From 1e23797619c957fb2d0a7ed9ae1083fb31f592b8 Mon Sep 17 00:00:00 2001
From: Tiago Peczenyj <tpeczenyj@weborama.com>
Date: Mon, 7 Aug 2023 18:39:43 +0000
Subject: [PATCH 01/22] publicsuffix: update table to version 20230804

using version 63cbc63
last update was done in 2022

Change-Id: Ic4634caf5c9dfd97211a5dff966a3ea2ed6a461e
GitHub-Last-Rev: 5b94982f4d7ad7032c80df6a20d7ac09f0e3fc96
GitHub-Pull-Request: golang/net#187
Reviewed-on: https://go-review.googlesource.com/c/net/+/515895
Auto-Submit: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
---
 publicsuffix/data/children   |  Bin 2876 -> 2976 bytes
 publicsuffix/data/nodes      |  Bin 48280 -> 46610 bytes
 publicsuffix/data/text       |    2 +-
 publicsuffix/example_test.go |    2 +-
 publicsuffix/table.go        |   14 +-
 publicsuffix/table_test.go   | 1667 ++++++++++------------------------
 6 files changed, 497 insertions(+), 1188 deletions(-)

diff --git a/publicsuffix/data/children b/publicsuffix/data/children
index 1038c561ade4683e91b37e8298fc5ead7c306779..08261bffd196fd6942b4cebb5ff06e0ffe53808d 100644
GIT binary patch
literal 2976
zcmWO8`9qWS9{_Nl=d<VYyypYx*HD2R$LE2KERVqQzETl=2C0a^6dN1h1)7?PnYR);
zAj7n62y6^dD^Qda?<|4gvvGrffg8j7D(^h<>kqI0;nk~GuU>uM@qcI1JG0(VzeBB>
z_6N0UM-8>A@-p>RrAY0X)<o&jKcF(JhEmx$l={AE6qSP~QhU<FsobzgDmOiq%B@;X
z6@;yz3eq=FX1tLyhi#|K={u-moK6*o>8av$LqKtrG2viXZot8+JnGl50;&X;1(bx9
zQ%BN&qmERar^@gJsx0ghbv&$+IuT~4D#F^SiYg~{Cd@^h3%eh1F8yi1xvFQ>dHkHJ
zPJcmJt9_}<EKk|1gQ+HVB-K1!NwrkZrW|Yxjizs=k=32<ozaK>U-)3UpLH7T2?FgI
zK8yCum`(SGIrM;xx%2?5iuTHwPs^+t+85Rm-|#frKVu#7w{E2aU>h9}zMT%t*r5ru
z=8&N9JtQb&Fa3dapJp%|q(2NlM2A2L2?@87kc=7<V!cd4!$lIBVJD&1T6zT3(IYbI
z=@HgO@<~P$8JW>aMum5g(HTy9wDkr(25you8MnyTj63vL>jN?_;~_oH`iP7Ve@st+
zr}RX4LC>_lrUmJTL@E7<C}#{O%9@W!gfx_%Q!|2&k_vRx3?&`4GlGt)iKHubeoj|h
z?k1HpU8GX%PpY_qq)O*SsyQE0Ees;nqKsHYKT^Z-q(&D=YD75^IRz1gkBBG^AvSIp
zvFU~rn;1guLMW-#eL`x*F{DlyOX_svNxd+E)axdb2JSP`AWS8V+%(cCgp)>b25I61
z(kv)Rvu-wN;pUJQVJ>OaMUz%hMXm_*$rW8ZY2y}>HbG6=#01hVXi2*+iF9zu<SMtA
zToqEtRWX(P#jPNn!k45|w}y0aUz08&ja<{MBiF=@#35`V4&4^w<hBy0u$?%?9i&_L
z9qAT#5tpDNE?pMgqst~eVh*`3>><~6d&y01AGs;)CpX1Ba*Hb<w{#|QODrU}1q->u
z9UymvL*$Nln7+&XLf_T>O701zn)_TCxvwjy{}E4+$6_^k!qt%{LOppRHjt-66M3p@
zAy36t@=Ulwp6S}jGqHm_=dRMvg}=y4u9LhJZjqO|+vKHqhknJ~C9i~g<dyC|c_ls|
zuepchwfHxA!#$?o2v6uY;#2xR-E;aa_Y(CIUn5$H5VA>;#MTEfneQRU9Dt;5gqJD<
zQEyui&nZ9Txy&KFo7+$%vkm8c-PR)C%rxX{`-b;(ThIF`zvcZhHy}UTMkIIJ#LJa>
zB+oP;xy^`zZMkT$n+1K8c?b=2JBEfS&uWKdo<pH-=TWHA#)oFwQK+pJeX6WOpJukB
zQML{=+RcT=*m}@dx4USp@*WzmypJYkKIJFc{zH@8-tv<odZ9^n3QcxLXmW%EO|dil
zRQEpo)U3W}s=XhY9`POux69D%2p-M0PeXIur=uu)IEs$=97ShEqj~muC^lj~Qn@Ff
z`B{t6f{5j4q5Deog*^?a-8Ugk)@GELwF@Oj<e=m%14^+Q(ekY0Xl2A{v@)v_t#+?M
zYa?uEQ$#1)YJY>ad2nc3q#N4q;f~Th`l9bVywFaML1<@oAlmC8N5;sx$e6tZ{hGa$
zFY!3WmqeEHCE366CABB`Qje2-X=DXontci#jXcdC&Ay0^*8YLYJpSa%A}{gBA}jf0
zwKe?lNRdCDZRg89YWecWdcHin0iEz@L=};3=yar0Lb7iMlKNeNd|zE4KPxkk-<>51
z+?_3v@6M4V)*B@&8}>-j8mc85XS*bs4gX4V=7dW2^_w9%&=@N@mh+S3Y`@Er%6@-K
z#3)b6gQg*pmr-XJ_PyH-*F1>voI8y1@|?}cJk?C#k6$GPHs>S-dG1LHn)@R&#B(nb
z(p=7r`B7v(^Sr~%><`SWmS9G^cM7wle|FN6=ptrS%K>Ihv>3EzZws@re=D=K<pr~I
z9>?ry4Ps35K4*$sw=fk0a)T=NIf5!$yMs;*a3!6Z*OPQ=-*x7~yc<mAfHzF-Ku@OS
z$|$B|U<`9BW-)X3Co}WUPo>O@D^)@N#<(zb<vM2CSnSp|FxlNJ6!(c8f&1vk<9_-H
z*fVw}_R`PB-g*sw-zymteG2BicHzLbOdQm<2P@isk_USg;K6zm9^Cdb{xJ3z{E@x{
z4~;#Bhqj%<!}MqHu(tC!RDS`7w$<WKyz1~seKQ{A)rCjt9e7MzHy-bG7f;YX!4ukE
z;)$`Z@Fe{kEX2`RFbt6k?L)EBdl**64abp&kMS(S7(6HLGaMB+1J5-?;ArnTI67`F
zj&6^}F@_i%YgmY5+cj8a(Bg&OOR>5=4Qt}I;Y7nuoNUO!OWTcjS==x3Wrh;@vi4G(
z5_bgeZ7-AW^NEq~Q^jJvDo(C9CSZMs1{+jbxzQ&{p6jz%o@-2z?^i9y`;9B*`#V<2
z^Hr<m`5o)z1*-M(0^<g`$!DY7q}q&4#w~JF$5w3i*(Nu4Y{!MF@36(V6I(j6ak1)q
z{Iib%|ExNMOF9nYqpFi^vg#t6oM&K@JB^A(vRrmi{C>rvygYVMXTD-_UIDwfvyfdP
zvnZCt7qLt74k(t&irJ;{huEcghZW26erA_-ma-|bBWz0iQ8p#7Op(%gj7^mtXH(<L
z+0?w>*woGwiskVq+2whs*yWw4*%h)giWTu^*%f)`6kp2DE53~Xon0ln$gY-I*|jno
zyEgtWc3oa4`%U}}_M5!h?E3gS?E1X>tUmsMLZ6?YF!*W|hJ}d=Lw*u#^i5_Db}d#M
z$}dnH>MB$m_O&PuFDz0V&Og8&?kZ+~%|FPNb{%7n_?}_Qe9y9FU6<J7UDa&4Zyj5{
zu%0c?Z(u8Y8`+*N2m7dC5BuoaW%ltGBKxGk&OW);$iDDvVqX<F6tAv5VBZuxgkFBn
z;N5tDR#PDHmjYJz1y=11tVsr}!xuP{AGoQ9f`{Yd;6DCi!P|dau(vu9yiG~qV@eM8
zaV!OydKvinuYmynZ-J<{18>?1ydxU|)!##)=?9RTav(%)3=T2XK#1cqjBtoB($o|@
z%G3p;)!i`0|2j-i-+~FIe_^8IB}{g_g(+qhrZ_!ds<{t@nft*Erw`0DD<H-^7-F0Y
zAuiwxh)YNWl`{$E2P}j6&J<W+UI7c7s~|pMHN>0OK)my7PzS69t#dOZ27C|60lQ&|
zSq~}B;^5SP<B*zA4yn%HV0FStSZ%h$YG*Bc6;KCh3H7kf>4XjDo3O$83^qHT!#;vQ
zuZe|xk^rXev|zJlTd=usN3gj&9SXa@gCdO%P89wCCp8^VK{}zL+X1HvU2s}+1J01!
zaHjhnoGp9^=QNMtJb4;?Uh@JjkbmJq_iOmQ@GV^AX}IW;z#kSC{?zt{OT0T=a`lBu
z%X?6z9RSt5H&nX@fz{#%HCh5TJ_u~C;b6CfLap{wsN+XNoogJ_YbQbjKN%WaQ=!o^
z9h$T=p_z|>X4foeu|z?ub{<^e<KT*G0km1ZfOcL3?XE=V&@O_j{1Uk8N`b#DE1*-m
z3cC0;(B(>lYnJuk&~5~WWeYg9TcO*v16;fgdiYGZ!S99}T0Pv=8sM&_1n#*?rM)c2
zrF0Q3rF(iyQ6eWrMeb6j$3u#H21+6EeW|o3K*}X5r0zXKq<sQMO8XX#llJZT?1TP^
WQ>6WiqNQGm^Q7L12~wY;r2hjALVp1O

literal 2876
zcmWO8`CAib0svrUzRb+`nSk6zK|{VtNTRiJd7yyG8JU16mRliLD^_b=t;%||>na8l
zP!yF%fdB@t+Ui#Avu#}!)CeZrS5%ZMplz*Iv9&5~*B{>h;dOCwadCeq;GIS9q`Z^&
z4zVS!huE^`0kP%QL!#hTKe0dV5pkd}k|?!C6Nl&oqRgryj?$?_d0`G=rZt2)emhZX
z-9en7jfADpL|Ci`i8}faai*}0IAc9YoTX2R&&HotpS7M5e;NNJao+kBaiQ><_=2^8
zxJch1F2>u5ONGtEC2I%qt+kW*&U&Bt!TN}}690_2YJE;zx4sqEGeBIQz$5DSQiP46
z346kOMDyNYqMeyTbTF|*XM&RGx}8MyGpQt*u$=@DVW1RXU~nZTDBVa8s31KJv7}dH
zBIym6lHSS`(z|gP>8ng7eGQqUP?<$eHK@s{jhpc_xP=T*Zp8tHe~|%=yGSwoHz`r>
z)<_JcSPBnfsj`ez7!GR`jVH+&@Dv%`cn*ia+c-qoh(iobI27K&p-MXrH8hi<jV)xD
zvXu-owBy;z4m?-cjpxA!I9xeEh8sr6@WxR*U-<|xQ2t0RF#LieluyYB!*d)7UyzZF
zFUhFJS7f5{Ety!Pz+BOE%r(7_RZC`JRZ%dxd`Sqoyl4rzyeW}PMI4#BL`7aMN+K`c
z>A?+&y|}@M@D2V1e1j9<8#Y&blbeWd+C1<rz8ALgy|L9O#8%rBe4FowZyWt_qj4H;
z;$z&zNpO=*itlhTe8;H3HvV*MGrosyw)e5!HVZd%p}5&N8@Cwe;8y;8+{#7ZR%0Y?
z<455(ZV_&?EynF!3~sl@;SPQR?&K?Rr%{DFZOORHwiI`Bskqzt0q(Y?;T|p>_t-LV
zFPDvbjVnn9e-(BZ^RUCF!FO$1e2@DG-!tapd$u+BKKC)cZ(N7__@9t{+^1xpZ3BK_
z+^BiTZN?961>`V)8y?}C@Ca9iM~sK@DE|l^HJ0O1+cErze;hwDR^UgrD*Tvl#*evb
z^0Bc7|IF3mpN(JPpKV{`C;ao|6Yc_jV*C$&V*3XF!oP@r;V$8){LA<$_h0g<@jLPv
z|9kS8?F#uTca40(uP4WhjpT3q7V>v~7x}x*LB6)#C*N?7@EhZg<T(E)JZ}6IkK110
zKe;h5k^dVzQ569u+9QFxU?J<STEx1W7PId5Xy74;0lunO*4LB?eC=6ak{}yQ7UX~_
zDjo2*=L3;yBM_N(Xhrs&fK`1CSW_{}+Dm{$upb1P4uC-WF`y6}2MU!1%n;Op8LD$&
zhUqIX)ATi%W&f595?lj8s_Sf!sU8Fi8bGk>CI~j&0$~Cx8>VVw!|d%~wxAQtHFbe-
z!9%dv<OI>KG>A@uAl4OuxMFt@*X#=tTqgl#u|G&m!hma509ElUken0(Qe4A9O41^*
zym>KL(aeFg;#82<oCQ|8W`kADn}E7_8&EeF0&UV>@KJFwSYKQPHo9H~8<Xr{V{tRs
zl+*$?C$)nuu6IF!Yab{mc7i>wqhMdMH`rIA02L+E*-E#6u$9T1*vgX6*vgj8Y?a#<
zwkmlmTUAoPR<-;SnBBGkbMki9T(X0$F4@V}xb0$VN_Mj~Ero1t@?N&Kq=>C;*#|7i
zMsTvE6r3(O#&d6}m3X+vNIX(vB_0RjBpz+?JkPcSo_8C^Qyoa<WtN8U@=8DCedw`^
zx2d$8_fL-w-j4RiyyDVVykpDf@J@8(^Uihb=Uw!?$m=<1=M8yf@t$@Xcw>it;Ej8=
z@c!=nmEv{&O$k<b=>=uMdO=r+-qkyl^6m<wrj(^pc*Pn@(N#nRcb%f<mEESe6+=`?
z_e}jVpBO6Za4ePWvqqZz!CFe&y^dOact5q?r<N)>e1$6X8Kq1|gj8iuh`!2qi@qvt
zD`oL5pw9FhpuXujMSXw7MqTasiE8$JOSPqkQ9bF4sRu_hsnJQBsh=j5Q_m-z);~|b
zNsS%7MUC~gP`~%KQhyx1PmT8uQGfQ1QGchuqUqj0X(q#uM#8D|1fhf$2<3r-j3C<0
z5ll}ME}$otN6_w$DB80;hV~LB(q0Y~?JZnNPjaNtLSZgFIU|qubLeURjP<m?V*@P`
zZluK-+iC3BL$g97&6b;JiKB#`Rep$`<+vIcB)mokWn8C&%IoP6M*|(^u+ekMJL$RQ
z_vm?!hje(xFdbe#LeCeD(hD4q=?KR&I#M`BM>$^7w=>?-ckWN6n~%?+Tm9zH?b#7@
zXLcOjdpwDD_^k?bWakAsj;rarej55OKV9Ho*?$E7b^JBslKn>JQb8~-eI!HV02%2|
z$$&qUfeL|)m*d9pDm-MoK2I5)<0Yf}Cd-%{KN(XoRR;a1$zV<Z11rQb*oPV9&&p7r
zgqe^dWB3&chTr!-<CZgv@$?U8Jad$cPu~(on3K-5<fxezb2!t|KVQ}=TEMjCM#x&t
zkxXlUl&sCXkZJ3WX4*wDvi96qrrjJT>k!2=9l1)T!@NY+X-;H1`;(b2(Nd->H-+gk
zFOzlkFK4<%sZ4k73Z~oq0n^=|ChN&fXL`(;OizCn(<{oB_2%X<z2=oNhiH||k(<Zd
z6RDZ|qSZ{lXf4y9yPX*{?_h><3z;Ev5i^{-j~O->Ll;qr{M`oRE(3&|2mo>-j|YhX
z3QnwM<nDP<a`)=Ra`%B~xko^Z+#@d*dQ`_j@4R^ETfGeW4rD>$KsKCQt%ZKoA40!@
zPoRImdMK*?6sq!e!VGaR%uwgSj6pTb5^G_WdNo{GlMmJ6&2qJRH`I#vKz)q~>IaX&
zj|Pvz{2DX-c<>}#J9r+h6JLbu)R*7}@nyJS@Fv`(zAfKW(++pmbjWuOzJZ^M-@-4%
z<MJ;wE^yZn0e9E(VPUN&+&eS{7GV)A(nw&@kQDC2GHAkbcyuU8UXF8Nxh4-D)2Lx3
z&X-r=O|WWcD>T<`gC~Y|LJQsx>of=8Da~Pc23Nu}8Vfv&>)<(j8lJ}&;Q65|@XF9N
z_&+=buWDYxtF^D;b^Hci*Sf%ZmVoucJlMc8u;B!R4Z{=Q4VDjYX$7!}^?^-V3AAaY
zuw{5AY#&}A?_d*PhgJzYhL=ExmV=HHYUmi&z`Lv#KG5pmL+xj9h%JCaS_2%>7Qr{{
zVK}aRj7au5;yIy$(s?N;i;seG`Xbsn2|=A7nqm<nKiwMSFIk8Dou8tqmW^ndZZi@|
z3XsUT9R*lEM`GPBge7|vSZ6@2qzJK26Ovf=BdO#dk~+&!pyeo%>5d_}q!P)U)ktAE
zfu`$Dq8XAiXom9~de3qm&D4E^f+Uwwkn=hUw%kA=Ix7m5G@($Z9fj#y(QHXOn(gdD
zb1c1RuI?V1CwYM8IR{X<Wf;xZjiLpTAJGEm6BJ>2h9V^|P^9xEiqgG83nj17LgzSI
zWceE{){`h&N}=cxh+^vaC|2)=V(UCmoZb_~kNBVjsUK2G{ZXPc043_>XsKR-mexh0
zl#wX3LK=h8q$wy(pMlawGEurT8)fQqP?lbgvPbgKO8t7YYUDGd)^9_ax;;oI-G_Ag
Z1B%rnr6^x|0)0GUL2F0Oqfew4{}2BS2s{7)

diff --git a/publicsuffix/data/nodes b/publicsuffix/data/nodes
index 34751cd5b9d1b14c3a0977e4fa4b04db058b241d..1dae6ede8f292889cb4252aa473312fea1bac46a 100644
GIT binary patch
literal 46610
zcmaf*b)1#e_W$?kNoIy-2m?_O6)Zwjp7Wf}IcLsvASM<fimeFKGlXKdqJrIujne@`
zDF$|4JFj)k-+S%h>v;X%`~Cg1UVHCVpS5;A`+3e$DplxF$`ke~<zHwM;#8{i{syIr
z4(XuUQ>RpAr%S2WEosVT%r}*7N30Q%5BeZw8-;9A%2-sZly|o-Wj9haN+o7c4W@j`
z-ufohs(Wn85j+Z0{<rFtqitzBr4Z)JKKCo9u?Hf>XXB$VuUk1=XP8Qbe-L~3gT;Gb
z8m6wI<oVRAT*fdfrF(jma!&+g*-&73*7f4@m`;d=wt{~&C|7GXR>~KO$n+ege9N{d
z6^I~Gb+1FI)NNf##n+%~)I!Qz14<<ge0cBbP-(_#?UdHrl!{DlQE9Dvf+ch&YROSG
zN>#tsr!tHj%$xJD7h5YX$HOgM*r_tzZxN+265WEQ>?*T$B65Kzy(%kwJB(nkMP;>S
zV&3;6NsL?-R5`8FFlszSM82JNrRF+y343LKP%7U5Dx=0L#D~ix8`aR($!Pem^{8RS
zv6%O+v#DXN`&nuGtzHc`3`(&XXcX^{Mj+xs<a)vnUWs|5vlAkH9=j(*BF<P2d65(s
zof(8Y-2~&2CN=!kybKWh4uZLp8q^5mWE>UE>>&K{WTX0!I-so}%A#2|W!;f(RU=x5
z;<xM{U4(T7m;=oqsB|~dJ=ahT7E-O+11v^Ktr`_!2#k7hWV;$|R@4wyMS~jMsxVOX
zMm<I+fUmmSPR5H+OBNAF_4gfWjBkxcjcJ|TPVcX#&AmE8Y?naXK7`#jri1DnugW*V
z7<G4n&)w6Z^4l8G2pyB5#u~R#^1T7b>U~=1qvtU1{!-+=$AD??5Yox`TLn@x3oK?n
z=*`L9WOrdLr4+d`H+877?Xxgt&gvz$Ye=H`0r@k(_d|XlYo6Vk)cCeJRyD!=)ucMI
zOHJq)*{gQ*{2>}MaanMZV1CA`cI%klu68$0u2Fk<W@6Msp7&^-PpQy~%hdM(GHwD|
z;+Q%z^cLQXr!bJ%7gU~?u@WCgHVSG5!BIFjk78bW-}NvA)>BQL3D-XxIsa^e@y{l<
z<ePPB&k`$^eG?%5Qz3ys10``8%oC7Xn=l{6QD|NVopLK8#jkd#iN^dIwU@UWeExRq
zc?669&Q7&g`(i77{szL;%W3lw%p_x+3BD__?B0Uksx1L5R{+Qu=Vhqu+l8*Qnb{1-
z<XY^Noa<Ek7<<<cLIDw#wsb31F&d4O1p}#lQA_Ph)jiWLBu(wpnpUIsHRht>*$ZLg
zThxlbN2Em7gOdHyAlEjjeOu?&t3%p;K`j(;sYBgsO?7D7L+xrt>!Nm0mDj6T{XM7^
zXJDoLHoO^&deq@Y2N4xqEY*%)wa7CEq@G|S<Yd~4?UJS?PDq20t}Mvw(g9XPyc6gx
z@5COpsB>?Cdk+?Jbby(1op9@M<gM=^FCV(-fHOPPndUl){B2>pEml6?1o;&apQ|2{
zQ47h!kuS@o&TL&`rIZ_1XQfi6I;-;yt6J>cSfdtq<ViO2&?p?*sm^h~O*Qaj7s*~g
zFd?ghQk&%O!A`p8A?$^=;L?4C2Q2M%lqx#Zc}4{D?)f4&ACbbZd`d;<QHo9?#qkf&
zEjzE5T-^jCltCimwOENCOfaGS>ePjO`!%SGjEIdMd;k(%fN;f&b?RdG_e2!?#7|-`
zXV#Wo3#0lTA%9@h^dsy(#Z*ho4y#(y<~3>i!=^4VexT%;ib&{{2HKuOE_M#ystYKU
zj0(c-153%64n+EhvM`7b-@Z=54^s-<Ex~NVRGYG@rJ)Xljh}34nK7ME&0-JLo9orG
zo?AOqO>b4Ysx=<2QFZP@{DzkxY?}BDkHS=PK5&!s=^lT31V^uQ;kUC{SzCu9TzoWK
z<50V*H!L;Go_QYC5Pr5>HMFu=s@RiFs?k`7T;S#m)nxqUQO(Ai-PqfLT0tv5%C?cA
zvYEtI@LmSwIf5=}@-iXb2&v}RWk2#svJF`*!)B*y32%TK-Vng(bV$KAGz#7Yb8%)9
z!ZKKWr@K^3`>7!C?MGXr0ukQ>LLLRZ@7aJ_5k9$@((`qY_vsnmmjLp8E7flsA^)m{
z{Nhq8T1T16+U;m3{KJ3|eFm<74s!m4l&X6mCwkOM^H8ER?-#jqK^i>OPBzX8Qk7lJ
zUsn&@v1mj#fHdiAq3W$wD_cKC&GQW+ftP?0%;<n*B3HDbk1;ey4D3x?NOn#?9jd~+
zW7!=8eYnC8$S3h;gs|fK8adzB$i)(Piy!U8XsnKOvL2}561ahT2*KP94c{885W8CC
z&a6?ZI`_4yOAT8MZL4dsXG6`f0i*nx2E3J9)unA^?Qmyzs>@oxv#Qm`9#o6(2TSq&
z4&=VWNBJM!YIUmv%SAu<$W=F{{5Jry`e#JU3K+$|bx8>|PX;hj(`@Q;<4jD2pA2CB
zI~cz2NJQA(Nv@u-Vdb+Xb$Ndm)o7QXZ|MNgD-bi@p{_`LZIVu=&=sxyl!}f@V`)y&
zmsPm{uYLtog=M&`DhsG9ecP$JeeLSXu2*Z+RYr9U+y~L{#$hCGs-q;r-m8c_T<fKD
zo~f?t_{2(V$59R6;(~1MVZ{D{aP>Zf;EBNSM1tyS|14bkXVJBhB-}_bmi>N8=8pgm
zTn*Rv1HBrJW4@Br;_9AlSdPhd>~3pU*LXgl8a~X4-wy>9<4;xekd5ekA+>;vUM2=^
zlG5EEjXn`n*R(!Yr>^zS$EfEtOnFYjTXX}}!c%=z%?@>Kdp4mKulB0zjOjJ%y0!)F
z_&vi9$ScLl+Xx$Bf+=4PTw_fw<7K-|U2h!Pu5M@zfU5KXiQ`ZkNDp<W8;!fI>Lz23
ziJYtv#vCub@KL9bjp}B@jyKP>B76&LyV=yMZr&sl+puHVeOm|4&m|(?=gn{#led@)
zX)~XQF<6H+kk}=e>Xz1g{Kl)B)ZOhxR&|e|@D}!Vse4*8FdrD-gS}U=SN2tty4P^g
zW=ykV<s(cL|3nT-dO;PMSF7%CJ+hs2&aA_4h69pIyrI<|O2cZEb#p$JWBF3u%cdSM
zauN2+fD3KIN^pn`-8CKRfv!8PV7`-{i5-Py_bDLtzw1KeF+WLM;8mLqg|6pRHp5Up
zXHheJDU3U6)s}ckyRvrKtZGZ^R7Aqp0kZr&0QoM!uTg=cz;;OJ;{e|7?o?Y%R_d*t
zJ4_b0Qo6A~R+`xS2DQ!eJup0Skc-{rQQKONs!`iZAFHMM2AJa|>1z9yM@{vDcN>np
z+q%>X-Dg|Xi>+^Bs)T8vN<U&9_bsc3Tb-_UxF--yxeUyh*$CVZab)I#s^Ul|W9VfU
zp;~M(=5(u<+<jK{Qd>?9Q;h+l=BAO(L=zg7*$Df-25Dd%Fha{=B*%Ky%ZBV~@p*L^
z{n?Juxtpa#?|VySj4yyuxCJ%$-r{JHm)Nf9Q7`wOgRtjEhkC`mFCyii`PC~O-w}~J
z2WUZgaPsX1!?#yG_BP|(xVT=uYIr&rJ|ztpt?Z(EGO=t7$EY`eMx-!Hy}CKCM(s2V
zNb4}58N;w=4D+hj+_F){yiNFcu@lP&`_*f08%*`OQCFj0Z<Q$&xU(B?@>t-0&rjr)
zI5K{=sW-w!VS3f=fP9D}Pa0fLS_r?F6P9sYFV(d&+Lt-07NXJFjlI<4LG`9Fr$)Wm
znul}mYaQzCg5SVgcrZT7S7V@XCRmID3>e3F)Z2X#7^c~)-tl~o0pEdEtlWl1#l}9W
zbp%r&<G$c+J0SN4OX#%>_0Ee9Q@!i{5{<}GM9SyzJk#2VOF!%ByKRYf^`4P1)qCB4
zpyvMrknRVu5^6*^qK_$yI>09f|I|97jLYdi{sVFawjjg-!+TL3!Y?qm3J$Reaj5r=
zB7Bron(F<Ip;q;Q5d^O3wW$w!H^T^S#(aU_qdsiQhEZ@K_F}W^)j!-kPyeH>*Q!2B
zO*7R;t+Q&>$C2kv^>J&U27GU$W;FTLCjrSuC8sY{HI<UT*`q#fGcjdYFz=mjQ=gfO
zz~a4=UN9HA)Q`Tc(jUJ;3hF)T$F2258T(ihda&Y)di9gB93RH=TJ=+_4J&5677<pi
zf3;>%H98PZ-Ox#fhDt|eLp*-M_gv>!Kbuag`nmNs<igj%NM>J-(Z$`U{fw2w10ap>
z*+uSGv|BRWo7&;NLNIO~wN&J6k0rD9+#2%o&kjqLN49A9>2S-xPNQq1_=xMH_)x4A
z4`q?5I*?v4N7PxejXZ>71zncxwvCwbthN#KS9Fx==&%fFcYq)whedO39az3;u;c`9
za9VP@?xd}}B>=HwD)JE;$q5J>C)g|_Ua;3%Mj9j9EhAe$BIwYtbW;2ZVHJ<C6O25z
z%pLEuj50=afpjkq+$OtaRBMzFJfC|kqs>#=ad}F&vbJ|xEu-825JoP+c;u|?`2oM)
zS=jR$`1Kl@mNAKuMCmo1n3{->@M^zh%(mT{DE(Fo<4WLquk57yI^5`40ZV?o%wfsj
zT3urq>ps?M8D~BNme>lf5JqA$1<2s;otAN}$5<`ngEGs4c_1y_6OqL6^;9RhEaSIb
zi_zjTyJdn=1jw?(n5zl7J}I~ak;I)2%Y^obIQQb$>&>L?NlJ;QH$gTaXGYlR5`Dy$
z*v3Fgyoqq)&5f4bTKzSa-91xG%kG^wc3AdErei*tUTfK-+iSJ#Sv0Ag>L{F>MMR$1
ziMR5L8VK-)ddr@zV-a?H>Zm@0c|VVH%DlH5xw-U~_Z=HizKP4gtqg|phtLhQ`h;Mr
z{1Gox<I`U9+yRzg5mpL5Y((uoxP?z)C7$2HxOyK(QR_y_ME}oDeEf_Le?6qIA4Xw6
zi3mJIfO9Ri42$DyEfd?Ww^{Zw4mVNjcUtz^G8>l(5lP;Sfyf7T%Oqncz<n8=mc5Oa
zkPAG5Na0(ZmVMjXIxLgj{Z_*22Yqy9gJp8-&~}9PrlUO0P9Z=`Mj-Cp?JVYE+5Iz7
zy5*k6+yiLl9$a=s$`J{02vmuyKx)WCjpuYUJpG-P{fvAu+5_g)CpOD|t+gg1wTPr*
zw0TAodFYS;rC(M+e)ogrU?<5rr_nN{<cc24l=j(n%l>U!+bste6ET%6!CQHgmpDFe
zK)9|6dk<4h%t9?Z%3(P$xCd>;yAx{p2z-?1YXY?Lr5%<7yY6qdOf@nvHCKgz_PPV|
zW+%x$qMq)lMJ{q40fug_w@foGw-ejkUfRyUTjVJ(WJj-MTI(1LL{CFF+181-A6=G%
zj8ou-=9!j*T1Ue*J|Ift18KX+2HXSdEeE^hTv8y9!=@~Z@h)5j_JPrUo|W)7c3KWG
zEQnMeN|fG3ewL+vGG6*S5mhY5QEZOGa>(XmSpbTUu><#R%$pZr-u+XD<xuxeUBt03
z=G}g{#$h$&WrNLfXzQ37%VEX>T$V5Jv0gnx=NZ3Y&vPf^D*PPwQU+;C88}L0)0TRp
z(Q;VNOiU#cL|*bOr1U#<&0idr>BjDWH14P;gv-F^KFe>J-uEb3b4M^5>~2J@vB5IK
zeU}xDSBazK^DfJbZ4*t)OwW(#dPg)^W^M}hSY~;WR6`5NRpK%y_Uh_zKAn=!fK+;!
z#QuA_0RAXd<5)s9j<s86wOw07>gsDPha1Bv#r|Ql9NuOSbo_d+Wp?Vf46t0%f$)`t
zn!LhK>6A{(?Dj>X7BekJ7$;FOAHtr0DR4_>3FezI5H!#T?v1y&>@Mc91Z|jImLpno
z(J1L|!17h7nTNFt>9!ncPPJN&Y###G`*N4%DEG%!%TcXM+AVWlt98)b(=iYj*<~>T
z7uKRXl3)^}#K#?Q{rA-)Qs>3g$$%_8#A`8H(-|EpIUyGw11e*BFWLAMuJ6;3kV0ns
z30Nt5(_=APhgh+<7^Ee`K~=T@wd5j)#bbU9qa@#E@wEP7TD<MQwOf1vCm_pvaakF)
zS$u7)YAk+ZKiZ5A;`Lp>5qynUF)oJ0SY$%2V@%759ru`)`EB2sFmf=ON-;p<cY?X_
zfuQB2f;Bakla1l+z<3VlRlfo^a3rMUuqY#JN{8j-o^MRcDegmXl>CtVC2vE{d>kLa
z72V9E4{`24t^-CJZAnRSa%UY@Zh;Z}jZ*S60!)6r(Q-=rg}_MUW1x_WC{>t4Fok37
zkZ}kXjz_rs0H@_tqZg#rcOzF2CW(oa-E@zf^b1x7aQ-T4=BqH={Z!rkabkPYPidON
za%$TW7*!D=Mi&gH*K(RiKfC;^2lFHCmeab<2ar!LNBvCz4^MGH4g^N@WYh|0)-prQ
zm6UjJQogMS`$vPN`giOVUQlaU;Bk<!!iR~s@DUGbI@Sw04iV4sm`dE<fTKOI;=T$W
zo<d03{7h2f6LM_}bLRdC-j)ctp0%?uwwx|&hLM;^DfvY|9k7^EX;X`3!E2{y(dRd2
zAou<d$Uiqhen2=iY&B%mM#wnYQhUNp9f!Ttd~{Q%keAc~Or_2VLoV;PoSwP`E2%q!
zkO%u9&q(#T7D#I*<egQJFOrPTB@EW0r7((Guv~N<PnAV?ZiGB?HRMTzi(W^!=xrgt
zQ7s;q4v7j$W<x5MLzW4nN!nI{rT97w6hDea@rE#@PeitFf_zA_i@(K3@y`j!AE=c~
zAn1~P5GhGTAghS2MABJu6~d*KO^~btNNy%%H1<j-g1Pk2bj#_l93^eW7Kr4&bg{@?
zBW>4hg51~wc^~1jNifRhMIpxtIT?+zMQn>@i=}kIHpr5#kQ%8j7m-yYr|fbLq-D3|
zK^}-h9*qc*(s~hodKF|tE~I@Jq<cGL6Ty^i83K7>1?0^uAfJfHcT)XP$gfx_&)NdX
z17!KAOvv6aD$;>lksXEP3K<6Q3OB+P-ZV(0S;(c36E;~ERxHY()Q|<ak?L!=2={in
zyW(DqRy@5C@?045yj0&3^Pi+cK0~B(0xm1(2ss|4mFGktlJTklZB?N@NQ^$JmiIl?
zbFP5|${?49AZrk=e&kBX6KGUFCn9Y^I;7f1CaX7-i0W52LOu{HpF!s4qgK*WYdNDh
zjmc#0#ypRVk$Lod07lGjIiqbRQ!Q13bN>^}vV=S-xvyi=B^J9Zi;OzB(YHG+i(03e
z#32uqad~P>9)_^-nay(M)(orVEceDb=FFxZ%UK<>YhZMAC^amB%fPLa<Q8n;u}?qf
z_~bx8{s(ciz82y6Sho1mC@sR<e-bvcZA^nwrbfv}DOSCsnwjE$G-7d*Q@RpV<;Puy
zkD+wDZx0ymdkN5Y93<2frfQ(!&LT=<5((3<@`@J2(65O+mv|T;U-+;rZ(9oP-VE?7
z84M-ovD~D-A(QT32-?%$0(mt9^7=;F9E~iSb%=QX1vey*c*cd4!W}`fF)N+wH9*t1
z)8QE_vB#bCz`e4*O-}s)g6K1-CBErItshfGTg3cZ3=n-27~YhLseJ*iFQWV}1n8(2
zP^*3e=OI}X%(scxvwjo6<*D3T478%}LJY3wF%>vV4BP_Om^cF6j4tHldBN+2Tlj1X
zr5;QfMRZEC1mFb=FrW{(#w(cDCq{j^3tdE2AGhMQAWdaBF(8|8>^iF6FLCbM+P`Zt
z*F#{i_Xj&(ce3W{Ha!INh!|}1Md^=$Q8FA<17kym)Sx|mi7;q%aQJ8|)iS&-_tlXc
zd9t>J$gZ}RaRZSLATSwqzKJqeT|yiXFWaJZmE6f#?c`w8a)d`MCqr2soyxj2Lil5@
zAh9EC%Mn>ePdh%u(b!{1M5Z0$H2Prt)C8l8l#HB#sWBI0U|6(HSsM<dWcfZ0pdMC+
zw43@=y0xuCrPm&b<(ws9rScNZFs|ys!2Yz^Ps6B^+w<&?9h7VqrE>43L*>nFMysSm
zzsAyeDf^O8_3Y6%l>^r-HGX<ku9*jOReUl=-7+P0*4$^4oKT23jL&f7FY>}IgzJt$
zw7r}g8xcN|F=VMFXxlNOJH1|I>#6Hl<5Ai2+HOdAk90MpWnoCEjPsd785d{oN^$0M
z_}~-_`srCX8r80HQui=ybMM7o;q78i7JxA$?aEqPXp(Gu&92g_>D@$Wt7S}bX3f?8
z>uIl3c@p$cjZdzCRYZK~D9u-G_^?}d^|||OlN=0{HhGA1--#*r`5vm1sfyp+7Z#Ij
z4b5>7a@w1`bIoi2)6{=8;GIqC{wr6*Ra`46rxm|SUO*|i!?Vb%3VXLy$573(T7gR@
zmDU&>=mTNN)wAwUeVH`am&Tr0G3B9uU<Ul3lSIh_uSK3FY;tWg;7yj?|L9UCj-E3C
zdC<`ZX3NDJ5&oa$dSvYA7u3jJk8~rwYOOEsWiI3~#+AIx86jU!=<abJy$rRh8N0@M
zH)L%aWGlq%leT+lbFZZ8Zl)9nKnxk^hJuW^5$6N3r7fe)DqM?jM@h*hZJAP4Qq5_T
zk`RYfvzI|EQnFegBPh9TQdP@@(IyNbY0{QsfjFgf>@rA(RMXoa|DMyo<o@4NCxdz*
zVRl&_^qjGJnK-tun11%j8B7Ry5$U{uggGyPkv*%9QVYX7=W`#WCn2`xTBXLx<GP~&
zhJ2O7dm$!CvNQtv2qG1)kl2Bg{E0xnEiE~=Yu6H~2Tl2F0TyYw2pz=iJ`VF-q=5AO
zdbaXTM10pXasF$R>Q5hoV{*`5Y7N0?eDaNr(%*h0KOnZEL$R!ldJhJ8<yeMAd0P)y
zii7Nf$C3zb&nR*crL0_4%}orPJy|0LhkSA!<_8wCL&NM$vYJ)yhk1=4)=q}Z3sKYK
z)O~#eY3g9Jj&H+!LJra1CA5{aq2XRja@-GL#hgvazfT4wc?vXSdG*N?OZi!t*WX&X
zx&2k)Q#$~82VDPWRE=zt-7iAcqK&L@#-6okT#bnS#K=rYNk(k(T%vT3a1hbSwE21<
z^2N+Ra*S}T#0%!K6Foq)u})S^rW*VX=f+auzGoxK^E%YHf&4jxyH<H`3taE79r#_0
zuumR+z2&r-heM(=PWAhJ_e0VqS53Q8Y=g0!s<9WPXfGsCPt}tSahF4UrIHe(4icq5
z^m}6enId-p`3ubHfFx@fO$Nfohme8|5O-Mzz#9T;T)S*1-bu8Te*`fqZCGid&3`(i
z@D{RB+Dco=(~`PTwT$9bwQ9U?HEr$}J+wI>)%O!>v;mhzGYBvx`>MARKt?ti^5S7&
zFvLIUrcG|`-PtyTO&{K5y)t4w%G$ObVN+ixIBD~4f#|ztJxa=JG3t+DzHEOOresYo
zpq}5U8va^F&d-#R`7pTPr0p<D1@EBYz0rfq03f+zB&?kTV-BV2evYniZwH3Q%DD3E
z$uRRwV-+aLZ^Fu}sD<W1l4EU*&KpJ70wb}h15?M!#E}~t_d|$yhQKx6rDPrfHy|0;
zo3$RS?sagvHNeytFp|G|Nr{ZzvRkO?MIr04jTn$cT7RIYhpn+E<_*INxd?_QB30Rn
z40+Ht<gJl@Q=?yf1UH+sjesHNA!S728kbYmx6X#VS2GSZA#%HF94|yR7DL}&PHYFR
z-%51}B_%M_Fse#sj}jQHxe$S26Bq+KqQFoB!}h(j1+AQd1cnkAc7dS;h7uS`F29w)
zPy#~<3?(r1{-y+m5*QYNp#;W%U)-Ds|5t8ixETX_{SzX?XZKb;USzZn`=xK!aLl<;
z=FI6eyE@=+_R{Cs;QqOrDtV4F4sKW0WfsPZ-rtNTF|Rvsz?<CS7<shmBZ<FRs>^Gz
z;<WDCCX9Tl`iNtkE2VrBA{p{-l+x&SNK3ogv-@oZh$W4x-jBx0qA=!m)|{NrK|lKN
zP52nW*tK8LtR`;$2tavt4Tw14>b+Z|()<3uAN_X0eZNOds_%5Ez5Ue;Lgzob@g~Q-
ztaEsP(ddWIYgE=Nifh&0`ukILb+c0G=h(p~W5bwK2l;c0F-+R@qGfFcsUDrlVubaH
zR^CAlWYQ{$7~F8nW`a4@#pOWTyxRZi1u;5!B$iENvUi<JSucMKVU=<sHzK4azj#wX
z?N=uI%(#SC?brVYQ#Wl$n%aNZMU9l?bdz;X8jl4FHz{k~&=$4-RSBSFjqg(j<jQ+?
zdwP#LpkuFqI?(%ihqA6H%23v;H=>)~oT(0}l)D1wMI<(NTs<RnWIE38@j~Pfn8%gg
zl$e4s{;OIwrTvbMfs#`7glhSiD3#nm4v_in|5M_`c;JqeAvHCS@~de(rME22Hg%Bq
z({6RJ|2hK9SV7y6u9Zr;<n5A6c3nF!TBbIf>QU1~SgEyG9)1PumHiDO%DEkAIp;Y*
zDu;6WjUDQsW&cSIk%Rxn&}wR&iP4C4*Pzw|PICH}{?$WjV5Qc*e<2YWvmw^2GSp#u
z;&?Y=U|`=GWwMrJ*6bRI@=c8LS3ul)jE{p6{?^36yOfMfD{9*y#`tztvkxc@e};$A
z*svOA#W5yoS3x}2!O$lPd6m3tUN%vRd4wT16Ui)7%}562IYrhI_tthw@=nA&50S(~
z+Kk*9$RCtSdTG;_h5C-H;=&dVG5gSFWI)Qe_&sdr!e%wSXjYgY?Tu=B>scm)P>u!z
z9RNd(4zFVQlTYyG${p>n$v!nxXTvVfACirkm%hv$kMGOQUD+5sBMqP1%sBm_dskSw
zyU}^hyJ~mE_UGfZwdNEUvX{-u+3BUH<)brw_8C}s<Pl0ite0QlVKg1h`_P6K<i@<!
z3FB&pg}Mu*ifkNyLsvGK<!Cy=&hVLFr<(KQMpp0g)oOM*@v3q6QdOVeWBA9tSh<I%
z-m&XmRL5NYL;yyPN!v9<H0G`-aIfcL%Xuvf%ekx@BW~p6Hu4eHrg76TZ{J54@_3jQ
zgIMkesAH{uxYlDB=+<YLYSvkxA3B+J%|4IGB%?`LOw??fAo+58IpWqF+Ux~n_ed!{
zB=NFF9NXVRlvzDNb(~s4pAWe`td4v6h88g1iCTsOl5;pASbNFAn57`dxxWeB_aT;j
zq$ES$V%bXSZrIGS{{0IC{XzutFRWOuC74m)BIn%hf?P`5$f?UAC;0GtKnNli=b4!j
zOivmI{{w(A=6r-Ro<exk_q64AGC;=HlAQ6&(Y1XAvA-(hJ!Y-LOUV&tvOD*PK*o~@
z*X$S>&)Ep$yiD3g!f^3&?fB8_5{$J9)GY6ih}_p8_8c^<JLwNumX7bf1GtXbUP9fr
z2?VW|0eAN;>V&cr$${hf<-}G%TYeMC&O9CSV~-Kc%QArW4H3C+0CU<tjgSL~BTYU5
zNb?CfR>(<0PH%*q6M$SSrDalTazUDVAeTyYwN!5vvR0}O_duSI>T`{dR%vUOYOj>!
z@+@tOkQasQ=z+Z42zf)uyF&iqVpUcFh)qbYRP%ZuyGv;wDaq%u=`$K3vjULWQZ<Fd
zr7hJ1sgP==lunS+DFM>-03D?s43fkH8P7wiXv?~k<fMJNnwfG7lQYMKNLCm9p?Aq~
zpO8e=&omfTktCgc&2-AEbc##XFm)1gSr?JXtlCQ<&Gdd2-{qdL^FH2hWn9{;P7K_H
z^Q@-|=*9&M<>7n`aANyd3=I9aPe?yq8;CQ7@>b9(YqrvFr(nft0iWwoEW1ttnrjg~
z?ds&dJw2WAl0I3;%MpB>RLu5d!QS|n!&GZ1W!%XC$@p>;e)F-Hbrd0F$$fj)&IF_6
zHZW%&j)4(%ILe>aLUnEy<f<Kz9eB(B4a-BufO*K_*^uBC$g+M&vykgDiK7ACQKi@$
z@(SjM{EA%8*c^h%#8lpiabmj~Q+WqOAx%Ay^AO2<eFeJr<T6gHR$?H(k>Pj{)%>-L
z#C*B?&-wws)@i+jaHtr460UO9P`b5G&6g9v{LVFWRQ8dqog)t+iPjuQ_Vr!J@%@_0
zc3^7EzYuYJL^kXTTGUB_KEJXy_Qljmo5yZfC%Y4N@U8We=a(`taAHiI{NhUD$hit#
z>jTTxDYhZ#x}q%WV{az0IhW-@uAwbw9l_+R2Vc&!bgk<~G%VIlM7}rK$elv?xq?cc
zs&bDCs8hDNV^n2L%q?cDsUOjG<kJi4Sxl+hOm%AHk4@^-?rtuAhgZ=b!{oEo^hqKo
zSIQ&DNo-MIjP>I(Gf1AD7vWNUB-uTPVKL?l0$jFN5cHi6a*&U1-b6&QS0ou54+b#x
zeFk!Bg*q)E&)8#kW~tK}yhCs~sRKr(lU&J;ohNHkUYvb!^(pk$_!BYe<g=Ltp}k3%
zRaS=Ff1oz*Jwg8x8fs`e1_I6Wpg+VYKAkSJUjxz!X<Lz#Taruzjm+1u?3#!@m%I!c
zQ^^XPx0!K}_i`H3Z<ZL4VPXGAA8@mmL&n2!)Hi`(3?-KhHJ5`pT$9MNx|~whsW{47
z*aDF!syw;87`l?`kU!AKd7s=n`d6z3y-8r?C5UL`7n{`S)n0_1kCQ*^%VNGE1Vdi$
z<<!xQqvdVnup_AE#x7N-x8K)`H#y;@|F)Tu+yvV0f#mUS$GWsPOD&9*U~dfX92WLf
zi(e-Qa^+4x_oo2K9)rE{^^l=UGt?PFYc8eKfb*fvaEIQu3f*C*I^*U^be`=50Lk+Q
zSJ^f-yKU)4b!708bahlWui1>&x3?&B<A+<6*S&v+^1BaTrGoCNA$%}+A(wk{bg|xe
zAD`6A(Ix6`iK=*&w?!4aadw#BYdw~(QWdt4DmK=IRB7n?3>?Yv(s@5~RlUs^w{Xr?
zmRZ{&m5dzA1<XcEGjP?Tz|FT3f?5k1^E!#h-^uD@A4}DCbQWW+kJJr2D+<}s&$zl`
z3}nYnR+<q)9vDuF`ypdotTbbzS28wM7pbz&aUoT4T}HF2>NvVj&3%ze-g&8)n$;2I
zyu~|W=b7}IMP4S3u3<Jx>ByZhjw=7(45ezft2v@JN7RhMFunTkx;kFBh`2?>)FOjN
z?EfI_5n<1NfZ-JwK7rwTK^*;`R{SCy5aECp{tu3VA`%jj(0>yNi%3L7BL9DvQ4x-b
zaP0pt92emN5&m1k66G)wJO4LBCp#%>g`!sY-!P{{q)0@H{{JwFMYu$SOaA}Dr6OD=
z!hgeDUJj#tCya{1|1tzL`bv?j6uGMZQ?6R%szq+Dmis?@`e+e8T7>_GO1qr56YeqP
z|C?)FD!1LX@_J^)ba}lpk~^~65j@Ra7LKqK?Cnw3>o(WYHjQbJo>9j<a<D8p<=wkt
zQBWBy3d+Kwpe!s3%EF?cEG!Dj!YZH?b6@2%_c=R4>`Xc}hDpcN?PKb0%x2ay^VBeA
zp32JOX=3ymcFD2wa546Cyx9+;lrA4|<$p;j?FBog9-@?)Mai`qE3VZ{`|Q0Mgn&Rm
zTCZ>SAeR^5IYrhDwZ;mOOIfX^AFp${d*B9$Wi#z@Nd5whx|aH>R<oE7kx$WchjtUk
zx1uZ8{<eGSD9P&!+jitEJH&@PscXyDX;M7}E7nK{Rw^M@xu6>-x3Fn^2(Ik%q^a~7
zZW}Ih-V_9K%_r9cyB-y|cGz|M!Se^7PoZI+YNh0ms=P+fFRK1_kEE|t2k(*e1JPeZ
z7UCmf1)6?_{R`vIn<q;@BKiqDQ(l$n`xki!bhZ{Y<aDjM`eSqbh&<>`zcJR=q~?$s
z^5RQVXKz28tw_l$mw_ip31-;W?dqJ4%;oA_k9==tDey7EB%O+1<((@(`cuwh$<_E4
z58VI#M)5E2d-Q{ylIu3xoR~VVb3U1LuIg6jTlVu|Z!`yC`$@D}Z`=sEp$YOSRom5!
z({XZC8-5uP4NbAnIM0NUwi_KPk1f{b3n^tD03+u>#^lhoo$CC$ljG`w;HwO3*W(Ph
z{B4Mgdxz4<6P@VhQq6h<Zq~F-v>im`S@KXb?kv2i*XYo^eWM`w1uR(~(WY;~^hq#l
zD#B?`)0T4<TqUQGoEG5btZ0CI!*-{Sbap=@+kOm(lOc~e)P)6K_5)W2@Q4yLY(L^{
z)LTW6FA;HW4P!J6$*PVqlg~~E!6p#o?ciuIaseNYj6DA(U}Ta%P4rtRDP7Pihh9Bc
z_0$-#)5e6|O2QmRFf44#>V&MoGB3TA^F)@1r40c}Ke2(Q@&3cQEQi%%Sx%F>XzN`-
z(=WaCZRp_pZf#zl6LU^uSPW5_+@LXMAiYG%Yi;YLN4Qv8?qUAcoY<)@zI;6)j4vT2
zmg8|GFO~l?t{h*2MW@O6UM+njuO$C6#^pYCaIoqZGK1WIzXbe?Tx=(5`U+$~L*GTp
zfYaAcdM*qa^_^uycyEZzfTfo|;b6s_P1Vs#!UnyWa&bB6Qs2`UUA5dn{rUPr8`a;x
z=(#G>s>U}1wY+JhQ(plmF7v3`)<3Z%r^3~MJonoE$CTVvc?%%M8TNr()eUMyudCgq
zp=a{nUmL%I6+LU6&!nmPK{X9r=lRczBQ2-Tf9k)!pZ=S9eJiAIw)G|8sCSmD#*IJ9
zXukoZGQ0;~7F&Ah>CrrSHMPpu`BuikK=>n$=my_+#Fldl4AsS?D}SDnU|t@)aiv<`
zEnh!bG8tTaeu#*l5ut&Pe4B}FmGxBbWdpl`UTEdYaWDj(PTf8KDMNa#`%AC>xr)jc
zBznXu%YjV4)Lo2ceT!Z33Yfk5{sEBm3@Hvg$e@l-<?(CC)ZKQClJt9-$=O|yf>wFJ
z8ji-8G4+r?uTKg#$lA1uNvAKr-8U0k#R|^Ap&)Z+uzM08;C$Fm7%=~6A-3bmZelHd
z^&;(=Le^Z30^`<>U4voFWbeNXR+%_D{K0{qbfKZI<cA&(SKWffpWMsFT<K$JNyp`1
zlJlpPzwbT5(A$aoLC>z8Nl)y-8~*`le`eP@oemv%Gw|o&|Jy{=yR*X#NiPtf+Ormo
zf1kSkKS;!%m<I;>-{1~%_0!$B4?@y!sA)NUrKh3k387zS{w+=a>BUl&oE`>lX8(*x
