From ff26474af6c54bc824e84e4d2e722410c00e2bff Mon Sep 17 00:00:00 2001
From: Cykesiopka
Date: Tue, 11 Nov 2014 00:59:00 +0100
Subject: [PATCH] Bug 1084606 - Allow overrides for MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE. r=dkeeler
---
 security/manager/ssl/src/NSSErrorsService.cpp | 1 +
 .../ssl/src/SSLServerCertVerification.cpp | 2 ++
 .../ssl/tests/unit/test_cert_overrides.js | 5 +++++
 .../manager/ssl/tests/unit/tlsserver/cert9.db | Bin 294912 -> 294912 bytes
 .../unit/tlsserver/cmd/BadCertServer.cpp | 1 +
 .../tests/unit/tlsserver/generate_certs.sh | 1 +
 .../manager/ssl/tests/unit/tlsserver/key4.db | Bin 458752 -> 458752 bytes
 7 files changed, 10 insertions(+)
diff --git a/security/manager/ssl/src/NSSErrorsService.cpp b/security/manager/ssl/src/NSSErrorsService.cpp
index 82bd3a76523c..71a1b5247f1f 100644
--- a/security/manager/ssl/src/NSSErrorsService.cpp
+++ b/security/manager/ssl/src/NSSErrorsService.cpp
@@ -142,6 +142,7 @@ NSSErrorsService::GetErrorClass(nsresult aXPCOMErrorCode, uint32_t *aErrorClass)
 case SEC_ERROR_EXPIRED_CERTIFICATE:
 case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
 case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE:
 case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
 *aErrorClass = ERROR_CLASS_BAD_CERT;
 break;
diff --git a/security/manager/ssl/src/SSLServerCertVerification.cpp b/security/manager/ssl/src/SSLServerCertVerification.cpp
index 31969f400dc7..786941d1fde5 100644
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
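Review bot: The new case in GetErrorClass is one of three places in this patch that must list the same overridable error codes, and nothing in the code ties them together. The other two are the switches in MapCertErrorToProbeValue and DetermineCertOverrideErrors in SSLServerCertVerification.cpp; only the NS_WARNING in MapCertErrorToProbeValue flags a mismatch, and only at runtime. A code listed here but missing from DetermineCertOverrideErrors (or the reverse) would make the override decision inconsistent, so a comment above this case group would help, e.g. `// Keep in sync with DetermineCertOverrideErrors and MapCertErrorToProbeValue (SSLServerCertVerification.cpp).` The switch itself starts and ends outside the hunk.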
@@ -306,6 +306,7 @@ MapCertErrorToProbeValue(PRErrorCode errorCode)
 case SEC_ERROR_EXPIRED_CERTIFICATE: return 10;
 case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY: return 11;
 case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA: return 12;
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE: return 13;
 }
 NS_WARNING("Unknown certificate error code. Does MapCertErrorToProbeValue "
 "handle everything in DetermineCertOverrideErrors?");
@@ -335,6 +336,7 @@ DetermineCertOverrideErrors(CERTCertificate* cert, const char* hostName,
 case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
 case SEC_ERROR_UNKNOWN_ISSUER:
 case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
+ case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE:
 case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
 {
 collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED;
diff --git a/security/manager/ssl/tests/unit/test_cert_overrides.js b/security/manager/ssl/tests/unit/test_cert_overrides.js
index 5057270ff66a..6d3beac85e8a 100644
--- a/security/manager/ssl/tests/unit/test_cert_overrides.js
+++ b/security/manager/ssl/tests/unit/test_cert_overrides.js
@@ -63,6 +63,7 @@ function check_telemetry() {
 do_check_eq(histogram.counts[10], 5); // SEC_ERROR_EXPIRED_CERTIFICATE
 do_check_eq(histogram.counts[11], 2); // MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY
 do_check_eq(histogram.counts[12], 1); // MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA
+ do_check_eq(histogram.counts[13], 1); // MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE
 run_next_test();
 }
@@ -149,6 +150,10 @@ function add_simple_tests() {
 clearSessionCache();
 run_next_test();
 });
+
+ add_cert_override_test("inadequate-key-size-ee.example.com", Ci.nsICertOverrideService.ERROR_UNTRUSTED, getXPCOMStatusFromNSS(MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE));
 }
 function add_combo_tests() {
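Review bot: In the DetermineCertOverrideErrors hunk, the inadequate-key-size case falls into the shared `collectedErrors = nsICertOverrideService::ERROR_UNTRUSTED;` arm, so a key-strength failure is recorded under the same override bit as an unknown or expired issuer. Anything that looks only at that bit (presumably a stored override or the warning text) cannot tell "issuer not trusted" from "key too small", which matters because the user is being asked to accept weaker cryptography rather than an unfamiliar CA. A comment on the case would record that the grouping is deliberate, for example `// Weak key: overridable, reported under ERROR_UNTRUSTED together with the issuer-trust errors.` The rest of the arm is outside the hunk, so whether the specific error code is kept alongside the bit cannot be confirmed from here.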
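Review bot: The test added in add_simple_tests covers only an end-entity certificate with a short key (`inadequate-key-size-ee.example.com`), while the new case in DetermineCertOverrideErrors does not look at which certificate in the chain triggered the error. If the verifier reports the same code for a short key on an intermediate or root, that path becomes overridable too, with no test pinning the behaviour. A second `add_cert_override_test(...)` call against a host whose chain has the short key on the issuing CA, with matching entries in generate_certs.sh and BadCertServer.cpp, would cover it. The expected value of `histogram.counts[13]` in check_telemetry would then need updating as well.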
diff --git a/security/manager/ssl/tests/unit/tlsserver/cert9.db b/security/manager/ssl/tests/unit/tlsserver/cert9.db index 950173131fdae19995ae53ed3fce3eee3d037ac7..87d341115bbef1a813d2fb8dfae0628bfee092d0 100644 GIT binary patch delta 1615 zcmZo@5Nc=;njp=1W1@^R>kS6oXY3nO7W`)}tO=aT&Ul-nCZ{I3CaNZI`^N@G?y_x- zj4`Y#9Ly|?BGY~=7DE{dMNo!(A()XVY+JCsw1%;tnYplR&2;t#Mt_#F?`5B+hcz%( zu#}xITeJOK1LL()7A0m6#_5e$ndMlE;Y|J_7G?&$*_qs#fRrDT980%8`XV|K;tCFjn;lbj^Yyj0-EY57imZ zS656cihnUpWCeQa#8h@>cdhahRm-dTDyLL2Rlck|UAd`RwCYd!v+}c51y$j-KWiUU zIiMWuPoH8?5Ggx;IQNR#e`nE~g#uBJx2-%8&Yn|*OQH}Yp`)l+ zROGkM@SC&$PM%F3-`ko0ohsNaQNjGCo!MD{Why&MJ%^}+2*1E10Tz%K%lP>kql?Q} zMELlG7=XZIdZQRiHVY^bOs}}gtP#po?8101*f|&(Gia6u_oESH@_;msfjkCaXrbX%&@&j5T8D$YBui5CNGE1xeErD_G)eftDx$MHm?w zumq|>6O)cX6XVnc%uI|-Oh8u{@Un4gwRyCC=VfH%W@P}UE^h-lab80cLjyxY10!QY z6VoVhUK3<42?=F-VkL`A{XxxNnGO~iO_GLg#i1)^Phk3SqHO9LWd?=yZ(d|8SzhRD z+VRZn`}^ri=XFjL^9jwUbMz3gepi0+@^_vi)9>x;c+_tANRZ**xx$6d)-Cb1IuzBW z$mz0KcDY!PN8-BJB$2jXjK_XzEKZ#oSl0D*wu<(GeNQXi`-z({h)&V25M|P4W@KPo zTx?KipbJdhvVtsX1}aTTh~Ux9POa1}2BtdQ)YRz#FPWq2fkDCC*vO##%xdplmV+gy zmS5Ye=K4JS?GE?bZ@YW`Kh9z9k8s+=An^XmZMTi0=c-Klo%Z{Gxzoxq*GuS-qRRG; ze=j_nLw+ol&M%3$KGEsfNsc8m#kbj}Pg@syCTfFt&AP%wJ<*a$pI02yy2*KuGfnFi zi{PzIi&Ac#|0MKslLv>j#M#Z;l@)lWe@JCfb_2x|@p%(l@@8z(E1W(-pG9rDZ8=L| zJur>P1Jei-BLgrGgOU%B!m5oCn2dmOKt#Jg};i-I{xLhJZtQ>ZM1$Ef#|1C!UHv*t16KoJ@#}u!50*pk>I_86_R>%lyTj zwjP~xTTUnNw`-zCLXyG8lp^!XKWi&7W`+$IgZGR)iB9aLJu3KfW diff --git a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp index 0e1895d4c32f..5df0d2cf54b8 100644 --- a/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp +++ b/security/manager/ssl/tests/unit/tlsserver/cmd/BadCertServer.cpp 
@@ -60,6 +60,7 @@ const BadCertHost sBadCertHosts[] =
 { "nsCertTypeCriticalWithExtKeyUsage.example.com", "nsCertTypeCriticalWithExtKeyUsage" },
 { "nsCertTypeCritical.example.com", "nsCertTypeCritical" },
 { "end-entity-issued-by-v1-cert.example.com", "eeIssuedByV1Cert" },
+ { "inadequate-key-size-ee.example.com", "inadequateKeySizeEE" },
 { nullptr, nullptr }
 };
diff --git a/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh b/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
index fd52b98d6178..9fdebace9e69 100755
--- a/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
+++ b/security/manager/ssl/tests/unit/tlsserver/generate_certs.sh
@@ -307,6 +307,7 @@ make_INT self-signed-EE-with-cA-true 'CN=Test Self-signed End-entity with CA tru
 make_INT ca-used-as-end-entity 'CN=Test Intermediate used as End-Entity' testCA "-8 ca-used-as-end-entity.example.com"
 make_delegated badKeysizeDelegatedSigner 'CN=Bad Keysize Delegated Responder' testCA "--extKeyUsage ocspResponder -g 1008"
+make_EE inadequateKeySizeEE 'CN=Inadequate Key Size End-Entity' testINT "inadequate-key-size-ee.example.com" "-g 1008"
 make_EE_with_nsCertType nsCertTypeCritical 'CN=nsCertType Critical' testCA "localhost,*.example.com" "y"
 make_EE_with_nsCertType nsCertTypeNotCritical 'CN=nsCertType Not Critical' testCA "localhost,*.example.com" "n"
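Review bot: The `-g 1008` on the new make_EE line in generate_certs.sh is an unexplained magic number, and it duplicates the value on the badKeysizeDelegatedSigner line just above it. It is presumably chosen to sit just under the minimum RSA key size the verifier accepts; if that minimum changes, nothing here says both lines have to follow it. A comment above the new line would do, e.g. `# 1008-bit key: intentionally below the minimum size accepted by certificate verification`.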
diff --git a/security/manager/ssl/tests/unit/tlsserver/key4.db b/security/manager/ssl/tests/unit/tlsserver/key4.db index 02ac22e5a984dbf33325e6cd572444c92c07dde6..5598271c5a31c60e7b70c47b9710afa4dfdd9cad 100644 GIT binary patch delta 5378 zcmbW42{=@J`^V>)G2^jj&k}>`K|{tq7+JF=5@p}_t*nt{jGZVv7+UNlJK5KeWXYaF zREUtRBxT8ajOV%P?N$Hx|DNkybIvv2`}{t?`#!(#ea;CAVh;*pk7EP+;@K5R`yc|d zh%)PpT_|5*UJ?S(f(1SZ%qzpc^ev0?gwc^fVE{w&76%{k#DQLhx4J$MPy?WRI8g#3 z2n@$zaH9L+yD)MX6aw(={qPcGcY$_r%-SRb2{>j;VC{ZTDC`gdN(bD981nsnsN#-|GAIrQh}cl!btj z2yo?ABQ;3hR&diuZbAI8-dEkKU3l$ntg=jB8?x&eXeVn7sT@+!#70YQmEngap;454 z1Z@TQal$zlxIS*LNkAYFD6nU3@B{)L4ssx{x9y4G-om%(ASY=b%z{4cp?CjQ9Lbjs z@1#W@2(n~x&WRh-9~E3PE55Np;O;|pcu>=&1j?&2NH1R*7}}t0BfM&goQgnC(L%oU zx@FE{igPrjS`EXw{!l7ElFOu{YEf)r$q>E?w14Hzwn;kY9ld_*=!uM`8K0H2%%Tv+ z#1lS@00a=i7ZEICNa=CR)D?@8{LAvv@WB~f^i(C6Xi7Z^0Ko7;?ypVXT#%$WWrbSZ zA)jPCax87;&bd;VUL#7#16c8y*v+oTUoNo%M)@3<4GKFBk-Tb9yw`n_dU=eTO8!7 z50|-=obV5zQn`I7247}M-8IXS5%$GciLsZS2tf0-uy^}V4IC$bcDP)#RE=M*N_Emb zHLB-NE<;VqQ8E=ih|CH^(Cn3hR+zYX+t;2HE%BhMIN_1g%3@(T+&=#R*6g%-k3~t| zG&yS$y3R~XjeiyV z^QjN^V;*^pOk7q^eciFY6Tr21sq!cXzK?dEZpgTkdsMcpm%*0^FuhE|p))ts%d@fN z=yvEalmJcOc5SiL3nL)Zd5m)}5;B|XKJW!4>l-z&`R8=Jt4npjU+l?@@8-!yTA|o_ z00;yC{!crY|M!0QAM6k%$Ghj}KpX@3nE%&0Jk-~>)F}lMko{=lwT1+!xk8i)^K%LuCw%|3l6e@dyU%0;e5YW!) zy{SpJ`&4WgJh!6Ne0vdZ&9?GTh!3%6jcEZqt{_GPsK_Q-|PyYi(pN@SQf zb?w_to}NxTgmXr47F^R?=Av~s1TKBuIdikuVAU>bfqm}=;Uk}2jn$F;GRyjGTtWWn zkmwxs=yvyczI47fVX3S;qk@l5S{_cp2s<`=Wg1*RVOJ-q0XKRdBz(DXmd*ZQKK5xq z4+Zs~`tJ!z{rwBgNspTRq>C=|n$nGzT;sj6?&gY*F>7^BZsB1Zl_hJDt9IyYfK!_H z#d4lE9cR6ThKfa;r`+rkP|L06DkGGIlQLRV;x@wo-;?d7G|JTLv&byr4;r`kCaNlA z0t=_onS7T743INtofd0P%aBzC?3BcZreLfzhT3bH);SAL6iU(Jf>KG}43F75YJ66t z#MBMdb-A2^*G%3yFM1TAFQ&VX!O~PSIE~>2L(EwIx^H0q7^@wqOTAWC#>_kyH$lN!q5xPf+Ld%U+F%9w28#r7*h@+|YP7LVX^I(7=! 
zNZ-YMOk_$nNmoFHbMKbF8kw=eIL@difr#O5Qon6B)Ik3v#M_OH32#NJu#0*?<2>%Ehq_WI?IVH)&S6=PiBK?&YVd3rG7CKlr$goWFZv zV7MZRfC!VM!{1pKS9lf0h)GP&Fum5Z4yBxSuVuA7Eu+R*_PkVDnCSLjI>zq*Z<+te zG1Zz1@MxvY zFmyHOFyPkrFT-zMWW{rbD3Qts(?R~@#g;Ho216lpa(o&3M3w)NZl1kIT5(b8$qjDV zI04nf+AmP0yT%^Y?eVVg~L-K7Ew z1{jL-0--#Y+`HvrX5$DmE?+F}^Cg5Cqs3j4N8^dniWP^y10p(Lj6T& zBvEGCQ3ZORZO-4DguYdpSG7mbvw#rUUqJBNAY?G{1ukJKm4OHP<|0)Lcj9My2+pzK zq3>YLHxG2%V*>3lQZ9`9)wrpe zlQj10IlVQ7FY#;CJo8ZwtYc^29r0e%1sO62GcxH&1&|v>X}36>v&GVte1oQU?=NMY zupMT#`Z6!$*G&blWHi`c!n=)Fx(VG0)vH6#=2wsd>O8q#y05Qs7HshiAGvP4au3fH zB29YgZ#(|@l|{gZf{SZmXG`Wq`DT{&)GED#wdA^r+iFb8O)U)ylW-k1QrQe5L~?VK zi(z++LKSFRjjlM9SuUH4uTLY#$W-!ZZJoDaA93I5m+K8aaXHget&J%o2(u(vEymBWn#`1(xP@emE?-E-fnGbJJW?ov- zeUPfVIB(U)>*noM9zyySq=^24ve#IUtHa+El!h;fLl$h8QBNp3I!`s#p@F0x>LQ87 z-i8~G_bFRUUXc!4Zt9l1vzjf#OzAdR=x7}Q}a=_3igUYjLl7}X+_we2mk$szgY z@Ty3j0st?V3Q~j*q!8RZLED$)U#QRH8N22`8cD}F9*yeL7%>nW;S}rk^9nq zDx)zSYtQH%WUB7;+`lhk`81YmHK63Rt3>9e@tpN5DiRQaJ`iF}a0>@hp&l$g-t$Rm zh!x7MIbLNQGi*WNd|=@0s;F(2A(9;Mnn;oOly>}%TBPlh8lT2YZpnwz74lrdU1z?n zhvo@?E=>;32YoN}lkfK|Nhnn#6+}LvuJR>MlGr?ULuT`&KVMuIAhu$c@ W<$)`eV@#^KKXNO$x?vWs#PTnFx2$Xc delta 240 zcmZo@kZEX;nIO%0bfSzi>rn>XXKWi&7W`*cuiHJ9ozZ_|mvCP@nxW~O+!JB2ff;a1v zEpoh0z6{m2WmSdSb2TzjlNZI^kCF+E44CG9*S=p`?qvfy NEiG;Po@Z<>k^s)AUQ_@8