnfG
z+ywQ>M$w9O9m5T=-U`E?O*DMQHV;)U=1G~Dnd?xIK@~Y~q}{vrxGqmbpeNq|Nv8fa
ziHv|omTY$Cj4J{J*?B`^+m{r3`e&C#8H6?1Ubps81(nIXwkyJBvgu~xtetd_OUy-$
z)$EKD9%hkB0~%}JxRRr4bn|xb?q1EgN(RDDJG23^JL%aetq^LpX(vkrJg*Gt_*Im^
zLiNqvKHT$O;>t${<vcSf5w@h+ml38sOt~&k)%?BoN{3t8Pqo>kiH2rl2{?H4sHry=
zhn0+jFoj8`!ZAG3k}R<MS<OD(bJ%ubvGFBWSxEdmSJ%ymOG3V363XgOwofT3(3Un~
z(u8L^w%TJ!OkdOy@v?F%NqE{O6-=p4@w7eFBAZF50Xu-f5&<}KmcH~8vvj6UmltHD
z6`rLt(=A33D;lkjO0ouyCCp8$s?WaU5mcA3B>*taR}iI|xMv_CQwNW|g@VHwMMJ1@
zu>!av0eR1dHJM8@IIV5$5a^8`(!`v}vI8|(peHqXujAanNDF)g#fn=pAf!0OanP!Q
zxD|mFc0<;CAbJD7thw8x)eA$BDt$eSleWc1PtWjev|VAxDT8<BkY>7zxXg2?jX2l}
z<G)6eF>*s&+cG%or%3Ba3tU(3>wCWO0B$3HmiJy+8c<pV-k``Rw51QqOqz|B+6p8)
z)sKHhxnEO=sy<Xnw3<_+1P=Cg?Y*nlY(98*+58qx8`C$VTvg%)BefmHv>r6YhkXZx
z$sV3wDlG^PcVy$Ypi}woNAS%Puh~@+!p~@xRPwd}`(wm5_Vkr9jgHigz!fnCRt!b`
zrmc!Q3u1#&1(yN~^T*fRjqAy|WaVo-A(DsoC|u=rfBp(m{!F*aFJf5iNt`t6rSfAn
zxbnmOU*#g>NInN+TbFgBW+N{ER4r3qFZKoJ<|CdW3|;&uo+6<E+k~E#C#Yk}k%-tb
zLWq}0E(Cwya|o&ZRx25nTB(t5ULtHwSF~o<%s7Y#A}$sZia|!N?FeD$JK#7{_Hg90
zw(aM9;{uJjd*%jt{TjqelC#{G?wvA#)c(rt`4bKf0$prtN0X>q)`+cCq8Hcui1S<Z
zhllSG<y0P>`WE{kqW=JYv0u;#TR+CVE6#u!4N9aCF<(pQ(-jOX=#Km@?OTjMpjO)S
zk#RnG2jbTys8PI|MVu?o96@D)g9k*9W#IbP?1NrmzES5#S#o4%v1JDX-H5NSYT7qV
z;ygdm9XPNK3QfhB7ra!$vqO|2oE#LaznAz@yV|Q5>vCq57h_v#H8a>FR{x_6_UQ0(
zgOt$N*jkw|{Q67exrlxlzl-u3igz5JcH;~v*<QkMHKt~dEOf+Jt)}k1CpQzRmOgCd
zt}Y!Ynb3zxt$V)UajMI<zw&u+pU3?~%sGCIxV<r_hw^@+Cs)%tM0nCc$3JTqo0i-G
z63kPcu(FQI)}Nl{vCBIny^nMjv3-T<Q6IF{SPj_ImuTbN#i<vP<H2@4&;Xc<w4Bd~
z8?Dj1ou^+K5q7Q5^;CV{+2GU4f>Te|t~mO*%Ot@g09oXWX(mPN6D3K~z96AN^IEhQ
zPmDnW<D?7WjAe@bh|c|>)y~|l2E$o`5!<?J?>7x00lhxBxh8O7`Ac@3VW6xyV?6Z(
zOI{^u6Rw{~l7y#Km6M73bIYCq%N5NT-P#*kdA)*HGt_qMAQ)A0ykg00+Bdf_IchKi
zC&$A*KxHSA#(m35yF19nbr*)6ukxD&%(BPwM8N1SNgIIz1&_tMQUSmR_;yU3!}b_)
zx<Ha&W@(-kz2|a8-QH&>_{stf&R`>la7MrTQU4k5`&<54PqiA@&fK7hk+ut#T8w-L
zsJcTWIf9+Zv7&i$uTw`F^MS-~E<tzx0=u%!6%%z{VxKg7JxLubFQ(~NZ;RIo49PU*
z3#qI>cdqzM0(BooR||C=G`9Kmn^BZyVcNh>roarWOHPt$OGls(V#%NR4mn(ZT>mvv
z&}={|>MVE69ytw&i8{yp6l%6O14=gW8zvPKcM)2sRVF7a@y7lUP_mNpxajym)NN~w
zw$#yN*NN$VOH?ZEJ7BYCKi*Rx5HUWn;fQJO@!}2~!wS|A2W1M9bsG3gU2BJ-BO~aQ
z8jHwrT^_A3!fe~-{Tp+|709i9in$^ji@F&sWd<yfCCqH<hV#{Kcs7+I#bC~RV~Z-b
z7H=xFmVYfHe`(a!ZVGt&3i6_T5A#~J`y`oJO6}-A#PIw=ijY++uo*S2D><j;v3ueW
z|AulF&#Lyb81pm|{Djb=Jz!U}8NrAv3a&&jQR@k{W38H~YUG21vql9&)v}D+wavNn
zN0T?e+)JyrZ&zvd0qA7CG5pjejS{ZJ*?}I=6?9r6nbh-5AJ4bdlti%~)MF+kt)_an
zW{I{v+~ACG*}s2V)bN(<vQpFD;Cv!>KM-BKd|0K+3ou4%mp^=1q_yi-YI~;={sd18
zB<Se2kZvGmi$=)?4aF3QgP%L_l41!BD7(zq7;E^=kYIn5?;UbmZS63+JkOzdZ6<dN
zOYFIq9(ukyAM+e)%l4kd%S>ThJI?GV+uY4C83{S5SJadluGwP8*H~(k+leM0%`C@z
zxNo@hhwD_qa%80-syKM^4<H5@iyTkmWZxfv7t_82sT7Fbmg@A!C-%o;yu8s-LVcX;
zh56Z953QsQ+nY;`dG}NHss3!GH3YfXs?M%X@6Y9QS-o4bA%fLjTA`eWd#a*WufoBy
z3`l)^Jj~+W6d&>?Q0$nNGgSs)m&Nwu6f<I`rxET}*r{5avl+fsR_gS;fe3)u)EWeR
zFUSE{zHo^+x%Z;v*T{B>p-+9$&Jl(>XL85P#6em~#+R1>YT<?;ap)~!<9J)%$x;85
z4|R)$N#(bu+8&(l3wp`9mqV!Dh)Z+y^_LRf7Hk6Onu0bqjGkHY0{d!H%tq$LT$+En
zu<P!d$rs#;hZVNhPVVG?$4OTQ9x?aQFRUF#v#(OE6a9xJmvtwe+wT}HfoVwg<cU8=
zuZcn}1TvBw*&egwv;yUJ#EAuxtR*W*!91P<0ye%w@WE2@v#slMO`=VcDbI{>hDW3`
zUU5x1JdT5meTsD;O$;PLHMcYoS0)#oVTiDO<mnf-dCG%zmvitIU#|#%%syx)8_Kvw
zYL~8KM&FEqfP1PBVJ&jfftQ#OCNTS^tchv9{qv7TY%;|Ht=DaWTuQj+EPu8pd%f@@
zGWFX8^YhsDw`(pGRwqqoGQ6H#IN9`#auH#(qE%vrY><(qmTrU-16x~fp3cJLL1G#Q
zdq3iN0Dg-3I20?qP>97Fn^tyKA}>_mb7^#mSdrCCRd!@N%{Wk{!6|phOzaOxjML8v
zEdBz|)E<DU2h5OcJY2VhIb|F;VL*(P>qHN%5_|VP3#kl!EOx@`hUYe3QM!%5sx9s}
zTl(h=uVko~Bop-$Jv((7F>g1ftz6fd<P-4X($jLcNDbacoFBQNY*l7_VM0nuLLBV;
z+aYwN95d;6SLquEhk|d8po2GUKRza34vMkAbF%B`-Zg8j4;h9F&jUEh!GM>5+8OI|
z6!0kKt4NmuRtBKO)(W>G&Tv`t@d44yO3OQL6lT`poBg9L44u+&!KX^^(vWYY5;twn
zowJsg1m3H2h#jFvrhwJ~C|RA_`hpEFPdiM_{oBn1zkm{61w3blv--$0CGOcBEoC{3
zN3Spas>%2RT)0GQ$KQSJu|V0isaD>Ht!7%5Wzn8<`dvFVxFTuV<Ze~f_gqwc9=|8D
z4=s&Vzw`hsd25GSGvN3NW*+HVhGcTV-HGmK-^d^;?O}qYfOIP9Zr!DWpTM>#-0vf9
z<?HB{3h?GegYEXKDdM1T%tlA%a8Gq<y7l0u=p<|7NT_syWQs9cI21WIbE-3#6UX{g
z`8!AT_v`%Kdd2Y~_+GeNVqp>`)!4LRIuO2NB*>?Alz7bmfyz{jk_u}g<me!5JkpI{
z$!k9<wCPkC#F=pXAK7Wm<$B6xFN_`dDYt?I13bL$yRd|kR{0(+t+N|MS&IS7=BHKO
z0-s%Hv&6^LbB^ugayo`92?HWTfW<$RJN|w=et1-lC*cFTJY)EnZQj&aF|+oORw)|T
z%)rpwD!Pt_P8hF`J0n9wP&*PnS}FzdXg!eEZh4Wbr`&7+AqHGn!P8=82SAeI=!XUm
zT}Qk>v8}GiFM*~i!4DSBp2r^S20VYAeAx}>6UMgd+`pYA?tMr(*QV1+gqNU92c+NO
z;7-hzjpLhpM&lGP98~KxJ)=GWAjan5BVwYPrBma0hPkoD$p>M><xxVq#v1OKT^c(f
zmmkCLWf@R2Pvdt90!~iiJ0NBdZ!`XXG|~TMqFAf`k2JnAf&cNY{9TOy<?s39n80pk
zcIN(B>=T)gPM%o!BkF@UER7F*3v#JL<d6TU{$X&>t%umtWZf)N;ZGDW9T09sMGK_J
zx6$Vl!(Q&U={iB~jIJybntY~}_Uv8Mm&5>WtI^|KvjM<{Cbj0`XDmBL%!(fIXjc1B
zcO=5(0g?53<e2l~qMovqpC;+4aA3jWTqNwp;S&DBe|EV3$JhK%!)#o$o~lvK^dj9b
z3_oowM_ZP1%1_MJnYN4f4^<5r)V@C-x+s#hzYzFr`};(~(PxTm%GFJ5PI__lSak!M
z|Lx9m*vKjb+>`;zq8#}Byg&WS4>QfbdW_=+Gi7E;E;WvgA%|;F(?HR*cdy!A?m3@s
zY%fbc$SK$&4+2>`50>y!5<T~~GUGvcup64A-mZG?RVpdY@fX||9rO6!n$mev-#IY(
zfQYc)vRt+~Eb)?EO-f<hMYq-|RQI&_gG{IMCuRHw->w)4D&LFEr(Xbdfc{Zt{MS7B
z-}@BR5g*ou>IB2d7)d2OXvOlQa;<4as!M%-2@~&vr@Y>*EL8Mo2I17Sf>nFB<JjK+
zQ66uH4>dT5Y`QQ*Z{5FqenLM{|0b<vV^xLKucMIofj}r{t$aa!_2(Ji;?2w2$M*gg
z8pZ#D!t$@2!Uk@oMcQFYacm<j1vhecY3im1wMHOtecQ6vzR5+gFYEoe-aT{Q0n3Z>
z9u=XDc0K@G*CG}aYuggA8jta)L}1L(T2q)chrxR^P>na$=ap}}d(?du7?-b`b9Z77
zUV<xLp#K%nOzG{&z5q*?I@Ad6Q1lF-cCn)KZejW$HCW~-byP7KRc)o8c$y2Z{Lz2I
z;^~Z*AvdrGt`s*UC#*ofQGd4-gD_D-47SFcg)*Jj$xgLse$CX8wh@=zcE&lHhIns`
z9jCKj7mocq&|RF36*+qruC_2XaXYc38+D6WXv#a)c}DL=?j&+OTLZJ|{V>4(N$MOW
zSnJ$j9#!k>JClJ)dT*~+CJfYlDWT6%E)r2S{0K~%?sm_qM3g^tT(R4qu%e`M%a=3P
z$NeBmNqie)zayk#697r>?FySR^z1HE85s#Z-Cf}F|GH_Yx;#zFbp?GZ-}0(*PEovH
zpAWxTC;1W1xVHx@1K;<)u)q2?)64vouJNjDMLaQp@U#!=gTzh<L>d;ZPiXAhMYXZW
z@x3Z=<*?u-{@^Z3gG+a;*pqW8%Ii3Z#AB~M&5yKNmiMxaz@F$CrK^{TIePNAt6V|Y
zK5s`)-ZEo+J$rg`M#=^3-ECLK<k74XR6P7GKoN!zhJ!Obd)@NE4eg@`z0cgy$fbE1
z^%WX=zP6SB=n_a2Xv+j*^?rnV|Gl^6Z?O-`#=>a9$;JG}$jUcMvU{0WYFos2z~MNd
z0CD3o*T~pnlp-w0P9Ba+18PHNf;p$&6dhRY{H8p1+wRQ~AtasXyULrq+<3XiZ~qY=
z(~rY1V&6=j2VOcnmgO94Xw&U#9!Ln2+VVOiKJ=NVNM9o8Y&47Je0&i5*rr54AA~LZ
zvD^zc6c_?sZ7>oj&F40HrsXgZ?daOcH3AE|wWxmu@wGtvZB$NI!TH1Dkmpl7_J#u#
zx_!lC5IPS;%%_D3a4|!S4~NUWHa=2t0J;-oiz)$RuPWVZYx2^DyO$Em^ApStn82vn
zBo8U~dWKF8{R>I|Kzp%IA^OHmbQ!rjG&mqtP<!^W<35W@_KTeA9KdPZo>t#r>S{`}
zO!eDhq19F%>XLZ%r#4gjVKj8E(HyWrSKo|2tn4q(Wpn14!H)C^oE#O)``!~q_xPNh
z-7bObt5|Z;4AIMKK%u}+5cMqiCPY$m*Mo8rn2C;NZa67EbAE9Q7qEzhu!K;Ku81X5
zo){%8e}T^gIwSIc3b6_m@Z6~+b>GgMT`IOZA_-RN>@Q4t<0Q$<oETpSiNf1U<Kz}|
zvR9o71}r{~Y)=TL!jBE`^x6XN|H!QVnbqu{S!Ss1sxkZM)*01uU5Izd+nUPU2DXat
zxt)A@<_<z<s9Uk6$)`v#mFtp$^W&$WuEAF%Etu@GUh=A4{^d+2j5hiWx!v%hwaVqP
zdd}|E%_dC7qpgvc)q%dxB?3b=@u13!vC>x3txbovVdYU{5A5k9h0|4$`ZuG5o*re+
d5U5ktw6nb3f))mHy6iZU!2foQ=lK5SzW`I|))@c*