zuP^!okiQ50?~B%mZ-_%r$-f~D+(i;?*V+hmnCGuy*_L$gx_T~p2=pZtto$XXGAr~=
zbeS{4oY{?GG4O$-TufIiAz@V|2v_|~wc3J4_0!1B9Ys~muh|v;VB~)b+E%rkaVnoc
zjoh69?0TAABcr90eNgWChssZhb7beV$j4Aa&SbC-y&gI1+UCE;X8Q)=;6CKa_>}I}
zi--I}$-tZR!M+^)v`OE4>$#w_tC!Nj9t{1#?9uD9p0$D7$d&$ag8OJ3mCN0=POSf9
zT<U*T(EnGU`y+W+Bf1Mgs(*W}fBCF`i|jeAYgb=-E16}LGEGxW#9OjI4E?2DK|SX6
zkWa`PlhS`Q;4Qy)mvjA7gV=tZymLrG^ps3FvEq4}<mj)w|2%?S-zp1Kfqa3Tb}qy<
z70miLC>?NvF^itj@#@oI;(V;=Pa^-kzqhWwhoE(odb;Q}Ld@T&E$g;I*}U{tq|au9
z`O|80qonNL(p$MlZA1>;o3ySTj)TJbb*nMN3WARzdUhxG#d1o1^-<Oe(t-Iq!=#iA
z(HlW^jEMB&tG(&J-Z18)p?3(k+{Wwv(B5>%8}&69m7jwc*TU6f(im!DMa}|-jXdkH
zye|P<&(MLHCkJ73Azfz3Z*z@2(IAPt@;4Wx1G{b~Tz*UigZ+2l^GE$oME{szAU3&}
zai0Y-<YGoWiIw3W@Xhh?Ke%ET+~2G>_Ax_WqEm9OU`FYamh(JNWp1Et<jiz7x%Zf0
z8FN=Mdv4`iH)2`_j2b}dkAAE-F|PD=*0|Tu&|m%-^3;*<@UmA_HgIm*%tM#6wSir2
zVZXYy@G&N$MlkY4O2d{$)UDlVjcScQtwpVQV<%%sxtOM7&Iw|92EA%?a0xR)F194a
zw}sl8XuGPOJ};*<atw*E_jb|N)W|_(YB%S<J2t7?c0NXI8FH2FlznE@eIUq`mp<uJ
zv#@*$>6E#DyKg8+^-0j)i8plv*L*F@(aoOSq;9`@2A0*Kwd#&gJNHOSIdoXB{*16{
z@~}7VQx2}VFZ8NAYOZmpwf2qVIgh`}P__d}XKrDpTKmTD+(Fg!(oxy(lPft-Dw}+U
zlXWr(a^(eW!w&Gtr<3bSu7i<gxYS)8t;9BD9<gOi2UYI47Ik;YnZ20bwwVy-B4;@U
zdx}lOdeaNQ9XKvr<=`yZhh^QD@>*=*iFDuthG~q5frmmnCC8mss&Z4QukS3mKAex?
z0k!_MTFmovsdcSfx7}$R=2Ulf^3%M#Dg!Qrmw-xNdj736SRE@rtLH2}&}Dzw#Rtdp
zz=kUa8$EmUgwS6@4o+CTPz-)`ucx1$Wsbvup{JEr8~AzqpZk{jka4ACU2{H9S6I&R
zGE=(ffa-Z<QvXp@;12R<$k!d7Mf69glrbK9qM0@uZH2GVwI#Q3k>@!RQh5QNW_!+k
z5w1KD7_z(?r!f~oNzpxttm&^*^dCEwR?(OGkDV$PceAM0GI5Ms5H4E>7DG;bMsp45
zdxMk=ycvcQxsSF=iCbdd%fKyJ!@;ZaA||Y_m98kAwvml*1L!N30la)W;ipE5DTRTm
z8!_PaQPLT5Hwxo6NR_)0;U`cle}dafbG1VVv(dbTQ<^Dn9?dO?nC~)>+;cFX|7IxV
zZvgJs0805UBl4MIPZqr38G`vHGU@+<QgS*YQU8aKM=q<wzoHRQJPHN_%(CQT+?6Ju
z+{Wf`3~~i0FzI{~z*2f}fV18Y3=mHgm-@4wKsww&7U?wPRebz<Qm6mCNB<ws;2P`k
zk{s{x7#R42o9{sHb6`|2xyIAz`VOIc^gq?4TygsH=<HoX#s2}-@^`70@a+O05#ijs
z0(+iFJN9N#^&L%yeDg8yYpkJ7j^e&|srthNIPf1Nog^pVS^>$}gq4p?N;`=>@Fuwm
zyn89+Lk3OYQx@95S7amb&moW>gz+;70>AAbLsmvp(6y4`a~g>VFZE!`hRfo+7)_=7
z`>8tGN$1G~I50K(apYOu#4^&0NOJvZ$kSxkx{<M~|0}{+Dv8LzihG=klDzq;x(V~8
zRaDCk=;c#^r$}tYj|{1bAM26JLBv>S#fSWozc|A|)oYTMQZf{q5+Gq;Hqz#xEik2y
zl6*^NB%Aq^>Czx2Zs?W%VZSM_Jxw`c$5MbaC-%TSu7eQvb<+FuVvysQ2Eox(^%p|k
z?iwj!ApA=K<PVZla<q%KDYTVM=n?{4ccPuP1Z_TE?JM_Kj}Skj<c)eJ$@`lbP0wE?
zRXQd94*eT{pBok<XvN!R)CNuzff^Qo2QU!lOOtyymrF3W!7bgNHvK75C@SGQkSm-=
z*1YSZkf)Z@CKp@&WE!OttdJ2@O<A)GLx3zil2FUHplcrKgZn8W=1qtg(HdS+$q-Fk
z0II~r;7c5huqhk3{w^&z52L=1Ntmylk~s}jMa|^EogmNp=hVgs6E*qvsG=8B`b)OZ
z9ysDh&s2So=ryDydJTXQKVvzm7nwa^1m$7WyBsz5=5~a~*1%m!vi<L^gnYII;BSM<
zcn~#1@*I1TI4W<FloTL5__drlk(m-J0G}yeA?a&Ax4eAz|4JtZe*%4I0;KrL0MMQR
ziy@~fbCeD89tbK<lQw@Ba-LpF7Py74B0TWT-C^Qwj1YGpZFgDO{Z=+nwIb)a2rGX1
zU5s%ERqqr1kf)h`!O?<+8GoPoYb|Q}T(<;~_#|P}0L`fBLHOeuO6eve?53Bnw^)|f
z^HY?B_>M=U<ZxzGuqXjJp5YTbpXDnkU%LjsWMYTp2W6pRghP+R4IfThxP&<!mS22@
z<(FLHt#Bj5hC(ic5xtM`9POi8Ixdg!f8R>}GKWBRLpb&+2I5I{3rx5L(Ok%*Igoy;
ziNh0gR0Sa<HUrJQ#s&J_386ZN?ny2TkW(G%!9*03|I`V{rBgz_Ye`%v6XKFAG;*wv
zQzKw5VE-uTg~WbfASF&Cb><|-Wb!OBnL3o^+IJ-5AovlZJ#-?ain~Bxb}!Yk*QmxP
zlF4LoH&)JU2jm*Cn5)RRF`TOLmW_^o$_b2*KpOM{Bfgfw;5`jeGO>XW4nZS%1EVf^
zOBM*^bA;sk#Npm%LcX;^?v&E&kkkhwnFb!_bkPDS-FOA$_CkE@pj7-WIjvkpimQ$v
z4LP+GaxQPvs;=fYXH~ZddEgaD*C@!260$aio~hmwd)52B0GUcPeO`^auYGNux?g`m
zrytD+4kB`nu%2E+O5~bKpEm}N8v6Y5w>u+!Oi}NnHt_h6s!<O{4z5=Zwoa|*kac*y
zdMGu6<cv8x$m%@<GV}=YVk;(B>JS)u+qOJHH(I{2<J^v4t6U9PPYZFze76>|C&KpA
zdpYlpV+f?lryH63cBzLpABdWj6R67c3z-f#F9TuA0@SQqnXo#n>~)P8*gFW>+6`%h
z;RsN5K8l>>3QB1UJIPBB#?TH#^zFWS7_Mu)Q$1YrxDUA~R$SAg=$6~iJrd_mk6j3H
zIM4OM-Lg?V-1m}CJrerVr5@>--=`i8tb*YPhMCjPf=|tCz`X2lqZ=_`$ksNVQ|_Z(
zQdRR2$!H;%jJ8Yw$xn4Hn?0a9A4ggH_|#*Oy+i7;{wauLok&~WqHgtg^p!64_$$-F
zm$u!h)*Jg0k+sF4*1yKjeN_H!AQ->6Sv?V1>r_v4oe@$`7H1=(E^ARwZdsa!c>{ZC
zXCpV});jf6<iW6ds_%+U^>pzGUFzvATpFt(7j>y;<UfB@@E0o&fUhxe?47Jv{KlVG
zLhqxih6nIF5_`7wopg7TUp>>FK@x||Z&1%h`O*Ee?RUdX>p(c`^g22;Bb`u}cc|xL
zw|A@O-q@>2ZIFLoQ6ts`)Q0ZY>(ujxg$%i(eX7-)=z-Bj{xah@8uzpvQ+Ich`)}>4
zwf|PTYAZjzQMGM3*~PO}6a=z)wd;Q#vAlra(GLd+bt>kEmSe^8Il*Mf$FH_KC^_Ch
zEmI!#bH65Qx!+<S_q$$FGP#2!?ncS}s&vH{EF%^<363vxfFR*i?R`G4>M*`=sg4(4
zXK9%*!LPakao`TU11q-Q8Oru+ovLf&hz8YdPN-Min_7BQPvlsPX6#Rf(idVXZvpu1
zX;{v3!N|UZ>}EbvM|RJ|l>K&x>Urtj9@QIsJEVHIPWOT8>?YM$Fs4!UZJG#h`}tkC
z{I(u)hM=#aWR>f-{AS`E`4ZKfeTX;jQ@`36kO$fHy}H%L?q~7q_(uS_0ByF}_*KV(
zYHk*bmZv41)odeH{9_}KN(N@=h~=y$Us5fUPv#2WMx*eTO_1MVq<E90Quz$|l-y*c
zCb5d9>ZR>6+KOs3SjhHS1)0H?P%Q7Gii=<rFGQsH%m`!&r1aEHkVP9IOJI~PL!`7;
zstuIN52USPPedvTF;!8L33*b;`?OW=j$Gx$5M)vd<Z!B0bKzFo;8we+Ru5YaIfv?8
zep$RJ^mCKiw6UO1^+$)KtNv{^QZoKnCyTl1U?63CSoCEMR(VKbbOlLFwD{QgWXXt}
z)I{kqsu3A=<|AY>YQ=Bd1}VPQ1>p&o4_zBUzXPtZ1EZds{A>iW{}#HvY%G%-sOn?h
z&@Og^$7qZEf=J|h)J%qt@<tI3ZMOmZe1roJ*Hc|hn_q4SJePyT*bU&pKKdgv!v)-B
z-Bj<PR|D(lMspbW3J<cwJsTgfZ3xHv0{9(9u1q=RC4WOh|8YY^j%B64;K-20JUr5m
zw;P+p0Bwn%$zS*_gd?voO1x_v1bs7AV=|?P3k1e~Kr0)MkI19wMg&zX<^=9)>;*<3
zTyk;)2)@R7Y>SAzhlcw>xJHO56Tf1r$PPaDu?Tx_O=k?rc49t`T4)Z{a4x#hBVCxf
z1V?_^<3nHcG7d7)C}{Fw>iaMn>rsnb4+-aE-p{|DD)V8~Qe|*`|AbN80V6raPj+Rc
z37>#pb3+%xS74=(d9Dh6?*^5;?sCh&i-j$M;CQOxhs4LxO^A$y=#KZ?if-gPA!CCi
zVj(Vr`52A8=qIc_sHQwr{lCJET`5*r|5R{zH^CeTqr8)n9s;Gmw!oN8wV;W3Jr5vU
z_&RO=*NHb#3nRv2sfzDr^$ES$NUpx3ExrWju~<D}MWi|$;lk74hSp&qGDX_t9c1ZD
zFCq_hV($~M6h8~YBVWn}Mo=}T^)Qf@B3E^n3wsCP*K<8*kdhGu9b4}}*MlQNo}+v(
zVcz_f&MR4lZg3WkV)99(IRvArJWNG;fKfIMZg^|}K$~iTVFEI8D8zqACg`^lOwoM+
z3e})iC=;i0!A2MnGy-S1V6e^d7sn9)w7y+w@`g6!t*{HSxPv}=3K&7zr%MA6Jq<jM
zVIcW{pFxuWv`D=J%#UNQVt*JVPf;p9k+7;S0N+3-%Tr9KUqsGAEm%V}o{>ffA0Xm;
z2z<s_y|~;0+~o08J$GZd=pss~8~t#DFiKx?q9$*pBhS+24RsUN^AMwqYVv+e#ZJLW
zL0J<Wx`L|vV;Dw;k8#jIDf%j<YPLnDDZ!ZkBx|0h>Iwe@JEqzkwB6;wie#v?7%Sdb
z1Hj)RB}osZ$la(JZt@a0=#Rv?-2`(MjOY|Ekq_@d_#;2MpNU)<sjKwB2yI3#d?uw-
zUm8Y7lI(&adN4YfG(`gpIO9@ugI7Ai{9q^D!?8z&4?;K`$6ojm4Ct(d-=XAwlD48x
z8-Q_g3%YVvslFKWrSead!NX{)mc2Ie6^zJbSSdZJpH8W*$6Gel<gpkijX5#!qzgb{
zA3mOdTaXGdL_a3{*hScLzuX9sArRluMX3Ybf=t>XU*ah86l$?Wb=Z>?v;1aE8M1Cf
zr$b8Dpb?a#S~L@4HV{$KWOSo%QZ-gkG6E!9AMTPpm<s=BCt<R@hBE@>%GyKf?(*X3
zbDn41Dcba44L!>N(%6A;XiXDomoLeyR$#PPR$I>oG(z<th`0IS=Fk>(b~DzRSZ&=Q
z2aKmtGxx_)d^b8k2V<NksIm}_2^RC8V&zuaDyGmTTbnAC)z&YsaE$LLRoz7hq00an
zl#dVnoi0X19c|@td{n&Lh2L2OZG4GvIIA8qEP%^lK@xTWT)j4#)xEg9eIv>Fno_a{
zd&ar=Ej<x6L*9+K{g6ljQTo46$J<-}UAd3$1}crY$eD(L&zSb1cLm1#B3Dma`MNr=
zycERwC(QtQ2N=E`fDEhxLFiu?h#Z7kq=_fUvPOsGB?}l2QSwzv$L|4*WS<=aQA&Cv
zHNGbYaVxqdOBuV-G9NH5L!@*+yp<k<qrfXTPd!X9@wQ%cEs)UN^^j|53*8OKz<reb
z@=DDpM#KAqlfg9~60E~f@suvQ``AwMys?22XIs?7%7+mWwhy{`rj&QX@RbMXc-hL0
z>mg<gHKW*x?j~U9$>f!+g{M+2{k(x;b|j_n*$kx6T`(f+RzmKTM7)oIiUS()u@y$e
zWaPZEBUaxL+%^9EYw#A5za&mx2zvKD$ocnY(pBu;#4>X3CM@4CmKzWW^*HH;7h#01
z#;ETCG$NB?ke^XAzd<B+GUnqkO5sV!#m_}IUXPFX6+Kv%jlSf0bmK$Qu(Aew-Z%R3
zy9kYfj38|;+Je`k;r)qT&`Y0h9wG&2Kw|49C6B`Of8CATb&yCpj*8ppE%RD}Hf|%Q
zdeoIH!IArPAEW7fh<TkK13eBbZ>JjH&qe8?K61L!OR1%c-oLsYIekKToNDNibmH(K
z7xrN}u?%R*dkE0|C@vFnMHsjr;D-EW-tPic=?S<DXJ9mTikKfA0%T_v<gFm-JO_K#
zJ9-eYV#QO6M)(03!NvGZ9uL0wC21ho2YbOo(e-Y}UT9Ao6?{asAP9oUMBpapb|ZIZ
z6MoOYN_7DxgJ(Kbya4l2JEkfQL@s<HYLRO(8j`zVcRq~BVM4Bxgni|t?J=f?QJzjI
z*o|%%-t=Y|p3{Ze_vpG$#fNt#Y9(^g(r23JY}z6}13dC+5J&5f(}O1Y0BU;UD=5Ud
zDeqTHa+hP}aeAg&{(eL+!-2`@nipfVbX61CxZaKr*`tc*H)AvlEAh#2%WrmqFAHw;
zRt9FY6K|$Gw#24mz}?`&Ko}C7Nkr}^8sR1>nMq6;Q;1EU*P{P&FopI3WcUXkVXehS
zG>&kh1!&Ru3P=g&OQ+LjoYjHwexOP|gb!ac8s_;J4c`x-k^>;-R{=1`7#4azFE8+d
z`S?ySe-1Rgs>HT~)O&#FJ_m`&YF2R|e)aJq8DX7tKR`9mA4ctzJ`&rBfyn;248Pk;
z+e?_&Cv*33Cor5K2;GDEVz~?{?*VCQCUVhm190Uqrq}k$S$=?@3!p%052ltmATkGo
zhhZSL1p`I%)3AIWy87RKOY}i=1b*G?5s8n3Q8I~=k<o=Ixgbe-G2r_R61Kq&8&1gg
za6`8@;pl`QF!m)Fy`QJb5Q&c`K+hv-1T7s^conE3=OXOCErXOC+=%(hU_?r2^M2h4
zLw4BsH9>^sC{#3+Qe*;h?j+vyiMHGZg4jZYi%)YA(W1?8cZwAcgUfdja{j_JtXRER
znN3w6Sju1SLF9IpD)*scU@;=T76;t@dlBx%TTm`4JbR;2EyJSpaQY)@QVPpsQ0497
zqrM5uzxs%1Bf9Ygl+0-il|U<iJdbo?^bC5&Ee{RxOw>YGAQ!8}ig5thh)ae_PHG|T
z<#65d9ej8gA;dnwO3{HqIb@*`>H|<&KBROqM!gS$#W>3cLz11$Y5=4YA5jxVX;%->
z4nf#B00TuA_A;m)0la<7lW=?!_S|=)Tety+u>oPDfE%0m;yRqmAPhM%>Z`zBq!$r=
z#Bq<3(wi_U`iLziyJ_1@`(KGMwU)@2gJodb`7MfNIlKoCqs`b4wZyqWI*L1^fekmF
zi@kycIP$LO##>by2HF5rl9f)|=CFhcDt)3&4in(7Ix%$_Bs#GH-F+b?*<K-Zw<&k<
z?uL4}+abn5a4YIC8Xnq+smI}lhLPA*38s?Ow1xAQGgJ0<5q=I>%&%z+Zs?}-R`gPO
zpZQj0Qk|PaM+HB?=)mKMtV5CUXc%YPAT>m3lp&{cRdG!Qj^v~j>c>DdeG{lo#IGUW
z`@{~gQ`#Swp@vRMQz6NDQYyt|>@Y~xbA(?Y2hGAa0i+)W;;sTf_T#sp1mT!mOed@0
zMjpm*WFq*go&{gQACRi&X!Cx9H}5x?GA2_kz8aCr1(fvq7ke5x_c%lfd(yzNF+hN`
z>KHyV@LMV;(8T=>xZDE`&xersQz2Z+;cnoWvy*E4IX~v*5vAf6C;40IW1OB&sXC4+
zy^Wds05?3Iwpbx;#_qLL55h`f_a@XP^kC%xpoNd38hM@<0OdEgAa@Ro$Zp+~WaPw`
z0<!cDpheo?h8|>+=o^AaHI~cm5c4@gh%Lr)j9V~{Zw`$5y`*G+;eOGG%Ti{1M1DpV
znUA;7I{X%1=@)MRH<sYYysLryU4lj^4HA(xJAM+FjjRqPQy1oa>(Pk5iAFSvmB^1_
za@vI>J-qcZi7^!f?)%fx^`(LIqyVWq4z<GPH{wHXIg=CM243k!?ovwCYZ39hhxuqu
z1I};3a_Cp&BC9ERZlR<{wxJIvt{`12pIydJ0<-SWNX$h#_YaW`IZ=e>)I;R7S-l-%
z&a1<+k5X7xbmLe`CF>z`cW*#Mo|B^y5a^xG9MwnGhT}JIBIW}plI(~aY>H*CO^!#S
zR4xGrmapR-aDO5PzCSYP^9NYNf)Dv|z6uiG;Us9eiIE#zPB#!w2@HLZE0RN7lutoa
zWDW@Qwpe~T!2O#Wh<801_k4(OB%j#yZH3zpS6^9#uR%8%0blZML;?pjqt>5=503yp
z7)I$gPEcJ88JMf`1mxcY7JW!4ewvamiLQAUDJhu(alhsTxI7S*JV8XI0l1}d=JLpK
zHF+=2gSR6W{sczsY%IIwWkkVHxKWw9#iz7@^vfV)NcK>D*$_w&TZ}gnD)}I4#RoRP
z-Iq46oF{{8R=|~qM}46du5;{KR6PN(6l8VcqYy{Yk*wYc<pS>W=$dupx%376nqSc7
znGmA$cE_IHLv`or<5tBagyT!n7`u}DxC2vuxeE%*&<lG(@2R%Snph9M*TlR$;zfMe
z^B>K031*`a8jeUzUZr?1q>}^78ezoIFb>8*G!tlrz2v@ncK}642h{UjV<=hj(9QcC
zdn4lL4pnI6^`blUND$;j05trce(vutgrPqaHsm)Ku{+Qx$m#+{e-mUCSc<+yPOq4u
zuTU$pFlbUaQF`!492F$c2(L{eLpDmWLtP+Ez$kS3$e#?P5;=^S=V3Ikg0{d4>;=YP
zUat&g<1y;n-ART{YrxU_eUNK05RxaQR4&{?c@l}rm&;YtXseV9m&p1cmR(>8f6zcC
zuOv<WThNWn@JhzvCLa#K-HUkRGpWWer4+qY<bJ8AREC;S3S9T^L>_fG2tgjh-FL$%
zKDiewU*R%x1UV@91ebAnDPYPG!hKp3)hU2X)Wh{Pp;1)t2Sy17N}~uTucTAtt%nNT
z1o2#shVD?$2c1N8a~;sq(T%*@4WNSpr0#w@rmmuDRAV44-58alvwsS5#dBR4sKHd!
zjU(Sx4lKWpQGHL7nnzpF*R(}$LBpsZ?Gc%8(LIKMbe}YYzX_7gxe*vgiAWPjy(_>H
z-IH-;PQiR=8wT`-8$YoNwUcR!RDv||2Yv&?F%X&2jiU>&9QTXbewd2f?ZnD<bSo-R
zE8o<E#-{?U3Q{2_sMs@bjg<^meRCJ-ry5#9Sg~8v2vwG<$cGH6$UnK0i4NTgk>j*}
z1kg*QKGJy}=|iNf8B^b5G;&S=k%*7H<YTJhEOB&OHa>QyBO=>-T$TcF8r9MeKC0wE
zuRAI=11piM;p&ULz!*E#j~Gq*i6HW^pLpBQ@cr6=#uqRmN8+Q>gMsn|WJ5m-`BQKc
zzXx$N3U1^CLP%C(v~U8tr6cGCk4;2mX$if6T<mce;c;o8igZCLAijrtDapN0nXI<@
zc}8D4mCh24AO>O=!icU4VDwm)Irqa@)+@C~Zoosl<Qmvg6Lkdbzn5y%C1f<+?R^x>
z#-%ul)HWd}J5#6*m!WPfhhK3(-hdnaC)LO(L?U|%_bxxBWpqWPYa3SNHNwCi^_Gu_
z-V4GgC5ie;GbGiD&7vm9nb0yA;W<r^*8voDz%XUkjV%F7JZL9>FTst57()dI;a8t1
z+)p5)?}Fk#!A;6Tbu2B744sH`{}c6Cc@F0VS(HL{Ou5&0VNWj8t7^JIFsTQSvMNWT
zPUK`b>b`WJN-2DAFMWAGfZ}pWtEdHr`OhHL4IAmG$LKsyfrGXU=tky4+>09s^#d<P
z7uMslH2_0C5{rKmP@U0VyHscY?`Y`X8EP_kGEY71Bg*Y~i@Y61x7JTdI>kM-i?FIu
zi!BC$zP>B?7~t{G!56u;iD2sRQ6`tI;X-=Q{VH;W)36uLM$P=P4`CT_{+kgo3(znQ
zsv}JoBck7kxnJqR)GytT6)R}lmr~Uff(g#XK=|4q&Se}#_VDk@y}1OrkOeDoxy}zB
zj!2{hRLOG?so0Om6StzP?=4F2#Z-9|uJ-^mQa=2KmUyx3r!BM;K%o^_34MWD!AwZ$
zbQcEfV2-S4A<wf|aw{g(Q+kA<oIHkjL!aTYJdRw&KFwg3lYX@x0^u$!k4G*3GjhHM
z;p!Xa(zSi8S8`ohzR^h{p6`Wh$AG@_aX-+AH(9ewM|LwJ{8$<2!8_6rDYUbwF78C+
z;2yYgB~Xw6b9o=Jl{_cj&Vu1T7%M41!d_V;3J!o<egUQO3$n2M2_YC6A?!VaDSZa^
zUH~A^^A5t2ZPxr8;egl+FY@E<YkU;ni{-LrbR!L*O5RIbWE>^WBbe96%b1*1%KH(C
zJ&u)v>VERqjTOJbo_;XVGbOMRzxqfQ{FmrH0G9CQ<VD^^tCFF95WL`ov=N~9;UJ}L
z>6Bzq2o8s#FPzJ*IM++F`7F@%HEuZKpmZE^g$@!Hz60}-r&mI@a4{WC=V<C)50-*+
zVff$Z1-(4ol^%}|zcYip$O>F!^Aq5^STTZPxxE<#&r4V`_+#?MI6eoYrR(7OFT|8y
zseKnw3dk0nYT@y#;2cEsnKd+}n_+Q0R*D<}jON*}x6}z1xz8@$w~4T3z=+DNLC{UL
zY%GAhFQ67HP6z#5KpI~FEjiLfY;s!Had;m?&O87{?0gKA7Gtz9(FF`SuayQi0fQI%
z1MjHf{m2=O7}bve1NYvt?Syke7&yf%1k2tq-U7!XS1<xB@d`@OL)lKMmXjg(FdrIk
z`ib%q5iUeHT8<C>wl6Z;&JgH8BQg<@xqE=Ba1)mGMM^=i3!_1zEc+6<<Z%4zH9Ovr
zw#%>QN<{SVi5w4CA5yFKcha^75wo7KQkMwQ%j<-IFHr%b_?dKE{(?)rDi`fWPwVTz
z@Z$eh+<8aWRUM7~oZHo9$-NM;1DN(`rnhtZy^^l3bk&;!#>Di11EGZ`S<S{aCX`Uj
z3nauboft4JL6)rIZhA17mSB3Z4Gv&1-*4s$A9G*wt(EuI`rbdY&N+Mb?3vlKXYaGi
zY!du;LR5cqb)Q1jrZ7A&fPjXJ)1joQq{IvP(#_<EUk!gc*%kcDYAR3snvRg;lX-32
zABIXd#z2vO)8H0T%Ma$sno8d4SR77AGE1U!03~??&|89r;^K44N5f?DG9RgVP$_w<
z8$|>=kmFmZls(*z!j2&!{uHnJb5Z|p3>4|Hn-4?s$eS2V$vZ14_l^OS?S#|#=a4Vm
zn{vzhV54#g^wh$lV=#fzN1)fx8KI1R9|>pi6c-=X^cp~$P*B=*-G_rDs3*LJ<`RDv
zKb|b^Ldp%~NXjpTe<?ZYK7@^g^e&0n9q{rYc%_K}C{Kq2wZDeH4?%u2d9A(h0%c>t
z)9DypDl3ukeelsRT>TN0()ZD+?374P63OPTbv+mMl2^7i>5&fI-l}K1bPJDeB-PMd
z=`CMjbda&ZjCd04Ls<gI*edUk4S(rqYI3B*J`HGZPRl&MH6;jnozd(=eEUpNIxd|Y
z;?h%jT96)^)KhusGbZ29L+$rCG5KTBfqg2^F3sMjpCN)0(14TH(UhT^;#A(y1JqV@
zVGLzYMw7ZPt$8WmS_ZwmnyrZSrzlUNztE*TReg_kOU9BTdTKYRP9zU~Ktlag45?*s
zkh=7GF`rs;s2o<zA*8@dE4!?fC)xL^YERwohNyH;hE$aIcfy}2N5!&6v>~eKB^?D+
zb^>N@0{mCsB!?XFf1y-n{4?sUI6#r6Oc4?(YR}TNpgj)$*p$oKj2GLUi;#oU7l!Xh
z*tMBVpLnp5)!=rEkdbPf<e>1dj}1*%2iXio3vhH#$Lb2ba5ZK!jBE8&??9ayWdy$@
zRnL;8Ll_oAK<hkE-Zrck-T7$k=OnM3Fv|G{2^m!OuoBwGu-OXF_Cdux6k&_i2C_1)
zsp&9|B8NoMPM0B(wA1ybD0+4zL-!fHC`!f&JUsxGmP7bco6Jz6Mi4NLr#`eXX<IO4
zkG1lra%h81pQ{uqdc4W8s*4SJXNyXZ_l>NDQlWo`XE{`CxTf;z2zAof*I?OEu|)Uv
z<Zxe4s{58wz@2LVcjo{&&t$k|H|_-aMN$6T742|vl+@dAoXj(P3#sC6Qe6WijDOq3
zKDT~SwE`v{;$f4W%=@T4>!Cjl>rikf4Q$LCF}jpTLdF{_PZox9f`H@z<WEE6<CbG8
z#>Q0u>1#D)yb7qg%22UZfPDblKGLhY%0Sk*5E+|kZ4}!}**2ukNOh$;@NGwHnJrXW
zqn#sN6{2VJ?AGBbOWVtj+l=QEvK0)Wh~0VLwRze7EnVm7eZIR}o^3DcbCe;ysNQzc
zw)0hFyV<M4^k%*cMWoO6{kY92Lm8yBaVmjKCU*;%KGVOuZP{lT_YhFDro3dZp`vO$
zX{~Ns_nA#?77fChg^F#n(9@5Wi*G8g_JeZaVEWvwtt%B(F9}QUYM1^^?$P;R#X2q=
z4DWz7&vp!0fwn=lun7{&(Yc`<%l-;5W~*52`yB%4^2hC*D}WvL<Hu90<Hs}IQG8ID
z076mtree>&sZ7M@J)Di_$|l=HLSKE<SDc`r@2)dGzWomcpd8MK%+o!GGUO7ef^%sB
zYEr(NA>bZ@o(6ezcq24tKLw?uI&R^q=<E_UoXRE`_v&urlcW)bfDt!7xpqBmdeoPt
zaNkUuE_&R@6rudK6x_Am_%!!YvgIv=4T&D&SYU#u0UgzOc-lM^+0cc&+W;Dw(Q!vV
z8#Q-E*)uC!X*2+%#$GIvzdNtB5^yPnkLyA&Bj1Ceg6C-v1<x~DGQFUf-bKcz1M;Vy
z`!MoK{KU_a8wZTfZ}{^NobH8&yd#8337zQqIYRpmgMhD|B7IA|fNi|G?{WaFL3Aat
z!g8)gB@++8d5oXNx7^t<o(>H7TZo$H_2N*(Hqv2AZa_+nRWefc;d!2fsK)x!Kz<tg
zPJOHyNA1}QAW*O$T;;v#GqzSqn7W+5Ah}~&2dVQwDY!8TkRP3bN3sB`V}K7k0pF5Z
zIJq65!RZM9kM78($60fhlfzwx?#-=nV_VAA#;XqzM*SX?BH2S<_-76sXau<8uUGRb
zao;55+qTWu%rmxE%1&PA*CmM72^Edzoc~Y+MI7fr{Cm3qi^!%S-+ZO;qJiE#Q`ST3
z*lfzZ8csEMN@1nf*uHu09Oyj<DLvskA_?OjR#v{KJgystp5|%pN{Tc%9r9&a5WQ#=
zWF05^-gQB0(SY&g4f5kI9(~8n3G^(1)IQd$7Tv26(2)BL47uOHkoyf>heA2~ZgMzh
zMbW8jZE_ytB~_v^8FJ&m*h^4^`JImn7#RbM79gWE?=#?KzuRVfCdWlTPrNGR<wgY0
z?dU+C$T<8ecw5)x!lXAvollZk9OqP&?RkpV(XWu;W(vvCF^hw@zqyhkCE$iJu}7**
zg7+9Q^3dNP2@jPH3?nEz^hk$O1}whKeMs~jc*U;^&sRZeP61^Uj+;Zdzm7sh{J2vV
z@WzftlN!cW9iyJsw#U?gf5M-|*v!zd>Uy_CIz+;Sea6?eD|LSgDP#8`Z_7Yo8vj5&
zraD2}$2xvImP+@M|HA33-%Uq!*zHf%^V@FN?sd~=>#wBVlwQ%6AEYe4ryYfftM|;J
z?dQ!KKoPWn;g}{wui0rWq!CA!4Kc7@PL-7}1|>YE)7aT_MX&K~OBV^L8%jX=jH=KR
zwEi=(;+Cb9(Rd{}QlIe}lu7qczK4H0*_IOebqJ?_0134oz6GObGWIPXc(#}SvhN4!
zA^Ol--GLB@k0+rj&<~K=#@Lro4qnYud0w1vmy=rZH1zzFIsw%*9RDv!Xn409hGYN~
zIWGqHhvF21_hTw8=kTp!EL0j#YzIYVfD+3<ZhQ_9%Av?ql!S_p0QKV5<2TYs;zJ((
z&xM}#AR<@~^5j3Pi@(`N$x(BXBp9ND6X4!D2~z$A?qQ9$e1kAGhmy_zDc`E^%0iA;
z!Hd1R2CgP#1CDApzU}devfmsuzDrd?xnYMFHoC}RT`_mqF#VgzQSul$!nX<sr(u81
z9rJnm<66MGJe4+up?5?-JePDbevt`?D$!(Y9to*mKshin$kV<<{0^VQYs=|T`4*$J
zMZ($xyhdfBEPfHGp<ONkUPRcN*V^j`D02P=N^1bGZeJ)j-qlW#UWkT&)rr<#a`Gf|
zxnY?Zi^xu_(&L4zlSybemxAhLJ~2{^Fp&cw8j&fLNPWBUUGKC2<X?m5$i<L~w3014
zbr2v6P|-Shy_js#9=M84YzIstHGV#+@k`t&XG#<>mAvJnP<wcwgun93DKc>cL@P`P
z_&0k1N01QPNw!Flm(*u)s^P2Ps^P?bBr^Hda2>2Q+ztr!LA3f;9c24x5WFvtqvj(x
zsQHK@>nliYTHlSH%PA;$eLFe!4MAQ^Ad<I^8k8X44Kjm~I&%Oe1}VIxo5D+O0i{&*
zS9(_`uM$)tS}+$pnUqM}6Q+(%Bu7hv)Y1ZSlpa?`DtjDuHN6inrKd^W(?BjgN2J`=
zkG#zSPJ{8X)8`tydM5Q6-^-o%gjWQ)!6~(n9734dKAPlPa9WWsmiVv_#*gbVzJK+v
ztH`?qiOL?L@Uk8#m-WU08{nX9Bjm#iJv_YxN-X7tp`*aFnt1X{Z8epKOrzy2a#YIL
zCz0PpeFUR`O&uVwSVfWJ!AtdLqu5J^sB=+qOFdL7oqUUL_L1#Q*e$yWP=V7osy@ns
z^8GntVdSW~94e8cp^|u;hMoBII>1&`m-vF$^2IU0{}yl;0+uf!Z~4+V;66~wAC%We
zAR6$Y&e+coCVDqSW8d<WI0Ysfq$M|0`%vuSQW%=eYg8gDL=E!RO4nw+Fb7`7LZxN~
zIsCH*c>2l>for>9?PQk#=tc7(5d8_+qT)pZzk*7llBeiF;OQaiRGe%rUkQrrRZE1R
z9J-IZfv3VyIcor2jf|48lBZDBJUG3d*Vr;pN@OB0cs2>8ecd3JqrXJF9m;w5gR+?&
z)YjpGH(O9%hF--1<h3q?@%S_bEZS?7Z;JD69RwPlCp8!v1Y|>{?5FLfvHDb6d@|n)
zC_qig$;g)c>40eli*Q=WCdlhwhn}uZJPXm(Phq3>)CfeQXuRabRj~FRg$JLB!QWyM
zs>DPin|z@B77c~RQd;mDQY{JY95Ub_yc3>7`wa1PQI~1<%6$p`eL!wJISVQ>>0Uk)
zb_2aJ(-Dn9uX+IGlpKK^f$M0~wfpj|((N-HJudRb&Y5F6^@@wytr64N6Kq8r*RF=1
zEXV|IrJyR=_7TeSz}ox{Qa|IV`6*Zn&75Pp0&A(6z-0rd?#xcp_4*+&StqyBHAv+J
zk3{Hr0+i^zF?4Vw6;N^OD!?5+z@2cVf7^lM(O>*4w2=xROz<HJD);we-gzL`9R#wq
zekI_6IOV2DsF&WQa#bflM*1xU<cJkfc*|6XwsZm_vi1~9hE2Eib%26igh0HEZ{g7(
zSC+a#QJ?)uJCt|9q%}7}j(JcC%6dikgfOCRfqddgo-85n?}u`9?-F#{5fwnq1fw1p
zuU!RK@Aad)-XV}z<4aO!K{?jsCdYAurn_eh8c!|q(kdpCqegZXmi+|~{^bBvK9Ov_
z6jZk#D0Tbg@%oP-@~(hDOBIC&4}_P7Z~6fTfgC!fg9@D`$kNG$#|f!@+o^Nek5u_a
z1oO`8MDh&~NZtcp;uQ3p2!WTl13bU%ZmW?suaa}A^T^*~sC^NX%OAsKB(EWFas)*t
zC-W_N7&$6r&tgR=ZhG`$<=A<U3NAr)wX&X)kUFn8e-NTeqL9Cv*W_LhP41OMlk$&~
z6w9{$)-M3O+BtEa?jI1qYuyeKg6p9dtnc94<ssC0i5LDZ88SW3N8qLE=V8DHoz&$R
z$cLRP1q_+qz_l=0B4dlNuv;qIovJqq`NDS7+nbMNH_s+-?3;E(&Gn(by`!d2&%Gxv
zaKl=JB7>VEi0~o>ReA-Kz*^&6K<Yh8tC8+K@IG2=-T;-*NxWL4!K+x^LAf$@ABdr$
z)ct^{UkWNjtavbD`g-KRdEliebvcdF{D;G-Usf8TOQF(IgOt|!VU*bFqM+qN&|3_F
zinZjZ-V9!FwHxH~Ljn*hK9+J@?)N}+B84}6=`pif7RBJX15%Z9X=;^=sK&}$V7&6y
zxS93JS~zH#jY;`s;9qk(rPWuKKwf-e?0d+k#zH<NtMygAYXNfqYSnt;0aU%R4m@80
zAcs@p)rC}O^+?W|SC5tR=aUkEDOhavehUBxl>-hh1DpVrY72!`%T*ZFRm?b4&ya+(
z3gO@gUTaRFjG8dyYvS^BIY<0!=0U1v0HQT(;jd;rRB9yjea**ZfX@K6C%*s)vm>B3
zE}()OwY9l`j&8tx^7<f0*=t{eUhUtD0bjs<?LVPX`^^TxuK5_8Yazf_0VrAz2*G$=
z`SpPFCH2yLz!ld4u1CtcKOsWhLz22|5nwq~>YkQ_K|x+Euj>WnWkJ~l8+Bh5qGAVS
z)Mpg{a#3CVKI;K;r$zmt0*=fBoCJY-OI|~gBZk82%Mqr&3U=!o1T>SaVFHvJjzaAX
z$ISzroDc9*WJ6q1E7zFW4YdRXXgD<im_?A4Mh{Po$Gikc%2Pc|HqL;T#_N-S8zInm
z>wLgNl>kv}<2C^@|I+vs<u(cTO`a5B)H=Y_T)@GgG#v`PrXwWv=yE{ib$}W{X@L8t
z>5_LAl$*|mwWbTO*rsb<0L+tYHwgHxQ2CvtKDYt!XCd&I<ak0}pOM!U0#*s$S^*N>
zsp&<;Z~8<MJ{Pc^s%ZMB<k%^^d|yT5^deSsHm}Y3WoGv4BNy;Awg52UWx(OoLUR@L
znj4dVQz6>S1eDRdH5c$j9^jt|T1s{~U^I9w$5K$s3Fy8>E_G;`j_zB|mxK!i<!1SI
z8)dZIN#2$>P+iM=6yCCRBuy>cI}9vSTAsY_@pK+dGQ5z6*zz0b?SU)_`kFYC)ac%T
zJyP$6iY8ROfnsa_mb+)Fji;3DSNlmLAZcFvn?BhE>621c*6i6@dzRDw{nuIDQHv2e
z`&l0|6Mx3J<y?jjV}{hs?U6|Yz2Gh&UT-+Y8&8qra6F-Voq(mhMy0>B|JjwOzYSNa
z)1M7tq)g8N2t9jFK_`uM<sxIISEo*MFZP-F-ru>I?%1aj0@-*+ouu^2#HF`;F3|^W
z3o$40LKc6On_KzmUyyAUHh$bcjHgqWljh@D&1csmU=#LN{CiBm`C^AzxWNdUBT^s1
z+N7f(uVL@T-JQ+6%IuBgIFNeNB@KH*Qg4Z|FNo0z$x(;EmAMgT&eWt?q~XcDlcA?m
zj*jy-nnl<AF@R#*(CPSP6|6L5UuPDFQ`qjftI@dkG8pnbG01`aLsl_^v3-CFkY9cK
z-VxWP=nu1vzs6|f-VsCBNnGz!xE&AK-GnK-pFmVk^#%w`16d~;b1qy1f77YtymPNZ
zYnSJc5Q55>J1KX3ybB$?4I8=dtOa}kO0G21+|TDTuW}f8dIg6@($<+u4U{*2ODUXQ
z6G3&SkauMH8lGOp>FeE@>1oIogfZrIz|a$@Q>P)lMbJx6InJQ)q9>3oKM9r5pHZP^
z5TKKa<By<lolmsyjBuDpB++V(QT4*#wt42LhD)F_ZW*eZa397n;>zyf$-)V*LsTQc
z>7q~Z*Ey87REi9HNno<jC|n6w=G7RmE@C>z2F(#K91PESI>X0Yy<u#Ds39TMjD6<-
za^#!Fo0I>AVu@B}$QprbK%OMZmtJJ#9MQ_tn*d!%bM!e7Mi#@2N93Cc(1^H(1lrPD
zXB>HaOHUt19ei6Vz{NMmFC?49zcRdl^qQOm!7?ODl_|z${uSVoz*B|<o+@?&(zo?V
zoJxl*kr+<CIpnXyxSJ=vZ`SjQh(CjGP6@g+?v@~_$MclF>tjkUPZI6O7%M=+4A~3y
zM3ym&d(Ly1Bg-XPqcOS79LcLb0q$v~qBfxHz&KLV3rjy<xUpms+FrG^r};Dp^tg>a
ztWy?p$3I8~c;`@;`H%86=^=P7{Gc7q9(SXS00yUVi8EH>bW+jwNH%%f`>2<)U)32|
zGOcN6v)6=mebAim!cLFr2SoxC*?GflaGEaiaS{TLwE^bx&3}%(%G6|r%hkzDy{9!&
zK&mm?3EqiqP`-ioVYMQv_1S8=a+#<odWF|!C+ZA6!?)%Ou=eIFd2PNYdzhDKBjz1l
zmc?jTX8oe=r0Nu~GFiWvSO1$Nl*><px49e?F~^3RJbb%}a*J{lbfC^0z=SSxSZ-1S
zEo5sJ2NipI(45dK!qoVqB$!Ux;Ei#(YDFa~VEriSt+}F%POc~nYga?c{|3nZ?SRli
zs6+!@3~P7bj1mt(+4AwNW@aa&S0BQp&O^3TF7#4Y@|vx!aUFTfZ+64MB`cwl8=>4I
zVXb*H2`wq|T3<u7c_Z}dWh`&*jDcLhtK(PT1@4AkID!&GvI90e8_K~7ax}>3-?a&e
zG=6N2{EP;&0f`j@;LQm#E|Do#oeij&2?x3wX}ySVQj@a2flBZlD5tKXjLNsjTUFwr
zpcBa!nCC?=^23(4wZ9C)>GLQowKq}*x5I|URSUJwfrBilRK5aAYT*#S4`+#Dp9Qbt
zf==4?*es|#5Bb8oB7D2g1p)tRp58*#icbV@I|+%4DJ_`fTglU;YUtgn+hM5ULZ}2j
zMg&KQ)Y_NBh(Ep!4sL+d#K{oQz{_Pfkx+5~$nkOg(3?r#{EBvRoJMumiuu$OQorRV
z0+O$FQN|JQT=N)2NA-}c=GD32-5}=pDBr3|eK3Aa2lep*^nwdYFzOd6LpL0x?>qhw
z#_P7Ysmr|}UwR`?M#~WY8uH87ytW&n`2!3(Zh}<gHY%n06zGNSC0ptWkW*KX&H5g^
zpv(aj{RvH`WXnzHud66mW)@v%bfE)T>!{w@4?Q2q8s4&TFT}Sd;<+@&U}6i%sTV0c
zvDA%}%P6gU8QGF8i0>Z)FV@ipa*}L;Eq&m<OF}>_Hab5@f`rj4Squk_N9${VZ`G|r
zuZ^dNSHi}&K3Ee|)_8M)UA$T`Nj1r9Y0S9qVBEieY~fvyvg#ekmLNy?d0yj>y7;E+
z$y-P$dCN({fdX!vgNC}mOWZEtU0y5RAt53`Ga@^KARin;!23u@t#JW1pvk~4s04O-
zhFylYlvKBmY`W;JjzWEyy%ayO1Lde&&+vrS63Vb0p5K6!y)LB9KnHgfPf&PO3gohm
zK3eU;;Ay~iOTOtaPe)|Y*?s0u%D$mK^seN{N2L12@o3j!9fjIQPUF?~#TlIXXOJ4a
zst?&7&&4x@v7t<4>0wni`@W9Q9V>^~D9>#l9v!MSG=7+F<+8V9d7ecWC7Q8|!R|>^
z@_$vhqGW0)Pb8A@hMhy*jrMe-4umyb&r>xiitXy{<-N3nlF7of_c=;*AdNkJf4t1A
z_)l%4jH9u&f(NL5hePx%>vRw`_g&XVbIvdU%SE=dFn{Q!C-LyAM2(MWZ-(TZDC^T%
zGa$;qVpxRYM4!3eOXXfZ$uPioF16s54#=^YZw~2GoNv>db+D7$2pjobpyVA(g0W-3
z++Vl<j9U=KFvTltWb^#@!1FZpnfovN67CBlRFttH1j?iEqQf4aoXl}A5h{~mciaK^
zM8~Q=b85rZwUA#*g0F-eBfgji_$Ee=vkei7enR+RU7)?Tj{7hc4s>zN7T<KKmJ56O
zxmI?NO=t5T>4Ngl$m?c&<>=mq(C(#tOYcI`Yd!Zz!1Mq}f2NM0G&Ru-+sLp<dt{`_
z4&4E#>HS=yzo@7#!_YGb*lksf24$NEtDf~|Dg#;j?u;UJ(~9R2oVg`S-DweImAg92
zF<h&G0XGS<|4(bxDO=Yp2O}uUlpJGt3NJwI^)I>P37#zto}448GSYItI>3<b+w0_Y
z1wQudLHyNW1-PX$jKOk)QgaYhYvo-#+zDGI-<p~jzgQ0Q2g@GiHxJox5M?wUkAYZH
z)4IFOlBIpiTp`E+?Qtww>9;%r<bEM5+XQ5-K!m-?rUA3<MyGl<7W@8BWtX)P3vQxF
zB=w<Hk-e3Qw`<k-1{5mKJalOB5Xj?r)tzU?6BJ}P$(D{;Eq+{EvR+)`y#>kBZF(P+
zGw$Qg;nXa)yE|@s9A0F<V>;fy=OUhp??ZnY@85g@@l}L^H?g`L>3_{9J21x!i2i-O
zjITyCu=QZkdCuW7GVH)M8ohueLlL@lP0cYK;QzLj!{XcKXvzPFO~rvDbKJNJE74mB
z3NNOPir$8yj9x?amytJZ?Yk!og6n8oT2S)1EU5TVldbHDhd^0bt5}ML!iQo=>gL?b
z!JF{QF5JzrWE&@oKI)*19tI*s2bW@h=b~bdc%(_Qu=XM+PwKv$vbyBGp44I&1k`D{
z4f(S!L(k)$Awiv%@4G>=<$D-GiRa3_8v%_A_~!ZpMNarIil;dv4v?9}{010O=QdW>
zaGmeN#t)7RHJwG_>b@qu)y~sgrXtjbnVpn2{%yV$o<SMKF88qenv@sAK->dV_w-fN
z??f+!uf`*dJp|hr@k;@_om){hRMgh&ickNxh>Hx#I3isYKXx*<o>j#;zs#ZH#no%)
zpx^Y@SN}c@4+&~HdWVN@Zqe>ZjA4&#=|0re$~XD@RHJc-9J+%}`xGrBZ7RF%KutjN
zDyQ~t5xWnyrc;n|6%*gCzglUreoRHb*|KH)BU+0^8{NSlRMNz&`pMw_5KaD?YP2pA
z6#2dO-HuAMNNpNAtYz07DF05AzNIUNa~R!D^Ax?_x=_ya`}U>=<&Mbo{nO(X&{65k
ziJ4FBr=zU@w2i)d6v!yY^lKS=+{v(ela8{h7fd7`Acu;InoR$SfMb|(<yo)l@XHqD
z;3PnLyP|A;)@oEWX(zJB?$6zt%oy=#ky<Gc*`}-ef^>4vt{yE?2Z3Q3_`427bvke6
z+kXxwFRQ+KytwFenuc=V-{~?#DrNO&pr{E%WpPqji~b3o?P^r=#@9|dDw)&Li&dtN
z#6=e9C~~*istwtfim3NdD*x(WgQ~<WKmEomEVf)W<Ap}jR;%Ujq$v()lzox$QE+eh
zK+)*#_OL7+*!_FVyQ+$+b*%=)`g<=L|B(5*)Z7L9@i5e2O9tOmK$XpqxuC!_faPjs
z=+cF#p=n9*oP2APkyib^*h|9VDG@2-^%X>o{J{k;JLZ!2Xvr(nMTu_`Fz!KX);$6K
zV!rGJ`PG#??GzL-INi@x_Iv0BCxsC~rj=sfh2U9cl#)BTpeNRDy^hbZ9Aryg3SMKF
zYE-rRXYj4!oK8qdC*08APmaq4$jq2Eo^PeMqoLRobQLi9mJ|n-4u5?uMEzgzt>PgH
zG79LJE0@7brToMNt{@>*45{Fq6xp;zs`feL4Ibx%zb66u7ZZ}B0qQr>o!4$VO}iT@
zQvHjvtA{5P8J}oIdIWhy9EM!Mb~Dy1qte{vypDS9X8i8U#k9+PSP7Z%ChG<hPhe$5
zFI%zut=KDlW?U)j{`>Ne#JumIetn{*tV=2kN3S?RV=Z#18`ewJ;na+V76I1nT0K0@
z@peY(l%5EivCwZ3UoYlzz6tk51|Ypp@G2J;aaa&umZQ4dYf-EY?uu`rk8-f@0MI62
z4mEpxDR~<cW{H&>FiU!h9cC%_IhdtAQvzn0b)ds6>ydd(e!9#AZrx1uJQXm@{cb={
zsY6T@Qrt>nCM_8cg;RZIvS%JSn8h|LtT<d{`v+0ZZJlOCPfM#=Y2`S~%AWmt%@ijT
z%v8@(hgoI0S`n}lZD_EahD+y|RXz6v%<9m_UbDJqGgQpIO3fN8uhp!zP670c2$*%+
zLonty>sD0sn)QUuH|u+14zqzs_+|s%%xtup0%l{688DlyNv&qnilYK%bGS>m+Jqv)
z`v%SC-kVy@mSDWsY*|s+YfiTg0`!dOHGgKwKl_ONP-4zSo#xMas$0!di5qX8+S3*=
zPxEgel?i9_v=#3=%o&lt_L?(#j_);3Cla}N`idi4&6x!GHfQ!6&}*I%c&ODpW7W?C
z=Fj8jv>I5VfPPe`_r(4Ge|6sH#IDBo{ok<mKQ4k<(_^ddXsWS#O$YwKiwOU{CL`jX
z6{Y2}Ag*t78_uW?tJ4)MyFUEV8vPH061f={{@)Y*&r|=$6^015!v15^`?u`=+l2p@
z(*Co&dkSODvPV@-rG2z+nG&%7Ix;-Jo#2@pKtp?u$jmd_r_e$(2pIAYt1~R&LCE6{
zhqL)-I){5_oo3OYv-Z>Wu*W84k0--tlFi;;tp=CgV=c=`HhEQv&2D;#E!TF1kE2Ts
zAB%&k$)yF974n)e=^?@|)2TPL)6XQFc;%W)u>0s$m~v%noKzXGq_y#+n}TFtU%70G
zQytVE>|rqR!XR^k%XzAmAE)UKUQ-uRP<jkf+ks-GA1rx?ggTjkt?vLt&!91tyxI>b
z*~1d3Cx@;H*T|-yvUQy#OhYzXFM9b`&Ba3$xdPUz<aa3`BcACFa>Qh|wyq@tm6-#O
zpTReK#At2jTf#xPl_!f>OJFGU4+w;_06LVcyfzE*?-3LUc2ao~ua#C8Ovd?^kS%G}
z8J!Tll5g>qbd@35iItl99A2d_7b;EN6n;A8R$fgf966oT%HPKrmYq%EdK00p?5XPX
z1fy!m`0)>~E)(fEQU7-2)iL*+LHgCNp{#jzsGHWVD7J7!2ZhV1O2uj%MTMqht+J{O
zCTpLQr%U0bYB^$6Uj?X{(#4qTOa<_ql3|`+Gicu{n7&Q$DZ2c?F?oR53n6eA+aPNH
z2>JTjwGg;;4TX<{tKteqD8)A+bg}FoA1P&w?iMf)%46gl^Oz|D{ulIgIo&P$7|l;t
zF&@1M*>oB8N6iXhe%vJ8Qe|q-(TA}dtJrDIR=c+q5u6jn7n`Dp-FbEWO@HUC>>#O+
zw+*W)eXL5RFw>_3bXHe}_G<EWi?Ye9CEAo#*#U9?S~D_zXBc14VQ$1vb*EdNG<!9E
I%|?#@0(Zjr82|tP