diff --git a/docs/architecture/psa-thread-safety/key-slot-state-transitions.png b/docs/architecture/psa-thread-safety/key-slot-state-transitions.png
new file mode 100644
index 0000000000000000000000000000000000000000..34cc79b3596d12a8e4e98ffbbb5620d0c7c8221c
GIT binary patch
literal 70492
zcmeGF2|Uzm|38i+)u3!cWy@fUD9hL<*<~HFm6EK3QDe!LE$fI;Axlljo`{M_DLYw;
zLYt*Tqy=TmzWlCXrc<5n`<(m!oO8bSIsgB8^r)Hla=owjb-k|F>-l=Vp4S|Lp@G(B
zdQN&ODyq#o+8V}GR5S=GD(WK025{uS-jgsYsw4M3_a5|g_Hl5+*;5Hhsjqz!l$5}_
zdUy&-X$VS6+PJxiVVrCn-EEvb#9Zt>!69(o*%jmD;AD?kyGBw%Qc4slDT<UfMal?D
zsUoGpUs5PBc_|6=wd-vh?On(X>bv?m;czyBlA1DN5}>Ia2a!lYDK+qEzpa;xr`OtN
zw3CaM4>;x{FKZ<Wnj@We_a?P1DIq2y48CdE+Z}TStw>5BCBPpfIHc+1Ztvg<Zqr=7
zYVFbXo;Hqa-NZSlV)trD>6xMIJlxgXbljvJ%+{{)ws-e%a&;lUjieY-OrCT?YOkP#
zDrlGVM@pSM3gC+q`Mn(sMBOCx<Rr|z_1rb=ajs_Gk|t{ny4X0|ueD|fUR@M)?)%m#
zZ94mCx!bs5^<6RcIM6W0XYD2=QeI}QA&l?Z5m^bTwF8dsl&7yYDk(uaVB+LQejE~X
zmNY?*UQQT$4{~d3hdf<fah^_Y-ygJdb#bw`BTo&vMH_c_*Aw4g=HQAWzccw7H}G2D
zwN5%<VrPT<^-(h?j3;*OT6syiwZ4$9*0y(Y#8RG&ltrzbakimcOnws&tPRHX#M=F<
zhrXSawQ;13rn{>vXz!az`}Q>DB4;0UdmL%7DdR|f4zQa4{NAsl;r`XW|1Zs%BmK}0
z2Xu5#7@=HT)YJ|gbvvpjN}hOc8=Mz;a0Ml0ao|POFizg!qa*2~=6*Dqau~eHH)kkE
zzd3}p@vw5Yx4{6br<}EQr?f;l@?$F`tMc&lrA#mwLtsmwLux0mPM-EAZZ>wL-kkvE
z431$vopInBX<^%VxUCtOgOd-*VStrPYRb*#mmwpMB3Ol<_LLPsy6WFg<u4PeW$)^2
z@9FLfnkC;ZEl-|?ugi!0{lquMNIr!9#ttdB*^tfO@oUSZKK~vQ0oRZ%?BDmE<ZOR1
z#GlSSaE`0v_1*OUI2SG$RnnRTBW{PY@$hi6`+f@CUA<f|tIituF*RVR?!E`fv$Oi;
z(6?VSNJIGbIt|hQu72}z^89)e_)NNoa{QNDz=^MS{L6XvaP@LuH5PEiPv4nr@t!vB
zjv(NyhM}KcC%yIvd(3yf=--d~Pp#$~tC0DLRZxz(+v99JoxHzyaX&Ma-_wO(I%4SR
z1cKwgv|Slla+fGiS{py|UBAyR*B<t-A1Q|tLw)n#YV?zoATJ(isUJG9HZlK22c*<j
zm&e!j`tQeyeD&%o`K>E|=VAh*MH;Yg7L%8YyS<~6ho`;!s!Lou|E-?`#)Y=A1>yO7
zuZDASB;f@+uz>8{!8wxiasu&Bm3+e434<Z|N;P+T4<|nx+f~0wS}<;;*<N)oGHQY{
z8sNy<Grx6+KehI+p5R9}DJemY;^e1*_EsnC-;dcZ#_)AIzM7zfn52XpIUtjbK$JXm
zfASijJdN_Q6q|Q-aPXjj&);^#lz01oY;C_XHcD*$CKm72H#9v&IsOle!jx!Ao>W;0
zvLE@z-BK?39}mLhweXGK__d?>&w?;HoKiyQA>d0$Xvv-wLBB@eZ^P-=u)TT<DTb5o
z`TFITn@FerfFMj>@4p#@$@t`-7KF*BN;chJg}^@{27mv=Uq$`DZO~l{M&AWpHxC;t
z2OB4x)iHZtD?5;ic#^X3)zJLE8G0$}|DPOsNnQuc0eRh%4PTPHy#LN|nEXcHIB!iI
zG+M_%>(>_dKb_Q4VkLQMq$qj8-!7bz^R{m$gaUxR0Y?83qrvz8dz8lCclycH=D(kQ
z!@UL?t4nl^>H<jq8{7DaxoGS~?={ugXFxgi4};Q@KP>*gFP0`Vz~9Y2@X+6Ji~kjr
zroiW~u=uy3^y)1XDE;-z9}cC-G4wZ~G&xZH!=SXJ1fUb-r6uK%lG1Y0G8Cep9K~d$
zWyR!>GIEmgax#)K(o#R*jXxe|BPn5%+yQB6GVrEAoWCv5CbM?mtSl1F1{A85y|bIA
z?<&~#z=0CU|1Qv`IEQ~S&L-QPs3aK%QS9z-NpbxQ%Kh=)Tnto||8r_&?XFci<SV1{
z7n398;rR!8bO{NHN0*gE%C5N-ibq9~stFXAE+sEPUey#s|KokSG=*8D^Z<wiq<&al
ze_OYX{JCFuaB^|-!2WF*6pEwx^F6yL5Qs>l$TmlDw&arHpIp5lQz)|E*Uu;we2V@5
zEgk*OlC~cly`7i4_iB}S4N3oXHR<0^qObX>Z%b`tyt(F+))=s#R^NVaO`3e&Kg{Dx
z%aP}wyq;v`egMsXyib>r{o#?644ATv{%eO$sSX0ogpDuAJSh#5E3*I{|DMX}S}T;c
zoPEgU@UIFK)c1V893@2k-s<IVv@b(CPg;QF8IhwXzy7H9rN4J#|7HJIYxrve{d)%W
zFBAx9s7c!)owV%SaDMh)I!-1ss)jzIKl5_G(pvo>82Ft86(tw5alu&OT<wm1laBod
zE!g2)J?u%hQh2W4B*sY3b@Os}{O+#*oE`h$kwH-A=r2JMNGbX6*8!QM`D=g#x$Hz<
z;*#Vyr}(SCBaV<F$H#9-ieJ+a{}uiBEeN1|{)Nf=c_saq4DryPT1zK`-`^wv$zbFk
z1|B5k$cu(-$1)T>9mSCUc<_LvfCcg+ztZKDNB-B~;V+C(KgXezMC#wlfk{pu=)XPP
zT~}$p|68#5T_NT-1Je)50?EezH*|GhUDBT)P$a~p<z>GoOV;)VfXxkmiMCV}?9ccX
zHIf4iWmWtgBZ@Qy4}7~IelWH_JTv_**%e8~b&wKLz~`^w<zLpM{$*zR4+{p;D2Z?C
zJyP=IkVp2@QgX<jou%04A0H@Wq~*RTPRSy_M_j+ro&P$BP_o9qGy|2AA|u&9DntBn
zuqZO|KdOBSOrY4tf7k!NSq4g858vS9zmG!wt1JF1BB_MT559vua(_`E{h_+>KOQ-M
zN_J3+t^X!)+W%*%7^%8O3VUCr6kp@szp29gfwA&8S=`^7h>;VPe^~65`hhc)p?K^+
zFTP4qh+?u6|GF`c^2q->hW>?#*iTmvIhcOqs3{EJ|DxLBr>{V90Dr!_1~oY(>Idb|
zU+b@tU{m_Hna|&>DEHI(BZJj%Oz_X((tfY_;(Mq63$^wO3HJwyFMe++j+_|&!=1P+
zrSL=XsDFHtBt?<Pk)62gk8$H~>%=Kz_stUe6?OIlm+=3Dxcaxt|F3c1l${`C8~BTP
ztMBC;<j_H}_`f6grfhKi#`6BJ&im)+`!^l&Px1F}IQ@UgR{bUdCp+aekMVEx7UU`Z
zhdFQZ&g@@T?J1`G$2)Jy9}u`KMgL5B<lonMle4t%me8-N^}nJ|{)1}!2`9JJvboio
zY<lg^zenx-rxD|;)A{p52GIO}{Sl-8Cm{n#hKb~d{}V#SuT#!ng^a(v((x}N!9UG&
z|Dfmk3lwlttF;Mv8EHvrlr&0GO8$F`20ak_R)tOWhW}@`{+ARdBtaSIo6aLq-@luj
zgp`;Z*f>P_k9_tIsw_wWf%?CDI1&`0{=A3F{P}PGcdL2)n#lN7)c&8%!oJG$|B9IU
z|1Wy1d8c3h{gdBQGj#IuK|4rV$;&$$d7EqM*}1s5QPS4$FyoK5_1_gezG?yveOm$f
z7wi`$=~^YtC<1{$E$JeIpWjTn$Q0>6EObjzq}OC9C_@p4Q9|V(pL9w6P`mzBrRDFC
zbp3Sw{H~mf#G&C_Z7^1Dq#srVKd$EDxhi)CzkKHUT`u*zq-Cou*?KvFUoUm}KQu$y
z2>UO^*ME<s?x!<CUfjR>^~^uxXW?X|kw0bP{+gmYnLDB^+y8Oe@2B!jiiZ2U`132y
z;!oOP@Shv`e-;UUB6_35w_m~_NdZT4#9zbZSDhS*za+)ZuV;R_=?|(L{oe9FIo<fb
z$3gOjK%o1is7$~4u^vi{`1ZH&D98Sq1qJfTwfvnN8GrR#2!DKJ{PB^0oHCn|xBjvf
z>wn8ptR`ju;wP#pVuoLS4E)>OQmbbvKR>>9f_ww%huhb7t0|}F4O3CUsB|<`O?@m!
zF44`h+buMv8LJ(Nk`-kobckpqZ($eRaoC3;DDfIRGw!l!W?YAwF-FKd)-ukJwb|f2
zoTd5v<@@tN$}<ZF28}H!k4G0#?=E_LTDTi%_Rw|cQ03#6J+I$co?iUIixi0p=1+(0
zpjrLrV6X~{AYw~FD5ENiAuSvAUKQ{UEwvzG9!9=m2MslUp>vO{M_<UsB(LG;zNNd}
z2eqGE*~eSF@af*hPLCmdo)a&RJ3P%b%CW5QyC`?wfk7ADL2KY@vesTx5N+Vf(g~A-
zgGC95sEB%@v;bR1`97-03m>26*=-TCz&^Mjo>nsYI&h(tP26%%;V`RAc0F9U#V>@?
z&sYwcs>O-ZsHryf)+Cu@*%|jfSN4=oK2mU)df%R-d6qLrCm!K2H}N(H*LBljsO4gg
z`K_Zl_7BewO+DEs2Ng1qzELrqwAlRkk-}%3fx@V?l;?Xxr(@G2T@HQKArmWF+{f|4
zX4g|VlmhOQgft9ZyWJ}pwqdg*Z_r{9YA{y41spiK-S0i0$1ATFgafwYZ|+Y7xj1_)
z<y}cVs<b$!K3Tnv=}zd_;^gDxd!Oz;T$~+<8OqIymOOILTSn1;I>EoKyUlyF`&MiI
zjmo29clv0Gj}K^?+{EZeId@BYOtotz->95_kaBXm%UyBX_(G4%J$)I(MMZbN+ms>b
zJFCKP8;Y=<pZYLlwK9L9Z2n{Z=5EHw_4U~{b*CIgI*W$N-la;JS^8d{o2gn6O*$RF
zPpK=#{ekdMJ#?Qmm^hi8X4j?tM~Whxo)=t1O?TRzfFWXupjQ_?9xJ{$!>imoQv6tH
zs730rbacaD#Z0e<^TNvV=N0^jiZ+bPk_P#q<MQcPp(exATSU<}EGx2O98-NYwduQ)
zdn^2t4KD4z_~?=X!<^s8yerwGQjg@-Kh>3#VB7hh-1Ry(*}&zx1KGY+mttfPh7gT<
z+R+-h*8z6kue{8pPJFT`wyvR(vVXwFhmd>e7UuNwPEpxV(y^AMnb)q<uY-a(_>*FD
z^plg~4R-64FvKV?-&tHaE7yw+ob8X`iEO@fqE|TS;&w$p2vTKdh<rV!BU|UXb5^@G
zI$6$Dc5f7$jy8Im&_KgrT|knYYvt1RNQU}swQzd1J-sJqj!3!o?kRp@=}#!VVtYTz
z0laFC-<OXaT5lgDwt|7otA`gv81?L@tdKVZx}?*Ol~*hv>xQ^mwrcM|)|7{G&^j8H
zY+YKIxiAc4z#bT53Gpdx7a-zd51KHpEWgi+!ON%Tsq}<S-{(U}IkdPrbA_@f$llnG
z_mOy{wcS^vfwp~i;-UC$X#9<;W%CxjM&6+EJo8&uv1WnGbB<t=W+2Es)4VulXbA!`
z8II4J%&(NAEM^sLNV<-7o#m~giNZ(jmJk)j8prg|2MP|_JVL$WF2*#onq+FwJt=iQ
z>@nFYciNlUgDDVxSvQfDH=dDa_lOF*yTr*(?B0lEn2B%>wDAlLvPQZjaLMmQDVNOA
z1W6=yWi*dM6k?-E8+6|un;e5nN5L`^Xjf+5(h#$6lae4-Q(~?!TLIT8F|KaIc=Q3?
z2i2zz>}&pnjd~+>37n{3>hkJn^qvXrcIH_@L<!QSmi9PYkZqfzk*quBdBLGfVbyyf
z7dON=1yippRj7LN?s$Lr)(5xbi{D81q^qv;7{9;u^yde|H>$*jV7E(6o)Oy`9n(%C
zmUrcw-H^3^kiask1-!$3vkk@?cosNA8f%HnY?HNv`91Gz7G@<_BaW=2=&4smlsV)-
zMRiU>{nRGp?U(MSaqnN<^@0kSw;)752&DU>I~ol>o335C!;RL>=j8l{E3IH!M3RU|
zy9U~5i22reHz>D<vtGw}VJcm;<X*$iW|WrMLaLb!ZCSS^bjPkOUlk>O6&F_bOQw0o
z_vb$x@p`uZ&ENx{ED>FF=3V#QE~`$LEu@VFHq+Es6DAlXB%*fUkb9bi|L83vjtRyA
zQ(M+%`zNY9*L*hqEY-Q4gDM<ITaC^m>wA~k%`EuJjNKZ}Chb5Hx}!e$kcVAOD;Spt
zHx<~ZZ5lo`ceoU%QwFiQ{w}{B{$gkP61lO15mX%JbSwI%R~qiBHg1l5Das}WPeJKs
z*28u4FWZqV9>PN{Sr&I-xj%xJvEoLdLbc6_uABC8mt{r3bs{@250J;IiJm6g!?h!u
zfH6FK*HAsebW-k>rwJwpTqUV@c^#!SE^5}xMtf&Zi&sMK<rkFf^ENL*B+EKK&<#@c
z1eZeCZfz!yNx4e!(Hf!>Soi0*PTH`tv1X_48-9LG04XGhICl`ilT99AS?2Ud`e{lh
zvpL-=n-YXgT6$cooDus{xe3C;NJ72j2N-!!YBi~(3>KzGTQm2buKgsEKN>Xi>cpzk
z+o$-&^uU7tZ7D&-2mUKF!fS&)$WF7eJX6(r=lDQN=z4~Uqn79#;30;-ys(mE7cngi
zbkRi@Sn>0uf9=RNdAD@Z5-gi|u(P=R$bp5(xHJN5e1Q^Y_eHWdzXmbf8o}>#mP@YG
zE7B<@-}QARDT=*Ow!60jS#&boGl0CT52>aDn{lW+wK)gV9Czr0c=Dx}-aXDkt#YrW
z<!igebkR5~KAtr4v)@AkKq$#kk6;|CV^ZE!al^v1FksG|Pw)iruwr-j<?Rzh2-jTR
zN}l>b0h-C7R;iiSK~=tEH5(_7`>~3lF^nIkowo`iN^itQ?_2ZMFi%>|nC;H8E-$y`
zJsr&pp7?MjE$O`IVO=BTp1lOZ=+5i`a;S&!gpeQrc=*eykuIsJO853v56_4iWahIf
zJ<SU3G1G3mvIahwchfjt@;Z<DTt3-?Y~+UeS(UxF?kRP40FF-j@NJjYy)(jJfa4Xs
zGi6J*h5(IpmsfX(Di=OUd3}7^-1wn6C2Fg<ODV3)Hi~_x!x!#E;=zhNyXDE3<6wrB
z0lvqXMa`~T$liUZ!wVv?RIx*=B!Cb82J<sLd93kpZI+p(UjNS*_vatD$fPt|JyP<-
zz~O!r`_PrNz_>IpE6r7hK#ZA53tDzM`n*6``PQ))vJ%JH*PcP`&w_2w4EJ50d$*1!
z-FYG6D4OO-?}*HXxpYgKy(zP(emt}Vzz7>grCDn}PI;!$n-9f$2oO47;M3oYYOI&(
zTKHTg4nLI!>@f*={Ffz1pXmm6mpbnp%_SqS&X8&_N3JByq+WCnT|cxGMib7RIxbUm
z#MEvgjr~nV3d$n~M1TL5<%Q3#)2~jv9@XH7B)%ZU$V=}Ftg3noj@*0h`MLMi;;_|<
zB=9O1MjuD6O>aoKW-xR2^J|Bb_bJW6-}-9WuYh>UiwUwTFV$0p#-Dh7^2HersfLzI
z3MUkd<VOnY)U2e?%8V?#$Lpc3B-fL)jXV}1BLZU}&J#Tzp|q}ko=@B{!h46Wz@n^!
z`S{fRtyV;Vm^~c<;H?9%5Q~TD<A`I-Ao4to4V~>ic0=Y$io5QkEqxgg+vAE<(A!SW
zXAR<nOYFcX?=YkV#^!)9NZDb8YKH4BG%n6fwl)i;?W&CCu5E4)&99vuA7}+{?VK7o
z@6`OtHkpkZ$wy!egpuGEb|>y!<97d+mQ=-_zGBvJe!bGZoPkxW3p1e|6XHhN;(e#P
z9HFx8_m}KGSIlgAeesodkNyOaxnvx8k!Blt_RU5)+pf3=)i6Ul`@0;|oJrx&%RyO0
z#WG<0zC*(qjyGYMaoa+y0_X0Z;gWl_i9-@TY^XTVB=AP!MWIby!hAzxq)7|Fen}lC
zFIv1TI3!h9e80I_-<@EGnC$Rp4}meOoUT5BsR><wy>+keN?%W8Dg60|#B~xf9%HB?
zBl=LH=ckv4WSO^@?|>MoTsY!=QNB5IuhF<>ALyZsezI($b}mkj<o`ZDF;Eb_eBBw2
zD62;bj)A2Eqoqytc|+&1FnU{$*1lZh<O*#4$!Ayh-*yZTygC)iASMAom<L3A!xM}p
z6l##oCh7;EKKhEmrBKyfr?0hKlxhShyKc|SOOHx}w|j!kj(8=?KiTfn7m{%%;lkEi
zLX72AE6ev#pY9BhaI(lyQRT^nBmhM3uj0wO!`I`R5YK}z1Q#XlI@EzqmTl!eIn|zO
zr`{R~<s4tZ^1HqCdw1ys9Fshq<~zjU6x5ckn&}nHHfE&CCF|4yf9&l`SHuUr#3Og6
zKt=6aN1th2CJ1nK)22evPW1~Ox^Mg%)LoLqs}?)BJ=;_#R^$`gg{~Ssh%~tcwGc78
zzN>2BwdK){gSMe(XCCal!FE{O=3Qs7@V!U#Av=w1fN2!qQw8FM_Q{ga{yVL3h{SEL
z$Y(@}6Z~yaY{LBJWyh|UHONJ0>@n@m<&U+aO%0gP$rEYu@7Gou<-K4PST-U6d2LfE
zBdgcT3YCrd@Z<_tO3=Z`TzW43#%Lb>&%G7)#U4=ElhV70TXMt3URVW%%N~hr27%sQ
zpwYXl@}xf>r0Jn})vn~}H}_AkpGkJPt0QYJ>u<oL!LRt`sfij}1#K-g-JS6UE_<ab
zseV^moCcfDo#HpeRuIK|-^Q}tltw%uj;Y<8%eo%!CSl2)y7GBtdEc_W>6XcAx`G4O
z%+;h*bhA1Wnr-ST2Gebz5%9he?tEkjGgwy7r-onb(>4MAE*y4;ppJ&=Z9U?7E;okG
zNT>$7RP?B2^9aNWZ>n<l<BJ=v(YrtHKsG<kH+y``Sv#?3w|xB|$Qa_sE2cX1+=B)h
z&e~sxZ$O{2!!jkx7C;8KQA-Pg%rN4joNMYC`0Ht=N-l1CR9}&}_lFL_#z>)0O5y~%
zX=#HloWvYI-k;?`z=z8hT+)p9@Tu-S(JXj@Xq2THF6$gg$EA3Mf%Xi_nb`<GJqR+o
z3;Nrg>4e-%M6j$d$?~Z|XB|vxD0kubZkrx?9LtHA=Tz6u#Lui>c;8uMclj}fO9b-<
zIL6m5`;Odpx%9H`w0REt;;2qy+jbQ^%(#W{v~}G^#)M4E!89AC1V+a**1URXZTro>
z7I!`K@{F=h)jZ_Qe6trFE&m3RXI3K*L&;~Urh}wHYzc<Rz!QVFb|(RFZq^X7rCHDC
z)2rt-e24(I_6e12=I5JxCIOg@d$X-u{qp9WG$_sB86M-9X&I{-rb<Uyh4Ka^8ec86
z{Gpq^ZuBj3A6{2grSx_!9*^~sh8Imvx%bl3GZfm_VY0L!HwHo+CpEG{G-;u1aGGn)
z<Bh!H)B4+Xe^fWUOo-G0*=h?Z19ITL9wBet%ePM49NO5PfKkN_ViV$6ppl#ijxlvv
z*WO*`f}bMx$lF)*A(&M@>eRDBwYQ+Cn3uDgwpxA~S3(d&+gc=oG7HLS&(hUnKuWE~
z@8f_(W!i@XgXsp~d&}82Gpmz=__t@I9x?AJmqr={xePPwp<ySm6|o={rF(Ryr-o%T
zHj3X+8)BX0Eqx{6-o){hba%<uVvILR^(<MSN@JZf&^gY|N?3El2@nt-ZfH1F>%eum
zHi_RfccCtUl;Iil$S0o{JJRj>zD>1hBbQ9FVx=H<s{|qaL#JJgBBof>C=-w69ZR!*
zGQ)~C#s)%Og-xlj5e1gFU<KRSVquVp;LXI>89CWU#QU?t(wgD~^)TE-j6{}o<rpyY
zFziVf6IhBB*j+F)X6XDW3Hjtb=G;wNbMiIn>j@8PFm(|$X`F>`H$tI8a{Nu)&m;#U
z=fV_}WGzECzyo<?ox9=n8}!+-A>t>|C}NAmTWi^{9Vq$CabqJ|dOGS#t3jdu!woh3
zR^dxwilNHR=gavJxvyn$ov|0ta?8}UDJFTwf?Z=e31MlpT+&yZWG5x$wxChiz4EOd
zagN0ee9)2hL2Cpb4Sj@J3c4$IT(ky9jZzs_-636HtKSx!UIv@v$$kfrOQNr>i;5nt
zstWeP9_dc>xLiM6<({P^$gcS0O2VFq)H9BQ7iN*qvW>1SWB1Tb6xmOEERxC&6V}+3
z=$o<MMt_kRdOhQ0B=xM#^+OeYw+aN!g|A#^t&|b3oV8Wc-{jn{{-%_%=+TW>t;WY2
zgSMcL1RgJ$v&*qFq3uwmvJy*qtfLdNvbU09p)qh_RA||)RM(OjDoek(eWLjaylY(;
zf?A5oAVpqE%`i7$ld#G$w(~0Jwu9*?h&l|3#g7SRWJ<||M@}^-_PvjyXETmP!<d+h
zC2Gec>@#$9vI#n}N=p?0;x3-0+Q`u>%!p>5RC}phP9x&Jl%kPJOn)TACi33>S()WF
z<s~_%4h=Qy@rUW|aN6}>l#P%!&lc%IiPn{U_%{gRUYO$Gvvf(R<UNym2zi2^eaqXo
zdN1nVULd;B_j6d>am&CeFmvm^q8+8b7_mg(&BlH7l4qAq>$A^3Q@i)V9zd+8_e$x!
zS57+eN;xjbs<@)}oDc$2Sa*i`ZET<CR-V_?rtb2gyVX3k_@&hDo<z;GZ#^eVSmc%*
zt;<>93m_J__3a1wX9!lHPyUMC&3@}E3yskW5u*8APPU=uJ<ahp4C!6lHyRM-4<n*z
znx}~+%BwIFrxqN^)glW|8{F8wR2K=YI=i5SA<zX1`WR^mwgwQzh1>av8*#U`o<f~)
zKD>(B#c3gzB4U|C_i@t1sqx<pT0Bc!yNSu1$YGE*b=A(i%j?AvL7fXx<fP=Bgiodn
zAAH<k09?I<@4OSF5l4(IO&&=m9yeV+O%<IsSO)Vn+e>ObL~U;{WOoT1?&bL~^x8tB
za@wYz>6j)KXp5WyYrfja@$w;k4F(QHCdDbkaLv^_Le+xtA<V23R2hPNaiW%<D`SCh
zT(>g67P{$-&ix~C$MQxZsq*^s?x|h%TLYBz>#6C-&b6|ssnP5e2k*T=D0EthWJB^z
zBDyq$O>^EvQ+;?cu5v>1l!(D<zBIU#W`qu_^YQt$ov0L6!YAJ5G@8THG1@Fp$*FTW
zDQvwWpCE=`W&naqWbIv}LBTCgpJn#J%~>B9!=YeS`7qf>%Qu7Jjig)OuYKE~NHDP;
zVkjTuCkm2=duo?Sxr>S=-x#2CqR!(v_Zi$D!$6-d32>+dt@NH+5|FINn@b#fUa-n4
z1mPK`bfaGJxHs_)Wu6ujF{JhE20e{+g&4L#)oucsk8mCX(w!;Ay|0u5)CKPwdsGBz
zoFW=#rtTKCc@{igg`2i211X#bDI5Z<(Y0Lj5we=eYKK-wvIw+f>%`+@4a=qX)A_HY
z6Gggi=Y3}1x${7Qg!0N_amIU*jl%~sqIN6skU(2@)iy~?WX3_qf<-_x#mS}_!}6Gm
zOvecoq>i)J<JFD=&wk4n;D4!_d+DF<Geyv<6RS*DS>Z^28q>2{dTKj{$NKA@B&o?x
zGezn=$<cqSvQ1p?g4kI$q|IVkuQI<X8i6Lliaz8Hm@e`Kb6f%Z;!rJv_|%Co%hj<9
z7KGq>O7$Vl^IwMd>fKyfUbv!o6F0&;r-^n4?;c8wEvAk6=p$p+z3(XX%gC_KbxeD#
zBlXQzX&aabBsLs?4RLlgR*j__-`>{QC&-<6p_}81Uxt?Reb4eJ6&r!Ep=8&n^MjEB
z(U6i7P0(XG-gr`^UgXchK4|{3Y@>+mx8YIrD=C}l^=DYPrf)ahX@9(+HajbGHATG!
znHueRQ9f47kSRzfS<QENL95aU?PK6x7IbhQT0(2j^6bD6Ko+;ZT)OFPL4s!e;r&{x
z3xv9dIUT<tX?@h_mk&>b#`^7#t!QhYfwxv9vAud2{Q~Zw#c|^=MALcMy>I31THca+
zQ#RdwtQGLn@McfRa~k~?0HsTjvb8<(0H957dh9pREF_pc47i7tM#Dk^KY(2Eelqw7
z7LfyhkR5&D-m0`PB4EA=?`D~K_P})uryX@?=_luhZ!nG2Q#sr}z4e09+H4lC4*`rY
zp$h;ZNe4hF$0frz(H&jUmMzt&9|UP*Z0*(2p4%6!@mKffM}6j<Q|r|048nn&;-zwd
z5CUYzcQeLVW!yn0nH~XdhDHeS>fQ;t&0Ml<3z^WK?Rsb*7@@JM{}fk!-UTEn^E$(g
z>L>>@H<TX6_yBX){qxD0SB|NEABAPY?9XJ&lIjtvd~SeUr{k!>d5jb_Zg^I3OhI*&
zw|T=wY*2qMNKWf5j^Aguy*>}#UVmx+%iF^-i1i^vYwtJApR{kgyjsmYHoj#Q)NSg2
z#=?z<vhPI8S}IpPULDz*M>1}GD#9HJ1WYpVC3rY6jY<|7!K=IB=ZWb$8PC_zA`U<Z
z*DcC!e(1h+4Dlq<-^zbfra8eMEKkhK^Pq>FXQ}~U5Y?!1e4Og=;>Zb^`~%lmJ3b@u
znWS9kl*zpdrUeJvW1XJfV1A@~yd40J`3k`+FN{J`xV5-bN!S@xj=wbd{-R^*xzGK+
z?=CsEVQBeEE=Injy%j`@e4cyj+{2|hKU=j#ivYCbGZ^UTSSAyfEZUOus`+_wt3U-L
zpJq8IaKy1NBe>6(gQcV9R(SmC4w|_$RF$+?At8elY~bR!*1EYq9*_8{<#|1WLW1m@
z9W3#nw4#qL&4Vm+!)eu_72c!f#h)t|a$cT#z1(CO)pcsOBUV@5XT2as-Tqp8ty}Qf
z3+dA_=?z?$z1K|L$Hv+vV8^OS+7R7g2xgHIIF~Gr`P~sMJGJmZkVkN;-Q=!$)a0cN
z7^TZc9dgw8l&`vwD2|J=muGg;aPX;g4g!Xw{_{sbWo#YYaP*_-;nHpVl9s-2*~hDF
z!<?R7P4xZp%&c|&RtsyuH0>~tbb6BGZ06s{gr7Mz0~n`3Nx*Bdd)>)Gk}$aw;28N@
zWi{+c#U9;65!)A9b`#GJyIxcc+i(#W@WGE^5{SUZs-f|UIfnCE!%d2oZ?NdfrRl?A
zCIZhY+M^`p48F9S4Q$G7=405^nU0c<&97^9ZT)aMg>{w?!anob^NGIu`x;)C-f~}u
z79#Q{YVu?Vt+dO_PV}YS`_WV`^5D#&7Ao9FK(1Y2s~y-krh1Rzz`c>1r{%M~KR(rg
z@E*#ZGl&~Ilgm-*IR4?qt3tlAE|B!y$HnKNdas?7e!@NFlOy4kP9O;G0EW(?xX4n0
zy08%Or5;aTmTT(UEP2iXi-sYvduRKO8xxg-Dg)Bp{A#<lm^=o4q@u25mU*I|kKH4u
zHsY@FWnK4BQzKe;0#!YJGyN#v<2}*AxSJ4zKAgnqt>WiT;NS7aZ%XDjVu+>dWhmjd
z3{~Xr2%AJXqv~n(X+CfF(&>EJeqP0r+qTxB>-rG|B+^>*?Gk=ReecGM;1Rekfe{%J
zoSuP^asgx)F0Opw3|;7bzK~<`B`P$)kqcqM)wj|%=)-7;hhbuu^)77b*r1e<bLASC
zHgj#AOS`>VYQq^eYi#NW)r3gC4Yw<3$Uao;poWG?ai5=!NB7Js27st@D&bShyQ~-`
zNkCPkoe6;j1C;G^ePe`<gyIm<PVI5$=JS1L<SVyX$K-Lp>xNCoSX3&MeN<Q*vv@=1
zWY6o7bWH39*Vb*=6ub4}lWj(*fb1sirU>B!@?Xk9{v6VB(R<E15ODcrex<jp_Np-7
z87=J@ych`R&$q8}c#X26kaWcw9hRH5IgQO1pc3ZmBR82-NACG-bhVz=d1LaHKp~HJ
zk7O9O>|*waQAf)+#|!0Y#cWr@N2aRWVUkoWfp9X&p5$h%z|U;jOl!Wr1U3~h1Qp$A
zr`7i843EMAY2gb0nJxOX8n%EwPjwLDUxZ;ihFZ?ag3^dc68)lMC%&CA82VZcvZ>Z4
zvM6i)L~Z+7Vjqr<pjL-h(VSH}E}xyY)hfVfIn9;Loa1@RfiB=kHc!@|+3S~WhWFHM
zH#1yty*f~mO4K-F_huJFNLdM1{+=1Cq|2k=Ep6I5xc-e@olcAiS3gFz99@Pf&r^!@
zI~gbt+%P!zF70({3}o|0zWCV9k?S~F!2iA5y#zs2_hGv0`GKEH^va57Bpt|9oa)aK
z$5ya3uw7V(wl@~OZxb``yQNqyu|iw)iSiQd>4_m&7T<p64IL~hK5Y%LQ?Y?Wsr^nB
zv?<$en^Y&1sl3cBIqkhsY6GXxd`LB4EK4uoMl9w1SfD9yFKM%Azj=GXN(|57aW1S%
z9sNdM3L82mn6bIVtt-ywEZx#>PH2gT3;4^Cm_NHk{Uhv<DlIqW*dqhwg7wia_iR+v
z6PsZgCg>Q-)|$#7T>1}{Q>9#e!*c-j%qCegWe*}chA>$e00_Svz>M?|=vHDra%6^f
z$CuJ^4Pk2a>LP?pnlGP~cv3XHG#3t5lRj0%ZdvqVL8tWb$ole7S2_oVUX~WRY!*lL
z<0Ujiwzfiecl9eYsyUL*9BsOcb#6n;J7j^8GD6L|GOI><Q+JF{_qd++hA4}pHD?1<
z3?y!+D~7lo$Bwg>T*3-rH-=XG@G%g*xoy?bn0XALs{Ir#0Av$_2eL1mp1t05kbC6K
zaXgXvtoqX^y9YLBJI}OjvY|ivH1{0wc(oD>60D}PL}wTVo8EQ+qi1^(&8^0oA3oi!
z?5>Z7a4^zbF(uGBC|6N$U5nr!_g`AxnW}f=<CNC56GH+tI6v%O$nes~{2TR$ye0;l
z-;A|7v1^%TV&t7XSRJ37g7@|5Q16qb0cFeB)>r!F0cgM}EJ~-)znl%t_<#kBojE5|
z$YPrbi#f0KrrG!m;k`uY&|zBJ8jIOkq0_ml3}HbGNdk=GvxO=+@S^^+@A|HU3e%ae
zaBh*Nv6Roetd?I*O)phEu-Kh%CayEvltVWZizvBgSx;*PZHVAyT84LRY2q9bjdU(Q
zlv3m~$~#_9tJXN#?9tR8ABK3m{h&u@eI7^0CYDTnZK)w;?(lItYR3|P0zSYZ_IS5l
zIkS2|usrdm1M%J1u#HlIAg9DKBS(0(?e@W72D-ty5cv+d_WfA&wtI*DvHcw4kA)EE
z<<>7)8kSyE>J^{nRS>}!CL(Tt+wcshyl6BU!?fw>ex)&yC>1f5U}CxqthnewkW4-f
zPGVEx{lPvqr6E43iv=D?mXsh+))?-(^<tT2A9`%1=EcTQ9wU?4>An>Y;CN1-KV6j-
z@@8gM59x|_z)cuT*=Lr^Z(_EkDXPX3_OT+QA`uH*&TWW6YJINP&e~E2FF?K?QmwuW
zgU4z@#FMm|pc-}girPYWuFNy9p?Lhl@pSLVT^?ulHLoFx(3SP49gDN}i&<(bpLFNs
zA2|pum{ZleK?e<iMG~OlZ)6QR9PLUWCY`a72MAkBBr#v6cILhwzg?4Y9x7hjFn}N)
z$4#8H78t01q_e$vGeRKw{;?I6b>W(H#oHVLW$hQ2n5B6&95PTf;<*-O?zZk44?|*@
z5X#HZu1wk0uF;~Abd2|zxzYC6p|<UrbgFIj>Aw9*AVo1jpOF77xh3<#SWvA+!@(5)
zrugtJj3(J;{(FjNckO0;iha?h=5Bqzy=&(P+0SpRChWUCx4!T=E``2ODANTb)FA5d
z`WO(2yr!81s%{?BWukN3MN!<vj2FuxS(3>L$x8M0!Ur4g@Hif9e8*J0jrL3e`{3;m
zq6*{KMvVoPr|h&s7wg39Y16iMM-bHzZ{inKqhVRZrxN3Rol#wzo#_!=G>EYe$MM63
z2xk4EXWL&42o27PW`0q%tKI$Pargl`lOyGi$$qEws(SYX|9Vuk#es-T?%TW1gY<fk
zky?5k(K%A`jRvpac(?MHkg8qi4U+)V=t);@)2>3~R+d*`Lmbd8&aA8k23wmp!`EF~
zU*^FoNE1#}p=k>~F1oD1yg_S>D<o3Iow)?by{jgb=Ej+a?L-N0+G57;7*N0QFWpGZ
z=lPPZt$Gk|1;v~`p1z;I(J+90-r^JQb0`!S1ZPvbmL11QQ|K{L<uj7MT3m`1p^-Ov
zGZWmk;oak00vN6v8<Tt{bbVQ%+?wMLVF@WsLM7}(ueP|c6D4d|_Rjam%>~^>jJ*2*
zo1V8pe`6A}<fbPZv%^c99z2xes$$N}l(^lOi-xmn(8q-~*fqxqs%ejTs2(18w*A;v
zJv8^t@XvJh^t?O`AyTddgYGMZsYEKaQrRtMnAO;WAn8ZzZ5UkL*Rp?O)nNV8@w+Qk
zaVbVyZZ8QK-6>Qzb=!Ua#=6>?+X<~{ZSI-PvvNuFk?Z<DYtW+Zn^zP@2_h`&D&XB=
zd(LHWg{pqqCM`rH?hvQy2UCsUerGZNc6%fQ<qlJqukyR4b+4!%AM2*gT#3M1rr_>t
z@S);{SJUA2;jO3)Z=*n+n=;;es>XL+iOOB$NCKIwOQ`s2va5A^_9=2Jj}A?6zEU>U
zQhu?Z1&^dFMc$OM^)MNapeo~tY~42$`}T%R1xfHS!9y(s6~)tPJq$R98|5A3sX1|9
zKayBuBqOr+L|S(CbAo>JGb;xNWMbxT0O859YsXHI=BM{DTdVKYQ)_Y;v3YDntveI*
z)J$aUX@$1O1olf>Hi-~es!yj{&~?K1ujc7)>cJAG5W3Lw@HF)@ua&VC#?C?#rGU}n
zc^5P{QX%=`sJ#EV_H&@TO$B-BGjKN3C_EN^^;x_)_QP_2kf3v?GQT=nyG?`BinTTu
zt_jPHYKbZ)+3;2xJTX(ShR+iyz2;=fXo~?Qvtrz{+B((FyjbA?b}N@2<-xfi!TT-R
zv!n{`Vp_o?LofmXd@8-0AapiaSe?ZjqnT$u8e$zw0&{9zH-j{yh=Vt~Z6*Y74bUse
zCqxK6vRq4`J8r~_uTxW-xUR+yXqg-3q6=Etk#vP|n@$Z%8Rb2TT{MDxqCdJjHZgWl
zki_K}c0yuhc|_?rbU)u2h_2l*5LEmEa7IWHXT*(cXZzC2bU@4mGHgbwYLBP}Z@Qd~
z0(^#%eBug!`hu49Dt%?`^^pdyM{S`kK2T493JMmP<mSZ=UH1UOg^(5gF+e>N#Cv64
zSlG?ae7;e52bK<~FV!OFl}I>}`oP4zYfot_seZhEWg=wV7Z?C_=3@tUP(`Wm@sB+-
zvm$hz>J~DMf9s$A=4|jM-XJ@>fn}CMwraQf*>@fw9(F0a-1l1fs=;<p9y6{qCk+EV
zLkNq2<~D<JqI0zJ@@#EVKvMCur2*GI+)HJCJ#_H?(^4Gq!?t=(fm^3!0ae(<OntS^
zwzTFpZg#Anqx68!?crsc&&w=Mwzc_#2RiN=S{7Mc$Pr^p@k)&f)`u(tYQVO14#?K-
z<J8~iBu+86EoGgW190WZI`R5@{QJ-(5&-~wM@ygnaAupE#UBv*Nko8plYx<Tp;UMh
zfo0G}QGKbM?X@XI4Hp#CINxLDda_jaXh~qA9)E#=^GZl=a5=cc9f0oB!g|GhTOLFW
z?_uDeuC+k+a38N{ao=V{$4LE3IkZkP_xwaCk*a|twYcjw+yX=n+-$PXOP}0!wQ3%T
zdJ;!kg@bZ57cATfHEFcPtu_%n=U>OSwvTwOG_j0re>JojX%h%Vpd~=D(7^Hq;ls21
z3n);9y?tTl?cw7c?Ih~X5E5I%VHI~yK#P-6K%}2<3{>8TKs~6FEyQ6sxj*w}&>%Z<
zRY6Axhg=G$ewRFU{HkF_Xh1f|G80{&JedQnR0lCv=dl;-UzD`3zmN@-8Buyv5bIAX
zgYo-Xz-S3_yagOWYr|Qt)>E6gT0U2;xI`;_k}vlAauf)#ddgoZi|oIO5xe`Ie|RRQ
zTmZowH$B?JFxe`U1`W_H6ldBdQB5k=gRD~^*ld3?saBoLyluB<ZpQoV4#}YW@jNGE
zZ{RMHuu!o^ltqy6;nUq=vAOFXm(ML+exzrsb{4{&<i?t;92A&c3}a<|S!AabcF7l{
z9JV=`cvL|eG?6rv8oVJS1z(FSR`)tkExzB^)WKosdx^ggZ{gZ?bFbzhAQ;nm{W^0m
zLwmw|(DeO>hiz#}fC%cYQ`gPQh1UEBGZFB8Sr&63vETGIcc#;h$q2=tAZ~U|=jj2{
z#(c;~Wc5&Ma`+iHsv4ZhWnK309T?h%7+%-w71QR$PEQaY2o?zC#j&s&c2JGF8-y>1
z=p;QpX8We40x*g>?r$Hk7O9`5?FsK*Pb#x!EZ+wT0{%L|6V%;t2hZOy2VxRqASUq<
zP^oDRS+_B&OS5jdF31?bdi&)sH-b1Ol>2XonIIz+ONOzR2MB-<?!Q4WV_L6@ChlS4
zHQ&I0B3H~Q-*A$~I8?Si@8miT!n5=8c4pTI*Ya}*jA_eRd`54*sK-4i_w|_Do`;XA
z-fwn9F!93YvUl5`<QfSeCp|g`K8sgO#cirSO?<!1vOHfuV<=Hye{nW^tK|-nJ!l0W
zb#<R+nR$PX`4-A!hzK;5J#KMP?3U?(`E4C3?QyYXx_>%Fd1ZcB{EJMH!+I}Rl!`m;
z>~cAf4%wErpJ{C#e=tQa8JZ<n16T4H>l<xty`=DBRn+-ppRx?l-?|#xW-e&u>^#@K
zv|bAx9AP2kQ&qJz-SY;kS+94UR(u>(<SuU5%&DF00mLsSw$X1N1d>K6Aa-FldHTLR
zi=^PNA!%@3?tVb{_QOO;uGCtb28(Nt>#MUaZg_4<Yr@NcQh+dM>ebFj9Uu`*sPu;U
zDR>95zBhkC>*KL=A9>d6pt)mxu#IOp?6ff&5V4k|L3^8rU}@nT9;FD2ZyMrM3vM3#
zD3}{~=}Zis8L&QyfHst6y|ius5SM<P>d&V^xPxt`1u{SZJl+Il&MJLLq@Q1<jq0^~
z3kDBaV6Upzm|?1l%n3T83WaVgO#@O71*2-6(tx>%9Pm05CLl?jYF~PN$>$~XP#qKF
zHK4|L>&>5VG_&NOZQOWu2}z3x*&M>Beu@YrH&zh3_7L!d>J!{*#^pZ8QB&uV;p{qz
zU?R`a-_1J$RC0{sk}KoEyEQ^F3i$Wi1IB7{99okmgeteoXHAf_&s>%e)3C+9+<8F9
z5a`eGW(H#)^X&%1{7}0tqaJ>1qs5H_v^UREacH*3#o9ox=p~M^q<@r5!a$nogi>M;
zM0{Y4?|kIBqRlWL^b#nZ>7oHCcb$2&S}Tkb=v9%#1Kj+fgzz8*jrHQLDaL%r#iv*I
z5Ay~JT-<euH6Gpe1PDjQn5!MB)zn;AOW+`eY`P)ke26(1k}jBMRTbE<|3VlHG5!!3
zh#%8c*7zy6hh0Z>(e4{6ybB;c{K0m+4Mv#bt{=H4Vthy?m}-MGe39GhsS(G_whhQ;
zA46(6=ENm+f=)F9ueXPhZ((hNYL6K$PQ@A&g#ixGQ1Bi($aN}V#t!DwS5W*YE)Di%
zW+$@fUAvL3?PK#<P68{`O5(%bD3$jR=ID9A%@NMSm0Fai9x;@xTl5BjMfm<K&@=_B
z7y+&1juZ}=oO-yx?9HHJ*7y;->xv>YMG(XAEuwUDVa9Y?``MmoSpzCAlaB+)QTcR^
zYy&#MO{PzdnGkgR?z|ll6GWiGEEUAuXqD#Q3-G~Hp0>xaiJF&Gv(N?2KiwP_Yq)uv
zD4kKP4N&40#_Crb5k%zKoqwW`KpbQX94%L2N$=c#>i`T61f)9+*={O~0`~DD&?g>*
z=*T{Z0IG*i^N5f71cKtR{$p@mbU;n^R$&^zP|;C~(uK=3$7irA(Ewc{RJ2)jBM$~h
zVWP(r7Oj|c(Kk1Ebwno+;o(i!84`${x3=$2TGSw^cG%U_4ERgn3nRt*0u7$tJam>D
zWgKv#Eza;HDjB?6GFIr5-Ve`n5>Ppg4uru!II!s7o202Y2Tz3SW_?@$g&_CPP}caA
z>QCKytWf{wwJ)?2h_j(O;>NVbn$`e?X9}W7axEa2CQdB*srx~I?Bj8;BB28)^J1qs
z>H5I<Q3r1`gzBPcXe1A}f*0P>(Y-GN7F@PLP3`GsbJhSZ(^{?IBsHwg^~(99q<R$o
zwN2c1Fn$4arA#V6^t6&0HW8-b#2g2-V2v*n{frzSi-2EJ)2>`u_HU0H0iN)p%(k{y
ztB(tINFdTu*~%sx+Q#XZ+`194H@G$htHY=`)mESxIJh%4@SPVBX(p3OH;`ry$CUn=
z(gKSs_3)h%3m-KI1aaa>nKr2d83F_Z4Sv~HQ$?=>fC#Jszirks;50P!j6tzoeaM0f
z$Q2dyGwbV9Z;i>Y3L+}4J5IBO1i@57rAy!>DKJS{#h)O!s&~w-Jaax9IH^M)Wxlv1
z5VNBX9XzoENypF?+r8hGm9?-N*UJyYT^o?RBS6!aDcE)FM#Y5pby@v0G!a;x+;a5n
ztx?jW*p0tm52W1}+4x}A_=G<CFSde+j9RXM0bO)xqv_#YI9gCrVlv54TMsq}Gyn>8
zg)ZqLE~1K&Q@V*8R2giqy2s1)`qTkuv~dUkO+DY}z)$z{z5wY5lIR?I9^;XvEZHy(
zN={k)K}Ge0q*CXml9)Xck?%ZbdDim)(tg`ig8DIWk%b7>__pmKZk*8%!q^{;+}ghv
z=0lsQh9+;-K$=m(_A7iYFYW@Pek5oGlsl8c8MY<~o8)9~N>B5zgCm-U8t`BThrr}c
ztIB`}lO8VGi9{8AlB{#mmM%U2SdQLptM20z!==%ltO;v-uC1fuRV=U%94yj6IbYsI
zl5vFDn^ebyK)(Rt<E}&Mt`%PnkZ?ksCMsaot=RtImUg(?T~H_}*r^R(23#clE-k3?
zP-Q?FRtYFG?RR^9gv)q{RZJPL?jP_PJ}_4Wmewmb@r!zCK=anc_F))Q|HhsY({I77
z=*#w0E>7s_3^g1C=41tgpqx*N9rsNFxudQ^%Vkih{BFxgwhO6%)dIAY7%{ANZna+A
z&7;q*HdjS3^4zWaTsA|ri#}J*2MR%#<kRndQ5Ts7a*5j28W-r~`D0k|Y0Kru`nCkR
zC1~`?m8F?vAkZ{$TL9!HW(f!gMSOsgO}93@hLrD-1gELPP=(u^GDnF3VmHkfrb;<J
zk_LT@^L+*cSGz3B5At94K^zpC*O)8<!AIz60BOqxN!ZCIY+N4zDuWX#D9(72j1_E*
z+4uakS7u=!=!wfCr3D;cs0IfQ*eG$%hdS$K5Ri%24@}L#z^v@ubb#mjTL`FJ8OeH@
zPJ^u-l8Sy)v77NCCGuu(UOpI7D^ir*BTKJM+n=}isYxJ48W7k9y69Y3%Z5iA?gB*X
zv@x^#l%mg=wG%W>Z5b-UR2))7t-Lh##GO}YCja_f5k4epwl8e+l}P}7lYo{^6TJ(_
z0%Dy&B?0cQFxev2D)o4eKz%TZlrFWbw`+`+0f@QsLuXOe%Sj+5ZW?NmCm}{Ygck3~
zlHt#w{8j<D?PpB*h%%MH&Zm6Tv4Rar=$<#sP_(Uh`B<px!wG<noL^wto`dy?Q6iNl
z;}QC-6B<3td-!w8LB$X3GkS>za!LP&gU@MbK4Q_{-A+O##SZ#>y8$++V$KKPlkVaq
zE9C7>`-ik95>|!QAvHGLe26^?#37&Sk-L)i_};X*!5KfM#Hov}t&>eSpGd^h<jWpK
z(J(^|UgJJOlE=Wl5hu&QIs5Tr!MW-8gC$_N?peCRbHz@X`^P30fW$C;beo(@O3DKk
z+2aPULA_NDfSNqqT@nhw89Y6qnpLYnH>V2Ijpeve*}2%J0+hU#2JcFmzbxJZIft>)
zg%vHBB5qKlw6Ms1er5FbYfQ8jk5|GO!d)e-cS>ur{_D}1Xp}=Oo-TDM7>XYR+1`a^
zE@><*S$c8`Xo4WP_p@CVZZ+%GVEa&S6GoM`VQnNH22*EKrzM;gyQ_Wu!^^T_aa$VA
z*8!7fNotXBxTI2vBd7(L76mdZ;2lqW89<G*N~o_h&Oad9J|*GO*hq_p$(kmMk<?jz
zO{Nd4Zrpi8FY^{Z^$G-e)<PQ@fU9<4ZXHPmoN1wvf){QUI=Shi|IwF)su|Cf=LX~V
z4p$3r-ORwH=&;3LB9PE5diy1R(ni|&b#z@4>kGR&G_y3%qF0ueHosum@KAv;L}Qa>
zk0V6VIcJ8b&c^E}o{dJ?in&ELlS;M8{5jk$@<cD@rga+B&g(q<!OoZP6jToP?bpRd
z9!&TL`MhWp*aOq8G!5wSWceg!={>|wi5nUHYFS}@0%2P&dw%F3sTWAwr`Q)^B3QL@
z_yN1nxrXD$)BK162F_iy{LS+f0IjEvW_hWuqp1n04gnguWf4wji}W6a0w$$B)(l7+
z=M9Y9x%Keum{Y9rvB8`34+$b{`0_`)&rl@`<JYZ(gNjaj3fMT6>HNMeBMh#mK+@6z
z;R9@tHl87wB@lw!fn}FJM@kI6qKY`71~s@;oH2GMj1QNBGhS5Y5?0!X-PO4md5|RJ
z58sx-5{zlv2lk6Sk1#>u*NxUcNZh$OXA4?d=#pm~kr&2IjPHDEN1!`td$aaNXlr@k
z(tKQU_%I)0_Qjp0?PsaD#GL)U#77e4XZ#ceihwBaX6GG_jTm|wYB6GS=OCXK^9E^)
zmc+qhgnDtL%^7Q&O6$9z#!PS`=?PMwWge1}Mq^E3KC^M@N9<nlm@t}4ry}{2K2^+E
zjxY6h)h5(=SRX#Rq;U|a%?)jBCtq~h;{d|s-;mGv!krd|AnnDWF$7z7+F{nLs?h2W
zTs3p-Z)!Eel<AJ1<hJjk>VjJZEqS%8)a#W`?xc-8dlo7w6sWx!4!LsBIDbIA#s|w}
zqWZe>r2Uh3(lI&Vn~^L?)%-AzornxD5~uU%)W$(%B<Mh1Z;>@wR2;hyDTpAtOB}X2
zn$8R1h)$cms)Cl#14E(AaXnmGb?D{%I6s1TKgGYDvrK0fva8&;7--3G*lpF0KmwEb
z$`2GT?@!?;#gjIs?4Mgf6X-CZx2*Nu0>im8z64wM)x|Z<d4Y8PO;z2U>KU+5&wn`)
zNjIbdVNBvo<xR2TQw9MkZFXAaK&Ejwj1-%p50#t7>rR8%j6CRdXNy2E9gQ-B!IHe3
z=ApJqHxaF2lO~!Fs*O!qqM3Bhafj&a0JbdNQmF|5$5ynT(RNsMGuM9QN73@S4!Y=a
zG%CgWp7$u{4qMBU85}ioh$yi4E@9vv3)2?PWDRpd=Wu&cUz#fZ^Z@3JH;ukgd3tzl
z`T4xrL;iw@i<#UnmjFDeliVpPjBKWF>DGy6sg8a;6uv_1EAN(FzsTZMQyz@U1;NoM
zO}F=~6~I_}SHHtp{83b;Cre1+S_)qZ1PfhiDg>R<ScBde*7(6~hrGgBq50?4H$q`F
z_-<C7kn?yflzlHO83JG^qMNV)l3`n>g59hjfg3wb)xO!FGZ$(zFk@L^zyhHMdsS8W
zF8V5fJy?x~he_HrX=WJhRyDQvqUNlU$GUe7K7lc9OuB@=uj4-Sj4`7fFBI?lJf<*@
zwKPgy*g+yihwh}82>n7{+wilP_{)g}`Kk{<q^ftt0xL{y1r9moBau5G1@HA}i4n=y
z%-LlZv56z@=#%GGyzFQ1vBop=3euas{Ybs<He4>eps9EaAkI^fEz$b^CwHXe1Bw50
zl^uoAor7K4d~l4~+0afj+DB`L3Z(yduMleuDsOPf^nI%=l5apnXJmC>?AsZWF8ODU
zLL5ldFs%^ni3@|tU?6U@>)R<|F10*cm+BHC%tg=<JC3&N`f{EY61zw*N{2{J-<J*V
z;Lj3S|57{1z*r*FKi5?)PP`+|WH1JgiREjOqpRyIY2N?@_|E<!ez%2z^jGrc-Tj4M
zt{y$}d6UlTZ4W_K3QO9Y>A~uR&c!ek!B8A@J-Hovojd6UwKGr2cW>$zI(at>nNiBf
zx%En>L~~C{!WS2Izquolwzd8~i{p)Yp~$$*5MjQ0Yx*tRSnbBgoU!uJccs|ia7RLN
zY-e;}J8?D-haTF0`@v(&fm69<*Zg-O`S^H=MjL{6UB?t$ww1W(DJ-QDwG;r*IqG0*
zp)xu<J7;-A-s!w)9a`!+cAuJ;md2KFWhQyyi_I9F9Gy@7_NqQk%?>)Jw4X*}3gP=@
zoi5B#xmO&f^HPEo36{;t&n_JVuj;-fRx?TYlH~g$!LH`R)nU<hw`DMHw7Fy{oMW<N
z7;AcZ5fXU3rAFY&k$H{aTM@BtH?{O?o0YKrOF}$~pBWDA6?SiQAQT>-d=%^Cxx6?R
zXP$~nEjPh<3nnUN6H2Bn0sKhSx=mk-A$a8<Z7FZ3FU(M259dS2p3<nthx!n=!f2VP
zZ}!G*e$IrfNr2`f$4xTiSb(e|b~s#HxJ3`MN3d!Wr%fc!EyA4*qT9-})^rtKLp|>!
zi12*e$o@GF+d)LY&R5T0@gZVm8fJkGu6Z=T&ex@SkJ-it>8}a1(+NcU*+RVqn;@c3
zq|RmZ7c^S%=`ifABrp8-g@md5&D-5Nc1+fyytdEA8av0waM0p+Lj$bm`pykqG+|kP
zZ+2Vk?w)+SUqJ(YswGf)3yAa<)_U*knwnelO?Qi<uFz-hkUu`AI;D%e^f4l|-mE3D
zq@&rbrDh<9G;FO5qU-VXeDq4L`X3~FgL;LGGX%<an!+5Qd;Qgv*m?y^1XE($uc~zN
zNn%xi)J;6^Q2ZHU`sJ~!*24#$5tX`_J0UDh3ZFeBZPk!_Zf5awOYgX<6<3BP5X{1R
z!G2*;nj|hpMbqia^8DSr66!m;waiZd@qjv@3lpC%u{93#46Ke-O72AQ;RSBa)uCeE
zKXiYFB|}mgzFyzFGSC&Ia#K2VLvMg>1)w{9m=s1NIL2J=jUsrrZs{2ne0y1YIyj4^
zFT1*tQT1B0Vs2vIg>kUCsCgwzF&J{ZcEC=LMV!^JEYUEc1lZM4Wnf<_=vgYZod?hj
z<8A6p1n4C*9dD&UQ;o~h8wS)*4+`c5?&vghi&Z~)X;Y(hD$H3>n|6oih8j)1*aE}D
z%u5r?CLzQbx*D_K8N6dc*gDStkEt^cgtGnqf0!7AG4?ISGWKP%mn>u7vm{YsNGf~U
zB<o<tI>t7lLQ<p>DwSm4q9_S%c4@O#6#AXJ=lOhp&;Q2UbKTc+uJeAM*U5rpVb`OS
zAqC0TN&oW#plVUnXNV6&)Wr2yG?nVP)stH&cyIb#atP{KBYIvQpXt{|K6mCerfwG|
zTl@G>pgdljuD8DMtfMd-7IcHsO5{zZ5BNsQu@ow6x|&}qi^v6E6tP1$zLoz18@H$T
z2B;fn)q)xn<@X=<ZL|%}z1;lT_U+K_Jce;qe+_O>L|R6@yeVqqJzRn(Y_myXFw0go
zLO)F&o-$<(Yida78~!S1e*WSYCP_%qF#N99Q)x+J*EGDAhI!C!D2oq}X_BB&VPSUJ
zHDpphWG0&04ZBLY1(+&G&+Ju_*rk6>UMVm>Ie&C$e~+snKNLOk6|Hs2wG!Gb&DD8C
zm?#=}$M^ZGACs#e&TP!Cq`o9Unf6t8i9*47mU(`U!tbA7r_S&?8^;-0X%86FqIz>^
z(duD#`j}8ymabo6S*C@c%Zo%b{VDfYRi!?p`n93>xcyQVuTYCaCEKWfEO*7}WS`DC
z-ImJG+ZzYlvb~v|p6fzTrRV)yf$wSD+y((x`zIC-5??l*PW_p;XtJV_eU^F%64uQ(
zmTL1Yk`nCKA71%Ber{{nq-XMFJ`b#wSCt~$SM}$njgWT|uL>BJ#M>NliNji|I{0F?
z4rUIgzVmX9&i}%cd~s5~28y)TjCWqM?G=iqQ1`KaU!}i=MF{cNa9Y?y--HtJN1oQF
z@(MClmyeh()cg!TSSiT?#Rq+QiZDoQnT4n3;<tPXtCL+7^EuXAzOY%FHQ9vrN!p{y
z9i^=?S)5Lm8e2%Yj4qUiQVO=SY&cFDo6de+>dEN#Hqk@Pc_9h=_WJhfuB5J^gIFAH
zHth2v)@$JT#7_-~5}y%18<(xVgFqF>#-t?>p!kl$z8qf3Y}zG0`#M4kkKwaoYYYu2
zl(KSNY3EOhou<lPQi$ms5!faoBbsAJu?{@!8#Vn_$>`kO%(>p6cfJ=7;cjFc;vH4H
zB+;c9bKB)wh5^qSWY)r~FTlJ)>Kj%e=P;#}bVW##!%#d}T~VGHc75){G_ld<ylqrt
zC|bCU{j@0eU?W;(;!1dcB&mt>o14<bFjB}Yf38)~)0435Rxv)GmQsDWx9fjhia{?p
z7+Y2DyRGIyKj6xQOrhwF@2@{UoWd|QveB9X8T0W)<#=~aY+vta&kX}SJcr&vpBJ$w
zCl)j8>3sILWOK2fe4<q}4&PCfbAB_!A@fx?3KhyB{{clNzYMq~OZjPZo#SD&2KrIy
zt;+<x*C=hlUboe?VqUmTtX6y}>~Z(KEyu&*@IAPt8K3)t6)+hG6UXLVNZ90~r96Dm
z{6!tri-M{it`4Zxi?Z2Lhb|2_u4A(`j06K*78)&06Uf@H{e(Zy*Jd_NW*VuH`Tr<H
zX@#p^-yr15?vS5}OdEaj7-FV7M}n4882qEj*0$H*EK3W#u#%d=V8vMn=x6jL1+n;@
zuRqEZLwu&)t4u28$=l77mmzD!D^-e0_CvGd4IuJ5gi#=G$S57ZiWGN$e-dWVeq$%8
z`cr7OlyQqnXC|epLa6|Uu?Ty(%FDatxHI1D!G8Lyilqy3PIh`7d?=b-pvsAHw-{Th
zbxm&X`}tgkAJ1pwNM{ljoi<8wM0K$+;c(YjJh0ApZun&w3%AeZFxJzJceG5q#V8-5
zP%l^Zkvp=T<7=dK*vG%pj>_S6Zl+}3Q6MZb(Y>%}W(@C+j3s&bDTP$~lXYD~y_qiF
zJZbMx&XmcW`Yv5mv!Nq1COgmHCPocTmc&Z#udqJqNNGHjZXIZ{>zaeWq%^yTNHOnH
zH0CQ<LRYu@ypYL~5W84tc6Bo^y$y9Fcxj+aI=WIP`$}S0#nSXs`JfBEAE-+MdR(iI
z)tr)T?C5IA7lmM$PaIr2>MGk~YD-LVb<Ubi7<RKvy`UMm&8y^=w*#}zi>t7|1zyiG
zwU?}O3*-l4N`8ZlZ1m($*{HH|0e@+6x^=k4DNmy|*~a3FF4s7+*#?qjon>+jsgl;I
zjx~B{cJ}X9(N=D5>QtMJo7EI{;hIxpNwFgApBG*)Ni$^GWKZ+6fAs>F^4iOr{mRE}
z&BRAqskAb)W^m}=-xpM##5=w&yLv@RWvxc40Ap9f?lMUKbK-d6=kD;ddxJOX<x0l=
z{>XI-J!eYXjvKwx?$v$$^WN@4Gs@JriAaqJ5t)dC+IZgIpOgsH;dt}F`Z8DfT6qtw
zq1Kx8y;lR$H;(ThG5;8ReHJJUW&Kk71G_PONfU0A%p!?Z=ByC*I9Gc6AP<469xyvt
zA)UC(jB>0QJvTqlVSGS@Q;a>Prb1R4?{xi1E+=WiLIWp=;j_6+b9#NFU%B9vBCqkx
zA+*Ab@{eS95;4gat<+8E%#>6wSqW$mPiIGs+@PrVu@RX^7O)idyX8`jeu6)ge%M&}
z-M4vPHa2ExXG=R&7lk=42hYFs&-44$2YN*{?0Mr7iTluYZ>L9qAz0XI6t5H%tDr7$
zEVb`x<0ehyxm`-%MrvUfEMeZ6_!HLNaQrDq)%Ds>9eW6609WlP*iSK=_9jLtyu{ey
zV)zelK8H-lGtTUdOk#M`O;1ek{g{iz1qgM?lQF86J!$Tw7ABTHyUgvo$-;W57dZSN
zaal>4^K7{xw!9Sr!!YOjicWW4a|kHayDi~;6rZbzT;aW>*j0zkrksz<Wtasvt4OMy
z^wZl2-`S!ymUHKR)UYDYb9nx!u8R{9UfH+;8FL~vUizh$Xcf3^NB2y>O=lQ;FC1(}
zwax20xrjFX?-j%|#_kg*tT{q!?qm(~_KAW&F)!3P**FY)I{W(IhaN$K$qAD=6gpww
zJ88I_3iL{OC3@lRVR)?6;=5U?a`^Saa9)FufEVtXTC&`P5<%K!=^DtqOp;N)4l7DO
zKJD#(1U_V<UH=8CUZGMDw5A;o1cyLU-*bJr;`HFP!J`wCGxA?FdrsWHnITyC$i+L;
z{+)flLs87;nllY^2&9|A24eQa-4cQ$W!r!tl!T|0SY4MSwIpFY`=3>~wEMSOBwgkl
z*nS|v(KxVP!;CV^cH-rwbKll7D`54yxg%!g<7^MgK55TzTb0AXy!WHPS7whL>sBD%
z%NgRUOjQUV?4$=6pB>V8YV4p8!A|gL<UhUQVg^z9xTsQKr_i~pSncOmJmo?zX>uGd
zEotRR)W5DMAAiUL=F$PJr%7p}617~<PP+D}q1a0^9Hff^Z(I@huH9$;ca0v8%R|+&
z5A5YXWo|kKWo1wHmAnRTCbb+@nxey*jlN3_xJ*n5cqpzZ{;bN(%jd$Ck1CDIn1j70
z-6>ta<nVe<j|9$rubfKH+~$w(Qf{=%iS$XUgas&8)h0{g^dAV-f8cX(d@^pN<IZOf
zt+xIoEQ&yNmbmFIm7vt09~c&|G?ahim!}Ul+i&>l@;Par1@_i?3fE%*DqycBj>vuj
zZHc4|$td_|-Jv5zzkYmG_7^ksO2j9+S>EU$(xt3fq%$;*h<h#WDh(F>2Y15M&K=}e
zJ8|#j9c*?}KH)7ZBs)_>8t-l*#@4*4>Q-)BhNjGinV^?ZU7urFCU*aP>s#qsL3-IA
zp+Z2LWih5cGb5|8=kHRS4y~WMB&EB>11qiXT9dlvM-2TE@7>V%XJ-%JKk-%dFp49N
zVTL4z=u4A@Z^TNMyr%`PwtU-wJUz&P@7Kt*N<Sf{z(0(q=+*|P+_9%(<!W|q`Kqdl
zg4lkmr-H5`fqm=Hf+)x|+wVDrtbvY)Ariar9#|rJFMQ$1ek#2w@a2OOvtLf#dVCns
zV$#MqSN!GhaV;XzzL3!E)Jxe-WAg@igJ@-Ca+7`#b=^EZkKBMICsvyAK+54qRl$FR
zwhC`G>EALQSh^SQpWF2FD65^PKAita%_FB(C=Hk);@Ic%|0G0uey0MmLYhpLJ{DkI
z>2~wN&lC58;-BWJ^34u?d-q5z<$Z;j*xxU?{GTsTysa+XldxkMgQY7~_(?L=9Hs9R
zn;jzBxaOZPt9^Y1WK*AuRlr5*#?*ZIX=A72NmJoYUYZH822Dmuv21Tm<`!*V5EwH%
zZgklHu)MmPH4c8c)ShkSTyps4F~(gth}yZ1-Pl=rZ)-VAoh-!D_m2f8Y6u@IGPXi=
zp#ge8o6F|ShsZ;@B7)n$T4;{0kQ1}GDtkq_`ooW<4F&sh@Zp^jr>%CzpsiouI(S7Z
zLgF|F1SZx@RWx;YDLa}>bZ@uG2AF*f%%uOs&|&wZ<oSX2cIQO#Sp%gM36Lv6GLYl<
zlzYMp`N8MElpv^4jY|J3_DP=~00)*#$u$fetRCi(YEBaCpn#IoisgW8wcqtx$)p1l
zjGkhwz|vJ4J0h#z$C+FPD*gKIud43V#&xoYhJ@g=zKXarrTc;MLRa9*=2G0)%fa?{
z(C_|t(4B>xJhu{;mY*A?=J~-(O&?rcK3qL05DB&FW}b;_7FVl*^+S3d3DWoff5a05
zNZz{pfs`y_0rBg&=*V&r3OE9+-Pwu`?B(G5`#q2T^F7_aQjt=a0eaohmmLU0;@9HL
z<d#1m2I6EPVS`n*2Cval*oB?)mti0m*<A(ITuAh-w1h82sx>WOru-&AxNL{^)X64q
zj|>QAbsBs89uoF5KuzEymX4g@T=!Z1u#(FdUKU3J#Q%+DRYL$2(9FC&@mw1rAUuxz
zUK5_SW_TT73eI)1dn;WD;P~$PIrnMZ*%(rG9Nvjh6_CPa;(mA*(rz-M(dQ6o0wV~@
z#Qe)0F9(B+a&2MPtL>X{O<*o*4@}A{gVcEnO}d(e*~ae6S*ib~DTfYd1@ud49v@O6
zywM7I|Mo(dzzgH|QOou)3L$`Ocza!eIT(p&XCELV{69;<^m?iMr8C4{9UyJ#Lgjw%
z+8K_MTcG4a<GI0d8kBzyR=8Z(_}Fk>3W8iVtNjnnsMdM0+?8TTqEN(P7rexaj39*{
zNh1g?ZakvwCf>|@yd{zDunA?6`H~R-ionCtaXF7aC=<H355=v(S%widJ&KY{0we)-
z1R<(zyUG)!rOymvna1bWxAP+)P|SCXPVg#0um7Dz1`yqU+0S`M#)&k+SzhI3c5hFw
z4lq>QB$KM7pZFeeC0Rf*W$4du?@s7pzwS)=8@Ipu@9^w@gs$y_fo%%}VXCj{`wfYW
z^rrhCqLs;H)X@NIU{jPXC@?ERC@*`si}=WdY8}v@^s*Y89U5wXcW<w@?8gbmIyt2W
zCb2o2{BIIyn3GV}Se6P)J|c^A(-4-tujsK<SRjeIM<)X;rKCZR+yUuq+sMaW7;a`n
zgA1@mHxK1(j(Z;nxQQ&mc9=l_mt`(FVD?ebrwN>iJ3n3D^Q+$?TSfz9K#(oP2k2S=
z0$byXOq3pDfw^vI-19;Xyb!2}J?|iUz+wI8D-;EK5@Sa&+AD)b!6t_g4<ei-h}I%|
z%f$&554$GJYyY7<Y<BO$(_i2es9{?}L>>P^5WDwBS=;2RU3~oP?llQa)8*vB%>Zja
zeN=r^V2(ouB-H9<@E)r5X#ez#g&cmQc_T?ISVPZ^bZ@S|#Prn8S6(nd5i{A`l)U`~
zSr27+=PGb`kP`zxeN`e@OVk#<2M5oARf1486I3Zy_ycic{8ahPbJ7cN^GX@<hs`Q0
zVoA;>XHOk}99UdQSfvI<?OO<~C_DyE$<U!#{v}2blw)dw%`voz>F+!<-|`i`X}|~q
z-8yF_@-g_4m|=8GiiPdOAj95FIDQjGXZt5a!ae|G88C7N7SqL03pl1ft=zkM?TYjW
zx(WSWoPx;yq4M}Y`-io9iZC<q>u%z%8u%B2^UyMIW#`){ShQexxc=|iQ%LQGX?m3+
zF@CqA3zoRFbxjhavU`FWZ$Ab}xexSyUxk`$Bq8QO5uz<|{4qj4xz#)uz=34hf2iF5
z_Y0S@7<)dKK_HbBc<Ig(JZ%AhOMbV=4VXg`K1m~owaaqpZ|Q9rNZTbVCFx4c(J(|4
zLKO?Q;j(Mk5%+_pM9}|OoM5KyP}jZv+!r4Zj-+K{HF_5(JH@O_;3(`Pv-9;rDXiar
z)%`Gowm;HNPIaJ<wPHLTfs3vHobRd23ZmIyPO$L|F#Q+<%fB3$S+_PWot-J5JADTT