literal 48280
zcmaH!2Xs``*2m9GGBc?V0-=T?iYSVxfMUZtbEnr#dJh5?RIDhrr;tup#4a`z6&1yT
zVja>GniRXJ*q+b+?A`CTPk2UM?|qB4_Bv&k|K4Yxa?iaJlqxv8RVnAhWTmPq>`ImF
zN)ke;Jk+67WgWf#E9&VT(xg;@k)o1}309S~=N5-jWrG7s#s9Tf$P%SoyXurOzi3d&
z&dgd$%Mr_KpsoB-+7jo`R#MffZ0^%UpSwZXT8e4&-eoFP(_>e5BdtZL;zFNNZg+>W
zC+5183OeXD9`FJ(+N@M~JE+WfvT_(F&|9<v1kQe)kb!iRUffOZX(=eU1&_R$jdUE~
zRgQ!W&7LRGQZTN+QjyN>z}@18xvrhIXFN((+_ea?XCXxs@vUeMvff|nREqPdT1qMS
z;lD4aQWBrFf_@KT@vrEpXirtCiE&_Y9)w#3Uc`ch4Pd#wUZriGhz(;LF1T)Yt8^n5
z7{%vM+IvZxQogf$REA--!jgj1CHHly{>Euk12<4D8il^1QBB0}Hygy+Np(U8FfK)D
zX&IQkA)m@NhNIMc*;Lt^Z*wVCz06btjp?=U9ow!3Cd$y~DM3|W8<<@^=yOl%M<lm_
zz&s;afP*ix8P8)IL%6VzI2ZiXrBvZRDH(IR)S%Lf(m-H<pz5?nHK_9_Ojf>wSWOzy
zs5uBgmG9KiTVyKho`_ZD7^i|D_#S~UP9-FjO<1eC9tHkYR7<?|AeC`*53Eyzw@h}a
zA+GCc)sU98Xm+jbP(uv`a9=A53TKL;&ydL5n=HhJ(xFLeXver#HOweP!njxrT}%?j
ze@UnG63oV>0c<qZt6_<i!g6O4WR0nY8~2Kh8y2hKiRUTh=Xy{-G>GQ@ZG>dF@I6n-
zcm=!0D{kU)l!MZb@Hvwh0OvR_<Rti<H;`-2uS_+<`Kgr%okhUHI|-s|DkYaBgUgSs
z>&z52%2?Q<MztIXpX*wW8tuB)uSRzs17Ezcm9{&;95~&o#<=dTRbyJStm=T4b;7(Z
zNsTo|QHss3V`NTC#^iKL?wbJ_?%o2l!>Hz64m3k%a&$dNJtuS#Y*&*IW~g}?Hfpwj
zCH9m}s>pixg3r4bmhk3eHFj6Ho`AXOaHqRrE)jjBlE8Njs@y?H{ALWfZZH{??_eo@
zqE#K3nBY<ewVv1l^TBrX^@AlZFIkN<t6fTkK1D&`McSODE;TN(48G_ZG@GkCu{O(x
zmdgQT{0qDOdmG@p3qW~c1~2bk^c7!bSK||%h&gu>tNdSSb6tW&`AhIs79|UzS~V9y
zRdfC75F_AHha?U`!e5D@!tDSr{?J3#UE0W^HJ@tv%oKH~aY(zG;<DA_+v!beN@9Uk
zO*IBv)ik33;I7+j>iAND=Gy2boDTul^^#8=zxgJdDSVr%?~`VAy6cy2oH>cA=>$+w
z0+8lefHW_{xOvT1$UQOu>xJcWa>H$<<hE{Cr?*MMxkuxIyW9cX5{Ub8#N3a=QoRde
zEUi;#xHed6`&v4_?g5LPG53t}K@J6<=O{w#IhtP2(Vgmyb`R)1o}ijjFt<g`>3G|v
z&h+%JRcE%uq~nqX$enHKY}eCNi_dANn$b!~uB2p~0U-Yz07YB9jODWs;}ZO>sc_@l
zg>~v2!vIV8&3eNAJ-y*K(H9=jNMhcbg2ZC@%AO(yl|43A$D=4kciYLFH}TCs!L82k
zn&4FzxK^6<UX0z+(_txiyG>naywF5;zTY8)m{xamVLYE+qpgkDdti3eyVN}6Gf3jG
zT9V<NR&|kK1CX;InOy5e)^!+sk>yycxh;umR|={|c^IwLrYwS#iX+1JoEIVzMeC3?
z4mZ_BovUiq#pbu|bc9;fd?Tj?%{L)de6mf=-;A|OTDLAzmpXH;>N4XPdV^QtrLzt#
z!HMWAm0T;`&hQj367mmvW9i+>nm7>V_><yHyk1>yOrToQ)vB)Wmv*Qt5~(ga&h1kF
zFzj^r9_>+A#>!jORb{!2czLFu%(kJvygy@JFdpBWx#U4!7Qrr&kts_~Rad<^0pJlG
zgZt`mbzrhu;9{he>&{M$cOx766lQm318q+d7te0mJg;=B1)GaNP%x_=eZ!^WYxulJ
zBI})kQtvSiRU67=O1eK!rg~N?<U;to7Yob9sQ3P(71Ge8YC9IxD(kkHwN&o{eR#R_
zK3EUgDW!LsAYaz0y2#Pu^eFr_Mj>mALX|O!s1^L&MGVfwkZ%~qeaHE*TSTdR9Zvh^
zn5r%@A2H87VR@BQ@gJBZ1oi%Z0kZf8KOM5(2cE;4^KO&jIRf=X(*Yhl)sF1KI;>p?
zNY793MP|U~`N@Xt*<ki{)dT$N1{8E5>pYp*y9Q7)E(f!BT)nDy52#i3Z3F65gOP5f
zBONWqKx~9h0fuu4HhfRFsD{K?dfij%Rb$V>TGeC>K|$H^053ZpYi2)eRBgAbro<O?
z7+<y{JE9IOn}FeTQFX1QqxfC;Tx;D7<AWHAuQye*QA0=UWe0#Rp~HI#o(Hng?0Oxf
zkufQ%d24k&fT~dymPN~4N{4ZCt6G$|vlayJx2Q#lv1lo*CF0fNAyp3oJe+Am%cmHx
z`qifv8)H3Gudh{$J8^%B^Tif?d!G<HUxXz-sSUCnma-cOVt5HAqc^vxC9U^Z$tFSI
zddo-HR}hzSC)FDEZWX^t#BS<ROU+9$>3uVe?951p^l!%fHT1dybcCk3k?`Sy_i_f$
zcQH094l~u##1vfclSs-~)uNV#c7Uq#8Q~j@AK~Hfx%V!jG?KW4CD>tqH>9!wa;}j2
zF14)nuw=E|d<JIILvX^4fHXZ`N-KRB{|P>mf6H6fxNzo;dbPqCw5k<}<@i=`J@`uQ
z^T7NJV#UKyP*n(U=ZT`~HB((}<h#^02@~1!Fdb#9fonE5sFj9tscVfiI^r*4%_zmo
z{Ee{WZ|qU4j00*xKc^Mu1*E*W*soT#PNUa200o}vB*u3I(eQqNZ{{Yiy3V<VHuuNd
z=p9B3JZGk>>k?M9c+<Po?Z!j3>h{DzRD&P1t2>N-lq%+c*?87eYQ|{4x+9U}A_eYA
zChW(d%9GiFA5Tj4h9tGdC~m<)c@Bv9Y>>((a_wG$ab_!%{e1LA&aZ=9RHxP?R!}Wi
zfoyR<uoT-`>A1{PcY6<`!+RLx8(Gwb@ni73>_g)0`;1cQ>B%aQu)|`y(@}r^au8gz
z0?b=m)#mMFyR|i1t6Gc$T#U^3C@or!4RfxEjWKqRx*)O39mIZKn`+tIU{$ToVK5hY
zz#O}hj`BfX)!Na9jj|g+5P6|awHYO~s_oUc&=PsWP3~4NQti=>TGier0V`hEt~#PU
zF4bvxQB^VpEoDPxl{%=MF!>k&qtmWBTb@CmnMH=>kH#Z!Im9?W2^X>&X&Z`|zd~$S
zI#gHU?poDt?y!P6mo{%j1JEvQqH5xT=SQj)vJ-n6D8*TeyAyk0E?x;f@B5lWh)^Xd
zP-tT!y01;f>2F~!lEt!cS3SLwlde;2swX@iiEzxLdRh;lBd^A*ws_>R!2LDGi|(kS
zR0WH>$^$vYiwzH@{OjFnOY8Bi`0+~zs=jE)nS>3})5ZW~AQsA4s<uX|YSq@wWb8KM
z_!gKSP7;!=wj~tR=;6#p=OpZ!w|mugXQowcPefbP4#N%t|C$CoKMbeK$0h^Zi*dtF
z)pbst+R-y3$mq-79eflR&Y8e)&LqUH5`3%qhD0)FQ!V=h8~&C?s>@9EqIqI1!}Cgt
zdNFahRqZsc#E|=pI<@P?ATCtMEQ^1(2rUse<Vs|X>yp%N-wjlq^(kt1_v<d=_YS1s
zX(ZxSn2k*))pTTQcEV@Q1yF!T-#tMV?mdY&VGbQlTlpd;#O9kZS^27|UUJ@Bt6oZ!
zyVT3BW@H0j;GlmS3If;G5&IYt&W}t+I*pEk=ZQwlMjpgGxEd=+ffU(czPldv^OzMe
z)I-|U%ZZ7#q~ozx^@`_GNTRX@kd>|KRsTMW`}ZZmx5`wnIm1@<+74M{BCptp<Q<Lb
z^)RXYdSXqjdLzCb(lXhl-ZUPmRc|J8QEFU(teM)V_PVwtlP}Z2Qoa}TL8qzSN<8O+
zWi-}2ht#RJjnM$AUQX6IpYW+qjM0ot`PU9uSpPn0KMAqQ>p@?6{bGXsvrT>Kx)@or
z)Ks4)4xr?E9c%tCP4!tK$;wjj2__33N1|%Ahm^k)%+9Nbf%Enb^||qCt@=DM*o8^i
zor9}a5|`!ln#Y>t+FD)mC~M0NE$VmUKJ-;S06ybBY?Q1>QonCL8(H(@B#ScMYN2BQ
zy;XORNa1OX*!Y#$*YxWU!W1vxiyzLH>n#?evKB07wOcHSwHR`5MxSAAhrDW9tch2>
zV3C^>W1X8U-fp)fRbAd_NlM6iUsZro{|7#ht^{-53t}i?T2fy;t<I8W<XSChEj*<v
zBR7?ftsc}rL^bbDKOvsbU`hAn(N^jq(Vc_P7kDe#lAbsaK+Y!9lHq%RlJ9{=W$k>r
z){@b=fvW#5Jc`SfAC6)?e6x+wzd)08OJ?3IJJop*&%R``WQy04`Qq6~__C02|D=f^
zD0V}3qagpA21~!vsa8wBgx6~6pYV#RS@cF`g<yFz1(U_emMrr`mnExZeG8#G1uc1B
zpg!;4?O;jsSq8+}YnA^cw`D*g3zo7PJc^&_VYtUPQ1Z1~vYm}$JPw~bPPWI3>LI1r
zh|9L^T*+n_pFv#WGg%qpXC(<qvkY_|=CTazzRPME<UT6NGU&xd)W_GhT5`M_td^WT
zbENu38wze@pxm<gSANk!b!vlUura_&Defi^DJYFJGEgOJ8wt+cl-%E7Bk~5pDL4Qa
z(bH`(ceV>bL5(c5#_#kx$CyIU;v9om-h=cOK8lv;gXF#UEco)~_E-idT(lKl)Jd?1
z!xzd$B9t3o8Z7gmsss0ptR%}2=XywDY%K`J+bu(5-_jeEqlWixH0S^9whT?YPH*)Y
z$(CW8FKMBa(*U45lP$Tf*{zn`#C<MQ-3Kb~cO90I#(6N8Z|=g7jH;{H3yg#9cv;g1
z-<`<1lJUcp2Q=4Nn(QDD!(egGBL?n`h#CKGr8h{)v#-rEGVu{Mg1=y+aI$F`WgI3Z
zIh!dL>nZmoj8@<%y!0I%hD;S}KQuD%H#;n&Hec3c8C`yMn`MkqWwne+9D;1PgWf8h
zk5tr8$y@2itz(mk>8%|YnrO2e&=pKU%Vc2q=e0wwuVZ9bhaiag?yj?p^=xuk#wN0B
zLC{WM{o<Qn7Eu2>N}*%gQ2#CtmbBU|2X4NFs{2PgFIns*1+2-W%BLxogN%MH0BUuk
z<*RynZ4S#pi5z-e6;{hQV;^vheI`rz3G}+<2Cd}zcFVX{Ih^Dl2sHC$6a?l|ihkZ;
zIoLImj=+n_mV*-+lxoJ|pmUlXYe`+O%m+cib*PHG=dp};zbjMYsWzNmipkKVR;;zu
zS;i+?a3L@QrNJILoB=D=2AGyZjKi#!LlPD=mp=<j**d}=C~*VhG*rb>7a_5pFcn|z
zr{nNcWcPMj4vlZIu_Ic+QZ~B-@&K9xRW{3^i3plYex{nY5`6LM4$B0;JlVv%>KX2H
znjp*UmI<3*hR<E?MRvK(a+tHA#d28dZ!KuKrO|S@`CF&u@V3-i(DT%$oO|GlcB7zX
zIwsw0MXIWsEODRYf#nve&fAiNBwHpL<Is}-ORHsK;$atdht*k*FzfIrc44yRh!^i?
zu9_a=QtkyyO;ZO5o=&z*GDcy|HOOU|lt`iEUWi?voW3f*f-mT8Bg6*Pc)Az9dpilq
zuPAk{BM{CPY?dQkBM>V;onEsNS@RK$n~!)cN489IS&lM|76xjz$8uE5beH95V?eEC
zvVSh<V<U-GbasPfa_0lMP~oI4Zx-s~chKQJ*+$x)h;dI8q~6)dmMMm%)-rX^%MDbQ
z!dF$p$do_UC}bH5CI^J%<5nrE%4W7&jxpj^Lb6k|497-(HcIo^A&zM|4v@apb(Uj|
zF)qtA*HN{WX`64St$YkD6^EOa<BS@s<+wz$@O=yd-$@d`_tE0!%%CFqb(WJ1i`7!@
z{G`@WVZ`7wCfDNXIiyPT>3SS|FvU`_^TJw7Wul;k@s%~({7TX`36l3(2C8P&S*rZ0
zwU(+xKNLh|t;=_|(>ugu`Yp3ll>=^IQ5~g1+VV@K?VMz+_4A_OQA+ujVJ&}Q&{7=<
zqs4obhw3ehAvdEc{{iWJuo1EzX6ItNrMhLbmGM;_tQPGyMm3vo27Iu@-hn0djswlr
z4MeTQ2j*L;nzwQTUL_lS)u?t$jj@o9s*jo=9q<`uo291Z&RUG;(B^%+-ZH}*bEEXF
zEtvca^pVFpr39A9MoO+*TUiP|<MAuMjc6ES=y3mlDyI*UzoX7FqooLE@_#|LfCoxd
z6M)58XoD0vAh!Xxd<Gry_1JJ9z684~C<RVTX90LVjm4;#YPgnabSmp<-glJpE@Bw-
zuUx`h4KV<vPleF3J7_tj=7X&mN+oIq!+F<Ha40MVhr?VDyap2OffQ_klo5!6^Or&{
z5thrNkSj&DQJ5cCYB^>1lcME?E{MEsDR?&x^1ihFGo4jn0_qEo*$H`-R4IHNvBD3e
z<8z`>_$$>SM=@kL){4rJEvlBbO|TSg>xO)f(qb<uUmRZoIZeoUs4Bh~EX9pT6yJnI
z@vS|OwbCmQDt;~#@@fR~b{6D4Y5P1(AQYvNN$HT&mqX;GK*`0ZFU_K@bT|)`rK3U+
ziAL!(jF+Agu*@ty3%=5GFj;y&9+j?;>fO96Ds7iimq=^@OW7bWmpRc=wghWsD>EQ#
z5G#9x{j%(FOqM;H2T8;r9jGeXvJ|qNu$S%H1=&Ze%0B7``S%tf!t$*!|0r$0T+Ilo
zYazBcBo*26jOCC47%CrH067x%<x{pojukQ;Xytyilt<84UXTtsHw@_nZuu4|Z5Of=
zSIZ@7%70)iD^l^JA{ERP<3g61Z%l-_A`iZbQ<hj}Rm_ID;`|iIyd{wO9!OIVBG;M~
z%a=lK69sn)%Wi4=70s2SfKfRy1PLu+GQCe*)ras^eat{r|AvB^BZfexz6z;Z1i1;m
zn!5%;?uEHVPD?e93VA}RFW_oTD}kulCT(wQgS-owF*t-DXPA~*d(9-KUyRuk-05Mm
z-^FAq_|k5f?c*U+<^6~sm7ldyiZ?UM9%6#!?{rvZw>`(~4nLb@In|gBUo6KCIXD?r
zi`__k*lIZ~+EZ&eEwPri(1<3>>8?9nD3CMtaGp(-lgnUzm)84as2_t2Iqr{e5M5)D
z37KG3Dy^Fc=@$xe@%DFS<44*G?-@*re#+2BrV|qPX&@~=6X5x)K~+-yBJ0(lfw=Gx
z9f5~@0D1*4J+(dLWMwx~=(bccC!c`n_k#t$(BbkD67y_e#9ksU`V~&>7e=AR!yvnE
z>m*F0GAY^W;ad@e+<{o{tBN70cRzw5Pd2^&30^>|HgOu?ToFL#zebzB?e>Hi54q#+
zy{Fc<(*>t3Cc4Wzuq%tX@dc{fho+&=AeHrfVsII7-B+SYUt$I1NL+O@EEOG;0vDjq
zWhHc#Pi(<+d2laGrZ@gz0KU_E(6W>cL*A#9#jaybJdCAOKS;Ra@D-g5i|KEI<(WFL
zbf7AhpiQ5Az4EB#m!qUU@CBMts*hmNT_7!dnb7GyIl2%9o)qF|j3MQFS9D2%KaIXT
z|LTF)gRB#zHyLyaNJjLvxi(VO%%iPI`*TD0{z;$QGxTLsU;1c1*N+6pD(~(zi{)^M
zuGp|lZJ<;@iW-kW@*W}e47t)XhEOs&CtB+tfJMC$R4V(|b|FL~<A!==y?!{+$lcMc
zRL%=alp0xudiz`gkvoDBOlz@IeTd$SZwQ!e0Ub%)L0NB{jRN&TKcz<H5}c7&22`qb
zb}M{4h}x*xi<C;fhDa(og5_RM5S7(J5C_(&H0_Lj@ufYVF%mI7KlDAOzH5oeVNq@?
z{uGU>2^}~iw^lkXRVTSQ$z10kOa7Sz^9KNTK7^{k#jt37{U!BsmZXF4)nrPO>nNSo
zt}+rbIql<GRi;EOv**Ze)h|u5F72{qkbjWWI*3WrP&)GLRHd@&Gf+CFMfKbIE`b;j
zt0(2<fk<PqzfB|;=C&y70<OY(ODnGcz4<UKX2?|iH|sn26>gQanZ;v3Lazt;jFBle
z^nkjnlPC?6anqUe93bO*rIF`1*C><3bO_4`I>c^P@E+o<p;_J#Lt;%{)eh)W^*<H(
zs|nrz?A2qWPQ|Vog-JD`1!5O67UM}LN{59~=B2cGiDYl0_ocFSt8YN{Wl~>e8wa|O
zXsp{GKW(i~R;NH8vyx}sq=T`c-ujQVzWLTC))z?~KmB;)lEZOM1IhZwf}GR#&Pp{n
zdV;?<bk;@Rb}2Q~OhY~Igw;rAC(JTDuG2SD@(F2hLKaBr`GsWN4ht*DBucI`Xftc5
z2Btgdl^iz|WN<Sn-#dQ?OPfuIeKTZ~kaVf0NJ%*%$x=;TC{-bLsd7t&zReJa6Y`Lh
zESgBwvQUTx(od?6&5)~v*cL*jQ~G;M|I1R<8#<D@H{tYjNj;XdNPfc($zF^LXErP4
z$RI)v*%vYgyP3|fdI{a+2E3GaRO!z#j00|@E%lBLf^#<cTr|?R-~F0mX3GD>qGZwf
zpS=Z}Fkba*GI72gyZXb9sJv&7Z9u&ibB|_rSL_V3RXzzm^HV=1d1%$Xd1k<@*B9qp
zR5{OQiuWa^_XU`HmzyPwzFu?krghRLv8sLykK(r?rn9Ny+(s6Kw<5GTQXoYvmhqoq
zDZ3vmMk|3ZatN6FFa|zQ(*tHnJww(%{rFJW1GE05D%h38F8&@-^RY6hs+kbO#wZkA
zL`=gc0n+%amA$7QM1Mcz+$SZ;tN2DdsyG?GYIhO}TI=YLS86&q#lxu17=>G<$5Sdf
zCzFHHD_x)pgFat2pbB{nShK!Wjo7SLr01n~G$D3BNry)knZhj~^%Uc!?+B`{<C8#j
zLmee~Z*SzZO6)1=5S!gp&C(?H(6cGIn&>G0XB~X!O7%`iMVpNn$hD?-3+VN$U+=GU
z_}rlKonk^3K+0NatCYKI=MqTKiFJhOxF$7H&qniUdP^Rs%{UoiPLt|RNcBNPqs)^8
z=FbAySU_9;#5y&yU1H#zM29h$Hs@gC5<ba}jkh`k2F5+7Iq2O&ue>AZO@`oEbQp5M
z9(e`XXgBC}Mil3EDr-XT>`$8@7=nb;Y(-Yz2<tWbYt)y0BBTV_qBG#r%bfWERnt+&
z2;M*`{#7d-vTZv9CJHhzY5M6cx{>kV5|GfnkSZlc!I{wv`Orh#2jr>gCC$tm$v^WW
zdP5JP%5^;?{xxEe#dW0eEF{Vvrpj#!TI4px$f3hu)=FExiOGLKf<09AmfD-FZFO|a
zg5+PB1X<d)KX+Y6!KYWVp`WLz-253^Rc^N&%Z4lhm0nr(7kN61jSW`X%7hHXu78sl
zm;J*yR@&^4!0Rqb^3p=TuizRS7;>Fu$j!E~SBTsayXB72h*L7g(&n6Nr6jvS?`@-8
z8yYQA9RN|XsjCxcQ!<&9z)%8135*nh(YuWa3?(p91%?tBDf^^NU?d3)B`}o0Py!=a
zU?_p11cpUm=uJr-CLIDp2@EAL{^x3@%$EPBH(4!0fh>o5Ym+tS0If<Vf7X4H44X`)
z`hVVumPb*g$K!9-ta2s#r=4>;e8v#YC3UZoYkE^EJoZ1b+L}9AOkM`j=LnZvm+O}_
z^0uXSfj3%&Mb0Hod4XbBTObl4Pk*WIgM_}XRR>mi+??{Rr9<x|mIAQY9_B!mH3jse
zpCx0nW|ElpbGy|+mDd3%dn$Q9=%a45$cC#u(wp^P&ujZTPH?D$?K7Ly!5#0gmN-Tu
ztIuW`<D>i059xMrqP?_EjW^B#M($PERaG$S6xBPEj&5&Y9|O2v!z@JvR%d7LZnY+f
z>fu(1Yy?UIAxFR7ji6vWb_+h`*?I3g#CrF58MnT3tPIqlZ!PmF>yppyIG6?*adNks
z;45xY6ZU@QCmK8&9Tqt@NQiA+>hL=bXJPCoN0N;3eom1CL(017#>Hx4io8YcKfhZ|
zyvEl>b|(4M5&lX@$J<HDx?*)uS+9{BFI(LbHM!?Yp6+bhnUWc2wiDg8i-^!G42nLv
zWpn3t*tTheePF*jb+~bVU2jQQ3UJUm9T$`&LoXR+{ZENw-lW2|fSS~~(5{Xul+hZs
zqE#K$QfXI5x4uF&`cI-Qbv~zN$HEjy9mHChqK>qGTc?h^4Q8blU_&in<+2SVYC}I|
zWCkw>sXj?3AC;tz7NvjZ6PC$;>(F9qSqsbtAazpfgp-)|&Yr%B(>oVrWiY0=Abc-6
zb+c@I?x#?oN8c;Z<cpsDr#`-QQNFEGy{84zNGbTdlpeD}vZXYIHY0_S{_rH_L&6?8
zldAt47YkV>y{_*ddcqpzv}qX5nY6iYwNjP6BK}0JI(C=ZN>!E--h@E1VbO03xJ;)s
zf-1MVAl*n+-{I-2tBT`^<cuj+dV_RCmRQv>o+kt9n7u`dm38@34t1<?W-Ym~EopyD
zN7A8&U%&%f|Mxq9v5i>S!wqVhjz;q90Fr1Nmvu0AP~HoZ(JWK4@3b`XC9)|;PI%g_
ztg~SmnT=R)i1oIJTh<17G?HEIxT_C^CG$p-L7#&3Oi}X4BgA^k4xo*^kXM(tzS2f%
z56Lj3qlcV)z^YCdIh1u{G~b1*)KvgaT_wv1pEasM9Rt(}?YOG?JxMk913!Mq1OA{~
zR)O5awW?&vmrMvX4ns+4T%QaYF0<mPJyc)z;r^+_U~qE?Yj<uTm8YbU@mWY{e2(+c
zr>=6SQp+-WE%$pNZ#O|cCD_SV0VAiIxn;?7kmHviJ6J}4@JIbo|HcYr2g4^TYw6Y*
zxIgsr6jhe}cm@l=-D#@q^;41P|6>mxWl~DLy%~H#rley{7Y-`?$T^-;(il2)dMCZs
zUs+dv5@Atzf%o0RUP}k_SY#~^QnK9R2bBZ2a@Ge?HJvuw*UZMW6KEUS%xDb?plZ~q
zOJP}#AN}PHASr;2<TnUJ@^=v1F(P(B2(o+$<ew-=`DqIZPGU~m-j<H{Bg9!{LZ+j@
z9)ZukP{?l{RX*}Fk|uW<VuRcSV)SW{<nv%28DIcp^(lXO8Avm`v70qIk3m-3RYmFX
zjJe&9mO-ntD6O*bG;!b-RE^k5Nbc^z?z~h=4<nW`sS`5U0huBtrw<}8EK|;uHhC$P
za=uir5>n@bGz(emfLtwYE1Mv9NcABpJtpKSAEZ-CJyP20fb0<Rb|++?kWZQ*pZOqP
zI3Qn1n|vyeYNeW*?t}D~>R>6!%cj&(osh9oJyNPun;`OBk$Sw8B0fl=kZK__h0Jz9
z&TfLp7fe}}G=}z2oX%atxFtVGTkdwUZs@oHbc|?Z**uR?$f#aSaAY6sKbokiv6Awa
z!ZJucMe4T%l6DITtYp1%$PI4B#6^(f8J-M-fzK#PQ5Abe@t&#w(Os(2x1p1^rIN+V
z$>Q9-sj6~wvZ!)v!l0z(Z>M)p7?9VaW#mJWK6~g$k(>O~19w6`Xa?W&C>?PmNt4z<
z9;A0M$m#FoKz@ZUBfST*SW4^2oQ#d2?>}z`38LW39FjqT45TA-Jq~8Rv<(DlQOH2V
z`i)!)xv~(_%-wLmmB{vcAclf(Ff{Z!@b%k?f_}e%s{i@)X0-!yz(-`*pyeUR@5`9`
z(~uZ?1geH^L-VlDu3>e&7KsrT5Q7nqqblPCv}Ame2l+P=8Q;;7nM5@+)ep%)bLIpv
z=dMkGJPk`$8kmRvt6No7edbqH+b$#anTuHFl4}=X@*mw)A7vO7ADyX`FBxCEL0j^*
zX{tKjYG=7_&E&)HcjKxi?^70!?5|N^9g@bFf4_|j@LSXI=%0w$7A;XThDA_nU5)yo
zD`DyXF0t>Aan=_fSOjENza|F$5hRjcM>gwH&}UtVTUiU?lLOz37Z>Ad*6k^fwM@T}
zlbcy6t|IJ76VSo|P@NK)zeJs~dqoj0d`U-6S1QAE9O?(2f)>licr<uK5ZNtQOZu%p
z__h<A-1jhKZDi3JwA0I_*dR1Jo^HUceaL2Yhls{3M$j@8L-tEiFx<6N&5V0t8Ts5+
zHM4O8<2GncD;;Y(P%5X*0YBhJwu58O%6?11vNDB^4^z~vg5zMZtOLQIeaq>PIb*q`
z1sBdE*tTn4#Kv0M?3E0>zO6{Vf`QLC4;YRkftK622+ftGZT1{OGGcfa3)wRPB;KX!
z7=x>h>LrkQFgxzWuHz|K9D87KybSu3abd)MB0?FPJ0V}BF)}<Zscd=2mwXT`*<+Bf
z$jy7YC9Y<@)@Db-iXYkTkeXdH8J65nwxaI>_)_0Q^YEG5Kz}0W2lk+T*xF?>S}WA-
zx4N3~P0nj+{b13Tah6YTHM@}DTz^bhomzEd4=aB(s7~!Z)sNHX3W66Uew%#Q-GRRJ
zWHAo<)3RSBm9yWJs%&@JUoKat-ElNSoAZbmn%<(UwJS|^Vo`ICIw{b#NKG$$E2>W3
zd+v7S3_jLRxr*-UQRYjv%ay0-$f)wZG;eF~L4?ytYVSeBU$t|o3M9VkQNhiYpbEWp
zctAy}uSr$WSK7K&-i#x`r_YHaQ<;q;&mDmAyNFfJLNYsN5^Xv2NUo7Df^<{~NJm|b
z3q#s6h=T!N<`!NB^xs5vU>zNUJ|=28JzI&|3A7D+<0hOA4kN@#uOWNrD#&rXdm1H2
zgHd}}P}G7|DjwU^t@3YsW|1l^s83ZzFKt<*iW7AKb>g0GMr)W{xTK!8T%GjS>U61|
z92iEH{K2A~F$(E0x}~G<4E$FX=U-L1q-tta|4YIxO5IxNUsZWT*85*z_(a0@|HAN#
zY~cU38x$>l4u<|(4NEorUr<FvbM*h!9242t|BEkAwDcK|OEq6B{c8*gL{-6mfl(+D
zMgK31Vv+5$QS#TSb%9*K4(hOxFH@445ZCgESG$sDwHt5T!U{Ld<dnw!nss4;NfJKK
z5<ci7X7Vs*3i-U9xyno-shO8K%oLTwOd+XB(UD9IHHrzLMlm5sYVxH&nW#pQiE1F3
zs4}-P_j5=`rASAfQBbe0X@jg4@*Kq0=w{8C0kQr})$UDZVVEGLb198>bqm4T;4Zuz
z+yxc^X}x^`n~3FoZnqY_!c0*kWZC?Tbytfij&I5)YiIW3DXdMOLy~W)hh=CZ_~d-m
zU)~gEtwE`!nI%ZcO|<1r?CKl!%rD>@9V8@LmDZf%LcNktsx0yrz*-MccO?;s-=x~e
z9*`mrQ#muNOxT}Ug0d#EXsHWfk%wTV56ALQz5n`2p1}3nFK3aIjzz5ZnO&BD{XD22
z_Vz#2w9+fj_WD6gAN>1R^h*n0j(dM^Uq_#WN-^n`=cA-)c&Tp}<R!>inz{Perv1IW
zpF_*FO`oiOP1$=VXta<KyvI4KJ4i+-c?;0{kR;9wI^Lzuel3))=DL2Z$Nf+EvUP#H
zpvZpQuI47BWdCO!OZX?K|1U4O{`3l>_W?$pdab`~Q|GiTW5{wIYE<Xu96_Ab2fMH>
zznK~!@7@P&@RNUOoh)-tr!gM#y2~mDX6wEcn7rA?$P_Z5a%8tIYNC{}nvRs+3`O?W
zZR*_m<=fSHW^S0aYiS#tLRvTu3@{C(G<=3gTuKt!zGv$lWMISgElP*~TdYlmFY9G`
zt&_lFlRZ@5@#v$F?K`T22hou>wg;BU!aSJV=>N8t(#a7BXBsukw;jIU*y;Lpder%O
zx6&q8LuxR;*H!%$&Sd1V@{drkSk|D=aSkMdjnukw7cAN3NMxT*?+`a%EDVWqaJ4=p
z@e`uoj!5aeL=FR`lT}ZR!5fpnTt-G%jAS8bk(aE>{v{8_ix0%^pm}Umw(l9sl`~l=
zZp&*{7wq^MllmpAzUI^V^zo?QbxT-UxEp~m3i3kLdfnPils?2g*TNs%>cS;oEMf$I
z>0pw4!}1{SH2;)Cc6pB1AxV-O>jCn?-=FeX61Xohd*3ujmgt%C*Xyi5@kN)xqMzus
zguYe#-%59jzG+F^B#`YFFZr^874tz8%yS4+pO{mw;QCDJYlmX_(zEYgUL)=Oz(TH1
zWC~qkd`rpNATf|R<J?oHF5Ucx3!dMT_D@7-e@eZoMAjG&DLRDU$b7r3Pa<5@x?e(H
za{TSBrSmex^b8%D*{m+_6Vt$ToO{3h5F5g$Z({!U>(Rfd*Ebz~*I60)A@z^e>zOY7
z<r@}B<=%IdYRxug1y2}Pw&!_BGxDI<{p{!Ll-@8&^iD>4@Dvib=y0aEU|Cr8k4&|2
z@5yOMd}f7D1|`V>p9VhU{TLmxcIthrcjecMs$8D+z2WV<75c9clEu7lRQr-kK2gva
zt8(rELBVDg8J#&*Elk~N`65{d*0~e(;a37&kG;mE8}Qob{rXbQCGT^thg8`(qYqov
z!IB~F_gxcICG{s(`y9OAl9!Gyd1B5#j7J{#8BP1W>>Zw`F+T8&M(*o;OnbjvTgQ#o
z-V{}N{~~I+4dRD>_b!tpcM=2eC%5#(`RlSCm(5FGE?Z+Ju|FA!KiqH3l^@Fu;j-($
zYti}qN80KT>#f82I>z-Lr6+dZ-E}Xt(f{d9+Q7K!UFh#1|6tKOaY}wbMj^!L%l7`a
zsjGja@(1Sq<MB6Cf9TUsHlt**R4);1ZCCHfe_A|Ft^?Iy!}Q-?k(5?40D8vv8Q1HJ
z{{G<aPXBe$8vF`2dNb#*NXrjTV#Sn)NA)nJKFvvIkvaM%wa5nglBruDPVzustd>n&
z!YfnxNKt=5r|(%SP9h_!ekLcYKZLLPQ>r!hBQ|3oRW*Uw_l3Q84f~tZhrq1Au^FgH
zV8;{WpZz_Y);HE^cXyGUqd=APhL^<j!;<~6k11Y-$v)p~^O8wc$wcE(rlejx<d19g
zz9Q}$%f2sb^fj)Y3p%>J>)#(E7|aq`y*|sVHGYRU<%{?#*)=M6(W{MDb-MAl1bq5e
z_If;Ai<wcLS3#<OC#-*<tA8?UdOZ8b(sLSaxl<aMgR3Y7<;8>kl*=PO3+lZAm#gBk
zp?1dOkpCFh-?tan!Q#0JyRvI2?;_$-IR^y#gW^AqTURG!fht}O^YG(gc6e=Q)<-`E
z;2PItdV2?c3|iv3Xwl!?{c#;_UG~1Y-%CB|dY5n(yp>wBZY#PEXnHHs=div+(!oiV
z4;|FJG&Cc2trpYC(8s67*3uidGGzLT07=KZmr+`f2dc8)>Che-b6u3=)urA8YHr0D
zz3ys5zGIr{mA5kbU56pp%!atHt@Vz1K`m)3-;_It(A&F49N2;ueVsqB6$zO=6<uK7
z{}P?h>GQ5rj`oHX1^O3rf10%;L8?c~_cXoyf(HqmFY;-fzTMZ~t@rwt?1I^0g~-Q2
zYN5%RJ&SJ}bDmkX-z|-Pz@v-kJ)H3v_TZBJ2P#LpgHjQLocnL)WzxMpjLaO4bhZbV
z((&&g2hs_|K!0;G;89Xa-{K@qLyP|K#IUzu=&58Btl++B`8Pb?jGW%cRBPR;t`B|A
ztkr=XvMt0~{PYra{jOm?bwmEJpt|Ah6Y2rv$L^>`Y>b*pW?KunaTxptb|u6&23{sY
zshf!IfE|>q&mxg)Fh=RmHc_nyc-ppfbz@>Rv$p@y@C}k*S>=>M(ppFmNB34Vy9tR*
z`<u*xZTnAsNylSt@CiM<&pV=<nDXOA+(&`RPf|Cve#=>J)jAFn^%r#T2+-e)`Z0uL
z!0aw{bCTgvH#hW0>41Fzvc&PtZVRbfLNytPh3LrKhevXhROxb^m1C`Aec6q^+QF!j
z@AYnZeWuto9O|~%8b4U%sWR;v#v|j*9(CI*0ot->ap<ti$ATm0bpeh2!@9DYsy-<U
zmoMFOU%{F_9P76{`oS~%cOqol!WV;ezqJDVv`%%ad`5EXW`CnvEkE{Jy>~0|%YHl=
z^m2Xow^Cnq<nTq<l`p6IR@>gK@~^9H?_`px(c3F;ocd;?UI6+&*Z$M;Dp&G-TfUwZ
zePX%$2yD)LLYy;&;Ea?t%ykfvtddi`kw)tILIFzh{efrI7T(E~Gv*Pw^EJ|IVNMWi
z@4vXA@?6is#y5*^dOf#Xi^-?xbv{M>s*Vf8vLl_2%67yySXs2bqBnmOvWC3SieAzI
z^Vgj8iw&5oJ|}916+UBX3(PGkl;o3#!bwOJUBZ#BXzJDIOSsYeNfCBuW73dqv9y@X
zu9VkAm5%_j{B!(}zrv#og@WpH?UXL2sw1TTYL4-I3s~fSyz+Mu`#lbpXF=+Gmgg;J
zE7tTM!g2l#i%agG<&WMd*OBNeOrUSZm=yq@$hDkn9c_9wb1fm8^k1~`K0(QIZzdgw
z5m;j)&iMN8fDBv?IZNPHG9@cd$->nI#2{YBjH-5Ht+WJE)tV|UxR4!+UElZ&$OOV^
z$jjoGoW6`sO2#2V{#Zaw3uEcNSTIY(J*iEQ@jg(=dg@#av!{S8)_*dka5t`c7f0xj
z)1mJz7MW-W%ri2RP&x<&W-EgdzuAREvB>r?w4R-!^wV0zis<mpLA`eq4(gAge9sUZ
z-?*g^IVl+P5%Yc3AM!1+^8F|=_?67@Te+$9J3!!1k3#y<;m=+U8O+nHe*`JzAH9vw
zYp!5Gg9`;vx|N9k0D40{chY-fs1Yo^Q)4Vx+&}wy5)QypS-lf7i|AV9SzP~tg3{+e
zs{dp_xV)2+yt$}e5|Es9VC{is+Rg`k-b)Nw`D$F%zic;Bv0Hs1N=q;Ez_N#`dx;5_
zdi0scAZrY6!7W!krAI(on6e1t(?#F$bQlWaTF^vWMLR<qBUY|+s2Y#8Vs~u^A-;;R
z$7_jNd?yI>H!S9fwUn;3qPbrTl1-RA13PJ(i9TbKVA<ql6z&ziau;E`9$8-m^fS^>
z8q0<ymd*IahB94Z2ckYU9z(GSJazPavebK0$VH2D2x7)=ySg*HTbvn;Qe!eo^~W;4
z8$ho=!}dzlW*oQ`GG20WObaQni`W~((4s$q@@_>{U>FFT|0F`ipESS{vJtR1Q0l&3
zG#?0a<WPF!BgK8$2t4=ra6xwG-Y=*25=5^H%{2ocmG_X|dGd-g?^C>Vt#5(PfvWf+
zWJ&22$QoI+1?1OafxE02{{a$T!Jx!f;79xhsXhTQEG-y65s+q!h#gK<|AN;0xFqYF
zL@iiMc18oBGA<X1EFtIOQ9-&F%^yiME@ESAWk8uJdG`{vA|HnI&s0ONgVcQ=#@+X&
zK-S}e=P=qzec07M%yhm=ukT9QOb2cL`2t)L#K>?FwSUl|zY5bokmR?K*p=&4=gX9G
zONB2L<DT1FQGZe=)f}ob<n7IjLqfQ^vyryAN8Oo_ujO3wVT}I3ENbym8dL|CGQ@o1
z0>9%U*dMW?dv17%wo`UfTFpcZ&ICqu2<ugJER(q6$(20U{=kYE>5oT|{&^5TQHzuy
z5xJb+${XR!zk#;+;%o+QH_Xuwt|j#{cR{AEfLu*<W3BYYwhkb4Hrnz=kmGshQO*Al
zrSa2H6~F5m$TwNECBc%PhN}EK=q-GVfEBFr5xQCj=))}_Rm3m<5Iov{hNG=Y-u$@6
zo1l8rj;c}HAY(I-n2f(w$FfR!xAhQq`KrYEBvUu?*%DZ?NCDTmThTX(Uh@egYEC4k
z<%cgNF6GM+yDlBEB&wmQNra@GV3!13$X<wMZ!snf`Sit1YQ_B%>GjEGQ#Q~`5bx<?
z$gXL|q@AkK53&3cmO-Xt((AyZ{PUaWI2=_@xrsJzfhEvEsqhGXhgNtE16B9}zql#<
ziZLqufxs4TAjHK_5w%J;v8qlT3OV8i$aLNnRhQognNte6wghq?*MZf~y^LFS#A*hz
zM%0Wzwq^|atjv_V<gWnSrN8mgkKFo<uFnycM_T~2x(;Z6eN_E#7b(5ZDLhgrXJ)Os
zd-Gj3b&p%lQfV)E)ID#XOk74a5C~fd#QIbUhqhG0r1I#{JGN?QpeiRa%OjYyJi-_`
z4oX6-e<!E3Rest&MxT;(JcZNd+Q`CoPB&+vFX@*qh<s!`c#9}q)(Z14EF;>Pfxadb
z^oJ$6l~J&ro5HmE7|o6|VM(6DoE}my!}A!iA2G+S*1r9-2hAs8Xh3%uiN|5Kufv-C
z5j$dONH}&ZR`&+pZ&3Gkf8VL@3+66T_jUY$KHGV0MJj5;%cDi<v4kXTG*x4)s9)Nt
z?)S=fWR`zH(wfONM<u=LTWqLV^&A+tc+~yvDxlVtHu*Wx=DH#Gbf|S(pYW&$N(SLf
z&N*K7K%z#RUecf*%r9=|G(0s`J=n={>mkqUsp_F!pEqOe$27G*Dh~*18mh9Qg6~1M
zTEAsLntIrqSFaxKxv^b661<q+esv!8$jcH_=gDBsI+O{KbUf?O;G>u`W72?O>FI>X
zaX)i;z1rYCx=wA_n$)Ns^>egWS+~G4^bE+5c>#{jN3^O(ce^{(WBKz^)MKrwjXYrt
z^r^=^yhV9DF}g)Pv3WNkwx)OBbSkA3!>u-kXSb=1-S;-BC-vXANP54X(6RSCxn*So
z#wTLPvc4G`FQCu*nUDexfDZA3;3gaA@exEQYYR#TTuR3Pkg5S!BawTgiI<1^3FqtL
z)(WqB%6)2^dTMWJliK8-2LcB{RQ7xAYE#c)jp}K4qfI@%#q_CXO0Gvib{F~v%Ae~>
zI;W0D_zzOhcPp-rtVA~Hy9V{lYtuT_v%&iosb_bLY=>oJmwGOCo=-j3Gao=1Z_}m@
zwBdr>Y4tk*^!<)R>CkKG&A!yGo-aQXLn#}n+IhTDIX{EcbsDRgTMT*nZ(%V%0a@Qx
zO5sUMSRFH|7G$MEhAe^{C2dorP527pK}azpSWw9tR&dJ}$o*-oC2#hyjlIlTT=cGx
z52zLggp|NiT)qS{i&E(=luGYh3|Sw7Y)FGVCe@9U$}gg~Tz+U=k+mH%2$l-@)o;ah
zQhFJ_iq}#h@>p6S&&1V9^j3eq1@cV~>yZ2aw&ov8*vm4vsONjqo7D@!if;A77G5SM
z^zR@?9z-;XUnES1t(9f?Ei%lRLJ+;**$KqObOa-`g=Brn-%d5;V9ZM#os=HNWb|PS
zc_#TF6N#yBC#7JBQvSj1sCpIk?&c=cPiw=O_fZ<Xy^&pGHN8etGOos93Ehc=@vaw%
z9h8DUl1)|Psk)ZiShHW~L`xfn+`oXu2!W+^4nr1RgXZA*@Ok%i(J_EAa?5Yx0t4#V
zHROd>v_H(zFMaGO?-DCdt{-U2k<dTC56z}px~CB_Sx<v<3lUgHoA-H2F@K1*bsgZl
zl#Qk8CJ!cO!EDSxvy0DQRcR2-#*<yBmp@t%Itv8FEOWqx*_=pQ#TcqF1LKjM9T@+~
zLA8=z<3hYNE~FH>2|ub%gs<vGl-9_K9+nS<edSbx2SY+HbrSZ1W{x;=&l>oJQdEG)
z_S)e4kf8{tQLXk#TRlp>uftMeN3%IUjp}?ahMuM){%=Y(x1%q3o`c?Z+JW1FmVjK4
zgiU(OFSoOOJV~&F*;osnOIvXfHljti8k_5<qzAqhvCthT^~xoF$&D%K>%e3*8&!p;
zN_DOe&7U@7{2{air@$95Iw&2FaX0g_Hw8*xS`4!lmKdL!smKYiRA*z-lS8%0Y^3e=
zWMKTjgblpgN$6M|RkQ))#d8|4cCa0#d%6L1F$e;WdvWGgX^YTS6d)~%+@wWiJE#Kp
z&=J}Jmgp?1)%T#U`WE=g{{gDV0<gp<a{{Q4ub+&$*a$p`4dWymfL=ho>#!vJEoz25
z)CgI>h=4^pKp*#^S+djE*hRGgeFb)yi(hO9%V#Ladx9xhTniTSV>g=RU|k?Hs-mKY
zNKQt=Jdmnvf&95!#C+{Q(=)|;6q)F<c(5_G4jZ#ufqN1xCF5Y$)4(&UiNNmh!m<$(
zUu8qz4j&HQfzpCykg7w{NTf#G?;T_ty#blJrL#nADlBE0^qTkMVB|a6+*5JJ*al{I
zb0aa>YR3hcp#@J+a-N4D!B7X`JO>i0qQhAYsorjfd1E7DyU|zvF8X5YQ}E~#s@_Bg
zN>2ozaUp!+C-9^EIgEQo(&qdX2R%b5xi=@HYKMnXA(1Tls0l+dc+MRt2);r{0uOqz
zn-7b#jgUmg6R`X}^t$B>$&wWSuei!V=?dENWFhlhZW7(6(Hz)qr@D=j^CFa1cvEp&
z-ou8r1qsuQsIU0J2fl5{>c5F9M-mluH$%$3*vM(zAGNTkH<s9edl?<h--xpzhY9B#
z{3sq3K*0%%fpKUG5;xNkd<QL|M`i!WZlEOJkwtDrOTm1!L|-Ku-lLKAK1Xll$8Ine
zfu&@<2hFl>=oE<l1dH=Jl!hOnEp!w3VpiIsr{Z~Df)3C9sH!USlRjgy5&j*0B@Z?-
z$VY*+W=1Mv!_gexgz=&?Me{l$>6L?*u^ndfMO1k{r5fa}RQc;+32aP8>;@iI%yG2o
zWDWe7ferb?7r|$-8$1rp5f6r385j?&L?W<~j_AkObyk8UREo*q+02Tfn=xc;qt|(e
zn`*pgzccP>Fjw5%Ot9aEC3=#mf5uLj?uI$Y)}{*QHX`Ar!}kID%H`QFuoe=Ux`Ws+
zp;Ue^AWP*mTs0OF+C`YEWCR17ZD=`^-snD5g^r-A*QRJ8>I>Y!a80Kpcr9Au$D+P?
zlpT<7kwZok#D7u%@*?_z_crd2ee6;sH0H>vF3E^3^uE?fV*UVgNREyE<!!LY^LcP%
zH?fx+G(!&W-XA@*rJ*4BFX9q1uBNw&UgvmH#r-n)0`fDm$giM}o`%zbR8Z-S)EP>q
zP1fR)!U*bbLX{!uUHqM!7~BoWz??4Jk{KWUm{Kqs5_l56NIUof8zJGB92n|IWz1(n
z+!5T0H((<;!A_iCZy<Ezuv^_qwdP5B15Y+%QoQt^)dZ2#fAJ763Lf{-@d)ZGe}K4V
zw$XM964k9p=*i?uPz}1M=IyXEM$!=yR|6ZVhGLnJ0s@i$Q#)dJ0WGqt0~hW}0a_G%
z#%xNx`NyGB1%5?=xvQIi32@&FOu7R3!rqt}!q6L}Xy95T0$aRvETtp=A~47I1km?8
zQ49GIGk@$NVEbr`o(xNHs-M#3po%WXMsy7@^hO`Nq?779^ah_n%>O&;<5g5+<teZX
z=^$2@!Qz&eTzcvA?SmyadMkkD;!)LY=qvKth0jZbIuLWE6DH$b;FkP|=Q`_3^3hVX
z+6M3}#Ekc_=6>5loNFPm>1Zjo5{=3w$hx0wK<p=oyS@v3ui1#Md{Gws&><w9-h(jd
zmb5h*ftx44&J4@T4bM!fzLi*WT>%LW>n4(N6!&ikAl4!1?`<YbS0NkvSy%>ADo$^r
z^d<^ineAw9MtxMyj`3+-$R3YuaV;!`mte>_HWkd*!xEei+`^|Q`Dgjb*lzUI+=iI@
z7?f5`LL#(*-U<)#^T<&=(gvS<Fdfd<I#BQ#q}rFvkjV~aG_rCP$N{bBW~$*E!J;=q
zXAPyGH3gPq9Wb}qG4yjIFyu@V+Cy8&FU;3<!B<C{P8#<f+VsX3`Jo$$YG63485yIQ
zAUe-Tr6fDC&uGBGz36klj{@f%!ndOX7Y+qW_-YS^PNLUyKW&D*Hwd2^6nrTXA=;|z
zF;w%Nk1-$L33(6&#$u|TT$nw%A~v%Q^>SW|OvGC7CO`%qR0EG;L;qP^pZuwtuw^O4
zLEh`<T4OF^<*$OO$nC*FIUE=7M1AlLJLEWsDF+A7WytFNytEOMp@opx30~Uts*=@=
z*bZb}hhs9d6lm3Ja9<xk3J*?$xdIr0L$K@ool@Qc6ohYWhx`NM(VvK#KAF4MHDc|M
zWSF0#RCNSe%11kJ--$<lIl1Y>m|ok<Z|Xqosd^l20A$4^59Dh~zDrOa+2tjDrl3Al
zgslDpuhp`Z2b>@^7P+yzp5D@9C>bZxRyY|k^BmBZJch~OAbNuVv;^(+1~wq;GMdr1
zbrBM>pPTck7UeNoC6B<Y?*&3{fhxG0j({7_%MU<R#g8^va$w1mPxZVK-KZR+^iilv
zI$|M!S6@PhKGFK$>tw>pUv#aSNXb2H8=*S`7~%B{MWx&Wd*$#Hy#dVL7OMKd;u?UK
zko?URvl+3-(iE9i?S!NgYtb)+&qbSgRU<K74YO+p&Xlw`z+6Q~<#QggZWYX~%fRfu
zglgqu5aT=(1YH0MZEIkRxbsk@Kcla#pC1IVcC5+cLurI)#7^wS>Cw0!ldA*c29~to
zp`glJMZ#4{U~4uZk$*7?j3>OL&$lRb{|XlORL}lk=bdgxeGeq`5gooIKD2xab7>d_
z#Rp?IuK*WfE}o~OU)gYLCrYd3q~Q4#W|!RaN9QM_FQo^~Ly#yQD*DcBhFOj{RR_Qv
z-qa<o!WZG5OYNPDmwm)IIf)o7Myz++StslBBHH{XG*X%gbN(JQ2W3Ig8*Xqu)mQ@c
zW-Bbt5H^e*4oYRj#Weve{zk0n6K#ASVnu$KD}I1EbRVVCRU%dai?bpfzTs`)+hqgk
z{ot!!OK(-88Iy<Le!(6P7`d%P;|F>RWuFd?Cre!Y=+#$E(G=SJT^(q-9V~fAY(cXF
zLp5^<Y~GO`w8-O#UWZ~qG@A=dnAbsq=~&aTDjUzx2DV@$urmZwd1CRrScmb~kc}(=
zZmDE(;95$q3{XYnhRU-MlhyT*@}IF58|9}u$Oi&>7${5Qi7NUvrPw_%SJz^r@Co2n
zUQ1i>Edo~lvklMPkn&$>3oLF0^RILmr%?4wq*PJS0bE)CjPu(ehXBYt5<~g(F;wzU
zJs}QIEsbHLbSh%{jO2a>F=Gn~^x;lFOoht=0NN{><q@UgQDKo&c;RG9HLFpjx3Opg
zrC1|vE=w{jVNeA<9_)VI47t#OgLkIV=IcWJOs?NO>+mfuTTCo0N+omjWntAfNQ7pQ
z7J18M>P~D#Hf(3e-lt@~jSHcjXpXcZTNJdR^q<JiNJoo#N+)7JAr{<4DO8WDz~i`3
zoGDr&FuMz3_RsbbhzDqM4@E3=VG6TWzEXA#s3X`<p+4xKBfO~r=G*8E-31_T0kXa6
z{SKO|@5YAfa*2?fRD&Y{6g>~k)!Wm=Mi*F~?*@TPFyjhJ<^xTHZa(U(<uNGubP6O>
z$h#2Zq%HtSW}Cm%Ltc>TBuqMgh3EkdIWSp$2dZ5CQDx3=NBuQ+lHn2Tnr9}1^y^02
zUP6KY9&A+KMs-HAozar#WdE%w&^uj8CctB7`7u5M=HQ5B$QDyA+>|1~z1Wark6ykC
zPeeAfh8V>DEhBRvr<=Tk&>Rr;(H~)s%cDX8H?BM*LW<Mq&<8o!bV{*Xm?S|tvg>Uz
zAWKWhOYj+sh`9S1FTJ~bsFK@?q8n`}m;+1oS9T(P4*2rVL5u$zY?R3F>4NV!Q~kCL
zlk<?R+}42&nXCF~qGUI|=|e)`E=qwh^tv8MW`bSnMm8BSy=hk8&Onunvoj6qF<x*F
z#Jv-{@jHZ1Qa-YbUPHeAjLm66%K=?1H-`to_o*LL^HOM&%LeyFi22WkxL@)@WOoVP
zOtqi`%<<d6T)71W`a&)Epl$!6>Y9b2@CE=?Uy7kn8>@HN4WGHsgA3KfIeej1Pw_#{
z=mtv|kMtg@2Tvcj3T}frD%l=B0OQdO5V`2)&s_jA_yL)19Ezbl*?P-YqN?b(c1SE0
z%r7uq0`q`tj6@=ujYq}2=Hg9jCw|OEvvDY66nYY9=27@jGQmN$!=auiy0VG;=K)yL
zpVb;q!B^nHMtB42L+4;T<OQ?00QGt$j2{ED`8|te{EDS?T!E_C?Jx&xVb0?{BCDQ{
z9NJAscrsO;AcgWYTWqrt#KkaIE=He!Z<oZS6PBk?S}o58m5(;k_A?QRbkN~_7QXnE
zbcCk}ncV<$j8fHesB*p5j5Fs;Vs3!1;2vyvo+l)}iz$W2pguGoEx{>n;xdA2R6h8V
zcLXYshpLL38j*Oyhf?`SJ0woWFG~i&F0pYK>Z|8@Q1BgqoCjgDSRW?z%5{q$eVM2)
zzYmkapqFY7F#Nl*Rv`DvHO)jQaBmaj0c^N`K|&8yNbVU*CtxTz6wM(?QC|lv{*!4d
z{RJ(B{je6RLpF9ZRp0aQ#bqbaS688bBH_QG0ezpOfWD@Ssc{Ew)$?d8`34E&0P*PT
zZpb~{tw$XgFU^CL-Ik7B*`3W)V3@6t&{`G+=fPMDy@g%9kw(u&m41t2?sO9?AHC6;
zSPS3nWq5X@IeHvv<~$g?p*Z@&_aj>|98!D$NIgx>_>qZ8x10ox3q17753u!(Txf1P
z=oc>{R!)=#S9YM~>aCF5xN8X|*hoV=QJ|0Zdg;?gwUP};lnlYR??WWaNe&cTgl1Ew
zY3VH53d~IOB~jJec2t4DOo-UQ^p?MlT|H1WMk;OVFs?7?{Cn{-w35u$Cw+6BovQ4d
z{uzk5U)h4v?*sUjfr9d9#X)(-@tgrEigcm$e0oE*Ot8YosphY5q$JNIt`8{{nc}Zp
zy%=YE8Px_@yptPHa4H><XXq#%hcm|GO~9Q6(U(a@LHMd<ONd-culIX8%H{u9GKM69
zR90a3uQmv;qI$Q=a{0o*ybuy96OTF=?gCkwBb(q0os<Hf>^OmIq$C*|ycGn&yXXxj
zFcjQ@$>3Ykt8XSwh#_`5w=??nfZltmq8=Rlz8M6AyHS5TC37MY?w&3><d_mzMn}+3
zH828bp%O}N`RPLB`cBBrw7IhUME7Q#$rnKSq+l#UOyBXuVn|d@Ng=7_gdCg&NaGWT
z-hjdz8VH0u9UF@%>21d=2daYGP+wI_hkrHB#2!OJkEL-eeBsfU%$M)TqI)}Fk;8HH
zq-L^M{$QeK78BNU1$^c^01DMZsxC%L{=-NVji)2fhWgN*_z`nD{(P`5co9RfWw;eu
zj7NbLh((@3Ouq;!ksG<lQmXn2&UqmCVkdybmyd5X(NuEx7^*>e<PHo%i~BMgrOk+$
zv*^{y<#{dze8Z85eT=Hg?Xc*#T19?JrTJcrdopO7L8<(;4)k5;A%0&qqu_NrVo^GJ
z<1DYH0~z&bc?{2kvaW?pAH7dD62vu>;zuK^?;c7ILbmiLFq;<w%{-Tmz+z;B|Lml+
z6hML1X^>wW^vV-+$skI3`GhItp~INhO2-B5=&K@aBe&3DK8RRpLlf5SplZl03wTqA
z^G7z2HU&ZOA)ZIRh3H%2s&C<&kpxSHTm0CEf*Hd*QCf+$ScMO}*Egf@JmC6o6p(tf
z!nBo5b2GsTlfnE6eBtLHk?*llVPd!DtHs#3n6|tp9B4idKL4YTSZyPKR@4h2H%flR
z1>-~jh2Cg`$T_y?cVHMcO8Wgwi99L<<fr?gVSo(Xij6Yf>#E?~20XeB1@4{F`wi95
zHdyo#F|rUt#baqR=Gw6<KU*&;Ndwh+=+h4uy|dzGs`^;wz8{GSIZ%b=Z+gmWW96KI
z?2Hi|xbPl+6tqi(<YG%N00DzueQE4}&$E9SHs1nT?^SG`4b3B{hL27`-$Jy6D&$ak
zo-6=QP%@fv+We*wd|hZRPD6|P<z~dLSuE=n(4u$H8y<=l=XpLPc3|Axhg&-NBeKs#
z52mf^yCzb38_arDu9QId8X<WbcA&l!XY{$#w}Q6H&r?yb%7L{))>A_kEqy0l{EZ)v
zF2`DEHxj{lpfa9-#9y}4A+Ja(d)iU;0l?$$!x!I;m)ehl-6?>SQ&r>|AE>sYG;lH=
z>EnLMI5q-#_ul)SDf+c|o{Ca^jMo7R$a8#fTmUVVXmM8JrLhs>k~qiC23qvYMyg|2
zfg^H#67AQH#9g$N$c2GB7v|8n*yw#@cNba;laLM0?_k`Lfm>k1ZtvTh1k4`U#%7G9
zE&g6A9kM=0SKx=XTd>wcNzx~@5LEi0S^l~gEiPF6n;|8e>cR2=h9VDu&q!`Y%Nm&V
z)1qD(3gy#heWe$Y*Rs{Cv8x|d^~VK;<FMiV9t1iN!NFZvll%)T5v9AZ7Q2IF(64{=
z+1CF!V_tBFpt=AA)eCH(e+IGm(d{6pS%lNqbz{=)V)W(dJ<x)dfE>%*dT-oBwMZ@{
z^x-Ld1rqvYSW%d^@FfE1^bXpdZzgo<5OW<Qe|Z<`W62n5Bx%A|f;sRTF#PY;<8Q19
zq!EBeKLtjm94~cV`QK!;Dpxj=qIr<$TWHa5(j%E@nPD;iGjT3%ptKE;z3bmn(l*e#
z1*K>DB@i8y=5pdT<|e_n72}mFZIFBE2tG-2g;GR)p*SO17e5$7HL}|q^5@M%9bTOF
zL-b3oV7b7Ug-O4-75cy8&O1t~Dr@xjR(Dl(qG=jvkSG`t6N8E(>a85QsybJ7ZgfUW
z7{=^i0y>e=0dp9Y?=y`f>gbFZrfHfE&<1ow5FK^U5i^L2+4tMKu#2gu^VVDIt?&J_
z*E#p>boSZzoOAa*VMQ45Bv#YNj;sM+n_PM&3x<-LizHmMcaKviOj!hzJb5X(UP`_%
z(-vm2M4ojclL7nehmZwaHrdEwWD1ad4yoO7srBRO`<ZrOrk~rRquX<IHLmVbOA1;5
zvb81%5NW{x#?cLGdiI#d>coDsOD!cWwNO2+3d%rF7PL%Q>DqX$uO%OB{;x4z*}WpD
zg346aVa}#c@B=-sFLsNQl-RH4)*c$_6<Q_`YsX_{rMqVg6ipG3Yosq}`ZPczd!UFl
zQIM>M9IdCf1tpCwYgcu>s2+G#!m2FRh5Im~2shtaw{HWuWOY$;mGUW~_;^aw7tj6N
zGuhxG+uOVQ<bd_Gb}Nz*$G8_1Lr!H)vz0bk+PZ)1fcZwRZeX`v?_nj;3Fw?gmQqcP
z_=}~6om#5xGiJle-o~bg1+%;?uByTYqc6)qU0Lu~+ws49Vzmzn-CLE^PxcV0T)jX^
z?V>9Nb*HT*+inWKUH6|f6+!B@sxx~CK$Zqji>Ldp98Z>X8nLb((5G2B*f?no&ob(f
zVqld+k!JgJy9i3!jx^mBm0J0zswG`uprv*9yiNKheVO!KFk}OSDx~$$7gqNfsyTJf
zkGV68C2p^yt}xwn^A+7JFxwwH%O+bRa|l^I_%_$Tv$Y<MAvn5Y2ydQaynqA1a~v$G
zNs^Lng60&+RKM)I@T;-sWYR|GWnlXyyaol2pk&4j3PxW?K|vwXw8=(o^TQz5OIF_Q
zvJwjPNP~i*2+u1;Q}dfH<E5Y<F5}JwMYlKUwwsLoa25MEeK@cLL-dSpt>DkPp6-j$
zzC;CC>(Ea+54BZVdw7ngG;Kq23MJJ`rMz7`qg0z`NE|)=4HbV$QK+VBXCw2cCR6*R
z1Zmdsgom|$eZhTbx2#RAnH_M3q)&<~r>eh?zwA#{RiVmTv1DWmO=dj^=fHNFwqjj?
zHy}<6dYWk?Jxbp@n*#6b1p@fGtC>kl>&@U+?tJhha_o`0isx=-zLw0^n_hsT{xu3B
zJ$%R4zYIlGcBSan_~4<M5;B=$dp44dHZl0?>3d!|&m(vU46I#IQkUW{dX9hTus(*i
zGuogyRP>YCVbukUZx!;bRyLyxF2mth`v{=o3EZdTbezGe$);fK0#aw8T3J7?;u%fd
ztU2iH?GMp4pM%J{A4TNvVBaA8^h$2e&0g%X4&<2<KDG?ucOdL7Sq5SCB4h8p*T`_4
zG#C(<NzujV?E0txu#=Q~I85CK_6T6`cOQXB_iqsHKHDiE3ve;dJQturodaa+j~P7s
z%8xEVbZM;2AvJgb&t&&XbuF}&92I1gWr6H@e<72Y$Wls=l!CW-=I?XB<zNBtZ$yn>
zp>D%(22qbOlqO^<p4be(#O7t#Aee{MynPs=6fWMg;8%43tjZtrW69%ao{FXjoTvAK
zH>L-aQ|(x&qzk;qn7X(h!Y-8~;Ou@0LGB%FyK(P=v-@BKx%Xs&yal@iw>(ewI|S*C
z&{Yz<@$|yp(~Dg^yM(hR3`pQF-qVogy$Pnl1d2EIppf?k6!OY+rpgN93?bP2Lg*aW
z=ENEottWdqt>wz6W&AZzSZBf|a06D0#t<Hq=~1~vIy_M*y#D}MuX0E{L$-1?rIvh*
zdTyj3?1R1g4Y)M*<skCW5C!rV)YHERg(ON>@i@=Qo^v4WRTQtx1<&ilR`tCo9*8Ui
zuZRX{EaGgXngXFX)Q-sNZulJpD{sCZ85=jCUmwr(YT}X{Y^C=T*G}xCMn6K~&&&c0
zMq2U);%Pmkru715kP7O5ji;!BtHg)g02&0UK~CNdETIxlE!n`5JitR#Kk#%rK)V0n
z0W@RyNLcAjz<TSiUhW%~*hBsDY_ykaG)fB)<XVi3;@1P1X(wcQH*dTMk?~GU5_%1@
z`yPd9@!=REdByD_D8dhwBWM*B)QfH7lcXsgAgdSK77r_d)fbS3tAhCCiO?oa<kwO0
zS2S(#8M47=P~6vx234JOK}~-Z8Q-+fzuXmu)}X#tP86^Srq(9#tWEu>dnyIqh0w;v
z7xQj)p`WGSA5*AS^<ix&`DaqT#y%RLo@`Y9&P5wTfYUtG=#mY*H~}Yuc2L2F(-zW<
zw`am-c`KzqEI^^9WJ~@FJiSsimROIp1T7e=%ja1&*~)7iG`yJ8n*)Oq3AhATqf1o&
zcL%S+x_UFIzq<=NH=#jk6P2m|PO2qA-g*-<S2row>sY8%zDZni5{&mo2eh(TT`vr+
z_)R<d{Q+HkHgxvcFq3~7`W2s!ppqLXExoyy)U~9dcjb@`qo4O?QRAr!@TB^B{ii#G
zNn$sFT(+5-M{g$;yxL3Z=~gO}i!OCH3d%Ng2}mzhd_T0V9iSxd?DQkUFRycngp~Ep
z&f<#^S-+TU__<!5-6sXB;a4JG>ZLQNZ^?_L$avLG&39*^n)IU9Zh-e3%vpLoo>O`}
z`~5201_KsCRzI9=JoR&A-^o^(Hca!O&<;}Wj20Ye6|HY=r9s`Yv^^-lT&l0hCcBwb
z`61{WSWC*<1G3(U>5&mT<fJJY52h8G_Ru%Ec1Y<KkloKZNj(st<{7O5Fis>}M4m;q
z>Rd|WB?t;h<h@Zof*ZDMMAO1<xX9S!dmq*GGRkll^$mAX-^hU|6p?Lx(F<{g*kowy
z?3k`@4D3t)N~&}X3`$>tL4|zv7QYIY(C&q>dZnH=axDgU+bNacqe~VAd#Au9=CYH$
z35u9K$m@48`su|l)>F{NuZApe(*kOA2f}sZS=ITFg-bV}Y14XW^FVR!hcwqU0QaTn
z+;lC^+z<Bw9)+JTqaSILF_>>QOg-;{;%}nT0Tb=@j>For01RYst?I&@HRG?7EE|M;
z>v&Uq>u6P<%oHlykx|+H68=1!ROD^g``dD0dKFo{tgv<%s=0G|C|!rIS#R^2)=LC3
zaT4sKp8>4A7`8fY5TG8zTAi4rY#4Y685RS#kxi_CU+r$H;F(1&gEe?lq#{6ez8wvQ
zg=x3jK-OykYnJ8VDtCma`5G))e3)c6QW}4v9q@8Dc(=Bq#)?d;^$vnc?}tH9E@^6P
zNBhKIeN^xS*z2`>B{w$X=r>}V#t>@g20HI|sG+yvg__W+em5wd5k1(d8rqs_Xyb>Y
znp^(3N8W@?udCDlQPv-k7T%0%!T2%?UR!`6V)#|##vtlu!>_oo4XqlnefYO1*_04X
zKSAfFeh2!!AnGn56&-`1^6D%=trIX?vU4ddpOXu}^=RO_6ycs8)CkCVRo+HKdV6Tb
zutd~dv$9cg6{%1iT-+aEt11b_dcSJNJ71@ztMYh%tA@OT+<G|I%qj-&Rj+^$*0>8~
zpZsJ9jiEGl1+2WYn(>2!5UEq*)KMNft=;DXRi^eOFJg%FDZ4~=^t&hZb@y|u^fOW!
zq^9R-p9RU2Oa>;~$}bHiIoTFn($r85^oon*%zWU}GVP;Kw}4xRxzSl-0Lkxw5jL_D
z=3)EeyWlJ#R=KHouZ)3Ny`Dm$FI{rqqC{fcRc_;r4)%Wi!*f4|aE|NV3-oJIPyf-A
zrHwPNxUC02826{e#+#kXXw~eG`;E75dj`+Rnnu=fKXP+iw8!ATd5IUa<DGf3d?4q0
zT3SzxHnz3$tu~M5))Urj(?|_z-N2Wo^o}_!g?l>|pnVG`W*cueXYv}1$iM{*+2o!3
zDactna@ef&!SlvH^Cm51)77jfT5&|1ZRri5=sD5)mFk#4J@nX#)Pc`K9&JIc7eRJ;
zyY+DA<hjmQ;atucD4umBC}Yd;#NlT+jemBYj=Fi5FF{aWud%)OBfs&^qK|?c!r?>s
z=yQA7P^RZF?_3P+aczK@fQJJZM`r8B95*$;i>!GJD7o_eJL*;Jl0TJac@xPd4;Ze>
z0$Gj_Hl!K#+_${`T##p?!I(EOY>@|kdS<X52&`x5>WBNNzhzVNDd>`aq?qK5cH`Z;
z+n~*?q?Q?1Ib<gsslo3##X`s}kRO```?Uk6^Z>#kfc&IR9(UVJYmImfGCeqC`1eqZ
zJOvxr)@B?3DxHOw*e7A8;b)>+!N-&iDPhZ}9xS{6kzq_C$H|(PcN+g%zc|-;FBIN@
zZ~RDs;{>=EhhmcaPH6QslKkN)o+sPB^h{aj1=$#O6wjP@<iq7w3Wm1@QK-*pytnZ~
z+Gx<H(jGTu;U!tpT0^sp9U+;L*zfK&cFg@}4l*L0#{0$Zw}Wylf;8?}a5P4=@k90f
z>sLc75rPkXzY{abNv&_mxf=K%?<HeCK&~$u*@&6OUe=2SPqgvuzJ)MwN=gp3G~_O!
z{r*Dr3mSqbbPm!6oh#scfKv)`9$jZ_?}GC?u_eOU28I1eQAkp7*qar+ce~F=gHcma
z(vTi5^BzEvS9HFg0>@EZ90>AM8)xU82WL6U%otzY53-zrXv*3YU49{_Y$ngw6O<1c
z1kbi?9iH<!C^k{Ue4_`lxdG17`^$PbOHey|o0DhKp=91oHfs(>)K6~hU-UGbREWzR
z#OxC0GxRDJy){ZBXeKf~PWDLBeK{^d7h@=?WUptq$Z8x;`#<TWQk|gfwG8ki>Z0MS
zRG=cQSJv=JvZEd7@RAWejooPHI}pH8ty0mqk!z&pQp=&wVqHUGEskAuUxQBTrWx`3
z<Z*FwFyN=IBW#SdA7DT0JetgZt)G$U%7F1{$1!eWXEf5wB;g>uGdLv+loMeZ`4>*u
zxSr;5oeaOo8@RH!tr^-XvUM4x!k1x^fCXOS0{FRq?SsKQbn&>`7=+uPjjqNn@h=?=
za=(>=+3P`;-|p25(B4z*gY0t{R4gP_sXrLEI#I2X*Tr)TBIAcHKympZ@a3U><5hHw
zQ8_53Y8y<W^AO}JfM4y0Xm6b@x;ze<CliWzlmcIS3q$X#JoA_FeuVn{6#TXo<lj++
z$f<Dgv{32Bhj>>0Og9Bbi47{z&x#}5YJ@>@;PXJ?mG42%C^%PsNvUTX>Uze(+1-en
zxo>STc6J0inN|6Ej9tYiw^LdGO6}$Ap{)z=ZL*Mjnuq=_6vd*8g}=DYrYmsE@#gLm
zpMz`@GNMQNF!2omY*5n&mjlr+$R=f@+Q1sFS3DR(J}$~005lwoAlECTyt0O`Y!2DT
z-vNzJ@XR+J?S13hU~owmW;)vsa`s@dUk5PBE(dZSLz+8|Bl%=vT|0C>Rtr$zzY4j2
z`3DsK9F*Wis9XC~JAP1(R{k4l6#s27^~*cx-@4w|_1v%Up+F~Ucus(Q;A}hK6qp7Y
z{D2n8-U3<RX|xJXhAeo56O&wnw9tGXf~JxUpA2nyb0*+hY!#V|$i{0IAY%|H5g%H4
zWWWv1h0H6TH-XYY6l8)@b5;u`c>xCT!M%9ckLXwFgsHU*4cz4v_%FwP@lG_TxeDa^
zJf79xolU9CJH7IQF}TzV-f!0fZl_W7I*`~ItyuR)K)eC1>L+)j)h-{xE5Hj>^f24(
z!A0w4hf#c$gUQ{86ja>{Mbm9<JljYryc?9rKSIW5)?-d4t|RRNKrWturoLmzM)G|C
zh6E!rJjeK~BdgQcZLPq$63ZzKZl`(5rGK`jQ;*09>Jd7kSh7K~w*-yduS~`ek#j?U
z%Mck^A*^nof{}aufcw@XXjeC>$9Pt=9yR>4z>Du6K-~+;)=h3UKCfCyY0LxDXmKwU
z97{n-26&AxQsBRqY*RgkXxd3>BtW*zPHFH8o&{cN$M&bRP!I)_Ue-qGD9Fmfw0^}&
zP*g1JgUdY>MBl{uqwfmXu@LZK9&#TACH7|lPjms+gaA)306e<^uvW5NJ?L@)$kyw~
z4TL}r&h18_TtLm4aIS6TS>m%rRBJrQ{)=G{m<|Z-4B$hDW4b^Wsj@YGxO@wjguH&P
zHIVrq%oO0j8t3GKcQ_)0E5UQ0nhou!Zl1Z@AzRH`5sy(z*9o9l6046Lj?NJY?KV9^
z*8e%F@>OWi_&5y83|h;-8M%SwWJC9L!_Px1x*FA@_ff&(qagGCD+-q)2V7PI8aIIA
z+O{5Z(uEsddBH-zqQ}(Pbx8)o>%T^|+D{P_ls~dAS>sjtvfcQ+qqc;`YiI*B1p%j_
zU&)o-#uvUTY@{B8y?z$x0XK;+o<~WUDa4}Pa5+B*yJYp@G#{c>br9nOFQXtjH4DSK
z0U_DHP<0ih9&r`x=m>S2hBSYx=-da2zdC4q(XnM7S^2#Z7k8|mv4HHCXli}bZhYw$
zv%9xp?D{7ut-N9hmA*8HpdW(9mmS0CT3mCRjXin~R(YV?*wax2zp?`{n0F-#S?`FT
z`R!QkUD2<tmC{Smpu7h|cp108@?ApB<C`e0J+jUC>b2LMAb*cSo<c-MW%60|pcn0B
zGVA{h4N!JC1!YH~M%mGQ0Qqqf8Inn*E9{7r(^jn$;1_?9tlI-h{L5Z64TD$vafsIX
zu|<YOw2B{&Ny_KLIc$h(*Z0u0`+?H%8o<>rN}g^vzP4gitMcJ43~?;9Rdc99)yu-=
zMbwSI1YW2b4eEQ~5?stP_fj<Q9%DzB8(?o;0J8Nbq`B_RrZPuREq6^o04?MGwFBg5
z7to+n!1Emw1n;(WC?p!h=K#W4J;v8vg;>1w9k?VcC~9XQBkF3!E(w5-Il2+}zz&5(
zw&S~`pOk2Y^|lXlRzg<#UN5OqvMvdHxaUJwlkLO?V|i93qf6~t7&MNj1*3oU<6N&o
z7P*dR(Pv;9-R_l_iGo-!6qNytUG~>L-j8>vk?T1WFDVj`pcg1P70xARN_JZoVCQ-?
zcsd7)VIkui%cL^prD))K64SZF!`v4F%BLXG6Gxh_A%w_#ppD+c06B9q$R!^l(mxhf
z{;{BxhlFf81+^cMbzP07o|Vm%R(4Y$Tepg91h2E*_-1niR&k~VM*L1EH6PLk%0y6n
z2L+99%R-{0gi1;u4#H&;Dfj3Fc*Mg#<J)!e$8P3i<d!T!M)A^KP<A?v@AT*)SJ+3v
z3e*VP<ri0J$DH+Wsd|}g^&|)2DOlCcAmu)xm`0g}8o`-l6Qe;+$mGsfM%J|q+m}3m
zIek}v;{OBMhhnY9cO6r4LQfUhrUTcLYV`_0Zq);RDzl~y+E1WxJw-w2ye#1dUNjz{
z^kE7b$J?Qpm?;3Oh0aGmzpWM5YeueTu*3MitQK8reho$A4&0}yWih6k268!F>GxZ{
zu<=X=Yil`uY}r%rs~;4mzJEdk?_<a)zpqQcMuwC3`vIQ`_<|#uDks9PGD0&}mJn{M
ztfc>|tS$u96G^Q+l^476j6s02mjW(`0j`9$QbK=~&G4(diJrCcE}{5i9^ffrv{i4w
zs_KIXU>CGipOcC=5$lUzL^gg8Oyd$6i$B;8=#bLq@&K=pN(@GBV(fCj1Obzu155!g
zQA0x|Zh=AKc0$yNw}t?A45bBa=v?i9LAA`+s`H?zE_?w{1cT}c=vO@##j6)d_6~$s
z-}^k^L8MjxO&Dxi3fNi-c!N+~wVdQ${Vp=9cP;_!7FK%%<p)q|Y$3n_F9Ie}P;+z%
z;25f3b8<eQ65%zqg8&T(sySP-a?fbZZ-w>}JgjC8a%--pMm5a>+R&x8meSg5;ZobY
z2+%Ii7RLZLNQ%7_Kh)mAu}ZZM!L;@X;%2oHFs*%$1DomwEdh)e44AMCP$j8q$m$wF
zuDcvF)!mDrI@!8a_Yh51w|X()X~Fv&4OO>M7`!2++Xeg!&UGJ1>Bn%X&&dM}=2`vF
zT)=+N)=z|U{Xt6slW@ZN<6Z{1<XKQaECM(qA8<|y;Cx|l;UK^zlD$H*a|PwLe!!gq
z?iaE@UQY)ve$_BvKr8;zu<!-I(q(|_X^)1x5!vwHg8}#V8$Z0UTC#GuTEky3PQ&ZM
z;HwDW#}eKY`*VP;l6oT#@D>_0Zbwk#o*1u71~Qrsp`huo0>C+&02fffri)?FbeW(m
zMT4g6p9kCkS<|buOw*f4YuZ5rxNqRKS76Cnob=Q%x+ULdyogPU5VQ}n6lk{iXx_`f
z5rBP4pQTg_D&@m2A&RF;Qz_+~%BE6!2&K}do@pv2NK?vLRnt%I)OUO;lA4Nq8V6%U
z+ud|Q&O7PD^0)WW(;P-vqeDKg^-|p8ADVfV{QRe<(cgQn6W1|DT}-y@86TyoZ+7|e
zckf3Bko+mItbgwp<UUc(fsm*!f=LU-YHTy_;Gk(6y8n727-1)o4i~+nh9SqaXA(w}
zc>7=tN*soZ8t2U;@DbQxW;RIgt#}%ww9C&^LmD~fbl!!bPvZi{<W@8D`GDQD#{x7!
z_EtFS!Myf|HV`yf#k;CkL+I+5RLC*ydN~a_W<TEsg@ewV;G^l#<6oUe_3RBanvWKk
zj%yvXxnBJ?s%km$uvrn)S$8GQ>LkQvIPXWHtTj$jy?BIPXO??F7D^sNjr7(s`*QS4
z#u$$PMQ$xKbjgi#B4nv+C5D`YQ)h8GkKyQffz+N5LCWs|BNpM=BU+ci<)R2cW04QQ
zCGWd7RFmI!gN7CZMq!OX;{;3;a1csrXj1PY(a@xxL7cxCopXQHjn$SyHtaS)foz1<
zTd|XI#|J6RsAhOd#U1l!wu2%u#sUU#BUffiMH%1~`k~F~S@=^Faf%q{Xpr~0g=!=<
zmpcHA!l9ztA-QID)e=}4^0%+B2#+Y7Dyd^zIbF<zsV+^_r9=D6YNf)zfn2y2xe_8Y
z29LF4A^EYSOW|xQ)|vL+cTqQAgL|^-FZ1eVN+lNLoZUsr#xrA<fYaxZTM016k<FOV
zNlMOGHHygEO5A`o09}q{d`!v|Z#TzKs#oypJp;yNon$9cnsE;x887xo$`By&F!P=a
zQu(Be;XF&O?2;o$4LKv!FaYKtn`j`<WPNAOr*5kCHYwXwQiep(j0v3p`QV@}0RJFs
z${$K5Avn_AfXpXF(8PHZ5a~@ubqVW|dfN>!DM&5%<Xk_~*)gos%&MLuWFN0Hv&d=+
zAlHfJe@W9?y&k|}HfBZxi<kDs`sOohk(FJ^E@&Xar&nv_&BQTvIpAoCuMIzt2F>rG
zDa?`RJmezUt!S<^UU?X4+mMm=S0?=k`T_PSHGX!TmP9mDeOPK`VRDt34-L|~Qcp9&
zRa)4&jy`b*AR<+@rey#mAeoA@CZnNqJq%voQ!W3Ulo|(-^}e4$c4#lN(kr~oullK0
zV1<JhdvF)XZ(&LIAsY~M81CIT6EAMOiLC09SdM2`O~_{Ay0V24wwY25iE33Vo@;}j
zhl2R^ec112x(AK8)^Eb5u~ld=<jMKG6~8At_EbcgC&Iw>n{G-al+*aAlS%oA9&@l(
zrs^a3`A4F2UIbmr<a16d7`>DxYx><{CcS6zEaHGwr5je(oq&KHE`cmi%H>~v@Dxz2
z5Uj#C0wTxeFb>KBi})WXXc|Oz(BmjH=*1q?_%9!`py}A&V@InoQ{n8J4q5CDCj;p?
zm|Cmt)VUuDn;j#@olw|j`mxJ5>yh@I&`M;-w+*ZLu7;w{3#&}=KV21(5Mwu92u0$n
zR`|&<R`)y<8UqO52z&KY*X49e`VXymJX}Iqv{p#My^#^{^Jf8qO^~^tY$Fv#4Q+GZ
zcL6k*jKRtu0o1HS4L#7d>_-@sU6_d)Z$nYKJxDgM53;wiNfq&I$WBt06V--HhrNDs
zyXEIgnf#k5yF~CVqaeDZg}PnYiyvfBs&^SwJSG$);F8Egm+a#xb;);B>au}x1q=8w
z@<|R=5Ou?+plL|Hn4{$mL@uyn=NM*+#lQ<)(+~SEBWOAqO@m+b!1)~181Wsc8V6iz
z#%{#y6Djp)Bh8!LiXU7A=f-c)$~}yfF2Ib*7@)`I*Ni|~`9ahpaWAQ1`S6QexE_jA
z5m_l;ZIvT==Gj7{G_3bidI_LhzJSV~f-F=6@QO1Oe$mA<(aL(0XYNUG8F>}74P8Ef
zyav^m_fh%?J(A}_Y;TRF)6&D8>sNqWUWCrk4v=HrQt56eN*>Pu<sP~;_tnx+`I41>
zyyWp_DB|E*PB)$?>)TzEVOqA7XEnD9`wJj*wUBj97d$zgSI^`PB|>DI;F9<=OkJ;m
z=bIxGPO`z%0G3Iq_i2Fp5ojxZok78k6ojoVgvY%I+K+7c9uF3}jMC`iWGn2=07o~a
z7k2LL3TzuGuxVdh;YQlP#49!bGtagoQhMsN9?p^;F4d8RYGIZ7%aiOyTjwLKO61O7
zM?L-<P?I35H`}-lgn>@RlGipYo^KXzm=VOff*f5$X|N8Uqk$`g?Z-4{pya@Sp~6#|
zR`i2x9SRsbhVCY<=U3$9|D*Bi=yQg9LB4%H?5Ci(s!{trGLpK8HS~~HUE`lxr$1c&
zx~T?f>km?cgEIX&;fj)GA^ioWKj2do+KuSoHGC_!(!X=6pQ5C?@O^&P=`bdtzogki
z*ucEC3)^p`@$|K7xLE8m8|NSVV=GhLv#_(aDooA&8vo2olAM62TtH?S%FnollzAuY
zmFd_7?~x%MG47T&+~;OI){wST{cI~e=BTQ#10YL76_)Up=@e&d6d8sLe0C2`sPmWH
zFDcExE{kV18O){L>o!Ntmv!MqLjZ>Kwt5B3;1f`{;Kljo=mIy|7p$bA#;_3F$dD<v
zAq{Fwg@GXrY8-&3V~(a*F~>r&ZVlbiptY1b&%>OBExCY&y>NcElN5pJ<nPv%asIh3
zU&7@N*GsTk{;G0|As0(6p2<Cc*PaPQ=5+e7j4^I5uMaJtbGxRUYz9>=n3PF9jzSl;
zsajGUB<Z66{_&IM!23*glJ1D`<c5V`a`ZF?sW(8K24kD!uN6D%r%@WRj>%~vb&bdv
zS#M$SUAMOi^3S?5N+Ty7^CKL|l8qtSsu{AU!LkdoV=Z7Dz_)829rsX7?AtY;XL1{b
zl_jMzc^dVDw7HL_urlY;OG)6eG{KNx`Z)!b!LzEZl5&`P2UjbDRNY(5ODx-3fEdSe
zy37gDn~>pse?3`gX<h7Q$&Y%=bP1Td*X1qwZ*MuJKrUUh>=alhlQN`QdZ}EpZUc5M
zI*A5NHkr6oQl$L;Hbw)~l3JScY!;;ht(q~-qsZm~rJWS)KOAJ;k}zyqC$z&d01in>
z$E|O&-taa)=-+GIylY4edlC21(s4y>f4PNU0lE=}`@pf4GZTyFZKq$;i;>KuXb-Kz
z_)P&^&jxbFtqw#?%fX8~Y0JXwW?cCWgs0Uqy@E2)OhZZTX%LI+O-O;05T52pdXvCD
zuJ<*Uo~$U~z0~WP1`VQ(hVDnT(nk$(%rx5MwiX?Lq$xZr`j965kY@?~Rm#qzwxNbL
zN?EiW7pTBs+Qa31L(L0XvHg&ZP>jD2YiQq8@a_ie661{@F8?s>xu6XHJv~Fg>7=yh
zvdzPOj&CW=`J^4INq=RZSOT~P4>RSzf%aFKkAhcpS2y3L(rM+LLEVPQJZ$)(sB8QP
zUalPQHE1gu<e!B?+OHL~!zJf9)cC0nBlR@GwdWcugKNQ=#GthMDmnmuqpxe>*=|s>
zTA<aQYiuvsu@=IMzFk1a^9*=J$I}^&&&4E#M+q3{*9xzf(stjzO_u!b(f&o2ho}pr
zH|T&rtBFS}hJC6x(`U&KS^1VUJovLZjox#nt5kGkGVp_a$>d{M7px_3nUL4Y*n;V-
z{b8WPiONtfNe(~*Z)0-k6@N(%+oIn-!{^xfaFH4Xq+7S->nZ8k1CF%MbS71|v@gDC
zFwhGYleDLh)h;qzhD|Hqq#3Q<830jy?3_iUM5MkII#V6<9@$^Cq<Kl^UJ9JZ{MAcF
zKMfUzRaR91KX^wPv@j1J`kw6YJ85pctR^r8l+YD$#xCYDYt<wpuw=4ELn&2tRa3ox
zD=3QpG{G>BwVrX46`fUGy~)hulk5-RCD#Os!L$XHl@1-LC6=kCNSo)VNNtabWz<bq
zApYWFOP$7N4#jF3`x@!u%`5C*xL2;*-fT|Ox;0)5E3I2Vw$rFWdP!aC-Pd|#@5x}8
zn2BTRZF4gV=ne~lK`3N4qB^V7q;6VE_B84_vI;3Rk<)FKY6!<c*hO!ui~Ycx9J+;9
z&3g!MS=}VEfh$qBKAr=u+{B<)<EW!+n<sC@nSei6oZCr9F?gQH0C>uXw7FWIC;L5b
zqhEd?r`*xCimbjB8M3v^JArY~6N4;r7Jd-vaxz5a0vdKjNL2vhi_tzL2dukVgjNDQ
z(a*g!z!tJGxjrE(^K3m&UvG)g^;eNIdf+@$x&ny>c^`pGSi(T1UTUchQZrgpJc}=F
zVE~t|H0d-F0V*4e8akm$$cm4KI{_{S1=bEI8iN=oSiAuln>*n=5ry=|kg^|yX$dH?
zdr2AjE<Q(!1Ay{uG>uSDz6!0pZ2)UE4O(|SwRAra#FDS|B3C|9f=vKz+N7Tjyx3`z
z@}#=56H}4t`poI-428B#T(7jnoS`n2*G%=tmvY6$_|y3FGyXgNT<q^CL%&n_d7!sS
zrbed3Hjg=@Ltb{>dKufpyP7#ApP9^wcD|VBFE?x*($^J9R(snKcTo>CHK+GDg64@a
z*><gAf-x<$0-;Xx#O`}>DZQiA?xJpm%K^HsPp|UQi=W4>ZfA6vhGBL3Hgxqe2C9`P
zZj%j6wi~F?(B5KFpG3`*Ivj5EWR|3vCwCm=Hczp}begAhoIKC8bn!5sGN#p0;Wk~|
z)MUCkk93=E%d&|Np*Xj+neNRp<8eRcF+J9|*pH~Q>FKy=9u+L4;m4G=nO@h6ou;>=
zu+#KeSvJ$xQSLVV7RO-uJLCgl)a6uPPe^1Bj2XZk%|O?I^UR>-hhOfNjb^aJVKYM=
zhuh3B)-}T&r*&ecRlR00Hw~G^9kp&V!sS6`r1x!`8KvhkqaC@OW{h{$jIBM!ZI)OW
zoo30}(~zcHLqjjDGfO?6xy{nGhtD(1+?Lxc>v+*-mNTZ9<sI?`Ua$!t8nHBBR#*j{
zW<^JV&8*~&H!C|DC?!fvl=Wn{S=Bjfo*B1hxy^XT)OlutTT{$L$E|L&+8S*$t2>;X
zW=-f^K<BHF=~`^<ZS~6B|NmKYFdmVA3~l*;ugm{<70gh|bgmHo>^-=Z_xx_E@SnA>
z-x}JB;(p#k=kYoeiM1^}lW{P`H2SKrlDW6%?+gA<O#idUpDX<zH`u;)`#FVDHUGKN
zUsU%O3;r{||A(djrmk6=oZZNDzwU5p!PHbuI^Xo3e_&2CJe&SN2jQQ_RkOZewY;YP
z&cKkbRE?no*1=E51tqKh+yeuVtAUi{3|VHIsVUArtOlly)(Ju;5tig~XmL25d>Zl(
zD8*h4w$BtyW+*z#)f)Yq;)uM0Q8y)bpINThK>v8^Rl@ocNon=S1=Ze=`FKi@{*g$|
zX=HektZmWuHu^+AKxuU{_LJ2psAXtNF{m#mlwBd`q*mO_2$t9&DOs6RAzwC?TL4v?
z7&Yn+%@ROXZw%IZf>Rd*>jX`20<JytIqFvb0^kvTaVF+2AqY6PAKGbfE?5;{Ks$%8
z{Goqh%p3Yjh|emKG2*m7!09;zYNwJNc{~LpE1=MywgrC*lDd>Dn-{-8we*i&noaj<
zJTamnK<5XMEz)_^c+Aro8~3_EaytEtb8pBoMVtK9GgfG4WB>;IK>uEAXiZx`>8AsY
robrQ|owa>aoRhN_X(Mf!48lrA?l?kCzkiF4Q8iUAs#=ol_WAz{i*386