zO<sU-Wh*w<<kTx**xA_sMa6u9a_*!}gpUW-)~!eR#<xrBUH|qOf2Yk4G`JZssPNS`
zgZJTQCgBHoWq``mQxw)AGJ_Pya%FG!<f)2%+$k9D>lb8h8~)N>w}4ZvzL-|h|G*Q%
z3BGfJrvILguw4S0>H@+<A|4V_^^jFshFVrLx+~ZkdR=e0^{sq*^|TsS%ge{bL|6mu
zuon<W$G|o@yI(v1AptB*8X*mfNr7*{SH`!Lz;_gi>BvQ3!EW6KrJ=v3{0=lmt;MW7
z6_$W&Q6(foXYRiC%Dy9Ub}DOzZmY&y+O&b}?2bkob$>~ga7R#TOKyaE;ja}3!zk8J
zT}19T`1SD$!n+EW@P!RY?g(q4yrdEZacImO4_Ya0L&HXCj%I%@a-7`>>Ma6IU|Ojv
z`=tFlAK+ROz={B_j$ZED1Td2pSX8bcD;l9R1wK6WRf){xQ+s4N8dR=Cl*;~^HiRK_
zGB9uyo>v<-jGPZHgBkaJugv*6AUgC(I|O)$ATqn(c6UgA2!SLTDW26I@JRkpUs?_&
zCZ(@%nOnu)fb&lEkA>-rN2fz-gWv5G`3#=nFH}jWpsWL{3+?O)o8+<w>5B<Gh8l>j
zzgl)6V!%8+Js;okI)2VPe#-?lG@eYJwKwOj=0c`;73Kf`q`)7H2+U?%n#=v*g98T)
zz^Fh}(YOpEexOvksP+zo^Z4bOR~xyHl{E3z_7TJCR>P9bK!0(NNf&Q?Qhd(00Mf+o
ztIi>iOyA=)N)(IFW059$oawd2@Hw}e#`YH(pVF{Co1V3a!><>!H@{s0i(L14FW<JG
zOi>!z#;)-TCl>G4pFJ}GUSe}wX2L1Ekh6OB7oE2w=h`K6*ME*g>z!>V7p_JDFrSpJ
z`WACZ?Q26=LSjZ2*rF66zqJpC3G8AVU0C#92CHrB!OjltPVp0IdK#o2#1hu-IE~QM
zfN3U}jqw+xaBOIB_nIzlOqdc6Nk*@hthVU2ksUGteRE>uaDD;6rR=f6?;=0nO!_EU
zrzmUEI*+P#l%{?sJor?3gFI~P|F#1yV(Lqd;S%xYJ4%XDb!R%HMQTG2<opwzG0Bv;
zWHKYMz<xPoyc2I{m6_Us+Z$h=1vcWIa-ITVP5(5JU8kxr99A4+3t$uN1?N~u<F8N3
zi(Jh=C!zdXh&U<7I3a~#+#WG@hw`_todhClIZ*Uo;78MvC8OP6q(1tddWfS@mL@Fj
z4MKO;PB2UJyI}k!bar;CoNQs2r?8Tv*RgzPF3}5Yl2LoKG=hC$!Wx-twu)o_d2X*Z
z&DaVqO&neeP6s4>y>le@-}9NyO=!NxVsBwcHPskKAwUV^Ypf!sso8dXd;!<az7X~|
z4$m%rR|z-2OT9MNoY4P#`rp%&9z-H)ap5|GiHr~^WIvz2t1C6MUrrRwmw83Cc^_+S
zb|I~vGd)Anq*fD()(J*hM_;r(SB>n8!5~$@;J^d7cA2QkRy*Em-oLXp<=<KB3>V0=
zNHu!n=nxp&TzREdKnQ&=QYWjY2L(S)f3G4p{=JIOA%wqe@m(6R-BLPQrnchr!L{=;
zz$C;8>LdO-`bz$DX?c-KG>cVf_<LbF1{Kk~B*)P@Y1(c$HX*y`w_A~5okTnQWFLt%
z63;&zN@<e554J()pYXkF@yM3w=KOzG270TRvpR9_q4VEgO$mJ#0Jq>iF6s-!Bj0`L
zMk#tq?C%6|`gej%DHGT$=^9c>gvIX)YmFa~DD9!8nNrqqi+^Aw8p!#Je~7EQ$WFjL
z-nn(dN-F8{mbtm^6q_HeJ6fIVxp9+oK%i5x?t8ZT=YeIowc3u~1tYLkp1V43L{vMV
zOO+@Z>G0a`m|WUvxI?_z;1y;OO$R)k6~VA(fc`x<XL>#3<ynv<`oKUSXRCTL+-i&E
zgtqg`?5%l=k>Cj^3EA;{NnZP$)sV#@GbMsfcwU)vg&tY%?mcT_^#FaFu!b?Q_MZ}+
zE>`$?HF4pw=lyK#x-O*j)C9e`m$bf}CJ^oz@nzU)a}!)oRzLQBdixfNduIT#r3r!0
z;{cqM*b{JSklV<g+W23|oHzy;%f#3***SANDN!DSg;@SmVD6#O@OE1Vd*Z5T7jwx6
zX`CJQ??gvspQ@mG?8QmU1tl2C{UNwRQ-(NI!?k_G5jaJfl=I8qH(kZYoIT$0w+nV}
z`Ql2x7g-Gy#j%*btPXAo{+|(ipF#jv>A=1J9(%z(eT~Y1ljB{xS>O`<V!%`l;iMH3
zPKK`PY6nVfr?DS<Pcz(Z^4o;fm1ExN_Y7>kj#eNk+dVu@4s}lXY7)^v>4r(HbTUMk
z$M*r0V9S~tA~Y21n85=jdQy91cnx>*Z(O->M~G0;;c$o4KJ^f;HC^6HO8aZdj=pbr
zu#&hZKN%J7r~KWsLNA=hE`_E1883LokFHn1^x=q$=zYY`K7Fw~Bd@T{ZO2bd^(Vdy
z=MI({=0cu1<CxvL!9~G?*@^@leFAa=G?7JlLl)#(5P)BhF;<3c(UF2@qBlLM(6dW=
z4Z#$!BG&LYf=_L-nN(mn1{;2`4V#Tnsy2CCxbH@4h~T(HwJ@q&{^GrA0HVz*jV}uA
zuiE3y6W6uC6dwS2PX6DmMP_@)5o+dFNe3i-#*qAey6eZM`_6aFGl|8fJ_m8q0T27>
zdcs>rsXFE8Rb#24hE$zbPt(o;79sUsE_2DbZx62di3daesseHb;$Hm^ovZkEwEQ*#
z)YCxT()r2iw$sfwgBpFrE3HJke7Gc)b(@QN$JxH_&~Ad@c%8?EFzQ~ku$HuRak8*I
z?i1)Md8Bf23WCqP{=5BLa-OrfHa_bd>kh;Xv%oTL-fos4$)?Vwt}(^r!Y+%7kKNDu
zfm!Etbn+aED{0?5i7314?`_9-?}#NDKzY)c0Ww09^D?u-T;QowT5KaX_74{0;s$BT
zEG^_r&PI9LJQdy;zTQ1id%)*7Wo=h<UEEG5z)Z>mBOT3Pla!D0SiO!cn{b}AOeWKH
ziwto^NeeCizcscL?fKHUlbVx6=GADYfNT%%fG9~Ql#-xWgCE`eC8tv}`Kd0YmEFU&
z(a9^wm*W%AssmCUytb9XJ1B0edlXzws?(+MROX)k_I3nZoi7c5t+#Zm<W-46g|A!Z
ztZJ6U&iv!_uZ??s=|OFpU({V7@7R}`EQwavRXXP&j@<N~8~&~u33;+Xri`7A7mPFV
zSqXI4h^fP4*mUC<3olBjv1_K$K%G_bi~q4G&`izS#Bstf@Nr!Gk!kqLD%$eaw$7QJ
zqsc--Vmq!~gwl+&(jt<%twn^dw2S;l-h<IIRfn}N!zJKZ$kmB$`Ohogd;nrhb0LqC
znInWKOmXhZYSE#={s*`Xqwb4e3vAqv$#hR=k9MXBzK@9-mQuP?E`IyoS^41lan?n9
zTUiWWW6<D`jh~W#kvQwxOgIKen~!_1J6+lKAv|goW0M>j>q1&O)V7?$7+!Er+?@o@
zC43Hue1seyqTMPclx}UQXCGSXlL4%g9Z~K`-A2R(o4HFG$^zH4XewT5I@>Pe9D*6o
z04w8(fmc)$_oyH&%<HD})t*z!YIq@Tr#o$^6Y5Z|FB;{k@f->mjz8*XyAibhiL#}Q
zKPQc`XGEOs+^?k_0#~&0Tehff!ykLEj}=(D*!rBOxz{wO49f>B+J<DsbeY#}vQBq>
z9C%joWwv(c$?28migIADhNpDSx7o*6Mt*Ut(7U>oI^2G}QJ)v7SHo_-T8bV{GFBnP
z$<`Ny4U}bU-|f*$5KroFAzeC2VJ{c$-NncpaQAko@Ou1k^_~f7b?D4p`zZ%tJ#3=}
zrs)b~$H(=|q`e-v)vue(Y^R?S(KMg=z}sOji7rQqXOZS%Id(>x_?FBg%Oj{1xm~(b
z<i*#~VR7MmkM{&m#+_W=60S6z*kmw1P55@iumF<{p0&MpD%C$V$a{R3@<UVh+~Hw*
zZ`$i#G^{aMp}?#o4H!M)%lRVtrrV<B^cba7Vc^j-OvPvSi93&oEHD4h3jkP2W$qtl
zzry;F5WP3ca=W6#9~$%hdtuS`$qetjFiinXRxKU9o|+gF<Bwu3@iCGg?Chpdl4G3L
z=v!U5Gi<ew4PwG4<S@L0C&B+%bAeIDhaCc>zmo)=f7=JPrK4ls7jF3x?OuF!nNQVW
zrum9f7k@7HY+%2NeEP`A#bnnY9=X;yA(iPbFngx7$F(%mIO~rdYI7^DX&@_rlXzv%
z@&v_dRe)!Uy!V&W*NZ~)$ORJ^YF<L-_OwBJ;QAdyLOz`Hs^r+<l%S6Ju#k$bKsvja
z7I*6K{29G>EsfP9;}LCh7)v8!d)LaGoSuAEL~6r!vvP3l9+W1MOglqMQ=V`CB!Eqt
zXFegFldgk4J?*H4*K^SKDY!lq*2b((PYoKav+mgPv~!WOHc19p+kajhKF(@jY2azL
zv!o(n9f?e0w|sCD{}`5I$!Ayo383{d3l;iKy1`t_eHNcfum;RTyJ3`*jL(}Rrudx+
zTJMHurKE?i&OX1aUWl*U@x>Qddf2-H$L^RN?Xf<Relzp>Hl3B#YQ>3u7dboz+mU#5
zDn<F$!nWTnJWMah_jP8Zi?XFWy_|1*?OyEYXcdc3nmrA<ol|HDTRGXZ2kpn~0yqIv
znze|z8jqQaPv?!d`rQy{)@h6iTWSdwJxOX2^(}98Qn4F<AeFxRj9?AzN?d<Xm->9s
zKLyH8CdL%@!f}X~)qQ8kJZocrhKt$nv~9NIslGDND2z~1>M+W?Qe&Sw$T`C=CR)q=
zpI^GTgJ5zvc`expx7*9-kb{Mz7B3@vq5sE=Z-K+rCZF!n0ywy~`X*BOq(750u8Lwi
z-oB-<kIK|31d4aTT~pboI#6oZ{^IolTlL4TR-FD)a`;WJ3ZguoEJ3=5>*PH3Z$Woy
zQY?mV$(|O=YI395|9SZ{yuBBPK`P-LZH0r2o!g-7M+fHxmugUL1a)#Dz}8AANZJ;u
zr*t;)ybrOZH~uo`i8BC(GI*V=a$WEGgg6J2>0b02?pSLW*+yGdg_nTKyGXMq7m4eI
zl(4t>r2eL9P^?Rd(ZK~+!aRYy&Tlvz=ZLvsR$vllWop`@Y0Aw+oRrGU=pegCYgyE>
zElRhlC^_9H##ga;sJT`$_#b5IJO;0L|8~4Vug{rzO&)`9bJ<hJ4EWYun|R`%LjCH(
zB``BW!5qdMMP|@2oRWMs;gFEn*M%;W5hFCpF(N5{k|@PY&2#8l9__td{+)m1UNXEt
zpW-Ym&9kX27uUgCahLN(xmnStb47COC2t3~j;6h`Whn1=3d01xdw4fMt)F2mNZMWJ
z!p`m+9AKxR@AD_ZPM^kNr^N_Y@aVLl7HrF048-u=Cq@ruhds@)B5KLcZWT81zzI5#
zYR(v(bpspjk~fFxOI8Bz?r!jX^8CbBTC%zq5v(~KpJCzm(m2sOMyzouf%P>0I?rG*
zvi*vWFs54_&lED8vC%qWz{gl~KR!y0WHP!WQzsj+3l|F~at?2oMak|T8r*fyaQ$5B
zjjzQo=)EnMt}x5!kWa9?dO6~@z0U2xvCDy90Q0j=g<mpsouF5O{Y4f@zQCe)oVdjb
z19sku$PqLB-Pt`w_LRPMdy>7rmyZj>&-rAuoTfs_-gW9rB{90E|DKK^fD%=3W~+$K
zKn)XZ&1cAGd1{6Fgs4KW)|O4P&&^i3=3WgD8eG(Bv6SBQ&S$qrr0~Is>%%MWpzE2T
zPO#3|P=C!Mj~6<__|V+TM6tMHfo3g>V7@M9KNOwmfpNcI@z&<3X*VlOpZEnKExRty
zkjHXn+3CZnjIp9VQR0s?!30U?^kHk+q*Eztq#sQM`aN6M8Ip{JD1CG8?8hs=&Y3s)
zqnuUi@}C{ZVVvQ+h5YtDK(_Rx=1EB=+GE0V)fMk+ruP61VQ<%SRTt^!s6xq^o$G=W
zm50-Lo(5F*8N*&f{ti>AEsXP0)!c;fXsrk|na$F-^vPQeb|ejn{W(wLh$_+;IGbgM
zRx;9yS+c7=YHA$7V$T!*2O}$<?%>L~YO>x>oS6E&nmj%E`^E_lNhZ5m+UYt*gV?HI
zc-N%ym|(%&-kfL0%NmXc@akDDZFjkx$|5=HuB)l)@oJcOF8J%x&7~cLD*{1)*b=|D
zs3@C^W;^uh#hAL)L9s?I@f{n-?B13thzMN>;r2x*+jAFWbjTWp4+d=qV|pXCUSdH$
z`P%A7M}Bl&x32g&t?Pc@@sQ<|s`OWk`o5<;n?6RlaTvbAgR;RXLfbh?{hf1*M<<)x
z*|rK8-gUyL*YeHqJ3PN<i)m}SNs}yByKhHj)UH;0XW;A&{1v^##mf*nr#sd^Jwct<
z9K&PikKv=RZY+mMFH!O{?~a>}!z;8;;j6JvvaCB)H@$bi-cToMmeiY5m%3B1g>0Ri
zfBBAaO{rT`W*>79FWz`4%}Na}_<UeHXB;1((Amh|Y@M0PhC8z7WA{Z|eJ$KiS!yV4
zZp%y$*^-Rm<_z}tsGD~v*?n6Fr|*UL=T<F?jIE!<Z=sG~#1*sL)ccM7z+1N&O<_lM
zsHR}E*~+#!cQU0Vyn((oQ&K{b`k%CUk{SKnys3k;xYxP+R^-d#O@#((qf$qdAJ@Hh
zDYsj*^i%yj3+|?~giOEHBTEfy5AJux*onuK;FHZOhck`;8Jd&wZ+FPiITQHw9h!^G
z&<{Ec@~*$<#%uH{W|*pv2p|S4G>z4YN1aL1B0Q*G02>j`zpy032wMnRqPvqO2AfLg
z1WBU9k=|q>5qtLY(oTwF$*pSTZoN8;y?glqNj|pGTGn$e-aEL%h?}p@)2|#E4tKq_
z>Nt8nyU%Uh_njYhz^pm{Yee|5U9Y%@l)+TrglDV&a|?$E{3su}iG2pFs|)sFsijk%
z@!gkCW5>^RzFjCx%@hY?oq~pqoBK@K4>_k5`ANCQyDN4|oe^JXK;6uF^Gm<2?YNit
z`;9Tlw%XZO7G462t<Bh%_BE9>A7;^0Z%i=R8k}p1yZ;ow$s{rvIqWUk3>`eo=Y+@x
zu}3)icCc}vPJF4_U+ecWBePfbaxU`VjIJI8GoB)n+$YAR=;6+df;VZ0>DIB}w(!Ew
z4CnlSOIZkoy^Pc3L~9hltnMq=bP1f0!6`C3Nyo;<bXsQMW$=uPQoI4C6#921bQcrv
zlU?zOO#~+|wO<jQPhd=S)U|rL7kHM|P8<jC(=eLtZ6jBk>~-eIIU=9yA18&e<QeKq
z36R?rU<2((0|nQcUdZu8nVCaM((Gu5rGJfxFEdr$CizFREz*l+z#&7JK(ylV7tms?
z-l;D*x^~ee;Q0;vqB$7w;5L+`e$gg@Y4Kd$tui7|jrD}<&7I=6Ml0(rnQqZYoct3v
zx6?43{{x>cB<M;cI=Y1wS%nW_`WLfWEirH1Z=0R$?myFhThe1Yg-cZB_SuqV>!g_e
z=iX80KmxbW8~XvRFnolTIL|!X`bIojE5Mq9x4G|eqB;H=pCdaHg<Vm4p>x9Q8C9aw
zM*7W!jAmHcO3JOakXFDGFQ{Y>h`vZr#F9*%t+5dug-63u(pBqbhw#Z9>U_0ggys+N
zXD58)_!Q>_o;AX1**qHTloR+XK&Zb*L+BRH&q(Kho=!Obi9HQ%$(*JEQmkX&+%UA?
zcQ}d(HaYpJpWjL!-~YsYcHjN8Yt2Si*;LX~a~Wk!9%>=oIgGZ<i}pM}(kcb6>E^zb
ziH#JzW?CofwMGgzvXL-plxj*!_dV;55`MyM#~1Y|v{+u1$?1&J94?l9n^B(G*#|F<
zk6e26Z>A5+PbjI{0^m?~Y(~Y@cBaAcA{F*=8N%fhX&M(QUJ6f5c{k3(G>0={)la7w
zH|xq2pbppA4?6DQE$*Jdx@swm^2cK|sJM|Pg^{-{tB=9Xw}<OaA6&G4c%s>ldDO|0
zzf?{MGL?!;$qx4p(7k5?by}0S<w4vTR=zc5zvC*SnbKPzVI=)S90Kx%)eZtD5o<wR
zpqLzO4?WV$z@4mwPv-uUT2hFBbe!22cB^Ct%@u7~2{1hm<!2r>?+5vbw(%V)etVGm
zewrsr>z!HfV&>O_|EE&$MG08_Xq}nuy!H7wCeq0QjS(@{L7r|CZYC+l-yp?C|E(Qr
zf#jZ%;@KyFi;Y~RSF>a3*XZX^{RaT+Yl)hBfILUjc6bU93jb9=tu5?|K6MTjHszD+
zdX*knZuziXx}@lW*#pU}45Zx{3H~?f`SQR2nGUWfyO^>A9f8@mUzMJZ^BXWHJJILp
zq&&YSARO{D?fU!Y5C4_15f&ZM=N|510_m*MDJkO&;T=cmb6BoCBqAOLwG+Gw7XSWA
z0RF_go4uheiPYM|wI}LsiBMu{tP2l0Eq^r!#O9RPjlYT7^nYLe1O{n;v5&*n=U&OT
z1e<TX#WW#*G3?$FIoN9W<39dP#NYk5yqCTGCc>>ei4A@*EqLhXNAqzRV;@zUdQ+>0
zl!8Pfj;~0AwHM|fYd-AS8gm(&Jx1WVX<m60%WB}?D-4CG&-;H30Ec%0p$X)X>7NF-
z{QZ^yX=Gqdx*+NPGZ|!zOA$mS-`x<|T=DKZNROk_44x$GAxb**umX$5(!+JH;};KZ
z{^Rj<Lq50eD+@i61c}afkL?W$R`qJA&*9!jqQ5csY&dgA@2(e!B1j{&2NG#NZlOU!
zg&zijH_K5_&ZRV1KOjws`XDE%LM}5;6@0S`vaJR~6?JH*vOztMDoBW43%}uY13oDD
z_dDDF0sy+KkVXju^aJ7Da;z>U4N$_;7jJ?cphJn6Ik66zCsI%Tu}*-r?5B!UhT~*`
zT6!bE8XCgQ?}RMW$iZqTz-Gtc?izW}LH5;u#M1vB`JghqCn!Z~-1%2s4+UdP(jFId
zx3&DmoNCy##&4MieulPhIR^+BI&>yGeB1Y{H4J}E2B_avrr$<Nz>R&Y9cnwxY+sa^
zvS~)H1pKSir>TJ!mT6`i4kcZ-vN?Z|Ge&>Y(Y{cT;*koqwa;lREUMkOWbuh}{D1;5
z%^gbQC(7>I2L7Lszl+7^@5DIiMxsyOl}a@5po3J}eYpan0axDT(;F|Y+Ja^X1j6Gu
zvl!akUW6x&yyIzT^R(cx$9*1}$?*qSf#Kuc{mo`JNi=W8{@U^Y>lXq@XQJ8j9}q_B
z`{>_6P)HA*H=0iut17|V{r-3EQlXZ<K@h}6Ef9EX)<I}<^msCnqAY8wKn7SeUgSG?
zzhqWV)t`m#cYtwNV?_M<i%+Wm`|+>fl&Kd4Bqgtl@j$70A1G%5f4c@?YZADHHKb^l
zAl=U`^O+fkXq8Y{52p2Au~&k~OL_74Kdiw6)C*2M9DaE6hT`7J9E8@2<jl-$vBzI@
z*X@FeGMwJYPp&7xK*NCp2fwX<`rJEYSJM6ac|~}FI>7)7%FJ-h;nX_!GArH_pc_8z
zHn4Ic(YIefYGkX-Z+hJAg*v)RUNVvSu+XPe|Gpyd=rL8bL$>xPw0H{!R7t0V#~ToF
z?Lp=21$n6#v@S7YM~l?et8o+Hk~Ke(n1|@tN9&63BfDJV-}x)xM#46EAiYEoNH767
z&B^QQpcza&*+OWJftv7O4JZxcEC#DpMeHh6dtIn~w(}`czc~XHwvN+okKGV-)3(2w
zc|EikIv%G(?*9Ol*&@W~(@<z!OKRs>h7#p&M<{0P1xdaS4twcFIY=VYB9%ak%j@^v
ztOCcLxALuW@t8e82ihln1*x8733Fv<V=|g&n}7Q4(Y%^bgF1L8uQiDIG)Rv3I(w?3
zP%TpUdygfZMvUMXd>lsO*}kV&eZ45Og}rnu;;EW8waIg{qAZsrrqLd?;gnVxe>uXW
zRUB~^T1x1`xY92}`J2tIIUCpQRS~oKbLU-;SlI3WKL<FNFWVKq{4Mh%`eVEz^PDsW
zMHtwSIk<AV!I9b>vrt?!56xok%MZ6mw&AcCn%&k9e98Z9KXkB&@DnnSIT!YkCb(aN
z!9<OWqEqr@_a1QZATvMGvzfPyQ%!f!HAcOV!#hP90gMUw{!#E6={NcKY}XSKGno>H
z8>XNdCwIyNK&<Z^__=p|soo-a@@M&;pj~DkA#<OD3XJ|dZ8qJ^A<@R*2BFFaObBx1
zDWD}h^?!Z#-9G*gnGIf;iwDNg!0gd0i_;Q5OL_qu0BU_baM8K;??a5nO6yP69`(XI
zaF9MMrFv%x>1$MCnk-t`<y`kQ$Hjpi)f*vt_G3x1p9+SrgWfA?PVN4naOFJF*7>G~
zwkel%t~Z9V^qY4Z^QcV;V8W6wDodOtEy0w%09I7%_cV}v3gFG#x^6R+)H8<6WF*^^
z{{Bg}7k7{EOSsn}cotF}+Z10c?uTt4Wwsg&@<JEHLK+6_7#b#ZvKVLN|Nnyj&+*^?
z&s<d&Ctt9?YAk}oNztu}v99}McIS?m7J5)FLL5RoC9KP2&+vPYohh1Wz6wNTf3OnV
zQ}dnb$W@=WoQi$TG%F4;uJA_GA7NwY;*k8EXoe~EAATzlWIg-rVjmNmxHkwQM?P@W
zr%@E7?3|E3MATd&9`7B`M*yA(Ks&6e4)e1XIL=%0FANbz6M=Mg>L%NjZcY;Rwsu&Z
z90HKKzGf}(p~6M}cfaEf=@jN4|MnLuhm?5uNgOsC;Re^qBF!wJCrZrJ(7+JWr1+(f
z`Q)4KpX<L^NVy#csLi+6N+A^Ms+$;S26IeY8nSYdbD!?$&7b-*Jh1ZZ-J2pXfB+N;
zedB$#PXZh&xyt#!b@7fCv2%FI519u0w_mi#<L%#&c^WG}rxrq?UeU&F%jaK^)qnK)
z)}t@PT?qr2^F#$rGtNE}u;A?o=-c!RJ7#X%63KcHJ+L{Fyo*Sj`Tz=DLzK~V@tfeS
zO4#DT_s-~riQ4KpD8N7<`$%6-Y!;tnI-fzrNC>ZH2egor6_q<g?S?^2q~xf2y4A@l
zHA`zipCi+&(^2P*y87+>vLLurVtyD?mg0Wq^{fD4{EF>CvCZCnxHxwpzS|pK+7{+u
z@n$RTD3~i7)qI}K>_yLaA|g4`q-WK|oY!h=9PtdYe5SYvCcD$siH4U@lZVu-x}iVE
z5vVK7?>Tqm>s>!#IEJA08UuE@k<l=Vv);d=&CY(0_~Ii|Ja0LSzBUvMGeCTeasX@`
zbib#R=iOnQ67t-4obrIOZJh-{wX44y`*x=DMhLv5R}!_dQ5~Wx<7kIID=V=9YI=y|
zLtN%{q&MqC8#U`~zmU3@%G?ySSX3|6yUR)-cp1KMc|+l?yv`%d*FRgI{Y02?{NEU%
zHhC%q@8n10-y?li@E5^}F#hMwE}m+|l&L>I<5IkhxAF?;HN~>aG^erK3G?#sDHUHD
z-_jnDQi_sEi6s#iHP{StW&JVM9M=^{TcB>3JtbxT<{!t6OEVoO{ZIR!I(7fZ{ZD7#
zvz`A?aOqOWY5SN*l@EL3-jnBv$SiL-yDWRrU>fDhksSNU^4H3h&{`AEXJ*FVTkSWj
zv<Wz0xw+|=3<K2)M^u4NSi+v;ohQ#uQ03cfh@%@2ZajGZZt$n$_g1T!sk)DrpX3kp
zc)>>xZdj=jn$@k|<<ylGsFyu+wlB!ud8?z)djMB|7icCVx&6TU=VVX5xABK}&&KKp
zt<Zx;5iNp}Os{zEf0w!2Mn2X8QJmUl+NlL9Fun>A)xve}DSJvBV!rTuZNuuBJ0Vs4
zYtg9a;85m7FY9?5JaeUF@MlXUDm!})9Esl|a>qz99Nz$shs2MXeqA(@(df^!h>5d4
z$fGX6hm~jh7qiPsSNSR>V<e8gUb*57jVtCWevLOqmt`=<8gY+q_;20#Jhc;04G25T
zX{qPY-=-0;U9|<V5S$dZ!&f%DKPr`MFXZ}FW`}Y$dQl=-A%h1)aFOfV-OzV-@8=zu
zGtecr7p!!_5F~cfy^;Q~lw5L?+gn|wc1z>$GQ!KwpDh=UBp4F-m|kT@e6*~ju!|6_
zD{Pr|2*jYS3oL=H>jHpM_ywe$V>Q*>twnVL-3O0+Zr$X8zkjP);`%G=(UC~=5*W#@
z^lIf_SxThvnSvu1kS27<arl7uR=;v+Ndv6X8N@}z!7Sc6)yDPhE;zNWDLfxcUX>~S
zm37Xa-_t1kr`2r*LHJn@vQC*BIh+3Ns(Nqqm~t(!$KHN)TNMxst}oeN7mzjLoxsJB
z)P|TggAy?FE>!k!9IU}<Nqdc265O_Jpg)K`t`SCGk0x7=fJuRiAOfu-*Px+QU(o$`
zg4@SA9@Dkv!A|#B|Ihj|XM7XV(hi{nhC$=Hy^6cx3C25%`+xB^%10i)gW0oz&aC77
zl_g4gfi#qhuZLD<WXpQu?V_D0E9Zu87Q)G4Q;J4V*Aw?fVCBl4yOFXBZ8pFY^>x?R
zy6pYOZ{D5S3ifj)-=5BMAb)G;#K<d(Jo#w@`cfa#p8+vTXaeO+^W2X>>kCH`rPHQv
zmL&0!zayQ7!5o}r#J6lFj+NX^4(AXHs>{l8xekFUW)3bTqBSg@;}^iWbi4ccGQ8)%
zXO{sOkVw2$`)*(Awd61vJ<YBuo%kYC<N45Wn*?M24a&<_h;(d!1nv3|BnEe!yfx^p
z(f+WvV^q2KAZaIJud<FAfRp+JY+CDc7hqRtrs;h6WL?x~{<sqcbSq(Pp_OMkC;8_U
z0f8?zk1pwn8&1?eq0<b{|N6^(d#j`3rSwe-v)4!p@5iwTA=H!{Nb>$j5rq6h_l54n
zWhkn)-g(+6j-es+@btXeiC!B#0Wr?C9kZM;O1WwhDAh~bZbWKHE<EC_{e~{2PSBq#
z%kG84Wx4>dh5fZrpZlo;VTq|<X;EEty{1^5d;!|*Ri+*qG*z`7Pc+*vx!G|NO8#6O
z%5=qK!(Lhdr3gJ44sznmD(Elq&%uWos*5_H4ZWd9a>GSa%!^$S19~BJ*Be!Fua>Ij
zM5se5k%?(Hsmq%xbx6BpaAzHyczbF2()C|i)^=x_z~rvB6$f3jZ8b@4l%h62=&hmM
zn#`l?O6_<NhvMb?%}kT%VxMA*&pJv#oM4HoFN}7GoKwYP1XW~Yc~|nZidCaC<>YND
z63SL&X2(8mm9vzpjBc9?eZZRyi&Kfhu5U}Z{!Hscdx3FoI8W+RNH!endWYEuhQDJP
zpYON_KKgnutZ?n=`7(4SDe@Xq56_+~y~3@Ot@QSg+CH79Bl}J*`Uuukzdn4<yM$`(
zy3r+z$Haoer2v5zLbsCC@3{PS6dfIHwpc48+kRS&v;+(&VKkSTN&Hn!Dm%e;h2{Qp
zq#KGnDIDn)yxaX0ohG{?LyZm)OZ?|)o&NW<R8FUsF#K`F`EGfR^APlq<eG``TU#6#
z&SS56_hs|9OJ{b2dob|ch`$(BGj=fW;aqu5E&hIY9NYGQoe>|U!q7+wU(DKm=vvw)
zeFE5!Jy(V$5X#`vxgDKD6)u*7K!PVN!K~_0TLbt{)-cNX{bW)-G_h_|YF4}SVeM|;
z_b<Ih2%s)FdPns78KiA^*R5!1PQC-|o!LulZ(HN--nd^0bsQU7g}cPz0db&yjzG7E
z!(m2~X_`||mN&2RBe8~I_KHW$m)Y7_DkV)st%!wNPfDW$CB$L!yg^fMtOwz9;@WkM
z9#Ghyk47!`aV@9*-hk95wn#Vuj{n<Kf=`&wrn`&2`?=W}PW1+FxZOPISIW<fCP!1e
zKBAbNzRNgV+aTFlX;~le6FsPZb%<w{+70tkCRO5*Vr~GM7GKz;BsicEe{u_vd9KN(
zrG-~^gu=e-C<zmgIxJNsf#DR)gZ=AZ_@xFYwU_}ynkLe%=Ay2leNN%l0LaAZKxu(S
z)E@UhkNd$J@+4*|(%xOJRps063C#7XKvg{I@UOe?9-KIW+l9e)S<tE#w!>A7cuC3>
zxuhiKA8A;fNF_Q~zo*@wMtZI1I3`E&Vr<@wJv(2YhZIvFaCKX`FGNhX-mmf5o<)+$
z!g1kLYpBITT>(3_-COlEs_yEm4#x1kR(Cse@a&XCUL$~EITR0j5h<&$Z-2v1eJn2w
zriZ0S!+_YliM%O>ZX3wd+pVsf$}XJaY*ZwVkNUV~jCA@8o3S<jkZ^cQ;<$XicgK;E
zL|XO2EIqId^|=|YxN;7$Ds>3;tb`&8Md!QY@&{k~*s+t$s>v9Gj-%XFoN4+kY8NRH
zx7*2Qn7fp&vP-eL%Yhxh-F;)!Ki~dxS9APloEV|x@=9SljYSvR^gl1a&ykov8?WE8
zgvBuiL3yOGrS6d5BNgs`u9~CT_89a~H;8{JbHy@K4Nah4k+jD0z2{M8WvZ(yOlQOj
zT;q!;*$qb-|E0d^Uu{a}eJbp`WlqL0(OnaLL!ioKtoH-d6)F76vXxw!50(Zwexkuz
zhty)hZmaZxa2w(G)>MqwU9i0t9w=#BA^D6i8*rZ8cgzKAWMx0P3#Cd(8rqGDuSwJ2
zC=XutDb`r5m5O}REWHPKQ6t}L6OOQTPb7Ndul+fN^E2_)eP;HZb-AXWud_Mc%7~89
zXcf)68O)W6%Huk<>aO1cTk-fofR!qcnSOG8<CM*2REPRB<AnJ?Z{6jCs@an9Wl)4u
zFp`|ezKG@9y!@#h!=@rImXX*7O%C%8y}@h?`4Im;_s*5eY5M2m12Fu@IzxetSd%^5
z`U3iki#TSWh@YhJ2!|QNS9sy_&qM`*782Idh>ph>eQP#PS`*4o*{udM6T_wAO~Ynz
zvR&+foMKqBeG+seZNc!B!L2S{^F(^KUISa$p8DR<X>-V+ugFvxemwb~(OW;V-1e}^
z2h}Lzjv7cT&^*#}y2YI2Y_k!1iGj&(Qrp?9X4p&a(TS^v+DGX&C$n>-u^(RYL`{C_
zP$l@xX6hHVr=H<>i)qtuioNO0JC^XYbChEyWb<;&&B8?Mri>-n5}!XT<XO)6A-c4?
zI(u7qf=_yr*0cB&ZJCs6_iFFw(9<;#8lu!FU^0307@>`qV`r#*@)rQ%QveY+12T+z
zt2pb=QDnx~4GH)h+ya(Q&>&R)dX7Za$txOO^+}DZ6PzFJbsxrnr*&(VK1G?L9|~r9
z1_Bgz_@lA!qY;6iLUXqWUBi^wrg3ws%<oay=ODg;HnnqKz@7Gr)AJR*Pr#?e3B*rJ
zQPQr-;l0gin!lK~zs*<8q~<gF)ljUT3!vuIRvi1h#hGZw`E5r8PpaS_N%QbI%ba^F
z9=g1gE0SUFWnVvRNm_wZTN?pC!+DpAfXWVkt1&T`!hg)uJ&oy{Tr*sjm=c@3yF`k^
zXWXRyGtl18rmr}@HNn!4Gn?4C3+sz`XLfEvEVkrxmB((yjzs!x-pe9+B4mjGr~UV+
zRl=eVt|`5l8{^zUwzrWoT>XsO?&Xu^_p^sP$NbV|y_RPJrL2alYd)JkRQBhS!jdVS
zPTo1a6MezVw(PR;7g@`H*{VJ8vtLjS+x|mXYu8CZWkET?-K2fPi5jfYL7h0f_|?OK
zVKRX=-FVW5cQi(sMUk|a=(kwX?9poAlhJ$G=+LcJW=ly<AA+@q(L`@T-Fv<=$@f1^
zj3z%>5<=s0e9mv{(dQdvQ@MonzbW%d#Dr)>;YNAhlz*~xFWZbfD7-=W5cy-*McB25
zsk&C5>W>MNT9^~qF%z+4ZcVOfkC<*yBndtk>giZBlbux%BsfITzVqZWaT0DxJ!xu;
zV%>y%AWh2g_x8GWHKC{5uBq!Kn#?%ZE!;xaFWe#Txl>$wyy+GBjoI{VwCqjET=JdE
z(ZfGGucmx|slCx9e!0Gl%#b2IY-&=r7SFu4dmn}R$ucVaS-Iq*C)ep~%WZzCs`oJY
zY{3b#vI>Bp`HFh)L%`{>#1$(D-4X<JziYL@8IZ}NPCYHsX&SV6^JVby8X=y-KF>VT
zd?1~g!N?1|<~`A{Yf;912W6w_XJ#%c8}}-i_m@LV5TQ};xkB6Sdd5d}yyGv(D*S1a
zOn8-eWR*Qw`!&68D-*3QT9&)6l`HaltF6_SJKyVnHRCyS)$iD#K9No(qcFAPTwdqc
z&-|&l@^j&JnAF7StUfMFyV|WsT=c~!P)DV?*;2O)@>T7sOVlRMPKLK}jr~0EHobnd
z+I4hT|D3^g+hh4^2ixqs*C)=_dxe?y<6Cw|>7w7S@Tn7+9Ca++MehXo|H$&4Ws``Y
zp?2|Q#wF&=`n>Di=V~+|^YI#tQR*oeqqbj*PSvuqY3(RdJbk&O9&)==Q|Lt&g%h-P
z+3O*22>%?@X;F&3A$=65kY#LVxZN*wnk8v$rwMv&9g>yw=&F1B%uw{9OzBgPr!s4P
zF*(Jqdl2cjqpPVkw{}-$2L@6IQqd{H+6OL)8yzw6$IXbb5O9KQujK?iPW_4|+6gTl
zsQ2ApuV2cw1})oIV`?9?sP<@%*ky^~mmjPQc-Za8?5q_TD-$q_`+cX1I1yGz7w4I1
ztql!gl~b&1BWEASh)%>ey}6x<`aOyDzhapt+?MuG)0zU4f&XT-v3siOGd{jkg4JKj
zWK{^wk#V_XJ?4ypn$J>Ob{r)UGq@+*&{ZmA<Fr+@&&d{MUbj`NN`9fZz(-TXm#VuC
z4~;1V-+sBF)u{fFjq?cq20HTixs=op!CM|=g0zCDt<;chJUQ&n=(cv1A1d!ra;D5^
zDee@@8umw&AmXadfKJ}N#-P9mjDvdEjtp6{%6h@`?+>Br*^e^@-;U|1tV<|sTq_OL
zT>j&3RV~ZMXL*R-jRz<MOrHaz&V(>u#vP45-{#SKIt7(pMw}JZaS2<&)f!bwuFV~J
z@i}Dpy`G~T-M<0$h+v5vaa*pqJe`NT?AzKN$;c|?O5l1f&1YzQnR@Y=BNJ{!U3(XG
zYd=+g-K`zrKIXoK`Uh99=Tfs*)<3K|uFoCKNVvzL%qiSiPo1s)O2oJi4x7{l)HY3q
zdxuSW3GO;IVerzElj8;p!Lxp@#j0e5rL>h4GC8rDpU!16;I8&jvMqj)1wEgb81LdM
zep$XziNY9j8&`PvIR8{wR_K9C!+Pg>FKKOUkd&X1vMqQnH~juM;ZEn|oupV*GqQ1X
zRR@MIqf2ws-GRYbUskjAgyyYv4U76hy~Ca7P0ss?Hz%8&#pG&COShzj>1-5-xEIqi
zzH+|29d+C1)`^t#MfIHP?XsLT*1yp>ypB%WZ}+H5yFC!q5=^M8#Wl;`@z?rD6SFc?
z7gbECpH0<sq|dx*FH4;`d`Y2acBGxV%a?aXCgjA!)$bD729gu?o#R(NvMuX+wjZLf
zr|#XO5urw+t9n+QKYc*F?25e19Rb6dJVrGI8)CdpzL~-0Gu|f9d5cN~EJA5prL~ih
zSd3sUgWtyJBhM|-m9*?rZNA=IV}(Q&u@lTsS?=)DGz7N@`UzTRyscg3<D8K{U^=$b
z(l%_m+DY0W@yf-v);OkbSPIAU63P1H9haZ}%s4V$`eWwnc)^$*&EN!9V(O6<O?8Oh
zL4H&}-(KkP!wz@TKq<}W^W-!if^;M6(=Z)dJJ*fp<&syW@PQn6%%+u{sO)CBeX;K_
z<g<+(3_la=E0wKwxIf2h%=dc6PkgFiITgIBlg$yyiW8zzZ%*09`iWCZCA~<b%hNYk
zZDUClRCZ3>iEN2`_xok0xSz6Y$honEx0XKb%w}lFDiIWOqBV|C#blVIIGKjfU8pdX
z`Xn4bjbG54LxKL2(x4KUQZFRUTEdQftB(=Uu??(4^UJN~iaHgc%j~N}91Rx9{Prv7
z)WQ_o=*FaKi~XtW&rw1>YO(sk5>;A5s)^^sI4M8>Ut4D$59J=Vai+o8#}X>bjD44V
z&AtuF&In;pNsFaKWZ%ZV8_`Ok&>*E!mWB{2Q6Wo6NJ&vhdhh3)&ii@)c+dGy!_54i
z=lL!7eO=#c_Nte`qX&#v+l`-S`NXY!5@W(p`@V7zgm1xD#qwbIX*mLVU5S(S<;>PX
zv$=YveI_0@WkY_A?J?!|Ft6)8oZsO6(A*{m>V;K=(R7VQ$$G|pS`n#JU#9<%C)<ag
zM$w0+m-fr==a3?$QYl~WUHL(!<WjlQdHsrh$rSYHs!G-0t!G>(U+V4oX4Z9^;C(bN
zUwr_T(-ql$m+ba-v;6l2eWOaSVo8VMrEvujwt_UXxNLUa9PtDENWFZJ&&u+vh*fWg
z<rhvq3!CAsx4m7_m4fS2E4ed5RmCP>c(#5TIdtcvqLUaR3<8yXDoY~<<Mh7=w;9KE
z#&+UvLcPU+G+pauVqgVPT)h5VzE3a9Z1rEtOQ7skx?hx(k9z?fIg#Jp8V7P%Njfb(
z4cD@6rN42Hr{^Mlk(9|%UQHl2i%XP78yaH_lcV-#Yh@-jVKhZ2_1_V4SRNCa*YGIX
zAHy>3k)zDGpGT~Z80{fG$1#YbXz{drS+hCV!04xwxHQ^mkSz8ZDz{uIN_Sl!dyggv
z)aLtW!|(fN-TQv3R_#k=UeUqYPA44|$*9-LBl9`zUL9wK6GK+vJ%x|HHg6-^1js9P
z<Yc;swjQFv@9<cjFv2@q7ng#h$za-uQm?_{0;(G=Ns5}5-lfZ{AHJkAqChggOB0_j
z*kNV8Uzpph{-H^IK=G>`(SL`lq_K#yei1a)mv489r$w)G@dP#Oj2ZFt{qggl?7FVD
z-#TtC<O4Rg<i5aI8ZAsO<bDW+m52?$ZR5i+%{?W?sqFK{q7`><$vimDl&suiVZcJL
zA<`wtA1!0EQDOFdtHiR|^LA>w{&ikO);r%3{2!i4nN!J2)br26JT-n()tgdBjI<u_
zuV#I09p##;lvqYx@ZJ&U%%IXIc(~ER>q)aYPBMo@!wVy`fEUvEBv-Vn#*65HlRbWv
z8vpf#x8s0n{qdJdn{nQ2ZR~8yJ+FmniAPkAP>oG2G1MCw$+e2YiC$M%#rm3cY;C;L
z&@DdZjxc`eAzzPl^?boF8!=lhb8JUZzDAnRZC%@1a4UGluzt{InIdl=6rD;Zm85^T
z7gS^0WEiE8wv1lIwz-)1JK`5qrIoC?r5NJP+ip{@WGeeS-FbS@2ce5zO8wLeGe7{9
zviIIP=9kcAsb7kGJY8?NdAbs`Sfihx)MP<MsUbkr=+dg~^;L}DE6!BrBF1gA7G)`-
zQEK3H<kKjcg9<bw>NC8R--m1Pna_zPiZ(_i{Ord|(!RaWS9Ze2Xq-Rf@I>&-tIBM@
zEXjPOM2sfy^F+$jw(pENPA8s~QI54j(LEAyh$lijg4jxbko!A&F(d6~K1d<ezQ&FS
zl0(g6j!&D_nEHlO3MeEKF$osy{0yBL^ZXy4tJ@#o589_29F60ZW~L8X>Y$2WNj#KJ
zo|IvV<Zc(vtvDworPuJmMS7MH*Vhr>e2Ypkd>em2#~a_9Lizi!t$#AkVD{y>@25H6
z^my+wk+&_Kvl?hDQ9E6g!cDxNz+7NqF!)2EYH0iLtL(lh*X2JZEJ5ru`hLFVFO*6#
z)5`0QuRL!iQoE<DdR*FtNGP|a%9v(;P39slH0v%}^2R`DP?PtX{~?pRc*!#2bhLX_
z-u;1OrgVZ`B#mTb6RxqM8zq82NK^6Q5>-qhidpxme6*BVdlEtFxMp_6)eir_%DH*(
z^8R@7t&+QT-jv8C_1A?@I+7%IXk@GSoLo!)mVNF)?8hrqd1H#i%GnT)JRy2CgGgO5
z#qUyxcfEzZ&$dU3tw_j|156>)Qb~F;Q?A6Ez6-Alc}@?~hbnwgDYaMa6$n1T`x}mK
zt!b@_Wxe>hq--T+wxuQNO|Cl@ZTQxYZ*?m}T4-oNjCkkp6GA=}nTAqz4xBq5fbG5^
z0z1j?oPp?4Rrf1-cV9SrBu9lJ@U)XB<>jyxT#vXU`WpA`ghJl*RV4L&MKXtJdykw7
zpYOZFQKz&YWd6$Q-}ME@!4M=gX`KqgGM`>dp^k`6phGxUIvA`BsDtZ-e+C5Q&BndN
z6;{d3K_5oh>nnLiFph$?>_xT3GyFR2bL8HIp#_w6^jl>rolh=aafeDF!Dj1#_7ul-
zIbDP?PMczyP?00Wu*JgK@T?wYn~EI*Qx7`M#C6JKB@RPI_1&~qjcoGe<&iGB;0o36
z&0;^_$3Jt)ef!w8PJpM**F$^3aEq&F26qeV*v))6(13(`Ic?G(&z($}y(JRdMOc<$
zM;UGA0#pf8#n|^qelCYz<8V}Q&}7g#%s#xmaJ@`Pu-k-YzqsU`&a<p}32R9o-!=<<
z8wpx1T~=r<&kpnL-Zzx_M8U>`WseqooF6T;M17xeJh5!%3GLDQyoRDZr!HI9id5qy
zqwIVtM))oc+C-eaY~^E!a-NZ#@@W^h(jTkuBt1G`eL$OcvBGe$xjNd^Le1-U>bB{l
zawljfm|8p@+RSAk#rFvR+1KX;Wn{`vsv&JWNy^A3PsbCRMB)8bLD%zWZ{uN>IRB+{
zRuVTwUgkb`HMnMAzbw5ImGqjEw4a&=C!r6<ym$q*qJIk0JbZ)$MYQqX{O7Qq$1l%#
zOQT05W-!WP;^(KO4_2GmY6F92ID208|NA7U8bN0XBF3P>DhzFDu%D)0>Fy-E177}h
zre>2%_*Te$hc&S+%Li9Ps_~LZ8c&l%G=AQeZ`w6*KC$<93ex9rS`*WA`4Dn_(PBOK
zv=P#E(Mss=$-IK{eea|6N3PtdOd&>1c7`2VE7^^U7U4C$AFSZdi!H=QS0q#D<Vr+(
zoVo6C2d-ZwEEfu@&$L9oYY|vDANu+JqQw_&XzlDN4|!y~Cib)Y!8MU;QOWByVU$SA
z@#gp?%8(j9g>2=INBTc4&ITdAPIazT(X+yCuB&3sG&GTL)C4bgE!lZHgRX?7$H8)&
zyRa8}gJR+DoDF0hrCLtaZsv0QwiHq(=fyu99HJJ;B+9V|x=y;nOZ=P+JT5kMekxwH
z&{-8bgZ#DK<}Vd{%WrLopq!jPv^-Yez25Ak2)&*dp~&Iv-r<x!P1oN+UIq>Xo7lop
z^w7{(7hJ8=@D8S9I$Kb#C}fFye3lVj{%42jn#r&jw9EeM7Cv#ZZUJwl?4eIc98w7&
z4cx7Q!1RK&2wNkrY+lvLCC4tNjBVx~B%x{!mi15^_}vF>FFk}?sw%o!SJ!${b(r()
zn%FQcv0CWvY~;c)ZbP`>f!djGrz#XAGh-K@Y8-}8DZ-PRp9`7cBb;2cSS0sk>{7J>
ziU0y|=rwijXzc<BhA(g?MB~~(Xe0u!ga3E6!<#f$i&R6-rgp<{CS>DoEf$Ij>72&8
z79DP{E#S)jbLpnYO8qO{XGjC|XIHa4q`!d#sSP?HZSTN={^e>}P&NV=DDh-o1Y}4D
zd@n9WiAOgapywA9IQtB_4c2`2_Cx2x^W@bs?^8$;!m9><YlQrSb|1bWOAmLXm4N^G
zr_Gq4j?lphLNZ(X2iX8OgWfdC-V&UI`0fPy;!<xJ{3TNY;eO`vl?jWr@^Ip({K2F)
zu;m7Vvc#W5?`vCwr@`Xu+CatTDO4lqgLL+3`CHf+?wPaB$`47?#@|Tvc0DtxRckvC
z_677Wh1qqBDUBu-LUPI|umx7_(hjMBGz2rZI+6ZTO-&?&1W8isLpUd-JB<d9<;l#q
zZ47y&T)HxLiCLt*k`-h=Id-=e>G3f>xN!z6G_ScUF9y8+NO;D=e(lAlTN~f^gR!U&
z!f0mcrbm<R;P;-Mw}VJNr_kj`KZ~wM2Zfw@OZAz9Fm6qR!La8zHLlUb=`IaTI|6}C
zhqW0Kc;q3_q4FZML+1)z54{v?57?vkbo1eW&L;}ec&m8?0N-;iCpYOA4nnW44}_8*
z1vW=7s^Nl=tP3OyV|8i7@qzn+&6iMIZS3T8w;ah^9KMx4><3cA0S;?79-j0~&>WqD
zA4*AuRpm}Sup65JL#{?Tzmf((GAcfe4{u+mqt`c=bE(-2nv5@A=iE6qgP~PP&@V?a
z&7<a#uvHdwvxoECs6;yNGtV+?<(YnKfsef(<XvytG8qapt$=Ieu{&P<d^LvDF-Cfz
z4~>+*D@F+wI`y}VcRE=zy9n2wpIMZ?e%q_o{hkI?G0T>Uw!}Ygwy$g;sE$MIw|bUF
z8rdJ3f=xgkb=(6e9)2M5ENXq1clbA=|FQvJ_#da)LiV(0=*Of~^2GpXZ(KrR^g5eD
zfi;kLv5}!QOY9iJC#rV7RkTYlJgEJ0C1;g9T4U_ED$<H~tUPeBM(L9IZ=4xju*7`R
zPSkJcqPn;x)SN2iM`80o%s05YJZV6^sJ8eNp=w~3Bwll~G6$#MeW1c;zUOQae>n4`
zM=%Y&1>Nj@Ph=SMhu(OEX1=FcS10D1Kxl^sbmK}9>{UPb?1?w)=0l$e#39~h$W|Ls
zJ2oW!(f!7LgQb)=zeq?g7f-48d>E!Z>8fOhHjLFX0PC(Bk1uzk)rHlBpjafLgp&_X
zvc}2GcOh-+bF1?{i0kyDq@fu%k1orsZk!MV7S7y&I1ePKCV$pHsR+VjQd^fn(a3wY
zU!vGUw8R5^2F7?QXe!fnArS7yRgqlA-^54fnwHkJe5l)-pR9wFDmgH*5-#c91~B?;
zsIuuOxV`#?&c5TC3+X8?OkPVk+py=*yHW&_0-;xri2|;WEcNH}1t&G-`h<3iK5mA1
zKjlc@-E&7~GBpPx`}ST8Zb%jpke@TQPF$yee=Es6c3n2ASFkcuR`C<lxkyAM05{tJ
zFsLT5)=037YVfqF_L*4!(<wq>shhp$&NGO%RSWW+KvkEgKHJRQ5Kd%4L~4ig_iK>9
zrJ1$5kO_>lQA04e_mV9I!`}LEFSL$_jghr8VgiS%@Fm~ZeJZ<Xi4otB&bZZ-(D4f*
zQ4x2JkOvU-%idcsMR%G`K}##I{NpUG$HL=PHfRUQor&K1mIjLUsjX?E*qw0*?6C!g
zD8m2znf(ST%DAq?wX{`w#dMIimM83DyQT~vCj9Q0Ut^Pfs|&B*U~@rxVX{5Ry)&$W
zQe5kmJ$|7pv$+OU_)@cm1?i~e2N2S%H`|%cK2x~II}TFoYodlp=QxCO3RGo+2?lSy
zLuIo~)9cc?dEQu9{;I@?$I=DcG)rrz9jY@v&a7*!57WD$6S{lTD)|J7?wNh}4<r_$
z6rRvm8*dy*(_7d8rk!zHT(}rcDGunkm&W*V+>5nNxuWmNW1-FF*?IN^1bi_TOSxo)
z@M7LThTc)IQZH?Nl2HzhPQ8<mX1I;XF``@!QC#4#ViF9BMUueEUVupY8qQGCsU~eQ
z=Fj<pF^AC4pz$D?XA3J-e)r&)kgUtj`C-dtNk^ZTX<xEC^o%xZ9JTp$Dg!JT*F>oc
zH%c#X>aVvAfx&FCcED@$wwHl+SuW!(2-5mknIC4y)h$B*PRsMb>D)W3A7no~o>6!c
z9J+waeo7{8SPu1q($iol2RVxV4S0wLS}(xwrC91#VZ;;Yv?KI?uR5Bz42AF>i$_wT
zLXH#7xKb172pWWiAdtXx-5+0wwB&F5^%+<u2Y%)c{O@;F!BF>9ge(Hwvcx7KtI3$l
z;DAt$q18XX?OY8q>A+B+4s{~G-|ZRioV(Qhf38eo8xo<;+`YY$9V0$;&Aq<`A_4Ol
z!hrR5@{CPn{%&;lz<&R;y-5Z66$_?W2W@%-<`y1GqqMQ92U*2W#OC>w7#|li&#-iV
z)6|-Uv#TR)4jyK9NGFT2Tpb5#Yi1jCi2Okw^3F+|n3ll6Fr2FTUaaOChGs^0OVlOb
z^X$0#NuGi6Vkbfx=@ErHpM<Y{ZjTl;jJ>l8&F+J4!j%e6qvx5D_dm2VMQa_f4%jj0
zcppQ58%a|fDzHibR^Suq0Fj+>iP)pSJHYST=N$fQ|G~S*Wtt9vOv(P_?HkLErf5kU
zig(?EMOoG8t#wiTrl9O|t1m73yK}|ZnO_fz0$y3gVbs<PN006u88^CqN|rV7^&7OL
zRg&gQ$aJjVI|RC!HOq=%RbXPSy*l6pJg#gyH-*R_OKxHG*M>Clwof1h_DRB3S6LK2
z#%?JD@?$iC17N9cjsztUx%m}6C^vtCGvem^!2wy+h8QxHSwG5vse5jcBBp?_ot$b9
z4toITBx}|3VeVmcuY}Y<TigzbOErOS>Z*5hfQERt;^!LC90OETO;w4}q5P2Ci(#WZ
zdN6q&2F;XwvFqSZX=N1X15^<psy6)G`dxl_w%3Ex)gy57lJM~u1)ct=xy`Rzm|1cg
zA}5Ab#TRrfMMtbpzS{<D<^|s@?Jm&fKF#C^Q0hg|&kaM=gEyoZ7WV$s1|=8!(?naH
zg^HmyFEU{<*+#bpGn-AP+m2|ZzOGn3WP|iEnBPQhME?8|5VP}ht1o5>6-RR{(cQ0d
ze)F`pn;OV$)y_oj_W}=2$lE)w(hQ?9STw74iL$SGG<)ItmyrG;HxhAeMHt;p-+@AM
zwQevLL$`6)>4Z(K0A2~n073Q7jiNbpD45nBAVTH+AVT6fTC27{h&zRQ?a1ZxVF5Z<
zY!xEW(k$dND<Czo>U>ya(ozVTdK>l66{0zMD5UvU4IuFikZtFkYQZQ(L*^{^j@S{1
z(v=oR2|m2Oe*M$amypFCh-isSBv#a5vQ*2y^uv>@n}@!^7^Hi{@507TMBH`S8UvJy
z_eA&%yCX1HrVTtU6N52!5$gtjHnOh@%)$2a<Iu0?rJB!?D7)#9QIJbrTy!rRfM~6R
z3lrs-0xlGK{RC)98eUnYBP#tH5Xg8KRD0Ie#Z8y}W82_r_zxJ(K0LiJP1`dL3XeHN
zSB}I~?Nem3CpmDGS1n%wO9cqyuV4z8LEhf$hg(wzojqci;f)JHc#PT^*KVt4%+t~B
z<Rh3GIXzAgwev&&!_HcJ?Ow{j%7@n9c<`w%e~Xj%O(=oGU@J)Z{4z{Kif62U<vE~3
z7CJZ$w!9hH1aRs%J$M%B?bip@!BH`qdNhVNPE_nGf_7_qeNb-D(e?JB6PV_)W4CHi
z%jJBWI}bite}wEf8(|*&xMcG7Q-eA{5~ccfMjDlE6k79lQ*9J^Lzt3sspm0~o_CMP
zDudYTTqb-MnsKb>t_@Z#<Mg0&Q!sd{us}5W)xCpDJiFQta*JchoFXSd&UX}c)`qXZ
zoe}!$^Sx)e?%N+yDr^KZTi_k9*Z$f5+3Mh$GI{UlOXDnopCFL`E4{f8^XJ!Oa>tRO
zIRU+J>QL?df7CZCu<h<y-Wr|T<gwMW4>1ig?zTmeXn~bP-x%`2N}G|uo)0R1>o4uc
zOvZ+~Bj8Ez2bG&#laZFXGHji-tEu5Dq|mNiN4nR%X_L#4x7$RaT?qIP;W($)0;7HY
zquhv7NhQ!O)ggSLU^+ZSFr<68XE@}tu{TxW#OC?k$OJzv*k_d_oP8IZvJ$8pn&mkD
z*7gNKgA3Vng3!6O8irZilLCrwr}sBp`1}PSb=2r3=NnT6$-2zc9~NAxafTYCc!_Bc
z#%Wew47*TKeK>`we(Fij%MOq&bpBtd4bL-%4WrR}r%q+<`$05OC#lf#Hu89wVT-%X
zqZ~&QJU4$8S+Ks@LoCDHsEpc9KQM$mJ^^$Tw{8xRb0E0+`tnB3?pbCPfOg0cs=8DU
zMXi`^?Dc*0KEe7#4&p59e)G28_xg#!FQFoJ5?N7sPG3OZ4(18pONE~lCL#nXSaV`Q
zdWU&=s5$6r&O1o5-Xc@Hg~}j1txt1K+Mk<hMTCmk820$GAZN!eQb$<~sJLuEMkl&}
z5=XO2Rfdn=2@or6#;?H%Am}8qkfNn2K8iQP>7bxG^?HYFCUES=^&mrY4&=|8XD1>m
zvH9RjnOK5r_bvC_Y_5e3SS)7W6OGp?!Z7S4PXRb=ZEb_xv>@^Lq4XYjZl#KLsq`4L
zt$T|>d&qh<a8Ekp`GZZz3Jbu<YBMkOyDO^ySCGfs2}EK;O-~9(3=<9I?~ayd(ng<j
z7(UL2ecm%MqBra~YH8w|YI0+`E#LQA@@q_l`<D2^a)A{LVm8)m;p1tLHaUp<k#iz7
z?M)%ikVYw^?$gFNHf8*{9$#P814ECUrD>oM@(_+oYK-_k2Ty#M%cpc1l!Q4hpW=Og
zY6r7V+j(E>%SX6*-pMr^tskuqY?;57KD!^sN_0u(iVLT{5Nke;RZ@QchcLz-+~&}3
zvFlU1ge06!zMt3=|NgVP2Fch!IscW^C;odhNRX45KBP09D#k{5^ELwbzCTGfk}1dG
zU<1&LPSF-6Q$m85wO)YGxt6oSj0>ptTjJjvb>iK*&R#F3>@}#Tcn=%$2N`_<`g5SX
zq|u31cnYR<NLe36C5htjJ+`_Z1i==CS$P9CN3&c}Ja@;#+$AJA`b|EkiQ2hfsF9?0
z2szC1Ig;`)f%6EE(o<IYRG$|Vj4gHVU7Kco`XKgUidG(IS-eO#RePo-B%>%JW(^6n
zGo*28ERTnYSJX<<sWAwZO1H5QP#Zky+ta=?ad{iIOv=bft8DvyV%)erw`06Nx|maP
z2?68^vMgVzD{Hv09nqRmOhGT8LRrsu2<=#S`nzMRk(M~+Qj<gr_I7J;N-fMXJw7k`
zUAgLn2A@5M6Ft2h<AtgAS^%w_^$a?7Q%-7mp`0Bt4PjA4LQpAEi$UTeNqCI4&Cz_r
zeNh8~G2(XFNrDlu&!ahXJT2u^5*hnP0@5b(@Cj@bZ0jUav7z4~dgd@vIoL?eSKv9D
z<27clAgQ;*QEf#Y94_jm#~a8*g9~Z_qV*~{qVYTMZc(Q<Fg#)jr2&va6yga4l8WqO
z%J!ZO7{7rhIM22uV-IE*&6*JG>34VyY+0<+9R9Pt2X~0=alTEA{Sp1mrc7NG4rTI9
z)||5_nl}0DTb~rN*(wwpf=`Mb%^-)GToZCYzcY%>-%Ftq+WX_92MJOHtinl%<hqiF
zr9i%C*>N#V&RLOfnMw6PU@k<P*iSf<3HIKvQ>0M~X0frZ2k7lGDHlZ^c2sm;Qu`WM
z9BTv$3yI&`qnCbRuxE#B-8IRT#{5)F$h2I5z2{zYGGVaMYRnPLoqt!iw_pV$vtOL3
z`fml4MiCIMYk+CfzJFhWyfQTt?0j!uEM)$(NJ^tV#2PBIeCE=!7Ul{0gk~-&)Nb#p
zzAW7#qxOv{xWJ$|NGCH;TgOYjXYEkQx}37i>+bo`zi(M)iaU1ok(LrrUnxQU(?F*l
zV0#t$_a8}OLEu2M-k{^o%5_YbjhelGwOKG}MeBlfvZKnaJU00%Lti^4@RsTJ_?u*L
zaHAbQk*^iOqW|#D^B(?DDFe>eI~MmvuzucXvUYg`dP}=rogfd&H`W%WU8xBy{tm^-
zPTz-`uA1{iSack;>25OlK^py-s$cmEo3-pH&O<N4jX9XkT;eG+@H99&OZ^x54XGnQ
zw?XZ@QiPjIx^KwtEDeA=ngkr{&cWyPUfPn6Ha<t+y7K*?&DMk*PmF|Qy|eWxr+<eR
zP9LnBpxnow$?V=?+@OR(8P7T0^mUX!1udjxr$u>6G{f$MOYHC0;c!}UmnUGN+MB%u
zw;+6`9N8$yjA(Cj5Uy6lDcs>7k`zzTha5>6@jVqzI|#qFSo{%6MP6Kq{1b7H@)r_4
zuR#=tVOvJ*EejlLHI_xG&vrP_RhR$qv%PUmi|`63K4o4s0^k_6AR;jIgdD~ktw<mO
z!pLJV)wtjp1QK`R$gRHp?24@`jZocx6wax%ZDlikv=BB~|Ll&id%%hA7AF$9q#TfN
zL8X9me)v`~(H2qc`Y{AD^X;gSMZS=Zp@s{eUBhirqP*p!fiEJr*cgPltQ2yp3y;i+
zN_yB{EMex6#9Zw-XBe-p0&(NLe)vjro{?0pG?#B#K0tFQhwbuQuiWi|$o8a+KBzv`
zV)1EAqD1X*&0f_P{M{^nMvX5-uN&G(KQm1Bo7nZq`fhyeYVqkUKlkJ*pYtr-H4f1;
zN63U1k-3C}WWw<?gL@$I9NEl$GovFJ?+)u_#=&lkTA=UEMZ2a9vis^7G`Z~<x6>8n
zDiJ^b>+9kt1^G@{@lQ>(-;5njoD_5FO?H}!?>4hJ1X+mnHaUKoLi(Ls-KlKKD{=)r
zs?fVsL_cF+-U9(nm#8mr1u0YeaIP(-3iR~$*W#7`*m}yPeKU$})3AgLwmAmwIQ2xU
z8KX{R#H2IaLXc$2YChILo?MS0lP4qJA8;V$-F8{{{r6F;hx|@&_A6h7%%rsUqc(`p
zOKv8lUc9m{Rv6)y5gfO^^C;UQotXp()jeOqks80R**WL~_NfZgy6~*L(@!25Z?VKQ
zCjE#XU4lkp&K?hI-e<GtNUGEU=mTT=z-NXFR@_1|snntP!48N+PFmhnZ@Wa29Me5s
zBKBVVFJ@G%f8u&JlG5$r<BegCHROt%mYNXY83mbaZU?2LQ~88*u)OP3S2$NGk2o<*
z<te8eCykNS<wc}V`^xm~y0W)7uWKUSS!7>oL`RBuMpngSA#L3-4>6!q7B&a-$rEvf
zL2lm68EmpIF!f(~<Z<YXJbmH8?-2FHT;DEaEF1C881va!0F$=HH~Kx0=MxPM3APJL
z?R7)}X*;q+XEp_Usy))!4<mYF^6?||ujG14kcU8sdDBUBp3zsibp6*1(;ngcbyufu
z{A}JUo^ZBnJW*HLQ6>8?_rO&!{};LE{XTHMF4R2P&xTx+1h3!!KH0%{td<d1{6Etn
z9jgW(YYjFDJFSD`pcQzJ&qIiA*{VG`g-&trG%*XZ(ZktITYybr+O`_<??f86g|&>Q
z_{oJ?=%Fi8wgj9y=g=(myYBlT#Te_9%ic}6E9zeD*Og&s*s7K=EHM^vq3XHBl_A?8
zR<Nono(?5CQnBy3P153WAyWEDIse}Q6_2Acsw}(H!*@G}7J4W1H2B!XFV5U}<nrG%
z-^&dSS%2-CO^3fXRhpp=f*BYHesxIh--}X#iGv8?UPRg4P|N3FNix5ts?vGG8FC)Z
z%-)&&`+L<uD<!O7g?u4lxkpg_N8SMU0h5!H(IO(QD0Yu|#GzirPAPe*25|8Ouk>bJ
zb^#|-+>BLrf*;)p*#T^(iG5A8%=lvF2+NwzM4JCl2flt!rJq){NgWT%yWADN_u-1#
zuCUmBa1Y-*KXNFY`Ex%2%vA;)P_aL+OmIAJfpF(pw~DtPTe%zt@-ym)Pva9N0Lk84
zX!G#)--$|?KD7r<mq%c~cm&zkCdN(Lt0u30K`bNedo<MG1ax<(0>9yEx1!%#nO9$Q
zdR5#@?3RL?BjgTql8igF7RPgr*8+mx*ic&3vaS&E>3V53nNF)=*k(I!f1QGg^YX93
zBFa~JOD1u0MiZFl)sd2l;BSe}eNUqa$1HTkvlFO6>=q?5Rzxc}W?HSTjr<)&Gqc#F
z%T6m;3=6tJI^X3IDm-TgcdO3_+#4oS24>lbk8gr89J}0WKkT@Lx$o3{3*{D@kwYld
zlgAXX)kyidNObB|kH~minjaio%pVxP{S{Zl4nCSyIGZ)h=XG6Ly6^Wu;(JXkm+83B
z#81Q@@l)?(S*ZA!;s~i{!{HcwnnkV`AOBu?UUrz)T{3_-(4)G+Zyi_rDxniSX!wKZ
z9;;Lpe%Y&%U~1mGjsyX0v(d-Wy%%kuB~Hf-jTljn*?mgxyOSeOvzzD&wmJ#*<3YFA
zcM7vL9D|s?t6Gy#f0o}_fXChO37pI^VU%Ox6WSzrH7Dyk6i|n*(JF?-t~_`B_a2qr
zje1>}urp4JTOLy5`u0Mh@Cs2LVU?p%a>n3i=!d#IH?igU?N>zC)c05Bg_@3WXwPEt
z!n~{%o~ev=;+Hmlw*DC}JM-Gjp^2ZHUinI|N=1TvqmyM<-n46Y&dqKkKAuR~6l3y`
z*fr0^WkU+iXK3uIl9Q!ma?%4++FQWgJvus*^V!JCrc8kGb0SPs$evRf8%vqGIRa&f
z&NKEvlY?5;ZLdja5O}ft$`y{z-uDB0k8wCSA?+u_TCum|JDFyiDpeC~t>*g9c)Ebt
zRkgs^Hfg`#-$jVO{Rl5Q@dG%gibc<R%(x;q_{5Z}CDYCe$f8=`b^7zD^90i^OcD1b
z@(YVpu9&k%1(fE!ETc?+XOL?+I%P2OrxQh;GKe-fCG^Y#2T=eB57_*DL7EYcndFdR
z95%uzUj1<<3@Sf`3opx4R9|yXxRVK;RppPX{{3cjb-7^tDP?5eEiI6RkS|`wy*w%N
z?_?m2Dolk9pOxU5^GE*u!+;vG2h@m`&fZal|9*nwKz;xCyg1)N(EdO<)DdT@0xthu
zXnR@W0KuqU@AMVUR>zLbKl`t|B8M7bS>M?CLM$*4`Y__{yVOI^{aBJAzll$b5*I%?
zGp{h>++(H!=>|PDR?~ODp43yz3#)W695AhFcjwgsh}6QtCc8CvrEqmc+(*m}4v@p*
zmA!BtKKa`1h*0%Clb8gWHRwW^hu4c+WW`U<xXlJ%JvFo%T$^(l>aWf_)*k)cZEhzT
z+R+<ummr_#`y%4w8u4*ks`fR>ym%Y{CNbhCZ$S@fs3k5o2qm3LF;uInHR<1dY|d_t
zvRl(hCz+Zf0O&4)v7)83tqXCq;s-ke-EXi!bpONAz7(?^(X-V1(mRdkQb?~%UYJN8
zidj^y#yV-MfKoO6ckXsVql_4~aC@Q|R_Pc%F;$ONUp47^y;IJ`PePLSgV-xs<JyZa
z%Pp+0PvJ-okItQeB(r@&Y0OCENZuJf1o@zM8wy^@#~XO*Or@LeL8SQwu+KAc=R>?5
z1xiZRb>&oCo#^0ON8X$x_?f5K#j;NTst|fJ2goRCb{6Lee{Y@R3|m_)^G4iM2RmB!
zsQOTw+k?{qE~E|;C)rSXo(YeCRZ~n6grog8T@USw)~Ei7OLxakI*2f7a-8HpHg9)4
z`xuSrQgtH1&<|<_3Z_qNK`&%;146yNh_h_k^B+ZOx`>HuH_2EC*!qiFuHCj|^5V_E
zPnsDH3$(xK_pXMV_t@O*-QMB(nh#LDk*Y4g5}ZrpzQcTC`QcFNQ!WcZd{GYM_gKdn
z-W2fNXuFvQMm)Z?Kx&TRu><?ooPs}KXN;G6prkA@Q2|pkcc}5ji#QU=_QO;|yJ-9~
zMq?W1ve6oebg)Wm=^)-fLUQNTtj)Z?(=%L;sym-t4YOnIr)>dkVL|49zpmiIlbUeZ
z(54HBpgYg^D5e*Z;0RzWdGs=oEB+|6UXr{YcYdLq>jeO}_ai;3Z}$MCY$-2@NupzR
z`3*&rPW7ROXP4XP`}GQU5ZdDr8Vd6q<doDAeW^<T9yc8gu7+#EGwl4|vuubX>u8U}
z##7`yn(gBKXS$)&+BrV>;7lMA{qd^a*FqJ*n_BzL9z1O_js|cM`{hG5|1N<!F6ca*
z<Os{W&n`SwO;P#1z%n!{P9hdeh>H^avU~c#Rz(@>2C&3$B?q+reQZVXcJrucB!hld
zsT!J+710ZwG3Lnpg8A>EH{=Rpgw4bNTT+<mzw1A;vECNp-!Eq$+wS5{2mcYw4w%*%
Hd&mC|h@5CH