diff --git a/publicsuffix/data/text b/publicsuffix/data/text
index 124dcd61f..7e516413f 100644
--- a/publicsuffix/data/text
+++ b/publicsuffix/data/text
@@ -1 +1 @@
-billustrationionjukudoyamakeupowiathletajimageandsoundandvision-riopretobishimagentositecnologiabiocelotenkawabipanasonicatfoodnetworkinggroupperbirdartcenterprisecloudaccesscamdvrcampaniabirkenesoddtangenovarahkkeravjuegoshikikiraraholtalenishikatakazakindependent-revieweirbirthplaceu-1bitbucketrzynishikatsuragirlyuzawabitternidiscoverybjarkoybjerkreimdbaltimore-og-romsdalp1bjugnishikawazukamishihoronobeautydalwaysdatabaseballangenkainanaejrietisalatinabenogatabitorderblackfridaybloombergbauernishimerabloxcms3-website-us-west-2blushakotanishinomiyashironocparachutingjovikarateu-2bmoattachmentsalangenishinoomotegovtattoolforgerockartuzybmsalon-1bmwellbeingzoneu-3bnrwesteuropenairbusantiquesaltdalomzaporizhzhedmarkaratsuginamikatagamilanotairesistanceu-4bondigitaloceanspacesaludishangrilanciabonnishinoshimatsusakahoginankokubunjindianapolis-a-bloggerbookonlinewjerseyboomlahppiacenzachpomorskienishiokoppegardiskussionsbereichattanooganordkapparaglidinglassassinationalheritageu-north-1boschaefflerdalondonetskarelianceu-south-1bostik-serveronagasukevje-og-hornnesalvadordalibabalatinord-aurdalipaywhirlondrinaplesknsalzburgleezextraspace-to-rentalstomakomaibarabostonakijinsekikogentappssejnyaarparalleluxembourglitcheltenham-radio-opensocialorenskogliwicebotanicalgardeno-staginglobodoes-itcouldbeworldisrechtranakamurataiwanairforcechireadthedocsxeroxfinitybotanicgardenishitosashimizunaminamiawajikindianmarketinglogowestfalenishiwakindielddanuorrindigenamsskoganeindustriabotanyanagawallonieruchomoscienceandindustrynissandiegoddabouncemerckmsdnipropetrovskjervoyageorgeorgiabounty-fullensakerrypropertiesamegawaboutiquebecommerce-shopselectaxihuanissayokkaichintaifun-dnsaliasamnangerboutireservditchyouriparasiteboyfriendoftheinternetflixjavaldaostathellevangerbozen-sudtirolottokorozawabozen-suedtirolouvreisenissedalovepoparisor-fronisshingucciprianiigataipeidsvollovesickariyakumodumeloyalistoragebplaceducatorprojectcmembersampalermomahaccapooguybrandywinevalleybrasiliadboxosascoli-picenorddalpusercontentcp4bresciaokinawashirosatobamagazineuesamsclubartowestus2brindisibenikitagataikikuchikumagayagawalmartgorybristoloseyouriparliamentjeldsundivtasvuodnakaniikawatanagurabritishcolumbialowiezaganiyodogawabroadcastlebtimnetzlgloomy-routerbroadwaybroke-itvedestrandivttasvuotnakanojohanamakindlefrakkestadiybrokerbrothermesaverdeatnulmemergencyachtsamsungloppennebrowsersafetymarketsandnessjoenl-ams-1brumunddalublindesnesandoybrunelastxn--0trq7p7nnbrusselsandvikcoromantovalle-daostavangerbruxellesanfranciscofreakunekobayashikaoirmemorialucaniabryanskodjedugit-pagespeedmobilizeroticagliaricoharuovatlassian-dev-builderscbglugsjcbnpparibashkiriabrynewmexicoacharterbuzzwfarmerseinebwhalingmbhartiffany-2bzhitomirbzzcodyn-vpndnsantacruzsantafedjeffersoncoffeedbackdropocznordlandrudupontariobranconavstackasaokamikoaniikappudownloadurbanamexhibitioncogretakamatsukawacollectioncolognewyorkshirebungoonordre-landurhamburgrimstadynamisches-dnsantamariakecolonialwilliamsburgripeeweeklylotterycoloradoplateaudnedalncolumbusheycommunexus-3community-prochowicecomobaravendbambleborkapsicilyonagoyauthgear-stagingivestbyglandroverhallair-traffic-controlleyombomloabaths-heilbronnoysunddnslivegarsheiheijibigawaustraliaustinnfshostrolekamisatokaizukameyamatotakadaustevollivornowtv-infolldalolipopmcdircompanychipstmncomparemarkerryhotelsantoandrepbodynaliasnesoddenmarkhangelskjakdnepropetrovskiervaapsteigenflfannefrankfurtjxn--12cfi8ixb8lutskashibatakashimarshallstatebankashiharacomsecaaskimitsubatamibuildingriwatarailwaycondoshichinohealth-carereformemsettlersanukindustriesteamfamberlevagangaviikanonjinfinitigotembaixadaconferenceconstructionconsuladogadollsaobernardomniweatherchanneluxuryconsultanthropologyconsultingroks-thisayamanobeokakegawacontactkmaxxn--12co0c3b4evalled-aostamayukinsuregruhostingrondarcontagematsubaravennaharimalborkashiwaracontemporaryarteducationalchikugodonnakaiwamizawashtenawsmppl-wawdev-myqnapcloudcontrolledogawarabikomaezakirunoopschlesischesaogoncartoonartdecologiacontractorskenconventureshinodearthickashiwazakiyosatokamachilloutsystemscloudsitecookingchannelsdvrdnsdojogaszkolancashirecifedexetercoolblogdnsfor-better-thanawassamukawatarikuzentakatairavpagecooperativano-frankivskygearapparochernigovernmentksatxn--1ck2e1bananarepublic-inquiryggeebinatsukigatajimidsundevelopmentatarantours3-external-1copenhagencyclopedichiropracticatholicaxiashorokanaiecoproductionsaotomeinforumzcorporationcorsicahcesuoloanswatch-and-clockercorvettenrissagaeroclubmedecincinnativeamericanantiquest-le-patron-k3sapporomuracosenzamamidorittoeigersundynathomebuiltwithdarkasserverrankoshigayaltakasugaintelligencecosidnshome-webservercellikescandypoppdaluzerncostumedicallynxn--1ctwolominamatargets-itlon-2couchpotatofriesardegnarutomobegetmyiparsardiniacouncilvivanovoldacouponsarlcozoracq-acranbrookuwanalyticsarpsborgrongausdalcrankyowariasahikawatchandclockasukabeauxartsandcraftsarufutsunomiyawakasaikaitabashijonawatecrdyndns-at-homedepotaruinterhostsolutionsasayamatta-varjjatmpartinternationalfirearmsaseboknowsitallcreditcardyndns-at-workshoppingrossetouchigasakitahiroshimansionsaskatchewancreditunioncremonashgabadaddjaguarqcxn--1lqs03ncrewhmessinarashinomutashinaintuitoyosatoyokawacricketnedalcrimeast-kazakhstanangercrotonecrownipartsassarinuyamashinazawacrsaudacruisesauheradyndns-blogsitextilegnicapetownnews-stagingroundhandlingroznycuisinellancasterculturalcentertainmentoyotapartysvardocuneocupcakecuritibabymilk3curvallee-d-aosteinkjerusalempresashibetsurugashimaringatlantajirinvestmentsavannahgacutegirlfriendyndns-freeboxoslocalzonecymrulvikasumigaurawa-mazowszexnetlifyinzairtrafficplexus-1cyonabarumesswithdnsaveincloudyndns-homednsaves-the-whalessandria-trani-barletta-andriatranibarlettaandriacyouthruherecipescaracaltanissettaishinomakilovecollegefantasyleaguernseyfembetsukumiyamazonawsglobalacceleratorahimeshimabaridagawatchesciencecentersciencehistoryfermockasuyamegurownproviderferraraferraris-a-catererferrerotikagoshimalopolskanlandyndns-picsaxofetsundyndns-remotewdyndns-ipasadenaroyfgujoinvilleitungsenfhvalerfidontexistmein-iservschulegallocalhostrodawarafieldyndns-serverdalfigueresindevicenzaolkuszczytnoipirangalsaceofilateliafilegear-augustowhoswholdingsmall-webthingscientistordalfilegear-debianfilegear-gbizfilegear-iefilegear-jpmorganfilegear-sg-1filminamiechizenfinalfinancefineartscrapper-sitefinlandyndns-weblikes-piedmonticellocus-4finnoyfirebaseappaviancarrdyndns-wikinkobearalvahkijoetsuldalvdalaskanittedallasalleasecuritytacticschoenbrunnfirenetoystre-slidrettozawafirenzefirestonefirewebpaascrappingulenfirmdaleikangerfishingoldpoint2thisamitsukefitjarvodkafjordyndns-workangerfitnessettlementozsdellogliastradingunmanxn--1qqw23afjalerfldrvalleeaosteflekkefjordyndns1flesberguovdageaidnunjargaflickragerogerscrysecretrosnubar0flierneflirfloginlinefloppythonanywhereggio-calabriafloraflorencefloridatsunangojomedicinakamagayahabackplaneapplinzis-a-celticsfanfloripadoval-daostavalleyfloristanohatakahamalselvendrellflorokunohealthcareerscwienflowerservehalflifeinsurancefltrani-andria-barletta-trani-andriaflynnhosting-clusterfnchiryukyuragifuchungbukharanzanfndynnschokokekschokoladenfnwkaszubytemarkatowicefoolfor-ourfor-somedio-campidano-mediocampidanomediofor-theaterforexrothachijolsterforgotdnservehttpbin-butterforli-cesena-forlicesenaforlillesandefjordynservebbscholarshipschoolbusinessebyforsaleirfjordynuniversityforsandasuolodingenfortalfortefortmissoulangevagrigentomologyeonggiehtavuoatnagahamaroygardencowayfortworthachinoheavyfosneservehumourfotraniandriabarlettatraniandriafoxfordecampobassociatest-iserveblogsytemp-dnserveirchitachinakagawashingtondchernivtsiciliafozfr-par-1fr-par-2franamizuhobby-sitefrancaiseharafranziskanerimalvikatsushikabedzin-addrammenuorochesterfredrikstadtvserveminecraftranoyfreeddnsfreebox-oservemp3freedesktopfizerfreemasonryfreemyiphosteurovisionfreesitefreetlservep2pgfoggiafreiburgushikamifuranorfolkebibleksvikatsuyamarugame-hostyhostingxn--2m4a15efrenchkisshikirkeneservepicservequakefreseniuscultureggio-emilia-romagnakasatsunairguardiannakadomarinebraskaunicommbankaufentigerfribourgfriuli-v-giuliafriuli-ve-giuliafriuli-vegiuliafriuli-venezia-giuliafriuli-veneziagiuliafriuli-vgiuliafriuliv-giuliafriulive-giuliafriulivegiuliafriulivenezia-giuliafriuliveneziagiuliafriulivgiuliafrlfroganservesarcasmatartanddesignfrognfrolandynv6from-akrehamnfrom-alfrom-arfrom-azurewebsiteshikagamiishibukawakepnoorfrom-capitalonewportransipharmacienservicesevastopolefrom-coalfrom-ctranslatedynvpnpluscountryestateofdelawareclaimschoolsztynsettsupportoyotomiyazakis-a-candidatefrom-dchitosetodayfrom-dediboxafrom-flandersevenassisienarvikautokeinoticeablewismillerfrom-gaulardalfrom-hichisochikuzenfrom-iafrom-idyroyrvikingruenoharafrom-ilfrom-in-berlindasewiiheyaizuwakamatsubushikusakadogawafrom-ksharpharmacyshawaiijimarcheapartmentshellaspeziafrom-kyfrom-lanshimokawafrom-mamurogawatsonfrom-mdfrom-medizinhistorischeshimokitayamattelekommunikationfrom-mifunefrom-mnfrom-modalenfrom-mshimonitayanagit-reposts-and-telecommunicationshimonosekikawafrom-mtnfrom-nchofunatoriginstantcloudfrontdoorfrom-ndfrom-nefrom-nhktistoryfrom-njshimosuwalkis-a-chefarsundyndns-mailfrom-nminamifuranofrom-nvalleedaostefrom-nynysagamiharafrom-ohdattorelayfrom-oketogolffanshimotsukefrom-orfrom-padualstackazoologicalfrom-pratogurafrom-ris-a-conservativegashimotsumayfirstockholmestrandfrom-schmidtre-gauldalfrom-sdscloudfrom-tnfrom-txn--2scrj9chonanbunkyonanaoshimakanegasakikugawaltervistailscaleforcefrom-utsiracusaikirovogradoyfrom-vald-aostarostwodzislawildlifestylefrom-vtransportefrom-wafrom-wiardwebview-assetshinichinanfrom-wvanylvenneslaskerrylogisticshinjournalismartlabelingfrom-wyfrosinonefrostalowa-wolawafroyal-commissionfruskydivingfujiiderafujikawaguchikonefujiminokamoenairkitapps-auction-rancherkasydneyfujinomiyadattowebhoptogakushimotoganefujiokayamandalfujisatoshonairlinedre-eikerfujisawafujishiroishidakabiratoridedyn-berlincolnfujitsuruokazakiryuohkurafujiyoshidavvenjargap-east-1fukayabeardubaiduckdnsncfdfukuchiyamadavvesiidappnodebalancertmgrazimutheworkpccwilliamhillfukudomigawafukuis-a-cpalacefukumitsubishigakisarazure-mobileirvikazteleportlligatransurlfukuokakamigaharafukuroishikarikaturindalfukusakishiwadazaifudaigokaseljordfukuyamagatakaharunusualpersonfunabashiriuchinadafunagatakahashimamakisofukushimangonnakatombetsumy-gatewayfunahashikamiamakusatsumasendaisenergyfundaciofunkfeuerfuoiskujukuriyamangyshlakasamatsudoomdnstracefuosskoczowinbar1furubirafurudonostiaafurukawajimaniwakuratefusodegaurafussaintlouis-a-anarchistoireggiocalabriafutabayamaguchinomihachimanagementrapaniizafutboldlygoingnowhere-for-morenakatsugawafuttsurutaharafuturecmshinjukumamotoyamashikefuturehostingfuturemailingfvghamurakamigoris-a-designerhandcraftedhandsonyhangglidinghangoutwentehannanmokuizumodenaklodzkochikuseihidorahannorthwesternmutualhanyuzenhapmircloudletshintokushimahappounzenharvestcelebrationhasamap-northeast-3hasaminami-alpshintomikasaharahashbangryhasudahasura-apphiladelphiaareadmyblogspotrdhasvikfh-muensterhatogayahoooshikamaishimofusartshinyoshitomiokamisunagawahatoyamazakitakatakanabeatshiojirishirifujiedahatsukaichikaiseiyoichimkentrendhostinghattfjelldalhayashimamotobusellfylkesbiblackbaudcdn-edgestackhero-networkisboringhazuminobushistoryhelplfinancialhelsinkitakyushuaiahembygdsforbundhemneshioyanaizuerichardlimanowarudahemsedalhepforgeblockshirahamatonbetsurgeonshalloffameiwamasoyheroyhetemlbfanhgtvaohigashiagatsumagoianiahigashichichibuskerudhigashihiroshimanehigashiizumozakitamigrationhigashikagawahigashikagurasoedahigashikawakitaaikitamotosunndalhigashikurumeeresinstaginghigashimatsushimarburghigashimatsuyamakitaakitadaitoigawahigashimurayamamotorcycleshirakokonoehigashinarusells-for-lesshiranukamitondabayashiogamagoriziahigashinehigashiomitamanortonsberghigashiosakasayamanakakogawahigashishirakawamatakanezawahigashisumiyoshikawaminamiaikitanakagusukumodernhigashitsunosegawahigashiurausukitashiobarahigashiyamatokoriyamanashifteditorxn--30rr7yhigashiyodogawahigashiyoshinogaris-a-doctorhippyhiraizumisatohnoshoohirakatashinagawahiranairportland-4-salernogiessennanjobojis-a-financialadvisor-aurdalhirarahiratsukaerusrcfastlylbanzaicloudappspotagerhirayaitakaokalmykiahistorichouseshiraois-a-geekhakassiahitachiomiyagildeskaliszhitachiotagonohejis-a-greenhitraeumtgeradegreehjartdalhjelmelandholeckodairaholidayholyhomegoodshiraokamitsuehomeiphilatelyhomelinkyard-cloudjiffyresdalhomelinuxn--32vp30hachiojiyahikobierzycehomeofficehomesecuritymacaparecidahomesecuritypchoseikarugamvikarlsoyhomesenseeringhomesklepphilipsynology-diskstationhomeunixn--3bst00minamiiserniahondahongooglecodebergentinghonjyoitakarazukaluganskharkivaporcloudhornindalhorsells-for-ustkanmakiwielunnerhortendofinternet-dnshiratakahagitapphoenixn--3ds443ghospitalhoteleshishikuis-a-guruhotelwithflightshisognehotmailhoyangerhoylandetakasagophonefosshisuifuettertdasnetzhumanitieshitaramahungryhurdalhurumajis-a-hard-workershizukuishimogosenhyllestadhyogoris-a-hunterhyugawarahyundaiwafuneis-into-carsiiitesilkharkovaresearchaeologicalvinklein-the-bandairtelebitbridgestoneenebakkeshibechambagricultureadymadealstahaugesunderseaportsinfolionetworkdalaheadjudygarlandis-into-cartoonsimple-urlis-into-gamesserlillyis-leetrentin-suedtirolis-lostre-toteneis-a-lawyeris-not-certifiedis-savedis-slickhersonis-uberleetrentino-a-adigeis-very-badajozis-a-liberalis-very-evillageis-very-goodyearis-very-niceis-very-sweetpepperugiais-with-thebandovre-eikerisleofmanaustdaljellybeanjenv-arubahccavuotnagaragusabaerobaticketsirdaljeonnamerikawauejetztrentino-aadigejevnakershusdecorativeartslupskhmelnytskyivarggatrentino-alto-adigejewelryjewishartgalleryjfkhplaystation-cloudyclusterjgorajlljls-sto1jls-sto2jls-sto3jmphotographysiojnjaworznospamproxyjoyentrentino-altoadigejoyokaichibajddarchitecturealtorlandjpnjprslzjurkotohiradomainstitutekotourakouhokutamamurakounosupabasembokukizunokunimilitarykouyamarylhurstjordalshalsenkouzushimasfjordenkozagawakozakis-a-llamarnardalkozowindowskrakowinnersnoasakatakkokamiminersokndalkpnkppspbarcelonagawakkanaibetsubamericanfamilyds3-fips-us-gov-west-1krasnikahokutokashikis-a-musiciankrasnodarkredstonekrelliankristiansandcatsolarssonkristiansundkrodsheradkrokstadelvalle-aostatic-accessolognekryminamiizukaminokawanishiaizubangekumanotteroykumatorinovecoregontrailroadkumejimashikis-a-nascarfankumenantokonamegatakatoris-a-nursells-itrentin-sud-tirolkunisakis-a-painteractivelvetrentin-sudtirolkunitachiaraindropilotsolundbecknx-serversellsyourhomeftphxn--3e0b707ekunitomigusukuleuvenetokigawakunneppuboliviajessheimpertrixcdn77-secureggioemiliaromagnamsosnowiechristiansburgminakamichiharakunstsammlungkunstunddesignkuokgroupimientaketomisatoolsomakurehabmerkurgankurobeeldengeluidkurogimimatakatsukis-a-patsfankuroisoftwarezzoologykuromatsunais-a-personaltrainerkuronkurotakikawasakis-a-photographerokussldkushirogawakustanais-a-playershiftcryptonomichigangwonkusupersalezajskomakiyosemitekutchanelkutnowruzhgorodeokuzumakis-a-republicanonoichinomiyakekvafjordkvalsundkvamscompute-1kvanangenkvinesdalkvinnheradkviteseidatingkvitsoykwpspdnsomnatalkzmisakis-a-soxfanmisasaguris-a-studentalmisawamisconfusedmishimasudamissilemisugitokuyamatsumaebashikshacknetrentino-sued-tirolmitakeharamitourismilemitoyoakemiuramiyazurecontainerdpolicemiyotamatsukuris-a-teacherkassyno-dshowamjondalenmonstermontrealestatefarmequipmentrentino-suedtirolmonza-brianzapposor-odalmonza-e-della-brianzaptokyotangotpantheonsitemonzabrianzaramonzaebrianzamonzaedellabrianzamoonscalebookinghostedpictetrentinoa-adigemordoviamoriyamatsumotofukemoriyoshiminamiashigaramormonmouthachirogatakamoriokakudamatsuemoroyamatsunomortgagemoscowiosor-varangermoseushimodatemosjoenmoskenesorfoldmossorocabalena-devicesorreisahayakawakamiichikawamisatottoris-a-techietis-a-landscaperspectakasakitchenmosvikomatsushimarylandmoteginowaniihamatamakinoharamoviemovimientolgamozilla-iotrentinoaadigemtranbytomaritimekeepingmuginozawaonsensiositemuikaminoyamaxunispacemukoebenhavnmulhouseoullensvanguardmunakatanemuncienciamuosattemupinbarclaycards3-sa-east-1murmanskomforbar2murotorcraftrentinoalto-adigemusashinoharamuseetrentinoaltoadigemuseumverenigingmusicargodaddyn-o-saurlandesortlandmutsuzawamy-wanggoupilemyactivedirectorymyamazeplaymyasustor-elvdalmycdmycloudnsoruminamimakis-a-rockstarachowicemydattolocalcertificationmyddnsgeekgalaxymydissentrentinos-tirolmydobissmarterthanyoumydrobofageologymydsoundcastronomy-vigorlicemyeffectrentinostirolmyfastly-terrariuminamiminowamyfirewalledreplittlestargardmyforuminamioguni5myfritzmyftpaccessouthcarolinaturalhistorymuseumcentermyhome-servermyjinomykolaivencloud66mymailermymediapchristmasakillucernemyokohamamatsudamypepinkommunalforbundmypetsouthwest1-uslivinghistorymyphotoshibalashovhadanorth-kazakhstanmypicturestaurantrentinosud-tirolmypsxn--3pxu8kommunemysecuritycamerakermyshopblocksowamyshopifymyspreadshopwarendalenugmythic-beastspectruminamisanrikubetsuppliesoomytis-a-bookkeepermaritimodspeedpartnermytuleap-partnersphinxn--41amyvnchromediatechnologymywirepaircraftingvollohmusashimurayamashikokuchuoplantationplantspjelkavikomorotsukagawaplatformsharis-a-therapistoiaplatter-appinokofuefukihaboromskogplatterpioneerplazaplcube-serversicherungplumbingoplurinacionalpodhalepodlasiellaktyubinskiptveterinairealmpmnpodzonepohlpoivronpokerpokrovskomvuxn--3hcrj9choyodobashichikashukujitawaraumalatvuopmicrosoftbankarmoypoliticarrierpolitiendapolkowicepoltavalle-d-aostaticspydebergpomorzeszowitdkongsbergponpesaro-urbino-pesarourbinopesaromasvuotnarusawapordenonepornporsangerporsangugeporsgrunnanyokoshibahikariwanumatakinouepoznanpraxis-a-bruinsfanprdpreservationpresidioprgmrprimetelemarkongsvingerprincipeprivatizehealthinsuranceprofesionalprogressivestfoldpromombetsupplypropertyprotectionprotonetrentinosued-tirolprudentialpruszkowithgoogleapiszprvcyberprzeworskogpulawypunyufuelveruminamiuonumassa-carrara-massacarraramassabuyshousesopotrentino-sud-tirolpupugliapussycateringebuzentsujiiepvhadselfiphdfcbankazunoticiashinkamigototalpvtrentinosuedtirolpwchungnamdalseidsbergmodellingmxn--11b4c3dray-dnsupdaterpzqhaebaruericssongdalenviknakayamaoris-a-cubicle-slavellinodeobjectshinshinotsurfashionstorebaselburguidefinimamateramochizukimobetsumidatlantichirurgiens-dentistes-en-franceqldqotoyohashimotoshimatsuzakis-an-accountantshowtimelbourneqponiatowadaqslgbtrentinsud-tirolqualifioappippueblockbusternopilawaquickconnectrentinsudtirolquicksytesrhtrentinsued-tirolquipelementsrltunestuff-4-saletunkonsulatrobeebyteappigboatsmolaquilanxessmushcdn77-sslingturystykaniepcetuscanytushuissier-justicetuvalleaostaverntuxfamilytwmailvestvagoyvevelstadvibo-valentiavibovalentiavideovillastufftoread-booksnestorfjordvinnicasadelamonedagestangevinnytsiavipsinaappiwatevirginiavirtual-uservecounterstrikevirtualcloudvirtualservervirtualuserveexchangevirtuelvisakuhokksundviterbolognagasakikonaikawagoevivianvivolkenkundenvixn--42c2d9avlaanderennesoyvladikavkazimierz-dolnyvladimirvlogintoyonezawavminanovologdanskonyveloftrentino-stirolvolvolkswagentstuttgartrentinsuedtirolvolyngdalvoorlopervossevangenvotevotingvotoyonovps-hostrowiecircustomer-ocimmobilienwixsitewloclawekoobindalwmcloudwmflabsurnadalwoodsidelmenhorstabackyardsurreyworse-thandawowithyoutuberspacekitagawawpdevcloudwpenginepoweredwphostedmailwpmucdnpixolinodeusercontentrentinosudtirolwpmudevcdnaccessokanagawawritesthisblogoipizzawroclawiwatsukiyonoshiroomgwtcirclerkstagewtfastvps-serverisignwuozuwzmiuwajimaxn--4gbriminingxn--4it168dxn--4it797kooris-a-libertarianxn--4pvxs4allxn--54b7fta0ccivilaviationredumbrellajollamericanexpressexyxn--55qw42gxn--55qx5dxn--5dbhl8dxn--5js045dxn--5rtp49civilisationrenderxn--5rtq34koperviklabudhabikinokawachinaganoharamcocottempurlxn--5su34j936bgsgxn--5tzm5gxn--6btw5axn--6frz82gxn--6orx2rxn--6qq986b3xlxn--7t0a264civilizationthewifiatmallorcafederation-webspacexn--80aaa0cvacationsusonoxn--80adxhksuzakananiimiharuxn--80ao21axn--80aqecdr1axn--80asehdbarclays3-us-east-2xn--80aswgxn--80aukraanghkembuchikujobservableusercontentrevisohughestripperxn--8dbq2axn--8ltr62koryokamikawanehonbetsuwanouchijiwadeliveryxn--8pvr4uxn--8y0a063axn--90a1affinitylotterybnikeisenbahnxn--90a3academiamicable-modemoneyxn--90aeroportalabamagasakishimabaraffleentry-snowplowiczeladzxn--90aishobarakawaharaoxn--90amckinseyxn--90azhytomyrxn--9dbhblg6dietritonxn--9dbq2axn--9et52uxn--9krt00axn--andy-iraxn--aroport-byandexcloudxn--asky-iraxn--aurskog-hland-jnbarefootballooningjerstadgcapebretonamicrolightingjesdalombardiadembroideryonagunicloudiherokuappanamasteiermarkaracoldwarszawauthgearappspacehosted-by-previderxn--avery-yuasakuragawaxn--b-5gaxn--b4w605ferdxn--balsan-sdtirol-nsbsuzukanazawaxn--bck1b9a5dre4civilwarmiasadoesntexisteingeekarpaczest-a-la-maisondre-landrayddns5yxn--bdddj-mrabdxn--bearalvhki-y4axn--berlevg-jxaxn--bhcavuotna-s4axn--bhccavuotna-k7axn--bidr-5nachikatsuuraxn--bievt-0qa2xn--bjarky-fyaotsurgeryxn--bjddar-ptargithubpreviewsaitohmannore-og-uvdalxn--blt-elabourxn--bmlo-graingerxn--bod-2naturalsciencesnaturellesuzukis-an-actorxn--bozen-sdtirol-2obanazawaxn--brnny-wuacademy-firewall-gatewayxn--brnnysund-m8accident-investigation-acornxn--brum-voagatroandinosaureportrentoyonakagyokutoyakomaganexn--btsfjord-9zaxn--bulsan-sdtirol-nsbaremetalpha-myqnapcloud9guacuiababia-goracleaningitpagexlimoldell-ogliastraderxn--c1avgxn--c2br7gxn--c3s14mincomcastreserve-onlinexn--cck2b3bargainstances3-us-gov-west-1xn--cckwcxetdxn--cesena-forl-mcbremangerxn--cesenaforl-i8axn--cg4bkis-an-actresshwindmillxn--ciqpnxn--clchc0ea0b2g2a9gcdxn--comunicaes-v6a2oxn--correios-e-telecomunicaes-ghc29axn--czr694barreaudiblebesbydgoszczecinemagnethnologyoriikaragandauthordalandroiddnss3-ap-southeast-2ix4432-balsan-suedtirolimiteddnskinggfakefurniturecreationavuotnaritakoelnayorovigotsukisosakitahatakahatakaishimoichinosekigaharaurskog-holandingitlaborxn--czrs0trogstadxn--czru2dxn--czrw28barrel-of-knowledgeappgafanquanpachicappacificurussiautomotivelandds3-ca-central-16-balsan-sudtirollagdenesnaaseinet-freaks3-ap-southeast-123websiteleaf-south-123webseiteckidsmynasushiobarackmazerbaijan-mayen-rootaribeiraogakibichuobiramusementdllpages3-ap-south-123sitewebhareidfjordvagsoyerhcloudd-dnsiskinkyolasiteastcoastaldefenceastus2038xn--d1acj3barrell-of-knowledgecomputerhistoryofscience-fictionfabricafjs3-us-west-1xn--d1alfaromeoxn--d1atromsakegawaxn--d5qv7z876clanbibaidarmeniaxn--davvenjrga-y4axn--djrs72d6uyxn--djty4kosaigawaxn--dnna-grajewolterskluwerxn--drbak-wuaxn--dyry-iraxn--e1a4cldmailukowhitesnow-dnsangohtawaramotoineppubtlsanjotelulubin-brbambinagisobetsuitagajoburgjerdrumcprequalifymein-vigorgebetsukuibmdeveloperauniteroizumizakinderoyomitanobninskanzakiyokawaraustrheimatunduhrennebulsan-suedtirololitapunk123kotisivultrobjectselinogradimo-siemenscaledekaascolipiceno-ipifony-1337xn--eckvdtc9dxn--efvn9svalbardunloppaderbornxn--efvy88hagakhanamigawaxn--ehqz56nxn--elqq16hagebostadxn--eveni-0qa01gaxn--f6qx53axn--fct429kosakaerodromegallupaasdaburxn--fhbeiarnxn--finny-yuaxn--fiq228c5hsvchurchaseljeepsondriodejaneirockyotobetsuliguriaxn--fiq64barsycenterprisesakievennodesadistcgrouplidlugolekagaminord-frontierxn--fiqs8sveioxn--fiqz9svelvikoninjambylxn--fjord-lraxn--fjq720axn--fl-ziaxn--flor-jraxn--flw351exn--forl-cesena-fcbssvizzeraxn--forlcesena-c8axn--fpcrj9c3dxn--frde-grandrapidsvn-repostorjcloud-ver-jpchowderxn--frna-woaraisaijosoyroroswedenxn--frya-hraxn--fzc2c9e2cleverappsannanxn--fzys8d69uvgmailxn--g2xx48clicketcloudcontrolapparmatsuuraxn--gckr3f0fauskedsmokorsetagayaseralingenoamishirasatogliattipschulserverxn--gecrj9clickrisinglesannohekinannestadraydnsanokaruizawaxn--ggaviika-8ya47haibarakitakamiizumisanofidelitysfjordxn--gildeskl-g0axn--givuotna-8yasakaiminatoyookaneyamazoexn--gjvik-wuaxn--gk3at1exn--gls-elacaixaxn--gmq050is-an-anarchistoricalsocietysnesigdalxn--gmqw5axn--gnstigbestellen-zvbrplsbxn--45br5cylxn--gnstigliefern-wobihirosakikamijimatsushigexn--h-2failxn--h1aeghair-surveillancexn--h1ahnxn--h1alizxn--h2breg3eveneswidnicasacampinagrandebungotakadaemongolianxn--h2brj9c8clinichippubetsuikilatironporterxn--h3cuzk1digickoseis-a-linux-usershoujis-a-knightpointtohoboleslawieconomiastalbanshizuokamogawaxn--hbmer-xqaxn--hcesuolo-7ya35barsyonlinewhampshirealtychyattorneyagawakuyabukihokumakogeniwaizumiotsurugimbalsfjordeportexaskoyabeagleboardetroitskypecorivneatonoshoes3-eu-west-3utilitiesquare7xn--hebda8basicserversaillesjabbottateshinanomachildrensgardenhlfanhsbc66xn--hery-iraxn--hgebostad-g3axn--hkkinen-5waxn--hmmrfeasta-s4accident-prevention-aptibleangaviikadenaamesjevuemielnoboribetsuckswidnikkolobrzegersundxn--hnefoss-q1axn--hobl-iraxn--holtlen-hxaxn--hpmir-xqaxn--hxt814exn--hyanger-q1axn--hylandet-54axn--i1b6b1a6a2exn--imr513nxn--indery-fyasugithubusercontentromsojamisonxn--io0a7is-an-artistgstagexn--j1adpkomonotogawaxn--j1aefbsbxn--1lqs71dyndns-office-on-the-webhostingrpassagensavonarviikamiokameokamakurazakiwakunigamihamadaxn--j1ael8basilicataniautoscanadaeguambulancentralus-2xn--j1amhakatanorthflankddiamondshinshiroxn--j6w193gxn--jlq480n2rgxn--jlq61u9w7basketballfinanzgorzeleccodespotenzakopanewspaperxn--jlster-byasuokannamihokkaidopaaskvollxn--jrpeland-54axn--jvr189miniserversusakis-a-socialistg-builderxn--k7yn95exn--karmy-yuaxn--kbrq7oxn--kcrx77d1x4axn--kfjord-iuaxn--klbu-woaxn--klt787dxn--kltp7dxn--kltx9axn--klty5xn--45brj9cistrondheimperiaxn--koluokta-7ya57hakodatexn--kprw13dxn--kpry57dxn--kput3is-an-engineeringxn--krager-gyatominamibosogndalxn--kranghke-b0axn--krdsherad-m8axn--krehamn-dxaxn--krjohka-hwab49jdevcloudfunctionsimplesitexn--ksnes-uuaxn--kvfjord-nxaxn--kvitsy-fyatsukanoyakagexn--kvnangen-k0axn--l-1fairwindswiebodzin-dslattuminamiyamashirokawanabeepilepsykkylvenicexn--l1accentureklamborghinikolaeventswinoujscienceandhistoryxn--laheadju-7yatsushiroxn--langevg-jxaxn--lcvr32dxn--ldingen-q1axn--leagaviika-52batochigifts3-us-west-2xn--lesund-huaxn--lgbbat1ad8jdfaststackschulplattformetacentrumeteorappassenger-associationxn--lgrd-poacctrusteexn--lhppi-xqaxn--linds-pramericanartrvestnestudioxn--lns-qlavagiskexn--loabt-0qaxn--lrdal-sraxn--lrenskog-54axn--lt-liacliniquedapliexn--lten-granexn--lury-iraxn--m3ch0j3axn--mely-iraxn--merker-kuaxn--mgb2ddeswisstpetersburgxn--mgb9awbfbx-ostrowwlkpmguitarschwarzgwangjuifminamidaitomanchesterxn--mgba3a3ejtrycloudflarevistaplestudynamic-dnsrvaroyxn--mgba3a4f16axn--mgba3a4fra1-deloittevaksdalxn--mgba7c0bbn0axn--mgbaakc7dvfstdlibestadxn--mgbaam7a8hakonexn--mgbab2bdxn--mgbah1a3hjkrdxn--mgbai9a5eva00batsfjordiscordsays3-website-ap-northeast-1xn--mgbai9azgqp6jejuniperxn--mgbayh7gpalmaseratis-an-entertainerxn--mgbbh1a71exn--mgbc0a9azcgxn--mgbca7dzdoxn--mgbcpq6gpa1axn--mgberp4a5d4a87gxn--mgberp4a5d4arxn--mgbgu82axn--mgbi4ecexposedxn--mgbpl2fhskosherbrookegawaxn--mgbqly7c0a67fbclintonkotsukubankarumaifarmsteadrobaknoluoktachikawakayamadridvallee-aosteroyxn--mgbqly7cvafr-1xn--mgbt3dhdxn--mgbtf8flapymntrysiljanxn--mgbtx2bauhauspostman-echocolatemasekd1xn--mgbx4cd0abbvieeexn--mix082fbxoschweizxn--mix891fedorainfraclouderaxn--mjndalen-64axn--mk0axin-vpnclothingdustdatadetectjmaxxxn--12c1fe0bradescotlandrrxn--mk1bu44cn-northwest-1xn--mkru45is-bykleclerchoshibuyachiyodancexn--mlatvuopmi-s4axn--mli-tlavangenxn--mlselv-iuaxn--moreke-juaxn--mori-qsakurais-certifiedxn--mosjen-eyawaraxn--mot-tlazioxn--mre-og-romsdal-qqbuseranishiaritakurashikis-foundationxn--msy-ula0hakubaghdadultravelchannelxn--mtta-vrjjat-k7aflakstadaokagakicks-assnasaarlandxn--muost-0qaxn--mxtq1minisitexn--ngbc5azdxn--ngbe9e0axn--ngbrxn--45q11citadelhicampinashikiminohostfoldnavyxn--nit225koshimizumakiyosunnydayxn--nmesjevuemie-tcbalestrandabergamoarekeymachineustarnbergxn--nnx388axn--nodessakyotanabelaudiopsysynology-dstreamlitappittsburghofficialxn--nqv7fs00emaxn--nry-yla5gxn--ntso0iqx3axn--ntsq17gxn--nttery-byaeserveftplanetariuminamitanexn--nvuotna-hwaxn--nyqy26axn--o1achernihivgubsxn--o3cw4hakuis-a-democratravelersinsurancexn--o3cyx2axn--od0algxn--od0aq3belementorayoshiokanumazuryukuhashimojibxos3-website-ap-southeast-1xn--ogbpf8flatangerxn--oppegrd-ixaxn--ostery-fyawatahamaxn--osyro-wuaxn--otu796dxn--p1acfedorapeoplegoismailillehammerfeste-ipatriaxn--p1ais-gonexn--pgbs0dhlx3xn--porsgu-sta26fedoraprojectoyotsukaidoxn--pssu33lxn--pssy2uxn--q7ce6axn--q9jyb4cngreaterxn--qcka1pmcpenzaporizhzhiaxn--qqqt11minnesotaketakayamassivegridxn--qxa6axn--qxamsterdamnserverbaniaxn--rady-iraxn--rdal-poaxn--rde-ulaxn--rdy-0nabaris-into-animeetrentin-sued-tirolxn--rennesy-v1axn--rhkkervju-01afeiraquarelleasingujaratoyouraxn--rholt-mragowoltlab-democraciaxn--rhqv96gxn--rht27zxn--rht3dxn--rht61exn--risa-5naturbruksgymnxn--risr-iraxn--rland-uuaxn--rlingen-mxaxn--rmskog-byaxn--rny31hakusanagochihayaakasakawaiishopitsitexn--rovu88bellevuelosangeles3-website-ap-southeast-2xn--rros-granvindafjordxn--rskog-uuaxn--rst-0naturhistorischesxn--rsta-framercanvasxn--rvc1e0am3exn--ryken-vuaxn--ryrvik-byaxn--s-1faithaldenxn--s9brj9cnpyatigorskolecznagatorodoyxn--sandnessjen-ogbellunord-odalombardyn53xn--sandy-yuaxn--sdtirol-n2axn--seral-lraxn--ses554gxn--sgne-graphoxn--4dbgdty6citichernovtsyncloudrangedaluccarbonia-iglesias-carboniaiglesiascarboniaxn--skierv-utazasxn--skjervy-v1axn--skjk-soaxn--sknit-yqaxn--sknland-fxaxn--slat-5natuurwetenschappenginexn--slt-elabcieszynh-servebeero-stageiseiroumuenchencoreapigeelvinckoshunantankmpspawnextdirectrentino-s-tirolxn--smla-hraxn--smna-gratangentlentapisa-geekosugexn--snase-nraxn--sndre-land-0cbeneventochiokinoshimaintenancebinordreisa-hockeynutazurestaticappspaceusercontentateyamaveroykenglandeltaitogitsumitakagiizeasypanelblagrarchaeologyeongbuk0emmafann-arboretumbriamallamaceiobbcg123homepagefrontappchizip61123minsidaarborteaches-yogasawaracingroks-theatree123hjemmesidealerimo-i-rana4u2-localhistorybolzano-altoadigeometre-experts-comptables3-ap-northeast-123miwebcambridgehirn4t3l3p0rtarumizusawabogadobeaemcloud-fr123paginaweberkeleyokosukanrabruzzombieidskoguchikushinonsenasakuchinotsuchiurakawafaicloudineat-url-o-g-i-naval-d-aosta-valleyokote164-b-datacentermezproxyzgoraetnabudejjudaicadaquest-mon-blogueurodirumaceratabuseating-organicbcn-north-123saitamakawabartheshopencraftrainingdyniajuedischesapeakebayernavigationavoi234lima-cityeats3-ap-northeast-20001wwwedeployokozeastasiamunemurorangecloudplatform0xn--snes-poaxn--snsa-roaxn--sr-aurdal-l8axn--sr-fron-q1axn--sr-odal-q1axn--sr-varanger-ggbentleyurihonjournalistjohnikonanporovnobserverxn--srfold-byaxn--srreisa-q1axn--srum-gratis-a-bulls-fanxn--stfold-9xaxn--stjrdal-s1axn--stjrdalshalsen-sqbeppublishproxyusuharavocatanzarowegroweiboltashkentatamotorsitestingivingjemnes3-eu-central-1kappleadpages-12hpalmspringsakerxn--stre-toten-zcbeskidyn-ip24xn--t60b56axn--tckweddingxn--tiq49xqyjelasticbeanstalkhmelnitskiyamarumorimachidaxn--tjme-hraxn--tn0agrocerydxn--tnsberg-q1axn--tor131oxn--trany-yuaxn--trentin-sd-tirol-rzbestbuyshoparenagareyamaizurugbyenvironmentalconservationflashdrivefsnillfjordiscordsezjampaleoceanographics3-website-eu-west-1xn--trentin-sdtirol-7vbetainaboxfuseekloges3-website-sa-east-1xn--trentino-sd-tirol-c3bhzcasertainaioirasebastopologyeongnamegawafflecellclstagemologicaliforniavoues3-eu-west-1xn--trentino-sdtirol-szbielawalbrzycharitypedreamhostersvp4xn--trentinosd-tirol-rzbiellaakesvuemieleccebizenakanotoddeninoheguriitatebayashiibahcavuotnagaivuotnagaokakyotambabybluebitelevisioncilla-speziaxarnetbank8s3-eu-west-2xn--trentinosdtirol-7vbieszczadygeyachimataijiiyamanouchikuhokuryugasakitaurayasudaxn--trentinsd-tirol-6vbievat-band-campaignieznombrendlyngengerdalces3-website-us-east-1xn--trentinsdtirol-nsbifukagawalesundiscountypeformelhusgardeninomiyakonojorpelandiscourses3-website-us-west-1xn--trgstad-r1axn--trna-woaxn--troms-zuaxn--tysvr-vraxn--uc0atvestre-slidrexn--uc0ay4axn--uist22halsakakinokiaxn--uisz3gxn--unjrga-rtarnobrzegyptianxn--unup4yxn--uuwu58axn--vads-jraxn--valle-aoste-ebbtularvikonskowolayangroupiemontexn--valle-d-aoste-ehboehringerikexn--valleaoste-e7axn--valledaoste-ebbvadsoccerxn--vard-jraxn--vegrshei-c0axn--vermgensberater-ctb-hostingxn--vermgensberatung-pwbigvalledaostaobaomoriguchiharag-cloud-championshiphoplixboxenirasakincheonishiazaindependent-commissionishigouvicasinordeste-idclkarasjohkamikitayamatsurindependent-inquest-a-la-masionishiharaxn--vestvgy-ixa6oxn--vg-yiabkhaziaxn--vgan-qoaxn--vgsy-qoa0jelenia-goraxn--vgu402cnsantabarbaraxn--vhquvestre-totennishiawakuraxn--vler-qoaxn--vre-eiker-k8axn--vrggt-xqadxn--vry-yla5gxn--vuq861biharstadotsubetsugaruhrxn--w4r85el8fhu5dnraxn--w4rs40lxn--wcvs22dxn--wgbh1cntjomeldaluroyxn--wgbl6axn--xhq521bihorologyusuisservegame-serverxn--xkc2al3hye2axn--xkc2dl3a5ee0hammarfeastafricaravantaaxn--y9a3aquariumintereitrentino-sudtirolxn--yer-znaumburgxn--yfro4i67oxn--ygarden-p1axn--ygbi2ammxn--4dbrk0cexn--ystre-slidre-ujbikedaejeonbukarasjokarasuyamarriottatsunoceanographiquehimejindependent-inquiryuufcfanishiizunazukindependent-panelomoliseminemrxn--zbx025dxn--zf0ao64axn--zf0avxlxn--zfr164bilbaogashimadachicagoboavistanbulsan-sudtirolbia-tempio-olbiatempioolbialystokkeliwebredirectme-south-1xnbayxz
\ No newline at end of file
+birkenesoddtangentinglogoweirbitbucketrzynishikatakayamatta-varjjatjomembersaltdalovepopartysfjordiskussionsbereichatinhlfanishikatsuragitappassenger-associationishikawazukamiokameokamakurazakitaurayasudabitternidisrechtrainingloomy-routerbjarkoybjerkreimdbalsan-suedtirololitapunkapsienamsskoganeibmdeveloperauniteroirmemorialombardiadempresashibetsukumiyamagasakinderoyonagunicloudevelopmentaxiijimarriottayninhaccanthobby-siteval-d-aosta-valleyoriikaracolognebinatsukigataiwanumatajimidsundgcahcesuolocustomer-ocimperiautoscanalytics-gatewayonagoyaveroykenflfanpachihayaakasakawaiishopitsitemasekd1kappenginedre-eikerimo-siemenscaledekaascolipicenoboribetsucks3-eu-west-3utilities-16-balestrandabergentappsseekloges3-eu-west-123paginawebcamauction-acornfshostrodawaraktyubinskaunicommbank123kotisivultrobjectselinogradimo-i-rana4u2-localhostrolekanieruchomoscientistordal-o-g-i-nikolaevents3-ap-northeast-2-ddnsking123homepagefrontappchizip61123saitamakawababia-goracleaningheannakadomarineat-urlimanowarudakuneustarostwodzislawdev-myqnapcloudcontrolledgesuite-stagingdyniamusementdllclstagehirnikonantomobelementorayokosukanoyakumoliserniaurland-4-salernord-aurdalipaywhirlimiteddnslivelanddnss3-ap-south-123siteweberlevagangaviikanonji234lima-cityeats3-ap-southeast-123webseiteambulancechireadmyblogspotaribeiraogakicks-assurfakefurniturealmpmninoheguribigawaurskog-holandinggfarsundds3-ap-southeast-20001wwwedeployokote123hjemmesidealerdalaheadjuegoshikibichuobiraustevollimombetsupplyokoze164-balena-devices3-ca-central-123websiteleaf-south-12hparliamentatsunobninsk8s3-eu-central-1337bjugnishimerablackfridaynightjxn--11b4c3ditchyouripatriabloombergretaijindustriesteinkjerbloxcmsaludivtasvuodnakaiwanairlinekobayashimodatecnologiablushakotanishinomiyashironomniwebview-assetsalvadorbmoattachmentsamegawabmsamnangerbmwellbeingzonebnrweatherchannelsdvrdnsamparalleluxenishinoomotegotsukishiwadavvenjargamvikarpaczest-a-la-maisondre-landivttasvuotnakamai-stagingloppennebomlocalzonebonavstackartuzybondigitaloceanspacesamsclubartowest1-usamsunglugsmall-webspacebookonlineboomlaakesvuemielecceboschristmasakilatiron-riopretoeidsvollovesickaruizawabostik-serverrankoshigayachtsandvikcoromantovalle-d-aostakinouebostonakijinsekikogentlentapisa-geekarumaifmemsetkmaxxn--12c1fe0bradescotksatmpaviancapitalonebouncemerckmsdscloudiybounty-fullensakerrypropertiesangovtoyosatoyokawaboutiquebecologialaichaugiangmbhartiengiangminakamichiharaboutireservdrangedalpusercontentoyotapfizerboyfriendoftheinternetflixn--12cfi8ixb8lublindesnesanjosoyrovnoticiasannanishinoshimattelemarkasaokamikitayamatsurinfinitigopocznore-og-uvdalucaniabozen-sudtiroluccanva-appstmnishiokoppegardray-dnsupdaterbozen-suedtirolukowesteuropencraftoyotomiyazakinsurealtypeformesswithdnsannohekinanporovigonohejinternationaluroybplacedogawarabikomaezakirunordkappgfoggiabrandrayddns5ybrasiliadboxoslockerbresciaogashimadachicappadovaapstemp-dnswatchest-mon-blogueurodirumagazinebrindisiciliabroadwaybroke-itvedestrandraydnsanokashibatakashimashikiyosatokigawabrokerbrothermesserlifestylebtimnetzpisdnpharmaciensantamariakebrowsersafetymarketingmodumetacentrumeteorappharmacymruovatlassian-dev-builderschaefflerbrumunddalutskashiharabrusselsantoandreclaimsanukintlon-2bryanskiptveterinaireadthedocsaobernardovre-eikerbrynebwestus2bzhitomirbzzwhitesnowflakecommunity-prochowicecomodalenissandoycompanyaarphdfcbankasumigaurawa-mazowszexn--1ck2e1bambinagisobetsuldalpha-myqnapcloudaccess3-us-east-2ixboxeroxfinityolasiteastus2comparemarkerryhotelsaves-the-whalessandria-trani-barletta-andriatranibarlettaandriacomsecaasnesoddeno-stagingrondarcondoshifteditorxn--1ctwolominamatarnobrzegrongrossetouchijiwadedyn-berlincolnissayokoshibahikariyaltakazakinzais-a-bookkeepermarshallstatebankasuyalibabahccavuotnagaraholtaleniwaizumiotsurugashimaintenanceomutazasavonarviikaminoyamaxunispaceconferenceconstructionflashdrivefsncf-ipfsaxoconsuladobeio-static-accesscamdvrcampaniaconsultantranoyconsultingroundhandlingroznysaitohnoshookuwanakayamangyshlakdnepropetrovskanlandyndns-freeboxostrowwlkpmgrphilipsyno-dschokokekscholarshipschoolbusinessebycontactivetrailcontagematsubaravendbambleborkdalvdalcest-le-patron-rancherkasydneyukuhashimokawavoues3-sa-east-1contractorskenissedalcookingruecoolblogdnsfor-better-thanhhoarairforcentralus-1cooperativano-frankivskodjeephonefosschoolsztynsetransiphotographysiocoproductionschulplattforminamiechizenisshingucciprianiigatairaumalatvuopmicrolightinguidefinimaringatlancastercorsicafjschulservercosenzakopanecosidnshome-webservercellikescandypopensocialcouchpotatofrieschwarzgwangjuh-ohtawaramotoineppueblockbusternopilawacouncilcouponscrapper-sitecozoravennaharimalborkaszubytemarketscrappinguitarscrysecretrosnubananarepublic-inquiryurihonjoyenthickaragandaxarnetbankanzakiwielunnerepairbusanagochigasakishimabarakawaharaolbia-tempio-olbiatempioolbialowiezachpomorskiengiangjesdalolipopmcdirepbodyn53cqcxn--1lqs03niyodogawacrankyotobetsumidaknongujaratmallcrdyndns-homednscwhminamifuranocreditcardyndns-iphutholdingservehttpbincheonl-ams-1creditunionionjukujitawaravpagecremonashorokanaiecrewhoswholidaycricketnedalcrimeast-kazakhstanangercrotonecrowniphuyencrsvp4cruiseservehumourcuisinellair-traffic-controllagdenesnaaseinet-freakserveircasertainaircraftingvolloansnasaarlanduponthewifidelitypedreamhostersaotomeldaluxurycuneocupcakecuritibacgiangiangryggeecurvalled-aostargets-itranslatedyndns-mailcutegirlfriendyndns-office-on-the-webhoptogurafedoraprojectransurlfeirafembetsukuis-a-bruinsfanfermodenakasatsunairportrapaniizaferraraferraris-a-bulls-fanferrerotikagoshimalopolskanittedalfetsundyndns-wikimobetsumitakagildeskaliszkolamericanfamilydservemp3fgunmaniwamannorth-kazakhstanfhvalerfilegear-augustowiiheyakagefilegear-deatnuniversitysvardofilegear-gbizfilegear-iefilegear-jpmorgangwonporterfilegear-sg-1filminamiizukamiminefinalchikugokasellfyis-a-candidatefinancefinnoyfirebaseappiemontefirenetlifylkesbiblackbaudcdn-edgestackhero-networkinggroupowiathletajimabaria-vungtaudiopsysharpigboatshawilliamhillfirenzefirestonefireweblikes-piedmontravelersinsurancefirmdalegalleryfishingoldpoint2thisamitsukefitjarfitnessettsurugiminamimakis-a-catererfjalerfkatsushikabeebyteappilottonsberguovdageaidnunjargausdalflekkefjordyndns-workservep2phxn--1lqs71dyndns-remotewdyndns-picserveminecraftransporteflesbergushikamifuranorthflankatsuyamashikokuchuoflickragerokunohealthcareershellflierneflirfloginlinefloppythonanywherealtorfloraflorencefloripalmasfjordenfloristanohatajiris-a-celticsfanfloromskogxn--2m4a15eflowershimokitayamafltravinhlonganflynnhosting-clusterfncashgabadaddjabbottoyourafndyndns1fnwkzfolldalfoolfor-ourfor-somegurownproviderfor-theaterfordebianforexrotheworkpccwinbar0emmafann-arborlandd-dnsiskinkyowariasahikawarszawashtenawsmppl-wawsglobalacceleratorahimeshimakanegasakievennodebalancern4t3l3p0rtatarantours3-ap-northeast-123minsidaarborteaches-yogano-ipifony-123miwebaccelastx4432-b-datacenterprisesakijobservableusercontentateshinanomachintaifun-dnsdojournalistoloseyouriparisor-fronavuotnarashinoharaetnabudejjunipereggio-emilia-romagnaroyboltateyamajureggiocalabriakrehamnayoro0o0forgotdnshimonitayanagithubpreviewsaikisarazure-mobileirfjordynnservepicservequakeforli-cesena-forlicesenaforlillehammerfeste-ipimientaketomisatoolshimonosekikawaforsalegoismailillesandefjordynservebbservesarcasmileforsandasuolodingenfortalfortefosneshimosuwalkis-a-chefashionstorebaseljordyndns-serverisignfotrdynulvikatowicefoxn--2scrj9casinordlandurbanamexnetgamersapporomurafozfr-1fr-par-1fr-par-2franamizuhoboleslawiecommerce-shoppingyeongnamdinhachijohanamakisofukushimaoris-a-conservativegarsheiheijis-a-cparachutingfredrikstadynv6freedesktopazimuthaibinhphuocelotenkawakayamagnetcieszynh-servebeero-stageiseiroumugifuchungbukharag-cloud-championshiphoplixn--30rr7yfreemyiphosteurovisionredumbrellangevagrigentobishimadridvagsoygardenebakkeshibechambagricoharugbydgoszczecin-berlindasdaburfreesitefreetlshimotsukefreisennankokubunjis-a-cubicle-slavellinodeobjectshimotsumafrenchkisshikindleikangerfreseniushinichinanfriuli-v-giuliafriuli-ve-giuliafriuli-vegiuliafriuli-venezia-giuliafriuli-veneziagiuliafriuli-vgiuliafriuliv-giuliafriulive-giuliafriulivegiuliafriulivenezia-giuliafriuliveneziagiuliafriulivgiuliafrlfroganshinjotelulubin-vpncateringebunkyonanaoshimamateramockashiwarafrognfrolandynvpnpluservicesevastopolitiendafrom-akamaized-stagingfrom-alfrom-arfrom-azurewebsiteshikagamiishibuyabukihokuizumobaragusabaerobaticketshinjukuleuvenicefrom-campobassociatest-iserveblogsytenrissadistdlibestadultrentin-sudtirolfrom-coachaseljeducationcillahppiacenzaganfrom-ctrentin-sued-tirolfrom-dcatfooddagestangefrom-decagliarikuzentakataikillfrom-flapymntrentin-suedtirolfrom-gap-east-1from-higashiagatsumagoianiafrom-iafrom-idyroyrvikingulenfrom-ilfrom-in-the-bandairtelebitbridgestonemurorangecloudplatform0from-kshinkamigototalfrom-kyfrom-langsonyantakahamalselveruminamiminowafrom-malvikaufentigerfrom-mdfrom-mein-vigorlicefrom-mifunefrom-mnfrom-modshinshinotsurgeryfrom-mshinshirofrom-mtnfrom-ncatholicurus-4from-ndfrom-nefrom-nhs-heilbronnoysundfrom-njshintokushimafrom-nminamioguni5from-nvalledaostargithubusercontentrentino-a-adigefrom-nycaxiaskvollpagesardegnarutolgaulardalvivanovoldafrom-ohdancefrom-okegawassamukawataris-a-democratrentino-aadigefrom-orfrom-panasonichernovtsykkylvenneslaskerrylogisticsardiniafrom-pratohmamurogawatsonrenderfrom-ris-a-designerimarugame-hostyhostingfrom-schmidtre-gauldalfrom-sdfrom-tnfrom-txn--32vp30hachinoheavyfrom-utsiracusagaeroclubmedecin-addrammenuorodoyerfrom-val-daostavalleyfrom-vtrentino-alto-adigefrom-wafrom-wiardwebthingsjcbnpparibashkiriafrom-wvallee-aosteroyfrom-wyfrosinonefrostabackplaneapplebesbyengerdalp1froyal-commissionfruskydivingfujiiderafujikawaguchikonefujiminokamoenairtrafficplexus-2fujinomiyadapliefujiokazakinkobearalvahkikonaibetsubame-south-1fujisatoshoeshintomikasaharafujisawafujishiroishidakabiratoridediboxn--3bst00minamisanrikubetsupportrentino-altoadigefujitsuruokakamigaharafujiyoshidappnodearthainguyenfukayabeardubaikawagoefukuchiyamadatsunanjoburgfukudomigawafukuis-a-doctorfukumitsubishigakirkeneshinyoshitomiokamisatokamachippubetsuikitchenfukuokakegawafukuroishikariwakunigamigrationfukusakirovogradoyfukuyamagatakaharunusualpersonfunabashiriuchinadattorelayfunagatakahashimamakiryuohkurafunahashikamiamakusatsumasendaisenergyeongginowaniihamatamakinoharafundfunkfeuerfuoiskujukuriyamandalfuosskoczowindowskrakowinefurubirafurudonordreisa-hockeynutwentertainmentrentino-s-tirolfurukawajimangolffanshiojirishirifujiedafusoctrangfussagamiharafutabayamaguchinomihachimanagementrentino-stirolfutboldlygoingnowhere-for-more-og-romsdalfuttsurutashinais-a-financialadvisor-aurdalfuturecmshioyamelhushirahamatonbetsurnadalfuturehostingfuturemailingfvghakuis-a-gurunzenhakusandnessjoenhaldenhalfmoonscalebookinghostedpictetrentino-sud-tirolhalsakakinokiaham-radio-opinbar1hamburghammarfeastasiahamurakamigoris-a-hard-workershiraokamisunagawahanamigawahanawahandavvesiidanangodaddyn-o-saurealestatefarmerseinehandcrafteducatorprojectrentino-sudtirolhangglidinghangoutrentino-sued-tirolhannannestadhannosegawahanoipinkazohanyuzenhappouzshiratakahagianghasamap-northeast-3hasaminami-alpshishikuis-a-hunterhashbanghasudazaifudaigodogadobeioruntimedio-campidano-mediocampidanomediohasura-appinokokamikoaniikappudopaashisogndalhasvikazteleportrentino-suedtirolhatogayahoooshikamagayaitakamoriokakudamatsuehatoyamazakitahiroshimarcheapartmentshisuifuettertdasnetzhatsukaichikaiseiyoichipshitaramahattfjelldalhayashimamotobusells-for-lesshizukuishimoichilloutsystemscloudsitehazuminobushibukawahelplfinancialhelsinkitakamiizumisanofidonnakamurataitogliattinnhemneshizuokamitondabayashiogamagoriziahemsedalhepforgeblockshoujis-a-knightpointtokaizukamaishikshacknetrentinoa-adigehetemlbfanhigashichichibuzentsujiiehigashihiroshimanehigashiizumozakitakatakanabeautychyattorneyagawakkanaioirasebastopoleangaviikadenagahamaroyhigashikagawahigashikagurasoedahigashikawakitaaikitakyushunantankazunovecorebungoonow-dnshowahigashikurumeinforumzhigashimatsushimarnardalhigashimatsuyamakitaakitadaitoigawahigashimurayamamotorcycleshowtimeloyhigashinarusells-for-uhigashinehigashiomitamanoshiroomghigashiosakasayamanakakogawahigashishirakawamatakanezawahigashisumiyoshikawaminamiaikitamihamadahigashitsunospamproxyhigashiurausukitamotosunnydayhigashiyamatokoriyamanashiibaclieu-1higashiyodogawahigashiyoshinogaris-a-landscaperspectakasakitanakagusukumoldeliveryhippyhiraizumisatohokkaidontexistmein-iservschulecznakaniikawatanagurahirakatashinagawahiranais-a-lawyerhirarahiratsukaeruhirayaizuwakamatsubushikusakadogawahitachiomiyaginozawaonsensiositehitachiotaketakaokalmykiahitraeumtgeradegreehjartdalhjelmelandholyhomegoodshwinnersiiitesilkddiamondsimple-urlhomeipioneerhomelinkyard-cloudjiffyresdalhomelinuxn--3ds443ghomeofficehomesecuritymacaparecidahomesecuritypchiryukyuragiizehomesenseeringhomeskleppippugliahomeunixn--3e0b707ehondahonjyoitakarazukaluganskfh-muensterhornindalhorsells-itrentinoaadigehortendofinternet-dnsimplesitehospitalhotelwithflightsirdalhotmailhoyangerhoylandetakasagooglecodespotrentinoalto-adigehungyenhurdalhurumajis-a-liberalhyllestadhyogoris-a-libertarianhyugawarahyundaiwafuneis-very-evillasalleitungsenis-very-goodyearis-very-niceis-very-sweetpepperugiais-with-thebandoomdnstraceisk01isk02jenv-arubacninhbinhdinhktistoryjeonnamegawajetztrentinostiroljevnakerjewelryjgorajlljls-sto1jls-sto2jls-sto3jmpixolinodeusercontentrentinosud-tiroljnjcloud-ver-jpchitosetogitsuliguriajoyokaichibahcavuotnagaivuotnagaokakyotambabymilk3jozis-a-musicianjpnjprsolarvikhersonlanxessolundbeckhmelnitskiyamasoykosaigawakosakaerodromegalloabatobamaceratachikawafaicloudineencoreapigeekoseis-a-painterhostsolutionslupskhakassiakosheroykoshimizumakis-a-patsfankoshughesomakosugekotohiradomainstitutekotourakouhokumakogenkounosupersalevangerkouyamasudakouzushimatrixn--3pxu8khplaystation-cloudyclusterkozagawakozakis-a-personaltrainerkozowiosomnarviklabudhabikinokawachinaganoharamcocottekpnkppspbarcelonagawakepnord-odalwaysdatabaseballangenkainanaejrietisalatinabenogiehtavuoatnaamesjevuemielnombrendlyngen-rootaruibxos3-us-gov-west-1krasnikahokutokonamegatakatoris-a-photographerokussldkrasnodarkredstonekrelliankristiansandcatsoowitdkmpspawnextdirectrentinosudtirolkristiansundkrodsheradkrokstadelvaldaostavangerkropyvnytskyis-a-playershiftcryptonomichinomiyakekryminamiyamashirokawanabelaudnedalnkumamotoyamatsumaebashimofusakatakatsukis-a-republicanonoichinosekigaharakumanowtvaokumatorinokumejimatsumotofukekumenanyokkaichirurgiens-dentistes-en-francekundenkunisakis-a-rockstarachowicekunitachiaraisaijolsterkunitomigusukukis-a-socialistgstagekunneppubtlsopotrentinosued-tirolkuokgroupizzakurgankurobegetmyipirangalluplidlugolekagaminorddalkurogimimozaokinawashirosatochiokinoshimagentositempurlkuroisodegaurakuromatsunais-a-soxfankuronkurotakikawasakis-a-studentalkushirogawakustanais-a-teacherkassyncloudkusuppliesor-odalkutchanelkutnokuzumakis-a-techietipslzkvafjordkvalsundkvamsterdamnserverbaniakvanangenkvinesdalkvinnheradkviteseidatingkvitsoykwpspdnsor-varangermishimatsusakahogirlymisugitokorozawamitakeharamitourismartlabelingmitoyoakemiuramiyazurecontainerdpoliticaobangmiyotamatsukuris-an-actormjondalenmonzabrianzaramonzaebrianzamonzaedellabrianzamordoviamorenapolicemoriyamatsuuramoriyoshiminamiashigaramormonstermoroyamatsuzakis-an-actressmushcdn77-sslingmortgagemoscowithgoogleapiszmoseushimogosenmosjoenmoskenesorreisahayakawakamiichikawamisatottoris-an-anarchistjordalshalsenmossortlandmosviknx-serversusakiyosupabaseminemotegit-reposoruminanomoviemovimientokyotangotembaixadattowebhareidsbergmozilla-iotrentinosuedtirolmtranbytomaridagawalmartrentinsud-tirolmuikaminokawanishiaizubangemukoelnmunakatanemuosattemupkomatsushimassa-carrara-massacarraramassabuzzmurmanskomforbar2murotorcraftranakatombetsumy-gatewaymusashinodesakegawamuseumincomcastoripressorfoldmusicapetownnews-stagingmutsuzawamy-vigormy-wanggoupilemyactivedirectorymyamazeplaymyasustor-elvdalmycdmycloudnsoundcastorjdevcloudfunctionsokndalmydattolocalcertificationmyddnsgeekgalaxymydissentrentinsudtirolmydobissmarterthanyoumydrobofageometre-experts-comptablesowamydspectruminisitemyeffectrentinsued-tirolmyfastly-edgekey-stagingmyfirewalledreplittlestargardmyforuminterecifedextraspace-to-rentalstomakomaibaramyfritzmyftpaccesspeedpartnermyhome-servermyjinomykolaivencloud66mymailermymediapchoseikarugalsacemyokohamamatsudamypeplatformsharis-an-artistockholmestrandmypetsphinxn--41amyphotoshibajddarvodkafjordvaporcloudmypictureshinomypsxn--42c2d9amysecuritycamerakermyshopblockspjelkavikommunalforbundmyshopifymyspreadshopselectrentinsuedtirolmytabitordermythic-beastspydebergmytis-a-anarchistg-buildermytuleap-partnersquaresindevicenzamyvnchoshichikashukudoyamakeuppermywirecipescaracallypoivronpokerpokrovskommunepolkowicepoltavalle-aostavernpomorzeszowithyoutuberspacekitagawaponpesaro-urbino-pesarourbinopesaromasvuotnaritakurashikis-bykleclerchitachinakagawaltervistaipeigersundynamic-dnsarlpordenonepornporsangerporsangugeporsgrunnanpoznanpraxihuanprdprgmrprimetelprincipeprivatelinkomonowruzhgorodeoprivatizehealthinsuranceprofesionalprogressivegasrlpromonza-e-della-brianzaptokuyamatsushigepropertysnesrvarggatrevisogneprotectionprotonetroandindependent-inquest-a-la-masionprudentialpruszkowiwatsukiyonotaireserve-onlineprvcyonabarumbriaprzeworskogpunyufuelpupulawypussycatanzarowixsitepvhachirogatakahatakaishimojis-a-geekautokeinotteroypvtrogstadpwchowderpzqhadanorthwesternmutualqldqotoyohashimotoshimaqponiatowadaqslgbtroitskomorotsukagawaqualifioapplatter-applatterplcube-serverquangngais-certifiedugit-pagespeedmobilizeroticaltanissettailscaleforcequangninhthuanquangtritonoshonais-foundationquickconnectromsakuragawaquicksytestreamlitapplumbingouvaresearchitectesrhtrentoyonakagyokutoyakomakizunokunimimatakasugais-an-engineeringquipelementstrippertuscanytushungrytuvalle-daostamayukis-into-animeiwamizawatuxfamilytuyenquangbinhthuantwmailvestnesuzukis-gonevestre-slidreggio-calabriavestre-totennishiawakuravestvagoyvevelstadvibo-valentiaavibovalentiavideovinhphuchromedicinagatorogerssarufutsunomiyawakasaikaitakokonoevinnicarbonia-iglesias-carboniaiglesiascarboniavinnytsiavipsinaapplurinacionalvirginanmokurennebuvirtual-userveexchangevirtualservervirtualuserveftpodhalevisakurais-into-carsnoasakuholeckodairaviterboliviajessheimmobilienvivianvivoryvixn--45br5cylvlaanderennesoyvladikavkazimierz-dolnyvladimirvlogintoyonezawavmintsorocabalashovhachiojiyahikobierzycevologdanskoninjambylvolvolkswagencyouvolyngdalvoorlopervossevangenvotevotingvotoyonovps-hostrowiechungnamdalseidfjordynathomebuiltwithdarkhangelskypecorittogojomeetoystre-slidrettozawawmemergencyahabackdropalermochizukikirarahkkeravjuwmflabsvalbardunloppadualstackomvuxn--3hcrj9chonanbuskerudynamisches-dnsarpsborgripeeweeklylotterywoodsidellogliastradingworse-thanhphohochiminhadselbuyshouseshirakolobrzegersundongthapmircloudletshiranukamishihorowowloclawekonskowolawawpdevcloudwpenginepoweredwphostedmailwpmucdnipropetrovskygearappodlasiellaknoluoktagajobojis-an-entertainerwpmudevcdnaccessojamparaglidingwritesthisblogoipodzonewroclawmcloudwsseoullensvanguardianwtcp4wtfastlylbanzaicloudappspotagereporthruherecreationinomiyakonojorpelandigickarasjohkameyamatotakadawuozuerichardlillywzmiuwajimaxn--4it797konsulatrobeepsondriobranconagareyamaizuruhrxn--4pvxs4allxn--54b7fta0ccistrondheimpertrixcdn77-secureadymadealstahaugesunderxn--55qw42gxn--55qx5dxn--5dbhl8dxn--5js045dxn--5rtp49citadelhichisochimkentozsdell-ogliastraderxn--5rtq34kontuminamiuonumatsunoxn--5su34j936bgsgxn--5tzm5gxn--6btw5axn--6frz82gxn--6orx2rxn--6qq986b3xlxn--7t0a264citicarrdrobakamaiorigin-stagingmxn--12co0c3b4evalleaostaobaomoriguchiharaffleentrycloudflare-ipfstcgroupaaskimitsubatamibulsan-suedtirolkuszczytnoopscbgrimstadrrxn--80aaa0cvacationsvchoyodobashichinohealth-carereforminamidaitomanaustdalxn--80adxhksveioxn--80ao21axn--80aqecdr1axn--80asehdbarclaycards3-us-west-1xn--80aswgxn--80aukraanghkeliwebpaaskoyabeagleboardxn--8dbq2axn--8ltr62konyvelohmusashimurayamassivegridxn--8pvr4uxn--8y0a063axn--90a1affinitylotterybnikeisencowayxn--90a3academiamicable-modemoneyxn--90aeroportsinfolionetworkangerxn--90aishobaraxn--90amckinseyxn--90azhytomyrxn--9dbq2axn--9et52uxn--9krt00axn--andy-iraxn--aroport-byanagawaxn--asky-iraxn--aurskog-hland-jnbarclays3-us-west-2xn--avery-yuasakurastoragexn--b-5gaxn--b4w605ferdxn--balsan-sdtirol-nsbsvelvikongsbergxn--bck1b9a5dre4civilaviationfabricafederation-webredirectmediatechnologyeongbukashiwazakiyosembokutamamuraxn--bdddj-mrabdxn--bearalvhki-y4axn--berlevg-jxaxn--bhcavuotna-s4axn--bhccavuotna-k7axn--bidr-5nachikatsuuraxn--bievt-0qa2xn--bjarky-fyanaizuxn--bjddar-ptarumizusawaxn--blt-elabcienciamallamaceiobbcn-north-1xn--bmlo-graingerxn--bod-2natalxn--bozen-sdtirol-2obanazawaxn--brnny-wuacademy-firewall-gatewayxn--brnnysund-m8accident-investigation-aptibleadpagesquare7xn--brum-voagatrustkanazawaxn--btsfjord-9zaxn--bulsan-sdtirol-nsbarefootballooningjovikarasjoketokashikiyokawaraxn--c1avgxn--c2br7gxn--c3s14misakis-a-therapistoiaxn--cck2b3baremetalombardyn-vpndns3-website-ap-northeast-1xn--cckwcxetdxn--cesena-forl-mcbremangerxn--cesenaforl-i8axn--cg4bkis-into-cartoonsokamitsuexn--ciqpnxn--clchc0ea0b2g2a9gcdxn--czr694bargainstantcloudfrontdoorestauranthuathienhuebinordre-landiherokuapparochernigovernmentjeldsundiscordsays3-website-ap-southeast-1xn--czrs0trvaroyxn--czru2dxn--czrw28barrel-of-knowledgeapplinziitatebayashijonawatebizenakanojoetsumomodellinglassnillfjordiscordsezgoraxn--d1acj3barrell-of-knowledgecomputermezproxyzgorzeleccoffeedbackanagawarmiastalowa-wolayangroupars3-website-ap-southeast-2xn--d1alfaststacksevenassigdalxn--d1atrysiljanxn--d5qv7z876clanbibaiduckdnsaseboknowsitallxn--davvenjrga-y4axn--djrs72d6uyxn--djty4koobindalxn--dnna-grajewolterskluwerxn--drbak-wuaxn--dyry-iraxn--e1a4cldmail-boxaxn--eckvdtc9dxn--efvn9svn-repostuff-4-salexn--efvy88haebaruericssongdalenviknaklodzkochikushinonsenasakuchinotsuchiurakawaxn--ehqz56nxn--elqq16hagakhanhhoabinhduongxn--eveni-0qa01gaxn--f6qx53axn--fct429kooris-a-nascarfanxn--fhbeiarnxn--finny-yuaxn--fiq228c5hsbcleverappsassarinuyamashinazawaxn--fiq64barsycenterprisecloudcontrolappgafanquangnamasteigenoamishirasatochigifts3-website-eu-west-1xn--fiqs8swidnicaravanylvenetogakushimotoganexn--fiqz9swidnikitagatakkomaganexn--fjord-lraxn--fjq720axn--fl-ziaxn--flor-jraxn--flw351exn--forl-cesena-fcbsswiebodzindependent-commissionxn--forlcesena-c8axn--fpcrj9c3dxn--frde-granexn--frna-woaxn--frya-hraxn--fzc2c9e2clickrisinglesjaguarxn--fzys8d69uvgmailxn--g2xx48clinicasacampinagrandebungotakadaemongolianishitosashimizunaminamiawajikintuitoyotsukaidownloadrudtvsaogoncapooguyxn--gckr3f0fastvps-serveronakanotoddenxn--gecrj9cliniquedaklakasamatsudoesntexisteingeekasserversicherungroks-theatrentin-sud-tirolxn--ggaviika-8ya47hagebostadxn--gildeskl-g0axn--givuotna-8yandexcloudxn--gjvik-wuaxn--gk3at1exn--gls-elacaixaxn--gmq050is-into-gamessinamsosnowieconomiasadojin-dslattuminamitanexn--gmqw5axn--gnstigbestellen-zvbrplsbxn--45brj9churcharterxn--gnstigliefern-wobihirosakikamijimayfirstorfjordxn--h-2failxn--h1ahnxn--h1alizxn--h2breg3eveneswinoujsciencexn--h2brj9c8clothingdustdatadetectrani-andria-barletta-trani-andriaxn--h3cuzk1dienbienxn--hbmer-xqaxn--hcesuolo-7ya35barsyonlinehimejiiyamanouchikujoinvilleirvikarasuyamashikemrevistathellequipmentjmaxxxjavald-aostatics3-website-sa-east-1xn--hebda8basicserversejny-2xn--hery-iraxn--hgebostad-g3axn--hkkinen-5waxn--hmmrfeasta-s4accident-prevention-k3swisstufftoread-booksnestudioxn--hnefoss-q1axn--hobl-iraxn--holtlen-hxaxn--hpmir-xqaxn--hxt814exn--hyanger-q1axn--hylandet-54axn--i1b6b1a6a2exn--imr513nxn--indery-fyaotsusonoxn--io0a7is-leetrentinoaltoadigexn--j1adpohlxn--j1aefauskedsmokorsetagayaseralingenovaraxn--j1ael8basilicataniaxn--j1amhaibarakisosakitahatakamatsukawaxn--j6w193gxn--jlq480n2rgxn--jlster-byasakaiminatoyookananiimiharuxn--jrpeland-54axn--jvr189misasaguris-an-accountantsmolaquilaocais-a-linux-useranishiaritabashikaoizumizakitashiobaraxn--k7yn95exn--karmy-yuaxn--kbrq7oxn--kcrx77d1x4axn--kfjord-iuaxn--klbu-woaxn--klt787dxn--kltp7dxn--kltx9axn--klty5xn--45q11circlerkstagentsasayamaxn--koluokta-7ya57haiduongxn--kprw13dxn--kpry57dxn--kput3is-lostre-toteneis-a-llamarumorimachidaxn--krager-gyasugitlabbvieeexn--kranghke-b0axn--krdsherad-m8axn--krehamn-dxaxn--krjohka-hwab49jdfastly-terrariuminamiiseharaxn--ksnes-uuaxn--kvfjord-nxaxn--kvitsy-fyasuokanmakiwakuratexn--kvnangen-k0axn--l-1fairwindsynology-diskstationxn--l1accentureklamborghinikkofuefukihabororosynology-dsuzakadnsaliastudynaliastrynxn--laheadju-7yatominamibosoftwarendalenugxn--langevg-jxaxn--lcvr32dxn--ldingen-q1axn--leagaviika-52basketballfinanzjaworznoticeableksvikaratsuginamikatagamilanotogawaxn--lesund-huaxn--lgbbat1ad8jejuxn--lgrd-poacctulaspeziaxn--lhppi-xqaxn--linds-pramericanexpresservegame-serverxn--loabt-0qaxn--lrdal-sraxn--lrenskog-54axn--lt-liacn-northwest-1xn--lten-granvindafjordxn--lury-iraxn--m3ch0j3axn--mely-iraxn--merker-kuaxn--mgb2ddesxn--mgb9awbfbsbxn--1qqw23axn--mgba3a3ejtunesuzukamogawaxn--mgba3a4f16axn--mgba3a4fra1-deloittexn--mgba7c0bbn0axn--mgbaakc7dvfsxn--mgbaam7a8haiphongonnakatsugawaxn--mgbab2bdxn--mgbah1a3hjkrdxn--mgbai9a5eva00batsfjordiscountry-snowplowiczeladzlgleezeu-2xn--mgbai9azgqp6jelasticbeanstalkharkovalleeaostexn--mgbayh7gparasitexn--mgbbh1a71exn--mgbc0a9azcgxn--mgbca7dzdoxn--mgbcpq6gpa1axn--mgberp4a5d4a87gxn--mgberp4a5d4arxn--mgbgu82axn--mgbi4ecexposedxn--mgbpl2fhskopervikhmelnytskyivalleedaostexn--mgbqly7c0a67fbcngroks-thisayamanobeatsaudaxn--mgbqly7cvafricargoboavistanbulsan-sudtirolxn--mgbt3dhdxn--mgbtf8flatangerxn--mgbtx2bauhauspostman-echofunatoriginstances3-website-us-east-1xn--mgbx4cd0abkhaziaxn--mix082fbx-osewienxn--mix891fbxosexyxn--mjndalen-64axn--mk0axindependent-inquiryxn--mk1bu44cnpyatigorskjervoyagexn--mkru45is-not-certifiedxn--mlatvuopmi-s4axn--mli-tlavagiskexn--mlselv-iuaxn--moreke-juaxn--mori-qsakuratanxn--mosjen-eyatsukannamihokksundxn--mot-tlavangenxn--mre-og-romsdal-qqbuservecounterstrikexn--msy-ula0hair-surveillancexn--mtta-vrjjat-k7aflakstadaokayamazonaws-cloud9guacuiababybluebiteckidsmynasushiobaracingrok-freeddnsfreebox-osascoli-picenogatabuseating-organicbcgjerdrumcprequalifymelbourneasypanelblagrarq-authgear-stagingjerstadeltaishinomakilovecollegefantasyleaguenoharauthgearappspacehosted-by-previderehabmereitattoolforgerockyombolzano-altoadigeorgeorgiauthordalandroideporteatonamidorivnebetsukubankanumazuryomitanocparmautocodebergamoarekembuchikumagayagawafflecelloisirs3-external-180reggioemiliaromagnarusawaustrheimbalsan-sudtirolivingitpagexlivornobserveregruhostingivestbyglandroverhalladeskjakamaiedge-stagingivingjemnes3-eu-west-2038xn--muost-0qaxn--mxtq1misawaxn--ngbc5azdxn--ngbe9e0axn--ngbrxn--4dbgdty6ciscofreakamaihd-stagingriwataraindroppdalxn--nit225koryokamikawanehonbetsuwanouchikuhokuryugasakis-a-nursellsyourhomeftpiwatexn--nmesjevuemie-tcbalatinord-frontierxn--nnx388axn--nodessakurawebsozais-savedxn--nqv7fs00emaxn--nry-yla5gxn--ntso0iqx3axn--ntsq17gxn--nttery-byaeservehalflifeinsurancexn--nvuotna-hwaxn--nyqy26axn--o1achernivtsicilynxn--4dbrk0cexn--o3cw4hakatanortonkotsunndalxn--o3cyx2axn--od0algardxn--od0aq3beneventodayusuharaxn--ogbpf8fldrvelvetromsohuissier-justicexn--oppegrd-ixaxn--ostery-fyatsushiroxn--osyro-wuaxn--otu796dxn--p1acfedjeezxn--p1ais-slickharkivallee-d-aostexn--pgbs0dhlx3xn--porsgu-sta26fedorainfraclouderaxn--pssu33lxn--pssy2uxn--q7ce6axn--q9jyb4cnsauheradyndns-at-homedepotenzamamicrosoftbankasukabedzin-brbalsfjordietgoryoshiokanravocats3-fips-us-gov-west-1xn--qcka1pmcpenzapposxn--qqqt11misconfusedxn--qxa6axn--qxamunexus-3xn--rady-iraxn--rdal-poaxn--rde-ulazioxn--rdy-0nabaris-uberleetrentinos-tirolxn--rennesy-v1axn--rhkkervju-01afedorapeoplefrakkestadyndns-webhostingujogaszxn--rholt-mragowoltlab-democraciaxn--rhqv96gxn--rht27zxn--rht3dxn--rht61exn--risa-5naturalxn--risr-iraxn--rland-uuaxn--rlingen-mxaxn--rmskog-byawaraxn--rny31hakodatexn--rovu88bentleyusuitatamotorsitestinglitchernihivgubs3-website-us-west-1xn--rros-graphicsxn--rskog-uuaxn--rst-0naturbruksgymnxn--rsta-framercanvasxn--rvc1e0am3exn--ryken-vuaxn--ryrvik-byawatahamaxn--s-1faitheshopwarezzoxn--s9brj9cntraniandriabarlettatraniandriaxn--sandnessjen-ogbentrendhostingliwiceu-3xn--sandy-yuaxn--sdtirol-n2axn--seral-lraxn--ses554gxn--sgne-graphoxn--4gbriminiserverxn--skierv-utazurestaticappspaceusercontentunkongsvingerxn--skjervy-v1axn--skjk-soaxn--sknit-yqaxn--sknland-fxaxn--slat-5navigationxn--slt-elabogadobeaemcloud-fr1xn--smla-hraxn--smna-gratangenxn--snase-nraxn--sndre-land-0cbeppublishproxyuufcfanirasakindependent-panelomonza-brianzaporizhzhedmarkarelianceu-4xn--snes-poaxn--snsa-roaxn--sr-aurdal-l8axn--sr-fron-q1axn--sr-odal-q1axn--sr-varanger-ggbeskidyn-ip24xn--srfold-byaxn--srreisa-q1axn--srum-gratis-a-bloggerxn--stfold-9xaxn--stjrdal-s1axn--stjrdalshalsen-sqbestbuyshoparenagasakikuchikuseihicampinashikiminohostfoldnavyuzawaxn--stre-toten-zcbetainaboxfuselfipartindependent-reviewegroweibolognagasukeu-north-1xn--t60b56axn--tckweddingxn--tiq49xqyjelenia-goraxn--tjme-hraxn--tn0agrocerydxn--tnsberg-q1axn--tor131oxn--trany-yuaxn--trentin-sd-tirol-rzbhzc66xn--trentin-sdtirol-7vbialystokkeymachineu-south-1xn--trentino-sd-tirol-c3bielawakuyachimataharanzanishiazaindielddanuorrindigenamerikawauevje-og-hornnes3-website-us-west-2xn--trentino-sdtirol-szbiella-speziaxn--trentinosd-tirol-rzbieszczadygeyachiyodaeguamfamscompute-1xn--trentinosdtirol-7vbievat-band-campaignieznoorstaplesakyotanabellunordeste-idclkarlsoyxn--trentinsd-tirol-6vbifukagawalbrzycharitydalomzaporizhzhiaxn--trentinsdtirol-nsbigv-infolkebiblegnicalvinklein-butterhcloudiscoursesalangenishigotpantheonsitexn--trgstad-r1axn--trna-woaxn--troms-zuaxn--tysvr-vraxn--uc0atventuresinstagingxn--uc0ay4axn--uist22hakonexn--uisz3gxn--unjrga-rtashkenturindalxn--unup4yxn--uuwu58axn--vads-jraxn--valle-aoste-ebbturystykaneyamazoexn--valle-d-aoste-ehboehringerikexn--valleaoste-e7axn--valledaoste-ebbvadsoccertmgreaterxn--vard-jraxn--vegrshei-c0axn--vermgensberater-ctb-hostingxn--vermgensberatung-pwbiharstadotsubetsugarulezajskiervaksdalondonetskarmoyxn--vestvgy-ixa6oxn--vg-yiabruzzombieidskogasawarackmazerbaijan-mayenbaidarmeniaxn--vgan-qoaxn--vgsy-qoa0jellybeanxn--vgu402coguchikuzenishiwakinvestmentsaveincloudyndns-at-workisboringsakershusrcfdyndns-blogsitexn--vhquvestfoldxn--vler-qoaxn--vre-eiker-k8axn--vrggt-xqadxn--vry-yla5gxn--vuq861bihoronobeokagakikugawalesundiscoverdalondrinaplesknsalon-1xn--w4r85el8fhu5dnraxn--w4rs40lxn--wcvs22dxn--wgbh1communexn--wgbl6axn--xhq521bikedaejeonbuk0xn--xkc2al3hye2axn--xkc2dl3a5ee0hakubackyardshiraois-a-greenxn--y9a3aquarelleasingxn--yer-znavois-very-badxn--yfro4i67oxn--ygarden-p1axn--ygbi2ammxn--4it168dxn--ystre-slidre-ujbiofficialorenskoglobodoes-itcouldbeworldishangrilamdongnairkitapps-audibleasecuritytacticsxn--0trq7p7nnishiharaxn--zbx025dxn--zf0ao64axn--zf0avxlxn--zfr164bipartsaloonishiizunazukindustriaxnbayernxz
\ No newline at end of file
diff --git a/publicsuffix/example_test.go b/publicsuffix/example_test.go
index 3f44dcfe7..c051dac8e 100644
--- a/publicsuffix/example_test.go
+++ b/publicsuffix/example_test.go
@@ -77,7 +77,7 @@ func ExamplePublicSuffix_manager() {
 	// >               golang.dev             dev  is  ICANN Managed
 	// >               golang.net             net  is  ICANN Managed
 	// >          play.golang.org             org  is  ICANN Managed
-	// >  gophers.in.space.museum    space.museum  is  ICANN Managed
+	// >  gophers.in.space.museum          museum  is  ICANN Managed
 	// >
 	// >                 0emm.com             com  is  ICANN Managed
 	// >               a.0emm.com      a.0emm.com  is  Privately Managed
diff --git a/publicsuffix/table.go b/publicsuffix/table.go
index 6bdadcc44..78d400fa6 100644
--- a/publicsuffix/table.go
+++ b/publicsuffix/table.go
@@ -4,7 +4,7 @@ package publicsuffix
 
 import _ "embed"
 
-const version = "publicsuffix.org's public_suffix_list.dat, git revision e248cbc92a527a166454afe9914c4c1b4253893f (2022-11-15T18:02:38Z)"
+const version = "publicsuffix.org's public_suffix_list.dat, git revision 63cbc63d470d7b52c35266aa96c4c98c96ec499c (2023-08-03T10:01:25Z)"
 
 const (
 	nodesBits           = 40
@@ -26,7 +26,7 @@ const (
 )
 
 // numTLD is the number of top level domains.
-const numTLD = 1494
+const numTLD = 1474
 
 // text is the combined text of all labels.
 //
@@ -63,8 +63,8 @@ var nodes uint40String
 //go:embed data/children
 var children uint32String
 
-// max children 718 (capacity 1023)
-// max text offset 32976 (capacity 65535)
-// max text length 36 (capacity 63)
-// max hi 9656 (capacity 16383)
-// max lo 9651 (capacity 16383)
+// max children 743 (capacity 1023)
+// max text offset 30876 (capacity 65535)
+// max text length 31 (capacity 63)
+// max hi 9322 (capacity 16383)
+// max lo 9317 (capacity 16383)
diff --git a/publicsuffix/table_test.go b/publicsuffix/table_test.go
index 99698271a..a297b3b0d 100644
--- a/publicsuffix/table_test.go
+++ b/publicsuffix/table_test.go
@@ -2,7 +2,7 @@
 
 package publicsuffix
 
-const numICANNRules = 7367
+const numICANNRules = 6893
 
 var rules = [...]string{
 	"ac",
@@ -302,9 +302,26 @@ var rules = [...]string{
 	"org.bi",
 	"biz",
 	"bj",
-	"asso.bj",
-	"barreau.bj",
-	"gouv.bj",
+	"africa.bj",
+	"agro.bj",
+	"architectes.bj",
+	"assur.bj",
+	"avocats.bj",
+	"co.bj",
+	"com.bj",
+	"eco.bj",
+	"econo.bj",
+	"edu.bj",
+	"info.bj",
+	"loisirs.bj",
+	"money.bj",
+	"net.bj",
+	"org.bj",
+	"ote.bj",
+	"resto.bj",
+	"restaurant.bj",
+	"tourism.bj",
+	"univ.bj",
 	"bm",
 	"com.bm",
 	"edu.bm",
@@ -3596,552 +3613,6 @@ var rules = [...]string{
 	"co.mu",
 	"or.mu",
 	"museum",
-	"academy.museum",
-	"agriculture.museum",
-	"air.museum",
-	"airguard.museum",
-	"alabama.museum",
-	"alaska.museum",
-	"amber.museum",
-	"ambulance.museum",
-	"american.museum",
-	"americana.museum",
-	"americanantiques.museum",
-	"americanart.museum",
-	"amsterdam.museum",
-	"and.museum",
-	"annefrank.museum",
-	"anthro.museum",
-	"anthropology.museum",
-	"antiques.museum",
-	"aquarium.museum",
-	"arboretum.museum",
-	"archaeological.museum",
-	"archaeology.museum",
-	"architecture.museum",
-	"art.museum",
-	"artanddesign.museum",
-	"artcenter.museum",
-	"artdeco.museum",
-	"arteducation.museum",
-	"artgallery.museum",
-	"arts.museum",
-	"artsandcrafts.museum",
-	"asmatart.museum",
-	"assassination.museum",
-	"assisi.museum",
-	"association.museum",
-	"astronomy.museum",
-	"atlanta.museum",
-	"austin.museum",
-	"australia.museum",
-	"automotive.museum",
-	"aviation.museum",
-	"axis.museum",
-	"badajoz.museum",
-	"baghdad.museum",
-	"bahn.museum",
-	"bale.museum",
-	"baltimore.museum",
-	"barcelona.museum",
-	"baseball.museum",
-	"basel.museum",
-	"baths.museum",
-	"bauern.museum",
-	"beauxarts.museum",
-	"beeldengeluid.museum",
-	"bellevue.museum",
-	"bergbau.museum",
-	"berkeley.museum",
-	"berlin.museum",
-	"bern.museum",
-	"bible.museum",
-	"bilbao.museum",
-	"bill.museum",
-	"birdart.museum",
-	"birthplace.museum",
-	"bonn.museum",
-	"boston.museum",
-	"botanical.museum",
-	"botanicalgarden.museum",
-	"botanicgarden.museum",
-	"botany.museum",
-	"brandywinevalley.museum",
-	"brasil.museum",
-	"bristol.museum",
-	"british.museum",
-	"britishcolumbia.museum",
-	"broadcast.museum",
-	"brunel.museum",
-	"brussel.museum",
-	"brussels.museum",
-	"bruxelles.museum",
-	"building.museum",
-	"burghof.museum",
-	"bus.museum",
-	"bushey.museum",
-	"cadaques.museum",
-	"california.museum",
-	"cambridge.museum",
-	"can.museum",
-	"canada.museum",
-	"capebreton.museum",
-	"carrier.museum",
-	"cartoonart.museum",
-	"casadelamoneda.museum",
-	"castle.museum",
-	"castres.museum",
-	"celtic.museum",
-	"center.museum",
-	"chattanooga.museum",
-	"cheltenham.museum",
-	"chesapeakebay.museum",
-	"chicago.museum",
-	"children.museum",
-	"childrens.museum",
-	"childrensgarden.museum",
-	"chiropractic.museum",
-	"chocolate.museum",
-	"christiansburg.museum",
-	"cincinnati.museum",
-	"cinema.museum",
-	"circus.museum",
-	"civilisation.museum",
-	"civilization.museum",
-	"civilwar.museum",
-	"clinton.museum",
-	"clock.museum",
-	"coal.museum",
-	"coastaldefence.museum",
-	"cody.museum",
-	"coldwar.museum",
-	"collection.museum",
-	"colonialwilliamsburg.museum",
-	"coloradoplateau.museum",
-	"columbia.museum",
-	"columbus.museum",
-	"communication.museum",
-	"communications.museum",
-	"community.museum",
-	"computer.museum",
-	"computerhistory.museum",
-	"xn--comunicaes-v6a2o.museum",
-	"contemporary.museum",
-	"contemporaryart.museum",
-	"convent.museum",
-	"copenhagen.museum",
-	"corporation.museum",
-	"xn--correios-e-telecomunicaes-ghc29a.museum",
-	"corvette.museum",
-	"costume.museum",
-	"countryestate.museum",
-	"county.museum",
-	"crafts.museum",
-	"cranbrook.museum",
-	"creation.museum",
-	"cultural.museum",
-	"culturalcenter.museum",
-	"culture.museum",
-	"cyber.museum",
-	"cymru.museum",
-	"dali.museum",
-	"dallas.museum",
-	"database.museum",
-	"ddr.museum",
-	"decorativearts.museum",
-	"delaware.museum",
-	"delmenhorst.museum",
-	"denmark.museum",
-	"depot.museum",
-	"design.museum",
-	"detroit.museum",
-	"dinosaur.museum",
-	"discovery.museum",
-	"dolls.museum",
-	"donostia.museum",
-	"durham.museum",
-	"eastafrica.museum",
-	"eastcoast.museum",
-	"education.museum",
-	"educational.museum",
-	"egyptian.museum",
-	"eisenbahn.museum",
-	"elburg.museum",
-	"elvendrell.museum",
-	"embroidery.museum",
-	"encyclopedic.museum",
-	"england.museum",
-	"entomology.museum",
-	"environment.museum",
-	"environmentalconservation.museum",
-	"epilepsy.museum",
-	"essex.museum",
-	"estate.museum",
-	"ethnology.museum",
-	"exeter.museum",
-	"exhibition.museum",
-	"family.museum",
-	"farm.museum",
-	"farmequipment.museum",
-	"farmers.museum",
-	"farmstead.museum",
-	"field.museum",
-	"figueres.museum",
-	"filatelia.museum",
-	"film.museum",
-	"fineart.museum",
-	"finearts.museum",
-	"finland.museum",
-	"flanders.museum",
-	"florida.museum",
-	"force.museum",
-	"fortmissoula.museum",
-	"fortworth.museum",
-	"foundation.museum",
-	"francaise.museum",
-	"frankfurt.museum",
-	"franziskaner.museum",
-	"freemasonry.museum",
-	"freiburg.museum",
-	"fribourg.museum",
-	"frog.museum",
-	"fundacio.museum",
-	"furniture.museum",
-	"gallery.museum",
-	"garden.museum",
-	"gateway.museum",
-	"geelvinck.museum",
-	"gemological.museum",
-	"geology.museum",
-	"georgia.museum",
-	"giessen.museum",
-	"glas.museum",
-	"glass.museum",
-	"gorge.museum",
-	"grandrapids.museum",
-	"graz.museum",
-	"guernsey.museum",
-	"halloffame.museum",
-	"hamburg.museum",
-	"handson.museum",
-	"harvestcelebration.museum",
-	"hawaii.museum",
-	"health.museum",
-	"heimatunduhren.museum",
-	"hellas.museum",
-	"helsinki.museum",
-	"hembygdsforbund.museum",
-	"heritage.museum",
-	"histoire.museum",
-	"historical.museum",
-	"historicalsociety.museum",
-	"historichouses.museum",
-	"historisch.museum",
-	"historisches.museum",
-	"history.museum",
-	"historyofscience.museum",
-	"horology.museum",
-	"house.museum",
-	"humanities.museum",
-	"illustration.museum",
-	"imageandsound.museum",
-	"indian.museum",
-	"indiana.museum",
-	"indianapolis.museum",
-	"indianmarket.museum",
-	"intelligence.museum",
-	"interactive.museum",
-	"iraq.museum",
-	"iron.museum",
-	"isleofman.museum",
-	"jamison.museum",
-	"jefferson.museum",
-	"jerusalem.museum",
-	"jewelry.museum",
-	"jewish.museum",
-	"jewishart.museum",
-	"jfk.museum",
-	"journalism.museum",
-	"judaica.museum",
-	"judygarland.museum",
-	"juedisches.museum",
-	"juif.museum",
-	"karate.museum",
-	"karikatur.museum",
-	"kids.museum",
-	"koebenhavn.museum",
-	"koeln.museum",
-	"kunst.museum",
-	"kunstsammlung.museum",
-	"kunstunddesign.museum",
-	"labor.museum",
-	"labour.museum",
-	"lajolla.museum",
-	"lancashire.museum",
-	"landes.museum",
-	"lans.museum",
-	"xn--lns-qla.museum",
-	"larsson.museum",
-	"lewismiller.museum",
-	"lincoln.museum",
-	"linz.museum",
-	"living.museum",
-	"livinghistory.museum",
-	"localhistory.museum",
-	"london.museum",
-	"losangeles.museum",
-	"louvre.museum",
-	"loyalist.museum",
-	"lucerne.museum",
-	"luxembourg.museum",
-	"luzern.museum",
-	"mad.museum",
-	"madrid.museum",
-	"mallorca.museum",
-	"manchester.museum",
-	"mansion.museum",
-	"mansions.museum",
-	"manx.museum",
-	"marburg.museum",
-	"maritime.museum",
-	"maritimo.museum",
-	"maryland.museum",
-	"marylhurst.museum",
-	"media.museum",
-	"medical.museum",
-	"medizinhistorisches.museum",
-	"meeres.museum",
-	"memorial.museum",
-	"mesaverde.museum",
-	"michigan.museum",
-	"midatlantic.museum",
-	"military.museum",
-	"mill.museum",
-	"miners.museum",
-	"mining.museum",
-	"minnesota.museum",
-	"missile.museum",
-	"missoula.museum",
-	"modern.museum",
-	"moma.museum",
-	"money.museum",
-	"monmouth.museum",
-	"monticello.museum",
-	"montreal.museum",
-	"moscow.museum",
-	"motorcycle.museum",
-	"muenchen.museum",
-	"muenster.museum",
-	"mulhouse.museum",
-	"muncie.museum",
-	"museet.museum",
-	"museumcenter.museum",
-	"museumvereniging.museum",
-	"music.museum",
-	"national.museum",
-	"nationalfirearms.museum",
-	"nationalheritage.museum",
-	"nativeamerican.museum",
-	"naturalhistory.museum",
-	"naturalhistorymuseum.museum",
-	"naturalsciences.museum",
-	"nature.museum",
-	"naturhistorisches.museum",
-	"natuurwetenschappen.museum",
-	"naumburg.museum",
-	"naval.museum",
-	"nebraska.museum",
-	"neues.museum",
-	"newhampshire.museum",
-	"newjersey.museum",
-	"newmexico.museum",
-	"newport.museum",
-	"newspaper.museum",
-	"newyork.museum",
-	"niepce.museum",
-	"norfolk.museum",
-	"north.museum",
-	"nrw.museum",
-	"nyc.museum",
-	"nyny.museum",
-	"oceanographic.museum",
-	"oceanographique.museum",
-	"omaha.museum",
-	"online.museum",
-	"ontario.museum",
-	"openair.museum",
-	"oregon.museum",
-	"oregontrail.museum",
-	"otago.museum",
-	"oxford.museum",
-	"pacific.museum",
-	"paderborn.museum",
-	"palace.museum",
-	"paleo.museum",
-	"palmsprings.museum",
-	"panama.museum",
-	"paris.museum",
-	"pasadena.museum",
-	"pharmacy.museum",
-	"philadelphia.museum",
-	"philadelphiaarea.museum",
-	"philately.museum",
-	"phoenix.museum",
-	"photography.museum",
-	"pilots.museum",
-	"pittsburgh.museum",
-	"planetarium.museum",
-	"plantation.museum",
-	"plants.museum",
-	"plaza.museum",
-	"portal.museum",
-	"portland.museum",
-	"portlligat.museum",
-	"posts-and-telecommunications.museum",
-	"preservation.museum",
-	"presidio.museum",
-	"press.museum",
-	"project.museum",
-	"public.museum",
-	"pubol.museum",
-	"quebec.museum",
-	"railroad.museum",
-	"railway.museum",
-	"research.museum",
-	"resistance.museum",
-	"riodejaneiro.museum",
-	"rochester.museum",
-	"rockart.museum",
-	"roma.museum",
-	"russia.museum",
-	"saintlouis.museum",
-	"salem.museum",
-	"salvadordali.museum",
-	"salzburg.museum",
-	"sandiego.museum",
-	"sanfrancisco.museum",
-	"santabarbara.museum",
-	"santacruz.museum",
-	"santafe.museum",
-	"saskatchewan.museum",
-	"satx.museum",
-	"savannahga.museum",
-	"schlesisches.museum",
-	"schoenbrunn.museum",
-	"schokoladen.museum",
-	"school.museum",
-	"schweiz.museum",
-	"science.museum",
-	"scienceandhistory.museum",
-	"scienceandindustry.museum",
-	"sciencecenter.museum",
-	"sciencecenters.museum",
-	"science-fiction.museum",
-	"sciencehistory.museum",
-	"sciences.museum",
-	"sciencesnaturelles.museum",
-	"scotland.museum",
-	"seaport.museum",
-	"settlement.museum",
-	"settlers.museum",
-	"shell.museum",
-	"sherbrooke.museum",
-	"sibenik.museum",
-	"silk.museum",
-	"ski.museum",
-	"skole.museum",
-	"society.museum",
-	"sologne.museum",
-	"soundandvision.museum",
-	"southcarolina.museum",
-	"southwest.museum",
-	"space.museum",
-	"spy.museum",
-	"square.museum",
-	"stadt.museum",
-	"stalbans.museum",
-	"starnberg.museum",
-	"state.museum",
-	"stateofdelaware.museum",
-	"station.museum",
-	"steam.museum",
-	"steiermark.museum",
-	"stjohn.museum",
-	"stockholm.museum",
-	"stpetersburg.museum",
-	"stuttgart.museum",
-	"suisse.museum",
-	"surgeonshall.museum",
-	"surrey.museum",
-	"svizzera.museum",
-	"sweden.museum",
-	"sydney.museum",
-	"tank.museum",
-	"tcm.museum",
-	"technology.museum",
-	"telekommunikation.museum",
-	"television.museum",
-	"texas.museum",
-	"textile.museum",
-	"theater.museum",
-	"time.museum",
-	"timekeeping.museum",
-	"topology.museum",
-	"torino.museum",
-	"touch.museum",
-	"town.museum",
-	"transport.museum",
-	"tree.museum",
-	"trolley.museum",
-	"trust.museum",
-	"trustee.museum",
-	"uhren.museum",
-	"ulm.museum",
-	"undersea.museum",
-	"university.museum",
-	"usa.museum",
-	"usantiques.museum",
-	"usarts.museum",
-	"uscountryestate.museum",
-	"usculture.museum",
-	"usdecorativearts.museum",
-	"usgarden.museum",
-	"ushistory.museum",
-	"ushuaia.museum",
-	"uslivinghistory.museum",
-	"utah.museum",
-	"uvic.museum",
-	"valley.museum",
-	"vantaa.museum",
-	"versailles.museum",
-	"viking.museum",
-	"village.museum",
-	"virginia.museum",
-	"virtual.museum",
-	"virtuel.museum",
-	"vlaanderen.museum",
-	"volkenkunde.museum",
-	"wales.museum",
-	"wallonie.museum",
-	"war.museum",
-	"washingtondc.museum",
-	"watchandclock.museum",
-	"watch-and-clock.museum",
-	"western.museum",
-	"westfalen.museum",
-	"whaling.museum",
-	"wildlife.museum",
-	"williamsburg.museum",
-	"windmill.museum",
-	"workshop.museum",
-	"york.museum",
-	"yorkshire.museum",
-	"yosemite.museum",
-	"youth.museum",
-	"zoological.museum",
-	"zoology.museum",
-	"xn--9dbhblg6di.museum",
-	"xn--h1aegh.museum",
 	"mv",
 	"aero.mv",
 	"biz.mv",
@@ -5133,52 +4604,60 @@ var rules = [...]string{
 	"turystyka.pl",
 	"gov.pl",
 	"ap.gov.pl",
+	"griw.gov.pl",
 	"ic.gov.pl",
 	"is.gov.pl",
-	"us.gov.pl",
 	"kmpsp.gov.pl",
+	"konsulat.gov.pl",
 	"kppsp.gov.pl",
-	"kwpsp.gov.pl",
-	"psp.gov.pl",
-	"wskr.gov.pl",
 	"kwp.gov.pl",
+	"kwpsp.gov.pl",
+	"mup.gov.pl",
 	"mw.gov.pl",
-	"ug.gov.pl",
-	"um.gov.pl",
-	"umig.gov.pl",
-	"ugim.gov.pl",
-	"upow.gov.pl",
-	"uw.gov.pl",
-	"starostwo.gov.pl",
+	"oia.gov.pl",
+	"oirm.gov.pl",
+	"oke.gov.pl",
+	"oow.gov.pl",
+	"oschr.gov.pl",
+	"oum.gov.pl",
 	"pa.gov.pl",
+	"pinb.gov.pl",
+	"piw.gov.pl",
 	"po.gov.pl",
+	"pr.gov.pl",
+	"psp.gov.pl",
 	"psse.gov.pl",
 	"pup.gov.pl",
 	"rzgw.gov.pl",
 	"sa.gov.pl",
+	"sdn.gov.pl",
+	"sko.gov.pl",
 	"so.gov.pl",
 	"sr.gov.pl",
-	"wsa.gov.pl",
-	"sko.gov.pl",
+	"starostwo.gov.pl",
+	"ug.gov.pl",
+	"ugim.gov.pl",
+	"um.gov.pl",
+	"umig.gov.pl",
+	"upow.gov.pl",
+	"uppo.gov.pl",
+	"us.gov.pl",
+	"uw.gov.pl",
 	"uzs.gov.pl",
+	"wif.gov.pl",
 	"wiih.gov.pl",
 	"winb.gov.pl",
-	"pinb.gov.pl",
 	"wios.gov.pl",
 	"witd.gov.pl",
-	"wzmiuw.gov.pl",
-	"piw.gov.pl",
 	"wiw.gov.pl",
-	"griw.gov.pl",
-	"wif.gov.pl",
-	"oum.gov.pl",
-	"sdn.gov.pl",
-	"zp.gov.pl",
-	"uppo.gov.pl",
-	"mup.gov.pl",
+	"wkz.gov.pl",
+	"wsa.gov.pl",
+	"wskr.gov.pl",
+	"wsse.gov.pl",
 	"wuoz.gov.pl",
-	"konsulat.gov.pl",
-	"oirm.gov.pl",
+	"wzmiuw.gov.pl",
+	"zp.gov.pl",
+	"zpisdn.gov.pl",
 	"augustow.pl",
 	"babia-gora.pl",
 	"bedzin.pl",
@@ -5722,6 +5201,7 @@ var rules = [...]string{
 	"kirovograd.ua",
 	"km.ua",
 	"kr.ua",
+	"kropyvnytskyi.ua",
 	"krym.ua",
 	"ks.ua",
 	"kv.ua",
@@ -6063,18 +5543,84 @@ var rules = [...]string{
 	"net.vi",
 	"org.vi",
 	"vn",
+	"ac.vn",
+	"ai.vn",
+	"biz.vn",
 	"com.vn",
-	"net.vn",
-	"org.vn",
 	"edu.vn",
 	"gov.vn",
-	"int.vn",
-	"ac.vn",
-	"biz.vn",
+	"health.vn",
+	"id.vn",
 	"info.vn",
+	"int.vn",
+	"io.vn",
 	"name.vn",
+	"net.vn",
+	"org.vn",
 	"pro.vn",
-	"health.vn",
+	"angiang.vn",
+	"bacgiang.vn",
+	"backan.vn",
+	"baclieu.vn",
+	"bacninh.vn",
+	"baria-vungtau.vn",
+	"bentre.vn",
+	"binhdinh.vn",
+	"binhduong.vn",
+	"binhphuoc.vn",
+	"binhthuan.vn",
+	"camau.vn",
+	"cantho.vn",
+	"caobang.vn",
+	"daklak.vn",
+	"daknong.vn",
+	"danang.vn",
+	"dienbien.vn",
+	"dongnai.vn",
+	"dongthap.vn",
+	"gialai.vn",
+	"hagiang.vn",
+	"haiduong.vn",
+	"haiphong.vn",
+	"hanam.vn",
+	"hanoi.vn",
+	"hatinh.vn",
+	"haugiang.vn",
+	"hoabinh.vn",
+	"hungyen.vn",
+	"khanhhoa.vn",
+	"kiengiang.vn",
+	"kontum.vn",
+	"laichau.vn",
+	"lamdong.vn",
+	"langson.vn",
+	"laocai.vn",
+	"longan.vn",
+	"namdinh.vn",
+	"nghean.vn",
+	"ninhbinh.vn",
+	"ninhthuan.vn",
+	"phutho.vn",
+	"phuyen.vn",
+	"quangbinh.vn",
+	"quangnam.vn",
+	"quangngai.vn",
+	"quangninh.vn",
+	"quangtri.vn",
+	"soctrang.vn",
+	"sonla.vn",
+	"tayninh.vn",
+	"thaibinh.vn",
+	"thainguyen.vn",
+	"thanhhoa.vn",
+	"thanhphohochiminh.vn",
+	"thuathienhue.vn",
+	"tiengiang.vn",
+	"travinh.vn",
+	"tuyenquang.vn",
+	"vinhlong.vn",
+	"vinhphuc.vn",
+	"yenbai.vn",
 	"vu",
 	"com.vu",
 	"edu.vu",
@@ -6221,7 +5767,6 @@ var rules = [...]string{
 	"org.zw",
 	"aaa",
 	"aarp",
-	"abarth",
 	"abb",
 	"abbott",
 	"abbvie",
@@ -6235,7 +5780,6 @@ var rules = [...]string{
 	"accountants",
 	"aco",
 	"actor",
-	"adac",
 	"ads",
 	"adult",
 	"aeg",
@@ -6249,7 +5793,6 @@ var rules = [...]string{
 	"airforce",
 	"airtel",
 	"akdn",
-	"alfaromeo",
 	"alibaba",
 	"alipay",
 	"allfinanz",
@@ -6445,7 +5988,6 @@ var rules = [...]string{
 	"contact",
 	"contractors",
 	"cooking",
-	"cookingchannel",
 	"cool",
 	"corsica",
 	"country",
@@ -6554,7 +6096,6 @@ var rules = [...]string{
 	"feedback",
 	"ferrari",
 	"ferrero",
-	"fiat",
 	"fidelity",
 	"fido",
 	"film",
@@ -6576,7 +6117,6 @@ var rules = [...]string{
 	"fly",
 	"foo",
 	"food",
-	"foodnetwork",
 	"football",
 	"ford",
 	"forex",
@@ -6661,7 +6201,6 @@ var rules = [...]string{
 	"helsinki",
 	"here",
 	"hermes",
-	"hgtv",
 	"hiphop",
 	"hisamitsu",
 	"hitachi",
@@ -6680,7 +6219,6 @@ var rules = [...]string{
 	"host",
 	"hosting",
 	"hot",
-	"hoteles",
 	"hotels",
 	"hotmail",
 	"house",
@@ -6761,7 +6299,6 @@ var rules = [...]string{
 	"lamborghini",
 	"lamer",
 	"lancaster",
-	"lancia",
 	"land",
 	"landrover",
 	"lanxess",
@@ -6789,7 +6326,6 @@ var rules = [...]string{
 	"limited",
 	"limo",
 	"lincoln",
-	"linde",
 	"link",
 	"lipsy",
 	"live",
@@ -6800,7 +6336,6 @@ var rules = [...]string{
 	"loans",
 	"locker",
 	"locus",
-	"loft",
 	"lol",
 	"london",
 	"lotte",
@@ -6813,7 +6348,6 @@ var rules = [...]string{
 	"lundbeck",
 	"luxe",
 	"luxury",
-	"macys",
 	"madrid",
 	"maif",
 	"maison",
@@ -6827,7 +6361,6 @@ var rules = [...]string{
 	"markets",
 	"marriott",
 	"marshalls",
-	"maserati",
 	"mattel",
 	"mba",
 	"mckinsey",
@@ -6868,7 +6401,6 @@ var rules = [...]string{
 	"mtn",
 	"mtr",
 	"music",
-	"mutual",
 	"nab",
 	"nagoya",
 	"natura",
@@ -6933,7 +6465,6 @@ var rules = [...]string{
 	"partners",
 	"parts",
 	"party",
-	"passagens",
 	"pay",
 	"pccw",
 	"pet",
@@ -7063,7 +6594,6 @@ var rules = [...]string{
 	"select",
 	"sener",
 	"services",
-	"ses",
 	"seven",
 	"sew",
 	"sex",
@@ -7157,7 +6687,6 @@ var rules = [...]string{
 	"tiaa",
 	"tickets",
 	"tienda",
-	"tiffany",
 	"tips",
 	"tires",
 	"tirol",
@@ -7180,7 +6709,6 @@ var rules = [...]string{
 	"trading",
 	"training",
 	"travel",
-	"travelchannel",
 	"travelers",
 	"travelersinsurance",
 	"trust",
@@ -7225,7 +6753,6 @@ var rules = [...]string{
 	"voting",
 	"voto",
 	"voyage",
-	"vuelos",
 	"wales",
 	"walmart",
 	"walter",
@@ -7316,7 +6843,6 @@ var rules = [...]string{
 	"xn--io0a7i",
 	"xn--j1aef",
 	"xn--jlq480n2rg",
-	"xn--jlq61u9w7b",
 	"xn--jvr189m",
 	"xn--kcrx77d1x4a",
 	"xn--kput3i",
@@ -7379,17 +6905,35 @@ var rules = [...]string{
 	"graphox.us",
 	"*.devcdnaccesso.com",
 	"*.on-acorn.io",
+	"activetrail.biz",
 	"adobeaemcloud.com",
 	"*.dev.adobeaemcloud.com",
 	"hlx.live",
 	"adobeaemcloud.net",
 	"hlx.page",
 	"hlx3.page",
+	"adobeio-static.net",
+	"adobeioruntime.net",
 	"beep.pl",
 	"airkitapps.com",
 	"airkitapps-au.com",
 	"airkitapps.eu",
 	"aivencloud.com",
+	"akadns.net",
+	"akamai.net",
+	"akamai-staging.net",
+	"akamaiedge.net",
+	"akamaiedge-staging.net",
+	"akamaihd.net",
+	"akamaihd-staging.net",
+	"akamaiorigin.net",
+	"akamaiorigin-staging.net",
+	"akamaized.net",
+	"akamaized-staging.net",
+	"edgekey.net",
+	"edgekey-staging.net",
+	"edgesuite.net",
+	"edgesuite-staging.net",
 	"barsy.ca",
 	"*.compute.estate",
 	"*.alces.network",
@@ -7456,46 +7000,72 @@ var rules = [...]string{
 	"s3.dualstack.us-east-2.amazonaws.com",
 	"s3.us-east-2.amazonaws.com",
 	"s3-website.us-east-2.amazonaws.com",
+	"analytics-gateway.ap-northeast-1.amazonaws.com",
+	"analytics-gateway.eu-west-1.amazonaws.com",
+	"analytics-gateway.us-east-1.amazonaws.com",
+	"analytics-gateway.us-east-2.amazonaws.com",
+	"analytics-gateway.us-west-2.amazonaws.com",
+	"webview-assets.aws-cloud9.af-south-1.amazonaws.com",
 	"vfs.cloud9.af-south-1.amazonaws.com",
 	"webview-assets.cloud9.af-south-1.amazonaws.com",
+	"webview-assets.aws-cloud9.ap-east-1.amazonaws.com",
 	"vfs.cloud9.ap-east-1.amazonaws.com",
 	"webview-assets.cloud9.ap-east-1.amazonaws.com",
+	"webview-assets.aws-cloud9.ap-northeast-1.amazonaws.com",
 	"vfs.cloud9.ap-northeast-1.amazonaws.com",
 	"webview-assets.cloud9.ap-northeast-1.amazonaws.com",
+	"webview-assets.aws-cloud9.ap-northeast-2.amazonaws.com",
 	"vfs.cloud9.ap-northeast-2.amazonaws.com",
 	"webview-assets.cloud9.ap-northeast-2.amazonaws.com",
+	"webview-assets.aws-cloud9.ap-northeast-3.amazonaws.com",
 	"vfs.cloud9.ap-northeast-3.amazonaws.com",
 	"webview-assets.cloud9.ap-northeast-3.amazonaws.com",
+	"webview-assets.aws-cloud9.ap-south-1.amazonaws.com",
 	"vfs.cloud9.ap-south-1.amazonaws.com",
 	"webview-assets.cloud9.ap-south-1.amazonaws.com",
+	"webview-assets.aws-cloud9.ap-southeast-1.amazonaws.com",
 	"vfs.cloud9.ap-southeast-1.amazonaws.com",
 	"webview-assets.cloud9.ap-southeast-1.amazonaws.com",
+	"webview-assets.aws-cloud9.ap-southeast-2.amazonaws.com",
 	"vfs.cloud9.ap-southeast-2.amazonaws.com",
 	"webview-assets.cloud9.ap-southeast-2.amazonaws.com",
+	"webview-assets.aws-cloud9.ca-central-1.amazonaws.com",
 	"vfs.cloud9.ca-central-1.amazonaws.com",
 	"webview-assets.cloud9.ca-central-1.amazonaws.com",
+	"webview-assets.aws-cloud9.eu-central-1.amazonaws.com",
 	"vfs.cloud9.eu-central-1.amazonaws.com",
 	"webview-assets.cloud9.eu-central-1.amazonaws.com",
+	"webview-assets.aws-cloud9.eu-north-1.amazonaws.com",
 	"vfs.cloud9.eu-north-1.amazonaws.com",
 	"webview-assets.cloud9.eu-north-1.amazonaws.com",
+	"webview-assets.aws-cloud9.eu-south-1.amazonaws.com",
 	"vfs.cloud9.eu-south-1.amazonaws.com",
 	"webview-assets.cloud9.eu-south-1.amazonaws.com",
+	"webview-assets.aws-cloud9.eu-west-1.amazonaws.com",
 	"vfs.cloud9.eu-west-1.amazonaws.com",
 	"webview-assets.cloud9.eu-west-1.amazonaws.com",
+	"webview-assets.aws-cloud9.eu-west-2.amazonaws.com",
 	"vfs.cloud9.eu-west-2.amazonaws.com",
 	"webview-assets.cloud9.eu-west-2.amazonaws.com",
+	"webview-assets.aws-cloud9.eu-west-3.amazonaws.com",
 	"vfs.cloud9.eu-west-3.amazonaws.com",
 	"webview-assets.cloud9.eu-west-3.amazonaws.com",
+	"webview-assets.aws-cloud9.me-south-1.amazonaws.com",
 	"vfs.cloud9.me-south-1.amazonaws.com",
 	"webview-assets.cloud9.me-south-1.amazonaws.com",
+	"webview-assets.aws-cloud9.sa-east-1.amazonaws.com",
 	"vfs.cloud9.sa-east-1.amazonaws.com",
 	"webview-assets.cloud9.sa-east-1.amazonaws.com",
+	"webview-assets.aws-cloud9.us-east-1.amazonaws.com",
 	"vfs.cloud9.us-east-1.amazonaws.com",
 	"webview-assets.cloud9.us-east-1.amazonaws.com",
+	"webview-assets.aws-cloud9.us-east-2.amazonaws.com",
 	"vfs.cloud9.us-east-2.amazonaws.com",
 	"webview-assets.cloud9.us-east-2.amazonaws.com",
+	"webview-assets.aws-cloud9.us-west-1.amazonaws.com",
 	"vfs.cloud9.us-west-1.amazonaws.com",
 	"webview-assets.cloud9.us-west-1.amazonaws.com",
+	"webview-assets.aws-cloud9.us-west-2.amazonaws.com",
 	"vfs.cloud9.us-west-2.amazonaws.com",
 	"webview-assets.cloud9.us-west-2.amazonaws.com",
 	"cn-north-1.eb.amazonaws.com.cn",
@@ -7542,6 +7112,7 @@ var rules = [...]string{
 	"myasustor.com",
 	"cdn.prod.atlassian-dev.net",
 	"translated.page",
+	"autocode.dev",
 	"myfritz.net",
 	"onavstack.net",
 	"*.awdev.ca",
@@ -7588,6 +7159,8 @@ var rules = [...]string{
 	"vm.bytemark.co.uk",
 	"cafjs.com",
 	"mycd.eu",
+	"canva-apps.cn",
+	"canva-apps.com",
 	"drr.ac",
 	"uwu.ai",
 	"carrd.co",
@@ -7653,8 +7226,11 @@ var rules = [...]string{
 	"cloudcontrolled.com",
 	"cloudcontrolapp.com",
 	"*.cloudera.site",
-	"pages.dev",
+	"cf-ipfs.com",
+	"cloudflare-ipfs.com",
 	"trycloudflare.com",
+	"pages.dev",
+	"r2.dev",
 	"workers.dev",
 	"wnext.app",
 	"co.ca",
@@ -8227,6 +7803,7 @@ var rules = [...]string{
 	"channelsdvr.net",
 	"u.channelsdvr.net",
 	"edgecompute.app",
+	"fastly-edge.com",
 	"fastly-terrarium.com",
 	"fastlylb.net",
 	"map.fastlylb.net",
@@ -8566,6 +8143,7 @@ var rules = [...]string{
 	"ngo.ng",
 	"edu.scot",
 	"sch.so",
+	"ie.ua",
 	"hostyhosting.io",
 	"xn--hkkinen-5wa.fi",
 	"*.moonscale.io",
@@ -8633,7 +8211,6 @@ var rules = [...]string{
 	"iobb.net",
 	"mel.cloudlets.com.au",
 	"cloud.interhostsolutions.be",
-	"users.scale.virtualcloud.com.br",
 	"mycloud.by",
 	"alp1.ae.flow.ch",
 	"appengine.flow.ch",
@@ -8657,9 +8234,7 @@ var rules = [...]string{
 	"de.trendhosting.cloud",
 	"jele.club",
 	"amscompute.com",
-	"clicketcloud.com",
 	"dopaas.com",
-	"hidora.com",
 	"paas.hosted-by-previder.com",
 	"rag-cloud.hosteur.com",
 	"rag-cloud-ch.hosteur.com",
@@ -8834,6 +8409,7 @@ var rules = [...]string{
 	"azurestaticapps.net",
 	"1.azurestaticapps.net",
 	"2.azurestaticapps.net",
+	"3.azurestaticapps.net",
 	"centralus.azurestaticapps.net",
 	"eastasia.azurestaticapps.net",
 	"eastus2.azurestaticapps.net",
@@ -8864,7 +8440,19 @@ var rules = [...]string{
 	"cloud.nospamproxy.com",
 	"netlify.app",
 	"4u.com",
+	"ngrok.app",
+	"ngrok-free.app",
+	"ngrok.dev",
+	"ngrok-free.dev",
 	"ngrok.io",
+	"ap.ngrok.io",
+	"au.ngrok.io",
+	"eu.ngrok.io",
+	"in.ngrok.io",
+	"jp.ngrok.io",
+	"sa.ngrok.io",
+	"us.ngrok.io",
+	"ngrok.pizza",
 	"nh-serv.co.uk",
 	"nfshost.com",
 	"*.developer.app",
@@ -9084,6 +8672,7 @@ var rules = [...]string{
 	"eu.pythonanywhere.com",
 	"qoto.io",
 	"qualifioapp.com",
+	"ladesk.com",
 	"qbuser.com",
 	"cloudsite.builders",
 	"instances.spawn.cc",
@@ -9132,6 +8721,53 @@ var rules = [...]string{
 	"xn--h1aliz.xn--p1acf",
 	"xn--90a1af.xn--p1acf",
 	"xn--41a.xn--p1acf",
+	"180r.com",
+	"dojin.com",
+	"sakuratan.com",
+	"sakuraweb.com",
+	"x0.com",
+	"2-d.jp",
+	"bona.jp",
+	"crap.jp",
+	"daynight.jp",
+	"eek.jp",
+	"flop.jp",
+	"halfmoon.jp",
+	"jeez.jp",
+	"matrix.jp",
+	"mimoza.jp",
+	"ivory.ne.jp",
+	"mail-box.ne.jp",
+	"mints.ne.jp",
+	"mokuren.ne.jp",
+	"opal.ne.jp",
+	"sakura.ne.jp",
+	"sumomo.ne.jp",
+	"topaz.ne.jp",
+	"netgamers.jp",
+	"nyanta.jp",
+	"o0o0.jp",
+	"rdy.jp",
+	"rgr.jp",
+	"rulez.jp",
+	"s3.isk01.sakurastorage.jp",
+	"s3.isk02.sakurastorage.jp",
+	"saloon.jp",
+	"sblo.jp",
+	"skr.jp",
+	"tank.jp",
+	"uh-oh.jp",
+	"undo.jp",
+	"rs.webaccel.jp",
+	"user.webaccel.jp",
+	"websozai.jp",
+	"xii.jp",
+	"squares.net",
+	"jpn.org",
+	"kirara.st",
+	"x0.to",
+	"from.tv",
+	"sakura.tv",
 	"*.builder.code.com",
 	"*.dev-builder.code.com",
 	"*.stg-builder.code.com",
@@ -9204,6 +8840,9 @@ var rules = [...]string{
 	"beta.bounty-full.com",
 	"small-web.org",
 	"vp4.me",
+	"snowflake.app",
+	"privatelink.snowflake.app",
+	"streamlit.app",
 	"streamlitapp.com",
 	"try-snowplow.com",
 	"srht.site",
@@ -9243,6 +8882,7 @@ var rules = [...]string{
 	"myspreadshop.se",
 	"myspreadshop.co.uk",
 	"api.stdlib.com",
+	"storipress.app",
 	"storj.farm",
 	"utwente.io",
 	"soc.srcf.net",
@@ -9272,6 +8912,8 @@ var rules = [...]string{
 	"vpnplus.to",
 	"direct.quickconnect.to",
 	"tabitorder.co.il",
+	"mytabit.co.il",
+	"mytabit.com",
 	"taifun-dns.de",
 	"beta.tailscale.net",
 	"ts.net",
@@ -9350,6 +8992,7 @@ var rules = [...]string{
 	"hk.org",
 	"ltd.hk",
 	"inc.hk",
+	"it.com",
 	"name.pm",
 	"sch.tf",
 	"biz.wf",
@@ -9472,7 +9115,6 @@ var rules = [...]string{
 var nodeLabels = [...]string{
 	"aaa",
 	"aarp",
-	"abarth",
 	"abb",
 	"abbott",
 	"abbvie",
@@ -9488,7 +9130,6 @@ var nodeLabels = [...]string{
 	"aco",
 	"actor",
 	"ad",
-	"adac",
 	"ads",
 	"adult",
 	"ae",
@@ -9508,7 +9149,6 @@ var nodeLabels = [...]string{
 	"airtel",
 	"akdn",
 	"al",
-	"alfaromeo",
 	"alibaba",
 	"alipay",
 	"allfinanz",
@@ -9750,7 +9390,6 @@ var nodeLabels = [...]string{
 	"contact",
 	"contractors",
 	"cooking",
-	"cookingchannel",
 	"cool",
 	"coop",
 	"corsica",
@@ -9882,7 +9521,6 @@ var nodeLabels = [...]string{
 	"ferrari",
 	"ferrero",
 	"fi",
-	"fiat",
 	"fidelity",
 	"fido",
 	"film",
@@ -9908,7 +9546,6 @@ var nodeLabels = [...]string{
 	"fo",
 	"foo",
 	"food",
-	"foodnetwork",
 	"football",
 	"ford",
 	"forex",
@@ -10014,7 +9651,6 @@ var nodeLabels = [...]string{
 	"helsinki",
 	"here",
 	"hermes",
-	"hgtv",
 	"hiphop",
 	"hisamitsu",
 	"hitachi",
@@ -10036,7 +9672,6 @@ var nodeLabels = [...]string{
 	"host",
 	"hosting",
 	"hot",
-	"hoteles",
 	"hotels",
 	"hotmail",
 	"house",
@@ -10149,7 +9784,6 @@ var nodeLabels = [...]string{
 	"lamborghini",
 	"lamer",
 	"lancaster",
-	"lancia",
 	"land",
 	"landrover",
 	"lanxess",
@@ -10180,7 +9814,6 @@ var nodeLabels = [...]string{
 	"limited",
 	"limo",
 	"lincoln",
-	"linde",
 	"link",
 	"lipsy",
 	"live",
@@ -10192,7 +9825,6 @@ var nodeLabels = [...]string{
 	"loans",
 	"locker",
 	"locus",
-	"loft",
 	"lol",
 	"london",
 	"lotte",
@@ -10212,7 +9844,6 @@ var nodeLabels = [...]string{
 	"lv",
 	"ly",
 	"ma",
-	"macys",
 	"madrid",
 	"maif",
 	"maison",
@@ -10226,7 +9857,6 @@ var nodeLabels = [...]string{
 	"markets",
 	"marriott",
 	"marshalls",
-	"maserati",
 	"mattel",
 	"mba",
 	"mc",
@@ -10286,7 +9916,6 @@ var nodeLabels = [...]string{
 	"mu",
 	"museum",
 	"music",
-	"mutual",
 	"mv",
 	"mw",
 	"mx",
@@ -10374,7 +10003,6 @@ var nodeLabels = [...]string{
 	"partners",
 	"parts",
 	"party",
-	"passagens",
 	"pay",
 	"pccw",
 	"pe",
@@ -10530,7 +10158,6 @@ var nodeLabels = [...]string{
 	"select",
 	"sener",
 	"services",
-	"ses",
 	"seven",
 	"sew",
 	"sex",
@@ -10647,7 +10274,6 @@ var nodeLabels = [...]string{
 	"tiaa",
 	"tickets",
 	"tienda",
-	"tiffany",
 	"tips",
 	"tires",
 	"tirol",
@@ -10677,7 +10303,6 @@ var nodeLabels = [...]string{
 	"trading",
 	"training",
 	"travel",
-	"travelchannel",
 	"travelers",
 	"travelersinsurance",
 	"trust",
@@ -10739,7 +10364,6 @@ var nodeLabels = [...]string{
 	"voto",
 	"voyage",
 	"vu",
-	"vuelos",
 	"wales",
 	"walmart",
 	"walter",
@@ -10856,7 +10480,6 @@ var nodeLabels = [...]string{
 	"xn--j1amh",
 	"xn--j6w193g",
 	"xn--jlq480n2rg",
-	"xn--jlq61u9w7b",
 	"xn--jvr189m",
 	"xn--kcrx77d1x4a",
 	"xn--kprw13d",
@@ -11119,18 +10742,24 @@ var nodeLabels = [...]string{
 	"loginline",
 	"messerli",
 	"netlify",
+	"ngrok",
+	"ngrok-free",
 	"noop",
 	"northflank",
 	"ondigitalocean",
 	"onflashdrive",
 	"platform0",
 	"run",
+	"snowflake",
+	"storipress",
+	"streamlit",
 	"telebit",
 	"typedream",
 	"vercel",
 	"web",
 	"wnext",
 	"a",
+	"privatelink",
 	"bet",
 	"com",
 	"coop",
@@ -11316,6 +10945,7 @@ var nodeLabels = [...]string{
 	"edu",
 	"or",
 	"org",
+	"activetrail",
 	"cloudns",
 	"dscloud",
 	"dyndns",
@@ -11330,10 +10960,27 @@ var nodeLabels = [...]string{
 	"orx",
 	"selfip",
 	"webhop",
-	"asso",
-	"barreau",
+	"africa",
+	"agro",
+	"architectes",
+	"assur",
+	"avocats",
 	"blogspot",
-	"gouv",
+	"co",
+	"com",
+	"eco",
+	"econo",
+	"edu",
+	"info",
+	"loisirs",
+	"money",
+	"net",
+	"org",
+	"ote",
+	"restaurant",
+	"resto",
+	"tourism",
+	"univ",
 	"com",
 	"edu",
 	"gov",
@@ -11529,9 +11176,6 @@ var nodeLabels = [...]string{
 	"zlg",
 	"blogspot",
 	"simplesite",
-	"virtualcloud",
-	"scale",
-	"users",
 	"ac",
 	"al",
 	"am",
@@ -11772,6 +11416,7 @@ var nodeLabels = [...]string{
 	"ac",
 	"ah",
 	"bj",
+	"canva-apps",
 	"com",
 	"cq",
 	"edu",
@@ -11853,6 +11498,7 @@ var nodeLabels = [...]string{
 	"owo",
 	"001www",
 	"0emm",
+	"180r",
 	"1kapp",
 	"3utilities",
 	"4u",
@@ -11888,11 +11534,13 @@ var nodeLabels = [...]string{
 	"br",
 	"builtwithdark",
 	"cafjs",
+	"canva-apps",
 	"cechire",
+	"cf-ipfs",
 	"ciscofreak",
-	"clicketcloud",
 	"cloudcontrolapp",
 	"cloudcontrolled",
+	"cloudflare-ipfs",
 	"cn",
 	"co",
 	"code",
@@ -11919,6 +11567,7 @@ var nodeLabels = [...]string{
 	"dnsdojo",
 	"dnsiskinky",
 	"doesntexist",
+	"dojin",
 	"dontexist",
 	"doomdns",
 	"dopaas",
@@ -11951,6 +11600,7 @@ var nodeLabels = [...]string{
 	"eu",
 	"evennode",
 	"familyds",
+	"fastly-edge",
 	"fastly-terrarium",
 	"fastvps-server",
 	"fbsbx",
@@ -12024,7 +11674,6 @@ var nodeLabels = [...]string{
 	"health-carereform",
 	"herokuapp",
 	"herokussl",
-	"hidora",
 	"hk",
 	"hobby-site",
 	"homelinux",
@@ -12098,6 +11747,7 @@ var nodeLabels = [...]string{
 	"isa-geek",
 	"isa-hockeynut",
 	"issmarterthanyou",
+	"it",
 	"jdevcloud",
 	"jelastic",
 	"joyent",
@@ -12107,6 +11757,7 @@ var nodeLabels = [...]string{
 	"kozow",
 	"kr",
 	"ktistory",
+	"ladesk",
 	"likes-pie",
 	"likescandy",
 	"linode",
@@ -12133,6 +11784,7 @@ var nodeLabels = [...]string{
 	"myshopblocks",
 	"myshopify",
 	"myspreadshop",
+	"mytabit",
 	"mythic-beasts",
 	"mytuleap",
 	"myvnc",
@@ -12179,6 +11831,8 @@ var nodeLabels = [...]string{
 	"rhcloud",
 	"ru",
 	"sa",
+	"sakuratan",
+	"sakuraweb",
 	"saves-the-whales",
 	"scrysec",
 	"securitytactics",
@@ -12241,6 +11895,7 @@ var nodeLabels = [...]string{
 	"wphostedmail",
 	"wpmucdn",
 	"writesthisblog",
+	"x0",
 	"xnbay",
 	"yolasite",
 	"za",
@@ -12295,107 +11950,154 @@ var nodeLabels = [...]string{
 	"us-east-2",
 	"us-west-1",
 	"us-west-2",
+	"aws-cloud9",
 	"cloud9",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
+	"aws-cloud9",
 	"cloud9",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
+	"analytics-gateway",
+	"aws-cloud9",
 	"cloud9",
 	"dualstack",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
 	"s3",
+	"aws-cloud9",
 	"cloud9",
 	"dualstack",
 	"s3",
 	"s3-website",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
 	"s3",
+	"aws-cloud9",
 	"cloud9",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
+	"aws-cloud9",
 	"cloud9",
 	"dualstack",
 	"s3",
 	"s3-website",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
 	"s3",
+	"aws-cloud9",
 	"cloud9",
 	"dualstack",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
 	"s3",
+	"aws-cloud9",
 	"cloud9",
 	"dualstack",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
 	"s3",
+	"aws-cloud9",
 	"cloud9",
 	"dualstack",
 	"s3",
 	"s3-website",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
 	"s3",
+	"aws-cloud9",
 	"cloud9",
 	"dualstack",
 	"s3",
 	"s3-website",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
 	"s3",
+	"aws-cloud9",
 	"cloud9",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
+	"aws-cloud9",
 	"cloud9",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
+	"analytics-gateway",
+	"aws-cloud9",
 	"cloud9",
 	"dualstack",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
 	"s3",
+	"aws-cloud9",
 	"cloud9",
 	"dualstack",
 	"s3",
 	"s3-website",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
 	"s3",
+	"aws-cloud9",
 	"cloud9",
 	"dualstack",
 	"s3",
 	"s3-website",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
 	"s3",
+	"aws-cloud9",
 	"cloud9",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
+	"aws-cloud9",
 	"cloud9",
 	"dualstack",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
 	"s3",
+	"analytics-gateway",
+	"aws-cloud9",
 	"cloud9",
 	"dualstack",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
 	"s3",
+	"analytics-gateway",
+	"aws-cloud9",
 	"cloud9",
 	"dualstack",
 	"s3",
 	"s3-website",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
 	"s3",
+	"aws-cloud9",
 	"cloud9",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
+	"analytics-gateway",
+	"aws-cloud9",
 	"cloud9",
+	"webview-assets",
 	"vfs",
 	"webview-assets",
 	"r",
@@ -12610,6 +12312,7 @@ var nodeLabels = [...]string{
 	"pages",
 	"customer",
 	"bss",
+	"autocode",
 	"curv",
 	"deno",
 	"deno-staging",
@@ -12623,8 +12326,11 @@ var nodeLabels = [...]string{
 	"localcert",
 	"loginline",
 	"mediatech",
+	"ngrok",
+	"ngrok-free",
 	"pages",
 	"platter-app",
+	"r2",
 	"shiftcrypto",
 	"stg",
 	"stgstage",
@@ -13016,6 +12722,7 @@ var nodeLabels = [...]string{
 	"net",
 	"org",
 	"blogspot",
+	"mytabit",
 	"ravpage",
 	"tabitorder",
 	"ac",
@@ -13176,6 +12883,13 @@ var nodeLabels = [...]string{
 	"dyndns",
 	"id",
 	"apps",
+	"ap",
+	"au",
+	"eu",
+	"in",
+	"jp",
+	"sa",
+	"us",
 	"stage",
 	"mock",
 	"sys",
@@ -13649,6 +13363,7 @@ var nodeLabels = [...]string{
 	"net",
 	"org",
 	"sch",
+	"2-d",
 	"ac",
 	"ad",
 	"aichi",
@@ -13662,6 +13377,7 @@ var nodeLabels = [...]string{
 	"bitter",
 	"blogspot",
 	"blush",
+	"bona",
 	"boo",
 	"boy",
 	"boyfriend",
@@ -13682,18 +13398,22 @@ var nodeLabels = [...]string{
 	"cocotte",
 	"coolblog",
 	"cranky",
+	"crap",
 	"cutegirl",
 	"daa",
+	"daynight",
 	"deca",
 	"deci",
 	"digick",
 	"ed",
+	"eek",
 	"egoism",
 	"ehime",
 	"fakefur",
 	"fashionstore",
 	"fem",
 	"flier",
+	"flop",
 	"floppy",
 	"fool",
 	"frenchkiss",
@@ -13710,6 +13430,7 @@ var nodeLabels = [...]string{
 	"greater",
 	"gunma",
 	"hacca",
+	"halfmoon",
 	"handcrafted",
 	"heavy",
 	"her",
@@ -13725,6 +13446,7 @@ var nodeLabels = [...]string{
 	"ishikawa",
 	"itigo",
 	"iwate",
+	"jeez",
 	"jellybean",
 	"kagawa",
 	"kagoshima",
@@ -13748,7 +13470,9 @@ var nodeLabels = [...]string{
 	"lovepop",
 	"lovesick",
 	"main",
+	"matrix",
 	"mie",
+	"mimoza",
 	"miyagi",
 	"miyazaki",
 	"mods",
@@ -13761,10 +13485,13 @@ var nodeLabels = [...]string{
 	"namaste",
 	"nara",
 	"ne",
+	"netgamers",
 	"niigata",
 	"nikita",
 	"nobushi",
 	"noor",
+	"nyanta",
+	"o0o0",
 	"oita",
 	"okayama",
 	"okinawa",
@@ -13785,22 +13512,30 @@ var nodeLabels = [...]string{
 	"pussycat",
 	"pya",
 	"raindrop",
+	"rdy",
 	"readymade",
+	"rgr",
+	"rulez",
 	"sadist",
 	"saga",
 	"saitama",
+	"sakurastorage",
+	"saloon",
 	"sapporo",
+	"sblo",
 	"schoolbus",
 	"secret",
 	"sendai",
 	"shiga",
 	"shimane",
 	"shizuoka",
+	"skr",
 	"staba",
 	"stripper",
 	"sub",
 	"sunnyday",
 	"supersale",
+	"tank",
 	"theshop",
 	"thick",
 	"tochigi",
@@ -13809,7 +13544,9 @@ var nodeLabels = [...]string{
 	"tonkotsu",
 	"tottori",
 	"toyama",
+	"uh-oh",
 	"under",
+	"undo",
 	"upper",
 	"usercontent",
 	"velvet",
@@ -13818,8 +13555,11 @@ var nodeLabels = [...]string{
 	"vivian",
 	"wakayama",
 	"watson",
+	"webaccel",
 	"weblike",
+	"websozai",
 	"whitesnow",
+	"xii",
 	"xn--0trq7p7nn",
 	"xn--1ctwo",
 	"xn--1lqs03n",
@@ -14954,6 +14694,14 @@ var nodeLabels = [...]string{
 	"yoshino",
 	"aseinet",
 	"gehirn",
+	"ivory",
+	"mail-box",
+	"mints",
+	"mokuren",
+	"opal",
+	"sakura",
+	"sumomo",
+	"topaz",
 	"user",
 	"aga",
 	"agano",
@@ -15221,6 +14969,10 @@ var nodeLabels = [...]string{
 	"yoshida",
 	"yoshikawa",
 	"yoshimi",
+	"isk01",
+	"isk02",
+	"s3",
+	"s3",
 	"city",
 	"city",
 	"aisho",
@@ -15476,6 +15228,8 @@ var nodeLabels = [...]string{
 	"wakayama",
 	"yuasa",
 	"yura",
+	"rs",
+	"user",
 	"asahi",
 	"funagata",
 	"higashine",
@@ -15865,552 +15619,6 @@ var nodeLabels = [...]string{
 	"net",
 	"or",
 	"org",
-	"academy",
-	"agriculture",
-	"air",
-	"airguard",
-	"alabama",
-	"alaska",
-	"amber",
-	"ambulance",
-	"american",
-	"americana",
-	"americanantiques",
-	"americanart",
-	"amsterdam",
-	"and",
-	"annefrank",
-	"anthro",
-	"anthropology",
-	"antiques",
-	"aquarium",
-	"arboretum",
-	"archaeological",
-	"archaeology",
-	"architecture",
-	"art",
-	"artanddesign",
-	"artcenter",
-	"artdeco",
-	"arteducation",
-	"artgallery",
-	"arts",
-	"artsandcrafts",
-	"asmatart",
-	"assassination",
-	"assisi",
-	"association",
-	"astronomy",
-	"atlanta",
-	"austin",
-	"australia",
-	"automotive",
-	"aviation",
-	"axis",
-	"badajoz",
-	"baghdad",
-	"bahn",
-	"bale",
-	"baltimore",
-	"barcelona",
-	"baseball",
-	"basel",
-	"baths",
-	"bauern",
-	"beauxarts",
-	"beeldengeluid",
-	"bellevue",
-	"bergbau",
-	"berkeley",
-	"berlin",
-	"bern",
-	"bible",
-	"bilbao",
-	"bill",
-	"birdart",
-	"birthplace",
-	"bonn",
-	"boston",
-	"botanical",
-	"botanicalgarden",
-	"botanicgarden",
-	"botany",
-	"brandywinevalley",
-	"brasil",
-	"bristol",
-	"british",
-	"britishcolumbia",
-	"broadcast",
-	"brunel",
-	"brussel",
-	"brussels",
-	"bruxelles",
-	"building",
-	"burghof",
-	"bus",
-	"bushey",
-	"cadaques",
-	"california",
-	"cambridge",
-	"can",
-	"canada",
-	"capebreton",
-	"carrier",
-	"cartoonart",
-	"casadelamoneda",
-	"castle",
-	"castres",
-	"celtic",
-	"center",
-	"chattanooga",
-	"cheltenham",
-	"chesapeakebay",
-	"chicago",
-	"children",
-	"childrens",
-	"childrensgarden",
-	"chiropractic",
-	"chocolate",
-	"christiansburg",
-	"cincinnati",
-	"cinema",
-	"circus",
-	"civilisation",
-	"civilization",
-	"civilwar",
-	"clinton",
-	"clock",
-	"coal",
-	"coastaldefence",
-	"cody",
-	"coldwar",
-	"collection",
-	"colonialwilliamsburg",
-	"coloradoplateau",
-	"columbia",
-	"columbus",
-	"communication",
-	"communications",
-	"community",
-	"computer",
-	"computerhistory",
-	"contemporary",
-	"contemporaryart",
-	"convent",
-	"copenhagen",
-	"corporation",
-	"corvette",
-	"costume",
-	"countryestate",
-	"county",
-	"crafts",
-	"cranbrook",
-	"creation",
-	"cultural",
-	"culturalcenter",
-	"culture",
-	"cyber",
-	"cymru",
-	"dali",
-	"dallas",
-	"database",
-	"ddr",
-	"decorativearts",
-	"delaware",
-	"delmenhorst",
-	"denmark",
-	"depot",
-	"design",
-	"detroit",
-	"dinosaur",
-	"discovery",
-	"dolls",
-	"donostia",
-	"durham",
-	"eastafrica",
-	"eastcoast",
-	"education",
-	"educational",
-	"egyptian",
-	"eisenbahn",
-	"elburg",
-	"elvendrell",
-	"embroidery",
-	"encyclopedic",
-	"england",
-	"entomology",
-	"environment",
-	"environmentalconservation",
-	"epilepsy",
-	"essex",
-	"estate",
-	"ethnology",
-	"exeter",
-	"exhibition",
-	"family",
-	"farm",
-	"farmequipment",
-	"farmers",
-	"farmstead",
-	"field",
-	"figueres",
-	"filatelia",
-	"film",
-	"fineart",
-	"finearts",
-	"finland",
-	"flanders",
-	"florida",
-	"force",
-	"fortmissoula",
-	"fortworth",
-	"foundation",
-	"francaise",
-	"frankfurt",
-	"franziskaner",
-	"freemasonry",
-	"freiburg",
-	"fribourg",
-	"frog",
-	"fundacio",
-	"furniture",
-	"gallery",
-	"garden",
-	"gateway",
-	"geelvinck",
-	"gemological",
-	"geology",
-	"georgia",
-	"giessen",
-	"glas",
-	"glass",
-	"gorge",
-	"grandrapids",
-	"graz",
-	"guernsey",
-	"halloffame",
-	"hamburg",
-	"handson",
-	"harvestcelebration",
-	"hawaii",
-	"health",
-	"heimatunduhren",
-	"hellas",
-	"helsinki",
-	"hembygdsforbund",
-	"heritage",
-	"histoire",
-	"historical",
-	"historicalsociety",
-	"historichouses",
-	"historisch",
-	"historisches",
-	"history",
-	"historyofscience",
-	"horology",
-	"house",
-	"humanities",
-	"illustration",
-	"imageandsound",
-	"indian",
-	"indiana",
-	"indianapolis",
-	"indianmarket",
-	"intelligence",
-	"interactive",
-	"iraq",
-	"iron",
-	"isleofman",
-	"jamison",
-	"jefferson",
-	"jerusalem",
-	"jewelry",
-	"jewish",
-	"jewishart",
-	"jfk",
-	"journalism",
-	"judaica",
-	"judygarland",
-	"juedisches",
-	"juif",
-	"karate",
-	"karikatur",
-	"kids",
-	"koebenhavn",
-	"koeln",
-	"kunst",
-	"kunstsammlung",
-	"kunstunddesign",
-	"labor",
-	"labour",
-	"lajolla",
-	"lancashire",
-	"landes",
-	"lans",
-	"larsson",
-	"lewismiller",
-	"lincoln",
-	"linz",
-	"living",
-	"livinghistory",
-	"localhistory",
-	"london",
-	"losangeles",
-	"louvre",
-	"loyalist",
-	"lucerne",
-	"luxembourg",
-	"luzern",
-	"mad",
-	"madrid",
-	"mallorca",
-	"manchester",
-	"mansion",
-	"mansions",
-	"manx",
-	"marburg",
-	"maritime",
-	"maritimo",
-	"maryland",
-	"marylhurst",
-	"media",
-	"medical",
-	"medizinhistorisches",
-	"meeres",
-	"memorial",
-	"mesaverde",
-	"michigan",
-	"midatlantic",
-	"military",
-	"mill",
-	"miners",
-	"mining",
-	"minnesota",
-	"missile",
-	"missoula",
-	"modern",
-	"moma",
-	"money",
-	"monmouth",
-	"monticello",
-	"montreal",
-	"moscow",
-	"motorcycle",
-	"muenchen",
-	"muenster",
-	"mulhouse",
-	"muncie",
-	"museet",
-	"museumcenter",
-	"museumvereniging",
-	"music",
-	"national",
-	"nationalfirearms",
-	"nationalheritage",
-	"nativeamerican",
-	"naturalhistory",
-	"naturalhistorymuseum",
-	"naturalsciences",
-	"nature",
-	"naturhistorisches",
-	"natuurwetenschappen",
-	"naumburg",
-	"naval",
-	"nebraska",
-	"neues",
-	"newhampshire",
-	"newjersey",
-	"newmexico",
-	"newport",
-	"newspaper",
-	"newyork",
-	"niepce",
-	"norfolk",
-	"north",
-	"nrw",
-	"nyc",
-	"nyny",
-	"oceanographic",
-	"oceanographique",
-	"omaha",
-	"online",
-	"ontario",
-	"openair",
-	"oregon",
-	"oregontrail",
-	"otago",
-	"oxford",
-	"pacific",
-	"paderborn",
-	"palace",
-	"paleo",
-	"palmsprings",
-	"panama",
-	"paris",
-	"pasadena",
-	"pharmacy",
-	"philadelphia",
-	"philadelphiaarea",
-	"philately",
-	"phoenix",
-	"photography",
-	"pilots",
-	"pittsburgh",
-	"planetarium",
-	"plantation",
-	"plants",
-	"plaza",
-	"portal",
-	"portland",
-	"portlligat",
-	"posts-and-telecommunications",
-	"preservation",
-	"presidio",
-	"press",
-	"project",
-	"public",
-	"pubol",
-	"quebec",
-	"railroad",
-	"railway",
-	"research",
-	"resistance",
-	"riodejaneiro",
-	"rochester",
-	"rockart",
-	"roma",
-	"russia",
-	"saintlouis",
-	"salem",
-	"salvadordali",
-	"salzburg",
-	"sandiego",
-	"sanfrancisco",
-	"santabarbara",
-	"santacruz",
-	"santafe",
-	"saskatchewan",
-	"satx",
-	"savannahga",
-	"schlesisches",
-	"schoenbrunn",
-	"schokoladen",
-	"school",
-	"schweiz",
-	"science",
-	"science-fiction",
-	"scienceandhistory",
-	"scienceandindustry",
-	"sciencecenter",
-	"sciencecenters",
-	"sciencehistory",
-	"sciences",
-	"sciencesnaturelles",
-	"scotland",
-	"seaport",
-	"settlement",
-	"settlers",
-	"shell",
-	"sherbrooke",
-	"sibenik",
-	"silk",
-	"ski",
-	"skole",
-	"society",
-	"sologne",
-	"soundandvision",
-	"southcarolina",
-	"southwest",
-	"space",
-	"spy",
-	"square",
-	"stadt",
-	"stalbans",
-	"starnberg",
-	"state",
-	"stateofdelaware",
-	"station",
-	"steam",
-	"steiermark",
-	"stjohn",
-	"stockholm",
-	"stpetersburg",
-	"stuttgart",
-	"suisse",
-	"surgeonshall",
-	"surrey",
-	"svizzera",
-	"sweden",
-	"sydney",
-	"tank",
-	"tcm",
-	"technology",
-	"telekommunikation",
-	"television",
-	"texas",
-	"textile",
-	"theater",
-	"time",
-	"timekeeping",
-	"topology",
-	"torino",
-	"touch",
-	"town",
-	"transport",
-	"tree",
-	"trolley",
-	"trust",
-	"trustee",
-	"uhren",
-	"ulm",
-	"undersea",
-	"university",
-	"usa",
-	"usantiques",
-	"usarts",
-	"uscountryestate",
-	"usculture",
-	"usdecorativearts",
-	"usgarden",
-	"ushistory",
-	"ushuaia",
-	"uslivinghistory",
-	"utah",
-	"uvic",
-	"valley",
-	"vantaa",
-	"versailles",
-	"viking",
-	"village",
-	"virginia",
-	"virtual",
-	"virtuel",
-	"vlaanderen",
-	"volkenkunde",
-	"wales",
-	"wallonie",
-	"war",
-	"washingtondc",
-	"watch-and-clock",
-	"watchandclock",
-	"western",
-	"westfalen",
-	"whaling",
-	"wildlife",
-	"williamsburg",
-	"windmill",
-	"workshop",
-	"xn--9dbhblg6di",
-	"xn--comunicaes-v6a2o",
-	"xn--correios-e-telecomunicaes-ghc29a",
-	"xn--h1aegh",
-	"xn--lns-qla",
-	"york",
-	"yorkshire",
-	"yosemite",
-	"youth",
-	"zoological",
-	"zoology",
 	"aero",
 	"biz",
 	"com",
@@ -16483,6 +15691,19 @@ var nodeLabels = [...]string{
 	"asso",
 	"nom",
 	"adobeaemcloud",
+	"adobeio-static",
+	"adobeioruntime",
+	"akadns",
+	"akamai",
+	"akamai-staging",
+	"akamaiedge",
+	"akamaiedge-staging",
+	"akamaihd",
+	"akamaihd-staging",
+	"akamaiorigin",
+	"akamaiorigin-staging",
+	"akamaized",
+	"akamaized-staging",
 	"alwaysdata",
 	"appudo",
 	"at-band-camp",
@@ -16532,6 +15753,10 @@ var nodeLabels = [...]string{
 	"dynv6",
 	"eating-organic",
 	"edgeapp",
+	"edgekey",
+	"edgekey-staging",
+	"edgesuite",
+	"edgesuite-staging",
 	"elastx",
 	"endofinternet",
 	"familyds",
@@ -16612,6 +15837,7 @@ var nodeLabels = [...]string{
 	"shopselect",
 	"siteleaf",
 	"square7",
+	"squares",
 	"srcf",
 	"static-access",
 	"supabase",
@@ -16634,6 +15860,7 @@ var nodeLabels = [...]string{
 	"cdn",
 	"1",
 	"2",
+	"3",
 	"centralus",
 	"eastasia",
 	"eastus2",
@@ -17619,6 +16846,7 @@ var nodeLabels = [...]string{
 	"is-very-nice",
 	"is-very-sweet",
 	"isa-geek",
+	"jpn",
 	"js",
 	"kicks-ass",
 	"mayfirst",
@@ -17774,6 +17002,7 @@ var nodeLabels = [...]string{
 	"org",
 	"framer",
 	"1337",
+	"ngrok",
 	"biz",
 	"com",
 	"edu",
@@ -17978,12 +17207,17 @@ var nodeLabels = [...]string{
 	"kwpsp",
 	"mup",
 	"mw",
+	"oia",
 	"oirm",
+	"oke",
+	"oow",
+	"oschr",
 	"oum",
 	"pa",
 	"pinb",
 	"piw",
 	"po",
+	"pr",
 	"psp",
 	"psse",
 	"pup",
@@ -18009,11 +17243,14 @@ var nodeLabels = [...]string{
 	"wios",
 	"witd",
 	"wiw",
+	"wkz",
 	"wsa",
 	"wskr",
+	"wsse",
 	"wuoz",
 	"wzmiuw",
 	"zp",
+	"zpisdn",
 	"co",
 	"name",
 	"own",
@@ -18355,6 +17592,7 @@ var nodeLabels = [...]string{
 	"consulado",
 	"edu",
 	"embaixada",
+	"kirara",
 	"mil",
 	"net",
 	"noho",
@@ -18501,6 +17739,7 @@ var nodeLabels = [...]string{
 	"quickconnect",
 	"rdv",
 	"vpnplus",
+	"x0",
 	"direct",
 	"prequalifyme",
 	"now-dns",
@@ -18549,7 +17788,9 @@ var nodeLabels = [...]string{
 	"travel",
 	"better-than",
 	"dyndns",
+	"from",
 	"on-the-web",
+	"sakura",
 	"worse-than",
 	"blogspot",
 	"club",
@@ -18602,6 +17843,7 @@ var nodeLabels = [...]string{
 	"dp",
 	"edu",
 	"gov",
+	"ie",
 	"if",
 	"in",
 	"inf",
@@ -18616,6 +17858,7 @@ var nodeLabels = [...]string{
 	"kirovograd",
 	"km",
 	"kr",
+	"kropyvnytskyi",
 	"krym",
 	"ks",
 	"kv",
@@ -19010,18 +18253,84 @@ var nodeLabels = [...]string{
 	"net",
 	"org",
 	"ac",
+	"ai",
+	"angiang",
+	"bacgiang",
+	"backan",
+	"baclieu",
+	"bacninh",
+	"baria-vungtau",
+	"bentre",
+	"binhdinh",
+	"binhduong",
+	"binhphuoc",
+	"binhthuan",
 	"biz",
 	"blogspot",
+	"camau",
+	"cantho",
+	"caobang",
 	"com",
+	"daklak",
+	"daknong",
+	"danang",
+	"dienbien",
+	"dongnai",
+	"dongthap",
 	"edu",
+	"gialai",
 	"gov",
+	"hagiang",
+	"haiduong",
+	"haiphong",
+	"hanam",
+	"hanoi",
+	"hatinh",
+	"haugiang",
 	"health",
+	"hoabinh",
+	"hungyen",
+	"id",
 	"info",
 	"int",
+	"io",
+	"khanhhoa",
+	"kiengiang",
+	"kontum",
+	"laichau",
+	"lamdong",
+	"langson",
+	"laocai",
+	"longan",
+	"namdinh",
 	"name",
 	"net",
+	"nghean",
+	"ninhbinh",
+	"ninhthuan",
 	"org",
+	"phutho",
+	"phuyen",
 	"pro",
+	"quangbinh",
+	"quangnam",
+	"quangngai",
+	"quangninh",
+	"quangtri",
+	"soctrang",
+	"sonla",
+	"tayninh",
+	"thaibinh",
+	"thainguyen",
+	"thanhhoa",
+	"thanhphohochiminh",
+	"thuathienhue",
+	"tiengiang",
+	"travinh",
+	"tuyenquang",
+	"vinhlong",
+	"vinhphuc",
+	"yenbai",
 	"blog",
 	"cn",
 	"com",

From f09e75378f8ee74a1ff2e883d590eac175d93fea Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Wed, 2 Aug 2023 12:41:31 -0700
Subject: [PATCH 02/22] quic: send and receive stream data

Send and receive data in STREAM frames.

Write-close streams and communicate the final size in a
STREAM frame with the FIN bit. Return io.EOF on reads
at the end of a stream.

Handle stream-level flow control. Send window updates
in MAX_STREAM_DATA frames, send STREAM_DATA_BLOCKED
when flow control is not available.

Does not include connection-level flow control,
read-closing, aborting, or removing streams from
a conn after both sides have closed the stream.