literal 0
HcmV?d00001

diff --git a/docs/architecture/psa-thread-safety/psa-thread-safety.md b/docs/architecture/psa-thread-safety/psa-thread-safety.md
index d8256b5c5a..8e9f59e302 100644
--- a/docs/architecture/psa-thread-safety/psa-thread-safety.md
+++ b/docs/architecture/psa-thread-safety/psa-thread-safety.md
@@ -300,7 +300,7 @@ A state transition diagram can be found in docs/architecture/psa-thread-safety/k
 
 To generate the state transition diagram in https://app.diagrams.net/, open the following url:
 
-https://viewer.diagrams.net/?tags=%7B%7D&highlight=FFFFFF&edit=_blank&layers=1&nav=1&title=key-slot-state-transitions#R5Vxbd5s4EP4t%2B%2BDH5iAJcXms4ySbrdtNT7qX9MWHgGyrxcABHNv59SsM2EhgDBhs3PVL0CANoBl9fDMaMkC3i%2FWDb3jzz65F7AGUrPUAjQYQAqBh9ieSbGKJIqFYMPOplXTaC57pO0mEUiJdUosEXMfQde2QerzQdB2HmCEnM3zfXfHdpq7NX9UzZiQneDYNOy%2F9h1rhPJZqUN3Lfyd0Nk%2BvDBQ9PrMw0s7JkwRzw3JXGRG6G6Bb33XD%2BGixviV2NHnpvMTj7g%2Bc3d2YT5ywyoDv4H08%2Ffvxj9VX3XGGw5cf3o9PHxJjvBn2MnngAVRspm9o0Td2OIsO7%2F8aj1Mx0585U9B5bgQTnxgW8YP07Ksv9he1bOcn3KSTzm6c2Zc1hqs5DcmzZ5jRmRVzsegK4cJmLcAOjcCLjT6la2LtVGUnJZmnN%2BKHZJ0RJZP0QNwFCf0N65KclbXEYDuPTdqrjP0T0Txj%2BlRmJB4322neG4UdJHapYSMACowkzphjfYy8nbVM2wgCavIT5btLx4pmaCSxFpscf%2FNvcmrbeMk2Rutsv9Emba1puBvEjl8y8v2QqJGOOGiNwF36Jjnul6Hhz0hY0k%2BO%2BxGLW8V522Zshwtsl8p8YhshfePXfpFBkys8uZQ92UHXwYrgE%2FFzJ6Oya1VUpOo3euancWplJKiNpymnduttu0k4wQFhzgGXjk9mNAiJv13seX9kBhkbr%2BxlwK9Xm86cyEeZQxCfCaJlSRnafkxOLKhlRTqGPgnou%2FG61Re5khc93PZx8XCAR4XOVb56RADYvTOSq3CwXAQM0g2UVJ2zxAd4mt%2BkaoAwxJ1OA9KNLasA%2Ft3np28v14nevQNvvXXwTmBYysAwKIXhHdxLWbiXjsB9c%2FCGFcEb9Au8ec%2FJgWxl7D7yDugYrFO6mXE4LzAmU4Pak59kMzEZXofUdfoM2ema6SNkJ5ohp1Qc3x1%2B51%2FF94%2Fj8eOXh17DMFIuDMNyldderTjnt18u0Lm4kXAVIz3dfRlt3b2inUZ347tvj39%2BuU4b9Y7PqF3RmepRZbPotTmdSdNOx%2BgM7BWdgRJ7%2BWkyVAGLJmWs8G9BLCs3KsAq1FTMGkhQX5XrAEUgTfJ5yY5WyHXYFSdk4YWbLeEJbDfsMdlJF1Qfuc5OjXwuegOKXtTt48sNbhIwxaMuGjL1K98VYYwkpRijMDjg0QBEWawUZJAmqc1QRpYElGG%2BjgSX7DoFVow0U%2BrQYH41cVW6uE7Gmg%2FM7rKu8mCDWvEpRSvUegboKaKfgi3Npf%2B2RZaYbZwv51492dMcg6rm3FGvMEhWMecwitowb4MVQZHIoQ9ADPMBY5PplizPwzes82imSlL5fUGhPzjSX9bK9LOD%2BI6bLp7RUDYBfTA9%2B50sH%2Bkz%2Fvi0rha6CVsGFQO4lNEZjjWxXfNnhtTV0GDabkCiobVGeUtm8uyo%2BtFjf9A%2FtVEb6A%2BQxntZO1k1nr5CfC7sR0X74K3QzixwVwxrMzyz2zy9XBHw%2B5WnhyrkvATjhoAPDuVWzsQpUVGsUwhDFglC392cDl%2FNoPKKQW%2B3sFsIr2VN4eObdGGc6NA7ZN5wINg96smXYLzH4Kw%2BcB4EwJ4AFiN8mVwb0gBnbaSCorO12ausZtJ9CtDrXKQjZouQVn7P4l2iI8wWl%2BrvhtnmCyaup%2FZFbo3ysXgfC47bEvh1kVosNGT7OxeXxrfWCB7sFV4iIeDFTSsxkCrkDStG9G153HXtTpQumlZiRl3YhGqLPqV5zS5ThoWzc5barsqbFTwMdbhZUTVRiHsNKwpoCitChZfSXTluMSMprvDigsTeAkprpV0RoECekbQVj%2FH7Gl2UdhXb9Ux1%2FsehoQkMNYcTXBFO%2BhXVwQNp%2BdpwAgWWonRXMFrsdrDA7XKJoVzQUyOhtKIeyWXtryOpVL5Q26jZ2H0h1y6IAXQhEMuT3pwlz55TOohNfcESIXHSeA8TbbNAGpahrMs6RBoS9XL1GrAS0NRNA7GnyV4F6PxNqBK6UaG0%2B6HyJwJ6qTIA6ijDze%2Bso%2BxSPoToZXqpfK3%2Fz9JLT3S5Hk%2FhRNNmX9%2B%2B338yHccr%2FLCqHfLGFaE1%2BkizM%2BpWtTS2X2VrSKgnw2JeqDLc4iOZqvaoW6HPVWJuEQOzXcOaeMQPIlxxwi0ZY%2Ffk1q%2Bj2Gp6XVI7pM4JakoLOq6DGpaiQAuIiGVQGIie6Pxnq6mAl6wJqu9Cv9g3mFVT%2F1WL%2Bfa74OmW%2Brk2T%2Fnkbu4Lg8pFxIKiqtUee0WnLBnW3P%2Bnj7j7%2Fv%2BloLv%2FAA%3D%3D
+https://viewer.diagrams.net/?tags=%7B%7D&highlight=FFFFFF&edit=_blank&layers=1&nav=1&title=key-slot-state-transitions#R5Vxbd5s4EP4t%2B%2BDH5iAJcXms4ySbrdtNT7qX9MWHgGyrxcABHNv59SsM2EhgDBhs3PVL0CANoBl9fDMaMkC3i%2FWDb3jzz65F7AGUrPUAjQYQAqBh9ieSbGKJIqFYMPOplXTaC57pO0mEUiJdUosEXMfQde2QerzQdB2HmCEnM3zfXfHdpq7NX9UzZiQneDYNOy%2F9h1rhPJZqUN3Lfyd0Nk%2BvDBQ9PrMw0s7JkwRzw3JXGRG6G6Bb33XD%2BGixviV2NHnpvMTj7g%2Bc3d2YT5ywyoDv4H08%2Ffvxj9VX3XGGw5cf3o9PHxJjvBn2MnngAVRspm9o0Td2OIsO7%2F8aj1Mx0585U9B5bgQTnxgW8YP07Ksv9he1bOcn3KSTzm6c2Zc1hqs5DcmzZ5jRmRVzsegK4cJmLcAOjcCLjT6la2LtVGUnJZmnN%2BKHZJ0RJZP0QNwFCf0N65KclbXEYDuPTdqrjP0T0Txj%2BlRmJB4322neG4UdJHapYSMACowkzphjfYy8nbVM2wgCavIT5btLx4pmaCSxFpscf%2FNvcmrbeMk2Rutsv9Emba1puBvEjl8y8v2QqJGOOGiNwF36Jjnul6Hhz0hY0k%2BO%2BxGLW8V522Zshwtsl8p8YhshfePXfpFBkys8uZQ92UHXwYrgE%2FFzJ6Oya1VUpOo3euancWplJKiNpymnduttu0k4wQFhzgGXjk9mNAiJv13seX9kBhkbr%2BxlwK9Xm86cyEeZQxCfCaJlSRnafkxOLKhlRTqGPgnou%2FG61Re5khc93PZx8XCAR4XOVb56RADYvTOSq3CwXAQM0g2UVJ2zxAd4mt%2BkaoAwxJ1OA9KNLasA%2Ft3np28v14nevQNvvXXwTmBYysAwKIXhHdxLWbiXjsB9c%2FCGFcEb9Au8ec%2FJgWxl7D7yDugYrFO6mXE4LzAmU4Pak59kMzEZXofUdfoM2ema6SNkJ5ohp1Qc3x1%2B51%2FF94%2Fj8eOXh17DMFIuDMNyldderTjnt18u0Lm4kXAVIz3dfRlt3b2inUZ347tvj39%2BuU4b9Y7PqF3RmepRZbPotTmdSdNOx%2BgM7BWdgRJ7%2BWkyVAGLJmWs8G9BLCs3KsAq1FTMGkhQX5XrAEUgTfJ5yY5WyHXYFSdk4YWbLeEJbDfsMdlJF1Qfuc5OjXwuegOKXtTt48sNbhIwxaMuGjL1K98VYYwkpRijMDjg0QBEWawUZJAmqc1QRpYElGG%2BjgSX7DoFVow0U%2BrQYH41cVW6uE7Gmg%2FM7rKu8mCDWvEpRSvUegboKaKfgi3Npf%2B2RZaYbZwv51492dMcg6rm3FGvMEhWMecwitowb4MVQZHIoQ9ADPMBY5PplizPwzes82imSlL5fUGhPzjSX9bK9LOD%2BI6bLp7RUDYBfTA9%2B50sH%2Bkz%2Fvi0rha6CVsGFQO4lNEZjjWxXfNnhtTV0GDabkCiobVGeUtm8uyo%2BtFjf9A%2FtVEb6A%2BQxntZO1k1nr5CfC7sR0X74K3QzixwVwxrMzyz2zy9XBHw%2B5WnhyrkvATjhoAPDuVWzsQpUVGsUwhDFglC392cDl%2FtQGVvIW63jFsIpmVN4aOZdBmc6L47HN5wkNc9xsmX4LfHwKs%2BTB6Eu57AE6N3mcwa0gBnbaSCorO1uaqsZpJ7CtDrXKQjHouQVn7P4l2iIzwWl%2BrvhsfmyyOup9JFbo3gsegeC47bEvh1kUgsNGT7%2BxSXxrfW6BzsFV4iIbzFTesukCpkCSvG72153HXtRZQumlYiRF3YcmqLPqVZzC4ThIWzc5ZKrspbEzwMdbg1UTUtiHsNKwpoCitCPZfSXfFtMSMprufiQsLeAkprhVwRoECekbQVj%2FG7GF0UchXb9UxV%2FcehoQkMNYcTXBFO%2BhXVwQNJ%2BNpwAgWWonRXHlrsdrDA7XJpoFzQUyN9tKIeyeXoryNvXr5Q26jQ2H0P1y6IAXQhEMuT3pwlz55TOohNfcESIXHSeMcSbbNAGpahrMs6RBoS9XLVGbAS0NRNA7GnyV4F6PxNqBK6UaG0%2B6HyJwJ6qTIA6ijDze%2Bso%2BxSPoToZXqpfK3%2Fz9JLT3S5Hk%2FhRNNmX9%2B%2B338yHccr%2FIyqHfLGlZw1%2BiSzM%2BpWtRC2X0VqSKgew2JeqDLc4iOZqvaoW6HPVWJuEQOzXcOaeMQPIlxxwi0ZY%2Ffk1q%2Ba2Gp6XVI7pM4JakrLN66DGpaiQAuIiGVQGIie6Pxnq6CAl6wAqu9Cv9gXl1VT%2F1VL9%2Fa74OmW%2Brk2T%2Fnkbu57gsolw4KiqrUde0WnLBnW3P9fj7j7%2Fr%2BjoLv%2FAA%3D%3D
 
 #### Destruction of a key in use
 

From acfd774bca67a4bba0fcccdb5431ccc8459d9fd2 Mon Sep 17 00:00:00 2001
From: Ryan Everett <ryan.everett@arm.com>
Date: Thu, 14 Dec 2023 14:48:43 +0000
Subject: [PATCH 22/39] Add some clarifications in thread_safety.md

Make it clearer how it is possible to reason here using linearization

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
---
 docs/architecture/psa-thread-safety/psa-thread-safety.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/docs/architecture/psa-thread-safety/psa-thread-safety.md b/docs/architecture/psa-thread-safety/psa-thread-safety.md
index 8e9f59e302..f7452a5e19 100644
--- a/docs/architecture/psa-thread-safety/psa-thread-safety.md
+++ b/docs/architecture/psa-thread-safety/psa-thread-safety.md
@@ -292,9 +292,11 @@ To change `slot` to state `new_state`, a function must call `psa_slot_state_tran
 
 A counter field within each slot keeps track of how many readers have registered. Library functions must call `psa_register_read` before reading the key data witin a slot, and `psa_unregister_read` after they have finished operating.
 
+Any call to `psa_slot_state_transition`, `psa_register_read` or `psa_unregister_read` must be performed by a function which holds the global mutex.
+
 Library functions which operate on a slot will return `PSA_ERROR_BAD_STATE` if the slot is in an inappropriate state for the function at the linearization point.
 
-A state transition diagram can be found in docs/architecture/psa-thread-safety/key-slot-state-transitions.jpg. In this diagram, an arrow between two states `q1` and `q2` with label `f` indicates that if the state of a slot is `q1` immediately before `f`'s linearization point, it may be `q2` immediately after `f`'s linearization point. The linearization point of a state changing call to a function must be a call to `psa_slot_state_transition`.
+A state transition diagram can be found in docs/architecture/psa-thread-safety/key-slot-state-transitions.png. In this diagram, an arrow between two states `q1` and `q2` with label `f` indicates that if the state of a slot is `q1` immediately before `f`'s linearization point, it may be `q2` immediately after `f`'s linearization point. The linearization point of a state changing call to a function must be a call to `psa_slot_state_transition`. (A function which: locks the global mutex, performs some operation, calls `psa_slot_state_transition` and then unlocks the global mutex, cleans up and returns can satisfy this requirement).
 
 #### Generating the state transition diagram from source
 
@@ -316,7 +318,7 @@ When calling `psa_wipe_key_slot` it is the callers responsibility to set the slo
 
 `psa_wipe_all_key_slots` is only called from `mbedtls_psa_crypto_free`, here we will need to return an error as we won't be able to free the key store if a key is in use without compromising the state of the secure side. This is acceptable as an untrusted application cannot call `mbedtls_psa_crypto_free` in a crypto service. In a service integration, `mbedtls_psa_crypto_free` on the client cuts the communication with the crypto service. Also, this is the current behaviour.
 
-`psa_destroy_key` registers as a reader, marks the slot as deleted, deletes persistent keys and opaque keys and unregisters before returning. This will free the key ID, but the slot might be still in use. This only works if drivers are protected by a mutex (and the persistent storage as well if needed). `psa_destroy_key` transfers to PENDING_DELETION as an intermediate state. The last reading operation will wipe the key slot upon unregistering.  In case of volatile keys freeing up the ID while the slot is still in use does not provide any benefit and we don't need to do it.
+`psa_destroy_key` registers as a reader, marks the slot as deleted, deletes persistent keys and opaque keys and unregisters before returning. This will free the key ID, but the slot might be still in use. This only works if drivers are protected by a mutex (and the persistent storage as well if needed). `psa_destroy_key` transfers to PENDING_DELETION as an intermediate state. The last reading operation will wipe the key slot upon unregistering. In case of volatile keys freeing up the ID while the slot is still in use does not provide any benefit and we don't need to do it.
 
 These are serious limitations, but this can be implemented with mutexes only and arguably satisfies the [Key destruction short-term requirements](#key-destruction-short-term-requirements).
 

From 6ecb9ce5fc7d77b6d54881ab4d78231fb4784f98 Mon Sep 17 00:00:00 2001
From: Ryan Everett <ryan.everett@arm.com>
Date: Thu, 14 Dec 2023 14:54:24 +0000
Subject: [PATCH 23/39] Link directly to the state transition diagram

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
---
 docs/architecture/psa-thread-safety/psa-thread-safety.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/docs/architecture/psa-thread-safety/psa-thread-safety.md b/docs/architecture/psa-thread-safety/psa-thread-safety.md
index f7452a5e19..4b122c838f 100644
--- a/docs/architecture/psa-thread-safety/psa-thread-safety.md
+++ b/docs/architecture/psa-thread-safety/psa-thread-safety.md
@@ -296,7 +296,9 @@ Any call to `psa_slot_state_transition`, `psa_register_read` or `psa_unregister_
 
 Library functions which operate on a slot will return `PSA_ERROR_BAD_STATE` if the slot is in an inappropriate state for the function at the linearization point.
 
-A state transition diagram can be found in docs/architecture/psa-thread-safety/key-slot-state-transitions.png. In this diagram, an arrow between two states `q1` and `q2` with label `f` indicates that if the state of a slot is `q1` immediately before `f`'s linearization point, it may be `q2` immediately after `f`'s linearization point. The linearization point of a state changing call to a function must be a call to `psa_slot_state_transition`. (A function which: locks the global mutex, performs some operation, calls `psa_slot_state_transition` and then unlocks the global mutex, cleans up and returns can satisfy this requirement).
+![](key-slot-state-transitions.png)
+
+In the state transition diagram above, an arrow between two states `q1` and `q2` with label `f` indicates that if the state of a slot is `q1` immediately before `f`'s linearization point, it may be `q2` immediately after `f`'s linearization point. The linearization point of a state changing call to a function must be a call to `psa_slot_state_transition`. (A function which: locks the global mutex, performs some operation, calls `psa_slot_state_transition` and then unlocks the global mutex, cleans up and returns can satisfy this requirement).
 
 #### Generating the state transition diagram from source
 

From c1c6e0d906664103438fe96e7fc09c4f7a5e6d70 Mon Sep 17 00:00:00 2001
From: Ryan Everett <ryan.everett@arm.com>
Date: Fri, 15 Dec 2023 12:26:38 +0000
Subject: [PATCH 24/39] Justify linearization points

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
---
 .../psa-thread-safety/psa-thread-safety.md    | 27 +++++++++++++++----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/docs/architecture/psa-thread-safety/psa-thread-safety.md b/docs/architecture/psa-thread-safety/psa-thread-safety.md
index 4b122c838f..70b1341c23 100644
--- a/docs/architecture/psa-thread-safety/psa-thread-safety.md
+++ b/docs/architecture/psa-thread-safety/psa-thread-safety.md
@@ -283,8 +283,8 @@ Note that a thread must hold the global mutex when it reads or changes a slot's
 
 For concurrency purposes, a slot can be in one of four states:
 
-* EMPTY: no thread is currently accessing the slot, and no information is stored in the slot.
-* FILLING: one thread is currently loading or creating material to fill the slot, this thread is responsible for the next state transition.
+* EMPTY: no thread is currently accessing the slot, and no information is stored in the slot. Any thread is able to change the slot's state to FILLING and begin loading data.
+* FILLING: one thread is currently loading or creating material to fill the slot, this thread is responsible for the next state transition. Other threads cannot read the contents of a slot which is in FILLING.
 * FULL: the slot contains a key, and any thread is able to use the key after registering as a reader.
 * PENDING_DELETION: the key within the slot has been destroyed or marked for destruction, but at least one thread is still registered as a reader. No thread can register to read this slot. The slot must not be wiped until the last reader de-registers, wiping the slot by calling `psa_wipe_key_slot`.
 
@@ -292,15 +292,32 @@ To change `slot` to state `new_state`, a function must call `psa_slot_state_tran
 
 A counter field within each slot keeps track of how many readers have registered. Library functions must call `psa_register_read` before reading the key data witin a slot, and `psa_unregister_read` after they have finished operating.
 
-Any call to `psa_slot_state_transition`, `psa_register_read` or `psa_unregister_read` must be performed by a function which holds the global mutex.
+Any call to `psa_slot_state_transition`, `psa_register_read` or `psa_unregister_read` must be performed by a thread which holds the global mutex.
+
+##### Linearizability of the system
+
+To satisfy the requirements in [Correctness out of the box](#correctness-out-of-the-box), we require our functions to be "linearizable" (under certain constraints). This means that any (constraint satisfying) set of concurrent calls are performed as if they were executed in some sequential order.
+
+The standard way of reasoning that this is the case is to identify a "linearization point" for each call, this is a single execution step where the function takes effect (this is usually a step in which the effects of the call become visible to other threads). If every call has a linearization point, the set of calls is equivalent to sequentially performing the calls in order of when their linearization point occured.
+
+We only access and modify a slot's state and reader count while we hold the global lock. This ensures the memory in which these fields are stored is correctly synchronized. It also ensures that the key data within the slot is synchronised where needed (the writer unlocks the mutex after filling the data, and any reader must lock the mutex before reading the data).
+
+To help justify that our system is linearizable, here is a list of key slot state changing functions and their linearization points (for the sake of brevity not all failure cases are covered, but those cases are not complex):
+* `psa_wipe_key_slot, psa_register_read, psa_unregister_read, psa_slot_state_transition,` - These functions are all always performed under the global mutex, so they have no effects visible to other threads (this implies that they are linearizable).
+* `psa_get_empty_key_slot, psa_get_and_lock_key_slot_in_memory, psa_load_X_key_into_slot, psa_fail_key_creation` - These functions hold the mutex for all non-setup/finalizing code, their linearization points are the release of the mutex.
+* `psa_get_and_lock_key_slot` - If the key is already in a slot, the linearization point is the linearization point of the call to `psa_get_and_lock_key_slot_in_memory`. If the key is not in a slot and is loaded into one, the linearization point is the linearization point of the call to `psa_load_X_key_into_slot`.
+* `psa_finish_key_creation` - On a successful load, we lock the mutex and set the state of the slot to FULL, the linearization point is then the following unlock. On an unsuccessful load, the linearization point is when we return - no action we have performed has been made visible to another thread as the slot is still in a FILLING state.
+* `psa_destroy_key, psa_close_key, psa_purge_key` - As per the requirements, we need only argue for the case where the key is not in use here. The linearization point is the unlock after wiping the data and setting the slot state to EMPTY.
 
 Library functions which operate on a slot will return `PSA_ERROR_BAD_STATE` if the slot is in an inappropriate state for the function at the linearization point.
 
+##### Key slot state transition diagram
+
 ![](key-slot-state-transitions.png)
 
-In the state transition diagram above, an arrow between two states `q1` and `q2` with label `f` indicates that if the state of a slot is `q1` immediately before `f`'s linearization point, it may be `q2` immediately after `f`'s linearization point. The linearization point of a state changing call to a function must be a call to `psa_slot_state_transition`. (A function which: locks the global mutex, performs some operation, calls `psa_slot_state_transition` and then unlocks the global mutex, cleans up and returns can satisfy this requirement).
+In the state transition diagram above, an arrow between two states `q1` and `q2` with label `f` indicates that if the state of a slot is `q1` immediately before `f`'s linearization point, it may be `q2` immediately after `f`'s linearization point.
 
-#### Generating the state transition diagram from source
+##### Generating the key slot state transition diagram from source
 
 To generate the state transition diagram in https://app.diagrams.net/, open the following url:
 

From abd8977cc15a460213afc72a02aeca778c3f2bfd Mon Sep 17 00:00:00 2001
From: Ryan Everett <ryan.everett@arm.com>
Date: Fri, 15 Dec 2023 12:28:38 +0000
Subject: [PATCH 25/39] Make check_files ignore png files in docs

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
---
 tests/scripts/check_files.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/scripts/check_files.py b/tests/scripts/check_files.py
index a2a9dfa8d0..a93b8256f0 100755
--- a/tests/scripts/check_files.py
+++ b/tests/scripts/check_files.py
@@ -105,6 +105,7 @@ class FileIssueTracker:
 
 BINARY_FILE_PATH_RE_LIST = [
     r'docs/.*\.pdf\Z',
+    r'docs/.*\.png\Z',
     r'programs/fuzz/corpuses/[^.]+\Z',
     r'tests/data_files/[^.]+\Z',
     r'tests/data_files/.*\.(crt|csr|db|der|key|pubkey)\Z',

From f5e135670b5e86e38e20b62beac9942cb982ac58 Mon Sep 17 00:00:00 2001
From: Ryan Everett <ryan.everett@arm.com>
Date: Wed, 20 Dec 2023 15:24:47 +0000
Subject: [PATCH 26/39] Clarify key generation and memory-management
 correctness

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
---
 .../psa-thread-safety/psa-thread-safety.md            | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/docs/architecture/psa-thread-safety/psa-thread-safety.md b/docs/architecture/psa-thread-safety/psa-thread-safety.md
index 70b1341c23..075c8c4e37 100644
--- a/docs/architecture/psa-thread-safety/psa-thread-safety.md
+++ b/docs/architecture/psa-thread-safety/psa-thread-safety.md
@@ -29,7 +29,7 @@ Tempting platform requirements that we cannot add to the default `MBEDTLS_THREAD
 
 If you build with `MBEDTLS_PSA_CRYPTO_C` and `MBEDTLS_THREADING_C`, the code must be functionally correct: no race conditions, deadlocks or livelocks.
 
-The [PSA Crypto API specification](https://armmbed.github.io/mbed-crypto/html/overview/conventions.html#concurrent-calls) defines minimum expectations for concurrent calls. They must work as if they had been executed one at a time, except that the following cases have undefined behavior:
+The [PSA Crypto API specification](https://armmbed.github.io/mbed-crypto/html/overview/conventions.html#concurrent-calls) defines minimum expectations for concurrent calls. They must work as if they had been executed one at a time (excluding resource-management errors), except that the following cases have undefined behavior:
 
 * Destroying a key while it's in use.
 * Concurrent calls using the same operation object. (An operation object may not be used by more than one thread at a time. But it can move from one thread to another between calls.)
@@ -290,7 +290,7 @@ For concurrency purposes, a slot can be in one of four states:
 
 To change `slot` to state `new_state`, a function must call `psa_slot_state_transition(slot, new_state)`.
 
-A counter field within each slot keeps track of how many readers have registered. Library functions must call `psa_register_read` before reading the key data witin a slot, and `psa_unregister_read` after they have finished operating.
+A counter field within each slot keeps track of how many readers have registered. Library functions must call `psa_register_read` before reading the key data within a slot, and `psa_unregister_read` after they have finished operating.
 
 Any call to `psa_slot_state_transition`, `psa_register_read` or `psa_unregister_read` must be performed by a thread which holds the global mutex.
 
@@ -298,7 +298,9 @@ Any call to `psa_slot_state_transition`, `psa_register_read` or `psa_unregister_
 
 To satisfy the requirements in [Correctness out of the box](#correctness-out-of-the-box), we require our functions to be "linearizable" (under certain constraints). This means that any (constraint satisfying) set of concurrent calls are performed as if they were executed in some sequential order.
 
-The standard way of reasoning that this is the case is to identify a "linearization point" for each call, this is a single execution step where the function takes effect (this is usually a step in which the effects of the call become visible to other threads). If every call has a linearization point, the set of calls is equivalent to sequentially performing the calls in order of when their linearization point occured.
+The standard way of reasoning that this is the case is to identify a "linearization point" for each call, this is a single execution step where the function takes effect (this is usually a step in which the effects of the call become visible to other threads). If every call has a linearization point, the set of calls is equivalent to sequentially performing the calls in order of when their linearization point occurred.
+
+We only require linearizability to hold in the case where a resource-management error is not returned. In a set of concurrent calls, it is permitted for a call c to fail with a PSA_ERROR_INSUFFICIENT_MEMORY return code even if there does not exist a sequential ordering of the calls in which c returns this error.
 
 We only access and modify a slot's state and reader count while we hold the global lock. This ensures the memory in which these fields are stored is correctly synchronized. It also ensures that the key data within the slot is synchronised where needed (the writer unlocks the mutex after filling the data, and any reader must lock the mutex before reading the data).
 
@@ -306,8 +308,11 @@ To help justify that our system is linearizable, here is a list of key slot stat
 * `psa_wipe_key_slot, psa_register_read, psa_unregister_read, psa_slot_state_transition,` - These functions are all always performed under the global mutex, so they have no effects visible to other threads (this implies that they are linearizable).
 * `psa_get_empty_key_slot, psa_get_and_lock_key_slot_in_memory, psa_load_X_key_into_slot, psa_fail_key_creation` - These functions hold the mutex for all non-setup/finalizing code, their linearization points are the release of the mutex.
 * `psa_get_and_lock_key_slot` - If the key is already in a slot, the linearization point is the linearization point of the call to `psa_get_and_lock_key_slot_in_memory`. If the key is not in a slot and is loaded into one, the linearization point is the linearization point of the call to `psa_load_X_key_into_slot`.
+* `psa_start_key_creation` - From the perspective of other threads, the only effect of a successful call to this function is that the amount of usable resources decreases (a key slot which was usable is now unusable). Since we do not consider resource management as linearizable behaviour, when arguing for linearizability of the system we consider this function to have no visible effect to other threads.
 * `psa_finish_key_creation` - On a successful load, we lock the mutex and set the state of the slot to FULL, the linearization point is then the following unlock. On an unsuccessful load, the linearization point is when we return - no action we have performed has been made visible to another thread as the slot is still in a FILLING state.
 * `psa_destroy_key, psa_close_key, psa_purge_key` - As per the requirements, we need only argue for the case where the key is not in use here. The linearization point is the unlock after wiping the data and setting the slot state to EMPTY.
+* `psa_import_key, psa_copy_key, psa_generate_key, mbedtls_psa_register_se_key` - These functions call both `psa_start_key_creation` and `psa_finish_key_creation`, the linearization point of a successful call is the linearization point of the call to `psa_finish_key_creation`. The linearization point of an unsuccessful call is the linearization point of the call to `psa_fail_key_creation`.
+* `psa_key_derivation_output_key` - Same as above. If the operation object is in use by multiple threads, the behaviour need not be linearizable.
 
 Library functions which operate on a slot will return `PSA_ERROR_BAD_STATE` if the slot is in an inappropriate state for the function at the linearization point.
 

From 3dd6cde0d819a9eb45f3be694fbf72e70d54cceb Mon Sep 17 00:00:00 2001
From: Ryan Everett <ryan.everett@arm.com>
Date: Wed, 20 Dec 2023 16:45:31 +0000
Subject: [PATCH 27/39] Mention functional correctness explicitly

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
---
 docs/architecture/psa-thread-safety/psa-thread-safety.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/architecture/psa-thread-safety/psa-thread-safety.md b/docs/architecture/psa-thread-safety/psa-thread-safety.md
index 075c8c4e37..dc5d7e1894 100644
--- a/docs/architecture/psa-thread-safety/psa-thread-safety.md
+++ b/docs/architecture/psa-thread-safety/psa-thread-safety.md
@@ -300,7 +300,7 @@ To satisfy the requirements in [Correctness out of the box](#correctness-out-of-
 
 The standard way of reasoning that this is the case is to identify a "linearization point" for each call, this is a single execution step where the function takes effect (this is usually a step in which the effects of the call become visible to other threads). If every call has a linearization point, the set of calls is equivalent to sequentially performing the calls in order of when their linearization point occurred.
 
-We only require linearizability to hold in the case where a resource-management error is not returned. In a set of concurrent calls, it is permitted for a call c to fail with a PSA_ERROR_INSUFFICIENT_MEMORY return code even if there does not exist a sequential ordering of the calls in which c returns this error.
+We only require linearizability to hold in the case where a resource-management error is not returned. In a set of concurrent calls, it is permitted for a call c to fail with a PSA_ERROR_INSUFFICIENT_MEMORY return code even if there does not exist a sequential ordering of the calls in which c returns this error. Even if such an error occurs, all calls are still required to be functionally correct.
 
 We only access and modify a slot's state and reader count while we hold the global lock. This ensures the memory in which these fields are stored is correctly synchronized. It also ensures that the key data within the slot is synchronised where needed (the writer unlocks the mutex after filling the data, and any reader must lock the mutex before reading the data).
 

From afccc1a6d5fb0fa7133928bca27f3e9faa302a5e Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Fri, 22 Dec 2023 09:35:34 +0100
Subject: [PATCH 28/39] Indent nested conditionals

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 programs/Makefile | 21 +++++++++++----------
 tests/Makefile    | 27 ++++++++++++++-------------
 2 files changed, 25 insertions(+), 23 deletions(-)

diff --git a/programs/Makefile b/programs/Makefile
index ebdadc0567..c0856b0ac3 100644
--- a/programs/Makefile
+++ b/programs/Makefile
@@ -43,16 +43,17 @@ WINDOWS_BUILD=1
 endif
 
 ifdef WINDOWS_BUILD
-DLEXT=dll
-EXEXT=.exe
-LOCAL_LDFLAGS += -lws2_32 -lbcrypt
-ifdef SHARED
-SHARED_SUFFIX=.$(DLEXT)
-endif
-else
-DLEXT ?= so
-EXEXT=
-SHARED_SUFFIX=
+  DLEXT=dll
+  EXEXT=.exe
+  LOCAL_LDFLAGS += -lws2_32 -lbcrypt
+  ifdef SHARED
+    SHARED_SUFFIX=.$(DLEXT)
+  endif
+
+else # Not building for Windows
+  DLEXT ?= so
+  EXEXT=
+  SHARED_SUFFIX=
 endif
 
 ifdef WINDOWS
diff --git a/tests/Makefile b/tests/Makefile
index 29197b7c71..b044d2522c 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -47,20 +47,21 @@ WINDOWS_BUILD=1
 endif
 
 ifdef WINDOWS_BUILD
-DLEXT=dll
-EXEXT=.exe
-LOCAL_LDFLAGS += -lws2_32 -lbcrypt
-ifdef SHARED
-SHARED_SUFFIX=.$(DLEXT)
-endif
-else
-DLEXT ?= so
-EXEXT=
-SHARED_SUFFIX=
+  DLEXT=dll
+  EXEXT=.exe
+  LOCAL_LDFLAGS += -lws2_32 -lbcrypt
+  ifdef SHARED
+    SHARED_SUFFIX=.$(DLEXT)
+  endif
 
-ifeq ($(THREADING),pthread)
-LOCAL_LDFLAGS += -lpthread
-endif
+else # Not building for Windows
+  DLEXT ?= so
+  EXEXT=
+  SHARED_SUFFIX=
+
+  ifeq ($(THREADING),pthread)
+    LOCAL_LDFLAGS += -lpthread
+  endif
 endif
 
 ifdef WINDOWS

From 4ad5733836fcdcaf95e48b6578e017673378f247 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Fri, 22 Dec 2023 11:30:30 +0100
Subject: [PATCH 29/39] Unify treatment of MBEDTLS_TEST_OBJS

Unify the treatment of MBEDTLS_TEST_OBJS between programs/Makefile and
tests/Makefile: include it via LOCAL_LD_FLAGS in both cases. Document why
the definition of MBEDTLS_TEST_OBJS is different.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 programs/Makefile | 6 ++++--
 tests/Makefile    | 9 ++++++---
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/programs/Makefile b/programs/Makefile
index c0856b0ac3..dc6b7a3d66 100644
--- a/programs/Makefile
+++ b/programs/Makefile
@@ -6,8 +6,10 @@ WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
 WARNING_CXXFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
 LDFLAGS ?=
 
-MBEDTLS_TEST_PATH:=../tests/src
-MBEDTLS_TEST_OBJS:=$(patsubst %.c,%.o,$(wildcard ${MBEDTLS_TEST_PATH}/*.c ${MBEDTLS_TEST_PATH}/drivers/*.c))
+MBEDTLS_TEST_PATH = ../tests
+# Support code used by test programs and test builds, excluding TLS-specific
+# code which is in the src/test_helpers subdirectory.
+MBEDTLS_TEST_OBJS = $(patsubst %.c,%.o,$(wildcard ${MBEDTLS_TEST_PATH}/src/*.c ${MBEDTLS_TEST_PATH}/src/drivers/*.c))
 
 LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../tests/include -I../include -D_FILE_OFFSET_BITS=64
 LOCAL_CXXFLAGS = $(WARNING_CXXFLAGS) -I../include -I../tests/include -D_FILE_OFFSET_BITS=64
diff --git a/tests/Makefile b/tests/Makefile
index b044d2522c..3caa88e2f4 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -14,7 +14,8 @@ default: all
 # from ./include, and private header files (used by some invasive tests)
 # from ../library.
 LOCAL_CFLAGS = $(WARNING_CFLAGS) -I./include -I../include -I../library -D_FILE_OFFSET_BITS=64
-LOCAL_LDFLAGS = -L../library			\
+LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} 		\
+		-L../library 			\
 		-lmbedtls$(SHARED_SUFFIX)	\
 		-lmbedx509$(SHARED_SUFFIX)	\
 		-lmbedcrypto$(SHARED_SUFFIX)
@@ -175,7 +176,9 @@ all: $(BINARIES)
 $(MBEDLIBS):
 	$(MAKE) -C ../library
 
-MBEDTLS_TEST_OBJS=$(patsubst %.c,%.o,$(wildcard src/*.c src/drivers/*.c src/test_helpers/*.c))
+MBEDTLS_TEST_PATH = .
+MBEDTLS_TEST_OBJS = $(patsubst %.c,%.o,$(wildcard ${MBEDTLS_TEST_PATH}/src/*.c ${MBEDTLS_TEST_PATH}/src/drivers/*.c))
+MBEDTLS_TEST_OBJS += $(patsubst %.c,%.o,$(wildcard ${MBEDTLS_TEST_PATH}/src/test_helpers/*.c))
 
 mbedtls_test: $(MBEDTLS_TEST_OBJS)
 
@@ -231,7 +234,7 @@ c: $(C_FILES)
 
 $(BINARIES): %$(EXEXT): %.c $(MBEDLIBS) $(TEST_OBJS_DEPS) $(MBEDTLS_TEST_OBJS)
 	echo "  CC    $<"
-	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(MBEDTLS_TEST_OBJS) $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+	$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
 
 clean:
 ifndef WINDOWS

From f5c5ce7789f23960b9e1aadef47d9c6aa9338d7c Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Fri, 22 Dec 2023 11:36:53 +0100
Subject: [PATCH 30/39] Partly unify LOCAL_CFLAGS

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 programs/Makefile | 2 +-
 tests/Makefile    | 7 +++----
 2 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/programs/Makefile b/programs/Makefile
index dc6b7a3d66..9ee9820b7a 100644
--- a/programs/Makefile
+++ b/programs/Makefile
@@ -11,7 +11,7 @@ MBEDTLS_TEST_PATH = ../tests
 # code which is in the src/test_helpers subdirectory.
 MBEDTLS_TEST_OBJS = $(patsubst %.c,%.o,$(wildcard ${MBEDTLS_TEST_PATH}/src/*.c ${MBEDTLS_TEST_PATH}/src/drivers/*.c))
 
-LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../tests/include -I../include -D_FILE_OFFSET_BITS=64
+LOCAL_CFLAGS = $(WARNING_CFLAGS) -I$(MBEDTLS_TEST_PATH)/include -I../include -D_FILE_OFFSET_BITS=64
 LOCAL_CXXFLAGS = $(WARNING_CXXFLAGS) -I../include -I../tests/include -D_FILE_OFFSET_BITS=64
 LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} 		\
 		-L../library 			\
diff --git a/tests/Makefile b/tests/Makefile
index 3caa88e2f4..f242b51576 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -10,10 +10,9 @@ TEST_FLAGS ?= $(if $(filter-out 0 OFF Off off NO No no FALSE False false N n,$(C
 
 default: all
 
-# Include public header files from ../include, test-specific header files
-# from ./include, and private header files (used by some invasive tests)
-# from ../library.
-LOCAL_CFLAGS = $(WARNING_CFLAGS) -I./include -I../include -I../library -D_FILE_OFFSET_BITS=64
+LOCAL_CFLAGS = $(WARNING_CFLAGS) -I$(MBEDTLS_TEST_PATH)/include -I../include -D_FILE_OFFSET_BITS=64
+# Also include library headers, for the sake of invasive tests.
+LOCAL_CFLAGS += -I../library
 LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} 		\
 		-L../library 			\
 		-lmbedtls$(SHARED_SUFFIX)	\

From f3d1ae1f0502ecb1a3555bb3fb4ee408231dae54 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Fri, 22 Dec 2023 11:40:58 +0100
Subject: [PATCH 31/39] Create common.make with LOCAL_CFLAGS and friends

Create a common.make for definitions that are shared between tests/Makefile
and programs/Makefile, to facilitate maintenance. Start populating it with
CFLAGS/LDFLAGS variables. More to follow in subsequent commits.

Keep library/Makefile independent, at least for the time being.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 programs/Makefile   | 15 +--------------
 scripts/common.make | 14 ++++++++++++++
 tests/Makefile      | 13 +------------
 3 files changed, 16 insertions(+), 26 deletions(-)
 create mode 100644 scripts/common.make

diff --git a/programs/Makefile b/programs/Makefile
index 9ee9820b7a..b03e613b4c 100644
--- a/programs/Makefile
+++ b/programs/Makefile
@@ -1,23 +1,10 @@
-
-# To compile on SunOS: add "-lsocket -lnsl" to LDFLAGS
-
-CFLAGS	?= -O2
-WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
-WARNING_CXXFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
-LDFLAGS ?=
-
 MBEDTLS_TEST_PATH = ../tests
 # Support code used by test programs and test builds, excluding TLS-specific
 # code which is in the src/test_helpers subdirectory.
 MBEDTLS_TEST_OBJS = $(patsubst %.c,%.o,$(wildcard ${MBEDTLS_TEST_PATH}/src/*.c ${MBEDTLS_TEST_PATH}/src/drivers/*.c))
 
 LOCAL_CFLAGS = $(WARNING_CFLAGS) -I$(MBEDTLS_TEST_PATH)/include -I../include -D_FILE_OFFSET_BITS=64
-LOCAL_CXXFLAGS = $(WARNING_CXXFLAGS) -I../include -I../tests/include -D_FILE_OFFSET_BITS=64
-LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} 		\
-		-L../library 			\
-		-lmbedtls$(SHARED_SUFFIX)	\
-		-lmbedx509$(SHARED_SUFFIX)	\
-		-lmbedcrypto$(SHARED_SUFFIX)
+include ../scripts/common.make
 
 ifeq ($(shell uname -s),Linux)
 DLOPEN_LDFLAGS ?= -ldl
diff --git a/scripts/common.make b/scripts/common.make
new file mode 100644
index 0000000000..cee8bd245d
--- /dev/null
+++ b/scripts/common.make
@@ -0,0 +1,14 @@
+# To compile on SunOS: add "-lsocket -lnsl" to LDFLAGS
+
+CFLAGS	?= -O2
+WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
+WARNING_CXXFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
+LDFLAGS ?=
+
+LOCAL_CFLAGS = $(WARNING_CFLAGS) -I../tests/include -I../include -D_FILE_OFFSET_BITS=64
+LOCAL_CXXFLAGS = $(WARNING_CXXFLAGS) -I../include -I../tests/include -D_FILE_OFFSET_BITS=64
+LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} 		\
+		-L../library			\
+		-lmbedtls$(SHARED_SUFFIX)	\
+		-lmbedx509$(SHARED_SUFFIX)	\
+		-lmbedcrypto$(SHARED_SUFFIX)
diff --git a/tests/Makefile b/tests/Makefile
index f242b51576..3a6fd593ba 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -1,23 +1,12 @@
-
-# To compile on SunOS: add "-lsocket -lnsl" to LDFLAGS
-
-CFLAGS	?= -O2
-WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
-LDFLAGS ?=
+include ../scripts/common.make
 
 # Set this to -v to see the details of failing test cases
 TEST_FLAGS ?= $(if $(filter-out 0 OFF Off off NO No no FALSE False false N n,$(CTEST_OUTPUT_ON_FAILURE)),-v,)
 
 default: all
 
-LOCAL_CFLAGS = $(WARNING_CFLAGS) -I$(MBEDTLS_TEST_PATH)/include -I../include -D_FILE_OFFSET_BITS=64
 # Also include library headers, for the sake of invasive tests.
 LOCAL_CFLAGS += -I../library
-LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} 		\
-		-L../library 			\
-		-lmbedtls$(SHARED_SUFFIX)	\
-		-lmbedx509$(SHARED_SUFFIX)	\
-		-lmbedcrypto$(SHARED_SUFFIX)
 
 include ../3rdparty/Makefile.inc
 LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)

From 076fd2548038c18bb11a9518c125eb12ada152a3 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Fri, 22 Dec 2023 11:45:53 +0100
Subject: [PATCH 32/39] Unify common variables of programs/Makefile and
 tests/Makefile

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 programs/Makefile   | 45 ----------------------------------------
 scripts/common.make | 50 +++++++++++++++++++++++++++++++++++++++++++++
 tests/Makefile      | 50 ---------------------------------------------
 3 files changed, 50 insertions(+), 95 deletions(-)

diff --git a/programs/Makefile b/programs/Makefile
index b03e613b4c..590b54eba5 100644
--- a/programs/Makefile
+++ b/programs/Makefile
@@ -12,45 +12,8 @@ else
 DLOPEN_LDFLAGS ?=
 endif
 
-include ../3rdparty/Makefile.inc
-LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)
-
-ifndef SHARED
-MBEDLIBS=../library/libmbedcrypto.a ../library/libmbedx509.a ../library/libmbedtls.a
-else
-MBEDLIBS=../library/libmbedcrypto.$(DLEXT) ../library/libmbedx509.$(DLEXT) ../library/libmbedtls.$(DLEXT)
-endif
 DEP=${MBEDLIBS} ${MBEDTLS_TEST_OBJS}
 
-ifdef DEBUG
-LOCAL_CFLAGS += -g3
-endif
-
-# if we're running on Windows, build for Windows
-ifdef WINDOWS
-WINDOWS_BUILD=1
-endif
-
-ifdef WINDOWS_BUILD
-  DLEXT=dll
-  EXEXT=.exe
-  LOCAL_LDFLAGS += -lws2_32 -lbcrypt
-  ifdef SHARED
-    SHARED_SUFFIX=.$(DLEXT)
-  endif
-
-else # Not building for Windows
-  DLEXT ?= so
-  EXEXT=
-  SHARED_SUFFIX=
-endif
-
-ifdef WINDOWS
-PYTHON ?= python
-else
-PYTHON ?= $(shell if type python3 >/dev/null 2>/dev/null; then echo python3; else echo python; fi)
-endif
-
 # Only build the dlopen test in shared library builds, and not when building
 # for Windows.
 ifdef BUILD_DLOPEN
@@ -168,14 +131,6 @@ ${MBEDTLS_TEST_OBJS}:
 GENERATED_FILES = psa/psa_constant_names_generated.c test/query_config.c
 generated_files: $(GENERATED_FILES)
 
-# See root Makefile
-GEN_FILES ?= yes
-ifdef GEN_FILES
-gen_file_dep =
-else
-gen_file_dep = |
-endif
-
 psa/psa_constant_names_generated.c: $(gen_file_dep) ../scripts/generate_psa_constants.py
 psa/psa_constant_names_generated.c: $(gen_file_dep) ../include/psa/crypto_values.h
 psa/psa_constant_names_generated.c: $(gen_file_dep) ../include/psa/crypto_extra.h
diff --git a/scripts/common.make b/scripts/common.make
index cee8bd245d..12fd27fb41 100644
--- a/scripts/common.make
+++ b/scripts/common.make
@@ -12,3 +12,53 @@ LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} 		\
 		-lmbedtls$(SHARED_SUFFIX)	\
 		-lmbedx509$(SHARED_SUFFIX)	\
 		-lmbedcrypto$(SHARED_SUFFIX)
+
+include ../3rdparty/Makefile.inc
+LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)
+
+ifndef SHARED
+MBEDLIBS=../library/libmbedcrypto.a ../library/libmbedx509.a ../library/libmbedtls.a
+else
+MBEDLIBS=../library/libmbedcrypto.$(DLEXT) ../library/libmbedx509.$(DLEXT) ../library/libmbedtls.$(DLEXT)
+endif
+
+ifdef DEBUG
+LOCAL_CFLAGS += -g3
+endif
+
+# if we're running on Windows, build for Windows
+ifdef WINDOWS
+WINDOWS_BUILD=1
+endif
+
+ifdef WINDOWS_BUILD
+  DLEXT=dll
+  EXEXT=.exe
+  LOCAL_LDFLAGS += -lws2_32 -lbcrypt
+  ifdef SHARED
+    SHARED_SUFFIX=.$(DLEXT)
+  endif
+
+else # Not building for Windows
+  DLEXT ?= so
+  EXEXT=
+  SHARED_SUFFIX=
+
+  ifeq ($(THREADING),pthread)
+    LOCAL_LDFLAGS += -lpthread
+  endif
+endif
+
+ifdef WINDOWS
+PYTHON ?= python
+else
+PYTHON ?= $(shell if type python3 >/dev/null 2>/dev/null; then echo python3; else echo python; fi)
+endif
+
+# See root Makefile
+GEN_FILES ?= yes
+ifdef GEN_FILES
+gen_file_dep =
+else
+gen_file_dep = |
+endif
diff --git a/tests/Makefile b/tests/Makefile
index 3a6fd593ba..8e4149b94d 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -8,65 +8,15 @@ default: all
 # Also include library headers, for the sake of invasive tests.
 LOCAL_CFLAGS += -I../library
 
-include ../3rdparty/Makefile.inc
-LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)
-
 # Enable definition of various functions used throughout the testsuite
 # (gethostname, strdup, fileno...) even when compiling with -std=c99. Harmless
 # on non-POSIX platforms.
 LOCAL_CFLAGS += -D_POSIX_C_SOURCE=200809L
 
-ifndef SHARED
-MBEDLIBS=../library/libmbedcrypto.a ../library/libmbedx509.a ../library/libmbedtls.a
-else
-MBEDLIBS=../library/libmbedcrypto.$(DLEXT) ../library/libmbedx509.$(DLEXT) ../library/libmbedtls.$(DLEXT)
-endif
-
-ifdef DEBUG
-LOCAL_CFLAGS += -g3
-endif
-
 ifdef RECORD_PSA_STATUS_COVERAGE_LOG
 LOCAL_CFLAGS += -Werror -DRECORD_PSA_STATUS_COVERAGE_LOG
 endif
 
-# if we're running on Windows, build for Windows
-ifdef WINDOWS
-WINDOWS_BUILD=1
-endif
-
-ifdef WINDOWS_BUILD
-  DLEXT=dll
-  EXEXT=.exe
-  LOCAL_LDFLAGS += -lws2_32 -lbcrypt
-  ifdef SHARED
-    SHARED_SUFFIX=.$(DLEXT)
-  endif
-
-else # Not building for Windows
-  DLEXT ?= so
-  EXEXT=
-  SHARED_SUFFIX=
-
-  ifeq ($(THREADING),pthread)
-    LOCAL_LDFLAGS += -lpthread
-  endif
-endif
-
-ifdef WINDOWS
-PYTHON ?= python
-else
-PYTHON ?= $(shell if type python3 >/dev/null 2>/dev/null; then echo python3; else echo python; fi)
-endif
-
-# See root Makefile
-GEN_FILES ?= yes
-ifdef GEN_FILES
-gen_file_dep =
-else
-gen_file_dep = |
-endif
-
 .PHONY: generated_files
 GENERATED_BIGNUM_DATA_FILES := $(patsubst tests/%,%,$(shell \
 	$(PYTHON) scripts/generate_bignum_tests.py --list || \

From 4392fc101ff3f5ef8d273359f73ad9a83f9923ed Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Fri, 22 Dec 2023 11:49:35 +0100
Subject: [PATCH 33/39] Unify some common rules of programs/Makefile and
 tests/Makefile

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 programs/Makefile   | 10 ----------
 scripts/common.make | 12 ++++++++++++
 tests/Makefile      | 12 ------------
 3 files changed, 12 insertions(+), 22 deletions(-)

diff --git a/programs/Makefile b/programs/Makefile
index 590b54eba5..64f7cc1a32 100644
--- a/programs/Makefile
+++ b/programs/Makefile
@@ -121,9 +121,6 @@ endif
 fuzz: ${MBEDTLS_TEST_OBJS}
 	$(MAKE) -C fuzz THIRDPARTY_INCLUDES=$(THIRDPARTY_INCLUDES)
 
-$(MBEDLIBS):
-	$(MAKE) -C ../library
-
 ${MBEDTLS_TEST_OBJS}:
 	$(MAKE) -C ../tests mbedtls_test
 
@@ -432,12 +429,5 @@ else
 endif
 	$(MAKE) -C fuzz clean
 
-neat: clean
-ifndef WINDOWS
-	rm -f $(GENERATED_FILES)
-else
-	for %f in ($(subst /,\,$(GENERATED_FILES))) if exist %f del /Q /F %f
-endif
-
 list:
 	echo $(EXES)
diff --git a/scripts/common.make b/scripts/common.make
index 12fd27fb41..1350b12e32 100644
--- a/scripts/common.make
+++ b/scripts/common.make
@@ -62,3 +62,15 @@ gen_file_dep =
 else
 gen_file_dep = |
 endif
+
+default: all
+
+$(MBEDLIBS):
+	$(MAKE) -C ../library
+
+neat: clean
+ifndef WINDOWS
+	rm -f $(GENERATED_FILES)
+else
+	for %f in ($(subst /,\,$(GENERATED_FILES))) if exist %f del /Q /F %f
+endif
diff --git a/tests/Makefile b/tests/Makefile
index 8e4149b94d..7a10af271c 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -3,8 +3,6 @@ include ../scripts/common.make
 # Set this to -v to see the details of failing test cases
 TEST_FLAGS ?= $(if $(filter-out 0 OFF Off off NO No no FALSE False false N n,$(CTEST_OUTPUT_ON_FAILURE)),-v,)
 
-default: all
-
 # Also include library headers, for the sake of invasive tests.
 LOCAL_CFLAGS += -I../library
 
@@ -111,9 +109,6 @@ BINARIES := $(addsuffix $(EXEXT),$(APPS))
 
 all: $(BINARIES)
 
-$(MBEDLIBS):
-	$(MAKE) -C ../library
-
 MBEDTLS_TEST_PATH = .
 MBEDTLS_TEST_OBJS = $(patsubst %.c,%.o,$(wildcard ${MBEDTLS_TEST_PATH}/src/*.c ${MBEDTLS_TEST_PATH}/src/drivers/*.c))
 MBEDTLS_TEST_OBJS += $(patsubst %.c,%.o,$(wildcard ${MBEDTLS_TEST_PATH}/src/test_helpers/*.c))
@@ -193,13 +188,6 @@ else
 	if exist include/test/instrument_record_status.h del /Q /F include/test/instrument_record_status.h
 endif
 
-neat: clean
-ifndef WINDOWS
-	rm -f $(GENERATED_FILES)
-else
-	for %f in ($(subst /,\,$(GENERATED_FILES))) if exist %f del /Q /F %f
-endif
-
 # Test suites caught by SKIP_TEST_SUITES are built but not executed.
 check: $(BINARIES)
 	perl scripts/run-test-suites.pl $(TEST_FLAGS) --skip=$(SKIP_TEST_SUITES)

From 21570cf2327a804cca9bf60c6b5a7cd4fc5b2e7b Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Fri, 22 Dec 2023 11:49:50 +0100
Subject: [PATCH 34/39] Auto-detect the need to link with pthread on Unix-like
 platforms

When building with Make on a Unix-like platform (shell and compiler),
auto-detect configurations that may require linking with pthread.

This removes the need for MAKE_THREADING_FLAGS in all.sh.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 scripts/common.make  |  27 +++++++
 tests/scripts/all.sh | 169 +++++++++++++++++++++----------------------
 2 files changed, 110 insertions(+), 86 deletions(-)

diff --git a/scripts/common.make b/scripts/common.make
index 1350b12e32..a2d1449fea 100644
--- a/scripts/common.make
+++ b/scripts/common.make
@@ -31,6 +31,27 @@ ifdef WINDOWS
 WINDOWS_BUILD=1
 endif
 
+## Usage: $(call remove_unset_options,PREPROCESSOR_INPUT)
+## Remove the preprocessor symbols that are not set in the current configuration
+## from PREPROCESSOR_INPUT. Also normalize whitespace.
+## Example:
+##   $(call remove_unset_options,MBEDTLS_FOO MBEDTLS_BAR)
+## This expands to an empty string "" if MBEDTLS_FOO and MBEDTLS_BAR are both
+## disabled, to "MBEDTLS_FOO" if MBEDTLS_BAR is enabled but MBEDTLS_FOO is
+## disabled, etc.
+##
+## This only works with a Unix-like shell environment (Bourne/POSIX-style shell
+## and standard commands) and a Unix-like compiler (supporting -E). In
+## other environments, the output is likely to be empty.
+define remove_unset_options
+$(strip $(shell
+  exec 2>/dev/null;
+  { echo '#include <mbedtls/build_info.h>'; echo $(1); } |
+  $(CC) $(LOCAL_CFLAGS) $(CFLAGS) -E - |
+  tail -n 1
+))
+endef
+
 ifdef WINDOWS_BUILD
   DLEXT=dll
   EXEXT=.exe
@@ -43,6 +64,12 @@ else # Not building for Windows
   DLEXT ?= so
   EXEXT=
   SHARED_SUFFIX=
+  ifndef THREADING
+    # Auto-detect configurations with pthread.
+    ifeq (control,$(call remove_unset_options,control MBEDTLS_THREADING_C MBEDTLS_THREADING_PTHREAD))
+      THREADING := pthread
+    endif
+  endif
 
   ifeq ($(THREADING),pthread)
     LOCAL_LDFLAGS += -lpthread
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 933c563d30..315c6e5cd7 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -216,9 +216,6 @@ pre_initialize_variables () {
         esac
         SUPPORTED_COMPONENTS="$SUPPORTED_COMPONENTS $component"
     done
-
-    # Option to enable linking with pthreads under make
-    MAKE_THREADING_FLAGS="THREADING=pthread"
 }
 
 # Test whether the component $1 is included in the command line patterns.
@@ -933,7 +930,7 @@ helper_get_psa_key_type_list() {
 # Here "things" are PSA_WANT_ symbols but with PSA_WANT_ removed.
 helper_libtestdriver1_make_drivers() {
     loc_accel_flags=$( echo "$1 ${2-}" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
-    make CC=$ASAN_CC -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
 }
 
 # Build the main libraries, programs and tests,
@@ -951,7 +948,7 @@ helper_libtestdriver1_make_main() {
     # we need flags both with and without the LIBTESTDRIVER1_ prefix
     loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
     loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" $MAKE_THREADING_FLAGS "$@"
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" "$@"
 }
 
 ################################################################
@@ -1446,7 +1443,7 @@ component_test_psa_external_rng_no_drbg_classic () {
     # When MBEDTLS_USE_PSA_CRYPTO is disabled and there is no DRBG,
     # the SSL test programs don't have an RNG and can't work. Explicitly
     # make them use the PSA RNG with -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG.
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS"
 
     msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - main suites"
     make test
@@ -1465,7 +1462,7 @@ component_test_psa_external_rng_no_drbg_use_psa () {
     scripts/config.py unset MBEDTLS_CTR_DRBG_C
     scripts/config.py unset MBEDTLS_HMAC_DRBG_C
     scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
 
     msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites"
     make test
@@ -1480,7 +1477,7 @@ component_test_psa_external_rng_use_psa_crypto () {
     scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
     scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
     scripts/config.py unset MBEDTLS_CTR_DRBG_C
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
 
     msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
     make test
@@ -1498,7 +1495,7 @@ component_test_psa_inject_entropy () {
     scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
     scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_READ
     scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_WRITE
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" LDFLAGS="$ASAN_CFLAGS"
 
     msg "test: full + MBEDTLS_PSA_INJECT_ENTROPY"
     make test
@@ -1532,14 +1529,14 @@ component_test_crypto_full_md_light_only () {
 
     # Note: MD-light is auto-enabled in build_info.h by modules that need it,
     # which we haven't disabled, so no need to explicitly enable it.
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
 
     # Make sure we don't have the HMAC functions, but the hashing functions
     not grep mbedtls_md_hmac library/md.o
     grep mbedtls_md library/md.o
 
     msg "test: crypto_full with only the light subset of MD"
-    make $MAKE_THREADING_FLAGS test
+    make test
 }
 
 component_test_full_no_cipher () {
@@ -1565,7 +1562,7 @@ component_test_full_no_cipher () {
     scripts/config.py unset MBEDTLS_LMS_PRIVATE
 
     msg "test: full no CIPHER no PSA_CRYPTO_C"
-    make $MAKE_THREADING_FLAGS test
+    make test
 }
 
 # This is a common configurator and test function that is used in:
@@ -1614,7 +1611,7 @@ common_test_full_no_cipher_with_psa_crypto () {
     scripts/config.py unset MBEDTLS_PKCS12_C
     scripts/config.py unset MBEDTLS_PKCS5_C
 
-    make $MAKE_THREADING_FLAGS
+    make
 
     # Ensure that CIPHER_C was not re-enabled
     not grep mbedtls_cipher_init library/cipher.o
@@ -1647,7 +1644,7 @@ component_test_full_no_ccm() {
     # PSA_WANT_ALG_CCM to be re-enabled.
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM
 
-    make $MAKE_THREADING_FLAGS
+    make
 
     msg "test: full no PSA_WANT_ALG_CCM"
     make test
@@ -1675,7 +1672,7 @@ component_test_full_no_ccm_star_no_tag() {
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
 
-    make $MAKE_THREADING_FLAGS
+    make
 
     # Ensure MBEDTLS_PSA_BUILTIN_CIPHER was not enabled
     not grep mbedtls_psa_cipher library/psa_crypto_cipher.o
@@ -1732,7 +1729,7 @@ component_test_full_no_bignum () {
     scripts/config.py unset MBEDTLS_SSL_ASYNC_PRIVATE
     scripts/config.py unset MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
 