For golang/go#58547

Change-Id: Ib2b449bf54eb6cf200c4f6e2dd2c33274dda3387
Reviewed-on: https://go-review.googlesource.com/c/net/+/515815
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
---
 internal/quic/config.go         |  25 +
 internal/quic/conn.go           |   3 +
 internal/quic/conn_loss.go      |   8 +
 internal/quic/conn_loss_test.go | 270 +++++++++++
 internal/quic/conn_recv.go      |  13 +-
 internal/quic/conn_streams.go   |  31 +-
 internal/quic/conn_test.go      |   2 +
 internal/quic/crypto_stream.go  |  23 +-
 internal/quic/gate.go           |  12 +-
 internal/quic/quic_test.go      |  37 ++
 internal/quic/stream.go         | 394 ++++++++++++++--
 internal/quic/stream_test.go    | 794 ++++++++++++++++++++++++++++++++
 12 files changed, 1549 insertions(+), 63 deletions(-)
 create mode 100644 internal/quic/quic_test.go

diff --git a/internal/quic/config.go b/internal/quic/config.go
index 7d1b7433a..df493579f 100644
--- a/internal/quic/config.go
+++ b/internal/quic/config.go
@@ -17,4 +17,29 @@ type Config struct {
 	// TLSConfig is the endpoint's TLS configuration.
 	// It must be non-nil and include at least one certificate or else set GetCertificate.
 	TLSConfig *tls.Config
+
+	// StreamReadBufferSize is the maximum amount of data sent by the peer that a
+	// stream will buffer for reading.
+	// If zero, the default value of 1MiB is used.
+	// If negative, the limit is zero.
+	StreamReadBufferSize int64
+
+	// StreamWriteBufferSize is the maximum amount of data a stream will buffer for
+	// sending to the peer.
+	// If zero, the default value of 1MiB is used.
+	// If negative, the limit is zero.
+	StreamWriteBufferSize int64
 }
+
+func configDefault(v, def int64) int64 {
+	switch v {
+	case -1:
+		return 0
+	case 0:
+		return def
+	}
+	return v
+}
+
+func (c *Config) streamReadBufferSize() int64  { return configDefault(c.StreamReadBufferSize, 1<<20) }
+func (c *Config) streamWriteBufferSize() int64 { return configDefault(c.StreamWriteBufferSize, 1<<20) }
diff --git a/internal/quic/conn.go b/internal/quic/conn.go
index 90e673963..0952a79e8 100644
--- a/internal/quic/conn.go
+++ b/internal/quic/conn.go
@@ -160,6 +160,9 @@ func (c *Conn) discardKeys(now time.Time, space numberSpace) {
 
 // receiveTransportParameters applies transport parameters sent by the peer.
 func (c *Conn) receiveTransportParameters(p transportParameters) error {
+	c.streams.peerInitialMaxStreamDataBidiLocal = p.initialMaxStreamDataBidiLocal
+	c.streams.peerInitialMaxStreamDataRemote[bidiStream] = p.initialMaxStreamDataBidiRemote
+	c.streams.peerInitialMaxStreamDataRemote[uniStream] = p.initialMaxStreamDataUni
 	c.peerAckDelayExponent = p.ackDelayExponent
 	c.loss.setMaxAckDelay(p.maxAckDelay)
 	if err := c.connIDState.setPeerActiveConnIDLimit(p.activeConnIDLimit, c.newConnIDFunc()); err != nil {
diff --git a/internal/quic/conn_loss.go b/internal/quic/conn_loss.go
index ca178089d..f42f7e528 100644
--- a/internal/quic/conn_loss.go
+++ b/internal/quic/conn_loss.go
@@ -44,6 +44,14 @@ func (c *Conn) handleAckOrLoss(space numberSpace, sent *sentPacket, fate packetF
 		case frameTypeCrypto:
 			start, end := sent.nextRange()
 			c.crypto[space].ackOrLoss(start, end, fate)
+		case frameTypeMaxStreamData,
+			frameTypeStreamDataBlocked:
+			id := streamID(sent.nextInt())
+			s := c.streamForID(id)
+			if s == nil {
+				continue
+			}
+			s.ackOrLoss(sent.num, f, fate)
 		case frameTypeStreamBase,
 			frameTypeStreamBase | streamFinBit:
 			id := streamID(sent.nextInt())
diff --git a/internal/quic/conn_loss_test.go b/internal/quic/conn_loss_test.go
index e3d16a7ba..d9445150a 100644
--- a/internal/quic/conn_loss_test.go
+++ b/internal/quic/conn_loss_test.go
@@ -7,7 +7,9 @@
 package quic
 
 import (
+	"context"
 	"crypto/tls"
+	"fmt"
 	"testing"
 )
 
@@ -145,7 +147,275 @@ func TestLostStreamFrameEmpty(t *testing.T) {
 				data: []byte{},
 			})
 	})
+}
+
+func TestLostStreamWithData(t *testing.T) {
+	// "Application data sent in STREAM frames is retransmitted in new STREAM
+	// frames unless the endpoint has sent a RESET_STREAM for that stream."
+	// https://www.rfc-editor.org/rfc/rfc9000#section-13.3-3.2
+	//
+	// TODO: Lost stream frame after RESET_STREAM
+	lostFrameTest(t, func(t *testing.T, pto bool) {
+		data := []byte{0, 1, 2, 3, 4, 5, 6, 7}
+		tc, s := newTestConnAndLocalStream(t, serverSide, uniStream, func(p *transportParameters) {
+			p.initialMaxStreamsUni = 1
+			p.initialMaxData = 1 << 20
+			p.initialMaxStreamDataUni = 1 << 20
+		})
+		s.Write(data[:4])
+		tc.wantFrame("send [0,4)",
+			packetType1RTT, debugFrameStream{
+				id:   s.id,
+				off:  0,
+				data: data[:4],
+			})
+		s.Write(data[4:8])
+		tc.wantFrame("send [4,8)",
+			packetType1RTT, debugFrameStream{
+				id:   s.id,
+				off:  4,
+				data: data[4:8],
+			})
+		s.Close()
+		tc.wantFrame("send FIN",
+			packetType1RTT, debugFrameStream{
+				id:   s.id,
+				off:  8,
+				fin:  true,
+				data: []byte{},
+			})
+
+		tc.triggerLossOrPTO(packetType1RTT, pto)
+		tc.wantFrame("resend data",
+			packetType1RTT, debugFrameStream{
+				id:   s.id,
+				off:  0,
+				fin:  true,
+				data: data[:8],
+			})
+	})
+}
+
+func TestLostStreamPartialLoss(t *testing.T) {
+	// Conn sends four STREAM packets.
+	// ACKs are received for the packets containing bytes 0 and 2.
+	// The remaining packets are declared lost.
+	// The Conn resends only the lost data.
+	//
+	// This test doesn't have a PTO mode, because the ACK for the packet containing byte 2
+	// starts the loss timer for the packet containing byte 1, and the PTO timer is not
+	// armed when the loss timer is.
+	data := []byte{0, 1, 2, 3}
+	tc, s := newTestConnAndLocalStream(t, serverSide, uniStream, func(p *transportParameters) {
+		p.initialMaxStreamsUni = 1
+		p.initialMaxData = 1 << 20
+		p.initialMaxStreamDataUni = 1 << 20
+	})
+	for i := range data {
+		s.Write(data[i : i+1])
+		tc.wantFrame(fmt.Sprintf("send STREAM frame with byte %v", i),
+			packetType1RTT, debugFrameStream{
+				id:   s.id,
+				off:  int64(i),
+				data: data[i : i+1],
+			})
+		if i%2 == 0 {
+			num := tc.sentFramePacket.num
+			tc.writeFrames(packetType1RTT, debugFrameAck{
+				ranges: []i64range[packetNumber]{
+					{num, num + 1},
+				},
+			})
+		}
+	}
+	const pto = false
+	tc.triggerLossOrPTO(packetType1RTT, pto)
+	tc.wantFrame("resend byte 1",
+		packetType1RTT, debugFrameStream{
+			id:   s.id,
+			off:  1,
+			data: data[1:2],
+		})
+	tc.wantFrame("resend byte 3",
+		packetType1RTT, debugFrameStream{
+			id:   s.id,
+			off:  3,
+			data: data[3:4],
+		})
+	tc.wantIdle("no more frames sent after packet loss")
+}
+
+func TestLostMaxStreamDataFrame(t *testing.T) {
+	// "[...] an updated value is sent when the packet containing
+	// the most recent MAX_STREAM_DATA frame for a stream is lost"
+	// https://www.rfc-editor.org/rfc/rfc9000#section-13.3-3.8
+	lostFrameTest(t, func(t *testing.T, pto bool) {
+		const maxWindowSize = 10
+		buf := make([]byte, maxWindowSize)
+		tc, s := newTestConnAndRemoteStream(t, serverSide, uniStream, func(c *Config) {
+			c.StreamReadBufferSize = maxWindowSize
+		})
+
+		// We send MAX_STREAM_DATA = 19.
+		tc.writeFrames(packetType1RTT, debugFrameStream{
+			id:   s.id,
+			off:  0,
+			data: make([]byte, maxWindowSize),
+		})
+		if n, err := s.Read(buf[:maxWindowSize-1]); err != nil || n != maxWindowSize-1 {
+			t.Fatalf("Read() = %v, %v; want %v, nil", n, err, maxWindowSize-1)
+		}
+		tc.wantFrame("stream window is extended after reading data",
+			packetType1RTT, debugFrameMaxStreamData{
+				id:  s.id,
+				max: (maxWindowSize * 2) - 1,
+			})
+
+		// MAX_STREAM_DATA = 20, which is only one more byte, so we don't send the frame.
+		if n, err := s.Read(buf); err != nil || n != 1 {
+			t.Fatalf("Read() = %v, %v; want %v, nil", n, err, 1)
+		}
+		tc.wantIdle("read doesn't extend window enough to send another MAX_STREAM_DATA")
+
+		// The MAX_STREAM_DATA = 19 packet was lost, so we send 20.
+		tc.triggerLossOrPTO(packetType1RTT, pto)
+		tc.wantFrame("resent MAX_STREAM_DATA includes most current value",
+			packetType1RTT, debugFrameMaxStreamData{
+				id:  s.id,
+				max: maxWindowSize * 2,
+			})
+	})
+}
+
+func TestLostMaxStreamDataFrameAfterStreamFinReceived(t *testing.T) {
+	// "An endpoint SHOULD stop sending MAX_STREAM_DATA frames when
+	// the receiving part of the stream enters a "Size Known" or "Reset Recvd" state."
+	// https://www.rfc-editor.org/rfc/rfc9000#section-13.3-3.8
+	lostFrameTest(t, func(t *testing.T, pto bool) {
+		const maxWindowSize = 10
+		buf := make([]byte, maxWindowSize)
+		tc, s := newTestConnAndRemoteStream(t, serverSide, uniStream, func(c *Config) {
+			c.StreamReadBufferSize = maxWindowSize
+		})
+
+		tc.writeFrames(packetType1RTT, debugFrameStream{
+			id:   s.id,
+			off:  0,
+			data: make([]byte, maxWindowSize),
+		})
+		if n, err := s.Read(buf); err != nil || n != maxWindowSize {
+			t.Fatalf("Read() = %v, %v; want %v, nil", n, err, maxWindowSize)
+		}
+		tc.wantFrame("stream window is extended after reading data",
+			packetType1RTT, debugFrameMaxStreamData{
+				id:  s.id,
+				max: 2 * maxWindowSize,
+			})
+
+		tc.writeFrames(packetType1RTT, debugFrameStream{
+			id:  s.id,
+			off: maxWindowSize,
+			fin: true,
+		})
+
+		tc.ignoreFrame(frameTypePing)
+		tc.triggerLossOrPTO(packetType1RTT, pto)
+		tc.wantIdle("lost MAX_STREAM_DATA not resent for stream in 'size known'")
+	})
+}
+
+func TestLostStreamDataBlockedFrame(t *testing.T) {
+	// "A new [STREAM_DATA_BLOCKED] frame is sent if a packet containing
+	// the most recent frame for a scope is lost [...]"
+	// https://www.rfc-editor.org/rfc/rfc9000#section-13.3-3.10
+	lostFrameTest(t, func(t *testing.T, pto bool) {
+		tc, s := newTestConnAndLocalStream(t, serverSide, uniStream, func(p *transportParameters) {
+			p.initialMaxStreamsUni = 1
+			p.initialMaxData = 1 << 20
+		})
+
+		w := runAsync(tc, func(ctx context.Context) (int, error) {
+			return s.WriteContext(ctx, []byte{0, 1, 2, 3})
+		})
+		defer w.cancel()
+		tc.wantFrame("write is blocked by flow control",
+			packetType1RTT, debugFrameStreamDataBlocked{
+				id:  s.id,
+				max: 0,
+			})
+
+		tc.writeFrames(packetType1RTT, debugFrameMaxStreamData{
+			id:  s.id,
+			max: 1,
+		})
+		tc.wantFrame("write makes some progress, but is still blocked by flow control",
+			packetType1RTT, debugFrameStreamDataBlocked{
+				id:  s.id,
+				max: 1,
+			})
+		tc.wantFrame("write consuming available window",
+			packetType1RTT, debugFrameStream{
+				id:   s.id,
+				off:  0,
+				data: []byte{0},
+			})
 
+		tc.triggerLossOrPTO(packetType1RTT, pto)
+		tc.wantFrame("STREAM_DATA_BLOCKED is resent",
+			packetType1RTT, debugFrameStreamDataBlocked{
+				id:  s.id,
+				max: 1,
+			})
+		tc.wantFrame("STREAM is resent as well",
+			packetType1RTT, debugFrameStream{
+				id:   s.id,
+				off:  0,
+				data: []byte{0},
+			})
+	})
+}
+
+func TestLostStreamDataBlockedFrameAfterStreamUnblocked(t *testing.T) {
+	// "A new [STREAM_DATA_BLOCKED] frame is sent [...] only while
+	// the endpoint is blocked on the corresponding limit."
+	// https://www.rfc-editor.org/rfc/rfc9000#section-13.3-3.10
+	lostFrameTest(t, func(t *testing.T, pto bool) {
+		tc, s := newTestConnAndLocalStream(t, serverSide, uniStream, func(p *transportParameters) {
+			p.initialMaxStreamsUni = 1
+			p.initialMaxData = 1 << 20
+		})
+
+		data := []byte{0, 1, 2, 3}
+		w := runAsync(tc, func(ctx context.Context) (int, error) {
+			return s.WriteContext(ctx, data)
+		})
+		defer w.cancel()
+		tc.wantFrame("write is blocked by flow control",
+			packetType1RTT, debugFrameStreamDataBlocked{
+				id:  s.id,
+				max: 0,
+			})
+
+		tc.writeFrames(packetType1RTT, debugFrameMaxStreamData{
+			id:  s.id,
+			max: 10,
+		})
+		tc.wantFrame("write completes after flow control available",
+			packetType1RTT, debugFrameStream{
+				id:   s.id,
+				off:  0,
+				data: data,
+			})
+
+		tc.triggerLossOrPTO(packetType1RTT, pto)
+		tc.wantFrame("STREAM data is resent",
+			packetType1RTT, debugFrameStream{
+				id:   s.id,
+				off:  0,
+				data: data,
+			})
+		tc.wantIdle("STREAM_DATA_BLOCKED is not resent, since the stream is not blocked")
+	})
 }
 
 func TestLostNewConnectionIDFrame(t *testing.T) {
diff --git a/internal/quic/conn_recv.go b/internal/quic/conn_recv.go
index 45ef3844e..00985b670 100644
--- a/internal/quic/conn_recv.go
+++ b/internal/quic/conn_recv.go
@@ -191,7 +191,7 @@ func (c *Conn) handleFrames(now time.Time, ptype packetType, space numberSpace,
 			if !frameOK(c, ptype, __01) {
 				return
 			}
-			_, _, n = consumeMaxStreamDataFrame(payload)
+			n = c.handleMaxStreamDataFrame(now, payload)
 		case frameTypeMaxStreamsBidi, frameTypeMaxStreamsUni:
 			if !frameOK(c, ptype, __01) {
 				return
@@ -280,6 +280,17 @@ func (c *Conn) handleAckFrame(now time.Time, space numberSpace, payload []byte)
 	return n
 }
 
+func (c *Conn) handleMaxStreamDataFrame(now time.Time, payload []byte) int {
+	id, maxStreamData, n := consumeMaxStreamDataFrame(payload)
+	if s := c.streamForFrame(now, id, sendStream); s != nil {
+		if err := s.handleMaxStreamData(maxStreamData); err != nil {
+			c.abort(now, err)
+			return -1
+		}
+	}
+	return n
+}
+
 func (c *Conn) handleCryptoFrame(now time.Time, space numberSpace, payload []byte) int {
 	off, data, n := consumeCryptoFrame(payload)
 	err := c.handleCrypto(now, space, off, data)
diff --git a/internal/quic/conn_streams.go b/internal/quic/conn_streams.go
index f626323b5..7a531f52b 100644
--- a/internal/quic/conn_streams.go
+++ b/internal/quic/conn_streams.go
@@ -20,6 +20,10 @@ type streamsState struct {
 	streams   map[streamID]*Stream
 	opened    [streamTypeCount]int64 // number of streams opened by us
 
+	// Peer configuration provided in transport parameters.
+	peerInitialMaxStreamDataRemote    [streamTypeCount]int64 // streams opened by us
+	peerInitialMaxStreamDataBidiLocal int64                  // streams opened by them
+
 	// Streams with frames to send are stored in a circular linked list.
 	// sendHead is the next stream to write, or nil if there are no streams
 	// with data to send. sendTail is the last stream to write.
@@ -55,15 +59,24 @@ func (c *Conn) NewSendOnlyStream(ctx context.Context) (*Stream, error) {
 	return c.newLocalStream(ctx, uniStream)
 }
 
-func (c *Conn) newLocalStream(ctx context.Context, typ streamType) (*Stream, error) {
+func (c *Conn) newLocalStream(ctx context.Context, styp streamType) (*Stream, error) {
 	// TODO: Stream limits.
 	c.streams.streamsMu.Lock()
 	defer c.streams.streamsMu.Unlock()
 
-	num := c.streams.opened[typ]
-	c.streams.opened[typ]++
+	num := c.streams.opened[styp]
+	c.streams.opened[styp]++
+
+	s := newStream(c, newStreamID(c.side, styp, num))
+	s.outmaxbuf = c.config.streamWriteBufferSize()
+	s.outwin = c.streams.peerInitialMaxStreamDataRemote[styp]
+	if styp == bidiStream {
+		s.inmaxbuf = c.config.streamReadBufferSize()
+		s.inwin = c.config.streamReadBufferSize()
+	}
+	s.inUnlock()
+	s.outUnlock()
 
-	s := newStream(c, newStreamID(c.side, typ, num))
 	c.streams.streams[s.id] = s
 	return s, nil
 }
@@ -117,7 +130,17 @@ func (c *Conn) streamForFrame(now time.Time, id streamID, ftype streamFrameType)
 		c.abort(now, localTransportError(errStreamState))
 		return nil
 	}
+
 	s := newStream(c, id)
+	s.inmaxbuf = c.config.streamReadBufferSize()
+	s.inwin = c.config.streamReadBufferSize()
+	if id.streamType() == bidiStream {
+		s.outmaxbuf = c.config.streamWriteBufferSize()
+		s.outwin = c.streams.peerInitialMaxStreamDataBidiLocal
+	}
+	s.inUnlock()
+	s.outUnlock()
+
 	c.streams.streams[id] = s
 	c.streams.queue.put(s)
 	return s
diff --git a/internal/quic/conn_test.go b/internal/quic/conn_test.go
index 5aad69f4d..2480f9cb0 100644
--- a/internal/quic/conn_test.go
+++ b/internal/quic/conn_test.go
@@ -179,6 +179,8 @@ func newTestConn(t *testing.T, side connSide, opts ...any) *testConn {
 	peerProvidedParams := defaultTransportParameters()
 	for _, o := range opts {
 		switch o := o.(type) {
+		case func(*Config):
+			o(config)
 		case func(*tls.Config):
 			o(config.TLSConfig)
 		case func(p *transportParameters):
diff --git a/internal/quic/crypto_stream.go b/internal/quic/crypto_stream.go
index 6cda6578c..75dea87d0 100644
--- a/internal/quic/crypto_stream.go
+++ b/internal/quic/crypto_stream.go
@@ -118,28 +118,7 @@ func (s *cryptoStream) ackOrLoss(start, end int64, fate packetFate) {
 // copy the data it wants into position.
 func (s *cryptoStream) dataToSend(pto bool, f func(off, size int64) (sent int64)) {
 	for {
-		var off, size int64
-		if pto {
-			// On PTO, resend unacked data that fits in the probe packet.
-			// For simplicity, we send the range starting at s.out.start
-			// (which is definitely unacked, or else we would have discarded it)
-			// up to the next acked byte (if any).
-			//
-			// This may miss unacked data starting after that acked byte,
-			// but avoids resending data the peer has acked.
-			off = s.out.start
-			end := s.out.end
-			for _, r := range s.outacked {
-				if r.start > off {
-					end = r.start
-					break
-				}
-			}
-			size = end - s.out.start
-		} else if s.outunsent.numRanges() > 0 {
-			off = s.outunsent.min()
-			size = s.outunsent[0].size()
-		}
+		off, size := dataToSend(s.out, s.outunsent, s.outacked, pto)
 		if size == 0 {
 			return
 		}
diff --git a/internal/quic/gate.go b/internal/quic/gate.go
index efb28daf8..27ab07a6f 100644
--- a/internal/quic/gate.go
+++ b/internal/quic/gate.go
@@ -20,13 +20,19 @@ type gate struct {
 	unset chan struct{}
 }
 
+// newGate returns a new, unlocked gate with the condition unset.
 func newGate() gate {
-	g := gate{
+	g := newLockedGate()
+	g.unlock(false)
+	return g
+}
+
+// newLocked gate returns a new, locked gate.
+func newLockedGate() gate {
+	return gate{
 		set:   make(chan struct{}, 1),
 		unset: make(chan struct{}, 1),
 	}
-	g.unset <- struct{}{}
-	return g
 }
 
 // lock acquires the gate unconditionally.
diff --git a/internal/quic/quic_test.go b/internal/quic/quic_test.go
new file mode 100644
index 000000000..1281b54ee
--- /dev/null
+++ b/internal/quic/quic_test.go
@@ -0,0 +1,37 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.21
+
+package quic
+
+import (
+	"testing"
+)
+
+func testSides(t *testing.T, name string, f func(*testing.T, connSide)) {
+	if name != "" {
+		name += "/"
+	}
+	t.Run(name+"server", func(t *testing.T) { f(t, serverSide) })
+	t.Run(name+"client", func(t *testing.T) { f(t, clientSide) })
+}
+
+func testStreamTypes(t *testing.T, name string, f func(*testing.T, streamType)) {
+	if name != "" {
+		name += "/"
+	}
+	t.Run(name+"bidi", func(t *testing.T) { f(t, bidiStream) })
+	t.Run(name+"uni", func(t *testing.T) { f(t, uniStream) })
+}
+
+func testSidesAndStreamTypes(t *testing.T, name string, f func(*testing.T, connSide, streamType)) {
+	if name != "" {
+		name += "/"
+	}
+	t.Run(name+"server/bidi", func(t *testing.T) { f(t, serverSide, bidiStream) })
+	t.Run(name+"client/bidi", func(t *testing.T) { f(t, clientSide, bidiStream) })
+	t.Run(name+"server/uni", func(t *testing.T) { f(t, serverSide, uniStream) })
+	t.Run(name+"client/uni", func(t *testing.T) { f(t, clientSide, uniStream) })
+}
diff --git a/internal/quic/stream.go b/internal/quic/stream.go
index b55f927e0..83215dfd3 100644
--- a/internal/quic/stream.go
+++ b/internal/quic/stream.go
@@ -9,34 +9,57 @@ package quic
 import (
 	"context"
 	"errors"
+	"io"
 )
 
 type Stream struct {
 	id   streamID
 	conn *Conn
 
+	// ingate's lock guards all receive-related state.
+	//
+	// The gate condition is set if a read from the stream will not block,
+	// either because the stream has available data or because the read will fail.
+	ingate    gate
+	in        pipe            // received data
+	inwin     int64           // last MAX_STREAM_DATA sent to the peer
+	insendmax sentVal         // set when we should send MAX_STREAM_DATA to the peer
+	inmaxbuf  int64           // maximum amount of data we will buffer
+	insize    int64           // stream final size; -1 before this is known
+	inset     rangeset[int64] // received ranges
+
 	// outgate's lock guards all send-related state.
 	//
 	// The gate condition is set if a write to the stream will not block,
 	// either because the stream has available flow control or because
 	// the write will fail.
-	outgate   gate
-	outopened sentVal // set if we should open the stream
+	outgate    gate
+	out        pipe            // buffered data to send
+	outwin     int64           // maximum MAX_STREAM_DATA received from the peer
+	outmaxbuf  int64           // maximum amount of data we will buffer
+	outunsent  rangeset[int64] // ranges buffered but not yet sent
+	outacked   rangeset[int64] // ranges sent and acknowledged
+	outopened  sentVal         // set if we should open the stream
+	outclosed  sentVal         // set by CloseWrite
+	outblocked sentVal         // set when a write to the stream is blocked by flow control
 
 	prev, next *Stream // guarded by streamsState.sendMu
 }
 
+// newStream returns a new stream.
+//
+// The stream's ingate and outgate are locked.
+// (We create the stream with locked gates so after the caller
+// initializes the flow control window,
+// unlocking outgate will set the stream writability state.)
 func newStream(c *Conn, id streamID) *Stream {
 	s := &Stream{
 		conn:    c,
 		id:      id,
-		outgate: newGate(),
+		insize:  -1, // -1 indicates the stream size is unknown
+		ingate:  newLockedGate(),
+		outgate: newLockedGate(),
 	}
-
-	// Lock and unlock outgate to update the stream writability state.
-	s.outgate.lock()
-	s.outUnlock()
-
 	return s
 }
 
@@ -66,8 +89,48 @@ func (s *Stream) Read(b []byte) (n int, err error) {
 // returning all data sent by the peer.
 // If the peer terminates reads abruptly, ReadContext returns StreamResetError.
 func (s *Stream) ReadContext(ctx context.Context, b []byte) (n int, err error) {
-	// TODO: implement
-	return 0, errors.New("unimplemented")
+	if s.IsWriteOnly() {
+		return 0, errors.New("read from write-only stream")
+	}
+	// Wait until data is available.
+	if err := s.conn.waitAndLockGate(ctx, &s.ingate); err != nil {
+		return 0, err
+	}
+	defer s.inUnlock()
+	if s.insize == s.in.start {
+		return 0, io.EOF
+	}
+	// Getting here indicates the stream contains data to be read.
+	if len(s.inset) < 1 || s.inset[0].start != 0 || s.inset[0].end <= s.in.start {
+		panic("BUG: inconsistent input stream state")
+	}
+	if size := int(s.inset[0].end - s.in.start); size < len(b) {
+		b = b[:size]
+	}
+	start := s.in.start
+	end := start + int64(len(b))
+	s.in.copy(start, b)
+	s.in.discardBefore(end)
+	if s.insize == -1 || s.insize > s.inwin {
+		if shouldUpdateFlowControl(s.inwin-s.in.start, s.inmaxbuf) {
+			// Update stream flow control with a STREAM_MAX_DATA frame.
+			s.insendmax.setUnsent()
+		}
+	}
+	if end == s.insize {
+		return len(b), io.EOF
+	}
+	return len(b), nil
+}
+
+// shouldUpdateFlowControl determines whether to send a flow control window update.
+//
+// We want to balance keeping the peer well-supplied with flow control with not sending
+// many small updates.
+func shouldUpdateFlowControl(curwin, maxwin int64) bool {
+	// Update flow control if doing so gives the peer at least 64k tokens,
+	// or if it will double the current window.
+	return maxwin-curwin >= 64<<10 || curwin*2 < maxwin
 }
 
 // Write writes data to the stream.
@@ -87,65 +150,330 @@ func (s *Stream) WriteContext(ctx context.Context, b []byte) (n int, err error)
 	if s.IsReadOnly() {
 		return 0, errors.New("write to read-only stream")
 	}
-	if len(b) > 0 {
-		// TODO: implement
-		return 0, errors.New("unimplemented")
+	canWrite := s.outgate.lock()
+	if s.outclosed.isSet() {
+		s.outUnlock()
+		return 0, errors.New("write to closed stream")
 	}
-	if err := s.outgate.waitAndLockContext(ctx); err != nil {
-		return 0, err
+	if len(b) == 0 {
+		// We aren't writing any data, but send a STREAM frame to open the stream
+		// if we haven't done so already.
+		s.outopened.set()
+	}
+	for len(b) > 0 {
+		// The first time through this loop, we may or may not be write blocked.
+		// We exit the loop after writing all data, so on subsequent passes through
+		// the loop we are always write blocked.
+		if !canWrite {
+			// We're blocked, either by flow control or by our own buffer limit.
+			// We either need the peer to extend our flow control window,
+			// or ack some of our outstanding packets.
+			if s.out.end == s.outwin {
+				// We're blocked by flow control.
+				// Send a STREAM_DATA_BLOCKED frame to let the peer know.
+				s.outblocked.setUnsent()
+			}
+			s.outUnlock()
+			if err := s.conn.waitAndLockGate(ctx, &s.outgate); err != nil {
+				return n, err
+			}
+			// Successfully returning from waitAndLockGate means we are no longer
+			// write blocked. (Unlike traditional condition variables, gates do not
+			// have spurious wakeups.)
+		}
+		s.outblocked.clear()
+		// Write limit is min(our own buffer limit, the peer-provided flow control window).
+		// This is a stream offset.
+		lim := min(s.out.start+s.outmaxbuf, s.outwin)
+		// Amount to write is min(the full buffer, data up to the write limit).
+		// This is a number of bytes.
+		nn := min(int64(len(b)), lim-s.out.end)
+		// Copy the data into the output buffer and mark it as unsent.
+		s.outunsent.add(s.out.end, s.out.end+nn)
+		s.out.writeAt(b[:nn], s.out.end)
+		s.outopened.set()
+		b = b[nn:]
+		n += int(nn)
+		// If we have bytes left to send, we're blocked.
+		canWrite = false
 	}
+	s.outUnlock()
+	return n, nil
+}
+
+// Close closes the stream.
+// See CloseContext for more details.
+func (s *Stream) Close() error {
+	return s.CloseContext(context.Background())
+}
+
+// CloseContext closes the stream.
+// Any blocked stream operations will be unblocked and return errors.
+//
+// CloseContext flushes any data in the stream write buffer and waits for the peer to
+// acknowledge receipt of the data.
+// If the stream has been reset, it waits for the peer to acknowledge the reset.
+// If the context expires before the peer receives the stream's data,
+// CloseContext discards the buffer and returns the context error.
+func (s *Stream) CloseContext(ctx context.Context) error {
+	s.CloseRead()
+	s.CloseWrite()
+	// TODO: wait for peer to acknowledge data
+	// TODO: Return code from peer's RESET_STREAM frame?
+	return nil
+}
+
+// CloseRead aborts reads on the stream.
+// Any blocked reads will be unblocked and return errors.
+//
+// CloseRead notifies the peer that the stream has been closed for reading.
+// It does not wait for the peer to acknowledge the closure.
+// Use CloseContext to wait for the peer's acknowledgement.
+func (s *Stream) CloseRead() {
+	if s.IsWriteOnly() {
+		return
+	}
+	// TODO: support read-closing streams with a STOP_SENDING frame
+}
+
+// CloseWrite aborts writes on the stream.
+// Any blocked writes will be unblocked and return errors.
+//
+// CloseWrite sends any data in the stream write buffer to the peer.
+// It does not wait for the peer to acknowledge receipt of the data.
+// Use CloseContext to wait for the peer's acknowledgement.
+func (s *Stream) CloseWrite() {
+	if s.IsReadOnly() {
+		return
+	}
+	s.outgate.lock()
 	defer s.outUnlock()
+	s.outclosed.set()
+}
 
-	// Set outopened to send a STREAM frame with no data,
-	// opening the stream on the peer.
-	s.outopened.set()
+// inUnlock unlocks s.ingate.
+// It sets the gate condition if reads from s will not block.
+// If s has receive-related frames to write, it notifies the Conn.
+func (s *Stream) inUnlock() {
+	if s.inUnlockNoQueue() {
+		s.conn.queueStreamForSend(s)
+	}
+}
 
-	return n, nil
+// inUnlockNoQueue is inUnlock,
+// but reports whether s has frames to write rather than notifying the Conn.
+func (s *Stream) inUnlockNoQueue() (shouldSend bool) {
+	// TODO: STOP_SENDING
+	canRead := s.inset.contains(s.in.start) || // data available to read
+		s.insize == s.in.start // at EOF
+	s.ingate.unlock(canRead)
+	return s.insendmax.shouldSend() // STREAM_MAX_DATA
 }
 
 // outUnlock unlocks s.outgate.
 // It sets the gate condition if writes to s will not block.
-// If s has frames to write, it notifies the Conn.
+// If s has send-related frames to write, it notifies the Conn.
 func (s *Stream) outUnlock() {
-	if s.outopened.shouldSend() {
+	if s.outUnlockNoQueue() {
 		s.conn.queueStreamForSend(s)
 	}
-	canSend := true // TODO: set sendability status based on flow control
-	s.outgate.unlock(canSend)
+}
+
+// outUnlockNoQueue is outUnlock,
+// but reports whether s has frames to write rather than notifying the Conn.
+func (s *Stream) outUnlockNoQueue() (shouldSend bool) {
+	lim := min(s.out.start+s.outmaxbuf, s.outwin)
+	canWrite := lim > s.out.end || // available flow control
+		s.outclosed.isSet() // closed
+	s.outgate.unlock(canWrite)
+	return len(s.outunsent) > 0 || // STREAM frame with data
+		s.outclosed.shouldSend() || // STREAM frame with FIN bit
+		s.outopened.shouldSend() || // STREAM frame with no data
+		s.outblocked.shouldSend() // STREAM_DATA_BLOCKED
 }
 
 // handleData handles data received in a STREAM frame.
 func (s *Stream) handleData(off int64, b []byte, fin bool) error {
-	// TODO
+	s.ingate.lock()
+	defer s.inUnlock()
+	end := off + int64(len(b))
+	if end > s.inwin {
+		// The peer sent us data past the maximum flow control window we gave them.
+		return localTransportError(errFlowControl)
+	}
+	if s.insize != -1 && end > s.insize {
+		// The peer sent us data past the final size of the stream they previously gave us.
+		return localTransportError(errFinalSize)
+	}
+	s.in.writeAt(b, off)
+	s.inset.add(off, end)
+	if fin {
+		if s.insize != -1 && s.insize != end {
+			// The peer changed the final size of the stream.
+			return localTransportError(errFinalSize)
+		}
+		s.insize = end
+		// The peer has enough flow control window to send the entire stream.
+		s.insendmax.clear()
+	}
+	return nil
+}
+
+// handleMaxStreamData handles an update received in a MAX_STREAM_DATA frame.
+func (s *Stream) handleMaxStreamData(maxStreamData int64) error {
+	s.outgate.lock()
+	defer s.outUnlock()
+	s.outwin = max(maxStreamData, s.outwin)
 	return nil
 }
 
+// ackOrLoss handles the fate of stream frames other than STREAM.
+func (s *Stream) ackOrLoss(pnum packetNumber, ftype byte, fate packetFate) {
+	// Frames which carry new information each time they are sent
+	// (MAX_STREAM_DATA, STREAM_DATA_BLOCKED) must only be marked
+	// as received if the most recent packet carrying this frame is acked.
+	//
+	// Frames which are always the same (STOP_SENDING, RESET_STREAM)
+	// can be marked as received if any packet carrying this frame is acked.
+	switch ftype {
+	case frameTypeMaxStreamData:
+		s.ingate.lock()
+		s.insendmax.ackLatestOrLoss(pnum, fate)
+		s.inUnlock()
+	case frameTypeStreamDataBlocked:
+		s.outgate.lock()
+		s.outblocked.ackLatestOrLoss(pnum, fate)
+		s.outUnlock()
+	default:
+		// TODO: Handle STOP_SENDING, RESET_STREAM.
+		panic("unhandled frame type")
+	}
+}
+
 // ackOrLossData handles the fate of a STREAM frame.
 func (s *Stream) ackOrLossData(pnum packetNumber, start, end int64, fin bool, fate packetFate) {
 	s.outgate.lock()
 	defer s.outUnlock()
 	s.outopened.ackOrLoss(pnum, fate)
+	if fin {
+		s.outclosed.ackOrLoss(pnum, fate)
+	}
+	switch fate {
+	case packetAcked:
+		s.outacked.add(start, end)
+		s.outunsent.sub(start, end)
+		// If this ack is for data at the start of the send buffer, we can now discard it.
+		if s.outacked.contains(s.out.start) {
+			s.out.discardBefore(s.outacked[0].end)
+		}
+	case packetLost:
+		// Mark everything lost, but not previously acked, as needing retransmission.
+		// We do this by adding all the lost bytes to outunsent, and then
+		// removing everything already acked.
+		s.outunsent.add(start, end)
+		for _, a := range s.outacked {
+			s.outunsent.sub(a.start, a.end)
+		}
+	}
 }
 
+// appendInFrames appends STOP_SENDING and MAX_STREAM_DATA frames
+// to the current packet.
+//
+// It returns true if no more frames need appending,
+// false if not everything fit in the current packet.
 func (s *Stream) appendInFrames(w *packetWriter, pnum packetNumber, pto bool) bool {
+	s.ingate.lock()
+	defer s.inUnlockNoQueue()
 	// TODO: STOP_SENDING
-	// TODO: MAX_STREAM_DATA
+	if s.insendmax.shouldSendPTO(pto) {
+		// MAX_STREAM_DATA
+		maxStreamData := s.in.start + s.inmaxbuf
+		if !w.appendMaxStreamDataFrame(s.id, maxStreamData) {
+			return false
+		}
+		s.inwin = maxStreamData
+		s.insendmax.setSent(pnum)
+	}
 	return true
 }
 
+// appendOutFrames appends RESET_STREAM, STREAM_DATA_BLOCKED, and STREAM frames
+// to the current packet.
+//
+// It returns true if no more frames need appending,
+// false if not everything fit in the current packet.
 func (s *Stream) appendOutFrames(w *packetWriter, pnum packetNumber, pto bool) bool {
+	s.outgate.lock()
+	defer s.outUnlockNoQueue()
 	// TODO: RESET_STREAM
-	// TODO: STREAM_DATA_BLOCKED
-	// TODO: STREAM frames with data
-	if s.outopened.shouldSendPTO(pto) {
-		off := int64(0)
-		size := 0
-		fin := false
-		_, added := w.appendStreamFrame(s.id, off, size, fin)
+	if s.outblocked.shouldSendPTO(pto) {
+		// STREAM_DATA_BLOCKED
+		if !w.appendStreamDataBlockedFrame(s.id, s.out.end) {
+			return false
+		}
+		s.outblocked.setSent(pnum)
+		s.frameOpensStream(pnum)
+	}
+	// STREAM
+	for {
+		off, size := dataToSend(s.out, s.outunsent, s.outacked, pto)
+		fin := s.outclosed.isSet() && off+size == s.out.end
+		shouldSend := size > 0 || // have data to send
+			s.outopened.shouldSendPTO(pto) || // should open the stream
+			(fin && s.outclosed.shouldSendPTO(pto)) // should close the stream
+		if !shouldSend {
+			return true
+		}
+		b, added := w.appendStreamFrame(s.id, off, int(size), fin)
 		if !added {
 			return false
 		}
+		s.out.copy(off, b)
+		s.outunsent.sub(off, off+int64(len(b)))
+		s.frameOpensStream(pnum)
+		if fin {
+			s.outclosed.setSent(pnum)
+		}
+		if pto {
+			return true
+		}
+		if int64(len(b)) < size {
+			return false
+		}
+	}
+}
+
+// frameOpensStream records that we're sending a frame that will open the stream.
+//
+// If we don't have an acknowledgement from the peer for a previous frame opening the stream,
+// record this packet as being the latest one to open it.
+func (s *Stream) frameOpensStream(pnum packetNumber) {
+	if !s.outopened.isReceived() {
 		s.outopened.setSent(pnum)
 	}
-	return true
+}
+
+// dataToSend returns the next range of data to send in a STREAM or CRYPTO_STREAM.
+func dataToSend(out pipe, outunsent, outacked rangeset[int64], pto bool) (start, size int64) {
+	switch {
+	case pto:
+		// On PTO, resend unacked data that fits in the probe packet.
+		// For simplicity, we send the range starting at s.out.start
+		// (which is definitely unacked, or else we would have discarded it)
+		// up to the next acked byte (if any).
+		//
+		// This may miss unacked data starting after that acked byte,
+		// but avoids resending data the peer has acked.
+		for _, r := range outacked {
+			if r.start > out.start {
+				return out.start, r.start - out.start
+			}
+		}
+		return out.start, out.end - out.start
+	case outunsent.numRanges() > 0:
+		return outunsent.min(), outunsent[0].size()
+	default:
+		return out.end, 0
+	}
 }
diff --git a/internal/quic/stream_test.go b/internal/quic/stream_test.go
index 8ae9dbc82..d158e72af 100644
--- a/internal/quic/stream_test.go
+++ b/internal/quic/stream_test.go
@@ -7,10 +7,703 @@
 package quic
 
 import (
+	"bytes"
+	"context"
+	"crypto/rand"
+	"fmt"
+	"io"
 	"reflect"
+	"strings"
 	"testing"
 )
 
+func TestStreamWriteBlockedByStreamFlowControl(t *testing.T) {
+	testStreamTypes(t, "", func(t *testing.T, styp streamType) {
+		ctx := canceledContext()
+		want := []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9}
+		tc := newTestConn(t, clientSide, func(p *transportParameters) {
+			p.initialMaxStreamsBidi = 100
+			p.initialMaxStreamsUni = 100
+			p.initialMaxData = 1 << 20
+		})
+		tc.handshake()
+		tc.ignoreFrame(frameTypeAck)
+
+		// Non-blocking write with no flow control.
+		s, err := tc.conn.newLocalStream(ctx, styp)
+		if err != nil {
+			t.Fatal(err)
+		}
+		_, err = s.WriteContext(ctx, want)
+		if err != context.Canceled {
+			t.Fatalf("write to stream with no flow control: err = %v, want context.Canceled", err)
+		}
+		tc.wantFrame("write blocked by flow control triggers a STREAM_DATA_BLOCKED frame",
+			packetType1RTT, debugFrameStreamDataBlocked{
+				id:  s.id,
+				max: 0,
+			})
+
+		// Blocking write waiting for flow control.
+		w := runAsync(tc, func(ctx context.Context) (int, error) {
+			return s.WriteContext(ctx, want)
+		})
+		tc.wantFrame("second blocked write triggers another STREAM_DATA_BLOCKED",
+			packetType1RTT, debugFrameStreamDataBlocked{
+				id:  s.id,
+				max: 0,
+			})
+		tc.writeFrames(packetType1RTT, debugFrameMaxStreamData{
+			id:  s.id,
+			max: 4,
+		})
+		tc.wantFrame("stream window extended, but still more data to write",
+			packetType1RTT, debugFrameStreamDataBlocked{
+				id:  s.id,
+				max: 4,
+			})
+		tc.wantFrame("stream window extended to 4, expect blocked write to progress",
+			packetType1RTT, debugFrameStream{
+				id:   s.id,
+				data: want[:4],
+			})
+
+		tc.writeFrames(packetType1RTT, debugFrameMaxStreamData{
+			id:  s.id,
+			max: int64(len(want)),
+		})
+		tc.wantFrame("stream window extended further, expect blocked write to finish",
+			packetType1RTT, debugFrameStream{
+				id:   s.id,
+				off:  4,
+				data: want[4:],
+			})
+		n, err := w.result()
+		if n != len(want) || err != nil {
+			t.Errorf("Write() = %v, %v; want %v, nil", n, err, len(want))
+		}
+	})
+}
+
+func TestStreamIgnoresMaxStreamDataReduction(t *testing.T) {
+	// "A sender MUST ignore any MAX_STREAM_DATA [...] frames that
+	// do not increase flow control limits."
+	// https://www.rfc-editor.org/rfc/rfc9000#section-4.1-9
+	testStreamTypes(t, "", func(t *testing.T, styp streamType) {
+		ctx := canceledContext()
+		want := []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9}
+		tc := newTestConn(t, clientSide, func(p *transportParameters) {
+			if styp == uniStream {
+				p.initialMaxStreamsUni = 1
+				p.initialMaxStreamDataUni = 4
+			} else {
+				p.initialMaxStreamsBidi = 1
+				p.initialMaxStreamDataBidiRemote = 4
+			}
+			p.initialMaxData = 1 << 20
+		})
+		tc.handshake()
+		tc.ignoreFrame(frameTypeAck)
+		tc.ignoreFrame(frameTypeStreamDataBlocked)
+
+		// Write [0,1).
+		s, err := tc.conn.newLocalStream(ctx, styp)
+		if err != nil {
+			t.Fatal(err)
+		}
+		s.WriteContext(ctx, want[:1])
+		tc.wantFrame("sent data (1 byte) fits within flow control limit",
+			packetType1RTT, debugFrameStream{
+				id:   s.id,
+				off:  0,
+				data: want[:1],
+			})
+
+		// MAX_STREAM_DATA tries to decrease limit, and is ignored.
+		tc.writeFrames(packetType1RTT, debugFrameMaxStreamData{
+			id:  s.id,
+			max: 2,
+		})
+
+		// Write [1,4).
+		s.WriteContext(ctx, want[1:])
+		tc.wantFrame("stream limit is 4 bytes, ignoring decrease in MAX_STREAM_DATA",
+			packetType1RTT, debugFrameStream{
+				id:   s.id,
+				off:  1,
+				data: want[1:4],
+			})
+
+		// MAX_STREAM_DATA increases limit.
+		// Second MAX_STREAM_DATA decreases it, and is ignored.
+		tc.writeFrames(packetType1RTT, debugFrameMaxStreamData{
+			id:  s.id,
+			max: 8,
+		})
+		tc.writeFrames(packetType1RTT, debugFrameMaxStreamData{
+			id:  s.id,
+			max: 6,
+		})
+
+		// Write [1,4).
+		s.WriteContext(ctx, want[4:])
+		tc.wantFrame("stream limit is 8 bytes, ignoring decrease in MAX_STREAM_DATA",
+			packetType1RTT, debugFrameStream{
+				id:   s.id,
+				off:  4,
+				data: want[4:8],
+			})
+	})
+}
+
+func TestStreamWriteBlockedByWriteBufferLimit(t *testing.T) {
+	testStreamTypes(t, "", func(t *testing.T, styp streamType) {
+		ctx := canceledContext()
+		want := []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9}
+		const maxWriteBuffer = 4
+		tc := newTestConn(t, clientSide, func(p *transportParameters) {
+			p.initialMaxStreamsBidi = 100
+			p.initialMaxStreamsUni = 100
+			p.initialMaxData = 1 << 20
+			p.initialMaxStreamDataBidiRemote = 1 << 20
+			p.initialMaxStreamDataUni = 1 << 20
+		}, func(c *Config) {
+			c.StreamWriteBufferSize = maxWriteBuffer
+		})
+		tc.handshake()
+		tc.ignoreFrame(frameTypeAck)
+
+		// Write more data than StreamWriteBufferSize.
+		// The peer has given us plenty of flow control,
+		// so we're just blocked by our local limit.
+		s, err := tc.conn.newLocalStream(ctx, styp)
+		if err != nil {
+			t.Fatal(err)
+		}
+		w := runAsync(tc, func(ctx context.Context) (int, error) {
+			return s.WriteContext(ctx, want)
+		})
+		tc.wantFrame("stream write should send as much data as write buffer allows",
+			packetType1RTT, debugFrameStream{
+				id:   s.id,
+				off:  0,
+				data: want[:maxWriteBuffer],
+			})
+		tc.wantIdle("no STREAM_DATA_BLOCKED, we're blocked locally not by flow control")
+
+		// ACK for previously-sent data allows making more progress.
+		tc.writeFrames(packetType1RTT, debugFrameAck{
+			ranges: []i64range[packetNumber]{{0, tc.sentFramePacket.num + 1}},
+		})
+		tc.wantFrame("ACK for previous data allows making progress",
+			packetType1RTT, debugFrameStream{
+				id:   s.id,
+				off:  maxWriteBuffer,
+				data: want[maxWriteBuffer:][:maxWriteBuffer],
+			})
+
+		// Cancel the write with data left to send.
+		w.cancel()
+		n, err := w.result()
+		if n != 2*maxWriteBuffer || err == nil {
+			t.Fatalf("WriteContext() = %v, %v; want %v bytes, error", n, err, 2*maxWriteBuffer)
+		}
+	})
+}
+
+func TestStreamReceive(t *testing.T) {
+	// "Endpoints MUST be able to deliver stream data to an application as
+	// an ordered byte stream."
+	// https://www.rfc-editor.org/rfc/rfc9000#section-2.2-2
+	want := make([]byte, 5000)
+	for i := range want {
+		want[i] = byte(i)
+	}
+	type frame struct {
+		start   int64
+		end     int64
+		fin     bool
+		want    int
+		wantEOF bool
+	}
+	for _, test := range []struct {
+		name   string
+		frames []frame
+	}{{
+		name: "linear",
+		frames: []frame{{
+			start: 0,
+			end:   1000,
+			want:  1000,
+		}, {
+			start: 1000,
+			end:   2000,
+			want:  2000,
+		}, {
+			start:   2000,
+			end:     3000,
+			want:    3000,
+			fin:     true,
+			wantEOF: true,
+		}},
+	}, {
+		name: "out of order",
+		frames: []frame{{
+			start: 1000,
+			end:   2000,
+		}, {
+			start: 2000,
+			end:   3000,
+		}, {
+			start: 0,
+			end:   1000,
+			want:  3000,
+		}},
+	}, {
+		name: "resent",
+		frames: []frame{{
+			start: 0,
+			end:   1000,
+			want:  1000,
+		}, {
+			start: 0,
+			end:   1000,
+			want:  1000,
+		}, {
+			start: 1000,
+			end:   2000,
+			want:  2000,
+		}, {
+			start: 0,
+			end:   1000,
+			want:  2000,
+		}, {
+			start: 1000,
+			end:   2000,
+			want:  2000,
+		}},
+	}, {
+		name: "overlapping",
+		frames: []frame{{
+			start: 0,
+			end:   1000,
+			want:  1000,
+		}, {
+			start: 3000,
+			end:   4000,
+			want:  1000,
+		}, {
+			start: 2000,
+			end:   3000,
+			want:  1000,
+		}, {
+			start: 1000,
+			end:   3000,
+			want:  4000,
+		}},
+	}, {
+		name: "early eof",
+		frames: []frame{{
+			start: 3000,
+			end:   3000,
+			fin:   true,
+			want:  0,
+		}, {
+			start: 1000,
+			end:   2000,
+			want:  0,
+		}, {
+			start: 0,
+			end:   1000,
+			want:  2000,
+		}, {
+			start:   2000,
+			end:     3000,
+			want:    3000,
+			wantEOF: true,
+		}},
+	}, {
+		name: "empty eof",
+		frames: []frame{{
+			start: 0,
+			end:   1000,
+			want:  1000,
+		}, {
+			start:   1000,
+			end:     1000,
+			fin:     true,
+			want:    1000,
+			wantEOF: true,
+		}},
+	}} {
+		testStreamTypes(t, test.name, func(t *testing.T, styp streamType) {
+			ctx := canceledContext()
+			tc := newTestConn(t, serverSide)
+			tc.handshake()
+			sid := newStreamID(clientSide, styp, 0)
+			var s *Stream
+			got := make([]byte, len(want))
+			var total int
+			for _, f := range test.frames {
+				t.Logf("receive [%v,%v)", f.start, f.end)
+				tc.writeFrames(packetType1RTT, debugFrameStream{
+					id:   sid,
+					off:  f.start,
+					data: want[f.start:f.end],
+					fin:  f.fin,
+				})
+				if s == nil {
+					var err error
+					s, err = tc.conn.AcceptStream(ctx)
+					if err != nil {
+						tc.t.Fatalf("conn.AcceptStream() = %v", err)
+					}
+				}
+				for {
+					n, err := s.ReadContext(ctx, got[total:])
+					t.Logf("s.ReadContext() = %v, %v", n, err)
+					total += n
+					if f.wantEOF && err != io.EOF {
+						t.Fatalf("ReadContext() error = %v; want io.EOF", err)
+					}
+					if !f.wantEOF && err == io.EOF {
+						t.Fatalf("ReadContext() error = io.EOF, want something else")
+					}
+					if err != nil {
+						break
+					}
+				}
+				if total != f.want {
+					t.Fatalf("total bytes read = %v, want %v", total, f.want)
+				}
+				for i := 0; i < total; i++ {
+					if got[i] != want[i] {
+						t.Fatalf("byte %v differs: got %v, want %v", i, got[i], want[i])
+					}
+				}
+			}
+		})
+	}
+
+}
+
+func TestStreamReceiveExtendsStreamWindow(t *testing.T) {
+	testStreamTypes(t, "", func(t *testing.T, styp streamType) {
+		const maxWindowSize = 20
+		ctx := canceledContext()
+		tc := newTestConn(t, serverSide, func(c *Config) {
+			c.StreamReadBufferSize = maxWindowSize
+		})
+		tc.handshake()
+		tc.ignoreFrame(frameTypeAck)
+		sid := newStreamID(clientSide, styp, 0)
+		tc.writeFrames(packetType1RTT, debugFrameStream{
+			id:   sid,
+			off:  0,
+			data: make([]byte, maxWindowSize),
+		})
+		s, err := tc.conn.AcceptStream(ctx)
+		if err != nil {
+			t.Fatalf("AcceptStream: %v", err)
+		}
+		tc.wantIdle("stream window is not extended before data is read")
+		buf := make([]byte, maxWindowSize+1)
+		if n, err := s.ReadContext(ctx, buf); n != maxWindowSize || err != nil {
+			t.Fatalf("s.ReadContext() = %v, %v; want %v, nil", n, err, maxWindowSize)
+		}
+		tc.wantFrame("stream window is extended after reading data",
+			packetType1RTT, debugFrameMaxStreamData{
+				id:  sid,
+				max: maxWindowSize * 2,
+			})
+		tc.writeFrames(packetType1RTT, debugFrameStream{
+			id:   sid,
+			off:  maxWindowSize,
+			data: make([]byte, maxWindowSize),
+			fin:  true,
+		})
+		if n, err := s.ReadContext(ctx, buf); n != maxWindowSize || err != io.EOF {
+			t.Fatalf("s.ReadContext() = %v, %v; want %v, io.EOF", n, err, maxWindowSize)
+		}
+		tc.wantIdle("stream window is not extended after FIN")
+	})
+}
+
+func TestStreamReceiveViolatesStreamDataLimit(t *testing.T) {
+	// "A receiver MUST close the connection with an error of type FLOW_CONTROL_ERROR if
+	// the sender violates the advertised [...] stream data limits [...]"
+	// https://www.rfc-editor.org/rfc/rfc9000#section-4.1-8
+	testStreamTypes(t, "", func(t *testing.T, styp streamType) {
+		const maxStreamData = 10
+		for _, test := range []struct {
+			off  int64
+			size int64
+		}{{
+			off:  maxStreamData,
+			size: 1,
+		}, {
+			off:  0,
+			size: maxStreamData + 1,
+		}, {
+			off:  maxStreamData - 1,
+			size: 2,
+		}} {
+			tc := newTestConn(t, serverSide, func(c *Config) {
+				c.StreamReadBufferSize = maxStreamData
+			})
+			tc.handshake()
+			tc.ignoreFrame(frameTypeAck)
+			tc.writeFrames(packetType1RTT, debugFrameStream{
+				id:   newStreamID(clientSide, styp, 0),
+				off:  test.off,
+				data: make([]byte, test.size),
+			})
+			tc.wantFrame(
+				fmt.Sprintf("data [%v,%v) violates stream data limit and closes connection",
+					test.off, test.off+test.size),
+				packetType1RTT, debugFrameConnectionCloseTransport{
+					code: errFlowControl,
+				},
+			)
+		}
+	})
+}
+
+func TestStreamReceiveDuplicateDataDoesNotViolateLimits(t *testing.T) {
+	testStreamTypes(t, "", func(t *testing.T, styp streamType) {
+		const maxData = 10
+		tc := newTestConn(t, serverSide, func(c *Config) {
+			// TODO: Add connection-level maximum data here as well.
+			c.StreamReadBufferSize = maxData
+		})
+		tc.handshake()
+		tc.ignoreFrame(frameTypeAck)
+		for i := 0; i < 3; i++ {
+			tc.writeFrames(packetType1RTT, debugFrameStream{
+				id:   newStreamID(clientSide, styp, 0),
+				off:  0,
+				data: make([]byte, maxData),
+			})
+			tc.wantIdle(fmt.Sprintf("conn sends no frames after receiving data frame %v", i))
+		}
+	})
+}
+
+func TestStreamFinalSizeChangedByStreamFrame(t *testing.T) {
+	// "If a [...] STREAM frame is received indicating a change
+	// in the final size for the stream, an endpoint SHOULD
+	// respond with an error of type FINAL_SIZE_ERROR [...]"
+	// https://www.rfc-editor.org/rfc/rfc9000#section-4.5-5
+	testStreamTypes(t, "", func(t *testing.T, styp streamType) {
+		tc := newTestConn(t, serverSide)
+		tc.handshake()
+		sid := newStreamID(clientSide, styp, 0)
+
+		const write1size = 4
+		tc.writeFrames(packetType1RTT, debugFrameStream{
+			id:  sid,
+			off: 10,
+			fin: true,
+		})
+		tc.writeFrames(packetType1RTT, debugFrameStream{
+			id:  sid,
+			off: 9,
+			fin: true,
+		})
+		tc.wantFrame("change in final size of stream is an error",
+			packetType1RTT, debugFrameConnectionCloseTransport{
+				code: errFinalSize,
+			},
+		)
+	})
+}
+
+func TestStreamDataBeyondFinalSize(t *testing.T) {
+	// "A receiver SHOULD treat receipt of data at or beyond
+	// the final size as an error of type FINAL_SIZE_ERROR [...]"
+	// https://www.rfc-editor.org/rfc/rfc9000#section-4.5-5
+	testStreamTypes(t, "", func(t *testing.T, styp streamType) {
+		tc := newTestConn(t, serverSide)
+		tc.handshake()
+		sid := newStreamID(clientSide, styp, 0)
+
+		const write1size = 4
+		tc.writeFrames(packetType1RTT, debugFrameStream{
+			id:   sid,
+			off:  0,
+			data: make([]byte, 16),
+			fin:  true,
+		})
+		tc.writeFrames(packetType1RTT, debugFrameStream{
+			id:   sid,
+			off:  16,
+			data: []byte{0},
+		})
+		tc.wantFrame("received data past final size of stream",
+			packetType1RTT, debugFrameConnectionCloseTransport{
+				code: errFinalSize,
+			},
+		)
+	})
+}
+
+func TestStreamReceiveUnblocksReader(t *testing.T) {
+	testStreamTypes(t, "", func(t *testing.T, styp streamType) {
+		tc := newTestConn(t, serverSide)
+		tc.handshake()
+		want := []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9}
+		sid := newStreamID(clientSide, styp, 0)
+
+		// AcceptStream blocks until a STREAM frame is received.
+		accept := runAsync(tc, func(ctx context.Context) (*Stream, error) {
+			return tc.conn.AcceptStream(ctx)
+		})
+		const write1size = 4
+		tc.writeFrames(packetType1RTT, debugFrameStream{
+			id:   sid,
+			off:  0,
+			data: want[:write1size],
+		})
+		s, err := accept.result()
+		if err != nil {
+			t.Fatalf("AcceptStream() = %v", err)
+		}
+
+		// ReadContext succeeds immediately, since we already have data.
+		got := make([]byte, len(want))
+		read := runAsync(tc, func(ctx context.Context) (int, error) {
+			return s.ReadContext(ctx, got)
+		})
+		if n, err := read.result(); n != write1size || err != nil {
+			t.Fatalf("ReadContext = %v, %v; want %v, nil", n, err, write1size)
+		}
+
+		// ReadContext blocks waiting for more data.
+		read = runAsync(tc, func(ctx context.Context) (int, error) {
+			return s.ReadContext(ctx, got[write1size:])
+		})
+		tc.writeFrames(packetType1RTT, debugFrameStream{
+			id:   sid,
+			off:  write1size,
+			data: want[write1size:],
+			fin:  true,
+		})
+		if n, err := read.result(); n != len(want)-write1size || err != io.EOF {
+			t.Fatalf("ReadContext = %v, %v; want %v, io.EOF", n, err, len(want)-write1size)
+		}
+		if !bytes.Equal(got, want) {
+			t.Fatalf("read bytes %x, want %x", got, want)
+		}
+	})
+}
+
+// testStreamSendFrameInvalidState calls the test func with a stream ID for:
+//
+//   - a remote bidirectional stream that the peer has not created
+//   - a remote unidirectional stream
+//
+// It then sends the returned frame (STREAM, STREAM_DATA_BLOCKED, etc.)
+// to the conn and expects a STREAM_STATE_ERROR.
+func testStreamSendFrameInvalidState(t *testing.T, f func(sid streamID) debugFrame) {
+	testSides(t, "stream_not_created", func(t *testing.T, side connSide) {
+		tc := newTestConn(t, side)
+		tc.handshake()
+		tc.writeFrames(packetType1RTT, f(newStreamID(side, bidiStream, 0)))
+		tc.wantFrame("frame for local stream which has not been created",
+			packetType1RTT, debugFrameConnectionCloseTransport{
+				code: errStreamState,
+			})
+	})
+	testSides(t, "uni_stream", func(t *testing.T, side connSide) {
+		ctx := canceledContext()
+		tc := newTestConn(t, side)
+		tc.handshake()
+		sid := newStreamID(side, uniStream, 0)
+		s, err := tc.conn.NewSendOnlyStream(ctx)
+		if err != nil {
+			t.Fatal(err)
+		}
+		s.Write(nil) // open the stream
+		tc.wantFrame("new stream is opened",
+			packetType1RTT, debugFrameStream{
+				id:   sid,
+				data: []byte{},
+			})
+		tc.writeFrames(packetType1RTT, f(sid))
+		tc.wantFrame("send-oriented frame for send-only stream",
+			packetType1RTT, debugFrameConnectionCloseTransport{
+				code: errStreamState,
+			})
+	})
+}
+
+func TestStreamStreamFrameInvalidState(t *testing.T) {
+	// "An endpoint MUST terminate the connection with error STREAM_STATE_ERROR
+	// if it receives a STREAM frame for a locally initiated stream
+	// that has not yet been created, or for a send-only stream."
+	// https://www.rfc-editor.org/rfc/rfc9000.html#section-19.8-3
+	testStreamSendFrameInvalidState(t, func(sid streamID) debugFrame {
+		return debugFrameStream{
+			id: sid,
+		}
+	})
+}
+
+func TestStreamDataBlockedInvalidState(t *testing.T) {
+	// "An endpoint MUST terminate the connection with error STREAM_STATE_ERROR
+	// if it receives a STREAM frame for a locally initiated stream
+	// that has not yet been created, or for a send-only stream."
+	// https://www.rfc-editor.org/rfc/rfc9000.html#section-19.8-3
+	testStreamSendFrameInvalidState(t, func(sid streamID) debugFrame {
+		return debugFrameStream{
+			id: sid,
+		}
+	})
+}
+
+// testStreamReceiveFrameInvalidState calls the test func with a stream ID for:
+//
+//   - a remote bidirectional stream that the peer has not created
+//   - a local unidirectional stream
+//
+// It then sends the returned frame (MAX_STREAM_DATA, STOP_SENDING, etc.)
+// to the conn and expects a STREAM_STATE_ERROR.
+func testStreamReceiveFrameInvalidState(t *testing.T, f func(sid streamID) debugFrame) {
+	testSides(t, "stream_not_created", func(t *testing.T, side connSide) {
+		tc := newTestConn(t, side)
+		tc.handshake()
+		tc.writeFrames(packetType1RTT, f(newStreamID(side, bidiStream, 0)))
+		tc.wantFrame("frame for local stream which has not been created",
+			packetType1RTT, debugFrameConnectionCloseTransport{
+				code: errStreamState,
+			})
+	})
+	testSides(t, "uni_stream", func(t *testing.T, side connSide) {
+		tc := newTestConn(t, side)
+		tc.handshake()
+		tc.writeFrames(packetType1RTT, f(newStreamID(side.peer(), uniStream, 0)))
+		tc.wantFrame("receive-oriented frame for receive-only stream",
+			packetType1RTT, debugFrameConnectionCloseTransport{
+				code: errStreamState,
+			})
+	})
+}
+
+func TestStreamMaxStreamDataInvalidState(t *testing.T) {
+	// "Receiving a MAX_STREAM_DATA frame for a locally initiated stream
+	// that has not yet been created MUST be treated as a connection error
+	// of type STREAM_STATE_ERROR. An endpoint that receives a MAX_STREAM_DATA
+	// frame for a receive-only stream MUST terminate the connection
+	// with error STREAM_STATE_ERROR."
+	// https://www.rfc-editor.org/rfc/rfc9000#section-19.10-2
+	testStreamReceiveFrameInvalidState(t, func(sid streamID) debugFrame {
+		return debugFrameMaxStreamData{
+			id:  sid,
+			max: 1000,
+		}
+	})
+}
+
 func TestStreamOffsetTooLarge(t *testing.T) {
 	// "Receipt of a frame that exceeds [2^62-1] MUST be treated as a
 	// connection error of type FRAME_ENCODING_ERROR or FLOW_CONTROL_ERROR."
@@ -31,3 +724,104 @@ func TestStreamOffsetTooLarge(t *testing.T) {
 		t.Fatalf("STREAM offset exceeds 2^62-1\ngot:  %v\nwant: %v\n  or: %v", got, want1, want2)
 	}
 }
+
+func TestStreamReadFromWriteOnlyStream(t *testing.T) {
+	_, s := newTestConnAndLocalStream(t, serverSide, uniStream)
+	buf := make([]byte, 10)
+	wantErr := "read from write-only stream"
+	if n, err := s.Read(buf); err == nil || !strings.Contains(err.Error(), wantErr) {
+		t.Errorf("s.Read() = %v, %v; want error %q", n, err, wantErr)
+	}
+}
+
+func TestStreamWriteToReadOnlyStream(t *testing.T) {
+	_, s := newTestConnAndRemoteStream(t, serverSide, uniStream)
+	buf := make([]byte, 10)
+	wantErr := "write to read-only stream"
+	if n, err := s.Write(buf); err == nil || !strings.Contains(err.Error(), wantErr) {
+		t.Errorf("s.Write() = %v, %v; want error %q", n, err, wantErr)
+	}
+}
+
+func TestStreamWriteToClosedStream(t *testing.T) {
+	tc, s := newTestConnAndLocalStream(t, serverSide, bidiStream, func(p *transportParameters) {
+		p.initialMaxStreamsBidi = 1
+		p.initialMaxData = 1 << 20
+		p.initialMaxStreamDataBidiRemote = 1 << 20
+	})
+	s.Close()
+	tc.wantFrame("stream is opened after being closed",
+		packetType1RTT, debugFrameStream{
+			id:   s.id,
+			off:  0,
+			fin:  true,
+			data: []byte{},
+		})
+	wantErr := "write to closed stream"
+	if n, err := s.Write([]byte{}); err == nil || !strings.Contains(err.Error(), wantErr) {
+		t.Errorf("s.Write() = %v, %v; want error %q", n, err, wantErr)
+	}
+}
+
+func TestStreamWriteMoreThanOnePacketOfData(t *testing.T) {
+	tc, s := newTestConnAndLocalStream(t, serverSide, uniStream, func(p *transportParameters) {
+		p.initialMaxStreamsUni = 1
+		p.initialMaxData = 1 << 20
+		p.initialMaxStreamDataUni = 1 << 20
+	})
+	want := make([]byte, 4096)
+	rand.Read(want) // doesn't need to be crypto/rand, but non-deprecated and harmless
+	w := runAsync(tc, func(ctx context.Context) (int, error) {
+		return s.WriteContext(ctx, want)
+	})
+	got := make([]byte, 0, len(want))
+	for {
+		f, _ := tc.readFrame()
+		if f == nil {
+			break
+		}
+		sf, ok := f.(debugFrameStream)
+		if !ok {
+			t.Fatalf("unexpected frame: %v", sf)
+		}
+		if len(got) != int(sf.off) {
+			t.Fatalf("got frame: %v\nwant offset %v", sf, len(got))
+		}
+		got = append(got, sf.data...)
+	}
+	if n, err := w.result(); n != len(want) || err != nil {
+		t.Fatalf("s.WriteContext() = %v, %v; want %v, nil", n, err, len(want))
+	}
+	if !bytes.Equal(got, want) {
+		t.Fatalf("mismatch in received stream data")
+	}
+}
+
+func newTestConnAndLocalStream(t *testing.T, side connSide, styp streamType, opts ...any) (*testConn, *Stream) {
+	t.Helper()
+	ctx := canceledContext()
+	tc := newTestConn(t, side, opts...)
+	tc.handshake()
+	tc.ignoreFrame(frameTypeAck)
+	s, err := tc.conn.newLocalStream(ctx, styp)
+	if err != nil {
+		t.Fatalf("conn.newLocalStream(%v) = %v", styp, err)
+	}
+	return tc, s
+}
+
+func newTestConnAndRemoteStream(t *testing.T, side connSide, styp streamType, opts ...any) (*testConn, *Stream) {
+	t.Helper()
+	ctx := canceledContext()
+	tc := newTestConn(t, side, opts...)
+	tc.handshake()
+	tc.ignoreFrame(frameTypeAck)
+	tc.writeFrames(packetType1RTT, debugFrameStream{
+		id: newStreamID(side.peer(), styp, 0),
+	})
+	s, err := tc.conn.AcceptStream(ctx)
+	if err != nil {
+		t.Fatalf("conn.AcceptStream() = %v", err)
+	}
+	return tc, s
+}

From 126a5f3b343c940b1ce677f43b138556311b0999 Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Wed, 9 Aug 2023 10:55:08 -0700
Subject: [PATCH 03/22] quic: fix some bugs in the sendable stream list

Write a test for multiple streams simultaneously sending data.
Exercise the stream send queue, verify that we fairly schedule
sends among the available streams.

Fix a couple bugs turned up by the test.

For golang/go#58547

Change-Id: I6a56f121d5cb49e79c9e4ad043fb94d34a4dab40
Reviewed-on: https://go-review.googlesource.com/c/net/+/517859
Reviewed-by: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
---
 internal/quic/conn_streams.go      | 10 ++--
 internal/quic/conn_streams_test.go | 82 ++++++++++++++++++++++++++++++
 2 files changed, 89 insertions(+), 3 deletions(-)

diff --git a/internal/quic/conn_streams.go b/internal/quic/conn_streams.go
index 7a531f52b..dd35e34cf 100644
--- a/internal/quic/conn_streams.go
+++ b/internal/quic/conn_streams.go
@@ -163,6 +163,7 @@ func (c *Conn) queueStreamForSend(s *Stream) {
 		// Insert this stream at the end of the queue.
 		c.streams.sendTail.next = s
 		c.streams.sendTail = s
+		s.next = c.streams.sendHead
 	}
 	c.streams.needSend.Store(true)
 	c.wake()
@@ -202,7 +203,11 @@ func (c *Conn) appendStreamFrames(w *packetWriter, pnum packetNumber, pto bool)
 			}
 			return false
 		}
+		next := s.next
 		s.next = nil
+		if (next == s) != (s == c.streams.sendTail) {
+			panic("BUG: sendable stream list state is inconsistent")
+		}
 		if s == c.streams.sendTail {
 			// This was the last stream.
 			c.streams.sendHead = nil
@@ -211,9 +216,8 @@ func (c *Conn) appendStreamFrames(w *packetWriter, pnum packetNumber, pto bool)
 			return true
 		}
 		// We've sent all data for this stream, so remove it from the list.
-		c.streams.sendTail.next = s.next
-		c.streams.sendHead = s.next
-		s.next = nil
+		c.streams.sendTail.next = next
+		c.streams.sendHead = next
 	}
 }
 
diff --git a/internal/quic/conn_streams_test.go b/internal/quic/conn_streams_test.go
index bcbbe81ce..877dbb94f 100644
--- a/internal/quic/conn_streams_test.go
+++ b/internal/quic/conn_streams_test.go
@@ -171,3 +171,85 @@ func TestStreamsStreamSendOnly(t *testing.T) {
 			code: errStreamState,
 		})
 }
+
+func TestStreamsWriteQueueFairness(t *testing.T) {
+	ctx := canceledContext()
+	const dataLen = 1 << 20
+	const numStreams = 3
+	tc := newTestConn(t, clientSide, func(p *transportParameters) {
+		p.initialMaxStreamsBidi = numStreams
+		p.initialMaxData = 1<<62 - 1
+		p.initialMaxStreamDataBidiRemote = dataLen
+	}, func(c *Config) {
+		c.StreamWriteBufferSize = dataLen
+	})
+	tc.handshake()
+	tc.ignoreFrame(frameTypeAck)
+
+	// Create a number of streams, and write a bunch of data to them.
+	// The streams are not limited by flow control.
+	//
+	// The first stream we create is going to immediately consume all
+	// available congestion window.
+	//
+	// Once we've created all the remaining streams,
+	// we start sending acks back to open up the congestion window.
+	// We verify that all streams can make progress.
+	data := make([]byte, dataLen)
+	var streams []*Stream
+	for i := 0; i < numStreams; i++ {
+		s, err := tc.conn.NewStream(ctx)
+		if err != nil {
+			t.Fatal(err)
+		}
+		streams = append(streams, s)
+		if n, err := s.WriteContext(ctx, data); n != len(data) || err != nil {
+			t.Fatalf("s.WriteContext() = %v, %v; want %v, nil", n, err, len(data))
+		}
+		// Wait for the stream to finish writing whatever frames it can before
+		// congestion control blocks it.
+		tc.wait()
+	}
+
+	sent := make([]int64, len(streams))
+	for {
+		p := tc.readPacket()
+		if p == nil {
+			break
+		}
+		tc.writeFrames(packetType1RTT, debugFrameAck{
+			ranges: []i64range[packetNumber]{{0, p.num}},
+		})
+		for _, f := range p.frames {
+			sf, ok := f.(debugFrameStream)
+			if !ok {
+				t.Fatalf("got unexpected frame (want STREAM): %v", sf)
+			}
+			if got, want := sf.off, sent[sf.id.num()]; got != want {
+				t.Fatalf("got frame: %v\nwant offset: %v", sf, want)
+			}
+			sent[sf.id.num()] = sf.off + int64(len(sf.data))
+			// Look at the amount of data sent by all streams, excluding the first one.
+			// (The first stream got a head start when it consumed the initial window.)
+			//
+			// We expect that difference between the streams making the most and least progress
+			// so far will be less than the maximum datagram size.
+			minSent := sent[1]
+			maxSent := sent[1]
+			for _, s := range sent[2:] {
+				minSent = min(minSent, s)
+				maxSent = max(maxSent, s)
+			}
+			const maxDelta = maxUDPPayloadSize
+			if d := maxSent - minSent; d > maxDelta {
+				t.Fatalf("stream data sent: %v; delta=%v, want delta <= %v", sent, d, maxDelta)
+			}
+		}
+	}
+	// Final check that every stream sent the full amount of data expected.
+	for num, s := range sent {
+		if s != dataLen {
+			t.Errorf("stream %v sent %v bytes, want %v", num, s, dataLen)
+		}
+	}
+}

From 95cb3bb9eb72a38ad7817552051746cf41999f5a Mon Sep 17 00:00:00 2001
From: Mateusz Poliwczak <mpoliwczak34@gmail.com>
Date: Sat, 19 Aug 2023 08:25:09 +0000
Subject: [PATCH 04/22] dns/dnsmessage: show AD and CD bit in Header.GoString()

Change-Id: I7b973d255ec4ab1e1c0f8539b811ddc0503c2f48
GitHub-Last-Rev: 954434b6211a6c24d281cda61547070b586ea818
GitHub-Pull-Request: golang/net#188
Reviewed-on: https://go-review.googlesource.com/c/net/+/521075
Run-TryBot: Mateusz Poliwczak <mpoliwczak34@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
---
 dns/dnsmessage/message.go      | 2 ++
 dns/dnsmessage/message_test.go | 3 +--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/dns/dnsmessage/message.go b/dns/dnsmessage/message.go
index 37da3de4d..69938d54f 100644
--- a/dns/dnsmessage/message.go
+++ b/dns/dnsmessage/message.go
@@ -361,6 +361,8 @@ func (m *Header) GoString() string {
 		"Truncated: " + printBool(m.Truncated) + ", " +
 		"RecursionDesired: " + printBool(m.RecursionDesired) + ", " +
 		"RecursionAvailable: " + printBool(m.RecursionAvailable) + ", " +
+		"AuthenticData: " + printBool(m.AuthenticData) + ", " +
+		"CheckingDisabled: " + printBool(m.CheckingDisabled) + ", " +
 		"RCode: " + m.RCode.GoString() + "}"
 }
 
diff --git a/dns/dnsmessage/message_test.go b/dns/dnsmessage/message_test.go
index 64c6db86d..83fac7812 100644
--- a/dns/dnsmessage/message_test.go
+++ b/dns/dnsmessage/message_test.go
@@ -1185,8 +1185,7 @@ func TestGoString(t *testing.T) {
 		t.Error("Message.GoString lost information or largeTestMsg changed: msg != largeTestMsg()")
 	}
 	got := msg.GoString()
-
-	want := `dnsmessage.Message{Header: dnsmessage.Header{ID: 0, Response: true, OpCode: 0, Authoritative: true, Truncated: false, RecursionDesired: false, RecursionAvailable: false, RCode: dnsmessage.RCodeSuccess}, Questions: []dnsmessage.Question{dnsmessage.Question{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeA, Class: dnsmessage.ClassINET}}, Answers: []dnsmessage.Resource{dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeA, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.AResource{A: [4]byte{127, 0, 0, 1}}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeA, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.AResource{A: [4]byte{127, 0, 0, 2}}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeAAAA, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.AAAAResource{AAAA: [16]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeCNAME, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.CNAMEResource{CNAME: dnsmessage.MustNewName("alias.example.com.")}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeSOA, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.SOAResource{NS: dnsmessage.MustNewName("ns1.example.com."), MBox: dnsmessage.MustNewName("mb.example.com."), Serial: 1, Refresh: 2, Retry: 3, Expire: 4, MinTTL: 5}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypePTR, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.PTRResource{PTR: dnsmessage.MustNewName("ptr.example.com.")}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeMX, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.MXResource{Pref: 7, MX: dnsmessage.MustNewName("mx.example.com.")}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeSRV, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.SRVResource{Priority: 8, Weight: 9, Port: 11, Target: dnsmessage.MustNewName("srv.example.com.")}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: 65362, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.UnknownResource{Type: 65362, Data: []byte{42, 0, 43, 44}}}}, Authorities: []dnsmessage.Resource{dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeNS, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.NSResource{NS: dnsmessage.MustNewName("ns1.example.com.")}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeNS, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.NSResource{NS: dnsmessage.MustNewName("ns2.example.com.")}}}, Additionals: []dnsmessage.Resource{dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeTXT, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.TXTResource{TXT: []string{"So Long\x2c and Thanks for All the Fish"}}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeTXT, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.TXTResource{TXT: []string{"Hamster Huey and the Gooey Kablooie"}}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("."), Type: dnsmessage.TypeOPT, Class: 4096, TTL: 4261412864, Length: 0}, Body: &dnsmessage.OPTResource{Options: []dnsmessage.Option{dnsmessage.Option{Code: 10, Data: []byte{1, 35, 69, 103, 137, 171, 205, 239}}}}}}}`
+	want := `dnsmessage.Message{Header: dnsmessage.Header{ID: 0, Response: true, OpCode: 0, Authoritative: true, Truncated: false, RecursionDesired: false, RecursionAvailable: false, AuthenticData: false, CheckingDisabled: false, RCode: dnsmessage.RCodeSuccess}, Questions: []dnsmessage.Question{dnsmessage.Question{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeA, Class: dnsmessage.ClassINET}}, Answers: []dnsmessage.Resource{dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeA, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.AResource{A: [4]byte{127, 0, 0, 1}}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeA, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.AResource{A: [4]byte{127, 0, 0, 2}}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeAAAA, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.AAAAResource{AAAA: [16]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeCNAME, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.CNAMEResource{CNAME: dnsmessage.MustNewName("alias.example.com.")}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeSOA, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.SOAResource{NS: dnsmessage.MustNewName("ns1.example.com."), MBox: dnsmessage.MustNewName("mb.example.com."), Serial: 1, Refresh: 2, Retry: 3, Expire: 4, MinTTL: 5}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypePTR, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.PTRResource{PTR: dnsmessage.MustNewName("ptr.example.com.")}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeMX, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.MXResource{Pref: 7, MX: dnsmessage.MustNewName("mx.example.com.")}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeSRV, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.SRVResource{Priority: 8, Weight: 9, Port: 11, Target: dnsmessage.MustNewName("srv.example.com.")}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: 65362, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.UnknownResource{Type: 65362, Data: []byte{42, 0, 43, 44}}}}, Authorities: []dnsmessage.Resource{dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeNS, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.NSResource{NS: dnsmessage.MustNewName("ns1.example.com.")}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeNS, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.NSResource{NS: dnsmessage.MustNewName("ns2.example.com.")}}}, Additionals: []dnsmessage.Resource{dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeTXT, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.TXTResource{TXT: []string{"So Long\x2c and Thanks for All the Fish"}}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("foo.bar.example.com."), Type: dnsmessage.TypeTXT, Class: dnsmessage.ClassINET, TTL: 0, Length: 0}, Body: &dnsmessage.TXTResource{TXT: []string{"Hamster Huey and the Gooey Kablooie"}}}, dnsmessage.Resource{Header: dnsmessage.ResourceHeader{Name: dnsmessage.MustNewName("."), Type: dnsmessage.TypeOPT, Class: 4096, TTL: 4261412864, Length: 0}, Body: &dnsmessage.OPTResource{Options: []dnsmessage.Option{dnsmessage.Option{Code: 10, Data: []byte{1, 35, 69, 103, 137, 171, 205, 239}}}}}}}`
 
 	if got != want {
 		t.Errorf("got msg1.GoString() = %s\nwant = %s", got, want)

From 9cde5a081510f83ae10bc2bf88231babd81ef2d5 Mon Sep 17 00:00:00 2001
From: Alexander Yastrebov <yastrebov.alex@gmail.com>
Date: Wed, 12 Jul 2023 19:16:51 +0000
Subject: [PATCH 05/22] net/http2: remove awaitGracefulShutdown

It was added by https://golang.org/cl/43455 and
its usage was removed by https://golang.org/cl/43230

Updates golang/go#20302

Change-Id: I5072c3d9cbf9a33d2ac613bc5a3c059dc54e9d29
GitHub-Last-Rev: 68a32fb702168992427174c41c5d4638f4e567ad
GitHub-Pull-Request: golang/net#184
Reviewed-on: https://go-review.googlesource.com/c/net/+/509117
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
---
 http2/server.go | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/http2/server.go b/http2/server.go
index 033b6e6db..6d5e00887 100644
--- a/http2/server.go
+++ b/http2/server.go
@@ -1012,14 +1012,6 @@ func (sc *serverConn) serve() {
 	}
 }
 
-func (sc *serverConn) awaitGracefulShutdown(sharedCh <-chan struct{}, privateCh chan struct{}) {
-	select {
-	case <-sc.doneServing:
-	case <-sharedCh:
-		close(privateCh)
-	}
-}
-
 type serverMessage int
 
 // Message values sent to serveMsgCh.

From f89417cca1f18e39ab1db1bb80c42728f99d6143 Mon Sep 17 00:00:00 2001
From: Mateusz Poliwczak <mpoliwczak34@gmail.com>
Date: Tue, 22 Aug 2023 07:54:22 +0000
Subject: [PATCH 06/22] dns/dnsmessage: reduce Parser size

In the net package the Parser is copied a lot, the
size of the Parser can be reduced easily by not storing the
entire ResourceHeader in the Parser.

It reduces the size from 328B to 80B.

Also it makes sure that the resource header parsing
methods don't return stale headers (from different
sections).

Change-Id: If05b03ba654ca5c03d536e86446c5a2a7dc79ec3
GitHub-Last-Rev: dacd25cc355269ff2a89d855d2094bb8f152c83c
GitHub-Pull-Request: golang/net#186
Reviewed-on: https://go-review.googlesource.com/c/net/+/514855
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
Auto-Submit: Matthew Dempsky <mdempsky@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Mateusz Poliwczak <mpoliwczak34@gmail.com>
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
---
 dns/dnsmessage/message.go      |  69 +++++++++++---------
 dns/dnsmessage/message_test.go | 114 +++++++++++++++++++++++++++++++++
 2 files changed, 151 insertions(+), 32 deletions(-)

diff --git a/dns/dnsmessage/message.go b/dns/dnsmessage/message.go
index 69938d54f..19ea8f17c 100644
--- a/dns/dnsmessage/message.go
+++ b/dns/dnsmessage/message.go
@@ -542,11 +542,13 @@ type Parser struct {
 	msg    []byte
 	header header
 
-	section        section
-	off            int
-	index          int
-	resHeaderValid bool
-	resHeader      ResourceHeader
+	section         section
+	off             int
+	index           int
+	resHeaderValid  bool
+	resHeaderOffset int
+	resHeaderType   Type
+	resHeaderLength uint16
 }
 
 // Start parses the header and enables the parsing of Questions.
@@ -597,8 +599,9 @@ func (p *Parser) resource(sec section) (Resource, error) {
 
 func (p *Parser) resourceHeader(sec section) (ResourceHeader, error) {
 	if p.resHeaderValid {
-		return p.resHeader, nil
+		p.off = p.resHeaderOffset
 	}
+
 	if err := p.checkAdvance(sec); err != nil {
 		return ResourceHeader{}, err
 	}
@@ -608,14 +611,16 @@ func (p *Parser) resourceHeader(sec section) (ResourceHeader, error) {
 		return ResourceHeader{}, err
 	}
 	p.resHeaderValid = true
-	p.resHeader = hdr
+	p.resHeaderOffset = p.off
+	p.resHeaderType = hdr.Type
+	p.resHeaderLength = hdr.Length
 	p.off = off
 	return hdr, nil
 }
 
 func (p *Parser) skipResource(sec section) error {
 	if p.resHeaderValid {
-		newOff := p.off + int(p.resHeader.Length)
+		newOff := p.off + int(p.resHeaderLength)
 		if newOff > len(p.msg) {
 			return errResourceLen
 		}
@@ -866,14 +871,14 @@ func (p *Parser) SkipAllAdditionals() error {
 // One of the XXXHeader methods must have been called before calling this
 // method.
 func (p *Parser) CNAMEResource() (CNAMEResource, error) {
-	if !p.resHeaderValid || p.resHeader.Type != TypeCNAME {
+	if !p.resHeaderValid || p.resHeaderType != TypeCNAME {
 		return CNAMEResource{}, ErrNotStarted
 	}
 	r, err := unpackCNAMEResource(p.msg, p.off)
 	if err != nil {
 		return CNAMEResource{}, err
 	}
-	p.off += int(p.resHeader.Length)
+	p.off += int(p.resHeaderLength)
 	p.resHeaderValid = false
 	p.index++
 	return r, nil
@@ -884,14 +889,14 @@ func (p *Parser) CNAMEResource() (CNAMEResource, error) {
 // One of the XXXHeader methods must have been called before calling this
 // method.
 func (p *Parser) MXResource() (MXResource, error) {
-	if !p.resHeaderValid || p.resHeader.Type != TypeMX {
+	if !p.resHeaderValid || p.resHeaderType != TypeMX {
 		return MXResource{}, ErrNotStarted
 	}
 	r, err := unpackMXResource(p.msg, p.off)
 	if err != nil {
 		return MXResource{}, err
 	}
-	p.off += int(p.resHeader.Length)
+	p.off += int(p.resHeaderLength)
 	p.resHeaderValid = false
 	p.index++
 	return r, nil
@@ -902,14 +907,14 @@ func (p *Parser) MXResource() (MXResource, error) {
 // One of the XXXHeader methods must have been called before calling this
 // method.
 func (p *Parser) NSResource() (NSResource, error) {
-	if !p.resHeaderValid || p.resHeader.Type != TypeNS {
+	if !p.resHeaderValid || p.resHeaderType != TypeNS {
 		return NSResource{}, ErrNotStarted
 	}
 	r, err := unpackNSResource(p.msg, p.off)
 	if err != nil {
 		return NSResource{}, err
 	}
-	p.off += int(p.resHeader.Length)
+	p.off += int(p.resHeaderLength)
 	p.resHeaderValid = false
 	p.index++
 	return r, nil
@@ -920,14 +925,14 @@ func (p *Parser) NSResource() (NSResource, error) {
 // One of the XXXHeader methods must have been called before calling this
 // method.
 func (p *Parser) PTRResource() (PTRResource, error) {
-	if !p.resHeaderValid || p.resHeader.Type != TypePTR {
+	if !p.resHeaderValid || p.resHeaderType != TypePTR {
 		return PTRResource{}, ErrNotStarted
 	}
 	r, err := unpackPTRResource(p.msg, p.off)
 	if err != nil {
 		return PTRResource{}, err
 	}
-	p.off += int(p.resHeader.Length)
+	p.off += int(p.resHeaderLength)
 	p.resHeaderValid = false
 	p.index++
 	return r, nil
@@ -938,14 +943,14 @@ func (p *Parser) PTRResource() (PTRResource, error) {
 // One of the XXXHeader methods must have been called before calling this
 // method.
 func (p *Parser) SOAResource() (SOAResource, error) {
-	if !p.resHeaderValid || p.resHeader.Type != TypeSOA {
+	if !p.resHeaderValid || p.resHeaderType != TypeSOA {
 		return SOAResource{}, ErrNotStarted
 	}
 	r, err := unpackSOAResource(p.msg, p.off)
 	if err != nil {
 		return SOAResource{}, err
 	}
-	p.off += int(p.resHeader.Length)
+	p.off += int(p.resHeaderLength)
 	p.resHeaderValid = false
 	p.index++
 	return r, nil
@@ -956,14 +961,14 @@ func (p *Parser) SOAResource() (SOAResource, error) {
 // One of the XXXHeader methods must have been called before calling this
 // method.
 func (p *Parser) TXTResource() (TXTResource, error) {
-	if !p.resHeaderValid || p.resHeader.Type != TypeTXT {
+	if !p.resHeaderValid || p.resHeaderType != TypeTXT {
 		return TXTResource{}, ErrNotStarted
 	}
-	r, err := unpackTXTResource(p.msg, p.off, p.resHeader.Length)
+	r, err := unpackTXTResource(p.msg, p.off, p.resHeaderLength)
 	if err != nil {
 		return TXTResource{}, err
 	}
-	p.off += int(p.resHeader.Length)
+	p.off += int(p.resHeaderLength)
 	p.resHeaderValid = false
 	p.index++
 	return r, nil
@@ -974,14 +979,14 @@ func (p *Parser) TXTResource() (TXTResource, error) {
 // One of the XXXHeader methods must have been called before calling this
 // method.
 func (p *Parser) SRVResource() (SRVResource, error) {
-	if !p.resHeaderValid || p.resHeader.Type != TypeSRV {
+	if !p.resHeaderValid || p.resHeaderType != TypeSRV {
 		return SRVResource{}, ErrNotStarted
 	}
 	r, err := unpackSRVResource(p.msg, p.off)
 	if err != nil {
 		return SRVResource{}, err
 	}
-	p.off += int(p.resHeader.Length)
+	p.off += int(p.resHeaderLength)
 	p.resHeaderValid = false
 	p.index++
 	return r, nil
@@ -992,14 +997,14 @@ func (p *Parser) SRVResource() (SRVResource, error) {
 // One of the XXXHeader methods must have been called before calling this
 // method.
 func (p *Parser) AResource() (AResource, error) {
-	if !p.resHeaderValid || p.resHeader.Type != TypeA {
+	if !p.resHeaderValid || p.resHeaderType != TypeA {
 		return AResource{}, ErrNotStarted
 	}
 	r, err := unpackAResource(p.msg, p.off)
 	if err != nil {
 		return AResource{}, err
 	}
-	p.off += int(p.resHeader.Length)
+	p.off += int(p.resHeaderLength)
 	p.resHeaderValid = false
 	p.index++
 	return r, nil
@@ -1010,14 +1015,14 @@ func (p *Parser) AResource() (AResource, error) {
 // One of the XXXHeader methods must have been called before calling this
 // method.
 func (p *Parser) AAAAResource() (AAAAResource, error) {
-	if !p.resHeaderValid || p.resHeader.Type != TypeAAAA {
+	if !p.resHeaderValid || p.resHeaderType != TypeAAAA {
 		return AAAAResource{}, ErrNotStarted
 	}
 	r, err := unpackAAAAResource(p.msg, p.off)
 	if err != nil {
 		return AAAAResource{}, err
 	}
-	p.off += int(p.resHeader.Length)
+	p.off += int(p.resHeaderLength)
 	p.resHeaderValid = false
 	p.index++
 	return r, nil
@@ -1028,14 +1033,14 @@ func (p *Parser) AAAAResource() (AAAAResource, error) {
 // One of the XXXHeader methods must have been called before calling this
 // method.
 func (p *Parser) OPTResource() (OPTResource, error) {
-	if !p.resHeaderValid || p.resHeader.Type != TypeOPT {
+	if !p.resHeaderValid || p.resHeaderType != TypeOPT {
 		return OPTResource{}, ErrNotStarted
 	}
-	r, err := unpackOPTResource(p.msg, p.off, p.resHeader.Length)
+	r, err := unpackOPTResource(p.msg, p.off, p.resHeaderLength)
 	if err != nil {
 		return OPTResource{}, err
 	}
-	p.off += int(p.resHeader.Length)
+	p.off += int(p.resHeaderLength)
 	p.resHeaderValid = false
 	p.index++
 	return r, nil
@@ -1049,11 +1054,11 @@ func (p *Parser) UnknownResource() (UnknownResource, error) {
 	if !p.resHeaderValid {
 		return UnknownResource{}, ErrNotStarted
 	}
-	r, err := unpackUnknownResource(p.resHeader.Type, p.msg, p.off, p.resHeader.Length)
+	r, err := unpackUnknownResource(p.resHeaderType, p.msg, p.off, p.resHeaderLength)
 	if err != nil {
 		return UnknownResource{}, err
 	}
-	p.off += int(p.resHeader.Length)
+	p.off += int(p.resHeaderLength)
 	p.resHeaderValid = false
 	p.index++
 	return r, nil
diff --git a/dns/dnsmessage/message_test.go b/dns/dnsmessage/message_test.go
index 83fac7812..ddb062b1e 100644
--- a/dns/dnsmessage/message_test.go
+++ b/dns/dnsmessage/message_test.go
@@ -1670,3 +1670,117 @@ func FuzzUnpackPack(f *testing.F) {
 		}
 	})
 }
+
+func TestParseResourceHeaderMultipleTimes(t *testing.T) {
+	msg := Message{
+		Header: Header{Response: true, Authoritative: true},
+		Answers: []Resource{
+			{
+				ResourceHeader{
+					Name:  MustNewName("go.dev."),
+					Type:  TypeA,
+					Class: ClassINET,
+				},
+				&AResource{[4]byte{127, 0, 0, 1}},
+			},
+		},
+		Authorities: []Resource{
+			{
+				ResourceHeader{
+					Name:  MustNewName("go.dev."),
+					Type:  TypeA,
+					Class: ClassINET,
+				},
+				&AResource{[4]byte{127, 0, 0, 1}},
+			},
+		},
+	}
+
+	raw, err := msg.Pack()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var p Parser
+
+	if _, err := p.Start(raw); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := p.SkipAllQuestions(); err != nil {
+		t.Fatal(err)
+	}
+
+	hdr1, err := p.AnswerHeader()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	hdr2, err := p.AnswerHeader()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if hdr1 != hdr2 {
+		t.Fatal("AnswerHeader called multiple times without parsing the RData returned different headers")
+	}
+
+	if _, err := p.AResource(); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := p.AnswerHeader(); err != ErrSectionDone {
+		t.Fatalf("unexpected error: %v, want: %v", err, ErrSectionDone)
+	}
+
+	hdr3, err := p.AuthorityHeader()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	hdr4, err := p.AuthorityHeader()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if hdr3 != hdr4 {
+		t.Fatal("AuthorityHeader called multiple times without parsing the RData returned different headers")
+	}
+
+	if _, err := p.AResource(); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := p.AuthorityHeader(); err != ErrSectionDone {
+		t.Fatalf("unexpected error: %v, want: %v", err, ErrSectionDone)
+	}
+}
+
+func TestParseDifferentResourceHeadersWithoutParsingRData(t *testing.T) {
+	msg := smallTestMsg()
+	raw, err := msg.Pack()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var p Parser
+	if _, err := p.Start(raw); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := p.SkipAllQuestions(); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := p.AnswerHeader(); err != nil {
+		t.Fatal(err)
+	}
+
+	if _, err := p.AdditionalHeader(); err == nil {
+		t.Errorf("p.AdditionalHeader() unexpected success")
+	}
+
+	if _, err := p.AuthorityHeader(); err == nil {
+		t.Errorf("p.AuthorityHeader() unexpected success")
+	}
+}

From 0f7767ccf469d91c5c628723ad5971768b33b981 Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Tue, 22 Aug 2023 14:20:27 -0700
Subject: [PATCH 07/22] dns/dnsmessage: validate cached section when skipping
 sections

When skipping a section when p.resHeaderValid is set, verify
that the cached resource header is for the right section.

Fixes golang/go#62220

Change-Id: I8731dfdb5ad3cca94221b58f8be830bd2e16cff3
Reviewed-on: https://go-review.googlesource.com/c/net/+/521995
Reviewed-by: Mateusz Poliwczak <mpoliwczak34@gmail.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
---
 dns/dnsmessage/message.go      |  2 +-
 dns/dnsmessage/message_test.go | 29 +++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/dns/dnsmessage/message.go b/dns/dnsmessage/message.go
index 19ea8f17c..cd997bab0 100644
--- a/dns/dnsmessage/message.go
+++ b/dns/dnsmessage/message.go
@@ -619,7 +619,7 @@ func (p *Parser) resourceHeader(sec section) (ResourceHeader, error) {
 }
 
 func (p *Parser) skipResource(sec section) error {
-	if p.resHeaderValid {
+	if p.resHeaderValid && p.section == sec {
 		newOff := p.off + int(p.resHeaderLength)
 		if newOff > len(p.msg) {
 			return errResourceLen
diff --git a/dns/dnsmessage/message_test.go b/dns/dnsmessage/message_test.go
index ddb062b1e..1b7f3cb35 100644
--- a/dns/dnsmessage/message_test.go
+++ b/dns/dnsmessage/message_test.go
@@ -1784,3 +1784,32 @@ func TestParseDifferentResourceHeadersWithoutParsingRData(t *testing.T) {
 		t.Errorf("p.AuthorityHeader() unexpected success")
 	}
 }
+
+func TestParseWrongSection(t *testing.T) {
+	msg := smallTestMsg()
+	raw, err := msg.Pack()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	var p Parser
+	if _, err := p.Start(raw); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := p.SkipAllQuestions(); err != nil {
+		t.Fatalf("p.SkipAllQuestions() = %v", err)
+	}
+	if _, err := p.AnswerHeader(); err != nil {
+		t.Fatalf("p.AnswerHeader() = %v", err)
+	}
+	if _, err := p.AuthorityHeader(); err == nil {
+		t.Fatalf("p.AuthorityHeader(): unexpected success in Answer section")
+	}
+	if err := p.SkipAuthority(); err == nil {
+		t.Fatalf("p.SkipAuthority(): unexpected success in Answer section")
+	}
+	if err := p.SkipAllAuthorities(); err == nil {
+		t.Fatalf("p.SkipAllAuthorities(): unexpected success in Answer section")
+	}
+}

From 3d2be970e8ac4df2e4e5f0dd892c668bafad41cc Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Fri, 25 Aug 2023 12:46:28 -0700
Subject: [PATCH 08/22] quic: fix testConn.uncheckedHandshake

This test helper was sending the connection-under-test
the wrong TLS 1-RTT data: It was resending the handshake-level
data rather than the application-level data.

This error was hidden by a crypto/tls bug, fixed in CL 522595.

Change-Id: Ib672b174ddb1dfa5763f1eb3dd830932a0d26cad
Reviewed-on: https://go-review.googlesource.com/c/net/+/522678
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
Auto-Submit: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
---
 internal/quic/tls_test.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/internal/quic/tls_test.go b/internal/quic/tls_test.go
index 1e3d6b622..35cb8bf00 100644
--- a/internal/quic/tls_test.go
+++ b/internal/quic/tls_test.go
@@ -242,6 +242,7 @@ func fillCryptoFrames(d *testDatagram, data map[tls.QUICEncryptionLevel][]byte)
 // Useful for testing scenarios where configuration has
 // changed the handshake responses in some way.
 func (tc *testConn) uncheckedHandshake() {
+	tc.t.Helper()
 	defer func(saved map[byte]bool) {
 		tc.ignoreFrames = saved
 	}(tc.ignoreFrames)
@@ -268,6 +269,7 @@ func (tc *testConn) uncheckedHandshake() {
 				ranges: []i64range[packetNumber]{{0, tc.sentFramePacket.num + 1}},
 			})
 	} else {
+		tc.wantIdle("initial frames are ignored")
 		tc.writeFrames(packetTypeInitial,
 			debugFrameCrypto{
 				data: tc.cryptoDataIn[tls.QUICEncryptionLevelInitial],
@@ -285,7 +287,7 @@ func (tc *testConn) uncheckedHandshake() {
 			debugFrameHandshakeDone{})
 		tc.writeFrames(packetType1RTT,
 			debugFrameCrypto{
-				data: tc.cryptoDataIn[tls.QUICEncryptionLevelHandshake],
+				data: tc.cryptoDataIn[tls.QUICEncryptionLevelApplication],
 			})
 		tc.wantFrame("client ACKs server's first 1-RTT packet",
 			packetType1RTT, debugFrameAck{

From d8d84787ad6422cae430ca5e2455b1e0abf99225 Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Wed, 9 Aug 2023 13:31:38 -0700
Subject: [PATCH 09/22] quic: read-closing and reset streams, wait on close

s.Close waits for the peer to acknowledge receipt of sent
data before returning.

s.ReadClose closes the receive end of a stream, discarding
buffered data and sending a STOP_SENDING frame to the peer.

s.Reset(code) closes the send end of a stream with an error,
which is sent to the peer in a RESET_STREAM frame.

Receipt of a STOP_SENDING frame resets the stream locally
and causes future writes to fail.

Receipt of a RESET_STREAM frame causes future reads to fail.

Stream state is currently retained even after a stream
has been completely closed. A future CL will add cleanup.

For golang/go#58547

Change-Id: I29088ae570db4079926ad426be6e85dace2122da
Reviewed-on: https://go-review.googlesource.com/c/net/+/518435
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
---
 internal/quic/conn.go            |  21 ++
 internal/quic/conn_async_test.go |  46 +++-
 internal/quic/conn_loss.go       |   4 +-
 internal/quic/conn_loss_test.go  |  55 ++++-
 internal/quic/conn_recv.go       |  30 ++-
 internal/quic/errors.go          |   8 +
 internal/quic/stream.go          | 253 ++++++++++++++-----
 internal/quic/stream_test.go     | 404 +++++++++++++++++++++++++++++--
 internal/quic/wire.go            |   5 +-
 9 files changed, 732 insertions(+), 94 deletions(-)

diff --git a/internal/quic/conn.go b/internal/quic/conn.go
index 0952a79e8..ee8f011f8 100644
--- a/internal/quic/conn.go
+++ b/internal/quic/conn.go
@@ -73,6 +73,7 @@ type connTestHooks interface {
 	handleTLSEvent(tls.QUICEvent)
 	newConnID(seq int64) ([]byte, error)
 	waitAndLockGate(ctx context.Context, g *gate) error
+	waitOnDone(ctx context.Context, ch <-chan struct{}) error
 }
 
 func newConn(now time.Time, side connSide, initialConnID []byte, peerAddr netip.AddrPort, config *Config, l connListener, hooks connTestHooks) (*Conn, error) {
@@ -311,6 +312,26 @@ func (c *Conn) waitAndLockGate(ctx context.Context, g *gate) error {
 	return g.waitAndLockContext(ctx)
 }
 
+func (c *Conn) waitOnDone(ctx context.Context, ch <-chan struct{}) error {
+	if c.testHooks != nil {
+		return c.testHooks.waitOnDone(ctx, ch)
+	}
+	// Check the channel before the context.
+	// We always prefer to return results when available,
+	// even when provided with an already-canceled context.
+	select {
+	case <-ch:
+		return nil
+	default:
+	}
+	select {
+	case <-ch:
+	case <-ctx.Done():
+		return ctx.Err()
+	}
+	return nil
+}
+
 // abort terminates a connection with an error.
 func (c *Conn) abort(now time.Time, err error) {
 	if c.errForPeer == nil {
diff --git a/internal/quic/conn_async_test.go b/internal/quic/conn_async_test.go
index 2078325a5..0da3ddb45 100644
--- a/internal/quic/conn_async_test.go
+++ b/internal/quic/conn_async_test.go
@@ -82,10 +82,11 @@ func (a *asyncOp[T]) result() (v T, err error) {
 }
 
 // A blockedAsync is a blocked async operation.
-//
-// Currently, the only type of blocked operation is one waiting on a gate.
 type blockedAsync struct {
-	g     *gate
+	// Exactly one of these will be set, depending on the type of blocked operation.
+	g  *gate
+	ch <-chan struct{}
+
 	donec chan struct{} // closed when the operation is unblocked
 }
 
@@ -133,6 +134,25 @@ func (as *asyncTestState) waitAndLockGate(ctx context.Context, g *gate) error {
 		// Gate can be acquired without blocking.
 		return nil
 	}
+	return as.block(ctx, &blockedAsync{
+		g: g,
+	})
+}
+
+// waitOnDone replaces receiving from a chan struct{} in tests.
+func (as *asyncTestState) waitOnDone(ctx context.Context, ch <-chan struct{}) error {
+	select {
+	case <-ch:
+		return nil // read without blocking
+	default:
+	}
+	return as.block(ctx, &blockedAsync{
+		ch: ch,
+	})
+}
+
+// block waits for a blocked async operation to complete.
+func (as *asyncTestState) block(ctx context.Context, b *blockedAsync) error {
 	if err := ctx.Err(); err != nil {
 		// Context has already expired.
 		return err
@@ -144,12 +164,9 @@ func (as *asyncTestState) waitAndLockGate(ctx context.Context, g *gate) error {
 		// which may have unpredictable results.
 		panic("blocking async point with unexpected Context")
 	}
+	b.donec = make(chan struct{})
 	// Record this as a pending blocking operation.
 	as.mu.Lock()
-	b := &blockedAsync{
-		g:     g,
-		donec: make(chan struct{}),
-	}
 	as.blocked[b] = struct{}{}
 	as.mu.Unlock()
 	// Notify the creator of the operation that we're blocked,
@@ -169,8 +186,19 @@ func (as *asyncTestState) wakeAsync() bool {
 	as.mu.Lock()
 	var woken *blockedAsync
 	for w := range as.blocked {
-		if w.g.lockIfSet() {
-			woken = w
+		switch {
+		case w.g != nil:
+			if w.g.lockIfSet() {
+				woken = w
+			}
+		case w.ch != nil:
+			select {
+			case <-w.ch:
+				woken = w
+			default:
+			}
+		}
+		if woken != nil {
 			delete(as.blocked, woken)
 			break
 		}
diff --git a/internal/quic/conn_loss.go b/internal/quic/conn_loss.go
index f42f7e528..103db9fa4 100644
--- a/internal/quic/conn_loss.go
+++ b/internal/quic/conn_loss.go
@@ -44,7 +44,9 @@ func (c *Conn) handleAckOrLoss(space numberSpace, sent *sentPacket, fate packetF
 		case frameTypeCrypto:
 			start, end := sent.nextRange()
 			c.crypto[space].ackOrLoss(start, end, fate)
-		case frameTypeMaxStreamData,
+		case frameTypeResetStream,
+			frameTypeStopSending,
+			frameTypeMaxStreamData,
 			frameTypeStreamDataBlocked:
 			id := streamID(sent.nextInt())
 			s := c.streamForID(id)
diff --git a/internal/quic/conn_loss_test.go b/internal/quic/conn_loss_test.go
index d9445150a..dc0dc6cd3 100644
--- a/internal/quic/conn_loss_test.go
+++ b/internal/quic/conn_loss_test.go
@@ -75,7 +75,58 @@ func (tc *testConn) triggerLossOrPTO(ptype packetType, pto bool) {
 	})
 }
 
-func TestLostCRYPTOFrame(t *testing.T) {
+func TestLostResetStreamFrame(t *testing.T) {
+	// "Cancellation of stream transmission, as carried in a RESET_STREAM frame,
+	// is sent until acknowledged or until all stream data is acknowledged by the peer [...]"
+	// https://www.rfc-editor.org/rfc/rfc9000.html#section-13.3-3.4
+	lostFrameTest(t, func(t *testing.T, pto bool) {
+		tc, s := newTestConnAndLocalStream(t, serverSide, uniStream, permissiveTransportParameters)
+		tc.ignoreFrame(frameTypeAck)
+
+		s.Reset(1)
+		tc.wantFrame("reset stream",
+			packetType1RTT, debugFrameResetStream{
+				id:   s.id,
+				code: 1,
+			})
+
+		tc.triggerLossOrPTO(packetType1RTT, pto)
+		tc.wantFrame("resent RESET_STREAM frame",
+			packetType1RTT, debugFrameResetStream{
+				id:   s.id,
+				code: 1,
+			})
+	})
+}
+
+func TestLostStopSendingFrame(t *testing.T) {
+	// "[...] a request to cancel stream transmission, as encoded in a STOP_SENDING frame,
+	// is sent until the receiving part of the stream enters either a "Data Recvd" or
+	// "Reset Recvd" state [...]"
+	// https://www.rfc-editor.org/rfc/rfc9000.html#section-13.3-3.5
+	//
+	// Technically, we can stop sending a STOP_SENDING frame if the peer sends
+	// us all the data for the stream or resets it. We don't bother tracking this,
+	// however, so we'll keep sending the frame until it is acked. This is harmless.
+	lostFrameTest(t, func(t *testing.T, pto bool) {
+		tc, s := newTestConnAndRemoteStream(t, serverSide, uniStream, permissiveTransportParameters)
+		tc.ignoreFrame(frameTypeAck)
+
+		s.CloseRead()
+		tc.wantFrame("stream is read-closed",
+			packetType1RTT, debugFrameStopSending{
+				id: s.id,
+			})
+
+		tc.triggerLossOrPTO(packetType1RTT, pto)
+		tc.wantFrame("resent STOP_SENDING frame",
+			packetType1RTT, debugFrameStopSending{
+				id: s.id,
+			})
+	})
+}
+
+func TestLostCryptoFrame(t *testing.T) {
 	// "Data sent in CRYPTO frames is retransmitted [...] until all data has been acknowledged."
 	// https://www.rfc-editor.org/rfc/rfc9000.html#section-13.3-3.1
 	lostFrameTest(t, func(t *testing.T, pto bool) {
@@ -176,7 +227,7 @@ func TestLostStreamWithData(t *testing.T) {
 				off:  4,
 				data: data[4:8],
 			})
-		s.Close()
+		s.CloseWrite()
 		tc.wantFrame("send FIN",
 			packetType1RTT, debugFrameStream{
 				id:   s.id,
diff --git a/internal/quic/conn_recv.go b/internal/quic/conn_recv.go
index 00985b670..e0a91ab00 100644
--- a/internal/quic/conn_recv.go
+++ b/internal/quic/conn_recv.go
@@ -161,12 +161,12 @@ func (c *Conn) handleFrames(now time.Time, ptype packetType, space numberSpace,
 			if !frameOK(c, ptype, __01) {
 				return
 			}
-			_, _, _, n = consumeResetStreamFrame(payload)
+			n = c.handleResetStreamFrame(now, space, payload)
 		case frameTypeStopSending:
 			if !frameOK(c, ptype, __01) {
 				return
 			}
-			_, _, n = consumeStopSendingFrame(payload)
+			n = c.handleStopSendingFrame(now, space, payload)
 		case frameTypeCrypto:
 			if !frameOK(c, ptype, IH_1) {
 				return
@@ -291,6 +291,32 @@ func (c *Conn) handleMaxStreamDataFrame(now time.Time, payload []byte) int {
 	return n
 }
 
+func (c *Conn) handleResetStreamFrame(now time.Time, space numberSpace, payload []byte) int {
+	id, code, finalSize, n := consumeResetStreamFrame(payload)
+	if n < 0 {
+		return -1
+	}
+	if s := c.streamForFrame(now, id, recvStream); s != nil {
+		if err := s.handleReset(code, finalSize); err != nil {
+			c.abort(now, err)
+		}
+	}
+	return n
+}
+
+func (c *Conn) handleStopSendingFrame(now time.Time, space numberSpace, payload []byte) int {
+	id, code, n := consumeStopSendingFrame(payload)
+	if n < 0 {
+		return -1
+	}
+	if s := c.streamForFrame(now, id, sendStream); s != nil {
+		if err := s.handleStopSending(code); err != nil {
+			c.abort(now, err)
+		}
+	}
+	return n
+}
+
 func (c *Conn) handleCryptoFrame(now time.Time, space numberSpace, payload []byte) int {
 	off, data, n := consumeCryptoFrame(payload)
 	err := c.handleCrypto(now, space, off, data)
diff --git a/internal/quic/errors.go b/internal/quic/errors.go
index 55d32f310..f15685932 100644
--- a/internal/quic/errors.go
+++ b/internal/quic/errors.go
@@ -99,6 +99,14 @@ func (e peerTransportError) Error() string {
 	return fmt.Sprintf("peer closed connection: %v: %q", e.code, e.reason)
 }
 
+// A StreamErrorCode is an application protocol error code (RFC 9000, Section 20.2)
+// indicating whay a stream is being closed.
+type StreamErrorCode uint64
+
+func (e StreamErrorCode) Error() string {
+	return fmt.Sprintf("stream error code %v", uint64(e))
+}
+
 // An ApplicationError is an application protocol error code (RFC 9000, Section 20.2).
 // Application protocol errors may be sent when terminating a stream or connection.
 type ApplicationError struct {
diff --git a/internal/quic/stream.go b/internal/quic/stream.go
index 83215dfd3..12117dbd3 100644
--- a/internal/quic/stream.go
+++ b/internal/quic/stream.go
@@ -9,6 +9,7 @@ package quic
 import (
 	"context"
 	"errors"
+	"fmt"
 	"io"
 )
 
@@ -20,28 +21,33 @@ type Stream struct {
 	//
 	// The gate condition is set if a read from the stream will not block,
 	// either because the stream has available data or because the read will fail.
-	ingate    gate
-	in        pipe            // received data
-	inwin     int64           // last MAX_STREAM_DATA sent to the peer
-	insendmax sentVal         // set when we should send MAX_STREAM_DATA to the peer
-	inmaxbuf  int64           // maximum amount of data we will buffer
-	insize    int64           // stream final size; -1 before this is known
-	inset     rangeset[int64] // received ranges
+	ingate      gate
+	in          pipe            // received data
+	inwin       int64           // last MAX_STREAM_DATA sent to the peer
+	insendmax   sentVal         // set when we should send MAX_STREAM_DATA to the peer
+	inmaxbuf    int64           // maximum amount of data we will buffer
+	insize      int64           // stream final size; -1 before this is known
+	inset       rangeset[int64] // received ranges
+	inclosed    sentVal         // set by CloseRead
+	inresetcode int64           // RESET_STREAM code received from the peer; -1 if not reset
 
 	// outgate's lock guards all send-related state.
 	//
 	// The gate condition is set if a write to the stream will not block,
 	// either because the stream has available flow control or because
 	// the write will fail.
-	outgate    gate
-	out        pipe            // buffered data to send
-	outwin     int64           // maximum MAX_STREAM_DATA received from the peer
-	outmaxbuf  int64           // maximum amount of data we will buffer
-	outunsent  rangeset[int64] // ranges buffered but not yet sent
-	outacked   rangeset[int64] // ranges sent and acknowledged
-	outopened  sentVal         // set if we should open the stream
-	outclosed  sentVal         // set by CloseWrite
-	outblocked sentVal         // set when a write to the stream is blocked by flow control
+	outgate      gate
+	out          pipe            // buffered data to send
+	outwin       int64           // maximum MAX_STREAM_DATA received from the peer
+	outmaxbuf    int64           // maximum amount of data we will buffer
+	outunsent    rangeset[int64] // ranges buffered but not yet sent
+	outacked     rangeset[int64] // ranges sent and acknowledged
+	outopened    sentVal         // set if we should open the stream
+	outclosed    sentVal         // set by CloseWrite
+	outblocked   sentVal         // set when a write to the stream is blocked by flow control
+	outreset     sentVal         // set by Reset
+	outresetcode uint64          // reset code to send in RESET_STREAM
+	outdone      chan struct{}   // closed when all data sent
 
 	prev, next *Stream // guarded by streamsState.sendMu
 }
@@ -54,11 +60,13 @@ type Stream struct {
 // unlocking outgate will set the stream writability state.)
 func newStream(c *Conn, id streamID) *Stream {
 	s := &Stream{
-		conn:    c,
-		id:      id,
-		insize:  -1, // -1 indicates the stream size is unknown
-		ingate:  newLockedGate(),
-		outgate: newLockedGate(),
+		conn:        c,
+		id:          id,
+		insize:      -1, // -1 indicates the stream size is unknown
+		inresetcode: -1, // -1 indicates no RESET_STREAM received
+		ingate:      newLockedGate(),
+		outgate:     newLockedGate(),
+		outdone:     make(chan struct{}),
 	}
 	return s
 }
@@ -87,7 +95,8 @@ func (s *Stream) Read(b []byte) (n int, err error) {
 //
 // If the peer closes the stream cleanly, ReadContext returns io.EOF after
 // returning all data sent by the peer.
-// If the peer terminates reads abruptly, ReadContext returns StreamResetError.
+// If the peer aborts reads on the stream, ReadContext returns
+// an error wrapping StreamResetCode.
 func (s *Stream) ReadContext(ctx context.Context, b []byte) (n int, err error) {
 	if s.IsWriteOnly() {
 		return 0, errors.New("read from write-only stream")
@@ -97,6 +106,12 @@ func (s *Stream) ReadContext(ctx context.Context, b []byte) (n int, err error) {
 		return 0, err
 	}
 	defer s.inUnlock()
+	if s.inresetcode != -1 {
+		return 0, fmt.Errorf("stream reset by peer: %w", StreamErrorCode(s.inresetcode))
+	}
+	if s.inclosed.isSet() {
+		return 0, errors.New("read from closed stream")
+	}
 	if s.insize == s.in.start {
 		return 0, io.EOF
 	}
@@ -145,26 +160,17 @@ func (s *Stream) Write(b []byte) (n int, err error) {
 // Buffered data is only sent when the buffer is sufficiently full.
 // Call the Flush method to ensure buffered data is sent.
 //
-// If the peer aborts reads on the stream, ReadContext returns StreamResetError.
+// TODO: Implement Flush.
 func (s *Stream) WriteContext(ctx context.Context, b []byte) (n int, err error) {
 	if s.IsReadOnly() {
 		return 0, errors.New("write to read-only stream")
 	}
 	canWrite := s.outgate.lock()
-	if s.outclosed.isSet() {
-		s.outUnlock()
-		return 0, errors.New("write to closed stream")
-	}
-	if len(b) == 0 {
-		// We aren't writing any data, but send a STREAM frame to open the stream
-		// if we haven't done so already.
-		s.outopened.set()
-	}
-	for len(b) > 0 {
+	for {
 		// The first time through this loop, we may or may not be write blocked.
 		// We exit the loop after writing all data, so on subsequent passes through
 		// the loop we are always write blocked.
-		if !canWrite {
+		if len(b) > 0 && !canWrite {
 			// We're blocked, either by flow control or by our own buffer limit.
 			// We either need the peer to extend our flow control window,
 			// or ack some of our outstanding packets.
@@ -181,6 +187,21 @@ func (s *Stream) WriteContext(ctx context.Context, b []byte) (n int, err error)
 			// write blocked. (Unlike traditional condition variables, gates do not
 			// have spurious wakeups.)
 		}
+		if s.outreset.isSet() {
+			s.outUnlock()
+			return n, errors.New("write to reset stream")
+		}
+		if s.outclosed.isSet() {
+			s.outUnlock()
+			return n, errors.New("write to closed stream")
+		}
+		// We set outopened here rather than below,
+		// so if this is a zero-length write we still
+		// open the stream despite not writing any data to it.
+		s.outopened.set()
+		if len(b) == 0 {
+			break
+		}
 		s.outblocked.clear()
 		// Write limit is min(our own buffer limit, the peer-provided flow control window).
 		// This is a stream offset.
@@ -191,7 +212,6 @@ func (s *Stream) WriteContext(ctx context.Context, b []byte) (n int, err error)
 		// Copy the data into the output buffer and mark it as unsent.
 		s.outunsent.add(s.out.end, s.out.end+nn)
 		s.out.writeAt(b[:nn], s.out.end)
-		s.outopened.set()
 		b = b[nn:]
 		n += int(nn)
 		// If we have bytes left to send, we're blocked.
@@ -218,9 +238,8 @@ func (s *Stream) Close() error {
 func (s *Stream) CloseContext(ctx context.Context) error {
 	s.CloseRead()
 	s.CloseWrite()
-	// TODO: wait for peer to acknowledge data
 	// TODO: Return code from peer's RESET_STREAM frame?
-	return nil
+	return s.conn.waitOnDone(ctx, s.outdone)
 }
 
 // CloseRead aborts reads on the stream.
@@ -233,7 +252,17 @@ func (s *Stream) CloseRead() {
 	if s.IsWriteOnly() {
 		return
 	}
-	// TODO: support read-closing streams with a STOP_SENDING frame
+	s.ingate.lock()
+	defer s.inUnlock()
+	if s.inset.isrange(0, s.insize) || s.inresetcode != -1 {
+		// We've already received all data from the peer,
+		// so there's no need to send STOP_SENDING.
+		// This is the same as saying we sent one and they got it.
+		s.inclosed.setReceived()
+	} else {
+		s.inclosed.set()
+	}
+	s.in.discardBefore(s.in.end)
 }
 
 // CloseWrite aborts writes on the stream.
@@ -251,6 +280,29 @@ func (s *Stream) CloseWrite() {
 	s.outclosed.set()
 }
 
+// Reset aborts writes on the stream and notifies the peer
+// that the stream was terminated abruptly.
+// Any blocked writes will be unblocked and return errors.
+//
+// Reset sends the application protocol error code to the peer.
+// It does not wait for the peer to acknowledge receipt of the error.
+// Use CloseContext to wait for the peer's acknowledgement.
+func (s *Stream) Reset(code uint64) {
+	s.outgate.lock()
+	defer s.outUnlock()
+	if s.outreset.isSet() {
+		return
+	}
+	// We could check here to see if the stream is closed and the
+	// peer has acked all the data and the FIN, but sending an
+	// extra RESET_STREAM in this case is harmless.
+	s.outreset.set()
+	s.outresetcode = code
+	s.out.discardBefore(s.out.end)
+	s.outunsent = rangeset[int64]{}
+	s.outblocked.clear()
+}
+
 // inUnlock unlocks s.ingate.
 // It sets the gate condition if reads from s will not block.
 // If s has receive-related frames to write, it notifies the Conn.
@@ -263,11 +315,13 @@ func (s *Stream) inUnlock() {
 // inUnlockNoQueue is inUnlock,
 // but reports whether s has frames to write rather than notifying the Conn.
 func (s *Stream) inUnlockNoQueue() (shouldSend bool) {
-	// TODO: STOP_SENDING
 	canRead := s.inset.contains(s.in.start) || // data available to read
-		s.insize == s.in.start // at EOF
-	s.ingate.unlock(canRead)
-	return s.insendmax.shouldSend() // STREAM_MAX_DATA
+		s.insize == s.in.start || // at EOF
+		s.inresetcode != -1 || // reset by peer
+		s.inclosed.isSet() // closed locally
+	defer s.ingate.unlock(canRead)
+	return s.insendmax.shouldSend() || // STREAM_MAX_DATA
+		s.inclosed.shouldSend() // STOP_SENDING
 }
 
 // outUnlock unlocks s.outgate.
@@ -282,10 +336,24 @@ func (s *Stream) outUnlock() {
 // outUnlockNoQueue is outUnlock,
 // but reports whether s has frames to write rather than notifying the Conn.
 func (s *Stream) outUnlockNoQueue() (shouldSend bool) {
+	isDone := s.outclosed.isReceived() && s.outacked.isrange(0, s.out.end) || // all data acked
+		s.outreset.isSet() // reset locally
+	if isDone {
+		select {
+		case <-s.outdone:
+		default:
+			close(s.outdone)
+		}
+	}
 	lim := min(s.out.start+s.outmaxbuf, s.outwin)
 	canWrite := lim > s.out.end || // available flow control
-		s.outclosed.isSet() // closed
-	s.outgate.unlock(canWrite)
+		s.outclosed.isSet() || // closed locally
+		s.outreset.isSet() // reset locally
+	defer s.outgate.unlock(canWrite)
+	if s.outreset.isSet() {
+		// If the stream is reset locally, the only frame we'll send is RESET_STREAM.
+		return s.outreset.shouldSend()
+	}
 	return len(s.outunsent) > 0 || // STREAM frame with data
 		s.outclosed.shouldSend() || // STREAM frame with FIN bit
 		s.outopened.shouldSend() || // STREAM frame with no data
@@ -297,21 +365,17 @@ func (s *Stream) handleData(off int64, b []byte, fin bool) error {
 	s.ingate.lock()
 	defer s.inUnlock()
 	end := off + int64(len(b))
-	if end > s.inwin {
-		// The peer sent us data past the maximum flow control window we gave them.
-		return localTransportError(errFlowControl)
+	if err := s.checkStreamBounds(end, fin); err != nil {
+		return err
 	}
-	if s.insize != -1 && end > s.insize {
-		// The peer sent us data past the final size of the stream they previously gave us.
-		return localTransportError(errFinalSize)
+	if s.inclosed.isSet() || s.inresetcode != -1 {
+		// The user read-closed the stream, or the peer reset it.
+		// Either way, we can discard this frame.
+		return nil
 	}
 	s.in.writeAt(b, off)
 	s.inset.add(off, end)
 	if fin {
-		if s.insize != -1 && s.insize != end {
-			// The peer changed the final size of the stream.
-			return localTransportError(errFinalSize)
-		}
 		s.insize = end
 		// The peer has enough flow control window to send the entire stream.
 		s.insendmax.clear()
@@ -319,6 +383,53 @@ func (s *Stream) handleData(off int64, b []byte, fin bool) error {
 	return nil
 }
 
+// handleReset handles a RESET_STREAM frame.
+func (s *Stream) handleReset(code uint64, finalSize int64) error {
+	s.ingate.lock()
+	defer s.inUnlock()
+	const fin = true
+	if err := s.checkStreamBounds(finalSize, fin); err != nil {
+		return err
+	}
+	if s.inresetcode != -1 {
+		// The stream was already reset.
+		return nil
+	}
+	s.in.discardBefore(s.in.end)
+	s.inresetcode = int64(code)
+	s.insize = finalSize
+	return nil
+}
+
+// checkStreamBounds validates the stream offset in a STREAM or RESET_STREAM frame.
+func (s *Stream) checkStreamBounds(end int64, fin bool) error {
+	if end > s.inwin {
+		// The peer sent us data past the maximum flow control window we gave them.
+		return localTransportError(errFlowControl)
+	}
+	if s.insize != -1 && end > s.insize {
+		// The peer sent us data past the final size of the stream they previously gave us.
+		return localTransportError(errFinalSize)
+	}
+	if fin && s.insize != -1 && end != s.insize {
+		// The peer changed the final size of the stream.
+		return localTransportError(errFinalSize)
+	}
+	if fin && end < s.in.end {
+		// The peer has previously sent us data past the final size.
+		return localTransportError(errFinalSize)
+	}
+	return nil
+}
+
+// handleStopSending handles a STOP_SENDING frame.
+func (s *Stream) handleStopSending(code uint64) error {
+	// Peer requests that we reset this stream.
+	// https://www.rfc-editor.org/rfc/rfc9000#section-3.5-4
+	s.Reset(code)
+	return nil
+}
+
 // handleMaxStreamData handles an update received in a MAX_STREAM_DATA frame.
 func (s *Stream) handleMaxStreamData(maxStreamData int64) error {
 	s.outgate.lock()
@@ -336,6 +447,14 @@ func (s *Stream) ackOrLoss(pnum packetNumber, ftype byte, fate packetFate) {
 	// Frames which are always the same (STOP_SENDING, RESET_STREAM)
 	// can be marked as received if any packet carrying this frame is acked.
 	switch ftype {
+	case frameTypeResetStream:
+		s.outgate.lock()
+		s.outreset.ackOrLoss(pnum, fate)
+		s.outUnlock()
+	case frameTypeStopSending:
+		s.ingate.lock()
+		s.inclosed.ackOrLoss(pnum, fate)
+		s.inUnlock()
 	case frameTypeMaxStreamData:
 		s.ingate.lock()
 		s.insendmax.ackLatestOrLoss(pnum, fate)
@@ -345,7 +464,6 @@ func (s *Stream) ackOrLoss(pnum packetNumber, ftype byte, fate packetFate) {
 		s.outblocked.ackLatestOrLoss(pnum, fate)
 		s.outUnlock()
 	default:
-		// TODO: Handle STOP_SENDING, RESET_STREAM.
 		panic("unhandled frame type")
 	}
 }
@@ -358,6 +476,10 @@ func (s *Stream) ackOrLossData(pnum packetNumber, start, end int64, fin bool, fa
 	if fin {
 		s.outclosed.ackOrLoss(pnum, fate)
 	}
+	if s.outreset.isSet() {
+		// If the stream has been reset, we don't care any more.
+		return
+	}
 	switch fate {
 	case packetAcked:
 		s.outacked.add(start, end)
@@ -385,6 +507,15 @@ func (s *Stream) ackOrLossData(pnum packetNumber, start, end int64, fin bool, fa
 func (s *Stream) appendInFrames(w *packetWriter, pnum packetNumber, pto bool) bool {
 	s.ingate.lock()
 	defer s.inUnlockNoQueue()
+	if s.inclosed.shouldSendPTO(pto) {
+		// We don't currently have an API for setting the error code.
+		// Just send zero.
+		code := uint64(0)
+		if !w.appendStopSendingFrame(s.id, code) {
+			return false
+		}
+		s.inclosed.setSent(pnum)
+	}
 	// TODO: STOP_SENDING
 	if s.insendmax.shouldSendPTO(pto) {
 		// MAX_STREAM_DATA
@@ -406,7 +537,17 @@ func (s *Stream) appendInFrames(w *packetWriter, pnum packetNumber, pto bool) bo
 func (s *Stream) appendOutFrames(w *packetWriter, pnum packetNumber, pto bool) bool {
 	s.outgate.lock()
 	defer s.outUnlockNoQueue()
-	// TODO: RESET_STREAM
+	if s.outreset.isSet() {
+		// RESET_STREAM
+		if s.outreset.shouldSendPTO(pto) {
+			if !w.appendResetStreamFrame(s.id, s.outresetcode, s.out.end) {
+				return false
+			}
+			s.outreset.setSent(pnum)
+			s.frameOpensStream(pnum)
+		}
+		return true
+	}
 	if s.outblocked.shouldSendPTO(pto) {
 		// STREAM_DATA_BLOCKED
 		if !w.appendStreamDataBlockedFrame(s.id, s.out.end) {
diff --git a/internal/quic/stream_test.go b/internal/quic/stream_test.go
index d158e72af..5904a9342 100644
--- a/internal/quic/stream_test.go
+++ b/internal/quic/stream_test.go
@@ -10,6 +10,7 @@ import (
 	"bytes"
 	"context"
 	"crypto/rand"
+	"errors"
 	"fmt"
 	"io"
 	"reflect"
@@ -489,32 +490,76 @@ func TestStreamReceiveDuplicateDataDoesNotViolateLimits(t *testing.T) {
 	})
 }
 
-func TestStreamFinalSizeChangedByStreamFrame(t *testing.T) {
-	// "If a [...] STREAM frame is received indicating a change
-	// in the final size for the stream, an endpoint SHOULD
-	// respond with an error of type FINAL_SIZE_ERROR [...]"
-	// https://www.rfc-editor.org/rfc/rfc9000#section-4.5-5
+func finalSizeTest(t *testing.T, wantErr transportError, f func(tc *testConn, sid streamID) (finalSize int64), opts ...any) {
 	testStreamTypes(t, "", func(t *testing.T, styp streamType) {
-		tc := newTestConn(t, serverSide)
-		tc.handshake()
-		sid := newStreamID(clientSide, styp, 0)
+		for _, test := range []struct {
+			name       string
+			finalFrame func(tc *testConn, sid streamID, finalSize int64)
+		}{{
+			name: "FIN",
+			finalFrame: func(tc *testConn, sid streamID, finalSize int64) {
+				tc.writeFrames(packetType1RTT, debugFrameStream{
+					id:  sid,
+					off: finalSize,
+					fin: true,
+				})
+			},
+		}, {
+			name: "RESET_STREAM",
+			finalFrame: func(tc *testConn, sid streamID, finalSize int64) {
+				tc.writeFrames(packetType1RTT, debugFrameResetStream{
+					id:        sid,
+					finalSize: finalSize,
+				})
+			},
+		}} {
+			t.Run(test.name, func(t *testing.T) {
+				tc := newTestConn(t, serverSide, opts...)
+				tc.handshake()
+				sid := newStreamID(clientSide, styp, 0)
+				finalSize := f(tc, sid)
+				test.finalFrame(tc, sid, finalSize)
+				tc.wantFrame("change in final size of stream is an error",
+					packetType1RTT, debugFrameConnectionCloseTransport{
+						code: wantErr,
+					},
+				)
+			})
+		}
+	})
+}
 
-		const write1size = 4
+func TestStreamFinalSizeChangedAfterFin(t *testing.T) {
+	// "If a RESET_STREAM or STREAM frame is received indicating a change
+	// in the final size for the stream, an endpoint SHOULD respond with
+	// an error of type FINAL_SIZE_ERROR [...]"
+	// https://www.rfc-editor.org/rfc/rfc9000#section-4.5-5
+	finalSizeTest(t, errFinalSize, func(tc *testConn, sid streamID) (finalSize int64) {
 		tc.writeFrames(packetType1RTT, debugFrameStream{
 			id:  sid,
 			off: 10,
 			fin: true,
 		})
+		return 9
+	})
+}
+
+func TestStreamFinalSizeBeforePreviousData(t *testing.T) {
+	finalSizeTest(t, errFinalSize, func(tc *testConn, sid streamID) (finalSize int64) {
 		tc.writeFrames(packetType1RTT, debugFrameStream{
-			id:  sid,
-			off: 9,
-			fin: true,
+			id:   sid,
+			off:  10,
+			data: []byte{0},
 		})
-		tc.wantFrame("change in final size of stream is an error",
-			packetType1RTT, debugFrameConnectionCloseTransport{
-				code: errFinalSize,
-			},
-		)
+		return 9
+	})
+}
+
+func TestStreamFinalSizePastMaxStreamData(t *testing.T) {
+	finalSizeTest(t, errFlowControl, func(tc *testConn, sid streamID) (finalSize int64) {
+		return 11
+	}, func(c *Config) {
+		c.StreamReadBufferSize = 10
 	})
 }
 
@@ -637,6 +682,19 @@ func testStreamSendFrameInvalidState(t *testing.T, f func(sid streamID) debugFra
 	})
 }
 
+func TestStreamResetStreamInvalidState(t *testing.T) {
+	// "An endpoint that receives a RESET_STREAM frame for a send-only
+	// stream MUST terminate the connection with error STREAM_STATE_ERROR."
+	// https://www.rfc-editor.org/rfc/rfc9000#section-19.4-3
+	testStreamSendFrameInvalidState(t, func(sid streamID) debugFrame {
+		return debugFrameResetStream{
+			id:        sid,
+			code:      0,
+			finalSize: 0,
+		}
+	})
+}
+
 func TestStreamStreamFrameInvalidState(t *testing.T) {
 	// "An endpoint MUST terminate the connection with error STREAM_STATE_ERROR
 	// if it receives a STREAM frame for a locally initiated stream
@@ -689,6 +747,20 @@ func testStreamReceiveFrameInvalidState(t *testing.T, f func(sid streamID) debug
 	})
 }
 
+func TestStreamStopSendingInvalidState(t *testing.T) {
+	// "Receiving a STOP_SENDING frame for a locally initiated stream
+	// that has not yet been created MUST be treated as a connection error
+	// of type STREAM_STATE_ERROR. An endpoint that receives a STOP_SENDING
+	// frame for a receive-only stream MUST terminate the connection with
+	// error STREAM_STATE_ERROR."
+	// https://www.rfc-editor.org/rfc/rfc9000#section-19.5-2
+	testStreamReceiveFrameInvalidState(t, func(sid streamID) debugFrame {
+		return debugFrameStopSending{
+			id: sid,
+		}
+	})
+}
+
 func TestStreamMaxStreamDataInvalidState(t *testing.T) {
 	// "Receiving a MAX_STREAM_DATA frame for a locally initiated stream
 	// that has not yet been created MUST be treated as a connection error
@@ -743,13 +815,47 @@ func TestStreamWriteToReadOnlyStream(t *testing.T) {
 	}
 }
 
-func TestStreamWriteToClosedStream(t *testing.T) {
-	tc, s := newTestConnAndLocalStream(t, serverSide, bidiStream, func(p *transportParameters) {
-		p.initialMaxStreamsBidi = 1
-		p.initialMaxData = 1 << 20
-		p.initialMaxStreamDataBidiRemote = 1 << 20
+func TestStreamReadFromClosedStream(t *testing.T) {
+	tc, s := newTestConnAndRemoteStream(t, serverSide, bidiStream, permissiveTransportParameters)
+	s.CloseRead()
+	tc.wantFrame("CloseRead sends a STOP_SENDING frame",
+		packetType1RTT, debugFrameStopSending{
+			id: s.id,
+		})
+	wantErr := "read from closed stream"
+	if n, err := s.Read(make([]byte, 16)); err == nil || !strings.Contains(err.Error(), wantErr) {
+		t.Errorf("s.Read() = %v, %v; want error %q", n, err, wantErr)
+	}
+	// Data which shows up after STOP_SENDING is discarded.
+	tc.writeFrames(packetType1RTT, debugFrameStream{
+		id:   s.id,
+		data: []byte{1, 2, 3},
+		fin:  true,
+	})
+	if n, err := s.Read(make([]byte, 16)); err == nil || !strings.Contains(err.Error(), wantErr) {
+		t.Errorf("s.Read() = %v, %v; want error %q", n, err, wantErr)
+	}
+}
+
+func TestStreamCloseReadWithAllDataReceived(t *testing.T) {
+	tc, s := newTestConnAndRemoteStream(t, serverSide, bidiStream, permissiveTransportParameters)
+	tc.writeFrames(packetType1RTT, debugFrameStream{
+		id:   s.id,
+		data: []byte{1, 2, 3},
+		fin:  true,
 	})
-	s.Close()
+	s.CloseRead()
+	tc.wantIdle("CloseRead in Data Recvd state doesn't need to send STOP_SENDING")
+	// We had all the data for the stream, but CloseRead discarded it.
+	wantErr := "read from closed stream"
+	if n, err := s.Read(make([]byte, 16)); err == nil || !strings.Contains(err.Error(), wantErr) {
+		t.Errorf("s.Read() = %v, %v; want error %q", n, err, wantErr)
+	}
+}
+
+func TestStreamWriteToClosedStream(t *testing.T) {
+	tc, s := newTestConnAndLocalStream(t, serverSide, bidiStream, permissiveTransportParameters)
+	s.CloseWrite()
 	tc.wantFrame("stream is opened after being closed",
 		packetType1RTT, debugFrameStream{
 			id:   s.id,
@@ -763,6 +869,45 @@ func TestStreamWriteToClosedStream(t *testing.T) {
 	}
 }
 
+func TestStreamResetBlockedStream(t *testing.T) {
+	tc, s := newTestConnAndLocalStream(t, serverSide, bidiStream, func(p *transportParameters) {
+		p.initialMaxStreamsBidi = 1
+		p.initialMaxData = 1 << 20
+		p.initialMaxStreamDataBidiRemote = 4
+	})
+	tc.ignoreFrame(frameTypeStreamDataBlocked)
+	writing := runAsync(tc, func(ctx context.Context) (int, error) {
+		return s.WriteContext(ctx, []byte{0, 1, 2, 3, 4, 5, 6, 7})
+	})
+	tc.wantFrame("stream writes data until blocked by flow control",
+		packetType1RTT, debugFrameStream{
+			id:   s.id,
+			off:  0,
+			data: []byte{0, 1, 2, 3},
+		})
+	s.Reset(42)
+	tc.wantFrame("stream is reset",
+		packetType1RTT, debugFrameResetStream{
+			id:        s.id,
+			code:      42,
+			finalSize: 4,
+		})
+	wantErr := "write to reset stream"
+	if n, err := writing.result(); n != 4 || !strings.Contains(err.Error(), wantErr) {
+		t.Errorf("s.Write() interrupted by Reset: %v, %q; want 4, %q", n, err, wantErr)
+	}
+	tc.writeFrames(packetType1RTT, debugFrameMaxStreamData{
+		id:  s.id,
+		max: 1 << 20,
+	})
+	tc.wantIdle("flow control is available, but stream has been reset")
+	s.Reset(100)
+	tc.wantIdle("resetting stream a second time has no effect")
+	if n, err := s.Write([]byte{}); err == nil || !strings.Contains(err.Error(), wantErr) {
+		t.Errorf("s.Write() = %v, %v; want error %q", n, err, wantErr)
+	}
+}
+
 func TestStreamWriteMoreThanOnePacketOfData(t *testing.T) {
 	tc, s := newTestConnAndLocalStream(t, serverSide, uniStream, func(p *transportParameters) {
 		p.initialMaxStreamsUni = 1
@@ -797,6 +942,209 @@ func TestStreamWriteMoreThanOnePacketOfData(t *testing.T) {
 	}
 }
 
+func TestStreamCloseWaitsForAcks(t *testing.T) {
+	ctx := canceledContext()
+	tc, s := newTestConnAndLocalStream(t, serverSide, uniStream, permissiveTransportParameters)
+	data := make([]byte, 100)
+	s.WriteContext(ctx, data)
+	tc.wantFrame("conn sends data for the stream",
+		packetType1RTT, debugFrameStream{
+			id:   s.id,
+			data: data,
+		})
+	if err := s.CloseContext(ctx); err != context.Canceled {
+		t.Fatalf("s.Close() = %v, want context.Canceled (data not acked yet)", err)
+	}
+	tc.wantFrame("conn sends FIN for closed stream",
+		packetType1RTT, debugFrameStream{
+			id:   s.id,
+			off:  int64(len(data)),
+			fin:  true,
+			data: []byte{},
+		})
+	closing := runAsync(tc, func(ctx context.Context) (struct{}, error) {
+		return struct{}{}, s.CloseContext(ctx)
+	})
+	if _, err := closing.result(); err != errNotDone {
+		t.Fatalf("s.CloseContext() = %v, want it to block waiting for acks", err)
+	}
+	tc.writeFrames(packetType1RTT, debugFrameAck{
+		ranges: []i64range[packetNumber]{{0, tc.sentFramePacket.num + 1}},
+	})
+	if _, err := closing.result(); err != nil {
+		t.Fatalf("s.CloseContext() = %v, want nil (all data acked)", err)
+	}
+}
+
+func TestStreamCloseUnblocked(t *testing.T) {
+	for _, test := range []struct {
+		name    string
+		unblock func(tc *testConn, s *Stream)
+	}{{
+		name: "data received",
+		unblock: func(tc *testConn, s *Stream) {
+			tc.writeFrames(packetType1RTT, debugFrameAck{
+				ranges: []i64range[packetNumber]{{0, tc.sentFramePacket.num + 1}},
+			})
+		},
+	}, {
+		name: "stop sending received",
+		unblock: func(tc *testConn, s *Stream) {
+			tc.writeFrames(packetType1RTT, debugFrameStopSending{
+				id: s.id,
+			})
+		},
+	}, {
+		name: "stream reset",
+		unblock: func(tc *testConn, s *Stream) {
+			s.Reset(0)
+			tc.wait() // wait for test conn to process the Reset
+		},
+	}} {
+		t.Run(test.name, func(t *testing.T) {
+			ctx := canceledContext()
+			tc, s := newTestConnAndLocalStream(t, serverSide, uniStream, permissiveTransportParameters)
+			data := make([]byte, 100)
+			s.WriteContext(ctx, data)
+			tc.wantFrame("conn sends data for the stream",
+				packetType1RTT, debugFrameStream{
+					id:   s.id,
+					data: data,
+				})
+			if err := s.CloseContext(ctx); err != context.Canceled {
+				t.Fatalf("s.Close() = %v, want context.Canceled (data not acked yet)", err)
+			}
+			tc.wantFrame("conn sends FIN for closed stream",
+				packetType1RTT, debugFrameStream{
+					id:   s.id,
+					off:  int64(len(data)),
+					fin:  true,
+					data: []byte{},
+				})
+			closing := runAsync(tc, func(ctx context.Context) (struct{}, error) {
+				return struct{}{}, s.CloseContext(ctx)
+			})
+			if _, err := closing.result(); err != errNotDone {
+				t.Fatalf("s.CloseContext() = %v, want it to block waiting for acks", err)
+			}
+			test.unblock(tc, s)
+			if _, err := closing.result(); err != nil {
+				t.Fatalf("s.CloseContext() = %v, want nil (all data acked)", err)
+			}
+		})
+	}
+}
+
+func TestStreamPeerResetsWithUnreadAndUnsentData(t *testing.T) {
+	testStreamTypes(t, "", func(t *testing.T, styp streamType) {
+		ctx := canceledContext()
+		tc, s := newTestConnAndRemoteStream(t, serverSide, styp)
+		data := []byte{0, 1, 2, 3, 4, 5, 6, 7}
+		tc.writeFrames(packetType1RTT, debugFrameStream{
+			id:   s.id,
+			data: data,
+		})
+		got := make([]byte, 4)
+		if n, err := s.ReadContext(ctx, got); n != len(got) || err != nil {
+			t.Fatalf("Read start of stream: got %v, %v; want %v, nil", n, err, len(got))
+		}
+		const sentCode = 42
+		tc.writeFrames(packetType1RTT, debugFrameResetStream{
+			id:        s.id,
+			finalSize: 20,
+			code:      sentCode,
+		})
+		wantErr := StreamErrorCode(sentCode)
+		if n, err := s.ReadContext(ctx, got); n != 0 || !errors.Is(err, wantErr) {
+			t.Fatalf("Read reset stream: got %v, %v; want 0, %v", n, err, wantErr)
+		}
+	})
+}
+
+func TestStreamPeerResetWakesBlockedRead(t *testing.T) {
+	testStreamTypes(t, "", func(t *testing.T, styp streamType) {
+		tc, s := newTestConnAndRemoteStream(t, serverSide, styp)
+		reader := runAsync(tc, func(ctx context.Context) (int, error) {
+			got := make([]byte, 4)
+			return s.ReadContext(ctx, got)
+		})
+		const sentCode = 42
+		tc.writeFrames(packetType1RTT, debugFrameResetStream{
+			id:        s.id,
+			finalSize: 20,
+			code:      sentCode,
+		})
+		wantErr := StreamErrorCode(sentCode)
+		if n, err := reader.result(); n != 0 || !errors.Is(err, wantErr) {
+			t.Fatalf("Read reset stream: got %v, %v; want 0, %v", n, err, wantErr)
+		}
+	})
+}
+
+func TestStreamPeerResetFollowedByData(t *testing.T) {
+	testStreamTypes(t, "", func(t *testing.T, styp streamType) {
+		tc, s := newTestConnAndRemoteStream(t, serverSide, styp)
+		tc.writeFrames(packetType1RTT, debugFrameResetStream{
+			id:        s.id,
+			finalSize: 4,
+			code:      1,
+		})
+		tc.writeFrames(packetType1RTT, debugFrameStream{
+			id:   s.id,
+			data: []byte{0, 1, 2, 3},
+		})
+		// Another reset with a different code, for good measure.
+		tc.writeFrames(packetType1RTT, debugFrameResetStream{
+			id:        s.id,
+			finalSize: 4,
+			code:      2,
+		})
+		wantErr := StreamErrorCode(1)
+		if n, err := s.Read(make([]byte, 16)); n != 0 || !errors.Is(err, wantErr) {
+			t.Fatalf("Read from reset stream: got %v, %v; want 0, %v", n, err, wantErr)
+		}
+	})
+}
+
+func TestStreamPeerStopSendingForActiveStream(t *testing.T) {
+	// "An endpoint that receives a STOP_SENDING frame MUST send a RESET_STREAM frame if
+	// the stream is in the "Ready" or "Send" state."
+	// https://www.rfc-editor.org/rfc/rfc9000#section-3.5-4
+	testStreamTypes(t, "", func(t *testing.T, styp streamType) {
+		tc, s := newTestConnAndLocalStream(t, serverSide, styp, permissiveTransportParameters)
+		for i := 0; i < 4; i++ {
+			s.Write([]byte{byte(i)})
+			tc.wantFrame("write sends a STREAM frame to peer",
+				packetType1RTT, debugFrameStream{
+					id:   s.id,
+					off:  int64(i),
+					data: []byte{byte(i)},
+				})
+		}
+		tc.writeFrames(packetType1RTT, debugFrameStopSending{
+			id:   s.id,
+			code: 42,
+		})
+		tc.wantFrame("receiving STOP_SENDING causes stream reset",
+			packetType1RTT, debugFrameResetStream{
+				id:        s.id,
+				code:      42,
+				finalSize: 4,
+			})
+		if n, err := s.Write([]byte{0}); err == nil {
+			t.Errorf("s.Write() after STOP_SENDING = %v, %v; want error", n, err)
+		}
+		// This ack will result in some of the previous frames being marked as lost.
+		tc.writeFrames(packetType1RTT, debugFrameAck{
+			ranges: []i64range[packetNumber]{{
+				tc.sentFramePacket.num,
+				tc.sentFramePacket.num + 1,
+			}},
+		})
+		tc.wantIdle("lost STREAM frames for reset stream are not resent")
+	})
+}
+
 func newTestConnAndLocalStream(t *testing.T, side connSide, styp streamType, opts ...any) (*testConn, *Stream) {
 	t.Helper()
 	ctx := canceledContext()
@@ -825,3 +1173,13 @@ func newTestConnAndRemoteStream(t *testing.T, side connSide, styp streamType, op
 	}
 	return tc, s
 }
+
+// permissiveTransportParameters may be passed as an option to newTestConn.
+func permissiveTransportParameters(p *transportParameters) {
+	p.initialMaxStreamsBidi = maxVarint
+	p.initialMaxStreamsUni = maxVarint
+	p.initialMaxData = maxVarint
+	p.initialMaxStreamDataBidiRemote = maxVarint
+	p.initialMaxStreamDataBidiLocal = maxVarint
+	p.initialMaxStreamDataUni = maxVarint
+}
diff --git a/internal/quic/wire.go b/internal/quic/wire.go
index f0643c922..848602915 100644
--- a/internal/quic/wire.go
+++ b/internal/quic/wire.go
@@ -8,7 +8,10 @@ package quic
 
 import "encoding/binary"
 
-const maxVarintSize = 8
+const (
+	maxVarintSize = 8 // encoded size in bytes
+	maxVarint     = (1 << 62) - 1
+)
 
 // consumeVarint parses a variable-length integer, reporting its length.
 // It returns a negative length upon an error.