-    make $MAKE_THREADING_FLAGS
+    make
 
     msg "test: full minus bignum"
     make test
@@ -2010,7 +2007,7 @@ component_test_small_mbedtls_ssl_dtls_max_buffering () {
 component_test_psa_collect_statuses () {
   msg "build+test: psa_collect_statuses" # ~30s
   scripts/config.py full
-  tests/scripts/psa_collect_statuses.py --make-vars="$MAKE_THREADING_FLAGS"
+  tests/scripts/psa_collect_statuses.py
   # Check that psa_crypto_init() succeeded at least once
   grep -q '^0:psa_crypto_init:' tests/statuses.log
   rm -f tests/statuses.log
@@ -2189,7 +2186,7 @@ component_test_default_no_deprecated () {
 component_test_full_no_deprecated () {
     msg "build: make, full_no_deprecated config" # ~ 30s
     scripts/config.py full_no_deprecated
-    make CC=gcc CFLAGS='-O -Werror -Wall -Wextra' $MAKE_THREADING_FLAGS
+    make CC=gcc CFLAGS='-O -Werror -Wall -Wextra'
 
     msg "test: make, full_no_deprecated config" # ~ 5s
     make test
@@ -2206,7 +2203,7 @@ component_test_full_no_deprecated_deprecated_warning () {
     scripts/config.py full_no_deprecated
     scripts/config.py unset MBEDTLS_DEPRECATED_REMOVED
     scripts/config.py set MBEDTLS_DEPRECATED_WARNING
-    make CC=gcc CFLAGS='-O -Werror -Wall -Wextra' $MAKE_THREADING_FLAGS
+    make CC=gcc CFLAGS='-O -Werror -Wall -Wextra'
 
     msg "test: make, full_no_deprecated config, MBEDTLS_DEPRECATED_WARNING" # ~ 5s
     make test
@@ -2226,7 +2223,7 @@ component_test_full_deprecated_warning () {
     # By default those are disabled when MBEDTLS_DEPRECATED_WARNING is set.
     # Expect warnings from '#warning' directives in check_config.h and
     # from the use of deprecated functions in test suites.
-    make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=deprecated-declarations -Wno-error=cpp -DMBEDTLS_TEST_DEPRECATED' $MAKE_THREADING_FLAGS tests
+    make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=deprecated-declarations -Wno-error=cpp -DMBEDTLS_TEST_DEPRECATED' tests
 
     msg "test: full config + MBEDTLS_TEST_DEPRECATED" # ~ 30s
     make test
@@ -2251,7 +2248,7 @@ component_build_crypto_default () {
 component_build_crypto_full () {
   msg "build: make, crypto only, full config"
   scripts/config.py crypto_full
-  make CFLAGS='-O1 -Werror' $MAKE_THREADING_FLAGS
+  make CFLAGS='-O1 -Werror'
   are_empty_libraries library/libmbedx509.* library/libmbedtls.*
 }
 
@@ -2311,73 +2308,73 @@ support_build_baremetal () {
 # depends.py family of tests
 component_test_depends_py_cipher_id () {
     msg "test/build: depends.py cipher_id (gcc)"
-    tests/scripts/depends.py cipher_id --unset-use-psa --make-vars="$MAKE_THREADING_FLAGS"
+    tests/scripts/depends.py cipher_id --unset-use-psa
 }
 
 component_test_depends_py_cipher_chaining () {
     msg "test/build: depends.py cipher_chaining (gcc)"
-    tests/scripts/depends.py cipher_chaining --unset-use-psa --make-vars="$MAKE_THREADING_FLAGS"
+    tests/scripts/depends.py cipher_chaining --unset-use-psa
 }
 
 component_test_depends_py_cipher_padding () {
     msg "test/build: depends.py cipher_padding (gcc)"
-    tests/scripts/depends.py cipher_padding --unset-use-psa --make-vars="$MAKE_THREADING_FLAGS"
+    tests/scripts/depends.py cipher_padding --unset-use-psa
 }
 
 component_test_depends_py_curves () {
     msg "test/build: depends.py curves (gcc)"
-    tests/scripts/depends.py curves --unset-use-psa --make-vars="$MAKE_THREADING_FLAGS"
+    tests/scripts/depends.py curves --unset-use-psa
 }
 
 component_test_depends_py_hashes () {
     msg "test/build: depends.py hashes (gcc)"
-    tests/scripts/depends.py hashes --unset-use-psa --make-vars="$MAKE_THREADING_FLAGS"
+    tests/scripts/depends.py hashes --unset-use-psa
 }
 
 component_test_depends_py_kex () {
     msg "test/build: depends.py kex (gcc)"
-    tests/scripts/depends.py kex --unset-use-psa --make-vars="$MAKE_THREADING_FLAGS"
+    tests/scripts/depends.py kex --unset-use-psa
 }
 
 component_test_depends_py_pkalgs () {
     msg "test/build: depends.py pkalgs (gcc)"
-    tests/scripts/depends.py pkalgs --unset-use-psa --make-vars="$MAKE_THREADING_FLAGS"
+    tests/scripts/depends.py pkalgs --unset-use-psa
 }
 
 # PSA equivalents of the depends.py tests
 component_test_depends_py_cipher_id_psa () {
     msg "test/build: depends.py cipher_id (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
-    tests/scripts/depends.py cipher_id --make-vars="$MAKE_THREADING_FLAGS"
+    tests/scripts/depends.py cipher_id
 }
 
 component_test_depends_py_cipher_chaining_psa () {
     msg "test/build: depends.py cipher_chaining (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
-    tests/scripts/depends.py cipher_chaining --make-vars="$MAKE_THREADING_FLAGS"
+    tests/scripts/depends.py cipher_chaining
 }
 
 component_test_depends_py_cipher_padding_psa () {
     msg "test/build: depends.py cipher_padding (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
-    tests/scripts/depends.py cipher_padding --make-vars="$MAKE_THREADING_FLAGS"
+    tests/scripts/depends.py cipher_padding
 }
 
 component_test_depends_py_curves_psa () {
     msg "test/build: depends.py curves (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
-    tests/scripts/depends.py curves --make-vars="$MAKE_THREADING_FLAGS"
+    tests/scripts/depends.py curves
 }
 
 component_test_depends_py_hashes_psa () {
     msg "test/build: depends.py hashes (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
-    tests/scripts/depends.py hashes --make-vars="$MAKE_THREADING_FLAGS"
+    tests/scripts/depends.py hashes
 }
 
 component_test_depends_py_kex_psa () {
     msg "test/build: depends.py kex (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
-    tests/scripts/depends.py kex --make-vars="$MAKE_THREADING_FLAGS"
+    tests/scripts/depends.py kex
 }
 
 component_test_depends_py_pkalgs_psa () {
     msg "test/build: depends.py pkalgs (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
-    tests/scripts/depends.py pkalgs --make-vars="$MAKE_THREADING_FLAGS"
+    tests/scripts/depends.py pkalgs
 }
 
 component_build_no_pk_rsa_alt_support () {
@@ -2389,7 +2386,7 @@ component_build_no_pk_rsa_alt_support () {
     scripts/config.py set MBEDTLS_X509_CRT_WRITE_C
 
     # Only compile - this is primarily to test for compile issues
-    make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' $MAKE_THREADING_FLAGS
+    make CC=gcc CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy'
 }
 
 component_build_module_alt () {
@@ -2603,7 +2600,7 @@ component_test_psa_crypto_config_reference_ffdh () {
     # Disable things that are not supported
     scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
     scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
-    make $MAKE_THREADING_FLAGS
+    make
 
     msg "test suites: full with non-accelerated FFDH alg"
     make test
@@ -2642,7 +2639,7 @@ component_test_psa_crypto_config_accel_pake() {
     # -------------
 
     msg "test: full with accelerated PAKE"
-    make $MAKE_THREADING_FLAGS test
+    make test
 }
 
 component_test_psa_crypto_config_accel_ecc_some_key_types () {
@@ -2702,7 +2699,7 @@ component_test_psa_crypto_config_accel_ecc_some_key_types () {
     # -------------
 
     msg "test suites: full with accelerated EC algs and some key types"
-    make $MAKE_THREADING_FLAGS test
+    make test
 }
 
 # Run tests with only (non-)Weierstrass accelerated
@@ -2901,7 +2898,7 @@ component_test_psa_crypto_config_accel_ecc_ecp_light_only () {
     # -------------
 
     msg "test suites: full with accelerated EC algs"
-    make $MAKE_THREADING_FLAGS test
+    make test
 
     msg "ssl-opt: full with accelerated EC algs"
     tests/ssl-opt.sh
@@ -2913,7 +2910,7 @@ component_test_psa_crypto_config_reference_ecc_ecp_light_only () {
 
     config_psa_crypto_config_ecp_light_only 0
 
-    make $MAKE_THREADING_FLAGS
+    make
 
     msg "test suites: full with non-accelerated EC algs"
     make test
@@ -3006,7 +3003,7 @@ component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () {
     # -------------
 
     msg "test: full + accelerated EC algs - ECP"
-    make $MAKE_THREADING_FLAGS test
+    make test
 
     msg "ssl-opt: full + accelerated EC algs - ECP"
     tests/ssl-opt.sh
@@ -3020,7 +3017,7 @@ component_test_psa_crypto_config_reference_ecc_no_ecp_at_all () {
 
     config_psa_crypto_no_ecp_at_all 0
 
-    make $MAKE_THREADING_FLAGS
+    make
 
     msg "test: full + non accelerated EC algs"
     make test
@@ -3183,7 +3180,7 @@ common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
 
     msg "test suites: full + accelerated $accel_text algs + USE_PSA - $removed_text - DHM - BIGNUM"
 
-    make $MAKE_THREADING_FLAGS test
+    make test
 
     msg "ssl-opt: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM"
     tests/ssl-opt.sh
@@ -3214,7 +3211,7 @@ common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () {
 
     config_psa_crypto_config_accel_ecc_ffdh_no_bignum 0 "$test_target"
 
-    make $MAKE_THREADING_FLAGS
+    make
 
     msg "test suites: full + non accelerated EC algs + USE_PSA"
     make test
@@ -3333,7 +3330,7 @@ build_full_minus_something_and_test_tls () {
         scripts/config.py unset $sym
     done
 
-    make $MAKE_THREADING_FLAGS
+    make
 
     msg "test: full minus something, test TLS"
     ( cd tests; ./test_suite_ssl )
@@ -3372,7 +3369,7 @@ build_and_test_psa_want_key_pair_partial() {
     # crypto_config.h so we just disable the one we don't want.
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$disabled_psa_want"
 
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
 
     msg "test: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}"
     make test
@@ -3438,7 +3435,7 @@ component_test_psa_crypto_config_accel_rsa_crypto () {
     # -------------
 
     msg "test: crypto_full with accelerated RSA"
-    make $MAKE_THREADING_FLAGS test
+    make test
 }
 
 component_test_psa_crypto_config_reference_rsa_crypto () {
@@ -3450,7 +3447,7 @@ component_test_psa_crypto_config_reference_rsa_crypto () {
 
     # Build
     # -----
-    make $MAKE_THREADING_FLAGS
+    make
 
     # Run the tests
     # -------------
@@ -3652,7 +3649,7 @@ component_test_psa_crypto_config_reference_hash_use_psa() {
 
     config_psa_crypto_hash_use_psa 0
 
-    make $MAKE_THREADING_FLAGS
+    make
 
     msg "test: full without accelerated hashes"
     make test
@@ -3817,7 +3814,7 @@ component_test_psa_crypto_config_accel_cipher_aead () {
     # -------------
 
     msg "test: full config with accelerated cipher and AEAD"
-    make $MAKE_THREADING_FLAGS test
+    make test
 
     msg "ssl-opt: full config with accelerated cipher and AEAD"
     tests/ssl-opt.sh
@@ -3830,7 +3827,7 @@ component_test_psa_crypto_config_reference_cipher_aead () {
     msg "build: full config with non-accelerated cipher and AEAD"
     common_psa_crypto_config_accel_cipher_aead
 
-    make $MAKE_THREADING_FLAGS
+    make
 
     msg "test: full config with non-accelerated cipher and AEAD"
     make test
@@ -3847,7 +3844,7 @@ component_test_aead_chachapoly_disabled() {
     scripts/config.py full
     scripts/config.py unset MBEDTLS_CHACHAPOLY_C
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
 
     msg "test: full minus CHACHAPOLY"
     make test
@@ -3860,7 +3857,7 @@ component_test_aead_only_ccm() {
     scripts/config.py unset MBEDTLS_GCM_C
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
 
     msg "test: full minus CHACHAPOLY and GCM"
     make test
@@ -3891,7 +3888,7 @@ component_build_psa_accel_alg_ecdh() {
     scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
     scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
     # Need to define the correct symbol and include the test driver header path in order to build with the test driver
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
 }
 
 # This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test.
@@ -3901,7 +3898,7 @@ component_build_psa_accel_alg_hmac() {
     scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
     scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
     # Need to define the correct symbol and include the test driver header path in order to build with the test driver
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HMAC -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HMAC -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
 }
 
 # This should be renamed to test and updated once the accelerator HKDF code is in place and ready to test.
@@ -3914,7 +3911,7 @@ component_build_psa_accel_alg_hkdf() {
     # Make sure to unset TLS1_3 since it requires HKDF_C and will not build properly without it.
     scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
     # Need to define the correct symbol and include the test driver header path in order to build with the test driver
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HKDF -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HKDF -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
 }
 
 # This should be renamed to test and updated once the accelerator MD5 code is in place and ready to test.
@@ -3933,7 +3930,7 @@ component_build_psa_accel_alg_md5() {
     scripts/config.py unset MBEDTLS_LMS_C
     scripts/config.py unset MBEDTLS_LMS_PRIVATE
     # Need to define the correct symbol and include the test driver header path in order to build with the test driver
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_MD5 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_MD5 -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
 }
 
 # This should be renamed to test and updated once the accelerator RIPEMD160 code is in place and ready to test.
@@ -3952,7 +3949,7 @@ component_build_psa_accel_alg_ripemd160() {
     scripts/config.py unset MBEDTLS_LMS_C
     scripts/config.py unset MBEDTLS_LMS_PRIVATE
     # Need to define the correct symbol and include the test driver header path in order to build with the test driver
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RIPEMD160 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RIPEMD160 -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
 }
 
 # This should be renamed to test and updated once the accelerator SHA1 code is in place and ready to test.
@@ -3971,7 +3968,7 @@ component_build_psa_accel_alg_sha1() {
     scripts/config.py unset MBEDTLS_LMS_C
     scripts/config.py unset MBEDTLS_LMS_PRIVATE
     # Need to define the correct symbol and include the test driver header path in order to build with the test driver
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_1 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_1 -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
 }
 
 # This should be renamed to test and updated once the accelerator SHA224 code is in place and ready to test.
@@ -3987,7 +3984,7 @@ component_build_psa_accel_alg_sha224() {
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
     # Need to define the correct symbol and include the test driver header path in order to build with the test driver
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_224 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_224 -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
 }
 
 # This should be renamed to test and updated once the accelerator SHA256 code is in place and ready to test.
@@ -4003,7 +4000,7 @@ component_build_psa_accel_alg_sha256() {
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512
     # Need to define the correct symbol and include the test driver header path in order to build with the test driver
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_256 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_256 -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
 }
 
 # This should be renamed to test and updated once the accelerator SHA384 code is in place and ready to test.
@@ -4021,7 +4018,7 @@ component_build_psa_accel_alg_sha384() {
     scripts/config.py unset MBEDTLS_LMS_C
     scripts/config.py unset MBEDTLS_LMS_PRIVATE
     # Need to define the correct symbol and include the test driver header path in order to build with the test driver
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_384 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_384 -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
 }
 
 # This should be renamed to test and updated once the accelerator SHA512 code is in place and ready to test.
@@ -4040,7 +4037,7 @@ component_build_psa_accel_alg_sha512() {
     scripts/config.py unset MBEDTLS_LMS_C
     scripts/config.py unset MBEDTLS_LMS_PRIVATE
     # Need to define the correct symbol and include the test driver header path in order to build with the test driver
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_512 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_512 -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
 }
 
 # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
@@ -4054,7 +4051,7 @@ component_build_psa_accel_alg_rsa_pkcs1v15_crypt() {
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS
     # Need to define the correct symbol and include the test driver header path in order to build with the test driver
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
 }
 
 # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
@@ -4068,7 +4065,7 @@ component_build_psa_accel_alg_rsa_pkcs1v15_sign() {
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS
     # Need to define the correct symbol and include the test driver header path in order to build with the test driver
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
 }
 
 # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
@@ -4082,7 +4079,7 @@ component_build_psa_accel_alg_rsa_oaep() {
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS
     # Need to define the correct symbol and include the test driver header path in order to build with the test driver
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_OAEP -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_OAEP -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
 }
 
 # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
@@ -4096,7 +4093,7 @@ component_build_psa_accel_alg_rsa_pss() {
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN
     scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP
     # Need to define the correct symbol and include the test driver header path in order to build with the test driver
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PSS -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PSS -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
 }
 
 # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
@@ -4111,7 +4108,7 @@ component_build_psa_accel_key_type_rsa_key_pair() {
     scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1
     scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1
     # Need to define the correct symbol and include the test driver header path in order to build with the test driver
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
 }
 
 # This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
@@ -4123,7 +4120,7 @@ component_build_psa_accel_key_type_rsa_public_key() {
     scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1
     scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
     # Need to define the correct symbol and include the test driver header path in order to build with the test driver
-    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
 }
 
 
@@ -4292,7 +4289,7 @@ component_test_no_platform () {
     # Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19,
     # to re-enable platform integration features otherwise disabled in C99 builds
     make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -Os -D_DEFAULT_SOURCE' lib programs
-    make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os' $MAKE_THREADING_FLAGS test
+    make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os' test
 }
 
 component_build_no_std_function () {
@@ -4310,14 +4307,14 @@ component_build_no_ssl_srv () {
     msg "build: full config except SSL server, make, gcc" # ~ 30s
     scripts/config.py full
     scripts/config.py unset MBEDTLS_SSL_SRV_C
-    make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1' $MAKE_THREADING_FLAGS
+    make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1'
 }
 
 component_build_no_ssl_cli () {
     msg "build: full config except SSL client, make, gcc" # ~ 30s
     scripts/config.py full
     scripts/config.py unset MBEDTLS_SSL_CLI_C
-    make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1' $MAKE_THREADING_FLAGS
+    make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1'
 }
 
 component_build_no_sockets () {
@@ -4492,7 +4489,7 @@ component_test_platform_calloc_macro () {
 component_test_malloc_0_null () {
     msg "build: malloc(0) returns NULL (ASan+UBSan build)"
     scripts/config.py full
-    make CC=$ASAN_CC CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"$PWD/tests/configs/user-config-malloc-0-null.h\"' $ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"$PWD/tests/configs/user-config-malloc-0-null.h\"' $ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
 
     msg "test: malloc(0) returns NULL (ASan+UBSan build)"
     make test
@@ -5104,7 +5101,7 @@ component_test_psa_crypto_drivers () {
     loc_cflags="${loc_cflags} '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'"
     loc_cflags="${loc_cflags} -I../tests/include -O2"
 
-    make CC=$ASAN_CC CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=$ASAN_CC CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS"
 
     msg "test: full + test drivers dispatching to builtins"
     make test
@@ -5131,7 +5128,7 @@ test_build_opt () {
     $cc --version
     for opt in "$@"; do
           msg "build/test: $cc $opt, $info" # ~ 30s
-          make CC="$cc" CFLAGS="$opt -std=c99 -pedantic -Wall -Wextra -Werror" $MAKE_THREADING_FLAGS
+          make CC="$cc" CFLAGS="$opt -std=c99 -pedantic -Wall -Wextra -Werror"
           # We're confident enough in compilers to not run _all_ the tests,
           # but at least run the unit tests. In particular, runs with
           # optimizations use inline assembly whereas runs with -O0
@@ -5186,7 +5183,7 @@ component_build_mbedtls_config_file () {
     msg "build: make with MBEDTLS_CONFIG_FILE" # ~40s
     scripts/config.py -w full_config.h full
     echo '#error "MBEDTLS_CONFIG_FILE is not working"' >"$CONFIG_H"
-    make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"'" $MAKE_THREADING_FLAGS
+    make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"'"
     # Make sure this feature is enabled. We'll disable it in the next phase.
     programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
     make clean
@@ -5195,7 +5192,7 @@ component_build_mbedtls_config_file () {
     # In the user config, disable one feature (for simplicity, pick a feature
     # that nothing else depends on).
     echo '#undef MBEDTLS_NIST_KW_C' >user_config.h
-    make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"' -DMBEDTLS_USER_CONFIG_FILE='\"user_config.h\"'" $MAKE_THREADING_FLAGS
+    make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"' -DMBEDTLS_USER_CONFIG_FILE='\"user_config.h\"'"
     not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
 
     rm -f user_config.h full_config.h
@@ -5254,7 +5251,7 @@ component_test_m32_no_asm () {
     scripts/config.py unset MBEDTLS_HAVE_ASM
     scripts/config.py unset MBEDTLS_PADLOCK_C
     scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32
-    make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS"
 
     msg "test: i386, make, gcc, no asm (ASan build)"
     make test
@@ -5272,7 +5269,7 @@ component_test_m32_o2 () {
     msg "build: i386, make, gcc -O2 (ASan build)" # ~ 30s
     scripts/config.py full
     scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32
-    make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS" $MAKE_THREADING_FLAGS
+    make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS"
 
     msg "test: i386, make, gcc -O2 (ASan build)"
     make test
@@ -5307,7 +5304,7 @@ support_test_m32_everest () {
 component_test_mx32 () {
     msg "build: 64-bit ILP32, make, gcc" # ~ 30s
     scripts/config.py full
-    make CC=gcc CFLAGS='-Werror -Wall -Wextra -mx32' LDFLAGS='-mx32' $MAKE_THREADING_FLAGS
+    make CC=gcc CFLAGS='-Werror -Wall -Wextra -mx32' LDFLAGS='-mx32'
 
     msg "test: 64-bit ILP32, make, gcc"
     make test
@@ -5371,7 +5368,7 @@ component_test_no_udbl_division () {
     msg "build: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s
     scripts/config.py full
     scripts/config.py set MBEDTLS_NO_UDBL_DIVISION
-    make CFLAGS='-Werror -O1' $MAKE_THREADING_FLAGS
+    make CFLAGS='-Werror -O1'
 
     msg "test: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s
     make test
@@ -5381,7 +5378,7 @@ component_test_no_64bit_multiplication () {
     msg "build: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s
     scripts/config.py full
     scripts/config.py set MBEDTLS_NO_64BIT_MULTIPLICATION
-    make CFLAGS='-Werror -O1' $MAKE_THREADING_FLAGS
+    make CFLAGS='-Werror -O1'
 
     msg "test: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s
     make test
@@ -5395,7 +5392,7 @@ component_test_no_strings () {
     scripts/config.py unset MBEDTLS_ERROR_C
     scripts/config.py set MBEDTLS_ERROR_STRERROR_DUMMY
     scripts/config.py unset MBEDTLS_VERSION_FEATURES
-    make CFLAGS='-Werror -Os' $MAKE_THREADING_FLAGS
+    make CFLAGS='-Werror -Os'
 
     msg "test: no strings" # ~ 10s
     make test
@@ -5406,7 +5403,7 @@ component_test_no_x509_info () {
     scripts/config.pl full
     scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
     scripts/config.pl set MBEDTLS_X509_REMOVE_INFO
-    make CFLAGS='-Werror -O2' $MAKE_THREADING_FLAGS
+    make CFLAGS='-Werror -O2'
 
     msg "test: full + MBEDTLS_X509_REMOVE_INFO" # ~ 10s
     make test
@@ -6009,7 +6006,7 @@ component_build_zeroize_checks () {
     scripts/config.py full
 
     # Only compile - we're looking for sizeof-pointer-memaccess warnings
-    make CC=gcc CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-zeroize-memset.h\"' -DMBEDTLS_TEST_DEFINES_ZEROIZE -Werror -Wsizeof-pointer-memaccess" $MAKE_THREADING_FLAGS
+    make CC=gcc CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-zeroize-memset.h\"' -DMBEDTLS_TEST_DEFINES_ZEROIZE -Werror -Wsizeof-pointer-memaccess"
 }
 
 

From 811daaa48c3003a563e4e06102743703e323ac1f Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Fri, 22 Dec 2023 13:16:59 +0100
Subject: [PATCH 35/39] Revert "Add ability to pass make variables to
 psa_collect_statuses.py"

This reverts commit 6587959a32f978aeb02766c27cf30b04d8a245e1.

The feature is no longer needed, and the script is broken if you don't pass
--make-vars.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 tests/scripts/psa_collect_statuses.py | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/tests/scripts/psa_collect_statuses.py b/tests/scripts/psa_collect_statuses.py
index 6291d7898e..11bbebcc1f 100755
--- a/tests/scripts/psa_collect_statuses.py
+++ b/tests/scripts/psa_collect_statuses.py
@@ -82,15 +82,10 @@ def collect_status_logs(options):
                                   cwd='tests',
                                   stdout=sys.stderr)
         with open(os.devnull, 'w') as devnull:
-            build_command = ['make', '-q'] + options.make_vars.split(' ') + \
-                            ['lib', 'tests']
-            make_q_ret = subprocess.call(build_command, stdout=devnull,
-                                         stderr=devnull)
-            print("blagh")
+            make_q_ret = subprocess.call(['make', '-q', 'lib', 'tests'],
+                                         stdout=devnull, stderr=devnull)
         if make_q_ret != 0:
-            build_command = ['make'] + options.make_vars.split(' ') + \
-                            ['RECORD_PSA_STATUS_COVERAGE_LOG=1']
-            subprocess.check_call(build_command,
+            subprocess.check_call(['make', 'RECORD_PSA_STATUS_COVERAGE_LOG=1'],
                                   stdout=sys.stderr)
             rebuilt = True
         subprocess.check_call(['make', 'test'],
@@ -117,9 +112,6 @@ def main():
                         help='Log file location (default: {})'.format(
                             DEFAULT_STATUS_LOG_FILE
                         ))
-    parser.add_argument('--make-vars',
-                        help='optional variable/value pairs to pass to make',
-                        action='store', default='')
     parser.add_argument('--psa-constant-names', metavar='PROGRAM',
                         default=DEFAULT_PSA_CONSTANT_NAMES,
                         help='Path to psa_constant_names (default: {})'.format(

From 259df9897267d95e97d6c2a813b4112f11c39637 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Fri, 22 Dec 2023 13:17:33 +0100
Subject: [PATCH 36/39] Revert "Add option to pass make variables to
 depends.py"

This reverts commit be978a8c4fc52965b486125f2993251025b1a399.

The feature is no longer needed, and the script is broken if you don't pass
--make-vars.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 tests/scripts/depends.py | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py
index 5fe26f158b..38c184a6ae 100755
--- a/tests/scripts/depends.py
+++ b/tests/scripts/depends.py
@@ -381,7 +381,7 @@ class DomainData:
 
     def __init__(self, options, conf):
         """Gather data about the library and establish a list of domains to test."""
-        build_command = [options.make_command] + options.make_vars.split(' ') + ['CFLAGS=-Werror']
+        build_command = [options.make_command, 'CFLAGS=-Werror']
         build_and_test = [build_command, [options.make_command, 'test']]
         self.all_config_symbols = set(conf.settings.keys())
         # Find hash modules by name.
@@ -526,9 +526,6 @@ def main():
         parser.add_argument('--make-command', metavar='CMD',
                             help='Command to run instead of make (e.g. gmake)',
                             action='store', default='make')
-        parser.add_argument('--make-vars',
-                            help='optional variable/value pairs to pass to make',
-                            action='store', default='')
         parser.add_argument('--unset-use-psa',
                             help='Unset MBEDTLS_USE_PSA_CRYPTO before any test',
                             action='store_true', dest='unset_use_psa')

From 2337a3b8864bdf4e700a9af020f665e9f4bec56d Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Fri, 22 Dec 2023 13:25:18 +0100
Subject: [PATCH 37/39] Explain the use of control

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 scripts/common.make | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/scripts/common.make b/scripts/common.make
index a2d1449fea..6d2fbc3e2b 100644
--- a/scripts/common.make
+++ b/scripts/common.make
@@ -66,6 +66,10 @@ else # Not building for Windows
   SHARED_SUFFIX=
   ifndef THREADING
     # Auto-detect configurations with pthread.
+    # If the call to remove_unset_options returns "control", the symbols
+    # are confirmed set and we link with pthread.
+    # If the auto-detection fails, the result of the call is empty and
+    # we keep THREADING undefined.
     ifeq (control,$(call remove_unset_options,control MBEDTLS_THREADING_C MBEDTLS_THREADING_PTHREAD))
       THREADING := pthread
     endif

From 7602298a16d3e668d7168234c118f50f1664ac3a Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Fri, 22 Dec 2023 15:28:07 +0100
Subject: [PATCH 38/39] Allow *.make to contain tabs

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 tests/scripts/check_files.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tests/scripts/check_files.py b/tests/scripts/check_files.py
index a93b8256f0..f6f6d6c713 100755
--- a/tests/scripts/check_files.py
+++ b/tests/scripts/check_files.py
@@ -318,6 +318,7 @@ class TabIssueTracker(LineIssueTracker):
 
     heading = "Tabs present:"
     suffix_exemptions = frozenset([
+        ".make",
         ".pem", # some openssl dumps have tabs
         ".sln",
         "/Makefile",

From f3316f132bc73b59c24b31216a45561561ff5ba8 Mon Sep 17 00:00:00 2001
From: Gilles Peskine <Gilles.Peskine@arm.com>
Date: Fri, 22 Dec 2023 18:30:37 +0100
Subject: [PATCH 39/39] Correct name and documentation of preprocessor symbol
 check function

It's not remove_unset_options, it's remove_enabled_options (or
keep_disabled_options).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
---
 scripts/common.make | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/scripts/common.make b/scripts/common.make
index 6d2fbc3e2b..2f27d0ef52 100644
--- a/scripts/common.make
+++ b/scripts/common.make
@@ -31,19 +31,19 @@ ifdef WINDOWS
 WINDOWS_BUILD=1
 endif
 
-## Usage: $(call remove_unset_options,PREPROCESSOR_INPUT)
-## Remove the preprocessor symbols that are not set in the current configuration
+## Usage: $(call remove_enabled_options,PREPROCESSOR_INPUT)
+## Remove the preprocessor symbols that are set in the current configuration
 ## from PREPROCESSOR_INPUT. Also normalize whitespace.
 ## Example:
-##   $(call remove_unset_options,MBEDTLS_FOO MBEDTLS_BAR)
+##   $(call remove_set_options,MBEDTLS_FOO MBEDTLS_BAR)
 ## This expands to an empty string "" if MBEDTLS_FOO and MBEDTLS_BAR are both
-## disabled, to "MBEDTLS_FOO" if MBEDTLS_BAR is enabled but MBEDTLS_FOO is
+## enabled, to "MBEDTLS_FOO" if MBEDTLS_BAR is enabled but MBEDTLS_FOO is
 ## disabled, etc.
 ##
 ## This only works with a Unix-like shell environment (Bourne/POSIX-style shell
 ## and standard commands) and a Unix-like compiler (supporting -E). In
 ## other environments, the output is likely to be empty.
-define remove_unset_options
+define remove_enabled_options
 $(strip $(shell
   exec 2>/dev/null;
   { echo '#include <mbedtls/build_info.h>'; echo $(1); } |
@@ -66,11 +66,11 @@ else # Not building for Windows
   SHARED_SUFFIX=
   ifndef THREADING
     # Auto-detect configurations with pthread.
-    # If the call to remove_unset_options returns "control", the symbols
+    # If the call to remove_enabled_options returns "control", the symbols
     # are confirmed set and we link with pthread.
     # If the auto-detection fails, the result of the call is empty and
     # we keep THREADING undefined.
-    ifeq (control,$(call remove_unset_options,control MBEDTLS_THREADING_C MBEDTLS_THREADING_PTHREAD))
+    ifeq (control,$(call remove_enabled_options,control MBEDTLS_THREADING_C MBEDTLS_THREADING_PTHREAD))
       THREADING := pthread
     endif
   endif