From efb8d7ab942d2b798abae11dfebfb9043cac78be Mon Sep 17 00:00:00 2001
From: Mateusz Poliwczak <mpoliwczak34@gmail.com>
Date: Sat, 26 Aug 2023 16:55:17 +0000
Subject: [PATCH 10/22] dns/dnsmessage: don't include bytes after name.Length
 in the compression map
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This improves the performance of name compression and makes
the name.Data[name.Length:] not included in the compression
map, it is unnecessary and might cause issues (i.e. reusing
the Name struct, without using the NewName function).

goos: linux
goarch: amd64
pkg: golang.org/x/net/dns/dnsmessage
cpu: Intel(R) Core(TM) i5-4200M CPU @ 2.50GHz
             │    before     │                after                 │
             │    sec/op     │    sec/op     vs base                │
Pack-4         15.672µ ± 13%   5.470µ ± 14%  -65.10% (p=0.000 n=10)
AppendPack-4   15.144µ ± 12%   5.330µ ± 10%  -64.80% (p=0.000 n=10)
geomean         15.41µ         5.400µ        -64.95%

             │    before    │                after                 │
             │     B/op     │     B/op      vs base                │
Pack-4         6.051Ki ± 0%   1.285Ki ± 0%  -78.76% (p=0.000 n=10)
AppendPack-4    5684.0 ± 0%     804.0 ± 0%  -85.86% (p=0.000 n=10)
geomean        5.795Ki        1.005Ki       -82.67%

             │   before   │               after                │
             │ allocs/op  │ allocs/op   vs base                │
Pack-4         21.00 ± 0%   11.00 ± 0%  -47.62% (p=0.000 n=10)
AppendPack-4   20.00 ± 0%   10.00 ± 0%  -50.00% (p=0.000 n=10)
geomean        20.49        10.49       -48.82%

Change-Id: Idf40d5d4790d37eb7253214f089eff859a937c60
GitHub-Last-Rev: a3182830e27086a0e12e116c7f7916468eb1edf2
GitHub-Pull-Request: golang/net#190
Reviewed-on: https://go-review.googlesource.com/c/net/+/522817
Run-TryBot: Mateusz Poliwczak <mpoliwczak34@gmail.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Ian Lance Taylor <iant@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Ian Lance Taylor <iant@google.com>
---
 dns/dnsmessage/message.go      | 11 +++++++++--
 dns/dnsmessage/message_test.go | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 43 insertions(+), 2 deletions(-)

diff --git a/dns/dnsmessage/message.go b/dns/dnsmessage/message.go
index cd997bab0..9ddf2c229 100644
--- a/dns/dnsmessage/message.go
+++ b/dns/dnsmessage/message.go
@@ -1961,6 +1961,8 @@ func (n *Name) pack(msg []byte, compression map[string]int, compressionOff int)
 		return append(msg, 0), nil
 	}
 
+	var nameAsStr string
+
 	// Emit sequence of counted strings, chopping at dots.
 	for i, begin := 0, 0; i < int(n.Length); i++ {
 		// Check for the end of the segment.
@@ -1991,7 +1993,7 @@ func (n *Name) pack(msg []byte, compression map[string]int, compressionOff int)
 		// segment. A pointer is two bytes with the two most significant
 		// bits set to 1 to indicate that it is a pointer.
 		if (i == 0 || n.Data[i-1] == '.') && compression != nil {
-			if ptr, ok := compression[string(n.Data[i:])]; ok {
+			if ptr, ok := compression[string(n.Data[i:n.Length])]; ok {
 				// Hit. Emit a pointer instead of the rest of
 				// the domain.
 				return append(msg, byte(ptr>>8|0xC0), byte(ptr)), nil
@@ -2000,7 +2002,12 @@ func (n *Name) pack(msg []byte, compression map[string]int, compressionOff int)
 			// Miss. Add the suffix to the compression table if the
 			// offset can be stored in the available 14 bytes.
 			if len(msg) <= int(^uint16(0)>>2) {
-				compression[string(n.Data[i:])] = len(msg) - compressionOff
+				if nameAsStr == "" {
+					// allocate n.Data on the heap once, to avoid allocating it
+					// multiple times (for next labels).
+					nameAsStr = string(n.Data[:n.Length])
+				}
+				compression[nameAsStr[i:]] = len(msg) - compressionOff
 			}
 		}
 	}
diff --git a/dns/dnsmessage/message_test.go b/dns/dnsmessage/message_test.go
index 1b7f3cb35..ee42febbc 100644
--- a/dns/dnsmessage/message_test.go
+++ b/dns/dnsmessage/message_test.go
@@ -1813,3 +1813,37 @@ func TestParseWrongSection(t *testing.T) {
 		t.Fatalf("p.SkipAllAuthorities(): unexpected success in Answer section")
 	}
 }
+
+func TestBuilderNameCompressionWithNonZeroedName(t *testing.T) {
+	b := NewBuilder(nil, Header{})
+	b.EnableCompression()
+	if err := b.StartQuestions(); err != nil {
+		t.Fatalf("b.StartQuestions() unexpected error: %v", err)
+	}
+
+	name := MustNewName("go.dev.")
+	if err := b.Question(Question{Name: name}); err != nil {
+		t.Fatalf("b.Question() unexpected error: %v", err)
+	}
+
+	// Character that is not part of the name (name.Data[:name.Length]),
+	// shouldn't affect the compression algorithm.
+	name.Data[name.Length] = '1'
+	if err := b.Question(Question{Name: name}); err != nil {
+		t.Fatalf("b.Question() unexpected error: %v", err)
+	}
+
+	msg, err := b.Finish()
+	if err != nil {
+		t.Fatalf("b.Finish() unexpected error: %v", err)
+	}
+
+	expect := []byte{
+		0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, // header
+		2, 'g', 'o', 3, 'd', 'e', 'v', 0, 0, 0, 0, 0, // question 1
+		0xC0, 12, 0, 0, 0, 0, // question 2
+	}
+	if !bytes.Equal(msg, expect) {
+		t.Fatalf("b.Finish() = %v, want: %v", msg, expect)
+	}
+}

From 4a2d37ed365334ff00b166660d7c497fcfeaef1b Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Mon, 31 Jul 2023 15:26:38 -0700
Subject: [PATCH 11/22] http2: remove Docker-requiring tests

Remove two tests, one of which uses curl and the other which uses h2load.
These tests don't seem worth the complexity of keeping around a Dockerfile
and curl/h2load dependencies.

Change-Id: I0370af061168e46d8110fa40eba8dabe68acecc3
Reviewed-on: https://go-review.googlesource.com/c/net/+/514597
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
---
 http2/Dockerfile     | 51 ------------------------
 http2/Makefile       |  3 --
 http2/http2_test.go  | 62 -----------------------------
 http2/server_test.go | 92 --------------------------------------------
 4 files changed, 208 deletions(-)
 delete mode 100644 http2/Dockerfile
 delete mode 100644 http2/Makefile

diff --git a/http2/Dockerfile b/http2/Dockerfile
deleted file mode 100644
index 851224595..000000000
--- a/http2/Dockerfile
+++ /dev/null
@@ -1,51 +0,0 @@
-#
-# This Dockerfile builds a recent curl with HTTP/2 client support, using
-# a recent nghttp2 build.
-#
-# See the Makefile for how to tag it. If Docker and that image is found, the
-# Go tests use this curl binary for integration tests.
-#
-
-FROM ubuntu:trusty
-
-RUN apt-get update && \
-    apt-get upgrade -y && \
-    apt-get install -y git-core build-essential wget
-
-RUN apt-get install -y --no-install-recommends \
-       autotools-dev libtool pkg-config zlib1g-dev \
-       libcunit1-dev libssl-dev libxml2-dev libevent-dev \
-       automake autoconf
-
-# The list of packages nghttp2 recommends for h2load:
-RUN apt-get install -y --no-install-recommends make binutils \
-        autoconf automake autotools-dev \
-        libtool pkg-config zlib1g-dev libcunit1-dev libssl-dev libxml2-dev \
-        libev-dev libevent-dev libjansson-dev libjemalloc-dev \
-        cython python3.4-dev python-setuptools
-
-# Note: setting NGHTTP2_VER before the git clone, so an old git clone isn't cached:
-ENV NGHTTP2_VER 895da9a
-RUN cd /root && git clone https://github.com/tatsuhiro-t/nghttp2.git
-
-WORKDIR /root/nghttp2
-RUN git reset --hard $NGHTTP2_VER
-RUN autoreconf -i
-RUN automake
-RUN autoconf
-RUN ./configure
-RUN make
-RUN make install
-
-WORKDIR /root
-RUN wget https://curl.se/download/curl-7.45.0.tar.gz
-RUN tar -zxvf curl-7.45.0.tar.gz
-WORKDIR /root/curl-7.45.0
-RUN ./configure --with-ssl --with-nghttp2=/usr/local
-RUN make
-RUN make install
-RUN ldconfig
-
-CMD ["-h"]
-ENTRYPOINT ["/usr/local/bin/curl"]
-
diff --git a/http2/Makefile b/http2/Makefile
deleted file mode 100644
index 55fd826f7..000000000
--- a/http2/Makefile
+++ /dev/null
@@ -1,3 +0,0 @@
-curlimage:
-	docker build -t gohttp2/curl .
-
diff --git a/http2/http2_test.go b/http2/http2_test.go
index f77c08a10..a16774b7f 100644
--- a/http2/http2_test.go
+++ b/http2/http2_test.go
@@ -6,16 +6,13 @@ package http2
 
 import (
 	"bytes"
-	"errors"
 	"flag"
 	"fmt"
 	"io/ioutil"
 	"net/http"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"regexp"
-	"strconv"
 	"strings"
 	"testing"
 	"time"
@@ -85,44 +82,6 @@ func encodeHeaderNoImplicit(t *testing.T, headers ...string) []byte {
 	return buf.Bytes()
 }
 
-// Verify that curl has http2.
-func requireCurl(t *testing.T) {
-	out, err := dockerLogs(curl(t, "--version"))
-	if err != nil {
-		t.Skipf("failed to determine curl features; skipping test")
-	}
-	if !strings.Contains(string(out), "HTTP2") {
-		t.Skip("curl doesn't support HTTP2; skipping test")
-	}
-}
-
-func curl(t *testing.T, args ...string) (container string) {
-	out, err := exec.Command("docker", append([]string{"run", "-d", "--net=host", "gohttp2/curl"}, args...)...).Output()
-	if err != nil {
-		t.Skipf("Failed to run curl in docker: %v, %s", err, out)
-	}
-	return strings.TrimSpace(string(out))
-}
-
-// Verify that h2load exists.
-func requireH2load(t *testing.T) {
-	out, err := dockerLogs(h2load(t, "--version"))
-	if err != nil {
-		t.Skipf("failed to probe h2load; skipping test: %s", out)
-	}
-	if !strings.Contains(string(out), "h2load nghttp2/") {
-		t.Skipf("h2load not present; skipping test. (Output=%q)", out)
-	}
-}
-
-func h2load(t *testing.T, args ...string) (container string) {
-	out, err := exec.Command("docker", append([]string{"run", "-d", "--net=host", "--entrypoint=/usr/local/bin/h2load", "gohttp2/curl"}, args...)...).Output()
-	if err != nil {
-		t.Skipf("Failed to run h2load in docker: %v, %s", err, out)
-	}
-	return strings.TrimSpace(string(out))
-}
-
 type puppetCommand struct {
 	fn   func(w http.ResponseWriter, r *http.Request)
 	done chan<- bool
@@ -151,27 +110,6 @@ func (p *handlerPuppet) do(fn func(http.ResponseWriter, *http.Request)) {
 	p.ch <- puppetCommand{fn, done}
 	<-done
 }
-func dockerLogs(container string) ([]byte, error) {
-	out, err := exec.Command("docker", "wait", container).CombinedOutput()
-	if err != nil {
-		return out, err
-	}
-	exitStatus, err := strconv.Atoi(strings.TrimSpace(string(out)))
-	if err != nil {
-		return out, errors.New("unexpected exit status from docker wait")
-	}
-	out, err = exec.Command("docker", "logs", container).CombinedOutput()
-	exec.Command("docker", "rm", container).Run()
-	if err == nil && exitStatus != 0 {
-		err = fmt.Errorf("exit status %d: %s", exitStatus, out)
-	}
-	return out, err
-}
-
-func kill(container string) {
-	exec.Command("docker", "kill", container).Run()
-	exec.Command("docker", "rm", container).Run()
-}
 
 func cleanDate(res *http.Response) {
 	if d := res.Header["Date"]; len(d) == 1 {
diff --git a/http2/server_test.go b/http2/server_test.go
index cd73291ea..b99c5af54 100644
--- a/http2/server_test.go
+++ b/http2/server_test.go
@@ -20,13 +20,11 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"os"
-	"os/exec"
 	"reflect"
 	"runtime"
 	"strconv"
 	"strings"
 	"sync"
-	"sync/atomic"
 	"testing"
 	"time"
 
@@ -2704,96 +2702,6 @@ func readBodyHandler(t *testing.T, want string) func(w http.ResponseWriter, r *h
 	}
 }
 
-// TestServerWithCurl currently fails, hence the LenientCipherSuites test. See:
-//
-//	https://github.com/tatsuhiro-t/nghttp2/issues/140 &
-//	http://sourceforge.net/p/curl/bugs/1472/
-func TestServerWithCurl(t *testing.T)                     { testServerWithCurl(t, false) }
-func TestServerWithCurl_LenientCipherSuites(t *testing.T) { testServerWithCurl(t, true) }
-
-func testServerWithCurl(t *testing.T, permitProhibitedCipherSuites bool) {
-	if runtime.GOOS != "linux" {
-		t.Skip("skipping Docker test when not on Linux; requires --net which won't work with boot2docker anyway")
-	}
-	if testing.Short() {
-		t.Skip("skipping curl test in short mode")
-	}
-	requireCurl(t)
-	var gotConn int32
-	testHookOnConn = func() { atomic.StoreInt32(&gotConn, 1) }
-
-	const msg = "Hello from curl!\n"
-	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Foo", "Bar")
-		w.Header().Set("Client-Proto", r.Proto)
-		io.WriteString(w, msg)
-	}))
-	ConfigureServer(ts.Config, &Server{
-		PermitProhibitedCipherSuites: permitProhibitedCipherSuites,
-	})
-	ts.TLS = ts.Config.TLSConfig // the httptest.Server has its own copy of this TLS config
-	ts.StartTLS()
-	defer ts.Close()
-
-	t.Logf("Running test server for curl to hit at: %s", ts.URL)
-	container := curl(t, "--silent", "--http2", "--insecure", "-v", ts.URL)
-	defer kill(container)
-	res, err := dockerLogs(container)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	body := string(res)
-	// Search for both "key: value" and "key:value", since curl changed their format
-	// Our Dockerfile contains the latest version (no space), but just in case people
-	// didn't rebuild, check both.
-	if !strings.Contains(body, "foo: Bar") && !strings.Contains(body, "foo:Bar") {
-		t.Errorf("didn't see foo: Bar header")
-		t.Logf("Got: %s", body)
-	}
-	if !strings.Contains(body, "client-proto: HTTP/2") && !strings.Contains(body, "client-proto:HTTP/2") {
-		t.Errorf("didn't see client-proto: HTTP/2 header")
-		t.Logf("Got: %s", res)
-	}
-	if !strings.Contains(string(res), msg) {
-		t.Errorf("didn't see %q content", msg)
-		t.Logf("Got: %s", res)
-	}
-
-	if atomic.LoadInt32(&gotConn) == 0 {
-		t.Error("never saw an http2 connection")
-	}
-}
-
-var doh2load = flag.Bool("h2load", false, "Run h2load test")
-
-func TestServerWithH2Load(t *testing.T) {
-	if !*doh2load {
-		t.Skip("Skipping without --h2load flag.")
-	}
-	if runtime.GOOS != "linux" {
-		t.Skip("skipping Docker test when not on Linux; requires --net which won't work with boot2docker anyway")
-	}
-	requireH2load(t)
-
-	msg := strings.Repeat("Hello, h2load!\n", 5000)
-	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		io.WriteString(w, msg)
-		w.(http.Flusher).Flush()
-		io.WriteString(w, msg)
-	}))
-	ts.StartTLS()
-	defer ts.Close()
-
-	cmd := exec.Command("docker", "run", "--net=host", "--entrypoint=/usr/local/bin/h2load", "gohttp2/curl",
-		"-n100000", "-c100", "-m100", ts.URL)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		t.Fatal(err)
-	}
-}
-
 func TestServer_MaxDecoderHeaderTableSize(t *testing.T) {
 	wantHeaderTableSize := uint32(initialHeaderTableSize * 2)
 	st := newServerTester(t, func(w http.ResponseWriter, r *http.Request) {}, func(s *Server) {

From 52fbe3731bc7b6873c58d80aae59dc20abbf89c9 Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Sun, 13 Aug 2023 10:33:31 -0400
Subject: [PATCH 12/22] quic: add test helpers for acking packets

Add connTest methods to send the conn-under-test an ACK
for the latest packet it sent, or for all packets in the
number space it last sent in.

For golang/go#58547

Change-Id: Id35cad9bddf9dd32074dc121fd360a65b989fb4b
Reviewed-on: https://go-review.googlesource.com/c/net/+/522055
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
---
 internal/quic/conn_id_test.go   |  4 ++--
 internal/quic/conn_loss_test.go |  7 +------
 internal/quic/conn_test.go      | 34 +++++++++++++++++++++++++++------
 internal/quic/stream_test.go    | 19 ++++--------------
 internal/quic/tls_test.go       |  2 +-
 5 files changed, 36 insertions(+), 30 deletions(-)

diff --git a/internal/quic/conn_id_test.go b/internal/quic/conn_id_test.go
index 04baf0eda..d479cd4a8 100644
--- a/internal/quic/conn_id_test.go
+++ b/internal/quic/conn_id_test.go
@@ -264,7 +264,7 @@ func TestConnIDPeerRequestsRetirement(t *testing.T) {
 		packetType1RTT, debugFrameRetireConnectionID{
 			seq: 0,
 		})
-	if got, want := tc.sentFramePacket.dstConnID, testPeerConnID(1); !bytes.Equal(got, want) {
+	if got, want := tc.lastPacket.dstConnID, testPeerConnID(1); !bytes.Equal(got, want) {
 		t.Fatalf("used destination conn id {%x}, want {%x}", got, want)
 	}
 }
@@ -467,7 +467,7 @@ func TestConnIDUsePreferredAddressConnID(t *testing.T) {
 		packetType1RTT, debugFrameRetireConnectionID{
 			seq: 0,
 		})
-	if got, want := tc.sentFramePacket.dstConnID, cid; !bytes.Equal(got, want) {
+	if got, want := tc.lastPacket.dstConnID, cid; !bytes.Equal(got, want) {
 		t.Fatalf("used destination conn id {%x}, want {%x} from preferred address transport parameter", got, want)
 	}
 }
diff --git a/internal/quic/conn_loss_test.go b/internal/quic/conn_loss_test.go
index dc0dc6cd3..bb4303033 100644
--- a/internal/quic/conn_loss_test.go
+++ b/internal/quic/conn_loss_test.go
@@ -271,12 +271,7 @@ func TestLostStreamPartialLoss(t *testing.T) {
 				data: data[i : i+1],
 			})
 		if i%2 == 0 {
-			num := tc.sentFramePacket.num
-			tc.writeFrames(packetType1RTT, debugFrameAck{
-				ranges: []i64range[packetNumber]{
-					{num, num + 1},
-				},
-			})
+			tc.writeAckForLatest()
 		}
 	}
 	const pto = false
diff --git a/internal/quic/conn_test.go b/internal/quic/conn_test.go
index 2480f9cb0..2aa38fcf3 100644
--- a/internal/quic/conn_test.go
+++ b/internal/quic/conn_test.go
@@ -137,10 +137,10 @@ type testConn struct {
 
 	// Datagrams, packets, and frames sent by the conn,
 	// but not yet processed by the test.
-	sentDatagrams   [][]byte
-	sentPackets     []*testPacket
-	sentFrames      []debugFrame
-	sentFramePacket *testPacket
+	sentDatagrams [][]byte
+	sentPackets   []*testPacket
+	sentFrames    []debugFrame
+	lastPacket    *testPacket
 
 	// Frame types to ignore in tests.
 	ignoreFrames map[byte]bool
@@ -388,6 +388,28 @@ func (tc *testConn) writeFrames(ptype packetType, frames ...debugFrame) {
 	tc.write(d)
 }
 
+// writeAckForAll sends the Conn a datagram containing an ack for all packets up to the
+// last one received.
+func (tc *testConn) writeAckForAll() {
+	if tc.lastPacket == nil {
+		return
+	}
+	tc.writeFrames(tc.lastPacket.ptype, debugFrameAck{
+		ranges: []i64range[packetNumber]{{0, tc.lastPacket.num + 1}},
+	})
+}
+
+// writeAckForLatest sends the Conn a datagram containing an ack for the
+// most recent packet received.
+func (tc *testConn) writeAckForLatest() {
+	if tc.lastPacket == nil {
+		return
+	}
+	tc.writeFrames(tc.lastPacket.ptype, debugFrameAck{
+		ranges: []i64range[packetNumber]{{tc.lastPacket.num, tc.lastPacket.num + 1}},
+	})
+}
+
 // ignoreFrame hides frames of the given type sent by the Conn.
 func (tc *testConn) ignoreFrame(frameType byte) {
 	tc.ignoreFrames[frameType] = true
@@ -423,6 +445,7 @@ func (tc *testConn) readPacket() *testPacket {
 	}
 	p := tc.sentPackets[0]
 	tc.sentPackets = tc.sentPackets[1:]
+	tc.lastPacket = p
 	return p
 }
 
@@ -435,12 +458,11 @@ func (tc *testConn) readFrame() (debugFrame, packetType) {
 		if p == nil {
 			return nil, packetTypeInvalid
 		}
-		tc.sentFramePacket = p
 		tc.sentFrames = p.frames
 	}
 	f := tc.sentFrames[0]
 	tc.sentFrames = tc.sentFrames[1:]
-	return f, tc.sentFramePacket.ptype
+	return f, tc.lastPacket.ptype
 }
 
 // wantDatagram indicates that we expect the Conn to send a datagram.
diff --git a/internal/quic/stream_test.go b/internal/quic/stream_test.go
index 5904a9342..bafd236c9 100644
--- a/internal/quic/stream_test.go
+++ b/internal/quic/stream_test.go
@@ -193,9 +193,7 @@ func TestStreamWriteBlockedByWriteBufferLimit(t *testing.T) {
 		tc.wantIdle("no STREAM_DATA_BLOCKED, we're blocked locally not by flow control")
 
 		// ACK for previously-sent data allows making more progress.
-		tc.writeFrames(packetType1RTT, debugFrameAck{
-			ranges: []i64range[packetNumber]{{0, tc.sentFramePacket.num + 1}},
-		})
+		tc.writeAckForAll()
 		tc.wantFrame("ACK for previous data allows making progress",
 			packetType1RTT, debugFrameStream{
 				id:   s.id,
@@ -968,9 +966,7 @@ func TestStreamCloseWaitsForAcks(t *testing.T) {
 	if _, err := closing.result(); err != errNotDone {
 		t.Fatalf("s.CloseContext() = %v, want it to block waiting for acks", err)
 	}
-	tc.writeFrames(packetType1RTT, debugFrameAck{
-		ranges: []i64range[packetNumber]{{0, tc.sentFramePacket.num + 1}},
-	})
+	tc.writeAckForAll()
 	if _, err := closing.result(); err != nil {
 		t.Fatalf("s.CloseContext() = %v, want nil (all data acked)", err)
 	}
@@ -983,9 +979,7 @@ func TestStreamCloseUnblocked(t *testing.T) {
 	}{{
 		name: "data received",
 		unblock: func(tc *testConn, s *Stream) {
-			tc.writeFrames(packetType1RTT, debugFrameAck{
-				ranges: []i64range[packetNumber]{{0, tc.sentFramePacket.num + 1}},
-			})
+			tc.writeAckForAll()
 		},
 	}, {
 		name: "stop sending received",
@@ -1135,12 +1129,7 @@ func TestStreamPeerStopSendingForActiveStream(t *testing.T) {
 			t.Errorf("s.Write() after STOP_SENDING = %v, %v; want error", n, err)
 		}
 		// This ack will result in some of the previous frames being marked as lost.
-		tc.writeFrames(packetType1RTT, debugFrameAck{
-			ranges: []i64range[packetNumber]{{
-				tc.sentFramePacket.num,
-				tc.sentFramePacket.num + 1,
-			}},
-		})
+		tc.writeAckForLatest()
 		tc.wantIdle("lost STREAM frames for reset stream are not resent")
 	})
 }
diff --git a/internal/quic/tls_test.go b/internal/quic/tls_test.go
index 35cb8bf00..180ea8bee 100644
--- a/internal/quic/tls_test.go
+++ b/internal/quic/tls_test.go
@@ -266,7 +266,7 @@ func (tc *testConn) uncheckedHandshake() {
 			debugFrameAck{
 				ackDelay: unscaledAckDelayFromDuration(
 					maxAckDelay, ackDelayExponent),
-				ranges: []i64range[packetNumber]{{0, tc.sentFramePacket.num + 1}},
+				ranges: []i64range[packetNumber]{{0, tc.lastPacket.num + 1}},
 			})
 	} else {
 		tc.wantIdle("initial frames are ignored")

From 4332436fd1223b60e3127494d5ff771fba2c0adf Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Wed, 16 Aug 2023 08:57:37 -0400
Subject: [PATCH 13/22] quic: send more transport parameters

Send various transport parameters that we weren't sending yet,
but should have been. Add a test for transport parameters sent
by us.

For golang/go#58547

Change-Id: Id16c46ee39040b091633aca8d4cff4c60562a603
Reviewed-on: https://go-review.googlesource.com/c/net/+/523575
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
---
 internal/quic/config_test.go | 32 ++++++++++++++++++++++++++++++++
 internal/quic/conn.go        | 14 ++++++++++----
 internal/quic/conn_test.go   | 10 ++++++++++
 3 files changed, 52 insertions(+), 4 deletions(-)
 create mode 100644 internal/quic/config_test.go

diff --git a/internal/quic/config_test.go b/internal/quic/config_test.go
new file mode 100644
index 000000000..cec57c5e3
--- /dev/null
+++ b/internal/quic/config_test.go
@@ -0,0 +1,32 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.21
+
+package quic
+
+import "testing"
+
+func TestConfigTransportParameters(t *testing.T) {
+	const (
+		wantInitialMaxStreamData = int64(2)
+	)
+	tc := newTestConn(t, clientSide, func(c *Config) {
+		c.StreamReadBufferSize = wantInitialMaxStreamData
+	})
+	tc.handshake()
+	if tc.sentTransportParameters == nil {
+		t.Fatalf("conn didn't send transport parameters during handshake")
+	}
+	p := tc.sentTransportParameters
+	if got, want := p.initialMaxStreamDataBidiLocal, wantInitialMaxStreamData; got != want {
+		t.Errorf("initial_max_stream_data_bidi_local = %v, want %v", got, want)
+	}
+	if got, want := p.initialMaxStreamDataBidiRemote, wantInitialMaxStreamData; got != want {
+		t.Errorf("initial_max_stream_data_bidi_remote = %v, want %v", got, want)
+	}
+	if got, want := p.initialMaxStreamDataUni, wantInitialMaxStreamData; got != want {
+		t.Errorf("initial_max_stream_data_uni = %v, want %v", got, want)
+	}
+}
diff --git a/internal/quic/conn.go b/internal/quic/conn.go
index ee8f011f8..04dcd7b6b 100644
--- a/internal/quic/conn.go
+++ b/internal/quic/conn.go
@@ -111,11 +111,17 @@ func newConn(now time.Time, side connSide, initialConnID []byte, peerAddr netip.
 	c.loss.init(c.side, maxDatagramSize, now)
 	c.streamsInit()
 
+	// TODO: initial_source_connection_id, retry_source_connection_id
 	c.startTLS(now, initialConnID, transportParameters{
-		initialSrcConnID:  c.connIDState.srcConnID(),
-		ackDelayExponent:  ackDelayExponent,
-		maxUDPPayloadSize: maxUDPPayloadSize,
-		maxAckDelay:       maxAckDelay,
+		initialSrcConnID:               c.connIDState.srcConnID(),
+		ackDelayExponent:               ackDelayExponent,
+		maxUDPPayloadSize:              maxUDPPayloadSize,
+		maxAckDelay:                    maxAckDelay,
+		disableActiveMigration:         true,
+		initialMaxStreamDataBidiLocal:  config.streamReadBufferSize(),
+		initialMaxStreamDataBidiRemote: config.streamReadBufferSize(),
+		initialMaxStreamDataUni:        config.streamReadBufferSize(),
+		activeConnIDLimit:              activeConnIDLimit,
 	})
 
 	go c.loop(now)
diff --git a/internal/quic/conn_test.go b/internal/quic/conn_test.go
index 2aa38fcf3..8ebe49e0e 100644
--- a/internal/quic/conn_test.go
+++ b/internal/quic/conn_test.go
@@ -142,6 +142,9 @@ type testConn struct {
 	sentFrames    []debugFrame
 	lastPacket    *testPacket
 
+	// Transport parameters sent by the conn.
+	sentTransportParameters *transportParameters
+
 	// Frame types to ignore in tests.
 	ignoreFrames map[byte]bool
 
@@ -719,6 +722,13 @@ func (tc *testConnHooks) handleTLSEvent(e tls.QUICEvent) {
 			setKey(&tc.rkeys, e)
 		case tls.QUICWriteData:
 			tc.cryptoDataIn[e.Level] = append(tc.cryptoDataIn[e.Level], e.Data...)
+		case tls.QUICTransportParameters:
+			p, err := unmarshalTransportParams(e.Data)
+			if err != nil {
+				tc.t.Logf("sent unparseable transport parameters %x %v", e.Data, err)
+			} else {
+				tc.sentTransportParameters = &p
+			}
 		}
 	}
 }

From d1b0a97d84e0fa88851b5a065e23262afed10400 Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Tue, 15 Aug 2023 11:11:36 -0400
Subject: [PATCH 14/22] quic: avoid sending 1-RTT frames in initial/handshake
 packets

Restructure the send path a little to make it clear that
1-RTT frames go in 1-RTT packets.

For golang/go#58547

Change-Id: Id4c2c86c8ccd350bf490f38a8bb01ad9bc2639ee
Reviewed-on: https://go-review.googlesource.com/c/net/+/524035
Reviewed-by: Jonathan Amsterdam <jba@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 internal/quic/conn_send.go | 40 +++++++++++++++++++-------------------
 1 file changed, 20 insertions(+), 20 deletions(-)

diff --git a/internal/quic/conn_send.go b/internal/quic/conn_send.go
index 6e6fbc585..9d315fb39 100644
--- a/internal/quic/conn_send.go
+++ b/internal/quic/conn_send.go
@@ -224,14 +224,6 @@ func (c *Conn) appendFrames(now time.Time, space numberSpace, pnum packetNumber,
 
 	// TODO: Add all the other frames we can send.
 
-	// HANDSHAKE_DONE
-	if c.handshakeConfirmed.shouldSendPTO(pto) {
-		if !c.w.appendHandshakeDoneFrame() {
-			return
-		}
-		c.handshakeConfirmed.setSent(pnum)
-	}
-
 	// CRYPTO
 	c.crypto[space].dataToSend(pto, func(off, size int64) int64 {
 		b, _ := c.w.appendCryptoFrame(off, int(size))
@@ -239,13 +231,6 @@ func (c *Conn) appendFrames(now time.Time, space numberSpace, pnum packetNumber,
 		return int64(len(b))
 	})
 
-	// NEW_CONNECTION_ID, RETIRE_CONNECTION_ID
-	if space == appDataSpace {
-		if !c.connIDState.appendFrames(&c.w, pnum, pto) {
-			return
-		}
-	}
-
 	// Test-only PING frames.
 	if space == c.testSendPingSpace && c.testSendPing.shouldSendPTO(pto) {
 		if !c.w.appendPingFrame() {
@@ -254,11 +239,26 @@ func (c *Conn) appendFrames(now time.Time, space numberSpace, pnum packetNumber,
 		c.testSendPing.setSent(pnum)
 	}
 
-	// All stream-related frames. This should come last in the packet,
-	// so large amounts of STREAM data don't crowd out other frames
-	// we may need to send.
-	if !c.appendStreamFrames(&c.w, pnum, pto) {
-		return
+	if space == appDataSpace {
+		// HANDSHAKE_DONE
+		if c.handshakeConfirmed.shouldSendPTO(pto) {
+			if !c.w.appendHandshakeDoneFrame() {
+				return
+			}
+			c.handshakeConfirmed.setSent(pnum)
+		}
+
+		// NEW_CONNECTION_ID, RETIRE_CONNECTION_ID
+		if !c.connIDState.appendFrames(&c.w, pnum, pto) {
+			return
+		}
+
+		// All stream-related frames. This should come last in the packet,
+		// so large amounts of STREAM data don't crowd out other frames
+		// we may need to send.
+		if !c.appendStreamFrames(&c.w, pnum, pto) {
+			return
+		}
 	}
 
 	// If this is a PTO probe and we haven't added an ack-eliciting frame yet,

From fe2abcb6e15f7a34d285220b437d421da4c76775 Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Tue, 29 Aug 2023 08:21:51 -0700
Subject: [PATCH 15/22] quic: validate stream limits in transport params

The maximum number of streams of a given type (bidi/uni)
is capped to 2^60, since a larger number would overflow
a varint.

Validate limits received in transport parameters.

RFC 9000, Section 4.6

For golang/go#58547

Change-Id: I7a4a15c569da91ad1b89a5dc71e1c5b213dbda9a
Reviewed-on: https://go-review.googlesource.com/c/net/+/524037
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
---
 internal/quic/packet_parser.go         |  2 +-
 internal/quic/quic.go                  |  4 ++++
 internal/quic/stream_test.go           |  4 ++--
 internal/quic/transport_params.go      |  6 ++++++
 internal/quic/transport_params_test.go | 14 ++++++++++++++
 5 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/internal/quic/packet_parser.go b/internal/quic/packet_parser.go
index 9a00da756..ca5b37b2b 100644
--- a/internal/quic/packet_parser.go
+++ b/internal/quic/packet_parser.go
@@ -378,7 +378,7 @@ func consumeMaxStreamsFrame(b []byte) (typ streamType, max int64, n int) {
 		return 0, 0, -1
 	}
 	n += nn
-	if v > 1<<60 {
+	if v > maxStreamsLimit {
 		return 0, 0, -1
 	}
 	return typ, int64(v), n
diff --git a/internal/quic/quic.go b/internal/quic/quic.go
index 8cd61aed0..71738e129 100644
--- a/internal/quic/quic.go
+++ b/internal/quic/quic.go
@@ -55,6 +55,10 @@ const timerGranularity = 1 * time.Millisecond
 // https://www.rfc-editor.org/rfc/rfc9000#section-14.1
 const minimumClientInitialDatagramSize = 1200
 
+// Maximum number of streams of a given type which may be created.
+// https://www.rfc-editor.org/rfc/rfc9000.html#section-4.6-2
+const maxStreamsLimit = 1 << 60
+
 // A connSide distinguishes between the client and server sides of a connection.
 type connSide int8
 
diff --git a/internal/quic/stream_test.go b/internal/quic/stream_test.go
index bafd236c9..7b8ba2c54 100644
--- a/internal/quic/stream_test.go
+++ b/internal/quic/stream_test.go
@@ -1165,8 +1165,8 @@ func newTestConnAndRemoteStream(t *testing.T, side connSide, styp streamType, op
 
 // permissiveTransportParameters may be passed as an option to newTestConn.
 func permissiveTransportParameters(p *transportParameters) {
-	p.initialMaxStreamsBidi = maxVarint
-	p.initialMaxStreamsUni = maxVarint
+	p.initialMaxStreamsBidi = maxStreamsLimit
+	p.initialMaxStreamsUni = maxStreamsLimit
 	p.initialMaxData = maxVarint
 	p.initialMaxStreamDataBidiRemote = maxVarint
 	p.initialMaxStreamDataBidiLocal = maxVarint
diff --git a/internal/quic/transport_params.go b/internal/quic/transport_params.go
index 89ea69fb9..dc76d1650 100644
--- a/internal/quic/transport_params.go
+++ b/internal/quic/transport_params.go
@@ -212,8 +212,14 @@ func unmarshalTransportParams(params []byte) (transportParameters, error) {
 			p.initialMaxStreamDataUni, n = consumeVarintInt64(val)
 		case paramInitialMaxStreamsBidi:
 			p.initialMaxStreamsBidi, n = consumeVarintInt64(val)
+			if p.initialMaxStreamsBidi > maxStreamsLimit {
+				return p, localTransportError(errTransportParameter)
+			}
 		case paramInitialMaxStreamsUni:
 			p.initialMaxStreamsUni, n = consumeVarintInt64(val)
+			if p.initialMaxStreamsUni > maxStreamsLimit {
+				return p, localTransportError(errTransportParameter)
+			}
 		case paramAckDelayExponent:
 			var v uint64
 			v, n = consumeVarint(val)
diff --git a/internal/quic/transport_params_test.go b/internal/quic/transport_params_test.go
index e1c45ca0e..cc88e83fd 100644
--- a/internal/quic/transport_params_test.go
+++ b/internal/quic/transport_params_test.go
@@ -236,6 +236,20 @@ func TestTransportParametersErrors(t *testing.T) {
 			15,   // length
 			0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14,
 		},
+	}, {
+		desc: "initial_max_streams_bidi is too large",
+		enc: []byte{
+			0x08, // initial_max_streams_bidi,
+			8,    // length,
+			0xd0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+		},
+	}, {
+		desc: "initial_max_streams_uni is too large",
+		enc: []byte{
+			0x08, // initial_max_streams_uni,
+			9,    // length,
+			0xd0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
+		},
 	}, {
 		desc: "preferred_address is too short",
 		enc: []byte{

From 8b010a5243b670aca8d2277a3c989d1b6a198a08 Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Tue, 29 Aug 2023 09:25:04 -0700
Subject: [PATCH 16/22] quic: fix race condition in runAsync test helper

asyncTestState.wakeAsync runs on the conn's goroutine and
accesses as.blocked, so we need to hold as.mu while
initializing as.blocked in runAsync.

For golang/go#58547

Change-Id: Idb5921895cee89dfceec2b2439c43f2e380b64ce
Reviewed-on: https://go-review.googlesource.com/c/net/+/524095
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
---
 internal/quic/conn_async_test.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/internal/quic/conn_async_test.go b/internal/quic/conn_async_test.go
index 0da3ddb45..5b419c4e5 100644
--- a/internal/quic/conn_async_test.go
+++ b/internal/quic/conn_async_test.go
@@ -101,7 +101,9 @@ func runAsync[T any](ts *testConn, f func(context.Context) (T, error)) *asyncOp[
 	as := &ts.asyncTestState
 	if as.notify == nil {
 		as.notify = make(chan struct{})
+		as.mu.Lock()
 		as.blocked = make(map[*blockedAsync]struct{})
+		as.mu.Unlock()
 	}
 	_, file, line, _ := runtime.Caller(1)
 	ctx := context.WithValue(context.Background(), asyncContextKey{}, true)

From b4d09be75101024ceed6b173b49a5630084174e6 Mon Sep 17 00:00:00 2001
From: Mateusz Poliwczak <mpoliwczak34@gmail.com>
Date: Mon, 28 Aug 2023 16:40:48 +0000
Subject: [PATCH 17/22] dns/dnsmessage: compress all names while appending to a
 buffer

Change-Id: Iedccbf3e47a63b2239def189ab41bab18a64c398
GitHub-Last-Rev: eb23195734794ab2b211677e5e3616de5f0eb7be
GitHub-Pull-Request: golang/net#189
Reviewed-on: https://go-review.googlesource.com/c/net/+/522575
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Mateusz Poliwczak <mpoliwczak34@gmail.com>
Reviewed-by: Joedian Reid <joedian@golang.org>
Auto-Submit: Ian Lance Taylor <iant@golang.org>
---
 dns/dnsmessage/message.go      |  7 ++++---
 dns/dnsmessage/message_test.go | 27 +++++++++++++++++++++++++++
 2 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/dns/dnsmessage/message.go b/dns/dnsmessage/message.go
index 9ddf2c229..0215a5dde 100644
--- a/dns/dnsmessage/message.go
+++ b/dns/dnsmessage/message.go
@@ -2000,14 +2000,15 @@ func (n *Name) pack(msg []byte, compression map[string]int, compressionOff int)
 			}
 
 			// Miss. Add the suffix to the compression table if the
-			// offset can be stored in the available 14 bytes.
-			if len(msg) <= int(^uint16(0)>>2) {
+			// offset can be stored in the available 14 bits.
+			newPtr := len(msg) - compressionOff
+			if newPtr <= int(^uint16(0)>>2) {
 				if nameAsStr == "" {
 					// allocate n.Data on the heap once, to avoid allocating it
 					// multiple times (for next labels).
 					nameAsStr = string(n.Data[:n.Length])
 				}
-				compression[nameAsStr[i:]] = len(msg) - compressionOff
+				compression[nameAsStr[i:]] = newPtr
 			}
 		}
 	}
diff --git a/dns/dnsmessage/message_test.go b/dns/dnsmessage/message_test.go
index ee42febbc..23fb3d574 100644
--- a/dns/dnsmessage/message_test.go
+++ b/dns/dnsmessage/message_test.go
@@ -1847,3 +1847,30 @@ func TestBuilderNameCompressionWithNonZeroedName(t *testing.T) {
 		t.Fatalf("b.Finish() = %v, want: %v", msg, expect)
 	}
 }
+
+func TestBuilderCompressionInAppendMode(t *testing.T) {
+	maxPtr := int(^uint16(0) >> 2)
+	b := NewBuilder(make([]byte, maxPtr, maxPtr+512), Header{})
+	b.EnableCompression()
+	if err := b.StartQuestions(); err != nil {
+		t.Fatalf("b.StartQuestions() unexpected error: %v", err)
+	}
+	if err := b.Question(Question{Name: MustNewName("go.dev.")}); err != nil {
+		t.Fatalf("b.Question() unexpected error: %v", err)
+	}
+	if err := b.Question(Question{Name: MustNewName("go.dev.")}); err != nil {
+		t.Fatalf("b.Question() unexpected error: %v", err)
+	}
+	msg, err := b.Finish()
+	if err != nil {
+		t.Fatalf("b.Finish() unexpected error: %v", err)
+	}
+	expect := []byte{
+		0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, // header
+		2, 'g', 'o', 3, 'd', 'e', 'v', 0, 0, 0, 0, 0, // question 1
+		0xC0, 12, 0, 0, 0, 0, // question 2
+	}
+	if !bytes.Equal(msg[maxPtr:], expect) {
+		t.Fatalf("msg[maxPtr:] = %v, want: %v", msg[maxPtr:], expect)
+	}
+}

From 7374d342a2c3de79d7b96f3aacdb13498c3fc3b5 Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Tue, 29 Aug 2023 12:51:05 -0700
Subject: [PATCH 18/22] quic: don't block when closing read-only streams

Stream.Close blocks until all data sent on a stream has been
acked by the peer. Don't block indefinitely when closing
a read-only stream, waiting for an ack of data we never sent.

For golang/go#58547

Change-Id: I4087666f739d7388e460b613d211c043626f1c87
Reviewed-on: https://go-review.googlesource.com/c/net/+/524038
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
---
 internal/quic/stream.go      |  7 ++++++-
 internal/quic/stream_test.go | 11 +++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/internal/quic/stream.go b/internal/quic/stream.go
index 12117dbd3..1033cbb40 100644
--- a/internal/quic/stream.go
+++ b/internal/quic/stream.go
@@ -66,7 +66,9 @@ func newStream(c *Conn, id streamID) *Stream {
 		inresetcode: -1, // -1 indicates no RESET_STREAM received
 		ingate:      newLockedGate(),
 		outgate:     newLockedGate(),
-		outdone:     make(chan struct{}),
+	}
+	if !s.IsReadOnly() {
+		s.outdone = make(chan struct{})
 	}
 	return s
 }
@@ -237,6 +239,9 @@ func (s *Stream) Close() error {
 // CloseContext discards the buffer and returns the context error.
 func (s *Stream) CloseContext(ctx context.Context) error {
 	s.CloseRead()
+	if s.IsReadOnly() {
+		return nil
+	}
 	s.CloseWrite()
 	// TODO: Return code from peer's RESET_STREAM frame?
 	return s.conn.waitOnDone(ctx, s.outdone)
diff --git a/internal/quic/stream_test.go b/internal/quic/stream_test.go
index 7b8ba2c54..79377c6a4 100644
--- a/internal/quic/stream_test.go
+++ b/internal/quic/stream_test.go
@@ -972,6 +972,17 @@ func TestStreamCloseWaitsForAcks(t *testing.T) {
 	}
 }
 
+func TestStreamCloseReadOnly(t *testing.T) {
+	tc, s := newTestConnAndRemoteStream(t, serverSide, uniStream, permissiveTransportParameters)
+	if err := s.CloseContext(canceledContext()); err != nil {
+		t.Errorf("s.CloseContext() = %v, want nil", err)
+	}
+	tc.wantFrame("closed stream sends STOP_SENDING",
+		packetType1RTT, debugFrameStopSending{
+			id: s.id,
+		})
+}
+
 func TestStreamCloseUnblocked(t *testing.T) {
 	for _, test := range []struct {
 		name    string

From b82f062c4bc1abcfe993e3750d64c4bdd4a14f87 Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Tue, 29 Aug 2023 15:35:30 -0700
Subject: [PATCH 19/22] quic: include ignored frames in test log output

When looking at a test log, it's a bit confusing to have
some of the frames silently omitted. Print ignored frames.

Unfortunately, this means we need to do the actual ignoring
of frames after printing the packet. We specify frames to
ignore by the frame number, but after parsing we don't have
a simple way to map from the debugFrame type back to the
number. Add a big, ugly mapping function to do this; it's
clunky, but isolated to one function in tests.

For golang/go#58547

Change-Id: I242f5511dc16be2350fa49030af38588fe92a988
Reviewed-on: https://go-review.googlesource.com/c/net/+/524295
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
---
 internal/quic/conn_test.go | 77 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 74 insertions(+), 3 deletions(-)

diff --git a/internal/quic/conn_test.go b/internal/quic/conn_test.go
index 8ebe49e0e..d8c44558d 100644
--- a/internal/quic/conn_test.go
+++ b/internal/quic/conn_test.go
@@ -431,7 +431,80 @@ func (tc *testConn) readDatagram() *testDatagram {
 	buf := tc.sentDatagrams[0]
 	tc.sentDatagrams = tc.sentDatagrams[1:]
 	d := tc.parseTestDatagram(buf)
+	// Log the datagram before removing ignored frames.
+	// When things go wrong, it's useful to see all the frames.
 	tc.logDatagram("-> conn under test sends", d)
+	typeForFrame := func(f debugFrame) byte {
+		// This is very clunky, and points at a problem
+		// in how we specify what frames to ignore in tests.
+		//
+		// We mark frames to ignore using the frame type,
+		// but we've got a debugFrame data structure here.
+		// Perhaps we should be ignoring frames by debugFrame
+		// type instead: tc.ignoreFrame[debugFrameAck]().
+		switch f := f.(type) {
+		case debugFramePadding:
+			return frameTypePadding
+		case debugFramePing:
+			return frameTypePing
+		case debugFrameAck:
+			return frameTypeAck
+		case debugFrameResetStream:
+			return frameTypeResetStream
+		case debugFrameStopSending:
+			return frameTypeStopSending
+		case debugFrameCrypto:
+			return frameTypeCrypto
+		case debugFrameNewToken:
+			return frameTypeNewToken
+		case debugFrameStream:
+			return frameTypeStreamBase
+		case debugFrameMaxData:
+			return frameTypeMaxData
+		case debugFrameMaxStreamData:
+			return frameTypeMaxStreamData
+		case debugFrameMaxStreams:
+			if f.streamType == bidiStream {
+				return frameTypeMaxStreamsBidi
+			} else {
+				return frameTypeMaxStreamsUni
+			}
+		case debugFrameDataBlocked:
+			return frameTypeDataBlocked
+		case debugFrameStreamDataBlocked:
+			return frameTypeStreamDataBlocked
+		case debugFrameStreamsBlocked:
+			if f.streamType == bidiStream {
+				return frameTypeStreamsBlockedBidi
+			} else {
+				return frameTypeStreamsBlockedUni
+			}
+		case debugFrameNewConnectionID:
+			return frameTypeNewConnectionID
+		case debugFrameRetireConnectionID:
+			return frameTypeRetireConnectionID
+		case debugFramePathChallenge:
+			return frameTypePathChallenge
+		case debugFramePathResponse:
+			return frameTypePathResponse
+		case debugFrameConnectionCloseTransport:
+			return frameTypeConnectionCloseTransport
+		case debugFrameConnectionCloseApplication:
+			return frameTypeConnectionCloseApplication
+		case debugFrameHandshakeDone:
+			return frameTypeHandshakeDone
+		}
+		panic(fmt.Errorf("unhandled frame type %T", f))
+	}
+	for _, p := range d.packets {
+		var frames []debugFrame
+		for _, f := range p.frames {
+			if !tc.ignoreFrames[typeForFrame(f)] {
+				frames = append(frames, f)
+			}
+		}
+		p.frames = frames
+	}
 	return d
 }
 
@@ -632,9 +705,7 @@ func (tc *testConn) parseTestFrames(payload []byte) ([]debugFrame, error) {
 		if n < 0 {
 			return nil, errors.New("error parsing frames")
 		}
-		if !tc.ignoreFrames[payload[0]] {
-			frames = append(frames, f)
-		}
+		frames = append(frames, f)
 		payload = payload[n:]
 	}
 	return frames, nil

From 03d5e623398478fa929c8ba4b8f15de74017d82a Mon Sep 17 00:00:00 2001
From: Tobias Klauser <tklauser@distanz.ch>
Date: Tue, 29 Aug 2023 15:48:27 +0200
Subject: [PATCH 20/22] http2: remove unused ClientConn.tconnClosed

It was added in CL 429060 but was never used.

Change-Id: Ie1bcd44559006082afed319c0db677ff2ca957d7
Reviewed-on: https://go-review.googlesource.com/c/net/+/523935
Auto-Submit: Ian Lance Taylor <iant@google.com>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Run-TryBot: Tobias Klauser <tobias.klauser@gmail.com>
Reviewed-by: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 http2/transport.go | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/http2/transport.go b/http2/transport.go
index b0d482f9f..4515b22c4 100644
--- a/http2/transport.go
+++ b/http2/transport.go
@@ -291,8 +291,7 @@ func (t *Transport) initConnPool() {
 // HTTP/2 server.
 type ClientConn struct {
 	t             *Transport
-	tconn         net.Conn // usually *tls.Conn, except specialized impls
-	tconnClosed   bool
+	tconn         net.Conn             // usually *tls.Conn, except specialized impls
 	tlsState      *tls.ConnectionState // nil only for specialized impls
 	reused        uint32               // whether conn is being reused; atomic
 	singleUse     bool                 // whether being used for a single http.Request

From 97384c11dd0db63357820b2cfcb44c40fbc3116a Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Tue, 29 Aug 2023 13:18:00 -0700
Subject: [PATCH 21/22] quic: remove streams from the conn when done

When a stream has been fully shut down--the peer has closed
its end and acked every frame we will send for it--remove
it from the Conn's set of active streams.

We do the actual removal on the conn's loop, so stream cleanup
can access conn state without worrying about locking.

For golang/go#58547

Change-Id: Id9715693649929b07d303f0c4b3a782d135f0326
Reviewed-on: https://go-review.googlesource.com/c/net/+/524296
Reviewed-by: Jonathan Amsterdam <jba@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
---
 internal/quic/atomic_bits.go       |  33 +++++++
 internal/quic/conn_streams.go      |  62 +++++++++----
 internal/quic/conn_streams_test.go |  89 ++++++++++++++++++
 internal/quic/conn_test.go         |   2 +
 internal/quic/stream.go            | 140 +++++++++++++++++++++++------
 internal/quic/stream_test.go       |  33 +++++++
 6 files changed, 315 insertions(+), 44 deletions(-)
 create mode 100644 internal/quic/atomic_bits.go

diff --git a/internal/quic/atomic_bits.go b/internal/quic/atomic_bits.go
new file mode 100644
index 000000000..e1e2594d1
--- /dev/null
+++ b/internal/quic/atomic_bits.go
@@ -0,0 +1,33 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build go1.21
+
+package quic
+
+import "sync/atomic"
+
+// atomicBits is an atomic uint32 that supports setting individual bits.
+type atomicBits[T ~uint32] struct {
+	bits atomic.Uint32
+}
+
+// set sets the bits in mask to the corresponding bits in v.
+// It returns the new value.
+func (a *atomicBits[T]) set(v, mask T) T {
+	if v&^mask != 0 {
+		panic("BUG: bits in v are not in mask")
+	}
+	for {
+		o := a.bits.Load()
+		n := (o &^ uint32(mask)) | uint32(v)
+		if a.bits.CompareAndSwap(o, n) {
+			return T(n)
+		}
+	}
+}
+
+func (a *atomicBits[T]) load() T {
+	return T(a.bits.Load())
+}
diff --git a/internal/quic/conn_streams.go b/internal/quic/conn_streams.go
index dd35e34cf..0ede284e2 100644
--- a/internal/quic/conn_streams.go
+++ b/internal/quic/conn_streams.go
@@ -185,24 +185,46 @@ func (c *Conn) appendStreamFrames(w *packetWriter, pnum packetNumber, pto bool)
 	for {
 		s := c.streams.sendHead
 		const pto = false
-		if !s.appendInFrames(w, pnum, pto) {
-			return false
+
+		state := s.state.load()
+		if state&streamInSend != 0 {
+			s.ingate.lock()
+			ok := s.appendInFramesLocked(w, pnum, pto)
+			state = s.inUnlockNoQueue()
+			if !ok {
+				return false
+			}
 		}
-		avail := w.avail()
-		if !s.appendOutFrames(w, pnum, pto) {
-			// We've sent some data for this stream, but it still has more to send.
-			// If the stream got a reasonable chance to put data in a packet,
-			// advance sendHead to the next stream in line, to avoid starvation.
-			// We'll come back to this stream after going through the others.
-			//
-			// If the packet was already mostly out of space, leave sendHead alone
-			// and come back to this stream again on the next packet.
-			if avail > 512 {
-				c.streams.sendHead = s.next
-				c.streams.sendTail = s
+
+		if state&streamOutSend != 0 {
+			avail := w.avail()
+			s.outgate.lock()
+			ok := s.appendOutFramesLocked(w, pnum, pto)
+			state = s.outUnlockNoQueue()
+			if !ok {
+				// We've sent some data for this stream, but it still has more to send.
+				// If the stream got a reasonable chance to put data in a packet,
+				// advance sendHead to the next stream in line, to avoid starvation.
+				// We'll come back to this stream after going through the others.
+				//
+				// If the packet was already mostly out of space, leave sendHead alone
+				// and come back to this stream again on the next packet.
+				if avail > 512 {
+					c.streams.sendHead = s.next
+					c.streams.sendTail = s
+				}
+				return false
 			}
-			return false
 		}
+
+		if state == streamInDone|streamOutDone {
+			// Stream is finished, remove it from the conn.
+			s.state.set(streamConnRemoved, streamConnRemoved)
+			delete(c.streams.streams, s.id)
+
+			// TODO: Provide the peer with additional stream quota (MAX_STREAMS).
+		}
+
 		next := s.next
 		s.next = nil
 		if (next == s) != (s == c.streams.sendTail) {
@@ -231,10 +253,16 @@ func (c *Conn) appendStreamFramesPTO(w *packetWriter, pnum packetNumber) bool {
 	defer c.streams.sendMu.Unlock()
 	for _, s := range c.streams.streams {
 		const pto = true
-		if !s.appendInFrames(w, pnum, pto) {
+		s.ingate.lock()
+		inOK := s.appendInFramesLocked(w, pnum, pto)
+		s.inUnlockNoQueue()
+		if !inOK {
 			return false
 		}
-		if !s.appendOutFrames(w, pnum, pto) {
+		s.outgate.lock()
+		outOK := s.appendOutFramesLocked(w, pnum, pto)
+		s.outUnlockNoQueue()
+		if !outOK {
 			return false
 		}
 	}
diff --git a/internal/quic/conn_streams_test.go b/internal/quic/conn_streams_test.go
index 877dbb94f..9bbc994b1 100644
--- a/internal/quic/conn_streams_test.go
+++ b/internal/quic/conn_streams_test.go
@@ -8,6 +8,8 @@ package quic
 
 import (
 	"context"
+	"fmt"
+	"io"
 	"testing"
 )
 
@@ -253,3 +255,90 @@ func TestStreamsWriteQueueFairness(t *testing.T) {
 		}
 	}
 }
+
+func TestStreamsShutdown(t *testing.T) {
+	// These tests verify that a stream is removed from the Conn's map of live streams
+	// after it is fully shut down.
+	//
+	// Each case consists of a setup step, after which one stream should exist,
+	// and a shutdown step, after which no streams should remain in the Conn.
+	for _, test := range []struct {
+		name     string
+		side     streamSide
+		styp     streamType
+		setup    func(*testing.T, *testConn, *Stream)
+		shutdown func(*testing.T, *testConn, *Stream)
+	}{{
+		name: "closed",
+		side: localStream,
+		styp: uniStream,
+		setup: func(t *testing.T, tc *testConn, s *Stream) {
+			s.CloseContext(canceledContext())
+		},
+		shutdown: func(t *testing.T, tc *testConn, s *Stream) {
+			tc.writeAckForAll()
+		},
+	}, {
+		name: "local close",
+		side: localStream,
+		styp: bidiStream,
+		setup: func(t *testing.T, tc *testConn, s *Stream) {
+			tc.writeFrames(packetType1RTT, debugFrameResetStream{
+				id: s.id,
+			})
+			s.CloseContext(canceledContext())
+		},
+		shutdown: func(t *testing.T, tc *testConn, s *Stream) {
+			tc.writeAckForAll()
+		},
+	}, {
+		name: "remote reset",
+		side: localStream,
+		styp: bidiStream,
+		setup: func(t *testing.T, tc *testConn, s *Stream) {
+			s.CloseContext(canceledContext())
+			tc.wantIdle("all frames after CloseContext are ignored")
+			tc.writeAckForAll()
+		},
+		shutdown: func(t *testing.T, tc *testConn, s *Stream) {
+			tc.writeFrames(packetType1RTT, debugFrameResetStream{
+				id: s.id,
+			})
+		},
+	}, {
+		name: "local close",
+		side: remoteStream,
+		styp: uniStream,
+		setup: func(t *testing.T, tc *testConn, s *Stream) {
+			ctx := canceledContext()
+			tc.writeFrames(packetType1RTT, debugFrameStream{
+				id:  s.id,
+				fin: true,
+			})
+			if n, err := s.ReadContext(ctx, make([]byte, 16)); n != 0 || err != io.EOF {
+				t.Errorf("ReadContext() = %v, %v; want 0, io.EOF", n, err)
+			}
+		},
+		shutdown: func(t *testing.T, tc *testConn, s *Stream) {
+			s.CloseRead()
+		},
+	}} {
+		name := fmt.Sprintf("%v/%v/%v", test.side, test.styp, test.name)
+		t.Run(name, func(t *testing.T) {
+			tc, s := newTestConnAndStream(t, serverSide, test.side, test.styp,
+				permissiveTransportParameters)
+			tc.ignoreFrame(frameTypeStreamBase)
+			tc.ignoreFrame(frameTypeStopSending)
+			test.setup(t, tc, s)
+			tc.wantIdle("conn should be idle after setup")
+			if got, want := len(tc.conn.streams.streams), 1; got != want {
+				t.Fatalf("after setup: %v streams in Conn's map; want %v", got, want)
+			}
+			test.shutdown(t, tc, s)
+			tc.wantIdle("conn should be idle after shutdown")
+			if got, want := len(tc.conn.streams.streams), 0; got != want {
+				t.Fatalf("after shutdown: %v streams in Conn's map; want %v", got, want)
+			}
+		})
+	}
+}
diff --git a/internal/quic/conn_test.go b/internal/quic/conn_test.go
index d8c44558d..ea720d575 100644
--- a/internal/quic/conn_test.go
+++ b/internal/quic/conn_test.go
@@ -394,6 +394,7 @@ func (tc *testConn) writeFrames(ptype packetType, frames ...debugFrame) {
 // writeAckForAll sends the Conn a datagram containing an ack for all packets up to the
 // last one received.
 func (tc *testConn) writeAckForAll() {
+	tc.t.Helper()
 	if tc.lastPacket == nil {
 		return
 	}
@@ -405,6 +406,7 @@ func (tc *testConn) writeAckForAll() {
 // writeAckForLatest sends the Conn a datagram containing an ack for the
 // most recent packet received.
 func (tc *testConn) writeAckForLatest() {
+	tc.t.Helper()
 	if tc.lastPacket == nil {
 		return
 	}
diff --git a/internal/quic/stream.go b/internal/quic/stream.go
index 1033cbb40..2dbf4461b 100644
--- a/internal/quic/stream.go
+++ b/internal/quic/stream.go
@@ -49,9 +49,38 @@ type Stream struct {
 	outresetcode uint64          // reset code to send in RESET_STREAM
 	outdone      chan struct{}   // closed when all data sent
 
+	// Atomic stream state bits.
+	//
+	// These bits provide a fast way to coordinate between the
+	// send and receive sides of the stream, and the conn's loop.
+	//
+	// streamIn* bits must be set with ingate held.
+	// streamOut* bits must be set with outgate held.
+	// streamConn* bits are set by the conn's loop.
+	state atomicBits[streamState]
+
 	prev, next *Stream // guarded by streamsState.sendMu
 }
 
+type streamState uint32
+
+const (
+	// streamInSend and streamOutSend are set when there are
+	// frames to send for the inbound or outbound sides of the stream.
+	// For example, MAX_STREAM_DATA or STREAM_DATA_BLOCKED.
+	streamInSend = streamState(1 << iota)
+	streamOutSend
+
+	// streamInDone and streamOutDone are set when the inbound or outbound
+	// sides of the stream are finished. When both are set, the stream
+	// can be removed from the Conn and forgotten.
+	streamInDone
+	streamOutDone
+
+	// streamConnRemoved is set when the stream has been removed from the conn.
+	streamConnRemoved
+)
+
 // newStream returns a new stream.
 //
 // The stream's ingate and outgate are locked.
@@ -289,15 +318,34 @@ func (s *Stream) CloseWrite() {
 // that the stream was terminated abruptly.
 // Any blocked writes will be unblocked and return errors.
 //
-// Reset sends the application protocol error code to the peer.
+// Reset sends the application protocol error code, which must be
+// less than 2^62, to the peer.
 // It does not wait for the peer to acknowledge receipt of the error.
 // Use CloseContext to wait for the peer's acknowledgement.
+//
+// Reset does not affect reads.
+// Use CloseRead to abort reads on the stream.
 func (s *Stream) Reset(code uint64) {
+	const userClosed = true
+	s.resetInternal(code, userClosed)
+}
+
+func (s *Stream) resetInternal(code uint64, userClosed bool) {
 	s.outgate.lock()
 	defer s.outUnlock()
+	if s.IsReadOnly() {
+		return
+	}
+	if userClosed {
+		// Mark that the user closed the stream.
+		s.outclosed.set()
+	}
 	if s.outreset.isSet() {
 		return
 	}
+	if code > maxVarint {
+		code = maxVarint
+	}
 	// We could check here to see if the stream is closed and the
 	// peer has acked all the data and the FIN, but sending an
 	// extra RESET_STREAM in this case is harmless.
@@ -310,44 +358,67 @@ func (s *Stream) Reset(code uint64) {
 
 // inUnlock unlocks s.ingate.
 // It sets the gate condition if reads from s will not block.
-// If s has receive-related frames to write, it notifies the Conn.
+// If s has receive-related frames to write or if both directions
+// are done and the stream should be removed, it notifies the Conn.
 func (s *Stream) inUnlock() {
-	if s.inUnlockNoQueue() {
+	state := s.inUnlockNoQueue()
+	if state&streamInSend != 0 || state == streamInDone|streamOutDone {
 		s.conn.queueStreamForSend(s)
 	}
 }
 
 // inUnlockNoQueue is inUnlock,
 // but reports whether s has frames to write rather than notifying the Conn.
-func (s *Stream) inUnlockNoQueue() (shouldSend bool) {
+func (s *Stream) inUnlockNoQueue() streamState {
 	canRead := s.inset.contains(s.in.start) || // data available to read
 		s.insize == s.in.start || // at EOF
 		s.inresetcode != -1 || // reset by peer
 		s.inclosed.isSet() // closed locally
 	defer s.ingate.unlock(canRead)
-	return s.insendmax.shouldSend() || // STREAM_MAX_DATA
-		s.inclosed.shouldSend() // STOP_SENDING
+	var state streamState
+	switch {
+	case s.IsWriteOnly():
+		state = streamInDone
+	case s.inresetcode != -1: // reset by peer
+		fallthrough
+	case s.in.start == s.insize: // all data received and read
+		// We don't increase MAX_STREAMS until the user calls ReadClose or Close,
+		// so the receive side is not finished until inclosed is set.
+		if s.inclosed.isSet() {
+			state = streamInDone
+		}
+	case s.insendmax.shouldSend(): // STREAM_MAX_DATA
+		state = streamInSend
+	case s.inclosed.shouldSend(): // STOP_SENDING
+		state = streamInSend
+	}
+	const mask = streamInDone | streamInSend
+	return s.state.set(state, mask)
 }
 
 // outUnlock unlocks s.outgate.
 // It sets the gate condition if writes to s will not block.
-// If s has send-related frames to write, it notifies the Conn.
+// If s has send-related frames to write or if both directions
+// are done and the stream should be removed, it notifies the Conn.
 func (s *Stream) outUnlock() {
-	if s.outUnlockNoQueue() {
+	state := s.outUnlockNoQueue()
+	if state&streamOutSend != 0 || state == streamInDone|streamOutDone {
 		s.conn.queueStreamForSend(s)
 	}
 }
 
 // outUnlockNoQueue is outUnlock,
 // but reports whether s has frames to write rather than notifying the Conn.
-func (s *Stream) outUnlockNoQueue() (shouldSend bool) {
+func (s *Stream) outUnlockNoQueue() streamState {
 	isDone := s.outclosed.isReceived() && s.outacked.isrange(0, s.out.end) || // all data acked
 		s.outreset.isSet() // reset locally
 	if isDone {
 		select {
 		case <-s.outdone:
 		default:
-			close(s.outdone)
+			if !s.IsReadOnly() {
+				close(s.outdone)
+			}
 		}
 	}
 	lim := min(s.out.start+s.outmaxbuf, s.outwin)
@@ -355,14 +426,32 @@ func (s *Stream) outUnlockNoQueue() (shouldSend bool) {
 		s.outclosed.isSet() || // closed locally
 		s.outreset.isSet() // reset locally
 	defer s.outgate.unlock(canWrite)
-	if s.outreset.isSet() {
-		// If the stream is reset locally, the only frame we'll send is RESET_STREAM.
-		return s.outreset.shouldSend()
-	}
-	return len(s.outunsent) > 0 || // STREAM frame with data
-		s.outclosed.shouldSend() || // STREAM frame with FIN bit
-		s.outopened.shouldSend() || // STREAM frame with no data
-		s.outblocked.shouldSend() // STREAM_DATA_BLOCKED
+	var state streamState
+	switch {
+	case s.IsReadOnly():
+		state = streamOutDone
+	case s.outclosed.isReceived() && s.outacked.isrange(0, s.out.end): // all data sent and acked
+		fallthrough
+	case s.outreset.isReceived(): // RESET_STREAM sent and acked
+		// We don't increase MAX_STREAMS until the user calls WriteClose or Close,
+		// so the send side is not finished until outclosed is set.
+		if s.outclosed.isSet() {
+			state = streamOutDone
+		}
+	case s.outreset.shouldSend(): // RESET_STREAM
+		state = streamOutSend
+	case s.outreset.isSet(): // RESET_STREAM sent but not acknowledged
+	case len(s.outunsent) > 0: // STREAM frame with data
+		state = streamOutSend
+	case s.outclosed.shouldSend(): // STREAM frame with FIN bit
+		state = streamOutSend
+	case s.outopened.shouldSend(): // STREAM frame with no data
+		state = streamOutSend
+	case s.outblocked.shouldSend(): // STREAM_DATA_BLOCKED
+		state = streamOutSend
+	}
+	const mask = streamOutDone | streamOutSend
+	return s.state.set(state, mask)
 }
 
 // handleData handles data received in a STREAM frame.
@@ -431,7 +520,8 @@ func (s *Stream) checkStreamBounds(end int64, fin bool) error {
 func (s *Stream) handleStopSending(code uint64) error {
 	// Peer requests that we reset this stream.
 	// https://www.rfc-editor.org/rfc/rfc9000#section-3.5-4
-	s.Reset(code)
+	const userReset = false
+	s.resetInternal(code, userReset)
 	return nil
 }
 
@@ -504,14 +594,12 @@ func (s *Stream) ackOrLossData(pnum packetNumber, start, end int64, fin bool, fa
 	}
 }
 
-// appendInFrames appends STOP_SENDING and MAX_STREAM_DATA frames
+// appendInFramesLocked appends STOP_SENDING and MAX_STREAM_DATA frames
 // to the current packet.
 //
 // It returns true if no more frames need appending,
 // false if not everything fit in the current packet.
-func (s *Stream) appendInFrames(w *packetWriter, pnum packetNumber, pto bool) bool {
-	s.ingate.lock()
-	defer s.inUnlockNoQueue()
+func (s *Stream) appendInFramesLocked(w *packetWriter, pnum packetNumber, pto bool) bool {
 	if s.inclosed.shouldSendPTO(pto) {
 		// We don't currently have an API for setting the error code.
 		// Just send zero.
@@ -534,14 +622,12 @@ func (s *Stream) appendInFrames(w *packetWriter, pnum packetNumber, pto bool) bo
 	return true
 }
 
-// appendOutFrames appends RESET_STREAM, STREAM_DATA_BLOCKED, and STREAM frames
+// appendOutFramesLocked appends RESET_STREAM, STREAM_DATA_BLOCKED, and STREAM frames
 // to the current packet.
 //
 // It returns true if no more frames need appending,
 // false if not everything fit in the current packet.
-func (s *Stream) appendOutFrames(w *packetWriter, pnum packetNumber, pto bool) bool {
-	s.outgate.lock()
-	defer s.outUnlockNoQueue()
+func (s *Stream) appendOutFramesLocked(w *packetWriter, pnum packetNumber, pto bool) bool {
 	if s.outreset.isSet() {
 		// RESET_STREAM
 		if s.outreset.shouldSendPTO(pto) {
diff --git a/internal/quic/stream_test.go b/internal/quic/stream_test.go
index 79377c6a4..e22e0432e 100644
--- a/internal/quic/stream_test.go
+++ b/internal/quic/stream_test.go
@@ -1111,6 +1111,24 @@ func TestStreamPeerResetFollowedByData(t *testing.T) {
 	})
 }
 
+func TestStreamResetInvalidCode(t *testing.T) {
+	tc, s := newTestConnAndLocalStream(t, serverSide, uniStream)
+	s.Reset(1 << 62)
+	tc.wantFrame("reset with invalid code sends a RESET_STREAM anyway",
+		packetType1RTT, debugFrameResetStream{
+			id: s.id,
+			// The code we send here isn't specified,
+			// so this could really be any value.
+			code: (1 << 62) - 1,
+		})
+}
+
+func TestStreamResetReceiveOnly(t *testing.T) {
+	tc, s := newTestConnAndRemoteStream(t, serverSide, uniStream)
+	s.Reset(0)
+	tc.wantIdle("resetting a receive-only stream has no effect")
+}
+
 func TestStreamPeerStopSendingForActiveStream(t *testing.T) {
 	// "An endpoint that receives a STOP_SENDING frame MUST send a RESET_STREAM frame if
 	// the stream is in the "Ready" or "Send" state."
@@ -1145,6 +1163,21 @@ func TestStreamPeerStopSendingForActiveStream(t *testing.T) {
 	})
 }
 
+type streamSide string
+
+const (
+	localStream  = streamSide("local")
+	remoteStream = streamSide("remote")
+)
+
+func newTestConnAndStream(t *testing.T, side connSide, sside streamSide, styp streamType, opts ...any) (*testConn, *Stream) {
+	if sside == localStream {
+		return newTestConnAndLocalStream(t, side, styp, opts...)
+	} else {
+		return newTestConnAndRemoteStream(t, side, styp, opts...)
+	}
+}
+
 func newTestConnAndLocalStream(t *testing.T, side connSide, styp streamType, opts ...any) (*testConn, *Stream) {
 	t.Helper()
 	ctx := canceledContext()

From 2a0da8be5a758b33fa896384d689071e832b4aa2 Mon Sep 17 00:00:00 2001
From: Gopher Robot <gobot@golang.org>
Date: Tue, 5 Sep 2023 15:01:14 +0000
Subject: [PATCH 22/22] go.mod: update golang.org/x dependencies

Update golang.org/x dependencies to their latest tagged versions.

Change-Id: I2011e2fc11608c371c3145c95a4cf98609010f99
Reviewed-on: https://go-review.googlesource.com/c/net/+/525635
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Gopher Robot <gobot@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
---
 go.mod |  8 ++++----
 go.sum | 16 ++++++++--------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/go.mod b/go.mod
index 90f428f40..b16f4e5e6 100644
--- a/go.mod
+++ b/go.mod
@@ -3,8 +3,8 @@ module golang.org/x/net
 go 1.17
 
 require (
-	golang.org/x/crypto v0.12.0
-	golang.org/x/sys v0.11.0
-	golang.org/x/term v0.11.0
-	golang.org/x/text v0.12.0
+	golang.org/x/crypto v0.13.0
+	golang.org/x/sys v0.12.0
+	golang.org/x/term v0.12.0
+	golang.org/x/text v0.13.0
 )
diff --git a/go.sum b/go.sum
index c39d83131..0fd3311f4 100644
--- a/go.sum
+++ b/go.sum
@@ -1,8 +1,8 @@
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.12.0 h1:tFM/ta59kqch6LlvYnPa0yx5a83cL2nHflFhYKvv9Yk=
-golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
+golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
+golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -20,21 +20,21 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.11.0 h1:eG7RXZHdqOJ1i+0lgLgCpSXAp6M3LYlAo6osgSi0xOM=
-golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
+golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
-golang.org/x/term v0.11.0 h1:F9tnn/DA/Im8nCwm+fX+1/eBwi4qFjRT++MhtVC4ZX0=
-golang.org/x/term v0.11.0/go.mod h1:zC9APTIj3jG3FdV/Ons+XE1riIZXG4aZ4GTHiPZJPIU=
+golang.org/x/term v0.12.0 h1:/ZfYdc3zq+q02Rv9vGqTeSItdzZTSNDmfTi0mBAuidU=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.12.0 h1:k+n5B8goJNdU7hSvEtMUz3d1Q6D/XW4COJSJR6fN0mc=
-golang.org/x/text v0.12.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
+golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=